Esp 100107093030-phpapp02

Post on 30-Jun-2015

Read by: Takefumi Miyoshi

CITED BY 8

Friday, January 8, 2010

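Overview

• Event-driven State-machines Programming (ESP)

• Ease of development / achieving high performance

• Has comprehensive features that support the development of compact, modular programs

• Generates C, verification code (SPIN), and so on

• Case study: implementation of the VMMC firmware

• C (15600) → ESP (about 300) ????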

Contents

• Introduction

• Motivation

• Case Study: VMMC Firmware

• Implementing Firmware in C

• Goals and Approach

• Event-driven State-machine programming(ESP) language

• Types, Expressions, and Statements

• Channels/Processes

• Memory Management

• External Interface

• Case Study: VMMC Firmware

• Developing and Testing Using a Verifier

• Spin Model Checking Verifier

• Translating ESP into SPIN Specifications

• Case Study: VMMC Firmware

• Generating Efficient Firmware

• ESP Compiler

• Case Study: VMMC Firmware

• Related Work

• Conclusions

Lines of code / complexity of the implementation

Found known bugs, deliberately seeded bugs, and unknown bugs!!

Performance

Motivation

Programmable Device

firmware (concurrency)

user-level threads or event-driven state-machines

Case Study: VMMC

The VMMC architecture delivers high performance on Gigabit networks by using sophisticated network cards (Myrinet).

Event-driven state-machine in C

Firmware for VMMC in C

very hard to read

fragmented across several handlers.

be saved explicitly in global variables

the stack is shared to pass between handlers (e.g. pAddr, sendData)

to be used by state machines to communicate with each other (e.g. reqSM2).

explicit memory management

be responsible for freeing

functions are an inappropriate abstraction mechanism for programming with state machines

Union data type to encode by “switch”

hard to optimize

Problems:

C vs. ESP

Goal and Approach

simple device-specific functionality like accessing device registers

to verify different properties of the system

• Ease of development

• Permit extensive testing

• Low performance penalty

ESP

• based on the CSP [13] language / a C-style syntax

• supports Event-driven State-machines Programming

• processes

• a sequential flow of control in a concurrent program

• channels

• processes communicate with each other by sending messages on channels

Types, Expressions, and Statements

• basic type (int, bool), record, union, array / mutable, immutable

• no global variables

• initialized at declaration time (with a $ prefix)

• common imperative constructs

• if-then-else/while

• no recursive

Channels

• synchronous

• sender (out) and receiver (in) are blocking operations

• The alt construct allows a process to wait on the in/out readiness of multiple channels

• the use of pattern matching to support dispatch (like ML)

• passed by value

Pattern Matching by Channel

Declaration:

Usage:

Process

• processes implement state machines

Memory Management

• provides a novel explicit management scheme to allow efficient but bug-free memory management

• makes memory safety a local property of each process

• When objects are sent over channels, deep copies of the objects are delivered to the receiving process

• each process is responsible for managing its own objects.

• provides a reference counting interface to manage memory

• link(increment)/unlink(decrement) for ref. counter

External Interface

• provides a single external interface for both SPIN and C code

• the channel mechanism to support external interfaces

• ESP processes often block on external events like arrival of user request or network packets

• external code can also use the same dispatch mechanism built into channels through pattern-matching

• it promotes modularity

Case Study: VMMC Firmware

ESP to SPIN Spec.

• right after type checking

• pointer/the size of the state space

• bugs in compile-stage

• straightforward translation with a few exceptions

• lack of pointer (by using objectId)

• dynamic allocation (array is treated as its max)

Case Study: VMMC Firmware

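• Retransmission Protocol: what used to take 10 days was done in 2 days

• Found bugs in the early, buggy code

• Seeded various memory-allocation bugs, and all of them were detected

• Bugs that cause deadlock were also found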

• State-space explosion prevented us from checking for systemwide properties like absence of deadlocks

• We are currently working on extracting more abstract models so that the state-space search is more tractable

ESP Compiler

• generating one big C function

• each process = an automaton

• zero-overhead context switching

• code size growing exponentially

• generating the code for processes separately

• does not have to save stack

• low-overhead (save/restore program counter)

• idle loop / stack-based scheduling policy (shown on the next slide)

• some of the traditional optimizations

Processes

ESP Compiler

Processes

ESP Compiler

• a set of queues

• implementing alt requires multiple queues, which is expensive

• bit-mask per process

• one bit for every channel the process may block on

• requirement of deep copies (semantics)

• increment reference count of the objects (implementation)

Channels

Messages on Channels
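
An added illustration in C (not from the slides or from the ESP compiler; every name is hypothetical) of the two implementation points on this slide and of the link/unlink interface from the Memory Management slide: the sender tests one bit in the receiver's wait mask, and a send takes a reference instead of copying. It assumes the sent object is never mutated after sending, so sharing it is indistinguishable from a deep copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; illustration only, not ESP compiler output. */
enum { PAYLOAD_MAX = 64 };
typedef struct { int refs; size_t len; uint8_t data[PAYLOAD_MAX]; } obj_t;
typedef struct { uint32_t wait_mask; obj_t *inbox; } proc_t; /* bit i: blocked on channel i */

static int live_objects;                       /* lets the demo detect leaks */

obj_t *obj_new(const void *src, size_t len) {
    if (len > PAYLOAD_MAX) return NULL;        /* reject oversized payloads */
    obj_t *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    memcpy(o->data, src, len);
    o->len = len; o->refs = 1; live_objects++;
    return o;
}
void obj_link(obj_t *o)   { o->refs++; }
void obj_unlink(obj_t *o) { if (--o->refs == 0) { free(o); live_objects--; } }

/* Receiver side of in/alt: record every channel the process blocks on. */
void proc_wait(proc_t *p, uint32_t channels) { p->wait_mask = channels; p->inbox = NULL; }

/* Sender side of out: a single bit test instead of one queue per channel.
 * Returns 1 if delivered, 0 if the receiver is not waiting on chan. */
int chan_send(proc_t *rx, unsigned chan, obj_t *msg) {
    if (chan >= 32 || !(rx->wait_mask & (UINT32_C(1) << chan))) return 0;
    obj_link(msg);           /* assumed immutable, so a reference acts as the copy */
    rx->inbox = msg;
    rx->wait_mask = 0;       /* the alt completes on the first ready channel */
    return 1;
}

int demo(void) {
    proc_t rx;
    obj_t *m = obj_new("pkt", 4);              /* constructed sample message */
    if (!m) return -1;
    proc_wait(&rx, (1u << 2) | (1u << 5));     /* alt over channels 2 and 5 */
    int refused = chan_send(&rx, 3, m);        /* not waiting on channel 3 */
    int sent = chan_send(&rx, 5, m);
    obj_unlink(m);                             /* sender drops its reference */
    int valid = rx.inbox->refs == 1 && memcmp(rx.inbox->data, "pkt", 4) == 0;
    obj_unlink(rx.inbox);                      /* receiver frees its own reference */
    return (refused == 0 && sent == 1 && valid && live_objects == 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

The receiver's reference stays valid after the sender's unlink, which is the property that keeps memory safety local to each process.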

Microbenchmarks Perf.

Related Work

• Concurrency Theory

• CSP, Squeak

• Concurrent Languages

• CML, Java, OCCAM

• Code Generation+Verification

• Esterel, Teapot, Promela++

• Software Testing

• Verisoft, Meta-level Compilation

No good implementations

Heavy, large

Lacking features

As for concurrent tasks, well...
