

#### Using Model Checking to Develop and Verify sDDF Communication Protocols

**Courtney Darville** 



© 2024 Courtney Darville – CC BY 4.0

#### seL4 Device Driver Framework

- Device drivers and supporting components
- Running natively on seL4
- Interface specifications
- Principle of separation of concerns

[Figure: receive path through the Device, IRQ, Driver, Virtualiser and Client components]



#### sDDF Component Communication

- Asynchronous *notification* objects
- Shared memory for data and meta-data transfer
- Subsystem specific queues



#### sDDF Queues

```c
#include <stdint.h>

/* buffer descriptor */
typedef struct buff_desc {
    /* offset of buffer within memory region */
    uint64_t offset;
    /* length of data inside buffer */
    uint16_t len;
} net_buff_desc_t;
```

```c
/* queue */
typedef struct queue {
    /* index to insert at */
    uint16_t tail;
    /* index to remove from */
    uint16_t head;
    /* buffer descriptor array (flexible array member, sized by the memory region) */
    net_buff_desc_t buffers[];
} queue_t;
```





#### **Event Based Components**



- Signalling is required for processing to begin
- This process is called the *signalling* protocol





#### Signalling Protocols - Over Signalling

- Signalling before a consumer has been scheduled
- Signalling when no work can be done

Missed signal - system deadlocked!



#### Signalling Protocol Development

- Components simple but *interleavings* complex
- Reasoning about system state difficult!







#### Model Checking - Basics

- Create a *model* of your program
- Model converted into a *directed graph*
- *Paths* of the graph are enumerated
- Each path is examined







#### Model Checking - Limitations

- Accuracy of model must be checked by hand
- Extremely sensitive to *state space explosions*





#### Spin and PROMELA



- The model checker Spin was selected
- The modelling language of Spin is **PROMELA**



Spin: https://spinroot.com/spin/whatispin.html





#### sDDF Networking

- First device class
- Sensitive to *latency*
- High *throughput* requirements



### **Modelling Components**



- Careful code examination
- Non-essential state abstracted
- Receive and transmit control paths split
  - Deadlocks found and analysed

```promela
// capacity of queue
#define QUEUE_CAPACITY 2

typedef queue {
    // notification object
    chan notification = [1] of {bit};
    // index to remove from
    unsigned head : 2;
    // index to insert at
    unsigned tail : 2;
}
```

**PROMELA** queue



#### **Development Begins**

- Experiments using two-component system
- Three candidates found and benchmarked
  - Most performant protocol selected!














#### State-Space Reductions - Priorities





#### State-Space Reductions - One Component





#### **Results - Kernel Entries**

- Number of *kernel* entries of each component
  - Includes non-signalling kernel entries

[Chart: Kernel Entries per Component; x-axis: Component]

#### **Results - Unnecessary Signals**

- Number of times each component is *signalled*
- Number of times there was *no work* from signaller

[Chart: x-axis: Component interfaces]
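As an added illustration of the over-signalling slides and the "no work from signaller" metric (example code, not from the slides or the sDDF project): the slide's queue layout with enqueue/dequeue, and a sequential simulation that counts consumer runs which found no work under the naive signal-on-every-enqueue policy versus an assumed empty-to-non-empty transition policy. QUEUE_CAPACITY = 4, the descriptor values and the no-coalescing assumption are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not sDDF code: the slide's queue layout with a fixed capacity
 * (assumption: QUEUE_CAPACITY = 4, a power of two, so the uint16_t indices may
 * grow and wrap while index % QUEUE_CAPACITY stays consistent across the wrap). */
#define QUEUE_CAPACITY 4
typedef struct buff_desc { uint64_t offset; uint16_t len; } net_buff_desc_t;
typedef struct queue {
    uint16_t tail;                            /* index to insert at */
    uint16_t head;                            /* index to remove from */
    net_buff_desc_t buffers[QUEUE_CAPACITY];  /* buffer descriptor array */
} queue_t;

static bool queue_empty(const queue_t *q) { return q->head == q->tail; }
static bool queue_full(const queue_t *q) { return (uint16_t)(q->tail - q->head) == QUEUE_CAPACITY; }
static bool enqueue(queue_t *q, net_buff_desc_t d) {
    if (queue_full(q)) return false;
    q->buffers[q->tail % QUEUE_CAPACITY] = d;
    q->tail++;                                /* publish the slot after the write */
    return true;
}
static bool dequeue(queue_t *q, net_buff_desc_t *d) {
    if (queue_empty(q)) return false;
    *d = q->buffers[q->head % QUEUE_CAPACITY];
    q->head++;
    return true;
}

/* Sequential simulation: the producer enqueues `burst` descriptors before the
 * consumer runs; each signal later yields one consumer run that drains the queue
 * (assumption: no coalescing). Policy: signal on every enqueue (over-signalling),
 * or only on the empty-to-non-empty transition (assumed; not a slide candidate). */
struct sim_result { unsigned signals, unnecessary, processed; }; /* unnecessary = runs with no work */
static struct sim_result simulate(unsigned burst, bool signal_every_enqueue) {
    queue_t q = {0};
    struct sim_result r = {0, 0, 0};
    for (unsigned i = 0; i < burst; i++) {
        bool was_empty = queue_empty(&q);
        net_buff_desc_t d = { .offset = 2048u * i, .len = 64 };  /* constructed values */
        if (!enqueue(&q, d)) break;           /* queue full: producer stops */
        if (signal_every_enqueue || was_empty) r.signals++;
    }
    for (unsigned s = 0; s < r.signals; s++) { /* one consumer run per signal */
        net_buff_desc_t d;
        bool worked = false;
        while (dequeue(&q, &d)) { r.processed++; worked = true; }
        if (!worked) r.unnecessary++;
    }
    return r;
}
```

With a burst of three descriptors the naive policy sends three signals of which two find an empty queue, while the transition policy sends one signal and none are wasted.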



#### Future Work

- Prove that the PROMELA model is an abstraction of sDDF C code
- Model other subsystems
- Model checking more properties







#### Links to our Work



PROMELA Modelling: https://github.com/au-ts/sddf/tree/spin_models

Component Models: https://github.com/au-ts/sddf/tree/spin_models/examples/echo_server/spin_models/verified_models

Thank you!

