Skip to content

Endpoint Budget Threshold #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Indanz wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Endpoint Budget Threshold #2

Indanz wants to merge 5 commits into from

Conversation

@Indanz
Copy link
Owner

@Indanz Indanz commented Jul 30, 2025
edited
Loading

Work in progress, cleaner implementation of the work done by @Yermin9. See

Issues that make the implementation complicated:

  • We want the task to be restarted when ThreadState_Restart, but
    current code assumes that means something else. Commit 8ae457a
    is one possible work-around and something I think we want anyway.

    Another solution would be to clean up the threadstate code so that
    ThreadState_Restart will be honoured. Whatever is done, it will
    cause changes to the current code and add verification work.

  • There is no way to do endpoint invocations. Current work-around
    is to make it a reply invocation at the cost of one extra if-check
    in the reply handling slow path. An alternative is to make it a
    CNode operation like Yermin9 did, but that's even uglier of a
    solution, as it requires too much permissions. Now if a server
    can receive on the endpoint, it can also set the budget threshold,
    which makes sense considering the server has to be trusted to reply
    eventually.

  • The bitfield generator can't deal with fields spread over multiple
    words, forcing us to split the field into a high and a low one.
    Solution would be to fix the generator to support this, but I
    don't know how to do that for the generated proofs. Only 64-bit
    has this problem, but to reduce differences between 32 and 64-bits
    the code is the same.

TODO:

  • Check details (exact behaviour on block, !canDonate etc.)
  • Write tests.
  • Bechmark.

@Indanz Indanz mentioned this pull request Jul 30, 2025
Open
@Indanz Indanz force-pushed the threshold branch 2 times, most recently from dc812ca to 5ff7fae Compare August 5, 2025 09:05
Indanz added 3 commits August 5, 2025 15:01
@Indanz
Remove mcsPreemptionPoint and IRQ checking
8ae457a 
There is no reason to check for pending interrupts after failed or
preempted system calls. All it does is save a bit of time avoiding
exiting and entering the kernel when preempting long-running kernel
operations. The slowdown for such operations after this change is a
factor of:

(kernel exit + entry time) / WCET

But making the code more complicated and slowing down all syscalls
to speed up a corner case is not a good trade off.

There is no reason for mcsPreemptionPoint to do basic timekeeping,
normal kernel operation is sufficient if we don't try to bypass
kernel exit/entry.

Signed-off-by: Indan Zupancic <indan@nul.nu>
@Indanz
MCS: Mark for reschedule in endTimeslice
52eeffe 
Otherwise all caller of endTimeslice will need to do it themselves.

Signed-off-by: Indan Zupancic <indan@nul.nu>
@Indanz
MCS: Add refill_merge_until_budget function
4ba284c 
Signed-off-by: Indan Zupancic <indan@nul.nu>
@Indanz Indanz force-pushed the threshold branch 2 times, most recently from b0cf453 to ff3a46d Compare August 12, 2025 13:49
@Indanz Indanz mentioned this pull request Aug 13, 2025
Open
@Indanz
Endpoint Budget Threshold
4d9693f 
Issues that make the implementation complicated:

- We want the task to be restarted when ThreadState_Restart, but
  current code assumes that means something else. Commit 8ae457a
  is one possible work-around and something I think we want anyway.

  Another solution would be to clean up the threadstate code so that
  ThreadState_Restart will be honoured. Whatever is done, it will
  cause changes to the current code and add verification work.

- There is no way to do endpoint invocations. Current work-around
  is to make it a reply invocation at the cost of one extra if-check
  in the reply handling slow path. An alternative is to make it a
  CNode operation like Yermin9 did, but that's even uglier of a
  solution, as it requires too much permissions. Now if a server
  can receive on the endpoint, it can also set the budget threshold,
  which makes sense considering the server has to be trusted to reply
  eventually.

- The bitfield generator can't deal with fields spread over multiple
  words, forcing us to split the field into a high and a low one.
  Solution would be to fix the generator to support this, but I
  don't know how to do that for the generated proofs. Only 64-bit
  has this problem, but to reduce differences between 32 and 64-bits
  the code is the same.

TODO:
- Check details (exact behaviour on block, !canDonate etc.)
- Write sel4test tests.

Signed-off-by: Indan Zupancic <indan@nul.nu>
@Indanz Indanz mentioned this pull request Oct 31, 2025
Open
@Indanz
Copy link
Owner Author

Indanz commented Nov 3, 2025

Small correction for commit 8ae457a:

The slowdown for such operations after this change is a factor of:

(schedule + kernel exit + entry time) / WCET

That is, the kernel also does a schedule call for each iteration, which currently is skipped.

@Indanz Indanz mentioned this pull request Nov 4, 2025
Closed
Indanz
Indanz commented Dec 2, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Indanz