Understanding and Improving Device Access Complexity
Asim Kadav (with Prof. Michael M. Swift) University of Wisconsin-Madison Devices enrich computers
★ Keyboard ★ Flash storage ★ Graphics ★ WIFI ★ Keyboard ★ Headphones ★ Sound ★ SD card ★ Printer ★ Camera ★ Network ★ Accelerometers ★ Storage ★ GPS ★ Touch display ★ NFC
2 Huge growth in number of devices
New I/O devices: accelerometers, GPUS, GPS, touch
Many buses: USB, PCI-e, thunderbolt
Heterogeneous OS support: 10G ethernet vs card readers
3 Device drivers: OS interface to devices diversity applications
OS
Expose device abstractions and hide device complexity Expose kernel device drivers abstractions and hide OS complexity
buses devices
diversity Allow diverse set of applications and OS services to access diverse set of devices 4 Evolution of devices hurts device access
Low Simplicity latency Tools and mechanisms to address Efficient device Cost increasing device complexity Reliabilitysupport in OS effective
Growth in Run in number and challenging diversity environments
Complex Hardware firmware and failures (like configuration CMOS Evolution issues) of devices modes
5 Growth in drivers hurts understanding of drivers
Lines of code in Linux 3.8 applications
OS 0 1750000 3500000 5250000 7000000 memory mgmt 60,000 device devicekernel drivers66,000 OS drivers file systems 760,000 kernel drivers buses Contribute 60% of Linux kernel code and more than 90% in Windows devices 6,700,000
Understand the software complexity and improve driver code
6 Last decade: Focus on the driver-kernel interface
+ device drivers OS 3rd party developers kernel
Recipe for disaster
7 Re-use lessons from existing driver research
Improvement System Validation Drivers Bus Classes New functionality Shadow driver migration [OSR09] 1 1 1
RevNIC [Eurosys 10] 1 1 1 Reliability Nooks [SOSP 03] 6 1 2 XFI [ OSDI 06] 2 1 1 CuriOS [OSDI 08] 2 1 2 Type Safety SafeDrive [OSDI 06] 6 2 3 Singularity [Eurosys 06] 1 1 1 Limited kernel changes + Applicable to lots of drivers => Specification Nexus [OSDI 08] 2 1 2 Real Impact Termite [SOSP 09] 2 1 2 Static analysis tools Windows SDV [Eurosys 06] Many Many Many DesignLarge kernel goal: subsystems CompleteCoverity and solution [CACM validity 10] that of few Alllimits deviceAll kernel typesAll resultchanges in limited and adoptionCocinelle applies [Eurosys of 08] to research all driversAll solutionsAll All
8 Goal: Address software and hardware complexity
★ Understand and improve device access in the face of rising hardware and software complexity
Increasing hardware Increasing hardware complexity complexity
Reliability against Low latency hardware failures 1 device availability 2
Increasing software Better understanding 3 complexity of driver code
9 My approach
Narrow approach and solve specific problems in all drivers Tolerate device failures
Broad approach and have a Understand drivers and holistic view of all drivers potential opportunities
Known approach and apply to all Transactional approach for drivers low latency recovery
Minimize kernel changes and apply to all drivers 10 Contributions/Outline
SOSP ’09 First research consideration of hardware failures in drivers Tolerate device failures
ASPLOS ’12 Largest study of drivers to Understand drivers and understand their behavior and potential opportunities verify research assumptions
ASPLOS ’13 Introduce checkpoint/restore in Transactional approach for drivers for low latency low latency recovery fault tolerance
11 What happens when devices misbehave?
★ Drivers make it better ★ Provide error detection and recovery
★ Drivers make it worse ★ Assume perfect hardware or panic when anything bad happens
What assumptions do modern drivers make about hardware ?
12 Current state of OS-hardware interaction
★ Many device drivers often assume device perfection - Common Linux network driver: 3c59x.c
while&(ioread16(ioaddr&+&Wn7_MasterStatus)) &&&&0x8000);
HANG!
Hardware dependence bug: Device malfunction can crash the system
13 Sources of hardware misbehavior
★ Sources of hardware Driver misbehavior
Bus ★ Firmware/Design bugs
★ Device wear-out, Cache insufficient burn-in ★ Bridging faults Firmware ★ Electromagnetic interference, radiation, Electrical heat
Mechanical Device
14 Sources of hardware misbehavior
★ Sources of hardware ★ Results of misbehavior misbehavior
★ Firmware/Design bugs ★ Corrupted/stuck-at inputs ★ Device wear-out, ★ Timing errors insufficient burn-in ★ Interrupt storms/missing ★ Bridging faults interrupts ★ Electromagnetic ★ Incorrect memory access interference, radiation, heat
15 An evidence:
Transient hardware failures caused 8% of all crashes and 9% of all unplanned reboots [1] ★ Systems work fine after reboots ★ Vendors report returned device was faultless
Existing solution is hand-coded hardened drivers ★ Crashes reduce from 8% to 3%
[1] Fault resilient drivers for Longhorn server, May 2004. Microsoft Corp.
16 How do hardware dependence bugs manifest?
1 Drivers use device printk(“%s”,msg[inb(regA)]); data in critical control and data paths
2 if&(inb(regA)!=&5)&&{ Drivers do not report device &&return&Q22;&//do¬hing malfunction to system log }
3 if&(inb(regA)!=&5)&{ Drivers do not detect or recover from &panic(); device failures }
17 Vendor recommendations for driver developers Recommendation Summary Recommended by Intel Sun MS Linux Validation Input validation ! ! ! Read once& CRC data ! ! !
DMA protection ! ! Timing Infinite polling ! ! ! Stuck interrupt ! Lost request ! Avoid excess delay in OS ! Unexpected events ! ! Reporting Report all failures ! ! ! Recovery Handle all failures ! ! Cleanup correctly ! !
Goal: AutomaticallyDo not crash on failure implement! as many! ! recommendations as possible in commodity drivers Wrap I/O memory access ! ! ! !
18 Carburizer [SOSP ’09]
Goal: Tolerate hardware device failures in software through hardware failure detection and recovery Static analysis component Runtime component
★ Detect and fix hardware ★ Detect interrupt dependence bugs failures
★ Detect and generate ★ Provide automatic missing error reporting recovery information
19 Carburizer architecture
Bug detection and Recovery and interrupt automatic fix generation watchdog OS Kernel Kernel Interface Carburizer
If&(c==0)&{ . print&(“Driver&init”); } . If&(c==0)&{ Compiler . Carburizer . print&(“Driver& init”); } . Runtime . Hardened Driver Binary Driver
Faulty Hardware
20 Hardening drivers
• Goal: Remove hardware dependence bugs ★ Find driver code that uses data from device ★ Ensure driver performs validity checks • Carburizer detects and fixes hardware bugs :
Unsafe Unsafe System Infinite array pointer panic polling reference reference calls
21 Finding sensitive code
★ First pass: Identify tainted variables that contain data from device
Tainted&Variables int&test&()&Types of { device I/O OS &a&=&readl(); a b ★ &b&=&Port I/O :!inb/inwinb(); c ★ &c&=&Memory-mappedb; I/O : readl/readw &d&=&c&+&2; d ★ DMA buffers &return&d; test() ★ Data from USB packets } e int&set()& { &&&&&&&e&=&test(); } network card
22 Detecting risky uses of tainted variables
★ Second pass: Identify risky uses of tainted variables
★ Example: Infinite polling ★ Driver waiting for device to enter particular state ★ Solution: Detect loops where all terminating conditions depend on tainted variables ★ Extra analyses to existing timeouts
23 Infinite polling
★ Infinite polling of devices can cause system lockups
static&int&amd8111e_read_phy(………) { &... &®_val&=&readl(mmio&+&PHY_ACCESS); !!while!(reg_val!&!PHY_CMD_ACTIVE) & reg_val&=&readl(mmio&+&PHY_ACCESS); &&... }
AMD&8111e&network&driver(amd8111e.c)
24 Hardware data used in array reference
★ Tainted variables used as array indexes ★ Detect existing range/not NULL checks
static&void&__init&attach_pas_card(...) { &&&if&((pas_model&=&pas_read(0xFF88)))& &&&{& &&&&&... &&&&&sprintf(temp,&“%s&rev&%d”,& &&&&&&&pas_model_names[(int)&pas_model],&pas_read(0x2789));& &&&&&... }
Pro&Audio&Sound&driver&(pas2_card.c)
25 Analysis results over the Linux kernel
Driver class Infinite polling Static array Dynamic array Panic calls net 117 2 21 2 scsi 298 31 22 121 sound 64 1 0 2 Lightweight and usable technique to video 174find hardware0 dependence22 bugs 22 other 381 9 57 32 Total 860 43 89 179
★ Analyzed/Built 6300 driver files (2.8 million LOC) in 37 min ★ Found 992 hardware dependence bugs in driver code ★ False positive rate: 7.4% (manual sampling of 190 bugs)
26 Repairing drivers
★ Carburizer automatically generates repair code ★ InsertsCall failure recovery detection and recovery service service callout
Timeout Array bounds Not null checks check checks
Unsafe Unsafe System Infinite array pointer panic polling reference reference calls
27 Runtime fault recovery : Shadow drivers
Driver-Kernel Interface • Carburizer calls generic recovery service if check fails Taps • Low cost transparent recovery Shadow ★ Based on shadow drivers Driver ★ Records state of driver at all times ★ Transparently restarts and replays Device recorded state on failure Driver • No isolation required (like Nooks)
Device
Swift [OSDI ’04]
28 Carburizer automatically fixes infinite loops
timeout!=!rdtscll(start)!+!(cpu/khz/HZ)*2; reg_val&=&readl(mmio&+&PHY_ACCESS); while&(reg_val&&&PHY_CMD_ACTIVE)& { & reg_val&=&readl(mmio&+&PHY_ACCESS);&
& if!(_cur!
AMD&8111e&network&driver(amd8111e.c)
*Code/simplified/for/presentation/purposes
29 Carburizer automatically adds bounds checks
static&void&__init&attach_pas_card(...) Array bounds { detected and &&if&((pas_model&=&pas_read(0xFF88)))& check added &&{& &&&&... &&&!if!((pas_model=!5)) ! __recover_driver();!!& &&&&... &&&&sprintf(temp,&“%s&rev&%d”,& &&&&&&pas_model_names[(int)&pas_model],&pas_read(0x2789));&
}
Pro&Audio&Sound&driver&(pas2_card.c)
*Code/simplified/for/presentation/purposes
30 Fault injection and performance
★ Synthetic fault injection on network drivers Device/ Original Driver Carburizer Driver Behavior Detection Behavior Detection Recovery 3COM 3C905 CRASH None RUNNING Yes Yes DEC DC 21x4x CRASH None RUNNING Yes Yes
★ < 0.5% throughput overhead and no CPU overhead with network drivers
Carburizer failure detection and transparent recovery works and has very low overhead
31 Summary Recommendation Summary Recommended by Carburizer Intel Sun MS Linux Ensures Validation Input validation ! ! ! ! Read once& CRC data ! ! !
DMA protection ! !
Timing Infinite polling ! ! ! !
Stuck interrupt ! ! Lost request ! ! Avoid excess delay in OS ! Unexpected events ! ! Reporting Report all failures ! ! ! !
Recovery Handle all failures ! ! !
Carburizer improvesCleanup correctly system reliability! ! by automatically! ensuring that hardwareDo not crash on failurefailures! are tolerated! ! in software!
Wrap I/O memory access ! ! ! !
32 Contributions beyond research
★ Linux Plumbers Conference [Sep ‘11] ★ LWN Article with paper & list of bugs [Feb ‘12] ★ Released patches to the Linux kernel ★ Tool + source available for download at: http://bit.ly/carburizer
33 Module Allocate device Map BAR Register device Detect chipset Registration structures and I/O ports operations capabilities
Cold boot hardware, Perform EEPROM Optional self Set chipset flash device memory checsumming test on boot specific ops Recovery performance: device initialization is slow Allocate driver Configure device to Device ready structures working state for requests
Module registration Device ready ★ Multi-second device probe for requests ★ Identify device Allocate device structures Configure device ★ Cold boot device Map BAR and I/O ports Allocate driver structures ★ Setup device/driver Register device operations
structures Detect chipset capabilities Set chipset specific ops
★ Configuration/Self-test Cold boot the device Self test on boot Verify EEPROM checksum Self test?
★ What does slow device re-initialization hurt? ★ Fault tolerance: Driver recovery ★ Virtualization: Live migration, cloning ★ OS functions: Boot, upgrade
34 Recovery functionality: assumes drivers follow class behavior
Driver-Kernel ★ Kernel exports standard entry points entrypoints for every class (like “packet send” for network class) Taps Shadow Driver ★ Shadow drivers records state by interposing class defined entry points
Device ★ Recovery = Restart and replay of Driver captured state
★ Do drivers have additional state? Device
How many drivers obey class behavior?
35 Outline
Tolerate device failures
Understand drivers and Overview potential opportunities Recovery specific results
Transactional approach for cheap recovery
36 Our view of drivers is narrow
Drivers 6.7 million LOC in Linux
Necessary to review driver code in modern settings
Driver Research (avg. 2.2 drivers/ Bugs system)
37 Understanding Modern Device Drivers[ASPLOS 2012]
Study source of all Linux drivers for x86 (~3200 drivers)
Driver Driver Driver properties interaction similarity
★ Code properties ★ Driver kernel & ★ 7 million lines of ★ Verify research device interaction code needed? assumptions ★ Driver architecture
38 Study methodology ★ Static source analysis of 3200 drivers in Linux 2.6.37.6 (May 2011)
★ Identify driver entry points, kernel Driver and bus callouts properties ★ Device class, sub-class, chipsets ★ Bus properties & other properties (like module params) ★ Driver functions registered as entry points (purpose)
Driver entry points
open For every driver xmit probe close
39 Study methodology ★ Static source analysis of 3200 drivers in Linux 2.6.37.6 (May 2011)
Driver ★ Identify driver entry points, kernel properties and bus callouts
★ Reverse propagate information to aggregate bus, device and kernel Driver behavior interactions Driver entry points
open
xmit probe close
kmalloc 40 Study methodology ★ Static source analysis of 3200 drivers in Linux 2.6.37.6 (May 2011)
★ Driver Identify driver wide and function properties specific properties of all drivers
★ Reverse propagate information to Driver aggregate bus, device and kernel behavior interactions
Driver ★ Use statistical clustering techniques and similarity static analysis to identify similar code
41 Contributions/Outline
Tolerate device failures
Understand drivers and Overview potential opportunities Recovery specific results
Transactional approach for cheap recovery
42 acpi Driver Code bluetooth cdrom char Characteristics acpi crypto bluetooth edac !rewire cdrom gpio char gpu ★Initialization/cleanup – 36% crypto hid hwmon ★Core I/O & interrupts – 23% edac input !rewire isdn Percent★Device- configuration – 15% leds age of LOC char drivers char gpio media ★ message Power management – 7.4% gpu 0 misc 10 hid parport ★Device ioctl – 6.2% hwmon platform 20 input pnp 30 serial 40 isdn sound Percent50 - leds tty age of LOC video media watchdog message ata block 0 misc ide 10 parport md platform drivers block mtd 20 scsi pnp atm 30 in!niband Initialization code dominates driver serial 40 net sound net net drivers uwb LOC and adds to50 complexity tty video init cleanup ioctl con!g power error proc core intr watchdog 43 ata block ide md mtd scsi atm in!niband net uwb init cleanup ioctl con!g power error proc core intr Problem 2: Shadow drivers assume drivers follow class behavior
kernel bus
probe shadow network net device xmit drivers driver network subsystem config card
★ Class definition includes: ★ Callbacks registered with the bus, device and kernel subsystem
How many drivers follow class behavior and how much code does this add?
44 Problem 2(a): Drivers do behave outside class definitions
★ Non-class behavior in device drivers: - module parameters, unique ioctls, procfs/sysfs interactions
$!echo!1!>!/sys/class/sound/mixer/ device/enable
Windows WLAN card Linux sound card config via sysfs config via private ioctls
Overall 44% of drivers have non-class behavior and research making this assumption will not apply
45 Problem 2(b): Too many classes
radio tablet game port touch screen
mouse digital video broadcasting video serio key board pcm joy stick media (10.5%) input midi leds vga isdn (3.4%) gpu (3.9%) mixer drm sound (10%) gpio thermal char (52%) crypto tpm fire wire serial blue tooth acpi tty display dma/pci libs Linux other (5%) lcd Device Drivers video (5.2%) xen/lguest driver libraries back light block (16%) bus drivers net (27%) pata ata (1%) atm
wireless disk cdrom mmc ethernet sata ide network RAID wan token ring md (RAID) floppy scsi (9.6%) uwb mtd (1.5%) wimax tape iscsi infiniband Class-specificdisk driverosd recoveryusb-storage leads to a
large kernel fiber channel recoveryraid subsystem
★ ASPLOS 2012 “Understanding Modern Device Drivers” 46 Few other results
★ Many assumptions made by driver research does not hold: Driver ★ 44% of drivers do not obey class behavior properties ★ 15% drivers perform significant processing ★ 28% drivers support multiple chipsets
★ USB bus offers efficient access (as compared to PCI, Xen) Driver ★ Supports high # devices/driver interactions (standardized code) ★ Coarse-grained access
★ 400, 000 lines of code similar to code elsewhere and ripe for improvement via: Driver ★ Procedural abstractions similarity ★ Better multiple chipset support ★ Table driver programming
★ More results in “Understanding Modern Device Drivers” ASPLOS 2012 47 Outline
Tolerate device failures
Understand drivers and potential opportunities
Transactional approach for Checkpoint/restore FGFT cheap recovery Conclusions
48 Limitations of restart/replay recovery
Driver-Kernel ★ Device save/restore limited to Interface restart/replay ★ Slow: Device initialization is complex (multiple seconds) Shadow Taps ★ Incomplete: Unique device Driver semantics not captured ★ Hard: Need to be written for Device every class of drivers Driver ★ Large changes: Introduces new, large kernel subsystem Device Checkpoint/restore of device and driver state removes the need to reboot device and replay state
49 Checkpointing drivers is hard
★ Easy to capture memory state
checkpoint
network Intuition: Operating driversystems already capture device state during power management network card
★ Device state is not captured ★ Device configuration space ★ Internal device registers and counters ★ Memory buffer addresses used for DMA ★ Unique for every device
50 Intuition with power management
★ Refactor power management code for device checkpoints ★ Correct: Developer captures unique device semantics ★ Fast: Avoids probe and latency critical for applications
★ Ask developers to export checkpoint/restore in their drivers
51 Device checkpoint/restore from PM code
CheckpointSuspend ResumeRestore
Save config state Restore config state
Save register state Restore register state
Restore or reset Disable device DMA state Re-attach/Enable Save DMA state device
Suspend device Device Ready Suspend/resume code provides device checkpoint functionality
52 Fine-Grained Fault Tolerance[ASPLOS 2013]
★ Goal: Improve driver recovery with minor changes to drivers ★ Solution: Run drivers as transactions using device checkpoints
Device state Driver state Execution model
★ Developers export ★ Run drivers invocations as ★ Checkpoint device checkpoint/restore memory transactions ★ Execute driver code as in drivers ★ Use source transformation memory transactions to copy parameters and ★ On failure, rollback run on separate stack C R and restore device ★ Re-use existing device SFI locks in the driver network network driver driver
53 Adding transactional support to drivers
If&(c==0)&{ . print&(“Driver& init”); 1200 LOC } . . Object tracking Main driver module Marshaling/ If&(c==0)&{ Source transformation . print&(“Driver& Demarshaling init”); } (adds driver transactions) . . Kernel SFI driver Driver with undo log checkpoint support module User supplied Communication If&(c==0)&{ . print&(“Driver& and recovery annotations init”); } . support .
SFI = software fault isolated Static modifications Run-time support
54 Transactional execution of drivers
C Range Table netdev->priv->rx_ring Address Access rights
netdev->priv->tx_ring 0xffffa000 Read
0xffffa008 Write get ringparam netdev 0xffffa00a Read probe SFI network Kernel xmit network Log driver get config driver result alloc netdev->priv->rx_ring netdev->priv->tx_ring
★ Detects and recovers from: ★ Memory errors like invalid pointer accesses ★ Structural errors like malformed structures ★ Processor exceptions like divide by zero, stack corruption 55 FGFT: Failed transactions
C Range Table netdev->priv->rx_ring Address Access rights
netdev->priv->tx_ring 0xffffa000 Read
0xffffa008 Write get ringparam netdev 0xffffa00a Read probe SFI network Kernel xmit network Log driver get config driver alloc R err
FGFT provides transactional execution of driver entry points
56 How does this give us transactional execution?
★ Atomicity: All or nothing execution ★ Driver state: Run code in SFI module ★ Device state: Explicitly checkpoint/restore state
★ Isolation: Serialization to hide incomplete transactions ★ Re-use existing device locks to lock driver ★ Two phase locking
★ Consistency: Only valid (kernel, driver and device) states ★ Higher level mechanisms to rollback external actions ★ At most once device action guarantee to applications
57 Evaluation platform
★ Criterion : ★ Latency of recovery: How fast is it? ★ Correctness of recovery: How well does it work? ★ Incremental effort: How much work is it? ★ Performance: How much does it cost?
★ Operating system : ★ Linux 2.6.29 ★ Six drivers across three buses
★ Hardware : ★ Results on 2.5 GHz Intel Core 2 Quad system configured with 4 GB DDR2 DRAM
58 Recovery Recovery speedup times 2,000ms 1800.00 Restart recovery FGFT recovery 1,500ms
1030.00 1,000ms 680.00
500ms 410.00 310.00 295.00
150.00 120.00 115.00 0ms 0.07 5.00 0.04 8139too e1000 pegasus r8169 ens1371 psmouse
FGFT provides significant speedup in driver recovery and improves system availability
59 Static and dynamic fault injection
Driver Injected Native FGFT Faults Crashes Crashes 8139too 43 43 NONE e1000 47 47 NONE r8169 36 36 NONE pegasus 34 33 NONE ens1371 22 21 NONE psmouse 46 46 NONE TOTAL 258 256 NONE
FGFT survives multiple static and dynamic faults without aborting other threads in the driver
60 Programming effort
Driver LOC Checkpoint/restore effort LOC Moved LOC Added 8139too 1, 904 26 4 e1000 13, 973 32 10 r8169 2, 993 17 5 pegasus 1, 541 22 5 ens1371 2, 110 16 6 psmouse 2, 448 19 6
FGFT requires limited programmer effort and needs only 38 lines of new kernel code
61 Throughput with isolation and recovery
CPU: 2.4% 3.4% 2.4% 2.9% 100 100 100 93 96
75
50 Native FGFTDI/ODall FGFTDoffDI/O 25 FGFTDI/OD1/2
0
FGFTThroughput %age (Baseline 844 Mbps) can isolate and recover high bandwidth devices at low overheade1000 without Network addingCard kernel subsystems
netperf on Intel quad-core machines 62 Talk summary
SOSP ’09 First research consideration of Released tool, patches & hardware failures in drivers informed developers
ASPLOS ’12 Largest study of drivers to Measured driver behavior & understand their behavior and identified new directions verify research assumptions
ASPLOS ’13 Introduced checkpoint/restore in Fast & correct recovery with drivers for low latency incremental changes to drivers fault tolerance
63 Thank you
Asim Kadav ★ http://cs.wisc.edu/~kadav ★ [email protected]