Specifying and Checking Stateful Software Interfaces (Lecture 2).


Transcripts
Slide 1

Specifying and Checking Stateful Software Interfaces (Lecture 2). Manuel Fähndrich, maf@microsoft.com, Microsoft Research. 2005 Summer School on Reliable Computing, Eugene, Oregon.

Slide 2

Lecture 1 recap. Goal: specify and check stateful interfaces. Techniques: linear type systems; a type system based on capabilities (permissions). Modeling: allocation/deallocation, type-state protocols, locking.

Slide 3

Lecture 2. Frame rule. Type-states using capabilities. Vault: W2K driver case study. Recursive data structures. Unifying non-linear data structures and linear data.

Slide 4

Lambda abstraction. We can abstract over an allocation sequence: pre-heap, post-heap.

Slide 5

Recall the examples: a function taking a list argument (but not consuming it!); a function freeing an entire list; the application rule.

Slide 6

The frame rule. Example: x : pt( x), y : pt( y).
  freeAll(y);
  int z = length(x);
  freeAll(x);
Modifications? Capabilities held alongside the code: C List⟨ x⟩, C List⟨ y⟩; after freeAll(y) only C List⟨ x⟩ remains.

Slide 7

Specification tasks: allocation/deallocation, memory initialization, locks, events, type states, object states, regions, reference counting, sharing, channels, deadlock freedom. Let's look at type states.

Slide 8

Type-states with capabilities. State diagram with states A, R, W and C and transitions alloc, openR (to R), openW (to W), advance, close (to C) and free. Still one write per type state.

Slide 9

Observation about type states: a type state is just a type! Type = predicate over values and heap chunks. A physical block of memory can have different types, and hence different states/properties, at different times.

Slide 10

Heavy notation? The Vault programming language tries to make capabilities accessible to programmers. Type-states as a family of some base type: File@A, File@R, File@W, File@C.
  void openR( tracked( ) File file ) [ @A → R ];
  void closeR( tracked( ) File file ) [ - @A ];

Slide 11

Case Study: Windows Drivers. A driver handles requests from the kernel, e.g. start, read, write, shutdown, ... The driver exports a function for each request type. Lifetime of a request ≠ lifetime of the function call. The request is encapsulated in a data structure, the I/O Request Packet (IRP). The driver handles a request by side-effecting the IRP. Ownership and lifetime are critical.

Slide 12

A request often lives across calls. KERNEL → DRIVER: Read(Device, Irp) → IoMarkIrpPending(Irp); on interrupt, call IFun → read memory; on interrupt, call IFun → read memory; on interrupt, call IFun → IoCompleteRequest(Irp).

Slide 13

KERNEL → file system driver → storage class driver → floppy driver → bus driver. Drivers form a stack. The kernel sends an IRP to the top driver in the stack. A driver may handle the IRP itself, pass the IRP down, or pass new IRP(s) down.

Slide 14

IRP Ownership: IoCompleteRequest
  VOID IoCompleteRequest( IN PIRP Irp, IN CCHAR PriorityBoost );
IoCompleteRequest indicates that the caller has completed all processing for a given I/O request and is returning the given IRP to the I/O Manager.
Parameters. Irp: points to the IRP to be completed. PriorityBoost: specifies a system-defined constant by which to increment the runtime priority of the original thread that requested the operation. This value is IO_NO_INCREMENT if the original thread requested an operation the driver could complete quickly (so the requesting thread is not compensated for its assumed wait on I/O) or if the IRP is completed with an error. Otherwise, the set of PriorityBoost constants is device-type specific. See ntddk.h or wdm.h for these constants.
Remarks. When a driver has finished all processing for a given IRP, it calls IoCompleteRequest. The I/O Manager checks the IRP to determine whether any higher-level drivers have set up an IoCompletion routine for the IRP. If so, each IoCompletion routine is called, in turn, until every layered driver in the chain has completed the IRP. When all drivers have completed a given IRP, the I/O Manager returns status to the original requestor of the operation. Note that a higher-level driver that sets up a driver-created IRP must supply an IoCompletion routine to release the IRP it created. Callers of IoCompleteRequest must be running at IRQL <= DISPATCH_LEVEL.
See Also: IoSetCompletionRoutine
"IoCompleteRequest indicates that the caller has completed all processing for a given I/O request and is returning the given IRP to the I/O Manager."

Slide 15

IRP Ownership: IoCompleteRequest
  VOID IoCompleteRequest( IN PIRP Irp, IN CCHAR PriorityBoost );
IoCompleteRequest indicates that the caller has completed all processing for a given I/O request and is returning the given IRP to the I/O Manager.
Parameters. Irp: points to the IRP to be completed. PriorityBoost: specifies a system-defined constant by which to increment the runtime priority of the original thread that requested the operation. This value is IO_NO_INCREMENT if the original thread requested an operation the driver could complete quickly (so the requesting thread is not compensated for its assumed wait on I/O) or if the IRP is completed with an error. Otherwise, the set of PriorityBoost constants is device-type specific. See ntddk.h or wdm.h for these constants.
Remarks. When a driver has finished all processing for a given IRP, it calls IoCompleteRequest. The I/O Manager checks the IRP to determine whether any higher-level drivers have set up an IoCompletion routine for the IRP. If so, each IoCompletion routine is called, in turn, until every layered driver in the chain has completed the IRP. When all drivers have completed a given IRP, the I/O Manager returns status to the original requestor of the operation. Note that a higher-level driver that sets up a driver-created IRP must supply an IoCompletion routine to release the IRP it created. Callers of IoCompleteRequest must be running at IRQL <= DISPATCH_LEVEL.
See Also: IoSetCompletionRoutine
Vault signature capturing the ownership transfer:
  void IoCompleteRequest( tracked(I) Irp, CHAR Boost ) [ -I ];

Slide 16

IRP Ownership: IoCallDriver
  NTSTATUS IoCallDriver( IN PDEVICE_OBJECT DeviceObject, IN OUT PIRP Irp );
IoCallDriver sends an IRP to the next lower-level driver after the caller has set up the I/O stack location in the IRP for that driver.
Parameters. DeviceObject: points to the next lower driver's device object, representing the target device for the requested I/O operation. Irp: points to the IRP.
Return Value. IoCallDriver returns the NTSTATUS value that a lower driver set in the I/O status block for the given request, or STATUS_PENDING if the request was queued for additional processing.
Remarks. IoCallDriver assigns the DeviceObject input parameter to the device object field of the IRP stack location for the next lower driver. An IRP passed in a call to IoCallDriver becomes inaccessible to the higher-level driver, unless the higher-level driver has set up its IoCompletion routine for the IRP with IoSetCompletionRoutine. If it does, the IRP input to the driver-supplied IoCompletion routine has its I/O status block set by the lower driver(s) and all lower-level drivers' I/O stack locations filled with zeros. Drivers must not use IoCallDriver to pass power IRPs (IRP_MJ_POWER); use PoCallDriver. Callers of IoCallDriver must be running at IRQL <= DISPATCH_LEVEL.
See Also: IoAllocateIrp, IoBuildAsynchronousFsdRequest, IoBuildDeviceIoControlRequest, IoBuildSynchronousFsdRequest, IoSetCompletionRoutine, PoCallDriver
"An IRP passed in a call to IoCallDriver becomes inaccessible to the higher-level driver, …"

Slide 17

IRP Ownership: IoCallDriver
  NTSTATUS IoCallDriver( IN PDEVICE_OBJECT DeviceObject, IN OUT PIRP Irp );
IoCallDriver sends an IRP to the next lower-level driver after the caller has set up the I/O stack location in the IRP for that driver.
Parameters. DeviceObject: points to the next lower driver's device object, representing the target device for the requested I/O operation. Irp: points to the IRP.
Return Value. IoCallDriver returns the NTSTATUS value that a lower driver set in the I/O status block for the given request, or STATUS_PENDING if the request was queued for additional processing.
Remarks. IoCallDriver assigns the DeviceObject input parameter to the device object field of the IRP stack location for the next lower driver. An IRP passed in a call to IoCallDriver becomes inaccessible to the higher-level driver, unless the higher-level driver has set up its IoCompletion routine for the IRP with IoSetCompletionRoutine. If it does, the IRP input to the driver-supplied IoCompletion routine has its I/O status block set by the lower driver(s) and all lower-level drivers' I/O stack locations filled with zeros. Drivers must not use IoCallDriver to pass power IRPs (IRP_MJ_POWER); use PoCallDriver. Callers of IoCallDriver must be running at IRQL <= DISPATCH_LEVEL.
See Also: IoAllocateIrp, IoBuildAsynchronousFsdRequest, IoBuildDeviceIoControlRequest, IoBuildSynchronousFsdRequest, IoSetCompletionRoutine, PoCallDriver
Vault signature capturing the ownership transfer:
  void IoCallDriver( DEVICE_OBJECT Dev, tracked(I) Irp ) [ -I ];

Slide 18

Example: Driver request handler. The function consumes the IRP key I, so on every path it must either complete the IRP or pass it down.
  NTSTATUS Read( DEVICE_OBJECT Dev, tracked(I) Irp ) [ -I ]
  {
    if (GetRequestLength(Irp) == 0) {
      NTSTATUS status = `STATUS_SUCCESS(`TransferBytes(0));
      IoCompleteRequest(Irp, status);
      return status;
    } else
      return IoCallDriver(NextDriver, Irp);
  }

Slide 19

Example: Driver request handler, with the set of held keys shown in braces at each program point.
  NTSTATUS Read( DEVICE_OBJECT Dev, tracked(I) Irp ) [ -I ]
  {                                                        { I }
    if (GetRequestLength(Irp) == 0) {                      { I }
      NTSTATUS status = `STATUS_SUCCESS(`TransferBytes(0)); { I }
      IoCompleteRequest(Irp, status);                      { }
      return status;                                       { }
    } else {                                               { I }
      return IoCallDriver(NextDriver, Irp);                { }
    }
  }
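To make the key-tracking discipline of these two slides concrete, here is a small Python checker (an added example, not code from the lecture or from Vault) that replays the `[ -I ]` annotations over the call sequence of each path through Read and flags the two ownership bugs the annotations rule out: touching the IRP after it has been completed or passed down, and returning while still holding it. `GetRequestLength` carries no annotation on the slide, so it is assumed here to read the IRP and keep I.

```python
# Effects transcribed from the slides' annotations, as (requires, consumes) key sets;
# I is the IRP's key. GetRequestLength carries no annotation on the slide, so it is
# assumed to read the IRP and keep I.
SIGS = {
    "IoCompleteRequest": ({"I"}, {"I"}),  # [ -I ]  IRP goes back to the I/O Manager
    "IoCallDriver":      ({"I"}, {"I"}),  # [ -I ]  IRP goes to the next lower driver
    "GetRequestLength":  ({"I"}, set()),  # assumed: inspects the IRP, keeps I
}


def check_path(entry, calls, declared_consumed):
    """Walk one control-flow path of a function that holds `entry` on entry and declares
    `declared_consumed` with '-'. Returns a list of error strings (empty = path checks)."""
    held = set(entry)
    errors = []
    for name in calls:
        requires, consumes = SIGS[name]
        missing = requires - held
        if missing:
            # Touching an IRP after it was completed or passed down.
            errors.append(f"{name}: key(s) {sorted(missing)} not held at this point")
            continue
        held -= consumes
    leaked = held & set(declared_consumed)
    if leaked:
        # Neither completed nor passed down: the request would be lost.
        errors.append(f"return: key(s) {sorted(leaked)} still held but declared '-'")
    dropped = (set(entry) - set(declared_consumed)) - held
    if dropped:
        # The caller expects these keys back, but this path gave them away.
        errors.append(f"return: key(s) {sorted(dropped)} consumed but not declared '-'")
    return errors


def check_function(entry, paths, declared_consumed):
    """Check every path of a function body; returns {path label: errors}."""
    return {label: check_path(entry, calls, declared_consumed)
            for label, calls in paths.items()}


# The slide's Read( DEVICE_OBJECT Dev, tracked(I) Irp ) [ -I ], one entry per branch.
READ_PATHS = {
    "length == 0": ["GetRequestLength", "IoCompleteRequest"],
    "else":        ["GetRequestLength", "IoCallDriver"],
}

if __name__ == "__main__":
    print(check_function({"I"}, READ_PATHS, {"I"}))
    # Constructed buggy variants: touching I after handing it off, and never handing it off.
    print(check_path({"I"}, ["GetRequestLength", "IoCompleteRequest", "IoCallDriver"], {"I"}))
    print(check_path({"I"}, ["GetRequestLength"], {"I"}))
```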

Slide 20

IRP completion routines: getting IRP ownership back. Driver A hands the IRP to B and wants it back after B is done, so driver A sets a "completion routine" on the IRP:
  void IoSetCompletionRoutine( tracked(K) Irp, COMPLETION_ROUTINE<K> Fun ) [K];
  type COMPLETION_R