mutex requirements #35
Conversation
nashif
commented
Mar 25, 2024
nashif
commented
- high-level: refine mutex requirement
- mutex: add requirements for a mutex
Mutex functional requirements. Signed-off-by: Anas Nashif <[email protected]>
| STATEMENT: >>> | ||
| While a thread needs exclusive access to a shared resource, the Zephyr RTOS | ||
| shall provide a mechanism to lock a mutex. | ||
| <<< |
There was a problem hiding this comment.
Remove the While clause. The mechanism needs to always be provided.
There was a problem hiding this comment.
"The Zephyr RTOS shall provide a mechanism for a thread to lock a mutex."
| When a mutex is successfully locked by a thread, the Zephyr RTOS shall ensure | ||
| that the mutex becomes unavailable for locking by other threads until it is | ||
| unlocked. | ||
| <<< |
There was a problem hiding this comment.
How do you verify "ensure"? Can the verification be automated?
There was a problem hiding this comment.
yeah, we already have tests verifying this.
There was a problem hiding this comment.
I do you test that something is ensured rather than just that it happens?
Restate without superfluous infinitives per INCOSE GtWR R10.
There was a problem hiding this comment.
Does this still cover the current implementation?
"When a mutex is locked by a thread,
that mutex is unavailable for locking by other threads
the mutex retains the thread is the owning thread"
There was a problem hiding this comment.
I am not sure if this second RQT is needed and seperate from the first. Isn't this the very nature of a Mutex to be lockable by one and only one thread at the same time always?
That the same thread can lock the same Mutex multiple times is different though and probably covered elswhere, too.
| STATEMENT: >>> | ||
| While a thread no longer requires exclusive access to a shared resource, the | ||
| Zephyr RTOS shall provide a mechanism to unlock a mutex. | ||
| <<< |
There was a problem hiding this comment.
Remove the While clause. The mechanism needs to always be provided.
There was a problem hiding this comment.
"The Zephyr RTOS shall provide a mechanism for the owning thread to unlock a mutex."
There was a problem hiding this comment.
I second with Tims suggestion for the RQT.
| STATEMENT: >>> | ||
| When a mutex is successfully unlocked by a thread, the Zephyr RTOS shall ensure | ||
| that the mutex becomes available for locking by other threads. | ||
| <<< |
There was a problem hiding this comment.
How do you verify "ensure"? Can the verification be automated?
There was a problem hiding this comment.
yes, we test for this already.
There was a problem hiding this comment.
Restate without superfluous infinitives per INCOSE GtWR R10.
There was a problem hiding this comment.
I think this requirement is intended to cover the atomic mutex operation of unlocking and then locking for the next waiting thread.
If so, I suggest:
"When a mutex is unlocked and another thread waiting to lock that mutex, the unlock and lock operations shall be atomic"
| TITLE: Timed locking of a Mutex | ||
| STATEMENT: >>> | ||
| Mutexes shall support timed locking, where threads can specify a timeout period for waiting on the mutex. | ||
| <<< |
There was a problem hiding this comment.
You just changed abstraction levels. "the Zephyr RTOS shall" is a different level than "Mutexes shall".
Rephrase to remove "where". Reserve "where" for preconditions.
There was a problem hiding this comment.
Seems like the Semaphore requirements covering timeouts should be duplicated for mutexes.
There was a problem hiding this comment.
For consistency of language this RQT should also start with "The Zephyr RTOS shall support ..." the more consistent RQTs are written the easier they become to parse (by humans and non-humans alike)
| TITLE: Priority Inheritance | ||
| STATEMENT: >>> | ||
| When using mutexes for resource synchronization, the Zephyr RTOS shall implement priority inheritance protocols to prevent priority inversion scenarios. | ||
| <<< |
There was a problem hiding this comment.
Remove the While clause. The mechanism needs to always be provided.
"shall implement" is not an observable behavior. Are you intentionally trying to constrain the implementation? If so, how do you verify this? Can verification be automated?
There was a problem hiding this comment.
please provide a suggestion on the wording. I do not see any other way this can
be expressed. You keep asking about automation of verification, not sure what
you mean by now, this is something that can be tested, yes, why are we talking
about automation? why is this relevant?
There was a problem hiding this comment.
Mutexes are only used for resource synchronization, so remove the conditional.
"to prevent priority inversion scenarios" is justification. Remove it (INCOSE GtWR R20).
Priority inheritance is implied by mutex in an RTOS. I think this is a better description for the highest abstraction layers: "The Zephyr shall expose mutex services."
There was a problem hiding this comment.
{sigh}
Automated verification helps fulfill a critical User Need: to be able to verify the OSS software with the User-provided qualified toolchain in a timely manner. There are 4 identified methods for verification: Test, Demonstration, Inspection, Analysis. Doing full verification manually takes FAR too long, so product integrators need automated verification suites to come with the OSS. The most natural verification type to automate is Test.
AFAICT the biggest enabler to deploying and updating secure systems is the rapid integration, revalidation, and deployment of security fixes. Product manufacturers soon will need to publicly commit to a specific response time to security issues (e.g., 30d, 60d, 90d). Component providers (e.g., Nordic, Zephyr Project) that commit to rolling out security fixes faster than the product manufacturer commitment remain as viable suppliers. Those that do not lose out on the design win.
There was a problem hiding this comment.
Requirements need to be testable, fully agree with that and there is no argument. Automation is key and we need to get to almost 100% automation, sure thing.
Asking if the some requirement can be tested or verified is fine, however asking if "verification can be automated" is off-topic and I did not know what you mean because of that.
AFAICT the biggest enabler to deploying and updating secure systems is the rapid integration, revalidation, and deployment of security fixes. Product manufacturers soon will need to publicly commit to a specific response time to security issues (e.g., 30d, 60d, 90d). Component providers (e.g., Nordic, Zephyr Project) that commit to rolling out security fixes faster than the product manufacturer commitment remain as viable suppliers. Those that do not lose out on the design win.
This is going off-topic.
There was a problem hiding this comment.
"Mutexes shall implement priority inheritance protocols."
Implement does not tell me how priority inheritance behaves. But the next two requirements address priority inheritance specifically.
| TITLE: Priority Inheritance - priority elevation | ||
| STATEMENT: >>> | ||
| When a higher-priority thread begins waiting on the mutex, the Zephyr RTOS shall temporarily elevate the priority of the owning thread. | ||
| <<< |
There was a problem hiding this comment.
How is this distinct from the "Priority Inheritance" requirement above? If these are at different levels of detail then they need to reference each other.
Use "While" instead of "When". This condition is a state not an event.
There was a problem hiding this comment.
"While a higher-priority thread is waiting on a mutex, the Zephyr RTOS shall elevate the priority of the owning thread."
| TITLE: Mutex Ownership | ||
| STATEMENT: >>> | ||
| Mutexes shall track the owning thread when locked to ensure exclusive access to the associated resource. | ||
| <<< |
There was a problem hiding this comment.
Remove "to ensure ...". It is justification not observable behavior or condition.
There was a problem hiding this comment.
"Mutexes shall track the owning thread when locked"
I think I made this a second part to ZEP-MUTEX-4 Exclusive Locking of a Mutex
| TITLE: Mutex Ownership - Unlock | ||
| STATEMENT: >>> | ||
| The Zephyr RTOS shall allow only the owning thread to unlock the mutex. | ||
| <<< |
There was a problem hiding this comment.
Avoid using the word "only" in requirements. It is usually(?) very hard or impossible to verify.
In many cI think this is better phrased as:
While the mutex is not in a recursive lock,
When the thread owning a mutex requests to unlock it,
the ... shall ...
There was a problem hiding this comment.
I think this is covered by my suggested wording for ZEP-MUTEX-5 Unlocking of a Mutex:
"The Zephyr RTOS shall provide a mechanism for the owning thread to unlock a mutex."
| TITLE: Priority Ceiling | ||
| STATEMENT: >>> | ||
| The Zephyr RTOS shall implement priority ceiling protocols to limit the extent of priority elevation during priority inheritance. | ||
| <<< |
There was a problem hiding this comment.
Remove the justification phrase "to limit ...".
"shall implement" is not an observable behavior. Are you intentionally trying to constrain the implementation? If so, how do you verify this? Can verification be automated?
| @@ -960,25 +960,184 @@ As a Zephyr OS user I want to be able to exchange 1 to N data objects between di | |||
| [/SECTION] | |||
|
|
|||
| [SECTION] | |||
| TITLE: Mutex | |||
| TITLE: Thread Syncronization | |||
There was a problem hiding this comment.
nitpick: Thread Synchronization
| COMPONENT: Mutex | ||
| TITLE: Locking of a Mutex | ||
| STATEMENT: >>> | ||
| While a thread needs exclusive access to a shared resource, the Zephyr RTOS |
There was a problem hiding this comment.
Suggestion: While the above RQTs begin with "The Zephyr RTOS ..." this one doesn't. Also the refernce to shared resource is probably a rationale. Consider rephrasing this RQT to read "The Zephyr RTOS shall provide a mechanism to lock a mutex so that no other thread can obtain the same Mutex while the mutex is locked. Rationale: This way threads can protect critical regions of code and prevent concurrent access to shared resources.
| When a mutex is successfully locked by a thread, the Zephyr RTOS shall ensure | ||
| that the mutex becomes unavailable for locking by other threads until it is | ||
| unlocked. | ||
| <<< |
There was a problem hiding this comment.
I am not sure if this second RQT is needed and seperate from the first. Isn't this the very nature of a Mutex to be lockable by one and only one thread at the same time always?
That the same thread can lock the same Mutex multiple times is different though and probably covered elswhere, too.
| STATEMENT: >>> | ||
| While a thread no longer requires exclusive access to a shared resource, the | ||
| Zephyr RTOS shall provide a mechanism to unlock a mutex. | ||
| <<< |
There was a problem hiding this comment.
I second with Tims suggestion for the RQT.
| TITLE: Timed locking of a Mutex | ||
| STATEMENT: >>> | ||
| Mutexes shall support timed locking, where threads can specify a timeout period for waiting on the mutex. | ||
| <<< |
There was a problem hiding this comment.
For consistency of language this RQT should also start with "The Zephyr RTOS shall support ..." the more consistent RQTs are written the easier they become to parse (by humans and non-humans alike)
| STATUS: Draft | ||
| TYPE: Functional | ||
| COMPONENT: Mutex | ||
| TITLE: Indifinite locking of a Mutex |
| TITLE: Indifinite locking of a Mutex | ||
| STATEMENT: >>> | ||
| Mutexes shall support indefinite locking allowing threads to wait indefinitely until the mutex becomes available. | ||
| <<< |
There was a problem hiding this comment.
Not sure if we are running into semantic non-sense land (pun intended) but indefinite and K_FOREVER are pretty much the same thing for me. Using words not stemming from the actual implementation has the added advantage that we do not bind the RQTs too strongly to the implementation.
|
I would hate to lose the work that has been done on this PR. Even without changes, it is better than the near empty file it will replace. |
