Hostname: page-component-7479d7b7d-8zxtt Total loading time: 0 Render date: 2024-07-11T03:56:36.276Z Has data issue: false hasContentIssue false
  • English
  • Français

Modular verification of preemptive OS kernels

Part of: JFP Research Articles

Published online by Cambridge University Press:  29 October 2013

ALEXEY GOTSMAN  and
HONGSEOK YANG
ALEXEY GOTSMAN
Affiliation:
IMDEA Software Institute (e-mail: alexey.gotsman@imdea.org)
HONGSEOK YANG
Affiliation:
University of Oxford (e-mail: Hongseok.Yang@cs.ox.ac.uk)
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Most major OS kernels today run on multiprocessor systems and are preemptive: it is possible for a process running in the kernel mode to get descheduled. Existing modular techniques for verifying concurrent code are not directly applicable in this setting: they rely on scheduling being implemented correctly, and in a preemptive kernel, the correctness of the scheduler is interdependent with the correctness of the code it schedules. This interdependency is even stronger in mainstream kernels, such as those of Linux, FreeBSD or Mac OS X, where the scheduler and processes interact in complex ways. We propose the first logic that is able to decompose the verification of preemptive multiprocessor kernel code into verifying the scheduler and the rest of the kernel separately, even in the presence of complex interdependencies between the two components. The logic hides the manipulation of control by the scheduler when reasoning about preemptable code and soundly inherits proof rules from concurrent separation logic to verify it thread-modularly. We illustrate the power of our logic by verifying an example scheduler, which includes some of the key features of the scheduler from Linux 2.6.11 challenging for verification.

Type
Articles
Information
Journal of Functional Programming , Volume 23 , Issue 4: ICFP 2011 , July 2013 , pp. 452 - 514
Copyright
Copyright © Cambridge University Press 2013 

References

Back, R.-J. (1981) On correct refinement of programs. J. Comput. Syst. Sci. 23, 4968.CrossRefGoogle Scholar
Berdine, J., O'Hearn, P. W., Reddy, U. S. & Thielecke, H. (2002) Linear continuation-passing. Higher-order Symb. Comput. 15 (2–3), 181208.CrossRefGoogle Scholar
Bovet, D. & Cesati, M. (2005) Understanding the Linux Kernel, 3rd ed.O'Reilly.Google Scholar
Brookes, S. D. (2007) A semantics of concurrent separation logic. Theor. Comput. Sci. 375 (1–3), 227270.CrossRefGoogle Scholar
Calcagno, C., O'Hearn, P. W. & Yang, H. (2007) Local action and abstract separation logic. In Symposium on Logic in Computer Science (LICS'07). IEEE, pp. 366378.Google Scholar
Charlton, N. (2011) Hoare logic for higher order store using simple semantics. In Conference on Logic, Language, Information and Computation (WoLLIC'11). LNCS, vol. 6642. Springer, pp. 5266.CrossRefGoogle Scholar
Clarke, D. G., Noble, J. & Potter, J. (2001) Simple ownership types for object containment. In European Conference on Object-Oriented Programming (ECOOP'01). LNCS, vol. 2072. Springer, pp. 5376.Google Scholar
Cohen, E., Schulte, W. & Tobies, S. (2010) Local verification of global invariants in concurrent programs. In Conference on Computer-Aided Verification (CAV'10). LNCS, vol. 6174. Springer, pp. 480494.CrossRefGoogle Scholar
Dinsdale-Young, T., Birkedal, L., Gardner, P., Parkinson, M. & Yang, H. (2013) Views: Compositional reasoning for concurrent programs. In Symposium on Principles of Programming Languages (POPL'13). ACM, pp. 287300.Google Scholar
Dinsdale-Young, T., Dodds, M., Gardner, P., Parkinson, M. & Vafeiadis, V. (2010) Concurrent abstract predicates. In European Conference on Object-Oriented Programming (ECOOP'10). LNCS, vol. 6183. Springer, pp. 504528.Google Scholar
Feng, X., Ferreira, R. & Shao, Z. (2007a) On the relationship between concurrent separation logic and assume-guarantee reasoning. In European Conference on Programming (ESOP'07). LNCS, vol. 4421. Springer, pp. 173188.Google Scholar
Feng, X., Ni, Z., Shao, Z. & Guo, Y. (2007b) An open framework for foundational proof-carrying code. In Workshop on Types in Language Design and Implementation (TLDI'07). ACM, pp. 6778.Google Scholar
Feng, X., Shao, Z., Dong, Y. & Guo, Y. (2008a) Certifying low-level programs with hardware interrupts and preemptive threads. In Conference on Programming Language Design and Implementation (PLDI'08). ACM, pp. 170182.CrossRefGoogle Scholar
Feng, X., Shao, Z., Guo, Y. & Dong, Y. (2008b) Combining domain-specific and foundational logics to verify complete software systems. In Conference on Verified Software: Theories, Tools, Experiments (VSTTE'08). LNCS, vol. 5295. Springer, pp. 5469.CrossRefGoogle Scholar
Feng, X., Shao, Z., Vaynberg, A., Xiang, S. & Ni, Z. (2006) Modular verification of assembly code with stack-based control abstractions. In Conference on Programming Language Design and Implementation (PLDI'06). ACM, pp. 401414.CrossRefGoogle Scholar
Gargano, M., Hillebrand, M., Leinenbach, D. & Paul, W. (2005) On the correctness of operating system kernels. In Conference on Theorem Proving in Higher-Order Logics (TPHOLs'05). LNCS, vol. 3603. Springer, pp. 116.Google Scholar
Gotsman, A. (2009) Logics and Analyses for Concurrent Heap-Manipulating Programs. PhD Thesis, University of Cambridge.Google Scholar
Gotsman, A., Berdine, J. & Cook, B. (2011) Precision and the conjunction rule in concurrent separation logic. ENTCS 276 (1), 171190. MFPS'11: Mathematical Foundations of Programming Semantics.Google Scholar
Gotsman, A., Berdine, J., Cook, B., Rinetzky, N. & Sagiv, M. (2007) Local reasoning for storable locks and threads. In Asian Symposium on Programming Languages and Systems (APLAS'07). LNCS, vol. 4807. Springer, pp. 1937.CrossRefGoogle Scholar
Gotsman, A. & Yang, H. (2013) Electronic Appendix for This Paper. Available from http://dx.doi.org/10.1017/S0956796813000075.CrossRefGoogle Scholar
Hasegawa, M. (2002) Linearly used effects: Monadic and CPS transformations into the linear lambda calculus. In International Symposium on Functional and Logic Programming (FLOPS'02). LNCS, vol. 2441. Springer, pp. 167182.CrossRefGoogle Scholar
Hasegawa, M. (2004) Semantics of linear continuation-passing in call-by-name. In International Symposium on Functional and Logic Programming (FLOPS'04). LNCS, vol. 2998. Springer, pp. 229243.CrossRefGoogle Scholar
Jones, C. (2007) Splitting atoms safely. Theor. Comput. Sci. 375, 109119.CrossRefGoogle Scholar
Jones, C. B. (1983) Specification and design of (parallel) programs. In IFIP Congress, pp. 321332.Google Scholar
Klein, G. (2009) Operating system verification–an overview. Sādhanā 34, 2669.CrossRefGoogle Scholar
Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H. & Winwood, S. (2009) seL4: Formal verification of an OS kernel. In Symposium on Operating Systems Principles (SOSP'09). ACM, pp. 207220.Google Scholar
Laird, J. (2005) Game semantics and linear CPS interpretation. Theor. Comput. Sci. 333 (1–2), 199224.CrossRefGoogle Scholar
Love, R. (2010) Linux Kernel Development, 3rd ed. Addison Wesley.Google Scholar
Maeda, T. & Yonezawa, A. (2009) Writing an OS kernel in a strictly and statically typed language. In Formal to Practical Security. LNCS, vol. 5458. Springer, pp. 181197.CrossRefGoogle Scholar
Ni, Z. & Shao, Z. (2006) Certified assembly programming with embedded code pointers. In Symposium on Principles of Programming Languages (POPL'06). ACM, pp. 320333.Google Scholar
O'Hearn, P. W. (2007) Resources, concurrency and local reasoning. Theor. Comput. Sci. 375, 271307.CrossRefGoogle Scholar
Parkinson, M. & Bierman, G. (2005) Separation logic and abstraction. In Symposium on Principles of Programming Languages (POPL'05). ACM, pp. 247258.Google Scholar
Pnueli, A. (1985) In transition from global to modular temporal reasoning about programs. In Logics and Models of Concurrent Systems. Springer, pp. 123144.CrossRefGoogle Scholar
Reynolds, J. C. (2002) Separation logic: A logic for shared mutable data structures. In Symposium on Logic in Computer Science (LICS'02). IEEE, pp. 5574.Google Scholar
Schwinghammer, J., Birkedal, L., Reus, B. & Yang, H. (2009) Nested Hoare triples and frame rules for higher-order store. In Conference on Computer Science Logic (CSL'09). LNCS, vol. 5771. Springer, pp. 440454.CrossRefGoogle Scholar
Shao, Z. (2010) Certified software. Commun. ACM 53 (12), 5666.CrossRefGoogle Scholar
Thielecke, H. (2003) From control effects to typed continuation passing. In Symposium on Principles of Programming Languages (POPL'03). ACM, pp. 139149.Google Scholar
Turon, A. & Wand, M. (2011) A separation logic for refining concurrent objects. In Symposium on Principles of Programming Languages (POPL'11). ACM, pp. 247258.Google Scholar
Vafeiadis, V. & Parkinson, M. J. (2007) A marriage of rely/guarantee and separation logic. In Conference on Concurrency Theory (CONCUR'07). LNCS, vol. 4703. Springer, pp. 256271.Google Scholar
Yang, J. & Hawblitzel, C. (2010) Safe to the last instruction: Automated verification of a type-safe operating system. In Conference on Programming Language Design and Implementation (PLDI'10). ACM, pp. 99110.Google Scholar
Supplementary material: PDF

Gotsman supplementary material

Gotsman supplementary material

Download Gotsman supplementary material(PDF)
PDF 172.5 KB
Submit a response

Discussions

No Discussions have been published for this article.