Modular verification of preemptive OS kernels

  • ALEXEY GOTSMAN (a1) and HONGSEOK YANG (a2)

Abstract

Most major OS kernels today run on multiprocessor systems and are preemptive: it is possible for a process running in kernel mode to get descheduled. Existing modular techniques for verifying concurrent code are not directly applicable in this setting: they rely on scheduling being implemented correctly, and in a preemptive kernel, the correctness of the scheduler is interdependent with the correctness of the code it schedules. This interdependency is even stronger in mainstream kernels, such as those of Linux, FreeBSD or Mac OS X, where the scheduler and processes interact in complex ways. We propose the first logic that is able to decompose the verification of preemptive multiprocessor kernel code into verifying the scheduler and the rest of the kernel separately, even in the presence of complex interdependencies between the two components. The logic hides the manipulation of control by the scheduler when reasoning about preemptable code and soundly inherits proof rules from concurrent separation logic to verify it thread-modularly. We illustrate the power of our logic by verifying an example scheduler, which includes some of the key features of the Linux 2.6.11 scheduler that are challenging for verification.

