Should We Balance? Towards Formal Verification of the Linux Kernel Scheduler

Conference paper, Static Analysis (SAS 2024)

Abstract

The frequent tweaking of heuristics in the Linux kernel task scheduler suggests a need for formal verification, to ensure that important properties are maintained. Nevertheless, writing and verifying specifications for Linux kernel code have been considered to be impractical, leading other operating system verification efforts to propose co-design of new code and associated specifications instead. Furthermore, the Linux kernel evolves frequently, making any verification effort quickly out of date. Still, verification tools for C code are becoming more and more robust. In this paper, we explore whether it is now possible to apply formal verification directly to Linux kernel code, and to maintain the resulting specifications as the Linux kernel evolves. Our experiment focuses on the function should_we_balance, which is the gatekeeper to the Linux kernel scheduler’s load balancer, and on the verification tool Frama-C.


Notes

  1. https://docs.sel4.systems/releases/sel4/12.1.0.

  2. The load balancer is implemented in kernel/sched/fair.c. load_balance() was renamed sched_balance_rq() in Linux 6.10.

  3. for_each_cpu_and is a macro of the Linux kernel. It expands to a for loop header.

  4. https://zenodo.org/records/13132904 (10.5281/zenodo.13132903).

  5. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/.

  6. This predicate is actually defined as a macro, to expose the constituent properties to the SMT solvers used by Frama-C without relying on the solver to unfold predicates.

  7. https://github.com/verifast/verifast/issues/{500,507}.

Acknowledgements

We would like to thank the Frama-C team for their quick and thorough feedback throughout this work. We would like to thank Olivier Danvy and Xavier Rival for their feedback on preliminary drafts of this paper. This work was supported in part by the ANR grants VeriAMOS and EMASS.

Author information

Corresponding author: Julia Lawall.

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Lawall, J., Nishimura, K., Lozi, JP. (2025). Should We Balance? Towards Formal Verification of the Linux Kernel Scheduler. In: Giacobazzi, R., Gorla, A. (eds) Static Analysis. SAS 2024. Lecture Notes in Computer Science, vol 14995. Springer, Cham. https://doi.org/10.1007/978-3-031-74776-2_8

  • DOI: https://doi.org/10.1007/978-3-031-74776-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-74775-5

  • Online ISBN: 978-3-031-74776-2

  • eBook Packages: Computer Science (R0)