Skip to main content
SpringerLink
Log in

Order Reduction for Multi-core Interruptible Operating Systems

  • Conference paper
  • First Online:
Verified Software. Theories, Tools, and Experiments (VSTTE 2016)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 9971))

  • 556 Accesses

Abstract

If one wishes to verify a program in high-level semantics, one has to deal with the fact that the compiled code is run on an architecture very different from the one the program was verified in. For example, one unit of execution in the high-level language can be compiled to a block consisting of multiple units of execution in the target architecture. Order reduction is then the property that this block can indeed be considered to be executed in a single step, i.e., that the behavior of the program remains unchanged. Order reduction is dependent on certain properties of the compiled code, e.g., that there is at most one linearization point in each block. Conditions under which order reduction is possible have been studied in depth for user programs, but not for operating systems. Interruptible operating systems are particularly exciting because inter processor interrupts can interrupt an operating system thread while it has not yet completed a block of execution. In this paper, we show an order reduction theorem for interruptible operating systems. Unlike most order reduction theorems, all properties of the compiled code necessary for order reduction can be verified on the order-reduced program. Thus, one can verify high-level programs completely in the high-level semantics, including the property that the behavior of the program is unchanged when executed on a low-level machine. Furthermore, we make no assumptions about user code. We use a simple ownership annotation which can be deduced mechanically and thus be used to find data races in programs. The order reduction theorem presented here is strong in the sense that multiple memory accesses can be part of a single block, as long as at most one of them is racing.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    As an example, the conditions in Pentchev’s PhD thesis [Pen16] can not be satisfied by any multi-core program.

  2. 2.

    For some architectures, such as TSO, it is possible to apply a reduction theorem that first reduces to a sequentially consistent machine, and then apply the theorem in this paper, to obtain a sequentially consistent C level.

  3. 3.

    Well-synchronized code modification in general is necessary (e.g., for page fault handlers). It is also difficult, and not supported by any other order reduction theorem to the best of our knowledge.

  4. 4.

    Real architectures also have in-service registers, which prevent low-priority interrupts from overtaking high-priority interrupts. Those registers have no effect on the proof.

  5. 5.

    In the scope of this theorem, a jisr step in operating system mode only includes hardware interrupts. Software interrupts in operating system mode, e.g., when using a system call, do not increase the interrupt level or create a new thread and are most certainly not guaranteed to occur at an interleaving point, although they may technically cause a jump to the interrupt service routine.

  6. 6.

    Languages which do not have such a feature usually disallow shared state altogether, e.g., Erlang or Go.

  7. 7.

    Indubitably for weak memory and optimizations, but also for order reduction.

  8. 8.

    At the time of writing, an implementation bug in VCC allows this program to be verified.

  9. 9.
    $$\begin{aligned} c[a{:}=v](b) = {\left\{ \begin{array}{ll} v &{} a = b \\ b &{} \text {o.w.} \end{array}\right. } \end{aligned}$$

    .

  10. 10.

    Baumann’s proof has a small gap here. Baumann simply assumes the existence of a computation with such a shape, without proving that it can be obtained through this reordering.

References

  1. Baumann, C.: Ownership-based order reduction and simulation in shared-memory concurrent computer systems. Ph.D. thesis, Saarland University (2014)

    Google Scholar 

  2. Boehm, H.: N1528: why undefined behavior for infinite loops? http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1528.htm

  3. Chen, G., Cohen, E., Kovalev, M.: Store buffer reduction with MMUs. In: Giannakopoulou, D., Kroening, D. (eds.) VSTTE 2014. LNCS, vol. 8471, pp. 117–132. Springer, Heidelberg (2014). doi:10.1007/978-3-319-12154-3_8

    Google Scholar 

  4. Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: a practical system for verifying concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03359-9_2

    Chapter  Google Scholar 

  5. Cohen, E., Lamport, L.: Reduction in TLA. In: Sangiorgi, D., Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 317–331. Springer, Heidelberg (1998). doi:10.1007/BFb0055631

    Google Scholar 

  6. Feng, X., Shao, Z., Dong, Y., Guo, Y.: Certifying low-level programs with hardware interrupts and preemptive threads. In: ACM SIGPLAN Notices, vol. 43, pp. 170–182. ACM (2008)

    Google Scholar 

  7. Heule, S., Leino, K.R.M., Müller, P., Summers, A.J.: Abstract read permissions: fractional permissions without the fractions. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) VMCAI 2013. LNCS, vol. 7737, pp. 315–334. Springer, Heidelberg (2013). doi:10.1007/978-3-642-35873-9_20

    Chapter  Google Scholar 

  8. Lipton, R.J.: Reduction: a method of proving properties of parallel programs. Commun. ACM 18(12), 717–721 (1975)

    Article  MathSciNet  MATH  Google Scholar 

  9. Oberhauser, J.: Justifying the Semantics of High-Level Languages. Ph.D. thesis, Saarland University, unpublished thesis (2016)

    Google Scholar 

  10. Oberhauser, J.: A simpler reduction theorem for x86-TSO. In: Gurfinkel, A., Seshia, S.A. (eds.) VSTTE 2015. LNCS, vol. 9593, pp. 142–164. Springer, Heidelberg (2016). doi:10.1007/978-3-319-29613-5_9

    Chapter  Google Scholar 

  11. Pentchev, H.: Sound Semantics of a High-Level Language with Interprocessor Interrupts. Ph.D. thesis, Saarland University (2016)

    Google Scholar 

  12. Stoller, S.D., Cohen, E.: Optimistic synchronization-based state-space reduction. Form. Methods Syst. Des. 28(3), 263–289 (2006)

    Article  MATH  Google Scholar 

  13. Sindhu, P.S., Frailong, J.-M., Cekleov, M.: Formal specification of memory models. In: Dubois, M., Thakkar, S. (eds.) Scalable Shared Memory Multiprocessors, pp. 25–41. Springer, US (1992). doi:10.1007/978-1-4615-3604-8_2

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Saarland University, Saarbrücken, Germany

    Jonas Oberhauser

Authors
  1. Jonas Oberhauser
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jonas Oberhauser .

Editor information

Editors and Affiliations

  1. IRISA, University of Rennes 1, Rennes, France

    Sandrine Blazy

  2. Department of Computer Science, University of Toronto, Toronto, Ontario, Canada

    Marsha Chechik

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Oberhauser, J. (2016). Order Reduction for Multi-core Interruptible Operating Systems. In: Blazy, S., Chechik, M. (eds) Verified Software. Theories, Tools, and Experiments. VSTTE 2016. Lecture Notes in Computer Science(), vol 9971. Springer, Cham. https://doi.org/10.1007/978-3-319-48869-1_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-48869-1_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48868-4

  • Online ISBN: 978-3-319-48869-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation