Abstract
We have developed a stack of semantics for a high-level C-like language and low-level assembly code, carefully crafted to support the pervasive verification of system software. It handles mixed-language implementations and concurrently operating devices, and permits the transfer of properties to the target architecture while obeying its resource restrictions. We demonstrate the applicability of our framework by proving the correct virtualization of user memory in our microkernel, which implements demand paging. This verification target is of particular interest because it has a relatively simple top-level specification and it exercises all parts of our semantics stack. At the bottom level, a disk driver written in assembly implements page transfers via a swap disk. A page-fault handler written in C uses the driver to implement the paging algorithm. It guarantees that a step of the currently executing user process can be simulated at the architecture level. Besides the theoretical and technical difficulties, the project also posed the social challenge of managing a large verification effort, spread over many sites and people concurrently contributing to and maintaining a common theory corpus. We share our experiences and elaborate on lessons learned.
Additional information
Work supported by the German Federal Ministry of Education and Research (BMBF) under grant 01 IS C38. Work of the first and the third author supported by DFG Graduiertenkolleg “Leistungsgarantien für Rechnersysteme”. Work of the fifth author supported by the International Max Planck Research School for Computer Science (IMPRS-CS).
Cite this article
Alkassar, E., Hillebrand, M.A., Leinenbach, D.C. et al. Balancing the Load. J Autom Reasoning 42, 389–454 (2009). https://doi.org/10.1007/s10817-009-9123-z