Formal methods: a practical tool for OS implementors

The formal methods community has long known about the need to formally analyze concurrent software, but the operating systems (OS) community has been slow to adopt such methods. The foremost reasons for this are the cultural and knowledge gaps between formalists and OS hackers, fostered by three beliefs: inaccessibility of the tools, the disabling gap between the validated model and actual implementation, and the intractable size of OSs. In this paper, we show these beliefs to be untrue for appropriately structured OSs. We applied formal methods to verify properties of the implementation of the Fluke microkernel's IPC (interprocess communication) subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, certain liveness properties and lack of deadlock, with results that apply to both SMP (scalable multiprocessor) and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easily accessible to programmers inexperienced with formal methods. We present our results as a starting point for a more comprehensive inclusion of formal methods in practical OS development.
