Verifying concurrent, crash-safe systems with Perennial

This paper introduces Perennial, a framework for verifying concurrent, crash-safe systems. Perennial extends the Iris concurrency framework with three techniques to enable crash-safety reasoning: recovery leases, recovery helping, and versioned memory. To ease development and deployment of applications, Perennial provides Goose, a subset of Go and a translator from that subset to a model in Perennial with support for reasoning about Go threads, data structures, and file-system primitives. We implemented and verified a crash-safe, concurrent mail server using Perennial and Goose that achieves speedup on multiple cores. Both Perennial and Iris use the Coq proof assistant, and the mail server and the framework's proofs are machine checked.

[1]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[2]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[3]  Jim Gray,et al.  Notes on Data Base Operating Systems , 1978, Advanced Course: Operating Systems.

[4]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[5]  Butler W. Lampson,et al.  Verifying concurrent software using movers in CSPEC , 2018, OSDI.

[6]  Nicolas Christin,et al.  Push-Button Verification of File Systems via Crash Refinement , 2016, USENIX Annual Technical Conference.

[7]  Lars Birkedal,et al.  Iron: managing obligations in higher-order concurrent separation logic , 2019, Proc. ACM Program. Lang..

[8]  Adam Chlipala,et al.  Chapar: certified causally consistent distributed key-value stores , 2016, POPL.

[9]  Ramana Kumar,et al.  Verified Characteristic Formulae for CakeML , 2017, ESOP.

[10]  Arthur Charguéraud,et al.  Characteristic formulae for the verification of imperative programs , 2011, ICFP.

[11]  Adam Chlipala,et al.  Using Crash Hoare logic for certifying the FSCQ file system , 2015, USENIX Annual Technical Conference.

[12]  Andrew W. Appel,et al.  VST-Floyd: A Separation Logic Tool to Verify Correctness of C Programs , 2018, Journal of Automated Reasoning.

[13]  Emina Torlak,et al.  Nickel: A Framework for Design and Verification of Information Flow Control Systems , 2018, OSDI.

[14]  Magnus O. Myreen,et al.  Proof-producing synthesis of ML from higher-order logic , 2012, ICFP.

[15]  Lars Birkedal,et al.  A relational model of types-and-effects in higher-order concurrent separation logic , 2017, POPL.

[16]  Shaz Qadeer,et al.  Layered Concurrent Programs , 2018, CAV.

[17]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[18]  F. Vaandrager Forward and Backward Simulations Part I : Untimed Systems , 1993 .

[19]  Philippa Gardner,et al.  Fault-Tolerant Resource Reasoning , 2015, APLAS.

[20]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[21]  Derek Dreyer,et al.  RustBelt: securing the foundations of the rust programming language , 2017, Proc. ACM Program. Lang..

[22]  Nikhil Swamy,et al.  Verified low-level programming embedded in F* , 2017, Proc. ACM Program. Lang..

[23]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[24]  Benjamin C. Pierce,et al.  From C to interaction trees: specifying, verifying, and testing a networked server , 2018, CPP.

[25]  Zhong Shao,et al.  Certified concurrent abstraction layers , 2018, PLDI.

[26]  Xi Wang,et al.  Verdi: a framework for implementing and formally verifying distributed systems , 2015, PLDI.

[27]  Maurice Herlihy,et al.  Wait-free synchronization , 1991, TOPL.

[28]  Stephanie Weirich,et al.  Total Haskell is reasonable Coq , 2017, CPP.

[29]  Srinath T. V. Setty,et al.  IronFleet: proving practical distributed systems correct , 2015, SOSP.

[30]  Joseph Tassarotti,et al.  Argosy: verifying layered storage systems with recovery refinement , 2019, PLDI.

[31]  BirkedalLars,et al.  Unifying refinement and hoare-style reasoning in a logic for higher-order concurrency , 2013 .

[32]  Ilya Sergey,et al.  Mechanized verification of fine-grained concurrent programs , 2015, PLDI.

[33]  Ronghui Gu,et al.  Using concurrent relational logic with helpers for verifying the AtomFS file system , 2019, SOSP.

[34]  Sidney Amani,et al.  Complx: a verification framework for concurrent imperative programs , 2017, Arch. Formal Proofs.

[35]  Hongseok Yang,et al.  Views: compositional reasoning for concurrent programs , 2013, POPL.

[36]  Pierre Letouzey Extraction in Coq: An Overview , 2008, CiE.

[37]  Gidon Ernst,et al.  Modular, crash-safe refinement for ASMs with submachines , 2016, Sci. Comput. Program..

[38]  Emina Torlak,et al.  Scaling symbolic evaluation for automated verification of systems code with Serval , 2019, SOSP.

[39]  Lars Birkedal,et al.  The Essence of Higher-Order Concurrent Separation Logic , 2017, ESOP.

[40]  Danfeng Zhang,et al.  Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.