Modelization and verification of a multiprocessor realtime OS kernel

This paper reports the experience of the Software Engineering Laboratory of the National Research Council of Canada with the modelling and verification of the kernel of Harmony, a portable real-time multitasking multiprocessor operating system. We explain the aim of this study and give the first results. We use a modelling approach and formalize the models of the system, the scenarios and the properties to be checked in PROMELA, using the SPIN tool. Several models of the system were produced with various degrees of abstraction and completeness. The most recent is a tractable one that enables the expression, simulation and verification of any scenario consisting of a bounded number of tasks that may use all the services of the kernel. An exhaustive verification of the intertask communication features of Harmony was carried out by model checking. It revealed a bug that had been in the system for more than ten years. The first verifications of the dynamic task management primitives led to the discovery of other bugs and serious critical races. This paper shows that formal methods can detect more than deadlocks when applied to a real medium-sized operating system with complex internal management.
