Verifying a File System Implementation

We present a correctness proof for a basic file system implementation. This implementation contains key elements of standard Unix file systems such as inodes and fixed-size disk blocks. We prove the implementation correct by establishing a simulation relation between the specification of the file system (which models the file system as an abstract map from file names to sequences of bytes) and its implementation (which uses fixed-size disk blocks to store the contents of the files). We used the Athena proof system to represent and validate our proof. Our experience indicates that Athena’s use of block-structured natural deduction, support for structural induction and proof abstraction, and seamless integration with high-performance automated theorem provers were essential to our ability to successfully manage a proof of this size.
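The refinement argument the abstract describes, as an added executable model (not the paper's Athena proof): a specification that is a map from names to byte strings, an implementation that scatters file contents across fixed-size blocks indexed by per-file inodes, an abstraction function from implementation state to specification state, and a check that every write step commutes with that function (a forward simulation along one trace). The block size, class and function names are assumptions made for this example.

```python
# Added example: toy model of the file-system refinement in the abstract.
BLOCK_SIZE = 4  # constructed: tiny blocks so short files span several blocks

class SpecFS:
    """Specification: the file system is an abstract map name -> byte sequence."""
    def __init__(self):
        self.files = {}
    def write(self, name, data):
        self.files[name] = bytes(data)
    def read(self, name):
        return self.files.get(name, b"")

class BlockFS:
    """Implementation: inodes record a length and the block numbers holding the data."""
    def __init__(self):
        self.blocks = {}     # block number -> exactly BLOCK_SIZE bytes
        self.inodes = {}     # name -> (byte length, [block numbers in order])
        self.next_block = 0  # next free block number (no reuse, for simplicity)
    def write(self, name, data):
        data = bytes(data)
        for b in self.inodes.get(name, (0, []))[1]:  # release the old blocks first
            del self.blocks[b]
        nums = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            self.blocks[self.next_block] = chunk + b"\0" * (BLOCK_SIZE - len(chunk))  # pad last block
            nums.append(self.next_block)
            self.next_block += 1
        self.inodes[name] = (len(data), nums)  # the stored length strips the padding on read
    def read(self, name):
        return abstract(self).get(name, b"")

def abstract(impl):
    """Abstraction function: rebuild the spec-level map from inodes and blocks."""
    return {name: b"".join(impl.blocks[b] for b in nums)[:length]
            for name, (length, nums) in impl.inodes.items()}

def simulates(trace):
    """Forward simulation along one trace of writes: after each implementation step,
    abstracting the block state must give exactly the specification state."""
    spec, impl = SpecFS(), BlockFS()
    for name, data in trace:
        spec.write(name, data)
        impl.write(name, data)
        if abstract(impl) != spec.files:  # the commuting diagram fails here
            return False
    return True

# Constructed trace: multi-block file, empty file, overwrite, block-aligned file.
SAMPLE_TRACE = [("a", b"hello world"), ("b", b""), ("a", b"hi"), ("c", b"12345678")]
```

The trace deliberately includes an empty file, an overwrite that shrinks a file, and a file whose length is a multiple of the block size, since those are the cases where a wrong length bookkeeping or padding scheme breaks the simulation.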
