Certified concurrent abstraction layers

Concurrent abstraction layers are ubiquitous in modern computer systems because of the pervasiveness of multithreaded programming and multicore hardware. Abstraction layers are used to hide the implementation details (e.g., fine-grained synchronization) and reduce the complex dependencies among components at different levels of abstraction. Despite their obvious importance, concurrent abstraction layers have not been treated formally. This severely limits the applicability of layer-based techniques and makes it difficult to scale verification across multiple concurrent layers. In this paper, we present CCAL---a fully mechanized programming toolkit developed under the CertiKOS project---for specifying, composing, compiling, and linking certified concurrent abstraction layers. CCAL consists of three technical novelties: a new game-theoretical, strategy-based compositional semantic model for concurrency (and its associated program verifiers), a set of formal linking theorems for composing multithreaded and multicore concurrent layers, and a new CompCertX compiler that supports certified thread-safe compilation and linking. The CCAL toolkit is implemented in Coq and supports layered concurrent programming in both C and assembly. It has been successfully applied to build a fully certified concurrent OS kernel with fine-grained locking.

[1]  Kim B. Clark,et al.  Design Rules: The Power of Modularity , 2000 .

[2]  Zhong Shao,et al.  Safety and Liveness of MCS Lock - Layer by Layer , 2017, APLAS.

[3]  Susumu Nishimura A Fully Abstract Game Semantics for Parallelism with Non-Blocking Synchronization on Shared Variables , 2013, CSL.

[4]  D. M. Hutton,et al.  The Art of Multiprocessor Programming , 2008 .

[5]  Lars Birkedal,et al.  Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning , 2015, POPL.

[6]  Ilya Sergey,et al.  Communicating State Transition Systems for Fine-Grained Concurrent Resources , 2014, ESOP.

[7]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[8]  Xinyu Feng,et al.  On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning , 2007, ESOP.

[9]  Serdar Tasiran,et al.  Automated and Modular Refinement Reasoning for Concurrent Programs , 2015, CAV.

[10]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[11]  Andrzej S. Murawski,et al.  Angelic semantics of fine-grained concurrency , 2008, Ann. Pure Appl. Log..

[12]  Xinyu Feng,et al.  Compositional verification of termination-preserving refinement of concurrent programs , 2014, CSL-LICS.

[13]  Philippa Gardner,et al.  TaDA: A Logic for Time and Data Abstraction , 2014, ECOOP.

[14]  Samson Abramsky,et al.  Concurrent games and full completeness , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[15]  Andrzej S. Murawski,et al.  Angelic Semantics of Fine-Grained Concurrency , 2004, FoSSaCS.

[16]  Peter W. O'Hearn,et al.  Abstraction for concurrent objects , 2009, Theor. Comput. Sci..

[17]  Danfeng Zhang,et al.  Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.

[18]  Jerome H. Saltzer,et al.  Chapter 1 – Systems , 2009 .

[19]  Glynn Winskel,et al.  Concurrent Strategies , 2011, 2011 IEEE 26th Annual Symposium on Logic in Computer Science.

[20]  Chris Hawblitzel,et al.  Safe to the last instruction: automated verification of a type-safe operating system , 2011, CACM.

[21]  David Park,et al.  Concurrency and Automata on Infinite Sequences , 1981, Theoretical Computer Science.

[22]  Andrzej S. Murawski,et al.  An invitation to game semantics , 2016, SIGL.

[23]  Seif Haridi,et al.  Distributed Algorithms , 1992, Lecture Notes in Computer Science.

[24]  Xinyu Feng,et al.  A program logic for concurrent objects under fair scheduling , 2016, POPL.

[25]  Frank Piessens,et al.  Expressive modular fine-grained concurrency specification , 2011, POPL '11.

[26]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[27]  N. Lynch,et al.  Forward and backward simulations , 1993 .

[28]  Andrew W. Appel,et al.  Compositional CompCert , 2015, POPL.

[29]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[30]  Philippa Gardner,et al.  Modular Termination Verification for Non-blocking Concurrency , 2016, ESOP.

[31]  Lars Birkedal,et al.  Polymorphism and separation in hoare type theory , 2006, ICFP '06.

[32]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[33]  Xinyu Feng,et al.  A Practical Verification Framework for Preemptive OS Kernels , 2016, CAV.

[34]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[35]  Xinyu Feng,et al.  Characterizing Progress Properties of Concurrent Objects via Contextual Refinements , 2013, CONCUR.

[36]  Francesco Zappa Nardelli,et al.  x86-TSO , 2010, Commun. ACM.

[37]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[38]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[39]  Hongseok Yang,et al.  Verifying Concurrent Memory Reclamation Algorithms with Grace , 2013, ESOP.

[40]  Lars Birkedal,et al.  Unifying refinement and hoare-style reasoning in a logic for higher-order concurrency , 2013, ICFP.

[41]  Yu Guo,et al.  Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads , 2009, Journal of Automated Reasoning.

[42]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[43]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[44]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[45]  Davide Sangiorgi,et al.  The Pi-Calculus - a theory of mobile processes , 2001 .

[46]  Ilya Sergey,et al.  Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity , 2014, ESOP.

[47]  Nile W. Hatch,et al.  Design Rules, Volume 1: The Power of Modularity , 2001 .

[48]  Robin Milner,et al.  An Algebraic Definition of Simulation Between Programs , 1971, IJCAI.

[49]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[50]  Michael L. Scott,et al.  Algorithms for scalable synchronization on shared-memory multiprocessors , 1991, TOCS.

[51]  Jerome H. Saltzer,et al.  Principles Of Computer System Design , 2013 .

[52]  Hongseok Yang,et al.  Linearizability with Ownership Transfer , 2012, CONCUR.

[53]  Stephen D. Brookes,et al.  A Semantics for Concurrent Separation Logic , 2004, CONCUR.

[54]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[55]  Xinyu Feng Local rely-guarantee reasoning , 2009, POPL '09.

[56]  Ilya Sergey,et al.  Mechanized verification of fine-grained concurrent programs , 2015, PLDI.

[57]  Xinyu Feng,et al.  A rely-guarantee-based simulation for verifying concurrent program transformations , 2012, POPL '12.

[58]  Francesco Zappa Nardelli,et al.  86-TSO : A Rigorous and Usable Programmer ’ s Model for x 86 Multiprocessors , 2010 .

[59]  Lars Birkedal,et al.  Logical relations for fine-grained concurrency , 2013, POPL.

[60]  Aleksandar Nanevski,et al.  Subjective auxiliary state for coarse-grained concurrency , 2013, POPL.

[61]  Thomas Anderson,et al.  Operating Systems: Principles and Practice , 2012 .

[62]  Yu Zhang,et al.  Reasoning about Optimistic Concurrency Using a Program Logic for History , 2010, CONCUR.