Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads

Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques—including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.

[1]  Natarajan Shankar,et al.  A Tutorial on Satisfiability Modulo Theories , 2007, CAV.

[2]  Xinyu Feng,et al.  Combining Domain-Specific and Foundational Logics to Verify Complete Software Systems , 2008, VSTTE.

[3]  Yu Guo,et al.  An open framework for foundational proof-carrying code , 2007, TLDI '07.

[4]  Andrew W. Appel,et al.  Oracle Semantics for Concurrent Separation Logic , 2008, ESOP.

[5]  Charles Antony Richard Hoare Towards a theory of parallel programming , 2002 .

[6]  John Regehr,et al.  Interrupt Verification via Thread Verification , 2007, Electron. Notes Theor. Comput. Sci..

[7]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[8]  Per Brinch Hansen,et al.  The programming language Concurrent Pascal , 1975, IEEE Transactions on Software Engineering.

[9]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[10]  C. A. R. Hoare,et al.  Monitors: an operating system structuring concept , 1974, CACM.

[11]  Karl Crary,et al.  From system F to typed assembly language , 1999, TOPL.

[12]  James R. Larus,et al.  Singularity Design Motivation , 2004 .

[13]  Zhong Shao,et al.  Local Reasoning and Information Hiding in SCAP , 2008 .

[14]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[15]  Xinyu Feng,et al.  Modular verification of assembly code with stack-based control abstractions , 2006, PLDI '06.

[16]  Zhong Shao,et al.  Using XCAP to Certify Realistic Systems Code: Machine Context Management , 2007, TPHOLs.

[17]  Naoki Kobayashi,et al.  Type-Based Analysis of Deadlock for a Concurrent Calculus with Interrupts , 2007, ESOP.

[18]  Thomas Kleymann,et al.  Metatheory of Verification Calculi in LEGO - To what Extent Does Syntax Matter? , 1998, TYPES.

[19]  Stephen Brookes A semantics for concurrent separation logic , 2007, Theor. Comput. Sci..

[20]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[21]  Xinyu Feng,et al.  On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning , 2007, ESOP.

[22]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[23]  Gernot Heiser,et al.  OS Verification - Now! , 2005, HotOS.

[24]  Mark A. Hillebrand,et al.  On the Correctness of Operating System Kernels , 2005, TPHOLs.

[25]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[26]  Long Li,et al.  A general framework for certifying garbage collectors and their mutators , 2007, PLDI '07.

[27]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[28]  Butler W. Lampson,et al.  Experience with processes and monitors in Mesa , 1980, CACM.

[29]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.

[30]  Peter W. O'Hearn,et al.  BI as an assertion language for mutable data structures , 2001, POPL '01.

[31]  Peter W. O'Hearn,et al.  A Semantic Basis for Local Reasoning , 2002, FoSSaCS.

[32]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[33]  Jens Palsberg,et al.  A Typed Interrupt Calculus , 2002, FTRTFT.

[34]  Yu Guo,et al.  Certifying low-level programs with hardware interrupts and preemptive threads , 2008, PLDI '08.

[35]  C. A. R. Hoare,et al.  An Axiomatic Basis for Computer Programming (Reprint) , 2002, Software Pioneers.

[36]  William R. Bevier,et al.  Kit: A Study in Operating System Verification , 1989, IEEE Trans. Software Eng..

[37]  Xinyu Feng,et al.  Modular verification of concurrent assembly code with dynamic thread creation and termination , 2005, ICFP '05.

[38]  Alexey Gotsman,et al.  Local Reasoning for Storable Locks and Threads , 2007, APLAS.

[39]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[40]  Christine Paulin-Mohring,et al.  The coq proof assistant reference manual , 2000 .

[41]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..