Tentative steps toward a development method for interfering programs
ACM Transactions on Programming Languages and Systems (TOPLAS)
Kit: A Study in Operating System Verification
IEEE Transactions on Software Engineering
A syntactic approach to type soundness
Information and Computation
From system F to typed assembly language
POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
An axiomatic basis for computer programming
Communications of the ACM - Special 25th Anniversary Issue
Experience with processes and monitors in Mesa
Communications of the ACM
Monitors: an operating system structuring concept
Communications of the ACM
BI as an assertion language for mutable data structures
POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Enforcing high-level protocols in low-level software
Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Separation Logic: A Logic for Shared Mutable Data Structures
LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
A Semantic Basis for Local Reasoning
FoSSaCS '02 Proceedings of the 5th International Conference on Foundations of Software Science and Computation Structures
FTRTFT '02 Proceedings of the 7th International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems: Co-sponsored by IFIP WG 2.2
Separation and information hiding
Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Permission accounting in separation logic
Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Modular verification of concurrent assembly code with dynamic thread creation and termination
Proceedings of the tenth ACM SIGPLAN international conference on Functional programming
Modular verification of assembly code with stack-based control abstractions
Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
An open framework for foundational proof-carrying code
TLDI '07 Proceedings of the 2007 ACM SIGPLAN international workshop on Types in languages design and implementation
A general framework for certifying garbage collectors and their mutators
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Interrupt Verification via Thread Verification
Electronic Notes in Theoretical Computer Science (ENTCS)
On the relationship between concurrent separation logic and assume-guarantee reasoning
ESOP'07 Proceedings of the 16th European conference on Programming
Type-based analysis of deadlock for a concurrent calculus with interrupts
ESOP'07 Proceedings of the 16th European conference on Programming
A tutorial on satisfiability modulo theories
CAV'07 Proceedings of the 19th international conference on Computer aided verification
Local reasoning for storable locks and threads
APLAS'07 Proceedings of the 5th Asian conference on Programming languages and systems
Using XCAP to certify realistic systems code: machine context management
TPHOLs'07 Proceedings of the 20th international conference on Theorem proving in higher order logics
Oracle semantics for concurrent separation logic
ESOP'08/ETAPS'08 Proceedings of the Theory and practice of software, 17th European conference on Programming languages and systems
Smallfoot: modular automatic assertion checking with separation logic
FMCO'05 Proceedings of the 4th international conference on Formal Methods for Components and Objects
On the correctness of operating system kernels
TPHOLs'05 Proceedings of the 18th international conference on Theorem Proving in Higher Order Logics
A marriage of rely/guarantee and separation logic
CONCUR'07 Proceedings of the 18th international conference on Concurrency Theory
Safe to the last instruction: automated verification of a type-safe operating system
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Automated verification of a small hypervisor
VSTTE'10 Proceedings of the Third international conference on Verified software: theories, tools, experiments
Pervasive verification of an OS microkernel: inline assembly, memory consumption, concurrent devices
VSTTE'10 Proceedings of the Third international conference on Verified software: theories, tools, experiments
Correctness proofs for device drivers in embedded systems
SSV'10 Proceedings of the 5th international conference on Systems software verification
Modular specification and verification of interprocess communication
Proceedings of the 2010 Conference on Formal Methods in Computer-Aided Design
VSTTE'12 Proceedings of the 4th international conference on Verified Software: theories, tools, experiments
Investigating time properties of interrupt-driven programs
SBMF'12 Proceedings of the 15th Brazilian conference on Formal Methods: foundations and applications
Hi-index | 0.00 |
Hardware interrupts are widely used in the world's critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques--including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method--have consistently ignored the issues of interrupts; this severely limits the applicability and power of today's program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to--for the first time--successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.