Separation Logic: A Logic for Shared Mutable Data Structures
LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
Understanding The Linux Kernel
Understanding The Linux Kernel
Modular verification of assembly code with stack-based control abstractions
Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
An open framework for foundational proof-carrying code
TLDI '07 Proceedings of the 2007 ACM SIGPLAN international workshop on Types in languages design and implementation
Theoretical Computer Science
Resources, concurrency, and local reasoning
Theoretical Computer Science
Certifying low-level programs with hardware interrupts and preemptive threads
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Combining Domain-Specific and Foundational Logics to Verify Complete Software Systems
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
Writing an OS Kernel in a Strictly and Statically Typed Language
Formal to Practical Security
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
On the relationship between concurrent separation logic and assume-guarantee reasoning
ESOP'07 Proceedings of the 16th European conference on Programming
Local reasoning for storable locks and threads
APLAS'07 Proceedings of the 5th Asian conference on Programming languages and systems
Safe to the last instruction: automated verification of a type-safe operating system
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Linux Kernel Development
Concurrent abstract predicates
ECOOP'10 Proceedings of the 24th European conference on Object-oriented programming
A separation logic for refining concurrent objects
Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Modular verification of preemptive OS kernels
Proceedings of the 16th ACM SIGPLAN international conference on Functional programming
Local verification of global invariants in concurrent programs
CAV'10 Proceedings of the 22nd international conference on Computer Aided Verification
On the correctness of operating system kernels
TPHOLs'05 Proceedings of the 18th international conference on Theorem Proving in Higher Order Logics
A marriage of rely/guarantee and separation logic
CONCUR'07 Proceedings of the 18th international conference on Concurrency Theory
Modular verification of preemptive OS kernels
Proceedings of the 16th ACM SIGPLAN international conference on Functional programming
Precision and the Conjunction Rule in Concurrent Separation Logic
Electronic Notes in Theoretical Computer Science (ENTCS)
Improving interrupt response time in a verifiable protected microkernel
Proceedings of the 7th ACM european conference on Computer Systems
On the formal verification of component-based embedded operating systems
ACM SIGOPS Operating Systems Review
Hi-index | 0.00 |
Most major OS kernels today run on multiprocessor systems and are preemptive: it is possible for a process running in the kernel mode to get descheduled. Existing modular techniques for verifying concurrent code are not directly applicable in this setting: they rely on scheduling being implemented correctly, and in a preemptive kernel, the correctness of the scheduler is interdependent with the correctness of the code it schedules. This interdependency is even stronger in mainstream kernels, such as Linux, FreeBSD or XNU, where the scheduler and processes interact in complex ways. We propose the first logic that is able to decompose the verification of preemptive multiprocessor kernel code into verifying the scheduler and the rest of the kernel separately, even in the presence of complex interdependencies between the two components. The logic hides the manipulation of control by the scheduler when reasoning about preemptable code and soundly inherits proof rules from concurrent separation logic to verify it thread-modularly. This is achieved by establishing a novel form of refinement between an operational semantics of the real machine and an axiomatic semantics of OS processes, where the latter assumes an abstract machine with each process executing on a separate virtual CPU. The refinement is local in the sense that the logic focuses only on the relevant state of the kernel while verifying the scheduler. We illustrate the power of our logic by verifying an example scheduler, modelled on the one from Linux 2.6.11.