Skip to main content
SpringerLink
Log in

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads

  • Published:
Journal of Automated Reasoning Aims and scope Submit manuscript

Abstract

Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques—including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Berdine, J., Calcagno, C., O’Hearn, P.W.: Smallfoot: modular automatic assertion checking with separation logic. In: Proc. 4th International Symposium on Formal Methods for Components and Objects (FMCO’05). LNCS, vol. 4111, pp. 115–137. Springer, New York (2005)

  2. Bevier, W.R.: Kit: a study in operating system verification. IEEE Trans. Softw. Eng. 15(11), 1382–1396 (1989)

    Article  Google Scholar 

  3. Bornat, R., Calcagno, C., O’Hearn, P., Parkinson, M.: Permission accounting in separation logic. In: Proc. 32nd ACM Symp. on Principles of Prog. Lang., pp. 259–270. ACM, New York (2005)

  4. Brinch Hansen, P.: The programming language concurrent pascal. IEEE Trans. Software Eng. 1(2), 199–207 (1975)

    Google Scholar 

  5. Brookes, S.: A semantics for concurrent separation logic. In: Proc. 15th Int’l Conf. on Concurrency Theory (CONCUR’04). LNCS, vol. 3170, pp. 16–34. Springer, New York (2004)

  6. Coq Development Team: The Coq proof assistant reference manual. The Coq release v8.1 (2006)

  7. DeLine, R., Fähndrich, M.: Enforcing high-level protocols in low-level software. In: Proc. 2001 ACM Conf. on Prog. Lang. Design and Impl., pp. 59–69. ACM, New York (2001)

  8. Feng, X., Ferreira, R., Shao, Z.: On the relationship between concurrent separation logic and assume-guarantee reasoning. In: Proc. 16th European Symp. on Prog. (ESOP’07). LNCS, vol. 4421, pp. 173–188. Springer, New York (2007)

  9. Feng, X., Ni, Z., Shao, Z., Guo, Y.: An open framework for foundational proof-carrying code. In: Proc. 2007 ACM Workshop on Types in Lang. Design and Impl., pp. 67–78. ACM, New York (2007)

  10. Feng, X., Shao, Z.: Modular verification of concurrent assembly code with dynamic thread creation and termination. In: Proc. 2005 ACM Int’l Conf. on Functional Prog., pp. 254–267. ACM, New York (2005)

  11. Feng, X., Shao, Z.: Local reasoning and information hiding in SCAP. Tech. rep. YALEU/DCS/TR-1398, Dept. of Computer Science, Yale University, New Haven, CT (2008). http://flint.cs.yale.edu/publications/SCAPFrame.html

  12. Feng, X., Shao, Z., Guo, Y., Dong, Y.: Combining domain-specific and foundational logics to verify complete software systems. In: Proc. Second IFIP Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE’08). LNCS, vol. 5295, pp. 54–69. Springer, New York (2008)

  13. Feng, X., Shao, Z., Vaynberg, A., Xiang, S., Ni, Z.: Modular verification of assembly code with stack-based control abstractions. In: Proc. 2006 ACM Conf. on Prog. Lang. Design and Impl., pp. 401–414. ACM, New York (2006)

  14. Gargano, M., Hillebrand, M.A., Leinenbach, D., Paul, W.J.: On the correctness of operating system kernels. In: Proc. 18th Int’l Conf. on Theorem Proving in Higher Order Logics. LNCS, vol. 3603, pp. 1–16. Springer, New York (2005)

  15. Gotsman, A., Berdine, J., Cook, B., Rinetzky, N., Sagiv, M.: Local reasoning for storable locks and threads. In: Proc. Fifth ASIAN Symp. on Prog. Lang. and Sys. (APLAS’07). LNCS, vol. 4807, pp. 19–37. Springer, New York (2007)

  16. Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 26(1), 53–56 (1969)

    Article  Google Scholar 

  17. Hoare, C.A.R.: Towards a theory of parallel programming. In: Operating Systems Techniques, pp. 61–71. Academic, London (1972)

    Google Scholar 

  18. Hoare, C.A.R.: Monitors: An operating system structuring concept. Commun. ACM 17(10), 549–557 (1974)

    Article  MATH  Google Scholar 

  19. Hobor, A., Appel, A.W., Nardelli, F.Z.: Oracle semantics for concurrent separation logic. In: Proc. 17th European Symp. on Prog. (ESOP’08). LNCS, vol. 4960, pp. 353–367. Springer, New York (2008)

  20. Hunt, G.C., Larus, J.R.: Singularity design motivation. Tech. rep. MSR-TR-2004-105, Microsoft Corporation (2004)

  21. Ishtiaq, S.S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: Proc. 28th ACM Symp. on Principles of Prog. Lang., pp. 14–26. ACM, New York (2001)

  22. Jones, C.B.: Tentative steps toward a development method for interfering programs. ACM Trans. Program. Lang. Syst. 5(4), 596–619 (1983)

    Article  MATH  Google Scholar 

  23. Kleymann, T.: Metatheory of verification calculi in LEGO—to what extent does syntax matter? In: Proc. International Workshop on Types for Proofs and Programs (TYPES’98). LNCS, vol. 1657, pp. 133–148. Springer, New York (1998)

  24. Lampson, B.W., Redell, D.D.: Experience with processes and monitors in Mesa. Commun. ACM 23(2), 105–117 (1980)

    Article  Google Scholar 

  25. McCreight, A., Shao, Z., Lin, C., Li, L.: A general framework for certifying garbage collectors and their mutators. In: Proc. 2007 ACM Conf. on Prog. Lang. Design and Impl., pp. 468–479. ACM, New York (2007)

  26. Morrisett, G., Walker, D., Crary, K., Glew, N.: From system F to typed assembly language. In: Proc. 25th ACM Symp. on Principles of Prog. Lang., pp. 85–97. ACM, New York (1998)

  27. de Moura, L.M., Dutertre, B., Shankar, N.: A tutorial on satisfiability modulo theories. In: Proc. 19th International Conference on Computer Aided Verification (CAV’07). LNCS, vol. 4590, pp. 20–36. Springer, New York (2007)

  28. Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code: machine context management. In: Proc. 20th Int’l Conf. on Theorem Proving in Higher Order Logics. LNCS, vol. 4421, pp. 189–206. Springer, New York (2007)

  29. O’Hearn, P.W.: Resources, concurrency and local reasoning. In: Proc. 15th Int’l Conf. on Concurrency Theory (CONCUR’04). LNCS, vol. 3170, pp. 49–67. Springer, New York (2004)

  30. O’Hearn, P.W., Yang, H., Reynolds, J.C.: Separation and information hiding. In: Proc. 31th ACM Symp. on Principles of Prog. Lang., pp. 268–280. ACM, New York (2004)

  31. Palsberg, J., Ma, D.: A typed interrupt calculus. In: Proc. 7th Int’l Symp. on Formal Tech. in Real-Time and Fault-Tolerant Sys. (FTRTFT’02). LNCS, vol. 2469, pp. 291–310. Springer, New York (2002)

  32. Paul, W., Broy, M., In der Rieden, T.: The Verisoft XT project. http://www.verisoft.de (2007)

  33. Regehr, J., Cooprider, N.: Interrupt verification via thread verification. Electron. Notes Theor. Comput. Sci. 174(9) (2007)

  34. Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proc. 17th Annual IEEE Symp. on Logic in Comp. Sci. (LICS’02), pp. 55–74. IEEE Computer Society, Los Alamitos (2002)

  35. Suenaga, K., Kobayashi, N.: Type based analysis of deadlock for a concurrent calculus with interrupts. In: Proc. 16th European Symp. on Prog. (ESOP’07). LNCS, vol. 4421, pp. 490–504. Springer, New York (2007)

  36. Tuch, H., Klein, G., Heiser, G.: OS verification—now! In: Proc. 10th Workshop on Hot Topics in Operating Systems, Santa Fe, 12–15 June 2005

  37. Vafeiadis, V., Parkinson, M.: A marriage of rely/guarantee and separation logic. In: Proc. 18th Int’l Conf. on Concurrency Theory (CONCUR’07). LNCS, vol. 4703, pp. 256–271. Springer, New York (2007)

  38. Wright, A.K., Felleisen, M.: A syntactic approach to type soundness. Inf. Comput. 115(1), 38–94 (1994)

    Article  MATH  MathSciNet  Google Scholar 

  39. Yang, H., O’Hearn, P.W.: A semantic basis for local reasoning. In: Proc. 5th Int’l Conf. on Foundations of Software Science and Computation Structures (FoSSaCS’02). LNCS, vol. 2303, pp. 402–416. Springer, New York (2002)

Download references

Author information

Authors and Affiliations

  1. Toyota Technological Institute at Chicago, 6045 S. Kenwood Avenue, Chicago, IL, 60637, USA

    Xinyu Feng

  2. Department of Computer Science, Yale University, 51 Prospect Street, New Haven, CT, 06520-8285, USA

    Zhong Shao

  3. Department of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui, 230026, China

    Yu Guo

  4. Department of Computer Science and Technology, Tsinghua University, Beijing, 100084, China

    Yuan Dong

Authors
  1. Xinyu Feng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Zhong Shao
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yu Guo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yuan Dong
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Xinyu Feng.

Additional information

A preliminary version of this paper appeared in the Proceedings of ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation (PLDI’08), pp. 170–182, ACM Press (2008).

Rights and permissions

Reprints and permissions

About this article

Cite this article

Feng, X., Shao, Z., Guo, Y. et al. Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads. J Autom Reasoning 42, 301–347 (2009). https://doi.org/10.1007/s10817-009-9118-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10817-009-9118-9

Keywords

Search

Navigation