Formal methods: a practical tool for OS implementors

Patrick Tullmann, J. Turner, J. McCorquodale, Jay Lepreau, Ajaya Chitturi, Godmar Back
Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133), published 1997-05-05
DOI: 10.1109/HOTOS.1997.595176 (https://doi.org/10.1109/HOTOS.1997.595176)
Citations: 31

Abstract

The formal methods community has long known about the need to formally analyze concurrent software, but the operating systems (OS) community has been slow to adopt such methods. The foremost reasons for this are the cultural and knowledge gaps between formalists and OS hackers, fostered by three beliefs: inaccessibility of the tools, the disabling gap between the validated model and actual implementation, and the intractable size of OSs. In this paper, we show these beliefs to be untrue for appropriately structured OSs. We applied formal methods to verify properties of the implementation of the Fluke microkernel's IPC (interprocess communication) subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, certain liveness properties and lack of deadlock, with results that apply to both SMP (scalable multiprocessor) and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easily accessible to programmers inexperienced with formal methods. We present our results as a starting point for a more comprehensive inclusion of formal methods in practical OS development.