Abstract. A context switch -an act of saving and restoring the state of a CPU such that multiple processes can share a single CPU resource -is an essential feature of multitasking operating systems. Commonly computationally intensive and necessarily accessing hardware registers, context-switch procedures are implemented as inline assembly portions in C-programmed operating-system kernels. Feasible verification of operating systems is usually attempted in some kind of C semantics. However, seamless verification of kernels requires reasoning about context-switch routines in semantics of assembly language. At the end of the day, both semantics meet together in an overall correctness theorem of operating system. The task of formal integration of correctness results achieved on different semantical layers is challenging but inevitable for systems verification. The paper describes a formal approach to pervasive reasoning about interleaved computations of user processes and a C-programmed kernel. The interleaving is achieved by context-switch procedures implemented in inline assembly. We report on the correctness proof of the contextswitch procedures and elaborate on our experience in formal integration of this result into the correctness proof of CVM, a verified framework for microkernel programmers.
Introduction
Pervasive systems verification [2] -an act of proving correct an entire computer system from gates to software -is a grand challenge [16] undertaken by the Verisoft project [20] . In our experience, the complexity of the problem turns out to be not in verification of individual components comprised by a system, but rather in formal integration of different correctness results achieved separately.
One representative example where different formal theories meet together is a correctness proof of process-context switch. Context-switch procedures save and restore the state (content of visible registers) of a CPU such that multiple processes can share a single CPU resource. This puts them at the heart of multitasking operating systems. Convincing arguments about correctness of context switch tie together at least the following formal theories: (i) a model of processor on which user processes and an operating system run, (ii) a virtual memory model used to implement separate address spaces of user processes, (iii) some sort of C semantics used to model computations of operating system, and (iv) inline assembly semantics used to reason about context-switch routines as the latter access hardware registers not visible via C variables. These formal theories have been developed in the scope of Verisoft [4, 5, 15, 19] , however putting them together in a correctness theorem of context switch requires additional investigations. The complications appear when one needs to switch from a computation of model x to a computation of model y. In order to reason about y, it turns out that additional invariants about it have to be preserved under the computation of x. Determining such invariants and proving them is a tedious scientific task.
The paper describes a pervasive correctness proof of process-context switch. Our context-switch procedures have C signatures, their functionality is implemented as inline assembly portions. This makes possible to plug them into C implementations of operating-system kernels on the source code level. In order to guarantee correctness of context-switch procedures as parts of C-programmed kernels it is not sufficient only to show their functional correctness. In order to proceed with kernel computations additional invariants about the kernel have to hold during computations of user processes. We introduce a concept of weak kernels -together with a correctness relation towards a hardware model -a formalization of suspended kernels during user executions. Our correctness theorems of context-switch procedures formally describe how an active kernel is constructed out of weak one and vice versa. This result makes possible to produce a pervasive seamless proof of C-programmed microkernels, like those that are considered in Verisoft. The paper gives details on integration of correct context-switch procedures into CVM, a framework for building verified kernels [13] . All material presented in the paper is supported by formal theories 1 in Isabelle/HOL, a verification environment common to Verisoft.
We believe the contributions of the paper fit into the program of the Verified Software Initiative [10] , a state-of-the-art plan for research communities with the goal of making verification a core technology for developing reliable software. The authors personally see contributions to two fields: (i) theory unification, and (ii) experience reports on verification of realistic software systems. The former is confirmed as follows. We have not only exploited existing formal theories, rather evolved and adjusted them in a way they formally fit together. We have found and formalized additional invariants that made the integration possible. We have produced a formal proof for a critical part of realistic operating-system microkernel running on a verified processor -this argues for the second contribution.
Related Work. Much and, to the best of our knowledge, pioneering work on formal verification of process-context switch has been done by the FLINT group at Yale University. [18] describes how XCAP -a verification framework implemented in the Coq proof assistant -is applied to certify an x86-assembly implementation of machine-context management. [8] shows the FLINT's approach to integration of context switches with thread implementation. The correctness criteria considered are formulated, in contrast to the current paper, only at the assembly-language level: no results on integration of object code correctness into a high-level programming language are reported. Conversely, a large number of research groups working on OS verification consider only code implemented in high-level programming languages. The Singularity project builds an OS using Sing#, a type-safe programming language [11] . The NICTA group considers C implementation generated from an OS prototype designed in Haskell [7] . Both rely on unsafe portions of assembly code for context-switch.
Outline. We start in Sect. 2 by defining computational models of CPU, user processes, and a kernel. In Sect. 3 we describe the interaction between the models and state our verification objective. We continue in Sect. 4 by outlining our verification approach and presenting the correctness theorems of context switch. Finally, we conclude in Sect. 5. 
Computational Models
We consider a scenario where a number of user processes interact with a kernel on a shared CPU resource. We use a physical machine [4] to model the CPU and virtual machines [5] to model user processes. We use the C0 language [15] , a slightly restricted dialect of C developed in Verisoft, to implement the kernel. Note, that kernel implementation necessarily contains inline assembly portions as the kernel accesses hardware registers not visible to C0 variable. The C0 small-step semantics is used to model kernel computations. Next, we give details on each concept.
Physical Machine
The physical machine is a sequential abstraction of the VAMP hardware [4] -a formally verified processor with memory management units, out-of-order execution, and memory-mapped devices -as seen by a system software programmer. VAMP implements the DLX instruction set [17] . The model state pm is the record with the following components: (i) the normal pm.pc :: bv and the delayed Alias Name Description sr status reg. stores an interrupt mask esr exceptional status reg. stores the last interrupt mask before an interrupt eca exceptional cause reg. stores masked interrupt cause epc exceptional pc stores the last pc value before an interrupt edpc exceptional dpc stores the last dpc value before an interrupt edata exceptional data reg. stores data specific for a certain interrupt pto page- value 0 is system, any other value is user Table 1 . Special purpose registers pm.dpc :: bv program counters used to implement the delayed branch mechanism, (ii) the general purpose pm.gpr :: bv * and the special purpose pm.spr :: bv * register files, and (iii) the byte-addressable physical memory pm.m :: bv → bv . The general purpose register file contains 32 registers: pm.gpr [0] always contains zeros, and the last three registers are reserved for the global, the stack, and the heap pointers of a program. We abbreviate them as pm.gp, pm.sp, and pm.hp. The special purpose register file contains 9 registers described in Table 1 . For each alias x we abbreviate access to the special register pm.spr [x] as pm.x.
The computation of the model is defined by the transition function δ pm which maps the current processor configuration pm and a bit vector of external inputs eev to the next configuration pm = δ pm (pm, eev ). Due to the lack of space we do not present a complete definition of the step function, but rather an idea behind it. For formal details cf. [3] . Executions are possible in two modes: user and system. The processor switches to the system mode, denoted by sys(pm), when an interrupt, either internal or external, arrives and the JISR (jump to interrupt service routine) signal, denoted by jisr (pm, eev ), is activated. The mode switch in the opposite direction happens when the RFE (return from exception) instruction, denoted by rfe(pm), is executed. In user mode a memory address a is virtual and is subject to address translation. The translation either redirects to the computed physical memory address or generates a page fault interrupt which signals that the desired page is not in the physical memory. The decision is made by examining the valid bit v(pm, a) stored in page tables maintained by memory management units of the physical machine. When on, it signals that the page storing the virtual address a resides in the main memory, otherwise, it is on a hard disk.
Interrupts. Internal interrupts comprise an illegal instruction, a misaligned access, page faults, overflows, and the trap. The latter is used to implement system calls to kernel libraries. External interrupts are signals from devices. VAMP supports maskable interrupts. For a maskable interrupt i, the bit pm.sr [i] stores its mask. The cause register ca(pm, eev ) is the bit vector which stores raised interrupt signals. The masked cause register mca(pm, eev ) is defined as a bitwise conjunction ca(pm, eev )[i] ∧ pm.sr [i] over all maskable interrupts i. If at least one bit of mca(pm, eev ) is on the jisr (pm, eev ) is activated.
Semantics of JISR and RFE. On jisr (pm, eev ), the program counters pm.(dpc, pc) are set to the kernel start address (kstart, kstart +4). The exceptional versions of registers pm.(edpc, epc, esr ) are assigned their normal versions. Register pm.eca stores the masked interrupt cause mca(pm, eev ). Finally, pm.edata stores data needed to process a particular kind of an interrupt, e.g., an address of a page missing in the main memory for page-fault interrupts, or a system call code for the trap interrupt. The mode is switched to system. On rfe(pm) the normal versions of registers pm.(dpc, pc, sr ) are assigned their exceptional versions. The mode is switched to user.
Virtual Machines
A virtual machine is a hardware abstraction with an illusion of address space exceeding the physical memory. The state of a virtual machine vm is a record comprising the same components as the physical machine. There are different rules for accessing special purpose registers: only reading is allowed. As for the rest, the semantics of virtual machines simply implements the DLX instruction set architecture. There is no address translation, hence page faults are invisible. There is no interaction with devices. Transitions are modeled by the function δ vm which takes the current virtual machine configuration vm and yields an updated one vm = δ vm (vm).
C0 Small-Step Semantics
The C0 concrete syntax and visibility rules for variables are very similar to standard C. Operational semantics, though, is similar to Pascal. The main language restrictions compared to C comprise absence of pointer arithmetic, side effects, and pointers to functions and local variables. A list of assembly instruction il can be embedded in C0 by a special statement asm(il ).
A C0 program π is a record with the following components: (i) a global symbol table π.gst which is a list of variable names together with their types, (ii) a type name environment π.te which maps type names to types, and (iii) a function table π.ft which maps function names to functions. A function is represented by symbol tables for parameters and local variables, the function's return type, and the function's body.
Configurations c of the C0 small-step semantics are records with two components: the memory configuration c.mem and the program rest c.pr . The program rest stores those statements which still have to be executed. The memory configuration is a record comprising the following components: (i) a global memory frame c.mem.gm, (ii) a stack of local memory frames c.mem.lm, and (iii) a memory frame for heap variables c.mem. C0 (c, π) . A computation ends in the error state if, for instance, expression evaluation detects an error in the program, e.g., null-pointer dereference, or out-of-boundary array access. Details are available through [14] .
Verification Objective
CVM (communicating virtual machines) [9] is a computational model for concurrent user processes interacting with a generic microkernel and devices. CVM is implemented in C0 with inline assembly as a framework featuring virtual memory support, memory management, and low-level inter-process and devices communications. The framework can be linked on the source code level with an abstract kernel, an interface to users, in order to obtain a concrete kernel, a program that can run on a target machine, like the kernel we discuss in the paper. CVM has been verified to a large extent within Verisoft [13] .
Let a C0 with inline assembly program π k be a concrete kernel implementation. Let k be a C0 small-step configuration corresponding to π k . The kernel interacts with N user processes up [1. .N ]. Each process up[i] is modeled by a virtual machine. When a user execution is interrupted the hardware generates the JISR signal which triggers the kernel start. Kernel executions begin with the Save procedure which stores the content of the hardware registers to kernel variables. After that, depending on the interrupt, kernel performs one or several jobs: handles interrupts, invokes system calls, schedules the next process. Kernel execution ends with the call of the Restore procedure which copies the context of the scheduled user process to hardware registers and executes the RFE instruction.
The CVM verification objective is to justify correctness of (pseudo-)parallel executions of user processes and the kernel on the underlying hardware. This is expressed as a simulation theorem between the physical machine and virtual machines interleaving with the kernel: for all steps of an interleaved execution of the kernel and user processes there exists a number of hardware steps after which an appropriate simulation relation holds. The simulation relation is split into two parts: each relates a hardware configuration either to a kernel configuration, or to configurations of user processes. One of the most interesting proof cases is switching between executions of different user process by means of a kernel invocation. The task is tricky since correctness theorems of Save and Restore (i) tie together different semantics used to model user processes and the kernel, (ii) formalize a connection between correctness relations for users and the kernel, and (iii) involve inline assembly semantics to prove the functional correctness.
Correctness criteria of user processes must reflect two main features realized by CVM: memory virtualization and multitasking. Correct memory virtualization ensures that each user process has a notion of its own isolated virtual memory exceeding the physical memory. CVM implements memory virtualization by means of demand paging: [1] reports on formal verification of the used paging mechanism. Multitasking is a method by which multiple processes share a single computational resource like CPU. Correct multitasking ensures reassigning a CPU from one process to another. This paper focuses on correctness of multitasking implementation in CVM.
The rest of this section is organized as follows. We give some details on the kernel implementation, discuss the notion of contexts, and describe our implementation of context-switch procedures. Next, we state the correctness relations for the kernel and user processes and describe at which parts of an interleaved run which relations hold. Finally, we discuss how to combine correctness criteria by introducing invariants over a suspended kernel.
Kernel
We consider a non-preemptive kernel. On a user interrupt the kernel needs to know which process has been preempted. When Restore is invoked the kernel needs to know which process has to be resumed. In order to deal with it, the kernel has the variable cup of unsigned integer type storing the identifier of the last executed process. The kernel scheduler assigns the new value to cup, thus the process up[cup] will be resumed.
We allow dynamic memory allocation for the kernel. The kernel contains the variable kheap of integer type which stores the amount of memory allocated by the kernel on the heap. Base addresses of kernel global and stack memories are defined by the constants kglobal and kstack , respectively.
Contexts and Context-Switch Procedures
We split registers of user processes into two groups: those whose values affect user executions and those that are used only to implement the interrupt mechanism.
Registers Relevant for User Executions. This group comprises delayed and normal program counters, 31 general purpose registers excluding gpr [0] -according to the DLX instruction set architecture it always contains zeros -, the status register, page-table origin, and page-table length registers. We call these registers the context of a process. For a virtual machine vm it is formally retrieved by the function ctx (vm) = vm.pc • vm.dpc • vm.gpr [1..31] • vm.sr • vm.pto • vm.ptl . We store contexts of processes in a special data structure, called the process control blocks. The kernel symbol table π k .gst includes the variable pcb, an integer array with 36 · N items capable to store all contexts of user processes.
Registers Needed to Process Interrupts. In order to react appropriately to an interrupt which occurs during a user execution the kernel has to know the interrupt cause and exceptional data, e.g., if an interrupt happens due to the trap instruction the kernel has to know its parameter in order to execute the right system call. Because of that we declare two variables in π k : (i) the variable eca of integer type used to store the current exceptional cause register, and (ii) the variable edata of integer type storing data for interrupt handling.
The context-switch procedures are C0 functions with inline assembly bodies. The Save procedure starts by computing the memory address a = 4 · &(pcb [cup · 36] ). Starting at address a we write to the memory pm.m consecutively the contents of the following registers: (i) pm.epc and pm.edpc as they are equal to pm.pc and pm.dpc, and (ii) pm.gpr [1..31]. Note, that we do not save registers pm.(sr , pto, ptl ) because they could not be modified by a user. Next we save registers pm.eca and pm.edata to corresponding kernel variables and assign pm.gp, pm.sp, and pm.hp the values of kglobal , kstack , and kheap. The last statement of the Save routine is a C0 call to the kernel dispatcher.
The Restore function is quite symmetrical to Save. In the C0 portion of the function we compute an offset in pcb corresponding to the next scheduler process identifier cup. By means of inline assembly we remember the value of the kernel heap pointer in variable kheap and write the context of the next scheduled process from pcb into hardware registers pm.(epc, edpc, gpr [1.
.31], esr , pto, ptl ). Note, that pm.sr , pm.pto and pm.ptl registers are updated as the kernel can modify their values, e.g., when it allocates additional memory for some user process. The last instruction of Restore is RFE.
Assembly bodies of the context-switch procedures contain all in all about 100 instructions.
Kernel Correctness Relation: C0 Consistency
Our correctness relation for the kernel maps a C0 small-step semantics state to a state of the physical machine. A C0 configuration c corresponding to a program π is related to an underlying physical machine pm by the compiler simulation relation consis(alloc)(π, c, pm) parameterized over an allocation function alloc which maps C0 variables to the physical memory cells. The relation describes consistency of (i) code, (ii) control, and (iii) data. The code consistency consis code requires that the compiled code lies at the correct address in the memory pm.m. The control consistency consis c states that the delayed program counter pm.dpc points to the start of the translated code of the first statement of c.pr and that return addresses of all stack frames are correct. Essentially, the data consistency consis d is a conjunction of the correctness relation for: (i) allocation, consis alloc : the allocation function alloc conforms with the allocated base address of global and local variables, and the reachable portions of the heaps in c.hm and pm.m are isomorphic, (ii) values and pointers, consis v and consis p : the respective variables and pointers of c and pm have the same values, (iii) registers, consis r : the heap pointer pm.hp points to the first free address of c.mem.hm, and the global resp. the stack pointers pm.gp resp. pm.sp refer to the beginning of the global resp. top local memory frames of c. A scheme of the C0 consistency relation is depicted in Fig. 1 . For complete formal definitions cf. [14] . 
Correctness of User Processes: Context-Encoding Relation
The correctness of user processes is stated by the context-encoding relation C which maps the vector of user processes up to the physical machine configuration pm. For a process pid and a register r which belong to the context, let ad r pid (pm) be the physical memory address in the machine pm where the register r of the process pid is stored in the pcb array. The content of this register is then r pid = pm.m 4 (ad 
In case sys(pm) the kernel is running and all user process are suspended. Otherwise a user with identifier pid = cup(pm) is running and its context occupies physical registers of the hardware. We define the context of a physical machine pm as active-ctx (pm) = pm.pc • pm.dpc • pm.gpr [1. .31] • pm.sr • pm.pto • pm.ptl . Altogether, we formalize both stored and active process contexts as:
otherwise .
The context-encoding relation states that all user processes are simultaneously encoded by the hardware:
Combining Correctness Relations
The correctness of user processes, expressed by the context-encoding relation, has to hold at every step of user executions. A kernel run might contain a system call which affects users, e.g., writing to a user register. The abstract semantics, i.e., specification, of system calls is defined over the vector of user processes up. The concrete semantics, i.e., implementation, affects though the underlying physical machine. Abstract and concrete semantics must agree: universally this is expressed as the the context-encoding relation must be preserved under kernel runs.
The correctness of the kernel, expressed by the C0 consistency relation has to hold after an execution of every statement of the kernel. However, a C0 smallstep semantics configuration encoding the kernel and consistent to the underlying hardware cannot be simply constructed from a physical machine configuration after a user execution. There are two reasons for that: (i) there is no information about C0 types in the memory model of the physical machine, and (ii) there is no one-to-one mapping between the heap of the physical machine and the heap memory frame of the C0 configuration. In order to be able to resume a C0 kernel computation after a user execution users have to respect the constraint that they do not affect kernel code and kernel data, including a mapping between heaps. We call this constraint the C0 weak consistency and define formally below. Fig. 2 depicts overall correctness.
Correctness of Suspended Kernels: C0 Weak Consistency
The parts of the C0 configuration k encoding the kernel that is possible to preserve unchanged during user computation are the global memory frame k .mem.gm and the heap memory frame k .mem.hm. These two components define a C0 small-step semantics configuration which we call a weak kernel. Formally, we construct a weak kernel k weak by means of the function weak -kernel (gm, hm) = k weak , s.t. k weak .mem = (gm, [], hm) and k weak .pr = skip.
A weak kernel k weak is related to a physical machine configuration pm w.r.t. the kernel program π k and an allocation function alloc by the C0 weak consistency relation consis weak (alloc)(π k , k weak , pm). The relation comprises: (i) the code consistency consis code , which guarantees that users do not modify the kernel code, (ii) the value consistency consis v and the pointer consistency consis p , which guarantees that users do not modify the kernel data, and (iii) the allocation consistency consis alloc and the kernel heap consistency consis kheap , which
