Formal verification of a small real-time operating system by Schmidt, Mareike Dorothee
Formal Verification
of a Small Real-Time Operating
System
U
N I
V E R S IT A S
S
A R A V I E N
S I
S
Dissertation
zur Erlangung des Grades
der Doktorin der Ingenieurwissenschaften (Dr.-Ing.)
der Naturwissenschaftlich-Technischen Fakulta¨ten
der Universita¨t des Saarlandes
Mareike Schmidt
mareike@wjpserver.cs.uni-saarland.de
Saarbru¨cken, 14. April 2011

Eidesstattliche Versicherung
Hiermit versichere ich an Eides statt, dass ich die vorliegende Arbeit selbsta¨ndig und ohne
Benutzung anderer als der angegebenen Hilfsmittel angefertigt habe. Die aus anderen
Quellen oder indirekt u¨bernommenen Daten und Konzepte sind unter Angabe der Quelle
gekennzeichnet.
Die Arbeit wurde bisher weder im In- noch im Ausland in gleicher oder a¨hnlicher Form
in einem Verfahren zur Erlangung eines akademischen Grades vorgelegt.
Saarbru¨cken, 14. April 2011
Tag des Kolloquiums: 12. April 2011
Dekan: Prof. Dr. Holger Hermanns
Vorsitzender des Pru¨fungsausschusses: Prof. Dr. Sebastian Hack
1. Berichterstatter: Prof. Dr. Wolfgang J. Paul
2. Berichterstatter: Dr. habil. Werner Stephan
akademischer Mitarbeiter: Dr. Alexey Pospelov
iii
iv
Ist man in kleinen Dingen nicht geduldig,
bringt man die großen Vorhaben zum Scheitern.
(Konfuzius, chinesischer Philosoph, 551 - 479 v. Chr.)
Danksagung
An dieser Stelle mo¨chte ich mich bei allen bedanken, die mich unterstu¨tzt und zum
Gelingen dieser Arbeit beigetragen haben.
Insbesondere danke ich Herrn Prof. Wolfgang Paul, der mir die Mo¨glichkeit zur Pro-
motion an seinem Lehrstuhl gab, meine Arbeit wissenschaftlich betreute und daru¨ber
hinaus immer Versta¨ndnis fu¨r meine besondere Situation zeigte.
Ein weiterer Dank gilt allen Kollegen und Mitarbeitern des Lehrstuhls fu¨r die gute
Zusammenarbeit und die angenehme Arbeitsatmospha¨re. Besonders mo¨chte ich Jan
Do¨rrenba¨cher, Mark Hillebrand, Steffen Knapp, Dirk Leinenbach, Norbert Schirmer und
Alexandra Tsyban erwa¨hnen, die mir mit Rat und Tat zur Seite standen, wenn es um die
Anbindung ihrer Theorien, die Verbesserung meiner Arbeit oder deren Publikation ging.
Vor allem Matthias Daum mo¨chte ich fu¨r seine stetige Unterstu¨tzung, die zahlreichen
Diskussionen und seine konstruktive Kritik danken, die mich um vieles weitergebracht
hat. Daru¨ber hinausgehend ein großer Dank an die Damen des Sekretariats, fu¨r ihre
Freundlichkeit und ihren Einsatz, um uns Mitarbeitern den Ru¨cken fu¨r die ’wesentlichen
Dinge’ freizuhalten.
Ich mo¨chte aber auch meine Freunde und meine Familie nicht vergessen, die in all
der Zeit fu¨r mich da waren, mich ermutigt und unterstu¨tzt haben. Ein besonderer Dank
gilt meinen Eltern, die mich auf meinem Weg immer begleitet haben und mir zur Seite
standen. Ohne ihre Hilfsbereitschaft und ihren unermu¨dlichen Einsatz ha¨tte ich es sehr
viel schwerer gehabt, meine Ziele zu erreichen. Zu guter Letzt mo¨chte ich mich bei meiner
Tochter Sophie fu¨r ihr Versta¨ndnis und ihre Geduld mit mir ganz herzlich bedanken.
This work has been partially funded by the German Federal Ministry of Education and
Research (BMBF) in the framework of the Verisoft project under grant 01 IS C38.
v
vi
Abstract
The foundation of this thesis is a distributed real-time system that connects several
electronic control units (ECUs) with a communication bus. Each ECU consists of a
processor executing the real-time operating system Olos and several applications on
the one hand, and an interface to the bus (ABC) on the other hand. Olos provides
application scheduling and controls the communication with the bus. The applications
may communicate with Olos via so-called system calls. For applications written in
high-level languages these calls are available in terms of library functions.
First, we present the design and the implementation of Olos and its necessary library
functions. Thereafter, we introduce the abstract model of an entire ECU which specifies
the interface to the bus (ABC), process models and the behaviour of Olos.
Then, we formulate a simulation theorem between the abstract ECU model and a
model that embeds the concrete Olos implementation. The proof of this theorem pro-
vides us with the implementation correctness of Olos. Based on the formal correctness
of our operating system, the last section of this thesis presents an approach to pervasively
verify applications that are executed under Olos on a single ECU.
Kurze Zusammenfassung
Grundlage dieser Arbeit ist ein verteiltes Echtzeitsystem, welches mehrere elektron-
ische Kontrolleinheiten (ECUs) mit einem Kommunikationsbus verbindet. Jede dieser
Kontrolleinheiten besteht aus einer Schnittstelle zum Bus (ABC) und einem Prozessor,
welcher das Echtzeitbetriebssystem Olos und mehrere Anwendungen ausfu¨hrt. Olos
organisiert die Ausfu¨hrungszeit der Anwendungen auf dem Prozessor und steuert deren
Kommunikation mit dem Bus. Die Anwendungen haben die Mo¨glichkeit, u¨ber sogenannte
Systemaufrufe mit dem Betriebssystem zu kommunizieren. Diese stehen den Anwendun-
gen, die in ho¨heren Programmiersprachen geschrieben sind, in Form von Bibliotheks-
funktionen zur Verfu¨gung.
Zuerst stellen wir den Entwurf und die Implementierung von Olos und den notwendi-
gen Bibliotheksfunktionen vor. Danach beschreiben wir das abstrakte Modell einer vollsta¨ndigen
ECU, welches die Schnittstelle zum Bus (ABC), Prozessmodelle und das Verhalten des
Betriebssystems Olos festlegt.
Wir formulieren ein Simulationstheorem zwischen dem abstrakten ECU Modell und
einem Modell mit eingebetteter konkreter Olos-Implementierung. Der Beweis dieser
Aussage liefert uns die Implementierungskorrektheit von Olos. Im letzten Teil der Ar-
beit benutzen wir dieses Ergebnis als Grundlage fu¨r einen Ansatz, mit dem durchga¨ngig
Anwendungen verifiziert werden ko¨nnen, die unter Olos auf einer elektronischen Kon-
trolleinheit ausgefu¨hrt werden.
vii
Ausfu¨hrliche Zusammenfassung
Computersysteme sind allgegenwa¨rtig und beeinflussen unseren Alltag. Obwohl sich viele
Menschen auf Computersysteme verlassen, hinterfragen nur wenige ihre Zuverla¨ssigkeit.
Besonders ihr Einsatz in sicherheitskritischen Bereichen, wie zum Beispiel in der Medizin-
technik oder in Fahrzeugen, verlangt Robustheit, Sicherheit und Verla¨sslichkeit eines Sys-
tems. In diesem Zusammenhang ko¨nnte ein Fehlverhalten weitreichende Folgen haben.
Gerade in letzer Zeit wurde die Fehlfunktion eines Bremskontrollsystems mit einem
Softwarefehler in Verbindung gebracht [VB10, Guy10]. Allein das Geru¨cht einer solchen
Schwachstelle der Software zieht einen wirtschaftlichen Schaden fu¨r den Hersteller nach
sich. Weitaus schlimmer wa¨re jedoch die Vorstellung, dass schwere Unfa¨lle mit ihren Kon-
sequenzen die Folgen eines Softwarefehlers wa¨ren. Zudem ist in Autos ein kontinuierliches
Ansteigen der Anzahl von elektronischen Steuergera¨ten, die fu¨r eine Vielzahl verschieden-
er Aufgaben zusta¨ndig sind, zu beobachten. Die steigende Komplexita¨t verteilter Systeme
stellt immer gro¨ßere Anforderungen an die Verla¨sslichkeit und Fehlerfreiheit der Systeme
und ihrer Komponenten. Der sicherste Ansatz, um schon beim Systementwurf konzep-
tionelle und menschliche Unzula¨nglichkeiten auszuschließen, ist Verifikation. Dazu wird
die korrekte Funktionsweise einer Implementierung durch ein mathematisches Modell
spezifiziert und ein Beweis dafu¨r entwickelt, dass der Systementwurf dieser Spezifikation
genu¨gt. Wird dieser Beweis von einem Computer u¨berpru¨ft, sprechen wir von formaler
Verifikation.
In der Praxis sind Computersysteme u¨blicherweise in mehreren Abstraktionsebenen
implementiert: Schon die Hardware besteht aus unterschiedlich abstrakten Schichten,
die von der Register-Transferebene u¨ber die Befehlssatzarchitektur bis hin zur Assem-
blerebene reicht. Das Betriebssystem stu¨tzt sich auf die abstrakteste Hardware-Schicht
und stellt seinerseits eine Plattform zur Verfu¨gung auf der Benutzerprogramme imple-
mentiert werden. Um systematische Fehler im gesamten Systementwurf ausschließen zu
ko¨nnen, muss man deshalb alle Schichten des betrachteten Computersystems beru¨cksichtigen.
Wir nennen Verifikation, die sich u¨ber mehrere Schichten eines Systems erstreckt durchga¨ngig.
Das Forschungsprojekt Verisoft verfolgt genau diesen Ansatz, um die Qualita¨t integri-
erter Computersysteme schon im Entwurf zu sichern. Genauer gesagt, entstand diese Ar-
beit im Rahmen des Teilprojekts Automotive, das die durchga¨ngige formale Verifikation
des automatischen Automobilnotrufs eCall [Eur03] zum Ziel hat. Das zugrundeliegende
Echtzeitsystem verbindet mehrere elektronische Kontrolleinheiten (ECUs) mit einem
Kommunikationsbus. Ein U¨bertragungsprotokoll ordnet dann jeder angeschlossenen Kom-
ponente feste Sendezeiten zu. Dieser Ansatz fu¨hrt auf das von Kopetz und Gru¨nstreidl
[KG94] entwickelte time-triggered protocol zuru¨ck und findet heutzutage weite Akzeptanz
und vielfachen Einsatz in der Industrie.
Jede ECU besteht aus einem Prozessor und einer Schnittstelle zum Bus (ABC). Auf
dem Prozessor la¨uft das Echtzeitbetriebssystem Olos und darauf mehrere interagierende
Anwendungen, die bestimmte Aufgaben ausfu¨hren. Die Funktionalita¨t von Olos umfasst
im Wesentlichen die Interaktion zwischen Kommunikationshardware und Anwendersoft-
ware.
Olos stellt den Anwendungen eine Prozessorabstraktion mit
viii
(a) exklusivem Zugang zu Ressourcen wie Speicher und Registern und
(b) Kommunikationsmitteln, um Dienste des Betriebssystems anzufordern,
zur Verfu¨gung. Eine solche Abstraktion nennt man im allgemeinen Prozess und die Kom-
munikationsmittel Systemaufrufe. Da die meisten Programme kompiliert werden, um als
Prozess unter einem Betriebssystem zu laufen, dehnen wir den Prozessbegriff auf eine
Programmsemantik mit Systemaufrufen aus. Anwendungen in ho¨heren Programmier-
sprachen ko¨nnen Systemaufrufe nutzen, die Assemblerbefehle kapseln. Diese Aufrufe
stehen dem Anwender in Form von Bibliotheksfunktionen zur Verfu¨gung.
Olos wurde mit Ru¨cksicht auf seine spa¨tere Verifikation entwickelt und implemen-
tiert. Ein mathematisches Modell liefert die Spezifikation einer kompletten elektronis-
chen Steuereinheit mit eingebettetem Betriebssystem. Mit Hilfe eines Simulationsthe-
orems beweisen wir dann die Korrektheit der Olos Implementierung. Dazu beno¨tigen
wir die Definition einer Abstraktionsfunktion, die die Datenstrukturen der Implemen-
tierung auf die des Modells abbildet. Eine weitere Grundlage fu¨r den Beweis ist eine
Implementierungsinvariante, die alle notwendigen Gu¨ltigkeitsaussagen u¨ber die Daten-
strukturen zusammenfasst. Die Implementierungskorrektheit liefert uns die Sicherheit,
dass wir unser abstraktes Modell auch auf ho¨heren Ebenen wiederverwenden ko¨nnen.
Unter bestimmten Annahmen ko¨nnen wir es beispielsweise in das verteilte Modell von
Steffen Knapp [Kna08] integrieren.
Diese Annahmen benutzen wir auch fu¨r die Pra¨sentation eines Ansatzes, der es erlaubt
kommunizierende Anwendungen durchga¨ngig zu verifizieren. Zu diesem Zweck benutzen
wir den Ansatz von Daum et al. [DDB08, DDWS08], der fu¨r den Vamos-Kernel den
Compiler-Satz fu¨r sequentielle Sprachen auf die Semantik von Prozessen erweitert. Dieses
Ergebnis basiert auf dem von Leinenbach & Petrova [LP08] formal verifizierten Compil-
er, der Programme des C-Dialekts C0 in Vamp Assembler Befehle u¨bersetzt. Wir passen
diese Idee an unser Betriebssystem Olos an und (i) formalisieren die Systemaufrufe von
Olos, (ii) fu¨hren eine Spezifikation von C0 und Assembler-Prozessen ein, die die sequen-
tiellen Sprachen um die Systemaufrufe erweitern, und (iii) beweisen die Erweiterung des
sequentiellen Compiler-Satzes fu¨r unsere Prozessmodelle.
Schließlich ko¨nnen wir das Ergebnis in unser abstraktes ECU Modell einbetten. Diese
Arbeit erlaubt es interagierende Anwendungen auf abstrakter Ebene zu verifizieren, die
abgeleiteten Ergebnisse bis zur Assemblerebene zu transferieren und sogar Schlu¨sse u¨ber
das Verhalten einer ganzen ECU zu ziehen, auf der die Anwendungen laufen.
Im Wesentlichen umfasst diese Arbeit drei Teile:
(i) die Implementierung des Echtzeitbetriebssystems Olos und das mathematische
Modell einer gesamten ECU
(ii) den Simulationsbeweis der Implementierungskorrektheit und
(iii) einen Ansatz, der es erlaubt kommunizierende Anwendungen, die unter Olos
laufen, durchga¨ngig zu verifizieren
Alle Definitionen, Modelle und Beweise, die im Verlauf dieser Arbeit pra¨sentiert wer-
den, wurden mit dem interaktiven Theorembeweiser Isabelle/HOL formalisiert.
ix
x
Contents
1 Introduction 1
1.1 RelatedWork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2 Background 13
2.1 System and Proof Architecture . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2 The VAMP Assembly Language . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 The Language C0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.4 Compiler Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.5 Switching the Layers - Inlined Assembly Code . . . . . . . . . . . . . . . 32
2.6 Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.7 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.7.1 Device Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.8 CVM: A Programming Framework for Operating Systems . . . . . . . . . 41
2.8.1 CVM State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.8.2 CVM Transitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.8.3 CVM Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.9 The Verification Environment Isabelle/Simpl for C0 . . . . . . . . . . . . 52
2.9.1 Dealing with Inline Assembly in Isabelle/Simpl . . . . . . . . . . . 54
2.9.2 Code Verification in Isabelle/Simpl . . . . . . . . . . . . . . . . . . 55
3 OLOS Design and Implementation 57
3.1 ECU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.2 Partitioning Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.3 OLOS Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.3.1 OLOS Variables and Data Structures . . . . . . . . . . . . . . . . 61
3.3.2 The Top-Level Function . . . . . . . . . . . . . . . . . . . . . . . 64
3.3.3 System Initialization . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.3.4 Communicating with the Device . . . . . . . . . . . . . . . . . . . 67
3.3.5 Implementing System Calls - the Trap Handler . . . . . . . . . . . 68
3.4 The System Call Library . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.4.1 The Message Structure . . . . . . . . . . . . . . . . . . . . . . . . 71
4 Formal Specification of an ECU 75
4.1 ABC Automaton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.2 Application Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
xi
4.2.1 Application Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.2 Assembly Applications . . . . . . . . . . . . . . . . . . . . . . . . 90
4.2.3 C0 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.3 Abstract ECU Automaton . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.3.1 Excursion: Towards a Distributed OLOS Model . . . . . . . . . . 111
5 Implementation Correctness 115
5.1 Implementation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.1.1 Defining CVM Primitives in Simpl . . . . . . . . . . . . . . . . . . 117
5.1.2 Predicates of the OLOS Implementation State . . . . . . . . . . . 119
5.1.3 Functional Correctness of OLOS Functions . . . . . . . . . . . . . 124
5.1.4 Expressing a CVM Transition in Simpl . . . . . . . . . . . . . . . . 134
5.1.5 Defining the Implementation Invariant . . . . . . . . . . . . . . . . 135
5.2 Relating Implementation and Abstract States . . . . . . . . . . . . . . . 135
5.3 Proving Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.1 Induction Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.2 Induction Step . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.3 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
6 Towards Pervasively Verified Applications 143
6.1 Process Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.1.1 System Call Simulation . . . . . . . . . . . . . . . . . . . . . . . . 148
6.1.2 Extending Compiler Correctness to Applications . . . . . . . . . . 165
6.2 Computation Step Simulation . . . . . . . . . . . . . . . . . . . . . . . . 167
6.3 Embedding Applications into the Overall ECU Model . . . . . . . . . . . 168
6.4 Reasoning about Applications – a Practical Example . . . . . . . . . . . . 169
7 Conclusion and Future work 173
7.1 Formal Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7.2 Gained Insights from Pervasive Verification . . . . . . . . . . . . . . . . . 175
7.3 The Effort of Formal Verification . . . . . . . . . . . . . . . . . . . . . . . 176
7.4 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
A Appendix 189
A.1 Source Code of the OLOS Implementation . . . . . . . . . . . . . . . . . . 189
A.1.1 OLOS Constant Definitions . . . . . . . . . . . . . . . . . . . . . . 189
A.1.2 Declarations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
A.1.3 The Interrupt Handler . . . . . . . . . . . . . . . . . . . . . . . . . 191
A.1.4 The Trap Handler . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
A.1.5 The Initialization Function . . . . . . . . . . . . . . . . . . . . . . 192
A.1.6 OLOS Mainfunction . . . . . . . . . . . . . . . . . . . . . . . . . . 193
A.1.7 Typed CVM Primitives . . . . . . . . . . . . . . . . . . . . . . . . 194
A.2 Source Code of the OLOS System Call Library . . . . . . . . . . . . . . . 196
A.2.1 Message Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
xii
A.2.2 System Call Functions . . . . . . . . . . . . . . . . . . . . . . . . . 197
A.2.3 OLOS Program State . . . . . . . . . . . . . . . . . . . . . . . . . 197
A.3 Theory Structure and Statistics . . . . . . . . . . . . . . . . . . . . . . . . 198
xiii
xiv
1 Introduction
Take time to deliberate,
but when the time for action arrives, stop thinking and go in.
Andrew Jackson, quoted in: ”No Ordinary Moments: A Peaceful
Warrior’s Guide to Daily Life”, 1992 by Dan Millman
Contents
1.1 RelatedWork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Computer systems are omnipresent and affect our daily lives. Although many people
confide in computer systems only a few scrutinize their trustworthiness. Especially, their
employment in safety-critical areas e. g., in medical engineering or vehicles demands for
their robustness, safety and reliability. In this context a failure may cost human lives.
Recently, a failing accelerator control was associated to a software bug [VB10, Guy10].
The mere rumour of such a software flaw is economically troublesome, not to mention
the tragedy of possibly resulting fatal accidents. Moreover, the number of electronic
devices in cars dealing with a variety of different tasks increases steadily. The growing
complexity of distributed systems reveals the urgency to ensure their reliability and
correct functionality. The most secure approach to rule out all systematic design errors
is verification. This approach specifies the correct functionality of an implementation
by a mathematical model and develops a proof that the system design satisfies this
specification. Verification is called formal if the proofs are checked by a computer.
Usually, computer systems are implemented in several abstraction layers: Even the
hardware is modelled at different levels of abstraction from the register-transfer layer to
the instruction set architecture to the assembly layer. The operating system is based on
the highest abstract hardware layer, and provides in turn a platform on which applica-
tions are implemented. In order to safely exclude all systematic errors in the design of
the complete system, all layers must be regarded. We obtain pervasiveness of a verifica-
tion attempt when it spans over multiple layers of a system. Usually, several layers are
coupled by formal soundness and simulation theorems. Then, results that are derived in
an abstract layer can be transferred down to a correctness theorem on a lower level.
The research project Verisoft aims at the pervasive formal verification of integrated
computer systems to assure their quality already at the design stage. More specifically,
the topic of this thesis belongs to the automotive subproject that aims to pervasively
verify an automatic emergency call system eCall [Eur03].
1
1 Introduction
We consider a distributed real-time system that consists of several electronic control
units (ECUs) connected by a communication bus. Then, a network protocol schedules
fixed transmission times to each connected component. This approach traces back to
the time-triggered protocol developed by Kopetz and Gru¨nstreidl [KG94]. Variations of
this protocol are nowadays widely accepted and used in industry.
Each ECU comprises a bus interface called automotive bus controller (ABC) and a
processor. The former decouples the processor from the communication bus and takes
care of the timely transmission and reception of messages that are sent over the bus.
The processor executes the real-time operating system Olos and several interacting ap-
plications that perform specific tasks. Basically, the functionality of Olos comprises the
interaction between the communication hardware and the application software. Olos
provides a processor abstraction to the applications with
(a) the exclusive access to resources like registers and memory and
(b) means for the communication with the operating system to request further services.
This abstraction is commonly referred to as a process and the means to communicate
with the operating system are called system calls. As even most high-level programs
are eventually compiled to run as a process, we consider any program semantics with
system calls as a process. System calls are available to high-level applications in terms of
library functions which encapsulate instructions of lower-levels to access low-level func-
tionality. A system call library provides a programming interface for these calls. Thus,
a programmer may use these functions without knowing the concrete implementation
details of such a call.
The real-time operating system Olos was developed verification in mind. We final-
ized its initial implementation. A mathematical model serves as specification of an entire
ECU comprising the ABC device, Olos functionality and applications. Then, we prove a
simulation theorem to reveal that the Olos implementation satisfies this model. There-
fore, we define an abstraction function to map data structures of the implementation
to corresponding ones in the model. A further basis for the proof is an implementation
invariant specifying all necessary validity constraints for these data structures. The im-
plementation correctness ensures that our abstract ECU model can be reused on higher
levels of abstraction. Under several assumptions we can integrate this model to the
distributed model of Steffen Knapp [Kna08]. We also rely on this argument when we
present an approach that allows to pervasively verify communicating applications.
For this purpose we use the approach of Daum et al. [DDB08, DDWS08] for the Va-
mos kernel that extends the sequential compiler-correctness theorem to the semantics
of processes. This result relies on the formal verified compiler of Leinenbach & Petrova
[LP08], which translates programs written in the C-dialect C0 to Vamp assembly in-
structions. We adapt this idea to our operating system Olos and (i) formalize the
Olos system calls (ii) introduce the specifications of C0 and assembly processes that
extend the sequential languages by the system calls, and (iii) prove the extension of the
sequential compiler-correctness theorem for our process models. Finally, we embed this
result in our abstract ECU model. This work is the foundation that permits to verify
communicating applications on an abstract level, transfer the derived results down to
the assembly layer and even infer properies about the entire ECU.
2
1.1 RelatedWork
Essentially, this thesis comprises three parts:
(i) the implementation of the real-time operating system Olos and the specification
of an entire ECU
(ii) the simulation theorem of the implementation correctness, and
(iii) an approach to pervasively verify communicating applications running on top of
Olos
All definitions, models and proofs presented in this thesis have been formalized with
the interactive theorem prover Isabelle/HOL1.
Outline. The remainder of this chapter introduces notation, presents general approaches
of verification, and presents related work. Chapter 2 describes in more detail the spe-
cific context and all necessary prerequisites of this thesis. The main part of this work
starts in Chapter 3, which introduces the design principles and the implementation of
the real-time operating system Olos. The formal specification of an ECU including all
its subcomponents is described in Chapter 4. Chapter 5 reports on the implementation
correctness proof. A simulation theorem proving the correctness of the Olos system-
call library is presented in Chapter 6. Finally, in Chapter 7 we conclude and propose
potential future work.
1.1 Related Work2
There have been numerous attempts to increase confidence in system software by means
of formal methods.
An article of Klein [Kle09b] comprehensively summarizes all past and present ap-
proaches to the verification of operating-system kernels. He reports that already in the
1970s the Provable Secure Operating System (Psos) introduced concepts for OS veri-
fication and aimed at applying formal methods throughout the entire implementation
of the OS. The retrospective report [NF03] from 2003 describes that Psos comprised
hardware and software and strives for a useful general-purpose operating system with
demonstrable security properties. Despite some simple illustrative proofs were carried
out, it would be false to claim that Psos was a proved secure operating-system. Nev-
ertheless, the approach clearly demonstrates how properties such as security could be
formally proved.
The aim of the UCLA Secure Unix project [WKP80] was the verification of a kernel
supporting threads, a capability-based access control, virtual memory, and device ac-
cesses. It relied on the assumptions that the compiler and the hardware work correctly.
They reported that about 20% of the code proofs and 90% of the specifications were
completed.
In the end of the 1980s, Bevier [Bev89] reports on the first fully verified kernel: KIT,
1An overview of the formal work and the corresponding directories is given in Section A.3. All proofs
will soon be published in the Repository: http://www.verisoft.de/VerisoftRepository.html
2I thank Jan Do¨rrenba¨cher and Matthias Daum for the valuable knowledge about related work in their
publications [Do¨r10, Dau10]
3
1 Introduction
a small assembly program, that provides task isolation, device I/O, and single-word
message passing. This verification project can only be referred to as groundbreaking
in the area of pervasive verification. KIT is very far from any real system and the
verification is based on a fairly abstract LISP execution model. Moreover, the corner-
stone theorem of this work is limited to memory separation of processes. Olos, in
contrast, is implemented in C and has been developed with an industrial use case in
mind.
Several past verification projects concentrated on the specification but fell short on
the actual verification. The VFiasco project [HTS02] aims at the verification of the
microkernel Fiasco implemented in a subset of C++. Besides model checking of basic
safety properties in Spin [End05] for a strongly limited and simplified version of Fiasco
IPC, three properties concerning ready and waiting lists have been verified in PVS
[Sch07]. However, this work is less than full code verification since C++ code was
transformed (only for this purpose) into PVS without defining a formal semantics of
the used C++ subset. Even some functions were only described by their semantical
effects, and hence the resulting implementation model is rather a specification. The
VFiasco approach to C++ source code verification was continued in the Robin Project
[Tew07] that investigated the verification of the Nova hypervisor. After the completion
of Robin in 2008, about 70% of the high-level specification of the Nova kernel was
produced. Neither, VFiasco nor Robin did manage to verifiy significant portions of the
implementation.
With the capability-based microkernel Eros and its successor the Coyotos kernel
[SDD+04], Shapiro and Weber defined a capability based kernel system and prove cer-
tain security policies to hold. The security model of the Eros kernel was not formally
connected to the implementation. The successor project Coyotos finished a complete
formal specification of the microkernel and the used programming language BitC. Some
early experiments were carried out but no formal proofs have been reported yet.
Several projects regard the operating system kernel decoupled from the remaining
system. Then, formal methods are applied to the isolated kernel layer with the aim to
show the correctness of a given specification and some properties. More specifically, the
implementation of the underlying layers are assumed to be correct. In contrast to the
pervasive approach we are aiming at, it can not be ensured that the specification can
be integrated or used in the upper layers of the system. This method is used e. g., of
the Mask project [MWTG00]. The project’s name stands for mathematically analyzed
separation kernel. It guarantees a separation property that is provided by construction
in the highest-level model, and by multiple formal refinement proofs down to a low-level
design, which is close to an implementation. Code proofs, however, were not attempted.
The Flint project [FSDG08] does not directly aim at operating-system verification but
it made a number of important contributions in the area. In the project an assembly code
verification framework was developed and code for context switching on a x86 machine
was formally proved to be correct. Although a verification logic for assembler code is
presented, no integration of results into high level programming languages has been
undertaken yet. Embedded Device [HALM06] report on the verification and Common
Criteria certification of a software-based embedded device featuring a seperation kernel.
4
1.1 RelatedWork
Their proof should qualify for EAL7, the highest Common Criteria evaluation level.
They were successful in the verification but in contrast to a fully verified system they
did not reach down to the implementation level.
Verification has a long tradition for improving the confidence in very complex operation-
systems functionality but seldom attempts full code coverage. There are projects that
focus on selected system components and prove some high level properties. A fruitful
target for verification have been, for instance, file systems [AZKR04] and network proto-
cols [AS97]. Moreover, the verified property and the abstraction level vary widely. Bevier
et al. [BCT04], for instance, have specified the interface of the Synergy file system on
a very abstract level while Yang et al. [YTE04] used model checking to systematically
check implementations for specific file-system errors.
An important aspect for security-sensitive applications is the reliability of software.
Secure system architectures are specifically developed for such applications. These ar-
chitectures are usually based on a microkernel that faciliates the separation of legacy
operating-system functionality from security-sensitive services. Therefore, they provide
complete functionality of common general-purpose operating systems and reduce the
trusted computing base for security-sensitive applications. This approach has been taken
by the Perseus security framework [PRS+01] as well as the Nizza secure-system archi-
tecture [HHF+05]. In spite of the high relevance of reliance, formal verification for these
architectures has to our knowledge yet been limited to the used operating-system kernel.
Both architectures are based on the Fiasco kernel, whose verification has been attempted
in VFiasco/Robin (see above). Beyond that, the Perseus project aims at an evaluation
’according to the Common Criteria at a later date’3. The Perseus framework is the basis
for the Turaya security platform [LP06].
Furthermore, Green Hills Software has announced that its Integrity-178B4 real-time
operating system was certified as EAL6 which is the highest rating given to an OS so far.
Nevertheless, this level of assurance only guarantees the formal treatment of software
requirements whereas the functional specification, the high- and low-level design of the
system are treated semi-formal and the implementation is affirmed in an informal way.
Most recent verification projects aiming at the complete code-level verification of op-
erating system kernels are L4.verified, Verisoft [Pau05, HP07] and its successor Verisoft
XT.
L4.verified. The L4.verified project [HEK+07, KEH+09] completed the world’s first
refinement proof for a general-purpose microkernel. L4.verified focuses on the seL4
kernel, which is based on the ARM11 platform. Their verification target, seL4, is a
third-generation microkernel of L4 provenance comparable to other high-performance
L4 kernels. It comprises 8,700 lines of C and 600 lines of assembly code. Relying
on [KEH+09, Kle09a], the L4.verified project is providing a machine-checked proof of
the functional correctness of the seL4 microkernel with respect to a high level, formal
3The announcement has been found on the project’s homepage, http://www.perseus-os.org/
content/pages/Evaluation.htm.
4For more information, see http://www.ghs.com/products/safety_critical/integrity-do-178b.
html
5
1 Introduction
description of its expected behaviour. The lowest level of the verification and of the
refinement is a high- performance C and ARM assembly implementation of the seL4
microkernel. The next level up, the low-level design, is a detailed, executable specifica-
tion of the intended behaviour of the C implementation. This executable specification
is derived automatically from a prototype of the kernel which was written in the high-
level, functional programming language Haskell. While trying to avoid messy specifics
of how data structures and code are optimized in C, the executable specification still
represents a pretty concrete view on the kernel implementation. For instance, it still
contains doubly-linked lists i. e., pointer structures. Furthermore, user transitions are
completely abstracted from the semantics of user-mode instructions and specified as
non-deterministically changing arbitrary user-accessible parts of the state space. The
highest refinement layer is the high-level design, an abstract, operational specification of
the kernel. Usually, this is accompanied with a high level of abstraction. It is reported,
however, that this layer precisely describes argument formats, encodings and error re-
porting. Thus, for instance, some of the C-level size restrictions become visible on this
level. On the other hand, the specification uses non-determinism in order to avoid an
explicit description of the system. For example, neither a scheduling policy is defined
at the abstract level nor the correctness of the interrupt controller management is mod-
elled in detail. The refinement proofs are machine-checked in the interactive theorem
prover Isabelle/HOL. In [Boy09, EKE08], they also defined an abstract access control
model of seL4 that captures how capabilities (the kernel s access control mechanism)
are distributed in the system and showed the isolation of security domains based on this
model. The access control model, however, is not formally connected to the high-level
design of seL4 which is used in the refinement proof. Without doubt, the results of the
L4.verified project are very promissing.
However, there are several issues to be considered: The approach assumes the correct-
ness of the C compiler, the assembly code, and the hardware5. Then, the abstraction
level of the high-level design seems to be comparatively low (which reduces the effort
regarding the refinement proof) and unsuitable to show, for instance, properties of the
access control mechanism. Instead, these proofs rely on a (probably) more abstract
model which is not formally connected to the high-level design in the refinement proof.
Furthermore, the abstract models are not yet applied, in the sense that they are used to
specify an operating system, for instance. In the future, the project plans to use their
correctness proof for proving the correctness of applications running on top of the seL4
microkernel. Finally, the proof relies on a certain standard behavior of memory.
In contrast to the abstract models of seL4 microkernel, the formal model of an ECU is
completely integrated into the model stack that covers all layers from applications down
to hardware. The ECU model literally uses definitions from the lower layers and can be
integrated to higher layers on the other hand. The seamless integration into the model
stack is not the only remarkable difference between the high-level design of seL4 and
the ECU model. The ECU model is used to prove functional correctness of the Olos
implementation. Moreover, properties of verified applications running on an ECU can
5For proof assumptions, see also http://ertos.nicta.com.au/research/l4.verified/proof.pml
6
1.1 RelatedWork
be integrated into properties of an entire ECU. In contrast to the non-deterministic user
processes in the seL4 model, we specify the exact semantics of applications running on
an ECU. This fact is crucial for pervasive verification because only an exactly defined
semantics is the basis for the verification of application programs. And finally, as opposed
to us the L4.verified project neither verified boot-up nor any assembly code.
Verisoft. Besides the verification of Olos, the Verisoft project also dealt with the
correctness of the microkernel Vamos. Jan Do¨rrenba¨cher [Do¨r10] has shown large parts
of the Vamos functional correctness proof and presented a model of the Vamos kernel.
This model of the Vamos kernel is completely integrated into a model stack reaching
from applications down to the hardware. This model establishes an abstraction level that
serves as basis for the simple operating system Sos of Sebastian Bogan [Bog08] and the
model of communicating user processes Coup of Matthias Daum [Dau10]. Furthermore,
it is used to show the fairness of the Vamos scheduler [Dau10, DDW09]. Compared to
Olos the complexity of Vamos is much higher. Most notably, the verification of the
microkernel Vamos [DDW09] has reached a mature state. While this kernel has more
features than Olos, the Vamos functional correctness proof does not cover the entire
code.
Verisoft XT. The Verisoft XT6 project aims at the complete code-level verification of
the PikeOS kernel, the virtualization environment Hyper-V and the Baby Hyper-V.
The first two verification targets are part of commercial products, whereas the latter one
is seen in academic context.
• PikeOS. PikeOS [Kai07, BBBB09b] is available for Intel’s x86, PowerPC, and
ARM, and has an L4-like kernel with about 6,000 lines of code. The proofs
are carried out by the VCC verification environment [CDH+09] (a descendant
of the Spec# program-verification environment of Microsoft Research), which uses
a trusted tool chain comprising the automatic verifier for concurrent C code VCC,
the verification condition generator Boogie [BLW, BMSW], and the automated
theorem prover Z3 [DMB08]. The supported C fragment is a large fragment of
ANSI C. Recent publications [BBBB09a, BBBB09b] mainly introduce the tool
chain and methodology. Apart from the verification of a simple system call which
changes the priority of a thread, there are no reports yet on the portion of verified
code.
• Hyper-V. [LS09, Sam08]. The kernel comprises 100,000 lines of C and 5,000 lines
of assembly code and is part of a commercial virtualization environment. The
hypervisor turns a single real multi-processor x64 machine (with AMD SVM or
Intel VMX virtualization extensions) into a number of virtual multi-processor x64
machines. The verification is also realized by the VCC verification environment
(see above); the supported C fragment is a large fragment of ANSI C. Recent
6More information about this project is available at http://verisoftxt.de/.
7
1 Introduction
publications [CAB+09, CMST09, CMST10a, CMST10b] in this context mainly
focus on the methodology of VCC and its application.
• Baby Hyper-V. Alkassar et al. [AHPP10], report on the successful verification of
the so-called baby hypervisor. In comparison to the Hyper-V, the baby hypervisor
and the architecture it virtualizes are very simple because it only includes the
initialization of the guest partitions and a simple shadow page table algorithm
for memory virtualization. However, it played an important role of driving the
development of the VCC technology and applying it to system verification.
The VCC technology [CMST09] demands a high level of trust: The current VCC ver-
sion uses an axiomatization of the execution model consisting of various axioms, which
introduce some rather abstract concepts like concurrency and ownership of references.
Though critical subproblems of the foundation are tackled by informal as well as formal
proof methods, the integration into a uniform foundational theory is significantly less
prioritized. In this respect, the tool chains, methodologies etc. are driven by the need
to deal with the existing code that can only be changed, if errors have been revealed.
1.2 Methodology
sv sv ′
s s ′
d+c
da
ab
s
ab
s
Figure 1.1: Simulation proof
In order to obtain pervasive formal verification of a system we have to consider several
adjacent layers of a system. We have learned, that these layers usually are coupled by
formal soundness and simulation theorems. The entire model stack of the Verisoft project
is formalized in the theorem prover Isabelle/HOL. The main results of this work, namely
the implementation correctness theorem (presented in Chapter 5) and the extended
compiler correctness theorem (shown in Chapter 6), are both simulation proofs. Figure
1.1 depicts the technique that is used to prove simulation proofs. Roughly speaking we
relate a concrete state sv to a corresponding abstract state s via an abstraction relation
or function abs. Correctness is given when all possible transitions dc on the concrete
layer result into successor states sv ′ that can be abstracted to corresponding states of
the specification s ′ after a correlating transition in the model da. Note that an abstract
transition usually simulates a number of steps in the concrete layer.
8
1.3 Notation
1.3 Notation7
The formalizations presented in this thesis are mechanized and checked within the generic
interactive theorem prover Isabelle [Pau94]. Isabelle is called generic as it provides a
framework to formalize various object logics that are declared via natural-deduction-
style inference rules within Isabelle’s meta-logic Pure. The object logic that we employ
for our formalization is the higher-order logic of Isabelle/HOL [NPW02], which is based
on the typed λ-calculus.
This work is written using Isabelle’s document-generating facilities, which guarantees
that the presented theorems correspond to formally proved ones. We distinguish formal
entities typographically from other text. We use a sans-serif font for types and constants
(including functions and predicates), e. g., replicate, a slanted serif font for free variables,
e. g., x, and a slanted sans-serif font for bound variables, e. g., x . Small capitals are used
for data-type constructors, e. g., Foo. Keywords are set in type-writer font, e. g., let.
As Isabelle’s inference kernel manipulates rules and theorems at the Pure level, the
meta-logic becomes visible to the user and also in this document when we present the-
orems and lemmas. The Pure logic itself is intuitive higher-order logic, where universal
quantification is
∧
, implication is =⇒, and equality is ≡. Nested implications like P1
=⇒ P2 =⇒ P3 =⇒ C are abbreviated with [[P1; P2; P3]] =⇒ C , where we refer to P1,
P2, and P3 as the premises and to C as the conclusion. We may also write:
P1 P2 P3
C
In the object logic HOL, universal quantification is ∀, implication is −→, and equality
is =. We sometimes use the abbreviation P ←→ Q for (P −→ Q) ∧ (Q −→ P). The
other logical and mathematical notions follow the standard notational conventions with
a bias towards functional programming. Isabelle/HOL provides a library of standard
types like Booleans, natural numbers, integers, total functions, pairs, lists, and sets as
well as packages to define new data types and records. We only present them shortly in
the following.
Functions. In HOL all functions are total, e. g., nat⇒ nat is a total function on natural
numbers. An unnamed function can be specified using the λ-operator, e. g., λx . x is the
identity function. In general, we prefer curried functions over functions taking an n-
tuple as argument, e. g., f (a)(b) instead of f (a, b). As the parentheses for function
application soon become distracting, we omit them and write f a b, instead. Note that
function application binds tighter than any other operator, i. e., f i + g j means (f i)
+ (g j). We write f ◦ g for functional composition and recursively define the n-fold
7For taming Isabelle’s powerful document-generating mechanism in general, and in particular for the
major part of this section, I am indebted to Schirmer et al. [Sch06, AHL+09]
9
1 Introduction
function application by f 0 = (λx . x) and f n + 1 = f ◦ f n. Function update is f (y := v)
≡ λx . if x = y then v else f x .
Partial functions are usually formalized in HOL with the option type. This type is
a data type with two constructors, one to inject values of the base type, e. g., bxc, and
the other one is simply the additional element ⊥. A base value can be projected by dxe,
which is defined by the sole equation dbxce = x. As HOL is a total logic, the term d⊥e is
nevertheless a well-defined yet unspecified value. For data types, we write the structural
case distinction over some value v as case v of ⊥ ⇒ g | bxc ⇒ f x . Some data types
might have many constructors, which are all treated in the same fashion in a certain
situation. In this situation, we may write case v of Foo ⇒ x | ⇒ y , which means
value x if v has the value Foo, and otherwise value y . Finally, we abbreviate case a of
⊥ ⇒ ⊥ | bxc ⇒ e with let⊥ x = a in e.
Sets, Intervals, and Relations. Sets come along with the standard operations for union,
i. e., A ∪ B, intersection, i. e., A ∩ B and membership, i. e., x ∈ A. We denote the
interval of the numbers a and b excluding the endpoints by {a<..<b}, and including the
endpoints by {a..b}. Furthermore, we write a < c ≤ b to denote that a number c is in
the interval {a<..b}. Relational composition is written as R1 ◦ R2.
Lists. The syntax and the operations for lists are similar to functional programming
languages like ML or Haskell. The empty list is [ ] and by x  xs the list xs is preceded
with the element x. The head of list xs is computed with hd xs and the remainder, its
tail, is tl xs. Function last returns the last element of a list. We write [a, b, c] instead
of a  b  c  [ ]. With xs } ys, list ys is appended to list xs. The function concat
takes a list of lists as argument and returns the concatenation of these lists. The length
of a list xs is written |xs|, the n -th element of a list can be selected with xs ! n and
updated via xs[n := v ]. With set xs we obtain the set of elements in list xs. Filtering
those elements from a list, for which predicate P holds, is achieved by [x∈xs . P x ].
With replicate n e we denote a list that consists of n elements e. Function rotate1 takes
the head of a list and appends it on its tail rotate1 xs = tl xs } [hd xs]. We drop the
last element of a non-empty list xs by applying the function butlast xs. With map f xs,
the function f is applied to all elements in xs. We can extract a sublist of j elements
starting from the i-th element of a given list xs by using function extr i j xs. With [i..<j]
we denote a list of consequitive natural numbers from i to j (exclusively). Function zip
xs ys takes two lists xs and ys and returns a new list by combining the list elements to
pairs. We use function fold in order to apply function f with a list of inputs to a state s.
The recursively defined function returns state s when the input list is empty, otherwise
it starts its computation with the head of the input list: fold f (x  xs) s = fold f xs (f
x s). Function list sum xs returns the sum of all numbers stored in list xs.
Records and Tuples. A record is constructed by assigning all of its fields: (|fld1 = v1,
fld2 = v2|). Field fld1 of record r is selected by r.fld1 and updated with value x via r(|fld1
:= x|). The first and second component of a pair p = (p1, p2) can be accessed with the
10
1.3 Notation
functions fst p = p1 and snd p = p2. Tuples with more than two components are pairs
nested to the right.
11
1 Introduction
12
2 Background
”What is the right way to listen to a fugue:
as a whole, or as the sum of its parts?”
D. Hofstadter, quoted in: Go¨del, Escher, Bach: An Eternal
Golden Braid
Contents
2.1 System and Proof Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2 The VAMP Assembly Language . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 The Language C0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.4 Compiler Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.5 Switching the Layers - Inlined Assembly Code . . . . . . . . . . . . . . . . . . . 32
2.6 Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.7 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.7.1 Device Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.8 CVM: A Programming Framework for Operating Systems . . . . . . . . . . . . . 41
2.8.1 CVM State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.8.2 CVM Transitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.8.3 CVM Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.9 The Verification Environment Isabelle/Simpl for C0 . . . . . . . . . . . . . . . . 52
2.9.1 Dealing with Inline Assembly in Isabelle/Simpl . . . . . . . . . . . . . . . 54
2.9.2 Code Verification in Isabelle/Simpl . . . . . . . . . . . . . . . . . . . . . . 55
The context of this work is the German Verisoft project, a large-scale research project
with partners from industry and academia, funded by the German government. The
main goal of the project is the pervasive formal verification [BHMY89] of computer
systems.
In order to prevent errors and gain compatible verification results, all theories are
developed in the logical framework of the interactive theorem prover Isabelle/HOL.
Verisoft focuses on three goals: (i) the creation of methods and tools permitting the
pervasive formal verification of computer-system designs (ii) an increase of the industrial
productivity and quality, and (iii) the prototypical realization of four concrete computer
systems, where three are from the industrial sector.
More precisely, this work belongs to the automotive subproject where we consider
a distributed real-time system that consists of several electronic control units (ECUs)
13
2 Background
connected by a bus. The ECUs comprise an automotive bus controller (ABC) and a
processor executing the real-time operating system Olos and several application pro-
grams.
This chapter presents a general view of the context of this thesis and introduces all
required fundamentals used for the implementation, specification and verification of our
operating system Olos.
In Section 2.1, we introduce the scope of this work and classify its dependencies.
Therefore, we give a short overview of the implementation layers in our software system.
The behaviour of each layer is specified by a computational model. We summarize
the general verification approach that has been developed within Verisoft for sequential
programs. This approach can deal with mixed-language implementations. In our case,
we rely on two different languages: Vamp assembly [MP00] and C0 [Lei08], a fragment
of C. We briefly present both languages in Section 2.2 and Section 2.3, respectively.
Then, we outline the compiler-correctness theorem (Section 2.4) of Leinenbach & Petrova
[LPP05, Pet07, LP08].1 Section 2.5 briefly describes an approach of Starostin & Tsyban
[ST08, Tsy09] to reason formally about inline-assembly portions in C0 programs. More
specifically, we show how to lift the effects of the assembly instructions back to the C0
level.
Furthermore, we present the concept of interrupts [MP00] (Section 2.6) and the de-
vice model [AH08] (Section 2.7). Olos is implemented on the verified RISC processor
Vamp [BJK+06] using a programming framework called communicating virtual machines
(Cvm) [GHLP05, IT08]. We describe this framework in Section 2.8. Finally, we intro-
duce general concepts of the verification environment Isabelle/Simpl [Sch06] in Section
2.9.
2.1 System and Proof Architecture
In this section, we briefly introduce the implementation layers of our system. More
specifically, we describe how the operating system Olos is integrated in the system-
stack. Moreover, we present the general verification approach for sequential programs
that has been developed within Verisoft and specify the semantic stack layers we used
in the following work.
System Stack. The system software layers used in the automotive subproject are de-
picted in Figure 2.1 on the next page. Our work is restricted to the software layers
(depicted as white boxes) built on top of a model called communicating virtual machines
(Cvm) [GHLP05, IT08], a generic programming framework for the implementation of
operating-system kernels on the Vamp processor [MP00]. This layer encapsulates the
hardware-specific low-level functionality, which employs inlined assembly. Using this
framework, the real-time operating system Olos is implemented in C0 without extra
portions of inlined assembly. Both layers interact via C0 function calls: The Cvm frame-
work calls the top-level function kdispatch of Olos, and Olos itself uses Cvm primi-
1 For major parts of Section 2.2,Section 2.3, and Section 2.4, I am indebted to Matthias Daum [Dau10]
14
2.1 System and Proof Architecture
tives to access low-level functionality. While these two layers run in system mode of the
processor, applications are executed in user mode on top of our operating system. The
user applications may request services from Olos using so-called system calls. Cvm’s
major task is process separation and memory virtualization. Hence, Cvm includes a
page-fault handler with a simple memory-swapping facility [ASS08]. All remaining ker-
nel functionality is to be implemented in the hardware-independent part, the so-called
abstract kernel. Technically, the Cvm framework consists of the interrupt-service routine
(ISR), on the one hand, and the primitives, on the other hand. The ISR is stored at a
specific memory address and the processor executes the code at this address whenever
an interrupt occurs. Cvm’s ISR saves the old processor context, establishes a suitable
C0 environment and calls the C0 function kdispatch of the abstract kernel. Cvm primi-
tives are C0 functions employing inlined assembly code to provide low-level functionality
to the abstract kernel e. g., for the manipulation of process memory or registers. The
return value of kdispatch instructs Cvm, which application is to resume when the ker-
nel execution finishes. The functionality of Olos is accessible for applications system
calls. Technically, a system call is implemented using the special instruction trap: This
instruction generates an exception similar to e. g., an arithmetic overflow. Exceptions
are a special class of interrupts that are generated as a direct result of the program
execution (as opposed to the so-called external or device interrupts that are caused by
the peripherals). Thus, the exception causes - like any interrupt - a jump to Cvm’s
ISR, which eventually invokes Olos. Olos can examine and manipulate the state of
the application using Cvm primitives. That means, the calling application can store
parameters to a system call in registers and memory in order to describe its specific
demand from Olos. The operating system, in turn, interprets the inquiry by examining
the applications state and in response, it alters this state accordingly. A well-defined
interface precisely defines this interaction between the operating system and applications
by assigning a system-call semantics to register values and memory contents.
Hardware
Cvm
kdispatch primitives
Olos
Sy
st
em
m
od
e
App App
primitives system calls
U
se
r
m
od
e
Devices
Figure 2.1: System stack
15
2 Background
C0 Hoare logic
C0 big-step semantics
C0 small-step semantics
Vamp assembler
Vamp ISA
Vamp hardware (gate-level)
XCalls
Devices
+
+
+
+
+
+
soundness/simulation
simulation
compiler correctness XCall implementation
simulation
processor correctness
Figure 2.2: Semantics Stack
Semantics Stack. An overview of the semantics stack in depicted in Figure 2.2. The
C0-semantics stack consists of a Hoare Logic on the highest level, a big-step and a
small-step semantics. The underlying Vamp machine level includes an assembly layer,
an instruction set architecture, and at the lowest layer a gate-level hardware. All re-
sults gained on a specific layer can be transferred down to the lowest layer by applying
simulation, soundness and correctness proofs that connect all adjacent levels with each
other. The lowest layer used in this thesis to prove correctness theorems is the Vamp
assembly layer.
In the Hoare logic we can reason about pre- and postconditions of sequential, type-
safe, and assembly-free C0 programs. Compiler correctness, in contrast, is formulated
at the small-step semanctics layer. Both layers are bridged by the big-step semantics
which is suited to express results of the Hoare logic operationally. The differences of
these layers reflect their purpose: Whereas the Hoare logic was designed to support
verification of individual programs, the small-step semantics supports considerations
about interleaving programs at the system level. In the context of system code, we
often have to deal with portions of inlined assembly code. The effects on low-level
computations cannot be expressed at the C0 layers. There is an approach of abstracting
these computations into atomic functions. These functions, referred to as extended
calls (XCalls), encapsulate the portion of inlined assembler code. For this purpose, a
C0 state is extended with an additional component representing external states e. g.,
devices or applications. Then, the XCall is a procedure call that performs a transition
on the external state and communicates with C0 via parameter passing and return
values. A more detailed description of XCalls is presented in [ASS08]. This model can
be integrated into all C0-semantics layers. XCalls can be transferred down to the Vamp
assembler semantics where they are finally discharged by an implementation proof.
Similar to the XCalls in the upper layers, devices can be integrated into the lower
16
2.2 The VAMP Assembly Language
layers. Their state and transition functions are shared between all semantic layers of
the Vamp. The device transition functions as well as the Vamp semantics describe
interleaved small-step computations to obtain concurrent execution of the combined
system. A fundamental prerequisite to prove a global property of the combined system
is to disentangle the different computations by means of reordering [AH08, Alk09] in
order to use individual transfer results then. A comprehensive report on the semantic
stack is given in [AHL+09].
All layers used in context of this thesis are shown as white boxes. Our operating
system Olos is written in the sequential language C0. The implementation-correctness
theorem is specified and carried out at the Hoare logic layer using XCalls to manipu-
late integrated application and device states. The correctness-proofs of the system-call
library are carried out on lower levels. We prove a simulation theorem stating that all
C0 functions implementing system calls simulate a certain number of steps of the Vamp
assembly machine executing the compiled code. The augmentation of the compiler cor-
rectness theorem involves the C0 small-step as well as the Vamp-assembly level.
2.2 The VAMP Assembly Language
We regard the assembly language developed for the Vamp architecture. The Vamp
architecture is based on the DLX architecture [HP96] and was initially presented by
Mueller & Paul [MP00]. An implementation of the VAMP was formally verified in 2003
[BJK+03, BJK+06]. Since then, the VAMP has been extended with address translation
and support for I/O devices [DHP05, AHK+07, TS08]. Three models [AHL+09, TS08]
are related to this processor. From the most concrete to the most abstract one, these
are: the gate-level implementation, the instruction set architecture (ISA) specification,
and the assembly-language specification. Simulation proofs relate the adjacent models
in such a way that properties shown at the assembly level can finally be transferred down
to the gate-level.
The Vamp assembly language is the target language of Leinenbach & Petrova’s verified
C0 compiler. At the same time, its specification is intended to be a convenient layer
for the implementation and the verification of hardware-dependent programs. Thus,
the language specification abstracts from certain aspects of the lower layers, which are
irrelevant for these purposes.
Most notably, the Vamp assembly machine employs a linear memory model with a
conventional memory semantics, i. e., it abstracts from memory-mapped device I/O and
the paging mechanism of the processor. This abstraction is useful for an assembly code
executed in the untranslated system mode as well as in the user mode with a transparent
handling of address translation and page faults.
Furthermore, interrupts are not modelled in the Vamp assembly machine. This ab-
straction extends the very idea of the previous one: We implicitly assume that interrupts
can either be handled transparently to the running program (like device interrupts and
page faults) or are programming errors (like misaligned memory accesses and undecod-
able instructions), which should not occur at all. The simulation theorem between the
17
2 Background
ISA and the assembly-language specification simply holds unless exceptions are gener-
ated during the execution of instructions. As part of compiler correctness, it has been
shown that a compiled C0 program does not generate exceptions if there are sufficient
resources. Note that this separation of matters is equally welcome when verifying inlined
assembly code. Besides, the abstraction from interrupts is a reversible convenience – we
re-introduce an exception semantics tailored for assembly processes in Section 4.2.2.
Finally, the bit vectors from the ISA specification are superseded in the Vamp as-
sembly machine (a) by integers for data, (b) by naturals for addresses, and (c) by a
tailored abstract data type for instructions. This representation is optimized for as-
sembly programs working with integers; arguments regarding naturals and bit-vector
operations require conversions. The two functions to nat32 and to int32, for example,
convert either 32-bit integers to naturals or vice versa.
Formal Semantics. An assembly state sasm is a record with the following components:
• two program counters sasm.dpc and sasm.pcp for implementing the delayed-branch
mechanism, which hold the addresses of the current and next instruction,
• the general-purpose and special-purpose register files sasm.gprs and sasm.sprs, which
are both lists of data, and
• the word-addressable main memory sasm.mm, mapping addresses to data.
Note that some well-formedness constraints are not enforced by the record type. We
call an assembly state valid iff the program counters are 32-bit naturals, the register files
contain 32 registers, and all registers and memory cells are 32-bit integers. We subsume
these well-formedness constraints in predicate is valid asm:
is valid asm sasm ≡
sasm.dpc < 2
32 ∧ sasm.pcp < 232 ∧ |sasm.gprs| = 32 ∧ |sasm.sprs| = 32 ∧
(∀i∈{0<..<32}. −231 ≤ sasm.gprs ! i < 231) ∧
(∀i∈used sprs. −231 ≤ sasm.sprs ! i < 231) ∧ (∀addr . −231 ≤ sasm.mm addr < 231)
Instructions are represented by an abstract data type and converted on instruction
fetch from memory cells using the conversion function to instr. Thus, the function
current instr sasm ≡ to instr (sasm.mm (sasm.dpc div 4)) denotes the instruction that is
executed next in the assembly machine.
The assembly semantics can equally be employed in user- and system mode. The
mode is determined by the special-purpose register MODE:
is system mode sasm ≡ sasm.sprs ! MODE = 0
In the course of this thesis, we do not deal with the system mode. In user mode, it is
illegal to access most of the special-purpose registers and solely the page-table length
register PTL is relevant for us: It determines the size of the main memory in pages of
1024 words. For technical reasons, the register value is a signed integer with an offset of
−1, i. e., −1 denotes a size of 0 pages. We encapsulate this fact in the function mm size
and define:
mm size sasm ≡ to nat32 (sasm.sprs ! PTL + 1)
18
2.2 The VAMP Assembly Language
A memory access beyond the specified size generates an exception in the real system –
an illegal case in the assembly semantics.
The Vamp-assembly transition function dasm computes for a given assembly state sasm
the next state s ′asm. In illegal cases, the transition function gets stuck.2 Otherwise,
the transition is specified by a simple case distinction on current instr sasm. We use the
notation dnasm sasm to denote the result of executing n steps of the assembly machine
starting in state sasm.
Memory Access Instructions. In the course of this thesis, two memory access instruc-
tions are of special interest. They are used to transfer data from memory into a general
purpose register and vice versa. Both operations have three parameters:
• RD is the register in which the memory data is stored or of which register it is
loaded
• RS1 is the register containing the memory source or destination address in the
memory
• i is the offset of the memory address
The load-word instruction Ilw RD RS1 i loads a word from the memory to a specified
general purpose register, whereas the store-word instruction Isw RD RS1 i stores a word
from a general purpose register into the memory.
For both instructions, we compute the target address in the memory from the address
stored in register RS1 and an offset given as immediate value i. The result is called the
effective address and is formally defined as:
ea sasm ≡ (to nat32 (sasm.gprs ! RS1) + to nat32 i) mod 232
A number n is divisible by k if k divides n without leaving a remainder i. e.,
(k dvd n) = (n mod k = 0)
The semantics of a load-word instruction where the current assembly state is valid
and the effective address is well-formed (i. e., it is in range and word aligned) is given
with:
current instr sasm = Ilw RD RS1 i ∧
is valid asm sasm ∧ 4 dvd ea sasm ∧ ea sasm < 232 =⇒
dasm sasm =
sasm
(|dpc := sasm.pcp, pcp := (sasm.pcp + 4) mod 232,
gprs := sasm.gprs[RD := sasm.mm (ea sasm div 4)]|)
The data stored in the memory at the effective address is copied to general purpose
register RD. Moreover, the program counters are increased.
2Technically, we avoid extra case distinctions for the detection of all possible invalid cases but sort out
those cases before we apply the transition function. In some illegal cases the transition function is
meaningless, although it would not get stuck.
19
2 Background
The store-word instruction applied on a valid assembly state with a well-formed ef-
fective address and an existing register index RD has the following effects: The value
of the general purpose register RD is stored to the effective address in the memory and
the program counters are increased. Reading from general purpose register 0 is defined
as 0. Formally:
current instr sasm = Isw RD RS1 i ∧
is valid asm sasm ∧ 4 dvd ea sasm ∧ ea sasm < 232 ∧ RD < 32 =⇒
dasm sasm =
sasm
(|dpc := sasm.pcp, pcp := (sasm.pcp + 4) mod 232,
mm := sasm.mm(ea sasm div 4 := if RD = 0 then 0 else sasm.gprs ! RD)|)
2.3 The Language C0
ANSI C [Ame99] has a complex and highly underspecified semantics. Low-level programs
such as device drivers, however, explicitly use properties of a particular compiler on a
target hardware, like register bindings or the internal representation of data types. They
can therefore not be verified based only on the vague ANSI C semantics. In Verisoft,
we have restricted ourselves to the C-like imperative language C0 [Lei08], which has
sufficient features to implement low-level software but is interpreted by a more concrete
semantics. C0’s most important limitations compared to ANSI C are:
• expressions must be free of side effects and must not contain function calls,
• there are no implicit type conversions, especially not from arrays to pointers,
• pointers are strongly typed and must not point to functions or stack variables (i. e.,
there are neither void pointers nor pointer arithmetic), and
• low-level data types (like unions and bit fields) and control-flow statements (like
switch and goto) are not supported.
Syntax. C0 supports fundamental types, aggregate types and pointers. The first cat-
egory comprises Booleans, 8-bit-wide characters, as well as signed and unsigned 32-bit
integers. Aggregate types in C0 are arrays and structures. Pointers may point to all
types of data but not to functions.
Primitive expressions are variable names and literals. Other expressions can be com-
posed using operators: If e and i are expressions and n is a component name, the follow-
ing operations are expressions as well: array access e[i], access to structure components
e.n, dereferencing *e, and the “address-of” operation &e. Moreover, C0 supports the
usual unary and binary operations. Namely, unary operations are unary minus -, bit-
wise negation ~, logical negation !, and conversion operations between integral values.
Binary operations are arithmetic operations (+, -, *, /, %), bitwise operations (|, &, ^,
<<, >>), and comparisons (>, <, ==, !=, >=, <=) as well as the lazy binary operations
(Boolean conjunction && and disjunction ||). Left expressions are expressions that re-
20
2.3 The Language C0
Lit v literal values v
VarAcc vn access of variable vn
ArrAcc ea e indexing array ea with index e
StructAcc e cn selecting component cn of structure e
BinOp bop e1 e2 binary operation
LazyBinOp lbop e1 e2 lazy binary operation
UnOp uop e unary operation
AddrOf el address of left-expression el
Deref e dereferencing e
Table 2.1: C0 expressions e
fer to memory objects, namely variable, array and structure accesses as well as pointer
dereferencing.
The statements in C0 permit assignments, dynamic memory allocation, sequential
composition, conditional and repeated execution, inlined assembly, function calls, and
returns from functions. Some of the statements are tagged with unique statement iden-
tifiers of type sid. These identifiers are mainly used in the compiler correctness proof to
examine the relationship between statements and to determine their original order within
a program. The empty statement and the sequential composition are called structural
and are the only statements that are not tagged with statement identifiers.
In Isabelle/HOL, C0 expressions e and statements s are represented as data types.
Their constructors are listed in the Tables 2.1 and 2.2.
Only a few of them are of special interest in this thesis:
• Variable accesses VarAcc vn are used to read or write the value of variables vn.
• The dereferencing operator Deref e transforms the pointer expression e into a
left expression.
• Furthermore, the function-call statement SCall vn fn es sid calls a C0 function
named fn with the argument list es. The returned result is stored to a (global or
stack) variable called vn.
• Return statements with return expression e and statement identifier sid are mod-
Skip the empty statement
Comp s1 s2 sequential composition
Ass el e sid assignment of expression e to left-expression el
PAlloc el tn sid allocation of an object of type name tn and assignment to el
SCall vn fn es sid call of function fn with arguments es and result variable vn
Return e sid return from a function
Ifte e s1 s2 sid if-then-else with condition e
Loop e s sid while loop with condition e and body s
Asm ls sid inlined assembly with instruction list ls
Table 2.2: C0 statements s
21
2 Background
elled with Return e sid.
• A list of Vamp assembly instructions ls can be inlined with statement Asm ls sid.
This statement extends C0 to C0A and the semantics of C0A programs is defined
as alternating C0 small-steps semantics and Vamp assembly semantics.
• The sequential composition Comp s1 s2 presents the consecutive execution of the
statements s1 and s2.
• Finally, the empty statement Skip does nothing.
C0 Memory Configuration. The C0 memory configuration stores information about
variables of a C0 program together with their values. As C0 is perfectly type-safe, the
memory is typed and only stores fundamental types.
A memory frame consists of three parts:
• The content that maps addresses to memory cells, where elementary values are
stored,
• a symbol table that holds all variables of the memory frame together with their
types and,
• finally a set of already initialized variables.
The memory itself includes one memory frame for global variables and one for heap
objects. The local variables are stored in several stack frames. Each of them consists of a
single memory frame stored together with the return destination of the calling function.
The local memory is modelled as a list of stack frames where the topmost stck frame is
stored at the end of this list. Thus, the index of stack frame remains constant during its
lifetime. The recursion depth recursion depth returns the current number of stack frames
in the memory. The topmost local memory frame has consequently the index recursion
depth sC0 − 1. We can access the topmost stack frame with function toplm and the
return destination with function toprd. The symbol table of the global variables can be
extracted from a memory state with the function gm st, whereas the symbol table of the
top most stack frame can be computed with function toplm symbols. Function extract
symbolconf extracts the symbol tables of the global, the local and the heap memory.
Generalized Variables. Pointers in the small-step semantics are represented in a struc-
tural way using so-called generalized variables short g-variables. They are defined in-
ductively and are structurally similar to left-expressions. There are three base cases for
g-variables:
• gvar gm x: global variables of name x,
• gvar lm x i: local variables with name x located in the i-th local memory frame
of the stack, and
• gvar hm i: nameless heap variables that are referenced by an index i
The inductive case defines g-variables for array and structure access:
• gvar arr g i: the i-th array element is a g-variable when g is an array type g-variable
• gvar str g n: the component with name n of a structure type g-variable g is also
a g-variable
22
2.3 The Language C0
The predicates is global gvar, is local gvar, and is heap gvar hold when the corre-
sponding g-variable is global, local or a heap variable. Note that these predicates are
dichotomous. Local g-variables that are located in the topmost stack frame fulfill the
predicate is top local gvar.
The set of subvariables sub gvars of a given g-variable is defined inductively: Initially,
a g-variable itself is contained in this set and all array elements and components of
a structure typed g-variable are contained. For a given g-variable x that belongs to
the set of subvariables of g-variable g , we denote: x ∈ sub gvars g . For composed g-
variables, we call the highest ancestor of g-variables the root and then predicate is root
gvar holds [Lei08, Def.4.11]. A g-variable is initialized if its root g-variable belongs to the
set of initialized variables of the corresponding memory frame; g-variables in the heap
are initialized by definition. For an initialized g-variable gvar predicate gvar initialized
m gvar holds [Lei08, Def.4.20]. The set of all reachable g-variables is denoted with
reachable gvars [Lei08, Sec. 8.2.2]. We call a g-variable g reachable when it is a global
or local variable, another reachable pointer g-variable points to g or g is a sub-variable
of a reachable g-variable. The function vlookup searches in the global memory or the
topmost local memory frame of memory state m a g-variable that corresponds to a given
variable name vn. If it finds no corresponding g-variable, it returns ⊥. Finally, function
addrof gvar takes a type table tt, a symbol table sc and a g-variable and returns a record
consisting of the type ad tn, the start address ad base of the memory object as well as
the name of the memory where the object is stored ad memname.
Expression Evaluation. Expression evaluation in the C0 small-step semantics uses a
function eval that takes the type table, a memory configuration, and an expression.
When the evaluation succeeds it returns a data slice ds. A data slice is represented as a
record with five components:
1. the left value of the expression ds.ds lval,
2. its type ds.ds type,
3. a flag determining whether the expression represents a memory object ds.intermediate,
4. a flag indicating whether the expression is initialized ds.ds initialized and,
5. the expression value ds.ds data
With a given g-variable, a memory configuration and a type table we can compute
the referenced data in form of a data slice by using function get dataslice. When the
type of the referenced data is elementary i. e., no array or structural type, we call the
corresponding g-variable elementary and predicate elementary gvar holds.
We use the function mem update tt m g d in order to manipulate memory objects. This
function updates the object denoted by the g-variable g in memory m by the new data
d. Note, however, that the expression evaluation and consequently the memory update
may fail, e. g., because of an uninitialized variable or a dereferenced null pointer. Thus,
this function is partial.
Program Rest. The program rest contains statements that still have to be executed.
More specifically, the program rest is one of the statements as depicted in Table 2.2 on
23
2 Background
page 21. Initially, it holds the body of the main function and grows or shrinks, depending
on the execution of the program. At this place, we define two functions that manipulate
the program rest. If the first statement of the program rest is a function call, function
rm scall replaces it with a Skip or does not change anything otherwise. Formally:
rm scall stmt =
(case stmt of Comp s s ′⇒ Comp (rm scall s) s ′
| SCall lv fn es sid ⇒ Skip | ⇒ stmt)
Function remove fst stmt is used to remove the first statement of a program rest. A
sequential composed statement recursively call the function until its first sub-statement
is not composed. In this case, remove fst stmt returns the second sub-statement of the
sequential composition. Single statements are simply replaced with a Skip statement.
We define function remove fst stmt as follows:
remove fst stmt stmt =
(case stmt of
Comp s s ′⇒
if is Comp s then Comp (remove fst stmt s) s ′ else s ′
| ⇒ Skip)
Small-Step Semantics. A C0 program is formally defined by a symbol table gst of
global variables, a type-name table tt, and a function table ft. A symbol table is a list
of pairs of variable names and the corresponding data types. The type-name table lists
pairs of type names and the corresponding data types. And finally, the function table
lists pairs of function names and the corresponding functions definitions.
A function definition is represented by a record fd consisting of
(a) a statement fd.body that represents the function body,
(b) a symbol table fd.params of the function’s parameters,
(c) the function’s return type fd.rettype, and
(d) a symbol table fd.stack vars of the stack variables.
In contrast to the static program definition, the program state evolves during the
execution of a C0 program. A program state sC0 comprises:
• the statement sC0.prog of the program that remains to be executed, and
• the current state sC0.mem of the program variables and the heap objects.
The transition relation dC0 of this semantics is deterministic, i. e., a partial function.
Some of the proofs employ an extended C0 state that does not only consist of the
dynamic program state but additionally includes the static program definition. The
extended C0 state is called monolithic and consists of the following components:
• sC0.pstate a C0 program state including a program rest and the memory state as
defined above,
• sC0.ttab a type table and,
• sC0.ftab a function table.
An evaluation function evalm computes the evaluation of a given expression together
with a given monolithic state sC0. Internally, it extracts the type table and the memory
24
2.3 The Language C0
state of sC0 and invokes eval to compute the corresponding data slice. We embed the
transition function dC0 into a partial transition function for monolithic states dC0m.
Here, we simply change component sC0.pstate and leave the static program definitions
unchanged. In principle, all proofs using the monolithic type can be formulated with
a C0 program state and the static program definitions. Nevertheless, hiding the tables
often simplifies reading our formulae.
Function Call and Return. To cut a long story short, the semantics of a function call
is the following: the stack is extended by a new stack frame on the top, the function
parameters kept in the parameter list es are evaluated and copied to the frame and the
return destination stores the g-variable of the function call’s left variable lv . These op-
erations are encapsulated in the function extend stack. In the program rest the function
call is substituted by the function body. The return statement should be the last in-
struction in a function body. It updates the left variable of the function call lv with the
evaluated return expression, deletes the topmost stack frame and sets the new program
rest to Skip. Function remove toplm m computes the changed memory state after the
removal of the topmost stack frame. A more detailed description of the C0 small-step
semantics concerning function calls will be given in Chapter 6.
Here, we define a useful function set primres that directly updates the left variable of
a function call with a primitive value (i. e., values of an elementary type). It takes a
monolithic C0-state and a primitive return value rv and returns a modified C0 memory
state. In the case that the first statement of the program rest is a function call, it directly
updates the memory at the address of the lefthand variable of the function call with the
return value. Therefore, evalm computes a data slice from the literal expression of the
primitive value rv . If the first statement is not a function call or the memory update
fails, function set primres returns ⊥. Formally:
set primres rv sC0 ≡
case fst stmt sC0.pstate.prog of
SCall lv fn es sid ⇒
mem update sC0.ttab sC0.pstate.mem devalm sC0 (VarAcc lv)e.ds lval
devalm sC0 (Lit (Prim rv))e
| ⇒ ⊥
Validity of C0 States. We briefly summarize the constraints of a valid C0 state sC0
with respect to a type table tt and a function table ft. The requirements are preserved
under all small-step transitions dC0 and comprise the following claims:
1. the function table is valid: (tt, gm st sC0.mem, ft) ∈ valid ft
2. the program rest of sC0 is valid
3. the number of return statements in the program rest is less than the recursion
depth of the program
4. the stack of sC0 is valid
5. the type table tt is valid valid tenv tt;
25
2 Background
6. the symbol table of the global variables is valid valid symboltable tt (gm st sC0.mem)
7. all local symbol tables correspond to a function in the function table ft
8. the types of all heap variables are valid
9. all memory frames are type correct and,
10. the return destinations are valid.
All these requirements define the set of valid C0 states. We denote this set with:
sC0 ∈ valid C0confs tt ft
As we focused only on definitions used in this thesis, we refer to [Lei08] for a compre-
hensive and detailed description of the C0 language.
2.4 Compiler Correctness
Most software in Verisoft has been implemented and verified at the C0 level. The C0
programs are translated to assembly code in order to be executed on the target machine.
Leinenbach & Petrova have developed and verified a non-optimizing compiler from C0
to VAMP assembly [LPP05, Pet07, LP08]. Below, we summarize their results.
Compiler correctness is formulated as a simulation theorem. In essence, the compiler-
simulation theorem states that every step i of the source program executed on the C0
small-step semantics simulates a certain number si of steps of the VAMP assembly ma-
chine executing the compiled code. For the property transfer from the C0 to the VAMP
assembly layer, the simulation theorem has to meet special requirements. In particular,
the simulation theorem is formulated based on the small-step semantics, which permits
the reasoning about non-terminating programs and interleaved executions. Addition-
ally, the compiler-correctness proof considers resource restrictions at the assembly layer
and allows to discharge them at the C0 layer. The compiler correctness theorem always
starts in an initial state and can only deal with sequential C0 semantics. More specifi-
cally, the theorem does not hold when inline assembly is executed. In the course of this
thesis we introduce function calls that are used by applications to communicate with the
operating system. These C0 functions embed inline assembly code. We strengthen the
induction step of the compiler correctness theorem in order to deal with these language
extensions. Moreover, we can start from any C0 state that fulfills the preconditions.
We first describe the memory layout of compiled programs. Briefly summarized, there
are three memory regions allocated:
i a code region containing the compiled code,
ii the stack, where all stack frames are stored and,
iii the heap.
For each local memory frame the stack stores the content of its C0 counterpart and
additionally a frame header. The latter stores the address of the result variable and the
return address of the function call in the code. The start address of the code is denoted
by code base whereas the heap starts at address heap base. Several general purpose
registers keep track of addresses pointing to
• the stack start (i. e., sbase sasm = to nat32 (sasm.gprs ! 28)),
• the current top element of the heap (i. e., toph sasm = to nat32 (sasm.gprs ! 29))
26
2.4 Compiler Correctness
hm
toplm c
.
.
.
lm 0
gm
Figure 2.3: C0 memory layout
code
code base
stack start
gpr[28]
top frame
gpr[30]
heap base
heap top
gpr[29]
max address
co
de
si
ze
st
ac
k
si
ze
he
ap
si
ze
global variables
frame header
stack frame 0
.
.
.
frame header
sframe (rec depth - 1)
free stack
used heap
free heap
Figure 2.4: Memory layout of the
Compiled Program
and,
• the topmost stack frame (i. e., toplm base sasm = to nat32 (sasm.gprs ! 30)).
All parameters of the last function call that created the topmost stack frame are stored
relatively to address toplm base. Leinenbach gives a more detailed description of the
memory layout in his thesis [Lei08, Chapter 7.2].
Next, we present the simulation relation:
Definition 2.1 (C0 Simulation Relation). The simulation relation consistent states that
a VAMP assembly state sasm encodes a C0 state sC0. The relation is parametrized over
an allocation function alloc, which maps all variables and heap objects in the C0 state
to their allocated address in the main memory of the assembly state. For a C0 program
with the type-name table tt and the function table ft, the relation consistent tt ft sC0
alloc sasm correlates
• the currently remaining program sC0.prog to the value of the program counters in
the assembly state sasm (called control consistency),
• the code of the C0 program, which is computed from the type-name table tt, the
function table ft, and the global symbol table3 (gm st sC0.mem), to the corre-
sponding memory region in sasm (code consistency), and
3Note that—though constant during the program execution—the symbol table of the global memory
is extracted from the current C0 state’s memory component sC0.mem.
27
2 Background
• the values of variables and heap objects in the C0 state sC0 to their corresponding
memory values in sasm (data consistency).
The formal specification of the simulation relation is a conjunction of three predicates
for control, code, and data consistency. We present only the code-consistency predicate:
code consistent tt ft sC0 sasm ≡
let code = codegen program tt ft (gm st sC0.mem)
in ∀i<|code|.
decodable (sasm.mm (program base + i)) ∧
to instr (sasm.mm (program base + i)) = code ! i
with the compiled program codegen program tt ft (gm st sC0.mem), the predicate de-
codable determining whether an integer can be interpreted as an instruction, and the
conversion function to instr realizing this interpretation. The constant program base is
a compiler parameter permitting a variable displacement of the program code in the
memory. This displacement is used in the kernel implementation to provide space for
some low-level functionality of CVM. For user programs, the displacement is not needed
and hence set to 0.
Certainly, we need an initial assembly state for a C0 program. For the support of
various use cases, the compiler-correctness theorem does not construct a particular initial
state but rather formulates the necessary requirements on an assembly state to serve as
an initial state for a specific C0 program.
Definition 2.2 (Initial Assembly States for a C0 Program). For a given C0 program
(tt, ft, gst), each corresponding initial assembly state sasm is well-formed, its program
counters point to the beginning of the code, the assembly state is code consistent with
the corresponding initial C0 state (denoted by init C0 ft gst), and the memory containing
the global variables is zero-initialized.
The formal requirements are collected in the predicate is initial asm tt ft gst sasm:
is initial asm tt ft gst sasm ≡
is valid asm sasm ∧ sasm.dpc = 4 · program base ∧ sasm.pcp = sasm.dpc + 4 ∧
code consistent tt ft (init C0 ft gst) sasm ∧
(∀i∈gm range tt ft gst. sasm.mm i = 0)
Recall that certain executions in the assembly semantics are not legal, e. g., if an
instruction accesses memory beyond the available size. Compiler correctness is even
more demanding with respect to the accessible memory: It distinguishes read-only code
regions in the memory from writable data regions in order to prevent self-modifying
code. The non-optimizing compiler furthermore maintains that the assembly machine
is not in a delay slot between two compiled C0 statements4, i. e., we require sasm.pcp =
4Recall that the Vamp features a delayed-branch mechanism, i. e., a branch instruction is executed
after the next instruction has been decoded (see [MP00]). When a C0 statement has been completely
executed, the assembly machine should certainly not be about to execute a previously seen branch.
28
2.4 Compiler Correctness
sasm.dpc + 4. Finally, we assume a well-formed assembly state, i. e., is valid asm sasm
(see page 18).
A few auxiliary predicates help to formally specify whether a compiled C0 program
is successfully executed on the VAMP assembly level: The predicate mem write inside
range holds iff the current instruction writes into a specified memory range, the predi-
cate is exception holds iff an exception is generated during the execution of the current
instruction, and finally, inside range (l, h) i is defined as l ≤ i ∧ i < h.
Definition 2.3 (Successful Execution of Assembly Code). We call a computation of the
VAMP assembly machine from a state sasm in n steps to s ′asm a successful execution with
respect to a code range crange and an address range arange iff
• the memory contents in crange has not been overwritten,
• all instructions are only fetched from crange,
• all accessed memory addresses are in arange
(encapsulated in mem access inside range),
• no exceptions are generated, and
• all executed instructions are legal (denoted by is legal instr).
Formally, the successful execution of assembly code is defined as
(crange, arange)`asm sasm →n s ′asm ≡
dnasm sasm = s
′
asm ∧ is valid asm s ′asm ∧ s ′asm.pcp = s ′asm.dpc + 4 ∧
(∀m<n. ¬ mem write inside range (dmasm sasm) crange ∧
inside range crange (dmasm sasm).dpc ∧
mem access inside range (dmasm sasm) arange ∧
¬ is exception (dmasm sasm) ∧
is legal instr (dmasm sasm) (current instr (d
m
asm sasm)))
Note that the successful execution of assembly code depends on two implicit assump-
tions: The initial assembly configuration sasm needs to be well-formed, and the program
counters must not start in a delay slot. These two conditions are invariant under a
successful execution. For a particular C0 program (tt, ft, gst), the corresponding code
range is computed with the function code range tt gst ft. The address range, in con-
trast, is not statically fixed. In practice, it is determined by a maximal memory address
max address, which results in the user mode from the value of the page-table length
register (see Section 2.2). The function address range converts this address into the cor-
responding range, which starts with the program-base address. The formal definition of
all auxiliary predicates can be found in earlier publications [AHL+09, Lei08].
Compiler correctness relies on several preconditions.
First, the considered C0 program has to be compilable, which comprises well-formed-
ness constraints on the type-name table tt, the function table ft, and the global symbol
table gst as well as a definition for the function main and static resource restrictions.
The latter require, for instance, that the generated code fits into the memory of the
target machine and that the jump distances for conditionals, loops, and function calls
are not too large (in such a way that they fit into the immediate constants of the Vamp
assembly instructions). We collect all static requirements on a C0 program (tt, ft, gst)
29
2 Background
including its well-formedness and the definedness of main in the predicate is compilable
tt ft gst.
Second, the required memory of C0 states sC0 change dynamically during the execution
of a C0 program, e. g., with the recursion depth or by the allocation of heap variables.
Predicate sufficient memory max address tt ft sC0 checks for these dynamic resource
restrictions, assuming that max address denotes the maximal memory address and does
not exceed the value 232.
Third, the compiler-correctness theorem does not hold if inlined assembly code is
executed. The predicate is Asm determines, whether a given C0 statement is an assembly
statement. We denote the first statement of the remaining program in a C0 state sC0 by
fst stmt sC0.prog.
Fourth, compiler correctness requires the absence of runtime errors like the access of
an uninitialized variable. In case of a runtime error, the transition function dC0 of the
C0 small-step semantics remains undefined, i. e., it evaluates to ⊥.
Finally, we can state the compiler-correctness theorem:
Theorem 2.1 (Compiler Correctness). We assume that (tt, ft, gst) describes a compi-
lable C0 program, there are no runtime errors during the execution of n steps, there is
sufficient memory in each execution step, the execution does not involve inlined assembly
statements, and sasm denotes an initial assembly state for (tt, ft, gst).
In this case, there exists a step number t, an allocation function alloc ′, and a final
assembly state s ′asm in such a way that
• the assembly machine successfully advances in t steps from sasm to s ′asm,
• the final C0 state s ′C0 simulates s ′asm under the allocation function alloc ′, and
• no special-purpose registers have been changed.
Formally:
[[is compilable tt ft gst;
dnC0 tt ft (init C0 ft gst) = bs ′C0c;
∀i≤n. sufficient memory max address tt ft ddiC0 tt ft (init C0 ft gst)e;
max address ≤ 232;
∀i<n. ¬ is Asm (fst stmt ddiC0 tt ft (init C0 ft gst)e.prog);
is initial asm tt ft gst sasm]]
=⇒ ∃t alloc ′ s ′asm.
(code range tt gst ft, address range max address)`asm sasm →t s ′asm ∧
consistent tt ft s ′C0 alloc ′ s ′asm ∧ s ′asm.sprs = sasm.sprs
Proof. Leinenbach [Lei08] has shown this theorem by induction on the step number n.
The induction start establishes the simulation relation between a successor of the initial
assembly state sasm and the initial C0 state init C0 ft gst. Note that simulation does
not hold between the initial states. On the assembly level, some initialization code must
be successfully executed to set up the machine accordingly. Furthermore, the values of
the special-purpose registers have to be preserved by the initialization code.
The induction step claims that under a C0 transition, the code for the current C0
statement is successfully executed, the special-purpose registers remain unchanged, and
30
2.4 Compiler Correctness
the simulation relation is preserved under a C0 transition. The proof for this claim
involves a second induction over C0 statements.
The proof has been formalized in Isabelle/HOL and is available from the public Verisoft
Repository 5.
Note that this correctness theorem explicitly requires to start with the initial state.
Thus, we cannot use the theorem for an execution of C0 statements after an inlined
assembly statement has been executed. For this purpose, we employ the stronger lemma
of the induction step for the proof of the above theorem. For the induction step, the
definition of valid C0 programs presented in [Lei08] does not suffice. Furthermore, the
compiler requires some additional assumptions about the execution environment. Be-
sides valid C0 states, the definition valid C0 includes a relation between the number of
returns in the program rest and the recursion depth of the C0 state. Moreover, translat-
able programs formalizes static resource restrictions demanding that the generated code
fits into the memory of the target machine. The extension of the validity predicate for
C0 states that are compiled to Vamp assembly is proposed in [AHL+09]. The stronger
definition of valid C0 states is given below:
valid C0 tt ft sC0 ≡
sC0 ∈ valid C0confs tt ft ∧
(nr toplevel returns (s2l sC0.prog) + 1) = recursion depth sC0.mem ∧
(tt, ft, gm st sC0.mem) ∈ translatable programs
Now, we present the stronger lemma of the induction step:
Lemma 2.2 (Compiler-Correctness Induction Step). We assume that sC0 is a well-
formed C0 state and sasm is a well-formed assembly state when the program counters
do not start in a delay slot. Moreover, the simulation relation holds for sC0 and sasm
under an allocation function alloc. Additionally, a C0 transition is legal (i. e., there is
no runtime error and the remaining program does not start with inlined assembly) and
there is sufficient memory before and after the transition.
In this case, there exists a step number t, an allocation function alloc ′, and an as-
sembly state s ′asm so that
• the assembly machine successfully advances in t steps from sasm to s ′asm,
• the final C0 state s ′C0 simulates s ′asm under the allocation function alloc ′, and
• no special-purpose registers have been changed.
Formally:
[[valid C0 tt ft sC0; is valid asm sasm; sasm.pcp = sasm.dpc + 4;
consistent tt ft sC0 alloc sasm; dC0 tt ft sC0 = bs ′C0c;
¬ is Asm (fst stmt sC0.prog); sufficient memory max address tt ft sC0;
sufficient memory max address tt ft s ′C0; max address ≤ 232]]
=⇒ ∃t alloc ′ s ′asm.
(code range tt (gm st sC0.mem) ft,
5http://www.verisoft.de/VerisoftRepository.html
31
2 Background
address range max address)`asm sasm →t s ′asm ∧
consistent tt ft s ′C0 alloc ′ s ′asm ∧ s ′asm.sprs = sasm.sprs
2.5 Switching the Layers - Inlined Assembly Code
In this section, we describe in detail how to deal with inline assembly code within a
C0 program. The semantics of C0 with portions of inline assembly cannot be solely
described with C0 states. In fact, we have to switch between two semantical layers. For
this purpose, Gargano et al. [GHLP05] proposed an approach to deal with code using
C0 statements and portions of inline assembly. This approach requires to maintain
the compiler consistency relation after the execution of each single instruction in the
inlined assembly portion. The method turned out to be inconvenient because it lead to
excessive complex formal proofs. Therefore, the earlier approach was improved and used
by Starostin & Tsyban [ST08]. Here, we present their technique and the definitions we
will use later on.
Figure 2.5 depicts a szenario where a C0 program with inlined assembly code is ex-
ecuted. As long as no inline assembly code occurs, we apply C0 small-step semantics.
Otherwise, the execution is switched to a consistent assembly state and continues di-
rectly there. In our example the assembly statement Asm il sid is encountered in the C0
state siC0. Then, we switch to a consistent assembly state s
s(i)
asm. The switching is justified
by compiler correctness that relates states of both semantic layers by function consistent.
Next, we execute the instruction list il according to the assembly semantics. After the
list of assembly instructions has been executed, we switch back to the C0 level. Thus,
function C0 asm upd constructs a C0 state si+1C0 that is consistent to the final assembly
state ss(i)+tasm . Hereinafter, we describe how to construct a consistent new C0 state out of
the new and old assembly states and the old C0 state.
asm ss(i−1)asm s
s(i)
asm s
s(i)+t
asm
C0 si−1C0 s
i
C0 s
i+1
C0
dasm
+ Asm il sid
dC0
C
0
as
m
u
p
d
co
n
si
st
en
t
co
n
si
st
en
t
Figure 2.5: C0A semantics with Inline Assembly Code
A new C0 state s ′C0 might possibly be affected by the assembly instructions. There-
fore, we define a function C0 asm upd that computes a new C0 state with an updated
memory out of an old C0 state sC0, the old and new assembly states sasm and s ′asm
respectively. Furthermore, this function takes an allocation function alloc that relates
32
2.5 Switching the Layers - Inlined Assembly Code
C0 and assembly states and a list of elementary g-variables gl comprising all possibly
altered memory objects. We start to explain how the new C0 memory is constructed
from the new assembly state s ′asm.
First, we show how to construct an elementary C0 memory cell from a given type t and
an integer value z. The function elem memcell construction returns a typed C0 memory
cell (e. g., memcellChar if the type is a character) when the given type is elementary and
the integer value has a meaningful interpretation (e. g., value 2 is not meaningful if the
type is Boolean). Otherwise, the function returns ⊥. Formally:
elem memcell construction t z ≡
if t = Boolean ∧ z = 0 then bmemcellBool Falsec
elsif t = Boolean ∧ z = 1 then bmemcellBool Truec
elsif t = Integer then bmemcellInt zc
elsif t = UnsgndT then bmemcellUnsigned (to nat32 z)c
elsif t = CharT ∧ −27 ≤ z ∧ z < 27 then bmemcellChar zc
elsif (∃tn. t = Ptr tn) ∧ z = 0 then bmemcellPtr NullPointerc else ⊥
Tsyban [Tsy09, Def. 8.3] defines a function C0 mem asm update gvar that updates
a C0 memory state sC0.pstate.mem at the address of an elementary g-variable g . This
definition is the centerpiece of the C0 state construction because here the link between
the updated assembler memory and the corresponding affected C0 memory object is
established. Therefore, the function takes the allocation function alloc together with the
type table tt, a g-variable g and the modified assembly state s ′asm. First, the function
extracts the type of the given g-variable g (recall function addrof gvar in Section 2.3).
Then, it computes the integer value that is stored in the memory of the assembly state
af the allocated address of g (i. e., s ′asm.mm (fst (alloc g) div 4)). When a C0 memcell
construction with these values fails, C0 mem asm update gvar returns ⊥. Otherwise,
the function updates an elementary memory object denoted by the g-variable g with an
initialized data slice. The value of the data slice is exactly the converted integer value
that was stored in the memory of s ′asm. The definition of C0 mem asm update gvar is
given below:
C0 mem asm update gvar tt m s ′asm alloc g ≡
let tn = (addrof gvar tt (extract symbolconf m) g).ad tn
in let⊥ f = elem memcell construction tn (s ′asm.mm (fst (alloc g) div 4))
in mem update tt m g
(|ds lval = g , ds type = tn, intermediate = False, ds initialized = True,
ds data = λi . if i = 0 then f else default|)
Finally, function C0 mem asm upd is inductively defined over a list gl of all modified
elementary g-variables. If this list is empty, the function simply returns an unchanged
memory. Otherwise, it returns a new C0 memory state by updating all g-variables of
the list gl sequentially with function C0 mem asm update gvar.
For a successful C0-state construction, however, a successful memory construction does
not suffice. Moreover, several restrictions have to be fulfilled to guarantee that execution
33
2 Background
of inlined assembly instructions does not destroy the C0 state. We briefly present these
requirements below:
• The new assembly machine s ′asm has finished the execution of the instruction list
i. e.,
pcs exec value correct sC0 sasm s
′
asm =
(s ′asm.dpc = sasm.dpc + 4 · |il| ∧ s ′asm.pcp = s ′asm.dpc + 4)
• The code region of the compiled C0 program has not been modified:
code region const tt pt sC0 sasm s
′
asm =
(∀ad . program base ≤ ad ∧
ad < program base + |codegen program tt pt (gm st sC0.mem)| −→
s ′asm.mm ad = sasm.mm ad)
• The registers pointing to the stack start, the topmost stack frame and the next
heap element to allocate remain unchanged:
reg pointers const sasm s
′
asm ≡
sbase s ′asm = sbase sasm ∧
toplm base s ′asm = toplm base sasm ∧ toph s ′asm = toph sasm
• All g-variables of list gl that have to be updated have to fulfill several requirements:
– they are either global, heap or local variables of the top most stack frame:
given gvars not not top local sC0.mem gl ≡
∀x∈set gl.
is global gvar x ∨ is top local gvar sC0.mem x ∨ is heap gvar x
– they are either root g-variables or initialized:
given gvars initialized or root sC0.mem gl ≡
∀x∈set gl. gvar initialized sC0.mem x ∨ is root gvar x
– the type of the referenced data is elementary:
given gvars elementary tt sc gl ≡ ∀x∈set gl. elementary gvar tt sc x
– all g-variables are reachable:
given gvars reachable tt sC0.mem gl ≡
∀x∈set gl. x ∈ reachable gvars tt sC0.mem
• Only variables given in gl are manipulated after the execution of the assembly code.
In other words the stack and heap memory remains unchanged if the allocated
address does not belong to a variable in list gl:
only given variables changed tt pt sC0.mem sasm s
′
asm alloc gl ≡
∀ad . compute sbase tt pt (gm st sC0.mem) ≤ ad ∧
ad < heap base + asize heap sC0.mem.hm.st ∧
ad div 4 /∈ set (map (λx . fst (alloc x) div 4) gl) −→
s ′asm.mm (ad div 4) = sasm.mm (ad div 4)
Note that all these constraints have to hold in the final assembly state s ′asm, during
the assembly execution they might not be fulfilled. We collect all requirements into
predicate preconds C0 asm upd.
Finally, we present the C0-state-constuction function C0 asm upd that we improved
for convenience and adapted to our purposes. It takes the old C0 state sC0, the assembly
state before and after the execution of the inline assembly portion (i. e., sasm and s ′asm),
an allocation function alloc and a list of changed elementary g-variables gl. If predicate
34
2.6 Interrupts
preconds C0 asm upd does not hold or the construction of the C0 memory does not
succeed, the construction of a corresponding C0 state fails and the function returns an
empty state ⊥. Otherwise, the memory is updated successfully and the first statement
from the program rest is removed with function remove fst stmt. Note that the new
states in both language layers are consistent by construction.
Definition 2.4 (Construction of a Consistent C0 State). We construct a new C0 state
from an old C0 state sC0, an old and a new assembly state sasm and s ′asm, an allocation
function alloc and a list of changed g-variables gl by applying function C0 asm upd.
Formally:
C0 asm upd sC0 sasm s
′
asm alloc gl ≡
let⊥ m ′ = C0 mem asm upd sC0.ttab sC0.pstate.mem s ′asm alloc gl
in if preconds C0 asm upd sC0 sasm s
′
asm alloc gl
then bsC0(|pstate := (|mem = m ′, prog = remove fst stmt sC0.pstate.prog|)|)c
else ⊥
The definition from above slightly differs from the original one proposed in [Tsy09,
Def. 8.4]. In Section 6.1 we use this function for process states which are modelled as
monolithic C0 states. Therefore, we adapted the construction function C0 asm upd to
monolithic C0 states. Second, the definitions differ in the manipulation of the program
rest. The former definition substituted the first statement with a Skip which had to be
removed by a following C0 small-step transition. This transition always succeeds and its
successor state is still consistent to the new assembly state s ′asm. Hence, we simplified
the treatment of the program rest by directly removing the first statement.
2.6 Interrupts
This section reports briefly about interrupts and their definition in Isabelle/HOL. Mu¨ller &
Paul give a more detailed description about interrupts in [MP00, Chapter 5].
Program computations may be disturbed by incoming event signals called interrupts.
The activation of an interrupt should result in a procedure called exception handler that
takes care of the problem signalled by the occuring interrupt.
Interrupts may be classified according to the following criteria:
• internal or external interrupts, depending on the interrupt source
• maskability
• the type (abort, repeat or continue)
We distinguish two sources of interrupts: The currently executed program might inter-
nally generate an interrupt to signal some error conditions. These exceptions occuring
at runtime are i. e., illegal instruction, misalignment or overflow. Interrupts can also
be used to switch control from a user program to the kernel. Therefore, the assembly
language supports a special instruction called trap which serves as a system call for user
applications to request a service of the operating system kernel.
External interrupts are generated by hardware peripherals to trigger the activation of
the corresponding device driver. In the automotive subproject, external interrupts are
35
2 Background
j name description maskable external type
0 reset reset no yes abort
1 ill illegal instruction no no abort
2 mal misalignment no no abort
3 pff page fault on fetch no no repeat
4 pfls page fault on load/ store no no repeat
5 trap trap instruction no no continue
6 ovf integer overflow yes no continue
13..31 eev[j] external interrupts yes yes continue
Table 2.3: Interrupts
i. e., a reset signal or timer events.
Interrupts are called maskable when they can be ignored under software control.
Therefore, a special mask register stores a bitvector that decides whether an interrupt
will be ignored or not.
The interrupt type specifies how to proceed after an interrupt has occured. Either
the program execution is aborted, the same instruction is repeated when the program
execution is resumed or the next instruction is executed after the interrupt handling.
The Vamp architecture provides interrupts numbered by indices 0 ≤ j ≤ 31 which
are depicted in Table 2.3. The indices also specify priorities of the interrupts. Small
indices correspond to higher priorities which means that in case of simultaneously active
interrupts the one with the higher priority is handled whereas all the others are ignored.
The information of occurred interrupts are stored in two registers: the exception cause
register and the exception data register. The former one stores a bitvector which indicates
the occurred interrupts, the latter one contains additional data which is written from
some interrupts i. e., traps. The kernel gets this information by two variables encoding
the register content to unsigend 32-bit integer.
Further on, we consider interrupts on the Cvm level and introduce all necessary pre-
liminaries. For a detailed explanation of Cvm state components or device states we refer
to Section 2.8, Section 2.7.
We assume that the actual user process running on the processor is given as an assem-
bly program sasm. Then, the following predicates hold when an internal interrupt occurs
during the program execution: there might be illegal instructions is illegal instr sasm,
misalignments is misaligned pc sasm ∨ is misaligned data sasm, page faults on fetch is
outranged pc sasm or load/store is outranged data sasm, traps is trap sasm and overflows
is overflow sasm.
We subsume all internal events that are generated from a user process sasm into a
bitvector, where the i-th bit is set when the corresponding interrupt occurred (see Table
2.3). The conversion from a predicate into a bit value is realized with function bool2bit.
The bitvector storing internal interrupts, is formally defined as:
iev sasm ≡
36
2.6 Interrupts
[bool2bit (is overflow sasm), bool2bit (is trap sasm),
bool2bit (is outranged data sasm), bool2bit (is outranged pc sasm),
bool2bit (is misaligned pc sasm ∨ is misaligned data sasm),
bool2bit (is illegal instr sasm)]
Furthermore, there are several devices that might generate interrupts. All devices
are summarized into state sdev which stores device identifiers together with their state.
When the device with identifier j generates an interrupt, the j-th bit of the vector will
be set. The function computing the bitvector for all external interrupts is given below:
eev sdev
We mentioned before that interrupts can be ignored under software control. Therefore,
a special purpose register called status register stores an interrupt mask. Each bit of this
mask defines whether the corresponding event signal is disabled 0 or enabled 1. Note
that the bit values for unmaskable interrupts (i. e., illegal instruction, misalignment, page
faults and the trap instruction) are always 1. A masked bitvector is then defined by the
bitwise conjunction of the mask and the interrupt vector. This operation with a given
mask mask is encapsulated in function mca iev sasm mask for internal and in function
mca eev sdev mask for external events.
For the computation of an overall masked cause bitvector, we neglected the circum-
stance that not only user processes but also the kernel can be executed on the processor.
Therefore, this function uses an optional state sasm which distinguishes whether a user
process is currently running (bprocc) or the kernel computes (⊥). Then, the masked
cause bitvector of all interrupts is a concatenation of several subvectors. We start with
the external masked bitvector mca eev which can be accessed by indices greater then
13. All interrupts with indices 7 ≤ j ≤ 12 are masked out. The next six values of the
bitvector encode the internal interrupts. When the kernel computes no internal interrupt
can occur, therefore we simply append a list of six 0. Otherwise, a user process executes
and we use the masked bitvector of internal events. Finally, we do not expect a reset
signal during normal execution, hence the rightmost value of the vector is disabled 0.
We get the entire masked cause bitvector by applying function mca bv on an optional
current process state sasm, the entire device state sdev and the mask mask. Formally:
mca bv sasm sdev mask ≡
mca eev sdev mask }
replicate 6 0 }
(case sasm of ⊥ ⇒ replicate 6 0 | bprocc ⇒ mca iev proc mask) } [0]
When the kernel is entered, it gets information of the exception cause register and the
exception data register in form of unsigend 32-bit integer values. We finally present both
conversion functions.
The bitvector stored in the exception cause register is converted to an unsigend 32-bit
integer by using function bv to nat. We encapsulate this conversion into function mca
nat:
mca nat sasm sdev mask ≡ bv to nat (mca bv sasm sdev mask)
37
2 Background
The second function edata nat computes the content of an exception data register
which is written additionally from some interrupts i. e., traps. It is only used, when
the currently executed user process sasm causes an internal interrupt. In case of a mis-
alignment or page fault on fetch, the function returns the delayed pc of the user process
sasm. The predicate is load store distinguishes load and store instructions from other
Vamp operations. When the current instruction is a legal load or store operation, the
function returns the effective address. When the user process calls the kernel with the
trap instruction, the kernel gets the immediate constant of the call i. e., the trap number
(current instr sasm = trap n =⇒ imm arg (current instr sasm) = n). Otherwise, function
edata nat returns value 0. Formally:
edata nat sasm ≡
if is misaligned pc sasm ∨ is outranged pc sasm then sasm.dpc
elsif ¬ is illegal instr sasm ∧ is load store (current instr sasm) then ea sasm
elsif is trap sasm then to nat32 (imm arg (current instr sasm)) else 0
2.7 Devices
The Verisoft project aims at the pervasive formal verification of entire computer systems
employing input/output devices for storage, communication and user interaction. At
the hardware level, these devices are integrated as memory-mapped devices that may
generate interrupts but do not use direct-memory access. The device drivers which
control the devices are included in the operating system or in a user application. There
is a device framework which provides a common device model in order to simplify the
integration for individual devices into the model stack independent from the specification
layer [AH08]. In this section, we briefly introduce the framework for device models and
present devices that are used in the automotive subproject.
2.7.1 Device Automata
In the Verisoft project, a number of different devices are considered, such as: a hard disk
hd, a network interface card nic, a serial interface uart, a simple timer timer and a bus
interface called automotive bus controller abc. We denote any of these devices with x ∈
{hd, abc, nic, uart, timer} and use a predicate is conf x that holds when a device state
is of type x.
A device may interact with a processor on the one hand and an external environment
on the other hand, as depicted in Figure 2.6 on the next page. The device model
is pseudo-parallel in that sense, that it performs either an internal transition with a
processor input or an external transition with an input from the external environment
exclusively.
More precisely, an internal memory interface supports the interaction with the proces-
sor. The processor may request a read or write access to the device with an input mifi.
The device performs an internal transition dmx on the current device state sx and returns
a successor device state s ′x together with additional outputs to the processor and to the
38
2.7 Devices
Device
P
ro
ce
ss
or
E
xt
E
nv
.
mifi
mifo
eifi
eifo
Figure 2.6: Devices
external environment.
A memory interface input mifi consists of four components:
1. a read flag mifi rd
2. a write flag mifi wr
3. a port address mifi a of type portT
4. a word-size data input mifi din
The read and write flag are assumed to be mutually exclusive, i. e.,
¬ (mifi.mifi rd ∧ mifi.mifi wr). A memory interface output mifo is a word-sized data
output that is returned when the processor has a read access on the device. We define
the idle memory interface input as mifi⊥. and the idle memory interface output mifo⊥,
respectively. Additionally, the processor can access the device system to read out an
interrupt vector of currently active interrupts.
Each device type internally specifies its own internal transition function. The internal
transition function of a device of type x is given below:
dmx mifi sx = (s
′
x, mifo, eifo)
A device function that performs multiple steps on a device state of type x over a list
of given processor inputs is defined recursively:
dm∗x (mifi  mifis) sx =
(let (s ′, mifo, eifo) = dmx mifi sx;
(s ′′, mifos, eifos) = dm∗x mifis s ′
in (s ′′, mifo  mifos, eifo  eifos))
The communication with the external environment, however, takes the current device
state sx and an external input eifi. The external device transition function returns
the successor state s ′x and an output eifo to the external environment. The memory
interface is shared by all device types in contrast to the type specific in- and outputs
of the external interface (eifi,eifo). We denote an idle external interface input with eifi
x⊥ and an idle external interface output with eifo x⊥. The external device transition is
specific for each device type x:
dex eifi sx = (s
′
x, eifo)
In the following, we use dm∗devs and d
e
devs when we speak in general about devices. These
functions operate as mediators over lists of inputs and call, depending on the state type,
the corresponding underlying internal and external transition functions.
39
2 Background
From the view of the operating system devices can be accessed and manipulated by
communicating via its ports, whereas the internal data structure of the device remains
hidden. The maximal number of word-sized ports is bounded by PORT COUNT ≡
210. All meaningful ports addresses are defined by the datatype portT ≡ {0..<PORT
COUNT} and fulfill the validity predicate valid port.
The upper bound of usable devices is limited by DEV COUNT ≡ 8. In order to
distinguish between them, we use device identifiers within the datatype devnumT ≡
{1..DEV COUNT}. All meaningful device identifiers fulfill predicate valid devid. In the
implementation, the smallest device identifier starts from DEVICE FIRST ≡ 13. Hence,
the interrupt of a device with identifier n can be derived from the n-th element of the
entire bitvector. The device identifiers of the implementation are converted to abstract
numbers with nat2dev. This function subtracts DEVICE FIRST − 1 in order to obtain
a meaningful abstract device identifier in the correct range.
The upper-layer computational models integrate several of different devices and should
be able to interact with a number of devices with varying types. Therefore, we use a
device vector sdev that keeps device numbers together with their state device states.
Recall that we used this state already in section Section 2.6. Furthermore, the external
state component used for XCalls (recall Section 2.1) includes this vector to embed a
number of devices. From a given device identifier and a list of external interface outputs
function create eifo list computes a list of pairs which tags a list of external interface
outputs with the given device identifier.
In the automotive subproject, we consider two different devices: The first one is a hard
disk with a boot region. It is only used during initialization to load an OS image from
the boot region to the memory of an application. After this phase, we neglect the hard
disk in all further considerations. Hence, we only present parts of the hard disk model
that are necessary in the course of this work. A more detailed description of the entire
specified hardware model can be found in Alkassar & Hillebrand [AH08].
The device number of the hard disk in the implementation is DEVICE HD1 ≡ 14
and after conversion it is denoted with SWAP DID. The hard disk state consists of the
disk size in sectors shd.S, the disk content shd.sm, a sector buffer shd.buf, a sector buffer
pointer shd.bp, and further components that are not important in the course of this work.
A predicate is validconf hd encapsulates all validity constraints for the hard disk i. e.,
the range of the disk size, the lengths of the disk content and the sector buffer and an
upper bound for the buffer pointer. The disk content is called valid when all values are
32-bit-naturals:
is valid disk content shd ≡ ∀i<|shd.hd sm|. asm nat (shd.hd sm ! i)
The second device used in our distributed system is of more importance. The automo-
tive bus controller ABC is responsible for the communication between different system
components. In the implementation, its identifier is given as a natural number ABC ID
≡ 13. The abstract device identifier is defined with ABC DID (certainly, nat2dev ABC
ID = ABC DID holds). We present a more detailed description of the ABC-device model
in Section 4.1.
40
2.8 CVM: A Programming Framework for Operating Systems
2.8 CVM: A Programming Framework for Operating Systems
Our operating system (OS) is implemented on the verified RISC processor Vamp [BJK+06]
using a programming framework called communicating virtual machines (Cvm) [IT08].
This framework encapsulates the necessary hardware-specific low-level functionality for
operating systems built on the Vamp. It provides basic mechanisms for address trans-
lation and processor virtualization as well as the communication with memory-mapped
devices. Technically, Cvm constitutes the central interrupt-service routine of the OS,
which is executed whenever an interrupt occurs in the system. The interrupt-service
routine saves the hardware-specific context. Then, it handles possibly occurred page
faults and otherwise, passes control on to the higher layers of the OS. The higher soft-
ware layers may control the low-level mechanisms by so-called primitives. This software
architecture permits the implementation of an operating system almost independently
from hardware in C0 without assembly.
Cvm constitutes a computational model where several user machines are interacting
with a kernel. It is parametrized with a so-called abstract kernel which allows to com-
pute independently from a particular kernel representation. The Verisoft project uses
two different abstract kernels: a general purpose microkernel Vamos and our real-time
operating system Olos. Abstract kernels can be linked to the Cvm framework on source
code level in order to obtain a concrete kernel.
In the next subsections, we present the Cvm state and transition and itemize Cvm
primitives that are used in Olos.
2.8.1 CVM State
In this subsection, we briefly summarize the formal definition of Cvm states.
States of the Cvm model scvm comprise the following components:
• an abstract kernel state cvm kernel,
• virtual user processes cvm up, and
• a device component cvm dev
The abstract kernel is modelled in Cvm as an abstract monolithic C0 state with typed
memory as we introduced in Section 2.3. The function table of the C0 machine requires
entries of all used Cvm primitives and a top-level function called kdispatch must be
defined. Moreover, this function handles all interrupts which are passed on from Cvm.
In Cvm, user processes are modelled as Vamp assembly machines (recall Section 2.2)
with virtual memory. The number of processes running on Cvm is fixed by the constant
PID MAX ≡ 128. Identifiers of the user processes are defined by the datatype procnumT
≡ {1..<PID MAX}. Natural numbers are converted to process identifiers with function
nat2pid and pid2nat converts vice versa. Accordingly, cvm up has a component userpro-
cesses providing a mapping between process identifiers pid and Vamp assembly states.
Moreover, a component scvm.cvm up.currentp distinguishes between kernel computation
⊥ and bpidc denoting the execution of the user process pid. In the implementation,
however, process identifier 0 is reserved for kernel computation. Furthermore, cvm up
has a component statusreg that holds the interrupt mask in terms of a 32-bit natural
41
2 Background
number. The mask determines which interrupts are enabled. In the following, we write
sups when we only consider the state of component cvm up.
Finally, the state has a device component that stores a device vector as described in
Section 2.7.
After power-up init cvmup defines the initial state of component cvm up:
init cvmup ≡
(|userprocesses =
λpid . if pid2nat pid = 0 then default else init process (pid2nat pid),
currentp = ⊥, statusreg = 8254|)
The user processes are initialized with function init process, where the program counters,
the memory, the general purpose registers and almost all special purpose registers are
set to 0. Exceptional cases are the mode register, the status register, and the registers
holding the page table origin and the page table length. Tsyban [Tsy09, Definition 5.5]
describes the initialization of user processes in more detail. Component currentp is set
to ⊥ and statusreg stores the interrupt mask given with 8254. This value encodes the
bitvector [1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0] which masks out all interrupts except for
the illegal, misalignment, page faults, trap, and external interrupt of the ABC device.
Valid User Processes. In this thesis, we rely on the fact that initial virtual machines
fulfill validity requirements that are preserved after each transition step. Formally, pred-
icate is valid cvmup encapsulates these conditions:
is valid cvmup scvm ≡
∀i . is valid asm (scvm.userprocesses i) ∧
−1 ≤ (scvm.userprocesses i).sprs ! PTL < to int32 TVM MAXPAGES ∧
(scvm.userprocesses i).sprs ! MODE 6= 0
Each virtual machine is represented as valid assembler machine satisfying is valid asm
and running in user mode. Additionally, each virtual machine has either no allocated
memory i. e., its number of pages is −1 or the number of pages is less than a fixed upper
bound TVM MAXPAGES.
2.8.2 CVM Transitions
A Cvm transition dcvm takes a Cvm state scvm and an external device input eifi as
parameters, computing the successor state s ′cvm or an empty state ⊥ in case of an
occurring runtime error. Additionally, it might return an optional output to the external
environment.
Depending on the input parameters, we distinguish between three different possibili-
ties:
1. eifi 6= ⊥: the device performs a step
2. eifi = ⊥ ∧ scvm.cvm up.currentp = ⊥: the kernel is computing
3. Otherwise, the current process is executed
42
2.8 CVM: A Programming Framework for Operating Systems
The Cvm model is semi-parallel since either devices, the kernel or one of the user
processes make progress in their execution. When the external device input eifi is not
empty the device performs an external step dedevs that only modifies the specified device
state and generates an external output. If there is no external input (i. e., eifi = ⊥)
and the current process identifier is set to ⊥, the kernel is computing. Summarized
there are three cases, when the kernel performs a step. In the situation that there
is no user process in the system to be resumed, the kernel simply waits for incoming
interrupts to be restarted. The second case handles a switch from kernel execution
to start the computation of the next scheduled user process or to wait for incoming
interrupts (defined in the first case). Finally, the kernel step models transitions of the
abstract kernel that is either a C0 step or an execution of a Cvm primitive (primitives
will be explained in more detail in Section 2.8.3). When a current process performs
a step there might be three possibilities: User steps without an interrupt are simply
executed by applying the Vamp assembly transition function dasm. When an interrupt
occurs during a user process step, Cvm invokes the abstract kernel in order to handle this
problem. The way of proceeding depends on the kind of interrupt. In case of a runtime
error i. e., the user execution is aborted, the virtual machine of the current process
remains unchanged. In case of external interrupts, trap instructions or overflows, the
current process is allowed to take a step according to dasm. As long as no runtime error
occurs i. e., user step progress holds, the user process progresses in its execution. The
updated currently scheduled user process after a user step ist determined by function
userprocesses step:
userprocesses step sups.userprocesses pid ≡
if user step progress (sups.userprocesses pid)
then sups.userprocesses(pid := dasm (sups.userprocesses pid))
else sups.userprocesses
2.8.3 CVM Primitives
Besides ordinary C0 functions, the abstract kernel requires mechanisms to access and
manipulate data structures that are not visible to the C0 variables of the kernel i. e.,
registers or the memory of user processes. Therefore, Cvm provides special functions,
so-called Cvm primitives which can access and manipulate states of user processes and
devices. Primitives are functions with portions of inline-assembly code realizing basic
operations that constitute functionality of the kernel.
These operations cover e. g.,
• enabling and disabling interrupts
• exchange data between processes itself or processes and I/O-devices
• allocation and deallocation of memory
Figure 2.7 on the following page shows all Cvm primitives used in the Olos imple-
mentation. The kernel uses primitives above the double line to interact with a user
process whereas the functions below access or manipulate a device. The kernel uses sev-
eral primitives (denoted with ∗) to exchange messages. Cvm provides several primitives
that permit copy operations of arbitrarily typed C0 values between the kernel and user
43
2 Background
processes or devices. C0 does not support a generic programming concept like C++
templates. Hence, we use C preprocessing macros [Ame99] to specify generic patterns
for individually typed copy functions. In particular, the actual C0 program code and the
implementation of the copy primitives are linked together on the source-code level. Thus,
the programmer can specify via macros within the C0 program code, for which concrete
types the C0 program requires the generic primitive functionality. The C preprocessor
then expands the macros from the pattern to a particular function implementation. In
the Olos implementation messages are of type t kmsg thus, we define macros to use
typed copy primitives 6.
The following macro e. g., expands to the definitions of the functions cvm physIOInRange
t kmsg and cvm physIOOutRange t kmsg providing I/O operations on port ranges for
kernel variables:
DEFINE CVM PHYS IO RANGE(t kmsg)
The preprocessor expands the macros to typed functions that copy data between the
kernel and a specified device. The function parameters are the device identifier dev
id, the port address port and a message given by a dereferenced pointer *ptr. The
signature of function cvm physIOInRange t kmsg e. g., is given by:
int cvm_physIOInRange_t_kmsg
(unsigned int dev_id, unsigned int port,t_kmsg *ptr)
We refer the interested reader to the preprocessed C0 code of typed Cvm primitives
in A.1.7.
Cvm primitive description
cvm reset initializes process
cvm alloc allocates additional memory
cvm load os loads an process image from the boot region
cvm get gpr reads gpr of a process
cvm set gpr writes gpr of a process
cvm v2pcopy∗ copies from virtual to physical memory
cvm p2vcopy∗ copies from physical to virtual memory
cvm physIOInRange∗ executes I/O operations from port ranges to OS variables
cvm physIOOutRange∗ executes I/O operations from OS variables to port ranges
cvm out word writes data to port of device
Figure 2.7: Cvm primitves
The specification of the Cvm primitives in C0 small-step semantics is hierarchically
structured. Functions on lower layers specify the effects of primitives on subcomponents
6Note that Olos maintains the compiled code of C0 applications. Thus, the C0 message type of the
applications differs from the message type of the kernel (see also Section 3.4.1).
44
2.8 CVM: A Programming Framework for Operating Systems
of states in higher layers. Hence, the primitive functions on upper layers are defined
by reusing the results of their corresponding function on a lower layer. Thus, this
framework provides suitable functions describing primitive effects on states at different
levels of abstractions.
Figure 2.8 gives an overview on the components that are affected by the Cvm prim-
itives. The operating system uses primitives listed above the double line to interact
with a single virtual machine or primitives to interact with a device presented below the
double line. The return values of functions on the lowest layer are depicted in the third
column of this tabular. Functions that access a virtual machine either return the read
data (d or dl) or the manipulated user process state. Primitives communicating with
a device internally call device transition functions and return an updated device vector
together with outputs to the memory ml and external interface el. However, we often
regard the entire user-process component sups or return a special output type from the
device. Functions exec <primitivename> on the second layer embed the functions of the
lowest layer and operate either on the user-process component or on the entire device
vector. The fourth column presents the return values of these functions. Functions that
interact with a user process either pass the read value or embed the result of the lowest
layer into the user-process component. Cvm primitives for device communication use
the result value from the underlying functions to create a tagged output list elt to the ex-
ternal environment that is returned together with the device vector. These functions can
be related to extended states in the Hoare logic (we will use these functions in Section
5.1.1 to define Simpl functions for Cvm primitives). For each primitive there are several
conditions to guarantee a successful computation. These requirements are summarized
into precondition predicates pre <primitivename>. The validity predicates for process
and device identifiers, ports and register numbers hold when the given number has a
meaningful interpretation i. e., valid pid pid ≡ pid ∈ procnumT.
cvm <pn> exec cvm<pn> execprim cvm<pn>
pn result result kernel ext out
s a
sm
Reset sasm sups 0 scvm.cvm up [ ]
Alloc sasm sups 0 scvm.cvm up [ ]
LoadOS sasm sups 0 scvm.cvm up [ ]
GetGPR d d d x [ ]
SetGPR sasm sups 0 scvm.cvm up [ ]
V2Pcopy dl dl (dl, 0) x [ ]
P2Vcopy sasm sups 0 scvm.cvm up [ ]
s d
ev
OutWord (sdev, ml, el) (sdev, elt) 0 scvm.cvm dev elt
PhysIOOutRange (sdev, ml, el) (sdev, elt) 0 scvm.cvm dev elt
PhysIOInRange (sdev, ml, el) (sdev, ml, elt) (ml, 0) scvm.cvm dev elt
Figure 2.8: Affected components of Cvm primitives
Finally, functions execprim <primitivename> on the uppest layer specify the function-
45
2 Background
ality of Cvm primitive execution on Cvm states. These definitions are directly used by
the Cvm transition function dcvm (cf. Section 2.8.2). These functions are partial i. e.,
they return ⊥ if the corresponding preconditions of the called primitive do not hold.
Otherwise, they return an updated successor state s ′cvm together with an output to the
external environment. Effects of functions on the uppest layer are depicted in the last
three columns of Figure 2.8 on the preceding page. Column kernel presents the values
that are stored in the kernel. Reading primitives store the read data together with the
result variable of the called primitive. A successful executed primitive always returns
0 to the kernel, the only exception is function execprim cvmGetGPR that updates the
return variable of the primitive with the read data d. Column ext shows which external
components have to be updated in the new Cvm state: This is either the user-process
component, the device component or none of them. These updates take over results of
the corresponding exec <primitivename> functions. Finally, the last column depicts the
output to the external environment. Primitives interacting with a user process return
an empty output list whereas device communicating primitives return a list of tagged
outputs elt.
According to Figure 2.8 on the previous page we classify Cvm primitives into func-
tions that only read data, manipulate the external state or both. The only primitive
that returns read data to the kernel and additionally may change the external state is
execprim cvmPhysIOInRange. This is the case because the transition functions are indi-
vidual for each device type. So there could be read accesses that internally change the
device state. The ABC state, however, remains unchanged when its buffers are read.
In the following paragraphs, we briefly introduce all precondition predicates and the
effects of Cvm primitives on the lowest layer that are used in Olos. On the next layer,
we only present one exec <primitivename> function for the different cases exemplarily
since the remaining functions resemble the examples. In the course of this thesis, we
use definitions of the exec <primitivename> functions. Thus, we only present one Cvm
primitive on the uppest layer exemplarily and refer to a more detailed definition in
[Tsy09, Chapter 5.3].
Initialization of User Processes. Olos uses three Cvm primitives in order to initialize
its user processes. The user process component is updated after their execution with a
new value of a given virtual machine.
The primitive cvm Reset initializes a single user process.
The sole precondition of predicate pre cvmReset is the constraint of a valid process
identifier:
pre cvmReset pid ≡ valid pid pid
The effects of function cvm Reset initializing a user process sasm are the following:
• The program counters are set to their initial values,
• the special purpose register PTL holding the page table length is initialized with
−1 i. e., the user process occupies no memory
• the special purpose register MODE storing the mode is set to 1 i. e., to user mode
46
2.8 CVM: A Programming Framework for Operating Systems
• all other registers are set initially to 0
Formally:
cvm Reset sasm ≡
sasm(|dpc := 0, pcp := 4, gprs := map (λx . 0) sasm.gprs,
sprs := map (λx . 0) sasm.sprs[PTL := −1, MODE := 1]|)
Function exec cvmReset embeds the effects of primitive cvm Reset into the user pro-
cess component. The virtual machine specified by its process identifier is updated with
the primitive result. Formally:
exec cvmReset sups pid ≡
sups
(|userprocesses := sups.userprocesses
(nat2pid pid := cvm Reset (sups.userprocesses (nat2pid pid)))|)
We present function execprim cvmReset on the uppest layer to give a notion how
the kernel component of a Cvm state scvm is modified after a primitive execution. If
the precondition pre cvmReset is satisfied the user processes component is modified by
exec cvmReset. Furthermore, function set primres (recall Section 2.3) updates the result
variable of the kernel with integer value Intg 0 to signal a successful primitive execution
and rm scall removes the first statement of the program rest. The output to the external
environment is an empty list [ ]. If the precondition of the primitive is not fulfilled the
function returns ⊥. The definition of function execprim cvmReset is given below:
execprim cvmReset scvm pid =
if pre cvmReset pid
then b(scvm
(|cvm kernel := scvm.cvm kernel
(|pstate := (|mem = dset primres (Intg 0) scvm.cvm kernele,
prog = rm scall scvm.cvm kernel.pstate.prog|)|),
cvm up := exec cvmReset scvm.cvm up pid|),
[ ])c
else ⊥
Note that the C0 small-step specifications of the other primitives are quite similar
and depend on the particular Cvm primitive. They vary in the modified subcomponent,
the output list to the external environment and an additional manipulation of kernel
variables. We do not present the other functions here, since we do not use them in the
course of this thesis.
Primitive cvm Alloc extends the virtual memory of a user process by a given number
of pages. The precondition predicate pre cvmAlloc encapsulates the constraint that
the process identifier has a meaningful interpretation. Moreover, the sum of all user-
process sizes (already allocated number of pages) and the number of pages pages that
is supposed to be allocated do not exceed the maximal number of available user pages
TVM MAXPAGES. Formally:
47
2 Background
pre cvmAlloc sups pid pages ≡
valid pid pid ∧
(
∑
i∈procnumT. mm size (sups.userprocesses (nat2pid i))) + pages
≤ TVM MAXPAGES
The effects of function cvm Alloc are described below:
• The number of pages pages is added to the current value of the page table length
which is stored in special purpose register PTL and,
• the given number of pages pages are allocated and set to 0 at the end of the
memory of the virtual machine.
Formally:
cvm Alloc sasm pages ≡
sasm
(|sprs := sasm.sprs[PTL := sasm.sprs ! PTL + to int32 pages],
mm := λi . if i < to nat32 (sasm.sprs ! PTL + 1) · (PAGE SIZE div 4) ∨
(to nat32 (sasm.sprs ! PTL + 1) + pages) ·
(PAGE SIZE div 4)
≤ i
then sasm.mm i
else 0|)
Finally, Olos uses primitive cvm LoadOS. This function loads an image of the op-
erating system from the boot region of the hard disk to the virtual memory of a user
process sasm.
For a successful execution we require the validity of the process identifier and that the
total amount of pages pages fits into the virtual memory of the specified user process.
The latter condition is encapsulated in predicate address in mem:
address in mem sups pid ad ≡
ad < to nat32 ((sups.userprocesses (nat2pid pid)).sprs ! PTL + 1) · PAGE SIZE
Furthermore, the device identifier did should correlate to the swap disk, the disk
content has to be valid and the entire image should be fit into the hard disks memory.
All these conditions are encapsulated in predicate pre cvmLoadOS:
pre cvmLoadOS sups sdev pages pid did start page ≡
valid pid pid ∧
address in mem sups pid (pages · PAGE SIZE − 1) ∧
nat2dev did = SWAP DID ∧
is conf HD (sdev SWAP DID) ∧
is valid disk content (sdev SWAP DID) ∧
(start page + pages) · PAGE SIZE ≤ |(sdev SWAP DID).hd sm|
The effects of the Cvm primitive cvm LoadOS are the following: We get the image by
extracting a number of pages pages starting from page start page. This list is copied to
the memory of the virtual machine sasm. Formally:
48
2.8 CVM: A Programming Framework for Operating Systems
cvm LoadOS sasm sdev pages did start page ≡
let img = extr (start page · PAGE SIZE) (pages · PAGE SIZE)
(sdev (nat2dev did)).hd sm
in sasm(|mm := λi . if |img | ≤ i then sasm.mm i else to int32 (img ! i)|)
cvm Alloc and cvm LoadOS solely modify a user process, therefore their functions on
the user-process component are similar to exec cvmReset.
Accessing User Processes. Cvm provides two primitives to read or write a register of
a user process. The preconditions of the predicates for register access are equal. The
requirements for writing to a register (pre cvmSetGPR) and reading from a register (pre
cvmGetGPR) include the validity of the process and the register identifier:
valid pid pid ∧ valid regnum r.
Then, writing a value val into a specified register r is defined as
cvm SetGPR sasm r val ≡ sasm(|gprs := sasm.gprs[r := to int32 val]|)
whereas, reading from a register r is denoted with:
cvm GetGPR sasm r ≡ to nat32 (sasm.gprs ! r)
Cvm primitive cvm GetGPR only accesses the virtual machine and returns a value to
the operating system. Hence, function exec cvmGetGPR returns the value after calling
cvm GetGPR with the specified user process:
exec cvmGetGPR sups pid r ≡ cvm GetGPR (sups.userprocesses (nat2pid pid)) r
Furthermore, Cvm supports two primitives to provide copy operations between kernel
variables located in the physical memory and the virtual memory of user processes. The
requirements for this copy primitives are equal and demand for the validity of the user
process identifier. Furthermore, the data should fit into the allocated memory region of
the user process. This can be ensured when the last address (sa + (len − 1)) of data
with length len lies within the allocated memory area. Then, due to monotonicity all
smaller addresses lie within this range and the entire data fits into the memory. The
predicates for reading from a user process pre cvmV2Pcopy and writing to a user process
pre cvmP2Vcopy encapsulate these constraints.
Formally: valid pid pid ∧ address in mem sups pid (sa + (len − 1))
Reading data with length len from the virtual memory of a user process sasm starting
at address sa is defined as:
cvm V2Pcopy sasm sa len ≡ map sasm.mm [sa div 4..<sa div 4 + len]
Writing a datalist dl from the physical to the virtual memory of a specified user process
sasm starting at address sa is denoted as:
49
2 Background
cvm P2Vcopy sasm sa dl ≡
sasm
(|mm := λi . if i < sa div 4 ∨ sa div 4 + |dl| ≤ i then sasm.mm i
else dl ! (i − sa div 4)|)
Function exec cvmV2Pcopy resembles exec cvmGetGPR since it only accesses the user
process, whereas exec cvmP2Vcopy manipulates the user process and therefore is similar
to cvm Reset.
Device Communication. For the device communication Olos uses three primitives:
one function cvm OutWord to write a single word to a device port and two typed prim-
itives to exchange data consisting of several words: cvm PhysIOInRange and cvm Phys-
IOOutRange.
The precondition pre cvmOutWord that ensures to write a single word successfully
contains the validity of the device identifier did and the port address port.
pre cvmOutWord did port ≡ valid devid did ∧ valid port port
Function cvm OutWord writes a single word data to port port of the device with
identifier did. Internally, the function executes a device transition dm∗devs on a device
state. The memory interface input signals a write request to port port with data data.
Finally, we embed the updated device state into the device vector and return the outputs
additionally to the memory and the external interface. Formally:
cvm OutWord sdev did port data ≡
let (st, mifo, eifo) =
dm∗devs [(|mifi rd = False, mifi wr = True, mifi a = port, mifi din = data|)]
(sdev (nat2dev did))
in (sdev(nat2dev did := st), mifo, eifo)
The embedding function exec cvmOutWord returns the device state after calling prim-
itive cvm OutWord on the one hand and a created list of external outputs on the other
hand.
exec cvmOutWord sdev did port data ≡
let (devs ′, devout, eifos) = cvm OutWord sdev did port data
in (devs ′, create eifo list (nat2dev did) eifos)
Primitives exchanging larger data with a device cvm PhysIOInRange and cvm Phys-
IOOutRange encapsulate word-wise reading and writing starting from port port. Besides
the validity of the device identifier did, the predicate to exchange data of length len
demands for validity of the last port address port + len. Then, due to monotonicity all
former port addresses are valid as well. The data exchanging preconditions for devices
are defined as:
pre cvmPhysIORange did port len ≡ valid devid did ∧ valid port (port + len)
50
2.8 CVM: A Programming Framework for Operating Systems
Both device communication primitives internally call function dm∗devs which performs
several transitions on a device, depending on the data length len. The transition function
is called with a read or write request from the processor. Finally, the device vector is
updated with the final state of the recursive function and the corresponding outputs to
the memory and the external interface are returned.
The primitive cvm PhysIOInRange reading from a device calls the transition function
dm∗devs with a memory interface input list that signals read requests for the next len ports
starting from port address port. The read data is given back to the operating system
as a list of memory interface outputs. Thus, reading data of length len from the device
with identifier did starting at port port is formally given with:
cvm PhysIOInRange sdev did port len ≡
let (st, mifos, eifos) =
dm∗devs (map (λport. (|mifi rd = True, mifi wr = False, mifi a = port,
mifi din = default|))
[port..<port + len])
(sdev (nat2dev did))
in (sdev(nat2dev did := st), mifos, eifos)
Function exec cvmPhysIOInRange returns the state and creates a tagged list of external
interface outputs. Furthermore, the read data from the device is converted from a list
of natural numbers to a list of integer values.
exec cvmPhysIOInRange sdev did port len ≡
let (devs ′, mifos, eifos) = cvm PhysIOInRange sdev did port len
in (devs ′, create eifo list (nat2dev did) eifos, map to int32 mifos)
Similarily, writing a datalist dl from the kernel to a device specified by its identifier did
starting at port port calls function dm∗devs. Here, the memory interface input list signals
write requests and delivers the data in |dl| words to the successing ports. Cvm primitive
cvm PhysIOOutRange returns the updated device vector together with the output lists
to the memory and the external environment. Formally:
cvm PhysIOOutRange sdev did port dl ≡
let (st, mifos, eifos) =
dm∗devs (map (λ(p, d). (|mifi rd = False, mifi wr = True, mifi a = p, mifi din = d |))
(zip [port..<port + |dl|] dl))
(sdev (nat2dev did))
in (sdev(nat2dev did := st), mifos, eifos)
Function exec cvmPhysIOOutRange resembles function exec cvmOutWord with the dif-
ference that it calls primitive cvm PhysIOOutRange.
So far, we have introduced all functions and preconditions that are necessary to manip-
ulate the user process or the device component. Until now, we cannot define the effects
of Cvm primitives in Simpl because we do not know the program state of the Olos
implementation yet. Therefore, we postpone the specification of the Cvm primitives in
Simpl to Section 5.1.1.
51
2 Background
2.9 The Verification Environment Isabelle/Simpl for C0
For the verification of C0, a fragment of C, we use a general program-verification frame-
work for sequential imperative programming languages: Isabelle/Simpl [Sch05, Sch06].
It is built as a conservative extension on top of Isabelle/HOL. The key feature of Is-
abelle/Simpl we use is the notion of a total correctness Hoare-triple: G `t P c Q. This
judgment claims that in procedure environment G , given an initial state for which the
precondition P holds, execution of statement c terminates and for the final state the
postcondition Q holds. The assertions P and Q are formalized as sets of states. A pro-
gram state represents memory and heap content mapped to the variables at some point
of the program execution. We can generate the state representation from the program
source code with a tool called c0 check, which was developed in the Verisoft project.
The state space of a program is represented as a record, where every variable is a field.
For common language constructs a concrete syntax hides the state-record. Whenever a
record field of the state is referred to, we set the acute prefix ´ in front of the variable
name i. e., ´var refers to field var in the record.
C0 variable Simpl variable
bool Sendflag sendflag :: bool
unsigned int csn csn :: nat
int result result :: int
unsigned int AST[NS] AST :: nat list
Figure 2.9: Simpl representation of basic types
Figure 2.9 depicts some C0 variables of basic types and their representation in Simpl.
Our program models use pointers that do not support address arithmetic. In Simpl they
are not typed and presented as an abstract type ref. The null pointer is defined as Null.
Complex types in C0 i. e., structures or arrays of fundamental types are represented as
a number of Simpl variables where each of them has a basic type.
In order to manipulate pointers to objects the verification environment includes a model
of a program heap. The heap model, that is actually used in the verification environment,
is the adapted split heap approach that goes back to Burstall [Bur72] and was successfully
applied by Bornat [Bor00], Metha and Nipkow [MN05]. The heap presentation then
uses functions that map variables of type ref to objects located on the heap. The main
advantage of this heap model is that it excludes overlapping between different fields of
structures by construction.
As an example for pointers and memory objects, we show the definition of message
buffers and messages in the Olos implementation. There we consider a message type
that consists of a list of MSGLENGTH integer values. Then, message buffers are represented
as a list of MSGCOUNT pointers referencing the addresses where the messages are located.
typedef int t_kmsg[MSGLENGTH];
typedef t_kmsg *p_kmsg;
52
2.9 The Verification Environment Isabelle/Simpl for C0
p_kmsg MB[MSGCOUNT];
The generated Simpl representation of this piece of C0 code returns a heap function that
refers to messages located on the heap and a list of pointers:
heap msg:: ref ⇒ int list
MB :: ref list
MB 0 1 .. m
heap msg msg1 msgm ... msg0heap
function
Figure 2.10: Messages on the heap
Accessing a memory object e. g., a message located in buffer ´MB ! ´n is denoted with
´MB !´n→´heap msg. Figure 2.10 depicts how messages are accessed via their message
pointers on the heap.
Expressions in Simpl are HOL expressions. Statements, in contrast, are represented
by a datatype, which we present in pseudo-code notation employing Isabelle’s powerful
syntax-translation machinery. In contrast to expressions, statements are represented by
an abstract datatype. The statement syntax is highly abstract, e. g., Basic f represents
a state update using function f . In order to present programs in conventional terms, we
employ Isabelle’s powerful syntax translation machinery and denote
• a program variable by ´var,
• an assignment by ´res nat :=g 3,
• a conditional by IFg b THEN s1 ELSE s2 FI,
• a procedure call by ´var := CALLg square(7),
• a field initialization of new memory object by
´MB ! ´n :=g NEW [´ heap msg := replicate MSGLENGTH 0] etc.
The index g is used to instruct the parser to generate guards that protect against
runtime faults like overflows.
The procedure environment G is a partial function from procedure names to state-
ments. These statements constitute the procedure body and are defined by the Isabelle/
Simpl command procedures. The following command, for instance, defines the proce-
dure square:
procedures square(var | res nat) =
´res nat :=g ´var · ´var
It has one formal parameter called var and the result to return to the calling function is
held in variable res nat, i. e., the bar separates input and output parameters.
Calling the functionality of the procedure, we write ´res nat :== PROC square(´ var)
as shorthand for the code of procedure square:
G ` {|sv. svvar = x|} ´res nat :== PROC square(´ var) {|t. tres nat = x|}
53
2 Background
states that procedure square assigns the value of its argument to the return variable.
Procedure names of generated functions from a given C0 program always have the prefix
fun , in such a way that the generated Simpl procedure of e. g., C0 function cvm reset
is named fun cvm reset. The brackets {|...|} contain a HOL-expression and allow the ´
notation. Furthermore, {|sv. ...|} is a shorthand to fix the current state {s. sv = s ...}, svvar
abbreviates sv.var and refers to the value of variable var at fixed state sv.
2.9.1 Dealing with Inline Assembly in Isabelle/Simpl
In the context of C0 program verification we often have to deal with inline assembly code.
Recall that these low-level computations can be encapsulated in XCalls (see Section 2.1)
modifying an external state. It is not necessary to introduce a new Hoare rule into Simpl
to handle XCalls. We rather express the semantics of an XCall by a single, guarded Basic
command. A guard resembles possible preconditions to guarantee a successful execution
of the following command. We write {| precondition |} 7−→ in front of a command to
ensure that the command is only executed when the precondition (i. e., the boolean
expression inside the brackets) is fulfilled. The definitions of some primitives require
updates on several variables. A syntax extension allows to perform multiple assignments
enclosed in BASIC and END, separated by commata. Finally, we can introduce bound
variables in Simpl via customized let expressions. LET a IN b differs from the ”regular”
let-expressions by allowing to directly refer to program variables.
We use a small example to demonstrate the characteristics in the use of the described
Simpl syntax: When we want to express the effects of the typed Cvm primitive cvm
v2p copy t kmsg we obtain the following signature of the corresponding Simpl function:
fun cvm v2pcopy t kmsg (pid, va, msg | msg, res int)
The input parameters of the function are the process identifier pid, a start address va
where the message is stored in the application and a variable msg containing a message
value that is replaced by the new message. Note that this function has two output
parameters: an updated message msg on the one hand and the result variable res int on
the other hand.
From Section 2.1 we know that a C0 state is extended with an additional component
representing external states. In our case, the external state is a user process compo-
nent ´up. Then, we can formalize the precondition pre cvmV2Pcopy of the primitive
and additionally require that the message length is fixed. The guard that ensures these
requirements is given below:
{| pre cvmV2Pcopy ´up ´pid (length ´msg) ´va ∧ length ´msg = MSGLENGTH |} 7−→
In order to describe the effects of the Cvm primitive cvm v2p copy t kmsg in Simpl,
we make use of the syntax described above. With the LET expression enclosed by BASIC
and END we simulataneously assign the read message (i. e., the result of function exec
cvmV2Pcopy) and the return variable 0 to the C0 program. Formally:
BASIC
LET (rval , msg) = (0, exec cvmV2Pcopy ´up ´pid ´va MSGLENGTH)
IN ´res int :== rval , ´msg :== msg
54
2.9 The Verification Environment Isabelle/Simpl for C0
END
If a program calls a procedure that updates more than one variable, we cannot use
the syntax for procedure calls where the result is assigned to a left variable. Procedures
with more than one modified variable are called with their input and output parameters.
In our example, fun cvm v2pcopy t kmsg is called with variable ´ca that stores a pro-
cess identifier, a variable ´msg ptr storing the start address in the applications memory
and the content of message buffer ´MB!(´ msg nr). Then, the function returns the new
message value in buffer ´MB!(´ msg nr) and updates the result variable ´dummy. This is
denoted with:
CALLg fun cvm v2pcopy t kmsg(´ ca,´ msg ptr,´ MB ! ´msg nr→´ heap msg,´ MB ! ´msg
nr→´ heap msg,´ dummy)
2.9.2 Code Verification in Isabelle/Simpl
In this subsection, we briefly describe the technique we use to prove implementation
correctness of Olos. Figure 2.11 depicts a comprehensive view on the verification target.
sv t
s s ′
fun Impl
dspec
ab
s
ab
s
Figure 2.11: Simulation proof
Roughly speaking we relate an implementation state sv to a corresponding abstract
state s via an abstraction function abs. On the concrete layer, the Simpl function
fun Impl encapsulates a number of implementation steps. Implementation correctness
holds when all possible transitions of fun Impl result into successor states t that can be
abstracted to corresponding states of the specification s ′ after a correlating transition
dspec in the abstract model.
This oversimplified goal can be reformulated in Isabelle/Simpl as follows:
G `t {sv. abs sv = s} PROC fun Impl() {t. abs t = dspec s}
The detailed correctness proof and its preliminaries are described more specifically in
Chapter 5.
Verifying a program that uses nested procedure calls requires to consider the hier-
archical program structure. We start with procedures on the lowest level that do not
contain any procedure call. For each procedure we specify a so called modifies clause
and a Hoare triple. The modifies clause only states all global state components (heap
55
2 Background
functions and global variables) that are changed during the procedure execution with-
out giving any information how they are updated. This circumstance is described in the
procedure specification given as Hoare triple.
The verification condition generator searches for each procedure call that has to be
verified whether a modifies clause can be found in the context. Its existence simplifies
a procedure call by considering only changed variables. For nested procedure calls the
VCG automatically uses specifications of already verified procedures.
56
3 OLOS Design and Implementation
Vision without implementation is hallucination.
Benjamin Franklin
Contents
3.1 ECU Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.2 Partitioning Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.3 OLOS Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.3.1 OLOS Variables and Data Structures . . . . . . . . . . . . . . . . . . . . 61
3.3.2 The Top-Level Function . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.3.3 System Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.3.4 Communicating with the Device . . . . . . . . . . . . . . . . . . . . . . . 67
3.3.5 Implementing System Calls - the Trap Handler . . . . . . . . . . . . . . . 68
3.4 The System Call Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.4.1 The Message Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
This chapter reports on the design principles of a single ECU (Section 3.1), presents the
underlying communication protocol (Section 3.2) and outlines the implementation of our
real-time operating system Olos in Section 3.3. Initially, Steffen Knapp provided some
code portions to illustrate his overall idea of the operating system. My contribution,
however, has been the first working version of OLOS as well as the later reimplementa-
tion, which forms the current code base. To Mark Hillebrand, I am indebted for a reliable
build- and testing environment as well as for many suggestions for code improvement.
The applications running on an ECU are written as C0 programs. The communication
between them and our operating system, however, requires portions of inline assembly
code. Hiding these code fragments into functions has several advantages: On the one
hand, every application simply calls these primitives in order to request services from
Olos, on the other hand, all of them can now be written in plain C0. In Section 3.4,
we introduce all necessary functions for the kernel communication that form the system
call library of Olos.
Finally, all ECUs communicate by exchanging messages. On the upper layers these
messages are written in C0, whereas the operating system and the devices work with
the compiled code. We dedicate a subsection Section 3.4.1 to the special message format
and introduce some useful definitions based on this type.
57
3 OLOS Design and Implementation
3.1 ECU Structure
applications
OLOS
MBs
ABC
SBs RBs
ECU
bus
Figure 3.1: ECU structure
The distributed system considered in the automotive subproject of Verisoft comprises
a number of components that are connected via a communication bus. These so-called
electronic control units (ECUs) (depicted in Figure 3.1) consist of a general-purpose
RISC processor and an automotive bus controller (ABC). The latter takes care of the
timely transmission and reception of messages. This device is responsible for clock
synchronization, thus decoupling the processor from the communication bus [KP07b].
In its mediator role, the ABC buffers the messages from both sides, using pairs of send
(SB) and receive buffers (RB). We use double buffers because the parallel access from bus
and processor to a single buffer would involve the risk of reading partially transmitted
messages. The concept of buffer pairs ensures that the processor reads only completely
transmitted messages.
Our operating system Olos runs on the processor, providing a virtual processor ab-
straction to the applications that share the same physical processor. Olos supports its
own message buffers (MB) for the communication between applications (on the same
as well as on different physical processors). Moreover, it includes functions in order to
initialize the system and realize the scheduling policy. The operating system separates
the applications from the bus and is responsible for the communication between these
layers. More precisely, it organizes the correct flow within a slot by controlling the bus
communication and scheduling the applications.
3.2 Partitioning Time
In our distributed system several ECUs share the same bus. A communication protocol
formally describes rules in order to guarantee a fair and failure-free message exchange.
The schedule of the transmission times on the bus is statically fixed and repeated per-
petually. A period, or round, is subdivided into equal time slices, the so-called slots.
58
3.2 Partitioning Time
For each slot, we designate which component has the permission to send on the bus
and determine a message buffer that reads a message from the device or sends its content
to it. Furthermore, we schedule one application per slot to be executed. We keep this
time organizing information within several scheduling tables. Each ECU features its own
set of these tables:
Send-permission Table SPT The send-permission table SPT specifies for each slot whether
the ECU is allowed to send on the bus.
Application Scheduling Table AST The application scheduling table AST determines
the computing application of the ECU for each slot.
Buffer-index Table BT The buffer-index table BT identifies in each slot which message
buffer of Olos is exchanged with the device. An entry of BT in one slot is always
related to the message that is broadcast on the bus in the same slot.
Table 3.1 shows an example of scheduling tables for two communicating ECUs. In this
example, each round consists of four slots. Every ECU features its own local scheduling
tables, hence we use the indices 1 and 2 to distinguish between the tables of both ECUs.
If we regard SPT1, we see that ECU 1 is permitted to send a message to the bus in slot
2. As BT1 determines, this message is stored in message buffer 3. Note that there is a
delay of one slot, i. e., if an application wants to send a message in slot 2, it must write it
at least one slot earlier into the according message buffer. For instance, application 1 is
scheduled in slot 0 and 1 (see AST1). It may write a message into buffer 3 to be sent in
slot 2. This value will be sent regardless of whether application 2 overwrites the buffer
in slot 2. In slot 3, all ECUs store the transmitted message into the buffer determined
by the entry of slot 2 in the corresponding BT. In particular, ECU 1 stores the message
in buffer 3 and ECU 2 in buffer 2.
ECU 1 ECU 2
slot 0 1 2 3 slot 0 1 2 3
SPT1 no no yes no SPT2 yes yes no yes
BT1 1 2 3 0 BT2 0 1 2 1
AST1 1 1 2 0 AST2 0 1 2 3
Table 3.1: Example scheduling tables
We divide each slot into four phases: device communication, receive, compute, and send.
Figure 3.2 on the next page depicts them for slot 2 according to the scheduling tables
given in Table 3.1. In each phase the involved ECU components are highlighted. Note
that in each phase either the ABC device (illustrated with light gray) or the currently
scheduled application (highlighted with dark gray) are involved.
Device Communication. In this phase, the ABC device is communicating with the
other ECUs via the bus. In our example, ECU 1 has the sending permission for this
59
3 OLOS Design and Implementation
ECU 1
Phase
apps
DevComm
MB
SB 1
SB 0
RB 1
RB 0
SPT1[2]bus
ECU 2 apps
MB
SB 1
SB 0
RB 1
RB 0
apps
Receive
MB
SB 1
SB 0
RB 1
RB 0
BT1[1]
apps
MB
SB 1
SB 0
RB 1
RB 0
BT2[1]
AST1[2]
Compute
MB
SB 1
SB 0
RB 1
RB 0
AST2[2]
MB
SB 1
SB 0
RB 1
RB 0
apps
Send
MB
SB 1
SB 0
RB 1
RB 0
apps
MB
SB 1
SB 0
RB 1
RB 0
BT2[3]
Figure 3.2: Transition phases during slot 2
slot. It broadcasts the message from the send buffer SB 0. All ECUs receive this message
from the bus. Note that this phase does not involve Olos.
Receive. The operating system reads the receive buffer RB 1 from the ABC device into
its own message buffers. Figure 3.2 shows how the operating system reads the message
that the device has received in the previous slot into the message buffer indicated by the
BT table from the previous slot.
Compute. The AST specifies the application that is executed during this phase of the
current slot. This application may compute locally or exchange messages with Olos.
Send. This phase is only present if the corresponding ECU is permitted to send in the
next slot – in our example, ECU 2. The operating system writes the message to be sent
in the next slot into the ABC’s send buffer SB 1.
Note that Olos either exchanges messages with an application or with the ABC device.
Recall that the ABC device has double buffers. When exchanging messages with the
operating system, implicitly the buffers facing the processor are concerned. For the
device communication, on the contrary, only the bus-facing buffers are involved. Note
that the operating system is not aware of the device-communication phase because the
bus-facing buffers are invisible for Olos.
The receive and send buffers are swapped after each slot in such a way that processor
60
3.3 OLOS Implementation
Slot 1
Phase Send
ECU1
MB
SB 0
SB 1
bus
ECU1
2
Device Communication
SB 1
SB 0
RB 1
RB 0
SPT1[2]
ECU2
RB 1
RB 0
Receive
3
ECU1
MB
RB 0
RB 1
ECU2
MB
RB 0
RB 1
BT1[2] BT1[2] BT2[2]
Figure 3.3: Message Transmission Delay
and bus access them alternately. In the implementation, the buffer access works with a
parity bit. When the current slot number is even, the send and receive buffer with index
0 are visible for the processor. Otherwise, the buffers with index 1 are accessed from
the processor. The buffer swapping is invisible for the operating system. Due to this
mechanism, the transmission of a message from one ECU’s message buffer to a second
ECU takes two slots. Figure 3.3 briefly sketches this situation neglecting all unused
components of the ECUs. In this sketch, we see that the path of a message from one
ECU’s message buffer into another one is determined by the sending-permission-table
entry SPT1[2] and the local BT entries BT1[2] and BT2[2]. Due to the transmission
delay, the operating system computes the previous or next slot number to obtain the
appropriate BT entry.
3.3 OLOS Implementation
3.3.1 OLOS Variables and Data Structures
In this section, we introduce the global variables and data structures that are used in
the Olos implementation. The foundation of our correctness proof is the Simpl state
and the functions that are generated from the C0 implementation code. Therefore, we
directly describe the implementation in Simpl and refer the interested reader to the C0
source code which is shown in Chapter A. Additionally, Table A.1 on page 198 presents
the C0 variables of the implementation side by side with the generated Simpl variables.
All applications running under Olos are known initially and their number is bounded
by PROCCOUNT. An additional array PAGEC of length PROCCOUNT + 1 keeps the
required memory size in pages for each application. The nth-array element corresponds
to the user process with the same process identifier and the first field is set to 0 since
process identifier 0 is reserved for the kernel. Olos initializes PAGEC with the application
sizes that are kept in PAGEC CONF.
61
3 OLOS Design and Implementation
Applications never communicate directly with each other or with the ABC device.
All messages are sent and received via the kernel that controls the message transfer.
Therefore, Olos provides a number of MSGCOUNT message buffers in order to store
messages coming either from an application or the ABC device. The buffers are modelled
as a pointer array MB to the kernel message type with a fixed length MSGLENGTH.
(recall, Section 2.9 for the Simpl representation of the message buffers).
The number of slots is fixed by SLOTCOUNT. Olos provides three tables of length
SLOTCOUNT that are responsible for the scheduling of a round: the application schedul-
ing table AST, the buffer index table BT and the sending permission table SPT. The
initial table configurations are stored in the constants AST CONF, BT CONF and SPT
CONF.
Furthermore, there are several internal variables implementing the functionality of
the communication protocol: First, variable csn keeps track of the current slotnumber.
Its predecessor and successor value is computed by subtraction and addition modulo
SLOTCOUNT i. e., (sv.csn + SLOTCOUNT − 1) mod SLOTCOUNT and (sv.csn + 1) mod
SLOTCOUNT. We abbreviate the computation of the predecessor and successor slot
number with two functions prev and next.
The main function of Olos is entered with two external variables: Variable eca stores
the masked exception cause as a natural number and the second variable edata keeps ad-
ditional exception data (recall Section 2.6). The value of eca signals external interrupts
i. e., (sv.eca ∧u 32) 6= 0 in case of a trap or (sv.eca ∧u 8192) 6= 0 when a pending interrupt
line of the ABC device was detected. Additionally to the variables eca and edata, we re-
quire information how the operating system should react to an incoming timer interrupt
(sv.eca ∧u 8192) 6= 0. Therefore, Olos features a Boolean variable sendflag in order to
distinguish a slot boundary (receive phase, sv.sendflag = False) from the start of a send
phase i. e., sv.sendflag = True.
The Olos main function returns a variable ca. Either it stores the identifier of the
application that will be resumed after returning from the kernel. It can be derived from
the current entry of the application scheduling table AST. Otherwise, ca holds the special
value IDLE which forces the system to wait for the next incoming timer interrupt.
entering Olos return from Olos
Variables eca edata sendflag sendflag ca
P
ha
se
Init reset * * False IDLE
Receive timer * False SPT [next csn] AST [csn]
Send timer * True False IDLE
Compute trap
> 0
SPT [next csn] SPT [next csn]
AST [csn]
0 IDLE
reset = ((eca ∧u 1) 6= 0) // bit 1 of interrupt vector is set
timer = ¬ reset ∧ ((eca ∧u 8192) 6= 0) // bit 13 of interrupt vector is set
trap = ¬ timer ∧ ((eca ∧u 32) 6= 0) // bit 5 of interrupt vector is set
Figure 3.4: Olos phases and variables
62
3.3 OLOS Implementation
The right columns of Table 3.4 on the facing page depicts the variable values of
eca, edata and sendflag when the main function of Olos is entered. These values are
sufficient to determine the actual phase. The left columns present the values of the
variables sendflag and ca after Olos returns from its computation. Depending on the
phase these values are set to certain values.
Recv Comp Send Recv
timer
sendflag
ca XX AST[csn] XXX IDLE
Figure 3.5: Timing diagram of Olos phases and variables
The timing diagram Figure 3.5 depicts the values of the timer interrupt bit together
with the variables sendflag and ca. In the szenario we regard the Olos variables within
an entire slot where the ECU is allowed to send. The receive phase starts with a set timer
interrupt bit and an unset sendflag variable. The value of ca is irrelevant. During this
phase the interrupt is cleared, variable sendflag is set (because the ECU has the sending
permission) and variable ca holds the identifier of the currently scheduled application.
Olos enters the send phase when the timer is raised again regardless of whether the
application terminated or not. In the send phase Olos sets variable sendflag to False,
variable ca to IDLE and clears the interrupt. Then, the next timer interrupt signals
to start a new slot. Note that timing diagrams only show a snapshot of the variables
behaviour in a certain situation.
Port Address Description
SEND PORT 0 Send buffer start
RECV PORT 256 Receive buffer start
CONFR PORT 512 Configuration register start
COMR PORT 767 Command register port
Command Description
SETRD COM Signals termination of the initialization
CLEARINT COM Clears ABC interrupt
Table 3.2: ABC I/O ports and commands
Finally, the operating system communicates with the ABC device which is accessed
63
3 OLOS Design and Implementation
by using its identifier ABC ID. Besides the send and receive buffers, the device features
several configuration registers. After power-up the kernel writes their intial values that
are stored in CB CONF into the registers. A detailed description of their content is given
in Table 4.1 on page 77. Olos communicates with the device using ports. These word-
sized I/O ports are mapped to the ABC’s send and receive buffers, the configuration
registers and a special command register. The latter is used from the processor to
manipulate the device state by sending special words to the command port. All ports
and the command codes used by Olos are summarized in Table 3.2 on the previous
page.
3.3.2 The Top-Level Function
Whenever an interrupt arrives the Cvm framework saves the old processor context and
passes control to the top-level function of Olos. This function called kdispatch ad-
ditionally gets two arguments: the interrupt cause, a natural number encoding the bit
vector of occured interrupts, and the exception data, which is the provided immediate
constant when a trap instruction is executed.
reset signal? olos init
ABC interrupt? handle int
trap exception? valid trap?
handle trap
retval ← ca
yes
no
yes
no
yes
no yes
no
Figure 3.6: The program-flow diagram of function kdispatch
Figure 3.6 shows the control-flow graph of this function after entering Olos from the
Cvm framework. The corresponding C0 implementation code is depicted in A.1.6. From
the interrupt cause, the function distinguishes three cases:
Initialization. After power-up, the processor generates a reset interrupt and the Cvm
framework sets up its internal data structures. Afterwards, it passes the interrupt on
to the kdispatch function. kdispatch directly calls the function olos init with a
set reset-interrupt bit and ignores the remaining interrupt vector. olos init initializes
64
3.3 OLOS Implementation
internal data structures of Olos and configures the ABC devices as described in the
next subsection.
ABC Interrupt. The ABC device raises its interrupt line when expecting data exchange
with the operating system. From Section 3.2 we know that Olos either receives a
message from the device (in the receive phase) or sends a message to a device buffer
(in the send phase). The communication with the ABC devices is encapsulated in the
function handle int.
Trap Exception. The current application may communicate with the operating system
during the compute phase via trap exceptions. This hardware mechanism is used to
request the transfer of messages between Olos and the applications. Furthermore,
an application signals its termination (for the current slot) by a trap exception. The
function handle trap implements the handling of the operating system in case of an
incoming trap.
Potential other interrupts are ignored. The current application might cause a number
of exceptions during its execution by, e. g., misaligned addresses or attempts to access
memory outside its dedicated address range. Such exceptions certainly should not occur
in a fully verified system but despite that, even a malicious application can only harm
those applications it exchanges messages with.
The function kdispatch returns the value of the global variable ca to Cvm. It either
holds the value of the AST table in the current slot determining the currently running
application or the special value IDLE. Upon return, the Cvm framework transfers control
to the corresponding application or waits for interrupts, respectively.
3.3.3 System Initialization
The initialization of Olos is encapsulated in function olos init and includes (a) the
initialization of internal data structures, (b) the initialization of all applications, (c) and
the configuration of the ABC device. This fact is demonstrated in the generated Simpl
function fun olos init of the implementation code Figure 3.7 on the next page (see A.1.5
for the C0 code of the function). fun olos init employs generated Simpl functions (cf.
Section 2.9) of all used Cvm primitives. Although, we have not defined these functions
in Simpl, we know the effects of their C0 function counterparts from Section 2.8.3.
Initialization of OLOS Data Structures. In this part, the scheduling tables and PAGEC
are initialized with the values of their corresponding configuration tables. The global
variables ca, csn and sendflag are set so that the first incoming timer interrupt starts the
receive phase of slot 0. The first loop creates new message buffers with zero-initialized
message values.
Setting-up Applications. A second loop prepares and loads all applications sequen-
tially. fun cvm reset configures the PCs and registers of each application. Then fun
65
3 OLOS Design and Implementation
procedures fun olos init( | res int) =
´AST :=g AST CONF;
´BT :=g BT CONF;
´SPT :=g SPT CONF;
´PAGEC :=g PAGEC CONF;
´csn :=g SLOTCOUNT − 1;
´ca :=g IDLE;
´sendflag :=g False;
(∗ Part I: Message−Buffer Initialization ∗)
´n :=g 0;
WHILEg ´n < MSGCOUNT
DO ´MB ! ´n :=g NEW [´ heap msg := replicate MSGLENGTH 0];
´n :=g ´n + 1
OD;
(∗ Part II: Application Initialization ∗)
´n :=g 1;
´next :=g 0;
WHILEg ´n ≤ PROCCOUNT
DO ´dummy := CALLg fun cvm reset(´ n);
´dummy := CALLg fun cvm alloc(´ n,´ PAGEC ! ´n);
´dummy := CALLg fun cvm load os(´ PAGEC ! ´n,´ n,´ next);
´next :=g ´next + ´PAGEC ! ´n;
´n :=g ´n + 1
OD;
(∗ Part III: Device Initialization ∗)
´conf buff :=g CB CONF;
´n :=g 0;
WHILEg ´n < SLOTCOUNT
DO´dummy := CALLg fun cvm out word(ABC ID,CONFR PORT +´n,´ conf buff !´n);
´n :=g ´n + 1
OD;
´dummy := CALLg fun cvm out word(ABC ID,COMR PORT,SETRD COM);
´res int :=g 0
Figure 3.7: Implementation of the initialization function
cvm alloc allocates the required application size in memory. Finally fun cvm load os
loads the application to the first address directly behind the already used memory.
66
3.3 OLOS Implementation
ABC Configuration. The last part of fun olos init initializes the ABC device. All
configuration data stored in array conf buff is written consecutively to the ABC’s con-
figuration registers starting at address CONFR PORT. This data include system-specific
information like the slot length in hardware cycles, the number of slots per round, the
size of a message in bytes or the sending permission table.
Finally, the set-ready signal SETRD COM is sent to the command port COMR PORT
of the ABC device ABC ID using Cvm primitive fun cvm out word. Thereby, we indi-
cate the termination of the initialization phase.
3.3.4 Communicating with the Device
The communication between the ABC device and the operating system takes place dur-
ing the receive or the send phase. The ABC signals the start of these phases by a raised
interrupt line. The handling of an incoming interrupt from the device is encapsulated in
the Olos function handle int. Figure 3.8 shows the corresponding Simpl function fun
handle int (the C0 code is depicted in A.1.3). The same as in the initialization function,
we use generated Simpl functions to express the effects of Cvm primitives. Although,
we have not specified the ABC device transition and the Cvm primitives in Simpl yet,
we know from Section 2.8.3 that the corresponding C0 functions cvm physIOInRange t
kmsg and cvm physIOOutRange t kmsg are used to exchange messages with a specified
device.
procedures fun handle int( | res int) =
IFg ´sendflag
THEN ´uresult :=g ´BT ! ((´ csn + 1) mod SLOTCOUNT);
´dummy := CALLg fun cvm physIOOutRange t kmsg(´ MB ! ´uresult→´ heap msg,
ABC ID,SEND PORT);
´ca :=g IDLE;
´sendflag :=g False
ELSE ´csn :=g (´ csn + 1) mod SLOTCOUNT;
´sendflag :=g ´SPT ! ((´ csn + 1) mod SLOTCOUNT);
´uresult :=g ´BT ! ((´ csn + SLOTCOUNT − 1) mod SLOTCOUNT);
CALLg fun cvm physIOInRange t kmsg(ABC ID,RECV PORT,
´MB ! ´uresult→´ heap msg,´ MB ! ´uresult→´ heap msg,´ dummy);
´ca :=g ´AST ! ´csn
FI;
´dummy := CALLg fun cvm out word(ABC ID,COMR PORT,
CLEARINT COM);
´res int :=g 0
Figure 3.8: Implementation of the device-interrupt handling
The function distinguishes both communication phases by the current value of the
variable sendflag.
67
3 OLOS Design and Implementation
In case that it is True, the ECU is permitted to send on the bus in the next slot.
Then, our operating system starts the send phase and transfers the designated message
to the send buffer of the device using the Cvm primitive fun cvm physIOOutRange t
kmsg (i. e., the function sends the message to port address SEND PORT of the ABC
device). Afterwards, Olos sets variable sv.ca = IDLE and lowers the sendflag so that
the system simply awaits the next incoming interrupt indicating the slot boundary. The
send phase is omitted when the ECU is not allowed to send in the next slot.
When Olos receives an incoming interrupt from the device and the send flag was not
set (False) it starts immediately the receive phase of a new slot. Therefore, it increases
the current slot number csn and sets the send flag sendflag to the new value according to
the entry of the sending permission table SPT. The operating system writes the message
from the ABC’s receive buffer into the designated message buffer using function fun
cvm physIOInRange t kmsg. Finally, it schedules the current application (according to
the AST entry) before the compute phase starts.
At the end of both device communication phases, Olos instructs the device with
primitive fun cvm out word to lower its interrupt flag before returning to Cvm.
3.3.5 Implementing System Calls - the Trap Handler
As sketched in Section 2.8, the trap instruction is the designated hardware mechanism
to request services from the operating system. We call these requests system calls. The
trap instruction features an immediate constant, which allows us to distinguish different
kinds of system calls. Furthermore, parameters of a system call are delivered via specified
registers and a designated result register 22 stores the return value of the system call.
Olos implements three system calls (shown in Table 3.3): The calls olosSendMsg and
olosRecvMsg are used for the message exchange between Olos and the applications.
Moreover, an application should signal with the call olosExFinished that it has reached
a synchronization point, thus finishing the computation intended for the current slot.
The application is resumed for further computation in a future slot. In a perfect system,
all applications finish on time and call olosExFinished. Our operating system, however,
works correctly even if this requirement is violated.
Olos system call trap description
olosExFinished() 0 termination signal for current slot
olosSendMsg (msgp, mn) 1 send message to Olos MB
olosRecvMsg (msgp, mn) 2 receive message from Olos MB
Table 3.3: OLOS system calls
If an application executes a trap instruction and the provided immediate constant
corresponds to one of the three system calls, the dispatcher calls the function handle
trap. The C0 code of the trap handler is presented in A.1.4. Figure 3.9 on the facing
page shows the control-flow diagram of this function.
The implementation of the olosExFinished call is simple: Olos sets its global variable
68
3.3 OLOS Implementation
olosExFinished call? ca← IDLE
msgp← cvm get gpr
mn← cvm get gpr
msgp valid? res← INV PTR
mn valid? res← INV ID
res←SUCCESS
Send call?
cvm v2pcopy t kmsg cvm p2vcopy t kmsg
cvm set gpr (. . . , res)
yes
no
no
yes
no
yes
yes no
Figure 3.9: The program-flow diagram of function handle trap
ca to the value IDLE and returns, which causes the processor to idle until an ABC
interrupt occurs. This interrupt marks the end of the computation phase.
The remaining two system calls take two parameters:
• a pointer msgp into the memory of the application indicating either the message
value (for the olosSendMsg call) or the designated memory that should accommo-
date the message (for the olosRecvMsg call), and
• a message number mn identifying the message buffer in Olos as source or desti-
nation of the message, respectively.
These parameters are held in registers. The implementation reads them using the Cvm
primitive cvm get gpr and checks their validity. This means in particular that msgp
contains a valid memory address and the complete message fits into the applications
memory or mn is a valid buffer identifier. If these checks fail, Olos simply stores an
error value in the result register 22 of the current application (using the Cvm primitive
cvm set gpr).
In the successful case, the message value is transferred either from Olos’s message
buffer into the memory of the application using the Cvm primitive cvm p2vcopy t kmsg
69
3 OLOS Design and Implementation
(for Send), or from the application into Olos using cvm v2pcopy t kmsg (for Receive).
Finally, the designated result register is set to the value SUCCESS.
3.4 The System Call Library
As we have learned in the last section, there are several applications running on each
ECU. Applications are usually written in C0 (recall Section 2.3). In order to request a
service from the operating system it uses the mechanism of system calls. Unfortunately,
this mechanism requires the support of inline assembly portions within C0 programs. We
encapsulate the invocation of the system calls with the trap instruction in a library of
C0 functions and hide thereby the portion of inline-assembly code. Possible parameters
of the function are passed via specified registers (r11 and r12) and register r22 stores
the result value after the execution of the trap instruction. Besides the fact that the
application code can now be written in plain C0, the functions can be reused from each
application. We call this library maintaining these functions system call library.
The implementation of the function olosExFinished is presented in Table 3.4. An
application uses this call to signal the termination of its execution. Hence, we neither
require function parameters nor a return value. Thus, we immediately return 0 after we
called Olos with the assembly instruction trap 0.
int olosExFinished()
{
asm { trap(0); };
return 0;
}
Table 3.4: C0-Code of
olosExFinished
int olosSendMsg (p_msg msgp, unsigned int mn)
{
int result;
asm { lw(r11, r30, asm_offset(msgp));
lw(r12, r30, asm_offset (mn));
trap(1);
sw(r22, r30, asm_offset(result));
};
return result;
}
Table 3.5: C0-Code of olosSendMsg
The implementations of the message transferring system calls (i. e., olosSendMsg and
olosRecvMsg) are very similar. Their code fragments only differ in the function name
and the trap number (shown in Table 3.3 on page 68). Hence, we restrict ourselves to
the presentation (Table 3.5) and description of function olosSendMsg.
The function parameters of olosSendMsg are the message pointer msgp and the mes-
sage number mn. The trap handler of Olos (recall Section 3.3.5) takes care of the
meaningful interpretation of these variables. The message transmission only succeeds
when both parameters are valid.
Both C0 variables have to be related to the compiled code. Whenever a function is
called, the stack frame is extended by a new local frame. There, the function parameters
70
3.4 The System Call Library
and the local variables are stored. Recall that the address of the top most stack frame
is kept in register r30 (Figure 2.4 on page 27). The offset asm offset specifies the
displacement of both parameters with respect to the base address of the top most stack.
For further Vamp-assembly computations, the memory operation lw loads the param-
eter values into the registers r11 and r22 of the calling application. After invoking the
trap instruction, the operating system reads these registers and handles the system call
(A.1.4 presents the C0 source code of the trap handler) and writes the result value into
the designated result register r22. Afterwards, the store word instruction sw copies the
content of result register r22 back into the local result variable of the function. Finally,
the function passes its local result variable back to the calling application.
3.4.1 The Message Structure
The last subsection is dedicated to the special message format that was prespecified by
our project partners from the technical university of Munich [BBG+08]. They modelled
applications running on Olos on the top most layer as automata (AutoFocus Task
Model AFTM). Therefore, they used their CASE tool AutoFocus which was developed
for modelling distributed systems.
Initially, our operating system was designed to deal with different message types.
Later on, it turned out that there was only one message format used by their generated
AutoFocus-tasks. In the following, we do not worry about the meaning of the message
variables. Nevertheless, our verification proofs rely on the specific message format and
we briefly introduce the necessary information.
Our proofs rely on the result of the c0 check tool. Hence, we present the C0 type
declaration together with the automatically generated C0 small-step types.
First, there are several type definitions that are based on integer values. They are
converted internally to the elementary type Integer.
typedef int TYPE_CMV;
typedef int TYPE_CCMV;
typedef int TYPE_CSMV;
typedef int TYPE_Signal;
Moreover, a structural type TYPE Coordinate defines coordinates with two integer
coordinate values called xCoord and yCoord. The juxtaposition of the C0 declaration
and the generated C0 small-step type is depicted in Figure 3.12 on the next page. The
C0 small-step coordinate type TYPE Coordinate ′ty consists of a two field structure with
the two variables. Each one of them is given by its name and type.
The entire message format TYPE Message Struct contains MSGLENGTH = 40 variables
of elementary type. The first variable is defined as an unsigned int, whereas the re-
maining 39 values are integers represented as three coordinates, 22 different signal values
and a dummy array collecting the residual unused variables. c0 check automatically
reduces all elementary type definitions to their underlying basic types e. g., TYPE CMV
simply becomes an Integer in the C0 small-step type definition. Then, the type defini-
tion of the C0 small-step message type TYPE Message Struct ′ty includes only variables
71
3 OLOS Design and Implementation
struct TYPE_Coordinate{
int xCoord;
int yCoord; };
Figure 3.10: C0 Type declaration
TYPE Coordinate ′ty ≡ Struct
[( ′′xCoord ′′, Integer),
( ′′yCoord ′′, Integer)]
Figure 3.11: C0 small-step types
Figure 3.12: Declaration of a Coordinate Type
of the aggregate coordinate type TYPE Coordinate ′ty, an integer array, and the basic
types UnsgndT and Integer. The original C0 definition and the generated one are placed
side by side in Figure 3.15 on the facing page.
Applications are written in C0 and use the structured message type that is stored in
their typed memory. The operating system, however, maintains the compiled code of
the applications where the message format is converted into plain integer lists and kept
in the untyped assembly memory. Hence, Olos operates directly on those integer lists.
The C0 compiler takes care of the conversion between untyped assembly memory and
the typed C0 memory. For the specification, we have to define two conversion functions
that turn the message type into a list of integer values and vice versa.
Variable values in the C0 memory model are stored in memory cells. A single memory
cell contains values of an elementary type, whereas values of aggregate types are stored as
a consecutive sequence of memory cells. For each elementary type, there are functions to
read a value of a memory cell (e. g., mem2int) and functions to store a value into a typed
cell (e. g., int2mem). The memory of assembly processes, the kernel message buffers and
the device buffers in contrast only store integer values.
A message stored in the C0 memory can be converted into a plain integer list of length
MSGLENGTH with function struct2intlist. The first component of the message is read
from the memory cell with function mem2unsigned and is converted to an integer value
with to int32. The remaining variables simply have to be read from their memory cells
using function mem2int. Afterwards, function map glues all elementary values to an
integer list of length MSGLENGTH. Formally:
struct2intlist data ≡
map (λx . if x < MSGLENGTH
then if x = 0 then to int32 (mem2unsigned (data x))
else mem2int (data x)
else default)
[0..<MSGLENGTH]
From a given integer list of length MSGLENGTH, we reconstruct an updated C0 mem-
ory with function intlist2struct. This function converts the first element into a natural
number with to nat32 and stores it into a memory cell with function unsigned2mem.
The remaining message values are consecutively written to the C0 memory cells using
int2mem. The other cells are set to default. Function intlist2struct is defined as:
intlist2struct data ≡
72
3.4 The System Call Library
struct TYPE_Message_Struct{
unsigned int Field;
TYPE_CMV crash19;
TYPE_CSMV connection_status;
TYPE_Signal c2eCall;
struct TYPE_Coordinate coord;
TYPE_Signal started23;
struct TYPE_Coordinate outCoord;
TYPE_CCMV connection_control;
TYPE_Signal finished26;
TYPE_CCMV connection_control27;
TYPE_Signal
Taskmodel_connection_failed_channel;
struct TYPE_Coordinate coord29;
TYPE_Signal c2MP;
TYPE_Signal started31;
TYPE_Signal finished32;
TYPE_Signal c2GPS;
int x;
int y;
TYPE_Signal finished36;
TYPE_Signal started37;
TYPE_Signal end_eCall2c;
TYPE_Signal start_eCall2c;
TYPE_Signal start_mP2c;
TYPE_Signal start_GPS2c;
TYPE_Signal end_GPS2c;
TYPE_Signal end_mP2c;
int dummy[11]; };
Figure 3.13: C0 type declaration
TYPE Message Struct ′ty ≡ Struct [
( ′′Field ′′, UnsgndT),
( ′′crash19 ′′, Integer),
( ′′connection status ′′, Integer),
( ′′c2eCall ′′, Integer),
( ′′coord ′′, TYPE Coordinate ′ty),
( ′′started23 ′′, Integer),
( ′′outCoord ′′, TYPE Coordinate ′ty),
( ′′connection control ′′, Integer),
( ′′finished26 ′′, Integer),
( ′′connection control27 ′′, Integer),
( ′′Taskmodel connection failed channel ′′,
Integer),
( ′′coord29 ′′, TYPE Coordinate ′ty),
( ′′c2MP ′′, Integer),
( ′′started31 ′′, Integer),
( ′′finished32 ′′, Integer),
( ′′c2GPS ′′, Integer),
( ′′x ′′, Integer),
( ′′y ′′, Integer),
( ′′finished36 ′′, Integer),
( ′′started37 ′′, Integer),
( ′′end eCall2c ′′, Integer),
( ′′start eCall2c ′′, Integer),
( ′′start mP2c ′′, Integer),
( ′′start GPS2c ′′, Integer),
( ′′end GPS2c ′′, Integer),
( ′′end mP2c ′′, Integer),
( ′′dummy ′′, Arr 11 (Integer))]
Figure 3.14: C0 small-step types
Figure 3.15: Declaration of the Message Type
λx . if x < MSGLENGTH
then if x = 0 then unsigned2mem (to nat32 (data ! x))
else int2mem (data ! x)
else default
Whenever an application requests to receive a message from the operating system,
it calls function olosRecvMsg. Section 2.5 reported how to deal with inline assembly
code within a C0 program and how to construct a C0 state after an executed portion
of inline assembly code. In order to update the memory, function C0 asm upd takes a
list of elementary g-variables. We introduce a function msg gvars that takes the root
73
3 OLOS Design and Implementation
g-variable gvar of a message and returns all of its elementary g-variables as a list. Thus,
we can hide the entire list of g-variables into a function that extracts them after its
application:
msg gvars gvar ≡
[gvar str gvar “Field”, gvar str gvar “crash19”,
gvar str gvar “connection status”, gvar str gvar “c2eCall”,
gvar str (gvar str gvar “coord”) “xCoord”,
gvar str (gvar str gvar “coord”) “yCoord”, gvar str gvar “started23”,
gvar str (gvar str gvar “outCoord”) “xCoord”,
gvar str (gvar str gvar “outCoord”) “yCoord”,
gvar str gvar “connection control”, gvar str gvar “finished26”,
gvar str gvar “connection control27”,
gvar str gvar “Taskmodel connection failed channel”,
gvar str (gvar str gvar “coord29”) “xCoord”,
gvar str (gvar str gvar “coord29”) “yCoord”, gvar str gvar “c2MP”,
gvar str gvar “started31”, gvar str gvar “finished32”,
gvar str gvar “c2GPS”, gvar str gvar “x”, gvar str gvar “y”,
gvar str gvar “finished36”, gvar str gvar “started37”,
gvar str gvar “end eCall2c”, gvar str gvar “start eCall2c”,
gvar str gvar “start mP2c”, gvar str gvar “start GPS2c”,
gvar str gvar “end GPS2c”, gvar str gvar “end mP2c”,
gvar arr (gvar str gvar “dummy”) 0, gvar arr (gvar str gvar “dummy”) 1,
gvar arr (gvar str gvar “dummy”) 2, gvar arr (gvar str gvar “dummy”) 3,
gvar arr (gvar str gvar “dummy”) 4, gvar arr (gvar str gvar “dummy”) 5,
gvar arr (gvar str gvar “dummy”) 6, gvar arr (gvar str gvar “dummy”) 7,
gvar arr (gvar str gvar “dummy”) 8, gvar arr (gvar str gvar “dummy”) 9,
gvar arr (gvar str gvar “dummy”) 10]
In the following chapter that reports on the formal implementation correctness proof
we consider applications and messages from the operating system’s view. Thus, applica-
tions modelled as Vamp assembly machines and messages are plain integer lists. Chapter
6, in contrast, presents an approach to pervasively verify applications running on top of
Olos. Hence, we also consider C0 applications exchanging messages with the presented
structured type.
74
4 Formal Specification of an ECU
An abstraction is one thing that represents several real things
equally well.
Edsger Dijkstra, quoted by David Lorge Parnas: ”Use the
Simplest Model, But Not Too Simple”.
Contents
4.1 ABC Automaton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.2 Application Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.1 Application Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.2 Assembly Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.2.3 C0 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.3 Abstract ECU Automaton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.3.1 Excursion: Towards a Distributed OLOS Model . . . . . . . . . . . . . . 111
In this chapter, we introduce a mathematical description of an entire ECUs behaviour.
Note that Olos relies on a specific protocol with the ABC, i. e., assuming a certain device
state, the operating system only expects a restricted set of device inputs. Consequently,
we verify the correctness of the operating system with respect to a device model which
specifies the behaviour of the ABC. The ABC automaton is described in Section 4.1.
Section 4.2 describes a formal specification of the communication interface between
applications and the operating system which was inspired to large extent by [DDWS08,
DDB08]. Moreover, we instantiate our formal model for assembly and C0 processes. This
technique is crucial to prove application simulation aside from the functional correctness
theorem.
The presentation of an entire ECU model consisting of the operating system and the
ABC device is shown in Section 4.3.
Finally, we refer to the thesis of Knapp [Kna08] that deals with a distributed ECU
model. We point out some slight differences between both specifications and present a
simulation theorem between our ECU model and Knapp’s model of a single ECU within
a single slot in Section 4.3.1.
4.1 ABC Automaton
This section presents the state and the transition function of our ABC device and spec-
ifies some predicates concerning the ABC state. Previously, the behaviour of the ABC
75
4 Formal Specification of an ECU
device was only partially specified to the extent needed for the interaction with the op-
erating system. More specifically, the device featured only the processor-visible buffers
and the device-communication phase had been neglected. We have extended the specifi-
cation by adding support for modelling the double buffers from the implementation, on
the one hand, and the communication of the device with the external environment, on
the other hand.
ABC States. As sketched in Section 3.2, the ABC device is responsible for the timely
transmission and reception of messages. For this purpose, the ABC device features
a double buffer for outgoing messages (send buffers) and a second one for incoming
messages (receive buffers). In addition, the device requires a considerable amount of
system-specific information. Namely, this information comprises the slot length in hard-
ware cycles, the sending permission table SPT, and custom-tailored parameters like the
message size or the number of slots per round. Furthermore, the device features a timer
that signals the start of the send phase to Olos, which requires information about the
length of the receive and compute phases in hardware cycles. All this information is
held in the so-called configuration registers, which are set up by Olos in an initial-
ization phase right after power up. This phase is identified by an initialization flag,
which is initially raised and remains enabled until Olos signals the completion of the
initialization by writing the set-ready command. Hence, the ABC device switches from
initialization to running mode. Finally, the ABC state includes a slot counter keeping
track of the current slot number, a send flag distinguishing send- and receive phase,
and an interrupt flag, representing the ABC’s interrupt line. Summarizing, the state
of the ABC automaton is represented in Isabelle/HOL by a record with the following
components:
• the receive buffers sabc.RB and send buffers sabc.SB, modelled as lists of messages,
• the configuration registers sabc.CR,
• three flags classifying ABC protocol states, i. e., an interrupt flag sabc.INT, an
initialization flag sabc.IP, and a send flag sabc.SF and finally,
• the current slot number sabc.CSN
hd sabc.SB
.
.
.
last sabc.SB
Processor
Bus
last sabc.RB
.
.
.
hd sabc.RB
Figure 4.1: Send and Receive Buffer Model
76
4.1 ABC Automaton
The send and receive buffers are represented as lists of arbitrary length. Hence, we
may use the model with an arbitrary number of receive and send buffers. Most notably,
we can model the ABC with single as well as double buffers. Note that in contrast to
the implementation, the specification does not have a parity bit. Instead, we model
the swapping of the buffers by rotating their contents. Figure 4.1 on the preceding
page depicts the send and receive buffer model. The processor-facing buffers are always
addressed by hd sabc.SB and last sabc.RB. The bus, on the contrary, accesses the buffers
with last sabc.SB and hd sabc.RB.
In the single buffer model, both expressions are obviously equal, i. e., hd sabc.SB = last
sabc.SB and hd sabc.RB = last sabc.RB. Each buffer entry stores a message, which is itself
represented as an integer list.
Configuration register Description
sabc.CR ! 0 number of slots per round (SLOTCOUNT)
sabc.CR ! 1 size of messages in bytes (4 · MSGLENGTH)
sabc.CR ! 2 an offset value the sender waits before sending
sabc.CR ! 3 the slot length counted in hardware cycles
sabc.CR ! 4 a wake-up value (used to generate interrupts within a slot)
sabc.CR ! 5 an initial waiting value
sabc.CR ! 6, sabc.CR ! 7 lower and higher part of the SPT
Table 4.1: Content of ABC configuration registers
There are 8 configuration registers. Table 4.1 describes their content. We are partic-
ularly often referring to the sending permission SPT. Hence, we encapsulate the access
of the i-th SPT-entry by function read sendl sabc i and define:
read sendl sabc i ≡ SPT ! i
ABC Transitions. Before we formally define the transitions of the ABC device, we first
give an abstract overview of the protocol that the device uses for the communication
with the operating system and the external environment. Figure 4.2 on the next page
illustrates the transitions within this protocol. Note that the diagram shows symbolic
names though technically, the protocol states are encoded by three flags. Table 4.2 on
the following page translates the symbolic names into the corresponding flag combination
and vice versa. The init state resembles the initialization phase and is indicated by a
raised initialization flag. Otherwise, we distinguish states from their send and interrupt
flag as follows: In the read state the interrupt line is raised and the send flag disabled,
whereas in the write state interrupt and send flag are enabled. In the idle states, the
interrupt flag is not set and we distinguish from the idlew where the send flag is raised
and idlerd.
Recall that our device interacts with the processor, on the one hand, and the external
environment, on the other hand (Section 2.7). Hence, we annotate flowing data with e
for external environment and m for the processor. Inputs are denoted by ↓, and outputs
by ↑ (i. e., e↓ is shorthand for eifi, whereas m↑ abbreviates mifo).
77
4 Formal Specification of an ECU
initreset idlerd read
write idlew
m↓setrd
m↓config
elmsg
¬ sp+ ∧ m↓clr
m↓read
m↑msg
sp+ ∧ m↓clr
e↓timerm↓msg
m↓clr
Figure 4.2: State diagram for the ABC
As described, we start in the init state, where Olos consecutively writes the configu-
ration (config) into the corresponding registers and finally issues the set-ready command
(setrd).
When the ABC sees the set-ready command, the device switches into running mode
and enters idlerd and awaits an input from the bus (elmsg). More specifically, we check
whether the ECU has the send permission (sp) in the current slot. If so, the device is
waiting for a timer event, then outputs the message from its bus-facing send buffer to the
bus and writes the same message to its bus-facing receive buffer 1. Otherwise, it awaits a
message from the bus and stores it into its bus-facing receive buffer. We abbreviate “if sp
then (e↓timer, e↑msg) else e↓msg” by elmsg. This abbreviation essentially encapsulates
two possible transitions depending on the send permission.
When the receive buffer has been written, the device enters the read state. In this state
the device expects a request from the processor (m↓read) to read a message from the
ABC’s processor-facing receive buffer (m↑msg). In analogy to the set-ready command,
the processor acknowledges the successful reception by the command clear interrupt
(clr). Depending on the send permission in the next slot (denoted by sp+), the device
either enters the read- or the write-idle state (idlerd or idlew, respectively). The former
1Here we assume an ideal bus transmission where entire messages are sent and received without data
losses
Symbolic names sabc.IP sabc.INT sabc.SF
init True - -
read False True False
write False True True
idlerd False False False
idlew False False True
Table 4.2: Automaton states related to their flag combination
78
4.1 ABC Automaton
idlerd read idlew write
sabc.INT
sabc.SF
elmsg m↓clr e↓timer m↓clr
Figure 4.3: Timing diagram of ABC flags
has been discussed before and the latter analogously awaits the beginning of the send
phase. This phase is deterministically entered after a configurably fixed time. We model
the elapsed time as an external event e↓timer.
With the external timer event, the device enters the write state in order to allow
the processor writing a message (m↓msg) into the processor-facing send buffer. When
the transmission is finished, the device transfers back to the idlerd after getting a clear-
interrupt command from the processor (like in the receive case). We can relate the read
state to the receive phase of the ECU and the write state to its send phase, respectively.
Depending on the sending permission of an ECU the ABC automaton is situated in one
of the idle states during the Compute Phase. Finally, the device-communication phase
is encapsulated in the transition elmsg.
Figure 4.3 shows the interrupt flag INT and the send flag SF of an ABC state sabc
during one slot in a timing diagram. In this szenario we assume that the ABC has the
send permission during that slot. This diagram impressively depicts the characteristic
flag combination of each state in a certain chronological sequence.
After we have given an overview of the abstract ABC automaton, we will present the
formal definitions of the ABC transition functions.
Several transitions in the automaton rely on inputs from the processor (denoted with
m↓). m↓setrd and m↓clrint are commands written from the processor to the command
register of the device. These inputs force the device to change its state internally. The
following predicates indicate that an input mifi from the processor is a clearint or a setrd
command:
is clearint mifi ≡
mifi.mifi din = CLEARINT COM ∧ mifi.mifi a = COMR PORT ∧ mifi.mifi wr
is setrd mifi ≡
mifi.mifi din = SETRD COM ∧ mifi.mifi a = COMR PORT ∧ mifi.mifi wr
Both predicates hold when the write flag mifi.mifi wr is enabled, the port equals
79
4 Formal Specification of an ECU
the command port mifi.mifi a = COMR PORT and the incoming data resembles the
individual command code (CLEARINT COM respectively SETRD COM).
Except the read access from the processor (m↓read), all the other transitions with pro-
cessor input manipulate the ABC state. These transitions are encapsulated in function
mifi write to compute a successor state from the current device state and a processor
input. We distinguish between four cases:
• m↓msg : Processor writes a message into send buffer
The processor updates the visible ABC send buffer (i. e., hd sabc.SB = sabc.SB ! 0)
with the given data when the port address refers to the send buffer.
• m↓clrint : Processor sends command CLEARINT COM
This transition either occurs in the write or the read state. Both states differ in
the value of the send flag sabc.SF. In the write state (sabc.SF), we simply disable the
interrupt flag and the send flag to enter idlerd. In the read state (¬ sabc.SF), the
device clears the interrupt flag and sets the send flag to a new value corresponding
to the entry in the SPT of the next slot. Afterwards, the state proceeds to one of
the idle states.
• m↓setrd : Processor sends command SETRD COM
Function mifi write clears the init flag to indicate the termination of the initializa-
tion phase. Moreover, the send flag is reset to change to idlerd. Finally, the current
slot number is initialized with SLOTCOUNT − 1 such that the device starts with
an incoming external event in slot 0 (the slot number is increased directly then).
• m↓config : Processor writes the configuration registers
The last branch of the function defines the initialization of the configuration reg-
isters. We require that the init flag is set and the port address refers to one of the
registers.
Function mifi write includes all the transitions mentioned above:
mifi write mifi sabc ≡
let new data = to int32 mifi.mifi din; addr = mifi.mifi a
in if SEND PORT ≤ addr < RECV PORT
then sabc
(|SB := sabc.SB
[0 := (sabc.SB ! 0)[addr − SEND PORT := new data]]|)
elsif is clearint mifi
then if sabc.SF then sabc(|INT := False, SF := False|)
else sabc
(|INT := False,
SF := read sendl sabc
((sabc.CSN + 1) mod sabc.CR ! 0)|)
elsif is setrd mifi
then sabc(|IP := False, SF := False, CSN := SLOTCOUNT − 1|)
80
4.1 ABC Automaton
elsif sabc.IP ∧ CONFR PORT ≤ addr < COMR PORT
then sabc(|CR := sabc.CR[addr − CONFR PORT := mifi.mifi din]|)
else sabc
Finally, we present the internal transition function dmabc of the ABC device that includes
all processor communicating functions. The function takes the current ABC state sabc
and an input from the processor mifi. It returns a triple consisting of the successor state
s ′abc and outputs to the processor mifo and the external environment eifo. We distinguish
between read and write requests that are mutually exclusive. When the processor wants
to read i. e., mifi.mifi rd, the ABC state remains unchanged and the output to the
processor is the data of the processor visible receive buffer (i. e., last sabc.RB) at a certain
port address. A raised write flag mifi.mifi wr, on the contrary, changes the successor
ABC state s ′abc by applying function mifi write and always returns 0 to the processor.
In both cases, we return an empty output to the external environment i. e., eifo abc⊥.
The internal transition function dmabc is defined as follows:
dmabc mifi sabc ≡
(if mifi.mifi wr then mifi write mifi sabc else sabc,
if RECV PORT ≤ mifi.mifi a < CONFR PORT ∧ mifi.mifi rd
then to nat32 (last sabc.RB ! (mifi.mifi a − RECV PORT))
else 0,
eifo abc⊥)
Apart from the processor communication, the ABC device interacts with the external
environment i. e., the bus. The device starts after the initialization phase in state idlerd
and expects an incoming external event. The incoming external event immediately
initiates the start of a new slot. The entire device communication is hidden in transition
elmsg. We encapsulate all necessary computations into function abc incoming msg.
It takes the current device state sabc and a given message msg to return an updated
ABC state. After the external event has triggered a new slot, the ABC device raises
its interrupt flag and increases the actual slot number. The value of SLOTCOUNT is
kept in a configuration register (Table 4.1 on page 77). Note that Olos increases its
implementation variable of the current slot number in the receive phase i. e., after it
detects the ABC’s raised interrupt flag. This causes a delay between both current slot
number representations. At the beginning of a new slot, we have to shift the buffer
contents. For the send buffer, we use function rotate1 to model the buffer swapping.
It simply shifts all elements left and appends the first element at the end of the list.
The receive buffer, on the contrary, updates the first element with the message msg and
appends the old buffer contents except the last element by using function butlast (we
can imagine that all buffer contents are shifted right and the last one is dropped). abc
incoming msg is formally defined as:
abc incoming msg msg sabc ≡
sabc
(|INT := True, CSN := (sabc.CSN + 1) mod sabc.CR ! 0,
RB := msg  butlast sabc.RB, SB := rotate1 sabc.SB|)
81
4 Formal Specification of an ECU
Now, we formalize the external transition function deabc of the ABC device. It takes the
current ABC state sabc and an input eifi from the external environment. The function
returns a pair consisting of the successor state s ′abc and an output to the external
environment eifo. In a certain device state, the automaton expects a restricted set of
device inputs. Whenever the ABC gets an undefined input or an empty input eifi abc⊥,
the transition function returns an unchanged state and an empty output to the bus:
(sabc, eifo abc⊥). Otherwise, we distinguish between incoming timer events or messages.
We expect an incoming timer event in one of the idle states where the interrupt flags
are disabled. The timer event in state idlew signals the start of the send phase. Here,
the transition function raises the interrupt flag and returns empty output value. The
ABC device with the sending permission awaits a timer event in idlerd signalling a slot
boundary. Hence, we obtain a new ABC state by using function abc incoming msg and
write the message of the bus-facing send buffer to the bus. Note that the bus-visible
receive buffer of the sending ABC is updated directly with the message. Otherwise, all
devices without sending permission in state idlerd await an incoming message from the
external environment. Moreover, the transferred message indicates the start of a new
slot. In this case, the transition function applies function abc incoming msg to obtain
the successor state s ′abc and returns an empty output to the bus. The external transition
function of the ABC device deabc in Isabelle/HOL is defined as:
deabc eifi sabc ≡
case eifi of eifi abc⊥ ⇒ (sabc, eifo abc⊥)
| eifi abc timer ⇒
if sabc.INT then (sabc, eifo abc⊥)
elsif sabc.SF then (sabc(|INT := True|), eifo abc⊥)
else (abc incoming msg (last sabc.SB) sabc, blast sabc.SBc)
| eifi abc msg msg ⇒
if sabc.INT ∨ sabc.SF then (sabc, eifo abc⊥)
else (abc incoming msg msg sabc, eifo abc⊥)
Predicates on ABC States. We regard states of the ABC device at different points
in time. The constraints the device should fulfill in the init state, directly after the
configuration from the operating system and after all device transitions are specified in
the following predicates.
The validity of messages given as integer lists is encapsulated in a predicate called is
valid intlistMsg. This predicate takes a message as argument and holds when the length
equals MSGLENGTH and all message values are signed 32-bit integers. Formally:
is valid intlistMsg msg ≡
|msg | = MSGLENGTH ∧ (∀x<MSGLENGTH. asm int (msg ! x))
Predicate valid ABC buffers holds if an ABC state sabc has valid ABC buffers. It
includes requirements of the buffer lengths i. e., the ABC device should provide at least
one send and receive buffer, whereas the number of configuration registers is fixed with
82
4.1 ABC Automaton
8. Moreover, the send and receive buffers contain valid data with fixed length. For a
given ABC state predicate valid ABC buffers holds
valid ABC buffers sabc ≡
1 ≤ |sabc.SB| ∧
1 ≤ |sabc.RB| ∧
|sabc.CR| = 8 ∧
(∀i<|sabc.SB|. is valid intlistMsg (sabc.SB ! i)) ∧
(∀i<|sabc.RB|. is valid intlistMsg (sabc.RB ! i))
After reset, the ABC is in the init state where it awaits the processor to configure its
registers. At that point of time, we require that the ABC device has valid buffers, the
init flag sabc.IP signals that the device is in the initialization phase and the interrupt flag
sabc.INT is initially disabled. All constraints that should hold directly after power-up
are collected in predicate abc before olosinit:
abc before olosinit sabc ≡
valid ABC buffers sabc ∧ ¬ sabc.INT ∧ sabc.IP
After the initialization phase we demand for validity of the ABC device. This includes,
besides the validity of ABC buffers that the configuration registers have been set to the
correct values. More specifically, the designated registers should hold the correct number
of slots per round, the message length and the sending permission table. Furthermore,
the device is in the running mode that is indicated by a disabled initialization flag sabc.IP.
We summarize all these requirements in predicate is valid ABC. Formally:
is valid ABC sabc ≡
sabc.CR ! 0 = SLOTCOUNT ∧
sabc.CR ! 1 div 4 = MSGLENGTH ∧
map (read sendl sabc) [0..<SLOTCOUNT] = SPT ∧
valid ABC buffers sabc ∧ ¬ sabc.IP
Directly after the operating system configured the ABC device, we assume that a device
state sabc is initial. An initial state has to fulfill the validity constraints. Furthermore,
the ABC device should start with slot number 0. Directly after the initialization, the
device awaits an incoming event from the external environment to start the first slot.
The corresponding transition function increases the current slot number, hence the initial
slot number after power-up is set to SLOTCOUNT − 1. Finally, the flags have to be
set up correctly after initialization. More specifially, all flags are disabled (¬ sabc.IP ∧
¬ sabc.SF ∧ ¬ sabc.INT) to start from state idlerd. All constraints are encapsulated into
predicate is initial ABC that is satisfied when an ABC state sabc is initial. Formally:
is initial ABC sabc ≡
is valid ABC sabc ∧
sabc.CSN = SLOTCOUNT − 1 ∧ ¬ sabc.INT ∧ ¬ sabc.SF
83
4 Formal Specification of an ECU
We require that validity holds after the initialization phase and is preserved under
internal and external ABC-transitions.
Lemma 4.1 (dmabc preserves State Validity). From a given valid ABC device state is
valid ABC sabc that receives a wellformed input from the processor in case of a write
request (i. e., mifi.mifi wr −→ asm nat mifi.mifi din), we can conclude that an internal
ABC transition preserves validity. Formally
is valid ABC (fst (dmabc mifi sabc))
Proof. The internal ABC-transition distinguishes between read or write requests from
the processor. In the first case the ABC state is only accessed but not modified. Hence,
validity holds obviously. Otherwise, function mifi write manipulates the ABC state. We
distinguish between the four possible cases:
1. Writing data into the send buffer:
In this case the configuration registers, the initialization flag and the receive buffers
remain unchanged. Hence, we have to prove that the send buffers are valid. The
buffer length does not change after a write access. From the assumption we know
that the written data is an unsigned 32-bit integer. Function natwd to intwd
converts this value to a signed 32-bit integer. Hence, the buffer is valid after
writing data into the send buffer.
2. Clearing the interrupt flag:
The clearint command modifies the values of the interrupt and the send flag. Thus,
all constraints on buffers and the initialization flag are still satisfied.
3. Change into running mode:
In case of a setrd command, the current slot number the interrupt and the ini-
tialization flag are set. Hence, buffer validity is preserved and the configuration
registers remain unchanged. The value of the initialization flag is overwritten with
False, thus all validity conditions hold.
4. Initialize the configuration registers:
We can drop this case, since the initialization of the configuration registers is only
possible in the initialization mode. A valid ABC state sabc is always in running
mode (i. e., the initialization flag is cleared ¬ sabc.IP).
Lemma 4.2 (deabc preserves State Validity). We assume that messages coming from the
external environment are always valid (i. e., ∀msg . eifi = eifi abc msg msg −→ is valid
intlistMsg msg) Then, for a valid ABC device state sabc validity is preserved under an
external ABC transition. Formally:
is valid ABC (fst (deabc eifi sabc))
Proof. We prove this lemma by case distinction over the external input eifi:
1. eifi = eifi abc⊥:
The state is not modified and obviously validity still holds.
84
4.2 Application Abstraction
2. eifi = eifi abc timer:
In the case that the interrupt flag is already set the state is unchanged. Otherwise,
when the send flag is set, only the interrupt flag is raised. Hence, all validity con-
straints are still satisfied. When neither the interrupt flag nor the send flag where
set, the state is updated with function abc incoming msg where the message is the
content of the bus-facing send buffer. The conditions on the configuration registers
and the initialization flag obviously hold. Validity of the buffers is preserved since
the buffer lengths are not changed and rotating or shifting valid values within a
buffer still satisfy the requirements.
3. eifi = eifi abc msg msg :
In the case that either the interrupt or the send flag are set the state is not
manipulated. Otherwise, the receive buffer is updated by calling function abc
incoming msg with the incoming message value msg . Setting the interrupt flag and
the current slot number and rotating valid buffers do not violate the requirements
of state validity. From the assumption that all incoming messages are valid, we
conclude that the receive buffers are valid after receiving a message.
4.2 Application Abstraction
Before we specify the behaviour of the whole ECU, we draw the readers attention to
the interaction between applications and the operating system Olos. We have learned
from Section 3.3.5 that applications use system calls in order to request services from
the operating system. Their effect is not only the manipulation of application states but
they may also modify the state of the operating system.
As we have seen in Section 3.4, system calls are implemented with portions of inline
assembly code. This code is hidden in a library of C0 functions. Accordingly, we
would like to abstract the specification of system calls as C0 machines. Daum et al.
[DDWS08, DDB08] specified a clean interface between their operating system Vamos
and their processes. Therefore, they encapsulated processes as self-contained automata
and presented an abstract process model. This definition separates the concepts of the
interface between an operating system and its processes from the actual specification of
a system call.
We adapt this idea and slightly change it for our purposes. Hence, we present an
abstract application model and instantiate this model for assembly and C0 processes.
Finally, we prove the validity of the C0 application specification and the Vamp assembly
counterpart.
Thus, we are able to regard C0 and assembler applications independently and prove
a simulation theorem that relates both models separated from the operating system.
4.2.1 Application Model
In this subsection, we introduce an abstract application model that allows a clear sepa-
ration between the operating system and the applications.
85
4 Formal Specification of an ECU
Outputs Wapp Inputs Svapp
eW (no call to a primitive) eSv (internal step)
SendMsg msgval msgnum SendSuccess
InvalidMsgNr
RecvMsg msgnum RecvSuccess msgval
InvalidMsgNr
ExFinish FinishSuccess
InvPtrErr InvPtrResponse
StuckErr —
Undefined Trap Continue
Table 4.3: Interface between Olos and its applications
Definition 4.1 (Application Model). The process model is an input-output automaton
Aapp given by a tuple
(Sapp, Wapp, Svapp, wapp, dapp, is validapp, is initapp, sizeapp) where
• Sapp is the state,
• Wapp is the output alphabet,
• Svapp is the input alphabet,
• wapp is an output function,
• dapp is the transition function,
• is validapp is a predicate determining wheter an applications state is valid,
• is initapp is a predicate indicating that an application state is initial and,
• sizeapp is a function computing the size of an application
The state Sapp depends on the individual programming language that is in our case, C0
or Vamp assembly. The interface between the applications and the operating system is
defined by Svapp and Wapp and is shared by all application models. Table 4.3 presents both
alphabets, the output alphabet (an application request) together with the corresponding
responses from Olos (inputs).
Output Alphabet. The output alphabet Wapp comprises all possible system calls, the
inquiry of an ’ordinary’ local step and some error conditions. The output eW denotes the
intention to perform a local computation in the next step. SendMsg msgval msgnum,
RecvMsg msgnum and ExFinish are outputs in order to call the operating system
(system calls). The message transferring system calls take two arguments which are
stored in registers. However, these values may not have meaningful interpretations.
We have e. g., only a bounded number of message buffers so that the message number
may be out of range. The operating system takes care of the individual handling of an
incoming msgnum. Before the application inquires communication with the operating
system it checks whether conditions of a successful transfer are given (i. e., the start
address is valid and there is enough memory space to store a whole message). If this
is not the case, the application indicates this with output InvPtrErr. Otherwise, it
86
4.2 Application Abstraction
requests a system call service with the corresponding output. Whenever an application
specifies a system call number that is not associated with any of our calls, this is signalled
with the output Undefined Trap. At least, an application could generate exceptions
like illegal page faults or overflows. These exceptions throw the output StuckErr.
Vamp assembly applications are quite robust since they can handle invalid pointers or
meaningless system call numbers. C0 programs, in contrast, immediately return an error
state when the execution of a transition fails. This state cannot be left any more. We
summarize all undesired outputs into predicate is runtime error:
is runtime error i ≡ i = StuckErr ∨ i = Undefined Trap ∨ i = InvPtrErr
All outputs are summarized in the left row in Table 4.3 on the facing page.
Input Alphabet. The input alphabet Svapp reflects all possible responses of the oper-
ating system reacting to the given outputs. Therefore, Olos passes different inputs to
the transition function dapp. In order to perform a local computation, the transition
function dapp gets the input eSv. Note that local computations depend on the individual
state. The inputs SendSuccess, RecvSuccess msgval and FinishSuccess are the
corresponding responses of the operating system to the kernel calls in case of success.
The application outputs SendMsg and RecvMsg use parameter msgnum which may
be a value out of range. When applications request to exchange messages with an unde-
fined message buffer , Olos signals this error with input InvalidMsgNr. Similarly, the
operating system replies to an output InvPtrErr with the corresponding input InvP-
trResponse. The output StuckErr has no corresponding input since the operating
system does not change a stuck application state. Finally, we pass Continue to the
transition function dapp whenever the application continues with the next instruction.
Valid OLOS Reponses. In the last paragraph we noticed that our operating system
Olos responds to an incoming inquiry only with one of the specified inputs. Table 4.3
on the preceding page emphasizes this strong correlation between outputs and inputs.
Formally, we collect the matching output-input pairs (wapp sapp, i) in a set olos responses:
(SendMsg msgval msgnumb, SendSuccess) ∈ olos responses
(SendMsg msgval msgnumb, InvalidMsgNr) ∈ olos responses
is valid intlistMsg msgval =⇒
(RecvMsg msgnumb, RecvSuccess msgval) ∈ olos responses
(RecvMsg msgnumb, InvalidMsgNr) ∈ olos responses
(ExFinish, FinishSuccess) ∈ olos responses
(InvPtrErr, InvPtrResponse) ∈ olos responses
(Undefined Trap, Continue) ∈ olos responses
(eW, eSv) ∈ olos responses
Result Values. The responses of the operating system to the calling application addi-
tionally determine the result value that is written to the result register or variable of
87
4 Formal Specification of an ECU
the application. When the input indicates a successful execution of the system call, the
result value is 0. If one of the system call parameters is invalid, this value is set to a
corresponding error code.
result value int sv ≡
case sv of InvPtrResponse ⇒ INVALID POINTER
| InvalidMsgNr ⇒ INVALID MSGNUM
| ⇒ 0
Predicates. The validity predicate is validapp includes constraints for the wellformed-
ness of the particular state depending on Sapp,. When a C0 program is started, it is
compiled by the verfied C0 compiler and saved in a binary executable file which stores
the initial memory content of code and data of the corresponding assembly program.
The operating system initializes the registers of the application and sets its memory to
the specified memory image. While the image uniquely describes the initial assembly
state, the original C0 program cannot be reconstructed since the variable names are not
preserved in the compiled code. Thus, the generic definition of application models uses
an initialization predicate is initapp that relates initial application states and memory
images. Furthermore, function sizeapp computes the amount of virtual memory that is
used by an application.
Valid Applications. So far, we have described the intuition of application automata
which interact with the operating system. We restrict these models to a special class
of automata by defining a set of rules. These rules form the specification of a valid
application and have to be discharged within each individual instantiation of an abstract
model. In the following paragraph, we present all necessary rules that specify valid
applications.
The first rule (valid success) assumes a valid application state together with an output
requesting to send a message. We require that the successor state of the application is
valid after a successful execution of the corresponding system call.
is validapp sapp wapp sapp = SendMsg msgval msgnum
is validapp (dapp SendSuccess sapp)
(valid success)
Additionally, the same assumptions should ensure that the message sent to the op-
erating system is valid. The wellformedness constraints of a message include a fixed
message length and the condition that all message values are signed 32-bit integers.
(valid success msg) encapsulates this requirement:
is validapp sapp wapp sapp = SendMsg msgval msgnum
is valid intlistMsg msgval
(valid success msg)
When a valid application requests to receive a message from the operating system, we
demand additionally that the message is well-formed. Then, the successful execution of
the corresponding system call leads to a valid successor state:
88
4.2 Application Abstraction
is validapp sapp wapp sapp = RecvMsg msgnum is valid intlistMsg msgval
is validapp (dapp (RecvSuccess msgval) sapp)
(valid succ recv)
Rule (valid succ finish) postulates that validity of an application is preserved after the
application signals its termination (wapp sapp = ExFinish) and the kernel reacts with
the corresponding transition dapp FinishSuccess sapp.
is validapp sapp wapp sapp = ExFinish
is validapp (dapp FinishSuccess sapp)
(valid succ finish)
An inquiry of an application for a message exchange with the operating system always
includes paramenter msgnum. Whenever the application tries to access an unspecified
message buffer, the operating system calls the transition function with the input In-
validMsgNr. Assuming a valid application state and a request for kernel communica-
tion, we can conclude that the successor state remains valid.
is validapp s wapp s = SendMsg msgval msgnum ∨ wapp s = RecvMsg msgnum
is validapp (dapp InvalidMsgNr s)
(valid inv msgnum)
Furthermore, validity is preserved after the operating system executes the transition
function dapp InvPtrResponse. We define this constraint in rule (valid inv pointer):
is validapp s
is validapp (dapp InvPtrResponse s)
(valid inv pointer)
Even though the operating system ignores a request from a valid application and
continues with the next instruction (Continue) the successor state remains well-formed.
is validapp s
is validapp (dapp Continue s)
(valid continue)
A valid application state that intends to perform a local step (signalled with output
eW) remains valid after executing the transition function of the underlying individual
model. This constraint is formulated below:
is validapp s wapp s = eW
is validapp (dapp eSv s)
(valid step)
We assume to have an initial application state and moreover, all values of the image
img are signed 32-bit integers and the number of allocated pages is bounded by TVM
MAXPAGES. Note that we forbid applications with no allocated memory. Then, the
initial application state fulfills the validity constraints.
89
4 Formal Specification of an ECU
is initapp img pages s
∀ad<|img |. asm int (img ! ad) 0 < pages pages ≤ TVM MAXPAGES
is validapp s
(valid initial)
From an initial application state we can conclude that the amount of allocated virtual
memory equals the number of pages pages. This is formalized in (init app size):
is initapp img pages s
sizeapp s = pages
(init app size)
Finally, we assume a valid application state that does not signal a runtime error.
Moreover, the successor state after the transition function with the corresponding input
also does not notify a runtime error. Then, the program size remains unchanged after
all valid transitions.
is validapp s ¬ is runtime error (wapp s) ¬ is runtime error (wapp (dapp sv s))
sizeapp (dapp sv s) = sizeapp s
(delta app size)
This concept allows to clearly separate the tasks of the operating system and appli-
cations and we may use either assembly or C0 machines. Note that there exist error
cases where C0 and assembly applications react in different manners. In case of an
invalid message pointer, assembly applications simply return an error code to the ap-
plication whereas C0 programs lead to a runtime error. The same can be said for the
call of undefined functions. Whereas, assembly applications would continue with the
next instruction, C0 programs give up processing. Therefore, we consider lateron only
computations that do not lead to runtime errors in C0. Then, we can guarantee that all
instructions of a C0 program can be simulated by a sequence of assembly executions.
4.2.2 Assembly Applications
Instantiating the abstract process model with assembly processes extends the seman-
tics of the sequential Vamp assembly language. Whereas in the sequential fragment
of this language the trap instruction is simply illegal, we use this instruction for the
communication with the operating system.
The state of assembly processes is identical to the formal semantics of Vamp assembly
presented in Section 2.2. In this subsection, we define the output and transition functions
as well as the predicates for assembly states.
Output Function. Before we present the output function wapp, we first introduce some
helpful definitions. In case that the application requests message exchange with the
operating system, it has to check whether the start address is divisible by 4 and whether
90
4.2 Application Abstraction
the entire message fits into the memory that is bounded by mm size d · PAGE SIZE.
This information is stored in the predicate valid sa:
valid sa arg sasm ≡ 4 dvd arg ∧ arg + 4 · MSGLENGTH < mm size sasm · PAGE SIZE
In order to communicate with the operating system the application uses the trap
instruction with an immediate constant i to distinguish between different requests. For
a given trap instruction the output function wtrap computes the corresponding output.
olosExFinished is called with trap number 0, hence we return ExFinish. The system
calls exchanging messages with Olos have two parameters: a message pointer to the
start address in the application memory and the index of the message buffer that is
involved in the message transfer. For convention these parameters are stored in the
assembly machine in the general-purpose registers 11 and 12, whereas general-purpose
register 22 always keeps the return value. The message transferring calls olosSendMsg
and olosRecvMsg rely on the correctness of the start address that is stored in the register
11: If this value is not valid the function returns InvPtrErr. Note that the validity
of the message number is handled by the kernel. Otherwise, we distinguish between
a successful send request (i = 1) and a successful receive request (i = 2) from the
application. The first one returns SendMsg together with the message value (extracted
from the application memory with a given start address and the message length) and
the message number. The output of the latter request is RecvMsg with the message
number. Every other immediate constant specifies a value that is not associated with
any call of our operating system. Then, the function returns output Undefined Trap.
Formally:
current instr sasm = trap i =⇒
wtrap sasm ≡
if i = 0 then ExFinish
elsif i = 1
then if ¬ valid sa (to nat32 (sasm.gprs ! 11)) sasm
then InvPtrErr
else let msg =
map sasm.mm
[to nat32 (sasm.gprs ! 11) div 4..<
to nat32 (sasm.gprs ! 11) div 4 + MSGLENGTH]
in SendMsg msg (to nat32 (sasm.gprs ! 12))
elsif i = 2
then if ¬ valid sa (to nat32 (sasm.gprs ! 11)) sasm
then InvPtrErr
else RecvMsg (to nat32 (sasm.gprs ! 12))
else Undefined Trap
The overall output function for assembly applications wapp takes an assembly state sasm
to return the corresponding output. An instruction may generate exceptions like illegal
instruction is illegal instr, misalignments (is misaligned data,is misaligned pc) or page
91
4 Formal Specification of an ECU
faults (is outranged pc, is outranged data). If such an exception occurs the function
returns output StuckErr. Otherwise, we distinguish the current instruction between
trap or other assembly instructions. The former uses function wtrap to determine the
output, the latter returns eW. With the formalizations from above we define the overall
output function for assembly applications wapp as follows:
wapp sasm ≡
if is illegal instr sasm ∨
is misaligned pc sasm ∨
is misaligned data sasm ∨
is outranged pc sasm ∨ is outranged data sasm
then StuckErr
else case current instr sasm of
trap i ⇒ wtrap sasm | ⇒ eW
Transition Function. The transition function for assembly applications dapp returns
a successor application state depending on the current application state sasm and the
kernel response. The effects of trap instructions depend on their immediate constants:
there are three possible distinct modifications on application states. Hence, we formalize
three seperate functions to encapsulate these independent state updates:
1. Writing a message into the application memory.
Function write msg specifies the changes of an application that receives a message
from the kernel. It takes the current application state sasm and the message value
msg to update the memory. Register sasm.gprs ! 11 keeps the start address of the
memory region where the message is stored. Formally:
write msg sasm msg ≡
let sa = to nat32 (sasm.gprs ! 11) div 4
in sasm(|mm := λi . if i < sa ∨ sa + |msg | ≤ i then sasm.mm i else msg ! (i − sa)|)
2. Updating the result register.
Whenever the application inquires a message exchange with the operating system,
the result register 22 will be updated with a result value. Recall that result
value int sv depends on the input sv. Function write result computes from a given
application state and an input sv a state with an updated result register:
write result sv sasm ≡ sasm(|gprs := sasm.gprs[22 := result value int sv]|)
3. Increasing the program counters.
Finally, a trap instruction increases the program counters of an application in such
a way that the computation proceeds with the next instruction. Function inc pcs
encapsulates the modification of the program counters and is formally defined as
follows:
92
4.2 Application Abstraction
inc pcs sasm ≡ sasm(|dpc := sasm.pcp, pcp := (sasm.pcp + 4) mod 232|)
The transition function dapp is specified by a case distinction over all possible applica-
tion inputs sv. There are two cases where simply the program counters of the application
are increased. Then, the application simply continues with the next instruction. This
happens after the system call olosExFinished (sv = FinishSuccess) or in the case of an
undefined trap number (sv = Undefined Trap). The successor state of an application
has an updated result register and increased program counters in case of a successful send
request SendSuccess or when a message transfer system call had invalid arguments (sv
= InvPtrResponse ∨ sv = InvalidMsgNr). When the application successfully re-
ceived a message from Olos, its memory is changed additionally to the result register
and the program counters. Finally, a local step in the sequential assembly semantics is
performed in case of an empty input eSv of the kernel.
dapp sv sasm ≡
case sv of
SendSuccess ⇒
inc pcs (write result SendSuccess sasm)
| RecvSuccess val ⇒
inc pcs
(write result (RecvSuccess val)
(write msg sasm val))
| InvPtrResponse ⇒
inc pcs (write result InvPtrResponse sasm)
| InvalidMsgNr ⇒
inc pcs (write result InvalidMsgNr sasm)
| eSv ⇒ dasm sasm | ⇒ inc pcs sasm
Predicates. The validity predicate is validapp constrains a state-space type of an ap-
plication model to the well-formed states. For the assembly semantics, these constraints
are defined in the predicate is valid asm. Furthermore, we require two more proper-
ties for assembly applications. The system is in user mode i. e., ¬ is system mode sasm.
Moreover, the application has either no allocated memory (i. e., its page table length
equals −1) or the number of allocated pages is less than TVM MAXPAGES. Formally,
we define:
is validapp sasm ≡ is valid asm sasm ∧ ¬ is system mode sasm ∧
−1 ≤ sasm.sprs ! PTL < int TVM MAXPAGES
After power-up, the initial state of an assembly process is uniquely determined by
the memory image img on the one hand and the application size in pages on the other
hand (pages). The definition of a function that computes the initial state with these
parameters is given below:
93
4 Formal Specification of an ECU
init asm img pages ≡
(|dpc = 0, pcp = 4, gprs = replicate 32 0,
sprs = replicate 32 0[PTL := to int32 pages − 1, MODE := 1],
mm = λad . if ad < |img | then img ! ad else 0|)
The function init asm sets the program counters to the start addresses in the memory.
The mode register MODE is set to 1 indicating that the application runs in user mode.
The register PTL holds the intended size pages of the application, so that sizeapp (init
asm img pgs) = pgs. All other registers are set to 0. The image is written at the
beginning of the main memory, the remaining memory cells are filled with 0.
Now, we formalize the initialization predicate for assembly applications by demanding
that the current state has to equal the initial one:
is initapp img pgs sasm ≡ sasm = init asm img pgs
Application Size. The application size sizeapp is simply specified as:
sizeapp sasm ≡ mm size sasm
Validity. All the definitions presented previously specify a model for assembly applica-
tions. We now prove that this specification is valid, indeed.
Theorem 4.3 (Validity of the Assembly Application Model). The presented assembly
application model is valid.
Proof. We formally show that the assembly application model fulfills all 11 validity rules
presented in Section 4.2.1. The successor states of transitions with the input sv = Fin-
ishSuccess or sv = Continue simply differ in their program counters. According to
the definition of valid assembly states these have to be 32-bit naturals. After increasing
the program counters, they remain 32-bit naturals. Hence, axiom (valid succ finish) and
axiom (valid continue) hold. Transition functions that increase the program counters
and additionally update the result register of an application have the inputs sv = Send-
Success, sv = InvalidMsgNr or sv = InvPtrResponse. We have learned that the
increasing of the program counters does not harm the validity predicate of assembly
applications. The remaining requirements concern the general purpose registers: We
know that an update does not change the length of the register file but its content.
All result values are 32-bit integers so that an update does not violate validity. Thus,
we showed the rules (valid success), (valid inv msgnum) and (valid inv pointer). Axiom
(valid success msg) assumes that the application requests to send a message to the op-
erating system. According to the output definition this message is stored in the main
memory of the application. The argument holding the message extracted from the main
memory has the required length and all message values are 32-bit integers. Receiving a
message which fulfills validity constraints preserves the wellformedness of the successor
state according to the considerations we made before (axiom (valid succ recv)). Axiom
(valid step) holds by applying a lemma of Alexandra Tsyban stating that validity is pre-
served under all assembly transitions. Due to the assumptions on the parameters pages
94
4.2 Application Abstraction
and img , we can conclude (valid initial) directly by examining the definition of asm
init. Finally, axiom (init app size) follows directly from the definition of function sizeapp
and axiom (delta app size) holds naturally since neither our operating system nor the
application itself changes the register PTL that stores the memory size.
4.2.3 C0 Applications
C0 applications extend the sequential C0 language. Recall that we introduced a special
library including functions to permit communication between an application and the
operating system. In this subsection, we describe in more detail how the model of a C0
application is defined.
C0 States. In contrast to assembly applications, we cannot reuse the state of the
sequential C0 semantics. The sequential transition function is partial i. e., the transition
function dC0 returns ⊥ in case of a programming error like null-pointer dereferencing.
Note that this is also the case for dC0. In order to keep track of such errors, we extend
the state of the sequential semantics by ⊥. In the remainder, we use SC0 for a C0
application state that is either empty or consists of a non-empty C0 monolithic state
bsC0c. As we defined in Section 2.3, the sequential program state is kept in a record
component sC0.pstate that includes the current memory state sC0.pstate.mem on the one
hand, and the program rest sC0.pstate.prog on the other hand. Moreover, we keep the
static program definition i. e., the function table sC0.ftab and the type table sC0.ttab
within the application state.
Finally, we extend the state by a component c0 pages sC0 that stores the memory size
of the application. We use this information to justify the memory sufficiency which is
an implicit assumption of the sequential C0 semantics. Summarized, our C0 application
state comprises the following components:
• the program state sC0.pstate,
• the function table sC0.ftab,
• the type table sC0.ttab and,
• the application memory size c0 pages sC0
Output Function. Before we present the output function wapp, we define an auxiliary
function get output. We use this function to distinguish between our system calls and
’ordinary’ function calls and to generate the corresponding output. get output takes
three parameters: the function name fn, the parameter list es and a non-empty mono-
lithic C0 state sC0. Formally, we define:
get output fn es sC0 ≡
if fn = “olosExFinish” then ExFinish
elsif fn = “olosSendMsg” ∨ fn = “olosRecvMsg”
then let msgval = c0 eval sC0 (Deref (es ! 0));
msgnum = c0 eval sC0 (es ! 1)
in if msgval = ⊥ ∨ msgnum = ⊥ then StuckErr
95
4 Formal Specification of an ECU
elsif fn = “olosSendMsg”
then SendMsg (struct2intlist dmsgvale)
dmsgnume
else RecvMsg dmsgnume
else eW
The function distinguishes between the different system call function names and re-
turns the corresponding output. When the application wants to exchange messages with
the operating system, the parameter list consists of two elements: Its first value (es !
0) holds the message pointer and the second one (es ! 1) stores the message number.
The evaluation functions c0 eval evaluate both parameters and return an optional data
value. When the evaluation fails or the returned data slice is not initialized the func-
tion returns ⊥. Otherwise, it returns the value of the evaluated data slice. Note that
the evaluation function c0 eval of the dereferenced message pointer returns directly the
value of the message. When one of these evaluations fails, the return value is given by
⊥ and the output is set to StuckErr. Otherwise, the outputs to the operating system
include additional arguments: In case of a send request, the parameters are the message
(converted from its special C0 format to a plain integer list with fixed length) and the
message number. The receive request, on the contrary, simply returns the evaluated
message number to the operating system. All function names that differ from the names
of the system call functions are treated as ordinary function calls. Hence, function get
output returns eW.
Now, we embed get output into the overall output function wapp. This function takes
an application state and returns an output value. Recall that an empty state SC0 = ⊥ in-
dicates that a runtime error has occurred in the computations before. When the function
gets an empty state ⊥, the application has insufficient memory i. e., predicate sufficient
memory does not hold, or the current statement is an inline assembly statement the func-
tion returns output StuckErr. Recall, however, if statements with inlined assembly are
executed in the C0 semantics the compiler-correctness theorem does not hold. Although
there are different techniques to cope with this restriction [GHLP05, ST08], we exclude
inlined assembly in C0 processes. The Olos library has especially been implemented
to circumvent the use of additional assembly code within a C0 program. Otherwise, we
distinguish over all possible current statements. In the case that the current statement is
a function call, we check whether the memory space is also sufficient after extending the
local stack extended stack in mem. wapp returns output StuckErr if the new created
stack frame of the called function fn does not fit into the memory. Otherwise, we apply
function get output in order to compute the corresponding output to the function call.
All remaining statements are ’ordinary’ C0 statements and return output eW in order
to perform a local step. Formally, the overall output function of C0 applications are
defined as follows:
wC0 SC0 ≡
case SC0 of ⊥ ⇒ StuckErr
| bcc ⇒
96
4.2 Application Abstraction
if sufficient memory (c0 pages c · PAGE SIZE) c .ttab c .ftab
c .pstate ∧
¬ is Asm (fst stmt c .pstate.prog)
then case fst stmt c.pstate.prog of
SCall lv fn ps sid ⇒
if extended stack in mem c fn then get output fn ps c
else StuckErr
| ⇒ eW
else StuckErr
Note that all failures lead to one unique output - StuckErr. C0 programs neither
return an error code nor continue with the next instruction when it fails in computing.
Whenever an error occurs, the program gets stuck.
Transition Function. Whenever an application uses a system call in order to commu-
nicate with the operating system, the current statement is a function call. The effects of
a system call function depend on the particular function name. Similar to the assembly
model, there are three possible distinct modifications on an application state. Below, we
define three seperate functions to specify the effects on C0 application states:
1. Writing a message into the applications memory.
When an application receives a message, the changes can be encapsulated in a
function receiving. This function takes the current application state and the mes-
sage value msg and returns an optional successor state. If this function gets an
empty state or the current statement is not a function call, it returns an empty
state. Otherwise, it updates the memory with a data slice (recall Section 2.3),
that has an aritrary left value, is initialized, and contains a message value with
the corresponding type. The message is stored on the address that is given by the
left value of the evaluated dereferenced pointer variable. This may be either in the
global or the heap memory. Formally:
receiving SC0 msg ≡
let⊥ sC0 = SC0
in case fst stmt sC0.pstate.prog of
SCall lv fn es sid ⇒
let⊥ m = mem update sC0.ttab sC0.pstate.mem
devalm sC0 (Deref (es ! 0))e.ds lval
(|ds lval = default, ds type = TYPE Message Struct ′ty,
intermediate = True, ds initialized = True,
ds data = msg |)
in bsC0(|pstate := sC0.pstate(|mem := m|)|)c
| ⇒ ⊥
2. Setting the result variable
At the end of a function call, the result value is stored in the left variable. Function
97
4 Formal Specification of an ECU
set result takes an input sv and the current application state and computes the
successor state with an updated left variable value. An empty application state
will be returned unchanged. Otherwise the function uses set primres to update the
left variable with the integer result value that is determined by the input sv. The
address of the left variable of the called function is either located in the global
memory or the former top most local memory frame (i. e., before the function has
extended the stack). If this update fails, function set result returns ⊥ otherwise it
updates the memory of the application. We define function set result as follows:
set result sv SC0 ≡
let⊥ sC0 = SC0; m = set primres (Intg (result value int sv)) sC0
in bsC0(|pstate := sC0.pstate(|mem := m|)|)c
3. Deleting the system call
After the execution of a function, the first statement of the program has to be
deleted in order to compute the next statement. Therefore, we define a function
del syscall that simply replaces the system call in the list of remaining statements
by a SKIP instruction. An empty application state is returned unchanged. For-
mally:
del syscall SC0 ≡
let⊥ sC0 = SC0
in bsC0(|pstate := sC0.pstate(|prog := rm scall sC0.pstate.prog|)|)c
The transition function of C0 applications is defined as a case distinction over the input
sv. When the application receives a message from the operating system, it consecutively
calls the functions receiving, set result and del syscall. Note that a message coming from
the operating system as a list of integer values has to be converted back into the message
format of C0 applications. A successful message transfer to the operating system (sv =
SendSuccess) and after the call olosExFinished (sv = FinishSuccess), we update the
left variable of the function call with 0, in case of an invalid message number with − 1.
All C0 statements except the system call functions (indicated by an empty input: sv =
eSv) use the monolithic transition function. All remaining inputs indicate runtime errors
and return the empty state ⊥. The transition function is formally given by:
dapp sv SC0 ≡
case sv of SendSuccess ⇒ del syscall (set result SendSuccess SC0)
| RecvSuccess val ⇒
del syscall
(set result (RecvSuccess val)
(receiving SC0 (intlist2struct val)))
| FinishSuccess ⇒ del syscall (set result FinishSuccess SC0)
| InvalidMsgNr ⇒ del syscall (set result InvalidMsgNr SC0)
| eSv ⇒ dC0m dSC0e
| ⇒ ⊥
98
4.2 Application Abstraction
Predicates. Before we introduce the predicates is validapp and is initapp of the C0 ap-
plication model, we first specify a condition that has to hold in both of them. In order
to figure out whether an assembly memory image can be abstracted to a C0 application,
we need to know exactly how the library functions of our system calls are implemented.
We specify a predicate for each system call function that holds, when the corresponding
function and its precise function definition belong to the function table.
Recalling the implementation of the system call functions Section 3.4, we know that
function ExFinish e. g., has neither function parameters nor local variables. The return
type of all our system call primitives is a signed 32-bit integer. The function body
consists of a composition of two statements - a single inline assembly instruction and a
return statement. The former is simply the trap instruction calling the kernel. The
return statement directly passes integer value 0 to the calling application, where Prim
(Intg 0) is a primitive value. ExFinish in ft holds when there are two statement identifiers
so that function “olosExFinish” and its precise function definition belong to the function
table. Formally:
ExFinish in ft ft ≡
∃sid sid ′.
(“olosExFinish”,
(|body =
Comp (Asm [trap 0] sid) (Return (Lit (Prim (Intg 0))) sid ′),
params = [ ], rettype = Integer, stack vars = [ ]|))
∈ set ft
From the calling interface of function olosRecvMsg, we already know that it has two
parameters, a pointer named “pmsg” to the message of type “TYPE Message Struct” and
a message number with name “mn” which is an unsigned 32-bit integer. Furthermore,
we know that the return type of the function is a signed 32-bit integer. However, this
does not suffice.
We present a predicate RecvMsg in ft which holds when function “olosRecvMsg” and
its precise function definition belong to the function table.
RecvMsg in ft ft ≡
∃sid sid ′.
(“olosRecvMsg”,
(|body =
Comp
(Asm [Ilw 11 30 16, Ilw 12 30 20, trap 2, Isw 22 30 24] sid)
(Return (VarAcc “result”) sid ′),
params = [(“pmsg”, Ptr “TYPE Message Struct”), (“mn”, UnsgndT)],
rettype = Integer, stack vars = [(“result”, Integer)]|))
∈ set ft
Additionally, to the function parameters and the return type, we learn that this func-
tion obtains exactly one local variable that is called “result” and is a signed 32-bit integer.
99
4 Formal Specification of an ECU
Furthermore, the function body consists of a composition of two statements - a portion of
inlined assembly code and a return statement. Except the annotation and the statement
identifiers, the statements are accurately defined. Predicate SendMsg in ft is almost
identical to RecvMsg in ft, it only differs in the trap number.
Finally, predicate libolos included summarizes all declarations of the library functions
together with the requirement that the message type belongs to the type table. Formally:
libolos included ft tt ≡
(“TYPE Message Struct”, TYPE Message Struct ′ty) ∈ set tt ∧
ExFinish in ft ft ∧ SendMsg in ft ft ∧ RecvMsg in ft ft
The validity predicate is validapp holds either for empty states or holds when states
of the application model fulfill well-formedness constraints. We have taken the validity
predicate valid C0 directly from the sequential semantics. Moreover, we require that the
system call functions should be declared in the system call library. In contrast to In der
Rieden &Tsyban [IT08, IdR09] we do not regard the system-call library and the kernel
code as two distinct programs that can be linked under certain preconditions. Instead,
we already regard the linked C0 program and specify the class of C0 programs that are
compatible with our library. More precisely, this means that the names of all functions
have to be disjoint. Finally, the mainfunction has to be part of the function table.
is validapp SC0 ≡
case SC0 of ⊥ ⇒ True
| bsC0c ⇒
sizeapp SC0 ≤ TVM MAXPAGES ∧
valid C0 sC0.ttab sC0.ftab sC0.pstate ∧
libolos included sC0.ftab sC0.ttab ∧
fst (hd sC0.ftab) = mainfunction
The initialization predicate is initapp subsumes all constraints a state has to fulfill
after power-up. It determines whether the C0 state SC0 is a valid initial state that
can be compiled into the memory image img . The application should have the correct
size which is determined by the number of pages pages. Furthermore, the C0 program
has to be compilable and compatible with the system call library. The state of the C0
program must be initial and the predicate is compilation ensures that the code of the
compiled program is stored in img . Moreover, the address range for the global variables
is initialized with zeros. We describe the predicate formally with:
is initapp img pages SC0 ≡
∃sC0.
SC0 = bsC0c ∧
sizeapp SC0 = pages ∧
libolos included sC0.ftab sC0.ttab ∧
(∃gms.
is compilable sC0.ttab sC0.ftab gms ∧
100
4.3 Abstract ECU Automaton
bsC0.pstatec = initial conf sC0.ftab gms ∧
is compilation sC0.ttab sC0.ftab gms img)
Application Size. The application size sizeapp returns 0 for empty states and component
c0 pages sC0 otherwise. Formally:
sizeapp SC0 ≡ case SC0 of ⊥ ⇒ 0 | bsC0c ⇒ c0 pages sC0
Validity. So far, the definitions above specify a model for C0 applications. Validity of
this model is given, when all rules presented in Section 4.2.1 can be discharged.
Theorem 4.4 (Validity of the C0 Application Model). The presented C0 application
model is valid.
Proof. The proofs of all 11 axioms are in principle similar to the proofs of assembly
applications. Axioms (valid inv pointer) and (valid continue) are very simple. According
to their input values the transition function sets the successor state of the C0 application
to the error state ⊥. This state is valid due to the definition of is validapp. The next
proofs benefit from the fact that neither the type and function table nor the application
size change under the used functions. The axioms concerning the application size ((init
app size), (delta app size)) directly follow from the definition is initapp and this fact.
Axiom (valid initial) more or less requires to unfold the definitions of the predicates.
The preservation of validity after an ’ordinary’ C0 small-step transition is given by
theorem 5.17 of [Lei08]. The remaining axioms concerning the system calls demand in
priciple that none of the state updating functions leads to the error state. Moreover, the
current statement is not modified during these executions. Summarizing, we can say that
valid memory updates and the replacing of the first statement of the program list into
a SKIP statement do not harm the validity of a C0 state. In a nutshell, the correctness
of the message format results from the type correctness of the function parameters and
the definition of the convertion functions.
4.3 Abstract ECU Automaton
In this section, we consider the abstract automaton describing the behaviour of the
entire ECU. Basically, the ECU consists of two different components - a processor with
a running operating system and several applications on the one hand, and the ABC
device on the other hand. Furthermore, we introduce predicates in order to constrain
ECU states and relate our ECU model to the distributed model of Steffen Knapp.
ECU State and Transition Function. First, we present the abstract ECU automaton
together with its transition function. A state of the ECU model is defined by the
following components:
• an application mapping secu.AM,
• the message buffers secu.MBa,
101
4 Formal Specification of an ECU
• an idle flag secu.idleflag and,
• the ABC device secu.abc dev
The application mapping secu.AM is a mapping from process identifiers to an abstract
application type. Hence, we can instantiate the ECU model with one of the specified valid
application models (either C0 or assembly applications). The message buffers secu.MBa
are modelled as a list of integer lists, and an idle flag (secu.idleflag) abstracting whether
an application or the kernel is running. Furthermore, we literally embed the state of
the ABC automaton Section 4.1 into our state (secu.abc dev). We modelled the abstract
ECU state as slim as possible by eliminating redundant information. Therefore, a lot of
informations can be extracted from the ABC state such as the current slot number, the
sending permission table, the send flag or the number of slots per round.
In Figure 4.4, the state diagram of the ECU automaton, it is possible to recognize the
transition phases of a slot as sketched in Figure 3.2 on page 60. The states recv and
send in the diagram directly correspond to the beginning of the receive phase and the
send phase. During the compute phase within one slot, the automaton is in one of the
states comp, idler, and idles. Finally, the device communication is depicted by elmsg.
idlerinit
send
idles
comp
recv
elmsg
read
sp+ ∧ e↓timer
sp+ ∧ ExFin
¬ sp+
∧ ExFin
e↓timer
write
¬ sp+ ∧
elmsg
¬ExFin
Figure 4.4: State diagram for the ECU
In the ECU specification, we abstract from the initialization phase after power-up.
The initial state is idler, where the ECU awaits an input from the environment. The
corresponding transition resembles the device-communication phase.
Symbolic names secu.abc dev.INT secu.abc dev.SF secu.idleflag
idler False False True
recv True False *
comp False * False
idles False True True
send True True *
Figure 4.5: Automaton states related to their flag combination
102
4.3 Abstract ECU Automaton
idler recv comp idles send
secu.abc dev.INT
secu.abc dev.SF
secu.idleflag
elmsg exFin e↓timer
Figure 4.6: Timing diagram of ECU components
The device communication elmsg triggers a new slot and the ECU changes to the
receive state (recv). Recall that the current slot number which is part of the ABC
device is directly increased during this transition Section 4.1. In the implementation,
however, Olos sets its corresponding current slot variable not until the receive phase.
In this state, the ABC’s interrupt is raised and its send flag is not set. The transition
labelled read represents the actual receive phase, where Olos reads the ABC’s receive
buffer into its message buffer and instructs the ABC to clear its interrupt. Furthermore,
the send flag is set to the value of sp+ (the ECU’s send permission in the next slot).
Immediately afterwards, the ECU is in the compute state comp. The idle flag as well
as the ABC’s interrupt flag are cleared. There are several transitions possible from this
state. All transitions involve a computation of the application scheduled by the AST
table. If there is no external event and the application does not issue an olosExFinished
call, the ECU remains in the comp state. In case of an olosExFinished call, the idle flag
is set and the ECU descends into an idle state, idles or idler, depending on the send
permission in the next slot, i. e., the value of the previously set send flag. If an external
event (inputs elmsg or e↓timer) occurs, the interrupt line is raised. An external event
during the comp state means that the application has exceeded its worst-case execution
time. The ECU reacts just as if it had been in an idle state: If the ECU has the send
permission in the next slot, it proceeds to the send state, otherwise to the receive state.
Finally, if the ECU is in the send state, the transition labeled write describes the send
phase, where Olos writes the content of a message buffer to the ABC’s send buffer,
resets the send flag, sets the idle flag, and finally requests the ABC to clear its interrupt.
Figure 4.6 presents the interrupt flag secu.abc dev.INT, the send flag secu.abc dev.SF
and the idle flag secu.idleflag of an ECU state secu during one slot. In this szenario we
assume that the ECU has the sending permission and the current scheduled application
terminates before the timer interrupt e↓timer occurs. The timing diagram depicts for
a certain case how the states are related to the flag combination (cf. Table 4.5 on the
preceding page).
103
4 Formal Specification of an ECU
idle r(a)
(b)
(c)
recv comp idle r recv
idle r recv comp recv
idle rd read idle rd read
ECU without sending permission
idle r recv comp idles send idle r
idle r recv comp send idle r
idle rd read idlew write idle rd
ECU with sending permission
elmsg e↓msg elmsg e↓timer e↓timer
Figure 4.7: Relation of ECU and ABC model
Note that the ECU automaton refines the ABC automaton since its device component
is an ABC state. We can relate every state of the ECU model to a corresponding one
of the ABC model. Figure 4.7 depicts the state relation between the ECU and the
ABC automaton. The columns distinguish between the sending permission and the
rows illustrate (a) an ECU slot execution with application termination, (b) an ECU
slot execution with deadline violation and, (c) a slot execution from the view of the
ABC model. The dotted lines represent the transition after system call olosExFinished
has been invoked, the dashed lines show the transitions where the processor clears the
interrupt line of the ABC device. Finally, external events trigger either the start of a
new slot or the beginning of the send phase.
Before we formalize the transition function of the abstract ECU automaton, we first
present some functions defining individual transitions. In the following definitions, we
use the functions next and prev in order to compute the next and previous current
slotnumber (modulo SLOTCOUNT).
We specify function Recv Phase encapsulating the behaviour of the ECU in the receive
phase. The function gets a pair of scheduling tables (AST, BT) and the current ECU
state secu and returns the successor state s ′ecu.
Recv Phase (AST, BT) secu ≡
let abc = secu.abc dev; csn = abc.CSN; msgnum = BT ! prev csn
in secu
(|MBa := secu.MBa[msgnum := last abc.RB], idleflag := False,
abc dev := abc(|INT := False, SF := read sendl abc (next csn)|)|)
First, we extract the current slot number from the ABC and compute the entry of
the buffer index table of the previous slot. This number determines the message buffer
that stores the message broadcast on the bus in the previous slot. Now, we can copy the
content of the processor visible receive buffer last abc.RB into the message buffer and
disable the idle flag. Finally, we update the ABC state by clearing the interrupt flag
104
4.3 Abstract ECU Automaton
and setting the send flag to the value of the next slot according to the send-permission
table (stored in an ABC configuration register).
In the ECU automaton transition write describes the send phase. We express the
effects of this transition in function Send Phase. Again, this function takes the appli-
cation scheduling table and the buffer index table as a pair (AST, BT) additionally to
the current state. The successor state s ′ecu after the execution of the send phase Send
Phase is formalized in Isabelle/HOL as follows:
Send Phase (AST, BT) secu ≡
let abc = secu.abc dev; msgnum = BT ! next abc.CSN
in secu
(|idleflag := True,
abc dev := abc(|SB := abc.SB[0 := secu.MBa ! msgnum], INT := False,
SF := False|)|)
Similar to the receive phase, we first compute the number of the message buffer. This
time, we increase the current slot number since we want to read the buffer storing the
message that will be broadcast in the next slot. Then, we enable the idle flag. In
the device component, the function disables the interrupt and the send flag and copies
the entire message from the selected message buffer to the processor visible ABC send
buffer (recall that hd sabc.SB = sabc.SB ! 0 holds). Note that we manipulated the device
component directly instead of using the ABC device transition. Hence, this allows to
read the functions more easily and presents their effects readily comprehensible.
When the ABC device raises its interrupt flag before the idle flag is set, the current
executed application has exceeded its worst-case execution time. The ECU handles this
deadline violation with function Comp DL Violation which is executed before the receive
or send phase are started as usual. The successor state s ′ecu will be computed from the
current state secu and the pair of tables (AST, BT).
Comp DL Violation (AST, BT) secu ≡
let procnum =
if secu.abc dev.SF then nat2pid (AST ! secu.abc dev.CSN)
else nat2pid (AST ! prev secu.abc dev.CSN);
app = secu.AM procnum
in case wapp app of StuckErr ⇒ secu
| eW ⇒ secu(|AM := secu.AM(procnum := dapp eSv app)|)
| ⇒ secu(|AM := secu.AM(procnum := dapp Continue app)|)
This function first determines which application has been executed until the timer
interrupt occured. Therefore, it examines the entries of the application scheduling table
AST. When the send flag is set, the interrupt signals the start of a send phase and we
use the AST entry for the current slot number. Otherwise, the application had been
interrupted when a new slot started and the slot number in the ABC device had already
been increased. Hence, the interrupted application corresponds to the AST entry in
the previous slot. Then, we examine the output function of the interrupted application
105
4 Formal Specification of an ECU
wapp app. The ECU state remains unchanged when the output is StuckErr. An
empty output eW permits the application to perform a last local step. Otherwise, the
application executes a transition with input Continue.
As long as no external event occurs (i. e., e↓timer or elmsg) in the comp state, we are
in the compute phase. During this phase, the currently scheduled application is executed
and may exchange messages with the operating system. When the application signals
its termination with ExFin, we can add the idle states to the compute phase, too. In
this phase, only the currently scheduled application and the message buffers are involved
whereas the other ECU components remain unchanged. Hence, we formulate a transition
dcc that simply takes a single application state on the one hand and the message buffers
on the other hand. The function recognizes the output of the application and computes
a corresponding input:
dcc (sapp, mb) ≡
case wapp sapp of
SendMsg msgval msgnum ⇒
if msgnum < MSGCOUNT
then (dapp SendSuccess sapp, mb[msgnum := msgval ])
else (dapp InvalidMsgNr sapp, mb)
| RecvMsg msgnum ⇒
if msgnum < MSGCOUNT
then (dapp (RecvSuccess (mb ! msgnum)) sapp, mb)
else (dapp InvalidMsgNr sapp, mb)
| ExFinish ⇒ (dapp FinishSuccess sapp, mb)
| InvPtrErr ⇒ (dapp InvPtrResponse sapp, mb)
| StuckErr ⇒ (sapp, mb)
| Undefined Trap ⇒ (dapp Continue sapp, mb)
| eW ⇒ (dapp eSv sapp, mb)
In the case that the output of the current application denotes a system call, the
operating system reacts with the corresponding response. The application may request
to exchange messages with the operating system wapp sapp = SendMsg msgval msgnum
∨ wapp sapp = RecvMsg msgnum. The kernel checks whether the message number
indicates an existing message buffer and either handles the system call or returns an error.
When the application sends a message, it is written in the corresponding message buffer.
The application may also signal the termination of its execution wapp sapp = ExFinish.
Olos handles this call with dapp FinishSuccess sapp. This transition function cannot
change the idle flag so that we postpone this component manipulation and change it into
an extra function that embeds the extracted state into an entire ECU state. When the
output of the application is empty eW, it performs a local step. The other cases are error
cases: Output StuckErr returns the former state, and continue error Undefined
Trap and invalid pointer InvPtrErr are handled from the application depending on
the used model (C0 program or Vamp assembly).
Finally, we embed the extracted successor state of function dcc into a function Com-
pute Phase. This function takes an entire ECU state secu and the pair of tables (AST,
106
4.3 Abstract ECU Automaton
BT) to return the successor state s ′ecu. We use function current pid to select a process
identifier from the application scheduling table in the current slot:
current pid (AST, BT) secu ≡ nat2pid (AST ! secu.abc dev.CSN)
Moreover, function current proc encapsulates the state of the currently scheduled appli-
cation:
current proc (AST, BT) secu ≡ secu.AM (current pid (AST, BT) secu)
Function Compute Phase applies function dcc on the selected current application and
the message buffers. Then, it updates the involved components with the result of function
dcc. At this place, we raise the idle flag of the operating system, when an application
signals its termination (i. e., “olosExFinish” is called). The successor state s ′ecu of the
compute phase can be obtained by executing function Compute Phase with a pair of
tables (AST, BT) and the current ECU state secu:
Compute Phase (AST, BT) secu ≡
let procnum = current pid (AST, BT) secu;
app = current proc (AST, BT) secu
in secu
(|AM := secu.AM(procnum := fst (dcc (app, secu.MBa))),
MBa := snd (dcc (app, secu.MBa)),
idleflag := if wapp app = ExFinish then True else secu.idleflag|)
All presented functions formalizing the receive, compute and send phase involve the
operating system Olos. We collect these internal changes into one transition called
dolos. The transition takes the current ECU state secu and the pair of scheduling tables
(AST, BT) to determine the successor ECU state s ′ecu. In the following formulae, we
abbreviate the scheduling table pair (AST, BT) with J on higher abstraction layers
(where their access is not visible any more). In case of an enabled interrupt flag of the
ABC device the function decides on the ABC’s send flag whether the ECU enters the
receive or the send phase. When it detects a deadline violation (i. e., ¬ secu.idleflag),
function Comp DL Violation is applied before handling this case. With a disabled ABC
interrupt it depends on the ECU’s idle flag whether the ECU is in the compute phase
(i. e., ¬ secu.idleflag) or simply waits (i. e., secu.idleflag). Formally, we define:
dolos J secu ≡
if secu.abc dev.INT
then let ecu ′ =
if secu.idleflag then secu
else Comp DL Violation J secu
in if ecu ′.abc dev.SF then Send Phase J ecu ′
else Recv Phase J ecu ′
elsif ¬ secu.idleflag then Compute Phase J secu else secu
107
4 Formal Specification of an ECU
So far, we have neglected the transitions relying on the external input that only change
the device component of the ECU state. The entire transition function of our abstract
ECU automaton is formalized in function dECU. This transition function takes the pair
of scheduling tables denoted with J, an optional external input eifi and the current ECU
state secu. We distinguish processor computation in case of an empty input (eifi = ⊥)
from external devices steps (eifi = bic). Recall that the transition function of the ABC
deabc has been introduced in Section 4.1. When the external input is empty, we apply
function dolos, otherwise we update the ECU’s device component with the successor state
of the extrnal ABC transition. Thus, the definition of the ECU transition function in
Isabelle/HOL is given as follows:
dECU J eifi secu ≡
case eifi of ⊥ ⇒ dolos J secu
| bic ⇒ secu(|abc dev := fst (deabc i secu.abc dev)|)
Predicates on ECU States. We restrict the scheduling tables and our ECU states by
several constraints that should hold directly after initialization or after all transitions of
the automaton. We introduce some predicates that encapsulate these requirements.
The application scheduling table AST and the buffer index table BT are called valid,
when predicate valid tables holds. Both tables should have SLOTCOUNT entries with
meaningful interpretations i. e., the application scheduling table AST only contains de-
fined application identifiers whereas the buffer index table BT includes indices to existing
message buffers. Formally:
valid tables (AST, BT) ≡
|AST| = SLOTCOUNT ∧
|BT| = SLOTCOUNT ∧
(∀i<|AST|. 0<AST ! i ∧AST ! i ≤ PROCCOUNT) ∧ (∀i<|BT|. BT ! i <MSGCOUNT)
A valid message buffer consists of MSGCOUNT buffers which store messages in a well-
defined format i. e., they have length MSGLENGTH and each value is a signed 32-bit
integer. We encapsulate these requirements in the predicate is valid MB:
is valid MB mb ≡
|mb| = MSGCOUNT ∧ (∀mn<MSGCOUNT. is valid intlistMsg (mb ! mn))
The definition of a valid abstract ECU state is given in predicate is validStatea. We
require that all applications, message buffers and the ABC device are valid. Moreover,
the current slot number has to be less than SLOTCOUNT. The validity predicate for an
abstract ECU state is given below:
is validStatea secu ≡
(∀pid . is validapp (secu.AM pid)) ∧
is valid MB secu.MBa ∧
secu.abc dev.CSN < SLOTCOUNT ∧ is valid ABC secu.abc dev
108
4.3 Abstract ECU Automaton
Right after initialization, the ECU state has to be valid, the ABC device is initial and
the idle flag is enabled. An ECU state satisfying these constraints, is called initial and
the following predicate is initStatea holds:
is initStatea secu ≡
is validStatea secu ∧ is initial ABC secu.abc dev ∧ secu.idleflag
Equality of Device Manipulations. In the transition functions dealing with device
communication i. e., Recv Phase and Send Phase we directly manipulated the device
component instead of using the transition function dabc. This was simply done for a
better readability of the functions. Here, we want to justify that the presented device
manipulations of the ECU model are equal to the effects of multiple executions of the
ABC internal transition function.
The first lemma states that the content of the updated message buffer after the re-
ceive phase equals the output list to the operating system that is computed by multiple
executions of the ABC internal transition. More specifically, the multiple internal ABC
transitions include a read request followed by a clearint command of the processor.
Lemma 4.5 (Equal Messages after Receive Phase and Multiple Internal ABC Transi-
tions). We assume that the current ECU state is valid i. e., is validStatea secu, the send-
flag is not set ¬ secu.abc dev.SF and the tables are valid valid tables (AST, BT) Then,
the updated message buffer after the receive phase equals the content of the processor-
facing ABC receive buffer after a read request followed by a clear-interrupt command of
the processor.
(Recv Phase (AST, BT) secu).MBa ! (BT ! prev secu.abc dev.CSN) =
map to int32
(fst (snd (dm∗abc (map (λport. (|mifi rd = True, mifi wr = False, mifi a = port,
mifi din = default|))
[RECV PORT..<RECV PORT + MSGLENGTH])
secu.abc dev)))
Proof. After the receive phase the content of the updated message buffer equals the
message stored in the processor-facing receive buffer. Hence, we prove by induction that
the multiple read request of the operating system returns exactly this message. The
internal ABC transition function dmabc returns in case of a read request on a valid port
the message value stored in the processor-facing receive buffer at exactly this address.
Hence, reading sequentially all port addresses up to the length of the message returns
exactly the required message.
Furthermore, the effects of the receive phase and the internal ABC transition on the
ABC component are equal.
Lemma 4.6 (ABC Equality after Receive Phase Execution and Multiple Internal ABC
Transitions). We assume that the current ECU state is valid i. e., is validStatea secu and
109
4 Formal Specification of an ECU
the sendflag is not set ¬ secu.abc dev.SF Then, the ABC state after the execution of the
receive phase equals the ABC state after multiple internal ABC transitions where Olos
requests to read a message and writes the clear interrupt command afterwards.
(Recv Phase J secu).abc dev =
fst (dm∗abc (map (λport. (|mifi rd = True, mifi wr = False, mifi a = port,
mifi din = default|))
[RECV PORT..<RECV PORT + MSGLENGTH] }
[(|mifi rd = False, mifi wr = True, mifi a = COMR PORT,
mifi din = CLEARINT COM|)])
secu.abc dev)
Proof. The read request of the internal ABC transition does not change the ABC state,
whereas the transition performs a write access to clear the interrupt line of the ABC
device. The lowered send flag indicates that we have to raise the interrupt and set the
send flag to the sending permission table SPT entry of the next slot. By unfolding the
definitions of the receive specification and the internal ABC transition function dmabc we
obtain exactly that.
Finally, the effects of the send phase and multiple internal ABC transitions on the
ABC component are equal. The multiple internal ABC transitions encapsulate the
write request of the processor on the one hand and the sending of the clearint command
on the other hand.
Lemma 4.7 (ABC Equality after Send Phase Execution and Multiple Internal ABC
Transitions). Assuming that we have well-formed scheduling tables i. e., valid tables
(AST, BT), the current state is valid i. e., secu.abc dev.SF and its send flag is raised
i. e., is validStatea secu. Then, the ABC state after the execution of the send phase equals
the ABC state after multiple internal ABC transitions where Olos requests to write a
message and sends the clear interrupt command afterwards.
(Send Phase (AST, BT) secu).abc dev =
fst (dm∗abc (map (λ(p, d). (|mifi rd = False, mifi wr = True, mifi a = p, mifi din = d |))
(zip [SEND PORT..<SEND PORT + MSGLENGTH]
(map to nat32 (secu.MBa ! (BT ! next secu.abc dev.CSN)))) }
[(|mifi rd = False, mifi wr = True, mifi a = COMR PORT,
mifi din = CLEARINT COM|)])
secu.abc dev)
Proof. The write request of the processor only changes the send buffer of the ABC
device. We prove that the word-wise update of the send buffer equals the direct update
by induction. The clear interrupt command only manipulates the interrupt flag and the
send flag of the device. Both values are set to False since the send flag of the ECU was
raised. Hence, the manipulations of the ABC device after a send phase are equal to the
effects after we have applied dm∗abc with the corresponding processor inputs.
110
4.3 Abstract ECU Automaton
4.3.1 Excursion: Towards a Distributed OLOS Model
In our thesis, we focus on the behaviour of a single ECU whereas Steffen Knapp con-
siders a system of ECUs connected by an automotive bus in his thesis [Kna08]. For
various reasons, his formalization of a single ECU slightly differs from ours. This sec-
tion illustrates the differences and presents a simulation proof that formally links both
models.
First, the partition of transition phases is a little different. More specifically, Knapp
considers global and local transition phases. Local transitions encapsulate all ECU-local
computations i. e., reading and writing the ABC buffer and executing the scheduled
application. The local receive, compute and send phase of Steffen Knapp’s thesis can
be related to our receive, compute and send phase. Note that the local computations
are individual for every ECU. Knapp abstracts all local transitions that are sequentially
executed within one slot into one big transition which is called global compute. Similarly
to the local structure, he defines a global receive and send transition phase, where the
automotive bus is involved. In principle, he splits our device-communication phase into
two phases where the ECU’s read or write accesses on the bus are strictly separated.
Table 4.4 relates both phase distributions.
Knapp Schmidt
global send
DevComm
global recv
global comp
local recv Recv
local comp Comp
local send Send
Table 4.4: Model phases
Knapp Schmidt
RB last sabc.RB
SB hd sabc.SB
oldm hd sabc.RB
newm last sabc.SB
Table 4.5: Buffer Relation
Second, Knapp abstracts the buffer pairs from the implementation (see Section 3.1) to
one buffer in the ECU-local ABC component and two global message buffers oldm and
newm. For the duration of the global compute phase, we relate the buffer components as
shown in Table 4.5: The processor-facing buffers in our model relate to Knapp’s receive
RB and send buffer SB component. The old global message oldm is stored in the bus-
facing receive buffers of our model, and the new global message newm can be found in the
bus-facing send buffer of the sending ECU. For the distributed model, Knapp’s approach
avoids redundancies because in the implementation, each ECU contains its own copy of
the broadcast messages, which are identical if we assume an ideal bus. Nevertheless, we
need pairs of buffers in our single ECU model in order to reason about computations over
slot boundaries. Otherwise, we could not model the delay in the message transmission
(see Figure 3.3 on page 61).
Furthermore, Knapp’s model has stronger assumptions about the implementation.
Most notably, his model cannot handle deadline violations and non-terminating pro-
cesses. For our implementation of the Olos kernel we have considered all events that
may occur although they do not conform to desired constraints. Hence, the specification
111
4 Formal Specification of an ECU
is a complete functional description.
Figure 4.8 on the facing page illustrates both models in comparison. The sketch once
more relies on the example with the given scheduling tables Table 3.1 on page 59 in
Section 3.2. At the top, we depicted the transmission delay of a message in our model
using the buffer swapping of the implementation. Below we depict Knapp’s model with
its different phase distribution and the global message buffers. Note that a message
transmission delay in both models takes two slots. We distinguish between different
messages: The one that is broadcast on the bus in slot 2, is denoted with ∗ whereas the
message broadcast before (i. e., slot 1) is labeled with ◦. The message that will be sent
in the next slot (i. e., slot 3) is denoted with •. Note that the message broadcast in the
previous slot ◦ does not appear in our model. In slot 2, however, message ◦ is stored in
all processor-facing receive buffers of our model.
It is clearly recognizable that our send and receive phases equal the local send and
receive phase in the lower model. For the bus communication, we regard both models
in several steps: In the global send phase of slot 1, ECU 1 of the lower model copies the
message into the global buffer newm. The corresponding action in the model above is
the buffer rotation in the device-communication phase in slot 2. In the same phase, the
bus-facing receive buffers are updated with the content of the bus-facing send buffer of
the sending ECU. In Knapp’s model, we relate the bus communication with the message
transfer during slot 2 where the value of the new global message buffer newm is copied
to the old global message buffer oldm. Finally, our model rotates the buffer in slot 3
during the device-communication phase. This corresponds to the receive buffer update in
slot 3 during the global receive phase. Obviously, both models satisfy the transmission
protocol although they deal with different phases and state components. For further
details of the distributed Olos model, we refer the interested reader to the thesis of
Steffen Knapp [Kna08].
Both models focus on different aspects. Knapp concentrates on the device communica-
tion whereas our work considers finite computation traces of a single ECU. Nevertheless,
there is a formal need to relate both models: Knapp [Kna08, chapter 23] reasoned about
the global send and receive phase in his model and left the argumentation about the
global compute phase open for future work. This thesis is concerned with exactly this
gap. Knapp’s modelling of the global compute phase, however, is more abstract than
our formalization. Below, we develop a simulation theorem bridging both formalisms.
If we assume the timely termination of the applications in Knapp’s model, we are able
to relate both models and show simulation for an entire local phase. In other words, the
currently scheduled application current proc J secu executes a certain number n of local
transitions dcc before it signals its termination by calling olosExFinish. Then, function
wapp returns the corresponding output ExFinish. Assuming that the involved message
buffers are valid, Knapp formalizes timely termination of applications as follows:
∀mb. is valid MB mb −→
(∃n. wapp (fst ((dccn) (current proc J secu, mb))) = ExFinish)
Note that for the duration of the local transitions, only the processor-facing buffers
are involved. Thus, the buffers facing the bus can be neglected. The abstraction from
112
4.3 Abstract ECU Automaton
Slot 1
Phase Send
ECU1
MB
SB 0
SB 1
∗
bus
ECU1
2
Device Communication
SB 1
SB 0
RB 1
RB 0
∗ ∗
ECU2
RB 1
RB 0
∗
Device Communication Receive
3
ECU1
RB 0
RB 1
•
ECU2
SB 0
SB 1
RB 0
RB 1
• •
ECU1
MB
RB 0
RB 1
∗
ECU2
MB
RB 0
RB 1
∗
ECU1
local
send
MB
SB
∗
newm
oldm
ECU1
global
send
SB
newm
oldm
∗
◦
global recv
ECU1
RB
ECU2
RB
newm
oldm
◦ ◦
ECU2
global
send
SB
newm
oldm
•
∗
global recv
ECU1
RB
ECU2
RB
newm
∗ ∗
oldm
local recv
ECU1
MB
RB
∗
ECU2
MB
RB
∗
newm
oldm
Figure 4.8: Comparison of both models
113
4 Formal Specification of an ECU
double to single buffers is straightforward: we simply map the processor-facing side of
the double buffers to a single one. The abstraction function for the ABC models is given
below:
abs abc sabc ≡ sabc(|SB := [hd sabc.SB], RB := [last sabc.RB]|)
For convenience, we furthermore wrap the abstraction of an entire ECU state secu to a
state of Knapp’s Olos model into the function absECU.
We state a relation between both models during a global compute phase. A global
compute transition dlcomp of Knapp’s Olos model simulates a number of local compu-
tation steps during the one slot of our ECU model. More specifically:
Theorem 4.8 (Global Compute Phase Simulation). We assume
• a valid state secu, i. e., is validStatea secu,
• valid scheduling tables J, i. e., valid tables J,
• the state secu is a receive state, i. e., the interrupt flag is raised and the send flag
is lowered ( secu.abc dev.INT ∧ ¬ secu.abc dev.SF),
• there has not recently been a deadline violation, i. e., the idle flag is set secu.idleflag,
and
• the currently scheduled application current proc J secu will eventually terminate:
∀mb. is valid MB mb −→
(∃n. wapp (fst ((dccn) (current proc J secu, mb))) = ExFinish)
Under these assumptions, there exists an input sequence is in such a way that a global
compute transition dlcomp of the abstracted secu state is equal to the state abstraction
after a computation with is.
Formally:
∃is. dlcomp (absECU secu) = absECU (fold (dECU J) is secu)
Proof. We compare both models starting at a slot boundary. The first dECU transition
handles the receive phase and is called with an empty input ⊥. After this phase, the
send flag is set to the entry of the sending permission table in the next slot. Then, both
ECUs enter the compute phase were they do several steps until the scheduled application
finishes its execution. Hence, a fixed number of empty inputs ⊥ until the application
terminates is given. Now, we distinguish on the ECU’s send flag: when the ECU is
not permitted to send, the global compute phase is done. Otherwise, we expect a timer
input beifi abc timerc of the external environment i. e., the bus. This signal indicates
the start of the send phase. A final dECU transition with an empty input ⊥ executes the
send phase in order to complete the global compute phase for the sending ECU.
114
5 Implementation Correctness
On peut avoir trois principaux objets dans l’e´tude de la ve´rite´:
l’un, de la de´couvrir quand on la cherche;
l’autre, de la de´montrer quand on la posse`de;
le dernier, de la discerner d’avec le faux quand on l’examine.1
Blaise Pascal, quoted in: ”Pense´es”, Article II: Re´flexions sur la
ge´ome´trie en ge´ne´ral
Contents
5.1 Implementation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.1.1 Defining CVM Primitives in Simpl . . . . . . . . . . . . . . . . . . . . . . 117
5.1.2 Predicates of the OLOS Implementation State . . . . . . . . . . . . . . . 119
5.1.3 Functional Correctness of OLOS Functions . . . . . . . . . . . . . . . . . 124
5.1.4 Expressing a CVM Transition in Simpl . . . . . . . . . . . . . . . . . . . . 134
5.1.5 Defining the Implementation Invariant . . . . . . . . . . . . . . . . . . . . 135
5.2 Relating Implementation and Abstract States . . . . . . . . . . . . . . . . . . . 135
5.3 Proving Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.1 Induction Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.2 Induction Step . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.3 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
This chapter reports on formal implementation correctness proof using Hoare logic as
an effective method of C0 program verification. In the last chapter, we presented an
abstract model of the entire ECU including applications, the ABC device and Olos.
However, we certainly have to ensure that the ECU model really abstracts the Olos
implementation. For this reason, we aim at a formal simulation proof between imple-
mentation and specification by induction.
Recall that Olos is implemented to run as a Cvm kernel machine. Therefore, we
represent this framework in our programming model and define the effects of Cvm
integrating Olos as a Simpl function. Combining this kernel execution with the external
device transition deabc, we obtain an overall implementation step d
I
ECU. Note that in case
1In the study of truth, we may pursue three main objectives:
first, to discover it when we search for it;
secondly, to prove it when we possess it;
thirdly, to discern it from falsehood when we examine it.
115
5 Implementation Correctness
sv0 sv1 sv2 sv3 svn
s1 s2 s3 sn
dIECU ⊥
ab
s I
m
p
l
dIECU i1
dECU i1
ab
s I
m
p
l
dIECU i2
dECU i2
ab
s I
m
p
l
· · ·
· · ·
ab
s I
m
p
l
Figure 5.1: Simulation between implementation and model
of a kernel execution the implementation transition dIECU internally might perform several
C0 small-steps.
Figure 5.1 depicts the proof sketch of the implementation correctness for finite traces:
The induction start is based on the fact that the successor state sv1 after the first step
at power-up can be abstracted via an abstraction function absImpl to an initial state
s1 of the ECU model. The induction step formalizes that the semantic effects of an
implementation step dIECU can be expressed by the abstract transition function dECU
and the abstraction function is preserved. Additionally, we collect all properties that
have to hold during the kernel executions into a so-called implementation invariant.
In the remainder of this chapter, we establish the required framework for the im-
plementation layer (Section 5.1). In Section 5.2 we relate the implementation states
to corresponding abstract ECU states (as introduced in Section 4.3) by formalizing an
abstraction function.
Based on all these prerequisites, we finally formulate our correctness theorem in Sec-
tion 5.3. We show by induction, that the abstraction function and the implementation
invariant hold after each kernel execution. Furthermore, we claim that the invariant is
preserved for each transition of the ABC device. Putting all the results together, we are
able to show the implementation correctness for finite traces for the overall transition
function dIECU. This result has been presented in [DSS09].
5.1 Implementation Layer
In order to prove that our Olos implementation satisfies the abstract specification we
first present our implementation in the Hoare logic environment provided by Isabelle/
Simpl. Thus, a syntax translator automatically generates Simpl code from the source
code given as a C0 program. In the next subsection we define Cvm primitives used by
Olos in Simpl. Then, we present validity predicates on the Olos implementation state.
These are used to formalize pre- and postconditions of Hoare triples to prove functional
correctness of all Olos functions.
Afterwards, we define a Simpl function for a kernel execution that embeds the Olos
implementation into a Cvm step. Finally, we show the implementation invariant of the
entire implementation state.
116
5.1 Implementation Layer
5.1.1 Defining CVM Primitives in Simpl
C0 Implementation
kdispatch
olos init
handle trap
handle int
Cvm ISR
Cvm Primitives
cvm reset
cvm alloc
cvm load os
cvm out word
cvm get gpr
cvm set gpr
cvm p2v copy t kmsg
cvm v2p copy t kmsg
cvm physIOInRange t kmsg
cvm physIOInRange t kmsg
Figure 5.2: Olos Call Graph
In contrast to a normal application program, an operating system is not entirely writ-
ten in C. We have hidden all the hardware-specific assembly code within Cvm primitives.
Olos functions use these primitives in order to exchange data with a certain device or
user process. Figure 5.2 depicts a call graph of the Cvm’s interrupt service routine
which gives an overview of the dependencies between all Olos functions and the used
Cvm primitives. The code of Cvm primitives has been verified on the ISA level of the
processor [ST08]. Note that these code fragments cannot be proved in Isabelle/Simpl.
Nevertheless in Simpl, we can express the effects of those low-level computations that
are visible to the C0 programmer by their effect on external variables (recall XCalls
in Section 2.1). First, we augment the state of the overall program with an additional
program variable cvmX representing the external, hardware-specific state. cvmX consists
of two components:
• fst sv.cvmX stores the information of Cvm userprocesses which equals subcompo-
nent cvm up of a Cvm state as introduced in Section 2.8.1 and,
• snd sv.cvmX is the device vector as described in (Section 2.7).
We define two functions in order to avoid long names in the definitions of the remaining
chapter. We use cvm apps sv.cvmX ≡ (fst sv.cvmX).userprocesses
to consider only the user process vector and abbreviate the selection of the ABC device
from the entire device vector by
cvm abc sv.cvmX ≡ snd sv.cvmX (nat2dev ABC ID).
In Section 2.8.3 we introduced functions that specified the effects of Cvm primitives
in C0 small-step semantics. In the remaining chapter we reason about Simpl programs
117
5 Implementation Correctness
using Cvm primitives in the Hoare logic. Hence, we also require a specification of the
Cvm primitive semantics in Simpl as well. We have defined all primitives used by
Olos as transition functions with multiple assignments enclosed in BASIC and END.
Afterwards these functions are embedded into procedure bodies. Then, the Vcg later on
automatically unpacks the procedure bodies and hence, we can directly use the inlined
function specification.
In Section 2.8.3 we have learned that Cvm primitives can be classified according to
their effects. They either access a component of the external state in order to read a
value, manipulate the component or does both. Furthermore, we distinguish between
typed and untyped primitives. We exemplarily introduce Simpl functions for different
primitive cases.
First, we regard an untyped primitive that solely modifies the state of a user process.
Therefore, we show the Simpl definition of the Cvm primitive that initializes a user
process (the underlying definitions are given in paragraph 2.8.3). Function fun cvm
reset takes a process identifier pid as input parameter and result variable is given with
res int. The precondition pre cvmReset ´pid must be fulfilled in order to guarantee
successful execution of the primitive. Therefore, we guard the following command against
a violation of this requirement. The updated user-process component is computed with
function exec cvmReset. Then, the new user process component and the functions result
value 0 are assigned simultaneously to the first component of the external state cvmX
and the return variable of the Olos (by using the BASIC and END syntax). Formally:
procedures fun cvm reset (pid| res int) =
{| pre cvmReset ´pid |} 7−→
BASIC
LET (ext, rval) = (exec cvmReset (fst ´cvmX) ´pid, 0)
IN ´cvmX :== (ext, snd ´cvmX), ´res int :== rval
END
Note that all untyped primitive functions that solely manipulate the user process
component can be defined in the same manner. More precisely, these functions are fun
cvm alloc, fun cvm load os and fun cvm set gpr. Only their function signature, the
guard and the manipulation function depend on the particular primitive.
Untyped Cvm primitives that solely manipulate a device state update the second
component of the external state cvmX instead. The external output to the is simply
neglected. In particular, this solely concerns function fun cvm out word.
Next, we show primitive fun cvm get gpr that does not modify the external state
but returns read data to the return variable res nat of the kernel. We require that the
precondition pre cvmGetGPR of the primitive holds. The Simpl function directly returns
the value of function exec cvmGetGPR (cf. definitions in paragraph 2.8.3).
procedures fun cvm get gpr (pid, reg | res nat) =
{| pre cvmGetGPR ´pid ´reg |} 7−→
´res nat :=g exec cvmGetGPR (fst ´cvmX) ´pid ´reg
118
5.1 Implementation Layer
This function is the only primitive that directly returns the read data to the result
variable of the C0 program.
Finally, we show the Simpl function fun cvm physIOInRange t kmsg that modifies the
external state and returns a message and the result value to the operating system. This
Cvm primitive is specific for Olos and therefore typed. More specifically, the guards of
typed primitives do not only contain the precondition of the Cvm primitives (defined in
paragraph 2.8.3) but additionally fix the length of the copied data.
fun cvm physIOInRange t kmsg updates simultaneously the modified component of
the external state, the return value und the message buffer using the BASIC and END
syntax. The return value of function exec cvmPhysIOInRange is split and assigned inter-
nally to a changed device state ext, the list of outputs to the external environments eifos
and the list of outputs to the processor which forms the message msg . Note that only the
potentially updated state (the ABC state is not changed when its buffers are read) and
the message are relevant in this function. Hence, reading data from the processor-facing
buffers of a device with identifier dev id starting at address port is defined as:
procedures fun cvm physIOInRange t kmsg (dev id, port, msg | msg, res int) =
{| pre cvmPhysIORange ´dev id ´port (length ´msg) ∧ length ´msg = MSGLENGTH |} 7−→
BASIC
LET ((ext, eifos, msg), rval) =
(exec cvmPhysIOInRange (snd ´cvmX) ´dev id ´port MSGLENGTH, 0)
IN ´cvmX :== (fst ´cvmX, ext), ´res int :== rval , ´msg :== msg
END
All typed Cvm primitives additionally contain the requirement length ´msg = MS-
GLENGTH in the guard definition. fun cvm v2pcopy t kmsg resembles fun cvm get
gpr but returns a message value on the one hand and a result variable on the other
hand to the kernel (cf. example in Section 2.9.1). The remaining typed primitives
are fun cvm p2vcopy t kmsg and fun cvm physIOOutRange t kmsg. The former func-
tion manipulates the user process component whereas the latter one modifies the device
component of the external state. While their guard differs from the guard of untyped
primitives, the Simpl definition of their function bodies resembles the one of fun cvm
reset.
In this subsection, we have seen that the definition of a Cvm primitive in Simpl
depends on certain aspects: the number of modified kernel variables, the class of com-
ponent in the modified external variable and the distinction between typed and untyped
Cvm primitives. Note that the correctness of the Cvm primitive specification has not
be shown on Simpl level (see also Section 7.4).
5.1.2 Predicates of the OLOS Implementation State
In this subsection we present an initialization and a validity predicate for Olos imple-
mentation states sv. These predicates are based on several constraints concerning e. g.,
the scheduling tables, message buffers or the devices. First we describe the requirements
119
5 Implementation Correctness
of particular variables before we define the initialization and the validity predicate for
the overall Olos implementation state.
Tables and Constants. Olos uses three scheduling tables that have to fulfill several
constraints. Predicate valid Schedule takes all tables as arguments and holds when all
requirements on the tables are fulfilled. All table lengths are given by the number
SLOTCOUNT of slots per round. Furthermore, the tables should only contain specified
entries. Therefore, the application scheduling table AST must not exceed the maximal
number of applications PROCCOUNT whereas entires of the buffer index table BT are
bounded by MSGCOUNT, the number of specified message buffers. Formally:
valid Schedule SPT AST BT ≡
|SPT| = SLOTCOUNT ∧
|AST| = SLOTCOUNT ∧
|BT| = SLOTCOUNT ∧
(∀i<|AST|. 0 < AST ! i ≤ PROCCOUNT) ∧ (∀i<|BT|. BT ! i < MSGCOUNT)
During the initialization Olos uses an array storing the number of pages per appli-
cation in order to allocate sufficient memory. Predicate valid AppMemAlloc formalizes
several restrictions on the entries of that array. Each entry of PAGEC stores the number
of pages of the application with the corresponding identifier. Since 0 is reserved for the
kernel, the first component is set to 0 and the array length is given by PROCCOUNT +
1. For the other entries we require that the number of pages is larger than 0 (i. e., all
applications have allocated memory) and less than the maximum total virtual memory
size given by TVM MAXPAGES pages. Finally, the total sum of all the table entries
should not exceed this upper bound. The definition of predicate valid AppMemAlloc is
given below:
valid AppMemAlloc PAGEC ≡
|PAGEC | = (PROCCOUNT + 1) ∧
(∀i∈{0<..<|PAGEC |}. 0 < PAGEC ! i ∧ PAGEC ! i < TVM MAXPAGES) ∧
list sum PAGEC ≤ TVM MAXPAGES
Some implementation variables remain unchanged after the initialization. The schedul-
ing tables are initialized with values from corresponding configuration tables. The mem-
ory size of each application has been stored in one of its special purpose registers and
the status register contains the interrupt mask. These constants are set after power-up
and remain unchanged in all further executions. We summarize all constant values of
an implementation state sv in predicate olos consts:
olos consts SPT BT AST PAGEC sups ≡
SPT = SPT CONF ∧
BT = BT CONF ∧
AST = AST CONF ∧
(∀i∈{0<..<|PAGEC |}. mm size (sups.userprocesses (nat2pid i)) = PAGEC ! i) ∧
sups.statusreg = 8254
120
5.1 Implementation Layer
Message Buffers. The message buffers of an implementation state are realized as an
array of message pointers ps pointing to messages stored in the heap. Recall that we
use a heap function heap to refer directly to a message on the heap. Validity of message
buffers demands for several restrictions. The number of Olos message buffers is given
by MSGCOUNT. Furthermore, we require these buffers to be distinct and different from
Null. Each buffer contains only valid messages (i. e., predicate is valid intlistMsg holds).
Finally, we summarize all constraints mentioned above in a validity predicate for message
buffers valid MB:
valid MB ps heap ≡
|ps| = MSGCOUNT ∧
distinct ps ∧
Null /∈ set ps ∧ (∀i<MSGCOUNT. is valid intlistMsg (heap (ps ! i)))
After the initialization the message buffers should fulfill predicate init MB. All message
buffers should be valid and contain initial values (i. e., messages are initialized with an
array of MSGLENGTH zeros). Formally:
init MB ps heap ≡
valid MB ps heap ∧
(∀i<MSGCOUNT. heap (ps ! i) = replicate MSGLENGTH 0)
Devices. In the Olos implementation we use two kinds of devices - the hard disk and
the ABC device. After power-up the boot region of the former device is accessed to load
an OS image to the memory of an application and the latter is responsible for the bus
communication. The device identifiers of both devices should correspond directly to a
hard disk state and an ABC state respectively. This constraint is hidden in predicate
olos devices:
olos devices sdev ≡
is conf ABC (sdev (nat2dev ABC ID)) ∧
is conf HD (sdev (nat2dev DEVICE HD1))
In Section 4.1 we have specified several conditions for the ABC state. Now, we consider
all used devices and their state requirements at three different points in time:
1. After power-up before the Olos initialization
The predicate devices before olosinit encapsulates preconditions of all devices that
should hold before Olos starts the initialization:
devices before olosinit sdev ≡
olos devices sdev ∧
abc before olosinit (sdev (nat2dev ABC ID)) ∧
is validconf hd (sdev (nat2dev DEVICE HD1)) ∧
is valid disk content (sdev (nat2dev DEVICE HD1)) ∧
list sum PAGEC CONF · PAGE SIZE
≤ |(sdev (nat2dev DEVICE HD1)).hd sm|
121
5 Implementation Correctness
We assume that Olos ‘knows’ both devices and that the ABC device fulfills the
requirements mentioned above. Furthermore, the state and the content of the hard
disk should be valid and the sum of all application pages with size PAGE SIZE has
to fit into the memory of the hard disk.
2. After Olos initialization
After initialization, predicate initial devices should hold. It ensures olos devices
and states that Olos initialized the configuration registers of the ABC device
with values from CB CONF. Moreover, the ABC device must be in an initial state.
Formally:
initial devices sdev ≡
olos devices sdev ∧
(sdev (nat2dev ABC ID)).CR = CB CONF ∧
is initial ABC (sdev (nat2dev ABC ID))
3. After all transitions A valid device component requires that predicate olos
devices has to be fulfilled. Furthermore, the configuration registers of the ABC
device remain unchanged (i. e., they store the initial values of CB CONF) and the
ABC device is valid. When all conditions above are satisfied the validity predicate
of the device component valid devices holds:
valid devices sdev ≡
olos devices sdev ∧
(sdev (nat2dev ABC ID)).CR = CB CONF ∧
is valid ABC (sdev (nat2dev ABC ID))
Relating Redundant Components. Recall that the implementation state of Olos in-
cludes an own send flag and a current slot number. Therefore, we specify how these
variables are related to their counterparts in the ABC state. We compare the com-
ponents when we enter and leave the Olos main function. Certainly, the redundant
information must not be contradictory. We introduce a predicate olos abc consis that
takes the send flag and the current slot number of our implementation state and the
ABC state. We require that the send flags have to be equal. The current slot numbers,
on the contrary, are not equal in every situation. More specifically, they are shifted
when Olos starts a new slot (note that the send flag is not set ¬ sf ). The ABC device
receives a message or a timer signal from the bus and immediately increases its slot
number and raises the interrupt flag sabc.INT. Afterwards, the operating system reads
the raised interrupt flag and starts with the receive phase. Hence, the implementation
variable storing the slot number has a delay to its ABC counterpart. We formalize this
gap by increasing the implementation variable artificially when the variables encode a
receive phase. Otherwise, the current slot numbers are equal. Formally:
olos abc consis sf csn sabc ≡
122
5.1 Implementation Layer
sf = sabc.SF ∧
sabc.CSN = (csn + if sabc.INT ∧ ¬ sf then 1 else 0) mod SLOTCOUNT
Initial OLOS Implementation States. With all prerequisites in place we summarize
all the conditions of an implementation state after power-up in predicate is initStatei.
For an initial implementation state, we require that the constant variables are initialized
according to olos consts, the table storing the number of pages for each application
equals PAGEC CONF, the slot number is SLOTCOUNT − 1, variable sv.ca is set to IDLE
and the send flag is disabled. Furthermore, the message buffers and the devices should
be in their initial states, all applications are valid (recall Section 2.8.1) and redundant
components are consistent (i. e., olos abc consis holds). Formally:
is initStatei sv ≡
olos consts sv.SPT sv.BT sv.AST sv.PAGEC (fst sv.cvmX) ∧
sv.PAGEC = PAGEC CONF ∧
sv.csn = SLOTCOUNT − 1 ∧
sv.ca = IDLE ∧
¬ sv.sendflag ∧
init MB sv.MB sv.heap msg ∧
is valid cvmup (fst sv.cvmX) ∧
initial devices (snd sv.cvmX) ∧
olos abc consis sv.sendflag sv.csn (cvm abc sv.cvmX)
Valid OLOS Implementation States. There are several restrictions on implementation
states that should hold for all further transitions. These requirements are encapsulated
in is validStatei. A valid implementation state includes that constant variables remain
unchanged after their initialization. Furthermore, we require that variable sv.ca either
equals IDLE or stores the identifier of the currently scheduled application. The current
slot number is valid i. e., the value of variable sv.csn is less than the fixed number of
slots SLOTCOUNT per round. Moreover, the table sv.PAGEC, the message buffers, the
applications and the devices must be valid and olos abc consis holds additionally. The
definition of the validity predicate for Olos implementation states is validStatei is given
below:
is validStatei sv ≡
olos consts sv.SPT sv.BT sv.AST sv.PAGEC (fst sv.cvmX) ∧
(sv.ca = sv.AST ! sv.csn ∨ sv.ca = IDLE) ∧
sv.csn < SLOTCOUNT ∧
valid AppMemAlloc sv.PAGEC ∧
valid MB sv.MB sv.heap msg ∧
is valid cvmup (fst sv.cvmX) ∧
valid devices (snd sv.cvmX) ∧
olos abc consis sv.sendflag sv.csn (cvm abc sv.cvmX)
123
5 Implementation Correctness
5.1.3 Functional Correctness of OLOS Functions
Now we draw the readers attention back to the generated Simpl code of our Olos
implementation. In Section 2.9, we have defined the notation of a Hoare triple in order
to prove total correctness. For each Olos function c in procedure environment G where
the precondition P holds for the current state we have to discharge postcondition Q for
the successor state.
In the following, we try to restrict the preconditions on the smallest set of assumptions
and to use as few variables as possible. In contrast, the postcondition should include the
largest set of properties that is possible to conclude. Furthermore, when a variable is not
modified in a special case of the function, we explicitly note this in the predicate. Then,
properties of unchanged variables are excluded a priori. In a large proof, this permits to
concentrate only on proof goals concerning changed variables.
A modifies clause equals a record update specification and enumerates all globals that
are changed during the execution of a function. If the verification generator works on a
procedure call it checks whether it can find a modifies clause in the context. If one is
present the procedure call is internally simplified before the Hoare rules are applied.
In the following, we present the pre- and postconditions for each Olos function and
the corresponding Hoare triples.
Function fun olos init. The precondition of function fun olos init restricts the number
of used message buffers to MSGCOUNT. No application has allocated virtual memory
yet i. e., the sum of used pages equals 0. The external state variable cvmX has been
initialized: Cvm set up the user process component, whereas the device vector fulfills
some initial assumptions. Formally, the precondition olos initpre summarizes:
olos initpre sv ≡
|sv.MB| = MSGCOUNT ∧
(
∑
i∈procnumT. mm size ((fst sv.cvmX).userprocesses (nat2pid i))) = 0 ∧
fst sv.cvmX = init cvmup ∧ devices before olosinit (snd sv.cvmX)
After the execution of the initialization function fun olos init the successor state t
equals the initial state is initStatei and all table contents are well-formed i. e., the predi-
cates valid Schedule and valid AppMemAlloc hold. The postcondition of fun olos init is
denoted with:
olos initpost t ≡
is initStatei t ∧ valid Schedule t.SPT t.AST t.BT ∧ valid AppMemAlloc t.PAGEC
Now, we can formalize the Hoare triple for the Olos initialization function.
Theorem 5.1 (Functional Correctness of fun olos init). For an implementation state
sv that fulfills the precondition olos initpre we can conclude that the successor state t sat-
isfies the postcondition predicate olos initpost after the execution of fun olos init. Fur-
thermore, the result variable of the function is set to 0. Formally:
124
5.1 Implementation Layer
G`t {|sv. olos initpre sv|} ´res int :== PROC fun olos init()
{t. olos initpost t ∧ t.res int = 0}
Proof. In Figure 3.7 on page 66 we divided the implementation code into three logical
parts each containing one loop. We keep this division for our correctness proof in order
to keep neat proof goals. Thus, we obtain several subgoals in order to establish invari-
ants for the loops from the premises and conditions we gained so far, to discharge the
postconditions of a loop and to collect all conclusions to the main postcondition. We
split this proof into three subgoals each containing one loop:
1. Initialization of Olos data structures:
From the precondition we can directly conclude that init cvmup.statusreg = 8254
holds by unfolding init cvmup. Moreover, the scheduling tables and the Olos
variables PAGEC, ca, csn and sendflag are set to the desired values. valid Schedule
and valid AppMemAlloc hold after the initialization of the scheduling tables (we
obtain this result by unfolding the initial table configurations). Note that all results
derived so far still hold in the postcondition unless the involved components are
not changed during the execution of the remaing function. The invariant of the
loop initializing the message buffers now includes the following constraints:
a) the preconditions olos initpre
b) the already derived results
c) for each loop cycle n < MSGCOUNT we require that all buffers initialized so
far are different from Null, their value is initial and that they are distinct i. e.,
∀i<n. sv.MB ! i 6= Null ∧
sv.heap msg (sv.MB ! i) = replicate MSGLENGTH 0 ∧
(∀j<i . sv.MB ! i 6= sv.MB ! j)
The generated NEW command always creates internally new pointers that are
disjoint from the already existing ones and the null pointer Null. When these
constraints are fullfilled for each loop cycle obviously init MB holds after the loop
execution. We abbreviate all results gained so far with postcond loop1.
2. Application initialization:
The second loop initializes the applications and claims in its invariant that the
requirements below hold:
a) the preconditions olos initpre
b) the already derived results postcond loop1
c) in all loop cycles n ≤ PROCCOUNT starting from 1 additionally holds:
i. variable next containts the total number of pages allocated so far:
next = list sum (take n PAGEC CONF),
ii. all applications initialized so far have the correct size:
∀i . 0 < i ∧ i < n −→ mm size ((fst sv.cvmX).userprocesses (nat2pid i)) =
sv.PAGEC ! i ,
iii. all page sizes of PAGEC CONF are less or equal than the maximal number
of pages TVM MAXPAGES:
list sum PAGEC CONF ≤ TVM MAXPAGES, and
iv. the sum of the already allocated pages and the pages that are not yet
125
5 Implementation Correctness
allocated is less or equal TVM MAXPAGES:
(
∑
i∈procnumT. mm size ((fst sv.cvmX).userprocesses (nat2pid i))) +
list sum (drop n PAGEC CONF)
≤ TVM MAXPAGES
When the invariant holds for each loop cycle finally olos consts holds. Note
that the user-process component is modified in each loop cycle by applying
several Cvm primitives. Therefore, we have to discharge loop invariant re-
quirements and the corresponding primitive preconditions on the one hand
and to prove that validity of the user-process component is valid cvmup is
preserved after each application update on the other hand. All results de-
rived until now are abbreviated in postcond loop2.
3. ABC configuration:
Finally, the last loop writes the configuration registers of the ABC device. The
loop invariant includes the following conditions:
a) the precondition devices before olosinit holds,
b) the postcondition postcond loop2 is satisfied, and
c) in each loop cycle n < SLOTCOUNT the registers configured so far store the
corresponding value of initial table configuration CB CONF:
∀i . 0 ≤ i ∧ i < n −→ (cvm abc sv.cvmX).CR ! i = CB CONF ! i
olos devices can be derived directly from precondition devices before olosinit. The
loop only modifies the device component of the external state variable so that the
other conditions still hold after the loop execution. Olos uses the Cvm primitive
fun cvm out word to write the configuration registers of the ABC. Hence, we have
to discharge the precondition pre cvmOutWord for each cycle. Due to the satisfied
loop invariant (cvm abc sv.cvmX).CR = CB CONF holds after the loop execution.
Finally, Olos sends the set-ready command to the ABC device using fun cvm
out word. Internally the ABC state is updated with the internal device function
dmabc (recall Section 4.1). It remains to discharge predicate is initial ABC after all
manipulations of the ABC device: All modifications so far left the interrupt flag
and the send and receive buffers unchanged so that we conclude
¬ (cvm abc sv.cvmX).INT ∧ valid ABC buffers (cvm abc sv.cvmX) from predicate
abc before olosinit. In case of an set-ready command dmabc sets the initialization
flag, the send flag and the current slot number of the ABC device to its initial values
(i. e., ¬ (cvm abc sv.cvmX).IP ∧ ¬ (cvm abc sv.cvmX).SF ∧ (cvm abc sv.cvmX).CSN
= SLOTCOUNT − 1). Putting all partial results together we have shown that the
successor implementation state t is actually initial.
Function fun handle int. The precondition of function fun handle int demands for the
validity of message buffers, the scheduling tables and the current slot number. The
variable ca should not be greater than PROCCOUNT. Formally:
handle intpre sv ≡
valid MB sv.MB sv.heap msg ∧
126
5.1 Implementation Layer
valid Schedule sv.SPT sv.AST sv.BT ∧ sv.csn < SLOTCOUNT ∧ sv.ca ≤ PROCCOUNT
We formulate a postcondition predicate handle intpost to check whether the successor
state after the execution of fun handle int fulfills the desired properties. Therefore, it
takes the old and the new implementation state (i. e., state sv before and t after the
execution) and compares the components of the new state with the values we expect
after the execution of fun handle int. Variables that may be modified by fun handle
int are: ca, the current slotnumber csn, the send flag sendflag, the message values heap
msg, and the external state cvmX, more specifically the device component.
Recall that this function is responsible for the execution of the send and receive phase
(Section 3.3.4). Thus, the effects on the new implementation state depend on the old
value of the send flag sv.sendflag.
1. sv.sendflag:
A raised send flag indicates the start of the send phase, where Olos sends data
from its message buffer to the ABC device. In this case, we expect that the
current slot number and the message values of the new state t are not changed.
Moreover, after the send phase the new send flag t.sendflag should be set to False
and variable t.ca equals IDLE. We require that the device component of the new
implementation state has an updated send buffer and a cleared interrupt flag. We
use function exec cvmPhysIOOutRange to express how the old device component
is affected when Olos sends a message to the ABC device (recall Section 2.8.3).
Then, function exec cvmOutWord returns the expected device component after the
updated device component devss has cleared its interrupt flag. This result should
be equal to the device component of the new state t.
2. ¬ sv.sendflag:
In the case the send flag is not set we are in the receive phase. Here, we require
that new implementation state t has an increased current slot number, its send flag
equals the entry of the sending permission table SPT in the next slot and variable
t.ca is set to the entry of the application scheduling table AST in the current slot.
We express the effects of Olos reading the receive buffer of the ABC with function
exec cvmPhysIOInRange and assign the results to a new state devsr, the output list
to the external environment eifos and the read message msg . Then, we expect
that only the data of the designated message buffer is updated with the message
msg from the ABC’s receive buffer (recall Section 3.3.4 that the buffer index is
determined from the entry of the buffer index table BT in the previous slot). The
other messages remain unchanged. Finally, we require the interrupt flag of the
ABC device has been cleared. Thus, we model this effect by applying function
exec cvmOutWord on the device component devsr. After all manipulations the
variables ca and csn should be valid.
If state t fulfills all desired modifications it satisfies the postcondition handle intpost.
Formally:
127
5 Implementation Correctness
handle intpost sv t ≡
if sv.sendflag
then let devss =
fst (exec cvmPhysIOOutRange (snd sv.cvmX) ABC ID SEND PORT
(sv.heap msg
(sv.MB ! (sv.BT ! ((sv.csn + 1) mod SLOTCOUNT)))))
in t.csn = sv.csn ∧
t.sendflag = False ∧
t.ca = IDLE ∧
t.heap msg = sv.heap msg ∧
t.cvmX =
(fst sv.cvmX,
fst (exec cvmOutWord devss ABC ID COMR PORT CLEARINT COM))
else let (devsr, eifos, msg) =
exec cvmPhysIOInRange (snd sv.cvmX) ABC ID RECV PORT MSGLENGTH
in t.csn = (sv.csn + 1) mod SLOTCOUNT ∧
t.sendflag = sv.SPT ! ((t.csn + 1) mod SLOTCOUNT) ∧
t.ca = sv.AST ! t.csn ∧
(∀i . t.heap msg i =
if i = sv.MB ! (sv.BT ! ((SLOTCOUNT + t.csn − 1) mod SLOTCOUNT))
then msg
else sv.heap msg i) ∧
t.cvmX =
(fst sv.cvmX,
fst (exec cvmOutWord devsr ABC ID COMR PORT CLEARINT COM)) ∧
t.csn < SLOTCOUNT ∧ t.ca ≤ PROCCOUNT
Now, we can formalize a theorem stating the functional correctness of the Olos func-
tion fun handle int.
Theorem 5.2 (Functional Correctness of fun handle int). Assuming that an implemen-
tation state sv fulfills predicate handle intpre, we can conclude that after the execution of
function fun handle int the successor state t satisfies the postcondition predicate handle
intpost and the function result variable is set to 0. Formally:
G`t {|sv. handle intpre sv|} ´res int :== PROC fun handle int()
{t. handle intpost sv t ∧ t.res int = 0}
Proof. For a successful Cvm primitive execution we have to discharge the preconditions
of all used functions. This includes the validity of the device identifiers and the ports.
The identifier of our ABC device is less than the maximal device number, hence it
is valid Section 2.7. With the fixed message length of MSGLENGTH ≡ 40 words the
messages fit into the send and the receive buffer. From the discharged preconditions
we know that the Cvm primitives can be executed successfully. The Simpl definitions
of the used primitives manipulate the external state variable with the underlying exec
128
5.1 Implementation Layer
<primitivename> functions. Hence, we conclude that the updated device component of
the successor state fulfills the desired constraints. Examining the executed code Figure
3.8 on page 67 on the one hand and the postcondition handle intpost on the other hand,
we see that the Olos variables indeed are set to the correct values. The computations
on the current slot number are modulo operations, hence the number is always less than
SLOTCOUNT. Variable ca also can not be larger than PROCCOUNT, since it is either
IDLE ≡ 0 or an entry from the application scheduling table. From the table validity, we
can conclude that all values in AST are less or equal to PROCCOUNT.
Function fun handle trap. The precondition of function fun handle trap that handles
system calls takes the global variables of the implementation state sv and additionally
the parameter n of the function. We require that the function is only invoked with
specified system calls while an application is scheduled (i. e., sv.ca 6= IDLE). Furthermore,
the current slot number, the message buffers and all tables should be valid. Finally, the
entries of PAGEC should be less or equal to the number of allocated pages in the memory
of the corresponding user process. These requirements are summarized in handle trappre:
handle trappre sv n ≡
n ∈ {CALL SEND, CALL RECV, CALL EXFINISHED} ∧
(0 < sv.ca ∧ sv.ca ≤ PROCCOUNT) ∧
sv.csn < SLOTCOUNT ∧
valid MB sv.MB sv.heap msg ∧
valid Schedule sv.SPT sv.AST sv.BT ∧
valid AppMemAlloc sv.PAGEC ∧
(∀i∈{0<..<|sv.PAGEC|}.
address in mem (fst sv.cvmX) i (sv.PAGEC ! i · PAGE SIZE − 1))
The postcondition of function fun handle trap includes the effects on the changed
global state variables after the function execution. The function only modifies the user-
process component of the external variable cvmX, variable ca and a message value heap
msg. Similar to the postcondition predicate in the paragraph before, we describe the
desired effects on the old implementation state sv and compare it with the successor state t
we obtain after calling function fun handle trap. When the postcondition handle trappost
is satisfied the trap handler works in the expected way.
We require that the variables ca and csn fulfill their wellformedness constraints after
the execution of function fun handle trap. The effects on the other components depend
on the particular call that is determined by the trap number n. We distinguish between
the different numbers:
1. n = CALL EXFINISHED:
In this case the application signals its termination for the current slot. Here,
we simply expect that ca is set to IDLE whereas the other components remain
unchanged.
2. n 6= CALL EXFINISHED:
Otherwise, ca will not be changed. The other system calls are used for message
129
5 Implementation Correctness
transmission between Olos and the calling application. Recall Section 3.3.5, that
these calls use two registers (register 11 and 12) storing their parameter values
and one register (register 22) that keeps the result value of the call. We load both
parameter values with function exec cvmGetGPR from the general-purpose regis-
ters into the variables sa and mn. Moreover, updating a user-process component
by setting the result register to a value is provided by function exec cvmSetGPR.
We abbreviate this function in set res. Now, we check the parameter values of the
system calls:
• invalid system call parameters:
When either the start address is not aligned (i. e., (sa ∧u 3) 6= 0), the entire
message does not fit into allocated memory of the application (i. e., sv.PAGEC
! sv.ca · PAGE SIZE ≤ sa + 4 · MSGLENGTH) or the message number tries to
access a non-existing message buffer (i. e., MSGCOUNT ≤ mn) all messages
remain unchanged. Depending on the invalid parameter, Olos writes the
corresponding error value in the result register of the application.
• valid system call parameters:
Then, we require that Olos writes 0 into the result register of the applica-
tion to indicate a successful message transmission. Furthermore, when the
application sent a write request (n = CALL SEND) to Olos, we expect that
the data in the designated message buffer is updated with a message from
the application. Function exec cvmV2Pcopy computes the data that the ap-
plication writes to the kernel. Otherwise, the application receives a message
from the kernel. We model the user-process component after Olos wrote a
message into the application’s memory with exec cvmP2Vcopy.
If the successor state t fulfills the desired expectations after function fun handle trap
the postcondition handle trappost holds. Formally, all requirements for global variables
of an implementation state sv, the successor state t and the function parameter n are
encapsulated in predicate handle trappost:
handle trappost sv t n ≡
(let sa = exec cvmGetGPR (fst sv.cvmX) sv.ca 11;
mn = exec cvmGetGPR (fst sv.cvmX) sv.ca 12;
set res = λres ups. exec cvmSetGPR ups sv.ca 22 (to nat32 res)
in if n = CALL EXFINISHED
then t.cvmX = sv.cvmX ∧ t.ca = IDLE ∧ t.heap msg = sv.heap msg
else t.ca = sv.ca ∧
if sv.PAGEC ! sv.ca · PAGE SIZE ≤ sa + 4 · MSGLENGTH ∨ (sa ∧u 3) 6= 0
then t.cvmX = (set res INVALID POINTER (fst sv.cvmX), snd sv.cvmX) ∧
t.heap msg = sv.heap msg
elsif MSGCOUNT ≤ mn
then t.cvmX = (set res INVALID MSGNUM (fst sv.cvmX), snd sv.cvmX) ∧
t.heap msg = sv.heap msg
elsif n = CALL SEND
then t.cvmX = (set res 0 (fst sv.cvmX), snd sv.cvmX) ∧
130
5.1 Implementation Layer
(∀i . t.heap msg i =
if i = sv.MB ! mn
then exec cvmV2Pcopy (fst sv.cvmX) sv.ca sa MSGLENGTH
else sv.heap msg i)
else t.cvmX =
(set res 0
(exec cvmP2Vcopy (fst sv.cvmX) sv.ca sa (sv.heap msg (sv.MB ! mn))),
snd sv.cvmX) ∧
t.heap msg = sv.heap msg) ∧
t.csn < SLOTCOUNT ∧ t.ca ≤ PROCCOUNT
The functional correctness of the Olos function handle trap is now formalized with
the pre- and postconditions we defined above.
Theorem 5.3 (Functional Correctness of fun handle trap). We assume for an imple-
mentation state sv that the preconditions handle trappre hold. After the execution of fun
handle trap we obtain a state t that fulfills the postconditions handle trappost and the
result variable is set to 0. Formally:
G`t {|sv. handle trappre sv ´n|} ´res int :== PROC fun handle trap(´ n)
{t. handle trappost sv t sv.n ∧ t.res int = 0}
Proof. First, we want to show that the preconditions of all used Cvm primitives hold.
The used registers 11, 12 and 22 are all in range. Furthermore, the process identifier
should be less then PID MAX which is due to transitivity obviously the case (PROC-
COUNT < PID MAX). The message copying primitives are only executed when the en-
tire message fits into the allocated memory. The Simpl definitions of the used primitives
modify the external state variable with the underlying exec <primitivename> functions.
Hence, we derive that the manipulated user-process component of successor state t fulfills
the expected behaviour. The current slotnumber has not been changed, hence it is less
than SLOTCOUNT. The same considerations as in the proof Theorem 5.2 on page 128
lead to the fact that t.ca ≤ PROCCOUNT.
Function fun kdispatch. The precondition predicate kdispatchpre of Olos main function
combines some preconditions on state sv. Additionally, it takes variable eca storing the
exception cause as a parameter. In the case that a reset occurs (i. e., (eca ∧u 1) 6= 0), we
assume that the precondition of the initialization function olos initpre holds. Otherwise,
we require that the state is valid and that a pending device interrupt in variable eca
can be related to a raised interrupt flag in the ABC device. Furthermore, when a trap
occurs variable ca should not be IDLE. Formally:
kdispatchpre sv eca ≡
if (eca ∧u 1) 6= 0 then olos initpre sv
else is validStatei sv ∧
((eca ∧u 8192) 6= 0) = (cvm abc sv.cvmX).INT ∧
((eca ∧u 32) 6= 0 −→ sv.ca 6= IDLE)
131
5 Implementation Correctness
The postcondition kdispatchpost summarizes all properties that hold when we return
from function kdispatch. It depends on the implementation state before (sv) and after
(t) its execution as well as on both function parameters eca and edata. The parameters
encode the exception cause and additional data. We require the validity of the successor
state t after the execution of kdispatch. In the reset case (i. e., (eca ∧u 1) 6= 0), state t
must even be an initial state. When an interrupt of the ABC device occurs (i. e., (eca ∧u
8192) 6= 0), the postconditions of function handle int should be satisfied. Finally, we
expect that postcondition handle trappost holds after executing a valid system call from
a user process (i. e., (eca ∧u 32) 6= 0). This is denoted as:
kdispatchpost sv t eca edata ≡
is validStatei t ∧
if (eca ∧u 1) 6= 0 then is initStatei t
elsif (eca ∧u 8192) 6= 0 then handle intpost sv t
else (eca ∧u 32) 6= 0 ∧ edata ≤ 2 −→ handle trappost sv t edata
The execution of the Olos main function may be seen as a single Olos transition
from entering until leaving the kernel dispatcher. The Hoare Triple of this function
describes the behaviour of our real-time operating system under certain assumptions:
Theorem 5.4 (Functional Correctness of fun kdispatch). We assume that for an imple-
mentation state sv the precondition predicate kdispatchpre holds. Then, the state t after
returning from the operating systems main function the postcondition predicate handle
intpost is satisfied and the return value from the kernel is the value of variable ca. For-
mally:
∀sv t. G`t {|sv. kdispatchpre sv ´eca|} ´res nat :== PROC fun kdispatch(´ eca,´ edata)
{t. kdispatchpost sv t sv.eca sv.edata ∧ t.res nat = t.ca}
Proof. This proof includes mainly three subgoals.
1. In case of a reset, we can directly apply the results of Theorem 5.1 on page 124.
Since an initial state is valid we are done.
After the initialization the tables are not changed any more, so that predicate olos
consts holds in all remaining cases. The validity of the message buffers valid MB, the
user process component is valid cvmup, the devices valid devices and the consistency
between redundant variables in Olos and the ABC device olos abc consis cannot be
simply derived by applying the Hoare-Triples.
2. When an ABC interrupt occurs, we reuse the postconditions of proof Theorem
5.2 on page 128. Since the user process component is not involved is valid cvmup
still holds. The hard disk is not affected any more and the device identifiers
always belong to the same device type. Hence, proving device validity collapses to
predicate is valid ABC. The configuration registers and the buffer lengths remain
also unchanged after the initialization phase. We now distinguish between the
different phases depending on the send flag:
132
5.1 Implementation Layer
(a) Send phase (sabc.INT ∧ sabc.SF):
valid MB is satisfied because this component is not modified in this phase. The
copy primitive exec cvmPhysIOOutRange only updates the send buffer of the
ABC device with data from the message buffer. The values of the old message
buffers are valid, hence the updated send buffer gets a valid message as well.
Sending the clear interrupt command with Cvm primitive exec cvmOutWord
does not harm device validity. The effect on the ABC state is the following:
the send flag and the interrupt flag are cleared. In the implementation this is
done in the send phase, so that olos abc consis is fulfilled.
(b) Receive phase (sabc.INT ∧ ¬ sabc.SF):
From the assumptions we know that all ABC buffers contain valid messages.
Thus, we can conclude that the updated message buffer after Cvm primitive
exec cvmPhysIOInRange fulfills predicate is valid MB. The read request does
not change the ABC state so that we only consider the effects of exec cvmOut-
Word. The validity of the ABC is not violated by its effects, hence is valid
ABC holds. exec cvmOutWord clears the interrupt and sets the send flag to
the SPT entry of the next slot. In the send phase of the implementation,
Olos sets the send flag to the same value, hence they are consistent. When
the implementation reacts to the raised interrupt flag of the device, the ABC’s
current slot number sabc.CSN has already been increased. In other words, at
the time we enter function kdispatch csn and its ABC counterpart diverge
for one. This conforms exactly the condition, we formulated in predicate olos
abc consis.
3. In case of an incoming system call, we know that the postconditions of proof
Theorem 5.3 on page 131 holds. The device component of the external state is
not involved, hence valid devices and olos abc consis hold. When a user process
signals its termination (CALL EXFINISHED) neither the message buffers nor the
user process is changed. Thus, is valid MB and is valid cvmup obviously hold. In
the remaining cases, the status register and the special purpose register are not
modified. The result values that are written by function exec cvmSetGPR are 32-
bit integers, in such a way that a valid user process remains valid after updating the
result register. In the receive case, the user process gets a valid message from the
message buffer of the operating system, hence it remains valid. We can conclude
that for all user process modifications predicate is valid cvmup is fulfilled. The
message buffers are only affected when a user process sends a message to Olos.
We know that this message has a fixed length and consists of 32-bit integers,
consequently valid MB holds. Note that the message transfer from a user process
memory to a message buffer and vice versa preserves the type of the exchanged
data. When we have fixed lengths validity always holds.
All remaining cases, do not change the Olos implementation state and therefore, validity
of the successor state t is given.
133
5 Implementation Correctness
5.1.4 Expressing a CVM Transition in Simpl
In this subsection, we define the Simpl function fun cvmstep representing a Cvm step
where the concrete Olos implementation is integrated. This function allows us to con-
sider manipulations on the external component cvmX before invoking and after leaving
the the Olos main function fun kdispatch.
The specification of a Simpl function combining Cvm with a concrete kernel has been
presented in [DDW09]. We extended this function in order to deal with initialization.
The extended function fun cvmstep was applied successfully in the context of the Vamos
microkernel in the thesis of Jan D.
Therefore, we model the reset interrupt as a global variable reset and assume that
its initial value is True. The initial value corresponds to the processor state right after
power-up. Additionally, we use two local variables: cp stores the return value of the
Olos kernel and proc holds the state of the currently scheduled application.
After power-up, the processor generates a reset signal so that variable reset is set to
True. In this case fun cvmstep changes the variable to False, initializes the applications,
and invokes the Olos main function fun kdispatch with an interrupt vector of 1, i. e.,
exactly the reset interrupt is raised.
In further computations, a kernel execution consists of the following parts:
If there exists a current application, the application executes a single step. Then,
Cvm computes the masked exception cause and converts the value of the exception data
register (recall Section 2.6) to invoke the Olos main function fun kdispatch if an enabled
interrupt has been detected. The return value of the dispatcher function determines what
Cvm does next: if the return value is a valid process identifier Cvm starts the currently
scheduled application or otherwise idles until the next device interrupt occurs.
The formalization of the kernel execution function fun cvmstep described above is
given with:
procedures fun cvmstep () =
IFg ´reset THEN ´reset :=g False;
´eca :=g 1;
´edata :=g 0;
´cvmX :=g (init cvmup, snd ´cvmX)
ELSE IFg (fst ´cvmX).currentp = ⊥
THEN ´eca :=g mca nat ⊥ (snd ´cvmX) (fst ´cvmX).statusreg;
´edata :=g 0
ELSE ´proc :=g cvm apps ´cvmX d(fst ´cvmX).currentpe;
´eca :=g mca nat b´ procc (snd ´cvmX) (fst ´cvmX).statusreg;
´edata :=g edata nat ´proc;
´cvmX :=g
((fst ´cvmX)
(|userprocesses := userprocesses step (cvm apps ´cvmX) d(fst ´cvmX).currentpe|),
snd ´cvmX)
FI
FI;
134
5.2 Relating Implementation and Abstract States
IFg 0 < ´eca
THEN ´cp := CALLg fun kdispatch(´ eca,´ edata);
´cvmX :=g ((fst ´cvmX)(|currentp := if ´cp ∈ procnumT then bnat2pid ´cpc else ⊥|), snd
´cvmX)
FI
5.1.5 Defining the Implementation Invariant
The generated Olos implementation state has been augmented by the external variable
cvmX and the reset variable reset. Each kernel execution is constrained by certain
properties and requirements. They are encapsulated in the implementation invariant
invImpl which is established at the initialization and preserved by the kernel executions,
user steps and external device transitions.
Our implementation invariant comprises the following assumptions:
• validity of the Olos implementation state is validStatei sv
• consistency of the external state component (fst sv.cvmX).currentp and the Olos
variable ca
• disabled reset interrupt ¬ sv.reset
Formally:
invImpl sv ≡
is validStatei sv ∧
(fst sv.cvmX).currentp =
if sv.ca ∈ procnumT then bnat2pid sv.cac else ⊥ ∧
¬ sv.reset
5.2 Relating Implementation and Abstract States
After we have formalized implementation states and an overall transition function, we
need a simulation relation between implementation states and states of the abstract
model. More precisely, we use a function absImpl that maps implementation states to
model states:
absImpl sv ≡
(|AM = cvm apps sv.cvmX,
MBa = map (λn. sv.heap msg (sv.MB ! n))
[0..<MSGCOUNT],
idleflag = (sv.ca = IDLE),
abc dev = cvm abc sv.cvmX|)
This function constructs a state of the ECU automaton as described in Section 4.3.
From the external Cvm state, we extract the applications and the device state. They
are stored in the components AM and abc dev, respectively. Furthermore, the variable
of the current application ca is abstracted to the idle flag, i. e., the flag is raised iff sv.ca
135
5 Implementation Correctness
= IDLE. Finally, the message buffers are gathered from the different memory objects
in the implementation, which are scattered over the heap. The abstraction function is
depicted in Figure 5.3.
Furthermore, we prove two lemmata that relate properties of the implementation state
to the corresponding ones of the abstracted specification state.
Lemma 5.5 (Validity after Abstraction). A valid implementation state can be related
via absImpl to a valid specification state. Formally:
is validStatei sv =⇒ is validStatea (absImpl sv)
Proof. Since the implementation state and the abstract state share the same applica-
tion and ABC model their validity can be derived by simply unfolding some definitions.
From the correct implementation state we know that messages are well-formed i. e., they
have a defined length MSGLENGTH and all values are signed 32-bit integers. These re-
quirements are also encapsulated in predicate is valid intlistMsg in the abstract model.
Hence, valid message buffers in the implementation layer imply validity of abstract mes-
sage buffers. The remaining properties can be derived directly by applying the definition
of the abstraction function absImpl.
Lemma 5.6 (Initial after Abstraction). An initial implementation state can be related
via absImpl to an initial specification state. Formally:
is initStatei sv =⇒ is initStatea (absImpl sv)
Proof. Unfolding the definition of initial abstract states and applying Lemma 5.5 we
only have to show that the abstract ABC state is initial and the idle flag is raised. Both
states share the same device model so that we can conclude an initial ABC state from
an initial implementation state automatically. After power-up variable ca is set to IDLE.
According to the definition of the abstraction function absImpl the idle flag is raised.
sv.PAGEC
sv.SPT
sv.AST
sv.BT
tables
scheduling
gl
ob
al
va
ri
ab
le
s
O
l
o
s
im
pl
em
en
ta
ti
on
st
at
e
s
v
sv.cvmX
(ups,devs)
external
component
sv.csn sv.sendflag
sv.ca sv.MB
internal
variables
0 1 .. m
sv.heap msg
msg1
msgm
...
msg0
heap
function
AM abc dev idleflag MBa msg0 msg1 ... msgm
abstracted
ECU state s
u
p
s.
u
se
rp
ro
ce
ss
es
A
B
C
D
ID
=
ID
L
E
Figure 5.3: Abstracting the implementation state
136
5.3 Proving Correctness
5.3 Proving Correctness
In this section we present the formal simulation proof between the implementation and
the specification (recall Figure 5.1 on page 116). First, we prove by induction that
implementation invariant invImpl holds after the induction start and is preserved after all
kernel execution transitions fun cvmstep. Moreover, the implementation state sv can be
abstracted to an abstract ECU state after the initial step. We prove in the induction step
that the semantic effects of the kernel step fun cvmstep can be expressed by the abstract
ECU transition dECU and the abstraction function absImpl is preserved. Finally, we define
an overall implementation transition dIECU and prove the implementation correctness for
finite traces.
5.3.1 Induction Start
The induction start formalizes the correct bootstrap at power up. As already mentioned,
we assume that the reset variable initially has the value True. Additionally, we require
well-formedness, e. g., the correct length of the list representing the array of message
buffers. Finally, we presume that the peripheral device system is in an initial state.
These constraints comprise well-formedness of the device state, on the one hand, and
the correct set-up of flags (cf. definition in abc before olosinit Section 4.1), on the other
hand. We combine all these assumptions in the constant at power up sv:
at power up sv ≡ sv.reset ∧ |sv.MB| = MSGCOUNT ∧ devices before olosinit (snd sv.cvmX)
After the initial kernel execution fun cvmstep the invariant invImpl holds for the suc-
cessor state t, and the abstracted state absImpl t is an initial specification state:
Theorem 5.7 (Induction Start). After power-up, the initial kernel execution fun cvm-
step yields in a successor state t that fulfills the implementation invariant invImpl and
can be related via absImpl to an initial specification state. Formally:
G`t {|sv. at power up sv|} PROC fun cvmstep()
{t. invImpl t ∧ is initStatea (absImpl t)}
Proof. Function fun cvmstep disables the reset flag directly and sets the external state
in such a way that all preconditions are fulfilled to reuse the result of Theorem 5.1 on
page 124 (after power-up function fun kdispatch invokes directly function fun olos init).
An initial state implies that a state is valid. Since the return value of fun kdispatch is
IDLE component currentp is set to ⊥. Hence, invImpl t holds. Using Lemma 5.6 on the
facing page we may also conclude that the abstracted state is initial as well.
5.3.2 Induction Step
In the induction step, we assume that the invariant initially holds, i. e., invImpl sv. Ad-
ditionally, we require that the implementation state can be abstracted via absImpl to
a specification state. Note that the postcondition of the induction start establishes
137
5 Implementation Correctness
this assumption. After each execution of fun cvmstep, the invariant should hold for
the successor state. We show that the invariant and the simulation are preserved by
the execution of fun cvmstep on the implementation layer and a transition dECU on the
specification layer.
Theorem 5.8 (Induction Step). The simulation relation and the invariant are preserved
under a transition fun cvmstep. Formally:
G`t {|sv. invImpl sv ∧ secu = absImpl sv|} PROC fun cvmstep()
{t. invImpl t ∧ absImpl t = dECU ⊥ secu}
Proof. This prove is based implementation correctness of all Olos functions applied in
the scope of a Cvm step. We benefit from the proved Hoare triples in two respects:
(a) the state validity preserved under the Olos main function fun kdispatch is used to
discharge the implementation invariant after an kernel execution, and
(b) the successor state t satisfying several postconditions serves to prove validity of the
abstraction function absImpl. We abstract this state t and compare it with the result
of dECU applied on state absImpl sv. (Note that we can directly use dolos due to the
definition of the ECU transition function). If both states are equal, the abstraction
function holds.
In this prove we seperate both targets: the preservation of the implementation on the
one hand and the validity of the abstraction function function on the other hand.
1. Implementation invariant is preserved:
After the initialization the reset variable reset remains unchanged after each kernel
execution fun cvmstep. Either Cvm idles or the currently scheduled application
executes an assembly step before the Olos kernel is possibly invoked. Both actions
do not violate the validity of the Olos implementation state. If no interrupt
occurs afterwards, nothing happens and the implementation invariant holds due
to the assumption. Otherwise, the Olos kernel is entered and we know from
the functional correctness theorem (Theorem 5.4 on page 132) of the Olos main
function fun kdispatch that the successor state is also valid is validStatei and the
return value is the value of the Olos variable ca. Thus, variable currentp is related
to the correct value and the invariant holds indeed.
2. The abstraction function holds after all transitions:
We examine the postconditions of the called implementation functions and abstract
them via absImpl to an abstract state. This state has to be equal to the state we
get after applying the abstract function dolos to the abstracted state absImpl sv. We
distinguish between several cases:
a) Cvm idles (i. e., (fst sv.cvmX).currentp = ⊥):
This implies that the Olos variable ca is abstracted to a set idle flag idleflag.
In this situation only an ABC interrupt might occur since the others are
disabled. If the interrupt is not generated, nothing happens and the successor
states can be related via function absImpl. Otherwise, we can directly examine
the postcondition of fun handle int since this function is applied when an
interrupt occurs. We only have to distinguish between the values of the send
138
5.3 Proving Correctness
flag in the device component that is used in the implementation state as well
as in the abstracted one:
• ¬ (cvm abc sv.cvmX).SF:
We have to consider every changed variable in the postcondition of the
interrupt handler fun handle int and compute a successor state with func-
tion absImpl. Then compare this state with the result of an abstract Recv
Phase function. Variable t.ca has been set to the current application
schedule table entry, hence we conclude ¬ (absImpl t).idleflag. The mes-
sage buffer and the ABC device have been modified by Cvm primitives
that rely on the multiple execution of the internal ABC transition. The
message buffer and device equality is obtained by unfolding these primi-
tives and applying the lemmata Lemma 4.5 on page 109 and Lemma 4.6
on page 109.
• (cvm abc sv.cvmX).SF:
In this case, we have to compare the abstracted postcondition of function
fun handle int with the result of an abstract Send Phase function. Vari-
able t.ca has been set to IDLE, thus we conclude ¬ (absImpl t).idleflag. The
manipulation of the ABC device with Cvm primitives equals the direct
modification within function Send Phase. This can be shown be unfold-
ing the primitive definitions and apply lemma Lemma 4.7 on page 110.
equal devices.
b) an application executes (i. e., (fst sv.cvmX).currentp = bpidc):
This implies that the Olos variable ca is not zero and hence the abstracion
is ¬ (absImpl sv).idleflag. Function fun cvmstep performs an assembly user step
userprocesses step. Then, we distinguish between several cases:
i. no ABC interrupt occurs:
With this flag combination we apply function Compute Phase on the
abstract layer that computes an output wapp from the user-process com-
ponent and performs transition dcc according to the corresponding input.
• runtime error occurs:
on the implementation layer function userprocesses step gets stuck
(recall Section 2.8.2) and the Olos kernel does not change this state.
The output wapp returns StuckErr in this case and the application
state also remains unchanged. The other components are not affected.
• application requests service from the kernel:
Then the current instruction is a trap instruction. In this case,
function userprocesses step increases the program counters and en-
ters Olos. Function fun handle trap handles the incoming interrupt
and the successor state fulfills postcondition handle trappost. When
the trap number is invalid Olos does nothing. On the abstract layer
the output function computes Undefined Trap and dcc returns a
state with increased program counters.
Otherwise, we distinguish on the particular trap number. In each
case, we unfold the used Cvm primitive functions of postcondition
139
5 Implementation Correctness
handle trappost and compare it to the effects of function dcc. Unfold-
ing the used functions manipulating the application on the abstract
layer, we obtain the same results.
ii. an ABC interrupt occurs:
An occuring ABC interrupt in this situation implies a deadline viola-
tion and the Olos function fun handle int is called. On the abstract
layer, function Comp DL Violation adjusts the user-process component
and starts the Send Phase or the Recv Phase respectively. After function
Comp DL Violation the user-process component equals the user-process
component after one userprocesses step transition. The effects of the send
or receive phase on the abstract layer are equal to the abstracted state
fulfilling handle intpost (this case resembles the one when Cvm idles and
an ABC interrupt occurs, the only difference is the manipulation of the
user-process component before).
5.3.3 Simulation
In the last subsection we expand the correctness theorem to a simulation theorem over all
finite traces. Until now we have proved that the ECU model abstracts kernel executions
fun cvmstep. However, an ECU may either perform kernel steps or device transitions.
Thus, we define an overall implementation function dIECU that combines external device
transitions and kernel execution steps including the Olos implementation.
From the two previous theorems we know that function fun cvmstep terminates.
Moreover, C0 is deterministic. Thus, employing the soundness theorem of the Hoare
logic [Sch06] allows us to interpret the proved Hoare triples on the operational semantics
which results in our case in a transition function. In other words there exists a function
that computes from a given pre-state sv exactly one resulting successor state t. We call
this function dICVM. Now, we can formalize the overall implementation transition d
I
ECU
that combines the kernel computation and ABC transitions analogous to dECU in Sec-
tion 4.3. This function takes an implementation state sv and an optional input eifi from
the external environment. Depending on this input the overall implementation function
either performs a kernel step dICVM (in case that eifi = ⊥) or an external ABC transition
deabc. Formally:
dIECU eifi sv ≡
case eifi of ⊥ ⇒ dICVM sv
| bec ⇒
sv(|cvmX := (fst sv.cvmX, (snd sv.cvmX)
(nat2dev ABC ID := fst (deabc e (cvm abc sv.cvmX))))|)
Certainly, we require that the invariant is preserved after an external ABC device
transition deabc. Therefore, we define a predicate valid inputs that ensures validity of all
incoming messages from the external environment:
140
5.3 Proving Correctness
valid inputs eifis ≡
∀i∈set eifis. ∀msg . i = beifi abc msg msgc −→ is valid intlistMsg msg
Now, we can prove the theorem of the invariant preservation after the execution of an
external ABC transition.
Theorem 5.9 (External ABC Transition preserves Invariant). We assume a current
state sv where the invariant holds (i. e., invImpl sv) and a non-empty valid external in-
put valid inputs (eifi  eifis) Then, the invariant is preserved under the external device
transition deabc. Formally:
invImpl
(sv(|cvmX := (fst sv.cvmX, (snd sv.cvmX)
(nat2dev ABC ID := fst (deabc deifie (cvm abc sv.cvmX))))|))
Proof. Note that this transition only changes the device component of our state so
that all predicates over other variables remain unchanged. Thus, we have to show that
valid devices and olos abc consis are satisfied. In the former predicate we can exclude all
requirements that concern the hard disk. Moreover, we know that the external transition
function never changes the send flag and is valid ABC is preserved under deabc (Lemma
4.2 on page 84). The remaining goal is to show the relation between the current slot
numbers. In case that an incoming timer interrupt (j = eifi abc timer) arrives when the
send flag is set, we simply raise the interrupt flag. When a message or a timer signal
occur with a disabled send flag, the ABC device increases the current slotnumber and
enables the interrupt flag. These conditions fulfill the if-branch of predicate olos abc
consis so that (sv.csn + 1) mod SLOTCOUNT removes the delay to the implementation
variable.
Finally, we can formalize our simulation theorem, where we iterate transitions over a
list of optional external inputs is using the function fold. Note that the implementation
and the abstract transition function get the same input list. Thus, with an empty input
the abstract function dolos simulates the overall implementation function fun cvmstep.
Otherwise, we use function deabc on both layers.
Theorem 5.10 (Simulation). For an initial implementation state sv0, where at power
up sv0 holds, we obtain simulation on external inputs is fulfilling valid inputs is between
the implementation dIECU and its specification dECU after the initial step sv1 = d
I
ECU ⊥
sv0.
Formally:
absImpl (fold dIECU is sv1) = fold dECU is (absImpl sv1)
Proof. Theorem 5.7 on page 137 states that starting in the state sv0 at power-up, the
initialization step sv1 = dIECU ⊥ sv0 establishes the implementation invariant as well as
the simulation absImpl between implementation and specification states. This simulation
is preserved under transitions of both models because of Theorem 5.8 on page 138 and
Theorem 5.9 stating that external ABC transitions deabc preserve the invariant.
141
5 Implementation Correctness
142
6 Towards Pervasively Verified Applications
Per ogni problema complesso esiste una soluzione semplice,
ed e` quella sbagliata.1
Umberto Eco, quoted in: ”Il pendolo di Foucault”
Contents
6.1 Process Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.1.1 System Call Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.1.2 Extending Compiler Correctness to Applications . . . . . . . . . . . . . . 165
6.2 Computation Step Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
6.3 Embedding Applications into the Overall ECU Model . . . . . . . . . . . . . . . 168
6.4 Reasoning about Applications – a Practical Example . . . . . . . . . . . . . . . . 169
In this chapter, we describe an approach to pervasively verify applications [DSS10]
running on top of our operating system Olos. The correct operation of applications
inherently relies on the correctness of the operating system. An important challenge
here is the interaction of the application programs with our operating system Olos that
has the task to retrieve input data from applications and peripheral devices and transfers
output data to these components. We report on the necessary theorems that allow to
transfer verification results down to the operating system level and thus, establish a
formal link between proofs on the application layer and those on the operating system
layer [DDWS08]. More specifically, we extend the previously existing language stack
from Section 2.1 to application programs that may communicate with Olos.
The overall proof plan is depicted in Figure 6.1 on the next page: The three rows depict
the different semantic layers consisting of the languages Simpl, C0 and Vamp assembly.
The left most column reflects the language stack as described in Section 2.1. There
are transfer theorems [Sch06] stating that properties proved for Simpl hold on the C0
layer. Furthermore, the correct C0 compiler of Leinenbach & Petrova [LP08] translates
sequential C0 programs to Vamp assembly (Theorem 2.1 on page 30). The second
column depicts the extension of sequential C0 and assembly programs to application
processes (denoted with app) where outputs and inputs model the comunication with the
operating system. We introduced the extended languages in Section 4.2. In Section 6.1
we will present the extended compiler theorem Theorem 6.14 on page 166 that relates
the C0 and the assembly process model.
1For every complex problem, there’s a simple solution, and it’s wrong.
143
6 Towards Pervasively Verified Applications
Simpl
seqC0
seqasm
Transfer
Compiler Correct
appC0
appasm
Ext. Compiler
Simpl
ccC0
ccasm
Transfer
cc Simulation
tcECU
Figure 6.1: Extending the Language Stack towards Concurrency
The third column illustrates the extension of the language stack to cooperative con-
current applications (marked with cc). The term cooperative concurrency refers to the
sequential execution of applications with system calls until a final call of the synchro-
nization primitive olosExFinished. With our approach we prepare the basis to specify
application programs interacting with Olos in Simpl. In the Hoare logic we can reason
efficiently about sequential, type- safe, and assembly-free C0 programs. In contrast to
the lower semantical layers, the specification of the system calls in Simpl does not require
a language extension. Then, we can use transfer theorems to translate the results derived
on the Simpl layer to C0. In Section 6.2 we present a simulation theorem (Theorem 6.15
on page 167) stating that all results on the C0 layer still hold at the assembly level. The
lowest layer of this stack is embedded into a true concurrent ECU model (tcECU) with
an interleaved application execution (last column). In Section 6.3, we provide a theorem
(Theorem 6.16 on page 168) that allows us to infer properties about the entire ECU
behavior by combining verification results from the applications running on the ECU.
In the last section (Section 6.4) of this chapter, we give an example how this verification
approach can be used in practice.
6.1 Process Simulation
Section 2.4 reported that Leinenbach & Petrova proved compiler correctness in form of a
correctness theorem Theorem 2.1 on page 30 between sequential C0 and Vamp assembly.
In this section, we extend their theorem to processes we introduced in Section 4.2. Most
notably, we show that all implemented C0 functions in the system call library (Section
3.4) can be compiled into Vamp assembly code that is executed in a certain number of
steps on the target machine.
We consider the interaction between an application and the operating system from the
point of view of the application. According to Table 4.3 on page 86 an application sends
an output to the operating system, which in turn responds with a corresponding input
(except the output is StuckErr). The set olos responses collects all these matching
output-input pairs.
We relate C0 and assembly application states by the simulation relation consisapp.
144
6.1 Process Simulation
Predicate consisapp takes a C0 and an assembly state together with an allocation function
alloc. Application consistency requires that previous executions did not get stuck (i. e.,
SC0 = bsC0c), that the C0 simulation relation of Definition 2.1 on page 27 holds and the
application sizes in both layers are equal. Formally:
consisapp SC0 alloc sasm ≡
(∃sC0. SC0 = bsC0c ∧ consistent sC0.ttab sC0.ftab sC0.pstate alloc sasm) ∧
sizeapp SC0 = sizeapp sasm
Figure 6.2 depicts the scenario of application simulation: We assume that previous
executions did not get stuck i. e., the application state SjC0 6= ⊥ and the output w is not
StuckErr. On the C0 layer, the application state SjC0 computes an output w that is
sent to the kernel. The corresponding response of the operating system to this output
is the abstract transition dapp i leading to a successor state S
j+1
C0 . We relate the C0
application state SjC0 to a consistent state s
m
asm on the Vamp assembly layer. After a
certain number of assembly transitions we reach a final state snasm that can be related
via consisapp to the successor state S
j+1
C0 . We prove that there exists a state s
t
asm on
the assembly layer that generates the same output w as the C0 state SjC0. Moreover,
dapp i reflects the kernel response on the assembly layer (according to Section 4.2.1 we
stated that the transition function dapp can be used on both layers). All remaining Vamp
assembly states have empty outputs and therefore lead to local sequential assembly steps
dasm. Note that dasm equals dapp eSv.
asm smasm stasm st+1asm s
n
asm
C0 SjC0 S
j+1
C0
d
+
asm
dapp i d+asm
dapp i
co
n
si
s a
p
p
co
n
si
s a
p
p
w
w
Figure 6.2: Application Simulation
A C0 transition simulates a certain number of assembly steps. Hence a single output-
input pair [oi] on the C0 layer simulates a corresponding output-input sequence on
the assembly layer ois ′. Certainly, the application models on C0 and the assembly layer
should invoke the same primitives in such a way that output-input pairs are equal except
for internal steps (eW, eSv). To express this fact, we define a normalization function
ois ′ over an output-input sequence ois ′ that deletes all internal steps. Formally:
ois ≡ [oi∈ois . oi 6= (eW, eSv)]
145
6 Towards Pervasively Verified Applications
Successful execution of an application is characterized by the absence of runtime errors.
We define the successful execution of a C0 application as follows:
Definition 6.1 (Successful Execution of a C0 Application). The computation of a C0
application is called successful execution iff
• all output-input pairs are valid with respect to the current application state (i. e.,
∀oi∈ois. oi ∈ olos responses) and
• no runtime error occurs during the execution (i. e., ¬ is runtime error)
Formally, successful C0 application execution is defined inductively over output-input
sequences:
`procC0 SC0
[ ]−→ S ′C0 = (SC0 = S ′C0 ∧ ¬ is runtime error (wC0 SC0))
`procC0 SC0
(oi  ois)−−−−−−→ S ′C0 =
(oi ∈ olos responses ∧
`procC0 dC0 (snd oi) SC0
ois−→ S ′C0 ∧ ¬ is runtime error (wC0 SC0) ∧ wapp SC0 = fst oi)
The successful execution of assembly applications is defined similarly. However, the
sequenctial compiler correctness guarantees that the compiled code of a C0 program
does not modify itself. More specifically, for each successor state s ′asm after an assembly
instruction the code range of the memory should neither been written crange (i. e.,
no mem write inside range sasm s
′
asm crange), nor should the program counters point
outside this memory range (i. e., inside range crange sasm.dpc). Recall that we augmented
the sequential Vamp assembly language with the trap instruction. Hence, the negation
of predicate mem write inside range is not sufficient to express that the code range of the
memory has not been written by an assembly instruction. More precisely, we require that
a current trap instruction does not change this memory as well. Then, we encapsulate
the requirements that neither an assembly instruction of the sequential semantics nor
a trap instruction alter the code range of the memory into predicate no mem write
inside range.
Below, we define the successful execution of assembly applications:
Definition 6.2 (Successful Execution of a Vamp Assembly Application). The compu-
tation of a Vamp assembly application is called successful execution with respcet to the
code range crange iff
• all output-input pairs are valid with respect to the current application state,
• no runtime error occurs during the execution (i. e., ¬ is runtime error),
• the memory of crange is not written, and
• all fetched assembly instructions are located in crange
We specify successful Vamp assembly application executions inductively over output-
input sequences:
crange `procasm sasm [ ]−→ s ′asm = (sasm = s ′asm)
crange `procasm sasm (oi  is)−−−−−→ s ′asm =
146
6.1 Process Simulation
(oi ∈ olos responses ∧
crange `procasm dasm (snd oi) sasm is−→ s ′asm ∧
¬ is runtime error (wasm sasm) ∧
wapp sasm = fst oi ∧
no mem write inside range sasm (dasm (snd oi) sasm) crange ∧
inside range crange sasm.dpc)
Daum [DDWS08] formulated process simulation first for processes running on top of
the microkernel Vamos. We adapted his approach to prove simulation for applications
running on top of Olos. In the remaining section we aim to prove the fact that one tran-
sition of a C0 application simulates a transition sequence of the corresponding assembly
application.
We assume a valid C0 application state SC0 that performs one successful execution
step. Moreover, we have a consistent assembly state sasm that is not in a delay slot
(i. e., sasm.pcp = sasm.dpc + 4). Then, we aim to prove that there exists an output-input
sequence ois ′, an allocation function alloc ′ and a final assembly state s ′asm so that
• both application models invoke the same primitives (i. e., [oi] = ois ′ )
• the successor states of both layers are valid and consistent
• the final assembly state s ′asm is not in a delay slot (i. e., s ′asm.pcp = s ′asm.dpc + 4)
Formally:2.
[[is validapp SC0; is validapp sasm; sasm.pcp = sasm.dpc + 4;
consisapp SC0 alloc sasm; `procC0 SC0
[oi]−−→ S ′C0]]
=⇒ ∃ois ′ alloc ′ s ′asm.
[oi] = ois ′ ∧
code range SC0 `procasm sasm ois
′−−→ s ′asm ∧
is validapp S
′
C0 ∧
is validapp s
′
asm ∧
s ′asm.pcp = s ′asm.dpc + 4 ∧ consisapp S ′C0 alloc ′ s ′asm
Basically, this statement can be shown by a case distinction on the output-input pair
oi. The assumption that the C0 transition does not get stuck already excludes some
cases. For the empty pair (eW, eSv), we employ Lemma 2.2 on page 31 because internal
steps can be broken down to transitions of the sequential language. The remaining cases
are the three Olos system calls. For these cases, we consider the implementation of the
system call functions. Then, we show application simulation in two steps:
1. each function of the system call library is simulated by the abstract C0 transition
dapp
2. all system call primitives implemented in C0 can by compiled to Vamp assembly
code that is executed in a certain number of steps on the target machine
2For convenience we overload the definition of code range word for C0 applications:
code range SC0 ≡ code range word dSC0e.ttab (gm st dSC0e.pstate.mem) dSC0e.ftab
147
6 Towards Pervasively Verified Applications
6.1.1 System Call Simulation
In this subsection, we prove a simulation theorem stating that the abstract transition of
a system call on the C0 level equals the execution of the corresponding C0 function body.
We know from Section 3.4 that each function of the system call library includes an inline
assembly portion and a return statement in its body. Thus, their semantics cannot be
solely described in C0 but we additionally have to consider the Vamp assembly layer.
Figure 6.3 on the next page exemplarily depicts an overview over the verification
approach for the system-call function olosRecvMsg: All states and edges that are con-
sidered in this subsection are highlighted in black whereas the parts drawn in grey are
proved in theorem Theorem 6.13 on page 165. On the C0 level, only a non-empty C0
application state SC0 = bsjC0c can request a service from the operating system. Other-
wise, previous executions got stuck and the output w would be given with StuckErr.
In our scenario the application requests with its output to receive a message from the
operating system (i. e., wapp SC0 = RecvMsg msgnum). Recall Section 4.2.3, that in
this case the application has sufficient memory, the current statement is a function call
and the evalutation of the corresponding parameters does not fail. The effects of the
response from the operating system are specified in transition dapp i that computes a
non-empty successor state S ′C0 = bsj+1C0 c. We prove that this state is equal to a state
we obtain after the execution of the complete code implementing a system call function.
This execution can be split into three parts due to the implementation of system calls:
• the execution of the function call statement SCall,
• followed by the execution of the function body that contains
– an inlined assembly portion followed by
– a Return statement.
Thus, we compute the effects of a system call implementation execution on two layers -
the C0 small-step semantics on the one hand and the Vamp assembly layer on the other
hand. In Section 2.5 we described a method how to deal with inline assembly within
C0 code. We integrate the results obtained on the Vamp assembly layer by using this
technique. After the execution of the function call statement SCall (i. e., in state s ′C0)
we encounter the first statement of the function body. In our case it is a list of assembly
instructions. Hence, we continue the execution on the Vamp assembly layer from a state
s1asm that is consistent to s
′
C0. From Section 3.4 we know that the portion of inline
assembly contains two load instructions followed by a trap and a store instruction.
Thus, we reach an assembly state s3asm after two transitions that generates the same
output w as state sjC0. The last step is equal to the first two steps a sequential Vamp
assembly transition in such a way that all other outputs (except the one computed in
state s3asm) are eW. When the list of assembly instructions has been executed successfully,
we construct a C0 state s ′′C0 that is consistent to the final assembly state s5asm. Finally,
the C0 state after a C0 small-step execution of the Return statement should be sj+1C0 .
Figure 6.3 on the next page
Olos system calls can be classified into three different cases according to the modifi-
cations on the application state in the Vamp assembly layer:
• registers and memory remain unchanged:
148
6.1 Process Simulation
smasm s
1
asm s
3
asm s
4
asm s
5
asm s
n
asm
sjC0 s
′
C0 s
′′
C0 s
j+1
C0
d
+
asm d
2
asm
dapp i
dasm d
+
asm
dC0m
SCall
dC0m
Return
dapp i
co
n
si
st
en
t
co
n
si
st
en
t
co
n
si
st
en
t
co
n
si
st
en
t
w
w
Figure 6.3: Verification plan for the C0 implementation of the olosRecvMsg primitive
System call olosExFinished neither modifies the memory of the application nor
writes the result register on the Vamp assembly layer
• the result register is modified:
This is either the case when the application successfully sent a message to the
operating system (i. e., olosSendMsg) or the operating system returns an error value
to the application (note that this might happen for the system calls olosSendMsg
and olosRecvMsg)
• the memory and result register are modified:
when the application requests to receive a message olosRecvMsg without causing
an error the operating system stores the message into the memory and updates
the result register of the application
In the following subsections we use the most complex case to exemplarily show the
effects of the olosRecvMsg system call that causes no error. We explain stepwise the
effects of all transition functions on C0 or Vamp assembly states and briefly describe
how to treat the other cases. Finally we prove the simulation theorems stating that each
function of the system call library is simulated by the abstract C0 transition dapp.
Execution of the SCall Statement
We start in a C0 state SC0 = bsjC0c where the output signals a request to receive a
message from the operating system (i. e., wapp SC0 = RecvMsg msgnum). This output
implies that the memory is sufficient after extending the local stack and first statement
is a function call of “olosRecvMsg” with two valid parameters. More specifically, the first
statement of the program rest is given with:
fst stmt sjC0.pstate.prog = SCall lv “olosRecvMsg” es sid
Recall Section 4.2.3, that the parameter list es consists of two elements: the first one (es
! 0) keeps the message pointer and the second one (es ! 1) stores the message number.
The execution of a function call in the small-step semantics has the following effects:
149
6 Towards Pervasively Verified Applications
• a new stack frame is created,
• the function parameters are evaluated and copied into this frame, and
• the function-call statement in the program rest is substituted by the body of the
called function.
Recall that the transition function is partial (Section 2.3). Then, the transition func-
tion dC0m is only defined iff:
1. the function name fn has a corresponding definition in the function table,
2. the return variable lv is either a global variable or a variable of the topmost local
memory frame, and
3. the evaluation of all parameters are valid.
For all Olos system calls, we can show that the small-step semantics of the function
call succeeds:
Lemma 6.1 (Successful Execution of the SCall Statement). We assume a non-empty
valid C0 state SC0 i. e., is validapp SC0 ∧ SC0 = bsjC0c holds. Moreover, the application
neither intends to perform a local step nor does the output function wapp signal a runtime
error i. e., wapp SC0 6= eW ∧ ¬ is runtime error (wapp SC0) is fullfilled. Thus, the current
statement is a system call. Then we can conclude that the execution of the SCall
statement is not empty. Formally:
dC0m s
j
C0 6= ⊥
Proof. From the C0 state validity is validapp we know that the program rest is valid,
hence the first statement a fortiori. A valid SCall statement implies that the calling
function is part of the function table and the variable access of the left variable is valid.
The latter in turn means that the variable is either defined as a global or local variable
on the topmost stack frame. For the system call olosExFinished we are done. The other
system calls additionally require that the evaluation of the parameters does not fail.
This fact can be derived by unfolding the output functions wapp and get output.
After the successful execution of the SCall statement in sjC0, we obtain a new C0
state s ′C0. Figure 6.4 on the facing page depicts the different C0 states before (a) and
after (b) the execution of the SCall. The modified memories are illustrated below
the corresponding first statements of the program rest. C0 small-step executions of
SCall statements solely extend the local memory by creating a new stack frame for the
function call and do not affect the global or the heap memory of the successor state.
From Section 2.3 we know that each stack frame consists of a single memory frame stored
together with the return destination of the calling function. Each memory frame again
consists of a content storing elementary values in memory cells, a symbol table holding
variables together with their types and a set of already initialized variables. After the
stack extension the new stack-frame content includes the evaluated values of all function
call parameters listed in es. Moreover, the symbol table of the topmost stack frame
stores the parameters and the local variables of the function. From the precise definition
of function olosRecvMsg in Section 4.2.3, function toplm symbols returns the following
result:
150
6.1 Process Simulation
toplm symbols s ′C0.pstate.mem =
[(“pmsg”, Ptr “TYPE Message Struct”), (“mn”, UnsgndT), (“result”, Integer)]
Furthermore, the set of initialized variables consists of the variables “pmsg” and “mn”.
The left variable lv is either defined in the global memory or the second topmost stack
frame of the local memory (i. e., the topmost stack frame before the new stack frame has
been created). Thus, the return destination keeps the corresponding g-variable value
(computed with function vlookup) of the left variable lv . Formally:
toprd s ′C0.pstate.mem = dvlookup sjC0.pstate.mem lve
The first statement of the new program rest is the function body of the system call. We
know from the precise definition of function olosRecvMsg Section 4.2.3 that the program
rest of state s ′C0 is given as follows:
fst stmt s ′C0.pstate.prog =
Comp (Asm [Ilw 11 30 16, Ilw 12 30 20, trap 2, Isw 22 30 24] sid)
(Return (VarAcc “result”) sid ′)
We proceed with the execution of the first statement.
hm
SCall lv fn es sid
toplm c
.
.
.
lm 0
gm
(a)
fs
t
st
m
t
c
.p
ro
g
c
.m
em
.l
m
c
.m
em
.h
m
c
.m
em
.g
m
Comp
(Asm il sid)
(Return
expr sid ′)
hm
toplm c ′
toplm c
.
.
.
lm 0
gm
(b)
Return
expr sid ′
hm
toplm c ′ res
toplm c
.
.
.
lm 0
gm
msg
(c)
Skip
hm
toplm c res
.
.
.
lm 0
gm
msg
(d)
Figure 6.4: Program State during the System Call Execution
151
6 Towards Pervasively Verified Applications
Execution of the Inline Assembly Code Asm il sid
When an assembly statement Asm il sid is encountered, we switch to the Vamp assembly
layer and start arguing about an arbitrary, fixed assembly state s1asm that is consistent
to s ′C0. From the C0 simulation relation Section 2.4 we know that control consistency
holds i. e., the program counters point to the start of the list pf assembly instructions il.
Then, we can process the assembly portion according to the Vamp assembly semantics.
The memory layout of a compiled program has already been presented in Figure 2.4
on page 27. Recall that each local memory frame starts with a stack frame header that
stores the return address and the return destination of a function, and the previous stack
pointer. The return address specifies the address where to jump after the completion
of the function. In the return destination we store the address where the result of the
function will be written. Finally, each stack frame consists of the content of its C0
counterpart.
In the following lemmata and theorems we often use the same preconditions. There-
fore, we define a predicate common preconds that encapsulates all reusable requirements.
Definition 6.3 (Common Preconditions). Predicate common preconds encapsu-
lates the following preconditions:
• we start in a non-empty C0 application state SC0 = bsjC0c,
• that is valid (i. e., is validapp SC0),
• the application requests to receive a message from the operating system
i. e., wapp SC0 = RecvMsg mn
• the execution of the SCall statement returns the successor state s ′C0 i. e.,
dC0m s
j
C0 = bs ′C0c
• there exists an assembly state s1asm that is consistent to state s ′C0 i. e.,
consistent sjC0.ttab s
j
C0.ftab s
′
C0.pstate alloc s
1
asm
• Moreover, state s1asm is valid i. e., is validapp s1asm
• the application sizes of SC0 and s1asm are equal i. e., sizeapp SC0 = sizeapp s1asm
• Finally, the message msgval received from the application is valid
i. e., is valid intlistMsg msgval
In the following lemma we aim at three goals:
• we require that state s3asm produces the same output as sjC0 whereas all the other
outputs are eW (i. e., the inline assembly portion includes exactly one trap instruc-
tion with the number that corresponds to the C0 system call function olosRecvMsg
whereas the other instructions are local transitions of the sequential Vamp assem-
bly language),
• the final state s5asm stores the function parameters in the registers 11 and 12 and the
result value in the designated register 22. Moreover, the program counter points
to the first address after the executed code and the memory stores the message
value on the one hand and the result value on the other hand.
• in all transitions the program counter always points to addresses within the code
range and the code range is not modified
152
6.1 Process Simulation
Lemma 6.2 (Properties of Inline Assembly Code). We require that predicate common
preconds holds. With all these assumptions, we conclude three properties:
1. Outputs:
wapp s
1
asm = eW ∧
wapp (dapp eSv s1asm) = eW ∧
wapp (dapp eSv (dapp eSv s1asm)) = wapp SC0 ∧
wapp (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm))) = eW
2. Final state:
dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm))) =
(let startaddr = to nat32 (s1asm.mm (to nat32 (s
1
asm.gprs ! 30) div 4 + 4))
in s1asm(|gprs := s1asm.gprs
[11 := s1asm.mm (to nat32 (s
1
asm.gprs ! 30) div 4 + 4),
12 := s1asm.mm (to nat32 (s
1
asm.gprs ! 30) div 4 + 5), 22 := 0],
dpc := 16 + s1asm.dpc, pcp := 20 + s
1
asm.dpc,
mm := (λi . if i < startaddr div 4 ∨ startaddr div 4 + |msgval| ≤ i
then s1asm.mm i
else msgval ! (i − startaddr div 4))
(to nat32 (s1asm.gprs ! 30) div 4 + 6 := 0)|))
3. No code modifications:
inside range (code range SC0) s1asm.dpc ∧
inside range (code range SC0) (dapp eSv s1asm).dpc ∧
inside range (code range SC0) (dapp eSv (dapp eSv s1asm)).dpc ∧
inside range (code range SC0)
(dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm))).dpc ∧
inside range (code range SC0)
(dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm)))).dpc ∧
no mem write inside range s1asm (dapp eSv s
1
asm) (code range SC0) ∧
no mem write inside range (dapp eSv s1asm) (dapp eSv (dapp eSv s
1
asm)) (code range SC0)
∧
no mem write inside range (dapp eSv (dapp eSv s1asm))
(dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm))) (code range SC0) ∧
no mem write inside range (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm)))
(dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s1asm)))) (code range SC0)
Proof. This proof executes all the instructions of the inline assembly code stepwise and
examines the effects carefully: The entire list of assembly instructions is stored in the
code range so that the program counters pointing to their addresses do not leave the
code range. From the consistency, we know that the first instruction to be executed
is the load-word instruction Ilw 11 30 16. This instruction is decodable, the effective
address is smaller than the heap base, the program counters point to an address within
the code range and are divisible by 4. Hence, no runtime error occurs. We described
the effects of a load-word instruction in Section 2.2. The general-purpose register 11
holds the value of the first parameter of the function call and the program counters
are increased. Thus, the next instruction is given by Ilw 12 30 20. Again no runtime
153
6 Towards Pervasively Verified Applications
error occurs because this instruction is decodable, the increased program counters are
divisible by 4 and the effective address is smaller than the heap base. After the execution
of the second load-store instruction, the general-purpose register 12 stores the value of
the second parameter of the system call and the program counters point to the next
instruction. In our case the next instruction is trap 2 so that the output function
returns RecvMsg mn. This output equals the one on the C0 layer. The effects of the
corresponding transition function dapp are defined in Section 4.2.2. The trap instruction
writes the message into the global or heap memory range and the result value 0 into
the result register 22. Hence, the code range remains unchanged. Furthermore, the
program counters are increased and point to the next instruction. This instruction is the
store-word instruction Isw 22 30 24. It is decodable, the program counters are divisible
by 4 and lie within the code range. Thus, no runtime error occurs. The store-word
instruction stores the return value 0 kept in the result register 22 into the main memory
at the address of the local result variable of the system call. It does not overwrite the
message since local variables are stored on the stack. This area does not overlap with
the memory region for global or heap variables, hence the load-store target is addressed
below the heap base. Moreover, the program counters are increased such that they point
to the first address after the assembly code. During these step-by-step executions of the
assembly code we derived all the results stated above. No runtime error occurred so that
all states except one compute an empty output eW. Then, a local step of the sequential
Vamp assembly language is performed. The exception occurs when the trap instruction
is met. Here, the output function returns RecvMsg mn which is equal to the output
computed in the starting state SC0 on the C0 layer (subgoal 1 of the proof is satisfied).
All effects of the executions are reflected in the final assembly state (subgoal 2 holds).
Finally, the code range remained unchanged and the monotonously advancing program
counters never left this memory region (this satisfies subgoal 3).
Furthermore, we can derive some properties of the state s5asm that is reached after the
execution of all inline assembly instructions.
Lemma 6.3 (Properties of the Final Assembly State). We require that common pre-
conds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval holds. Furthermore, state s
5
asm is the final state
after the execution of the inline assembly code i. e., s5asm = dapp eSv (dapp (RecvSuccess
msgval) (dapp eSv (dapp eSv s1asm))) holds.
Then, we conclude that the final state s5asm fulfills well-formedness is valid asm s
5
asm, the
special purpose registers have not been changed i. e., s5asm.sprs = s
1
asm.sprs is satisfied and
the state is not in a delay slot in such a way that s5asm.pcp = s
5
asm.dpc + 4 is fulfilled.
Formally:
is valid asm s5asm ∧ s5asm.sprs = s1asm.sprs ∧ s5asm.pcp = s5asm.dpc + 4
Proof. These facts can be derived easily from Lemma 6.2 on page 152 examining the
final state.
Constructing a Consistent C0 State. After the successful execution of the entire as-
sembly instruction list, we obtain the final assembly state s5asm (more specifically s
5
asm =
154
6.1 Process Simulation
dapp (RecvSuccess msg) (dapp eSv (dapp eSv s1asm))). According to the proposed method
in Section 2.5 we use the final state s5asm to construct a corresponding consistent C0 state
s ′′C0. We use the construction function C0 asm upd that takes the old C0 state s ′C0,
the old and new assembly states (i. e., s1asm and s
5
asm respectively), an allocation function
alloc and a list of modified elementary g-variables. In the receive case, the message and
the result value have been written into the memory of state s5asm. Recall Section 3.4.1
that the message type TYPE Message Struct ′ty is not elementary. Instead of listing all
elementary g-variables of the message, we introduced a function msg gvars that takes
the root g-variable of the message and computes this list. Thus, we obtain the root
g-variable of the message by taking the left value of the evaluated dereferenced message
pointer. Thus, the first part of the list containing all modified elementary g-variables is
given by:
msg gvars devalm sjC0 (Deref (es ! 0))e.ds lval
For the updated result variable, we append the g-variable value of the local “result”
variable of the topmost stack frame to the list. Hence, the entire list keeping the modified
elementary g-variables is given below:
msg gvars devalm sjC0 (Deref (es ! 0))e.ds lval }
[gvar lm (recursion depth sjC0.pstate.mem) “result”]
We first show that the preconditions preconds C0 asm upd hold, so that we can con-
struct a consistent C0 state.
Lemma 6.4 (C0 Construction Preconditions). We assume that the common precon-
ditions common preconds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval hold. Moreover, the first
statement of the program rest in state sjC0 is a call of function “olosRecvMsg” with the
left variable lv and the parameter list es (i. e., fst stmt sjC0.pstate.prog = SCall lv “olos-
RecvMsg” es sid). Furthermore, state s5asm equals the final state after the execution of all
inlined assembly instructions (i. e., s5asm = dapp eSv (dapp (RecvSuccess msgval) (dapp
eSv (dapp eSv d)))). Then, we conclude that predicate preconds C0 asm upd is satisfied.
Formally:
preconds C0 asm upd s ′C0 s1asm s5asm alloc
(msg gvars devalm sjC0 (Deref (es ! 0))e.ds lval }
[gvar lm (recursion depth sjC0.pstate.mem) “result”])
Proof. After unfolding the definition of preconds C0 asm upd we encounter all subgoals
defined in Section 2.5. Thus, we prove that each subgoal is fulfilled:
• Due to the final state derived in Lemma 6.2 on page 152 predicate pcs exec value
correct is satisfied, the code region and the special purpose registers have not been
modified, hence code region const and reg pointers const hold.
• The root g-variable of the message is either global or a heap variable, hence all its
elementary g-variables are global or heap variables. The result variable is a local
variable of the topmost stack frame so that is top local gvar holds for it.
155
6 Towards Pervasively Verified Applications
• All subvariables of an initialized root g-variable are initialized. The successful
evaluation of the root g-variable of the message implies its initialization. The
result variable is a root variable.
• From the given root g-variable of the message msg gvar computes all elementary
g-variables. The result g-variable is an elementary g-variable because its of type
integer.
• The result variable is located in the topmost local memory frame, hence it is
reachable. All subvariables of a reachable g-variable are reachable, too. The root
g-variable of the message is reachable after the stack extension.
• After the execution of the inlined assembly instructions only the message and the
result variable have been changed.
The memory update of the construction function is done sequentially for each changed
elementary g-variable. Regarding each update separately is very tedious, hence we com-
pressed the updates logically. The next lemma states that updating all elementary g-
variables of the message with the corresponding elementary value equals a single memory
update with the complex structural message type TYPE Message Struct ′ty.
Lemma 6.5 (Write Message into C0 Memory). Assuming that
• the common preconditions hold i. e.,
common preconds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval,
• the first statement of the program rest in state sjC0 is a call of function “olos-
RecvMsg” with the left variable lv and the parameter list es:
fst stmt sjC0.pstate.prog = SCall lv “olosRecvMsg” es sid, and
• state s5asm equals the final state after the execution of the inline assembly portion
i. e., s5asm = dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s
1
asm))).
Then, the sequential memcell construction of all elementary g-variables of the message
type from a given final assembly state equals a single memory update of the root g-variable
with the entire message. Formally:
C0 mem asm upd sjC0.ttab s
′
C0.pstate.mem s
5
asm alloc
(msg gvars devalm sjC0 (Deref (es ! 0))e.ds lval) =
mem update sjC0.ttab s
′
C0.pstate.mem devalm sjC0 (Deref (es ! 0))e.ds lval
(|ds lval = default, ds type = TYPE Message Struct ′ty,
intermediate = True, ds initialized = True,
ds data = intlist2struct msgval|)
Proof. The root g-variable of the message is either a global or a heap g-variable. Hence,
we distinguish between both cases. Note that all elementary g-variables inherit properties
of their root g-variable in such a way that they are either all global or heap variables as
well. The first value of the message type TYPE Message Struct ′ty is an unsigned integer
and updated successfully in the memory region determined by the root g-variable. The
following values are integers and we show inductively that the memory update of an
elementary variable succeeds. This includes to show that all addresses of the elementary
156
6.1 Process Simulation
g-variables are disjoint and immediately consecutive. Furthermore, each single message
value stored in the assembly memory is successively updated in the C0 memory. Recall
that the correct assignment between both memory models is ensured because function
C0 mem asm update gvar uses the allocation function to construct the new C0 memory
(recall Section 2.5). The allocation function takes care of the correct assignment between
values at a certain address in the assembly main memory and the memory object in the
C0 memory. Furthermore, the sequential updates of each elementary g-variable up to
the n-th element of the message type should equal one single memory update of the
entire message type TYPE Message Struct ′ty up to the same element. For each memory
update we have to prove that the symbol tables remain unchanged. This holds because
memory updates do not affect the symbol tables.
Finally, we can prove that the constructed C0 state s ′′C0 is equal to C0 state s ′C0 after
we updated the memory with an entire message and the result value. Note that the
message is either written into the global memory or the heap memory according to the
root g-variable of the message. The result variable on the topmost local memory frame
holds the result value of the system call that is 0 after a successful message transmission.
Lemma 6.6 (Valid C0 State Construction). We assume that
• the common preconditions hold i. e.,
common preconds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval,
• the first statement of the program rest in state sjC0 is a call of function “olos-
RecvMsg” with the left variable lv,the parameter list es and the statement identi-
fier sid:
fst stmt sjC0.pstate.prog = SCall lv “olosRecvMsg” es sid,
• state s5asm equals the final state after the execution of the inline assembly portion
i. e., s5asm = dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s
1
asm)))
• the data slices to update the entire message and the result value are given with
msgds = (|ds lval = default, ds type = TYPE Message Struct ′ty, intermediate =
True, ds initialized = True, ds data = intlist2struct msgval|) and
resds = (|ds lval = default, ds type = Integer, intermediate = False, ds initialized =
True, ds data = λi . if i = 0 then memcellInt 0 else default|) respectively, and
• the root g-variable of the message and the local g-variable of the result variable are
given with
msgg = devalm sjC0 (Deref (es ! 0))e.ds lval and
resg = gvar lm (recursion depth s
j
C0.pstate.mem) “result” respectively.
Thus, we conclude that the construction of a C0 state s ′′C0 that is consistent to the final
assembly state s5asm succeeds. More specifically, the memory of the constructed C0 state
has been updated with the message on the one hand, and the result value on the other
hand. Finally, the first statement of the program rest has been deleted. Formally:
C0 asm upd s ′C0 s1asm s5asm alloc (msg gvars msgg } [resg]) =
bs ′C0(|pstate := (|mem = dmem update sjC0.ttab
dmem update sjC0.ttab s ′C0.pstate.mem msgg msgdse resg resdse,
prog = remove fst stmt s ′C0.pstate.prog|)|)c
157
6 Towards Pervasively Verified Applications
Proof. We know already from Lemma 6.5 on page 156 that the memory update of each
individual elementary g-variable of the message type succeeds and can be comprised to a
single memory update with the entire message. The remaining update of the local result
variable succeeds as well because the g-variable is a root variable and the data slice is
initialized. Furthermore, all restrictions of predicate preconds C0 asm upd are fulfilled
due to Lemma 6.4 on page 155. Then, the new constructed C0 state stores the message
on the one hand and the result value on the other hand. Moreover, the first statement
of the program rest is removed.
Note that both sides of the equation in the lemma above refer to the previously
mentioned C0 state s ′′C0. When no interrupt occurs during the execution of the inline
assembly statement and the C0 state construction succeeds, the constructed state s ′′C0
and the final assembly state s5asm fulfill the sequential simulation relation consistent. A
successful state construction implies that all the requirements of predicate preconds C0
asm upd that ensure code, data and control consistency are satisfied.
Note that the return destination in the topmost stack frame has not been affected
after the construction of a new C0 state so that toprd s ′C0 = toprd s ′′C0 holds. After
the construction of the new C0 state s ′′C0 the first statement is the remaining Return
statement:
fst stmt s ′′C0.prog = Return (VarAcc “result”) sid ′
Execution of the Return Statement
The successful execution of a Return expr sid statement has the following effects:
• the result variable is updated with the evaluated return expression expr,
• the topmost stack frame is deleted and,
• the new program rest is set to Skip
The following constraints have to hold to ensure that the transition function does not
fail:
1. the evaluation of the return expression expr succeeds
2. the return destination stored in the topmost local stack frame is either globally
defined or in the topmost frame of the stack (before the function call was executed)
We prove that the execution of the Return statement in the body of the system call
function olosRecvMsg is successful.
Lemma 6.7 (Successful Execution of the Return Statement). We assume that
• the common preconditions hold i. e.,
common preconds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval,
• the first statement of the program rest in state sjC0 is a call of function “olos-
RecvMsg” with the left variable lv,the parameter list es and the statement identifier
sid: fst stmt sjC0.pstate.prog = SCall lv “olosRecvMsg” es sid,
• the construction of a new C0 state s ′′C0 succeeds and the g-variable of the local
variable “result” belongs to the list of elementary modified g-variables:
C0 asm upd s ′C0 s1asm s5asm alloc (gl } [gvar lm (recursion depth s
j
C0.pstate.mem)
“result”]) = bs ′′C0c,
158
6.1 Process Simulation
• the final assembly state s5asm is valid i. e., is valid asm s5asm is satisfied, and
• the evaluation of the variable access of the local result variable “result” of the
function call returns a data slice that is initialized, is of type integer and contains
the result value of the system call:
evalm s
′′
C0 (VarAcc “result”) =
b(|ds lval = gvar lm (recursion depth sjC0.pstate.mem) “result”, ds type = Integer,
intermediate = False, ds initialized = True,
ds data = λi . if i = 0 then memcellInt 0 else default|)c
With all these assumptions, we conclude that the execution of the Return statement
in state s ′′C0 succeeds. Moreover, the return destination of the topmost stack frame
has been updated with the result variable of the system call and the stack frame has been
deleted afterwards. Finally, the first statement of the program rest is the Skip statement.
Formally:
dC0m s
′′
C0 6= ⊥ ∧
ddC0m s ′′C0e.pstate.mem =
remove toplm
dmem update s ′′C0.ttab s ′′C0.pstate.mem (toprd s ′′C0.pstate.mem)
(|ds lval = gvar lm (recursion depth sjC0.pstate.mem) “result”,
ds type = Integer, intermediate = False, ds initialized = True,
ds data = λi . if i = 0 then memcellInt 0 else default|)e ∧
fst stmt ddC0m s ′′C0e.pstate.prog = Skip
Proof. The memory update does not fail because the data slice is initialized and the
g-variable that is modified is a root g-variable. Recall that the execution of the Return
statement updates the return destination of the topmost stack frame that stores the
left variable of the function call. It has been set during the stack extension of the
SCall statement execution and remained unchanged during the C0 state construction.
Moreover, the local memory stack is not empty because it contains at least the stack
frame of the system call. Thus, it is possible to remove the topmost stack frame. The
execution of the Return statement does not fail, the memory has been changed in the
way we described above and program rest is replaced by a Skip statement.
Figure 6.4 on page 151 depicts the different C0 program states before (c) and after (d)
the execution of the Return statement. Note that we sketch only one possible memory
state. The message value may be either stored in the global or the heap memory whereas
the updated result variable is located in the global memory or the topmost stack frame
(before the stack has been extended for the system call).
After the successful execution of the Return statement, the entire body of the system
call function has been executed and we are in the successor state sj+1C0 . Its memory
contains the message on the one hand and the result value of the system call on the
other hand. The first statement of the program rest is given with
fst stmt sj+1C0 .pstate.prog = Skip
159
6 Towards Pervasively Verified Applications
System Call Simulation Theorems
In this subsection, we show that one abstract C0 transition of a system call can be
simulated by a well-defined sequence of C0 small-steps combined with several assembly
transitions. More specifically this sequence resembles the execution of a system-call
implementation. A C0 program state consists of two components: the memory and the
program rest. We consider both of them separately during all transitions belonging to
the execution of a system-call implementation and then combine the results for state
equality.
Equality of Program Rests. We know that the execution of a system-call implemen-
tation succeeds. Furthermore, the three Olos system calls have the same structure.
Thus, we can formulate a lemma that generally states that the program rest after the
execution of all system call statements equals the function that simply replaces the first
statement with a Skip.
Lemma 6.8 (Equality of Program Rests). Assuming that
• a non-empty valid C0 application state SC0 i. e.,
is validapp SC0 ∧ SC0 = bsjC0c holds,
• the application neither intends to perform a local step nor does the output function
wapp signal a runtime error i. e.,
¬ is runtime error (wapp SC0) ∧ wapp SC0 6= eWis fulfilled,
• the SCall statement is executed successfully: dC0m sjC0 = bs ′C0c,
• the constructed C0 state s ′′C0 after the executed portion of inline assembly does not
fail i. e., C0 asm upd s ′C0 d d ′ alloc gl = bs ′′C0c, and
• the Return statement succeeds i. e.,
dC0m s
′′
C0 = bsj+1C0 c.
Then, we conclude that the program rest of sj+1C0 equals the program rest that simply
replaces the first statement of state sjC0 with a Skip instruction. Formally:
sj+1C0 .pstate.prog = rm scall s
j
C0.pstate.prog
Proof. If the application neither intends to perform a local step nor does the output func-
tion wapp signal a runtime error, it requests a service from the operating system. Thus,
we know by unfolding the definitions of the output functions wapp and get output the
first statement of the program rest is an SCall statement. More specifically, the called
functions are “olosExFinished”, “olosSendMsg” or “olosRecvMsg” with precise function
definitions (recall Section 4.2.3). Figure 6.4 on page 151 depicts the progress of the first
statement in a program rest during single executions of the system call implementation.
The small-step semantics of a successful function call substitutes the SCall statement
by the body of the called function. From the function definitions we know that for all
system calls the function body consists of exactly two statements: an inlined assembly
and a Return statement. After the execution of the inlined assembly statement, a new
C0 state s ′′C0 is constructed. The construction function removes the first statement of
160
6.1 Process Simulation
the program rest in state s ′C0. Hence, the first statement of the new C0 state s ′′C0 is
the Return statement. Finally, the successful execution of the Return statement sets
the program rest to Skip. These changes are equal to the substitution of a function call
with the Skip statement.
Equality of Memory States. After we have shown the equivalence of the program rests
for Olos system calls in general, we prove that the abstract transition function dapp of
system call olosRecvMsg computes the same memory state as the execution of the entire
function body of the system call implementation.
Lemma 6.9 (Equality of Memory States). We assume that
• the common preconditions hold i. e.,
common preconds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval,
• the first statement of the program rest in state sjC0 is a call of function “olos-
RecvMsg” with the left variable lv and the parameter list es:
fst stmt sjC0.pstate.prog = SCall lv “olosRecvMsg” es sid, and
• state s5asm equals the final state after the execution of the inline assembly portion
i. e.,
s5asm = dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s
1
asm)))
We conclude that the memory state after the execution of the system call implementation
of olosRecvMsg equals the one we obtain after performing the corresponding abstract
transition function dapp. Formally:
ddC0m dC0 asm upd s ′C0 s1asm s5asm alloc
(msg gvars devalm sjC0 (Deref (es ! 0))e.ds lval }
[gvar lm (recursion depth sjC0.pstate.mem) “result”])ee.pstate.mem =
ddapp (RecvSuccess msgval) SC0e.pstate.mem
Proof. In this proof, we have to examine the memory changes of each step within the
system call function that is illustrated for one particular case in Figure 6.4 on page 151.
The effects of the SCall statement execution is the extension of the local memory
stack. From Lemma 6.6 on page 157 we know that the C0 state construction after the
execution of the inline assembly code does not fail and more specifically, the message has
been written either in the global or in the heap memory. In addition, the constructed C0
state has an updated result variable in the topmost stack frame. During the execution
of the Return statement this value is copied into the left variable of the function call
before the topmost stack is removed. Note that the left variable of the function call is
either located in the global memory or the topmost stack frame of the local memory
before the system call has extended the stack. Thus, the deletion of the topmost stack
frame neither affects the message value nor the result value. We learn in Section 4.2.3
that the abstract transition function dapp in the successful receive case manipulates the
C0 application state with three functions: receiving, set result and del syscall. receiving
stores the message value either in the global or in the heap memory, depending on the
root g-variable of the message. Obviously, the global and the heap memory after the
C0 state construction are equal. Function set result updates the left variable of the
161
6 Towards Pervasively Verified Applications
function call directly with the result value and function del syscall does not affect the
memory state of the C0 application state. Extending the stack, copying the updated
result variable of the topmost stack frame into the left variable of the function and
removing the topmost stack frame have the same effects as the direct update of the left
variable with the result value.
Now we have all prerequisites in place to prove the simulation of the successful system
call olosRecvMsg.
Theorem 6.10 (System Call Simulation of olosRecvMsg). We assume that
• the common preconditions hold i. e.,
common preconds SC0 s
j
C0 s
′
C0 s
1
asm alloc mn msgval
• the first statement of the program rest in state sjC0 is a call of function
“olosRecvMsg” with the left variable lv and the parameter list es:
fst stmt sjC0.pstate.prog = SCall lv “olosRecvMsg” es sid, and
• state s5asm equals the final state after the execution of the inline assembly portion
i. e., s5asm = dapp eSv (dapp (RecvSuccess msgval) (dapp eSv (dapp eSv s
1
asm))).
If an application successfully receives a message the transition function of C0 applications
dapp simulates the execution of the implementation of function “olosRecvMsg”. Formally:
dapp (RecvSuccess msgval) SC0 =
dC0m
dC0 asm upd s ′C0 s1asm s5asm alloc
(msg gvars devalm sjC0 (Deref (es ! 0))e.ds lval }
[gvar lm (recursion depth sjC0.pstate.mem) “result”])e
Proof. We know that the function table, the type table and the program size are never
changed during all execution steps. The program state consists of the memory state and
the program rest. We obtain the equivalence of both memory states by applying Lemma
6.9 on the preceding page. Now, we draw our attention to the program rests: From
Section 4.2.3 we know that the abstract transition function dapp in the successful receive
case modifies the C0 application state with three functions: receiving, set result and del
syscall. The former two functions do not affect the program state, the latter uses function
rm scall to replace the first function call with a Skip statement. In order to prove the
equivalence of both program rests, we have to discharge some preconditions: We know
from common preconds that the C0 application state SC0 is valid and non-empty and
that the output function neither returns an empty output eW nor does it indicate an
occurred runtime error. Moreover, this predicate includes that the SCall statement
execution has succeeded. Lemma 6.2 on page 152 and Lemma 6.6 on page 157 state that
the C0 state construction does not fail. Finally, the execution of the Return statement
succeeds due to Lemma 6.7 on page 158. Therefore, the abstract transition function
indeed simulates the execution of the implementation system call function olosRecvMsg
in the successful receive case.
Considering the Remaining Cases. We showed simulation of the olosRecvMsg func-
tion execution in the successful receive case. As we mentioned before, this case is the
162
6.1 Process Simulation
most complex one because it updates the memory on the one hand and the return
variable on the other hand. Now, we sketch the proofs for the remaining cases. An ap-
plication announces its termination for the compute phase in the actual slot by calling
olosExFinished. In contrast to the other system call primitives, this function has neither
parameters nor local variables. The inline assembly portion only consists of the trap
instruction that does not modify the application’s memory. The theorem proving the
simulation of system call olosExFinished is given below:
Theorem 6.11 (System Call Simulation of olosExFinished). Assuming that
• we start in a non-empty C0 application state SC0 = bsjC0c,
• that is valid i. e., is validapp SC0 holds,
• the application signals its termination for this slot i. e., wapp SC0 = ExFinish
• after the successful execution of the SCall statement we are in state s ′C0:
dC0m s
j
C0 = bs ′C0c,
• there is an assembly state s1asm that can be related to s ′C0 via the C0 simulation
relation consistent i. e.,
consistent sjC0.ttab s
j
C0.ftab s
′
C0.pstate alloc s
1
asm,
• the assembly state s1asm is valid i. e., is validapp s1asm is satisfied, and
• the application sizes of the C0 application state SC0 and the assembly state s1asm
are equal: sizeapp SC0 = sizeapp s1asm
Then, if the application signals its termination in the compute phase of the actual slot the
abstract transition function dapp simulates the C0A execution of the system call function
“olosExFinish”.Formally:
dapp FinishSuccess SC0 =
dC0m dC0 asm upd s ′C0 s1asm (dapp FinishSuccess s1asm) alloc [ ]e
Proof. The stack is extended after the successful execution of the SCall statement. The
inline assembly code does not change a g-variable in such a way that the list of modified,
elementary g-variables required by the update function C0 asm upd remains empty.
This means for the construction of a C0 state that the memory remains unchanged
and only the program rest has been modified. Finally, the expression of the Return
statement is a literal value and is directly written into the left variable of the function.
Afterwards the topmost stack frame is removed. The abstract function dapp internally
sets the result variable set result and deletes the function call with del syscall. We obtain
memory equality because extending the stack, writing the left variable of a function
directly and removing the topmost stack frame afterwards leads to the same memory
state that we obtain by writing the left variable directly. We know from the preconditions
that the C0 application state SC0 is valid and non-empty, that the output function
neither returns an empty output eW nor does it indicate an occurred runtime error and
the SCall statement execution succeeds. After the trap transition, we construct a
C0 state with an unchanged memory state. The execution of the Return statement
succeeds because the memory update of the result variable does not fail and the literal
value in the expression can be evaluated. After the execution of the system calls function
body the states are equal.
163
6 Towards Pervasively Verified Applications
Finally, we consider all remaining cases where only the result variable of the application
is changed. These cases are, in particular, system call olosSendMsg and the cases when
olosSendMsg or olosRecvMsg are called with an invalid message number. Then, the error
value is stored in the result variable . We formalize the respective theorem below.
Theorem 6.12 (System Call Simulation of the Remaining Cases). We assume that
• we start in a non-empty C0 application state SC0 = bsjC0c,
• this state is valid i. e., is validapp SC0 holds,
• the application requests to exchange a message with the operating system:
wapp SC0 = SendMsg msgval mn ∨ wapp SC0 = RecvMsg mn,
• the first statement of the program rest in state sjC0 is a function call with the left
variable lv, the function name fn, the parameter list es and the statement identifier
sid i. e., fst stmt sjC0.pstate.prog = SCall lv fn es sid is fulfilled,
• the execution of the SCall statement succeeds: dC0m sjC0 = bs ′C0c,
• there is an assembly state s1asm that can be related to s ′C0 via the C0 simulation
relation consistent i. e.,
consistent sjC0.ttab s
j
C0.ftab s
′
C0.pstate alloc s
1
asm holds,
• the assembly state s1asm is valid i. e., is validapp s1asm is satisfied,
• the application sizes of the C0 application state SC0 and the assembly state s1asm
are equal: sizeapp SC0 = sizeapp s1asm, and
• the response i from the operating system is either InvalidMsgNr or SendSuc-
cess: i = InvalidMsgNr ∨ i = SendSuccess, and
Then, we conclude that an abstract transition dapp simulates the execution of the imple-
mentation of the corresponding system call function. Formally:
dapp i SC0 =
dC0m
dC0 asm upd s ′C0 s1asm (dapp eSv (dapp i (dapp eSv (dapp eSv s1asm)))) alloc
[gvar lm (recursion depth sjC0.pstate.mem) “result”]e
Proof. In the case that an application successfully sends a message to the operating
system or the application requests a message exchange with an invalid message number
the modifications of the application state are similar. Then, the operating system only
writes the result value into the applications result variable. First, the local stack frame
is extended. After the execution of the inline assembly statement the result register has
been written. The C0 state construction updates the local result variable in the topmost
stack frame with this new value. This value is copied from the Return statement to
the functions left variable address and the topmost local stack frame is removed. The
abstract transition dapp consists of the functions set result and del syscall. With similar,
but simpler considerations as in Theorem 6.10 on page 162 we conclude that a direct
memory update equals the memory state after extending the stack, writing a local result
variable, copying this value to the left variable of the function call and removing the stack.
From the preconditions and proved lemmata that the single executions succeed, we derive
derive the equality of the program rests by applying Lemma 6.8 on page 160.
164
6.1 Process Simulation
6.1.2 Extending Compiler Correctness to Applications
At the beginning of this chapter we aimed to prove the induction step of the extended
compiler-correctness theorem. With the results we derived in the last subsection we can
close the gap in the proof.
Theorem 6.13 (Extended Compiler-Correctness Induction Step). We assume a valid
C0 application state SC0 and a valid assembly state sasm that can be related with the
consistency relation consisapp. Moreover, we obtain a successor state S ′C0 after one
successful C0 application step. If these assumptions hold, there exists an output-input
sequence ois ′, an allocation function alloc and a final assembly state sasm so that
• the normalized output-input [oi] and the corresponding normalized output-input
sequence on the assembly layer ois ′ are equal,
• the assembly process successfully advances from the assembly state sasm under the
output-input sequence ois ′ to a final state s ′asm,
• the final states S ′C0 and s ′asm are valid and s ′asm is not in a delay slot, and
• the final state S ′C0 simulates s ′asm under the the allocation function alloc ′.
Formally:
[[is validapp SC0; is validapp sasm; sasm.pcp = sasm.dpc + 4;
consisapp SC0 alloc sasm; `procC0 SC0
[oi]−−→ S ′C0]]
=⇒ ∃ois ′ alloc ′ s ′asm.
[oi] = ois ′ ∧
code range SC0 `procasm sasm ois
′−−→ s ′asm ∧
is validapp S
′
C0 ∧
is validapp s
′
asm ∧
s ′asm.pcp = s ′asm.dpc + 4 ∧ consisapp S ′C0 alloc ′ s ′asm
Proof. We show this theorem by a case distinction over all output-input pairs: The
empty pair (eW, eSv) signals that the application intends to perform a local step. Local
steps in C0 consist of all possible statements of the sequential C0 semantics. In this case,
we apply the sequential induction step (Lemma 2.2 on page 31). The remaining output-
input pairs belong to the system calls. Therefore, we examine the implementation of the
corresponding system-call functions. We have already shown that the execution of the
implementation code equals an abstract C0 application transition. The implementation
code of all system calls consists of a SCall statement followed by an inline assembly
statement Asm and a Return statement. From the induction hypothesis we know that
there exists a corresponding assembly state sasm that satisfies the simulation relation
consisapp. Using the sequential C0 semantics, the SCall statement is executed. From
the sequential compiler theorem, we conclude that the execution of the corresponding
compiled code yields an assembly state s1asm that satisfies the sequential consistency re-
lation consistent. Starting in this state, we execute the inlined assembly code of the
function body. After several transitions we reach the final state s5asm. During these
executions the code reaches the trap instruction where the transition function dapp on
the assembly layer uses an input i from Olos. Note that all the other transitions in
165
6 Towards Pervasively Verified Applications
the Vamp assembly layer are sequential i. e., the input-output sequence consists of pairs
(eW, eSv). From s1asm, the final assembly state s
5
asm and the C0 state s
′
C0 immediately
before the execution of the inlined assembly statement, we construct the corresponding
C0 state s ′′C0 directly after the assembly statement. For the assembly state s5asm and
the constructed C0 state s ′′C0 the sequential consistency relation consistent holds. Now,
we employ the sequential C0 semantics to execute the Return statement and obtain
the successor state sj+1C0 . From the compiler theorem, we know that there exists a cor-
responding assembly state in such a way that consistent is fulfilled. Furthermore, the
application sizes have not been changed during all these execution steps. From Theorem
6.10 on page 162, Theorem 6.11 on page 163 and Theorem 6.12 on page 164 we con-
clude, that the successor state S ′C0 of the abstract application transition equals state
sj+1C0 so that consisapp holds. The validity of the assembly state, the well-formedness of
the program counters and the non-modified code range follow directly from the compiler
correctness theorem. The validity of the final C0 state s ′′C0 can be concluded from the
validity axioms Theorem 4.4 on page 101.
We now may extend the theorem above to output-input sequences on the C0 layer.
Theorem 6.14 (Application Simulation). Assuming that the parameters img and pages
are well-formed wrt. (valid initial), there is an initial C0-process state SC0 satisfying
these parameters, and a successful execution leads from SC0 using the output-input se-
quence ois into the state S ′C0. If these assumptions hold, there exists an output-input
sequence ois ′, an allocation function alloc and a final assembly state sasm in such a way
that
• the normalized output-input [oi] and the corresponding normalized output-input
sequence on the assembly layer ois ′ are equal,
• the assembly process successfully advances from the initial assembly state that is
uniquely identified by img and pages under the output-input sequence ois ′ to a
final state s ′asm,
• the final state S ′C0 simulates s ′asm under the the allocation function alloc,
•
C0 processes simulate assembly processes. Formally:
[[∀sasm∈set img . asm int sasm; 0 < pages; pages ≤ TVM MAXPAGES;
is initapp img pages SC0; `procC0 SC0
ois−→ S ′C0]]
=⇒ ∃ois ′ alloc s ′asm.
ois = ois ′ ∧
code range SC0 `procasm init asm img pages ois
′−−→ s ′asm ∧
consisapp S
′
C0 alloc s
′
asm
Proof. We prove the theorem by induction on the output-input sequence. We use the
sequential compiler correctness (Theorem 2.1 on page 30) to establish the the sequential
consistency relation for a successor of the initial assembly state. This state is well-
formed and its special purpose registers have not been modified. Thus, the application
consistency consisapp can be established as well. For the induction step, we employ
Theorem 6.13 on the preceding page.
166
6.2 Computation Step Simulation
6.2 Computation Step Simulation
In the previous section, we presented a computational model for applications that mod-
elled communication with Olos by using outputs and inputs. For the verification of
applications, however, the system calls are distracting. Most notably, Isabelle/Simpl
cannot deal with outputs and inputs. Hence, we introduce a cooperative concurrent ex-
ecution model, where we reason sequentially about a complete computation phase i. e.,
between two calls to the olosExFinished primitive. This execution model is the basis
of the application semantics in Simpl. Recall that the current scheduled application
executes in the compute phase and Olos has the sole task to exchange messages with
it. Hence, we model the computation of Olos and the application as a single, sequen-
tial program with two separate states: on the one hand the current application and on
the other hand the message buffers of the operating system. The internal application
state can be manipulated via normal C0 statements whereas the message buffers are
only accessible through the message transferring primitives. We define a state of the
new computational model as a pair (sapp, mb) consisting of a process state sapp and a
file of message buffers mb. The transitions emulate the behaviour of Olos during the
computation phase. Thus, we can reuse the transition function dcc of Section 4.3.
This model uses a generic application interface, i. e., sapp may refer to a C0 state
as well as a Vamp assembly state. Thus, application simulation Theorem 6.14 on the
preceding page can easily be lifted to cooperative concurrently executing applications:
Theorem 6.15 (Cooperative Concurrent Simulation). We assume a valid C0 applica-
tion state SC0 and a valid assembly state sasm that can be related with the consistency
relation consisapp. Moreover, sasm is not in a delay slot i. e., sasm.pcp = sasm.dpc + 4
holds. Neither the C0 application state SC0 nor the successor state S ′C0 signal a run-
time error i. e., ¬ is runtime error (wapp SC0) ∧ ¬ is runtime error (wapp (fst (dcc (SC0,
mb)))) is satisfied. Finally, the message buffer mb is valid so that is valid MB mb is
fulfilled. Then, we conclude that a C0 step in the cooperative concurrent model simulates
a number of cooperative concurrent assembly steps. Formally:
[[consisapp SC0 alloc sasm; ¬ is runtime error (wapp SC0);
¬ is runtime error (wapp (fst (dcc (SC0, mb)))); is validapp SC0;
is validapp sasm; sasm.pcp = sasm.dpc + 4; is valid MB mb]]
=⇒ ∃t alloc ′ s ′asm.
let (S ′C0, mb ′) = dcc (SC0, mb)
in (s ′asm, mb ′) = (dcct) (sasm, mb) ∧ consisapp S ′C0 alloc ′ s ′asm
Proof. First, we show that the inputs i chosen by function dcc always match the applica-
tion output. Thus, the transition dapp i SC0 succeeds. Theorem 6.14 on the facing page
states that there exists a corresponding output-input sequence ois ′ in such a way that
this sequence obtains exactly one pair (wapp SC0, i) and a number of empty pairs (eW,
eSv) i. e., ois ′ = [(wapp SC0, i)].
Moreover, there is a successful assembly execution under ois ′ with a final state s ′asm
that starts in state sasm, where consisapp S ′C0 alloc ′ s ′asm holds. When dcc gets output
167
6 Towards Pervasively Verified Applications
eW of the currently scheduled application, it responds with the empty input eSv. Then
we apply |ois ′| times function dcc to yield the successor state s ′asm. Furthermore, the
message buffers are equal in both cases.
The centerpiece of our cooperative concurrent execution model is that it allows us
to reuse Isabelle/Simpl. The necessary adaptation of the existing technology for appli-
cation verification is straightforward: It implies to specify the effects of the primitives
for olosSendMsg and olosRecvMsg in the Simpl language and show that this specifi-
cation corresponds with the definition of dcc for these cases. Using the Hoare logic
of Isabelle/Simpl, we can efficiently reason about functional correctness of applications
between two calls of the olosExFinished primitive as well as conveniently establish the
freedom of runtime errors.
6.3 Embedding Applications into the Overall ECU Model
In Section 6.2, we claimed that the transition function dcc emulates the Olos transitions
of a scheduled application during the computation phase. Now, we prove that assertion.
Therefore, we define a projection function P that extracts the scheduled application and
the file of message buffers of an ECU state. Formally:
P pid secu ≡ (secu.AM pid, secu.MBa)
Furthermore, we define an injection function injpid, which updates the state of appli-
cation with identifier pid in the ECU state secu by sapp.
injpid sapp secu ≡ secu(|AM := secu.AM(pid := fst sapp), MBa := snd sapp|)
Predicate calls finish encapsulates the fact that an application with identifier pid in
an ECU state secu calls ExFinish. Formally:
calls finish pid secu ≡ wapp (secu.AM pid) = ExFinish
Finally, predicate is computing holds for the ECU state secu during the compute phase
when an application with identifier pid is currently scheduled and has not terminated
its execution i. e., the idleflag has not (¬ secu.idleflag) been raised yet:
is computing pid (AST, BT) secu ≡
AST ! secu.abc dev.CSN = pid2nat pid ∧ ¬ secu.idleflag ∧ ¬ secu.abc dev.INT
The following theorem states that transition function dcc indeed emulates the ECU
transitions of a scheduled application during the computation phase.
Theorem 6.16 (Application Embedding). Assuming that application pid is scheduled in
the current slot and computing in state secu. Moreover, it did not terminate its execution
yet i. e., there has no call for ExFinish. Then, the transition dcc of the projection with
pid followed by an injection into secu is equal to a transition dECU executing a kernel
computation. Formally:
168
6.4 Reasoning about Applications – a Practical Example
[[is computing pid J secu; ¬ calls finish pid secu]]
=⇒ injpid (dcc (P pid secu)) secu = dECU J ⊥ secu
Proof. From the assumptions we know that the ECU transition function dECU is in the
compute phase on the one hand and that the result of the compute phase Compute
Phase only modifies the currently scheduled application state and the message buffers
on the other hand. Thus, extracting the scheduled application and the file of message
buffers of an ECU state, performing transition dcc and embedding the result into the
ECU state again equals the effects of transition dECU under the given conditions.
6.4 Reasoning about Applications – a Practical Example
Initial Set-Up
compute
olosExFinished
Figure 6.5: General
control-flow
of applications
In this section, we give an outlook on a practical exam-
ple to demonstrate the applicability of our approach. For
this purpose, we regard a simple application program for a
cruise control. 3 Note that all Olos applications share a
common control flow, which is depicted in Figure 6.5: After
an application-specific set-up, they implement an infinite
loop. The loop body contains a function call to a function
compute, which implements the actual functionality of the
application, followed by a system call of olosExFinished.
Our example program features a global variable target
speed storing the speed that the regulator is aiming for.
Furthermore, there is a global Boolean variable enabled that is true iff the speed control
is enabled.
The compute function (see Figure 6.6 on the following page) reads the message buffer
0 to receive one of the commands ON, OFF, INCREASE, and DECREASE as well as
the message buffer 1 to receive the current speed. The function writes two buffers that
are read by the accelerator unit (message buffer 2) and the brake unit (message buffer
3). Then, function compute adjusts the global variables wrt. the received command and
subtracts the current from the target speed. If the difference is positive, the function
sends the difference to message buffer 2 (which we assume to be read by the accelerator
unit) and value 0 to message buffer 3 (which we assume to be read by the brake unit).
If the difference is negative, the function sends the absolute value to buffer 3 and value
0 to buffer 2. Afterwards, compute returns and the program calls olosExFinished.
For the verification of the compute function, we employ the existing technology for
sequential reasoning: At first, we mechanically translate the C0 code into Simpl. More-
over, all Olos system calls are modelled in Simpl as XCalls. Then, we formally specify
the functionality in terms of Hoare triples and, conveniently relying on the Hoare log-
ics, prove the correctness of our specification. The loop body only calls the ExFinish
primitive after the execution of function compute. Obviously, this call does not alter the
application’s variables and the message buffer. Thus, the proved property holds for a
3We thank Matthias Daum for providing the example in a recent joint publication [DSS10].
169
6 Towards Pervasively Verified Applications
int compute() {
unsigned int command; unsigned int current speed;
dummy = olosRecvMsg(buffer, 0u); command = buffer−>Field; // read command
dummy = olosRecvMsg(buffer, 1u); current speed = buffer−>Field; // read current speed
// target speed adjustment
if (enabled) {
if (command == CC INCREASE) {
if (target speed < MAX SPEED − 1u) { target speed = target speed + 2u; }
}
else if (command == CC DECREASE) {
if (target speed > MIN SPEED + 1u) { target speed = target speed − 2u; }
}
else if (command != CC SET) { enabled = false; }
}
else if (current speed >= MIN SPEED && (command == CC SET ||
command == CC INCREASE || command == CC DECREASE)) {
enabled = true;
if (current speed >= MAX SPEED) { target speed = MAX SPEED; }
else { target speed = current speed; }
}
// speed regulation
∗buffer = INIT BUFFER;
if (! enabled) { dummy = olosSendMsg(buffer, 2u); dummy = olosSendMsg(buffer, 3u); }
else if (current speed > target speed) {
dummy = olosSendMsg(buffer, 2u);
buffer−>Field = current speed − target speed; dummy = olosSendMsg(buffer, 3u);
}
else {
dummy = olosSendMsg(buffer, 3u);
buffer−>Field = target speed − current speed; dummy = olosSendMsg(buffer, 2u);
}
return 0;
}
Figure 6.6: Function compute of our simple cruise-control application
complete computation phase (i. e., the loop body). Finally, we know from the property
transfer theorem of Isabelle/Simpl that there is an equivalent property over the C0 se-
mantics. The property transfer between Simpl and the small-step layer used for Cvm
correctness has been done before [ASS08], demonstrating the general applicability of our
approach.
Using Theorem 6.15 on page 167, we can then infer that the property can be translated
down to assembly level. Furthermore, Theorem 6.16 on page 168 allows us to infer
properties about the whole ECU behavior by combining verification results from the
applications running on the ECU. Recall that our example application relied on several
assumptions: The message buffers 0 and 1 are assumed to stem from sensors, and the
buffers 2 and 3 should be sent to other control units. Consequently, the static schedule
should provide slots, where the messages received from the bus are stored into the buffers
0 and 1; moreover, the buffers 2 and 3 should be sent onto the bus. Furthermore, the
170
6.4 Reasoning about Applications – a Practical Example
applications sharing the same ECU as our example application, should not alter the
buffers after receiving or before sending, respecively. In addition, we have assumed that
the example application calls ExFinish before the slot end. Within the Hoare logic,
we can prove that our compute function terminates. Thus, the only remaining issue is
to find an upper bound for the worst-case execution time, which can be done by static
analysis [HF04]. Eventually, we can then argue that the values computed by our example
application are indeed sent onto the bus several slots later.
171
6 Towards Pervasively Verified Applications
172
7 Conclusion and Future work
Achilles had overtaken the Tortoise, and had seated himself
comfortably on its back. ”So you’ve got to the end of our
race-course?” said the Tortoise. ”Even though it does consist of
an infinite series of distances? I thought some wiseacre or other
had proved that the thing couldn’t be done?”
Lewis Carroll, in: “What the Tortoise Said to Achilles”
Contents
7.1 Formal Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7.2 Gained Insights from Pervasive Verification . . . . . . . . . . . . . . . . . . . . . 175
7.3 The Effort of Formal Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
7.4 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
The contributions of this thesis are the implementation of the real-time operating
system Olos and the formal specification of an entire ECU as a part of the automotive
subproject in Verisoft. We have formally verified functional correctness of Olos in
terms of a simulation proof on the one hand and presented an approach to pervasively
verify applications running on top of it on the other hand. In the following sections, we
summarize our formal results, estimate the verification effort, and give a perspective for
future work.
7.1 Formal Results
In the course of this thesis we have considered a distributed real-time system consisting of
several ECUs and a bus in the context of pervasive formal verification. More specifically,
we have focussed on a real-time operating system that was designed for an industrial
context.
Figure 7.1 on the next page depicts an overview of our results. We implemented
the Olos kernel as a C0 program. A syntax translator automatically generates Simpl
code from the source code of Olos. Our operating system runs as a Cvm kernel ma-
chine. Therefore, we defined the effects of Cvm integrating Olos as an entire Cvm
step in Simpl. This function combined with external device steps defines an overall
implementation step. At the bottom right of Figure 7.1 on the following page, IECU
denotes the Simpl model that integrates the generated implementation code of Olos.
On the abstract layer, we modelled the behaviour of a single ECU by integrating devices
173
7 Conclusion and Future work
appC0
appasm
Ext. Compiler
ccC0
ccasm
Simpl
Transfer
cc Simulation
tcECU
Embedding
IECU
Impl. Correctness
Figure 7.1: Formal Results
and applications to the specified Olos state. This specification is depicted by tcECU.
The implementation correctness of Olos is obtained by proving a simulation theorem
Theorem 5.10 on page 141 between both layers.
Moreover, we defined an application abstraction influenced by previous work concern-
ing the Vamos microkernel (Section 4.2). We instantiated it for C0 and Vamp assembly
applications that are depicted by appC0 and appasm on the left side. Furthermore, we
formulated a number of well-formedness constraints for application models specifying
application-model validity. Then, we proved that these rules are fulfilled by both in-
stances (Theorem 4.3 on page 94 and Theorem 4.4 on page 101). The validity of the
application models is the premise for embedding them into our ECU model. The ECU
specification uses the application abstraction that cleanly separates the concepts of the
application binary interface (i. e., the interface between processes and the kernel) and
the actual kernel functionality (e. g., the global effect of system calls). For the verifi-
cation of C0 applications, we extended the sequential compiler-correctness theorem of
Dirk Leinenbach to applications and completed the formal proof of the extended the-
orem (Theorem 6.14 on page 166). Moreover, we introduced a cooperative concurrent
execution model on the C0 and the Vamp assembly layer to reason sequentially about
a complete computation phase. These models are denoted with ccC0 and ccasm. This
approach allows to verify properties of applications in Isabelle/Simpl. Results obtained
on this abstraction layer can be transferred down to the Vamp assembly layer when
we combine the cooperative concurrent simulation theorem (Theorem 6.15 on page 167)
with the transfer theorems of Norbert Schirmer [Sch06]. Finally, we have proved a the-
orem (Theorem 6.16 on page 168) that allows to infer properties about the entire ECU
behavior.
The Olos implementation is completely integrated into the system stack. The real-
time operating system runs on the verified Vamp processor [BJK+06] using the pro-
gramming framework Cvm [GHLP05, IT08]. On the abstract level, the ECU model and
the corresponding simulation proofs are seamlessly integrated into one coherent theory.
174
7.2 Gained Insights from Pervasive Verification
The Olos model is directly based on the Cvm layer and uses its definitions literally.
Moreover, the ECU model employs the device framework. Our application model is fully
embedded into the ECU model. Another archievement is that the ECU model is used to
prove the functional correctness of the Olos implementation. This result ensures that
the model can be safely used in the upper layers e. g., it can be related to the distributed
ECU model of Steffen Knapp [Kna08]. Finally, our approach to verifiy communicating
applications allows us to infer properties about the entire ECU.
We believe that our work responds to a long lasting grand challenge [Moo02] as well
as to a general encouragement [Tic98] for more experimental work in computer science.
Although the Olos kernel was developed with verification in mind and is quite small,
we claim to have a complete pervasively verified real-time operating system.
7.2 Gained Insights from Pervasive Verification
The aim of pervasiveness has considerably influenced our verification approach and its
result: Pervasive verification is inherently based on the integration of all verification
results into one single, coherent theory. The tight integration of results from various
authors with different backgrounds poses its own challenges [AHL+08]. We were able to
rely on previous work, e. g., Vamp [BJK+06], the device framework [AH08, HIP05] Cvm
[GHLP05, IT08], the verified C0 compiler [LPP05, Pet07, LP08], and Isabelle/Simpl
[Sch06], which considerably increased the possible degree of reliance so that our verifica-
tion result indeed holds for the overall system. Another advantage of the collaboration
was the fact that some problems appeared earlier. Hence, we could profit from the ex-
periences and solutions by adapting methods or approaches for our particular case. The
formalizations of the application model and the extension of the sequential compiler-
correctness theorem to the process semantics was strongly influenced by the results of
Daum et al. [DDWS08] proposed for their microkernel Vamos. We took their general
concept and adapted it for our applications running on our real-time operating system
Olos. Then, we could completely prove the application model validity and embed all
verified Olos system calls into the extended compiler-correctness theorem.
Due to the parallel proof development, our knowledge and experiences regarding the
kernel library correctness could be reused in the corresponding correctness proof for Va-
mos [Dau10]. Furthermore, the proof of the extended compiler-correctness theorem has
to deal with mixed-languages. We use the method of Gargano et al. [GHLP05] that has
been refined by Starostin & Tsyban [ST08] to deal with inline assembly code in a C0 pro-
gram. Even the refined method turned out to be inconvenient because the construction
functions only support updates of elementary types. This fact became apparent in the
simulation proof for the Olos system call olosRecvMsg where the application receives a
complex message type.
Certainly, relying on various results has also its disadvantages: Within our work, we
particularly perceived a high sensitivity to changes made by other verification engineers,
on the one hand, and considerable friction losses because of different formalization styles
and even duplicated definitions and proofs for similar problems, on the other hand.
175
7 Conclusion and Future work
Finally, another aspect has not to be underestimated. Whenever we encountered a
problem for the first time, it took us considerable time to develop a suitable verification
strategy. Then, we could cope with similar cases a lot easier. For the library correctness
each of the three Olos system calls belongs to a different degree of difficulty. Thus, we
had to prove new aspects for every function of the library.
7.3 The Effort of Formal Verification
The effort of formal verification can be only roughly estimated. The implementation
was subjected to several developments. These arose from improvements of the code or
changed requirements. All changes in the Olos source code always resulted in iterations
on the theories depending on the implementation. The task of building a model stack
extending over several abstraction levels – ideally from the gate-level implementation up
to applications – proved to require much foresight and extreme prudence for the defi-
nition of the layer’s interfaces because changes of the formalization usually spread over
several layers and are thus very costly. Though this fact can certainly be expected, we
considerably underestimated the necessary number of iterations, notably increasing the
overall verification effort. Including all iterations, adaptions and several improvements,
we approximate the effort for our implementation correctness proof with 2 years. Our
Olos implementation (without Cvm) consists of roughly 300 lines of C0 code 1. The
functional correctness proof covers the entire Olos implementation and comprises ap-
proximately 3000 lines of code. The largest portion of this code belongs to the Hoare
triple proving the functional correctness of all Olos functions in Simpl. Here, the most
challenging proof was the correctness proof of the initialization function including three
loops. It took about 3 person months and its proof size is about 490 lines of code.
The elaboration of the framework to pervasively verify applications also took about 16
months and the theories comprise about 11.000 lines of code. The work consuming most
time were the simulation proofs between our abstract C0 transition and the execution of
the system call implementation code. Each system call revealed new problems we had
to solve. The easiest system call olosExFinished was done in 2 person months. The calls
olosSendMsg and olosRecvMsg have many common properties concerning the structure
of the calls, the compiled code and the message structure. We encapsulated all these
lemmata into one theory. Without this preparatory work the most complex case (i. e.,
the successful receive case) took about 4 person months. The theory size of the latter
case is more than three times as large as the case of olosExFinished (the theory sizes of
all system call patterns range from 900 to 2900 lines of code). An overview of all theories
and their sizes are given in the appendix. Furthermore, we extended several theories to
prove important properties that we required for our verification work. We stored them
directly together with the definitions of the underlying model and did not count them
as part of our work.
Apart from that, the number of lines within a proof script or the elapsed time of a
single proof does not necessarily correlate with its degree of difficulty. As an example,
1We present more detailed statistics in Table A.3 on page 199
176
7.4 Future Work
structural proofs of the subcomponents of the message type have an unproportional
number of proof script lines whereas other proofs involve much more creativity and
finally appear rather small.
7.4 Future Work
We foresee several possible extensions of our work.
On the hardware layer Christian Mu¨ller verifies the message transmission between
several ABC devices [EMST10]. More specifically, he completed the verification of the
bus correctness and the correct message transmission between the ABC buffers and the
bus. Linking our formal proofs we would obtain an impressive result.
Our correctness statement is yet limited to a single slot schedule because of restrictions
in our tool chain: The schedule is currently specified via implementation constants in the
code. These constants are formally fixed in the generated code; the current verification
framework is incapable to instantiate a correctness proof for multiple schedules. We
are confident, however, that this problem can be solved using recent improvements of
Isabelle/HOL [HW09] and a comparatively small enhancement of Isabelle/Simpl.
Moreover, our verification approach implicitly assumes that our real-time operating
system is capable to timely handle the incoming device interrupts. We have proved that
our interrupt handler, the top-level function of Olos, terminates. In order to set up a
correctly running system, however, we need an upper bound of its worst-case execution
time. A possible approach for its computation is static worst-case execution-time analysis
[FHW04, KP07a].
Finally, the correctness of the Cvm specification in Simpl has not been verified. For
large parts of Cvm, however, there is a correctness proof up to the C0 small-step seman-
tics and parts of this specification have been reused in the Simpl specification. Further-
more, a property transfer between Simpl and the small-step semantics has been done
before [ASS08], demonstrating the general applicability of this approach. Finally, we
specified the Olos system calls for the practical example Section 6.4 in Simpl but did
not transfer the proven properties down to the small-step level yet.
177
7 Conclusion and Future work
178
Bibliography
If I have been able to see further (than you and Descartes),
it is because I have stood on the shoulders of giants.
Isaac Newton, quoted in a letter to Robert Hooke
[AH08] Eyad Alkassar and Mark A. Hillebrand. Formal Functional Verification of
Device Drivers. In Verified Software: Theories, Tools, and Experiments,
volume 5295 of LNCS, pages 225–239. Springer, October 2008.
[AHK+07] Eyad Alkassar, Mark Hillebrand, Steffen Knapp, Rostislav Rusev, and
Sergey Tverdyshev. Formal Device and Programming Model for a Serial
Interface. In Bernhard Beckert, editor, VERIFY, volume 259 of CEUR
Workshop Proceedings, pages 4–20. CEUR-WS.org, 2007.
[AHL+08] Eyad Alkassar, Mark A. Hillebrand, Dirk Leinenbach, Norbert Schirmer,
and Artem Starostin. The Verisoft Approach to Systems Verification. In
Verified Software: Theories, Tools, and Experiments, volume 5295 of LNCS,
pages 209–224. Springer, 2008.
[AHL+09] Eyad Alkassar, Mark A. Hillebrand, Dirk C. Leinenbach, Norbert W.
Schirmer, Artem Starostin, and Alexandra Tsyban. Balancing the Load
– Leveraging a Semantics Stack for Systems Verification. J. Autom. Rea-
soning, Special Issue on Operating System Verification, 42(2-4):389–454,
2009.
[AHPP10] Eyad Alkassar, Mark A. Hillebrand, Wolfgang Paul, and Elena Petrova.
Automated Verification of a Small Hypervisor. In Peter O’Hearn, Gary T.
Leavens, and Sriram Rajamani, editors, Verified Software: Theories, Tools,
Experiments (VSTTE 2010), volume 6217 of Lecture Notes in Computer
Science, pages 40–54, Edinburgh, UK, August 2010. Springer.
[Alk09] Eyad Alkassar. OS Verification Extended - On the Formal Verification of
Device Drivers and the Correctness of Client/Server Software. PhD thesis,
University of Saarland, 2009.
[Ame99] American National Standards Institute. ANSI/ISO/IEC 9899-1999: Pro-
gramming Languages — C. American National Standards Institute, New
York, USA, December 1999.
[AS97] Mark Anthony and Shawn Smith. Formal Verification of TCP and T/TCP,
1997.
179
Bibliography
[ASS08] Eyad Alkassar, Norbert Schirmer, and Artem Starostin. Formal Pervasive
Verification of a Paging Mechanism. In TACAS, volume 4963 of LNCS,
pages 109–123. Springer, 2008.
[AZKR04] Konstantine Arkoudas, Karen Zee, Viktor Kuncak, and Martin Rinard.
Verifying a file system implementation. In In Sixth International Conference
on Formal Engineering Methods (ICFEM’04), volume 3308 of LNCS, pages
8–12, 2004.
[BBBB09a] Christoph Baumann, Bernhard Beckert, Holger Blasum, and Thorsten
Bormer. Better avionics software reliability by code verification – a glance
at code verification methodology in the Verisoft XT project. In In Embedded
World 2009 Conference, 2009.
[BBBB09b] Christoph Baumann, Bernhard Beckert, Holger Blasum, and Thorsten
Bormer. Formal Verification of a Microkernel used in Dependable Software
Systems. In Proceedings of the 28th International Conference on Computer
Safety, Reliability, and Security, SAFECOMP ’09, pages 187–200, Berlin,
Heidelberg, 2009. Springer-Verlag.
[BBG+08] J. Botaschanjan, M. Broy, A. Gruler, A. Harhurin, S. Knapp, L. Kof,
W. Paul, and M. Spichkova. On the Correctness of Upper Layers of Auto-
motive Systems. Formal Aspects of Computing, 20(6):637–662, 2008.
[BCT04] William Bevier, Richard Cohen, and Jeff Turner. A Specification for the
Synergy File System, 2004.
[Bev89] William R. Bevier. Kit and the short stack. J. Autom. Reasoning, 5(4):519–
530, 1989.
[BHMY89] William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D.
Young. An Approach to Systems Verification. J. Autom. Reasoning,
5(4):411–428, 1989.
[BJK+03] Sven Beyer, Christian Jacobi, Daniel Kroening, Dirk Leinenbach, and Wolf-
gang Paul. Instantiating uninterpreted functional units and memory system:
Functional verification of the VAMP. In Daniel Geist and Enrico Tronci,
editors, CHARME, volume 2860 of LNCS, pages 51–65. Springer, 2003.
[BJK+06] Sven Beyer, Christian Jacobi, Daniel Kro¨ning, Dirk Leinenbach, and Wolf-
gang J. Paul. Putting it all together: Formal verification of the VAMP.
STTT, 8(4–5):411–430, 2006.
[BLW] Sascha Bo¨hme, K. Rustan M. Leino, and Burkhart Wolff. HOL/Boogie –
An Interactive Prover for the Boogie Program-Verifier.
[BMSW] S. Bo¨hme, M. Moskal, W. Schulte, and B. Wolff. HOL/Boogie: An inter-
active prover-backend for the Verifiying C Compiler. Journal of Automated
Reasoning.
180
Bibliography
[Bog08] Sebastian Bogan. Formal Specification of a Simple Operating System. PhD
thesis, Saarland University, Saarbru¨cken, 2008.
[Bor00] Richard Bornat. Proving pointer programs in Hoare Logic, 2000.
[Boy09] Andrew Boyton. A Verified Shared Capability Model. In Gerwin Klein, Ralf
Huuck, and Bastian Schlich, editors, Proceedings of the 4th Workshop on
Systems Software Verification, volume 254 of Electronic Notes in Computer
Science, pages 25–44, Aachen, Germany, Oct 2009. Elsevier.
[Bur72] R. Burstall. Some techniques for proving correctness of programs which
alter data structures. Machine Intelligence 7, pages 23–50, 1972.
[CAB+09] E. Cohen, A. Alkassar, V. Boyarinov, M. Dahlweid, U. Degenbaev, M. Hille-
brand, B. Langenstein, D. Leinenbach, M. Moskal, S. Obua, W. Paul,
H. Pentchev, E. Petrova, T. Santen, N. Schirmer, S. Schmaltz, W. Schulte,
A. Shadrin, S. Tobies, A. Tsyban, and S. Tverdyshev. Invariants, Modular-
ity, and Rights. In Amir Pnueli, Irina Virbitskaite, and Andrei Voronkov,
editors, Perspectives of Systems Informatics (PSI 2009), volume 5947 of
Lecture Notes in Computer Science, pages 43–55. Springer, 2009.
[CDH+09] Ernie Cohen, Markus Dahlweid, Mark Hillebrand, Dirk Leinenbach, Micha l
Moskal, Thomas Santen, Wolfram Schulte, and Stephan Tobies. VCC: A
Practical System for Verifying Concurrent C. In Stefan Berghofer, Tobias
Nipkow, Christian Urban, and Markus Wenzel, editors, Theorem Proving
in Higher Order Logics (TPHOLs 2009), volume 5674 of Lecture Notes in
Computer Science, pages 23–42, Munich, Germany, 2009. Springer. Invited
paper.
[CMST09] Ernie Cohen, Micha l Moskal, Wolfram Schulte, and Stephan Tobies. A
Precise Yet Efficient Memory Model for C. In Workshop on Systems Soft-
ware Verification (SSV 2009), volume 254 of Electronic Notes in Theoretical
Computer Science, pages 85–103. Elsevier Science B.V., 2009.
[CMST10a] Ernie Cohen, Micha l Moskal, Wolfram Schulte, and Stephan Tobies. Lo-
cal Verification of Global Invariants in Concurrent Programs. In Byron
Cook, Paul Jackson, and Tayssir Touili, editors, Computer Aided Verifica-
tion (CAV 2010), volume 6174 of Lecture Notes in Computer Science, pages
480–494, Edinburgh, UK, July 2010. Springer.
[CMST10b] Ernie Cohen, Micha l Moskal, Wolfram Schulte, and Stephan Tobies. Local
Verification of Global Invariants in Concurrent Programs. Technical Report
MSR-TR-2010-9, Microsoft Research, January 2010.
[Dau10] Matthias Daum. On the Formal Foundation of a Verification Approach
for System-Level Concurrent Programs. PhD thesis, Saarland University,
Saarbru¨cken, 2010.
181
Bibliography
[DDB08] Matthias Daum, Jan Do¨rrenba¨cher, and Sebastian Bogan. Model Stack
for the Pervasive Verification of a Microkernel-based Operating System. In
Bernhard Beckert and Gerwin Klein, editors, 5th International Verifica-
tion Workshop (VERIFY’08), volume 372 of CEUR Workshop Proceedings,
pages 56–70. CEUR-WS.org, 2008.
[DDW09] Matthias Daum, Jan Do¨rrenba¨cher, and Burkhart Wolff. Proving Fairness
and Implementation Correctness of a Microkernel Scheduler. J. Autom.
Reasoning, Special Issue on Operating System Verification, 42(2-4):349–388,
2009.
[DDWS08] Matthias Daum, Jan Do¨rrenba¨cher, Burkhart Wolff, and Mareike Schmidt.
A Verification Approach for System-Level Concurrent Programs. In Verified
Software: Theories, Tools, and Experiments, volume 5295 of LNCS, pages
161–176. Springer, October 2008.
[DHP05] Iakov Dalinger, Mark Hillebrand, and Wolfgang Paul. On the Verification of
Memory Management Mechanisms. In Dominique Borrione and Wolfgang
Paul, editors, CHARME, volume 3725 of LNCS, pages 301–316. Springer,
2005.
[DMB08] Leonardo De Moura and Nikolaj Bjørner. Z3: an efficient SMT solver.
In Proceedings of the Theory and practice of software, 14th international
conference on Tools and algorithms for the construction and analysis of
systems, TACAS’08/ETAPS’08, pages 337–340, Berlin, Heidelberg, 2008.
Springer-Verlag.
[DSS09] Matthias Daum, Norbert W. Schirmer, and Mareike Schmidt. Implemen-
tation Correctness of a Real-Time Operating System. In 7th IEEE Inter-
national Conference on Software Engineering and Formal Methods (SEFM
2009), 23–27 November 2009, Hanoi, Vietnam, pages 23–32. IEEE, 2009.
[DSS10] Matthias Daum, Norbert W. Schirmer, and Mareike Schmidt. From
Operating-System Correctness to Pervasively Verified Applications. In Do-
minique Me´ry and Stephan Merz, editors, Integrated Formal Methods, 8th
International Conference, Lecture Notes in Computer Science. Springer,
2010.
[Do¨r10] Jan Do¨rrenba¨cher. Formal Specification and Verification of a Microkernel.
PhD thesis, Saarland University, Saarbru¨cken, 2010.
[EKE08] Dhammika Elkaduwe, Gerwin Klein, and Kevin Elphinstone. Verified Pro-
tection Model of the seL4 Microkernel. In Jim Woodcock and Natarajan
Shankar, editors, Second IFIP Working Conference on Verified Software:
Theories, Tools, and Experiments (VSTTE 2008), volume 5295 of LNCS,
pages 99–114, Toronto, Canada, October 2008. Springer.
182
Bibliography
[EMST10] Erik Endres, Christian Mu¨ller, Andrey Shadrin, and Sergey Tverdyshev.
Towards the Formal Verification of a Distributed Real-Time Automotive
System. In Ce´sar Mun˜oz, editor, Proceedings of the Second NASA For-
mal Methods Symposium (NFM 2010), NASA/CP-2010-216215, pages 212–
216, Langley Research Center, Hampton VA 23681-2199, USA, April 2010.
NASA.
[End05] Endrawaty. Verification of the Fiasco IPC Implementation. Master’s thesis,
Technical University of Dresden, 2005.
[Eur03] European Commission (DG Enterprise and DG Information Society).
eSafety Forum: Summary Report 2003. Technical report, eSafety, March
2003.
[FHW04] Christian Ferdinand, Reinhold Heckmann, and Reinhard Wilhelm. Analyz-
ing the worst-case execution time by abstract interpretation of executable
code. In ASWSD, pages 1–14, 2004.
[FSDG08] Xinyu Feng, Zhong Shao, Yuan Dong, and Yu Guo. Certifying low-level
programs with hardware interrupts and preemptive threads. In PLDI, pages
170–182. ACM, 2008.
[GHLP05] Mauro Gargano, Mark Hillebrand, Dirk Leinenbach, and Wolfgang Paul. On
the Correctness of Operating System Kernels. In TPHOLs 2005, volume
3603 of LNCS, pages 1–16. Springer, 2005.
[Guy10] Jessica Guynn. Apple co-founder Steve Wozniak says his Toyota Prius
accelerates on its own. Los Angeles Times, February 3, 2010.
[HALM06] Constance L. Heitmeyer, Myla Archer, Elizabeth I. Leonard, and John D.
McLean. Formal specification and verification of data separation in a sep-
aration kernel for an embedded system. In ACM Conference on Computer
and Communications Security, pages 346–355. ACM, 2006.
[HEK+07] Gernot Heiser, Kevin Elphinstone, Ihor Kuz, Gerwin Klein, and Stefan M.
Petters. Towards trustworthy computing systems: taking microkernels to
the next level. Operating Systems Review, 41(4):3–11, July 2007.
[HF04] Reinhold Heckmann and Christian Ferdinand. Worst-Case Execution Time
Prediction by Static Program Analysis. White paper, AbsInt Angewandte
Informatik GmbH, 2004.
[HHF+05] Hermann Ha¨rtig, Michael Hohmuth, Norman Feske, Christian Helmuth,
Adam Lackorzynski, Frank Mehnert, and Michael Peter. The Nizza Secure-
System Architecture. In In IEEE CollaborateCom 2005, 2005.
[HIP05] Mark A. Hillebrand, Thomas In der Rieden, and Wolfgang J. Paul. Dealing
with I/O Devices in the Context of Pervasive System Verification. In ICCD,
pages 309–316. IEEE Computer Society, 2005.
183
Bibliography
[HP96] John L. Hennessy and David A. Patterson. Computer Architecture: A
Quantitative Approach. Morgan Kaufmann, San Mateo, CA, second edition,
1996.
[HP07] Mark A. Hillebrand and Wolfgang J. Paul. On the Architecture of System
Verification Environments. In Haifa Verification Conference, pages 153–168.
Springer, 2007.
[HTS02] Michael Hohmuth, Hendrik Tews, and Shane G. Stephens. Applying source-
code verification to a microkernel: the VFiasco project. In Proceedings of
the 10th workshop on ACM SIGOPS European workshop, EW 10, pages
165–169, New York, NY, USA, 2002. ACM.
[HW09] Florian Haftmann and Makarius Wenzel. Local Theory Specifications in
Isabelle/Isar. In TYPES, volume 5497 of LNCS, pages 153–168. Springer,
2009.
[IdR09] Thomas In der Rieden. Verified Linking for Modular Kernel Verification.
PhD thesis, Saarland University, Saarbru¨cken, 2009.
[IT08] Tom In der Rieden and Alexandra Tsyban. CVM – A Verified Framework
for Microkernel Programmers. In Systems Software Verification, volume 217
of ENTCS, pages 151–168. Elsevier Science B.V., 2008.
[Kai07] Robert Kaiser. Combining Partitioning and Virtualisation for Safety-critical
Systems. In Embedded World Conference 2007, Nuremberg, February 2007.
[KEH+09] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David
Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski,
Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. seL4:
Formal Verification of an OS Kernel. In Proceedings of the 22nd ACM
Symposium on Operating Systems Principles, pages 207–220, Big Sky, MT,
USA, Oct 2009. ACM.
[KG94] Hermann Kopetz and Gu¨nter Gru¨nsteidl. TTP – A Protocol for Fault-
Tolerant Real-Time Systems. IEEE Computer, 27(1):14–23, 1994.
[Kle09a] Gerwin Klein. Correct OS Kernel? Proof? Done! USENIX ;login:,
34(6):28–34, December 2009.
[Kle09b] Gerwin Klein. Operating System Verification — An Overview. Sa¯dhana¯,
34(1):27–69, February 2009.
[Kna08] Steffen Knapp. The Correctness of a Distributed Real-Time System. PhD
thesis, Saarland University, July 2008.
184
Bibliography
[KP07a] Steffen Knapp and Wolfgang Paul. Realistic Worst Case Execution Time
Analysis in the Context of Pervasive System Verification. In Program Anal-
ysis and Compilation, Theory and Practice, volume 4444 of LNCS, pages
53–81. Springer, 2007.
[KP07b] Steffen Knapp and Wolfgang J. Paul. Pervasive Verification of Distributed
Realtime Systems. In T. Hoare M. Broy, J. Gru¨nbauer, editor, Software
System Reliability and Security, NATO Security Through Science Series.
Sub-Series: Information and Communication Vol.9. IOS Press, 2007.
[Lei08] Dirk Carsten Leinenbach. Compiler Verification in the Context of Pervasive
System Verification. PhD thesis, Saarland University, 2008.
[LP06] Markus Linnemann and Norbert Pohlmann. Scho¨ne neue Welt?! - Die
vertrauenswu¨rdige Sicherheitsplattform Turaya. In IT-Sicherheit Ausgabe,
volume 3-4, 2006.
[LP08] Dirk Leinenbach and Elena Petrova. Pervasive Compiler Verification: From
Verified Programs to Verified Systems. In Systems Software Verification,
volume 217 of ENTCS, pages 23–40. Elsevier Science B.V., 2008.
[LPP05] Dirk Leinenbach, Wolfgang J. Paul, and Elena Petrova. Towards the For-
mal Verification of a C0 Compiler: Code Generation and Implementation
Correctness. In SEFM, pages 2–12. IEEE Computer Society, 2005.
[LS09] Dirk Leinenbach and Thomas Santen. Verifying the Microsoft Hyper-V Hy-
pervisor with VCC. In Formal Methods (FM 2009), volume 5850 of Lecture
Notes in Computer Science, pages 806–809, Eindhoven, the Netherlands,
2009. Springer. Invited paper.
[MN05] Farhad Mehta and Tobias Nipkow. Proving Pointer Programs in Higher-
Order Logic. Information and Computation, 199:200–227, 2005.
[Moo02] J Strother Moore. A Grand Challenge Proposal for Formal Methods: A
Verified Stack. In 10th Anniversary Colloquium of UNU/IIST, pages 161–
172. Springer, 2002.
[MP00] Silvia M. Mueller and Wolfgang J. Paul. Computer Architecture: Complexity
and Correctness. Springer, 2000.
[MWTG00] W. Martin, P. White, F. S. Taylor, and A. Goldberg. Formal Construction of
the Mathematically Analyzed Separation Kernel. In Proceedings of the 15th
IEEE international conference on Automated software engineering, ASE
’00, pages 133–, Washington, DC, USA, 2000. IEEE Computer Society.
[NF03] Peter G. Neumann and Richard J. Feiertag. PSOS Revisited. In Proceedings
of the 19th Annual Computer Security Applications Conference, ACSAC
’03, pages 208–, Washington, DC, USA, 2003. IEEE Computer Society.
185
Bibliography
[NPW02] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL:
A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer,
2002.
[Pau94] Lawrence C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of
LNCS. Springer, 1994.
[Pau05] Wolfgang Paul. Towards a worldwide verification technology. In In Pro-
ceedings of the Verified Software: Theories, Tools, Experiments Conference
(VSTTE 2005), 2005.
[Pet07] Elena Petrova. Verification of the C0 Compiler Implementation on the
Source Code Level. PhD thesis, Saarland University, 2007.
[PRS+01] Birgit Pfitzmann, James Riordan, Christian Stu¨ble, Michael Waidner, and
Arnd Weber. The PERSEUS System Architecture. Technical Report RZ
3335(#93381), IBM Research Division, 2001.
[Sam08] Thaima Samman. Verifying 50,000 lines of C code. In Futures, Microsoft’s
European Innovation Magazine, volume 21, 2008.
[Sch05] Norbert Schirmer. A Verification Environment for Sequential Imperative
Programs in Isabelle/HOL. In LPAR, LNCS, pages 398–414. Springer, 2005.
[Sch06] Norbert Walter Schirmer. Verification of Sequential Imperative Programs
in Isabelle/HOL. PhD thesis, TU Munich, 2006.
[Sch07] E. Schierboom. Verification of Fiasco’s IPC implementation. Master’s the-
sis, Radboud Universiteit Nijmegen, 2007.
[SDD+04] Jonathan Shapiro, Ph. D, Michael Scott Doerrie, Eric Northup, Swaroop
Sridhar, and Mark Miller. Towards a verified, general-purpose operating
system kernel. In FM Workshop on OS Verification, Tech. Rep. 0401005T-
1, pages 1–19. National ICT Australia, 2004.
[ST08] Artem Starostin and Alexandra Tsyban. Correct Microkernel Primitives.
In Systems Software Verification, volume 217 of ENTCS, pages 169–185.
Elsevier Science B.V., 2008.
[Tew07] Hendrik Tews. Formal Methods in the Robin Project: Specification and Ver-
ification of the Nova Microhypervisor. In C/C++ Verification Workshop,
Tech. Rep. ICIS–R07015, pages 59–68. Radboud University Nijmegen, June
2007.
[Tic98] Walter F. Tichy. Should Computer Scientists Experiment More? IEEE
Computer, 31(5):32–40, 1998.
186
Bibliography
[TS08] Sergey Tverdyshev and Andrey Shadrin. Formal Verification of Gate-Level
Computer Systems. In Kristin Yvonne Rozier, editor, LFM 2008: Sixth
NASA Langley Formal Methods Workshop, NASA Scientific and Technical
Information (STI), pages 56–58. NASA, 2008.
[Tsy09] Alexandra Tsyban. Formal Verification of a Framework for Microkernel
Programmers. PhD thesis, Saarland University, Computer Science Depart-
ment, November 2009.
[VB10] Ralph Vartabedian and Ken Bensinger. Doubt cast on Toyota’s decision to
blame sudden acceleration on gas pedal defect. Los Angeles Times, January
30, 2010.
[WKP80] B. Walker, R. Kemmerer, and G. Popek. Specification and verification of
the UCLA Unix security kernel. Commun. ACM, 23(2):118–131, 1980.
[YTE04] Junfeng Yang, Paul Twohey, and Dawson Engler. Using Model Checking
to Find Serious File System Errors. pages 273–288, 2004.
187
Bibliography
188
A Appendix
A.1 Source Code of the OLOS Implementation
We give a short overview where the Olos implementation is located and the source code
sizes. Afterwards, we present the content of the files containing the C0 source code.
Implementation: implementation/software/∗
• Olos Implementation: olos/∗
– olos.c: Olos implementation (340 LOC)
– olos.h: Static implementation information
(e. g., system call names or register and port numbers)
– olos config.h: Configurable implementation information
(e. g., initial arrays for scheduling tables and ABC configuration)
• Olos System Call Library: libolos/∗
– syscall library.c: system call implementation (50 LOC)
– syscall library.h: message type definition
– directory t/∗: small test programs
A.1.1 OLOS Constant Definitions
File olos.h contains all the Olos specific constant definitions:
// General purpose register for System Calls
#define OLOS_GPR_ARG_01 11u
#define OLOS_GPR_ARG_02 12u
#define OLOS_GPR_ARG_RES 22u
// Length and initial values of the Configuration Buffer
#define CBLENGTH 8u
#define CB_CONF {SLOTCOUNT ,L_MSG ,OFF ,T_SL ,WAKEUP ,IWAIT ,SENDL1 ,
SENDL2}
// Identifier of the ABC device
#define ABC_ID 13u
// Port addresses (in Words)
// Send buffer
#define SENDB_PORT 0u
// Receive buffer
#define RECVB_PORT 256u
// Configuration buffer
#define CONFB_PORT 512u
189
A Appendix
// Command register
#define CMD_PORT 767u
// Commands for the ABC (clear interrupt , set ready)
#define CMD_CLRINT 0u
#define CMD_SETRD 1u
/** \name Defines: OLOS return codes for errors **/
#define OLOS_RC_INVALID_MSGNUMBER -1
#define OLOS_RC_INVALID_POINTER -2
/** \name Defines: OLOS system calls **/
#define OLOS_CALL_ExFinished 0u
#define OLOS_CALL_SendMsg 1u
#define OLOS_CALL_RecvMsg 2u
// Maximal Trap Number
#define MAX_CALL_ID 2u
A.1.2 Declarations
Global Olos variables and data structures declared in olos.c:
/* Messages */
typedef int t_kmsg[MSGLENGTH ];
typedef t_kmsg *p_kmsg;
p_msg MB[MSGCOUNT ];
/* Processes */
unsigned int ca;
#define IDLE 0u
/* Round Scheduling */
unsigned int AST[SLOTCOUNT ]; // Application Scheduling Table
unsigned int BT[SLOTCOUNT ]; // Message -Buffer Index Table
bool SPT[SLOTCOUNT ]; // Sending Permission Table (Bus
communication)
unsigned int csn; // current slotnumber
unsigned int PAGEC[PROCCOUNT + 1u]; // pagenumber per process
/* Interrupt type*/
/* Value of Sendflag indicates the type of timer interrupt:
1) Sendflag = true => wakeup interrupt
Start send phase (only occurs to ECUs sends the message to
the
bus in the next slot)
2) Sendflag = false => slotboundary is reached
Start receive phase (occurs after a compute or a send phase
depending on the sending permission of
the
ECU)
*/
190
A.1 Source Code of the OLOS Implementation
bool Sendflag;
// CVM functions for copy operations
DECLARE_CVM_PHYS_COPY(t_kmsg)
DECLARE_CVM_PHYS_IO_RANGE(t_kmsg)
A.1.3 The Interrupt Handler
C0 source code of function handle int in olos.c:
// *************************************
// Internal -CODE (Bus communication)
// *************************************
int handle_int (){
int dummy;
unsigned int result_ui;
if (Sendflag) { // send phase:
// select MB with message that is sent to the bus next
slot
// write message to ABC send buffer
result_ui = BT[(csn + 1u) % SLOTCOUNT ];
dummy = cvm_physIOOutRange_t_kmsg(MB[result_ui],ABC_ID ,
SEND_PORT);
ca = 0u; // set current application to IDLE
Sendflag = false; // lower send flag
} else { // recv phase:
// slot boundary: increase slot number
csn = (csn + 1u) % SLOTCOUNT;
// set sendflag to write permission of the next slot
Sendflag = SPT[(csn + 1u)% SLOTCOUNT ];
// select MB to store message received from the bus
// in the previous slot , read message from ABC
receive buffer
result_ui = BT[(csn + SLOTCOUNT - 1u)% SLOTCOUNT ];
dummy = cvm_physIOInRange_t_kmsg(ABC_ID ,RECV_PORT ,MB
[result_ui ]);
ca = AST[csn]; // activate currently scheduled
application
}
// Clear ABC interrupt
dummy = cvm_out_word(ABC_ID ,COMR_PORT , COM_CLRINT);
return 0;
}
A.1.4 The Trap Handler
C0 source code of function handle trap in olos.c:
// **************************************
191
A Appendix
// Dispatch and execution of kernel calls
// **************************************
int handle_trap (unsigned int n) {
int dummy , result;
unsigned int pmsg , mn;
;
if (n == OLOS_CALL_ExFinished) {ca = IDLE;}
else {
pmsg = cvm_get_vm_gpr(ca ,OLOS_GPR_ARG_01);
mn = cvm_get_vm_gpr(ca,OLOS_GPR_ARG_02);
if ((pmsg&3u) != 0u
|| pmsg >= PAGEC[ca] * PAGE_SIZE - 4u * MSGLENGTH)
{result = OLOS_RC_INVALID_POINTER ;}
else if (mn >= MSGCOUNT) {result = OLOS_RC_INVALID_MSGNUMBER ;}
else {result = 0;
if (n == OLOS_CALL_SendMsg){
result = cvm_v2pcopy_t_kmsg(ca , pmsg ,MB[mn])
;
}
else {result = cvm_p2vcopy_t_kmsg(MB[mn], ca ,
pmsg);
}
}
dummy = cvm_set_vm_gpr(ca,OLOS_GPR_ARG_RES ,UNSIGNED(
result));
}
return 0;
}
A.1.5 The Initialization Function
C0 source code of the initialization function olos init in olos.c:
// **************************************
// Initialization of OLOS
// **************************************
int olos_init () {
unsigned int CONFB [CBLENGTH ];
int dummy;
unsigned int n, next;
// Initialization of schedules and PAGEC
ASSIGN_ARRAY_VAL(AST ,unsigned[],AST_CONF);
ASSIGN_ARRAY_VAL(BT ,unsigned[],BT_CONF);
ASSIGN_ARRAY_VAL(SPT ,bool[],SPT_CONF);
192
A.1 Source Code of the OLOS Implementation
ASSIGN_ARRAY_VAL(PAGEC ,unsigned[], PAGEC_CONF);
// Initialization of OLOS internal data
csn = SLOTCOUNT - 1u;
ca = IDLE;
Sendflag = false;
n = 0u;
while (n < MSGCOUNT) {
MB[n] = new(t_kmsg);
n = n + 1u;
}
// Initialize processes
// PID 0 is reserved for kernel computation and not used for
applications
// PID 1 to PID PROCCOUNT are used for the applications
// In the boot image , PID 0 is at page offset 0.
// The application sizes are configured with the PAGEC_CONF
configuration item.
n = 1u;
next = 0u;
while (n <= PROCCOUNT) {
dummy = cvm_reset(n); // Initialize registers
dummy = cvm_alloc(n, PAGEC[n]); // Allocate memory
dummy = cvm_load_os(PAGEC[n], n, next); // Load
application
next = next + PAGEC[n];
n = n + 1u;
}
// Configure ABC device and send set -ready signal
ASSIGN_ARRAY_VAL(CONFB ,unsigned[],CB_CONF);
n = 0u;
while (n < CBLENGTH) {
dummy = cvm_out_word(ABC_ID ,CONFR_PORTu + n, CONFB[n]);
n = n + 1u;
}
dummy = cvm_out_word(ABC_ID ,COMR_PORT , COM_SETRD);
return 0;
A.1.6 OLOS Mainfunction
C0 source code of the dispatcher function kdispatch in olos.c:
// **************************************
// Kernel Dispatcher
// **************************************
unsigned int kdispatch(unsigned int eca , unsigned int edata) {
int dummy;
unsigned int result_ui;
193
A Appendix
// If there is reset , we do not care about the remaining bits
of eca
// Otherwise , we must handle no other interrupt than trap (5)
or ABC (13)
if ((eca & 1u) != 0u) { // Reset (0)
dummy = olos_init ();
}
else if ((eca &8192u)!= 0u) { // ABC interrupt
dummy = handle_int ();
}
else if ((eca & 32u) != 0u) { // trap / system call
if (edata <= MAX_CALL_ID) {
dummy = handle_trap (edata);
}
}
return ca;
}
A.1.7 Typed CVM Primitives
In file cvmolos.c, we define the following two macros to specify generic patterns for
individually typed copy functions. The additional parameter t kmsg defines that the
implementation of the copy functions uses the kernel message type.
DEFINE CVM PHYS COPY(t kmsg)
DEFINE CVM PHYS IO RANGE(t kmsg)
The preprocessor expands the first one to the typed functions cvm p2vcopy t kmsg
and cvm v2pcopy t kmsg that copy data between the kernel and a user process. The
second macro is expanded to the typed functions cvm physIOInRange t kmsg and cvm
physIOOutRange t kmsg which are used to exchange messages between the kernel and
a specified device.
The copy functions have a similar structure. Most notably, all these functions take a
message pointer as parameter. Then, a portion of inline assembly is used to compute
the start address and the size of the message (the start address is either the address
where the message is stored in the memory or where it will be copied). The first two
instructions load the address of the pointer and store this value into a local variable addr.
Furthermore, an instruction computes the size of the referenced data with function asm
sizeof. This value is stored in the local variable size. Afterwards, the underlying
copy functions are called with a boolean variable to distinguish between read and write
accesses of the kernel (i. e., true denotes that the kernel sends and false it receives data
from a device or user process, respectively). The source code of the expanded typed copy
functions is given below:
194
A.1 Source Code of the OLOS Implementation
int cvm_p2vcopy_t_kmsg(t_kmsg *ptr , unsigned int pid ,
unsigned int va)
{
int result; unsigned int addr; unsigned int size;
asm { lw(r11 ,r30 ,asm_offset(ptr));
sw(r11 ,r30 ,asm_offset(addr));
addi(r11 ,r0 ,asm_sizeof (*ptr));
sw(r11 ,r30 ,asm_offset(size)); };
result = cvm_phys_copy(true , pid , va , addr , size);
return 0;
}
int cvm_v2pcopy_t_kmsg(unsigned int pid , unsigned int va ,
t_kmsg *ptr)
{
int result; unsigned int addr; unsigned int size;
asm { lw(r11 ,r30 ,asm_offset(ptr));
sw(r11 ,r30 ,asm_offset(addr));
addi(r11 ,r0 ,asm_sizeof (*ptr));
sw(r11 ,r30 ,asm_offset(size)); };
result = cvm_phys_copy(false , pid , va , addr , size);
return 0;
}
int cvm_physIOInRange_t_kmsg(unsigned int device_id ,
unsigned int port , t_kmsg *ptr)
{
int result; unsigned int addr; unsigned int size;
asm { lw(r11 ,r30 ,asm_offset(ptr));
sw(r11 ,r30 ,asm_offset(addr));
addi(r11 ,r0 ,asm_sizeof (*ptr));
sw(r11 ,r30 ,asm_offset(size)); };
result = cvm_phys_io_range(false , device_id , port , addr , size);
return 0;
}
int cvm_physIOOutRange_t_kmsg(t_kmsg *ptr , unsigned int device_id ,
unsigned int port)
{
int result; unsigned int addr; unsigned int size;
asm { lw(r11 ,r30 ,asm_offset(ptr));
sw(r11 ,r30 ,asm_offset(addr));
addi(r11 ,r0 ,asm_sizeof (*ptr));
sw(r11 ,r30 ,asm_offset(size)); };
result = cvm_phys_io_range(true , device_id , port , addr , size);
return 0;
}
195
A Appendix
A.2 Source Code of the OLOS System Call Library
A.2.1 Message Structure
The message type is defined in syscall library.h:
typedef int TYPE_CMV;
typedef int TYPE_CCMV;
typedef int TYPE_CSMV;
typedef int TYPE_Signal;
typedef int TYPE_Contr_Signal;
struct TYPE_Coordinate{
int xCoord;
int yCoord;
};
struct TYPE_Message_Struct{
unsigned int Field;
TYPE_CMV crash19;
TYPE_CSMV connection_status;
TYPE_Signal c2eCall;
struct TYPE_Coordinate coord;
TYPE_Signal started23;
struct TYPE_Coordinate outCoord;
TYPE_CCMV connection_control;
TYPE_Signal finished26;
TYPE_CCMV connection_control27;
TYPE_Signal Taskmodel_connection_failed_channel;
struct TYPE_Coordinate coord29;
TYPE_Signal c2MP;
TYPE_Signal started31;
TYPE_Signal finished32;
TYPE_Signal c2GPS;
int x;
int y;
TYPE_Signal finished36;
TYPE_Signal started37;
TYPE_Signal end_eCall2c;
TYPE_Signal start_eCall2c;
TYPE_Signal start_mP2c;
TYPE_Signal start_GPS2c;
TYPE_Signal end_GPS2c;
TYPE_Signal end_mP2c;
int dummy [11];
};
typedef struct TYPE_Message_Struct t_msg;
typedef t_msg *p_msg;
196
A.2 Source Code of the OLOS System Call Library
A.2.2 System Call Functions
syscall library.c contains the definitions of all system call functions:
int olosExFinished ()
{
assembler (trap (0););
return 0;
}
int olosSendMsg(p_msg pmsg , unsigned int mn)
{
int result;
assembler(
loadlocal(r11 , pmsg);
loadlocal(r12 , mn);
trap (1);
storelocal(result , r22);
);
return result;
}
int olosRecvMsg(p_msg pmsg , unsigned int mn)
{
int result;
assembler(
loadlocal(r11 , pmsg);
loadlocal(r12 , mn);
trap (2);
storelocal(result , r22);
);
return result;
}
A.2.3 OLOS Program State
The tool c0 check, developed in the Verisoft project, generates from the Olos source
code a Simpl state representation. Table A.1 on the following page depicts the C0
variables and their generated counterparts side by side.
197
A Appendix
C0 variables Simpl variables
int t msg[MSGLENGTH]
´heap msg :: ref ⇒ int list
t msg *p msg
p msg MB[MSGCOUNT] ´MB :: ref list
unsigned int ca ´ca :: nat
unsigned int ST[SLOTCOUNT] ´AST :: nat list
unsigned int BT[SLOTCOUNT] ´BT :: nat list
bool SPT[SLOTCOUNT] ´SPT :: bool list
unsigned int csn ´csn :: nat
unsigned int PAGEC[SLOTCOUNT] ´PAGEC :: nat list
bool sendflag ´sendflag :: bool
Table A.1: Olos C0 variables and their Simpl representation
A.3 Theory Structure and Statistics
The following paragraph briefly shows the theory structure and its descriptions. Table
A.3 on the next page depicts the number of code lines. The theorems of this thesis and
the corresponding theorem names in the theories are presented in Table A.3 on page 201.
Specifications: verification/spec/∗
• ABC: Devices/abc.thy
specification of the ABC state and transition, appertaining lemmata
• Message Type: AutoLI/syscall library ss.thy
generated C0 small-step code from the implementation (230 LOC)
• Applications: AutoLI/∗
– UP.thy: abstract specification of applications and their behaviour
– ASM DELTA.thy: assembly applications, validity proof (180 LOC)
– C0 DELTA.thy: C0 applications, validity proof (240 LOC)
• ECU: OLOSDevices/∗
– ECUModel.thy: ECU specification
– ECUSimulation.thy: simulation proof of the global compute phase
Implementation Correctness: llverification/olos/∗
• llverification/cvmHoare/cvmHoare.thy:
definition of extended state, Simpl specification of used untyped Cvm primitives
• olos conf.thy:
definitions of Olos specific configurable values, appertaining lemmata
• cvmOlos.thy:
Simpl definitions of Olos specific Cvm primitives, appertaining lemmata
(LOC: 255)
198
A.3 Theory Structure and Statistics
Theory name LOC
ABC Device Σ: 842
abc 842
Applications Σ: 1857
UP 128
ASM DELTA 376
C0 DELTA 1353
ECU Model Σ: 1189
ECUModel 473
ECUSimulation 716
Impl. Correctness Σ: 3303
cvmHoare 191
olos conf 71
cvmOlos 255
olos impl 188
olos hoarespec 1163
interrupt lemmata 315
cvmstep simpl 850
olos simulation 270
Ext. Compiler Correct Σ: 10,917
syscall sim lemmata 484
send recv lemmata 2279
syscall sim ExFinished 899
syscall sim update result 1643
syscall sim RecvMsg 2864
syscall correctness 1921
compute phase sim 827
Table A.2: Verification Effort
199
A Appendix
• olos impl.thy:
generated Simpl code from C0 program of the Olos implementation
• olos hoarespec.thy:
Hoare triple proving the functional correctness of Olos
(size of init code: 490 LOC)
• interrupt lemmata.thy:
definition of the masked cause interrupt vector for Olos,
lemmata relating the output function of applications with interrupts
• cvmstep simpl.thy:
Simpl definition of an entire Cvm step, induction proofs
(size of induction step proof: 508 LOC)
• olos simulation.thy:
simulation proof of overall implementation step
Library Correctness: verification/proof/libolos/∗
• syscall sim lemmata.thy: useful lemmata for all system call proofs
• send recv lemmata.thy: lemmata for the message exchanging system calls
• syscall sim ExFinished.thy: Simulation of system call olosExFinished
• syscall sim RecvMsg.thy: Simulation of successful system call olosRecvMsg
• syscall sim update result.thy: Simulation of calls where only the result vari-
able is set
• syscall correctness.thy: extended compiler correctness theorem, appertaining
lemmata
(size of induction step proof: 900 LOC)
• compute phase sim.thy: Simulation of the Olos compute phase
Finally, we give a small example to demonstrate that proof size, execution time and
degree of difficulty do not correlate: A proof that shows the correctness of the relative
base address of all the elementary message values has the size of 87 proof lines and takes
about 1 minute to execute. In contrast, the computer executes 147 lines of code proving
properties after a SCall execution of olosSendMsg and olosRecvMsg in about 15 seconds.
Moreover, the former example was less demanding and very technically whereas the
latter required more creativity and reflection.
200
A.3 Theory Structure and Statistics
Theorem Name Reference Name in Theory
Application Model Validity
Assembly Theorem 4.3 instance ASMcore t ext type
C0 Theorem 4.4 instance processT
Global Compute Phase Simulation Theorem 4.8 OlosDevSimulation
Functional Correctness of
fun olos init Theorem 5.1 fun olos init spec
fun handle int Theorem 5.2 fun handle timer spec
fun handle trap Theorem 5.3 fun handle trap spec
fun kdispatch Theorem 5.4 fun dispatcher kernel spec
Induction Start Theorem 5.7 ind start weak
Induction Step Theorem 5.8 ind step
Invariant Preservation Theorem 5.9 invariant preserved under
dabc ext
Simulation Theorem 5.10 simulation
System Call Simulation of
olosRecvMsg Theorem 6.10 olosRecvMsg sim mono
olosExFinished Theorem 6.11 olosExFinished sim mono
Remaining cases Theorem 6.12 update result sim mono
Ext. Compiler-Correct. (Ind. Step) Theorem 6.13 c0proc correct step oi
Application Simulation Theorem 6.14 c0proc correctness oi
Cooperative Concurrent Simulation Theorem 6.15 proc consis over pi
Application Embedding Theorem 6.16 cc ecu sim
Table A.3: Theorems and their corresponding names in the theories
201
