Proving Fairness and Implementation Correctness of a Microkernel Scheduler by Matthias Daum et al.
Journal of Automated Reasoning manuscript No.
(will be inserted by the editor)
Proving Fairness and Implementation Correctness of a
Microkernel Scheduler
Matthias Daum · Jan D¨ orrenb¨ acher ·
Burkhart Wolff
Received: date / Accepted: date
Abstract We report on the formal proof of a microkernel’s key property, namely that its
multi-priority process scheduler guarantees progress, i.e., strong fairness. The proof archi-
tecture links a layer of behavioral reasoning over system-trace sets with a concrete, fairly
realistic implementation written in C.
Our microkernel provides an infrastructure for memory virtualization, for communica-
tion with hardware devices, for processes (represented as a sequence of assembly instruc-
tions, which are executed concurrently over an underlying, formally deﬁned processor), and
for inter-process communication (IPC) via synchronous message passing. The kernel es-
tablishes process switches according to IPCs and timer-events; the scheduling of process
switches, however, follows a hierarchy of priorities, favoring, e.g., system processes over
application processes over maintenance processes.
Besides the quite substantial models developed in Isabelle/HOL and the formal clar-
iﬁcation of their relationship, we provide a detailed analysis what formal requirements a
microkernel imposes on the key ingredients (hardware, timers, machine-dependent code) in
order to establish the correct operation of the overall system. On the methodological side,
we show how early modeling with foresight to the later veriﬁcation has substantially helped
our project.
Keywords Microkernel · Formal Veriﬁcation · Interactive Theorem Proving · Isabelle/HOL
1 Introduction
“Real system code” has recently been recognized as a fruitful target for formal veriﬁcation.
By this term, we refer to code actually found in typical operating systems, which implement
Work partially funded by the German Federal Ministry of Education and Research (BMBF) in the framework
of the Verisoft project under grant 01 IS C38.
M. Daum · J. D¨ orrenb¨ acher
Saarland University, Computer Science Dept.
E-mail: {md11,jandb}@wjpserver.cs.uni-sb.de
B. Wolff
Universit´ e Paris/Orsay, LRI
E-mail: wolff@lri.fr2
preemptive multi-tasking, are written in a mix of C and assembly, are compiled with opti-
mizing compilers, and run on modern processors with architecturally visible caches and in-
coherent memory. Since “real” C code characteristically relies on an architecture-dependent
execution model, it has long been considered to be “dirty” and out of the reach of formal ver-
iﬁcation in academia. With the availability of realistic models for hardware processors [12,
10,22,37] in interactive theorem provers, and with the advent of more powerful automated
theorem-proving techniques, this global picture has changed: Real system code veriﬁca-
tion is meanwhile at the brink of feasibility, albeit still representing a grand challenge. At
the same time, veriﬁcation efforts of system-level programs meet a growing demand by
software-engineers, which are confronted by both, the rising complexity of computer archi-
tectures as well as higher reliability requirements of their code.
We call real system-code veriﬁcation a grand challenge because, at present, all current
approaches — including ours — compromise in one way or the other: the logical founda-
tions are quite problematic, the computer architectures are simpler than industrial-strength
processors, the code size is fairly small, or the underlying execution model of C and assem-
bly makes severe simpliﬁcations (see Sect. 8.1).
The availability of a hardware-processor model also represents the foundational layer of
our work. This model describes, at gate level, the transitions of the RISC processor VAMP.
A small piece of software executed on the VAMP, called CVM, provides an abstract layer
running concurrently a system process as well as a number of user processes, i.e., lists of
assembly sequences assuming separate, linear memory. We implemented the microkernel
VAMOS, which is executed as this system process. Our implementation uses the C fragment
C0, which can be translated into assembly code by a veriﬁed compiler [32,31]. VAMOS pro-
vides a process scheduler, an infrastructure for communication with hardware devices, and
message passing between processes. All software layers are formally speciﬁed; reﬁnement
relations correlate the adjacent layers such that eventually, all speciﬁcation layers can be
mapped down to our hardware-processor model. The whole model stack is formalized in the
theorem prover Isabelle/HOL [39].
s
σ σ0
s0
abs rel abs rel
δ
kernel step
Fig. 1 Kernel step reﬁnement (simpliﬁed)
In more detail, CVM and VAMOS to-
gether realize an abstract transition δ by
an implementation function kernel step
as shown in Fig. 1. The transition function
δ represents the execution of a non-empty
portion of a user process including a possi-
ble process switch. Consequently, we need a
reﬁnement proof establishing that the imple-
mentation with its underlying state σ indeed
realizes the high-level state transition δ over
the corresponding abstract state s, where ab-
stract and concrete states are linked via a for-
mally deﬁned abstraction relation.
s s0 s00 s000 δ δ δ
Fig. 2 Kernel traces (simpliﬁed)
On top of the VAMOS layer, we put a
further theory layer for reasoning over the
temporal behavior of the kernel executions.
This layer arranges consecutive δ steps (see
Fig. 2) and provides the necessary infras-
tructure for the proof of a fairness property
ofthescheduler.Inparticular,wedeﬁnekey-3
notions like the set of all possible traces of VAMOS and formulate an invariant of the states
in a trace.
We formulate the fairness property of the scheduler in terms of liveness. More speciﬁ-
cally, it is a strong fairness property as classiﬁed by Francez [23]. In principle: If a certain
process is inﬁnitely often ready to compute, it will always eventually compute. Technically,
the matter is complicated by the fact that the scheduling policy supports static priorities. It
is the nature of static-priority scheduling that it limits fairness to processes of the same pri-
ority level. Switches to processes of a lower priority occur only if all processes of the higher
priorities are not ready to compute. As a consequence of this form of prioritization, a (group
of) high-level processes might diverge and low-level processes will never be executed. Our
notion of prioritized fairness reﬂects this phenomenon.
BasedonpriorworkstemmingfromtheVerisoftProject[26,3](inparticular VAMP [10],
CVM [27,48,49], C0 [31,32] and the proof environment Isabelle/Simpl [45,44]), we have
built our key contribution of this paper: It consists of the VAMOS layer, both speciﬁcation as
well as implementation, and a theory layer culminating in the fairness theorem of the VA-
MOS scheduler.1 To our knowledge, such a theorem has been shown over a realistic kernel
for the ﬁrst time. One might object that VAMP, C0 and VAMOS are built with foresight for
veriﬁcation and rather academic components than industrial-strength processors or micro-
kernel code. The VAMP, however, comprises all essential features of a RISC architecture
including translation look-aside buffers and memory management units, and VAMOS, with
its 3000 lines of C0 (excluding CVM), is not too far away from industrially developed mi-
crokernels (see discussion Sect. 8.1).
This paper proceeds essentially by following the proof architecture as outlined above:
after a background section explaining the context of this work as well as logical and tech-
nical preliminaries related to the used veriﬁcation technique, we present the model and the
implementation of the kernel, the reﬁnement proof linking these two, and the temporal the-
ory over kernel execution traces leading to our ﬁnal result: the proof of prioritized fairness
for the process scheduler.
2 Background
2.1 The Verisoft Project
Although not inherently necessary, it is perhaps instructive to outline the context of this
work: It is actually an extract of a stack of system models developed in the Verisoft project
(funded by the German Federal Ministry of Education and Research, it was ﬁnished in 2007;
currently,itssuccessorVerisoftXT2 isunderwaywithaslightlydifferentfocus).Theproject
adheres to the very idea of pervasive veriﬁcation [9,36]: Each abstraction layer is justiﬁed
by simulation theorems that permit transferring the results to the low-level models. All the
development is mechanized in the uniform logical framework of the interactive theorem
prover Isabelle/HOL and hence it is rigorously checked that all the results ﬁt together.
Our microkernel belongs to Verisoft’s so-called Academic System (as opposed to sys-
tems in subprojects with partners from industry), which is a distributed computer system for
the exchange and management of signed and encrypted e-mails. While the system is able to
receive external e-mails, each computer within the system uses identical hardware and the
1 The theory ﬁles are soon available at http://www.verisoft.de/VerisoftRepository.html.
2 The project’s homepage is http://www.verisoftxt.de/.4
same operating-system software. In Verisoft, we implemented and veriﬁed an e-mail client,
an e-mail server, and a cryptography server that run on top of this operating system.
Hardware
CVM
kdispatch primitives
VAMOS
S
y
s
t
e
m
m
o
d
e
App
OS
kcalls kcalls
App
U
s
e
r
m
o
d
e
Fig. 3 System stack
Fig. 3 depicts the hard- and software lay-
ers of a single computer in the system. The
lowest software layer is called communicat-
ing virtual machines (CVM). This layer en-
capsulates all the hardware-speciﬁc low-level
kernel functionality, which uses inlined as-
sembly. Technically, this software constitutes
the interrupt-service routine of the proces-
sor. CVM’s major task, however, is memory
virtualization and process separation. Hence,
CVM includes a page-fault handler with a
simple memory swapping facility [4]. The
remaining functionality of our microkernel
is implemented by the hardware-independent
kernel part. CVM exports an interface of so-
called primitives for the access to and manip-
ulation of user processes to this kernel part.
We have thereby established a solid frame-
work for microkernel construction.
Using this framework, we have implemented our microkernel VAMOS in the C variant
C0 without inlined assembly. When an interrupt occurs, CVM preserves the old processor
context, establishes a suitable C0 environment and calls the function kdispatch of VA-
MOS. For the manipulation of the user memory or registers, VAMOS may call the primitives
of CVM. The return value of kdispatch determines which process resumes when the kernel
execution ﬁnishes.
While CVM and VAMOS run in the privileged system mode of the processor, processes
run in the unprivileged user mode. In the ﬁgure, we labeled one process “OS” for the op-
erating system and the others “App” as abbreviation for application (e.g., e-mail client or
server). The OS process constitutes the highest layer of our operating system. It features an
advanced rights management with different users, implements a sophisticated access con-
trol to kernel services like process creation and provides further services like ﬁle-system and
network access. All processes interact with the kernel via kernel calls. The special instruc-
tion trap causes an exception, which is handled in VAMOS. VAMOS can examine and alter
the state of the process using CVM primitives, thus identifying the process’s speciﬁc request
and storing the kernel’s corresponding response.
2.2 Isabelle/HOL
HOL [13,5] is a classical logic based on the typed λ-calculus, where types can be built by
type variables α, β, γ, etc., type constructors like bool, int, α set, α list, and α⇒β, where
the latter is used to denote total functions. Further, there is the universal equality = of
type α⇒α⇒bool.
The logic HOL has been implemented as instance in the generic proof-assistant Is-
abelle [39]; nowadays, Isabelle/HOL is that instance of Isabelle, which is mostly used
and developed. A few axioms describe the logical core system based on the logical type
bool with the logical connectives ¬ , ∧ , ∨ and → , which are constants of type5
bool⇒bool or [bool,bool]⇒bool. Moreover, there are the quantiﬁers ∀x.P x and ∃x.P x
which can range over arbitrary types in HOL. In the literature on Isabelle, it is common
to distinguish the built-in (“meta-level”) implication =⇒ and equality ≡ from their
HOL-counterparts → and = ; throughout this paper, these two operators can be con-
sidered equivalent. We also use the notation [[A1;...;An]] =⇒ A as abbreviation for A1 =⇒
(... =⇒ (An =⇒ A)...).
This core language can be extended via axiomatic (“conservative”) deﬁnitions to large
libraries comprising Cartesian product types × with the usual projections fst and snd.
The set type α set can be introduced isomorphic to the function space α⇒bool, i.e., to
characteristic functions, and a typed set theory is introduced with the usual operators, e.g.,
∈ , ∪ , ∩ .
The HOL type constructor τ⊥ assigns to each type τ a type lifted by ⊥. The function
b c : α⇒α⊥ denotes the injection, the function d e : α⊥⇒α its inverse for deﬁned values;
for undeﬁned values the function is left unspeciﬁed (though it is technically deﬁned). Partial
functionsα*β arejustfunctionsα⇒β⊥,overwhichtheusualconceptslikepartialfunction
update f(a7→b) are deﬁned.
Isabelle/HOL supports record notation, which we use extensively. Record types are de-
noted, for example, by:
record T = a :: T1 b :: T2
which implicitly introduces the record constructor (|a = e1,b = e2|) as well as the update
of record r in ﬁeld a, written as r(|a := x|).
2.3 The Veriﬁcation Environment Isabelle/Simpl for C0
For the veriﬁcation of C0, we use a general program-veriﬁcation framework for sequential
imperative programming languages: Isabelle/Simpl [44,45]. It is build as a conservative
extension on top of Isabelle/HOL. The key feature of Isabelle/Simpl is the notion of a Hoare-
Triple:
G` P c Q
Inaprocedureenvironment G,thisstatementclaimsthatundertheassertionP ontheoriginal
program state, the assertion Q will hold after the execution of the code c given in the Simpl
language. The assertions P and Q are simply sets of states. In principle, Isabelle/Simpl is
polymorphic over the state space; we use records but hide the details by an Isabelle syntax,
such that {sv. svvar = 5} denotes the assertion that the value of program variable var in state
sv is ﬁve.
Expressions in Simpl are HOL expressions. In addition to the HOL operations, we have
deﬁned bitwise conjunction ∧u and disjunction ∨u over natural numbers. In contrast
to expressions, statements are represented by an abstract datatype. The statement syntax is
highly abstract, e.g., Basic f represents a state update using function f. In order to present
programs in conventional terms, we employ Isabelle’s powerful syntax translation machin-
ery and denote a program variable by 0var, an assignment by 0var :== 5, a conditional by
IF b THEN s1 ELSE s2 FI, a procedure call by 0var :== CALL update(5), etc. The
index g is used to instruct the parser to generate guards that protect against runtime faults
like overﬂows.
The procedure environment G is a partial function from procedure names to statements.
These statements constitute the procedure body and are deﬁned by the Isabelle/Simpl com-
mand procedures. The following command, for instance, deﬁnes the procedure update:6
procedures update(var | res nat) =
0res nat :==g
0var
It has one formal parameter called var and the result to return to the calling function is
held in variable res nat, i.e., the bar separates input and output parameters. When formally
specifying the functionality of the procedure, we write 0res nat :== PROC update(0var)
as shorthand for the code of procedure update:
G` {sv. svvar = x}
0res nat :== PROC update(0var)
{t. tres nat = x}
states that procedure update assigns the value of its argument to the return variable.
The framework includes a big-step semantics, a Hoare logic for partial as well as total
correctness and an automated veriﬁcation-condition generator for Simpl. Within this se-
quential core language, assembly fragments as well as the C fragment C0 are embedded
— thus, Isabelle/Simpl plays a similar role as Boogie for the Spec#/VCC environment [6]
or the WHY-tool for Caduceus [20]. The embedding is based on a compiler converting
C0-constructs in terms of operations provided by the small-step semantics of the VAMP ma-
chine. A correctness proof for this compiler, that links the small-step semantics to the Simpl
big-step semantics, is also provided [2]. This correctness theorem about the embedding of
C0 into Simpl allows for mapping low-level properties to more abstract ones formulated on
the big-step semantics of C0. Throughout this paper, we will present all algorithms in Simpl
(so that we can rely on a uniform Isabelle/HOL foundation); note, however, that this Simpl
code is the result of an automatic translation from the C0 code that is actually compiled and
runs on the machine. Alkassar et al. have dedicated a separate article [3] on the semantics
stack in Verisoft.
C0 is a well-typed language comprising compound values, i.e., structures and arrays.
We employ the HOL type system to model C0 programming language types. Isabelle’s type
inference then takes care of typing constraints that would otherwise have to be explicitly
maintained in the assertions. Propositions, however, that explicitly refer to the memory lay-
out or to hardware device registers cannot be proven on the C0-Hoare-Logic level; in these
situations, the veriﬁcation necessarily descends down to the VAMP level. Our approach is
to abstract the effect of those low-level computations into atomic XCalls (extended calls) in
all our semantic layers. In particular, the state-space of C0 is augmented with an additional
component that represents the state of the external component, e.g., a device. An XCall is
a procedure call that performs a transition on this external state and communicates with C0
via parameter passing and return values. With this model, it is straightforward to integrate
XCalls into the semantics and into Hoare logic reasoning. XCalls are typically implemented
in assembly.
2.4 Code Veriﬁcation in Isabelle/Simpl
The introduction presents a bird’s eye view on the reﬁnement as depicted in Fig. 1. In prin-
ciple, we can reformulate the depicted claim in Isabelle/Simpl as follows:
G` {sv. abs rel sv s}
PROC kernel step()
{t. abs rel t (d s)}
Assuming an abstraction relation abs rel that holds for a concrete state sv and an abstract
state s, the relation is preserved by the transitions kernel step on the concrete level and d7
on the abstract level. Just like the ﬁgure, this statement is an over-simpliﬁcation. We post-
pone the details to Sect. 6.
Our approach to code veriﬁcation combines reﬁnement and code correctness, i.e., con-
tracts are speciﬁed in terms of the abstract states. As a simple example, we assume a library
function append, which appends an element to a singly-linked list. In the implementation,
the list is represented as a pointer structure described by the variables 0head and 0next. In
order to prove that a speciﬁc pointer structure in the state t after a function invocation indeed
denotes a list, it is useful to know that the original pointer structure in state sv already de-
noted a list. We encapsulate the list property in a predicate invlist over the pointer variables
and formulate correctness of append(0head, 0elem) as follows:
G` {sv. invlist
svhead svnext ∧ abs rellist
svhead svnext xs}
PROC append(0head,0elem)
{t. invlist
thead tnext ∧ abs rellist
thead tnext (xs @ [svelem])}
i.e., we express the effect of the function in terms of its abstract representation, which is a
concatenation of lists.
Note that our approach to abstract representations of memory coincides with the idea of
“ghost ﬁelds” attached to C structures in Spec#/VCC [6]. In the pragmatics for Spec#/VCC,
one would provide a ghost ﬁeld to each list-node attaching to it what the node and the pointer
structure it points to represent.
3 Microkernel Design
The kernel of an operating system is the code that runs in the privileged mode of a processor,
i.e., this and only this code has unrestricted access to all hardware resources. Traditionally,
kernels provided an abstraction from the hardware processor and the external devices. When
kernels grew in size over the years because of a rising variety of hardware, and especially
external devices, the traditional systems were called monolithic and the idea of smaller mi-
crokernels was born.
The motivation for microkernels, however, is manifold. Microkernels became a popular
researchtopicinthelate1980stogetherwiththeideaofmulti-personalityoperatingsystems,
which demanded a more general hardware abstraction than the traditional approach. This
ﬁrst generation of microkernels such as Mach [41] or IBM’s Workplace OS [21] suffered
from a poor performance. When Jochen Liedtke analyzed these systems [35], he pinned the
problem down to a feature-overloaded mechanism for inter-process communication (IPC).
Together with a light-weight, ﬂexible IPC mechanism [33], he proposed the minimality of
hardware abstractions [34] in the kernel and suggested that servers implement the traditional
services of operating systems. Engler et al. [18] took the idea of minimality a step further
and banned (nearly) all abstractions from the kernel. Instead of resource management, the
kernel was restricted to resource protection. Abstractions were implemented in operating-
system libraries and directly linked to the user processes.
Our microkernel design is not as minimal as Engler or Liedtke proposed. We host all
functionality in the kernel that would be hard to verify if implemented in user processes.
Obeying this principle, the memory management, support for ﬁnite IPC timeouts, and the
scheduler live in our microkernel. Device drivers, which constitute the largest part of today’s
monolithic kernels, are implemented outside our microkernel. In the remainder of this sec-
tion, we describe the basic functionality of our kernel in more detail. Moreover, we regard
the design aspect of correctness, and ﬁnally, we explain our scheduling policy.8
Functionality. Our microkernel VAMOS performs the following tasks: (a) enforcement of
a minimal access control, (b) process management, (c) memory management, (d) priority-
based round-robin scheduling, (e) support for user-mode device drivers, and (f) inter-process
communication (IPC). Processes can control these tasks via the kernel’s application binary
interface (ABI). Table 1 lists the kernel calls that constitute the ABI.
A minimal access-control mechanism reserves most kernel calls for so-called privileged
processes. Thus, only a privileged process can bring up new processes or kill existing ones,
alter the memory consumption of processes, change their scheduling parameters, or control
the registration of device drivers. Any process, however, might use the IPC mechanism. We
presume that the privileged processes constitute the user-mode parts of the operating system
and implement a more sophisticated access-control mechanism. Non-privileged processes
may then communicate with the privileged processes in order to request kernel services on
their behalf.
When VAMOS boots, it launches one single process, the init process. This process is
privileged and has to set up the required servers of the operating system, start and register
the device drivers, and possibly run initial applications.
Adevicedriver isauserprocess,whichisdesignatedforthecommunicationwithcertain
devices. Only if a process is registered as a driver for a particular device, it may place read
or write requests from or to that device, respectively. Moreover, the device driver is notiﬁed
of interrupts from that device.
Design of a Correct Microkernel. Modern microkernels are strictly evaluated by their per-
formance. While efﬁciency is clearly essential for the applicability of a microkernel, many
implementationsevensacriﬁceperdurabilityforperformanceanddeclare,e.g.,aﬁniterange
of numbers as “sufﬁciently large” such that overﬂows should not occur during the expected
lifetime of the kernel. An old but even ABI-visible example is Liedtke’s [33] generation
Table 1 Application binary interface of the VAMOS kernel
Kernel Call Description
Access Control
SET PRIVILEGED p add a process to the set of privileged processes
Process Management
PROCESS CREATE p create a new process from a memory image
PROCESS CLONE p copy an already existing process
PROCESS KILL p kill a process
Memory Management
MEMORY ADD p increase the amount of virtual memory for a process
MEMORY FREE p decrease the amount of virtual memory for a process
Scheduling Mechanism
CHG SCHED PARAMS p change scheduling parameters
Device Driver Support
CHANGE DRIVER p (un)register a process as a driver for a set of devices
ENABLE INTERRUPTSd re-enable a set of interrupts after their successful handling
DEV READd / DEV WRITEd communicate with a certain device
Inter-Process Communication
IPC SEND/ IPC RECEIVE unidirectionally communicate with another process
IPC REQUEST send a message and immediately wait for a reply
CHANGE RIGHTS manipulate IPC rights
READ KERNEL INFO receive information from the kernel
p call is reserved for privileged processes d call is reserved for device drivers9
counter: In order to ensure a thread’s identity, the ﬁxed internal format of thread identi-
ﬁers reserves some bits for a counter, which is incremented on reincarnation. A possible
overﬂow, however, is just neglected. Although such an approach might be accepted for non-
critical systems, it does certainly not suit a critical, veriﬁed system; moreover, a restriction
on the lifetime contradicts the formal notion of liveness.
As a consequence, our kernel has no such “expiration date”. For this to work, we main-
tain a solely relative notion of time within the kernel. Furthermore, a capability-like man-
agement of process identiﬁers allows for a conceptually inﬁnite name space for identiﬁers.
Another design decision is related to provable correctness as well: the absence of a
so-called idle process. In some microkernels, this distinguished process is scheduled with
lowest priority and should implement a busy wait. We circumvent assumptions on user-
level processes if possible and have thus implemented the idle loop (which solely waits for
incoming interrupts) directly in the kernel.
Process Scheduling. The basic policy underlying the scheduler in VAMOS is round-robin
process selection. This basic policy, however, can be adjusted by two regulators: priorities
and timeslices. Our scheduler supports three different priority levels. Only processes in the
highest, non-empty priority class will be scheduled. Processes in a lower class wait until no
processes are ready to compute in any higher priority class. Within one priority class, the
timeslice determines how long a certain process may compute until it is preempted in favor
of another process of the same priority class. Thus, timeslices determine the relative weight
of process runtimes while priorities lead to the preemption of lower process classes.
4 The Implementation Layer
This section is devoted to the implementation of our microkernel. Recall that VAMOS is im-
plemented to run as CVM’s kernel machine. Certainly, we have to represent this framework
in our programming model. Hence, we describe in the ﬁrst subsection, how we model the
effects of CVM in Simpl as seen by a VAMOS programmer. The second subsection brieﬂy
introduces the top-level function kdispatch of VAMOS, which is called by CVM. Finally,
we present the code of the timer-interrupt handler, which constitutes the core component of
the VAMOS scheduler.
4.1 Representation of the Framework CVM
Though the CVM layer itself is not implemented in C, we can express its effects in terms of
Simpl code. Two CVM components are visible in our programming model: (a) a processor
abstraction containing the user processes with separate registers and linear, virtual memory
and (b) a device subsystem, which communicates with the processor via memory-mapped
I/O. Both components are combined in the global variable 0cvmX.
The processor abstraction cvm ups 0cvmX comprises not only the actual user machines
userprocesses, but additionally a current-process identiﬁer currentp and a status register
statusreg storing the currently enabled interrupts. The function exceptvec p computes the
vector of the exceptions that occur during the next step of a process p. Some exceptions
write an exception-data register; its content is computed by edata nat p. We call the device
component cvm devs 0cvmX and deﬁne the function intvec, which computes the interrupt
vector from a state of the device subsystem.10
procedures kernel step() =
0up :==g cvm ups 0cvmX;
IFg currentp 0up = ⊥ THEN (∗ CVM is idle ∗)
0eca :==g statusreg 0up ∧u intvec (cvm devs 0cvmX);
0edata :==g 0
ELSE
0proc :==g (userprocesses 0up) dcurrentp 0upe;
0eca :==g statusreg 0up ∧u (exceptvec 0proc ∨u intvec (cvm devs 0cvmX));
0edata :==g edata nat 0proc;
0cvmX :==g (0up (|userprocesses := dup (userprocesses 0up) dcurrentp 0upe|),
cvm devs 0cvmX)
FI;
IFg
0eca > 0 THEN (∗ has an enabled interrupt been raised? −− Then call kdispatch ∗)
0cp :== CALLg kdispatch (0eca, 0edata );
0cvmX :==g ( (cvm ups 0cvmX)(|currentp := if 0cp ∈ procnumT
then bAbs procnumT 0cpc
else ⊥|),
cvm devs 0cvmX )
FI
Fig. 4 Simpl function kernel step, which represents a combined step of CVM and VAMOS
The pseudo-code of a CVM transition is shown in Fig. 4. This transition consists of up to
two phases: First, the current process executes one (assembly) step if existing.3 Second, the
CVM layer computes the vector of enabled interrupts and invokes the kernel’s kdispatch
function if an enabled interrupt has been raised. There are two possible sources of inter-
rupts: The current process may cause an exception, and external devices may raise their in-
terrupt line. Interrupts are ignored when not enabled in the status register. The return value
of kdispatch describes the process to be run next: If the value is a valid process number,
this process is elected, otherwise, the system idles until the next device interrupt occurs.
4.2 The top-level function of VAMOS
Upon kernel entry, the CVM routine calls the function kdispatch of VAMOS. Fig. 5 shows
the implementation of the function kdispatch of our microkernel. This function handles
the incoming interrupts that could not be taken care of by CVM. The function takes two
parameters: The exception cause eca, which is a bit vector of occurred interrupts, and the
exception data edata, which contains the trap number if a trap has occurred.
As the name kdispatch suggests, the function is characterized by a number of case
distinctions. We distinguish:
Initialization. After power-up, the processor generates a reset interrupt. In this case, the
CVM framework sets up its internal data structures (not shown in kernel step) and
then passes the interrupt on to the kdispatch function. If called with the reset-interrupt
bit set, kdispatch calls the function vamos init, which initializes the data structures
of VAMOS. The remaining interrupt vector is ignored.
Process Exceptions. The current process may cause a number of exceptions during its exe-
cution. From the kernel’s perspective, there are only two alternatives: a fatal exception
like an illegal page fault or a trap. In the former case, there is no reasonable recover
procedure, and thus, the process is simply killed by VAMOS. The semantics of a fatal
3 Recall that we do not rely on the existence of an idle process. Hence, there might be no current process.11
procedures kdispatch (eca, edata | res nat) =
IFg (0eca ∧u 1) 6= 0 THEN
0dummy i :== CALLg vamos init()
ELSE
0old cup :==g
0current process;
IFg (0eca ∧u UEXCEPT MASK) 6= 0 THEN
0dummy i :== CALLg process kill(HANDLE SELF)
ELSE
IFg (0eca ∧u EXCEPT TRAP) 6= 0 THEN
0dummy i :== CALLg handle trap(0edata)
FI
FI;
IFg (0eca ∧u DEVICE TIMER BIT) 6= 0 THEN
0dummy i :== CALLg handle timer(0old cup)
FI;
IFg (0eca ∧u UEXT INT MASK) 6= 0 THEN
0dummy i :== CALLg int delivery(0eca)
FI
FI;
IFg
0current process 6= Null THEN
0res nat :==g
0current process → 0pid
ELSE
0res nat :==g 0
FI
Fig. 5 The kernel-dispatcher function of VAMOS
exception is exactly the same as if the process had requested to be killed via the ker-
nel call process kill. Hence, we reuse this function. In case of a trap, the function
trap handler is called. This function is essentially a huge case distinction over trap
numbers.
Timer Interrupt. Independently from the process exceptions, we check for the timer inter-
rupt, which is passed on to the function handle timer. This function implements the
scheduler (see Sect. 4.3).
Device Interrupts. If external devices have raised interrupts, the function int delivery is
invoked in order to disable the interrupts and then either immediately deliver the inter-
rupts, if thecorresponding device-driver processes arewaiting, or schedule theinterrupts
for later delivery.
The function kdispatch determines its return value using the global variable 0current
process, which is a pointer into the process information block (PIB) of the current process.
If there is no current process, the pointer is NULL and we return 0 (meaning “wait for inter-
rupts”). Otherwise, we retrieve the process identiﬁer (PID) of the current process from the
PIB. Once, the function kdispatch returns, the CVM framework transfers the CPU to the
process identiﬁed by the return value.
4.3 The Timer-Interrupt Handler
When a timer interrupt occurs, kdispatch calls the function handle timer (see Fig. 6).
This function constitutes the heart of our scheduler and performs the following tasks:
– acknowledge the timer interrupt by reading a word from the timer device such that the
latter may lower its interrupt line.12
procedures handle timer(old cup | res int) =
(∗ acknowledge the timer interrupt ∗)
0dummy :== CALLg cvm in word(DEVICE TIMER, 0);
(∗ detect and handle elapsed IPC timeouts ∗)
IFg
0next timeout 6= INFINITE TIMEOUT THEN
0current time :==g
0current time + 1
FI;
IFg
0current time ≥ 0next timeout THEN
0dummy i :== CALLg check elapsed timeouts()
FI;
(∗ charge the process that computed in the last step ∗)
IFg
0old cup 6= Null ∧ 0old cup → 0state = READY STATE THEN
IFg
0old cup→0consumed time ≥ 0old cup→0timeslice THEN
0ready lists ! (0old cup→0priority) :==
CALLg queueDelete(0ready lists ! (0old cup→0priority), 0old cup);
0ready lists ! (0old cup→0priority) :==
CALLg queueAppend(0ready lists ! (0old cup→0priority), 0old cup);
0old cup→0consumed time :==g 0
ELSE
0old cup→0consumed time :==g
0old cup→0consumed time + 1
FI
FI;
(∗ select the process that runs in the next step ∗)
0dummy i :== CALLg search next process();
0res int :==g 0
Fig. 6 Function handle timer
– increase the current time and check for elapsed timeouts. This check is encapsulated
in function check elapsed timeouts, which traverses the wait queue, wakes up all
processes with elapsed timeouts, and subtracts the current time from all other time-
outs. Finally, the current time is set to zero. This approach avoids the overﬂow of the
0current time variable at relatively low cost.4
– charge the process 0old cup that computed in the last step if it is still ready. If the so
far consumed time of 0old cup is greater than or equal to its timeslice, the process is
moved to the end of its ready queue and the consumed time is set to zero. Otherwise, the
consumed time is increased by one.
– elect the process that runs in the next step by invoking function search next process,
which returns the ﬁrst element in the ready queue with the current maximum priority.
5 The Abstract System Layer
At the abstract layer, we describe our computer system by a number of communicating
automata. Fig. 7 depicts the situation: Automaton AV+D speciﬁes the overall system and is
composedofthedeviceautomatonAD andthe VAMOS automatonAV.Theformerdescribes
4 We have compared the described timeout adjustment with an overﬂow-aware implementation. The latter
does not prevent overﬂows but the check for elapsed timeouts takes overﬂows into account. To our surprise,
the overﬂow-aware implementation comprises 122 instructions more than the timeout adjustment. This over-
head is caused by the more involved comparison between the current time and the timeouts. Apparently, the
expression evaluation for lazy operators is comparatively costly.13
AD AV
AV+D
SvV
WV
SvD
WD
SvV+D
WV+D
Fig. 7 The input/output automata of the abstract system layer and their relationship
thebehavioroftheexternaldeviceslikethekeyboard,thetimerorthenetworkcardwhilethe
latter formalizes the behavior of the processor with VAMOS running on it. The automata AD
and AV communicate using the alphabet SvV (from the device subsystem to the processor)
and the alphabet WV (from the processor to the devices). Our kernel uses memory-mapped
I/O for device communication. Hence, the output alphabet WV comprises read and write
accesses to device addresses whereas the input alphabet SvV consists of interrupt lines and
optionally incoming data.
In addition, the devices may interact by an external interface with the environment in
order to receive keystrokes, for example, or send network packages. We deﬁne this interface
by the alphabets SvD and WD. This external device interface is exposed by the overall system
(alphabets SvV+D and WV+D).
We specify VAMOS running on the VAMP by AV = (SV, S 0
V, SvV, WV, wV, dV) with
the state space SV, the set of initial states S 0
V ⊂ SV, the input alphabet SvV, the output
alphabet WV, the output function wV, and the transition function dV. Likewise, we deﬁne
AD and AV+D. In this article, we focus on AV and AV+D. Alkassar and Hillebrand [1]
describe the device model in detail.
ThestatesSV+D oftheoverallsystemarepairsofa VAMOS statesV ∈ SV andadevice-
system state sD ∈ SD. The input alphabet SvV+D is used to determine which subsystem takes
the next step. It extends SvD (indicating a device step) by the value ⊥ for a processor step.
The output alphabets are the same, i.e., WV+D = WD. Note that the output of the device
subsystem depends on the transition, i.e., dD returns pairs (sD, w) of a successor state sD
and an output w. Consequently, there is no separate output function for AV+D.
Transitions dV+D of the overall system inspect the input and distinguish three cases:
1. An external device transition is performed, if the input i ∈ SvV+D contains an input for
the device subsystem. The VAMOS component remains constant in this case.
2. A local kernel transition is performed if the input is ⊥ and the VAMOS output wV sV is
idleWV.
3. A kernel-device transition is performed if it is the processor’s turn (overall input ⊥) and
the kernel requests a device communication, i.e., wV sV = readWV device port count or
wV sV = writeWV device port data. In this case, dV+D passes the VAMOS output with
the transition function dD to the device subsystem. In response, the device subsystem
delivers an output w, which contains the read data if requested. Using this data, dV+D
ﬁnally performs the VAMOS transition dV.
In the remainder, we describe the VAMOS automaton in more detail. This automaton
speciﬁes the interaction between the kernel and the user processes. User processes are mod-
eled as assembly machines interacting with the kernel via a well-deﬁned interface, the kernel
ABI. In analogy to AV, we specify a process by a self-contained input/output automaton.
The following tuple represents a user process:
Aasm = (Sasm, initasm, Svasm, Wasm, wasm, dasm)
with the state space Sasm, the initialization function initasm, the input alphabet Svasm, the
output alphabet Wasm, the output function wasm, and the transition function dasm.14
[[current instr sasm = trap 13; ¬ fatal excpt sasm]]
=⇒ wasm sasm =
dev read (reg2devnum (sasm.gprs ! 11)) (reg2port (sasm.gprs ! 12)) (regs2buﬀer sasm 13 14)
dasm err unprivileged sasm = sasm
(|gprs := sasm.gprs[22 := −4], dpc := sasm.pcp, pcp := (sasm.pcp + 4) mod 232|)
Fig. 8 Formal deﬁnition of output and transition function of assembly processes for the call DEV READ
A state sasm ∈ Sasm contains a normal and a delayed program counter (implementing
the delayed branch mechanism), a ﬁle of general-purpose registers, and a byte-addressable
linear memory. The initialization function initasm takes a binary program as parameter and
determines the according initial process state. The output alphabet Wasm enumerates all pos-
sible kernel calls, a few error conditions, and the output eW denoting the intention to perform
a local computation. The input alphabet Svasm contains all responses to kernel calls and error
conditions as well as the input eSv for a process-local transition.
Fig. 8 depicts the formal deﬁnition of the output function wasm and the transition func-
tion dasm, for a dev read call. We assume that sasm is the state of an assembly process. If
the current instruction encodes a trap 13 and no fatal exception (e.g., an illegal page fault)
occurred, the output function returns dev read with the speciﬁed device number (register
11), port number (register 12), and the buffer (registers 12 and 13).
Letusnowassumethatthekernelrecognizesthisoutputbuttheprocessisnotprivileged.
In this case, the kernel informs the process of this error by passing err unprivileged on
to the transition function dasm of the process. For this input, the transition function updates
the result register 22 with -4. Furthermore, the delayed program counter dpc is set to the
former value of the normal program counter pcp and pcp is increased by 4 modulo 232.
After this brief introduction of the user processes, we describe the components of AV in
more detail. Finally, we formally specify the VAMOS scheduler.
The State Space. A state of the VAMOS automaton is an abstraction of the implementa-
tion state. While we avoid redundancy, we resemble the information that is required for the
observable kernel behavior.
A state sV ∈ SV comprises the following components:
sV.procs is a partial function mapping process identiﬁers (PIDs) to their assembly states
sasm ∈ Sasm.
sV.priodb is a partial function mapping PIDs to their priorities.
sV.schedds contains the scheduling data structures like wait and ready queues as well as
process-speciﬁc accounting information like the length of the timeslice.
sV.rightsdb contains information for the IPC rights management and the set of privileged
processes.
sV.sndstatdb aretheremainsoftheprocessstatusintheimplementation.Usually,themem-
bership in a ready or wait queue determines the current process status—except for one
case: An IPC REQUEST call has a send and a receive phase, which might both require
waiting. The send status database sV.sndstatdb keeps track of the phase.
sV.devds contains data for device communication.
Note, that the partial functions are only deﬁned for the PIDs of the currently active
processes.15
[[wasm dsV.procs dv cup sV.scheddsee = dev read bdevidc bportc buffer;
buffer 6= BufUndeﬁned;
buffer 6= BufUnavailable;
dsV.devds.driver devide = dv cup sV.scheddse]]
=⇒ wV sV = readWV devid port (bufLength buffer)
Fig. 9 Formal deﬁnition of the output function for the call DEV READ
The Output Function. The function wV determines the output in a certain VAMOS state
and is used in the function dV+D to ﬁgure out whether a device interaction is desired. VA-
MOS interacts with the device subsystem by read or write requests. A device interaction is
initiated,iftheoutputofthecurrentlyrunningprocess wasm dsV.procs dv cup sV.scheddsee
indicates a dev read or dev write call, the arguments are valid, and the process is the
driver for the speciﬁed device. Fig. 9 depicts the formal deﬁnition of the output function wV
for the call dev read.
The Transition Function. The transition function dV takes two parameters: (a) an input d
from the device subsystem, which contains data read from a device, and (b) a VAMOS state
sV. It returns a successor state s 0
V. Within a transition, we distinguish up to three phases:
1. If the current process cp = dv cup sV.scheddse is deﬁned, we consult its output wasm
dsV.procs cpe ∈ Wasm and compute the response according to the current VAMOS state.
For instance, if a process calls dev read, we check for sufﬁcient privileges and choose
the corresponding response res ∈ Svasm for success or failure. With this response, we
advance the current process by calling its transition function:
sV(|procs := sV.procs(cp 7→ dasm res dsV.procs cpe)|)
On success, res comprises the device data d, and otherwise an error value.
2. If the timer-interrupt line is raised, the timer-interrupt handler is invoked (see Sect. 4.3).
3. Finally, VAMOS delivers the occurred interrupts to the according drivers (assuming that
the latter are waiting; otherwise, the interrupts are saved in sV.devds for a later delivery).
Each phase is encapsulated in its own speciﬁcation function. For space restrictions, we
cannot present all of them but content ourselves with the speciﬁcation of the timer-interrupt
handler handleTimer. We formally deﬁne this function in the following section.
5.1 The Scheduler
On the abstract level, the scheduler is deﬁned by the component schedds of the VAMOS
state space and the VAMOS transition function. Below, we describe the data structures. The
transition function, however, is far too complex for a full presentation in this article. Hence,
we conﬁne ourselves to the core of the scheduler: the timer-interrupt handler.
Data Structures. The component sV.schedds is divided into sub components. The current
time time ∈N is a counter for clock ticks. Process-speciﬁc scheduling information for active
processes is collected in the partial function procdb that maps PIDs to a record of (a) the
timeslice tsl, (b) the amount of consumed time ctsl, and (c) the absolute timeout timeout.
If a process is found to be computing when a timer interrupt raises, the component ctsl
is increased until the process has ﬁnally run for tsl ticks. In this case, another process is16
checkTimeouts sV ≡ sV
(|procs := λx. if expiredTimeout sV.schedds x
then if is process sending sV.procs sV.sndstatdb x
then bdasm err snd timeout dsV.procs xec
else bdasm err rcv timeout dsV.procs xec
else sV.procs x,
schedds := sV.schedds
(|ready := λp. sV.schedds.ready p @
[x∈sV.schedds.wait . expiredTimeout sV.schedds x ∧ dsV.priodb xe = p],
wait := [x∈sV.schedds.wait . ¬ expiredTimeout sV.schedds x],
procdb := λx. if expiredTimeout sV.schedds x then bdsV.schedds.procdb xe(|ctsl := 0|)c
else sV.schedds.procdb x|),
sndstatdb := λx. if expiredTimeout sV.schedds x then bFalsec else sV.sndstatdb x|)
Fig. 10 Speciﬁcation of checkTimeouts
scheduled. If a process calls the kernel for IPC and no partner is ready for communication,
the absolute timeout timeout is computed from the current time and the relative timeout that
has been speciﬁed with the call.
Moreover, the scheduler maintains different queues for scheduling. They are repre-
sented as ﬁnite sequences in the VAMOS speciﬁcation. Namely, there is a ready queue
sV.schedds.ready prio of schedulable processes for each priority prio. Additionally, all pro-
cesses currently not ready to be scheduled (because they are waiting for an IPC partner) are
held in the queue sV.schedds.wait. Inactive ones are stored in sV.schedds.inactive.
In VAMOS, the current process is the ﬁrst process in the highest, non-empty ready queue.
If all ready queues are empty, the current process is undeﬁned. Or more technically, we
concatenate the ready queues from the highest to the lowest and specify the ﬁrst process in
this list as current:
v cup schedds ≡
case concat (map schedds.ready [high prio, med prio, low prio]) of [] ⇒ ⊥ | x · xs ⇒ bxc
Handling Timer-Interrupts. The abstract function handleTimer speciﬁes the semantics of
the timer-interrupt handling in VAMOS. It increases the current time whereby timeouts of
waiting processes might elapse. All processes with elapsed timeouts are woken up and no-
tiﬁed about the timeout. Furthermore, the handler charges the current process in order to
ensure prioritized fairness in our scheduling algorithm: If the current process has consumed
its whole timeslice, it is moved to the end of its ready queue; otherwise, the value of the
consumed timeslice is increased.
Following the implementation, we specify handleTimer as composite of two functions
checkTimeouts and reschedule, i.e.,
handleTimer sV cp ≡
reschedule (checkTimeouts (sV(|schedds := sV.schedds(|time := sV.schedds.time + 1|)|))) cp
The former describes the handling of elapsed timeouts, i.e., it awakes waiting processes
with an elapsed timeout and notices the affected processes. The latter balances the timeslice
account of the current process.
The formal deﬁnition of checkTimeouts is given in Fig. 10. We encapsulate the check
for an expired timeout of a waiting process in the predicate expiredTimeout. If the timeout
of a user process expires, the process is noticed by an error value. With the error value, we
distinguish whether it has been waiting in the send phase (predicate is process sending
holds) or in the receive phase.17
reschedule sV cp ≡
let procdb = sV.schedds.procdb dcpe; ready = sV.schedds.ready dsV.priodb dcpee
in sV(|schedds := if cp = ⊥ ∨ dcpe / ∈ set ready then sV.schedds
else if dprocdbe.tsl ≤ dprocdbe.ctsl
then sV.schedds
(|ready := sV.schedds.ready
(dsV.priodb dcpee := [x∈ready . x 6= dcpe] @ [dcpe]),
procdb := sV.schedds.procdb(dcpe 7→ dprocdbe(|ctsl := 0|))|)
else sV.schedds
(|procdb := sV.schedds.procdb(dcpe 7→ dprocdbe
(|ctsl := dprocdbe.ctsl + 1|))|)|)
Fig. 11 Speciﬁcation of reschedule
In addition, we wake up each notiﬁed process pid: At ﬁrst, the process is removed from
the wait queue and appended to the ready queue according to their priority. At second, it
retrieves its full timeslice, i.e., we reset its consumed time dsV.schedds.procdb pide.ctsl
to zero. At third, we reset its send status sV.sndstatdb pid to False: Recall that this value
determines whether the process is waiting in the receive phase of an IPC request call after a
successful send phase. With the canceled IPC call, this condition cannot hold any longer.
The function reschedule takes two parameters: The resulting state after checkTimeouts,
at the one hand, and the identiﬁer cp of the current process at kernel entry, at the other hand.
Note that the latter is necessary because the current process might change while handling
kernel calls (phase 1 of the transition function dV) and the VAMOS state does not hold the
current process as a distinguished value but rather generates it from the current state of the
ready queues. Nevertheless, it is important to charge that process cp that actually computed
immediately before the kernel entry.
The formal deﬁnition of reschedule is given in Fig. 11. Three situations are determined
while updating the scheduling data structures:
In the ﬁrst one, there has been no current process at kernel entry, i.e., cp = ⊥ or this
process cp has been rescheduled in the meantime. In this case, the current process has “paid”
in the sense that it is not computing anymore. Thus, there is nothing to do but to increase the
current time.
In the second situation, the current process cp at kernel entry is still ready to compute.
In order to preserve the fairness of the scheduling, we check whether cp consumed all of
its assigned timeslice. If so, we shift cp to the end of its ready queue and ensure that the
processisnotscheduledagainuntilallotherprocessesinthequeuehadachancetocompute.
Technically, we ﬁrst remove it from the according queue and then append it again. For the
next computation phase, cp should again get its full timeslice. Hence, we set its consumed
time to 0.
In the third situation, the current process cp at kernel entry is as well ready to compute
but its timeslice is not yet fully consumed. In this case, the consumed time of process cp is
increased by 1 but it is allowed to proceed with its computation.
6 Reﬁnement
In the last sections, we have introduced the VAMOS implementation and the abstract system
model. In this section, we formally relate both layers by a proof of functional correctness.
As mentioned in the introduction, the function kernel step of the CVM layer implements
together with the VAMOS code a transition dV+D of the abstract system model. For the18
sV+D
sv t
s 0
V+D
abs relV+D abs relV+D
dV+D
kernel step
Fig. 12 Kernel step reﬁnement
reﬁnement proof, we link the abstract states sV+D, s 0
V+D and the implementation states sv, t
via the formally deﬁned abstraction relation abs relV+D.
Fig. 12 visualizes the kernel step reﬁnement whereas the following theorem gives a
formal statement:
Theorem 1 (Kernel Correctness) If the invariant invi holds for an implementation state
sv, the abstraction relation abs relV+D correlates sv and the abstract state sV+D, and the
function kernel step is executed, then abs relV+D again correlates the resulting imple-
mentation state t and the abstract state obtained by dV+D ⊥ sV+D, and the invariant invi
holds for t.
G` {sv. abs relV+D sv sV+D ∧ invi sv}
PROC kernel step()
{t. abs relV+D t (fst (dV+D ⊥ sV+D)) ∧ invi t}
Most notably, the abstraction relation abs relV+D is the conjunction of two independent
abstraction relations for the kernel data structures, on the one hand, and the device subsys-
tem, on the other hand. We introduce abs relV+D and the implementation invariant invi in
more detail in the following subsections.
Recall that the transition function dV+D uses its input parameter to determine whether
the kernel or solely the device subsystem (e.g., by receiving a network package) advance
during a transition of the overall system. If this input is not ⊥, the kernel remains constant.
Knowing that the abstraction relation of the kernel data structures and the one of the device
subsystem are independent, we may consequently disregard changes that are limited to the
device subsystem in the consideration of the kernel reﬁnement. While we are interested in
the kernel-device interaction, we disregard any external device input from the environment
and the according output to it. As a consequence, this input is ﬁxed at ⊥ in the theorem
above. Recall that the transition function dV+D returns a pair of the updated state and the
external output. We are, however, only interested in the updated state, and thus, take the ﬁrst
component of this pair, i.e., s 0
V+D = fst (dV+D ⊥ sV+D).
Proof (Idea) The correctness of this statement is based on the correctness of all functions
applied in the scope of kernel step. Thus, for all functions we have to deﬁne and prove
lemmata stating their correctness. Eventually, we connect these lemmata in order to prove
the correctness of the overall system.
The proof of Theorem 1 mainly relies on the correctness of the function kdispatch rep-
resenting the main function of the VAMOS implementation. The correctness of kdispatch,
in turn, depends on the correctness of its four different parts: the initialization, the handling
of process exceptions, the timer-interrupt handler and the delivery of device interrupts (see
Sect. 4.2). u t19
Due to complexity, we cannot provide deep insights on the correctness of all these parts.
We rather conﬁne ourselves in the remaining section to the timer-interrupt handler as an
example. Stating the correctness of the function handle timer relies on the abstraction
relation and the implementation invariant. Thus, we ﬁrst sketch both before we deal with the
actual correctness of the handler.
6.1 Abstraction Relation
In this section we are concerned with the abstraction relation abs relV+D. Together with the
state invariant invi, which we present in Sect. 6.2, it constitutes a crucial part throughout the
complete functional veriﬁcation. A wrong or insufﬁcient formulation would question our
overall correctness result as stated in Theorem 1.
The abstraction relation abs relV+D relates an implementation state sv with an according
abstract state sV+D, where sV+D is a pair consisting of a VAMOS state sV and a state sD of
the device system. Formally, the relation is deﬁned as follows:
abs relV+D sv (sV, sD) ≡ abs relv sv sV ∧ sD = cvm devs svcvmX
The right-hand side of the conjunction is an equality for the device subsystem states be-
cause both, the implementation and the speciﬁcation, share the same device representation.
Much more effort is necessary to relate the kernel implementation and the abstract VA-
MOS state sV. The deﬁnition of abs relv comprises several conjunctions that reﬂect the
structure of a VAMOS state. Each conjunction is dedicated to a certain component of sV
relating relevant implementation variables with their abstract counterparts:
abs relv sv sV ≡
rel procsv sv sV.schedds.inactive sV.schedds.wait sV.procs ∧
rel scheddsv sv sV.schedds ∧
rel priodbv sv sV.schedds.inactive sV.priodb ∧
rel sndstatdbv sv sV.procs sV.sndstatdb ∧
rel rightsdbv sv sV.schedds.inactive sV.rightsdb ∧ rel devdsv sv sV.devds
The relations for the following components actually hide functional abstractions: the
devicedatastructures,thesendstatusdatabase,therightsdatabase,andtheprioritydatabase.
For space restrictions we cannot provide the formal speciﬁcation for all of these abstractions
but take rel priodbv as an example.
For this relation, however, we use some basic abstractions that bridge the implementa-
tion and the speciﬁcation regarding the process identiﬁers and the priorities. The implemen-
tationrepresentsprocessidentiﬁersandprioritiesasunsigned32-bitintegers,whilethespec-
iﬁcation uses ﬁnite subtypes of natural numbers, namely procnumT ≡ {1..<PID MAX}
and prioT ≡ {0..<3}. The function Abs procnumT takes an unsigned 32-bit integer value
and computes the corresponding abstract process number. The inverse function is called
Rep procnumT. For priorities, we have the functions Abs prioT and Rep prioT, respec-
tively.
With these basic abstractions at hand, we formally specify:
rel priodbv sv sV.schedds.inactive sV.priodb ≡
sV.priodb =
(λp. if p ∈ set sV.schedds.inactive then ⊥
else bAbs prioT (svpriority (svpib ! Rep procnumT p))c)
The component sV.priodb deﬁnes a partial mapping between process identiﬁers and priori-
ties. Inactive processes are not assigned with any priority but with ⊥. Processes are inactive20
iff they are in the inactive queue sV.schedds.inactive. For active processes we have to ex-
plore the priority as assigned in the implementation. Thereby, the crucial point is to obtain
the pointer corresponding to process p. Pointers to the process information blocks of all user
processes are collected in the list svpib. By design we know, that the corresponding pointer
to process p is stored at the index, which we get by converting the process number p to a
natural number. Based on the pointer, the heap function svpriority delivers the priority, which
ﬁnally is abstracted by Abs prioT.
The relation rel priodbv relies on the inactive queue, which is obtained by abstracting
the inactive list in the implementation. The implementation describes a list by a pointer
head to the ﬁrst element of the list. A list can be traversed by means of the previous and
next pointers provided by the functions prev and next. In contrast, the model solely talks
about lists of process numbers. We base our abstraction of these process queues on predicate
Queue:
Queue head next prev pid Ls ≡
∃Rs lst.
(Path head next Null Rs ∧ Path lst prev Null (rev Rs)) ∧
map (Abs procnumT ◦ pid) Rs = Ls
where Path h n e l tests whether the list l can be constructed starting with element h and
collecting further elements by recursively applying function n until element e is reached.
The formal deﬁnition of Path is:
Path x h y [] = (x = y)
Path x h y (p · ps) = (x = p ∧ x 6= Null ∧ Path (h x) h y ps)
The ﬁrst two conjunctions of Queue specify a doubly-linked list Rs of references using
predicate Path. The last conjunction states that the list Ls of process numbers can be con-
structed from list Rs by applying the function Abs procnumT ◦ pid to each element. Using
this predicate, we abstract the inactive list from the implementation variables svinactive list,
svqueue next, svqueue prev, and svpid. By design we know, that the variables specify a
doubly-linked list of references representing the list of waiting processes. Thus, in conjunc-
tion with the abstraction relation we can formulate the following statement:
[[rel scheddsv sv sV.schedds; Path svinactive list svqueue next Null Ps;
Path lst svqueue prev Null (rev Ps)]]
=⇒ Queue svinactive list svqueue next svqueue prev svpid sV.schedds.inactive
Inananalogousway,wecanabstracttheotherlists,whichcoverbigpartsoftheschedul-
ing data structures. Nevertheless, abstracting the remaining parts – the time and the process-
speciﬁc scheduling data – is slightly more interesting, caused by the diverse notion of time.
On the abstract level we specify points in time as unbounded natural numbers while the
implementation uses unsigned 32-bit integers to represent those times.
Thus, the speciﬁcation reﬂects the abstract idea of a monotonic increasing time while
the implementation employs the fact that only a ﬁnite range of time points is relevant at a
certain execution step. Consequently, there is a growing offset between the implementation
time and the abstract time. We formulate this fact in the following statement:
rel scheddsv sv sV.schedds =⇒
∃n. svcurrent time + n = sV.schedds.time ∧
(∀p. p / ∈ set sV.schedds.inactive ∧ p ∈ set sV.schedds.wait −→
abs timeout (svtimeout (svpib ! Rep procnumT p)) += n =
dsV.schedds.procdb pe.timeout)
A natural number n deﬁnes the offset of the implementation variable svcurrent time and
the component time in the scheduling data structures of the model. This same number is the
offset between the (absolute) timeouts of the non-inactive waiting processes.21
The implementation stores timeouts as unsigned 32-bit integers, where the maximal
value represents an inﬁnite timeout. In the speciﬁcation, we use the predeﬁned Isabelle/
HOL type inat that extends the natural numbers by the value ∞. We have deﬁned the func-
tion abs timeout to convert the implementation value into the abstract one. For abstract
timeouts, we deﬁned the operation += in order to increment a timeout by a natural number.
The processes are also connected via an abstraction relation. We remember, that the
implemented system stores the interrupt information in the exception-cause and exception-
data registers and performs a step of the current process, by applying dup, before entering the
kernel (cf. Sect. 4). In contrast, the model does not save the information regarding interrupts,
but rather computes it indirectly via wasm, if needed. Thus, in order to get the proper output,
the process in the model must be kept in the original state until (possible) interrupts are
completely handled. If the occurred interrupts, e.g., a trap, can be handled within one kernel
phase, the user step in the model is performed within dV+D, and when leaving the kernel,
both machines are synchronous again. A different situation occurs, if processes have to wait
while performing an IPC operation with no suited partner at hand. In this case, they wait
until a partner appears or the timeout for the operation expires. Thus, while the process in
the implementation already performed a step, the model keeps the original state and thereby
has the possibility to explore the pending operation. Consequently, it might happen, that the
states of waiting processes in the implementation and in the model differ over several kernel
phases.
For clariﬁcation: We know about waiting processes, that they eventually have been the
current process performing a trap instruction without fatal errors. Otherwise, no IPC opera-
tion would be possible.
The semantics of dup in case of a trap instruction without fatal errors is given by solely
increasing the program counters. Thus, the relation between waiting processes in the imple-
mentation and the ones in the model is deﬁned as follows:
[[rel procsv sv sV.schedds.inactive sV.schedds.wait sV.procs;
x / ∈ set sV.schedds.inactive;
x ∈ set sV.schedds.wait;
∃i. current instr dsV.procs xe = trap i]]
=⇒ dsV.procs xe(|dpc := dsV.procs xe.pcp, pcp := (dsV.procs xe.pcp + 4) mod 232|) =
(cvm ups svcvmX).userprocesses x
Waiting processes x are performing an IPC operation which was triggered by a trap instruc-
tion of type trap i. In the model, the state of a non-inactive but waiting process x is that
one, that, after increasing the program counters, again corresponds with the implementation
state of process x.
States of waiting processes have to be abstracted in a relational manner because the
increasing of the counters is not invertible.
In contrast, for non-waiting processes the functional abstraction is possible. Inactive
ones are assigned with ⊥ whereas all others are mapped one-to-one.
6.2 Implementation Invariant
This section deals with the second main ingredient of the correctness theorem: the state
invariant.
Encapsulated in the predicate invi, it establishes validity requirements on implementa-
tion states. These requirements reach from ordinary range restrictions of values to those
affecting the concrete implementation design. Previous statements like “we know by de-22
sign” must be discharged by the invariant. Thus, similar to abs relV+D a careful and well-
considered formulation of invi is essential.
Formally, the invariant is deﬁned as:
invi sv ≡
validProcs sv ∧ validRanges sv ∧ validRights sv ∧ validPIB sv ∧ validLists sv ∧ validDevds sv
where sv represents an implementation state. With some exemplary excerpts, we communi-
cate the ﬂavor of the invariant. Space restrictions and complexity do not allow the complete
presentation.
Predicate validProcs states the validity of the user processes. It ensures, for instance,
that each process has 32 general purpose registers and that register values ﬁt into 32 bits.
Rangesof thekernel variablesare ﬁxedthroughvalidRanges.Thus, theprocess identiﬁersin
the implementation are restricted to the range between 0 and PID MAX. Furthermore, the
length of the list keeping the pointers to the process information blocks equals the number
of processes, i.e., PID MAX, and the time value is smaller than MAX TIME.
validRanges sv =⇒
(∀p∈set svpib. 0 < svpid p < PID MAX) ∧
length svpib = PID MAX ∧ svcurrent time < MAX TIME
Recall that in the abstraction relation rel priodbv, we knew by design, that the corre-
sponding pointer to process p is stored at the index of svpib, which we get by converting the
process number p to a natural number. This fact can be derived from predicate validPIB and
the properties derived above:
[[validPIB sv; ∀p∈set svpib. 0 < svpid p < PID MAX; length svpib = PID MAX]]
=⇒ ∀p. ∃x∈set svpib. svpib ! Rep procnumT p = x
To be right with rel priodbv, let us consider the validity statements regarding the inac-
tive list and lists in general. Statements regarding the lists are subsumed by the predicate
validLists. Mainly, they are characterized through the relation between the state of a process
and its list membership. Hence, for the inactive list this means, that processes are only in the
inactive list iff their state is also set to inactive:
[[validLists sv; Path svinactive list svqueue next Null Inact;
Path lst svqueue prev Null (rev Inact)]]
=⇒ ∀p∈set svpib. (svstate p = INACTIVE STATE) = (p ∈ set Inact)
We can derive similar statements for the wait and ready queues.
The predicates validRights and validDevds tie down the design regarding the rights and
device data structures. Both data structures are not relevant for this paper, thus, we leave out
any further details.
6.3 Implementation Correctness of the Timer-Interrupt Handler
Stating the correctness of the timer-interrupt handler does not rely on the complete abstrac-
tion relation abs relV+D, due to the fact that occurring device steps can be moved to the
overall step function dV+D. To reﬂect the situation before calling the timer-interrupt handler,
we even have to adjust abs relv regarding the user processes. If a timer interrupt occurs, the
timer-interrupt handler is either called after the trap handler or directly after entering the
kernel. Both situations have different impact on the user processes, especially regarding the
one of the current process. To deal with this, we deﬁne a relation rel procsT as a more ﬁne-
grained process abstraction than provided by rel procsv. The resulting abstraction relation
abs relT is equal to abs relv with rel procsT replacing rel procsv.23
In order to show the functional correctness of the timer-interrupt handler, we start with
the formal correctness of the function check elapsed timeouts.
Theorem 2 (Correctness of the check elapsed timeouts routine) The semantic effects
of the function check elapsed timeouts are described by the abstract function check-
Timeouts.
G` {sv. abs relT sv s ∧ invi
0 sv ∧ pre sv}
0res int :== PROC check elapsed timeouts()
{t. abs relT t (checkTimeouts s) ∧ invi
0 t ∧ post sv}
Note, the function check elapsed timeouts is applied after increasing the time in func-
tion handle timer. This may lead to a situation where, e.g., the time is no longer smaller
than MAX TIME. Thus, in the precondition we can only assume a weaker state invariant
invi
0, where among others, the time-related properties of invi are extracted. However, the
predicate pre keeps track of such extracted and adjusted properties as well as of properties
implicitly given by the implementation.
In the postcondition this part is taken over by the predicate post. For instance, invi
0
does not fulﬁll the complete validity requirements for ready queues. Actually, the head
of the ready list of the highest priority determines the current process. Waking up pro-
cesses, as it happens in check elapsed timeouts, could violate this property, because
the highest priority might change. This violation is not resolved to the point where function
search next process is called in handle timer. In the meantime, predicate post keeps
track on this situation.
Proof The main ingredient for this proof is the formulation of the loop-invariant for the
iteration over the wait queue, which resembles the ﬁlter function over the abstract lists. The
invariant itself is a rather technical detail, which we do not elaborate on in this paper. Once
we found this invariant, the proof was straight forward. u t
Using the correctness result of this routine, we can ﬁnally prove the correctness of the
function handle timer:
Theorem 3 (Correctness of the Timer-Interrupt Handler) The semantic effects of the
function handle timer are described by the abstract function handleTimer.
G` {sv. abs relT sv s ∧ invi sv}
0res int :== PROC handle timer(0old cup)
{t. let pid = if svold cup = Null then ⊥ else bAbs procnumT (svpid svold cup)c
in abs relT t (handleTimer s pid) ∧ invi t}
Proof The proof of this function involves at the one hand, a distinction over the three cases
distinguished in the implementation. Hence, we show that the scheduling policy is correctly
implemented with regard to the speciﬁcation function reschedule. At the other hand, we
have to establish the precondition for check elapsed timeouts. With this prerequisite
in place, we use its speciﬁcation checkTimeouts to establish the claim of our theorem.
Additionally, the state invariant invi is again recovered. u t
Together with the remaining steps of kdispatch and dV+D we derive abs relV+D and ﬁ-
nally prove Theorem 1.24
readyhigh
readymed
readylow
wait



1 2
3 4
5
−






2
3 4
5
1






2
3 4
5
1






−
3 4
5
1 2






−
3 4
5
1 2






2
4 3
5
1






2
4 3
5
1






2
4 3
5
1






−
4 3
5
1 2






−
4 3
5
1 2






2
4 3
5
1



step 1 2 3 4 5 6 7 8 9 10 11        
1 2 2
3 3
2 2 2
4 4
2 2 high
med
low
Fig. 13 An exemplary execution trace of VAMOS together with its scheduling data structures
7 A Temporal Property: Scheduler Fairness
In this section, we extend the formal VAMOS model for the reasoning about temporal be-
havior, we develop the notion of prioritized fairness and ﬁnally prove that our scheduler
conforms with this deﬁnition.
At ﬁrst, however, let us consider an example trace as shown in Fig. 13. The matrices
at the top represent the ready queues and the wait queue of VAMOS. Our scheduler elects
always the ﬁrst process in the highest, non-empty ready queue for computation. In the ﬁrst
shown step, two processes are in the highest priority class, and process 1 is computing
(as shown at the bottom) because it is the ﬁrst in the highest ready queue. The elected
process runs until it generates an exception or an external interrupt occurs. In the example,
we assume that process 1 issues an IPC call and then has to wait for a suitable partner such
that process 2 is computing in the second step.
A timer interrupt occurs (indicated by  ) and process 2 is charged for its computation in
step 2, i.e., the counter ds.schedds.procdb (Abs procnumT 2)e.ctsl is increased. Process
2, however, is the only one in its ready queue and continues to compute in step 3. Now,
we assume that process 2 issues an open IPC receive and is found waiting in step 4 while
process 3 computes. In step 5, a timer interrupt occurs, which charges process 3. For this
example, we assume that all processes have a single timeslice—hence, process 3 will be
preempted as its timeslice ran out. Moreover, we assume that a timeout wakes up process
2. Now, process 2 continues to compute until, e.g., it issues again an IPC call and starts
waiting in step 8. We will later return to this example.
There are various notions of fairness. In the operating-system community, fairness of
static-priority scheduling is typically measured by the ratio of the CPU usage among equally
prioritized tasks. Fagin and Williams [19] have illustrated this quantitative fairness notion
by the carpool problem. We, in contrast, formalize the liveness property of strong fairness
according to the taxonomy of Francez [23]. Certainly, it would be desirable to predict at
least the waiting time of a certain process until it ﬁnally computes but this task is hard to
achieve.
In principle, the waiting time of the most prioritized processes is linear and an upper
bound for the waiting time could be given. In general, however, the waiting time of the pro-
cesses necessarily depends on the computations of all more prioritized processes. In theory,
this problem might be solvable by static program analysis [24], which reliably predicts an
upper bound for the worst-case execution time of programs in real-time operating systems
[30] with static scheduling. In practice, the predicted time bound or the complexity of the
predicting computation would be farcically high in our setting.25
Recall, for example, that the paging mechanism is built into our kernel. The execution
of a single instruction on the VAMP can involve up to two memory accesses at independent
addresses, namely, an instruction fetch and a data load or store. Each memory access in the
user mode might trigger a page fault, which is handled in more than 14,000 instructions.
Similarly, a cache access in hardware is by orders of magnitude faster than the direct access
of the physical memory in case of a cache miss.
A static analysis can either assume that every user-mode instruction involves about
28,000 instructions in system mode, or it has to regard the whole computer system from
the hardware including caches and the timer device via the kernel implementation up to the
user processes at once in all its detail. Measurements [47,40] produce considerably lower
time bounds but are not exhaustive and might thus miss an unlikely worst case. Our ap-
proach, on the contrary, abstracts from the implementation, focuses on the kernel behavior
and is thus limited to a liveness property.
Besides the difﬁculty to prove a quantitative fairness property, the temporal property
simply sufﬁces for our original motivation: The here presented work is part of a larger proof
effort that establishes the formal foundation of a veriﬁcation environment for concurrent
programs [16]. In this context, it is only relevant that a single process under concern will
eventually progress in the concurrent environment. Even total correctness in the concurrent
environment can be established without a detailed timing analysis.
Liveness properties are deﬁned over inﬁnite transition sequences, or traces. We regard
only the VAMOS processor model AV, here, because the kernel does not rely on a speciﬁc
device system AD. We represent the traces as two functions states and inputs that map
the step number to the current state sV ∈ SV and to the input i ∈ SvV for the next step,
respectively.
Deﬁnition 1 (Trace) Two functions states and inputs describe a trace iff they meet the
following conditions:
states 0 ∈ S 0
V
∀n. states (n + 1) = dV (inputs n) (states n)
In order to reason about the behavior of a trace, we need an invariant inva over the
abstract-state sequences. The complete invariant is quite elaborate, hence, we only sketch
two queue-related properties, which we will refer to later on in the fairness proof:
– An active process is either in the wait or in the ready queue, and an inactive process is
in neither queue. Formally:
inva s =⇒
if s.procs p = ⊥ then p / ∈ set s.schedds.wait ∧ (∀i. p / ∈ set (s.schedds.ready i))
else (p ∈ set s.schedds.wait) 6= (p ∈ set (s.schedds.ready ds.priodb pe))
– A waiting process pid is in the process of an IPC operation, i.e.,
[[inva s; pid ∈ set s.schedds.wait]] =⇒ is ipc (wasm ds.procs pide)
We show that the constant inva is indeed an invariant over the abstract traces:
Theorem 4 (Abstract invariant) Predicate inva is an invariant over traces, formally:
inva (states m) holds for arbitrary m.
Proof We prove this statement by induction. At ﬁrst, we establish inva for the initial states:
sV ∈ S 0
V =⇒ inva sV. At second, we show that inva is maintained by the transition function,
i.e., inva sV =⇒ inva (dV i sV). Finally, we derive our claim inva (states m) by the
deﬁnition of traces. u t26
Based on Deﬁnition 1, an unconditioned fairness property is:
∃l≥k. progress ((states l).procs pid) ((states (l + 1)).procs pid)
where the predicate progress p q holds iff q can be produced by a transition from p, i.e.,
q = dasm i p.5 This statement, however, is too strong for the VAMOS scheduler because it
neglects several aspects of our system:
– Processes are dynamic entities and PIDs may be reused. Thus, the process pid in step l
might not be the same as the one in step k.
– A process pid might start an IPC operation with an inﬁnite timeout. If there is never
another process willing to communicate with process pid, the latter starves.
– Prioritization leads to the preemption of less prioritized process classes – without any
time bound (according to our scheduling policy as described in Sect. 3).
– The implementation relies on a live timer device because the scheduler is activated only
by the timer interrupt (see Sect. 4.3).
Consequently, we have to weaken our notion of fairness in this context. At ﬁrst, we
recall that liveness conditions are formulated over inﬁnite traces. Hence, we exclude all
terminating processes, i.e., ∀n≥k. (states n).procs pid 6= ⊥, where pid is an arbitrary,
ﬁxed process ID.
At second, we assume a predicate pending inﬁnite ipc s pid, which examines a state
s and holds iff the process pid is pending in an IPC operation with an inﬁnite timeout. If
a process forever remains pending in this state, it is certainly not the fault of the scheduler
but a programming or protocol error. Thus, we do not consider such starving processes, i.e.,
∀n≥k. ∃m. n ≤ m ∧ ¬ pending inﬁnite ipc (states m) pid.
At third, the priority of a process is runtime-conﬁgurable by the kernel call CHG SCHED
PARAMS. Upon a priority change, the process will be removed from its old priority’s ready
queue and appended to the new one. As long as the priority is only conﬁgured at the be-
ginning (or more precisely: changed only a ﬁnite number of times), we can ﬁnd an inﬁnite
subtrace without a priority change. If, however, there are inﬁnitely many changes, the pro-
cess may starve. We exclude this case because it contradicts the concept of static-priority
scheduling, and state: ∀n≥k. (states (n + 1)).priodb pid = (states n).priodb pid.
At fourth, we assume that the timer device produces inﬁnitely often timer interrupts as
part of the inputs, i.e., ∀n≥k. ∃m≥n. is timer on (inputs m). Note that this condition is
our only assumption about the device system AD.
So far, our restrictions have been evident adjustments to the considered system. The
remaining problem, which regards priorities, is somewhat more involved. Let us consider a
process pid in the highest priority class, i.e., (states k).priodb pid = bhigh prioc. From
the assumptions above, we can show that this process pid will eventually make progress,
i.e.,
∃l≥k. progress ((states l).procs pid) ((states (l + 1)).procs pid)
This formulation of fairness, however, states nothing about the processes residing in
lower priority classes. A statement over fairness for the latter necessarily depends on the
(intermittent) absence of a process in a higher priority class, which is ready to compute.
All processes, which are willing to compute, are enqueued in the ready queue of its prior-
ity. Thus, we can determine the absence of a prioritized, ready process by examining the
according ready queues, i.e., process pid has the maximal priority in state s if
5 Technically, the matter is complicated by the fact that the amount of process memory is held with the
processes. Transitions changing only this amount, are certainly not considered as progress.27
∀prio>ds.priodb pide. s.schedds.ready prio = []
We encapsulate this property in a predicate has maxprio s pid.
In order to extend our fairness statement to all processes, we examine our exact schedul-
ing mechanism more carefully: The currently computing process cup is charged by increas-
ing its consumed time ds.schedds.procdb cupe.ctsl (and eventually preempted) if and only
if the timer interrupt occurs. In other words, a process must have the maximal priority in-
ﬁnitely often while the timer interrupt occurs, i.e.,
∀n≥k. ∃m≥n. has maxprio (states m) pid ∧ is timer on (inputs m)
Note that this assumption implies timer liveness.
readyhigh
readymed
readylow
wait



2
4 3
5
1






−
4 3
5
1 2






−
4 3
5
1 2






2
4 3
5
1



step 8 9 10 11    
2
4 4
2 2 high
med
low
Fig. 14 A VAMOS trace with a race condition
The execution trace shown in Fig. 14 il-
lustrates this problem: In step 8, process 2
computes and issues, say, an IPC receive.
When the timer interrupt occurs, the sched-
uler recognizes that process 2 has been com-
puting at the last step. Process 4 starts to com-
pute in step 9 and sends a message to process
2 in step 10, which causes the latter to wake
up. Thus, process 2 is found computing when
the timer arrives in step 11. If the sequence of
events between step 8 and 11 continues, pro-
cess 4 will never get charged and process 3
starves although it has frequently the maxi-
mal priority.
Of course, it is possible to change the scheduling mechanism such that all processes
found running in between two timer interrupts will be charged. This code change, however,
would require extra bookkeeping during the IPC path, which is the most critical one for
system performance. Most L4 kernels even completely skip the scheduler for performance
reasons after some IPC operations [42,17]. Hence, we favored the shorter path over an opti-
mized scheduling.
It is crucial to understand the implications of this design choice, in particular, the pos-
sible exploits by malicious processes and the mechanisms to its prevention by prioritized
processes. For an active exploit, the user process needs a clock of higher precision than the
timer tick, which can only be achieved by another external timer device. If we exclude this
unlikely setting, the process cannot predict the time when the tick arrives and the consistent
recurrence of the race condition becomes exponentially unlikely.
An informal statement of likeliness, however, is not satisfactory to an assumption of a
formal proof. Hence, we examine the necessary preconditions for the race condition. There
are three possibilities for a switch to higher priority between timer ticks: (a) A process of
higher priority might be created, (b) the scheduling priority of an existing process might
be raised, or (c) an IPC call might resume a prioritized, waiting process. The former two
are caused by kernel calls reserved for privileged processes. These processes are typically
most prioritized and have to be trusted anyways. The latter requires the collaboration of the
prioritized process. We regard this situation as a special form of priority inheritance [42].
Concluding, we state:
Corollary 1 (Prioritized Fairness) The VAMOS scheduler is fair with respect to priority
classes, i.e., at all sufﬁxes of an inﬁnite trace, all processes will eventually make progress,
iff they (a) never terminate, (b) remain forever at the same priority class, (c) do not starve in28
an IPC operation with an inﬁnite timeout, and (d) have inﬁnitely often the maximal priority
while the timer interrupt is raised.
We formalize this fact as:
[[(∗ trace ∗) states 0 ∈ S 0
V; ∀n. states (n + 1) = dV (inputs n) (states n);
(∗ a ∗) ∀n≥k. (states n).procs pid 6= ⊥;
(∗ b ∗) ∀n≥k. (states (n + 1)).priodb pid = (states n).priodb pid;
(∗ c ∗) ∀n≥k. ∃m≥n. ¬ pending inﬁnite ipc (states m) pid;
(∗ d ∗) ∀n≥k. ∃m≥n. has maxprio (states m) pid ∧ is timer on (inputs m)]]
=⇒ ∃l≥k. progress ((states l).procs pid) ((states (l + 1)).procs pid)
Proof We prove the theorem by case distinction. From the invariant inva we know that a
process pid can either be inactive, waiting, or ready. The ﬁrst case immediately contradicts
Assumption (a).
If a process is waiting, we can infer from the invariant inva that this process is in the
process of an IPC operation, i.e., is ipc (wasm ds.procs pide) and that there is no suitable
partner ready for communication.
Let us assume that the process forever remains in the wait queue. If the process has
issued an inﬁnite IPC call, we have a contradiction with Assumption (c). If, however, a ﬁnite
timeout was speciﬁed with the call, the timeout will eventually elapse. We know this because
of timer liveness and the fact that handle timer is invoked whenever the timer interrupt
occurs (by kdispatch, see Fig. 5). Upon each method invocation, handle timer increases
the variable current time and checks for elapsed timeouts (as speciﬁed in handleTimer,
see Sect. 5.1). Once, the timeout is elapsed, the process is dequeued from the wait queue (as
speciﬁed in checkTimeouts, see Fig. 10).
Thus, we know that the process cannot remain forever in the wait queue. The transition
function dV speciﬁes exactly two cases, where a process is dequeued from the wait queue:
(a) there is a partner issuing a kernel call for IPC or (b) the operation times out. In both
cases, VAMOS responds to the process with a result value that indicates success or failure.
Formally: The transition function dV involves an update of the process s.procs pid by dasm
res ds.procs pide with the result value res—our deﬁnition of progress.
The remaining case is that process pid is ready at step k. We know that ready processes
reside in the ready queue corresponding to their priority. When examining dV, we can ob-
serve that a process will be dequeued from a ready queue only if (a) it becomes inactive,
(b) its priority changes, or (c) it has been computing. The ﬁrst two cases lead to a contradic-
tion with our assumptions (a) and (b)).
Computing usually means that the process makes progress immediately. Most notably,
ourimplementationguaranteesliveness,i.e.,astarteduserprocessperformsatleastonestep
between two subsequent kernel entries (ﬁrst phase in dV). Still, there might be no immediate
progress if a computing process calls the kernel for an IPC operation. In this case, however,
the kernel will enqueue the process in the wait queue, and we have shown fairness for all
processes in this queue.
Finally, we regard the case that a process forever remains in the ready queue. Together
with Assumption (d), we can infer that the process will move forward in the ready queue
until it is the ﬁrst one: The assumption ensures that the process has the current maximum
priority inﬁnitely often while the timer interrupt is active. When the timer interrupt occurs,
the scheduler function handle timer is invoked, and it charges the current process cup,
i.e., the ﬁrst process in pid’s ready queue (see Fig. 11). Charging a process means increasing
the consumed time ds.schedds.procdb cupe.ctsl unless it exceeds the timeslice, and moving
the process to the end of its ready queue if the timeslice is exceeded. Thus, the consumed
time value of cup increases strictly monotonic as long as the current process remains the ﬁrst29
in its ready queue. Moreover, timeslices are bound by a ﬁxed value because they are stored
in a 32-bit number in the implementation. Hence, the consumed time eventually exceeds the
timeslice, and cup is moved to the end of its ready queue. That means, cup appears after pid
in the ready queue. By induction, we can infer that process pid will eventually be the ﬁrst
in its ready queue and thus, when it eventually has the maximum priority, it is the current
process. The current process computes in the next step and we have already shown that a
computing process eventually makes progress. u t
Temporal properties like our prioritized fairness are often described in temporal logics.
The advantage of such a logic is succinctness while the Isabelle/HOL formalization (Corol-
lary 1) is crucial for the property transfer. We have combined the best of both worlds by
an embedding of future-time linear temporal logic (LTL) into Isabelle/HOL. Thus, we can
ﬁnally present our main result in LTL:
Theorem 5 (Prioritized Fairness) The VAMOS scheduler is fair with respect to priority
classes, i.e., if a process pid (a) ﬁnally never terminates, (b) ﬁnally remains forever at the
same priority class, (c) does inﬁnitely often not pend in an IPC operation with an inﬁnite
timeout, and (d) has inﬁnitely often the maximal priority while the timer interrupt is raised,
it will always eventually progress.
Formally:
hS 0
V, SvV, dViA|=(∗ a ∗) ♦ (λ(i, s, n). s.procs pid 6= ⊥) −→
(∗ b ∗) ♦ (λ(i, s, n). n.priodb pid = s.priodb pid) −→
(∗ c ∗) ♦ (λ(i, s, n). ¬ pending inﬁnite ipc s pid) −→
(∗ d ∗) ♦ (λ(i, s, n). has maxprio s pid ∧ is timer on i) −→
♦ (λ(i, s, n). progress (s.procs pid) (n.procs pid))
The term hS 0
V, SvV, dViA describes an action Kripke structure. This structure deﬁnes the set
of all inﬁnite traces that can be produced by the set of initial states S 0
V, the input alphabet
SvV, and the transition function dV. Each trace in this set is a function from natural numbers
to triples (s, i, n), where s is the current state, i is the input for the transition, and n is the
next state.
Proof We deduce the theorem from Corollary 1 mainly by the expansion of the LTL deﬁni-
tions. An LTL formula f is valid for a Kripke structure K, i.e., K |=f, iff f is valid for all
its traces:
K |=f ≡ ∀t∈K. (t,0)|=f
whereas the validity (t,j)|=f of a formula f for trace t at position j is deﬁned by cases, i.e.,
(t,j)|= P ≡ P (t j)
(t,j)|=f ≡ ∀k≥j. (t,k)|=f
(t,j)|=♦f ≡ ∃k≥j. (t,k)|=f
Ultimately, Corollary 1 all-quantiﬁes over a single sufﬁx while in LTL, Assumption (a),
Assumption (b), and the conclusion might hold for different sufﬁxes. We instantiate the
position k in the corollary with the maximal position of the tree sufﬁxes and derive our
claim. u t
According to Francez [23], the classic deﬁnition of strong fairness is formalized in LTL
as: ♦enabled −→ ♦selected, i.e., if a certain process is inﬁnitely often ready to com-
pute (LTL-predicate enabled), it will always eventually compute (selected). Technically, our
theorem has a different structure.30
If we examine the Assumptions (a) and (b), however, we observe that these assumptions
are of a very basic kind: It is certainly impossible to prove temporal fairness for a termi-
nating process, and a changed priority contradicts the notion of static-priority scheduling.
We maintain that any real system has similar basic assumptions and do not consider these
conditions as part of the enabledness.
We may conﬁne our consideration to a system with a static number of processes and
without priority changes, i.e., after a time of system set up, the kernel calls process kill
and chg sched params are no longer used. In this scenario, the Assumptions (a) and (b)
become set up conditions and we just consider the state after set up as the initial state. In this
system, we have only two enabledness assumptions of the kind ♦enabled. This artifact is
important because the conjunction of both enabledness assumptions would be considerably
weaker.
8 Conclusion
We provide a formal proof of a microkernel’s key property, namely the temporal fairness
property of its multi-priority process scheduler. The proof architecture links a layer of be-
havioral reasoning over system-trace sets over a concrete, fairly realistic implementation of
the VAMOS kernel written in C down to a formal, foundational model of a RISC processor
called VAMP. To our knowledge, such a proof based on a model stack of this concrete level
of detail and with such a clean, seamless logical foundation has been undertaken for the ﬁrst
time.
We believe that our work represents a signiﬁcant step towards the grand challenge of
“real code veriﬁcation”, although we compromised in a number of ways in order to achieve
our goal:
– the VAMP is not a “real”, i.e., industrial-strength processor,
– C0 is a typed, simpliﬁed fragment of C; this forces to shift more low-level computations
into assembly programs as necessary in a more powerful C execution model,
– the compiler of C0 is not optimizing, and
– the VAMOS code has been written by the veriﬁcation engineers themselves, and often
with foresight to the tool-chain and the veriﬁcation task.
Despite these simpliﬁcations, which were partly applied for project-pragmatic reasons, we
maintain that our models are still not too far away from industrial-strength processors, C
code and microkernel implementations such as the PikeOS kernel. Whether it is ever pos-
sible to verify system-level programming code of a substantial size written without any
foresight to veriﬁcation is a fully open question at present.
We would like to argue that the possibility of adapting speciﬁcations, code, and tool-
chain to each other greatly simpliﬁed the task of achieving our goal. Besides the obvious
foresight that all code was written in C0 and had to live with the restrictions imposed by our
tool-chain, we see the following (incomplete) list of mutual inﬂuences:
– The abstract modeluses inﬁnite datatypes to modelkey entities like time, processes,etc.,
whiletheconcreteimplementationoftheseentitiesisboundtobit-vectorrepresentations
of numbers. We ensured the reﬁnement relation by using a solely relative notion of
time within the kernel. Furthermore, a capability-like management of process identiﬁers
allows for a conceptually inﬁnite name space of identiﬁers.
– The function kernel_step assures that at least one assembly step of a user process is
executed (actually, an earlier version of the CVM layer contained a ﬂaw in this respect).
Without this property of kernel_step, our global theorem breaks.31
– The fairly simple reﬁnement scheme between kernel_step and δV+D required a lot of
experimenting within the deﬁnition of the abstraction relation, which has to cope with
the fact that parts of the concrete computations “overtake” their abstract counterparts
and vice versa.
– The precise form of the contracts and the invariants in the implementation certainly
needed the foresight on what was actually required in the proofs at higher levels.
Itturnedoutthatamajorobstacleofourworkwasthelackofearly,systematicvalidation
of the speciﬁcation; at the end, we found substantially more errors there than in the (fairly
well-tested) implementation, although some intricate bugs could only be revealed by the
veriﬁcation. One of the bugs revealed during the veriﬁcation was a race condition involving
the coincidence of four special cases at the same time: If (a) a process issued an IPC call,
(b) the IPC partner was not yet waiting, and in the same processor cycle, (c) the timer
interrupt was raised, and (d) the timeslice of the process was used up, then, the process was
erroneously re-added to the ready queue.
In conclusion, we point out that there is a fundamental difference between our pervasive
approach and the idea of an incremental veriﬁcation focusing at one layer at a time. In
the course of our work, we detected several ﬂaws in the kernel design, in its speciﬁcation,
and in its implementation. Most notably, we found the above mentioned ﬂaw in the CVM
layer during the veriﬁcation of the fairness property, which demonstrates that bugs are not
necessarily revealed during the veriﬁcation of a single layer. It has been crucial for our
success that we thought pervasive right from the beginning.
Furthermore, we experienced that pervasiveness entails more than just cumulative ver-
iﬁcation efforts on several (isolated) layers. In fact, it was a challenging task to integrate
models and proofs into a uniform, coherent theory. The effort for the actual fairness proof
on the abstract level is a small fraction (about ten person months) compared to the whole
veriﬁcation effort establishing its foundation, the abstract kernel model (more than two per-
son years for VAMOS excluding CVM). Besides that, there was a considerable effort for the
management of change throughout the different abstraction layers. Apart from the neces-
sary effort, however, we are conﬁdent that our methodology can be adapted and reapplied in
similar contexts.
The formal veriﬁcation work of this paper is complete with the exception of the con-
tracts for the CVM operations, which have been shown by Tsyban et al. [27,48,49] but on
a substantially lower abstraction level than the form used in this paper. The missing link is
a transfer lemma similar to the one shown by Alkassar et al. [4]. Moreover, for some of the
kernel subroutines, the implementation correctness has not yet been shown.
8.1 Related Work
The Kit Project [8,9,36] can only be referred as groundbreaking to the area of pervasive
operating-system veriﬁcation. The main difference to more recent veriﬁcation attempts of
“real software” is that it relies on a LISP execution model that is nowadays considered
fairly abstract. Moreover, the corner stone theorem of this work is on memory separation of
processes.
Since then, a number of smaller and larger operating system veriﬁcation projects have
been started. In the former category fall projects like the FLINT project [38], the MASK
project, the AAMP7 project, the EMBEDDED DEVICE project and EROS/Coyotos [46], for
all of which we refer the interested reader to the excellent and comprehensive overview by
Klein [29].32
Larger veriﬁcation projects currently aim at the complete code-level veriﬁcation of the
following operating system kernels:
PikeOS kernel [28]. This 6,000 loc L4-derivative is part of a commercial product available
for Intel’s x86, PowerPC, and ARM. At the time of writing, the veriﬁcation just started
as part of the Verisoft XT project. The proofs are carried out by the VCC veriﬁcation
environment (a descendant of the Spec# program-veriﬁcation environment of Microsoft
Research), which uses a trusted tool chain comprising the C translator VCC, the veriﬁca-
tion condition generator Boogie, and the automated theorem prover Z3. The supported C
fragment is a large fragment of ANSI C. It is too early to make estimates on the portion
of veriﬁed code.
seL4 [25]. The 10,000 loc kernel is at the brink of becoming a commercial product and
based on the ARM11 platform. The veriﬁcation project L4.veriﬁed links a “Formal
Low-Level Design” (i.e., a model mechanically derived from a Haskell Prototype) to the
efﬁcient C implementation. At the time of writing, this effort is claimed to be to 70%
complete. The approach uses a trusted compiler to the veriﬁed Isabelle/Simpl frame-
work. The supported C fragment is a large fragment of ANSI C.
HYPER-V [43]. The 50,000 loc kernel is part of a commercial virtualization environment
based on Intel’s x86 (plus additional hardware for MMU virtualization). The veriﬁcation
is realized by the VCC veriﬁcation environment (see above); proofs are performed by
Z3 and Isabelle/HOL-Boogie [11] using the axiomatization of the VCC memory model
as foundation. The supported C fragment is a large fragment of ANSI C. While the 30
person year project is well under way, is too early to make estimates on the portion of
veriﬁed code.
Summing up, we have to state a trade-off between the code size, the supported C fragment,
the complexity of the underlying machine model, and the trustworthiness of the logical
foundations of the used tool chain. With respect to the latter, the L4.veriﬁed approach comes
closest to our work. Still, the approach requires trust on the abstraction of the architecture
(whose informal description comprises about 800 pages of natural text) into a C execution
model and its compilation into Isabelle/Simpl: this is not exactly easy to swallow for the
skeptic and the paranoid. The VCC technology [15] demands an even higher level of trust:
The current VCC version uses an architecture-dependent axiomatization of the execution
model consisting of about 200 axioms, which introduce some rather abstract concepts like
concurrency and ownership of references. Though critical subproblems of the foundation
are tackled by informal as well as formal proof methods, the integration into a uniform
foundational theory is signiﬁcantly less prioritized.
Inthisrespect,theVerisoftXTapproachisfundamentallypost-hoc;toolchains,method-
ologies etc. are driven by the need to deal with the existing code that can only be changed
if errors have been revealed. In contrast, we based our work on a model stack covering the
processor architecture formally, consequently we wrote our code in a restricted C subset and
developed our kernel implementation with foresight to our tool chain. While the post-hoc
approach has the advantage to complement the conventional development workﬂow and to
focus the veriﬁcation efforts on well-established code, we maintain that our methodology in
adapting all three — speciﬁcations, tools, implementations — to each other can be pursued
with a substantially higher effectivity and with a cleaner semantic foundation.
With respect to the proof architecture — separating a reﬁnement proof relating abstract
and concrete system steps from a proof establishing behavioral properties on the abstract
level — our work is rather typical: Cock et al. [14] have applied this architecture to estab-
lish security properties (e.g., termination of the kernel calls and well-typedness of kernel33
objects) on the behavioral level over an abstraction of the L4 Microkernel. The range of ab-
straction levels and the involved models resembles our work; the target property, however, is
from a completely different domain. Another application of the architecture is the DARMA
case study [7], where a client-server system for the digital signature of critical documents
is proven to establish a number of high-level security properties (e.g., no client will ever
get a digital signature without having a valid session with the server). Again this work is
different in that it targets a temporal top-level property stemming from the security domain;
in contrast to our work, however, the abstraction level of the “concrete level” in DARMA is
fairly coarse.
8.2 Future Work
We foresee various possible extensions of our work with widely varying realization efforts.
An apparent and less expensive extension is a detailed analysis of the effective runtime costs
for the bookkeeping of process switches between timer interrupts. An accompanying study
on the possible consequences of priority inversion for the programming model of prioritized
processes would permit a well-balanced choice for either a simpler programming model at
additional runtime IPC costs or the current, faster solution.
Certainly, additional microkernel features could extend our work. As an example, we
could introduce multi-threading generalizing the multi-processing of VAMOS. This feature
amounts to sharable address spaces (possibly including user-level paging) and is primarily
anextension ofthe CVM framework.We assumeonlyasmall impactonthe codeveriﬁcation
because VAMOS alters processes only via CVM primitives. Certainly, the progress predicate
needs to be adjusted but we do not foresee any complications because the progress of a
process necessarily implies altered registers, not only memory changes.
A similar extension is the mapping of device addresses directly into user memory. This
change would abandon the kernel calls DEV READ and DEV WRITE for device communica-
tion, and thus substantially improve the system performance by reducing both, the size of the
kernel and the frequency of kernel calls. Despite these beneﬁts, we complicate the abstract
kernel model with respect to device communication because we need a more sophisticated
detection of device accesses. For that reason, we did not implement this optimization right
from the beginning. From our experience today, however, we do not foresee substantial ob-
stacles in this change.
Following the last two arguments, we could even strive for the direct memory access
(DMA) by devices. Admittedly, this feature requires a more elaborate reorganization of
the abstract kernel models and prevents the clean isolation of processor and devices as we
currently maintain it for the fairness proof.
Another direction of further research is a port of the CVM framework to a mass-market
processor such as an embedded PowerPC core or to an optimizing compiler supporting a
larger subset of C. In contrast to additional microkernel features, this change would not
necessarily require changes to the implementation of VAMOS (apart from CVM). Provided
that the port maintains the same CVM speciﬁcation, we could hence draw on the current
proofs of code correctness and fairness.
Acknowledgements We thank Andrew Baumann, Sebastian Bogan, Christian Hennrich, Sarah Hoffmann,
and the anonymous reviewers during the publication process for reviewing, constructive criticism and helpful
suggestions, as well as Norbert Schirmer for taming Isabelle’s document-generation system.34
References
1. Alkassar, E., Hillebrand, M.A.: Formal functional veriﬁcation of device drivers. In: J. Woodcock,
N. Shankar (eds.) Veriﬁed Software: Theories, Tools, and Experiments, LNCS, vol. 5295, pp. 225–239.
Springer (2008)
2. Alkassar, E., Hillebrand, M.A., Leinenbach, D., Schirmer, N.W., Starostin, A.: The Verisoft approach
to systems veriﬁcation. In: N. Shankar, J. Woodcock (eds.) Veriﬁed Software: Theories, Tools, and
Experiments, LNCS, vol. 5295, pp. 209–224. Springer (2008)
3. Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing
the load – leveraging a semantics stack for systems veriﬁcation. J. Autom. Reasoning, Special Issue on
Operating System Veriﬁcation (2009). To appear in this volume.
4. Alkassar, E., Schirmer, N., Starostin, A.: Formal pervasive veriﬁcation of a paging mechanism. In:
TACAS, LNCS, vol. 4963, pp. 109–123. Springer (2008)
5. Andrews, P.B.: An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof.
Kluwer Academic Publishers (2002)
6. Barnett, M., Chang, B.Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: A modular reusable veriﬁer
for object-oriented programs. In: F.S. de Boer, M.M. Bonsangue, S. Graf, W.P. de Roever (eds.) Formal
Methods for Components and Objects: 4th International Symposium, FMCO 2005, LNCS, vol. 4111, pp.
364–387. Springer (2006)
7. Basin, D.A., Kuruma, H., Miyazaki, K., Takaragi, K., Wolff, B.: Verifying a signature architecture: a
comparative case study. Formal Asp. Comput. 19(1), 63–91 (2007)
8. Bevier, W.R.: Kit and the short stack. J. Autom. Reasoning 5(4), 519–530 (1989)
9. Bevier, W.R., Hunt, Jr., W.A., Moore, J.S., Young, W.D.: An approach to systems veriﬁcation. J. Autom.
Reasoning 5(4), 411–428 (1989)
10. Beyer, S., Jacobi, C., Kr¨ oning, D., Leinenbach, D., Paul, W.J.: Putting it all together: Formal veriﬁcation
of the VAMP. STTT 8(4-5), 411–430 (2006)
11. B¨ ohme, S., Leino, K.R.M., Wolff, B.: HOL-Boogie - an interactive prover for the Boogie program-
veriﬁer. In: O.A. Mohamed, C. Mu˜ noz, S. Tahar (eds.) TPHOLs, LNCS, vol. 5170, pp. 150–166. Springer
(2008)
12. Brock,B.,Kaufmann,M.,Moore,J.S.:ACL2theoremsaboutcommercialmicroprocessors. In:FMCAD,
pp. 275–293 (1996)
13. Church, A.: A formulation of the simple theory of types. J. Symb. Log. 5(2), 56–68 (1940)
14. Cock, D., Klein, G., Sewell, T.: Secure microkernels, state monads and scalable reﬁnement. In: O.A.
Mohamed, C. Mu˜ noz, S. Tahar (eds.) TPHOLs, LNCS, vol. 5170, pp. 167–182. Springer (2008)
15. Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efﬁcient memory model for C (2008).
Availabe via http://research.microsoft.com/apps/pubs/default.aspx?id=77174
16. Daum, M., D¨ orrenb¨ acher, J., Wolff, B., Schmidt, M.: A veriﬁcation approach for system-level concurrent
programs. In: J. Woodcock, N. Shankar (eds.) Veriﬁed Software: Theories, Tools, and Experiments,
LNCS, vol. 5295, pp. 161–176. Springer (2008)
17. Elphinstone, K., Greenaway, D., Ruocco, S.: Lazy scheduling and direct process switch – merit or
myths? In: Workshop on Operating System Platforms for Embedded Real-Time Applications. Pisa, Italy
(2007). Availabe at http://www.ertos.nicta.com.au/publications/papers/Elphinstone
GR 07.pdf
18. Engler, D.R., Kaashoek, M.F., O’Toole, J.: Exokernel: An operating system architecture for application-
level resource management. In: SOSP, pp. 251–266. ACM (1995)
19. Fagin, R., Williams, J.H.: A fair carpool scheduling algorithm. IBM Journal of Research and Develop-
ment 27(2), 133–139 (1983)
20. Filliˆ atre, J.C., March´ e, C.: The Why/Krakatoa/Caduceus platform for deductive program veriﬁcation. In:
CAV, pp. 173–177 (2007)
21. Fleisch, B.D., Co, M.A.A.: Workplace microkernel and OS: a case study. Softw. Pract. Exper. 28(6),
569–591 (1998)
22. Fox, A.C.J.: Formal speciﬁcation and veriﬁcation of ARM6. In: TPHOLs, pp. 25–40 (2003)
23. Francez, N.: Fairness. Springer (1986)
24. Heckmann, R., Ferdinand, C.: Worst-case execution time prediction by static program analysis. White
paper, AbsInt Angewandte Informatik GmbH (2004). Availabe via http://www.absint.com/wcet.
htm
25. Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems:
taking microkernels to the next level. Operating Systems Review 41(4), 3–11 (2007)
26. Hillebrand, M.A., Paul, W.J.: On the architecture of system veriﬁcation environments. In: Haifa Veriﬁ-
cation Conference, pp. 153–168. Springer (2007)35
27. In der Rieden, T., Tsyban, A.: CVM – a veriﬁed framework for microkernel programmers. In: Systems
Software Veriﬁcation, ENTCS, vol. 217, pp. 151–168. Elsevier Science B.V. (2008)
28. Kaiser, R.: Combining partitioning and virtualization for safety-critical systems. White Paper
WP CPV 10 A4 R10, SYSGO AG (2007). Availabe via http://www.sysgo.com/news-events/
whitepapers/
29. Klein,G.:Operatingsystemveriﬁcation—anoverview. Tech.Rep.NRL-955,NICTA,Sydney,Australia
(2008)
30. Knapp, S., Paul, W.: Realistic worst case execution time analysis in the context of pervasive system
veriﬁcation. In: T. Reps, M. Sagiv, J. Bauer (eds.) Program Analysis and Compilation, Theory and
Practice: Essays Dedicated to Reinhard Wilhelm on the Occasion of His 60th Birthday, Lecture Notes in
Computer Science, vol. 4444, pp. 53–81. Springer (2007). URL http://www.verisoft.de/.rsrc/
PublikationSeite/KP06.pdf
31. Leinenbach, D.: Compiler veriﬁcation in the context of pervasive system veriﬁcation. Ph.D. thesis,
Saarland University, Saarbrcken (2008). URL http://www-wjp.cs.uni-sb.de/publikationen/
Lei08.pdf
32. Leinenbach, D., Paul, W.J., Petrova, E.: Towards the formal veriﬁcation of a C0 compiler: Code genera-
tion and implementation correctness. In: SEFM, pp. 2–12. IEEE Computer Society (2005)
33. Liedtke, J.: Improving IPC by kernel design. In: SOSP, pp. 175–188. ACM (1993)
34. Liedtke, J.: On µ-kernel construction. In: SOSP, pp. 237–250. ACM (1995)
35. Liedtke, J.: Towards real microkernels. Commun. ACM 39(9), 70–77 (1996)
36. Moore, J.S.: A grand challenge proposal for formal methods: A veriﬁed stack. In: 10th Anniversary
Colloquium of UNU/IIST, pp. 161–172. Springer (2002)
37. Moore, J.S., Lynch, T.W., Kaufmann, M.: A mechanically checked proof of the AMD5K86TM ﬂoating
point division program. IEEE Trans. Computers 47(9), 913–926 (1998)
38. Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code: Machine context management.
In: TPHOLs, LNCS, vol. 4732, pp. 189–206. Springer (2007)
39. Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assistant for Higher-Order Logic, LNCS,
vol. 2283. Springer (2002)
40. Petters,S.M.,Zadarnowski,P.,Heiser,G.:Measurementsorstaticanalysisorboth? In:C.Rochange(ed.)
WCET, Dagstuhl Seminar Proceedings, vol. 07002. Internationales Begegnungs- und Forschungszen-
trum f¨ ur Informatik (IBFI), Schloss Dagstuhl, Germany (2007)
41. Rashid, R., Avadis Tevanin, J., Young, M., Golub, D., Baron, R.: Machine-independent virtual memory
management for paged uniprocessor and multiprocessor architectures. IEEE Trans. Comput. 37(8), 896–
908 (1988)
42. Ruocco, S.: Real-time programming and L4 microkernels. In: Workshop on Operating System Platforms
for Embedded Real-Time Applications. Dresden, Germany (2006). Availabe at http://www.ertos.
nicta.com.au/publications/papers/Ruocco 06.pdf
43. Samman, T.: Verifying 50,000 lines of C code. Futures, Microsoft’s European Innovation Magazine (21)
(2008)
44. Schirmer, N.: A veriﬁcation environment for sequential imperative programs in Isabelle/HOL. In:
LPAR, LNCS, pp. 398–414. Springer (2005). URL http://isabelle.in.tum.de/∼schirmer/
pub/hoare-lpar04.html
45. Schirmer, N.: Veriﬁcation of sequential imperative programs in Isabelle/HOL. Ph.D. thesis, TU Munich
(2006)
46. Shapiro, J., Doerrie, M.S., Northup, E., Sridhar, S., Miller, M.: Towards a veriﬁed, general-purpose op-
erating system kernel. In: FM Workshop on OS Veriﬁcation, Tech. Rep. 0401005T-1, pp. 1–19. Na-
tional ICT Australia (2004). URL http://www.coyotos.org/docs/osverify-2004/osverify-
2004.pdf
47. Singal, M., Petters, S.M.: Issues in analysing L4 for its WCET. In: Workshop on Microkernels for
Embedded Systems. Sydney, Australia (2007). Availabe at http://www.ertos.nicta.com.au/
publications/papers/Singal Petters 07.pdf
48. Starostin, A., Tsyban, A.: Correct microkernel primitives. In: Systems Software Veriﬁcation, ENTCS,
vol. 217, pp. 169–185. Elsevier Science B.V. (2008)
49. Starostin, A., Tsyban, A.: Veriﬁed process-context switch for C-programmed kernels. In: N. Shankar,
J. Woodcock (eds.) Veriﬁed Software: Theories, Tools, and Experiments, LNCS, vol. 5295, pp. 240–254.
Springer (2008)