Formal specification and verification of a microkernel by Dörrenbächer, Jan
Formal Specification and
Verification of a Microkernel
U
N I
V E R S IT A S
S
A R A V I E N
S I
S
Dissertation
zur Erlangung des Grades
des Doktors der Ingenieurwissenschaften (Dr.-Ing.)
der Naturwissenschaftlich-Technischen Fakulta¨ten
der Universita¨t des Saarlandes
Jan Do¨rrenba¨cher
jandb@wjpserver.cs.uni-saarland.de
Saarbru¨cken, November 2010
Tag des Kolloquiums: 23.11.2010
Dekan: Prof. Dr. Holger Hermanns
Vorsitzender des Pru¨fungsausschusses: Prof. Dr.-Ing. Philipp Slusallek
1. Berichterstatter: Prof. Dr. Wolfgang J. Paul
2. Berichterstatter: Prof. Dr. Bernhard Beckert
3. Berichterstatter: PD Dr. Werner Stephan
akademischer Mitarbeiter: Dr. Eyad Alkassar
Eidesstattliche Versicherung
Hiermit versichere ich an Eides statt, dass ich die vorliegende Arbeit selbst-
sta¨ndig und ohne Benutzung anderer als der angegebenen Hilfsmittel ange-
fertigt habe. Die aus anderen Quellen oder indirekt u¨bernommenen Daten
und Konzepte sind unter Angabe der Quelle gekennzeichnet. Die Arbeit
wurde bisher weder im In- noch im Ausland in gleicher oder a¨hnlicher Form
in einem Verfahren zur Erlangung eines akademischen Grades vorgelegt.
Saarbru¨cken, November 2010

Danksagung
Ich mo¨chte mich an dieser Stelle bei allen bedanken, die zum Gelingen dieser
Arbeit beigetragen haben.
An erster Stelle gilt dieser Dank meiner Familie, deren Unterstu¨tzung
ich mir immer sicher sein konnte und die mir stets mit Rat und Tat zur
Seite stand.
Herrn Prof. Wolfgang Paul danke ich fu¨r die Mo¨glichkeit zur Promotion
und fu¨r die wissenschaftliche Betreuung der Arbeit.
Ein großer Dank geht an meine Kollegen fu¨r die interessanten und frucht-
baren, manchmal aber auch anstrengenden Diskussionen, die zum Gelingen
dieser Arbeit von unscha¨tzbarem Wert waren. Im Besonderen Eyad Alkas-
sar, Sebastian Bogan, Matthias Daum, Mark Hillebrand, Norbert Schirmer
und Burkhardt Wolff. Insgesamt mo¨chte ich mich bei allen Mitarbeitern am
Lehrstuhl Paul fu¨r die gute Arbeits- und Feierabendatmospha¨re bedanken.
Nicht zuletzt mo¨chte ich mich bei meinen Freunden bedanken, die mich
nicht nur tatkra¨ftig unterstu¨tzt haben, sondern mich stets aufbauten und
fu¨r die erforderliche Abwechslung sorgten.
Diese Arbeit wurde teilweise im Rahmen des Verisoft Projekts vom Bun-
desministerium fu¨r Bildung und Forschung (BMBF) unter dem Fo¨rderkenn-
zeichen 01 IS C38 gefo¨rdert.
This work has been partially funded by the German Federal Ministry of
Education and Research (BMBF) in the framework of the Verisoft project
under grant 01 IS C38.

Abstract
This thesis basically splits up into two parts. The first part introduces the
abstract model of the Vamos kernel. The Vamos kernel provides the infras-
tructure for process and memory management, priority-based round-robin
scheduling, communication with external devices, as well as inter-process
communication. In the second part, we formulate a simulation theorem be-
tween the abstract Vamos model and the concrete Vamos implementation.
The crucial points of the theorem are, on the one hand, the abstraction
relation connecting the datastructures of the implementation with those of
the model and, on the other hand, the implementation invariant formulating
validity statements on the datastructures. Besides the exact formal defini-
tions of the abstraction relation and the implementation invariant, we prove
substantial parts of the simulation theorem.
This work is part of the Verisoft project which aims at the pervasive
formal verification of computer systems. For the modelling and the ver-
ification of the Vamos kernel this entails the integration of various com-
putational models, for instance, Communicating Virtual Machines (Cvm)
encapsulating the hardware-specific low-level functionality, and devices.
The models and proofs presented in this thesis are formalized in the
uniform logical framework of the interactive theorem prover Isabelle/HOL,
and hence, it is rigorously checked that all verification results fit together.
Zusammenfassung
Die vorliegende Arbeit teilt sich im Wesentlichen in zwei Teile auf. Im
ersten Teil wird das abstrakte Modell des Vamos-Kernels vorgestellt. Der
Vamos-Kernel liefert die Infrastruktur fu¨r Prozess- und Speicherverwaltung,
priorita¨ts-basiertes Round-Robin-Scheduling, Kommunikation mit externen
Gera¨ten, sowie Interprozesskommunikation. Im zweiten Teil der Arbeit
formulieren wir ein Simulationstheorem zwischen dem abstrakten Vamos-
Modell und der konkreten Vamos-Implementierung. Kernpunkte dieses
Theorems sind zum einen die Abstraktionsrelation, die die Datenstrukturen
der Implementierung mit denen des Modells in Beziehung setzt und zum
anderen die Implementierungsinvariante, die Gu¨ltigkeitsaussagen u¨ber die
Datenstrukturen trifft. Neben den exakten Definitionen der Abstraktionsre-
lation und der Implementierungsinvariante, werden wesentliche Teile dieses
Simulationstheorems bewiesen.
Die Arbeit wurde im Rahmen des Verisoft Projekts angefertigt, das die
durchga¨ngige formale Verifikation von Computersystemen zum Ziel hat. Fu¨r
die Modellierung und Verifikation des Vamos-Kernels hat dies zur Folge,
dass diverse Berechnungsmodelle integriert werden mu¨ssen, unter anderem
das Gera¨temodell und Communicating Virtual Machines (Cvm), das die
hardwarespezifische und systemnahe Funktionalita¨t kapselt.
Alle Modelle und Beweise, die in dieser Arbeit vorgestellt werden, sind
in dem interaktiven Theorembeweiser Isabelle/HOL formalisiert worden,
womit sichergestellt ist, dass alle Ergebnisse der Verifikation zusammen-
passen.
Ausfu¨hrliche Zusammenfassung
Die zunehmende Komplexita¨t und Vernetzung heutiger Computersysteme
stellt immer ho¨here Anforderungen an die Verla¨sslichkeit und Fehlerfreiheit
der Systeme und ihrer Komponenten. Der sicherste Ansatz, um schon beim
Systementwurf konzeptionelle und menschliche Unzula¨nglichkeiten auszu-
merzen, stellt die durchga¨ngige formale Verifikation dar.
Das Verisoft Projekt, in dessen Rahmen diese Arbeit entstanden ist, ver-
folgt genau diesen Ansatz. Zu diesem Zweck wird jede einzelne Schicht des
betrachteten Systems durch ein mathematisches Modell beschrieben. Durch
sogenannte Simulationsbeweise wird bewiesen, dass die jeweiligen Schich-
ten tatsa¨chlich diesen Modellen genu¨gen. Durchga¨ngigkeit bedeutet, dass
zum Schluss eine Korrektheitsaussage u¨ber das Gesamtsystem steht, die al-
le Schichten einbezieht, wobei Annahmen in ho¨heren Schichten durch die
darunterliegenden entlastet werden. Dadurch, dass alle Beweise durch einen
Computer u¨berpru¨ft werden, sprechen wir von formaler Verifikation.
Betriebssysteme geho¨ren unzweifelhaft zu den essentiellen Komponenten
von Computersystemen und tragen somit wesentlich zur Verla¨sslichkeit der
Gesamtsysteme bei.
In dieser Arbeit beschreiben wir die Modellierung und formale Verifikati-
on des Betriebssystemkernels Vamos in einem durchga¨ngigen Kontext. Die
Funktionalita¨t des Vamos-Kernels umfasst Prozess- und Speicherverwal-
tung, priorita¨ts-basiertes Round-Robin-Scheduling, Kommunikation mit ex-
ternen Gera¨ten, sowie Interprozesskommunikation. Ein mathematisches Mo-
dell liefert die Spezifikation des Kernels. Dass die Vamos-Implementierung
tatsa¨chlich diesem Modell genu¨gt wird duch einen Simulationsbeweis ge-
zeigt. Um die Datenstrukturen der Implementierung mit denen des Modells
in Beziehung zu setzen, definieren wir eine Abstraktionsrelation. Deswei-
teren definieren eine Implementierungsinvariante, die Gu¨ltigkeitsaussagen
u¨ber die Datenstrukturen trifft. Basierend darauf werden wesentliche Teile
des Simulationstheorems bewiesen.
Die Tatsache, dass das Vamos-Modell eine gu¨ltige Spezifikation des Va-
mos-Kernels darstellt, liefert die Grundlage dafu¨r, dass das Modell verla¨sslich
in ho¨heren Schichten benutzt werden kann. So werden zum Beispiel Defini-
tionen des Vamos-Modells direkt von Bogan [15] benutzt, um ein einfaches
Betriebssystem zu spezifizieren. Desweiteren wird in [25] der Beweis er-
bracht, dass der Vamos Scheduler fair ist.
Zusammengefasst umfasst die Arbeit drei Teile. Im ersten Teil beschrei-
ben wir allgemein den Ansatz zur durchga¨ngigen formalen Verifikation im
Verisoft Projekt. Desweiteren fu¨hren wir die Berechnungsmodelle ein, die in
das Vamos-Modell integriert werden. Unter anderem ein generisches Modell
fu¨r externe Gera¨te und Communicating Virtual Machines (Cvm), das die
hardwarespezifische und systemnahe Funktionalita¨t kapselt.
Im zweiten Teil definieren wir das Vamos-Modell als U¨bergangssystem,
das die Basis fu¨r den Simulationsbeweis darstellt, mit dem wir uns im dritten
Teil dieser Arbeit bescha¨ftigen.
Alle Modelle und Beweise, die in dieser Arbeit vorgestellt werden, sind in
dem interaktiven Theorembeweiser Isabelle/HOL formalisiert worden, wo-
mit sichergestellt ist, dass alle Ergebnisse der Verifikation zusammenpassen.
Contents
1 Introduction 19
1.1 Document Outline . . . . . . . . . . . . . . . . . . . . . . . . 20
1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.3 Motivation and Contribution . . . . . . . . . . . . . . . . . . 25
1.4 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2 Background 29
2.1 The Academic System: Software Stack . . . . . . . . . . . . . 30
2.2 The Academic System: Semantic Stack . . . . . . . . . . . . 31
2.2.1 The Language C0 . . . . . . . . . . . . . . . . . . . . 32
2.2.2 The Vamp Assembly Language . . . . . . . . . . . . . 33
2.2.3 Isabelle/Simpl - A Verification Environment for C0 . . 35
2.3 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.4 Communicating Virtual Machines . . . . . . . . . . . . . . . . 39
2.4.1 Cvm State . . . . . . . . . . . . . . . . . . . . . . . . 40
2.4.2 Cvm Transitions . . . . . . . . . . . . . . . . . . . . . 41
2.4.3 Cvm Primitives . . . . . . . . . . . . . . . . . . . . . . 42
2.4.4 Cvm in Isabelle/Simpl . . . . . . . . . . . . . . . . . . 42
2.5 Vamos Microkernel: Design and Implementation . . . . . . . 43
2.5.1 Vamos Functionality . . . . . . . . . . . . . . . . . . . 45
2.5.2 Vamos in Isabelle/Simpl . . . . . . . . . . . . . . . . 50
3 The Abstract System Layer 57
3.1 The Overall System - A Bird’s Eye View . . . . . . . . . . . . 57
3.2 Abstract Types . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.3 The Vamp Assembly Process Model . . . . . . . . . . . . . . 61
3.3.1 Process Initialization . . . . . . . . . . . . . . . . . . . 62
3.3.2 Process Interface . . . . . . . . . . . . . . . . . . . . . 62
3.3.3 Output Functions . . . . . . . . . . . . . . . . . . . . 65
3.3.4 Process Transitions . . . . . . . . . . . . . . . . . . . . 69
11
4 The Vamos Model 73
4.1 The Vamos State Space . . . . . . . . . . . . . . . . . . . . . 73
4.1.1 Virtual User Machines . . . . . . . . . . . . . . . . . . 74
4.1.2 Priorities . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.1.3 Scheduling Data Structures . . . . . . . . . . . . . . . 75
4.1.4 Rights Datastructures . . . . . . . . . . . . . . . . . . 77
4.1.5 Send Status Database . . . . . . . . . . . . . . . . . . 78
4.1.6 Device Data Structures . . . . . . . . . . . . . . . . . 79
4.1.7 Initial Vamos States . . . . . . . . . . . . . . . . . . . 79
4.2 The Output Function . . . . . . . . . . . . . . . . . . . . . . 81
4.3 The Transition Function . . . . . . . . . . . . . . . . . . . . . 82
4.4 Vamos Trap Handler . . . . . . . . . . . . . . . . . . . . . . . 82
4.4.1 Access Control . . . . . . . . . . . . . . . . . . . . . . 84
4.4.2 Memory Management . . . . . . . . . . . . . . . . . . 85
4.4.3 Process Management . . . . . . . . . . . . . . . . . . . 90
4.4.4 Scheduling Mechanism . . . . . . . . . . . . . . . . . . 100
4.4.5 Device Driver Support . . . . . . . . . . . . . . . . . . 101
4.4.6 Inter-Process Communication . . . . . . . . . . . . . . 105
4.4.7 Read Kernel Information . . . . . . . . . . . . . . . . 128
4.5 Vamos Scheduler . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.6 Vamos Interrupt Delivery . . . . . . . . . . . . . . . . . . . . 131
5 Vamos Correctness 133
5.1 Data Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.1.1 Abstracting the User Processes . . . . . . . . . . . . . 135
5.1.2 Abstracting the Scheduling Datastructures . . . . . . 136
5.1.3 Abstracting the Priorities . . . . . . . . . . . . . . . . 137
5.1.4 Abstracting the Send Status Database . . . . . . . . . 138
5.1.5 Abstracting the Rights Datastructures . . . . . . . . . 138
5.1.6 Abstracting the Device Datastructures . . . . . . . . . 141
5.1.7 The Vamos Abstraction Relation . . . . . . . . . . . . 142
5.2 Implementation Invariant . . . . . . . . . . . . . . . . . . . . 143
5.2.1 Value Bounds . . . . . . . . . . . . . . . . . . . . . . . 144
5.2.2 Validity and Consistency Requirements . . . . . . . . 144
5.2.3 Miscellaneous Requirements . . . . . . . . . . . . . . . 151
5.2.4 Summing Up . . . . . . . . . . . . . . . . . . . . . . . 156
5.3 The Simulation Theorem . . . . . . . . . . . . . . . . . . . . . 156
6 Implementation Correctness 159
6.1 Weakening the Abstraction Relation . . . . . . . . . . . . . . 161
6.2 Auxiliary Functions . . . . . . . . . . . . . . . . . . . . . . . 163
6.3 Correctness of the Timer-Interrupt Handler . . . . . . . . . . 165
6.3.1 Implementation Correctness of check elapsed timeouts 166
6.3.2 Implementation Correctness of handle timer . . . . . . 168
6.4 Correctness of the Trap Handler . . . . . . . . . . . . . . . . 169
6.4.1 Implementation Correctness of Function set privileges 170
6.4.2 Implementation Correctness of Function
process change scheduling param . . . . . . . . . . . . 172
6.4.3 Implementation Correctness of IPC . . . . . . . . . . . 174
6.4.4 Implementation Correctness of Function
dispatcher kernel call . . . . . . . . . . . . . . . . . . . 181
6.5 Correctness of the Vamos Top-level Function . . . . . . . . . 184
6.6 Correctness of a System Step . . . . . . . . . . . . . . . . . . 187
7 Conclusion 189
7.1 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
8 Appendix 193
8.1 Formal Specification of the Vamos Trap Dispatcher . . . . . 193
Bibliography 206

List of Figures
1.1 Kernel step refinement (simplified) . . . . . . . . . . . . . . . 26
2.1 System stack . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2 Semantic Stack . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.3 Simpl function system step, which represents a combined step
of Cvm and Vamos . . . . . . . . . . . . . . . . . . . . . . . 44
2.4 The kernel-dispatcher function of Vamos . . . . . . . . . . . 55
3.1 The input/output automata of the abstract system layer and
their relationship . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.1 Memory Management in the Overall System . . . . . . . . . . 85
5.1 Simulation between implementation and model . . . . . . . . 133
6.1 Call Graph of the Vamos Implementation . . . . . . . . . . . 160
6.2 Data abstraction in the case of trap handling . . . . . . . . . 161
6.3 Function handle timer . . . . . . . . . . . . . . . . . . . . . . 167
15

List of Tables
2.1 Application binary interface of the Vamos kernel . . . . . . . 46
2.2 General Datastructures in Vamos . . . . . . . . . . . . . . . 51
2.3 Process-specific Data in Vamos . . . . . . . . . . . . . . . . . 53
17

Chapter 1
Introduction
Contents
1.1 Document Outline . . . . . . . . . . . . . . . . . . 20
1.2 Related Work . . . . . . . . . . . . . . . . . . . . . 21
1.3 Motivation and Contribution . . . . . . . . . . . 25
1.4 Preliminaries . . . . . . . . . . . . . . . . . . . . . 27
Without a doubt, there is a steadily growing impact of computers on
our daily life. A couple decades ago, only a few people – mostly for profes-
sional reasons – were confronted with the phenomenon “computer”. That
has certainly changed. Meanwhile, while driving a car various programs –
from the entertainment system to the airbag control – assist us and usu-
ally ensure that we reach our destination safely. We use computers for
banking transactions and the state-of-the-art-technology already deals with
computers assisting physicians during difficult surgeries. Even the leisure
sector observes an increasing entry of technology. It seems that nowadays
nearly nobody is able to ride a bike without tracking the route by GPS or
run without listening to music. Not to mention that the thereby achieved
performances are immediately shared with the rest of the world via social
networks like Facebook.
A reason for the triumphal procession of these new technologies is that
– most of the time – they ease our lives and work properly. And when
sometimes things go wrong, this is annoying, but usually no severe or even
live-threatening consequences are entailed.
However, there are definitely computer systems where malfunctions could
result in dramatic consequences. One just has to think of systems flying air-
planes, controling nuclear power plants or pacemakers dictating the beat
of human hearts. Thanks to outstanding engineering skills, until now, we
remained widely spared from any severe scenarios. Nevertheless, it is no
longer a rarity that the media reports on flaws in computer systems with
19
20 1. Introduction
far-reaching consequences. At the beginning of the year 2010, for instance,
nearly 30 million bank customers in Germany were incapable of withdraw-
ing money at cash points. The reason for that could be traced back to a
programming error in a security chip on the bank cards. Another software
bug was recently reported in conjunction with the acceleration mechanism
in vehicles of Toyota’s model Prius. Such occurrences certainly scratch on
the image of the companies concerned, without mentioning the financial
drawbacks.
There is some indication that such reports will accumulate in the future.
That is not because the system engineers today are worse than in the past
or became lazy in testing their systems. The reason is simply founded in the
increasing complexity of such systems which makes it more and more difficult
for human beings to keep the overview. Furthermore, the new technologies
reach out into new areas. A few years ago it would have been unthinkable
that computers assist in medical surgeries or computer-controlled robots
even accomplish them. Today we accept computer-assisted surgical planning
as normal.
If, however, such a system fails, severe consequences are possible. There-
fore, it is expected that the demand for truly robust, safe, and secure systems
will constantly grow in the next years. In order to achieve this, a detailed
and profound analysis of such computer systems is required. Previous ap-
proaches to satisfy the desire for reliable systems often focused on exhaustive
testing of the systems. However, only limited reliability can be achieved this
way, because testing never proves the absence of errors and often relies on
assumptions on other system components (e. g., underlying system software)
which may behave differently than expected.
A different approach constitutes the pervasively formalization and veri-
fication of computer systems. In [55], J. S. Moore, principal researcher of
the CLI stack project [12], declares the formal verification of a “practical
computing system” as a grand challenge problem.
The Verisoft projects exactly tackles this problem and aims at the per-
vasive modeling, implementation, and verification of a complete computer
system reaching from gate-level hardware to applications running on top of
an operating system. Certainly, a corner stone of this system is the micro-
kernel constituting the interface between the hardware and the operating
system.
In this thesis, we describe the modeling and verification of the microker-
nel in a pervasive context.
1.1 Document Outline
In the remainder of this chapter, we discuss related work and present the
motivation and contribution of this thesis. It concludes with some basic no-
1.2. Related Work 21
tation. Chapter 2 describes background information about the context and
prerequisites of this thesis. It introduces the languages C0 and assembly
which are used to implement the kernel and sketches the verification ap-
proach. Furthermore, it presents the computational models for the devices
and the communicating virtual machines (CVM). The chapter concludes
with an overview on the design and implementation of the Vamos kernel.
Chapter 3 gives a bird’s eye view on the abstract system layer, which is
concretized in Chapter 4 with the model of the Vamos kernel.
Chapter 5 states the Vamos correctness theorem and Chapter 6 deals
with the actual proofs.
We conclude in Chapter 7 with a summary and an outlook on future
work.
1.2 Related Work
Early attempts regarding the formal verification of operating system ker-
nels already took place in the 1970s and early 1980s. The Provably Secure
Operating System (Psos) comprised hardware and software and aimed at
a useful general purpose operating system with demonstrable security prop-
erties, as a retrospective report [58] from 2003 describes. Even if no code
proofs were undertaken, Psos introduced concepts for OS verification and
aimed at applying formal methods throughout the whole implementation of
the OS.
The verification of a kernel supporting threads, a capability-based access
control, virtual memory, and device accesses, was the aim of the UCLA
Secure Unix project [79]. It relied on the assumptions that the compiler and
the hardware work correct. They report that about 90% of the specifications
and 20% of the code proofs were completed.
The Kit kernel [11, 12, 55] is the first kernel that can be considered
as formally verified. However, it can only be referred as groundbreaking to
the area of pervasive operating-system verification. The main difference to
more recent verification attempts of “real software” is that it relies on a LISP
execution model that is nowadays considered fairly abstract. Moreover, the
corner stone theorem of this work is on memory separation of processes.
While they pioneered the field, none of the above projects comes up with
a realistic operating system kernel (written in an imperative language) with
full implementation proofs. The main reason for this were the missing or to a
large extend underdeveloped tool environments. It took until the early 2000s
to remedy this deplorable state of affairs, before projects again engaged in
increasing the confidence in system software by means of formal methods.
Various approaches cover only specific aspects of an operating system kernel
and apply formal methods to it. Though these approaches are promising,
they would not produce a formally verified operating system kernel. Thus,
22 1. Introduction
we do not consider them in the context of this thesis but rather concentrate
on the approaches examining complete kernels. Subsequently, we refer to
the most prominent projects. For the interested reader, we also recommend
the excellent and comprehensive overview by Klein [43].
Most of the projects deal with the verification of an operating system
kernel by following the single-layer approach. They apply formal methods
to the kernel layer with the aim to show, that this layer fulfills a certain
specification and (possibly) some properties. In contrast to the pervasive
approach (we are aiming at), the lower layers are considered as correct and
respective properties are assumed to hold. Additionally, while defining the
particular specifications, it is usually not ensured (at least not apparently)
how these specifications could be integrated or used in higher layers, for
instance, in order to specify an operating system.
An exponent of the single-layer approach is the Mask project [54] stand-
ing for mathematically analyzed separation kernel. It guarantees a separation
property that is provided by construction in the highest-level model, and by
multiple formal refinement proofs down to a low-level design, which is close
to an implementation. Code proofs, however, were not attempted.
The VFiasco project [39] aims at the verification of the microkernel
Fiasco implemented in a subset of C++. Besides model checking of basic
safety properties in Spin [31] for a strongly limited and simplified version of
Fiasco IPC, three properties concerning ready and waiting lists have been
verified in PVS [67]. However, this work is less than full code verification
since C++ code was transformed (only for this purpose) into PVS without
defining a formal semantics of the used C++ subset. Even some functions
were only described by their semantical effects, and hence the obtained
implementation model is rather a specification.
With Eros/Coyotos [70], Shapiro and Weber define a capability based
kernel system and prove certain security policies to hold. For the successor
project Coyotos, a complete formal specification of the microkernel and
the used programming language BitC has been finished. No formal proofs
have been reported yet.
Other projects, for instance, Embedded Device [37, 36], were successful
in the verification but did not reach down to the implementation level. In
the Flint project [60], an assembly code verification framework is developed
and code for context switching on a x86 machine was formally proven to be
correct. The presented code is in functionality and size very similar to
the process switch implemented in the Cvm, and also reported verification
efforts are comparable to those in Verisoft. Although a verification logic
for assembler code is presented, no integration of results into high level
programming languages has been undertaken yet.
Besides the verification of the Vamos kernel, the Verisoft project also
dealt with the correctness of the real-time operating system Olos. The
functional correctness of this tiny real-time operating system also relies on
1.2. Related Work 23
the Cvm layer and has completely been shown [29]. Compared to the Vamos
kernel, however, the complexity of Olos with only three rather low-level
system calls is much lower.
Further verification projects are L4.verified and Verisoft XT both
aiming at the complete code-level verification of operating system kernels.
L4.verified. L4.verified focuses on the seL4 kernel [35], which is based
on the ARM11 platform. It is a third generation microkernel of L4 prove-
nance and comprises 8,700 lines of C and 600 lines of assembly code. Relying
on [42, 44], the L4.verified project is providing a machine-checked proof
of the functional correctness of the seL4 microkernel with respect to a high
level, formal description of its expected behaviour.
The lowest level of the verification and of the refinement is a high-
performance C and ARM assembly implementation of the seL4 microkernel.
The next level up, the low-level design, is a detailed, executable specification
of the intended behaviour of the C implementation. This executable spec-
ification is derived automatically from a prototype of the kernel which was
written in the high-level, functional programming language Haskell. While
trying to avoid messy specifics of how data structures and code are optimized
in C, the executable specification still represents a pretty concrete view on
the kernel implementation. For instance, it still contains doubly-linked lists,
i. e., pointer structures. The highest refinement layer is the high-level de-
sign, an abstract, operational specification of the kernel. Usually, this is
accompanied with a high level of abstraction. It is reported, however, that
this layer precisely describes argument formats, encodings and error report-
ing. Thus, for instance, some of the C-level size restrictions become visible
on this level. On the other hand, the specification uses non-determinism in
order to avoid an explicit description of the system. For example, neither
a scheduling policy is defined at the abstract level nor the correctness of
the interrupt controller management is modeled in detail. The refinement
proofs are machine-checked in the interactive theorem prover Isabelle/HOL.
In [18, 30], they also defined an abstract access control model of seL4
that captures how capabilities (the kernel’s access control mechanism) are
distributed in the system and showed the isolation of security domains based
on this model. The access control model, however, is not formally connected
to the high-level design of seL4 which is used in the refinement proof.
Without doubt, the results of the L4.verified project are very promiss-
ing. However, the following issues have to be observed: Firstly, the approach
assumes the correctness of the C compiler, the assembly code, and the hard-
ware. Furthermore, in contrast to the Verisoft project, there is no obvious
technology to integrate and combine all these entities into one coherent the-
ory. Secondly, the abstraction level of the high-level design seems to be
comparatively low (which reduces the effort regarding the refinement proof)
24 1. Introduction
and unsuitable to show, for instance, properties of the access control mecha-
nism. Instead, these proofs rely on a (probably) more abstract model which
is not formally connected to the high-level design in the refinement proof.
Thirdly, the abstract models are not applied, in the sense that they are used
to specify an operating system, for instance.
Based on these issues, we define the scope of our work. The model of the
Vamos kernel presented in this work is completely integrated into a model
stack reaching from applications down to the hardware. Relying literally on
definitions of the lower layers, on the one hand, the Vamos model exports
definitions to higher layers, on the other hand. Bogan [15], for instance,
based his operating system model on Vamos and uses definitions from it
literally.
The seamless integration into the model stack is not the only remark-
able difference between the high-level design of seL4 and the Vamos model.
Similar as above, the Vamos model serves as basis for the functional cor-
rectness of the Vamos implementation. Thereby, the model establishes an
abstraction level that is high enough, such that it can be used to show a
pretty complex property of the Vamos kernel, namely the fairness of the
Vamos scheduler [25, 27].
Verisoft XT. The Verisoft XT project aims at the complete code-level
verification of the following operating system kernels:
PikeOS kernel [41]. This L4-derivate comprises 6,000 lines of code (loc)
and is part of a commercial product available for Intel’s x86, Pow-
erPC, and ARM. The proofs are carried out by the VCC verification
environment [21] (a descendant of the Spec# program-verification en-
vironment of Microsoft Research), which uses a trusted tool chain
comprising the automatic verifier for concurrent C code VCC, the ver-
ification condition generator Boogie [16, 17], and the automated theo-
rem prover Z3 [56]. The supported C fragment is a large fragment of
ANSI C.
Recent publications [8, 7] mainly introduce the tool chain and method-
ology. Apart from the verification of a simple system call which
changes the priority of a thread, there are no reports yet on the portion
of verified code.
Hyper-V [66]. The kernel comprises 100,000 lines of C and 5,000 lines of
assembly code and is part of a commercial virtualization environment.
The hypervisor turns a single real multi-processor x64 machine (with
AMD SVM or Intel VMX virtualization extensions) into a number
of virtual multi-processor x64 machines. The verification is realized
by the VCC verification environment (see above); the supported C
fragment is a large fragment of ANSI C. Recent publications [20, 22,
1.3. Motivation and Contribution 25
23] in this context mainly focus on the methodology of VCC and its
application.
Baby Hyper-V. Alkassar et al. [5], report on the successful verification of
the so-called baby hypervisor. In comparison to the Hyper-V, the
baby hypervisor and the architecture it virtualizes are very simple be-
cause it only includes the initialization of the guest partitions and a
simple shadow page table algorithm for memory virtualization. How-
ever, it played an important role of driving the development of the
VCC technology and applying it to system verification.
The VCC technology [22] demands a high level of trust: The current
VCC version uses an axiomatization of the execution model consisting of
various axioms, which introduce some rather abstract concepts like con-
currency and ownership of references. Though critical subproblems of the
foundation are tackled by informal as well as formal proof methods, the in-
tegration into a uniform foundational theory is significantly less prioritized.
In this respect, the tool chains, methodologies etc. are driven by the need
to deal with the existing code that can only be changed, if errors have been
revealed.
1.3 Motivation and Contribution
Summing up the last section, we can state that real system-code verification
represents a grand challenge. Current approaches – including ours – compro-
mise in one way or the other: the logical foundations are quite problematic,
the computer architectures are simpler than industrial-strength processors,
the code size is fairly small, or the underlying execution model of C and
assembly makes severe simplifications. In addition, we have to deal with
an ambiguous notion of functional correctness which mainly concerns the
abstract model, the functional correctness relies on. Thus, we have to be
aware of the following issues:
• is the abstract model confirmed by underlying models or is it based on
the informal understanding of the lower layers and respective proper-
ties
• which level of abstraction provides the model and which parts of the
concrete system are actually modeled
• is the model tailor-made to show a particular system property, or is
it able to serve as basis for higher layers, e. g., an operating system
model
Taking up these issues, the abstract model for the Vamos kernel, which
we present in this thesis, is completely integrated into a model stack reaching
26 1. Introduction
s
σ σ′
s′
Abs Abs
δ
system step
Figure 1.1: Kernel step refinement (simplified)
from applications down to the hardware (cf. Section 2.1). While defining
the model, we literally use definitions from the lower layers, for instance, in
order to describe visible parts of the processor. The abstraction level of the
Vamos model is so high, that it is possible to show a pretty complex prop-
erty of the Vamos kernel, namely the fairness of the scheduler [25, 27]. In
addition, Bogan [15] based his operating system model on Vamos and uses
definitions from it literally. The integration into the overall model stack cer-
tainly justifies the relevance of the Vamos model. This relevance, however,
will be further backed by a simulation proof establishing the relation be-
tween this abstract model and the concrete, fairly realistic implementation
of the Vamos kernel.
The availability of a hardware-processor model represents the founda-
tional layer of our work. This model describes, at gate level, the transi-
tions of the Risc processor Vamp. A small piece of software executed on
the Vamp, called Cvm, provides an abstract layer running concurrently a
system process as well as a number of user processes. The implemented
microkernel Vamos is executed as this system process. Its implementation
uses the C fragment C0, which can be translated into assembly code by
a verified compiler [49, 48]. Vamos provides a process scheduler, an in-
frastructure for communication with hardware devices, and message passing
between processes. All software layers are formally specified; simulation re-
lations correlate the adjacent layers such that eventually, all specification
layers can be mapped down to our hardware-processor model. The whole
model stack is formalized in the theorem prover Isabelle/HOL [61].
In more detail, Cvm and the Vamos implementation together realize an
abstract transition δ by an implementation function system step as shown
in Figure 1.1. The transition function δ represents the execution of a non-
empty portion of a user process including a possible process switch. The
simulation proof establishes that the implementation with its underlying
state σ indeed realizes the high-level state transition δ over the corresponding
abstract state s, where abstract and concrete states are linked via a formally
defined abstraction relation Abs.
To our knowledge, such a proof based on a model stack of this concrete
level of detail and with such a clean, seamless logical foundation has been
1.4. Preliminaries 27
undertaken for the first time.
1.4 Preliminaries
The formalizations presented in this thesis are mechanized and checked
within the generic interactive theorem prover Isabelle[62] 1. Isabelle is called
generic as it provides a framework to formalize various object logics that are
declared via natural deduction style inference rules within Isabelle’s meta-
logic Pure. The object logic that we employ for our formalization is the
higher order logic of Isabelle/HOL[61].
This thesis is written using Isabelle’s document generation facilities,
which guarantees that the presented theorems correspond to formally proven
ones. We distinguish formal entities typographically from other text. We
use a sans serif font for types and constants (including functions and pred-
icates), e. g., replicate, a slanted serif font for free variables, e. g., x, and
a slanted sans serif font for bound variables, e. g., x . Small capitals are
used for data type constructors, e. g., Foo. HOL keywords are typeset in
type-writer font, e. g., let.
As Isabelle’s inference kernel manipulates rules and theorems at the Pure
level the meta-logic becomes visible to the user and also in this article when
we present theorems and lemmas. The Pure logic itself is intuitionistic
higher order logic, where universal quantification is
∧
, implication is =⇒
and equality is ≡. Nested implications like P1 =⇒ P2 =⇒ P3 =⇒ C are
abbreviated with [[P1; P2; P3]] =⇒ C , where we refer to P1, P2, and P3 as
the premises and to C as the conclusion.
In the object logic HOL universal quantification is ∀, implication is −→
and equality is =. Isabelle/HOL provides a library of standard types like
Booleans, natural numbers, integers, total functions, pairs, lists, and sets
as well as packages to define new data types and records. We only present
them shortly in the following.
Functions. In HOL all functions are total. An unamed function can be
specified using the λ-operator, e. g., λx . x is the identiy function. In general,
we prefer curried functions over functions taking an n-tupel as argument,
e. g., f a b instead of f (a, b). Note that function application binds tighter
than any other operator, i. e., f i + g j means (f i) + (g j). Function update
is f (y := v) ≡ λx . if x = y then v else f x and function composition is
f ◦ g ≡ λx . f (g x). Partial functions are usually formalized in HOL with
an optional type. This type is a data type with two constructors, one to
inject values of the base type, e. g., bxc, and the additional element ⊥. With
dye, the original base value x can be obtained such that y = bxc. There
1For taming Isabelle’s powerful document-generation mechanism in general, and in
particular for the major part of this section, we are indebted to Schirmer et al. [69, 4]
28 1. Introduction
is no base value x iff y = ⊥. As HOL is a total logic the term d⊥e is still
a well-defined yet unspecified value. Partial functions can be represented
by the type ′a ⇒ ′b option, abbreviated as ′a ⇀ ′b. For an update of a
partial function, we write f (y 7→ x). For data types, we write the structural
case distinction over some value v as case v of ⊥ ⇒ g | bxc ⇒ f x . Some
data types might have many constructors, which are all treated in the same
fashion in a certain situation. In this situation, we may write case v of Foo
⇒ x | ⇒ y , which means value x, if v has the value Foo, and otherwise
value y .
Sets and Intervalls. Sets come along with the standard operations for
union, i. e., A ∪ B, intersection, i. e., A ∩ B and membership, i. e., x ∈ A.
The set image f ‘ A yields a new set by applying function f to every element
in set A.
We denote the intervall of the numbers a and b excluding the endpoints
by {a<..<b}, and including the endpoints by {a..b}. Furthermore, we write
a ≤ c < b to denote that a number c is in the interval {a..<b}.
Lists. The syntax and the operations for lists are similar to functional
programming languages like ML or Haskell. The empty list is [ ], with x ·
xs the element x is ‘consed’ to the list xs, the head of list xs is hd xs and
the remainder, its tail, is tl xs. With xs @ ys list ys is appended to list xs.
With map f xs the function f is applied to all elements in xs. The length of
a list is length xs, the n-th element of a list can be selected with xs ! n and
updated via xs[n := v ]. With set xs we obtain the set of elements in list xs.
Filtering those elements from a list for which predicate P holds is achieved
by [x∈xs . P x ]. Removing an element e from a list xs is also realized by
filtering, i. e., [x∈xs . x 6= e]. The function takeWhile P xs yields elements
from a list xs while a property P is true and then skips the remainder of
the sequence. The function dropWhile P xs removes elements from a list xs
while a property P is true and returns the remainder of the sequence. With
replicate n e we denote a list that consists of n elements e. The function
list sum xs sums up the elements of list xs.
Records and Tupels. A record is constructed by assigning all of its fields,
e. g., (|fld1 = v1, fld2 = v2|). Field fld1 of record r is selected by r.fld1 and
updated with a value x via r(|fld1 := x|).
The first and second component of a pair can be accessed with the func-
tions fst and snd. Tuples with more than two components are pairs nested
to the right.
Chapter 2
Background
Contents
2.1 The Academic System: Software Stack . . . . . 30
2.2 The Academic System: Semantic Stack . . . . . 31
2.3 Devices . . . . . . . . . . . . . . . . . . . . . . . . 38
2.4 Communicating Virtual Machines . . . . . . . . 39
2.5 Vamos Microkernel: Design and Implementation 43
The present work was done in the context of the German Verisoft project,
a large scale effort bringing together industrial and academic partners to
push the state of the art in formal verification for realistic computer systems,
comprising hard- and software. Our microkernel belongs to Verisoft’s so-
called Academic System (as opposed to systems in subprojects with partners
from industry), which is a distributed computer system for the exchange
and management of signed and encrypted e-mails. This computer system is
designed as part of an open network with a number of trusted computers.
While the system is open to receive e-mails from arbitrary computers in
the network, each trusted computer uses identical hardware and the same
operating-system software. As application software, we implemented and
verified an e-mail client [10, 9], an e-mail server [45, 46], and a cryptography
server that run on top of this operating system. These applications might
be arbitrarily distributed over the trusted computers in the network.
This section continues with a short introduction of the implementation
layers in our computer system. Furthermore, we summarize the general ver-
ification approach that has been developed for sequential programs within
Verisoft in Section 2.2. A key feature of this approach is, that it can cope
with mixed-language implementations as they frequently occur in system-
level software. In our case, these languages are C0 and assembly. Assembly
is used in the lowest software layer, a low-level microkernel. The device
29
30 2. Background
Hardware
Cvm
dispatcher kernel primitives
Vamos
Sy
st
em
m
od
e
App
OS
kernel calls
App
U
se
r
m
od
e
Figure 2.1: System stack
model in Section 2.3 together with the computational model Communicat-
ing Virtual Machines (Cvm) introduced in Section 2.4, abstract from this
lowest software layer. On top of it, Section 2.5 introduces the Vamos mi-
crokernel which is completely implemented in C0. It relies on the Cvm
framework and represents the top-level microkernel with utilities like inter-
process communication, memory management and process scheduling.
2.1 The Academic System: Software Stack
Figure 2.1 depicts the hard- and software layers of a single computer in the
system. The lowest software layer is called communicating virtual machines
(Cvm). This layer encapsulates all the hardware-specific low-level kernel
functionality, which uses inlined assembly. Technically, this software con-
stitutes the interrupt-service routine of the processor. Cvm’s major task is
memory virtualization and process separation. Hence, Cvm includes a page-
fault handler with a simple memory swapping facility [6]. The remaining
functionality of our microkernel is implemented by the hardware-indepen-
dent kernel part. Cvm exports an interface of so-called primitives for the
access to and manipulation of user processes to this kernel part. We have
thereby established a solid framework for microkernel construction.
Using this framework, we have implemented our microkernel Vamos in
the C variant C0 without inlined assembly. When an interrupt occurs, Cvm
preserves the old processor context, establishes a suitable C0 environment
and calls the function dispatcher kernel of Vamos. For the manipulation of
the user memory or registers, Vamos may call the primitives of Cvm. The
return value of dispatcher kernel determines which process resumes when the
kernel execution finishes.
While Cvm and Vamos run in the privileged system mode of the proces-
2.2. The Academic System: Semantic Stack 31
Simpl
C0
asm
Transfer Theorems
Compiler Correctness
Figure 2.2: Semantic Stack
sor, processes run in the unprivileged user mode. In the figure, we labeled
one process “OS” for the operating system and the others “App” as ab-
breviation for application (e. g., e-mail client or server). The OS process
constitutes the highest layer of the operating system [15]. It features an ad-
vanced rights management with different users, implements a sophisticated
access control to kernel services like process creation and provides further
services like file-system and network access. All processes interact with the
kernel via kernel calls. The instruction set architecture (ISA) provides a
special instruction trap causing an exception, which is handled in Vamos.
Vamos can examine and alter the state of the process using Cvm primi-
tives, thus identifying the process’s specific request and storing the kernel’s
corresponding response.
2.2 The Academic System: Semantic Stack
As Figure 2.1 depicts, a computer system comprises a stack of hardware
and software layers. Along the implementation layers, we assemble com-
putational models which we use to specify and verify the system. Each of
these layers introduce a higher abstraction level to improve the effectiveness
of reasoning. In addition, these layers often employ different implementation
languages. Cvm, for example, provides the abstraction of separate processes
with virtual memory, and is implemented in a mixture of C0 and inlined as-
sembly. The reason for two implementation languages is apparent: C0 is a
C-like high-level programming language and can be comfortably employed
at a reasonable abstraction layer for most programming tasks. Specific low-
level functionality, however, cannot be expressed in C0. For these tasks, we
employ the assembly language.
In a large-scale verification project, the key to success is a verification ap-
32 2. Background
proach that follows the system design. Applied to the Verisoft project, this
means that verification does not only extend along the software levels but
also takes into account the mixed-language architecture [3]. The verifica-
tion approach is two-dimensional: The first axis, called system stack, traces
the different implementation layers. Along the implementation layers, we
assemble computational models which we use to specify and verify the sys-
tem. Figure Figure 2.2 depicts the so-called semantics stack [4] combining
all the different language semantics.
The assembly language marks the bottom layer, followed by C0 and
Simpl at the top. Despite of the former two, Simpl is a generic programming
language model for sequential imperative programming languages. This
generic model provides the basis for the versatile verification environment
Isabelle/Simpl. The major challenge of a pervasive verification is to develop
a coherent theory that allows to transfer the correctness results down to
the lowest layer. Thus, an important result of the Verisoft project is the
correctness theorem of a simple non-optimizing compiler that links C0 and
the assembly language [49, 63, 50]. Furthermore, transfer theorems [69]
establish an embedding of C0 into the generic programming model Simpl.
In the following sections, we present the – for microkernel programming
relevant – implementation languages C0 and Vamp assembly. The chapter
concludes with the introduction of the verification environment Isabelle/
Simpl which is used to conduct the actual proofs.
In the scope of this work, we solely focus on the correctness proofs per-
formed in Isabelle/Simpl. Mapping down the results achieved would rely on
the previously mentioned transfer theorems and the compiler correctness.
Starostin [72] already successfully applied the semantic stack in the context
of the formal verification of the demand paging mechanism in Cvm.
2.2.1 The Language C0
ANSI C has a complex and highly underspecified semantics. However, low-
level kernel programs such as drivers explicitly use properties of a particular
compiler on a target hardware, for example, its little-endian-ness or a par-
ticular atomicity of assembly operations. They can therefore not be verified
based only on the vague ANSI C semantics. In our approach, we constrained
ourselves to the C-like imperative language C0, which has sufficient features
to implement low-level software, but which is interpreted by a mathemati-
cally well-defined semantics. It is type safe and designed with verification in
mind. An elaborate description of the big-step semantics is given in [69] and
the small-step semantics is introduced in [48]. An overview on the simulation
theorems between the semantical layers can be found in [3].
C0’s most important limitations compared to ANSI C are:
• expressions must be free of side effects and do not contain function
calls,
2.2. The Academic System: Semantic Stack 33
• there are no implicit type conversions, especially not from arrays to
pointers,
• pointers are strongly typed and must not point to functions or stack
variables (i. e., there are neither void pointers nor pointer arithmetic),
and
• low-level data types (like unions and bit fields) and control-flow state-
ments (like switch and goto) are not supported.
Syntax. C0 supports fundamental types, aggregate types and pointers.
The first category comprises Booleans, 8-bit-wide characters, as well as
signed and unsigned 32-bit integers. Aggregate types in C0 are arrays and
structures. Pointers may point to all types of data but not to functions.
Expressions are variable names and literals. Moreover, if e and i are ex-
pressions and n is a component name, array access e[i], access to structure
components e.n, dereferencing ∗e, and the ‘address-of’ operation &e are ex-
pressions. Additionally, C0 supports the usual unary and binary operators.
Finally, C0 supports statements for assignments, dynamic memory al-
location, sequential composition, conditional and repeated execution, inline
assembly, function calls and returns from functions.
Small-step Semantics. C0 programs are statically represented by the
program environment Γ, which comprises a symbol table of global variables,
a type-name environment, and a function table. The symbol table is a list
of pairs of variable names and types. The type-name environment maps
type names to types. The function table maps function names to functions,
which are represented by a tuple consisting of (a) a symbol table for the
function’s parameters, (b) a symbol table for the stack variables, (c) the
function’s return type, and (d) a statement representing the function body.
The dynamically changing state sC0 of a C0 program in execution com-
prises:
• the remaining program sC0.prog , and
• the current state of the program variables sC0.mem.
The transition relation δC0 of this semantics is deterministic, i. e., a partial
function.
2.2.2 The Vamp Assembly Language
The DLX architecture [38] lays the foundation of the Vamp architecture
which was initially presented in [57]. An implementation of the Vamp has
been formally verified [13, 14]. Since then, the Vamp has been extended
with address translation and support for I/O devices [24, 1, 77].
There are three models [4, 77] related to the Vamp architecture. The
most concrete one is the gate-level implementation followed by the instruc-
tion set architecture (ISA) specification and the assembly-language speci-
34 2. Background
fication. The adjacent models are related via simulation proofs, such that
properties shown at the assembly level can eventually be transferred down
to the gate-level.
In the context of this work, we only rely on the Vamp assembly language
specification. Details on the gate-level implementation and its verification
can be found in [77].
The Vamp assembly language is the target language of the verified C0
compiler and represents a convenient layer for the implementation and the
verification of hardware-dependent programs. Its specification abstracts
from certain aspects of the lower layers, which are irrelevant for these pur-
poses. For instance, the Vamp assembly machine employs a linear mem-
ory model with a conventional memory semantics, i. e.,. it abstracts from
memory-mapped device I/O and the paging mechanism of the processor.
This abstraction is useful for assembly code executed in the untranslated
system mode as well as in the user mode with a transparent handling of
address translation and page faults.
Furthermore, the bit vectors from the ISA specification are superceded in
the VAMP assembly machine (a) by integers for data, (b) by naturals for ad-
dresses, and (c) by a tailored abstract data type for instructions. While this
representation is optimized for assembly programs working with integers,
arguments regarding naturals and bit-vector operations require the conver-
sion from / to integers. Thus, we define, for instance, the two functions
to int32 and to nat32 converting between 32-bit integers and naturals.
Assembly Semantics. An assembly state sasm is a record with the fol-
lowing components:
• two program counters sasm.dpc and sasm.pcp for implementing the de-
layed branch mechanism, which hold the byte addresses of the current
and next instruction,
• general purpose and special-purpose register files sasm.gprs and sasm.sprs
both holding lists of data, and
• main memory sasm.mm, which is a map from word addresses to data.
A Vamp assembly configuration is called valid, if it fulfills certain basic
well-formedness conditions: (a) the program counters must be 32-bit nat-
urals, (b) register files must contain 32 registers, and (c) all registers and
memory cells must be 32-bit integers 1. Formally, the predicate is ASMcore
encapsulates these well-formedness conditions:
1Note that register sasm.gprs ! 0 is always 0 and can thus be represented as 32-bit
integer.
2.2. The Academic System: Semantic Stack 35
is ASMcore sasm ≡
0 ≤ sasm.dpc < 232 ∧ 0 ≤ sasm.pcp < 232 ∧ length sasm.gprs = 32 ∧
length sasm.sprs = 32 ∧ (∀i∈{0<..<32}. −231 ≤ sasm.gprs ! i < 231) ∧
(∀i∈used sprs. −231 ≤ sasm.sprs ! i < 231) ∧ (∀ad . −231 ≤ sasm.mm ad < 231)
Instructions are represented by an abstract data type and converted on
instruction fetch from memory cells using the conversion function cell2instr.
Thus, the function
current instr sasm ≡ cell2instr (sasm.mm (sasm.dpc div 4))
denotes the instruction that is executed next in the assembly machine. Note
that the byte address sasm.dpc is divided by 4 in order to get the word address
of the current instruction in the main memory of sasm.
The assembly semantics can equally be employed in user- and system
mode. The mode is determined by the special-purpose register SPR MODE.
In user mode, it is illegal to access the special-purpose registers and solely
the page-table length register SPR PTL is relevant for us. It determines
the size of the main memory in pages of 1024 words. For convenience, we
encapsulate this fact in the function sizeasm and define:
sizeasm sasm ≡ to nat32 (sasm.sprs ! SPR PTL + 1)
The page table length is incremented by 1 because it is initially set to −1
which denotes that no virtual memory is allocated for the process.
A memory access beyond the specified size generates an exception in the
real system and an illegal exception in the assembly semantics.
The Vamp assembly transition function dasm computes for a given as-
sembly state sasm the next state. Essentially, the transition is specified by
a case distinction over current instr sasm.
2.2.3 Isabelle/Simpl - A Verification Environment for C0
For the verification of C0, we use a general program-verification framework
for sequential imperative programming languages: Isabelle/Simpl [68, 69]. It
is built as a conservative extension on top of Isabelle/HOL. The key feature
of Isabelle/Simpl is the notion of a Hoare-Triple:
Γ ` P c Q
In a procedure environment G , this statement claims that under the assertion
P on the original program state, the assertion Q will hold after the execution
of the code c given in the Simpl language. The assertions P and Q are
simply sets of states. In principle, Isabelle/Simpl is polymorphic over the
state space; we use records but hide the details by an Isabelle syntax, such
that {|sv. svvar = 5|} denotes the assertion that the value of program variable
var in state sv is five. Whenever we implicitly refer to the state, the name
36 2. Background
will be decorated by the acute prefix ′. For example, ′x will refer to field x
in the state record.
Expressions in Simpl are HOL expressions. In addition to the HOL
operations, we have defined bitwise conjunction x ∧u y and disjunction x ∨u
y over natural numbers (unsigned integers) x and y . Both operators first
convert the natural numbers x and y into bit vectors of the same length.
Afterwards, the corresponding bitwise operation is applied to the particular
bits resulting in a bit vector which is finally converted into a natural number
again. While the conjunction as well as the disjunction work on arbitrary
natural numbers, the result of a bitwise negation depends on the width of the
data type. Thus, ¬u/32 x denotes the bitwise negation of a 32-bit natural
number x. As above, x is first converted into a bit vector of length 32.
Afterwards, the particular bits are negated and the resulting bit vector is
converted into a natural number again. In a similar way, we proceed with
shift operations. With x u/32 y we define a left shift of the 32-bit natural
number x by y bits. Similarily, we define a right shift x u/32 y .
In contrast to expressions, statements are represented by an abstract
datatype. The statement syntax is highly abstract, e. g., Basic f represents
a state update using function f . In order to present programs in conven-
tional terms, we employ Isabelle’s powerful syntax translation machinery
and denote a program variable by ′var, an assignment by ′var :== 5, a con-
ditional by IF b THEN s1 ELSE s2 FI, a procedure call by ′var :== CALL
update(5), etc. The index g is used to instruct the parser to generate guards
that protect against runtime faults like overflows.
The procedure environment G is a partial function from procedure names
to statements. These statements constitute the procedure body and are
defined by the Isabelle/Simpl command procedures. The following com-
mand, for instance, defines the procedure update:
procedures update(var | res nat) =
′res nat :==g ′var
It has one formal parameter called var and the result to return to the calling
function is held in variable res nat, i. e., the bar separates input and output
parameters. When formally specifying the functionality of the procedure, we
write ′res nat :== PROC update( ′var) as shorthand for the code of procedure
update.
The Hoare-Triple
Γ ` {|σv. svvar = x|} ′res nat :== PROC update( ′var) {|τ. tres nat = x|}
states that procedure update assigns the value of its argument to the return
variable.
The framework includes a big-step semantics, a Hoare logic for partial as
well as total correctness and an automated verification-condition generator
for Simpl. Within this sequential core language, assembly fragments as well
2.2. The Academic System: Semantic Stack 37
as the C fragment C0 are embedded. The embedding is based on a compiler
converting C0-constructs in terms of operations provided by the small-step
semantics of the Vamp machine. A correctness proof for this compiler,
which links the small-step semantics to the Simpl big-step semantics, is
also provided [3]. This correctness theorem about the embedding of C0
into Simpl allows for mapping low-level properties to more abstract ones
formulated on the big-step semantics of C0. Thus, throughout this paper,
we will present all algorithms in Simpl (so that we can rely on a uniform
Isabelle/HOL foundation); note that this Simpl code is the result of an
automatic translation from the C0 code that is actually compiled and runs
on the machine.
We employ the HOL type system to model C0 programming language
types. Isabelle’s type inference then takes care of typing constraints that
would otherwise have to be explicitly maintained in the assertions. Propo-
sitions that explicitly refer to the memory layout or to hardware device
registers cannot be proven on the C0-Hoare-Logic level; in these situations,
the verification necessarily descends down to the Vamp level. Our approach
is to abstract the effect of those low-level computations into atomic XCalls
(extended calls) in all our semantic layers. In particular, the state-space of
C0 is augmented with an additional component that represents the state of
the external component, e. g., a device. An XCall is a procedure call that
performs a transition on this external state and communicates with C0 via
parameter passing and return values. With this model, it is straightfor-
ward to integrate XCalls into the semantics and into Hoare logic reasoning.
XCalls are typically implemented in assembly.
Code Verification in Isabelle/Simpl
The introduction presents a bird’s eye view on the refinement, as depicted in
Figure 1.1. In principle, we can reformulate the depicted claim in Isabelle/
Simpl as follows:
Γ ` {σv. Abs σv s} PROC system step() {τ. Abs τ (δ s)}
Assuming an abstraction relation Abs that holds for a concrete state sv and
an abstract state s, the relation is preserved by the transitions system step
on the concrete level and d on the abstract level. Just like the figure, this
statement is an over-simplification. We postpone the details to Chapter 5.
Our approach to code verification combines refinement and code cor-
rectness, i. e., contracts are specified in terms of the abstract states. As a
simple example, we assume a library function append, which appends an
element to a singly-linked list. In the implementation, the list is represented
as a pointer structure described by the variables head and next. In order to
prove that a specific pointer structure in the state t after a function invo-
cation indeed denotes a list, it is useful to know that the original pointer
38 2. Background
structure in state sv already denoted a list. We encapsulate the list property
in a predicate invlist over the pointer variables and formulate correctness of
append(head, elem) as follows:
Γ ` {|σv. invlist svhead svnext ∧ abs rellist svhead svnext xs|} PROC append( ′head, ′elem)
{|τ. invlist thead tnext ∧ abs rellist thead tnext (xs @ [svelem])|}
i. e., we express the effect of the function in terms of its abstract represen-
tation, which is a concatenation of lists.
2.3 Devices
Devices may communicate with an external environment and the processor.
The former is used to model non-determinism and communication; a net-
work interface card, for example, sends and receives network packets. The
processor accesses a device by reading or writing special addresses. The de-
vices, in turn, can signal interrupts to the processor. So far, direct memory
access (DMA) is not supported.
Device communication happens on many different layers throughout our
system. In Verisoft, we established a uniform way of interacting with devices
by developing a generic device framework featuring standardized transition
functions for all layers. The detailed discussion of this model goes far beyond
the scope of this work and it is not necessary for the further developing.
Alkassar and Hillebrand [2] describe the model in detail.
In a nutshell, the device model is pseudo-parallel in the sense that we
either do an internal step – the device consumes a processor input – or an
external step – the device consumes an external input, but never both at
the same time. We use the automaton
AD = (SD, S0D, Σvint, Ωint, ωD, δDint, Σvext, Ωext, δDext)
to describe the devices. The state SD of the device system subsumes the
particular device configurations with S0D ⊂ SD representing the set of the
initial configurations. Devices communicate with the kernel resp. the proces-
sor by using the alphabet Svint (from the device subsystem to the processor)
and the alphabet Wint (from the processor to the devices). Our kernel uses
memory-mapped I/O for device communication. Hence, the output alpha-
bet Wint comprises read and write accesses to device addresses whereas the
input alphabet Svint consists of interrupt lines and optionally incoming data.
The kernel can access the device system by means of the output function
wD which returns the interrupt vector of currently active interrupts. Kernel-
initiated communication is performed by the transition function dDint. Based
on an input from the kernel, it does not only yield a successor device state,
but also output to the kernel and, potentially, to the environment.
The communication with the environment is based on an external inter-
face in order to receive keystrokes, for example, or send network packages.
2.4. Communicating Virtual Machines 39
It is defined by the alphabets Svext and Wext. Inputs from the environment
consist of a device ID and an external device input. The external transition
function dDext takes this input and computes the next state. While internal
steps may result in both external and internal output, external steps only
produce external output.
2.4 Communicating Virtual Machines
Virtually every modern operating system kernel is devided in a hardware-
dependent and a hardware-independent part. Usually, the former part is
small but employs inline assembly code, while the latter one is larger in size
but written in a high-level programming language. From the verification
perspective, inline assembly code requires a logic with much more machine
details than that of a well-designed high-level language. Hence, the parti-
tioning regarding functionality is very useful for our intended verification as
well.
Based on these observations, we encapsulate all hardware-specific low-
level functionality, which is possibly using inline assembly, in the layer of
communicating virtual machines (Cvm), which was first introduced in [34]
and further developed in [65, 76]. We identify three major tasks for this
abstraction layer: memory virtualization [72, 6], switching between differ-
ent threads of execution [74], and data exchange [76]. For the hardware-
independent part, Cvm provides the means for access and manipulation
of user machines by so-called primitives [73]. Examples are cvm copy, for
copying data between two user machines, cvm alloc for increasing the vir-
tual memory space, and cvm get gpr for reading a general purpose register
of a user machine. The Cvm primitives are simply functions that operate
on Cvm data structures and might possibly contain inline assembly. From
the programmer’s view, we have thus established a solid framework for mi-
crokernel construction [40]. Programmers can implement microkernels using
Cvm primitives and plain C0 without extra inline-assembler portions.
From the verification perspective, we established a semi-parallel model
of computation that formalizes concurrent user machines interacting with a
kernel. These user machines are abstract processors with virtual memory.
The so-called abstract kernel is represented as an abstract C0 machine with
typed memory. In addition to usual C0 functions, the kernel code might
call Cvm primitives. Hence, the primitives must have been declared in the
C0 machine. Moreover, a function called dispatcher kernel must be defined,
which Cvm will call when an interrupt occurs. In order to obtain an exe-
cutable, we have to link the Cvm implementation with the abstract kernel
[65]. We call the resulting executable the concrete kernel.
In the following, we will only briefly summarize the formal model of
Cvm. Apart from that, we refer to the mentioned literature.
40 2. Background
2.4.1 Cvm State
A Cvm state sCVM is a record with the following components:
• the abstract kernel cvm kernel,
• the virtual user processes cvm up, and
• the state of the device system cvm devs.
In Cvm, the abstract kernel cvm kernel is modelled as a C0 machine. The
component cvm up contains information on the virtual machines of the user
processes. We denote the number of user processes including the kernel
that are allowed to run in our system by the constant PID MAX = 128.
For identifiers of user processes, we introduce the data type procnumT =
{1..<PID MAX}, whereas identifier 0 is used for the kernel. Cvm applies the
Vamp assembly semantics to model the virtual user machines. Accordingly,
component cvm up.userprocesses provides a mapping between process iden-
tifiers and Vamp assembly states. The component cvm up.currentp holds
the identifier of the current process, which is determined by the process
identifier bpidc, if process pid is running and ⊥, if the kernel is running.
Common to all processes is the interrupt mask cvm up.statusreg which is
represented as a 32-bit natural number.
Initial Cvm State. An initial Cvm state represents the situation after a
reset and is described by the function init cvm sys. As the abstract kernel
as well as the devices are parameters of the Cvm model, they have to be
provided as input:
init cvm sys ak devs ≡
(|cvm kernel = init cvm ak, cvm up = init cvmup, cvm dev = init dev devs|)
In a nutshell, init cvm initializes the local stack and the program rest of
the abstract C0 kernel machine ak, whereas init dev initializes the devices
devs. Function init cvmup is used to initialize the abstraction of the virtual
user processes, i. e., the program counters are set to 0, and the memory
as well as the general- and most of the special-purpose registers are filled
with zeroes. However, the page table origin in register SPR PTO is process-
specific, whereas the page table length in register SPR PTL is set to −1,
which denotes that no virtual memory is allocated for the process so far.
In addition, the SPR MODE register is set to 1 intending that the machine
runs in user mode.
So far, no process is running, i. e., the current process identifier is set to
⊥. Finally, the status register enables the interrupts for illegal instructions,
misalignment, page faults, traps, and the timer device.
For more formal details, we refer to [65, 76].
2.4. Communicating Virtual Machines 41
Valid Virtual Machines. In the remainder of this thesis and, in par-
ticular, in the correctness proof of our kernel, we rely on certain validity
requirements for the virtual machines. Predicate is valid cvmup formally
encapsulates these requirements:
is valid cvmup up ≡
∀i . is ASMcore (up.userprocesses i) ∧
(up.userprocesses i).sprs ! SPR MODE 6= 0 ∧
−1 ≤ (up.userprocesses i).sprs ! SPR PTL < to int32 TVM MAXPAGES
First of all, each virtual machine represents a Vamp assembler machine in
terms of is ASMcore and runs in user mode. Furthermore, a virtual machine
is either occupied with no memory, i. e., its page table length equals −1, or
the number of pages is less than TVM MAXPAGES.
2.4.2 Cvm Transitions
A Cvm transition dCVM takes a Cvm state sCVM and an external device
input dinext as parameters, yielding either a next configuration bsCVM ′c or
⊥, if a run-time error has occurred, and potentially a device output to the
environment.
Depending on the external device input dinext and the current-process
identifier sCVM.cvm up.currentp, the Cvm transition function dCVM distin-
guishes three cases2:
1. If dinext 6= ⊥, a device step is performed. In this case, only the de-
vice component of sCVM is updated with the new device configuration
(obtained by dDext). Additionally, a device output to the environment
might be generated.
2. If there is no external device input and the current process identifier
is ⊥, the abstract kernel makes a step.
3. Otherwise, the current process makes a step.
In the latter case, Cvm distinguishes three sub-cases: (a) an user step
without interrupts, (b) an user step with an interrupt that aborts the user
execution (illegal instruction, misalignment, etc.), and (c) an user step with
an interrupt, but one which allows the current process to take a step (exter-
nal interrupts, trap, and overflow).
User steps without interrupts boil down to an application of the Vamp
assembly transition function dasm to the virtual machine of the current pro-
cess. Steps with interrupts result in an invocation of the abstract kernel.
2Note that, in this context, we only consider live executions meaning that the kernel,
the user processes and the devices are executed infinitely often. Thus, it may not happen
that, for instance, device steps might block the kernel forever.
42 2. Background
Whether thereby the current process takes a step depends on the kind of
interrupts. In case of a runtime error, i. e., the user execution is aborted,
the virtual machine of the current process remains unchanged. Otherwise,
the current process makes a step according to dasm.
The update of the virtual machine vmcp of the current process in case
of a user step determines function userstep:
userstep vmcp ≡ if user step progress vmcp then δasm vmcp else vmcp
Predicate user step progress holds, as long as no runtime errors occur during
the execution of the current instruction.
2.4.3 Cvm Primitives
Cvm primitives [73] provide mechanisms for process management, inter-
process and device communication. The abstract kernel uses these primitives
to implement a scheduler, interrupt delivery and kernel calls, allowing user
processes to interact with each other and with devices.
While implementing the abstract Vamos kernel, we use the following
set of Cvm primitives: cvm reset and cvm clone for process initialization,
cvm alloc for increasing and cvm free for decreasing memory of an user pro-
cess, cvm copy to copy data from one process to another, cvm get gpr and
cvm set gpr to read and write user process register, for device communica-
tion cvm in word, cvm out word and cvm virt io, cvm set mask for setting
the Cvm interrupt mask, and cvm load os for loading the operating system
into the memory.
2.4.4 Cvm in Isabelle/Simpl
The code correctness proof for the Vamos microkernel completely relies on
the verification environment Isabelle/Simpl. Recall, however, that Vamos
is implemented to run as Cvm’s kernel machine. For this reason, we have
to represent this framework in our programming model and describe, how
we model the effects of Cvm in Simpl as seen by a Vamos programmer.
We do this by introducing an external state component cvmX subsuming
the visible remnants of a Cvm state: (a) the processor abstraction cvm up,
and (b) the device subsystem cvm devs. The abstract C0 kernel machine is
missing, because it is instantiated with the concrete Vamos implementation.
Based on component cvmX, we are able to model the steps in Cvm
before invoking and after leaving the Vamos kernel, i. e., the function dis-
patcher kernel.
Figure 2.3 depicts the pseudo-code of a Cvm transition.
Formally, the component cvmX is represented as a tuple and we define
the function cvm ups cvmX in order to get the first component with the
virtual processes and cvm devs cvmX to get the second one with the devices.
2.5. Vamos Microkernel: Design and Implementation 43
Furthermore, we define function mca nat up devs stat, which computes the
vector of the exceptions that occur during the next step, under consideration
of the virtual machine vm of the current process, the device system devs
and the status register stat. Some possible exceptions, like traps, write an
exception-data register; its content is computed by edata nat vm.
After power-up, the processor generates a reset signal which, according
to Figure 2.3, leads to the initialization of the Cvm component. Apart from
a reset, a transition consists of up to two phases: First, the current process
executes one (assembly) step if existing.3 Second, the Cvm layer computes
the vector of enabled interrupts and invokes the kernel’s dispatcher kernel
function, if an enabled interrupt has been raised. There are two possible
sources of interrupts: The current process may cause an exception, and
external devices may raise their interrupt line. Interrupts are ignored when
not enabled in the status register. The return value of dispatcher kernel
describes the process to be run next: If the value is a valid process number,
this process is elected, otherwise, the system idles until the next device
interrupt occurs.
We address the actual implementation of dispatcher kernel resp. the Va-
mos microkernel in Section 2.5.2.
Apart from modelling the Cvm steps around the Vamos invocation,
there is another reason for the introduction of cvmX. Applying the concept
of XCalls, it enables the possibility that low-level accesses of the Vamos
kernel, like setting register values, become visible in the code specification.
This is crucial, as we do not only want to specify the C0 parts of the kernel
but aim at an overall model of kernel executions.
In consequence, with the integration of Cvm into Simpl, we provide an
optimal background for both, proving the Vamos implementation correct
and combining Cvm and Vamos, in order to get an overall kernel correctness
theorem.
2.5 Vamos Microkernel: Design and Implementa-
tion
The kernel of an operating system is the code that runs in the privileged
mode of a processor, i. e., this and only this code has unrestricted access
to all hardware resources. Traditionally, kernels provided an abstraction
from the hardware processor and the external devices. When kernels grew
in size over the years because of a rising variety of hardware, and especially
external devices, the traditional systems were called monolithic and the idea
of smaller microkernels was born.
The motivation for microkernels, however, is manifold. Microkernels be-
3Recall that we do not rely on the existence of an idle process. Hence, there might be
no current process.
44 2. Background
procedures system step() =
IFg ′reset THEN (∗ CVM Reset ∗)
′reset :==g False;
′eca :==g 1;
′edata :==g 0;
′cvmX :==g (init cvmup, init dev (cvm devs ′cvmX))
ELSE
′up :==g cvm ups ′cvmX;
IFg currentp ′up = ⊥ THEN (∗ CVM is idle ∗)
′eca :==g mca nat None (cvm devs ′cvmX) (statusreg (cvm ups ′cvmX));
′edata :==g 0
ELSE
′proc :==g (userprocesses ′up) dcurrentp ′upe;
′eca :==g mca nat (b ′procc) (cvm devs ′cvmX) (statusreg (cvm ups ′cvmX));
′edata :==g edata nat ′proc;
′cvmX :==g ( ′up (|userprocesses :=
(userprocesses ′up)
(dcurrentp ′upe := userstep (userprocesses ′up dcurrentp ′upe))|),
cvm devs ′cvmX)
FI
FI;
IFg ′eca > 0 THEN (∗ has an interrupt been raised? −− call dispatcher kernel ∗)
′cp :== CALLg dispatcher kernel ( ′eca, ′edata );
′cvmX :==g ( (cvm ups ′cvmX)
(|currentp := if ′cp ∈ {1..<PID MAX} then bAbs procnumT ′cpc
else ⊥|),
cvm devs ′cvmX )
FI
Figure 2.3: Simpl function system step, which represents a combined step
of Cvm and Vamos
2.5. Vamos Microkernel: Design and Implementation 45
came a popular research topic in the late 1980s together with the idea of
multi-personality operating systems, which demanded a more general hard-
ware abstraction than the traditional approach. This first generation of
microkernels such as Mach [64] or IBM’s Workplace OS [33] suffered from
a poor performance. When Jochen Liedtke analyzed these systems [53],
he pinned the problem down to a feature-overloaded mechanism for inter-
process communication (IPC). Together with a light-weight, flexible IPC
mechanism [51], he proposed the minimality of hardware abstractions [52]
in the kernel and suggested that servers implement the traditional services
of operating systems. Engler et al. [32] took the idea of minimality a
step further and banned (nearly) all abstractions from the kernel. Instead
of resource management, the kernel was restricted to resource protection.
Abstractions were implemented in operating-system libraries and directly
linked to the user processes.
Our microkernel design is not as minimal as Engler or Liedtke proposed.
We host all functionality in the kernel that would be hard to verify if imple-
mented in user processes. Obeying this principle, the memory management,
support for finite IPC timeouts, and the scheduler live in our microkernel.
Device drivers, which constitute the largest part of today’s monolithic ker-
nels, are implemented outside our microkernel.
An initial version of the VAMOS microkernel had been implemented by
Stefan Maus and Dominik Rester under the supervision of Mauro Gargano.
Over time, many students and staff improved and extended the kernel –
its implementation as well as its design. In particular, Matthias Daum
introduced the capability-like concept of process identifiers and implemented
the overflow-safe management of timeouts and a generic debug library.
The next section describes the basic functionality of our kernel in more
detail. The chapter concludes with the representation of the Vamos imple-
mentation in Isabelle/Simpl. As it is taken as basis for the later verification,
we do not elaborate on the details of the C0 implementation. Anyways, both
representations are quite similar.
2.5.1 Vamos Functionality
Our microkernel Vamos performs the following tasks: (a) enforcement of a
minimal access control, (b) process management, (c) memory management,
(d) priority-based round-robin scheduling, (e) support for user-mode device
drivers, and (f) inter-process communication (IPC). Processes can control
these tasks via the kernel’s application binary interface (ABI). Table 2.1 lists
the kernel calls that constitute the ABI.
Subsequently, we present the basic concepts incorporated in Vamos to
achieve the desired functionality.
46 2. Background
Access Control and Initial Process. A minimal access-control mecha-
nism reserves most kernel calls for so-called privileged processes. Thus, only
a privileged process can bring up new processes or kill existing ones, alter
the memory consumption of processes, change their scheduling parameters,
or control the registration of device drivers. Any process, however, might
use the IPC mechanism.
When Vamos boots, it launches one privileged single process, the init
process. We presume that the process constitutes the user-mode parts of the
operating system, for instance, the simple operating system (SOS) of Bo-
gan [15]. It has to set up the required servers of the operating system, start
and register the device drivers, and possibly implement a more sophisticated
access-control mechanism. Non-privileged processes may then communicate
with the privileged processes, in order to request kernel services on their
behalf.
Table 2.1: Application binary interface of the Vamos kernel
Kernel Call Description
Access Control
set privileges p add process to set of privileged processes
Process Management
process create p create a new process from a memory image
process clone p copy an already existing process
process kill p kill a process
Memory Management
memory add p increase the memory amount of a process
memory free p decrease the memory amount of a process
Scheduling Mechanism
chg sched params p change scheduling parameters
Device Driver Support
change driver p (un)register a driver for a set of devices
enable interrupts d re-enable a set of interrupts
dev read d / dev write d communicate with a certain device
Inter-Process Communication
ipc send / ipc receive unidirectionally communicate with process
ipc request send and immediately wait for a reply
change rights manipulate IPC rights
read kernel info receive information from the kernel
p call is reserved for privileged processes
d call is reserved for device drivers
2.5. Vamos Microkernel: Design and Implementation 47
Handles and a Capability-like Access-Control Mechanism for IPC.
Our system, i. e., the Vamos kernel, identifies the different user processes by
unique numbers. These process numbers, in principle, would also be suitable
for user processes to refer to each other. However, an identification based on
the plain process numbers would permit the guessing of these numbers, such
that processes might find (possibly) unauthorized communication channels.
Furthermore, the reuse of process numbers of terminated processes is some-
how tricky. Liedke, for instance, introduced a generation counter for process
numbers but this counter might overflow and is not well suited in the con-
text of formal verification. Thus, the Vamos kernel introduces a layer of
indirection which allows processes to refer to each other only via process-
local alias names, so-called handles. A handle can only be used in the local
context of a process and has to be translated to the actual process number
by the kernel. The translation, however, is attached to certain conditions.
Furthermore, the concept of handles lays the foundation for a capability-like
access-control mechanism for IPC. The latter is necessary as, in the context
of IPC, the distinction between privileged and unprivileged processes is too
coarse.
For this to work, the kernel maintains for each process x a list which we
call the handle database of the process. A handle hn points to one entry e in
this handle database which, in turn, stores information on the corresponding
handle.
The handle hn is considered as valid, i. e., the process it refers to is known
by x, if it is marked as known in the entry e. Only in this case, the process
x may safely use the handle hn and the kernel translates it into a process
number, if needed.
The handle databases, however, are dynamic datastructures. Thus, pro-
cess x might, for instance, release the handle hn from its own database.
While such operations are noncritical as they are initiated by the process
itself, things are different, if a privileged process, for instance, selectively
steals the handle hn from x’s handle database or the process, hn refers to,
has been terminated. Both actions result in the invalidation of handle hn
in x’s handle database, i. e., it is no longer marked as known. However,
neither the stealing nor the process termination do necessarily go on with
the knowledge of x. Thus, although hn is invalidated, the process x might
continue to believe that hn is still valid. Normally, this misunderstanding
will only be resolved, if x tries to use handle hn and the kernel responds with
an according error message. While designing the Vamos kernel, however,
we aimed to reduce such errors. For this purpose, we mark handles like
hn as stolen. Based on that, the kernel tries to inform the processes about
the existence of stolen handles by means of kernel notifications which are
supplied with each IPC message. While the latter only inform about the
existence of stolen handles, the Vamos call read kernel info provides a
detailed listing of the stolen handles in the handle database of the calling
48 2. Background
process. In this way, the kernel can be sure that the owners of stolen handles
are notified and does no longer mark the corresponding handles as stolen.
Thus, they may be reused for other processes.
With the concept of handles we allow for a conceptional infinite name
space of process identifiers and improve the reuse of such identifiers in com-
parison to Liedke’s generation counter which might overflow. Moreover, the
handles prevent from guessing any process numbers which may lead to unau-
thorized communication. The only drawback of this indirection is the extra
maintenance effort in the Vamos kernel. However, with a very basic handle
database, we keep the costs as low as possible. There are only two special
handles regarding the process identification. Handle HN SELF enables a
process to identify itself, e. g., if it wants to clone itself. Furthermore, han-
dle HN PARENT refers to the parent process. In all other cases, we use a
one-to-one mapping between process numbers and handles.
Apart from the process identification, the concept of handles lays the
foundation for a capability-like access-control mechanism for IPC. For this
reason, each valid handle is associated with IPC rights controlling the com-
munication with the corresponding process it refers to. We distinguish four
different rights which are also part of the handle database entries. A process
is cut off from the communication with another process, if none of the rights
in the corresponding handle database entry is set. Apart from that, the
request right is the weakest one. It only allows combined send and receive
calls and forces, for instance, that a client waits for a server’s response. The
timeout of the waiting is infinite, as long as the client does not have the
finite right which abolishes the limitation and enables the client to initi-
ate a request with a finite receive timeout. The send right is the strongest
one. It allows an unrestricted communication, i. e., no limitations regarding
timeouts and the possibility to perform only a send without waiting for a
response. However, unless the multiple right is not set, existing rights will
be cleared after the first send operation. Receiving from a known process is
always possible.
Inter-Process Communication. IPC is the only way how processes in
Vamos may communicate with each other. The communication is syn-
chronous, i. e., if the IPC partner is not already waiting, the calling process
is blocked until either the partner is ready or the timeout is exceeded. For
sending and receiving, the VAMOS kernel provides the calls ipc send and
ipc receive. In addition to that, the call ipc request enables a combined
send and receive with the same communication partner which is typically
used by clients to place requests on some servers.
As described above, processes identify the desired communication part-
ners by means of handles and the kernel checks whether the corresponding
IPC rights are sufficient for the intended communication.
2.5. Vamos Microkernel: Design and Implementation 49
Apart from the ordinary receiving from another process, the Vamos call
ipc receive supports two further operation modes. The open-receive mode
enables a process to be simultaneously available for more than one sender.
A prominent application area of this mode is found with servers that rely on
the possibility to receive requests from various clients. The actual request
handling, however, is based on first-come, first-served. Nevertheless, a server
may restrict the circle of clients by means of the IPC rights.
The remaining operating mode is tailor-made for device drivers. Ulti-
mately, device drivers take a great interest in receiving external interrupts
as fast as possible. In order to meet this desire, the call ipc receive pro-
vides the possibility of a so-called closed kernel-receive. This option restricts
the receiving to notifications from the Vamos kernel only. In doing so, the
VAMOS kernel is qualified to deliver according notifications as soon as inter-
rupts for the driver occur. A more detailed view on that provides Section 4.6.
With the basic functional principles at the back, we now take a look
at the data that can be transferred via IPC. Data, in the context of IPC,
is considered as message and comprises multiple parts. The most common
one is the memory message. Specified by the sender, it describes a memory
region that should be transferred to the receiver. For this to work, the
receiver also has to specify a suitable memory region to buffer this message.
Another part of an IPC message comprises rights. A sender may grant IPC
rights to a receiver, on which the latter relies on in future communications
with the sender. The receiver is informed about the new rights by the so-
called return rights which describe the combination of the (possibly) already
existing rights and the new ones. On the one hand, these return rights are
stored in the receiver’s handle database and, on the other one, they are
made available for the receiver in an according result register. In addition
to that, it is possible that the sender introduces new processes (together
with associated rights) to the receiver. Thus, the operating system may, for
instance, introduce a server to a newly created process and provide it with
the corresponding rights for the communication. As above, an according
handle together with the rights are stored in the handle database of the new
process and published in according result registers.
Finally, an IPC message also delivers notifications from the kernel. Thus,
as mentioned before, they inform the receiver on stolen handles or occurred
interrupts the receiver acts as driver for.
Process Scheduling. The basic policy underlying the Vamos scheduler
is round-robin process selection. This basic policy can be adjusted by two
regulators: priorities and timeslices. Our scheduler supports three different
priority levels. Only processes in the highest, non-empty priority class will
be scheduled. Processes in a lower class wait until no processes are ready to
compute in any higher priority class. Within one priority class, the timeslice
50 2. Background
determines how long a certain process may compute until it is preempted
in favor of another process of the same priority class. Thus, timeslices
determine the relative weight of process runtimes while priorities lead to the
preemption of lower process classes.
Device Drivers. A device driver is a user process, which is designated
for the communication with certain devices. Only if a process is registered
as a driver for a particular device, it may place read or write requests from
or to that device, respectively. Moreover, the device driver is notified of
interrupts from that device.
2.5.2 Vamos in Isabelle/Simpl
In Section 2.4.4, we got a first impression on the implementation layer of
the Vamos microkernel. The Cvm framework in Simpl provides a solid
background to argue on a mixed language implementation, like we have with
Cvm and Vamos. It allows the modelling of the low-level entities before
and after the invocation of Vamos, as well as accesses to these entities from
within Vamos.
Due to this, we are able to implement the Vamos microkernel in pure
C0. Accesses to low-level entities, like process registers, are only provided
by Cvm primitives. These primitives are implemented as XCalls and can be
treated as normal C0 function calls. However, in terms of Isabelle/Simpl,
they operate on the external state component cvmX according to the corre-
sponding primitive semantics and communicate with the C0 implementation
via parameter passing and return values.
In addition, the Vamos kernel maintains several datastructures in order
to provide its intended functionality. These so-called kernel datastructures,
together with the external component cvmX, form the Vamos state space
which will be introduced subsequently. The section concludes with the rep-
resentation of the top-level function of Vamos.
Vamos Implementation State
The Vamos implementation state in Isabelle/Simpl is a record whose in-
dividual elements are global and local variables from the Vamos imple-
mentation. In contrast to C0, Isabelle/Simpl does not support variables of
structural types, like structs, but flattens them, i. e., for each individual
field there is a separate component in the state space. In addition to that,
each pointer variable or pointer structure field is replaced by a heap function
in the state space. Thus, we have one heap variable f of type ref ⇒ value
for each component f of type value of the struct. To clarify the matter, we
consider a typical structure list to represent a linked list in the heap:
2.5. Vamos Microkernel: Design and Implementation 51
struct list {
int data;
list *next;
};
The structure contains two components: the data element data and a
pointer next to the next node. Thus, we would get two heaps in the state
space record: data of type ref ⇒ int and next of type ref ⇒ ref.
Against this background, we proceed with the different (global) datas-
tructures in the Vamos state. In order to provide its intended functionality,
Vamos maintains general as well as process-specific data. The former is
used to accomplish tasks like process scheduling, interrupt delivery or mem-
ory management. An overview on the particular state components is given
in Table 2.2. Process-specific data gives a more fine-grained view on the
particular processes and is provided in so-called process information blocks.
Implemented as a struct in C0, Simpl provides heap functions for the partic-
ular components, see Table 2.3. These heap functions are applied to process
pointers in order to get the process-specific value of the corresponding com-
ponent, like the state or priority of the process.
General Data. The process pointers are given by the array pib. It is of
length PID MAX and thus provides a unique pointer to each of the processes.
Table 2.2: General Datastructures in Vamos
State Component Description
Process Scheduling
inactive list :: ref head of the inactive queue
wakeup list :: ref head of the wait queue
ready lists :: ref list array of heads of the particular ready queues
Time Management
current time :: nat current time in clock ticks
next timeout :: nat next point in time when an timeout expires
Interrupt Management
intmask :: nat currently enabled interrupts
inthd :: nat interrupts with registered handlers
intocc :: nat occured, but not yet delivered interrupts
Miscellaneous
pib :: ref list array with all process pointers available
current process :: ref pointer to the currently running process
vamos pages used total number of used memory pages
current max priority :: nat current maximum priority
52 2. Background
The indices are the according process identifiers.
All processes are organized in one of the scheduling lists. By means
of these queues, the processes are classified into inactive, ready or waiting
ones. The implementation enables the access to these queues by pointers to
their heads. State components inactive list denotes the head to the inactive
list, whereas wakeup list denotes the one to the wait list. Due to the three
priority levels in Vamos, the access to the according ready lists is provided
by the array ready lists. The current maximum priority is stored in com-
ponent current max priority. The head of the ready list assigned with this
priority determines the currently running process. Additionally, the pointer
is explicitly stored in component current process.
Vamos measures the time in clock ticks which are actually interrupts
from the external timer device4. Thus, component current time holds the
number of kernel entries as consequence of timer interrupts. The time might
also influence pending IPC operations of waiting processes, if any timeouts
expired. Component next timeout specifies the minimum of the timeout
values of waiting processes, i. e., the next point in time, when one of these
timeouts expires.
Vamos only accepts interrupts from enabled devices. An according
mask is given by intmask, which actually represents the user-visible portion
of Cvm’s status register. However, enabled interrupts are not necessarily
handled by a driver. Those assigned to a driver are subsumed in inthd.
Whenever interrupts occur, the Vamos kernel tries to deliver them to the
according drivers as fast as possible. However, it might happen that a driver
is not ready to receive the interrupt notification. In this case, Vamos stores
these occurred but not yet delivered interrupts in intocc for a later delivery.
As Vamos has to cope with restricted memory, it stores the number of
used memory pages in vamos pages used. Based on this number, it decides
whether new processes may be launched and whether existing processes may
allocate new memory.
Process-specific Data. Together with the process creation, the process-
specific data of the new process is set up.
As already said, the process-specific data is provided by heap functions
which, applied to process pointers, return the desired information.
First of all, the process-specific data states some general properties of
the process. Component pid denotes the unique identifier of the process and
parent holds the identifier of the parent. Actually, the list membership de-
termines the status of a process. However, especially for waiting processes,
a more-fine grained notion of state is necessary and provided by component
state. For inactive and ready processes it returns INACTIVE STATE resp.
READY STATE, whereas it distinguishes three cases for waiting processes:
4We assume the existence and liveness of the timer device.
2.5. Vamos Microkernel: Design and Implementation 53
The state of a waiting process reflects the IPC operation it is currently
waiting for. Thus, a pending ipc send call leads to the state SEND STATE,
whereas SEND RECEIVE STATE denotes a pending ipc request. If a pro-
cess waits due to an ipc receive call, its state is set to RECEIVE STATE.
The latter is also used to denote the receive phase of an ipc request call.
Table 2.3: Process-specific Data in Vamos
State Component Description
General Information
state :: ref ⇒ nat state of a process
pid :: ref ⇒ nat process identifier
parent :: ref ⇒ nat process identifier of the parent
fip :: ref ⇒ nat first invalid page
privileged :: ref ⇒ bool privileged status
Scheduling Parameters
priority :: ref ⇒ nat priority of the process
timeslice :: ref ⇒ nat how long will the process be active
consumed time :: ref ⇒ nat how long is the process already active
timeout :: ref ⇒ nat when will the process be ready again
queue next :: ref ⇒ ref next pointer for the scheduling queue
queue prev :: ref ⇒ ref previous pointer for the scheduling queue
Handles and Rights
handle db :: ref ⇒ nat list handle database
stolen count :: ref ⇒ nat number of currently stolen handles
Interrupt Handling
reg devices :: ref ⇒ nat mask of interrupts handled by process
IPC Arguments
ipc pid :: ref ⇒ nat process identifier of desired IPC partner
ipc rights :: ref ⇒ nat rights to grant to the receiver
ipc snd msg :: ref ⇒ nat pointer to send message
ipc snd len :: ref ⇒ nat length of send message
ipc rcv msg :: ref ⇒ nat pointer to receive buffer
ipc rcv len :: ref ⇒ nat length of receive buffer
ipc add pid :: ref ⇒ nat process identifier of additional process
ipc add rights :: ref ⇒ nat rights to assign with the additional process
ipc snd timeout :: ref ⇒ int timeout for the send operation
ipc rcv timeout :: ref ⇒ int timeout for the receive operation
send queue :: ref pointer to send queue of process
send queue next :: ref ⇒ ref next pointer for send queue
send queue prev :: ref ⇒ ref previous pointer for send queue
54 2. Background
Whether a process is privileged determines flag privileged. Its current
memory consumption is returned by fip denoting the index of the first invalid
page.
Furthermore, each active process is involved in the priority-based round-
robin scheduling. For this reason, Vamos stores the priority of a process
in priority, the timeslice in timeslice and the already consumed time in con-
sumed time. Each process is classified in one of the scheduling lists. In
order to identify its neighbours, each process is equipped with pointers to
the previous and next element of the queue, it is currently contained in. The
corresponding components are queue next and queue prev.
As already mentioned, processes identify each other by means of handles.
These handles are process-local and stored in the component handle db. The
number of stolen handles in a handle database is given by stolen count.
Function reg device delivers the mask of interrupts that are handled by
a process.
If a process performs an IPC operation, Vamos stores the according
arguments as process-specific data. We do not dwell on the particular ar-
guments, but refer to Table 2.3. However, in the context of IPC, Vamos
also maintains so-call send lists. The send list of a process p contains all
pointers to processes which are currently willing to send to p. Similar to
the scheduling lists, head pointers send queue provide the access to the send
lists. The traversing is enabled by next and previous pointers, i. e., send
queue next and send queue prev, respectively.
The top-level function of Vamos
Upon kernel entry, the Cvm routine calls the function dispatcher kernel,
which is the actual implementation of the Vamos kernel. As intended by
the name, the Vamos kernel mainly acts as dispatcher handling the incoming
interrupts that could not be taken care of by Cvm. It takes two parameters:
The exception cause eca, which encodes the occurred interrupts, and the
exception data edata, which contains the trap number, if a trap has occurred.
Figure 2.4 shows the implementation of the function dispatcher kernel of our
microkernel.
The function is characterized by a number of case distinctions. We dis-
tinguish:
Initialization. After power-up, the processor generates a reset interrupt.
In this case, the Cvm framework sets up its internal data structures
and then passes the interrupt on to the dispatcher kernel function.
If called with the reset-interrupt bit set, dispatcher kernel calls the
function vamos init, which initializes the data structures of Vamos.
Process Exceptions. The current process may cause a number of excep-
tions during its execution. From the kernel’s perspective, there are
2.5. Vamos Microkernel: Design and Implementation 55
procedures dispatcher kernel (eca, edata | res nat) =
IFg ( ′eca ∧u 1) 6= 0 THEN
′dummy i :== CALLg vamos init()
ELSE
′old cup :==g ′current process;
IFg ( ′eca ∧u UEXCEPT MASK) 6= 0 THEN
′dummy i :== CALLg process kill(HANDLE SELF)
ELSE
IFg ( ′eca ∧u EXCEPT TRAP) 6= 0 THEN
′dummy i :== CALLg handle trap( ′edata)
FI
FI;
IFg ( ′eca ∧u DEVICE TIMER BIT) 6= 0 THEN
′dummy i :== CALLg handle timer( ′old cup)
FI;
IFg ( ′eca ∧u UEXT INT MASK) 6= 0 THEN
′dummy i :== CALLg int delivery( ′eca)
FI
FI;
IFg ′current process 6= Null THEN
′res nat :==g ′current process → ′pid
ELSE
′res nat :==g 0
FI
Figure 2.4: The kernel-dispatcher function of Vamos
56 2. Background
only two alternatives: a fatal exception like an illegal page fault or a
trap. In the former case, there is no reasonable recover procedure, and
thus, the process is simply killed by Vamos. The semantics of a fatal
exception is exactly the same as if the process had requested to be
killed via the kernel call process kill. Hence, we reuse the function
process kill. In case of a trap, the function handle trap is called. This
function is essentially a huge case distinction over trap numbers.
Timer Interrupt. Independently from the process exceptions, we check
for the timer interrupt, which is passed on to the function handle
timer. This function implements the scheduler.
Device Interrupts. If external devices have raised interrupts, the function
int delivery is invoked in order to disable the interrupts and then either
immediately deliver the interrupts, if the corresponding device-driver
processes are waiting, or buffer the interrupts for later delivery.
The function dispatcher kernel determines its return value using the
global variable current process. If there is no current process, the pointer is
Null and we return 0 (meaning “wait for interrupts”). Otherwise, we retrieve
the process number of the current process from heap function pid. Once, the
function dispatcher kernel returns, the Cvm framework transfers the CPU
to the process identified by the return value.
Chapter 3
The Abstract System Layer
Contents
3.1 The Overall System - A Bird’s Eye View . . . . 57
3.2 Abstract Types . . . . . . . . . . . . . . . . . . . . 59
3.3 The Vamp Assembly Process Model . . . . . . . 61
3.1 The Overall System - A Bird’s Eye View
The abstract layer describes our system: on top of the Vamp processor runs
the Vamos kernel and communicates with external devices.
As Figure 3.1 depicts, we use a number of communicating automata for
the specification. Automaton AV+D encapsulates the overall system and
consolidates the device automaton AD and the Vamos automaton AV.
The former was already introduced in Section 2.3 and describes the be-
havior of the external devices like the keyboard, the timer or the network
card. The devices may interact by an external interface with the environ-
ment in order to receive keystrokes, for example, or network packages. The
alphabets SvD and WD define this interface, which is adopted by the overall
system (alphabets SvV+D and WV+D).
The interface with the alphabets SvV (from the device subsystem to the
processor) and WV (from the processor to the devices) connects the devices
AD AV
AV+D
SvV
WV
SvD
WD
SvV+D
WV+D
Figure 3.1: The input/output automata of the abstract system layer and
their relationship
57
58 3. The Abstract System Layer
with the Vamos automaton. Our kernel uses memory-mapped I/O for de-
vice communication. Hence, the output alphabet WV comprises read and
write accesses to device addresses, whereas the input alphabet SvV consists
of interrupt lines and optionally incoming data.
Subsequently, we focus on AV and use it, together with AD, to assemble
AV+D.
We specify Vamos running on the Vamp by AV = (SV, S0V, SvV, WV, wV,
dV) with the state space SV, the set of initial states S0V ⊂ SV, the input
alphabet SvV, the output alphabet WV, the output function wV, and the
transition function dV. Likewise, we define AV+D.
The states SV+D of the overall system are pairs of a Vamos state sV ∈
SV and a device-system state sD ∈ SD.
The input alphabet SvV+D is used to determine the subsystem which
takes the next step. It extends SvD (indicating a device step) by the value ⊥
for a processor step. The output alphabets are the same, i. e., WV+D = WD.
Note that the output of the device subsystem depends on the transition,
i. e., dDint returns a tupel (sD, w) of a successor state sD and an output w .
Consequently, there is no separate output function for AV+D.
Transitions dV+D of the overall system inspect the input i and distinguish
three cases:
1. An external device transition is performed, if the input i ∈ SvV+D
contains an input for the device subsystem. The Vamos state remains
constant in this case.
2. A local kernel transition is performed, if the input is ⊥ and the Vamos
output wV sV = idleWV. Formally, this transition is performed by dV
without any device input.
3. A kernel-device transition is performed, if it is the processor’s turn
(overall input ⊥) and the kernel requests a device communication, i. e.,
wV sV = readWV device port count or wV sV = writeWV device port data.
In this case, dV+D passes the Vamos output with the transition func-
tion dDint to the device subsystem. In response, the device subsystem
delivers an output which contains the read data, if requested. Using
this data, dV+D finally performs the Vamos transition dV.
In the context of this thesis, we do not consider any autonomous device
transitions but only those which are triggered by the kernel. Accordingly,
the external input to the transition function dV+D is set to ⊥. The linchpin
of both, local kernel and kernel-device transitions, is the Vamos kernel.
Before we give its formal specification, we first introduce some basic types
used in the specification and introduce the model for user processes.
The complete formalization is available from the public Verisoft Repos-
itory [78] and directory verification/spec/vamos/ contains the theory
files related to the Vamos kernel.
3.2. Abstract Types 59
3.2 Abstract Types
While specifying the Vamos kernel, we make use of the advanced type sys-
tem in Isabelle/HOL.
So-called type synonyms allow new names for an existing construction
which mainly increases the readability of the theories. Furthermore, Isabelle
insists that all terms and formulae must be well-typed. Thus, defining new
types and datatypes prevents us, amongst others, from writing nonsense.
Hence, we avoid by construction any type mismatches within the specifica-
tion.
Process Numbers, Priorities, Devices and Ports. The easiest way
to introduce new types is the type definition, where any non-empty subset
of an existing type is turned into a new one. Vamos distinguishes between
PID MAX user processes classified into PRIOCNT different priority levels.
Device communication is limited to DEV COUNT devices which are identi-
fied by device numbers. The sets of process numbers and priorities as well as
the set of device numbers are subsets of the natural numbers. Consequently,
the corresponding types define three non-empty subsets of type nat.
As already introduced in Section 2.4.1, process identifiers are of type
procnumT. Type prioT = {0..<PRIOCNT} subsumes the priorities and de-
vnumT = {1..DEV COUNT} defines the type of device numbers. Device
interrupts are closely related to the devices and represented as set of de-
vice numbers. Formally, device interrupts are represented by the type intsT.
Each device is equipped with PORT COUNT ports represented by the type
portT = {0..<PORT COUNT}.
IPC Rights. In the context of IPC rights, we rather want to talk on
a more abstract and intuitive level. For this reason, Isabelle provides the
possibility to define datatypes. With it, an individual right is represented
by the datatype rightT with the constructors:
• v requestR – the right to send, but with the duty to immediately
wait for the response of the receiver,
• v sendR – the right to send to a process without waiting for the
response,
• v multipleR – the right to perform multiple IPC operations, and
• v finiteR – the right to perform IPC operations with finite timeout
As rights usually come in sets, type rightsT is used as synonym for rightT
set.
60 3. The Abstract System Layer
Memory Objects. Besides the transfer of rights, IPC also provides the
possibility to send and receive data in form of memory objects. A memory
object specifies a memory region in the virtual memory of a process, starting
at a certain address and ranging over a certain length. Both parameters,
the start address as well as the length of the memory object are specified by
the process and might be erroneous.
The datatype memobjT represents a memory object and also reflects the
possible errors:
• MObjUndefined – either the start address or the length are not
word-aligned,
• MObjUnavailable – the specified memory region is not available in
the memory of the process, and
• MObjSeq s – the content of the memory region as sequence s of
integers
The first two constructors imply errors due to the specified values for the
start address and the length. The former indicates mis-alignment whereas
the second one indicates that the memory region is not completely located
in the virtual memory of the process. A well-defined memory object gives
the memory content as a sequence of integers. The start address as well as
the length are not of interest any longer and are abstracted away. For a
well-defined memory object, the accessor mObjSeq returns the sequence s of
integers, i. e., mObjSeq (MObjSeq s) = s.
A memory object acting as buffer of an IPC receive operation, for in-
stance, is defined in a similar way. For a well-defined memory object, we
are not interested in its content but in its length. Consequently, datatype
bufferT consists of the following constructors:
• BufUndefined – either the start address or the length are not word-
aligned,
• BufUnavailable – the specified memory region is not available in
the memory of the process, and
• BufLength len – the length len of the actual buffer
As before, the accessor bufLength returns the length len of a well-defined
buffer, i. e., bufLength (BufLength len) = len
Kernel Notifications. If a process explicitly wants to receive any kernel
notifications, it has to specify the type of notifications. Notifications are rep-
resented by the datatype kinfoT which currently comprises only constructor
StolenHandles.
3.3. The Vamp Assembly Process Model 61
IPC Timeouts. Timeouts are represented by the existing type, natural
numbers with infinity. Hence, the datatype timeoutT comes with two con-
structors: Fin n, for finite timeout values, and ∞ for infinity For abstract
timeouts, we defined the operation +=, in order to increment a timeout by
a natural number.
Process Handles. Process handles are integers but represented by the
type handleT.
3.3 The Vamp Assembly Process Model
Our formalization is based on the observation that Vamos interacts with
processes only via a well-defined interface, which is the kernel ABI. Hence,
we can encapsulate processes in a self-contained input-output automaton,
thereby hiding the internal state and exposing only the interface. The tailor-
made model for Vamp assembly processes defines an input-output automa-
ton represented by the tupel:
Aproc = (Sproc, initproc, Σvproc, Ωproc, ωproc, sizeproc, δproc)
As state space Sproc for the assembly processes, we reuse the one of the
Vamp assembly semantics (cf. Section 2.2.2). Similarily, we chose function
sizeproc to be sizeasm, in order to determine the current memory assumption
of a process. More elaborate are the definitions of the other components
which we present below. The complete formalization can be found in the
theory file vamosAsmProc.thy.
Note that the Vamp assembly process model which has been defined in
this work, is an instance of a generic process model which goes back to Daum
and which is described in more detail in [25, 26]. From the kernel perspective,
the Vamp assembly process model is rather a matter of taste than necessity
because only assembly processes are involved in the interaction with the
kernel. However, the Vamos model serves as basis for more abstract models,
which indeed rely on this generic framework, as described in [28].
The Vamp assembly process model also satisfies certain well-formedness
constraints. Thus, the processes fulfill the requirements encapsulated in
predicate is valid cvmup. Daum [25] showed that these constraints are pre-
served by process transitions under valid inputs. We do not dwell on this
here, but refer to Section 5.2 which describes the implementation invariant.
The latter plays an essential role regarding the functional verification of the
Vamos kernel and (among other things) takes up the requirements on the
Vamp assembly processes in this context.
62 3. The Abstract System Layer
3.3.1 Process Initialization
The function initproc initializes an assembly machine with a memory image
img and supplies the machine with pgs memory pages:
initproc img pgs ≡
(|dpc = 0, pcp = 4, gprs = replicate 32 0,
sprs = replicate 32 0[SPR PTL := to int32 pgs − 1, SPR MODE := 1],
mm = λad . if ad < length img then img ! ad else 0|)
In principle, we adopt the initialization of the virtual assembly processes
as described by function init cvmup in Section 2.4.1. However, the func-
tion initproc initializes a virtual assembly machine in the sense that it starts
executing. Thus, the program counters dpc and pcp of the delayed branch
mechanism are set to the first addresses, i. e., 0 and 4. Furthermore, starting
at address 0, the memory is filled with the image img which is given as a
sequence of integers. Memory cells with addresses greater than the length
of img are initialized with zeros. In addition, the machine is provided with
pgs memory pages. Accordingly, the page table has length pgs − 1. The
remaining components are initialized as before. Setting register SPR MODE
to 1 implies that the machine runs in user mode. The remaining special and
general purpose registers are filled with zeros.
After the initialization, the process starts its execution with the instruc-
tion at address dpc (= 0), i. e., the instruction at the beginning of the mem-
ory image.
3.3.2 Process Interface
Output alphabet Wproc enumerates all possible kernel calls, a few error con-
ditions, and the output eW denoting the intention to perform a process-local
computation.
In contrast, the input alphabet Svproc contains all responses to kernel calls
and error conditions, as well as the input eSv for a process-local transition.
Formally, Wproc is defined as a datatype with the following constructors:
• Kernel Calls:
– set privileges hn – Privilege process (identified by handle) hn.
– process create tsl prio img pgs – Create a new process of pri-
ority prio and with timeslice tsl . The process should be assigned
with pgs virtual memory pages holding the initial memory image
img .
– process clone hn – Clone process hn
– process kill hn – Kill process hn
– memory add hn pgs – Provide process hn with pgs additional
memory pages
3.3. The Vamp Assembly Process Model 63
– memory free hn pgs – Release pgs pages in the virtual memory
of process hn
– chg sched params hn tsl prio – Change the scheduling param-
eters of process hn: the timeslice should be set to tsl , the priority
to prio
– change driver hn devs register – Register (if register = True)
or deregister process hn as driver for the set devs of devices
– enable interrupts devs – Re-enable the interrupts of the de-
vices devs
– dev read dev port buffer – Read from port port of device dev
and store the content in the memory buffer buffer of the calling
process
– dev write dev port msg – Write the memory object msg to the
port port of device dev
– ipc send hnrcv rightssnd msg hnadd rightsadd timeout snd – Send
a memory object msg together with the rights rightssnd to the
sender to process hnrcv. Furthermore, there is the opportunity
to send an additional handle hnadd which can be provided with
the rights rightsadd. The timeout of this operation is given by
timeout snd.
– ipc receive hnsnd buffer timout rcv – Receive a message from
process hnsnd and store it in the memory buffer buffer within the
next timout rcv clock ticks
– ipc send receive hnrcv rightssnd msg hnadd rightsadd timeout snd
buffer timeout rcv – Send to and receive immediately afterwards
from process hnrcv.
– change rights hnsubj hnobj grant rights – Grant (if grant =
True) or revoke the rights rights to process hnobj of process hnsubj
– read kernel info type – request kernel notifications of type
type
• Error conditions:
– undefined trap – the current instruction is a trap instruction
but specifies a wrong trap number
– runtime error – the current instruction causes a runtime error,
like an illegal page fault
• Process-local Transition:
– proc no output– the current instruction causes no exception,
i. e., a process-local transition is accomplished
64 3. The Abstract System Layer
Process inputs either comprise (a) kernel responses to previous kernel
calls, (b) kernel commands in order to manipulate the process state, or
(c) empty messages intending a process-local transition. Accordingly, the
input alphabet Svproc contains the following constructors:
• Responses to successful kernel calls:
– success – response to a successful operation
– succ dev read data – response to a successful read operation
where data contains the data from the device
– succ receive hnsnd reused snd rightssnd msg hnadd reusedadd
rightsadd stolen infy to devs – response to a successful receive op-
eration in the context of either an ipc receive or ipc request
call. The process handle hnsnd points to the sender and is reused
for the sender iff reused snd = True. Currently, the receiver as-
sociates the rights rightssnd with process hnsnd. The sender sent
the sequence msg of words and the additional handle hnadd. The
handle is reused iff reusedadd = True. The receiver associates the
rights rightsadd with process hnadd. The remaining three param-
eters subsume the kernel notifications: stolen is set iff there are
stolen handles in the receiver’s handle database, infy to is active
iff the sender performs an ipc request and waits with inifinite
timeout for the response, and the set devs collects all occurred
device interrupts handled by the receiver.
– succ new process hn – response to a successful process cre-
ation. The new process can be identified by handle hn
– succ kinfo staleh hns – response to requested kernel notifica-
tions with the set hns of stolen handles
• Responses to unsuccessful kernel calls:
– err out of mem – the request to create or clone a process failed
due to insufficient memory resources
– err out of pids – the request to create or clone a process failed
because the maximum number of processes is reached
– err process not ready – the request to change the memory
amount of a process failed because the specified process is not
ready for this
– err unprivileged – the desired operation failed due to lacking
privileges or insufficient IPC rights
– err invalid args – the arguments specified with the call are
invalid
3.3. The Vamp Assembly Process Model 65
– err int already handled – changing the registration of a dri-
ver failed because the specified interrupts are already handled
– err invalid handle – the specified handle is not valid in the
context of the caller
– err invalid subj handle /err invalid obj handle /
err snd invalid handle /err rcv invalid handle – some
kernel calls take more than one handle. In this case we distinguish
the invalid handle by a more detailed error code.
– err snd timeout /err rcv timeout – the timeout for the de-
sired IPC operation expired
– err snd buffer ovfl – the sending of a message failed because
the message was to large to fit into the receive buffer
– err snd segv /err rcv segv – the specified message or buffer
is not accessible in the memory
• Kernel Commands:
– add memory pgs – increase the memory amount by pgs pages
– free memory pgs – decrease the memory amount by pgs pages
• Process-Local Computation:
– proc no output – perform a process-local step
Later on in the Vamos model, we use predicate is error, in order to
determine errors during the execution of kernel calls. It only applies for the
error responses and delivers False for all other components of the alphabet
Svproc.
3.3.3 Output Functions
The output functions permit Vamos a limited and indirect access to the
state of an assembler machine sproc.
Memory Consumption. Vamos applies the function sizeproc, in order to
determine the current memory amount. As we only consider Vamp assembly
processes, we adopt function sizeasm, i. e., sizeproc = sizeasm.
User-Generated Outputs. While sizeproc can be considered as rather
passive, function wproc delivers the active process output to the kernel. It
relies on exceptions, i. e., user-generated interrupts. Only two kinds of user-
generated interrupts are passed on to the kernel: runtime-errors and traps.
Both may arise while executing the current instruction. Runtime-errors
subsume errors occuring during the execution of the current instruction,
66 3. The Abstract System Layer
like illegal pagefaults. In most cases, they are traceable to erroneous pro-
gramming and the Vamos kernel responds by killing the process causing the
error.
Traps, in turn, constitute a possibility to place a request to the kernel.
A process may trigger a trap exception by means of a trap instruction
defined within the Vamp assembly semantics. Together with the associated
immediate constant imm, traps are mapped to Vamos calls which provide
the intended functionality. Instructions that neither cause runtime-error
nor trap exceptions do not involve the kernel and are executed in the local
context of the process.
In order to determine the different situations, our process model provides
the output function wproc:
ωproc sproc =
(if runtimeError sproc then runtime error
else if ∃imm. current instr sproc = trap imm then trap dispatch sproc else εW)
Runtime errors are signaled by the output runtime error. If the current
instruction denotes a trap instructions, the Vamos kernel is involved and
function trap dispatch determines the corresponding output. In all other
cases, output eW implies that the process operates in its local context.
As the name suggests, trap dispatch considers the current instruction of
sproc and realizes a case distinction over the values of imm.
Due to the fact that Vamos provides 16 different Vamos calls, the formal
definition of trap dispatch is quite substantial. Thus, in this section, we
restrict ourselves to a couple of exemplary excerpts. The complete formal
definition of function trap dispatch is given in Section 8.1.
For a start, we chose the case imm = 6, which is affiliated with the
Vamos call set privileges. According to the ABI, register 11 contains
the handle to the process that should become privileged. Thus, from the
definition of trap dispatch, we can derive the following implication:
current instr sproc = trap 6 =⇒
trap dispatch sproc ≡ set privileged (sproc.gprs ! 11)
The definition is pretty easy for this case and benefits from the fact that
concrete as well as abstract handles are represented by 32-bit integer values.
Things get more elaborate, when more complex types are involved. As an
example, we chose trap 15 which is mapped to theVamos call ipc request:
current instr sproc = trap 15 =⇒
trap dispatch sproc ≡
let hnrcv = sproc.gprs ! 11; rightssnd = sproc.gprs ! 12;
msgad = sproc.gprs ! 13; msglen = sproc.gprs ! 14;
hnadd = sproc.gprs ! 17; rightsadd = sproc.gprs ! 18;
tosnd = sproc.gprs ! 19; bufad = sproc.gprs ! 15;
buflen = sproc.gprs ! 16; torcv = sproc.gprs ! 20
3.3. The Vamp Assembly Process Model 67
in ipc request hnrcv (num2rights rightssnd)
(build memobj sproc (to nat32 msgad) (to nat32 msglen)) hnadd
(num2rights rightsadd) (int2timeout tosnd)
(build buffer sproc (to nat32 bufad) (to nat32 buflen))
(int2timeout torcv)
Not only the sheer number of arguments constitutes the complexity of the
definition, but also the various conversion functions.
As before, the ABI specifies the register locations of the particular argu-
ments. For instance, register 11 contains the handle hnrcv to the receiver and
register 13 specifies the start address msgad of the message. The registers
always deliver 32-bit integer values. This is fine regarding the handles, but
requires conversions with other arguments.
The call ipc request provides the opportunity that the sender grants
rights to the receiver, such that the receiver later on, for instance, is allowed
to send to the sender. These rights are encoded in the value of rightssnd
located in register 12. Based on this value, function num2rights extracts the
respective set of abstract rights:
num2rights r ≡
if r < 0 ∨ 15 < r then ⊥
else b(if r mod 2 = 1 then {v finiteR} else {}) ∪
(if r mod 4 div 2 = 1 then {v multipleR} else {}) ∪
(if r mod 8 div 4 = 1 then {v requestR} else {}) ∪
(if r div 8 = 1 then {v sendR} else {})c
The numerical register value r actually represents a bit vector, whereas
four bits suffice to encode arbitrary sets of rights. The least significant
bit represents the right v finiteR, followed by v multipleR, v requestR and
v sendR. A 4-bit vector can only encode numerical values ranging from 0 to
15. Thus, values r out of this range are considered as invalid and result in
⊥. Otherwise, the various bits can be extracted by ordinary division (div)
and modulo (mod) operations.
We proceed in the same way with extracting the rights to the (possibly)
additional process from rightsadd.
The memory message is specified by the start address msgad and the
length msglen. Based on these values, function build memobj generates the
corresponding abstract memory object:
build memobj sproc objaddr objlen ≡
if objlen = 0 then MObjSeq [ ]
else if objaddr mod 4 6= 0 ∨ objlen mod 4 6= 0 then MObjUndefined
else if sizeasm sproc ∗ PAGE SIZE ≤ objaddr + objlen then MObjUnavailable
else MObjSeq (mem part access sproc.mm objaddr objlen)
For a start address objaddr and a length objlen, it returns an empty memory
object, i. e., MObjSeq [ ], if objlen = 0. The memory object is undefined, if
objaddr or objlen are not word-aligned. If the last address (objaddr + objlen)
68 3. The Abstract System Layer
of the memory object is not available in the virtual memory, the object is
considered as unavailable. A valid memory object contains a sequence of
32-bit integers of length objlen starting from address objaddr. The sequence
is obtained by function mem part access.
It is almost the same with the receive buffer starting at addresss bufad
and with length buflen. The function build buffer generates an abstract
buffer, where objaddr denotes the start address and objlen the buffer length:
build buffer sproc objaddr objlen ≡
if objlen = 0 then BufLength 0
else if objaddr mod 4 6= 0 ∨ objlen mod 4 6= 0 then BufUndefined
else if sizeasm sproc ∗ PAGE SIZE ≤ objaddr + objlen then BufUnavailable
else BufLength (objlen div 4)
In case that objlen = 0, the resulting buffer has also length 0. The buffer is
undefined, if either the start address or the length is not word-aligned. If
the specified memory region is defined and available, the buffer is of length
objlen div 4. The division by 4 is due to the fact, that users specify the
length of a memory region in bytes whereas the kernel uses words.
Converting the specified timeout values tosnd and torcv is straightforward,
as the definition of int2timeout suggests:
int2timeout r ≡ if r < 0 then ∞ else Fin (nat r)
For negative values r it returns ∞. Positive values are first converted to
natural numbers before the result Fin (nat r) is returned.
There are other conversion functions used in the context of wasm. In this
document, however, we only mention them and give a short description but
leave out their exact formal definitions and refer to the according theory file
in Isabelle/HOL instead.
The function reg2prio converts integer numbers n into abstract priorities.
It delivers ⊥, if n cannot be mapped to any value of prioT. Otherwise,
reg2prio returns the corresponding abstract priority. It is used with the calls
process create and chg sched params.
Regarding the device communication, wproc applies the conversion func-
tions reg2devnum and reg2port, both converting integer numbers to abstract
device and port numbers, respectively. In addition, function reg2ints ex-
tracts a set of device interrupts out of an integer number.
Finally, we present a special case of wproc, namely, if the immediate
constant imm specifies an undefined trap number. We use predicate unde-
fined trapnr to determine this situation and the according output is unde-
fined trap:
[[current instr sproc = trap i; undefined trapnr i]]
=⇒ trap dispatch sproc = undefined trap
3.3. The Vamp Assembly Process Model 69
3.3.4 Process Transitions
The function dproc defines the transition of a Vamp assembly process au-
tomaton. As input, it takes the current state sproc and an input i from the
kernel. Finally, dproc acts as wrapper for function dasm, while taking the ker-
nel input i into account. The kernel input follows the input alphabet Svproc
and provides the basis for the particular case distinctions. As with function
wproc, the definition of dproc is pretty substantial. For this purpose, we limit
ourselves again to exemplary excerpts.
The easiest case treats the input eSv from the kernel. It implies that
the process has not initiated a kernel request before and that the execution
of the current instruction happens in the local context of the process. The
definition of dproc handles this case by a simple call of the assembly transition
function dasm:
δproc εSv sproc ≡ δasm sproc
Vamos uses kernel commands to enforce changes on the process state.
Commands are only used in the context of the memory management and
allow the increasing or demand the decreasing of the memory amount. Both
actions are encapsulated as commands, because they might be triggered by
other processes.
Increasing the memory amount of a process is based on the kernel input
add memory and the provided number pgs of pages:
δproc (add memory pgs) sproc ≡ sproc
(|sprs := sproc.sprs[SPR PTL := sproc.sprs ! SPR PTL + to int32 pgs],
mm := λi . if sizeasm sproc ∗ 1024 ≤ i < (sizeasm sproc + pgs) ∗ 1024 then 0
else sproc.mm i |)
Due to the additional memory pages, the page table length is incremented
by pgs and again stored in register SPR PTL. Furthermore, the additional
memory region is initialized with zeros. Note that function sizeasm returns
the size of the memory of process sproc in pages of 1024 words.
Releasing memory pages only involves the decreasing of the page table
length. Again, the number pgs of pages is included in the input message
free memory:
δproc (free memory pgs) sproc ≡ sproc
(|sprs := sproc.sprs
[SPR PTL :=
if sproc.sprs ! SPR PTL < to int32 pgs then −1
else sproc.sprs ! SPR PTL − to int32 pgs]|)
If the number of released pages is greater than the actual number of occupied
pages, the page table length is set to −1. Otherwise, the length is decreased
by pgs.
70 3. The Abstract System Layer
The remaining kernel inputs can all be traced back to previous kernel
requests. Thus, the process has initiated a kernel request by means of a trap
instruction, the kernel has handled this trap and now returns its results by
means of input i to the process. Independent from the result of the kernel
computation, the trap instruction is executed in the context of dasm. The
semantics of trap is the incrementation of the program counters as the
following statement suggests:
current instr sproc = trap i =⇒ δasm sproc ≡ incPcs sproc
with
incPcs sproc = sproc(|dpc := sproc.pcp, pcp := (sproc.pcp + 4) mod 232|)
In addition to that, dproc also writes result registers and data into the
process’s virtual memory.
Minor effort is involved with error responses or ‘simple’ success messages.
The former arise, for instance, if the kernel’s memory amount does not
suffice to create a new process. The kernel acknowledges this situation with
err out of mem and dproc updates the process state as follows:
δproc err out of mem sproc ≡ incPcs sproc(|gprs := sproc.gprs[22 := −2]|)
Register 22 denotes the standard result register and is set to value −2, the
respective integer value to error code err out of mem. Other error codes
are of course associated with different integer values.
The kernel message succ new process signals a successful process
creation and is accompanied with the handle hnnew to the new process. The
latter is written into the result register, such that from now on the process
can use this handle to communicate with its child:
δproc (succ new process hnnew) sproc ≡
incPcs (sproc(|gprs := sproc.gprs[22 := hnnew]|))
Things get more elaborate, when one result register does not suffice or
when abstract values have to be converted into register values. As examples,
we consult the impact of responses to successful dev read and ipc receive
calls.
In the former case, the response succ dev read also comprises device
data is represented as a sequence of 32-bit integers. Depending on a single
or burst read, the device data needs to be written into a register or the
process’s memory:
δproc (succ dev read is) sproc ≡
let readsingle = instr mem read sproc.mm sproc.dpc = trap 19;
ssingle = sproc(|gprs := sproc.gprs[13 := hd is]|);
bufaddr = to nat32 (sproc.gprs ! 13);
sblock = sproc(|mm := mem part update sproc.mm bufaddr is|)
in if readsingle then incPcs (ssingle(|gprs := ssingle.gprs[22 := 0]|))
else incPcs (sblock(|gprs := sblock.gprs[22 := 0]|))
3.3. The Vamp Assembly Process Model 71
The distinction between single and burst reads relies on the trap number.
Instruction trap 19 implies a single read, trap 13 a burst read operation.
In the former case, only the first word of the data sequence is is written into
register 13.
While performing a burst read, register 13 contains the start address
bufaddr of the buffer, the device data should be stored in. As the operation
was acknowledged with a succ dev read message, it is ensured that the
device data fits into the specified buffer. The actual data transfer is done by
means of mem part update which simply takes the sequence is and writes it
into the virtual memory, starting at address bufaddr. In both cases, register
22 finally contains the value 0 (meaning “success”) and the program counters
are increased.
Even more complex is the impact of the response succ receive to an
ipc receive call. It contains the message and handles as well as the rights
to the sender and (possibly) to an additional process:
δproc (succ receive rhnsnd reusedsnd rrightssnd msgrcv rhnadd reusedadd rrightsadd
stolen toinf ty irqs)
sproc ≡
let bufaddr = to nat32 (sproc.gprs ! 15); rightssnd = rights2num rrightssnd;
rightsadd =
if rhnadd = HN NONE then sproc.gprs ! 18 else rights2num rrightsadd;
res = combine notifications reusedsnd reusedadd stolen toinf ty irqs
in incPcs
(sproc
(|mm := mem part update sproc.mm bufaddr msgrcv,
gprs := sproc.gprs
[11 := rhnsnd, 12 := rightssnd, 16 := to int32 (length msgrcv ∗ 4),
17 := rhnadd, 18 := rightsadd, 22 := res]|))
The message msgrcv is given as a sequence of integers and copied, by
means of function mem part update, into the memory of the process starting
at the specified address bufaddr in register 15. The length of the sequence
is written into register 16. Remember that users measure the length in
bytes whereas the kernel uses words. Thus, we multiply the length with
4. Registers 11 and 17 finally contain the handles rhnsnd and rhnadd to
the sender and to an additional process, respectively. Besides the process
handles, the receiver obtains rights. Set rrightssnd contains the rights to the
sender and rrightsadd specifies the rights to the additional process. Function
rights2num converts these abstract set representations into the corresponding
numerical ones:
rights2num rights ≡
(if v finiteR ∈ rights then 1 else 0) +
(if v multipleR ∈ rights then 2 else 0) +
(if v requestR ∈ rights then 4 else 0) +
(if v sendR ∈ rights then 8 else 0)
72 3. The Abstract System Layer
For a well-defined set of rights rights, it determines the active rights and
sums up the associated numerical values. In our case, the results are buffered
in rightssnd and rightsadd and finally stored in registers 12 and 18. However, if
no additional process was specified, i. e., rhnadd = HN NONE, rightsadd is set
to the value of register 18, i. e., in this case the register remains unchanged.
Finally, the function combine notifications takes all kinds of kernel noti-
fications and generates a result value res which is stored in register 22:
combine notifications reusedsnd reusedadd stolen toinf ty irqs ≡
(if reusedsnd then 1 else 0) + (if reusedadd then 2 else 0) +
(if toinf ty then 4 else 0) +
(if stolen then 8 else 0) +
(
∑
i∈irqs. 2dev2nat i )
Chapter 4
The Vamos Model
Contents
4.1 The Vamos State Space . . . . . . . . . . . . . . . 73
4.2 The Output Function . . . . . . . . . . . . . . . . 81
4.3 The Transition Function . . . . . . . . . . . . . . 82
4.4 Vamos Trap Handler . . . . . . . . . . . . . . . . 82
4.5 Vamos Scheduler . . . . . . . . . . . . . . . . . . . 128
4.6 Vamos Interrupt Delivery . . . . . . . . . . . . . 131
This chapter deals with the details of the Vamos automaton describing
the Vamos kernel and the user processes running on it. The devices are not
included but associated by a communication interface.
As already introduced, the tupel AV describes the Vamos automaton:
AV = (SV, S0V, SvV, WV, wV, dV)
Subsequently, we give a precise description of the particular components
starting with the Vamos state space SV. We continue with the communi-
cation between the kernel and the devices which is based on the interface
established by the alphabets SvV and WV and the output function wV. The
chapter concludes with the transition function dV processing possible input
from the devices and defining the interaction with the user processes.
4.1 The Vamos State Space
The Vamos state space SV represents the abstract counterpart of the Vamos
implementation state, which was introduced in Section 2.5.2. For efficiency
reasons, the latter maintains partly redundant datastructures. On the ab-
stract level, we avoid these redundancies and reduce SV to the essential.
Formally, a record describes the Vamos state space and a state sV ∈ SV
comprises the following components:
73
74 4. The Vamos Model
• the mapping of virtual assembly machines sV.procs of the user pro-
cesses,
• the priority database sV.priodb,
• the scheduling datastructures sV.schedds,
• the datastructures sV.rightsdb containing information for the IPC rights
management and the set of privileged processes,
• the send status database sV.sndstatdb, and
• the datastructures sV.devds containing data for the device communi-
cation.
More details on the particular components present the following para-
graphs. Afterwards we present the initial states represented by S0V ⊂ SV.
4.1.1 Virtual User Machines
Regarding the user machines, the Vamos model uses the same level of ab-
straction as the implementation: virtual assembly machines. Vamos em-
ploys unique process numbers of type procnumT to identify the user pro-
cesses. Accordingly, component sV.procs realizes a partial mapping between
process numbers and virtual assembly machines:
sV.procs ∈ procnumT⇀Sasm
The model only maintains the machines of active processes. Entries for
inactive processes are set to ⊥.
Apart from actually representing the virtual user machines, the state
component sV.procs also implicitly carries system-relevant information. Thus,
based on sV.procs, Vamos determines free resources regarding new processes
and memory.
Availability of Processes. New processes are taken out of the set of
inactive ones. As a consequence, the existence of inactive processes is a
main prerequisite regarding the process creation. Based on the observa-
tion that entries in sV.procs for inactive processes are set to ⊥, predicate
procs available checks for available virtual machines that can be assigned to
a new process:
procs available sV.procs ≡ ∃p. sV.procs p = ⊥
4.1. The Vamos State Space 75
Availability of Memory. Another prerequisite concerns the availability
of memory. Function total mem computes the current memory consumption
of Vamos, i. e., the memory amount of all active processes. Based on the
output function sizeproc for user processes, it sums up the memory amounts
of the active processes:
total mem sV.procs ≡
list sum (map (λx . case sV.procs x of ⊥ ⇒ 0 | bpc ⇒ sizeproc p) [1..<PID MAX])
The total virtual memory amount of the Vamos kernel is restricted to
TVM MAXPAGES pages. Thus, if a new process should be equipped with n
pages, the predicate mem available has to hold:
mem available sV.procs n ≡ total mem sV.procs + n < TVM MAXPAGES
It determines the overall memory amount and checks whether this value to-
gether with the additional n pages does exceed the limit of TVM MAXPAGES
pages.
4.1.2 Priorities
Similar to the implementation, the model also supports three different pri-
ority levels. Priority values are of type prioT and the mapping sV.priodb
assigns such values to the particular processes:
sV.priodb ∈ procnumT⇀prioT
Again, process numbers are used to distinguish between the different pro-
cesses and entries for inactive ones are set to ⊥.
4.1.3 Scheduling Data Structures
The component sV.schedds represents the scheduling data structures. De-
fined as record of type scheddsT they provide global as well as process-specific
scheduling data:
• the current time sV.schedds.time ∈ N,
• the ready queues sV.schedds.ready∈ prioT⇀procnumT∗,
• the wait queue sV.schedds.wait ∈ procnumT∗
• the inactive queue sV.schedds.inactive ∈ procnumT∗, and
• the process-specific scheduling information
sV.schedds.procdb ∈ procnumT⇀procdbT.
76 4. The Vamos Model
The current time sV.schedds.time is a counter for clock ticks, i. e., inter-
rupts from the external timer device. To realize the scheduling, the Vamos
scheduler maintains different queues. They are represented as finite se-
quences of process numbers in the Vamos specification. There is a ready
queue sV.schedds.ready prio of schedulable processes for each priority prio.
Additionally, all processes currently not ready to be scheduled (because
they are waiting for an IPC partner) are held in the queue sV.schedds.wait.
Inactive ones are stored in sV.schedds.inactive which, at the same time, de-
termines the order of the reuse of the process numbers.
Only active processes participate in the scheduling mechanism. The rel-
evant information is collected in a record of type procdbT with the following
components:
• the timeslice tsl ∈ N,
• the amount of consumed time ctsl ∈ N, and
• the absolute timeout timeout ∈ timeoutT.
If a process is found to be computing when a timer interrupt raises, the
component ctsl is increased until the process has finally run for tsl ticks. In
this case, another process is scheduled. If a process calls the kernel for IPC
and no partner is ready for communication, the absolute timeout timeout
is computed from the current time and the relative timeout that has been
specified with the call. Timeouts are defined as natural numbers with infinity
which are represented by type timeoutT.
As usual, the mapping is not defined for inactive processes.
Current Process. In Vamos, the current process is the first process in
the highest, non-empty ready queue. If all ready queues are empty, the
current process is undefined. Or more technically, we concatenate the ready
queues from the highest to the lowest and specify the first process in this
list as current:
v cup schedds ≡
case concat (map schedds.ready [high prio, med prio, low prio]) of [ ] ⇒ ⊥
| x · xs ⇒ bxc
While specifying the Vamos kernel we often have to wake up or put
processes to sleep. Both actions only concern the scheduling datastructures
and are encapsulated in dedicated functions.
Waking Up Processes. Usually, a waiting process x is part of the wait
queue sV.schedds.wait. After waking up, however, x is no longer located in
this queue but appended to the ready queue of its priority. In addition,
x gets back its full timeslice again, i. e., the consumed time is reset to 0.
4.1. The Vamos State Space 77
All these actions are combined in function v wkp updt schedds; it provides
the possibility to wake up several processes simultaneously. Candidates are
given as a list wkp which also defines the order of reintegration into the ready
queues. In order to determine the process priorities the function takes the
priority database priodb and updates the scheduling datastructures schedds:
v wkp updt schedds schedds wkp priodb ≡ schedds
(|ready := λp. schedds.ready p @ [x∈wkp . dpriodb xe = p],
wait := [x∈schedds.wait . ¬ x mem wkp],
procdb := λx . if x ∈ set wkp then bdschedds.procdb xe(|ctsl := 0|)c
else schedds.procdb x |)
Putting Processes To Sleep. Putting processes to sleep is provided by
the function v ipc wait updt schedds. It is mainly used in the context of
IPC, where processes are often forced to wait for an IPC partner. If a process
pwait of priority priowait has to wait, it is removed from the corresponding
ready queue and appended to the wait queue. The duration of waiting
depends on the relative timeout value towait which is added to the current
time. The formal definition of these actions is given as follows:
v ipc wait updt schedds schedds pwait priowait towait ≡ schedds
(|ready := schedds.ready(priowait := [x∈schedds.ready priowait . x 6= pwait]),
wait := schedds.wait @ [pwait],
procdb := schedds.procdb(pwait 7→ dschedds.procdb pwaite
(|timeout := towait += schedds.time|))|)
4.1.4 Rights Datastructures
As in the implementation, the abstract rights datastructures are process-
specific and hold information regarding the IPC rights management and the
set of privileged processes:
sV.rightsdb ∈ procnumT⇀rightsdataT
The entries for active processes describe record values of type rightsdataT
with the following components:
• the privileged flag priv ∈ bool,
• the process number parent ∈ procnumT⊥ of the parent,
• the handle database hdb ∈ handleT⇀procnumT,
• the set of stolen handles stolen ∈ handleT set, and
• the rights database rdb ∈ procnumT⊥⇀rightsT.
78 4. The Vamos Model
The privileged flag priv determines whether a process is privileged or not.
Component parent denotes the identifier of the parent. For a process p,
it delivers ⊥, if p is either the initial process (the OS) or a direct child
of the OS, or if the parent has been terminated in the meantime. The
component hdb maintains the mapping between the process-local handles
and the actual process numbers. If a handle is stolen, it is added to the
set stolen. Component rdb finally determines the rights to other processes.
Entry dsV.rightsdb pe.rdb q specifies, for instance, the rights of process p to
a process q. However, if q does not denote a valid process number, i. e., q
= ⊥, the rights database returns ⊥.
Privileged Processes. The privileged flag priv plays a decisive role in
the Vamos specification later on and is therefore encapsulated in predicate
privileged:
privileged sV.rightsdb p ≡ dsV.rightsdb pe.priv
Valid Handles. Predicate valid handle signals a valid handle hn in the
context of process p:
valid handle sV.rightsdb p hn ≡ ∃phn. dsV.rightsdb pe.hdb hn = bphnc
It only holds, if the access to the handle database of process p with handle
hn returns a process number. If hn is invalid, the access results in ⊥.
Converting Handles to Process Numbers. The opposite direction,
i. e., determining the handle hn to process q in the handle database of process
p, defines function to hn:
to hn rightsdb p q ≡ if bqc = drightsdb pe.parent then HN PARENT else int q
If q denotes the process number of p’s parent, handle HN PARENT is re-
turned. Otherwise, to hn realizes the one-to-one mapping between handles
and process numbers.
Known Processes. The model also determines known processes by means
of the handle database hdb. A process q is known by process p iff there exists
a handle hn in the context of p pointing to q. The corresponding predicate
is known is defined as follows:
is known rightsdb p q ≡ ∃hn. drightsdb pe.hdb hn = bqc
4.1.5 Send Status Database
The remaining component of the process state in the implementation defines
the send status database
4.1. The Vamos State Space 79
sV.sndstatdb ∈ procnumT⇀bool
Usually, the membership in one of the scheduling queues determines the
current process status—except for one case: An ipc request call has a
send and a receive phase, which might both require waiting. The send
status database sV.sndstatdb keeps track of the phase.
4.1.6 Device Data Structures
The state component sV.devds encapsulates the device datastructures which
are represented as a record of type devdsT with the following components:
• the driver registry driver ∈ devnumT⇀procnumT,
• the currently enabled device interrupts enabled ∈ intsT, and
• the occured and saved device interrupts saved ∈ intsT.
The driver registry assigns device numbers with the corresponding pro-
cess numbers of the drivers. For instance, if process p acts as driver for
device d, dsV.devds.driver de = p. If no driver is assigned with device d, the
mapping delivers ⊥.
The set of currently enabled interrupts is given by sV.devds.enabled.
It might happen that drivers are not ready to handle arising interrupts,
for instance, when they are currently handling interrupts from other devices.
In order to prevent any interrupt losses, Vamos stores occurred but not yet
handled interrupts in component saved for a later delivery.
4.1.7 Initial Vamos States
The initial Vamos state (i. e., the state describing the system when it
switches to the user mode for the first time after the reset signal) depends
on the code image OS IMAGE for the user-level operating system (OS).
In the implementation, this image is stored at the swap harddisk, which is
abstracted away in the Cvm model. Furthermore, the initial size of the OS-
process memory is configured in the implementation via the macro-constant
OS PAGES. This constant has to be smaller than TVM MAXPAGES, the
maximum virtual memory size supported by Cvm. We represent the OS
image as a list of integers and require that (a) the OS image is not too large
with respect to OS PAGES and (b) all list elements are valid integers with
respect to the 32-bit target Vamp machine. Furthermore, Vamos deter-
mines some constants regarding the OS: The operating system is identified
by process number OS PID and classified in the priority class OS PRIO.
Furthermore, its timeslice is specified with OS TSL.
Based on these observations function initialConf delivers the initial Va-
mos state:
80 4. The Vamos Model
initialConf OS IMAGE OS PAGES ≡
let os procdb = (|tsl = OS TSL, ctsl = 0, timeout = ∞|);
init schedds =
(|time = 0, ready = λpri . if pri = OS PRIO then [OS PID] else [ ],
wait = [ ],
inactive =
[x∈map Abs procnumT (rev [1..<PID MAX]) . x 6= OS PID],
procdb = [OS PID 7→ os procdb]|);
os rightsdb =
(|priv = True, hdb = [HN SELF 7→ OS PID], rdb = empty,
stolen = {}, parent = ⊥|);
init devds = (|driver = empty, enabled = {DEV TIMER}, saved = {}|)
in (|procs = [OS PID 7→ initproc OS IMAGE OS PAGES],
schedds = init schedds, priodb = [OS PID 7→ OS PRIO],
sndstatdb = [OS PID 7→ False],
rightsdb = [OS PID 7→ os rightsdb], devds = init devds|)
The only entry in the partial mapping of procs relates to OS PID. Relying on
the given code image OS IMAGE together with the number OS PAGES,
function initproc (cf. Section 3.3) sets up the initial virtual machine for the
OS.
The component time of the initial scheduling datastructures init schedds
starts counting at 0. As the only running process, the OS is put into the
ready queue of priority OS PRIO. The other ready queues as well as the wait
queue are empty because all remaining processes are classified as inactive
and reside in the queue inactive. The latter orders the processes by their
process numbers where PID MAX denotes the head and 1 the end of the
queue. Certainly, process number OS PID is left out.
The OS-specific scheduling information os procdb pretends that the OS
did not yet consumed any time of its timeslice OS TSL and that there is no
pending timeout denoted by ∞.
Similar to procs, the partial mappings priodb, sndstatdb and rightsdb only
contain a single valid entry, namely, the one for OS PID. While the priority
of the OS is set to OS PRIO, the entry in sndstatdb is initialized with False.
As the initial rights datastructures os rightsdb suggest, the OS runs in
privileged mode. The only valid entry in the handle database hdb describes
the self-reference. The partial mapping of rdb is empty because no other
processes yet exist and, thus, no rights need to be maintained. The set
stolen is empty and component parent is set to ⊥.
Finally, initialConf sets up the initial device datastructures init devds.
The only enabled interrupts are the ones from the timer device (DEV TIMER)
which are handled by Vamos itself. So far, no drivers are assigned to any
devices and no interrupts are saved for later delivery.
4.2. The Output Function 81
4.2 The Output Function
Similar to the process automata, the Vamos automaton AV possesses an
output function wV, in order to generate the kernel’s output to the devices.
As only processes can initiate device interaction by invoking the correspond-
ing Vamos calls, wV reverts to the process outputs. In particular, the output
of the Vamos kernel in state sV depends on the currently running process.
The definition of wV points this out:
ωV sV ≡
case v cup sV.schedds of ⊥ ⇒ idleWV
| bpcpc ⇒ ωproc2devout (ωproc dsV.procs pcpe) sV.devds pcp
A non-existent running process, i. e., v cup sV.schedds = ⊥, cannot activate
any device interaction. Thus, wV returns idleWV.
If a current process pcp exists, Vamos applies function wproc2devout.
For the output outcp of pcp and the device datastructures devds it returns
the according output to the devices:
ωproc2devout outcp devds pcp ≡
case outcp of
dev read devid devport buffer ⇒
if is error (vamos result dev read devds pcp devid devport buffer)
then idleWV else readWV ddevide ddevporte (bufLength buffer)
| dev write devid devport data ⇒
if is error (vamos result dev write devds pcp devid devport data)
then idleWV else writeWV ddevide ddevporte (map to nat32 (mObjSeq data))
| ⇒ idleWV
All process outputs outcp different from dev read and dev write have
no bearing on the devices and thus result in the output idleWV. However,
as the kernel only forwards promising requests, dev read and dev write
do not automatically cause kernel outputs. At first, it must be ensured
that the corresponding kernel call will not result in any error message. For
the dev read call this happens with function vamos result dev read and
function vamos result dev write performs this task for the call dev write.
For the proper definitions of both result functions we refer to the specifica-
tions of the just mentioned Vamos calls (cf. Section 4.4.5). In a nutshell, if
the kernel detects any errors while requesting any device, e. g., pcp is not a
registered driver, the result functions return the corresponding error code.
Any error code satisfies predicate is error and Vamos represses the device
interaction, i. e., the output denotes idleWV. In case that Vamos detects no
errors, function wproc2devout takes the process output outcp and converts it
into output to the devices. An output of type readWV initiates a read request
whereas writeWV is used for writing.
82 4. The Vamos Model
4.3 The Transition Function
The intention of the Vamos kernel is the handling and processing of (a) ex-
ternal device interrupts and data, and (b) user-generated interrupts. All
actions are encapsulated in the transition function dV carrying the Vamos
automaton from one state over into an adjacent one. As the devices are not
part of the Vamos model, function dV gets additional external input. This
input is given as a tuple consisting of a set of interrupts irqs and device data
w . Requests from the user processes can be derived from a Vamos state sV.
Accordingly, the definition of dV looks as follows:
δV (irqs, w) sV ≡
let handle trap =
λs. if v cup s.schedds 6= ⊥ then vamosDispatcher s w else s;
handle timer =
λs. if DEV TIMER ∈ irqs
then vamosScheduler s (v cup sV.schedds) else s;
handle extint =
λs. vamosInterruptDelivery s (irqs − {DEV TIMER})
in handle extint (handle timer (handle trap sV))
Within a transition, the Vamos kernel traverses up to three phases:
1. If the current process pcp = dv cup sV.scheddse is defined, we call the
Vamos trap handler vamosDispatcher. It consults the output wproc
dsV.procs pcpe ∈ Wproc and computes the response according to the
current Vamos state and the (possible) device data w (cf. Section 4.4).
2. If the timer-interrupt line is raised, i. e., DEV TIMER ∈ irqs, the timer-
interrupt handler vamosScheduler is invoked (cf. Section 4.5).
3. Finally, Vamos delivers the occurred interrupts to the according drivers.
The interrupt delivery is defined by function vamosInterruptDelivery
and introduced in Section 4.6.
The upcoming sections introduce the dedicated specification functions
of the particular phases.
4.4 Vamos Trap Handler
The main purpose of the Vamos trap handler is the handling of user-
generated exceptions, like traps or runtime errors. A single run of the kernel
only considers the exceptions of the currently running process pcp. Hence,
the invocation of function vamosDispatcher is bounded to the existence of
pcp. For a Vamos state sV, this process is given by pcp = dv cup sV.scheddse.
Handling traps leads to the invocation of the respective kernel calls which, in
4.4. Vamos Trap Handler 83
turn, might involve device interaction. As described in Section 4.3, the pos-
sible device data is given as input datadev to vamosDispatcher and integrated
into the subsequent operations which update the original state sV:
vamosDispatcher sV datadev ≡
let pcp = dv cup sV.scheddse
in case ωproc dsV.procs pcpe of
process create tsl prio img pgs ⇒
vamos process create sV tsl prio img pgs
| process clone hn ⇒ vamos process clone sV hn
| process kill hn ⇒ vamos process kill sV hn
| chg sched params hn tsl prio ⇒
vamos change sched param sV hn tsl prio
| set privileged hn ⇒ vamos set privileges sV hn
| memory add hn pages ⇒ vamos memory add sV hn pages
| memory free hn pages ⇒ vamos memory free sV hn pages
| change driver hn irqs register ⇒
vamos change driver sV hn irqs register
| enable interrupts irqs ⇒ vamos enable interrupts sV irqs
| dev read devid port buffer ⇒
vamos dev read sV devid port buffer datadev
| dev write devid port data ⇒ vamos dev write sV devid port data
| ipc send hnrcv rightssnd msg hnadd rightsadd tosnd ⇒
vamos ipc send sV hnrcv rightssnd msg hnadd rightsadd tosnd
| ipc receive hnsnd msg torcv ⇒ vamos ipc receive sV hnsnd msg torcv
| ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buffer torcv ⇒
vamos ipc send receive sV hnrcv rightssnd msg hnadd rightsadd
tosnd buffer torcv
| change rights hnsubj hnobj grant rights ⇒
vamos change rights sV hnsubj hnobj grant rights
| read kernel info note ⇒ vamos read kernel info sV note
| undefined trap ⇒ sV
(|procs := sV.procs(pcp 7→ δproc err unprivileged dsV.procs pcpe)|)
| runtime error ⇒ vamos process kill sV HN SELF
| εW ⇒ sV(|procs := sV.procs(pcp 7→ δproc εSv dsV.procs pcpe)|)
Linchpin of the definition of vamosDispatcher is the case distinction over
the output wproc dsV.procs pcpe of the current process. Outputs like pro-
cess create or memory add imply the invocation of Vamos calls. Ac-
cordingly, vamosDispatcher describes the effects by the respective specifi-
cation functions. The output undefined trap implies that the current
instruction of pcp denotes an undefined trap instruction. The acknowledge-
ment of Vamos comprises the error message err unprivileged which is
delivered to pcp by function dproc. Runtime errors are signaled by the output
runtime error and usually serve as indication of malicious programming.
The Vamos kernel handles this kind of error in a pretty rigorous way: It sim-
ply terminates the causing process. In order to describe the effects of this ex-
traordinary process termination, Vamos diverts function vamos process kill
84 4. The Vamos Model
from its intended use, namely describing the effects of the Vamos call pro-
cess kill. The invocation with handle HN SELF, however, intends the
self-destruction of process pcp. More details on that presents Section 4.4.3.
However, not all steps of process pcp involve the kernel. Local transitions
are implied by the output eW and performed by dproc with input eSv.
This section continues with the specifications of the various Vamos calls.
As a matter of clarity, we categorize them into the fields: Access Control,
Memory Management, Process Management, Scheduling Mechanism, Device
Driver Support, and Inter-Process Communication.
4.4.1 Access Control
The minimal access control in Vamos reserves most kernel calls for so-called
privileged processes. Consequently, passing on privileges in itself is subject
to privileged processes. Furthermore, the process pcp can only contract
privileges out to processes which are valid in its context.
Function vamos result set privileges checks for possible violations of these
restrictions by computing the response to the caller pcp:
vamos result set privileges rightsdb pcp hnobj ≡
if ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hnobj then err invalid handle
else success
Whenever the caller pcp is not privileged or the handle hnobj to the object
is not valid, pcp will receive an error message. Otherwise, a success message
is returned. In the success case, the privileged status of the object is ad-
ditionally set active. Formally, function vamos set privileges describes the
according state updates:
vamos set privileges sV hnobj ≡
let pcp = dv cup sV.scheddse; pobj = dsV.rightsdb pcpe.hdb hnobj;
res = vamos result set privileges sV.rightsdb pcp hnobj
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe),
rightsdb := sV.rightsdb(dpobje 7→ dsV.rightsdb dpobjee
(|priv := True|))|)
The calling process pcp is obtained by function v cup and pobj denotes the
process number of the object process. The latter results from the access
to pcp’s handle database with hnobj. As pobj is only relevant in the success
case, this access is valid because hnobj is valid. In all cases, res denotes the
result of the operation and dproc delivers it to pcp. Only if res does not signal
an error, the privilege status of pobj is set to active.
4.4. Vamos Trap Handler 85
Vamos
memory add
OS
ipc request
. . . p . . .
Figure 4.1: Memory Management in the Overall System
4.4.2 Memory Management
The memory management in Vamos is restricted to the in- and decreasing
of the memory amount of particular user processes. The former reflects
the allocation, the latter the releasing of memory pages. For this purpose,
Vamos provides the calls memory add and memory free. By means of
these calls, privileged processes are enabled to take care of their own but
also to manipulate the memory amount of other processes.
In particular, for the latter case, it is essential that a process p affected
by the memory manipulation is advised of this. An allocation of additional
pages is of no avail unless p knows about it. Things are even worse, if
the manipulation reduces the memory. Note that accesses to the released
memory regions cause runtime errors which, in turn, lead to the termination
of p.
In order to avoid such scenarios, Vamos attaches certain conditions to
the memory manipulations and thereby relies on the memory management
in the overall system.
Memory Management in the Overall System. In the overall system
as depicted in Figure 4.1, the privileged processes will constitute the OS itself
or at least parts of the OS, like servers. Thus, the operating system (OS)
runs as privileged process on top of the Vamos kernel and interacts with
the user processes. Requests to the OS or to the servers can be triggered by
means of the Vamos call ipc request which is open to all user processes.
Thus, if an unprivileged process p, for instance, wants to increase its memory
amount, it utilizes ipc request to place its demand and waits for a response
of the OS. As privileged process, the OS forwards this request to the Va-
mos kernel. If the request succeeds, Vamos increases the memory amount
of p and reports a success message to the OS. Accordingly, a failure is
86 4. The Vamos Model
acknowledged with an error message. In both cases, the OS transfers the
kernel response to p which still waits in the receive phase of ipc request.
Important in the context of the Vamos kernel is the following observa-
tion: If the calling process pcp wants to manipulate the memory amount of
a different process p, this process p must reside in the wait state, i. e., in
the wait queue.
Against that background, we proceed with the formal specification of
the Vamos calls memory add and memory free.
Increasing the Memory Amount
Increasing the memory amount of a process is rather straightforward and
only affects the virtual machines. The calling process pcp specifies a handle
hnvictim to identify the process whose memory should be increased by pgs
pages.
As usual, the invocation of a Vamos call either succeeds or not. Va-
mos uses function vamos result memory add to compute the corresponding
response to pcp:
vamos result memory add uprocs rightsdb waitingvictim pcp hnvictim pgs ≡
if ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hnvictim then err invalid handle
else if ¬ mem available uprocs pgs then err out of mem
else if ¬ waitingvictim ∧ hnvictim 6= HN SELF
then err process not ready else success
Checking the privileges of pcp, the validity of hnvictim and the availability
of further memory was introduced before. The last check, however, takes
the aformentioned scenario into account. Everything is fine, if pcp wants
to increase its own memory amount, i. e., hnvictim = HN SELF. Otherwise,
pcp is only enabled to increase the memory amount of the victim, if this is
waiting. The latter is denoted by the additional flag waitingvictim.
Based on the result of vamos result memory add, the overall specifica-
tion function vamos memory add describes the effects of the memory in-
creasing on a Vamos state sV:
vamos memory add sV hnvictim pgs ≡
let pcp = dv cup sV.scheddse; pvictim = ddsV.rightsdb pcpe.hdb hnvictime;
waitingvictim = pvictim ∈ set sV.schedds.wait;
res = vamos result memory add sV.procs sV.rightsdb waitingvictim pcp
hnvictim pgs;
procsadd = sV.procs(pvictim 7→ δproc (add memory pgs) dsV.procs pvictime)
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := procsadd(pcp 7→ δproc success dprocsadd pcpe)|)
In case of failure, only the error message is delivered to the calling pro-
cess pcp. For the success case, the definition obtains the process number
4.4. Vamos Trap Handler 87
pvictim of the victim by accessing pcp’s handle database with hnvictim and
flag waitingvictim abbreviates the fact that pvictim is part of the wait queue.
The intermediate update procsadd describes the allocation of pgs additional
memory pages and is obtained by the application of function dproc with mes-
sage add memory to the virtual machine of pvictim. Based on procsadd,
Vamos finally delivers the success message to process pcp.
Note that the application of dproc with message add memory only in-
creases the page table length but not the program counters. This is due
to the fact, that pvictim is expected to be still in the receive phase of an
ipc request. The program counters are increased not until this call is
completed, i. e., when the OS responds to the request. With the OS re-
sponse, the Vamos kernel sends a succ receive message to pvictim which
involves the increasing of the program counters.
Decreasing the Memory Amount
Similar to the increasing, the calling process pcp specifies a handle hnvictim
in order to identify the victim whose memory amount should be decreased
by pgs pages. The result function vamos result memory free adopts most
error checks from above, as its definition illustrates:
vamos result memory free uprocs rightsdb waitingvictim pcp hnvictim pgs ≡
let pvictim = drightsdb pcpe.hdb hnvictim
in if ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hnvictim then err invalid handle
else if sizeproc duprocs dpvictimee ≤ pgs then err invalid args
else if ¬ waitingvictim ∧ hnvictim 6= HN SELF
then err process not ready else success
Being in the process of freeing memory makes the check for memory re-
sources superfluous. Instead, vamos result memory free introduces an op-
posite check. Releasing the whole memory of a process would result in its
termination. As this is not the intended meaning of the free memory call,
Vamos restricts the number of released pages. Thus, pgs must be smaller
than the number of pages the victim occupies. The latter is obtained by
applying function sizeproc to the virtual machine of pvictim. The process
number pvictim is taken from pcp’s handle database.
In many cases, it is more effort to remove than to add something. With
the decreasing of the memory amount it is exactly the same. While adding
memory pages only affects the virtual machines, releasing memory pages
might also affect pending IPC operations of the victim. The latter happens,
if involved memory regions become unavailable. Vamos determines this
situation by predicate is ipc memory err:
is ipc memory err freedvictim sndstatvictim ≡
case ωproc freedvictim of
ipc send hnrecv rightssend msg hnadd rightsadd timeoutsend ⇒
88 4. The Vamos Model
msg = MObjUnavailable
| ipc receive hnsend buffer timeoutrecv ⇒ buffer = BufUnavailable
| ipc request hnrecv rightssend msg hnadd rightsadd timeoutsend buffer
timeoutrecv ⇒
buffer = BufUnavailable ∨ ¬ sndstatvictim ∧ msg = MObjUnavailable
| ⇒ True
Let freedvictim determine the virtual machine of the victim after the memory
release and sndstatvictim the victim’s send status. In order to figure out any
errors regarding the memory used in a (possible) IPC operation, we apply
function wproc to freedvictim. The predicate applies, if any specified message
or buffer becomes unavailable by the memory release. In this case, Vamos
decreases the memory amount of the victim and additionally aborts the
operation with an according error message.
The overall specification function vamos memory free encapsulates the
relevant updates:
vamos memory free sV hnvictim pgs ≡
let pcp = dv cup sV.scheddse;
waitingvictim =
ddsV.rightsdb pcpe.hdb hnvictime ∈ set sV.schedds.wait;
res =
vamos result memory free sV.procs sV.rightsdb waitingvictim
pcp hnvictim pgs
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := v memory free updt procs sV.procs sV.priodb
sV.rightsdb sV.sndstatdb waitingvictim pcp hnvictim
pgs,
schedds := v memory free updt schedds sV.schedds sV.procs
sV.priodb sV.rightsdb sV.sndstatdb pcp hnvictim
pgs,
sndstatdb := v memory free updt sndstatdb sV.sndstatdb sV.procs
sV.rightsdb waitingvictim pcp hnvictim pgs|)
In case of success, dedicated functions encapsulate the particular state up-
dates. Otherwise, only the error message is delivered to the calling process
pcp.
Updating the Virtual Machines. The update of the virtual machines
comprises the delivery of the success message to the calling process pcp, on
the one hand, and the decreasing of pvictim’s memory amount together with
a (possible) error message, on the other one.
Formally, function v memory free updt procs describes the update:
v memory free updt procs uprocs priodb rightsdb sndstatdb waitingvictim pcp
hnvictim pgs ≡
let pvictim = ddrightsdb pcpe.hdb hnvictime;
freedvictim = δproc (free memory pgs) duprocs pvictime;
4.4. Vamos Trap Handler 89
errorvictim =
waitingvictim ∧ is ipc memory err freedvictim dsndstatdb pvictime;
resvictim =
if vamosIsSending uprocs sndstatdb pvictim then err snd segv
else err rcv segv;
updtvictim = if errorvictim then δproc resvictim freedvictim else freedvictim
in if pvictim = pcp then uprocs(pvictim 7→ δproc success updtvictim)
else uprocs(pvictim 7→ updtvictim, pcp 7→ δproc success duprocs pcpe)
The definition introduces a couple of abbreviations. Process number pvictim
of the victim is obtained by accessing pcp’s handle database with hnvictim.
The update of pvictim’s virtual machine comes in two steps: The first one
freedvictim results from the application of dproc with input free memory
and releases pgs memory pages. The second step leads to the final update
updtvictim of pvictim’s virtual machine. If the releasing entails an IPC error,
updtvictim additionally comprises the delivery of the according error message
resvictim. Otherwise, it is equal to freedvictim. The flag errorvictim signals the
arising of an IPC error. It is active, if pvictim is waiting and predicate
is ipc memory err applies.
Based on these abbreviations, v memory free updt procs performs the
actual update of the virtual machines uprocs. If pvictim = pcp, only the
success message is delivered. Note that in this case updtvictim = freedvictim,
because pcp is not waiting, i. e., ¬ errorvictim. Otherwise, the entries for
pvictim and pcp are set seperately.
As with the memory increasing, the application of function dproc with
the input free memory does not increase the program counters.
Updating the Scheduling Datastructures. The scheduling datastruc-
tures only need an update, if an IPC error occurs. In this case, the victim
is put back into the ready state.
Function v memory free updt schedds gives the formal specification:
v memory free updt schedds schedds uprocs priodb rightsdb sndstatdb pcp hnvictim
pgs ≡
let pvictim = ddrightsdb pcpe.hdb hnvictime;
freedvictim = δproc (free memory pgs) duprocs pvictime;
waitingvictim = pvictim ∈ set schedds.wait;
errorvictim =
waitingvictim ∧ is ipc memory err freedvictim dsndstatdb pvictime
in if errorvictim then v wkp updt schedds schedds [pvictim] priodb
else schedds
As above, an active flag errorvictim signals an IPC error. The awakening of
pvictim describes function v wkp updt schedds.
Updating the Send Status Database. As with the scheduling datas-
tructures, the send status database is only updated, if an IPC error occurs.
90 4. The Vamos Model
If so, the entry of pvictim is reset to ⊥.
Accordingly, the formal definition of v memory free updt sndstatdb is
straightforward:
v memory free updt sndstatdb sndstatdb uprocs rightsdb waitingvictim pcp
hnvictim pgs ≡
let pvictim = ddrightsdb pcpe.hdb hnvictime;
freedvictim = δproc (free memory pgs) duprocs pvictime;
errorvictim =
waitingvictim ∧ is ipc memory err freedvictim dsndstatdb pvictime
in if errorvictim then sndstatdb(pvictim 7→ False) else sndstatdb
4.4.3 Process Management
The process management in Vamos provides the possibility to dynamically
create, clone and terminate processes. In the kernel’s ABI, these opera-
tions are represented by the calls process create, process clone and
process kill. The two former calls are reserved for privileged processes
only, whereas self-termination is allowed to all processes. Terminating other
processes, however, requires again the privileged status.
Creating a New Process
If the calling process pcp wants to create a new process, it has to specify
several arguments. Regarding the scheduling, pcp has to determine the
priority pri and the timeslice tsl for the new process. In order to configure
the initial memory, pcp specifies the number pgs of memory pages that
should be allocated for the new process and provides the initial memory
image img .
The process creation only succeeds, if the parameters fulfill certain re-
quirements. In addition, system-related sources of failure must be excluded.
For this reason, we define function vamos result create determining the ker-
nel’s response to the calling process:
vamos result create uprocs rightsdb pcp pri img pgs ≡
if ¬ privileged rightsdb pcp then err unprivileged
else if pri = ⊥ ∨
img ∈ {MObjUndefined, MObjUnavailable} ∨
(∃wl . img = MObjSeq wl ∧ pgs ∗ PAGE SIZE < length wl) ∨
pgs = 0 ∨ TVM MAXPAGES ≤ pgs
then err invalid args
else if ¬ procs available uprocs then err out of pids
else if ¬ mem available uprocs
(mem img length img div PAGE SIZE)
then err out of mem else success
As long as the calling process pcp is not privileged, the call is aborted with
the error message err unprivileged. If pcp is privileged, function va-
4.4. Vamos Trap Handler 91
mos result create inspects the validity of the arguments. Process pcp has in-
voked process create with invalid arguments, if either: (a) the priority is
invalid, i. e., pri = ⊥, (b) the memory image img is undefined or unavailable,
(c) the memory image img indeed denotes a sequence ws of words but its
length would exceed the assigned memory, or (d) the new process should be
occupied with 0 or more than TVM MAXPAGES memory pages. In all cases,
Vamos cancels the call and delivers the error message err invalid args.
Finally, vamos result create checks the system resources. A process cre-
ation is not possible, if all processes are in use. In this case, Vamos returns
err out of pids to pcp. The same applies for lacking memory resources
which are acknowledged with error err out of mem.
In the absence of any errors, function vamos result create returns suc-
cess and initiates thereby the updates of the kernel datastructures in the
overall specification function vamos process create:
vamos process create sV tsl pri img pgs ≡
let pcp = dv cup sV.scheddse; pnew = hd sV.schedds.inactive;
res = vamos result create sV.procs sV.rightsdb pcp pri img pgs
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := v create updt procs sV.procs sV.rightsdb pcp pnew
(initproc (mObjSeq img) pgs),
schedds := v create updt schedds sV.schedds pcp pnew tsl
dprie,
priodb := sV.priodb(pnew := pri),
sndstatdb := sV.sndstatdb(pnew 7→ False),
rightsdb := v create updt rightsdb sV.rightsdb pcp pnew|)
Function v cup delivers the calling process pcp, whereas the head of the
inactive list determines the process number pnew of the new process. Setting
the priority and the send status is easy enough to be done directly. The
entry pnew in the priority database is set to pri and the send status is set
to False. Dedicated functions complete the updates of the remaining state
components.
Updating the User Machines. As shown in the definition above, the
update function v create updt procs takes the initial machine procnew for
the new process pnew as input. It is based on the memory image img and
computed by the initialization function initproc for user processes.
Apart from setting the entry pnew in the user machine mapping uprocs
to procnew, the update also comprises the delivery of the success message to
the caller pcp:
v create updt procs uprocs rightsdb pcp pnew procnew ≡
let hnnew = to hn rightsdb pcp pnew
in uprocs(pcp 7→ δproc (succ new process hnnew) duprocs pcpe, pnew 7→
procnew)
92 4. The Vamos Model
The success message succ new process also contains the handle hnnew
to the newly created process. Based on the process number pnew, it is
computed by the function to hn.
Updating the Scheduling Datastructures. The new process pnew needs
to be integrated into the scheduling mechanism. Consequently, it is ap-
pended to the ready queue of priority pri and removed from the inactive
queue. Regarding the process-specific scheduling data of pnew, Vamos in-
herits the specified value tsl as new timeslice. By default, no time is yet
consumed and the timeout is infinite. Function v create updt schedds for-
malizes this:
v create updt schedds schedds pcp pnew tsl pri ≡ schedds
(|ready := schedds.ready(pri := schedds.ready pri @ [pnew]),
inactive := [x∈schedds.inactive . x 6= pnew],
procdb := schedds.procdb(pnew 7→ (|tsl = tsl, ctsl = 0, timeout = ∞|))|)
Updating the Rights Datastructures. The update of the rights data-
structures splits up into two parts: (a) updating the rights datastructures
of the calling process pcp, and (b) initializing the ones of the new process
pnew.
Formally, these parts are described by function v create updt rightsdb:
v create updt rightsdb rightsdb pcp pnew ≡
let hnnew = to hn rightsdb pcp pnew;
rightsdbcp = drightsdb pcpe
(|hdb := drightsdb pcpe.hdb(hnnew 7→ pnew),
rdb := drightsdb pcpe.rdb(bpnewc 7→
{v sendR, v requestR, v multipleR, v finiteR})|);
rightsdbnew =
(|priv = False, hdb = [HN PARENT 7→ pcp, HN SELF 7→ pnew],
rdb = [bpcpc 7→ {v requestR}], stolen = {}, parent = bpcpc|)
in rightsdb(pcp 7→ rightsdbcp, pnew 7→ rightsdbnew)
The definition abbreviates the update of the caller’s rights datastructures by
rightsdbcp. Within rightsdbcp, handle hnnew refers to the new process pnew.
It corresponds to the one in the success message and enables pcp to identify
the new process pnew. In addition, pcp is fit out with all rights to pnew.
The initial rights datastructures rightsdbnew of pnew comprise no priv-
ileges, an empty set of stolen handles and pcp as parent. The latter is
reflected in the handle database by HN PARENT pointing to pcp. Further-
more, HN SELF is assigned to pnew. The only right owned by pnew is the
v requestR right to pcp.
Cloning a Process
Cloning creates a new process that acts as duplicate of the original process.
For this to work, the calling process pcp has to specify a handle hncl to the
4.4. Vamos Trap Handler 93
process that should be cloned. Again, a function vamos result clone checks,
whether the cloning will be successful and returns the response to pcp if not:
vamos result clone uprocs rightsdb waitingcl pcp hncl ≡
let pcl = ddrightsdb pcpe.hdb hncle
in if ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hncl then err invalid handle
else if ¬ procs available uprocs then err out of pids
else if ¬ mem available uprocs (sizeproc duprocs pcle)
then err out of mem
else if ¬ waitingcl ∧ hncl 6= HN SELF
then err process not ready else success
The response comprises a failure notice in case of (a) an unprivileged call-
ing process pcp, (b) an invalid handle hncl, (c) insufficient system-resources
regarding available processes and memory, or (d) the process to be cloned is
not pcp and not waiting. As with the calls memory free and memory add,
if the calling process pcp wants to clone a process pcl which is different from
itself, i. e., hncl 6= HN SELF, this process pcl must reside in the wait state,
i. e., in the wait queue. The latter is denoted by the additional flag waitingcl.
As long as vamos result clone detects any errors, only the error message
is passed on to the caller by means of function dproc. The remaining internal
kernel datastructures remain untouched. Only the response success enables
the process cloning and the involved updates.
The overall formalization is given by function vamos process clone:
vamos process clone sV hncl ≡
let pcp = dv cup sV.scheddse; pcl = ddsV.rightsdb pcpe.hdb hncle;
pnew = hd sV.schedds.inactive;
res = vamos result clone sV.procs sV.rightsdb (pcl mem sV.schedds.wait)
pcp hncl
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := v clone updt procs sV.procs sV.rightsdb pcp pcl pnew,
schedds := v clone updt schedds sV.schedds sV.procs sV.sndstatdb
sV.rightsdb pcl pnew dsV.priodb pcle,
priodb := sV.priodb(pnew := sV.priodb pcl),
sndstatdb := sV.sndstatdb(pnew := sV.sndstatdb pcl),
rightsdb := v clone updt rightsdb sV.rightsdb pcp pcl pnew|)
In case of success, the process number pcl of the cloned process is obtained
by accessing pcp’s handle database with handle hncl. Again, the head of the
inactive queue determines the process number pnew of the new process.
Similar as above, the updates of the priority and the send status databases
are straightforward: Vamos simply adopts the values of pcl and assigns them
to pnew. Dedicated functions describe the remaining ones.
Updating the User Machines. Creating and cloning of processes has
a similar impact on the user machines. The calling process pcp is informed
94 4. The Vamos Model
about the successful operation and the new process pnew is assigned to a
virtual assembly machine. In the context of cloning, however, Vamos does
not associate pnew with an initial machine but with the one of the cloned
process pcl. The definition of v clone updt procs reflects this:
v clone updt procs uprocs rightsdb pcp pcl pnew ≡
let hnnew = to hn rightsdb pcp pnew
in λx . if x = pcp then bδproc (succ new process hnnew) duprocs pcpec
else if x = pnew ∧ pcl = pcp
then bδproc (succ new process HN NONE) duprocs pcpec
else if x = pnew then uprocs pcl else uprocs x
Updating the virtual machine of pcp is clear enough such that we directly
move on to the one of process pnew. While assigning the virtual machine to
pnew, function v clone updt procs has to take into account that the process
pcp might have cloned itself, i. e., pcl = pcp. If so, pnew – as duplicate of pcp
– expects a kernel response and Vamos delivers it. In this case, however,
the response does not contain a process handle but HN NONE. In case that
pcl 6= pcp, pnew is assigned to the virtual machine of pcl. All other virtual
machines remain untouched.
Updating the Scheduling Datastructures. The update of the schedul-
ing datastructures entails the integration of pnew into the Vamos process
scheduling. It is removed from the inactive queue and its consumed time
is set to 0. Depending on the state of the cloned process pcl, it is either
appended to a ready or the wait queue.
The formal specification is given by function v clone updt schedds:
v clone updt schedds schedds uprocs sndstatdb rightsdb pcl pnew pricl ≡
let readycl = pcl ∈ set (schedds.ready pricl)
in schedds
(|ready := schedds.ready
(pricl :=
if readycl then schedds.ready pricl @ [pnew]
else schedds.ready pricl),
inactive := [x∈schedds.inactive . x 6= pnew],
wait := if readycl then schedds.wait else schedds.wait @ [pnew],
procdb := schedds.procdb(pnew 7→ dschedds.procdb pcle(|ctsl := 0|))|)
In the definition, flag readycl is active, if pcl is member of the ready queue
schedds.ready pricl, where pricl denotes its priority. As pnew will have the
same state as pcl, Vamos appends pnew to schedds.ready pricl, if readycl is
active and to schedds.wait, otherwise.
Updating the Rights Datastructures The update of the caller’s rights
datastructures rightsdbcp happens in perfect analogy to the one within the
process creation. Regarding the rights datastructures rightsdbnew of the new
4.4. Vamos Trap Handler 95
process, Vamos mainly copies the ones of pcl. Only the entry HN SELF in
the handle database is reset to pnew:
v clone updt rightsdb rightsdb pcp pcl pnew ≡
let hnnew = to hn rightsdb pcp pnew;
rightsdbcp = drightsdb pcpe
(|hdb := drightsdb pcpe.hdb(hnnew 7→ pnew),
rdb := drightsdb pcpe.rdb(bpnewc 7→
{v sendR, v requestR, v multipleR, v finiteR})|);
rightsdbnew = drightsdb pcle(|hdb := drightsdb pcle.hdb(HN SELF 7→ pnew)|)
in rightsdb(pcp 7→ rightsdbcp, pnew 7→ rightsdbnew)
Killing a Process
Process termination in Vamos is a pretty elaborate issue. The main steps on
the way to terminate a process pvictim are (a) its removal from the scheduling
queues, (b) its deregistration as device driver, (c) the invalidation of handles
pointing to pvictim, and (d) the abortion of pending IPC operations involving
it.
In particular, the two latter steps are the most complex ones. They
might entail the delivery of notifications or error messages which comes along
with the awakening of the processes concerned. In order to identify these
situations later on in the formal specification, we introduce some auxiliary
predicates.
A process p only receives a notification, if it is active and prepared for
receiving, on the one hand, and if it knows the victim process pvictim, on the
other one. Formally, predicate knotify after kill describes this situation:
knotify after kill uprocs rightsdb pvictim p ≡
case uprocs p of ⊥ ⇒ False
| bxc ⇒ case ωproc x of
ipc receive hnsend msg timeoutrecv ⇒
hnsend ∈ {HN NONE, HN KERNEL} ∧ is known rightsdb p pvictim
| ⇒ False
Process p is prepared for receiving notifications, if ipc receive describes
the output and handle hnsnd either specifies an open receive (HN NONE) or
an explicit request to the kernel (HN KERNEL). Whether p knows pvictim
determines predicate is known.
Another situation, why a process p receives a message, arises, if p resides
in a pending IPC operation, where pvictim is involved as receiver, sender, or
additional process. The predicate killed assigned recv describes this situa-
tion:
killed assigned recv uprocs rightsdb pvictim p ≡
case uprocs p of ⊥ ⇒ False
| bxc ⇒ case ωproc x of
ipc send hnrcv rightssend msg hnadd rightsadd timeoutsend ⇒
96 4. The Vamos Model
drightsdb pe.hdb hnrcv = bpvictimc
| ipc request hnrcv rightssend msg hnadd rightsadd timeoutsend buffer
timeoutrecv ⇒
drightsdb pe.hdb hnrcv = bpvictimc
| ⇒ False
For an arbitrary process p, the predicate holds, if p entails three properties:
(a) it is active, (b) the output denotes a send operation, i. e., ipc send or
ipc request, and (c) the specified handle hnrcv refers to pvictim in p’s han-
dle database. Similar predicates killed assigned snd and killed assigned add
help to determine the remaining situations.
However, these situations only arise, if the process termination succeeds.
Thus, as usual, we define a function vamos result kill that checks possible
invocation errors. The only argument that the calling process pcp has to
specify is a handle hnvictim to the process that should be terminated. Based
on it, the definition of function vamos result kill looks as follows:
vamos result kill rightsdb pcp hnvictim ≡
if hnvictim 6= HN SELF ∧ ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hnvictim then err invalid handle
else success
A special case describes hnvictim = HN SELF. It either indicates the volun-
tary self-termination of pcp or its forced termination by the Vamos kernel.
The latter happens in the context of the runtime-error handling (cf. Sec-
tion 4.4). Anyways, in both cases, the operation is not attached to any
conditions and always succeeds.
Things are different, if hnvictim 6= HN SELF, i. e., no self-termination
is desired. In this case, success is only returned, if pcp owns privileges
and handle hnvictim is valid. Lacking privileges result in the error message
err unprivileged, an invalid handle in err invalid handle.
The actual delivery of the error message and the state update in the
success case describes function vamos process kill:
vamos process kill sV hnvictim ≡
let pcp = dv cup sV.scheddse;
pvictim = dsV.rightsdb pcpe.hdb hnvictim;
res = vamos result kill sV.rightsdb pcp hnvictim
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := v kill updt procs sV.procs sV.rightsdb sV.devds
(set sV.schedds.wait) pcp dpvictime,
schedds := v kill updt schedds sV.schedds sV.procs sV.priodb
sV.rightsdb dpvictime,
priodb := sV.priodb(dpvictime := ⊥),
sndstatdb := v kill updt sndstatdb sV.sndstatdb sV.procs
sV.rightsdb dpvictime,
rightsdb := v kill updt rightsdb sV.rightsdb dpvictime,
devds := v kill updt devds sV.devds dpvictime|)
4.4. Vamos Trap Handler 97
In case of success, the access to pcp’s handle database with handle hnvictim
is valid and delivers the process number pvictim. Setting the entry of pvictim
in the priority database to ⊥ is done directly. Dedicated update functions
describe the effects on the remaining state components.
Updating the Virtual Machines. The update of the virtual machines
affects the entries for the calling process pcp, the terminated process pvictim
and the processes which are either informed about the abortion of their
pending IPC operation or the loss of handles in their handle database.
Function v kill updt procs formally defines the update:
v kill updt procs uprocs rightsdb devds waitQ pcp pvictim ≡
let rightsdbnew = v kill updt rightsdb rightsdb pvictim;
knote = deliverNotifications rightsdbnew devds devds.saved
in λx . if x = pvictim then ⊥
else if x = pcp then bδproc success duprocs pcpec
else if x ∈ waitQ ∧ killed assigned recv uprocs rightsdb pvictim x
then bδproc err snd invalid handle duprocs xec
else if x ∈ waitQ ∧
killed assigned add uprocs rightsdb pvictim x
then bδproc err invalid handle duprocs xec
else if x ∈ waitQ ∧
killed assigned snd uprocs rightsdb pvictim x
then bδproc err rcv invalid handle duprocs xec
else if x ∈ waitQ ∧
knotify after kill uprocs rightsdb pvictim
x
then bδproc (knote x) duprocs xec else uprocs x
Due to the successful termination, process pvictim is no longer associated
with a virtual machine and the caller pcp gets a success message. Aborting
the pending IPC operations of waiting processes x involves an error message
passing. The actual message is determined by means of the predicates in-
troduced above. Thus, x receives err snd invalid handle, if predicate
killed assigned recv applies. Finally, Vamos delivers kernel notifications to
all processes x that fulfill predicate knotify after kill. The virtual machines
of the remaining processes remain untouched.
Kernel notifications are assembled by function deliverNotifications which
relies on the updated rights datastructures given by v kill updt rightsdb. As
we will see later on, it provides the set of stolen handles of a process x after
the termination of process pvictim containing the handle hn that pointed to
pvictim.
Based on the updated rights datastructures rightsdb, the device datas-
tructures devds and the saved interrupts irqs, the notification for process x
contains the following information:
98 4. The Vamos Model
deliverNotifications rightsdb devds irqs x ≡
let irqshandled = {i ∈ irqs. devds.driver i = bxc};
stolenhns = case rightsdb x of ⊥ ⇒ False | bac ⇒ a.stolen 6= {}
in succ receive HN KERNEL False {} [ ] HN NONE False {} stolenhns False
irqshandled
In the definition, irqshandled abbreviates the set of interrupts i ∈ irqs han-
dled by x. Flag stolenhns is active, if the entry of x in the rights datas-
tructures rightsdb comprises a non-empty set stolen. Both irqshandled and
stolenhns represent the main content of the kernel notification to x. Handle
HN KERNEL identifies the kernel as sender, whereas the remaining parts do
not communicate any relevant data.
Updating the Scheduling Datastructures. The udpate of the schedul-
ing datastructures comprises the awakening of all waiting processes p that
either receive a kernel notification or an error message. Furthermore, the
terminated process pvictim is taken out of the Vamos process scheduling, i. e.,
it is removed from the scheduling queues (wait or ready queues) and put into
the inactive queue. Moreover, the process-specific scheduling information is
deleted.
Function v kill updt schedds gives the formal specification of all these
actions:
v kill updt schedds schedds uprocs priodb rightsdb pvictim ≡
let scheddstmp =
v wkp updt schedds schedds
(filter (v kill wkp uprocs rightsdb pvictim) schedds.wait) priodb
in scheddstmp
(|inactive := scheddstmp.inactive @ [pvictim],
procdb := scheddstmp.procdb(pvictim := ⊥),
ready := λp. [x∈scheddstmp.ready p . x 6= pvictim],
wait := [x∈scheddstmp.wait . x 6= pvictim]|)
In a first step, v kill updt schedds realizes the awakening of all waiting pro-
cesses p that fulfill predicate v kill wkp and stores this intermediate result
in scheddstmp. The predicate itself realizes a disjunction of the predicates
introduced above:
v kill wkp uprocs rightsdb pvictim p ≡
killed assigned recv uprocs rightsdb pvictim p ∨
killed assigned add uprocs rightsdb pvictim p ∨
killed assigned snd uprocs rightsdb pvictim p ∨
knotify after kill uprocs rightsdb pvictim p
Based on scheddstmp, pvictim is appended to the inactive queue and the entry
for pvictim in the process-specific scheduling information is set to ⊥. The act
of removing pvictim from the scheduling queues is quite brute force. Vamos
does not distinguish whether pvictim previously resided in the wait or the
ready queue but simply removes it from all of these queues.
4.4. Vamos Trap Handler 99
Updating the Rights Datastructures. After the termination, Vamos
does no longer hold any information on pvictim. Accordingly, the entry for
pvictim in the rights database is set to ⊥. Furthermore, all entries regarding
pvictim in the handle and rights databases of processes p are set to ⊥. In
addition, handles hn refering to pvictim are added to the according sets of
stolen handles.
The formal semantics encapsulates function v kill updt rightsdb:
v kill updt rightsdb rightsdb pvictim ≡
λp. if p = pvictim then ⊥
else case rightsdb p of ⊥ ⇒ ⊥
| bdbc ⇒
bdb(|hdb := λhn. if db.hdb hn = bpvictimc then ⊥ else db.hdb hn,
rdb := db.rdb(bpvictimc := ⊥),
stolen := db.stolen ∪ {hn. db.hdb hn = bpvictimc}|)c
Note that Vamos does not allow multiple handles on a single process, i. e.,
{hn. db.hdb hn = bpvictimc} is a singleton or empty.
Updating the Send Status Database. Updating the send status data-
base is rather straightforward. The entry of pvictim is set to ⊥. Entries
of awaken processes (those for which predicate v kill wkp holds) are set to
False because they no longer perform any IPC operation. The remaining
entries stay untouched.
Formally, function v kill updt sndstatdb describes the update:
v kill updt sndstatdb sndstatdb uprocs rightsdb pvictim ≡
λp. if p = pvictim then ⊥
else if v kill wkp uprocs rightsdb pvictim p then bFalsec else sndstatdb p
Updating the Device Datastructures. Terminating a process might
also shut down a driver. This reflects the update of the device datastructures
described by function v kill updt devds:
v kill updt devds devds pvictim ≡
let irqs = {i . devds.driver i = bpvictimc}
in devds
(|driver := λi . if i ∈ irqs then ⊥ else devds.driver i ,
enabled := devds.enabled − irqs, saved := devds.saved − irqs|)
The definition first determines the set irqs of interrupts served by process
pvictim. Based on this set, the actual update of the device datastructures
devds is performed. All interrupts i ∈ irqs are no longer handled or assigned
to any driver, i. e., the entry i in driver is set to ⊥. As long as no other device
driver is assigned, the interrupts are disabled and, hence, subtracted from
the set enabled. Finally, Vamos removes interrupts associated to the driver
pvictim from the set saved because a delivery is no longer possible.
100 4. The Vamos Model
4.4.4 Scheduling Mechanism
The process scheduling in Vamos highly depends on the so-called scheduling
parameters which comprise the priority and the timeslice of a process. Both
values are initially determined during the process creation (cf. Section 4.4.3)
and play, as we will see in Section 4.5, an essential role within the decision
of the Vamos scheduler.
The Vamos call chg sched params provides the possibility to dynam-
ically change these values. As arguments, the calling process pcp has to
specify a handle hnvictim which identifies the process whose scheduling pa-
rameters should be changed to the new timeslice tslnew and priority prionew.
The call only succeeds, if pcp is privileged, hnvictim is valid, and prionew
denotes a valid priority, i. e., prionew 6= ⊥.
Function vamos result change sched param checks for possible errors
and delivers the corresponding response to pcp:
vamos result change sched param rightsdb pcp hnvictim prionew ≡
if ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hnvictim then err invalid handle
else if prionew = ⊥ then err invalid args else success
The response of vamos result change sched param is used in the over-
all specification function vamos change sched param, in order to determine
between success and failure:
vamos change sched param sV hnvictim tslnew prionew ≡
let pcp = dv cup sV.scheddse; pvictim = ddsV.rightsdb pcpe.hdb hnvictime;
res = vamos result change sched param sV.rightsdb pcp hnvictim prionew
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := sV.procs(pcp 7→ δproc success dsV.procs pcpe),
schedds := v chng sched param updt schedds sV.schedds sV.priodb
sV.rightsdb pcp hnvictim tslnew dprionewe,
priodb := sV.priodb(pvictim := prionew)|)
If the call fails, the only update concerns the error message passing to pcp.
Otherwise, the message turns into success and the scheduling parameters
are changed. The process number pvictim of the victim is obtained by ac-
cessing pcp’s handle database with hnvictim. Based on pvictim, Vamos sets
the entry in the priority database to prionew and describes the update of the
scheduling datastructures by means of v chng sched param updt schedds:
v chng sched param updt schedds schedds priodb rightsdb pcp hnvictim
tslnew prionew ≡
let pvictim = ddrightsdb pcpe.hdb hnvictime;
prioold = dpriodb pvictime
in if pvictim ∈ set schedds.wait ∨ prionew = prioold
then schedds
(|procdb := schedds.procdb(pvictim 7→ dschedds.procdb pvictime
(|tsl := tslnew|))|)
4.4. Vamos Trap Handler 101
else schedds
(|ready := schedds.ready
(prionew := schedds.ready prionew @ [pvictim],
prioold := [x∈schedds.ready prioold . x 6= pvictim]),
procdb := schedds.procdb(pvictim 7→ dschedds.procdb pvictime
(|tsl := tslnew, ctsl := 0|))|)
In addition to pvictim, the definition also relies on the old priority prioold of
pvictim. The first case deals with the situation that either pvictim is waiting
or the priority of pvictim does not change, i. e., prionew = prioold. Both results
in the same update, namely, that only the timeslice of pvictim is set to tslnew.
Due to the rearrangement of the ready queues, the second case is a bit more
elaborate. Vamos removes pvictim from the ready queue of priority prioold
and appends it to the one of priority prionew. For this reason, its consumed
time ctsl is reset to 0. Again, the timeslice is set to tslnew.
4.4.5 Device Driver Support
The Vamos kernel itself only handles the external interrupts from the timer
device. For the remaining external interrupts, Vamos shifts the responsibil-
ity to so-called device drivers. Device drivers in Vamos are dedicated user
processes that handle the interrupts from and interact with the external de-
vices. Nevertheless, the Vamos kernel still acts as interface between these
drivers and the devices. On the one hand, it receives the interrupts and
passes them on to the associated drivers and, on the other hand, it forwards
the requests of the drivers to the devices.
A user process may only act as driver, if it was previously registered by
means of theVamos call change driver. Regarding a dynamic assignment
of drivers and devices, the call additionally allows to unregister drivers.
As Section 4.6 illustrates, Vamos uses IPC for the interrupt delivery.
Along with the actual delivery, Vamos also disables the respective inter-
rupts. An interrupt i remains disabled as long as its driver d completed
the handling. Not until then d re-enables i by means of the Vamos call
enable interrupts.
Among other duties, the main task of a driver is reading from and writing
to a device. Thus, Vamos provides the corresponding calls dev read and
dev write.
Based on this brief introduction, the section proceeds with the formal
specifications of the device-related Vamos calls.
Assignment of Device Drivers
The Vamos call change driver enables the dynamic assignment of device
drivers. Primarily, it allows the registration and deregistration of drivers but
also provides the opportunity to dynamically change the set of interrupts
handled by a certain driver.
102 4. The Vamos Model
Accordingly, a calling process pcp has to specify the handle hndriver to the
desired driver and the set irqs of interrupts, the driver should be registered
for or deregistered from. The latter is determined by a flag register.
Function vamos result change driver decides on success or failure:
vamos result change driver rightsdb devds pcp hndriver irqs ≡
if ¬ privileged rightsdb pcp then err unprivileged
else if ¬ valid handle rightsdb pcp hndriver then err invalid handle
else if irqs = ⊥ ∨ DEV TIMER ∈ dirqse then err invalid args
else if ∃i∈dirqse.
devds.driver i 6= ⊥ ∧
devds.driver i 6= drightsdb pcpe.hdb hndriver
then err int already handled else success
The call change driver only succeeds, if the calling process pcp is privi-
leged and provides a valid handle hndriver. Furthermore, the set irqs must
neither be empty nor contain the interrupt for the timer device. Apart
from this, Vamos does not allow more than one driver for each inter-
rupt. In consequence of that, Vamos responses with the error message
err int already handled, if an interrupt i out of irqs is already as-
signed to a driver which does not correspond to the one chosen by pcp.
The overall function vamos change driver uses the response from the
function above and specifies the corresponding update of a Vamos state sV:
vamos change driver sV hndriver irqs register ≡
let pcp = dv cup sV.scheddse;
res = vamos result change driver sV.rightsdb sV.devds pcp hndriver irqs
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := sV.procs(pcp 7→ δproc success dsV.procs pcpe),
devds := v chg drv updt devds sV.devds sV.rightsdb pcp hndriver irqs
register|)
Delivering the result message to the caller pcp goes on as usual. The
remaining changes only affect the device datastructures and are described
by the dedicated update function v chg drv updt devds:
v chg drv updt devds devds rightsdb pcp hndriver irqs register ≡
let pdriver = drightsdb pcpe.hdb hndriver
in if register
then devds
(|driver := λi . if i ∈ dirqse then pdriver else devds.driver i ,
enabled := devds.enabled ∪ dirqse|)
else devds
(|driver := λi . if i ∈ dirqse then ⊥ else devds.driver i ,
saved := devds.saved − dirqse, enabled := devds.enabled − dirqse|)
The process number pdriver of the driver is obtained by accessing pcp’s handle
database with hndriver. Two cases are distinguished. In the first one, pdriver
should be registered as driver for the interrupts irqs. Accordingly, for each
4.4. Vamos Trap Handler 103
interrupt i ∈ dirqse, the entry in the driver registry is set to pdriver. Adding
the newly assigned interrupts to the set enabled turns the interrupt delivery
on.
The second case deals with the deregistration. According entries in driver
are set to ⊥ and the interrupts are taken out of the sets saved and enabled.
Enabling Interrupts
Specifying the call enable interrupts is straightforward. The calling pro-
cess pcp usually acts as driver and specifies a set irqs that should be re-
enabled. Function vamos result enable interrupts determines whether this
request succeeds or fails:
vamos result enable interrupts devds pcp irqs ≡
if ∃i∈dirqse. devds.driver i 6= bpcpc ∨ irqs = ⊥ then err unprivileged
else success
The latter happens, if either the interrupts are given in an invalid format or
at least one of the specified interrupts does not belong to the caller pcp.
The overall specification function vamos enable interrupts reflects the
low complexity of enable interrupts:
vamos enable interrupts sV irqs ≡
let pcp = dv cup sV.scheddse;
res = vamos result enable interrupts sV.devds pcp irqs
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := sV.procs(pcp 7→ δproc success dsV.procs pcpe),
devds := sV.devds(|enabled := sV.devds.enabled ∪ dirqse|)|)
As usual, Vamos either reports success or failure to the caller pcp. In the
former case, the interrupts dirqse are additionally added to the set of enabled
interrupts.
Reading from a Device
The Vamos call dev read enables a driver to read from a device. Thus,
as calling process pcp, the driver has to specify a device number devid, a
port number devport and a memory region buffer in its virtual memory that
should be used to store the device data.
Specifying invalid device and port numbers are one source of failure.
Another one is the memory region. To be used as buffer, it has to be
defined and available in the virtual memory of pcp. Furthermore, Vamos
only enables a read operation, if pcp is registered as driver for devid.
Formally, function vamos result dev read checks for these errors and de-
livers an according response:
vamos result dev read devds pcp devid devport buffer ≡
if devid = ⊥ ∨ devport = ⊥ ∨ buffer ∈ {BufUndefined, BufUnavailable}
104 4. The Vamos Model
then err invalid args
else if devds.driver ddevide 6= bpcpc then err unprivileged else success
Range violations as well as an invalid buffer lead to err invalid args.
The attempt to read from device devid without being registered as driver
is rejected with the error message err unprivileged. Otherwise, the call
succeeds and success is returned.
The overall specification function vamos dev read does not describe the
acquisition of the device data but only its delivery to the driver. As described
in Section 3.1, the actual interaction between the device devid and the Va-
mos kernel takes place in the overall transition function dV+D, where a
succeeding interaction results in the device data devdata. Function dV+D
then uses this data with the Vamos transition function dV which, in turn,
passes devdata on to the Vamos trap handler, where it finally arrives at
vamos dev read (cf. Section 4.3 and Section 4.4).
Accordingly, vamos dev read takes – apart from the Vamos state sV and
the parameters specified by the calling process pcp – the device data devdata
as input:
vamos dev read sV devid devport buffer devdata ≡
let pcp = dv cup sV.scheddse;
res = vamos result dev read sV.devds pcp devid devport buffer;
data = mifo norm (bufLength buffer) devdata
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := sV.procs(pcp 7→ δproc (succ dev read data) dsV.procs pcpe)|)
If dev read fails, the cause of fault is delivered to process pcp. Oth-
erwise, process pcp is provided with the device data in form of message
succ dev read. The message, however, comprises the normalized device
data data, which is obtained by function mifo norm. In a nutshell, function
mifo norm positions devdata at the beginning of the buffer and, if necessary,
adds zeroes, if the buffer is bigger than the actual data portion.
Writing to a Device
Write accesses to a device are provided with the Vamos call dev write. A
calling process pcp has to specify the target by means of a device number
devid and a port number devport. The data that should be written to the
device is specified by a memory region msg .
Writing to and reading from a device are attached with similar condi-
tions, as the definition of vamos result dev write reflects:
vamos result dev write devds pcp devid devport msg ≡
if devid = ⊥ ∨ devport = ⊥ ∨ msg ∈ {MObjUndefined, MObjUnavailable}
then err invalid args
else if devds.driver ddevide 6= bpcpc then err unprivileged else success
4.4. Vamos Trap Handler 105
Instead of the buffer, in this context the message msg has to be defined and
available in the virtual memory of pcp.
The only issue regarding the Vamos state update is the result delivery.
The actual write access to device devid is again handled outside by dV+D.
Accordingly, the definition of vamos dev write is quite simple:
vamos dev write sV devid devport msg ≡
let pcp = dv cup sV.scheddse;
res = vamos result dev write sV.devds pcp devid devport msg
in sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
4.4.6 Inter-Process Communication
As the name suggests, IPC gives the user processes the opportunity to com-
municate with each other. For sending and receiving, the Vamos kernel
provides the calls ipc send and ipc receive. In addition to that, the call
ipc request enables a combined send and receive with the same commu-
nication partner.
Usually, IPC calls traverse several phases. The invocation phase checks
the various IPC arguments for their validity. After successfully passing this
phase, the operation enters the pre-transmission phase. It searches for pos-
sible communication partners and proceeds into the actual transmission, if a
rendez-vous situation can be established. If no suitable partner is available,
it prepares the calling process for waiting or aborts the call, if the caller
specified an immediate timeout. Both, the invocation as well as the pre-
transmission phase are call-specific, whereas the transmission has the same
semantics for each call.
Accordingly, we first specify the effects of the transmission phase and
embed it afterwards in the particular specifications of the IPC calls.
This section concludes with the specification of the call change rights.
It does not enable any communication but the administration of the IPC
rights.
IPC transmission
The transmission phase finalizes a succeeding IPC operation and relies on
a rendez-vous situation between a sender psnd and a receiver prcv. During
this phase, the IPC message of psnd is transferred to prcv and the Vamos
kernel updates its datastructures, accordingly. As the transmission follows
the invocation and pre-transmission phase, we assume the validity of the
involved arguments.
The IPC message itself comprises multiple parts. The most common
one is the memory message msgsnd. It is specified by the sender psnd and
describes the memory region that is transferred to the receiver. The receiver,
in turn, specifies a memory region bufrcv to store msgsnd.
106 4. The Vamos Model
The sender psnd may also grant rights rightssnd to the receiver prcv.
These rights are combined with the (possibly) existing ones of prcv to psnd
and stored in the corresponding entry in prcv’s rights database. The updated
entry denotes the so-called return rights rrightssnd and is advertised to prcv
as part of the result message succ receive.
Furthermore, psnd is allowed to introduce an additional process padd to
prcv. For this purpose, psnd specifies a handle hnadd and rights rightsadd. As
hnadd is only valid in psnd’s context, the kernel translates it and provides an
according return handle rhnadd. In the handle database, Vamos connects
rhnadd with padd and, as above, updates the according entry in the rights
database. Again, the handle rhnadd and the return rights rrightsadd are
advertised by means of the result message to prcv.
In addition, the succ receive message to prcv also carries notifications
from the kernel. Thus, prcv is informed about stolen or reused handles and
occurred interrupts, if acting as driver.
The transmission phase involves various updates on the Vamos state
which are, as usual, encapsulated in dedicated functions.
Updating the Rights Datastructures. The most complex component
update in the scope of an IPC transmission is the one for the rights datas-
tructures rightsdb. Updating the rights datastructures regarding the sender
psnd is rather straightforward and encapsulated in function snd rightsdb:
snd rightsdb rightsdb psnd prcv ≡
let rightsrcv =
if ddrightsdb psnde.rdb prcve ∩ {v multipleR} = {} then b{}c
else drightsdb psnde.rdb prcv
in drightsdb psnde(|rdb := drightsdb psnde.rdb(prcv := rightsrcv)|)
The sender psnd only keeps the rights to prcv, if it is equipped with the right
v multipleR. Otherwise, Vamos revokes all rights.
Much more effort is involved with the updates regarding the database
of the receiver which mainly rely on the return handles and rights. We use
auxiliary functions to determine the particular values.
Function rhn snd computes the return handle rhnsnd to the sender:
rhn snd rightsdb prcv psnd ≡
if bpsndc = drightsdb dprcvee.parent then HN PARENT else int psnd
If the sender psnd is prcv’s parent, the function returns HN PARENT. Oth-
erwise, psnd is converted into a handle, i. e., transformed into an integer
number. The return rights rrightssnd to the sender result from function
rrights snd:
rrights snd rightsdb prcv psnd rightssnd ≡
if is known rightsdb dprcve psnd
then bddrightsdb dprcvee.rdb bpsndce ∪ drightssndec else rightssnd
4.4. Vamos Trap Handler 107
If the sender is already known to the receiver, the return rights describe the
combination of the already existing ones with those of rightssnd. Otherwise,
rightssnd denotes the initial rights to the sender.
The updates of prcv’s entries in the rights datastructures rightsdb regard-
ing the sender are encapsulated in function rcv rightsdb snd:
rcv rightsdb snd rightsdb prcv psnd rhnsnd rrightssnd ≡
rightsdb(dprcve 7→ drightsdb dprcvee
(|hdb := drightsdb dprcvee.hdb(rhnsnd 7→ psnd),
rdb := drightsdb dprcvee.rdb(bpsndc := rrightssnd),
stolen := drightsdb dprcvee.stolen − {rhnsnd}|))
Within the handle database of prcv, rhnsnd is connected with the process
number psnd and rrightssnd is stored in the according entry in the rights
database. Finally, rhnsnd is removed from the set of stolen handles. This
operation has no effect as long as rhnsnd has not been marked as stolen.
Otherwise, it is now reused and no longer stolen. Nevertheless, later on we
will see, that prcv is notified about this replacement by marking rhnsnd as
reused in the result message.
More complex are the computations of the return handle rhnadd and
the return rights rrightsadd, because we have to take into account that no
additional process has been announced at all or that the process corresponds
with the receiver. This leads to the following definition of the auxiliary
function rhn add delivering rhnadd:
rhn add rightsdb prcv psnd padd hnadd ≡
if hnadd = HN NONE then HN NONE
else if padd = prcv then HN SELF
else if padd = drightsdb dprcvee.parent then HN PARENT else int dpadde
In case that no additional process has been announced by the sender, i. e.,
hnadd = HN NONE, the return handle rhnadd is also HN NONE. Handle
HN SELF is returned, if the additional process padd corresponds with the
receiver. The return handle denotes HN PARENT, if padd denotes the re-
ceiver’s parent. Otherwise, padd is converted into a handle.
The return rights rrightsadd to the additional process result from function
rrights add:
rrights add rightsdb prcv psnd padd hnadd rightsadd ≡
if hnadd = HN NONE then ⊥
else if padd = prcv then drightsdb dprcvee.rdb padd
else if is known rightsdb dprcve dpadde
then bddrightsdb dprcvee.rdb padde ∪ drightsaddec else rightsadd
The return rights rrightsadd denote ⊥, if no additional process was specified,
i. e., hnadd = HN NONE. If the additional process is equal to the receiver,
they denote the corresponding entry in the rights database. In all other
108 4. The Vamos Model
cases, they describe the combination of already existing rights with rightsadd,
if the additional process was known, and are equal to rightsadd, otherwise.
The updates of prcv’s entries in the rights datastructures rightsdb regard-
ing the additional process are similar to the ones regarding the sender, as
the definition of function rcv rightsdb add suggests:
rcv rightsdb add rightsdb prcv psnd padd rhnadd rrightsadd ≡ rightsdb(dprcve 7→
drightsdb dprcvee
(|hdb := drightsdb dprcvee.hdb(rhnadd := padd),
rdb := drightsdb dprcvee.rdb(padd := rrightsadd),
stolen := drightsdb dprcvee.stolen − {rhnadd}|))
Function rcv rightsdb combines the updates of the receiver’s rights data-
structures:
rcv rightsdb rightsdb prcv psnd rightssnd hnadd rightsadd ≡
let rhnsnd = rhn snd rightsdb prcv psnd;
rrightssnd = rrights snd rightsdb prcv psnd rightssnd;
rightsdb ′ = rcv rightsdb snd rightsdb prcv psnd rhnsnd rrightssnd;
padd = drightsdb psnde.hdb hnadd;
rhnadd = rhn add rightsdb prcv psnd padd hnadd;
rrightsadd = rrights add rightsdb ′ prcv psnd padd hnadd rightsadd;
rightsdb ′′ = rcv rightsdb add rightsdb ′ prcv psnd padd rhnadd rrightsadd
in drightsdb ′′ dprcvee
Based on the original rights datastructures rightsdb, the definition first com-
putes the return handle rhnsnd and rights rrightssnd to the sender. Both are
provided as input to function rcv rightsdb snd which computes the inter-
mediate update rightsdb ′. Afterwards, the definition computes the return
handle rhnadd to the additional process padd. Note that the latter is only de-
fined, if hnadd 6= HN NONE. The computation of the return rights rrightsadd
is based on the rights datastructures rightsdb ′ and performed by function
rrights add. The rights datastructures rightsdb ′ also serve as basis for func-
tion rcv rightsdb add which computes the updates of prcv’s rights database
regarding the additional process. The result is stored in rightsdb ′′. Finally,
function rcv rightsdb returns the entry of the receiver in rightsdb ′′.
The combination of the functions snd rightsdb and rcv rightsdb delivers
the overall update of the rights datastructures:
v ipc trans updt rightsdb rightsdb psnd hnrcv hnadd rightssnd rightsadd ≡
let prcv = drightsdb psnde.hdb hnrcv;
rightsdbrcv = rcv rightsdb rightsdb prcv psnd rightssnd hnadd rightsadd;
rightsdbsnd = snd rightsdb rightsdb psnd prcv
in rightsdb(dprcve 7→ rightsdbrcv, psnd 7→ rightsdbsnd)
Updating the Virtual Machines. The update of the virtual machines
mainly comprises the result messages to the sender and the receiver. How-
ever, the former only gets a success message, if the sending was not part of
4.4. Vamos Trap Handler 109
an ipc request call. If so, the intended operation is not completed because
the receive phase will still follow.
In contrast, receiving always terminates an IPC operation. Consequently,
the receiver prcv is notified about the successful transmission by means of a
succ receive message. Main content of the message are the return han-
dles together with the associated rights and the actual memory message
from the sender. In addition, prcv is provided with some administrative in-
formation, for instance, whether the returned handles have previously been
used for other processes or any interrupts occurred or, if the handle database
contains any invalid handles.
Function v ipc trans updt procs encapsulates the formal description of
the message delivery:
v ipc trans updt procs uprocs rightsdb devds psnd req hnrcv rightssnd
msg hnadd rightsadd ≡
let prcv = drightsdb psnde.hdb hnrcv;
padd = drightsdb psnde.hdb hnadd;
rhnsnd = to hn rightsdb dprcve psnd;
reusedsnd = rhnsnd ∈ drightsdb dprcvee.stolen;
rhnadd = rhn add rightsdb prcv psnd padd hnadd;
reusedadd = rhnadd 6= rhnsnd ∧ rhnadd ∈ drightsdb dprcvee.stolen;
rightsdbpost =
v ipc trans updt rightsdb rightsdb psnd hnrcv hnadd rightssnd
rightsadd;
rrightssnd = ddrightsdbpost dprcvee.rdb bpsndce;
rrightsadd =
if padd = prcv then {} else ddrightsdbpost dprcvee.rdb padde;
stolen = drightsdbpost dprcvee.stolen 6= {};
irqs = {i ∈ devds.saved. devds.driver i = prcv};
toinf = timeoutInfinite uprocs psnd
in λx . if x = psnd ∧ ¬ req then bδproc success duprocs xec
else if x = dprcve
then bδproc (succ receive rhnsnd reusedsnd rrightssnd
(mObjSeq msg) rhnadd reusedadd rrightsadd
stolen toinf irqs)
duprocs xec
else uprocs x
An additional input parameter req determines whether the sender psnd per-
forms an ipc request. Depending on this, its virtual machine is either
provided with a success message or remains unchanged.
Assembling the succ receive message for prcv describes the remain-
ing parts of the definition. The return handles rhnsnd and rhnadd are com-
puted as before and marked as reused, if they were previously contained in
the stolen set of prcv. We use the flags reusedsnd and reusedadd to signal
a re-use, whereas the latter is only active, if rhnadd is additionally differ-
ent from rhnsnd. The returned rights rely on the updated rights datas-
tructures rightsdbpost which result from the previously introduced function
110 4. The Vamos Model
v ipc trans updt rightsdb. Actually, the rights rrightssnd and rrightsadd cor-
respond to the entries in the rights database. The latter, however, describes
the empty set, if the additional process is the receiver itself. Invalid handles
in the updated handle database of prcv are signaled by the flag stolen. It is
active, if the set of stolen handles is not empty. The state component saved
stores all occurred but not yet handled external device interrupts. If prcv
acts as driver for any of these interrupts, Vamos uses the succ receive
message for the interrupt delivery. For this purpose, set irqs subsumes all
interrupts which are handled by prcv.
With prcv acting as server, it might be interesting to know, whether
the transmission was part of an ipc request initiated by psnd and, in par-
ticular, whether the upcoming receive phase is performed with an infinite
timeout. If so, flag toinf is active, which is formally determined by predicate
timeoutInfinite:
timeoutInfinite uprocs p ≡
∃rcv hn snd rights msg add hn add rights snd timeout buffer .
ωproc duprocs pe =
ipc request rcv hn snd rights msg add hn add rights snd timeout buffer ∞
Updating the Send Status Database. The update of the send status
database is straightforward. From the receiver’s point of view the IPC op-
eration is completed. Consequently, the send status is set to False. After
sending, the status of the sender depends on its actual operation. If the
send phase was part of an ipc request, the send status is active, i. e., set
to True. Otherwise, the status is inactive. Vamos determines both situation
by means of the flag req.
v ipc trans updt sndstatdb sndstatdb psnd prcv req ≡ sndstatdb(psnd 7→ req, prcv
7→ False)
Updating the Device Datastructures. As seen before, the message
succ receive is used to deliver occurred interrupts to prcv. Hence, from
the kernel’s point of view there is no need to store them any longer. Thus,
Vamos removes the delivered interrupts from the set of saved interrupts.
The function v ipc trans updt devds specifies the according effects on
the device datastructures:
v ipc trans updt devds devds prcv ≡
let irqsdel = {i . devds.driver i = bprcvc} in devds(|saved := devds.saved − irqsdel|)
IPC Send
In order to invoke the Vamos call ipc send, the (expected) sender psnd
has to specify (a) the handle hnrcv to the receiver together with the rights
4.4. Vamos Trap Handler 111
rightssnd that should be granted, (b) the handle hnadd to a (potential) ad-
ditional process associated with the rights rightsadd for the receiver, (c) the
memory message msgsnd, and (d) the timeout tosnd.
Based on these values, Vamos performs error checks which reflect the
different phases of ipc send. We first introduce these checks in the following
paragraphs before we proceed with the overall specification.
Invocation. In order to pass the invocation phase, the input arguments
specified by the sender psnd, have to fulfill certain requirements. These
requirements bear on the correct specification of the arguments but also
take the required IPC rights into account.
Formally, function ipc send invoc err describes the error checks:
ipc send invoc err rightsdb psnd hnrcv rightssnd msg hnadd rightsadd ≡
if hnrcv = HN SELF ∨ ¬ valid handle rightsdb psnd hnrcv
then err snd invalid handle
else if hnadd 6= HN NONE ∧ ¬ valid handle rightsdb psnd hnadd
then err invalid handle
else if ¬ valid snd args rightssnd rightsadd hnadd msg
then err invalid args
else if msg = MObjUnavailable then err snd segv
else if ¬ allowed snd op rightsdb psnd hnrcv rightsadd
then err unprivileged else success
Vamos rejects the receiver handle hnrcv with err snd invalid handle,
if it intends a self-reference or if it is invalid.
Error err invalid handle is returned, as soon as psnd wants to pub-
lish an additional process, i. e., hnadd 6= HN NONE, but hnadd is not valid.
The requirements for the specified rights and the memory message en-
capsulates predicate valid snd args:
valid snd args rightssnd rightsadd hnadd msg ≡
rightssnd 6= ⊥ ∧ rightsadd 6= ⊥ ∧ msg 6= MObjUndefined
It demands valid rights, i. e., rightssnd and rightsadd are not equal to ⊥, and
a defined memory message, i. e., msgsnd 6= MObjUndefined. Any violations
lead to the error value err invalid args.
An unavailable memory message is acknowledged with the error message
err snd segv, whereas err unprivileged indicates insufficient rights.
The latter is checked by means of predicate allowed snd op:
allowed snd op rightsdb psnd hnrcv rightsadd ≡
let prcv = drightsdb psnde.hdb hnrcv
in v sendR ∈ ddrightsdb psnde.rdb prcve ∧
(rightsadd = b{}c ∨ privileged rightsdb psnd)
Two prerequisites have to be fulfilled by the sender: (a) it needs the send
right v sendR to the receiver, and (b) it needs privileges to assign a non-
empty set rightsadd of rights to the additional process.
112 4. The Vamos Model
The invocation phase succeeds, if function ipc send invoc err returns
success.
Pre-Transmission. After successfully passing the invocation phase, the
ipc send operation enters the pre-transmission phase. The aim of this phase
is to determine whether the desired communication partner is ready to re-
ceive and, at the same time, meets all requirements for the operation, i. e.,
that the specified buffer bufrcv is big enough for msgsnd.
Vamos uses the predicate ipc send rendez vous to determine the readi-
ness of the receiver:
ipc send rendez vous uprocs schedds sndstatusdb rightsdb psnd hnrcv ≡
let prcv = ddrightsdb psnde.hdb hnrcve
in prcv ∈ set schedds.wait ∧
(case ωproc duprocs prcve of
ipc receive hnsnd buffer torcv ⇒
drightsdb prcve.hdb hnsnd = bpsndc ∨ hnsnd = HN NONE
| ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buffer torcv ⇒
dsndstatusdb prcve ∧ drightsdb prcve.hdb hnrcv = bpsndc
| ⇒ False)
Due to the validity of hnrcv, the process number prcv of the receiver can be
taken from the handle database of psnd. The predicate only applies, if prcv
is waiting while looking forward to a receive operation with psnd involved.
The former is denoted by prcv’s membership in the wait queue schedds.wait,
whereas the latter is determined by the process output. The will to receive
is signaled by the outputs ipc receive and ipc request. In the former
case, prcv is ready to receive from psnd, if the handle hnsnd either specifies an
open-receive, i. e., hnsnd = HN NONE, or points to psnd. With ipc request
no open-receives are possible. Thus, hnsnd has to point to psnd. In addition,
the send phase has to be completed, which is indicated by an active send
status.
Note that the calls ipc receive and ipc request already passed the
invocation phase, before they have been forced to wait. Thus, demanding
the wait state of prcv ensures, that the call arguments are valid and can
safely be used.
Predicate ipc send buffer ovfl determines, whether the receive buffer
bufrcv is big enough for msgsnd. Relying on the validity of msgsnd as well as
bufrcv, it simply compares their sizes:
ipc send buffer ovfl uprocs rightsdb psnd hnrcv msgsnd ≡
let prcv = ddrightsdb psnde.hdb hnrcve; procrcv = duprocs prcve
in get buflen (ωproc procrcv) < length (mObjSeq msgsnd)
Both are compatible, if the length of msgsnd is smaller than the one of bufrcv.
Otherwise, a buffer overflow occurs.
4.4. Vamos Trap Handler 113
Overall Specification. Vamos distinguishes the different phases of the
Vamos call ipc send by means of the output of function ipc send err:
ipc send err uprocs schedds sndstatusdb rightsdb hnrcv rightssnd msg hnadd
rightsadd tosnd ≡
let psnd = dv cup scheddse;
res = ipc send invoc err rightsdb psnd hnrcv rightssnd msg hnadd rightsadd
in if is error res then res
else if ipc send rendez vous uprocs schedds sndstatusdb rightsdb psnd hnrcv
then if ipc send buffer ovfl uprocs rightsdb psnd hnrcv msg
then err snd buffer ovfl else success
else if tosnd = 0 then err snd timeout else εSv
Based on the current process acting as sender psnd and the result res from the
function ipc send invoc err, the definition reflects the different phases. The
invocation phase is represented by function ipc send invoc err and its result
res, respectively. If any invocation error occurred, predicate is error holds
and res is returned. The pre-transmission phase is represented by the predi-
cates ipc send rendez vous and ipc send buffer ovfl. If the former holds, it
depends on the latter whether the transmission starts or fails. A buffer over-
flow aborts the operation with the error message err snd buffer ovfl
whereas success initiates an immediate transmission. The timeout tosnd
comes into play, if no rendez-vous is detected. An immediate timeout, i. e.,
tosnd = 0, results in the error err snd timeout, whereas res = eSv indi-
cates the will to wait.
The overall specification is given by function vamos ipc send:
vamos ipc send sV hnrcv rightssnd msg hnadd rightsadd tosnd ≡
let uprocs = sV.procs; schedds = sV.schedds; priodb = sV.priodb;
sndstatdb = sV.sndstatdb; rightsdb = sV.rightsdb;
devds = sV.devds;
res =
ipc send err uprocs schedds sndstatdb rightsdb hnrcv rightssnd
msg hnadd rightsadd tosnd;
psnd = dv cup scheddse; prcv = ddrightsdb psnde.hdb hnrcve
in if is error res then sV(|procs := uprocs(psnd 7→ δproc res duprocs psnde)|)
else if res = εSv
then sV(|schedds := v ipc wait updt schedds schedds psnd
dpriodb psnde tosnd|)
else sV(|procs := v ipc trans updt procs uprocs rightsdb devds
psnd False hnrcv rightssnd msg hnadd rightsadd,
schedds := v wkp updt schedds schedds [prcv] priodb,
sndstatdb := v ipc trans updt sndstatdb sndstatdb psnd prcv
False,
rightsdb := v ipc trans updt rightsdb rightsdb psnd hnrcv
hnadd rightssnd rightsadd,
devds := v ipc trans updt devds devds prcv|)
The process number psnd of the sender is given by function v cup. Accessing
psnd’s handle database with hnrcv delivers the process number prcv of the
114 4. The Vamos Model
receiver and res holds the result of function ipc send err.
The latter forms the basis for the following case distinctions. As usual,
if res denotes an error, Vamos delivers the according error message to
the calling process, i. e., psnd. If the return value of function ipc send err
denotes eSv, the sender is put into the wait state. Accordingly, function
v ipc wait updt schedds describes the changes on the scheduling datastruc-
tures. The remaining case covers the transmission which is described by the
dedicated functions.
IPC Receive
In order to invoke the Vamos call ipc receive, the (expected) receiver prcv
has to specify (a) a handle hnsnd, (b) a buffer bufrcv, and (c) the timeout
torcv.
In Section 2.5.1, we already mentioned that the Vamos call ipc receive
can be operated in different modes. Thereby, handle hnsnd plays a special
role as it choses between the different operating modes. The first mode
reflects the ordinary communication between processes. As invoking process,
the receiver specifies the desired sender by means of the process handle hnsnd
and commits itself to this particular process as only possible sender. Apart
from that, ipc receive can also be operated as an open-receive which is
made for servers that rely on the possibility to receive requests from various
clients. This option is enabled by setting hnsnd to HN NONE and allows
to be simultaneously available for more than one sender. The remaining
operating mode is tailor-made for device drivers which take a great interest
in receiving external interrupts as fast as possible. In order to meet this
desire, the call ipc receive provides the possibility for a closed-receive
from the kernel. This option is selected by setting hnsnd to HN KERNEL
and restricts the receiving to notifications from the Vamos kernel only. In
doing so, the Vamos kernel is qualified to deliver according notifications
as soon as interrupts for the driver occur. A more detailed view on that
provides Section 4.6.
The specified arguments are checked for their validity in the invocation
phase. The detection of errors leads to the abortion of the call and prcv
gets an according error message. Otherwise, the following pre-transmission
phase looks for an appropriate sender. The pre-transmission phase largely
depends on the operating mode of ipc receive. Especially in the case of an
open-receive, the determination of a sender could affect various processes.
As a consequence, the updates of the particular state components get more
involved which is why they are encapsulated in dedicated functions.
The outline of the remainder of this section looks as follows. We first
introduce the checks regarding invocation errors. After that, we describe
the determination of a sender and associated effects which we formally en-
capsulate into functions. Finally, we combine everything in order to get the
4.4. Vamos Trap Handler 115
overall specification of the call ipc receive.
Invocation. Due to the small number of arguments, checking for invo-
cation errors is quite straightforward. Formally, function ipc rcv invoc err
describes the error checks:
ipc rcv invoc err rightsdb prcv hnsnd buffer ≡
if hnsnd = HN SELF ∨
hnsnd /∈ {HN NONE, HN KERNEL} ∧ ¬ valid handle rightsdb prcv hnsnd
then err rcv invalid handle
else if buffer = BufUndefined then err invalid args
else if buffer = BufUnavailable then err rcv segv else success
The receiver prcv is not allowed to receive from itself, and, as long as it
does neither perform an open-receive nor a closed-receive from the ker-
nel, the specified handle hnsnd has to be valid. Otherwise, error code
err rcv invalid handle is returned. Furthermore, the buffer has to be
defined and available. Violating the former condition leads to the error mes-
sage err invalid args while an unavailable buffer leads to err rcv segv.
Every output from ipc rcv invoc err not equal to success leads to an abor-
tion of the operation accompanied by an error notification to the originat-
ing process. The output success, however, heralds the start of the pre-
transmission phase.
Pre-Transmission. The simplest case depicts a closed-receive from the
kernel. Except for prcv, no other process is involved and the Vamos kernel
solely checks whether there are any notifications for prcv. If so, Vamos deliv-
ers an according message to prcv and thereby completes the call. Otherwise,
either prcv waits or the call is aborted due to a timeout error.
Determining the communication partner, in case of a closed-receive from
another process, is similar as with ipc send. With the validity of handle
hnsnd, the desired sender psnd can be identified by accessing the handle
database of prcv with hnsnd. By means of predicate v is sending to, Vamos
further checks whether psnd is willing to send to prcv:
v is sending to uprocs sndstatdb rightsdb psnd prcv ≡
case ωproc duprocs psnde of
ipc send hnrcv rightssnd msg hnadd rightsadd tosnd ⇒
drightsdb psnde.hdb hnrcv = bprcvc
| ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buffer torcv ⇒
drightsdb psnde.hdb hnrcv = bprcvc ∧ sndstatdb psnd = bFalsec
| ⇒ False
Basically, that is the case, if the output denotes ipc send or ipc request
and the handle hnsnd points to prcv. While a combined send and receive,
however, the send phase may not yet be completed, i. e., the send status has
to be inactive. A transmission comes about, if the message msgsnd of psnd
116 4. The Vamos Model
fits into the receive buffer bufrcv. Otherwise, prcv is put into the wait state
or the call is aborted with a timeout message to prcv.
Things get more elaborate, if prcv performs an open-receive. Thereby, the
communication is no longer restricted to the kernel or one particular process,
but various processes come into consideration as potential sender. Namely,
all those which are waiting for a send operation with prcv as receiver. These
processes are subsumed in a so-called send queue sqrcv, which is specific to
prcv. The send queue sqrcv results from the wait queue and is generated by
function v gen sq:
v gen sq uprocs schedds sndstatdb rightsdb prcv ≡
[p∈schedds.wait . v is sending to uprocs sndstatdb rightsdb p prcv]
The resulting queue contains all waiting processes p that fulfill the predicate
v is sending to, where prcv is assigned as receiver. Note that sqrcv preserves
the chronological order of the wait queue and thus enables the request han-
dling on the basis of first-come, first-serve. Following the chronological order,
the head phd of sqrcv ought to be the actual sender. However, Vamos first
checks whether phd’s message fits into bufrcv. If not, phd gets the error mes-
sage err snd buffer ovfl and Vamos continues traversing sqrcv, unless
it finds an appropriate sender (with compatible message size) or no process
remains.
Against this background, we define function ipc rcv split sq, which takes
all contingencies regarding the determination of a sender into account:
ipc rcv split sq uprocs rightsdbrcv sqrcv hnsnd bufrcv ≡
let sqef f =
if hnsnd = HN KERNEL then [ ]
else if hnsnd = HN NONE then sqrcv
else filter (op = drightsdbrcv.hdb hnsnde) sqrcv;
buf ovfl = λp. bufLength bufrcv < get msglen (ωproc duprocs pe)
in (takeWhile buf ovfl sqef f , dropWhile buf ovfl sqef f)
Based on the queue sqrcv with the processes willing to send to prcv, the
function first computes an effective send queue sqef f . This queue is empty,
if prcv performs a closed-receive from the kernel, i. e., hnsnd = HN KERNEL,
and equivalent to sqrcv while an open-receive, i. e., hnsnd = HN NONE. In
case of a closed-receive, the process number of the desired sender is obtained
by accessing prcv’s handle database with hnsnd. If this process number is
contained in sqrcv, it describes the only element of sqef f . Otherwise, sqef f is
empty.
With the effective send queue sqef f at hand, Vamos continues with check-
ing the compatibility of the send messages and the receive buffer bufrcv. As
a consequence, sqef f is split into two queues. The former is the longest pre-
fix of sqef f with oversized messages, the latter is the remaining queue after
stripping the prefix. In doing so, bufLength determines the size of bufrcv and
get msglen the ones of the send messages.
4.4. Vamos Trap Handler 117
In case that the remaining queue is not empty, its head determines the
actual sender for the transmission. Otherwise, no transmission takes place
but prcv could at least receive kernel notifications. Whether notifications
are delivered decides predicate knotify which is also used in the context of a
closed-receive from the kernel:
knotify rightsdb devds hnsnd prcv ≡
hnsnd ∈ {HN NONE, HN KERNEL} ∧
¬ (drightsdb prcve.stolen = {} ∧
{i ∈ devds.saved. devds.driver i = bprcvc} = {})
In general, a receiver prcv is ready to receive kernel notifications while per-
forming an open-receive or a closed-receive from the kernel. The Vamos
kernel, however, only delivers notifications, if there is a reason, i. e., if there
are invalid handles in prcv’s handle database or pending interrupts with prcv
as registered driver. Regarding the definition of knotify this means, that
Vamos only sends a notification, if either the set of stolen handle of prcv is
not empty or set saved contains interrupts handled by prcv.
Updating the User Processes. The update of the user processes is fairly
elaborate and comprises several case distinctions. Common to all cases is,
that processes causing buffer overflows are provided with an according error
message. Apart from that, Vamos distinguishes two main cases. The first
one describes the situation that no suitable sender was found. Based on this,
Vamos determines whether it is possible that notification can be delivered to
prcv. If so, Vamos assembles an according message and sends it to prcv. In
case that no notifications can be delivered, the timeout torcv decides whether
prcv receives a timeout error. The effects of a transmission are described by
function v ipc trans updt procs.
Formally, function v ipc rcv updt procs combines all these case distinc-
tions:
v ipc rcv updt procs uprocs rightsdb devds sqrcv prcv hnsnd buffer
torcv ≡
let (sendQbovf l, sendQsnd) =
ipc rcv split sq uprocs drightsdb prcve sqrcv hnsnd buffer;
uprocsbovf l =
λp. if p ∈ set sendQbovf l
then bδproc err snd buffer ovfl duprocs pec else uprocs p;
irqs = {i ∈ devds.saved. devds.driver i = bprcvc};
stolen = drightsdb prcve.stolen 6= {};
knot =
succ receive HN KERNEL False {} [ ] HN NONE False {} stolen False
irqs
in case sendQsnd of
[ ] ⇒ if knotify rightsdb devds hnsnd prcv
then uprocsbovf l(prcv 7→ δproc knot duprocs prcve)
118 4. The Vamos Model
else if torcv = 0
then uprocsbovf l(prcv 7→ δproc err rcv timeout duprocs prcve)
else uprocsbovf l
| psnd · ps ⇒
let req = is send receive (ωproc duprocs psnde);
(hnrcv, rightssnd, msg , hnadd, rightsadd) =
get sender args (ωproc duprocs psnde)
in v ipc trans updt procs uprocsbovf l rightsdb devds psnd req
hnrcv rightssnd msg hnadd rightsadd
Based on the send queue sqrcv, function ipc rcv split sq is used to sub-
sume the processes causing buffer overflows in sendQbovf l whereas sendQsnd
denotes the remainder of sqrcv. The intermediate update uprocsbovf l of the
virtual machines describes the delivery of message err snd buffer ovfl
to all processes in sendQbovf l. Relying on this update, we proceed with the
remaining case distinctions.
An empty queue sendQsnd denotes the fact that no appropriate sender is
ready. However, if predicate knotify applies, it is at least possible to deliver
any notifications to prcv. The according message is generated by function
deliverNotifications and abbreviated by knot. If the delivery of notifcations
is not possible, prcv either receives the error message err rcv timeout
or the virtual machines uprocsbovf l remain untouched.
The sender psnd, in case of a transmission, is given by the head of
sendQsnd. Function get sender args delivers the according arguments and
the predicate is send receive determines, whether the sender psnd performs
an ipc request call.
Based on these values, the function v ipc trans updt procs performs the
relevant updates.
Updating the Rights Datastructures. Taking the preceding consid-
erations into account, the update of the rigths datastructures is straight-
forward. The function v ipc trans updt rightsdb delivers the update, if a
transition takes place. Otherwise, the datastructures stay untouched:
v ipc rcv updt rightsdb rightsdb uprocs sendQ prcv hnsnd buffer ≡
case snd (ipc rcv split sq uprocs drightsdb prcve sendQ hnsnd buffer) of
[ ] ⇒ rightsdb
| p · ps ⇒
let (hnrcv, rightssnd, msg , hnadd, rightsadd) =
get sender args (ωproc duprocs pe)
in v ipc trans updt rightsdb rightsdb p hnrcv hnadd rightssnd rightsadd
A transmission only takes place, if the the second component of the tuple
returned by ipc rcv split sq is not empty. The head is chosen as sender and
function get sender args determines its specified arguments and passes them
on to the transmission function.
4.4. Vamos Trap Handler 119
Updating the Scheduling Datastructures. The update of the schedul-
ing datastructures follows the same structure as the one for the virtual ma-
chines. First of all, processes causing buffer overflows are waken up. Apart
from that, Vamos again distinguishes whether a transmission takes place or
not. If not, prcv is put into the wait state, as long as no kernel notifications
can be delivered and no timeout occurrs. After a transmission initiated
by an ipc receive, the sender psnd is usually put back to the ready state.
However, this is only true, if psnd does not perform an ipc request. Other-
wise, it is forced to wait again for a response from prcv and only its timeout
is recomputed.
Formally, Vamos uses function v ipc rcv updt schedds to describe the
relevant updates:
v ipc rcv updt schedds schedds uprocs rightsdb priodb sndstatusdb
devds sendQ prcv hnsnd buffer torcv ≡
let (sendQbovf l, sendQsnd) =
ipc rcv split sq uprocs drightsdb prcve sendQ hnsnd buffer;
scheddsbovf l = v wkp updt schedds schedds sendQbovf l priodb
in case sendQsnd of
[ ] ⇒ if ¬ knotify rightsdb devds hnsnd prcv ∧ torcv 6= 0
then v ipc wait updt schedds scheddsbovf l prcv dpriodb prcve
torcv
else scheddsbovf l
| psnd · ps ⇒
if is send receive (ωproc duprocs psnde)
then scheddsbovf l
(|procdb := scheddsbovf l.procdb(psnd 7→
dscheddsbovf l.procdb psnde
(|timeout := compute new timeout uprocs scheddsbovf l psnd|))|)
else v wkp updt schedds scheddsbovf l [psnd] priodb
Again, the split send queue (sendQbovf l, sendQsnd) is the linchpin. The
awakening of the processes in sendQbovf l results in the intermediate update
scheddsbovf l which lays the foundation for the remaining steps.
If no sender is involved, i. e., sendQsnd is empty, the receiver either waits
or gets a timeout error. The former happens, if the timeout value torcv does
not intend an immediate timeout and no delivery of kernel notifications
is possible. Accordingly, the pre-defined function v ipc wait updt schedds
describes the semantic effects. Otherwise, the scheduling datastructures
scheddsbovf l stay unchanged.
A transmission takes place, if sendQsnd is not empty. As long as psnd
does not perform an ipc request, it is put back into the ready state which
is described by function v wkp updt schedds. If the sending was part of an
ipc request, psnd switches over into the receive phase, whereas function
compute new timeout determines the new timeout value:
120 4. The Vamos Model
compute new timeout uprocs schedds p ≡
case ωproc duprocs pe of
ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buffer torcv ⇒
torcv += schedds.time
| ⇒ dschedds.procdb pe.timeout
The specified receive timeout torcv is added to the current time.
Updating the Send Status Database. The send status database is only
updated, if the receiver’s send queue sqrcv contains a suitable sender. In this
case, the pre-defined transmission function v ipc trans updt sndstatdb han-
dles the update. Otherwise, the send status database remains unchanged.
Function v ipc rcv updt sndstatdb encapsulates the semantic effects:
v ipc rcv updt sndstatdb sndstatdb uprocs rightsdb sendQ prcv hnsnd
buffer ≡
case snd (ipc rcv split sq uprocs drightsdb prcve sendQ hnsnd
buffer) of
[ ] ⇒ sndstatdb
| p · ps ⇒
v ipc trans updt sndstatdb sndstatdb p prcv
(is send receive (ωproc duprocs pe))
Updating the Device Datastructures. A transmission as well as kernel
notifications involve the delivery of interrupts to the receiver. Thus, in
both situations, an update of the device datastructures is to be expected.
Function v ipc rcv updt devds formally defines this update while relying on
function v ipc trans updt devds:
v ipc rcv updt devds devds rightsdb uprocs sendQ prcv hnsnd buffer ≡
if snd (ipc rcv split sq uprocs drightsdb prcve sendQ hnsnd buffer) 6= [ ] ∨
knotify rightsdb devds hnsnd prcv
then v ipc trans updt devds devds prcv else devds
Overall Specification. The abstract function vamos ipc receive puts ev-
erything together and describes the overall specification of the Vamos call
ipc receive:
vamos ipc receive sV hnsnd buffer torcv ≡
let procs = sV.procs; schedds = sV.schedds; priodb = sV.priodb;
sndstatdb = sV.sndstatdb; rightsdb = sV.rightsdb;
devds = sV.devds; prcv = dv cup scheddse;
res = ipc rcv invoc err rightsdb prcv hnsnd buffer;
sqrcv = v gen sq procs schedds sndstatdb rightsdb prcv
in if is error res then sV(|procs := procs(prcv 7→ δproc res dprocs prcve)|)
else sV(|procs := v ipc rcv updt procs procs rightsdb devds sqrcv prcv
hnsnd buffer torcv,
schedds := v ipc rcv updt schedds schedds procs rightsdb
4.4. Vamos Trap Handler 121
priodb sndstatdb devds sqrcv prcv hnsnd buffer
torcv,
sndstatdb := v ipc rcv updt sndstatdb sndstatdb procs rightsdb
sqrcv prcv hnsnd buffer,
rightsdb := v ipc rcv updt rightsdb rightsdb procs sqrcv prcv
hnsnd buffer,
devds := v ipc rcv updt devds devds rightsdb procs sqrcv
prcv hnsnd buffer|)
IPC Request
The semantics of the ipc request call is pretty similar to the one of
ipc send. They only differ in two points: the invocation errors and the
update of the scheduling datastructures in case of a transmission.
Due to the additional call arguments the check for invocation errors has
to be extended, as the definition of function ipc sr invoc err illustrates:
ipc sr invoc err rightsdb psnd hnrcv rightssnd msg hnadd rightsadd buffer
torcv ≡
if hnrcv = HN SELF ∨ ¬ valid handle rightsdb psnd hnrcv
then err snd invalid handle
else if hnadd 6= HN NONE ∧ ¬ valid handle rightsdb psnd hnadd
then err invalid handle
else if ¬ valid sr args rightssnd rightsadd msg buffer hnadd torcv
then err invalid args
else if msg = MObjUnavailable then err snd segv
else if buffer = BufUnavailable then err rcv segv
else if ¬ allowed sr op rightsdb psnd hnrcv rightsadd
torcv
then err unprivileged else εSv
Regarding the handles hnrcv and hnadd the same conditions apply as within
ipc send. The predicate valid sr args is based on the former predicate
valid snd args and additionally checks for a defined buffer and a finite receive
timeout:
valid sr args rightssnd rightsadd msg buffer hnadd torcv ≡
valid snd args rightssnd rightsadd hnadd msg ∧
buffer 6= BufUndefined ∧ torcv 6= 0
Besides an available message, an ipc request call also requires an available
buffer. The sender is only allowed to perform the combined send and receive
operation, if predicate allowed sr op holds:
allowed sr op rightsdb psnd hnrcv rightsadd torcv ≡
let prcv = drightsdb psnde.hdb hnrcv; rightscurr = ddrightsdb psnde.rdb prcve
in rightscurr ∩ {v sendR, v requestR} 6= {} ∧
(privileged rightsdb psnd ∨ rightsadd = b{}c) ∧
(torcv = ∞ ∨ rightscurr ∩ {v sendR, v finiteR} 6= {})
122 4. The Vamos Model
Three prerequisites have to be fulfilled by the sender: (a) it needs the send
or the request right to the receiver, (b) it needs privileges to assign a non-
empty set rightsadd of rights to the additional process, and (c) the timeout
value torcv is either infinite or it has the permission to send with a finite
timeout. The latter is fulfilled, if one of the rights v sendR or v finiteR is
owned. In an analagous way as with ipc send err, we use ipc sr invoc err
to define the predicate ipc sr err.
The second difference occurs while updating the scheduling datastruc-
tures in case of a transmission. In contrast to ipc send, a combined send
and receive operation is not completed after the send phase. The sender
rather switches its role and is forced to wait for a response. This interferes
with the update of the scheduling datastructures, which is performed by
means of function v ipc wkp wait updt schedds. The receiver is waken up
and the sender is forced to wait. Furthermore, its new timeout value is set
according to torcv.
Taking all the differences into account, the formal specification looks as
follows:
vamos ipc send receive sV hnrcv rightssnd msg hnadd rightsadd tosnd
buffer torcv ≡
let procs = sV.procs; schedds = sV.schedds; priodb = sV.priodb;
sndstatdb = sV.sndstatdb; rightsdb = sV.rightsdb;
devds = sV.devds; psnd = dv cup scheddse;
prcv = ddrightsdb psnde.hdb hnrcve;
res =
ipc sr err procs schedds sndstatdb rightsdb hnrcv rightssnd
msg hnadd rightsadd tosnd buffer torcv
in if is error res then sV(|procs := procs(psnd 7→ δproc res dprocs psnde)|)
else if res = εSv
then sV(|schedds := v ipc wait updt schedds schedds psnd
dpriodb psnde tosnd|)
else sV(|procs := v ipc trans updt procs procs rightsdb devds psnd
True hnrcv rightssnd msg hnadd rightsadd,
schedds := v ipc wkp wait updt schedds schedds prcv psnd
priodb torcv,
sndstatdb := v ipc trans updt sndstatdb sndstatdb psnd prcv
True,
rightsdb := v ipc trans updt rightsdb rightsdb psnd hnrcv
hnadd rightssnd rightsadd,
devds := v ipc trans updt devds devds prcv|)
Changing IPC Rights
We have just seen, that IPC enables the sender to provide the receiver of the
IPC message with additional rights. In this context, Vamos synchronously
updates the handle and rights databases and informs the receiver on these
changes by means of the result message. However, IPC only allows to grant
4.4. Vamos Trap Handler 123
rights but not to revoke them. In addition to that, it should be possible
to reset entries in the handle and rights databases. This is necessary in
order to clean up the databases, on the one hand, and to invalidate handles,
on the other one. All this functionality is encapsulated in the Vamos call
change rights. For this to work, a calling process pcp has to specify the
following parameters: (a) the handle hnsubj to the subject whose databases
should be changed, (b) the handle hnobj to the object to which the new rights
should apply, (c) the flag grant determining whether the rights are granted
or revoked, and (d) the description rightsobj how to change the rights.
As always, user-specified parameters might be erroneous and therefore
have to pass the validity checks. The latter are encapsulated in function
vamos result change rights:
vamos result change rights rightsdb pcp rightsobj hnsubj hnobj ≡
if rightsobj = ⊥ then err invalid args
else if ¬ valid handle rightsdb pcp hnsubj
then err invalid subj handle
else if ¬ valid handle rightsdb pcp hnobj
then err invalid obj handle
else if ¬ legal op rightsdb pcp hnsubj hnobj rightsobj
then err unprivileged
else if ¬ known obj rightsdb pcp hnsubj hnobj
then err invalid handle else success
First of all, the specified rights rightsobj must follow the given rights format.
Otherwise, rightsobj = ⊥ and error err invalid args is triggered. Quite
apart from the fact that the handles hnsubj and hnobj have to be valid in
the context of pcp, the operation has to be legal and the object needs to be
known by the subject. The former is checked by predicate legal op:
legal op rightsdb pcp hnsubj hnobj rights ≡
privileged rightsdb pcp ∨
hnsubj = HN SELF ∧ rights = b{}c ∨ hnobj = HN SELF
Privileged processes are allowed to do any changes on the rights datas-
tructures. Without privileges, pcp is only allowed to either update its own
databases or entries in others, as long as they refer to itself. The calling
process pcp expresses the will to clean up its own handle database by setting
hnsubj to HN SELF. As this operation does not involve the granting or re-
voking of rights, it is additionally required that rights = b{}c. In case that
hnsubj 6= HN SELF, the handle to the object must denote HN SELF. This
ensures that only entries refering to pcp are changed.
In order to change the entries in the subject’s rights datastructures, the
object even needs to be known by the subject. Predicate known obj formally
encapsulates this prerequisite:
known obj rightsdb pcp hnsubj hnobj ≡
hnsubj 6= hnobj ∧
124 4. The Vamos Model
(let psubj = ddrightsdb pcpe.hdb hnsubje
in ∃hn. drightsdb psubje.hdb hn = drightsdb pcpe.hdb hnobj)
The notion of known processes is mainly used in the context of IPC. As a
process might not communicate with itself, we regard a process as unknown
to itself. Moreover, it does not make any sense that a process changes the
rights to itself. The first conjunction hnsubj 6= hnobj formalizes this. The
second conjunction ensures, that there exists a handle in the subject’s handle
database pointing to the object. Note that psubj is well-defined because the
validity of hnsubj was previously checked. The same applies for the handle
database access with hnobj.
Based on the result of vamos result change rights, the overall specifica-
tion function vamos change rights describes the effects on a Vamos state:
vamos change rights sV hnsubj hnobj grant rights ≡
let pcp = dv cup sV.scheddse;
waitingsubj =
ddsV.rightsdb pcpe.hdb hnsubje mem sV.schedds.wait;
res =
vamos result change rights sV.rightsdb pcp rights hnsubj hnobj
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := v chg rights updt procs sV.procs sV.rightsdb
waitingsubj pcp hnsubj hnobj grant rights,
schedds := v chg rights updt schedds sV.schedds sV.procs
sV.priodb sV.rightsdb pcp hnsubj hnobj grant
rights,
rightsdb := v chg rights updt rightsdb sV.rightsdb sV.procs pcp
hnsubj hnobj grant rights,
sndstatdb := v chg rights updt sndstatdb sV.sndstatdb sV.procs
sV.rightsdb waitingsubj pcp hnsubj hnobj grant
rights|)
The error case only involves the error message passing to the calling process
pcp. As the manipulation of rights might abort pending IPC operations of
the subject, the according state updates are not only restricted to the rights
datastructures but also involve the virtual machines and the send status
databases.
Function res if pending ipc has the decision on the abortion of an IPC
operation:
res if pending ipc uprocs rightsdb psubj pobj grant rights ≡
let hdbsubj = drightsdb psubje.hdb; rdbsubj = drightsdb psubje.rdb
in case ωproc duprocs psubje of
ipc send hnrcv rightssnd msg hnadd rightsadd tosnd ⇒
if hdbsubj hnrcv = bpobjc ∧ rights = {} then err snd invalid handle
else if hdbsubj hnadd = bpobjc ∧ rights = {} then err invalid handle
else if ¬ grant ∧
hdbsubj hnrcv = bpobjc ∧
4.4. Vamos Trap Handler 125
v sendR /∈ drdbsubj bpobjce − rights
then err unprivileged else εSv
| ipc receive hnsnd buffer torcv ⇒
if hdbsubj hnsnd = bpobjc ∧ rights = {}
then err rcv invalid handle
else if hnsnd ∈ {HN NONE, HN KERNEL} ∧
rights = {} ∧ psubj 6= pobj ∧ is known rightsdb psubj pobj
then succ receive HN KERNEL False {} [ ] HN NONE False {} True
False {}
else εSv
| ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buffer torcv ⇒
if hdbsubj hnrcv = bpobjc ∧ rights = {}
then err snd invalid handle
else if hdbsubj hnadd = bpobjc ∧ rights = {}
then err invalid handle
else if ¬ grant ∧
hdbsubj hnrcv = bpobjc ∧
revoked req rights hdbsubj rdbsubj rights pobj hnrcv
torcv
then err unprivileged else εSv
| ⇒ εSv
The definition assumes that psubj denotes the process number of the subject
and pobj the one of the object. Furthermore, it abbreviates the subject’s
handle database with hdbsubj and the rights database with rdbsubj. Relying
on that, it inspects the ouput of psubj. The function returns eSv, as long as
either the output does not denote an IPC operation or the intended IPC
operation is not affected by the rights manipulation. Otherwise, it returns
the corresponding error code.
An ipc send operation is aborted, if the handles hnrcv or hnadd become
invalid. The invalidation of the handles to pobj is indicated by rights =
{}. Accordingly, handle hnrcv becomes invalid, if it points to pobj. The
resulting error message is err snd invalid handle. Similarily, result
err invalid handle is returned, if the handle hnadd points to pobj. Be-
sides the handle invalidation, the revocation of rights may also influence the
send operation. It is implied by an inactive flag grant and aborts the opera-
tion, if pobj is assigned as receiver and psubj loses the v sendR right to pobj.
Due to this, psubj is no longer allowed to send to pobj and obtains the error
message err unprivileged. In a similar way, Vamos proceeds, if psubj
performs an ipc request. In this case, however, things are more elaborate
regarding the revocation of rights. Vamos considers psubj as unprivileged,
if predicate revoked req rights holds:
revoked req rights hdbsubj rdbsubj rights pobj hnrcv torcv ≡
if hdbsubj hnrcv = bpobjc ∧
((drdbsubj bpobjce − rights) ∩ {v sendR, v requestR} = {} ∨
(drdbsubj bpobjce − rights) ∩ {v sendR, v finiteR} = {} ∧ torcv 6= ∞)
then True else False
126 4. The Vamos Model
First of all, the involved receiver must again correspond to pobj. The process
psubj does no longer hold sufficient rights for the operation, if after the
revocation (a) it neither owns the v sendR nor the v requestR right, or (b) it
neither owns the v sendR nor the v finiteR right and the specified timeout
for the receive part is not infinite.
An ipc receive operation of psubj is only affected by a process invalida-
tion. The obvious case covers the correspondence of the invalidated process
pobj with the intended sender. Error message err rcv invalid handle
denotes this. However, ipc receive could also be terminated with a ker-
nel notification. Usually, a process invalidation comes along with moving
the corresponding handle into the stolen set. As seen before, a non-empty
stolen set triggers a kernel notification, if the receiver performs either an
open-receive or a closed-receive from the kernel. However, the invalidation
of pobj affects psubj only, if pobj was previously known by psubj. Furthermore,
a notification is only passed on to psubj, if it is different from pobj because a
process cannot be invalidated in its own context.
With these preliminary remarks at hand, we proceed with the particular
updates of the state components.
Updating the User Processes The update of the user processes passes
a success message on to the calling process pcp. In addition, if psubj was
waiting in a pending IPC operation that has been aborted, it gets the cor-
responding error notification.
The function v chg rights updt procs delivers the formal specification:
v chg rights updt procs uprocs rightsdb waitingsubj pcp hnsubj hnobj grant
rights ≡
let psubj = ddrightsdb pcpe.hdb hnsubje; pobj = ddrightsdb pcpe.hdb hnobje;
resipc = res if pending ipc uprocs rightsdb psubj pobj grant drightse
in λx . if x = pcp then bδproc success duprocs xec
else if x = psubj ∧ resipc 6= εSv ∧ waitingsubj
then bδproc resipc duprocs xec else uprocs x
The flag waitingsubj indicates whether psubj is in the wait queue.
Updating the Scheduling Datastructures The scheduling datastruc-
tures are only affected by an aborted IPC operation. In this case, psubj
is waken up. The pre-defined function v wkp updt schedds describes the
semantic effect.
Function v chg rights updt schedds encapsulates the overall update:
v chg rights updt schedds schedds uprocs priodb rightsdb pcp hnsubj hnobj grant
rights ≡
let psubj = ddrightsdb pcpe.hdb hnsubje; pobj = ddrightsdb pcpe.hdb hnobje;
resipc = res if pending ipc uprocs rightsdb psubj pobj grant drightse;
waitingsubj = psubj mem schedds.wait
4.4. Vamos Trap Handler 127
in if resipc 6= εSv ∧ waitingsubj then v wkp updt schedds schedds [psubj] priodb
else schedds
Updating the Rights Datastructures The update of the rights datas-
tructures distinguishes three cases: (a) the process invalidation or deletion,
(b) the rights granting, and (c) the rights revocation.
The function v chg rights updt rightsdb encapsulates the corresponding
updates:
v chg rights updt rightsdb rightsdb uprocs pcp hnsubj hnobj grant rights ≡
let psubj = ddrightsdb pcpe.hdb hnsubje; pobj = ddrightsdb pcpe.hdb hnobje;
hdbsubj = drightsdb psubje.hdb; rdbsubj = drightsdb psubje.rdb;
stolensubj = drightsdb psubje.stolen
in rightsdb(psubj 7→
if drightse = {}
then drightsdb psubje
(|hdb := λhn. if hdbsubj hn = bpobjc then ⊥ else hdbsubj hn,
rdb := rdbsubj(bpobjc := ⊥),
stolen := stolensubj ∪ {hn. hnsubj 6= HN SELF ∧ hdbsubj hn = bpobjc}|)
else if grant
then drightsdb psubje
(|rdb := rdbsubj(bpobjc 7→ drdbsubj bpobjce ∪ drightse)|)
else drightsdb psubje
(|rdb := rdbsubj(bpobjc 7→ drdbsubj bpobjce − drightse)|))
Accesses to the handle database of the calling process pcp with the handles
hnsubj and hnobj deliver the process numbers of the subject psubj and the
object pobj. The subject’s handle and rights databases are abbreviated with
hdbsubj and rdbsubj. For the set of stolen handles we use stolensubj.
Object pobj is invalidated resp. deleted in the context of psubj, if the
parameter rights represents an empty set. The indices of handles in hdbsubj
pointing to pobj are set to ⊥, as well as the entry of pobj in the rights database
rdbsubj. Additionally, the handles pointing to pobj are inserted into the stolen
set stolensubj, as long as it does not conform with HN SELF. Note that due
to the uniqueness of handles only one handle in hdbsubj points to pobj.
Granting and revoking of rights is straightforward. The specified rights
rights are either added to or subtracted from the former rights.
Updating the Send Status Database Updating the send status data-
base is straightforward. If an IPC operation of psubj is aborted, the entry of
psubj is set to False. Otherwise, it remains untouched:
v chg rights updt sndstatdb sndstatdb uprocs rightsdb waitingsubj pcp hnsubj
hnobj grant rights ≡
let psubj = ddrightsdb pcpe.hdb hnsubje; pobj = ddrightsdb pcpe.hdb hnobje;
resipc = res if pending ipc uprocs rightsdb psubj pobj grant drightse
in if resipc 6= εSv ∧ waitingsubj then sndstatdb(psubj 7→ False) else sndstatdb
128 4. The Vamos Model
4.4.7 Read Kernel Information
The reading of kernel information is provided by the call read kernel info.
When the kernel detects a condition or event, like a stale handle or
an external interrupt, it sends a notification with the next receive oper-
ation. However, the number of the notification bits is very limited and
there might be much more useful information. Once a user process was
notified about a certain notification type, it can ask for more information
by read kernel info. Currently, there is only one notification type sup-
ported: The stale-handle notification. However, we can use this mechanism
as well, if we would like to carry more information on external interrupts,
for instance, the keypress timestamps for the T-Systems project [47].
Function vamos read kernel info specifies the semantic effects of reading
kernel information:
vamos read kernel info sV note ≡
let pcp = dv cup sV.scheddse; stolen = dsV.rightsdb pcpe.stolen;
res = if note = ⊥ then err invalid args else success
in if is error res then sV(|procs := sV.procs(pcp 7→ δproc res dsV.procs pcpe)|)
else sV(|procs := sV.procs(pcp 7→
δproc (succ kinfo staleh stolen) dsV.procs pcpe),
rightsdb := sV.rightsdb(pcp 7→ dsV.rightsdb pcpe(|stolen := {}|))|)
The calling process pcp gets an err invalid args message, if the noti-
fication was not well-defined. Otherwise, pcp is informed about all stolen
handles in its handle database by means of a succ kinfo staleh mes-
sage. After receiving the message, pcp knows about the stolen handles and
could initiate further steps. In any case, the set of stolen handles is empty,
afterwards.
4.5 Vamos Scheduler
On the abstract level, the Vamos scheduler is part of the Vamos transition
function dV and copes with the handling of timer-interrupts. The func-
tion handleTimer, which delivers the specification of the Vamos scheduler,
accomplishes three steps:
handleTimer sV pcup ≡
charge (checkTimeouts (sV(|schedds := sV.schedds(|time := sV.schedds.time + 1|)|)))
pcup
In the first step, the current time time is incremented. Afterwards, the
scheduler checks by means of function checkTimeouts for expired timeouts.
Processes with expired timeouts are informed about this circumstance by
means of an error message and set back to the ready state. Finally, the
computing time of the current time is charged from its timeslice. This
charging is formally described by the function charge.
4.5. Vamos Scheduler 129
Note that the current process pcup is provided as a parameter because in
the first phase of a Vamos transition, the queues might change. Hence, we
may not assume that v cup sV.schedds has been computing in the last step.
Instead, the current process is stored in pcup at kernel entry and provided
as input to handleTimer.
Subsequently, we introduce the definitions of checkTimeouts and charge
and, thus, complete the formal specification of the Vamos scheduler.
Checking for Elapsed Timeouts. As shown in the definition of handle-
Timer, each timer-interrupt involves the incrementation of the current time.
The task of the scheduler is to check whether the timeout of an arbitrary
process p has thereby expired. If so, the scheduler sends a corresponding
error message and puts p back into the ready state. Formally, this task is
described by function checkTimeouts:
checkTimeouts sV ≡ sV
(|procs := λp. if expiredTimeout sV.schedds p
then if vamosIsSending sV.procs sV.sndstatdb p
then bδproc err snd timeout dsV.procs pec
else bδproc err rcv timeout dsV.procs pec
else sV.procs p,
schedds := v wkp updt schedds sV.schedds
(filter (expiredTimeout sV.schedds) sV.schedds.wait)
sV.priodb,
sndstatdb := λp. if expiredTimeout sV.schedds p then bFalsec
else sV.sndstatdb p|)
A prominent role plays the predicate expiredTimeout. Relying on scheduling
datastructures schedds, it figures out whether the timeout for an arbitrary
process p has expired:
expiredTimeout schedds p ≡
p ∈ set schedds.wait ∧
(∃data.
schedds.procdb p = bdatac ∧ (∃t. data.timeout = Fin t ∧ t ≤ schedds.time))
As the first conditions reflects, timeouts in Vamos only apply to waiting
processes p. Actually, the existence of the process-specific scheduling in-
formation data is implicitly given because p is not inactive. However, the
predicate explicitly demands its existence and the last part of the conjunc-
tion establishes the basic message: Timeout t of p has expired, if t denotes
a finite value Fin t and t is smaller than or equal to the current time denoted
by schedds.time.
Relying on predicate expiredTimeout, the actual state updates appear as
follows. All processes p with expired timeouts get an according error mes-
sage. Thereby, Vamos distinguishes whether a process p has been waiting in
the send or the receive phase of an IPC operation. The former applies, if the
130 4. The Vamos Model
previously defined predicate vamosIsSending is true for p. Setting a process
p back into the ready state involves to dequeue it from the wait queue and
to append it again on the ready queue of p’s priortiy. All these actions only
affect the scheduling datastructures and are encapsulated in the previously
defined function v wkp updt schedds. The list of processes that should be
woken up comprises all processes out of sV.schedds.wait which fulfill predi-
cate expiredTimeout. In addition, the send status of these processes is reset
to False.
Charging the Computing Time of the Current Process. The Va-
mos kernel concedes to each process a certain computing time of tsl clock
ticks, whereas clock ticks are a measurment for occurred timer interrupts.
Already consumed clock ticks are recorded in the component ctsl. Thus, if
the current process pcup is found to be computing when a timer interrupt
raises, the scheduler increases ctsl of pcup. This is repeated as long as process
pcup is either displaced by a higher-prioritized process or the value of ctsl
has reached tsl. Latter involves a break of pcup’s computation and a new
process is scheduled. This means for pcup, that its consumed time ctsl is
reset and that pcup is put to the end of its ready queue.
Function charge gives the formal specification:
charge sV pcup ≡
let procdbcup = sV.schedds.procdb dpcupe;
readycup = sV.schedds.ready dsV.priodb dpcupee
in sV(|schedds := if pcup = ⊥ ∨ dpcupe /∈ set readycup then sV.schedds
else if dprocdbcupe.tsl ≤ dprocdbcupe.ctsl
then sV.schedds
(|ready := sV.schedds.ready
(dsV.priodb dpcupee :=
[p∈readycup . p 6= dpcupe] @ [dpcupe]),
procdb := sV.schedds.procdb(dpcupe 7→ dprocdbcupe
(|ctsl := 0|))|)
else sV.schedds
(|procdb := sV.schedds.procdb(dpcupe 7→ dprocdbcupe
(|ctsl := dprocdbcupe.ctsl + 1|))|)|)
All in all, function charge distinguishes two situations: The first one reflects
that either no current process pcup existed at kernel entry or that pcup has
been rescheduled in the meantime. As Vamos accepts the rescheduling of
pcup as ‘payment’, both cases do not involve any changes on sV.schedds.
The second situation reflects the actual charging of the current process
pcup as described above. In this context, the definition of charge abbreviates
the process-specific scheduling datastructures of pcup with procdbcup and the
ready queue of pcup’s priority with readycup. Two cases are considered.
The first case deals with a computing current process pcup whose times-
lice tsl is exhausted. The result is that the consumed time is reset to 0
4.6. Vamos Interrupt Delivery 131
and pcup is appended to the end of readycup. For this purpose, it is first
completely removed and then appended at the end, again.
If the timeslice is not exhausted, pcup is allowed to continue its compu-
tation but the consumed time ctsl is increased.
4.6 Vamos Interrupt Delivery
In the third phase of aVamos transition dV, the kernel delivers the interrupts
that have occurred. The set irqs of interrupts that have been active at kernel
entry are provided as input parameter to dV. The transition function, in
turn, passes them on to function vamosInterruptDelivery which specifies the
interrupt delivery:
vamosInterruptDelivery sV irqs ≡
let driverstbn =
filter (notifyHandler sV.procs sV.devds irqs) sV.schedds.wait;
irqpend = {i ∈ irqs. ∃x . x /∈ set driverstbn ∧ sV.devds.driver i = bxc}
in sV(|procs := λx . if x ∈ set driverstbn
then bδproc (deliverNotifications sV.rightsdb sV.devds irqs x)
dsV.procs xec
else sV.procs x ,
schedds := v wkp updt schedds sV.schedds driverstbn sV.priodb,
devds := sV.devds
(|enabled := sV.devds.enabled − irqs, saved := sV.devds.saved ∪ irqpend|)|)
Predicate notifyHandler is the basis of the definition. Relying on virtual
machines uprocs, device datastructures devds and the set irqs of active
interrupts, it determines whether an arbitrary process p is registered as
handler for at least one interrupt i ∈ irqs and, in addition, ready to accept
possible interrupts for the handling:
notifyHandler uprocs devds irqs p ≡
∃proc .
uprocs p = bprocc ∧
(∃hnsnd buffer torcv.
ωasm proc = ipc receive hnsnd buffer torcv ∧
hnsnd ∈ {HN NONE, HN KERNEL} ∧ (∃i∈irqs. devds.driver i = bpc))
Whether a process, in principle, is ready to receive any interrupts, depends
on its current state. For this purpose, notifyHandler inspects the output of p.
Therefore, the basic requirement is that process p is assigned with a virtual
machine proc, i. e., p is not inactive. Applying the output function wasm
to proc delivers p’s current output. Regarding the reception of interrupts,
this output must denote ipc receive. Furthermore, it must specify an
open receive or a closed receive to the kernel. Both cases are distinguished
by handle hnsnd. Former is denoted by HN NONE, latter by HN KERNEL.
Process p is only notified about interrupts, if it is a registered handler for
at least one of the interrupts i ∈ irqs, i. e., devds.driver i = bpc.
132 4. The Vamos Model
Based on notifyHandler the definition of vamosInterruptDelivery abbre-
viates the list of processes to be notified with handlerstbn. It contains all
waiting processes p which fulfill predicate notifyHandler. In addition, irqpend
denotes the set of still pending interrupts, i. e., those interrupts whose han-
dlers are not ready to receive.
According to that, the update of state sV is performed as follows. Each
notified process p receives a notification from the Vamos kernel. This no-
tification is generated by function deliverNotifications, which was already
introduced in Section 4.4.3. After the interrupt delivery, the notified han-
dlers are set back to the ready state. Corresponding effects describes the
pre-defined function v wkp updt schedds. Finally, the device datastructures
are updated. As all interrupts irqs have been captured by the Vamos kernel,
they are disabled until their definite handling. Interrupts irqpend, that have
not been delivered in this kernel run, remain pending and are added to the
set saved.
Chapter 5
Vamos Correctness
Contents
5.1 Data Abstraction . . . . . . . . . . . . . . . . . . 134
5.2 Implementation Invariant . . . . . . . . . . . . . 143
5.3 The Simulation Theorem . . . . . . . . . . . . . . 156
In the last chapter, we introduced the abstract model of the Vamos
kernel. It constitutes a compact and easily accessible representation of the
Vamos functionality, without going into any implementation details. Thus,
the Vamos model can be taken as basis for higher-level models and further
verification attempts. For instance, Bogan [15] relies on Vamos while spec-
ifying the operating system in the academic system and Daum [25] showed
the fairness of the Vamos scheduler.
However, we certainly have to ensure that the Vamos model is a true ab-
straction of the Vamos implementation. For this reason, we aim at a formal
simulation proof between implementation and specification by induction. As
Figure 5.1 suggests, our induction start is based on the fact that the state
sv1 after the first system step at a reset can be abstracted via an abstrac-
sv0 sv1 sv2 sv3 svn
s1V+D s
2
V+D s
3
V+D s
n
V+D
A
b
s V
+
D
A
b
s V
+
D
A
b
s V
+
D
A
b
s V
+
D
system step system step
dV+D
system step
dV+D
· · ·
· · ·
Figure 5.1: Simulation between implementation and model
133
134 5. Vamos Correctness
tion relation AbsV+D to an initial state s1V+D of the Vamos model. The
induction step formalizes that the semantic effects of the kernel execution
can be expressed by the transition function dV+D of the model and that the
abstraction relation is preserved.
It turned out, that the induction step also requires various properties
to hold during the kernel executions. We combine these properties in the
so-called implementation invariant.
In the remainder of this chapter, we define the abstraction relation and
state the implementation invariant. Based on these prerequisites, the chap-
ter finally concludes with the formulation of the simulation theorem. The
correctness of this theorem is based on the implementation correctness of
all functions applied in the scope of system step. We have not shown the
implementation correctness of all functions. However, the functions which
have not been proven so far are specified and completely integrated into the
overall proof. The details on the already accomplished correctness proofs
and the integration of the function specifications are postponed to the next
chapter.
The formal definitions of the abstraction relation and the implementa-
tion invariant as well as the functional correctness proofs are given in the
repository directory llverification/vamos.
5.1 Data Abstraction
Data abstraction, in general, enables a (for certain purposes) more man-
ageable representation of datastructures. Take, for instance, the scheduling
queues in the Vamos model. Represented as queues of process numbers,
they deliver the relevant information: which process is at which position in
which queue. The fact that the concrete counterparts are implemented as
doubly-linked lists is of no interest anymore and thus abstracted away. How-
ever, it must be ensured that there is a relation between the representation
of the scheduling lists in the implementation and the queues in the model.
This is where the abstraction relations come into play connecting the
datastructures of an implementation state sv with their abstract counterparts
of a model state sV+D. In the following, we present the abstractions for the
particular Vamos state components.
While abstracting the datastructures, we have to take into account that
the model identifies processes by means of abstract process numbers, whereas
the implementation uses pointers. Function to ptr defines a mapping from
abstract process numbers to process pointers:
to ptr σv p ≡ svpib ! p
By design, accessing pib with the process number p delivers the correpsond-
ing process pointer.
5.1. Data Abstraction 135
5.1.1 Abstracting the User Processes
The relation rel procsv connects the virtual user-machines of the implemen-
tation with those of the model. Both, implementation and model, use the
same granularity of virtual machines. However, some differences must be
pointed out.
First, no virtual machine but ⊥ is assigned to inactive processes. Sec-
ond, the virtual machine states of waiting processes differ. We address this
issue in more detail in Section 6.1. In a nutshell, a process only has to wait
while performing an IPC operation with no suitable communication part-
ner. An IPC operation, in turn, is triggered by a trap exception. In the
implementation, this kind of exception arises while executing a trap in-
struction which happens within function userstep before calling the Vamos
kernel (cf. Section 2.4.4). Thus, the process first runs into the exception
and then waits for its handling by the Vamos kernel. The semantic effects
of userstep in case of a trap instruction without runtime errors boils down
to the incrementation of the program counters, as the following implication
states:
[[current instr vm = trap i; user step progress vm]] =⇒ userstep vm = incPcs vm
The Vamos model, in contrast, handles exceptions in advance. It de-
termines the corresponding process output by means of the function wproc
which inspects the next instruction of the current process before the actual
execution. Moreover, it executes the instruction not until the exception han-
dling is completed. Accordingly, the virtual machines of waiting processes
in the implementation are ahead of their abstract counterparts.
Incorporating these observations leads to the formal definition of the
abstraction relation rel procsv:
rel procsv σv inactQ waitQ uprocs ≡
∀x . if x ∈ set inactQ then uprocs x = ⊥
else if x ∈ set waitQ
then incPcs duprocs xe = (cvm ups svcvmX).userprocesses x ∧
uprocs x 6= ⊥
else uprocs x = b(cvm ups svcvmX).userprocesses xc
The implementation state is given by sv, inactQ and waitQ denote the in-
active and wait queue, and uprocs represents the virtual user machines in
the model. Note that it would have been possible to derive the process
states from the implementation state sv, as well. However, using the ab-
stract queues is a bit more comfortable. Their abstraction is covered in
Section 5.1.2.
For any process x residing in inactQ, the entry in uprocs is set to ⊥.
If x is waiting, the corresponding virtual machine uprocs x is the one that
after the incrementation of the process counters corresponds to the machine
(cvm ups cvmX).userprocesses x in the implementation. In all other cases,
the virtual machine states are identical.
136 5. Vamos Correctness
5.1.2 Abstracting the Scheduling Datastructures
The Vamos state component schedds contains general as well as process-
specific scheduling datastructures.
Abstracting the Scheduling Queues. A large part of the general data
concerns the scheduling queues which are represented as doubly-linked lists
in the implementation. The implementation identifies such a list with a
pointer head to the first element and uses the next pointers next and pre-
vious pointers prev to traverse the list. In a first step, these lists are ab-
stracted to HOL lists of references. Thereby, predicate Path head next e
Ps tests whether the list Ps can be constructed starting with element head
and collecting further elements by recursively applying function next until
element e is reached. The formal definition of Path is:
Path x h y [ ] = (x = y)
Path x h y (p · ps) = (x = p ∧ x 6= Null ∧ Path (h x) h y ps)
Doubly-linked lists are nothing but two singly-linked lists traversed in op-
posite directions. Accordingly, we use predicate dList for the abstraction,
where lst denotes the last element of the list:
dList head next prev lst Ps ≡
Path head next Null Ps ∧ Path lst prev Null (rev Ps)
The model, however, uses abstract queues of process numbers. We base
our abstraction of these process queues on predicate Queue:
Queue head next prev pid Ps ≡
∃Rs lst. dList head next prev lst Rs ∧ map (λx . pid x) Rs = Ps
The first conjunction of Queue specifies a doubly-linked list Rs of references
using predicate dList. The second conjunction states that the queue Ps of
process numbers can be constructed from list Rs by applying the function
pid to each element.
Using this predicate, we abstract the inactive list from the implementa-
tion variables inactive list, queue next, queue prev, and pid. In an analogous
way, we can abstract the wait and ready queues. The pointer to the wait
list is given by wait list, whereas those of the ready lists are contained in
the array ready lists.
Abstracting the Time and Process-specific Data. Abstracting the
remaining parts – the time and the process-specific scheduling data – is
more interesting, because, on the abstract level, we specify points in time as
unbounded natural numbers, while the implementation uses unsigned 32-bit
integers to represent those times.
Thus, the specification reflects the abstract idea of a monotonicly in-
creasing time while the implementation employs the fact that only a finite
5.1. Data Abstraction 137
range of time points is relevant at a certain execution step. Consequently,
there is a growing offset between the implementation time and the abstract
time. A natural number n defines the offset of the implementation variable
current time and the component time in the scheduling data structures of
the model.
The same number n is used with function rel procdbv, which abstracts
the process-specific scheduling data procdbp of an active process p:
rel procdbv σv procdbp waitQ p n ≡
(p ∈ set waitQ −→
procdbp.timeout =
(if svtimeout (to ptr σv p) = INFINITE TIMEOUT then ∞
else Fin (svtimeout (to ptr σv p) + n))) ∧
procdbp.tsl = svtimeslice (to ptr σv p) ∧
procdbp.ctsl = svconsumed time (to ptr σv p)
If p is waiting, n describes the offset between the (absolute) timeouts. The
implementation stores timeouts as 32-bit naturals, where the maximal value
INFINITE TIMEOUT represents an infinite timeout. Accordingly, if the heap
function timeout delivers the maximal value for process p, the abstract time-
out is set to∞. Otherwise, the timeout is finite and denotes the value in the
implementation incremented by n. The values for the timeslice tsl and the
consumed time ctsl are directly taken from the implementation. The former
is obtained by the heap function timeslice, the latter by consumed time.
Summing Up. Based on these prerequisites, the definition of the abstrac-
tion relation rel scheddsv looks as follows:
rel scheddsv σv schedds ≡
(∀p. Queue (svready lists ! p) svqueue next svqueue prev svpid
(schedds.ready p)) ∧
Queue svwakeup list svqueue next svqueue prev svpid schedds.wait ∧
Queue svinactive list svqueue next svqueue prev svpid schedds.inactive ∧
(∃n. schedds.time = svcurrent time + n ∧
(∀p. if p ∈ set schedds.inactive then schedds.procdb p = ⊥
else schedds.procdb p 6= ⊥ ∧
rel procdbv σv dschedds.procdb pe schedds.wait p n))
5.1.3 Abstracting the Priorities
Both, the implementation and the model, distinguish three priority levels.
The implementation maintains the process priorities in the heap function
priority, whereas the model stores them in the state component priodb. The
abstraction is established by rel priodbv:
rel priodbv σv priodb inactQ ≡
priodb = (λp. if p ∈ set inactQ then ⊥ else bsvpriority (to ptr σv p)c)
138 5. Vamos Correctness
No priority but ⊥ is assigned to inactive processes. For the remaining ones,
we adopt the priority levels from the implementation.
5.1.4 Abstracting the Send Status Database
The Vamos call ipc request comprises a send as well as a receive opera-
tion. Process states in the implementation help to distinguish between both
phases, whereas RECEIVE STATE signals the successful completion of the
send phase. The model abstracts from the particular process states and
determines the current status on the basis of the queue memberships. As
both phases of ipc request might involve waiting, it is not possible to
distinguish the situation in terms of the wait queue membership. For this
purpose, the Vamos model maintains a send status database sndstatdb. The
abstraction is established by predicate rel sndstatdbv:
rel sndstatdbv σv uprocs sndstatdb ≡
sndstatdb =
(λp. if svstate (to ptr σv p) = INACTIVE STATE then ⊥
else if ∃rcv hn snd rights msg add hn add rights snd timeout buffer
rcv timeout.
ωproc duprocs pe =
ipc request rcv hn snd rights msg add hn add rights snd timeout
buffer rcv timeout ∧
svstate (to ptr σv p) = RECEIVE STATE
then bTruec else bFalsec)
Inactive processes are neither in the send nor the receive phase and thus the
send status denotes ⊥. Apart from that, only processes p with an output
denoting ipc request come into consideration. The database entry for p
is only True, if the corresponding process state is set to RECEIVE STATE.
Otherwise, it is False.
5.1.5 Abstracting the Rights Datastructures
Rights datastructures are process-specific and provide data concerning the
privilege level, handles and IPC rights as well as the process parent. In
the implementation, heap function privileged provides the privileged level
of a process, parent denotes its parent and handle db contains the handle
databases. The latter combines information on the process-local handles
and the assigned IPC rights.
Preliminaries. Subsequently, we use auxiliary functions to extract the
information provided by the handle databases.
A handle hn is considered as known by a process p, if the KNOWN bit
is active. Predicate knownBit denotes this fact:
knownBit σv p hn ≡ (svhandle db p ! hn ∧u KNOWN) 6= 0
5.1. Data Abstraction 139
Handles may also be marked as stolen by means of an active STOLEN bit.
Similar as above, predicate stolenBit encapsulates this bit:
stolenBit σv p hn ≡ (svhandle db p ! hn ∧u STOLEN) 6= 0
Each handle hn in the handle database of a process p is associated with
IPC rights. These rights are encoded in the four least significant bits of the
corresponding entry. Function ipcRights returns the numerical value of the
rights which process p owns to the process identified by handle hn:
ipcRights s p hn ≡ shandle db p ! hn ∧u 15
The model maintains the rights datastructures in the Vamos state com-
ponent rightsdb. In the following paragraphs, we define the functions which
provide the abstractions for the sub-components of rightsdb.
Abstracting the Handle Database. Function abs hdb abstracts the
concrete information in the handle database of a process p and returns the
corresponding abstract handle database hdb:
abs hdb σv p ≡
λhn. if hn = HN SELF then bsvpid pc
else if hn = HN NONE ∨ hn = to int32 (svparent p) then ⊥
else if hn = HN PARENT ∧
(svhandle db p ! svparent p ∧u KNOWN) 6= 0 ∧
0 < svparent p < PID MAX
then bsvparent pc
else if (svhandle db p ! to nat32 hn ∧u KNOWN) 6= 0 ∧
0 < to nat32 hn < PID MAX
then bto nat32 hnc else ⊥
Handle HN SELF enables a process to determine its own identifier pid p.
Handle HN NONE is not associated to any process and delivers ⊥. The
same applies for accesses with to int32 (parent p) which are considered as
invalid. The only way to obtain the identifier of the parent, is accessing
the handle database with handle HN PARENT. However, the access only
returns the corresponding process number of the parent, if parent p holds a
valid process-identifier and the corresponding entry in the handle database
is marked as known. Accessing the handle database with any handle hn
delivers the corresponding process number bto nat32 hnc, as long as hn is
in-range, i. e., represents a valid process number, and the known bit is active.
Otherwise, the entry of hn is set to ⊥.
Abstracting the Rights Database. The rights database rdb of a process
realizes a mapping from process numbers to rights and is obtained by the
abstraction function abs rdb. As above, function abs rdb takes a process
pointer p as input in order to determine the data from handle db:
140 5. Vamos Correctness
abs rdb σv p ≡
option case ⊥
(λx . if knownBit σv p x then num2rights (to int32 (ipcRights σv p x)) else ⊥)
Accesses with invalid process numbers ⊥, return ⊥. Furthermore, rdb only
stores information on known processes x. For this purpose, abs rdb takes the
concrete rights obtained by ipcRights and converts them into the abstract
ones by means of the already introduced conversion function num2rights.
Note that the numerical value of the concrete rights is represented as natural
number, whereas num2rights expects integer values. Thus, we apply to int32
to convert between both representations.
The entries of unknown processes are set to ⊥.
Abstracting the Stolen Handles. Instead of explicitly marking the han-
dles as stolen, the model subsumes all stolen handles in the handle database
of a process in the set stolen. Accordingly, the task of function abs stolen is
to collect all stolen handles in the concrete handle database of a process p
and put them into a set:
abs stolen σv p ≡
let stolentmp =
to int32 ‘ {x ∈ {0<..<PID MAX}. x 6= svparent p ∧ stolenBit σv p x}
in if svparent p < PID MAX ∧ stolenBit σv p (svparent p)
then {HN PARENT} ∪ stolentmp else stolentmp
In search of stolen handles, function abs stolen inspects all entries of p’s
handle database. The indices 0 < x < PID MAX which fulfill predicate
stolenBit, are converted into handles (by means of to int32) and stored in the
set stolentmp. However, while collecting stolen handles, the special meaning
of HN PARENT becomes apparent again. As parent p does not represent the
actual handle to the parent process, it is excluded from stolentmp. Instead,
handle HN PARENT is added to the set stolentmp, if parent p is a valid
process-identifier and fulfills predicate stolenBit.
Summing Up. Based on these prerequisites, the definition of the abstrac-
tion relation rel rightsdbv looks as follows:
rel rightsdbv σv inactQ rightsdb ≡
rightsdb =
(λp. if p ∈ set inactQ then ⊥
else b(|priv = svprivileged (to ptr σv p), hdb = abs hdb σv (to ptr σv p),
rdb = abs rdb σv (to ptr σv p),
stolen = abs stolen σv (to ptr σv p),
parent =
if 0 < svparent (to ptr σv p) < PID MAX
then bsvparent (to ptr σv p)c else ⊥|)c)
5.1. Data Abstraction 141
The model only stores data for active processes p. Entries for inactive ones
are set to ⊥. For active processes p, the privilege status is directly adopted
from the implementation. Thereby, function to ptr is used to determine the
corresponding process pointer of p. Together with the abstraction functions
abs hdb and abs rdb, this process pointer is also used in order to get the
handle and rights databases hdb and rdb of process p. The model component
parent is set to ⊥, if the return value of the heap function parent is no valid
process-identifier. Otherwise, this value is taken as abstract process number.
5.1.6 Abstracting the Device Datastructures
One of Vamos’s responsibilities is the interrupt delivery, i. e., accepting
the interrupts from the external devices and forwarding them to the corre-
sponding drivers. For this purpose, all relevant data is stored in the device
datastructures. The implementation stores process-specific device data in
the heap function reg devices, and occurred and enabled interrupts in the
global variables intocc and intmask. The latter actually represents the user-
visible parts of the Cvm status register (cvm ups cvmX).statusreg. The
double book-keeping is necessary, because the Vamos implementation has
no means to read out the status register of Cvm1.
In the implementation, all the device-relevant data is encoded in 32-bit
natural numbers. These natural numbers, however, actually represent bit
masks. For this reason, we use function to bv32 to convert the natural
numbers into their bit vector representation. Based on these bit vectors,
the relevant device data is delivered by the entries with indices representing
the device numbers. For instance, if an interrupt of device d has occured,
the according bit to bv32 intocc ! d is active.
During the abstraction, we have to take into account that the implemen-
tation represents the device numbers as 32-bit natural numbers, whereas the
model abstracts device numbers. Function dev2nat converts the abstract de-
vice numbers to the concrete ones.
With it, the definition of rel devdsv is given as follows:
rel devdsv σv devds ≡
(∀d p. devds.driver d =
(if p ∈ set svpib ∧ to bv32 (svreg devices p) ! dev2nat d = 1
then bsvpid pc else ⊥)) ∧
devds.enabled = {d . to bv32 (cvm ups svcvmX).statusreg ! dev2nat d = 1} ∧
devds.saved = {d . to bv32 svintocc ! dev2nat d = 1}
The three conjunctions reflect the structure of the Vamos state component
devds. Sub-component driver maps device numbers to process numbers. In
general, devds.driver d = bqc denotes the fact, that device d is handled by
1Note that there is no Cvm primitive that delivers the value of the status register of
Cvm.
142 5. Vamos Correctness
driver q. If d is not handled by any driver, its entry is set to ⊥. In order
to establish a relation to the implementation, we take an arbitrary process
pointer p and check whether it is registered as driver for d . A driver is found,
if bit dev2nat d of the vector Bind p. to bv32 (reg devices p) is active. In
this case, the entry for d in driver is set to the process number pid p. If no
such process pointer p can be found, the entry is set to ⊥. Note that, by
design, there exists at most one such p which is registered as driver for d .
The set enabled contains all device numbers whose interrupts are enabled.
A relation to the implementation is established, if each device number d out
of enabled is also enabled in the Cvm status register, i. e., to bv32 (cvm ups
cvmX).statusreg ! dev2nat d = 1.
Based on intocc, the abstraction proceeds in a similar way, in order to
obtain the set saved of device numbers with raised but not yet delivered
interrupts.
5.1.7 The Vamos Abstraction Relation
The overall Vamos abstraction relation relies on the abstractions for the
particular Vamos state components described above:
AbsV+D σv (sV, sD) ≡
cvm devs svcvmX = sD ∧
rel procsv σv sV.schedds.inactive sV.schedds.wait sV.procs ∧
rel scheddsv σv sV.schedds ∧
rel priodbv σv sV.priodb sV.schedds.inactive ∧
rel sndstatdbv σv sV.procs sV.sndstatdb ∧
rel rightsdbv σv sV.schedds.inactive sV.rightsdb ∧
rel devdsv σv sV.devds ∧ (cvm ups svcvmX).currentp = v cup sV.schedds
The first conjunction is an equality for the device subsystem states because
both, the implementation and the model, share the same device representa-
tion. For the remaining state components, we use the abstraction functions
introduced above. In addition, the last part of the conjunction enforces the
equivalence between the current process identifier currentp of Cvm and the
one v cup of the Vamos model.
The theory file vamosAbstractions.thy contains the complete formal
definitions of the Vamos abstraction relation.
Summary. A key feature of the Vamos abstraction relation is that it
allows the usage of infinite datatypes in the abstract model, while the im-
plementation is bound to the 32-bit representation of numbers. Thus, on
the abstract level, we specify points in time as unbounded natural numbers,
while the implementation uses unsigned 32-bit integers to represent those
times. With the abstract idea of a monotonicly increasing time, we further
avoid the handling of possible overflows as it is required in the implemen-
tation (cf. Section 6.3). Consequently, the abstraction relation has to deal
5.2. Implementation Invariant 143
with an growing offset between the implementation time and the abstract
time.
Another crucial point is the abstraction of the user processes. Although
both, the implementation and the model, use the same granularity of virtual
machines, the abstraction is not as simple as one might suppose. The reason
for this are the differing virtual machines of waiting processes and (possibly)
the one of the current process. In retrospect, this fact seems to be rather
natural. However, we only became aware of these differing machines, when
we considered the entire system, i. e., the steps before and after the actual
Vamos execution.
In contrast, abstracting the remaining kernel datastructures is rather
straightforward.
5.2 Implementation Invariant
Each kernel execution is constrained by certain properties and requirements.
They are encapsulated in the implementation invariant which is established
at the initialization and preserved by the kernel executions and user steps.
The main ingredients are:
• value bounds: The target 32-bit Vamp architectur as well as the design
of the Vamos kernel itself lead to various bounds.
• validity and consistency requirements: We have to ensure that the de-
sign guidelines are not violated. Thus, a handle, for instance, must
not be simultaneously marked as stolen and known. Furthermore,
for efficiency reasons, the implementation maintains redundant datas-
tructures. For instance, the process priorities that actually could be
derived from the ready list memberships. Certainly, the redundant
information must not be contradicting.
• miscellaneous requirements: Mainly used in the context of IPC and
waiting processes, they relate concrete with abstract properties, e. g.,
that a process with state SEND STATE in the implementation pro-
duces the output ipc send in the model.
We formulate the requirements of the two former categories solely over
the implementation states, whereas the latter also involves abstract model
states. It definitely would have been possible to formulate these properties
over the implementation states, as well. The implementation invariant, how-
ever, is a proof tool and in the proof, we are often confronted with a mixture
of concrete and abstract statements. Thus, it turned out to be reasonable
to adapt this combination for stating certain properties.
The following sections introduce various predicates encapsulating the
particular properties. Later on, these predicates are combined to the overall
implementation invariant.
144 5. Vamos Correctness
5.2.1 Value Bounds
The target Vamp architecture and the design of the Vamos kernel itself
involve various bounds. Those which affect the variables of the implementa-
tion state sv are subsumed in predicate valueBoundsv. The formal definition
of the predicate is quite uniform and lengthy. For this reason, we merely
present representative excerpts of the definition to convey the general nature
of the value ranges.
Recall that many variables of the Vamos implementation state represent
natural and integer numbers. The limiting factor, however, is the 32-bit
Vamp architecture, the Vamos kernel runs on. Thus, natural numbers x
can only describe values in the range 0 ≤ x < 232, and the values of integer
numbers y are limited to −231 ≤ y ≤ 231 − 1.
Furthermore, our system relies on a restricted amount of memory and
the Vamos kernel may only allocate a total of TVM MAXPAGES memory
pages. Accordingly, TVM MAXPAGES is the upper bound for the value
of the global variable vamos pages used, which incidentally also applies for
the entries in the heap function fip denoting the number of memory pages
occupied by an individual process.
The bounds are not only induced by the target architecture but also
by the kernel design itself. For instance, our system only allows process-
identifiers in the range {1<..<PID MAX}. Accordingly, the heap function
pid may only return values that fit into this range. By means of process
pointers, Vamos enables the access to the corresponding process information
blocks. The respective pointers are contained in the array pib which is of
length PID MAX, accordingly. Limiting the number of priority levels to
PRIOCNT also has an impact. The entries in the heap function priority range
between 0 and PRIOCNT, and the value current max prio of the current
maximum priority is always smaller than PRIOCNT.
5.2.2 Validity and Consistency Requirements
The validity and consistency requirements ensure the conformance with the
design guidelines and the consistency between redundant datastructures.
Requirements for the Current Process
The implemenation identifies the current process by the process pointer
current process. No current process is apparent, if current process = Null.
Otherwise, current process denotes a process pointer out of pib. In addition,
its state has to be READY STATE.
Formally, predicate validCupv encapsulates these requirements:
validCupv σv ≡
svcurrent process = Null ∨
svcurrent process ∈ set svpib ∧ svstate svcurrent process = READY STATE
5.2. Implementation Invariant 145
Requirements for the Virtual Machines
By means of the Cvm framework and, in particular, by means of the external
state component cvmX, we are able to argue about low-level entities, like
process registers or memory. These entities are not a direct part of the Va-
mos implementation but have an indirect impact on it, and thus have to
fulfill certain requirements.
Formally, predicate validVMsv encapsulates all demanded properties:
validVMsv σv ≡
is valid cvmup (cvm ups svcvmX) ∧
(∀p∈{x ∈ set svpib. svstate x 6= INACTIVE STATE}.
svfip p = sizeasm ((cvm ups svcvmX).userprocesses (svpid p)) ∧
0 < svfip p) ∧
svvamos pages used =
(
∑
i∈{0<..<PID MAX}. sizeasm ((cvm ups svcvmX).userprocesses i))
An essential part of the definition is predicate is valid cvmup ensuring the
validity of the virtual user machines, as introduced in Section 2.4. The
remaining requirements are due to the double book-keeping regarding the
memory management. Data regarding the memory consumption can ac-
tually be derived from the virtual machines. Due to the limited access,
however, the implementation maintains the heap function fip which stores
the memory amount of the particular processes. Some kernel actions, like
the process creation, require the total memory amount of all processes. For
efficiency reasons, the kernel maintains the global variable vamos pages used
which denotes the total amount and prevents the kernel from explicitly sum-
ming up the individual process amounts.
Nevertheless, these datastructures have to reflect the conditions given by
the machines, where function sizeasm returns the current memory amount of
a machine. Thus, for an active process p, the value of fip p corresponds to
the result of sizeasm applied to the corresponding virtual machine. As active
processes occupy at least one memory page, this value has to be greater
than 0.
In addition, the total memory amount results from summing up the
individual memory amounts of all user machines.
Unique Process Identification
We already mentioned that the array pib contains the pointers to the process
information blocks. Each of these pointers is exclusively assigned to one
process, i. e., the elements of pib have to be distinct. In addition to that,
no Null pointers are allowed as array entries. The process pointers enable
the access to the process information blocks which contain (amongst others)
the process-identifiers pid. By design, a process-identifier corresponds to the
index i of the corresponding pointer in pib, i. e., pid (pib ! i) = i. In addition,
146 5. Vamos Correctness
process-identifiers are unique, i. e., two pointers p and q are equal iff the
application of pid returns the same values.
The predicate uniqueProcIdv formally states these properties:
uniqueProcIdv σv ≡
distinct svpib ∧
(∀i<length svpib. svpib ! i 6= Null ∧ svpid (svpib ! i) = i) ∧
(∀x∈set svpib. ∀y∈set svpib. (svpid x = svpid y) = (x = y))
Requirements for the Rights Datastructures
The rights datastructures in the Vamos implementation are process-specific
and maintained by the heap function handle db. For any process p, this
function delivers an array of size PID MAX. The array indices are connected
to process handles. As already pointed out in Section 5.1.5, the array entries
store natural numbers which encode the IPC rights associated to the handle
and also whether the handle is known or stolen.
This information has to follow certain requirements which we define sub-
sequently. Thereby, we mainly concentrate on the information regarding
active processes. The implemenation considers a process as active, if the
respective pointer p is out of pib and its status is different from INAC-
TIVE STATE. In order to distinguish between known and stolen handles,
we rely on the predicates knownBit and stolenBit.
Special Handle Database Entries. Predicate specialHdbEntries deals
with special entries in the handle databases:
specialHdbEntries σv ≡
let active = {x ∈ set svpib. svstate x 6= INACTIVE STATE};
inactive = {x ∈ set svpib. svstate x = INACTIVE STATE}
in ∀p∈active.
svhandle db p ! 0 = 0 ∧
svhandle db p ! svpid p = 0 ∧
(∀q∈inactive. svhandle db p ! svpid q = 0 ∨ stolenBit σv p (svpid q))
There are two fixed entries in each handle database of an active process
p storing 0 by default, i. e., no information. First, the entry with index 0,
because no process with identifier 0 exists in Vamos. Second, the entry with
index pid p, because Vamos does not allow processes to send to or receive
from themselves. Entries for inactive processes q are either 0 or consist
of an active stolen bit. The latter occurs, if q was known by p before its
termination and p is not yet notified about this termination.
Consistent Counting of Stolen Handles. In order to figure out the
current number of stolen handles in the handle database of an arbitrary
process, the Vamos kernel maintains the heap function stolen count. Effi-
ciency is the only reason for this function, because this information could
5.2. Implementation Invariant 147
also be derived from the particular handle databases. Predicate validStolen-
Count ensures that the information in stolen count does not contradict with
the situation in the handle databases:
validStolenCount σv ≡
let active = {x ∈ set svpib. svstate x 6= INACTIVE STATE}
in ∀p∈active. svstolen count p = card {x ∈ {0<..<PID MAX}. stolenBit σv p x}
For an active process p, the set {x ∈ {0<..<PID MAX}. stolenBit s p x}
subsumes the stolen handles. The cardinality of this set must be equal to
the value stored in stolen count p.
Properties on Known and Stolen Handles. As long as a process is
known, i. e., the known bit is raised, it is not inactive. Furthermore, process
handles are not simultaneously known and stolen.
Predicate propKnownStolen encapsulates these properties:
propKnownStolen σv ≡
(∀p∈set svpib.
∀q∈set svpib. knownBit σv p (svpid q) −→ svstate q 6= INACTIVE STATE) ∧
(∀p∈set svpib.
∀q<length (svhandle db p).
(stolenBit σv p q −→ ¬ knownBit σv p q) ∧
(knownBit σv p q −→ ¬ stolenBit σv p q))
Summing Up. The predicate validRightsv combines the requirements for
the rights datastructures:
validRightsv σv ≡ specialHdbEntries σv ∧ validStolenCount σv ∧ propKnownStolen σv
Requirements for the Lists
The Vamos microkernel uses queues for process scheduling, on the one hand,
and matching communication partners for IPC, on the other one.
During the abstraction in Section 5.1.7, we claimed that the scheduling
queues are implemented as doubly-linked lists. This assumption, however,
must be discharged by the implementation invariant, as well as the require-
ment that only process pointers are contained in these lists. In addition to
that, the invariant also establishes the connection between the process states
and the list memberships.
More involved are the requirements for the send lists. Apart from the
aforementioned properties they must also satisfy certain consistency require-
ments as they actually represent parts of the wait list.
The requirements for the list represent a conjunction of various sub-
predicates for the particular lists.
148 5. Vamos Correctness
Valid Inactive List. Predicate validInactv encapsulates the requirements
for the inactive list:
validInactv σv ≡
∃Inact lst.
dList svinactive list svqueue next svqueue prev lst Inact ∧
(∀p. p ∈ set Inact −→ p ∈ set svpib) ∧
(∀p. p ∈ set svpib −→ (p ∈ set Inact) = (svstate p = INACTIVE STATE))
It states that the inactive list is implemented as a doubly-linked list with
inactive list pointing to the head, and queue next and queue prev denot-
ing the next and previous pointers. Furthermore, all elements are process
pointers out of pib. Finally, a process is in the inactive list iff its state is
INACTIVE STATE.
Valid Wait List. The predicate validWkpv is similar to validInactv and
encapsulates the properties of the wait list. As the definition suggests, only
the process states are adjusted:
validWkpv σv ≡
∃Wkp lst.
dList svwakeup list svqueue next svqueue prev lst Wkp ∧
(∀p. p ∈ set Wkp −→ p ∈ set svpib) ∧
(∀p. p ∈ set svpib −→
(p ∈ set Wkp) =
(svstate p ∈ {SEND STATE, RECEIVE STATE, SEND RECEIVE STATE}))
Valid Ready Lists. The quintessence of both predicates above is also
found in the predicate validRdysv which states the validity requirements for
the ready lists. In addition, the different priority classes as well as the
current process are taken into account: Let p denote a process and Rdy the
ready list of priority i. Process p is in the ready list Rdy iff its state is
READY STATE and, in addition, its priority is i. Furthermore, p is in Rdy
and simultaneously denotes the current process iff it is the head of Rdy and
the priority i is equal to the current maximum priority current max prio:
validRdysv σv ≡
∀i<length svready lists.
∃Rdy lst.
dList (svready lists ! i) svqueue next svqueue prev lst Rdy ∧
(∀p. p ∈ set Rdy −→ p ∈ set svpib) ∧
(∀p. p ∈ set svpib −→
(p ∈ set Rdy) = (svstate p = READY STATE ∧ svpriority p = i) ∧
(p ∈ set Rdy ∧ p = svcurrent process) =
(p = svready lists ! i ∧ i = svcurrent max prio))
5.2. Implementation Invariant 149
Valid Send Lists. In order to determine potential communication part-
ners for IPC-receive operations, the Vamos implementation organizes so-
called send lists. Send lists exist solely for performance reasons, because
they can actually be derived from the wait list. Hence, these lists have to
fulfill – apart from the usual properties – certain consistency requirements.
The predicate SqsInWkp formalizes the forementioned property that the
send lists are contained in the wait list:
SqsInWkp σv ≡
∃Wkp lst.
dList svwakeup list svqueue next svqueue prev lst Wkp ∧
(∀p∈set svpib.
let Sq = [x∈Wkp .
svstate x ∈ {SEND STATE, SEND RECEIVE STATE} ∧
svipc pid x = svpid p]
in ∃lst. dList (svsend queue p) svsend queue next svsend queue prev lst
Sq)
Starting point is the existence of the wait list Wkp. The send list Sq of an
arbitrary process p is derived from Wkp by filtering all processes x with state
SEND STATE or SEND RECEIVE STATE and which specified p as commu-
nication partner, i. e., ipc pid x = pid p. In addition, Sq must represent a
doubly-linked list.
The predicate distinctSqs ensures that the send lists of two different pro-
cesses p and q have no elements in common, i. e., processes are not allowed
to send to more than one process at the same time:
distinctSqs σv ≡
∀p∈set svpib.
∀q∈set svpib.
p 6= q −→
(∃Sq Sq2 sq lst sq lst2 .
dList (svsend queue p) svsend queue next svsend queue prev sq lst Sq ∧
dList (svsend queue q) svsend queue next svsend queue prev sq lst2 Sq2 ∧
set Sq ∩ set Sq2 = {})
Only processes currently performing a send operation may reside in send
lists. A process is not part of a send list, as long as the according next and
previous pointers in its process control block are Null. Thus, if the state of
a process p neither denotes SEND STATE nor SEND RECEIVE STATE, it
is not in a send list. Predicate onlySendersInSqs formalizes this requirement:
onlySendersInSqs σv ≡
∀p∈set svpib.
svstate p 6= SEND STATE ∧ svstate p 6= SEND RECEIVE STATE −→
svsend queue next p = Null ∧ svsend queue prev p = Null
The predicate openRcvSqs states that waiting in case of an open-receive
implies an empty send list:
150 5. Vamos Correctness
openRcvSqs σv ≡
∀p∈set svpib.
svstate p = RECEIVE STATE ∧ svipc pid p = 0 −→ svsend queue p = Null
A process p waits while performing an open receive operation, if its state is
set to RECEIVE STATE and ipc pid p = 0. The empty send list is denoted
by send queue p = Null.
Finally, predicate validSqsv combines all the requirements for the send
lists:
validSqsv σv ≡ SqsInWkp σv ∧ distinctSqs σv ∧ onlySendersInSqs σv ∧ openRcvSqs σv
Summing Up. The overall predicate validListsv formulates the require-
ments for the lists in the Vamos implementation:
validListsv σv ≡ validRdysv σv ∧ validWkpv σv ∧ validInactv σv ∧ validSqsv σv
Requirements for the Device Datastructures
In the following, we discuss the particular aspects of requirements for the
device datastructures. Again, we first define sub-predicates and combine
them, later on.
Interrupt Mask Format. Vamos stores device relevant data in 32-bit
natural numbers. However, as already mentioned, we rather argue on bitvec-
tors or interrupt masks. Again, function to bv32 is used to convert the 32-bit
natural numbers into bitvectors.
External interrupt handling in Vamos is restricted to the user-visible
devices. Starting with device number DEVFIRST, a total of DEVCOUNT
devices is handled. Referring to the bitvectors, the relevant data is contained
in the bitfields reaching from DEVFIRST to DEVFIRST + DEVCOUNT − 1.
The predicate intFormats is based on these observations:
intFormats σv ≡
let validIntFormat =
λx . ∀i<length (to bv32 x).
i < DEVFIRST ∨ DEVFIRST + DEVCOUNT ≤ i −→
to bv32 x ! i = 0
in validIntFormat svinthd ∧
validIntFormat svintocc ∧
(∀p. p ∈ set svpib −→ validIntFormat (svreg devices p))
The auxiliary function validIntFormat ensures, that only the bits of user-
visible devices may be active and is applied to all device-relevant data.
No Inactive Interrupt Handlers. Naturally, inactive processes cannot
handle any device interrupts. However, this property has to be fixed with
predicate inactNoHd:
5.2. Implementation Invariant 151
inactNoHd σv ≡
∀p∈set svpib. svstate p = INACTIVE STATE −→ svreg devices p = 0
Unique Device Registration. The Vamos implementation does not al-
low multiple handlers for one device interrupt. Thus, if arbitrary processes
p and q handle the same device i, they have to be equal.
Predicate uniqueDevReg formalizes this requirement:
uniqueDevReg σv ≡
∀p∈set svpib.
∀q∈set svpib.
∀i<32.
to bv32 (svreg devices p) ! i = 1 ∧
to bv32 (svreg devices q) ! i = 1 −→
p = q
Handled and Registered Interrupts. For any handled interrupt i there
exists a driver. Accordingly, each interrupt registered to a driver is also
marked as handled.
The consistency between the variables reg devices and inthd states pred-
icate intHdregDev:
intHdregDev σv ≡
(∀i<32. to bv32 svinthd ! i = 1 −→
(∃!p. to bv32 (svreg devices p) ! i = 1)) ∧
(∀p∈set svpib.
∀i<32. to bv32 (svreg devices p) ! i = 1 −→ to bv32 svinthd ! i = 1)
Only Handled Interrupts Occur. Vamos stores only occurrences of
handled interrupts.
Predicate intOccHd encapsulates this fact:
intOccHd σv ≡ ∀i<32. to bv32 svintocc ! i = 1 −→ to bv32 svinthd ! i = 1
Summing Up. Predicate validDevdsv constitutes the combination of the
above properties:
validDevdsv σv ≡
intFormats σv ∧ inactNoHd σv ∧ uniqueDevReg σv ∧ intHdregDev σv ∧ intOccHd σv
5.2.3 Miscellaneous Requirements
The implementation of the Vamos kernel contains a number of global vari-
ables for which there are no analogous components in the abstract model
state. However, these variables have precise meanings and their values can
be expressed as formulas over the abstract Vamos state. Apart from these
152 5. Vamos Correctness
general requirements, we also demand certain properties on waiting pro-
cesses and IPC operations.
Subsequently, we define the corresponding predicates.
General Requirements.
The Vamos model uses the identifier v cup to determine the currently run-
ning process. If no process is running, it denotes ⊥, otherwise, the corre-
sponding abstract process number. In contrast, the implementation uses the
pointer current process to identify the currently running process. If no such
process exists, the pointer denotes Null. Thus, for consistency reasons, the
abstract identifier v cup delivers ⊥ iff current process denotes Null.
The global implementation variable current max prio also does not have
a direct counterpart in a Vamos state space. However, its value has to
correspond to the highest priority of the non-empty ready queues in the
model.
In addition to that, we have to fix that the interrupts of the timer device
are always enabled. Interrupts of the swap device, in contrast, are not visible
by the kernel anymore and thus disabled.
The predicate generalProps formally encapsulates these properties:
generalProps σv sV ≡
(v cup sV.schedds = ⊥) = (svcurrent process = Null) ∧
svcurrent max prio =
Max ({i . i < PRIOCNT ∧ sV.schedds.ready i 6= [ ]} ∪ {0}) ∧
DEV TIMER ∈ sV.devds.enabled ∧ DEV SWAP /∈ sV.devds.enabled
Note that the current maximum priority is set to 0, if no process is ready.
Properties of Waiting Processes
Apart from waiting, the respective processes have to fulfill certain properties
which are formalized in predicate waitProps:
waitProps σv sV ≡
(∀p∈set sV.schedds.wait. ∃imm. current instr dsV.procs pe = trap imm) ∧
(∀p∈set sV.schedds.wait. svnext timeout ≤ svtimeout (svpib ! p)) ∧
(svcurrent time < svnext timeout −→
(∀p∈set sV.schedds.wait. ¬ expiredTimeout sV.schedds p))
Waiting processes p are contained in queue sV.schedds.wait. In Vamos, pro-
cesses p only wait for pending IPC operations. IPC operations, in turn, are
initiated by trap instructions. Thus, the first conjunction constitutes that
the current instruction of a waiting process p denotes a trap. IPC opera-
tions are usually bounded by timeouts. In the implementation, the actual
timeouts of processes are stored in the heap function timeout. The minimum
of these values is stored in the global variable next timeout. It determines
5.2. Implementation Invariant 153
the point in time, when the next timeout expires. Keeping the consistency
between the heap function timeout and variable next timeout requires, that
each entry in timeout has to be greater than or equal to next timeout.
Finally, the wait queue does not contain processes with expired timeouts
as long as the time current time is smaller than the value of next timeout.
Properties of Inter-Process Communications
We already mentioned, that the implementation distinguishes the IPC op-
erations by means of the process states, whereas the model uses the process
outputs. Certainly, we have to establish a relation between these both rep-
resentations.
In addition to that, pending IPC operations already passed the invoca-
tion phase. Thus, the arguments specified by the corresponding process can
be considered as valid.
The predicate ipcProps fixes these properties:
ipcProps σv sV ≡
∀p∈set svpib.
(svstate p = SEND STATE −→
consisStateOutSEND σv sV p ∧ ipcArgsSEND σv sV p) ∧
(svstate p = SEND RECEIVE STATE −→
consisStateOutSENDRCV σv sV p ∧ ipcArgsSENDRCV σv sV p) ∧
(svstate p = RECEIVE STATE −→
consisStateOutRCV σv sV p ∧ ipcArgsRCV σv sV p) ∧
(svstate p 6= INACTIVE STATE −→ consisStateOutGeneral σv sV p)
The definition is based on arbitrary process pointers p and distinguishes
the particular operations by means of the concrete process states. The re-
quirements for the particular operations are two-fold. In case of an ipc send
operation, for instance, predicate consisStateOutSEND fixes the abstract pro-
cess output, whereas predicate ipcArgsSEND states the validity requirements
for the according arguments. Similarily, we proceed in the other cases. The
respective predicates are defined below.
IPC States and Process Outputs. For a process p residing in the state
SEND STATE, predicate consisStateOutSEND encapsulates the requirement
that the corresponding process output denotes ipc send:
consisStateOutSEND σv sV p ≡
case ωproc dsV.procs (svpid p)e of
ipc send hnrcv rightssnd msg hnadd rightsadd tosnd ⇒ True | ⇒ False
In a similar way, we define predicate consisStateOutSENDRCV for processes
in state SEND RECEIVE STATE. However, in case of an ordinary receive
operation, we have to take two situations into account, as the definition of
predicate consisStateOutRCV suggests:
154 5. Vamos Correctness
consisStateOutRCV σv sV p ≡
case ωproc dsV.procs (svpid p)e of ipc receive hnsnd buf torcv ⇒ True
| ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buf torcv ⇒
dsV.sndstatdb (svpid p)e ∧ p 6= svcurrent process
| ⇒ False
The state RECEIVE STATE may denote an ipc receive call but also the
receive phase of an ipc request operation. Predicate consisStateOutRCV
takes both possibilities into account and holds, if the process output is ei-
ther ipc receive or ipc request. In addition, however, the latter case
requires an active send status and the process must be different from the
currently running process.
Furthermore, the predicate consisStateOutGeneral encapsulates some gen-
eral properties regarding the output of an active process p:
consisStateOutGeneral σv sV p ≡
case ωproc dsV.procs (svpid p)e of
ipc receive hnsnd buf torcv ⇒
svstate p 6= RECEIVE STATE −→ svpid p /∈ set sV.schedds.wait
| ipc request hnrcv rightssnd msg hnadd rightsadd tosnd buf torcv ⇒
dsV.sndstatdb (svpid p)e = (svstate p = RECEIVE STATE)
| ⇒ True
As long as the implementation state of a process, performing an ipc receive
call, is not set to RECEIVE STATE, the process is not part of the wait queue.
Furthermore, the send status of a process performing an ipc request call
is active iff its state in the implementation denotes RECEIVE STATE.
IPC Registers and Arguments Validity. Each IPC operation comes
along with various input arguments determining, for instance, the desired
communication partner or the message to be sent. Before the initiation of
an IPC operation, the calling process has to specify these arguments in dedi-
cated registers. The Vamos kernel takes these values out of the registers and
performs several validity checks. Erroneously specified or invalid arguments
lead to the abortion of the operation. In case of no errors, the arguments are
stored in dedicated components of the process control block of the calling
process. The state of the process is set according to the desired operation
and the pre-transmission phase is entered. In the correctness proof, however,
we have to retain the situation that the arguments – stored in the process
information blocks of processes in IPC states – fulfill certain properties.
The particular definitions of the predicates above are quite substantial
and elaborate but all follow the same structure. Hence, we only cite parts
of the definition of ipcArgsSEND as an example.
An implemenation state sv, an abstract Vamos state sV and a process
pointer p identifying a process performing an ipc send operation are the
basis:
5.2. Implementation Invariant 155
ipcArgsSEND σv sV p =⇒
let hnrcv = dsV.procs (svpid p)e.gprs ! 11;
rightssnd = to nat32 (dsV.procs (svpid p)e.gprs ! 12);
msgptr = to nat32 (dsV.procs (svpid p)e.gprs ! 13);
msglen = to nat32 (dsV.procs (svpid p)e.gprs ! 14)
in hnrcv /∈ {HN SELF, HN NONE} ∧
bsvipc pid pc = dsV.rightsdb (svpid p)e.hdb hnrcv ∧
svipc rights p = rightssnd ∧
(svipc rights p ∧u ¬u/32 15) = 0 ∧
svipc snd msg p = msgptr ∧ svipc snd len p = msglen ∧ validMsg σv p
The definition first introduces various abbreviations for the values in the
source registers. Register 11 stores the handle hnrcv to the desired receiver
and register 12 contains the rights rightssnd that should be granted to it.
Furthermore, process p specifies the start address msgptr of the send message
in register 13, followed by its length msglen in register 14.
Based on these prerequisites, predicate ipcArgsSEND claims (apart from
others) the following properties: The handle hnrcv is valid, i. e., it is neither
HN SELF nor HN NONE and it points to the desired IPC partner. In the
implementation, the process-identifier of the latter is stored in ipc pid p.
Accordingly, an access with hnrcv to the abstract handle database of p results
in its abstracted process number. The rights rightssnd, as well as the start
address msgptr and the length msglen of the send message are stored in the
according components of the process information block. In addition, they
fulfill the validity requirements. The rights follow the right format, i. e.,
(ipc rights p ∧u ¬u/32 15) 6= 0. Note that ipc rights p is a natural numbers
actually encoding a bit vector. Within this bit vector, it is only allowed
to use the four least significant bits to express the desired combination of
rights. In order to meet the correct format, the remaining bits must be
0. Transferred to the natural number representation, the operation above
reflects this requirement.
Furthermore, the send message is defined and available in the virtual
memory of p. Predicate validMsg encapsulates this property:
validMsg σv p ≡
(svipc snd len p ∧u 3) = 0 ∧
(svipc snd len p = 0 ∨
(svipc snd msg p ∧u 3) = 0 ∧
svipc snd msg p < svfip p u/32 12 ∧
svipc snd len p + svipc snd msg p < svfip p u/32 12)
The message length is a multiple of the word length (measured in bytes),
and the start address is word-aligned as long as the length is not 0. In case of
the latter, the message resides within the boundaries of the virtual memory.
The value fip p denotes the first invalid memory page, whereas each page
consists of PAGE SIZE = 212 words. We obtain the first invalid address by
shifting fip p by 12 to the left. Accordingly, the start address as well as the
156 5. Vamos Correctness
end address of the message are smaller than the first invalid address.
The definitions of the predicates ipcArgsSENDRCV and ipcArgsRCV are
quite similar. The former is based on ipcArgsSEND, but additionally de-
mands some requirements regarding the receive phase which can also be
found in the latter.
5.2.4 Summing Up
The predicate implInv combines the properties and requirements from above
and establishes the Vamos implementation invariant:
implInv s sV ≡
valueBoundsv s ∧ validVMsv s ∧ validCupv s ∧ validRightsv s ∧ uniqueProcIdv s ∧
validListsv s ∧ validDevdsv s ∧ generalProps s sV ∧ waitProps s sV ∧
ipcProps s sV
The theory file vamosAbstractions.thy contains the complete formal def-
initions of the Vamos implementation invariant.
5.3 The Simulation Theorem
The overall correctness statement – we are aiming at in this thesis – ap-
plies to a complete kernel step, i. e., the Vamos kernel embedded into the
Cvm framework. An illustration of this statement was already given in
Figure 5.1. The proof of this statement shows the simulation between the
implementation and the model. We express this statement as a Hoare triple.
Theorem 5.3.1 (Kernel Correctness) This theorem actually represents
two cases: a reset and a normal system step. A reset is signaled by an
active reset and causes the initialization of the datastructures leading to
the state t. On the abstract level, the initialization of the Vamos kernel
is described by the function initialConf. This initial state together with the
devices sD ′ and the implementation state t fulfill the abstraction relation and
the implementation invariant.
Apart from the reset case, let sv be the implementation state before and
t the one after the application of function system step. Furthermore, (sV,
sD) denotes an abstract state and (sV ′, sD ′) its adjacent one after applying
dV+D. Whenever the abstraction relation AbsV+D holds between sv and (sV,
sD) and implInv holds before the invocation of system step, AbsV+D holds
between t and (sV ′, sD ′) and implInv is preserved.
In short, the transition function dV+D models the system execution sys-
tem step.
5.3. The Simulation Theorem 157
Γ `t {σv. svreset ∨ AbsV+D σv (sV, sD) ∧ implInv σv sV} PROC system step()
{τ. let (sV ′, sD ′) =
if svreset
then (initialConf (getOSimg sD) OS PAGES,
init dev (cvm devs svcvmX))
else fst (δV+D ⊥ (sV, sD))
in AbsV+D τ (sV ′, sD ′) ∧ implInv τ sV ′}
Recall that the transition function dV+D uses its input parameter to de-
termine whether the kernel or solely the device subsystem (e. g., by receiving
a network package) advance during a transition of the overall system. If this
input is not ⊥, the kernel remains constant. Knowing that the abstraction
relation of the kernel data structures and the one of the device subsystem
are independent, we may consequently disregard changes that are limited to
the device subsystem in the consideration of the kernel simulation. While
we are interested in the kernel-device interaction, we disregard any external
device input from the environment and the according output to it. As a
consequence, this input is fixed at ⊥ in the theorem above. Furthermore,
the transition function dV+D returns a pair of the updated state and the
external output. We are, however, only interested in the updated state and
thus take the first component of this pair, i. e., (sV ′, sD ′) = fst (dV+D ⊥ (sV,
sD)).
Proof Sketch The correctness of the simulation theorem is based on the
correctness of all functions applied in the scope of system step. Thus, for
all functions we have to define and prove lemmata stating their correctness.
Eventually, we connect these lemmata in order to prove the correctness of
the overall system. The proof of the theorem mainly relies on the correctness
of the function dispatcher kernel representing the main function of the Va-
mos implementation. The correctness of dispatcher kernel, in turn, depends
on the correctness of its four different parts: the initialization, the handling
of process exceptions, the timer-interrupt handler and the delivery of device
interrupts.
We have not completed the proof of the whole theorem but mayor parts
of it. The next chapter presents the already proven ones.

Chapter 6
Implementation Correctness
Contents
6.1 Weakening the Abstraction Relation . . . . . . . 161
6.2 Auxiliary Functions . . . . . . . . . . . . . . . . . 163
6.3 Correctness of the Timer-Interrupt Handler . . 165
6.4 Correctness of the Trap Handler . . . . . . . . . 169
6.5 Correctness of the Vamos Top-level Function . . 184
6.6 Correctness of a System Step . . . . . . . . . . . 187
The C0 implementation of the Vamos kernel is based on the Cvm primi-
tives provided by the Cvm framework. Apart from that, the implementation
relies on a library of functions on doubly-linked lists which was specified and
verified in the Hoare logic against its C0 implementation [59, 71].
Except the functions of the list library and the Cvm primitives, Fig-
ure 6.1 depicts the call graph of the Vamos implementation.
The functions highlighted in green are completely verified, the correct-
ness of the ones in yellow is shown but the proof relies on specifications of
sub-functions which are not yet proven.
Often recurring operations are encapsulated in auxiliary functions. Sub-
sequently, we briefly introduce their functionalities and specifications. Based
on these functions, we proceed with the correctness statements for the timer-
interrupt handler handle timer and the trap handler which is implemented
in function dispatcher kernel call. Under the assumption that the remaining
parts, i. e., the initialization, the interrupt delivery and the termination of
processes are correctly implemented, we formulate and prove the correctness
of the Vamos top-level function dispatcher kernel. Finally, the Vamos cor-
rectness statement is integrated in function system step and we prove the
overall correctness statement as formulated in Theorem 5.3.1.
The correctness statement of the Vamos kernel relies on a slightly ad-
justed abstraction relation which takes the invocation context of function
159
160 6. Implementation Correctness
handle_timer
process_change_scheduling_param
dispatch_kernel_call
ipc_send
ipc_send_receive
process_create
unmask_interrupts
dev_write_word
dev_write
dev_read_word
dev_read
ipc_receive
process_clone
process_set_privileges
memory_add
change_driver
memory_free
change_rights
process_kill
read_kernel_info
int_delivery
vamos_init
cancel_pending_ipc
resolve_handle
deliver_notifications
ipc_schedule_receive
update_hdb
ipc_communication
ipc_initiate_send
search_next_process
put_process_to_sleep
wake_up
compute_max_prio
check_elapsed_timeouts
dispatcher_kernel
Figure 6.1: Call Graph of the Vamos Implementation
6.1. Weakening the Abstraction Relation 161
sv1 sv2 sv3 sv4
s1V+D s
2
V+D
A
b
s V
+
D
weakAbs
V
+
D we
ak
Ab
s V
+
D
A
b
s V
+
D
userstep dispatch kernel call
vamosDispatcher
dV+D
system step
Figure 6.2: Data abstraction in the case of trap handling
dispatcher kernel into account. Thus, we first introduce this weakening of
the abstraction relation in the next section and proceed than as described
above.
6.1 Weakening the Abstraction Relation
The weakening of the abstraction relation AbsV+D only affects the abstrac-
tion of the virtual machines. As mentioned in Section 5.1.1, the reason for
this is the different handling of the user-generated exceptions in the imple-
mentation and the model.
In general, the user-generated exception handling in the concrete system
happens as follows: The current process computes on the Vamp processor
and executes an instruction. Executing this instruction triggers an exception
and the Vamp calls the interrupt service routine (ISR). The ISR passes the
exception on to the Vamos kernel which – on the basis of the exception
cause and data – handles this exception. Thus, the current process runs
into the exception which is then handled in a sequential way.
The Vamos model, in contrast, abstracts from the sequential exception
handling and combines it into one step. Thereby, the main difference is that
the instruction causing the exception is not executed right at the beginning
in order to determine any exceptions. The model rather considers the corre-
sponding process output by means of the function wproc which inspects the
next instruction of the current process before the actual execution. If the
execution of the instruction would lead to an exception, the model handles
the exception in advance and delivers the result in the same moment as it
162 6. Implementation Correctness
executes the instruction. Thus, the virtual machine is kept in the original
state as long as the exception handling is not completed.
We exemplify the different approaches by the trap handling and explain
by this example, how we adjust the abstraction of the virutal machines to
cope with this situation in the proofs.
Figure 6.2 illustrates the situation on the concrete and abstract levels.
In our setting, the kernel-visible effects of the ISR are described by function
system step. It executes the instruction of the current process by means of
userstep and calls function dispatcher kernel which implements the Vamos
kernel. As we only consider the trap handling in this case, the invocation
of the Vamos kernel mainly boils down to the function dispatch kernel call.
The model represents a kernel step by means of the transition function dV+D.
As in the implementation, this function results in calling vamosDispatcher.
In our example, the states sv1 and s1V+D are correlated with each other
via the abstraction relation AbsV+D and represent the situation before the
actual kernel step. In the concrete system, the trap instruction is executed
by means of function userstep and function dispatch kernel call is invoked in
state sv2. Executing the trap instruction in the concrete system does not
yet have a counterpart in the model, i. e., the model still resides in state
s1V+D.
As we want to use function vamosDispatcher for describing the semantic
effect of the function dispatch kernel call, we establish a weak abstraction
relation weakAbsV+D between sv2 and s1V+D. It is pretty similar to the
overall abstraction relation weakAbsV+D but certainly takes the differing
virtual machine states of the current process into account.
The latter is reflected in the weak abstraction relation weak rel procsv
for the virtual user machines:
weak rel procsv σv ptrcp diff inactQ waitQ uprocs ≡
∀x . if x ∈ set inactQ then uprocs x = ⊥
else if x ∈ set waitQ
then incPcs duprocs xe = (cvm ups svcvmX).userprocesses x ∧
uprocs x 6= ⊥
else if diff ∧ ptrcp 6= Null ∧ x = svpid ptrcp
then userstep duprocs xe = (cvm ups svcvmX).userprocesses x ∧
uprocs x 6= ⊥
else uprocs x = b(cvm ups svcvmX).userprocesses xc
Virtual machines of inactive and waiting processes are abstracted in the
same way as with rel procsv. Expressing the differing virtual machine states
of the current process is made possible by two additional arguments: a
pointer ptrcp to the current process at kernel entry and a flag diff denoting
whether its virtual machine states differ. If a current process existed, i. e.,
ptrcp 6= Null and, in addition, flag diff is active, the virtual machine of the
current process in the model is the one that after the application of userstep
corresponds with its machine in the implementation. In all other cases, the
6.2. Auxiliary Functions 163
virtual machines are identical, again.
The relation weak rel procsv is also applicable in the postcondition of
dispatch kernel call in order to relate the virtual machines in the implemen-
tation state sv3 and the ones in s2V+D. If the trap handling succeeds, function
dispatch kernel call writes the corresponding result into the result register
of the current process. In the model, function vamosDispatcher also delivers
the result and executes the trap instruction. As a consequence, the states
of the virtual machines of the current process are in-sync again. The same
applies, if the trap handling failed and the current process received an error
message.
In the remaining cases, the trap handling is not yet finished. For in-
stance, if the current process triggered an IPC operation but no suitable
communication partner was available. As it has not received an error mes-
sage, it is apparently willing to wait. Accordingly, it is put into the wait
queue. For members of the wait queue, predicate weak rel procsv establishes
the corresponding relation between the virtual machine states.
In a similar way, we can use weak rel procsv in the other application
areas, i. e., in the pre- and postconditions of the Vamos scheduler or the
interrupt delivery. These entities, however, also involve the remaining datas-
tructures. Thus, we define a weak abstraction relation weakAbsV+D:
weakAbsV+D σv cup pendingStep (sV, sD) ≡
cvm devs svcvmX = sD ∧
weak rel procsv σv cup pendingStep sV.schedds.inactive sV.schedds.wait
sV.procs ∧
rel scheddsv σv sV.schedds ∧
rel priodbv σv sV.priodb sV.schedds.inactive ∧
rel sndstatdbv σv sV.procs sV.sndstatdb ∧
rel rightsdbv σv sV.schedds.inactive sV.rightsdb ∧ rel devdsv σv sV.devds
It is similar to AbsV+D but uses weak rel procsv instead of rel procsv to ab-
stract the virtual machines. In addition, it does not enforce the equivalence
between the current process identifiers of Cvm and Vamos.
6.2 Auxiliary Functions
While specifying the auxiliary functions, sv denotes the implementation state
before the invocation and t the one after the execution. We do not describe
the complete Hoare triples but only the semantic effect of the particular
functions. The complete formal definitions of the pre- and postconditions
comprise many technical details. For instance, in most cases, we cannot
rely on the complete implementation invariant but only on (adjusted) parts
of it. Furthermore, the postconditions contain information on how certain
variables have changed. Thus, a more detailed inspection would be tedious
and result rather in confusion than clarification. For this reason, we only
164 6. Implementation Correctness
focus on the essential aspects. However, the formal definitions of the pre-
and postconditions together with the corresponding Hoare triples and the
functional correctness proofs can be found in the provided theory files.
Resolving Handles. The function resolve handle implements the map-
ping from process-local handles to process-identifiers. Invoked by a process
p, it resolves the given handle hn in p’s context and returns the corre-
sponding process-identifier pid. The specification basically relies on the
assumption that rel rightsdbv establishes a relation between the concrete
rights datastructures in sv and the abstract ones rightsdb. Return values pid
∈ {0, PID MAX} indicate that handle hn is invalid in the context of p. On
the abstract level, this situation is expressed by drightsdb (svpid p)e.hdb hn
= ⊥ and ¬ valid handle rightsdb (svpid p) hn. The handle hn is valid, if pid
denotes a process-identifier. Accordingly, the entry in the abstract handle
database of p stores the corresponding process number, i. e., drightsdb (svpid
p)e.hdb hn = bpidc.
The theory file vamosResolveHandle.thy contains the corresponding
Hoare triple together with the functional correctness proof. Proving the
functional correctness of function resolve handle is rather simple which is
reflected by only around 60 proof steps.
Putting processes to sleep and waking them up. The task of putting
a process to sleep is encapsulated in function put process to sleep and func-
tion wake up is used to wake up processes. At the very beginning, the spec-
ifications rely on the assumption that the concrete scheduling lists in sv can
be related to their abstract counterparts via Queue. In both cases, the ready
queues RdyQs and the wait queue waitQ are used to describe the semantic
effect. Furthermore, there is the abstract priority database priodb which is
obtained by rel priodbv.
Putting a process p to sleep involves its removal from the ready queue
and its appending to the wait queue. The former is described by RdyQs(priop
:= [x∈RdyQs priop . x 6= svpid p]), where priop = dpriodb (svpid p)e. Updat-
ing the wait queue is also straightforward: WkpQ @ [svpid p]. The function
put process to sleep does not set the timeout value of p. Apart from that,
its semantic complies with function v ipc wait updt schedds.
The theory file vamosPutProcessToSleep.thy contains the Hoare triple
for put process to sleep together with the functional correctness proof. The
most effort is necessary to establish the invariants regarding the wait and
the ready lists. In total, the proof comprises around 570 steps.
The awakening of a process p involves its removal from waitQ and its
appending to RdyQs priop. Function wake up, however, does not reset
the consumed time to 0. Nevertheless, apart from the latter, the semantic
effect on the ready and wait queues complies with the one described by
6.3. Correctness of the Timer-Interrupt Handler 165
v wkp updt schedds.
The theory file vamosWakeUp.thy contains the Hoare triple for wake up
together with the functional correctness proof. Again, the most effort is
necessary to establish the invariants regarding the wait and the ready lists.
The proof comprises ca. 640 steps.
Computing the current maximum priority. As the call graph illus-
trates, putting a process to sleep entails the re-computation of the maximal
priority current max prio by the function compute max prio. Based on ab-
stract ready queues RdyQs, the result of this computation can be expressed
as follows: tcurrent max prio = Max ({i . i < PRIOCNT ∧ sV.schedds.ready i
6= [ ]} ∪ {0}).
The theory file vamosComputeMaxPrio.thy contains the corresponding
Hoare triple together with the functional correctness proof. Proving the
functional correctness is rather straightforward and the proof only requires
60 steps.
Searching the next process. Usually, the awakening of a process or
putting it to sleep requires the re-computation of the current process cur-
rent process. The function search next process encapsulates this task. Its
specification relies on the assumption that, at the beginning, ready queues
RdyQs can be abstracted from the implementation state sv via Queue. Set-
ting current process to Null is equivalent with the statement that the ready
queue of the highest priority is empty: (tcurrent process = Null) = (RdyQs
svcurrent max prio = [ ]). If tcurrent process 6= Null, the corresponding pro-
cess number denotes the head of the ready queue with the highest priority,
i. e., tpid tcurrent process = hd (RdyQs svcurrent max prio).
The theory file searchNextProcess.thy contains the Hoare triple to-
gether with the functional correctness proof which comprises around 30
steps.
6.3 Correctness of the Timer-Interrupt Handler
The implementation correctness of the timer-interrupt handler was already
briefly covered in [27]1 and lays the foundation for the fairness proof of the
Vamos scheduler [27, 25].
The Vamos scheduler is implemented in function handle timer (see Fig-
ure 6.3), which is called by dispatcher kernel, whenever a timer interrupt
1A very early attempt of showing the implementation correctness of the timer-interrupt
handler presents [19]. However, we only mention this work for the sake of completeness.
On the one hand, the specification of the Vamos scheduler has significantly changed in
the course of time and, on the other hand, the work only presents rudimentary approaches
regarding the actual functional verification.
166 6. Implementation Correctness
occurs. Recall that the scheduler might be invoked after the trap handling
which might change the variable current process. In order to charge the cor-
rect process, we store the pointer current process at the very beginning in
variable old cup and provide this variable as input to function handle timer
which performs the following tasks:
• acknowledge the timer interrupt by reading a word from the timer
device by calling cvm in word, such that the latter may lower its in-
terrupt line.
• if there exist finite timeouts, i. e., next timeout 6= INFINITE TIMEOUT,
increase the current time and check for elapsed timeouts. This check is
encapsulated in function check elapsed timeouts, which traverses the
wait queue, wakes up all processes with elapsed timeouts, and sub-
tracts the current time from all other timeouts. Finally, the current
time is set to zero which avoids the overflow of the current time vari-
able.
• charge the process old cup that computed in the last step, if it is
still ready. If the so far consumed time of old cup is greater than or
equal to its timeslice, the process is moved to the end of its ready list.
Therefore, it is first deleted from the list and then appended again. In
addition, the consumed time is set to zero. Otherwise, the consumed
time is increased by one.
• elect the process that runs in the next kernel step by means of the
function search next process, which returns the first element in the
ready list with the current maximum priority.
The functional correctness of the timer-interrupt handler mainly relies on
the functional correctness of check elapsed timeouts. Thus, we first briefly
describe the proof of the latter and continue afterwards with the correctness
theorem of the timer-interrupt handler.
6.3.1 Implementation Correctness of check elapsed timeouts
As with the auxiliary functions, we do not present the complete formal spec-
ification of function check elapsed timeouts but only describe its semantic
effect. For more details, we refer to the corresponding theory file.
The semantic effect of function check elapsed timeouts only affects the
virtual machines and the scheduling datastructures. Accordingly, the proof
is based on the assumption that the relations rel procsv and rel scheddsv
can be established between the concrete and abstract datastructures. Note
that the precondition cannot assume the complete implementation invari-
ant implInv but only a part of it together with several adjusted proper-
ties. Recall that check elapsed timeouts is applied after increasing the time
6.3. Correctness of the Timer-Interrupt Handler 167
procedures handle timer(old cup | res int) =
(∗ acknowledge the timer interrupt ∗)
′dummy :== CALLg cvm in word(DEVICE TIMER, 0);
(∗ detect and handle elapsed IPC timeouts ∗)
IFg ′next timeout 6= INFINITE TIMEOUT THEN
′current time :==g ′current time + 1
FI;
IFg ′current time ≥ ′next timeout THEN
′dummy i :== CALLg check elapsed timeouts()
FI;
(∗ charge the process that computed in the last step ∗)
IFg ′old cup 6= Null ∧ ′old cup → ′state = READY STATE THEN
IFg ′old cup→ ′consumed time ≥ ′old cup→ ′timeslice THEN
′ready lists ! ( ′old cup→ ′priority) :==
CALLg queueDelete( ′ready lists ! ( ′old cup→ ′priority), ′old cup);
′ready lists ! ( ′old cup→ ′priority) :==
CALLg queueAppend( ′ready lists ! ( ′old cup→ ′priority), ′old cup);
′old cup→ ′consumed time :==g 0
ELSE
′old cup→ ′consumed time :==g ′old cup→ ′consumed time + 1
FI
FI;
(∗ select the process that runs in the next step ∗)
′dummy i :== CALLg search next process();
′res int :==g 0
Figure 6.3: Function handle timer
168 6. Implementation Correctness
in function handle timer, which may lead to a situation where, e. g., the
time is no longer smaller than MAX TIME. Thus, in the precondition for
check elapsed timeouts, we have to adjust, among other things, the time-
related properties of implInv, accordingly. The same applies for the post-
condition. For instance, we cannot establish the complete validity require-
ments for ready lists, where the head of the ready list of the highest prior-
ity determines the current process. Waking up processes, as it happens in
check elapsed timeouts could violate this property, because the highest pri-
ority might change. This violation is not resolved until the point, where func-
tion search next process is called in handle timer. Apart from that the post-
condition also states the semantic effect of calling check elapsed timeouts.
Both, the virtual machines and the scheduling datastructures, are updated
in the way as described by the model function checkTimeouts. The Hoare
triple of checkTimeouts and the formal functional correctness proof can be
found in the theory file vamosCheckElapsedTimeouts proof.thy. Due to
the traversing of the wait queue and the awakening of processes, showing the
functional correctness of function checkTimeouts is pretty elaborate which
is reflected in almost 4700 proof steps.
6.3.2 Implementation Correctness of handle timer
For a better reusability in the correctness proof of function dispatcher kernel,
we encapsulate the pre- and postconditions of function handle timer in pred-
icates.
The predicate handleTimerpre formulates the precondition:
handleTimerpre σv old cup diff sV sD ≡ weakAbsV+D σv old cup diff (sV, sD) ∧
implInv σv sV ∧ old cup = Null ∨ old cup ∈ set svpib ∧
(old cup 6= Null ∧ diff −→ svpid old cup /∈ set sV.schedds.wait)
Relation weakAbsV+D depends on old cup and diff , whereas implInv is stated
as usual. The old cup is either Null or denotes a pointer to a process infor-
mation block. Furthermore, if a current process old cup has been apparent
at kernel entry and flag diff is active, the process is not waiting. This
statement actually reflects the situation that old cup has neither triggered
a runtime-error nor a trap exception but performed a process-local transi-
tion. Accordingly, the timer-interrupt handler is the first function which is
called in the Vamos kernel and the virtual machines of old cup still differ.
This property allows to exclude process old cup from the check for elapsed
timeouts and is thus passed on as a precondition of check elapsed timeouts.
The postcondition is stated by the predicate handleTimerpost:
handleTimerpost τ σv old cup diffcp sV sD =⇒
let sD ′ = fst (δDint (readWV DEV TIMER 0 1) sD);
sV
′ = handleTimer sV (if old cup = Null then ⊥ else bsvpid old cupc)
in weakAbsV+D τ old cup diffcp (sV ′, sD ′) ∧ implInv τ sV ′
6.4. Correctness of the Trap Handler 169
The abstract device state sD ′ reflects the acknowledgement of the timer in-
terrupt by reading one word from port 0 and function handleTimer computes
the adjacent Vamos state sV ′. Similar to handle timer, it gets the identifier
of the current process at kernel entry. This identifier denotes ⊥, if no cur-
rent process was apparent at kernel entry, i. e., old cup = Null. Otherwise,
it delivers the corresponding abstract process number. Again, weakAbsV+D
and implInv are preserved.
Note that the postcondition comprises also statements that some datas-
tructures are not changed during execution. This information is rather tech-
nical and thus omitted in this presentation.
With the assumption that the Cvm primitive cvm in word, the list li-
brary, and the functions check elapsed timeouts and search next process are
implemented correctly, we finally can prove the correctness of the function
handle timer:
Theorem 6.3.1 (Correctness of the Timer-Interrupt Handler) The
semantic effect of the function handle timer can be described by handleTimer
and the execution preserves the abstraction relation weakAbsV+D and the im-
plementation invariant implInv.
∀σv diff sV sD.
Γ `t {|σv. handleTimerpre σv svold cup diff sV sD|}
′res int :== PROC handle timer( ′old cup)
{|τ. handleTimerpost τ σv svold cup diff sV sD|}
Proof The proof of this function involves at the one hand, a case split over
the three cases distinguished in the implementation. Hence, we show that
the charging policy is correctly implemented with regard to the specification
function charge. At the other hand, we have to establish the precondition
for check elapsed timeouts. With this prerequisite in place, we use its spec-
ification checkTimeouts to establish the claim of our theorem. Additionally,
the state invariant implInv is again recovered. The Hoare triple of function
handle timer and the functional correctness proof can be found in theory file
vamosHandleTimer proof.thy. Almost 4900 proof steps are necessary to
show the latter. uunionsq
6.4 Correctness of the Trap Handler
The function dispatch kernel call represents the Vamos trap handler in the
implementation. Whenever the current process has triggered a trap excep-
tion, it is called by the Vamos kernel and provided with the trap number
trapnr as input. Based on this trap number, dispatch kernel call implements
a case distinction, reads the arguments out of the registers of the current
process and executes the desired kernel call. For example, the trap number
6 is associated with the Vamos call set privileges, which is realized by
170 6. Implementation Correctness
the function set privileges. Except for the IPC calls, the dedicated functions
return with a result value, which is written into the result register of the
current process. The result delivery in case of an IPC call is more elaborate
and accomplished within the according functions. Nevertheless, writing the
result value completes the trap handling and dispatch kernel call returns to
dispatcher kernel.
The implementation correctness of dispatch kernel call involves the im-
plementation correctness of the particular Vamos calls. Subsequently, we
sketch the specifications and proofs of the already proven ones and combine
them to the correctness statement of the Vamos trap handler, later on.
6.4.1 Implementation Correctness of Function set privileges
The Vamos trap handler calls function set privileges, if the trap number
denotes 6. As input parameter, it provides a handle hn, which is taken out
of the register 11 of the current process.
Functionality. In a first step, function set privileges resolves the handle
hn by means of function resolve handle. If the return value pid denotes a
process-identifier and the current process is privileged, it activates the priv-
ileged status of process pid. In addition, it signals the successful operation
by setting the return value to 0. The return value is set to an error code,
if either the current process is not privileged or pid does not denote a valid
process identifier, i. e., hn is invalid.
Precondition. Predicate setPrivilegespre describes the precondition and
must be discharged in the context of dispatcher kernel call, whenever it calls
the function set privileges:
setPrivilegespre σv hn sV sD ≡
weakAbsV+D σv svcurrent process True (sV, sD) ∧ implInv σv sV ∧
svcurrent process 6= Null ∧ 0 ≤ hn < 232 ∧
(∃hn. ωproc dsV.procs dv cup sV.scheddsee = set privileged hn)
The implementation state sv together with the abstract states sV and sD fulfill
the abstraction relation weakAbsV+D and the state invariant implInv. As a
trap instruction was triggered, it is further assumed that the current process
exists, i. e., current process 6= Null. This also involves that the flag diff in
weakAbsV+D is set to True. In addition, hn denotes a 32-bit natural number
and the process output of the current process denotes set privileged.
Postcondition. The predicate setPrivilegespost encapsulates the postcon-
ditions of function set privileges:
setPrivilegespost τ σv res hn sV sD =⇒
let sD ′ = sD; sV ′ = vamos set privileges inter sV (to int32 hn)
6.4. Correctness of the Trap Handler 171
in res =
result value int
(vamos result set privileges sV.rightsdb dv cup sV.scheddse (to int32 hn)) ∧
weakAbsV+D τ svcurrent process True (sV ′, sD ′) ∧ implInv τ sV ′
It denotes the implementation state after the execution with t, the result of
set privileges with res and the handle to the process whose privileged status
should be activated with hn. Furthermore, sV and sD represent the original
abstract states.
While the devices remain unchanged, the new abstractVamos state sV ′ is
determined by function vamos set privileges inter. This function is similar
to the specification function vamos set privileges but does not yet specify
the result delivery to the current process. The reason for this is, that not
set privileges writes the result into the corresponding register of the current
process but dispatch kernel call. Thus, set privileges is only concerned with
setting the privileged status and with the computation of the result value.
Hence, we define:
vamos set privileges inter sV hn ≡
let pcp = dv cup sV.scheddse; phn = dsV.rightsdb pcpe.hdb hn;
res = vamos result set privileges sV.rightsdb pcp hn
in if is error res then sV
else sV(|rightsdb := sV.rightsdb(dphne 7→ dsV.rightsdb dphnee(|priv := True|))|)
Apart from that, setPrivilegespost claims that the result value res is equal
to the one returned by vamos result set privileges. Finally, the abstraction
relation and the state invariant are preserved.
Note that the trap handling is only completed with writing the result
register of the current process. As this does not yet happen in set privileges,
the virtual machines of the current process still differ after the execution.
Thus, the flag diff in weakAbsV+D is still True.
Correctness. Based on the pre- and postconditions, we formulate the
following correctness theorem.
Theorem 6.4.1 (Correctness of set privileges) The semantic effect of the
function set privileges is described by vamos set privileges inter. Further-
more, the execution of the function set privileges preserves the abstraction
relation weakAbsV+D and the implementation invariant implInv.
∀σv sV sD.
Γ `t {|σv. setPrivilegespre σv ′hn sV sD|}
′res int :== PROC process set privileges( ′hn)
{|τ. setPrivilegespost τ σv ′res int svhn sV sD|}
Proof The precondition for function resolve handle directly follows from
the one of set privileges. With it, we get the relation between pid (the re-
sult from resolving the handle) and the abstract process number phn used in
172 6. Implementation Correctness
vamos set privileges inter. Furthermore, we have to establish the relations
between the errors in the implementation and their counterparts in the spec-
ification. Remember that the Vamos call set privileges is reserved for
privileged processes. Thus, we have to show, for instance, that privileged
sV.rightsdb dv cup sV.scheddse only applies iff privileged current process.
Based on such relations, we can show that the result value res int cor-
responds with the value returned by vamos result set privileges. In case of
success, the actual setting of the privileged status is straightforward.
The theory file vamosSetPrivileges proof.thy contains the correspond-
ing Hoare triple and the functional proof which comprises 100 steps. uunionsq
6.4.2 Implementation Correctness of Function
process change scheduling param
Changing the scheduling parameters of a process is encapsulated in function
process change scheduling param. It is called by the Vamos trap handler,
if the current process executed a trap instruction with trap number 4. As
input parameters, it takes a handle hn, a timeslice tsl and a priority prio,
which are taken out of the registers of the current process.
Functionality. In a first step, function process change scheduling param
resolves the handle hn by means of function resolve handle. If the return
value pid does not represent a process-identifier or one of the remaining
arguments is invalid, it only sets the return value to the corresponding error
code. Otherwise, function process change scheduling param performs the
following tasks:
• If the priority of an ready process pid should be changed, the process
is taken out of its former ready list and appended to the one of priority
prio. In addition to that, its consumed time is reset to 0. Changing
the priority might change the current maximum priority as well as
the current process. The former is computed by compute max prio
and function search next process is used to elect the process that runs
next.
• Otherwise, only the values of the timeslice and the priority are updated
to tsl and prio, respectively.
Precondition. The precondition chngSchedParamspre is similar to the one
for set privileges and defined as follows:
chngSchedParamspre σv hn tsl prio sV sD ≡
weakAbsV+D σv svcurrent process True (sV, sD) ∧ implInv σv sV ∧
svcurrent process 6= Null ∧ 0 ≤ hn < 232 ∧ 0 ≤ tsl < 232 ∧
0 ≤ prio < 232 ∧
6.4. Correctness of the Trap Handler 173
(∃hn tsl prio.
ωproc dsV.procs dv cup sV.scheddsee = chg sched params hn tsl prio)
Postcondition. The postcondition chgSchedParamspost is also similar to
the one of set privileges. Again, a function vamos change sched param inter
is defined which, except for the result delivery, corresponds with the speci-
fication function vamos change sched param:
vamos change sched param inter sV hnvictim tslnew prionew ≡
let pcp = dv cup sV.scheddse; pvictim = ddsV.rightsdb pcpe.hdb hnvictime;
res = vamos result change sched param sV.rightsdb pcp hnvictim prionew
in if is error res then sV
else sV(|schedds := v chng sched param updt schedds sV.schedds sV.priodb
sV.rightsdb pcp hnvictim tslnew dprionewe,
priodb := sV.priodb(pvictim := prionew)|)
Accordingly, the postcondition claims that the new Vamos state sV ′
is determined by function vamos change sched param inter. The result res
has to correspond to the value returned by vamos result change sched param
and the abstraction relation as well as the implementation invariant have to
be preserved:
chgSchedParamspost τ σv res hn tsl prio sV sD =⇒
let sV ′ = vamos change sched param inter sV (to int32 hn) tsl
(reg2prio (to int32 prio));
sD
′ = sD
in res =
result value int
(vamos result change sched param sV.rightsdb dv cup sV.scheddse
(to int32 hn) (reg2prio (to int32 prio))) ∧
weakAbsV+D τ svcurrent process True (sV ′, sD ′) ∧ implInv τ sV ′
Correctness. Based on the assertions above, we formulate the following
correctness theorem.
Theorem 6.4.2 (Correctness of process change scheduling param) The
semantic effect of function process change scheduling param is described by
the abstract function vamos change sched param inter. Furthermore, the
execution of process change scheduling param preserves the abstraction re-
lation weakAbsV+D and the implementation invariant implInv.
∀σv sV sD.
Γ `t {|σv. chngSchedParamspre σv ′hn ′tsl ′prio sV sD|}
′res int :== PROC process change scheduling param( ′hn, ′tsl,
′prio)
{|τ. chgSchedParamspost τ σv ′res int svhn svtsl svprio sV sD|}
Proof Similar as above, the precondition for function resolve handle di-
rectly follows from the one of process change scheduling param. With it, we
174 6. Implementation Correctness
get the relation between pid (the result from resolving the handle) and the
abstract process number pvictim used in vamos change sched param inter to
determine the process whose scheduling parameters should be changed. We
also establish the relations between the different error representations in the
concrete and abstract levels. More effort is involved, if a rearrangement of
the ready queues is necessary. In this case, we have to show that the semantic
effect can be described by the function v chng sched param updt schedds
and that the list properties, as required by implInv, are preserved. The lat-
ter is ensured by the application of the functions compute max prio and
search next process. Showing the correspondance of the updates of the
timeslice and the priority, in contrast, is straightforward.
The theory file vamosChngSchedParams proof.thy contains the corre-
sponding Hoare triple together with the functional correctness proof com-
prising 1700 steps. uunionsq
6.4.3 Implementation Correctness of IPC
As in the specification, the IPC implementation breaks up into several
stages. The first-level functions are those directly called by function dis-
patch kernel call with corresponding arguments. Accordingly, the Vamos
call ipc send is realized by the function ipc send and ipc receive is as-
sociated with ipc receive. Function ipc send receive realizes the combined
call ipc request. Within these functions, the implementation checks for
invocation errors, stores the call arguments in the process information block
of the calling process and, as shown in the call graph in Figure 6.1, invokes
the second-level functions.
The linchpin of these second-level functions is ipc communication which
implements the actual transmission. As the call graph depicts, it invokes
various auxiliary functions. One of it is ipc schedule receive which is also
used in the context of ipc receive. It is invoked by the latter, if neither a
suitable sender exists nor the delivery of kernel notifications is possible. In
this case, the receiver either gets an timeout error (if an immediate timeout
was specified) or is prepared for waiting. Both actions are implemented by
ipc schedule receive. In the context of ipc communication, only preparing a
process for waiting is necessary. If the transmission was part of a combined
send and receive operation, the sender is forced to wait.
Before the actual transmission, ipc send and ipc send receive first call
function ipc initiate send. It tries to establish a rendez-vous situation with
a receiver and, in case of success, calls ipc communication. Otherwise, it
puts the sender to sleep or writes an timeout error into its result register
and aborts the call, after a new current process was elected.
Subsequently, we briefly introduce the functionality and specification of
function ipc communication. Later on, we use the specification and sketch
the implementation correctness proofs of the particular IPC calls.
6.4. Correctness of the Trap Handler 175
Implementation Correctness of Function ipc communication
The call graph in Figure 6.1 illustrates that the implementation of the func-
tion ipc communication is far too complex for being presented, here. Thus,
we confine ourselves to the intended functionality and relate the different
parts to their rough abstract counterparts.
The function ipc communication realizes the communication between two
processes, as seen from the receiver’s point of view. For this reason, it
is occupied with the process-identifier rcv pid of the receiving process as
input. The corresponding pointer receiver can be obtained from the list of
process pointers, i. e., pib ! rcv pid. The execution of this function relies on
the assumption, that the arguments are stored in the PIBs of the processes
involved and that these arguments already passed through the initial checks,
i. e., are valid.
Determining the Sender. In a first step, ipc communication determines
the sender. The desired IPC partner of the receiver is stored in ipc pid
receiver. If this entry delivers 0, the receiver performs an open-receive and
the potential senders can be found in the send queue accessed by send queue
receiver. Otherwise, the entry denotes the PID of the desired sender.
The implementation actually performs the same checks as in the spec-
ification. If the message length of a potential sender is too large, the cor-
responding process is provided with an error message and waken up. The
awakening of a process is taken over by the function wake up. Setting the
result register is done by means of the Cvm primitive cvm set vm gpr.
The description of the semantic effect of the error message delivery is
included in the specification function v ipc rcv updt procs. Waking up the
processes is covered by function v ipc rcv updt schedds.
The theory file vamosIpcComm determineSender.thy contains the Hoare
triple of the part which determines the sender and the functional correct-
ness proof. Due to the various case distinctions, this proof is complex and
requires around 4600 steps.
Transmission. If a suitable sender remains after the checks above, the
actual transmission starts. Thus, the send message is copied into the virtual
memory of the receiver and, according to the call arguments of the sender,
the receiver’s handle database is updated. The former is done by means of
the Cvm primitive cvm copy, whereas the update of an entry in the handle
database is encapsulated into the auxiliary function update hdb. For details
regarding the Hoare triple of update hdb and the corresponding proof of the
implementation correctness (around 800 steps), see vamosUpdateHdb.thy.
Apart from the updates of the internal kernel datastructures, the sender
as well as the receiver are informed about the successful operation. For
this purpose, the kernel uses the Cvm primitive cvm set vm gpr to write
176 6. Implementation Correctness
the according result registers. In addition, the receiver is also provided
with kernel notifications which are written into certain registers, as well.
The semantic effect of the message copying and the result delivery is part
of the specification function v ipc trans updt procs. Updating the handle
database is covered by function v ipc trans updt rightsdb.
In the remaining steps, the kernel cleans up and sets the implementation
into a consistent state again. Thus, as long as the sender is not allowed to
perform multiple send operations to the receiver, the Vamos kernel revokes
all its rights to the receiver. The effect of this revoking describes the update
of the sender’s rights database in v ipc trans updt rightsdb.
A transmission also affects the process states. Thereby, the kernel dis-
tinguishes whether the receiver or the sender acted as current process. If
the receiver represents the current process, it suffices to set its state to
ready again. Otherwise, it has been waiting before and function wake up
is applied in order to wake it up again. The effects of the latter opera-
tion describes v wkp updt schedds. Regarding the sender, the kernel dis-
tinguishes whether the transmission was part of an ordinary send or a com-
bined send and receive operation. In the former case, the sender has to
be waken up as long as it is not the current process. Otherwise, only its
state is set to ready again. In the latter case, the sender is prepared for
the succeeding receive phase. The auxiliary function ipc schedule receive
encapsulates the required steps. In this situation, the specification func-
tion v ipc wait updt schedds describes its semantic effect. The theory file
vamosIpcScheduleReceive.thy contains the Hoare triple of the function
ipc schedule receive and the corresponding formal correctness proof com-
prising almost 400 steps.
No Transmission. In case that no suitable sender can be found, the
Vamos kernel examines the possibility of delivering kernel notifications. If
possible, the auxiliary function deliver notifications writes the relevant infor-
mation into dedicated registers of the receiver. Otherwise, the receiver either
receives an error message due to a timeout error or is prepared for waiting.
For this purpose, the kernel again uses function ipc schedule receive. The
semantic effect is part of the specification functions v ipc rcv updt procs
and v ipc rcv updt schedds, if no communication takes place.
Summary. Specifying and proving the implementation correctness of func-
tion ipc communication is pretty elaborate, because many invocation sce-
narios have to be taken into account. Although not explicitly specified in
this way, in the overall context of an IPC operation, the semantic effect of
ipc communication can be described, more or less accurately, by the ded-
icated update functions defined in the context of vamos ipc receive, like
v ipc rcv updt procs for the virtual machine update. If ipc communication
6.4. Correctness of the Trap Handler 177
is called in the context of an IPC send operation, these functions boil down
to the transition functions, i. e., v ipc trans updt procs, etc.. The com-
plete formal specification of the function ipc communication together with
the associated implementation correctness proof can be found in the theory
file vamosIpcCommunication.thy. The complexity of ipc communication is
also reflected in the correctness proof which altogether comprises around
20.000 steps. Thereby, the parts which determine the sender (4600 steps),
update the handle databases (1500 steps), and update the process states
(1600 steps) are the most complex ones. Furthermore, the combination of
all these particular parts entails a lot of effort.
Implementation Correctness of Function ipc send
The IPC send operation is encapsulated in function ipc send. It is called by
the Vamos trap handler, if the current process executed a trap instruction
with trap number 12. As input parameters, it takes the handle rcv handle
to the desired receiver and the rights snd rights that should be granted,
the handle add handle to the additional process together with the rights
add rights, the start address snd msg ptr and the length snd msglen of
the memory message, and the timeout snd timeout.
Functionality. By means of function resolve handles, function ipc send
first resolves the given handles. If this results in invalid process-identifiers or
if the other arguments are invalid, an error code is written into the result reg-
ister of the current process and the call is aborted. Otherwise, the arguments
are stored in the corresponding components of the PIB of the current process
and function ipc initiate send is invoked. This function tries to establish a
rendez-vous situation with a receiver and invokes ipc communication, in case
of success. Otherwise, the sender either gets a timeout message or is sched-
uled for a later sending. The latter involves function put process to sleep
in order to put the sender into the wait list. This, in turn, may change the
current process and function search next process is invoked to elect the next
one.
Precondition. The precondition ipcSendpre of function ipc send is defined
as follows:
ipcSendpre σv rcv handle snd rights add handle add rights snd timeout
snd msg ptr snd msglen sV sD ≡
weakAbsV+D σv svcurrent process True (sV, sD) ∧ implInv σv sV ∧
svcurrent process 6= Null ∧
(∃hnrcv rightssnd msg hnadd rightsadd tosnd.
ωproc dsV.procs dv cup sV.scheddsee =
ipc send hnrcv rightssnd msg hnadd rightsadd tosnd) ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 11) =
178 6. Implementation Correctness
rcv handle ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 12) =
snd rights ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 13) =
snd msg ptr ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 14) =
snd msglen ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 18) =
add rights ∧
dsV.procs (svpid svcurrent process)e.gprs ! 19 = snd timeout ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 17) =
add handle
As usual, the precondition requires the abstraction relation and the imple-
mentation invariant. Furthermore, the current process (the sender) must
exist, i. e., current process 6= Null. Apart from that, predicate ipcSendpre
also fixes the sources registers of the arguments. This is necessary in order
to preserve the properties of IPC operations as requested by ipcProps. For
the same reason, it is also required that the process output of the current
process denotes ipc send.
Postcondition. The predicate ipcSendpost describes the postcondition of
function ipc send:
ipcSendpost τ σv rcv handle rights add handle add rights snd timeout
snd msg ptr snd msglen sV sD =⇒
let sV ′ =
vamos ipc send sV (to int32 rcv handle)
(num2rights (to int32 rights))
(build memobj dsV.procs dv cup sV.scheddsee snd msg ptr
snd msglen)
(to int32 add handle) (num2rights (to int32 add rights))
(int2timeout snd timeout);
sD
′ = sD
in weakAbsV+D τ svcurrent process False (sV ′, sD ′) ∧ implInv τ sV ′
The devices remain unchanged and the new Vamos state sV ′ is computed
by the specification function vamos ipc send. Together with the new im-
plementation state t, it fulfills the abstraction relation as well as the imple-
mentation invariant.
Correctness. The implementation correctness of ipc send is stated with
the following theorem.
Theorem 6.4.3 (Correctness of ipc send) The semantic effect of func-
tion ipc send is described by the model function vamos ipc send. Further-
more, the execution of the function ipc send preserves the abstraction rela-
tion weakAbsV+D and the implementation invariant implInv.
6.4. Correctness of the Trap Handler 179
∀σv sV sD.
Γ `t {|σv. ipcSendpre σv ′rcv handle ′rights ′add handle ′add rights
′snd timeout ′snd msg ptr ′snd msglen sV sD|}
′res int :== PROC ipc send( ′rcv handle, ′rights, ′snd msg ptr,
′snd msglen, ′add handle, ′add rights, ′snd timeout)
{|τ. ipcSendpost τ σv svrcv handle svrights svadd handle svadd rights
svsnd timeout svsnd msg ptr svsnd msglen sV sD|}
Proof The initial checks regarding the validity of the call arguments basi-
cally realize the abstract function ipc send invoc err. Calling initiate send
has the following impacts: If a transmission is possible, it calls the func-
tion ipc communication. Thus, we have to discharge the precondition of
ipc communication and may then use its specification to establish the claim
of the theorem. If no transmission is possible, initiate send either calls
put process to sleep to prepare the sender for waiting or sends an error
message due to a timeout error. Both actions can directly be related to the
effects described in vamos ipc send.
The theory file vamosInitiateSend.thy contains the Hoare triple and
the functional correctness proof (1300 steps) of function initiate send. Rely-
ing on this, vamosIpcSend proof.thy presents the same one for the function
vamos ipc send. Showing the functional correctness of vamos ipc send re-
quires approximately 2000 steps. uunionsq
In a similar way, we can specify and show the implementation correctness
of the function ipc send receive.
The theory file vamosIpcSendReceive proof.thy contains the corre-
sponding Hoare triple and the functional correctness proof. The latter com-
prises 2100 steps.
Implementation Correctness of Function ipc receive
Function ipc receive implements the IPC receive operation. It is called
by the Vamos trap handler, if the current process executed a trap in-
struction with trap number 11. As input parameters, it takes the handle
snd handle to the desired sender, the start address rcv msg ptr and the
length rcv msglen of the buffer, and the timeout rcv timeout.
Functionality. By means of function resolve handles, ipc receive first re-
solves the handle to the sender. If this results in an invalid process-identifier
and neither an open-receive nor a closed-receive from the kernel is desired,
the according error code is written into the result register and the call is
aborted. The same happens, if the remaining arguments are invalid. Other-
wise, the arguments are stored in the corresponding components of the PIB
of the current process.
180 6. Implementation Correctness
If a rendez-vous situation can be established, ipc receive initiates the
transmission by calling function ipc communication. If no rendez-vous sit-
uation can be established and the receiver is ready to receive kernel no-
tifications, function deliver notifications is called. Otherwise, the receiver
either gets an error message due a timeout or is prepared for waiting. For
both actions function ipc schedule receive is used. In addition, function
search next process elects the next current process.
Precondition. The precondition ipcReceivepre of function ipc receive is
similar to the one of ipc send. Only the source registers and the process
output are adjusted:
ipcReceivepre σv snd handle rcv msg ptr rcv msglen rcv timeout sV sD ≡
weakAbsV+D σv svcurrent process True (sV, sD) ∧ implInv σv sV ∧
svcurrent process 6= Null ∧
(∃hnsnd buffer torcv.
ωproc dsV.procs dv cup sV.scheddsee =
ipc receive hnsnd buffer torcv) ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 11) =
snd handle ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 15) =
rcv msg ptr ∧
to nat32 (dsV.procs (svpid svcurrent process)e.gprs ! 16) =
rcv msglen ∧
dsV.procs (svpid svcurrent process)e.gprs ! 20 = rcv timeout
Postcondition. The predicate ipcReceivepost describes the postcondition
of ipc receive:
ipcReceivepost τ σv snd handle rcv msg ptr rcv msglen rcv timeout sV
sD =⇒
let sV ′ =
vamos ipc receive sV (to int32 snd handle)
(build buffer dsV.procs dv cup sV.scheddsee rcv msg ptr
rcv msglen)
(int2timeout rcv timeout);
sD
′ = sD
in weakAbsV+D τ svcurrent process False (sV ′, sD ′) ∧ implInv τ sV ′
The devices remain unchanged and the new Vamos state sV ′ is computed
by the specification function vamos ipc receive. Together with the new im-
plementation state t, it fulfills the abstraction relation as well as the imple-
mentation invariant.
Correctness. The implementation correctness of ipc receive is stated with
the following theorem.
6.4. Correctness of the Trap Handler 181
Theorem 6.4.4 (Correctness of ipc receive) The semantic effect of func-
tion ipc receive is described by the model function vamos ipc receive. Fur-
thermore, the execution of ipc receive preserves the abstraction relation
weakAbsV+D and the implementation invariant implInv.
∀σv sV sD.
Γ `t {|σv. ipcReceivepre σv ′snd handle ′rcv msg ptr ′rcv msglen
′rcv timeout sV sD|}
′res int :== PROC ipc receive( ′snd handle, ′rcv msg ptr,
′rcv msglen, ′rcv timeout)
{|τ. ipcReceivepost τ σv svsnd handle svrcv msg ptr svrcv msglen
svrcv timeout sV sD|}
Proof The initial checks can basically be described by the abstract func-
tion ipc rcv invoc err. We have to discharge the precondition of the func-
tion ipc communication, if a transmission is possible. With its specifica-
tion, we are able to establish the claim of the theorem. If no transmission
is possible but the delivery of kernel notifications, we have to discharge
the precondition of deliver notifications. In this case, the abstract function
v ipc rcv updt procs describes the updates of the virtual machines. The
remaining datastructures remain untouched and we can establish the claim
of the theorem. Otherwise, we have to discharge the preconditions of the
functions ipc schedule receive and search next process and use their post-
conditions to proof the theorem.
The theory file vamosIpcReceive proof.thy contains the Hoare triple
and the functional correctness proof with almost 2900 steps. uunionsq
6.4.4 Implementation Correctness of Function
dispatcher kernel call
The previous sections introduced the correctness statements and proofs of
the IPC functions, process change sched param and set privileges. In a
similar way, we can formulate such statements for the remaining Vamos
calls. Even if not proven, the particular specifications can be used for the
correctness proof of the Vamos trap handler implemented in function dis-
patcher kernel call.
As usual, the correctness statement relies on a pre- and postcondition.
Precondition. The predicate handleTrappre encapsulates the precondi-
tion:
handleTrappre σv trapnr sV sD ≡
weakAbsV+D σv svcurrent process True (sV, sD) ∧
implInv σv sV ∧
svcurrent process 6= Null ∧
(mca nat (sV.procs (svpid svcurrent process)) sD (cvm ups svcvmX).statusreg ∧u
182 6. Implementation Correctness
UEXCEPT MASK) =
0 ∧
(mca nat (sV.procs (svpid svcurrent process)) sD (cvm ups svcvmX).statusreg ∧u
EXCEPT TRAP) 6=
0 ∧
edata nat dsV.procs (svpid svcurrent process)e = trapnr
Apart from claiming the abstraction relation, the implementation invariant
and an existing current process, handleTrappre also makes some demands
on the invocation context of dispatch kernel call. In function system step,
we have already seen, that the exception cause and data are computed by
means of the functions mca nat and edata nat. The precondition repro-
duces this computations and thus establishes a relation to the invocation
context. In particular, it demands that the exception cause signals a trap
instruction without runtime errors. The former corresponds to an active bit
EXCEPT TRAP, the latter is ensured by excluding any active bits in the
mask UEXCEPT MASK. In addition, the trap number trapnr provided as
input has to correspond to the value returned from edata nat.
Postcondition. The effects of the trap handling are described by the post-
condition handleTrappost:
handleTrappost τ σv sV sD =⇒
let datadev = if ωV sV = idleWV then idleSvV else fst (snd (δDint (ωV sV) sD));
sD
′ = if ωV sV = idleWV then sD else fst (δDint (ωV sV) sD);
sV
′ = vamosDispatcher sV datadev
in weakAbsV+D τ svcurrent process False (sV ′, sD ′) ∧ implInv τ sV ′
We distinguish two kinds of traps resp. Vamos calls: those with and those
without device interaction. In the latter case, the Vamos output wV to
the device subsystem is idleWV. Accordingly, the devices remain untouched
and no device data is provided as input to vamosDispatcher which computes
the new abstract Vamos state sV ′. If device interaction is involved, we
first perform the request to the device system. This is done by applying
dDint with the according Vamos output as input. As result, we get the new
state sD ′ of the device system, on the one hand, and the response in form
of device data datadev, on the other one. The latter is provided as input
to vamosDispatcher. Finally, the concrete as well as the abstract states are
related via weakAbsV+D and implInv is preserved.
Note that the virtual machines of the current process do no longer need a
separate handling. The trap is either completely handled and the machines
are in-sync again or the process is waiting in a pending IPC operation.
Correctness. The implementation correctness of dispatch kernel call is
stated with the following theorem.
6.4. Correctness of the Trap Handler 183
Theorem 6.4.5 (Correctness of the Trap Handler) The semantic ef-
fect of function dispatch kernel call is described by the model function va-
mosDispatcher. Furthermore, the execution of dispatch kernel call preserves
the abstraction relation weakAbsV+D and the implementation invariant im-
plInv.
∀σv sV sD.
Γ `t {|σv. handleTrappre σv svi sV sD|} ′res int :== PROC dispatch kernel call( ′i)
{|τ. handleTrappost τ σv sV sD|}
Proof The proof of this function mainly involves a distinction over the var-
ious possible trap numbers. Establishing the preconditions of the particular
functions is the main effort. With these prerequisites in place, we use the
specifications to establish the claim of our theorem.
As an example, we consider the case that the trap number equals 6, i. e.,
the current process triggered the Vamos call set privileges.
The precondition setPrivilegespre claims the abstraction relation and the
implementation invariant as well as the existence of the current process.
All of these properties can directly be derived from the precondition of the
function dispatch kernel call. Furthermore, it claims that the handle hn
to the process (whose privileges should be activated) represents a 32-bit
natural number. As the handle hn is taken out of a virtual machine register
of the current process, this property directly follows from the requirements
for the virtual machines which are part of the implementation invariant
and encapsulated in predicate validVMsv. Finally, we have to show that
the invocation context causes the process output set privileged on the
abstract level. This property states the following lemma:
[[weakAbsV+D σv svcurrent process True (sV, sD); implInv σv sV;
svcurrent process 6= Null;
(mca nat (sV.procs (svpid svcurrent process)) sD
(cvm ups svcvmX).statusreg ∧u
UEXCEPT MASK) =
0;
(mca nat (sV.procs (svpid svcurrent process)) sD
(cvm ups svcvmX).statusreg ∧u
EXCEPT TRAP) 6=
0;
edata nat dsV.procs (svpid svcurrent process)e = 6]]
=⇒ ∃hn. ωproc dsV.procs dv cup sV.scheddsee = set privileged hn
With discharging the precondition setPrivilegespre, we can use the post-
condition setPrivilegespost to establish the claim of the theorem above. The
remaining steps are straightforward and concern the result delivery to the
virtual machine of the current process. Finally, the virtual machines of the
current process are in-sync, again.
In a similar way, we proceed with the remaining Vamos calls. The
theory file vamosDispatchKernelCall proof.thy contains the Hoare triple
184 6. Implementation Correctness
of dispatch kernel call and the functional correctness proof with 2000 steps.
uunionsq
6.5 Correctness of the Vamos Top-level Function
Function dispatcher kernel describes the top-level function of the Vamos
kernel and is invoked by the Cvm framework. This framework also computes
the two input parameters of dispatcher kernel: the exception cause eca and
the corresponding data edata. As the call graph suggests, the Vamos kernel
combines the function representing the initialization, the handling of user-
generated exceptions, the scheduler, and the interrupt delivery. The previous
sections introduced the functions regarding the trap handling and the Va-
mos scheduler and their specifications. In a similar way, we can specify
the remaining functions and use them in the context of the implementation
correctness proof of function dispatcher kernel.
Subsequently, we first define the pre- and postcondition of the Vamos
kernel and state the correctness statement, afterwards.
Precondition. The precondition kdispatchpre encapsulates the require-
ments for the invocation context:
kdispatchpre σv eca edata sV sD ≡
((eca ∧u 1) 6= 0 −→ svcvmX = (init cvmup, sD)) ∧
((eca ∧u 1) = 0 −→
weakAbsV+D σv svcurrent process (v cup sV.schedds 6= ⊥) (sV, sD) ∧
implInv σv sV ∧
eca =
mca nat
(if v cup sV.schedds 6= ⊥ then sV.procs dv cup sV.scheddse else ⊥) sD
(cvm ups svcvmX).statusreg ∧
edata =
(if v cup sV.schedds 6= ⊥ then edata nat dsV.procs dv cup sV.scheddsee
else 0))
Based on eca, it distinguishes two cases. The first case consists of a reset
which is denoted by (eca ∧u 1) 6= 0. In this situation, the precondition solely
claims that the external state component cvmX is initialized as described in
system step.
Apart from the reset case, the precondition requires the abstraction re-
lation weakAbsV+D followed by the implementation invariant implInv. The
former has to cope with differing virtual machines, if a current process ex-
ists, i. e., v cup sV.schedds 6= ⊥. In addition, the input arguments eca and
edata have to fulfill certain requirements which reflect the computations in
the Cvm framework. The exception cause has to correspond to the value
returned by function mca nat whereas data is either 0 (if no process is run-
ning) or the return value of edata nat.
6.5. Correctness of the Vamos Top-level Function 185
Postcondition. As the precondition, the postcondition kdispatchpost also
distinguishes two cases:
kdispatchpost τ σv res eca edata sV sD =⇒
let (sV ′, sD ′) =
if (eca ∧u 1) 6= 0 then (initialConf (getOSimg sD) OS PAGES, sD)
else fst (δV+D ⊥ (sV, sD))
in weakAbsV+D τ tcurrent process False (sV ′, sD ′) ∧
implInv τ sV ′ ∧
v cup sV
′.schedds = (if 1 ≤ res < PID MAX then bresc else ⊥)
The semantic effect of the initialization is described by the abstract state
sV, which is obtained by function initialConf. Function getOSimage delivers
the operating system image by reading it from the harddisk. Parameter
OS PAGES determines the number of memory pages reserved for the OS.
For all other cases, we use function dV+D to specify the resulting abstract
states. The abstract state together with the concrete one satisfy weakAbsV+D
as well as implInv. Finally, kdispatchpost establishes a connection between
the result value res and the current process of sV ′. Later on, this statement
helps to reproduce the correspondence between the current process in the
Cvm framework and the Vamos model.
Recall that the transition function dV+D uses its input parameter to de-
termine whether the kernel or solely the device subsystem (e. g., by receiving
a network package) advance during a transition of the overall system. If this
input is not ⊥, the kernel remains constant. Knowing that the abstraction
relation of the kernel data structures and the one of the device subsystem
are independent, we may consequently disregard changes that are limited to
the device subsystem in the consideration of the kernel refinement. While
we are interested in the kernel-device interaction, we disregard any external
device input from the environment and the according output to it. As a
consequence, this input is fixed at ⊥ in the theorem above. Furthermore,
the transition function dV+D returns a pair of the updated state and the
external output. We are, however, only interested in the updated state and
thus take the first component of this pair, i. e., (sV ′, sD ′) = fst (dV+D ⊥ (sV,
sD)).
Correctness. The implementation correctness of dispatcher kernel is stated
with the following theorem.
Theorem 6.5.1 (Correctness of the Vamos Top-level Function) The
semantic effect of the function dispatcher kernel is described by the transi-
tion function dV+D of the Vamos model. Furthermore, the execution of
dispatcher kernel preservers the abstraction relation weakAbsV+D and the
implementation invariant implInv.
186 6. Implementation Correctness
∀σv sV sD.
Γ `t {|σv. kdispatchpre σv sveca svedata sV sD|}
′res nat :== PROC dispatcher kernel( ′eca, ′edata)
{|τ. kdispatchpost τ σv ′res nat sveca svedata sV sD|}
Proof As illustrated in the sections Section 6.3 and Section 6.4, we use the
abstract model functions to describe the semantic effect of the particular
parts of the Vamos kernel.
Aim of this proof is the combination of these single parts to the overall
transition function dV+D. In doing this, the crux of the matter is to follow
the different case distinctions of the implementation in the model. For this
reason, we have to establish a series of relations. The abstract states are
given, as usual, by sV and sD. Furthermore, we use the following abbrevia-
tions: vmcp denotes the virtual machine of the current process and stat the
value of the status register, such that eca = mca nat vmcp sD stat denotes
the exception cause. Subsequently, we only give the claims of the lemmata.
The complete proofs can be found in mcaLemmata.thy.
1. The implementation uses the bits of mask UEXCEPT MASK in the
status register to determine runtime errors. In the model, the process
output runtime error denotes runtime errors. Thus, if the imple-
mentation recognizes runtime errors, the model as well has to recognize
them:
(eca ∧u UEXCEPT MASK) 6= 0 =⇒ ωasm dvmcpe = runtime error
2. An active bit EXCEPT TRAP in eca signals a trap exception and
causes the invocation of dispatch kernel call. The model, in turn, han-
dles traps with function vamosDispatcher which is called as long as a
current process exists:
(eca ∧u EXCEPT TRAP) 6= 0 =⇒ v cup sV.schedds 6= ⊥
3. Timer interrupts are identified by an active bit DEVICE TIMER BIT
in eca. In contrast, the model utilizes predicate isTimer for this pur-
pose. The following statement establishes a relation between both:
((eca ∧u DEVICE TIMER BIT) 6= 0) = isTimer {x . is int devs single (sD x)}
4. The implementation uses the bitmask UEXT INT MASK to identify
external device interrupts. The model subsumes the external inter-
rupts in the set {x. is int devs single sD} ∩ v mask (v devds sV) −
{DEV TIMER}. The relation is given by:
((eca ∧u UEXT INT MASK) = 0) =
({x . is int devs single (sD x)} ∩ sV.devds.enabled − {DEV TIMER} = {})
6.6. Correctness of a System Step 187
In order to ensure that the implementation and the model serve the
same interrupts, the following relation is estabished:
dmca2ints ecae =
{x . is int devs single (sD x)} ∩ sV.devds.enabled − {DEV TIMER}
These relations enable the model to reproduce the function calls in the
implementation. Combining the particular parts is tedious due to the various
case distinctions but straightforward in the end.
The remaining steps in dispatcher kernel apply to the return value of the
Vamos invocation. It contains the process identifier of the process to be
scheduled next, if any such process exists. Otherwise, the Vamos kernel
returns 0. Establishing the connection between this return value and the
current process identifier v cup in the model, as required in the postcon-
dition, is straightforward Later on, this connection is used to establish the
equivalence between currentp in Cvm and v cup in the Vamos model.
The theory file vamosDispatcherKernel proof.thy contains the Hoare
triple of dispatcher kernel and the functional correctness proof with around
1300 steps. uunionsq
6.6 Correctness of a System Step
Theorem 5.3.1 already introduced the overall correctness statement of a
system step.
Proof The proof of the theorem mainly depends on the correctness state-
ment for the Vamos kernel in Theorem 6.5.1. Comparing pre- and post-
conditions of the functions system step and dispatcher kernel reveals great
analogies. Differences are the abstraction relations and the representation
of the reset case.
As shown in the definition, AbsV+D requires, compared to weakAbsV+D,
the equivalence of the current processes in Cvm and Vamos. This relation
is not needed in the context of the Vamos kernel and simply ignored in
its precondition kdispatchpre. Thus, we just have to deal with the different
representations of the reset case, i. e., on the one hand, the external signal
reset and, on the other hand, the first bit of the exception cause eca.
Looking into the implementation of system step displays that an active
reset entails the setting of values eca to 1 and edata to 0. Thus, on the
level of dispatcher kernel, an active reset is equivalent to (eca ∧u 1) 6= 0.
With the external component cvmX initialized as requested, the precondition
kdispatchpre follows immediately.
Without an active reset signal, the functions mca nat and edata nat
determine the values of eca and edata. Additionally, the running process (if
it exists) is advanced through userstep before the Vamos kernel comes into
188 6. Implementation Correctness
play. Again, deriving the precondition of dispatcher kernel from this context
is rather straightforward. Instead of currentp, the precondition kdispatchpre
determines the current process by means of v cup. The equivalence of both
is given by AbsV+D. Furthermore, the values for eca and edata rely on the
concrete virtual machine of the current process, whereas kdispatchpre uses
the abstract one to recompute the values. Both computations, however,
are consistent because both machines are in-sync before the application of
userstep.
With discharging the precondition of the Vamos kernel, its postcondition
kdispatchpost becomes available. With it, the remaining proof steps apply
to the re-establishing of the equivalence of currentp and v cup. Postcondi-
tion kdispatchpost does not preserve this equivalence but lays the foundation
by relating the current process identifier v cup of the Vamos model with
the result value of function dispatcher kernel. Setting the current process
currentp of Cvm in accordance to this result value establishes the relation
between currentp and v cup as required by AbsV+D.
The theory file kernelStep.thy contains the Hoare triple of system step
and the functional correctness proof with around 300 steps. uunionsq
Chapter 7
Conclusion
This work deals with the Vamos kernel as part of Verisoft’s Academic Sys-
tem. Both the kernel implementation as well as the abstract model are
fully embedded into the complete system. The Vamos kernel runs on the
verified Vamp processor and provides enough functionality to serve as basis
for a simple operating system [15] which, in turn, enables applications for
exchanging and managing signed and encrypted e-mails.
On the abstract level, the Vamos model is also completely integrated
in the model stack. It is directly based on the underlying layers, like Cvm,
and uses definitions from there literally. In a similar way, subsequent mod-
els, such as Coup [25] or Sos [15], literally rely on definitions of Vamos.
However, the seamless integration of both, the implementation and the ab-
stract model of the Vamos kernel, is not the only achievement. In addition,
the Vamos model is used to show the functional correctness of the Vamos
implementation.
It can therefore be stated that the Vamos model represents a general-
purpose kernel model that is not tailor-made for one specific purpose. This
fact contributes significantly to the relevance of the Vamos model and con-
stitutes the fundamental difference between our pervasive approach com-
pared to isolated approaches that only focus on a single layer. In the latter
approaches, the models are usually adapted to the actual verification goal.
If it is the only goal to show that the formal specification precisely describes
the implementation, the specification tends to move closely towards the im-
plementation. If a model is used as fundament of an underlying component
without a proof, there is a likelihood that the model over-abstracts the
actual implementation. Furthermore, regarding one single layer at a time
necessarily leads to self-contained, independent models. When combining
those different layers later on, there is a tremendous proof effort necessary
to establish simulation theorems between the adjacent layers. Our approach
prevents this effort by the specification design.
Establishing a simulation proof between the abstract Vamos model and
189
190 7. Conclusion
the concrete, fairly realistic implementation of the Vamos kernel is a further
achievement and ensures that the model can safely be used in the upper
layers, as it happened with the operating system model of Bogan [15] and
Daum’s proof of the Vamos scheduler fairness [25].
To our knowledge, such a proof based on a model stack of this concrete
level of detail and with such a clean, seamless logical foundation has been
undertaken for the first time.
We believe that our work represents a significant step towards the grand
challenge of “real code verification”, although we compromised in a number
of ways in order to achieve our goal:
• the Vamp is not a “real”, i. e., industrial-strength processor,
• C0 is a typed, simplified fragment of C; this forces to shift more low-
level computations into assembly programs as necessary in a more
powerful C execution model, and
• the Vamos code has been written by the verification engineers them-
selves, and often with an eye on the tool-chain and the verification
task.
Despite these simplifications, which were partly applied for project-prag-
matic reasons, we maintain that our models are still not too far away
from industrial-strength processors, C code and microkernel implementa-
tions such as the PikeOS kernel. Whether it is ever possible to verify system-
level programming code of a substantial size written without any regard to
verification is a fully open question at present.
We would like to argue that the possibility of adapting specifications,
code, and tool-chain to each other simplified the task of achieving our goal.
Besides the obvious foresight that all code was written in C0 and had to
live with the restrictions imposed by our tool-chain, we see the following
(incomplete) list of mutual influences:
• The abstract model uses infinite datatypes to model key entities like
time, processes, etc., while the concrete implementation of these enti-
ties is bound to bit-vector representations of numbers. We ensured the
abstraction relation by using a solely relative notion of time within the
kernel. Furthermore, a capability-like management of process identi-
fiers allows for a conceptually infinite name space of identifiers.
• The fairly simple abstraction scheme between system step and δV+D
required a lot of experimenting within the definition of the abstraction
relation, which has to cope with the fact that parts of the concrete
computations “overtake” their abstract counterparts and vice versa.
• The precise form of the contracts and the invariants in the implementa-
tion certainly needed the consideration on what was actually required
in the proofs at higher levels.
191
It turned out that an obstacle to our work was the lack of early, system-
atic validation of the specification; at the end, we found substantially more
errors there than in the (fairly well-tested) implementation, although some
intricate bugs could only be revealed by the verification. One of the bugs re-
vealed during the verification was a race condition involving the coincidence
of four special cases at the same time: If (a) a process issued an IPC call,
(b) the IPC partner was not yet waiting, and in the same processor cycle,
(c) the timer interrupt was raised, and (d) the timeslice of the process was
used up, then, the process was erroneously re-added to the ready queue.
That bugs are not necessarily revealed during the verification of a single
layer examplifies the following: An earlier version of function system step
did not assure that at least one assembly step of the current process is
executed. That was not a problem regarding the code correctness proof but
breaks the fairness theorem of the Vamos scheduler.
Thus, in conclusion, we point out that there is a fundamental differ-
ence between our pervasive approach and the idea of an isolated verification
focusing at one layer at a time.
Furthermore, we experienced that pervasiveness entails more than just
cumulative verification efforts on several (isolated) layers. In fact, it was
a challenging task to integrate models and proofs into a uniform, coherent
theory.
Establishing the abstract Vamos model took nearly two person years
and comprises about 2.000 lines of code in Isabelle/HOL.
Our kernel implementation (without Cvm) consists of roughly three
thousand lines of C0 code. The functional correctness proof covers around
two thirds of theVamos implementation and comprises approximately 60.000
proof steps. With about 30.000 proof steps, a large portion of these steps
applies to the IPC-relevant parts. Showing the functional correctness of the
Vamos scheduler involves roughly 9.000 proof steps. The remaining steps
were mainly deployed to combine the particular parts of the Vamos ker-
nel and thus to show Theorem 5.3.1. The total effort regarding the code
correctness proofs was around two person years.
Note that the specifications of the not yet proven parts of the Vamos
kernel are completely integrated in our framework and used to show the
overall kernel correctness. The remaining proofs would be time-consuming
(approximately 12 to 15 person months) but clearly follow the same scheme
as the ones that have already been accomplished.
Due to the usage of while-loops in the initialization, we expect some effort
in order to find the corresponding loop-invariants. Once found, however,
the proof will probably be straightforward. Proving the correctness of the
functions process kill und change rights might also be a bit expensive as
they affect pending IPC operations. Nevertheless, we do not see any serious
difficulties because the influences are similar to those, the timer-interrupt
handler has on IPC operations. The main effort regarding the remaining
192 7. Conclusion
functions is to show that the error cases in the implementation correspond
to those in the model. Here again, we see no difficulties.
The formal verification work of this thesis is complete with the exception
of the contracts for the Cvm operations, which have been shown by Tsyban
et al. [40, 73, 75] but on a lower abstraction level than the form used in the
thesis. The missing link is a transfer lemma similar to the one shown by
Alkassar et al. [6].
7.1 Future Work
Additional microkernel features could certainly extend our work. As an ex-
ample, we could introduce multi-threading generalizing the multi-processing
of Vamos. This feature amounts to sharable address spaces (possibly includ-
ing user-level paging) and is primarily an extension of the Cvm framework.
A similar extension is the mapping of device addresses directly into
user memory. This change would abandon the kernel calls dev read and
dev write for device communication, and thus substantially improve the
system performance by reducing both, the size of the kernel and the fre-
quency of kernel calls. Despite these benefits, we complicate the abstract
kernel model with respect to device communication because we need a more
sophisticated detection of device accesses. For that reason, we did not im-
plement this optimization right from the beginning. From our experience
today, however, we do not foresee substantial obstacles in this change.
Following the last two arguments, we could even strive for the direct
memory access (DMA) by devices. Admittedly, this feature requires a more
elaborate reorganization of the abstract kernel models and prevents the clean
isolation of processor and devices.
Another direction of further research is a port of the Cvm framework
to a mass-market processor such as an embedded PowerPC core or to an
optimizing compiler supporting a larger subset of C. In contrast to additional
microkernel features, this change would not necessarily require changes to
the implementation of Vamos (apart from Cvm). Provided that the ported
hardware maintains the same Cvm specification, we could hence draw on
the current proofs of the code correctness.
Chapter 8
Appendix
8.1 Formal Specification of the Vamos Trap Dis-
patcher
As soon as the current instruction of the current process denotes a trap
instruction, the Vamos kernel invokes the trap handler. Each trap instruc-
tion comes with an immediate constant imm and the trap handles realizes a
case distinction over the different values of imm. Based on that, it specifies
the argument passing and converts the register values into the abstract ones
in order to determine the corresponding abstract process output.
Function trap dispatch encapsulates the formal specification of the Va-
mos trap handler. As the formal definition of trap dispatch is quite sub-
stantial, we split its definition up into several parts and present them (as
already done in Section 3.3.3) in form of implications, subsequently.
Creating a new process. The Vamos call process create is associ-
ated with the trap number 1:
current instr sproc = trap 1 =⇒
trap dispatch sproc ≡
let tslreg = sproc.gprs ! 11; prioreg = sproc.gprs ! 12;
saddrreg = sproc.gprs ! 13; lenreg = sproc.gprs ! 14;
pgsreg = sproc.gprs ! 15
in process create (to nat32 tslreg) (reg2prio prioreg)
(build memobj sproc (to nat32 saddrreg) (to nat32 lenreg))
(to nat32 pgsreg)
Register 11 specifies the timeslice for the new process while register 12 de-
termines its priority. The initial memory image is taken from the virtual
memory of the calling process and specified by the start address in regis-
ter 13 and the length in register 14. The number of pages that should be
allocated for the new process is stored in register 15. Based on these reg-
ister values, function trap dispatch determines the corresponding abstract
193
194 8. Appendix
process output.
Cloning a process. The Vamos call process clone is associated with
the trap number 2:
current instr sproc = trap 2 =⇒
trap dispatch sproc ≡ process clone (sproc.gprs ! 11)
Register 11 specifies the handle to the process that should be cloned. Based
on this handle, function trap dispatch determines the corresponding abstract
process output.
Terminating a process. The Vamos call process kill is associated
with the trap number 3:
current instr sproc = trap 3 =⇒
trap dispatch sproc ≡ process kill (sproc.gprs ! 11)
Register 11 specifies the handle to the process that should be terminated.
Based on this handle, function trap dispatch determines the corresponding
abstract process output.
Changing the scheduling parameters of a process. The Vamos call
chg sched params is associated with the trap number 4:
current instr sproc = trap 4 =⇒
trap dispatch sproc ≡
let hnreg = sproc.gprs ! 11; tslreg = sproc.gprs ! 12;
prioreg = sproc.gprs ! 13
in chg sched params hnreg (to nat32 tslreg) (reg2prio prioreg)
Register 11 specifies the handle to the process whose parameters should
be changed. The registers 12 and 13 specify the new timeslice and prior-
ity. Based on these register values, function trap dispatch determines the
corresponding abstract process output.
Setting the privileges of a process. The Vamos call set privileges
is associated with the trap number 6:
current instr sproc = trap 6 =⇒
trap dispatch sproc ≡ set privileged (sproc.gprs ! 11)
Register 11 specifies the handle to the process whose privileges should be set.
Based on this handle, function trap dispatch determines the corresponding
abstract process output.
8.1. Formal Specification of the Vamos Trap Dispatcher 195
Increasing the memory amount of a process. The Vamos call mem-
ory add is associated with the trap number 7:
current instr sproc = trap 7 =⇒
trap dispatch sproc ≡
let hnreg = sproc.gprs ! 11; pgsreg = sproc.gprs ! 12
in memory add hnreg (to nat32 pgsreg)
Register 11 specifies the handle to the process that should get more memory
and register 12 contains the number of the additional memory pages. Based
on these register values, function trap dispatch determines the corresponding
abstract process output.
Decreasing the memory amount of a process. The Vamos call mem-
ory add is associated with the trap number 8:
current instr sproc = trap 8 =⇒
trap dispatch sproc ≡
let hnreg = sproc.gprs ! 11; pgsreg = sproc.gprs ! 12
in memory free hnreg (to nat32 pgsreg)
Register 11 specifies the handle to the process and register 12 contains the
number of the memory pages that should be released. Based on these register
values, function trap dispatch determines the corresponding abstract process
output.
Changing a driver. The Vamos call change driver is associated with
the trap number 9:
current instr sproc = trap 9 =⇒
trap dispatch sproc ≡
let hnreg = sproc.gprs ! 11; intsreg = sproc.gprs ! 12
in change driver hnreg
(reg2ints (if reg2ints intsreg 6= ⊥ then intsreg else ¬s/32 intsreg))
(reg2ints intsreg 6= ⊥)
Register 11 specifies the handle to the corresponding driver and register
12 the interrupts that should be registered or deregistered. Based on these
register values, function trap dispatch determines the corresponding abstract
process output.
Enabling Interrupts. The Vamos call enable interrupts is associ-
ated with the trap number 10:
current instr sproc = trap 10 =⇒
trap dispatch sproc ≡ enable interrupts (reg2ints (sproc.gprs ! 11))
Register 11 specifies the interrupts that should be enabled. Based on this
register value, function trap dispatch determines the corresponding abstract
process output.
196 8. Appendix
Receiving from a process. The Vamos call ipc receive is associated
with the trap number 11:
current instr sproc = trap 11 =⇒
trap dispatch sproc ≡
let shnreg = sproc.gprs ! 11; saddrreg = sproc.gprs ! 15;
lenreg = sproc.gprs ! 16; toreg = sproc.gprs ! 20
in ipc receive shnreg
(build buffer sproc (to nat32 saddrreg) (to nat32 lenreg))
(int2timeout toreg)
Register 11 specifies the handle to the sender. The buffer is determined by
the start address in register 15 and the length in register 16. The timeout
for this operation is stored in register 20. Based on these register values,
function trap dispatch determines the corresponding abstract process out-
put.
Sending to a process. The Vamos call ipc send is associated with the
trap number 12:
current instr sproc = trap 12 =⇒
trap dispatch sproc ≡
let rhnreg = sproc.gprs ! 11; srightsreg = sproc.gprs ! 12;
saddrreg = sproc.gprs ! 13; lenreg = sproc.gprs ! 14;
ahnreg = sproc.gprs ! 17; arightsreg = sproc.gprs ! 18;
toreg = sproc.gprs ! 19
in ipc send rhnreg (num2rights srightsreg)
(build memobj sproc (to nat32 saddrreg) (to nat32 lenreg)) ahnreg
(num2rights arightsreg) (int2timeout toreg)
The handle to the receiver is given in register 11 and register 12 specifies
the rights, the sender wants to grant to the receiver. By means of the start
address in register 13 and the length in register 14, the sender determines
the memory message. If an additional process should be introduced, register
17 contains the corresponding handle and register 18 the associated rights.
Register 19 determines the timeout of the operation. Based on these register
values, function trap dispatch determines the corresponding abstract process
output.
Combined Sending and Receiving. The Vamos call ipc request is
associated with the trap number 15:
current instr sproc = trap 15 =⇒
trap dispatch sproc ≡
let hnrcv = sproc.gprs ! 11; rightssnd = sproc.gprs ! 12;
msgad = sproc.gprs ! 13; msglen = sproc.gprs ! 14;
hnadd = sproc.gprs ! 17; rightsadd = sproc.gprs ! 18;
tosnd = sproc.gprs ! 19; bufad = sproc.gprs ! 15;
8.1. Formal Specification of the Vamos Trap Dispatcher 197
buflen = sproc.gprs ! 16; torcv = sproc.gprs ! 20
in ipc request hnrcv (num2rights rightssnd)
(build memobj sproc (to nat32 msgad) (to nat32 msglen)) hnadd
(num2rights rightsadd) (int2timeout tosnd)
(build buffer sproc (to nat32 bufad) (to nat32 buflen))
(int2timeout torcv)
The combined sending and receiving was already described in Section 3.3.3.
Reading from a device. The Vamos call dev read is associated with
the trap numbers 13 and 19, whereas the former denotes a single read and
the latter a burst read:
current instr sproc = trap 13 ∨ current instr sproc = trap 19 =⇒
trap dispatch sproc ≡
let devreg = sproc.gprs ! 11; portreg = sproc.gprs ! 12;
saddrreg = sproc.gprs ! 13; lenreg = sproc.gprs ! 14
in Let (if current instr sproc = trap 19 then BufLength 1
else build buffer sproc (to nat32 saddrreg) (to nat32 lenreg))
(dev read (reg2devnum devreg) (reg2port portreg))
Register 11 contains the device number and register 12 the corresponding
port number. The buffer which is specified by the start address in register
13 and the length in register 14 is only required in the context of a burst
read. Based on these register values, function trap dispatch determines the
corresponding abstract process output.
Writing to a device. The Vamos call dev write is associated with the
trap numbers 14 and 20, whereas the former denotes a single write and the
latter a burst write:
current instr sproc = trap 14 ∨ current instr sproc = trap 20 =⇒
trap dispatch sproc ≡
let devreg = sproc.gprs ! 11; portreg = sproc.gprs ! 12;
saddrreg = sproc.gprs ! 13; lenreg = sproc.gprs ! 14
in Let (if current instr sproc = trap 20 then MObjSeq [sproc.gprs ! 13]
else build memobj sproc (to nat32 saddrreg) (to nat32 lenreg))
(dev write (reg2devnum devreg) (reg2port portreg))
Register 11 contains the device number and register 12 the corresponding
port number. The message which is specified by the start address in register
13 and the length in register 14 is only relevant in case of a burst write.
Otherwise, only the data at the start address is written to the device. Based
on these register values, function trap dispatch determines the corresponding
abstract process output.
Changing IPC rights. The Vamos call change rights is associated
with the trap number 16:
198 8. Appendix
current instr sproc = trap 16 =⇒
trap dispatch sproc ≡
let subj hnreg = sproc.gprs ! 11; obj hnreg = sproc.gprs ! 12;
rightsreg = sproc.gprs ! 13
in change rights subj hnreg obj hnreg (rightsreg ≤ 15)
(num2rights (if rightsreg ≤ 15 then rightsreg else ¬s/32 rightsreg))
Register 11 contains the handle to the subject, whereas register 12 contains
the handle to the object. The rights are specified in register 13. Based on
these register values, function trap dispatch determines the corresponding
abstract process output.
Reading Kernel Information. The Vamos call change rights is as-
sociated with the trap number 17:
current instr sproc = trap 17 =⇒
trap dispatch sproc ≡ read kernel info (int2kinfo (sproc.gprs ! 11))
Register 11 specifies the type of kernel notifications. Based on this type,
function trap dispatch determines the corresponding abstract process out-
put.
Undefined Traps. A trap number imm is considered as undefined, if it
fulfills the predicate undefined trapnr:
undefined trapnr imm ≡
imm /∈ {1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20}
The specification of an undefined trap number leads to the process output
undefined trap which is reflected in the following implication:
[[current instr sproc = trap i; undefined trapnr i]]
=⇒ trap dispatch sproc = undefined trap
Bibliography
[1] Alkassar, E., Hillebrand, M., Knapp, S., Rusev, R., Tverdyshev, S.:
Formal device and programming model for a serial interface. In:
B. Beckert (ed.) Proceedings, 4th International Verification Work-
shop (VERIFY), Bremen, Germany, pp. 4–20. CEUR-WS Workshop
Proceedings (2007). URL http://www-wjp.cs.uni-saarland.de/
publikationen/Alkassar_AHK-.pdf
[2] Alkassar, E., Hillebrand, M.A.: Formal functional verification of device
drivers. In: J. Woodcock, N. Shankar (eds.) Verified Software: Theories,
Tools, and Experiments, LNCS, vol. 5295, pp. 225–239. Springer (2008)
[3] Alkassar, E., Hillebrand, M.A., Leinenbach, D., Schirmer, N.W.,
Starostin, A.: The Verisoft approach to systems verification. In:
N. Shankar, J. Woodcock (eds.) Verified Software: Theories, Tools,
and Experiments, LNCS, vol. 5295, pp. 209–224. Springer (2008)
[4] Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W.,
Starostin, A., Tsyban, A.: Balancing the load – leveraging a seman-
tics stack for systems verification. J. Autom. Reasoning, Special Issue
on Operating System Verification (2009). To appear in this volume.
[5] Alkassar, E., Hillebrand, M.A., Paul, W., Petrova, E.: Automated ver-
ification of a small hypervisor. In: P. O’Hearn, G.T. Leavens, S. Raja-
mani (eds.) Verified Software: Theories, Tools, Experiments (VSTTE
2010), Lecture Notes in Computer Science. Springer, Edinburgh, UK
(2010). To appear.
[6] Alkassar, E., Schirmer, N., Starostin, A.: Formal pervasive verification
of a paging mechanism. In: TACAS, LNCS, vol. 4963, pp. 109–123.
Springer (2008)
[7] Baumann, C., Beckert, B., Blasum, H., Bormer, T.: Better avionics
software reliability by code verification – A glance at code verification
methodology in the Verisoft XT project. In: Embedded World 2009
Conference. Franzis Verlag, Nuremberg, Germany (2009). URL http:
//www.uni-koblenz.de/~beckert/pub/embeddedworld2009.pdf. To
appear.
199
200 BIBLIOGRAPHY
[8] Baumann, C., Beckert, B., Blasum, H., Bormer, T.: Formal verification
of a microkernel used in dependable software systems. In: B. Buth,
G. Rabe, T. Seyfarth (eds.) Computer Safety, Reliability, and Security
(SAFECOMP 2009), Lecture Notes in Computer Science, vol. 5775, pp.
187–200. Springer, Hamburg, Germany (2009). URL http://www.uni-
koblenz.de/~beckert/pub/safecomp2009.pdf
[9] Beckert, B., Beuster, G.: Formal specification of security-relevant prop-
erties of user interfaces. In: Proceedings, 3rd International Work-
shop on Critical Systems Development with UML, pp. 139–146. Lisbon,
Portugal (2004). URL http://wwwbib.informatik.tu-muenchen.de/
infberichte/2004/TUM-I0415.pdf. TU Munich Technical Report
TUM-I0415
[10] Beuster, G., Henrich, N., Wagner, M.: Real world verification
– Experiences from the Verisoft email client. In: G. Sutcliffe,
R. Schmidt, S. Schulz (eds.) Proceedings of the FLoC’06 Work-
shop on Empirically Successful Computerized Reasoning (ESCoR
2006), CEUR Workshop Proceedings, vol. 192, pp. 112–125. CEUR-
WS.org (2006). URL http://ftp.informatik.rwth-aachen.de/
Publications/CEUR-WS/Vol-192/paper08.pdf
[11] Bevier, W.R.: Kit and the short stack. J. Autom. Reasoning 5(4),
519–530 (1989)
[12] Bevier, W.R., Hunt, Jr., W.A., Moore, J.S., Young, W.D.: An approach
to systems verification. J. Autom. Reasoning 5(4), 411–428 (1989)
[13] Beyer, S., Jacobi, C., Kro¨ning, D., Leinenbach, D., Paul, W.: Instan-
tiating uninterpreted functional units and memory system: functional
verification of the vamp. In: D. Geist, E. Tronci (eds.) CHARME
2003, LNCS, vol. 2860, pp. 51–65. Springer (2003). URL http://www-
wjp.cs.uni-saarland.de/publikationen/BJKLP03.pdf
[14] Beyer, S., Jacobi, C., Kro¨ning, D., Leinenbach, D., Paul, W.J.: Putting
it all together: Formal verification of the VAMP. STTT 8(4-5), 411–430
(2006)
[15] Bogan, S.: Formal specification of a simple operating system. Ph.D.
thesis, Saarland University, Saarbru¨cken (2008). URL http://www-
wjp.cs.uni-saarland.de/publikationen/Bog08.pdf
[16] Bo¨hme, S., Leino, K.R.M., Wolff, B.: HOL-Boogie—An interactive
prover for the Boogie program-verifier
[17] Bo¨hme, S., Moskal, M., Schulte, W., Wolff, B.: HOL-Boogie — An
interactive prover-backend for the Verifying C Compiler. Journal of
BIBLIOGRAPHY 201
Automated Reasoning 44(1–2), 111–144 (2010). DOI http://dx.doi.
org/10.1007/s10817-009-9142-9
[18] Boyton, A.: A verified shared capability model. In: G. Klein, R. Huuck,
B. Schlich (eds.) Proceedings of the 4th Workshop on Systems Software
Verification, Electronic Notes in Computer Science, vol. 254, pp. 25–44.
Elsevier, Aachen, Germany (2009)
[19] Chebiryak, Y.: Formal specification and verification of functions of
vamos scheduler. Master thesis, Saarland University (2005)
[20] Cohen, E., Alkassar, E., Boyarinov, V., Dahlweid, M., Degenbaev, U.,
Hillebrand, M., Langenstein, B., Leinenbach, D., Moskal, M., Obua,
S., Paul, W., Pentchev, H., Petrova, E., Santen, T., Schirmer, N.,
Schmaltz, S., Schulte, W., Shadrin, A., Tobies, S., Tsyban, A., Tverdy-
shev, S.: Invariants, modularity, and rights. In: Perspectives of Systems
Informatics (PSI 2009), Lecture Notes in Computer Science. Springer
(2009). Invited paper, to appear.
[21] Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M.,
Santen, T., Schulte, W., Tobies, S.: VCC: A practical system for veri-
fying concurrent C. In: S. Berghofer, T. Nipkow, C. Urban, M. Wenzel
(eds.) Theorem Proving in Higher Order Logics (TPHOLs 2009), Lec-
ture Notes in Computer Science, vol. 5674, pp. 23–42. Springer, Munich,
Germany (2009). Invited paper.
[22] Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet effi-
cient memory model for C (2008). Availabe via http://research.
microsoft.com/apps/pubs/default.aspx?id=77174
[23] Cohen, E., Moskal, M., Schulte, W., Tobies, S.: Local verification
of global invariants in concurrent programs. In: B. Cook, P. Jack-
son, T. Touili (eds.) Computer Aided Verification (CAV 2010), Lecture
Notes in Computer Science. Springer, Edinburgh, UK (2010). To ap-
pear.
[24] Dalinger, I., Hillebrand, M., Paul, W.: On the verification of mem-
ory management mechanisms. In: D. Borrione, W. Paul (eds.)
CHARME 2005, LNCS. Springer (2005). URL http://www-wjp.cs.
uni-saarland.de/publikationen/DHP05.pdf
[25] Daum, M.: On the formal foundation of a verification approach for
system-level concurrent programs. Ph.D. thesis, Saarland University,
Computer Science Department (2010)
[26] Daum, M., Do¨rrenba¨cher, J., Bogan, S.: Model stack for the per-
vasive verification of a microkernel-based operating system. In:
202 BIBLIOGRAPHY
B. Beckert, G. Klein (eds.) 5th International Verification Workshop
(VERIFY’08), CEUR Workshop Proceedings, vol. 372, pp. 56–70.
CEUR-WS.org (2008). URL http://www-wjp.cs.uni-saarland.de/
publikationen/DaumDB-VERIFY08-.pdf
[27] Daum, M., Do¨rrenba¨cher, J., Wolff, B.: Proving fairness and im-
plementation correctness of a microkernel scheduler. Journal of Au-
tomated Reasoning: Special Issue on Operating System Verification
42, Numbers 2-4, 349–388 (2009). URL http://www-wjp.cs.uni-
saarland.de/publikationen/DaumDW-jarosv08.pdf
[28] Daum, M., Do¨rrenba¨cher, J., Wolff, B., Schmidt, M.: A verification
approach for system-level concurrent programs. In: J. Woodcock,
N. Shankar (eds.) Verified Software: Theories, Tools, and Experiments,
LNCS, vol. 5295, pp. 161–176. Springer (2008)
[29] Daum, M., Schirmer, N.W., Schmidt, M.: Implementation correctness
of a real-time operating system. In: 7th IEEE International Conference
on Software Engineering and Formal Methods (SEFM 2009), 23–27
November 2009, Hanoi, Vietnam, pp. 23–32. IEEE (2009)
[30] Elkaduwe, D., Klein, G., Elphinstone, K.: Verified protection model of
the seL4 microkernel. In: J. Woodcock, N. Shankar (eds.) Proceedings
of Verified Software: Theories, Tools and Experiments 2008, Lecture
Notes in Computer Science, vol. 5295, pp. 99–114. Springer, Toronto,
Canada (2008)
[31] Endrawaty: Verification of the Fiasco IPC implementation. Master’s
thesis, Dresden University of Technology (2005)
[32] Engler, D.R., Kaashoek, M.F., O’Toole, J.: Exokernel: An operat-
ing system architecture for application-level resource management. In:
SOSP, pp. 251–266. ACM (1995)
[33] Fleisch, B.D., Co, M.A.A.: Workplace microkernel and OS: a case
study. Softw. Pract. Exper. 28(6), 569–591 (1998)
[34] Gargano, M., Hillebrand, M., Leinenbach, D., Paul, W.: On the cor-
rectness of operating system kernels. In: J. Hurd, T.F. Melham (eds.)
TPHOLs 2005, LNCS, vol. 3603, pp. 1–16. Springer (2005). URL
http://www-wjp.cs.uni-sb.de/publikationen/GHLP05.pdf
[35] Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards
trustworthy computing systems: taking microkernels to the next level.
Operating Systems Review 41(4), 3–11 (2007)
BIBLIOGRAPHY 203
[36] Heitmeyer, C., Archer, M., Leonard, E., McLean, J.: Applying for-
mal methods to a certifiably secure software system. IEEE Trans-
actions on Software Engineering 34, 82–98 (2008). DOI http://doi.
ieeecomputersociety.org/10.1109/TSE.2007.70772
[37] Heitmeyer, C.L., Archer, M., Leonard, E.I., Mclean, J.: Formal specifi-
cation and verification of data separation in a separation kernel for an
embedded system. In: In CCS, pp. 346–355. ACM (2006)
[38] Hennessy, J.L., Patterson, D.A.: Computer Architecture: A Quantita-
tive Approach, 2nd Edition. Morgan Kaufmann (1996)
[39] Hohmuth, M., Tews, H., Stephens, S.G.: Applying source-code ver-
ification to a microkernel: the VFiasco project. In: ACM SIGOPS
European Workshop, pp. 165–169. ACM (2002). DOI http://doi.acm.
org/10.1145/1133373.1133405
[40] In der Rieden, T., Tsyban, A.: CVM – a verified framework for micro-
kernel programmers. In: Systems Software Verification, ENTCS, vol.
217, pp. 151–168. Elsevier Science B.V. (2008)
[41] Kaiser, R.: Combining partitioning and virtualization for safety-critical
systems. White Paper WP CPV 10 A4 R10, SYSGO AG (2007). Avail-
abe via http://www.sysgo.com/news-events/whitepapers/
[42] Klein, G.: Correct OS kernel? proof? done! USENIX ;login: 34(6),
28–34 (2009)
[43] Klein, G.: Operating system verification — an overview. Sa¯dhana¯
34(1), 27–69 (2009)
[44] Klein, G., Andronick, J., Elphinstone, K., Heiser, G., Cock, D., Derrin,
P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell,
T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel.
Communications of the ACM 53(6), 107–115 (2010)
[45] Langenstein, B., Nonnengart, A., Rock, G., Stephan, W.: A history-
based verification of distributed applications. In: B. Beckert (ed.)
Proceedings, 4th International Verification Workshop (VERIFY), Bre-
men, Germany, CEUR Workshop Proceedings, vol. 259, pp. 70–84.
CEUR-WS.org (2007). URL http://ftp.informatik.rwth-aachen.
de/Publications/CEUR-WS/Vol-259/paper08.pdf
[46] Langenstein, B., Nonnengart, A., Rock, G., Stephan, W.: Verification
of distributed applications. In: F. Saglietti, N. Oster (eds.) Computer
Safety, Reliability, and Security, 26th International Conference, SAFE-
COMP 2007, Nuremberg, Germany, September 18–21, 2007, Lecture
Notes in Computer Science, vol. 4680, pp. 315–328. Springer (2007)
204 BIBLIOGRAPHY
[47] Lassmann, G., Rock, G., Schwan, M., Cheikhrouhou, L.: Verisoft secure
biometric identification system. URL http://www.informatik.hu-
berlin.de/forschung/gebiete/algorithmenII/Publikationen/
Papers/Verisoft.pdf. T-Systems International University Confer-
ence, Du¨sseldorf, 10.-11. October 2005
[48] Leinenbach, D.: Compiler verification in the context of pervasive system
verification. Ph.D. thesis, Saarland University (2008). URL http:
//www-wjp.cs.uni-sb.de/publikationen/Lei08.pdf
[49] Leinenbach, D., Paul, W.J., Petrova, E.: Towards the formal verifica-
tion of a C0 compiler: Code generation and implementation correctness.
In: SEFM, pp. 2–12. IEEE Computer Society (2005)
[50] Leinenbach, D., Petrova, E.: Pervasive compiler verification: From ver-
ified programs to verified systems. In: Systems Software Verification,
ENTCS, vol. 217, pp. 23–40. Elsevier Science B.V. (2008)
[51] Liedtke, J.: Improving IPC by kernel design. In: SOSP, pp. 175–188.
ACM (1993)
[52] Liedtke, J.: On µ-kernel construction. In: SOSP, pp. 237–250. ACM
(1995)
[53] Liedtke, J.: Towards real microkernels. Commun. ACM 39(9), 70–77
(1996)
[54] Martin, W., White, P., Taylor, F.S., Goldberg, A.: Formal construc-
tion of the mathematically analyzed separation kernel. In: ASE ’00:
Proceedings of the 15th IEEE international conference on Automated
software engineering, p. 133. IEEE Computer Society, Washington, DC,
USA (2000)
[55] Moore, J.S.: A grand challenge proposal for formal methods: A verified
stack. In: 10th Anniversary Colloquium of UNU/IIST, pp. 161–172.
Springer (2002)
[56] Moura, L.D., Bjørner, N.: Z3: An efficient smt solver. In: In Conference
on Tools and Algorithms for the Construction and Analysis of Systems
(TACAS (2008)
[57] Mu¨ller, S., Paul, W.: Computer Architecture, Complexity and Correct-
ness. Springer Verlag (2000)
[58] Neumann, P.G., Feiertag, R.J.: PSOS revisited. In: ACSAC, pp. 208–
216. IEEE Computer Society (2003)
[59] Nguiekom, V.: Verifikation von doppelt verketteten listen auf point-
erebene. Master’s thesis, Saarland University (2005)
BIBLIOGRAPHY 205
[60] Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code:
Machine context management. In: TPHOLs, LNCS, vol. 4732, pp.
189–206. Springer (2007)
[61] Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assis-
tant for Higher-Order Logic, LNCS, vol. 2283. Springer (2002)
[62] Paulson, L.C.: Isabelle: A Generic Theorem Prover. Springer (1994).
LNCS 828
[63] Petrova, E.: Verification of the C0 compiler implementation on the
source code level. Ph.D. thesis, Saarland University (2007)
[64] Rashid, R., Avadis Tevanin, J., Young, M., Golub, D., Baron, R.:
Machine-independent virtual memory management for paged unipro-
cessor and multiprocessor architectures. IEEE Trans. Comput. 37(8),
896–908 (1988)
[65] In der Rieden, T.: Verified linking for modular kernel verification. Ph.D.
thesis, Saarland University, Saarbru¨cken (2009). URL http://www-
wjp.cs.uni-sb.de/publikationen/Idr09.pdf
[66] Samman, T.: Verifying 50,000 lines of C code. Futures, Microsoft’s
European Innovation Magazine 21 (2008)
[67] Schierboom, E.: Verification of Fiasco’s IPC implementation. Master’s
thesis, Radboud Universiteit Nijmegen (2007)
[68] Schirmer, N.: A verification environment for sequential imperative pro-
grams in Isabelle/HOL. In: LPAR, LNCS, pp. 398–414. Springer
(2005). URL http://isabelle.in.tum.de/~schirmer/pub/hoare-
lpar04.html
[69] Schirmer, N.: Verification of sequential imperative programs in Is-
abelle/HOL. Ph.D. thesis, TU Munich (2006)
[70] Shapiro, J., Doerrie, M.S., Northup, E., Sridhar, S., Miller, M.: To-
wards a verified, general-purpose operating system kernel. In: FM
Workshop on OS Verification, Tech. Rep. 0401005T-1, pp. 1–19. Na-
tional ICT Australia (2004). URL http://www.coyotos.org/docs/
osverify-2004/osverify-2004.pdf
[71] Starostin, A.: Formal verification of a c-library for strings. Master’s
thesis, Saarland University (2006). URL http://www-wjp.cs.uni-
saarland.de/publikationen/St06.pdf
[72] Starostin, A.: Formal verification of demand paging. Ph.D. thesis,
Saarland University, Saarbru¨cken (2010). URL http://www-wjp.cs.
uni-saarland.de/publikationen/St10.pdf
206 BIBLIOGRAPHY
[73] Starostin, A., Tsyban, A.: Correct microkernel primitives. In: Systems
Software Verification, ENTCS, vol. 217, pp. 169–185. Elsevier Science
B.V. (2008)
[74] Starostin, A., Tsyban, A.: Verified process-context switch for c-
programmed kernels. In: N. Shankar, J. Woodcock (eds.) 2nd IFIP
Working Conference on Verified Software: Theories, Tools, and Exper-
iments (VSTTE’08), LNCS, vol. 5295, pp. 240–254. Springer (2008)
[75] Starostin, A., Tsyban, A.: Verified process-context switch for C-
programmed kernels. In: N. Shankar, J. Woodcock (eds.) Verified Soft-
ware: Theories, Tools, and Experiments, LNCS, vol. 5295, pp. 240–254.
Springer (2008)
[76] Tsyban, A.: Cvm - a verified framework for microkernel programmers.
Ph.D. thesis, Saarland University, Saarbru¨cken (2009)
[77] Tverdyshev, S.: Formal verification of gate-level computer sys-
tems. Ph.D. thesis, Saarland University, Computer Science De-
partment (2009). URL http://www-wjp.cs.uni-saarland.de/
publikationen/Tv09.pdf
[78] Verisoft Project: Verisoft repository (2010). URL http://www.
verisoft.de/VerisoftRepository.html
[79] Walker, B.J., Kemmerer, R.A., Popek, G.J.: Specification and verifica-
tion of the ucla unix security kernel. Commun. ACM 23(2), 118–131
(1980). DOI http://doi.acm.org/10.1145/358818.358825
