## Formal Specification and Verification of a Microkernel



#### Dissertation

zur Erlangung des Grades des Doktors der Ingenieurwissenschaften (Dr.-Ing.) der Naturwissenschaftlich-Technischen Fakultäten der Universität des Saarlandes

Jan Dörrenbächer

jandb@wjpserver.cs.uni-saarland.de

Saarbrücken, November 2010

Tag des Kolloquiums: 23.11.2010

Dekan: Prof. Dr. Holger Hermanns

Vorsitzender des Prüfungsausschusses: Prof. Dr.-Ing. Philipp Slusallek

Berichterstatter: Prof. Dr. Wolfgang J. Paul
 Berichterstatter: Prof. Dr. Bernhard Beckert
 Berichterstatter: PD Dr. Werner Stephan

akademischer Mitarbeiter: Dr. Eyad Alkassar

### Eidesstattliche Versicherung

Hiermit versichere ich an Eides statt, dass ich die vorliegende Arbeit selbstständig und ohne Benutzung anderer als der angegebenen Hilfsmittel angefertigt habe. Die aus anderen Quellen oder indirekt übernommenen Daten und Konzepte sind unter Angabe der Quelle gekennzeichnet. Die Arbeit wurde bisher weder im In- noch im Ausland in gleicher oder ähnlicher Form in einem Verfahren zur Erlangung eines akademischen Grades vorgelegt.

Saarbrücken, November 2010

#### Danksagung

Ich möchte mich an dieser Stelle bei allen bedanken, die zum Gelingen dieser Arbeit beigetragen haben.

An erster Stelle gilt dieser Dank meiner Familie, deren Unterstützung ich mir immer sicher sein konnte und die mir stets mit Rat und Tat zur Seite stand.

Herrn Prof. Wolfgang Paul danke ich für die Möglichkeit zur Promotion und für die wissenschaftliche Betreuung der Arbeit.

Ein großer Dank geht an meine Kollegen für die interessanten und fruchtbaren, manchmal aber auch anstrengenden Diskussionen, die zum Gelingen dieser Arbeit von unschätzbarem Wert waren. Im Besonderen Eyad Alkassar, Sebastian Bogan, Matthias Daum, Mark Hillebrand, Norbert Schirmer und Burkhardt Wolff. Insgesamt möchte ich mich bei allen Mitarbeitern am Lehrstuhl Paul für die gute Arbeits- und Feierabendatmosphäre bedanken.

Nicht zuletzt möchte ich mich bei meinen Freunden bedanken, die mich nicht nur tatkräftig unterstützt haben, sondern mich stets aufbauten und für die erforderliche Abwechslung sorgten.

Diese Arbeit wurde teilweise im Rahmen des Verisoft Projekts vom Bundesministerium für Bildung und Forschung (BMBF) unter dem Förderkennzeichen 01 IS C38 gefördert.

This work has been partially funded by the German Federal Ministry of Education and Research (BMBF) in the framework of the Verisoft project under grant 01 IS C38.

#### Abstract

This thesis basically splits up into two parts. The first part introduces the abstract model of the VAMOS kernel. The VAMOS kernel provides the infrastructure for process and memory management, priority-based round-robin scheduling, communication with external devices, as well as inter-process communication. In the second part, we formulate a simulation theorem between the abstract VAMOS model and the concrete VAMOS implementation. The crucial points of the theorem are, on the one hand, the abstraction relation connecting the datastructures of the implementation with those of the model and, on the other hand, the implementation invariant formulating validity statements on the datastructures. Besides the exact formal definitions of the abstraction relation and the implementation invariant, we prove substantial parts of the simulation theorem.

This work is part of the Verisoft project which aims at the pervasive formal verification of computer systems. For the modelling and the verification of the VAMOS kernel this entails the integration of various computational models, for instance, *Communicating Virtual Machines* (CVM) encapsulating the hardware-specific low-level functionality, and devices.

The models and proofs presented in this thesis are formalized in the uniform logical framework of the interactive theorem prover Isabelle/HOL, and hence, it is rigorously checked that all verification results fit together.

### Zusammenfassung

Die vorliegende Arbeit teilt sich im Wesentlichen in zwei Teile auf. Im ersten Teil wird das abstrakte Modell des VAMOS-Kernels vorgestellt. Der VAMOS-Kernel liefert die Infrastruktur für Prozess- und Speicherverwaltung, prioritäts-basiertes Round-Robin-Scheduling, Kommunikation mit externen Geräten, sowie Interprozesskommunikation. Im zweiten Teil der Arbeit formulieren wir ein Simulationstheorem zwischen dem abstrakten VAMOS-Modell und der konkreten VAMOS-Implementierung. Kernpunkte dieses Theorems sind zum einen die Abstraktionsrelation, die die Datenstrukturen der Implementierung mit denen des Modells in Beziehung setzt und zum anderen die Implementierungsinvariante, die Gültigkeitsaussagen über die Datenstrukturen trifft. Neben den exakten Definitionen der Abstraktionsrelation und der Implementierungsinvariante, werden wesentliche Teile dieses Simulationstheorems bewiesen.

Die Arbeit wurde im Rahmen des Verisoft Projekts angefertigt, das die durchgängige formale Verifikation von Computersystemen zum Ziel hat. Für die Modellierung und Verifikation des VAMOS-Kernels hat dies zur Folge, dass diverse Berechnungsmodelle integriert werden müssen, unter anderem das Gerätemodell und Communicating Virtual Machines (CVM), das die

hardwarespezifische und systemnahe Funktionalität kapselt.

Alle Modelle und Beweise, die in dieser Arbeit vorgestellt werden, sind in dem interaktiven Theorembeweiser Isabelle/HOL formalisiert worden, womit sichergestellt ist, dass alle Ergebnisse der Verifikation zusammenpassen.

#### Ausführliche Zusammenfassung

Die zunehmende Komplexität und Vernetzung heutiger Computersysteme stellt immer höhere Anforderungen an die Verlässlichkeit und Fehlerfreiheit der Systeme und ihrer Komponenten. Der sicherste Ansatz, um schon beim Systementwurf konzeptionelle und menschliche Unzulänglichkeiten auszumerzen, stellt die durchgängige formale Verifikation dar.

Das Verisoft Projekt, in dessen Rahmen diese Arbeit entstanden ist, verfolgt genau diesen Ansatz. Zu diesem Zweck wird jede einzelne Schicht des betrachteten Systems durch ein mathematisches Modell beschrieben. Durch sogenannte Simulationsbeweise wird bewiesen, dass die jeweiligen Schichten tatsächlich diesen Modellen genügen. Durchgängigkeit bedeutet, dass zum Schluss eine Korrektheitsaussage über das Gesamtsystem steht, die alle Schichten einbezieht, wobei Annahmen in höheren Schichten durch die darunterliegenden entlastet werden. Dadurch, dass alle Beweise durch einen Computer überprüft werden, sprechen wir von formaler Verifikation.

Betriebssysteme gehören unzweifelhaft zu den essentiellen Komponenten von Computersystemen und tragen somit wesentlich zur Verlässlichkeit der Gesamtsysteme bei.

In dieser Arbeit beschreiben wir die Modellierung und formale Verifikation des Betriebssystemkernels VAMOS in einem durchgängigen Kontext. Die Funktionalität des VAMOS-Kernels umfasst Prozess- und Speicherverwaltung, prioritäts-basiertes Round-Robin-Scheduling, Kommunikation mit externen Geräten, sowie Interprozesskommunikation. Ein mathematisches Modell liefert die Spezifikation des Kernels. Dass die VAMOS-Implementierung tatsächlich diesem Modell genügt wird duch einen Simulationsbeweis gezeigt. Um die Datenstrukturen der Implementierung mit denen des Modells in Beziehung zu setzen, definieren wir eine Abstraktionsrelation. Desweiteren definieren eine Implementierungsinvariante, die Gültigkeitsaussagen über die Datenstrukturen trifft. Basierend darauf werden wesentliche Teile des Simulationstheorems bewiesen.

Die Tatsache, dass das VAMOS-Modell eine gültige Spezifikation des VAMOS-Kernels darstellt, liefert die Grundlage dafür, dass das Modell verlässlich in höheren Schichten benutzt werden kann. So werden zum Beispiel Definitionen des VAMOS-Modells direkt von Bogan [15] benutzt, um ein einfaches Betriebssystem zu spezifizieren. Desweiteren wird in [25] der Beweis erbracht, dass der VAMOS Scheduler fair ist.

Zusammengefasst umfasst die Arbeit drei Teile. Im ersten Teil beschreiben wir allgemein den Ansatz zur durchgängigen formalen Verifikation im Verisoft Projekt. Desweiteren führen wir die Berechnungsmodelle ein, die in das Vamos-Modell integriert werden. Unter anderem ein generisches Modell für externe Geräte und *Communicating Virtual Machines* (CVM), das die hardwarespezifische und systemnahe Funktionalität kapselt.

Im zweiten Teil definieren wir das Vamos-Modell als Übergangssystem, das die Basis für den Simulationsbeweis darstellt, mit dem wir uns im dritten Teil dieser Arbeit beschäftigen.

Alle Modelle und Beweise, die in dieser Arbeit vorgestellt werden, sind in dem interaktiven Theorembeweiser Isabelle/HOL formalisiert worden, womit sichergestellt ist, dass alle Ergebnisse der Verifikation zusammenpassen.

## Contents

| 1 | Intr | oduction                               | 19 |
|---|------|----------------------------------------|----|
|   | 1.1  | Document Outline                       | 20 |
|   | 1.2  | Related Work                           | 21 |
|   | 1.3  | Motivation and Contribution            | 25 |
|   | 1.4  |                                        | 27 |
| 2 | Bac  | kground                                | 29 |
|   | 2.1  | The Academic System: Software Stack    | 30 |
|   | 2.2  | The Academic System: Semantic Stack    | 31 |
|   |      | 2.2.1 The Language C0                  | 32 |
|   |      | 2.2.2 The Vamp Assembly Language       | 33 |
|   |      |                                        | 35 |
|   | 2.3  | Devices                                | 38 |
|   | 2.4  | Communicating Virtual Machines         | 39 |
|   |      | 2.4.1 CVM State                        | 40 |
|   |      | 2.4.2 CVM Transitions                  | 41 |
|   |      | 2.4.3 CVM Primitives                   | 42 |
|   |      | 2.4.4 CVM in Isabelle/Simpl            | 42 |
|   | 2.5  | ·                                      | 43 |
|   |      |                                        | 45 |
|   |      |                                        | 50 |
| 3 | The  | Abstract System Layer                  | 57 |
|   | 3.1  | The Overall System - A Bird's Eye View | 57 |
|   | 3.2  | Abstract Types                         | 59 |
|   | 3.3  | The VAMP Assembly Process Model        | 61 |
|   |      | 3.3.1 Process Initialization           | 62 |
|   |      |                                        | 62 |
|   |      |                                        | 65 |
|   |      |                                        | 69 |

| 4 | The | Vamo    | os Model                                             | 73  |
|---|-----|---------|------------------------------------------------------|-----|
|   | 4.1 | The $V$ | VAMOS State Space                                    | 73  |
|   |     | 4.1.1   | Virtual User Machines                                | 74  |
|   |     | 4.1.2   | Priorities                                           | 75  |
|   |     | 4.1.3   | Scheduling Data Structures                           | 75  |
|   |     | 4.1.4   | Rights Datastructures                                | 77  |
|   |     | 4.1.5   | Send Status Database                                 | 78  |
|   |     | 4.1.6   | Device Data Structures                               | 79  |
|   |     | 4.1.7   | Initial Vamos States                                 | 79  |
|   | 4.2 |         | Output Function                                      | 81  |
|   | 4.3 |         | Transition Function                                  | 82  |
|   | 4.4 | Vamo    | os Trap Handler                                      | 82  |
|   |     | 4.4.1   | Access Control                                       | 84  |
|   |     | 4.4.2   | Memory Management                                    | 85  |
|   |     | 4.4.3   | Process Management                                   | 90  |
|   |     | 4.4.4   | Scheduling Mechanism                                 | 100 |
|   |     | 4.4.5   | Device Driver Support                                | 101 |
|   |     | 4.4.6   | Inter-Process Communication                          | 105 |
|   |     | 4.4.7   | Read Kernel Information                              | 128 |
|   | 4.5 | Vamo    | os Scheduler                                         | 128 |
|   | 4.6 | VAMO    | os Interrupt Delivery                                | 131 |
| 5 | Van | nos Co  | orrectness                                           | 133 |
|   | 5.1 | Data .  | Abstraction                                          | 134 |
|   |     | 5.1.1   | Abstracting the User Processes                       | 135 |
|   |     | 5.1.2   | Abstracting the Scheduling Datastructures            | 136 |
|   |     | 5.1.3   | Abstracting the Priorities                           | 137 |
|   |     | 5.1.4   | Abstracting the Send Status Database                 | 138 |
|   |     | 5.1.5   | Abstracting the Rights Datastructures                | 138 |
|   |     | 5.1.6   | Abstracting the Device Datastructures                | 141 |
|   |     | 5.1.7   | The Vamos Abstraction Relation                       | 142 |
|   | 5.2 | Imple   | mentation Invariant                                  | 143 |
|   |     | 5.2.1   | Value Bounds                                         | 144 |
|   |     | 5.2.2   | Validity and Consistency Requirements                | 144 |
|   |     | 5.2.3   | Miscellaneous Requirements                           | 151 |
|   |     | 5.2.4   | Summing Up                                           | 156 |
|   | 5.3 | The S   | Simulation Theorem                                   | 156 |
| 6 | Imp | olemen  | ntation Correctness                                  | 159 |
|   | 6.1 | Weak    | ening the Abstraction Relation                       | 161 |
|   | 6.2 |         | iary Functions                                       |     |
|   | 6.3 |         | ctness of the Timer-Interrupt Handler                |     |
|   |     | 6.3.1   | Implementation Correctness of check_elapsed_timeouts |     |
|   |     | 6.3.2   | Implementation Correctness of handle_timer           |     |
|   |     |         |                                                      |     |

|   | 6.4                    | Correctness of the Trap Handler                             | 169 |
|---|------------------------|-------------------------------------------------------------|-----|
|   |                        | 6.4.1 Implementation Correctness of Function set_privileges | 170 |
|   |                        | 6.4.2 Implementation Correctness of Function                |     |
|   |                        | process_change_scheduling_param                             | 172 |
|   |                        | 6.4.3 Implementation Correctness of IPC                     | 174 |
|   |                        | 6.4.4 Implementation Correctness of Function                |     |
|   |                        | dispatcher_kernel_call                                      | 181 |
|   | 6.5                    | Correctness of the VAMOS Top-level Function                 | 184 |
|   | 6.6                    | Correctness of a System Step                                | 187 |
| 7 | Coı                    | nclusion                                                    | 189 |
|   | 7.1                    | Future Work                                                 | 192 |
| 8 | $\mathbf{A}\mathbf{p}$ | pendix                                                      | 193 |
|   | 8.1                    | Formal Specification of the VAMOS Trap Dispatcher           | 193 |
| B | iblio                  | graphy                                                      | 206 |

# List of Figures

| 1.1 | Kernel step refinement (simplified)                          | 26 |
|-----|--------------------------------------------------------------|----|
| 2.1 | System stack                                                 | 30 |
| 2.2 |                                                              | 31 |
| 2.3 | Simpl function system_step, which represents a combined step |    |
|     | of CVM and VAMOS                                             | 44 |
| 2.4 | The kernel-dispatcher function of VAMOS                      | 55 |
| 3.1 | The input/output automata of the abstract system layer and   |    |
|     | their relationship                                           | 57 |
| 4.1 | Memory Management in the Overall System                      | 85 |
| 5.1 | Simulation between implementation and model 1                | 33 |
| 6.1 | Call Graph of the VAMOS Implementation                       | 60 |
| 6.2 | Data abstraction in the case of trap handling                | 61 |
| 6.3 | Function handle_timer                                        | 67 |

## List of Tables

| 2.1 | Application binary interface of the | VAMOS | kernel | l . |  |  | 46     |
|-----|-------------------------------------|-------|--------|-----|--|--|--------|
| 2.2 | General Datastructures in VAMOS     |       |        |     |  |  | 51     |
| 2.3 | Process-specific Data in VAMOS      |       |        |     |  |  | <br>53 |

## Chapter 1

## Introduction

| $\alpha$ | 4  |    | 4                      |
|----------|----|----|------------------------|
| $C_0$    | nt | en | $\mathbf{t}\mathbf{s}$ |

| 1.1 | Document Outline               |
|-----|--------------------------------|
| 1.2 | Related Work                   |
| 1.3 | Motivation and Contribution 25 |
| 1.4 | Preliminaries                  |
|     |                                |

Without a doubt, there is a steadily growing impact of computers on our daily life. A couple decades ago, only a few people – mostly for professional reasons – were confronted with the phenomenon "computer". That has certainly changed. Meanwhile, while driving a car various programs – from the entertainment system to the airbag control – assist us and usually ensure that we reach our destination safely. We use computers for banking transactions and the state-of-the-art-technology already deals with computers assisting physicians during difficult surgeries. Even the leisure sector observes an increasing entry of technology. It seems that nowadays nearly nobody is able to ride a bike without tracking the route by GPS or run without listening to music. Not to mention that the thereby achieved performances are immediately shared with the rest of the world via social networks like Facebook.

A reason for the triumphal procession of these new technologies is that – most of the time – they ease our lives and work properly. And when sometimes things go wrong, this is annoying, but usually no severe or even live-threatening consequences are entailed.

However, there are definitely computer systems where malfunctions could result in dramatic consequences. One just has to think of systems flying airplanes, controling nuclear power plants or pacemakers dictating the beat of human hearts. Thanks to outstanding engineering skills, until now, we remained widely spared from any severe scenarios. Nevertheless, it is no longer a rarity that the media reports on flaws in computer systems with

20 1. Introduction

far-reaching consequences. At the beginning of the year 2010, for instance, nearly 30 million bank customers in Germany were incapable of withdrawing money at cash points. The reason for that could be traced back to a programming error in a security chip on the bank cards. Another software bug was recently reported in conjunction with the acceleration mechanism in vehicles of Toyota's model Prius. Such occurrences certainly scratch on the image of the companies concerned, without mentioning the financial drawbacks.

There is some indication that such reports will accumulate in the future. That is not because the system engineers today are worse than in the past or became lazy in testing their systems. The reason is simply founded in the increasing complexity of such systems which makes it more and more difficult for human beings to keep the overview. Furthermore, the new technologies reach out into new areas. A few years ago it would have been unthinkable that computers assist in medical surgeries or computer-controlled robots even accomplish them. Today we accept computer-assisted surgical planning as normal.

If, however, such a system fails, severe consequences are possible. Therefore, it is expected that the demand for truly robust, safe, and secure systems will constantly grow in the next years. In order to achieve this, a detailed and profound analysis of such computer systems is required. Previous approaches to satisfy the desire for reliable systems often focused on exhaustive testing of the systems. However, only limited reliability can be achieved this way, because testing never proves the absence of errors and often relies on assumptions on other system components (e. g., underlying system software) which may behave differently than expected.

A different approach constitutes the pervasively formalization and verification of computer systems. In [55], J. S. Moore, principal researcher of the CLI stack project [12], declares the formal verification of a "practical computing system" as a grand challenge problem.

The Verisoft projects exactly tackles this problem and aims at the pervasive modeling, implementation, and verification of a complete computer system reaching from gate-level hardware to applications running on top of an operating system. Certainly, a corner stone of this system is the microkernel constituting the interface between the hardware and the operating system.

In this thesis, we describe the modeling and verification of the microkernel in a pervasive context.

#### 1.1 Document Outline

In the remainder of this chapter, we discuss related work and present the motivation and contribution of this thesis. It concludes with some basic no1.2. Related Work

tation. Chapter 2 describes background information about the context and prerequisites of this thesis. It introduces the languages C0 and assembly which are used to implement the kernel and sketches the verification approach. Furthermore, it presents the computational models for the devices and the communicating virtual machines (CVM). The chapter concludes with an overview on the design and implementation of the VAMOS kernel.

Chapter 3 gives a bird's eye view on the abstract system layer, which is concretized in Chapter 4 with the model of the VAMOS kernel.

Chapter 5 states the VAMOS correctness theorem and Chapter 6 deals with the actual proofs.

We conclude in Chapter 7 with a summary and an outlook on future work.

#### 1.2 Related Work

Early attempts regarding the formal verification of operating system kernels already took place in the 1970s and early 1980s. The Provably Secure Operating System (Psos) comprised hardware and software and aimed at a useful general purpose operating system with demonstrable security properties, as a retrospective report [58] from 2003 describes. Even if no code proofs were undertaken, Psos introduced concepts for OS verification and aimed at applying formal methods throughout the whole implementation of the OS.

The verification of a kernel supporting threads, a capability-based access control, virtual memory, and device accesses, was the aim of the UCLA Secure Unix project [79]. It relied on the assumptions that the compiler and the hardware work correct. They report that about 90% of the specifications and 20% of the code proofs were completed.

The KIT kernel [11, 12, 55] is the first kernel that can be considered as formally verified. However, it can only be referred as groundbreaking to the area of pervasive operating-system verification. The main difference to more recent verification attempts of "real software" is that it relies on a LISP execution model that is nowadays considered fairly abstract. Moreover, the corner stone theorem of this work is on memory separation of processes.

While they pioneered the field, none of the above projects comes up with a realistic operating system kernel (written in an imperative language) with full implementation proofs. The main reason for this were the missing or to a large extend underdeveloped tool environments. It took until the early 2000s to remedy this deplorable state of affairs, before projects again engaged in increasing the confidence in system software by means of formal methods. Various approaches cover only specific aspects of an operating system kernel and apply formal methods to it. Though these approaches are promising, they would not produce a formally verified operating system kernel. Thus,

22 1. Introduction

we do not consider them in the context of this thesis but rather concentrate on the approaches examining complete kernels. Subsequently, we refer to the most prominent projects. For the interested reader, we also recommend the excellent and comprehensive overview by Klein [43].

Most of the projects deal with the verification of an operating system kernel by following the single-layer approach. They apply formal methods to the kernel layer with the aim to show, that this layer fulfills a certain specification and (possibly) some properties. In contrast to the pervasive approach (we are aiming at), the lower layers are considered as correct and respective properties are assumed to hold. Additionally, while defining the particular specifications, it is usually not ensured (at least not apparently) how these specifications could be integrated or used in higher layers, for instance, in order to specify an operating system.

An exponent of the single-layer approach is the MASK project [54] standing for mathematically analyzed separation kernel. It guarantees a separation property that is provided by construction in the highest-level model, and by multiple formal refinement proofs down to a low-level design, which is close to an implementation. Code proofs, however, were not attempted.

The VFIASCO project [39] aims at the verification of the microkernel Fiasco implemented in a subset of C++. Besides model checking of basic safety properties in Spin [31] for a strongly limited and simplified version of Fiasco IPC, three properties concerning ready and waiting lists have been verified in PVS [67]. However, this work is less than full code verification since C++ code was transformed (only for this purpose) into PVS without defining a formal semantics of the used C++ subset. Even some functions were only described by their semantical effects, and hence the obtained implementation model is rather a specification.

With Eros/Coyotos [70], Shapiro and Weber define a capability based kernel system and prove certain security policies to hold. For the successor project COYOTOS, a complete formal specification of the microkernel and the used programming language BitC has been finished. No formal proofs have been reported yet.

Other projects, for instance, EMBEDDED DEVICE [37, 36], were successful in the verification but did not reach down to the implementation level. In the FLINT project [60], an assembly code verification framework is developed and code for context switching on a x86 machine was formally proven to be correct. The presented code is in functionality and size very similar to the process switch implemented in the CVM, and also reported verification efforts are comparable to those in Verisoft. Although a verification logic for assembler code is presented, no integration of results into high level programming languages has been undertaken yet.

Besides the verification of the VAMOS kernel, the Verisoft project also dealt with the correctness of the real-time operating system OLOS. The functional correctness of this tiny real-time operating system also relies on

1.2. Related Work

the CVM layer and has completely been shown [29]. Compared to the VAMOS kernel, however, the complexity of OLOS with only three rather low-level system calls is much lower.

Further verification projects are L4.VERIFIED and VERISOFT XT both aiming at the complete code-level verification of operating system kernels.

**L4.verified.** L4.VERIFIED focuses on the seL4 kernel [35], which is based on the ARM11 platform. It is a third generation microkernel of L4 provenance and comprises 8,700 lines of C and 600 lines of assembly code. Relying on [42, 44], the L4.VERIFIED project is providing a machine-checked proof of the functional correctness of the seL4 microkernel with respect to a high level, formal description of its expected behaviour.

The lowest level of the verification and of the refinement is a highperformance C and ARM assembly implementation of the seL4 microkernel. The next level up, the low-level design, is a detailed, executable specification of the intended behaviour of the C implementation. This executable specification is derived automatically from a prototype of the kernel which was written in the high-level, functional programming language Haskell. While trying to avoid messy specifics of how data structures and code are optimized in C, the executable specification still represents a pretty concrete view on the kernel implementation. For instance, it still contains doubly-linked lists, i.e., pointer structures. The highest refinement layer is the high-level design, an abstract, operational specification of the kernel. Usually, this is accompanied with a high level of abstraction. It is reported, however, that this layer precisely describes argument formats, encodings and error reporting. Thus, for instance, some of the C-level size restrictions become visible on this level. On the other hand, the specification uses non-determinism in order to avoid an explicit description of the system. For example, neither a scheduling policy is defined at the abstract level nor the correctness of the interrupt controller management is modeled in detail. The refinement proofs are machine-checked in the interactive theorem prover Isabelle/HOL.

In [18, 30], they also defined an abstract access control model of seL4 that captures how capabilities (the kernel's access control mechanism) are distributed in the system and showed the isolation of security domains based on this model. The access control model, however, is not formally connected to the high-level design of seL4 which is used in the refinement proof.

Without doubt, the results of the L4.VERIFIED project are very promissing. However, the following issues have to be observed: Firstly, the approach assumes the correctness of the C compiler, the assembly code, and the hardware. Furthermore, in contrast to the Verisoft project, there is no obvious technology to integrate and combine all these entities into one coherent theory. Secondly, the abstraction level of the high-level design seems to be comparatively low (which reduces the effort regarding the refinement proof)

24 1. Introduction

and unsuitable to show, for instance, properties of the access control mechanism. Instead, these proofs rely on a (probably) more abstract model which is not formally connected to the high-level design in the refinement proof. Thirdly, the abstract models are not applied, in the sense that they are used to specify an operating system, for instance.

Based on these issues, we define the scope of our work. The model of the VAMOS kernel presented in this work is completely integrated into a model stack reaching from applications down to the hardware. Relying literally on definitions of the lower layers, on the one hand, the VAMOS model exports definitions to higher layers, on the other hand. Bogan [15], for instance, based his operating system model on VAMOS and uses definitions from it literally.

The seamless integration into the model stack is not the only remarkable difference between the high-level design of seL4 and the VAMOS model. Similar as above, the VAMOS model serves as basis for the functional correctness of the VAMOS implementation. Thereby, the model establishes an abstraction level that is high enough, such that it can be used to show a pretty complex property of the VAMOS kernel, namely the fairness of the VAMOS scheduler [25, 27].

**Verisoft XT.** The Verisoft XT project aims at the complete code-level verification of the following operating system kernels:

PIKEOS kernel [41]. This L4-derivate comprises 6,000 lines of code (loc) and is part of a commercial product available for Intel's x86, PowerPC, and ARM. The proofs are carried out by the VCC verification environment [21] (a descendant of the Spec# program-verification environment of Microsoft Research), which uses a trusted tool chain comprising the automatic verifier for concurrent C code VCC, the verification condition generator Boogie [16, 17], and the automated theorem prover Z3 [56]. The supported C fragment is a large fragment of ANSI C.

Recent publications [8, 7] mainly introduce the tool chain and methodology. Apart from the verification of a simple system call which changes the priority of a thread, there are no reports yet on the portion of verified code.

HYPER-V [66]. The kernel comprises 100,000 lines of C and 5,000 lines of assembly code and is part of a commercial virtualization environment. The hypervisor turns a single real multi-processor x64 machine (with AMD SVM or Intel VMX virtualization extensions) into a number of virtual multi-processor x64 machines. The verification is realized by the VCC verification environment (see above); the supported C fragment is a large fragment of ANSI C. Recent publications [20, 22,

23] in this context mainly focus on the methodology of VCC and its application.

Baby Hyper-V. Alkassar et al. [5], report on the successful verification of the so-called baby hypervisor. In comparison to the Hyper-V, the baby hypervisor and the architecture it virtualizes are very simple because it only includes the initialization of the guest partitions and a simple shadow page table algorithm for memory virtualization. However, it played an important role of driving the development of the VCC technology and applying it to system verification.

The VCC technology [22] demands a high level of trust: The current VCC version uses an axiomatization of the execution model consisting of various axioms, which introduce some rather abstract concepts like concurrency and ownership of references. Though critical subproblems of the foundation are tackled by informal as well as formal proof methods, the integration into a uniform foundational theory is significantly less prioritized. In this respect, the tool chains, methodologies etc. are driven by the need to deal with the existing code that can only be changed, if errors have been revealed.

#### 1.3 Motivation and Contribution

Summing up the last section, we can state that real system-code verification represents a grand challenge. Current approaches – including ours – compromise in one way or the other: the logical foundations are quite problematic, the computer architectures are simpler than industrial-strength processors, the code size is fairly small, or the underlying execution model of C and assembly makes severe simplifications. In addition, we have to deal with an ambiguous notion of functional correctness which mainly concerns the abstract model, the functional correctness relies on. Thus, we have to be aware of the following issues:

- is the abstract model confirmed by underlying models or is it based on the informal understanding of the lower layers and respective properties
- which level of abstraction provides the model and which parts of the concrete system are actually modeled
- is the model tailor-made to show a particular system property, or is it able to serve as basis for higher layers, e.g., an operating system model

Taking up these issues, the abstract model for the VAMOS kernel, which we present in this thesis, is completely integrated into a model stack reaching

26 1. Introduction



Figure 1.1: Kernel step refinement (simplified)

from applications down to the hardware (cf. Section 2.1). While defining the model, we literally use definitions from the lower layers, for instance, in order to describe visible parts of the processor. The abstraction level of the VAMOS model is so high, that it is possible to show a pretty complex property of the VAMOS kernel, namely the fairness of the scheduler [25, 27]. In addition, Bogan [15] based his operating system model on VAMOS and uses definitions from it literally. The integration into the overall model stack certainly justifies the relevance of the VAMOS model. This relevance, however, will be further backed by a simulation proof establishing the relation between this abstract model and the concrete, fairly realistic implementation of the VAMOS kernel.

The availability of a hardware-processor model represents the foundational layer of our work. This model describes, at gate level, the transitions of the RISC processor VAMP. A small piece of software executed on the VAMP, called CVM, provides an abstract layer running concurrently a system process as well as a number of user processes. The implemented microkernel VAMOS is executed as this system process. Its implementation uses the C fragment C0, which can be translated into assembly code by a verified compiler [49, 48]. VAMOS provides a process scheduler, an infrastructure for communication with hardware devices, and message passing between processes. All software layers are formally specified; simulation relations correlate the adjacent layers such that eventually, all specification layers can be mapped down to our hardware-processor model. The whole model stack is formalized in the theorem prover Isabelle/HOL [61].

In more detail, CVM and the VAMOS implementation together realize an abstract transition  $\delta$  by an implementation function system\_step as shown in Figure 1.1. The transition function  $\delta$  represents the execution of a non-empty portion of a user process including a possible process switch. The simulation proof establishes that the implementation with its underlying state  $\sigma$  indeed realizes the high-level state transition  $\delta$  over the corresponding abstract state s, where abstract and concrete states are linked via a formally defined abstraction relation Abs.

To our knowledge, such a proof based on a model stack of this concrete level of detail and with such a clean, seamless logical foundation has been 1.4. Preliminaries

undertaken for the first time.

#### 1.4 Preliminaries

The formalizations presented in this thesis are mechanized and checked within the generic interactive theorem prover Isabelle[62]<sup>1</sup>. Isabelle is called generic as it provides a framework to formalize various *object logics* that are declared via natural deduction style inference rules within Isabelle's metalogic Pure. The object logic that we employ for our formalization is the higher order logic of Isabelle/HOL[61].

This thesis is written using Isabelle's document generation facilities, which guarantees that the presented theorems correspond to formally proven ones. We distinguish formal entities typographically from other text. We use a sans serif font for types and constants (including functions and predicates), e.g., replicate, a slanted serif font for free variables, e.g., x, and a slanted sans serif font for bound variables, e.g., x. Small capitals are used for data type constructors, e.g., Foo. HOL keywords are typeset in type-writer font, e.g., let.

As Isabelle's inference kernel manipulates rules and theorems at the Pure level the meta-logic becomes visible to the user and also in this article when we present theorems and lemmas. The Pure logic itself is intuitionistic higher order logic, where universal quantification is  $\bigwedge$ , implication is  $\Longrightarrow$  and equality is  $\equiv$ . Nested implications like  $P_1 \Longrightarrow P_2 \Longrightarrow P_3 \Longrightarrow C$  are abbreviated with  $[\![P_1; P_2; P_3]\!] \Longrightarrow C$ , where we refer to  $P_1, P_2$ , and  $P_3$  as the premises and to C as the conclusion.

In the object logic HOL universal quantification is  $\forall$ , implication is  $\longrightarrow$  and equality is =. Isabelle/HOL provides a library of standard types like Booleans, natural numbers, integers, total functions, pairs, lists, and sets as well as packages to define new data types and records. We only present them shortly in the following.

**Functions.** In HOL all functions are total. An unamed function can be specified using the  $\lambda$ -operator, e. g.,  $\lambda x$ . x is the identity function. In general, we prefer curried functions over functions taking an n-tupel as argument, e. g., f a b instead of f(a, b). Note that function application binds tighter than any other operator, i. e., f i + g j means (f i) + (g j). Function update is  $f(y := v) \equiv \lambda x$ . if x = y then v else f x and function composition is  $f \circ g \equiv \lambda x$ . f (g x). Partial functions are usually formalized in HOL with an optional type. This type is a data type with two constructors, one to inject values of the base type, e. g.,  $\lfloor x \rfloor$ , and the additional element  $\bot$ . With  $\lceil y \rceil$ , the original base value x can be obtained such that y = |x|. There

<sup>&</sup>lt;sup>1</sup>For taming Isabelle's powerful document-generation mechanism in general, and in particular for the major part of this section, we are indebted to Schirmer *et al.* [69, 4]

28 1. Introduction

is no base value x iff  $y = \bot$ . As HOL is a total logic the term  $\lceil \bot \rceil$  is still a well-defined yet unspecified value. Partial functions can be represented by the type  $a \Rightarrow b$  option, abbreviated as  $a \to b$ . For an update of a partial function, we write  $f(y \mapsto x)$ . For data types, we write the structural case distinction over some value x as x as x as x and x as x as x as x and x as x as x as x as x as x as x and x as x as x and x as x as x and x are the following partial functions, we may write x as x and x and x are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functions are the following partial functions as x and x are the following partial functions are the following partial functio

**Sets and Intervalls.** Sets come along with the standard operations for union, i.e.,  $A \cup B$ , intersection, i.e.,  $A \cap B$  and membership, i.e.,  $x \in A$ . The set image f ' A yields a new set by applying function f to every element in set A.

We denote the intervall of the numbers a and b excluding the endpoints by  $\{a<...< b\}$ , and including the endpoints by  $\{a..b\}$ . Furthermore, we write  $a \le c < b$  to denote that a number c is in the interval  $\{a...< b\}$ .

**Records and Tupels.** A record is constructed by assigning all of its fields, e.g., ( $|\mathsf{fld}_1 = v_1, \mathsf{fld}_2 = v_2|$ ). Field  $\mathsf{fld}_1$  of record r is selected by  $r.\mathsf{fld}_1$  and updated with a value x via  $r(|\mathsf{fld}_1 := x|)$ .

The first and second component of a pair can be accessed with the functions fst and snd. Tuples with more than two components are pairs nested to the right.

### Chapter 2

## Background

| 2.1 | The Academic System: Software Stack          | 30 |
|-----|----------------------------------------------|----|
| 2.2 | The Academic System: Semantic Stack          | 31 |
| 2.3 | Devices                                      | 38 |
| 2.4 | Communicating Virtual Machines               | 39 |
| 2.5 | Vamos Microkernel: Design and Implementation | 43 |
|     |                                              |    |

The present work was done in the context of the German Verisoft project, a large scale effort bringing together industrial and academic partners to push the state of the art in formal verification for realistic computer systems, comprising hard- and software. Our microkernel belongs to Verisoft's so-called Academic System (as opposed to systems in subprojects with partners from industry), which is a distributed computer system for the exchange and management of signed and encrypted e-mails. This computer system is designed as part of an open network with a number of trusted computers. While the system is open to receive e-mails from arbitrary computers in the network, each trusted computer uses identical hardware and the same operating-system software. As application software, we implemented and verified an e-mail client [10, 9], an e-mail server [45, 46], and a cryptography server that run on top of this operating system. These applications might be arbitrarily distributed over the trusted computers in the network.

This section continues with a short introduction of the implementation layers in our computer system. Furthermore, we summarize the general verification approach that has been developed for sequential programs within Verisoft in Section 2.2. A key feature of this approach is, that it can cope with mixed-language implementations as they frequently occur in system-level software. In our case, these languages are C0 and assembly. Assembly is used in the lowest software layer, a low-level microkernel. The device

30 2. Background



Figure 2.1: System stack

model in Section 2.3 together with the computational model Communicating Virtual Machines (CVM) introduced in Section 2.4, abstract from this lowest software layer. On top of it, Section 2.5 introduces the VAMOS microkernel which is completely implemented in C0. It relies on the CVM framework and represents the top-level microkernel with utilities like interprocess communication, memory management and process scheduling.

#### 2.1 The Academic System: Software Stack

Figure 2.1 depicts the hard- and software layers of a single computer in the system. The lowest software layer is called *communicating virtual machines* (CVM). This layer encapsulates all the hardware-specific low-level kernel functionality, which uses inlined assembly. Technically, this software constitutes the interrupt-service routine of the processor. CVM's major task is memory virtualization and process separation. Hence, CVM includes a page-fault handler with a simple memory swapping facility [6]. The remaining functionality of our microkernel is implemented by the hardware-independent kernel part. CVM exports an interface of so-called *primitives* for the access to and manipulation of user processes to this kernel part. We have thereby established a solid framework for microkernel construction.

Using this framework, we have implemented our microkernel VAMOS in the C variant  $C\theta$  without inlined assembly. When an interrupt occurs, CVM preserves the old processor context, establishes a suitable C0 environment and calls the function dispatcher\_kernel of VAMOS. For the manipulation of the user memory or registers, VAMOS may call the primitives of CVM. The return value of dispatcher\_kernel determines which process resumes when the kernel execution finishes.

While CVM and VAMOS run in the privileged system mode of the proces-



Figure 2.2: Semantic Stack

sor, processes run in the unprivileged user mode. In the figure, we labeled one process "OS" for the operating system and the others "App" as abbreviation for application (e.g., e-mail client or server). The OS process constitutes the highest layer of the operating system [15]. It features an advanced rights management with different users, implements a sophisticated access control to kernel services like process creation and provides further services like file-system and network access. All processes interact with the kernel via kernel calls. The instruction set architecture (ISA) provides a special instruction TRAP causing an exception, which is handled in VAMOS. VAMOS can examine and alter the state of the process using CVM primitives, thus identifying the process's specific request and storing the kernel's corresponding response.

### 2.2 The Academic System: Semantic Stack

As Figure 2.1 depicts, a computer system comprises a stack of hardware and software layers. Along the implementation layers, we assemble computational models which we use to specify and verify the system. Each of these layers introduce a higher abstraction level to improve the effectiveness of reasoning. In addition, these layers often employ different implementation languages. CVM, for example, provides the abstraction of separate processes with virtual memory, and is implemented in a mixture of C0 and inlined assembly. The reason for two implementation languages is apparent: C0 is a C-like high-level programming language and can be comfortably employed at a reasonable abstraction layer for most programming tasks. Specific low-level functionality, however, cannot be expressed in C0. For these tasks, we employ the assembly language.

In a large-scale verification project, the key to success is a verification ap-

32 2. Background

proach that follows the system design. Applied to the Verisoft project, this means that verification does not only extend along the software levels but also takes into account the mixed-language architecture [3]. The verification approach is two-dimensional: The first axis, called system stack, traces the different implementation layers. Along the implementation layers, we assemble computational models which we use to specify and verify the system. Figure Figure 2.2 depicts the so-called *semantics stack* [4] combining all the different language semantics.

The assembly language marks the bottom layer, followed by C0 and Simpl at the top. Despite of the former two, Simpl is a generic programming language model for sequential imperative programming languages. This generic model provides the basis for the versatile verification environment Isabelle/Simpl. The major challenge of a pervasive verification is to develop a coherent theory that allows to transfer the correctness results down to the lowest layer. Thus, an important result of the Verisoft project is the correctness theorem of a simple non-optimizing compiler that links C0 and the assembly language [49, 63, 50]. Furthermore, transfer theorems [69] establish an embedding of C0 into the generic programming model Simpl.

In the following sections, we present the – for microkernel programming relevant – implementation languages C0 and VAMP assembly. The chapter concludes with the introduction of the verification environment Isabelle/Simpl which is used to conduct the actual proofs.

In the scope of this work, we solely focus on the correctness proofs performed in Isabelle/Simpl. Mapping down the results achieved would rely on the previously mentioned transfer theorems and the compiler correctness. Starostin [72] already successfully applied the semantic stack in the context of the formal verification of the demand paging mechanism in CVM.

#### 2.2.1 The Language C0

ANSI C has a complex and highly underspecified semantics. However, low-level kernel programs such as drivers explicitly use properties of a particular compiler on a target hardware, for example, its little-endian-ness or a particular atomicity of assembly operations. They can therefore not be verified based only on the vague ANSI C semantics. In our approach, we constrained ourselves to the C-like imperative language  $C\theta$ , which has sufficient features to implement low-level software, but which is interpreted by a mathematically well-defined semantics. It is type safe and designed with verification in mind. An elaborate description of the big-step semantics is given in [69] and the small-step semantics is introduced in [48]. An overview on the simulation theorems between the semantical layers can be found in [3].

C0's most important limitations compared to ANSI C are:

• expressions must be free of side effects and do not contain function calls,

- there are no implicit type conversions, especially not from arrays to pointers,
- pointers are strongly typed and must not point to functions or stack variables (i. e., there are neither void pointers nor pointer arithmetic), and
- low-level data types (like unions and bit fields) and control-flow statements (like switch and goto) are not supported.

**Syntax.** C0 supports fundamental types, aggregate types and pointers. The first category comprises Booleans, 8-bit-wide characters, as well as signed and unsigned 32-bit integers. Aggregate types in C0 are arrays and structures. Pointers may point to all types of data but not to functions.

Expressions are variable names and literals. Moreover, if e and i are expressions and n is a component name, array access e[i], access to structure components e.n, dereferencing \*e, and the 'address-of' operation &e are expressions. Additionally, C0 supports the usual unary and binary operators.

Finally, C0 supports statements for assignments, dynamic memory allocation, sequential composition, conditional and repeated execution, inline assembly, function calls and returns from functions.

Small-step Semantics. C0 programs are statically represented by the program environment  $\Gamma$ , which comprises a symbol table of global variables, a type-name environment, and a function table. The symbol table is a list of pairs of variable names and types. The type-name environment maps type names to types. The function table maps function names to functions, which are represented by a tuple consisting of (a) a symbol table for the function's parameters, (b) a symbol table for the stack variables, (c) the function's return type, and (d) a statement representing the function body.

The dynamically changing state  $s_{\mathsf{C0}}$  of a C0 program in execution comprises:

- the remaining program  $s_{C0}$ . proq. and
- the current state of the program variables  $s_{C0}.mem$ .

The transition relation  $\delta_{C0}$  of this semantics is deterministic, i. e., a partial function.

#### 2.2.2 The Vamp Assembly Language

The DLX architecture [38] lays the foundation of the VAMP architecture which was initially presented in [57]. An implementation of the VAMP has been formally verified [13, 14]. Since then, the VAMP has been extended with address translation and support for I/O devices [24, 1, 77].

There are three models [4, 77] related to the VAMP architecture. The most concrete one is the gate-level implementation followed by the instruction set architecture (ISA) specification and the assembly-language speci-

34 2. Background

fication. The adjacent models are related via simulation proofs, such that properties shown at the assembly level can eventually be transferred down to the gate-level.

In the context of this work, we only rely on the VAMP assembly language specification. Details on the gate-level implementation and its verification can be found in [77].

The VAMP assembly language is the target language of the verified C0 compiler and represents a convenient layer for the implementation and the verification of hardware-dependent programs. Its specification abstracts from certain aspects of the lower layers, which are irrelevant for these purposes. For instance, the VAMP assembly machine employs a linear memory model with a conventional memory semantics, i.e.,. it abstracts from memory-mapped device I/O and the paging mechanism of the processor. This abstraction is useful for assembly code executed in the untranslated system mode as well as in the user mode with a transparent handling of address translation and page faults.

Furthermore, the bit vectors from the ISA specification are superceded in the VAMP assembly machine (a) by integers for data, (b) by naturals for addresses, and (c) by a tailored abstract data type for instructions. While this representation is optimized for assembly programs working with integers, arguments regarding naturals and bit-vector operations require the conversion from / to integers. Thus, we define, for instance, the two functions to\_int32 and to\_nat32 converting between 32-bit integers and naturals.

**Assembly Semantics.** An assembly state  $s_{asm}$  is a record with the following components:

- two program counters s<sub>asm</sub>.dpc and s<sub>asm</sub>.pcp for implementing the delayed branch mechanism, which hold the byte addresses of the current and next instruction,
- general purpose and special-purpose register files  $s_{\mathsf{asm}}.\mathsf{gprs}$  and  $s_{\mathsf{asm}}.\mathsf{sprs}$  both holding lists of data, and
- main memory  $s_{asm}$ .mm, which is a map from word addresses to data.

A VAMP assembly configuration is called *valid*, if it fulfills certain basic well-formedness conditions: (a) the program counters must be 32-bit naturals, (b) register files must contain 32 registers, and (c) all registers and memory cells must be 32-bit integers <sup>1</sup>. Formally, the predicate is\_ASMcore encapsulates these well-formedness conditions:

<sup>&</sup>lt;sup>1</sup>Note that register  $s_{asm}.gprs$  ! 0 is always 0 and can thus be represented as 32-bit integer.

```
is_ASMcore s_{\mathsf{asm}} \equiv 0 \le s_{\mathsf{asm}}.\mathsf{dpc} < 2^{32} \land 0 \le s_{\mathsf{asm}}.\mathsf{pcp} < 2^{32} \land \mathsf{length} \ s_{\mathsf{asm}}.\mathsf{gprs} = 32 \land \mathsf{length} \ s_{\mathsf{asm}}.\mathsf{sprs} = 32 \land (\forall i \in \{0 < ... < 32\}. \ -2^{31} \le s_{\mathsf{asm}}.\mathsf{gprs} \ ! \ i < 2^{31}) \land (\forall i \in \mathsf{used\_sprs}. \ -2^{31} \le s_{\mathsf{asm}}.\mathsf{sprs} \ ! \ i < 2^{31}) \land (\forall \mathit{ad}. \ -2^{31} \le s_{\mathsf{asm}}.\mathsf{mm} \ \mathit{ad} < 2^{31})
```

Instructions are represented by an abstract data type and converted on instruction fetch from memory cells using the conversion function cell2instr. Thus, the function

```
current_instr s_{asm} \equiv cell2instr (s_{asm}.mm (s_{asm}.dpc div 4))
```

denotes the instruction that is executed next in the assembly machine. Note that the byte address  $s_{\mathsf{asm}}.\mathsf{dpc}$  is divided by 4 in order to get the word address of the current instruction in the main memory of  $s_{\mathsf{asm}}$ .

The assembly semantics can equally be employed in user- and system mode. The mode is determined by the special-purpose register SPR\_MODE. In user mode, it is illegal to access the special-purpose registers and solely the page-table length register SPR\_PTL is relevant for us. It determines the size of the main memory in pages of 1024 words. For convenience, we encapsulate this fact in the function size<sub>asm</sub> and define:

```
size_{asm} s_{asm} \equiv to\_nat32 (s_{asm}.sprs ! SPR\_PTL + 1)
```

The page table length is incremented by 1 because it is initially set to -1 which denotes that no virtual memory is allocated for the process.

A memory access beyond the specified size generates an exception in the real system and an illegal exception in the assembly semantics.

The VAMP assembly transition function  $\delta_{asm}$  computes for a given assembly state  $s_{asm}$  the next state. Essentially, the transition is specified by a case distinction over current\_instr  $s_{asm}$ .

#### 2.2.3 Isabelle/Simpl - A Verification Environment for C0

For the verification of C0, we use a general program-verification framework for sequential imperative programming languages: Isabelle/Simpl [68, 69]. It is built as a conservative extension on top of Isabelle/HOL. The key feature of Isabelle/Simpl is the notion of a Hoare-Triple:

```
\Gamma \vdash P \ c \ Q
```

In a procedure environment  $\Gamma$ , this statement claims that under the assertion P on the original program state, the assertion Q will hold after the execution of the code c given in the Simpl language. The assertions P and Q are simply sets of states. In principle, Isabelle/Simpl is polymorphic over the state space; we use records but hide the details by an Isabelle syntax, such that  $\{\sigma, \sigma^{\text{var}} = 5\}$  denotes the assertion that the value of program variable var in state  $\sigma$  is five. Whenever we implicitly refer to the state, the name

36 2. Background

will be decorated by the acute prefix '. For example, 'x will refer to field x in the state record.

Expressions in Simpl are HOL expressions. In addition to the HOL operations, we have defined bitwise conjunction  $x \wedge_u y$  and disjunction  $x \vee_u y$  over natural numbers (unsigned integers) x and y. Both operators first convert the natural numbers x and y into bit vectors of the same length. Afterwards, the corresponding bitwise operation is applied to the particular bits resulting in a bit vector which is finally converted into a natural number again. While the conjunction as well as the disjunction work on arbitrary natural numbers, the result of a bitwise negation depends on the width of the data type. Thus,  $\neg_{u/32} x$  denotes the bitwise negation of a 32-bit natural number x. As above, x is first converted into a bit vector of length 32. Afterwards, the particular bits are negated and the resulting bit vector is converted into a natural number again. In a similar way, we proceed with shift operations. With  $x \ll_{u/32} y$  we define a left shift of the 32-bit natural number x by y bits. Similarily, we define a right shift  $x \gg_{u/32} y$ .

In contrast to expressions, statements are represented by an abstract datatype. The statement syntax is highly abstract, e.g., Basic f represents a state update using function f. In order to present programs in conventional terms, we employ Isabelle's powerful syntax translation machinery and denote a program variable by 'var, an assignment by 'var :== 5, a conditional by IF b THEN  $s_1$  ELSE  $s_2$  FI, a procedure call by 'var :== CALL update(5), etc. The index g is used to instruct the parser to generate guards that protect against runtime faults like overflows.

The procedure environment  $\Gamma$  is a partial function from procedure names to statements. These statements constitute the procedure body and are defined by the Isabelle/Simpl command **procedures**. The following command, for instance, defines the procedure update:

```
\begin{array}{l} \mathbf{procedures} \ \mathsf{update}(\mathsf{var} \mid \mathsf{res\_nat}) = \\ \mathsf{'res\_nat} :==_{\mathsf{g}} \ \mathsf{'var} \end{array}
```

It has one formal parameter called var and the result to return to the calling function is held in variable res\_nat, i. e., the bar separates input and output parameters. When formally specifying the functionality of the procedure, we write 'res\_nat :== PROC update('var) as shorthand for the code of procedure update.

The Hoare-Triple

```
\Gamma \vdash \{\sigma. \ \sigma \text{var} = x\} \ \text{res\_nat} :== \mathbf{PROC} \ \mathsf{update}(\text{var}) \ \{\tau. \ \tau \text{res\_nat} = x\}
```

states that procedure update assigns the value of its argument to the return variable.

The framework includes a big-step semantics, a Hoare logic for partial as well as total correctness and an automated verification-condition generator for Simpl. Within this sequential core language, assembly fragments as well

as the C fragment C0 are embedded. The embedding is based on a compiler converting C0-constructs in terms of operations provided by the small-step semantics of the VAMP machine. A correctness proof for this compiler, which links the small-step semantics to the Simpl big-step semantics, is also provided [3]. This correctness theorem about the embedding of C0 into Simpl allows for mapping low-level properties to more abstract ones formulated on the big-step semantics of C0. Thus, throughout this paper, we will present all algorithms in Simpl (so that we can rely on a uniform Isabelle/HOL foundation); note that this Simpl code is the result of an automatic translation from the C0 code that is actually compiled and runs on the machine.

We employ the HOL type system to model C0 programming language types. Isabelle's type inference then takes care of typing constraints that would otherwise have to be explicitly maintained in the assertions. Propositions that explicitly refer to the memory layout or to hardware device registers cannot be proven on the C0-Hoare-Logic level; in these situations, the verification necessarily descends down to the VAMP level. Our approach is to abstract the effect of those low-level computations into atomic XCalls (extended calls) in all our semantic layers. In particular, the state-space of C0 is augmented with an additional component that represents the state of the external component, e.g., a device. An XCall is a procedure call that performs a transition on this external state and communicates with C0 via parameter passing and return values. With this model, it is straightforward to integrate XCalls into the semantics and into Hoare logic reasoning. XCalls are typically implemented in assembly.

#### Code Verification in Isabelle/Simpl

The introduction presents a bird's eye view on the refinement, as depicted in Figure 1.1. In principle, we can reformulate the depicted claim in Isabelle/Simpl as follows:

$$\Gamma \vdash \{\sigma. \text{ Abs } \sigma s\} \text{ PROC system\_step}() \{\tau. \text{ Abs } \tau (\delta s)\}$$

Assuming an abstraction relation Abs that holds for a concrete state  $\sigma$  and an abstract state s, the relation is preserved by the transitions system\_step on the concrete level and  $\delta$  on the abstract level. Just like the figure, this statement is an over-simplification. We postpone the details to Chapter 5.

Our approach to code verification combines refinement and code correctness, i.e., contracts are specified in terms of the abstract states. As a simple example, we assume a library function append, which appends an element to a singly-linked list. In the implementation, the list is represented as a pointer structure described by the variables head and next. In order to prove that a specific pointer structure in the state  $\tau$  after a function invocation indeed denotes a list, it is useful to know that the original pointer

structure in state  $\sigma$  already denoted a list. We encapsulate the list property in a predicate inv<sub>list</sub> over the pointer variables and formulate correctness of append(head, elem) as follows:

```
\Gamma \vdash \{\sigma. \text{ inv}_{\mathsf{list}} \text{ }^{\sigma} \text{head } \text{ }^{\sigma} \text{next } \land \text{ abs\_rel}_{\mathsf{list}} \text{ }^{\sigma} \text{head } \text{ }^{\sigma} \text{next } xs \} \text{ PROC append('head,'elem)} \\ \{\tau. \text{ inv}_{\mathsf{list}} \text{ }^{\tau} \text{head } \text{ }^{\tau} \text{next } \land \text{ abs\_rel}_{\mathsf{list}} \text{ }^{\tau} \text{head } \text{ }^{\tau} \text{next } (xs @ [\sigma \text{elem}]) \}
```

i.e., we express the effect of the function in terms of its abstract representation, which is a concatenation of lists.

#### 2.3 Devices

Devices may communicate with an external environment and the processor. The former is used to model non-determinism and communication; a network interface card, for example, sends and receives network packets. The processor accesses a device by reading or writing special addresses. The devices, in turn, can signal interrupts to the processor. So far, direct memory access (DMA) is not supported.

Device communication happens on many different layers throughout our system. In Verisoft, we established a uniform way of interacting with devices by developing a generic device framework featuring standardized transition functions for all layers. The detailed discussion of this model goes far beyond the scope of this work and it is not necessary for the further developing. Alkassar and Hillebrand [2] describe the model in detail.

In a nutshell, the device model is pseudo-parallel in the sense that we either do an internal step – the device consumes a processor input – or an external step – the device consumes an external input, but never both at the same time. We use the automaton

$$\mathcal{A}_{D} = (\mathcal{S}_{D},\,\mathcal{S}_{D}^{0},\,\Sigma_{int},\,\Omega_{int},\,\omega_{D},\,\delta_{Dint},\,\Sigma_{ext},\,\Omega_{ext},\,\delta_{Dext})$$

to describe the devices. The state  $\mathcal{S}_D$  of the device system subsumes the particular device configurations with  $\mathcal{S}_D^0 \subset \mathcal{S}_D$  representing the set of the initial configurations. Devices communicate with the kernel resp. the processor by using the alphabet  $\Sigma_{int}$  (from the device subsystem to the processor) and the alphabet  $\Omega_{int}$  (from the processor to the devices). Our kernel uses memory-mapped I/O for device communication. Hence, the output alphabet  $\Omega_{int}$  comprises read and write accesses to device addresses whereas the input alphabet  $\Sigma_{int}$  consists of interrupt lines and optionally incoming data. The kernel can access the device system by means of the output function  $\omega_D$  which returns the interrupt vector of currently active interrupts. Kernelinitiated communication is performed by the transition function  $\delta_{Dint}$ . Based on an input from the kernel, it does not only yield a successor device state, but also output to the kernel and, potentially, to the environment.

The communication with the environment is based on an *external inter*face in order to receive keystrokes, for example, or send network packages. It is defined by the alphabets  $\Sigma_{ext}$  and  $\Omega_{ext}$ . Inputs from the environment consist of a device ID and an external device input. The external transition function  $\delta_{Dext}$  takes this input and computes the next state. While internal steps may result in both external and internal output, external steps only produce external output.

## 2.4 Communicating Virtual Machines

Virtually every modern operating system kernel is devided in a hardware-dependent and a hardware-independent part. Usually, the former part is small but employs inline assembly code, while the latter one is larger in size but written in a high-level programming language. From the verification perspective, inline assembly code requires a logic with much more machine details than that of a well-designed high-level language. Hence, the partitioning regarding functionality is very useful for our intended verification as well.

Based on these observations, we encapsulate all hardware-specific low-level functionality, which is possibly using inline assembly, in the layer of communicating virtual machines (CVM), which was first introduced in [34] and further developed in [65, 76]. We identify three major tasks for this abstraction layer: memory virtualization [72, 6], switching between different threads of execution [74], and data exchange [76]. For the hardware-independent part, CVM provides the means for access and manipulation of user machines by so-called primitives [73]. Examples are cvm\_copy, for copying data between two user machines, cvm\_alloc for increasing the virtual memory space, and cvm\_get\_gpr for reading a general purpose register of a user machine. The CVM primitives are simply functions that operate on CVM data structures and might possibly contain inline assembly. From the programmer's view, we have thus established a solid framework for microkernel construction [40]. Programmers can implement microkernels using CVM primitives and plain C0 without extra inline-assembler portions.

From the verification perspective, we established a semi-parallel model of computation that formalizes concurrent user machines interacting with a kernel. These user machines are abstract processors with virtual memory. The so-called abstract kernel is represented as an abstract C0 machine with typed memory. In addition to usual C0 functions, the kernel code might call CVM primitives. Hence, the primitives must have been declared in the C0 machine. Moreover, a function called dispatcher\_kernel must be defined, which CVM will call when an interrupt occurs. In order to obtain an executable, we have to link the CVM implementation with the abstract kernel [65]. We call the resulting executable the concrete kernel.

In the following, we will only briefly summarize the formal model of CVM. Apart from that, we refer to the mentioned literature.

#### 2.4.1 Cvm State

A CVM state  $s_{\text{CVM}}$  is a record with the following components:

- the abstract kernel cvm\_kernel,
- the virtual user processes cvm\_up, and
- the state of the device system cvm\_devs.

In CVM, the abstract kernel cvm\_kernel is modelled as a C0 machine. The component cvm\_up contains information on the virtual machines of the user processes. We denote the number of user processes including the kernel that are allowed to run in our system by the constant PID\_MAX = 128. For identifiers of user processes, we introduce the data type procnumT =  $\{1...<PID\_MAX\}$ , whereas identifier 0 is used for the kernel. CVM applies the VAMP assembly semantics to model the virtual user machines. Accordingly, component cvm\_up.userprocesses provides a mapping between process identifiers and VAMP assembly states. The component cvm\_up.currentp holds the identifier of the current process, which is determined by the process identifier  $\lfloor pid \rfloor$ , if process pid is running and  $\bot$ , if the kernel is running. Common to all processes is the interrupt mask cvm\_up.statusreg which is represented as a 32-bit natural number.

Initial Cvm State. An initial CvM state represents the situation after a reset and is described by the function init\_cvm\_sys. As the abstract kernel as well as the devices are parameters of the CvM model, they have to be provided as input:

```
init_cvm_sys ak \ devs \equiv (|cvm_kernel = init_cvm ak, cvm_up = init_cvmup, cvm_dev = init_dev devs)
```

In a nutshell, init\_cvm initializes the local stack and the program rest of the abstract C0 kernel machine ak, whereas init\_dev initializes the devices devs. Function init\_cvmup is used to initialize the abstraction of the virtual user processes, i.e., the program counters are set to 0, and the memory as well as the general- and most of the special-purpose registers are filled with zeroes. However, the page table origin in register SPR\_PTO is process-specific, whereas the page table length in register SPR\_PTL is set to -1, which denotes that no virtual memory is allocated for the process so far. In addition, the SPR\_MODE register is set to 1 intending that the machine runs in user mode.

So far, no process is running, i.e., the current process identifier is set to  $\bot$ . Finally, the status register enables the interrupts for illegal instructions, misalignment, page faults, traps, and the timer device.

For more formal details, we refer to [65, 76].

Valid Virtual Machines. In the remainder of this thesis and, in particular, in the correctness proof of our kernel, we rely on certain validity requirements for the virtual machines. Predicate is\_valid\_cvmup formally encapsulates these requirements:

```
is_valid_cvmup up \equiv \forall i. is_ASMcore (up.userprocesses i) \land (up.userprocesses i).sprs ! SPR_MODE \neq 0 \land -1 \leq (up.userprocesses i).sprs ! SPR_PTL < to_int32 TVM_MAXPAGES
```

First of all, each virtual machine represents a VAMP assembler machine in terms of is\_ASMcore and runs in user mode. Furthermore, a virtual machine is either occupied with no memory, i. e., its page table length equals -1, or the number of pages is less than TVM\_MAXPAGES.

#### 2.4.2 Cym Transitions

A CVM transition  $\delta_{\text{CVM}}$  takes a CVM state  $s_{\text{CVM}}$  and an external device input  $din_{\text{ext}}$  as parameters, yielding either a next configuration  $\lfloor s_{\text{CVM}}' \rfloor$  or  $\perp$ , if a run-time error has occurred, and potentially a device output to the environment.

Depending on the external device input  $\mathit{din}_{ext}$  and the current-process identifier  $s_{CVM}.cvm\_up.currentp$ , the CVM transition function  $\delta_{CVM}$  distinguishes three cases<sup>2</sup>:

- 1. If  $din_{\mathsf{ext}} \neq \bot$ , a device step is performed. In this case, only the device component of  $s_{\mathsf{CVM}}$  is updated with the new device configuration (obtained by  $\delta_{\mathsf{Dext}}$ ). Additionally, a device output to the environment might be generated.
- 2. If there is no external device input and the current process identifier is ⊥, the abstract kernel makes a step.
- 3. Otherwise, the current process makes a step.

In the latter case, CVM distinguishes three sub-cases: (a) an user step without interrupts, (b) an user step with an interrupt that aborts the user execution (illegal instruction, misalignment, etc.), and (c) an user step with an interrupt, but one which allows the current process to take a step (external interrupts, trap, and overflow).

User steps without interrupts boil down to an application of the VAMP assembly transition function  $\delta_{asm}$  to the virtual machine of the current process. Steps with interrupts result in an invocation of the abstract kernel.

<sup>&</sup>lt;sup>2</sup>Note that, in this context, we only consider *live* executions meaning that the kernel, the user processes and the devices are executed infinitely often. Thus, it may not happen that, for instance, device steps might block the kernel forever.

Whether thereby the current process takes a step depends on the kind of interrupts. In case of a runtime error, i.e., the user execution is aborted, the virtual machine of the current process remains unchanged. Otherwise, the current process makes a step according to  $\delta_{asm}$ .

The update of the virtual machine  $vm_{cp}$  of the current process in case of a user step determines function  $user_{step}$ :

 $\mathsf{user}_{\mathsf{step}}\ \mathit{vm}_{\mathsf{cp}} \equiv \mathbf{if}\ \mathsf{user\_step\_progress}\ \mathit{vm}_{\mathsf{cp}}\ \mathbf{then}\ \delta_{\mathsf{asm}}\ \mathit{vm}_{\mathsf{cp}}\ \mathbf{else}\ \mathit{vm}_{\mathsf{cp}}$ 

Predicate user\_step\_progress holds, as long as no runtime errors occur during the execution of the current instruction.

#### 2.4.3 Cvm Primitives

CVM primitives [73] provide mechanisms for process management, interprocess and device communication. The abstract kernel uses these primitives to implement a scheduler, interrupt delivery and kernel calls, allowing user processes to interact with each other and with devices.

While implementing the abstract Vamos kernel, we use the following set of CVM primitives: cvm\_reset and cvm\_clone for process initialization, cvm\_alloc for increasing and cvm\_free for decreasing memory of an user process, cvm\_copy to copy data from one process to another, cvm\_get\_gpr and cvm\_set\_gpr to read and write user process register, for device communication cvm\_in\_word, cvm\_out\_word and cvm\_virt\_io, cvm\_set\_mask for setting the CvM interrupt mask, and cvm\_load\_os for loading the operating system into the memory.

#### 2.4.4 Cvm in Isabelle/Simpl

The code correctness proof for the VAMOS microkernel completely relies on the verification environment Isabelle/Simpl. Recall, however, that VAMOS is implemented to run as CVM's kernel machine. For this reason, we have to represent this framework in our programming model and describe, how we model the effects of CVM in Simpl as seen by a VAMOS programmer.

We do this by introducing an external state component cvmX subsuming the visible remnants of a Cvm state: (a) the processor abstraction cvm\_up, and (b) the device subsystem cvm\_devs. The abstract C0 kernel machine is missing, because it is instantiated with the concrete VAMOS implementation.

Based on component cvmX, we are able to model the steps in CVM before invoking and after leaving the VAMOS kernel, i.e., the function dispatcher\_kernel.

Figure 2.3 depicts the pseudo-code of a CVM transition.

Formally, the component cvmX is represented as a tuple and we define the function cvm\_ups cvmX in order to get the first component with the virtual processes and cvm\_devs cvmX to get the second one with the devices. Furthermore, we define function mca\_nat up devs stat, which computes the vector of the exceptions that occur during the next step, under consideration of the virtual machine vm of the current process, the device system devs and the status register stat. Some possible exceptions, like traps, write an exception-data register; its content is computed by edata\_nat vm.

After power-up, the processor generates a reset signal which, according to Figure 2.3, leads to the initialization of the CVM component. Apart from a reset, a transition consists of up to two phases: First, the current process executes one (assembly) step if existing. Second, the CVM layer computes the vector of enabled interrupts and invokes the kernel's dispatcher\_kernel function, if an enabled interrupt has been raised. There are two possible sources of interrupts: The current process may cause an exception, and external devices may raise their interrupt line. Interrupts are ignored when not enabled in the status register. The return value of dispatcher\_kernel describes the process to be run next: If the value is a valid process number, this process is elected, otherwise, the system idles until the next device interrupt occurs.

We address the actual implementation of dispatcher\_kernel resp. the VA-MOS microkernel in Section 2.5.2.

Apart from modelling the CVM steps around the VAMOS invocation, there is another reason for the introduction of cvmX. Applying the concept of XCalls, it enables the possibility that low-level accesses of the VAMOS kernel, like setting register values, become visible in the code specification. This is crucial, as we do not only want to specify the C0 parts of the kernel but aim at an overall model of kernel executions.

In consequence, with the integration of CVM into Simpl, we provide an optimal background for both, proving the VAMOS implementation correct and combining CVM and VAMOS, in order to get an overall kernel correctness theorem.

## 2.5 Vamos Microkernel: Design and Implementation

The *kernel* of an operating system is the code that runs in the privileged mode of a processor, i.e., this and only this code has unrestricted access to all hardware resources. Traditionally, kernels provided an abstraction from the hardware processor and the external devices. When kernels grew in size over the years because of a rising variety of hardware, and especially external devices, the traditional systems were called *monolithic* and the idea of smaller *microkernels* was born.

The motivation for microkernels, however, is manifold. Microkernels be-

<sup>&</sup>lt;sup>3</sup>Recall that we do not rely on the existence of an idle process. Hence, there might be no current process.

```
procedures system_step() =
     IF<sub>g</sub> 'reset THEN
                                                                          (* CVM Reset *)
                 '\mathsf{reset} :==_{\mathsf{g}} \mathsf{False};
                 'eca :==_{g} 1;
                 'edata :==_{g} 0;
                 ' cvmX :==_g (init\_cvmup, init\_dev (cvm\_devs 'cvmX))
      ELSE
           'up :==_g cvm\_ups 'cvmX;
           \textbf{IF}_{g} \text{ currentp } 'up = \bot \textbf{ THEN}
                                                                                                                          (* CVM is idle *)
                 'eca :==<sub>g</sub> mca_nat None (cvm_devs 'cvmX) (statusreg (cvm_ups 'cvmX));
                 'edata :==_g 0
                  'proc :==_{g} (userprocesses 'up) \lceilcurrentp 'up\rceil;
                  '\mathsf{eca} :==_{\mathsf{g}} \mathsf{mca\_nat} \ (\lfloor '\mathsf{proc} \rfloor) \ (\mathsf{cvm\_devs} \ '\mathsf{cvmX}) \ (\mathsf{statusreg} \ (\mathsf{cvm\_ups} \ '\mathsf{cvmX}));
                 'edata :==_g edata_nat 'proc;
                 'cvmX :==_g ('up (|userprocesses :=
                                                                   (userprocesses 'up)
                                                                        (\lceil \mathsf{currentp} \ '\mathsf{up} \rceil := \mathsf{user}_{\mathsf{step}} \ (\mathsf{userprocesses} \ '\mathsf{up} \ \lceil \mathsf{currentp} \ '\mathsf{up} \rceil))),
                                                 cvm\_devs \ 'cvmX)
           FΙ
     FI:
     {
m IF_g} 'eca > 0 THEN (* has an interrupt been raised? -- call dispatcher_kernel *)
           \begin{subarray}{ll} \begin{
           ' cvmX :==_g ( (cvm\_ups 'cvmX) 
                                                        [currentp := if 'cp \in \{1..<PID\_MAX\} then [Abs\_procnumT 'cp]]
                                                                                           else \perp),
                                                                  cvm_devs 'cvmX )
     FI
```

Figure 2.3: Simpl function system\_step, which represents a combined step of CVM and VAMOS

came a popular research topic in the late 1980s together with the idea of multi-personality operating systems, which demanded a more general hardware abstraction than the traditional approach. This first generation of microkernels such as Mach [64] or IBM's Workplace OS [33] suffered from a poor performance. When Jochen Liedtke analyzed these systems [53], he pinned the problem down to a feature-overloaded mechanism for interprocess communication (IPC). Together with a light-weight, flexible IPC mechanism [51], he proposed the minimality of hardware abstractions [52] in the kernel and suggested that servers implement the traditional services of operating systems. Engler et al. [32] took the idea of minimality a step further and banned (nearly) all abstractions from the kernel. Instead of resource management, the kernel was restricted to resource protection. Abstractions were implemented in operating-system libraries and directly linked to the user processes.

Our microkernel design is not as minimal as Engler or Liedtke proposed. We host all functionality in the kernel that would be hard to verify if implemented in user processes. Obeying this principle, the memory management, support for finite IPC timeouts, and the scheduler live in our microkernel. Device drivers, which constitute the largest part of today's monolithic kernels, are implemented outside our microkernel.

An initial version of the VAMOS microkernel had been implemented by Stefan Maus and Dominik Rester under the supervision of Mauro Gargano. Over time, many students and staff improved and extended the kernel – its implementation as well as its design. In particular, Matthias Daum introduced the capability-like concept of process identifiers and implemented the overflow-safe management of timeouts and a generic debug library.

The next section describes the basic functionality of our kernel in more detail. The chapter concludes with the representation of the VAMOS implementation in Isabelle/Simpl. As it is taken as basis for the later verification, we do not elaborate on the details of the C0 implementation. Anyways, both representations are quite similar.

#### 2.5.1 Vamos Functionality

Our microkernel VAMOS performs the following tasks: (a) enforcement of a minimal access control, (b) process management, (c) memory management, (d) priority-based round-robin scheduling, (e) support for user-mode device drivers, and (f) inter-process communication (IPC). Processes can control these tasks via the kernel's application binary interface (ABI). Table 2.1 lists the kernel calls that constitute the ABI.

Subsequently, we present the basic concepts incorporated in VAMOS to achieve the desired functionality.

Access Control and Initial Process. A minimal access-control mechanism reserves most kernel calls for so-called *privileged processes*. Thus, only a privileged process can bring up new processes or kill existing ones, alter the memory consumption of processes, change their scheduling parameters, or control the registration of device drivers. Any process, however, might use the IPC mechanism.

When VAMOS boots, it launches one privileged single process, the *init* process. We presume that the process constitutes the user-mode parts of the operating system, for instance, the simple operating system (SOS) of Bogan [15]. It has to set up the required servers of the operating system, start and register the device drivers, and possibly implement a more sophisticated access-control mechanism. Non-privileged processes may then communicate with the privileged processes, in order to request kernel services on their behalf.

Table 2.1: Application binary interface of the Vamos kernel

| Kernel Call                           | Description                                |  |  |
|---------------------------------------|--------------------------------------------|--|--|
| Access Control                        |                                            |  |  |
| SET_PRIVILEGES <sup>p</sup>           | add process to set of privileged processes |  |  |
| Process Management                    |                                            |  |  |
| PROCESS_CREATE $^p$                   | create a new process from a memory image   |  |  |
| PROCESS_CLONE p                       | copy an already existing process           |  |  |
| PROCESS_KILL $^p$                     | kill a process                             |  |  |
| Memory Management                     |                                            |  |  |
| $\overline{\mathrm{MEMORY\_ADD}^{p}}$ | increase the memory amount of a process    |  |  |
| $MEMORY\_FREE^{p}$                    | decrease the memory amount of a process    |  |  |
| Scheduling Mechanism                  |                                            |  |  |
| ${ m CHG\_SCHED\_PARAMS}^{p}$         | change scheduling parameters               |  |  |
| Device Driver Support                 |                                            |  |  |
| CHANGE_DRIVER <sup>p</sup>            | (un)register a driver for a set of devices |  |  |
| ENABLE_INTERRUPTS d                   | re-enable a set of interrupts              |  |  |
| DEV_READ $^d$ / DEV_WRITE $^d$        | communicate with a certain device          |  |  |
| Inter-Process Communication           |                                            |  |  |
| IPC_SEND / IPC_RECEIVE                | unidirectionally communicate with process  |  |  |
| IPC_REQUEST                           | send and immediately wait for a reply      |  |  |
| CHANGE_RIGHTS                         | manipulate IPC rights                      |  |  |
| READ_KERNEL_INFO                      | receive information from the kernel        |  |  |

 $<sup>^</sup>p$  call is reserved for privileged processes

<sup>&</sup>lt;sup>d</sup> call is reserved for device drivers

#### Handles and a Capability-like Access-Control Mechanism for IPC.

Our system, i. e., the VAMOS kernel, identifies the different user processes by unique numbers. These process numbers, in principle, would also be suitable for user processes to refer to each other. However, an identification based on the plain process numbers would permit the guessing of these numbers, such that processes might find (possibly) unauthorized communication channels. Furthermore, the reuse of process numbers of terminated processes is somehow tricky. Liedke, for instance, introduced a generation counter for process numbers but this counter might overflow and is not well suited in the context of formal verification. Thus, the VAMOS kernel introduces a layer of indirection which allows processes to refer to each other only via processlocal alias names, so-called handles. A handle can only be used in the local context of a process and has to be translated to the actual process number by the kernel. The translation, however, is attached to certain conditions. Furthermore, the concept of handles lays the foundation for a capability-like access-control mechanism for IPC. The latter is necessary as, in the context of IPC, the distinction between privileged and unprivileged processes is too coarse.

For this to work, the kernel maintains for each process x a list which we call the *handle database* of the process. A handle hn points to one entry e in this handle database which, in turn, stores information on the corresponding handle

The handle hn is considered as valid, i. e., the process it refers to is known by x, if it is marked as known in the entry e. Only in this case, the process x may safely use the handle hn and the kernel translates it into a process number, if needed.

The handle databases, however, are dynamic datastructures. Thus, process x might, for instance, release the handle hn from its own database. While such operations are noncritical as they are initiated by the process itself, things are different, if a privileged process, for instance, selectively steals the handle hn from x's handle database or the process, hn refers to, has been terminated. Both actions result in the invalidation of handle hnin x's handle database, i.e., it is no longer marked as known. However, neither the stealing nor the process termination do necessarily go on with the knowledge of x. Thus, although hn is invalidated, the process x might continue to believe that hn is still valid. Normally, this misunderstanding will only be resolved, if x tries to use handle hn and the kernel responds with an according error message. While designing the Vamos kernel, however, we aimed to reduce such errors. For this purpose, we mark handles like hn as stolen. Based on that, the kernel tries to inform the processes about the existence of stolen handles by means of kernel notifications which are supplied with each IPC message. While the latter only inform about the existence of stolen handles, the VAMOS call READ\_KERNEL\_INFO provides a detailed listing of the stolen handles in the handle database of the calling

process. In this way, the kernel can be sure that the owners of stolen handles are notified and does no longer mark the corresponding handles as stolen. Thus, they may be reused for other processes.

With the concept of handles we allow for a conceptional infinite name space of process identifiers and improve the reuse of such identifiers in comparison to Liedke's generation counter which might overflow. Moreover, the handles prevent from guessing any process numbers which may lead to unauthorized communication. The only drawback of this indirection is the extra maintenance effort in the VAMOS kernel. However, with a very basic handle database, we keep the costs as low as possible. There are only two special handles regarding the process identification. Handle HN\_SELF enables a process to identify itself, e.g., if it wants to clone itself. Furthermore, handle HN\_PARENT refers to the parent process. In all other cases, we use a one-to-one mapping between process numbers and handles.

Apart from the process identification, the concept of handles lays the foundation for a capability-like access-control mechanism for IPC. For this reason, each valid handle is associated with IPC rights controlling the communication with the corresponding process it refers to. We distinguish four different rights which are also part of the handle database entries. A process is cut off from the communication with another process, if none of the rights in the corresponding handle database entry is set. Apart from that, the request right is the weakest one. It only allows combined send and receive calls and forces, for instance, that a client waits for a server's response. The timeout of the waiting is infinite, as long as the client does not have the finite right which abolishes the limitation and enables the client to initiate a request with a finite receive timeout. The send right is the strongest one. It allows an unrestricted communication, i.e., no limitations regarding timeouts and the possibility to perform only a send without waiting for a response. However, unless the multiple right is not set, existing rights will be cleared after the first send operation. Receiving from a known process is always possible.

Inter-Process Communication. IPC is the only way how processes in VAMOS may communicate with each other. The communication is synchronous, i.e., if the IPC partner is not already waiting, the calling process is blocked until either the partner is ready or the timeout is exceeded. For sending and receiving, the VAMOS kernel provides the calls IPC\_SEND and IPC\_RECEIVE. In addition to that, the call IPC\_REQUEST enables a combined send and receive with the same communication partner which is typically used by clients to place requests on some servers.

As described above, processes identify the desired communication partners by means of handles and the kernel checks whether the corresponding IPC rights are sufficient for the intended communication.

Apart from the ordinary receiving from another process, the VAMOS call IPC\_RECEIVE supports two further operation modes. The *open-receive* mode enables a process to be simultaneously available for more than one sender. A prominent application area of this mode is found with servers that rely on the possibility to receive requests from various clients. The actual request handling, however, is based on first-come, first-served. Nevertheless, a server may restrict the circle of clients by means of the IPC rights.

The remaining operating mode is tailor-made for device drivers. Ultimately, device drivers take a great interest in receiving external interrupts as fast as possible. In order to meet this desire, the call IPC\_RECEIVE provides the possibility of a so-called *closed kernel-receive*. This option restricts the receiving to notifications from the VAMOS kernel only. In doing so, the VAMOS kernel is qualified to deliver according notifications as soon as interrupts for the driver occur. A more detailed view on that provides Section 4.6.

With the basic functional principles at the back, we now take a look at the data that can be transferred via IPC. Data, in the context of IPC, is considered as message and comprises multiple parts. The most common one is the memory message. Specified by the sender, it describes a memory region that should be transferred to the receiver. For this to work, the receiver also has to specify a suitable memory region to buffer this message. Another part of an IPC message comprises rights. A sender may grant IPC rights to a receiver, on which the latter relies on in future communications with the sender. The receiver is informed about the new rights by the socalled return rights which describe the combination of the (possibly) already existing rights and the new ones. On the one hand, these return rights are stored in the receiver's handle database and, on the other one, they are made available for the receiver in an according result register. In addition to that, it is possible that the sender introduces new processes (together with associated rights) to the receiver. Thus, the operating system may, for instance, introduce a server to a newly created process and provide it with the corresponding rights for the communication. As above, an according handle together with the rights are stored in the handle database of the new process and published in according result registers.

Finally, an IPC message also delivers notifications from the kernel. Thus, as mentioned before, they inform the receiver on stolen handles or occurred interrupts the receiver acts as driver for.

**Process Scheduling.** The basic policy underlying the VAMOS scheduler is round-robin process selection. This basic policy can be adjusted by two regulators: priorities and timeslices. Our scheduler supports three different priority levels. Only processes in the highest, non-empty priority class will be scheduled. Processes in a lower class wait until no processes are ready to compute in any higher priority class. Within one priority class, the timeslice

determines how long a certain process may compute until it is preempted in favor of another process of the same priority class. Thus, timeslices determine the relative weight of process runtimes while priorities lead to the preemption of lower process classes.

**Device Drivers.** A device driver is a user process, which is designated for the communication with certain devices. Only if a process is registered as a driver for a particular device, it may place read or write requests from or to that device, respectively. Moreover, the device driver is notified of interrupts from that device.

#### 2.5.2 Vamos in Isabelle/Simpl

In Section 2.4.4, we got a first impression on the implementation layer of the VAMOS microkernel. The CVM framework in Simpl provides a solid background to argue on a mixed language implementation, like we have with CVM and VAMOS. It allows the modelling of the low-level entities before and after the invocation of VAMOS, as well as accesses to these entities from within VAMOS.

Due to this, we are able to implement the VAMOS microkernel in pure C0. Accesses to low-level entities, like process registers, are only provided by CVM primitives. These primitives are implemented as XCalls and can be treated as normal C0 function calls. However, in terms of Isabelle/Simpl, they operate on the external state component cvmX according to the corresponding primitive semantics and communicate with the C0 implementation via parameter passing and return values.

In addition, the VAMOS kernel maintains several datastructures in order to provide its intended functionality. These so-called *kernel datastructures*, together with the external component cvmX, form the VAMOS state space which will be introduced subsequently. The section concludes with the representation of the top-level function of VAMOS.

#### Vamos Implementation State

The VAMOS implementation state in Isabelle/Simpl is a record whose individual elements are global and local variables from the VAMOS implementation. In contrast to C0, Isabelle/Simpl does not support variables of structural types, like structs, but flattens them, i.e., for each individual field there is a separate component in the state space. In addition to that, each pointer variable or pointer structure field is replaced by a heap function in the state space. Thus, we have one heap variable f of type ref  $\Rightarrow$  value for each component f of type value of the struct. To clarify the matter, we consider a typical structure list to represent a linked list in the heap:

```
struct list {
  int data;
  list *next;
};
```

The structure contains two components: the data element data and a pointer next to the next node. Thus, we would get two heaps in the state space record: data of type ref  $\Rightarrow$  int and next of type ref  $\Rightarrow$  ref.

Against this background, we proceed with the different (global) datastructures in the VAMOS state. In order to provide its intended functionality, VAMOS maintains general as well as process-specific data. The former is used to accomplish tasks like process scheduling, interrupt delivery or memory management. An overview on the particular state components is given in Table 2.2. Process-specific data gives a more fine-grained view on the particular processes and is provided in so-called *process information blocks*. Implemented as a struct in C0, Simpl provides heap functions for the particular components, see Table 2.3. These heap functions are applied to *process pointers* in order to get the process-specific value of the corresponding component, like the state or priority of the process.

**General Data.** The process pointers are given by the array pib. It is of length PID\_MAX and thus provides a unique pointer to each of the processes.

| State Component             | Description                                   |
|-----------------------------|-----------------------------------------------|
| Process Scheduling          |                                               |
| inactive_list :: ref        | head of the inactive queue                    |
| wakeup_list :: ref          | head of the wait queue                        |
| ready_lists :: ref list     | array of heads of the particular ready queues |
| Time Management             |                                               |
| current_time :: nat         | current time in clock ticks                   |
| next_timeout :: nat         | next point in time when an timeout expires    |
| Interrupt Management        |                                               |
| intmask :: nat              | currently enabled interrupts                  |
| inthd :: nat                | interrupts with registered handlers           |
| intocc :: nat               | occured, but not yet delivered interrupts     |
| Miscellaneous               |                                               |
| pib :: ref list             | array with all process pointers available     |
| current_process :: ref      | pointer to the currently running process      |
| vamos_pages_used            | total number of used memory pages             |
| current_max_priority :: nat | current maximum priority                      |

Table 2.2: General Datastructures in VAMOS

The indices are the according process identifiers.

All processes are organized in one of the scheduling lists. By means of these queues, the processes are classified into inactive, ready or waiting ones. The implementation enables the access to these queues by pointers to their heads. State components inactive\_list denotes the head to the inactive list, whereas wakeup\_list denotes the one to the wait list. Due to the three priority levels in VAMOS, the access to the according ready lists is provided by the array ready\_lists. The current maximum priority is stored in component current\_max\_priority. The head of the ready list assigned with this priority determines the currently running process. Additionally, the pointer is explicitly stored in component current\_process.

Vamos measures the time in clock ticks which are actually interrupts from the external timer device<sup>4</sup>. Thus, component current\_time holds the number of kernel entries as consequence of timer interrupts. The time might also influence pending IPC operations of waiting processes, if any timeouts expired. Component next\_timeout specifies the minimum of the timeout values of waiting processes, i. e., the next point in time, when one of these timeouts expires.

Vamos only accepts interrupts from enabled devices. An according mask is given by intmask, which actually represents the user-visible portion of Cvm's status register. However, enabled interrupts are not necessarily handled by a driver. Those assigned to a driver are subsumed in inthd. Whenever interrupts occur, the Vamos kernel tries to deliver them to the according drivers as fast as possible. However, it might happen that a driver is not ready to receive the interrupt notification. In this case, Vamos stores these occurred but not yet delivered interrupts in intocc for a later delivery.

As VAMOS has to cope with restricted memory, it stores the number of used memory pages in vamos\_pages\_used. Based on this number, it decides whether new processes may be launched and whether existing processes may allocate new memory.

**Process-specific Data.** Together with the process creation, the process-specific data of the new process is set up.

As already said, the process-specific data is provided by heap functions which, applied to process pointers, return the desired information.

First of all, the process-specific data states some general properties of the process. Component pid denotes the unique identifier of the process and parent holds the identifier of the parent. Actually, the list membership determines the status of a process. However, especially for waiting processes, a more-fine grained notion of state is necessary and provided by component state. For inactive and ready processes it returns INACTIVE\_STATE resp. READY\_STATE, whereas it distinguishes three cases for waiting processes:

<sup>&</sup>lt;sup>4</sup>We assume the existence and liveness of the timer device.

The state of a waiting process reflects the IPC operation it is currently waiting for. Thus, a pending IPC\_SEND call leads to the state SEND\_STATE, whereas SEND\_RECEIVE\_STATE denotes a pending IPC\_REQUEST. If a process waits due to an IPC\_RECEIVE call, its state is set to RECEIVE\_STATE. The latter is also used to denote the receive phase of an IPC\_REQUEST call.

Table 2.3: Process-specific Data in VAMOS

| State Component                              | Description                                  |  |  |  |  |
|----------------------------------------------|----------------------------------------------|--|--|--|--|
| General Information                          |                                              |  |  |  |  |
| state :: ref ⇒ nat                           | state of a process                           |  |  |  |  |
| $pid :: ref \Rightarrow nat$                 | process identifier                           |  |  |  |  |
| parent :: ref $\Rightarrow$ nat              | process identifier of the parent             |  |  |  |  |
| $fip :: ref \Rightarrow nat$                 | first invalid page                           |  |  |  |  |
| privileged :: ref $\Rightarrow$ bool         | privileged status                            |  |  |  |  |
| Scheduling Parameters                        |                                              |  |  |  |  |
| priority :: ref $\Rightarrow$ nat            | priority of the process                      |  |  |  |  |
| timeslice :: ref $\Rightarrow$ nat           | how long will the process be active          |  |  |  |  |
| $consumed\_time :: ref \Rightarrow nat$      | how long is the process already active       |  |  |  |  |
| timeout :: ref $\Rightarrow$ nat             | when will the process be ready again         |  |  |  |  |
| $queue\_next :: ref \Rightarrow ref$         | next pointer for the scheduling queue        |  |  |  |  |
| queue_prev :: ref $\Rightarrow$ ref          | previous pointer for the scheduling queue    |  |  |  |  |
| Handles and Rights                           |                                              |  |  |  |  |
| $handle\_db :: ref \Rightarrow nat list$     | handle database                              |  |  |  |  |
| $stolen\_count :: ref \Rightarrow nat$       | number of currently stolen handles           |  |  |  |  |
| Interrupt Handling                           |                                              |  |  |  |  |
| $reg\_devices :: ref \Rightarrow nat$        | mask of interrupts handled by process        |  |  |  |  |
| IPC Arguments                                |                                              |  |  |  |  |
| $ipc\_pid :: ref \Rightarrow nat$            | process identifier of desired IPC partner    |  |  |  |  |
| ipc_rights :: ref ⇒ nat                      | rights to grant to the receiver              |  |  |  |  |
| ipc_snd_msg :: ref ⇒ nat                     | pointer to send message                      |  |  |  |  |
| $ipc\_snd\_len :: ref \Rightarrow nat$       | length of send message                       |  |  |  |  |
| ipc_rcv_msg :: ref ⇒ nat                     | pointer to receive buffer                    |  |  |  |  |
| ipc_rcv_len :: ref ⇒ nat                     | length of receive buffer                     |  |  |  |  |
| $ipc\_add\_pid :: ref \Rightarrow nat$       | process identifier of additional process     |  |  |  |  |
| ipc_add_rights :: ref ⇒ nat                  | rights to assign with the additional process |  |  |  |  |
| $ipc\_snd\_timeout :: ref \Rightarrow int$   | timeout for the send operation               |  |  |  |  |
| $  ipc\_rcv\_timeout :: ref \Rightarrow int$ | timeout for the receive operation            |  |  |  |  |
| send_queue :: ref                            | pointer to send queue of process             |  |  |  |  |
| $send\_queue\_next :: ref \Rightarrow ref$   | next pointer for send queue                  |  |  |  |  |
| $send\_queue\_prev :: ref \Rightarrow ref$   | previous pointer for send queue              |  |  |  |  |

Whether a process is privileged determines flag privileged. Its current memory consumption is returned by fip denoting the index of the first invalid page.

Furthermore, each active process is involved in the priority-based round-robin scheduling. For this reason, VAMOS stores the priority of a process in priority, the timeslice in timeslice and the already consumed time in consumed\_time. Each process is classified in one of the scheduling lists. In order to identify its neighbours, each process is equipped with pointers to the previous and next element of the queue, it is currently contained in. The corresponding components are queue\_next and queue\_prev.

As already mentioned, processes identify each other by means of handles. These handles are process-local and stored in the component handle\_db. The number of stolen handles in a handle database is given by stolen\_count.

Function reg\_device delivers the mask of interrupts that are handled by a process.

If a process performs an IPC operation, VAMOS stores the according arguments as process-specific data. We do not dwell on the particular arguments, but refer to Table 2.3. However, in the context of IPC, VAMOS also maintains so-call send lists. The send list of a process p contains all pointers to processes which are currently willing to send to p. Similar to the scheduling lists, head pointers  $send_queue$  provide the access to the  $send_queue_next$  and  $send_queue_prev$ , respectively.

#### The top-level function of Vamos

Upon kernel entry, the CVM routine calls the function dispatcher\_kernel, which is the actual implementation of the VAMOS kernel. As intended by the name, the VAMOS kernel mainly acts as dispatcher handling the incoming interrupts that could not be taken care of by CVM. It takes two parameters: The exception cause eca, which encodes the occurred interrupts, and the exception data edata, which contains the trap number, if a trap has occurred. Figure 2.4 shows the implementation of the function dispatcher\_kernel of our microkernel

The function is characterized by a number of case distinctions. We distinguish:

Initialization. After power-up, the processor generates a reset interrupt. In this case, the CVM framework sets up its internal data structures and then passes the interrupt on to the dispatcher\_kernel function. If called with the reset-interrupt bit set, dispatcher\_kernel calls the function vamos\_init, which initializes the data structures of VAMOS.

**Process Exceptions.** The current process may cause a number of exceptions during its execution. From the kernel's perspective, there are

```
procedures dispatcher_kernel (eca, edata | res_nat) =
   \textbf{IF}_g \ (\text{'eca} \ \wedge_u \ 1) \neq 0 \ \textbf{THEN}
      'dummy_i :== CALL<sub>g</sub> vamos_init()
   ELSE
       ' \mathsf{old\_cup} :==_{\mathsf{g}} ' \mathsf{current\_process};
      \mathbf{IF}_{g} ('eca \wedge_{u} UEXCEPT_MASK) \neq 0 THEN
          'dummy_i :== CALL_g process_kill(HANDLE_SELF)
          \textbf{IF}_g \ (\text{'eca} \ \land_u \ \mathsf{EXCEPT\_TRAP}) \neq 0 \ \textbf{THEN}
             'dummy_i :== CALL_g handle_trap('edata)
          FΙ
      \textbf{IF}_g \ (\text{'eca} \ \land_u \ \mathsf{DEVICE\_TIMER\_BIT}) \neq 0 \ \textbf{THEN}
          'dummy_i :== CALL<sub>g</sub> handle_timer('old_cup)
      \textbf{IF}_g \ (\text{'eca} \ \land_u \ \mathsf{UEXT\_INT\_MASK}) \neq 0 \ \textbf{THEN}
          'dummy_i :== CALL_g int\_delivery('eca)
      FΙ
   FI;
   \textbf{IF}_g \ \text{'current\_process} \neq \text{Null } \textbf{THEN}
      'res_nat :==_{\sf g} 'current_process 
ightarrow 'pid
   ELSE
       'res_nat :==_{g} 0
   FI
```

Figure 2.4: The kernel-dispatcher function of VAMOS

only two alternatives: a *fatal exception* like an illegal page fault or a *trap*. In the former case, there is no reasonable recover procedure, and thus, the process is simply killed by VAMOS. The semantics of a fatal exception is exactly the same as if the process had requested to be killed via the kernel call PROCESS\_KILL. Hence, we reuse the function process\_kill. In case of a trap, the function handle\_trap is called. This function is essentially a huge case distinction over trap numbers.

Timer Interrupt. Independently from the process exceptions, we check for the timer interrupt, which is passed on to the function handle\_timer. This function implements the scheduler.

**Device Interrupts.** If external devices have raised interrupts, the function int\_delivery is invoked in order to disable the interrupts and then either immediately deliver the interrupts, if the corresponding device-driver processes are waiting, or buffer the interrupts for later delivery.

The function dispatcher\_kernel determines its return value using the global variable current\_process. If there is no current process, the pointer is Null and we return 0 (meaning "wait for interrupts"). Otherwise, we retrieve the process number of the current process from heap function pid. Once, the function dispatcher\_kernel returns, the CVM framework transfers the CPU to the process identified by the return value.

## Chapter 3

# The Abstract System Layer

#### Contents

| 3.1 | The Overall System - A Bird's Eye View | 57        |
|-----|----------------------------------------|-----------|
| 3.2 | Abstract Types                         | <b>59</b> |
| 3.3 | The Vamp Assembly Process Model        | 61        |
|     |                                        |           |

## 3.1 The Overall System - A Bird's Eye View

The abstract layer describes our system: on top of the VAMP processor runs the VAMOS kernel and communicates with external devices.

As Figure 3.1 depicts, we use a number of communicating automata for the specification. Automaton  $\mathcal{A}_{V+D}$  encapsulates the overall system and consolidates the device automaton  $\mathcal{A}_D$  and the VAMOS automaton  $\mathcal{A}_V$ .

The former was already introduced in Section 2.3 and describes the behavior of the external devices like the keyboard, the timer or the network card. The devices may interact by an external interface with the environment in order to receive keystrokes, for example, or network packages. The alphabets  $\Sigma_D$  and  $\Omega_D$  define this interface, which is adopted by the overall system (alphabets  $\Sigma_{V+D}$  and  $\Omega_{V+D}$ ).

The interface with the alphabets  $\Sigma_V$  (from the device subsystem to the processor) and  $\Omega_V$  (from the processor to the devices) connects the devices



Figure 3.1: The input/output automata of the abstract system layer and their relationship

with the VAMOS automaton. Our kernel uses memory-mapped I/O for device communication. Hence, the output alphabet  $\Omega_V$  comprises read and write accesses to device addresses, whereas the input alphabet  $\Sigma_V$  consists of interrupt lines and optionally incoming data.

Subsequently, we focus on  $\mathcal{A}_V$  and use it, together with  $\mathcal{A}_D$ , to assemble  $\mathcal{A}_{V+D}$ .

We specify VAMOS running on the VAMP by  $\mathcal{A}_V = (\mathcal{S}_V, \mathcal{S}_V^0, \Sigma_V, \Omega_V, \omega_V, \delta_V)$  with the state space  $\mathcal{S}_V$ , the set of initial states  $\mathcal{S}_V^0 \subset \mathcal{S}_V$ , the input alphabet  $\Sigma_V$ , the output alphabet  $\Omega_V$ , the output function  $\omega_V$ , and the transition function  $\delta_V$ . Likewise, we define  $\mathcal{A}_{V+D}$ .

The states  $S_{V+D}$  of the overall system are pairs of a VAMOS state  $s_V \in S_V$  and a device-system state  $s_D \in S_D$ .

The input alphabet  $\Sigma_{V+D}$  is used to determine the subsystem which takes the next step. It extends  $\Sigma_D$  (indicating a device step) by the value  $\bot$  for a processor step. The output alphabets are the same, i.e.,  $\Omega_{V+D} = \Omega_D$ . Note that the output of the device subsystem depends on the transition, i.e.,  $\delta_{Dint}$  returns a tupel  $(s_D, w)$  of a successor state  $s_D$  and an output w. Consequently, there is no separate output function for  $\mathcal{A}_{V+D}$ .

Transitions  $\delta_{V+D}$  of the overall system inspect the input *i* and distinguish three cases:

- 1. An external device transition is performed, if the input  $i \in \Sigma_{V+D}$  contains an input for the device subsystem. The VAMOS state remains constant in this case.
- 2. A local kernel transition is performed, if the input is  $\bot$  and the VAMOS output  $\omega_V$   $s_V = \mathsf{idle}_{\Omega V}$ . Formally, this transition is performed by  $\delta_V$  without any device input.
- 3. A kernel-device transition is performed, if it is the processor's turn (overall input  $\bot$ ) and the kernel requests a device communication, i. e.,  $\omega_{V} s_{V} = \text{read}_{\Omega V}$  device port count or  $\omega_{V} s_{V} = \text{write}_{\Omega V}$  device port data. In this case,  $\delta_{V+D}$  passes the Vamos output with the transition function  $\delta_{Dint}$  to the device subsystem. In response, the device subsystem delivers an output which contains the read data, if requested. Using this data,  $\delta_{V+D}$  finally performs the Vamos transition  $\delta_{V}$ .

In the context of this thesis, we do not consider any autonomous device transitions but only those which are triggered by the kernel. Accordingly, the external input to the transition function  $\delta_{V+D}$  is set to  $\bot$ . The linchpin of both, local kernel and kernel-device transitions, is the VAMOS kernel. Before we give its formal specification, we first introduce some basic types used in the specification and introduce the model for user processes.

The complete formalization is available from the public Verisoft Repository [78] and directory verification/spec/vamos/ contains the theory files related to the VAMOS kernel.

3.2. Abstract Types 59

## 3.2 Abstract Types

While specifying the VAMOS kernel, we make use of the advanced type system in Isabelle/HOL.

So-called type synonyms allow new names for an existing construction which mainly increases the readability of the theories. Furthermore, Isabelle insists that all terms and formulae must be well-typed. Thus, defining new types and datatypes prevents us, amongst others, from writing nonsense. Hence, we avoid by construction any type mismatches within the specification.

Process Numbers, Priorities, Devices and Ports. The easiest way to introduce new types is the type definition, where any non-empty subset of an existing type is turned into a new one. VAMOS distinguishes between PID\_MAX user processes classified into PRIOCNT different priority levels. Device communication is limited to DEV\_COUNT devices which are identified by device numbers. The sets of process numbers and priorities as well as the set of device numbers are subsets of the natural numbers. Consequently, the corresponding types define three non-empty subsets of type nat.

As already introduced in Section 2.4.1, process identifiers are of type procnumT. Type prioT =  $\{0...<PRIOCNT\}$  subsumes the priorities and devnumT =  $\{1..DEV\_COUNT\}$  defines the type of device numbers. Device interrupts are closely related to the devices and represented as set of device numbers. Formally, device interrupts are represented by the type intsT. Each device is equipped with PORT\\_COUNT ports represented by the type portT =  $\{0...<PORT\_COUNT\}$ .

**IPC Rights.** In the context of IPC rights, we rather want to talk on a more abstract and intuitive level. For this reason, Isabelle provides the possibility to define datatypes. With it, an individual right is represented by the datatype rightT with the constructors:

- V\_REQUESTR the right to send, but with the duty to immediately wait for the response of the receiver.
- V\_SENDR the right to send to a process without waiting for the response,
- V\_MULTIPLER the right to perform multiple IPC operations, and
- V\_FINITER the right to perform IPC operations with finite timeout

As rights usually come in sets, type rightsT is used as synonym for rightT set.

Memory Objects. Besides the transfer of rights, IPC also provides the possibility to send and receive data in form of memory objects. A memory object specifies a memory region in the virtual memory of a process, starting at a certain address and ranging over a certain length. Both parameters, the start address as well as the length of the memory object are specified by the process and might be erroneous.

The datatype memobjT represents a memory object and also reflects the possible errors:

- MOBJUNDEFINED either the start address or the length are not word-aligned,
- MOBJUNAVAILABLE the specified memory region is not available in the memory of the process, and
- $\bullet$  MOBJSEQ s the content of the memory region as sequence s of integers

The first two constructors imply errors due to the specified values for the start address and the length. The former indicates mis-alignment whereas the second one indicates that the memory region is not completely located in the virtual memory of the process. A well-defined memory object gives the memory content as a sequence of integers. The start address as well as the length are not of interest any longer and are abstracted away. For a well-defined memory object, the accessor mObjSeq returns the sequence s of integers, i. e., mObjSeq (MObjSeq s) = s.

A memory object acting as buffer of an IPC receive operation, for instance, is defined in a similar way. For a well-defined memory object, we are not interested in its content but in its length. Consequently, datatype bufferT consists of the following constructors:

- BUFUNDEFINED either the start address or the length are not wordaligned,
- BUFUNAVAILABLE the specified memory region is not available in the memory of the process, and
- Buflength len the length len of the actual buffer

As before, the accessor bufLength returns the length len of a well-defined buffer, i.e., bufLength (BufLength len) = len

**Kernel Notifications.** If a process explicitly wants to receive any kernel notifications, it has to specify the type of notifications. Notifications are represented by the datatype kinfoT which currently comprises only constructor STOLENHANDLES.

**IPC Timeouts.** Timeouts are represented by the existing type, natural numbers with infinity. Hence, the datatype timeout T comes with two constructors: Fin n, for finite timeout values, and  $\infty$  for infinity For abstract timeouts, we defined the operation +=, in order to increment a timeout by a natural number.

**Process Handles.** Process handles are integers but represented by the type handleT.

## 3.3 The Vamp Assembly Process Model

Our formalization is based on the observation that VAMOS interacts with processes only via a well-defined interface, which is the kernel ABI. Hence, we can encapsulate processes in a self-contained input-output automaton, thereby hiding the internal state and exposing only the interface. The tailor-made model for VAMP assembly processes defines an input-output automaton represented by the tupel:

```
\mathcal{A}_{\text{proc}} = (\mathcal{S}_{\text{proc}}, \, \text{init}_{\text{proc}}, \, \Sigma_{\text{proc}}, \, \Omega_{\text{proc}}, \, \omega_{\text{proc}}, \, \text{size}_{\text{proc}}, \, \delta_{\text{proc}})
```

As state space  $\mathcal{S}_{proc}$  for the assembly processes, we reuse the one of the VAMP assembly semantics (cf. Section 2.2.2). Similarly, we chose function  $size_{proc}$  to be  $size_{asm}$ , in order to determine the current memory assumption of a process. More elaborate are the definitions of the other components which we present below. The complete formalization can be found in the theory file vamosAsmProc.thy.

Note that the VAMP assembly process model which has been defined in this work, is an instance of a generic process model which goes back to Daum and which is described in more detail in [25, 26]. From the kernel perspective, the VAMP assembly process model is rather a matter of taste than necessity because only assembly processes are involved in the interaction with the kernel. However, the VAMOS model serves as basis for more abstract models, which indeed rely on this generic framework, as described in [28].

The VAMP assembly process model also satisfies certain well-formedness constraints. Thus, the processes fulfill the requirements encapsulated in predicate <code>is\_valid\_cvmup</code>. Daum [25] showed that these constraints are preserved by process transitions under valid inputs. We do not dwell on this here, but refer to Section 5.2 which describes the implementation invariant. The latter plays an essential role regarding the functional verification of the VAMOS kernel and (among other things) takes up the requirements on the VAMP assembly processes in this context.

#### 3.3.1 Process Initialization

The function init<sub>proc</sub> initializes an assembly machine with a memory image *img* and supplies the machine with *pgs* memory pages:

```
\begin{array}{l} \mathsf{init}_{\mathsf{proc}} \ \mathit{img} \ \mathit{pgs} \equiv \\ (|\mathsf{dpc} = \mathsf{0}, \ \mathsf{pcp} = \mathsf{4}, \ \mathsf{gprs} = \mathsf{replicate} \ \mathsf{32} \ \mathsf{0}, \\ \mathsf{sprs} = \mathsf{replicate} \ \mathsf{32} \ \mathsf{0}[\mathsf{SPR\_PTL} := \mathsf{to\_int32} \ \mathit{pgs} - \mathsf{1}, \ \mathsf{SPR\_MODE} := \mathsf{1}], \\ \mathsf{mm} = \lambda \mathit{ad}. \ \mathsf{if} \ \mathit{ad} < \mathsf{length} \ \mathit{img} \ \mathsf{then} \ \mathit{img} \ ! \ \mathit{ad} \ \mathsf{else} \ \mathsf{0}) \end{array}
```

In principle, we adopt the initialization of the virtual assembly processes as described by function  $init\_cvmup$  in Section 2.4.1. However, the function  $init\_proc$  initializes a virtual assembly machine in the sense that it starts executing. Thus, the program counters dpc and pcp of the delayed branch mechanism are set to the first addresses, i. e., 0 and 4. Furthermore, starting at address 0, the memory is filled with the image img which is given as a sequence of integers. Memory cells with addresses greater than the length of img are initialized with zeros. In addition, the machine is provided with pgs memory pages. Accordingly, the page table has length pgs-1. The remaining components are initialized as before. Setting register SPR\_MODE to 1 implies that the machine runs in user mode. The remaining special and general purpose registers are filled with zeros.

After the initialization, the process starts its execution with the instruction at address dpc (= 0), i. e., the instruction at the beginning of the memory image.

#### 3.3.2 Process Interface

Output alphabet  $\Omega_{proc}$  enumerates all possible kernel calls, a few error conditions, and the output  $\varepsilon_{\Omega}$  denoting the intention to perform a process-local computation.

In contrast, the input alphabet  $\Sigma_{\text{proc}}$  contains all responses to kernel calls and error conditions, as well as the input  $\epsilon_{\Sigma}$  for a process-local transition.

Formally,  $\Omega_{proc}$  is defined as a datatype with the following constructors:

#### • Kernel Calls:

- SET\_PRIVILEGES hn Privilege process (identified by handle) hn.
- PROCESS\_CREATE tsl prio img pgs Create a new process of priority prio and with timeslice tsl. The process should be assigned with pgs virtual memory pages holding the initial memory image imq.
- Process\_clone hn Clone process hn
- Process\_Kill hn Kill process hn
- MEMORY\_ADD hn pgs Provide process hn with pgs additional memory pages

- MEMORY\_FREE hn pgs Release pgs pages in the virtual memory of process hn
- CHG\_SCHED\_PARAMS  $hn\ tsl\ prio$  Change the scheduling parameters of process hn: the timeslice should be set to tsl, the priority to prio
- CHANGE\_DRIVER  $hn\ devs\ register$  Register (if register = True) or deregister process hn as driver for the set devs of devices
- ENABLE\_INTERRUPTS devs Re-enable the interrupts of the devices devs
- DEV\_READ dev port buffer Read from port port of device dev and store the content in the memory buffer buffer of the calling process
- DEV\_WRITE dev port msg Write the memory object msg to the port port of device dev
- IPC\_SEND  $hn_{\text{rcv}}$   $rights_{\text{snd}}$  msg  $hn_{\text{add}}$   $rights_{\text{add}}$   $timeout_{\text{snd}}$  Send a memory object msg together with the rights  $rights_{\text{snd}}$  to the sender to process  $hn_{\text{rcv}}$ . Furthermore, there is the opportunity to send an additional handle  $hn_{\text{add}}$  which can be provided with the rights  $rights_{\text{add}}$ . The timeout of this operation is given by  $timeout_{\text{snd}}$ .
- IPC\_RECEIVE  $hn_{snd}$  buffer  $timout_{rcv}$  Receive a message from process  $hn_{snd}$  and store it in the memory buffer buffer within the next  $timout_{rcv}$  clock ticks
- IPC\_SEND\_RECEIVE  $hn_{rcv}$  rights<sub>snd</sub> msg  $hn_{add}$  rights<sub>add</sub> timeout<sub>snd</sub> buffer timeout<sub>rcv</sub> Send to and receive immediately afterwards from process  $hn_{rcv}$ .
- CHANGE\_RIGHTS  $hn_{subj}$   $hn_{obj}$  grant rights Grant (if grant = True) or revoke the rights rights to process  $hn_{obj}$  of process  $hn_{subj}$
- READ\_KERNEL\_INFO type- request kernel notifications of type type

#### • Error conditions:

- UNDEFINED\_TRAP the current instruction is a trap instruction but specifies a wrong trap number
- RUNTIME\_ERROR the current instruction causes a runtime error, like an illegal page fault

#### • Process-local Transition:

PROC\_NO\_OUTPUT— the current instruction causes no exception,
 i. e., a process-local transition is accomplished

Process inputs either comprise (a) kernel responses to previous kernel calls, (b) kernel commands in order to manipulate the process state, or (c) empty messages intending a process-local transition. Accordingly, the input alphabet  $\Sigma_{\mathsf{proc}}$  contains the following constructors:

#### • Responses to successful kernel calls:

- SUCCESS response to a successful operation
- SUCC\_DEV\_READ data response to a successful read operation where data contains the data from the device
- SUCC\_RECEIVE  $hn_{\rm snd}$  reused\_{\rm snd} rights\_{\rm snd} msg  $hn_{\rm add}$  reused\_{\rm add} rights\_{add} stolen infy\_{to} devs response to a successful receive operation in the context of either an IPC\_RECEIVE or IPC\_REQUEST call. The process handle  $hn_{\rm snd}$  points to the sender and is reused for the sender iff  $reused_{\rm snd}$  = True. Currently, the receiver associates the rights  $rights_{\rm snd}$  with process  $hn_{\rm snd}$ . The sender sent the sequence msg of words and the additional handle  $hn_{\rm add}$ . The handle is reused iff  $reused_{\rm add}$  = True. The receiver associates the rights  $rights_{\rm add}$  with process  $hn_{\rm add}$ . The remaining three parameters subsume the kernel notifications: stolen is set iff there are stolen handles in the receiver's handle database,  $infy_{\rm to}$  is active iff the sender performs an IPC\_REQUEST and waits with inifinite timeout for the response, and the set devs collects all occurred device interrupts handled by the receiver.
- SUCC\_NEW\_PROCESS hn response to a successful process creation. The new process can be identified by handle hn
- SUCC\_KINFO\_STALEH hns response to requested kernel notifications with the set hns of stolen handles

#### • Responses to unsuccessful kernel calls:

- ERR\_OUT\_OF\_MEM the request to create or clone a process failed due to insufficient memory resources
- ERR\_OUT\_OF\_PIDS the request to create or clone a process failed because the maximum number of processes is reached
- ERR\_PROCESS\_NOT\_READY the request to change the memory amount of a process failed because the specified process is not ready for this
- ERR\_UNPRIVILEGED the desired operation failed due to lacking privileges or insufficient IPC rights
- ERR\_INVALID\_ARGS the arguments specified with the call are invalid

- ERR\_INT\_ALREADY\_HANDLED changing the registration of a driver failed because the specified interrupts are already handled
- ERR\_INVALID\_HANDLE the specified handle is not valid in the context of the caller
- ERR\_INVALID\_SUBJ\_HANDLE / ERR\_INVALID\_OBJ\_HANDLE / ERR\_SND\_INVALID\_HANDLE / ERR\_RCV\_INVALID\_HANDLE some kernel calls take more than one handle. In this case we distinguish the invalid handle by a more detailed error code.
- ERR\_SND\_TIMEOUT / ERR\_RCV\_TIMEOUT the timeout for the desired IPC operation expired
- ERR\_SND\_BUFFER\_OVFL the sending of a message failed because the message was to large to fit into the receive buffer
- ERR\_SND\_SEGV /ERR\_RCV\_SEGV the specified message or buffer is not accessible in the memory

#### • Kernel Commands:

- ADD\_MEMORY pgs increase the memory amount by pgs pages
- FREE\_MEMORY pqs decrease the memory amount by pqs pages
- Process-Local Computation:
  - PROC\_NO\_OUTPUT perform a process-local step

Later on in the VAMOS model, we use predicate is\_error, in order to determine errors during the execution of kernel calls. It only applies for the error responses and delivers False for all other components of the alphabet  $\Sigma_{\text{proc}}$ .

#### 3.3.3 Output Functions

The output functions permit VAMOS a limited and indirect access to the state of an assembler machine  $s_{\text{proc}}$ .

**Memory Consumption.** Vamos applies the function  $size_{proc}$ , in order to determine the current memory amount. As we only consider Vamp assembly processes, we adopt function  $size_{asm}$ , i.e.,  $size_{proc} = size_{asm}$ .

User-Generated Outputs. While  $size_{proc}$  can be considered as rather passive, function  $\omega_{proc}$  delivers the active process output to the kernel. It relies on exceptions, i.e., user-generated interrupts. Only two kinds of user-generated interrupts are passed on to the kernel: runtime-errors and traps. Both may arise while executing the current instruction. Runtime-errors subsume errors occurring during the execution of the current instruction,

like illegal pagefaults. In most cases, they are traceable to erroneous programming and the VAMOS kernel responds by killing the process causing the error.

Traps, in turn, constitute a possibility to place a request to the kernel. A process may trigger a trap exception by means of a TRAP instruction defined within the VAMP assembly semantics. Together with the associated immediate constant *imm*, traps are mapped to VAMOS calls which provide the intended functionality. Instructions that neither cause runtime-error nor trap exceptions do not involve the kernel and are executed in the local context of the process.

In order to determine the different situations, our process model provides the output function  $\omega_{proc}$ :

```
\omega_{\text{proc}} \ s_{\text{proc}} =
(if runtimeError s_{\text{proc}} then RUNTIME_ERROR
else if \exists imm. current_instr s_{\text{proc}} = \text{TRAP} \ imm then trap_dispatch s_{\text{proc}} else \epsilon_{\Omega})
```

Runtime errors are signaled by the output RUNTIME\_ERROR. If the current instruction denotes a TRAP instructions, the VAMOS kernel is involved and function trap\_dispatch determines the corresponding output. In all other cases, output  $\epsilon_{\Omega}$  implies that the process operates in its local context.

As the name suggests, trap\_dispatch considers the current instruction of  $s_{proc}$  and realizes a case distinction over the values of imm.

Due to the fact that VAMOS provides 16 different VAMOS calls, the formal definition of trap\_dispatch is quite substantial. Thus, in this section, we restrict ourselves to a couple of exemplary excerpts. The complete formal definition of function trap\_dispatch is given in Section 8.1.

For a start, we chose the case imm = 6, which is affiliated with the VAMOS call SET\_PRIVILEGES. According to the ABI, register 11 contains the handle to the process that should become privileged. Thus, from the definition of trap\_dispatch, we can derive the following implication:

```
current_instr s_{\text{proc}} = \text{TRAP 6} \Longrightarrow
trap_dispatch s_{\text{proc}} \equiv \text{SET\_PRIVILEGED } (s_{\text{proc}}.\text{gprs} ! 11)
```

The definition is pretty easy for this case and benefits from the fact that concrete as well as abstract handles are represented by 32-bit integer values.

Things get more elaborate, when more complex types are involved. As an example, we chose TRAP 15 which is mapped to the VAMOS call IPC\_REQUEST:

```
current_instr s_{\text{proc}} = \text{TRAP } 15 \Longrightarrow
trap_dispatch s_{\text{proc}} \equiv
let hn_{\text{rcv}} = s_{\text{proc}}.\text{gprs} ! 11; rights_{\text{snd}} = s_{\text{proc}}.\text{gprs} ! 12;
msg_{\text{ad}} = s_{\text{proc}}.\text{gprs} ! 13; msg_{\text{len}} = s_{\text{proc}}.\text{gprs} ! 14;
hn_{\text{add}} = s_{\text{proc}}.\text{gprs} ! 17; rights_{\text{add}} = s_{\text{proc}}.\text{gprs} ! 18;
to_{\text{snd}} = s_{\text{proc}}.\text{gprs} ! 19; buf_{\text{ad}} = s_{\text{proc}}.\text{gprs} ! 15;
buf_{\text{len}} = s_{\text{proc}}.\text{gprs} ! 16; to_{\text{rcv}} = s_{\text{proc}}.\text{gprs} ! 20
```

```
in IPC_REQUEST hn_{\text{rcv}} (num2rights rights_{\text{snd}}) (build_memobj s_{\text{proc}} (to_nat32 msg_{\text{ad}}) (to_nat32 msg_{\text{len}})) hn_{\text{add}} (num2rights rights_{\text{add}}) (int2timeout to_{\text{snd}}) (build_buffer s_{\text{proc}} (to_nat32 buf_{\text{ad}}) (to_nat32 buf_{\text{len}})) (int2timeout to_{\text{rcv}})
```

Not only the sheer number of arguments constitutes the complexity of the definition, but also the various conversion functions.

As before, the ABI specifies the register locations of the particular arguments. For instance, register 11 contains the handle  $hn_{\sf rcv}$  to the receiver and register 13 specifies the start address  $msg_{\sf ad}$  of the message. The registers always deliver 32-bit integer values. This is fine regarding the handles, but requires conversions with other arguments.

The call IPC\_REQUEST provides the opportunity that the sender grants rights to the receiver, such that the receiver later on, for instance, is allowed to send to the sender. These rights are encoded in the value of <code>rights\_snd</code> located in register 12. Based on this value, function <code>num2rights</code> extracts the respective set of abstract rights:

```
num2rights r \equiv if r < 0 \lor 15 < r then \bot else \lfloor (\text{if } r \text{ mod } 2 = 1 \text{ then } \{\text{v\_finiteR}\} \text{ else } \{\}) \cup (if r \text{ mod } 4 \text{ div } 2 = 1 \text{ then } \{\text{v\_multipleR}\} \text{ else } \{\}) \cup (if r \text{ mod } 8 \text{ div } 4 = 1 \text{ then } \{\text{v\_requestR}\} \text{ else } \{\}) \cup (if r \text{ div } 8 = 1 \text{ then } \{\text{v\_sendR}\} \text{ else } \{\}))
```

The numerical register value r actually represents a bit vector, whereas four bits suffice to encode arbitrary sets of rights. The least significant bit represents the right v\_finiteR, followed by v\_multipleR, v\_requestR and v\_sendR. A 4-bit vector can only encode numerical values ranging from 0 to 15. Thus, values r out of this range are considered as invalid and result in  $\bot$ . Otherwise, the various bits can be extracted by ordinary division (div) and modulo (mod) operations.

We proceed in the same way with extracting the rights to the (possibly) additional process from  $rights_{add}$ .

The memory message is specified by the start address  $msg_{\tt ad}$  and the length  $msg_{\tt len}$ . Based on these values, function <code>build\_memobj</code> generates the corresponding abstract memory object:

```
build_memobj s_{\text{proc}} obj_{\text{addr}} obj_{\text{len}} \equiv if obj_{\text{len}} = 0 then MObjSeq [] else if obj_{\text{addr}} mod 4 \neq 0 \lor obj_{\text{len}} mod 4 \neq 0 then MObjUndefined else if size<sub>asm</sub> s_{\text{proc}} * \mathsf{PAGE\_SIZE} \leq obj_{\text{addr}} + obj_{\text{len}} then MObjUnavailable else MObjSeq (mem_part_access s_{\text{proc}}.mm obj_{\text{addr}} obj_{\text{len}})
```

For a start address  $obj_{addr}$  and a length  $obj_{len}$ , it returns an empty memory object, i.e., MObjSeq [], if  $obj_{len} = 0$ . The memory object is undefined, if  $obj_{addr}$  or  $obj_{len}$  are not word-aligned. If the last address  $(obj_{addr} + obj_{len})$ 

of the memory object is not available in the virtual memory, the object is considered as unavailable. A valid memory object contains a sequence of 32-bit integers of length  $obj_{len}$  starting from address  $obj_{addr}$ . The sequence is obtained by function mem\_part\_access.

It is almost the same with the receive buffer starting at addresss  $buf_{ad}$  and with length  $buf_{len}$ . The function build\_buffer generates an abstract buffer, where  $obj_{addr}$  denotes the start address and  $obj_{len}$  the buffer length:

```
build_buffer s_{\mathsf{proc}} obj_{\mathsf{addr}} obj_{\mathsf{len}} \equiv \mathbf{if} obj_{\mathsf{len}} = \mathbf{0} then BufLength 0 else \mathbf{if} obj_{\mathsf{addr}} mod 4 \neq 0 \lor obj_{\mathsf{len}} mod 4 \neq 0 then BufUndefined else \mathbf{if} size<sub>asm</sub> s_{\mathsf{proc}} * \mathsf{PAGE\_SIZE} \le obj_{\mathsf{addr}} + obj_{\mathsf{len}} then BufUnavailable else BufLength (obj_{\mathsf{len}} div 4)
```

In case that  $obj_{len} = 0$ , the resulting buffer has also length 0. The buffer is undefined, if either the start address or the length is not word-aligned. If the specified memory region is defined and available, the buffer is of length  $obj_{len}$  div 4. The division by 4 is due to the fact, that users specify the length of a memory region in bytes whereas the kernel uses words.

Converting the specified timeout values  $to_{snd}$  and  $to_{rcv}$  is straightforward, as the definition of int2timeout suggests:

```
int2timeout r \equiv \mathbf{if} \ r < 0 \ \mathbf{then} \ \infty \ \mathbf{else} \ \mathsf{Fin} \ (\mathsf{nat} \ r)
```

For negative values r it returns  $\infty$ . Positive values are first converted to natural numbers before the result Fin (nat r) is returned.

There are other conversion functions used in the context of  $\omega_{asm}$ . In this document, however, we only mention them and give a short description but leave out their exact formal definitions and refer to the according theory file in Isabelle/HOL instead.

The function reg2prio converts integer numbers n into abstract priorities. It delivers  $\bot$ , if n cannot be mapped to any value of prioT. Otherwise, reg2prio returns the corresponding abstract priority. It is used with the calls PROCESS\_CREATE and CHG\_SCHED\_PARAMS.

Regarding the device communication,  $\omega_{proc}$  applies the conversion functions reg2devnum and reg2port, both converting integer numbers to abstract device and port numbers, respectively. In addition, function reg2ints extracts a set of device interrupts out of an integer number.

Finally, we present a special case of  $\omega_{proc}$ , namely, if the immediate constant *imm* specifies an undefined trap number. We use predicate undefined\_trapnr to determine this situation and the according output is UNDE-FINED\_TRAP:

```
[current_instr s_{proc} = TRAP \ i; undefined_trapnr i] \implies trap_dispatch s_{proc} = UNDEFINED_TRAP
```

#### 3.3.4 Process Transitions

The function  $\delta_{proc}$  defines the transition of a VAMP assembly process automaton. As input, it takes the current state  $s_{proc}$  and an input i from the kernel. Finally,  $\delta_{proc}$  acts as wrapper for function  $\delta_{asm}$ , while taking the kernel input i into account. The kernel input follows the input alphabet  $\Sigma_{proc}$  and provides the basis for the particular case distinctions. As with function  $\omega_{proc}$ , the definition of  $\delta_{proc}$  is pretty substantial. For this purpose, we limit ourselves again to exemplary excerpts.

The easiest case treats the input  $\epsilon_{\Sigma}$  from the kernel. It implies that the process has not initiated a kernel request before and that the execution of the current instruction happens in the local context of the process. The definition of  $\delta_{proc}$  handles this case by a simple call of the assembly transition function  $\delta_{asm}$ :

```
\delta_{\mathsf{proc}} \; \epsilon_{\Sigma} \; \mathit{S}_{\mathsf{proc}} \equiv \delta_{\mathsf{asm}} \; \mathit{S}_{\mathsf{proc}}
```

Vamos uses kernel commands to enforce changes on the process state. Commands are only used in the context of the memory management and allow the increasing or demand the decreasing of the memory amount. Both actions are encapsulated as commands, because they might be triggered by other processes.

Increasing the memory amount of a process is based on the kernel input ADD\_MEMORY and the provided number pgs of pages:

Due to the additional memory pages, the page table length is incremented by pgs and again stored in register SPR\_PTL. Furthermore, the additional memory region is initialized with zeros. Note that function  $size_{asm}$  returns the size of the memory of process  $s_{proc}$  in pages of 1024 words.

Releasing memory pages only involves the decreasing of the page table length. Again, the number pgs of pages is included in the input message FREE\_MEMORY:

```
\begin{split} \delta_{\text{proc}} & \left( \text{FREE\_MEMORY } pgs \right) \, s_{\text{proc}} \equiv s_{\text{proc}} \\ & \left( \text{[sprs} := s_{\text{proc}}.\text{sprs} \right. \\ & \left[ \text{SPR\_PTL} := \right. \\ & \text{if } s_{\text{proc}}.\text{sprs} \, ! \, \text{SPR\_PTL} < \text{to\_int32 } pgs \, \text{then } -1 \\ & \text{else } s_{\text{proc}}.\text{sprs} \, ! \, \text{SPR\_PTL} - \, \text{to\_int32 } pgs \, ] ) \end{split}
```

If the number of released pages is greater than the actual number of occupied pages, the page table length is set to -1. Otherwise, the length is decreased by pgs.

The remaining kernel inputs can all be traced back to previous kernel requests. Thus, the process has initiated a kernel request by means of a TRAP instruction, the kernel has handled this trap and now returns its results by means of input i to the process. Independent from the result of the kernel computation, the TRAP instruction is executed in the context of  $\delta_{asm}$ . The semantics of TRAP is the incrementation of the program counters as the following statement suggests:

```
current_instr s_{proc} = \text{TRAP } i \Longrightarrow \delta_{asm} \ s_{proc} \equiv \text{incPcs } s_{proc} with \text{incPcs } s_{proc} = s_{proc} (\text{dpc} := s_{proc}.\text{pcp}, \ \text{pcp} := (s_{proc}.\text{pcp} + 4) \ \text{mod} \ 2^{32})
```

In addition to that,  $\delta_{proc}$  also writes result registers and data into the process's virtual memory.

Minor effort is involved with error responses or 'simple' success messages. The former arise, for instance, if the kernel's memory amount does not suffice to create a new process. The kernel acknowledges this situation with ERR\_OUT\_OF\_MEM and  $\delta_{proc}$  updates the process state as follows:

```
\delta_{\mathsf{proc}} \; \mathrm{ERR\_OUT\_OF\_MEM} \; s_{\mathsf{proc}} \equiv \mathsf{incPcs} \; s_{\mathsf{proc}} (|\mathsf{gprs} := s_{\mathsf{proc}}.\mathsf{gprs}[22 := -2])
```

Register 22 denotes the standard result register and is set to value -2, the respective integer value to error code ERR\_OUT\_OF\_MEM. Other error codes are of course associated with different integer values.

The kernel message SUCC\_NEW\_PROCESS signals a successful process creation and is accompanied with the handle  $hn_{\text{new}}$  to the new process. The latter is written into the result register, such that from now on the process can use this handle to communicate with its child:

```
\begin{split} &\delta_{\mathsf{proc}} \; \big( \text{SUCC\_NEW\_PROCESS} \; h n_{\mathsf{new}} \big) \; s_{\mathsf{proc}} \equiv \\ & \mathsf{incPcs} \; \big( s_{\mathsf{proc}} \big( \mathsf{gprs} := s_{\mathsf{proc}}.\mathsf{gprs} [22 := h n_{\mathsf{new}}] \big) \big) \end{split}
```

Things get more elaborate, when one result register does not suffice or when abstract values have to be converted into register values. As examples, we consult the impact of responses to successful DEV\_READ and IPC\_RECEIVE calls.

In the former case, the response SUCC\_DEV\_READ also comprises device data is represented as a sequence of 32-bit integers. Depending on a single or burst read, the device data needs to be written into a register or the process's memory:

```
\begin{array}{l} \delta_{\text{proc}} \; \left( \text{SUCC\_DEV\_READ} \; is \right) \; s_{\text{proc}} \equiv \\ \text{let} \; \textit{read}_{\text{single}} = \text{instr\_mem\_read} \; s_{\text{proc}}.\text{mm} \; s_{\text{proc}}.\text{dpc} = \text{TRAP 19}; \\ s_{\text{single}} = s_{\text{proc}} (|\text{gprs}:=s_{\text{proc}}.\text{gprs}[13:=\text{hd} \; is]|); \\ \textit{buf}_{\text{addr}} = \text{to\_nat32} \; \left( s_{\text{proc}}.\text{gprs} \; ! \; 13 \right); \\ s_{\text{block}} = s_{\text{proc}} (|\text{mm}:=\text{mem\_part\_update} \; s_{\text{proc}}.\text{mm} \; \textit{buf}_{\text{addr}} \; is|) \\ \text{in if} \; \textit{read}_{\text{single}} \; \text{then incPcs} \; \left( s_{\text{single}} (|\text{gprs}:=s_{\text{single}}.\text{gprs}[22:=0]|)) \\ \text{else incPcs} \; \left( s_{\text{block}} (|\text{gprs}:=s_{\text{block}}.\text{gprs}[22:=0]|)) \end{array}
```

The distinction between single and burst reads relies on the trap number. Instruction TRAP 19 implies a single read, TRAP 13 a burst read operation. In the former case, only the first word of the data sequence is is written into register 13.

While performing a burst read, register 13 contains the start address  $buf_{\sf addr}$  of the buffer, the device data should be stored in. As the operation was acknowledged with a SUCC\_DEV\_READ message, it is ensured that the device data fits into the specified buffer. The actual data transfer is done by means of  $mem\_part\_update$  which simply takes the sequence is and writes it into the virtual memory, starting at address  $buf_{\sf addr}$ . In both cases, register 22 finally contains the value 0 (meaning "success") and the program counters are increased.

Even more complex is the impact of the response SUCC\_RECEIVE to an IPC\_RECEIVE call. It contains the message and handles as well as the rights to the sender and (possibly) to an additional process:

```
\begin{split} &\delta_{\text{proc}} \; (\text{SUCC\_RECEIVE} \; rhn_{\text{snd}} \; reused_{\text{snd}} \; rrights_{\text{snd}} \; msg_{\text{rcv}} \; rhn_{\text{add}} \; reused_{\text{add}} \; rrights_{\text{add}} \\ & stolen \; to_{\text{infty}} \; irqs) \\ &s_{\text{proc}} \equiv \\ &\text{let} \; buf_{\text{addr}} = \text{to\_nat32} \; (s_{\text{proc}}.\text{gprs} \; ! \; 15); \; rights_{\text{snd}} = \text{rights2num} \; rrights_{\text{snd}}; \\ & rights_{\text{add}} = \\ & \text{if} \; rhn_{\text{add}} = \text{HN\_NONE} \; \text{then} \; s_{\text{proc}}.\text{gprs} \; ! \; 18 \; \text{else} \; \text{rights2num} \; rrights_{\text{add}}; \\ & res = \text{combine\_notifications} \; reused_{\text{snd}} \; reused_{\text{add}} \; stolen \; to_{\text{infty}} \; irqs \\ & \text{in} \; \text{incPcs} \\ & (s_{\text{proc}} \\ & (\text{mm} := \text{mem\_part\_update} \; s_{\text{proc}}.\text{mm} \; buf_{\text{addr}} \; msg_{\text{rcv}}, \\ & \text{gprs} := s_{\text{proc}}.\text{gprs} \\ & [11 := rhn_{\text{snd}}, \; 12 := rights_{\text{snd}}, \; 16 := \text{to\_int32} \; (\text{length} \; msg_{\text{rcv}} * \; 4), \\ & 17 := rhn_{\text{add}}, \; 18 := rights_{\text{add}}, \; 22 := res])) \end{split}
```

The message  $msg_{rcv}$  is given as a sequence of integers and copied, by means of function  $mem\_part\_update$ , into the memory of the process starting at the specified address  $buf_{addr}$  in register 15. The length of the sequence is written into register 16. Remember that users measure the length in bytes whereas the kernel uses words. Thus, we multiply the length with 4. Registers 11 and 17 finally contain the handles  $rhn_{snd}$  and  $rhn_{add}$  to the sender and to an additional process, respectively. Besides the process handles, the receiver obtains rights. Set  $rrights_{snd}$  contains the rights to the sender and  $rrights_{add}$  specifies the rights to the additional process. Function rights2num converts these abstract set representations into the corresponding numerical ones:

```
rights2num rights \equiv (if v_finiteR \in rights then 1 else 0) + (if v_multipleR \in rights then 2 else 0) + (if v_requestR \in rights then 4 else 0) + (if v_sendR \in rights then 8 else 0)
```

For a well-defined set of rights rights, it determines the active rights and sums up the associated numerical values. In our case, the results are buffered in  $rights_{add}$  and finally stored in registers 12 and 18. However, if no additional process was specified, i. e.,  $rhn_{add} = HN\_NONE$ ,  $rights_{add}$  is set to the value of register 18, i. e., in this case the register remains unchanged.

Finally, the function combine\_notifications takes all kinds of kernel notifications and generates a result value *res* which is stored in register 22:

```
combine_notifications reused_{\sf snd} reused_{\sf add} stolen to_{\sf infty} irqs \equiv (\textbf{if} \ reused_{\sf snd} \ \textbf{then} \ 1 \ \textbf{else} \ 0) + (\textbf{if} \ reused_{\sf add} \ \textbf{then} \ 2 \ \textbf{else} \ 0) + (\textbf{if} \ to_{\sf infty} \ \textbf{then} \ 4 \ \textbf{else} \ 0) + (\textbf{if} \ stolen \ \textbf{then} \ 8 \ \textbf{else} \ 0) + (\sum i \in irqs. \ 2^{\mathsf{dev2nat} \ i})
```

# Chapter 4

# The Vamos Model

## Contents

| 4.1 | The Vamos State Space     | 3 |
|-----|---------------------------|---|
| 4.2 | The Output Function 8     | 1 |
| 4.3 | The Transition Function 8 | 2 |
| 4.4 | Vamos Trap Handler 8      | 2 |
| 4.5 | Vamos Scheduler           | 8 |
| 4.6 | Vamos Interrupt Delivery  | 1 |
|     |                           |   |

This chapter deals with the details of the VAMOS automaton describing the VAMOS kernel and the user processes running on it. The devices are not included but associated by a communication interface.

As already introduced, the tupel  $A_V$  describes the VAMOS automaton:

$$\mathcal{A}_{V} = (\mathcal{S}_{V},\,\mathcal{S}_{V}^{0},\,\Sigma_{V},\,\Omega_{V},\,\omega_{V},\,\delta_{V})$$

Subsequently, we give a precise description of the particular components starting with the VAMOS state space  $\mathcal{S}_V$ . We continue with the communication between the kernel and the devices which is based on the interface established by the alphabets  $\Sigma_V$  and  $\Omega_V$  and the output function  $\omega_V$ . The chapter concludes with the transition function  $\delta_V$  processing possible input from the devices and defining the interaction with the user processes.

# 4.1 The Vamos State Space

The Vamos state space  $S_V$  represents the abstract counterpart of the Vamos implementation state, which was introduced in Section 2.5.2. For efficiency reasons, the latter maintains partly redundant datastructures. On the abstract level, we avoid these redundancies and reduce  $S_V$  to the essential. Formally, a record describes the Vamos state space and a state  $s_V \in S_V$  comprises the following components:

the mapping of virtual assembly machines s<sub>V</sub>.procs of the user processes,

- the priority database s<sub>V</sub>.priodb,
- the scheduling datastructures s<sub>V</sub>.schedds,
- the datastructures s<sub>V</sub>.rightsdb containing information for the IPC rights management and the set of privileged processes,
- the send status database s<sub>V</sub>.sndstatdb, and
- $\bullet$  the datastructures  $s_V$ .devds containing data for the device communication.

More details on the particular components present the following paragraphs. Afterwards we present the initial states represented by  $\mathcal{S}_{V}^{0} \subset \mathcal{S}_{V}$ .

#### 4.1.1 Virtual User Machines

Regarding the user machines, the VAMOS model uses the same level of abstraction as the implementation: virtual assembly machines. VAMOS employs unique process numbers of type procnumT to identify the user processes. Accordingly, component s<sub>V</sub>.procs realizes a partial mapping between process numbers and virtual assembly machines:

$$\mathit{s}_{\mathsf{V}}.\mathsf{procs} \in \mathsf{procnum}\mathsf{T} {\rightharpoonup} \mathcal{S}_{\mathsf{asm}}$$

The model only maintains the machines of active processes. Entries for inactive processes are set to  $\perp$ .

Apart from actually representing the virtual user machines, the state component  $s_V$ .procs also implicitly carries system-relevant information. Thus, based on  $s_V$ .procs, VAMOS determines free resources regarding new processes and memory.

Availability of Processes. New processes are taken out of the set of inactive ones. As a consequence, the existence of inactive processes is a main prerequisite regarding the process creation. Based on the observation that entries in  $s_V$ .procs for inactive processes are set to  $\bot$ , predicate procs\_available checks for available virtual machines that can be assigned to a new process:

procs\_available  $s_V$ .procs  $\equiv \exists p. s_V$ .procs  $p = \bot$ 

**Availability of Memory.** Another prerequisite concerns the availability of memory. Function total\_mem computes the current memory consumption of VAMOS, i.e., the memory amount of all active processes. Based on the output function size<sub>proc</sub> for user processes, it sums up the memory amounts of the active processes:

```
total_mem s_V.procs \equiv list_sum (map (\lambda x. case s_V.procs x of \perp \Rightarrow 0 \mid |p| \Rightarrow \mathsf{size}_{\mathsf{proc}} p) [1..<\mathsf{PID\_MAX}])
```

The total virtual memory amount of the VAMOS kernel is restricted to TVM\_MAXPAGES pages. Thus, if a new process should be equipped with *n* pages, the predicate mem\_available has to hold:

```
mem_available s_V.procs n \equiv \text{total\_mem } s_V.procs + n < \text{TVM\_MAXPAGES}
```

It determines the overall memory amount and checks whether this value together with the additional n pages does exceed the limit of TVM\_MAXPAGES pages.

#### 4.1.2 Priorities

Similar to the implementation, the model also supports three different priority levels. Priority values are of type prioT and the mapping  $s_V$ .priodb assigns such values to the particular processes:

```
s_V.priodb \in procnumT \rightarrow prioT
```

Again, process numbers are used to distinguish between the different processes and entries for inactive ones are set to  $\perp$ .

#### 4.1.3 Scheduling Data Structures

The component  $s_V$ .schedds represents the scheduling data structures. Defined as record of type schedds T they provide global as well as process-specific scheduling data:

- the current time  $s_{V}$ .schedds.time  $\in \mathbb{N}$ ,
- the ready queues sy.schedds.ready $\in$  prioT $\rightarrow$ procnumT\*,
- the wait queue  $s_V$ .schedds.wait  $\in$  procnum $T^*$
- the inactive queue  $s_V$ .schedds.inactive  $\in$  procnum $T^*$ , and
- the process-specific scheduling information

```
s_V.schedds.procdb \in procnumT \rightarrow procdbT.
```

The current time s<sub>V</sub>.schedds.time is a counter for clock ticks, i. e., interrupts from the external timer device. To realize the scheduling, the VAMOS scheduler maintains different queues. They are represented as finite sequences of process numbers in the VAMOS specification. There is a ready queue s<sub>V</sub>.schedds.ready prio of schedulable processes for each priority prio. Additionally, all processes currently not ready to be scheduled (because they are waiting for an IPC partner) are held in the queue s<sub>V</sub>.schedds.wait. Inactive ones are stored in s<sub>V</sub>.schedds.inactive which, at the same time, determines the order of the reuse of the process numbers.

Only active processes participate in the scheduling mechanism. The relevant information is collected in a record of type procdbT with the following components:

- the timeslice  $tsl \in \mathbb{N}$ ,
- the amount of consumed time ctsl  $\in \mathbb{N}$ , and
- the absolute timeout timeout  $\in$  timeout  $\top$ .

If a process is found to be computing when a timer interrupt raises, the component ctsl is increased until the process has finally run for tsl ticks. In this case, another process is scheduled. If a process calls the kernel for IPC and no partner is ready for communication, the absolute timeout timeout is computed from the current time and the relative timeout that has been specified with the call. Timeouts are defined as natural numbers with infinity which are represented by type timeout T.

As usual, the mapping is not defined for inactive processes.

Current Process. In VAMOS, the current process is the first process in the highest, non-empty ready queue. If all ready queues are empty, the current process is undefined. Or more technically, we concatenate the ready queues from the highest to the lowest and specify the first process in this list as current:

```
v_cup schedds \equiv case concat (map schedds.ready [high_prio, med_prio, low_prio]) of [] \Rightarrow \bot \mid x \cdot xs \Rightarrow \lfloor x \rfloor
```

While specifying the VAMOS kernel we often have to wake up or put processes to sleep. Both actions only concern the scheduling datastructures and are encapsulated in dedicated functions.

Waking Up Processes. Usually, a waiting process x is part of the wait queue  $s_V$ .schedds.wait. After waking up, however, x is no longer located in this queue but appended to the ready queue of its priority. In addition, x gets back its full timeslice again, i.e., the consumed time is reset to 0.

All these actions are combined in function  $v_wkp_updt_schedds$ ; it provides the possibility to wake up several processes simultaneously. Candidates are given as a list wkp which also defines the order of reintegration into the ready queues. In order to determine the process priorities the function takes the priority database priodb and updates the scheduling datastructures schedds:

Putting Processes To Sleep. Putting processes to sleep is provided by the function  $v\_ipc\_wait\_updt\_schedds$ . It is mainly used in the context of IPC, where processes are often forced to wait for an IPC partner. If a process  $p_{wait}$  of priority  $prio_{wait}$  has to wait, it is removed from the corresponding ready queue and appended to the wait queue. The duration of waiting depends on the relative timeout value  $to_{wait}$  which is added to the current time. The formal definition of these actions is given as follows:

```
\label{eq:vait_updt_schedds} $$ v_{\text{wait}} = schedds $$ p_{\text{wait}} = schedds $$ (\text{pready} := schedds.\text{ready}(prio_{\text{wait}} := [x \in schedds.\text{ready} prio_{\text{wait}} : x \neq p_{\text{wait}}]), $$ wait := schedds.\text{wait} @ [p_{\text{wait}}], $$ procdb := schedds.\text{procdb}(p_{\text{wait}} \mapsto \lceil schedds.\text{procdb} p_{\text{wait}} \rceil) $$ (\text{timeout} := to_{\text{wait}} += schedds.\text{time})) $$ (
```

#### 4.1.4 Rights Datastructures

As in the implementation, the abstract rights datastructures are process-specific and hold information regarding the IPC rights management and the set of privileged processes:

```
s_V.rightsdb \in procnumT \rightarrow rightsdataT
```

The entries for active processes describe record values of type rightsdataT with the following components:

- the privileged flag priv  $\in$  bool,
- the process number parent  $\in$  procnum $T_{\perp}$  of the parent,
- the handle database  $hdb \in handleT \rightarrow procnumT$ ,
- the set of stolen handles stolen  $\in$  handleT set, and
- the rights database  $rdb \in procnumT_{\perp} \rightarrow rightsT$ .

The privileged flag priv determines whether a process is privileged or not. Component parent denotes the identifier of the parent. For a process p, it delivers  $\bot$ , if p is either the initial process (the OS) or a direct child of the OS, or if the parent has been terminated in the meantime. The component hdb maintains the mapping between the process-local handles and the actual process numbers. If a handle is stolen, it is added to the set stolen. Component rdb finally determines the rights to other processes. Entry  $\lceil s_V.rightsdb \ p \rceil.rdb \ q$  specifies, for instance, the rights of process p to a process q. However, if q does not denote a valid process number, i.e.,  $q = \bot$ , the rights database returns  $\bot$ .

**Privileged Processes.** The privileged flag priv plays a decisive role in the VAMOS specification later on and is therefore encapsulated in predicate privileged:

```
privileged s_V.rightsdb p \equiv [s_V.rightsdb p].priv
```

**Valid Handles.** Predicate valid\_handle signals a valid handle *hn* in the context of process *p*:

```
valid_handle s_V.rightsdb p hn \equiv \exists p_{hn}. [s_V.rightsdb p].hdb hn = \lfloor p_{hn} \rfloor
```

It only holds, if the access to the handle database of process p with handle hn returns a process number. If hn is invalid, the access results in  $\perp$ .

Converting Handles to Process Numbers. The opposite direction, i. e., determining the handle hn to process q in the handle database of process p, defines function to\_hn:

```
to_hn rightsdb p q \equiv if |q| = [rightsdb p].parent then HN_PARENT else int <math>q
```

If q denotes the process number of p's parent, handle HN\_PARENT is returned. Otherwise, to\_hn realizes the one-to-one mapping between handles and process numbers.

**Known Processes.** The model also determines known processes by means of the handle database hdb. A process q is known by process p iff there exists a handle hn in the context of p pointing to q. The corresponding predicate is\_known is defined as follows:

```
is_known rightsdb p \neq \exists hn. \lceil rightsdb \mid p \rceil.hdb \mid hn = \mid q \mid
```

#### 4.1.5 Send Status Database

The remaining component of the process state in the implementation defines the send status database

#### $s_V$ .sndstatdb $\in$ procnum $T \rightarrow$ bool

Usually, the membership in one of the scheduling queues determines the current process status—except for one case: An IPC\_REQUEST call has a send and a receive phase, which might both require waiting. The send status database sy.sndstatdb keeps track of the phase.

#### 4.1.6 Device Data Structures

The state component  $s_V$ .devds encapsulates the device datastructures which are represented as a record of type devdsT with the following components:

- the driver registry driver ∈ devnumT→procnumT,
- the currently enabled device interrupts enabled  $\in$  intsT, and
- the occured and saved device interrupts saved  $\in$  intsT.

The driver registry assigns device numbers with the corresponding process numbers of the drivers. For instance, if process p acts as driver for device d,  $\lceil s_{V}.devds.driver d \rceil = p$ . If no driver is assigned with device d, the mapping delivers  $\bot$ .

The set of currently enabled interrupts is given by sv.devds.enabled.

It might happen that drivers are not ready to handle arising interrupts, for instance, when they are currently handling interrupts from other devices. In order to prevent any interrupt losses, VAMOS stores occurred but not yet handled interrupts in component saved for a later delivery.

#### 4.1.7 Initial Vamos States

The initial VAMOS state (i.e., the state describing the system when it switches to the user mode for the first time after the reset signal) depends on the code image  $OS\_IMAGE$  for the user-level operating system (OS). In the implementation, this image is stored at the swap harddisk, which is abstracted away in the CVM model. Furthermore, the initial size of the OS-process memory is configured in the implementation via the macro-constant  $OS\_PAGES$ . This constant has to be smaller than TVM\_MAXPAGES, the maximum virtual memory size supported by CVM. We represent the OS image as a list of integers and require that (a) the OS image is not too large with respect to  $OS\_PAGES$  and (b) all list elements are valid integers with respect to the 32-bit target VAMP machine. Furthermore, VAMOS determines some constants regarding the OS: The operating system is identified by process number OS\\_PID and classified in the priority class OS\_PRIO. Furthermore, its timeslice is specified with OS\_TSL.

Based on these observations function initial Conf delivers the initial VA-MOS state:

```
initialConf OS\_IMAGE OS\_PAGES \equiv
 let os\_procdb = (|ts| = OS\_TSL, cts| = 0, timeout = \infty);
      init_schedds =
       (time = 0, ready = \lambda pri. if pri = OS_PRIO then [OS_PID] else [],
          wait = [],
          inactive =
            [x \in \text{map Abs\_procnumT} (rev [1..<\text{PID_MAX}]) . x \neq \text{OS\_PID}],
          procdb = [OS\_PID \mapsto os\_procdb]);
      os_rightsdb =
       (priv = True, hdb = [HN\_SELF \mapsto OS\_PID], rdb = empty,
          \mathsf{stolen} = \{\}, \, \mathsf{parent} = \bot \};
      init\_devds = \{ driver = empty, enabled = \{ DEV\_TIMER \}, saved = \{ \} \}
 in (procs = [OS\_PID \mapsto init_{proc} OS\_IMAGE OS\_PAGES],
       schedds = init\_schedds, priodb = [OS\_PID \mapsto OS\_PRIO],
       sndstatdb = [OS\_PID \mapsto False],
       rightsdb = [OS\_PID \mapsto os\_rightsdb], devds = init\_devds]
```

The only entry in the partial mapping of procs relates to OS\_PID. Relying on the given code image OS\_IMAGE together with the number OS\_PAGES, function initproc (cf. Section 3.3) sets up the initial virtual machine for the OS.

The component time of the initial scheduling datastructures <code>init\_schedds</code> starts counting at 0. As the only running process, the OS is put into the ready queue of priority OS\_PRIO. The other ready queues as well as the wait queue are empty because all remaining processes are classified as inactive and reside in the queue <code>inactive</code>. The latter orders the processes by their process numbers where PID\_MAX denotes the head and 1 the end of the queue. Certainly, process number OS\_PID is left out.

The OS-specific scheduling information  $os\_procdb$  pretends that the OS did not yet consumed any time of its timeslice OS\_TSL and that there is no pending timeout denoted by  $\infty$ .

Similar to procs, the partial mappings priodb, sndstatdb and rightsdb only contain a single valid entry, namely, the one for OS\_PID. While the priority of the OS is set to OS\_PRIO, the entry in sndstatdb is initialized with False.

As the initial rights datastructures  $os\_rightsdb$  suggest, the OS runs in privileged mode. The only valid entry in the handle database hdb describes the self-reference. The partial mapping of rdb is empty because no other processes yet exist and, thus, no rights need to be maintained. The set stolen is empty and component parent is set to  $\bot$ .

Finally, initialConf sets up the initial device datastructures *init\_devds*. The only enabled interrupts are the ones from the timer device (DEV\_TIMER) which are handled by VAMOS itself. So far, no drivers are assigned to any devices and no interrupts are saved for later delivery.

## 4.2 The Output Function

Similar to the process automata, the VAMOS automaton  $\mathcal{A}_V$  possesses an output function  $\omega_V$ , in order to generate the kernel's output to the devices. As only processes can initiate device interaction by invoking the corresponding VAMOS calls,  $\omega_V$  reverts to the process outputs. In particular, the output of the VAMOS kernel in state  $s_V$  depends on the currently running process. The definition of  $\omega_V$  points this out:

```
\begin{array}{l} \omega_{V} \; s_{V} \equiv \\ \text{case v\_cup } s_{V}.\text{schedds of } \bot \Rightarrow \text{idle}_{\Omega V} \\ \mid \lfloor p_{\mathsf{cp}} \rfloor \Rightarrow \omega \text{proc2devout } (\omega_{\mathsf{proc}} \lceil s_{V}.\text{procs } p_{\mathsf{cp}} \rceil) \; s_{V}.\text{devds } p_{\mathsf{cp}} \end{array}
```

A non-existent running process, i. e.,  $v\_{cup}\ s_V.schedds = \bot$ , cannot activate any device interaction. Thus,  $\omega_V$  returns  $idle_{\Omega V}$ .

If a current process  $p_{\sf cp}$  exists, Vamos applies function  $\omega {\sf proc2devout}$ . For the output  $out_{\sf cp}$  of  $p_{\sf cp}$  and the device datastructures devds it returns the according output to the devices:

```
 \begin{aligned} & \text{wproc2devout } out_{\text{cp}} \ devds \ p_{\text{cp}} \equiv \\ & \text{case } out_{\text{cp}} \ \text{of} \\ & \text{DEV\_READ } \ dev_{\text{id}} \ dev_{\text{port}} \ buffer \Rightarrow \\ & \text{if } \text{is\_error } (\text{vamos\_result\_dev\_read } \ devds \ p_{\text{cp}} \ dev_{\text{id}} \ dev_{\text{port}} \ buffer) \\ & \text{then } \text{idle}_{\Omega V} \ else \ \text{read}_{\Omega V} \ \lceil dev_{\text{id}} \rceil \ \lceil dev_{\text{port}} \rceil \ (\text{bufLength } \ buffer) \\ & \mid \text{DEV\_WRITE } \ dev_{\text{id}} \ dev_{\text{port}} \ data \Rightarrow \\ & \text{if } \text{is\_error } (\text{vamos\_result\_dev\_write } \ devds \ p_{\text{cp}} \ dev_{\text{id}} \ dev_{\text{port}} \ data) \\ & \text{then } \text{idle}_{\Omega V} \ else \ \text{write}_{\Omega V} \ \lceil dev_{\text{id}} \rceil \ \lceil dev_{\text{port}} \rceil \ (\text{map to\_nat32 } (\text{mObjSeq } \ data)) \\ & \mid \ \_ \Rightarrow \text{idle}_{\Omega V} \end{aligned}
```

All process outputs  $out_{cp}$  different from DEV\_READ and DEV\_WRITE have no bearing on the devices and thus result in the output  $idle_{\Omega V}$ . However, as the kernel only forwards promising requests, DEV\_READ and DEV\_WRITE do not automatically cause kernel outputs. At first, it must be ensured that the corresponding kernel call will not result in any error message. For the DEV\_READ call this happens with function vamos\_result\_dev\_read and function vamos\_result\_dev\_write performs this task for the call DEV\_WRITE. For the proper definitions of both result functions we refer to the specifications of the just mentioned Vamos calls (cf. Section 4.4.5). In a nutshell, if the kernel detects any errors while requesting any device, e.g.,  $p_{cp}$  is not a registered driver, the result functions return the corresponding error code. Any error code satisfies predicate is\_error and VAMOS represses the device interaction, i.e., the output denotes  $idle_{\Omega V}$ . In case that VAMOS detects no errors, function  $\omega proc2devout$  takes the process output  $out_{cp}$  and converts it into output to the devices. An output of type  $read_{\Omega V}$  initiates a read request whereas write $\Omega V$  is used for writing.

## 4.3 The Transition Function

The intention of the VAMOS kernel is the handling and processing of (a) external device interrupts and data, and (b) user-generated interrupts. All actions are encapsulated in the transition function  $\delta_V$  carrying the VAMOS automaton from one state over into an adjacent one. As the devices are not part of the VAMOS model, function  $\delta_V$  gets additional external input. This input is given as a tuple consisting of a set of interrupts irqs and device data w. Requests from the user processes can be derived from a VAMOS state  $s_V$ . Accordingly, the definition of  $\delta_V$  looks as follows:

```
\begin{array}{l} \delta_{V}\;(irqs,\,w)\;s_{V}\equiv\\ \text{let}\;\textit{handle\_trap}=\\ \quad \lambda s.\;\text{if}\;\textit{v\_cup}\;\textit{s\_schedds}\neq \bot\;\text{then}\;\text{vamosDispatcher}\;\textit{s}\;w\;\text{else}\;\textit{s};\\ \textit{handle\_timer}=\\ \quad \lambda s.\;\text{if}\;\mathsf{DEV\_TIMER}\in irqs\\ \quad \quad \text{then}\;\text{vamosScheduler}\;\textit{s}\;(\textit{v\_cup}\;\textit{s_{V}}.\text{schedds})\;\text{else}\;\textit{s};\\ \textit{handle\_extint}=\\ \quad \lambda s.\;\text{vamosInterruptDelivery}\;\textit{s}\;(irqs-\{\texttt{DEV\_TIMER}\})\\ \text{in}\;\textit{handle\_extint}\;(\textit{handle\_timer}\;(\textit{handle\_trap}\;\textit{s_{V}})) \end{array}
```

Within a transition, the VAMOS kernel traverses up to three phases:

- 1. If the current process  $p_{cp} = \lceil v\_{cup} \ s_V.{schedds} \rceil$  is defined, we call the VAMOS trap handler vamosDispatcher. It consults the output  $\omega_{proc} \lceil s_V.{procs} \ p_{cp} \rceil \in \Omega_{proc}$  and computes the response according to the current VAMOS state and the (possible) device data w (cf. Section 4.4).
- 2. If the timer-interrupt line is raised, i. e., DEV\_TIMER  $\in irqs$ , the timer-interrupt handler vamosScheduler is invoked (cf. Section 4.5).
- 3. Finally, Vamos delivers the occurred interrupts to the according drivers. The interrupt delivery is defined by function vamosInterruptDelivery and introduced in Section 4.6.

The upcoming sections introduce the dedicated specification functions of the particular phases.

# 4.4 Vamos Trap Handler

The main purpose of the VAMOS trap handler is the handling of user-generated exceptions, like traps or runtime errors. A single run of the kernel only considers the exceptions of the currently running process  $p_{cp}$ . Hence, the invocation of function vamosDispatcher is bounded to the existence of  $p_{cp}$ . For a VAMOS state  $s_V$ , this process is given by  $p_{cp} = \lceil v\_cup s_V.schedds \rceil$ . Handling traps leads to the invocation of the respective kernel calls which, in

turn, might involve device interaction. As described in Section 4.3, the possible device data is given as input  $data_{dev}$  to vamosDispatcher and integrated into the subsequent operations which update the original state  $s_V$ :

```
vamosDispatcher s_V data_{dev} \equiv
  let p_{cp} = [v\_cup \ s_V.schedds]
  in case \omega_{\text{proc}} [s_{\text{V}}.\text{procs } p_{\text{cp}}] of
      PROCESS_CREATE tsl prio img pgs \Rightarrow
        vamos_process_create s<sub>V</sub> tsl prio img pgs
       PROCESS_CLONE hn \Rightarrow \text{vamos\_process\_clone } s_V hn
       PROCESS_KILL hn \Rightarrow vamos\_process\_kill s_V hn
       CHG_SCHED_PARAMS hn tsl prio ⇒
         vamos_change_sched_param s<sub>V</sub> hn tsl prio
        SET_PRIVILEGED hn \Rightarrow vamos\_set\_privileges s_V hn
        MEMORY_ADD hn pages \Rightarrow vamos_memory_add s_V hn pages
        MEMORY_FREE hn pages \Rightarrow vamos_memory_free s_V hn pages
       CHANGE_DRIVER hn irqs register \Rightarrow
         vamos_change_driver sv hn irqs register
       ENABLE_INTERRUPTS irgs \Rightarrow vamos\_enable\_interrupts s_V irgs
      | DEV_READ devid port buffer ⇒
         vamos_dev_read s<sub>V</sub> devid port buffer data<sub>dev</sub>
       DEV_WRITE devid port data \Rightarrow vamos_dev_write s_V devid port data
      | IPC_SEND hn_{rcv} rights<sub>snd</sub> msg hn_{add} rights<sub>add</sub> to<sub>snd</sub> \Rightarrow
         vamos_ipc_send sv hnrcv rightssnd msg hnadd rightsadd tosnd
      | IPC_RECEIVE hn_{snd} msg to_{rcv} \Rightarrow vamos\_ipc\_receive s_V hn_{snd} msg to_{rcv}
      | IPC_REQUEST hn_{rcv} rights<sub>snd</sub> msg hn_{add} rights<sub>add</sub> to<sub>snd</sub> buffer to<sub>rcv</sub> \Rightarrow
         vamos_ipc_send_receive sv hnrcv rightssnd msg hnadd rightsadd
           to<sub>snd</sub> buffer to<sub>rcv</sub>
      | CHANGE_RIGHTS hn_{subj} hn_{obj} grant rights \Rightarrow
         vamos_change_rights s<sub>V</sub> hn<sub>subj</sub> hn<sub>obj</sub> grant rights
        READ_KERNEL_INFO note \Rightarrow vamos_read_kernel_info s<sub>V</sub> note
      | UNDEFINED_TRAP \Rightarrow s_V
          \{ procs := s_{V}.procs(p_{cp} \mapsto \delta_{proc} \text{ ERR\_UNPRIVILEGED } [s_{V}.procs p_{cp}]) \}
       RUNTIME_ERROR \Rightarrow vamos_process_kill s_V HN_SELF
      |\epsilon_{\Omega} \Rightarrow s_{V}(|procs := s_{V}.procs(p_{cp} \mapsto \delta_{proc} \epsilon_{\Sigma} [s_{V}.procs p_{cp}])|)
```

Linchpin of the definition of vamosDispatcher is the case distinction over the output  $\omega_{proc}$  [sv.procs  $p_{cp}$ ] of the current process. Outputs like PROCESS\_CREATE or MEMORY\_ADD imply the invocation of VAMOS calls. Accordingly, vamosDispatcher describes the effects by the respective specification functions. The output UNDEFINED\_TRAP implies that the current instruction of  $p_{cp}$  denotes an undefined TRAP instruction. The acknowledgement of VAMOS comprises the error message ERR\_UNPRIVILEGED which is delivered to  $p_{cp}$  by function  $\delta_{proc}$ . Runtime errors are signaled by the output RUNTIME\_ERROR and usually serve as indication of malicious programming. The VAMOS kernel handles this kind of error in a pretty rigorous way: It simply terminates the causing process. In order to describe the effects of this extraordinary process termination, VAMOS diverts function vamos\_process\_kill

from its intended use, namely describing the effects of the VAMOS call PROCESS\_KILL. The invocation with handle HN\_SELF, however, intends the self-destruction of process  $p_{cp}$ . More details on that presents Section 4.4.3.

However, not all steps of process  $p_{\sf cp}$  involve the kernel. Local transitions are implied by the output  $\epsilon_{\Omega}$  and performed by  $\delta_{\sf proc}$  with input  $\epsilon_{\Sigma}$ .

This section continues with the specifications of the various VAMOS calls. As a matter of clarity, we categorize them into the fields: Access Control, Memory Management, Process Management, Scheduling Mechanism, Device Driver Support, and Inter-Process Communication.

#### 4.4.1 Access Control

The minimal access control in VAMOS reserves most kernel calls for so-called privileged processes. Consequently, passing on privileges in itself is subject to privileged processes. Furthermore, the process  $p_{cp}$  can only contract privileges out to processes which are valid in its context.

Function vamos\_result\_set\_privileges checks for possible violations of these restrictions by computing the response to the caller  $p_{cp}$ :

```
vamos_result_set_privileges rightsdb\ p_{cp}\ hn_{obj}\equiv if \neg privileged rightsdb\ p_{cp}\ then\ ERR\_UNPRIVILEGED else if \neg valid_handle rightsdb\ p_{cp}\ hn_{obj}\ then\ ERR\_INVALID\_HANDLE else SUCCESS
```

Whenever the caller  $p_{cp}$  is not privileged or the handle  $hn_{obj}$  to the object is not valid,  $p_{cp}$  will receive an error message. Otherwise, a success message is returned. In the success case, the privileged status of the object is additionally set active. Formally, function vamos\_set\_privileges describes the according state updates:

```
 \begin{array}{l} \mathsf{vamos\_set\_privileges} \ s_V \ hn_{\mathsf{obj}} \equiv \\ \mathsf{let} \ p_{\mathsf{cp}} = \lceil \mathsf{v\_cup} \ s_V.\mathsf{schedds} \rceil; \ p_{\mathsf{obj}} = \lceil s_V.\mathsf{rightsdb} \ p_{\mathsf{cp}} \rceil.\mathsf{hdb} \ hn_{\mathsf{obj}}; \\ \mathit{res} = \mathsf{vamos\_result\_set\_privileges} \ s_V.\mathsf{rightsdb} \ p_{\mathsf{cp}} \ hn_{\mathsf{obj}}; \\ \mathsf{in} \ \mathsf{if} \ \mathsf{is\_error} \ \mathit{res} \ \mathsf{then} \ s_V ( \mathsf{procs} := s_V.\mathsf{procs}(p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \ \mathit{res} \ \lceil s_V.\mathsf{procs} \ p_{\mathsf{cp}} \rceil) ) \\ \mathsf{else} \ s_V ( \mathsf{procs} := s_V.\mathsf{procs}(p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \ \mathit{res} \ \lceil s_V.\mathsf{procs} \ p_{\mathsf{cp}} \rceil), \\ \mathsf{rightsdb} := s_V.\mathsf{rightsdb}(\lceil p_{\mathsf{obj}} \rceil \mapsto \lceil s_V.\mathsf{rightsdb} \ \lceil p_{\mathsf{obj}} \rceil) \rceil \\ ( \lceil \mathsf{priv} := \mathsf{True} \rceil) ) \end{aligned}
```

The calling process  $p_{cp}$  is obtained by function v\_cup and  $p_{obj}$  denotes the process number of the object process. The latter results from the access to  $p_{cp}$ 's handle database with  $hn_{obj}$ . As  $p_{obj}$  is only relevant in the success case, this access is valid because  $hn_{obj}$  is valid. In all cases, *res* denotes the result of the operation and  $\delta_{proc}$  delivers it to  $p_{cp}$ . Only if *res* does not signal an error, the privilege status of  $p_{obj}$  is set to active.



Figure 4.1: Memory Management in the Overall System

### 4.4.2 Memory Management

The memory management in VAMOS is restricted to the in- and decreasing of the memory amount of particular user processes. The former reflects the allocation, the latter the releasing of memory pages. For this purpose, VAMOS provides the calls MEMORY\_ADD and MEMORY\_FREE. By means of these calls, privileged processes are enabled to take care of their own but also to manipulate the memory amount of other processes.

In particular, for the latter case, it is essential that a process p affected by the memory manipulation is advised of this. An allocation of additional pages is of no avail unless p knows about it. Things are even worse, if the manipulation reduces the memory. Note that accesses to the released memory regions cause runtime errors which, in turn, lead to the termination of p.

In order to avoid such scenarios, VAMOS attaches certain conditions to the memory manipulations and thereby relies on the memory management in the overall system.

Memory Management in the Overall System. In the overall system as depicted in Figure 4.1, the privileged processes will constitute the OS itself or at least parts of the OS, like servers. Thus, the operating system (OS) runs as privileged process on top of the VAMOS kernel and interacts with the user processes. Requests to the OS or to the servers can be triggered by means of the VAMOS call IPC\_REQUEST which is open to all user processes. Thus, if an unprivileged process p, for instance, wants to increase its memory amount, it utilizes IPC\_REQUEST to place its demand and waits for a response of the OS. As privileged process, the OS forwards this request to the VAMOS kernel. If the request succeeds, VAMOS increases the memory amount of p and reports a Success message to the OS. Accordingly, a failure is

acknowledged with an error message. In both cases, the OS transfers the kernel response to p which still waits in the receive phase of IPC\_REQUEST.

Important in the context of the VAMOS kernel is the following observation: If the calling process  $p_{\sf cp}$  wants to manipulate the memory amount of a different process p, this process p must reside in the wait state, i.e., in the wait queue.

Against that background, we proceed with the formal specification of the VAMOS calls MEMORY\_ADD and MEMORY\_FREE.

#### **Increasing the Memory Amount**

Increasing the memory amount of a process is rather straightforward and only affects the virtual machines. The calling process  $p_{\sf cp}$  specifies a handle  $hn_{\sf victim}$  to identify the process whose memory should be increased by pgs pages.

As usual, the invocation of a VAMOS call either succeeds or not. VAMOS uses function vamos\_result\_memory\_add to compute the corresponding response to  $p_{cp}$ :

```
vamos_result_memory_add uprocs\ rightsdb\ waiting_{victim}\ p_{cp}\ hn_{victim}\ pgs \equiv if \neg privileged rightsdb\ p_{cp} then ERR_UNPRIVILEGED else if \neg valid_handle rightsdb\ p_{cp}\ hn_{victim} then ERR_INVALID_HANDLE else if \neg mem_available uprocs\ pgs then ERR_OUT_OF_MEM else if \neg waiting_{victim} \land hn_{victim} \neq HN_SELF then ERR_PROCESS_NOT_READY else SUCCESS
```

Checking the privileges of  $p_{cp}$ , the validity of  $hn_{\text{victim}}$  and the availability of further memory was introduced before. The last check, however, takes the aformentioned scenario into account. Everything is fine, if  $p_{cp}$  wants to increase its own memory amount, i.e.,  $hn_{\text{victim}} = \text{HN\_SELF}$ . Otherwise,  $p_{cp}$  is only enabled to increase the memory amount of the victim, if this is waiting. The latter is denoted by the additional flag waitingvictim.

Based on the result of vamos\_result\_memory\_add, the overall specification function vamos\_memory\_add describes the effects of the memory increasing on a VAMOS state s<sub>V</sub>:

```
 \begin{array}{l} {\rm vamos\_memory\_add} \ s_V \ hn_{\rm victim} \ pgs \equiv \\ {\rm let} \ p_{\rm cp} = \lceil v\_{\rm cup} \ s_V.{\rm schedds} \rceil; \ p_{\rm victim} = \lceil \lceil s_V.{\rm rightsdb} \ p_{\rm cp} \rceil.{\rm hdb} \ hn_{\rm victim} \rceil; \\ {\it waiting}_{\rm victim} = p_{\rm victim} \in {\rm set} \ s_V.{\rm schedds.wait}; \\ {\it res} = {\rm vamos\_result\_memory\_add} \ s_V.{\rm procs} \ s_V.{\rm rightsdb} \ waiting_{\rm victim} \ p_{\rm cp} \\ {\it hn}_{\rm victim} \ pgs; \\ {\it procs}_{\rm add} = s_V.{\rm procs}(p_{\rm victim} \mapsto \delta_{\rm proc} \ ({\rm ADD\_MEMORY} \ pgs) \ \lceil s_V.{\rm procs} \ p_{\rm victim} \rceil) \\ {\rm in} \ {\rm if} \ {\rm is\_error} \ {\it res} \ {\rm then} \ s_V(|{\rm procs} := s_V.{\rm procs}(p_{\rm cp} \mapsto \delta_{\rm proc} \ res \ \lceil s_V.{\rm procs} \ p_{\rm cp} \rceil)) \\ {\rm else} \ s_V(|{\rm procs} := procs_{\rm add}(p_{\rm cp} \mapsto \delta_{\rm proc} \ {\rm SUCCESS} \ \lceil procs_{\rm add} \ p_{\rm cp} \rceil)) \\ \end{array}
```

In case of failure, only the error message is delivered to the calling process  $p_{cp}$ . For the success case, the definition obtains the process number

 $p_{\text{victim}}$  of the victim by accessing  $p_{\text{cp}}$ 's handle database with  $hn_{\text{victim}}$  and flag  $waiting_{\text{victim}}$  abbreviates the fact that  $p_{\text{victim}}$  is part of the wait queue. The intermediate update  $procs_{\text{add}}$  describes the allocation of pgs additional memory pages and is obtained by the application of function  $\delta_{\text{proc}}$  with message ADD\_MEMORY to the virtual machine of  $p_{\text{victim}}$ . Based on  $procs_{\text{add}}$ , VAMOS finally delivers the SUCCESS message to process  $p_{\text{cp}}$ .

Note that the application of  $\delta_{proc}$  with message ADD\_MEMORY only increases the page table length but not the program counters. This is due to the fact, that  $p_{\text{victim}}$  is expected to be still in the receive phase of an IPC\_REQUEST. The program counters are increased not until this call is completed, i.e., when the OS responds to the request. With the OS response, the VAMOS kernel sends a SUCC\_RECEIVE message to  $p_{\text{victim}}$  which involves the increasing of the program counters.

#### Decreasing the Memory Amount

Similar to the increasing, the calling process  $p_{\sf cp}$  specifies a handle  $hn_{\sf victim}$  in order to identify the victim whose memory amount should be decreased by pgs pages. The result function  ${\sf vamos\_result\_memory\_free}$  adopts most error checks from above, as its definition illustrates:

```
vamos_result_memory_free uprocs rightsdb waiting_victim p_{cp} hn_{victim} pgs \equiv let p_{victim} = \lceil rightsdb \ p_{cp} \rceil.hdb hn_{victim} in if \neg privileged rightsdb \ p_{cp} then ERR_UNPRIVILEGED else if \neg valid_handle rightsdb \ p_{cp} hn_{victim} then ERR_INVALID_HANDLE else if size_{proc} \lceil uprocs \lceil p_{victim} \rceil \rceil \leq pgs then ERR_INVALID_ARGS else if \neg waiting_victim \wedge hn_{victim} \neq HN_SELF then ERR_PROCESS_NOT_READY else SUCCESS
```

Being in the process of freeing memory makes the check for memory resources superfluous. Instead, vamos\_result\_memory\_free introduces an opposite check. Releasing the whole memory of a process would result in its termination. As this is not the intended meaning of the FREE\_MEMORY call, VAMOS restricts the number of released pages. Thus, pgs must be smaller than the number of pages the victim occupies. The latter is obtained by applying function  $size_{proc}$  to the virtual machine of  $p_{victim}$ . The process number  $p_{victim}$  is taken from  $p_{cp}$ 's handle database.

In many cases, it is more effort to remove than to add something. With the decreasing of the memory amount it is exactly the same. While adding memory pages only affects the virtual machines, releasing memory pages might also affect pending IPC operations of the victim. The latter happens, if involved memory regions become unavailable. Vamos determines this situation by predicate is\_ipc\_memory\_err:

```
 \begin{array}{l} \text{is\_ipc\_memory\_err} \ \mathit{freed}_{\mathsf{victim}} \ \mathit{sndstat}_{\mathsf{victim}} \equiv \\ \mathbf{case} \ \omega_{\mathsf{proc}} \ \mathit{freed}_{\mathsf{victim}} \ \mathbf{of} \\ \text{IPC\_SEND} \ \mathit{hn}_{\mathsf{recv}} \ \mathit{rights}_{\mathsf{send}} \ \mathit{msg} \ \mathit{hn}_{\mathsf{add}} \ \mathit{rights}_{\mathsf{add}} \ \mathit{timeout}_{\mathsf{send}} \Rightarrow \\ \end{array}
```

```
msg = MObjUnavailable
| IPC\_RECEIVE \ hn_{send} \ buffer \ timeout_{recv} \Rightarrow buffer = BufUnavailable
| IPC\_REQUEST \ hn_{recv} \ rights_{send} \ msg \ hn_{add} \ rights_{add} \ timeout_{send} \ buffer
timeout_{recv} \Rightarrow buffer = BufUnavailable \lor \neg sndstat_{victim} \land msg = MObjUnavailable
| \_ \Rightarrow True
```

Let  $freed_{victim}$  determine the virtual machine of the victim after the memory release and  $sndstat_{victim}$  the victim's send status. In order to figure out any errors regarding the memory used in a (possible) IPC operation, we apply function  $\omega_{proc}$  to  $freed_{victim}$ . The predicate applies, if any specified message or buffer becomes unavailable by the memory release. In this case, VAMOS decreases the memory amount of the victim and additionally aborts the operation with an according error message.

The overall specification function vamos\_memory\_free encapsulates the relevant updates:

```
 \begin{array}{l} {\rm vamos\_memory\_free} \ s_V \ hn_{\rm victim} \ pgs \equiv \\ {\rm let} \ p_{\rm cp} = \lceil v\_{\rm cup} \ s_V.{\rm schedds} \rceil; \\ waiting_{\rm victim} = \\ {\lceil s_V.{\rm rightsdb} \ p_{\rm cp} \rceil.{\rm hdb} \ hn_{\rm victim} \rceil} \in {\rm set} \ s_V.{\rm schedds.wait}; \\ res = \\ {\rm vamos\_result\_memory\_free} \ s_V.{\rm procs} \ s_V.{\rm rightsdb} \ waiting_{\rm victim} \\ p_{\rm cp} \ hn_{\rm victim} \ pgs \\ {\rm in} \ {\rm if} \ {\rm is\_error} \ res \ {\rm then} \ s_V (|{\rm procs} := s_V.{\rm procs}(p_{\rm cp} \mapsto \delta_{\rm proc} \ res \ \lceil s_V.{\rm procs} \ p_{\rm cp} \rceil)|) \\ {\rm else} \ s_V (|{\rm procs} := v\_{\rm memory\_free\_updt\_procs} \ s_V.{\rm priodb} \ s_V.{\rm priodb} \ s_V.{\rm sndstatdb} \ waiting_{\rm victim} \ p_{\rm cp} \ hn_{\rm victim} \\ pgs, \\ {\rm schedds} := v\_{\rm memory\_free\_updt\_sndstatdb} \ s_V.{\rm sndstatdb} \ s_V.{\rm procs} \\ {\rm s_V.{\rm priodb} \ s_V.{\rm rightsdb} \ waiting_{\rm victim} \ p_{\rm cp} \ hn_{\rm victim} \\ pgs, \\ {\rm sndstatdb} := v\_{\rm memory\_free\_updt\_sndstatdb} \ s_V.{\rm sndstatdb} \ s_V.{\rm procs} \\ {\rm s_V.{\rm rightsdb} \ waiting_{\rm victim} \ p_{\rm cp} \ hn_{\rm victim} \\ pgs)} \\ \end{array}
```

In case of success, dedicated functions encapsulate the particular state updates. Otherwise, only the error message is delivered to the calling process  $\rho_{\sf cp}$ .

**Updating the Virtual Machines.** The update of the virtual machines comprises the delivery of the success message to the calling process  $p_{cp}$ , on the one hand, and the decreasing of  $p_{\text{victim}}$ 's memory amount together with a (possible) error message, on the other one.

Formally, function v\_memory\_free\_updt\_procs describes the update:

```
\label{eq:v_memory_free_updt_procs} $$v\_memory\_free\_updt\_procs \ uprocs \ priodb \ rightsdb \ sndstatdb \ waiting_{victim} \ p_{cp} \\ hn_{victim} \ pgs \equiv \\ \textbf{let} \ p_{victim} = \lceil \lceil rightsdb \ p_{cp} \rceil . \textbf{hdb} \ hn_{victim} \rceil; \\ freed_{victim} = \delta_{proc} \ (\texttt{FREE\_MEMORY} \ pgs) \ \lceil uprocs \ p_{victim} \rceil; \\ \end{cases}
```

```
\begin{array}{l} \textit{error}_{\mathsf{victim}} = \\ \textit{waiting}_{\mathsf{victim}} \land \mathsf{is\_ipc\_memory\_err} \; \textit{freed}_{\mathsf{victim}} \; \lceil \mathit{sndstatdb} \; p_{\mathsf{victim}} \rceil; \\ \textit{res}_{\mathsf{victim}} = \\ \mathbf{if} \; \mathsf{vamoslsSending} \; \textit{uprocs} \; \textit{sndstatdb} \; p_{\mathsf{victim}} \; \mathbf{then} \; \mathsf{ERR\_SND\_SEGV} \\ \mathbf{else} \; \mathsf{ERR\_RCV\_SEGV}; \\ \textit{updt}_{\mathsf{victim}} = \mathbf{if} \; \textit{error}_{\mathsf{victim}} \; \mathbf{then} \; \delta_{\mathsf{proc}} \; \textit{res}_{\mathsf{victim}} \; \textit{freed}_{\mathsf{victim}} \; \mathbf{else} \; \textit{freed}_{\mathsf{victim}} \\ \mathbf{in} \; \mathbf{if} \; p_{\mathsf{victim}} = p_{\mathsf{cp}} \; \mathbf{then} \; \textit{uprocs}(p_{\mathsf{victim}} \mapsto \delta_{\mathsf{proc}} \; \mathsf{SUCCESS} \; \textit{updt}_{\mathsf{victim}}) \\ \mathbf{else} \; \textit{uprocs}(p_{\mathsf{victim}} \mapsto \textit{updt}_{\mathsf{victim}}, \; p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \; \mathsf{SUCCESS} \; \lceil \mathit{uprocs} \; p_{\mathsf{cp}} \rceil) \end{array}
```

The definition introduces a couple of abbreviations. Process number  $p_{\text{victim}}$  of the victim is obtained by accessing  $p_{cp}$ 's handle database with  $hn_{\text{victim}}$ . The update of  $p_{\text{victim}}$ 's virtual machine comes in two steps: The first one  $freed_{\text{victim}}$  results from the application of  $\delta_{\text{proc}}$  with input FREE\_MEMORY and releases pgs memory pages. The second step leads to the final update  $updt_{\text{victim}}$  of  $p_{\text{victim}}$ 's virtual machine. If the releasing entails an IPC error,  $updt_{\text{victim}}$  additionally comprises the delivery of the according error message  $res_{\text{victim}}$ . Otherwise, it is equal to  $freed_{\text{victim}}$ . The flag  $error_{\text{victim}}$  signals the arising of an IPC error. It is active, if  $p_{\text{victim}}$  is waiting and predicate is\_ipc\_memory\_err applies.

Based on these abbreviations, v\_memory\_free\_updt\_procs performs the actual update of the virtual machines uprocs. If  $p_{\text{victim}} = p_{\text{cp}}$ , only the success message is delivered. Note that in this case  $updt_{\text{victim}} = freed_{\text{victim}}$ , because  $p_{\text{cp}}$  is not waiting, i.e.,  $\neg error_{\text{victim}}$ . Otherwise, the entries for  $p_{\text{victim}}$  and  $p_{\text{cp}}$  are set separately.

As with the memory increasing, the application of function  $\delta_{proc}$  with the input FREE\_MEMORY does not increase the program counters.

Updating the Scheduling Datastructures. The scheduling datastructures only need an update, if an IPC error occurs. In this case, the victim is put back into the ready state.

Function v\_memory\_free\_updt\_schedds gives the formal specification:

 $\begin{aligned} & \text{v\_memory\_free\_updt\_schedds} \ schedds \ uprocs \ priodb \ rightsdb \ sndstatdb \ p_{\text{cp}} \ hn_{\text{victim}} \\ & pgs \equiv \\ & \text{let} \ p_{\text{victim}} = \lceil\lceil rightsdb \ p_{\text{cp}} \rceil. \text{hdb} \ hn_{\text{victim}} \rceil; \\ & \textit{freed}_{\text{victim}} = \delta_{\text{proc}} \ (\text{FREE\_MEMORY} \ pgs) \ \lceil uprocs \ p_{\text{victim}} \rceil; \\ & \textit{waiting}_{\text{victim}} = p_{\text{victim}} \in \text{set} \ schedds. \text{wait}; \\ & \textit{error}_{\text{victim}} = \\ & \textit{waiting}_{\text{victim}} \ \land \text{is\_ipc\_memory\_err} \ \textit{freed}_{\text{victim}} \ \lceil sndstatdb \ p_{\text{victim}} \rceil \\ & \text{in} \ \textit{if} \ \textit{error}_{\text{victim}} \ \textit{then} \ \text{v\_wkp\_updt\_schedds} \ \textit{schedds} \ \lceil p_{\text{victim}} \rceil \ \textit{priodb} \end{aligned}$ 

As above, an active flag  $error_{victim}$  signals an IPC error. The awakening of  $p_{victim}$  describes function  $v_{wkp\_updt\_schedds}$ .

Updating the Send Status Database. As with the scheduling datastructures, the send status database is only updated, if an IPC error occurs.

If so, the entry of  $p_{\text{victim}}$  is reset to  $\perp$ .

Accordingly, the formal definition of  $v_memory_free_updt_sndstatdb$  is straightforward:

```
v_memory_free_updt_sndstatdb sndstatdb uprocs\ rightsdb\ waiting_{victim}\ p_{cp}\ hn_{victim}\ pgs \equiv \\ let\ p_{victim} = \lceil\lceil rightsdb\ p_{cp}\rceil.hdb\ hn_{victim}\rceil; \\ freed_{victim} = \delta_{proc}\ (FREE\_MEMORY\ pgs)\ \lceil uprocs\ p_{victim}\rceil; \\ error_{victim} = \\ waiting_{victim}\ \land\ is\_ipc\_memory\_err\ freed_{victim}\ \lceil sndstatdb\ p_{victim}\rceil \\ in\ if\ error_{victim}\ then\ sndstatdb(p_{victim}\ \mapsto\ False)\ else\ sndstatdb
```

## 4.4.3 Process Management

The process management in Vamos provides the possibility to dynamically create, clone and terminate processes. In the kernel's ABI, these operations are represented by the calls PROCESS\_CREATE, PROCESS\_CLONE and PROCESS\_KILL. The two former calls are reserved for privileged processes only, whereas self-termination is allowed to all processes. Terminating other processes, however, requires again the privileged status.

#### Creating a New Process

If the calling process  $p_{\sf cp}$  wants to create a new process, it has to specify several arguments. Regarding the scheduling,  $p_{\sf cp}$  has to determine the priority pri and the timeslice tsl for the new process. In order to configure the initial memory,  $p_{\sf cp}$  specifies the number pgs of memory pages that should be allocated for the new process and provides the initial memory image img.

The process creation only succeeds, if the parameters fulfill certain requirements. In addition, system-related sources of failure must be excluded. For this reason, we define function vamos\_result\_create determining the kernel's response to the calling process:

```
vamos_result_create uprocs rightsdb p_{\text{cp}} pri img pgs \equiv \text{if} \neg \text{privileged } rightsdb \ p_{\text{cp}} then \text{ERR\_UNPRIVILEGED} else if pri = \bot \lor img \in \{\text{MObjUndefined}, \text{MObjUnavailable}\} \lor (\exists \textit{wl. img} = \text{MObjSeq} \ \textit{wl} \land pgs * \text{PAGE\_SIZE} < \text{length} \ \textit{wl}) \lor pgs = 0 \lor \text{TVM\_MAXPAGES} \le pgs then \text{ERR\_INVALID\_ARGS} else if \neg \text{procs\_available} \ uprocs then \text{ERR\_OUT\_OF\_PIDS} else if \neg \text{mem\_available} \ uprocs (mem_img_length img div PAGE_SIZE) then \text{ERR\_OUT\_OF\_MEM} else \text{SUCCESS}
```

As long as the calling process  $p_{cp}$  is not privileged, the call is aborted with the error message ERR\_UNPRIVILEGED. If  $p_{cp}$  is privileged, function va-

mos\_result\_create inspects the validity of the arguments. Process  $p_{cp}$  has invoked PROCESS\_CREATE with invalid arguments, if either: (a) the priority is invalid, i. e.,  $pri = \bot$ , (b) the memory image img is undefined or unavailable, (c) the memory image img indeed denotes a sequence ws of words but its length would exceed the assigned memory, or (d) the new process should be occupied with 0 or more than TVM\_MAXPAGES memory pages. In all cases, VAMOS cancels the call and delivers the error message ERR\_INVALID\_ARGS. Finally, vamos\_result\_create checks the system resources. A process creation is not possible, if all processes are in use. In this case, VAMOS returns ERR\_OUT\_OF\_PIDS to  $p_{cp}$ . The same applies for lacking memory resources which are acknowledged with error ERR\_OUT\_OF\_MEM.

In the absence of any errors, function <code>vamos\_result\_create</code> returns <code>SUCCESS</code> and initiates thereby the updates of the kernel datastructures in the overall specification function <code>vamos\_process\_create</code>:

```
vamos_process_create s_V tsl pri img pgs \equiv 1 let p_{\sf cp} = \lceil v\_{\sf cup} \ s_V.{\sf schedds} \rceil; \ p_{\sf new} = \mathsf{hd} \ s_V.{\sf schedds.inactive}; \ res = \mathsf{vamos\_result\_create} \ s_V.{\sf procs} \ s_V.{\sf rightsdb} \ p_{\sf cp} \ pri \ img \ pgs in if is_error res then s_V(\lceil \mathsf{procs} := s_V.{\sf procs}(p_{\sf cp} \mapsto \delta_{\sf proc} \ res \ \lceil s_V.{\sf procs} \ p_{\sf cp} \rceil)) else s_V(\lceil \mathsf{procs} := \mathsf{v\_create\_updt\_procs} \ s_V.{\sf procs} \ s_V.{\sf rightsdb} \ p_{\sf cp} \ p_{\sf new} (init_{proc} (mObjSeq img) pgs), schedds := \mathsf{v\_create\_updt\_schedds} \ s_V.{\sf schedds} \ p_{\sf cp} \ p_{\sf new} \ tsl \lceil pri \rceil, priodb := s_V.{\sf priodb}(p_{\sf new} := pri), sndstatdb := s_V.{\sf sndstatdb}(p_{\sf new} \mapsto \sf False), rightsdb := v\_{\sf create\_updt\_rightsdb} \ s_V.{\sf rightsdb} \ p_{\sf cp} \ p_{\sf new})
```

Function  $v_{\text{cup}}$  delivers the calling process  $p_{\text{cp}}$ , whereas the head of the inactive list determines the process number  $p_{\text{new}}$  of the new process. Setting the priority and the send status is easy enough to be done directly. The entry  $p_{\text{new}}$  in the priority database is set to pri and the send status is set to False. Dedicated functions complete the updates of the remaining state components.

**Updating the User Machines.** As shown in the definition above, the update function  $v_{\text{create\_updt\_procs}}$  takes the initial machine  $proc_{\text{new}}$  for the new process  $p_{\text{new}}$  as input. It is based on the memory image img and computed by the initialization function  $init_{\text{proc}}$  for user processes.

Apart from setting the entry  $p_{\sf new}$  in the user machine mapping uprocs to  $proc_{\sf new}$ , the update also comprises the delivery of the success message to the caller  $p_{\sf cp}$ :

```
v_create_updt_procs uprocs rightsdb p_{cp} p_{new} proc_{new} \equiv let hn_{new} = to\_hn \ rightsdb \ p_{cp} \ p_{new} in uprocs(p_{cp} \mapsto \delta_{proc} \ (SUCC\_NEW\_PROCESS \ hn_{new}) \ \lceil uprocs \ p_{cp} \rceil, \ p_{new} \mapsto proc_{new})
```

The success message SUCC\_NEW\_PROCESS also contains the handle  $hn_{\text{new}}$  to the newly created process. Based on the process number  $p_{\text{new}}$ , it is computed by the function to\_hn.

Updating the Scheduling Datastructures. The new process  $p_{\text{new}}$  needs to be integrated into the scheduling mechanism. Consequently, it is appended to the ready queue of priority pri and removed from the inactive queue. Regarding the process-specific scheduling data of  $p_{\text{new}}$ , VAMOS inherits the specified value tsl as new timeslice. By default, no time is yet consumed and the timeout is infinite. Function  $v_{\text{create\_updt\_schedds}}$  formalizes this:

```
\label{eq:v_create_updt_schedds} $$ v_{\text{cp}} \ p_{\text{new}} \ tsl \ pri \equiv schedds $$ (\text{ready} := schedds.\text{ready}(pri := schedds.\text{ready} \ pri @ [p_{\text{new}}]), $$ inactive := [x \in schedds.\text{inactive} \ . \ x \neq p_{\text{new}}], $$ procdb := schedds.\text{procdb}(p_{\text{new}} \mapsto (\text{tsl} = tsl, \ \text{ctsl} = 0, \ \text{timeout} = \infty))) $$ (\text{tsl} = tsl, \ \text{ctsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{timeout} = \infty)$$ (\text{tsl} = tsl, \ \text{tsl} = 0, \ \text{tsl} = 0,
```

**Updating the Rights Datastructures.** The update of the rights datastructures splits up into two parts: (a) updating the rights datastructures of the calling process  $p_{cp}$ , and (b) initializing the ones of the new process  $p_{new}$ .

Formally, these parts are described by function v\_create\_updt\_rightsdb:

The definition abbreviates the update of the caller's rights datastructures by  $rightsdb_{cp}$ . Within  $rightsdb_{cp}$ , handle  $hn_{new}$  refers to the new process  $p_{new}$ . It corresponds to the one in the success message and enables  $p_{cp}$  to identify the new process  $p_{new}$ . In addition,  $p_{cp}$  is fit out with all rights to  $p_{new}$ .

The initial rights datastructures  $rightsdb_{new}$  of  $p_{new}$  comprise no privileges, an empty set of stolen handles and  $p_{cp}$  as parent. The latter is reflected in the handle database by HN\_PARENT pointing to  $p_{cp}$ . Furthermore, HN\_SELF is assigned to  $p_{new}$ . The only right owned by  $p_{new}$  is the v\_requestR right to  $p_{cp}$ .

#### Cloning a Process

Cloning creates a new process that acts as duplicate of the original process. For this to work, the calling process  $p_{cp}$  has to specify a handle  $hn_{cl}$  to the

process that should be cloned. Again, a function vamos\_result\_clone checks, whether the cloning will be successful and returns the response to  $p_{cp}$  if not:

```
vamos_result_clone uprocs rightsdb waiting_cl p_{cp} hn_{cl} \equiv  let p_{cl} = \lceil \lceil rightsdb \ p_{cp} \rceil.hdb hn_{cl} \rceil in if \neg privileged rightsdb p_{cp} then ERR_UNPRIVILEGED else if \neg valid_handle rightsdb p_{cp} hn_{cl} then ERR_INVALID_HANDLE else if \neg procs_available uprocs then ERR_OUT_OF_PIDS else if \neg mem_available uprocs (size_{proc} \lceil uprocs \ p_{cl} \rceil) then ERR_OUT_OF_MEM else if \neg waiting_cl \wedge hn_{cl} \neq HN_SELF then ERR_PROCESS_NOT_READY else SUCCESS
```

The response comprises a failure notice in case of (a) an unprivileged calling process  $p_{cp}$ , (b) an invalid handle  $hn_{cl}$ , (c) insufficient system-resources regarding available processes and memory, or (d) the process to be cloned is not  $p_{cp}$  and not waiting. As with the calls MEMORY\_FREE and MEMORY\_ADD, if the calling process  $p_{cp}$  wants to clone a process  $p_{cl}$  which is different from itself, i. e.,  $hn_{cl} \neq HN\_SELF$ , this process  $p_{cl}$  must reside in the wait state, i. e., in the wait queue. The latter is denoted by the additional flag waiting<sub>cl</sub>.

As long as  $vamos\_result\_clone$  detects any errors, only the error message is passed on to the caller by means of function  $\delta_{proc}$ . The remaining internal kernel datastructures remain untouched. Only the response SUCCESS enables the process cloning and the involved updates.

The overall formalization is given by function vamos\_process\_clone:

```
\begin{aligned} &\mathsf{vamos\_process\_clone}\ s_V\ hn_\mathsf{cl} \equiv \\ &\mathsf{let}\ p_\mathsf{cp} = \lceil \mathsf{v\_cup}\ s_\mathsf{V}.\mathsf{schedds} \rceil;\ p_\mathsf{cl} = \lceil \lceil s_\mathsf{V}.\mathsf{rightsdb}\ p_\mathsf{cp} \rceil.\mathsf{hdb}\ hn_\mathsf{cl} \rceil;\\ &p_\mathsf{new} = \mathsf{hd}\ s_\mathsf{V}.\mathsf{schedds}.\mathsf{inactive};\\ &\mathit{res} = \mathsf{vamos\_result\_clone}\ s_\mathsf{V}.\mathsf{procs}\ s_\mathsf{V}.\mathsf{rightsdb}\ (p_\mathsf{cl}\ \mathsf{mem}\ s_\mathsf{V}.\mathsf{schedds}.\mathsf{wait})\\ &p_\mathsf{cp}\ hn_\mathsf{cl}\\ &\mathsf{in}\ \mathsf{if}\ \mathsf{is\_error}\ \mathit{res}\ \mathsf{then}\ s_\mathsf{V}(|\mathsf{procs} := s_\mathsf{V}.\mathsf{procs}(p_\mathsf{cp} \mapsto \delta_\mathsf{proc}\ \mathit{res}\ \lceil s_\mathsf{V}.\mathsf{procs}\ p_\mathsf{cp} \rceil)|)\\ &\mathsf{else}\ s_\mathsf{V}(|\mathsf{procs} := \mathsf{v\_clone\_updt\_procs}\ s_\mathsf{V}.\mathsf{procs}\ s_\mathsf{V}.\mathsf{rightsdb}\ p_\mathsf{cp}\ p_\mathsf{cl}\ p_\mathsf{new},\\ &\mathsf{schedds} := \mathsf{v\_clone\_updt\_schedds}\ s_\mathsf{V}.\mathsf{schedds}\ s_\mathsf{V}.\mathsf{procs}\ s_\mathsf{V}.\mathsf{sndstatdb}\\ &s_\mathsf{V}.\mathsf{rightsdb}\ p_\mathsf{cl}\ p_\mathsf{new}\ \lceil s_\mathsf{V}.\mathsf{priodb}\ p_\mathsf{cl} \rceil,\\ &\mathsf{priodb} := s_\mathsf{V}.\mathsf{priodb}(p_\mathsf{new} := s_\mathsf{V}.\mathsf{priodb}\ p_\mathsf{cl}),\\ &\mathsf{rightsdb} := \mathsf{v\_clone\_updt\_rightsdb}\ s_\mathsf{V}.\mathsf{rightsdb}\ p_\mathsf{cp}\ p_\mathsf{cl}\ p_\mathsf{new}) \end{aligned}
```

In case of success, the process number  $p_{cl}$  of the cloned process is obtained by accessing  $p_{cp}$ 's handle database with handle  $hn_{cl}$ . Again, the head of the inactive queue determines the process number  $p_{new}$  of the new process.

Similar as above, the updates of the priority and the send status databases are straightforward: VAMOS simply adopts the values of  $p_{cl}$  and assigns them to  $p_{new}$ . Dedicated functions describe the remaining ones.

Updating the User Machines. Creating and cloning of processes has a similar impact on the user machines. The calling process  $p_{cp}$  is informed

about the successful operation and the new process  $p_{\sf new}$  is assigned to a virtual assembly machine. In the context of cloning, however, VAMOS does not associate  $p_{\sf new}$  with an initial machine but with the one of the cloned process  $p_{\sf cl}$ . The definition of  $v_{\sf clone\_updt\_procs}$  reflects this:

```
v_clone_updt_procs uprocs rightsdb p_{\text{cp}} p_{\text{cl}} p_{\text{new}} \equiv \text{let } h n_{\text{new}} = \text{to\_hn } rightsdb \; p_{\text{cp}} \; p_{\text{new}} in \lambda x. if x = p_{\text{cp}} then \lfloor \delta_{\text{proc}} \; (\text{SUCC\_NEW\_PROCESS} \; h n_{\text{new}}) \; \lceil uprocs \; p_{\text{cp}} \rceil \rfloor else if x = p_{\text{new}} \; \wedge \; p_{\text{cl}} = p_{\text{cp}} then \lfloor \delta_{\text{proc}} \; (\text{SUCC\_NEW\_PROCESS} \; \text{HN\_NONE}) \; \lceil uprocs \; p_{\text{cp}} \rceil \rfloor else if x = p_{\text{new}} \; \text{then} \; uprocs \; p_{\text{cl}} \; \text{else} \; uprocs \; x
```

Updating the virtual machine of  $p_{cp}$  is clear enough such that we directly move on to the one of process  $p_{new}$ . While assigning the virtual machine to  $p_{new}$ , function v\_clone\_updt\_procs has to take into account that the process  $p_{cp}$  might have cloned itself, i. e.,  $p_{cl} = p_{cp}$ . If so,  $p_{new}$  – as duplicate of  $p_{cp}$  – expects a kernel response and VAMOS delivers it. In this case, however, the response does not contain a process handle but HN\_NONE. In case that  $p_{cl} \neq p_{cp}$ ,  $p_{new}$  is assigned to the virtual machine of  $p_{cl}$ . All other virtual machines remain untouched.

**Updating the Scheduling Datastructures.** The update of the scheduling datastructures entails the integration of  $p_{new}$  into the VAMOS process scheduling. It is removed from the inactive queue and its consumed time is set to 0. Depending on the state of the cloned process  $p_{cl}$ , it is either appended to a ready or the wait queue.

The formal specification is given by function v\_clone\_updt\_schedds:

```
 \begin{aligned} &\text{v\_clone\_updt\_schedds} \ schedds \ uprocs \ sndstatdb \ rightsdb \ p_{\text{cl}} \ p_{\text{new}} \ pri_{\text{cl}} \equiv \\ &\text{let} \ ready_{\text{cl}} = p_{\text{cl}} \in \text{set} \ (schedds.\text{ready} \ pri_{\text{cl}}) \\ &\text{in} \ schedds \\ &\text{(|ready} := schedds.\text{ready} \\ &\text{(|pri_{\text{cl}} := if} \ ready_{\text{cl}} \ then \ schedds.\text{ready} \ pri_{\text{cl}} \ @ \ [p_{\text{new}}] \\ &\text{else} \ schedds.\text{ready} \ pri_{\text{cl}}), \\ &\text{inactive} := [x \in schedds.\text{inactive} \ . \ x \neq p_{\text{new}}], \\ &\text{wait} := \text{if} \ ready_{\text{cl}} \ then \ schedds.\text{wait} \ else \ schedds.\text{wait} \ @ \ [p_{\text{new}}], \\ &\text{procdb} := schedds.\text{procdb}(p_{\text{new}} \mapsto \lceil schedds.\text{procdb} \ p_{\text{cl}} \rceil) (|\text{ctsl} := 0|))) \end{aligned}
```

In the definition, flag  $ready_{cl}$  is active, if  $p_{cl}$  is member of the ready queue  $schedds.ready\ pri_{cl}$ , where  $pri_{cl}$  denotes its priority. As  $p_{new}$  will have the same state as  $p_{cl}$ , VAMOS appends  $p_{new}$  to  $schedds.ready\ pri_{cl}$ , if  $ready_{cl}$  is active and to schedds.wait, otherwise.

Updating the Rights Datastructures The update of the caller's rights datastructures  $rightsdb_{cp}$  happens in perfect analogy to the one within the process creation. Regarding the rights datastructures  $rightsdb_{new}$  of the new

process, VAMOS mainly copies the ones of  $p_{cl}$ . Only the entry HN\_SELF in the handle database is reset to  $p_{new}$ :

```
 \begin{aligned} & \text{v\_clone\_updt\_rightsdb} \ \textit{rightsdb} \ \textit{p}_{\text{cp}} \ \textit{p}_{\text{cl}} \ \textit{p}_{\text{new}} \equiv \\ & \text{let} \ \textit{hn}_{\text{new}} = \text{to\_hn} \ \textit{rightsdb} \ \textit{p}_{\text{cp}} \ \textit{p}_{\text{new}}; \\ & \textit{rightsdb}_{\text{cp}} = \lceil \textit{rightsdb} \ \textit{p}_{\text{cp}} \rceil. \text{hdb}(\textit{hn}_{\text{new}} \mapsto \textit{p}_{\text{new}}), \\ & \text{(hdb} := \lceil \textit{rightsdb} \ \textit{p}_{\text{cp}} \rceil. \text{rdb}(\lfloor \textit{p}_{\text{new}} \rfloor \mapsto \textit{p}_{\text{new}}), \\ & \text{rdb} := \lceil \textit{rightsdb} \ \textit{p}_{\text{cp}} \rceil. \text{rdb}(\lfloor \textit{p}_{\text{new}} \rfloor \mapsto \textit{p}_{\text{new}}), \\ & \text{\{v\_sendR, v\_requestR, v\_multipleR, v\_finiteR\})} ; \\ & \textit{rightsdb}_{\text{new}} = \lceil \textit{rightsdb} \ \textit{p}_{\text{cl}} \rceil (\text{hdb} := \lceil \textit{rightsdb} \ \textit{p}_{\text{cl}} \rceil. \text{hdb}(\text{HN\_SELF} \mapsto \textit{p}_{\text{new}})) \\ & \text{in} \ \textit{rightsdb}(\textit{p}_{\text{cp}} \mapsto \textit{rightsdb}_{\text{cp}}, \ \textit{p}_{\text{new}} \mapsto \textit{rightsdb}_{\text{new}}) \end{aligned}
```

#### Killing a Process

Process termination in VAMOS is a pretty elaborate issue. The main steps on the way to terminate a process  $p_{\text{victim}}$  are (a) its removal from the scheduling queues, (b) its deregistration as device driver, (c) the invalidation of handles pointing to  $p_{\text{victim}}$ , and (d) the abortion of pending IPC operations involving it.

In particular, the two latter steps are the most complex ones. They might entail the delivery of notifications or error messages which comes along with the awakening of the processes concerned. In order to identify these situations later on in the formal specification, we introduce some auxiliary predicates.

A process p only receives a notification, if it is active and prepared for receiving, on the one hand, and if it knows the victim process  $p_{\text{victim}}$ , on the other one. Formally, predicate knotify\_after\_kill describes this situation:

Process p is prepared for receiving notifications, if IPC\_RECEIVE describes the output and handle  $hn_{\sf snd}$  either specifies an open receive (HN\_NONE) or an explicit request to the kernel (HN\_KERNEL). Whether p knows  $p_{\sf victim}$  determines predicate is\_known.

Another situation, why a process p receives a message, arises, if p resides in a pending IPC operation, where  $p_{\text{victim}}$  is involved as receiver, sender, or additional process. The predicate killed\_assigned\_recv describes this situation:

```
killed_assigned_recv uprocs rightsdb p_{\text{victim}} p \equiv
case uprocs p of \bot \Rightarrow False
| \lfloor x \rfloor \Rightarrow \text{case } \omega_{\text{proc}} \times \text{of}
| \text{IPC\_SEND } \textit{hn}_{\text{rcv}} \text{ rights}_{\text{send}} \text{ msg } \textit{hn}_{\text{add}} \text{ rights}_{\text{add}} \text{ timeout}_{\text{send}} \Rightarrow
```

For an arbitrary process p, the predicate holds, if p entails three properties: (a) it is active, (b) the output denotes a send operation, i.e., IPC\_SEND or IPC\_REQUEST, and (c) the specified handle  $hn_{\sf rcv}$  refers to  $p_{\sf victim}$  in p's handle database. Similar predicates killed\_assigned\_snd and killed\_assigned\_add help to determine the remaining situations.

However, these situations only arise, if the process termination succeeds. Thus, as usual, we define a function  $vamos\_result\_kill$  that checks possible invocation errors. The only argument that the calling process  $p_{cp}$  has to specify is a handle  $hn_{victim}$  to the process that should be terminated. Based on it, the definition of function  $vamos\_result\_kill$  looks as follows:

```
vamos_result_kill rightsdb\ p_{\sf cp}\ hn_{\sf victim} \equiv  if hn_{\sf victim} \neq {\sf HN\_SELF}\ \land \neg privileged rightsdb\ p_{\sf cp} then {\sf ERR\_UNPRIVILEGED} else if \neg valid_handle rightsdb\ p_{\sf cp}\ hn_{\sf victim} then {\sf ERR\_INVALID\_HANDLE} else {\sf SUCCESS}
```

A special case describes  $hn_{\text{victim}} = \text{HN\_SELF}$ . It either indicates the voluntary self-termination of  $p_{\text{cp}}$  or its forced termination by the VAMOS kernel. The latter happens in the context of the runtime-error handling (cf. Section 4.4). Anyways, in both cases, the operation is not attached to any conditions and always succeeds.

Things are different, if  $hn_{\text{victim}} \neq \text{HN\_SELF}$ , i.e., no self-termination is desired. In this case, SUCCESS is only returned, if  $p_{cp}$  owns privileges and handle  $hn_{\text{victim}}$  is valid. Lacking privileges result in the error message ERR\_UNPRIVILEGED, an invalid handle in ERR\_INVALID\_HANDLE.

The actual delivery of the error message and the state update in the success case describes function vamos\_process\_kill:

```
 \begin{array}{l} \mathsf{vamos\_process\_kill} \ s_{\mathsf{V}} \ hn_{\mathsf{victim}} \equiv \\ \mathsf{let} \ p_{\mathsf{cp}} = \lceil \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \rceil; \\ p_{\mathsf{victim}} = \lceil s_{\mathsf{V}}.\mathsf{rightsdb} \ p_{\mathsf{cp}} \rceil.\mathsf{hdb} \ hn_{\mathsf{victim}}; \\ res = \mathsf{vamos\_result\_kill} \ s_{\mathsf{V}}.\mathsf{rightsdb} \ p_{\mathsf{cp}} \ hn_{\mathsf{victim}} \\ \mathsf{in} \ \mathsf{if} \ \mathsf{is\_error} \ res \ \mathsf{then} \ s_{\mathsf{V}} (\mathsf{procs} := s_{\mathsf{V}}.\mathsf{procs} (p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \ res \ \lceil s_{\mathsf{V}}.\mathsf{procs} \ p_{\mathsf{cp}} \rceil))) \\ \mathsf{else} \ s_{\mathsf{V}} (\mathsf{procs} := \mathsf{v\_kill\_updt\_procs} \ s_{\mathsf{V}}.\mathsf{procs} \ s_{\mathsf{V}}.\mathsf{rightsdb} \ s_{\mathsf{V}}.\mathsf{devds} \\ (\mathsf{set} \ s_{\mathsf{V}}.\mathsf{schedds}.\mathsf{wait}) \ p_{\mathsf{cp}} \ \lceil p_{\mathsf{victim}} \rceil, \\ \mathsf{schedds} := \mathsf{v\_kill\_updt\_schedds} \ s_{\mathsf{V}}.\mathsf{schedds} \ s_{\mathsf{V}}.\mathsf{procs} \ s_{\mathsf{V}}.\mathsf{priodb} \\ s_{\mathsf{V}}.\mathsf{rightsdb} \ \lceil p_{\mathsf{victim}} \rceil, \\ \mathsf{priodb} := s_{\mathsf{V}}.\mathsf{priodb} (\lceil p_{\mathsf{victim}} \rceil, \\ \mathsf{sndstatdb} := \mathsf{v\_kill\_updt\_sndstatdb} \ s_{\mathsf{V}}.\mathsf{rightsdb} \ \lceil p_{\mathsf{victim}} \rceil, \\ \mathsf{rightsdb} := \mathsf{v\_kill\_updt\_rightsdb} \ s_{\mathsf{V}}.\mathsf{rightsdb} \ \lceil p_{\mathsf{victim}} \rceil, \\ \mathsf{devds} := \mathsf{v\_kill\_updt\_devds} \ s_{\mathsf{V}}.\mathsf{devds} \ \lceil p_{\mathsf{victim}} \rceil, \\ \end{aligned}
```

In case of success, the access to  $p_{cp}$ 's handle database with handle  $hn_{victim}$  is valid and delivers the process number  $p_{victim}$ . Setting the entry of  $p_{victim}$  in the priority database to  $\perp$  is done directly. Dedicated update functions describe the effects on the remaining state components.

**Updating the Virtual Machines.** The update of the virtual machines affects the entries for the calling process  $p_{cp}$ , the terminated process  $p_{victim}$  and the processes which are either informed about the abortion of their pending IPC operation or the loss of handles in their handle database.

Function v\_kill\_updt\_procs formally defines the update:

```
v_kill_updt_procs uprocs \ rightsdb \ devds \ waitQ \ p_{cp} \ p_{victim} \equiv
  let rightsdb_{new} = v_kill\_updt\_rightsdb rightsdb p_{victim};
       knote = deliverNotifications \ rightsdb_{new} \ devds \ devds.saved
  in \lambda x. if x = p_{\text{victim}} then \perp
           else if x = p_{cp} then \lfloor \delta_{proc} SUCCESS \lfloor uprocs p_{cp} \rfloor \rfloor
                  else if x \in waitQ \land killed\_assigned\_recv uprocs rightsdb p_{victim} x
                        then |\delta_{proc} ERR_SND_INVALID_HANDLE [uprocs x]|
                        else if x \in waitQ \land
                                  killed_assigned_add uprocs \ rightsdb \ p_{\sf victim} \ x
                               then \lfloor \delta_{proc} \text{ ERR\_INVALID\_HANDLE } \lceil uprocs x \rceil \rfloor
                              else if x \in waitQ \land
                                         killed_assigned_snd uprocs \ rightsdb \ p_{\sf victim} \ x
                                     then |\delta_{proc} ERR_{RCV_{INVALID_{HANDLE}}}[uprocs x]|
                                     else if x \in waitQ \land
                                               knotify_after_kill uprocs rightsdb p<sub>victim</sub>
                                            then |\delta_{proc}(knote x)| [uprocs x] | else uprocs x
```

Due to the successful termination, process  $p_{\text{victim}}$  is no longer associated with a virtual machine and the caller  $p_{\text{cp}}$  gets a SUCCESS message. Aborting the pending IPC operations of waiting processes x involves an error message passing. The actual message is determined by means of the predicates introduced above. Thus, x receives ERR\_SND\_INVALID\_HANDLE, if predicate killed\_assigned\_recv applies. Finally, VAMOS delivers kernel notifications to all processes x that fulfill predicate knotify\_after\_kill. The virtual machines of the remaining processes remain untouched.

Kernel notifications are assembled by function deliverNotifications which relies on the updated rights datastructures given by  $v_kill_updt_rightsdb$ . As we will see later on, it provides the set of stolen handles of a process x after the termination of process  $p_{victim}$  containing the handle hn that pointed to  $p_{victim}$ .

Based on the updated rights data structures rightsdb, the device datastructures devds and the saved interrupts irqs, the notification for process x contains the following information:

```
deliverNotifications rightsdb devds irqs x \equiv let irqs_{\mathsf{handled}} = \{i \in irqs. \ devds. \ driver i = \lfloor x \rfloor\}; stolen_{\mathsf{hns}} = \mathbf{case} \ rightsdb x of \bot \Rightarrow \mathsf{False} \mid \lfloor a \rfloor \Rightarrow a. \mathsf{stolen} \neq \{\} in Succ_receive HN_KERNEL False \{\} [] HN_NONE False \{\} stolen_{\mathsf{hns}} False irqs_{\mathsf{handled}}
```

In the definition,  $irqs_{handled}$  abbreviates the set of interrupts  $i \in irqs$  handled by x. Flag  $stolen_{hns}$  is active, if the entry of x in the rights datastructures rightsdb comprises a non-empty set stolen. Both  $irqs_{handled}$  and  $stolen_{hns}$  represent the main content of the kernel notification to x. Handle  $HN_KERNEL$  identifies the kernel as sender, whereas the remaining parts do not communicate any relevant data.

Updating the Scheduling Datastructures. The udpate of the scheduling datastructures comprises the awakening of all waiting processes p that either receive a kernel notification or an error message. Furthermore, the terminated process  $p_{\text{victim}}$  is taken out of the VAMOS process scheduling, i. e., it is removed from the scheduling queues (wait or ready queues) and put into the inactive queue. Moreover, the process-specific scheduling information is deleted

Function  $v_kill_updt_schedds$  gives the formal specification of all these actions:

```
 \begin{array}{l} \text{v\_kill\_updt\_schedds} \ schedds \ uprocs \ priodb \ rightsdb \ p_{\text{victim}} \equiv \\ \text{let} \ schedds_{\text{tmp}} = \\ \text{v\_wkp\_updt\_schedds} \ schedds \\ \text{(filter (v\_kill\_wkp \ uprocs \ rightsdb \ p_{\text{victim}}) \ schedds.wait)} \ priodb \\ \text{in } \ schedds_{\text{tmp}} \\ \text{(linactive := } \ schedds_{\text{tmp}}.\text{inactive } @ \ [p_{\text{victim}}], \\ \text{procdb := } \ schedds_{\text{tmp}}.\text{procdb}(p_{\text{victim}} := \bot), \\ \text{ready := } \ \lambda p. \ [x \in schedds_{\text{tmp}}.\text{ready } p \ . \ x \neq p_{\text{victim}}], \\ \text{wait := } \ [x \in schedds_{\text{tmp}}.\text{wait } . \ x \neq p_{\text{victim}}]) \end{array}
```

In a first step,  $v_kill_updt_schedds$  realizes the awakening of all waiting processes p that fulfill predicate  $v_kill_wkp$  and stores this intermediate result in  $schedds_{tmp}$ . The predicate itself realizes a disjunction of the predicates introduced above:

```
v_kill_wkp uprocs rightsdb p_{\text{victim}} p \equiv killed_assigned_recv uprocs rightsdb p_{\text{victim}} p \lor killed_assigned_add uprocs rightsdb p_{\text{victim}} p \lor killed_assigned_snd uprocs rightsdb p_{\text{victim}} p \lor knotify_after_kill uprocs rightsdb p_{\text{victim}} p
```

Based on  $schedds_{tmp}$ ,  $p_{victim}$  is appended to the inactive queue and the entry for  $p_{victim}$  in the process-specific scheduling information is set to  $\bot$ . The act of removing  $p_{victim}$  from the scheduling queues is quite brute force. VAMOS does not distinguish whether  $p_{victim}$  previously resided in the wait or the ready queue but simply removes it from all of these queues.

**Updating the Rights Datastructures.** After the termination, VAMOS does no longer hold any information on  $p_{\text{victim}}$ . Accordingly, the entry for  $p_{\text{victim}}$  in the rights database is set to  $\bot$ . Furthermore, all entries regarding  $p_{\text{victim}}$  in the handle and rights databases of processes p are set to  $\bot$ . In addition, handles hn referring to  $p_{\text{victim}}$  are added to the according sets of stolen handles.

The formal semantics encapsulates function v\_kill\_updt\_rightsdb:

```
 \begin{array}{l} \mathsf{v\_kill\_updt\_rightsdb} \ \mathit{rightsdb} \ \mathit{p}_\mathsf{victim} \equiv \\ \lambda \mathit{p.} \ \mathbf{if} \ \mathit{p} = \mathit{p}_\mathsf{victim} \ \mathbf{then} \ \bot \\ & \quad \mathsf{else} \ \mathbf{case} \ \mathit{rightsdb} \ \mathit{p} \ \mathbf{of} \ \bot \Rightarrow \bot \\ & \quad | \ \lfloor \mathit{db} \rfloor \Rightarrow \\ & \quad \lfloor \mathit{db} \| \mathsf{hdb} := \lambda \mathit{hn.} \ \mathbf{if} \ \mathit{db.} \mathsf{hdb} \ \mathit{hn} = \lfloor \mathit{p}_\mathsf{victim} \rfloor \ \mathbf{then} \ \bot \ \mathbf{else} \ \mathit{db.} \mathsf{hdb} \ \mathit{hn}, \\ & \quad \mathsf{rdb} := \mathit{db.} \mathsf{rdb} (\lfloor \mathit{p}_\mathsf{victim} \rfloor := \bot), \\ & \quad \mathsf{stolen} := \mathit{db.} \mathsf{stolen} \cup \{\mathit{hn.} \ \mathit{db.} \mathsf{hdb} \ \mathit{hn} = \lfloor \mathit{p}_\mathsf{victim} \rfloor \} \} ) \\ \end{tabular}
```

Note that VAMOS does not allow multiple handles on a single process, i.e.,  $\{hn.\ db.hdb\ hn = |p_{victim}|\}$  is a singleton or empty.

**Updating the Send Status Database.** Updating the send status database is rather straightforward. The entry of  $p_{\text{victim}}$  is set to  $\bot$ . Entries of awaken processes (those for which predicate  $v_{\text{kill}}$ \_wkp holds) are set to False because they no longer perform any IPC operation. The remaining entries stay untouched.

Formally, function v\_kill\_updt\_sndstatdb describes the update:

```
v_kill_updt_sndstatdb sndstatdb uprocs\ rightsdb\ p_{\text{victim}} \equiv \lambda p.\ if\ p = p_{\text{victim}}\ then\ \bot else if v_kill_wkp uprocs\ rightsdb\ p_{\text{victim}}\ p\ then\ |\text{False}|\ else\ sndstatdb\ p
```

**Updating the Device Datastructures.** Terminating a process might also shut down a driver. This reflects the update of the device datastructures described by function  $v_kill_updt_devds$ :

```
v_kill_updt_devds devds\ p_{\text{victim}} \equiv  let irqs = \{i.\ devds. \text{driver}\ i = \lfloor p_{\text{victim}} \rfloor \} in devds (|driver := \lambda i. if i \in irqs then \bot else devds. \text{driver}\ i, enabled := devds. \text{enabled}\ - irqs, saved := devds. \text{saved}\ - irqs)
```

The definition first determines the set irqs of interrupts served by process  $p_{\text{victim}}$ . Based on this set, the actual update of the device datastructures devds is performed. All interrupts  $i \in irqs$  are no longer handled or assigned to any driver, i. e., the entry i in driver is set to  $\bot$ . As long as no other device driver is assigned, the interrupts are disabled and, hence, subtracted from the set enabled. Finally, VAMOS removes interrupts associated to the driver  $p_{\text{victim}}$  from the set saved because a delivery is no longer possible.

#### 4.4.4 Scheduling Mechanism

The process scheduling in VAMOS highly depends on the so-called scheduling parameters which comprise the priority and the timeslice of a process. Both values are initially determined during the process creation (cf. Section 4.4.3) and play, as we will see in Section 4.5, an essential role within the decision of the VAMOS scheduler.

The VAMOS call CHG\_SCHED\_PARAMS provides the possibility to dynamically change these values. As arguments, the calling process  $p_{cp}$  has to specify a handle  $hn_{\text{victim}}$  which identifies the process whose scheduling parameters should be changed to the new timeslice  $tsl_{\text{new}}$  and priority  $prio_{\text{new}}$ .

The call only succeeds, if  $p_{\sf cp}$  is privileged,  $hn_{\sf victim}$  is valid, and  $prio_{\sf new}$  denotes a valid priority, i. e.,  $prio_{\sf new} \neq \bot$ .

Function vamos\_result\_change\_sched\_param checks for possible errors and delivers the corresponding response to  $p_{cp}$ :

```
vamos_result_change_sched_param rightsdb p_{cp} hn_{victim} prio_{new} \equiv if \neg privileged rightsdb p_{cp} then ERR_UNPRIVILEGED else if \neg valid_handle rightsdb p_{cp} hn_{victim} then ERR_INVALID_HANDLE else if prio_{new} = \bot then ERR_INVALID_ARGS else SUCCESS
```

The response of vamos\_result\_change\_sched\_param is used in the overall specification function vamos\_change\_sched\_param, in order to determine between success and failure:

```
 \begin{array}{l} {\rm vamos\_change\_sched\_param} \ s_V \ hn_{\rm victim} \ tsl_{\rm new} \ prio_{\rm new} \equiv \\ {\rm let} \ p_{\rm cp} = \lceil v\_{\rm cup} \ s_V.{\rm schedds} \rceil; \ p_{\rm victim} = \lceil \lceil s_V.{\rm rightsdb} \ p_{\rm cp} \rceil.{\rm hdb} \ hn_{\rm victim} \rceil; \\ res = {\rm vamos\_result\_change\_sched\_param} \ s_V.{\rm rightsdb} \ p_{\rm cp} \ hn_{\rm victim} \ prio_{\rm new} \\ {\rm in} \ {\rm if} \ {\rm is\_error} \ res \ {\rm then} \ s_V (|{\rm procs} := s_V.{\rm procs}(p_{\rm cp} \mapsto \delta_{\rm proc} \ res \ \lceil s_V.{\rm procs} \ p_{\rm cp} \rceil))) \\ {\rm else} \ s_V (|{\rm procs} := s_V.{\rm procs}(p_{\rm cp} \mapsto \delta_{\rm proc} \ {\rm SUCCESS} \ \lceil s_V.{\rm procs} \ p_{\rm cp} \rceil), \\ {\rm schedds} := v\_{\rm chng\_sched\_param\_updt\_schedds} \ s_V.{\rm schedds} \ s_V.{\rm priodb} \\ {\rm s_V.rightsdb} \ p_{\rm cp} \ hn_{\rm victim} \ tsl_{\rm new} \ \lceil prio_{\rm new} \rceil, \\ {\rm priodb} := s_V.{\rm priodb}(p_{\rm victim} := prio_{\rm new}))) \end{array}
```

If the call fails, the only update concerns the error message passing to  $p_{cp}$ . Otherwise, the message turns into SUCCESS and the scheduling parameters are changed. The process number  $p_{\text{victim}}$  of the victim is obtained by accessing  $p_{cp}$ 's handle database with  $hn_{\text{victim}}$ . Based on  $p_{\text{victim}}$ , VAMOS sets the entry in the priority database to  $prio_{\text{new}}$  and describes the update of the scheduling datastructures by means of  $v\_{\text{chng\_sched\_param\_updt\_schedds}}$ :

```
\label{eq:vchng_sched_param_updt_schedds} \begin{split} \text{v.chng\_sched\_param\_updt\_schedds} & schedds \ priodb \ rightsdb \ p_{\text{cp}} \ hn_{\text{victim}} \\ & tsl_{\text{new}} \ prio_{\text{new}} \equiv \\ \text{let} \ p_{\text{victim}} = \lceil\lceil rightsdb \ p_{\text{cp}} \rceil. \text{hdb} \ hn_{\text{victim}} \rceil; \\ & prio_{\text{old}} = \lceil priodb \ p_{\text{victim}} \rceil \\ & \text{in if } p_{\text{victim}} \in \text{set } schedds. \text{wait} \lor prio_{\text{new}} = prio_{\text{old}} \\ & \text{then } schedds \\ & (|\text{procdb}:= schedds. \text{procdb}(p_{\text{victim}} \mapsto \lceil schedds. \text{procdb} \ p_{\text{victim}} \rceil) \\ & (|\text{tsl}:= tsl_{\text{new}}|))) \end{split}
```

```
else schedds
(|ready := schedds.ready)
(prio_{new} := schedds.ready prio_{new} @ [p_{victim}],
prio_{old} := [x \in schedds.ready prio_{old} . x \neq p_{victim}]),
procdb := schedds.procdb(p_{victim} \mapsto [schedds.procdb p_{victim}])
(|tsl := tsl_{new}, ctsl := 0|))
```

In addition to  $p_{\text{victim}}$ , the definition also relies on the old priority  $prio_{\text{old}}$  of  $p_{\text{victim}}$ . The first case deals with the situation that either  $p_{\text{victim}}$  is waiting or the priority of  $p_{\text{victim}}$  does not change, i. e.,  $prio_{\text{new}} = prio_{\text{old}}$ . Both results in the same update, namely, that only the timeslice of  $p_{\text{victim}}$  is set to  $tsl_{\text{new}}$ . Due to the rearrangement of the ready queues, the second case is a bit more elaborate. Vamos removes  $p_{\text{victim}}$  from the ready queue of priority  $prio_{\text{old}}$  and appends it to the one of priority  $prio_{\text{new}}$ . For this reason, its consumed time ctsl is reset to 0. Again, the timeslice is set to  $tsl_{\text{new}}$ .

### 4.4.5 Device Driver Support

The Vamos kernel itself only handles the external interrupts from the timer device. For the remaining external interrupts, Vamos shifts the responsibility to so-called device drivers. Device drivers in Vamos are dedicated user processes that handle the interrupts from and interact with the external devices. Nevertheless, the Vamos kernel still acts as interface between these drivers and the devices. On the one hand, it receives the interrupts and passes them on to the associated drivers and, on the other hand, it forwards the requests of the drivers to the devices.

A user process may only act as driver, if it was previously registered by means of the VAMOS call CHANGE\_DRIVER. Regarding a dynamic assignment of drivers and devices, the call additionally allows to unregister drivers.

As Section 4.6 illustrates, Vamos uses IPC for the interrupt delivery. Along with the actual delivery, Vamos also disables the respective interrupts. An interrupt i remains disabled as long as its driver d completed the handling. Not until then d re-enables i by means of the Vamos call Enable\_Interrupts.

Among other duties, the main task of a driver is reading from and writing to a device. Thus, VAMOS provides the corresponding calls DEV\_READ and DEV\_WRITE.

Based on this brief introduction, the section proceeds with the formal specifications of the device-related VAMOS calls.

#### **Assignment of Device Drivers**

The Vamos call Change\_driver enables the dynamic assignment of device drivers. Primarily, it allows the registration and deregistration of drivers but also provides the opportunity to dynamically change the set of interrupts handled by a certain driver.

Accordingly, a calling process  $p_{cp}$  has to specify the handle  $hn_{driver}$  to the desired driver and the set irqs of interrupts, the driver should be registered for or deregistered from. The latter is determined by a flag register.

Function vamos\_result\_change\_driver decides on success or failure:

```
vamos_result_change_driver rightsdb devds p_{cp} hn_{driver} irqs \equiv if \neg privileged rightsdb p_{cp} then ERR_UNPRIVILEGED else if \neg valid_handle rightsdb p_{cp} hn_{driver} then ERR_INVALID_HANDLE else if irqs = \bot \lor \mathsf{DEV\_TIMER} \in \lceil irqs \rceil then ERR_INVALID_ARGS else if \exists i \in \lceil irqs \rceil.

devds.\mathsf{driver} \ i \neq \bot \land devds.\mathsf{driver} \ i \neq \lceil rightsdb \ p_{cp} \rceil.\mathsf{hdb} \ hn_{driver} then ERR_INT_ALREADY_HANDLED else SUCCESS
```

The call CHANGE\_DRIVER only succeeds, if the calling process  $p_{cp}$  is privileged and provides a valid handle  $hn_{driver}$ . Furthermore, the set irqs must neither be empty nor contain the interrupt for the timer device. Apart from this, VAMOS does not allow more than one driver for each interrupt. In consequence of that, VAMOS responses with the error message ERR\_INT\_ALREADY\_HANDLED, if an interrupt i out of irqs is already assigned to a driver which does not correspond to the one chosen by  $p_{cp}$ .

The overall function vamos\_change\_driver uses the response from the function above and specifies the corresponding update of a VAMOS state s<sub>V</sub>:

```
vamos_change_driver s_V \ hn_{\text{driver}} \ irqs \ register \equiv let p_{\text{cp}} = \lceil v_{\text{cup}} \ s_V.\text{schedds} \rceil; res = \text{vamos\_result\_change\_driver} \ s_V.\text{rightsdb} \ s_V.\text{devds} \ p_{\text{cp}} \ hn_{\text{driver}} \ irqs in if is_error res then s_V(\lceil \text{procs} := s_V.\text{procs}(p_{\text{cp}} \mapsto \delta_{\text{proc}} \ res \ \lceil s_V.\text{procs} \ p_{\text{cp}} \rceil)) else s_V(\lceil \text{procs} := s_V.\text{procs}(p_{\text{cp}} \mapsto \delta_{\text{proc}} \ \text{SUCCESS} \ \lceil s_V.\text{procs} \ p_{\text{cp}} \rceil), devds := v_{\text{chg\_drv\_updt\_devds}} \ s_V.\text{devds} \ s_V.\text{rightsdb} \ p_{\text{cp}} \ hn_{\text{driver}} \ irqs \ register))
```

Delivering the result message to the caller  $p_{\sf cp}$  goes on as usual. The remaining changes only affect the device data structures and are described by the dedicated update function  $v_{\sf chg\_drv\_updt\_devds}$ :

```
v_chg_drv_updt_devds devds rightsdb p_{cp} hn_{driver} irqs register \equiv let p_{driver} = \lceil rightsdb p_{cp} \rceil.hdb hn_{driver} in if register then devds  (|driver := \lambda i. \text{ if } i \in \lceil irqs \rceil \text{ then } p_{driver} \text{ else } devds.\text{driver } i, \\ \text{ enabled } := devds.\text{enabled } \cup \lceil irqs \rceil) )  else devds  (|driver := \lambda i. \text{ if } i \in \lceil irqs \rceil \text{ then } \bot \text{ else } devds.\text{driver } i, \\ \text{ saved } := devds.\text{saved } - \lceil irqs \rceil, \text{ enabled } := devds.\text{enabled } - \lceil irqs \rceil) )
```

The process number  $p_{\text{driver}}$  of the driver is obtained by accessing  $p_{cp}$ 's handle database with  $hn_{\text{driver}}$ . Two cases are distinguished. In the first one,  $p_{\text{driver}}$  should be registered as driver for the interrupts irqs. Accordingly, for each

interrupt  $i \in \lceil irqs \rceil$ , the entry in the driver registry is set to  $p_{driver}$ . Adding the newly assigned interrupts to the set enabled turns the interrupt delivery on.

The second case deals with the deregistration. According entries in driver are set to  $\bot$  and the interrupts are taken out of the sets saved and enabled.

#### **Enabling Interrupts**

Specifying the call ENABLE\_INTERRUPTS is straightforward. The calling process  $p_{\sf cp}$  usually acts as driver and specifies a set irqs that should be reenabled. Function <code>vamos\_result\_enable\_interrupts</code> determines whether this request succeeds or fails:

```
vamos_result_enable_interrupts devds\ p_{\sf cp}\ irqs \equiv  if \exists i \in \lceil irqs \rceil. devds.driver i \neq \lfloor p_{\sf cp} \rfloor \lor irqs = \bot then ERR_UNPRIVILEGED else SUCCESS
```

The latter happens, if either the interrupts are given in an invalid format or at least one of the specified interrupts does not belong to the caller  $p_{cp}$ .

The overall specification function vamos\_enable\_interrupts reflects the low complexity of ENABLE\_INTERRUPTS:

As usual, VAMOS either reports success or failure to the caller  $p_{cp}$ . In the former case, the interrupts  $\lceil irqs \rceil$  are additionally added to the set of enabled interrupts.

#### Reading from a Device

The VAMOS call DEV\_READ enables a driver to read from a device. Thus, as calling process  $p_{cp}$ , the driver has to specify a device number  $dev_{id}$ , a port number  $dev_{port}$  and a memory region buffer in its virtual memory that should be used to store the device data.

Specifying invalid device and port numbers are one source of failure. Another one is the memory region. To be used as buffer, it has to be defined and available in the virtual memory of  $p_{\sf cp}$ . Furthermore, VAMOS only enables a read operation, if  $p_{\sf cp}$  is registered as driver for  $dev_{\sf id}$ .

Formally, function vamos\_result\_dev\_read checks for these errors and delivers an according response:

```
vamos_result_dev_read devds\ p_{cp}\ dev_{id}\ dev_{port}\ buffer \equiv

if dev_{id} = \bot \lor dev_{port} = \bot \lor buffer \in \{BufUndefined, BufUnavailable\}
```

```
then ERR_INVALID_ARGS else if devds.driver \lceil dev_{id} \rceil \neq \lfloor p_{cp} \rfloor then ERR_UNPRIVILEGED else SUCCESS
```

Range violations as well as an invalid buffer lead to ERR\_INVALID\_ARGS. The attempt to read from device  $dev_{id}$  without being registered as driver is rejected with the error message ERR\_UNPRIVILEGED. Otherwise, the call succeeds and SUCCESS is returned.

The overall specification function vamos\_dev\_read does not describe the acquisition of the device data but only its delivery to the driver. As described in Section 3.1, the actual interaction between the device  $dev_{id}$  and the VAMOS kernel takes place in the overall transition function  $\delta_{V+D}$ , where a succeeding interaction results in the device data  $dev_{data}$ . Function  $\delta_{V+D}$  then uses this data with the VAMOS transition function  $\delta_V$  which, in turn, passes  $dev_{data}$  on to the VAMOS trap handler, where it finally arrives at vamos\_dev\_read (cf. Section 4.3 and Section 4.4).

Accordingly, vamos\_dev\_read takes – apart from the VAMOS state  $s_{V}$  and the parameters specified by the calling process  $p_{cp}$  – the device data  $dev_{data}$  as input:

```
 \begin{aligned} & \mathsf{vamos\_dev\_read} \ s_V \ dev_{\mathsf{id}} \ dev_{\mathsf{port}} \ buffer \ dev_{\mathsf{data}} \equiv \\ & \mathsf{let} \ p_{\mathsf{cp}} = \lceil \mathsf{v\_cup} \ s_V.\mathsf{schedds} \rceil; \\ & \mathit{res} = \mathsf{vamos\_result\_dev\_read} \ s_V.\mathsf{devds} \ p_{\mathsf{cp}} \ dev_{\mathsf{id}} \ dev_{\mathsf{port}} \ buffer; \\ & \mathit{data} = \mathsf{mifo\_norm} \ (\mathsf{bufLength} \ buffer) \ dev_{\mathsf{data}} \\ & \mathsf{in} \ \mathsf{if} \ \mathsf{is\_error} \ \mathit{res} \ \mathsf{then} \ s_V ( \mathsf{procs} := s_V.\mathsf{procs}(p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \ \mathit{res} \ \lceil s_V.\mathsf{procs} \ p_{\mathsf{cp}} \rceil ) ) \\ & \mathsf{else} \ s_V ( \mathsf{procs} := s_V.\mathsf{procs}(p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \ (\mathsf{SUCC\_DEV\_READ} \ \mathit{data}) \ \lceil s_V.\mathsf{procs} \ p_{\mathsf{cp}} \rceil ) ) ) \end{aligned}
```

If DEV\_READ fails, the cause of fault is delivered to process  $p_{cp}$ . Otherwise, process  $p_{cp}$  is provided with the device data in form of message SUCC\_DEV\_READ. The message, however, comprises the normalized device data data, which is obtained by function mifo\_norm. In a nutshell, function mifo\_norm positions  $dev_{data}$  at the beginning of the buffer and, if necessary, adds zeroes, if the buffer is bigger than the actual data portion.

#### Writing to a Device

Write accesses to a device are provided with the VAMOS call DEV\_WRITE. A calling process  $p_{cp}$  has to specify the target by means of a device number  $dev_{id}$  and a port number  $dev_{port}$ . The data that should be written to the device is specified by a memory region msg.

Writing to and reading from a device are attached with similar conditions, as the definition of vamos\_result\_dev\_write reflects:

```
vamos_result_dev_write devds\ p_{cp}\ dev_{id}\ dev_{port}\ msg \equiv if dev_{id} = \bot \lor dev_{port} = \bot \lor msg \in \{MObjUndefined,\ MObjUnavailable\} then ERR_INVALID_ARGS else if devds.driver\ \lceil dev_{id} \rceil \neq \lfloor p_{cp} \rfloor then ERR_UNPRIVILEGED else SUCCESS
```

Instead of the buffer, in this context the message msg has to be defined and available in the virtual memory of  $p_{cp}$ .

The only issue regarding the VAMOS state update is the result delivery. The actual write access to device  $\text{dev}_{id}$  is again handled outside by  $\delta_{V+D}$ .

Accordingly, the definition of vamos\_dev\_write is quite simple:

```
\begin{array}{l} \mathsf{vamos\_dev\_write} \ s_{\mathsf{V}} \ dev_{\mathsf{id}} \ dev_{\mathsf{port}} \ msg \equiv \\ \mathsf{let} \ p_{\mathsf{cp}} = \lceil \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \rceil; \\ \mathit{res} = \mathsf{vamos\_result\_dev\_write} \ s_{\mathsf{V}}.\mathsf{devds} \ p_{\mathsf{cp}} \ dev_{\mathsf{id}} \ dev_{\mathsf{port}} \ msg \\ \mathsf{in} \ s_{\mathsf{V}} (\lceil \mathsf{procs} := s_{\mathsf{V}}.\mathsf{procs}(p_{\mathsf{cp}} \mapsto \delta_{\mathsf{proc}} \ res \ \lceil s_{\mathsf{V}}.\mathsf{procs} \ p_{\mathsf{cp}} \rceil)) \end{array}
```

#### 4.4.6 Inter-Process Communication

As the name suggests, IPC gives the user processes the opportunity to communicate with each other. For sending and receiving, the VAMOS kernel provides the calls IPC\_SEND and IPC\_RECEIVE. In addition to that, the call IPC\_REQUEST enables a combined send and receive with the same communication partner.

Usually, IPC calls traverse several phases. The invocation phase checks the various IPC arguments for their validity. After successfully passing this phase, the operation enters the pre-transmission phase. It searches for possible communication partners and proceeds into the actual transmission, if a rendez-vous situation can be established. If no suitable partner is available, it prepares the calling process for waiting or aborts the call, if the caller specified an immediate timeout. Both, the invocation as well as the pre-transmission phase are call-specific, whereas the transmission has the same semantics for each call.

Accordingly, we first specify the effects of the transmission phase and embed it afterwards in the particular specifications of the IPC calls.

This section concludes with the specification of the call CHANGE\_RIGHTS. It does not enable any communication but the administration of the IPC rights.

#### IPC transmission

The transmission phase finalizes a succeeding IPC operation and relies on a rendez-vous situation between a sender  $p_{\sf snd}$  and a receiver  $p_{\sf rcv}$ . During this phase, the IPC message of  $p_{\sf snd}$  is transferred to  $p_{\sf rcv}$  and the VAMOS kernel updates its datastructures, accordingly. As the transmission follows the invocation and pre-transmission phase, we assume the validity of the involved arguments.

The IPC message itself comprises multiple parts. The most common one is the memory message  $msg_{\sf snd}$ . It is specified by the sender  $p_{\sf snd}$  and describes the memory region that is transferred to the receiver. The receiver, in turn, specifies a memory region  $buf_{\sf rcv}$  to store  $msg_{\sf snd}$ .

The sender  $p_{snd}$  may also grant rights  $rights_{snd}$  to the receiver  $p_{rcv}$ . These rights are combined with the (possibly) existing ones of  $p_{rcv}$  to  $p_{snd}$  and stored in the corresponding entry in  $p_{rcv}$ 's rights database. The updated entry denotes the so-called return rights  $rrights_{snd}$  and is advertised to  $p_{rcv}$  as part of the result message SUCC\_RECEIVE.

Furthermore,  $p_{\sf snd}$  is allowed to introduce an additional process  $p_{\sf add}$  to  $p_{\sf rcv}$ . For this purpose,  $p_{\sf snd}$  specifies a handle  $hn_{\sf add}$  and rights  $rights_{\sf add}$ . As  $hn_{\sf add}$  is only valid in  $p_{\sf snd}$ 's context, the kernel translates it and provides an according return handle  $rhn_{\sf add}$ . In the handle database, VAMOS connects  $rhn_{\sf add}$  with  $p_{\sf add}$  and, as above, updates the according entry in the rights database. Again, the handle  $rhn_{\sf add}$  and the return rights  $rrights_{\sf add}$  are advertised by means of the result message to  $p_{\sf rcv}$ .

In addition, the SUCC\_RECEIVE message to  $p_{\sf rcv}$  also carries notifications from the kernel. Thus,  $p_{\sf rcv}$  is informed about stolen or reused handles and occurred interrupts, if acting as driver.

The transmission phase involves various updates on the Vamos state which are, as usual, encapsulated in dedicated functions.

Updating the Rights Datastructures. The most complex component update in the scope of an IPC transmission is the one for the rights datastructures rightsdb. Updating the rights datastructures regarding the sender  $p_{snd}$  is rather straightforward and encapsulated in function  $snd_rightsdb$ :

```
\begin{split} &\mathsf{snd\_rightsdb}\ rightsdb\ p_{\mathsf{snd}}\ p_{\mathsf{rcv}} \equiv \\ &\mathsf{let}\ \mathit{rights}_{\mathsf{rcv}} = \\ &\mathsf{if}\ \lceil\lceil \mathit{rightsdb}\ p_{\mathsf{snd}}\rceil.\mathsf{rdb}\ p_{\mathsf{rcv}}\rceil \cap \{\mathsf{v\_multipleR}\} = \{\}\ \mathsf{then}\ \lfloor\{\}\rfloor \\ &\mathsf{else}\ \lceil \mathit{rightsdb}\ p_{\mathsf{snd}}\rceil.\mathsf{rdb}\ p_{\mathsf{rcv}} \\ &\mathsf{in}\ \lceil \mathit{rightsdb}\ p_{\mathsf{snd}}\rceil (\!|\mathsf{rdb} := \lceil \mathit{rightsdb}\ p_{\mathsf{snd}}\rceil.\mathsf{rdb}(p_{\mathsf{rcv}} := \mathit{rights}_{\mathsf{rcv}})) \end{split}
```

The sender  $p_{snd}$  only keeps the rights to  $p_{rcv}$ , if it is equipped with the right v\_multipleR. Otherwise, VAMOS revokes all rights.

Much more effort is involved with the updates regarding the database of the receiver which mainly rely on the return handles and rights. We use auxiliary functions to determine the particular values.

Function rhn\_snd computes the return handle rhn\_snd to the sender:

```
rhn_snd rightsdb p_{rcv} p_{snd} \equiv if \lfloor p_{snd} \rfloor = \lceil rightsdb \lceil p_{rcv} \rceil \rceil.parent then HN_PARENT else int p_{snd}
```

If the sender  $p_{snd}$  is  $p_{rcv}$ 's parent, the function returns HN\_PARENT. Otherwise,  $p_{snd}$  is converted into a handle, i.e., transformed into an integer number. The return rights  $rrights_{snd}$  to the sender result from function rrights\_snd:

```
rrights_snd rightsdb \ p_{rcv} \ p_{snd} \ rights_{snd} \equiv  if is_known rightsdb \ [p_{rcv}] \ p_{snd} then \lfloor \lceil [rightsdb \ [p_{rcv}] \rceil .rdb \ [p_{snd}] \rfloor \cup \lceil rights_{snd} \rceil \rfloor else rights_{snd}
```

If the sender is already known to the receiver, the return rights describe the combination of the already existing ones with those of  $rights_{snd}$ . Otherwise,  $rights_{snd}$  denotes the initial rights to the sender.

The updates of  $p_{rcv}$ 's entries in the rights datastructures rightsdb regarding the sender are encapsulated in function rcv\_rightsdb\_snd:

```
 \begin{array}{l} \text{rcv\_rightsdb\_snd} \ \ rightsdb \ \ p_{\text{rcv}} \ \ p_{\text{snd}} \ \ rhn_{\text{snd}} \ rrights_{\text{snd}} \equiv \\ rightsdb(\lceil p_{\text{rcv}} \rceil \mapsto \lceil rightsdb \ \lceil p_{\text{rcv}} \rceil \rceil \\ (\text{hdb} := \lceil rightsdb \ \lceil p_{\text{rcv}} \rceil \rceil.\text{hdb}(rhn_{\text{snd}} \mapsto p_{\text{snd}}), \\ \text{rdb} := \lceil rightsdb \ \lceil p_{\text{rcv}} \rceil \rceil.\text{rdb}(\lfloor p_{\text{snd}} \rfloor := rrights_{\text{snd}}), \\ \text{stolen} := \lceil rightsdb \ \lceil p_{\text{rcv}} \rceil \rceil.\text{stolen} - \{rhn_{\text{snd}}\} \} ) \\ \end{aligned}
```

Within the handle database of  $p_{\sf rcv}$ ,  $rhn_{\sf snd}$  is connected with the process number  $p_{\sf snd}$  and  $rrights_{\sf snd}$  is stored in the according entry in the rights database. Finally,  $rhn_{\sf snd}$  is removed from the set of stolen handles. This operation has no effect as long as  $rhn_{\sf snd}$  has not been marked as stolen. Otherwise, it is now reused and no longer stolen. Nevertheless, later on we will see, that  $p_{\sf rcv}$  is notified about this replacement by marking  $rhn_{\sf snd}$  as reused in the result message.

More complex are the computations of the return handle  $rhn_{\sf add}$  and the return rights  $rrights_{\sf add}$ , because we have to take into account that no additional process has been announced at all or that the process corresponds with the receiver. This leads to the following definition of the auxiliary function  $rhn_{\sf add}$  delivering  $rhn_{\sf add}$ :

```
rhn_add rightsdb p_{rcv} p_{snd} p_{add} hn_{add} \equiv if hn_{add} = HN\_NONE then HN\_NONE else if p_{add} = p_{rcv} then HN\_SELF else if p_{add} = \lceil rightsdb \lceil p_{rcv} \rceil \rceil.parent then HN\_PARENT else int \lceil p_{add} \rceil
```

In case that no additional process has been announced by the sender, i.e.,  $hn_{\sf add} = \mathsf{HN\_NONE}$ , the return handle  $rhn_{\sf add}$  is also  $\mathsf{HN\_NONE}$ . Handle  $\mathsf{HN\_SELF}$  is returned, if the additional process  $p_{\sf add}$  corresponds with the receiver. The return handle denotes  $\mathsf{HN\_PARENT}$ , if  $p_{\sf add}$  denotes the receiver's parent. Otherwise,  $p_{\sf add}$  is converted into a handle.

The return rights  $rrights_{add}$  to the additional process result from function rrights\_add:

```
 \begin{array}{l} \text{rrights\_add } rightsdb \; p_{\text{rcv}} \; p_{\text{snd}} \; p_{\text{add}} \; hn_{\text{add}} \; rights_{\text{add}} \equiv \\ \text{if } hn_{\text{add}} = \text{HN\_NONE then } \bot \\ \text{else if } p_{\text{add}} = p_{\text{rcv}} \; \text{then } \lceil rightsdb \; \lceil p_{\text{rcv}} \rceil \rceil. \text{rdb } p_{\text{add}} \\ \text{else if } \text{is\_known } rightsdb \; \lceil p_{\text{rcv}} \rceil \; \lceil p_{\text{add}} \rceil \\ \text{then } \lfloor \lceil rightsdb \; \lceil p_{\text{rcv}} \rceil \rceil. \text{rdb } p_{\text{add}} \rceil \cup \lceil rights_{\text{add}} \rceil \rfloor \; \text{else } rights_{\text{add}} \end{aligned}
```

The return rights  $rrights_{add}$  denote  $\perp$ , if no additional process was specified, i.e.,  $hn_{add} = HN\_NONE$ . If the additional process is equal to the receiver, they denote the corresponding entry in the rights database. In all other

cases, they describe the combination of already existing rights with  $rights_{add}$ , if the additional process was known, and are equal to  $rights_{add}$ , otherwise.

The updates of  $p_{rcv}$ 's entries in the rights datastructures rightsdb regarding the additional process are similar to the ones regarding the sender, as the definition of function  $rcv_rightsdb_add$  suggests:

```
 \begin{array}{l} \operatorname{rcv\_rightsdb\_add} \ \operatorname{rightsdb} \ p_{\mathsf{rcv}} \ p_{\mathsf{snd}} \ p_{\mathsf{add}} \ \operatorname{rhn_{\mathsf{add}}} \ \operatorname{rrights_{\mathsf{add}}} \equiv \operatorname{rightsdb}(\lceil p_{\mathsf{rcv}} \rceil) \mapsto \lceil \operatorname{rightsdb} \lceil p_{\mathsf{rcv}} \rceil \rceil \\ (\mathsf{hdb} := \lceil \operatorname{rightsdb} \lceil p_{\mathsf{rcv}} \rceil \rceil.\mathsf{hdb}(\operatorname{rhn_{\mathsf{add}}} := p_{\mathsf{add}}), \\ \mathsf{rdb} := \lceil \operatorname{rightsdb} \lceil p_{\mathsf{rcv}} \rceil \rceil.\mathsf{rdb}(p_{\mathsf{add}} := \operatorname{rrights_{\mathsf{add}}}), \\ \mathsf{stolen} := \lceil \operatorname{rightsdb} \lceil p_{\mathsf{rcv}} \rceil \rceil.\mathsf{stolen} - \lceil \operatorname{rhn_{\mathsf{add}}} \rceil)) \\ \end{array}
```

Function rcv\_rightsdb combines the updates of the receiver's rights datastructures:

```
 \begin{array}{l} {\rm rcv\_rightsdb} \ rightsdb \ p_{\rm rcv} \ p_{\rm snd} \ rights_{\rm snd} \ hn_{\rm add} \ rights_{\rm add} \equiv \\ {\rm let} \ rhn_{\rm snd} = {\rm rhn\_snd} \ rightsdb \ p_{\rm rcv} \ p_{\rm snd}; \\ rrights_{\rm snd} = {\rm rrights\_snd} \ rightsdb \ p_{\rm rcv} \ p_{\rm snd} \ rights_{\rm snd}; \\ rightsdb' = {\rm rcv\_rightsdb\_snd} \ rightsdb \ p_{\rm rcv} \ p_{\rm snd} \ rhn_{\rm snd} \ rrights_{\rm snd}; \\ p_{\rm add} = \left\lceil rightsdb \ p_{\rm snd} \right\rceil. {\rm hdb} \ hn_{\rm add}; \\ rhn_{\rm add} = {\rm rhn\_add} \ rightsdb \ p_{\rm rcv} \ p_{\rm snd} \ p_{\rm add} \ hn_{\rm add}; \\ rrights_{\rm add} = {\rm rrights\_add} \ rightsdb' \ p_{\rm rcv} \ p_{\rm snd} \ p_{\rm add} \ hn_{\rm add} \ rights_{\rm add}; \\ rightsdb'' = {\rm rcv\_rightsdb\_add} \ rightsdb' \ p_{\rm rcv} \ p_{\rm snd} \ p_{\rm add} \ rhn_{\rm add} \ rrights_{\rm add} \\ {\rm in} \ \left\lceil rightsdb'' \left\lceil p_{\rm rcv} \right\rceil \right\rceil \end{array}
```

Based on the original rights datastructures rightsdb, the definition first computes the return handle  $rhn_{snd}$  and rights  $rrights_{snd}$  to the sender. Both are provided as input to function  $rcv\_rightsdb\_snd$  which computes the intermediate update rightsdb'. Afterwards, the definition computes the return handle  $rhn_{add}$  to the additional process  $p_{add}$ . Note that the latter is only defined, if  $hn_{add} \neq HN\_NONE$ . The computation of the return rights  $rrights_{add}$  is based on the rights datastructures rightsdb' and performed by function  $rrights\_add$ . The rights datastructures rightsdb' also serve as basis for function  $rcv\_rightsdb\_add$  which computes the updates of  $p_{rcv}$ 's rights database regarding the additional process. The result is stored in rightsdb''. Finally, function  $rcv\_rightsdb$  returns the entry of the receiver in rightsdb''.

The combination of the functions snd\_rightsdb and rcv\_rightsdb delivers the overall update of the rights datastructures:

```
 \begin{array}{l} {\rm v\_ipc\_trans\_updt\_rightsdb} \ \it rightsdb \ \it p_{snd} \ \it hn_{rcv} \ \it hn_{add} \ \it rights_{snd} \ \it rights_{add} \equiv \\ {\rm let} \ \it p_{rcv} = \lceil \it rightsdb \ \it p_{snd} \rceil. hdb \ \it hn_{rcv}; \\ \it \it rightsdb_{rcv} = \rm rcv\_rightsdb \ \it rightsdb \ \it p_{rcv} \ \it p_{snd} \ \it rights_{snd} \ \it hn_{add} \ \it rights_{add}; \\ \it \it rightsdb_{snd} = \rm snd\_rightsdb \ \it rightsdb \ \it p_{snd} \ \it p_{rcv} \\ {\rm in} \ \it rightsdb(\lceil \it p_{rcv} \rceil \ \mapsto \ \it rightsdb_{rcv}, \ \it p_{snd} \ \mapsto \ \it rightsdb_{snd}) \\ \end{array}
```

**Updating the Virtual Machines.** The update of the virtual machines mainly comprises the result messages to the sender and the receiver. However, the former only gets a SUCCESS message, if the sending was not part of

an IPC\_REQUEST call. If so, the intended operation is not completed because the receive phase will still follow.

In contrast, receiving always terminates an IPC operation. Consequently, the receiver  $p_{\sf rcv}$  is notified about the successful transmission by means of a SUCC\_RECEIVE message. Main content of the message are the return handles together with the associated rights and the actual memory message from the sender. In addition,  $p_{\sf rcv}$  is provided with some administrative information, for instance, whether the returned handles have previously been used for other processes or any interrupts occurred or, if the handle database contains any invalid handles.

Function v\_ipc\_trans\_updt\_procs encapsulates the formal description of the message delivery:

```
v_ipc_trans_updt_procs uprocs rightsdb devds p<sub>snd</sub> req hn<sub>rcv</sub> rights<sub>snd</sub>
 msg \ hn_{add} \ rights_{add} \equiv
  let p_{rcv} = [rightsdb \ p_{snd}].hdb \ hn_{rcv};
        p_{add} = [rightsdb \ p_{snd}].hdb \ hn_{add};
        \textit{rhn}_{\mathsf{snd}} = \mathsf{to\_hn} \; \textit{rightsdb} \; \lceil p_{\mathsf{rcv}} \rceil \; p_{\mathsf{snd}};
        reused_{snd} = rhn_{snd} \in [rightsdb [p_{rcv}]].stolen;
        rhn_{add} = rhn_{add} \ rightsdb \ p_{rcv} \ p_{snd} \ p_{add} \ hn_{add};
        reused_{add} = rhn_{add} \neq rhn_{snd} \land rhn_{add} \in [rightsdb [p_{rcv}]].stolen;
        rightsdb_{post} =
          v_ipc_trans_updt_rightsdb rightsdb p_{snd} hn_{rcv} hn_{add} rights_{snd}
           rights_{add};
        rrights_{snd} = \lceil \lceil rightsdb_{post} \lceil p_{rcv} \rceil \rceil .rdb \lfloor p_{snd} \rfloor \rceil;
          if p_{add} = p_{rcv} then \{\} else [[rightsdb_{post} [p_{rcv}]].rdb <math>p_{add}];
        stolen = \lceil rightsdb_{post} \lceil p_{rcv} \rceil \rceil.stolen \neq \{\};
        irgs = \{i \in devds.saved. devds.driver i = p_{rev}\};
        to_{inf} = timeoutInfinite uprocs p_{snd}
  in \lambda x. if x = p_{snd} \land \neg req then [\delta_{proc} SUCCESS [uprocs x]]
             else if x = \lceil p_{rcv} \rceil
                    then \lfloor \delta_{proc} (SUCC_RECEIVE rhn_{snd} reused_{snd} rrights_{snd}
                                         (mObjSeq msg) rhnadd reusedadd rrightsadd
                                         stolen to<sub>inf</sub> irqs)
                                 [uprocs x]
                    else uprocs x
```

An additional input parameter req determines whether the sender  $p_{\sf snd}$  performs an IPC\_REQUEST. Depending on this, its virtual machine is either provided with a SUCCESS message or remains unchanged.

Assembling the SUCC\_RECEIVE message for  $p_{rcv}$  describes the remaining parts of the definition. The return handles  $rhn_{snd}$  and  $rhn_{add}$  are computed as before and marked as reused, if they were previously contained in the stolen set of  $p_{rcv}$ . We use the flags  $reused_{snd}$  and  $reused_{add}$  to signal a re-use, whereas the latter is only active, if  $rhn_{add}$  is additionally different from  $rhn_{snd}$ . The returned rights rely on the updated rights datastructures  $rightsdb_{post}$  which result from the previously introduced function

v\_ipc\_trans\_updt\_rightsdb. Actually, the rights  $rrights_{snd}$  and  $rrights_{add}$  correspond to the entries in the rights database. The latter, however, describes the empty set, if the additional process is the receiver itself. Invalid handles in the updated handle database of  $p_{rcv}$  are signaled by the flag stolen. It is active, if the set of stolen handles is not empty. The state component saved stores all occurred but not yet handled external device interrupts. If  $p_{rcv}$  acts as driver for any of these interrupts, VAMOS uses the SUCC\_RECEIVE message for the interrupt delivery. For this purpose, set irqs subsumes all interrupts which are handled by  $p_{rcv}$ .

With  $p_{\sf rcv}$  acting as server, it might be interesting to know, whether the transmission was part of an IPC\_REQUEST initiated by  $p_{\sf snd}$  and, in particular, whether the upcoming receive phase is performed with an infinite timeout. If so, flag  $to_{\sf inf}$  is active, which is formally determined by predicate timeoutlnfinite:

```
timeoutInfinite uprocs\ p \equiv \exists rcv\_hn\ snd\_rights\ msg\ add\_hn\ add\_rights\ snd\_timeout\ buffer. \omega_{proc}\ \lceil uprocs\ p \rceil = \\ \text{IPC\_REQUEST}\ rcv\_hn\ snd\_rights\ msg\ add\_hn\ add\_rights\ snd\_timeout\ buffer\ \infty
```

Updating the Send Status Database. The update of the send status database is straightforward. From the receiver's point of view the IPC operation is completed. Consequently, the send status is set to False. After sending, the status of the sender depends on its actual operation. If the send phase was part of an IPC\_REQUEST, the send status is active, i. e., set to True. Otherwise, the status is inactive. VAMOS determines both situation by means of the flag req.

```
v_ipc_trans_updt_sndstatdb sndstatdb p_{snd} p_{rcv} req \equiv sndstatdb(p_{snd} \mapsto req, p_{rcv} \mapsto False)
```

Updating the Device Datastructures. As seen before, the message SUCC\_RECEIVE is used to deliver occurred interrupts to  $p_{rcv}$ . Hence, from the kernel's point of view there is no need to store them any longer. Thus, VAMOS removes the delivered interrupts from the set of saved interrupts.

The function  $v_{ipc\_trans\_updt\_devds}$  specifies the according effects on the device datastructures:

```
v_ipc_trans_updt_devds devds\ p_{rcv} \equiv  let irqs_{del} = \{i.\ devds.driver i = \lfloor p_{rcv} \rfloor \} in devds(|saved := devds.saved - irqs_{del})
```

#### **IPC Send**

In order to invoke the VAMOS call IPC\_SEND, the (expected) sender  $p_{snd}$  has to specify (a) the handle  $hn_{rcv}$  to the receiver together with the rights

 $rights_{\sf snd}$  that should be granted, (b) the handle  $hn_{\sf add}$  to a (potential) additional process associated with the rights  $rights_{\sf add}$  for the receiver, (c) the memory message  $msg_{\sf snd}$ , and (d) the timeout  $to_{\sf snd}$ .

Based on these values, VAMOS performs error checks which reflect the different phases of IPC\_SEND. We first introduce these checks in the following paragraphs before we proceed with the overall specification.

**Invocation.** In order to pass the invocation phase, the input arguments specified by the sender  $p_{snd}$ , have to fulfill certain requirements. These requirements bear on the correct specification of the arguments but also take the required IPC rights into account.

Formally, function ipc\_send\_invoc\_err describes the error checks:

```
ipc_send_invoc_err rightsdb p_{\rm snd} hn_{\rm rcv} rights_{\rm snd} msg hn_{\rm add} rights_{\rm add} \equiv if hn_{\rm rcv} = HN_SELF \vee \neg valid_handle rightsdb p_{\rm snd} hn_{\rm rcv} then ERR_SND_INVALID_HANDLE else if hn_{\rm add} \neq HN_NONE \wedge \neg valid_handle rightsdb p_{\rm snd} hn_{\rm add} then ERR_INVALID_HANDLE else if \neg valid_snd_args rights_{\rm snd} rights_{\rm add} hn_{\rm add} msg then ERR_INVALID_ARGS else if msg = MObjUnavailable then ERR_SND_SEGV else if \neg allowed_snd_op rightsdb p_{\rm snd} hn_{\rm rcv} rights_{\rm add} then ERR_UNPRIVILEGED else SUCCESS
```

VAMOS rejects the receiver handle  $hn_{rcv}$  with ERR\_SND\_INVALID\_HANDLE, if it intends a self-reference or if it is invalid.

Error ERR\_INVALID\_HANDLE is returned, as soon as  $p_{snd}$  wants to publish an additional process, i. e.,  $hn_{add} \neq HN\_NONE$ , but  $hn_{add}$  is not valid.

The requirements for the specified rights and the memory message encapsulates predicate valid\_snd\_args:

```
valid_snd_args rights_{snd} rights_{add} hn_{add} msg \equiv rights_{snd} \neq \bot \land rights_{add} \neq \bot \land msg \neq MObjUndefined
```

It demands valid rights, i. e.,  $rights_{snd}$  and  $rights_{add}$  are not equal to  $\bot$ , and a defined memory message, i. e.,  $msg_{snd} \neq MObjUndefined$ . Any violations lead to the error value ERR\_INVALID\_ARGS.

An unavailable memory message is acknowledged with the error message ERR\_SND\_SEGV, whereas ERR\_UNPRIVILEGED indicates insufficient rights. The latter is checked by means of predicate allowed\_snd\_op:

```
allowed_snd_op rightsdb p_{snd} hn_{rcv} rights_{add} \equiv  let p_{rcv} = \lceil rightsdb p_{snd} \rceil.hdb hn_{rcv} in v_sendR \in \lceil \lceil rightsdb p_{snd} \rceil.rdb p_{rcv} \rceil \land  (rights_{add} = \lfloor \{ \} \rfloor \lor privileged rightsdb p_{snd})
```

Two prerequisites have to be fulfilled by the sender: (a) it needs the send right  $v\_sendR$  to the receiver, and (b) it needs privileges to assign a non-empty set  $rights_{add}$  of rights to the additional process.

The invocation phase succeeds, if function <code>ipc\_send\_invoc\_err</code> returns <code>success</code>.

**Pre-Transmission.** After successfully passing the invocation phase, the IPC\_SEND operation enters the pre-transmission phase. The aim of this phase is to determine whether the desired communication partner is ready to receive and, at the same time, meets all requirements for the operation, i.e., that the specified buffer *buf*<sub>rcv</sub> is big enough for *msg*<sub>snd</sub>.

Vamos uses the predicate ipc\_send\_rendez\_vous to determine the readiness of the receiver:

```
\begin{split} & \text{ipc\_send\_rendez\_vous} \ uprocs \ schedds \ sndstatusdb \ rightsdb \ p_{\mathsf{snd}} \ hn_{\mathsf{rcv}} \equiv \\ & \text{let} \ p_{\mathsf{rcv}} = \lceil\lceil rightsdb \ p_{\mathsf{snd}} \rceil. \text{hdb} \ hn_{\mathsf{rcv}} \rceil \\ & \text{in} \ p_{\mathsf{rcv}} \in \mathsf{set} \ schedds. \text{wait} \ \land \\ & (\mathbf{case} \ \omega_{\mathsf{proc}} \ \lceil uprocs \ p_{\mathsf{rcv}} \rceil \ \mathsf{of} \\ & \text{IPC\_RECEIVE} \ hn_{\mathsf{snd}} \ buffer \ to_{\mathsf{rcv}} \Rightarrow \\ & \lceil rightsdb \ p_{\mathsf{rcv}} \rceil. \text{hdb} \ hn_{\mathsf{snd}} = \lfloor p_{\mathsf{snd}} \rfloor \ \lor \ hn_{\mathsf{snd}} = \mathsf{HN\_NONE} \\ & | \text{IPC\_REQUEST} \ hn_{\mathsf{rcv}} \ rights_{\mathsf{snd}} \ msg \ hn_{\mathsf{add}} \ rights_{\mathsf{add}} \ to_{\mathsf{snd}} \ buffer \ to_{\mathsf{rcv}} \Rightarrow \\ & \lceil sndstatusdb \ p_{\mathsf{rcv}} \rceil \ \land \lceil rightsdb \ p_{\mathsf{rcv}} \rceil. \text{hdb} \ hn_{\mathsf{rcv}} = \lfloor p_{\mathsf{snd}} \rfloor \\ & | \ \_ \Rightarrow \mathsf{False}) \end{split}
```

Due to the validity of  $hn_{\rm rcv}$ , the process number  $p_{\rm rcv}$  of the receiver can be taken from the handle database of  $p_{\rm snd}$ . The predicate only applies, if  $p_{\rm rcv}$  is waiting while looking forward to a receive operation with  $p_{\rm snd}$  involved. The former is denoted by  $p_{\rm rcv}$ 's membership in the wait queue schedds.wait, whereas the latter is determined by the process output. The will to receive is signaled by the outputs IPC\_RECEIVE and IPC\_REQUEST. In the former case,  $p_{\rm rcv}$  is ready to receive from  $p_{\rm snd}$ , if the handle  $hn_{\rm snd}$  either specifies an open-receive, i. e.,  $hn_{\rm snd} = HN\_NONE$ , or points to  $p_{\rm snd}$ . With IPC\_REQUEST no open-receives are possible. Thus,  $hn_{\rm snd}$  has to point to  $p_{\rm snd}$ . In addition, the send phase has to be completed, which is indicated by an active send status.

Note that the calls IPC\_RECEIVE and IPC\_REQUEST already passed the invocation phase, before they have been forced to wait. Thus, demanding the wait state of  $p_{rcv}$  ensures, that the call arguments are valid and can safely be used.

Predicate ipc\_send\_buffer\_ovfl determines, whether the receive buffer  $buf_{rcv}$  is big enough for  $msg_{snd}$ . Relying on the validity of  $msg_{snd}$  as well as  $buf_{rcv}$ , it simply compares their sizes:

```
ipc_send_buffer_ovfl uprocs\ rightsdb\ p_{snd}\ hn_{rcv}\ msg_{snd}\equiv let p_{rcv}=\lceil\lceil rightsdb\ p_{snd}\rceil.hdb\ hn_{rcv}\rceil;\ proc_{rcv}=\lceil uprocs\ p_{rcv}\rceil in get_buflen (\omega_{proc}\ proc_{rcv})< length (mObjSeq msg_{snd})
```

Both are compatible, if the length of  $msg_{snd}$  is smaller than the one of  $buf_{rcv}$ . Otherwise, a buffer overflow occurs.

**Overall Specification.** VAMOS distinguishes the different phases of the VAMOS call IPC\_SEND by means of the output of function ipc\_send\_err:

```
ipc_send_err uprocs schedds sndstatusdb rightsdb hn_{rcv} rights_{snd} msg hn_{add} rights_{add} to_{snd} \equiv let p_{snd} = \lceil v\_{cup} \ schedds \rceil; res = ipc_send_invoc_err rightsdb p_{snd} hn_{rcv} rights_{snd} msg hn_{add} rights_{add} in if is_error res then res else if ipc_send_rendez_vous uprocs schedds sndstatusdb rightsdb p_{snd} hn_{rcv} then if ipc_send_buffer_ovfl uprocs rightsdb p_{snd} hn_{rcv} msg then ERR_SND_BUFFER_OVFL else SUCCESS else if to_{snd} = 0 then ERR_SND_TIMEOUT else \epsilon_{\Sigma}
```

Based on the current process acting as sender  $p_{snd}$  and the result res from the function  $ipc\_send\_invoc\_err$ , the definition reflects the different phases. The invocation phase is represented by function  $ipc\_send\_invoc\_err$  and its result res, respectively. If any invocation error occurred, predicate  $is\_error$  holds and res is returned. The pre-transmission phase is represented by the predicates  $ipc\_send\_rendez\_vous$  and  $ipc\_send\_buffer\_ovfl$ . If the former holds, it depends on the latter whether the transmission starts or fails. A buffer overflow aborts the operation with the error message ERR\\_SND\\_BUFFER\\_OVFL whereas SUCCESS initiates an immediate transmission. The timeout  $to_{snd}$  comes into play, if no rendez-vous is detected. An immediate timeout, i. e.,  $to_{snd} = 0$ , results in the error ERR\_SND\_TIMEOUT, whereas  $res = \epsilon_{\Sigma}$  indicates the will to wait.

The overall specification is given by function vamos\_ipc\_send:

```
vamos_ipc_send s_V hn_{rcv} rights_{snd} msg hn_{add} rights_{add} to_{snd} \equiv
 let uprocs = s_V.procs; schedds = s_V.schedds; priodb = s_V.priodb;
      sndstatdb = s_V.sndstatdb; rightsdb = s_V.rightsdb;
       devds = s_V.devds;
       res =
        ipc_send_err uprocs schedds sndstatdb rightsdb hnrcv rightssnd
         msg \ hn_{add} \ rights_{add} \ to_{snd};
       p_{snd} = [v\_cup \ schedds]; p_{rcv} = [[rightsdb \ p_{snd}].hdb \ hn_{rcv}]
 in if is_error res then s_V([procs := uprocs(p_{snd} \mapsto \delta_{proc} res [uprocs p_{snd}]))
     else if res = \varepsilon_{\Sigma}
            \mathbf{then}\ s_{\mathsf{V}}(\mathbf{schedds}:=\mathsf{v\_ipc\_wait\_updt\_schedds}\ \mathit{schedds}\ \mathit{p}_{\mathsf{snd}}
                                       [priodb p_{snd}] to_{snd}]
            else s_V(procs := v\_ipc\_trans\_updt\_procs uprocs rightsdb devds
                                   p_{snd} False hn_{rcv} rights_{snd} msg hn_{add} rights_{add},
                        schedds := v_wkp_updt_schedds [p_{rcv}] priodb,
                        sndstatdb := v_ipc_trans_updt_sndstatdb sndstatdb p_{snd} p_{rcv}
                        rightsdb := v\_ipc\_trans\_updt\_rightsdb \ rightsdb \ p_{snd} \ hn_{rcv}
                                        hn_{add} rights_{snd} rights_{add},
                        devds := v_{ipc\_trans\_updt\_devds} devds p_{rcv}
```

The process number  $p_{snd}$  of the sender is given by function  $v_{cup}$ . Accessing  $p_{snd}$ 's handle database with  $hn_{rcv}$  delivers the process number  $p_{rcv}$  of the

receiver and *res* holds the result of function ipc\_send\_err.

The latter forms the basis for the following case distinctions. As usual, if res denotes an error, VAMOS delivers the according error message to the calling process, i.e.,  $p_{snd}$ . If the return value of function ipc\_send\_err denotes  $\epsilon_{\Sigma}$ , the sender is put into the wait state. Accordingly, function v\_ipc\_wait\_updt\_schedds describes the changes on the scheduling datastructures. The remaining case covers the transmission which is described by the dedicated functions.

#### **IPC** Receive

In order to invoke the VAMOS call IPC\_RECEIVE, the (expected) receiver  $p_{rcv}$  has to specify (a) a handle  $hn_{snd}$ , (b) a buffer  $buf_{rcv}$ , and (c) the timeout  $to_{rcv}$ .

In Section 2.5.1, we already mentioned that the VAMOS call IPC\_RECEIVE can be operated in different modes. Thereby, handle  $hn_{snd}$  plays a special role as it choses between the different operating modes. The first mode reflects the ordinary communication between processes. As invoking process, the receiver specifies the desired sender by means of the process handle  $hn_{snd}$ and commits itself to this particular process as only possible sender. Apart from that, IPC\_RECEIVE can also be operated as an open-receive which is made for servers that rely on the possibility to receive requests from various clients. This option is enabled by setting hn<sub>snd</sub> to HN\_NONE and allows to be simultaneously available for more than one sender. The remaining operating mode is tailor-made for device drivers which take a great interest in receiving external interrupts as fast as possible. In order to meet this desire, the call IPC\_RECEIVE provides the possibility for a closed-receive from the kernel. This option is selected by setting  $hn_{\sf snd}$  to  ${\sf HN\_KERNEL}$ and restricts the receiving to notifications from the VAMOS kernel only. In doing so, the VAMOS kernel is qualified to deliver according notifications as soon as interrupts for the driver occur. A more detailed view on that provides Section 4.6.

The specified arguments are checked for their validity in the invocation phase. The detection of errors leads to the abortion of the call and  $p_{\sf rcv}$  gets an according error message. Otherwise, the following pre-transmission phase looks for an appropriate sender. The pre-transmission phase largely depends on the operating mode of IPC\_RECEIVE. Especially in the case of an open-receive, the determination of a sender could affect various processes. As a consequence, the updates of the particular state components get more involved which is why they are encapsulated in dedicated functions.

The outline of the remainder of this section looks as follows. We first introduce the checks regarding invocation errors. After that, we describe the determination of a sender and associated effects which we formally encapsulate into functions. Finally, we combine everything in order to get the

overall specification of the call IPC\_RECEIVE.

**Invocation.** Due to the small number of arguments, checking for invocation errors is quite straightforward. Formally, function <code>ipc\_rcv\_invoc\_err</code> describes the error checks:

```
ipc_rcv_invoc_err rightsdb\ p_{rcv}\ hn_{snd}\ buffer \equiv
if hn_{snd} = HN\_SELF \lor
hn_{snd} \notin \{HN\_NONE, HN\_KERNEL\} \land \neg\ valid\_handle\ rightsdb\ p_{rcv}\ hn_{snd}
then ERR\_RCV\_INVALID\_HANDLE
else if buffer = BufUndefined\ then\ ERR\_INVALID\_ARGS
else if buffer = BufUnavailable\ then\ ERR\_RCV\_SEGV\ else\ SUCCESS
```

The receiver  $p_{\text{rcv}}$  is not allowed to receive from itself, and, as long as it does neither perform an open-receive nor a closed-receive from the kernel, the specified handle  $hn_{\text{snd}}$  has to be valid. Otherwise, error code ERR\_RCV\_INVALID\_HANDLE is returned. Furthermore, the buffer has to be defined and available. Violating the former condition leads to the error message ERR\_INVALID\_ARGS while an unavailable buffer leads to ERR\_RCV\_SEGV Every output from ipc\_rcv\_invoc\_err not equal to SUCCESS leads to an abortion of the operation accompanied by an error notification to the originating process. The output SUCCESS, however, heralds the start of the pretransmission phase.

**Pre-Transmission.** The simplest case depicts a closed-receive from the kernel. Except for  $p_{\sf rcv}$ , no other process is involved and the VAMOS kernel solely checks whether there are any notifications for  $p_{\sf rcv}$ . If so, VAMOS delivers an according message to  $p_{\sf rcv}$  and thereby completes the call. Otherwise, either  $p_{\sf rcv}$  waits or the call is aborted due to a timeout error.

Determining the communication partner, in case of a closed-receive from another process, is similar as with IPC\_SEND. With the validity of handle  $hn_{\sf snd}$ , the desired sender  $p_{\sf snd}$  can be identified by accessing the handle database of  $p_{\sf rcv}$  with  $hn_{\sf snd}$ . By means of predicate v\_is\_sending\_to, VAMOS further checks whether  $p_{\sf snd}$  is willing to send to  $p_{\sf rcv}$ :

```
v_is_sending_to uprocs sndstatdb rightsdb p_{\sf snd} p_{\sf rcv} \equiv case \omega_{\sf proc} [uprocs p_{\sf snd}] of IPC_SEND hn_{\sf rcv} rights_{\sf snd} msg hn_{\sf add} rights_{\sf add} to_{\sf snd} \Rightarrow [rightsdb p_{\sf snd}].hdb hn_{\sf rcv} = [p_{\sf rcv}] | IPC_REQUEST hn_{\sf rcv} rights_{\sf snd} msg hn_{\sf add} rights_{\sf add} to_{\sf snd} buffer to_{\sf rcv} \Rightarrow [rightsdb p_{\sf snd}].hdb hn_{\sf rcv} = [p_{\sf rcv}] \land sndstatdb p_{\sf snd} = [False] | \neg \Rightarrow False
```

Basically, that is the case, if the output denotes IPC\_SEND or IPC\_REQUEST and the handle  $hn_{\sf snd}$  points to  $p_{\sf rcv}$ . While a combined send and receive, however, the send phase may not yet be completed, i. e., the send status has to be inactive. A transmission comes about, if the message  $msg_{\sf snd}$  of  $p_{\sf snd}$ 

fits into the receive buffer  $buf_{rcv}$ . Otherwise,  $p_{rcv}$  is put into the wait state or the call is aborted with a timeout message to  $p_{rcv}$ .

Things get more elaborate, if  $p_{\mathsf{rcv}}$  performs an open-receive. Thereby, the communication is no longer restricted to the kernel or one particular process, but various processes come into consideration as potential sender. Namely, all those which are waiting for a send operation with  $p_{\mathsf{rcv}}$  as receiver. These processes are subsumed in a so-called send queue  $sq_{\mathsf{rcv}}$ , which is specific to  $p_{\mathsf{rcv}}$ . The send queue  $sq_{\mathsf{rcv}}$  results from the wait queue and is generated by function  $\mathsf{v}_{\mathsf{-gen}\_\mathsf{sq}}$ :

```
v_gen_sq uprocs schedds sndstatdb rightsdb p_{rcv} \equiv [p \in schedds.wait . v_is_sending_to uprocs sndstatdb rightsdb <math>p p_{rcv}]
```

The resulting queue contains all waiting processes p that fulfill the predicate  $v_{is\_sending\_to}$ , where  $p_{rcv}$  is assigned as receiver. Note that  $sq_{rcv}$  preserves the chronological order of the wait queue and thus enables the request handling on the basis of first-come, first-serve. Following the chronological order, the head  $p_{hd}$  of  $sq_{rcv}$  ought to be the actual sender. However, VAMOS first checks whether  $p_{hd}$ 's message fits into  $buf_{rcv}$ . If not,  $p_{hd}$  gets the error message ERR\_SND\_BUFFER\_OVFL and VAMOS continues traversing  $sq_{rcv}$ , unless it finds an appropriate sender (with compatible message size) or no process remains.

Against this background, we define function <code>ipc\_rcv\_split\_sq</code>, which takes all contingencies regarding the determination of a sender into account:

```
\begin{split} &\text{ipc\_rcv\_split\_sq} \ uprocs \ rightsdb_{\text{rcv}} \ sq_{\text{rcv}} \ hn_{\text{snd}} \ buf_{\text{rcv}} \equiv \\ &\text{let} \ sq_{\text{eff}} = \\ &\text{if} \ hn_{\text{snd}} = \text{HN\_KERNEL then []} \\ &\text{else if} \ hn_{\text{snd}} = \text{HN\_NONE then } sq_{\text{rcv}} \\ &\text{else filter (op = \lceil rightsdb_{\text{rcv}}.\text{hdb } hn_{\text{snd}} \rceil) \ sq_{\text{rcv}};} \\ &buf\_ovfl = \lambda p. \ \text{bufLength } buf_{\text{rcv}} < \text{get\_msglen } (\omega_{\text{proc}} \lceil uprocs \ p \rceil) \\ &\text{in (takeWhile } buf\_ovfl \ sq_{\text{eff}}, \ dropWhile \ buf\_ovfl \ sq_{\text{eff}}) \end{split}
```

Based on the queue  $sq_{rcv}$  with the processes willing to send to  $p_{rcv}$ , the function first computes an effective send queue  $sq_{eff}$ . This queue is empty, if  $p_{rcv}$  performs a closed-receive from the kernel, i. e.,  $hn_{snd} = HN\_KERNEL$ , and equivalent to  $sq_{rcv}$  while an open-receive, i. e.,  $hn_{snd} = HN\_NONE$ . In case of a closed-receive, the process number of the desired sender is obtained by accessing  $p_{rcv}$ 's handle database with  $hn_{snd}$ . If this process number is contained in  $sq_{rcv}$ , it describes the only element of  $sq_{eff}$ . Otherwise,  $sq_{eff}$  is empty.

With the effective send queue  $sq_{\rm eff}$  at hand, VAMOS continues with checking the compatibility of the send messages and the receive buffer  $buf_{\rm rcv}$ . As a consequence,  $sq_{\rm eff}$  is split into two queues. The former is the longest prefix of  $sq_{\rm eff}$  with oversized messages, the latter is the remaining queue after stripping the prefix. In doing so, bufLength determines the size of  $buf_{\rm rcv}$  and  $get\_msglen$  the ones of the send messages.

In case that the remaining queue is not empty, its head determines the actual sender for the transmission. Otherwise, no transmission takes place but  $p_{\sf rcv}$  could at least receive kernel notifications. Whether notifications are delivered decides predicate knotify which is also used in the context of a closed-receive from the kernel:

```
knotify rightsdb\ devds\ hn_{\sf snd}\ p_{\sf rcv} \equiv hn_{\sf snd} \in \{\sf HN\_NONE,\ HN\_KERNEL\} \land \\ \neg (\lceil rightsdb\ p_{\sf rcv} \rceil. {\sf stolen} = \{\} \land \\ \{i \in devds. {\sf saved}.\ devds. {\sf driver}\ i = \lfloor p_{\sf rcv} \rfloor \} = \{\})
```

In general, a receiver  $p_{\sf rcv}$  is ready to receive kernel notifications while performing an open-receive or a closed-receive from the kernel. The VAMOS kernel, however, only delivers notifications, if there is a reason, i. e., if there are invalid handles in  $p_{\sf rcv}$ 's handle database or pending interrupts with  $p_{\sf rcv}$  as registered driver. Regarding the definition of knotify this means, that VAMOS only sends a notification, if either the set of stolen handle of  $p_{\sf rcv}$  is not empty or set saved contains interrupts handled by  $p_{\sf rcv}$ .

Updating the User Processes. The update of the user processes is fairly elaborate and comprises several case distinctions. Common to all cases is, that processes causing buffer overflows are provided with an according error message. Apart from that, VAMOS distinguishes two main cases. The first one describes the situation that no suitable sender was found. Based on this, VAMOS determines whether it is possible that notification can be delivered to  $p_{rcv}$ . If so, VAMOS assembles an according message and sends it to  $p_{rcv}$ . In case that no notifications can be delivered, the timeout  $to_{rcv}$  decides whether  $p_{rcv}$  receives a timeout error. The effects of a transmission are described by function  $v_{ipc\_trans\_updt\_procs}$ .

Formally, function v\_ipc\_rcv\_updt\_procs combines all these case distinctions:

```
v_ipc_rcv_updt_procs uprocs rightsdb devds sq_{rcv} p_{rcv} hn_{snd} buffer to_{rcv} \equiv
let (sendQ_{bovfl}, sendQ_{snd}) =
ipc_rcv_split_sq uprocs \lceil rightsdb p_{rcv} \rceil sq_{rcv} hn_{snd} buffer;
uprocs_bovfl =
\lambda p. \text{ if } p \in set sendQ_{bovfl}
then \lfloor \delta_{proc} ERR\_SND\_BUFFER\_OVFL \lceil uprocs p \rceil \rfloor else uprocs p;
irqs = \{i \in devds.saved. devds.driver i = \lfloor p_{rcv} \rfloor \};
stolen = \lceil rightsdb p_{rcv} \rceil.stolen \neq \{\};
knot =
SUCC\_RECEIVE HN\_KERNEL False \{\} [] HN\_NONE False \{\} stolen False irqs
in case sendQ_{snd} of
[] \Rightarrow \text{ if } knotify rightsdb devds hn_{snd} p_{rcv}
then uprocs_{bovfl}(p_{rcv} \mapsto \delta_{proc} knot \lceil uprocs p_{rcv} \rceil)
```

```
else if to_{rcv} = 0

then \ uprocs_{bovfl}(p_{rcv} \mapsto \delta_{proc} \ ERR\_RCV\_TIMEOUT \ [uprocs \ p_{rcv}])

else uprocs_{bovfl}

| p_{snd} \cdot ps \Rightarrow

let req = is\_send\_receive \ (\omega_{proc} \ [uprocs \ p_{snd}]);

(hn_{rcv}, rights_{snd}, msg, hn_{add}, rights_{add}) =

get\_sender\_args \ (\omega_{proc} \ [uprocs \ p_{snd}])

in v\_ipc\_trans\_updt\_procs \ uprocs_{bovfl} \ rights_{add}

hn_{rcv} \ rights_{snd} \ msg \ hn_{add} \ rights_{add}
```

Based on the send queue  $sq_{rcv}$ , function ipc\_rcv\_split\_sq is used to subsume the processes causing buffer overflows in  $sendQ_{bovfl}$  whereas  $sendQ_{snd}$  denotes the remainder of  $sq_{rcv}$ . The intermediate update  $uprocs_{bovfl}$  of the virtual machines describes the delivery of message ERR\_SND\_BUFFER\_OVFL to all processes in  $sendQ_{bovfl}$ . Relying on this update, we proceed with the remaining case distinctions.

An empty queue  $sendQ_{snd}$  denotes the fact that no appropriate sender is ready. However, if predicate knotify applies, it is at least possible to deliver any notifications to  $p_{rcv}$ . The according message is generated by function deliverNotifications and abbreviated by knot. If the delivery of notifications is not possible,  $p_{rcv}$  either receives the error message ERR\_RCV\_TIMEOUT or the virtual machines  $uprocs_{bovfl}$  remain untouched.

The sender  $p_{snd}$ , in case of a transmission, is given by the head of  $sendQ_{snd}$ . Function get\_sender\_args delivers the according arguments and the predicate is\_send\_receive determines, whether the sender  $p_{snd}$  performs an IPC\_REQUEST call.

Based on these values, the function v\_ipc\_trans\_updt\_procs performs the relevant updates.

Updating the Rights Datastructures. Taking the preceding considerations into account, the update of the rights datastructures is straightforward. The function v\_ipc\_trans\_updt\_rightsdb delivers the update, if a transition takes place. Otherwise, the datastructures stay untouched:

```
 \begin{split} \text{v\_ipc\_rcv\_updt\_rightsdb} \ \textit{rightsdb} \ \textit{uprocs} \ \textit{sendQ} \ \textit{p}_{\text{rcv}} \ \textit{h} \textit{n}_{\text{snd}} \ \textit{buffer} \equiv \\ \text{case} \ \text{snd} \ (\text{ipc\_rcv\_split\_sq} \ \textit{uprocs} \ \lceil \textit{rightsdb} \ \textit{p}_{\text{rcv}} \rceil \ \textit{sendQ} \ \textit{h} \textit{n}_{\text{snd}} \ \textit{buffer}) \ \textbf{of} \\ [] \Rightarrow \textit{rightsdb} \\ | \ \textit{p} \cdot \textit{ps} \Rightarrow \\ \text{let} \ (\textit{h} \textit{n}_{\text{rcv}}, \textit{rights}_{\text{snd}}, \textit{msg}, \textit{h} \textit{n}_{\text{add}}, \textit{rights}_{\text{add}}) = \\ \text{get\_sender\_args} \ (\omega_{\text{proc}} \ \lceil \textit{uprocs} \ \textit{p} \rceil) \\ \text{in} \ \textit{v\_ipc\_trans\_updt\_rightsdb} \ \textit{rightsdb} \ \textit{p} \ \textit{h} \textit{n}_{\text{rcv}} \ \textit{h} \textit{n}_{\text{add}} \ \textit{rights}_{\text{snd}} \ \textit{rights}_{\text{add}} \end{split}
```

A transmission only takes place, if the the second component of the tuple returned by <code>ipc\_rcv\_split\_sq</code> is not empty. The head is chosen as sender and function <code>get\_sender\_args</code> determines its specified arguments and passes them on to the transmission function.

Updating the Scheduling Datastructures. The update of the scheduling datastructures follows the same structure as the one for the virtual machines. First of all, processes causing buffer overflows are waken up. Apart from that, VAMOS again distinguishes whether a transmission takes place or not. If not,  $p_{rcv}$  is put into the wait state, as long as no kernel notifications can be delivered and no timeout occurrs. After a transmission initiated by an IPC\_RECEIVE, the sender  $p_{snd}$  is usually put back to the ready state. However, this is only true, if  $p_{snd}$  does not perform an IPC\_REQUEST. Otherwise, it is forced to wait again for a response from  $p_{rcv}$  and only its timeout is recomputed.

Formally, VAMOS uses function v\_ipc\_rcv\_updt\_schedds to describe the relevant updates:

```
v_ipc_rcv_updt_schedds schedds uprocs rightsdb priodb sndstatusdb
 devds \ sendQ \ p_{rcv} \ hn_{snd} \ buffer \ to_{rcv} \equiv
 let (sendQ_{boyfl}, sendQ_{snd}) =
         ipc_rcv_split_sq uprocs [rightsdb \ p_{rcv}] \ sendQ \ hn_{snd} \ buffer;
       schedds_{bovfl} = v_wkp_updt_schedds schedds sendQ_{bovfl} priodb
 in case sendQ_{snd} of
      ] \Rightarrow \mathbf{if} \neg \mathsf{knotify} \ rightsdb \ devds \ hn_{\mathsf{snd}} \ p_{\mathsf{rcv}} \land \ to_{\mathsf{rcv}} \neq 0
              then v_ipc_wait_updt_schedds schedds_{bovfl} p_{rcv} [priodb p_{rcv}]
                        to_{\mathsf{rcv}}
              else scheddsbovfl
      |p_{\mathsf{snd}} \cdot ps \Rightarrow
          if is_send_receive (\omega_{proc} [uprocs p_{snd}])
          then schedds<sub>bovfl</sub>
                   (procdb := schedds_{bovfl}.procdb(p_{snd} \mapsto
                       \lceil schedds_{boyfl}.procdb p_{snd} \rceil
                       \{timeout := compute\_new\_timeout uprocs schedds_{bovfl} p_{snd}\}\}
          else v_wkp_updt_schedds \mathit{schedds}_{\mathsf{bovfl}} [\mathit{p}_{\mathsf{snd}}] \mathit{priodb}
```

Again, the split send queue  $(sendQ_{bovfl}, sendQ_{snd})$  is the linchpin. The awakening of the processes in  $sendQ_{bovfl}$  results in the intermediate update  $schedds_{bovfl}$  which lays the foundation for the remaining steps.

If no sender is involved, i.e.,  $sendQ_{snd}$  is empty, the receiver either waits or gets a timeout error. The former happens, if the timeout value  $to_{rcv}$  does not intend an immediate timeout and no delivery of kernel notifications is possible. Accordingly, the pre-defined function  $v_{ipc\_wait\_updt\_schedds}$  describes the semantic effects. Otherwise, the scheduling datastructures  $schedds_{bovfl}$  stay unchanged.

A transmission takes place, if  $sendQ_{snd}$  is not empty. As long as  $p_{snd}$  does not perform an IPC\_REQUEST, it is put back into the ready state which is described by function  $v_{wkp\_updt\_schedds}$ . If the sending was part of an IPC\_REQUEST,  $p_{snd}$  switches over into the receive phase, whereas function compute\_new\_timeout determines the new timeout value:

```
compute_new_timeout uprocs schedds p \equiv case \omega_{proc} \lceil uprocs p \rceil of IPC_REQUEST hn_{rcv} rights<sub>snd</sub> msg hn_{add} rights<sub>add</sub> to<sub>snd</sub> buffer to<sub>rcv</sub> \Rightarrow to_{rcv} += schedds.time |\_ \Rightarrow \lceil schedds.procdb p \rceil.timeout
```

The specified receive timeout  $to_{\mathsf{rcv}}$  is added to the current time.

Updating the Send Status Database. The send status database is only updated, if the receiver's send queue  $sq_{rcv}$  contains a suitable sender. In this case, the pre-defined transmission function  $v_{ipc\_trans\_updt\_sndstatdb}$  handles the update. Otherwise, the send status database remains unchanged. Function  $v_{ipc\_rcv\_updt\_sndstatdb}$  encapsulates the semantic effects:

```
\label{eq:v_ipc_rcv_updt_sndstatdb} $\operatorname{vndstatdb} \ \operatorname{uprocs} \ \operatorname{rightsdb} \ \operatorname{sendQ} \ p_{\mathsf{rcv}} \ \operatorname{hn_{\mathsf{snd}}} \\ buffer \equiv \\ \mathbf{case} \ \mathsf{snd} \ (\mathsf{ipc\_rcv\_split\_sq} \ \operatorname{uprocs} \ \lceil \operatorname{rightsdb} \ p_{\mathsf{rcv}} \rceil \ \operatorname{sendQ} \ \operatorname{hn_{\mathsf{snd}}} \\ buffer) \ \mathbf{of} \\ [] \Rightarrow sndstatdb \\ | \ p \cdot ps \Rightarrow \\ \mathbf{v\_ipc\_trans\_updt\_sndstatdb} \ \operatorname{sndstatdb} \ p \ p_{\mathsf{rcv}} \\ (\mathsf{is\_send\_receive} \ (\omega_{\mathsf{proc}} \ \lceil \operatorname{uprocs} \ p \rceil)) \\ \end{aligned}
```

**Updating the Device Datastructures.** A transmission as well as kernel notifications involve the delivery of interrupts to the receiver. Thus, in both situations, an update of the device datastructures is to be expected. Function  $v_ipc_rcv_updt_devds$  formally defines this update while relying on function  $v_ipc_trans_updt_devds$ :

```
v_ipc_rcv_updt_devds devds rightsdb uprocs sendQ p_{rcv} hn_{snd} buffer \equiv if snd (ipc_rcv_split_sq uprocs \lceil rightsdb p_{rcv} \rceil sendQ hn_{snd} buffer) \neq [] \lor knotify rightsdb devds hn_{snd} p_{rcv} then v_ipc_trans_updt_devds devds p_{rcv} else devds
```

**Overall Specification.** The abstract function vamos\_ipc\_receive puts everything together and describes the overall specification of the VAMOS call IPC\_RECEIVE:

```
vamos_ipc_receive s_V hn_{snd} buffer to_{rcv} \equiv let procs = s_V.procs; schedds = s_V.schedds; priodb = s_V.priodb; sndstatdb = s_V.sndstatdb; rightsdb = s_V.rightsdb; devds = s_V.devds; p_{rcv} = \lceil v\_cup \ schedds \rceil; res = ipc\_rcv\_invoc\_err \ rightsdb \ p_{rcv} \ hn_{snd} \ buffer; sq_{rcv} = v\_gen\_sq \ procs \ schedds \ sndstatdb \ rightsdb \ p_{rcv} in if is_error res \ then \ s_V(\lceil procs := procs(p_{rcv} \mapsto \delta_{proc} \ res \ \lceil procs \ p_{rcv} \rceil)) else s_V(\lceil procs := v\_ipc\_rcv\_updt\_procs \ rightsdb \ devds \ sq_{rcv} \ p_{rcv} \ hn_{snd} \ buffer \ to_{rcv}, schedds := v\_ipc\_rcv\_updt\_schedds \ schedds \ procs \ rightsdb
```

```
\begin{array}{c} \textit{priodb sndstatdb devds } \textit{sq}_{\text{rcv}} \textit{ p}_{\text{rcv}} \textit{ } \textit{hn}_{\text{snd}} \textit{ } \textit{buffer} \\ \textit{to}_{\text{rcv}}, \\ \text{sndstatdb} := \textit{v}\_\textit{ipc}\_\textit{rcv}\_\textit{updt}\_\textit{sndstatdb } \textit{sndstatdb procs rightsdb} \\ \textit{sq}_{\text{rcv}} \textit{ } \textit{pr}_{\text{rcv}} \textit{ } \textit{hn}_{\text{snd}} \textit{ } \textit{buffer}, \\ \text{rightsdb} := \textit{v}\_\textit{ipc}\_\textit{rcv}\_\textit{updt}\_\textit{rightsdb } \textit{rightsdb procs } \textit{sq}_{\text{rcv}} \textit{ } \textit{pr}_{\text{rcv}} \\ \textit{hn}_{\text{snd}} \textit{ } \textit{buffer}, \\ \text{devds} := \textit{v}\_\textit{ipc}\_\textit{rcv}\_\textit{updt}\_\textit{devds } \textit{devds rightsdb procs } \textit{sq}_{\text{rcv}} \\ \textit{pr}_{\text{rcv}} \textit{ } \textit{hn}_{\text{snd}} \textit{ } \textit{buffer}) \\ \end{array}
```

#### **IPC** Request

The semantics of the IPC\_REQUEST call is pretty similar to the one of IPC\_SEND. They only differ in two points: the invocation errors and the update of the scheduling datastructures in case of a transmission.

Due to the additional call arguments the check for invocation errors has to be extended, as the definition of function <code>ipc\_sr\_invoc\_err</code> illustrates:

```
ipc_sr_invoc_err rightsdb p_{snd} hn_{rcv} rights_{snd} msg hn_{add} rights_{add} buffer to_{rcv} \equiv
if hn_{rcv} = HN\_SELF \lor \neg valid_handle rightsdb p_{snd} hn_{rcv}
then ERR\_SND\_INVALID\_HANDLE
else if hn_{add} \neq HN\_NONE \land \neg valid_handle rightsdb p_{snd} hn_{add}
then ERR\_INVALID\_HANDLE
else if \neg valid_sr_args rights_{snd} rights_{add} msg buffer hn_{add} to_{rcv}
then ERR\_INVALID\_ARGS
else if msg = MObjUnavailable then ERR\_SND\_SEGV
else if buffer = BufUnavailable then ERR\_RCV\_SEGV
else if \neg allowed_sr_op rightsdb p_{snd} hn_{rcv} rights_{add}
to_{rcv}
then ERR\_UNPRIVILEGED else \epsilon_{\Sigma}
```

Regarding the handles  $hn_{rcv}$  and  $hn_{add}$  the same conditions apply as within IPC\_SEND. The predicate valid\_sr\_args is based on the former predicate valid\_snd\_args and additionally checks for a defined buffer and a finite receive timeout:

```
valid_sr_args rights_{\rm snd} rights_{\rm add} msg buffer hn_{\rm add} to_{\rm rcv} \equiv {\rm valid\_snd\_args} rights_{\rm snd} to_{\rm rcv} to_{\rm rcv} \equiv {\rm valid\_snd\_args} to_{\rm rcv} \equiv {\rm valid\_snd\_args}
```

Besides an available message, an IPC\_REQUEST call also requires an available buffer. The sender is only allowed to perform the combined send and receive operation, if predicate allowed\_sr\_op holds:

```
allowed_sr_op rightsdb p_{\mathsf{snd}} hn<sub>rcv</sub> rights<sub>add</sub> to<sub>rcv</sub> \equiv let p_{\mathsf{rcv}} = \lceil rightsdb \; p_{\mathsf{snd}} \rceil.hdb hn<sub>rcv</sub>; rights<sub>curr</sub> = \lceil \lceil rightsdb \; p_{\mathsf{snd}} \rceil.rdb p_{\mathsf{rcv}} \rceil in rights<sub>curr</sub> \cap {v_sendR, v_requestR} \neq {} \wedge (privileged rightsdb p_{\mathsf{snd}} \vee rights_{\mathsf{add}} = \lfloor \{\} \rfloor) \wedge (to<sub>rcv</sub> = \infty \vee rights_{\mathsf{curr}} \cap \{\mathsf{v\_sendR}, \mathsf{v\_finiteR}\} \neq \{\})
```

Three prerequisites have to be fulfilled by the sender: (a) it needs the send or the request right to the receiver, (b) it needs privileges to assign a non-empty set  $rights_{add}$  of rights to the additional process, and (c) the timeout value  $to_{rcv}$  is either infinite or it has the permission to send with a finite timeout. The latter is fulfilled, if one of the rights v\_sendR or v\_finiteR is owned. In an analagous way as with ipc\_send\_err, we use ipc\_sr\_invoc\_err to define the predicate ipc\_sr\_err.

The second difference occurs while updating the scheduling datastructures in case of a transmission. In contrast to IPC\_SEND, a combined send and receive operation is not completed after the send phase. The sender rather switches its role and is forced to wait for a response. This interferes with the update of the scheduling datastructures, which is performed by means of function v\_ipc\_wkp\_wait\_updt\_schedds. The receiver is waken up and the sender is forced to wait. Furthermore, its new timeout value is set according to  $to_{rcv}$ .

Taking all the differences into account, the formal specification looks as follows:

```
vamos_ipc_send_receive s_V hn_{rcv} rights_{snd} msg hn_{add} rights_{add} to_{snd}
 buffer to_{rcv} \equiv
  let procs = s_V.procs; schedds = s_V.schedds; priodb = s_V.priodb;
        sndstatdb = s_V.sndstatdb; rightsdb = s_V.rightsdb;
        devds = s_V.devds; p_{snd} = [v\_cup schedds];
        p_{rcv} = \lceil \lceil rightsdb \ p_{snd} \rceil .hdb \ hn_{rcv} \rceil;
        res =
          ipc_sr_err procs schedds sndstatdb rightsdb hn_{rcv} rights<sub>snd</sub>
           msg hn<sub>add</sub> rights<sub>add</sub> to<sub>snd</sub> buffer to<sub>rcv</sub>
  \mathbf{in} \ \mathbf{if} \ \mathsf{is\_error} \ \mathit{res} \ \mathsf{then} \ \mathit{s}_{\mathsf{V}}(\mathsf{procs} := \mathit{procs}(\mathit{p}_{\mathsf{snd}} \mapsto \delta_{\mathsf{proc}} \ \mathit{res} \ \lceil \mathit{procs} \ \mathit{p}_{\mathsf{snd}} \rceil)))
      else if res = \varepsilon_{\Sigma}
              then s_V (schedds := v_ipc_wait_updt_schedds schedds p_{snd}
                                              [priodb p_{snd}] to_{snd}]
              else s_V(\text{procs} := v_{\text{ipc\_trans\_updt\_procs}} \text{ } procs \text{ } rightsdb \text{ } devds \text{ } p_{\text{snd}}
                                         True hn_{rcv} rights_{snd} msg hn_{add} rights_{add},
                            schedds := v_{ipc_wkp_wait_updt_schedds} p_{rcv} p_{snd}
                                              priodb to_{rcv},
                            sndstatdb := v_ipc_trans_updt_sndstatdb sndstatdb p_{snd} p_{rcv}
                                                 True.
                            rightsdb := v_{ipc\_trans\_updt\_rightsdb} p_{snd} hn_{rcv}
                                               hnadd rightsand rightsadd,
                            devds := v_ipc_trans_updt_devds devds p_{rcv}
```

#### Changing IPC Rights

We have just seen, that IPC enables the sender to provide the receiver of the IPC message with additional rights. In this context, VAMOS synchronously updates the handle and rights databases and informs the receiver on these changes by means of the result message. However, IPC only allows to grant

rights but not to revoke them. In addition to that, it should be possible to reset entries in the handle and rights databases. This is necessary in order to clean up the databases, on the one hand, and to invalidate handles, on the other one. All this functionality is encapsulated in the VAMOS call CHANGE\_RIGHTS. For this to work, a calling process  $p_{cp}$  has to specify the following parameters: (a) the handle  $hn_{subj}$  to the subject whose databases should be changed, (b) the handle  $hn_{obj}$  to the object to which the new rights should apply, (c) the flag grant determining whether the rights are granted or revoked, and (d) the description  $rights_{obj}$  how to change the rights.

As always, user-specified parameters might be erroneous and therefore have to pass the validity checks. The latter are encapsulated in function vamos\_result\_change\_rights:

```
vamos_result_change_rights rightsdb p_{cp} rights_{obj} hn_{subj} hn_{obj} \equiv if rights_{obj} = \bot then err_invalid_args else if \neg valid_handle rightsdb p_{cp} hn_{subj} then err_invalid_subj_handle else if \neg valid_handle rightsdb p_{cp} hn_{obj} then err_invalid_obj_handle else if \neg legal_op rightsdb p_{cp} hn_{subj} hn_{obj} rights_{obj} then err_invalid_obj else if \neg known_obj rightsdb p_{cp} hn_{subj} hn_{obj} then err_invalid_obj else if \neg known_obj else el
```

First of all, the specified rights  $rights_{obj}$  must follow the given rights format. Otherwise,  $rights_{obj} = \bot$  and error ERR\_INVALID\_ARGS is triggered. Quite apart from the fact that the handles  $hn_{subj}$  and  $hn_{obj}$  have to be valid in the context of  $p_{cp}$ , the operation has to be legal and the object needs to be known by the subject. The former is checked by predicate  $legal\_op$ :

```
\begin{split} & \text{legal\_op } rightsdb \ p_{\text{cp}} \ hn_{\text{subj}} \ hn_{\text{obj}} \ rights \equiv \\ & \text{privileged } rightsdb \ p_{\text{cp}} \ \lor \\ & hn_{\text{subj}} = \text{HN\_SELF} \ \land \ rights = \lfloor \{\} \rfloor \ \lor \ hn_{\text{obj}} = \text{HN\_SELF} \end{split}
```

Privileged processes are allowed to do any changes on the rights datastructures. Without privileges,  $p_{\sf cp}$  is only allowed to either update its own databases or entries in others, as long as they refer to itself. The calling process  $p_{\sf cp}$  expresses the will to clean up its own handle database by setting  $hn_{\sf subj}$  to HN\_SELF. As this operation does not involve the granting or revoking of rights, it is additionally required that  $rights = \lfloor \{\} \rfloor$ . In case that  $hn_{\sf subj} \neq {\sf HN\_SELF}$ , the handle to the object must denote HN\_SELF. This ensures that only entries refering to  $p_{\sf cp}$  are changed.

In order to change the entries in the subject's rights datastructures, the object even needs to be known by the subject. Predicate known\_obj formally encapsulates this prerequisite:

```
known_obj rightsdb p_{cp} hn_{subj} hn_{obj} \equiv hn_{subj} \neq hn_{obj} \wedge
```

```
(let p_{subj} = \lceil \lceil rightsdb \ p_{cp} \rceil.hdb hn_{subj} \rceil
in \exists hn. \lceil rightsdb \ p_{subj} \rceil.hdb hn = \lceil rightsdb \ p_{cp} \rceil.hdb hn_{obj} \rceil
```

The notion of known processes is mainly used in the context of IPC. As a process might not communicate with itself, we regard a process as unknown to itself. Moreover, it does not make any sense that a process changes the rights to itself. The first conjunction  $hn_{\mathsf{subj}} \neq hn_{\mathsf{obj}}$  formalizes this. The second conjunction ensures, that there exists a handle in the subject's handle database pointing to the object. Note that  $p_{\mathsf{subj}}$  is well-defined because the validity of  $hn_{\mathsf{subj}}$  was previously checked. The same applies for the handle database access with  $hn_{\mathsf{obj}}$ .

Based on the result of vamos\_result\_change\_rights, the overall specification function vamos\_change\_rights describes the effects on a VAMOS state:

```
vamos_change_rights s_V \ hn_{subj} \ hn_{obj} \ grant \ rights \equiv
let \ p_{cp} = \lceil v\_cup \ s_V.schedds \rceil;
waiting_{subj} = \\ \lceil \lceil s_V.rightsdb \ p_{cp} \rceil.hdb \ hn_{subj} \rceil \ mem \ s_V.schedds.wait;
res = \\ vamos\_result\_change\_rights \ s_V.rightsdb \ p_{cp} \ rights \ hn_{subj} \ hn_{obj}
in \ if \ is\_error \ res \ then \ s_V (\lceil procs := s_V.procs(p_{cp} \mapsto \delta_{proc} \ res \ \lceil s_V.procs \ p_{cp} \rceil)))
else \ s_V (\lceil procs := v\_chg\_rights\_updt\_procs \ s_V.procs \ s_V.rightsdb
waiting_{subj} \ p_{cp} \ hn_{subj} \ hn_{obj} \ grant \ rights,
schedds := v\_chg\_rights\_updt\_rightsdb \ s_V.schedds \ s_V.procs
s_V.priodb \ s_V.rightsdb \ p_{cp} \ hn_{subj} \ hn_{obj} \ grant
rightsdb := v\_chg\_rights\_updt\_rightsdb \ s_V.rightsdb \ s_V.procs
s_V.procs \ p_{cp} \ hn_{subj} \ hn_{obj} \ grant \ rights,
sndstatdb := v\_chg\_rights\_updt\_sndstatdb \ s_V.sndstatdb \ s_V.procs
s_V.rightsdb \ waiting_{subj} \ p_{cp} \ hn_{subj} \ hn_{obj} \ grant \ rights)
```

The error case only involves the error message passing to the calling process  $p_{\rm cp}$ . As the manipulation of rights might abort pending IPC operations of the subject, the according state updates are not only restricted to the rights datastructures but also involve the virtual machines and the send status databases.

Function res\_if\_pending\_ipc has the decision on the abortion of an IPC operation:

```
res_if_pending_ipc uprocs rightsdb p_{subj} p_{obj} grant rights \equiv let hdb_{subj} = \lceil rightsdb \ p_{subj} \rceil.hdb; rdb_{subj} = \lceil rightsdb \ p_{subj} \rceil.rdb in case \omega_{proc} \lceil uprocs \ p_{subj} \rceil of IPC_SEND hn_{rcv} rights_{snd} msg hn_{add} rights_{add} to_{snd} \Rightarrow if hdb_{subj} hn_{rcv} = \lfloor p_{obj} \rfloor \land rights = \{\} then ERR_SND_INVALID_HANDLE else if hdb_{subj} hn_{add} = \lfloor p_{obj} \rfloor \land rights = \{\} then ERR_INVALID_HANDLE else if \neg grant \land hdb_{subj} hn_{rcv} = \lfloor p_{obj} \rfloor \land
```

```
v_{sendR} \notin [rdb_{subj} | p_{obj} |] - rights
                then ERR_UNPRIVILEGED else \varepsilon_{\Sigma}
| IPC_RECEIVE hn_{snd} buffer to_{rcv} \Rightarrow
    if hdb_{subj} hn_{snd} = \lfloor p_{obj} \rfloor \land rights = \{\}
    \mathbf{then}\ \mathtt{ERR\_RCV\_INVALID\_HANDLE}
    else if hn_{snd} \in \{HN\_NONE, HN\_KERNEL\} \land
               rights = \{\} \land p_{subj} \neq p_{obj} \land is\_known \ rightsdb \ p_{subj} \ p_{obj}
           then SUCC_RECEIVE HN_KERNEL False {} [] HN_NONE False {} True
                     False {}
           else \varepsilon_{\Sigma}
| IPC_REQUEST hn_{rcv} rights_{snd} msg hn_{add} rights_{add} to_{snd} buffer to_{rcv} \Rightarrow
    if hdb_{subj} hn_{rcv} = \lfloor p_{obj} \rfloor \land rights = \{\}
    then ERR_SND_INVALID_HANDLE
    else if hdb_{subj} hn_{add} = \lfloor p_{obj} \rfloor \land rights = \{\}
           {f then} ERR_INVALID_HANDLE
           else if \neg grant \land
                      hdb_{\mathsf{subj}} \ hn_{\mathsf{rcv}} = \lfloor p_{\mathsf{obj}} \rfloor \land
                      revoked_req_rights hdb_{subj} rdb_{subj} rights p_{obj} hn_{rcv}
                  then ERR_UNPRIVILEGED else \epsilon_{\Sigma}
| \ _{-} \Rightarrow \epsilon_{\Sigma}
```

The definition assumes that  $p_{\mathsf{subj}}$  denotes the process number of the subject and  $p_{\mathsf{obj}}$  the one of the object. Furthermore, it abbreviates the subject's handle database with  $hdb_{\mathsf{subj}}$  and the rights database with  $rdb_{\mathsf{subj}}$ . Relying on that, it inspects the output of  $p_{\mathsf{subj}}$ . The function returns  $\varepsilon_{\Sigma}$ , as long as either the output does not denote an IPC operation or the intended IPC operation is not affected by the rights manipulation. Otherwise, it returns the corresponding error code.

An IPC\_SEND operation is aborted, if the handles  $hn_{rcv}$  or  $hn_{add}$  become invalid. The invalidation of the handles to  $p_{obj}$  is indicated by  $rights = \{\}$ . Accordingly, handle  $hn_{rcv}$  becomes invalid, if it points to  $p_{obj}$ . The resulting error message is ERR\_SND\_INVALID\_HANDLE. Similarly, result ERR\_INVALID\_HANDLE is returned, if the handle  $hn_{add}$  points to  $p_{obj}$ . Besides the handle invalidation, the revocation of rights may also influence the send operation. It is implied by an inactive flag grant and aborts the operation, if  $p_{obj}$  is assigned as receiver and  $p_{subj}$  loses the  $v_sendR$  right to  $p_{obj}$ . Due to this,  $p_{subj}$  is no longer allowed to send to  $p_{obj}$  and obtains the error message ERR\_UNPRIVILEGED. In a similar way, VAMOS proceeds, if  $p_{subj}$  performs an IPC\_REQUEST. In this case, however, things are more elaborate regarding the revocation of rights. VAMOS considers  $p_{subj}$  as unprivileged, if predicate revoked\_req\_rights holds:

```
revoked_req_rights hdb_{\mathsf{subj}} rdb_{\mathsf{subj}} rights p_{\mathsf{obj}} hn_{\mathsf{rcv}} to_{\mathsf{rcv}} \equiv \mathbf{if} \ hdb_{\mathsf{subj}} \ hn_{\mathsf{rcv}} = \lfloor p_{\mathsf{obj}} \rfloor \ \land \ ((\lceil rdb_{\mathsf{subj}} \ \lfloor p_{\mathsf{obj}} \rfloor \rceil - rights) \cap \{\mathsf{v\_sendR}, \, \mathsf{v\_requestR}\} = \{\} \lor (\lceil rdb_{\mathsf{subj}} \ \lfloor p_{\mathsf{obj}} \rfloor \rceil - rights) \cap \{\mathsf{v\_sendR}, \, \mathsf{v\_finiteR}\} = \{\} \land to_{\mathsf{rcv}} \neq \infty) then True else False
```

First of all, the involved receiver must again correspond to  $p_{obj}$ . The process  $p_{subj}$  does no longer hold sufficient rights for the operation, if after the revocation (a) it neither owns the  $v\_sendR$  nor the  $v\_requestR$  right, or (b) it neither owns the  $v\_sendR$  nor the  $v\_finiteR$  right and the specified timeout for the receive part is not infinite.

An IPC\_RECEIVE operation of  $p_{\mathsf{subj}}$  is only affected by a process invalidation. The obvious case covers the correspondence of the invalidated process  $p_{\mathsf{obj}}$  with the intended sender. Error message ERR\_RCV\_INVALID\_HANDLE denotes this. However, IPC\_RECEIVE could also be terminated with a kernel notification. Usually, a process invalidation comes along with moving the corresponding handle into the stolen set. As seen before, a non-empty stolen set triggers a kernel notification, if the receiver performs either an open-receive or a closed-receive from the kernel. However, the invalidation of  $p_{\mathsf{obj}}$  affects  $p_{\mathsf{subj}}$  only, if  $p_{\mathsf{obj}}$  was previously known by  $p_{\mathsf{subj}}$ . Furthermore, a notification is only passed on to  $p_{\mathsf{subj}}$ , if it is different from  $p_{\mathsf{obj}}$  because a process cannot be invalidated in its own context.

With these preliminary remarks at hand, we proceed with the particular updates of the state components.

**Updating the User Processes** The update of the user processes passes a SUCCESS message on to the calling process  $p_{cp}$ . In addition, if  $p_{subj}$  was waiting in a pending IPC operation that has been aborted, it gets the corresponding error notification.

The function v\_chg\_rights\_updt\_procs delivers the formal specification:

```
\label{eq:vchg_rights} \begin{split} & \text{v\_chg\_rights\_updt\_procs} \ \textit{uprocs} \ \textit{rightsdb} \ \textit{waiting}_{\texttt{subj}} \ \textit{p}_{\texttt{cp}} \ \textit{hn}_{\texttt{subj}} \ \textit{hn}_{\texttt{obj}} \ \textit{grant} \\ & \textit{rights} \equiv \\ & \text{let} \ \textit{p}_{\texttt{subj}} = \lceil\lceil \textit{rightsdb} \ \textit{p}_{\texttt{cp}} \rceil. \text{hdb} \ \textit{hn}_{\texttt{subj}} \rceil; \ \textit{p}_{\texttt{obj}} = \lceil\lceil \textit{rightsdb} \ \textit{p}_{\texttt{cp}} \rceil. \text{hdb} \ \textit{hn}_{\texttt{obj}} \rceil; \\ & \textit{res}_{\texttt{ipc}} = \texttt{res\_if\_pending\_ipc} \ \textit{uprocs} \ \textit{rightsdb} \ \textit{p}_{\texttt{subj}} \ \textit{p}_{\texttt{obj}} \ \textit{grant} \ \lceil \textit{rights} \rceil \\ & \text{in} \ \textit{\lambda}x. \ \textit{if} \ \textit{x} = \textit{p}_{\texttt{cp}} \ \textit{then} \ \lfloor \delta_{\texttt{proc}} \ \textit{success} \ \lceil \textit{uprocs} \ \textit{x} \rceil \rfloor \\ & \text{else} \ \textit{if} \ \textit{x} = \textit{p}_{\texttt{subj}} \ \land \ \textit{res}_{\texttt{ipc}} \ \lceil \textit{uprocs} \ \textit{x} \rceil \rfloor \ \textit{else} \ \textit{uprocs} \ \textit{x} \end{split}
```

The flag waiting<sub>subj</sub> indicates whether  $p_{subj}$  is in the wait queue.

**Updating the Scheduling Datastructures** The scheduling datastructures are only affected by an aborted IPC operation. In this case,  $p_{\mathsf{subj}}$  is waken up. The pre-defined function  $\mathsf{v}_{\mathsf{wkp\_updt\_schedds}}$  describes the semantic effect.

Function v\_chg\_rights\_updt\_schedds encapsulates the overall update:

```
v_chg_rights_updt_schedds schedds uprocs priodb rightsdb p_{cp} hn_{subj} hn_{obj} grant rights \equiv
```

```
let p_{subj} = \lceil \lceil rightsdb \ p_{cp} \rceil.hdb hn_{subj} \rceil; p_{obj} = \lceil \lceil rightsdb \ p_{cp} \rceil.hdb hn_{obj} \rceil; res_{ipc} = res\_if\_pending\_ipc \ uprocs \ rightsdb \ p_{subj} \ p_{obj} \ grant \ \lceil rights \rceil; waiting_{subj} = p_{subj} \ mem \ schedds.wait
```

in if  $\textit{res}_{ipc} \neq \epsilon_{\Sigma} \land \textit{waiting}_{subj}$  then v\_wkp\_updt\_schedds  $[\textit{p}_{subj}]$  priodb else schedds

**Updating the Rights Datastructures** The update of the rights datastructures distinguishes three cases: (a) the process invalidation or deletion, (b) the rights granting, and (c) the rights revocation.

The function  $v\_chg\_rights\_updt\_rightsdb$  encapsulates the corresponding updates:

```
 \begin{aligned} &\text{v\_chg\_rights\_updt\_rightsdb} \ \textit{vightsdb} \ \textit{uprocs} \ \textit{p}_{cp} \ \textit{hn}_{subj} \ \textit{hn}_{obj} \ \textit{grant} \ \textit{rights} \equiv \\ &\text{let} \ \textit{p}_{subj} = \lceil \textit{rightsdb} \ \textit{p}_{cp} \rceil. \text{hdb} \ \textit{hn}_{subj} \rceil; \ \textit{p}_{obj} = \lceil \textit{rightsdb} \ \textit{p}_{cp} \rceil. \text{hdb} \ \textit{hn}_{obj} \rceil; \\ &\textit{hdb}_{subj} = \lceil \textit{rightsdb} \ \textit{p}_{subj} \rceil. \text{hdb}; \ \textit{rdb}_{subj} = \lceil \textit{rightsdb} \ \textit{p}_{subj} \rceil. \text{rdb}; \\ &\textit{stolen}_{subj} = \lceil \textit{rightsdb} \ \textit{p}_{subj} \rceil. \text{stolen} \\ &\text{in} \ \textit{rightsdb} (\textit{p}_{subj}) \mapsto \\ &\text{if} \ \lceil \textit{rights} \rceil = \{ \} \\ &\text{then} \ \lceil \textit{rightsdb} \ \textit{p}_{subj} \rceil \\ &\text{(} \| \text{hdb} := \lambda \textit{hn}. \ \text{if} \ \textit{hdb}_{subj} \ \textit{hn} = \lfloor \textit{p}_{obj} \rfloor \ \text{then} \ \bot \ \text{else} \ \textit{hdb}_{subj} \ \textit{hn}, \\ &\text{rdb} := \textit{rdb}_{subj} (\lfloor \textit{p}_{obj} \rfloor := \bot), \\ &\text{stolen} := \textit{stolen}_{subj} \cup \{ \textit{hn}. \ \textit{hn}_{subj} \neq \text{HN\_SELF} \land \textit{hdb}_{subj} \ \textit{hn} = \lfloor \textit{p}_{obj} \rfloor \} \} \\ &\text{else} \ \text{if} \ \textit{grant} \\ &\text{then} \ \lceil \textit{rightsdb} \ \textit{p}_{subj} \\ &\text{(} \ \textit{rdb} := \textit{rdb}_{subj} (\lfloor \textit{p}_{obj} \rfloor \mapsto \lceil \textit{rdb}_{subj} \ \lfloor \textit{p}_{obj} \rfloor) \cup \lceil \textit{rights} \rceil) \} ) \\ &\text{else} \ \lceil \textit{rightsdb} \ \textit{p}_{subj} \rceil \\ &\text{(} \ \textit{rdb} := \textit{rdb}_{subj} (\lfloor \textit{p}_{obj} \rfloor \mapsto \lceil \textit{rdb}_{subj} \ \lfloor \textit{p}_{obj} \rfloor) - \lceil \textit{rights} \rceil) \} ) ) \end{aligned}
```

Accesses to the handle database of the calling process  $p_{cp}$  with the handles  $hn_{subj}$  and  $hn_{obj}$  deliver the process numbers of the subject  $p_{subj}$  and the object  $p_{obj}$ . The subject's handle and rights databases are abbreviated with  $hdb_{subj}$  and  $rdb_{subj}$ . For the set of stolen handles we use  $stolen_{subj}$ .

Object  $p_{obj}$  is invalidated resp. deleted in the context of  $p_{subj}$ , if the parameter rights represents an empty set. The indices of handles in  $hdb_{subj}$  pointing to  $p_{obj}$  are set to  $\bot$ , as well as the entry of  $p_{obj}$  in the rights database  $rdb_{subj}$ . Additionally, the handles pointing to  $p_{obj}$  are inserted into the stolen set  $stolen_{subj}$ , as long as it does not conform with HN\_SELF. Note that due to the uniqueness of handles only one handle in  $hdb_{subj}$  points to  $p_{obj}$ .

Granting and revoking of rights is straightforward. The specified rights rights are either added to or subtracted from the former rights.

**Updating the Send Status Database** Updating the send status database is straightforward. If an IPC operation of  $p_{\mathsf{subj}}$  is aborted, the entry of  $p_{\mathsf{subj}}$  is set to False. Otherwise, it remains untouched:

```
v_chg_rights_updt_sndstatdb sndstatdb uprocs\ rightsdb\ waiting_{subj}\ p_{cp}\ hn_{subj} hn_{obj}\ grant\ rights\equiv let p_{subj}=\lceil\lceil rightsdb\ p_{cp}\rceil.hdb hn_{subj}\rceil; p_{obj}=\lceil\lceil rightsdb\ p_{cp}\rceil.hdb hn_{obj}\rceil; res_{ipc}=res\_if\_pending\_ipc\ uprocs\ rightsdb\ p_{subj}\ p_{obj}\ grant\ \lceil rights\rceil in if res_{ipc}\neq\epsilon_{\Sigma} \land waiting_{subj} then sndstatdb(p_{subj}\mapsto False) else sndstatdb
```

#### 4.4.7 Read Kernel Information

The reading of kernel information is provided by the call READ\_KERNEL\_INFO. When the kernel detects a condition or event, like a stale handle or an external interrupt, it sends a notification with the next receive operation. However, the number of the notification bits is very limited and there might be much more useful information. Once a user process was notified about a certain notification type, it can ask for more information by READ\_KERNEL\_INFO. Currently, there is only one notification type supported: The stale-handle notification. However, we can use this mechanism as well, if we would like to carry more information on external interrupts, for instance, the keypress timestamps for the T-Systems project [47].

Function vamos\_read\_kernel\_info specifies the semantic effects of reading kernel information:

```
vamos_read_kernel_info s_V note \equiv let \ p_{cp} = \lceil v\_cup \ s_V.schedds \rceil; \ stolen = \lceil s_V.rightsdb \ p_{cp} \rceil.stolen; \ res = if \ note = \bot then \ ERR\_INVALID\_ARGS \ else \ SUCCESS \ in if is\_error res then \ s_V(procs := s_V.procs(p_{cp} \mapsto \delta_{proc} \ res \ \lceil s_V.procs \ p_{cp} \rceil))) \ else \ s_V(procs := s_V.procs(p_{cp} \mapsto \delta_{proc} \ (SUCC\_KINFO\_STALEH \ stolen) \ \lceil s_V.procs \ p_{cp} \rceil), \ rightsdb := s_V.rightsdb(p_{cp} \mapsto \lceil s_V.rightsdb \ p_{cp} \rceil)(stolen := \{\})))
```

The calling process  $p_{\sf cp}$  gets an ERR\_INVALID\_ARGS message, if the notification was not well-defined. Otherwise,  $p_{\sf cp}$  is informed about all stolen handles in its handle database by means of a SUCC\_KINFO\_STALEH message. After receiving the message,  $p_{\sf cp}$  knows about the stolen handles and could initiate further steps. In any case, the set of stolen handles is empty, afterwards.

# 4.5 Vamos Scheduler

On the abstract level, the VAMOS scheduler is part of the VAMOS transition function  $\delta_V$  and copes with the handling of timer-interrupts. The function handleTimer, which delivers the specification of the VAMOS scheduler, accomplishes three steps:

```
\begin{aligned} & \mathsf{handleTimer} \ s_\mathsf{V} \ p_\mathsf{cup} \equiv \\ & \mathsf{charge} \ (\mathsf{checkTimeouts} \ (s_\mathsf{V}(|\mathsf{schedds}:=s_\mathsf{V}.\mathsf{schedds}(|\mathsf{time}:=s_\mathsf{V}.\mathsf{schedds}.\mathsf{time} + 1|\!|)|\!|)) \\ & p_\mathsf{cup} \end{aligned}
```

In the first step, the current time is incremented. Afterwards, the scheduler checks by means of function checkTimeouts for expired timeouts. Processes with expired timeouts are informed about this circumstance by means of an error message and set back to the ready state. Finally, the computing time of the current time is charged from its timeslice. This charging is formally described by the function charge.

4.5. Vamos Scheduler 129

Note that the current process  $p_{\mathsf{cup}}$  is provided as a parameter because in the first phase of a VAMOS transition, the queues might change. Hence, we may not assume that  $\mathsf{v\_cup}\ s_\mathsf{V}$ .schedds has been computing in the last step. Instead, the current process is stored in  $p_{\mathsf{cup}}$  at kernel entry and provided as input to handleTimer.

Subsequently, we introduce the definitions of checkTimeouts and charge and, thus, complete the formal specification of the VAMOS scheduler.

Checking for Elapsed Timeouts. As shown in the definition of handle-Timer, each timer-interrupt involves the incrementation of the current time. The task of the scheduler is to check whether the timeout of an arbitrary process p has thereby expired. If so, the scheduler sends a corresponding error message and puts p back into the ready state. Formally, this task is described by function checkTimeouts:

```
checkTimeouts s_{V} \equiv s_{V} (|procs := \lambda p. if expiredTimeout s_{V}.schedds p then if vamoslsSending s_{V}.procs s_{V}.sndstatdb p then \lfloor \delta_{\text{proc}} \; \text{ERR\_SND\_TIMEOUT} \; \lceil s_{V}.\text{procs} \; p \rceil \rfloor else \lfloor \delta_{\text{proc}} \; \text{ERR\_RCV\_TIMEOUT} \; \lceil s_{V}.\text{procs} \; p \rceil \rfloor else s_{V}.\text{procs} \; p, schedds := v_{\text{wkp\_updt\_schedds}} \; s_{V}.\text{schedds} (filter (expiredTimeout s_{V}.\text{schedds}) s_{V}.\text{schedds.wait}) s_{V}.\text{priodb}, sndstatdb := \lambda p. if expiredTimeout s_{V}.\text{schedds} \; p then \lfloor \text{False} \rfloor else s_{V}.\text{sndstatdb} \; p \rfloor)
```

A prominent role plays the predicate expiredTimeout. Relying on scheduling datastructures schedds, it figures out whether the timeout for an arbitrary process p has expired:

```
expiredTimeout schedds\ p \equiv p \in \mathsf{set}\ schedds.\mathsf{wait}\ \land \ (\exists data. \\ schedds.\mathsf{procdb}\ p = |data|\ \land (\exists t.\ data.\mathsf{timeout} = \mathsf{Fin}\ t\ \land\ t \leq schedds.\mathsf{time}))
```

As the first conditions reflects, timeouts in VAMOS only apply to waiting processes p. Actually, the existence of the process-specific scheduling information data is implicitly given because p is not inactive. However, the predicate explicitly demands its existence and the last part of the conjunction establishes the basic message: Timeout t of p has expired, if t denotes a finite value Fin t and t is smaller than or equal to the current time denoted by schedds.time.

Relying on predicate expired Timeout, the actual state updates appear as follows. All processes p with expired timeouts get an according error message. Thereby, VAMOS distinguishes whether a process p has been waiting in the send or the receive phase of an IPC operation. The former applies, if the

previously defined predicate vamoslsSending is true for p. Setting a process p back into the ready state involves to dequeue it from the wait queue and to append it again on the ready queue of p's priortiy. All these actions only affect the scheduling datastructures and are encapsulated in the previously defined function  $v_wkp_updt_schedds$ . The list of processes that should be woken up comprises all processes out of  $s_V$ .schedds.wait which fulfill predicate expiredTimeout. In addition, the send status of these processes is reset to False.

Charging the Computing Time of the Current Process. The VA-MOS kernel concedes to each process a certain computing time of tsl clock ticks, whereas clock ticks are a measurment for occurred timer interrupts. Already consumed clock ticks are recorded in the component ctsl. Thus, if the current process  $p_{\text{cup}}$  is found to be computing when a timer interrupt raises, the scheduler increases ctsl of  $p_{\text{cup}}$ . This is repeated as long as process  $p_{\text{cup}}$  is either displaced by a higher-prioritized process or the value of ctsl has reached tsl. Latter involves a break of  $p_{\text{cup}}$ 's computation and a new process is scheduled. This means for  $p_{\text{cup}}$ , that its consumed time ctsl is reset and that  $p_{\text{cup}}$  is put to the end of its ready queue.

Function charge gives the formal specification:

```
\begin{split} \text{charge } s_{V} \ p_{\text{cup}} &\equiv \\ \text{let } \textit{procdb}_{\text{cup}} = s_{V}.\text{schedds.procdb} \ \lceil p_{\text{cup}} \rceil; \\ \textit{ready}_{\text{cup}} &= s_{V}.\text{schedds.ready} \ \lceil s_{V}.\text{priodb} \ \lceil p_{\text{cup}} \rceil \rceil \\ \text{in } s_{V} \\ \text{(schedds} &:= \text{if } p_{\text{cup}} = \bot \lor \lceil p_{\text{cup}} \rceil \notin \text{steready}_{\text{cup}} \text{ then } s_{V}.\text{schedds} \\ &= \text{else } \text{if } \lceil \textit{procdb}_{\text{cup}} \rceil.\text{tsl} \le \lceil \textit{procdb}_{\text{cup}} \rceil.\text{ctsl} \\ &= \text{then } s_{V}.\text{schedds} \\ \\ & (\lceil s_{V}.\text{priodb} \ \lceil p_{\text{cup}} \rceil \rceil) := \\ &  \qquad \qquad \lceil p \in \textit{ready}_{\text{cup}} \cdot p \ne \lceil p_{\text{cup}} \rceil \rceil \ @ \ \lceil \lceil p_{\text{cup}} \rceil \rceil), \\ &= \text{procdb} := s_{V}.\text{schedds.procdb} (\lceil p_{\text{cup}} \rceil \mapsto \lceil \textit{procdb}_{\text{cup}} \rceil) \\ &= \text{else } s_{V}.\text{schedds} \\ & (\lceil \text{procdb} := s_{V}.\text{schedds.procdb} (\lceil p_{\text{cup}} \rceil \mapsto \lceil \textit{procdb}_{\text{cup}} \rceil) \\ &= (\mid \text{ctsl} := \lceil \textit{procdb}_{\text{cup}} \rceil.\text{ctsl} + 1 \rceil)) \\ \end{pmatrix}) \end{split}
```

All in all, function charge distinguishes two situations: The first one reflects that either no current process  $p_{\mathsf{cup}}$  existed at kernel entry or that  $p_{\mathsf{cup}}$  has been rescheduled in the meantime. As VAMOS accepts the rescheduling of  $p_{\mathsf{cup}}$  as 'payment', both cases do not involve any changes on  $s_{\mathsf{V}}$ .schedds.

The second situation reflects the actual charging of the current process  $p_{\text{cup}}$  as described above. In this context, the definition of charge abbreviates the process-specific scheduling datastructures of  $p_{\text{cup}}$  with  $procdb_{\text{cup}}$  and the ready queue of  $p_{\text{cup}}$ 's priority with  $procdb_{\text{cup}}$ . Two cases are considered.

The first case deals with a computing current process  $p_{\text{cup}}$  whose timeslice tsl is exhausted. The result is that the consumed time is reset to 0

and  $p_{\text{cup}}$  is appended to the end of  $ready_{\text{cup}}$ . For this purpose, it is first completely removed and then appended at the end, again.

If the timeslice is not exhausted,  $p_{\text{cup}}$  is allowed to continue its computation but the consumed time ctsl is increased.

# 4.6 Vamos Interrupt Delivery

In the third phase of a Vamos transition  $\delta_V$ , the kernel delivers the interrupts that have occurred. The set *irqs* of interrupts that have been active at kernel entry are provided as input parameter to  $\delta_V$ . The transition function, in turn, passes them on to function vamosInterruptDelivery which specifies the interrupt delivery:

Predicate notifyHandler is the basis of the definition. Relying on virtual machines uprocs, device datastructures devds and the set irqs of active interrupts, it determines whether an arbitrary process p is registered as handler for at least one interrupt  $i \in irqs$  and, in addition, ready to accept possible interrupts for the handling:

```
notifyHandler uprocs devds irqs p \equiv \exists proc.
uprocs \ p = \lfloor proc \rfloor \land \\ (\exists hn_{\mathsf{snd}} \ buffer \ to_{\mathsf{rcv}}.
\omega_{\mathsf{asm}} \ proc = \mathsf{IPC\_RECEIVE} \ hn_{\mathsf{snd}} \ buffer \ to_{\mathsf{rcv}} \land \\ hn_{\mathsf{snd}} \in \{\mathsf{HN\_NONE}, \ \mathsf{HN\_KERNEL}\} \land (\exists i \in irqs. \ devds. \mathsf{driver} \ i = \lfloor p \rfloor))
```

Whether a process, in principle, is ready to receive any interrupts, depends on its current state. For this purpose, notifyHandler inspects the output of p. Therefore, the basic requirement is that process p is assigned with a virtual machine proc, i.e., p is not inactive. Applying the output function  $\omega_{asm}$  to proc delivers p's current output. Regarding the reception of interrupts, this output must denote IPC\_RECEIVE. Furthermore, it must specify an open receive or a closed receive to the kernel. Both cases are distinguished by handle  $hn_{snd}$ . Former is denoted by HN\_NONE, latter by HN\_KERNEL. Process p is only notified about interrupts, if it is a registered handler for at least one of the interrupts  $i \in irqs$ , i.e., devds.driver i = |p|.

Based on notifyHandler the definition of vamosInterruptDelivery abbreviates the list of processes to be notified with  $handlers_{tbn}$ . It contains all waiting processes p which fulfill predicate notifyHandler. In addition,  $irq_{pend}$  denotes the set of still pending interrupts, i. e., those interrupts whose handlers are not ready to receive.

According to that, the update of state  $s_V$  is performed as follows. Each notified process p receives a notification from the VAMOS kernel. This notification is generated by function deliverNotifications, which was already introduced in Section 4.4.3. After the interrupt delivery, the notified handlers are set back to the ready state. Corresponding effects describes the pre-defined function  $v_wkp_updt_schedds$ . Finally, the device datastructures are updated. As all interrupts irqs have been captured by the VAMOS kernel, they are disabled until their definite handling. Interrupts  $irq_{pend}$ , that have not been delivered in this kernel run, remain pending and are added to the set saved.

# Chapter 5

# Vamos Correctness

# Contents

| 5.1 | Data Abstraction         | 134 |
|-----|--------------------------|-----|
| 5.2 | Implementation Invariant | 143 |
| 5.3 | The Simulation Theorem   | 156 |

In the last chapter, we introduced the abstract model of the VAMOS kernel. It constitutes a compact and easily accessible representation of the VAMOS functionality, without going into any implementation details. Thus, the VAMOS model can be taken as basis for higher-level models and further verification attempts. For instance, Bogan [15] relies on VAMOS while specifying the operating system in the academic system and Daum [25] showed the fairness of the VAMOS scheduler.

However, we certainly have to ensure that the VAMOS model is a true abstraction of the VAMOS implementation. For this reason, we aim at a formal simulation proof between implementation and specification by induction. As Figure 5.1 suggests, our induction start is based on the fact that the state  $\sigma_1$  after the first system\_step at a reset can be abstracted via an abstrac-



Figure 5.1: Simulation between implementation and model

5. Vamos Correctness

tion relation  $\mathsf{Abs}_{\mathsf{V}+\mathsf{D}}$  to an initial state  $s^1_{\mathsf{V}+\mathsf{D}}$  of the VAMOS model. The induction step formalizes that the semantic effects of the kernel execution can be expressed by the transition function  $\delta_{\mathsf{V}+\mathsf{D}}$  of the model and that the abstraction relation is preserved.

It turned out, that the induction step also requires various properties to hold during the kernel executions. We combine these properties in the so-called implementation invariant.

In the remainder of this chapter, we define the abstraction relation and state the implementation invariant. Based on these prerequisites, the chapter finally concludes with the formulation of the simulation theorem. The correctness of this theorem is based on the implementation correctness of all functions applied in the scope of system\_step. We have not shown the implementation correctness of all functions. However, the functions which have not been proven so far are specified and completely integrated into the overall proof. The details on the already accomplished correctness proofs and the integration of the function specifications are postponed to the next chapter.

The formal definitions of the abstraction relation and the implementation invariant as well as the functional correctness proofs are given in the repository directory llverification/vamos.

#### 5.1 Data Abstraction

Data abstraction, in general, enables a (for certain purposes) more manageable representation of datastructures. Take, for instance, the scheduling queues in the VAMOS model. Represented as queues of process numbers, they deliver the relevant information: which process is at which position in which queue. The fact that the concrete counterparts are implemented as doubly-linked lists is of no interest anymore and thus abstracted away. However, it must be ensured that there is a relation between the representation of the scheduling lists in the implementation and the queues in the model.

This is where the abstraction relations come into play connecting the datastructures of an implementation state  $\sigma$  with their abstract counterparts of a model state  $s_{V+D}$ . In the following, we present the abstractions for the particular VAMOS state components.

While abstracting the datastructures, we have to take into account that the model identifies processes by means of abstract process numbers, whereas the implementation uses pointers. Function to\_ptr defines a mapping from abstract process numbers to process pointers:

to\_ptr 
$$\sigma p \equiv {}^{\sigma}$$
pib !  $p$ 

By design, accessing pib with the process number p delivers the corresponding process pointer.

5.1. Data Abstraction 135

#### 5.1.1 Abstracting the User Processes

The relation  $rel\_procs_v$  connects the virtual user-machines of the implementation with those of the model. Both, implementation and model, use the same granularity of virtual machines. However, some differences must be pointed out.

First, no virtual machine but  $\bot$  is assigned to inactive processes. Second, the virtual machine states of waiting processes differ. We address this issue in more detail in Section 6.1. In a nutshell, a process only has to wait while performing an IPC operation with no suitable communication partner. An IPC operation, in turn, is triggered by a TRAP exception. In the implementation, this kind of exception arises while executing a TRAP instruction which happens within function  $\mathsf{user}_{\mathsf{step}}$  before calling the VAMOS kernel (cf. Section 2.4.4). Thus, the process first runs into the exception and then waits for its handling by the VAMOS kernel. The semantic effects of  $\mathsf{user}_{\mathsf{step}}$  in case of a TRAP instruction without runtime errors boils down to the incrementation of the program counters, as the following implication states:

```
\llbracket \mathsf{current\_instr} \ vm = \mathsf{TRAP} \ i; \ \mathsf{user\_step\_progress} \ vm \rrbracket \Longrightarrow \mathsf{user_{step}} \ vm = \mathsf{incPcs} \ vm
```

The VAMOS model, in contrast, handles exceptions in advance. It determines the corresponding process output by means of the function  $\omega_{\text{proc}}$  which inspects the next instruction of the current process before the actual execution. Moreover, it executes the instruction not until the exception handling is completed. Accordingly, the virtual machines of waiting processes in the implementation are ahead of their abstract counterparts.

Incorporating these observations leads to the formal definition of the abstraction relation  $\mathsf{rel\_procs}_v$ :

```
 \begin{split} \operatorname{rel\_procs}_{\forall} & \sigma \; inactQ \; waitQ \; uprocs \equiv \\ & \forall x. \; \mathbf{if} \; x \in \operatorname{set} \; inactQ \; \mathbf{then} \; uprocs \; x = \bot \\ & \quad \mathbf{else} \; \mathbf{if} \; x \in \operatorname{set} \; waitQ \\ & \quad \mathbf{then} \; \operatorname{incPcs} \; \lceil uprocs \; x \rceil = (\operatorname{cvm\_ups} \; ^{\sigma} \operatorname{cvmX}). \operatorname{userprocesses} \; x \; \land \\ & \quad uprocs \; x \neq \bot \\ & \quad \mathbf{else} \; uprocs \; x = |(\operatorname{cvm\_ups} \; ^{\sigma} \operatorname{cvmX}). \operatorname{userprocesses} \; x| \end{split}
```

The implementation state is given by  $\sigma$ , inactQ and waitQ denote the inactive and wait queue, and uprocs represents the virtual user machines in the model. Note that it would have been possible to derive the process states from the implementation state  $\sigma$ , as well. However, using the abstract queues is a bit more comfortable. Their abstraction is covered in Section 5.1.2.

For any process x residing in inactQ, the entry in uprocs is set to  $\bot$ . If x is waiting, the corresponding virtual machine uprocs x is the one that after the incrementation of the process counters corresponds to the machine (cvm\_ups cvmX).userprocesses x in the implementation. In all other cases, the virtual machine states are identical.

5. Vamos Correctness

#### 5.1.2 Abstracting the Scheduling Datastructures

The Vamos state component schedds contains general as well as process-specific scheduling datastructures.

Abstracting the Scheduling Queues. A large part of the general data concerns the scheduling queues which are represented as doubly-linked lists in the implementation. The implementation identifies such a list with a pointer head to the first element and uses the next pointers next and previous pointers prev to traverse the list. In a first step, these lists are abstracted to HOL lists of references. Thereby, predicate Path head next e Ps tests whether the list Ps can be constructed starting with element head and collecting further elements by recursively applying function next until element e is reached. The formal definition of Path is:

```
Path x\ h\ y\ [\ ]=(x=y)
Path x\ h\ y\ (p\cdot ps)=(x=p\land x\neq \mathsf{Null}\land \mathsf{Path}\ (h\ x)\ h\ y\ ps)
```

Doubly-linked lists are nothing but two singly-linked lists traversed in opposite directions. Accordingly, we use predicate dList for the abstraction, where *lst* denotes the last element of the list:

```
dList head next prev lst Ps \equiv
Path head next Null Ps \land Path lst prev Null (rev Ps)
```

The model, however, uses abstract queues of process numbers. We base our abstraction of these process queues on predicate Queue:

```
Queue head next prev pid Ps \equiv \exists Rs \ \text{lst. dList head next prev lst } Rs \land \mathsf{map} \ (\lambda x. \ \mathsf{pid} \ x) \ Rs = Ps
```

The first conjunction of Queue specifies a doubly-linked list Rs of references using predicate dList. The second conjunction states that the queue Ps of process numbers can be constructed from list Rs by applying the function pid to each element.

Using this predicate, we abstract the inactive list from the implementation variables inactive\_list, queue\_next, queue\_prev, and pid. In an analogous way, we can abstract the wait and ready queues. The pointer to the wait list is given by wait\_list, whereas those of the ready lists are contained in the array ready\_lists.

Abstracting the Time and Process-specific Data. Abstracting the remaining parts – the time and the process-specific scheduling data – is more interesting, because, on the abstract level, we specify points in time as unbounded natural numbers, while the implementation uses unsigned 32-bit integers to represent those times.

Thus, the specification reflects the abstract idea of a monotonicly increasing time while the implementation employs the fact that only a finite

5.1. Data Abstraction

range of time points is relevant at a certain execution step. Consequently, there is a growing offset between the implementation time and the abstract time. A natural number n defines the offset of the implementation variable current\_time and the component time in the scheduling data structures of the model.

The same number n is used with function  $rel\_procdb_v$ , which abstracts the process-specific scheduling data  $procdb_p$  of an active process p:

```
\label{eq:constraints} \begin{split} \text{rel\_procdb}_{\text{v}} & \sigma \operatorname{procdb}_{\text{p}} \ \operatorname{wait} Q \ p \ n \equiv \\ & (p \in \operatorname{set} \ \operatorname{wait} Q \longrightarrow \\ & \operatorname{procdb}_{\text{p}}.\operatorname{timeout} = \\ & (\mathbf{if} \ ^{\sigma}\operatorname{timeout} \ (\operatorname{to\_ptr} \ \sigma \ p) = \operatorname{INFINITE\_TIMEOUT} \ \mathbf{then} \ \infty \\ & \text{else} \ \operatorname{Fin} \ (^{\sigma}\operatorname{timeout} \ (\operatorname{to\_ptr} \ \sigma \ p) + n))) \ \land \\ & \operatorname{procdb}_{\text{p}}.\operatorname{tsl} = \ ^{\sigma}\operatorname{timeslice} \ (\operatorname{to\_ptr} \ \sigma \ p) \ \land \\ & \operatorname{procdb}_{\text{p}}.\operatorname{ctsl} = \ ^{\sigma}\operatorname{consumed\_time} \ (\operatorname{to\_ptr} \ \sigma \ p) \end{split}
```

If p is waiting, n describes the offset between the (absolute) timeouts. The implementation stores timeouts as 32-bit naturals, where the maximal value INFINITE\_TIMEOUT represents an infinite timeout. Accordingly, if the heap function timeout delivers the maximal value for process p, the abstract timeout is set to  $\infty$ . Otherwise, the timeout is finite and denotes the value in the implementation incremented by n. The values for the timeslice tsl and the consumed time ctsl are directly taken from the implementation. The former is obtained by the heap function timeslice, the latter by consumed\_time.

**Summing Up.** Based on these prerequisites, the definition of the abstraction relation rel\_schedds<sub>v</sub> looks as follows:

```
rel_schedds, \sigma schedds \equiv
(\forall p. \ Queue \ (\sigma ready\_lists! \ p) \ \sigma queue\_next \ \sigma queue\_prev \ \sigma pid \ (schedds.ready \ p)) \ \land
Queue \ \sigma wakeup\_list \ \sigma queue\_next \ \sigma queue\_prev \ \sigma pid \ schedds.wait \ \land
Queue \ \sigma inactive\_list \ \sigma queue\_next \ \sigma queue\_prev \ \sigma pid \ schedds.inactive \ \land
(\exists n. \ schedds.time = \ \sigma current\_time + n \ \land
(\forall p. \ if \ p \in set \ schedds.inactive \ then \ schedds.procdb \ p = \bot \ else \ schedds.procdb \ p \neq \bot \ \land
rel\_procdb_v \ \sigma \ [schedds.procdb \ p] \ schedds.wait \ p \ n))
```

#### 5.1.3 Abstracting the Priorities

Both, the implementation and the model, distinguish three priority levels. The implementation maintains the process priorities in the heap function priority, whereas the model stores them in the state component priodb. The abstraction is established by rel\_priodb<sub>v</sub>:

```
rel_priodb<sub>v</sub> \sigma priodb inactQ \equiv priodb = (\lambda p. if <math>p \in \text{set } inactQ \text{ then } \perp \text{ else } | ^{\sigma} priority (to_ptr <math>\sigma p) |)
```

5. Vamos Correctness

No priority but  $\bot$  is assigned to inactive processes. For the remaining ones, we adopt the priority levels from the implementation.

# 5.1.4 Abstracting the Send Status Database

The VAMOS call IPC\_REQUEST comprises a send as well as a receive operation. Process states in the implementation help to distinguish between both phases, whereas RECEIVE\_STATE signals the successful completion of the send phase. The model abstracts from the particular process states and determines the current status on the basis of the queue memberships. As both phases of IPC\_REQUEST might involve waiting, it is not possible to distinguish the situation in terms of the wait queue membership. For this purpose, the VAMOS model maintains a send status database sndstatdb. The abstraction is established by predicate rel\_sndstatdb<sub>v</sub>:

```
 \begin{split} \text{rel\_sndstatdb}_{\text{v}} & \sigma \; uprocs \; sndstatdb \equiv \\ & sndstatdb = \\ & (\lambda p. \; \text{if} \; ^{\sigma} \text{state} \; (\text{to\_ptr} \; \sigma \; p) = \text{INACTIVE\_STATE} \; \text{then} \; \bot \\ & \text{else} \; \text{if} \; ^{\exists} rcv\_hn \; snd\_rights \; msg \; add\_hn \; add\_rights \; snd\_timeout \; buffer \\ & rcv\_timeout. \\ & \omega_{\text{proc}} \; \lceil uprocs \; p \rceil = \\ & \text{IPC\_REQUEST} \; rcv\_hn \; snd\_rights \; msg \; add\_hn \; add\_rights \; snd\_timeout \\ & buffer \; rcv\_timeout \; \land \\ & \sigma_{\text{state}} \; (\text{to\_ptr} \; \sigma \; p) = \text{RECEIVE\_STATE} \\ & \text{then} \; \lceil \text{True} \rceil \; \text{else} \; \lceil \text{False} \rceil ) \end{aligned}
```

Inactive processes are neither in the send nor the receive phase and thus the send status denotes  $\bot$ . Apart from that, only processes p with an output denoting IPC\_REQUEST come into consideration. The database entry for p is only True, if the corresponding process state is set to RECEIVE\_STATE. Otherwise, it is False.

### 5.1.5 Abstracting the Rights Datastructures

Rights datastructures are process-specific and provide data concerning the privilege level, handles and IPC rights as well as the process parent. In the implementation, heap function privileged provides the privileged level of a process, parent denotes its parent and handle\_db contains the handle databases. The latter combines information on the process-local handles and the assigned IPC rights.

**Preliminaries.** Subsequently, we use auxiliary functions to extract the information provided by the handle databases.

A handle hn is considered as known by a process p, if the KNOWN bit is active. Predicate knownBit denotes this fact:

```
knownBit \sigma p \ hn \equiv (^{\sigma} \text{handle\_db} \ p \ ! \ hn \land_{\mathsf{u}} \mathsf{KNOWN}) \neq \mathsf{0}
```

5.1. Data Abstraction 139

Handles may also be marked as stolen by means of an active STOLEN bit. Similar as above, predicate stolenBit encapsulates this bit:

```
stolenBit \sigma p \ hn \equiv (\sigma \text{handle\_db} \ p \ ! \ hn \land_{\mathsf{u}} \mathsf{STOLEN}) \neq \mathsf{0}
```

Each handle hn in the handle database of a process p is associated with IPC rights. These rights are encoded in the four least significant bits of the corresponding entry. Function ipcRights returns the numerical value of the rights which process p owns to the process identified by handle hn:

```
ipcRights s p hn \equiv {}^{s}handle_db p ! hn \wedge_{u} 15
```

The model maintains the rights datastructures in the VAMOS state component rightsdb. In the following paragraphs, we define the functions which provide the abstractions for the sub-components of rightsdb.

**Abstracting the Handle Database.** Function  $abs\_hdb$  abstracts the concrete information in the handle database of a process p and returns the corresponding abstract handle database hdb:

```
abs_hdb \sigma p \equiv \lambda hn. if hn = \text{HN\_SELF} then \lfloor \sigma \text{pid } p \rfloor else if hn = \text{HN\_NONE} \lor hn = \text{to\_int32} (\sigma \text{parent } p) then \bot else if hn = \text{HN\_PARENT} \land  (\sigma \text{handle\_db } p \mid \sigma \text{parent } p \land_{\text{u}} \text{ KNOWN}) \neq 0 \land 0 < \sigma \text{parent } p < \text{PID\_MAX} then \lfloor \sigma \text{parent } p \rfloor else if (\sigma \text{handle\_db } p \mid \text{to\_nat32} \ hn \land_{\text{u}} \text{ KNOWN}) \neq 0 \land 0 < \text{to\_nat32} \ hn < \text{PID\_MAX} then | \text{to\_nat32} \ hn | \text{else } \bot
```

Handle HN\_SELF enables a process to determine its own identifier pid p. Handle HN\_NONE is not associated to any process and delivers  $\bot$ . The same applies for accesses with to\_int32 (parent p) which are considered as invalid. The only way to obtain the identifier of the parent, is accessing the handle database with handle HN\_PARENT. However, the access only returns the corresponding process number of the parent, if parent p holds a valid process-identifier and the corresponding entry in the handle database is marked as known. Accessing the handle database with any handle hn delivers the corresponding process number  $\lfloor to_nat32 \ hn \rfloor$ , as long as hn is in-range, i. e., represents a valid process number, and the known bit is active. Otherwise, the entry of hn is set to  $\bot$ .

**Abstracting the Rights Database.** The rights database rdb of a process realizes a mapping from process numbers to rights and is obtained by the abstraction function abs\_rdb. As above, function abs\_rdb takes a process pointer p as input in order to determine the data from handle\_db:

5. Vamos Correctness

```
abs_rdb \sigma p \equiv option_case \bot (\lambda x. \text{ if knownBit } \sigma p x \text{ then num2rights (to_int32 (ipcRights } \sigma p x)) else <math>\bot)
```

Accesses with invalid process numbers  $\bot$ , return  $\bot$ . Furthermore, rdb only stores information on known processes x. For this purpose, abs\_rdb takes the concrete rights obtained by ipcRights and converts them into the abstract ones by means of the already introduced conversion function num2rights. Note that the numerical value of the concrete rights is represented as natural number, whereas num2rights expects integer values. Thus, we apply to\_int32 to convert between both representations.

The entries of unknown processes are set to  $\perp$ .

**Abstracting the Stolen Handles.** Instead of explicitly marking the handles as stolen, the model subsumes all stolen handles in the handle database of a process in the set stolen. Accordingly, the task of function abs\_stolen is to collect all stolen handles in the concrete handle database of a process p and put them into a set:

```
abs_stolen \sigma p \equiv let stolen_{\mathsf{tmp}} = to_int32 ' \{x \in \{0<...<\mathsf{PID\_MAX}\}. \ x \neq {}^{\sigma}\mathsf{parent} \ p \land \mathsf{stolenBit} \ \sigma \ p \ x\} in if {}^{\sigma}\mathsf{parent} \ p < \mathsf{PID\_MAX} \land \mathsf{stolenBit} \ \sigma \ p \ ({}^{\sigma}\mathsf{parent} \ p) then \{\mathsf{HN\_PARENT}\} \cup \mathit{stolen}_{\mathsf{tmp}} \ \mathsf{else} \ \mathit{stolen}_{\mathsf{tmp}}
```

In search of stolen handles, function <code>abs\_stolen</code> inspects all entries of p's handle database. The indices  $0 < x < \mathsf{PID\_MAX}$  which fulfill predicate stolenBit, are converted into handles (by means of to\_int32) and stored in the set  $stolen_{\mathsf{tmp}}$ . However, while collecting stolen handles, the special meaning of  $\mathsf{HN\_PARENT}$  becomes apparent again. As parent p does not represent the actual handle to the parent process, it is excluded from  $stolen_{\mathsf{tmp}}$ . Instead, handle  $\mathsf{HN\_PARENT}$  is added to the set  $stolen_{\mathsf{tmp}}$ , if parent p is a valid process-identifier and fulfills predicate  $\mathsf{stolen}_{\mathsf{ltmp}}$ .

**Summing Up.** Based on these prerequisites, the definition of the abstraction relation rel\_rightsdb $_{v}$  looks as follows:

```
 \begin{split} \operatorname{rightsdb}_{\mathsf{v}} & \sigma \operatorname{inact} Q \operatorname{rightsdb} \equiv \\ \operatorname{rightsdb} &= \\ & (\lambda p. \ \mathbf{if} \ p \in \operatorname{set} \operatorname{inact} Q \ \mathbf{then} \ \bot \\ & \operatorname{else} \ \lfloor ((\operatorname{priv} = {}^{\sigma}\operatorname{privileged} \ (\operatorname{to\_ptr} \ \sigma \ p), \ \operatorname{hdb} = \operatorname{abs\_hdb} \ \sigma \ (\operatorname{to\_ptr} \ \sigma \ p), \\ & \operatorname{rdb} &= \operatorname{abs\_rdb} \ \sigma \ (\operatorname{to\_ptr} \ \sigma \ p), \\ & \operatorname{stolen} &= \operatorname{abs\_stolen} \ \sigma \ (\operatorname{to\_ptr} \ \sigma \ p), \\ & \operatorname{parent} &= \\ & \operatorname{if} \ 0 < {}^{\sigma}\operatorname{parent} \ (\operatorname{to\_ptr} \ \sigma \ p) < \operatorname{PID\_MAX} \\ & \operatorname{then} \ | {}^{\sigma}\operatorname{parent} \ (\operatorname{to\_ptr} \ \sigma \ p) \ | \ \operatorname{else} \ \bot \| \ |) \end{split}
```

5.1. Data Abstraction 141

The model only stores data for active processes p. Entries for inactive ones are set to  $\bot$ . For active processes p, the privilege status is directly adopted from the implementation. Thereby, function to\_ptr is used to determine the corresponding process pointer of p. Together with the abstraction functions  $abs\_hdb$  and  $abs\_rdb$ , this process pointer is also used in order to get the handle and rights databases hdb and rdb of process p. The model component parent is set to  $\bot$ , if the return value of the heap function parent is no valid process-identifier. Otherwise, this value is taken as abstract process number.

#### 5.1.6 Abstracting the Device Datastructures

One of VAMOS's responsibilities is the interrupt delivery, i.e., accepting the interrupts from the external devices and forwarding them to the corresponding drivers. For this purpose, all relevant data is stored in the device datastructures. The implementation stores process-specific device data in the heap function reg\_devices, and occurred and enabled interrupts in the global variables intocc and intmask. The latter actually represents the user-visible parts of the CVM status register (cvm\_ups cvmX).statusreg. The double book-keeping is necessary, because the VAMOS implementation has no means to read out the status register of CVM<sup>1</sup>.

In the implementation, all the device-relevant data is encoded in 32-bit natural numbers. These natural numbers, however, actually represent bit masks. For this reason, we use function to\_bv32 to convert the natural numbers into their bit vector representation. Based on these bit vectors, the relevant device data is delivered by the entries with indices representing the device numbers. For instance, if an interrupt of device d has occurred, the according bit to\_bv32 intocc! d is active.

During the abstraction, we have to take into account that the implementation represents the device numbers as 32-bit natural numbers, whereas the model abstracts device numbers. Function dev2nat converts the abstract device numbers to the concrete ones.

With it, the definition of rel\_devds<sub>v</sub> is given as follows:

```
rel_devds, \sigma devds \equiv (\forall d \ p. \ devds. driver \ d =  (\text{if} \ p \in \text{set} \ ^{\sigma} \text{pib} \land \text{to\_bv32} \ (^{\sigma} \text{reg\_devices} \ p) \ ! \ \text{dev2nat} \ d = 1 \text{then} \ \lfloor^{\sigma} \text{pid} \ p \rfloor \ \text{else} \ \bot)) \land  devds. \text{enabled} = \{d. \ \text{to\_bv32} \ (\text{cvm\_ups} \ ^{\sigma} \text{cvmX}). \text{statusreg} \ ! \ \text{dev2nat} \ d = 1\} \land  devds. \text{saved} = \{d. \ \text{to\_bv32} \ ^{\sigma} \text{intocc} \ ! \ \text{dev2nat} \ d = 1\}
```

The three conjunctions reflect the structure of the VAMOS state component devds. Sub-component driver maps device numbers to process numbers. In general, devds.driver  $d = \lfloor q \rfloor$  denotes the fact, that device d is handled by

 $<sup>^{1}</sup>$ Note that there is no CVM primitive that delivers the value of the status register of CVM.

5. Vamos Correctness

driver q. If d is not handled by any driver, its entry is set to  $\bot$ . In order to establish a relation to the implementation, we take an arbitrary process pointer p and check whether it is registered as driver for d. A driver is found, if bit dev2nat d of the vector Bind p. to\_bv32 (reg\_devices p) is active. In this case, the entry for d in driver is set to the process number pid p. If no such process pointer p can be found, the entry is set to  $\bot$ . Note that, by design, there exists at most one such p which is registered as driver for d.

The set enabled contains all device numbers whose interrupts are enabled. A relation to the implementation is established, if each device number d out of enabled is also enabled in the CVM status register, i. e., to\_bv32 (cvm\_ups cvmX).statusreg ! dev2nat d = 1.

Based on intocc, the abstraction proceeds in a similar way, in order to obtain the set saved of device numbers with raised but not yet delivered interrupts.

#### 5.1.7 The Vamos Abstraction Relation

The overall Vamos abstraction relation relies on the abstractions for the particular Vamos state components described above:

```
Abs_{V+D} \sigma (s_V, s_D) \equiv cvm_devs ^{\sigma}cvmX = s_D \land rel_procs_v \sigma s_V.schedds.inactive s_V.schedds.wait s_V.procs \land rel_schedds_v \sigma s_V.schedds \land rel_priodb_v \sigma s_V.priodb s_V.schedds.inactive \land rel_sndstatdb_v \sigma s_V.procs s_V.sndstatdb \land rel_rightsdb_v \sigma s_V.schedds.inactive s_V.rightsdb \land rel_devds_v \sigma s_V.devds \land (cvm_ups ^{\sigma}cvmX).currentp = v_cup s_V.schedds
```

The first conjunction is an equality for the device subsystem states because both, the implementation and the model, share the same device representation. For the remaining state components, we use the abstraction functions introduced above. In addition, the last part of the conjunction enforces the equivalence between the current process identifier  ${\tt currentp}$  of  ${\tt CVM}$  and the one  ${\tt v\_cup}$  of the VAMOS model.

The theory file vamosAbstractions.thy contains the complete formal definitions of the VAMOS abstraction relation.

**Summary.** A key feature of the VAMOS abstraction relation is that it allows the usage of infinite datatypes in the abstract model, while the implementation is bound to the 32-bit representation of numbers. Thus, on the abstract level, we specify points in time as unbounded natural numbers, while the implementation uses unsigned 32-bit integers to represent those times. With the abstract idea of a monotonicly increasing time, we further avoid the handling of possible overflows as it is required in the implementation (cf. Section 6.3). Consequently, the abstraction relation has to deal

with an growing offset between the implementation time and the abstract time.

Another crucial point is the abstraction of the user processes. Although both, the implementation and the model, use the same granularity of virtual machines, the abstraction is not as simple as one might suppose. The reason for this are the differing virtual machines of waiting processes and (possibly) the one of the current process. In retrospect, this fact seems to be rather natural. However, we only became aware of these differing machines, when we considered the entire system, i. e., the steps before and after the actual VAMOS execution.

In contrast, abstracting the remaining kernel datastructures is rather straightforward.

# 5.2 Implementation Invariant

Each kernel execution is constrained by certain properties and requirements. They are encapsulated in the implementation invariant which is established at the initialization and preserved by the kernel executions and user steps. The main ingredients are:

- value bounds: The target 32-bit VAMP architectur as well as the design of the VAMOS kernel itself lead to various bounds.
- validity and consistency requirements: We have to ensure that the design guidelines are not violated. Thus, a handle, for instance, must not be simultaneously marked as stolen and known. Furthermore, for efficiency reasons, the implementation maintains redundant datastructures. For instance, the process priorities that actually could be derived from the ready list memberships. Certainly, the redundant information must not be contradicting.
- miscellaneous requirements: Mainly used in the context of IPC and waiting processes, they relate concrete with abstract properties, e.g., that a process with state SEND\_STATE in the implementation produces the output IPC\_SEND in the model.

We formulate the requirements of the two former categories solely over the implementation states, whereas the latter also involves abstract model states. It definitely would have been possible to formulate these properties over the implementation states, as well. The implementation invariant, however, is a proof tool and in the proof, we are often confronted with a mixture of concrete and abstract statements. Thus, it turned out to be reasonable to adapt this combination for stating certain properties.

The following sections introduce various predicates encapsulating the particular properties. Later on, these predicates are combined to the overall implementation invariant.

5. Vamos Correctness

#### 5.2.1 Value Bounds

The target VAMP architecture and the design of the VAMOS kernel itself involve various bounds. Those which affect the variables of the implementation state  $\sigma$  are subsumed in predicate valueBounds. The formal definition of the predicate is quite uniform and lengthy. For this reason, we merely present representative excerpts of the definition to convey the general nature of the value ranges.

Recall that many variables of the VAMOS implementation state represent natural and integer numbers. The limiting factor, however, is the 32-bit VAMP architecture, the VAMOS kernel runs on. Thus, natural numbers x can only describe values in the range  $0 \le x < 2^{32}$ , and the values of integer numbers y are limited to  $-2^{31} \le y \le 2^{31} - 1$ .

Furthermore, our system relies on a restricted amount of memory and the VAMOS kernel may only allocate a total of TVM\_MAXPAGES memory pages. Accordingly, TVM\_MAXPAGES is the upper bound for the value of the global variable vamos\_pages\_used, which incidentally also applies for the entries in the heap function fip denoting the number of memory pages occupied by an individual process.

The bounds are not only induced by the target architecture but also by the kernel design itself. For instance, our system only allows process-identifiers in the range {1<..<PID\_MAX}. Accordingly, the heap function pid may only return values that fit into this range. By means of process pointers, VAMOS enables the access to the corresponding process information blocks. The respective pointers are contained in the array pib which is of length PID\_MAX, accordingly. Limiting the number of priority levels to PRIOCNT also has an impact. The entries in the heap function priority range between 0 and PRIOCNT, and the value current\_max\_prio of the current maximum priority is always smaller than PRIOCNT.

# 5.2.2 Validity and Consistency Requirements

The validity and consistency requirements ensure the conformance with the design guidelines and the consistency between redundant datastructures.

### Requirements for the Current Process

The implementaion identifies the current process by the process pointer current\_process. No current process is apparent, if current\_process = Null. Otherwise, current\_process denotes a process pointer out of pib. In addition, its state has to be READY\_STATE.

Formally, predicate  $validCup_v$  encapsulates these requirements:

```
\label{eq:current_process} \begin{array}{l} \mathsf{validCup_v} \ \sigma \equiv \\ \quad \  ^\sigma \mathsf{current\_process} = \mathsf{Null} \ \lor \\ \quad \  ^\sigma \mathsf{current\_process} \in \mathsf{set} \ ^\sigma \mathsf{pib} \ \land \ ^\sigma \mathsf{state} \ ^\sigma \mathsf{current\_process} = \mathsf{READY\_STATE} \end{array}
```

### Requirements for the Virtual Machines

By means of the CVM framework and, in particular, by means of the external state component cvmX, we are able to argue about low-level entities, like process registers or memory. These entities are not a direct part of the VAMOS implementation but have an indirect impact on it, and thus have to fulfill certain requirements.

Formally, predicate validVMs<sub>v</sub> encapsulates all demanded properties:

```
 \begin{array}{l} {\sf validVMs_v} \ \sigma \equiv \\ {\sf is\_valid\_cvmup} \ ({\sf cvm\_ups} \ ^\sigma {\sf cvmX}) \ \land \\ (\forall p \in \{x \in {\sf set} \ ^\sigma {\sf pib}. \ ^\sigma {\sf state} \ x \neq {\sf INACTIVE\_STATE}\}. \\ {} \ ^\sigma {\sf fip} \ p = {\sf size_{\sf asm}} \ (({\sf cvm\_ups} \ ^\sigma {\sf cvmX}). {\sf userprocesses} \ (^\sigma {\sf pid} \ p)) \ \land \\ 0 < {} \ ^\sigma {\sf fip} \ p) \ \land \\ {} \ ^\sigma {\sf vamos\_pages\_used} = \\ (\sum i \in \{0 < .. < {\sf PID\_MAX}\}. \ {\sf size_{\sf asm}} \ (({\sf cvm\_ups} \ ^\sigma {\sf cvmX}). {\sf userprocesses} \ i)) \end{array}
```

An essential part of the definition is predicate is\_valid\_cvmup ensuring the validity of the virtual user machines, as introduced in Section 2.4. The remaining requirements are due to the double book-keeping regarding the memory management. Data regarding the memory consumption can actually be derived from the virtual machines. Due to the limited access, however, the implementation maintains the heap function fip which stores the memory amount of the particular processes. Some kernel actions, like the process creation, require the total memory amount of all processes. For efficiency reasons, the kernel maintains the global variable vamos\_pages\_used which denotes the total amount and prevents the kernel from explicitly summing up the individual process amounts.

Nevertheless, these data structures have to reflect the conditions given by the machines, where function  $\mathsf{size}_{\mathsf{asm}}$  returns the current memory amount of a machine. Thus, for an active process p, the value of  $\mathsf{fip}\ p$  corresponds to the result of  $\mathsf{size}_{\mathsf{asm}}$  applied to the corresponding virtual machine. As active processes occupy at least one memory page, this value has to be greater than 0.

In addition, the total memory amount results from summing up the individual memory amounts of all user machines.

### **Unique Process Identification**

We already mentioned that the array pib contains the pointers to the process information blocks. Each of these pointers is exclusively assigned to one process, i.e., the elements of pib have to be distinct. In addition to that, no Null pointers are allowed as array entries. The process pointers enable the access to the process information blocks which contain (amongst others) the process-identifiers pid. By design, a process-identifier corresponds to the index i of the corresponding pointer in pib, i. e., pid (pib! i) = i. In addition,

5. Vamos Correctness

process-identifiers are unique, i.e., two pointers p and q are equal iff the application of pid returns the same values.

The predicate  $uniqueProcld_v$  formally states these properties:

```
uniqueProcId<sub>v</sub> \sigma \equiv distinct {}^{\sigma}pib \wedge (\forall i < \text{length } {}^{\sigma}pib. {}^{\sigma}pib ! i \neq \text{Null } \wedge {}^{\sigma}pid ({}^{\sigma}pib ! i) = i) \wedge (\forall x \in \text{set } {}^{\sigma}pib. \forall y \in \text{set } {}^{\sigma}pib. ({}^{\sigma}pid x = {}^{\sigma}pid y) = (x = y))
```

#### Requirements for the Rights Datastructures

The rights datastructures in the VAMOS implementation are process-specific and maintained by the heap function  $handle\_db$ . For any process p, this function delivers an array of size  $PID\_MAX$ . The array indices are connected to process handles. As already pointed out in Section 5.1.5, the array entries store natural numbers which encode the IPC rights associated to the handle and also whether the handle is known or stolen.

This information has to follow certain requirements which we define subsequently. Thereby, we mainly concentrate on the information regarding active processes. The implemenation considers a process as active, if the respective pointer p is out of pib and its status is different from INACTIVE\_STATE. In order to distinguish between known and stolen handles, we rely on the predicates knownBit and stolenBit.

**Special Handle Database Entries.** Predicate specialHdbEntries deals with special entries in the handle databases:

```
specialHdbEntries \sigma \equiv
let active = \{x \in \text{set }^{\sigma}\text{pib. }^{\sigma}\text{state }x \neq \text{INACTIVE\_STATE}\};
inactive = \{x \in \text{set }^{\sigma}\text{pib. }^{\sigma}\text{state }x = \text{INACTIVE\_STATE}\}
in \forall p \in active.

\sigma^{\sigma}\text{handle\_db }p ! 0 = 0 \land
\sigma^{\sigma}\text{handle\_db }p ! \sigma^{\sigma}\text{pid }p = 0 \land
(\forall q \in inactive. \sigma^{\sigma}\text{handle\_db }p ! \sigma^{\sigma}\text{pid }q = 0 \lor \text{stolenBit }\sigma p (\sigma^{\sigma}\text{pid }q))
```

There are two fixed entries in each handle database of an active process p storing 0 by default, i.e., no information. First, the entry with index 0, because no process with identifier 0 exists in VAMOS. Second, the entry with index pid p, because VAMOS does not allow processes to send to or receive from themselves. Entries for inactive processes q are either 0 or consist of an active stolen bit. The latter occurs, if q was known by p before its termination and p is not yet notified about this termination.

Consistent Counting of Stolen Handles. In order to figure out the current number of stolen handles in the handle database of an arbitrary process, the VAMOS kernel maintains the heap function stolen\_count. Efficiency is the only reason for this function, because this information could

also be derived from the particular handle databases. Predicate validStolen-Count ensures that the information in stolen\_count does not contradict with the situation in the handle databases:

```
validStolenCount \sigma \equiv let active = \{x \in \text{set }^{\sigma} \text{pib. }^{\sigma} \text{state } x \neq \text{INACTIVE\_STATE} \} in \forall p \in active. \sigma \in \{0 < ... < \text{PID\_MAX} \}. stolenBit \sigma \in \{0 < ... < \text{PID\_MAX} \}.
```

For an active process p, the set  $\{x \in \{0 < ... < PID\_MAX\}$ . stolenBit  $s p x\}$  subsumes the stolen handles. The cardinality of this set must be equal to the value stored in stolen\_count p.

**Properties on Known and Stolen Handles.** As long as a process is known, i. e., the known bit is raised, it is not inactive. Furthermore, process handles are not simultaneously known and stolen.

Predicate propKnownStolen encapsulates these properties:

```
propKnownStolen \sigma \equiv (\forall p \in \operatorname{set}^{\sigma} \operatorname{pib}. \forall q \in \operatorname{set}^{\sigma} \operatorname{pib}. \text{ knownBit } \sigma \ p \ (^{\sigma} \operatorname{pid} \ q) \longrightarrow ^{\sigma} \operatorname{state} \ q \neq \operatorname{INACTIVE\_STATE}) \land (\forall p \in \operatorname{set}^{\sigma} \operatorname{pib}. \forall q < \operatorname{length} \ (^{\sigma} \operatorname{handle\_db} \ p). \\ (\operatorname{stolenBit} \ \sigma \ p \ q \longrightarrow \neg \ \operatorname{knownBit} \ \sigma \ p \ q) \land (\operatorname{knownBit} \ \sigma \ p \ q \longrightarrow \neg \ \operatorname{stolenBit} \ \sigma \ p \ q))
```

Summing Up. The predicate  $validRights_v$  combines the requirements for the rights datastructures:

 $\mathsf{validRights_v}\ \sigma \equiv \mathsf{specialHdbEntries}\ \sigma \land \mathsf{validStolenCount}\ \sigma \land \mathsf{propKnownStolen}\ \sigma$ 

### Requirements for the Lists

The VAMOS microkernel uses queues for process scheduling, on the one hand, and matching communication partners for IPC, on the other one.

During the abstraction in Section 5.1.7, we claimed that the scheduling queues are implemented as doubly-linked lists. This assumption, however, must be discharged by the implementation invariant, as well as the requirement that only process pointers are contained in these lists. In addition to that, the invariant also establishes the connection between the process states and the list memberships.

More involved are the requirements for the send lists. Apart from the aforementioned properties they must also satisfy certain consistency requirements as they actually represent parts of the wait list.

The requirements for the list represent a conjunction of various subpredicates for the particular lists. 5. Vamos Correctness

Valid Inactive List. Predicate validInact<sub>v</sub> encapsulates the requirements for the inactive list:

```
validInact_{\lor} \sigma \equiv \exists \mathit{Inact lst}.

dList ^{\sigma}inactive_list ^{\sigma}queue_next ^{\sigma}queue_prev \mathit{lst Inact} \land (\forall p. \ p \in \mathsf{set } \mathit{Inact} \longrightarrow p \in \mathsf{set } ^{\sigma} \mathsf{pib}) \land (\forall p. \ p \in \mathsf{set } ^{\sigma} \mathsf{pib} \longrightarrow (p \in \mathsf{set } \mathit{Inact}) = (^{\sigma} \mathsf{state } p = \mathsf{INACTIVE\_STATE}))
```

It states that the inactive list is implemented as a doubly-linked list with inactive\_list pointing to the head, and queue\_next and queue\_prev denoting the next and previous pointers. Furthermore, all elements are process pointers out of pib. Finally, a process is in the inactive list iff its state is INACTIVE\_STATE.

Valid Wait List. The predicate validWkp<sub>v</sub> is similar to validInact<sub>v</sub> and encapsulates the properties of the wait list. As the definition suggests, only the process states are adjusted:

```
\label{eq:continuous_problem} \begin{array}{l} \mbox{validWkp}_{\mbox{$\vee$}} \ \sigma \equiv \\ \exists \textit{Wkp lst.} \\ \mbox{dList $^{\sigma}$wakeup\_list $^{\sigma}$queue\_next $^{\sigma}$queue\_prev $\textit{lst Wkp}$ $\land$} \\ \mbox{$(\forall p.\ p \in \text{set $Wkp \longrightarrow p \in \text{set $^{\sigma}$pib})$} $\land$} \\ \mbox{$(\forall p.\ p \in \text{set $^{\sigma}$pib} \longrightarrow \\ \mbox{$(p \in \text{set $Wkp)$} = \\ \mbox{$(^{\sigma}$state $p \in \{\text{SEND\_STATE}, \text{RECEIVE\_STATE}, \text{SEND\_RECEIVE\_STATE}\}))$} \end{array}
```

Valid Ready Lists. The quintessence of both predicates above is also found in the predicate validRdys $_{v}$  which states the validity requirements for the ready lists. In addition, the different priority classes as well as the current process are taken into account: Let p denote a process and Rdy the ready list of priority i. Process p is in the ready list Rdy iff its state is READY\_STATE and, in addition, its priority is i. Furthermore, p is in Rdy and simultaneously denotes the current process iff it is the head of Rdy and the priority i is equal to the current maximum priority current\_max\_prio:

```
 \begin{array}{l} \mathsf{validRdys_v} \ \sigma \equiv \\ \forall i < \mathsf{length} \ ^\sigma \mathsf{ready\_lists}. \\ \exists \mathit{Rdy} \ \mathit{lst}. \\ \mathsf{dList} \ (^\sigma \mathsf{ready\_lists} \ ! \ i) \ ^\sigma \mathsf{queue\_next} \ ^\sigma \mathsf{queue\_prev} \ \mathit{lst} \ \mathit{Rdy} \ \land \\ (\forall p. \ p \in \mathsf{set} \ \mathit{Rdy} \longrightarrow p \in \mathsf{set} \ ^\sigma \mathsf{pib}) \ \land \\ (\forall p. \ p \in \mathsf{set} \ ^\sigma \mathsf{pib} \longrightarrow \\ (p \in \mathsf{set} \ \mathit{Rdy}) = (^\sigma \mathsf{state} \ p = \mathsf{READY\_STATE} \ \land \ ^\sigma \mathsf{priority} \ p = i) \ \land \\ (p \in \mathsf{set} \ \mathit{Rdy} \ \land \ p = \ ^\sigma \mathsf{current\_process}) = \\ (p = \ ^\sigma \mathsf{ready\_lists} \ ! \ i \ \land \ i = \ ^\sigma \mathsf{current\_max\_prio})) \end{array}
```

Valid Send Lists. In order to determine potential communication partners for IPC-receive operations, the VAMOS implementation organizes so-called send lists. Send lists exist solely for performance reasons, because they can actually be derived from the wait list. Hence, these lists have to fulfill – apart from the usual properties – certain consistency requirements.

The predicate SqsInWkp formalizes the forementioned property that the send lists are contained in the wait list:

Starting point is the existence of the wait list Wkp. The send list Sq of an arbitrary process p is derived from Wkp by filtering all processes x with state SEND\_STATE or SEND\_RECEIVE\_STATE and which specified p as communication partner, i.e., ipc\_pid x = pid p. In addition, Sq must represent a doubly-linked list.

The predicate  $\mathsf{distinctSqs}$  ensures that the send lists of two different processes p and q have no elements in common, i.e., processes are not allowed to send to more than one process at the same time:

```
distinctSqs \sigma \equiv \forall p \in \operatorname{set}^{\sigma} \operatorname{pib}. \forall q \in \operatorname{set}^{\sigma} \operatorname{pib}. \forall q \in \operatorname{set}^{\sigma} \operatorname{pib}. p \neq q \longrightarrow (\exists Sq \ Sq2 \ sq\_lst \ sq\_lst2. dList (\sigma \operatorname{send\_queue} p) \ \sigma \operatorname{send\_queue\_next}^{\sigma} \operatorname{send\_queue\_prev} \ sq\_lst \ Sq \land \operatorname{dList}(\sigma \operatorname{send\_queue} q) \ \sigma \operatorname{send\_queue\_next}^{\sigma} \operatorname{send\_queue\_prev} \ sq\_lst2 \ Sq2 \land \operatorname{set} \ Sq \cap \operatorname{set} \ Sq2 = \{\})
```

Only processes currently performing a send operation may reside in send lists. A process is not part of a send list, as long as the according next and previous pointers in its process control block are Null. Thus, if the state of a process p neither denotes SEND\_STATE nor SEND\_RECEIVE\_STATE, it is not in a send list. Predicate onlySendersInSqs formalizes this requirement:

```
onlySendersInSqs \sigma \equiv \forall p \in \text{set }^{\sigma} \text{pib.}
 {}^{\sigma} \text{state } p \neq \text{SEND\_STATE} \wedge {}^{\sigma} \text{state } p \neq \text{SEND\_RECEIVE\_STATE} \longrightarrow {}^{\sigma} \text{send\_queue\_next } p = \text{Null} \wedge {}^{\sigma} \text{send\_queue\_prev } p = \text{Null}
```

The predicate openRcvSqs states that waiting in case of an open-receive implies an empty send list:

5. Vamos Correctness

```
openRcvSqs \sigma \equiv \forall p \in \text{set } \sigma \text{pib.}
\sigma \text{state } p = \text{RECEIVE\_STATE} \wedge \sigma \text{ipc\_pid } p = 0 \longrightarrow \sigma \text{send\_queue } p = \text{Null}
```

A process p waits while performing an open receive operation, if its state is set to RECEIVE\_STATE and ipc\_pid p = 0. The empty send list is denoted by send\_queue p = Null.

Finally, predicate  $\mathsf{validSqs}_\mathsf{v}$  combines all the requirements for the send lists:

```
\mathsf{validSqs_v}\ \sigma \equiv \mathsf{SqsInWkp}\ \sigma \land \ \mathsf{distinctSqs}\ \sigma \land \ \mathsf{onlySendersInSqs}\ \sigma \land \ \mathsf{openRcvSqs}\ \sigma
```

**Summing Up.** The overall predicate validLists<sub>v</sub> formulates the requirements for the lists in the VAMOS implementation:

```
\mathsf{validLists_v}\ \sigma \equiv \mathsf{validRdys_v}\ \sigma \land \mathsf{validWkp_v}\ \sigma \land \mathsf{validInact_v}\ \sigma \land \mathsf{validSqs_v}\ \sigma
```

### Requirements for the Device Datastructures

In the following, we discuss the particular aspects of requirements for the device datastructures. Again, we first define sub-predicates and combine them, later on.

Interrupt Mask Format. Vamos stores device relevant data in 32-bit natural numbers. However, as already mentioned, we rather argue on bitvectors or interrupt masks. Again, function to\_bv32 is used to convert the 32-bit natural numbers into bitvectors.

External interrupt handling in VAMOS is restricted to the user-visible devices. Starting with device number DEVFIRST, a total of DEVCOUNT devices is handled. Referring to the bitvectors, the relevant data is contained in the bitfields reaching from DEVFIRST to DEVFIRST + DEVCOUNT -1.

The predicate intFormats is based on these observations:

```
 \begin{aligned} & \text{intFormats } \sigma \equiv \\ & \text{let } \textit{validIntFormat} = \\ & \lambda x. \ \forall i < \text{length } (\text{to\_bv32 } x). \\ & i < \text{DEVFIRST} \ \lor \text{DEVFIRST} + \text{DEVCOUNT} \le i \longrightarrow \\ & \text{to\_bv32 } x \ ! \ i = 0 \\ & \text{in } \textit{validIntFormat } ^{\sigma} \text{inthd } \land \\ & \textit{validIntFormat } ^{\sigma} \text{intocc } \land \\ & (\forall p. \ p \in \text{set } ^{\sigma} \text{pib} \longrightarrow \textit{validIntFormat } (^{\sigma} \text{reg\_devices } p)) \end{aligned}
```

The auxiliary function *validIntFormat* ensures, that only the bits of user-visible devices may be active and is applied to all device-relevant data.

**No Inactive Interrupt Handlers.** Naturally, inactive processes cannot handle any device interrupts. However, this property has to be fixed with predicate inactNoHd:

```
inactNoHd \sigma \equiv \forall p \in \text{set } \sigma \text{pib. } \sigma \text{state } p = \text{INACTIVE\_STATE} \longrightarrow \sigma \text{reg\_devices } p = 0
```

Unique Device Registration. The VAMOS implementation does not allow multiple handlers for one device interrupt. Thus, if arbitrary processes p and q handle the same device i, they have to be equal.

Predicate uniqueDevReg formalizes this requirement:

```
\begin{array}{l} \text{uniqueDevReg } \sigma \equiv \\ \forall p \in \operatorname{set} \ ^{\sigma} \operatorname{pib}. \\ \forall q \in \operatorname{set} \ ^{\sigma} \operatorname{pib}. \\ \forall i < 32. \\ \operatorname{to\_bv32} \ (^{\sigma} \operatorname{reg\_devices} \ p) \ ! \ i = 1 \ \land \\ \operatorname{to\_bv32} \ (^{\sigma} \operatorname{reg\_devices} \ q) \ ! \ i = 1 \ \longrightarrow \\ p = q \end{array}
```

**Handled and Registered Interrupts.** For any handled interrupt *i* there exists a driver. Accordingly, each interrupt registered to a driver is also marked as handled.

The consistency between the variables reg\_devices and inthd states predicate intHdregDev:

```
intHdregDev \sigma \equiv (\forall i < 32. \text{ to\_bv32} \ ^{\sigma} \text{inthd} \ ! \ i = 1 \longrightarrow (\exists ! p. \text{ to\_bv32} \ (^{\sigma} \text{reg\_devices} \ p) \ ! \ i = 1)) \land (\forall p \in \text{set} \ ^{\sigma} \text{pib}. 
\forall i < 32. \text{ to\_bv32} \ (^{\sigma} \text{reg\_devices} \ p) \ ! \ i = 1 \longrightarrow \text{to\_bv32} \ ^{\sigma} \text{inthd} \ ! \ i = 1)
```

Only Handled Interrupts Occur. Vamos stores only occurrences of handled interrupts.

Predicate intOccHd encapsulates this fact:

```
intOccHd \sigma \equiv \forall i < 32. to_bv32 ^{\sigma}intocc ! i=1 \longrightarrow to_bv32 ^{\sigma}inthd ! i=1
```

**Summing Up.** Predicate  $validDevds_v$  constitutes the combination of the above properties:

```
 \mathsf{validDevds_v} \ \sigma \equiv \\ \mathsf{intFormats} \ \sigma \land \mathsf{inactNoHd} \ \sigma \land \mathsf{uniqueDevReg} \ \sigma \land \mathsf{intHdregDev} \ \sigma \land \mathsf{intOccHd} \ \sigma
```

### 5.2.3 Miscellaneous Requirements

The implementation of the VAMOS kernel contains a number of global variables for which there are no analogous components in the abstract model state. However, these variables have precise meanings and their values can be expressed as formulas over the abstract VAMOS state. Apart from these

5. Vamos Correctness

general requirements, we also demand certain properties on waiting processes and IPC operations.

Subsequently, we define the corresponding predicates.

### General Requirements.

The VAMOS model uses the identifier  $v\_{cup}$  to determine the currently running process. If no process is running, it denotes  $\bot$ , otherwise, the corresponding abstract process number. In contrast, the implementation uses the pointer current\\_process to identify the currently running process. If no such process exists, the pointer denotes Null. Thus, for consistency reasons, the abstract identifier  $v\_{cup}$  delivers  $\bot$  iff current\\_process denotes Null.

The global implementation variable current\_max\_prio also does not have a direct counterpart in a VAMOS state space. However, its value has to correspond to the highest priority of the non-empty ready queues in the model.

In addition to that, we have to fix that the interrupts of the timer device are always enabled. Interrupts of the swap device, in contrast, are not visible by the kernel anymore and thus disabled.

The predicate general Props formally encapsulates these properties:

```
generalProps \sigma s_{V} \equiv (v\_{cup} \ s_{V}.schedds = \bot) = (\sigma_{current\_process} = Null) \land \sigma_{current\_max\_prio} = Max (\{i.\ i < PRIOCNT \land s_{V}.schedds.ready \ i \neq []\} \cup \{0\}) \land DEV\_TIMER \in s_{V}.devds.enabled \land DEV\_SWAP \notin s_{V}.devds.enabled
```

Note that the current maximum priority is set to 0, if no process is ready.

### **Properties of Waiting Processes**

Apart from waiting, the respective processes have to fulfill certain properties which are formalized in predicate waitProps:

```
waitProps \sigma s_{V} \equiv (\forall p \in \text{set } s_{V}.\text{schedds.wait. } \exists \textit{imm.} \text{ current\_instr } \lceil s_{V}.\text{procs } p \rceil = \text{TRAP } \textit{imm}) \land (\forall p \in \text{set } s_{V}.\text{schedds.wait. } \sigma \text{next\_timeout } \leq \sigma \text{timeout } (\sigma \text{pib } ! p)) \land (\sigma \text{current\_time} < \sigma \text{next\_timeout } \longrightarrow (\forall p \in \text{set } s_{V}.\text{schedds.wait. } \neg \text{ expiredTimeout } s_{V}.\text{schedds } p))
```

Waiting processes p are contained in queue sy.schedds.wait. In VAMOS, processes p only wait for pending IPC operations. IPC operations, in turn, are initiated by TRAP instructions. Thus, the first conjunction constitutes that the current instruction of a waiting process p denotes a TRAP. IPC operations are usually bounded by timeouts. In the implementation, the actual timeouts of processes are stored in the heap function timeout. The minimum of these values is stored in the global variable next\_timeout. It determines

the point in time, when the next timeout expires. Keeping the consistency between the heap function timeout and variable next\_timeout requires, that each entry in timeout has to be greater than or equal to next\_timeout.

Finally, the wait queue does not contain processes with expired timeouts as long as the time current\_time is smaller than the value of next\_timeout.

### **Properties of Inter-Process Communications**

We already mentioned, that the implementation distinguishes the IPC operations by means of the process states, whereas the model uses the process outputs. Certainly, we have to establish a relation between these both representations.

In addition to that, pending IPC operations already passed the invocation phase. Thus, the arguments specified by the corresponding process can be considered as valid.

The predicate ipcProps fixes these properties:

```
ipcProps \sigma s_V \equiv \forall p \in \text{set }^{\sigma} \text{pib.}
(^{\sigma} \text{state } p = \text{SEND\_STATE} \longrightarrow \text{consisStateOutSEND } \sigma s_V p \land \text{ipcArgsSEND } \sigma s_V p) \land (^{\sigma} \text{state } p = \text{SEND\_RECEIVE\_STATE} \longrightarrow \text{consisStateOutSENDRCV } \sigma s_V p \land \text{ipcArgsSENDRCV } \sigma s_V p) \land (^{\sigma} \text{state } p = \text{RECEIVE\_STATE} \longrightarrow \text{consisStateOutRCV } \sigma s_V p \land \text{ipcArgsRCV } \sigma s_V p) \land (^{\sigma} \text{state } p \neq \text{INACTIVE\_STATE} \longrightarrow \text{consisStateOutGeneral } \sigma s_V p)
```

The definition is based on arbitrary process pointers p and distinguishes the particular operations by means of the concrete process states. The requirements for the particular operations are two-fold. In case of an IPC\_SEND operation, for instance, predicate consisStateOutSEND fixes the abstract process output, whereas predicate ipcArgsSEND states the validity requirements for the according arguments. Similarily, we proceed in the other cases. The respective predicates are defined below.

**IPC** States and Process Outputs. For a process *p* residing in the state SEND\_STATE, predicate consisStateOutSEND encapsulates the requirement that the corresponding process output denotes IPC\_SEND:

```
 \begin{array}{l} \text{consisStateOutSEND} \ \sigma \ s_{\text{V}} \ p \equiv \\ \text{case} \ \omega_{\text{proc}} \ \lceil s_{\text{V}}. \text{procs} \ (^{\sigma} \text{pid} \ p) \rceil \ \textbf{of} \\ \text{IPC\_SEND} \ \textit{hn}_{\text{rcv}} \ \textit{rights}_{\text{snd}} \ \textit{msg} \ \textit{hn}_{\text{add}} \ \textit{rights}_{\text{add}} \ \textit{to}_{\text{snd}} \Rightarrow \text{True} \ | \ \_ \Rightarrow \text{False} \\ \end{array}
```

In a similar way, we define predicate consisStateOutSENDRCV for processes in state SEND\_RECEIVE\_STATE. However, in case of an ordinary receive operation, we have to take two situations into account, as the definition of predicate consisStateOutRCV suggests:

5. Vamos Correctness

```
consisStateOutRCV \sigma sv p \equiv case \omega_{\text{proc}} \lceil s_{\text{V}}.\text{procs} (\sigma_{\text{pid}} p) \rceil of IPC_RECEIVE hn_{\text{snd}} buf to_{\text{rcv}} \Rightarrow \text{True} | IPC_REQUEST hn_{\text{rcv}} rights<sub>snd</sub> msg hn_{\text{add}} rights<sub>add</sub> to_{\text{snd}} buf to_{\text{rcv}} \Rightarrow \lceil s_{\text{V}}.\text{sndstatdb} (\sigma_{\text{pid}} p) \rceil \land p \neq \sigma_{\text{current\_process}} | \_ \Rightarrow \text{False}
```

The state RECEIVE\_STATE may denote an IPC\_RECEIVE call but also the receive phase of an IPC\_REQUEST operation. Predicate consisStateOutRCV takes both possibilities into account and holds, if the process output is either IPC\_RECEIVE or IPC\_REQUEST. In addition, however, the latter case requires an active send status and the process must be different from the currently running process.

Furthermore, the predicate consisStateOutGeneral encapsulates some general properties regarding the output of an active process p:

```
consisStateOutGeneral \sigma s_V p \equiv case \omega_{\text{proc}} \lceil s_V.\text{procs} (\sigma_{\text{pid}} p) \rceil of IPC_RECEIVE hn_{\text{snd}} buf to_{\text{rcv}} \Rightarrow \sigma_{\text{state}} p \neq \text{RECEIVE\_STATE} \longrightarrow \sigma_{\text{pid}} p \notin \text{set } s_V.\text{schedds.wait} \mid \text{IPC\_REQUEST} \ hn_{\text{rcv}} \ rights_{\text{snd}} \ msg \ hn_{\text{add}} \ rights_{\text{add}} \ to_{\text{snd}} \ buf \ to_{\text{rcv}} \Rightarrow \lceil s_V.\text{sndstatdb} \ (\sigma_{\text{pid}} p) \rceil = (\sigma_{\text{state}} p = \text{RECEIVE\_STATE}) \mid \ \ \ \Rightarrow \ \ \text{True}
```

As long as the implementation state of a process, performing an IPC\_RECEIVE call, is not set to RECEIVE\_STATE, the process is not part of the wait queue. Furthermore, the send status of a process performing an IPC\_REQUEST call is active iff its state in the implementation denotes RECEIVE\_STATE.

IPC Registers and Arguments Validity. Each IPC operation comes along with various input arguments determining, for instance, the desired communication partner or the message to be sent. Before the initiation of an IPC operation, the calling process has to specify these arguments in dedicated registers. The VAMOS kernel takes these values out of the registers and performs several validity checks. Erroneously specified or invalid arguments lead to the abortion of the operation. In case of no errors, the arguments are stored in dedicated components of the process control block of the calling process. The state of the process is set according to the desired operation and the pre-transmission phase is entered. In the correctness proof, however, we have to retain the situation that the arguments – stored in the process information blocks of processes in IPC states – fulfill certain properties.

The particular definitions of the predicates above are quite substantial and elaborate but all follow the same structure. Hence, we only cite parts of the definition of ipcArgsSEND as an example.

An implementation state  $\sigma$ , an abstract VAMOS state  $s_V$  and a process pointer p identifying a process performing an IPC\_SEND operation are the basis:

```
ipcArgsSEND \sigma s_V p \Longrightarrow let hn_{\text{rcv}} = \lceil s_V.\text{procs} \ (\sigma \text{pid} \ p) \rceil.\text{gprs} \ ! \ 11; rights_{\text{snd}} = \text{to\_nat}32 \ (\lceil s_V.\text{procs} \ (\sigma \text{pid} \ p) \rceil.\text{gprs} \ ! \ 12); msg_{\text{ptr}} = \text{to\_nat}32 \ (\lceil s_V.\text{procs} \ (\sigma \text{pid} \ p) \rceil.\text{gprs} \ ! \ 13); msg_{\text{len}} = \text{to\_nat}32 \ (\lceil s_V.\text{procs} \ (\sigma \text{pid} \ p) \rceil.\text{gprs} \ ! \ 14) in hn_{\text{rcv}} \notin \{\text{HN\_SELF}, \ \text{HN\_NONE}\} \land \\ \lfloor \sigma \text{ipc\_pid} \ p \rfloor = \lceil s_V.\text{rightsdb} \ (\sigma \text{pid} \ p) \rceil.\text{hdb} \ hn_{\text{rcv}} \land \\ \sigma \text{ipc\_rights} \ p = rights_{\text{snd}} \land \\ (\sigma \text{ipc\_rights} \ p \land _{\text{u}} \neg_{\text{u}/32} \ 15) = 0 \land \\ \sigma \text{ipc\_snd\_msg} \ p = msg_{\text{ptr}} \land \sigma \text{ipc\_snd\_len} \ p = msg_{\text{len}} \land \text{validMsg} \ \sigma \ p
```

The definition first introduces various abbreviations for the values in the source registers. Register 11 stores the handle  $hn_{rcv}$  to the desired receiver and register 12 contains the rights  $rights_{snd}$  that should be granted to it. Furthermore, process p specifies the start address  $msg_{ptr}$  of the send message in register 13, followed by its length  $msg_{len}$  in register 14.

Based on these prerequisites, predicate ipcArgsSEND claims (apart from others) the following properties: The handle  $hn_{rcv}$  is valid, i. e., it is neither HN\_SELF nor HN\_NONE and it points to the desired IPC partner. In the implementation, the process-identifier of the latter is stored in ipc\_pid p. Accordingly, an access with  $hn_{rcv}$  to the abstract handle database of p results in its abstracted process number. The rights  $rights_{snd}$ , as well as the start address  $msg_{ptr}$  and the length  $msg_{len}$  of the send message are stored in the according components of the process information block. In addition, they fulfill the validity requirements. The rights follow the right format, i. e., (ipc\_rights  $p \land_u \lnot_{u/32} 15$ )  $\neq 0$ . Note that ipc\_rights p is a natural numbers actually encoding a bit vector. Within this bit vector, it is only allowed to use the four least significant bits to express the desired combination of rights. In order to meet the correct format, the remaining bits must be 0. Transferred to the natural number representation, the operation above reflects this requirement.

Furthermore, the send message is defined and available in the virtual memory of p. Predicate validMsg encapsulates this property:

```
\begin{array}{l} \mathsf{validMsg} \ \sigma \ p \equiv \\ (\sigma \mathsf{ipc\_snd\_len} \ p \ \wedge_\mathsf{u} \ 3) = 0 \ \wedge \\ (\sigma \mathsf{ipc\_snd\_len} \ p = 0 \ \vee \\ (\sigma \mathsf{ipc\_snd\_msg} \ p \ \wedge_\mathsf{u} \ 3) = 0 \ \wedge \\ \sigma \mathsf{ipc\_snd\_msg} \ p \ < \ \sigma \mathsf{fip} \ p \ll_{\mathsf{u}/32} 12 \ \wedge \\ \sigma \mathsf{ipc\_snd\_len} \ p \ + \ \sigma \mathsf{ipc\_snd\_msg} \ p \ < \ \sigma \mathsf{fip} \ p \ll_{\mathsf{u}/32} 12) \end{array}
```

The message length is a multiple of the word length (measured in bytes), and the start address is word-aligned as long as the length is not 0. In case of the latter, the message resides within the boundaries of the virtual memory. The value fip p denotes the first invalid memory page, whereas each page consists of PAGE\_SIZE =  $2^{12}$  words. We obtain the first invalid address by shifting fip p by 12 to the left. Accordingly, the start address as well as the

5. Vamos Correctness

end address of the message are smaller than the first invalid address.

The definitions of the predicates <code>ipcArgsSENDRCV</code> and <code>ipcArgsRCV</code> are quite similar. The former is based on <code>ipcArgsSEND</code>, but additionally demands some requirements regarding the receive phase which can also be found in the latter.

### 5.2.4 Summing Up

The predicate implined combines the properties and requirements from above and establishes the VAMOS implementation invariant:

```
implInv s s_{\text{V}} \equiv valueBounds_{\text{V}} s \land validVMs_{\text{V}} s \land validCup_{\text{V}} s \land validRights_{\text{V}} s \land uniqueProcld_{\text{V}} s \land validLists_{\text{V}} s \land validDevds_{\text{V}} s \land generalProps s s_{\text{V}} \land waitProps s s_{\text{V}} \land ipcProps s s_{\text{V}}
```

The theory file vamosAbstractions.thy contains the complete formal definitions of the VAMOS implementation invariant.

### 5.3 The Simulation Theorem

The overall correctness statement – we are aiming at in this thesis – applies to a complete kernel step, i.e., the Vamos kernel embedded into the CVM framework. An illustration of this statement was already given in Figure 5.1. The proof of this statement shows the simulation between the implementation and the model. We express this statement as a Hoare triple.

Theorem 5.3.1 (Kernel Correctness) This theorem actually represents two cases: a reset and a normal system step. A reset is signaled by an active reset and causes the initialization of the datastructures leading to the state  $\tau$ . On the abstract level, the initialization of the VAMOS kernel is described by the function initialConf. This initial state together with the devices  $s_D{}'$  and the implementation state  $\tau$  fulfill the abstraction relation and the implementation invariant.

Apart from the reset case, let  $\sigma$  be the implementation state before and  $\tau$  the one after the application of function system\_step. Furthermore,  $(s_V, s_D)$  denotes an abstract state and  $(s_V', s_D')$  its adjacent one after applying  $\delta_{V+D}$ . Whenever the abstraction relation  $Abs_{V+D}$  holds between  $\sigma$  and  $(s_V, s_D)$  and impliny holds before the invocation of system\_step,  $Abs_{V+D}$  holds between  $\tau$  and  $(s_V', s_D')$  and impliny is preserved.

In short, the transition function  $\delta_{V+D}$  models the system execution system\_step.

5.3. The Simulation Theorem 157

```
\begin{split} \varGamma\vdash_{\mathsf{t}} \{\sigma. \ ^{\sigma}\mathsf{reset} \ \lor \ \mathsf{Abs}_{\mathsf{V}+\mathsf{D}} \ \sigma \ (s_{\mathsf{V}}, \ s_{\mathsf{D}}) \ \land \ \mathsf{implInv} \ \sigma \ s_{\mathsf{V}} \} \ \mathsf{PROC} \ \mathsf{system\_step}() \\ \{\tau. \ \mathsf{let} \ (s_{\mathsf{V}}', \ s_{\mathsf{D}}') = \\ & \quad \mathsf{if} \ ^{\sigma}\mathsf{reset} \\ & \quad \mathsf{then} \ (\mathsf{initialConf} \ (\mathsf{getOSimg} \ s_{\mathsf{D}}) \ \mathsf{OS\_PAGES}, \\ & \quad \mathsf{init\_dev} \ (\mathsf{cvm\_devs} \ ^{\sigma}\mathsf{cvmX})) \\ & \quad \mathsf{else} \ \mathsf{fst} \ (\delta_{\mathsf{V}+\mathsf{D}} \perp (s_{\mathsf{V}}, \ s_{\mathsf{D}})) \\ & \quad \mathsf{in} \ \mathsf{Abs}_{\mathsf{V}+\mathsf{D}} \ \tau \ (\mathsf{s_{\mathsf{V}}}', \ \mathsf{s_{\mathsf{D}}}') \ \land \ \mathsf{implInv} \ \tau \ \mathsf{s_{\mathsf{V}}}' \} \end{split}
```

Recall that the transition function  $\delta_{V+D}$  uses its input parameter to determine whether the kernel or solely the device subsystem (e.g., by receiving a network package) advance during a transition of the overall system. If this input is not  $\bot$ , the kernel remains constant. Knowing that the abstraction relation of the kernel data structures and the one of the device subsystem are independent, we may consequently disregard changes that are limited to the device subsystem in the consideration of the kernel simulation. While we are interested in the kernel-device interaction, we disregard any external device input from the environment and the according output to it. As a consequence, this input is fixed at  $\bot$  in the theorem above. Furthermore, the transition function  $\delta_{V+D}$  returns a pair of the updated state and the external output. We are, however, only interested in the updated state and thus take the first component of this pair, i. e.,  $(s_V', s_D') = \text{fst } (\delta_{V+D} \bot (s_V, s_D))$ .

Proof Sketch The correctness of the simulation theorem is based on the correctness of all functions applied in the scope of system\_step. Thus, for all functions we have to define and prove lemmata stating their correctness. Eventually, we connect these lemmata in order to prove the correctness of the overall system. The proof of the theorem mainly relies on the correctness of the function dispatcher\_kernel representing the main function of the VA-MOS implementation. The correctness of dispatcher\_kernel, in turn, depends on the correctness of its four different parts: the initialization, the handling of process exceptions, the timer-interrupt handler and the delivery of device interrupts.

We have not completed the proof of the whole theorem but mayor parts of it. The next chapter presents the already proven ones.

## Chapter 6

## Implementation Correctness

| 6 | .1 | Weakening the Abstraction Relation            | 161 |
|---|----|-----------------------------------------------|-----|
| 6 | .2 | Auxiliary Functions                           | 163 |
| 6 | .3 | Correctness of the Timer-Interrupt Handler $$ | 165 |
| 6 | .4 | Correctness of the Trap Handler               | 169 |
| 6 | .5 | Correctness of the Vamos Top-level Function   | 184 |
| 6 | .6 | Correctness of a System Step                  | 187 |

The C0 implementation of the Vamos kernel is based on the CVM primitives provided by the CVM framework. Apart from that, the implementation relies on a library of functions on doubly-linked lists which was specified and verified in the Hoare logic against its C0 implementation [59, 71].

Except the functions of the list library and the CVM primitives, Figure 6.1 depicts the call graph of the VAMOS implementation.

The functions highlighted in green are completely verified, the correctness of the ones in yellow is shown but the proof relies on specifications of sub-functions which are not yet proven.

Often recurring operations are encapsulated in auxiliary functions. Subsequently, we briefly introduce their functionalities and specifications. Based on these functions, we proceed with the correctness statements for the timer-interrupt handler handle\_timer and the trap handler which is implemented in function dispatcher\_kernel\_call. Under the assumption that the remaining parts, i.e., the initialization, the interrupt delivery and the termination of processes are correctly implemented, we formulate and prove the correctness of the VAMOS top-level function dispatcher\_kernel. Finally, the VAMOS correctness statement is integrated in function system\_step and we prove the overall correctness statement as formulated in Theorem 5.3.1.

The correctness statement of the VAMOS kernel relies on a slightly adjusted abstraction relation which takes the invocation context of function



Figure 6.1: Call Graph of the VAMOS Implementation



Figure 6.2: Data abstraction in the case of trap handling

dispatcher\_kernel into account. Thus, we first introduce this weakening of the abstraction relation in the next section and proceed than as described above.

### 6.1 Weakening the Abstraction Relation

The weakening of the abstraction relation  $\mathsf{Abs}_{\mathsf{V}+\mathsf{D}}$  only affects the abstraction of the virtual machines. As mentioned in Section 5.1.1, the reason for this is the different handling of the user-generated exceptions in the implementation and the model.

In general, the user-generated exception handling in the concrete system happens as follows: The current process computes on the VAMP processor and executes an instruction. Executing this instruction triggers an exception and the VAMP calls the interrupt service routine (ISR). The ISR passes the exception on to the VAMOS kernel which – on the basis of the exception cause and data – handles this exception. Thus, the current process runs into the exception which is then handled in a sequential way.

The VAMOS model, in contrast, abstracts from the sequential exception handling and combines it into one step. Thereby, the main difference is that the instruction causing the exception is not executed right at the beginning in order to determine any exceptions. The model rather considers the corresponding process output by means of the function  $\omega_{\text{proc}}$  which inspects the next instruction of the current process before the actual execution. If the execution of the instruction would lead to an exception, the model handles the exception in advance and delivers the result in the same moment as it

executes the instruction. Thus, the virtual machine is kept in the original state as long as the exception handling is not completed.

We exemplify the different approaches by the trap handling and explain by this example, how we adjust the abstraction of the virutal machines to cope with this situation in the proofs.

Figure 6.2 illustrates the situation on the concrete and abstract levels. In our setting, the kernel-visible effects of the ISR are described by function system\_step. It executes the instruction of the current process by means of user<sub>step</sub> and calls function dispatcher\_kernel which implements the VAMOS kernel. As we only consider the trap handling in this case, the invocation of the VAMOS kernel mainly boils down to the function dispatch\_kernel\_call. The model represents a kernel step by means of the transition function  $\delta_{V+D}$ . As in the implementation, this function results in calling vamosDispatcher.

In our example, the states  $\sigma_1$  and  $s^1_{V+D}$  are correlated with each other via the abstraction relation  $Abs_{V+D}$  and represent the situation before the actual kernel step. In the concrete system, the TRAP instruction is executed by means of function  $user_{step}$  and function  $dispatch\_kernel\_call$  is invoked in state  $\sigma_2$ . Executing the TRAP instruction in the concrete system does not yet have a counterpart in the model, i.e., the model still resides in state  $s^1_{V+D}$ .

As we want to use function vamosDispatcher for describing the semantic effect of the function dispatch\_kernel\_call, we establish a weak abstraction relation weakAbs<sub>V+D</sub> between  $\sigma_2$  and  $s^1_{V+D}$ . It is pretty similar to the overall abstraction relation weakAbs<sub>V+D</sub> but certainly takes the differing virtual machine states of the current process into account.

The latter is reflected in the weak abstraction relation weak\_rel\_procs<sub>v</sub> for the virtual user machines:

```
weak_rel_procs_v \sigma ptr_{cp} diff inactQ waitQ uprocs \equiv \forall x. if x \in \text{set } inactQ then uprocs x = \bot else if x \in \text{set } waitQ then incPcs \lceil uprocs \ x \rceil = (\text{cvm\_ups}\ ^{\sigma}\text{cvmX}).\text{userprocesses}\ x \land uprocs\ x \neq \bot else if diff \land ptr_{cp} \neq \text{Null}\ \land x = ^{\sigma}\text{pid}\ ptr_{cp} then user_{step} \lceil uprocs\ x \rceil = (\text{cvm\_ups}\ ^{\sigma}\text{cvmX}).\text{userprocesses}\ x \land uprocs\ x \neq \bot else uprocs\ x = \lfloor (\text{cvm\_ups}\ ^{\sigma}\text{cvmX}).\text{userprocesses}\ x \rfloor
```

Virtual machines of inactive and waiting processes are abstracted in the same way as with  $rel\_procs_v$ . Expressing the differing virtual machine states of the current process is made possible by two additional arguments: a pointer  $ptr_{cp}$  to the current process at kernel entry and a flag diff denoting whether its virtual machine states differ. If a current process existed, i.e.,  $ptr_{cp} \neq Null$  and, in addition, flag diff is active, the virtual machine of the current process in the model is the one that after the application of  $user_{step}$  corresponds with its machine in the implementation. In all other cases, the

virtual machines are identical, again.

The relation weak\_rel\_procs<sub>v</sub> is also applicable in the postcondition of dispatch\_kernel\_call in order to relate the virtual machines in the implementation state  $\sigma_3$  and the ones in  $s^2_{V+D}$ . If the trap handling succeeds, function dispatch\_kernel\_call writes the corresponding result into the result register of the current process. In the model, function vamosDispatcher also delivers the result and executes the TRAP instruction. As a consequence, the states of the virtual machines of the current process are in-sync again. The same applies, if the trap handling failed and the current process received an error message.

In the remaining cases, the trap handling is not yet finished. For instance, if the current process triggered an IPC operation but no suitable communication partner was available. As it has not received an error message, it is apparently willing to wait. Accordingly, it is put into the wait queue. For members of the wait queue, predicate weak\_rel\_procs\_v establishes the corresponding relation between the virtual machine states.

In a similar way, we can use weak\_rel\_procs<sub>v</sub> in the other application areas, i.e., in the pre- and postconditions of the VAMOS scheduler or the interrupt delivery. These entities, however, also involve the remaining datastructures. Thus, we define a weak abstraction relation weakAbs<sub>V+D</sub>:

```
weakAbs_V+D \sigma cup\ pendingStep\ (s_V,\ s_D) \equiv cvm_devs \sigmacvmX = s_D \wedge weak_rel_procs_v \sigma cup\ pendingStep\ s_V.schedds.inactive s_V.schedds.wait s_V.procs \wedge rel_schedds_v \sigma s_V.schedds \wedge rel_priodb_v \sigma s_V.priodb s_V.schedds.inactive \wedge rel_sndstatdb_v \sigma s_V.procs s_V.sndstatdb \wedge rel_rightsdb_v \sigma s_V.schedds.inactive s_V.rightsdb \wedge rel_devds_v \sigma s_V.devds
```

It is similar to  $Abs_{V+D}$  but uses  $weak\_rel\_procs_v$  instead of  $rel\_procs_v$  to abstract the virtual machines. In addition, it does not enforce the equivalence between the current process identifiers of CVM and VAMOS.

### 6.2 Auxiliary Functions

While specifying the auxiliary functions,  $\sigma$  denotes the implementation state before the invocation and  $\tau$  the one after the execution. We do not describe the complete Hoare triples but only the semantic effect of the particular functions. The complete formal definitions of the pre- and postconditions comprise many technical details. For instance, in most cases, we cannot rely on the complete implementation invariant but only on (adjusted) parts of it. Furthermore, the postconditions contain information on how certain variables have changed. Thus, a more detailed inspection would be tedious and result rather in confusion than clarification. For this reason, we only

focus on the essential aspects. However, the formal definitions of the preand postconditions together with the corresponding Hoare triples and the functional correctness proofs can be found in the provided theory files.

Resolving Handles. The function resolve\_handle implements the mapping from process-local handles to process-identifiers. Invoked by a process p, it resolves the given handle hn in p's context and returns the corresponding process-identifier pid. The specification basically relies on the assumption that rel\_rightsdb<sub>V</sub> establishes a relation between the concrete rights datastructures in  $\sigma$  and the abstract ones rightsdb. Return values  $pid \in \{0, \text{PID\_MAX}\}$  indicate that handle hn is invalid in the context of p. On the abstract level, this situation is expressed by  $\lceil rightsdb \ (\sigma pid \ p) \rceil$ .hdb  $hn = \bot$  and  $\lnot$  valid\_handle  $rightsdb \ (\sigma pid \ p)$  hn. The handle hn is valid, if pid denotes a process-identifier. Accordingly, the entry in the abstract handle database of p stores the corresponding process number, i. e.,  $\lceil rightsdb \ (\sigma pid \ p) \rceil$ .hdb  $hn = \lfloor pid \rfloor$ .

The theory file vamosResolveHandle.thy contains the corresponding Hoare triple together with the functional correctness proof. Proving the functional correctness of function resolve\_handle is rather simple which is reflected by only around 60 proof steps.

Putting processes to sleep and waking them up. The task of putting a process to sleep is encapsulated in function put\_process\_to\_sleep and function wake\_up is used to wake up processes. At the very beginning, the specifications rely on the assumption that the concrete scheduling lists in  $\sigma$  can be related to their abstract counterparts via Queue. In both cases, the ready queues RdyQs and the wait queue waitQ are used to describe the semantic effect. Furthermore, there is the abstract priority database priodb which is obtained by rel\_priodb<sub>v</sub>.

Putting a process p to sleep involves its removal from the ready queue and its appending to the wait queue. The former is described by  $RdyQs(prio_p) := [x \in RdyQs\ prio_p\ .\ x \neq {}^{\sigma}pid\ p])$ , where  $prio_p = [priodb\ ({}^{\sigma}pid\ p)]$ . Updating the wait queue is also straightforward: WkpQ @  $[{}^{\sigma}pid\ p]$ . The function  $put\_process\_to\_sleep$  does not set the timeout value of p. Apart from that, its semantic complies with function  $v\_ipc\_wait\_updt\_schedds$ .

The theory file vamosPutProcessToSleep.thy contains the Hoare triple for put\_process\_to\_sleep together with the functional correctness proof. The most effort is necessary to establish the invariants regarding the wait and the ready lists. In total, the proof comprises around 570 steps.

The awakening of a process p involves its removal from waitQ and its appending to RdyQs  $prio_p$ . Function  $wake\_up$ , however, does not reset the consumed time to 0. Nevertheless, apart from the latter, the semantic effect on the ready and wait queues complies with the one described by

v\_wkp\_updt\_schedds.

The theory file vamosWakeUp.thy contains the Hoare triple for wake\_up together with the functional correctness proof. Again, the most effort is necessary to establish the invariants regarding the wait and the ready lists. The proof comprises ca. 640 steps.

Computing the current maximum priority. As the call graph illustrates, putting a process to sleep entails the re-computation of the maximal priority current\_max\_prio by the function compute\_max\_prio. Based on abstract ready queues RdyQs, the result of this computation can be expressed as follows:  ${}^{\tau}$ current\_max\_prio = Max ( $\{i.\ i < \mathsf{PRIOCNT} \land s_{\mathsf{V}}.\mathsf{schedds.ready}\ i \neq []\} \cup \{0\}$ ).

The theory file vamosComputeMaxPrio.thy contains the corresponding Hoare triple together with the functional correctness proof. Proving the functional correctness is rather straightforward and the proof only requires 60 steps.

Searching the next process. Usually, the awakening of a process or putting it to sleep requires the re-computation of the current process current\_process. The function search\_next\_process encapsulates this task. Its specification relies on the assumption that, at the beginning, ready queues RdyQs can be abstracted from the implementation state  $\sigma$  via Queue. Setting current\_process to Null is equivalent with the statement that the ready queue of the highest priority is empty: ( ${}^{\tau}$ current\_process = Null) = (RdyQs  ${}^{\sigma}$ current\_max\_prio = []). If  ${}^{\tau}$ current\_process  $\neq$  Null, the corresponding process number denotes the head of the ready queue with the highest priority, i. e.,  ${}^{\tau}$ pid  ${}^{\tau}$ current\_process = hd (RdyQs  ${}^{\sigma}$ current\_max\_prio).

The theory file searchNextProcess.thy contains the Hoare triple together with the functional correctness proof which comprises around 30 steps.

### 6.3 Correctness of the Timer-Interrupt Handler

The implementation correctness of the timer-interrupt handler was already briefly covered in [27]<sup>1</sup> and lays the foundation for the fairness proof of the VAMOS scheduler [27, 25].

The VAMOS scheduler is implemented in function handle\_timer (see Figure 6.3), which is called by dispatcher\_kernel, whenever a timer interrupt

<sup>&</sup>lt;sup>1</sup>A very early attempt of showing the implementation correctness of the timer-interrupt handler presents [19]. However, we only mention this work for the sake of completeness. On the one hand, the specification of the Vamos scheduler has significantly changed in the course of time and, on the other hand, the work only presents rudimentary approaches regarding the actual functional verification.

occurs. Recall that the scheduler might be invoked after the trap handling which might change the variable current\_process. In order to charge the correct process, we store the pointer current\_process at the very beginning in variable old\_cup and provide this variable as input to function handle\_timer which performs the following tasks:

- acknowledge the timer interrupt by reading a word from the timer device by calling cvm\_in\_word, such that the latter may lower its interrupt line.
- if there exist finite timeouts, i. e., next\_timeout ≠ INFINITE\_TIMEOUT, increase the current time and check for elapsed timeouts. This check is encapsulated in function check\_elapsed\_timeouts, which traverses the wait queue, wakes up all processes with elapsed timeouts, and subtracts the current time from all other timeouts. Finally, the current time is set to zero which avoids the overflow of the current\_time variable.
- charge the process old\_cup that computed in the last step, if it is still ready. If the so far consumed time of old\_cup is greater than or equal to its timeslice, the process is moved to the end of its ready list. Therefore, it is first deleted from the list and then appended again. In addition, the consumed time is set to zero. Otherwise, the consumed time is increased by one.
- elect the process that runs in the next kernel step by means of the function search\_next\_process, which returns the first element in the ready list with the current maximum priority.

The functional correctness of the timer-interrupt handler mainly relies on the functional correctness of check\_elapsed\_timeouts. Thus, we first briefly describe the proof of the latter and continue afterwards with the correctness theorem of the timer-interrupt handler.

### 6.3.1 Implementation Correctness of check\_elapsed\_timeouts

As with the auxiliary functions, we do not present the complete formal specification of function check\_elapsed\_timeouts but only describe its semantic effect. For more details, we refer to the corresponding theory file.

The semantic effect of function <code>check\_elapsed\_timeouts</code> only affects the virtual machines and the scheduling datastructures. Accordingly, the proof is based on the assumption that the relations <code>rel\_procs\_v</code> and <code>rel\_schedds\_v</code> can be established between the concrete and abstract datastructures. Note that the precondition cannot assume the complete implementation invariant <code>impllnv</code> but only a part of it together with several adjusted properties. Recall that <code>check\_elapsed\_timeouts</code> is applied after increasing the time

```
procedures handle_timer(old_cup | res_int) =
  (* acknowledge the timer interrupt *)
  '\mathsf{dummy} :== \textbf{CALL}_g \ \mathsf{cvm\_in\_word}(\mathsf{DEVICE\_TIMER}, \, 0);
  (* detect and handle elapsed IPC timeouts *)
  \mathbf{IF}_{g} 'next_timeout \neq INFINITE_TIMEOUT THEN
    'current_time :==_{g} 'current_time + 1
  IF_g 'current_time \geq 'next_timeout THEN
    'dummy_i :== CALL_g check_elapsed_timeouts()
  (* charge the process that computed in the last step *)
  \textbf{IF}_{g} \ ' old\_cup \neq Null \ \land \ ' old\_cup \rightarrow \ ' state = READY\_STATE \ \ \textbf{THEN}
    \mathsf{IF}_\mathsf{g} 'old_cup\to'consumed_time \geq 'old_cup\to'timeslice THEN
      'ready_lists! ('old_cup→'priority) :==
             \textbf{CALL}_g \ \ \mathsf{queueDelete}(\text{'ready\_lists} \ ! \ (\text{'old\_cup} \rightarrow \text{'priority}), \ \text{'old\_cup});
      'ready_lists! ('old_cup→'priority) :==
             \textbf{CALL}_g \ \mathsf{queueAppend}(\text{'ready\_lists} \ ! \ (\text{'old\_cup} \rightarrow \text{'priority}), \ \mathsf{'old\_cup});
      'old\_cup \rightarrow 'consumed\_time :==_g 0
    ELSE
      ' old\_cup {\rightarrow} ' consumed\_time :==_{\sf g} \ ' old\_cup {\rightarrow} ' consumed\_time + 1
    FI
 FI;
  (* select the process that runs in the next step *)
  {}^\prime dummy\_i :== CALL_g search\_next\_process(); {}^\prime res\_int :==_g 0
```

Figure 6.3: Function handle\_timer

in function handle\_timer, which may lead to a situation where, e.g., the time is no longer smaller than MAX\_TIME. Thus, in the precondition for check\_elapsed\_timeouts, we have to adjust, among other things, the timerelated properties of impliny, accordingly. The same applies for the postcondition. For instance, we cannot establish the complete validity requirements for ready lists, where the head of the ready list of the highest priority determines the current process. Waking up processes, as it happens in check\_elapsed\_timeouts could violate this property, because the highest priority might change. This violation is not resolved until the point, where function search\_next\_process is called in handle\_timer. Apart from that the postcondition also states the semantic effect of calling check\_elapsed\_timeouts. Both, the virtual machines and the scheduling datastructures, are updated in the way as described by the model function checkTimeouts. The Hoare triple of checkTimeouts and the formal functional correctness proof can be found in the theory file vamosCheckElapsedTimeouts\_proof.thy. Due to the traversing of the wait queue and the awakening of processes, showing the functional correctness of function checkTimeouts is pretty elaborate which is reflected in almost 4700 proof steps.

### 6.3.2 Implementation Correctness of handle\_timer

For a better reusability in the correctness proof of function dispatcher\_kernel, we encapsulate the pre- and postconditions of function handle\_timer in predicates.

The predicate handle Timer pre formulates the precondition:

```
\begin{array}{l} \mathsf{handleTimer}_{\mathsf{pre}} \ \sigma \ old\_cup \ diff \ s_{\mathsf{V}} \ s_{\mathsf{D}} \equiv \mathsf{weakAbs}_{\mathsf{V+D}} \ \sigma \ old\_cup \ diff \ (s_{\mathsf{V}}, \ s_{\mathsf{D}}) \ \land \\ \mathsf{implInv} \ \sigma \ s_{\mathsf{V}} \ \land \ old\_cup = \mathsf{Null} \ \lor \ old\_cup \in \mathsf{set} \ {}^{\sigma}\mathsf{pib} \ \land \\ (old\_cup \neq \mathsf{Null} \ \land \ diff \ \longrightarrow \ {}^{\sigma}\mathsf{pid} \ old\_cup \notin \mathsf{set} \ s_{\mathsf{V}}.\mathsf{schedds.wait}) \end{array}
```

Relation weakAbs<sub>V+D</sub> depends on old\_cup and diff, whereas impllnv is stated as usual. The old\_cup is either Null or denotes a pointer to a process information block. Furthermore, if a current process old\_cup has been apparent at kernel entry and flag diff is active, the process is not waiting. This statement actually reflects the situation that old\_cup has neither triggered a runtime-error nor a trap exception but performed a process-local transition. Accordingly, the timer-interrupt handler is the first function which is called in the VAMOS kernel and the virtual machines of old\_cup still differ. This property allows to exclude process old\_cup from the check for elapsed timeouts and is thus passed on as a precondition of check\_elapsed\_timeouts.

The postcondition is stated by the predicate handleTimerpost:

```
handleTimer<sub>post</sub> \tau \sigma old\_cup diff_{cp} s_V s_D \Longrightarrow let s_D{'}= fst (\delta_{Dint} (read_{\Omega V} DEV_TIMER 0 1) s_D); s_V{'}= handleTimer s_V (if old\_cup= Null then \bot else \lfloor \sigmapid old\_cup \rfloor) in weakAbs_{V+D} \tau old\_cup diff_{cp} (s_V{'}, s_D{'}) \land implInv \tau s_V{'}
```

The abstract device state  $s_D$ ' reflects the acknowledgement of the timer interrupt by reading one word from port 0 and function handleTimer computes the adjacent VAMOS state  $s_V$ '. Similar to handle\_timer, it gets the identifier of the current process at kernel entry. This identifier denotes  $\bot$ , if no current process was apparent at kernel entry, i. e.,  $old\_cup = Null$ . Otherwise, it delivers the corresponding abstract process number. Again, weakAbs $_{V+D}$  and implinv are preserved.

Note that the postcondition comprises also statements that some datastructures are not changed during execution. This information is rather technical and thus omitted in this presentation.

With the assumption that the CVM primitive cvm\_in\_word, the list library, and the functions check\_elapsed\_timeouts and search\_next\_process are implemented correctly, we finally can prove the correctness of the function handle\_timer:

Theorem 6.3.1 (Correctness of the Timer-Interrupt Handler) The semantic effect of the function handle\_timer can be described by handleTimer and the execution preserves the abstraction relation weakAbs<sub>V+D</sub> and the implementation invariant implinv.

```
 \forall \sigma \ \textit{diff} \ \ s_{V} \ s_{D}.   \Gamma \vdash_{\mathsf{t}} \ \{ \sigma. \ \mathsf{handleTimer}_{\mathsf{pre}} \ \sigma \ \sigma \mathsf{old\_cup} \ \textit{diff} \ \ s_{V} \ s_{D} \}   \text{'res\_int} :== \mathbf{PROC} \ \mathsf{handle\_timer}(\text{'old\_cup})   \{ \tau. \ \mathsf{handleTimer}_{\mathsf{post}} \ \tau \ \sigma \ \sigma \mathsf{old\_cup} \ \textit{diff} \ \ s_{V} \ s_{D} \}
```

Proof The proof of this function involves at the one hand, a case split over the three cases distinguished in the implementation. Hence, we show that the charging policy is correctly implemented with regard to the specification function charge. At the other hand, we have to establish the precondition for check\_elapsed\_timeouts. With this prerequisite in place, we use its specification checkTimeouts to establish the claim of our theorem. Additionally, the state invariant impllnv is again recovered. The Hoare triple of function handle\_timer and the functional correctness proof can be found in theory file vamosHandleTimer\_proof.thy. Almost 4900 proof steps are necessary to show the latter.  $\Box$ 

### 6.4 Correctness of the Trap Handler

The function dispatch\_kernel\_call represents the Vamos trap handler in the implementation. Whenever the current process has triggered a trap exception, it is called by the Vamos kernel and provided with the trap number trapnr as input. Based on this trap number, dispatch\_kernel\_call implements a case distinction, reads the arguments out of the registers of the current process and executes the desired kernel call. For example, the trap number 6 is associated with the Vamos call Set\_Privileges, which is realized by

the function set\_privileges. Except for the IPC calls, the dedicated functions return with a result value, which is written into the result register of the current process. The result delivery in case of an IPC call is more elaborate and accomplished within the according functions. Nevertheless, writing the result value completes the trap handling and dispatch\_kernel\_call returns to dispatcher\_kernel.

The implementation correctness of dispatch\_kernel\_call involves the implementation correctness of the particular VAMOS calls. Subsequently, we sketch the specifications and proofs of the already proven ones and combine them to the correctness statement of the VAMOS trap handler, later on.

### 6.4.1 Implementation Correctness of Function set\_privileges

The VAMOS trap handler calls function set\_privileges, if the trap number denotes 6. As input parameter, it provides a handle hn, which is taken out of the register 11 of the current process.

**Functionality.** In a first step, function set\_privileges resolves the handle hn by means of function resolve\_handle. If the return value pid denotes a process-identifier and the current process is privileged, it activates the privileged status of process pid. In addition, it signals the successful operation by setting the return value to 0. The return value is set to an error code, if either the current process is not privileged or pid does not denote a valid process identifier, i. e., hn is invalid.

**Precondition.** Predicate setPrivileges<sub>pre</sub> describes the precondition and must be discharged in the context of dispatcher\_kernel\_call, whenever it calls the function set\_privileges:

```
setPrivileges<sub>pre</sub> \sigma hn s_V s_D \equiv weakAbs<sub>V+D</sub> \sigma \sigmacurrent_process True (s_V, s_D) \wedge implInv \sigma s_V \wedge \sigmacurrent_process \neq Null \wedge 0 \leq hn < 2<sup>32</sup> \wedge (\exists hn. \ \omega_{proc} \ [s_V.procs \ [v\_cup \ s_V.schedds]] = SET\_PRIVILEGED \ hn)
```

The implementation state  $\sigma$  together with the abstract states  $s_V$  and  $s_D$  fulfill the abstraction relation weakAbs<sub>V+D</sub> and the state invariant impllnv. As a trap instruction was triggered, it is further assumed that the current process exists, i.e., current\_process  $\neq$  Null. This also involves that the flag diff in weakAbs<sub>V+D</sub> is set to True. In addition, hn denotes a 32-bit natural number and the process output of the current process denotes SET\_PRIVILEGED.

**Postcondition.** The predicate setPrivileges<sub>post</sub> encapsulates the postconditions of function set\_privileges:

```
setPrivileges<sub>post</sub> \tau \sigma res \ hn \ s_V \ s_D \Longrightarrow
let s_D' = s_D; s_V' = vamos\_set\_privileges\_inter \ s_V \ (to\_int32 \ hn)
```

```
in res = result_value_int (vamos_result_set_privileges s_V.rightsdb [v_cup s_V.schedds] (to_int32 hn)) \land weakAbs_{V+D} \tau \sigmacurrent_process True (s_V', s_D') \land implInv \tau s_V'
```

It denotes the implementation state after the execution with  $\tau$ , the result of set\_privileges with res and the handle to the process whose privileged status should be activated with hn. Furthermore,  $s_V$  and  $s_D$  represent the original abstract states.

While the devices remain unchanged, the new abstract VAMOS state  $s_V$ ' is determined by function vamos\_set\_privileges\_inter. This function is similar to the specification function vamos\_set\_privileges but does not yet specify the result delivery to the current process. The reason for this is, that not set\_privileges writes the result into the corresponding register of the current process but dispatch\_kernel\_call. Thus, set\_privileges is only concerned with setting the privileged status and with the computation of the result value. Hence, we define:

```
vamos_set_privileges_inter s_V hn \equiv
let p_{cp} = \lceil v\_{cup \ s_V.schedds} \rceil; p_{hn} = \lceil s_V.rightsdb \ p_{cp} \rceil.hdb hn;

res = vamos\_result\_set\_privileges \ s_V.rightsdb \ p_{cp} \ hn
in if is_error res then s_V
else s_V(\lceil rightsdb := s_V.rightsdb(\lceil p_{hn} \rceil \mapsto \lceil s_V.rightsdb \lceil p_{hn} \rceil \rceil) (priv := True)))
```

Apart from that, setPrivileges<sub>post</sub> claims that the result value res is equal to the one returned by vamos\_result\_set\_privileges. Finally, the abstraction relation and the state invariant are preserved.

Note that the trap handling is only completed with writing the result register of the current process. As this does not yet happen in set\_privileges, the virtual machines of the current process still differ after the execution. Thus, the flag diff in weakAbsv+D is still True.

**Correctness.** Based on the pre- and postconditions, we formulate the following correctness theorem.

Theorem 6.4.1 (Correctness of set\_privileges) The semantic effect of the function set\_privileges is described by vamos\_set\_privileges\_inter. Furthermore, the execution of the function set\_privileges preserves the abstraction relation weakAbsv+D and the implementation invariant implinv.

```
 \begin{array}{l} \forall \sigma \; s_{V} \; s_{D}. \\ \varGamma \vdash_{t} \; \big\{ \sigma. \; \text{setPrivileges}_{\mathsf{pre}} \; \sigma \; \text{'hn} \; s_{V} \; s_{D} \big\} \\ \text{'res\_int} \; :== \; \textbf{PROC} \; \text{process\_set\_privileges}(\text{'hn}) \\ \big\{ \tau. \; \text{setPrivileges}_{\mathsf{post}} \; \tau \; \sigma \; \text{'res\_int} \; {}^{\sigma} \text{hn} \; s_{V} \; s_{D} \big\} \end{array}
```

**Proof** The precondition for function resolve\_handle directly follows from the one of set\_privileges. With it, we get the relation between pid (the result from resolving the handle) and the abstract process number  $p_{hn}$  used in

<code>vamos\_set\_privileges\_inter</code>. Furthermore, we have to establish the relations between the errors in the implementation and their counterparts in the specification. Remember that the VAMOS call <code>SET\_PRIVILEGES</code> is reserved for privileged processes. Thus, we have to show, for instance, that <code>privileged sv.rightsdb [v\_cup sv.schedds]</code> only applies iff <code>privileged current\_process</code>.

Based on such relations, we can show that the result value res\_int corresponds with the value returned by vamos\_result\_set\_privileges. In case of success, the actual setting of the privileged status is straightforward.

The theory file  $vamosSetPrivileges\_proof.thy$  contains the corresponding Hoare triple and the functional proof which comprises 100 steps.  $\Box$ 

# 6.4.2 Implementation Correctness of Function process\_change\_scheduling\_param

Changing the scheduling parameters of a process is encapsulated in function process\_change\_scheduling\_param. It is called by the VAMOS trap handler, if the current process executed a TRAP instruction with trap number 4. As input parameters, it takes a handle hn, a timeslice tsl and a priority prio, which are taken out of the registers of the current process.

**Functionality.** In a first step, function process\_change\_scheduling\_param resolves the handle *hn* by means of function resolve\_handle. If the return value *pid* does not represent a process-identifier or one of the remaining arguments is invalid, it only sets the return value to the corresponding error code. Otherwise, function process\_change\_scheduling\_param performs the following tasks:

- If the priority of an ready process *pid* should be changed, the process is taken out of its former ready list and appended to the one of priority *prio*. In addition to that, its consumed time is reset to 0. Changing the priority might change the current maximum priority as well as the current process. The former is computed by compute\_max\_prio and function search\_next\_process is used to elect the process that runs next.
- Otherwise, only the values of the timeslice and the priority are updated to *tsl* and *prio*, respectively.

**Precondition.** The precondition chngSchedParams<sub>pre</sub> is similar to the one for set\_privileges and defined as follows:

```
chngSchedParams_{pre} \sigma hn tsl prio s_{V} s_{D} \equiv weakAbs_{V+D} \sigma ^{\sigma}current_{process} True (s_{V}, s_{D}) \wedge implInv \sigma s_{V} \wedge ^{\sigma}current_{process} \neq Null \wedge 0 \leq hn < 2<sup>32</sup> \wedge 0 \leq tsl < 2<sup>32</sup> \wedge 0 \leq prio < 2<sup>32</sup> \wedge
```

```
 (\exists \textit{hn tsl prio}. \\ \omega_{proc} \ [\textit{s_V.procs} \ [\textit{v\_cup s_V.schedds}]] = \mathtt{CHG\_SCHED\_PARAMS} \ \textit{hn tsl prio})
```

**Postcondition.** The postcondition chgSchedParams<sub>post</sub> is also similar to the one of set\_privileges. Again, a function vamos\_change\_sched\_param\_inter is defined which, except for the result delivery, corresponds with the specification function vamos\_change\_sched\_param:

```
\begin{split} \text{vamos\_change\_sched\_param\_inter } s_{\text{V}} \; hn_{\text{victim}} \; tsl_{\text{new}} \; prio_{\text{new}} \equiv \\ \text{let } p_{\text{cp}} = \lceil \text{v\_cup } s_{\text{V}}.\text{schedds} \rceil; \; p_{\text{victim}} = \lceil \lceil s_{\text{V}}.\text{rightsdb } p_{\text{cp}} \rceil.\text{hdb } hn_{\text{victim}} \rceil; \\ \textit{res} = \text{vamos\_result\_change\_sched\_param } s_{\text{V}}.\text{rightsdb } p_{\text{cp}} \; hn_{\text{victim}} \; prio_{\text{new}} \\ \text{in if is\_error } \textit{res then } s_{\text{V}} \\ \text{else } s_{\text{V}} ( \mid \text{schedds} := \text{v\_chng\_sched\_param\_updt\_schedds } s_{\text{V}}.\text{schedds } s_{\text{V}}.\text{priodb} \\ s_{\text{V}}.\text{rightsdb } p_{\text{cp}} \; hn_{\text{victim}} \; tsl_{\text{new}} \; \lceil prio_{\text{new}} \rceil, \\ \text{priodb} := s_{\text{V}}.\text{priodb} (p_{\text{victim}} := prio_{\text{new}}) ) \end{split}
```

Accordingly, the postcondition claims that the new VAMOS state  $s_V{}'$  is determined by function vamos\_change\_sched\_param\_inter. The result res has to correspond to the value returned by vamos\_result\_change\_sched\_param and the abstraction relation as well as the implementation invariant have to be preserved:

**Correctness.** Based on the assertions above, we formulate the following correctness theorem.

Theorem 6.4.2 (Correctness of process\_change\_scheduling\_param) The semantic effect of function process\_change\_scheduling\_param is described by the abstract function vamos\_change\_sched\_param\_inter. Furthermore, the execution of process\_change\_scheduling\_param preserves the abstraction relation weakAbsv+D and the implementation invariant implinv.

```
 \forall \sigma \; s_{V} \; s_{D}.   \varGamma \vdash_{t} \; \{ \sigma. \; \mathsf{chngSchedParams}_{\mathsf{pre}} \; \sigma \; \mathsf{'hn} \; \mathsf{'tsl} \; \mathsf{'prio} \; s_{V} \; s_{D} \}   \mathsf{'res\_int} :== \; \mathsf{PROC} \; \mathsf{process\_change\_scheduling\_param}(\mathsf{'hn}, \mathsf{'tsl}, \mathsf{'prio})   \{ \tau. \; \mathsf{chgSchedParams}_{\mathsf{post}} \; \tau \; \sigma \; \mathsf{'res\_int} \; {}^{\sigma}\mathsf{hn} \; {}^{\sigma}\mathsf{tsl} \; {}^{\sigma}\mathsf{prio} \; s_{V} \; s_{D} \}
```

**Proof** Similar as above, the precondition for function resolve\_handle directly follows from the one of process\_change\_scheduling\_param. With it, we

get the relation between pid (the result from resolving the handle) and the abstract process number  $p_{\text{victim}}$  used in vamos\_change\_sched\_param\_inter to determine the process whose scheduling parameters should be changed. We also establish the relations between the different error representations in the concrete and abstract levels. More effort is involved, if a rearrangement of the ready queues is necessary. In this case, we have to show that the semantic effect can be described by the function v\_chng\_sched\_param\_updt\_schedds and that the list properties, as required by implinv, are preserved. The latter is ensured by the application of the functions compute\_max\_prio and search\_next\_process. Showing the correspondance of the updates of the timeslice and the priority, in contrast, is straightforward.

The theory file vamosChngSchedParams\_proof.thy contains the corresponding Hoare triple together with the functional correctness proof comprising 1700 steps.  $\Box$ 

### 6.4.3 Implementation Correctness of IPC

As in the specification, the IPC implementation breaks up into several stages. The first-level functions are those directly called by function dispatch\_kernel\_call with corresponding arguments. Accordingly, the VAMOS call IPC\_SEND is realized by the function ipc\_send and IPC\_RECEIVE is associated with ipc\_receive. Function ipc\_send\_receive realizes the combined call IPC\_REQUEST. Within these functions, the implementation checks for invocation errors, stores the call arguments in the process information block of the calling process and, as shown in the call graph in Figure 6.1, invokes the second-level functions.

The linchpin of these second-level functions is <code>ipc\_communication</code> which implements the actual transmission. As the call graph depicts, it invokes various auxiliary functions. One of it is <code>ipc\_schedule\_receive</code> which is also used in the context of <code>ipc\_receive</code>. It is invoked by the latter, if neither a suitable sender exists nor the delivery of kernel notifications is possible. In this case, the receiver either gets an timeout error (if an immediate timeout was specified) or is prepared for waiting. Both actions are implemented by <code>ipc\_schedule\_receive</code>. In the context of <code>ipc\_communication</code>, only preparing a process for waiting is necessary. If the transmission was part of a combined send and receive operation, the sender is forced to wait.

Before the actual transmission, ipc\_send and ipc\_send\_receive first call function ipc\_initiate\_send. It tries to establish a rendez-vous situation with a receiver and, in case of success, calls ipc\_communication. Otherwise, it puts the sender to sleep or writes an timeout error into its result register and aborts the call, after a new current process was elected.

Subsequently, we briefly introduce the functionality and specification of function <code>ipc\_communication</code>. Later on, we use the specification and sketch the implementation correctness proofs of the particular IPC calls.

### Implementation Correctness of Function ipc\_communication

The call graph in Figure 6.1 illustrates that the implementation of the function ipc\_communication is far too complex for being presented, here. Thus, we confine ourselves to the intended functionality and relate the different parts to their rough abstract counterparts.

The function <code>ipc\_communication</code> realizes the communication between two processes, as seen from the receiver's point of view. For this reason, it is occupied with the process-identifier <code>rcv\_pid</code> of the receiving process as input. The corresponding pointer <code>receiver</code> can be obtained from the list of process pointers, i.e., <code>pib! rcv\_pid</code>. The execution of this function relies on the assumption, that the arguments are stored in the PIBs of the processes involved and that these arguments already passed through the initial checks, i.e., are valid.

**Determining the Sender.** In a first step, ipc\_communication determines the sender. The desired IPC partner of the receiver is stored in ipc\_pid receiver. If this entry delivers 0, the receiver performs an open-receive and the potential senders can be found in the send queue accessed by send\_queue receiver. Otherwise, the entry denotes the PID of the desired sender.

The implementation actually performs the same checks as in the specification. If the message length of a potential sender is too large, the corresponding process is provided with an error message and waken up. The awakening of a process is taken over by the function wake\_up. Setting the result register is done by means of the CVM primitive cvm\_set\_vm\_gpr.

The description of the semantic effect of the error message delivery is included in the specification function  $v\_ipc\_rcv\_updt\_procs$ . Waking up the processes is covered by function  $v\_ipc\_rcv\_updt\_schedds$ .

The theory file vamosIpcComm\_determineSender.thy contains the Hoare triple of the part which determines the sender and the functional correctness proof. Due to the various case distinctions, this proof is complex and requires around 4600 steps.

**Transmission.** If a suitable sender remains after the checks above, the actual transmission starts. Thus, the send message is copied into the virtual memory of the receiver and, according to the call arguments of the sender, the receiver's handle database is updated. The former is done by means of the CvM primitive cvm\_copy, whereas the update of an entry in the handle database is encapsulated into the auxiliary function update\_hdb. For details regarding the Hoare triple of update\_hdb and the corresponding proof of the implementation correctness (around 800 steps), see vamosUpdateHdb.thy.

Apart from the updates of the internal kernel datastructures, the sender as well as the receiver are informed about the successful operation. For this purpose, the kernel uses the CVM primitive cvm\_set\_vm\_gpr to write

the according result registers. In addition, the receiver is also provided with kernel notifications which are written into certain registers, as well. The semantic effect of the message copying and the result delivery is part of the specification function v\_ipc\_trans\_updt\_procs. Updating the handle database is covered by function v\_ipc\_trans\_updt\_rightsdb.

In the remaining steps, the kernel cleans up and sets the implementation into a consistent state again. Thus, as long as the sender is not allowed to perform multiple send operations to the receiver, the VAMOS kernel revokes all its rights to the receiver. The effect of this revoking describes the update of the sender's rights database in v\_ipc\_trans\_updt\_rightsdb.

A transmission also affects the process states. Thereby, the kernel distinguishes whether the receiver or the sender acted as current process. If the receiver represents the current process, it suffices to set its state to ready again. Otherwise, it has been waiting before and function wake\_up is applied in order to wake it up again. The effects of the latter operation describes v\_wkp\_updt\_schedds. Regarding the sender, the kernel distinguishes whether the transmission was part of an ordinary send or a combined send and receive operation. In the former case, the sender has to be waken up as long as it is not the current process. Otherwise, only its state is set to ready again. In the latter case, the sender is prepared for the succeeding receive phase. The auxiliary function ipc\_schedule\_receive encapsulates the required steps. In this situation, the specification function v\_ipc\_wait\_updt\_schedds describes its semantic effect. The theory file vamosIpcScheduleReceive.thy contains the Hoare triple of the function ipc\_schedule\_receive and the corresponding formal correctness proof comprising almost 400 steps.

No Transmission. In case that no suitable sender can be found, the VAMOS kernel examines the possibility of delivering kernel notifications. If possible, the auxiliary function deliver\_notifications writes the relevant information into dedicated registers of the receiver. Otherwise, the receiver either receives an error message due to a timeout error or is prepared for waiting. For this purpose, the kernel again uses function ipc\_schedule\_receive. The semantic effect is part of the specification functions v\_ipc\_rcv\_updt\_procs and v\_ipc\_rcv\_updt\_schedds, if no communication takes place.

Summary. Specifying and proving the implementation correctness of function ipc\_communication is pretty elaborate, because many invocation scenarios have to be taken into account. Although not explicitly specified in this way, in the overall context of an IPC operation, the semantic effect of ipc\_communication can be described, more or less accurately, by the dedicated update functions defined in the context of vamos\_ipc\_receive, like v\_ipc\_rcv\_updt\_procs for the virtual machine update. If ipc\_communication

is called in the context of an IPC send operation, these functions boil down to the transition functions, i.e., v\_ipc\_trans\_updt\_procs, etc.. The complete formal specification of the function ipc\_communication together with the associated implementation correctness proof can be found in the theory file vamosIpcCommunication.thy. The complexity of ipc\_communication is also reflected in the correctness proof which altogether comprises around 20.000 steps. Thereby, the parts which determine the sender (4600 steps), update the handle databases (1500 steps), and update the process states (1600 steps) are the most complex ones. Furthermore, the combination of all these particular parts entails a lot of effort.

### Implementation Correctness of Function ipc\_send

The IPC send operation is encapsulated in function ipc\_send. It is called by the VAMOS trap handler, if the current process executed a TRAP instruction with trap number 12. As input parameters, it takes the handle rcv\_handle to the desired receiver and the rights snd\_rights that should be granted, the handle add\_handle to the additional process together with the rights add\_rights, the start address snd\_msg\_ptr and the length snd\_msglen of the memory message, and the timeout snd\_timeout.

Functionality. By means of function resolve\_handles, function ipc\_send first resolves the given handles. If this results in invalid process-identifiers or if the other arguments are invalid, an error code is written into the result register of the current process and the call is aborted. Otherwise, the arguments are stored in the corresponding components of the PIB of the current process and function ipc\_initiate\_send is invoked. This function tries to establish a rendez-vous situation with a receiver and invokes ipc\_communication, in case of success. Otherwise, the sender either gets a timeout message or is scheduled for a later sending. The latter involves function put\_process\_to\_sleep in order to put the sender into the wait list. This, in turn, may change the current process and function search\_next\_process is invoked to elect the next one.

**Precondition.** The precondition ipcSend<sub>pre</sub> of function ipc\_send is defined as follows:

```
ipcSend_{pre} \sigma rcv_handle snd_rights add_handle add_rights snd_timeout snd_msg_ptr snd_msglen s_V s_D \equiv weakAbs_V+D \sigma ocurrent_process True (s_V, s_D) \wedge impllnv \sigma s_V \wedge ocurrent_process \neq Null \wedge (\exists hn_{rcv} rights_snd msg hn_{add} rights_add to_snd. \omega_{proc} [s_V.procs [v_cup s_V.schedds]] \equiv IPC_SEND hn_{rcv} rights_snd msg hn_{add} rights_add to_snd) \wedge to_nat32 ([s_V.procs (\sigmapid ocurrent_process)].gprs! 11) \equiv
```

```
 \begin{array}{l} rcv\_handle \; \land \\ to\_nat32 \; (\lceil s_V.procs \; (^\sigma pid \; ^\sigma current\_process) \rceil.gprs \; ! \; 12) = \\ snd\_rights \; \land \\ to\_nat32 \; (\lceil s_V.procs \; (^\sigma pid \; ^\sigma current\_process) \rceil.gprs \; ! \; 13) = \\ snd\_msg\_ptr \; \land \\ to\_nat32 \; (\lceil s_V.procs \; (^\sigma pid \; ^\sigma current\_process) \rceil.gprs \; ! \; 14) = \\ snd\_msglen \; \land \\ to\_nat32 \; (\lceil s_V.procs \; (^\sigma pid \; ^\sigma current\_process) \rceil.gprs \; ! \; 18) = \\ add\_rights \; \land \\ \lceil s_V.procs \; (^\sigma pid \; ^\sigma current\_process) \rceil.gprs \; ! \; 19 = \\ snd\_timeout \; \land \\ to\_nat32 \; (\lceil s_V.procs \; (^\sigma pid \; ^\sigma current\_process) \rceil.gprs \; ! \; 17) = \\ add\_handle \\ \end{array}
```

As usual, the precondition requires the abstraction relation and the implementation invariant. Furthermore, the current process (the sender) must exist, i.e., current\_process  $\neq$  Null. Apart from that, predicate ipcSend<sub>pre</sub> also fixes the sources registers of the arguments. This is necessary in order to preserve the properties of IPC operations as requested by ipcProps. For the same reason, it is also required that the process output of the current process denotes IPC\_SEND.

**Postcondition.** The predicate ipcSend<sub>post</sub> describes the postcondition of function ipc\_send:

```
ipcSend_post \tau \sigma rcv_handle rights add_handle add_rights snd_timeout snd_msg_ptr snd_msglen s_V s_D \Longrightarrow let s_{V}' = vamos_ipc_send s_V (to_int32 rcv_handle) (num2rights (to_int32 rights)) (build_memobj [s_V.procs [v_cup s_V.schedds]] snd_msg_ptr snd_msglen) (to_int32 add_handle) (num2rights (to_int32 add_rights)) (int2timeout snd_timeout); s_D' = s_D in weakAbs_V+D \tau \sigma current_process False (s_V', s_D') \wedge implInv \tau s_V'
```

The devices remain unchanged and the new VAMOS state  $s_V'$  is computed by the specification function vamos\_ipc\_send. Together with the new implementation state  $\tau$ , it fulfills the abstraction relation as well as the implementation invariant.

**Correctness.** The implementation correctness of ipc\_send is stated with the following theorem.

**Theorem 6.4.3 (Correctness of ipc\_send)** The semantic effect of function ipc\_send is described by the model function vamos\_ipc\_send. Furthermore, the execution of the function ipc\_send preserves the abstraction relation weakAbs $_{V+D}$  and the implementation invariant impline.

```
 \forall \sigma \text{ s}_{V} \text{ s}_{D}.   \Gamma \vdash_{\mathsf{t}} \{ \sigma. \text{ ipcSend}_{\mathsf{pre}} \text{ } \sigma \text{ } '\mathsf{rcv\_handle} \text{ } '\mathsf{rights} \text{ } '\mathsf{add\_handle} \text{ } '\mathsf{add\_rights} \text{ } '\mathsf{snd\_timeout} \text{ } '\mathsf{snd\_msg\_ptr} \text{ } '\mathsf{snd\_msglen} \text{ } \mathsf{s}_{V} \text{ } \mathsf{s}_{D} \}   '\mathsf{res\_int} :== \mathbf{PROC} \text{ ipc\_send}( '\mathsf{rcv\_handle}, '\mathsf{rights}, '\mathsf{snd\_msg\_ptr}, \text{ } '\mathsf{snd\_msglen}, '\mathsf{add\_handle}, '\mathsf{add\_rights}, '\mathsf{snd\_timeout})   \{ \tau. \text{ ipcSend}_{\mathsf{post}} \text{ } \tau \text{ } \sigma \text{ } \sigma \mathsf{rcv\_handle} \text{ } \sigma \mathsf{rights} \text{ } \sigma \mathsf{add\_handle} \text{ } \sigma \mathsf{add\_rights} \text{ } \sigma \mathsf{snd\_timeout} \text{ } \sigma \mathsf{snd\_msg\_ptr} \text{ } \sigma \mathsf{snd\_msglen} \text{ } \mathsf{s}_{V} \text{ } \mathsf{s}_{D} \}
```

Proof The initial checks regarding the validity of the call arguments basically realize the abstract function <code>ipc\_send\_invoc\_err</code>. Calling <code>initiate\_send</code> has the following impacts: If a transmission is possible, it calls the function <code>ipc\_communication</code>. Thus, we have to discharge the precondition of <code>ipc\_communication</code> and may then use its specification to establish the claim of the theorem. If no transmission is possible, <code>initiate\_send</code> either calls <code>put\_process\_to\_sleep</code> to prepare the sender for waiting or sends an error message due to a timeout error. Both actions can directly be related to the effects described in <code>vamos\_ipc\_send</code>.

The theory file vamosInitiateSend.thy contains the Hoare triple and the functional correctness proof (1300 steps) of function initiate\_send. Relying on this, vamosIpcSend\_proof.thy presents the same one for the function vamos\_ipc\_send. Showing the functional correctness of vamos\_ipc\_send requires approximately 2000 steps.

In a similar way, we can specify and show the implementation correctness of the function <code>ipc\_send\_receive</code>.

The theory file vamosIpcSendReceive\_proof.thy contains the corresponding Hoare triple and the functional correctness proof. The latter comprises 2100 steps.

#### Implementation Correctness of Function ipc\_receive

Function ipc\_receive implements the IPC receive operation. It is called by the Vamos trap handler, if the current process executed a TRAP instruction with trap number 11. As input parameters, it takes the handle snd\_handle to the desired sender, the start address rcv\_msg\_ptr and the length rcv\_msglen of the buffer, and the timeout rcv\_timeout.

Functionality. By means of function resolve\_handles, ipc\_receive first resolves the handle to the sender. If this results in an invalid process-identifier and neither an open-receive nor a closed-receive from the kernel is desired, the according error code is written into the result register and the call is aborted. The same happens, if the remaining arguments are invalid. Otherwise, the arguments are stored in the corresponding components of the PIB of the current process.

If a rendez-vous situation can be established, ipc\_receive initiates the transmission by calling function ipc\_communication. If no rendez-vous situation can be established and the receiver is ready to receive kernel notifications, function deliver\_notifications is called. Otherwise, the receiver either gets an error message due a timeout or is prepared for waiting. For both actions function ipc\_schedule\_receive is used. In addition, function search\_next\_process elects the next current process.

**Precondition.** The precondition ipcReceive<sub>pre</sub> of function ipc\_receive is similar to the one of ipc\_send. Only the source registers and the process output are adjusted:

```
ipcReceive_{pre} \sigma snd\_handle rcv\_msg\_ptr rcv\_msglen rcv\_timeout s_V s_D \equiv weakAbs_{V+D} \sigma \sigma current\_process True (s_V, s_D) \wedge impllnv \sigma s_V \wedge \sigma current\_process \neq Null \wedge (\exists hn_{snd} buffer to_{rcv}.

\omega_{proc} [s_V.procs [v\_cup s_V.schedds]] = IPC\_RECEIVE hn_{snd} buffer to_{rcv} \wedge to_nat32 ([s_V.procs (\sigma_{pid} \sigma_{current\_process})].gprs ! 11) = snd\_handle \wedge to_nat32 ([s_V.procs (\sigma_{pid} \sigma_{current\_process})].gprs ! 15) = rcv\_msg\_ptr \wedge to_nat32 ([s_V.procs (\sigma_{pid} \sigma_{current\_process})].gprs ! 16) = rcv\_msglen \wedge [s_V.procs (\sigma_{pid} \sigma_{current\_process})].gprs ! 20 = rcv\_timeout
```

**Postcondition.** The predicate ipcReceive<sub>post</sub> describes the postcondition of ipc\_receive:

```
\begin{array}{l} \mathsf{ipcReceive}_{\mathsf{post}} \ \tau \ \sigma \ snd\_handle \ rcv\_msg\_ptr \ rcv\_msglen \ rcv\_timeout \ s_{\mathsf{V}} \\ s_{\mathsf{D}} \Longrightarrow \\ \mathsf{let} \ \mathsf{s}_{\mathsf{V}}' = \\ \quad \mathsf{vamos\_ipc\_receive} \ s_{\mathsf{V}} \ (\mathsf{to\_int32} \ snd\_handle) \\ \quad (\mathsf{build\_buffer} \ \lceil \mathsf{s}_{\mathsf{V}}.\mathsf{procs} \ \lceil \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \rceil \rceil \ rcv\_msg\_ptr \\ \quad rcv\_msglen) \\ \quad (\mathsf{int2timeout} \ rcv\_timeout); \\ \quad \mathsf{s}_{\mathsf{D}}' = s_{\mathsf{D}} \\ \mathsf{in} \ \mathsf{weakAbs}_{\mathsf{V}+\mathsf{D}} \ \tau \ {}^{\sigma}\mathsf{current\_process} \ \mathsf{False} \ (\mathsf{s}_{\mathsf{V}}', \ \mathsf{s}_{\mathsf{D}}') \ \land \ \mathsf{implInv} \ \tau \ \mathsf{s}_{\mathsf{V}}' \end{array}
```

The devices remain unchanged and the new VAMOS state  $s_V'$  is computed by the specification function vamos\_ipc\_receive. Together with the new implementation state  $\tau$ , it fulfills the abstraction relation as well as the implementation invariant.

**Correctness.** The implementation correctness of ipc\_receive is stated with the following theorem.

Theorem 6.4.4 (Correctness of ipc\_receive) The semantic effect of function ipc\_receive is described by the model function vamos\_ipc\_receive. Furthermore, the execution of ipc\_receive preserves the abstraction relation weakAbs\_V+D and the implementation invariant impliny.

**Proof** The initial checks can basically be described by the abstract function ipc\_rcv\_invoc\_err. We have to discharge the precondition of the function ipc\_communication, if a transmission is possible. With its specification, we are able to establish the claim of the theorem. If no transmission is possible but the delivery of kernel notifications, we have to discharge the precondition of deliver\_notifications. In this case, the abstract function v\_ipc\_rcv\_updt\_procs describes the updates of the virtual machines. The remaining datastructures remain untouched and we can establish the claim of the theorem. Otherwise, we have to discharge the preconditions of the functions ipc\_schedule\_receive and search\_next\_process and use their post-conditions to proof the theorem.

The theory file vamosIpcReceive\_proof.thy contains the Hoare triple and the functional correctness proof with almost 2900 steps.

# 6.4.4 Implementation Correctness of Function dispatcher\_kernel\_call

The previous sections introduced the correctness statements and proofs of the IPC functions, process\_change\_sched\_param and set\_privileges. In a similar way, we can formulate such statements for the remaining VAMOS calls. Even if not proven, the particular specifications can be used for the correctness proof of the VAMOS trap handler implemented in function dispatcher\_kernel\_call.

As usual, the correctness statement relies on a pre- and postcondition.

**Precondition.** The predicate handleTrap<sub>pre</sub> encapsulates the precondition:

```
handleTrap<sub>pre</sub> \sigma trapnr s_V s_D \equiv weakAbs<sub>V+D</sub> \sigma \sigmacurrent_process True (s_V, s_D) \land implInv \sigma s_V \land \sigmacurrent_process \neq Null \land (mca_nat (s_V.procs (\sigma pid \sigma current_process)) <math>s_D (cvm_ups \sigmacvmX).statusreg \land_u
```

```
UEXCEPT_MASK) = 0 \land (mca_nat (s_V.procs ({}^{\sigma}pid {}^{\sigma}current_process)) s_D (cvm_ups {}^{\sigma}cvmX).statusreg \land_u EXCEPT_TRAP) \neq 0 \land edata_nat [s_V.procs ({}^{\sigma}pid {}^{\sigma}current_process)] = trapnr
```

Apart from claiming the abstraction relation, the implementation invariant and an existing current process, handleTrappre also makes some demands on the invocation context of dispatch\_kernel\_call. In function system\_step, we have already seen, that the exception cause and data are computed by means of the functions mca\_nat and edata\_nat. The precondition reproduces this computations and thus establishes a relation to the invocation context. In particular, it demands that the exception cause signals a trap instruction without runtime errors. The former corresponds to an active bit EXCEPT\_TRAP, the latter is ensured by excluding any active bits in the mask UEXCEPT\_MASK. In addition, the trap number trapnr provided as input has to correspond to the value returned from edata\_nat.

**Postcondition.** The effects of the trap handling are described by the postcondition handleTrap<sub>post</sub>:

```
handleTrap<sub>post</sub> \tau \sigma s_V s_D \Longrightarrow

let data_{\text{dev}} = \mathbf{if} \ \omega_V \ s_V = \mathrm{idle}_{\Omega V} \ \mathbf{then} \ \mathrm{idle}_{\Sigma V} \ \mathbf{else} \ \mathsf{fst} \ (\mathsf{snd} \ (\delta_{\mathsf{Dint}} \ (\omega_V \ s_V) \ s_D));

s_D' = \mathbf{if} \ \omega_V \ s_V = \mathrm{idle}_{\Omega V} \ \mathbf{then} \ s_D \ \mathbf{else} \ \mathsf{fst} \ (\delta_{\mathsf{Dint}} \ (\omega_V \ s_V) \ s_D);

s_V' = \mathsf{vamosDispatcher} \ s_V \ data_{\mathsf{dev}}

in weakAbs<sub>V+D</sub> \tau \ \sigma_{\mathsf{current\_process}} \ \mathsf{False} \ (s_V', s_D') \ \land \ \mathsf{implInv} \ \tau \ s_V'
```

We distinguish two kinds of traps resp. Vamos calls: those with and those without device interaction. In the latter case, the Vamos output  $\omega_V$  to the device subsystem is  $\mathsf{idle}_{\Omega V}$ . Accordingly, the devices remain untouched and no device data is provided as input to  $\mathsf{vamosDispatcher}$  which computes the new abstract Vamos state  $\mathsf{s}_V$ . If device interaction is involved, we first perform the request to the device system. This is done by applying  $\delta_{\mathsf{Dint}}$  with the according Vamos output as input. As result, we get the new state  $\mathsf{s}_D$  of the device system, on the one hand, and the response in form of device data  $\mathsf{data}_{\mathsf{dev}}$ , on the other one. The latter is provided as input to  $\mathsf{vamosDispatcher}$ . Finally, the concrete as well as the abstract states are related via  $\mathsf{weakAbs}_{V+D}$  and  $\mathsf{implInv}$  is preserved.

Note that the virtual machines of the current process do no longer need a separate handling. The trap is either completely handled and the machines are in-sync again or the process is waiting in a pending IPC operation.

**Correctness.** The implementation correctness of dispatch\_kernel\_call is stated with the following theorem.

Theorem 6.4.5 (Correctness of the Trap Handler) The semantic effect of function dispatch\_kernel\_call is described by the model function vamosDispatcher. Furthermore, the execution of dispatch\_kernel\_call preserves the abstraction relation weakAbs\_V+D and the implementation invariant impllnv.

```
\forall \sigma \ s_{V} \ s_{D}.

\Gamma \vdash_{t} \{ \sigma. \ \text{handleTrap}_{\mathsf{pre}} \ \sigma \ \sigma \ i \ s_{V} \ s_{D} \} \ '\text{res\_int} :== \mathbf{PROC} \ \text{dispatch\_kernel\_call}('i) \}
\{ \tau. \ \text{handleTrap}_{\mathsf{post}} \ \tau \ \sigma \ s_{V} \ s_{D} \}
```

**Proof** The proof of this function mainly involves a distinction over the various possible trap numbers. Establishing the preconditions of the particular functions is the main effort. With these prerequisites in place, we use the specifications to establish the claim of our theorem.

As an example, we consider the case that the trap number equals 6, i.e., the current process triggered the VAMOS call SET\_PRIVILEGES.

The precondition  $setPrivileges_{pre}$  claims the abstraction relation and the implementation invariant as well as the existence of the current process. All of these properties can directly be derived from the precondition of the function  $dispatch\_kernel\_call$ . Furthermore, it claims that the handle hn to the process (whose privileges should be activated) represents a 32-bit natural number. As the handle hn is taken out of a virtual machine register of the current process, this property directly follows from the requirements for the virtual machines which are part of the implementation invariant and encapsulated in predicate  $validVMs_v$ . Finally, we have to show that the invocation context causes the process output SET\_PRIVILEGED on the abstract level. This property states the following lemma:

With discharging the precondition setPrivileges<sub>pre</sub>, we can use the post-condition setPrivileges<sub>post</sub> to establish the claim of the theorem above. The remaining steps are straightforward and concern the result delivery to the virtual machine of the current process. Finally, the virtual machines of the current process are in-sync, again.

In a similar way, we proceed with the remaining VAMOS calls. The theory file vamosDispatchKernelCall\_proof.thy contains the Hoare triple

of dispatch\_kernel\_call and the functional correctness proof with 2000 steps.  $\Box$ 

#### 6.5 Correctness of the Vamos Top-level Function

Function dispatcher\_kernel describes the top-level function of the VAMOS kernel and is invoked by the CVM framework. This framework also computes the two input parameters of dispatcher\_kernel: the exception cause eca and the corresponding data edata. As the call graph suggests, the VAMOS kernel combines the function representing the initialization, the handling of usergenerated exceptions, the scheduler, and the interrupt delivery. The previous sections introduced the functions regarding the trap handling and the VAMOS scheduler and their specifications. In a similar way, we can specify the remaining functions and use them in the context of the implementation correctness proof of function dispatcher\_kernel.

Subsequently, we first define the pre- and postcondition of the VAMOS kernel and state the correctness statement, afterwards.

**Precondition.** The precondition kdispatch<sub>pre</sub> encapsulates the requirements for the invocation context:

```
 \begin{array}{l} \mathsf{kdispatch}_{\mathsf{pre}} \ \sigma \ eca \ edata \ s_{\mathsf{V}} \ s_{\mathsf{D}} \equiv \\ & ((eca \ \land_{\mathsf{u}} \ 1) \neq 0 \longrightarrow {}^{\sigma} \mathsf{cvmX} = (\mathsf{init\_cvmup}, \ s_{\mathsf{D}})) \ \land \\ & ((eca \ \land_{\mathsf{u}} \ 1) = 0 \longrightarrow \\ & \mathsf{weakAbs}_{\mathsf{V}+\mathsf{D}} \ \sigma \ {}^{\sigma} \mathsf{current\_process} \ (\mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \neq \bot) \ (s_{\mathsf{V}}, \ s_{\mathsf{D}}) \ \land \\ & \mathsf{implInv} \ \sigma \ s_{\mathsf{V}} \ \land \\ & eca = \\ & \mathsf{mca\_nat} \\ & (\mathsf{if} \ \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \neq \bot \ \mathsf{then} \ s_{\mathsf{V}}.\mathsf{procs} \ \lceil \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \rceil \ \mathsf{else} \ \bot) \ s_{\mathsf{D}} \\ & (\mathsf{cvm\_ups} \ {}^{\sigma} \mathsf{cvmX}).\mathsf{statusreg} \ \land \\ & edata = \\ & (\mathsf{if} \ \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \neq \bot \ \mathsf{then} \ \mathsf{edata\_nat} \ \lceil s_{\mathsf{V}}.\mathsf{procs} \ \lceil \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \rceil \rceil \\ & \mathsf{else} \ 0)) \end{array}
```

Based on eca, it distinguishes two cases. The first case consists of a reset which is denoted by  $(eca \wedge_u 1) \neq 0$ . In this situation, the precondition solely claims that the external state component cvmX is initialized as described in system\_step.

Apart from the reset case, the precondition requires the abstraction relation  $\mathsf{weakAbs}_{\mathsf{V}+\mathsf{D}}$  followed by the implementation invariant  $\mathsf{implInv}$ . The former has to cope with differing virtual machines, if a current process exists, i.e.,  $\mathsf{v\_cup}\ s_\mathsf{V}.\mathsf{schedds} \neq \bot$ . In addition, the input arguments eca and edata have to fulfill certain requirements which reflect the computations in the CVM framework. The exception cause has to correspond to the value returned by function  $\mathsf{mca\_nat}$  whereas data is either 0 (if no process is running) or the return value of  $\mathsf{edata\_nat}$ .

**Postcondition.** As the precondition, the postcondition kdispatch<sub>post</sub> also distinguishes two cases:

```
 \begin{array}{l} \mathsf{kdispatch_{post}} \ \tau \ \sigma \ res \ eca \ edata \ s_V \ s_D \Longrightarrow \\ \mathbf{let} \ (s_V', s_D') = \\ \qquad \qquad \mathbf{if} \ (eca \land_u \ 1) \neq 0 \ \mathbf{then} \ (\mathsf{initialConf} \ (\mathsf{getOSimg} \ s_D) \ \mathsf{OS\_PAGES}, \ s_D) \\ \qquad \qquad \mathbf{else} \ \mathsf{fst} \ (\delta_{V+D} \perp (s_V, s_D)) \\ \mathbf{in} \ \mathsf{weakAbs}_{V+D} \ \tau^\tau \mathsf{current\_process} \ \mathsf{False} \ (s_V', s_D') \land \\ \qquad \mathsf{implInv} \ \tau \ s_V' \land \\ \mathsf{v\_cup} \ s_V'. \mathsf{schedds} = (\mathbf{if} \ 1 \leq \mathit{res} < \mathsf{PID\_MAX} \ \mathbf{then} \ |\mathit{res}| \ \mathbf{else} \ \bot) \\ \end{array}
```

The semantic effect of the initialization is described by the abstract state  $s_V$ , which is obtained by function initialConf. Function getOSimage delivers the operating system image by reading it from the harddisk. Parameter OS\_PAGES determines the number of memory pages reserved for the OS.

For all other cases, we use function  $\delta_{V+D}$  to specify the resulting abstract states. The abstract state together with the concrete one satisfy weakAbs<sub>V+D</sub> as well as impllnv. Finally, kdispatch<sub>post</sub> establishes a connection between the result value res and the current process of  $s_V$ . Later on, this statement helps to reproduce the correspondence between the current process in the CVM framework and the VAMOS model.

Recall that the transition function  $\delta_{V+D}$  uses its input parameter to determine whether the kernel or solely the device subsystem (e.g., by receiving a network package) advance during a transition of the overall system. If this input is not  $\bot$ , the kernel remains constant. Knowing that the abstraction relation of the kernel data structures and the one of the device subsystem are independent, we may consequently disregard changes that are limited to the device subsystem in the consideration of the kernel refinement. While we are interested in the kernel-device interaction, we disregard any external device input from the environment and the according output to it. As a consequence, this input is fixed at  $\bot$  in the theorem above. Furthermore, the transition function  $\delta_{V+D}$  returns a pair of the updated state and the external output. We are, however, only interested in the updated state and thus take the first component of this pair, i. e.,  $(s_V', s_D') = \text{fst } (\delta_{V+D} \bot (s_V, s_D))$ .

**Correctness.** The implementation correctness of dispatcher\_kernel is stated with the following theorem.

Theorem 6.5.1 (Correctness of the Vamos Top-level Function) The semantic effect of the function dispatcher\_kernel is described by the transition function  $\delta_{V+D}$  of the VAMOS model. Furthermore, the execution of dispatcher\_kernel preservers the abstraction relation weakAbs<sub>V+D</sub> and the implementation invariant impline.

```
orall \sigma \; s_{V} \; s_{D}.
\Gamma \vdash_{t} \; \{ \sigma. \; \text{kdispatch}_{\text{pre}} \; \sigma \; ^{\sigma} \text{eca} \; ^{\sigma} \text{edata} \; s_{V} \; s_{D} \} 
' \text{res\_nat} :== \mathbf{PROC} \; \text{dispatcher\_kernel}('\text{eca},'\text{edata}) 
\{ \tau. \; \text{kdispatch}_{\text{post}} \; \tau \; \sigma \; '\text{res\_nat} \; ^{\sigma} \text{eca} \; ^{\sigma} \text{edata} \; s_{V} \; s_{D} \}
```

**Proof** As illustrated in the sections Section 6.3 and Section 6.4, we use the abstract model functions to describe the semantic effect of the particular parts of the VAMOS kernel.

Aim of this proof is the combination of these single parts to the overall transition function  $\delta_{V+D}$ . In doing this, the crux of the matter is to follow the different case distinctions of the implementation in the model. For this reason, we have to establish a series of relations. The abstract states are given, as usual, by  $s_V$  and  $s_D$ . Furthermore, we use the following abbreviations:  $vm_{cp}$  denotes the virtual machine of the current process and stat the value of the status register, such that  $eca = mca_nat \ vm_{cp} \ s_D \ stat$  denotes the exception cause. Subsequently, we only give the claims of the lemmata. The complete proofs can be found in mcalemmata.thy.

1. The implementation uses the bits of mask UEXCEPT\_MASK in the status register to determine runtime errors. In the model, the process output RUNTIME\_ERROR denotes runtime errors. Thus, if the implementation recognizes runtime errors, the model as well has to recognize them:

```
(eca \land_u \mathsf{UEXCEPT\_MASK}) \neq 0 \Longrightarrow \omega_{\mathsf{asm}} \lceil \mathit{vm}_{\mathsf{cp}} \rceil = \mathtt{RUNTIME\_ERROR}
```

2. An active bit EXCEPT\_TRAP in eca signals a trap exception and causes the invocation of dispatch\_kernel\_call. The model, in turn, handles traps with function vamosDispatcher which is called as long as a current process exists:

```
(eca \land_{\mathsf{u}} \mathsf{EXCEPT\_TRAP}) \neq 0 \Longrightarrow \mathsf{v\_cup} \ s_{\mathsf{V}}.\mathsf{schedds} \neq \bot
```

3. Timer interrupts are identified by an active bit DEVICE\_TIMER\_BIT in eca. In contrast, the model utilizes predicate isTimer for this purpose. The following statement establishes a relation between both:

```
((eca \land_{\mathsf{u}} \mathsf{DEVICE\_TIMER\_BIT}) \neq 0) = \mathsf{isTimer} \{x. \mathsf{is\_int\_devs\_single} (s_\mathsf{D} x)\}
```

4. The implementation uses the bitmask UEXT\_INT\_MASK to identify external device interrupts. The model subsumes the external interrupts in the set  $\{x. is\_int\_devs\_single s_D\} \cap v\_mask (v\_devds s_V) - \{DEV\_TIMER\}$ . The relation is given by:

```
\begin{array}{l} ((eca \land_u \mathsf{UEXT\_INT\_MASK}) = 0) = \\ (\{x.\ \mathsf{is\_int\_devs\_single}\ (s_D\ x)\} \cap s_V.\mathsf{devds.enabled} - \{\mathsf{DEV\_TIMER}\} = \{\}) \end{array}
```

In order to ensure that the implementation and the model serve the same interrupts, the following relation is established:

```
\lceil mca2ints \ eca \rceil = \{x. \ is_int_devs_single \ (s_D \ x)\} \cap s_V.devds.enabled - \{DEV_TIMER\}
```

These relations enable the model to reproduce the function calls in the implementation. Combining the particular parts is tedious due to the various case distinctions but straightforward in the end.

The remaining steps in dispatcher\_kernel apply to the return value of the VAMOS invocation. It contains the process identifier of the process to be scheduled next, if any such process exists. Otherwise, the VAMOS kernel returns 0. Establishing the connection between this return value and the current process identifier v\_cup in the model, as required in the postcondition, is straightforward Later on, this connection is used to establish the equivalence between currentp in CVM and v\_cup in the VAMOS model.

The theory file  $vamosDispatcherKernel\_proof.thy$  contains the Hoare triple of  $dispatcher\_kernel$  and the functional correctness proof with around 1300 steps.  $\Box$ 

#### 6.6 Correctness of a System Step

Theorem 5.3.1 already introduced the overall correctness statement of a system step.

**Proof** The proof of the theorem mainly depends on the correctness statement for the VAMOS kernel in Theorem 6.5.1. Comparing pre- and post-conditions of the functions system\_step and dispatcher\_kernel reveals great analogies. Differences are the abstraction relations and the representation of the reset case.

As shown in the definition,  $Abs_{V+D}$  requires, compared to  $weakAbs_{V+D}$ , the equivalence of the current processes in CVM and VAMOS. This relation is not needed in the context of the VAMOS kernel and simply ignored in its precondition  $kdispatch_{pre}$ . Thus, we just have to deal with the different representations of the reset case, i. e., on the one hand, the external signal reset and, on the other hand, the first bit of the exception cause eca.

Looking into the implementation of system\_step displays that an active reset entails the setting of values eca to 1 and edata to 0. Thus, on the level of dispatcher\_kernel, an active reset is equivalent to (eca  $\wedge_u$  1)  $\neq$  0. With the external component cvmX initialized as requested, the precondition kdispatch<sub>pre</sub> follows immediately.

Without an active reset signal, the functions mca\_nat and edata\_nat determine the values of eca and edata. Additionally, the running process (if it exists) is advanced through user<sub>step</sub> before the VAMOS kernel comes into

play. Again, deriving the precondition of dispatcher\_kernel from this context is rather straightforward. Instead of currentp, the precondition  $kdispatch_{pre}$  determines the current process by means of  $v_cup$ . The equivalence of both is given by  $Abs_{V+D}$ . Furthermore, the values for eca and edata rely on the concrete virtual machine of the current process, whereas  $kdispatch_{pre}$  uses the abstract one to recompute the values. Both computations, however, are consistent because both machines are in-sync before the application of  $user_{step}$ .

With discharging the precondition of the Vamos kernel, its postcondition kdispatch<sub>post</sub> becomes available. With it, the remaining proof steps apply to the re-establishing of the equivalence of currentp and v\_cup. Postcondition kdispatch<sub>post</sub> does not preserve this equivalence but lays the foundation by relating the current process identifier v\_cup of the Vamos model with the result value of function dispatcher\_kernel. Setting the current process currentp of Cvm in accordance to this result value establishes the relation between currentp and v\_cup as required by Absv+D.

The theory file kernelStep.thy contains the Hoare triple of system\_step and the functional correctness proof with around 300 steps. □

## Chapter 7

## Conclusion

This work deals with the VAMOS kernel as part of Verisoft's Academic System. Both the kernel implementation as well as the abstract model are fully embedded into the complete system. The VAMOS kernel runs on the verified VAMP processor and provides enough functionality to serve as basis for a simple operating system [15] which, in turn, enables applications for exchanging and managing signed and encrypted e-mails.

On the abstract level, the Vamos model is also completely integrated in the model stack. It is directly based on the underlying layers, like CVM, and uses definitions from there literally. In a similar way, subsequent models, such as Coup [25] or Sos [15], literally rely on definitions of Vamos. However, the seamless integration of both, the implementation and the abstract model of the Vamos kernel, is not the only achievement. In addition, the Vamos model is used to show the functional correctness of the Vamos implementation.

It can therefore be stated that the VAMOS model represents a general-purpose kernel model that is not tailor-made for one specific purpose. This fact contributes significantly to the relevance of the VAMOS model and constitutes the fundamental difference between our *pervasive* approach compared to *isolated* approaches that only focus on a single layer. In the latter approaches, the models are usually adapted to the actual verification goal. If it is the only goal to show that the formal specification precisely describes the implementation, the specification tends to move closely towards the implementation. If a model is used as fundament of an underlying component without a proof, there is a likelihood that the model over-abstracts the actual implementation. Furthermore, regarding one single layer at a time necessarily leads to self-contained, independent models. When combining those different layers later on, there is a tremendous proof effort necessary to establish simulation theorems between the adjacent layers. Our approach prevents this effort by the specification design.

Establishing a simulation proof between the abstract Vamos model and

7. Conclusion

the concrete, fairly realistic implementation of the VAMOS kernel is a further achievement and ensures that the model can safely be used in the upper layers, as it happened with the operating system model of Bogan [15] and Daum's proof of the VAMOS scheduler fairness [25].

To our knowledge, such a proof based on a model stack of this concrete level of detail and with such a clean, seamless logical foundation has been undertaken for the first time.

We believe that our work represents a significant step towards the grand challenge of "real code verification", although we compromised in a number of ways in order to achieve our goal:

- the VAMP is not a "real", i.e., industrial-strength processor,
- C0 is a typed, simplified fragment of C; this forces to shift more lowlevel computations into assembly programs as necessary in a more powerful C execution model, and
- the VAMOS code has been written by the verification engineers themselves, and often with an eye on the tool-chain and the verification task.

Despite these simplifications, which were partly applied for project-pragmatic reasons, we maintain that our models are still not too far away from industrial-strength processors, C code and microkernel implementations such as the PikeOS kernel. Whether it is ever possible to verify system-level programming code of a substantial size written without any regard to verification is a fully open question at present.

We would like to argue that the possibility of adapting specifications, code, and tool-chain to each other simplified the task of achieving our goal. Besides the obvious foresight that all code was written in C0 and had to live with the restrictions imposed by our tool-chain, we see the following (incomplete) list of mutual influences:

- The abstract model uses infinite datatypes to model key entities like time, processes, etc., while the concrete implementation of these entities is bound to bit-vector representations of numbers. We ensured the abstraction relation by using a solely relative notion of time within the kernel. Furthermore, a capability-like management of process identifiers allows for a conceptually infinite name space of identifiers.
- The fairly simple abstraction scheme between system\_step and  $\delta_{V+D}$  required a lot of experimenting within the definition of the abstraction relation, which has to cope with the fact that parts of the concrete computations "overtake" their abstract counterparts and vice versa.
- The precise form of the contracts and the invariants in the implementation certainly needed the consideration on what was actually required in the proofs at higher levels.

It turned out that an obstacle to our work was the lack of early, systematic validation of the specification; at the end, we found substantially more errors there than in the (fairly well-tested) implementation, although some intricate bugs could only be revealed by the verification. One of the bugs revealed during the verification was a race condition involving the coincidence of four special cases at the same time: If (a) a process issued an IPC call, (b) the IPC partner was not yet waiting, and in the same processor cycle, (c) the timer interrupt was raised, and (d) the timeslice of the process was used up, then, the process was erroneously re-added to the ready queue.

That bugs are not necessarily revealed during the verification of a single layer examplifies the following: An earlier version of function <code>system\_step</code> did not assure that at least one assembly step of the current process is executed. That was not a problem regarding the code correctness proof but breaks the fairness theorem of the VAMOS scheduler.

Thus, in conclusion, we point out that there is a fundamental difference between our pervasive approach and the idea of an isolated verification focusing at one layer at a time.

Furthermore, we experienced that pervasiveness entails more than just cumulative verification efforts on several (isolated) layers. In fact, it was a challenging task to integrate models and proofs into a uniform, coherent theory.

Establishing the abstract VAMOS model took nearly two person years and comprises about 2.000 lines of code in Isabelle/HOL.

Our kernel implementation (without CVM) consists of roughly three thousand lines of C0 code. The functional correctness proof covers around two thirds of the VAMOS implementation and comprises approximately 60.000 proof steps. With about 30.000 proof steps, a large portion of these steps applies to the IPC-relevant parts. Showing the functional correctness of the VAMOS scheduler involves roughly 9.000 proof steps. The remaining steps were mainly deployed to combine the particular parts of the VAMOS kernel and thus to show Theorem 5.3.1. The total effort regarding the code correctness proofs was around two person years.

Note that the specifications of the not yet proven parts of the VAMOS kernel are completely integrated in our framework and used to show the overall kernel correctness. The remaining proofs would be time-consuming (approximately 12 to 15 person months) but clearly follow the same scheme as the ones that have already been accomplished.

Due to the usage of while-loops in the initialization, we expect some effort in order to find the corresponding loop-invariants. Once found, however, the proof will probably be straightforward. Proving the correctness of the functions process\_kill und change\_rights might also be a bit expensive as they affect pending IPC operations. Nevertheless, we do not see any serious difficulties because the influences are similar to those, the timer-interrupt handler has on IPC operations. The main effort regarding the remaining

192 7. Conclusion

functions is to show that the error cases in the implementation correspond to those in the model. Here again, we see no difficulties.

The formal verification work of this thesis is complete with the exception of the contracts for the CVM operations, which have been shown by Tsyban et al. [40, 73, 75] but on a lower abstraction level than the form used in the thesis. The missing link is a transfer lemma similar to the one shown by Alkassar et al. [6].

#### 7.1 Future Work

Additional microkernel features could certainly extend our work. As an example, we could introduce multi-threading generalizing the multi-processing of Vamos. This feature amounts to sharable address spaces (possibly including user-level paging) and is primarily an extension of the CVM framework.

A similar extension is the mapping of device addresses directly into user memory. This change would abandon the kernel calls DEV\_READ and DEV\_WRITE for device communication, and thus substantially improve the system performance by reducing both, the size of the kernel and the frequency of kernel calls. Despite these benefits, we complicate the abstract kernel model with respect to device communication because we need a more sophisticated detection of device accesses. For that reason, we did not implement this optimization right from the beginning. From our experience today, however, we do not foresee substantial obstacles in this change.

Following the last two arguments, we could even strive for the direct memory access (DMA) by devices. Admittedly, this feature requires a more elaborate reorganization of the abstract kernel models and prevents the clean isolation of processor and devices.

Another direction of further research is a port of the CVM framework to a mass-market processor such as an embedded PowerPC core or to an optimizing compiler supporting a larger subset of C. In contrast to additional microkernel features, this change would not necessarily require changes to the implementation of Vamos (apart from CVM). Provided that the ported hardware maintains the same CVM specification, we could hence draw on the current proofs of the code correctness.

## Chapter 8

# **Appendix**

# 8.1 Formal Specification of the Vamos Trap Dispatcher

As soon as the current instruction of the current process denotes a TRAP instruction, the VAMOS kernel invokes the trap handler. Each TRAP instruction comes with an immediate constant *imm* and the trap handles realizes a case distinction over the different values of *imm*. Based on that, it specifies the argument passing and converts the register values into the abstract ones in order to determine the corresponding abstract process output.

Function trap\_dispatch encapsulates the formal specification of the VA-MOS trap handler. As the formal definition of trap\_dispatch is quite substantial, we split its definition up into several parts and present them (as already done in Section 3.3.3) in form of implications, subsequently.

Creating a new process. The VAMOS call PROCESS\_CREATE is associated with the trap number 1:

```
current_instr s_{\text{proc}} = \text{TRAP 1} \Longrightarrow
trap_dispatch s_{\text{proc}} \equiv
let tsl_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 11}; \ prio_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 12};
saddr_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 13}; \ len_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 14};
pgs_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 15}
in PROCESS_CREATE (to_nat32 tsl_{\text{reg}}) (reg2prio prio_{\text{reg}})
(build_memobj s_{\text{proc}} (to_nat32 saddr_{\text{reg}}) (to_nat32 len_{\text{reg}}))
(to_nat32 pgs_{\text{reg}})
```

Register 11 specifies the timeslice for the new process while register 12 determines its priority. The initial memory image is taken from the virtual memory of the calling process and specified by the start address in register 13 and the length in register 14. The number of pages that should be allocated for the new process is stored in register 15. Based on these register values, function trap\_dispatch determines the corresponding abstract

194 8. Appendix

process output.

Cloning a process. The VAMOS call PROCESS\_CLONE is associated with the trap number 2:

```
current_instr s_{proc} = \text{TRAP } 2 \Longrightarrow
trap_dispatch s_{proc} \equiv \text{PROCESS\_CLONE } (s_{proc}.gprs ! 11)
```

Register 11 specifies the handle to the process that should be cloned. Based on this handle, function trap\_dispatch determines the corresponding abstract process output.

**Terminating a process.** The VAMOS call PROCESS\_KILL is associated with the trap number 3:

```
current_instr s_{proc} = \text{TRAP } 3 \Longrightarrow
trap_dispatch s_{proc} \equiv \text{PROCESS\_KILL } (s_{proc}.gprs ! 11)
```

Register 11 specifies the handle to the process that should be terminated. Based on this handle, function trap\_dispatch determines the corresponding abstract process output.

Changing the scheduling parameters of a process. The VAMOS call CHG\_SCHED\_PARAMS is associated with the trap number 4:

```
current_instr s_{\text{proc}} = \text{TRAP 4} \Longrightarrow
trap_dispatch s_{\text{proc}} \equiv
let hn_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 11}; tsl_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 12};
prio_{\text{reg}} = s_{\text{proc}}.\text{gprs ! 13}
in CHG_SCHED_PARAMS hn_{\text{reg}} (to_nat32 tsl_{\text{reg}}) (reg2prio prio_{\text{reg}})
```

Register 11 specifies the handle to the process whose parameters should be changed. The registers 12 and 13 specify the new timeslice and priority. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

Setting the privileges of a process. The VAMOS call SET\_PRIVILEGES is associated with the trap number 6:

```
current_instr s_{proc} = \text{TRAP 6} \Longrightarrow
trap_dispatch s_{proc} \equiv \text{SET}\_PRIVILEGED (s_{proc}.gprs ! 11)
```

Register 11 specifies the handle to the process whose privileges should be set. Based on this handle, function trap\_dispatch determines the corresponding abstract process output.

Increasing the memory amount of a process. The VAMOS call MEMORY\_ADD is associated with the trap number 7:

```
current_instr s_{proc} = \text{TRAP } 7 \Longrightarrow

trap_dispatch s_{proc} \equiv

let hn_{reg} = s_{proc}.\text{gprs } ! 11; pgs_{reg} = s_{proc}.\text{gprs } ! 12

in MEMORY_ADD hn_{reg} (to_nat32 pgs_{reg})
```

Register 11 specifies the handle to the process that should get more memory and register 12 contains the number of the additional memory pages. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

**Decreasing the memory amount of a process.** The VAMOS call MEMORY\_ADD is associated with the trap number 8:

```
current_instr s_{proc} = \text{TRAP 8} \Longrightarrow

trap_dispatch s_{proc} \equiv

let hn_{reg} = s_{proc}.\text{gprs ! 11; } pgs_{reg} = s_{proc}.\text{gprs ! 12}

in MEMORY_FREE hn_{reg} (to_nat32 pgs_{reg})
```

Register 11 specifies the handle to the process and register 12 contains the number of the memory pages that should be released. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

**Changing a driver.** The VAMOS call CHANGE\_DRIVER is associated with the trap number 9:

```
current_instr s_{\text{proc}} = \text{TRAP } 9 \Longrightarrow trap_dispatch s_{\text{proc}} \equiv let hn_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! 11; ints_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! 12 in CHANGE_DRIVER hn_{\text{reg}} (reg2ints (if reg2ints ints_{\text{reg}} \neq \bot then ints_{\text{reg}} else \neg_{\text{s/32}} ints_{\text{reg}})) (reg2ints ints_{\text{reg}} \neq \bot)
```

Register 11 specifies the handle to the corresponding driver and register 12 the interrupts that should be registered or deregistered. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

**Enabling Interrupts.** The VAMOS call ENABLE\_INTERRUPTS is associated with the trap number 10:

```
current_instr s_{proc} = \text{TRAP } 10 \Longrightarrow
trap_dispatch s_{proc} \equiv \text{ENABLE\_INTERRUPTS } (\text{reg2ints } (s_{proc}.\text{gprs } ! 11))
```

Register 11 specifies the interrupts that should be enabled. Based on this register value, function trap\_dispatch determines the corresponding abstract process output.

196 8. Appendix

Receiving from a process. The VAMOS call IPC\_RECEIVE is associated with the trap number 11:

```
current_instr s_{\text{proc}} = \text{TRAP } 11 \Longrightarrow
\text{trap\_dispatch } s_{\text{proc}} \equiv
\text{let } shn_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \; 11; \; saddr_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \; 15;
len_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \; 16; \; to_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \; 20
\text{in } \text{IPC\_RECEIVE } shn_{\text{reg}}
\text{(build\_buffer } s_{\text{proc}} \; \text{(to\_nat32 } saddr_{\text{reg}}\text{)} \; \text{(to\_nat32 } len_{\text{reg}}\text{)})
\text{(int2timeout } to_{\text{reg}}\text{)}
```

Register 11 specifies the handle to the sender. The buffer is determined by the start address in register 15 and the length in register 16. The timeout for this operation is stored in register 20. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

**Sending to a process.** The VAMOS call IPC\_SEND is associated with the trap number 12:

```
current_instr s_{\text{proc}} = \text{TRAP } 12 \Longrightarrow trap_dispatch s_{\text{proc}} \equiv let rhn_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 11; srights_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 12; saddr_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 13; len_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 14; ahn_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 17; arights_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 18; to_{\text{reg}} = s_{\text{proc}}.\text{gprs} ! 19 in IPC_SEND rhn_{\text{reg}} (num2rights srights_{\text{reg}}) (build_memobj s_{\text{proc}} (to_nat32 saddr_{\text{reg}}) (to_nat32 len_{\text{reg}})) ahn_{\text{reg}} (num2rights arights_{\text{reg}}) (int2timeout to_{\text{reg}})
```

The handle to the receiver is given in register 11 and register 12 specifies the rights, the sender wants to grant to the receiver. By means of the start address in register 13 and the length in register 14, the sender determines the memory message. If an additional process should be introduced, register 17 contains the corresponding handle and register 18 the associated rights. Register 19 determines the timeout of the operation. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

Combined Sending and Receiving. The VAMOS call IPC\_REQUEST is associated with the trap number 15:

```
current_instr s_{\text{proc}} = \text{TRAP } 15 \Longrightarrow
\text{trap\_dispatch } s_{\text{proc}} \equiv
\text{let } hn_{\text{rcv}} = s_{\text{proc.gprs}} ! 11; \ \textit{rights}_{\text{snd}} = s_{\text{proc.gprs}} ! 12;
msg_{\text{ad}} = s_{\text{proc.gprs}} ! 13; \ msg_{\text{len}} = s_{\text{proc.gprs}} ! 14;
hn_{\text{add}} = s_{\text{proc.gprs}} ! 17; \ \textit{rights}_{\text{add}} = s_{\text{proc.gprs}} ! 18;
to_{\text{snd}} = s_{\text{proc.gprs}} ! 19; \ buf_{\text{ad}} = s_{\text{proc.gprs}} ! 15;
```

```
\begin{array}{l} \textit{buf}_{\text{len}} = \textit{s}_{\text{proc}}.\text{gprs} \; ! \; 16; \; \textit{to}_{\text{rcv}} = \textit{s}_{\text{proc}}.\text{gprs} \; ! \; 20 \\ \textbf{in} \; \text{IPC\_REQUEST} \; \textit{hn}_{\text{rcv}} \; (\text{num2rights} \; \textit{rights}_{\text{snd}}) \\ & (\text{build\_memobj} \; \textit{s}_{\text{proc}} \; (\text{to\_nat32} \; \textit{msg}_{\text{ad}}) \; (\text{to\_nat32} \; \textit{msg}_{\text{len}})) \; \textit{hn}_{\text{add}} \\ & (\text{num2rights} \; \textit{rights}_{\text{add}}) \; (\text{int2timeout} \; \textit{to}_{\text{snd}}) \\ & (\text{build\_buffer} \; \textit{s}_{\text{proc}} \; (\text{to\_nat32} \; \textit{buf}_{\text{ad}}) \; (\text{to\_nat32} \; \textit{buf}_{\text{len}})) \\ & (\text{int2timeout} \; \textit{to}_{\text{rcv}}) \end{array}
```

The combined sending and receiving was already described in Section 3.3.3.

Reading from a device. The Vamos call Dev\_read is associated with the trap numbers 13 and 19, whereas the former denotes a single read and the latter a burst read:

```
\begin{array}{l} \text{current\_instr } s_{\mathsf{proc}} = \text{TRAP 13} \ \lor \ \mathsf{current\_instr } s_{\mathsf{proc}} = \text{TRAP 19} \Longrightarrow \\ \mathsf{trap\_dispatch } s_{\mathsf{proc}} \equiv \\ \mathsf{let } \ \mathit{dev}_{\mathsf{reg}} = s_{\mathsf{proc}}.\mathsf{gprs} \ ! \ 11; \ \mathit{port}_{\mathsf{reg}} = s_{\mathsf{proc}}.\mathsf{gprs} \ ! \ 12; \\ s\mathit{addr}_{\mathsf{reg}} = s_{\mathsf{proc}}.\mathsf{gprs} \ ! \ 13; \ \mathit{len}_{\mathsf{reg}} = s_{\mathsf{proc}}.\mathsf{gprs} \ ! \ 14 \\ \mathsf{in \ Let \ (if \ current\_instr } s_{\mathsf{proc}} = \mathsf{TRAP 19 \ then \ BufLength 1} \\ & \quad \mathsf{else \ build\_buffer } s_{\mathsf{proc}} \ (\mathsf{to\_nat32} \ \mathit{saddr}_{\mathsf{reg}}) \ (\mathsf{to\_nat32} \ \mathit{len}_{\mathsf{reg}}))} \\ & \quad (\mathsf{DEV\_READ \ (reg2devnum \ \mathit{dev}_{\mathsf{reg}}) \ (\mathsf{reg2port \ } \mathit{port}_{\mathsf{reg}}))} \end{array}
```

Register 11 contains the device number and register 12 the corresponding port number. The buffer which is specified by the start address in register 13 and the length in register 14 is only required in the context of a burst read. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

Writing to a device. The VAMOS call DEV\_WRITE is associated with the trap numbers 14 and 20, whereas the former denotes a single write and the latter a burst write:

```
current_instr s_{\text{proc}} = \text{TRAP } 14 \ \lor \ \text{current\_instr } s_{\text{proc}} = \text{TRAP } 20 \Longrightarrow trap_dispatch s_{\text{proc}} \equiv let dev_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \ 11; \ port_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \ 12; saddr_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \ 13; \ len_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! \ 14 in Let (if current_instr s_{\text{proc}} = \text{TRAP } 20 \ \text{then MObjSeq } [s_{\text{proc}}.\text{gprs } ! \ 13] else build_memobj s_{\text{proc}} (to_nat32 saddr_{\text{reg}}) (to_nat32 len_{\text{reg}})) (DEV_WRITE (reg2devnum dev_{\text{reg}}) (reg2port port_{\text{reg}}))
```

Register 11 contains the device number and register 12 the corresponding port number. The message which is specified by the start address in register 13 and the length in register 14 is only relevant in case of a burst write. Otherwise, only the data at the start address is written to the device. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

Changing IPC rights. The VAMOS call CHANGE\_RIGHTS is associated with the trap number 16:

198 8. Appendix

```
current_instr s_{\text{proc}} = \text{TRAP } 16 \Longrightarrow
trap_dispatch s_{\text{proc}} \equiv
let subj\_hn_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! 11; obj\_hn_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! 12;
rights_{\text{reg}} = s_{\text{proc}}.\text{gprs } ! 13
in CHANGE_RIGHTS subj\_hn_{\text{reg}} obj\_hn_{\text{reg}} (rights_{\text{reg}} \leq 15)
(\text{num2rights } (\text{if } rights_{\text{reg}} \leq 15 \text{ then } rights_{\text{reg}} \text{ else } \neg_{\text{s/32}} rights_{\text{reg}}))
```

Register 11 contains the handle to the subject, whereas register 12 contains the handle to the object. The rights are specified in register 13. Based on these register values, function trap\_dispatch determines the corresponding abstract process output.

**Reading Kernel Information.** The Vamos call Change\_rights is associated with the trap number 17:

```
current_instr s_{\text{proc}} = \text{TRAP } 17 \Longrightarrow \text{trap\_dispatch } s_{\text{proc}} \equiv \text{READ\_KERNEL\_INFO (int2kinfo } (s_{\text{proc}}.\text{gprs} ! 11))
```

Register 11 specifies the type of kernel notifications. Based on this type, function trap\_dispatch determines the corresponding abstract process output.

**Undefined Traps.** A trap number *imm* is considered as undefined, if it fulfills the predicate undefined\_trapnr:

```
undefined_trapnr imm \equiv imm \notin \{1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20\}
```

The specification of an undefined trap number leads to the process output UNDEFINED\_TRAP which is reflected in the following implication:

# **Bibliography**

- [1] Alkassar, E., Hillebrand, M., Knapp, S., Rusev, R., Tverdyshev, S.: Formal device and programming model for a serial interface. In: B. Beckert (ed.) Proceedings, 4th International Verification Workshop (VERIFY), Bremen, Germany, pp. 4–20. CEUR-WS Workshop Proceedings (2007). URL http://www-wjp.cs.uni-saarland.de/publikationen/Alkassar\_AHK-.pdf
- [2] Alkassar, E., Hillebrand, M.A.: Formal functional verification of device drivers. In: J. Woodcock, N. Shankar (eds.) Verified Software: Theories, Tools, and Experiments, LNCS, vol. 5295, pp. 225–239. Springer (2008)
- [3] Alkassar, E., Hillebrand, M.A., Leinenbach, D., Schirmer, N.W., Starostin, A.: The Verisoft approach to systems verification. In: N. Shankar, J. Woodcock (eds.) Verified Software: Theories, Tools, and Experiments, *LNCS*, vol. 5295, pp. 209–224. Springer (2008)
- [4] Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load leveraging a semantics stack for systems verification. J. Autom. Reasoning, Special Issue on Operating System Verification (2009). To appear in this volume.
- [5] Alkassar, E., Hillebrand, M.A., Paul, W., Petrova, E.: Automated verification of a small hypervisor. In: P. O'Hearn, G.T. Leavens, S. Rajamani (eds.) Verified Software: Theories, Tools, Experiments (VSTTE 2010), Lecture Notes in Computer Science. Springer, Edinburgh, UK (2010). To appear.
- [6] Alkassar, E., Schirmer, N., Starostin, A.: Formal pervasive verification of a paging mechanism. In: TACAS, LNCS, vol. 4963, pp. 109–123. Springer (2008)
- [7] Baumann, C., Beckert, B., Blasum, H., Bormer, T.: Better avionics software reliability by code verification A glance at code verification methodology in the Verisoft XT project. In: Embedded World 2009 Conference. Franzis Verlag, Nuremberg, Germany (2009). URL http://www.uni-koblenz.de/~beckert/pub/embeddedworld2009.pdf. To appear.

[8] Baumann, C., Beckert, B., Blasum, H., Bormer, T.: Formal verification of a microkernel used in dependable software systems. In: B. Buth, G. Rabe, T. Seyfarth (eds.) Computer Safety, Reliability, and Security (SAFECOMP 2009), Lecture Notes in Computer Science, vol. 5775, pp. 187-200. Springer, Hamburg, Germany (2009). URL http://www.unikoblenz.de/~beckert/pub/safecomp2009.pdf

- [9] Beckert, B., Beuster, G.: Formal specification of security-relevant properties of user interfaces. In: Proceedings, 3rd International Workshop on Critical Systems Development with UML, pp. 139–146. Lisbon, Portugal (2004). URL http://wwwbib.informatik.tu-muenchen.de/infberichte/2004/TUM-I0415.pdf. TU Munich Technical Report TUM-I0415
- [10] Beuster, G., Henrich, N., Wagner, M.: Real world verification Experiences from the Verisoft email client. In: G. Sutcliffe, R. Schmidt, S. Schulz (eds.) Proceedings of the FLoC'06 Workshop on Empirically Successful Computerized Reasoning (ESCoR 2006), CEUR Workshop Proceedings, vol. 192, pp. 112–125. CEUR-WS.org (2006). URL http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-192/paper08.pdf
- [11] Bevier, W.R.: Kit and the short stack. J. Autom. Reasoning **5**(4), 519–530 (1989)
- [12] Bevier, W.R., Hunt, Jr., W.A., Moore, J.S., Young, W.D.: An approach to systems verification. J. Autom. Reasoning 5(4), 411–428 (1989)
- [13] Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.: Instantiating uninterpreted functional units and memory system: functional verification of the vamp. In: D. Geist, E. Tronci (eds.) CHARME 2003, *LNCS*, vol. 2860, pp. 51–65. Springer (2003). URL http://www-wjp.cs.uni-saarland.de/publikationen/BJKLP03.pdf
- [14] Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.J.: Putting it all together: Formal verification of the VAMP. STTT 8(4-5), 411–430 (2006)
- [15] Bogan, S.: Formal specification of a simple operating system. Ph.D. thesis, Saarland University, Saarbrücken (2008). URL http://www-wjp.cs.uni-saarland.de/publikationen/Bog08.pdf
- [16] Böhme, S., Leino, K.R.M., Wolff, B.: HOL-Boogie—An interactive prover for the Boogie program-verifier
- [17] Böhme, S., Moskal, M., Schulte, W., Wolff, B.: HOL-Boogie An interactive prover-backend for the Verifying C Compiler. Journal of

- Automated Reasoning 44(1-2), 111-144 (2010). DOI http://dx.doi. org/10.1007/s10817-009-9142-9
- [18] Boyton, A.: A verified shared capability model. In: G. Klein, R. Huuck, B. Schlich (eds.) Proceedings of the 4th Workshop on Systems Software Verification, *Electronic Notes in Computer Science*, vol. 254, pp. 25–44. Elsevier, Aachen, Germany (2009)
- [19] Chebiryak, Y.: Formal specification and verification of functions of vamos scheduler. Master thesis, Saarland University (2005)
- [20] Cohen, E., Alkassar, E., Boyarinov, V., Dahlweid, M., Degenbaev, U., Hillebrand, M., Langenstein, B., Leinenbach, D., Moskal, M., Obua, S., Paul, W., Pentchev, H., Petrova, E., Santen, T., Schirmer, N., Schmaltz, S., Schulte, W., Shadrin, A., Tobies, S., Tsyban, A., Tverdyshev, S.: Invariants, modularity, and rights. In: Perspectives of Systems Informatics (PSI 2009), Lecture Notes in Computer Science. Springer (2009). Invited paper, to appear.
- [21] Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A practical system for verifying concurrent C. In: S. Berghofer, T. Nipkow, C. Urban, M. Wenzel (eds.) Theorem Proving in Higher Order Logics (TPHOLs 2009), Lecture Notes in Computer Science, vol. 5674, pp. 23–42. Springer, Munich, Germany (2009). Invited paper.
- [22] Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efficient memory model for C (2008). Available via http://research.microsoft.com/apps/pubs/default.aspx?id=77174
- [23] Cohen, E., Moskal, M., Schulte, W., Tobies, S.: Local verification of global invariants in concurrent programs. In: B. Cook, P. Jackson, T. Touili (eds.) Computer Aided Verification (CAV 2010), Lecture Notes in Computer Science. Springer, Edinburgh, UK (2010). To appear.
- [24] Dalinger, I., Hillebrand, M., Paul, W.: On the verification of memory management mechanisms. In: D. Borrione, W. Paul (eds.) CHARME 2005, LNCS. Springer (2005). URL http://www-wjp.cs.uni-saarland.de/publikationen/DHP05.pdf
- [25] Daum, M.: On the formal foundation of a verification approach for system-level concurrent programs. Ph.D. thesis, Saarland University, Computer Science Department (2010)
- [26] Daum, M., Dörrenbächer, J., Bogan, S.: Model stack for the pervasive verification of a microkernel-based operating system. In:

B. Beckert, G. Klein (eds.) 5th International Verification Workshop (VERIFY'08), CEUR Workshop Proceedings, vol. 372, pp. 56-70. CEUR-WS.org (2008). URL http://www-wjp.cs.uni-saarland.de/publikationen/DaumDB-VERIFY08-.pdf

- [27] Daum, M., Dörrenbächer, J., Wolff, B.: Proving fairness and implementation correctness of a microkernel scheduler. Journal of Automated Reasoning: Special Issue on Operating System Verification 42, Numbers 2-4, 349–388 (2009). URL http://www-wjp.cs.uni-saarland.de/publikationen/DaumDW-jarosv08.pdf
- [28] Daum, M., Dörrenbächer, J., Wolff, B., Schmidt, M.: A verification approach for system-level concurrent programs. In: J. Woodcock, N. Shankar (eds.) Verified Software: Theories, Tools, and Experiments, LNCS, vol. 5295, pp. 161–176. Springer (2008)
- [29] Daum, M., Schirmer, N.W., Schmidt, M.: Implementation correctness of a real-time operating system. In: 7th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2009), 23–27 November 2009, Hanoi, Vietnam, pp. 23–32. IEEE (2009)
- [30] Elkaduwe, D., Klein, G., Elphinstone, K.: Verified protection model of the seL4 microkernel. In: J. Woodcock, N. Shankar (eds.) Proceedings of Verified Software: Theories, Tools and Experiments 2008, Lecture Notes in Computer Science, vol. 5295, pp. 99–114. Springer, Toronto, Canada (2008)
- [31] Endrawaty: Verification of the Fiasco IPC implementation. Master's thesis, Dresden University of Technology (2005)
- [32] Engler, D.R., Kaashoek, M.F., O'Toole, J.: Exokernel: An operating system architecture for application-level resource management. In: SOSP, pp. 251–266. ACM (1995)
- [33] Fleisch, B.D., Co, M.A.A.: Workplace microkernel and OS: a case study. Softw. Pract. Exper. 28(6), 569–591 (1998)
- [34] Gargano, M., Hillebrand, M., Leinenbach, D., Paul, W.: On the correctness of operating system kernels. In: J. Hurd, T.F. Melham (eds.) TPHOLs 2005, *LNCS*, vol. 3603, pp. 1–16. Springer (2005). URL http://www-wjp.cs.uni-sb.de/publikationen/GHLP05.pdf
- [35] Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems: taking microkernels to the next level. Operating Systems Review 41(4), 3–11 (2007)

[36] Heitmeyer, C., Archer, M., Leonard, E., McLean, J.: Applying formal methods to a certifiably secure software system. IEEE Transactions on Software Engineering **34**, 82–98 (2008). DOI http://doi.ieeecomputersociety.org/10.1109/TSE.2007.70772

- [37] Heitmeyer, C.L., Archer, M., Leonard, E.I., Mclean, J.: Formal specification and verification of data separation in a separation kernel for an embedded system. In: In CCS, pp. 346–355. ACM (2006)
- [38] Hennessy, J.L., Patterson, D.A.: Computer Architecture: A Quantitative Approach, 2nd Edition. Morgan Kaufmann (1996)
- [39] Hohmuth, M., Tews, H., Stephens, S.G.: Applying source-code verification to a microkernel: the VFiasco project. In: ACM SIGOPS European Workshop, pp. 165–169. ACM (2002). DOI http://doi.acm.org/10.1145/1133373.1133405
- [40] In der Rieden, T., Tsyban, A.: CVM a verified framework for microkernel programmers. In: Systems Software Verification, ENTCS, vol. 217, pp. 151–168. Elsevier Science B.V. (2008)
- [41] Kaiser, R.: Combining partitioning and virtualization for safety-critical systems. White Paper WP\_CPV\_10\_A4\_R10, SYSGO AG (2007). Availabe via http://www.sysgo.com/news-events/whitepapers/
- [42] Klein, G.: Correct OS kernel? proof? done! USENIX; login: **34**(6), 28–34 (2009)
- [43] Klein, G.: Operating system verification an overview. Sādhanā **34**(1), 27–69 (2009)
- [44] Klein, G., Andronick, J., Elphinstone, K., Heiser, G., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. Communications of the ACM 53(6), 107–115 (2010)
- [45] Langenstein, B., Nonnengart, A., Rock, G., Stephan, W.: A history-based verification of distributed applications. In: B. Beckert (ed.) Proceedings, 4th International Verification Workshop (VERIFY), Bremen, Germany, CEUR Workshop Proceedings, vol. 259, pp. 70-84. CEUR-WS.org (2007). URL http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-259/paper08.pdf
- [46] Langenstein, B., Nonnengart, A., Rock, G., Stephan, W.: Verification of distributed applications. In: F. Saglietti, N. Oster (eds.) Computer Safety, Reliability, and Security, 26th International Conference, SAFE-COMP 2007, Nuremberg, Germany, September 18–21, 2007, Lecture Notes in Computer Science, vol. 4680, pp. 315–328. Springer (2007)

[47] Lassmann, G., Rock, G., Schwan, M., Cheikhrouhou, L.: Verisoft secure biometric identification system. URL http://www.informatik.huberlin.de/forschung/gebiete/algorithmenII/Publikationen/ Papers/Verisoft.pdf. T-Systems International University Conference, Düsseldorf, 10.-11. October 2005

- [48] Leinenbach, D.: Compiler verification in the context of pervasive system verification. Ph.D. thesis, Saarland University (2008). URL http://www-wjp.cs.uni-sb.de/publikationen/Lei08.pdf
- [49] Leinenbach, D., Paul, W.J., Petrova, E.: Towards the formal verification of a C0 compiler: Code generation and implementation correctness. In: SEFM, pp. 2–12. IEEE Computer Society (2005)
- [50] Leinenbach, D., Petrova, E.: Pervasive compiler verification: From verified programs to verified systems. In: Systems Software Verification, ENTCS, vol. 217, pp. 23–40. Elsevier Science B.V. (2008)
- [51] Liedtke, J.: Improving IPC by kernel design. In: SOSP, pp. 175–188. ACM (1993)
- [52] Liedtke, J.: On  $\mu$ -kernel construction. In: SOSP, pp. 237–250. ACM (1995)
- [53] Liedtke, J.: Towards real microkernels. Commun. ACM **39**(9), 70–77 (1996)
- [54] Martin, W., White, P., Taylor, F.S., Goldberg, A.: Formal construction of the mathematically analyzed separation kernel. In: ASE '00: Proceedings of the 15th IEEE international conference on Automated software engineering, p. 133. IEEE Computer Society, Washington, DC, USA (2000)
- [55] Moore, J.S.: A grand challenge proposal for formal methods: A verified stack. In: 10th Anniversary Colloquium of UNU/IIST, pp. 161–172. Springer (2002)
- [56] Moura, L.D., Bjørner, N.: Z3: An efficient smt solver. In: In Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS (2008)
- [57] Müller, S., Paul, W.: Computer Architecture, Complexity and Correctness. Springer Verlag (2000)
- [58] Neumann, P.G., Feiertag, R.J.: PSOS revisited. In: ACSAC, pp. 208–216. IEEE Computer Society (2003)
- [59] Nguiekom, V.: Verifikation von doppelt verketteten listen auf pointerebene. Master's thesis, Saarland University (2005)

[60] Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code: Machine context management. In: TPHOLs, LNCS, vol. 4732, pp. 189–206. Springer (2007)

- [61] Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assistant for Higher-Order Logic, *LNCS*, vol. 2283. Springer (2002)
- [62] Paulson, L.C.: Isabelle: A Generic Theorem Prover. Springer (1994). LNCS 828
- [63] Petrova, E.: Verification of the C0 compiler implementation on the source code level. Ph.D. thesis, Saarland University (2007)
- [64] Rashid, R., Avadis Tevanin, J., Young, M., Golub, D., Baron, R.: Machine-independent virtual memory management for paged uniprocessor and multiprocessor architectures. IEEE Trans. Comput. 37(8), 896–908 (1988)
- [65] In der Rieden, T.: Verified linking for modular kernel verification. Ph.D. thesis, Saarland University, Saarbrücken (2009). URL http://www-wjp.cs.uni-sb.de/publikationen/Idr09.pdf
- [66] Samman, T.: Verifying 50,000 lines of C code. Futures, Microsoft's European Innovation Magazine 21 (2008)
- [67] Schierboom, E.: Verification of Fiasco's IPC implementation. Master's thesis, Radboud Universiteit Nijmegen (2007)
- [68] Schirmer, N.: A verification environment for sequential imperative programs in Isabelle/HOL. In: LPAR, LNCS, pp. 398-414. Springer (2005). URL http://isabelle.in.tum.de/~schirmer/pub/hoare-lpar04.html
- [69] Schirmer, N.: Verification of sequential imperative programs in Isabelle/HOL. Ph.D. thesis, TU Munich (2006)
- [70] Shapiro, J., Doerrie, M.S., Northup, E., Sridhar, S., Miller, M.: Towards a verified, general-purpose operating system kernel. In: FM Workshop on OS Verification, Tech. Rep. 0401005T-1, pp. 1-19. National ICT Australia (2004). URL http://www.coyotos.org/docs/osverify-2004/osverify-2004.pdf
- [71] Starostin, A.: Formal verification of a c-library for strings. Master's thesis, Saarland University (2006). URL http://www-wjp.cs.uni-saarland.de/publikationen/St06.pdf
- [72] Starostin, A.: Formal verification of demand paging. Ph.D. thesis, Saarland University, Saarbrücken (2010). URL http://www-wjp.cs.uni-saarland.de/publikationen/St10.pdf

[73] Starostin, A., Tsyban, A.: Correct microkernel primitives. In: Systems Software Verification, ENTCS, vol. 217, pp. 169–185. Elsevier Science B.V. (2008)

- [74] Starostin, A., Tsyban, A.: Verified process-context switch for c-programmed kernels. In: N. Shankar, J. Woodcock (eds.) 2nd IFIP Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE'08), LNCS, vol. 5295, pp. 240–254. Springer (2008)
- [75] Starostin, A., Tsyban, A.: Verified process-context switch for C-programmed kernels. In: N. Shankar, J. Woodcock (eds.) Verified Software: Theories, Tools, and Experiments, *LNCS*, vol. 5295, pp. 240–254. Springer (2008)
- [76] Tsyban, A.: Cvm a verified framework for microkernel programmers. Ph.D. thesis, Saarland University, Saarbrücken (2009)
- [77] Tverdyshev, S.: Formal verification of gate-level computer systems. Ph.D. thesis, Saarland University, Computer Science Department (2009). URL http://www-wjp.cs.uni-saarland.de/publikationen/Tv09.pdf
- [78] Verisoft Project: Verisoft repository (2010). URL http://www.verisoft.de/VerisoftRepository.html
- [79] Walker, B.J., Kemmerer, R.A., Popek, G.J.: Specification and verification of the ucla unix security kernel. Commun. ACM 23(2), 118–131 (1980). DOI http://doi.acm.org/10.1145/358818.358825