Formal Methods: A Practical Tool for OS Implementors

The formal methods community has long known about the need to formally analyze concurrent software, but the OS community has been slow to adopt such methods. The foremost reasons for this are the cultural and knowledge gaps between formalists and OS hackers, fostered by three beliefs: inaccessibility of the tools, the disabling gap between the validated model and actual implementation, and the intractable size of operating systems. In this paper, we show these beliefs to be untrue for appropriately structured operating systems. We applied formal methods to verify properties of the implementation of the Fluke microkernel’s IPC subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, certain liveness properties and lack of deadlock, with results that apply to both SMP and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easily accessible to programmers inexperienced with formal methods. We present our results as a starting point for a more comprehensive inclusion of formal methods in practical OS development. This research was supportedin part by the Defense AdvancedResearch Projects Agency, monitored by the Department of the Army under contract number DABT63–94–C–0058, and Rome Laboratory, Air Force Material Command, USAF, underagreementnumberF30602–96–2–0269. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon. y U.S. Department of Defense. Copyright1997 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposesor for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.