Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads

Slides: 22

Xinyu Feng, Toyota Technological Institute at Chicago
Joint work with Zhong Shao (Yale), Yuan Dong (Tsinghua Univ.) and Yu Guo (USTC)

How to verify safety & correctness of OS kernels / hypervisors?

Many challenges:
  • Low-level C/assembly code
  • Code loading
  • Concurrency
  • Interrupts
  • Device drivers & I/O
  • …

Is verification possible? How to do it in a clean & modular way?

Layering of Simplified Kernel Code

[Figure: kernel code split into layers; layer B is concurrent code with explicit interrupts]

How to verify it?

Concurrency with Interrupts: Challenges

[Figure: execution timeline in which the handlers for irq 0 and irq 1 preempt thread code, steps (1) to (5)]

  • Asymmetric preemption between handlers and non-handler code
  • Intertwining between threads and handlers
  • Asymmetric synchronization: cli/sti are different from locks

Our Contributions

A Hoare-style program logic for modular verification of low-level programs with interrupts and concurrency.

AIM-I: Single-Threaded Code with Interrupts

  (code heap)      C ::= {f ↦ I}*       code blocks at labels f1, f2, …, plus the ISR at label ih
  (data heap)      H
  (register file)  R  = r1, r2, r3, …, rn
  (state)          S ::= (H, R, ie)      ie: interrupt-enable flag, 0 or 1
  (program)        P ::= (C, S, pc)

Instructions include ordinary arithmetic (addu …), cli, sti, iret and jumps (j f).

Example: Teeter-Totter

  left  := 50
  right := 50

  Non-handler code:
    while(true){
      cli;
      if([right] == 0){
        sti;
        break;
      }
      [right] := [right]-1;
      [left]  := [left]+1;
      sti;
    }
    print("left wins!");

  Timer handler:
    timer:
      if([left] == 0){
        print("right wins!");
        iret;
      }
      [left]  := [left]-1;
      [right] := [right]+1;
      iret;

How to guarantee non-interference?

Non-Interference?

Program invariant: there is always a partition of memory among the concurrent entities, and each entity only accesses its own part.

But note: the partition is dynamic, since ownership of memory can be transferred at run time. cli/sti can be modeled as operations that trigger memory ownership transfer.

AIM-I: The Memory Model

[Figure: memory split into three logical parts: B, owned by the non-handler code; A, owned by the handler; and a shared block satisfying INV whose ownership moves on cli, sti and iret]

The memory partition is logical, not physical!

Separation Logic to Enforce Partition [Ishtiaq & O'Hearn '01, Reynolds '02]

  emp      the empty heap
  l ↦ n    a single cell at address l holding the value n
  p * q    the heap splits into two disjoint parts, one satisfying p and the other satisfying q

AIM-I: cli/sti

  ie = 1:  the non-handler code owns B; the INV block is set aside for the handler, which also owns its private part A.
  cli:     ie becomes 0 and the INV block is transferred to the non-handler code, which now owns B * INV.
  sti:     the non-handler code must re-establish INV and give the block back; ie becomes 1 and it owns B again.

Example: Teeter-Totter

  INV:  ∃m, n. (left ↦ m) * (right ↦ n) ∧ (m + n = 100)

  left  := 50
  right := 50

  Non-handler code:
    while(true){
      -{emp ∧ ie = 1}
      cli;
      -{emp * INV}
      if([right] == 0){
        ...
      }
      -{INV}
      [right] := [right]-1;
      [left]  := [left]+1;
      -{INV}
      sti;
      -{emp ∧ ie = 1}
    }

  Timer handler:
    timer:
      -{INV}
      if([left] == 0){
        print("right wins!");
        -{INV}
        iret;
      }
      [left]  := [left]-1;
      [right] := [right]+1;
      -{INV}
      iret;
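As an added illustration (not code from the slides or the paper), the following C program simulates the teeter-totter under every possible arrival point of a single timer interrupt and checks INV at each ownership-transfer point: handler entry, iret and sti. It replaces the proof by a run-time check, so it is a model of the discipline the logic enforces rather than the logic itself. The machine struct, the fire_at injection mechanism, the treatment of an interrupt raised under cli as pending until sti, and the bound of 400 instruction slots are this example's own assumptions. The use_cli == false variant is deliberately the broken program that touches the shared cells with interrupts enabled.

```c
/* Simulate the teeter-totter from the slides and check
 *   INV: left + right == 100
 * at every point where ownership of the INV block changes hands. */
#include <stdbool.h>
#include <stdio.h>

#define TOTAL 100

typedef struct {
    int left, right;   /* the two cells described by INV */
    int ie;            /* interrupt-enable flag: 1 after sti, 0 after cli */
    int fire_at;       /* instruction slot at which the timer is asserted (assumed model) */
    int pending;       /* timer asserted while ie == 0; delivered at sti */
    int step;          /* instruction counter of the non-handler code */
    int violations;    /* INV observed false at a transfer point */
    int handler_runs;
} machine_t;

static bool inv_holds(const machine_t *m) { return m->left + m->right == TOTAL; }

/* Ownership-transfer check. Violations are counted, not fatal, so that all
 * arrival points can be explored in one run (assumption of this example). */
static void transfer_check(machine_t *m) { if (!inv_holds(m)) m->violations++; }

/* Timer handler from the slides: moves one unit from left to right. */
static void timer_handler(machine_t *m) {
    m->handler_runs++;
    transfer_check(m);            /* handler entry: INV is handed to the handler */
    if (m->left != 0) {           /* left == 0 is the "right wins!" case: no update */
        m->left  -= 1;
        m->right += 1;
    }
    transfer_check(m);            /* iret: INV is handed back to non-handler code */
}

/* Called before every non-handler instruction. The hardware delivers the
 * timer only when ie == 1; otherwise it stays pending until sti. */
static void tick(machine_t *m) {
    if (m->step == m->fire_at) m->pending = 1;
    m->step++;
    if (m->pending && m->ie) { m->pending = 0; timer_handler(m); }
}

static void cli(machine_t *m) { tick(m); m->ie = 0; }

static void sti(machine_t *m) {
    tick(m);                      /* ie is still 0 here, so nothing is delivered yet */
    transfer_check(m);            /* sti: INV must hold before the block is given back */
    m->ie = 1;
    if (m->pending) { m->pending = 0; timer_handler(m); }
}

/* One run of the non-handler loop with the timer asserted at slot fire_at.
 * Returns the number of INV violations observed at transfer points. */
int run_once(bool use_cli, int fire_at) {
    machine_t m = { .left = 50, .right = 50, .ie = 1, .fire_at = fire_at };
    for (;;) {
        if (use_cli) cli(&m);
        tick(&m);
        if (m.right == 0) break;
        tick(&m); m.right -= 1;   /* INV is false from here ...                      */
        tick(&m); m.left  += 1;   /* ... to here: an interrupt in between sees 99    */
        if (use_cli) sti(&m);
    }
    if (use_cli) sti(&m);         /* loop was left with ie == 0; re-enable, deliver pending */
    return m.violations;
}

/* Try every arrival point of a single timer interrupt and count the ones
 * under which some transfer point observes INV false. */
int count_violating_arrivals(bool use_cli) {
    int bad = 0;
    for (int k = 0; k < 400; k++)
        if (run_once(use_cli, k) > 0) bad++;
    return bad;
}

int main(void) {
    printf("with cli/sti:    %d violating arrival points\n", count_violating_arrivals(true));
    printf("without cli/sti: %d violating arrival points\n", count_violating_arrivals(false));
    return 0;
}
```

With cli/sti every arrival point is safe: an interrupt raised inside the critical section is delivered at sti, after INV has been re-established, which is exactly the ownership transfer the -{INV} annotation before sti demands. Without cli/sti, every iteration contains one slot (between the two updates) at which the handler is entered with left + right == 99; since the handler's own update is paired, the same run also reports the violation at iret.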

AIM-II: Multi-Threaded Code with Interrupts

  (code heap)       C                         code blocks at f1, f2, …, plus the ISR at ih
  (data heap)       H
  (register file)   R  = r1, r2, r3, …, rn
  (state)           S ::= (H, R, ie)
  (ready queue)     Q                         saved contexts (R, pc) of runnable threads
  (block queues)    B                         for each wait object w1, w2, …, wn, the contexts of the threads blocked on it
  (program)         P ::= (C, S, B, Q, pc)

Thread primitives: cli/sti, switch, block w, unblock w.

Non-Interference?

[Figure: the AIM-II machine again: code heap C, data heap H, current context (R, pc), ready queue Q, block queues B, and the primitives cli/sti, switch, block w, unblock w]

Use memory partition to control interference!

AIM-II: Memory Model

[Figure: memory partitioned into per-thread private parts (A for T1, C for T2), a part B, and two shared blocks, INV and INV1]

INV is the block transferred by cli/sti; INV1 * INV is the block handed over at switch.

AIM-II: cli/sti

  T1 is running and owns A; T2 is in the ready queue and owns C; ie = 1.
  T1: cli    ie becomes 0; T1 now owns A * INV. T2's part C is untouched.
  T1 runs, turning A into A' and re-establishing INV.
  T1: sti    INV is given back; ie becomes 1 and T1 owns A' only. INV1 stays where it is throughout.

AIM-II: switch

  switch is executed with ie = 0, so the current thread owns INV as well as its private part.
  T1: switch    T1 must have re-established INV1 * INV; ownership of both passes to T2, which resumes with its private part C. T1's part A is left untouched.
  T2 runs (sti … cli …), turning C into C', and later switches back, again with ie = 0 and with INV1 * INV re-established; T1 resumes owning A and INV1 * INV.

AIM-II: block/unblock

[Figure: T1 executes block w and is moved to the block queue for w; T2 runs; T2 executes unblock w, moving T1 back to the ready queue; a later switch resumes T1. Like switch, block gives up the processor, so INV1 * INV is handed over at each block and switch.]

AIM-II: block/unblock

Threads block themselves to wait for resources:
  • locks: wait for resources protected by locks
  • condition variables: wait for conditions to come true

[Figure: block queues w1, w2, …, wn, each associated with a resource R1, R2, …, Rn; the resource R associated with a wait object can be empty]

This unifies the different semantics of condition variables: Mesa style, Hoare style and Brinch-Hansen style. Read our paper for details!

Implementations: An Infrastructure for x86 Verification

  Component                                                                 Lines of Coq
  Certified x86 modules: locks and condition variables; timer handler,
    yield/sleep; switch, block, unblock                                     26,000 and 12,000
  AIM logic & soundness                                                     26,000
  Separation logic                                                           6,300
  SCAP                                                                       3,000
  Utilities (e.g. queues)                                                    4,000
  x86 semantics (a subset)                                                   3,300

Everything is done in Coq (higher-order logic with inductive definitions): around 82,000 lines of Coq code in total.
See http://flint.cs.yale.edu/publications/aim.html

Summary

  • Abstract machine & program logic
    – Hardware interrupts + preemptive threads
    – Ownership transfer semantics for cli, sti, switch, block, unblock
  • Implementations
    – Infrastructure for x86 code verification
    – Certified x86 modules
  • Future work
    – Multi-processor platforms
    – Liveness properties
    – Verification of C programs

Thank you!