Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures

Robert J. Colvin; Ian J. Hayes; Scott Heiner; Peter Höfner; Larissa Meinicke; Roger C. Su

doi:10.1007/978-3-031-66676-6_4

Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures

Robert J. Colvin^*, Ian J. Hayes, Scott Heiner, Peter Höfner, Larissa Meinicke, Roger C. Su

^*Corresponding author for this work

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

Abstract

Developers of low-level systems code providing core functionality for operating systems and kernels must address micro-architectural features of modern multicore processors, including and especially pipelined out-of-order execution of the code as written. The effects of out-of-order execution are typically summarised by a weak memory model, a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones’ rely/guarantee reasoning provides a compositional method for verification of shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth specification and verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both inter-thread communication and micro-parallelism introduced by weak memory models. The proof is machine-checked in Isabelle/HOL, building on an existing theory for rely/guarantee reasoning, extended with rules specialised for data type invariants, spin loops, and nested parallelism.

Original language	English
Title of host publication	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	65-87
Number of pages	23
DOIs	https://doi.org/10.1007/978-3-031-66676-6_4
Publication status	Published - 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	LNCS 14780
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Access to Document

10.1007/978-3-031-66676-6_4

Cite this

Colvin, R. J., Hayes, I. J., Heiner, S., Höfner, P., Meinicke, L., & Su, R. C. (2024). Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (pp. 65-87). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. LNCS 14780). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-66676-6_4

Colvin, Robert J. ; Hayes, Ian J. ; Heiner, Scott et al. / Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Springer Science and Business Media Deutschland GmbH, 2024. pp. 65-87 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inbook{185edc583b93445a9a2ab3034e71882e,

title = "Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures",

abstract = "Developers of low-level systems code providing core functionality for operating systems and kernels must address micro-architectural features of modern multicore processors, including and especially pipelined out-of-order execution of the code as written. The effects of out-of-order execution are typically summarised by a weak memory model, a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones{\textquoteright} rely/guarantee reasoning provides a compositional method for verification of shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth specification and verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both inter-thread communication and micro-parallelism introduced by weak memory models. The proof is machine-checked in Isabelle/HOL, building on an existing theory for rely/guarantee reasoning, extended with rules specialised for data type invariants, spin loops, and nested parallelism.",

keywords = "Concurrency, Lock algorithms, Multicore architectures, Rely/Guarantee, Verification, Weak memory models",

author = "Colvin, {Robert J.} and Hayes, {Ian J.} and Scott Heiner and Peter H{\"o}fner and Larissa Meinicke and Su, {Roger C.}",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.",

year = "2024",

doi = "10.1007/978-3-031-66676-6_4",

language = "English",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "65--87",

booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

address = "Germany",

}

Colvin, RJ, Hayes, IJ, Heiner, S, Höfner, P, Meinicke, L & Su, RC 2024, Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures. in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. LNCS 14780, Springer Science and Business Media Deutschland GmbH, pp. 65-87. https://doi.org/10.1007/978-3-031-66676-6_4

Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures. / Colvin, Robert J.; Hayes, Ian J.; Heiner, Scott et al.
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Springer Science and Business Media Deutschland GmbH, 2024. p. 65-87 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. LNCS 14780).

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

TY - CHAP

T1 - Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures

AU - Colvin, Robert J.

AU - Hayes, Ian J.

AU - Heiner, Scott

AU - Höfner, Peter

AU - Meinicke, Larissa

AU - Su, Roger C.

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

PY - 2024

Y1 - 2024

N2 - Developers of low-level systems code providing core functionality for operating systems and kernels must address micro-architectural features of modern multicore processors, including and especially pipelined out-of-order execution of the code as written. The effects of out-of-order execution are typically summarised by a weak memory model, a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones’ rely/guarantee reasoning provides a compositional method for verification of shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth specification and verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both inter-thread communication and micro-parallelism introduced by weak memory models. The proof is machine-checked in Isabelle/HOL, building on an existing theory for rely/guarantee reasoning, extended with rules specialised for data type invariants, spin loops, and nested parallelism.

AB - Developers of low-level systems code providing core functionality for operating systems and kernels must address micro-architectural features of modern multicore processors, including and especially pipelined out-of-order execution of the code as written. The effects of out-of-order execution are typically summarised by a weak memory model, a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones’ rely/guarantee reasoning provides a compositional method for verification of shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth specification and verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both inter-thread communication and micro-parallelism introduced by weak memory models. The proof is machine-checked in Isabelle/HOL, building on an existing theory for rely/guarantee reasoning, extended with rules specialised for data type invariants, spin loops, and nested parallelism.

KW - Concurrency

KW - Lock algorithms

KW - Multicore architectures

KW - Rely/Guarantee

KW - Verification

KW - Weak memory models

UR - http://www.scopus.com/inward/record.url?scp=85205128858&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-66676-6_4

DO - 10.1007/978-3-031-66676-6_4

M3 - Chapter

AN - SCOPUS:85205128858

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 65

EP - 87

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

PB - Springer Science and Business Media Deutschland GmbH

ER -

Colvin RJ, Hayes IJ, Heiner S, Höfner P, Meinicke L, Su RC. Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Springer Science and Business Media Deutschland GmbH. 2024. p. 65-87. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-66676-6_4

Practical Rely/Guarantee Verification of an Efficient Lock for seL4 on Multicore Architectures

Abstract

Publication series

Access to Document

Other files and links

Fingerprint

Cite this