Hardware interrupts are widely used in the world's critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques, including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method, have consistently ignored the issues of interrupts; this severely limits the applicability and power of today's program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able, for the first time, to successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.
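The ownership-transfer reading of cli/sti in the abstract above can be made concrete with a small executable model. The C program below is an added illustration, not code from the paper or its Coq development: it assumes a constructed ring buffer shared between thread code and an interrupt handler, with a redundant count field whose agreement with head and tail is the invariant INV the handler relies on. Disabling interrupts (cli) hands ownership of the buffer to the running code, which may break INV while it holds it; enabling them (sti) hands ownership back, so INV is the proof obligation at that point. A device interrupt is simulated at the worst possible moment so the difference between the disciplined and the racy producer is observable. All names (produce_safe, produce_racy, raise_irq, violations_seen, and so on) are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

#define CAP 8

/* Constructed model: a ring buffer shared by thread code (the producer) and
 * an interrupt handler (the consumer). The invariant INV the handler relies
 * on is that the redundant count field agrees with head and tail:
 *   0 <= count < CAP  and  count == (tail - head + CAP) % CAP */
static int buf[CAP];
static int head, tail, count;

static bool invariant_holds(void) {
    return count >= 0 && count < CAP && count == (tail - head + CAP) % CAP;
}

/* Simulated interrupt state and the outcomes the tests observe. */
static bool irq_enabled = true;
static bool irq_pending = false;
static int  irq_violations = 0;   /* handler runs that found INV broken */
static int  consumed_sum = 0;     /* sum of the values the handler consumed */

static int violations_seen(void) { return irq_violations; }
static int consumed_total(void)  { return consumed_sum; }
static int items_queued(void)    { return count; }

/* The handler owns the buffer whenever it runs, so it assumes INV. */
static void irq_handler(void) {
    if (!invariant_holds()) { irq_violations++; return; }
    if (count > 0) {
        consumed_sum += buf[head];
        head = (head + 1) % CAP;
        count--;
    }
}

/* A device raises an interrupt: delivered now if enabled, otherwise held
 * pending until the next sti, as the hardware would. */
static void raise_irq(void) {
    if (irq_enabled) irq_handler(); else irq_pending = true;
}

/* cli: ownership of the buffer passes to the running code, which may now
 * break INV temporarily because the handler cannot run. */
static void cli(void) { irq_enabled = false; }

/* sti: ownership passes back to the handler, so the proof obligation is
 * that INV holds here. The model re-enables interrupts regardless (as the
 * instruction would) and reports whether the obligation was met. */
static bool sti(void) {
    bool obligation_met = invariant_holds();
    irq_enabled = true;
    if (irq_pending) { irq_pending = false; irq_handler(); }
    return obligation_met;
}

/* Correct producer: the two-step update runs under ownership, so a device
 * interrupt simulated at the worst moment stays pending until sti. */
static bool produce_safe(int v) {
    cli();
    if (count == CAP - 1) { sti(); return false; }   /* buffer full */
    buf[tail] = v;
    tail = (tail + 1) % CAP;      /* INV broken from here ...            */
    raise_irq();                  /* ... interrupt arrives, held pending  */
    count++;                      /* ... and restored here                */
    return sti();                 /* obligation holds; pending IRQ runs   */
}

/* Buggy producer: the same update with interrupts left enabled, so the
 * handler preempts between the two writes and sees an inconsistent buffer. */
static bool produce_racy(int v) {
    if (count == CAP - 1) return false;
    buf[tail] = v;
    tail = (tail + 1) % CAP;
    raise_irq();                  /* handler runs now, while INV is broken */
    count++;
    return invariant_holds();     /* true again, but the damage is done */
}

static void reset_model(void) {
    head = tail = count = 0;
    irq_enabled = true; irq_pending = false;
    irq_violations = 0; consumed_sum = 0;
}

int main(void) {
    reset_model();
    produce_safe(5);
    printf("safe: violations=%d consumed=%d\n", violations_seen(), consumed_total());
    reset_model();
    produce_racy(7);
    printf("racy: violations=%d consumed=%d\n", violations_seen(), consumed_total());
    return 0;
}
```

In the safe run the interrupt is delivered at sti, after INV has been re-established, and the handler consumes the item; in the racy run the handler observes the buffer between the two writes and the violation counter records it. The check in sti stands in for the verification condition the framework discharges statically; a real sti performs no such check, which is exactly why the obligation has to be proved rather than tested.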
Modern computer systems consist of a multitude of abstraction layers (e.g., OS kernels, hypervisors, device drivers, network protocols), each of which defines an interface that hides the implementation details of a particular set of functionality. Client programs built on top of each layer can be understood solely based on the interface, independent of the layer implementation. Despite their obvious importance, abstraction layers have mostly been treated as a system concept; they have almost never been formally specified or verified. This makes it difficult to establish strong correctness properties, and to scale program verification across multiple layers. In this paper, we present a novel language-based account of abstraction layers and show that they correspond to a strong form of abstraction over a particularly rich class of specifications which we call deep specifications. Just as data abstraction in typed functional languages leads to the important representation independence property, abstraction over deep specification is characterized by an important implementation independence property: any two implementations of the same deep specification must have contextually equivalent behaviors. We present a new layer calculus showing how to formally specify, program, verify, and compose abstraction layers. We show how to instantiate the layer calculus in realistic programming languages such as C and assembly, and how to adapt the CompCert verified compiler to compile certified C layers such that they can be linked with assembly layers. Using these new languages and tools, we have successfully developed multiple certified OS kernels in the Coq proof assistant, the most realistic of which consists of 37 abstraction layers, took less than one person year to develop, and can boot a version of Linux as a guest.
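The implementation-independence property in the abstract above says that a deep specification pins down everything a client can observe, so any two implementations of it are interchangeable from the client's point of view. The C program below is an added illustration, not the paper's layer calculus or any of its Coq or CompCert code: it assumes a constructed one-primitive-pair layer (a saturating counter with incr and get), gives its deep specification as an abstract state with a total step function per primitive, and compares two representation-different implementations, plus one that only meets a shallow range property, against the spec on a client's observable trace. A single client run can only witness the property; the paper proves it for all clients. All names (counter_layer, BOUND, meets_deep_spec, and so on) are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BOUND 3
#define MAX_OPS 16

/* Layer interface clients program against: a saturating counter. */
typedef struct {
    void *st;
    bool (*incr)(void *st);        /* false once the bound is reached */
    int  (*get)(const void *st);
} counter_layer;

/* Deep specification: an abstract state plus a complete definition of each
 * primitive's effect on it, leaving nothing a client can observe open. */
typedef struct { int n; } spec_state;
static bool spec_incr(void *s) {
    spec_state *p = s;
    if (p->n >= BOUND) return false;
    p->n++;
    return true;
}
static int spec_get(const void *s) { return ((const spec_state *)s)->n; }

/* Implementation A, built on a byte-array "memory" layer below it. */
typedef struct { unsigned char mem[4]; } impl_a_state;
static bool a_incr(void *s) {
    impl_a_state *p = s;
    if (p->mem[0] >= BOUND) return false;
    p->mem[0]++;
    return true;
}
static int a_get(const void *s) { return ((const impl_a_state *)s)->mem[0]; }

/* Implementation B, a different representation: the remaining budget
 * counted down rather than the count up. */
typedef struct { int remaining; } impl_b_state;
static bool b_incr(void *s) {
    impl_b_state *p = s;
    if (p->remaining == 0) return false;
    p->remaining--;
    return true;
}
static int b_get(const void *s) { return BOUND - ((const impl_b_state *)s)->remaining; }

/* Implementation W wraps instead of saturating. It meets a shallow spec such
 * as "get returns a value in [0, BOUND]" but not the deep one. */
typedef struct { int n; } impl_w_state;
static bool w_incr(void *s) {
    impl_w_state *p = s;
    p->n = (p->n + 1) % (BOUND + 1);
    return true;
}
static int w_get(const void *s) { return ((const impl_w_state *)s)->n; }

/* A client written against the interface alone. Its observable behaviour is
 * the trace it records: the counter after each successful incr, else -1. */
static void client(counter_layer *L, int ops, int *trace) {
    for (int i = 0; i < ops; i++)
        trace[i] = L->incr(L->st) ? L->get(L->st) : -1;
}

/* Fresh layer instances so every check starts from the initial state. */
typedef enum { IMPL_A, IMPL_B, IMPL_W } impl_id;
typedef union { impl_a_state a; impl_b_state b; impl_w_state w; } impl_storage;

static counter_layer fresh_layer(impl_id id, impl_storage *st) {
    switch (id) {
    case IMPL_A: st->a = (impl_a_state){{0}};     return (counter_layer){ &st->a, a_incr, a_get };
    case IMPL_B: st->b = (impl_b_state){ BOUND }; return (counter_layer){ &st->b, b_incr, b_get };
    default:     st->w = (impl_w_state){ 0 };     return (counter_layer){ &st->w, w_incr, w_get };
    }
}

/* Shallow property: every value the client reads lies in [0, BOUND]. */
static bool meets_shallow_spec(impl_id id) {
    impl_storage st;
    counter_layer L = fresh_layer(id, &st);
    int t[MAX_OPS];
    client(&L, 5, t);
    for (int i = 0; i < 5; i++)
        if (t[i] != -1 && (t[i] < 0 || t[i] > BOUND)) return false;
    return true;
}

/* Deep property: the client's trace on the implementation equals its trace
 * on the specification, so the client cannot tell them apart. */
static bool meets_deep_spec(impl_id id) {
    impl_storage st;
    counter_layer L = fresh_layer(id, &st);
    spec_state s = {0};
    counter_layer spec = { &s, spec_incr, spec_get };
    int ts[MAX_OPS], ti[MAX_OPS];
    client(&spec, 5, ts);
    client(&L, 5, ti);
    return memcmp(ts, ti, 5 * sizeof(int)) == 0;
}

int main(void) {
    const char *names[] = { "A", "B", "W" };
    for (int id = IMPL_A; id <= IMPL_W; id++)
        printf("impl %s: shallow=%d deep=%d\n", names[id],
               meets_shallow_spec((impl_id)id), meets_deep_spec((impl_id)id));
    return 0;
}
```

On the five-operation client the spec's trace is 1, 2, 3, -1, -1; implementations A and B reproduce it despite their different state representations, while W produces 1, 2, 3, 0, 1. W still satisfies the shallow range property, which is the point of the distinction: a shallow spec leaves observable behaviour open, so two of its implementations need not be contextually equivalent, whereas a deep spec forces them to be.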
Lijiang River is an essential drinking water source and natural scenery in Guilin City. For the first time, the implications of rainstorms were taken into consideration by investigating the spatial and temporal variation of dissolved heavy metals (HMs) in Lijiang River water. A total of 68 water samples were collected during the low flow (normal) season and the high flow (rainstorm) season from 34 sampling sites. Dissolved HMs including Cr, Mn, Co, Cu, Zn, As, Cd, Sb, and Pb were found to meet the respective drinking water standards, while higher concentrations were observed after the rainstorm season, except for Cr. Multivariate statistical analysis showed that Co, Cu, Cr, Zn, Sb, and Pb in the normal season are mainly controlled by anthropogenic sources. Furthermore, the higher concentrations of Mn, Cu, Cd, Pb, Co and Zn during the high flow season are attributed to rainstorms. The water quality index (WQI) showed good grades, comparatively lower in the rainstorm season. The results of the health risk assessment revealed that HMs in the Lijiang River pose limited health risk; however, As poses a potential health risk during the rainstorm season. It is suggested to adopt preventive measures for mining activities and industrial wastewater discharge upstream and downstream of the river.