Operating system (OS) kernels form the backbone of system software. They can have a significant impact on the resilience and security of today's computers. Recent efforts have demonstrated the feasibility of formally verifying simple general-purpose kernels, but they have ignored the important issues of concurrency, which include not just user and I/O concurrency on a single core, but also multicore parallelism with fine-grained locking. In this work, we present CertiKOS, a novel compositional framework for building verified concurrent OS kernels. Concurrency allows interleaved execution of programs belonging to different abstraction layers and running on different CPUs/threads. Each such layer can have a different set of observable events. In CertiKOS, these layers and their observable events can be formally specified, and each module can then be verified at the abstraction level it belongs to. To link all the verified pieces together, CertiKOS enforces a so-called contextual refinement property for every such piece, which states that the implementation will behave like its specification under any concurrent context with any valid interleaving. Using CertiKOS, we have successfully developed a practical concurrent OS kernel, called mC2, and built the formal proofs of its correctness in Coq. The mC2 kernel is written in 6500 lines of C and x86 assembly and runs on stock x86 multicore machines. To our knowledge, this is the first correctness proof of a general-purpose concurrent OS kernel with fine-grained locking.
In this study, a series of sloshing model tests was conducted for type-C tanks, particularly to observe the effects of the inner bulkhead and rings. Under regular pitch motion, the internal flow shaped by the swash bulkhead and rings located inside the tank was observed. The frequency range near the resonance frequency was examined at a filling height of 70%, and sloshing-induced impact pressures were investigated. Through this study, the global flows inside the tank and the local flows during impact occurrence at the hemispherical end of the tank were systematically observed, and the impact pressure pattern for each frequency ratio was compared. Because the swash bulkhead is located in the center of the tank, the flow does not move all at once, and the velocity of the flow is reduced by the inner rings. The flows passing through the swash bulkhead proceed with a time difference, overlapping with the first wave and generating various types of sloshing impact. The results of computational fluid dynamics (CFD) calculations and of the experiments were also compared for a limited set of conditions.