Using Crash Hoare logic for certifying the FSCQ file system

Chen, Haogang; Ziegler, Daniel; Chajed, Tej; Chlipala, Adam; Kaashoek, M. Frans; Zeldovich, Nickolai

doi:10.1145/2815400.2815402

Cited by 175 publications

(147 citation statements)

References 44 publications

Supporting

Mentioning

144

Contrasting

Unclassified

Order By: Relevance

“…Like us, Charguéraud [2010Charguéraud [ , 2011 generates shallow embeddings to facilitate mechanical proofs, but unlike us they do not prove compilation correctness. Chen et al [2015] formally show in Coq [Bertot and Castéran 2004] full crash-resilience of FSCQ. FSCQ is smaller than ext2 and BilbyFs, and an order of magnitude slower than asynchronous ext4.…”

Section: Related Workmentioning

confidence: 99%

“…Its implementation relies on generating Haskell code from Coq, and executing that code with a full Haskell runtime in userspace. We focus on bridging high-level specification and lowlevel implementation, on efficiency, and on providing a small trusted computing base, while Chen et al [2015] assume all these are given and focus on crash resilience. The approaches are complementary, i.e.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Refinement through restraint: bringing down the cost of verification

O'ConnorLiam¹,

ChenZilin²,

RizkallahChristine³

et al. 2016

SIGPLAN Not.

View full text Add to dashboard Cite

We present a framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems. Our framework allows for equational reasoning about systems code written in our new language, Cogent. Cogent is a restricted, polymorphic, higher-order, and purely functional language with linear types and without the need for a trusted runtime or garbage collector. Linear types allow us to assign two semantics to the language: one imperative, suitable for efficient C code generation; and one functional, suitable for equational reasoning and verification. As Cogent is a restricted language, it is designed to easily interoperate with existing C functions and to connect to existing C verification frameworks.Our framework is based on certifying compilation: For a welltyped Cogent program, our compiler produces C code, a high-level shallow embedding of its semantics in Isabelle/HOL, and a proof that the C code correctly refines this embedding. Thus one can reason about the full semantics of real-world systems code productively and equationally, while retaining the interoperability and leanness of C. The compiler certificate is a series of language-level proofs and per-program translation validation phases, combined into one coherent top-level theorem in Isabelle/HOL.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Refinement through restraint: bringing down the cost of verification

O'ConnorLiam¹,

ChenZilin²,

RizkallahChristine³

et al. 2016

SIGPLAN Not.

View full text Add to dashboard Cite

show abstract

“…Frost et al (Frost et al 2007) present abstractions to make file-system dependencies explicit (e.g., a read must be done after a write). Formal specifications of file systems (Chen et al 2015;Amani et al 2016) are a recent breakthrough in the formal specification of operating systems. Like these works, we aim to prove high level properties of systems, with the added difficulty of handling concurrent operations.…”

Section: Related Workmentioning

confidence: 99%

Towards Proving Optimistic Multicore Schedulers

Lepers

Zwaenepoel

Lozi

et al. 2017

Proceedings of the 16th Workshop on Hot Topics in Operating Systems

View full text Add to dashboard Cite

Operating systems have been shown to waste machine resources by leaving cores idle while work is ready to be scheduled. This results in suboptimal performance for user applications, and wasted power.Recent progress in formal verification methods have led to operating systems being proven safe, but operating systems have yet to be proven free of performance bottlenecks. In this paper we instigate the first effort in proving performance properties of operating systems by designing a multicore scheduler that is proven to be work-conserving.

show abstract

“…In independent work, Chen et al introduced Crash Hoare Logic (CHL) to reason about host failures and applied it to a substantial sequential journaling file system (FSCQ) written in Coq [2]. CHL extends Hoare triples with faultconditions and provides highly automated reasoning about host failures.…”

Section: Related Workmentioning

confidence: 99%

Fault-Tolerant Resource Reasoning

Ntzik

Pinto

Gardner

2015

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. Separation logic has been successful at verifying that programs do not crash due to illegal use of resources. The underlying assumption, however, is that machines do not fail. In practice, machines can fail unpredictably for various reasons, e.g. power loss, corrupting resources. Critical software, e.g. file systems, employ recovery methods to mitigate these effects. We introduce an extension of the Views framework to reason about such methods. We use concurrent separation logic as an instance of the framework to illustrate our reasoning, and explore programs using write-ahead logging, e.g. an ARIES recovery algorithm.

show abstract

Using Crash Hoare logic for certifying the FSCQ file system

Cited by 175 publications

References 44 publications

Refinement through restraint: bringing down the cost of verification

Refinement through restraint: bringing down the cost of verification

Towards Proving Optimistic Multicore Schedulers

Fault-Tolerant Resource Reasoning

Contact Info

Product

Resources

About