USC Computer Science Technical Reports, no. 654 (1997)
A Survey on Kernel Specification and Verification
Ahmed Helmy
email: ahelmy@usc.edu
May 1997
Abstract
Formal methods have been traditionally used to model and verify operating systems. Different methods verify different operating systems properties, such as process management, mutual exclusion and interprocess communication. Moreover, various methods may capture different design errors, such as deadlocks or unspecified receptions.
The system kernel supports higher-level system services. Hence kernel verification is essential for the proper operation of the system. In addition, providing a clear kernel specification improves the interoperability between its various implementations.
In this paper we describe commonly used methods for kernel specification and verification. Some methods provide a mathematical model and use logic to prove properties of interest. These include PVS and Boyer-Moore logic. Others use a programming language to simulate the system, then apply verification tools to capture system errors. These include the SPIN tool.
Distributed operating systems are susceptible to unexpected failure events, complicating the issue of system robustness. This issue is not addressed explicitly by traditional verification methods. We present a new STRESS method that can be used to analyze system robustness. STRESS is based on a simulation framework and facilitates fault simulation for distributed operating systems and kernels.
Finally, our comparison shows that some of the methods discussed are complementary. Thus several methods may be used to obtain better fault coverage of the target system.
Keywords: Operating Systems, Kernel, Formal Methods, Verification, Specification, Robustness
Introduction
In general, kernels are modeled as communicating finite state machines (FSM). The definition of a FSM requires a set of machine states and a definition of transitions on these states. In our case, kernel operations control the changes to the machine states.
Goals for obtaining a kernel model are manifold. First, to provide a precise documentation by defining the required behavior of the kernel interface and ignoring implementation issues. Second, to define a contract between kernel users and implementors. This enhances the program's portability by providing an unambiguous statement of the required features of a kernel implementation. Third, to facilitate proof of correctness of application programs which run on the kernel, using mechanical proof checkers.
In this research paper a survey of the methods commonly used to verify and validate kernel specifications and implementations is presented. This study is not meant to be exhaustive, rather illustrative, with emphasis on the limitations and shortfalls of the conventional methods.
In addition, we describe a new method based upon a simulation model to analyze the robustness of distributed operating systems and kernels under loss and failure scenarios. We call our method Systematic Testing of Robustness by Examination of Selected Scenarios (STRESS).
All the methods described share a common ultimate goal, that is, to test correctness aspects of the system. In general, correctness implies the absence of errors. System errors are discussed next.
System Errors
There are two types of errors addressed by kernel design: design errors and operational errors.
Design errors address (a) safety, (b) liveness and (c) responsiveness properties of a system. Safety properties ensure that the system never enters undesirable states, and include freedom from deadlocks, assertion violations, improper termination and unspecified receptions. Liveness properties ensure that the system performs its intended functions with respect to the service specification, and include detection of acceptance cycles (those that pass through acceptance states) and absence of non-progress cycles (those that do not pass through any progress state). Responsiveness properties include timeliness and fault tolerance, which recovers the system to a legal state to resume normal execution from an illegal state.
Operational errors relate to the implementation environment. Recovery mechanisms deal with transient operational errors, which may change the state of a system but may not change its behavior.
This wide spectrum of potential errors motivated the development of various approaches for correct system design. A high-level classification of these approaches is outlined next.
Taxonomy
The main issues addressed by the methods discussed in this paper are specification and verification. Throughout this document we conveniently interchange "system" and "kernel", since the kernel is the target system of this study.
Specification is the process of describing a system and its desired properties. Formal specification uses a language with a mathematically defined syntax and semantics. System properties include functional behavior, timing behavior, performance characteristics or internal structure.
Verification goes one step beyond specification to analyze a system for the desired properties. The two approaches for verification are theorem proving and model checking.
Theorem proving
In theorem proving, system properties are expressed in logic formulas defining a set of axioms and rules. In contrast to model checking, theorem proving can deal with infinite state spaces. However, interactive theorem provers require human intervention and hence are slow and error-prone.
Theorem proving includes model-based and logic-based formalisms. Model-based formalisms such as Z and VDM are suitable for kernel specifications in a succinct manner, but lack the tool support for effective proof of properties. The use of first order logic allows the use of theorem provers such as Nqthm, but may result in specifications that are difficult to read. Higher order logic, such as PVS, provides the expressive power to give clear descriptions and proof capabilities for kernel properties.
We shall describe the application of Nqthm and PVS to kernel verification in the section on verification methods.
Model checking
Model checking relies on building a finite model of a system and checking that a desired property holds. It is usually used for reachability analysis. The check is performed as an exhaustive search and may suffer from the state explosion problem.
In this model a program is used to simulate the behavior of the system. SPIN and STRESS fall under this category and are described further in the section on verification methods.
For brevity we shall only address a subset of these methods that have actually been used for modeling and verification of kernels. The rest of the paper is organized as follows. The next section discusses the surveyed methods with the corresponding case studies. A comparison of the methods is presented in the section after it, and the final section provides the conclusion of this study.
Verification Methods
In this section we discuss individual verification tools and present some case studies on kernel verification. As previously discussed, verification methods include theorem proving and model checking. Theorem proving is presented first. This discusses the Nqthm prover with a case study on Mach, and the PVS system with a case study on a real-time kernel. Then model checking methods are discussed, presenting the SPIN tool with a case study on the Harmony kernel. Our new STRESS method concludes this section.
Theorem Proving
A kernel state consists of entities such as memory objects, processes and threads. Axioms constrain the relations between entities in a valid kernel state. This is illustrated by the following case studies.
Mach math model using Nqthm
This case study investigates a simple model of some properties of the Mach kernel using the Boyer-Moore logic and Nqthm.
Nqthm: Nqthm is an automated reasoning system, also known as the Boyer-Moore Theorem Prover. Nqthm is a Common Lisp program for proving mathematical theorems. The logic of Nqthm is a quantifier-free first order logic with equality. The rules of inference of the logic are those of propositional logic and equality, with the addition of mathematical induction. Using Nqthm logic, concepts and axioms are introduced and are used to derive lemmas. New functions must satisfy the concepts and axioms. To better understand how such logic is used in kernel modeling, we discuss its application to Mach.
Mach math model: Mach is a microkernel that minimizes the abstractions provided by the kernel and provides a rich set of semantics associated with these abstractions.
The Mach kernel state consists of entities such as tasks, threads, ports, messages, pages and memory objects.
Entities may participate in relations. For example, a port right is a relation involving a task and a port that characterizes a task's capability on a port. Axioms place constraints on the relations that may hold in a kernel state; for instance, at most one task may hold a receive right on a given port. The description of entities, relations and constraints characterizes a legal Mach state.
Kernel requirements are expressed as a collection of functions, predicates and axioms. A recognizer predicate is identified for each Mach entity class. For example, an entity x that satisfies the predicate taskp(x) is a task in the given state. A thread is recognized by the predicate threadp(x).
Following are four axioms defining the relations between tasks and threads.
Axiom 1: Disjointness of taskp and threadp.
    ¬(taskp(x) ∧ threadp(x))
Axiom 2: The relation task_thread formalizes thread ownership. The expression task_thread(t, th) holds in a given state if th is a thread in task t.
    task_thread(t, th) → taskp(t) ∧ threadp(th)
Axiom 3: A thread can only be owned by one task.
    task_thread(t1, th) ∧ task_thread(t2, th) → t1 = t2
Axiom 4: The set of threads associated with task t is expressed as threads(t). A thread th is an element of threads(t) if and only if it is owned by t.
    th ∈ threads(t) ↔ task_thread(t, th)
To define the Mach state, we construct the closures for the axioms. For example, the closure of Axiom 1 is
    ∀x. ¬(taskp(x) ∧ threadp(x))
Definition: A legal Mach state can be defined as the conjunction of the closures of the axioms:
    legal_state ≡ (∀x. ¬(taskp(x) ∧ threadp(x))) ∧ ...
Kernel transitions (e.g., Mach atomic actions) must preserve legality, i.e., produce a legal state from a legal state.
One can methodically examine all the relations given and identify the desired actions in each class which can be derived from that relation. This procedure, however, is not entirely algorithmic, since within each class practical issues must be addressed.
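As an added illustration (not code from the paper or from the Nqthm model it describes), the following Python encodes the four task/thread axioms as closures over a small state, defines legal_state as their conjunction, and checks whether candidate atomic actions preserve legality. The entity names, the transitions and the deliberately defective thread_migrate_buggy are constructed for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class MachState:
    """A drastically reduced Mach kernel state (constructed for the example):
    the task and thread entities plus the task_thread ownership relation,
    stored as a set of (task, thread) pairs."""
    tasks: frozenset
    threads: frozenset
    task_thread: frozenset

# recognizer predicates and the ownership relation of the paper's model
def taskp(s, x):
    return x in s.tasks

def threadp(s, x):
    return x in s.threads

def task_thread(s, t, th):
    return (t, th) in s.task_thread

def threads(s, t):
    return frozenset(th for (tt, th) in s.task_thread if tt == t)

def entities(s):
    return s.tasks | s.threads | frozenset(e for pair in s.task_thread for e in pair)

# closures of the four axioms, quantified over every entity present in the state
def axiom1(s):  # forall x. not (taskp(x) and threadp(x))
    return all(not (taskp(s, x) and threadp(s, x)) for x in entities(s))

def axiom2(s):  # task_thread(t, th) -> taskp(t) and threadp(th)
    return all(taskp(s, t) and threadp(s, th) for (t, th) in s.task_thread)

def axiom3(s):  # task_thread(t1, th) and task_thread(t2, th) -> t1 = t2
    return all(len({t for (t, x) in s.task_thread if x == th}) <= 1 for th in s.threads)

def axiom4(s):  # th in threads(t) <-> task_thread(t, th)
    return all((th in threads(s, t)) == task_thread(s, t, th)
               for t in s.tasks for th in s.threads)

def legal_state(s):
    """Definition: legal_state is the conjunction of the axiom closures."""
    return axiom1(s) and axiom2(s) and axiom3(s) and axiom4(s)

# candidate kernel transitions (atomic actions), constructed for the example
def thread_create(s, t, th):
    return replace(s, threads=s.threads | {th}, task_thread=s.task_thread | {(t, th)})

def thread_terminate(s, th):
    return replace(s, threads=s.threads - {th},
                   task_thread=frozenset(p for p in s.task_thread if p[1] != th))

def thread_migrate_buggy(s, th, new_task):
    # constructed defect: records the new owner without dropping the old pair,
    # so the thread ends up owned by two tasks
    return replace(s, task_thread=s.task_thread | {(new_task, th)})

def thread_migrate(s, th, new_task):
    kept = frozenset(p for p in s.task_thread if p[1] != th)
    return replace(s, task_thread=kept | {(new_task, th)})

def preserves_legality(transition, s, *args):
    """Legality preservation: a legal pre-state must yield a legal post-state."""
    if not legal_state(s):
        raise ValueError("pre-state is not legal")
    return legal_state(transition(s, *args))

# a small legal initial state: two tasks, one thread owned by t1
INIT = MachState(frozenset({"t1", "t2"}), frozenset({"th1"}), frozenset({("t1", "th1")}))
```

Each failing check names the axiom the transition breaks: creating an entity that is both task and thread violates Axiom 1, owning a thread by an unknown task violates Axiom 2, and the buggy migration violates Axiom 3.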
Limitations: The Mach model for atomic actions and locks includes a large number of relations, axioms and functions. The fact that axiomatization is not algorithmic may limit the use of Nqthm.
Real-time kernel model using PVS
We present a specification analysis of a real-time kernel using the PVS (Prototype Verification System) system.
PVS: PVS is a verification system, that is, a specification language integrated with support tools and a theorem prover. It is based on classical higher order logic extended with a typing system. The following case study gives the approach of PVS to kernel specification and verification.
Real-time kernel specification: Real-time operating systems are vital for safety critical systems, and their correctness is essential for the integrity of such systems. Here we present a simplified specification of a real-time kernel. The specification includes an abstract model of the functional and timing requirements for the kernel, and a minimal model of the system supported.
The kernel requirements include: no dynamic task creation (for simplicity of analysis), asynchronous IPC via shared data allowed by Ada's protected objects, and mutual exclusion provided by a priority protocol.
The properties of the kernel that need to be verified are (a) the highest priority task is executed, and (b) mutual exclusion is maintained for protected objects.
The approach produces a high level kernel specification, including a minimal model of the application program and the interactions between application and kernel. This provides a description of the kernel functionality and of the application properties required for proper operation of the system. The model of interactions allows global system properties to be analyzed with the assistance of a theorem prover.
The high level kernel specification comprises the timing properties, the kernel environment and the kernel state.
Timing properties are expressed using real-time logic (RTL). The logic is based on an event-action model, where actions are time consuming sections of work and events are temporal markers corresponding to external stimuli, the start and end of actions, and system state changes.
The basic types for the kernel environment include TASK, protected objects (PO) and interrupts. The state of a task can be either ready to run or suspended. For protected objects, the value of the guard for each PO entry is updated by the kernel under mutual exclusion. Axioms are used to express these requirements. For example, each task is assigned a unique base priority.
The kernel state consists of state variables, the state of each task in the system and the state of each protected object.
The kernel operations consist of Delay operations to suspend tasks, operations on protected objects, and the Dispatcher. Interfaces between the kernel and the system are in terms of the kernel state and the defined operations. The state of the system is the state of the kernel combined with the state of the program.
To execute a given operation in the system, the good_operation predicate is evaluated. It consists of the conjunction of the following four properties:
(a) no potentially blocking operations are executed by a task within a protected object,
(b) a task can only exit from a protected object if it is in one,
(c) the object must be available for a task that is attempting to enter it, and
(d) the object from which a task is exiting must be the last one that it entered.
The operation of the system is modeled as a finite sequence of operations. Each operation takes a finite bounded time to execute, ensuring the termination of execution.
Sequences of kernel operations are modeled by the type HISTORY, and the state of the kernel after such a sequence is defined by an interpreter function Int. Int takes an initial state and a history and returns the state of the kernel after this sequence of operations.
Modeling all possible states in which the system may exist is achieved by applying the interpreter function to the initial system state with all possible sequences of operations. Hence the validity of an invariant property P(s) is expressed as
    ∀h : History. P(Int(Init, h))
where Init is the initial state of the system.
The general class of properties that can be analyzed in this manner are those that can be expressed as an invariant on the system state.
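As an added example (not the paper's or the PVS specification's own code), this Python models the good_operation predicate with properties (a) to (d), an interpreter Int over a HISTORY of operations, and a bounded check of ∀h. P(Int(Init, h)) for the mutual exclusion property (b). The two-task, two-object instance, the operation set, treating only Delay as potentially blocking, and treating a rejected operation as a no-op are assumptions of the example; enumerating histories up to a bound approximates what PVS proves for all histories by induction.

```python
from itertools import product

# constructed instance: two tasks and two protected objects
TASKS = ("t1", "t2")
POS = ("po_a", "po_b")

def init_state():
    """Kernel state: per-task stack of entered protected objects (last entered on top),
    per-PO owner, and per-task suspension flag.  This is Init."""
    return {"inside": {t: () for t in TASKS},
            "owner": {po: None for po in POS},
            "suspended": {t: False for t in TASKS}}

def operations():
    """The operation alphabet of a HISTORY: enter/exit a PO, or Delay a task."""
    ops = [("enter", t, po) for t in TASKS for po in POS]
    ops += [("exit", t, po) for t in TASKS for po in POS]
    ops += [("delay", t, None) for t in TASKS]
    return ops

def good_operation(s, op):
    """Conjunction of the four properties, evaluated for the operation at hand."""
    kind, t, po = op
    stack = s["inside"][t]
    if kind == "delay":
        # (a) Delay is potentially blocking (assumption): forbidden inside a PO
        return len(stack) == 0
    if kind == "enter":
        # (c) the object must be available
        return s["owner"][po] is None
    # exit: (b) the task must be in a PO and (d) it must be the last one it entered
    return len(stack) > 0 and stack[-1] == po

def apply(s, op):
    """State change of one operation (no checks; good_operation guards it)."""
    kind, t, po = op
    inside, owner, suspended = dict(s["inside"]), dict(s["owner"]), dict(s["suspended"])
    if kind == "delay":
        suspended[t] = True
    elif kind == "enter":
        inside[t] = inside[t] + (po,)
        owner[po] = t
    else:
        inside[t] = inside[t][:-1]
        owner[po] = None
    return {"inside": inside, "owner": owner, "suspended": suspended}

def interpret(init, history, guarded=True):
    """Int(Init, h): apply the operations of history h in order.  With guarded=True an
    operation failing good_operation is rejected and the state is unchanged."""
    s = init
    for op in history:
        if guarded and not good_operation(s, op):
            continue
        s = apply(s, op)
    return s

def mutual_exclusion(s):
    """Invariant P(s): every protected object is occupied by at most one task."""
    return all(sum(po in s["inside"][t] for t in TASKS) <= 1 for po in POS)

def check_invariant(max_len=3, guarded=True):
    """Bounded check of  forall h: History. P(Int(Init, h))  over all histories of
    length <= max_len.  Returns the first violating history, or None."""
    for n in range(max_len + 1):
        for history in product(operations(), repeat=n):
            if not mutual_exclusion(interpret(init_state(), history, guarded)):
                return history
    return None
```

Running check_invariant(guarded=False) shows why the predicate matters: without it, the two-step history in which both tasks enter the same object violates mutual exclusion.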
Limitations: (a) In general, PVS suffers a similar limitation to that of Nqthm, which is the definition of a large number of relations and axioms.
(b) PVS is a large, complex system. Learning it may consume a long time and requires a lot of expertise.
(c) Another limitation is related to the use of Ada. Ada rendezvous requires two processes to both reach synchronization points, which can cause unbounded delays and is not easily amenable to standard analysis techniques.
Model Checking
One may classify model checking methods into logic model checkers and on-the-fly checkers. A logic model checker works with a two-pass verification process. In the first pass the basic behavior of the system is explored and an abstract representation is obtained. In the second pass the representation is used to prove or disprove the system's correctness.
On-the-fly verification works with a one-pass verification process. It stores in memory the minimum information needed for correctness verification; hence on-the-fly systems can handle larger problem sizes, and faster, than a logic model checker. SPIN lies in this category and is discussed next.
Harmony kernel verification using SPIN
SPIN: SPIN is a general verification tool for proving correctness properties of distributed or concurrent systems. These systems interact through shared memory, rendezvous operations, or buffered message passing. Problems that these interactions may create can be debugged by SPIN. Once the system design is obtained, a proof of its correctness can be provided.
SPIN uses the validation modeling language PROMELA, which is based on Hoare's CSP language. PROMELA models communicating sequential processes which may be created dynamically and communicate asynchronously or synchronously by messages through channels.
SPIN supports the following features:
(a) Automated verification based on the principles of reachability analysis, with the use of space reduction techniques.
(b) Complexity profiling: statistics gathered during verification can be used to identify the hot spots in the validation model.
(c) Search for safety and liveness properties. Safety errors captured include assertion violations, invalid end states, unspecified receptions and unreachable code segments. Liveness properties such as acceptance cycles and non-progress cycles are also detected.
Two types of simulation are supported: (i) random simulation, which uses a randomizer for non-deterministic selection of the process scheduling algorithm, and (ii) guided simulation, where an error trail, in terms of states or transitions, is followed. A guided simulation can only be performed if a verification run was done first that revealed an error in the system.
SPIN is intended to be both a testbed for the development and evaluation of new verification techniques, and an environment for the verification of concurrent systems.
Harmony: Harmony is a real-time multitasking multiprocessor operating system. It is based on a microkernel and system servers. It features interrupts, priority preemptive scheduling, intertask communication (a send-receive-reply scheme) and dynamic tasks. Mutual exclusion across processor boundaries is achieved by an ownership protocol rather than locks.
The first step is to formalize the models of the system, the scenarios and the properties that are to be checked. Focus is given to deadlocks, livelocks and other safety properties for the primitives of Harmony. PROMELA channels are used for abstracting intertask communications. Then exhaustive verification of the intertask communication and task management features of Harmony was carried out by model checking.
In the following we discuss the modeling and verification of intertask communication and task management.
I. The intertask communication model is composed of the following modules: (a) a kernel module, including parameters such as the number of processors and definitions of each part of the system and scenarios; (b) a task descriptor module, including the task state, its correspondent, its processor and its send queue; (c) a processor module, which models the interrupt masking primitives (local mutual exclusion relies on interrupt masking); (d) an interrupt model, which uses non-deterministic scheduling; and (e) queuing primitives.
Verification of intertask communication includes absence of deadlocks or livelocks, appropriate return codes, and checking that all the code is reached. To achieve this, an attempt is made to find a set of scenarios that exhibit all possible communication schemes. Reduction techniques can be used to reduce the number of scenarios investigated, for example by considering system symmetries, such as treating all processors as identical.
II. Task management and creation may be dynamic, but may introduce an infinite state space at validation time. Hence a bounded number of application tasks is scheduled at initialization. Interprocessor interrupt handling takes priority over the running tasks if interrupts are not masked. Verification is attained by simulating and verifying basic scenarios involving the use of kernel primitives.
Limitations: (a) The fact that the validator indicates that all the code is reached does not prove that every situation in the code was reached. For example, in
    if (c1 ∧ c2) then proc1 else proc2
there are four possible values for the pair (c1, c2), but one may encounter only two of them and still cover the code.
(b) It takes a long time to get acceptable models for validation.
Figure: STRESS method block diagram overview. Stages and their elements: Scenario Generation (End-point Scenarios, Topology, Loss & Failures); Simulation & Tracing (Simulation Set-up, Simulation Engine, End Point Tracing, State Transition Tracing, Annotated Code Tracing, Specific Tracing); Output Analysis (End Point Errors, Transition Errors, Code Profiling).
(c) Even with a partial model and a restricted scenario, we may be faced with a state explosion. The partial order reduction technique integrated into SPIN ameliorates this problem. Nevertheless, a high rate of communication interaction obviates the benefit of reduction techniques.
(d) When the problem size is large, it is difficult to follow the path that led to the error.
STRESS
One of the shortfalls of the methods discussed so far is that they do not explicitly support fault and error modeling. In reality, systems consist of various software and hardware components. The failure of any component may affect the correctness of the overall system. In order to design robust and correct systems, it is crucial to consider failure scenarios as an integral part of the system design.
This motivates our next method, which we call STRESS, for Systematic Testing of Robustness by Examination of Selected Scenarios. By robustness we refer to the ability of a system to react correctly in the face of failures. For brevity, we shall only present an overview of STRESS.
STRESS is based on a simulation framework and supported by a set of verification tools. The main approach aims to capture and analyze a set of error prone scenarios under various failure and loss conditions. This is achieved by investigating representative parts of the state space and by the definition of error conditions. As shown in the figure, the three main stages of our approach are (a) scenario generation, (b) tracing and (c) output analysis.
Scenario generation: Scenarios are the collection of topologies and sequences of events (input stimuli and state transitions) that describe the simulation context. Analysis of these sequences can unveil weaknesses in the system design. Elements of a scenario include:
(i) topology, the system infrastructure, including the communication buses and interconnects, memory, registers and queues. Topology modules are designed with full controllability over failures and loss. For example, a queue delivers messages to a programmable loss module that either delivers the message or drops it.
(ii) end-point scenarios, the combination of possible actions by the end point. Depending on the system modeled, the end point may correspond to micro-actions, such as reads and writes to registers, or macro-actions, such as exchanging messages between user tasks. We adopt the latter approach in general, where the end point is the user task.
To reduce the number of end-point scenarios, we introduce the notion of representative scenarios. These are simple scenarios that cover a large portion of the state space of the part of the kernel under study. A scenario filter is used in choosing such scenarios, removing impractical combinations or redundant events due to symmetry or equivalence in topology.
(iii) failures, which include (a) loss or corruption of data on the communication bus, and (b) loss of state kept in memory or in registers.
Tracing: Tracing collects information during simulation. Traces are used in the output analysis stage and include:
(i) end-point (or macro) traces, giving information about end-point events such as a system call and its returned code;
(ii) state transition (or micro) traces, providing fine grain information about the kernel's detailed transitions, such as reads and writes to registers;
(iii) specific traces for a given message type, call type or component. For example, one may want to trace the event of opening raw sockets as a call. This information is fed back into the scenario generator to program the infrastructure loss modules to lose such a call in further simulations. This guides the simulation and gives controllability over the loss scenarios;
(iv) annotated code tracing, for use in the profiler in a later stage. Partial tracing of key points is allowed, reducing the time and space required to trace other pieces of code.
Output Analysis: At this stage the data traced during the simulation are analyzed for errors and profiling. It includes the following elements:
(i) end-point errors are extracted from the end-point trace according to a specified error condition. The error condition may involve correctness or performance. For example, a correctness error may indicate the loss of a return code, while a performance error may indicate the arrival of the return code after a time limit. End-point errors are typically used to guide the analysis of transition errors in the kernel.
(ii) transition errors are obtained from both the end-point errors and the transition traces. After an end-point error is discovered, the trace is rolled back in time to relate that error to an error in the kernel transitions.
(iii) profiling conveys information about the segments of annotated code that were not executed and the hot spots in the executed code. This is similar to reachability analysis.
Once the simulation environment is set up, the verifier runs the simulations, feeds back the specific traces, then analyzes the output. To obtain the scenarios causing the error, the basic steps are revisited in reverse order, i.e., from the output analysis to the tracer, then to the scenario generator.
The scenarios obtained can be further used to stress kernel implementations.
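The three STRESS stages above, as an added example that is not the paper's own framework: a constructed Python model of one send/reply exchange over a queue with a programmable loss module, with scenario generation and a scenario filter, end-point and state-transition tracing, and output analysis (end-point errors under a correctness and a performance error condition, rollback to a transition error, and profiling of annotated code segments). The toy kernel's transitions, the DEADLINE value and its deliberate timer defect are constructed for this example.

```python
from itertools import product

DEADLINE = 5   # time limit for the return code; a later one is a performance error
SEGMENTS = ("send_request", "drop", "deliver", "reply", "timeout")  # annotated code segments

def generate_scenarios():
    """Scenario generation: a loss pattern over the two message slots (request, reply)
    crossed with the receiver's service time.  The scenario filter removes the
    impractical combination 'request lost and reply lost' (no reply is ever sent)."""
    raw = product([False, True], [False, True], [1, 6])
    return [sc for sc in raw if not (sc[0] and sc[1])]

def simulate(scenario):
    """Simulation and tracing of one scenario.  Returns the end-point (macro) trace,
    the state-transition (micro) trace and the set of executed annotated segments."""
    drop_request, drop_reply, service_time = scenario
    endpoint, transitions, executed = [], [], set()
    clock = 0
    def trans(segment, detail, sender_state):      # micro trace + segment profiling
        transitions.append((clock, segment, detail, sender_state))
        executed.add(segment)
    endpoint.append((clock, "sender", "send(req)", None))        # macro event: call issued
    trans("send_request", "sender blocked waiting for reply", "blocked+timer")
    if drop_request:                                               # slot 0: loss module
        trans("drop", "request lost on bus", "blocked+timer")
        clock = DEADLINE
        trans("timeout", "sender unblocked by timer", "ready")
        endpoint.append((clock, "sender", "return", "TIMEOUT"))
        return endpoint, transitions, executed
    clock += 1
    # constructed defect in the toy kernel: the reply timer is disarmed as soon as the
    # request is delivered, so a lost reply leaves the sender blocked forever
    trans("deliver", "request delivered; reply timer disarmed", "blocked")
    clock += service_time
    trans("reply", "receiver sends reply", "blocked")
    if drop_reply:                                                 # slot 1: loss module
        trans("drop", "reply lost on bus", "blocked")
        return endpoint, transitions, executed                     # no return event traced
    clock += 1
    trans("deliver", "reply delivered to sender", "ready")
    endpoint.append((clock, "sender", "return", "OK"))
    return endpoint, transitions, executed

def endpoint_errors(endpoint):
    """End-point errors under the specified error condition: a lost return code is a
    correctness error, a return code later than DEADLINE a performance error."""
    call_time = next(t for t, _, ev, _ in endpoint if ev.startswith("send"))
    returns = [t for t, _, ev, _ in endpoint if ev == "return"]
    if not returns:
        return [("correctness", "return code lost", None)]
    if returns[0] - call_time > DEADLINE:
        return [("performance", "return code after time limit", returns[0])]
    return []

def transition_error(transitions, error):
    """Relate an end-point error to a kernel transition.  A performance error maps to
    the first transition past the deadline; a correctness error is rolled back from the
    last loss event to the transition that last changed the sender's blocking state."""
    if error[0] == "performance":
        return next(tr for tr in transitions if tr[0] > DEADLINE)
    last_drop = max(i for i, tr in enumerate(transitions) if tr[1] == "drop")
    for i in range(last_drop - 1, 0, -1):
        if transitions[i][3] != transitions[i - 1][3]:
            return transitions[i]
    return transitions[0]

def profile(executed):
    """Profiling: annotated segments never executed across the traced simulations."""
    return [seg for seg in SEGMENTS if seg not in executed]

def run_stress():
    """Run every representative scenario; return {scenario: [(end-point error,
    transition error), ...]} and the list of unexecuted segments."""
    report, covered = {}, set()
    for sc in generate_scenarios():
        endpoint, transitions, executed = simulate(sc)
        covered |= executed
        report[sc] = [(err, transition_error(transitions, err))
                      for err in endpoint_errors(endpoint)]
    return report, profile(covered)
```

In the lost-reply scenarios the rollback stops at the "deliver" transition whose detail records the disarmed timer, which is the kernel transition the end-point error is traced back to; the slow-receiver scenario is reported as a performance error at the "reply" transition.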
Limitations: (a) Code coverage may not correspond directly to state coverage and is not accurate, as has been shown for SPIN.
(b) STRESS may suffer an explosion in the state space and in the number of failure scenarios. Scenario and space reduction techniques are used to ameliorate this problem. The efficiency of such techniques depends on the feedback from the specific traces and on the size of the system and topology.
(c) If the error trail is long, it may be hard to follow. Nonetheless, the rollback technique and the use of end-point traces guide the error trace.
Summary and Comparison
In this section we present a summary and comparison of general properties of the discussed methods. Although the comparison is not detailed, it gives an outline of the major differences we have inferred from the study.

                 Nqthm                  PVS                     SPIN                           STRESS
Verification     formal proof,          formal proof,           reachability analysis,         reachability analysis,
                 first order logic      higher order logic      state/code coverage            code/scenario coverage
Used for         Specification,         Specification,          Analysis, partial              Analysis, implementation
                 analysis               analysis                conformance testing            stress testing
Robustness       no explicit support    no explicit support     no explicit support            supports loss/failure analysis
Limitations      no. of axioms          no. of axioms           state explosion                scenario explosion
Reusability      low                    low                     moderate (channels)            high (infrastructure)

As shown in the table, formal methods (e.g., Nqthm or PVS) provide precise documentation and hence can be used for specification as well as for analysis through proofs. On the other hand, SPIN and STRESS are mainly used for analysis and testing.
All methods have limitations. For SPIN and STRESS, reachability analysis suffers from the state space explosion. Both methods, however, develop space reduction techniques to circumvent this problem. With the availability of more computation and storage resources, we do not consider this a severe limitation. For PVS and Nqthm, the number of relations and axioms becomes a problem with the growth of the system.
For reusability, formal methods redefine entities, relations and axioms for the new system. SPIN provides communication channels, while STRESS provides a system infrastructure that can be reused.
Conclusion
We have presented various systematic methods for kernel verification. These methods address a wide array of system errors, such as liveness, safety, responsiveness and operational errors.
Verification methods use either theorem proving or model checking. Theorem proving methods can be used for specification as well as analysis, but require the construction of mathematical proofs. Model checking methods are used in analysis and testing, but may experience state explosion problems.
Our comparison shows that for large systems no single method can be used effectively to specify, analyze and test the system. Integration of these methods in a useful manner may solve this problem, but requires a clear understanding of the methods and the target system.
Description
Ahmed Helmy. "A survey on kernel specification and verification ." Computer Science Technical Reports (Los Angeles, California, USA: University of Southern California. Department of Computer Science) no. 654 (1997).
Asset Metadata
Creator
Helmy, Ahmed
(author)
Core Title
USC Computer Science Technical Reports, no. 654 (1997)
Alternative Title
A survey on kernel specification and verification (title)
Publisher
Department of Computer Science,USC Viterbi School of Engineering, University of Southern California, 3650 McClintock Avenue, Los Angeles, California, 90089, USA
(publisher)
Format
12 pages
(extent),
technical reports
(aat)
Language
English
Unique identifier
UC16270843
Identifier
97-654 A Survey on Kernel Specification and Verification (filename)
Legacy Identifier
usc-cstr-97-654
Rights
Department of Computer Science (University of Southern California) and the author(s).
Internet Media Type
application/pdf
Copyright
In copyright - Non-commercial use permitted (https://rightsstatements.org/vocab/InC-NC/1.0/
Source
20180426-rozan-cstechreports-shoaf
(batch),
Computer Science Technical Report Archive
(collection),
University of Southern California. Department of Computer Science. Technical Reports
(series)
Access Conditions
The author(s) retain rights to their work according to U.S. copyright law. Electronic access is being provided by the USC Libraries, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository Name
USC Viterbi School of Engineering Department of Computer Science
Repository Location
Department of Computer Science. USC Viterbi School of Engineering. Los Angeles\, CA\, 90089
Repository Email
csdept@usc.edu