Temporal analysis of a microkernel

This item was submitted to Loughborough University's Institutional Repository by the/an author.

Citation: HUSSAK, W., 1995. Temporal analysis of a microkernel. Software Engineering Journal, 10 (1), pp. 21-26

Additional Information:

- This article was published online in the journal, Software Engineering Journal [© IEEE]. It is also available at: http://ieeexplore.ieee.org/
  Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Metadata Record: https://dspace.lboro.ac.uk/2134/4168

Version: Published

Publisher: © IEEE

Please cite the published version.
This item was submitted to Loughborough's Institutional Repository (https://dspace.lboro.ac.uk/) by the author and is made available under the following Creative Commons Licence conditions.

For the full text of this licence, please go to:
http://creativecommons.org/licenses/by-nc-nd/2.5/
Temporal analysis of a microkernel

by Walter Hussak

Temporal logic techniques have been proposed as a way of achieving a very natural transition from informal requirements to a formal specification of the requirements. The paper presents a case study of a real-life system developed using such techniques. Both a top-level specification and implementation semantics are given in temporal logic. In particular, the progression from statements in English to temporal logic is highlighted. A correctness proof that the implemented system satisfies the specification has been produced.

1 Introduction

In the formal development of any system, an important issue is the clarity of the formalisms used. Ultimately, formal methods can only give assurance of the correct functioning of the system. At the transition from informal to top-level formal specification stage of development, comprehension of the formalisms used increases assurance that the customers' requirements have been properly represented. Thus, the clarity of the formalisms contributes directly to this assurance of the system. A discussion of this aspect of assurance has been described elsewhere [1].

Formal developments of concurrent systems have to address additional problems. For example, what constitutes a high-level requirements specification on the concurrent system? The best known approaches are the process algebras such as CCS [2] and the π-calculus [3], along with tools such as the Concurrency Workbench [4] which support the verification methods offered by these approaches.

In this paper, we report on the formal development of a real-life concurrent system using temporal logic. The difficulty of producing the formal high-level requirements amounts to analysing existing informal requirements written in English. The advantage of using temporal logic is that it addresses concurrency as well as providing an easy transition from informal to formal requirements. A good illustration of this is the specification of a lift system [5], where it is shown how an informal specification can translate very naturally into temporal logic. In this paper, a real-life system is developed in a similar manner [5]. Furthermore, two levels of development are given, for which a proof has been produced. The stages of development are as follows.

Specification
1. Give informal high-level requirements in English.
2. Perform a temporal analysis of the informal requirements.
3. Produce a temporal specification \( \sigma \) of the requirements.

Implementation
1. Implement the system.
2. Perform a temporal analysis of the implemented system.
3. Produce a temporal \( \tau \) semantics of the implemented system.

Verification
1. Prove the formula \( \tau \Rightarrow \sigma \) valid.

The specified system is a microkernel used on the Esprit II European Declarative System (EDS) Project. The operating system for the EDS [6] was to be UNIX-like with a multi-level process model. As part of the early experimentation with this type of model, a lightweight microkernel was layered on top of standard UNIX processes. This microkernel enabled lightweight microprocesses to be scheduled, thus providing fine-grained non-deterministic multi-programming. The microkernel is documented informally elsewhere [7]. The formal specification of the microkernel contained in this paper is a derivative of the original version [8] and gives full semantics for the temporal logic used. A correctness proof for the version in this paper is documented elsewhere [9].

In the next Section, a first-order temporal logic with a slightly unusual semantics is defined. It is used to specify the microkernel. We describe a top-level formal specification of the microkernel by analysing the informal requirements given previously [7]. This is followed by the temporal semantics of the implementation produced by a temporal analysis of the implemented system as described previously [7].

* The parts of that work [7] that relate to the formal specification here are reproduced in this paper.
2 Temporal language

The system is specified in a first-order temporal logic where predicates as well as propositions have time-dependent meaning. This differs from possibly the more common usage where predicates have time-independent meanings. The latter are termed 'rigid' predicates and the former 'flexible' predicates \[lo\], and so the language below is denoted FLTL. Flexible predicates are useful for specifying resources shared in examples elsewhere \[I 1, 12\]. The domain of the predicates is understood to be the non-negative integers \(N\). These represent processes in the microkernel specification, and the predicates are statements about the processes. The full overall system state of the implemented system is denoted \(\mathcal{M}\) by modifying its assignment function \(\alpha\) to map the variables \(n_1, \ldots, n_k\) to \(a_1, \ldots, a_k\), respectively.

\[
\begin{align*}
\mathcal{M}_{a_1} & \vdash P & \iff & l_{P_{a_1}}(P, s_0) \\
\mathcal{M}_{a_2} & \vdash p(n) & \iff & l_{P_{a_2}}(P, s_0 (n)) \\
\mathcal{M}_{a_3} & \vdash n_1 = n_2 & \iff & a(n_1) = a(n_2) \\
\mathcal{M}_{a_4} & \vdash \neg \phi & \iff & \neg \mathcal{M}_{a_4} \vdash \phi = \text{false} \\
\mathcal{M}_{a_5} & \vdash \phi_1 \wedge \phi_2 & \iff & \mathcal{M}_{a_5} \vdash \phi_1 \text{ and } \mathcal{M}_{a_5} \vdash \phi_2 \\
\mathcal{M}_{a_6} & \vdash \phi_1 \lor \phi_2 & \iff & \mathcal{M}_{a_6} \vdash \phi_1 \text{ or } \mathcal{M}_{a_6} \vdash \phi_2 \\
\mathcal{M}_{a_7} & \vdash \forall n \cdot \phi & \iff & \mathcal{M}_{a_7} \vdash \langle n \rightarrow \ldots \rangle \phi, \text{ for all } a \in \mathbb{N} \\
\mathcal{M}_{a_8} & \vdash \exists n \cdot \phi & \iff & \mathcal{M}_{a_8} \vdash \langle n \rightarrow \ldots \rangle \phi, \text{ for some } a \in \mathbb{N} \\
\mathcal{M}_{a_9} & \vdash P \circ \phi & \iff & \mathcal{M}_{a_9} \vdash \phi \\
\mathcal{M}_{a_{10}} & \vdash \phi_1 \text{ for some } i \in \mathbb{N} \\
\mathcal{M}_{a_{11}} & \vdash \phi_1 \psi \phi_2 & \iff & \text{for some } i \in \mathbb{N}, \mathcal{M}_{a_{11}} \vdash \phi_1 \text{ and } \\
\mathcal{M}_{a_{12}} & \vdash \mu \phi & \iff & \text{for some } i \in \mathbb{N}, \mathcal{M}_{a_{12}} \vdash \phi_1 \\
\end{align*}
\]

Despite the unpleasant appearance of the semantics, it is shown below that the specifications can be easily understood by reading \(\circ\) as 'next point in time', \(\mu\) as 'always', \(\psi\) as 'sometimes' and \(\vee\) as 'until'.

3 Specification of requirements

Informally, the system has the following components: processes and a scheduler.

The system involves processes being serviced by the processor and switched by the scheduler on expiry of their allotted time slice. This is caused by a timer signal. However, a problem arises

'... when the timer causes a signal to occur whilst a process is in kernel mode. The switcher (scheduler) must not schedule another process since to do so might lead to the corruption of kernel data structures, but on the other hand to give the currently executing process another time slice would be unfair to other processes which are ready to run. Indeed if this solution was adopted then a process could continue indefinitely by always being in kernel when the timer signal is received. A compromise solution is to allow a process to continue after its time slice ends if it is in kernel mode when this happens, but to force a context switch when kernel mode is left ...

In order to provide a formal specification of this, it is necessary to define a system state formally.

3.1 Aspects of system state

The full overall system state of the implemented system is described later. The aspects of this state that appear in the high-level specification are discussed here. They correspond to predicates which are either true or false at a
The following are the constraints on how the processes may switch.

1. When the active process is finished with its time slice, it must switch.
2. The process may switch after its time slice expires and continues, if in kernel mode.
3. A process switch occurs when a timer signal is occurring.
4. A new process will be scheduled at the next instant.

The required system is a set of sequences of states represented by a formula in FLTL whose set of models yields this set of sequences precisely.

### 3.2 Temporal specification of requirements

The following are the constraints on how the processes may switch. From the informal requirements, a process is to continue after its time slice ends if it is in kernel mode, but must be forced to context switch when kernel mode is left. From this, it is clear that two situations are allowed to occur.

1. The process is switched at the end of its time slice as it is not in kernel mode.
2. The process is in kernel mode when its time slice expires, and so it continues in an active state until it has completed that block of kernel work and, at the end of that, a process switch occurs.

This behaviour is expressed formally by describing what may happen between consecutive process switches. In other words, if a switch occurs at some point in time, what can happen up to the next process switch? The appropriate condition for the switching constraints is thus of the form

\[ \sigma = [\sigma_1 \lor \sigma_2] \]

where \( \sigma_1 \) and \( \sigma_2 \) correspond to the two situations given above.

\[
\sigma_1 = \exists n. \ (\neg \mathsf{sw} \land \neg \mathsf{sg} \land \mathsf{p}(n)) \lor \\
(\mathsf{sg} \land \mathsf{sw} \land \mathsf{p}(n) \land (\neg \mathsf{k}(n) \lor \mathsf{end})))
\]

is the normal situation where, after a process switch, there is no process switch, no timer signal, and the process is active until a timer signal occurs, at which point there is a process switch as the active process was either not in kernel or at the point of exit from kernel mode.

\[
\sigma_2 = \exists n. \ (\neg \mathsf{sw} \land \neg \mathsf{sg} \land \mathsf{p}(n)) \lor \\
(\mathsf{sg} \land \neg \mathsf{sw} \land \mathsf{k}(n) \land \mathsf{end}(n) \lor \\
(\neg \mathsf{sg} \land \neg \mathsf{sw} \land \neg \mathsf{start}(n)) \lor \\
(\mathsf{sw} \land \mathsf{end}(n)))
\]

is when, after a process switch, there is a period of no switching and no timer signal until a timer signal occurs when the active process is in kernel mode. Thus, it continues, without being interrupted by either a timer signal or process switch and without starting new kernel work, up to the point at which it completes its portion of kernel work and finally a process switch occurs. Notice how closely the verbal description follows the temporal logic.

### 4 Implementation semantics

#### 4.1 System state

The implemented system has as its parallel components an arbitrary number of processes and a scheduler.

The execution of the overall system takes place in discrete steps. Each discrete step is associated with an overall system state or program state [13]. A program state [13] comprises

1. the values of variables accessed by the components.
2. the label of the next instruction to be executed in each individual component.
3. the next component to be scheduled.

Condition 1 is a statement about the values of variables. Conditions 2 and 3 are statements relating to the scheduling of components. Here, the system (program) state is given by 21 propositions or predicates as follows:

1. (Boolean) variables:
   - \( c \): the critical flag is set to true
   - \( s_x \): the switch on exit flag is set to true

2. (a) Label of instruction being executed by a process \( n \), one of:
   - \( \text{label}_1(n) \), \( \text{label}_2(n) \), \( \text{label}_3(n) \), \( \text{label}_4(n) \), \( \text{label}_5(n) \), \( \text{label}_6(n) \), \( \text{label}_7(n) \), \( \text{label}_8(n) \)

   (b) Properties of instruction being executed:
   - \( \mathsf{p}(n) \): process \( n \) is active
   - \( \mathsf{k}(n) \): process \( n \) is in kernel mode
   - \( \mathsf{start}(n) \): process \( n \) is performing start of kernel work
   - \( \mathsf{end}(n) \): process \( n \) on the point of completing kernel work

   setc: the critical flag is being set
   - \( \mathsf{psetsu} \): the switch on exit flag is being set by a process
   - \( \mathsf{psw} \): a process switch is being initiated by a process

3. Scheduling:
   - \( \mathsf{sw} \): a process switch is being initiated
   - \( \mathsf{ssw} \): a process switch is being initiated by the scheduler

   \( \mathsf{ssel} \): the switch on exit flag is being set by the scheduler
   - \( \mathsf{sg} \): a timer signal is occurring

**Remarks**

(i) The required scheduling is implemented by the use of two flags, critical and switch on exit, which are set at various times, and on the basis of which a process switch is initiated either by a process or the scheduler component.

(ii) The system state is seen to last for the whole duration of the current time, rather than be some entry or exit condition [13]. For example, if \( s_w \) is true, a process switch is being initiated, although the old process remains active.
throughout this point in time. A new process will be active throughout the next point in time. As another example, the setting of a flag, such as described by setc, lasts for the duration of current time and is deemed to coincide with obtaining and having this new value throughout this current time (and so, in this last respect, it differs from the process switching situation).

(iii) As is seen below, the test of the condition in an if statement executed by a process takes an instant in time.

The semantics of the system are the sequences of system states that are allowed to occur. These will be expressed as solutions to FLTL formulae. The allowable sequences of states are affected by the constraints of the process components and the constraints of the scheduler component.

The constraints of the process components are given below, by analysing the previous C code [7]. The scheduler constraints are given by analysing the description of the low-level scheduler used previously [7].

4.2 Process component constraints

4.2.1 Interleaving of labelled statements: each process is modelled as executing infinitely, occasionally in kernel mode, and sometimes executing an exit protocol on completion of kernel mode. Precisely, each process $n$ repeatedly executes the ‘cycle’ of labelled statements given below.

\[
\begin{align*}
\text{label1}(n): & \text{(some non-kernel mode instruction)}; \\
\text{label2}(n): & \text{(some kernel mode instruction)}; \\
\text{label3}(n): & \text{(critical)}; \\
\text{label4}(n): & \text{if (switch-on-exit) \{ } \\
& \text{label5}(n): \text{switch-on-exit \} \text{critical};} \\
\text{label6}(n): & \text{switch-on-exit = FALSE;} \\
\text{label7}(n): & \text{do_switch();} \\
\text{label8}(n): & \text{(some non-kernel mode instruction)};
\end{align*}
\]

where the C code on the right-hand side of the labels is taken from the earlier work [7]. The function _do_switch is a routine which performs a process switch and resets the _critical flag.

The behaviour of all the processes together is an interleaving of the labelled statements executed by the individual processes. To avoid excessive use of brackets, the following notation is used:†

\[
\text{period } \phi_1, \text{point } \phi_2, \ldots, \text{period } \phi_{2m-1}, \text{point } \phi_{2m}
\]

\[
\text{def } = \phi_1 \land (\ldots (\phi_{2m-1} \land \phi_2 \land \ldots) \land \phi_1 )
\]

It indicates several steps taking place over a period of time alternated with a step at a single point in time. The interleaving of the processes is given by the following four formulae:

\[
i_1 = \Box \forall n. (\text{label1}(n)) \\
\Rightarrow \left\{ \begin{align*}
\text{period } (\neg p(n)) \\
\text{point } (\text{label1}(n)) \\
\text{period } (\neg p(n)) \\
\text{period } (\neg p(n)) \\
\text{point } (\text{label1}(n))
\end{align*} \right.
\]

\[
i_2 = \forall n. (\neg p(n) \lor (p(n) \land \neg \text{label1}(n))) \\
i_3 = \Box \exists n \exists l. \text{label1}(n) \\
i_4 = \Box \forall n \forall m \forall i. [(\neg \text{label1}(n) \lor \neg \text{label1}(m) \lor \neg \text{label1}(i) = i) \\
\Rightarrow \neg (\text{label1}(m) \land \text{label1}(n))] \\
\]

The effect of these four expressions is to say that the behaviour of all the processes together is an interleaving of the cycles of labelled statements executed by the individual processes. The last two expressions state that exactly one labelled statement is being executed at a given time.

In the first expression, the large disjunction results from the testing of the switch_on_exit flag and the execution of additional code if the value is true.

4.2.2 Properties of labelled statements: the interpretation of the labelled statements in terms of $p(n), k(n), \text{start}(n), \text{end}(n), \text{psw}, \text{setc}, \text{psetsx}, c$ and $s$ based on the C code given above is as follows:

\[
\begin{align*}
\text{label1}(n): & \iff p(n) \land k(n) \land \text{start}(n) \land \neg \text{end}(n) \\
\text{label2}(n): & \iff p(n) \land k(n) \land \neg \text{start}(n) \land \neg \text{end}(n) \\
\text{label3}(n): & \iff p(n) \land k(n) \land \neg \text{start}(n) \land \text{end}(n) \\
\text{label4}(n): & \iff p(n) \land \neg \text{start}(n) \land \neg \text{end}(n)
\end{align*}
\]

† The intention in this paper is to keep the basic connectives as simple as possible and to introduce suitable ‘higher level’ ones to aid readability. More brevity was achieved previously [8] by use of the ‘chop’ operator and a fixed point constructor, at the expense of readability. A compositional [14] specification was also given.

‡ Quantifying over $i$ in label1 is a slight abuse of notation used to shorten the expression. The meaning should be clear.
\[ \text{label}4(n) \leftrightarrow p(n) \land \neg k(n) \land \neg \text{start}(n) \land \neg \text{end}(n) \]
\[ \land p(n) \land \text{setc} \land \neg \text{psetsx} \]
\[ \text{label}5(n) \leftrightarrow p(n) \land k(n) \land \neg \text{start}(n) \land \neg \text{end}(n) \]
\[ \land p(n) \land \text{psetsx} \land \text{setc} \land \neg \text{psetsx} \land \neg \text{sx} \]
\[ \text{label}6(n) \leftrightarrow p(n) \land k(n) \land \neg \text{start}(n) \land \neg \text{end}(n) \]
\[ \land \neg \text{psetsx} \land \text{setc} \land \neg \text{psetsx} \land \neg \text{sx} \]
\[ \text{label}7(n) \leftrightarrow p(n) \land k(n) \land \neg \text{start}(n) \land \neg \text{end}(n) \]
\[ \land \neg \text{psetsx} \land \text{setc} \land \neg \text{psetsx} \land \neg \text{sx} \]
\[ \text{label}8(n) \leftrightarrow p(n) \land \neg k(n) \land \neg \text{start}(n) \land \neg \text{end}(n) \]
\[ \land \neg \text{psetsx} \land \text{setc} \land \neg \text{psetsx} \land \neg \text{sx} \]

The conjunction of these nine conditions is denoted by \( i_5 \).

4.2.3 Properties of flag variables: if the critical and switch_on_exit flags are not set, conditions have to be given to indicate that they do not change

\[ i_6 \leftrightarrow \Box ((c \land \neg c) \lor (\neg c \land c) \Rightarrow \neg \text{setc}) \]

\[ i_7 \leftrightarrow \Box ((s\text{x} \land \neg s\text{x}) \lor (\neg s\text{x} \land s\text{x}) \Rightarrow \neg \text{ssetsx}) \]

The switch_on_exit flag may be set either by a process or the scheduler (see below)

\[ i_8 \leftrightarrow \Box (\text{setc} \Rightarrow \text{ssetsx} \land \text{ssetsx}) \]

Initially, both flags are false

\[ i_9 \leftrightarrow \neg \Box c \land \neg \Box \text{sx} \land \Box \neg \text{psetsx} \]

4.3 Scheduler component constraints

4.3.1 Basic process switching constraints: first, the basic property of process switching is given. A process remains active if no switch occurs

\[ i_{10} \leftrightarrow \Box \forall n. (\neg \text{psw} \land p(n) \Rightarrow \neg p(n)) \]

If a switch occurs, there is a change in process at the next instant in time

\[ i_{11} \leftrightarrow \Box \forall n. (\text{psw} \land p(n) \Rightarrow \neg \neg p(n)) \]

A switch may be initiated by a process or by the scheduler

\[ i_{12} \leftrightarrow \Box (\text{psw} \Rightarrow \text{psw} \lor \neg \text{ssetsx}) \]

4.3.2 Low-level scheduler constraints: the low-level scheduler used has the following properties [7]:

'A scheduler initiated action can only occur at a point at which a timer signal is occurring'

\[ i_{13} \leftrightarrow \Box \neg \text{sssw} \lor \Box \text{setsx} \lor \Box \text{ssetsx} \Rightarrow \neg \text{sg} \]

'At the instant of a process switch the timer is set up for the next time slice'

\[ i_{14} \leftrightarrow \Box (\text{psw} \Rightarrow \Box ((\neg \text{sg} \land \neg \text{suw}) \lor \neg \Box (\text{psw} \land \neg \text{sg}))) \]

This last requirement states that a switch is followed by a period of no switching and no timer signal until a timer signal or another switch occurs.

'Software Engineering Journal January 1995'
existence such as dp [15]. However, it is hoped that having available a temporal development of a real-life system will suggest suitable proof assistants that might be produced and used, perhaps in conjunction with the development of improved theorem-provers, to elevate such rigorous arguments to full formal proofs. At the very least, it provides an idea of what it will take to formally develop and verify such a real-life concurrent system.

6 Acknowledgments

The author would like to thank Sean Holdsworth who designed the microkernel and the referee who made extensive comments on a previous version of this paper. This work was partly supported under ESPRIT II grant EP2025, the EDS Project.

7 References

[7] HOLDsworth, S.: 'A proposal for the provision of an environment for studying distributed operating system issues', EDS Project document, Department of Computer Science, University of Manchester, UK, 1989

© IEE: 1995

The paper was first received 3 May and in revised form 24 October 1994.

The author is with the Department of Computer Studies, Loughborough University of Technology, Loughborough, Leicestershire LE11 3TU, UK.