Patrick Tullmann, Jeff Turner, John McCorquodale, Jay Lepreau,
Aday Chitturi, Godmar Back
{tullmann, sjt, mcq, lepreau, chitturi, gback}@cs.utah.edu
University of Utah Department of Computer Science
3190 MEB, Salt Lake City, Utah 84112
We applied formal methods to verify properties of the implementation of the Fluke microkernel's IPC subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, the lack of deadlock and certain liveness properties, with results that apply to both SMP and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easily accessible to programmers inexperienced with formal methods. We present our results as a starting point for a more comprehensive inclusion of formal methods in practical OS development.
Full paper presented at and appears in Proceedings of the Sixth IEEE Workshop on Hot Topics in Operating Systems, May 1997.