TY - GEN
T1 - Applying formal verification to microkernel IPC at meta
AU - Carbonneaux, Quentin
AU - Zilberstein, Noam
AU - Klee, Christoph
AU - O'Hearn, Peter W.
AU - Zappa Nardelli, Francesco
N1 - Publisher Copyright:
© 2022 Owner/Author.
PY - 2022/1/11
Y1 - 2022/1/11
N2 - We use Iris, an implementation of concurrent separation logic in the Coq proof assistant, to verify two queue data structures used for inter-process communication in an operating system under development. Our motivations are twofold. First, we wish to leverage formal verification to boost confidence in a delicate piece of industrial code that was subject to numerous revisions. Second, we aim to gain information on the cost-benefit tradeoff of applying a state-of-the-art formal verification tool in our industrial setting. On both fronts, our endeavor has been a success. The verification effort proved that the queue algorithms are correct and uncovered four algorithmic simplifications as well as bugs in client code. The simplifications involve the removal of two memory barriers, one atomic load, and one boolean check, all in a performance-sensitive part of the OS. Removing the redundant boolean check revealed unintended uses of uninitialized memory in multiple device drivers, which were fixed. The proof work was completed in person months, not years, by engineers with no prior familiarity with Iris. These findings are spurring further use of verification at Meta.
AB - We use Iris, an implementation of concurrent separation logic in the Coq proof assistant, to verify two queue data structures used for inter-process communication in an operating system under development. Our motivations are twofold. First, we wish to leverage formal verification to boost confidence in a delicate piece of industrial code that was subject to numerous revisions. Second, we aim to gain information on the cost-benefit tradeoff of applying a state-of-the-art formal verification tool in our industrial setting. On both fronts, our endeavor has been a success. The verification effort proved that the queue algorithms are correct and uncovered four algorithmic simplifications as well as bugs in client code. The simplifications involve the removal of two memory barriers, one atomic load, and one boolean check, all in a performance-sensitive part of the OS. Removing the redundant boolean check revealed unintended uses of uninitialized memory in multiple device drivers, which were fixed. The proof work was completed in person months, not years, by engineers with no prior familiarity with Iris. These findings are spurring further use of verification at Meta.
KW - circular queue
KW - concurrency
KW - program verification
KW - separation logic
KW - systems
UR - https://www.scopus.com/pages/publications/85123982264
U2 - 10.1145/3497775.3503681
DO - 10.1145/3497775.3503681
M3 - Conference contribution
AN - SCOPUS:85123982264
T3 - CPP 2022 - Proceedings of the 11th ACM SIGPLAN International Conference on Certified Programs and Proofs, co-located with POPL 2022
SP - 116
EP - 129
BT - CPP 2022 - Proceedings of the 11th ACM SIGPLAN International Conference on Certified Programs and Proofs, co-located with POPL 2022
A2 - Popescu, Andrei
A2 - Zdancewic, Steve
PB - Association for Computing Machinery, Inc
T2 - 11th ACM SIGPLAN International Conference on Certified Programs and Proofs, CPP 2022 - co-located with POPL 2022
Y2 - 17 January 2022 through 18 January 2022
ER -