Automated verification of the FreeRTOS scheduler in Hip/Sleek

  • Tase 12
International Journal on Software Tools for Technology Transfer

Abstract

Automated verification of operating system kernels is a challenging problem, partly due to the use of shared mutable data structures. In this paper, we show how we can automatically verify memory safety and functional correctness properties of the task scheduler component of the FreeRTOS kernel using the verification system Hip/Sleek. We show how some of Hip/Sleek features such as user-defined predicates and lemmas make the specifications highly expressive and the verification process viable. To the best of our knowledge, this is the first code-level verification of memory safety and functional correctness properties of the FreeRTOS scheduler. The outcome of our experiment confirms that Hip/Sleek can indeed be used to verify code that is used in production. Moreover, since the properties that we verify are quite general, we envisage that the same approach can be adopted to verify components of other operating systems.

Notes

  1. Note that FreeRTOS does not guarantee any deadlines for the execution of tasks. The only guarantee is that the highest priority task that is ready to execute will run as soon as possible.

  2. The work described in this paper is based on version 6.1.1 of FreeRTOS. Bear in mind that the data structures and the algorithms involved may have changed since that version.

  3. To simplify the presentation, we do not include fields specific to architectures that have a Memory Protection Unit (MPU), nor fields related to debugging. Also, the order of the fields has been rearranged.

  4. Here, we use the term non-empty to qualify a list that has at least one TCB; that is, we do not consider xListEnd as a list item.

  5. In fact, listGET_OWNER_OF_NEXT_ENTRY is defined as a C macro, but we define it here as a function. Also, we use Hip's notation so that the reader can see an example of a Hip program. Note that we use a dot for accessing fields, rather than C's arrow notation ->. We also use the keyword ref to express that the value of pxTCB is returned by reference.

  6. It is important to note that in this work we do not verify if TCBs’ stack and code pointers are valid. Invalid TCBs can affect context switching, but here we focus on ensuring that the scheduler makes the right choices.

  7. By treating the field xListEnd as a normal xListItem, our model adds two extra fields to the end marker: pvContainer and pvOwner. However, since these fields are never accessed for the end marker, this simplification is safe.


Author information

Correspondence to Shengchao Qin.

Additional information

This work was supported in part by the EPSRC project EP/G042322 and NNSFC project 61373033.


About this article

Cite this article

Ferreira, J.F., Gherghina, C., He, G. et al. Automated verification of the FreeRTOS scheduler in Hip/Sleek. Int J Softw Tools Technol Transfer 16, 381–397 (2014). https://doi.org/10.1007/s10009-014-0307-4
