Page 1
Checking the Hardware-Software Interface in Spec#
Kevin Bierhoff (CMU)
Chris Hawblitzel (Microsoft Research)
Page 2

Safe OS code, statically typed (?)

Singularity OS: kernel, TCP/IP, web server, web plug-in, network driver, all in a single hardware address space

Language grid (Typed / Untyped, Safe / Unsafe): ML, Java; LISP; C, assembler

Network driver code:

```csharp
...
uint mode = csr6.Read32();
mode &= ~(CSR6.SR | CSR6.ST);
csr6.Write32(mode);
rxRing.Reset();
csr3.Write32(rxRing.BaseAddress.ToUInt32());
txRing.Reset();
csr4.Write32(txRing.BaseAddress.ToUInt32());
...
```
Page 3

Tulip Network Adaptor

Tulip device registers: csr3, csr4, csr6

Host memory: RX ring of entries (entry, entry, entry, ...); each entry holds: own flags | flags, size1, size2 | buffer1 address | buffer2 address
Page 4

Safe Hardware Interaction Layer

```csharp
...
internal void StartRxTxMiiSym()
    requires RxConfigured && TxConfigured;
    modifies this.rxStarted, this.txStarted;
    ensures RxConfigured && TxConfigured && RxStarted && TxStarted;
{
    csr6.Write32(CSR6.MBO | CSR6.HBD | CSR6.PS | (3u << CSR6.TR_ROLL) | CSR6.ST | CSR6.SR);
    rxStarted = txStarted = true;
}
...
```

Layers: device (csr6) <- SHIL (Spec#) <- network driver, safe code (Spec#)
Spec# = C# + logical annotations
Page 5

Bug: SHIL pre-condition violated

```csharp
internal void ConfigureHostBus(uint cacheMask, uint busMask, uint cacheAlignment, uint burstLength)
    requires (RxStarted == false) && (TxStarted == false);
    requires (cacheMask & ~(CSR0.WIE | CSR0.RLE | CSR0.RME)) == 0;
    requires busMask == 0 || busMask == CSR0.BAR;
    requires cacheAlignment >= 0 && cacheAlignment <= 3;
    requires burstLength == 0 || burstLength == 1 || burstLength == 2 || burstLength == 4
          || burstLength == 8 || burstLength == 16 || burstLength == 32;
    ensures (RxStarted == false) && (TxStarted == false);
{
    csr0.Write32(cacheMask | busMask | (cacheAlignment << CSR0.CAL_ROLL) | (burstLength << CSR0.PBL_ROLL));
}
```

Was violated in the original implementation and is now fixed.
Page 6

Buffer ownership

Singularity OS: kernel, network driver, TCP/IP, web server, web plug-in, single hardware address space

RX descriptor entry: own flags | flags, size1, size2 | buffer1 address | buffer2 address -> buffer

```csharp
class TulipRxDescriptor {
    ...
    internal void Buffer1Claim(Packet! packet)
        requires packet.Full;
        requires !Buffer1Set;
        ensures packet.Empty;
        ensures Buffer1Set;
    { ... }
    ...
}

class TulipRxRing {
    ...
    internal void GiveToDevice(TulipRxDescriptor! descriptor)
        requires !descriptor.OwnedByDevice;
        requires descriptor.Buffer1Set && descriptor.Buffer2Set;
        ensures descriptor.OwnedByDevice;
        ...
    { ... }
    ...
}
```
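The SHIL contracts of pages 4 to 6 as an executable Python model (an added example, not the authors' Spec# code): the `requires` clauses become runtime checks, so the page-5 bug (calling `ConfigureHostBus` while RX/TX are running) and a premature `GiveToDevice` are rejected at the call. The CSR0/CSR6 bit positions are assumed for the model, not taken from the Tulip datasheet.

```python
class ContractViolation(Exception): pass

def requires(cond, what):
    if not cond:
        raise ContractViolation("requires " + what)

def violates(fn, *args):  # True if fn(*args) trips a contract: the call the verifier would reject
    try:
        fn(*args)
    except ContractViolation:
        return True
    return False

# Register bit names from the slides; bit positions are assumed for this model, not datasheet values.
CSR0 = dict(BAR=1 << 1, PBL_ROLL=8, CAL_ROLL=14, RME=1 << 21, RLE=1 << 23, WIE=1 << 24)
CSR6 = dict(SR=1 << 1, ST=1 << 13, TR_ROLL=14, PS=1 << 18, HBD=1 << 19, MBO=1 << 25)

class TulipShil:  # SHIL model: every register write is guarded by the device's protocol state
    def __init__(self):
        self.csr0 = self.csr6 = 0  # modelled 32-bit device registers
        self.rx_started = self.tx_started = False

    def configure_host_bus(self, cache_mask, bus_mask, cache_alignment, burst_length):
        requires(not self.rx_started and not self.tx_started, "RX and TX stopped")
        requires((cache_mask & ~(CSR0["WIE"] | CSR0["RLE"] | CSR0["RME"])) == 0, "cacheMask bits legal")
        requires(bus_mask in (0, CSR0["BAR"]), "busMask is 0 or BAR")
        requires(0 <= cache_alignment <= 3, "cacheAlignment in 0..3")
        requires(burst_length in (0, 1, 2, 4, 8, 16, 32), "burstLength legal")
        self.csr0 = cache_mask | bus_mask | (cache_alignment << CSR0["CAL_ROLL"]) | (burst_length << CSR0["PBL_ROLL"])
        return self.csr0

    def start_rx_tx(self):  # StartRxTxMiiSym: sets ST and SR, after which host-bus configuration is illegal
        self.csr6 = CSR6["MBO"] | CSR6["HBD"] | CSR6["PS"] | (3 << CSR6["TR_ROLL"]) | CSR6["ST"] | CSR6["SR"]
        self.rx_started = self.tx_started = True

class RxDescriptor:
    def __init__(self):
        self.buffer1_set = self.buffer2_set = self.owned_by_device = False

    def buffer1_claim(self, packet):  # packet: dict with a "full" flag; its buffer moves to the descriptor
        requires(packet["full"], "packet.Full")
        requires(not self.buffer1_set, "!Buffer1Set")
        packet["full"] = False  # ensures packet.Empty: the driver may no longer touch the buffer
        self.buffer1_set = True

class RxRing:
    def give_to_device(self, d):  # the device may only see a descriptor whose buffers are both owned
        requires(not d.owned_by_device, "!OwnedByDevice")
        requires(d.buffer1_set and d.buffer2_set, "Buffer1Set && Buffer2Set")
        d.owned_by_device = True
```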
Page 7

Driver, SHIL code size

Original code: device (200-page doc, csr6) <- network driver: driver code, 1800 lines

Revised code (5 person-weeks): device (200-page doc, csr6) <- SHIL, 1400 lines <- network driver: safe code, 1800 lines
Page 8

Conclusions

• Static verification tools have improved
  – automation
  – data structures, aliasing, objects, concurrency...
  – (run-time checking also possible)
• Properties are interconnected
  – memory safety relies on state
• Hardware is diverse (and complicated)
  – packet fragments
• Incremental approach on existing code
• Future work: declarative SHIL language

Language grid: ML, Java, Spec#; LISP; C, assembler