Checking the Hardware- Software Interface in Spec# Kevin Bierhoff (CMU) Chris Hawblitzel (Microsoft Research)


Page 1

Checking the Hardware-Software Interface in Spec#

Kevin Bierhoff (CMU)

Chris Hawblitzel (Microsoft Research)

Page 2

Safe OS code, statically typed (?)

[Figure: Singularity OS. A single hardware address space is shared by the kernel, the network driver, TCP/IP, a web server and a web plug-in. A language grid classifies typed vs. untyped and safe vs. unsafe: ML and Java (typed, safe), LISP (untyped, safe), C (typed, unsafe), assembler (untyped, unsafe).]

Network driver code fragment:

    ...
    uint mode = csr6.Read32();
    mode &= ~(CSR6.SR | CSR6.ST);
    csr6.Write32(mode);
    rxRing.Reset();
    csr3.Write32(rxRing.BaseAddress.ToUInt32());
    txRing.Reset();
    csr4.Write32(txRing.BaseAddress.ToUInt32());
    ...

Page 3

Tulip Network Adaptor

[Figure: the Tulip device holds the registers csr3, csr4 and csr6. csr3 points at the RX ring in host memory, a chain of entries. Each entry holds an own flag and flags; flags with size1 and size2; a buffer1 address; and a buffer2 address.]

Page 4

Safe Hardware Interaction Layer

    ...
    internal void StartRxTxMiiSym()
        requires RxConfigured && TxConfigured;
        modifies this.rxStarted, this.txStarted;
        ensures RxConfigured && TxConfigured && RxStarted && TxStarted;
    {
        csr6.Write32(CSR6.MBO | CSR6.HBD | CSR6.PS | (3u << CSR6.TR_ROLL) | CSR6.ST | CSR6.SR);
        rxStarted = txStarted = true;
    }
    ...

[Figure: the network driver is split into safe code (Spec#) and the SHIL (Spec#); the SHIL sits between the safe code and the device register csr6.]

Spec# = C# + logical annotations

Page 5

Bug: SHIL pre-condition violated

    internal void ConfigureHostBus(uint cacheMask, uint busMask, uint cacheAlignment, uint burstLength)
        requires (RxStarted == false) && (TxStarted == false);
        requires (cacheMask & ~(CSR0.WIE | CSR0.RLE | CSR0.RME)) == 0;
        requires busMask == 0 || busMask == CSR0.BAR;
        requires cacheAlignment >= 0 && cacheAlignment <= 3;
        requires burstLength == 0 || burstLength == 1 || burstLength == 2 || burstLength == 4 ||
                 burstLength == 8 || burstLength == 16 || burstLength == 32;
        ensures (RxStarted == false) && (TxStarted == false);
    {
        csr0.Write32(cacheMask | busMask | (cacheAlignment << CSR0.CAL_ROLL) | (burstLength << CSR0.PBL_ROLL));
    }

The pre-condition was violated in the original implementation and is now fixed.
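As an added illustration (not the slides' code and not the Singularity driver), here is a Python model of the SHIL methods from pages 4 and 5 with their requires/ensures clauses enforced as run-time checks, the alternative to static checking that page 8 mentions. The contracts are the ones on the slides; everything else is an assumption made for the example: the CSR0/CSR6 bit positions (the slides name the fields but give no values), the Register class, the configure_rings step standing in for the csr3/csr4 writes on page 2 as what establishes RxConfigured and TxConfigured, and the sample bring-up values. The scenario functions show that mis-ordering the calls (configuring the host bus after the device has started, or starting before the rings are set up) is caught at the SHIL boundary rather than reaching the register.

```python
"""Run-time model of the Spec# SHIL contracts on pages 4 and 5 (added example)."""


class ContractViolation(Exception):
    """A requires/ensures clause failed (Spec# would reject the caller statically)."""


def check(cond, clause):
    if not cond:
        raise ContractViolation(clause)


class CSR0:
    """Bus-mode register fields. Bit positions are ASSUMED for this example."""
    WIE, RLE, RME, BAR = 1 << 24, 1 << 21, 1 << 20, 1 << 1
    CAL_ROLL, PBL_ROLL = 14, 8


class CSR6:
    """Operating-mode register fields. Bit positions are ASSUMED for this example."""
    SR, ST, PS, HBD, MBO = 1 << 1, 1 << 13, 1 << 18, 1 << 19, 1 << 25
    TR_ROLL = 14


class Register:
    """A memory-mapped 32-bit register backed by a plain int (stand-in for device memory)."""
    def __init__(self):
        self.value = 0

    def Read32(self):
        return self.value

    def Write32(self, v):
        self.value = v & 0xFFFFFFFF


class TulipShil:
    """Every register write is guarded by the contract of the method that performs it."""
    VALID_BURSTS = (0, 1, 2, 4, 8, 16, 32)

    def __init__(self):
        self.csr0, self.csr3, self.csr4, self.csr6 = (Register() for _ in range(4))
        self.rx_configured = self.tx_configured = False
        self.rx_started = self.tx_started = False

    def configure_host_bus(self, cache_mask, bus_mask, cache_alignment, burst_length):
        # requires clauses from page 5, checked in order
        check(not self.rx_started and not self.tx_started,
              "RxStarted == false && TxStarted == false")
        check((cache_mask & ~(CSR0.WIE | CSR0.RLE | CSR0.RME)) == 0,
              "cacheMask only contains CSR0.WIE | CSR0.RLE | CSR0.RME")
        check(bus_mask in (0, CSR0.BAR), "busMask == 0 || busMask == CSR0.BAR")
        check(0 <= cache_alignment <= 3, "cacheAlignment >= 0 && cacheAlignment <= 3")
        check(burst_length in self.VALID_BURSTS, "burstLength in {0,1,2,4,8,16,32}")
        self.csr0.Write32(cache_mask | bus_mask
                          | (cache_alignment << CSR0.CAL_ROLL)
                          | (burst_length << CSR0.PBL_ROLL))
        # ensures clause: the device is still stopped
        check(not self.rx_started and not self.tx_started,
              "ensures (RxStarted == false) && (TxStarted == false)")

    def configure_rings(self, rx_base, tx_base):
        # ASSUMED step modelling page 2's csr3/csr4 writes; it establishes RxConfigured/TxConfigured.
        check(not self.rx_started and not self.tx_started, "rings are reset only while stopped")
        self.csr3.Write32(rx_base)
        self.csr4.Write32(tx_base)
        self.rx_configured = self.tx_configured = True

    def start_rx_tx_mii_sym(self):
        # page 4: requires RxConfigured && TxConfigured
        check(self.rx_configured and self.tx_configured, "RxConfigured && TxConfigured")
        self.csr6.Write32(CSR6.MBO | CSR6.HBD | CSR6.PS | (3 << CSR6.TR_ROLL) | CSR6.ST | CSR6.SR)
        self.rx_started = self.tx_started = True
        check(self.rx_configured and self.tx_configured and self.rx_started and self.tx_started,
              "ensures RxConfigured && TxConfigured && RxStarted && TxStarted")


def bring_up():
    """Correct order: host bus, rings, start. Returns the CSR0 value that was written."""
    dev = TulipShil()
    dev.configure_host_bus(CSR0.RME, CSR0.BAR, 2, 16)   # sample values (constructed)
    dev.configure_rings(0x1000, 0x2000)
    dev.start_rx_tx_mii_sym()
    return dev.csr0.Read32()


def violated_clause(action):
    """Run a scenario and return the clause it violates, or None if the contracts hold."""
    try:
        action()
    except ContractViolation as e:
        return str(e)
    return None


def reconfigure_after_start():
    dev = TulipShil()
    dev.configure_rings(0x1000, 0x2000)
    dev.start_rx_tx_mii_sym()
    dev.configure_host_bus(0, 0, 0, 8)    # too late: the device is already running


def start_before_rings():
    TulipShil().start_rx_tx_mii_sym()     # csr3/csr4 never written


def bad_burst():
    TulipShil().configure_host_bus(0, 0, 0, 3)   # 3 is not a permitted burst length


if __name__ == "__main__":
    print(hex(bring_up()))
    for scenario in (reconfigure_after_start, start_before_rings, bad_burst):
        print(scenario.__name__, "->", violated_clause(scenario))
```

With the bit positions assumed above, bring_up() writes 0x10 9002 to CSR0 and each mis-ordered scenario stops at the first failing requires clause; the page-5 bug class (a caller reaching ConfigureHostBus with the device already started) becomes a named contract failure instead of a silent register write.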

Page 6

Buffer ownership

[Figure: the single hardware address space shared by the kernel, network driver, TCP/IP, web server and web plug-in. An RX ring entry (own flag and flags; flags with size1 and size2; buffer1 address; buffer2 address) points at a packet buffer.]

    class TulipRxDescriptor {
        ...
        internal void Buffer1Claim(Packet! packet)
            requires packet.Full;
            requires !Buffer1Set;
            ensures packet.Empty;
            ensures Buffer1Set;
        {...}
        ...
    }

    class TulipRxRing {
        ...
        internal void GiveToDevice(TulipRxDescriptor! descriptor)
            requires !descriptor.OwnedByDevice;
            requires descriptor.Buffer1Set && descriptor.Buffer2Set;
            ensures descriptor.OwnedByDevice;
            ...
        {...}
        ...
    }
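As an added illustration (not the slides' code and not the Singularity driver), the following Python model enforces the buffer-ownership contracts from page 6 at run time. Packet (Full/Empty), TulipRxDescriptor (Buffer1Set, Buffer2Set, OwnedByDevice) and TulipRxRing.GiveToDevice follow the slide; the device side, which clears the own flag when DMA has finished, is simulated by a flag, and take_from_device is an assumed reclaim step that the slide does not show. The scenarios exercise the cases the contracts exist for: the same packet buffer cannot be placed in two slots, a half-filled descriptor cannot be handed to the device, and the driver cannot take buffers back while the device may still be writing them (page 8's "memory safety relies on state").

```python
"""Run-time model of the page-6 buffer-ownership contracts (added example)."""


class ContractViolation(Exception):
    """A requires/ensures clause failed."""


def check(cond, clause):
    if not cond:
        raise ContractViolation(clause)


class Packet:
    """Full: the driver holds the buffer. Empty: the buffer has been lent to a descriptor."""
    def __init__(self, size):
        self.data = bytearray(size)
        self.full = True

    @property
    def empty(self):
        return not self.full


class TulipRxDescriptor:
    """One RX ring entry: own flag plus two buffer slots (Buffer1Set == slot 1 filled)."""
    def __init__(self):
        self.owned_by_device = False
        self.buffer1 = None
        self.buffer2 = None

    buffer1_set = property(lambda self: self.buffer1 is not None)
    buffer2_set = property(lambda self: self.buffer2 is not None)

    def _claim(self, slot, packet):
        name = slot.capitalize()                      # "buffer1" -> "Buffer1"
        check(packet.full, "packet.Full")
        check(getattr(self, slot) is None, "!%sSet" % name)
        packet.full = False                           # ownership moves driver -> descriptor
        setattr(self, slot, packet)
        check(packet.empty and getattr(self, slot) is not None,
              "ensures packet.Empty && %sSet" % name)

    def buffer1_claim(self, packet):
        self._claim("buffer1", packet)

    def buffer2_claim(self, packet):
        self._claim("buffer2", packet)


class TulipRxRing:
    def __init__(self, entries):
        self.entries = [TulipRxDescriptor() for _ in range(entries)]

    def give_to_device(self, d):
        check(not d.owned_by_device, "!descriptor.OwnedByDevice")
        check(d.buffer1_set and d.buffer2_set, "descriptor.Buffer1Set && descriptor.Buffer2Set")
        d.owned_by_device = True          # set the own flag: DMA may now write both buffers
        check(d.owned_by_device, "ensures descriptor.OwnedByDevice")

    def take_from_device(self, d, own_flag_cleared):
        """ASSUMED reclaim step (not on the slide): only after the device clears the own flag."""
        check(d.owned_by_device, "descriptor.OwnedByDevice")
        check(own_flag_cleared, "device cleared the own flag")
        d.owned_by_device = False
        packets = (d.buffer1, d.buffer2)
        d.buffer1 = d.buffer2 = None
        for p in packets:
            p.full = True                 # buffers return to the driver
        return packets


def clause_of(action):
    """Return the clause a scenario violates, or None if the contracts hold."""
    try:
        action()
    except ContractViolation as e:
        return str(e)
    return None


def round_trip():
    """Post a descriptor, let the simulated device complete it, reclaim both packets."""
    ring = TulipRxRing(4)
    d = ring.entries[0]
    p1, p2 = Packet(1536), Packet(1536)   # constructed sample buffers
    d.buffer1_claim(p1)
    d.buffer2_claim(p2)
    ring.give_to_device(d)
    got = ring.take_from_device(d, own_flag_cleared=True)
    return got == (p1, p2) and p1.full and p2.full and not d.buffer1_set


def alias_one_packet():
    """Same packet in both slots: the second claim fails because the packet is already Empty."""
    d, p = TulipRxDescriptor(), Packet(1536)
    d.buffer1_claim(p)
    d.buffer2_claim(p)


def give_half_filled():
    ring, d = TulipRxRing(1), TulipRxDescriptor()
    d.buffer1_claim(Packet(1536))
    ring.give_to_device(d)                # buffer2 never set


def reclaim_too_early():
    """Reading buffers the DMA engine may still be writing is the memory-safety hazard."""
    ring, d = TulipRxRing(1), TulipRxDescriptor()
    d.buffer1_claim(Packet(64))
    d.buffer2_claim(Packet(64))
    ring.give_to_device(d)
    ring.take_from_device(d, own_flag_cleared=False)


if __name__ == "__main__":
    print("round trip ok:", round_trip())
    for scenario in (alias_one_packet, give_half_filled, reclaim_too_early):
        print(scenario.__name__, "->", clause_of(scenario))
```

The ownership state lives in the descriptor and packet objects rather than in the device's own flag alone, which is what lets the check be made before any pointer into the shared address space is dereferenced; Spec# discharges the same clauses at compile time.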

Page 7

Driver, SHIL code size

[Figure: two diagrams of the device (200-page doc), csr6 and the network driver. Original code: driver code, 1800 lines. Revised code (5 person-weeks): safe code and SHIL, labelled 1800 lines and 1400 lines.]

Page 8

Conclusions

• Static verification tools have improved
  – automation
  – data structures, aliasing, objects, concurrency...
  – (run-time checking also possible)

• Properties are interconnected
  – memory safety relies on state

• Hardware is diverse (and complicated)
  – packet fragments

• Incremental approach on existing code

• Future work: declarative SHIL language

[Figure: the language grid from page 2 with Spec# added beside ML and Java: ML, Java, Spec# (typed, safe); LISP (untyped, safe); C (typed, unsafe); assembler (untyped, unsafe).]