Formal methods: a practical tool for OS implementors

The formal methods community has long known about the need to formally analyze concurrent software, but the operating systems (OS) community has been slow to adopt such methods. The foremost reasons for this are the cultural and knowledge gaps between formalists and OS hackers, fostered by three beliefs: inaccessibility of the tools, the disabling gap between the validated model and actual implementation, and the intractable size of OSs. In this paper, we show these beliefs to be untrue for appropriately structured OSs. We applied formal methods to verify properties of the implementation of the Fluke microkernel´s IPC (interprocess communication) subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, certain liveness properties and lack of deadlock, with results that apply to both SMP (scalable multiprocessor) and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easily accessible to programmers inexperienced with formal methods. We present our results as a starting point for a more comprehensive inclusion of formal methods in practical OS development