SRG reading: Automatic Patch-Based Exploit Generation is Possible

SMU SRG reading by Tey Chee Meng:
Gerwin Klein and Harvey Tuch, “Towards Verified Virtual Memory in L4,” in TPHOLs Emerging Trends '04, ed. Konrad Slind (Park City, Utah, USA, 2004), 16 pages.
All figures in this presentation are taken from the paper.
What the paper is trying to present
Proof of functionality of the VM subsystem of the L4 microkernel
• L4 - microkernel (10000 lines of C++ and assembly code)
• Main abstractions:
– threads
– address space
– IPC
Scope
• Paper covers
– abstract model + properties derived from the abstract model
– refinement + how the properties were preserved
• This SRG covers only the first part
Abstract address space model
Operations - unmap
• unmap n v
– 'a space n unmaps v if it removes all mappings that depend on Virtual n v, or in terms of paths if it removes all edges leading to Virtual n v'
Operations - unmap
• unmap implemented using function clear
• clear:
– 'given name n, page v, and address space σ in a state s, returns σ with all v' leading to Virtual n v mapped to None'
Isabelle/HOL explanations
Operations - unmap
• For every page v' in the space σ in state s
– For the case where v' has no mapping, return it unchanged
– For the case where there is some mapping m
• if m leads to a path to Virtual n v, then remove the mapping
• else leave it unchanged
Operations - unmap
• For every space name n' in the state s
– For the case where n' does not correspond to any space, return it unchanged
– For the case where n' is defined, apply the function clear to n, v, s and σ
Operations - flush
• flush n v
– 'unmap followed by setting n,v to None'
Operations - map
• map n v n' v' s
– 'Address space n maps page v to n' at v'. The destination n',v' is first flushed and then updated with the new mapping Virtual n v.'
Preliminary definitions
• m valid in state s
– if it is a physical page
– or if it is of the form Virtual n v and is the source of some direct path
Preliminary definitions
• update
– Before the kernel establishes a new value, the destination is always flushed. This may invalidate the source. The operation only continues if the source is still valid, otherwise it stops
Operations - map
• if the mapping Virtual n,v is not valid, return unchanged
• else update n',v' with Virtual n v
Operations - grant
• grant n v n' v' s
– 'updates n', v' to the value of n at v and flushes the source n,v'
Operations - grant
• if the mapping Virtual n,v is not valid, return unchanged
• else
– substitute σ for state s, space name n
– substitute m for space σ space v
– flush n,v, then update n', v' with mapping m
MMU lookup
• MMU lookup leads to a physical page r
• or MMU lookup leads to None
– if there exists a space σ corresponding to state s space name n but there is no mapping for virtual address v in n
– or the space name n does not exist
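The operations on the slides above (unmap via clear, flush, update, map, grant) and the MMU lookup, as an added Python model that is neither the paper's Isabelle/HOL definitions nor part of these slides. It assumes an encoding where a state is a dict from space name to address space, a physical page is an int r, and Virtual n v is the pair (n, v); it returns False where the paper's update stops because flushing the destination invalidated the source.

```python
# Assumed encoding (added example, not the paper's Isabelle/HOL): a state s is a dict from space
# name n to its address space, a dict from page v to None, a physical page r (int) or the pair (n, v) for Virtual n v.
def path(s, m):
    # Nodes (n, v) reached from mapping m, and the endpoint: a physical page r, None, or a repeated node.
    seen = []
    while isinstance(m, tuple) and m not in seen:
        seen.append(m)
        m = s.get(m[0], {}).get(m[1])
    return seen, m

def lookup(s, n, v):
    # MMU lookup: the physical page r at the end of the chain starting at n,v, or None.
    end = path(s, (n, v))[1]
    return end if isinstance(end, int) else None

def valid(s, m):
    # A physical page is always valid; Virtual n v only while n,v is itself the source of an edge.
    return isinstance(m, int) or (isinstance(m, tuple) and s.get(m[0], {}).get(m[1]) is not None)

def unmap(s, n, v):
    # clear applied to every space: pages whose path leads to Virtual n v are set to None.
    dead = [(n2, v2) for n2, sig in s.items() for v2, m in sig.items() if (n, v) in path(s, m)[0]]
    for n2, v2 in dead:
        s[n2][v2] = None

def flush(s, n, v):
    # unmap followed by setting n,v to None.
    unmap(s, n, v)
    if n in s:
        s[n][v] = None

def update(s, n2, v2, m):
    # The destination is flushed first; that may invalidate the source m, in which case we stop.
    flush(s, n2, v2)
    if n2 not in s or not valid(s, m):
        return False
    s[n2][v2] = m
    return True

def map_page(s, n, v, n2, v2):
    # map n v n' v': space n maps page v to n' at v' with the new mapping Virtual n v.
    return valid(s, (n, v)) and update(s, n2, v2, (n, v))

def grant(s, n, v, n2, v2):
    # grant n v n' v': n',v' takes the value of n at v, then the source n,v is flushed.
    if not valid(s, (n, v)):
        return False
    m = s[n][v]
    flush(s, n, v)
    return update(s, n2, v2, m)
```

Mapping a page back onto one of its own ancestors shows the update slide's caveat: flushing the destination unmaps the source, so the operation stops and both mappings are gone.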
Initial state and changes
Properties
Conclusion
• Defined an abstract model of the virtual memory subsystem of L4
• Proved 3 properties using the proof assistant Isabelle/HOL