Controlled Owicki-Gries Concurrency: Reasoning about the Preemptible eChronos Embedded Operating System

Abstract

We introduce a controlled concurrency framework, derived from the Owicki-Gries method, for describing a hardware interface in detail sufficient to suppor t the modelling and verification of small, embedded operating systems (OS’s) whose run-time responsiveness is paramount. Such real- time systems run with interrupts mostly enabled, including during scheduling. That differs from many other successfully modelled and verified OS’s that typically reduce the complexity of concurrency by running on uniprocessor platforms and by switching interrupts off as much as possible. Our framework builds on the traditional Owicki-Gries method, for its fine-grained concurrency is needed for high-performance system code. We adapt it to support explicit concurrency control, by providing a simple, faithful representation of the hardware interface that allows software to control the degree of interleaving between user code, OS code, interrupt handlers and a scheduler that controls context switching. We then apply this framework to model the interleaving behavior of the eChronos OS, a preemptible real-time OS for embedded micro-controllers. We discuss the accuracy and usability of our approach when instantiated to model the eChronos OS. Both our framework and the eChronosmodel are formalised in the Isabelle/HOL theorem prover, taking advantage of the high level of automation in modern reasoning tools.