Subversion Repositories HelenOS-doc

        Please note that the titles of the following sections do not follow any particular established

        Please note that the titles of the following sections do not follow any particular established

        taxonomy. We have simply chosen the names to be intuitivelly descriptive.

        taxonomy. We have simply chosen the names to be intuitivelly descriptive.

        \subsection{C Language Compiler and Continuous Integration Tool}

        \subsection{C Language Compiler and Continuous Integration Tool}

            \label{clang}

            \label{clang}

            Besides the requirement to support 7 hardware platforms, the system's compile-time configuration

            Besides the requirement to support 7 hardware platforms, the system's compile-time configuration

            These configuration options are bound by logical propositions in conjunctive or disjunctive

            These configuration options are bound by logical propositions in conjunctive or disjunctive

            normal forms and while some options are freely configurable, the value of others gets inferred

            normal forms and while some options are freely configurable, the value of others gets inferred

            HelenOS can be compiled is at least one order of magnitude larger than the plain number

            HelenOS can be compiled is at least one order of magnitude larger than the plain number

            of supported hardware platforms.

            of supported hardware platforms.

            Various configuration options affect conditional compilation and linking. The programmers

            Various configuration options affect conditional compilation and linking. The programmers

            are used to make sure that the source code compiles and links fine with respect to the

            are used to make sure that the source code compiles and links fine with respect to the

            A straightforward solution is to generate all distinct configurations, starting from the

            A straightforward solution is to generate all distinct configurations, starting from the

            open variables and inferring the others. This can be part of the continuous integration

            open variables and inferring the others. This can be part of the continuous integration

            process which would try to compile and link the sources in all distinct configurations.

            process which would try to compile and link the sources in all distinct configurations.

            level verification methods on all configurations generated by this step. That would certainly

            level verification methods on all configurations generated by this step. That would certainly

            require to multiply the time required by the verification methods at least by the number

            require to multiply the time required by the verification methods at least by the number

            of the distinct configurations. Constraining the set of configurations to just the most

            of the distinct configurations. Constraining the set of configurations to just the most

        \subsection{Regression and Unit Tests}

        \subsection{Regression and Unit Tests}

            We need to setup an automated network of physical machines and simulators which can run the

            We need to setup an automated network of physical machines and simulators which can run the

            appropriate compilation outputs for the specific platforms. We need to be able to reboot

            appropriate compilation outputs for the specific platforms. We need to be able to reboot

            them remotely and distribute the boot images to them. And last but not least, we need to be

            them remotely and distribute the boot images to them. And last but not least, we need to be

            able to gather the results from them.

            able to gather the results from them.

        \subsection{Instrumentation}

        \subsection{Instrumentation}

            Instrumentation tools for detecting memory leaks, performance bottlenecks and soft-deadlocks

            Instrumentation tools for detecting memory leaks, performance bottlenecks and soft-deadlocks

            If some regression or unit tests fail, they sometimes do not give sufficient information to

            If some regression or unit tests fail, they sometimes do not give sufficient information to

            tell immediately what is the root cause of the issue. In that case running the faulting tests

            tell immediately what is the root cause of the issue. In that case running the faulting tests

            on manually or automatically instrumented executable code might provide more data and point

            on manually or automatically instrumented executable code might provide more data and point

            more directly to the actual bug.

            more directly to the actual bug.

        \subsection{Verifying C Language Compiler}

        \subsection{Verifying C Language Compiler}

            As the optimization passes and general maturity of the compilers improve over time,

            As the optimization passes and general maturity of the compilers improve over time,

            the compilers try to extract and use more and more semantic information from the source code.

            the compilers try to extract and use more and more semantic information from the source code.

            The C language is quite poor on explicit semantic information, but the verifying compilers

            The C language is quite poor on explicit semantic information, but the verifying compilers

            try to rely on vendor-specific language extensions and on the fact that some semantic information

            try to rely on vendor-specific language extensions and on the fact that some semantic information

            The checks done by the verifying compilers cannot result in fatal errors in the usual cases (they

            The checks done by the verifying compilers cannot result in fatal errors in the usual cases (they

            are just warnings). Firstly, the compilers still need to successfully compile a well-formed C source

            are just warnings). Firstly, the compilers still need to successfully compile a well-formed C source

            code compliant to some older standard (e.g. C89) even when it is not up with the current quality

            code compliant to some older standard (e.g. C89) even when it is not up with the current quality

            expectations. Old legacy source code should still pass the compilation as it did decades ago.

            expectations. Old legacy source code should still pass the compilation as it did decades ago.

            The checks are usually conservative. The verifying compilers identify code constructs which are suspicious,

            The checks are usually conservative. The verifying compilers identify code constructs which are suspicious,

            which might arise out of programmer's bad intuition and so on, but even these code snippets cannot be

            which might arise out of programmer's bad intuition and so on, but even these code snippets cannot be

            tagged as definitive bugs (since the programmer can be simply in a position where he/she really wants to

            tagged as definitive bugs (since the programmer can be simply in a position where he/she really wants to

            do something very strange, but nevertheless legitimate). It is upon the programmer

            do something very strange, but nevertheless legitimate). It is upon the programmer

            to examine the root cause of the compiler warning, tell whether it is really a bug or just a false

            to examine the root cause of the compiler warning, tell whether it is really a bug or just a false

            positive and fix the issue by either amending some additional semantic information (e.g. adding an

            positive and fix the issue by either amending some additional semantic information (e.g. adding an

            explicit typecast or a vendor-specific language extension) or rewriting the code.

            explicit typecast or a vendor-specific language extension) or rewriting the code.

        \subsection{Static Analyzer}

        \subsection{Static Analyzer}

            Static analyzers try to go deeper than verifying compilers. Besides detecting common antipatterns of

            Static analyzers try to go deeper than verifying compilers. Besides detecting common antipatterns of

            bugs, they also use techniques such as abstract interpretation to check for more complex properties.

            bugs, they also use techniques such as abstract interpretation to check for more complex properties.

            from the memory access model, allocation and deallocation rules, tracking of references and tracking of

            from the memory access model, allocation and deallocation rules, tracking of references and tracking of

            concurrency locks.

            concurrency locks.

            The biggest advantage of static analyzers is that they can be easily included in the development or

            The biggest advantage of static analyzers is that they can be easily included in the development or

            continuous integration process as an additional automated step, very similar to the verifying compilers.

            continuous integration process as an additional automated step, very similar to the verifying compilers.

            deallocation of resources and release of locks, etc.). Unfortunately, many static analyzers

            deallocation of resources and release of locks, etc.). Unfortunately, many static analyzers

            only analyze a single-threaded control flow and are thus unable to detect concurrency issues

            only analyze a single-threaded control flow and are thus unable to detect concurrency issues

            such as deadlocks.

            such as deadlocks.

        \subsection{Static Verifier}

        \subsection{Static Verifier}

            and have the capability to check proper locking order, hand-over-hand locking and even liveliness.

            and have the capability to check proper locking order, hand-over-hand locking and even liveliness.

            In the context of an operating system kernel and core libraries two kinds of properties are

            In the context of an operating system kernel and core libraries two kinds of properties are

            common:

            common:

                      to be manipulated by some related set of subroutines. Checking for these

                      to be manipulated by some related set of subroutines. Checking for these

                      properties ensures that data structures and internal states will not get corrupt due

                      properties ensures that data structures and internal states will not get corrupt due

                      to bugs in the functions and methods which are designed to manipulate them.

                      to bugs in the functions and methods which are designed to manipulate them.

                      a set of subroutines should be used by the rest of the code. Checking for these properties

                      a set of subroutines should be used by the rest of the code. Checking for these properties

                      ensures that some API is always used by the rest of the code in a specified way

                      ensures that some API is always used by the rest of the code in a specified way

        \subsection{Model Checker}

        \subsection{Model Checker}

            \label{modelcheck}

            \label{modelcheck}

            On the first sight it does not seem to be reasonable to consider general model checkers as

            On the first sight it does not seem to be reasonable to consider general model checkers as

            relevant independent tools for formal verification of an existing operating system. While many

            relevant independent tools for formal verification of an existing operating system. While many

            If the implementation of these algorithms and protocols do not behave correctly, we can be sure

            If the implementation of these algorithms and protocols do not behave correctly, we can be sure

            that the root cause is in the non-compliance between the design and implementation and not a

            that the root cause is in the non-compliance between the design and implementation and not a

            fundamental flaw of the design itself.

            fundamental flaw of the design itself.

            snapshot of the dynamic run-time architecture. This snapshot fixed in time is equivalent to

            snapshot of the dynamic run-time architecture. This snapshot fixed in time is equivalent to

            a statically defined architecture.

            a statically defined architecture.

            Horizontal and vertical compliance checking can be done exhaustively. This is a fundamental property

            Horizontal and vertical compliance checking can be done exhaustively. This is a fundamental property

            Assuming that the lower-level verification methods (described in Sections \ref{clang} to \ref{modelcheck})

            Assuming that the lower-level verification methods (described in Sections \ref{clang} to \ref{modelcheck})

            prove some specific properties of the primitive components, we can be sure that the composition of

            prove some specific properties of the primitive components, we can be sure that the composition of

            does not break these properties.

            does not break these properties.

            The feasibility of many lower-level verification methods from Sections \ref{clang} to \ref{modelcheck}

            The feasibility of many lower-level verification methods from Sections \ref{clang} to \ref{modelcheck}

            individual primitive components can be verified against a large number of properties. Thanks to the

            individual primitive components can be verified against a large number of properties. Thanks to the

            recursive component composition we can then be sure that these properties also hold for the entire system.

            recursive component composition we can then be sure that these properties also hold for the entire system.

            \medskip

            \medskip

            The compliance between the behavior specification and the actual behavior of the implementation is, unfortunately,

            The compliance between the behavior specification and the actual behavior of the implementation is, unfortunately,

            the missing link in the chain. This compliance cannot be easily verified in an exhaustive manner. If there is

            the missing link in the chain. This compliance cannot be easily verified in an exhaustive manner. If there is

            specification. Although the comparison might not provide clean-cut results, it can still be

            specification. Although the comparison might not provide clean-cut results, it can still be

            helpful to confront the more-or-less informal user expectations on the system with the exact formal description.

            helpful to confront the more-or-less informal user expectations on the system with the exact formal description.

        \subsection{Summary}

        \subsection{Summary}

            \label{missing}

            \label{missing}

            \medskip

            \medskip

            We have spoken only about the functional properties. In general, we cannot apply the same formalisms

            We have spoken only about the functional properties. In general, we cannot apply the same formalisms

            and methods on extra-functional properties (e.g. timing properties, performance properties, etc.).

            and methods on extra-functional properties (e.g. timing properties, performance properties, etc.).

        \label{evaluation}

        \label{evaluation}

        This section copies the structure of the previous Section \ref{analysis} and adds HelenOS-specific

        This section copies the structure of the previous Section \ref{analysis} and adds HelenOS-specific

        evaluation of the the proposed formalisms and tools. As this is still largely a work-in-progress,

        evaluation of the the proposed formalisms and tools. As this is still largely a work-in-progress,

        in many cases just the initial observations can be made.

        in many cases just the initial observations can be made.

        \subsection{Verifying C Language Compiler and Continuous Integration Tool}

        \subsection{Verifying C Language Compiler and Continuous Integration Tool}

            The primary C compiler used by HelenOS is \emph{GNU GCC 4.4.3} (all platforms)~\cite{gcc} and \emph{Clang 2.6.0}

            The primary C compiler used by HelenOS is \emph{GNU GCC 4.4.3} (all platforms)~\cite{gcc} and \emph{Clang 2.6.0}

            (IA-32)~\cite{clang}. We have taken some effort to support also \emph{ICC} and \emph{Sun Studio} C compilers,

            (IA-32)~\cite{clang}. We have taken some effort to support also \emph{ICC} and \emph{Sun Studio} C compilers,

            but the compatibility with these compilers in not guaranteed.

            but the compatibility with these compilers in not guaranteed.

            as fatal errors, thus the code base must pass without any warnings.

            as fatal errors, thus the code base must pass without any warnings.

            We also turn on several more specific and strict checks. These checks helped to discover several

            We also turn on several more specific and strict checks. These checks helped to discover several

            latent bugs in the source code:

            latent bugs in the source code:

                      usage of equal comparator on floats is usually misguided due to the inherent computational errors

                      usage of equal comparator on floats is usually misguided due to the inherent computational errors

                      of floats.

                      of floats.

                      requirement. On many RISC-based platforms this can cause run-time unaligned access exceptions.

                      requirement. On many RISC-based platforms this can cause run-time unaligned access exceptions.

                      between signed and unsigned integers or between integers with different number of bits) can

                      between signed and unsigned integers or between integers with different number of bits) can

                      cause the actual value to change.

                      cause the actual value to change.

            To enhance the semantic information in the source code, we use GCC-specific language extensions to annotate

            To enhance the semantic information in the source code, we use GCC-specific language extensions to annotate

            some particular kernel and core library routines:

            some particular kernel and core library routines:

                      of the current sequential execution flow. The most common case are the routines which restore previously saved

                      of the current sequential execution flow. The most common case are the routines which restore previously saved

                      execution context.

                      execution context.

                      the point of view of the current sequential execution flow. This is the case of routines which save the current

                      the point of view of the current sequential execution flow. This is the case of routines which save the current

                      execution context (first the function returns as usual, but the function can eventually ``return again''

                      execution context (first the function returns as usual, but the function can eventually ``return again''

                      when the context is being restored).

                      when the context is being restored).

            The use of these extensions has pointed out to several hard-to-debug bugs on the IA-64 platform.

            The use of these extensions has pointed out to several hard-to-debug bugs on the IA-64 platform.

            \medskip

            \medskip

            and prone to human omissions. An automated approach is definitively going to be very helpful.

            and prone to human omissions. An automated approach is definitively going to be very helpful.

        \subsection{Instrumentation}

        \subsection{Instrumentation}

            We are in the process of implementing our own code instrumentation framework which is motivated mainly

            We are in the process of implementing our own code instrumentation framework which is motivated mainly

            by the need to support MMU-less architectures in the future. But this framework might be also very helpful

            by the need to support MMU-less architectures in the future. But this framework might be also very helpful

        \subsection{Static Analyzer}

        \subsection{Static Analyzer}

            The integration of various static analyzers into the HelenOS continuous integration process is underway.

            The integration of various static analyzers into the HelenOS continuous integration process is underway.

            For the initial evaluation we have used \emph{Stanse}~\cite{stanse} and \emph{Clang Analyzer}~\cite{clanganalyzer}.

            For the initial evaluation we have used \emph{Stanse}~\cite{stanse} and \emph{Clang Analyzer}~\cite{clanganalyzer}.

            Both of them showed to be moderately helpful to point out instances of unreachable dead code, use of language

            Both of them showed to be moderately helpful to point out instances of unreachable dead code, use of language

            primitive) and futexes (basic user space thread synchronization primitive) using \emph{Promela} and

            primitive) and futexes (basic user space thread synchronization primitive) using \emph{Promela} and

            verify several formal properties (deadlock freedom, fairness) in \emph{Spin}~\cite{spin}. As both the Promela language

            verify several formal properties (deadlock freedom, fairness) in \emph{Spin}~\cite{spin}. As both the Promela language

            and the Spin model checker are mature and commonly used tools for such purposes, we expect no major problems

            and the Spin model checker are mature and commonly used tools for such purposes, we expect no major problems

            with this approach. Because both synchronization primitives are relatively complex, utilizing a model checker

            with this approach. Because both synchronization primitives are relatively complex, utilizing a model checker

            should provide a much more trustworthy proof of the required properties than ``paper and pencil''.

            should provide a much more trustworthy proof of the required properties than ``paper and pencil''.

            Both the architecture and behavior description is readily available as part of the source code repository

            Both the architecture and behavior description is readily available as part of the source code repository

            of HelenOS, including tools which can preprocess the Behavior Protocols according to the architecture description

            of HelenOS, including tools which can preprocess the Behavior Protocols according to the architecture description

            and create an output suitable for \emph{bp2promela} checker~\cite{bp}.

            and create an output suitable for \emph{bp2promela} checker~\cite{bp}.

            As the resulting complexity of the description is larger than any of the previously published case studies

            As the resulting complexity of the description is larger than any of the previously published case studies

            \medskip

            \medskip

        \subsection{Behavior Description Generator}

        \subsection{Behavior Description Generator}

    \section{Conclusion}

    \section{Conclusion}

        \label{conclusion}

        \label{conclusion}

        Thanks to the properties of state-of-the-art microkernel multiserver operating

        Thanks to the properties of state-of-the-art microkernel multiserver operating

        \medskip

        \medskip

        We also argue that the approach should be suitable for the mainstream

        We also argue that the approach should be suitable for the mainstream

        general-purpose operating systems in the near future, because they are gradually

        general-purpose operating systems in the near future, because they are gradually

        incorporating more microkernel-based features and fine-grained software components.

        incorporating more microkernel-based features and fine-grained software components.

        Although the evaluation of the proposed approach on HelenOS is still work-in-progress, the

        Although the evaluation of the proposed approach on HelenOS is still work-in-progress, the

        preliminary results and estimates are promising.

        preliminary results and estimates are promising.

        \medskip

        \medskip

        This work was partially supported by the Ministry of Education of the Czech Republic

        This work was partially supported by the Ministry of Education of the Czech Republic

        (grant MSM\-0021620838).

        (grant MSM\-0021620838).

    \begin{thebibliography}{99}

    \begin{thebibliography}{99}