Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Fei-yi SHEN,Yan-yuan ZHANG,Yi LIN

DOI: https://doi.org/10.3969/j.issn.1006-2475.2015.07.023

2015-01-01

Abstract:Memory management is important in real-time system. This paper develops a new dynamic memory management algo-rithm based on Buddy system and TLSF algorithm on consideration of both real-time and fragmentation rate. The new algorithm deals with large and small pieces of memory in different ways. Buddy system is used to manage small pieces while large ones are organized by two-level segregating indices. This paper performs experimental study on μCos-III OS by implementing the new method and which shows good performance in both time-consuming and fragmentation rate. At present the method has been ap-plied to an actual project.

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

Bin Fang,Mihaela Sighireanu,Geguang Pu,Wen Su,Jean-Raymond Abrial,Mengfei Yang,Lei Qiao

DOI: https://doi.org/10.1007/s11432-017-9280-9

2018-01-01

Abstract:Existing implementations of dynamic memory allocators (DMA) employ a large spectrum of policies and techniques. The formal specifications of these techniques are quite complicated in isolation and very complex when combined. Therefore, the formal reasoning on a specific DMA implementation is difficult for automatic tools and mostly single-use. This paper proposes a solution to this problem by providing formal models for a full class of DMA, the class using various kinds of lists to manage the memory blocks controlled by the DMA. To obtain reusable formal models and tractable formal reasoning, we organise these models in a hierarchy ranked by refinement relations. We prove the soundness of models and the refinement relations using the modeling framework Event-B and the theorem prover Rodin. We demonstrate that our hierarchy is a basis for an algorithm theory for list based DMA: it abstracts various existing implementations of DMA and leads to new DMA implementations. The applications of this formalisation include model-based code generation, testing, and static analysis.

Jian-xin WANG,Xue-zeng PAN

DOI: https://doi.org/10.3969/j.issn.1671-7147.2005.04.011

2005-01-01

Abstract:To develop an embedded real-time operating system with own property rights, we combined memory management characteristic of uCLinux with real-time characteristic of RTAI. With elaborate design in main modules such as architecture, memory management, process management, exception and interrupt handling and timer, we eventually made a hard real-time embedded operating system——ZDRTOS.

Lei QIAO,Meng-Fei YANG,Yan-Liang TAN,Ge-Guang PU,Hua YANG

DOI: https://doi.org/10.13328/j.cnki.jos.005218

2017-01-01

Abstract:In the safety-critical system of spacecraft,memory management system is the essential part of operating system kernels to provide allocation and cleanup mechanism at the lowest level and is obviously critical to the reliability and safety of spacecraft computer systems.The memory management system should satisfy strict constraints such as rcal-time response,space usage limit,allocation efficiency and many boundary conditions.It has to use very complex data structures and algorithm to manage the whole memory space.In order to make the complex memory management system of spacecraft highly reliable,the formal verification of the system also becomes much more complicated as it embodies formal verification of complex data structures such as two level segregated double linked list with two level bitmaps,specification of operations,modeling on behavior,assertion definition of inner function,loop invariant definition and real-time verification.This paper provides an in-depth analysis on these problems and characteristics of spacecraft memory management system to find certain general method and theory based on hierarchical iteration for verifying a concrete operating system used on spacecraft.The results of this study offer potential benefits in improving the reliability of the spacecrafts of China.

Liu Zhongshi,Dai Jinhai,Gui Xianzhou

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.05.012

2006-01-01

Abstract:Memory management of Real-Time Operating System is studied.The advantages and disadvantages of static memory allocation and dynamic memory allocation are concluded.The features,architecture and target system's memory map of Real-Time Operating System SACOS are introduced.Dynamic memory management of SACOS and implementations of allocation and garbage collection of heap which is the foundation of dynamic memory management are reported in detail.The dynamic memory management of SACOS can decrease efficiently the memory management overhead and memory fragmentation and improve the memory utilization.

Xiangzhen Ouyang,Yian Zhu

DOI: https://doi.org/10.1145/3533724

2022-01-01

ACM Transactions on Embedded Computing Systems

Abstract:Dynamic memory allocation plays a vital role in modern application programs. Modern lock-free memory allocators based on hardware atomic primitives usually provide good performance. However, threads may starve in these lock-free implementations, leading to unbounded worst-case execution time that is not allowed in real-time embedded systems. This article presents decentralized dynamic memory management, wfspan, based on non-linearizable wait-free lists. It employs a helping mechanism to ensure no starvation in the lock-free implementation. From the perspective of design tradeoff, wfspan guarantees bounded execution steps in both allocation and deallocation procedure, at the cost of increasing bounded worst-case memory footprint. The results of running benchmarks on an x86/64 and an aarch64 machine illustrate that wfspan achieves competitive performance and memory footprint compared to lock-based and lock-free practical memory allocators while showing superior to other allocators in terms of worst-case execution time.

Yongwang Zhao,David Sanan

2023-09-17

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. An incorrect specification and implementation of the memory management may lead to system crashes or exploitable attacks. This article presents the first formal specification and mechanized proof of a concurrent memory management for a real-world OS concerning a comprehensive set of properties, including functional correctness, safety and security. To achieve the highest assurance evaluation level, we develop a fine-grained formal specification of the Zephyr RTOS buddy memory management, which closely follows the C code easing validation of the specification and the source code. The rely-guarantee-based compositional verification technique has been enforced over the formal model. To support formal verification of the security property, we extend our rely-guarantee framework PiCore by a compositional reasoning approach for integrity. Whilst the security verification of the design shows that it preserves the integrity property, the verification of the functional properties shows several problems. These verification issues are translated into finding three bugs in the C implementation of Zephyr, after inspecting the source code corresponding to the design lines breaking the properties.

Software Engineering

WANG Zhao-wen,JIANG Ze-jun,CHEN Jin-chao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.09.058

2014-01-01

Abstract:To the problem of imperfection in real-time property of memory management under Linux system,this paper designs a solution to improve the timeliness. It works in three aspects:establishing a mapping relationship between virtual address and physical address to reduce the switch between the user mode and kernel mode,locking memory to avoid page exchanging,improving the original algorithm of memory management to remove the nondeterministic operations. The modified memory management algorithm is based on the principle of partitioned management and best fit, whose time complexity is O(1). Experimental results show that this solution is a good way to improve the performance of memory management,in the environment of memory tension,its effect is more obvious,and performance improvement rate can reach 49. 5%. It meets the requirement of real-time.

hu zhe,zhang jun,luo xiling

DOI: https://doi.org/10.1109/ITST.2006.288827

2006-01-01

Abstract:In the embedded software design of efficient intelligent transportation system, the real-time capability and system stability is strictly required. However, it is restricted by some elements in traditional memory management mechanism, such as complex implementation, memory fragmentations, etc. Therefore, in this paper, a novel method of memory management is proposed for real-time application which integrates the static allocation of memory with the dynamic allocation. At the end of this paper, the performance comparison of this design with other mechanisms is given.

Zhang Feng,Zhao Yongwang,Ma Dianfu,Niu Wensheng

DOI: https://doi.org/10.1109/isorc.2019.00013

2019-01-01

Abstract:Bugs in memory management of Operating Systems may lead to crashing. This paper presents a case study of formal verification on the buddy memory allocation component of the Zephyr RTOS kernel. The algorithm of the component allows memory blocks of 4-power sizes to be dynamically allocated by efficiently partitioning larger blocks into smaller ones, and then be released supporting immediate and automatic combining of smaller blocks. The execution of memory allocation is preemptive, which means that the allocation may invoke rescheduling when there is no block available for memory requests. In this paper, we provide a fine-grained formal specification of buddy memory allocation and formally verify its safety via invariants and functional correctness. The specification covers all the elements of the data structure as well as all statements of memory initialization, allocation, and release presented in the C source code. During the formal verification, we found a functional flaw in the C code. To the best of our knowledge, this paper is the first effort of formal verification at a fine-grained level on buddy memory allocation in Operating Systems.

Guoxi Li,Wenzhi Chen,Yang Xiang

DOI: https://doi.org/10.1109/tc.2020.3009124

2021-01-01

Abstract:Currently, with the booming growth of cloud computing, workloads from broad ranges of functions and demands are crammed into a single physical machine. They lay considerable stress on the need of evolution of the operating system underneath, especially the memory subsystem. Even enhancing large pages with main memory compression is not intuitively straightforward due to rigid rules imposed by the state-of-the-art manager Buddy System from the beginning of the design. To relieve the aforementioned problems and provide broader design space for system designers, we propose Zweilous, a clean slate physical memory management framework. It is self-contained, highly decoupled, and thus can co-exist with the vanilla memory manager. Separate self-contained metadata/functions guarantee a flexible extension with little modification to current frameworks. To show it is easy to add enhanced functions that accelerate the evolution of the memory management subsystem, we implement Hzmem, a new large page memory manager redesign enhanced with the function of main memory compression. Our method achieves competitive performance compared with native and virtualized large page support, effective memory size increased and fewer impacts on other parts of the operating system.

Miao Zhang,Zhiwen Jiang,Yiping Yao,Tianlin Li

DOI: https://doi.org/10.1145/3173519.3173542

2017-01-01

Abstract:As an important branch of simulation technology, realtime hardware-in-the-loop simulation has been widely used in industrial design and equipment testing. The current real-time simulation software is mostly based on proprietary systems or realtime transformation of the Windows system and cannot run in the general Linux system with a large number of users. At the same time, the existing memory management algorithm has low utilization rate and cannot adapt to the needs for a long time simulation. In view of this problem, this paper combines the design method of the existing real-time software to design the real-time simulation framework in Linux environment, and improves the memory management method to meet the needs of largescale and long-term simulation. The experimental results

Yu Zhang,Yongwang Zhao,David Sanán,Lei Qiao,Jinkun Zhang

DOI: https://doi.org/10.1007/978-3-030-35540-1_8

2019-01-01

Abstract:Formal verification of real-time services is important because they are usually associated with safety-critical systems. In this paper, we present a verified Two-Level Segregated Fit (TLSF) memory management model. TLSF is a dynamic memory allocator and is designed for real-time operating systems. We formalize the specification of TLSF algorithm based on the client requirements. The specification contains both functional correctness of allocation and free services and invariants and constraints of the global memory state. Then we implement an abstract TLSF memory allocator using state monads in Isabelle/HOL. The allocator model is built from a high-level view and the details of data structures are simplified but it covers all the behavioral principles and procedures of a concrete TLSF implementation. Finally, we verify that our TLSF model is correct w.r.t. the specification using a verification condition generator (VCG) and verification tools in Isabelle/HOL.

Yongwang Zhao,David Sanán

DOI: https://doi.org/10.1007/978-3-030-25543-5_29

2019-01-01

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, and in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. Up to our knowledge, this paper presents the first formal specification and mechanized proof of a concurrent buddy memory allocation for a real-world OS. We develop a fine-grained formal specification of the buddy memory management in Zephyr RTOS. To ease validation of the specification and the source code, the provided specification closely follows the C code. Then, we use the rely-guarantee technique to conduct the compositional verification of functional correctness and invariant preservation. During the formal verification, we found three bugs in the C code of Zephyr.

Ke Jiang,David Sanan,Yongwang Zhao,Shuanglong Kan,Yang Liu

DOI: https://doi.org/10.1109/iceccs.2019.00023

2019-01-01

Abstract:Buddy memory allocation algorithms are widely adopted by various memory management systems for managing memory layouts. Rigorous mathematical proofs provide strong assurance to improve the confidence on the reliability of a memory management system. In this paper, we model and formally verify, in the interactive theorem prover Isabelle/HOL, a buddy memory allocation model, which preserves functional correctness and security properties. Firstly, we construct a specification consisting of operations to allocate and dispose memory blocks according to a buddy memory allocation algorithm. Then we verify that the specification preserves key invariants over the memory to guarantee functional correctness of the algorithm. Finally, we verify that the specification also preserves the integrity of the memory. Therefore, they do not affect other memory blocks previously allocated.

Yong Li,Yu Zhang,Yi-Yun Chen,Ming Fu

DOI: https://doi.org/10.1007/s11390-010-9369-2

2010-01-01

Abstract:Transactional memory (TM) is an easy-using parallel programming model that avoids common problems associated with conventional locking techniques. Several researchers have proposed a large amount of alternative hardware and software TM implementations. However, few ones focus on formal reasoning about these TM programs. In this paper, we propose a framework at assembly level for reasoning about lazy software transactional memory (STM) programs. First, we give a software TM implementation based on lightweight locks. These locks are also one part of the shared memory. Then we define the semantics of the model operationally, and the lightweight locks in transaction are non-blocking, avoiding deadlocks among transactions. Finally we design a logic — a combination of permission accounting in separation logic and concurrent separation logic — to verify various properties of concurrent programs based on this machine model. The whole framework is formalized using a proof-carrying-code (PCC) framework.

SUN Xiao-hui,WANG Jin-lin,CHEN Xiao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.08.027

2008-01-01

Abstract:Memory allocation is an important issue in developing real-time and embedded applications.This paper introduces a novel memory allocation algorithm which uses hybrid of bitmap fit and segregated fit.It uses a double bitmap fit when the memory block is small,which uses a double segregate list to manage larger memory blocks in order to lower fragmentation.Experimental results show the method has low fragmentation and a bounded response time,which is suit for real-time systems.