Controlled Owicki-Gries Concurrency: Reasoning about the Preemptible eChronos Embedded Operating System

TL;DR

This paper presents a formal framework based on the Owicki-Gries method for modeling and verifying preemptible real-time embedded operating systems, exemplified by the eChronos OS, using Isabelle/HOL.

Contribution

It adapts the Owicki-Gries concurrency method to explicitly model hardware interfaces and preemption in embedded OSs, enabling detailed verification of high-performance, interrupt-driven systems.

Findings

Framework accurately models eChronos OS behavior.

Supports explicit concurrency control for embedded systems.

Formalization in Isabelle/HOL enhances automation and reliability.

Abstract

We introduce a controlled concurrency framework, derived from the Owicki-Gries method, for describing a hardware interface in detail sufficient to support the modelling and verification of small, embedded operating systems (OS's) whose run-time responsiveness is paramount. Such real-time systems run with interrupts mostly enabled, including during scheduling. That differs from many other successfully modelled and verified OS's that typically reduce the complexity of concurrency by running on uniprocessor platforms and by switching interrupts off as much as possible. Our framework builds on the traditional Owicki-Gries method, for its fine-grained concurrency is needed for high-performance system code. We adapt it to support explicit concurrency control, by providing a simple, faithful representation of the hardware interface that allows software to control the degree of interleaving between user code, OS code, interrupt handlers and a scheduler that controls context switching. We then apply this framework to model the interleaving behavior of the eChronos OS, a preemptible real-time OS for embedded micro-controllers. We discuss the accuracy and usability of our approach when instantiated to model the eChronos OS. Both our framework and the eChronos model are formalised in the Isabelle/HOL theorem prover, taking advantage of the high level of automation in modern reasoning tools.