Verification of the Tree-Based Hierarchical Read-Copy Update in the Linux Kernel

TL;DR

This paper presents the first formal verification of a significant part of Linux kernel's Tree RCU implementation using model checking, enhancing reliability and safety assurance of this critical synchronization mechanism.

Contribution

It introduces a method to directly model Tree RCU's C source code for formal verification with CBMC, avoiding error-prone translation and enabling integration into kernel testing.

Findings

Verified safety and liveness properties of Tree RCU

First formal verification of a major part of Linux RCU source code

Demonstrated feasibility of integrating formal methods into kernel testing

Abstract

Read-Copy Update (RCU) is a scalable, high-performance Linux-kernel synchronization mechanism that runs low-overhead readers concurrently with updaters. Production-quality RCU implementations for multi-core systems are decidedly non-trivial. Giving the ubiquity of Linux, a rare "million-year" bug can occur several times per day across the installed base. Stringent validation of RCU's complex behaviors is thus critically important. Exhaustive testing is infeasible due to the exponential number of possible executions, which suggests use of formal verification. Previous verification efforts on RCU either focus on simple implementations or use modeling languages, the latter requiring error-prone manual translation that must be repeated frequently due to regular changes in the Linux kernel's RCU implementation. In this paper, we first describe the implementation of Tree RCU in the Linux kernel. We then discuss how to construct a model directly from Tree RCU's source code in C, and use the CBMC model checker to verify its safety and liveness properties. To our best knowledge, this is the first verification of a significant part of RCU's source code, and is an important step towards integration of formal verification into the Linux kernel's regression test suite.