ThreadAbs: A template to build verified thread-local interfaces with software scheduler abstractions

This paper presents ThreadAbs, an extension of the layer-based software formal verification toolkit CCAL (Gu et al., 2018). ThreadAbs is specifically designed to provide better expressiveness and proof management for thread abstraction in multithreaded libraries. Thread abstraction isolates the behavior of each thread from others when providing a top-level formal specification for software. Compared to the original CCAL, ThreadAbs offers significant improvements in this regard. CCAL is a verification framework that enables a layered approach to building certified software, as demonstrated by multiple examples (Gu et al. 2016; Li et al. 2021; Shin et al. 2019). Obviously, its main targets usually include multithread libraries, which support significant improvement in the utilization and isolation of system resources. However, it poses new challenges for formal verification. Firstly, it requires a sudden change in the granularity of concurrency during the implementation and verification of the target software. Typically, systems are associated with software schedulers that are built on top of several underlying components in the system (e.g., thread spawn, yield, sleep, and wake-up). Due to the software scheduler, these systems can be divided into low-level components consisting of modules that the software scheduler depends on (e.g., allocators for shared resources and scheduling queues) and high-level components that use software schedulers (e.g., condition variables, semaphores, and IPCs). Therefore, software formal verification on those systems has to provide proper method to deal with those distinct features, which is usually abstracting other threads’ behavior as much as possible to provide an independent thread model and its formal specification. Secondly, it requires handling side effects from other threads, such as dynamic resource allocation from parents with proper isolation of all threads from each other. CCAL has limited support for two crucial aspects of formal verification in multithreaded systems. Firstly, its previous thread abstraction method does not handle the side effects caused by a parent thread during dynamic initial state allocation properly. Secondly, the proofs produced by CCAL are tied to CertiKOS, which makes it challenging to use them for similar proofs that use CCAL as their verification toolkit. To address these issues, we introduce ThreadAbs, a new mechanized methodology that provides proper thread abstraction to reason about multithreaded programs in conjunction with CCAL. We also extend the previous CertiKOS proof with ThreadAbs to demonstrate its usability and expressiveness.