A Simple Virtual Memory Scheme Formalized in IMPS*

Joshua D. Guttman
The MITRE Corporation

Abstract. In this paper we formalize a simple virtual memory scheme derived from Mach and Multics. It is represented by state machine operations in IMPS, an Interactive Mathematical Proof System. We prove that a store with a global page table faithfully refines an abstract machine in which processes may perform fetch and store operations against a set of persistent memory objects. Both safety conditions and liveness conditions are proved. Some fine points treated in the model include the finiteness of virtual address spaces and physical store; the ability to map a portion of a permanent memory object into the address space; initialization of newly allocated memory to zero; and the need for page-aligned addresses in some operations.

The paper has two main purposes. First, it illustrates how naturally IMPS can model this sort of problem, can prove the necessary theorems, and can present the results. Technical details are presented as typeset automatically by IMPS. Second, it illustrates how virtual memory systems can be specified and, at least at the first refinement levels, verified. Lower refinement levels would, however, raise additional issues of concurrency and of hardware dependencies.

1 Introduction

IMPS, an Interactive Mathematical Proof System [6], aims to provide mechanical support for traditional methods and activities of mathematics, and for traditional styles of classical mathematical proof. The bulk of IMPS work has focused on mathematics [7, 5]. However, the same broadly understandable techniques are also valuable for formal methods. This paper will illustrate that IMPS provides an attractive and flexible modeling framework for formal methods, and that IMPS provides adequate interactive theorem proving power to expose errors in specifications and to prove correct refinements.

A second goal is to describe a style in which virtual memory systems can be specified, and, at least at the highest refinement levels, verified. Our motivation for doing so derives from a recently begun effort (called VMACH) which is devoted

* Supported by the United States Army cecom under contract DAAB07-94-C-H601. The development of IMPS was supported by the MITRE-Sponsored Research Program. Author's address: The MITRE Corporation, 202 Burlington Rd, Bedford MA 01730-1420 USA; E-mail: guttm@mitre.org; Telephone: 617-271-2654; Fax: 617-271-3816.
to specifying and verifying critical subsystems of the Mach microkernel [10]; initial emphasis is on the Mach virtual memory system. Our reasons for undertaking this are partly research goals, and partly driven by the applications needs.

The research goal for VMACH is to study techniques for applying formal methods to portions of complex, multi-threaded software. Mach offers clever optimizations, such as the copy-on-write optimization, that interrelate virtual memory and inter-process communication [10, Chapters 4–5]. It also allows user-level processes called external memory managers to participate in virtual memory management, and to offer persistent memory objects that processes can map directly into their address spaces. The protocols between the Mach kernel and the external memory managers raise concurrency control problems [11]. But there is also a more immediately practical motivation for VMACH.

Mach is considered a promising architecture for workstations and other end systems in networks for which assurance is critical. These may include, for instance, networks processing financial transactions, or multiple levels of classified information, or air-traffic control information. Mach’s microkernel architecture is advantageous because it allows many different applications-specific facilities, including widely varying security policies, to be built on top of a single kernel. The basic services of this kernel may be designed, verified and implemented once. The cost of applying formal methods may thus be amortized over a wide range of high-assurance applications.

The modest-sized example presented in this paper, which one person developed, debugged, and completely proved during a three week period, touches on only a few of the issues VMACH will eventually face. In particular, this paper will not consider concurrency problems. Rather, it describes a sequential specification, to which a well-behaved multi-threaded implementation may conform. Moreover, the example takes a form more reminiscent of Multics’s style of virtual addressing [12] than of Mach’s.

**IMPS as a Specification language.** IMPS supports mathematics, and formal methods, using the “little theories” version of the axiomatic method [5]. The IMPS user develops a collection of axiomatic theories, all within a single fixed logic. Theories may be related in two main ways: a theory may extend a number of other theories, and a theory interpretation may translate one theory into another. The example in this paper introduces four new theories. By contrast, a more detailed IMPS formalization of the Mach system state (based on [1]) introduces a dozen in 15 pages of text.

The fixed IMPS logic is intended not to be novel, but rather to provide a natural framework for formalizing classical mathematics. We have selected a version of classical simple type theory, which offers a convenient notation for functions and a syntactic “type-checking” discipline in its type system.

---

2 For information on how VMACH relates to other formal methods work at The MITRE Corporation, see [8].
We have, however, introduced two characteristics which are more unusual in classical logics [3, 4]. These two areas represent ways that the logical tradition appears to have diverged from the dominant style of careful rigorous mathematics.

First, in IMPS the functions occurring in higher types include partial functions rather than just total functions. Partial functions are treated in a direct way: if, for instance, the value that \( t \) denotes is not in the domain of the function that \( f \) denotes, then the expression \( f(t) \) simply has no denotation.

Second, within the framework of simple type theory we have introduced a mechanism of sub-types. For instance, if in some theory \( \mathbb{R} \) is a type representing the real numbers, \( \mathbb{Q} \) and \( \mathbb{Z} \) may be sub-types representing the rationals and the integers. Any non-empty subset of a type may be distinguished as a sub-type.

Types and their sub-types are jointly called sorts.

These two characteristics fit together quite smoothly in simple type theory. A function type, \( \mathbb{Z} \rightarrow \mathbb{Q} \), for instance, represents the set of partial functions with domain included in \( \mathbb{Z} \) and range included in \( \mathbb{Q} \). It is a subtype of \( \mathbb{R} \rightarrow \mathbb{R} \).

The IMPS logic is nevertheless classical in its treatment of formulas; for instance, a formula is a (propositional) tautology in the IMPS logic if and only if it is a classical tautology. We arrange this by two main conventions:

1. The denotation of any predicate is a total function into \( \{ \text{True, False} \} \);
2. An atomic formula is false if any of its immediate constituents has no denotation.

**Intuitive Content of the Specification.** The specification describes the service which a virtual memory system provides to the user-level processes executing on the system. This service makes available a set of potentially persistent memory objects which one or more processes can include directly within their virtual address space. A process is said to map a memory object into its address space when it allocates a range of virtual addresses to be used to reference the contents of that memory object. When a process maps a memory object, it specifies what part of its virtual address space it wishes to use for this purpose.

We will follow Multics terminology and refer to the part of the address space allocated in a single map operation as a segment.\(^3\) The segments in an address space may be identified by number, and a simple addressing scheme, derived from Multics, is to regard the upper bits of a virtual address as determining a segment number \( s \), while the lower bits determine an offset \( o \) within that portion of memory. This addressing scheme may be regarded as a two-dimensional arrangement, in which a word is accessed by a segment/offset pair \( (s, o) \).

A map operation takes as arguments not only the process \( p \) performing it, the desired segment number \( s \), and the memory object \( m \) to be mapped, but also two additional numbers. These are a base \( b \), which is the index within the

---

\(^3\) In Multics a segment had a (quite small) maximum size, and the whole issue was intricately intertwined with hardware considerations [12]. However, neither of these facts is essential, and neither is relevant to Mach. See, e.g., [13, Section 3.7] for a recent general discussion of segmented memory systems.
memory object at which the mapped portion will begin; and a length $\ell$, which is the number of words to map. The process will have access to the $\ell$ words beginning with the $b$th word contained in the object $m$. The virtual address $(s, o)$ will reference the word $b + o$ within $m$ if $o < \ell$; otherwise the reference is illegal and will cause a segmentation error.

In addition to the map operation, our specification will also offer unmap, fetch, and store. The unmap operation deallocates a segment $s$, so that addresses $(s, o)$ will be henceforth illegal. A fetch communicates the value of the word associated with the virtual address $(s, o)$ to the user process $p$, while store allows $p$ to communicate a new value $w$ which will henceforth occupy the $(b + o)$th position within $m$.

Thus our example provides only four typical operations, rather than the dozen that would be needed for a full description of the virtual memory interface to Mach; the state is similarly simplified. The Multics-style two-dimensional addressing also makes it easier to determine what memory object has been referenced by a virtual address.

The state itself has four components, each of them a partial function. The first three components, $\alpha$, $\beta$, and $\Lambda$, take as arguments a process $p$ and a segment $s$. They return, respectively, the memory object (if any) mapped by $p$ in segment $s$, the base of the mapped portion, and the length of the mapped portion. The operations respect an invariant regarding these three state components: if $\sigma$ is an accessible state, then if any one of the three terms $\alpha(\sigma)(p, s)$, $\beta(\sigma)(p, s)$, and $\Lambda(\sigma)(p, s)$ is well-defined, then all three of them are well-defined. When these terms are not well-defined, that means that $p$ has no object mapped in the particular segment $s$. Thus the domain of the partial functions expresses important state information.

The fourth state component $\gamma$ is a partial function taking as arguments a memory object $m$ and a natural number index $i$. The value $\gamma(\sigma)(m, i)$, if well-defined, returns the word at the $i$th location in $m$, in state $\sigma$. Nothing in the specification entails that the unary function $\lambda i. \gamma(\sigma)(m, i)$ is defined on an initial segment of the natural numbers. For instance, to represent a common architecture, of which MIPS is an example, in which bytes are addressable but fetches are made only from word-aligned addresses, we could specify it to be well-defined only if $i \mod 4 = 0$.

**Modeling Virtual Memory.** The main ingredient in a virtual memory scheme is that the operating system uses the primary physical store ("main memory") as a cache for parts of the address space of processes. When a process references a location that is represented in the store, the operating system translates the virtual address to determine the page of store and the offset within that page to access. Hardware and operating system software cooperate in this translation. When a process attempts to reference a location that is not represented in the store, it takes a page fault. The operating system attempts to page the needed

---

4. We could alternatively have had a single state component which returned a triple when defined, containing memory object, base, and length.
portion of the address space in from secondary store. To do so, it may need to
free a page in primary store by flushing its current contents out to secondary
store. When these maneuvers are complete, the operating system restarts the
process at the same instruction that caused the page fault.

To justify using virtual memory to provide the services we have just de-
scribed, we must extend the notion of state. In our approach, we will enrich it
with a single global page table $\pi$, which determines what page (if any) in pri-
mary store represents a portion of a persistent memory object. We will also add
a physical store $\mu$, which, given a page and an offset within it, determines the
word physically present at that location. Thus an implementation state $\sigma_i$ has
three components, namely $\text{vsig}_{i}$, $\pi$, and $\mu$, which represent the embedded virtual
memory specification state, the global page table, and the physical memory of
the system respectively.

An implementation fetch or store then uses $\pi$ to determine whether the re-
quested virtual address is resident. The current store contents $\mu$ determines the
word fetched or the function to be updated by the assignment, respectively. An
implementation fetch or store cannot occur if the page is not resident. The im-
plementation offers two additional operations, $\text{page\_in}$ and $\text{page\_out}$, to cause a
page’s worth of data to become resident, and to clear a page’s worth of store for
new data.

The Abstraction Function. The states of the implementation are related to those
of the specification using a traditional abstraction function [9]. For any imple-
mentation state, there is at most one specification state it represents, although
the same specification state may be represented by many implementation states.

The heart of the abstraction function $\text{abstr}$ is to overlay the physical store
contents in $\mu(\sigma_i)$ over the “disk copies” of the memory objects, $\gamma(\text{vsig}(\sigma_i))$. The
auxiliary function $\gamma_{\text{tabstr}}$ uses the page table $\pi$ to do so. The rest of the abstract
state contains values from the embedded state $\text{vsig}(\sigma_i)$.

When $f$, a function on implementation states, is a composition of state ma-
chine operations, we will call it an abstract no-op when $\text{abstr}(f(\sigma_i)) = \text{abstr}(\sigma_i)$.

The Main Theorems. We include a few theorems that indicate that the opera-
tions have been specified properly. However, the main theorems are refinement
theorems. They establish a safety condition and a liveness condition. Suppose
first that $g$ is one of the four specified operations, with parameters fixed, and $h$
is the implementation version of that operation. Then the safety condition states
that

$$h(\sigma_i) \downarrow \Rightarrow \text{abstr}(h(\sigma_i)) = g(\text{abstr}(\sigma_i)),$$

where $\downarrow$ means “is defined.”

To state the liveness constraints we need to define the assertion $s \simeq t$ (read
“$s$ is quasi-equivalent to $t$”). It abbreviates the assertion $(s \downarrow \forall t \downarrow) \Rightarrow s = t$.
Quasi-equivalence says that the terms have the same denotation or lack thereof,
and in the IMPS logic it is the condition that justifies substitution of $s$ for $t$,
wherever $s$ is free for $t$. 
The liveness condition states that there is an abstract no-op \( f \) such that

\[
\text{abstr}(h(f(\sigma_i))) \simeq g(\text{abstr}(\sigma_i)).
\]

We call this a liveness condition because it entails that when the abstract machine can undergo operation \( g \) from \( \text{abstr}(\sigma_i) \), then even if the implementation cannot undergo \( h \) from \( \sigma_i \), it can evolve to an indistinguishable state \( f(\sigma_i) \) from which it can undergo \( h \). In our case study, the abstract no-op \( f \) consists of a \textit{page in} operation, if needed, preceded by a \textit{page out} operation, if needed.

If by contrast \( h \) is \textit{page in} or \textit{page out} operation, to which nothing in the abstract version corresponds, then the safety condition is that \( h \) is an abstract no-op, \( \text{abstr}(h(\sigma_i)) = \sigma_i \). There is no liveness constraint for this case.

These properties entail that every computation\(^5\) of the abstract state machine corresponds to a computation of the implementation machine and \textit{vice versa}, in the following sense of “correspond.” If \( C_i \) is a computation of the implementation, then an abstract computation \( C \) \textit{corresponds to} \( C_i \) if there is a non-decreasing function \( f : \mathbb{N} \rightarrow \mathbb{N} \) onto the domain of \( C \) such that \( \text{abstr}(C_i(j)) \simeq C(f(j)) \).

\[\text{Remainder of this Paper.}\] The remainder of this paper consists of \textsc{imps}-generated typeset output together with explanatory prose. All of the \textbf{Theory, Definition, Theorem}, and similar environments have been constructed by \textsc{imps} directly from the fully verified source files. In a few places linefeeds or indentation have been added manually to the formulas. Many auxiliary lemmas have been deleted, partly to save space and partly to highlight the main theorems for the reader.

We emphasize the \textsc{imps} \LaTeX{} facility because we think it important that a formal method provide a comprehensible transcript of the specifications and theorems that have been developed.

2 Virtual Memory Specification

2.1 Basic Vocabulary and State Definition

We begin by introducing a formal language or signature to use to talk about the virtual memory specification and its operations. This language extends the \textsc{imps} language for real arithmetic. It contains four additional basic types, namely \texttt{mem_obj}, \texttt{word}, \texttt{process}, and \texttt{page}. It also distinguishes two sub-sorts of the natural numbers, one to be used as segment numbers, the other to be used for offsets within segments. A virtual address is in effect a pair \( (s, o) \) for some segment number \( s \) and offset \( o \). The two subsorts are unspecified, so that this specification is consistent with a wide range of constraints on segment numbers and offsets. For instance, the sorts can be interpreted as finite, and the allowable values may be restricted to have an alignment property, such as being divisible by \( 2^n \).

\( ^5 \) That is, a finite or infinite sequence \( C \) of states such that \( C(0) \) is an initial state, and for every \( j \) where \( C(j + 1) \downarrow \), there is an operation \( h \) such that \( C(j + 1) = h(C(j)) \).
Two new individual constants are also introduced, namely \texttt{null\_word} and \texttt{pagesize}, which are used respectively to represent the value to be inserted in newly initiaized memory and the hardware-determined size of a page frame.

The "language" definition that follows—along with all "definitions," "sort definitions," "theorems," and similar environments—is generated automatically by \texttt{IMPS}. The parenthesized identifier is the name of the item being introduced, in this case, a new language.

\textbf{Language 2.1 (vm-language)}

Embedded language: \texttt{h-o-real-arithmetic}

Base types: \texttt{mem\_obj word process page}

Sorts: \texttt{seg \ll N} \hspace{1em} \texttt{off \ll N}

Constants: \texttt{null\_word : word} \hspace{1em} \texttt{pagesize : off}

We will need to assume that \texttt{pagesize} is not 0, so that page-aligned addresses will make sense in Section 3.

\begin{table}[h]
\centering
\begin{tabular}{|l|}
\hline
\textbf{Component theory:} \texttt{h-o-real-arithmetic} \\
\textbf{Top level axioms:} \\
\hspace{1em} \texttt{pagesize\_non\_zero} \hspace{1em} \neg(pagesize = 0). \\
\hline
\end{tabular}
\caption{Components and axioms for \texttt{vm-1}}
\end{table}

\textbf{Theory 2.2 (vm-1)}

Language: \texttt{vm-language}

Component Theories and Axioms: \textit{See Figure 1}.

We now introduce a freely generated datatype (or "BNF") into \texttt{IMPS}. As a consequence, \texttt{IMPS} constructs a new theory extending \texttt{vm-1}, which will be named \texttt{vm-spec}. We will work within this theory throughout the remainder of this section.

The new objects will belong to a logical type called \texttt{pre\_state}. In general, a BNF may have a number of atoms, as well as a number of constructors, which may recursively construct new datatype elements from old. In this case, there are no atoms and only a single non-recursive constructor named \texttt{make\_state}, so that the new datatype is effectively a tuple type. The four selectors extract the tuple components. \texttt{IMPS} constructs the expected "no junk" (induction) and "no confusion" axioms, and equips the theory with a good deal of other structure which is useful when the datatype definition is recursive.

\textbf{Data Type Theory 2.3 (vm-spec)}

Component Theory: \texttt{vm-1}

Primary Type: \texttt{pre\_state}

Constructor:
make_vstate : \([\text{process} \times \text{seg} \rightarrow \text{mem}_{\text{obj}}] \times \text{process} \times \text{seg} \rightarrow \text{N}] \times \text{process} \times \text{seg} \rightarrow \text{off}] \times [	ext{mem}_{\text{obj}} \times \text{N} \rightarrow \text{word}] \rightarrow \text{pre_vstate}, \text{ with selectors:}
\alpha : [\text{pre_vstate} \rightarrow \text{process} \times \text{seg} \rightarrow \text{mem}_{\text{obj}}]]
\beta : [\text{pre_vstate} \rightarrow \text{process} \times \text{seg} \rightarrow \text{N}]]
\Lambda : [\text{pre_vstate} \rightarrow \text{process} \times \text{seg} \rightarrow \text{off}]]
\gamma : [\text{pre_vstate} \rightarrow [\text{mem}_{\text{obj}} \times \text{N} \rightarrow \text{word}]]

A \text{pre_vstate} is in effect the quadruple of its \alpha, \beta, \Lambda, \text{ and } \gamma \text{ components. Of these, } \alpha(\sigma)(p, s) \text{ is the memory object that } p \text{ has mapped in segment } s, \beta(\sigma)(p, s) \text{ is the base at which its mapped portion begins, } \Lambda(\sigma)(p, s) \text{ is the length of the mapped portion, and } \gamma(\sigma)(m, i) \text{ returns the } i \text{th word contained in } m. \n
Among the \text{pre_vstates}, we are only concerned with ones where the \alpha, \beta, \Lambda \text{ components have the same domain. We segregate them into a sort } \text{vstate}. \text{ The accessible states of our machine belong to this sort. Some work must be done to show that an operation such as } \text{map} \text{ preserves this invariant, and returns a value within the subsort } \text{vstate}. \text{ But this work must generally still be done using other approaches to formalization; in } \text{IMPS} \text{ one then benefits from the system’s ability to use sorting information effectively in reasoning about the domain and range of functions [6].}

The sort definition that follows, generated automatically by \text{IMPS}, introduces a subsort of \text{pre_vstate} named \text{vstate}. The theory being extended by this definition is \text{vm-spec}. The members of the new sort are those satisfying the predicate that follows, namely those \sigma : \text{pre_vstate} such that the conjunction of the two bulleted assertions holds true. The notation \([\text{args} \rightarrow \text{body}]\) is \text{IMPS’s presentation of the } \lambda\text{-expression } \lambda\text{args} . \text{body}. \text{ This bracket notation can be nested; for instance}
\[ x : R \mapsto [y : R \mapsto x + y] \]

represents the curried function that, given \(x\) , returns the function that adds \(x\) to its argument. The word “conjunction” preceding bulleted items should be read “The following conjunction holds;” as the word “implication” should be read “The following implication holds;” and the biconditional sign \(\iff\) should be read “The following are equivalent.”

**Sort Definition 2.4 (vstate)** Theory: \text{vm-spec}
\[ \sigma : \text{pre_vstate} \mapsto \text{conjunction} \]

1. \(\forall p : \text{process}, s : \text{seg} \quad \alpha(\sigma)(p, s) \downarrow \iff \beta(\sigma)(p, s) \downarrow \]
2. \(\forall p : \text{process}, s : \text{seg} \quad \alpha(\sigma)(p, s) \downarrow \iff \Lambda(\sigma)(p, s) \downarrow \]

**2.2 Some Auxiliary Definitions**

The following function resolves a \(p, s, o\) triple in the current vstate to an index into the memory object. In this definition, the parenthesized identifier \text{res_off} is defined to be equal to the expression which follows. In this case and most others, that expression is a function. Thus \text{res_off} is introduced as a function constant of sort \([\text{vstate} \times \text{process} \times \text{seg} \times \text{off} \rightarrow \text{N}]\). In this definition, the \(\bot \text{N}\) is a term
with no denotation, but which has syntactic sort $\mathbb{N}$. It ensures that $\text{res\_off}$ is defined only if $o < \Lambda(\sigma)(p, s)$.

**Definition 2.5 (res\_off)** Theory: vm-spec

$[\sigma : \text{vstate}, p : \text{process}, s : \text{seg}, o : \text{off} \rightarrow$

conditionally, if $o < \Lambda(\sigma)(p, s)$
- then $\beta(\sigma)(p, s) + o$
- else $\perp \mathbb{N}$.

The predicate $\text{ref\_legal}$ characterizes when an $s, o$ pair represents a legal virtual address for the process $p$. It requires that $p$ should have something mapped in segment $s$, and also that the offset $o$ is not too large.

**Definition 2.6 (ref\_legal)** Theory: vm-spec

$[\sigma : \text{vstate}, p : \text{process}, s : \text{seg}, o : \text{off} \rightarrow$

conjunction
- $\alpha(\sigma)(p, s) \downarrow$
- $o < \Lambda(\sigma)(p, s)$.

The function $\text{assign}_v$ is defined to return an altered version of the function given as its last argument $c$; the result differs in that its value for $(m, i)$ is $w$. It is used to define the store operation.

**Definition 2.7 (assign\_v)** Theory: vm-spec

$[m : \text{mem\_obj}, i : \mathbb{N}, w : \text{word}, c : \text{mem\_obj} \times \mathbb{N} \rightarrow \text{word} \rightarrow$

$[m_1 : \text{mem\_obj}, j : \mathbb{N} \rightarrow$

if $m_1 = m \land i = j$ then $w$ else $c(m_1, j)]$.

### 2.3 The Four Operations of the Specification

**The Store Operation** The definition of the store operation applies $\text{assign}_v$ to obtain the contents component $\gamma$ for the resulting state. The functions $\alpha$ and $\text{res\_off}$ are used to return the memory object and index to alter.

**Definition 2.8 (store)** Theory: vm-spec

$[\sigma : \text{vstate}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word} \rightarrow$

\[
\text{make\_vstate} : \{ \\
\alpha(\sigma), \\
\beta(\sigma), \\
\Lambda(\sigma), \\
\text{assign}_v(\alpha(\sigma)(p, s), \text{res\_off}(\sigma, p, s, o), v, \gamma(\sigma)) \\
\}.
\]

The $\text{ref}$ auxiliary function determines a user process’s view of the contents of memory. It uses $\alpha$ to determine the object referenced, and then uses $\text{res\_off}$ to retrieve an index into the object. If the object is undefined for the index, $\text{ref}$ specifies that the user process sees null-filled initialized memory. This is the behavior of Mach’s $\text{vm\_allocate}$ kernel operation [10].
Definition 2.9 (ref) Theory: vm-spec
\[ \sigma : \text{vstate}, p : \text{process}, s : \text{seg}, o : \text{off} \rightarrow \]
conditionally
\begin{itemize}
  \item if \( \gamma(\sigma)(\alpha(\sigma)(p, s), \text{res off}(\sigma, p, s, o)) \) \( \downarrow \) then \( \gamma(\sigma)(\alpha(\sigma)(p, s), \text{res off}(\sigma, p, s, o)) \)
  \item else if \( \text{ref legal}(\sigma, p, s, o) \) then \text{null word}
  \item otherwise \( \perp \text{word} \).
\end{itemize}

The ref function allows us to state a pair of correctness theorems for store, of which we will show only the first here. It states that when we reference the same location which has previously been stored, we retrieve the stored value. The omitted theorem states that when we reference a different location, we retrieve the same value that the previous state \( \sigma \) gave.

Theorem 1. (store-ref-same) Theory: vm-spec
\( \forall \sigma : \text{vstate}, p_0, p_1 : \text{process}, s_0, s_1 : \text{seg}, \alpha_0, \alpha_1 : \text{off}, v : \text{word} \rightarrow \text{implication} \)
\begin{itemize}
  \item conjunction
    \begin{itemize}
      \item \( \text{ref legal}(\sigma, p_0, s_0, \alpha_0) \)
      \item \( \text{ref legal}(\sigma, p_1, s_1, \alpha_1) \)
      \item \( \alpha(\sigma)(p_1, s_1) = \alpha(\sigma)(p_0, s_0) \)
      \item \( \text{res off}(\sigma, p_1, s_1, \alpha_1) = \text{res off}(\sigma, p_0, s_0, \alpha_0) \)
      \item \( \text{ref}(\text{store}(\sigma, p_0, s_0, \alpha_0, v), p_1, s_1, \alpha_1) = v. \)
    \end{itemize}
\end{itemize}

The Fetch Operation We have arranged that all of the four operations are formalized as functions yielding the resulting state as their values. In the case of fetch, there is of course also another relevant piece of information, namely the value communicated from virtual memory to the process executing the fetch. We treat this as a parameter to the operation. The fetch returns the current state unchanged if this parameter has the right value, and is undefined if it is wrong. Thus, the operation is like a predicate which determines whether the value is correct or incorrect.

This approach was suggested by CSP’s non-directional view of communication events (see [2, Section 4.1] for a similar example). In fact, the state machine presented here can be easily and naturally transformed into a CSP-style process description. This is desirable because it sketches a specification for an ultimately multi-threaded implementation.

Definition 2.10 (fetch) Theory: vm-spec
\[ \sigma : \text{vstate}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word} \rightarrow \]
conditionally, if \( v = \text{ref}(\sigma, p, s, o) \)
\begin{itemize}
  \item then \( \sigma \)
  \item else \( \perp \text{vstate} \).
\end{itemize}

The Unmap and Map Operations We use an auxiliary function to cause state components to become undefined for \( (p, s) \).
Definition 2.11 (free_seg) Theory: vm-spec
\[ p : \text{process}, s : \text{seg} \mapsto \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \]
\[ \text{if } p_1 = p \land s_1 = s \text{ then } \bot \text{seg } \text{else } s_1 \} \] \]

Unmap is then straightforward to define, and map is equally predictable.

Definition 2.12 (unmap) Theory: vm-spec
\[ \sigma : \text{vstate}, p : \text{process}, s : \text{seg} \mapsto \]
\[ \text{make_vstate : } \]
\[ \{ \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \alpha(\sigma)(p_1, \text{free}_\text{seg}(p, s)(p_1, s_1)) \}, \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \beta(\sigma)(p_1, \text{free}_\text{seg}(p, s)(p_1, s_1)) \}, \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \Lambda(\sigma)(p_1, \text{free}_\text{seg}(p, s)(p_1, s_1)) \} \]
\[ \}. \]

Definition 2.13 (map) Theory: vm-spec
\[ \sigma : \text{vstate}, p : \text{process}, s : \text{seg}, b : \mathbb{N}, \text{len} : \text{off}, m : \text{mem_obj} \mapsto \]
\[ \text{make_vstate : } \]
\[ \{ \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \text{if } p_1 = p \land s_1 = s \text{ then } m \text{ else } \alpha(\sigma)(p_1, s_1) \}, \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \text{if } p_1 = p \land s_1 = s \text{ then } b \text{ else } \beta(\sigma)(p_1, s_1) \}, \]
\[ \{ p_1 : \text{process}, s_1 : \text{seg} \mapsto \text{if } p_1 = p \land s_1 = s \text{ then len } e \text{ else } \Lambda(\sigma)(p_1, s_1) \} \]
\[ \}. \]

3 A Rudimentary Implementation

3.1 Preliminaries: Page Offsets and Page-aligned Addresses

The function align returns the largest page-aligned address less than its argument i, while p returns the difference between i and the page-aligned value. A variety of arithmetical lemmas about these were proved. The sort of page aligned natural numbers is introduced as the set of natural numbers i such that align(i) = i. 0 was provided to IMPS as witness that this set is non-empty.

Definition 3.1 (rho) Theory: vm-spec
\[ i : \mathbb{N} \mapsto \]
\[ i \text{ mod pagesize} \].

Definition 3.2 (align) Theory: vm-spec
\[ i : \mathbb{N} \mapsto \]
\[ \text{div}(i, \text{pagesize}) \cdot \text{pagesize} \].

Sort Definition 3.3 (aligned) Theory: vm-spec
\[ i : \mathbb{N} \mapsto \]
\[ \text{align}(i) = i \].
3.2 The State of the Implementation

The following BNF form introduces another tuple type. Here, one component of the tuple is an embedded `vstate`. The other two components represent a global page table \( \pi \) (defined only for page-aligned indices) and a store \( \mu \).

**Data Type Theory 3.4 (vm-impl)**

Component Theory: `vm-spec`

Primary Type: `pre_jstate`

Constructor:

\[
\begin{align*}
\text{make_jstate} & : [\text{vstate} \times [\text{mem_obj} \times \text{aligned} \rightarrow \text{page}] \times [\text{page} \times \text{N} \rightarrow \text{word}] \rightarrow \text{pre_jstate}], \text{with selectors:} \\
\text{vsig} & : [\text{pre_jstate} \rightarrow \text{vstate}] \\
\pi & : [\text{pre_jstate} \rightarrow [\text{mem_obj} \times \text{aligned} \rightarrow \text{page}]] \\
\mu & : [\text{pre_jstate} \rightarrow [\text{page} \times \text{N} \rightarrow \text{word}]]
\end{align*}
\]

The implementation state obeys a crucial invariant, namely that \( \pi(\sigma_i) \) has an injective function as its value. If this were not the case, then when we altered a single location in physical store, we would in effect have changed more than one abstract memory object location. Hence, in that case the implementation store operation would be unfaithful. We canonize this invariant in the definition of the sub-sort `istate`.

**Sort Definition 3.5 (istate) Theory: vm-impl**

\[
[\sigma_i : \text{pre_jstate} \Rightarrow \\
\forall m_0, m_1 : \text{mem_obj}, a_0, a_1 : \text{aligned s.t. } \pi(\sigma_i)(m_0, a_0) = \pi(\sigma_i)(m_1, a_1), \\
\text{conjunction} \\
\quad \bullet m_0 = m_1 \\
\quad \bullet a_0 = a_1].
\]

*The Abstraction Function.* Suppose \( m \) is a memory object and \( i \) is an index into it. We regard \( \langle m, i \rangle \) as resident in physical store in state \( \sigma_i \) when \( \langle m, \text{align}(i) \rangle \) is in the domain of the function \( \pi(\sigma_i) \).

**Definition 3.6 (resident) Theory: vm-impl**

\[
[\sigma_i : \text{istate}, m : \text{mem_obj}, i : \text{N} \Rightarrow \\
\pi(\sigma_i)(m, \text{align}(i)) \downarrow].
\]

To determine the abstract contents of memory objects determined by an implementation state \( \sigma_i \), we combine physical store with the disk copies. If an address is resident, then \( \pi \) and \( \mu \) determine its current value. Otherwise, the contents function \( \gamma \) of the embedded `vstate` determines its value.

**Definition 3.7 (gamma_abstr) Theory: vm-impl**

\[
[\sigma_i : \text{istate} \Rightarrow \\
[ m : \text{mem_obj}, i : \text{N} \Rightarrow \\
\quad \text{if resident}(\sigma_i, m, i) \text{ then } \mu(\sigma_i)(\pi(\sigma_i)(m, \text{align}(i)), \rho(i)) \text{ else } \gamma(\text{vsig}(\sigma_i))(m, i) ]].
\]
The abstraction function modifies the embedded vstate to use $\gamma_{\text{abstr}}$ in place of $\gamma$.

**Definition 3.8 (abstr)** Theory: vm-impl

$[\sigma_i : \text{istate} \mapsto$

\[\begin{align*}
&\text{let } \sigma : \text{vstate be } \text{vsig}(\sigma_i) \text{ in} \\
&\left\{ \begin{array}{l}
\alpha(\sigma), \\
\beta(\sigma), \\
\Lambda(\sigma), \\
\gamma_{\text{abstr}}(\sigma_i) \end{array} \right. \\
&\text{make_vstate :} \\
\end{align*} \]

$]$. 

### 3.3 The Operations Supported by the Implementation

The map and unmap operations remain essentially unchanged in the implementation, and will be omitted from this presentation to save space. The page-out and page-in operations may occur freely at any time; page-in enables ifetch and istore to occur, as the latter two are possible only if the target address is resident in the store.

**The Istore Operation** To define istore, we define an assignment function for physical store, as well as some auxiliaries to package up address translation.

**Definition 3.9 (assign)** Theory: vm-impl

$[p : \text{page}, i : \mathbb{N}, w : \text{word}, c : \text{page} \times \mathbb{N} \rightarrow \text{word} \mapsto$

\[\begin{align*}
&[p_1 : \text{page}, j : \mathbb{N} \mapsto \\
&\quad \text{if } p_1 = p \land i = j \text{ then } w \text{ else } c(p_1, j)]]. \\
\end{align*} \]

**Definition 3.10 (va_to_page)** Theory: vm-impl

$[\sigma_i : \text{istate}, p : \text{process}, s : \text{seg}, o : \text{off} \mapsto$

\[\begin{align*}
&\text{let } \sigma : \text{vstate be } \text{vsig}(\sigma_i) \text{ in} \\
&\quad \pi(\sigma_i)(\alpha(\sigma)(p, s), \text{align}(\text{res_off}(\sigma_i, p, s, o)))]. \\
\end{align*} \]

**Definition 3.11 (va_resident)** Theory: vm-impl

$[\sigma_i : \text{istate}, p : \text{process}, s : \text{seg}, o : \text{off} \mapsto$

\[\begin{align*}
&\text{va_to_page}(\sigma_i, p, s, o) \downarrow]. \\
\end{align*} \]

**Definition 3.12 (va_res_off)** Theory: vm-impl

$[\sigma_i : \text{istate}, p : \text{process}, s : \text{seg}, o : \text{off} \mapsto$

\[\begin{align*}
&\rho(\text{res_off}(\text{vsig}(\sigma_i), p, s, o))]. \\
\end{align*} \]

**Definition 3.13 (istore)** Theory: vm-impl

$[\sigma_i : \text{istate}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word} \mapsto$

\[\begin{align*}
&\text{make_istate(}\text{vsig}(\sigma_i), \\
&\quad \pi(\sigma_i), \\
&\quad \text{assign}_i(\text{va_to_page}(\sigma_i, p, s, o), \text{va_res_off}(\sigma_i, p, s, o), v, \mu(\sigma_i)))]. \\
\end{align*} \]

The first of the main refinement theorems is shown in Figure 2.
**Theorem 2. (istore-impl-correct)** Theory: vm-impl
\[ \forall \sigma_i : \text{state}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word} \]
\[ s.t. \text{ varesident}(\sigma_i, p, s, o), \]
\[ \text{abstr(istore}(\sigma_i, p, s, o, v)) = \text{store(abstr}(\sigma_i), p, s, o, v). \]

**Fig. 2. Safety Theorem for istore Operation**

**The Ifetch Operation** The implementation function iref is conceptually similar to ref, but references physical store rather than abstract memory objects. It uses the virtual-to-physical address translations defined above. At this abstraction level, physical store is not viewed as being truly initialized to a null value; rather, iref manipulates the way that a user process sees it. Initialized physical store can be justified in a further refinement step using methods like those described in this paper.

**Definition 3.14 (iref)** Theory: vm-impl
\[ [\sigma_i : \text{state}, p : \text{process}, s : \text{seg}, o : \text{off} \Rightarrow \]
\[ \text{let } pg : \text{page be } \text{va_to_page}(\sigma_i, p, s, o) \text{ and } i : N \text{ be } \text{va_res_off}(\sigma_i, p, s, o) \text{ in} \]
\[ \text{conditionally, if } \mu(\sigma_i)(pg, i) \downarrow \]
\[ \bullet \text{ then } \mu(\sigma_i)(pg, i) \]
\[ \bullet \text{ else null_word}. \]

**Definition 3.15 (ifetch)** Theory: vm-impl
\[ [\sigma_i : \text{state}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word} \Rightarrow \]
\[ \text{conditionally, if } v = \text{iref}(\sigma_i, p, s, o) \]
\[ \bullet \text{ then } \sigma_i \]
\[ \bullet \text{ else } \_\text{Listate}. \]

**Fig. 3. Safety Theorem for ifetch Operation**

The second main refinement theorem is shown in Figure 3.

**The Paging Operations** The operation to page in data from a memory object transfers one page's worth of words, starting at a page-aligned address \( a \), from the permanent memory object to physical store. The function \( \text{page_at} \) returns
a function that, when applied to a natural number $i$ less than the page size, retrieves the word at location $a + i$. This function determines the behavior of physical store after a page has been brought in.

**Definition 3.16 (page.at)** Theory: vm-impl

$[\sigma_i : \text{istate}, m : \text{mem}_\text{obj}, a : \text{aligned} \Rightarrow$

$[i : \mathbb{N} \Rightarrow$

$\text{if } i < \text{pagesize then } \gamma(\text{vsig}(\sigma_i))(m, a + i) \text{ else } \bot \text{word}]]$.

To retrieve a page of data, the target page frame must be free, and the data must not yet be resident. If the former failed, the page table might no longer be injective, while if the latter failed, it might no longer be a functional relation. We have omitted the series of definitions that introduces page.free for the sake of space; however,

$\text{page.free}(\sigma_i, p) \iff \neg(\exists m : \text{mem}_\text{obj}, a : \text{aligned} \ \pi(\sigma_i)(m, a) = p)$.

**Definition 3.17 (page.in.guard)** Theory: vm-impl

$[\sigma_i : \text{istate}, p : \text{page}, m : \text{mem}_\text{obj}, a : \text{aligned} \Rightarrow$

conjunction

- $\text{page.free}(\sigma_i, p)$
- $\neg(\text{resident}(\sigma_i, m, a))$]]$.

The page.in operation must update the page table $\pi$ to map the abstract memory to $p$, and it must update physical store $\mu$ at $p$ to reflect the contents of the page’s worth of data being transferred.

**Definition 3.18 (page.in)** Theory: vm-impl

$[\sigma_i : \text{istate}, p : \text{page}, m : \text{mem}_\text{obj}, a : \text{aligned} \Rightarrow$

conditionally, if $\text{page.in.guard}(\sigma_i, p, m, a)$

- $\text{then make.istate(\text{vsig}(\sigma_i))}$,

$[m_1 : \text{mem}_\text{obj}, a_1 : \text{aligned} \Rightarrow \text{if } m_1 = m \land a_1 = a \text{ then } p \text{ else } \pi(\sigma_i)(m_1, a_1)]$;

$[p_1 : \text{page}, i : \mathbb{N} \Rightarrow \text{if } p_1 = p \text{ then } \text{page.at(\sigma_i, m, a)(i) else } \mu(\sigma_i)(p_1, i)]$)

- $\text{else } \bot \text{istate}]]$.

**Theorem 4. (page.in-impl-correctness)** Theory: vm-impl

$\forall \sigma_i : \text{istate}, p : \text{page}, m : \text{mem}_\text{obj}, a : \text{aligned}$

$s. t. \ \text{page.in.guard}(\sigma_i, p, m, a)$,

$\text{abstr(\text{page.in}(\sigma_i, p, m, a))) = \text{abstr}(\sigma_i)$.

**Fig. 4. Safety Theorem for page.in**

The safety theorem for page.in, which does not implement any abstract operation, states that it is an abstract no-op (Figure 4).
The *page-out* operation is similar to the *page-in* operation, except that it must instead flush a page’s worth of data from physical store back out to disk. The page table is modified to mask out the entry for the newly flushed page. To save space, we will not present the details here.

### 3.4 Liveness of the Implementation

To state and prove the liveness theorems, we introduce the operating system notion of a paging strategy. We extend the language of *vm-impl* with two function constants. One, \textit{selected\_page}, returns the page frame which the operating system would select as target for a *page\_in* operation in the current state. It is assumed that this is a free page, whenever there is any free page at all. The other, \textit{rejected\_page}, returns the page frame which the operating system would flush during a *page\_out* operation in the current state. It is assumed never to return a free page as its value, and to be well-defined whenever the state has a page frame in use. These assumptions are formalized in *vm-impl*.

#### Language 3.19 (vm-impl+-language)

Embedded language: *vm-impl*

Constants: \textit{selected\_page} : [istate \rightarrow page] \hspace{0.5cm} \textit{rejected\_page} : [istate \rightarrow page]

<table>
<thead>
<tr>
<th>Component theory: vm-impl</th>
</tr>
</thead>
<tbody>
<tr>
<td>Top level axioms:</td>
</tr>
<tr>
<td>\textit{rejected_page_unfree} \forall \sigma_i : istate \quad \neg(\text{page_free}(\sigma_i, \text{rejected_page}(\sigma_i))).</td>
</tr>
<tr>
<td>\textit{rejected_page_defined} \forall \sigma_i : istate \quad \exists p : page \quad \neg(\text{page_free}(\sigma_i, p)),</td>
</tr>
<tr>
<td>\textit{selected_page_free} \forall \sigma_i : istate \quad \exists p : page \quad \text{page_free}(\sigma_i, p),</td>
</tr>
<tr>
<td>\text{page_free}(\sigma_i, \text{selected_page}(\sigma_i)).</td>
</tr>
</tbody>
</table>

---

**Fig. 5.** Components and axioms for vm-impl+

### Theory 3.20 (vm-impl+)

Language: *vm-impl+-language*

Component Theories and Axioms: See Figure 5.

#### Definition 3.21 (maybe\_flush) Theory: vm-impl+

[\sigma_i : istate \rightarrow 

conditionally, if \(\exists p : page \quad \text{page\_free}(\sigma_i, p)\)

- then \(\sigma_i\)
- else page\_out(\(\sigma_i, \text{rejected\_page}(\sigma_i)\)).]
We give the following definition in \( \beta \)-unreduced form because it is a little more compact and maybe clearer; in the \textit{else} clause, \( \sigma_j \) takes the value \( \text{maybe\_flush}(\sigma_i) \).

**Definition 3.22 (maybe\_page\_in)** Theory: \( \text{vm\_impl}\+)

\[
[\sigma_i : \text{istate}, m : \text{mem\_obj}, a : \text{aligned} \Rightarrow
\begin{align*}
\text{conditionally, if } & \text{resident}(\sigma_i, m, a) \\
\text{then } & \sigma_i \\
\text{else } & [\sigma_j : \text{istate} \Rightarrow \text{page\_in}(\sigma_j, \text{selected\_page}(\sigma_j), m, a) | \text{maybe\_flush}(\sigma_i)]
\end{align*}
\]

We now state the last two main refinement theorems, the liveliness theorems for \( \text{istore} \) and \( \text{ifetch} \). Each of them asserts that the operation commutes with \text{abstr}, after any necessary paging activity has been performed. That is, if \( \sigma_j \) results from \( \sigma_i \) by maybe paging in the required data (which in turn may require flushing a page frame), then

\[
\text{abstr}(h(\sigma_j)) \simeq g(\text{abstr}(\sigma_i))
\]

where \( h \) is the implementation operation (for the chosen parameters), and \( g \) is the specification operation (for the same parameters). Again, the \( \simeq \) sign here means quasi-equivalence; the formula is true if the left and right hand sides have the same value or lack thereof. Hence, the liveliness theorem entails that when the specification operation \( g \) can occur, then the implementation operation \( h \) can also occur, although possibly after the paging activity. This is the main content added to the safety theorems (Theorems 2 and 3), which are used as lemmas in the proofs of the liveliness theorems.

In the local definition of \( \sigma_j \), the term \( \alpha(vsig(\sigma_i))(p, s) \) selects the permanent memory object that references to the virtual address \( \langle p, s \rangle \) concern. The term \( \text{align}(\text{res\_off}(vsig(\sigma_i), p, s, o)) \) returns the page-aligned address immediately preceding the resolved offset into the object.

**Theorem 5. (istore\_liveness\_theorem)** Theory: \( \text{vm\_impl}\+)

\[
\forall \sigma_j : \text{istate}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word}
\begin{align*}
\text{let } & \sigma_j : \text{istate} \\
& \text{be } \text{maybe\_page\_in}(\sigma_i, \alpha(vsig(\sigma_i))(p, s), \text{align}(\text{res\_off}(vsig(\sigma_i), p, s, o))) \text{ in} \\
& \text{abstr}(\text{istore}(\sigma_j, p, s, o, v)) \simeq \text{store}(\text{abstr}(\sigma_i), p, s, o, v).
\end{align*}
\]

**Theorem 6. (ifetch\_liveness\_theorem)** Theory: \( \text{vm\_impl}\+)

\[
\forall \sigma_j : \text{istate}, p : \text{process}, s : \text{seg}, o : \text{off}, v : \text{word}
\begin{align*}
\text{let } & \sigma_j : \text{istate} \\
& \text{be } \text{maybe\_page\_in}(\sigma_i, \alpha(vsig(\sigma_i))(p, s), \text{align}(\text{res\_off}(vsig(\sigma_i), p, s, o))) \text{ in} \\
& \text{abstr}(\text{ifetch}(\sigma_j, p, s, o, v)) \simeq \text{fetch}(\text{abstr}(\sigma_i), p, s, o, v).
\end{align*}
\]

**Fig. 6.** Liveness Theorems for \( \text{istore} \) and \( \text{ifetch} \)
3.5 Conclusion

These theorems establish that the implementation is a refinement of the specification. More specifically, every computation of the abstract machine corresponds to a computation of the implementation, and conversely. We have not yet, however, formalized and derived this theorem about computations within IMPS.

The paper was intended to demonstrate a style for specifying and, at least for the initial stages, verifying refinements of a virtual memory system. A realistic verification of a virtual memory system requires many additional ingredients. In particular, issues of concurrency are unavoidably raised; an operating system must schedule a different process when one process takes a page fault and waits for paging to complete. As a consequence, the state at the time that a paging operation completes may differ in other ways from the state at the time it began. Thus, an element of non-determinism arises. In Mach, our primary focus, the multi-threaded character of the kernel ensures that other concurrency control issues also arise.

Nevertheless, state information is indispensable in characterizing the behavior of an operating system, and we believe that these refinement techniques play a crucial role in the state-oriented aspects of providing a reliable, rigorously understood computing system.

Acknowledgment. I am deeply grateful to Bill Farmer and Javier Thayer, my colleagues in developing IMPS.

References

and Carnegie-Mellon University.
Foundation, Cambridge, MA, July 1992. Jointly copyright by Open Software Found-
dation and Carnegie-Mellon University.
12. Elliott I. Organick. The Multics System: An Examination of its Structure. The
# Table of Contents

1 Introduction .......................................................... 1

2 Virtual Memory Specification ........................................... 6
   2.1 Basic Vocabulary and State Definition ............................. 6
   2.2 Some Auxiliary Definitions .......................................... 8
   2.3 The Four Operations of the Specification ............................ 9
      The Store Operation ................................................. 9
      The Fetch Operation ............................................... 10
      The Unmap and Map Operations ..................................... 10

3 A Rudimentary Implementation .......................................... 11
   3.1 Preliminaries: Page Offsets and Page-aligned Addresses .......... 11
   3.2 The State of the Implementation .................................... 12
   3.3 The Operations Supported by the Implementation ................... 13
      The Istore Operation .............................................. 13
      The Ifetch Operation ............................................. 14
      The Paging Operations ............................................ 14
   3.4 Liveness of the Implementation ..................................... 16
   3.5 Conclusion .......................................................... 18

This article was processed using the \LaTeX\ macro package with LLNCS style