State and history in operating systems

A method of using recursive functions to describe state change is applied to process switching in UNIX-like operating systems.

💡 Research Summary

The paper presents a formal, mathematically rigorous approach to modeling and reasoning about process switching in UNIX‑like operating systems. It begins by dissecting the classic V6 UNIX switch routine, which consists of a call to save() that captures the current process’s context and returns 1, followed by a conditional call to resume(next) that restores the state of another process and transfers control. The author treats this “save‑resume” pair as two atomic events and builds a recursive, event‑sequence based representation of the entire system state.

The core abstraction is an event sequence w, representing the history of events that have occurred up to the current moment. The operator w ⊕ a denotes the sequence obtained by appending a new event a. Using this notation, the paper defines a hierarchy of state‑dependent functions: simple counters such as Count(w), location descriptors Loc(w; p) = (CFunc(w; p), CLine(w; p)) that give the current function and line number for process p, and variable accessors V(w; p; x) that return the value of variable x in the context of p. These functions are defined recursively, allowing the author to express complex properties of the system without enumerating the full state space.

Two key propositions formalize the desired behavior of the switch code. Proposition 1.1 (safety) asserts that any path from the entry point of a switch to its exit must be decomposable into sub‑paths that respect the intermediate “switch” states, guaranteeing that a process that initiates a switch will eventually return to a well‑defined state. Proposition 2.1 (liveness) introduces a bound t_switch and requires that the time elapsed between the start of a switch and the moment the target process becomes runnable does not exceed this bound; otherwise the system could deadlock. Proposition 2.2 (non‑shared state preservation) ensures that variables classified as non‑shared remain unchanged throughout the switch operation, which is essential for correctness when both shared and private data coexist.

To make these propositions concrete, the paper assumes a suite of low‑level primitives: Reg(w; c; r) for the content of register r on core c, Mem(w; c; ℓ) for memory location ℓ on core c, and derived predicates such as Running(w; p), Ready(w; p), and ValidProcess(w; p). Time is captured by a function Time(w), and a waiting time accumulator Waiting(w; p) is defined so that a system is considered “live” if Waiting(w; p) < t_live for all processes. These definitions allow the author to express and verify temporal properties without needing an exhaustive enumeration of all possible states.

The paper then extends the model to multi‑core parallelism. It acknowledges that registers and memory may differ across cores and that events can occur concurrently. An abstract process model f is introduced, with three mutually exclusive states: Running, `Waiting