Verifying Time Partitioning in the DEOS Scheduling Kernel

Published: 01 March 2005

Abstract

This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking with minimal abstraction could be used to find a subtle implementation error that was originally discovered and fixed during the standard formal review process. The experiment involved translating a core slice of the DEOS scheduling kernel from C++ into Promela, constructing an abstract "test-driver" environment and carefully introducing several abstractions into the system to support verification. Attempted verification of several properties related to time partitioning led to the rediscovery of the known error in the implementation. The case study indicated several limitations in existing tools to support model checking of software. The most difficult task in the original DEOS experiment was constructing an adequate environment to close the system for verification. The fidelity of the environment was of crucial importance for achieving meaningful results during model checking. In this paper, we describe the initial environment modeling effort and a follow-on experiment with using semi-automated environment generation methods. Program abstraction techniques were also critical for enabling verification of DEOS. We describe an implementation scheme for predicate abstraction, an approach based on abstract interpretation, which was developed to support DEOS verification.




Published In

Formal Methods in System Design, Volume 26, Issue 2 (March 2005), 141 pages

Publisher

Kluwer Academic Publishers, United States

Author Tags

  1. predicate abstraction
  2. program model checking
  3. spin
  4. time partitioning
  5. verification

Qualifiers

  • Article


Cited By

  • (2023) Formal Specification, Verification and Repair of Contiki’s Scheduler. ACM Transactions on Cyber-Physical Systems 7(4):1-28. doi:10.1145/3605948. Online publication date: 14-Oct-2023
  • (2017) A survey on formal specification and verification of separation kernels. Frontiers of Computer Science: Selected Publications from Chinese Universities 11(4):585-607. doi:10.5555/3128671.3128681. Online publication date: 1-Aug-2017
  • (2016) Cloud-Based Verification of Concurrent Software. Proceedings of the 17th International Conference on Verification, Model Checking, and Abstract Interpretation, Volume 9583, pp. 311-327. doi:10.1007/978-3-662-49122-5_15. Online publication date: 17-Jan-2016
  • (2015) Efficient safety checking for automotive operating systems using property-based slicing and constraint-based environment generation. Science of Computer Programming 103:C, pp. 51-70. doi:10.1016/j.scico.2014.10.006. Online publication date: 1-Jun-2015
  • (2014) Survey on test data generation tools. International Journal on Software Tools for Technology Transfer (STTT) 16(6):727-751. doi:10.1007/s10009-013-0272-3. Online publication date: 1-Nov-2014
  • (2012) Model checking of OSEK/VDX OS design model based on environment modeling. Proceedings of the 9th International Conference on Theoretical Aspects of Computing, pp. 183-197. doi:10.1007/978-3-642-32943-2_15. Online publication date: 24-Sep-2012
  • (2010) Automatic generation of model checking scripts based on environment modeling. Proceedings of the 17th International SPIN Conference on Model Checking Software, pp. 58-75. doi:10.5555/1928137.1928144. Online publication date: 27-Sep-2010
  • (2009) Software model checking. ACM Computing Surveys 41(4):1-54. doi:10.1145/1592434.1592438. Online publication date: 9-Oct-2009
  • (2008) Experience applying the SPIN model checker to an industrial telecommunications system. Proceedings of the 30th International Conference on Software Engineering, pp. 693-702. doi:10.1145/1368088.1368187. Online publication date: 15-May-2008
  • (2008) Tackling Large Verification Problems with the Swarm Tool. Proceedings of the 15th International Workshop on Model Checking Software, pp. 134-143. doi:10.1007/978-3-540-85114-1_11. Online publication date: 10-Aug-2008
