
    Peter Mehlitz

    ABSTRACT
    The Real Time Specification for Java (RTSJ) is an augmentation of Java for real-time applications of various degrees of hardness. Its central features are real-time threads; user-defined schedulers; asynchronous events, handlers, and control transfers; a priority-inheritance-based default scheduler; non-heap memory areas such as immortal and scoped memory; and non-heap real-time threads whose execution is not impeded by garbage collection. The Robust Software Systems group at NASA Ames Research Center is developing Java PathFinder (JPF), a Java model checker. At its core, JPF is a state-exploring Java virtual machine (JVM) that examines alternative paths through a Java program (e.g., via backtracking) by trying all nondeterministic choices, including thread scheduling order. This paper describes our implementation of an RTSJ profile (subset) in JPF, including requirements, design decisions, and current implementation status. Two examples are anal...
    We present jpf-hmi, a Java Pathfinder (JPF) extension that supports the description and analysis of human machine interaction (HMI) systems. The extension is built on top of jpf-statechart, but differentiates between events in terms of commands, observations and internal actions, as it is typical in the HMI domain. jpf-hmi implements two algorithms for generating concise system models for human operators. It also supports the detection of several types of HMI-specific anomalies known as “automation surprises”, such as non full-control determinism and mode confusion. These capabilities are provided in addition to the existing more generic property verification that is supported by JPF, and which can also be applied to HMI systems.
    In recent years there has been an increasing move towards analyzing software programs with the aid of model checking. In this tutorial we will focus on one of the first model checkers developed specifically for analyzing programs, Java PathFinder (JPF). JPF was awarded ...
    Completed design and implementation are often regarded as prerequisites of any verification. While recent development methods establish testability as a design criterion, there is no corresponding design support for other verification methods like model checking and static analysis. Since these methods have inherent scalability problems, their application becomes more difficult where it is most needed - for complex systems. Our
    ABSTRACT Strategies to achieve confidence that high-dependability applications are correctly implemented include testing and automated verification. Testing deals mainly with a limited number of expected execution paths. Verification usually attempts to deal with a larger number of possible execution paths. While the impact of architecture design on testing is well known, its impact on most verification methods is not as well understood. The Design for Verification approach considers verification from the application development perspective, in which system architecture is designed explicitly according to the application's key properties. The D4V-hypothesis is that the same general architecture and design principles that lead to good modularity, extensibility and complexity/functionality ratio can be adapted to overcome some of the constraints on verification tools, such as the production of hand-crafted models and the limits on dynamic and static analysis caused by state space explosion.
    ABSTRACT Hardware faults caused by radiation-induced Single Event Effects (SEEs) are a serious issue in space flight, especially for scientific missions in earth orbits crossing the poles or the South Atlantic Anomaly. Traditionally, SEEs are treated as a hardware problem, mitigated for example by radiation-hardened processors and shielding. Rad-hardened processors are expensive, lag COTS technology by roughly a decade in performance, have a larger form factor and require more power. Shielding is ineffective against high-energy particles and increases launch weight. Hardware approaches cannot dynamically adapt protection levels to different radiation scenarios depending on solar activity and flight phase. Future hardware will exacerbate the problem due to higher chip densities and lower power levels. An alternative approach is to use software to mitigate SEEs. This "Radiation Hardened Software" (RHS) approach has two components.
    (1) RHS library and application design guidelines. To increase robustness, we combine SEE countermeasures in three areas: prevention and detection; recovery; and reconfiguration. Prevention and detection includes an application- and heap-aware memory scanner, and dynamically adapted software Error Correction Codes to handle cache and multi-bit errors. Recovery mechanisms include exception firewalls and transaction-based software design patterns to minimize data loss. Reconfiguration includes a heap manager that avoids damaged memory areas.
    (2) Software-based SEE simulation. Probabilistic effects require extensive simulation, with test environments that do not require the original flight hardware and can simulate various SEE profiles. We use processor emulation software, interfaced to a debugger, to analyze SEE propagation and optimize RHS mechanisms. The simulator runs unmodified binary flight code, allows injecting randomized transient and permanent memory errors, and provides execution traces and precise failure reproduction.
    The goal of RHS is to verify that effective SEE software countermeasures are implementable at reasonable runtime cost, enabling use of more COTS hardware with significant performance gains for science applications.
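    To make the prevention-and-detection part of the abstract concrete, the following added example (written for this page, not code from the RHS library or the paper) implements a software SECDED code for 8-bit values, a scrubbing memory scanner that rewrites corrected words before a second upset can make them uncorrectable, and a fault-injection helper that flips bits the way the simulator would. The names `encode`, `decode`, `scrub`, `inject` and `demo`, the 13-bit Hamming-plus-parity layout, and the sample memory contents are all assumptions of this example; the abstract does not say which code RHS uses.

```python
import random

DATA_BITS = 8
PARITY_POS = (1, 2, 4, 8)                 # Hamming check bits sit at power-of-two positions
TOTAL = DATA_BITS + len(PARITY_POS)       # positions 1..12; bit 0 holds the overall parity
DATA_POS = [p for p in range(1, TOTAL + 1) if p & (p - 1)]  # non-powers of two carry data


def encode(data):
    """Return a 13-bit SECDED code word (Hamming + overall parity) for an 8-bit value."""
    bits = [0] * (TOTAL + 1)
    for i, pos in enumerate(DATA_POS):
        bits[pos] = (data >> i) & 1
    for p in PARITY_POS:
        # each check bit makes the XOR of every position sharing that bit even
        bits[p] = sum(bits[pos] for pos in range(1, TOTAL + 1) if pos & p and pos != p) & 1
    bits[0] = sum(bits[1:]) & 1           # overall parity turns SEC into SECDED
    return sum(b << i for i, b in enumerate(bits))


def decode(code):
    """Return (data, status); status is 'clean', 'corrected' or 'uncorrectable'.
    A single flipped bit (any position, parity included) is corrected; any two
    flipped bits are detected and reported with data=None."""
    bits = [(code >> i) & 1 for i in range(TOTAL + 1)]
    syndrome = 0
    for p in PARITY_POS:
        if sum(bits[pos] for pos in range(1, TOTAL + 1) if pos & p) & 1:
            syndrome |= p                 # the syndrome spells out the failing position
    overall = sum(bits) & 1
    if syndrome == 0 and overall == 0:
        status = "clean"
    elif overall == 1 and syndrome <= TOTAL:
        bits[syndrome] ^= 1               # syndrome 0 here means bit 0 (overall parity) flipped
        status = "corrected"
    else:
        return None, "uncorrectable"      # even parity but non-zero syndrome: two bits hit
    data = sum(bits[pos] << i for i, pos in enumerate(DATA_POS))
    return data, status


def scrub(memory):
    """One scanner pass over a list of code words (mutated in place): re-check
    every word, rewrite the ones that were corrected, and report the counts."""
    report = {"clean": 0, "corrected": 0, "uncorrectable": 0}
    for i, code in enumerate(memory):
        data, status = decode(code)
        report[status] += 1
        if status == "corrected":
            memory[i] = encode(data)      # restore redundancy before the next upset
    return report


def inject(memory, index, positions):
    """Fault-injection stand-in for an SEE: flip the given bit positions of one word."""
    for b in positions:
        memory[index] ^= 1 << b


def demo(seed=1):
    """Constructed scenario: four protected words, one single-bit and one
    double-bit upset, then a scrub pass. Returns the scrub report and the data
    read back afterwards (None where the word could not be recovered)."""
    rng = random.Random(seed)
    memory = [encode(v) for v in (0x00, 0xA5, 0xFF, 0x3C)]   # constructed contents
    inject(memory, 1, [rng.randrange(TOTAL + 1)])           # single transient upset
    inject(memory, 3, rng.sample(range(TOTAL + 1), 2))      # multi-bit upset in one word
    report = scrub(memory)
    return report, [decode(c)[0] for c in memory]


if __name__ == "__main__":
    print(demo())
```

    The double-bit case is what the abstract's "multi-bit errors" concern reduces to for a single protected word: the code cannot repair it, but it must never silently return wrong data, which is why `decode` returns `None` rather than the garbage the syndrome would point at. Scrubbing frequency, not code strength, is what keeps two independent single upsets in one word from accumulating into that case.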
    Components are mainly used in commercial software development to reduce time to market. While some effort has been spent on formal aspects of components, most of this was done in the context of integration into programming languages or operating system frameworks. As a consequence, increased reliability of composed systems is merely regarded as a side effect of a more rigid testing of pre-fabricated components. In contrast to this, Design for Verification (D4V) puts the focus on component specific property guarantees, which are used to design systems with high reliability requirements. D4V components are domain specific design pattern instances with well-defined property guarantees and usage rules, which are suitable for automatic verification. The guaranteed properties are explicitly used to select components according to key system requirements. The D4V hypothesis is that the same general architecture and design principles leading to good modularity, extensibility and complexity/f...
    ABSTRACT Symbolic PathFinder (SPF) is a software analysis tool that combines symbolic execution with model checking for automated test case generation and error detection in Java bytecode programs. In SPF, programs are executed on symbolic inputs representing multiple concrete inputs and the values of program variables are represented by expressions over those symbolic inputs. Constraints over these expressions are generated from the analysis of different paths through the program. The constraints are solved with off-the-shelf solvers to determine path feasibility and to generate test inputs. Model checking is used to explore different symbolic program executions, to systematically handle aliasing in the input data structures, and to analyze the multithreading present in the code. SPF incorporates techniques for handling input data structures, strings, and native calls to external libraries, as well as for solving complex mathematical constraints. We describe the tool and its application at NASA, in academia, and in industry.
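    The loop the abstract describes (execute the program on symbolic inputs, extend the path condition at every branch, ask a solver whether the path is still feasible, and turn the solution into a concrete test input) fits in a few dozen lines. The following is an added example written for this page, not Symbolic PathFinder code: the `Sym`, `Explorer`, `explore` and `program` names are made up here, the target `program` is a constructed stand-in for the Java bytecode SPF analyzes, and bounded enumeration over a small integer domain stands in for the off-the-shelf constraint solver SPF would call. Alternative paths are explored JPF-style by re-running the target with a forced prefix of branch decisions, which is the backtracking the abstract refers to.

```python
from itertools import product


class Sym:
    """A symbolic integer: an expression over the named inputs, kept as a closure
    (for evaluation against a concrete assignment) plus a printable form."""
    engine = None                       # the Explorer currently driving execution

    def __init__(self, fn, text):
        self.fn, self.text = fn, text

    @staticmethod
    def lift(v):
        return v if isinstance(v, Sym) else Sym(lambda env, c=v: c, str(v))

    def _bin(self, other, op, sym):
        o = Sym.lift(other)
        return Sym(lambda env: op(self.fn(env), o.fn(env)), f"({self.text} {sym} {o.text})")

    def __add__(self, o): return self._bin(o, lambda a, b: a + b, "+")
    def __sub__(self, o): return self._bin(o, lambda a, b: a - b, "-")
    def __gt__(self, o):  return self._bin(o, lambda a, b: a > b, ">")
    def __lt__(self, o):  return self._bin(o, lambda a, b: a < b, "<")
    def __eq__(self, o):  return self._bin(o, lambda a, b: a == b, "==")

    def __bool__(self):
        # Every `if` on a symbolic condition becomes a choice point for the explorer.
        return Sym.engine.branch(self)


class Infeasible(Exception):
    """Raised to abandon a path whose condition has no solution."""


class Explorer:
    def __init__(self, names, domain):
        self.names, self.domain = names, domain
        self.forced = []                # decisions replayed from an earlier run
        self.taken = []                 # (condition, outcome) pairs of this run

    def branch(self, cond):
        depth = len(self.taken)
        outcome = self.forced[depth] if depth < len(self.forced) else True
        self.taken.append((cond, outcome))
        if self.solve() is None:        # path condition became unsatisfiable: prune
            raise Infeasible()
        return outcome

    def condition(self):
        return " and ".join(c.text if o else f"not {c.text}" for c, o in self.taken) or "true"

    def solve(self):
        """Stand-in for an SMT solver: bounded enumeration of the input domain."""
        for vals in product(self.domain, repeat=len(self.names)):
            env = dict(zip(self.names, vals))
            if all(c.fn(env) == o for c, o in self.taken):
                return env
        return None


def explore(program, names, domain=range(-8, 9)):
    """Enumerate every feasible path of `program`. Returns a list of
    (path condition, concrete test input, return value) and the number of
    infeasible paths pruned."""
    results, pruned, worklist = [], 0, [[]]
    while worklist:
        ex = Explorer(names, domain)
        ex.forced = worklist.pop()
        Sym.engine = ex
        try:
            ret = program(*[Sym(lambda env, n=n: env[n], n) for n in names])
            results.append((ex.condition(), ex.solve(), ret))
        except Infeasible:
            pruned += 1
        # Each decision made beyond the forced prefix is flipped to schedule its sibling path.
        for i in range(len(ex.forced), len(ex.taken)):
            worklist.append([o for _, o in ex.taken[:i]] + [not ex.taken[i][1]])
    return results, pruned


def program(x, y):
    """Constructed target with one unreachable branch and one error path."""
    z = x - y if x > y else y - x
    if z < 0:
        return "unreachable"            # |x - y| is never negative
    if z == 7:
        return "error"
    return "ok"


if __name__ == "__main__":
    for cond, env, ret in explore(program, ["x", "y"])[0]:
        print(f"{ret:6} {env}  <= {cond}")
```

    Running it yields four feasible paths (two ending in "error", two in "ok") and prunes the two paths through the `z < 0` branch, which the solver reports unsatisfiable under either ordering of `x` and `y`; the concrete inputs it emits, such as `x=-1, y=-8`, reproduce the "error" return when the target is run normally on integers.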
    Additional Reviewers for ASE 2003: Luciano Baresi, Davide Balzarotti, Guillaume Brat, Yu Chen, Jianguo Ding, John Doherty, Shariar Fakher, Klaus Gotthardt, Paul Graunke, Mark Greenwood, Stephen Hailes, Klaus Havelund, Geoff Holmes, Dang van Hung, Binling Jin, Hans Friedrich Koetter, Flavio Lerda, Martin Leucker, Zhiming Liu, Crista Lopes, Shourong Lu, Petra Malik, Robi Malik, Vincenzo Martena, Peter Mehlitz, Shilpa Murthy, Tsz Hin Ng, Corina Pasareanu, Justin Pearson, Marie-Laure Potet, Divya Ramasubban, Lucia Rapanotti, Greg Reeve, ...