
Verifying Time Partitioning in the DEOS Scheduling Kernel

Formal Methods in System Design

Abstract

This paper describes an experiment in using the Spin model checker to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking with minimal abstraction could find a subtle implementation error that had originally been discovered and fixed during the standard formal review process. The experiment involved translating a core slice of the DEOS scheduling kernel from C++ into Promela, constructing an abstract "test-driver" environment, and carefully introducing several abstractions into the system to make verification feasible. Attempted verification of several properties related to time partitioning led to the rediscovery of the known error in the implementation. The case study also exposed several limitations of existing tools for model checking software. The most difficult task in the original DEOS experiment was constructing an adequate environment to close the system for verification: the fidelity of that environment was crucial to obtaining meaningful results from the model checker. In this paper we describe the initial environment modeling effort and a follow-on experiment with semi-automated environment generation methods. Program abstraction techniques were likewise critical for enabling verification of DEOS. We describe an implementation scheme for predicate abstraction, an approach based on abstract interpretation, which was developed to support the DEOS verification.
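To make concrete what "closing the system with a test-driver environment" and "checking a time-partitioning property" mean in practice, the following is an added, self-contained illustration; it is not code from the paper, not DEOS code, and not Promela. It models a toy fixed-priority cyclic scheduler with two partitions and constructed budgets, closes it with an environment that nondeterministically blocks and wakes partitions, and runs an explicit-state breadth-first search over all reachable states. The property is stated on ground-truth CPU time charged by the environment rather than on the scheduler's own bookkeeping, so that an accounting bug in the scheduler is observable. The `reset_on_wake` flag injects a hypothetical accounting bug (a wake-up zeroes the partition's used budget); it is constructed for this example and is not the error the paper found.

```python
"""Added example: explicit-state check of a time-partitioning property on a toy
cyclic scheduler closed with a nondeterministic environment. The scheduler, budgets
and the injected bug are constructed for illustration and are not DEOS code."""
from collections import deque

BUDGET = (2, 2)        # constructed: guaranteed CPU ticks per partition per period
PERIOD = sum(BUDGET)   # one period is exactly the sum of the budgets
N = len(BUDGET)

# State: (tick, used, consumed, blocked, ever_blocked)
#   used          the scheduler's own per-period accounting (what the kernel believes)
#   consumed      ground-truth CPU ticks charged by the environment (what the checker trusts)
#   blocked       partition is currently waiting and gives up the CPU
#   ever_blocked  partition blocked at some point this period, so it forfeits its claim
INITIAL = (0, (0,) * N, (0,) * N, (False,) * N, (False,) * N)

def running(used, blocked):
    """Highest-priority partition with budget left that is not blocked, or None (idle)."""
    for i in range(N):
        if used[i] < BUDGET[i] and not blocked[i]:
            return i
    return None

def violation(state):
    """Describe the broken time-partitioning property, or return None if it holds."""
    tick, used, consumed, blocked, ever_blocked = state
    for i in range(N):
        if consumed[i] > BUDGET[i]:
            return f"overrun: partition {i} consumed {consumed[i]} > budget {BUDGET[i]}"
        if tick == PERIOD and not ever_blocked[i] and consumed[i] < BUDGET[i]:
            return f"starvation: partition {i} got {consumed[i]} < budget {BUDGET[i]}"
    return None

def successors(state, reset_on_wake):
    """All (label, next_state) pairs for one tick. The environment chooses whether
    to wake one blocked partition and whether the running partition works or blocks.
    reset_on_wake=True injects a hypothetical bug: a wake-up is treated as a fresh
    activation and the partition's used budget is zeroed."""
    tick, used, consumed, blocked, ever_blocked = state
    if tick == PERIOD:   # period boundary: fresh budgets; a partition still blocked stays blocked
        tick, used, consumed, ever_blocked = 0, (0,) * N, (0,) * N, blocked
    wakes = [None] + [i for i in range(N) if blocked[i]]
    out = []
    for w in wakes:
        u, b = list(used), list(blocked)
        if w is not None:
            b[w] = False
            if reset_on_wake:
                u[w] = 0                     # BUG (constructed): forgets ticks already used
        for blocks in (False, True):
            u2, c2, b2, e2 = list(u), list(consumed), list(b), list(ever_blocked)
            r = running(u2, b2)
            if blocks:
                if r is None:
                    continue                 # nothing is running, so nothing can block
                b2[r], e2[r] = True, True
                r = running(u2, b2)          # CPU passes to the next eligible partition
            if r is not None:
                u2[r] += 1                   # what the scheduler records
                c2[r] += 1                   # what actually happened
            label = f"t={tick}: wake={w} block={blocks} run={r}"
            out.append((label, (tick + 1, tuple(u2), tuple(c2), tuple(b2), tuple(e2))))
    return out

def check(reset_on_wake=False):
    """Breadth-first search over every reachable state. Returns None if the property
    holds everywhere, else the shortest counterexample as transition labels followed
    by the violated property."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for label, n in successors(s, reset_on_wake):
            if n in parent:
                continue
            parent[n] = (s, label)
            if violation(n):
                trace, cur = [violation(n)], n
                while parent[cur]:
                    cur, label = parent[cur]
                    trace.append(label)
                return trace[::-1]
            queue.append(n)
    return None

if __name__ == "__main__":
    print("correct scheduler:", check(False))
    for step in check(True) or []:
        print(step)
```

With the correct accounting the search exhausts the state space without a violation; with the constructed bug it returns a four-tick trace in which a partition blocks, is woken with its budget forgotten, and consumes more ticks than its allocation. Two modelling choices carry the weight here, and both mirror concerns the abstract raises: the environment must be rich enough to exercise block and wake interleavings (a driver that never blocks finds nothing), and the property must be checked against an independent measure of consumed time rather than the kernel's own counters.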




Correspondence to John Penix.


Cite this article

Penix, J., Visser, W., Park, S. et al. Verifying Time Partitioning in the DEOS Scheduling Kernel. Form Method Syst Des 26, 103–135 (2005). https://doi.org/10.1007/s10703-005-1490-4
