Aaron Larson

Verifying Time Partitioning in the DEOS Scheduling Kernel

This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking with minimal abstraction could be used to find a subtle implementation error that was originally discovered and fixed during the standard formal review process. The experiment involved translating a core slice of the DEOS scheduling kernel from C++ into Promela, constructing an abstract “test-driver” environment and carefully introducing several abstractions into the system to support verification. Attempted verification of several properties related to time-partitioning led to the rediscovery of the known error in the implementation. The case study indicated several limitations in existing tools to support model checking of software. The most difficult task in the original DEOS experiment was constructing an adequate environment to close the system for verification. The fidelity of the environment was of crucial importance for achieving meaningful results during model checking. In this paper, we describe the initial environment modeling effort and a follow-on experiment with using semi-automated environment generation methods. Program abstraction techniques were also critical for enabling verification of DEOS. We describe an implementation scheme for predicate abstraction, an approach based on abstract interpretation, which was developed to support DEOS verification.

A methodology for prototyping-in-the-large

The authors define prototyping as an experimental activity intended to reduce risk of failure in a software product. In this context, they explore the effect of scale in prototyping and then describe a methodology for prototyping a large application. The authors describe a system being developed to evaluate this methodology, featuring a pair of languages (Promo and Moblog) to serve both large-scale and component-level prototyping needs. The authors conclude with a presentation of how the proposed methodology would be applied to a sample problem, a fault-prediction subsystem within the Space Station Freedom project.<<ETX>>

Epochs, configuration schema, and version cursors in the KBSA framework CCM model

The KBSA Framework Change and Configuration Management model encapsulates our understanding of the approach required to support CCM in the context of an advanced engineering objectbase. Change is not represented by copying individual objects, but rather by viewing a configuration as a state repository (epoch) capturing the changes which occurred during one design transaction; all accesses to objects’ state must occur in the context of some epoch. A design transaction is a longduration set of operations performed by multiple agents on an epoch; it starts with one consistent configuration and yields another. Configuration history trees are annotated with compatibility attributes, indicating which versions of objects may be substituted for each other; these record the results of static analysis, testing, and experience. A configuration schema describes how to construct or recognize a consistent configuration built from acceptable components. It may include crosaconfiguration references (version cursors); dynamic version cursors specify a search rule for locating an acceptable source configuration. An in-house project has implemented part of the model to solve CCM problems in a prototype avionics design capture system; their experience is described.