Belgacem Ben Hedia

Specifying and Verifying Concurrent C Programs with TLA

Verifying software systems automatically from their source code rather than modelling them in a dedicated language gives more confidence in establishing their properties. Here we propose a formal specification and verification approach for concurrent C programs directly based on the semantics of C. We define a set of translation rules and implement it in a tool (C2TLA+) that automatically translates C code into a TLA+ specification. The TLC model checker can use this specification to generate a model, allowing to check the absence of runtime errors and dead code in the C program in a given configuration. In addition, we show how translated specifications interact with manually written ones to: check the C code against safety or liveness properties; provide concurrency primitives or model hardware that cannot be expressed in C; and use abstract versions of translated C functions to address the state explosion problem. All these verifications have been conducted on an industrial case study, which is a part of the microkernel of the PharOS real-time system.

Poster Abstract: Towards Correct Transformation: From High-Level Models to Time-Triggered Implementations

Developing embedded real-time systems based on the TT paradigm is a challenging task due to the increasing complexity of such systems and the necessity to manage, already in the programming model, the fine-grained temporal constraints and the low-level communication primitives imposed by the temporal firewall abstraction. In embedded systems, high-level component-based design approaches have been proposed in order to allow specification and design of complex real-time systems. However, their final implementations mostly rely on the generation of code for generic execution platforms. On the other hand, a variety of Real-Time Operating System (RTOS), in particular when based on the Time-Triggered (TT) paradigm, guarantee the temporal and behavioural determinism of the executed software. However, these TT-based RTOS do not provide high-level design frameworks enabling the scalable design of complex safety-critical real-time systems. The goal of our work is to couple a high-level component-based design approach based on the RT-BIP (Real-Time Behaviour-Interaction-Priority) framework with a safety-oriented real-time execution platform, implementing the TT approach. Thus, we combine their complementary advantages, by deriving correct-by-construction TT implementations from high-level componentised models. To this end, we propose an automatic transformation process from RT-BIP models into applications for the target platform based on the TT execution model. The process consists in a two-step transformation. The first step transforms a generic RT-BIP model into a restricted one, which lends itself well to an implementation based on TT communication primitives. This step was presented in previous work. The second step, which is the subject of this paper, transforms the resulting model into the TT implementation provided by the PharOS RTOS. We identify the key difficulties in defining this transformation, propose solutions to address these difficulties and study how this transformation can be proven to be semantics-preserving. This transformation is already partially implemented.

TT-BIP: using correct-by-design BIP approach for modelling real-time system with time-triggered paradigm

In order to combine advantages of real-time operating systems implementing the time-triggered (TT) execution model and model-based design frameworks, we aim at proposing a correct-by-design methodology that derives correct TT implementations from high-level models. This methodology consists of two main steps: (1) transforming the high-level model into an intermediate model which respects the TT communication principles and where all communications between components are simple send/receive interactions, and (2) transforming the obtained intermediate model into the programming language of the target platform. In this paper, we focus on the presentation of the transformational methodology of the first step of this design flow. This methodology produces a correct-by-construction TT model by starting from a high-level model of the application software in behaviour, interaction, priority (BIP). BIP is a component-based framework with formal semantics that rely on multiparty interactions for synchronizing components. Commonly in TT implementations, tasks interact with each other through a communication medium. Our methodology transforms, depending on a user-defined task mapping, high-level BIP models where communication between components is strongly synchronized, into TT model that integrates a communication medium. Thus, only inter-task communications and components participating in such interactions are concerned by the transformation process. We also provide correctness proofs of the transformation and apply it on an industrial case study.

TT-BIP: Using Correct-by-Design BIP Approach for Modelling Real-Time System with Time-Triggered Paradigm

In order to combine advantages of Real-Time Operating Systems (RTOS) implementing the Time-Triggered (TT) execution model and model-based design frameworks, we aim at proposing a correct-by-design methodology that derives correct TT implementations from high-level models. This methodology consists of two main steps; (1) transforming the high-level model into an intermediate which respects the TT communication principles and where all communication between components are simple send/receive interactions, and (2) transforming the obtained intermediate model into the programming language of the target platform.

Modeling legacy code with BIP: how to reduce the gap between formal description and real-time implementation

To reduce the gap between high-level functional descriptions and real-time multitasking implementation, this paper proposes a set of modeling and code generation principles. Modeling principles are based on integration of a specific BIP concurrent component. This component follows a specific behavioral pattern based on periodic activation of data consumption, data processing and data production. It acts as a periodic task at execution stage. The pattern proposes two variants for eventtriggered and time-triggered platforms. The approach has been tested on three case studies, showing the interest of formalization for behavioral verification. The proposed pattern allows real-time validation and offers classical advantages of high-level modeling.

Qualité de service des pilotes d'équipements pour les systèmes d'acquisition de données

In the field of real time application (especially for control purpose), validation is based on a fine knowledge of temporal properties of used data (in form of tosses and delays...) If the data are processed using a dedicated sofhvare (called driver), its necessary to model the consequence of this software part on the quality of service of the data. In This study we present a formal model of equipment driver based on timed automata and we show the influence of the characteristics of the driver (polling period...) on the offered quality of service.