Huixing Fang

ORIENTAIS: Formal Verified OSEK/VDX Real-Time Operating System

In this paper, we report on the formal, machine-verified operating system - ORIENTAIS. ORIENTAIS is an OSEK/VDX standard based real-time operating system for automotive applications. About 8000 lines of C and 60 lines of assembler are comprised in the ORIENTAIS. The operating system is of vital importance to embedded systems, especially for some time sensitive and accurate controlling applications just like automotive applications. We prove that the implementation of ORIENTAIS application programming interfaces strictly follow the OSEK/VDX specification which we formalized from natural language expressed OSEK/VDX specification. Meanwhile, we model the high level interaction behaviors with CSP and verify the properties just like deadlock-free. To guarantee the safety of memory access and bounded response time with interrupt program involved, binary code level verification is developed based on xBIL which is a binary intermediate language we proposed. We introduce a series of techniques and approaches for verifying the ORIENTAIS. Our approach is an efficient work for the verification of ORIENTAIS, with whose help several bugs are detected. Now, ORIENTAIS has been certificated by OSEK certification group and installed on more than 1.38 million cars in China.

Verification and Performance Evaluation of Timed Game Strategies

Control synthesis techniques, based on timed games, derive strategies to ensure a given control objective, e.g., time-bounded reachability. Model checking verifies correctness properties of systems. Statistical model checking can be used to analyse performance aspects of systems, e.g., energy consumption. In this work, we propose to combine these three techniques. In particular, given a strategy synthesized for a timed game and a given control objective, we want to make a deeper examination of the consequences of adopting this strategy. Firstly, we want to apply model checking to the timed game under the synthesized strategy in order to verify additional correctness properties. Secondly, we want to apply statistical model checking to evaluate various performance aspects of the synthesized strategy. For this, the underlying timed game is extended with relevant price and stochastic information. We first explain the principle of translating a strategy produced by Uppaal-tiga into a timed automaton, thus enabling the deeper examination. However, our main contribution is a new extension of Uppaal that automatically synthesizes a strategy of a timed game for a given control objective, then verifies and evaluates this strategy with respect to additional properties. We demonstrate the usefulness of this new branch of Uppaal using two case-studies.

Comparative Modeling and Verification of Pthreads and Dthreads

The POSIX threads (Pthreads) library is a thread API for C/C++ to control parallel threads and spawn concurrent process flows. Programming in Pthreads usually suffers from undesirable deadlock and data race problems due to the potential non-deterministic execution behaviors between parallel threads. Dthreads is another multithreading model re-implementing Pthreads, which was proposed by Liu et al. for efficient deterministic multithreading. Under specific test cases, they found out that Dthreads can effectively prevent data races. But they have not made comparison test with Pthreads. In order to formally compare Pthreads with Dthreads over deadlocks and data races, in this paper, we apply CSP (Communicating Sequential Processes) to model part of APIs in Pthreads and Dthreads, as well as two classical example programs. By using the model checker PAT (Process Analysis Toolkit), for our considered examples, we verify that deadlocks and data races exist in Pthreads, but do not exist in Dthreads. Our comparative modeling and verification of Pthreads and Dthreads show that Dthreads is better than Pthreads on eliminating data races and preventing deadlocks.

Binary Code Level Verification for Interrupt Safety Properties of Real-Time Operating System

Interrupt mechanism is indispensable in embedded software due to lots of factors such as switching context and enhancing efficiency. In this context, the traditional way to ensure the correctness of software will not remain in force. Having the interrupt is envolved, the complicated and nondeterminism environment should be taken into consideration during the verification process. In this paper, we propose a novel way to verify the interrupt safety properties based on low-level binary code. At first, an Abstract xBIL is transformed from the xBIL with the time and interrupt properties reserved. xBIL [1] is a binary intermediate language we proposed to represent the machine instructions on multiple architectures. Afterwards, we present an automatic way to construct the Discrete-Time Markov Chains [2] from the Abstract xBIL code. After that, the properties can be easily generated and quantitative analysis could be performed. To prove the feasibility of our approach, we have applied our method to the verification of a commercial automotive operating system and it is proved to be of great help with the development of software.

Formal Verification and Simulation: Co-verification for Subway Control Systems

For hybrid systems, hybrid automata based tools are capable of verification while Matlab Simulink/Stateflow is proficient in simulation. In this paper, a methodology is developed in which the formal verification tool PHAVer and simulation tool Matlab are integrated to analyze and verify hybrid systems. For application of this methodology, a Platform Screen Doors System (abbreviated as PSDS), a subsystem of the subway, is modeled with formal verification techniques based on hybrid automata and Matlab Simulink/Stateflow charts, respectively. The models of PSDS are simulated by Matlab and verified by PHAVer. It is verified that the sandwich situation can be avoided under time interval conditions. We conclude that this integration methodology is competent in verifying Platform Screen Doors System.

SMT-Based Symbolic Encoding and Formal Analysis of HML Models

Hybrid system is a dynamic system that involves continuous, discrete behaviors, and the interactions between continuous physical components and discrete controllers. In this paper a hybrid modeling language (called HML) for hybrid systems is extended with templates to achieve code reuse. For the formal analysis of the corresponding hybrid system models in this modeling language, these models are translated into SMT (satisfiability modulo theories) formulas as the input to an SMT solver dReal which retains the capability of bounded reachability analysis for non-linear hybrid systems. Moreover, dReal can produce data for potential traces of hybrid systems, thus it can be employed to simulate on hybrid systems. In this paper the simulation and reachability analysis are integrated in a prototype tool (open source). We present a case study for an inverted pendulum with PID (Proportional-Integral-Derivative) controllers and a rod reactor system for temperature control, both are verified to demonstrate the efficiency of the prototype tool. We conclude that, this modeling language is capable of modeling and verification of hybrid systems based on simulation and bounded reachability analysis.

An Object-Oriented Language for Modeling of Hybrid Systems

Hybrid systems arise in embedded control from the interaction between continuous physical behavior and discrete digital controllers. In this paper, we propose Apricot as a novel object-oriented language for modeling hybrid systems. The language takes the advantages of domain-specific and object-oriented languages, which fills the gap between the design and implementation. With respect to the application of Apricot, we demonstrate the model for urgent distance control in subway control systems. In addition, the comparison with hybrid automata is discussed, which indicates the scalability and conciseness of the Apricot model. Moreover, we develop a prototype modeling tool (a plug-in for Eclipse) for our proposed language. According to the characteristics of object-orientation and the component architecture of Apricot, we conclude that it is suitable for modeling hybrid systems without losing many key features.

xBIL -- A Hardware Resource Oriented Binary Intermediate Language

In the modern world, program analysis and verification on binary code have been widely used. While on embedded system, a variety of platforms make the binary analyzing and verifying work bump up against difficulties. But the problem of expressing instruction cycle time, interrupt and pipeline mechanism in binary intermediate language has not been addressed. In this paper, we show how we attack this problem by introducing a hardware resource oriented binary intermediate language - xBIL, which can be used to present the instructions with instruction cycle time and interrupt properties reserved. We also propose the execution algorithm and semantics of this language. xBIL has been applied on the analysis of a commercial automotive operating system which is used on over 1.38M cars in China and successfully found several bugs.

Formal Verification of OSEK/VDX Real-Time Operating System (Empirical Report)

As a standard of operating system in automotive industry, OSEK/VDX is applied on dozens of mature industrial operating systems and widely installed on the products of major automotive manufacturers. In this empirical report, we introduce our experience on verifying OSEK/VDX real-time operating system. From both source code and binary code level, the OSEK/VDX operating system is verified based on approaches comprising Hoare Logic, Communicating Sequential Processes, Binary Code Analysis and Discrete-Time Markov Chains model checking. Based on our approach, a commercial OSEK/VDX standard automotive operating system is verified and it is proved to be of great help to the development of software.