Jan Olaf Blech

Analysis and optimization of fault-tolerant task scheduling on multiprocessor embedded systems

Reliability is a major requirement for most safety-related systems. To meet this requirement, fault-tolerant techniques such as hardware replication and software re-execution are often utilized. In this paper, we tackle the problem of analysis and optimization of fault-tolerant task scheduling for multiprocessor embedded systems. A set of existing fault-and process-models are adopted and a Binary Tree Analysis (BTA) is proposed to compute the system-level reliability in the presence of software/hardware redundancy. The BTA is integrated into a multi-objective evolutionary algorithm via a two-step encoding to perform reliability-aware design optimization. The optimization results contain the mapping of tasks to processing elements, the exact task and message schedule and the fault-tolerance policy assignment. Based on the observation that permanent faults need to be considered together with transient faults to achieve optimal system design, we propose a virtual mapping technique to take both types of faults into account. To the best of our knowledge, this is the first approach in fault-tolerant task scheduling that considers permanent and transient faults in a unified manner. The effectiveness of our approach is illustrated using several case studies.

Formal verification of dead code elimination in Isabelle/HOL

Correct compilers are a vital precondition to ensure software correctness. Optimizations are the most error-prone phases in compilers. In this paper, we formally verify dead code elimination (DCE) within the theorem prover Isabelle/HOL. DCE is a popular optimization in compilers which is typically performed on the intermediate representation. In our work, we reformulate the algorithm for DCE so that it is applicable to static single assignment (SSA) form which is a state of the art intermediate representation in modern compilers, thereby showing that DCE is significantly simpler on SSA form than on classical intermediate representations. Moreover, we formally prove our algorithm correct within the theorem prover Isabelle/HOL. Our program equivalence criterion used in this proof is based on bisimulation and, hence, captures also the case of non-termination adequately. Finally we report on our implementation of this verified DCE algorithm in the industrial-strength scale compiler system.

Behavioral specification based runtime monitors for OSGi services

Abstract constraint specifications --- such as interoperability contracts --- of the behavior of a system are frequently stated as requirements during early design phases. During the development process, these abstract specifications get refined until one reaches a deployable implementation. Especially in systems with components being dynamically added or replaced, it is critical that the constraints stated are met by the running system. The size of abstract constraint specifications is typically very small compared to the final implementation. In this paper, we sketch a process, where abstract constraint specifications are used as a basis for runtime monitors and checks. These monitors and checks ensure that in cases of deviations from the original specification, the system takes compensating actions such as turning the system into a safe state. We particularly focus on systems where components can be exchanged, added or removed during runtime. We discuss a concrete application scenario: The usage of specification-based monitors for OSGi-based services in the domain of home automation.

A Certifying Code Generation Phase

Guaranteeing correctness of compilation is a vital precondition for correct software. Code generation can be one of the most error-prone tasks in a compiler. One way to achieve trusted compilation is certifying compilation. A certifying compiler generates for each run a proof that it has performed the compilation run correctly. The proof is checked in a separate theorem prover. If the theorem prover is content with the proof one can be sure that the compiler produced correct code. This paper reports on the construction of a certifying code generation phase for a compiler. It is part of a larger project aimed at guaranteeing the correctness of a complete compiler. We emphasize on demonstrating the feasibility of the certifying compilation approach to code generation and focus on the implementation and practical issues. It turns out that the checking of the certificates is the actual bottleneck of certifying compilation. We present a proof schema to overcome this bottleneck. Hence we show the applicability of the certifying compilation approach for small sized programs processed by a compilers code generation phase.

Verification of PLC properties based on formal semantics in Coq

Programmable Logic Controllers (PLC) are widely used in embedded systems for the industrial automation domain. We propose a formal semantics of two languages defined in the IEC 61131-3 standard for PLC programming. The first one is the Instruction List (IL) language, an assembly like language. The second one is the Sequential Function Charts (SFC) language, a graphical high-level language that allows to describe the main control-flow of the system. A PLC system description may comprise SFC and IL code. We formalized the semantics in the proof assistant Coq. Furthermore, we present an associated tool for automatically generating SFC representations from a graphical description - the text based IL code can be handled in Coq directly - and its usage for verification purposes. We demonstrate our approach to prove safety properties of a PLC in a real industrial demonstrator.

A Model-Based Toolchain to Verify Spatial Behavior of Cyber-Physical Systems

A method preserving cyber-physical systems to operate safely in a joint physical space is presented. It comprises the model-based development of the control software and simulators for the continuous physical environment as well as proving the models for spatial and real-time properties. The corresponding toolchain is based on the model-based engineering tool Reactive Blocks and the spatial model checker BeSpaceD. The real-time constraints to be kept by the controller are proven using the model checker UPPAAL.

Model-Based Engineering and Analysis of Space-Aware Systems Communicating via IEEE 802.11

We propose a model-driven development approach for autonomous control systems with emphasis on the physical space and the communication via wireless connections. In particular, we combine model-based engineering with simulation and emulation techniques for mobile communication. The design and implementation is done using our Reactive Blocks Framework. For the mobile communication we use the popular IEEE 802.11 WLAN protocol which is simulated using software tools in order to get estimations of connection delays. The spatial constraints are verified with our Be Spaced tool. As an example, we present the design and verification of autonomous robots performing services in a large factory hall and coordinating by means of wireless communication which is based on several access points.

Optimizing Code Generation from SSA Form: A Comparison Between Two Formal Correctness Proofs in Isabelle/HOL

Correctness of compilers is a vital precondition for the correctness of the software translated by them. In this paper, we present two approaches for the formalization of static single assignment (SSA) form together with two corresponding formal proofs in the Isabelle/HOL system, each showing the correctness of code generation. Our comparison between the two proofs shows that it is very important to find adequate formalizations in formal proofs since they can simplify the verification task considerably. Our formal correctness proofs do not only verify the correctness of a certain class of code generation algorithms but also give us sufficient, easily checkable correctness criteria characterizing correct compilation results obtained from implementations (compilers) of these algorithms. These correctness criteria can be used in a compiler result checker.

Applying Model Checking to Industrial-Sized PLC Programs

Programmable logic controllers (PLCs) are embedded computers widely used in industrial control systems. Ensuring that a PLC software complies with its specification is a challenging task. Formal verification has become a recommended practice to ensure the correctness of safety-critical software, but is still underused in industry due to the complexity of building and managing formal models of real applications. In this paper, we propose a general methodology to perform automated model checking of complex properties expressed in temporal logics [e.g., computation tree logic (CTL) and linear temporal logic (LTL)] on PLC programs. This methodology is based on an intermediate model (IM) meant to transform PLC programs written in various standard languages [structured text (ST), sequential function chart (SFC), etc.] to different modeling languages of verification tools. We present the syntax and semantics of the IM, and the transformation rules of the ST and SFC languages to the nuXmv model checker passing through the IM. Finally, two real cases studies of the European Organization for Nuclear Research (CERN) PLC programs, written mainly in the ST language, are presented to illustrate and validate the proposed approach.

Towards a formal foundation of behavioral types for UML state-machines

Behavioral types for model-based development comprise abstract behavioral aspects of the models they are associated with. Behavioral types allow checking that a model fulfills these behavioral aspects. Furthermore, as types can be related with each other, they support more complex checks and guarantees like compatibility in composition and refinement of models in a model based development process. We propose a behavioral type system and explain its properties, specically targeting a subset of UML state-machines. We present an early implementation that generates behavioral type definitions out of an Eclipse-based modeling environment. These type definitions are generated for the higher-order proof assistant Coq as files. We present checking and comparison techniques based on these files for behavioral aspects that can be derived from the model definition.