Kenro Yatake

Automatic generation of model checking scripts based on environment modeling

When applying model checking to the design models of the embedded systems, it is necessary to model not only the behavior of the target system but also that of the environment interacting with the system. In this paper, we present a method to model the environment and to automatically generate all possible environments from the model. In our method, we can flexibly model the structural variation of the environment and the sequences of the function calls using a class model and statechart models. We also present a tool to generate Promela scripts of SPIN from the environment model. As a practical experiment, we applied our tool to the verification of an OSEK/VDX RTOS design model.

SMT-Based Bounded Model Checking for OSEK/VDX Applications

With the growing demands for automotive auxiliary functions, more and more complex applications have been developed based on OSEK/VDX OS. However, how to check the developed applications is becoming a challenge for developers. Although some invaluable formal methods have been proposed to check actual software, these methods cannot be directly employed to check OSEK/VDX applications. In this paper, we describe and develop an approach to check OSEK/VDX applications using SMT-based bounded model checking. We also implement a prototype tool and conduct many experiments on several examples. The experiment results show that our approach can completely check the properties associated with (i) variables, (ii) mutual exclusion, (iii) service API, and (iv) tasks execution sequences of developed applications.

SMT-based enumeration of object graphs from UML class diagrams

This paper presents an encoding of the UML class diagram with OCL invariants in an SMT solver for enumerating all the object graphs from the class diagram. Enumeration of all the object graphs was necessary for our verification of operating systems by model checking, i.e., exhaustively enumerate all the structural variations of the environments to be checked against an operating system. We present our encoding in the SMT solver Yices with the technique of optimization and isomorphism elimination.

Model checking of OSEK/VDX OS design model based on environment modeling

This paper presents a model-checking experiment for a design model of a practical real-time operating system (RTOS) based on environment modeling. In previous work, we developed a tool called the environment generator to generate environments for model-checking general RTOS models in Spin. This tool takes a general model of the environments, called the environment model, as an input and generates all possible environments within the bounds of the model. Here, we applied the tool to verify the design model of an OSEK/VDX OS, the RTOS for controlling automotive systems. In this paper, we explain the details of constructing the environment models for verifying various aspects of the RTOS. We also show the results of an experiment using our tool.

An Approach for Checking OSEK/VDX Applications

With the growing demands for automotive auxiliary functions, more and more complex applications have been developed based on OSEK/VDX OS. However, how to completely check developed applications is becoming a challenge for developers. In this paper, we describe and develop an approach to check developed applications based on the SMT-based BMC. We have implemented a prototype tool and conducted some experiments. The experiments results show that our approach can be completely used to check the properties associated with (i) variables, (ii) mutual exclusion, (iii) service API and (iv) tasks execution sequences.

Implementing application-specific object-oriented theories in HOL

This paper presents a theory of Object-Oriented concepts embedded shallowly in HOL for the verification of OO analysis models. The theory is application-specific in the sense that it is automatically constructed depending on the type information of the application. This allows objects to have attributes of arbitrary types, making it possible to verify models using not only basic types but also highly abstracted types specific to the target domain. The theory is constructed by definitional extension based on the operational semantics of a heap memory model, which guarantees the soundness of the theory. This paper mainly focuses on the implementation details of the theory.

Verifying OSEK/VDX OS Design Using Its Formal Specification

Automotive systems are widely used in industry and our dailylife. As the reliability of automotive systems is becoming a greater challenge in our community, increasingly more automotive companies are interested in applying formal methods to improve the reliability of automotive systems. We focus on automotive operating systems conforming to the OSEK/VDX standard. Such operating systems are considered as important components to ensure the reliability of the automotive systems. Inprevious work, we proposed a framework to verify the design models of reactive systems against their specifications. This framework allows us to check whether the design model conforms to the specification based on a simulation relation. This paper shows a case study in which the framework is applied to a real design of the OSEK/VDX operating system. As aresult, we found that we were able to check several important properties of the design model. We show the effectiveness and practicality of the framework based on the results of the case study.

Combined Model Checking and Testing Create Confidence—A Case on Commercial Automotive Operating System

The safety and reliability of automotive systems are becoming a big concern in our daily life. Recently, a functional safety standard which specializes in automotive systems has been proposed by the ISO. In addition, electrical throttle systems have been inspected by NHTSA and NASA due to the unintended acceleration problems of Toyota’s cars. In light of such recent circumstances, we are researching practical applications of formal methods to ensure the high quality of automotive operating systems. An operating system which we focus on is the one conforming to the OSEK/VDX standard. This chapter shows a case study where model checking is applied to a commercial automotive operating system. In this case study, the model checking is combined with testing in order to efficiently and effectively verify the operating system. As a result, we gained the confidence that the quality of the operating system is very high.

Checking the Conformance of a Promela Design to its Formal Specification in Event-B

Verification of a design with respect to its requirement specification is important to prevent errors before constructing an actual implementation. Existing works focus on verification tasks where specifications are described using temporal logics or using the same languages as that used to describe designs. In this paper, we consider cases where specifications and designs are described using different languages. For verifying such cases, we propose a framework to check if a design conforms to its specification based on their simulation relation. Specifically, we define the semantics of specifications and designs commonly as labelled transition systems (LTS), and check if a design conforms to its specification based on the simulation relation of their LTS. In this paper, we present our framework for the verification of reactive systems, and we present the case where specifications and the designs are described in Event-B and Promela/Spin, respectively. As a case study, we show an experiment of applying our framework to the conformance check of the specification and the design of OSEK/VDX OS.

An UPPAAL Framework for Model Checking Automotive Systems with FlexRay Protocol

This paper introduces a method and a framework for verifying automotive system designs using model checking. The framework is based on UPPAAL, a timed model checker, and focuses on checking automotive system designs with FlexRay communication protocol, a de facto standard of automotive communication protocols. The framework is composed of FlexRay model and application model where the former is built by abstractions to the specifications of FlexRay protocol. In the framework, FlexRay model is reusable for different application models with appropriate parameter settings. To the best of our knowledge, the framework is the first attempt on model checking automotive system designs considering communication protocols. Checking of core properties including timing properties are conducted to evaluate the framework.