Publications

Featured research published by Steffen Knapp.


International Conference on Computer Design | 2005

Towards the formal verification of lower system layers in automotive systems

Sven Beyer; Peter Böhm; Michael Gerke; Mark A. Hillebrand; T.I. der Rieden; Steffen Knapp; Dirk Leinenbach; Wolfgang J. Paul

The mission of the Verisoft project is (i) to develop techniques which permit the pervasive formal verification of computer systems comprising hardware, system software, communication systems, and applications, and (ii) to apply these techniques in an industrial context to verify prototypical systems. One such application is an emergency call, which is automatically placed on the mobile phone network after the sensors of a car have detected that it was involved in a crash. The application runs on a system of several electronic control units (ECUs). The local application programs of the ECUs run on top of a simple real-time operating system kernel as described in the OSEKtime standard. ECUs are connected via a FlexRay bus. We outline the structure of an overall correctness proof for such a parallel system from the gate to the kernel level. For the communication system hardware one has to combine existing correctness proofs for components of time-triggered architectures (e.g. clock synchronization) and arguments about hardware correctness into a single theorem. Results on processor, driver, and kernel correctness can to a large extent be imported from existing research in the Verisoft project. Worst-case execution time bounds are derived with advanced industrial tools based on abstract interpretation.


Formal Aspects of Computing | 2008

On the correctness of upper layers of automotive systems

Jewgenij Botaschanjan; Manfred Broy; Alexander Gruler; Alexander Harhurin; Steffen Knapp; Leonid Kof; Wolfgang J. Paul; Maria Spichkova

Formal verification of software systems is a challenge that is particularly important in the area of safety-critical automotive systems. Here, approaches like direct code verification are far too complicated, unless the verification is restricted to small textbook examples. Furthermore, the verification of application logic is of limited use in an industrial context, unless the underlying operating system and the hardware are verified, too. This paper introduces a generic model stack, allowing the verification of all system layers as well as the concrete application models being used in the upper layers. The presented models and proofs close the gap between the correctness proof for the lower layers of car electronics developed at Saarland University and the verification procedure for distributed applications developed at the Technische Universität München.


Program analysis and compilation, theory and practice | 2007

Realistic worst-case execution time analysis in the context of pervasive system verification

Steffen Knapp; Wolfgang J. Paul

We describe a gate-level design of a FlexRay-like bus interface. An electronic control unit (ECU) is obtained by integrating this interface into the design of the verified VAMP processor. We get a time-triggered distributed real-time system by connecting several such ECUs via a common bus. We define a programming model for such a system at the instruction set architecture (ISA) level and prove that it is correctly implemented at the gate level. The proof combines theories of processor correctness, communication systems, program correctness and realistic worst-case execution time (WCET) analysis into a single unified mathematical theory.


Formal Methods for Industrial Critical Systems | 2005

An approach to the pervasive formal specification and verification of an automotive system: status report

Tom In der Rieden; Steffen Knapp

The Verisoft project aims at the pervasive formal verification of entire computer systems. In particular, the verification of functional and timing properties of the Automotive System is attempted. This is a distributed system, whose components consist of hardware (processor and devices), a real-time operating system, and applications. In this paper we give an overview of the system architecture and its industrial relevance. We will discuss in detail the model layers from the hardware up to a computational model for concurrent user processes interacting with a generic microkernel written in C. This is work in progress, so we will report on its current status, our goals and the next steps we want to take.


International Conference on Formal Methods and Models for Co-Design | 2008

Correctness of a Fault-Tolerant Real-Time Scheduler and its Hardware Implementation

Eyad Alkassar; Peter Böhm; Steffen Knapp

We formalize the correctness of a fault-tolerant scheduler in a time-triggered architecture. Where previous research elaborated on real-time protocol correctness, we extend this work to gate-level hardware. This requires a sophisticated analysis of analog bit-level synchronization and transmission. Our case study is a concrete automotive bus controller (ABC), inspired by the FlexRay standard. For a set of interconnected ABCs, vulnerable to sudden failure, we prove at gate level that all operating ABCs are synchronized tightly enough such that messages are broadcast correctly. This includes formal arguments for startup, failures, and reintegration of nodes at arbitrary times. To the best of our knowledge, this is the first effort tackling fault-tolerant scheduling correctness at gate level.


IFIP Working Conference on Distributed and Parallel Embedded Systems | 2008

Formal Correctness of an Automotive Bus Controller Implementation at Gate-Level

Eyad Alkassar; Peter Böhm; Steffen Knapp

We formalize the correctness of a real-time scheduler in a time-triggered architecture. Where previous research elaborated on real-time protocol correctness, we extend this work to gate-level hardware. This requires a sophisticated analysis of analog bit-level synchronization and message transmission. Our case study is a concrete automotive bus controller (ABC). For a set of interconnected ABCs we formally prove at gate level that all ABCs are synchronized tightly enough such that messages are broadcast correctly. Proofs have been carried out in the interactive theorem prover Isabelle/HOL using the NuSMV model checker. To the best of our knowledge, this is the first effort formally tackling scheduler correctness at gate level.


Archive | 2008

The Correctness of a Distributed Real-Time System

Steffen Knapp; Wolfgang J. Paul; Wolfgang Kunz

In this thesis we review and extend the pervasive correctness proof for an asynchronous distributed real-time system published in [KP07a]. We take a two-step approach: first, we argue about a single electronic control unit (ECU) consisting of a processor (running the OSEKtime-like operating system OLOS) and a FlexRay-like interface called automotive bus controller (ABC). We extend [KP07a], among other things, by a local OLOS model [Kna08] and go into detail regarding the handling of interrupts and the treatment of devices. Second, we connect several ECUs via the ABCs and reason about the complete distributed system, see also [KP07b]. Note that the formalization of the scheduling correctness is reported in [ABK08b]. Through several abstraction layers we prove the correctness of the distributed system with respect to a new lock-step model COA that completely abstracts from the ABCs. By establishing the DISTR model [Kna08] it becomes possible to literally reuse the arguments from the first part of this thesis and therefore to simplify the analysis of the complete distributed system. To illustrate the applicability of DISTR, we have formally proven the top-level correctness theorem in the theorem prover Isabelle/HOL. Throughout the thesis we tie together theorems regarding: processor, ABC, compiler, microkernel, operating system, and the worst-case execution time analysis of applications and systems software.


International Conference on Systems | 2008

Pervasive Layered Verification of a Distributed Real-Time System

Steffen Knapp

We deal with a distributed time-triggered system consisting of several electronic control units (ECUs). Each ECU contains a processor and a FlexRay-like interface that is connected to a bus. An OSEKtime-like operating system runs on all ECUs. We develop a detailed model of this system and prove its correctness. To do so we formally argue about operating system and driver correctness, termination of applications, and the communication behavior.


Conference on Automated Deduction | 2007

Formal Device and Programming Model for a Serial Interface

Eyad Alkassar; Mark A. Hillebrand; Steffen Knapp; Rostislav Rusev; Sergey Tverdyshev


Archive | 2008

Correctness of a Fault-Tolerant Real-Time Scheduler and its Hardware Implementation

Peter Böhm; Steffen Knapp
