Yanhong Huang

Modeling and Verifying the Code-Level OSEK/VDX Operating System with CSP

As an automotive industry standard of operating system specification, OSEK/VDX is widely applied in the process of designing and implementing the static operating system and the corresponding interfaces for automotive electronics. It is challenging to explore an effective method to support large-scale correctness verification of OSEK/VDX specification. In this paper, we employ process algebra CSP to describe and reason about a real code-level OSEK/VDX operating system. Thus the whole system is formally modeled as a CSP process which is encoded and implemented in process analysis toolkit (PAT). Furthermore, the expected properties are described and expressed in terms of the first-order logic. The properties are also established and verified in our framework. The result indicates that the whole system is deadlock-free and the scheduling scheme is sound with respect to the specification.

ORIENTAIS: Formal Verified OSEK/VDX Real-Time Operating System

In this paper, we report on the formal, machine-verified operating system - ORIENTAIS. ORIENTAIS is an OSEK/VDX standard based real-time operating system for automotive applications. About 8000 lines of C and 60 lines of assembler are comprised in the ORIENTAIS. The operating system is of vital importance to embedded systems, especially for some time sensitive and accurate controlling applications just like automotive applications. We prove that the implementation of ORIENTAIS application programming interfaces strictly follow the OSEK/VDX specification which we formalized from natural language expressed OSEK/VDX specification. Meanwhile, we model the high level interaction behaviors with CSP and verify the properties just like deadlock-free. To guarantee the safety of memory access and bounded response time with interrupt program involved, binary code level verification is developed based on xBIL which is a binary intermediate language we proposed. We introduce a series of techniques and approaches for verifying the ORIENTAIS. Our approach is an efficient work for the verification of ORIENTAIS, with whose help several bugs are detected. Now, ORIENTAIS has been certificated by OSEK certification group and installed on more than 1.38 million cars in China.

Formal Model of Interrupt Program from a Probabilistic Perspective

Interrupt behaviors are extremely difficult to verify and reason about in the development of operating system due to their randomicity and nondeterminism. This paper proposes a formal model of interrupt program which is an extension of Dijkstras language of guarded commands. The probabilistic operational semantics exhibiting how the effect of interrupt is produced is explored for the interrupt program. A number of algebraic laws for the computation properties that underlie the language are established in terms of the suggested probabilistic operational semantics. Furthermore, the time constraint of the interrupt program is elaborately specified and the corresponding verification can be carried out in our framework.

Investigating time properties of interrupt-driven programs

In design of dependable software for real-time embedded systems, time analysis is an important but challenging problem due in part to the randomicity and nondeterminism of interrupt handling behaviors. Time properties are generally determined by the behavior of the main program and the interrupt handling programs. In this paper, we present a small but expressive language for interrupt-driven programs and propose a timed operational semantics for it which can be used to explore various time properties. A number of algebraic laws for the computation properties that underlie the language are established on top of the proposed operational semantics. We depict a number of important time properties and illustrate them using the operational semantics via a small case study.

Semantic theories of programs with nested interrupts

In the design of dependable software for embedded and real-time operating systems, time analysis is a crucial but extremely difficult issue, the challenge of which is exacerbated due to the randomness and nondeterminism of interrupt handling behaviors. Thus research into a theory that integrates interrupt behaviors and time analysis seems to be important and challenging. In this paper, we present a programming language to describe programs with interrupts that is comprised of two essential parts: main program and interrupt handling programs.We also explore a timed operational semantics and a denotational semantics to specify the meanings of our language. Furthermore, a strategy of deriving denotational semantics from the timed operational semantics is provided to demonstrate the soundness of our operational semantics by showing the consistency between the derived denotational semantics and the original denotational semantics.

Deadline analysis of AUTOSAR OS periodic tasks in the presence of interrupts

AUTOSAR, the open and emerging global standard for automotive embedded systems, offers a timing protection mechanism to protect tasks from missing their deadlines. However, in practice, it is difficult to predict when a deadline is violated, because a task missing its deadline may be caused by unrelated tasks or by the presence of interrupts. In this paper, we propose an abstract formal model to represent AUTOSAR OS programs with timing protection. We are able to determine schedulability properties and to calculate constraints on the allowed time that interrupts can take for a given task in a given period. We implement our model in Mathematica and give a case study to illustrate the utility of our method. Based on the results, we believe that our work can help designers and implementors of AUTOSAR OS programs check whether their programs satisfy crucial timing properties.

Formalizing Application Programming Interfaces of the OSEK/VDX Operating System Specification

OSEK/VDX Operating System Specification is a standard in automotive industry with a long history. Dozens of mature industrial operating systems are based on this specification and widely applied in the products of major automotive manufacturers. The verification of the operating system products is always a hard nut to crack. In this paper, we propose a formal specification of OSEK/VDX Operating System based on Hoare Logic, which helps us to get rid of the confusion and ambiguities of the informal specification. In this framework, the formalization of all the Application Programming Interfaces are made. As a case study, we link our framework to the formal verification tool VCC. Some errors are detected in a market-upcoming operating system product based on our framework. We conclude that our framework is feasible in verification of operating system.

A Denotational Model for Interrupt-Driven Programs

In design of dependable software for real-time embedded systems, the interrupt mechanism plays an important role. Due to the randomicity and nondeterminism of interrupt handling behaviors, the analysis about program behaviors as well as time properties is an important but challenging problem. In a previous work, we presented a small but expressive language for interrupt-driven programs, and suggested a timed operational semantics to specify the meaning of the programs. In this paper, we explore a denotational semantics under a discrete time model for the interrupt-driven programming language. It can deal with the features of the language. We also define a transition which can link the operational semantics and denotational semantics.

Probabilistic Model of System Survivability

The paper completely formalizes the concept of system survivability on the basis of Knights research in \cite{Knight03}. We present a computable probabilistic model of survivable system which is divided into two layers, i.e. the function and service. The probabilistic refinement is introduced to reason about the survivable system, which is modeled by a probabilistic choice of accepted services with respect to the operating environment. Furthermore, we present an elegant survivability specification and the differences with Knights related works are discussed. The command-and-control example is also revisited in our framework.

pIML -- An Interrupt Program Modelling Language for Real-Time and Embedded Systems

In the design of dependable software for real-time and embedded systems, the quantitative analysis of program behavior and system performance is a crucial but extremely difficult issue, the challenge of which is exacerbated due to the random city and nondeterminism of interrupt events and the corresponding handling behaviors. Moreover, time analysis is also need to be taken into account for such kinds of systems. Thus the research on a theory which integrates interrupt behaviors and time analysis seems to be important and challenging. In this paper, we propose an interrupt modeling language pIML including the probabilistic feature to describe the programs with interrupts. We explore a probabilistic operational semantics to depict the actions of pIML. Meanwhile, we also implement this operational semantics we proposed on Maude platform, which fill the gap between the theory and practice. Maude supports rewriting logic, equational logic, and etc. The rewrite rules of rewriting logic can very well implement the transition rules of probabilistic operational semantics. Based on this implementation, it is very convenient to simulate the program written in pIML and analyze the behaviors of program in the presence of interrupts quantitatively.