Verification of time partitioning in the DEOS scheduler kernel

Authors:
John Penix

Automated Software Engineering Group, NASA Ames Research Center, Moffet Field, CA

Automated Software Engineering Group, NASA Ames Research Center, Moffet Field, CA
View Profile

,
Willem Visser

Automated Software Engineering Group, NASA Ames Research Center, Moffet Field, CA

Automated Software Engineering Group, NASA Ames Research Center, Moffet Field, CA
View Profile

,
Eric Engstrom

Honeywell Technology Center, 3660 Technology Drive, Minneapolis, MN

Honeywell Technology Center, 3660 Technology Drive, Minneapolis, MN
View Profile

,
Aaron Larson

Honeywell Technology Center, 3660 Technology Drive, Minneapolis, MN

Honeywell Technology Center, 3660 Technology Drive, Minneapolis, MN
View Profile

,
Nicholas Weininger

Honeywell Technology Center, 3660 Technology Drive, Minneapolis, MN

Honeywell Technology Center, 3660 Technology Drive, Minneapolis, MN
View Profile

ICSE '00: Proceedings of the 22nd international conference on Software engineeringJune 2000Pages 488–497https://doi.org/10.1145/337180.337364

Published:01 June 2000Publication History

ICSE '00: Proceedings of the 22nd international conference on Software engineering

Pages 488–497

ABSTRACT

This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking could be used to find a subtle implementation error that was originally discovered and fixed during the standard formal review process. To conduct the experiment, a core slice of the DEOS scheduling kernel was first translated without abstraction from C++ into Promela (the input language for Spin). We constructed an abstract “test-driver” environment and carefully introduced several abstractions into the system to support verification. Several experiments were run to attempt to verify that the system implementation adhered to the critical time partitioning requirements. During these experiments, the known error was rediscovered in the time partitioning implementation. We believe this case study provides several insights into how to develop cost-effective methods and tools to support the software design and implementation review process.

References

1.R. J. Anderson, P. Beame, S. Burns, W. Chan, F. Modugno, D. Notkin, and J. D. Reese. Model checking large software specifications. In Proceedings of the 4th ACM SIGSOFT Symposium on the Foundations of Software Engineering, volume 21 of SIGSOFT Software Engineering Notes, pages 156-166. ACM, October 1996.]] Google ScholarDigital Library
2.Pam Binns. Design document for slack scheduling in deos, draft alpha.3. Honeywell, September 1998.]]Google Scholar
3.W. Chan, R. Andersen, P. Beame, D. Jones, D. Notkin, and W. Warner. Decoupling Synchronization from Local control for Efficient Symbolic Model Checking of Statecharts. In ICSE 21, pages 142-151, Los Angeles, May 1999.]] Google ScholarDigital Library
4.E. Clarke, O. Grumberg, and D. Long. Verification Tools for Finite-State Concurrent Systems. In A Decade of Concurrency: Reflections and Perspectives, Lecture Notes in Computer Science 803, 1993.]] Google ScholarDigital Library
5.E. Clarke, O. Grumberg, and D. Long. Model checking and abstraction. ACM Translactions on Program Languages and Systems, 16(4), sep 1994.]] Google ScholarDigital Library
6.E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, April 1986.]] Google ScholarDigital Library
7.Z. Dang and R. Kemmerer. Using the ASTRAL Model Checker to Analyze Mobile IP. In Proceedings of the 21st International Conference on Software Engineering, pages 132-141, Los Angeles, May 1999.]] Google ScholarDigital Library
8.S. Das, D. Dill, and S. Park. Experience with predicate abstraction. In Proceedings of CAV'99, pages 160-171, 1999. Lecture Notes in Computer Science 1633.]] Google ScholarDigital Library
9.C. Demartini, R. Iosif, and R. Sisto. dSPIN: A Dynamic Extension of SPIN. In Proceedings of the 6th SPIN Workshop, Lecture Notes in Computer Science 1680, 1999.]] Google ScholarDigital Library
10.M. Dwyer and C. Pasareanu. Filter-based model checking of partial systems. In Proceedings of the 6th ACM SIGSOFT Symposium on the Foundations of Software Engineering. ACM SIGSOFT, November 1998.]] Google ScholarDigital Library
11.S. Graf and H. Saidi. Construction of abstract state graphs with PVS. In Proceedings of the 9th International Conference on Computer Aided Vericifaction, Lecture Notes in Computer Science 1254, pages 72-83, 1997.]] Google Scholar
12.J. Hatcliff, M. Dwyer, S. Laubach, and D. Schmidt. Staging static analyses using abstraction-based program specialization. In LNCS 1490 Principles of Declarative Programming: 10th International Symposium, sep 1998.]] Google ScholarDigital Library
13.K. Havelund and T. Pressburger. Model checking java programs using java pathfinder. International Journal on Software Tools for Technology Transfer, 1999.]]Google Scholar
14.G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, 1997.]] Google ScholarDigital Library
15.G. Holzmann and M. Smith. Software model checking - Extracting verification models from source code. In Formal Methods for Protocol Engineering and Distributed Systems, pages 481-497. Kluwer, October 1999.]] Google Scholar
16.J. Penix, W. Visser, E. Engstrom, A. Larson, and N. Weininger. Translation and verification of the DEOS scheduling kernel. Technical report, NASA Ames Research Center / Honeywell Technology Center, October 1999.]]Google Scholar
17.C. P~ as~ areanu, M. Dwyer, and M. Huth. Assumeguarantee model checking of software: A comparative case study. In Proceedings of the 6th SPIN Workshop, Lecture Notes in Computer Science 1680, 1999.]] Google ScholarDigital Library
18.J.P. Queille and J. Sifakis. Specification and Verification of Concurrent Systems in CESAR. In Interna-tional Symposium on Programming, Lecture Notes in Computer Science 137, 1982.]] Google ScholarDigital Library
19.RTCA Special Committee 167. Software considerations in airborne systems and equipment certification. Technical Report DO-178B, RTCA, Inc., dec 1992.]]Google Scholar
20.T. Uribe. Abstraction-based Deductive-Algorithmic Verification of Reactive Systems. PhD thesis, Stanford University, April 1999.]] Google ScholarDigital Library
21.W. Visser, K. Havelund, and J. Penix. Adding Active Objects to SPIN. In Proceedings of the 5th SPIN Workshop, Trento, Italy, July 1999.]]Google Scholar

Index Terms

Recommendations

Verifying Time Partitioning in the DEOS Scheduling Kernel

This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking with ...
Read More
Automated verification of the FreeRTOS scheduler in Hip/Sleek

Automated verification of operating system kernels is a challenging problem, partly due to the use of shared mutable data structures. In this paper, we show how we can automatically verify memory safety and functional correctness properties of the task ...
Read More
Automated Verification of the FreeRTOS Scheduler in HIP/SLEEK
TASE '12: Proceedings of the 2012 Sixth International Symposium on Theoretical Aspects of Software Engineering

Automated verification of operating system kernels is a challenging problem, partly due to the use of shared mutable data structures. In this paper, we show how we can automatically verify memory safety and functional correctness of the task scheduler ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICSE '00: Proceedings of the 22nd international conference on Software engineering
June 2000
843 pages
ISBN:1581132069
DOI:10.1145/337180
Chairmen:
Carlo Ghezzi
Politecnico di Milano, Milau, Italy
,
Mehdi Jazayeri
Technical Univ. of Vienna, Vienna, Austria
,
Alexander L. Wolf
Univ. of Colorado, Boulder, USA
Copyright © 2000 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 June 2000
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate276of1,856submissions,15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 62
  Total Citations
  View Citations
- 476
  Total Downloads
- Downloads (Last 12 months)25
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Verification of time partitioning in the DEOS scheduler kernel

ICSE '00: Proceedings of the 22nd international conference on Software engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Verifying Time Partitioning in the DEOS Scheduling Kernel

Automated verification of the FreeRTOS scheduler in Hip/Sleek

Automated Verification of the FreeRTOS Scheduler in HIP/SLEEK