Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Haibin Cai,Hao Wu

DOI: https://doi.org/10.1007/s10586-017-1319-0

2018-01-01

Cluster Computing

Abstract:Modern smart phones are typically equipped with multicore processors. In this paper, we address the problem of determining schedulability of a real-time periodic taskset with fixed release offsets and possible release jitters on a multicore processor with global Fixed-Priority (FP) or EDF (Earliest Deadline First) scheduling algorithms, using the model-checker UPPAAL for Timed Automata. In addition to yes/no schedulability analysis for hard real-time systems, we also apply statistical model checking to estimate the probability of unschedulability for soft real-time systems, described with two statistical parameters (confidence and accuracy).

Ke Xu,Yuexuan Wang,Cheng Wu

DOI: https://doi.org/10.1007/11745693_53

2006-01-01

Abstract:Ensuring the reliability and robustness of complex scientific grid applications is a critical issue for managing and sharing expensive scientific instruments. However, guaranteeing the correct processing of grid applications under all circumstances is difficult and not fully addressed by existing grid infrastructure. Hidden flaws in the applications including unexpected internal behaviors, dissatisfaction of real-time constraints, incompatibility in service interactions, etc may lead to subtle failures in grid systems. This work tries to enhance the trustworthiness of grid applications by investigating existing formal techniques and their extensions. A formal framework based on extensions of Pi calculus is proposed which also integrates formal techniques of model checking and bisimulation analysis to enable the reasoning of grid applications from three perspectives: data, time and behavior. In addition, both application examples and our current implementation architecture are also concluded.

Wei Sheng,Gangyong Jia,Li Xi,Xuehai Zhou

DOI: https://doi.org/10.1109/ICCSN.2011.6013976

2011-01-01

Abstract:In this paper, we propose a method to verify whether a model is consistent to the scheduling point constraints in OSEK specification for non preemptive tasks. A simple operating system model is constructed and used to be the verification object. For verification, we build an auxiliary task set to interact with OS model, which makes the violation of scheduling point constraints appear. The property LTL formulae are generated from the constraints, which are verified by model checker SPIN. It is shown that our method can detect design mistakes. © 2011 IEEE.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.1109/ICCASM.2010.5620084

2010-01-01

Abstract:A modeling and verification methodology is presented for railway interlocking system which is regarded as a safety-critical system. The methodology utilizes UML (Unified Modeling Language) to model the function requirement and FSM (Finite State Machine) to verify the safety requirements of the specification. The device specifications of railway interlocking system are modeled with UML, and dynamic behaviors of the device and whole system are modeled with FSM, the safety specification is translated LTL (Linear Temporal Logic) and analyzed with NuSMV. We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.2991/iccasm.2012.212

2012-01-01

Abstract:A verification methodology is presented for railway interlocking system which is regarded as a safety-critical system.The methodology utilizes UML to model the function requirement and LTL to verify the safety requirements of the specification.The device specifications of railway interlocking system are modeled with UML, then translate into FSM.The safety specification is translated LTL and analyzed with NuSMV.We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Gang Ren,Pan Deng,Chao Yang,Jianwei Zhang,Qingsong Hua

DOI: https://doi.org/10.1007/978-3-319-38904-2_33

2015-01-01

Abstract:In recent year, distributed systems have become a mainstream paradigm in industry and how to ensure correctness and reliability is a great challenge for practicing engineers. Therefore, in this paper a formal approach is proposed for modelling and verification of distributed systems, which integrates UML sequence diagram, pi-calculus and NuSMV within one framework. Moreover, the practicality of the proposed approach is illuminated though a case study of scheduling road emergency service.

Xiaoying Bai,Ming Wang,Hao Lu,Weitek Tsai

2012-01-01

Abstract:A systematic approach for modeling and verifying timing constraints was developed to ensure timing constraints in the real-time systems. The approach defines the basic time concepts and gives a timing constraint model based on the simple temporal problem-improved (STP-I) method. A verification algorithm is given for consistence checking of the constraint graph model using a constraint resolver. A transformation mechanism is also given to transform complex timing constraints to basic expressions. A case study of a real-time data process unit (DPU) system illustrates the approach. This approach gives a more systematic analysis of typical fault models for real-time systems than existing designs, hence it can model the constraints more accurately using the concepts of time points and time intervals that facilitate effective time defect detection.

Li Li,Jun Sun,Yang Liu,Meng Sun,Jin Song Dong

DOI: https://doi.org/10.1109/TSE.2017.2712621

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:Nowadays, protocols often use time to provide better security. For instance, critical credentials are often associated with expiry dates in system designs. However, using time correctly in protocol design is challenging, due to the lack of time related formal specification and verification techniques. Thus, we propose a comprehensive analysis framework to formally specify as well as automatically ...

Jin Lv,Yongxin Zhao,Xi Wu,Yongjian Li,Qiang Wang

DOI: https://doi.org/10.1109/tr.2020.3026689

IF: 5.883

2021-09-01

IEEE Transactions on Reliability

Abstract:Time sensitive networking (TSN) is an emerging technology for in-vehicle networks, which has strict timing constraints and dependability requirements. The performance and efficiency of TSN depend on a reliable scheduling mechanism for real-time communications. Traditionally, the TSN scheduler is analyzed using simulations and testing, which are error-prone and inaccurate. In this article, we employ a timed model checker UPPAAL to formally model and analyze the TSN scheduler with a consideration of its transmission latency and time utilization. We first use the build-in assertion in UPPAAL to verify the deadlock-free property, safety property, and starvation-free property of our model. Then, we calculate the time utilization and the transmission delay of audio video bridging data frame under two scheduling mechanisms according to the simulation process. Then, we compared the time performance of this two scheduling mechanisms and found that each of them has their own advantages and disadvantages. This article provides a formal analysis framework for investigating scheduling strategies in TSN, which facilitates the designers to have a better understanding and development of TSN schedulers in the future.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Qian-Qian Lin,Shu-Ling Wang,Bo-Hua Zhan,Bin Gu

DOI: https://doi.org/10.1007/s11390-020-0537-8

IF: 1.871

2020-11-01

Journal of Computer Science and Technology

Abstract:Real-Time Publish and Subscribe (RTPS) protocol is a protocol for implementing message exchange over an unreliable transport in data distribution service (DDS). Formal modelling and verification of the protocol provide stronger guarantees of its correctness and efficiency than testing alone. In this paper, we build formal models for the RTPS protocol using Uppaal and Simulink/Stateflow. Modelling using Simulink/Stateflow allows analyzing the protocol through simulation, as well as generate executable code. Modelling using Uppaal allows us to verify properties of the model stated in TCTL (Timed Computation Tree Logic), as well as estimate its performance using statistical model checking. We further describe a procedure for translation from Stateflow to timed automata, where a subset of major features in Stateflow is supported, and prove the soundness statement that the Stateflow model is a refinement of the translated timed automata model. As a consequence, any property in a certain fragment of TCTL that we have verified for the timed automata model in Uppaal is preserved for the original Stateflow model.

computer science, software engineering, hardware & architecture

HU Jun,YU Xiao-Feng,ZHANG Yan,LI Xuan-Dong,ZHENG Guo-Liang

DOI: https://doi.org/10.1360/jos170048

2006-01-01

Journal of Software

Abstract:For real-time software systems, this paper considers the problem of checking component-based designs for timing scenario-based specifications, which is one of the challenges in real-time computing domain. Firstly the timing scenario-based specifications are specified by UML sequence diagrams with a set of boolean expressions, then the interface automata for modeling real time systems through adding time intervals on the actions is extened. The component-based designs are modeled by a real-time interface automaton network which contains a set of real-time interface automata synchronized by shared actions. Based on analyzing the compatible integer state space of a real-time interface automata network, a corresponding reachability graph is constructed and finally an algorithm for checking the consistency between the real-time component-based designs and the timing scenario-based specifications is developed.

M Zhu,JN Bian,WM Wu

DOI: https://doi.org/10.1016/j.compind.2006.04.006

IF: 10

2006-01-01

Computers in Industry

Abstract:The conventional methods cannot easily handle the verification task of increasingly complex hardware designs. This research proposes a novel collaborative scheme for verifying functional properties of a design. The classified properties are designed for three verification engines, i.e. module simulation, BDD-based (Binary Decision Diagram) model checking and CDFG (Control Data Flow Graph) static analysis. The cooperative scheme is performed on a refined model from CDFG structure and three methods are employed to complete the properties verification interactively and collectively. For speeding up the verification process, optimization techniques are introduced, such as variables reordering, properties pre-grouping, and model refining. The benchmarks ITC'99 (International Test Conference) are used to demonstrate the validity and practicality of the collaborative scheme.

Yu Jiang,Yixiao Yang,Han Liu,Hui Kong,Ming Gu,Jiaguang Sun,Lui Sha

DOI: https://doi.org/10.1109/rtas.2016.7461337

2016-01-01

Abstract:Simulink is widely used for model driven development (MDD) of industrial software systems. Typically, the Simulink based development is initiated from Stateflow modeling, followed by simulation, validation and code generation mapped to physical execution platforms. However, recent industrial trends have raised the demands of rigorous verification on safety-critical applications, which is unfortunately challenging for Simulink. In this paper, we present an approach to bridge the Stateflow based model driven development and a well- defined rigorous verification. First, we develop a self- contained toolkit to translate Stateflow model into timed automata, where major advanced modeling features in Stateflow are supported. Taking advantage of the strong verification capability of Uppaal, we can not only find bugs in Stateflow models which are missed by Simulink Design Verifier, but also check more important temporal properties. Next, we customize a runtime verifier for the generated nonintrusive VHDL and C code of Stateflow model for monitoring. The major strength of the customization is the flexibility to collect and analyze runtime properties with a pure software monitor, which opens more opportunities for engineers to achieve high reliability of the target system compared with the traditional act that only relies on Simulink Polyspace. We incorporate these two parts into original Stateflow based MDD seamlessly. In this way, safety-critical properties are both verified at the model level, and at the consistent system implementation level with physical execution environment in consideration. We apply our approach on a train controller design, and the verified implementation is tested and deployed on a real hardware platform.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

Mohammed Foughali,Alexander Zuepke

DOI: https://doi.org/10.3389/frobt.2022.791757

2022-04-13

Abstract:Due to the severe consequences of their possible failure, robotic systems must be rigorously verified as to guarantee that their behavior is correct and safe. Such verification, carried out on a model, needs to cover various behavioral properties (e.g., safety and liveness), but also, given the timing constraints of robotic missions, real-time properties (e.g., schedulability and bounded response). In addition, in order to obtain valid and useful verification results, the model must faithfully represent the underlying robotic system and should therefore take into account all possible behaviors of the robotic software under the actual hardware and OS constraints (e.g., the scheduling policy and the number of cores). These requirements put the rigorous verification of robotic systems at the intersection of at least three communities: the robotic community, the formal methods community, and the real-time systems community. Verifying robotic systems is thus a complex, interdisciplinary task that involves a number of disciplines/techniques (e.g., model checking, schedulability analysis, component-based design) and faces a number of challenges (e.g., formalization, automation, scalability). For instance, the use of formal verification (formal methods community) is hindered by the state-space explosion problem, whereas schedulability analysis (real-time systems) is not suitable for behavioral properties. Moreover, current real-time implementations of robotic software are limited in terms of predictability and efficiency, leading to, e.g., unnecessary latencies. This is flagrant, in particular, at the level of locking protocols in robotic software. Such situation may benefit from major theoretical and practical findings of the real-time systems community. In this paper, we propose an interdisciplinary approach that, by joining forces of the different communities, provides a scalable and unified means to efficiently implement and rigorously verify real-time robots. First, we propose a scalable two-step verification solution that combines formal methods and schedulability analysis to verify both behavioral and real-time properties. Second, we devise a new multi-resource locking mechanism that is efficient, predictable, and suitable for real-time robots and show how it improves the latter's real-time behavior. In both cases, we show, using a real drone example, how our approach compares favorably to that in the literature. This paper is a major extension of the RTCSA 2020 publication "A Two-Step Hybrid Approach for Verifying Real-Time Robotic Systems."

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

Yu Jiang,Hehua Zhang,Xiaoyu Song,William N. N. Hung,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/compsac.2013.89

2013-01-01

Abstract:The train control system is a safety-critical embedded system. In this system, all buses and devices share the real time communication protocol, which is described in the standard IEC 61375. Many systems that comply the standard have been implemented and used in the real world railway, however, their safety checking is highly nontrivial. In this paper, we focus on the formal verification and implementation of the protocol described in the standard. The protocol is modeled as a network of timed automata, which are synchronized to describe the procedure of connection establishment and data transmission among vehicles. The stochastic factors such as time delay and packet loss are modeled in the channel module. Afterwards, we abstract some safety critical properties that are important to guarantee the correctness of the protocol. These properties are verified with the model checker Uppaal. Two properties are violated in the verification, and two corresponding bugs in the standard are fixed and proposed to the IEC. In order to prove the bugs we find, we implement two versions of the standard. The first is for the original description of the standard, and the second is for our fixed description. Both versions are tested with the D113 (a widely used general Multifunction Vehicle Bus control system implemented by the Duagon company), and we find that the second version works well, while the first fails. The second version for the fixed protocol is now used in the real world subway.

Lu Chen,Jian Jiao,Jiping Fan,Fuchun Ren

DOI: https://doi.org/10.1109/rams.2016.7447978

2016-01-01

Abstract:Fault propagation identification is an indispensable task in complex system safety analysis. With the growing of system scale and complexity, it is hard for the traditional safety analysis techniques, which depend mainly on analysts' personal skills and experiences, to keep completeness and timeliness; moreover, some failure modes may be neglected and failure effects misjudged during the analysis. Formal science provides a new way to solve this problem, where formal verification method such as model checking can automatically validate whether the system design satisfies the given safety requirements, which can reduce an analysts' repetitive work and design cost, and improve the efficiency and quality of safety analysis. However, there is lack of a deliberate and reasonable way to build system models because of the diversity and flexibility of languages used for model checking, which results in that it is difficult to specify and model system quickly and accurately, and leads to some deviation in model checking. In this paper, a system modeling and safety property specifying approach using symbolic language SMV is proposed, including guidance on the mapping relationships between the formal language elements and system functions, architecture and failure modes; moreover, how to define system specifications and safety requirements using temporal logic formulas is discussed as well. Finally, a case study about airborne system safety analysis is provided, in which the counter-examples that do not meet system specifications can be identified automatically using model checker NuSMV to find out fault events and their propagation that can result in accidents.