Abstract
A timing enforcer is a scheduler that not only allocates CPU cycles to threads but also uses timers to enforce time budgets. An approach for verifying safety properties of timing enforcers at the source code level is presented. We assume that the enforcer is implemented as a set of entry functions that are executed atomically on critical system-level events, such as the arrival and departure of periodic jobs. The key idea is to express the safety property as an invariant and to prove that it is inductive across all the entry functions. The approach is validated by proving correctness of the enforcement of CPU cycle budgets for tasks by a mixed-criticality scheduler called ZSRM that is implemented in C. The inductiveness of the necessary ZSRM invariants is proved by expressing them as function contracts in the ACSL specification language and verifying the contracts with the Frama-C tool.
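The following is an added example, not the ZSRM source or any code from the paper, showing the shape of the approach the abstract describes: a toy budget enforcer in C whose entry functions (job arrival, job departure, budget-timer expiry, clock tick) each carry an ACSL contract that requires and ensures one global predicate, enforcer_inv. The safety property is the first conjunct (no task consumes more than its budget); the remaining conjuncts are the auxiliary facts about the timer that are needed to make the property inductive. All names, the task model and the scenario are assumptions; the ACSL annotations compile as ordinary comments, and no claim is made that Frama-C/WP discharges them exactly as written (assigns clauses are omitted and integer overflow is not addressed):

```c
#include <stdint.h>

#define NTASKS 3

struct task {
    uint32_t budget, used;   /* cycles allowed per period / consumed so far */
    int active, suspended;   /* job present / budget exhausted until next arrival */
    int timer_armed;         /* enforcement timer armed (running task only) */
    uint32_t timer_at;       /* absolute time at which that timer fires */
};

static struct task tasks[NTASKS];
static uint32_t now;         /* current time in cycles */
static int current = -1;     /* running task, -1 when idle */

/* Safety property plus the auxiliary facts that make it inductive: the
 * running task still has budget left and its timer fires exactly when that
 * budget is gone; no other task has a timer armed.  (Constructed example.) */
/*@ predicate task_inv(integer i) =
  @   tasks[i].used <= tasks[i].budget &&
  @   (tasks[i].timer_armed != 0 <==> current == i) &&
  @   (current == i ==> tasks[i].used < tasks[i].budget &&
  @       tasks[i].timer_at == now + (tasks[i].budget - tasks[i].used));
  @ predicate enforcer_inv = -1 <= current < NTASKS &&
  @   (\forall integer i; 0 <= i < NTASKS ==> task_inv(i));
  @*/

/* Run task i and arm its timer for exactly the remaining budget. */
static void dispatch(int i) {
    current = i;
    tasks[i].timer_armed = 1;
    tasks[i].timer_at = now + (tasks[i].budget - tasks[i].used);
}

/* Run the lowest-index task that still has budget; stay idle otherwise. */
static void dispatch_next(void) {
    for (int j = 0; j < NTASKS; j++)
        if (tasks[j].active && !tasks[j].suspended && tasks[j].used < tasks[j].budget) {
            dispatch(j);
            return;
        }
}

void enforcer_init(const uint32_t budgets[NTASKS]) {
    for (int i = 0; i < NTASKS; i++) {
        struct task t = { budgets[i], 0, 0, 0, 0, 0 };
        tasks[i] = t;
    }
    now = 0;
    current = -1;
}

/*@ requires 0 <= i < NTASKS && enforcer_inv;  ensures enforcer_inv; */
void on_job_arrival(int i) {
    tasks[i].active = 1;
    tasks[i].suspended = 0;
    tasks[i].used = 0;                  /* fresh budget for the new period */
    if (current == i) dispatch(i);      /* re-arm so timer_at tracks used */
    else if (current < 0) dispatch_next();
}

/*@ requires 0 <= i < NTASKS && enforcer_inv;  ensures enforcer_inv; */
void on_job_departure(int i) {
    tasks[i].active = 0;
    if (current == i) {
        tasks[i].timer_armed = 0;
        current = -1;
        dispatch_next();
    }
}

/*@ requires enforcer_inv && current == i && tasks[i].timer_at == now;
  @ ensures  enforcer_inv && tasks[i].suspended != 0; */
void on_budget_expired(int i) {      /* timer handler: budget is exhausted */
    tasks[i].timer_armed = 0;
    tasks[i].suspended = 1;
    current = -1;
    dispatch_next();
}

/*@ requires enforcer_inv;  ensures enforcer_inv; */
void on_tick(void) {
    now++;
    if (current >= 0) {
        int i = current;
        tasks[i].used++;
        if (tasks[i].timer_at == now) on_budget_expired(i);
    }
}

/* Executable mirror of enforcer_inv, for checking the model at run time. */
int enforcer_inv_holds(void) {
    if (current < -1 || current >= NTASKS) return 0;
    for (int i = 0; i < NTASKS; i++) {
        const struct task *t = &tasks[i];
        if (t->used > t->budget || (t->timer_armed != 0) != (current == i)) return 0;
        if (current == i && (t->used >= t->budget ||
                             t->timer_at != now + (t->budget - t->used))) return 0;
    }
    return 1;
}

uint32_t task_used(int i) { return tasks[i].used; }

/* Constructed scenario: budgets 3, 2 and 0, all jobs arrive at time 0, six
 * ticks, then job 0 departs.  Returns 1 if the invariant held after every
 * entry call, i.e. no task ever ran past its budget. */
int run_scenario(void) {
    static const uint32_t budgets[NTASKS] = { 3, 2, 0 };
    enforcer_init(budgets);
    int ok = enforcer_inv_holds();
    for (int i = 0; i < NTASKS; i++) { on_job_arrival(i); ok &= enforcer_inv_holds(); }
    for (int k = 0; k < 6; k++)      { on_tick();          ok &= enforcer_inv_holds(); }
    on_job_departure(0);
    return ok & enforcer_inv_holds();
}
```

The point of the contracts is that every entry function is verified in isolation against the same predicate, so proving each contract is exactly the inductiveness argument; the strengthening clauses (timer armed iff running, timer_at equal to now plus remaining budget) are what a first attempt with only `used <= budget` would fail to prove for on_tick, because nothing would then connect the timer to the budget.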
References
- M. Abadi and L. Lamport. An Old-Fashioned Recipe for Real-Time. TOPLAS, 16(5), 1994.
- ACSL website. http://frama-c.com/acsl.html
- AdaCore. Ada 2012: Contracts and Aspects, 2012. http://www.adacore.com/uploads/technical-papers/Ada2012 Rationale Chp1 contracts and aspects.pdf
- E. Cohen, M. Dahlweid, M. A. Hillebrand, D. Leinenbach, M. Moskal, T. Santen, W. Schulte, and S. Tobies. VCC: A Practical System for Verifying Concurrent C. In Proc. of TPHOLs, 2009.
- D. de Niz, K. Lakshmanan, and R. Rajkumar. On the Scheduling of Mixed-Criticality Real-Time Task Sets. In Proc. of RTSS, 2009.
- Frama-C website. http://frama-c.com
- C. A. R. Hoare. An Axiomatic Basis for Computer Programming. CACM, 12(10), 1969.
- G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal Verification of an OS Kernel. In Proc. of SOSP, 2009.
- C. L. Liu and J. W. Layland. Scheduling Algorithms for Multiprogramming in a Hard-Real-Time Environment. JACM, 20(1), 1973.
- J. Tschannen, C. A. Furia, M. Nordio, and N. Polikarpova. AutoProof: Auto-Active Functional Verification of Object-Oriented Programs. In Proc. of TACAS, 2015.
Index Terms (auto-classified)
Contract-Based Verification of Timing Enforcers: [Extended Abstract]