Formal Verification of a Timing Enforcer Implementation

Abstract
A timing enforcer is a scheduler that not only allocates CPU cycles to threads, but also uses timers to enforce time budgets. An approach for verifying safety properties of timing enforcers at the source code level is presented. We assume that the enforcer is implemented as a set of “enforcer” functions that are executed atomically on critical system-level events, such as the arrival and departure of jobs, and triggering of timers. The key idea is to express the safety property as an invariant, and prove that it is inductive across all the enforcer functions. A formal semantics of timing enforcers is presented, including the semantics of functions used to read the system clock and set timers. Using this semantics, the verification approach is presented, and its soundness proved. Further, the approach also takes into consideration the periodicity of tasks. It is validated by proving the correctness of the enforcement of CPU cycle budgets for tasks by the Zero-Slack Rate Monotonic (zsrm) scheduler, which is implemented in C as a Linux kernel module. The inductiveness of the necessary zsrm invariants is proved by expressing them as function contracts using the acsl specification language, and verifying the contracts using the frama-c tool.
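The abstract describes the method at a high level: model each system-level event as an atomic enforcer function, state the safety property as an invariant, and show it is inductive across every enforcer. The C below is an added, self-contained toy of that shape, written for this page; it is not the paper's zsrm kernel module and the names (`enforcer_t`, `on_arrival`, `on_timer`, `on_departure`, `replay`, the tick-based clock and the event trace) are all hypothetical. The ACSL predicate and function contracts are illustrative annotations in the style the abstract mentions, written so that Frama-C/WP could check them; an ordinary C compiler treats them as comments, and the executable `check_inv` twin plus `replay` let the reader watch the invariant hold at every step of a constructed trace. The departure contract also makes the one clock/timer assumption explicit that the inductiveness argument relies on: an armed timer fires no later than its expiry, so a departure handler never observes a clock past it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy timing enforcer: one CPU, at most one dispatched job, one budget
 * timer.  All names and the event format are hypothetical (not the paper's code). */
#define MAX_TASKS 4
#define NO_TASK   (-1)

typedef struct {
    uint32_t budget;    /* CPU ticks the task may consume */
    uint32_t consumed;  /* ticks charged to it so far */
    uint32_t start;     /* clock reading at its last dispatch */
} task_t;

typedef struct {
    task_t   tasks[MAX_TASKS];
    int      running;       /* index of the dispatched task, or NO_TASK */
    int      timer_armed;   /* 1 while the budget timer is set */
    uint32_t timer_expiry;  /* absolute tick at which it fires */
} enforcer_t;

/* The safety property as an ACSL predicate: no task exceeds its budget, the timer is
 * armed exactly while a task runs, and it is set to fire when the remaining budget
 * is used up.  Frama-C/WP would prove the contracts below against it. */
/*@ predicate inv(enforcer_t *e) =
      (\forall integer i; 0 <= i < MAX_TASKS ==>
          e->tasks[i].consumed <= e->tasks[i].budget)
      && (e->running == NO_TASK ==> e->timer_armed == 0)
      && (e->running != NO_TASK ==>
          0 <= e->running < MAX_TASKS && e->timer_armed == 1
          && e->timer_expiry == e->tasks[e->running].start
             + (e->tasks[e->running].budget - e->tasks[e->running].consumed));
*/

/* Executable twin of inv(), used to check a trace at run time. */
int check_inv(const enforcer_t *e) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (e->tasks[i].consumed > e->tasks[i].budget) return 0;
    if (e->running == NO_TASK) return e->timer_armed == 0;
    if (e->running < 0 || e->running >= MAX_TASKS || e->timer_armed != 1) return 0;
    const task_t *t = &e->tasks[e->running];
    return e->timer_expiry == t->start + (t->budget - t->consumed);
}

void init_enforcer(enforcer_t *e, const uint32_t budgets[MAX_TASKS]) {
    for (int i = 0; i < MAX_TASKS; i++) {
        e->tasks[i].budget = budgets[i];
        e->tasks[i].consumed = 0;
        e->tasks[i].start = 0;
    }
    e->running = NO_TASK; e->timer_armed = 0; e->timer_expiry = 0;
}

/* Enforcer for job arrival: dispatch on an idle CPU and arm the timer for the
 * remaining budget (the set_timer step).  Returns 0 if the job was not dispatched. */
/*@ requires \valid(e) && inv(e) && 0 <= tid < MAX_TASKS;
    ensures  inv(e); */
int on_arrival(enforcer_t *e, int tid, uint32_t now) {
    task_t *t = &e->tasks[tid];
    if (e->running != NO_TASK || t->consumed >= t->budget) return 0;
    t->start = now;
    e->running = tid;
    e->timer_expiry = now + (t->budget - t->consumed);
    e->timer_armed = 1;
    return 1;
}

/* Enforcer for timer expiry: the whole budget is gone, charge it and stop the job. */
/*@ requires \valid(e) && inv(e) && e->timer_armed == 1;
    ensures  inv(e) && e->running == NO_TASK; */
void on_timer(enforcer_t *e) {
    task_t *t = &e->tasks[e->running];
    t->consumed = t->budget;
    e->running = NO_TASK;
    e->timer_armed = 0;
}

/* Enforcer for job departure.  The precondition now <= timer_expiry is the timer
 * semantics (an armed timer fires no later than its expiry); it is exactly what
 * keeps consumed <= budget inductive through the charge below. */
/*@ requires \valid(e) && inv(e) && e->running != NO_TASK
             && e->tasks[e->running].start <= now <= e->timer_expiry;
    ensures  inv(e) && e->running == NO_TASK; */
void on_departure(enforcer_t *e, uint32_t now) {
    task_t *t = &e->tasks[e->running];
    t->consumed += now - t->start;
    e->running = NO_TASK;
    e->timer_armed = 0;
}

typedef struct { char kind; int tid; uint32_t at; } event_t;  /* 'A'rrival or 'D'eparture */

/* Replays a trace, firing the timer before any event at or past its expiry, and
 * checks the invariant after every enforcer call.  Returns how many calls it
 * survived, or -1 at the first violation. */
int replay(enforcer_t *e, const event_t *ev, size_t n) {
    int steps = 0;
    for (size_t i = 0; i < n; i++) {
        if (e->timer_armed && ev[i].at >= e->timer_expiry) {
            on_timer(e);
            if (!check_inv(e)) return -1;
            steps++;
        }
        if (ev[i].kind == 'A') on_arrival(e, ev[i].tid, ev[i].at);
        else if (ev[i].kind == 'D' && e->running == ev[i].tid) on_departure(e, ev[i].at);
        if (!check_inv(e)) return -1;
        steps++;
    }
    return steps;
}

/* Constructed scenario: task 0 has budget 3, task 1 budget 5.  Task 1 overruns and
 * is cut off by the timer at tick 7; task 0 uses its last tick exactly at tick 11. */
int demo_run(enforcer_t *e) {
    static const uint32_t budgets[MAX_TASKS] = {3, 5, 0, 0};
    static const event_t trace[] = {
        {'A', 0, 0}, {'D', 0, 2}, {'A', 1, 2}, {'D', 1, 9}, {'A', 0, 10}, {'D', 0, 11},
    };
    init_enforcer(e, budgets);
    return replay(e, trace, sizeof trace / sizeof trace[0]);
}
int demo_steps(void) { enforcer_t e; return demo_run(&e); }
uint32_t demo_consumed(int tid) { enforcer_t e; demo_run(&e); return e.tasks[tid].consumed; }
```

On the constructed trace `demo_steps()` returns 8 (six events plus two timer firings, the invariant holding after each), and both tasks end with `consumed` equal to their budget: the overrunning task 1 was stopped by the timer at tick 7 rather than at its departure at tick 9. Checking the trace this way only exercises one run; the point of the contracts is that a deductive tool proves `inv` is re-established by every enforcer for all states satisfying it, which is the inductiveness the abstract refers to.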