Abstract
Interrupt-driven software is difficult to test and debug, especially when interrupts can be nested and subject to priorities. Interrupts can arrive at arbitrary times, leading to an exponential blow-up in the number of cases to consider. We present a new formal approach to verifying interrupt-driven software based on symbolic execution. The approach leverages recent advances in the encoding of the execution traces of interacting, concurrent threads. We assess the performance of our method on benchmarks drawn from embedded systems code and device drivers, and experimentally compare it to conventional approaches that use source-to-source transformations. Our results show that our method significantly outperforms these techniques. To the best of our knowledge, our work is the first to demonstrate effective verification of low-level embedded software with nested interrupts.
Effective Verification for Low-Level Software with Competing Interrupts