The correctness of a distributed real-time system

In this thesis we review and extend the pervasive correctness proof for an asynchronous distributed real-time system published in [KP07a]. We take a two-step approach. First, we argue about a single electronic control unit (ECU) consisting of a processor (running the OSEKtime-like operating system OLOS) and a FlexRay-like interface called the automotive bus controller (ABC). Among other things, we extend [KP07a] with a local OLOS model [Kna08] and go into detail regarding the handling of interrupts and the treatment of devices. Second, we connect several ECUs via their ABCs and reason about the complete distributed system, see also [KP07b]. Note that the formalization of scheduling correctness is reported in [ABK08b]. Through several abstraction layers we prove the correctness of the distributed system with respect to a new lock-step model, COA, that completely abstracts from the ABCs. By establishing the DISTR model [Kna08] it becomes possible to reuse the arguments from the first part of this thesis literally, and therefore to simplify the analysis of the complete distributed system. To illustrate the applicability of DISTR, we have formally proven the top-level correctness theorem in the theorem prover Isabelle/HOL. Throughout the thesis we tie together theorems regarding the processor, the ABC, the compiler, the microkernel, the operating system, and the worst-case execution time analysis of applications and systems software.
