Real-Time System Verification by k-Induction

We report the first formal verification of a reintegration protocol for a safety-critical, fault-tolerant, real-time distributed embedded system. A reintegration protocol increases system survivability by allowing a node that has suffered a transient fault to regain state consistent with the operational nodes. The protocol is verified in the Symbolic Analysis Laboratory (SAL), where bounded model checking and decision procedures are used to verify infinite-state systems by k-induction. The protocol and its environment are modeled as synchronizing timeout automata. Because the cost of k-induction grows exponentially with k, we optimize the formal model to reduce the k needed to prove the safety property. In addition, the reintegrator's event-triggered behavior is conservatively modeled as time-triggered behavior, which further reduces k and makes it independent of the number of nodes modeled. A corollary of the verification is that a clique avoidance property is satisfied.
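The abstract's central technique, and the reason the model had to be optimized, is easier to see on a toy. The block below is an added example, not code from the paper, from SAL or from any real reintegration protocol: it implements k-induction by explicit enumeration over a small, hypothetical timeout-automaton-style node (a reintegrator that waits up to `RECV_TIMEOUT` ticks for a synchronization frame, which may arrive on any tick, then transmits for `SEND_TIMEOUT` ticks), standing in for the SAT/decision-procedure encoding SAL uses on infinite-state models. All names, timeouts and the finite timer bound are assumptions made for the example. The inductive step deliberately starts paths from every state, reachable or not, which is why the weak property `timer_bounded` needs k = 3 while the strengthened invariant `strengthened` is proved at k = 1: the gap between what the property allows and what the mechanism actually enforces is exactly what drives k up.

```python
"""k-induction by explicit enumeration on a hypothetical timeout-automaton-style node.

Added example; the node model, timeouts and property names are assumptions, not
the paper's SAL model.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

State = Tuple[str, int]   # (mode, timer)
TIMER_MAX = 15            # finite timer domain so enumeration terminates (assumed)
RECV_TIMEOUT = 5          # ticks the reintegrator waits for a sync frame (assumed)
SEND_TIMEOUT = 3          # ticks it spends transmitting (assumed)


def initial_states() -> Set[State]:
    return {("RECV", 0)}


def all_states() -> Set[State]:
    return {(m, t) for m in ("RECV", "SEND") for t in range(TIMER_MAX + 1)}


def successors(s: State) -> Set[State]:
    """One tick of the node. In RECV the frame may arrive on any tick (event-triggered
    input) or the timeout fires; in SEND the node counts SEND_TIMEOUT ticks and returns
    to RECV. The timer saturates at TIMER_MAX so even unreachable 'runaway' states
    have successors, which the inductive step must consider."""
    mode, t = s
    tick = min(t + 1, TIMER_MAX)
    if mode == "RECV":
        return {("SEND", 0)} if t == RECV_TIMEOUT else {("RECV", tick), ("SEND", 0)}
    return {("RECV", 0)} if t == SEND_TIMEOUT else {("SEND", tick)}


def is_reachable(target: State) -> bool:
    """Plain reachability, used only to show that k-induction counterexamples
    need not be reachable states."""
    seen, stack = set(initial_states()), list(initial_states())
    while stack:
        s = stack.pop()
        if s == target:
            return True
        for n in successors(s):
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return False


def k_induction(prop: Callable[[State], bool], k: int) -> Dict:
    """Base case: every state within k-1 steps of an initial state satisfies prop.
    Step: every path of k consecutive prop-states, starting ANYWHERE in the state
    space, has only prop-successors. Returns the first counterexample path found."""
    # Base case: bounded model checking to depth k-1, keeping paths for diagnostics.
    frontier: List[List[State]] = [[s] for s in initial_states()]
    seen: Set[State] = set(initial_states())
    for _ in range(k):
        for path in frontier:
            if not prop(path[-1]):
                return {"holds": False, "base_cex": path, "step_cex": None, "paths_checked": 0}
        nxt: List[List[State]] = []
        for path in frontier:
            for s in successors(path[-1]):
                if s not in seen:
                    seen.add(s)
                    nxt.append(path + [s])
        frontier = nxt
    # Inductive step: all paths of k prop-states from any state, then one more step.
    paths: List[List[State]] = [[s] for s in sorted(all_states()) if prop(s)]
    for _ in range(k - 1):
        paths = [p + [s] for p in paths for s in sorted(successors(p[-1])) if prop(s)]
    for p in paths:
        for s in sorted(successors(p[-1])):
            if not prop(s):
                return {"holds": False, "base_cex": None, "step_cex": p + [s],
                        "paths_checked": len(paths)}
    return {"holds": True, "base_cex": None, "step_cex": None, "paths_checked": len(paths)}


def smallest_k(prop: Callable[[State], bool], k_max: int = 10) -> Optional[int]:
    """Smallest k at which k-induction proves prop, or None up to k_max."""
    for k in range(1, k_max + 1):
        if k_induction(prop, k)["holds"]:
            return k
    return None


def timer_bounded(s: State) -> bool:
    """Weak property: the timer never exceeds the longer timeout."""
    return s[1] <= RECV_TIMEOUT


def strengthened(s: State) -> bool:
    """Strengthened invariant: the timer respects the timeout of the *current* mode."""
    mode, t = s
    return t <= (RECV_TIMEOUT if mode == "RECV" else SEND_TIMEOUT)


if __name__ == "__main__":
    for name, prop in (("timer_bounded", timer_bounded), ("strengthened", strengthened)):
        print(name, "smallest k:", smallest_k(prop))
    cex = k_induction(timer_bounded, 1)["step_cex"]
    print("k=1 counterexample", cex, "starts reachable?", is_reachable(cex[0]))
```

The k = 1 counterexample for `timer_bounded` starts at `("SEND", 5)`, a state the system never reaches; k-induction cannot know that without either a larger k (here 3, long enough to rule out the short unreachable run into it) or a stronger invariant (`strengthened`, proved at k = 1). Reducing k by reshaping the model, as the abstract describes, is the same trade made at a much larger scale: every extra unit of k multiplies the size of the formula handed to the SAT solver and decision procedures.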
