Proving Absence of Starvation by Means of Abstract Interpretation and Model Checking

  • Helmut SeidlEmail author
  • Ralf Vogler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10482)


The Avionics Application Software Standard Interface ARINC 653 is meant to increase predictability of safety-critical software systems. It allows to coordinate multiple tasks by means of priorities, semaphores, setting and waiting for events as well as by sending suspend and resume signals. Thus, it is a major challenge to verify that no such tightly coupled task gets ultimately stuck, e.g., by infinitely waiting for an event or a resume signal by another task. We explain how abstract interpretation together with model checking may nicely cooperate to guarantee absence of such concurrency flaws and report on practical experiments.


Model Checking Abstract Interpretation Global Memory State Periodic Tasks Exact Execution Time 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Amato, G., Scozzari, F., Seidl, H., Apinis, K., Vojdani, V.: Efficiently intertwining widening and narrowing. Sci. Comput. Program. 120, 1–24 (2016)CrossRefGoogle Scholar
  2. 2.
    Apinis, K., Seidl, H., Vojdani, V.: Side-effecting constraint systems: a swiss army knife for program analysis. In: Jhala, R., Igarashi, A. (eds.) APLAS 2012. LNCS, vol. 7705, pp. 157–172. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-35182-2_12 CrossRefGoogle Scholar
  3. 3.
    Apinis, K., Seidl, H., Vojdani, V.: How to combine widening and narrowing for non-monotonic systems of equations. In: 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 377–386. ACM (2013)Google Scholar
  4. 4.
    Bertrane, J., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Rival, X.: Static analysis and verification of aerospace software by abstract interpretation. Found. Trends Program. Lang. 2(2–3), 71–190 (2015)CrossRefGoogle Scholar
  5. 5.
    Bertrane, J., Cousot, P., Cousot, R., Jérôme Feret, L.M., Miné, A., Rival, X.: Static analysis and verification of aerospace software by abstract interpretation. In: AIAA Infotech@Aerospace 2010, number AIAA-2010-3385, pp. 1–38. American Institue of Aeronautics and Astronautics, April 2010Google Scholar
  6. 6.
    Bertrane, J., Cousot, P., Cousot, R., Jérôme Feret, L.M., Miné, A., Rival, X.: Static analysis by abstract interpretation of embedded critical software. Softw. Eng. Notes 36(1), 1–8 (2011)CrossRefGoogle Scholar
  7. 7.
    Bourke, T., Brun, L., Dagand, P., Leroy, X., Pouzet, M., Rieg, L.: A formally verified compiler for lustre. In: Cohen and Vechev [9], pp. 586–601Google Scholar
  8. 8.
    Chaki, S., Clarke, E.M., Ouaknine, J., Sharygina, N., Sinha, N.: Concurrent software verification with states, events, and deadlocks. Formal Asp. Comput. 17(4), 461–483 (2005)CrossRefzbMATHGoogle Scholar
  9. 9.
    Cohen, A., Vechev, M.T. (eds.): Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2017, Barcelona, Spain, June 18–23, 2017. ACM (2017)Google Scholar
  10. 10.
    Cousot, P., Cousot, R.: An abstract interpretation framework for termination. In: Field, J., Hicks, M. (eds.) Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, January 22–28, 2012, pp. 245–258. ACM (2012)Google Scholar
  11. 11.
    de Boer, F.S., Bravetti, M., Grabe, I., Lee, M., Steffen, M., Zavattaro, G.: A petri net based analysis of deadlocks for active objects and futures. In: Păsăreanu, C.S., Salaün, G. (eds.) FACS 2012. LNCS, vol. 7684, pp. 110–127. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-35861-6_7 CrossRefGoogle Scholar
  12. 12.
    de la Cámara, P., del Mar Gallardo, M., Merino, P.: Model extraction for ARINC 653 based avionics software. In: Bošnački, D., Edelkamp, S. (eds.) SPIN 2007. LNCS, vol. 4595, pp. 243–262. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73370-6_16 CrossRefGoogle Scholar
  13. 13.
    Engler, D.R., Ashcraft, K.: Racerx: effective, static detection of race conditions and deadlocks. In: Scott, M.L., Peterson, L.L. (eds.) Proceedings of the 19th ACM Symposium on Operating Systems Principles 2003, SOSP 2003, Bolton Landing, NY, USA, October 19–22, 2003, pp. 237–252. ACM (2003)Google Scholar
  14. 14.
    Flores-Montoya, A.E., Albert, E., Genaim, S.: May-happen-in-parallel based deadlock analysis for concurrent objects. In: Beyer, D., Boreale, M. (eds.) FMOODS/FORTE -2013. LNCS, vol. 7892, pp. 273–288. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38592-6_19 CrossRefGoogle Scholar
  15. 15.
    Schulze Frielinghaus, S., Seidl, H., Vogler, R.: Enforcing termination of interprocedural analysis. In: Rival, X. (ed.) SAS 2016. LNCS, vol. 9837, pp. 447–468. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53413-7_22 CrossRefGoogle Scholar
  16. 16.
    Hahn, S., Reineke, J., Wilhelm, R.: Toward compact abstractions for processor pipelines. In: Meyer, R., Platzer, A., Wehrheim, H. (eds.) Correct System Design. LNCS, vol. 9360, pp. 205–220. Springer, Cham (2015). doi: 10.1007/978-3-319-23506-6_14 CrossRefGoogle Scholar
  17. 17.
    Holzmann, G.J.: The model checker SPIN. IEEE Trans. Softw. Eng. 23(5), 279–295 (1997)CrossRefGoogle Scholar
  18. 18.
    Jourdan, J., Laporte, V., Blazy, S., Leroy, X., Pichardie, D.: A formally-verified C static analyzer. In: Rajamani, S.K., Walker, D. (eds.) Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15–17, 2015, pp. 247–259. ACM (2015)Google Scholar
  19. 19.
    Klein, G., Andronick, J., Elphinstone, K., Murray, T.C., Sewell, T., Kolanski, R., Heiser, G.: Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. 32(1), 2:1–2:70 (2014)CrossRefGoogle Scholar
  20. 20.
    Kroening, D., Tautschnig, M.: CBMC - C Bounded Model Checker, pp. 389–391. Springer, Heidelberg (2014)Google Scholar
  21. 21.
    Lemieux, J.: Programming in the OSEK/VDX Environment. CMP Media Inc., USA (2001)Google Scholar
  22. 22.
    Lv, M., Guan, N., Reineke, J., Wilhelm, R., Yi, W.: A survey on static cache analysis for real-time systems. LITES 3(1), 5:1–5:48 (2016)Google Scholar
  23. 23.
    McMillan, K.L., Rival, X. (eds.): VMCAI 2014. LNCS, vol. 8318. Springer, Heidelberg (2014)zbMATHGoogle Scholar
  24. 24.
    Miné, A.: The octagon abstract domain. High. Order Symbol. Comput. 19(1), 31–100 (2006)CrossRefzbMATHGoogle Scholar
  25. 25.
    Miné, A.: Relational thread-modular static value analysis by abstract interpretation. In: McMillan and Rival [23], pp. 39–58Google Scholar
  26. 26.
    Naik, M., Park, C., Sen, K., Gay, D.: Effective static deadlock detection. In: 31st International Conference on Software Engineering, ICSE 2009, May 16–24, 2009, Vancouver, Canada, Proceedings, pp. 386–396. IEEE (2009)Google Scholar
  27. 27.
    Podelski, A., Rybalchenko, A.: Transition invariants and transition predicate abstraction for program termination. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 3–10. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19835-9_2 CrossRefGoogle Scholar
  28. 28.
    Santhiar, A., Kanade, A.: Static deadlock detection for asynchronous c# programs. In: Cohen and Vechev [9], pp. 292–305Google Scholar
  29. 29.
    Schwarz, M.D., Seidl, H., Vojdani, V., Apinis, K.: Precise analysis of value-dependent synchronization in priority scheduled programs. In: McMillan and Rival [23], pp. 21–38Google Scholar
  30. 30.
    Schwarz, M.D., Seidl, H., Vojdani, V., Lammich, P., Müller-Olm, M.: Static analysis of interrupt-driven programs synchronized via the priority ceiling protocol. In: Ball, T., Sagiv, M. (eds.) Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2011, Austin, TX, USA, January 26–28, 2011, pp. 93–104. ACM (2011)Google Scholar
  31. 31.
    Thompson, S., Brat, G.P., Venet, A.: Software model checking of ARINC-653 flight code with MCP. In: Muñoz, C.A. (ed.) Second NASA Formal Methods Symposium - NFM 2010, Proceedings, Washington D.C., USA, April 13–15, 2010. NASA Conference Proceedings, vol. NASA/CP-2010-216215, pp. 171–181 (2010)Google Scholar
  32. 32.
    Urban, C., Miné, A.: A decision tree abstract domain for proving conditional termination. In: Müller-Olm, M., Seidl, H. (eds.) SAS 2014. LNCS, vol. 8723, pp. 302–318. Springer, Cham (2014). doi: 10.1007/978-3-319-10936-7_19 Google Scholar
  33. 33.
    Vojdani, V., Apinis, K., Rõtov, V., Seidl, H., Vene, V., Vogler, R.: Static race detection for device drivers: the goblint approach. In: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, ASE 2016, pp. 391–402. ACM (2016)Google Scholar
  34. 34.
    Walli, S.R.: The posix family of standards. StandardView 3(1), 11–17 (1995)CrossRefGoogle Scholar
  35. 35.
    Wilhelm, R., Altmeyer, S., Burguière, C., Grund, D., Herter, J., Reineke, J., Wachter, B., Wilhelm, S.: Static timing analysis for hard real-time systems. In: Barthe, G., Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 3–22. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-11319-2_3 CrossRefGoogle Scholar
  36. 36.
    Williams, A., Thies, W., Ernst, M.D.: Static deadlock detection for java libraries. In: Black, A.P. (ed.) ECOOP 2005. LNCS, vol. 3586, pp. 602–629. Springer, Heidelberg (2005). doi: 10.1007/11531142_26 CrossRefGoogle Scholar
  37. 37.
    Zuleger, F., Gulwani, S., Sinn, M., Veith, H.: Bound analysis of imperative programs with the size-change abstraction. In: Yahav, E. (ed.) SAS 2011. LNCS, vol. 6887, pp. 280–297. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23702-7_22 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Fakultät für InformatikTU MünchenGarchingGermany

Personalised recommendations