
Applying Formal Verification to an Open-Source Real-Time Operating System

Theories of Programming and Formal Methods

Abstract

This paper describes work done using formal methods to verify parts of the RTEMS real-time operating system, as part of an activity sponsored by the European Space Agency to qualify multi-core processors for spaceflight. A variety of formalisms were investigated, keeping in mind the need to be a good fit with the RTEMS community in general. The technique that was deployed used Promela to model aspects of the operating system behavior, and the SPIN model checker to do test generation. This involved developing Promela models, which are formal artifacts, and then developing a simple machine-readable observation language that made it easy to connect model behavior to the generation of C test code. The observation language was then refined to code using a dictionary mapping observable elements to test code snippets. Neither the observation language nor the dictionary mapping is formal, so this paper also explores how these might be given UTP semantics, and linked together, in which the research of He Jifeng plays a key role. It finishes by defining a future research agenda that uses this work with a real-world application to drive the research.
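The pipeline the abstract describes (model behavior rendered as a simple observation language, then refined to C test code through a dictionary of snippets) is easiest to grasp from a small worked instance. The following is an added illustration written for this page, not the chapter's or the RTEMS project's tooling. The observation keywords (DECL, CALL, RETURN, BLOCKED), the sample observation text and the snippet dictionary are all constructed here and are assumptions; the RTEMS calls in the snippets are real API names, but the exact test-framework check a project would emit is left as a placeholder comment. The point it demonstrates is that both directions of the informal link can be checked mechanically: malformed observation lines are rejected at parse time, and an observable element with no dictionary entry is reported rather than silently dropped, which is the kind of gap a formal semantics for the two artifacts would close.

```python
"""Refine a toy observation language into C test code via a snippet dictionary.

Added example for illustration only; the observation language, its keywords
and the snippet table are hypothetical, not the chapter's actual artifacts.
"""
from typing import Dict, List, Tuple

# Constructed sample: one observable event per line, as a model-checker run
# might be post-processed into. Task 2 blocks on a semaphore held by task 1.
OBSERVATIONS = """\
# decl / call / return / blocked events (constructed sample)
DECL sema
CALL 1 obtain sema
RETURN 1 RTEMS_SUCCESSFUL
CALL 2 obtain sema
BLOCKED 2
CALL 1 release sema
RETURN 1 RTEMS_SUCCESSFUL
RETURN 2 RTEMS_SUCCESSFUL
"""

# Field names for each observation keyword (hypothetical grammar).
FIELDS: Dict[str, List[str]] = {
    "DECL": ["name"],
    "CALL": ["task", "op", "name"],
    "RETURN": ["task", "status"],
    "BLOCKED": ["task"],
}

# The dictionary mapping observable elements to C snippet templates.
# Keys are (keyword,) or (keyword, operation); values use str.format fields.
SNIPPETS: Dict[Tuple[str, ...], str] = {
    ("DECL",): "rtems_id {name};",
    ("CALL", "obtain"): "/* task {task} */ sc = rtems_semaphore_obtain( {name}, RTEMS_WAIT, RTEMS_NO_TIMEOUT );",
    ("CALL", "release"): "/* task {task} */ sc = rtems_semaphore_release( {name} );",
    ("RETURN",): "/* task {task} */ /* assumed framework check: */ CHECK_STATUS( sc, {status} );",
    ("BLOCKED",): "/* task {task} blocks here: the harness must run task {task} in its own thread */",
}


def parse(obs_text: str) -> List[Dict[str, str]]:
    """Turn observation text into a list of event records, rejecting bad lines."""
    events: List[Dict[str, str]] = []
    for lineno, raw in enumerate(obs_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        kw, args = tokens[0], tokens[1:]
        if kw not in FIELDS:
            raise ValueError(f"line {lineno}: unknown observation keyword {kw!r}")
        if len(args) != len(FIELDS[kw]):
            raise ValueError(
                f"line {lineno}: {kw} expects {len(FIELDS[kw])} fields, got {len(args)}"
            )
        events.append({"kind": kw, **dict(zip(FIELDS[kw], args))})
    return events


def refine(events: List[Dict[str, str]], snippets: Dict[Tuple[str, ...], str]) -> List[str]:
    """Map each event to its C snippet; a missing dictionary entry is an error, not a silent drop."""
    out: List[str] = []
    for ev in events:
        key = (ev["kind"], ev["op"]) if ev["kind"] == "CALL" else (ev["kind"],)
        if key not in snippets:
            raise KeyError(f"no snippet for observable element {key}")
        out.append("  " + snippets[key].format(**ev))
    return out


def render_test(name: str, obs_text: str, snippets: Dict[Tuple[str, ...], str] = SNIPPETS) -> str:
    """Wrap the refined snippets in a C test function body."""
    body = "\n".join(refine(parse(obs_text), snippets))
    return f"static void {name}( void )\n{{\n  rtems_status_code sc;\n{body}\n}}\n"


if __name__ == "__main__":
    print(render_test("test_sema_handover", OBSERVATIONS))
```

Running the module prints one C function whose statements follow the observed event order; changing a snippet in SNIPPETS changes every generated test consistently, which is exactly why the dictionary is the artifact that most needs a precise meaning.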

Supported by ESA Contract No. 4000125572/18NL/GLC/as, and assistance from Lero and the RTEMS community.


Notes

  1. Real-Time Executive for Multiprocessor Systems.

  2. ESA uses qualification to refer to an entire mission. RTEMS is a sub-component of a mission, so such partial treatments are called pre-qualifications.



Correspondence to Andrew Butterfield.


© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this chapter

Butterfield, A., Tuong, F. (2023). Applying Formal Verification to an Open-Source Real-Time Operating System. In: Bowen, J.P., Li, Q., Xu, Q. (eds) Theories of Programming and Formal Methods. Lecture Notes in Computer Science, vol 14080. Springer, Cham. https://doi.org/10.1007/978-3-031-40436-8_13


  • DOI: https://doi.org/10.1007/978-3-031-40436-8_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40435-1

  • Online ISBN: 978-3-031-40436-8
