A Spin-based model checking for the simple concurrent program on a
  preemptive RTOS by Lin, Chen-Kai et al.
A Spin-based model checking for the simple concurrent
program on a preemptive RTOS
Chen-Kai Lin
Institute of Information Science,
Academia Sinica
Taipei, Taiwan
kai.zsv@gmail.com
Ching-Chun (Jim) Huang
Department of Computer Science and
Information Engineering, NCKU
Tainan, Taiwan
jserv@ccns.ncku.edu.tw
Bow-Yaw Wang
Institute of Information Science,
Academia Sinica
Taipei, Taiwan
bywang@iis.sinica.edu.tw
ABSTRACT
We adapt an existing preemptive scheduling model of RTOS ker-
nel by eChronos from machine-assisted proof to Spin-based model
checker. The model we constructed can be automatically verified
rather than formulating proofs by hand. Moreover, we look into the
designs of a Linux-like real-time kernel–Piko/RT and the specifica-
tion of ARMv7-M architecture to reconstruct the model, and use
LTL to specify a simple concurrent programs–consumer/producer
problem during the development stage of the kernel. We show that
under the preemptive scheduling and the mechanism of ARMv7-M,
the program will not suffer from race condition, starvation, and
deadlock.
KEYWORDS
model checking, concurrent program, preemptive scheduling
1 INTRODUCTION
Model checking [6, 7] is first introduced by Edmund Clarke and
Allen Emerson in 1981 to solve the Concurrent Program Verifica-
tion. It has a state-transition graph (denote as a model) and some
logic formulas (denote as properties). The algorithm of model check-
ing will try to claim that all paths of the model are satisfied the
properties. In other words, if we write a property about mutual
exclusion and the model checker says the property is unsatisfied,
we can trace the error messages back to the situation and inspect
whether the model or the real-world system will suffer from the
race condition.
Concurrent errors are hard to detect by code review or test
case, because we can not guarantee the asynchronous processes
executing in a specific order. Another way to ensure the correctness
of concurrent programs is by proof, one example is that Lamport
proves the correctness of a fast mutual exclusion algorithm in
1987 [15]. But, this strong guarantee requires the preliminary of
proof tactic and constructs by hands. Model checking, though, has
weaker guarantee but is more expeditious only if the abstract model
and the real-world system are homogeneous. Furthermore, the
correctness of the algorithm can not stand for the correctness of
the implementation on other hardware or software mechanisms,
i.e. interrupt or softirq. Holzmann [10] indicates model checking
is one of the three topics that the Mars Science Laboratory (MSL,
launched by NASA) has used to reduce risk in complex software
systems. He also points out that they had successfully verified
several concurrent issues on key parts of the spacecraft, including
Cassini, Deep Space One, and the Mars Exploration rovers.
Piko/RT [12], developed at National Cheng Kung University, is
a non-trivial operating system but small enough for verification
purpose. One of the key features is real-time capability. It enables
interrupts (exceptions) almost all the executing time to handle the
incoming IRQs. Moreover, it is optimized for the ARM Cortex-M
series. Until 2015 [5], ARM had shipped 20.6 billion Cortex-M units
within six years and the number is growing. It is hard to debug if
such a number of devices deployed around in different areas. Not
to mention the software system must not behave unexpectedly in
the critical usages.
In this paper, we address the problem of verifying the simple
concurrent programs will not act unexpectedly (no race condition,
starvation, and deadlock) under the specific conditions (preemptive
scheduling and interrupt-driven mechanisms). We first construct an
abstract model on the Spin model checker based on three domains:
proof framework of eChronos, source code of Piko/RT, and refer-
ence manual of ARMv7-M, discussing in section 3. Next, write three
properties (race condition free, starvation free, and deadlock free)
and verify in Spin (section 4 and 5). Last but not least, discuss the
background knowledge and summarize the conclusions in section
2 and 6. All our model1 is in the public domain.
2 BACKGROUND
We use Spin as our model checking tool and build an abstract sched-
uling model on. In this section, we discuss some topics about Spin
model checker and the real-time scheduling before approaching to
the model. And then, talk about several related works of this paper.
2.1 The model checker
2.1.1 Spin. Spin [3, 9, 11] is an open-source verification tool of
multi-threaded software developed in the Computing Science Re-
search group of Bell Lab. The theory behind Spin is theω-automaton,
which is the variation of classic finite state automata with accep-
tance conditions on infinite executions. Consider Figure 1a, note
that the termination of the automata would not necessarily be a
desirable result. We can declare some state that will be visited infin-
itely often by labeling accept, i.e. Run state, as a legal run. Because
the states are finite, the infinite run (ω-run) will anyway repeat
itself at the certain degree just like Figure 1b shows. If Spin find an
ω-run with some state labeling accept, it can claim that the automata
is accepted. This is so called the Büchi acceptance.
1https://github.com/kaizsv/pikoRT-Spin.git
ar
X
iv
:1
80
8.
04
23
9v
1 
 [c
s.O
S]
  7
 A
ug
 20
18
2(a) Finite state infinite run au-
tomata.
(b) A path of ω-run
Figure 1: Example of ω-automaton
Figure 2: Semantics of Global and Future operators
Every thread in Spin is an automata and product altogether in
the verifying stage. Spin supports a meta language: PROMELA,
which interpreting readable script into automata, like common
condition statements, if or do. It also provides channel allowing
the communication between two threads. And the most important
one in this paper is the guard. guard is a true of false expression
that guard the execution of the following statements only if it is
true, otherwise the thread will be blocked until it becomes true.
2.1.2 Linear temporal logic. Safety and liveness. We need to dis-
cuss these two kinds of properties before going to linear temporal
logic, which are introduced by Lamport in 1977 [14]. Safety prop-
erty guarantees nothing bad ever happens, e.g., more than two
processes access same critical section at the same time will never
happen. Liveness property denotes as something good eventually
happens, e.g., if a process wants to enter its critical section, it can
eventually enter. Above is only the informal expression of two types
of properties.
Fairness is another issue of temporal logic. We can not assume
relative speeds of asynchronous processes, there might exist a run
that when a process can execute, but never be executed. This is
called the unfair processes. Two commonly used variants of fairness
are:
weak fairness: If a statement is continuously enabled, it will
eventually be executed
strong fairness: If a statement is enabled infinitely often, it will
eventually be executed
Temporal logic allows us to formalize the properties of a run
unambiguously with some special operators. Most relevant to the
Figure 3: Mutual exclusion
verification of asynchronous process systems is a specific branch
of temporal logic, linear temporal logic (LTL). LTL is sufficient to
describe two operators in the scope of this paper. Let f be a LTL
formula. Operators in f such as not, and, or, implication, and
equivalence are still a LTL formula. Two further temporal opera-
tors global and future are introduced below and Figure 2:
□f : f is true now and forever in rest of the run
^ f : f is true eventually in the future run
Let us consider an example of mutual exclusion. Figure 3 contains
two processes and CS is the critical section of that process. Each
process is first in non-critical section. If one process wants to access
its shared variables in critical section, it must try to gain lock first
at Try-CS state and leave the critical section as soon as possible.
We can write down the LTL formula about mutual exclusion free,
starvation free, and deadlock free as follows:
mutual exclusion free: □¬(CS1 ∧ CS2)
starvation free: □^Try-CS1 → □^CS1
deadlock free: □^(Try-CS1 ∧ Try-CS2) → □^(CS1 ∨ CS2)
The first property is simple. Both processes can not access its
critical section at the same time in every state of a run. The rest
are the liveness properties. Starvation free means if a process try to
enter its critical section infinitely often, it will be in critical section
infinitely often. And deadlock free property means if both processes
try to enter each critical section infinitely often, at least one process
can enter its critical section infinitely often. Note that “infinitely
often” represents the properties are strong fairness. This is will be
discuss later in section 4.
To understand how Spin verifies LTL formula, consider it as a
game. Spin negates the LTL formula and converts it into never claim.
The never claim is also an automaton that can product together
with the model. The Spin model checker then try to find a path that
satisfied the negated formula which means there exists a counterex-
ample in the model that violates the property. On the contrary, if
never claim never reaches the acceptance state (never finds a path
that violates the formula) means the model satisfied the formula.
2.2 Real-time scheduling
A real-time system is a set of tasks which running interleaving
on uniprocessor or concurrently on multi-processors that can sim-
ply classify into preemptive and non-preemptive scheduling. Non-
preemptive scheduling has lower context switch latency but the
interrupt handler might violate the deadline. And preemptive sched-
uling forces each task to process under a limited time and the task
might be blocked (pending) even if within its timeslice. In this
A Spin-based model checking for the simple concurrent program on a preemptive RTOS 3
section we discuss several factors which affect the behavior of pre-
emptive scheduling from the hardware and software aspects. The
hardware is the mechanisms of ARMv7-M architecture and the
software is the implementation of the case study.
2.2.1 Exception of ARMv7-M architecture. ARMv7-M architec-
ture [2, 17] uses “exception” as a response to system event and
“interrupt” as a peripheral request. Exception (or interrupt) with
higher priority level can preempt the lower one. Moreover, syn-
chronous exception like non-maskable interrupt (reset, hardware
fault), system fault, and SVCall must execute before the context
switch. This means synchronous exception can only be preempted
by higher priority level exception before changing to the next task.
The incoming exception will be pending if the priority level is less
than or equal to the current one. Other exceptions are considered
asynchronous that we can not guarantee the timing of executing,
even after the context switching.
Exception entry and exception return are the mechanism before
and after the exception handler take place on ARMv7-M architec-
ture. While an exception occurs, the hardware will compare the
priority of current task and the coming exception. The exception
entry will push parts of the context into the stack and reset return
values of current context if the coming exception is allowed to pre-
empt according to the interrupt policy. After finishing the handler
task, the exception return will choose a proper task (from the stack
or the pending state) to switch to.
Tail-chaining is the further extension of the exception return.
Tail-chaining can continue to process the pending exception at the
exception return stage. Rather than restoring to the return context
from the stack and saving it back again to the stack, tail-chaining
can directly switch to the pending exception with less timing gap.
Context switch is a significant issue in this paper. Context switch
typically requires processor to execute at a critical region of in-
terrupt disabled to avoid the corruption of data during the switch,
However, the busy waiting might cause pending the coming excep-
tion and violate the deadline. ARMv7-M supports interrupt enabled
context switch. SVCall is a synchronous exception and triggered
by the svc instruction from user tasks to perform supervisor call.
PendSV is an asynchronous software interrupt and handles the
scheduling point enabled by the systick handler. To enable interrupt
during context switch, the ARMv7-M reference manual suggests
to configure both exceptions with the lowest priority level so that
they can not preempt each other.
2.2.2 Preemptive scheduling. Preemptive scheduling causes the
task to stop and resume executing frequently. One reason is the
task reaches its timeslice and does not finish yet, the scheduler
need switch to the next task from the runqueue. Another reason
is when a task with higher priority added into the runqueue, at
any scheduling point the system needs to guarantee the priority
of current task is always the highest one in the runqueue. The
following lists several aspects which will influence the behavior of
the preemptive scheduling.
Bitmap scheduler has 32 priority levels and two priority arrays,
active and expired, which can be swapped in constant time. The
scheduler always chooses the highest priority task from the ac-
tive priority runqueue and selected in round-robin way if multiple
tasks exist in the same priority level. The implementation of array
data structure and the bitwise operations make time complexity in
constant time.
Softirq and tasklet. Interrupt handlers are asynchronous and of-
ten timing-critical so there are several limitations, such as respond
rapidly and cannot be blocked. Softirq is the mechanism that moves
the execution of the non-critical job (bottom half task) from inter-
rupt handlers to the user task (softirq process). Moreover, softirq
maintains a bitmap scheduler with only one runqueue to manage
the different bottom half tasks, called tasklet.
Mutual exclusion is one of the solutions to prevent race condition
and has different implementations. In this paper, we focus on a
pair of load-link/store-conditional instructions, ldrex and strex,
supported by a state machine exclusive monitor provided by ARMv7-
M architecture. Each processor has a exclusive monitor called local
monitor (we only consider uniprocessor situation here), which will
mark a segment of memory address (register) as exclusive by the
calling of ldrex instruction. One local monitor can only mark one
register at the same time, ldrex will load a value from the address
to the register and clear the previous mark and mark the address as
exclusive. strex conditionally stores the value back to the address
if the address is marked as exclusive and clear the mark at the same
time, otherwise the store will fail notifying by the return value. In
brief, no matter how many times ldrexmark the address, only one
can update the value of that address by strex. And finally, all mark
will be cleared at every exception return stage. This make sure the
atomic operations of the mutex variables.
Condition variable is an extension of mutual exclusion. It will
temporary release the lock and move itself out of the runqueue
if the condition is not satisfied (condition wait). While others get
the lock and satisfy the condition statement, it signals the blocked
one by returning the lock and enqueuing the blocked one again
(condition signal). This is more efficient than busy waiting because
the blocked one will temporarily gives up the processor’s resources
and turns to the process.
2.3 Related work
eChronos [1] is a tiny real-time OS running on ARM Cortex-M3
platform developed by Data61 in Australia. They provide a frame-
work and prove the property “the running task is always in the
highest priority” on the Isabelle/HOL proof assistant based on the
Owicki-Gries [16] method. The OG method is the parallel version
of Hoare logic, known as the pre- and post- condition style, guar-
anteeing the shared variables are not interleaving by the parallel
programs. Their framework is delicate and scalable that simulates
both software and hardware behaviors in one model. But the chal-
lenge of their work is the exhausting hand constructed proof and
the lack of implementation details. The reason of the later one is
the proof strategy that they do not declare the explicit interrupt
policy, causing all exceptions can preempt each other. Instead, they
have proved a larger range of the exception behavior is correct that
can implicate to the limited and real one.
OSEK-Spin, Zhang, et al. [18] use Spin to verify the application of
a standard automobile OS, OSEK/VDX, which is widely adopted by
many automobile manufacturers. To enhance the user experience,
different applications are developed based on the OS. To check
whether the applications can run correctly, the researcher provide
4a Spin-based model that can replicate the executions on OSEK. The
correctness means under the concurrent running task, synchronous
event, and context switch, the user application will not suffer from
race condition or priority inversion. They also developed bounded
model checking to verify more complex applications. However, the
model considered only the software aspect and did not contain the
specific hardware behavior.
The two researches list above are the most related to our paper.
Moreover, there are lots of corresponding work about verifying
software or hardware by mathematical proof, for example, seL4
[13]. However, the design of seL4 kernel is optimized for the formal
verification, there are some limitations. Although seL4 had analyzed
the WCET [4], its kernel code only has few interrupt points, others
with interrupt disabled. This is different from the common design
of RTOS.
3 THE MODEL
In section 2, we had discussed several factors of scheduling. In this
section, we show how we model those factors by PROMELA. The
model consists of three static processes (SVC, PendSV, and softirq)
and an amount of user tasks and interrupts (number of interrupt
must contain one systick). Figure 4 is a schema of 2 user tasks and
2 interrupts. The model can separate into three parts: user task
for the orange box, exception for the blue one, and two special
exceptions SVC and PendSV for the green one. Each process has a
PID listed at the top of Figure 4.
3.1 Overview
We had mentioned that each process are executed in asynchronous
order, we use this feature to simulate the incoming of the IRQs.
But to determine which process is the legal one to occupy the
resource of processor, eChronos introduced a guard called AWAITS
to control the executing of the processes. Another variable AT
(active task) records which process is the legal on to be executed.
Every statement in the model will be wrap by AWAITS and can be
executed only if the AT becomes its PID, otherwise, the statement
will be blocked until AT becomes its PID again. There is also an
A_AWAITS statement which do the same thing as AWAITS, because
there are two atomic statements in PROMELA, d_step and atomic.
Both statements guarantee no other processes can interleave within
the scope of the statement. The difference is that in verification
stage, the d_step is seen as one step while the atomic is depend on
the statements inside. Note that each statement in the code segment
surrounding by a frame is wrapped by the AWAITS or A_AWAITS
statements which are the unit operation in our model.
Starting from SVC handler first, we modeled five system calls,
including, mutex lock, mutex unlock, condition wait, condition sig-
nal, and pthread yield. Consider that SVC is synchronous, we use
a synchronous channel called rendezvous channel in PROMELA
to perform the behavior of calling the system call. It is something
like the client/server model that the SVC handler is the server and
serves several user tasks. The difference is that other processes
remain blocked during the communication. Recall the interrupt
enabled context switch, PendSV is asynchronous and used to re-
spond the scheduling request from the systick. Simultaneously,
the systick handler will insert its bottom half task into the tasklet
runqueue waiting to be executed in softirq process. Another inter-
rupt handler do nothing in the model. Last, we choose the classic
consumer/producer program as our application to verify and the
softirq will discuss later.
3.2 Exceptions of ARMv7-M architecture
Figure 4 shows that every exception is starts with ITake or PendSV-
Take and ends with IRet (except SVC is synchronous) which models
exception entry and exception return. There are two situations in
ITake. First, we refer to the manual of ARMv7-M to implement the
interrupt policy, including the priority and the pending state to
determine whether the incoming IRQs can preempt the current
process. PendSVTake is a simplified ITake and only affects to the
PendSV process. An array ATStack stores the preempted processes
that has not finished its job yet. IRet elects the next running task
from the top element of ATStack or the highest priority of pending
state when the current interrupt handler is finished. If the exception
priority of the top of the ATStack is higher, pop the exception di-
rectly to theAT. If not, remember that the exception in pending state
has not been executed yet, an additional variable ghost_direct_AT
is introduced to record this situation and can be detected by the
second condition of ITake. The choosing of pending state running
first is similar to the tail-chaining mechanism in ARMv7-M
The design of ATStack is an array data structure that the last
element in it must be user task, others are exceptions in priority
order. The formalization of context switch is to change the last
element in ATStack. Because context switch only occurs in SVC or
PendSV processes, the only element in ATStack must be current
user task and the AT must be the PID of SVC or PendSV. We add
several assert to check this scene and change the last element in
ATStack to reproduce the behavior of context switch.
3.3 Preemptive scheduling
Two priority runqueues, which contain an unsigned map and a
queue, form the structure of bitmap scheduler. One key difference
between the model and the source code is the swap of two prior-
ity runqueues. The source code uses pointer to swap each other,
however, the model uses bitwise operations to do that. Two priority
runqueues sched_bm[2] are defined in the model. Another global
bit SCHED_STATE_SWAP is helped to distinguish each runqueue.
To swap the runqueues, just xor the swap bit. Additionally, the
ACTIVE and EXPIRED thread state are designed in the same way.
ACTIVE: (0|SCHED_STATE_SWAP)
EXPIRED: (1 ⊕ SCHED_STATE_SWAP)
In short, the softirq is a user process which executes the bottom
half task of the interrupts. And the tasklet is a one priority runqueue
managing which bottom half tasks take place first. If no more
bottom half task can be executed, the softirq process will give up
the processor’s resource by calling the pthread yield system call.
But notice that if the softirq has higher priority than other user
processes, the system call still choose softirq as next process.
The lock and unlock of mutex can split into two stages: non-
privilege and privilege because of the supporting of load-link/store-
conditional (LL/SC) instructions. Take mutex lock for example, if
the lock is free then gain lock directly in the non-privilege mode by
A Spin-based model checking for the simple concurrent program on a preemptive RTOS 5
Figure 4: The schema of the model (2 user tasks, 2 interrupts)
the mechanism of LL/SC, otherwise, calling the mutex lock system
call to give up the execution (moving itself out of the runqueue).
Another point to note that, there must have a place to store the
tasks moving out of the runqueue by mutex. The implementation of
the source code is a linked list structure, we use an array structure
in PROMELA, instead. However, to reduce the size of the model,
there is only one slot in the array currently and scalable depending
on the applications.
Implementation of condition variable is based on the mutex that
will temporarily release the lock and gain lock again if the condition
is satisfied. Nonetheless, this is difficult to implement in PROMELA.
In source code, every process performing context switch in SVC or
PendSV handlers which will stop at a specific point in the handler
and resuming when switching back. If we want to emulate this
behavior in PROMELA model, the SVC and PendSV handler must
duplicate times of the number of user task. This is a great effort for
model checking that we need to share the SVC and PendSV handler
within each user task. This leads to another problem that we can
not place two scheduling points in one exception handler and the
scheduling point must establish just before the IRet. This limits the
modeling of condition wait system call that we need to use two
system calls (condition wait and mutex lock) and wrap together
with atomic statement to complete the one system call’s job.
4 STRATEGY OF VERIFICATION
We had talked about the model, now discussing the properties and
how we verify the model by Spin model checker.
4.1 The properties
These two methods are used to verify the correctness of the model:
i) assert for safety property, ii) LTL for liveness properties. The
assert is not only the safety property but also a useful tool to check
whether the model is correct during the process of modeling. We
use assert in the following ways.
• The insertion of the queue will not induce buffer overflow
and the deletion of the queue must succeed.
• If the value of map is not zero, there must be some elements
in the queue.
• If the scheduler chooses idle as next thread, the current
thread must not be idle.
• The modification of IRQ pending state must be the interrupt
process.
• The tail-chaining only happens when no other exception
priority in pending state is higher than itself.
• The ATStack will not have buffer overflow.
• PendSV can only preempt the user task.
• The consumer/producer will not suffer from race condition
using two global bits cs_c and cs_p to record the entrance of
critical section.
• Only user tasks can perform the system call when there is
no pending exception.
• Only user tasks can perform context switch when there is
no other active exception (excluding SVC and PendSV).
• The last element in ATStack is a user task; others are UN-
KNOWN 2 during the context switch.
• Mutex list (array) must not be empty if the value of mutex is
larger than zero.
• The value of mutex must not smaller than -1.
For LTL, we label the condition loop as want, it means that the pro-
cess wants to enter its critical section but blocked at the condition
loop. The @ symbol means the execution is at the statement with
specific label. Note that we apply the strong fairness in the LTL
formula. If not, the model checker will consider the situation that
the systick preempt itself forever. But this is impossible that the
duration of systick is 1ms in the real-world system.
consumer starvation free: □^consumer@want→ □^cs_c
producer starvation free: □^producer@want→ □^cs_p
deadlock free:□^(consumer@want∧producer@want) → □^(cs_c∨
cs_p)
2ARMv7-M resets the register with UNKNOWN value
6Table 1: Options of Spin model checker
Spin Version 6.4.8 - 2 March 2018
Spin options Verification options Runtime options
Safety properties -a -DXUSAFE, -DCOLLAPSE, -m100000000
-DSAFETY, -DNOCLAIM, (-m<changeable>)
(-DMA=24), -DNOFAIR,
-DMEMLIM=<changeable>
LTL acceptance -a, -DXUSAFE, -DCOLLAPSE, -m100000000,
cycles -DLTL (-DMA=24), -DNOFAIR, -a,
-DMEMLIM=<changeable> -N <ltl name>
4.2 Spin options
The hardware environment in this paper is a 1TB memory machine
with Xeon 6134M 3.2GHz processors. Table 1 is the Spin options
for Safety and LTL verifications. The search algorithm in this paper
is the DFS. Looking at Spin options first, -a is needed to gener-
ate the verification code and -DLTL is a custom macro that used
to load the LTL properties. In Verification options, -DXUSAFE,
-DCOLLAPSE, and -DNOFAIR are used in both properties, the first
one is to disable the usage of xr and xs assertions, the second one
is to compress each state to reduce the memory usage, the third
one is to disable the weak fairness provided by Spin (we use strong
fairness in LTL formula). -DNOCLAIM is to disable the usage of never
claim, but enables while verifying the LTL properties. -DSAFETY
is used in safety property only. -DMEMLIM is the maxima memory
that Spin can use and -DMA is the algorithm of minima automata
which saving the memory but spending lots of running time. Next,
the -m<changeable> is the maxima depth for the DFS algorithm
and -N used to choose which LTL property to verify.
Spin model checker will provide statistics if the verification is
completed under the memory and maxima depth boundary. It also
provides a list of unreached statements in the model but never be
executed. To analyze this list, there are eight scheduling points in
the model. We copy the macro of scheduling points eight times
with different names. With this setting, we can tell the difference
between the eight scheduling points by the different lines of code
and analyze them later.
5 DISCUSSION
We verify a classic concurrent program–consumer/producer in this
paper and use a bit to denote the data buffer. This application is also
one of the test case of Piko/RT (cond_3). Table 2 shows the results
of the four verifications. Note that the Safety case uses only assert
to verify race condition, which is more efficient than other liveness
cases. Because the previous one only checks the specific variable at
the point, however, the LTL checks the variables along everyω-runs
(Figure 1b). Moreover, the meaning of depth and states in Table 2
are that the former represents the longest depth of the ω-run and
the later is the number of states that Spin had verified. The state is
the set of all global variables in the model, each statement in the
model might causes the migration from one state to another.
The most interesting point is that the usage of memory is ex-
treme high, is it really worth it to consume such effort to build the
Table 2: The 4 verification results
Depth States Memory Time
Safety 23,619,898 5.84e+09 314 GB 3.2 hours
consu_starv 49,295,820 1.01e+10 707 GB 10.4 hours
produ_starv 49,678,300 1.01e+10 707 GB 10.4 hours
Deadlock 40,484,755 8.11e+09 477.2 GB 6.75 hours
verifications? Remember we had mentioned about AWAITS state-
ment, it is the watershed separating the atomic and concurrent
executing. Between each AWAITS (or A_AWAITS) statement is an
interrupt point that allowed every non-blocked process to be exe-
cuted in different order. There are total 67 AWAITS (and A_AWAITS)
statements in our model, and this is not counting the repeated ones
(the inline function of PROMELA will be expended like macro in
C language). For example, there are nine scheduling points in the
model (8 in SVC and 1 in PendSV) which means we have to multiple
nine times the number of interrupt points under the inline func-
tion of scheduling point. It is hard for us to consider such amount
of scheduling points at the same time by code review or test cases,
how can we check a vulnerability at the depth of 50 million steps?
However, with the help of the Model Checking and the powerful
machine, we can verify those properties within sustainable time.
All we have to do is to construct an elegant model which can use
less steps to represent the real-world system.
Moreover, Spin also provides us an unreached statement list
to analyze. The followings reasons are certain for the unreached
statements. Note that both priority runqueues are not empty at the
scheduling points (never switch to idle thread) in this paper.
• The scheduling point in PendSV needs to insert current task
to the expired runqueue, while the scheduling point in SVC
don’t. This causes the unreached statements.
• If the active runqueue always has some elements, the sched-
uler does not need to perform swap statements and the con-
dition of next thread equals idle will not be checked. This is
because there is an enqueue point just before the scheduling
point.
• If the active runqueue is empty and the expired runqueue
has some elements, the condition of next thread equals idle
will not be checked.
A Spin-based model checking for the simple concurrent program on a preemptive RTOS 7
• If the next task is equal to the current task, need not to
perform context switch. This happens only in the pthread
yield system call.
• Two scheduling points in mutex unlock system call never
been executed.
The last reason is complicated that we need to consider two con-
ditions about the mutex unlock system call. First is the system call
from the condition of LL/SC. The second is called via the condition
wait system call. In the first situation, consider that the current
process has the lock, the thread state must not be BLOCKED. The
first scheduling point in mutex unlock system call is guarded by the
thread state equals BLOCKED condition will never be executed un-
der first situation. However, the first scheduling point will always
be approached in the second situation. Because the conditional
statement in mutex unlock system call is deterministic while the
second scheduling point in mutex unlock system call will never be
executed. Those are the reason why there are two scheduling point
not be executed.
6 CONCLUSIONS
We adapt an existing machine-assisted framework to fit the require-
ment of model checking and verify several properties of a sim-
ple concurrent program under the specific conditions. The model
contains the simulation of hardware and software aspects. More-
over, we do not construct any mathematical proof, the PROMELA
language is C-like that anyone can rebuild at any stages of the
system life cycle by their own (the effort of this paper is about 7
man-months and the Piko/RT is still in development) and the veri-
fication time is within one day (3 hours for safety property). This
means model checking have its advantage on verifying a real-world
system at the early stage comparing to the system optimized for
formal verification.
However, there are still some defects in this paper that need to
be accomplished.
(1) The cost (time and memory usage) of adding one process
to verify is too expensive in checking the OS source code.
There are two possible ways to deal with. First, split the
model into several layers and verify each layer one by one.
Another way is to construct proof by hand, Delzanno et al.
[8] has proved that using a limited number of process can
represent the situation of n processes in Spin.
(2) How to claim the abstract model and the real-world system
are truly homogeneous. One possible way is to construct a
mechanism that extract the PROMELA model from the C
source code automatically rather than builds by human.
For the second point, we can not claim the model in this paper
is totally correct, yet. But we can tell the behave is similar to the
target system by adding assert, analyzing the unreached statements
or error message, and applying the test cases. In this paper, we use
condition variable to deal with the mutual exclusion problem. We
also adapted a mutex test case before, and currently, we are trying
to deal with the idle thread problem to look inside the behavior of
the model.
REFERENCES
[1] June Andronick, Corey Lewis, Daniel Matichuk, Carroll Morgan, and Chris-
tine Rizkallah. 2016. Proof of OS Scheduling Behavior in the Presence of
Interrupt-Induced Concurrency. In Interactive Theorem Proving - 7th Interna-
tional Conference, ITP 2016, Nancy, France, August 22-25, 2016, Proceedings. 52–68.
https://doi.org/10.1007/978-3-319-43144-4_4
[2] ARM Limited 2014. ARMv7-MArchitecture Reference Manual. ARM Limited. https:
//developer.arm.com/docs/ddi0403/e/armv7-m-architecture-reference-manual.
[3] Mordechai Ben-Ari. 2008. Principles of the Spin Model Checker (1 ed.). Springer-
Verlag London.
[4] B. Blackham, Y. Shi, S. Chattopadhyay, A. Roychoudhury, and G. Heiser. 2011.
Timing Analysis of a Protected Operating System Kernel. In 2011 IEEE 32nd
Real-Time Systems Symposium. 339–348. https://doi.org/10.1109/RTSS.2011.38
[5] Phillip Burr. 2016. ARM CPU Solutions for IoT. (Aug. 2016). Retrieved April 12,
2018 from https://www.arm.com/files/pdf/20160830_03_ARM_CPU_Solutions_
for_IoT_PhillipBurr.pdf Product Marketing Manager CPU Group, ARM.
[6] Edmund M. Clarke. 2008. 25 Years of Model Checking. Springer-Verlag, Berlin,
Heidelberg, Chapter The Birth of Model Checking, 1–26. https://doi.org/10.1007/
978-3-540-69850-0_1
[7] EdmundM. Clarke, Jr., Orna Grumberg, and DoronA. Peled. 1999.Model Checking.
MIT Press, Cambridge, MA, USA.
[8] Giorgio Delzanno, Michele Tatarek, and Riccardo Traverso. 2014. Model Checking
Paxos in Spin. In Proceedings Fifth International Symposium onGames, Automata,
Logics and Formal Verification,Verona, Italy, 10th - 12th September 2014 (Electronic
Proceedings in Theoretical Computer Science), Adriano Peron and Carla Piazza
(Eds.), Vol. 161. Open Publishing Association, 131–146. https://doi.org/10.4204/
EPTCS.161.13
[9] Gerard J. Holzmann. 2003. Spin Model Checker, the: Primer and Reference Manual
(first ed.). Addison-Wesley Professional.
[10] Gerard J. Holzmann. 2014. Mars Code. Commun. ACM 57, 2 (Feb. 2014), 64–73.
https://doi.org/10.1145/2560217.2560218
[11] Gerard J. Holzmann. 2018. Spin - Formal Verification. (2018). Retrieved April 11,
2018 from http://spinroot.com
[12] Jim Huang, Yen-Kuan Wu, and Louie Lu. 2018. pikoRT. (2018). Retrieved April
11, 2018 from https://github.com/PikoRT/pikoRT
[13] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock,
Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael
Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. 2009. seL4: Formal
Verification of an OS Kernel. In Proceedings of the ACM SIGOPS 22Nd Symposium
on Operating Systems Principles (SOSP ’09). ACM, New York, NY, USA, 207–220.
https://doi.org/10.1145/1629575.1629596
[14] Leslie Lamport. 1977. Proving the Correctness of Multiprocess Programs. IEEE
Trans. Softw. Eng. 3, 2 (March 1977), 125–143. https://doi.org/10.1109/TSE.1977.
229904
[15] Leslie Lamport. 1987. A Fast Mutual Exclusion Algorithm. ACM Trans. Comput.
Syst. 5, 1 (Jan. 1987), 1–11. https://doi.org/10.1145/7351.7352
[16] Susan Owicki and David Gries. 1976. An Axiomatic Proof Technique for Par-
allel Programs I. Acta Inf. 6, 4 (Dec. 1976), 319–340. https://doi.org/10.1007/
BF00268134
[17] Joseph Yiu. 2013. The Definitive Guide to ARM Cortex-M3 and Cortex-M4 Processors
(3rd ed.). Newnes, Newton, MA, USA.
[18] Haitao Zhang, Toshiaki Aoki, and Yuki Chiba. 2015. A Spin-Based Approach
for Checking OSEK/VDX Applications. In Formal Techniques for Safety-Critical
Systems, Cyrille Artho and Peter Csaba Ölveczky (Eds.). Springer International
Publishing, Cham, 239–255.
