
    Formal Executable Models for Automatic Detection of Timing Anomalies

    A timing anomaly is a counterintuitive timing behavior in the sense that a locally fast execution slows down the overall global execution. The presence of such behaviors is inconvenient for WCET analysis, which requires, via abstractions, a certain monotonicity property in order to compute safe bounds. In this paper we explore how to systematically execute a previously proposed formal definition of timing anomalies. We ground our work on formal designs of architecture models, upon which we employ guided model checking techniques. Our goal is the automatic detection of timing anomalies in given computer architecture designs.

    An Approach for Verifying Concurrent C Programs

    As software systems and their complexity grow rapidly, software correctness becomes more and more a crucial issue. We address the problem of verifying functional properties of a real-time operating system (microkernel) implemented in C. We present a work-in-progress approach for formally specifying and verifying concurrent C programs directly based on the semantics of C. The basis of this approach is to automatically translate C code into a TLA+ specification, which can be checked by the TLC model checker. We define a set of translation rules and implement them in a tool (C2TLA+) that automatically translates C code into a TLA+ specification. Generated specifications can be integrated with manually written specifications that provide primitives that cannot be expressed in C, or that provide abstract versions of the generated specifications to address the state-explosion problem.

    Towards Time-triggered Component-based System Models

    In this paper, we propose a methodology for producing a correct-by-construction Time-Triggered (TT) physical model, starting from a high-level model of the application software in Behaviour, Interaction, Priority (BIP). BIP is a component-based framework with formal semantics that rely on multi-party interactions for synchronizing components. Commonly in TT implementations, processes interact with each other through a communication medium. Our methodology transforms, depending on a user-defined task mapping, high-level BIP models in which communication between components is strongly synchronized into a TT physical model that integrates a communication medium. Thus, only inter-task communications and the components participating in such interactions are concerned by the transformation process. The transformation consists of: (1) breaking the atomicity of actions in components by replacing strong synchronizations with asynchronous send/receive interactions, (2) inserting communication media that coordinate the execution of inter-task interactions according to a user-defined task mapping, (3) extending the model with an algorithm for handling conflicts between different communication media, and (4) instantiating task components and adding local priority rules for handling conflicts between inter-task and intra-task interactions. We also prove the correctness of our transformation, which preserves safety properties.

    I. INTRODUCTION

    A Time-Triggered (TT) system initiates all system activities (task activation, message transmission, and message detection) at predetermined points in time. Ideally, in a time-triggered operating system there is only one interrupt signal: the ticks generated by the local periodic clock. These statically defined activation instants enforce regularity and make TT systems more predictable than Event-Triggered (ET) systems. This approach is well suited for hard real-time systems.

    In [1] and [2], Kopetz presents an approach for real-time system design based on the TT paradigm which comprises three essential elements. The global notion of time: it must be established by periodic clock synchronization in order to enable TT communication and computation. The temporal control structure of each task: in a sequence of computational or communication processes (called tasks), the start of a task is triggered by the progression of the global time, independently of the data involved in the task. The worst-case execution time, and thus the worst-case termination instant, are also assumed to be known a priori. These statically predefined start and worst-case termination instants define the temporal control structure of the task.

    C2TLA+: Automatic Translation of C Code to TLA+

    In this paper we are interested in automating the translation of C source code into a model written in the TLA+ specification language. We propose a tool, C2TLA+, to automate the passage from C source code to a model written in a language combining a temporal logic with a logic of actions, so that it can be verified by the TLC model checker. This paper illustrates the representation and translation rules used to go from an implementation to a TLA+ specification.

    Correct Transformation of High-Level Models into Time-Triggered Implementations

    A number of component-based frameworks have been proposed to tackle the complexity of the design of concurrent software and systems and, in particular, to allow modelling and simulation of critical embedded applications. Such design frameworks usually provide a capability for automatic generation of C++ or Java code, which has to be compiled for the selected target platform. Thus, guaranteeing hard real-time constraints is, at best, difficult. On the other hand, a variety of Real-Time Operating Systems (RTOSs), in particular those based on the Time-Triggered (TT) paradigm, guarantee the temporal and behavioural determinism of the executed software. However, such TT-based RTOSs do not provide high-level design frameworks enabling the scalable design of complex safety-critical real-time systems. In this report, we combine the advantages of the two approaches by deriving correct-by-construction TT implementations from high-level componentised models. We present an automatic semantics-preserving transformation from RT-BIP (Real-Time Behaviour-Interaction-Priority) to PharOS, a safety-oriented RTOS implementing the TT paradigm. The transformation has been implemented; we prove its correctness and illustrate it with a realistic case study.

    Temporal Analysis of Data Acquisition Systems: An Approach Based on Communicating Timed Automata and Observers

    In the context of real-time process control applications, this thesis proposes a theory and formal tools for temporally characterizing the delay of data acquired about the state of the process, an acquisition performed through dedicated software called a driver. The context and field of study of the thesis are based on the elements making up a data acquisition chain in a process control setting, the different temporal characteristics, and the approaches for evaluating them with respect to the data flows carried through the acquisition chain. This work relies on a set of theoretical foundations required for this characterization, in particular communicating timed automata, labelled transition systems and the formal verification of properties on these automata, especially observers. We first propose to formalize the principles of evaluating the temporal properties of data flows. The approach focuses on the behaviour of the occurrences of a data flow in an acquisition chain and on setting up observation for the evaluation of their temporal characteristics, especially delay. Next, we give the technical keys to modelling our approach in IF, and we propose modelling examples for some elements of the acquisition chain, as well as the modelling of observation for evaluating temporal characteristics. This modelling relies on two different approaches to modelling the acquisition chain, one at the specification level and another at the implementation level. Finally, we give the results of the proposed approach on example acquisition chains, and we present several possible uses of the results obtained (parametrization or tuning of an equipment driver, determination of the delay language for an acquisition chain).
    In the end, the study of delay evaluation shows the influence of the driver's configuration parameters on the delays of the data processed by the application.

    Preface to the VECoS 2020 & 2021 special issue of ISSE

    This special issue contains extended versions of selected papers from the 14th and 15th editions of the International Conference on Verification and Evaluation of Computer and Communication Systems (VECoS 2020/21).

    Formal evaluation of Quality of Service for data acquisition systems

    In the field of real-time control applications, validation relies on precise knowledge of the temporal characteristics of the data used, such as delays and loss rates. These data are provided by dedicated software called a driver. Consequently, it is necessary to evaluate the impact of the driver on the QoS (Quality of Service) of the data. This work proposes a formal model of data drivers based on communicating timed automata and shows how parameters of the driver impact the provided QoS of the data.

    Externalisation of Time-Triggered communication system in BIP high level models

    To target a wider spectrum of Time-Triggered (TT) implementations of hard real-time systems, we consider approaches for building component-based systems that provide a physical model from a high-level model of the system and TT specifications. The obtained physical model is thus suitable for direct transformation into the languages of specific TT platforms. In addition, if these approaches provide correctness-by-construction, they can help to avoid monolithic a posteriori validation. In this paper, we focus on the TT interface concept of the TT paradigm, and we present a method that transforms the interactions in a classic BIP (Behavior, Interaction, Priority) model into a TT interface by source-to-source transformations. The method is based on the successive application of two types of source-to-source transformation: transfer function internalisation, and n + 1-ary connector to TT interface transformation. The first simplifies the connector transfer functions by modifying the component automata. The second transforms connectors with simple transfer functions into TT interfaces.