Pervasive System Verification: Distributed Real Time Systems - PowerPoint PPT Presentation

1
Pervasive System Verification: Distributed Real
Time Systems
  • W. Paul
  • Universität Saarbrücken
  • scientific overall project leader (wiss. Gesamtprojektleiter)
  • BMBF project Verisoft
  • www.verisoft.de

2
Overview
  • (Part of) Verisoft Project
  • ISA
  • memory management (Charme 2005)
  • C0 compiler (SEFM 2005)
  • OS kernel (TPHOLs 2005)
  • Automotive Subproject (ICCD 2005 lecture notes:
    http://www-wjp.cs.uni-sb.de/lehre/vorlesung/rechnerarchitektur2/ws0506/temp/060302_CA2_AUTO.pdf)
  • ISA in (distributed) real time systems
  • serial interfaces
  • FlexRay (like) bus interfaces
  • processor interfaces on a bus
  • program correctness and worst case execution time
    (WCET)
  • OSEKTime (like) real time OS
  • modelling applications by automata

3
Verisoft Mission
  • Develop (paper and pencil theory,) tools and
    methods for pervasive system verification
  • hardware
  • system software
  • communication system
  • applications
  • CLI stack style
  • Demonstrate with applications of industrial
    interest

4
Verisoft
  • Consortium
  • Infineon, T-Systems, BMW, AbsInt, OneSpin
    Solutions (2005: 14 Mio venture capital)
  • TU Munich, Uni SB, TU Darmstadt, Uni Koblenz
  • DFKI, MPI, OFFIS
  • Funding
  • 3.5 Mio /year
  • now in 3rd year

5
Verisoft (continued)
  • Maximize insight/

6
Project Structure
  • Tools
  • interactive provers Isabelle HOL and VSE
  • Hoare logic
  • integration of automatic methods
  • Demonstrators
  • textbook (everything public)
  • hardware (Infineon, OneSpin Solutions)
  • automotive (BMW, AbsInt)
  • biometric identification system (T-Systems)

7
tools example
  • Hoare logic for C0 (PhD thesis Norbert Schirmer)
  • int treated as natural numbers, BUT
  • guards generated for each arithmetic operation
    (prove x < 2^32)
  • usually discharged automatically (like array
    bounds check)
  • automatic termination analysis (A. Podelski)
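
The guard mechanism on this slide, as an added example that is not part of the slides or of the Verisoft tools: every arithmetic operation of a C0-style expression yields a proof obligation that its mathematical result stays below 2^32 (and, because the model uses naturals, at or above 0, which is this example's own extension), and a simple interval analysis over the precondition tries to discharge the obligations automatically, the way an array bounds check is usually discharged. All names (Var, Const, BinOp, guards_for, discharge), the expression syntax and the sample expressions are this example's assumptions.

```python
"""Overflow guards for 'int as natural numbers' arithmetic (added example).

Each BinOp in an expression gets a guard 0 <= result < 2^32 evaluated over
the unbounded integers, i.e. with no wrap-around.  Interval arithmetic over
the variable ranges of the precondition discharges most guards; whatever
stays open is either a real overflow/underflow or needs the interactive prover.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

WORD = 2 ** 32                   # int values of the 32-bit target live in [0, 2^32)
Interval = Tuple[int, int]       # closed interval [lo, hi] over the mathematical integers


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Const:
    value: int


@dataclass(frozen=True)
class BinOp:
    op: str            # one of '+', '-', '*'
    left: "Expr"
    right: "Expr"


Expr = Union[Var, Const, BinOp]


def show(e: Expr) -> str:
    if isinstance(e, Var):
        return e.name
    if isinstance(e, Const):
        return str(e.value)
    return f"({show(e.left)} {e.op} {show(e.right)})"


def guards_for(e: Expr) -> List[BinOp]:
    """One proof obligation per arithmetic operation, innermost first."""
    if isinstance(e, BinOp):
        return guards_for(e.left) + guards_for(e.right) + [e]
    return []


def interval(e: Expr, env: Dict[str, Interval]) -> Interval:
    """Interval arithmetic over the unbounded integers (the Hoare logic's view)."""
    if isinstance(e, Const):
        return (e.value, e.value)
    if isinstance(e, Var):
        return env[e.name]
    lo1, hi1 = interval(e.left, env)
    lo2, hi2 = interval(e.right, env)
    if e.op == "+":
        return (lo1 + lo2, hi1 + hi2)
    if e.op == "-":
        return (lo1 - hi2, hi1 - lo2)
    if e.op == "*":
        corners = [lo1 * lo2, lo1 * hi2, hi1 * lo2, hi1 * hi2]
        return (min(corners), max(corners))
    raise ValueError(f"unsupported operator {e.op!r}")


def discharge(e: Expr, env: Dict[str, Interval]) -> Tuple[List[str], List[str]]:
    """Try to discharge every guard of e from the variable ranges in env.
    Returns (proved, still_open); an open guard is a potential overflow
    or underflow that the automatic check could not rule out."""
    proved, still_open = [], []
    for g in guards_for(e):
        lo, hi = interval(g, env)
        obligation = f"0 <= {show(g)} < 2^32"
        if 0 <= lo and hi < WORD:
            proved.append(obligation)
        else:
            still_open.append(f"{obligation}   (range [{lo}, {hi}])")
    return proved, still_open


# Constructed sample expressions: a buffer size computation and an index decrement.
SIZE_EXPR = BinOp("+", BinOp("*", Var("len"), Const(4)), Const(16))
DECR_EXPR = BinOp("-", Var("i"), Const(1))

if __name__ == "__main__":
    for env in ({"len": (0, 1000)}, {"len": (0, 2 ** 30)}):
        print(env, discharge(SIZE_EXPR, env))
    print({"i": (0, 10)}, discharge(DECR_EXPR, {"i": (0, 10)}))
```

With len bounded by 1000 both guards of `len * 4 + 16` are proved; with len up to 2^30 the product can reach exactly 2^32, so both guards stay open, which is the overflow a wrap-around model would silently accept. The decrement `i - 1` stays open for i in [0, 10] because the result -1 is not a natural number, and is proved once the precondition gives i ≥ 1.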

8
textbook system
  • underwent Lipton-DeMillo-Perlis screening
  • VAMP processor (Charme 04/05)
  • out of order, precise maskable interrupts, IEEE
    compatible FPU, split cache, MMUs
  • C0 compiler (SEFM 05)
  • CVM generic operating system kernel (TPHOLs 05)
  • Disk and drivers (ICCD 05)
  • Simple OS
  • TCP/IP
  • SMTP email client
  • electronic signature

Diss. D. Kröning ...
9
A side remark: VAMP hardware
  • synthesized (suggestion of C. Jacobi)
  • very high-end controller
  • 1.5 Mio gate equivalents
  • never tested
  • up and running
  • some results of multiplication of denormalized
    numbers ≠ results of certain (for normalized
    numbers verified) Intel FPUs

10
systems with industry partners
  • Infineon, OneSpin Solutions: TriCore2 (high end
    controller)
  • T-Systems:
  • PC (VAMP, C0, CVM, Simple OS)
  • card reader
  • chip card, biometric algorithms (not verified)
  • cryptographic protocols
  • BMW, AbsInt: reverse engineered/public (ICCD 05)
  • VAMP/TriCore2
  • FlexRay like bus interface (with SIO and clock
    synchronisation)
  • OSEKTime like real time OS (CVM dialect)
  • Worst case execution time (WCET)

11
virtual machines, configuration d
[figure: virtual machine configuration d: CPU with registers d.R, virtual memory d.vm(i)]
12
virtual machines, next state c, store word
[figure: the store word step writes from d.R into d.vm(i)]
  • no page fault interrupts

13
physical machines
  • swap memory c.sm
  • registers
  • d.mode
  • d.pto (page table origin)
  • d.ptl (page table length)
  • address translation if d.mode = 1
  • page fault interrupts
[figure: physical machine: swap memory d.sm(j), physical memory d.pm(i), registers d.R]
14
address translation (sequential)
  • virtual address va
  • va = (va.px, va.bx)
  • px page index,
  • bx byte index
  • d DLX configuration
  • pma(d, va): physical memory address of va
  • hardware support by MMUs
  • pipelined realisation not trivial (self
    modification of page tables possible)
  • formally verified (Charme 05)
15
Simulation of virtual machines by phys. machines
  • dV.vm(va) =
  • d.pm(pma(va)) if pt(d, va.px).v = 1 (in cache)
  • d.sm(sma(va)) otherwise
  • d.pm is a cache for dV.vm
  • theorem: phys. DLX + page fault handler simulates
    virtual DLX
  • liveness: do not swap out the most recently loaded
    page
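
The simulation relation and the liveness remark of this slide, as an added example that is not from the slides or the Verisoft proofs: a tiny physical machine with frames, swap memory and a page table with valid bits runs a store-word instruction that touches a code page and a data page; the page fault handler keeps the relation vm(va) = pm(pma(va)) if valid, else sm(sma(va)), and the example shows that a handler which evicts the most recently loaded page never completes the instruction, while one that never evicts it does. The page size, the page-table format, the class and function names (PhysMachine, PageFault, run_store, scenario) and the sample memory contents are this example's own assumptions, not DLX or VAMP details.

```python
"""Virtual memory simulated by physical memory + swap (added example).

PAGE is tiny so that the state fits in the reader's head.  The handler must
bring in the faulting page without evicting the page loaded just before:
a store needs its code page and its data page resident at the same time.
"""
from typing import Dict, List, Optional, Tuple

PAGE = 4  # words per page (assumption; real pages are far larger)


class PageFault(Exception):
    def __init__(self, px: int):
        super().__init__(f"page fault on page {px}")
        self.px = px


class PhysMachine:
    """Physical machine: frames pm, swap memory sm, page table pt with valid bit."""

    def __init__(self, vm_pages: Dict[int, List[int]], frames: int, evict_most_recent: bool):
        self.sm = {px: list(words) for px, words in vm_pages.items()}  # swap holds every page
        self.pm = [[0] * PAGE for _ in range(frames)]
        self.pt: Dict[int, Optional[int]] = {px: None for px in vm_pages}  # px -> frame, None = valid bit 0
        self.free = list(range(frames))
        self.resident: List[int] = []       # resident pages, oldest load first
        self.evict_most_recent = evict_most_recent
        self.faults = 0

    def pma(self, va: int) -> int:
        """Address translation va = (px, bx) -> physical address, or a page fault."""
        px, bx = divmod(va, PAGE)
        if self.pt[px] is None:
            raise PageFault(px)
        return self.pt[px] * PAGE + bx

    def read(self, va: int) -> int:
        pa = self.pma(va)
        return self.pm[pa // PAGE][pa % PAGE]

    def write(self, va: int, value: int) -> None:
        pa = self.pma(va)
        self.pm[pa // PAGE][pa % PAGE] = value

    def handler(self, px: int) -> None:
        """Page fault handler: swap page px in, evicting a victim when no frame is free."""
        self.faults += 1
        if self.free:
            frame = self.free.pop()
        else:
            # liveness: the victim must not be the page loaded most recently
            victim = self.resident.pop(-1 if self.evict_most_recent else 0)
            frame = self.pt[victim]
            self.sm[victim] = list(self.pm[frame])   # write back keeps sm equal to vm for the victim
            self.pt[victim] = None
        self.pm[frame] = list(self.sm[px])
        self.pt[px] = frame
        self.resident.append(px)

    def simulates(self, vm_pages: Dict[int, List[int]]) -> bool:
        """Simulation relation: vm(va) = pm(pma(va)) if pt(va.px).v = 1, else sm(sma(va))."""
        for px, words in vm_pages.items():
            frame = self.pt[px]
            if (self.pm[frame] if frame is not None else self.sm[px]) != words:
                return False
        return True


def touch(phys: PhysMachine, va: int) -> int:
    """Read va, running the handler until the access succeeds (used to warm up)."""
    while True:
        try:
            return phys.read(va)
        except PageFault as f:
            phys.handler(f.px)


def run_store(vm_pages: Dict[int, List[int]], phys: PhysMachine, code_va: int,
              data_va: int, value: int, max_faults: int = 20) -> bool:
    """One store-word step: fetch at code_va, write value at data_va.
    The virtual machine sees no faults; the physical machine retries the
    instruction after each handler run.  False = no progress within max_faults."""
    start = phys.faults
    while phys.faults - start < max_faults:
        try:
            phys.read(code_va)            # instruction fetch
            phys.write(data_va, value)    # data access of the store
            break
        except PageFault as f:
            phys.handler(f.px)
    else:
        return False
    px, bx = divmod(data_va, PAGE)
    vm_pages[px][bx] = value              # the virtual machine's own step
    return True


def scenario(evict_most_recent: bool) -> Tuple[Dict[int, List[int]], PhysMachine, bool]:
    """Constructed run: 4 virtual pages, 2 frames, code on page 0, data on page 1."""
    vm = {px: [px * 10 + i for i in range(PAGE)] for px in range(4)}
    phys = PhysMachine(vm, frames=2, evict_most_recent=evict_most_recent)
    touch(phys, 2 * PAGE)                 # fill both frames with unrelated pages 2 and 3
    touch(phys, 3 * PAGE)
    ok = run_store(vm, phys, code_va=0 * PAGE + 1, data_va=1 * PAGE + 2, value=99)
    return vm, phys, ok


if __name__ == "__main__":
    for policy in (False, True):
        vm, phys, ok = scenario(policy)
        print("evict most recent:", policy, "completed:", ok, "faults:", phys.faults,
              "simulation relation holds:", phys.simulates(vm))
```

With the safe policy the store completes after two faults (code page, then data page) and the relation holds afterwards, including for the two evicted pages, which now live in swap. With the unsafe policy the data page evicts the freshly loaded code page, the retried fetch evicts the data page again, and the loop runs until the fault budget is exhausted.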

16
C0: Pascal with C syntax
  • Hoare logic
  • equivalent to big-step operational semantics
  • shallow embedding in Isabelle/HOL very productive
    (1 page code/person week)
  • Small-step operational semantics
  • used for interleaving of programs (kernel/several
    users)
  • imports results from Hoare logic

17
C0 configurations (M. Norrish)
  • c = (pr, rd, lms, hm)
  • pr program rest
  • rd recursion depth
  • lms: {0, ..., recursion depth} → local memories
  • hm heap memory
  • parameters
  • TT: type names → type descriptors
  • FT: function names → types × bodies
  • subvariables
  • (m,i)17.gpr3
  • value of pointers: subvariables!
[figure: memory m with subvariable (m,i): virtual address va(c,(m,i)), size(m,i), ba(m,i)]
18
function call semantics
[figure: call of function id with argument expressions e_i; top(c) before and after the call, new local memory lms(0)]
19
simulation relation consis(c, alloc, d)
[figure: C0 variables y and p mapped by alloc(c,y) and alloc(c,p) into the virtual memory d.vm]
20
step by step simulation
  • proof: induction on T
  • for c-consis: folklore theorem about the second
    statement of the program rest
21
second statement of program rest
[figure: cases call, return, ifte, while; function bodies body(f), body(g)]
22
  • c'.pr: what is next(c.pr, s) = head(r')?
  • s ≠ return

23
key observation/ folklore theorem
24
C0A: C0 with inline assembler code
25
CVM: Communicating Virtual Machines
  • abstract (pseudo) parallel user model of the
    kernel
  • cvm = (ca, ..., vm(i), ..., vmsize(i), ..., cp, ...)
  • ca: C0 configuration of abstract kernel k
  • vm(i): DLX configuration of the i'th user
  • cp = 0: kernel running (current process)
  • cp = i: vm(i) running
  • parameter: kernel call definition
  • trap i calls function kcd(i) of kernel k
  • No inline code in CVM; user processes visible in
    the parallel model!

26
CVM implementation by concrete kernel K ∈ C0A
  • additional data structures of K
  • PCB(i): process control block (save/restore
    registers)
  • pt: page tables
  • spt: swap memory page tables
  • formal theory of linking
  • ...

27
CVM semantics and implementation (1)
28
CVM semantics and implementation (2)
29
CVM semantics and implementation (3)
30
CVM correctness
  • step by step simulation
  • cp = 0: compiler correctness
  • cp > 0: virtual memory simulation
  • at borders (save/restore, startnext) or when copying
    data between users: use inline assembler semantics
  • induction with 3 computations
  • cvm with abstract kernel k and users vm(i)
  • phys. DLX
  • concrete kernel K
  • Formal induction hypothesis formulated

31
Induction step
  • Case c.cp = c'.cp = 0 (system running)
  • C0 code: compiler + linker correctness
  • Case c.cp = c'.cp = u > 0 (user running)
  • virtual memory simulation
  • case fault handler/disk driver/C0A
  • Case c.cp ≠ c'.cp (process switch user/system)
  • C0A code
  • Case c.cp = 0, CVM primitive (e.g. copy)
  • C0A code
  • We are in the process of combining the formal
    proofs for the cases

32
automotive application: e-call (automatic emergency
call)
  • e-call exercises
  • CPUs
  • network interface (flex ray like)
  • drivers
  • real time operating system

33
Verisoft subproject Automotive (layer stack)
  • ecall (several ECUs)
  • FlexRay (like)
  • OSEKTime (like)
  • CVM (generic academic kernel)
  • TriCore2/VAMP processor
  • gates/registers
34
ISA programmers model I
[figure: ECU v with processor dv.p and f-interface dv.f attached to the f-bus (fbus); slot s of round r]
35
ISA programmers model II
[figure as on slide 34]
36
solve 4 problems in 1 theory!
[figure as on slide 34]
37
Pure WCET above the RTL level of the processor
  • is either based on measurements
  • which usually guarantee nothing
  • or
  • is like guaranteeing a speed of at least 4.07 km/h
    for this car
  • because
  • cache penalties can affect the execution time of an
    ISA instruction by a factor of 100

38
set up time, hold time, clock drift
[figure: sender S with clock cks and receiver R (R' after sampling) with clock ckr on the f-bus; clock edges es(i), er(j); setup time ts, hold time th]
39
serial interface, low level clock sync
[figure: sender S (send buffer sb, automaton, start) → f-bus → receiver R (automaton, receive buffer rb)]
40
f-interface hardware
[figure: send buffer h.f.sb(par) and receive buffer h.f.rb(par); timer h.f.timer counting mod ns+1 and mod T with overflow ovf; slot s, cycle cy; slot start ts(r,s), slot end te(r,s); send/off]
41
f-bus schedule
[figure: slot (r,s) from ts(r,s) to te(r,s); ECU send(s) transmits, ECUs x and u receive; u(r,s), u((r,s)+1)]
42
f-bus schedule
[figure as on slide 41]
43
memory mapped I/O
[figure: CPU with registers d.p.R (R = gpr(x), pc, dpc, ...) and memory d.p.m; f-interface d.f at base address ba in the memory map; inputs dfin, dti]
44
isolating the nondeterminism
[figure as on slide 43]
45
simulation relation
[figure: hardware memory system: main memory mainm, icache and dcache, each addressed by ad with data d]
46
scheduling functions
[figure: pipeline stages k and k']
47
processor correctness
[figure: out-of-order pipeline: IF, issue, reservation stations, functional units, mem, mem1, ROB, WB]
48
Correctness proof for uninterrupted computations
49
Worst Case Execution Time (WCET)
50
OSEKTime (like) programming model
  • A(i,j): application i on ECU j
  • C0 programs
  • code(A(i,j)): ISA programs
  • FTCom (like) OS data structure on ECU j
  • shared variables SV(j)[x], each < l bytes
  • Schedule during slot s
  • A(run(j,s),j) runs on ECU j
  • System calls: application A(i,j) can
  • read each SV(j)[x] by system call ttrec(x, Var)
  • write each SV(j)[x] by system call ttsend(x, Var)
  • ttex: return to OS (HALT)
  • Broadcast during slot s
  • SV(send(s))[broadcast(s)] is broadcast
  • readable from all SV(j)[broadcast(s)] in slot
    s+1

51
OSEKTime (like) implementation, slot s
  • CVM on each ECU j
  • driver Rec: copy rb into SV(j)[broadcast(s-1)]
  • schedule A(run(j,s),j) for running: cp = run(j,s)
  • startnext: run ISA program (virtual machine)
    code(A(run(j,s),j))
  • until trap
  • or extra timer interrupt for non-trusted programs
  • driver Send: copy SV(j)[broadcast(s+1)] into sb
  • if j = send(s+1)
  • an idle loop
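
The programming model and the slot implementation of the two slides above, as an added executable model that is not from the slides or from OLOS: each ECU holds its shared variables SV(j) and the bus buffers sb/rb; in every slot the Rec driver delivers the previous frame, the scheduled application runs its ttrec/ttsend/ttex system calls, and the Send driver prepares the frame for the next slot. Applications are generators that yield system calls; the timer interrupt for non-trusted programs is modelled as a budget of system calls; the schedule functions run, send and broadcast, the class and function names (Ecu, run_app, run_slot, simulate) and the three sample applications are this example's own assumptions.

```python
"""Slot-level model of an OSEKTime-like OS on several ECUs (added example)."""
from typing import Callable, Dict, Generator, List, Tuple

SysCall = Tuple                                     # ("ttrec", x) | ("ttsend", x, v) | ("ttex", result)
AppFactory = Callable[[int, int], Generator[SysCall, object, None]]   # (j, s) -> application run


class Ecu:
    """ECU j: FTCom-like shared variables SV(j)[x] plus the f-interface buffers."""

    def __init__(self, j: int, nvars: int):
        self.j = j
        self.sv: List[object] = [None] * nvars    # SV(j)[x]
        self.sb: object = None                    # send buffer
        self.rb: object = None                    # receive buffer
        self.log: List[object] = []               # results handed to ttex, for inspection


def run_app(ecu: Ecu, app: AppFactory, s: int, budget: int = 8) -> str:
    """Run A(i,j) in slot s: serve ttrec/ttsend until ttex.
    A program that never calls ttex is stopped by the timer interrupt,
    modelled as a budget of system calls (assumption)."""
    gen = app(ecu.j, s)
    reply: object = None
    try:
        for _ in range(budget):
            call = gen.send(reply)
            reply = None
            if call[0] == "ttrec":
                reply = ecu.sv[call[1]]
            elif call[0] == "ttsend":
                ecu.sv[call[1]] = call[2]
            elif call[0] == "ttex":
                ecu.log.append(call[1])
                return "ttex"                       # return to OS: HALT
            else:
                raise ValueError(f"unknown system call {call!r}")
    except StopIteration:
        return "ttex"
    return "timer"


def run_slot(ecus: List[Ecu], s: int, run, send, broadcast,
             apps: Dict[Tuple[int, int], AppFactory], budget: int = 8) -> Dict[int, str]:
    """Slot s on every ECU: driver Rec, application A(run(j,s),j), driver Send."""
    # driver Rec: rb holds the frame broadcast during slot s-1 (none before slot 2)
    if s >= 2:
        for e in ecus:
            e.sv[broadcast(s - 1)] = e.rb
    # f-bus: during slot s the frame prepared by ECU send(s) reaches every rb
    if s >= 1:
        frame = ecus[send(s)].sb
        for e in ecus:
            e.rb = frame
    events = {}
    for e in ecus:
        app = apps.get((run(e.j, s), e.j))
        events[e.j] = run_app(e, app, s, budget) if app else "idle"
        # driver Send: the frame for slot s+1 is the current value of SV(j)[broadcast(s+1)]
        if e.j == send(s + 1):
            e.sb = e.sv[broadcast(s + 1)]
    return events


def simulate(n_slots: int = 8) -> Tuple[List[Ecu], List[Dict[int, str]]]:
    """Constructed system: 3 ECUs, 3 shared variables, ECU s mod 3 broadcasts SV[s mod 3] in slot s."""
    ecus = [Ecu(j, 3) for j in range(3)]
    send = lambda s: s % 3
    broadcast = lambda s: s % 3
    run = lambda j, s: 0                            # one application per ECU, scheduled every slot

    def producer(j, s):                             # ECU 0: publishes a new value of SV[0] every slot
        yield ("ttsend", 0, 100 + s)
        yield ("ttex", None)

    def consumer(j, s):                             # ECU 1: reads SV[0] and hands it to ttex
        v = yield ("ttrec", 0)
        yield ("ttex", v)

    def runaway(j, s):                              # ECU 2: non-trusted, never calls ttex
        while True:
            yield ("ttrec", 0)

    apps = {(0, 0): producer, (0, 1): consumer, (0, 2): runaway}
    events = [run_slot(ecus, s, run, send, broadcast, apps) for s in range(n_slots)]
    return ecus, events


if __name__ == "__main__":
    ecus, events = simulate()
    print("values seen by the consumer per slot:", ecus[1].log)
    print("how each slot ended on ECU 2:", [ev[2] for ev in events])
```

The run shows the latency the model promises: the value 102 that the producer writes into SV(0)[0] in slot 2 is copied into sb at the end of slot 2 (ECU 0 = send(3)), transmitted during slot 3 as broadcast(3), and is readable from SV(j)[0] on every ECU from slot 4 on; the consumer reads None for four slots, then 102, then 105 in slot 7. The runaway application ends every slot with the timer interrupt and never blocks the other ECUs.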

52
(local) C0 with OS data structures
53
parallel model for one slot
54
OLOS: OSEKTime (like) OS
On slot level: communicating automata
55
Uniform formal theory
  • Models
  • detailed timing
  • digital hardware
  • ISA
  • C0 semantics
  • small step
  • big step
  • Hoare Logic
  • C0A
  • CVM
  • OLOS
  • communicating automata
  • Correctness proofs
  • serial interface
  • clock sync
  • processor devices
  • WCET
  • compiler
  • kernel
  • driver
  • OS
  • (applications)

56
Uniform formal theory (continued)
  • Models: detailed timing ... communicating automata
  • Correctness proofs: serial interface ... OS,
    (applications)
  • Handling all this formally requires a shared
    repository of
  • tools
  • definitions
  • constructions
  • proofs
  • documentation