MEMICS - Memory Interval Constraint Solving of (concurrent) Machine Code

Dirk Nowotka\(^1\), Johannes Traub\(^2\)

\(^1\)Department of Computer Science, Kiel University,
dn@informatik.uni-kiel.de
\(^2\)E/E- and Software-Technologies, Daimler AG,
johannes.traub@daimler.com

Abstract: Runtime errors occurring sporadically in automotive control units are often hard to detect. A common reason for such errors are critical race conditions. The introduction of multicore hardware enables software to be run in parallel, and hence, drastically increases the vulnerability to such errors. Race conditions are difficult to discover by testing or monitoring, only. Hence, a static analysis of code is required to effectively reduce the occurrence of such errors. In this paper we introduce a new Bounded Model Checking tool, which in its core is an Interval Constraint Solver, operating on a machine code based model and is able to handle memory instructions directly. As control units are usually running on task-based operating systems like AUTOSAR or OSEK, our tool features a task model, which is able to handle sequential and concurrent task scheduling.

1 Introduction

Every control unit used in the automotive environment, e.g. driver assistance systems, is running on software systems and it is obvious that the reliability, safety, and security of such systems is of utmost importance. Possible runtime errors software can suffer from are e.g. arithmetic overflows, division by zero, NULL pointer dereferences, race conditions, stack overflows. A detailed list of runtime errors is shown in Section 3 in Table 1. Especially race conditions are hard to detect even in software running on singlecore hardware, however when it comes to multicore hardware it is far more difficult. A common task in the verification of software is the search for such runtime errors. The complexity of this problem is quickly growing with the complexity of the software itself and made much worse when parallel hardware is involved.

In contrast to common static analysis tools like Astrée [CCF+05] and Polyspace [pol], which analyse the source code via Abstract Interpretation [CC77a] and may suffer from potential false positives, this paper is focused on the formal verification of software. One of the techniques used in formal verification of software is Bounded Model Checking (BMC) [BCC+03]. In BMC a model, which in this case is the structural representation of the software, is unrolled up to some fixed depth and passed to a standard proof engine. Such a proof engine is e.g. a SAT-/SMT-Solver, which is used to solve the satisfiability (SAT)
problem or the satisfiability modulo theories (SMT) problem, like in CBMC [CKL04], F-Soft [IYG+04], and LLBMC [SFM10]. The main challenges that we address with the proposed tool are

- **Efficient model unrolling** which does directly affect the size of the formula,
- **Internal handling of memory access** of the code to be verified, and
- **Implementation of a task model** which provides the possibility to check software implementing a task-based operating system like AUTOSAR [Con] and OSEK [ose].

In the following, we elaborate on the aforementioned points and after that conclude the introduction by pointing out where our tool MEMICS advances the state of the art.

### 1.1 Model Unrolling

In Bounded Model Checking there exist various ways of unrolling the model. The two major approaches are: external and internal. In the external variant the model is first unrolled into a logic formula and then passed to an independent proof engine. In each run the engine is started with an entirely new formula. Hence, it cannot reuse assignments already learnt from previous runs. In case of the internal variant the proof engine is directly embedded into the Model Checking tool. This allows for reusing already learnt clauses from previous runs achieved by conflict analysis during the search process. A Model Checker supporting internal unrolling is HySAT [FHT+07].

In [Tra10] we came up with the approach to use HySAT as proof engine in order to take advantage of the Bounded Model Checker and its underlying Interval Constraint Solver. Our approach was working fine for small problems. However, with the problem size exceeding around a hundred lines of code, HySAT was not able to handle the resulting model any more. We located the bottleneck inside the internal unrolling procedure of HySAT. In each iteration every variable of the HySAT model is newly initialized with its defined interval, unless it is not forced to keep its value of the current iteration. Due to that reason each variable representing a memory location must be encoded to store its value as long as the location is not part of a write operation in the current iteration. Therefore, the model and respectively the resulting formula are quickly growing to a prohibitively large size.

### 1.2 Interval Constraint Solving

Interval Constraint Solving (ICS) is a technique used to find a solution for a SMT input problem, but compared to a SMT-Solver ICS is operating on variable ranges. The search procedure of ICS, which is used in HySAT, is very similar to the common search algorithm used in standard SAT-/SMT-Solvers. An example of such a search algorithm based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [DLL62] is given in the Fig. 1. The main difference between ICS and this algorithm resides within the two functions
decide() and bcp(). Instead of computing a new variable decision in decide() the ICS computes new interval bounds for the variable to decide. A default splitting strategy for the interval \([min, max]\) can be \([min, \frac{max+min}{2}]\) and \([\frac{max+min}{2}, max]\). The function bcp() - abbreviating “boolean constraint propagation” - serves as an in place substitute for “interval constraint propagation” (icp) in ICS. In icp the current interval decision gets propagated through all the clauses containing the affected variable. If there exists a clause, which is false under the current interval decision, icp returns this clause as the conflict clause. If this conflict can not be resolved the input formula is unsatisfiable. If no conflicting clause exists the search procedure continues.

```
while (true) {
    if (!decide())
        return SAT;
    while (!bcp()) {
        if (!resolveConflict())
            return UNSAT;
    }
}
```

Figure 1: Basic Search Algorithm of a SAT-Solver from Chaff [MMZ+01].

1.3 Memory Access

Memory Access is a big challenge in BMC of software, because it has to be encoded into a logical formula. The memory access instruction for a n-byte integer with a common memory representation where an address has a size of one byte may have the following logic encoding:

\[
\text{load: } \quad result_0 = \text{memory}[address] \land \\
\left( \bigwedge_{i=1}^{n} result_i = result_{i-1} \land (\text{memory}[address + i] \ll (i \times 8)) \right)
\]

\[
\text{store: } \quad \bigwedge_{i=0}^{n} \text{memory}[address + i] = (\text{value} \gg (i \times 8)) \& \& 0xff
\]

Every memory access, which depends on a variable with a type-size of greater than one byte, results in at least two clauses in the logic formula. If the variable itself is a pointer, it can point to \(m\) different memory addresses, which results in \(m\) times bytesize(variable) clauses. Hence, the logic encoding of a function with memory access and even containing some pointers can quickly reach an enormous size.
1.4 Task Model

The introduction of a task model requires a proper scheduling mechanism. Scheduling in task-based operating systems like AUTOSAR and OSEK is based on different priorities per task and whether a task is preemptive or not. Also, interrupt service routines (ISRs) have to be considered, as an ISR is able to interrupt every task. To provide a proper logic encoding of such a task model and its scheduler is a big challenge. Especially the unrolling procedure has to be efficient, since all possible interleavings between tasks and ISRs have to be considered, which might quickly lead to a state explosion in the logic encoding.

In the present paper we introduce a new BMC tool consisting of an interval constraint solver, which

- handles memory access internally,
- supports floating point variables,
- is capable of handling sequential and concurrent task-based systems, and
- can reuse already learnt clauses from conflict analysis of previous iterations.

The introduction of this tool is located in Section 2. Section 3 shows some results of our implementation from several test runs on a set of testcases. Finally, we conclude our paper in Section 4 and also discuss potential future work.

2 The MEMICS tool

The MEMICS Model Checker operates based on the architecture shown in Fig. 2. First, the C/C++ source code is compiled into the LLVM Intermediate Representation (IR) [Lat] using the Clang [Fan10] compiler front-end of LLVM [LA04]. Second, the MEMICS model is created by invoking the LLVM code generator on the LLVM IR. The actual MEMICS process starts with unrolling the model into a logic encoding in Static Single Assignment [CC77b] form, which results in a set of clauses. If this set of clauses is empty, the model is safe. If not, the solve process is started. In case the solver does not find a solution for the current state, the next iteration step is computed. If the current state is satisfiable, the solver encountered a runtime error and has a valid counterexample.

The LLVM IR still features data structures like arrays and pointers. In addition the LLVM environment allocates virtual memory for each local variable in a function. Instead of providing a new lowering mechanism, when it comes to the transformation into a proper logic encoding, we decided to reuse the one already provided inside the LLVM Code Generator. As the LLVM IR is based on a MIPS like instruction set, we chose the MIPS Assembly language as a base for the MEMICS model. Hence using the LLVM Backend and the resulting MIPS Assembly Language to generate our model has the following advantages:
no dereferenciation of pointers,

- no derivation of Phi functions, and

- no assurance of memory allocation for local variables.

The only memory instructions, which we need to deduce, are those for heap based memory management: malloc and free.

2.1 The MEMICS Model

The model, the ICS operates on, is the state transition system $M$, consisting of a set of states $S = \{s_1, \ldots, s_n\}$ (the instructions) and a set of transitions $T = \{t_1, \ldots, t_m\}$. A transition $t_i$ is defined as the 4-tuple: $< s_i, a, c, s_i' >$. Where $s_i$ is the current state or instruction, $a$ the actual action to execute, $c$ an obligatory condition to take the transition, and finally $s_i'$ the successor state. The instruction set our model is operating on, is derived from the MIPS Assembly Language [Swe06]. In order to properly handle this language our model also features a representation of a MIPS-CPU. Therefore the model has 32 variables representing the 32-bit registers, a stack pointer register and as well a program counter register in order to traverse over the transition system. Our model supports as many processor cores as required, where each core has the same amount of internal registers including a separate program counter register as well as a separate stack pointer register. The model also contains a vector of byte sized intervals representing the memory. The access to the memory, which is part of the solver itself, is described in Section 2.2.
2.1.1 Task Model

The task model is a set of tasks $R = \{r_1, \ldots, r_p\}$, where each task $r_j$ consists of a subset of states $S' = \{s_{j1}, \ldots, s_{jk}\} \subseteq S$ of the MEMICS model $M$ and a subset of transitions $T' = \{t_{j'1}, \ldots, t_{j'\ell}\} \subseteq T$. A transition $t_i$ of a task is defined as the following 11-tuple:

$$< s_{i'}, a, c, s_{i''}, idle, run, start, wait, preempt, prio, freq >,$$

where $s_{i'}$, $a$, $c$, and $s_{i''}$ are defined as in the MEMICS model. The other components are required to provide a proper scheduling mechanism, where idle, run, start, and wait represent the current status of the task, preempt states whether it is preemptive or not, prio defines its priority and freq is the frequency, which the task is started with. The MEMICS model has also been equipped with a clock $clk$, in order to define the scheduling. The logic encoding of a non-conditional instruction is for example defined as:

$$(s_{i'} \land run \rightarrow a \land s_{i''}) \land (s_{i'} \land \lnot run \land \lnot wait \rightarrow s_{i'})$$

The first implication is used to execute the current instruction of a task, if the task is running, otherwise the second implication takes place, which keeps the tasks waiting. In Fig. 3 the scheduling of a task is illustrated. The task can only be in one of the states: idle, start, run, wait at once. If a task is idle and the rule $clk \mod (freq - 2) == 0$ holds the start flag of the task is enabled. From start the task will either be set to run or wait, according to its priority. Finally if a task finished it will be set to idle again. Please note, that the state idle is not implemented into the logic, hence it can be represented as: $\lnot run \land \lnot wait \land \lnot start$.

Figure 3: Scheduling of task

For a proper scheduling of all tasks on each core the following rules must hold, where the priority of $t_i$ is higher than the priority of $t_k$:

1. $\sum_{j=1}^{n} run_j \leq 1$

2. $start_i \land \bigwedge_{f=1}^{i-1} start_f + run_f = 0 \land \bigwedge_{k=i+1}^{n} run_k + preempt_k \leq 1$

$$\rightarrow run_i \land wait_k$$

$^1$Please note, $wait_k$ is enabled if an according task was running $run_k$
3. \( \text{start}_i \land \bigwedge_{f=1}^{i-1} \text{start}_f + \text{run}_f > 0 \lor \bigwedge_{k=i+1}^{n} \text{run}_k + \text{preempt}_k = 2 \)
   \( \rightarrow \text{wait}_i \)

4. \( \text{wait}_i \land \bigwedge_{f=1}^{i-1} \text{wait}_f + \text{run}_f = 0 \land \bigwedge_{k=i+1}^{n} \text{run}_k + \text{preempt}_k \leq 1 \)
   \( \rightarrow \text{run}_i \land \text{wait}_k \) \( \lor \)

5. \( (\text{clk}) \text{ modulo } (\text{freq}_i - 2) = 0 \rightarrow \text{start}_i \)

The first rule ensures that only one task is running in a cycle per core. With the second rule, we assure that from a set of tasks to be started only that task with the highest priority is enabled, unless there is no task running with a higher priority or a non-preemptive one. All other tasks also having the start flag set are set to wait according to the third rule. The fourth rule ensures only that waiting task with the highest priority becomes active unless no task with higher priority or a non-preemptive one is running. The last rule guarantees that each task is correctly started according to its frequency. Note, since run is only valid one cycle after start and start also needs one cycle to become active, start has to be set two cycles in advance.

In our model we handle an interrupt service routine (ISR) as a task with highest priority. The only difference compared to a task is that an ISR can occur in every cycle. With this task model we are also able to handle POSIX threads. Each thread can be treated as a task as well, except it only gets started once after its creation, but can still be interrupted.

### 2.1.2 Efficient Model Unwinding

In this BMC approach the model is not entirely unrolled in each iteration, instead the model is only unwound instruction per instruction. For all instruction types the unwinding process is self-evident, except the branch instructions have to be considered separately. Fig. 4 shows an example of an instruction list containing a branch and a jump instruction. The branch instruction \((s_i)\) has two possible successor instructions. If the condition \(\text{cond}\) is fulfilled the successor instruction is \(s_l\), otherwise \(s_{l+1}\). In SAT-/SMT-Solver a decision made on the root-level (0) is irreversible. All other decisions are hypothetical and can be cancelled. Hence, to unroll a branch instruction based on the condition \(\text{cond}\) two cases have to be taken in account:

![Figure 4: Linked Instruction List containing a Branch Instruction \((s_i)\) and a Jump Instruction \((s_k)\).](image)
1. If \( \text{cond} \) has a pending decision, which was made on decision level (DL) 0:
   \( \Rightarrow \) Either if \( \text{cond} \) is true only instruction \( s_i \) is unrolled,
   \( \Rightarrow \) or if \( \text{cond} \) is false only instruction \( s_{i+1} \) is unrolled.

2. If \( \text{cond} \) has a pending decision, which was made on any decision level greater than 0 or has no pending decision:
   \( \Rightarrow \) Both instructions \( s_{i+1} \) and \( s_i \) are unrolled.

If the second case occurs the list of next instructions to unroll increases, but is still a lot smaller than as all instructions were to be unrolled in each iteration.

The described unrolling procedure can also be applied to the task model. Like a branch instruction a task instruction has two possible successor instructions. If it is running the successor instruction is the next instruction in line and if it is waiting it is the instruction itself. In case the variables \( \text{run} \) and \( \text{wait} \) of a task have an assignment on DL zero, only the corresponding instruction is going to be unrolled.

### 2.2 The MEMICS Solver

The solver of MEMICS is an Interval Constraint Solver, for which the overall solve process is shown in Fig. 5.

```c
01: bool solve() {  
02:     if (!init())  
03:         return false;  
04:     do {  
05:         if (!update())  
06:             result = false;  
07:         else  
08:             if (endOfFile)  
09:                 return false;  
10:             result = search();  
11:         } while (result != true);  
12:     return true;  
13: }
```

Figure 5: The Solve Process of MEMICS.

First, the solver gets initialized in function \( \text{init}() \) (Fig.5 line 02) with the registers of the model and the initial instructions. Then the actual procedure begins, which runs until either a runtime error has occurred or no further instruction is reachable. The unrolling process of the model is represented by the function \( \text{update}() \) (Fig.5 line 06). In this procedure the successor instruction(s), which are reachable from the current state(s) of the model, are transformed into a set of clauses in conjunctive normal form (CNF). The variables occurring in these clauses are in SSA form. If this set of clauses is empty no further instructions are reachable, indicating the safety of the model. Otherwise the search
process is invoked. In case the search also did not find any runtime error, the procedure continues with the next unrolling step. If the process has finished without finding any runtime error, the model and the corresponding source code is free of runtime errors. Please note, this result is only valid for those runtime errors our solver can currently detect. All discovered errors are architecture specific. There might exist architectures on which errors, that we find, do not hold. We also have to state that there is currently no support for passing specific bounds for the unrolling of internal loops, but the user can set an overall model unrolling bound.

```plaintext
01: bool search() {
02:     while (true) {
03:         conflict = icp();
04:         if (conflict) {
05:             if (DL == 0)
06:                 return false;
07:             level = analyze(conflict, learnt);
08:             backtrackAndAddLearnt(level, learnt);
09:         } else {
10:             if (!decide())
11:                 return true;
12:         }
13:     }
14: }
15: }
```

Figure 6: The Search Process of MEMICS.

Fig. 6 illustrates the overall search procedure. Initially, interval constraint propagation is used in function `icp()` (Fig. 6 line 03) to apply the new interval deductions to the current system, which occurred while adding the new clauses in `update()` (Fig. 5 line 05). If this propagation leads to a conflict on decision level (DL) zero, a conflict on the root level has been found. This indicates that the formula of the current iteration is unsatisfiable. If the conflict does not occur on the root level, the reasons for this conflict are computed in `analyze()` (Fig. 6 line 07). The result of this process is a clause eliminating this conflict for the succeeding runs, which is added to the system. On the other hand if no conflict occurred, there also exist two possible cases. If there exists no assignment for all variables leading to a run time error, which means that the model is “safe” (in the current iteration) and the solve process continues. If not, the next variable is picked from the variable queue, a new interval decision is computed for it and the process continues in line 3.

### 2.2.1 Memory Access Handling

In order to handle memory access the instruction set of the solver contains load and store instructions, as well as malloc and free instructions.

The load instruction (32-bit value) is defined as:

```
lw <target-register, base-address + offset>
```
The target-register is a common 32-bit variable and the base-address + offset the address inside the memory vector of the model. The base-address is either the current value of the stackpointer register sp, or it can also be a value stored in a common register. If the resulting address from base-address + offset is outside the allocated range of the base-address an index out of bound error is thrown. When interpreting the instruction, the solver reads the 4 bytes starting at the base-address and assigns the corresponding value to the target-register. The load instructions lb (8-bit value) and lh (16-bit value) operate likewise.

The syntax of the store instruction (32-bit value) is defined as:

\[ sw <\text{source-register, base-address + offset}> \]

This instruction as well as sb (8-bit value) and sh (16-bit value) are working analogously to the load instructions.

### 2.2.2 Memory Allocation

In order to support dynamic memory management, we have equipped the solver with the table \( MT = \{m_1, \ldots, m_n\} \), where an entry \( m_i \) is defined as the tuple \( m_i = <\text{address, size}> \). The instruction set has also been extended with the instructions malloc and free. The new instructions are defined as:

\[ \text{malloc} <\text{target-register, size}> \]
\[ \text{free} <\text{base-address}> \]

Whenever a malloc instruction occurs, the solver consults the table, returns the first available address by considering the required size and marks that area occupied by inserting an entry into the table. In case of a free instruction, the solver searches for the base-address inside the table. This search process can lead to three different results:

1. The base-address is found and the memory addresses according to the size entry in the table get cleared.
2. In case the base-address is found but at least one of the memory addresses is already freed, which results in a double free error.
3. If the base-address is not found, it results in an invalid free error.

### 2.3 Race Condition

A race condition [NM92] is a type of defect, where access to shared data among different tasks/threads is leading to undefined behaviour of the software itself. One kind of race condition is a lost update, which is described in the following example.
**Lost update example**  Assumed there are two tasks, task A and task B, which are concurrently executed on different cores. Task A is reading a global variable `ext1` twice. But in between the to read operations task B has written an new value to `ext1`. Unless that behaviour is claimed, task B continues with a corrupt value. Using the instruction set of the MEMICS model a load and store transition can have the logic encoding:

\[
s_i' \land \text{run}_{\text{task}_i} \rightarrow lw(dest, ext1) \land lw_{\text{task}_i}.ext1_k = \text{clk}_x \land s_i''
\]

\[
s_j' \land \text{run}_{\text{task}_j} \rightarrow sw(value, ext1) \land sw_{\text{task}_j}.ext1_l = \text{clk}_y \land s_j''.
\]

Using this encoding, the following rule has to hold for \( o > m \) in order to find a lost update error as described above:

\[
lw_{\text{task}_i}.ext1_o - lw_{\text{task}_i}.ext1_m < \text{freq}_{\text{task}_i} \land \\
lw_{\text{task}_i}.ext1_o > sw_{\text{task}_j}.ext1_p \land sw_{\text{task}_j}.ext1_p > lw_{\text{task}_i}.ext1_m
\]

### 3 Results

The implementation of the MEMICS tool was tested on a test set containing different types of runtime errors based on the error classes from the Common Weakness Enumeration (CWE) [cwe] database. In Table 1 the results of a comparison between our tool and CBMC and LLBMC are shown.

<table>
<thead>
<tr>
<th>Class</th>
<th>Benchmark</th>
<th>CWE-ID</th>
<th>MEMICS</th>
<th>CBMC</th>
<th>LLBMC</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Arithmetic</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>DivByZeroFloat</td>
<td>369</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>DivByZeroInt</td>
<td>369</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>IntOver</td>
<td>190</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td><strong>Memory</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>DoubleFree</td>
<td>415</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>InvalidFree</td>
<td>590</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>NullDereference</td>
<td>476</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>PointertToStack</td>
<td>465</td>
<td>✓</td>
<td>-</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>SizeOfOnPointers</td>
<td>467</td>
<td>✓</td>
<td>-</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>UseAfterFree</td>
<td>416</td>
<td>✓</td>
<td>-</td>
<td>✓</td>
</tr>
<tr>
<td><strong>Pointer Arithmetic</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>Scaling</td>
<td>468</td>
<td>✓</td>
<td>-</td>
<td>✓</td>
</tr>
<tr>
<td></td>
<td>Subtraction</td>
<td>469</td>
<td>✓</td>
<td>-</td>
<td>✓</td>
</tr>
<tr>
<td><strong>Race Condition</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>LostUpdate</td>
<td>567(^2)</td>
<td>✓</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>MissingSynchronisation</td>
<td>820</td>
<td>✓</td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>Synchronization</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>DeadLock</td>
<td>833</td>
<td>✓</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>DoubleLock</td>
<td>667</td>
<td>✓</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

Table 1: Results of MEMICS compared to CBMC and LLBMC

The first column of the table shows the overall class the test cases reside in and column two shows their subclasses. In the third column the official CWE-ID of each subclass is given.

\(^2\)We did not find a straight forward ID for a lost update, but the example in this entry describes one.
With that id, one can look up the detailed description of the runtime error on the CWE website. Column three shows the results of our MEMICS tool, compared to CBMC in column four and LLBMC in column five, where ✓ represents a correct verification result, - a false one and a whitespace signals that the tool does not support the class of the test cases.

The results provided in Table 1 show that our MEMICS tool is already able to handle a wide range of test cases and in contrast to BMC tools like CBMC and LLBMC is able to identify concurrency issues like race conditions and synchronization problems. In order to give an example on how our tool is dealing with a task based system, Fig. 7 shows a portion of C code implementing a global variable signal, a global event trigger and two tasks, a 1ms and a 100ms one. The 1ms task is first reading from the global variable signal (line: 06) and then assigns 1 to it (line: 07). The 100ms task assigns the value from signal to its local variable x (line: 12) and is, in the following, waiting for the event trigger (line: 13). Once the event occurred, the 100ms task checks if the value contained in signal is negative (line: 15). If it is negative the previous local variable is assigned with its absolute value (line: 16). This scenario describes a lost update error, as described in the example in Section 2.3. The configuration for the system of the task example (Fig. 7) is shown in Fig. 8. The system features a processor with two cores

```c
01: int signal;
02: event trigger;
03: void task_1ms()
04: {
05: int x = 2*signal;
06: signal = 1;
07: ...
08: }
09: 
10: void task_100ms()
11: {
12: int x = signal;
13: wait_on(trigger);
14: if (signal < 0)
15: x = -x;
16: ...
17: }

Figure 7: Simple Task Based System: task.c
```

```c
BASE {
    NUMOCORES = 2,
    FREQUENCY = 100,
    MEMSIZE = 256
};
TASK {
    NAME = task_100ms,
    FREQUENCY = 100,
    PRIORITY = 1,
    CORE = 1,
};
TASK {
    NAME = task_1ms,
    FREQUENCY = 1,
    PRIORITY = 1,
    CORE = 0,
};
EVENT {
    NAME = trigger,
    FREQUENCY = 0.1
};

Figure 8: System Configuration File to the Task Example: example.conf
```
running at 100MHz and 256MB of main memory, assigns the 1ms task to the first and
the 100ms task to the second core, and defines the event trigger to be raised every
100µs.

The resulting output of our MEMICS tool applied to the task example from Fig. 7 with the
configuration from Fig. 8 is shown in Fig. 9. It shows that our tool finds a lost update error
as described above. On top of that our tool is able to print the entire trace leading to the
error by adding the option -print-counterexample. Currently this output is only
provided in a MIPS like assembly style and is therefore not shown here, but a mapping
back to the C/C++ code is work in progress.

```
user@memics:~/$ memics -task-conf=example.conf task.c

Model is CORRUPTED
Run time error: lost update
occurred in file: task.c @ line: 15
  if (signal < 0)
in conflict with statement @ line: 9
    signal = 1;
triggered from line: 12
  int x = signal;
```

Figure 9: MEMICS called on the Task Example Code.

### 4 Conclusions and Future Work

In this paper we have introduced the new MEMICS tool for software verification. Its core
is a new Interval Constraint Solver, that is directly operating on a machine code based
model and is capable of handling memory access internally. In addition, the model, our
tool is working on, features an efficient model unrolling strategy. The results from Section
3 have shown that our tool can already verify a large number of error classes. In compari-
son to tools like CBMC and LLBMC, our tool is able to handle software implementing a
task-based operating system like AUTOSAR or OSEK. On top of that it is already capable
of handling concurrent software. The last point is essential, as the growing application of
multicore processors especially in the field of embedded devices, leads to the need of a
method for the verification of concurrent software.

The main goal we want to achieve in the near future is to test our tool on industry software
in order to check its scalability. Another huge aspect is to find a suitable partitioning
strategy for our model, to run the verification process itself in parallel. This task is of large
relevance as the complexity of concurrent software is, compared to sequential software,
growing very fast, especially with increasing size.
References


