1. Introduction

2. Related Works

• B. Schlich studies a new method for verifying the assembly code of model checking software for microcontrollers [4]. A simulator based on static analysis constructs a state space, abstracts time, handles non-determinism, and over-approximates the behavior exhibited by the actual microcontroller. On the other hand, our previous paper has developed a model checker that uses static and dynamic analysis, such as undefined values [5]. This paper and the reference [4] adopt different approaches as follows. In the reference, when the model checker requests a successor to a state it has not yet generated, the state space generates the successor on the fly using the simulator. In this paper, the verification system completes the state transition system and passes it to the simulator.
  This article generates the entire CFG upfront. The latter is bette [4]r and we will achieve it in the future.
• B. Schlich et al. have studied IHER to reduce the number of Interrupt Handler executions [3]. B. Schlich et al. also study various abstraction techniques based on static program analysis [6]. In this paper, we extend this IHER.
• S. Yamane and others conducted a study using IHER to enable verification using SMT solvers [7] together with Assembly Code Block (ACB) [8]. We focus on timer interrupt and does not use SMT solver for verification.
• Matthew Kuo and others [9] calculate the Worst-Case Response Time (WCRT) using reachability to analyze the assembly code. However, the model is different from our study, Matthew Kuo and others generate TCCFG (Timed Concurrent Control Flow Graph) by static analysis from each assembly code, but we verify microcontrollers that run on a single thread and perform model checking.
• Wu Yajun [10] defined a timed Kripke structure and verified its real-time nature. Timed Kripke structure is nondeterministic finite automaton but it is not appropriate for our study because its model does not hold the instruction element of the program. We have to control a model by the value of the program counter and the edges should hold the instruction.
• R. Alur and D. L. Dill studied timed automata [11]. Timed automaton is an extension of a finite state automaton and is a model that describes the system by both discrete event and continuous time-lapse according to state transitions. On the other hand, in this study, we develop timed CFA for the execution time of assembly program. Our study is different from timed automata. The proposed structure deals with discrete time in our study, and we use the execution time of each instruction of the assembly program in each state.
• The previous study in reference [12] reduces timer interrupts to include real-time performance. On the other hand, this study differs in that it does not consider real-time performance but defines the algorithm more concretely and conducts experiments using multiple timer interrupts in a case study.
• Recently, L. Lihao et al. proposed an efficient verification of low-level embedded C software with interrupts based on partial-order coding and symbolic execution [13]. On the other hand, this paper verifies an assembly program with an algorithm that also reduces timer interrupts based on the reduction of the number of interrupt handlers by IHER; if the method of Lihao Liang et al. is adopted, nested interrupts can be handled effectively in this paper.

3. IHER

• Detect dependencies between IHs
  Step 1 performs when two or more IHs exist. $i,j\in$ IH depend on each other if either of the following conditions is true. Access here means both writing and reading.
  • one IH enables or disables the other IH,
  • one IH writes to a memory location accessed by the other IH, or
  • one IH writes to the memory location used in an atomic proposition (AP).
  Examples of APs include a variable being equal to a certain value. IHs that manipulate the memory location of an AP manipulate the core of the program. So, It is therefore necessarily associated with all IHs. In other words, only one IH is mentioned, and if one IH writes the memory location used by the AP, then all IHs are dependent on each other.
• Detect dependencies between program locations and IHs
  step 2 shows the conditions under which two labels, the $executio{n}_i$ label and the $barrie{r}_i$ label, are attached on locations to detect dependencies between the program and IH. An $executio{n}_i$ label allows the execution of an IH executed after the execution of the program instruction. On the other hand, the label $barrie{r}_i$ denotes that there exists a dependency between that program location and an IH, and therefore, this IH needs to be executed before the instruction at that location is executed. In determining the label, we assume that program location k is a direct predecessor of program location l. Let program location k be a direct predecessor of program location l. Formally, for each $i\in IH$, l is labeled with $executio{n}_i$ if one of the following conditions is satisfied:
  • k enables or disables i,
  • k writes a memory location that i accessed, or
  • k writes a memory location that is used in an AP.
  Also, for each $i\in$ IH, a program location l is labeled with $barrie{r}_i$ if one of the following conditions is satisfied.
  • i writes a memory location that l accessed,
  • l enables or disables i,
  • l writes a memory location that i accessed, or
  • l writes a memory location that is used in an AP.
• Refine results
  Step 3 performs refinement on the $executio{n}_i$ label. Each $executio{n}_i$ label is moved until one of the following conditions is satisfied.
  • a program location labeled with $barrie{r}_i$ is reached,
  • a loop entry is found, or
  • a loop exit is found.
• Label blocking locations
  In the last step, all program node positions are labeled IH. At this point $i\in$ IH, we assign a $blockin{g}_i$ label to any location without an $executio{n}_i$ label.

4. Formal Model of an Assembly Program

-

L : a set of program locations,

-

$l{}_0$: $l{}_0\subset$L, and the initial location of the program,

-

O : a finite set of instructions in main (non-interrupt),

-

I : a finite set of executinos of interrupt handlers,

-

T : execution times such as OT and IT of each instruction in O and I at each program location,

-

→ : →⊆$L\times O\times OT\times I\times IT\times L$, the set of transition relations.

5. Proposed Method of timed IHER

5.1. Verification system

This subsection describes the verification system used in this paper. As a premise, this study uses the assembly code corresponding to the H8/3687F microcontroller [22] manufactured by Electronics Corporation as the verification target and conducts implementation and experiments. The details are explained in the experiment chapter. First, the assembly code is lexical analysis and syntax analysis by the lexer and parser, respectively. We use JFlex [23], and BYACC/J [24] for Java to develop Lexer and Parser. Next, Timed CFA is constructed from the memory map and the parsed code. Then, a static analysis called Timed IHER, the proposed method, is performed to output a Timed CFA with reduced interrupt executable locations. The Timed CFA is then input to the model checker along with the verification properties to confirm that the state space can be reduced.

Figure 2. Verification system.

Figure 2. Verification system.

5.2. Algorithm

The Timed IHER algorithm is described in Algorithm 1. The central idea is to suppress execution at the node of occurrence by strictly calculating the execution time not only for interrupts due to events but also for timer interrupts.

In step 1, the dependencies between interrupts are detected. This is detected under the same conditions as in existing research [3]. If the timer interrupt is ready to be executed, it must be executed in the same way as when the dependent interrupt is executed.

In step 2, the execution time is calculated and the label is determined. For this purpose, the labels are determined for each interrupt in order of execution priority, and the cases are divided into timer interrupts and other interrupts. In the latter case, the conventional $executio{n}_i$ and $barrie{r}_i$ are used to determine the label. In the former case, it first determines whether the total instruction execution time $T{M}_i$ exceeds the $period\_i{h}_i$, which is the timer period. Then, if the same conditions as for the $executio{n}_i$ label are satisfied, the $timer\_executio{n}_i$ is labeled with the node, and the execution time of the interrupt process is added to all $T{M}_i$, and $T{M}_i$ is assigned to it divided by $period\_i{h}_i$. If $T{M}_i$ has not exceeded $period\_i{h}_i$, the current timer time is stored in $pre\_time\left[j\right]\left[i\right]$ for use in step 3, $T{M}_i$ is assigned by subtracting it by $period\_i{h}_i$, and $pre\_timer\_executio{n}_i$ is labeled. Also, if the same conditions for the $barrie{r}_i$ label are satisfied, then the node should be labeled $timer\_barrie{r}_i$. Finally, the instruction time of the main program of the current node is added, and the next node is checked.

Algorithm 1:Timed IHER

In step 3, refinements are made to the $timer\_executio{n}_i$ and $executio{n}_i$ labels. The $timer\_executio{n}_i$ label is moved until reaching the $timer\_barrie{r}_i$ label, the entrance or exit of the loop. The $executio{n}_i$ label is moved until reaching the $barrie{r}_i$ label, the entrance or exit of the loop. If one of the following is satisfied, we label the node with the $timer\_executio{n}_i$ or $executio{n}_i$ and x is the node number after the transition. On the other hand, in case of $pre\_timer\_executio{n}_i$ label, we add the execution time of the instruction of the node which has passed to $pre\_time\left[j\right]\left[i\right]$ including instruction of interrupt when it reaches a node satisfied with the same conditions as the $timer\_executio{n}_i$ label in the transition. If this $pre\_time\left[j\right]\left[i\right]$ exceeds the $period\_i{h}_i$, the $timer\_barrie{r}_i$ is labeled, and we add the execution time of the interrupt to $pre\_time\left[j\right]\left[i\right]$ after the transitioned node destination. In other words, even if the timer period has not been elapsed in step 2, if it is elapsed at the destination, the execution of the timer interrupt is permitted. We can accurately calculate the time by adding the execution time to the timer of $pre\_timer\_executio{n}_i$ label and other timer interrupt after the node after the transition, to the extent that we did not add them in step 2.

In step 4, $blockin{g}_i$ is labeled to block interrupts at node positions other than those where no $executio{n}_i$ or $timer\_executio{n}_i$ are labeled. This is the algorithm of proposed method.

The reason for the subtraction at line 24 is to distinguish $pre\_timer\_executio{n}_i$ from the $timer\_executio{n}_i$ label and to prevent execution even though permission to execute has not been granted. For example, if both nodes before and after the $pre\_timer\_executio{n}_i$ label are converted to the $timer\_executio{n}_i$ label at step 3, and the node is actually executed, the timer at the later node may not have overflowed.

6. Experiment

7. Conclusions

References

1. Edmund, M. Clarke Jr., Orna Grumberg, Doron Peled. Model Checking. The MIT Press, 1999.
2. Schlich, B.; Kowalewski, S. Model checking C source code for embedded systems. Int. J. Softw. Tools Technol. Transf. 2009, 11, 187–202. [Google Scholar] [CrossRef]
3. Bastian Schlich, Thomas Noll, Jorg Brauer, and Lucas Brutschy. Reduction of interrupt handler executions for model checking embedded software. In Haifa Verification Conference, pp. 5?20. Springer, 2009.
4. Schlich, B. Model Checking of Software for Microcontrollers. ACM Trans. Embed. Comput. Syst. 2010, 9, 1–27. [Google Scholar] [CrossRef]
5. Yamane, S.; Konoshita, R.; Kato, T. Model checking of embedded assembly program based on simulation. IEICE Trans. Inf. Syst. 2017, 100, 1819–1826. [Google Scholar] [CrossRef]
6. Schlich, B.; Brauer, J.; Kowalewski, S. Application of static analyses for state-space reduction to the microcontroller binary code. Sci. Comput. Program 2011, 76, 100–118. [Google Scholar] [CrossRef]
7. Armando, A.; Mantovani, J.; Platania, L. Bounded model checking of software using SMT solvers instead of SAT solvers. Int. J. Softw. Tools Technol. Transf. 2009, 11, 69–83. [Google Scholar] [CrossRef]
8. Yamane, Satoshi; Kobashi, Junpei; Uemura, Kosuke. Verification Method of Safety Properties of Embedded Assembly Program by Combining SMT-Based Bounded Model Checking and Reduction of Interrupt Handler Executions. Electronics, 2020, 9.7: 1060.
9. Matthew Kuo, Roopak Sinha, and Partha Roop. 2011. Efficient WCRT analysis of synchronous programs using reachability. In Proceedings of the 48th Design Automation Conference (DAC ’11). Association for Computing Machinery, New York, NY, USA, 480?485.
10. Wu, Yajun, and Satoshi Yamane. "Model Checking of Real-Time Properties for Embedded Assembly Program Using Real-Time Temporal Logic RTCTL and Its Application to Real Microcontroller Software." IEICE TRANSACTIONS on Information and Systems 103.4 (2020): 800-812.
11. Alur, Rajeev, and David Dill. "The theory of timed automata." Real-Time: Theory in Practice: REX Workshop Mook, The Netherlands, ?7, 1991 Proceedings. Springer Berlin Heidelberg, 1992. 3 June.
12. KIRIYAMA, Taro; WU, Yajun; YAMANE, Satoshi. Reduction of Timer Interrupts for Embedded Assembly Programs Based on Reduction of Interrupt Handler Executions. In: 2021 IEEE 10th Global Conference on Consumer Electronics (GCCE). IEEE, 2021. p. 464-466.
13. Liang, L.; Melham, T.; Kroening, D.; Schrammel, P.; Tautschnig, M. Effective Verification for Low-Level Software with Competing Interrupts. ACM Trans. Embed. Comput. Syst. 2018, 17, 36:1–36:26. [Google Scholar] [CrossRef]
14. Peled, D. : Ten years of partial order reduction. In: Y. Vardi, M. (ed.) CAV 1998. LNCS, vol. 1427, pp. 17?28. Springer, Heidelberg (1998).
15. Browne, M.C.; Clarke, E.M.; Grumberg, O. Characterizing Finite Kripke Structures in Propositional Temporal Logic. Theor. Comput. Sci. 1988, 59, 115–131. [Google Scholar] [CrossRef]
16. Dirk Beyer, Thomas A Henzinger, Ranjit Jhala, and Rupak Majumdar, The software model checker blast. International Journal on Software Tools for Technology Transfer, Vol. 9, No. 5-6, pp. 505 525, 2007.
17. Muchnick, S. Advanced Compiler Design and Implementation; Morgan Kaufmann Publishers Inc.: Burlington, MA, USA, 1997. [Google Scholar]
18. Aho, A.V.; Sethi, R.; Ullman, J.D. Compilers: Principles, Techniques and Tools, 2 Revised ed of International ed.; Pearson: London, UK, 2006. [Google Scholar]
19. Toth, T.; and Majzik, I. : Formal Modeling of Real-Time Systems with Data Processing. In Pataki, B., editor(s), Proceedings of the 23rd PhD Mini-Symposium, pages 46-49, 2016.
20. Andreas Ermedahl, Jakob Engblom: Execution Time Analysis for Embedded Real-Time Systems. 2007.
21. Gang Hou, Weiqiang Kong, Kuanjiu Zhou, Jie Wang, Xun Cao, Akira Fukuda: Analysis of Interrupt Behavior Based on Probabilistic Model Checking. IIAI-AAI 2018: 86-91.
22. Corporation, R. E. : Renesas Electronics, Renesas Electronics Corporation (online), http://japan.renesas.com/.
23. JFlex-The Fast Scanner Generator for Java. 2015. Available online: http://jflex.de/ (accessed on 3 September 2022).
24. BYACC/J Java Extension. 2013. Available online: http://byaccj.sourceforge.net/ (accessed on 3 September 2022).
25. van Glabbeek, R., Weijland, W.: Branching time and abstraction in bisimulation semantics. Journal of the ACM 43(3), 555-600 (1996).
26. ZMP Inc. Nuvo R WHEEL. 2010. Available online: https://robot.watch.impress.co.jp/cda/news/2006/07/12/81.html (accessed on 3 September 2022).