Analysis-Aware Design of Embedded Systems Software Thesis by Mihai Florian In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy California Institute of Technology Pasadena, California 2014 (Submitted November 6, 2013) ii © 2014 Mihai Florian All Rights Reserved iii To my family and friends. iv Acknowledgements I would like to extend my gratitude to my advisor, Dr. Gerard J. Holzmann, for many insightful discussions that led to the ideas presented in this thesis and for his support throughout my time at Caltech and JPL. This work would not have been possible without his distinguished mentorship. I am extremely grateful to have had the privilege of working with and learning from Gerard. I would like to thank my committee: Prof. K. Mani Chandy, Dr. Klaus Havelund, Dr. Rajeev Joshi, and Prof. Richard Murray for their valuable advice and support. I am thankful to Klaus for his mentorship and for his suggestions for improving this thesis. I also want to thank Rajeev for sharing some of his ideas with me. My graduate student life at Caltech would not have been as pleasant without my close friends Alexandra, Annie, Dan, Ned, and Paula. I want to thank them all for our time together. I am thankful to my dear friend Andreea for her support and for keeping me motivated. I would like to thank the CS department at Caltech. I am indebted to Maria Lopez for making my life in the department a lot simpler. Last, but not least, I am thankful to my parents, Alexandru and Lodovica, for their love and continuous support. The work was supported by NSF Grant CCF-0926190. v Abstract In the past many different methodologies have been devised to support software development and different sets of methodologies have been developed to support the analysis of software artefacts. We have identified this mismatch as one of the causes of the poor reliability of embedded systems software. The issue with software development styles is that they are “analysis-agnostic.” They do not try to structure the code in a way that lends itself to analysis. The analysis is usually applied post-mortem after the software was developed and it requires a large amount of effort. The issue with software analysis methodologies is that they do not exploit available information about the system being analyzed. In this thesis we address the above issues by developing a new methodology, called “analysis- aware” design, that links software development styles with the capabilities of analysis tools. This methodology forms the basis of a framework for interactive software development. The framework consists of an executable specification language and a set of analysis tools based on static analysis, testing, and model checking. The language enforces an analysis-friendly code structure and offers primitives that allow users to implement their own testers and model checkers directly in the lan- guage. We introduce a new approach to static analysis that takes advantage of the capabilities of a rule-based engine. We have applied the analysis-aware methodology to the development of a smart home application. vi Contents Acknowledgements iv Abstract v 1 Introduction 1 1.1 Motivation . 1 1.2 Analysis-Aware Design . 3 1.3 Design-Aware Analysis . 4 1.4 Outline . 5 2 Background 6 2.1 Interactive Analysis . 6 2.2 Formal Semantics and Type Systems . 8 2.3 Static Analysis . 10 2.4 Concrete and Symbolic Testing . 11 2.5 Model Checking . 13 3 Analysis-Aware Design 15 3.1 Overview . 15 3.2 Language Features That Facilitate Analysis . 17 3.3 Concurrency Model . 19 3.4 Memory Model and Ownership Model . 20 3.5 Syntax . 21 vii 3.6 Type System . 38 3.7 Semantics . 45 3.7.1 Expression Evaluation . 45 3.7.2 Small-step Operational Semantics . 48 3.7.3 Transition Systems . 48 3.7.4 State Representation . 49 3.7.5 The Transition Relation . 50 3.7.6 Semantics in the Presence of a Scheduler Process . 51 4 Design-Aware Analysis 52 4.1 Interactive Analysis . 52 4.2 Type Checking . 54 4.3 Static Analysis . 64 4.3.1 The Control Flow Graph . 65 4.3.2 Static Analysis Framework as a Rule-based Engine . 65 4.3.3 The CLIPS Language . 67 4.3.4 Encoding the Abstract Syntax Tree and the Control Flow Graph . 69 4.3.5 Computing the Reachability Relation . 71 4.3.6 Examples of Static Analysis Rules . 71 4.4 Dynamic Analyses . 76 4.4.1 Closing an Open System . 76 4.4.2 Testing . 85 4.4.3 Model Checking . 90 5 Case Study: A Smart Home 98 5.1 Architecture . 99 5.2 Interfaces . 100 5.3 Specifications . 103 viii 5.4 Implementation . 111 5.5 Analysis . 114 6 Conclusions and Future Directions 119 6.1 Summary . 119 6.2 Future Directions . 121 A Notation 123 A.1 Preliminaries . 123 A.2 Language Syntax . 126 A.3 Proof Format . 127 B Details of the Semantics 129 B.1 Proof of Lemma 3 . 129 B.2 Expression Evaluation . 130 B.3 Proof of Theorem 1 . 132 Bibliography 135 ix List of Figures 3.1 interactive development . 16 3.2 a running program in AAL . 20 3.3 a small AAL program . 21 3.4 systems in AAL . 22 3.5 modules in AAL . 23 3.6 examples of modules in AAL . 24 3.7 interfaces in AAL . 25 3.8 an example of an interface in AAL . 26 3.9 schedulers in AAL . 26 3.10 configurations in AAL . 28 3.11 an example of a configuration in AAL . 28 3.12 processes in AAL . 29 3.13 example of a process in AAL . 30 3.14 scheduler processes in AAL . 31 3.15 reflection API in AAL . 31 3.16 types in AAL . 32 3.17 examples of types in AAL . 33 3.18 variables and constants in AAL . 33 3.19 functions in AAL . 34 3.20 expressions in AAL . 35 3.21 lvals in AAL . 36 x 3.22 statements in AAL . 37 4.1 screen shot of the IDE . 53 4.2 incorrect recursive type declarations and definitions . 55 4.3 correct recursive type declarations and definitions . 55 4.4 the type checking algorithm for programs . 57 4.5 the type checking algorithm for statements . 57 4.6 the type checking algorithm for assignments . 58 4.7 the type checking algorithm for variable definitions . 59 4.8 the type checking algorithm for user defined function calls . 59 4.9 the type checking algorithm for if statements . ..