Verifying Real-Time Software Is Not Reasonable (Today) - Abstract of Invited Talk

Verification is about demonstrating that a formal system holds certain properties. It is particularly important to verify safety-critical real-time control software, such as aircraft or automotive control systems. Unfortunately, many of the properties that need to be verified for such systems are not actually part of the formal system defined by the software. It therefore makes no sense to verify the software. So what should be verified? It is glib to say that ”the system” must be verified, because ”the system” is not a formal system. It is a bundle of silicon and wires. Only a model of the system can be verified. What model? If the semantics of software is extended to include temporal properties, then verifying real-time software becomes possible. In this talk, I will argue that such extensions are practical and effective, but that they require rethinking software abstractions at a rather fundamental level. Moreover, they require reengineering of many performance optimizations that computer architects, compiler designers, and operating system designers have instituted. I will show for some of these that such reengineering yields designs that have competitive performance and verifiable timing. The work reported in this talk was supported in part by the Center for Hybrid and Embedded Software Systems (CHESS) at UC Berkeley (supported by the National Science Foundation, NSF awards #0720882 (CSR-EHS: PRET) and #0931843 (ActionWebs), the Naval Research Laboratory (NRL #N0013-12-1-G015), and the following companies: Bosch, National Instruments, and Toyota). A. Biere, A. Nahir, and T. Vos (Eds.): HVC 2012, LNCS 7857, p. 2, 2013. c © Springer-Verlag Berlin Heidelberg 2013