Formal Specifications and Verification of AUTOSAR-compliant RTOS
In this paper we propose a method for formally specifying the AUTOSAR SWS_OS requirements and for verifying that a given implementation adheres to the standard. Our methodology has three steps:
- Identify and formally specify the relevant requirements from the SWS_OS as a formula in first-order logic.
- Abstract the implementation to a formula in first-order logic using SP Calculus.
- Prove the invariance of the implementation over time, showing that it adheres to the requirements.
These are the artefacts for the paper on formal specifications of AutoCoreOS using Dafny. The artefacts include:
- Dafny code with formal specifications and the required lemmas for the task state machine and the HLP state machine (SMSpecs and hip).
- The specifications of a task, a shared resource, and the methods and functions related to ready-queue management (enqueueLink).
- An incomplete but working SP (strongest postcondition) generator taken from the CMU course material: https://www.cs.cmu.edu/~15414/s22/lectures/11-post.pdf
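As an added example (not code from the paper's artefacts or from the CMU generator), a minimal strongest-postcondition generator in Python for the abstraction step of the methodology: it applies the SP rules for skip, assume, assignment, sequencing and conditionals to a small statement AST and emits the resulting first-order formula in Dafny-style notation. The ActivateTask-like toy program, the variable names `act`, `maxAct` and `err`, and its precondition are constructed here for illustration and are not taken from the artefacts.

```python
import re

def subst(formula: str, var: str, repl: str) -> str:
    """Replace every whole-word occurrence of `var` in a formula string.
    Assumes formulas are strings over C-like identifiers (no shadowing)."""
    return re.sub(rf"\b{re.escape(var)}\b", repl, formula)

class Fresh:
    """Generates fresh names (x_1, x_2, ...) for the 'old' value of an assigned variable."""
    def __init__(self) -> None:
        self.n = 0
    def __call__(self, var: str) -> str:
        self.n += 1
        return f"{var}_{self.n}"

def sp(pre: str, stmt: tuple, fresh=None) -> str:
    """Strongest postcondition of `stmt` under precondition `pre`, in Dafny-style
    notation. Statements are tuples:
      ("skip",)  ("assume", c)  ("assign", x, e)  ("seq", s1, s2)  ("if", c, s1, s2)"""
    fresh = fresh or Fresh()
    kind = stmt[0]
    if kind == "skip":
        return pre
    if kind == "assume":          # sp(P, assume c) = P && c
        return f"({pre}) && ({stmt[1]})"
    if kind == "assign":          # sp(P, x := e) = exists x0 :: P[x0/x] && x == e[x0/x]
        x, e = stmt[1], stmt[2]
        x0 = fresh(x)
        return f"exists {x0} :: ({subst(pre, x, x0)}) && {x} == {subst(e, x, x0)}"
    if kind == "seq":             # sp(P, s1; s2) = sp(sp(P, s1), s2)
        return sp(sp(pre, stmt[1], fresh), stmt[2], fresh)
    if kind == "if":              # each branch strengthens P with its guard; disjoin the outcomes
        c, s_then, s_else = stmt[1], stmt[2], stmt[3]
        then_post = sp(f"({pre}) && ({c})", s_then, fresh)
        else_post = sp(f"({pre}) && !({c})", s_else, fresh)
        return f"({then_post}) || ({else_post})"
    raise ValueError(f"unknown statement kind: {kind}")

def activate_task_sp() -> str:
    """Constructed toy model (not from the artefacts) of activating a basic task:
    bump the pending-activation count if below the configured maximum, otherwise
    record an error. Returns the abstracted post-state as an FOL formula."""
    prog = ("if", "act < maxAct",
            ("assign", "act", "act + 1"),
            ("assign", "err", "1"))
    return sp("0 <= act <= maxAct && err == 0", prog)

if __name__ == "__main__":
    print(activate_task_sp())
```

The emitted formula is what the invariance proof (step 3) has to show implies the specified requirement again; loops would need a supplied invariant, which this toy generator deliberately does not handle.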
To install Dafny, please refer here. The easiest way is to install the VS Code Dafny plugin. We used Dafny v4.7.0.0 in VS Code on macOS 14.6. The Dafny plugin performs "live" verification, i.e., the verifier runs as you edit, so for these artefacts there is no need to compile the code or invoke the Dafny command line when using the VS Code plugin. A successful verification is indicated by a vertical green line on the left-hand side of the Dafny source; an unsuccessful verification is indicated by a vertical red line. To observe an unsuccessful verification, uncomment one of the deliberately "wrong" lemmas in the code (for instance, the InvarianceFalse lemma). The verifier also reports which condition it is unable to prove, and Dafny provides a shortcut to view counterexamples for a wrong theorem.
The Elektrobit Tresos® AutoCoreOS is a widely used, industrial-grade automotive operating system developed by Elektrobit GmbH. The software package can be downloaded from Elektrobit's website. An evaluation package is available under a limited license, which is issued to an official email address. The installer installs the Tresos configuration generator together with the source code of the OS used in this work.
To compile the OS, we used the TASKING compiler from Tasking GmbH for the Infineon TriCore TC387 microcontroller platform.