A Simulation Based Model Checker for Real Time Java

Gary Lindstrom, School of Computing, University of Utah, Salt Lake City, UT 84112-9205 USA, gary@cs.utah.edu
Peter C. Mehlitz, NASA Ames Research Center, Mail Code 269-2, Moffett Field, CA 94035-1000 USA, pcmehlitz@email.arc.nasa.gov
Willem Visser, NASA Ames Research Center, Mail Code 269-2, Moffett Field, CA 94035-1000 USA, wvisser@email.arc.nasa.gov

ABSTRACT

The Real Time Specification for Java (RTSJ) is an augmentation of Java for real time applications. The possibility of applying a model checker to RTSJ has great appeal given the complexity and safety requirements of its intended applications. The Robust Software Systems group at NASA Ames Research Center has Java PathFinder (JPF) under development, a Java model checker. JPF at its core is a state exploring JVM which can examine alternative paths in a Java program (e.g., via backtracking) by trying all nondeterministic choices, including thread scheduling order. This paper describes our implementation of an RTSJ profile (subset) in JPF, including requirements, design decisions, and potential future extensions. The implementation relies on a discrete event simulation library, which enables modeling and verification of an RTSJ application under a programmed test environment. The primary advantage of this approach is the possibility of direct execution of the combined model on ordinary Java systems (without the benefit of state backtracking or cost accounting); the primary drawback is the difficulty of implementing important RTSJ features such as non-heap memory areas and asynchronous control transfers. The utility of a general model checker such as JPF in finding RTSJ logic and timing errors is discussed, as well as opportunities presented by JPF for more advanced forms of program analysis such as symbolic execution and test input generation.
Categories and Subject Descriptors

I.6.3 [Simulation and Modeling]: Applications; D.4.1 [Process Management]: Scheduling; D.3.2 [Language Classifications]: Object-oriented Languages

General Terms

Discrete event simulation, real time systems, software verification

Keywords

Real time Java, model checking

1. OVERVIEW

The possibility of using Real Time Specification for Java (RTSJ) [9] software on future missions is under consideration at NASA, for all the familiar reasons: standardized (i.e., platform independent) semantics, a rich and vigorous marketplace of implementations and tools, and the overall software engineering advantages of Java as a type safe object-oriented programming language. RTSJ is not based on any Java core language extensions; rather, all its capabilities are conveyed by new classes with special semantics, albeit with some refinement of semantics for existing Java classes. This design decision in effect strikes a bargain: less compile time static structure, hence less run time predictability, in exchange for language stability. An alternative choice might have been to enhance the declarative content of the language in the interest of stronger compile time program validation, as was done for example with exceptions in Java.

The dual consequence of this design decision is inadequacy of static analysis for RTSJ software verification and validation, and a corresponding vital need for techniques performing dynamic analysis, e.g., model checking.
In particular, many of the dynamic features of RTSJ in their full generality are beyond the scope of current worst-case execution time (WCET) analysis techniques. While RTSJ programmers can in principle restrict themselves to an RTSJ subset amenable to WCET analysis, this would significantly reduce the appeal and advantages of using RTSJ over existing real time languages.

We report here on an application of the Java PathFinder model checker (JPF) [23, 13] to RTSJ programs, focusing on the latter's dynamic, time quantified behavior, with the goal of developing a tool capable of validating RTSJ applications, ideally to the level of mission deployability. Our approach emphasizes the central issue of temporal correctness (e.g., threads meeting deadlines) under nondeterministic choices; correctness of memory usage and asynchronous control flow is reserved for future work. Thus we are focusing on classical correctness issues in real time software, rather than issues related to specialized JVM behavior.

Our approach uses discrete event simulation (DES) as a basis for modeling time. Real time threads are modeled as ordinary Java threads, constrained to run one at a time, i.e., as coroutines. Their interactions, e.g., through CPU scheduling, are modeled by resource contention techniques familiar to DES programming (a summary of DES concepts
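The following is an added sketch, not code from the paper or from JPF, of the modeling idea just described: a virtual clock and event list, model threads that are ordinary Java threads but run strictly one at a time as coroutines (a single run permit is handed between the scheduler and one thread), and CPU scheduling modeled as contention for a resource. The class and field names, the non-preemptive FIFO CPU policy and the two sample tasks are all assumptions made for this example; the run reports whether each task met its deadline in simulated time.

```java
import java.util.*;
import java.util.concurrent.Semaphore;

public class DesSketch {
    // event = {time, sequence number, thread to resume}; sequence keeps FIFO order at equal times
    private final PriorityQueue<Object[]> events = new PriorityQueue<>(
        Comparator.<Object[]>comparingLong(e -> (long) e[0]).thenComparingLong(e -> (long) e[1]));
    private final List<Rt> tasks = new ArrayList<>();
    private final Semaphore sched = new Semaphore(0);  // the scheduler's turn to run
    private long now = 0, seq = 0, cpuFree = 0;        // virtual clock; instant the CPU is idle again
    /** Model "real time thread" (constructed): released at rel, needs cost units of CPU, due by deadline. */
    public class Rt extends Thread {
        private final Semaphore turn = new Semaphore(0);  // this thread's turn to run
        final long cost, deadline;
        long finishedAt = -1;
        Rt(long rel, long cost, long deadline) {
            this.cost = cost; this.deadline = deadline;
            tasks.add(this); schedule(rel, this);         // release event
        }
        @Override public void run() {
            turn.acquireUninterruptibly();                // block until the scheduler resumes us
            long start = Math.max(now, cpuFree);          // contend for the CPU (FIFO, no preemption)
            cpuFree = start + cost;
            schedule(cpuFree, this);                      // wake up when our CPU burst ends
            sched.release(); turn.acquireUninterruptibly(); // yield, then wait for that wake-up
            finishedAt = now;
            sched.release();                              // done: hand control back for good
        }
        boolean missedDeadline() { return finishedAt < 0 || finishedAt > deadline; }
    }
    private void schedule(long t, Rt r) { events.add(new Object[]{t, seq++, r}); }
    /** Drain the event list; at any instant exactly one model thread (or the scheduler) runs. */
    public void run() throws InterruptedException {
        for (Rt r : tasks) r.start();
        while (!events.isEmpty()) {
            Object[] e = events.poll();
            now = (long) e[0];
            ((Rt) e[2]).turn.release();                   // pass the single run permit
            sched.acquireUninterruptibly();               // wait until it yields or finishes
        }
        for (Rt r : tasks) r.join();
    }

    public static void main(String[] args) throws InterruptedException {
        DesSketch sim = new DesSketch();
        Rt a = sim.new Rt(0, 5, 10), b = sim.new Rt(2, 4, 8);  // b queues behind a and ends at 9 > 8
        sim.run();
        System.out.println("a missed: " + a.missedDeadline() + ", b missed: " + b.missedDeadline());
    }
}
```

Because control transfers only through the two semaphores, no two model threads are ever runnable at once, which is what lets a backtracking executor such as JPF treat the whole simulation as one deterministic sequence of scheduler choices.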