SOFTWARE TESTING, VERIFICATION AND RELIABILITY
Softw. Test. Verif. Reliab. (2012)
Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/stvr.1482
Model checking Trampoline OS: a case study on safety analysis for automotive software‡
Yunja Choi*,†
School of Computer Science and Engineering, Kyungpook National University, Daegu, Korea
SUMMARY
Model checking is an effective technique used to identify subtle problems in software safety using a comprehensive search algorithm. However, this comprehensiveness requires a large number of resources and is often too expensive to be applied in practice. This work strives to find a practical solution to model checking automotive operating systems for the purpose of safety analysis, with minimum requirements and a systematic engineering approach for applying the technique in practice. The paper presents methods for converting the Trampoline kernel code into formal models for the model checker SPIN, a series of experiments using an incremental verification approach, and the use of embedded C constructs for performance improvement. The conversion methods include functional modularization and treatment for hardware-dependent code, such as memory access for context switching. The incremental verification approach aims at increasing the level of confidence in the verification even when comprehensiveness cannot be provided because of the limitations of the hardware resources. We also report on potential safety issues found in the Trampoline operating system during the experiments and present experimental evidence of the performance improvement using the embedded C constructs in SPIN. Copyright © 2012 John Wiley & Sons, Ltd.
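The abstract names SPIN's embedded C constructs as the performance lever without showing their shape. The following is an added illustration, not code from the paper and not Trampoline code: a three-task fixed-priority dispatcher whose ready-set bookkeeping is kept in C via c_state, c_code and c_expr, with a safety assertion checked after every dispatch. The task names, the priority-by-index convention and the Activator/Terminator processes are assumptions made for the illustration.

```promela
/* Constructed example (not from the paper or from Trampoline): a tiny
 * OSEK-like dispatcher with its ready set held in embedded C.  The task
 * index doubles as its priority (2 is highest); all names are illustrative. */

c_state "int ready[3]" "Global"        /* ready flags, tracked in the state vector */
c_state "int running"  "Global" "-1"   /* index of the running task, -1 when idle */

byte pick;   /* task chosen by Activator; visible inside c_code as now.pick */

/* dispatch: select the highest-priority ready task, or go idle */
inline schedule() {
  c_code {
    int i;
    now.running = -1;
    for (i = 2; i >= 0; i--) {
      if (now.ready[i]) { now.running = i; break; }
    }
  };
}

/* safety property: the running task is ready and no ready task outranks it;
 * when idle, no task may be ready */
inline check_dispatch() {
  assert(c_expr {
    now.running == -1
      ? !(now.ready[0] || now.ready[1] || now.ready[2])
      : (now.ready[now.running]
         && (now.running == 2 || !now.ready[2])
         && (now.running >= 1 || !now.ready[1]))
  });
}

/* an interrupt or task activating every task once, in index order */
active proctype Activator() {
  do
  :: pick < 3 ->
       atomic { c_code { now.ready[now.pick] = 1; }; schedule(); check_dispatch() };
       pick++
  :: pick == 3 -> break
  od
}

/* the running task terminating, which forces a re-dispatch */
active proctype Terminator() {
end:
  do
  :: atomic {
       c_expr { now.running != -1 } ->
       c_code { now.ready[now.running] = 0; };
       schedule(); check_dispatch()
     }
  od
}
```

Run with `spin -a model.pml && gcc -o pan pan.c && ./pan` to explore all interleavings of activation and termination. Because the ready array and running index live in c_state rather than in Promela variables, SPIN stores and compares them as raw C memory, which is the kind of state-vector and transition-cost saving the paper measures; the trade-off is that anything reachable only through c_code is invisible to the simulator's variable tracing and must be exposed through assertions such as the one above.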
Received 24 January 2011; Revised 30 July 2012; Accepted 30 July 2012
KEY WORDS: model checking; Trampoline operating system; safety analysis; OSEK/VDX; SPIN
1. INTRODUCTION
The operating system is the core part of automotive control software; its malfunction can cause critical errors in the automotive system, which in turn may result in loss of lives and assets. Much effort has been spent on developing a standard domain-specific development framework in automotive software [2,3] to support a systematic and cost-effective safety analysis/assurance method.
So far, safety analysis for such systems is typically applied either at the system level [4, 5] or at the small-scale source code level [6–8], separately and with different focuses. Although international standards for the safe development of electronic/electrical devices, such as IEC 61508 and ISO 26262, recommend formal verification methods as a safety verification technique, practical experiences with processes or methods for applying formal methods in this domain are still rare, with little related literature on this matter [9–12]. In fact, most existing work is focused on a particular aspect of an operating system, such as the scheduling algorithm or timing analysis, and requires extensive human expertise for effective verification, which is application dependent.
This work studies how automated formal verification techniques, such as model checking, can be systematically and efficiently used for the safety analysis of an automotive operating system
*Correspondence to: Yunja Choi, School of Computer Science and Engineering, Kyungpook National University, Daegu, Korea.
†E-mail: yuchoi76@knu.ac.kr
‡This is an extended version of [1] and [40].