Verifying concurrent scheduling—especially preemptive scheduling—in operating systems is notoriously challenging; manual review and unit testing often fail to cover complex execution paths, leading to undetected race conditions and logical flaws. This paper introduces a novel, co-designed paradigm for concurrent software development targeting the autonomous-driving OS Awkernel, integrating model checking with runtime verification. We formalize the scheduler using TLA+/PlusCal and perform exhaustive model checking; concurrently, we inject custom assertions and lightweight tracing probes into the Rust async runtime to enable semantically consistent, bidirectional closed-loop validation. This approach bridges the semantic gap between abstract modeling and concrete execution. Applied to Awkernel, it successfully uncovered multiple race conditions and scheduling logic defects invisible to conventional testing methods, thereby significantly enhancing the reliability assurance of preemptive asynchronous scheduling behavior.

In operating system development, concurrency poses significant challenges. It is difficult for humans to manually review concurrent behaviors or to write test cases covering all possible executions, often resulting in critical bugs. Preemption in schedulers serves as a typical example. This paper proposes a development method for concurrent software, such as schedulers. Our method incorporates model checking as an aid for tracing code, simplifying the analysis of concurrent behavior; we refer to this as model checking-assisted code review. While this approach aids in tracing behaviors, the accuracy of the results is limited because of the semantics gap between the modeling language and the programming language. Therefore, we also introduce runtime verification to address this limitation in model checking-assisted code review. We applied our approach to a real-world operating system, Awkernel, as a case study. This new operating system, currently under development for autonomous driving, is designed for preemptive task execution using asynchronous functions in Rust. After implementing our method, we identified several bugs that are difficult to detect through manual reviews or simple tests.