Safety Analysis of Trampoline OS Using Model Checking: An Experience Report.