Showing papers presented at "Formal Methods for Industrial Critical Systems in 2007"

Integration of formal analysis into a model-based software development process

Abstract: The next generation of military aerospace systems will includeadvanced control systems whose size and complexity will challenge currentverification and validation approaches. The recent adoption by the aerospaceindustry of model-based development tools such as Simulink® and SCADESuite™ is removing barriers to the use of formal methods for the verification ofcritical avionics software. Formal methods use mathematics to prove that softwaredesign models meet their requirements, and so can greatly increase confidencein the safety and correctness of software. Recent advances in formalanalysis tools have made it practical to formally verify important properties ofthese models to ensure that design defects are identified and corrected early inthe lifecycle. This paper describes how formal analysis tools can be insertedinto a model-based development process to decrease costs and increase qualityof critical avionics software.

An action/state-based model-checking approach for the analysis of communication protocols for service-oriented applications

Abstract: In this paper we present an action/state-based logical frameworkfor the analysis and verification of complex systems, which relies onthe definition of doubly labelled transition systems. The defined temporallogic, called UCTL, combines the action paradigm--classically usedto describe systems using labelled transition systems--with predicatesthat are true over states--as captured when using Kripke structures assemantic model. An efficient model checker for UCTL has been realized,exploiting an on-the-fly algorithm. We then show how to use UCTL, andits model checker, in the design phase of an asynchronous extension of thecommunication protocol SOAP, called aSOAP. For this purpose, we describeaSOAP as a set of communicating UML state machines, for whicha semantics over doubly labelled transition systems has been provided.

Static analysis of the accuracy in control systems: principles and experiments

Abstract: Finite precision computations can severely affect the accuracyof computed solutions. We present a complete survey of a static analysisbased on abstract interpretation, and a prototype implementing this analysisfor C code, for studying the propagation of rounding errors occurringat every intermediary step in floating-point computations. In the first partof this paper, we briefly present the domains and techniques used in the implementedanalyzer, called FLUCTUAT. We describe in the second part,the experiments made on real industrial codes, at Institut de Radioprotectionet de Surete Nucleaire and at Hispano-Suiza, respectively comingfrom the nuclear industry and from aeronautics industry. This paper aimsat filling in the gaps between some theoretical aspects of the static analysisof floating-point computations that have been described in [13,14,21], andthe necessary choices of algorithms and implementation, in accordancewith practical motivations drawn from real industrial cases.

Reverse engineered formal models for GUI testing

Abstract: This paper describes a process to reverse engineer structural and behaviouralformal models of a GUI application by a dynamic technique, mixingmanual with automatic exploration. The goal is to diminish the effort requiredto construct the model and mapping information needed in a model-based GUItesting process. A skeleton of a state machine model of the GUI, represented ina formal pre/post specification language, is generated automatically by the explorationprocess. Mapping information between the model and the implementationis also generated along the way. The model extracted automatically isthen completed manually in order to get an executable model which can be usedas a test oracle. Abstract test cases, including expected outputs, can be generatedautomatically from the final model and executed over the GUI application,using the mapping information generated during the exploration process.

Synchronous design and verification of critical embedded systems using SCADE and Esterel

Abstract: SCADE (Safety Critical Application Design Environment) is a design environment dedicated to safety-critical embedded software applications. It is widely used for avionics, railways, heavy industry, and automotive applications. For instance, most critical systems of the Airbus A380 have been developed with SCADE. The core element is the Scade synchronous formalism, which can be viewed as a graphical version of Lustre coupled with synchronous hierarchical state machines. The Scade to C compiler is certifiable at level A of DO-178B avionics norm, which removes the need for unit-testing the embedded C code and brings big savings in the certification process. The SCADE tools encompasses a simulator, a model coverage analyzer, a formal verifier, a display generator, and gateways to numerous other prototyping or software engineering tools. Esterel Studio is a similar hardware modeling, design, and verification environment based on the Esterel v7 formal synchronous language. Esterel Studio is used by major semiconductor companies to specify, verify, and synthesize complex hardware designs. It can generate both an optimized circuit and a behaviorally equivalent software model from a single formal specification. It also supports simulation and formal verification, which is widely used in production applications. We discuss the advantages and limitations of the underlying synchronous concurrency model. We explain why the same core science and technology can be applied to such different domains, however with quite different integration in global system-level design flows according used in the different industries.

An approach to formalization and analysis of message passing libraries

Abstract: Message passing using libraries implementing the MessagePassing Interface (MPI) standard is the dominant communication mechanismin high performance computing (HPC) applications. Yet, the lackof an implementation independent formal semantics for MPI is a hugevoid that must be filled, especially given the fact that MPI will be implementedon novel hardware platforms in the near future. To help reasonabout programs that use MPI for communication, we have developed aformal TLA+ semantic definition of the point to point communicationoperations to augment the existing standard. The proposed semantics includes42 MPI functions, including all 35 point to point operations, manyof which have not been formally modeled previously. We also present aframework to extract models from SPMD-style C programs, so that designersmay understand the semantics of MPI by exercising short, yetpithy, communication scenarios written in C/MPI. In this paper, wedescribe (i) the TLA+ MPI model features, such as handling the explicitmemory for each process to facilitate the modeling of C pointers,and some of the widely used MPI operations, (ii) the model extractionframework and the simplifications made to the model that help facilitateexplicit-state model checking of formal semantic definitions, (iii) a customizedmodel checker for MPI that performs much faster model checking,and features a dynamic partial-order reduction algorithm whose correctnessis directly based on the formal semantics, and (iv) an error trailreplay facility in the Visual Studio environment. Our effort has helpedidentify a few omissions in the MPI reference standard document. Thesebenefits suggest that a formal semantic definition and exploration approachas described here must accompany every future effort in creatingparallel and distributed programming libraries.

Application of static analyses for state space reduction to microcontroller assembly code

Abstract: This paper describes how static analyses can be applied tomicrocontroller assembly code to tackle the state explosion problem arisingfrom explicit state model checking. It presents difficulties, which occurwhen trying to apply static analyses to microcontroller assemblycode, caused by, for example, interrupts, hardware dependency, recursions,and indirect control. Enhancements of two reduction techniques(namely Dead Variable Reduction and Path Reduction) and their underlyingstatic analyses are detailed, which make these techniques applicableto microcontroller assembly code. A short case study is presented inwhich five programs are used to demonstrate the state space reductionsthat can be achieved using these two techniques.

Automatic interoperability test case generation based on formal definitions

Abstract: The objective of this study is to provide methods for derivingautomatically interoperability tests based on formal definitions. First,we give interoperability formal definitions taking into account both objectivesof interoperability: the implementations must interact correctlyand the expected service must be provided. Based on these definitions,a method for generating interoperability test cases is described. Thismethod is equivalent to classical methods in terms of noninteroperability detection and avoids state-space explosion problem. Classical and proposedmethods were implemented using the CADP Toolbox and appliedon a connection protocol to illustrate this contribution.

Automatic certification of Java source code in rewriting logic

Abstract: In this paper we propose an abstract certification techniquefor Java which is based on rewriting logic, a very general logical and semanticframework efficiently implemented in the functional programminglanguage Maude. Starting from a specification of the Java semantics writtenin Maude, we develop an abstract, finite-state operational semanticsalso written in Maude which is appropriate for program verification. Asa by-product of the abstract verification, a dependable safety certificateis delivered which consists of a set of (abstract) rewriting proofs thatcan be easily checked by the code consumer using a standard rewritinglogic engine. Our certification methodology extends to other programminglanguages by simply replacing the concrete semantics of Java by asemantics for the programming language at hand. The abstract proofcarryingcode technique has been implemented and successfully testedon several examples, which demonstrate the feasibility of our approach.

Introducing time in an industrial application of model-checking

Abstract: The safety of many industrial systems is directly related totime. Model checking has been used to verify that safety requirementsare met by a model of the system. In many cases, however, time is excludedto limit the state space explosion. Two approaches to include timeconstraints are either to use model checking for timed systems, or to integratean explicit model of time using standard model checking. Thispaper presents a case study using the latter approach. We have workedclosely with one of Australia's largest railway companies, QueenslandRail, on a real industrial environment to produce models to verify thesafety of railway interlockings. Our models are written and optimised forthe symbolic model checker NuSMV. In this paper we introduce time intoour existing models and examine time in the context of level crossings.We also present quantitative data to show the feasibility of the approach.

Analysis of a session-layer protocol in MCRL2: verification of a real-life industrial implementation

Abstract: This paper reports the analysis of an industrial implementationof the session-layer of a load-balancing software system. This softwarecomprises 7.5 thousand lines of C code. It is used for distributionof the print jobs among several document processors (workers). A largepart of this commercially used software system has been modeled closelyand analyzed using process-algebraic techniques. Several critical issueswere discovered. Since the model was close to the code, all problems thatwere found in the model, could be traced back to the actual code resultingin concrete suggestions for improvement of the code. All in all, theanalysis significantly improved the quality of this real-life system.

Formal verification with Isabelle/HOL in practice: finding a bug in the GCC scheduler

Abstract: Software bugs can cause tremendous financial loss and are aserious threat to life or physical condition in safety-critical areas. Formalsoftware verification with theorem provers aims at ensuring that no errorsare present but is too expensive to be employed for full-scale systems.We show that these costs can be reduced significantly by reusing proofsand by the checker approach. We demonstrate the applicability of ourapproach by a case study checking the correctness of the scheduler of thepopular GCC compiler for a VLIW processor where we indeed found anerror.

Model classifications and automated verification

Abstract: Due to the significant progress in automated verification,there are often several techniques for a particular verification problem.In many circumstances different techniques are complementary -- eachtechnique works well for different type of input instances. Unfortunately,it is not clear how to choose an appropriate technique for a specific instanceof a problem. In this work we argue that this problem, selection ofa technique and tuning its parameter values, should be considered as astandalone problem (a verification meta-search). We propose several classificationsof models of asynchronous system and discuss applications ofthese classifications in the context of explicit finite state model checking.

Checking the TWIN elevator system by translating object-Z to SMV

Abstract: In the context of large scale industrial installations, modelchecking often fails to tap its full potential because of a missing linkbetween a system's specification and its functional and nonfunctional requirements, like safety. Our work bridges this gap by providing a translationfrom the formal specification language Object-Z to the SMV modelchecker input language to combine their advantages. This paper focuses on the translation of the object-oriented featuresof Object-Z: operation promotion and communication between objects.We demonstrate the feasibility of our approach using the example ofthe TWIN Elevator system and embed the translation process in theindustrial software production workflow.

Machine checked formal proof of a scheduling protocol for smartcard personalization

Abstract: Using PVS (Prototype Verification System), we prove thatan industry designed scheduler for a smartcard personalization machineis safe and optimal. This scheduler has previously been the subject ofresearch in model checked scheduling synthesis and verification. Theseverification and synthesis efforts had only been done for a limited numberof personalization stations. We have created an executable modeland have proven the scheduling algorithm to be optimal and safe forany number of personalization stations. This result shows that theoremprovers can be successfully used for industrial problems in cases wheremodel checkers suffer from state explosion.

Verification of embedded software: from mars to actions

Abstract: Embedded controllers are more and more pervasive and feature more and more advanced capabilities. For space applications in particular, the development of autonomous controllers is seen as a critical technology to enable new mission objectives and scale down operating costs. On the flip side, the validation of intelligent control software poses a huge challenge, both due to the increased complexity of the system itself and the broad spectrum of normal and abnormal conditions in which it has to be able to operate. This talk will follow our journey in applying some modern, analytical verification technologies and tools to the validation of autonomy software, in the context of space applications, at NASA Ames Research Center in California. This route will take us from the concrete, practical dependability requirements for space-bound software that motivated the work down to the deeper, broader issues in formal methods that emerged as part of that work.

Computing worst-case response times in real-time avionics applications

Abstract: The work in this paper builds upon our prior work to analyze propertiesof applications running on top of the Deos real-time operating system. Wedescribe how a control application's worst-case response time to an event can be"computed" using the model checker SPIN. We lay out the steps involved in reusingour existing models for this analysis, and our solution to reducing thememory required to perform the analysis. This work highlights the benefit of expandingthe use of formal models, and the necessity of changing existing abstractions(such as the timer model in this work) to reflect changed verification goals.