Figure 7 - uploaded by Adrien Champion
Source publication
This paper addresses the issue of lemma generation in a k-induction-based
formal analysis of transition systems, in the linear real/integer arithmetic
fragment. A backward analysis, powered by quantifier elimination, is used to
output preimages of the negation of the proof objective, viewed as unauthorized
states, or gray states. Two heuristics are...
Context in source publication
Context 1
... a property such as "No more than one channel shall be in command at any time", or "The actuator must never stay idle for more than m_4 steps" are more challenging because they cover all three channels simultaneously and drag many state variables in their cone of influence. For instance, the formal verification of the second property is done by assembling a model of the distributed system and by using the synchronous observer technique as shown in Figure 7. The observer uses a timer and is coded so that its output becomes true as soon as the absence of control of the actuator has been confirmed for the requested amount of m_4 consecutive steps. ...
Similar publications
Bug-fixing in deeply embedded portions of the logic is typically accompanied by the post-facto addition of new assertions which cover the bug scenario. Formally verifying properties defined over such deeply embedded portions of the logic is challenging because formal methods do not scale to the size of the entire logic, and verifying the property o...
Citations
... Simply increasing the k value often leads to a rapid performance degradation such that k-induction becomes inoperative. This paper is an extended version of a previous paper [8], where we introduced a new property-directed technique for relational invariant discovery, called HullQe, which uses quantifier elimination and convex hull computation. Here we study in more detail its integration in our collaborative formal verification framework based on k-induction, named Tuff 2. ...
This paper addresses the issue of potential invariant generation in the formal analysis of transition systems with k-induction, in the linear real/integer arithmetic fragment. First, quantifier elimination is used to find parameters for generic templates such that the said templates become inductive. Second, a backward analysis, also using quantifier elimination, outputs preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information and generate potential invariants: a thorough exploration of the possible partitionings of the gray state space, and an inexact exploration regrouping and over-approximating disjoint areas of the gray state space. Both aim at discovering hidden relations between state variables. K-induction is used to isolate actual invariants and to check if they make the proof objective inductive. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. We show, on examples of interest in the application field of critical embedded systems, that our approach is able to prove properties for which other academic or commercial tools fail. The different methods are introduced as components of a collaborative formal verification framework based on k-induction and are motivated through two examples, one of which was provided by Rockwell Collins.
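The following is an added example, not code from the paper or from its Stuff framework: a constructed explicit-state model of the observer pattern from Context 1 (a timer counting consecutive steps without command of the actuator) on which the abstract's three ingredients can be run end to end: k-induction on the proof objective, a candidate lemma relating state variables, and the backward computation of gray states (the preimages of the negation of the objective). The two-channel model, the bound M, the switch-over delay D and the lemma are all assumptions; finite enumeration over Python sets stands in for the SMT-based k-induction and quantifier-elimination preimages that the paper uses on linear-arithmetic systems.

```python
# Constructed model: two channels drive one actuator; if the primary channel
# fails (permanently), the backup takes command after a switch-over delay D.
M = 3            # proof objective: the actuator is never idle for more than M steps
D = M + 1        # switch-over delay of the backup channel (assumed value)
INPUTS = (False, True)

def step(s, fail_in):
    """Transition relation T(s, s'): one synchronous step with input fail_in."""
    failed, sw, idle = s
    failed = failed or fail_in                  # a failure is permanent
    sw = min(sw + 1, D) if failed else 0        # steps since failure (saturating)
    commanded = (not failed) or sw >= D         # primary, or backup after the delay
    idle = 0 if commanded else min(idle + 1, M + 1)   # observer timer, saturating
    return (failed, sw, idle)

STATES = [(f, sw, i) for f in (False, True) for sw in range(D + 1) for i in range(M + 2)]
INIT = (False, 0, 0)

def prop(s):            # observer output stays false: the timer never exceeds M
    return s[2] <= M
def lemma(s):           # candidate lemma: the idle timer never outruns the switch counter
    return s[2] <= s[1]
def strengthened(s):    # proof objective strengthened with the lemma
    return prop(s) and lemma(s)

def k_inductive(p, k):
    """True iff p holds on every path of k steps from INIT (base case) and any
    k consecutive states satisfying p are followed by a state satisfying p."""
    seen, frontier = {INIT}, {INIT}
    for _ in range(k):
        frontier = {step(s, x) for s in frontier for x in INPUTS} - seen
        seen |= frontier
    if not all(p(s) for s in seen):
        return False
    paths = [(s,) for s in STATES if p(s)]       # paths start in any state, not INIT
    for _ in range(k - 1):
        paths = [pa + (step(pa[-1], x),) for pa in paths for x in INPUTS
                 if p(step(pa[-1], x))]
    return all(p(step(pa[-1], x)) for pa in paths for x in INPUTS)

def gray_states(n):
    """Backward analysis: the negation of P and its first n preimages under T."""
    gray = {s for s in STATES if not prop(s)}
    for _ in range(n):
        gray |= {s for s in STATES if any(step(s, x) in gray for x in INPUTS)}
    return gray
```

Running it, `k_inductive(prop, 3)` is False while `k_inductive(prop, 4)` is True, so the bare objective only becomes inductive once k grows with M; with the lemma, `k_inductive(strengthened, 1)` is already True and no gray state satisfies the strengthened objective, which is exactly the role the paper assigns to lemmas found from gray states.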
... Rantanplan by Franzén [14] is an incremental SMT-based verification tool for the inductive verification of LUSTRE programs; Franzén compared his tool with NBAC and Luke. Champion et al. [9] proposed to enhance k-induction based verification for LUSTRE by automated lemma generation. In the STUFF tool they joined property-directed heuristics and the arbitrary combination of system variables to come up with invariants that allow to strengthen the property to be proven. ...
... If the k-induction is not able to prove the property within a specifiable depth, lamasmt can produce candidate-counterexamples from the induction step. These may be used later to generate lemmas, to strengthen the induction hypothesis, e.g. by adapting ideas from Champion et al. [9]. ...
... As Table 1 shows, the pure k-induction strategy does not work very well on the provided model. This confirms an observation made in [9] that without further heuristics k-induction does not scale up very well as a property may require a k that leads to a too large unfolding of the model, or it may not be k-inductive at all. ...
Scade is an industrial strength synchronous language and tool suite for the development of the software of safety-critical systems. It supports formal verification using the so-called Design Verifier. Here we start developing a freely available alternative to the Design Verifier intended to support the academic study of verification techniques tailored for SCADE programs. Inspired by work of Hagen and Tinelli on the SMT-based verification of LUSTRE programs, we develop an SMT-based verification method for Scade programs. We introduce Lama as an intermediate language into which Scade programs can be translated and which easily can be transformed into SMT solver instances. We also present first experimental results of our approach using the SMT solver Z3.
... • the verification of models against their formal specification [16,17,23,55,12,6] makes it possible to prove that the specification is respected; ...
... This SMT-based QE method lies at the heart of our software framework for the analysis of synchronous reactive systems: in [16], an iterated preimage computation is used to feed a generator of potential lemmas in order to prove a property on a transition system. In this application, it was the QE step that constituted the main bottleneck, which led us to improve the original algorithm of [56] by modifying the extrapolation phase of the algorithm. ...
... The test formulas are verification problems generated by our tool Stuff [16], and correspond to iterations of symbolic preimage computation starting from the negation of a proof objective on a transition system. More precisely, if T(s, s') is the transition relation of the system, applied to the current state s and a successor s', the iterated preimage computation is defined as follows: ...
This work deals with the verification of software components of avionics critical embedded systems. Failure of such systems has catastrophic consequences, it is thus rewarding to make sure they are consistent with their specification. Formal verification consists in proving this consistency if it is true, or producing a counterexample if it is not. Unfortunately current methods are unable to address the verification challenges stemming from realistic critical systems because of the combinatorial explosion of the state space. This calls for the discovery of additional information (invariants) on the system to reduce the search space and hopefully strengthen the proof objective, i.e. discover enough information for methods to conclude "easily".
We define a parallel architecture allowing the cooperation of invariant discovery methods around a k-induction engine. In this context we propose a new potential invariant generation heuristic based on pre-image calculus by quantifier elimination and convex hulls, called HullQe. We show that HullQe is able to automatically strengthen proof objectives corresponding to safety properties on common avionics design patterns which, to the best of our knowledge, elude the capabilities of current verification methods. We detail our improvements to Monniaux's SMT-based quantifier elimination algorithm so that the pre-image calculus scales up to our systems. Our prototype formal framework Stuff implements this parallel architecture and features an implementation of HullQe, a template-based invariant discovery technique and a generalization of PDR to arithmetics.
This book constitutes the proceedings of the 19th International Conference on Formal Methods for Industrial Critical Systems, FMICS 2014, held in Florence, Italy, in September 2014. The 13 papers presented in this volume were carefully reviewed and selected from 26 submissions. They are organized in topical sections named: cyber-physical systems; computer networks; railway control systems; verification methods; and hardware and software testing.
In the aerospace industry, it has become possible to use formal analysis results as certification evidence thanks to the new version of the standard DO-178C and its formal methods supplement DO-333. Furthermore, formal proof has a high potential of cost reduction. On the other hand, it is not possible to replace testing completely by formal analysis, because the latter only considers more or less abstract models of the system under analysis, and can fail due to a too high complexity. But since certain verification tasks can be carried out by formal analysis with an advantage compared to testing, the question arises how both techniques, i.e. proof and test, can be combined in the best way. The European project MBAT gives answers to this question, and in this article we show how the combined approach has been applied to a relevant use case from Rockwell Collins. Copyright © 2014 SCITEPRESS - Science and Technology Publications. All rights reserved.
Critical control systems are often built as a combination of a control core with safety mechanisms allowing to recover from failures. For example a PID controller used with triplicated inputs. Typically those systems would be designed at the model level in a synchronous language like Lustre or Simulink, and their code automatically generated from those models. In a previous SAE symposium, we addressed the formal analysis of such systems - focusing on the safety parts - using a combination of formal techniques, i.e. k-induction and abstract interpretation. The approach developed here extends the analysis of the system to the control core. We present a new analysis framework combining the analysis of open-loop stable controllers with those safety constructs. We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants and backward analysis based on quantifier elimination. Then we apply it on a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards early use of formal methods for critical embedded software such as the ones of the aerospace industry.