Certifying Auto-generated Flight Code Ewen Denney Robust Software Engineering NASA Ames Research Center California, USA

Auto-generated code at NASA Most NASA missions and projects use modeling tools like Simulink and Matlab Commercial code generators (e.g., Real-Time Workshop and MatrixX) are available and have been successfully used –X-43 Hyper-X: On-board flight- software generated from Simulink models –RASCAL: Helicopter control laws implemented using Real-Time Workshop "We never found any errors in the automatically generated code, so we were confident in creating a quick prototype for NASA.

Orion Software process

Autocode issues Dear Ewen, If you are using R14SP3 Simulink code generation products, please review the following information. If you are not using R14SP3 versions of MathWorks products, please disregard this message. We have identified bugs in R14SP3 Simulink^® code generation products, which in rare instances generate incorrect code that is not easily detected. These bugs have been fixed in subsequent releases: R2006a, R2006b, or the upcoming R2007a release. To prevent impact from these bugs, R14SP3 code generation software users should take the following actions: *Review Related Bug Reports with Potential Workarounds* You can find the documented issues and potential workarounds through the following links (login required): Bug Report Bug Report Bug Report Bug Report Bug Report Frequent updates - bug reports, work-arounds and fixes

Autocode issues Commercial code generators are black boxes –Not qualified so need to analyze generated code Historically buggy: despite extensive heritage, rare bugs still remain Cannot detect many bugs at model level or via simulation Code can be difficult to understand and review Math intensive code requires powerful analysis techniques Diverse source of knowledge Models not good for expressing requirements

Assurance strategies for autocoders Documentation –explain the code generation (and certification) process –increases transparency and trust in process Traceability –link elements of generation process –mandated by NASA standards Proof –for all possible inputs, –if the safety assumptions hold –then for all possible execution paths, –the safety requirements hold.

Product-oriented assurance Augment code generator to generate certificates together with code (aka. the verifying compiler approach) No need to qualify/re-qualify code generator Code certificates: –evidence of compliance with specific requirement –can be independently verified –generate automatically Support engineers doing software assurance –generate safety documentation for human analysts

AutoCert A code generator plug-in for certifying mathematical properties of auto-generated code

AutoCert/RTW A Real-Time Workshop plug-in for certifying mathematical properties of auto-generated code

Technical approach Combine generator with certification plug-in: AutoCert Generate certificates which can be verified independently (IV&V) Based on formal logic –Range of safety properties –Inferred annotations drive source-code analysis –Fully automated –Analysis provides tracing and documentation

Example: Coordinate systems Level 2 Coordinate Systems (CxP 70138): All pertinent geometric technical data … shall be in the coordinate systems described in this document. Problem: –Not directly represented in model or code –Transformations involve matrix algebra, etc.

Example: Coordinate systems tmpRe = 0.0; for( row = 0; row < 3; row++) for( col = row + 1; col<3; col++) { tmpRe = mx[row * 3 + col]; mx[row * 3 + col] = mx[col * 3 + row]; mx[col * 3 + row] = tmpRe; }

Example: Coordinate systems tmpRe = 0.0; for( row = 0; row < 3; row++) for( col = row + 1; col<3; col++) { tmpRe = mx[row * 3 + col]; mx[row * 3 + col] = mx[col * 3 + row]; mx[col * 3 + row] = tmpRe; } post forall x : int, y : int & (0 mx_prime(x + 3 * y) == mx(y + 3 * x)

Example: Coordinate systems tmpRe = 0.0; for( row = 0; row < 3; row++) for( col = row + 1; col<3; col++) { tmpRe = mx[row * 3 + col]; mx[row * 3 + col] = mx[col * 3 + row]; mx[col * 3 + row] = tmpRe; } post mx == trans(prime(mx))

Example: Coordinate systems tmpRe = 0.0; for( row = 0; row < 3; row++) for( col = row + 1; col<3; col++) { tmpRe = mx[row * 3 + col]; mx[row * 3 + col] = mx[col * 3 + row]; mx[col * 3 + row] = tmpRe; } post has_frame(prime(mx), dcm(ned, ecef)) & mx == trans(prime(mx)) has_frame(mx, dcm(ecef, ned))

Covariance matrices (PM, PP) in a Kalman filter must remain symmetric during update Individual matrix operations in the generated code must be checked: R+H*PM*H is symmetric Annotations are required Analysis tool generates annotations based upon idiomatic code patterns Example: Matrix symmetry K=PM*H'*inv(R+H*PM*H'); PP = (I-K*H)*PM*(I-K*H)' + K*R*K'; Embedded Matlab … for (eml_i0 = 0; eml_i0 < 2; eml_i0++) { for (eml_i1 = 0; eml_i1 < 2; eml_i1++) { eml_x11 = 0.0; for (eml_i2 = 0; eml_i2 < 2; eml_i2++) { eml_x11 += eml_dv0[eml_i0 + (eml_i2 << 1)] * eml_dv1[eml_i2 + (eml_i1 << 1)]; } eml_x[eml_i0 + (eml_i1 << 1)] = eml_R[eml_i0 + (eml_i1 << 1)] + eml_x11; }} RTW /* post forall eml_i0: int, eml_i1: int 0 <= eml_i0 < 2 & 0 <= eml_i1 < 2 => eml_x[eml_i0 + (eml_i1 << 1)] = eml_x[eml_i1 + (eml_i0 << 1)] */

Execution safety memory safety (array bounds) –Buffer overflows often lead to unsafe programs variable initialization before use –Uninitialized variables can cause unpredictable/unrepeatable behavior –Compilers only check for initialization of scalars –e.g.: RTW bug: uninitialized variables in demux blocks Execution safety requires that the constraints of the target language are not violated.

Other safety properties Vector/matrix properties –symmetry, triangularity, positive definiteness –quaternion, probability vector normalization Representation conventions –consistent use of physical units, coordinate systems –Euler angles: YPR vs RPY –quaternion handedness Signal properties –all bus data used, updated

Traceability Traceability: the ability to link requirements back to rationales and forward to corresponding design artifacts, code, and test cases

Traceability Traceability: the ability to link requirements back to rationales and forward to corresponding design artifacts, code, and proofs why is this line of code safe? code verification conditions assumptions how is this requirement satisfied? property verification conditions code

Autocode safety reports Verification says that the code is safe Certification says why the code is safe Code analysis generates safety report: explain how code complies with safety properties –Make assumptions and requirements explicit –Algorithms, formulas, equations used to implement blocks –Chain of reasoning from assumptions to requirements the variable rtb_GetVeci is in the coordinate frame Earth-Centric Inertial because it is defined by applying the ECEF to ECI transformation to the variable … which is in turn … support code reviews Traces between code, documentation and V&V artifacts

Certification browser Auto-generated code Proof Status Show obligations Safety Obligations Highlight code Formula or explanation

Advantages of approach Low to no false positives/negatives –Accurate analysis of loops, EML, buses Tight integration with Matlab tool suite –Minimal impact to existing process Can encode mathematical properties –Use automated theorem proving to check math Generates safety documentation –Multiple forms of evidence Traces code and model to verification artifacts Supports independent V&V Qualifiable: small kernel of trusted components

Future work Greater domain coverage –More Simulink blocks/EML functions –More properties (e.g., checking control laws) More extensive documentation –Integrated report for multiple properties, subsystems –Safety cases Tighter Matlab integration

Extra Slides

Example: Vector norms Intuitively: Probability vectors must be normalized Show preservation of norm by update operations Domain-specific requirement Requires code annotations

Tool architecture Small kernel of untrusted components - patterns and annotations untrusted

Qualification A code generator is qualified –with respect to a given standard –for a given project if there is sufficient evidence about the generator itself so that V&V need not be carried out on the generated code to certify it Must be done for every project, version –can obtain verification credit Generators are rarely qualified –ASCET-SE (IEC 61508), SCADE, VAPS (DO-178B) Qualifying code generators is (almost) infeasible!