Presentation is loading. Please wait.

Presentation is loading. Please wait.

B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,

Published byBraeden Bayse Modified over 9 years ago

Similar presentations

Presentation on theme: "B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,"— Presentation transcript:

1 B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC, Mumbai, India babita@apsara.barc.ernet.in, sdd@magnum.barc.ernet.in S.Ramesh CFDVS, IIT Bombay, Mumbai, India ramesh@cfdvs.iitb.ac.in

2 B. Sharma, S.D. Dhodapkar, S. Ramesh 2 Introduction Safety Critical Systems –Process, Automobile and Aircraft Control –Mission critical avionics applications Bugs are Costly –Pentium bug, Ariane 5 failure –Stringent Reliability Requirements –High level of Software Integrity Requirements

3 B. Sharma, S.D. Dhodapkar, S. Ramesh 3 Rigorous Development Verification –Freedom from defects –Rigorous Verification practices essential Safety Integrity Levels –Various guidelines and standards –MISRA guidelines, IEC 1508 –1 to 4 (low to high integrity) –Formal Specification and Verification

4 B. Sharma, S.D. Dhodapkar, S. Ramesh 4 Traditional Approaches Peer Review, formal Inspection and Dynamic Testing Effective in detecting presence of bugs never their absence Late detection of bugs When to stop testing? –Coverage criteria 60% of time spent on V&V Rigorous methods that establish absence of defects required –Formal Verification

5 B. Sharma, S.D. Dhodapkar, S. Ramesh 5 Formal Methods More rigorous approach Founded on Mathematical methods Proves correctness of Systems Increased confidence Early Detection of bugs –Design Verification Complementary to traditional techniques

6 B. Sharma, S.D. Dhodapkar, S. Ramesh 6 Verification Environment For industrial software Assertion Checking Environment (ACE) Static Checking of assertions about program units –safety properties of program units Safety Subsets of Programming languages MISRA C Checking Procedure –Static –Theorem Proving Techniques

7 B. Sharma, S.D. Dhodapkar, S. Ramesh 7 Static vs Dynamic checking Classical Code Verification methods based on Dynamic Testing & Assertion Checking Effectiveness determined by test cases –more testing, more confidence in Verification Static Assertion Checking equivalent to exhaustive testing –leads to higher level of assurance of code correctness Static Assertion Checking not new! –Classical Hoare Logic, Manna’s inductive assertion method The Central issue –Applying to industrial systems

8 B. Sharma, S.D. Dhodapkar, S. Ramesh 8 Formal Verification Methodology

9 B. Sharma, S.D. Dhodapkar, S. Ramesh 9 Program Verification Methodology Important Features –Abstract Models –Formal Specification –Verification Engine

10 B. Sharma, S.D. Dhodapkar, S. Ramesh 10 Models Abstract, High Level descriptions Modeling an error-prone activity Major bottleneck in using formal methods Real Languages pose several problems Our proposal –Language Subsets –Consistent with Safety considerations –Safe subset of C MISRA C –Motor Industry Standard –Safe features of C

11 B. Sharma, S.D. Dhodapkar, S. Ramesh 11 Specification Formal Specification using mathematical Logic Assertions at specific program control points –Conditions satisfied by program variables –Input Constraints or Pre-Conditions –Output Properties or Post-Conditions –Loop Invariants Compositional Specifications –Individual and independent specification of program units

12 B. Sharma, S.D. Dhodapkar, S. Ramesh 12 Verification Formal Procedures to check correctness of assertions Theorem Proving Capabilities STeP –Powerful Theorem Prover from Stanford U. –Strategies for Verification –Programmable using tactics and tacticals Translation tools –STeP uses SPL models –MISRA C need to be translated

13 B. Sharma, S.D. Dhodapkar, S. Ramesh 13 ACE

14 B. Sharma, S.D. Dhodapkar, S. Ramesh 14 MISRA C Safe subset of C for embedded automotive systems General C has a lot of problems –complex operator prec. rules, side effecting expressions, run-time checks, pointer arithmetics MISRA recommends a set of rules –No dependence on operator precedence rules –goto statement shall not be used. –Every case clause terminated with a break statement. –A function should have a single point of exit. –Pointer arithmetic not to be used. –Unions shall not be used to access the sub-parts of larger data types..

15 B. Sharma, S.D. Dhodapkar, S. Ramesh 15 C2SPL Important Component of ACE converts MISRA C program to SPL programs converts pre, post conditions and assertions into SPEC file in STeP format c2spl Pre-conditions Assertions/ Post-conditions SPL Model axioms Properties MISRA C

16 B. Sharma, S.D. Dhodapkar, S. Ramesh 16 Compositional Verification

17 B. Sharma, S.D. Dhodapkar, S. Ramesh 17 Compositional Verification prefunc and postfunc type of annotations prefunc captures the pre-condition of the called function postfunc captures post-condition of the called function both prefunc and postfunc annotations are automatically inserted by ACE Discharging the proofs for a function containing prefunc and postfunc annotations –prefunc type annotations become additional proof obligations, –postfunc type annotations become axioms

18 B. Sharma, S.D. Dhodapkar, S. Ramesh 18 Example struct RCD3_data { double X, Y; }; void get_inputsXY(struct RCD3_data *final_data) { ret1 = read_from_reg( 1, &InputX ); /*postfunc ( InputX >= 0 /\ InputX <= 4095 ) end*/ change_to_v(InputX, input_src, &tempX ); /*assert !(tempX 5) end*/ final_data->X= tempX; convert_to_d(1, tempX, final_data); /*post (#X final_data >= -180) /\ (#X final_data <= 180) end*/ }

19 B. Sharma, S.D. Dhodapkar, S. Ramesh 19 SPL Program get_inputsXY :: [ local final_data : RCD3_data local InputX, InputY : WORD … ret1 := read_from_reg(1,InputX); postf1 : skip; prefunc2 : skip; void_var := change_to_v(InputX,input_src,tempX); postf3 : skip; assert4 : skip; #X final_data := tempX; prefunc5 : skip; void_var := convert_to_d(1,tempX,final_data); postf6 : skip; assert7 : skip ]

20 B. Sharma, S.D. Dhodapkar, S. Ramesh 20 Specification SPEC AXIOM postf1 : postf1 ==> ( InputX >= 0 /\ InputX <= 4095 ) AXIOM prefunc2 : prefunc2 ==> (input_src = 2) \/ (input_src = 3) PROPERTY postf3 : postf3 ==> ((input_src = 3) /\ (tempX = ((5/4096) * InputX))) \/ ((input_src=2) /\ (tempX = ((5/2048) * InputX - 5.0))) PROPERTY assert4 : assert4 ==> !(tempX 5) PROPERTY prefunc5 : prefunc5 ==> (1 = 1) \/ (1 = 2)

21 B. Sharma, S.D. Dhodapkar, S. Ramesh 21 Industrial Experience Verification of many real programs Safety-critical Applications –Control –Process Interlock –Data Acquisition and Display

22 B. Sharma, S.D. Dhodapkar, S. Ramesh 22 Process Interlock Software tool-generated C code (translation validation) Logic diagrams to code Annotations derived from input logic diagrams 6000 lines of code, 54 functions, roughly 500 assertions proved

23 B. Sharma, S.D. Dhodapkar, S. Ramesh 23 Data acquisition system Manual development of programs and specifications 4000 lines of code, 40 functions, 110 assertions proved Properties Verified –Range Checks –arithmetic computations, –performance of software controlled actions, –intermediate values of variables etc. –one program required slicing to reduce model size

24 B. Sharma, S.D. Dhodapkar, S. Ramesh 24 Conclusions Initial Experience with the tool encouraging Future Enhancements –Use of slicing techniques –Finite State machine abstractions –Concurrency aspects

Download ppt "B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.

Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
VIDE Integrated Environment for Development and Verification of Programs.

VIDE Integrated Environment for Development and Verification of Programs.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Formal methods Basic concepts. Introduction  Just as models, formal methods is a complement to other specification methods.  Standard is model-based.

Formal methods Basic concepts. Introduction  Just as models, formal methods is a complement to other specification methods.  Standard is model-based.
Describing Syntax and Semantics

Describing Syntax and Semantics
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Verification and Validation CIS 376 Bruce R. Maxim UM-Dearborn.

Verification and Validation CIS 376 Bruce R. Maxim UM-Dearborn.

Similar presentations

Ads by Google