Formal Verification of Spacecraft Control Programs (Experience Report) by Mokhov A et al.
Formal Verification of Spacecraft Control Programs
(Experience Report)
Andrey Mokhov
Newcastle University
United Kingdom
andrey.mokhov@ncl.ac.uk
Georgy Lukyanov
Newcastle University
United Kingdom
g.lukyanov2@ncl.ac.uk
Jakob Lechner
RUAG Space GmbH
Austria
jakob.lechner@gmx.net
Abstract
Verification of correctness of control programs is an essential
task in the development of space electronics; it is difficult
and typically outweighs design and programming tasks in
terms of development hours. This experience report presents
a verification approach designed to help spacecraft engineers
reduce the effort required for formal verification of low-level
control programs executed on custom hardware.
The verification approach is demonstrated on an industrial
case study. We present REDFIN, a processing core used in
space missions, and its formal semantics expressed using the
proposed metalanguage for state transformers, followed by
examples of verification of simple control programs.
CCS Concepts • Software and its engineering;
Keywords formal verification, instruction set architecture
ACM Reference Format:
Andrey Mokhov, Georgy Lukyanov, and Jakob Lechner. 2019. For-
mal Verification of Spacecraft Control Programs (Experience Re-
port). In Proceedings of the 12th ACM SIGPLAN International Haskell
Symposium (Haskell ’19), August 22–23, 2019, Berlin, Germany.ACM,
NewYork, NY, USA, 7 pages. https://doi.org/10.1145/3331545.3342593
1 Introduction
Software bugs play a major role in the history of space-
craft accidents [Leveson 2004]. Some of the known mission-
ending bugs, e.g. due to software updates, would have been
difficult to prevent, but integer overflows [Ben-Ari 2001]
and incorrect unit conversion [NASA 1999] should have
been eradicated long ago. This paper combines known for-
mal verification and programming languages techniques and
presents a formal verification approach for simple control
tasks, such as satellite power management, which are exe-
cuted on a real processing core used in space missions.
Fig. 1 shows an overview of our approach. The bottom
part corresponds to conventional code generation and test,
Permission to make digital or hard copies of part or all of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. Copyrights for third-
party components of this work must be honored. For all other uses, contact
the owner/author(s).
Haskell ’19, August 22–23, 2019, Berlin, Germany
© 2019 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-6813-1/19/08.
https://doi.org/10.1145/3331545.3342593
Figure 1. Overview of the presented verification approach.
where REDFIN1 assembly language is executed by simulat-
ing the effect of each instruction on the state of the processor
and memory. The corresponding state transformer is typi-
cally implicit and intertwined with the rest of the simulation
infrastructure. The main idea of our approach is to represent
the state transformer explicitly so that it can be symbolically
manipulated and used not only for simulation but also for
formal verification. The latter is achieved by compiling state
transformers to SMT formulas and using an SMT solver, e.g.
Z3 [De Moura and Bjørner 2008], to verify that certain cor-
rectness properties hold, for example, that integer overflow
cannot occur regardless of input parameters and that the
program always terminates within stated time.
By using Haskell as the host language we can readily
implement compilers from higher-level typed languages to
untyped assembly, eradicating incorrect number and unit
conversion bugs. As shown at the top of Fig. 1, engineers can
write high-level control programs for the REDFIN architec-
ture directly in a small subset of Haskell. These high-level
programs can be used for type-safe code generation and as
executable specifications of intended functionality for the
purposes of program synthesis and equivalence checking.
We first introduce the REDFIN processing core (§2), then
present our verification approach (§3-§4), and conclude by a
discussion (§5) and a review of related work (§6).
1REDFIN stands for ‘REDuced instruction set for Fixed-point & INteger
arithmetic’. This instruction set and the corresponding processing core were
developed by RUAG Space Austria GmbH for space missions (see §2).
Haskell ’19, August 22–23, 2019, Berlin, Germany Andrey Mokhov, Georgy Lukyanov, and Jakob Lechner
2 The REDFIN Architecture Overview
Many spacecraft subsystems rely on integrated circuits to
perform control tasks or simple data processing. Typically,
these integrated circuits are realisedwith Field Programmable
Gate Arrays (FPGAs) benefiting from their flexibility and low
cost. Modern space-qualified FPGAs that can withstand radi-
ation in Earth orbit or deep space have a limited amount of
programmable resources, and it is often not feasible to imple-
ment a fully-fledged processor system in such an FPGA next
to the mission-specific circuitry. The REDFIN instruction set
was developed to address this issue and meet the following
goals: (i) simple instruction set with a small hardware foot-
print, (ii) reduced complexity to support formal verification
of programs, and (iii) deterministic real-time behaviour.
2.1 REDFIN Instruction Set and Microarchitecture
REDFIN instructions have a fixed width of 16 bits. The in-
struction set is based on a register-memory architecture, i.e.
instructions can fetch their operands from registers as well as
directly from the memory. This architecture favours a small
register set, which minimises the hardware footprint of the
processing core. Furthermore, the number of instructions in
a program is typically smaller in comparison to traditional
load/store architectures where all operands have to be trans-
ferred to registers before any operations can be performed.
There are 47 instructions of the following types:
• Load/store instructions for moving data between reg-
isters and memory, and loading of immediate values.
• Integer and fixed-point arithmetic operations.
• Bitwise logical and shift operations.
• Control flow instructions and comparison operations.
• Bus access instructions for read & write operations on
an AMBA AHB bus (not covered in this paper).
The REDFIN processing core fetches instruction and data
words from a small and fast on-chip SRAM. This only allows
for execution of simple programs, however, it also eliminates
the need to implement caches and thus removes a source of
non-determinism of conventional processors. High perfor-
mance is not one of the main goals, hence the core is not
pipelined and does not need to resolve data/control hazards
or perform any form of speculative execution. These proper-
ties greatly simplify worst-case execution time analysis.
2.2 Requirements for Formal Verification
Verification of functional correctness of REDFIN programs, as
defined by a requirement specification, clearly is an essential
task for the development of space electronics. There are also
important non-functional requirements, such as worst-case
execution time and energy consumption, which rely on the
implementation guarantees provided by the processing core.
To reduce verification complexity, the REDFIN core only
allows to execute a single subroutine whose execution is
triggered by a higher-level controller in the system. The
implementation guarantees that concurrent bus accesses to
data State = State
{ registers :: RegisterBank
, memory :: Memory
, instructionCounter :: InstructionAddress
, instructionRegister :: InstructionCode
, program :: Program
, flags :: Flags
, clock :: Clock }
type Register = SymbolicValue Word2
type Value = SymbolicValue Int64
type RegisterBank = SymbolicArray Word2 Int64
type MemoryAddress = SymbolicValue Word8
type Memory = SymbolicArray Word8 Int64
type InstructionAddress = SymbolicValue Word8
type InstructionCode = SymbolicValue Word16
type Program = SymbolicArray Word8 Word16
data Flag = Condition | Overflow | Halt ...
type Flags = SymbolicArray Flag Bool
type Clock = SymbolicValue Word64
Figure 2. Basic types for modelling REDFIN.
the processor registers or memory do not affect the subrou-
tine execution time. Furthermore, the processor does not
implement interrupt handling. All these measures are taken
to provide real-time subroutine execution guarantees and
make the verification of non-functional properties feasible.
Despite these restrictions, the REDFIN core has already
proven its effectiveness for simple control tasks and arith-
metic computations as part of an antenna pointing unit for
satellites. Nevertheless, verification can be difficult and time-
consuming, even for small and simple programs. Verification
activities, following engineering standards for space elec-
tronics, typically outweigh programming and design tasks
by a factor of two in terms of development hours. Usually
verification is performed via program execution on an in-
struction set simulator or a hardware model of the processor.
Manually deriving test cases from the specification is cum-
bersome and error-prone and simulation times can become
prohibitively long with a large number of tests that are often
needed to reach the desired functional and code coverage.
Formal verification methods can prove that a program sat-
isfies certain properties for all possible test cases and are
therefore immensely valuable for completing the verifica-
tion with superior efficiency and quality.
3 Modelling REDFIN in Haskell
In this section we formally define the REDFIN microarchi-
tecture and express the semantics of the instruction set as
an explicit and symbolic state transformer.
3.1 The REDFIN Microarchitecture State
The main idea of our approach is to use an explicit state
transformer semantics of the REDFINmicroarchitecture. The
State of the entire processing core is a product of states of
every component, see Fig. 2. We define SymbolicValue and
Formal Verification of Spacecraft Control Programs Haskell ’19, August 22–23, 2019, Berlin, Germany
SymbolicArray on top of the SBV library [Erkok 2019] that
we use as a frontend for SMT translation and verification.
There are 4 registers (addressed by Word2) and 256 mem-
ory cells (addressed by Word8) that store 64-bit values (Int64).
The register bank and memory are represented by symbolic
arrays that can be accessed via SBV’s functions readArray
and writeArray. REDFIN uses 16-bit InstructionCodes,
whose 6 leading bits contain the opcode, and the remaining
10 bits hold instruction arguments. The Program maps 8-bit
instruction addresses to instruction codes.
The microarchitecture status Flags support conditional
branching, track integer overflow, and terminate the program
(we omit a few other flags for brevity). The Clock is a 64-bit
counter incremented on each clock cycle. Status flags and
the clock are used for diagnostics, formal verification, and
worst-case execution time analysis.
3.2 Instruction and Program Semantics
We can now define the formal semantics of REDFIN instruc-
tions and programs as a state transformer T : S → S , i.e. a
function that maps states to states. We distinguish instruc-
tions and programs by using Haskell’s list notation, e.g.Tnop
is the semantics of the instruction nop ∈ I , whereasT[nop] is
the semantics of the single-instruction program [nop] ∈ P .
Definition (program semantics): The semantics of a pro-
gram p ∈ P is inductively defined as follows:
The semantics of the empty program [] ∈ P coincides
with the semantics of the instruction nop and is the identity
state transformer: T[] = Tnop = id.
The semantics of a single-instruction program [i] ∈ P is a
composition of (i) fetching the instruction from the program
memory Tfetch, (ii) incrementing the instruction counter Tinc,
and (iii) the state transformer of the instruction itself Ti;
or, using the order of state components from Fig. 2:
Tfetch = (r ,m, ic, ir ,p, f , c ) 7→ (r ,m, ic,p[ic],p, f , c + 1)
Tinc = (r ,m, ic, ir ,p, f , c ) 7→ (r ,m, ic + 1, ir ,p, f , c )
T[i] = Ti ◦Tinc ◦Tfetch
The semantics of a composite program i:p ∈ P , where the
operator : prepends an instruction i ∈ I to a program p ∈ P ,
is defined as Ti:p = Tp ◦T[i].
We represent state transformers in Haskell using the state
monad, a classic approach to emulating mutable state in a
purely functional programming language [Wadler 1990]. We
call our state monad Redfin and define it as follows:
data Redfin a = Redfin
{ transform :: State -> (a, State) }
A computation of type Redfin a yields a value of type a and
possibly alters the State of the REDFIN microarchitecture.
The type Redfin () describes a computation that does not
produce any value as part of the state transformation; such
computations directly correspond to state transformers.
For example, here is the state transformer Tinc:
incrementInstructionCounter :: Redfin ()
incrementInstructionCounter =
Redfin $ \current -> ((), next)
where
next = current { instructionCounter =
instructionCounter current + 1 }
In words, the state transformer looks up the value of the
instructionCounter in the current state and replaces it
in the next state with the incremented value. We can com-
pose such primitive computations into more complex state
transformers using Haskell’s do-notation:
readInstructionRegister :: Redfin InstructionCode
readInstructionRegister =
Redfin $ \s -> (instructionRegister s, s)
executeInstruction :: Redfin ()
executeInstruction = do
fetchInstruction
incrementInstructionCounter
instructionCode <- readInstructionRegister
decodeAndExecute instructionCode
Here readInstructionRegister reads the instruction code
from the current state without modifying it, and is subse-
quently used in executeInstruction, which defines the se-
mantics of the REDFIN execution cycle. We omit definitions
of fetchInstruction and decodeAndExecute for brevity.
The latter is a case analysis of 47 opcodes that returns the
matching instruction. We discuss several instructions below.
3.2.1 Halting the Processor
The instruction halt sets the flag Halt, thereby stopping
the execution of the current subroutine until a new one is
started by a higher-level system controller that resets Halt.
halt :: Redfin ()
halt = writeFlag Halt true
The auxiliary function writeFlag modifies the flag:
writeFlag :: Flag -> SymbolicValue Bool -> Redfin ()
writeFlag flag value = Redfin $ \s -> ((), s’)
where
s’ = s { flags =
writeArray (flags s) (flagId flag) value }
In the rest of the paper we will use auxiliary functions
readRegister, writeRegister, readState, etc.; they are
simple state transformers defined similarly to writeFlag.
3.2.2 Arithmetics
The instruction abs is more involved: it reads a register and
writes back the absolute value of its contents. The seman-
tics accounts for the potential integer overflow that leads to
the negative resulting value when the input is −263 (REDFIN
uses the common two’s complement signed number repre-
sentation). The overflow is flagged by setting Overflow. We
use SBV’s symbolic if-then-else operation ite to merge two
Haskell ’19, August 22–23, 2019, Berlin, Germany Andrey Mokhov, Georgy Lukyanov, and Jakob Lechner
symbolic values — in this case two possible next states, one
of which is a state with the Overflow flag set:
abs :: Register -> Redfin ()
abs reg = do
state <- readState
result <- fmap Prelude.abs (readRegister reg)
let (_, state’) =
transform (writeFlag Overflow true) state
writeState $ ite (result .< 0) state’ state
writeRegister reg result
3.2.3 Conditional Branching
As an example of a control flow instruction consider jmpi_ct,
which tests the Condition flag, and adds the provided offset
to the instruction counter if the flag is set.
jmpi_ct :: SymbolicValue Int8 -> Redfin ()
jmpi_ct offset = do
ic <- readInstructionCounter
condition <- readFlag Condition
let ic’ = ite condition (ic + offset) ic
writeInstructionCounter ic’
We use our Haskell encoding of the state transformer as
a metalanguage: we operate the REDFIN core as a puppet
master, using external meta-notions of addition, comparison
and let-binding. From the processor’s point of view, we have
infinite memory and act instantly, which gives us unlimited
modelling power. For example, we can simulate the proces-
sor environment in an external tool and feed its result to
writeRegister as if it was obtained in one clock cycle.
3.3 Symbolic Simulation
Having defined the semantics of REDFIN programs, we can
perform symbolic processor simulation. The function simulate
takes a number of simulation steps N and an initial sym-
bolic State as input, and runs executeInstruction defined
above N times. In each state swemerge two possible futures:
(i) if the Halt flag is set, we remain in the current state, since
in this case the processor must remain idle; (ii) otherwise,
we continue the simulation from the next state.
simulate :: Int -> State -> State
simulate steps s = if steps <= 0 then s else
ite halted s (simulate (steps - 1) next)
where
halted = readArray (flags s) (flagId Halt)
next = snd (transform executeInstruction s)
Symbolic simulation is very powerful. It allows us to formally
verify properties of REDFIN programs by fixing some parts
of the state to constant values (e.g., the program), and then
making assertions on the resulting values of the symbolic
part of the state, as demonstrated in the next section §4.
4 Formal Verification
This section presents a formal verification framework devel-
oped on top of the REDFIN semantic core (§3).
The verification workflow comprises the following steps:
• Develop programs in low-level REDFIN assembly, and
in a high-level typed language embedded in Haskell.
• Test REDFIN programs on concrete input values.
• Define functional correctness andworst case execution
time properties in the SBV property language.
• Verify the properties or obtain counterexamples.
Consider the following simple spacecraft control task.
Let t1 and t2 be two different time points (measured
in ms), and p1 and p2 be two power values (measured
in mW). Calculate the estimate of the total energy
consumption during this period using linear approx-
imation, rounding down to the nearest integer:
energyEstimate(t1, t2,p1,p2) =
⌊ |t1 − t2 | ∗ (p1 + p2)
2
⌋
.
This task looks too simple, but in fact it has a few pitfalls
that, if left unattended, may lead to the failure of the space
mission. Examples of subtle bugs in seemingly simple pro-
grams leading to a catastrophe include 64-bit to 16-bit num-
ber conversion overflow causing the destruction of Ariane 5
rocket [Ben-Ari 2001] and the loss of NASA’s Mars orbiter
due to incorrect unit conversion [NASA 1999]. Let us develop
and verify a REDFIN program for this task.
We can write programs in the untyped REDFIN assembly,
or in a typed higher-level expression language. The former
allows engineers to hand-craft highly optimised programs
under tight resource constraints, while the latter brings type-
safety and faster prototyping. We start with the high-level
approach and define an expression that can be used both as
a Haskell function and a high-level REDFIN expression:
energyEstimate :: Integral a => a -> a -> a -> a -> a
energyEstimate t1 t2 p1 p2 =
abs (t1 - t2) * (p1 + p2) `div` 2
Thanks to polymorphism, we can treat energyEstimate
both as a numeric function, and as an abstract syntax tree
that can be compiled into a REDFIN assembly Script. Due
to the lack of space we omit the implementation of Script,
but one can think of it as a restricted version of the Redfin
state transformer, which we use to write programs that can
manipulate the processor state only by executing instructions,
e.g. the only way to set the Overflow flag is to execute an
arithmetic instruction that might cause an overflow.
energyEstimateHighLevel :: Script
energyEstimateHighLevel = do
let t1 = read (IntegerVariable 0)
t2 = read (IntegerVariable 1)
p1 = read (IntegerVariable 2)
p2 = read (IntegerVariable 3)
temp = Temporary 4
stack = Stack 5
compile r0 stack temp (energyEstimate t1 t2 p1 p2)
halt
Formal Verification of Spacecraft Control Programs Haskell ’19, August 22–23, 2019, Berlin, Germany
Here the type IntegerVariable is used to statically distin-
guish between integer and fixed-point numbers, Temporary
to mark temporary words, so they cannot be mixed with
inputs and outputs, and Stack to denote the location of the
stack pointer. The let block declares six adjacent memory
addresses: four input values {t1, t2,p1,p2}, a temporary word,
and a stack pointer. We compile the high-level expression
energyEstimate into the assembly language by translating
it to a sequence of REDFIN instructions. The first argument
of the compile function holds the register r0which contains
the estimated energy value after the program execution.
We can run symbolic simulation for 100 steps, initialising
the program and data memory of the processor using the
function simulate defined above and a helper function boot.
main = do
let dataMemory = [10, 5, 3, 5, 0, 100]
finalState = simulate 100 $
boot energyEstimateHighLevel dataMemory
printMemoryDump 0 5 (memory finalState)
putStrLn $ "R0: " ++ show
(readArray (registers finalState) r0)
As the simulation result we get a finalState. We inspect it
by printing relevant components: the values of the first six
memory cells, and the result of the computation located in
the register r0. Note that the stack pointer (cell 5) holds 100,
as in the initial state, which means the stack is empty.
Memory dump: [10, 5, 3, 5, 5, 100]
R0: 20
Simulating programs with specific inputs is useful for di-
agnostics and test, but SMT solvers allow us to verify the
correctness for all valid input combinations. To demonstrate
this, let us discover a problem in our energy estimation pro-
gram. Consider the following correctness property.
Assuming that valuesp1 andp2 are non-negative inte-
gers, the energy estimation subroutine must always
return a non-negative integer value.
To check that the program meets this requirement, we
translate energyEstimateHighLevel into an SMT formula,
and formulate the corresponding theorem:
theorem = do
t1 <- forall "t1" -- Initialise symbolic variables
t2 <- forall "t2"
p1 <- forall "p1"
p2 <- forall "p2" -- And then add constraints:
constrain $ p1 .>= 0 &&& p2 .>= 0
-- Initialise the data memory with symbolic variables:
let dataMemory = [t1, t2, p1, p2, 0, 100]
finalState = simulate 100 $
boot energyEstimateHighLevel dataMemory
result = readArray (registers finalState) r0
halted = readArray (flags finalState) (flagId Halt)
return $ halted &&& result .>= 0
&&& result .== energyEstimate t1 t2 p1 p2
We extract the computed result and the value of the flag Halt
from the finalState, and then assert that the processor has
halted, the result is non-negative, and is equal to that com-
puted by the high-level Haskell expression energyEstimate.
The resulting SMT formula can be checked by Z3 in 3.0s2:
> proveWith z3 theorem
Falsifiable. Counter-example:
t1 = 5190405167614263295 :: Int64
t2 = 0 :: Int64
p1 = 149927859193384455 :: Int64
p2 = 157447350457463356 :: Int64
Z3 has found a counterexample demonstrating that the pro-
gram does not satisfy the above property. Indeed, the expres-
sion evaluates to a negative value on the provided inputs
due to an integer overflow. We therefore refine the property:
According to the spacecraft power system specifica-
tion, p1 and p2 are non-negative integers not exceed-
ing 1W. The time is measured from the mission start,
hence t1 and t2 are non-negative and do not exceed
the time span of themission, which is 30 years. Under
these assumptions, the energy estimation subroutine
must return a non-negative integer value.
We need to modify time and power constraints accordingly:
constrain $ p1 .<= toMilliWatts ( 1 :: Watt)
&&& t1 .<= toMilliSeconds (30 :: Year)
&&& t1 .>= 0 &&& t2 .>= 0 &&& ... -- etc.
Rerunning Z3 produces the desired QED outcome in 4.8s.
The refinement has rendered the integer overflow impos-
sible; in particular, abs can never be called with −263 within
the mission parameters. Such guarantee fundamentally re-
quires solving an SMT problem, even if it is done at the type
level, e.g. using refinement types [Vazou et al. 2014].
The statically typed high-level expression language is very
convenient for writing REDFIN programs, however, an ex-
perienced engineer can often find a way to improve the
resulting code. In some resource-constrained situations, a
fully hand-crafted assembly code may be required. As an
example, consider the following low-level program:
energyEstimateLowLevel :: Script
energyEstimateLowLevel = do
let { t1 = 0; t2 = 1; p1 = 2; p2 = 3 }
ld r0 t1
sub r0 t2
abs r0
ld r1 p1
add r1 p2
st r1 p2
mul r0 p2
sra_i r0 1
halt
2We use a laptop with 2.90GHz Intel Core i5-4300U processor, 8GB RAM
(3MB cache), and the SMT solver Z3 version 4.5.1 (64-bit).
Haskell ’19, August 22–23, 2019, Berlin, Germany Andrey Mokhov, Georgy Lukyanov, and Jakob Lechner
This program computes the energy estimate using only 9
instructions, whereas a direct unoptimised translation of the
energyEstimate expression into assembly uses 79 instruc-
tions, most of them for stack manipulation.
To support the development of hand-crafted code, we use
Z3 to check the equivalence of REDFIN programs by verifying
that they produce the same output on all valid inputs. This
allows an engineer to optimise a high-level prototype and
have a guarantee that no bugs were introduced in the process.
equivalence = do
t1 <- forall "t1"
t2 <- forall "t2"
p1 <- forall "p1"
p2 <- forall "p2"
constrain $ p1 .>= 0 &&& p2 .>= 0
&&& t1 .>= 0 &&& t2 .>= 0
&&& p1 .<= toMilliWatts ( 1 :: Watt)
&&& p2 .<= toMilliWatts ( 1 :: Watt)
&&& t1 .<= toMilliSeconds (30 :: Year)
&&& t2 .<= toMilliSeconds (30 :: Year)
let memory = [t1, t2, p1, p2, 0, 100]
llState = simulate 100 $
boot energyEstimateLowLevel memory
hlState = simulate 100 $
boot energyEstimateHighLevel memory
llResult = readArray (registers llState) r0
hlResult = readArray (registers hlState) r0
return $ llResult .== hlResult
The equivalence check succeeds and takes 11.5s.
Every call of the executeInstruction function advances
the clock field of the State (see Fig. 2) by the appropriate
number of cycles, precisely matching the hardware imple-
mentation. This allows us to perform best/worst-case exe-
cution timing analysis using the optimisation facilities of
SBV and Z3. As an example, let us determine the minimum
and maximum number of clock cycles required for execut-
ing energyEstimateLowLevel. To make this example more
interesting, we modified the semantics of the instruction abs
and added 1 extra clock cycle in case of a negative argument.
timingAnalysis = optimize Independent $ do
... -- Initialise and run symbolic simulation
minimize "Best case" (clock finalState)
maximize "Worst case" (clock finalState)
The total delay of the program depends only on the sign
of t1 − t2, thus the best and worst cases differ only by one
clock cycle. The worst case is achieved when the difference
is negative (t1 − t2 = −2), as shown below. Z3 finishes in 0.5s.
Objective "Best case":
Optimal model:
t1 = 549755813888
t2 = 17179869184
p1 = 0
p2 = 0
Best case = 12
Objective "Worst case":
Optimal model:
t1 = 65535
t2 = 65537
p1 = 0
p2 = 0
Worst case = 13
5 Discussion
As the previous section §4 demonstrates, the presented ap-
proach provides a unified specification, testing, and formal
verification framework. It allows the REDFIN engineering
team to co-develop REDFIN software and hardware, by ex-
tending and modifying the default instruction semantics. By
using Haskell as a metalanguage, one can implement higher-
level languages on top of the REDFIN assembly, such as our
simple statically-typed language for arithmetic expressions.
Static typing, polymorphism, do-notation, and availability
of a mature symbolic manipulation library (SBV) were the
key factors for choosing Haskell for this project. We also
have a prototype implementation in the dependently-typed
language Idris [Brady 2013] that allows us to verify more
sophisticated properties at the type level, however at the
time of writing there is no equivalent of the SBV library in
Idris, which is a significant practical disadvantage.
The Script monad was engineered to provide familiar
assembly mnemonics and directives (e.g. labels), which al-
lows engineers to start using the framework for developing
REDFIN programs even without prior Haskell experience,
hopefully increasing the uptake of the framework.
Thanks to symbolic simulation, we can uniformly handle
both concrete and symbolic values, reusing the same code
base and infrastructure for testing and formal verification.
Testing yields trivial SMT problems that can be solved in sub-
second time. Formal verification is more expensive: in our
experiments, realistic programs (e.g. for controlling a stepper
motor in antenna and solar panel positioning units, with a
loop and ≈100 instructions) required 10-30 minutes, but one
can easily construct tiny programs that will grind any SMT
solver to a halt: for example, analysis of a single multiplica-
tion instruction can take half an hour if it is required to factor
64-bit numbers — try to factor 4611686585363088391 with an
SMT solver! In such cases, conservatively proving some of
the correctness properties at the type level can significantly
increase the productivity. As a microbenchmark, we verified
the correctness of an array summation program, reporting
the number of SMT clauses and Z3 runtime for low-level
(LL) and high-level (HL) programs:
Benchmark Array Clauses Clauses Time Time
size LL HL LL HL
Overflow: 9 286 260 1.482s 0.443s
values not 12 492 453 3.604s 1.365s
constrained 15 740 688 49.969s 7.362s
18 1030 965 76.757s 88.458s
No overflow: 9 318 292 0.467s 0.119s
all values 12 549 510 0.739s 0.682s
in [1, 1000] 15 828 776 1.839s 6.408s
18 1155 1090 9.944s 72.880s
Equivalence 9 258 261 0.039s 0.097s
to the sum 12 495 459 0.053s 0.647s
function 15 708 702 0.311s 7.322s
18 1005 990 2.633s 71.896s
Formal Verification of Spacecraft Control Programs Haskell ’19, August 22–23, 2019, Berlin, Germany
6 Related Work
There is a vast body of literature available on the topic of
formal verification, including verification of hardware pro-
cessing cores and low-level software programs. Our work
builds in a substantial way on a few known ideas that we
will review in this section. We thank the formal verification
and programming languages communities and hope that the
formal semantics of the REDFIN processing core will provide
a new interesting benchmark for future studies.
We model the REDFIN microarchitecture using a monadic
state transformer metalanguage – an idea with a long his-
tory. Fox and Myreen [2010] formalise the Arm v7 instruc-
tion set architecture in HOL4 and give a careful account to
bit-accurate proofs of the instruction decoder correctness.
Later, Kennedy et al. [2013] formalised a subset of the x86
architecture in Coq, using monads for instruction execution
semantics, and do-notation for assembly language embed-
ding. Degenbaev [2012] formally specified the complete x86
instruction set – a truly monumental effort! – using a custom
domain-specific language that can be translated to a formal
proof system. Arm’s Architecture Specification Language
(ASL) has been developed for the same purpose to formalise
the Arm v8 instruction set [Reid et al. 2016]. The SAIL lan-
guage [Armstrong et al. 2019] has been designed as a generic
language for ISA specification and was used to specify the
semantics of ARMv8-A, RISC-V, and CHERI-MIPS. Our spec-
ification approach is similar to these three works, but we
operate on a much smaller scale of the REDFIN core and
focus on verifying whole programs.
Our metalanguage is embedded in Haskell and does not
have a rigorous formalisation, i.e. we cannot prove the cor-
rectness of the REDFIN semantics itself, which is a com-
mon concern, e.g. see Reid [2017]. Moreover, our verifica-
tion workflow mainly relies on automated theorem proving,
rather than on interactive one. This is motivated by the cost
of precise proof assistant formalisations in terms of human
resources: automated techniques are more CPU-intensive,
but cause less “human-scaling issues” [Reid et al. 2016]. Our
goal was to create a framework that could be seamlessly
integrated into an existing spacecraft engineering workflow,
therefore it needed to have as much proof automation as
possible. The automation is achieved by means of symbolic
program execution. Currie et al. [2006] applied symbolic exe-
cution with uninterpreted functions to prove equivalence of
low-level assembly programs. The framework we present al-
lows not only proving the equivalence of low-level programs,
but also their compliance with higher-level specifications
written in a subset of Haskell.
Finally, we would like to acknowledge the projects and
talks that provided an initial inspiration for this work: the
‘Monads to Machine Code’ compiler by Diehl [2017], RISC-V
semantics byMIT [2017], the assemblymonad byWall [2017],
and SMT-based program analysis by Jelvis [2016].
Acknowledgements
We would like to thank Vitaly Bragilevsky, Neil Mitchell,
Charles Morisset, Artem Pelenitsyn, Danil Sokolov, as well
as the three Haskell Symposium reviewers for their helpful
feedback on an earlier version of this paper.
References
Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Alastair Reid,
Kathryn E. Gray, Robert M. Norton, Prashanth Mundkur, Mark Wassell,
Jon French, Christopher Pulte, Shaked Flur, Ian Stark, Neel Krishnaswami,
and Peter Sewell. 2019. ISA Semantics for ARMv8-a, RISC-v, and CHERI-
MIPS. Proc. ACM Program. Lang. 3, POPL, Article 71 (Jan. 2019), 31 pages.
https://doi.org/10.1145/3290384
Mordechai Ben-Ari. 2001. The Bug That Destroyed a Rocket. SIGCSE Bull.
33, 2 (June 2001), 58–59.
Edwin Brady. 2013. Idris, a general-purpose dependently typed program-
ming language: Design and implementation. Journal of Functional Pro-
gramming 23 (9 2013), 552–593. Issue 05.
David Currie, Xiushan Feng, Masahiro Fujita, Alan J. Hu, Mark Kwan, and
Sreeranga Rajan. 2006. Embedded Software Verification Using Symbolic
Execution and Uninterpreted Functions. International Journal of Parallel
Programming 34, 1 (2006), 61–91.
Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver.
Tools and Algorithms for the Construction and Analysis of Systems (2008),
337–340.
Ulan Degenbaev. 2012. Formal specification of the x86 instruction set archi-
tecture. Ph.D. Dissertation. Saarland University.
Stephen Diehl. 2017. Monads to Machine Code. https://web.archive.org/
web/20171207020256/http://www.stephendiehl.com/posts/monads_
machine_code.html.
Levent Erkok. 2019. SBV: SMT Based Verification in Haskell. http://
leventerkok.github.io/sbv/
Anthony Fox and Magnus O Myreen. 2010. A trustworthy monadic for-
malization of the ARMv7 instruction set architecture. In International
Conference on Interactive Theorem Proving. Springer, 243–258.
Tikhon Jelvis. 2016. Analyzing Programs with Z3 (video recording of Com-
pose Conference talk). https://web.archive.org/web/20170205204536/http:
//jelv.is/talks/compose-2016/.
Andrew Kennedy, Nick Benton, Jonas B Jensen, and Pierre-Evariste Dagand.
2013. Coq: the world’s best macro assembler?. In Proceedings of the 15th
Symposium on Principles and Practice of Declarative Programming. ACM,
13–24.
Nancy G. Leveson. 2004. Role of Software in Spacecraft Accidents. Journal
of Spacecraft and Rockets 41, 4 (2004), 564–575.
MIT. 2017. A formal specification of the RISC-V ISA written in Haskell.
https://github.com/mit-plv/riscv-semantics.
NASA. 1999. Mars Climate Orbiter Mishap Investigation Board Phase I Report.
Technical Report.
Alastair Reid. 2017. Who Guards the Guards? Formal Validation of the Arm
V8-m Architecture Specification. Proc. ACM Program. Lang. 1, OOPSLA
(2017), 88:1–88:24.
Alastair Reid, Rick Chen, Anastasios Deligiannis, David Gilday, David Hoyes,
Will Keen, Ashan Pathirane, Owen Shepherd, Peter Vrabel, and Ali Zaidi.
2016. End-to-end verification of processors with ISA-Formal. In Interna-
tional Conference on Computer Aided Verification. Springer, 42–58.
Niki Vazou, Eric L Seidel, Ranjit Jhala, Dimitrios Vytiniotis, and Simon
Peyton-Jones. 2014. Refinement types for Haskell. In ACM SIGPLAN
Notices, Vol. 49. ACM, 269–282.
Philip Wadler. 1990. Comprehending monads. In Proceedings of the 1990
ACM conference on LISP and functional programming. ACM, 61–78.
Lewis Wall. 2017. An ASM Monad. https://web.archive.org/web/
20190519181416/http://wall.org/~lewis/2013/10/15/asm-monad.html.
