The interest of industries in model checking software for microcontrollers is increasing. However, there are currently no appropriate tools that can be applied by embedded systems developers for the direct verification of software for microcontrollers without the need for manual modeling. This article describes a new approach to model checking software for microcontrollers, which verifies the assembly code of the software. The state space is built using a tailored simulator, which abstracts from time, handles nondeterminism, and creates an overapproximation of the behavior shown by the real microcontroller. Within this simulator, we apply abstraction techniques to tackle the stateexplosion problem. In our approach, we combine different formal methods, namely, model checking, static analysis, and abstract interpretation. We also combine explicit and symbolic model checking techniques. This article presents a case study using several programs to demonstrate the efficiency of the applied abstraction techniques and to show the applicability of this approach. 
INTRODUCTION
Embedded systems are widely used in our daily life. They are, for example, employed in airplanes, cars, mobile phones, and household appliances. Embedded systems consist of hardware and software. The importance of the software on 36:2 • B. Schlich these devices is increasing because more and more functionality is implemented within the software and no longer realized by the hardware. The software of embedded systems has to be tested extensively and validated because errors may lead to severe or even fatal events, as in case of the Ariane 5 disaster [Lions 1996 ], or high costs and loss of reputation, as in the case of the Toyota Prius bug [Kanellos 2005 ].
Many embedded systems are based on microcontrollers, which are specialpurpose computers on a single chip. They are often specifically developed for single applications. The software for microcontrollers is mostly written in C or in assembly language. Removing errors in microcontroller software is difficult in the field because deploying the updates is complicated and cost intensive. In contrast to software run on general-purpose computers, it is often not possible for users to update microcontroller software themselves. For example, the software of a car can only be updated in a garage. In some cases, the software cannot be updated at all due to the type of memory used to store the program. This may render the affected microcontrollers useless.
Full or extensive testing of microcontroller software is often not possible because it is too time consuming for the desired time-to-market or too expensive for the specific product. Also, testing alone is not sufficient for safety-critical systems as there are errors that are difficult to find by testing. There are standards such as IEC61508 [International Electrotechnical Commission 1998 ] that strongly recommend the application of formal methods if a system requires a certain safety level. Formal methods mentioned in this standard include verification techniques such as model checking [Baier and Katoen 2008; Clarke et al. 1999; Manna and Pnueli 1995; Schneider 2004] and automatic theorem proving.
Model checking is able to automatically verify systems. It uses an exhaustive search over all reachable system states to check whether the system (model) satisfies a given property (specification). If the system does not satisfy the property, the model checker provides a counterexample which details the error.
Industries such as the automotive industry are interested in using model checking for the analysis of software for microcontrollers. In the development of software for microcontrollers, however, model checkers are far from being well established. Besides the state-explosion problem, one of the limiting factors is that most of the available model checkers are not able to handle all constructs needed to check microcontroller programs out-of-the-box [Schlich and Kowalewski 2005; Schlich 2008] or use custom input models. Consequently, developers have to remodel specifications and implementations to feed them into the model checker. They have to do this every time the system is changed. This is usually not considered to be worth the effort as it is time consuming and error prone. Furthermore, many model checkers are not intuitively usable and differ from development tools usually applied by developers.
To solve these problems, we propose an approach that verifies the microcontroller assembly code using model checking. The state space is built using a tailored simulator, which abstracts from time, handles nondeterminism, and builds an overapproximation of the behavior shown by the real microcontroller. Using abstraction techniques, we tackle the state-explosion problem. In this approach, we combine different formal methods, namely, model checking, static analysis, and abstract interpretation.
The rest of this article is structured as follows. First, Section 2 compares model checking of C code and model checking of assembly code and details our approach to model check microcontroller software. Then, the implementation of this approach within our [MC]SQUARE model checker is described in Section 3. Section 4 details the model of the microcontroller, which is used within the simulator. The static analyses that are used in our approach are presented in Section 5. Section 6 reports on logics that are preserved by the different abstraction techniques. The case study described in Section 7 illustrates the efficiency of the applied abstraction techniques and shows that this approach can successfully be used to model check microcontroller assembly code. Section 8 describes related work, and the last section concludes this article.
MODEL CHECKING C CODE VS. ASSEMBLY CODE
This section compares model checking of microcontroller C code with model checking of microcontroller assembly code. It lists and judges advantages and disadvantages. The main focus is on specifics of microcontroller software and the problems that arise when model checking software for microcontrollers. In the end of this section, we introduce our approach to model check microcontroller software.
C Code
Software for microcontrollers is mostly written in C or assembly language. Therefore, our first idea was to use existing C code model checkers to check C code for microcontrollers. In a paper [Schlich and Kowalewski 2005] , we described a case study in which we tried to apply 13 existing C code model checkers to C code for microcontrollers. This was not successful because the existing C code model checkers aim for the verification of hardware-independent ANSI C code, but C code used for microcontrollers contains more features than defined in ANSI C.
Beside ANSI C features, microcontroller C programs comprise additional features such as compiler-specific constructs, hardware-dependent constructs, interrupt handlers, and embedded assembly statements. All these features are not handled by the existing C code model checkers [Schlich and Kowalewski 2005] .
Microcontroller C programs often access the memory directly as certain functions of microcontrollers are controlled by specific registers, which are located at fixed memory addresses. An example of this kind of registers is an I/O register, which is used to read input from the environment. Direct memory accesses are reported as errors by most C code model checkers because they can lead to errors in systems where dynamic linking and loading is supported. Using direct memory accesses in conjunction with dynamic linking and binding is error prone because wrong parts of the memory can be accessed, which can be an issue for code and stack safety, for example.
Another problem is that C code model checkers aim at verifying hardwareindependent ANSI C programs. They do not use a model of the hardware the program will be running on, and therefore, they have to ignore peculiarities of the underlying hardware. Hence, they cannot find errors that are hardwaredependent such as errors in interrupt handling, stack overflows, and certain arithmetic overflows. The occurrence of arithmetic overflows depends on the actual sizes of data types on the target hardware, which are not defined in ANSI C. Figure 1 shows a typical microcontroller C program that controls an automotive power window lift. The program is one of the programs used in the case study described in Section 7. At first sight, the programs looks like an ANSI C program. It contains function calls, assignments, if clauses, and while loops. Most variables are read and written by the program, while a couple of the variables, such as TCCR1B, are only written. These specific variables are used to control the microcontroller. Some C code model checkers remove or ignore variables that are only written and thus disregard important parts of microcontroller C programs. Figure 2 displays the program shown in Figure 1 after being preprocessed. This figure evidences that the window lift program is not an ANSI C program but a typical microcontroller C program. It contains embedded assembly statements, direct memory accesses, and accesses to certain microcontroller functions. None of the C code model checkers considered can handle these constructs out-of-the-box. Some C code model checkers produce warnings, while others just ignore these features. In case of direct memory accesses, a couple of the C code model checkers show error messages because, as aforementioned, direct memory accesses are considered as errors in ANSI C programs running on general-purpose computers that support dynamic linking and loading. 
Assembly Code
An alternative is to model check assembly code instead of C code. Assembly code is the artifact that is deployed to the microcontroller and not an intermediate representation such as the C code. Therefore, model checking of assembly code has various advantages compared to model checking of C code [Balakrishnan et al. 2008; Mehler 2005; Mercer and Jones 2005; .
The assembly code is the outcome at the end of the development process. Hence, all errors introduced during the complete development process can possibly be found. These errors include errors not visible in intermediate representations (e.g., reentrance errors), compiler errors, postcompilation errors (e.g., errors introduced by instrumentation code), and hardware-dependent errors (e.g., stack overflows, arithmetic overflows, interrupt handling errors, and writing reserved registers).
Furthermore, assembly language usually has a clean and well-documented semantics. Vendors of microcontrollers provide documentation describing the semantics of the provided assembly constructs. This makes assembly constructs easier to handle than certain C constructs such as pointer arithmetics or function calls via pointers. Assembly statements that are embedded into the C code are considered appropriately by the model checker when model checking the assembly code and are not ignored as done by most existing C code model checkers.
When model checking assembly code, the model checker does not have to exploit the compiler behavior, hardware-dependent constructs can be handled, and the source code (C code) of the software is not required. Hence, even programs that use libraries not available in source code can be analyzed.
Another advantage is that programs consisting of components written in different programming languages can be verified. When model checking the 36:6
• B. Schlich source code, only single components can be verified, and for each programming language used, a specific model checker has to be utilized.
Beside these various advantages, model checking assembly code has some disadvantages. A model checker for microcontroller assembly code is hardware dependent. That is, the model checker has to be adapted for each new microcontroller that should be supported. Since assembly code features more lines of code and involves more details than the corresponding C code, the state spaces created during model checking of assembly code tend to be larger than the state spaces created during model checking of C code. This may also lead to longer counterexamples. Another disadvantage is that it can be difficult for users to relate the C code and the corresponding assembly code. This can complicate the formulation of properties and hinder the comprehensibility of counterexamples.
Approach
Model checking assembly code has some advantages compared to model checking intermediate languages such as C code. Therefore, we decided to use the assembly code of microcontroller programs as input for model checking. The key concepts of our approach are to use all available information of the microcontroller during state space generation, to combine explicit and symbolic techniques, to utilize different abstraction techniques, and to apply static analysis and abstract interpretation to support model checking. Some of these concepts are already used within other model checkers, but we had to adapt these solutions to deal with the peculiarities of assembly code.
To use all available information of the microcontroller during state space generation, the state space is created using a tailored simulator in our approach. This simulator abstracts from time, handles nondeterminism, and creates an over-approximation of the behavior shown by the real microcontroller. The microcontroller-specific information is used to tackle the state-explosion problem and to accurately model the behavior of the microcontroller, which allows propositions about internals of the microcontroller such as registers, I/O registers, and values of other memory locations. We have modeled different microcontrollers within the simulator. One such model is described in Section 4.
To tackle the state-explosion problem, different abstraction techniques are used within the tailored simulator. These abstraction techniques exploit microcontroller-specific information such as different memory regions or behavior of external devices. Some of these abstraction techniques introduce so-called lazy states, which contain explicit and symbolic parts. A lazy state no longer represents a single state but a set of states. Although parts of a lazy state may be symbolic, still explicit model checking algorithms are used.
Some of the applied abstraction techniques utilize static analysis or abstract interpretation to annotate the program before state space generation. These annotations are used by the simulator to limit the size of the state space during creation. This method is also used by other model checkers, but we have to cope with the peculiarities of assembly code such as indirect loads and stores, direct memory accesses, and interrupts. Section 5 details some of the applied static analyses.
•
36:7
To relate the assembly code to the corresponding C code, debug information is used. Thus, users can make propositions about C constructs and analyze counterexamples in C code. They only have to look at the assembly code if an error is not visible in the C code.
To treat the hardware-dependency of our approach, we divided the different parts of the model checking process into components. Through this partitioning, the simulator is the only hardware-dependent component. Therefore, only the simulator has to be adapted for different microcontrollers. The components are loosely coupled and can easily be exchanged. The next section details our approach. Clarke et al. [1999] , a local CTL algorithm first introduced by Vergauwen and Lewi [1993] and later adapted by Heljanko [1997] , and an algorithm to check invariants.
[MC]SQUARE
During state space creation, [MC]SQUARE uses various abstraction techniques to lower the size of the state space. These abstraction techniques include, for example, dead variable reduction, path reduction, and delayed nondeterminism. Users can choose abstraction techniques that are applied during model checking. Thereby, they are able to adjust the granularity of abstractions used and hence, influence the size of the resulting state space. Furthermore, they can select other options to lower memory consumption such as different compression levels and storage of states on hard disk. [MC]SQUARE presents counterexamples and witnesses, which are created during model checking, in the assembly code, in the Control Flow Graph (CFG) of the assembly code, in the C code, and as a state space graph. This allows users to pick the representation that suits their needs best. In each of these representations, they can analyze the values of any memory location and the truth values of formulas and subformulas.
Model Checking Process
This section describes the model checking process applied in [MC]SQUARE using the local model checking algorithm. A local model checking algorithm checks whether in a model M a given state s satisfies a given formula f (M , s |= f ). In contrast to global model checking algorithms, a local model checking algorithm only needs to evaluate the subformulas and visit the states that are needed to evaluate the truth value of the formula in the given state s, which is in most cases the initial state of the model. Therefore, it is possible to generate the state space on-the-fly during model checking. In contrast, a global model checking algorithm evaluates truth values of all subformulas in all states. Figure 3 shows the model checking process applied in [MC]SQUARE. Every step of the model checking process is implemented within a separate component. Additionally, generation of states and managing state spaces are separated into single components, namely the simulator and the state space. Communication between components is conducted by means of well-defined interfaces. Therefore, single parts of the model checking process can be exchanged independently. By separating model checking from the generation of states, model checking is conducted independently from the underlying microcontroller. The different steps of this process are detailed in the following.
Parser and Static
Analyzer. In the first step, the binary file, the C file (if provided), and the CTL formula are parsed and transformed into their internal representations. Then, static analysis is conducted and the assembly program is annotated. As part of the static analysis, abstract interpretation is used. Static analysis is only accomplished if users chose abstraction techniques that require static analysis. Abstraction techniques that require static analysis to annotate the program are, for example, dead variable reduction and path reduction.
During static analysis, information from the formula, namely addresses of memory locations used within atomic propositions, is used to preserve validity of the model checking results. In the first step of the static analysis, a CFG of the assembly program is created. In the end, the assembly program is tagged with annotations which are used by abstraction techniques implemented in the simulator to reduce state spaces. Section 5 details the implemented static analyses.
Model Checker.
After static analysis is finished, model checking is started for the annotated program. First, the model checker requests the initial state from the state space and checks whether the initial state satisfies the formula or certain subformulas. Depending on the result of this check, the model checker requests successor states of the current state from the state space. Then, it is checked whether these successors satisfy the formula or specific subformulas. The process continues until a goal state is reached that proves or disproves the validity of the formula or until the complete state space is built.
3.2.3
Simulator. If the model checker requests successors of a state which are not created yet, the state space uses the simulator to create the successors on-the-fly. To create successor states the simulator conducts the following steps. First, the state of the microcontroller is loaded into the microcontroller model. Then, it is checked whether there is nondeterminism that has to be resolved. Nondeterminism has to be resolved if handling interrupts or executing the next instruction accesses a memory location holding a nondeterministic value. Nondeterministic values are introduced by the microcontroller model. In the model of the ATmega16, for example, accessing a timer, reading input from the environment, and handling of interrupts introduces nondeterminism.
To correctly handle the nondeterminism and to guarantee the validity of the model checking results, the simulator has to create an overapproximation of the behavior shown by the real microcontroller. This is achieved by assigning all needed value combinations to memory locations holding nondeterministic values. Which value combinations actually are needed is influenced by the specific microcontroller and applied abstraction techniques.
If, for example, input is read from the environment and written into a register, all possible values are written into the corresponding register. If, for instance, occurrence of a single nondeterministic interrupt is possible, two successor states are created. In one successor state the interrupt is triggered, while in the other successor state the interrupt is not triggered.
For each assignment, a new state is created. If the assignment triggers an interrupt, the corresponding Interrupt Handler (IH) is called. Otherwise, the next instruction is executed. When calling an IH, the return address is pushed onto the stack, the address of the IH is written into the program counter, and the Global Interrupt Enable bit is disabled.
An instruction is executed by simulating its effect using the model of the microcontroller. As an example, consider the instruction ADD R1 R2. An ADD instruction sums up the values of two registers, in this case, R1 and R2. Here, it is assumed that nondeterminism is not involved. To execute the instruction, first the PC is incremented by two, which is the size of the ADD instruction. Then, registers R1 and R2 are read and summed up, the bits in the status register are set accordingly, and the result of the operation is written into register R1.
After an IH is called or an instruction is executed, the truth values of the atomic propositions are evaluated for the new state. By evaluating the truth values of atomic propositions within the simulator, the actual model checking algorithm does not have to account for microcontroller-specific information.
Counterexample Generator.
As the last step, a counterexample or a witness is created depending on the formula and the result of the model checking process. The counterexample or the witness is presented in the assembly code, in the CFG of the assembly code, in the C code, and as a state space graph.
MODEL OF THE MICROCONTROLLER
This section describes the model of the ATMEL ATmega16 microcontroller. The model of the microcontroller within the simulator together with the implemented abstraction techniques is the most important part of our approach. First the model of the ATmega16 is detailed and then one of the implemented abstraction techniques is described.
Model for Simulation
The model of the microcontroller influences the expressiveness and size of state spaces. If the model is too inaccurate, users cannot check all their properties because needed details are not present in the state space. On the other side, if the model is too accurate, [MC]SQUARE cannot build the complete state space due to the state-explosion problem. Therefore, we had to find the right degree of abstraction within the model of the microcontroller.
In the model of the microcontroller, there are components that show deterministic behavior and there are components that show nondeterministic behavior. Components of the microcontroller that show deterministic behavior include, for example, the core, the registers, the SRAM, and the stack. Components with nondeterministic behavior are, for instance, I/O registers, analog to digital converters, and timers. The nondeterministic behavior of these components has two different causes, namely, interaction with the environment and the modeling. Components such as I/O registers and analog to digital converters are nondeterministic because they interact with the environment, whereas, for example, timers are nondeterministic due to our modeling.
We have modeled the microcontroller without considering cycles. That is, we have not modeled CPU cycles within the simulator, but the model takes into account whether a timer is running or not. This makes propositions about CPU cycles impossible, but it still allows to make propositions about timers. Although timer interrupts can now occur at all locations where they are enabled and timers are running, state spaces are reduced because when considering cycles all locations could be visited with all timer value combinations (two 8-bit timers and one 16-bit timer). The following sections describe the modeling of the memory and the modeling of the I/O ports. 4.1.1 Memory. The ATmega16 uses a Harvard architecture as every AVR microcontroller. In a Harvard architecture, memory spaces and buses for program and data are separated. The memory of the ATmega16 microcontroller is divided into three memory spaces: SRAM data memory space, EEPROM data memory space, and program memory space.
The ATmega16 SRAM data memory comprises 1120 bytes. The first 96 bytes contain the register file and the I/O registers. The registers are used by the core to conduct calculations and to store values. The I/O registers are used to access certain features and devices of the ATmega16 microcontroller such as timers, I/O ports, or interrupts. The internal data SRAM is accessed through the last 1024 bytes. It is used to store variable values and the stack. The EEPROM data memory is nonvolatile and can be used by the developer to store values permanently. Its size is 512 bytes, and it is 8 bits wide. The program memory stores the program. Its size is 16kB, and it is 16 bits wide.
All memory regions except I/O registers show a deterministic behavior. We have modeled them using arrays. The arrays for the SRAM data memory and for the EEPROM data memory are 8 bits wide while the array for the program memory is 16 bits wide as on the real microcontroller.
For the SRAM data memory, we additionally use a second array which stores whether values of certain memory locations are deterministic or nondeterministic. This is needed although all memory regions in the SRAM except I/O registers show a deterministic behavior as they have to be able to store nondeterministic values which are introduced by abstraction techniques such as delayed nondeterminism or models of devices such as timers.
I/O Ports.
The ATmega16 features four I/O ports. Each of these ports has three distinct I/O memory address locations: one for the data register PORTx, one for the data direction register DDRx, and a third one for the port input pins PINx. The lowercase x can be replaced with letters A to D representing Port A to Port D. Beside the general digital I/O functionality, each port has alternate functions which interfere with the general digital I/O functionality. The DDRx register selects the direction of the pins of an I/O port. If a bit of this register is set to one, the corresponding pin is used as an output pin. If a bit of this register is set to zero, the respective pin is used as an input pin. That is, this register determines which pins of this port are used for output and which pins are used for input. It influences the behavior of the other two registers of this port, namely, PORTx register and PINx register.
The PORTx register serves two purposes. If the port is used as an input port, PORTx activates and deactivates the pull-up resistors of the pins. When the port is used as an output port, the value of PORTx is used as the output: writing a one drives the pin high and writing a zero drives it low.
The PINx register is used to read the actual value of the port. If a pin is used as an input pin, the value externally applied to the pin is read. If a pin is used as output, the value written to the corresponding bit in PORTx is read. Whether the port is used as input or output is determined by the DDRx register. If the complete port is used as input, reading the PINx register returns 256 different values. If only one bit of the port is used as input, only two different values are returned by the PINx register.
In our model, the values of these three registers are stored in the representation of the SRAM data memory. The DDRx register and the PORTx register show a deterministic behavior while PINx returns deterministic or nondeterministic values depending on the value of DDRx. This behavior is encoded in the model of the microcontroller.
Modeling the devices accurately helps to reduce state spaces and to reflect the behavior of the microcontroller. If I/O ports are not modeled accurately, reading a PINx register always returns all 256 possible values even if the port is used for output. This is an overapproximation of the behavior of ports that is too coarse for verifying interesting properties involving ports.
Delayed Nondeterminism
An abstraction technique that is used when instantiating nondeterminism, that is, when replacing abstract values with concrete values, is Delayed NonDeterminism (DND) [Noll and Schlich 2008] . It features two aspects. First, it only instantiates needed parts reducing the number of different successors, and second, it delays the instantiation of nondeterminism, that is, the splitup into different successors. DND tries to maintain a single trace as long as possible and to create only few varying traces if splitting is required.
When not using DND, [MC]SQUARE instantiates nondeterministic values immediately and completely. It instantiates them whenever it accesses them, for example, while handling interrupts or executing an instruction that reads an I/O port, and it assigns all possible value combinations to affected memory locations even if they are not used afterwards. This can lead to an exponential blow-up of the state space size. DND tries to avoid this overhead. It introduces lazy states into [MC]SQUARE , which are a symbolic representation because it can retain nondeterministic values of memory locations in contrast to immediate instantiation. In the following, we distinguish between DND for interrupt handling and DND for executing instructions.
Without using DND for interrupt handling, nondeterministic interrupt flags are instantiated the moment interrupt handling is performed during the generation of successor states. Interrupt flags store whether certain interrupts occurred. An interrupt can occur if its source is enabled even if the interrupt itself is not enabled. In this case, however, the interrupt is not handled until it is finally enabled. Sources of interrupts are certain devices such as timers and analog to digital converters. Therefore, interrupt flag registers are instantiated if the corresponding sources are enabled even if the interrupts themselves are not enabled, which is determined by the Global Interrupt Enable bit and the enable bit of the particular interrupt. Of course, interrupts that are not enabled are only instantiated causing different successors but not handled. This has to be done because otherwise interrupt occurrences could be missed if, for example, an interrupt and its source are only enabled separately.
When utilizing DND, a nondeterministic interrupt flag is only instantiated if the corresponding interrupt can be handled. An interrupt can be handled if the interrupt and its source are enabled or if the interrupt is enabled and marked to be nondeterministic, indicating that the source was enabled before. Additionally, the interrupt must not be blocked by a higher-priority interrupt. If the interrupt cannot be handled, its flag is not instantiated and remains nondeterministic. Therefore, in contrast to 2 s successors, where s is the number of enabled interrupt sources, DND only creates a + 1 successors, where a ≤ s is the number of enabled interrupts. This is not an underapproximation but the way interrupts are treated on the ATmega16, which handles interrupts according to the same conditions as used by DND.
Without using DND for the execution of instructions, [MC]SQUARE instantiates all nondeterministic values immediately when it accesses them and instantiates them completely, that is, it assigns all possible value combinations to affected memory locations. When using DND, [MC]SQUARE delays the instantiation until it actually requires the values for a computation, and it instantiates only required parts of these values, for example, single bits or the complete byte.
Whether values have to be instantiated and which parts of the values have to be instantiated depends on the instruction and the memory locations accessed by the instruction. There are instructions for which nondeterministic values may be instantiated, such as LDS (load direct from data space), and instructions for which nondeterministic values must be instantiated, for example ADD (add without carry).
In the may case, instantiation is only performed if nondeterminism is to be copied into memory locations where it is not allowed. It is not allowed in certain I/O registers because these registers control the model of the microcontroller, and it is not allowed in memory locations that are utilized within the formula because [MC]SQUARE uses explicit model checking techniques and these techniques cannot cope with nondeterminism in atomic propositions. For all other memory locations, instantiation is not performed and nondeterministic values are only copied.
In the must case, nondeterministic values are always instantiated because they are needed for the execution of the instruction. For example, an ADD instruction adds up the values of two registers and writes the result to one of the involved registers. During this operation, it sets the bits of the status register, for which nondeterministic values are forbidden. These bits can only be set if the result of the operation is known. When such an instruction is executed, the nondeterminism in affected memory locations is instantiated by creating all required combinations of values.
The DND abstraction technique is hardware dependent. For the ATmega16, it works very efficiently, as shown in Section 7. There are microcontrollers for which this abstraction technique is not very efficient because they set bits in the status register during the execution of each instruction. We are currently working on an extension that can be used for these microcontrollers.
STATIC ANALYSIS
Static analyses in [MC]SQUARE are used to annotate the program under verification for model checking. These annotations are used during state space generation to reduce state spaces.
This section first presents the challenges that arise when applying static analysis to assembly code and then describes four of the analyses implemented in [MC]SQUARE . The first two of these analyses, namely stack analysis and interrupt flag analysis, are used to improve the accuracy of other analyses. The last two analyses described are used to prepare the program under verification for the application of two abstraction techniques, namely dead variable reduction and path reduction.
Challenges
Static analysis of microcontroller assembly code involves some challenges due to the nature of assembly code and the underlying microcontroller. Microcontroller assembly code contains indirect accesses, indirect control, interrupts, and recursions. Functions and IHs are implicitly declared, and all memory locations are globally accessible. Furthermore, I/O registers, which influence the behavior of the microcontroller, are accessed directly.
To account for these peculiarities, the static analyses implemented in [MC]SQUARE use an accurate model of the microcontroller which includes features such as registers, I/O registers, SRAM, stack, timers, and interrupts. This model is not as accurate as the model used for state space building (refer to Section 4) due to the degree of abstraction.
Despite the accurate modeling of the microcontroller, indirect accesses such as indirect reads and writes are challenging as the values of pointer registers are not statically known. The ATmega16 features three 16-bit pointer registers called X, Y, and Z.
[MC]SQUARE determines direct writes to these pointer registers, but indirect writes and writes within loops are not tracked. Therefore, the values of these pointer registers are not always known. If an indirect access is evaluated and the value of the corresponding pointer register is not known, [MC]SQUARE overapproximates the behavior of the instruction by accessing the complete memory.
[MC]SQUARE has to overapproximate the behavior of instructions to guarantee the validity of the results.
36:15
In the ATMEL ATmega16 architecture not all indirect writes can access the complete memory because in a Harvard architecture different memory spaces and regions, respectively, are accessed by different instructions. Therefore, many instructions can only access a certain region of the memory and hence access only the corresponding memory regions completely in case of indirect accesses.
Indirect accesses are only present in small fragments of the code such as initialization or certain functions. The results, which are presented in Section 7, show that, despite the existence of indirect accesses, the presented analyses significantly improve time and space needed for model checking.
The basis for most analyses is the CFG of the program, which is created using a control flow analysis [Schlich 2008; Schlich et al. 2008b] . If a program contains indirect control, all static analyses except for the analysis used for path reduction (see Section 5.5) fail as the CFG cannot be created. Creating an overapproximation of the CFG by adding edges from the location of the indirect jump to all program locations is too coarse. In general, the set of possible target locations cannot be restricted without a precise pointer analysis. Indirect control, however, is not used frequently. If it is used in a program, the program can still be model checked without using the affected static analyses.
Stack Analysis
In assembly code, the stack is used to temporarily store the contents of working registers used within a function. At the beginning of a function, the values of the working registers are put onto the stack, and at the end of the function, the values of these registers are restored from the stack. Hence, a data flow analysis determines that the function reads and writes these registers, although it does neither use nor define the values of these registers.
[MC]SQUARE uses the stack analysis to find out whether these registers are actually read or written by a function to improve the results of other data flow analysis. In order to achieve this, [MC]SQUARE attempts to determine static stack configurations for all locations of a function. Due to the dynamic nature of the stack, a configuration of the stack at a specific program location depends on the actual execution. Therefore, [MC]SQUARE uses an abstract interpretation to determine, for each program location, an approximation of the stack configuration.
The abstract interpretation used in this analysis observes all accesses to the stack by means of PUSH and POP operations, changes of the stack pointer, and write accesses to the memory region of the stack. It is carried out in a depth-first search manner starting at the first location of the function. For every location where the stack is accessed the corresponding action is evaluated. If a value is taken from the stack, [MC]SQUARE checks whether it is written to the original register, that is, the register from which the value originated.
The stack analysis fails if the stack pointer is changed directly, if the memory region of the stack is directly accessed, or if the stack is changed within a loop without maintaining the stack size.
[MC]SQUARE cannot handle the first two situations because statically it only knows the relative (not the absolute) position of the stack. It cannot handle the last situation as it cannot statically determine loop bounds. For IHs, [MC]SQUARE additionally checks whether the size of the stack becomes negative or positive (relatively) because they should not exchange values with other functions or IHs using the stack.
If the stack analysis is successful, other data flow analyses can use the results to remove working registers from the behavior of the corresponding functions. This, for example, increases the number of variables that can be reset by dead variable reduction. If the analysis fails, however, the working registers cannot be removed.
Interrupt Flag Analysis
The Global Interrupt Enable bit (I bit), which is located in the status register, defines whether interrupts are globally enabled or not. Without an analysis that determines the value of this bit, data flow analyses implemented in [MC]SQUARE assume that interrupts are enabled at all program locations. This leads to rather coarse overapproxaimations in these analyses. To improve the results of these analyses, [MC] SQUARE uses an analysis that determines for each program location an overapproximation of the state of the I bit. Here, overapproximation means that the state of the I bit is enabled if interrupts are enabled or if it is not known whether they are enabled, and it is disabled if interrupts are certainly disabled. This overapproximation is needed to preserve the validity of the results.
This analysis is an interprocedural, context-insensitive data flow analysis which uses abstract interpretation. It only evaluates instructions that possibly influence the state of the status register and thus the I bit. These instructions include SEI and CLI, which disable and enable interrupts, and direct and indirect writes that can access the status register. In the ATMEL ATmega16 architecture, however, not all direct and indirect writes can access the status register. To determine the possible values of memory locations, this analysis uses the results of the interprocedural, context-sensitive reaching definitions analysis [Schlich 2008; Schlich et al. 2008b] .
Using a fixed point algorithm, [MC]SQUARE determines the effect of each instruction, function, and IH on the I bit. That is, it determines whether they enable, disable, or leave the I bit. Using these results, the status of the I bit is identified for all program locations. The status of the I bit at all program locations is then used by other data flow analyses to handle interrupts accordingly.
Dead Variable Reduction
The idea behind Dead Variable Reduction (DVR) [Holzmann 1999; Yorav and Grumberg 2004] is that states only differing in dead variables are equivalent and hence can be merged into a single state. A dead variable is a variable that is not in the set of live variables. That is, a dead variable is a variable that is redefined (written) before it is used (read), and therefore, its value is no longer of interest. In microcontroller assembly code, we do not deal with variables but with memory locations, which are more general.
36:17
To apply DVR, [MC]SQUARE first uses an interprocedural, context-insensitive live variables analysis [Schlich 2008; Schlich et al. 2008b ] to determine for each location the set of live variables. After that, the set D of dying variables is determined for each program location. A variable dies at location l , that is, after the execution of the statement of l , if it is alive at location l and dead at location l . From this set D, two kinds of elements are removed. First, all memory locations used in the formula are removed to preserve validity of the model checking results. Second, all addresses of I/O registers are removed because resetting I/O registers could have side-effects on the behavior of the microcontroller such as the deactivation of interrupts. Then, every program location is annotated with its corresponding set D indicating the addresses of memory locations that can be reset during state space building. Thus, states that differ only in the value of this memory location are automatically merged.
One important effect of DVR when model checking microcontroller assembly code is that it counteracts a compiler optimization, which leads to larger state spaces. The compiler maps local variables to registers trying to use as few registers as possible. Therefore, different local variables of different functions are mapped to the same registers. Thus, when model checking assembly code, two independent functions become dependent as their local variables share the same registers. Thereby, the interleaving between these functions is accounted for, which increases state space sizes. Using DVR, working registers are identified, and the locations where they die are annotated. During state space generation, the values of the identified working registers are reset, and thus, the functions no longer influence their values. Thereby, DVR removes the unneeded dependencies.
Path Reduction
Path Reduction (PR) [Yorav and Grumberg 2004] is an abstraction technique that compresses single successor paths, which are paths consisting of states having only single successors, into a single step. Storing only the first and the last state of such a path reduces memory consumption.
This abstraction technique comprises two parts. The first part is a static analysis that determines locations whose states have to be stored. These locations are called Breaking Points (BPs) by Yorav and Grumberg [2004] . The second part is a runtime component which only stores states created at these specific locations. Yorav and Grumberg [2004] defined for the WHILE language six criteria for a location to be a BP, which can all be checked statically. For microcontroller assembly code, however, some criteria differ and others cannot be checked statically. Therefore, we have adapted some of the criteria, and for others, we have implemented a check that is dynamically conducted during state space generation. In the following, the differing criteria are detailed.
The criterion that all locations of nondeterministic assignments are BPs can be checked statically for the WHILE language because there is a special instruction for nondeterministic assignments. In microcontroller assembly code there is no such instruction. Varying memory locations can introduce nondeterminism and are accessed via different instructions. A memory location can change back and forth between deterministic and nondeterministic behavior when, for example, an I/O port is switched to output or a timer is activated. Using a static analysis to check this criterion leads to an overapproximation that is too coarse. Therefore, [MC]SQUARE checks this criterion dynamically during state space generation.
In the WHILE language , the heads of while loops are BPs which can be determined statically. This criterion is needed to ensure termination of the model checking process. If there is a loop consisting of only single successor states, the state space generation does not terminate without this criterion because the loop is never detected as none of its states is stored. In microcontroller assembly code, however, there are no while loops. Loops in microcontroller assembly code are closed using jumps or indirect jumps, which can both be determined statically by [MC]SQUARE as the locations of jumps and indirect jumps are of interest and not their targets.
Another criterion is that the location of a communication instruction and its succeeding instruction are BPs. In the WHILE language , this can be checked statically. In microcontroller assembly code, however, there are no communication instructions as there are no parallel processes, but there are interrupts which act similar to parallel processes. The communication between IHs and the main process is done implicitly as all memory locations can be accessed globally. Hence, all locations where interrupts are enabled have to be labeled as BPs.
[MC]SQUARE checks this criterion dynamically during state space creation because the status of interrupts is not known statically and an overapproximation of their status is too coarse.
Most microcontroller programs use interrupts extensively, and all locations where interrupts are enabled are BPs. As all states have to be stored that are created from BPs, PR seems to be inefficient when model checking microcontroller assembly programs. Interrupts, however, are not enabled at all program locations. For example, during the execution of IHs, interrupts are usually disabled. Thus, IHs are generally long, single successor chains and hence can be reduced efficiently using PR.
The other three criteria remain unchanged and are checked statically by [MC]SQUARE as in the original approach. They include the initial and the final location of the program, locations of assignments changing a variable used within the formula, and locations of call statements and their succeeding locations. The dynamic checking of criteria increases the runtime, but it also increases the accuracy. We decided to check all criteria statically that do not yield overapproximations that are too coarse and to check all other criteria dynamically during state space generation.
INFLUENCE ON VALIDITY OF FORMULAS
We have implemented two CTL model checking algorithms in [MC]SQUARE . They check whether a model, in this case the state space of an assembly program, satisfies a CTL formula. Furthermore, we have implemented several abstraction techniques in [MC]SQUARE . These abstraction techniques influence the validity of the formulas checked. The abstraction techniques are not implemented in the model checker, but in the simulator. Users can enable and disable most of them, but they have to be aware of the influence on the validity of the formulas. In the following, we list for each of the three abstraction techniques described in this article whether it preserves CTL, ACTL [Emerson 1991] , which is the universal fragment of CTL, or another sublogic of CTL.
DVR does not influence the validity of formulas because it is not applied for variables that are used within the formula, and hence, it preserves validity of CTL formulas [Yorav and Grumberg 2004] . DND preserves the validity of ACTL formulas. Noll and Schlich [2008] provide a proof. PR preserves CTL*-X as shown by Yorav and Grumberg [2004] . That is, it preserves CTL-X formulas in our case. From our point of view, the loss of the next operator is not critical.
[MC]SQUARE conducts model checking on the assembly program, but developers usually work on the C code. Thus, the semantics of the next operator may not be obvious to developers. Therefore, we recommend not to use the X operator.
If users apply all three abstraction techniques together, [MC]SQUARE preserves the validity of ACTL-X formulas. If they want to use the next operator, they have to disable PR. Preserving ACTL means that if [MC]SQUARE determines that an ACTL formula is true, this is also true for the concrete system. The same holds if [MC]SQUARE finds out that an ECTL formula is false. However, if [MC]SQUARE finds out that an ACTL formula is false or that an ECTL formula is true, users have to check if this also holds for the concrete system.
CASE STUDY
This case study demonstrates the effects of three abstraction techniques implemented in [MC]SQUARE and shows that our approach is feasible. We used six different programs written for the ATMEL ATmega16 microcontroller, which were all written by students in lab courses, during diploma theses, or in exercises. None of these programs was intentionally written to be model checked afterwards. The sizes of the programs vary between 148 and 930 lines of assembly code. The number of parallel enabled interrupts ranges from 0 to 3. The case study was conducted on a server equipped with AMD Dual-Core Opteron 8220 processors running at 2.8 GHz and 256GB main memory. We used revision 4229 of [MC]SQUARE for this case study.
We chose programs of this size because we wanted to compare the effects of the different abstraction techniques. For larger programs, we have to enable all abstraction techniques to build the state spaces as their state spaces are too large without using abstraction techniques. As we were not interested in the results of the model checking, but in the sizes of state spaces, we used the formula AG true. This formula does not influence the abstraction techniques and therefore enables a fair comparison. We published case studies interested in the outcome of the model checking using real specifications for the window lift program and for different versions of the CAN speed program . Table I shows the results of this case study. The first column gives the name of the program. The second column indicates the options that were used for model checking. The third column presents the number of states that were stored, and the fourth column presents the number of states that were created including revisits. The fifth column gives the size of the state space in main memory. The sixth column shows the time in seconds needed for model checking, including creation of the state space and all preparatory steps such as preprocessing, parsing, and static analysis. The last column shows the reduction of the number of states stored in percent.
In [MC]SQUARE only DND for the execution of instructions can be deactivated. DND for interrupt handling was activated in all runs, and hence, its influence cannot be judged. Before we implemented DND for interrupt handling, however, some of these programs could not be model checked at all as the state spaces were too large. For some of the programs, DND did not show an effect because it only has an influence on programs reading input from the environment. The three programs where DND did not show an influence do not read input from the environment. In the other three programs, which read input from the environment, DND showed a significant effect on both state space sizes and time needed for model checking.
DVR worked for some of the six programs. In general, DVR works for programs that contain many functions, use local variables, and do not use global variables in all functions. One effect of DVR is that it removes the coupling between functions introduced by compiler optimizations. A problem of DVR is that it cannot be used for variables that are utilized within the formula.
PR significantly reduced the number of states stored in all six programs, especially in programs using interrupts. Time needed, however, was not reduced due to revisits. It is a trade-off between time and space. As space is the limiting factor, PR should always be used. The loss of validity of the next operator is not a problem for us as we do not use the next operator in our specifications.
Combining DVR and PR helped to decrease the number of states created. PR reduced the number of states stored and DVR reduced the number of states created and hence the runtime. In this situation DVR supported PR. Combining all three abstraction techniques showed in many cases an improvement compared to the application of single abstraction techniques. It did not show an improvement in cases where some of the involved abstraction techniques did not show any effect.
As none of the abstraction techniques showed a negative effect, users of [MC]SQUARE should always use all abstraction techniques together. In the worst case, they show no improvement, but usually they significantly reduce state spaces and time needed for model checking.
Transferring the results to industrial-sized programs, we think that the window lift program reflects the structure of general embedded software better than the other programs because it uses interrupts and communicates with the environment at the same time. Hence, we expect that the abstraction techniques used in this case study will show the same behavior on industrial-sized programs as they showed for the window lift program.
RELATED WORK
[MC]SQUARE is related to both model checking of assembly code and static analysis of assembly code. Therefore, this section presents related work regarding assembly code model checking first and then related work regarding static analysis of assembly code.
Model Checking Assembly Code
Model checkers that model check machine code or byte code are: CODESURFER/X86 and WPDS++ [Balakrishnan et al. 2005] , ESTES [Mercer and Jones 2005] , JAVA PATHFINDER [Visser et al. 2003 ], MCESS [Rohrbach 2006] , and STEAM [Mehler 2005 ]. All these model checkers, except the CODESURFER/X86 and WPDS++ tool set, are explicit model checkers. Most of them are not able to handle interrupts, which play an important role in microcontroller assembly code.
The model checking tool set consisting of CODESURFER/X86, PATH INSPECTOR, and WPDS++ uses a translation approach to model check x86 executables. CODESURFER/X86 extracts a model of the CFG in the form of a weighted pushdown automaton from the x86 executable. Then, the WPDS++ library checks the weighted push-down automaton using a symbolic reachability algorithm. The properties that are checked with this tool set are reachability in the CFG and specific interprocedural data flow properties, which are usually checked by static analyzers. The CODESURFER/X86 and WPDS++ tool set uses an abstract semantics which is similar to semantics used in static analysis. Another tool that conducts static analyses with the help of model checking is GOANNA [Fehnker et al. 2007] , which checks C and C++ code rather than machine code.
[MC]SQUARE uses a different approach. It creates state spaces directly from the machine code. Furthermore, the semantic model used by [MC] SQUARE is richer.
[MC]SQUARE simulates the effects of instructions using a concrete semantics. Therefore, state spaces created by [MC]SQUARE are generally larger, but contain more information. Hence, [MC]SQUARE can be used to verify arbitrary userspecified properties of the program given in CTL. The CODESURFER/X86 and WPDS++ tool set and GOANNA, however, can check larger programs.
The ESTES model checker checks code written for the Motorola 68hc11 and the Hitachi H8/300 processors. State spaces are built using the real hardware or a back-end simulator through the GNU debugger. An advantage of using the GNU debugger is that ESTES does not have to deal with the semantics of the instructions. A disadvantage is that the creation of state spaces cannot be influenced by, for example, abstraction techniques or variable modelings. To check a program, users have to provide an environment written in C++. This environment is primarily a set of program locations where an environment response is needed or where property invariants need to be checked. Users have to compile the environment together with the source code of the model checker. Additionally, users have to specify the parts of the memory that have to be stored in states, that is, users have to declare the memory abstraction. ESTES can check for invariants, stack overflows, and read-only violations. Since ESTES uses a notion of discrete time, the state-explosion problem is more severe than when model checking without time.
Despite the different supported hardware platforms, [MC]SQUARE and ESTES differ in other ways.
[MC]SQUARE abstracts from time, preserving an overapproximation, and therefore, the generated state spaces tend to be smaller than in ESTES. In our approach, we concentrate on the creation of state spaces using microcontroller-specific abstraction techniques. We do not use existing simulators as we think that significant savings in space and time can be achieved by a tailored implementation. Properties that can be checked with [MC]SQUARE are not restricted to invariants but can be arbitrary CTL formulas. Furthermore, [MC]SQUARE conducts the same checks as ESTES does, for example, it checks for stack overflows and unintended uses of microcontroller features. Moreover, users do not have to provide an environment that deals with nondeterminism.
In the simulator, a default environment is modeled which assumes that the environment behaves nondeterministically. If users, however, want to model the environment in [MC]SQUARE , they can use the so-called user-defined environments described by Schlich et al. [2008a] .
JAVA STEAM focuses on checking parallel, hardware-independent C++ programs. It model checks these programs by checking the machine code of these programs, which is compiled for the Internet C Virtual Machine (ICVM). It builds state spaces by monitoring a modified version of the ICVM which simulates the program at the machine code level. STEAM uses a modified version of the GNU C Compiler (GCC) to compile the C++ code. To use a newer version of the GCC, the ICVM has to be readapted. In contrast to STEAM, our approach aims at the verification of assembly code written for a specific microcontroller. As aforementioned, our main focus is the customization of the simulator that is used to build state spaces. Thereby, we can influence the state space creation and adapt the degree of overapproximation using various abstraction techniques.
Static Analysis of Assembly Code
Static analysis of assembly code is used for different purposes. Cifuentes and Fraboulet [1997] describe an approach that uses intraprocedural static analysis to conduct slicing of assembly programs. In this approach, however, the stack and interrupts are not supported. Brylow et al. [2001] describe an interprocedural stack analysis that determines the depth of the stack and performs abstract type checking of stack elements. It can handle interrupts, but it can only handle immediate writes to interrupt registers.
[MC]SQUARE , in contrast, checks for stack corruption and can handle arbitrary writes to interrupt registers. Linn et al. [2004] present a stack analysis for x86 assembly code which is similar to our stack analysis. In their approach, interrupts are not supported. Regehr et al. [2005] describe an analysis that uses abstract interpretation to check for stack overflows. This approach uses abstract interpretation as [MC]-SQUARE does, but [MC]SQUARE uses the abstract interpretation to check for stack corruption and not for stack overflows.
In all these approaches, static analysis is used to check properties that users are interested in. In [MC]SQUARE , however, static analysis is only used to annotate the program for model checking, that is, the actual properties are checked by model checking and not by static analysis.
CONCLUSION AND FUTURE WORK
This article describes a new approach for model checking software for microcontrollers which uses assembly code as input. We have shown that model checking assembly code enables us to find errors that cannot be found in intermediate representations such as C code. These errors include compiler errors, reentrance problems, stack overflows, interrupt handling errors, and unintended use of microcontroller features.
We have implemented the approach in our model checker [MC]SQUARE . In this approach, we combine different formal methods, namely, static analysis, abstract interpretation, and model checking. Moreover, we combine explicit and symbolic techniques. To cope with the hardware dependency of the approach, we have developed an architecture in which each step of the model checking process is implemented in a separate component.
The state space is built using a component that simulates the effect of instructions on the model of the microcontroller. For this purpose, we have developed a tailored simulator which natively handles nondeterminism and creates an overapproximation of the behavior shown by the real microcontroller to preserve the validity of the results. We tackle the state-explosion problem by accurately modeling important hardware features and by abstracting hardware features that are not required. The right degree of abstraction is mandatory for successfully applying model checking to microcontroller assembly code. If the abstraction is too coarse, interesting properties cannot be shown. If no abstractions are used, the state-explosion problem is likely to occur. Implementing the abstraction techniques within the simulator allows the application of microcontroller-specific abstraction techniques. Some of the implemented abstraction techniques require static analysis or abstract interpretation.
One very important artifact when applying model checking is the counterexample. It allows users to locate errors within the program. The different representations of the counterexample provided by [MC]SQUARE enable users to choose the representation that suits their needs best.
Using a case study, we have shown that this approach can successfully be used for model checking microcontroller assembly programs. The case study describes the use of [MC]SQUARE on small programs, which are not written with the intention to be model checked, without any manual preparation.
Summarizing, we think that applying model checking to microcontroller assembly code is practical. The impact of the state-explosion problem is not as significant as when model checking general-purpose computer programs. The accurate modeling of the microcontroller within the simulator and the use of hardware-dependent abstraction techniques help to tackle the state-explosion problem. Furthermore, microcontroller programs are not as large as programs run on personal computers. In its current status, [MC]SQUARE can already be used in academia and education and can find errors in real-world programs. To use [MC]SQUARE in industry projects, further research is needed to tackle the state-explosion problem.
Currently, there exists ongoing research into this direction. We are investigating whether we can extend the DND abstraction technique to automatically remove further unused details. In doing that, we also need to understand the consequences of this extension on properties. This research is focused on the abstraction of timers.
As abstraction techniques are very important in this approach, future research should focus on the development of new hardware-dependent abstraction techniques and the adaptation of known abstraction techniques to microcontroller assembly code. We think that the combination of explicit and symbolic techniques is promising. Therefore, it should be determined whether there are other symbolic techniques that could be integrated into this approach.
Further research into static analysis should concentrate on increasing the accuracy of the different static analyses. This can be achieved by, for example, improving the accuracy of the pointer analysis implemented in [MC]SQUARE. Additionally, the accuracy of the microcontroller model used in the static analysis could be improved. Moreover, different static analyses for finding errors independently of model checking can be added.
To ease the creation of new simulators, research has to focus on techniques for automatically generating simulators from models given in hardware description languages. Approaches for the generation of simulators from hardware description languages have been proposed by Halambi et al. [1999] , Hartoog et al. [1997] , Pees et al. [1999] , Qin et al. [2004] , and Ramsey and Davidson [1998] . Simulators created by these approaches, however, are not suited for model checking. Simulators used for model checking have to handle nondeterminism, create an overapproximation of the behavior shown by real microcontrollers, and evaluate truth values of atomic propositions. Furthermore, abstraction techniques should be automatically integrated into the simulators.
