Source Code Verification for Embedded Systems using Prolog

System relevant embedded software needs to be reliable and, therefore, well tested, especially for aerospace systems. A common technique to verify programs is the analysis of their abstract syntax tree (AST). Tree structures can be elegantly analyzed with the logic programming language Prolog. Moreover, Prolog offers further advantages for a thorough analysis: On the one hand, it natively provides versatile options to efficiently process tree or graph data structures. On the other hand, Prolog's non-determinism and backtracking eases tests of different variations of the program flow without big effort. A rule-based approach with Prolog allows to characterize the verification goals in a concise and declarative way. In this paper, we describe our approach to verify the source code of a flash file system with the help of Prolog. The flash file system is written in C++ and has been developed particularly for the use in satellites. We transform a given abstract syntax tree of C++ source code into Prolog facts and derive the call graph and the execution sequence (tree), which then are further tested against verification goals. The different program flow branching due to control structures is derived by backtracking as subtrees of the full execution sequence. Finally, these subtrees are verified in Prolog. We illustrate our approach with a case study, where we search for incorrect applications of semaphores in embedded software using the real-time operating system RODOS. We rely on computation tree logic (CTL) and have designed an embedded domain specific language (DSL) in Prolog to express the verification goals.Comment: In Proceedings WLP'15/'16/WFLP'16, arXiv:1701.0014

Model-Based Framework for On-Board-Software

Satellites carry different payloads, but the basic design in hard- and software is generally similar for small satellites. For example, they all receive telecommands, distribute them and generate telemetry packets. Reusing existing components is desirable, especially with limited time and financial budgets. This is where the Corfu comes in, which we present in this work. Corfu is a software framework for safety-critical on-board software. It follows a model-based approach. Developers formally define the structure of the software. The software design is app-centric, i.e. on-board software in Corfu is a composition of apps. Apps define a clear communication interface using a publish/-subscribe principle. This allows on-board software to connect apps among each other. Developers can use and connect apps in different on-board software and even on different missions. This encourages reusability. Based on the information of software definition, Corfu applies two tasks: formal verification of the software structure and generation of source code. In the verification step, Corfu examines the timing properties across all apps that are included into the software. Having a formal definition that is used for both static analysis and code generation, makes in possible to identify structural problems early. The generation process creates code that it can derive from the software specification. This includes communication handling, such as subscribing to topics, distributing telecommands and collecting telemetry. In addition, the generated code also covers thread handling. The result of the generation process is a collection of classes. Most of those classes are abstract, which include abstract methods that the developer fills with mission-specific code. Developers do this by inheriting from those abstract classes and overriding all the abstract methods by carrying out the desired behavior. Developers can focus on implementing the mission relevant code. The software specification defines the communication interface between space and ground as well; therefore, it is sensible to use the same definition for the ground software. Corfu comes with a library for ground software, which parses the configuration file and makes it available to the developer. It also comes with a link interface towards the space segment. Based on the library, Corfu provides a ready-to-use generic ground software with a graphical user interface printing telemetry data and for sending telemetry — according to the software definition. Beyond formal verification of the software definition, Corfu comes with an elaborated testing framework, which provides unit and integration tests to the developers. By generating test-specific classes, Corfu gives developers access to internal software parts to allow more accurate unit testing. By automatically sending telecommands and evaluating telemetry data, developers accomplish integration tests of the full on-board software stack. Corfu already comes with applications and concepts that are common to general on-board software, such as publish/subscribe communication between applications, anomaly and event handling, telecommand distribution among applications, telemetry collection, housekeeper, etc

Designing uncomplicated software

The Agile Manifesto prescribes less focus on tools and processes, and more focus on human interactions. This is avery important and powerful concept; however, many development organizations have interpreted it in terms ofno procedures and no processes. This is understandable as many activities, such as the design workflow, are thanklessand laborious. When a proper design is missing, the resulting source code may become overly complicated anddifficult to maintain. The software design does not have to be arduous as this workflow can be done without painthrough an adaptation called Responsibility-Driven Design. This adaptation assigns personalities to the internalcomponents of the software to humanize the operation. The new design workflow is completely compatible withagile concepts such as customer interaction, and produces a credible candidate architecture ultimately resulting inthe creation of a less complicated software.El Manifiesto Ágil prescribe disminuir el foco en las herramientas y procesos para centrarlo en las interacciones humanas. Este es un concepto muy importante y potente; sin embargo, muchos equipos de desarrollo lo han traducido en términos de no procedimientos y no procesos. Esto es comprensible ya que muchas actividades, entre ellas el flujo de trabajo del diseño, son ingratas y laboriosas. Cuando no se realiza un diseño apropiado, el resultado puede ser un código demasiado complejo y difícil de mantener. El diseño de un software no tiene que ser arduo y el flujo de trabajo puede aliviarse con una adaptación denominada “diseño conducido por la responsabilidad” (Responsibility-Driven Design). Esta adaptación asigna personalidades a los componentes internos del software para humanizar la tarea. El nuevo flujo de diseño es completamente compatible con los conceptos de agilidad, como la interacción con el cliente, y produce una arquitectura candidata con credibilidad que resultará en la creación de un software no complicado