
    Advances in Usability of Formal Methods for Code Verification with Frama-C

    Industrial usage of code analysis tools based on semantic analysis, such as the Frama-C platform, poses several challenges, from the setup of analyses to the exploitation of their results. In this paper, we discuss two of these challenges. First, such analyses require detailed information about the code structure and the build process, which are often not documented, being part of the implicit build chain used by the developers. Unlike heuristics-based tools, which can deal with incomplete information, semantics-based tools require stubs or specifications for external library functions, compiler builtins, non-standard extensions, etc. Setting up a new analysis has a high cost, which precludes industrial users from trying such tools, since the return on investment is not clear in advance: the analysis may turn out to be of little use relative to the invested time. Improving the usability of this first step is essential for the widespread adoption of formal methods in software development. A second aspect that is essential for successful analyses is understanding the data and navigating it. Visualizing data and rendering it in an interactive manner allows users to considerably speed up the process of refining the analysis results. We present some approaches to both of these issues, derived from experience with code bases given by industrial partners.

    Strong Induction in Hardware Model Checking

    Symbolic model checking is a widely used technique for automated verification of both hardware and software systems. Unbounded SAT-based Symbolic Model Checking (SMC) algorithms are very popular in hardware verification. The principle of strong induction is one of the first techniques for SMC. While elegant and simple to apply, properties can rarely be proven as stated using strong induction, and when they can be strengthened, there is no effective strategy to guess the depth of induction. It has been mostly displaced by techniques that compute inductive strengthenings based on interpolation and property directed reachability (PDR). In this thesis, we prove that strong induction is more concise than induction. We then present kAvy, an SMC algorithm that effectively uses strong induction to guide interpolation and PDR-style incremental inductive invariant construction. Unlike pure strong induction, kAvy uses PDR-style generalization to compute and strengthen an inductive trace. Unlike pure PDR, kAvy uses relative strong induction to construct an inductive invariant. The depth of induction is adjusted dynamically by minimizing a proof of unsatisfiability. We have implemented kAvy within the Avy Model Checker and evaluated it on HWMCC instances. Our results show that kAvy is more effective than both Avy and PDR, and that using strong induction leads to faster running time and solving more instances. Further, on a class of benchmarks, called shift, kAvy is orders of magnitude faster than Avy, PDR and pure strong induction.

    Scalable reaction network modeling with automatic validation of consistency in Event-B

    Constructing a large biological model is a difficult, error-prone process. Small errors in writing a part of the model cascade to the system level and their sources are difficult to trace back. In this paper we extend a recent approach based on Event-B, a state-based formal method with refinement as its central ingredient, allowing us to validate model consistency step by step in an automated way. We demonstrate this approach on a model of the heat shock response in eukaryotes and its scalability on a model of the ErbB signaling pathway. All consistency properties of the model were proved automatically with computer support.

    Get rid of inline assembly through verification-oriented lifting

    Formal methods for software development have made great strides in the last two decades, to the point that their application in safety-critical embedded software is an undeniable success. Their extension to non-critical software is one of the notable forthcoming challenges. For example, C programmers regularly use inline assembly for low-level optimizations and system primitives. This usually renders state-of-the-art formal analyzers developed for C ineffective. We thus propose TInA, an automated, generic, trustable and verification-oriented lifting technique that turns inline assembly into semantically equivalent C code, in order to take advantage of existing C analyzers. Extensive experiments on real-world C code with inline assembly (including GMP and ffmpeg) show the feasibility and benefits of TInA.

    Design patterns for models of interactive systems

    Building models of safety-critical interactive systems (in healthcare, transport, avionics and finance, to name but a few) as part of the design process is essential. It is also advised for non-safety-critical interactive systems if we want to be certain they will behave as intended in all circumstances. However, modelling interactive systems is also challenging. The levels of complexity in modern user interfaces and the wealth of interaction possibilities mean that modelling at a suitable level of abstraction is crucial to ensure our models remain reasonably sized, readable, and therefore usable. The decisions we make about how to abstract the system to retain enough detail to be able to reason about it without running into known modelling problems (state explosion, verbosity, unreadability) are complex, even for experienced modellers. We have identified a number of commonly seen problems in such models based on occurrences of common properties of interactive systems, and in order to help both experienced and novice modellers we propose model patterns as a solution to this.

    Direct methods for deductive verification of temporal properties in continuous dynamical systems

    This thesis is concerned with the problem of formal verification of correctness specifications for continuous and hybrid dynamical systems. Our main focus will be on developing and automating general proof principles for temporal properties of systems described by non-linear ordinary differential equations (ODEs) under evolution constraints. The proof methods we consider will work directly with the differential equations and will not rely on explicit knowledge of solutions, which are in practice rarely available. Our ultimate goal is to increase the scope of formal deductive verification tools for hybrid system designs. We give a comprehensive survey and comparison of available methods for checking set invariance in continuous systems, which provides a foundation for safety verification using inductive invariants. Building on this, we present a technique for constructing discrete abstractions of continuous systems in which spurious transitions between discrete states are entirely eliminated, thereby extending previous work. We develop a method for automatically generating inductive invariants for continuous systems by efficiently extracting reachable sets from their discrete abstractions. To reason about liveness properties in ODEs, we introduce a new proof principle that extends and generalizes methods that have been reported previously and is highly amenable to use as a rule of inference in a deductive verification calculus for hybrid systems. We will conclude with a summary of our contributions and directions for future work.

    Animating user interface prototypes with formal models

    Integrated master's dissertation in Informatics Engineering
    The User Interface (UI) provides the first impression of an interactive system and should, thus, be intuitive, in order to guide users effectively and efficiently in performing their tasks. User interface prototyping is a common activity in UI development, as it supports early exploration of the UI design by potential users. UI quality plays a crucial role in safety-critical contexts, where design errors can potentially lead to catastrophic events. Model-based analysis approaches aim to detect usability and performance issues early in the design process by leveraging formal analysis. They complement prototyping, which supports user involvement, but not an exhaustive analysis of the designs. The IVY Workbench emerges as a model-based analysis tool intended for non-expert usage. The tool was originally focused on supporting modelling and verification, but more recently an effort began to combine the formal model capabilities with UI mock-ups, to produce more interactive prototypes than traditional mock-up editors support. This work addresses the enhancement of the prototyping features of the IVY Workbench. The improvements of such features include the creation of a dynamic widget library that can vastly improve the quality of prototypes. Such a library, however, should be compatible with several mock-up editors to attract a broader design community. The results of this work include an analysis of alternative prototyping tools, identifying potential features that can enhance the IVY Workbench, the creation of a dynamic widget library that is compatible with several mock-up editors, and several improvements to IVY’s prototyping plugin, including the addition of code exporting functionalities. Usability tests were conducted to validate the new features of the tool, with positive results. Two mobile applications were also created, allowing users to test prototypes on their mobile devices.
    The UI provides the first contact between a user and an interactive system. Thus, the UI should be able to guide the user in carrying out their tasks efficiently and effectively. Interface prototyping is a common activity in the UI development process, since it allows early exploration of a UI design with potential users. The UI plays a particularly important role in the context of critical systems, where design flaws can lead to catastrophic events. Model-based analysis methodologies seek to detect potential usability and performance flaws in the early phases of the development process, through formal analysis. These methodologies complement the prototyping process, which supports user involvement but does not offer an exhaustive analysis of the design. The IVY Workbench emerges as a model-based analysis tool aimed at supporting users without deep knowledge of formal analysis. Although it was originally focused on modelling and verification, an effort has recently emerged to combine the capabilities of formal analysis with UI mock-ups. The goal is to produce prototypes with a higher level of interaction than those produced by traditional mock-up editors. This work presents improvements to the prototyping capabilities of the IVY Workbench tool. These improvements include the creation of a dynamic widget library, which refines the quality of the tool's prototypes. This library should be compatible with multiple mock-up editors, in order to attract a broad community of designers. The results of this work include an analysis of alternative prototyping tools, identifying features that can enhance the IVY Workbench tool; the creation of a dynamic widget library compatible with numerous mock-up editors; and several improvements made to the tool's prototyping plugin, including the addition of source code export features. Usability tests were conducted with users to validate the tool's new features, with positive results. Finally, two mobile applications were created that allow users to test the prototypes on their mobile devices.