22 research outputs found

    Incremental bounded model checking for embedded software

    Program analysis is on the brink of mainstream usage in embedded systems development. Formal verification of behavioural requirements, finding runtime errors and test case generation are some of the most common applications of automated verification tools based on bounded model checking (BMC). Existing industrial tools for embedded software use an off-the-shelf bounded model checker and apply it iteratively to verify the program with an increasing number of unwindings. This approach unnecessarily wastes time repeating work that has already been done and fails to exploit the power of incremental SAT solving. This article reports on the extension of the software model checker CBMC to support incremental BMC and its successful integration with the industrial embedded software verification tool BTC EMBEDDED TESTER. We present an extensive evaluation over large industrial embedded programs, mainly from the automotive industry. We show that incremental BMC cuts runtimes by one order of magnitude in comparison to the standard non-incremental approach, enabling the application of formal verification to large and complex embedded software. We furthermore report promising results on analysing programs with arbitrary loop structure using incremental BMC, demonstrating its applicability and potential to verify general software beyond the embedded domain.

    Guaranteed termination in the verification of LTL properties of non-linear robust discrete time hybrid systems

    We present a novel approach to the automatic verification of LTL requirements of non-linear discrete-time hybrid systems. The verification tool uses an interval-based constraint solver for non-linear robust constraints to compute incrementally refined abstractions. Although the problem is undecidable, we prove termination of abstraction refinement based verification of such properties for the class of robust non-linear hybrid systems, thus significantly extending previous semi-decidability results. We argue that safety critical control applications are robust hybrid systems. We give first results on the application of this approach to a variant of an aircraft collision avoidance protocol.

    Providing Evidence for the Validity of the Virtual Verification of Automated Driving Systems

    With the increasing complexity of automated driving systems, formal verification, as well as statistical verification that relies solely on real-world testing, becomes infeasible. Virtual testing seems like a promising alternative to traditional methods, especially as part of a scenario-based verification and validation methodology. But in order to transfer the test results of a system from a simulation to the real world, we need to argue the validity of the virtual tests. Our proposed method enables this validity argumentation by comparing the virtual test traces against sufficiently similar recorded real-world traces. To reduce the amount of required real-world data, the method involves two mechanisms to generalize the validity statement of a single real-world trace to a set of virtual traces. The reduction of required data is showcased in a proof of concept that, in an ablation study, compares the amount of data needed by a "naive" validation method with that needed by the enhancements presented here.

    Successful use of incremental BMC in the automotive industry

    Program analysis is on the brink of mainstream usage in embedded systems development. Formal verification of behavioural requirements, finding runtime errors and automated test case generation are some of the most common applications of automated verification tools based on Bounded Model Checking (BMC). Existing industrial tools for embedded software use an off-the-shelf Bounded Model Checker and apply it iteratively to verify the program with an increasing number of unwindings. This approach unnecessarily wastes time repeating work that has already been done and fails to exploit the power of incremental SAT solving. This paper reports on the extension of the software model checker CBMC to support incremental BMC and its successful integration with the industrial embedded software verification tool BTC EMBEDDEDTESTER. We present an extensive evaluation over large industrial embedded programs, mainly from the automotive industry. We show that incremental BMC cuts runtimes by one order of magnitude in comparison to the standard non-incremental approach, enabling the application of formal verification to large and complex embedded software.
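    The two abstracts above on incremental BMC (the journal article and the conference paper) both contrast the iterative "re-run the bounded model checker with one more unwinding" scheme with keeping a single incremental SAT instance alive across bounds. The following is an added example written for this listing, not code from CBMC or BTC EMBEDDED TESTER: a toy DPLL solver with a persistent clause database and assumption literals, a hypothetical 3-bit counter that starts at 0 and is asserted never to reach 5, and two BMC drivers. Clause counts stand in for solver work; the non-incremental driver re-encodes every transition at every bound, the incremental one adds only the new transition and activates the property check at the current bound through assumptions, so nothing has to be retracted when the bound grows.

```python
"""Toy illustration of incremental vs non-incremental BMC (added example).

Not code from CBMC or BTC EMBEDDED TESTER. The SAT solver is a minimal DPLL
written for this example; the program under analysis is an assumed 3-bit
counter that starts at 0 and must never reach the value 5.
"""


class IncrementalSolver:
    """Minimal DPLL solver whose clause database persists across solve() calls
    and which accepts assumptions, the two features incremental BMC relies on."""

    def __init__(self):
        self.clauses = []   # persistent clause database (tuples of int literals)
        self.nvars = 0

    def new_var(self):
        self.nvars += 1
        return self.nvars

    def add_clause(self, lits):
        self.clauses.append(tuple(lits))

    def solve(self, assumptions=()):
        """Return a satisfying assignment (dict var -> bool) or None (UNSAT)."""
        assign = {}
        for lit in assumptions:
            if assign.get(abs(lit), lit > 0) != (lit > 0):
                return None     # contradictory assumptions
            assign[abs(lit)] = lit > 0
        return self._dpll(assign)

    def _dpll(self, assign):
        changed = True
        while changed:          # unit propagation to a fixpoint
            changed = False
            for clause in self.clauses:
                free, satisfied = [], False
                for lit in clause:
                    val = assign.get(abs(lit))
                    if val is None:
                        free.append(lit)
                    elif val == (lit > 0):
                        satisfied = True
                        break
                if satisfied:
                    continue
                if not free:
                    return None     # conflict: every literal is false
                if len(free) == 1:
                    assign[abs(free[0])] = free[0] > 0
                    changed = True
        for var in range(1, self.nvars + 1):    # branch on the first free variable
            if var not in assign:
                for value in (True, False):
                    branch = dict(assign)
                    branch[var] = value
                    result = self._dpll(branch)
                    if result is not None:
                        return result
                return None
        return assign           # every variable assigned, every clause satisfied


def xor(s, a, b, o):
    """Tseitin clauses for o = a xor b."""
    for clause in ([-a, -b, -o], [a, b, -o], [a, -b, o], [-a, b, o]):
        s.add_clause(clause)


def encode_init(s):
    """Initial state: counter bits (x0 = LSB, x1, x2) all zero."""
    state = tuple(s.new_var() for _ in range(3))
    for v in state:
        s.add_clause([-v])
    return state


def encode_step(s, cur):
    """One counter increment (3-bit, wrapping); returns next-state literals."""
    x0, x1, x2 = cur
    n0, n1, c, n2 = (s.new_var() for _ in range(4))
    s.add_clause([x0, n0]); s.add_clause([-x0, -n0])     # n0 = not x0
    xor(s, x1, x0, n1)                                    # n1 = x1 xor x0
    s.add_clause([-x1, -x0, c]); s.add_clause([x1, -c]); s.add_clause([x0, -c])  # c = x1 and x0
    xor(s, x2, c, n2)                                     # n2 = x2 xor carry
    return (n0, n1, n2)


def violation(state):
    """Assumption literals asserting the state equals 5 (binary 101)."""
    x0, x1, x2 = state
    return [x0, -x1, x2]


def bmc_non_incremental(max_bound):
    """Baseline: fresh solver per bound, re-encoding all transitions from scratch.
    Returns (bound of first violation or None, total clauses encoded)."""
    total = 0
    for k in range(max_bound + 1):
        s = IncrementalSolver()
        st = encode_init(s)
        for _ in range(k):
            st = encode_step(s, st)
        total += len(s.clauses)
        if s.solve(violation(st)) is not None:
            return k, total
    return None, total


def bmc_incremental(max_bound):
    """One solver instance; each bound adds only the new transition and checks
    the property at the current state via assumptions (nothing retracted)."""
    s = IncrementalSolver()
    st = encode_init(s)
    for k in range(max_bound + 1):
        if k > 0:
            st = encode_step(s, st)
        if s.solve(violation(st)) is not None:
            return k, len(s.clauses)
    return None, len(s.clauses)


if __name__ == "__main__":
    print("non-incremental:", bmc_non_incremental(8))  # (5, 213)
    print("incremental:    ", bmc_incremental(8))      # (5, 68)
```

    Both drivers find the violating trace at bound 5, but the baseline encodes the transition relation quadratically often (sum of 3 + 13k clauses over k = 0..5, i.e. 213) while the incremental driver encodes it once (68 clauses). A real incremental BMC additionally keeps the solver's learnt clauses across bounds, which is where the order-of-magnitude runtime gains in the abstracts come from; the assumption-literal trick shown here for the property check is also how unwinding assertions are activated and later dropped without rebuilding the formula.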

    Interoperable Toolchain for Requirements-Driven Model-Based Development

    This paper introduces a toolchain for requirements-driven model-based development of embedded software as used in the automotive industry. Development usually starts with textual functional requirements written in natural language. Verification of functional requirements, required in safety-critical systems, needs traceability on the system level and on the implementation level. Therefore, the formalization of the provided textual requirements is of vital importance. This, however, is a challenging task in general, which we approach using an intuitive and graphical formalization language, namely the simplified universal pattern. Having the requirements formalized, as a second step an analysis is done to ensure that the requirements are in a consistent state. This is important as within agile development, functionalities are evolving over time and textual requirements are continuously enhanced. To keep track of the implementation, an aggregation of model changes with respect to, e.g., consistency, model test status, formal requirement coverage, or modeling guideline conformance during project runtime is done, while all information is visualized inside a single dashboard. An expressive running example implemented as a Simulink model will be used to show the formalization and verification workflow using the provided toolchain.