17 research outputs found

    Generating Property-Directed Potential Invariants By Backward Analysis

    This paper addresses the issue of lemma generation in a k-induction-based formal analysis of transition systems, in the linear real/integer arithmetic fragment. A backward analysis, powered by quantifier elimination, is used to output preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information. First, a thorough exploration of the possible partitionings of the gray state space discovers new relations between state variables, representing potential invariants. Second, an inexact exploration regroups and over-approximates disjoint areas of the gray state space, also to discover new relations between state variables. k-induction is used to isolate the invariants and check if they strengthen the proof objective. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. In our context of critical avionics embedded systems, we show that our approach is able to outperform other academic or commercial tools on examples of interest in our application field. The method is introduced and motivated through two main examples, one of which was provided by Rockwell Collins, in a collaborative formal verification framework.

    Comment: In Proceedings FTSCS 2012, arXiv:1212.657

    Collaboration of formal techniques for the verification of safety properties over transition systems

    This work concerns the verification of software components in critical avionics embedded systems. Since the consequences of an error in such systems can prove catastrophic, they must respect their specification. Formal verification aims to prove this conformance if it holds, or to produce a counterexample if it does not. Current methods are not able to handle industrial systems. Discovering additional information (invariants) about the system makes it possible to reduce the search space in order to strengthen the proof objective: the information discovered is sufficient to conclude "easily". We define a parallel architecture that allows invariant discovery methods to collaborate around a k-induction engine. In this context we propose HullQe, a new heuristic for generating potential invariants that combines a preimage computation by quantifier elimination with convex hull computations. We show that HullQe is able to automatically strengthen proof objectives corresponding to the verification of design patterns common in avionics. As far as we know, current methods are unable to conclude on these problems. We detail our improvements to Monniaux's quantifier elimination algorithm in order to ensure that it scales to our systems. Our formal framework Stuff is an implementation of our parallel architecture composed of HullQe, a template-based invariant discovery technique, and a generalisation of PDR to arithmetic.

    This work studies the verification of software components in avionics critical embedded systems. As the failure of such systems can have catastrophic consequences, it is mandatory to make sure they are consistent with their specification. Formal verification consists in proving that a system respects its specification if it does, or in producing a counterexample if it does not. Current methods are unable to handle the verification problems stemming from realistic systems. Discovering additional information (invariants) on the system can however restrict the search space enough to strengthen the proof objective: the information discovered allows one to "easily" reach a conclusion. We define a parallel architecture for invariant discovery methods allowing them to collaborate around a k-induction engine. In this context we propose a new heuristic for the generation of potential invariants, called HullQe, which combines an iterated preimage calculus by quantifier elimination with convex hull computations. We show that HullQe is able to automatically strengthen proof objectives corresponding to safety properties on widespread design patterns in our field. To the best of our knowledge, these systems elude current techniques. We also detail our improvements to the quantifier elimination algorithm by David Monniaux in 2008, so that it scales to computing preimages on our systems. Our formal framework Stuff is an implementation of the parallel architecture we propose, in which we implemented not only HullQe, but also a template-based invariant discovery technique, and a generalisation of Property Directed Reachability to linear real arithmetic and integer octagons.

    Formal verification of automotive embedded software

    The ever-increasing complexity of automotive embedded systems and the need for safe advanced driver assistance systems (ADAS) represent a great challenge for car manufacturers. Furthermore, we expect that in the near future authorities will require software certification in order to be convinced that ADAS are safe enough. Theoretical research and experience show that when using conventional design approaches it is impossible to guarantee high confidence in those systems. Some industries (e.g. aerospace, railway, nuclear) have addressed this by partially using formal verification techniques. In this paper, we first present a background on formal verification techniques and how they can contribute to meeting the requirements of some safety standards. Next, we share our experience with the application of those techniques that seem mature enough to be used in an industrial context: static analysis based on abstract interpretation, SMT-based software model checking and deductive proof. Finally, we make a detailed analysis of our experiments and propose an approach for introducing formal methods into the development of automotive embedded software.

    CCS Concepts: • Software and its engineering → Software verification
    Keywords: Software verification · Formal methods · ADAS · Certification
    ACM Reference Format: Vassil Todorov, Frédéric Boulanger, and Safouan Taha. 2018. Formal verification of automotive embedded software. In FormaliSE '18: FormaliS

    ICE-based Refinement Type Discovery for Higher-Order Functional Programs

    This dataset contains the code and benchmarks needed to replicate the experimental results presented in the TACAS 2016 paper "ICE-based Refinement Type Discovery for Higher-Order Functional Programs".

    The verification of higher-order functional programs is a challenging problem; existing approaches are hampered by the need for predicates describing how loops and components behave in order for verification to be possible. Here, a novel approach intended to overcome these requirements by combining the existing refinement types approach with the invariant discovery framework ICE is presented.

    The implementation consists of two parts. First, a front end written in OCaml, named RType (https://github.com/hopv/r_type), that generates Horn clauses from programs written in a subset of OCaml (as described in section 2 of the accompanying paper). Second, a Horn clause solver written in Rust, named HoIce (https://github.com/hopv/hoice), that implements the modified ICE framework presented in the accompanying paper.

    The implementation, as well as the benchmarks and scripts needed to reproduce its evaluation, are presented here. Further details on those benchmarks and instructions on running them can be found in the README file.

    Estimation of tropical forest biomass with image texture of radar images

    Interest in the world's forests has grown to unprecedented heights, especially with growing awareness of their role in the global carbon cycle. Quantifying carbon in forests is therefore of crucial importance for estimating carbon fluxes at the regional and global scale. Carbon quantities are estimated by inferring wood biomass from forest biomass, and then converting it into carbon by using a value of approximately 0.5 ton of carbon for 1 ton of wood. In order to determine the biomass of a forest, significant relationships have therefore been established between radar mean intensity and biophysical variables. However, for mature stands (about 80 t/ha and more) increasing biomass reduces the sensitivity of the backscattering coefficient sigma/biomass relationships. Recent studies have shown that texture could be used instead of the usual intensity-age relationships, even for mature stands up to 140 t/ha, the highest biomass value observed for the studied forests (monospecific, even-aged forest, subject to identical silvicultural practices, with sampling covering all forest stages from sowing to harvest). The present paper aims at extending these observations to tropical forests, which are a large component of the terrestrial carbon pool and of the carbon sources generated by deforestation in the tropics. Radar images at P-band were acquired during the TropiSAR experiment in 2009 over the Paracou experimental site with the SETHI ONERA airborne instrument. Paracou is located in a lowland tropical rain forest near Sinnamary, French Guiana, where 15 permanent plots of 6.25 ha each were mapped and regularly measured. Three sets of treatments applied to the 15 forest stands provide biomass values from 260 to 470 T/ha. Plots were selected inside the 15 experimental stands, paying attention to the local topography; plots with similar slopes were thus compared.

    Statistical features were then derived a) from gray level statistics (mean sigma, variance, skewness...) and b) from the statistics of pixel pairs (energy, contrast, correlation...) for each plot on the basis of the gray level co-occurrence matrix. It is shown for radar images at P-band and polarisation HV that, despite the very homogeneous shape of this regenerating forest, linear relationships between some statistical features and forest biomass can be established which do not saturate even for biomass of more than 350 t/ha. These preliminary results are encouraging, and further analysis should be carried out to explore the influence of the different treatments on the retrieval performance.

    Estimation of tropical forest biomass using image texture of radar images

    Quantifying forest biomass is of crucial importance for estimating carbon fluxes on the regional and global scale in climate change studies. Significant relationships have already been established between radar mean intensity and forest biomass, but these relationships show a reduced sensitivity to biomass variations for mature stands (about 80 t.ha-1 and more). On the contrary, recent studies have shown that image texture is significantly related to biomass even for mature stands, for a temperate, monospecific, even-aged forest whose biomass reaches 140 t.ha-1 at its highest point. The present paper aims at extending these observations to tropical forests, which represent a large terrestrial biomass pool with values higher than 450 t.ha-1. Radar images were acquired during the TropiSAR experiment in 2009, which took place over a tropical rain forest located in French Guyana, with the SETHI ONERA airborne instrument. Three sets of treatments applied to 15 forest stands provided biomass values from 260 to 470 t.ha-1, and permanent plots of 6.25 ha each were mapped and regularly measured. Homogeneous patches were selected inside each of the 15 experimental stands. Statistical features were then derived for each patch: a) from gray level statistics; b) from the statistics of pixel pairs on the basis of the gray level co-occurrence matrix. It is shown that linear relationships between texture features and forest biomass are heavily influenced by stand structure and by the local topography and soil of the experimental plots.