On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

Similar documents
Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Programming Embedded Systems

Automated Requirements-Based Testing

An Introduction to Lustre

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

DIVERSITY TG Automatic Test Case Generation from Matlab/Simulink models. Diane Bahrami, Alain Faivre, Arnault Lapitre

BITCOIN MINING IN A SAT FRAMEWORK

Abstraction techniques for Floating-Point Arithmetic

Applications of Program analysis in Model-Based Design

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Finite State Verification. CSCE Lecture 14-02/25/2016

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

More on Verification and Model Checking

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Bounded Model Checking Of C Programs: CBMC Tool Overview

Test-Case Generation for Embedded Simulink via Formal Concept Analysis

Finite State Verification. CSCE Lecture 21-03/28/2017

Automatic Software Verification

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

ISO compliant verification of functional requirements in the model-based software development process

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Tightening Test Coverage Metrics: A Case Study in Equivalence Checking using k-induction

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

Testing. Lydie du Bousquet, Ioannis Parissis. TAROT Summer School July (TAROT 2009)

The SMT-LIB 2 Standard: Overview and Proposed New Theories

What s New with the MATLAB and Simulink Product Families. Marta Wilczkowiak & Coorous Mohtadi Application Engineering Group

Verification, Validation and Test in Model Based Design Manohar Reddy

Software Model Checking. Xiangyu Zhang

Specification Centered Testing

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

Introduction to CBMC: Part 1

Cover Page. The handle holds various files of this Leiden University dissertation

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

DRYING CONTROL LOGIC DEVELOPMENT USING MODEL BASED DESIGN

Utilisation des Méthodes Formelles Sur le code et sur les modèles

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Seminar Software Quality and Safety

SCADE S E M I N A R I N S O F T W A R E E N G I N E E R I N G P R E S E N T E R A V N E R B A R R

Generating MC/DC Adequate Test Sequences Through Model Checking

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

Model Checking and Its Applications

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Certification Authorities Software Team (CAST) Position Paper CAST-25

Jay Abraham 1 MathWorks, Natick, MA, 01760

From Design to Production

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

APPLICATION OF THE V-CYCLE DEVELOPMENT IN THE AEROSPACE INDUSTRY

Simulink 를이용한 효율적인레거시코드 검증방안

Simulation-based Test Management and Automation Sang-Ho Yoon Senior Application Engineer

Verification and Test with Model-Based Design

CISC836: Models in Software Development: Methods, Techniques and Tools

Changing the way the world does software

A Model-Based Reference Workflow for the Development of Safety-Related Software

Translation validation: from Simulink to C

Formal Verification in Aeronautics: Current Practice and Upcoming Standard. Yannick Moy, AdaCore ACSL Workshop, Fraunhofer FIRST

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

Symbolic and Concolic Execution of Programs

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Simulink Design Verifier vs. SPIN a Comparative Case Study

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Model-Based Design for Safety-Critical and Mission-Critical Applications Bill Potter Technical Marketing April 17, 2008

Software verification for ubiquitous computing

Verification and Validation Introducing Simulink Design Verifier

Programming Embedded Systems

SAT-based Model Checking for C programs

Cyber Physical System Verification with SAL

Implementation and Verification Daniel MARTINS Application Engineer MathWorks

LusRegTes: A Regression Testing Tool for Lustre Programs

This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No

Towards an industrial use of FLUCTUAT on safety-critical avionics software

Lecture 2: Symbolic Model Checking With SAT

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

CIS 890: Safety Critical Systems

HySAT. what you can use it for how it works example from application domain final remarks. Christian Herde /12

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 1 1/ 38

Rubicon: Scalable Bounded Verification of Web Applications

The University of Iowa. 22c181: Formal Methods in Software Engineering. Spring Course Overview

Testen zur Absicherung automatisierter Transformationsschritte im Model-Based Design

Operational Semantics. One-Slide Summary. Lecture Outline

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

Automated Test Generation using CBMC

Automated Oracle Data Selection Support

Ensuring the Observability of Structural Test Obligations

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions

Generating Tests for Detecting Faults in Feature Models

Making the Most of your MATLAB Models to Improve Verification

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

Programming Embedded Systems

Combining Complementary Formal Verification Strategies to Improve Performance and Accuracy

Static program checking and verification

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Evolutionary Methods for State-based Testing

Testing TargetLink. Models and C Code with Reactis

Interpolation-based Software Verification with Wolverine

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

SafeRiver SME. Added Value Solutions for Embedded Systems. Tools for FuSa and Software Security. Packaged Services. CIR agreed

Bounded Verification of Voting Software

Transcription:

1 / 16 On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR Philipp Rümmer Oxford University, Computing Laboratory philr@comlab.ox.ac.uk 8th KeY Symposium May 19th 2009

The Wonderful World of Oz Model Checking 2 / 16 Background: I recently joined Daniel Kröning s group in Oxford (... after 8 years of KeY... ) Now employed by the CESAR project Outline of the talk: Overview of CESAR Model checking Matlab/Simulink (Bounded) Model checking to generate test cases

CESAR 3 / 16 Cost-Efficient methods and processes for SAfety Relevant embedded systems Artemis project Project started March 1st 2009 Some universities involved: Oxford, Manchester, INRIA, KTH, Athens, + Fraunhofer Some industry partners: Airbus/EADS, Volvo, Thales Overall project topic: Introduction of formal methods in development of embedded software Domains: Aerospace, Automotive, Rail, Industrial automation

CESAR: Most relevant sub-projects 4 / 16 SP2: Requirements engineering Define a formalised requirements capturing language In particular also: non-functional requirements Support requirement validation: consistency, completeness SP3: Component-based development Defined a component-based design language Incremental approaches for validation, verification, certification and qualification

Simulink as de facto standard for embedded software 5 / 16

Simulink for embedded software (2) 6 / 16 Graphical dataflow language on top of Mathwork s Matlab Supports discrete + continuous dataflow + stateflows Automatic simulation and code generation S-functions Further relevant language: Lustre/Scade

Simulink for embedded software (2) Graphical dataflow language on top of Mathwork s Matlab Supports discrete + continuous dataflow + stateflows Automatic simulation and code generation S-functions Further relevant language: Lustre/Scade Issues with Simulink Quite low-level No (strong) encapsulation Unclear semantics 6 / 16

CESAR SP3: Component-based development 7 / 16 New high-level component-based modelling/design language (CBD language) Mainly: University of Manchester Verification methods for: CBD language, Simulink, Lustre, etc. Primary approach: white-box test-case generation Model checking as underlying method Focus on: compositionality, replicated components Tool support Compositionality and coverage criteria Mainly: Oxford University

Model Checking 8 / 16 Algorithmic verification approach (in contrast to: deductive) Applicable to properties in temporal logic Can generate counterexamples for violated properties Two kinds of model checking that are mostly unrelated: (Full) Model checking Bounded model checking

Full model checking 9 / 16 Basically: Exhaustive search in the state space of a program Explicit or symbolic Abstraction to make state space small/finite Tool developed in Oxford: SatAbs

Bounded model checking Principle of bounded model checking Examine finite unwinding of program: I(s 0 ) R(s 0, s 1 ) R(s n 1, s n ) P(s n ) I(s)... Initial states R(s, s )... Transition relation of program P(s)... Safety property to be checked Typically: completely propositional encoding Incomplete for verification, but complete for disproving safety properties Quite similar to KeY... (yes it is!) How to encode heap? ( answered by Carsten) Tool developed in Oxford: CBMC 10 / 16

Test case generation using model checking Basic idea: Specify trap properties and use counterexample from model checker as a test case Idea goes back to 1996, Callahan, Engels Model-based testing technique Example (Model checking to achieve statement coverage) 1: void f(int x) { 2:... 3: if (x > 10000) 4: causesegfault(...); 5: } How to reach the blue statement? Trap property: (pc 4) Counterexample found: f(10001) 11 / 16

Test case generation using model checking (2) Criteria that are most relevant for us: Structural coverage Trap properties to cover: Statements, control edges, MC/DC Dataflows Mutation detection Generate faulty mutants of program: Exchange operators, literals, introduce bit-faults, etc. Try to verify equivalence of original program and mutant Use counterexample as test case Hypothesis: coupling effect Tests that detect simple faults probably also detect complex faults 12 / 16

Verification of Simulink programs using CBMC 13 / 16 For discrete dataflow and stateflows: Compile Simulink model to imperative program Statically generate schedule for program (order in which Simulink blocks are executed) C library with implementations of blocks Simply include code for S-functions Resulting code can be model-checked Counterexamples/tests can be translated back to Simulink Alternative approach: compile Simulink to Lustre PhD student working on Simulink front-end for CBMC: Michele Mazzucchi (ETH) Unclear: how to handle continuous dataflow?

Floating-point arithmetic Essential to analyse Simulink models Difficult to handle also in bounded model checking Bit-precise encoding: large and very hard for SAT-solvers Interval arithmetic: no counterexamples unusable Approach currently investigated in our group Bit-precise encoding Combination under- and over-approximation Over-approximation: Only include clauses for higher-valued bits Under-approximation: Assert that lowest-valued bits are zero PhD student working on floating-point support: Angelo Brillout (ETH) 14 / 16

Conclusion 15 / 16 Overall goal of CESAR: Improve quality + reduce costs of embedded software using formal methods Testing Independent of compilers correctness, hardware, etc. (in contrast to deductive verification) Bounded model checking to generate tests CESAR includes pilot applications for evaluation: Aerospace, Automotive, Rail, Industrial automation Future work: basically everything

Thanks for your attention! 16 / 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback