
Verification of Embedded Software: Problems and Perspectives

  • Patrick Cousot
  • Radhia Cousot
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2211)

Abstract

Computer-aided formal methods have been very successful for the verification, or at least the enhanced debugging, of hardware. The cost of correcting a hardware bug is high enough to justify heavy investment in alternatives to testing such as correctness verification. This is not the case for software, where bugs are commonplace and can be easily handled through online updates. In the area of embedded software, however, errors are hardly tolerable: such software is often safety-critical, so a software failure can create a safety hazard in the equipment and endanger human life. Embedded software verification is therefore a research area of growing importance. Present-day software verification technology can certainly be useful, but it is still too limited to cope with the formidable challenge of complete software verification. We highlight some of the problems to be solved and envision possible abstract-interpretation-based static analysis solutions.
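As an added illustration (not from the paper, and not an implementation of any tool the authors built), the following Python sketch shows what an abstract-interpretation-based static analysis does on an embedded-style loop: it executes the program on intervals instead of concrete values, uses widening to force the loop invariant to converge and narrowing to recover precision, and checks every array index against the buffer bounds. The toy language, the Iv domain and both sample programs are constructed for this example. On the unchecked loop the analysis reports that buf[i] may be indexed with i in [0, 15], a genuine out-of-bounds write whenever the sensor count exceeds the buffer; once the count is clamped to the buffer size the same analysis proves the access safe for every input in the modelled range.

```python
"""Interval abstract interpretation of a tiny loop language (constructed example)."""
import math
from dataclasses import dataclass

INF = math.inf

@dataclass(frozen=True)
class Iv:
    """Integer interval [lo, hi]; a bound may be -inf or +inf."""
    lo: float
    hi: float
    def join(self, o):    # least upper bound: convex hull of both intervals
        return Iv(min(self.lo, o.lo), max(self.hi, o.hi))
    def meet(self, o):    # intersection; None means the state is unreachable
        lo, hi = max(self.lo, o.lo), min(self.hi, o.hi)
        return Iv(lo, hi) if lo <= hi else None
    def widen(self, o):   # push every bound that grew out to infinity
        return Iv(self.lo if o.lo >= self.lo else -INF,
                  self.hi if o.hi <= self.hi else INF)
    def narrow(self, o):  # take back finite bounds after widening
        return Iv(o.lo if self.lo == -INF else self.lo,
                  o.hi if self.hi == INF else self.hi)

TOP = Iv(-INF, INF)

def pointwise(op, a, b):
    """Apply an interval operator variable by variable; None is unreachable."""
    if a is None or b is None:
        return b if a is None else a
    return {v: op(a.get(v, TOP), b.get(v, TOP)) for v in a.keys() | b.keys()}

def ev(state, e):
    """Abstract value of an expression: int, variable name, Iv input or tuple."""
    if isinstance(e, int):
        return Iv(e, e)
    if isinstance(e, str):
        return state[e]
    if isinstance(e, Iv):    # an unknown input, e.g. a sensor reading
        return e
    op, x, y = e[0], ev(state, e[1]), ev(state, e[2])
    if op == '+':
        return Iv(x.lo + y.lo, x.hi + y.hi)
    if op == 'min':          # saturating clamp, as embedded code typically does
        return Iv(min(x.lo, y.lo), min(x.hi, y.hi))
    raise ValueError(op)

def filt(state, cond, truth):
    """Restrict `state` by the test `var < rhs` (truth=True) or its negation."""
    if state is None:
        return None
    var, rhs = cond
    r = ev(state, rhs)
    new = state[var].meet(Iv(-INF, r.hi - 1) if truth else Iv(r.lo, INF))
    return None if new is None else {**state, var: new}

def run(stmts, state, alarms):
    """Abstract execution; `alarms` collects checks that may fail (None = off)."""
    for s in stmts:
        if state is None:
            return None
        if s[0] == 'assign':
            state = {**state, s[1]: ev(state, s[2])}
        elif s[0] == 'check':            # e.g. an array index must stay in [lo, hi]
            _, var, lo, hi, label = s
            v = state[var]
            if alarms is not None and not (lo <= v.lo and v.hi <= hi):
                alarms[label] = f"{var} in [{v.lo}, {v.hi}] not within [{lo}, {hi}]"
        elif s[0] == 'while':
            _, cond, body = s
            inv = state
            while True:                  # increasing iteration, accelerated by widening
                new = pointwise(Iv.join, state, run(body, filt(inv, cond, True), None))
                nxt = pointwise(Iv.widen, inv, new)
                if nxt == inv:
                    break
                inv = nxt
            for _ in range(3):           # decreasing iteration with narrowing
                new = pointwise(Iv.join, state, run(body, filt(inv, cond, True), None))
                nxt = pointwise(Iv.narrow, inv, new)
                if nxt == inv:
                    break
                inv = nxt
            run(body, filt(inv, cond, True), alarms)   # report on the final invariant
            state = filt(inv, cond, False)             # loop exit: the test is false
    return state

def analyze(program):
    """Return (final abstract state, alarms) for `program`."""
    alarms = {}
    return run(program, {}, alarms), alarms

# Constructed sample: copy n sensor readings into an 8-entry buffer; the
# hardware only guarantees n in [0, 16].
SENSOR = Iv(0, 16)
LOOP = ('while', ('i', 'n'), [('check', 'i', 0, 7, 'buf[i]'),      # buf has entries 0..7
                              ('assign', 'i', ('+', 'i', 1))])
UNCHECKED = [('assign', 'n', SENSOR), ('assign', 'i', 0), LOOP]
CLAMPED = [('assign', 'n', ('min', SENSOR, 8)), ('assign', 'i', 0), LOOP]

if __name__ == '__main__':
    for name, prog in (('unchecked', UNCHECKED), ('clamped', CLAMPED)):
        final, alarms = analyze(prog)
        print(name, {v: (iv.lo, iv.hi) for v, iv in final.items()}, alarms or 'proved')
```

Because the abstract state over-approximates every concrete execution, "no alarm" is a proof that the error is absent for all inputs in the modelled range, while an alarm only means a possible error; that asymmetry is the price of soundness (here the alarm is a true one). Analyzers of the kind the paper envisions add many more abstract domains (relational, floating-point, pointer) and much finer refinement, but the fixpoint-with-widening skeleton is the same.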

Keywords

Model checking, formal methods, safety properties, abstract interpretation, concrete models



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Patrick Cousot, Département d'informatique, École normale supérieure, Paris cedex 05, France
  • Radhia Cousot, CNRS & École polytechnique, Laboratoire d'informatique, Palaiseau cedex, France
