Abstract
Industrial interest in model checking software for microcontrollers is increasing. However, there are currently no suitable tools that embedded systems developers can apply to verify microcontroller software directly, without manual modeling. This article describes a new approach to model checking software for microcontrollers that verifies the assembly code of the software. The state space is built using a tailored simulator, which abstracts from time, handles nondeterminism, and creates an overapproximation of the behavior exhibited by the real microcontroller. Within this simulator, we apply abstraction techniques to tackle the state-explosion problem. Our approach combines different formal methods, namely model checking, static analysis, and abstract interpretation, and it combines explicit and symbolic model checking techniques. A case study using several programs demonstrates the efficiency of the applied abstraction techniques and shows the applicability of the approach.
Model checking of software for microcontrollers