Abstract
Verification of correctness of control programs is an essential task in the development of space electronics; it is difficult and typically outweighs design and programming tasks in terms of development hours. This article presents a verification approach designed to help spacecraft engineers reduce the effort required for formal verification of low-level control programs executed on custom hardware.
The verification approach is demonstrated on an industrial case study. We present a REDuced instruction set for Fixed-point and INteger arithmetic (REDFIN), a processing core used in space missions, and its formal semantics expressed using the proposed metalanguage for state transformers, followed by examples of verification of simple control programs.
Formal Verification of Spacecraft Control Programs