Model checking aircraft controller software: a case study

Chen, Zhe; Gu, Yu; Huang, Zhiqiu; Zheng, Jun; Liu, Chang; Liu, Ziyi

doi:10.1002/spe.2242

Cited by 23 publications

(15 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(tail1 -beg1 -tail2) % DATA_FRAME_LENGTH == 0] void = if inline$process_frame (pf_buf | gv_get (pf_read)) then let val () = gv_set (pf_read | gv_get (pf_read) + 8) val tail = gv_get (pf_len) val tail1 = tail -gv_get (pf_read) in if tail1 >= DATA_FRAME_LENGTH then loop (pf_read, pf_len, pf_buf) else let val () = inline$move_data (pf_buf | gv_get (pf_read), tail) val () = gv_set (pf_len | tail1) in end end else let val () = gv_set (pf_read | gv_get (pf_read) + 8) // val () = gv_set (pf_read | gv_get (pf_read) + 8) // (*) val tail = gv_get (pf_len) val tail1 = tail -gv_get (pf_read) in if tail1 >= DATA_FRAME_LENGTH then loop (pf_read, pf_len, pf_buf) else let val () = inline$move_data (pf_buf | gv_get (pf_read), tail) val () = gv_set (pf_len | tail1) in end end val () = gv_set (pf_read | 0) in loop (pf_read, pf_len, pf_buf) end end While it is easy to find the cause of an error via type checking, it is very difficult to diagnose a bug in model checking. In this example, the same error was also found in the previous research (Chen et al, 2015) via model checking. However, the original problem turns into an integer overflow, and is then captured by the model checker as an array out-of-bound subscription error.…”

Section: Dependent Types and Linear Typessupporting

confidence: 86%

“…My work is partly motivated by a previous research on verifying an interrupt-driven Slats and Flaps Control Unit Software programmed in C via model checking (Chen et al, 2015). The authors of the paper took part of the C code of the control unit, which had passed the unit testing stage and rewrote it in PROMELA so that model checking techniques can be applied to find slipped faults.…”

Section: Dependent Types and Linear Typesmentioning

confidence: 99%

See 1 more Smart Citation

Combining type-checking with model-checking for system verification

Ren

2016

2016 ACM/IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE)

View full text Add to dashboard Cite

Type checking is widely used in mainstream programming languages to detect programming errors at compile time. Model checking is gaining popularity as an automated technique for systematically analyzing behaviors of systems. My research focuses on combining these two software verification techniques synergically into one platform for the creation of correct models for software designs. This thesis describes two modeling languages ATS/PML and ATS/Veri that inherit the advanced type system from an existing programming language ATS, in which both dependent types of Dependent ML style and linear types are supported. A detailed discussion is given for the usage of advanced types to detect modeling errors at the stage of model construction. Going further, various modeling primitives with well-designed types are introduced into my modeling languages to facilitate a synergic combination of type checking with model checking. The semantics of ATS/PML is designed to be directly rooted in a well-known modeling language PROMELA. Rules for translation from ATS/PML to PROMELA are designed and a compiler is developed accordingly so that the SPIN model checker can v be readily employed to perform checking on models constructed in ATS/PML. AT-S/Veri is designed to be a modeling language, which allows a programmer to construct models for real-world multi-threaded software applications in the same way as writing a functional program with support for synchronization, communication, and scheduling among threads. Semantics of ATS/Veri is formally defined for the development of corresponding model checkers and a compiler is built to translate ATS/Veri into CSP# and exploit the state-of-the-art verification platform PAT for model checking ATS/Veri models. The correctness of such a transformational approach is illustrated based on the semantics of ATS/Veri and CSP#. In summary, the primary contribution of this thesis lies in the creation of a family of modeling languages with highly expressive types for modeling concurrent software systems as well as the related platform supporting verification via model checking. As such, we can combine type checking and model checking synergically to ensure software correctness with high confidence. vi

show abstract

Section: Dependent Types and Linear Typessupporting

confidence: 86%

Section: Dependent Types and Linear Typesmentioning

confidence: 99%

Combining type-checking with model-checking for system verification

Ren

2016

2016 ACM/IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE)

View full text Add to dashboard Cite

show abstract

“…The case study is based on the Slats and Flaps Control Unit (SFCU), which is one of the core units in Flight Control Systems. Our previous work focused on the verification of SFCU on code level. In this paper, we focus on model level safety analysis.…”

Section: Case Studymentioning

confidence: 99%

Detecting safety‐related components in statecharts through traceability and model slicing

Kan

Huang

2017

Softw Pract Exp

Self Cite

View full text Add to dashboard Cite

With rapid development in software technology, more and more safety-critical systems are software intensive. Safety issues become important when software is used to control such systems. However, there are 2 important problems in software safety analysis: (1) there is often a significant traceability gap between safety requirements and software design, resulting in safety analysis and software design are often conducted separately; and (2) the growing complexity of safety-critical software makes it difficult to determine whether software design fulfills safety requirements. In this paper, we propose a technique to address the above 2 important problems on the model level. The technique is based on statecharts, which are used to model the behavior of software, and fault tree safety analysis. This technique contains the following 2 parts, which are corresponding to the 2 problems, respectively. The first part is to build a metamodel of traceability between fault trees and statecharts, which is to bridge their traceability gap. A collection of rules for the creation and maintenance of traceability links is provided. The second part is a model slicing technique to reduce the complexity of statecharts with respect to the traceability information. The slicing technique can deal with the characteristics of hierarchy, concurrency, and synchronization of statecharts. The reduced statecharts are much smaller than their original statecharts, which are helpful to successive safety analysis. Finally, we illustrate the effectiveness and the importance of the method by a case study of slats and flaps control units in flight control systems. /journal/spe Softw Pract Exper. 2018;48:428-448. We now introduce 6 dependence relations through Definitions 6 to 11. These relations aim at detecting other safety-related elements which are not in slicing criteria. Definition 6. (Data Dependence within a Single Automaton) Let el 1 and el 2 be 2 elements (states or transitions) in a single automaton. el 2 is data dependent on el 1 denoted by el 2 → dd el 1 if there exists a path from el 1 to el 2 such that RCUV (el 2 ) ∩ UpdV(el 1 ) − ⋃ el i ∈ITD(el 1 ,el 2 ) UpdV(el i ) ≠ ∅. Definition 7. (Data Dependence among Automata) Let A, B, and C be 3 automata in an EHA. Let el A be an element of A, el B be an element of B, and s C be a state in σ C , and they satisfy A, B ∈ ρ(s C ). el A is data dependent on el B denoted by el A → pd el B if RCUV (el A ) ∩ UpdV(el B ) ≠ ∅. Definition 8. (Control Dependence among Automata) Let A, B, and C be 3 automata in an EHA. Let el A be an element of A, el B be an element of B, and s C be a state of C, and they satisfy A, B ∈ ρ(s C ). el A is control dependent on el B denoted by el A → sd el B if TE(el A ) ∩ GE(el B ) ≠ ∅ Definition 9. (Control dependence within a Single Automaton) Let el be an element and t be a transition in a single automaton. el is control dependent on t denoted by el→ cd t if there exists a path from t to el such that the set E = {el ′ |t→ xd el ′ (→ xd represents → dd , → pd , → sd )} sati...

show abstract

“…In this section, we will give a brief introduction to Promela and LTL. More details could be found in the literature [4] [3]. 1) Promela: A Promela program usually includes data objects, processes and message channels.…”

Section: B Model Checker Spinmentioning

confidence: 99%

“…If the properties are not satisfied, it provides a counter example. SPIN [2] [3] is an important model checker which has been widely applied in industrial [4] [5]. It is easy to use the Promela language and linear temporal logic (LTL) formulas to describe concurrent systems and properties respectively.…”

Section: Introductionmentioning

confidence: 99%

Model Checking the Convergence Property of BGP Networks

Yin¹,

Ma²,

Chen³

2014

JSW

Self Cite

View full text Add to dashboard Cite

The Border Gateway Protocol (BGP) is an important inter-domain routing protocol, which is widely used in Internet. It allows independent policies to be designed for each Autonomous System (AS). However, the flexibility in designing independent policies causes the convergence problem, i.e., a BGP network may constantly send routing information between ASes and cannot reach a stable state. In this paper, we propose an approach for model checking the convergence property of BGP networks. We firstly establish a formal model of BGP networks and define its convergence property. Then we use the Promela language to describe this model and analyze its convergence. The model is generic enough, thus different instances of BGP networks can be simulated and verified by only modifying parameters and policies. Finally, as examples, we simulate and verify some typical instances of BGP networks by using the SPIN model checker.

show abstract

Model checking aircraft controller software: a case study

Cited by 23 publications

References 34 publications

Combining type-checking with model-checking for system verification

Combining type-checking with model-checking for system verification

Detecting safety‐related components in statecharts through traceability and model slicing

Model Checking the Convergence Property of BGP Networks

Contact Info

Product

Resources

About