Formal verification of low-level code in a model-based refinement process

Abstract

Embedded systems often control safety critical environments, such as cars, airplanes, traffic control, or pacemakers. Embedded systems are often non-terminating and communicating. To confine the complexity of those systems (e.g. introduced by communication details), comprehensive verification and simulation is usually done on an abstract model (e.g. a formal specification) instead of the implemented system itself. However, it is still an open problem how to relate the actual executable low-level code with the abstract models. In industrial practice, embedded systems in safety critical areas are commonly designed with model-based approaches. The model-based development of (embedded) systems starts with the verification (or simulation) of properties on an abstract model. There are two important categories of properties: safety properties, which exclude bad behavior, and liveness properties, which ensure good behavior. The abstract model is implemented and/or compiled to executable low-level code, but there is a large verification gap between the model whose properties are verified and the system that is actually executed. Both manual implementation and the compilation process are complex and error prone. Furthermore, complexity of the verification rises even higher when concurrent systems that communicate with each other are developed. We address the problem that the executed low-level code is not guaranteed to have the same safety and liveness properties as the abstract model. To overcome this problem, we present a formal framework that enables rigorous verification of preservation of safety and liveness properties from an abstract model to low-level code. The key idea of our approach is to divide the relation between abstract model and low-level code into two steps to achieve compositionality : • A compositional relation between the abstract model and an intermediate model, and • a non-compositional relation between the intermediate model and the low-level code. This separation enables us to reason compositionally about the first half, relating the abstract model and the intermediate model, and use a general theorem for the second half, which results in an overall compositional verification. With our framework, we enable the verification of the conformance of a program in low-level code to its Communicating Sequential Processes (CSP) specification, i. e., that all safety and liveness properties are preserved. To this end, we have transferred and extended the notion of CSP refinement to also cover low-level code. To separate the verification into two steps, we define our low-level language with abstract communication Communicating Unstructured Code (CUC) as intermediate model. To relate the specification in CSP and the intermediate model in CUC, we present a Hoare calculus which allows us to reason over the communication behavior of a (possibly non-terminating) CUC program. To relate the intermediate model in CUC with our low-level language Shared Variables (SV), we define our notion of handshake refinement and prove in a general theorem the preservation of both safety and liveness properties for related CUC and SV programs. Our formalization in a theorem prover enables users to mechanize and reuse their proofs. Together with the compositionality of our approach, this makes it possible to provide rigorous guarantees of concurrent low-level programs in a way that scales with the number of components.