Publication


Featured research published by Manuel Gesell.


integrated formal methods | 2013

Solving Games Using Incremental Induction

Andreas Morgenstern; Manuel Gesell; Klaus Schneider

Recently, IC3 has been presented as a new algorithm for formal verification. Based on incremental induction, it is often much faster than the fixpoint-based model checking algorithms used otherwise. In this paper, we use the idea of incremental induction for solving two-player concurrent games. While formal verification requires proving that a given system satisfies a given specification, game solving aims at automatically synthesizing a system that satisfies the specification. This involves both universal (player 1) and existential (player 2) quantification over the formulas that represent state transitions. Hence, algorithms for solving games are usually implemented with BDD packages that offer both kinds of quantification. In this paper, we show how to compute a solution of games using incremental induction.


international conference on knowledge based and intelligent information and engineering systems | 2011

Safe automotive software

Karl Heckemann; Manuel Gesell; Thomas Pfister; Karsten Berns; Klaus Schneider; Mario Trapp

For automotive manufacturers and tier-1 suppliers, the upcoming safety standard ISO 26262 results in new requirements for the development of embedded electronics and software. In particular, the variety of driver assistance systems that autonomously influence the driving dynamics of a vehicle may have a high risk potential and require development in accordance with the normative guidelines. But especially for those systems whose function is typically not based solely on hardware but on complex software algorithms, safety certification can be very complex or even impossible. In this paper, the problems of developing vehicle systems according to ISO 26262 are described. Finally, an approach for a safety-oriented reference architecture is presented that introduces adaptive software safety cages. This architecture enables the application of formal verification methods. Supported by multi-sensor data fusion, this allows the safety requirements for vehicle control systems to be reduced.


international conference on logic programming | 2012

An asymptotically correct finite path semantics for LTL

Andreas Morgenstern; Manuel Gesell; Klaus Schneider

Runtime verification of temporal logic properties requires a definition of the truth value of these properties on the finite paths that are observed at runtime. However, while the semantics of temporal logic on infinite paths has been precisely defined, there is not yet agreement on the definition of the semantics on finite paths. Recently, it has been observed that the accuracy of runtime verification can be improved by a 4-valued semantics of temporal logic on finite paths. However, as we argue in this paper, even a 4-valued semantics is not sufficient to achieve a semantics on finite paths that converges to the semantics on infinite paths. To overcome this deficiency, we consider in this paper Manna and Pnueli's temporal logic hierarchy consisting of safety, liveness (guarantee), co-Büchi (persistence), and Büchi (recurrence) properties. We propose the use of specialized semantics for each of these subclasses to improve the accuracy of runtime verification. In particular, we prove that our new semantics converges to the infinite path semantics, an important property that has not been achieved by previous approaches.
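As an added illustration of the convergence problem this abstract raises (example code written for this page, not code from the paper): the standard strong and weak finite-trace readings of LTL are paired into a verdict on each prefix of an ultimately periodic path, and the sequence of verdicts is compared with the truth value on the infinite path. On the constructed sample path, the safety and guarantee formulas converge while the persistence and recurrence formulas stay open on every prefix. The tuple encoding of formulas, the sample path and all helper names are assumptions of this example; the paper's own 4-valued and class-specific semantics are not implemented here.

```python
"""Finite-prefix LTL verdicts versus the truth on the infinite path.

Added example for this page (not the paper's code). Formulas are nested
tuples: ('p', name), ('not', f), ('and', f, g), ('or', f, g), ('X', f),
('F', f), ('G', f), ('U', f, g). A trace is a list of sets of atom names;
an infinite path is ultimately periodic, written as a prefix u and loop v.
"""


def finite_truth(f, trace, i, weak):
    """Truth of f at position i of a finite trace. When the trace ends while
    an operator still needs the future, the strong reading (weak=False)
    answers False and the weak reading (weak=True) answers True."""
    n, op = len(trace), f[0]
    if op == 'p':
        return f[1] in trace[i]
    if op == 'not':                       # negation swaps strong and weak
        return not finite_truth(f[1], trace, i, not weak)
    if op == 'and':
        return finite_truth(f[1], trace, i, weak) and finite_truth(f[2], trace, i, weak)
    if op == 'or':
        return finite_truth(f[1], trace, i, weak) or finite_truth(f[2], trace, i, weak)
    if op == 'X':
        return finite_truth(f[1], trace, i + 1, weak) if i + 1 < n else weak
    if op == 'F':
        return any(finite_truth(f[1], trace, j, weak) for j in range(i, n)) or weak
    if op == 'G':
        return all(finite_truth(f[1], trace, j, weak) for j in range(i, n)) and weak
    if op == 'U':
        for j in range(i, n):
            if finite_truth(f[2], trace, j, weak):
                return True
            if not finite_truth(f[1], trace, j, weak):
                return False
        return weak
    raise ValueError(f"unknown operator {op!r}")


def verdict(f, trace):
    """'true' if even the strong reading holds, 'false' if not even the weak
    one does, 'open' otherwise (the strong reading implies the weak one)."""
    strong = finite_truth(f, trace, 0, False)
    weak = finite_truth(f, trace, 0, True)
    return 'true' if strong else ('open' if weak else 'false')


def lasso_letter(u, v, j):
    """State j of the infinite path u followed by v repeated forever."""
    return u[j] if j < len(u) else v[(j - len(u)) % len(v)]


def infinite_truth(f, u, v, i=0):
    """Truth of f at position i of the infinite path. Every position reachable
    from i is visited within len(u)+len(v) steps and equivalent loop positions
    carry the same truth value, so a bounded scan decides F, G and U."""
    n, m, op = len(u), len(v), f[0]
    canon = lambda j: j if j < n else n + (j - n) % m
    horizon = [canon(j) for j in range(i, i + n + m)]
    sub = lambda g, j: infinite_truth(g, u, v, j)
    if op == 'p':
        return f[1] in lasso_letter(u, v, i)
    if op == 'not':
        return not sub(f[1], i)
    if op == 'and':
        return sub(f[1], i) and sub(f[2], i)
    if op == 'or':
        return sub(f[1], i) or sub(f[2], i)
    if op == 'X':
        return sub(f[1], canon(i + 1))
    if op == 'F':
        return any(sub(f[1], j) for j in horizon)
    if op == 'G':
        return all(sub(f[1], j) for j in horizon)
    if op == 'U':
        for j in horizon:
            if sub(f[2], j):
                return True
            if not sub(f[1], j):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")


def verdict_sequence(f, u, v, max_len):
    """Verdicts on the prefixes of length 1..max_len of the infinite path."""
    return [verdict(f, [lasso_letter(u, v, j) for j in range(k)])
            for k in range(1, max_len + 1)]


def converges(f, u, v, max_len):
    """Does the verdict on the longest prefix agree with the infinite path?"""
    target = 'true' if infinite_truth(f, u, v) else 'false'
    return verdict_sequence(f, u, v, max_len)[-1] == target


# Constructed sample path: p fails in the first state and holds forever after.
P, NOT_P = ('p', 'p'), ('not', ('p', 'p'))
U_PATH, V_PATH = [frozenset()], [frozenset({'p'})]
FORMULAS = {                                   # one formula per Manna/Pnueli class
    'safety G p': ('G', P),
    'guarantee F p': ('F', P),
    'persistence F G p': ('F', ('G', P)),
    'recurrence G F p': ('G', ('F', P)),
    'recurrence G F not p': ('G', ('F', NOT_P)),
}


def report(max_len=6):
    """Name -> (verdicts on growing prefixes, infinite truth, converged?)."""
    return {name: (verdict_sequence(f, U_PATH, V_PATH, max_len),
                   infinite_truth(f, U_PATH, V_PATH),
                   converges(f, U_PATH, V_PATH, max_len))
            for name, f in FORMULAS.items()}


if __name__ == '__main__':
    for name, (seq, inf, conv) in report().items():
        print(f"{name:22} prefixes={seq} infinite={inf} converges={conv}")
```

Running the module prints one line per class: G p is refuted by the first state and F p is confirmed by the second, whereas F G p, G F p and G F ¬p remain open on every prefix although their infinite-path values are true, true and false respectively.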


international conference on application of concurrency to system design | 2013

Modular Verification of Synchronous Programs

Manuel Gesell; Klaus Schneider

In this paper, we develop an approach to the modular verification of synchronous programs. To this end, we have to solve two major problems: First, if a synchronous module is verified without its later context, outputs may not be completely determined (since the calling module may add further actions on the outputs of the called module). It is not difficult to see that the open system obtained by modular compilation simulates the closed one obtained by the linker, and therefore, we can preserve all universal temporal properties. Second, a module call may replace the formal input parameters by expressions, which corresponds to a substitution of variables in the symbolic transition relation. In particular, this affects the starting point and potential preemption conditions of the module and can therefore dramatically affect the behavior of the module. For this reason, we have to modify the temporal specifications accordingly. We prove a preservation result for this transformation that defines a simulation preorder modulo substitution. Our results finally determine a proof rule for the verification of module calls in imperative synchronous programs.


programming languages meets program verification | 2012

A hoare calculus for the verification of synchronous languages

Manuel Gesell; Klaus Schneider

The synchronous model of computation divides the execution of a program into macro steps that consist of finitely many atomic micro steps (like assignments). The micro steps of a macro step are executed within the same variable environment (i.e. in parallel), but all updates to the variables are synchronously performed at the level of macro steps. The availability of a formally defined semantics allows one to use formal methods for the verification of synchronous programs. To this end, model checking is already widely used for synchronous programs, but the use of interactive verification, e.g. by means of a Hoare calculus, is still in its infancy. One reason for this situation is that the assignment rule of the classic Hoare calculus implicitly defines a sequential programming model, which is only a special case of the synchronous model of computation. In this paper, we therefore suggest a generalization of the classic Hoare calculus to deal with synchronous programs. The main idea is that the assignment rule refers to all assignments made in a macro step, so that the synchronous model of computation is axiomatized. It is possible to rewrite all synchronous programs so that the assignments of every macro step are collected in a single tuple assignment. This way, our generalization of the assignment rule is applicable to arbitrary synchronous programs. We present non-trivial case studies that show the feasibility of our approach.
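As an added illustration of the macro-step model this abstract describes (example code written for this page, not code from the paper or from the Averest tools): a minimal interpreter executes the assignment micro steps of one macro step either sequentially or synchronously, rewrites the macro step into a single tuple assignment, and derives the precondition of the generalized assignment rule by evaluating the postcondition after the simultaneous update. The encoding of a micro step as a pair of variable name and right-hand-side function, the variable names and the swap program are assumptions of this example.

```python
"""One synchronous macro step versus sequential execution of its micro steps.

Added example for this page (not the paper's or the Averest toolkit's code).
A micro step is a pair (variable, right-hand side), where the right-hand
side is a function of the environment; this encoding is an assumption.
"""
from typing import Callable, Dict, List, Tuple

Env = Dict[str, int]
MicroStep = Tuple[str, Callable[[Env], int]]


def run_sequential(env: Env, micro_steps: List[MicroStep]) -> Env:
    """Classic model: every assignment sees the updates made before it."""
    env = dict(env)
    for var, rhs in micro_steps:
        env[var] = rhs(env)
    return env


def has_write_conflict(micro_steps: List[MicroStep]) -> bool:
    """Two micro steps writing the same variable in one macro step."""
    targets = [var for var, _ in micro_steps]
    return len(targets) != len(set(targets))


def run_synchronous(env: Env, micro_steps: List[MicroStep]) -> Env:
    """Synchronous model: all right-hand sides are read in the environment at
    the start of the macro step and the updates are committed together."""
    if has_write_conflict(micro_steps):
        raise ValueError("a variable is assigned twice in one macro step")
    updates = {var: rhs(env) for var, rhs in micro_steps}   # same environment
    committed = dict(env)
    committed.update(updates)                                 # one joint update
    return committed


def run_program(env: Env, macro_steps: List[List[MicroStep]]) -> Env:
    """Execute a sequence of macro steps; state changes only between them."""
    for step in macro_steps:
        env = run_synchronous(env, step)
    return env


def as_tuple_assignment(micro_steps: List[MicroStep]):
    """Collect a macro step into one tuple assignment (x1..xn) := (e1..en)."""
    targets = tuple(var for var, _ in micro_steps)

    def rhs_tuple(env: Env):
        return tuple(rhs(env) for _, rhs in micro_steps)

    return targets, rhs_tuple


def wp_tuple_assignment(micro_steps: List[MicroStep], post):
    """Generalized assignment rule {Q[e1/x1,..,en/xn]} (x1..xn):=(e1..en) {Q}.
    The simultaneous substitution is realised semantically: Q is evaluated
    in the environment reached by the joint update."""
    targets, rhs_tuple = as_tuple_assignment(micro_steps)

    def pre(env: Env) -> bool:
        updated = dict(env)
        updated.update(zip(targets, rhs_tuple(env)))
        return post(updated)

    return pre


def triple_holds(pre, micro_steps: List[MicroStep], post, sample_envs) -> bool:
    """Check {pre} macro step {post} on sample environments by execution."""
    return all(not pre(e) or post(run_synchronous(e, micro_steps))
               for e in sample_envs)


# Constructed example: swapping two variables without a temporary.
SWAP: List[MicroStep] = [("x", lambda e: e["y"]), ("y", lambda e: e["x"])]

if __name__ == "__main__":
    env = {"x": 1, "y": 2}
    print("sequential :", run_sequential(env, SWAP))    # x and y both end up 2
    print("synchronous:", run_synchronous(env, SWAP))   # values are swapped
    swapped = lambda e: e["x"] == 2 and e["y"] == 1
    pre = wp_tuple_assignment(SWAP, swapped)
    samples = [{"x": a, "y": b} for a in range(3) for b in range(3)]
    print("rule sound on samples:", triple_holds(pre, SWAP, swapped, samples))
```

The sequential run shows why the classic assignment rule cannot be applied micro step by micro step: the second assignment would already see the first update. The synchronous run and the tuple-assignment precondition agree, which is the point of collecting a macro step into a single simultaneous assignment.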


software and compilers for embedded systems | 2013

Generating hardware specific code at different abstraction levels using Averest

Omair Rafique; Manuel Gesell; Klaus Schneider

In general, embedded systems can be designed at different levels of abstraction, e.g., as pure hardware circuit designs, as bare-iron level programs (without an operating system), as programs based on a real-time operating system, and as models in a model-driven development process. This paper focuses on a synchronous model-driven development tool called Averest. Using Averest, we describe how we consider and combine system descriptions at the four levels of abstraction mentioned above. We discuss a case study targeting a distributed embedded system where these different levels have been used.


embedded and real-time computing systems and applications | 2013

Targeting different abstraction layers by model-based design methods for embedded systems: A case study

Omair Rafique; Manuel Gesell; Klaus Schneider

In this paper, we show how code can be generated at different levels of abstraction from a single source description. To this end, we use a model-driven development tool called Averest that is based on a synchronous programming language. We illustrate our approach by means of a case study from the domain of distributed real-time automotive embedded systems. The paper thereby focuses mainly on the use of the Averest toolkit to generate code at different levels of abstraction.


formal methods | 2012

Interactive verification of synchronous systems

Manuel Gesell; Klaus Schneider

We propose a new approach to the interactive verification of synchronous systems. Our approach is based on two system representations: Systems to be verified are given as synchronous programs that are considered for the selection of proof rules, while the proof rules are applied to equivalent sets of synchronous guarded actions that are obtained by an automatic translation from the programs. Since the obtained guarded actions contain assumptions and assertions, they are directly used as proof goals in our approach. Due to a back-annotation via control flow locations, there is still a direct correspondence between the two system representations. This way, the user can still consider the more readable program code, while the implementation of the proof system on top of the guarded actions allows much more flexible decompositions of the verification goals.


international conference on software engineering | 2013

Lifting Verification Results for Preemption Statements

Manuel Gesell; Andreas Morgenstern; Klaus Schneider

The normal operation of synchronous modules may be temporarily suspended or finally aborted due to requests of their environment. Hence, if a temporal logic specification has already been verified for a synchronous module, then the available verification result can typically only be used if neither suspension nor abortion will take place. Also, the simulation of synchronous modules has to be finally aborted so that temporal logic specifications referring to infinite behaviors cannot be completely answered. In this paper, we therefore define transformations on temporal logic specifications to lift available verification results for synchronous modules without suspension or abortion to refined temporal logic specifications that take care of these preemption statements. This way, one can establish simulation and modular verification of synchronous modules in contexts where preemptions are used.


formal methods | 2013

Translating synchronous guarded actions to interleaved guarded actions

Manuel Gesell; Klaus Schneider

Collaboration


Top co-authors of Manuel Gesell:

Klaus Schneider (Kaiserslautern University of Technology)
Andreas Morgenstern (Kaiserslautern University of Technology)
Omair Rafique (Kaiserslautern University of Technology)
Daniel Baudisch (Kaiserslautern University of Technology)
Karsten Berns (Kaiserslautern University of Technology)
Thomas Pfister (Kaiserslautern University of Technology)