Automated Deductive Verification of Safety-Critical Embedded Software

Abstract: Embedded systems are everywhere in society, and in many industries, such as the automotive industry, embedded systems are safety-critical. Embedded systems are today also increasingly controlled by software, with advances in, for example, autonomous driving. Because of this, there is naturally a need for methods that can ensure the correctness of such software, and for processes and frameworks to deal with the ever-increasing size and complexity of the software. Contract-based design is a well-established design methodology within embedded system design, where the complexity of an embedded system is managed through the use of contracts, for dividing the responsibilities to the different components of a system. This thesis presents a formal contract framework, or theory, following the principles of contract-based design. The theory is developed for procedural software, and is defined at the semantic level, allowing it to be instantiated with different languages for defining the contracts and components, depending on what is appropriate for different uses. The theory is parametric on the semantic domain, allowing different types of behaviours to be reasoned about. The thesis also presents different instantiations of the theory, showing both how low-level properties can be specified using Hoare logic or ACSL, as well as high-level temporal properties using temporal logics such as TLA+. The theory also allows different semantic domains to be combined. Within the theory, low-level components can be verified against their contracts in such a way that more abstract, high-level properties can be ensured, when the components are composed.A common method for verifying the correctness of low-level software is deductive verification, and Frama-C is a well-known framework in which deductive verification of C code can be performed. This thesis also presents work in the area of contract inference, in the form of a tool in which intermediary contracts to be used in verification can be automatically generated. The method uses the C model checker TriCera as a back-end and infers contracts for use in Frama-C. Finally, the thesis also presents a framework for program instrumentation, which makes certain properties easier to verify. Here, programs with assertions over properties that are typically hard to verify are transformed into new programs with assertions not containing those properties, in such a way that if the new program is correct, then the original program is also correct. The thesis presents concrete instrumentations for so-called extended quantifiers, which are a type of aggregation over arrays, such as finding the sum of all values, or the maximum value, in an array.