Constructing a Safety Case for Automatically Generated Code from Formal Program Verification Information

Basir, Nurlida; Denney, Ewen; Fischer, Bernd

doi:10.1007/978-3-540-87698-4_22

Cited by 12 publications

(16 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These subgoals are delayed here as well, to keep the safety case compact. Their expanded structure again follows the lines of our previous work [5], and uses the argumentation shown in Fig. 5 (Tier III) of the safety case there with small modifications; in particular, the notion of safety condition needs to be replaced by that of safety requirement.…”

Section: Arguing From System-level Safety Requirements To Component-lmentioning

confidence: 99%

“…This is a straightforward modification of our previous work on programs without hierarchical system structure (see Fig. 3 Tier I: Explaining the Safety Notion in [5]). Here, we thus focus on the lower part of the safety case that explains that, and how, the generated source code Nav.cpp satisfies the given safety requirements by providing formal proofs as evidence (see Fig.…”

Section: Arguing From System-level Safety Requirements To Component-lmentioning

confidence: 99%

“…This is predicated on the assumptions that the applied Hoare-calculus is sound, and that the VCG is implemented correctly, which need to be justified elsewhere. Since the rest of the safety case is constructed as described in our previous work [5], we do not expand it here any further.…”

Section: Arguing From Component-level Safety Requirements To Source Codementioning

confidence: 99%

“…However, since code generators are typically not qualified, there is no guarantee that their output is correct or even safe, and additional evidence of its safety is required. In previous work [5], we have thus constructed safety cases [19] from information collected during a formal verification of the generated code. We also have constructed safety cases that correspond to the formal proofs found by automated theorem provers of the verification conditions, and reveal the underlying proof argumentation structure and top-level assumptions [6].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Deriving Safety Cases for Hierarchical Structure in Model-Based Development

Basir

Denney

Fischer

2010

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Model-based development and automated code generation are increasingly used for actual production code, in particular in mathematical and engineering domains. However, since code generators are typically not qualified, there is no guarantee that their output satisfies the system requirements, or is even safe. Here we present an approach to systematically derive safety cases that argue along the hierarchical structure in model-based development. The safety cases are constructed mechanically using a formal analysis, based on automated theorem proving, of the automatically generated code. The analysis recovers the model structure and component hierarchy from the code, providing independent assurance of both code and model. It identifies how the given system safety requirements are broken down into component requirements, and where they are ultimately established, thus establishing a hierarchy of requirements that is aligned with the hierarchical model structure. The derived safety cases reflect the results of the analysis, and provide a high-level argument that traces the requirements on the model via the inferred model structure to the code. We illustrate our approach on flight code generated from hierarchical Simulink models by Real-Time Workshop.

show abstract

Section: Arguing From System-level Safety Requirements To Component-lmentioning

confidence: 99%

Section: Arguing From System-level Safety Requirements To Component-lmentioning

confidence: 99%

Section: Arguing From Component-level Safety Requirements To Source Codementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Deriving Safety Cases for Hierarchical Structure in Model-Based Development

Basir

Denney

Fischer

2010

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…For example, in the schema mtrans int shown in Figure 8, the variable A is computed as the transpose of T , so that its frame depends on T 's frame. 5 The mtrans int schema uses a syntactic variant, where the additional (sixth) argument [T] indicates that T is a dependent hot variable for A. Inference will thus proceed past this definition for A and restart, looking for a definition for the new hot variable T .…”

Section: Dependent Hot Variablesmentioning

confidence: 99%

Generating customized verifiers for automatically generated code

Denney

Fischer

2008

Proceedings of the 7th International Conference on Generative Programming and Component Engineering

Self Cite

View full text Add to dashboard Cite

Program verification using Hoare-style techniques requires many logical annotations. We have previously developed a generic annotation inference algorithm that weaves in all annotations required to certify safety properties for automatically generated code. It uses patterns to capture generator-and property-specific code idioms and property-specific meta-program fragments to construct the annotations. The algorithm is customized by specifying the code patterns and integrating them with the meta-program fragments for annotation construction. However, this is difficult since it involves tedious and error-prone low-level term manipulations.Here, we describe an approach that automates this customization task using generative techniques. It uses a small annotation schema compiler that takes a collection of high-level declarative annotation schemas tailored towards a specific code generator and safety property, and generates all customized analysis functions and glue code required for interfacing with the generic algorithm core, thus effectively creating a customized annotation inference algorithm. The compiler raises the level of abstraction and simplifies schema development and maintenance. It also takes care of some more routine aspects of formulating patterns and schemas, in particular handling of irrelevant program fragments and irrelevant variance in the program structure, which reduces the size, complexity, and number of different patterns and annotation schemas required. The improvements described here make it easier and faster to customize the system to a new safety property or a new generator, and we demonstrate this by customizing it to certify frame safety of space flight navigation code that was automatically generated from Simulink models by MathWorks' Real-Time Workshop.

show abstract

On Teaching Applied Formal Methods in Aerospace Engineering

Rozier

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

As formal methods come into broad industrial use for verification of safety-critical hardware, software, and cyber-physical systems, there is an increasing need to teach practical skills in applying formal methods at both the undergraduate and graduate levels. In the aerospace industry, flight certification requirements like the FAA's DO-178B, DO-178C, DO-333, and DO-254, along with a series of high-profile accidents, have helped turn knowledge of formal methods into a desirable job skill for a wide range of engineering positions. We approach the question of verification from a safety-case perspective: the primary teaching goal is to impart students with the ability to look at a verification question and identify what formal methods are applicable, which tools are available, what the outputs from those tools will say about the system, and what they will not, e.g., what parts of the safety case need to be provided by other means. We overview the lectures, exercises, exams, and student projects in a mixed-level (undergraduate/graduate) Applied Formal Methods course 1 taught in an Aerospace Engineering department. We highlight the approach, tools, and techniques aimed at imparting a good sense of both the state of the art and the state of the practice of formal methods in an effort to effectively prepare students headed for jobs in an increasingly formal world.

show abstract

Constructing a Safety Case for Automatically Generated Code from Formal Program Verification Information

Cited by 12 publications

References 21 publications

Deriving Safety Cases for Hierarchical Structure in Model-Based Development

Deriving Safety Cases for Hierarchical Structure in Model-Based Development

Generating customized verifiers for automatically generated code

On Teaching Applied Formal Methods in Aerospace Engineering

Contact Info

Product

Resources

About