Practical Verification of Embedded Software

A dvances in processor speed, memory capacities , sensors, and peripherals have enabled the inexpensive fabrication of sophisticated products ranging from mobile phones and hi-fi equipment to highly complex software in cars and airplanes. Unfortunately, the lack of good design methods and tools is a major bottleneck in the development of these products, particularly those with a short life cycle such as consumer electronics and household appliances. Developing embedded software for large, complicated applications requires models that are both intellectually manageable and physically realizable. Choosing a modeling technique is a compromise between conflicting goals: Models must be easy to comprehend and construct, but they also must be practicable and provide platforms for analysis. Academia and commercial tool developers have proposed various embedded software models that represent different emphases on these goals. 1-3 In the model we describe, efficient realizations and correctness receive high priority at the expense of descriptive features. Because embedded software is firmware—and therefore difficult or impossible to replace—its correctness is of paramount importance. Furthermore, embedded applications are often manufactured in large quantities, making it expensive to correct software errors. Exhaustive verification—a technique that implicitly checks all possible computations—is a practical alternative for ensuring the correctness of embedded software. Our work demonstrates that the visualState commercial design tool can verify even the largest industrial applica-tions—comprising more than 1,000 concurrent compo-nents—in a few minutes on a standard PC. The compositional backward technique is a new algorithm that dramatically improves runtimes compared with the algorithms traditionally used for exhaustive verification. We developed this algorithm to check safety properties, but it has been extended to handle a larger class of properties including liveness. Our algorithm dramatically improves verification runtimes by decoupling independent states and collapsing states that behave similarly. We have obtained encouraging results using this algorithm to exhaustively verify embedded controllers used in large industrial applications. Previous versions of visualState (http://www.visualstate.com), the commercial tool that incorporates the compositional backward technique for developing embedded software, have been used in hundreds of industrial applications. As with most other software, manufacturers use tests to verify the correctness of embedded software. However, a simple example demonstrates why— despite its extensive use—software testing is grossly insufficient to ensure the correctness of even modestly complex embedded software. Assume that a human operator uses the control panel shown in Figure 1 to control two plane motors. The control panel has several buttons and two warning lights (the …