Model-based design and automated code generation are being used increasingly at NASA. Many NASA projects now use MathWorks Simulink and Real-Time Workshop for at least some of their modeling and code development. The trend is to move beyond simulation and prototyping to actual flight code, particularly in the Guidance, Navigation, and Control domain. However, there are substantial obstacles to more widespread adoption of code generators in such safety-critical domains. Since code generators are typically not qualified, there is no guarantee that their output is correct, and consequently the generated code still needs to be fully tested and certified. Moreover, the regeneration of code can require complete recertification, which offsets many of the advantages of using a generator. Indeed, manual review of autocode can be more challenging than review of hand-written code. Since the direct V&V of code generators is too laborious and complicated due to their complex (and often proprietary) nature, we have developed a generator plug-in to support the subsequent certification of the code that is generated. Specifically, the AutoCert tool supports certification by formally verifying that the generated code is free of various safety violations, by constructing an independently verifiable certificate, and by explaining its analysis in a textual form suitable for code reviews. This enables missions to obtain assurance about the safety and reliability of the code without excessive manual V&V effort and, as a consequence, increases the acceptance of code generators in safety-critical contexts. The generation of explicit certificates and textual reports is particularly well suited to supporting independent V&V. The key technical idea of our approach is to exploit the idiomatic nature of auto-generated code in order to automatically infer logical annotations. These allow the automatic formal verification of the safety properties without requiring access to the internals of the code generator. The approach is independent of the particular generator used but is currently being adapted to code generated using MathWorks Real-Time Workshop, an automatic code generator that translates from Simulink/Stateflow models into embedded C code.
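As an added illustration of the idea sketched above (example code written for this page, not AutoCert's implementation or anything from MathWorks), the following Python sketch models the pipeline for one idiom a generator emits: a counted loop over statically sized arrays. The loop invariant is read off the idiom rather than derived from the generator's internals, verification conditions for array-bounds safety are generated from that invariant and discharged, the results are recorded in a certificate that a separate function re-checks without trusting the inference step, and a textual report is produced for review. The intermediate representation (`Loop`, `Access`, `VC`, `Certificate`), the function names, the sample loops and array sizes, and the choice of array-bounds as the safety property are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Toy IR for the loop idiom a code generator emits (constructed for this example;
# not Real-Time Workshop's real output format).
@dataclass(frozen=True)
class Access:
    """Array access ``array[var + offset]`` inside a loop body."""
    array: str
    var: str
    offset: int = 0

@dataclass(frozen=True)
class Loop:
    """Counted loop idiom: ``for (var = lo; var < hi; var++) { accesses }``."""
    var: str
    lo: int
    hi: int
    accesses: Tuple[Access, ...]

@dataclass
class VC:
    """Verification condition: the closed arithmetic facts needed for one access."""
    claim: str
    lower: int     # smallest index the body can compute
    upper: int     # largest index the body can compute
    size: int      # declared array size
    vacuous: bool  # loop body never executes, so the claim holds trivially
    proved: bool = False

@dataclass
class Certificate:
    invariants: Dict[str, str] = field(default_factory=dict)
    vcs: List[VC] = field(default_factory=list)

    def is_safe(self) -> bool:
        return all(vc.proved for vc in self.vcs)

def infer_invariant(loop: Loop) -> str:
    """Annotation inference: the idiom fixes the loop shape, so the invariant is
    read off the syntax instead of being derived from the generator's internals."""
    return f"{loop.lo} <= {loop.var} <= {loop.hi}"

def generate_vcs(loop: Loop, arrays: Dict[str, int]) -> List[VC]:
    """Array-bounds safety: every access in the body must stay inside its array
    for every value of the loop variable permitted by the inferred invariant."""
    vcs = []
    body_runs = loop.lo < loop.hi  # inside the body, var ranges over [lo, hi-1]
    for acc in loop.accesses:
        if acc.var != loop.var:
            raise ValueError(f"{acc.array}[{acc.var}] does not follow the loop idiom")
        claim = (f"0 <= {acc.var}{acc.offset:+d} < {arrays[acc.array]} "
                 f"for all {loop.lo} <= {acc.var} < {loop.hi}")
        vcs.append(VC(claim, loop.lo + acc.offset, loop.hi - 1 + acc.offset,
                      arrays[acc.array], vacuous=not body_runs))
    return vcs

def discharge(vc: VC) -> bool:
    """Decide a VC. The bounds are constants, so linear arithmetic suffices."""
    vc.proved = vc.vacuous or (vc.lower >= 0 and vc.upper < vc.size)
    return vc.proved

def certify(loops: List[Loop], arrays: Dict[str, int]) -> Certificate:
    """Infer annotations, generate and discharge VCs, and package the certificate."""
    cert = Certificate()
    for n, loop in enumerate(loops):
        cert.invariants[f"loop{n}:{loop.var}"] = infer_invariant(loop)
        for vc in generate_vcs(loop, arrays):
            discharge(vc)
            cert.vcs.append(vc)
    return cert

def check_certificate(cert: Certificate) -> bool:
    """Independent check: re-decide every VC from the certificate's own data,
    never trusting the inference step or the prover that produced it."""
    return all(discharge(VC(v.claim, v.lower, v.upper, v.size, v.vacuous)) == v.proved
               for v in cert.vcs)

def explain(cert: Certificate) -> str:
    """Textual report in the style a code reviewer would read."""
    lines = [f"{key}: inferred invariant {inv}" for key, inv in cert.invariants.items()]
    for vc in cert.vcs:
        status = "PROVED (vacuous)" if vc.vacuous else ("PROVED" if vc.proved else "FAILED")
        lines.append(f"{status}: {vc.claim}")
    return "\n".join(lines)

# Constructed sample: two loops in the shape a gain block and a finite difference
# might be generated as. Sizes are declared statically, as in generated C.
ARRAYS = {"u": 3, "y": 3, "x": 3, "d": 2}
GAIN_LOOP = Loop("i", 0, 3, (Access("u", "i"), Access("y", "i")))  # y[i] = k*u[i]
DIFF_LOOP = Loop("i", 0, 3, (Access("x", "i", 1), Access("x", "i"), Access("d", "i")))  # d[i] = x[i+1]-x[i]

if __name__ == "__main__":
    cert = certify([GAIN_LOOP, DIFF_LOOP], ARRAYS)
    print(explain(cert))
    print("certificate consistent:", check_certificate(cert))
```

The second sample loop fails on purpose: `x[i+1]` reaches index 3 of a 3-element array and `d[i]` reaches index 2 of a 2-element array, which is exactly the off-by-one class that a bounds-safety policy exists to catch; the report names the failing claim so a reviewer sees why, and `check_certificate` demonstrates that the certificate can be re-verified by a party who never ran the inference.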