ABSTRACT
Bounded model checking is a formal verification technique for checking reachability of unwanted behaviour within a bounded number of steps. In the context of PLC software, specifications treat the whole program as a single step, considering only the controller's observable state at the end of an execution cycle. For a program containing loops, standard approaches will either characterise shorter steps, losing the relation to the original bound, or try to unroll the loops statically.
We propose a combination of symbolic execution and adjustable-block encoding to achieve an efficient, incremental, monotonic logical characterisation which lifts the step-size to whole cycles. Evaluation of our prototypical implementation on examples from the PLC Safety library shows its applicability to such specifications, compared to leading BMC approaches.
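The cycle-level encoding the abstract describes, worked through in an added example (this is not code from the paper or its prototype): a tiny ST-like program with a FOR loop over N input channels is symbolically executed once; the loop is unrolled on the fly because its bounds are concrete, the two arms of each IF are merged with an ite at the join point, and the result is one transition formula per state variable that covers the whole cycle. That formula is then composed k times for bounded checking, so a counterexample's length is counted in cycles. The program, the variable names (cnt, out, all_on, in0..in{N-1}) and the two properties are constructed for illustration, and an enumeration over Boolean inputs stands in for the SMT solver a real implementation would call.

```python
"""Cycle-bounded BMC of a small PLC-style program via symbolic execution with
merge-at-join (large-block) encoding.  Constructed example: the IR, the program and
the enumeration-based stand-in for an SMT solver are illustrations, not the paper's tool."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Union

@dataclass(frozen=True)
class Node:   # formula node; kind in {"var","const","idx","and","or","not","add","ge","ite"}
    kind: str
    args: tuple

def V(name: str) -> Node:   return Node("var", (name,))
def C(val) -> Node:         return Node("const", (val,))
def op(kind: str, *args) -> Node:  return Node(kind, args)

def subst(e: Node, m: Dict[str, Node]) -> Node:
    """Replace free variables by the formulas in m; names not in m stay symbolic."""
    if e.kind == "var":
        return m.get(e.args[0], e)
    if e.kind == "const":
        return e
    if e.kind == "idx":                     # in[i] -> Var("in0") once i is a constant
        base, i = e.args[0], subst(e.args[1], m)
        return V(f"{base}{i.args[0]}")
    return Node(e.kind, tuple(subst(a, m) for a in e.args))

def evaluate(e: Node, env: Dict[str, Union[bool, int]]):
    """Concrete evaluation of a formula under a full assignment of its variables."""
    if e.kind == "var":
        return env[e.args[0]]
    if e.kind == "const":
        return e.args[0]
    a = [evaluate(x, env) for x in e.args]
    return {"and": lambda: a[0] and a[1], "or": lambda: a[0] or a[1],
            "not": lambda: not a[0], "add": lambda: a[0] + a[1],
            "ge": lambda: a[0] >= a[1], "ite": lambda: a[1] if a[0] else a[2]}[e.kind]()

# Statements (ST-like): ("assign", var, expr) | ("if", cond, then, els) | ("for", var, lo, hi, body)
def sym_exec(stmts: list, env: Dict[str, Node]) -> Dict[str, Node]:
    """Symbolic execution with one environment per block: the arms of an IF are merged
    with ite at the join (large-block encoding) and FOR loops with concrete bounds are
    unrolled on the fly, so a whole cycle collapses into one formula per variable."""
    for s in stmts:
        if s[0] == "assign":
            env = {**env, s[1]: subst(s[2], env)}
        elif s[0] == "if":
            c, t, f = subst(s[1], env), sym_exec(s[2], env), sym_exec(s[3], env)
            env = {v: t[v] if t[v] == f[v] else op("ite", c, t[v], f[v]) for v in t}
        elif s[0] == "for":
            for i in range(s[2], s[3] + 1):
                env = sym_exec(s[4], {**env, s[1]: C(i)})
    return env

# Constructed PLC program: out becomes TRUE once all N channels were on for 2 consecutive cycles.
N = 2
STATE, INPUTS = ["cnt", "out", "all_on"], [f"in{i}" for i in range(N)]
INIT = {"cnt": 0, "out": False, "all_on": False}
PROGRAM = [
    ("assign", "all_on", C(True)),
    ("for", "i", 0, N - 1, [("assign", "all_on", op("and", V("all_on"), op("idx", "in", V("i"))))]),
    ("if", V("all_on"), [("assign", "cnt", op("add", V("cnt"), C(1)))], [("assign", "cnt", C(0))]),
    ("assign", "out", op("ge", V("cnt"), C(2))),
]
TRANS = sym_exec(PROGRAM, {v: V(v) for v in STATE})   # one cycle, one formula per state var

def unroll(trans: Dict[str, Node], k: int) -> Dict[str, Node]:
    """Compose k cycle formulas, renaming the inputs read in cycle j to in{i}@j."""
    cur = {v: V(v) for v in STATE}
    for j in range(k):
        ren = {**cur, **{x: V(f"{x}@{j}") for x in INPUTS}}
        cur = {v: subst(trans[v], ren) for v in STATE}
    return cur

def bmc(trans: Dict[str, Node], prop: Node, kmax: int):
    """Smallest k in 1..kmax and an input trace for which the invariant prop fails on the
    end-of-cycle state, or None.  Inputs are Boolean, so this stand-in solver enumerates
    all assignments; a real implementation hands the same formula to an SMT solver."""
    for k in range(1, kmax + 1):
        chk = subst(prop, unroll(trans, k))
        names = [f"in{i}@{j}" for j in range(k) for i in range(N)]
        for bits in product([False, True], repeat=len(names)):
            if not evaluate(chk, {**INIT, **dict(zip(names, bits))}):
                return k, [dict(zip(INPUTS, bits[j * N:(j + 1) * N])) for j in range(k)]
    return None

NEVER_OUT = op("not", V("out"))                                   # falsified after 2 cycles
OUT_IMPLIES_ALL_ON = op("or", op("not", V("out")), V("all_on"))   # holds within the bound

if __name__ == "__main__":
    print("cycle formula for cnt:", TRANS["cnt"])
    print("G(!out):", bmc(TRANS, NEVER_OUT, 4))
    print("G(out -> all_on):", bmc(TRANS, OUT_IMPLIES_ALL_ON, 4))
```

Running it shows G(!out) falsified after exactly two cycles with both channels on in both, while G(out -> all_on) holds up to the bound. Because the loop is unrolled inside the cycle formula, the bound k counts execution cycles; an encoding that treats each statement or loop iteration as a step would spend several steps per cycle, which is the loss of relation to the original bound the abstract refers to.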
Cycle-bounded model checking of PLC software via dynamic large-block encoding