Formal Analysis and Verification of Airborne Software Based on DO-333

electronics

Article Formal Analysis and Veriﬁcation of Airborne Software Based on DO-333

Zongyu Cao 1,*, Wanyou Lv 1, Yanhong Huang 1,2,*, Jianqi Shi 1,3 and Qin Li 2

1 National Trusted Embedded Software Engineering Technology Research Center, East China Normal University, Shanghai 200062, China; [email protected] (W.L.); [email protected] (J.S.) 2 Shanghai Key Laboratory of Trustworthy Computing, Shanghai 200062, China; [email protected] 3 Hardware/software Co-Design Technology and Application Engineering Research Center, Shanghai 200062, China * Correspondence: [email protected] (Z.C.); [email protected] (Y.H.)

Received: 25 December 2019; Accepted: 11 February 2020; Published: 14 February 2020

Abstract: With rapid technological advances in airborne control systems, it has become imperative to ensure the reliability, robustness, and adaptability of airborne software since failure of these software could result in catastrophic loss of property and life. DO-333 is a supplement to the DO-178C standard, which is dedicated to guiding the application of formal methods in the review and analysis of airborne software development processes. However, DO-333 lacks theoretical guidance on how to choose appropriate formal methods and tools to achieve verification objectives at each stage of the verification process, thereby limiting their practical application. This paper is intended to illustrate the formal methods and tools available in the verification process to lay down a general guide for the formal development and verification of airborne software. We utilized the Air Data Computer (ADC) software as the research object and applied different formal methods to verify software lifecycle artifacts. This example explains how to apply formal methods in practical applications and proves the effectiveness of formal methods in the verification of airborne software.

Keywords: formal veriﬁcation; airborne software; DO-333

1. Introduction The aviation industry has seen a gradual increase in the application of software in airborne systems. The software’s failure to perform the designated task, however, can have undesirable consequences, such as equipment damage and risk to human life. The Boeing 737 crashes in 2018 and 2019 have made this concern even more pronounced. Hence, strict verification processes must be followed while creating safety-critical software so as to ensure their reliability and security. The Radio Technical Commission for Aeronautics (RTCA) released the DO-178B Airworthiness Certification Standard [1] in 1992 to illustrate the software lifecycle and provide guidance on the development process of airborne software. However, with steady growth in the scale and complexity of airborne software, the number of components, modules, and interfaces required for an enhanced development process has also increased. Such substantial increase brings with it a higher probability of software failure with unpredictable consequences. In 2011, the RTCA passed the DO-178C standard [2], together with four development technology supplements. DO-333 [3] is the formal supplement for DO-178C, to guide the application of formal methods in software development and verification processes. In recent years, research on the formal verification of airborne software has received extensive attention, and several formal methods have been applied in the industry. Souyris et al. show how the Airbus has been integrating several abstract interpretation-based analysis tools into the development

Electronics 2020, 9, 327; doi:10.3390/electronics9020327 www.mdpi.com/journal/electronics Electronics 2020, 9, 327 2 of 20 process of avionics software products [4]. Odile and Thomas et al. both discuss how Airbus applies model-checking techniques on the Safety Critical Application Development Environment (SCADE) to the validation and verification process of avionics systems [5,6]. NASA applies theorem proving, model checking, and abstract interpretation techniques to achieve different verification objectives in its case study on the Dual-Channel Flight Guidance System [7]. There are some case studies ([8–10]) that focus on applying formal methods to artifacts and objectives at a certain software verification stage. With reference to relevant cases, it is observed that the application of formal verification for airborne software in the industry was mostly focused on applying SCADE to the software development cycle or using a single formal method to verify the artifacts at a certain software development stage. At present, there is a lack of systematic guidance for the application of formal methods for airborne software verification, and several methods and tools that have been successfully applied in other industries is yet to be introduced here. This paper proposes a methodology for formal analysis and verification of airborne software based on DO-333 to provide guidance in integrating formal methods in software development and verification. It showcases the Air Data Computer (ADC) software to illustrate how this research’s methodology could be applied and how formal methods and tools have to be selected to verify specific objectives. We hope that the readers can derive inspiration from our case. The contributions of this study can be presented as follows: Present a comprehensive formal verification methodology for the airborne software. • According to the software lifecycle defined for DO-178C, this study divides verification activity into three parts: requirements and design, source code, and executable object code. The methodology used summarizes the commonly used formal analysis and verification methods in each phase and enumerates some frequently used mature formal models and tools. This research covers the entire A-level software verification process defined in DO-333, which can guide the formal analysis and verification of airborne software. Demonstrate the practical application of formal methods using the ADC software • For the software discussed in this study, all the requirements were formalized with Event-B and objectives like compliance and traceability were verified by Rodin. This was followed by the extraction of formal specifications from the behavior model and compiling with VCC annotations to automatically verify the software at the source code level. Furthermore, a static analysis tool called PolySpace was used to detect runtime errors in the source code level. For verification of the binary code, we analyzed the minimum subset of the source code structure to verify the traceability of the executable object code to the source code. By using this approach, the correctness of the verification of the executable object code was converted into formal analysis in the source code level. After formal verification and review of the ADC software, a total of 16 errors were identified. This shows that the formal method is an effective verification method. The rest of the paper is organized as follows: Section2 provides a brief introduction of airworthiness certification standards and formal methods; Section3 describes the methodology used, providing advice on how to apply formal methods to the software development process (based on DO-333); Section4 illustrates ADC software’s formal verification process and shows how to use formal methods to verify specific objectives; and Section5 concludes the work and discusses further research.

2. Background

2.1. Airworthiness Certification Standards To establish development guidelines for airborne systems and equipment software that ensure that it could perform its intended safety functions according to airworthiness requirements, the RTCA published the DO-178B (Software Considerations in Airborne Systems and Equipment Certification) in 1992. In DO-178B, the safety conditions are divided into five levels (A-E level) based on their effects on the aircraft, crew, and passengers. However, the increasing size and complexity of modern Electronics 2020, 9, 327 3 of 20 avionics software have raised questions on the viability of the DO-178B. The guideline takes little or no account of current development and validation methods, such as model-based development and object-oriented techniques. Therefore, in 2011, the RTCA passed the DO-178C standard and prepared four supplementary documents: tool identification (DO-330), model-based development and verification (DO-331), object-oriented technology (OOT) and related technologies (DO-332), and formal methods (DO-333). DO-333 is a supplementary document for the DO-178C. It discusses the use of formal methods in the software lifecycle for software produced following the DO-178C. DO-333 is used to describe how verification objectives, activities, explanatory texts, and software lifecycle data in DO-178C should be addressed when formal methods are used as part of the software lifecycle. This includes artifacts that could be expressed using formal notations and the verification foundation derived from them. It guides the applicants and certification or approval authorities in facilitating the use of formal methods. Based on the DO-333, the formal methods used in this paper carry out formal verification of the objectives defined in DO-178C.

2.2. Formal Methods Formal methods are mathematically based techniques for the specification, development, and verification of the software aspects of digital systems. They use mathematical methods for all phases of the system, so that the behavior of the system can be accurately described and characterized [11]. Further extensions are supported based on formal models, thus ensuring that the properties of the developed system meet requirements and determine the correctness and robustness of the design. Formal methods usually involve the following three types of activities [12]: 1. System modeling: formal model is an abstract representation of software for analysis, simulation, and code generation. 2. Formal specification: formal specification is a description of some properties that the system must satisfy. 3. Formal verification: formal verification is used to verify that the formal model of the system satisfies the formal specification. Formal verification methods can typically be classified into three categories: model checking, theorem proving, and abstract interpretation.

Model checking explores all possible behaviors of a formal model to determine whether a specified • property is satisfied. If the property does not hold, the model checking algorithm generates a counterexample. Model checking can realize fully automated verification with high efficiency. However, the increase of scale and complexity of the software causes great difficulties in the modeling and may lead to the explosion of state space. Theorem proving models the system and the specification as logic formulae and proves the • satisfaction relation between them by deductive proof calculus. It uses inductive methods to describe the behavior and attributes of the program, which can well solve the “state explosion” problem. However, theorem proving cannot be automated at present. When encountering complex problems with a large scale of code, the proof work needs to be completed with the help of the user’s heuristics. Abstract interpretation is used to construct semantics-based analysis algorithms for the automatic, • static, and sound determination of dynamic properties of infinite-state programs. The essence of abstract interpretation is to sacrifice accuracy for computational feasibility and efficiency, which will limit its application.

The drawbacks of formal methods can be worked on by continuous development and application; however, it is not the focus of this paper. Based on existing technology, this paper discusses the formal technologies and tools that can be applied to airborne software and provides guidance for industrial applications. Electronics 2020, 9, 327 4 of 20 Electronics 2020, 9, x FOR PEER REVIEW 4 of 20

3. Methodology and Process 3. Methodology and Process The DO-333 standard was introduced in 2011 as a supplement to the formal verification method The DO-333 standard was introduced in 2011 as a supplement to the formal verification method of of DO-178C for airworthiness certifications. For specific verification objectives in DO-178C, it refers to DO-178C for airworthiness certifications. For specific verification objectives in DO-178C, it refers to artifacts that could be expressed using formal notations and the verification evidence derived from artifacts that could be expressed using formal notations and the verification evidence derived from them. them. Figure1 depicts the data items, development activities, and verification activities involved in Figure 1 depicts the data items, development activities, and verification activities involved in the the requirement, design, and coding processes of A-level software. requirement, design, and coding processes of A-level software.

Figure 1. Level A software verification veriﬁcation processes.

Figure1 1lists lists the the objectives objectives of each of verificationeach verifica activity,tion includingactivity, including accuracy, consistency,accuracy, consistency, compliance, andcompliance, traceability, and among traceability, others. among Consistency others. means Consistency there is means no logical there conflict is no logical between conflict two data between items (requirementstwo data items or source(requirements code). Compliance or source referscode). to Co thempliance satisfaction refers relationship to the satisfaction between two relationship data items; forbetween example, two thedata compliance items; for ofexampl high-levele, the requirementscompliance of (HLR) high-level to system requirements requirements. (HLR) Traceability to system refersrequirements. to the association Traceability between refers datato the items; association it usually between refers data to two-way items; it tracking usually relationships.refers to two-way For example,tracking relationships. traceability between For example, HLR and traceabilit Low-Levely between Requirements HLR and (LLR). Low-Level All HLR Requirements are developed (LLR). into moreAll HLR detailed are developed LLR, while into all more LLR candetailed correspond LLR, whil to thee all HLR. LLR Basedcan correspond on accurate to the and HLR. unambiguous Based on formalaccurate descriptions and unambiguous of software formal lifecycle descriptions data items, of formalsoftware methods lifecycle can data prove items, (or combineformal methods with review can andprove other (or combine methods with to prove) review whether and other the datamethods items to meet prove) the whether above verification the data items objectives. meet the above verificationIt is imperative objectives. to mention that formal analysis may be applied to a small portion of the verificationIt is imperative objectives orto asmention the primary that sourceformalof analysis evidence may for accomplishingbe applied to thea small desired portion development of the andverification verification objectives objectives. or Someas the objectives primary may source be fully of compliantevidence withfor formalaccomplishing methods, whilethe desired others maydevelopment require additional and verification verification, objectives. such as Some testing ob injectives an integrated may be target fully computer.compliant Thus,with review,formal analysismethods, and while testing others are may also presentedrequire additional as means verification, of attaining thesesuch verificationas testing in objectives. an integrated target computer.According Thus, to Figurereview,1, weanalysis divide and the entiretesting verification are also processpresented into as three means parts: of requirements attaining these and design,verification source objectives. code, and executable object code. The following sections will summarize some of the formalAccording techniques to andFigure methods 1, we divide that can the be entire applied. verification process into three parts: requirements and design, source code, and executable object code. The following sections will summarize some of the formal techniques and methods that can be applied. Electronics 2020, 9, 327 5 of 20 Electronics 2020, 9, x FOR PEER REVIEW 5 of 20

3.1. Formal Analysis of Requirements and Design 3.1. Formal Analysis of Requirements and Design AsAs shownshown inin Figure Figure2, the2, mainthe main idea ofidea formal of form analysisal analysis of requirements of requirements and design and is to design respectively is to respectivelyestablish behavior establish and behavior requirements and requirements models to depict models the systemto depict to the be veriﬁedsystem andto be the verified properties and thatthe propertiesthe system that must the satisfy. system There must are satisfy. two main There formal are two analysis main formal methods analysis for this methods process: for model this checkingprocess: modeland theorem checking proving. and theorem proving.

FigureFigure 2. 2. FormalFormal methods methods of of requirement requirement and and behavior behavior models. models.

ModelModel checking isis used used to to verify verify whether whether the the behavior behavior model model can satisfy can satisfy the specifications the specifications written writtenin temporal in temporal logic, likelogic, LTL, like CTL, LTL, TCTLCTL, TCTL [13], etc.[13], Thisetc. This logic logic focuses focuses on theon the sequence sequence and and timing timing of ofevents, events, and and can can describe describe a a wide wide range range ofof properties,properties, such as safety, reachability, aliveness, aliveness, fairness, fairness, andand real-time. real-time. For For formal formal specifications specifications written written usin usingg temporal temporal logic, logic, the the behavior behavior model model needs needs to be to describedbe described with with the thecorresponding corresponding formal formal language, language, like like CSP CSP [14], [14 ],Promela Promela [15], [15 ],BDD BDD [16], [16], TA TA [17], [17], etc.etc. If If the the model model and and specificat specificationsions are are formalized formalized correctly, correctly, the the model model checker checker will will automatically automatically determinedetermine whether thethe propertyproperty is is satisfied. satisfied. Applicable Applicable model model checkers checkers for thefor selectedthe selected temporal temporal logic logicandmodeling and modeling language language include include PAT [18 ],PAT SPIN [18], [19], SPIN SMV [[19],20], UPPAALSMV [20], [21 UPPAAL], etc. Their [21], relationship etc. Their is relationshipshown in Figure is shown2. in Figure 2. TheoremTheorem proving proving verifies verifies formal formal specifications specifications written written in predicate in predicate logic, logic,like FOL, like HOL FOL, [22], HOL etc. [22 In], theetc. theorem In thetheorem prover, requirement prover, requirement specifications specifications are written areinto written theorems, into and theorems, then they and are automatically then they are orautomatically semi-automatically or semi-automatically proved by adding proved defined by adding axioms defined and induction axioms andrules. induction Commonly rules. used Commonly theorem proversused theorem are ACL2 provers [23], arePVS ACL2 [24], [Isabelle/HOL23], PVS [24], Isabelle[25], Coq/HOL [26], [25etc.], Among Coq [26 ],them etc., Amongthe ACL2 them, specification the ACL2 languagespecification is based language on FOL, is basedwhile onPVS, FOL, Isabelle/HOL, while PVS, and Isabelle Coq /areHOL, based and on Coq HOL. are based on HOL. ThereThere are are certain certain integrated integrated development development tools tools th thatat not not only only provide provide a a modeling modeling environment, environment, butbut also also have have certain certain embedded embedded model model checkers checkers or or theorem theorem provers provers to to directly directly verify verify the the model’s model’s accuracy.accuracy. The The most most familiar familiar integrated integrated developme developmentnt environment environment is is SCADE, SCADE, which which can can cover cover all all developmentdevelopment phases phases from from requirem requirementsents to to code, code, including including requirement requirement modeling, modeling, model model checking, checking, simulation,simulation, formal formal verification, verification, code code generation, generation, and more [27]. [27]. Therefore, Therefore, it it has has been been widely widely used used in in industrialindustrial applications. applications. In In addition, addition, there there are are some some open-source open-source platform platformss that that support support embedded formalformal verification verification tools, tools, like like Rodin, Rodin, the the platform platform for Event-B modeling [28]. [28]. WhenWhen the the models models are are built built by by different different formal languages, model model transformation transformation needs needs to to be be considered.considered. The The idea idea of of model model transformation transformation can can be beused used for forshortcomings shortcomings between between two twomodels. models. On theOn one the onehand, hand, when when a model a model is not is not sufficient sufficient to todesc describeribe certain certain properties, properties, itit can can be be converted converted into into anotheranother model model to to realize realize system system modeling modeling more more effi efficiently.ciently. On On the the other other hand, hand, a a model model written written in in a a semi-formal language needs to be converted into a formal model for model checking, like SysML [29], AADL [30], etc. Electronics 2020, 9, 327 6 of 20

Electronics 2020, 9, x FOR PEER REVIEW 6 of 20 semi-formal language needs to be converted into a formal model for model checking, like SysML [29], AADLThe [30 above], etc. mentioned formal methods and tools are commonly used in academia and industry. WithThe continuous above mentioned research and formal development methods and of fo toolsrmal are methods, commonly many used novel in academia formal languages and industry. and Withtools continuoushave appeared research and are and widely development used, like of formal NuSMV methods, [31], CCS many [32], novel RSML formal−e [33], languages etc. We do and not tools list e havethem appearedin Figureand 2, but are in widely the following used, like sections, NuSMV [we31], will CCS cite [32 ],a RSMLfew research− [33], etc.papers We doand not show list themtheir inapplications. Figure2, but in the following sections, we will cite a few research papers and show their applications. 3.2. Formal Analysis of Source Code 3.2. Formal Analysis of Source Code Figure3 shows that the veriﬁcation of source code can be divided into the compliance of source Figure 3 shows that the verification of source code can be divided into the compliance of source code to requirement speciﬁcations, traceability between source code and behavior models, and static code to requirement specifications, traceability between source code and behavior models, and static analysis of source code. This paper focused on a single target language, namely C, for the reason that analysis of source code. This paper focused on a single target language, namely C, for the reason that most airborne software is written in it. most airborne software is written in it.

Figure 3. Formal methods of design layer and source code.

Theorem proving and model checking offer offer a solutionsolution to verifyverify compliancecompliance of source code with requirement specifications. specifications. To To apply apply theorem theorem proving, proving, the the specifications specifications need need to be to extracted be extracted as pre- as pre-and andpost-conditions post-conditions and then and converted then converted to annotations to annotations in the C in program; the C program; finally, finally,deductive deductive reasoning reasoning is used isto usedverify to the verify annotations. the annotations. Here, we list Here, two we theorem list two proving theorem tools proving that are tools commonly that are used commonly in the industry: used in theVCC industry: [34] and Frama-C VCC [34 ][35]. and Another Frama-C verification [35]. Another meth verificationod is based method on model is basedchecking. on modelBy constructing checking. Bya formal constructing model afrom formal the model source from code, the sourceand using code, the and temporal using the logic temporal (primarily logic (primarilyLTL and LTLCTL) and to CTL)represent to represent requirements requirements specifications, specifications, model chec modelking checking tools can tools provide can provide a counter-example a counter-example path pathwhen when the system the system is not is notsatisfied. satisfied. There There are aremany many model model checkers checkers such such as as SPIN SPIN [36], [36], SMV SMV [20], [20], NuSMV [37], [37], etc., which can be used to achieve thethe objective of compliance of source code with requirement specifications.specifications. In thethe developmentdevelopment processprocess based based on on formal formal methods, methods, this this is anis an excellent excellent method method to improveto improve the modelthe model utilization utilization rate by rate directly by directly converting converti the verifiedng the formal verified models formal into models source code.into source Furthermore, code. developmentFurthermore, cyclesdevelopment can be shortenedcycles can significantlybe shortened with significantly automatic with code automatic generation. code SCADE generation. from EsterelSCADE Technologies, from Esterel Technologies, Simulink [38] Simulink from Mathworks, [38] from and Mathworks, many other and tools many like other Rodin tools have like built-in Rodin codehave generatorsbuilt-in code that generators can transform that can behavior transform models behavior into equivalent models into C code. equivalent The code C generatedcode. The fromcode thegenerated formal from model the ensures formal traceability model ensures from traceability the source codefrom tothe the source behavior code model.to the behavior model. The static analysis tool used does not actually need to run the program in in the target hardware, but ratherrather analyzes analyzes control control and and data data flow, flow, combined combined with abstract with abstract interpretation interpretation and symbolic and executionsymbolic execution techniques, to check for data overflow, divide-by-zero, out-of-bounds array access, and other run-time errors in the source code, and realize the accurate location of the problems [39]. Commonly used static analysis tools include Astre’ e [40], PolySpace [41], Fluctuat [42] (based on Electronics 2020, 9, 327 7 of 20 techniques, to check for data overflow, divide-by-zero, out-of-bounds array access, and other run-time errors in the source code, and realize the accurate location of the problems [39]. Commonly used static analysis tools include Astre’ e [40], PolySpace [41], Fluctuat [42] (based on abstract interpretation), SLAM [43], BLAST [44], and CBMC [45] (based on model checking), among others.

3.3. Formal Analysis of Executable Object Code Figure1 shows that the verification objectives of the executable object code (EOC) are chiefly achieved by testing and assisted by reviews and analysis, as indicated in DO-178C. Since DO-178C allows formal verification to replace certain forms of testing, this section summarizes the formal methods that can be used to supplement or replace test activities. 1. Static Analysis of Worst-case Execution Time and Stack Usage Worst-case execution time (WCET) and stack usage must be analyzed at the EOC level because compilers, linkers, and some hardware features may have a non-negligible impact on them. Based on the information flow of the program, the static analysis method estimates the WCET of the program according to the characteristics of the target processor, rather than directly executing on the hardware. The tools aiT [46] from AbsInt GmbH, and Bound-T [47] from Tidorum Ltd. both use this approach. Similarly, StackAnalyzer [48] which is also from AbsInt GmbH and Bound-T, can compute the worst-case stack usage of the program in its binary form, which contributes to proving that execution of the program will not cause stack overflow. 2. Verification of Property Preservation Between Source and Executable Object Code FM.6.7, item f in DO-333, states, “By verifying the correctness of the translation of source to object code, formal analysis performed at the Source Code level against high or low-level requirements can be used to infer correctness of the Executable Object Code against high or low-level requirements.” Therefore, the main work at the binary code level is focused on verifying the traceability of the EOC to the source code. There are two mainstream approaches to verify correctness of the translation from source code to EOC.

Analysis of the minimum subset of the source code structure • Proving this property indirectly by formal verification of the compiler • In the verification process of ADC software, the method of analyzing the minimum subset of the source code structure is used to verify traceability from the EOC to source code. The specific process is described in Section 4.4. The formal verification of airborne software is a hot research topic in the field of safety-critical software. Many researchers have carried out relevant work, and some of their academic papers and industrial reports are cited in this paper. We list the formal methods or tools used in their studies and associate the verification work in these reports with the verification objectives in DO-333. According to the methodology of this paper, we divide all verification work into three stages; the final results are shown in Table1. Electronics 2020, 9, 327 8 of 20

Table 1. An overview of the veriﬁcation objectives achieved by formal methods in related work.

Stage Requirements and Design Source Code EOC Formal Ref Method or Compatibility Accuracy Conformance Conformance Accuracy Completeness Tools with the Algorithm and Verifiability to Compliance Traceability Verifiability to and Compliance Traceability and Traceability Target Accuracy Consistency Standards Standards Consistency Correctness Computer Caveat, Astrée, Souyris Frama-C, et al. [4] aiT, •••••• Stackanalyzer, Fluctuat Laurent SCADE [5] •••••••••• PVS, Kind, Cofer Simulink, et al. [7] Astrée, ••••••••••• PolySpace Fernandes Frama-C et al. [8] •••• Chaudemar Event-B et al. [9] •••••• Torens NuSMV et al. [10] • ◦ • • • • Lesar, SMV, Boniol SCADE, et al. [49] ••••••• Uppaal Miller Simulink, et al. [50] NuSMV • • • • ◦ Brauer RTT-STO et al. [51] ◦ • Webster Agent JPF et al. [52] • • • • ◦ RSML e, Tribble − PVS, et al. [53] ••••••• NuSMV Heitmeyer finite-state et al. [54] automaton •••••• indicates that the verification objective is fully satisfied. indicates that the verification objective is partially satisfied. • ◦ Electronics 2020, 9, 327 9 of 20

4. Formal Verification of Air Data Computer Software Electronics 2020, 9, x FOR PEER REVIEW 9 of 20 In this section, we conduct a complete formal verification process for Air Data Computer (ADC) software, which comprehensively demonstrates how our methodology can be applied to engineering projects.4. Formal Through Verification the demonstration of Air Data of Computer this case, Software we hope that readers will have a certain understanding of how to use formal methods to achieve the verification objectives in DO-333, and how to choose In this section, we conduct a complete formal verification process for Air Data Computer (ADC) the correspondingsoftware, which comprehensively formal methods demonstrates and tools. Forhow practicalour methodology applications, can be applied we should to engineering consider the characteristicsprojects. Through of the software the demonstration while carrying of this out case verification, we hope activities. that readers will have a certain understandingADC is an A-level of how software to use formal that receives methods the to input achieve signal the verification of the aircraft objectives airspeed in tube,DO-333, converts and it intohow a digital to choose signal the through corresponding analog quantity,formal methods and outputs and tools. atmospheric For practical parameters applications, after we calculation. should The softwareconsider the consists characteristics of 12 modules, of the software and we while will showcarrying part out of verification our experimental activities. contents and results. We selectADC the is parameter an A-level validitysoftware modulethat receives to demonstrate the input signal the of verification the aircraft airspeed process. tube, It analyzes converts the validityit into of a 15 digital parameters, signal through including analog static quantity, pressure, and total outputs pressure, atmospheric and total parameters temperature, after calculation. among others. We takeThe software total pressure consists parameters of 12 modules, as an and example we will andshow describe part of our its requirementsexperimental contents as follows: and results. We select the parameter validity module to demonstrate the verification process. It analyzes the validity ofIf 15 the parameters, combination including of total static pressure pressure, total sensor pressure, fails, and total total pressure temperature, is indicated among others. as invalid; We take else, • totaltotal pressure pressure parameters is valid. as an example and describe its requirements as follows: If the current total pressure value exceeds the limit but does not meet 10 consecutive cycles, • If the combination of total pressure sensor fails, total pressure is indicated as invalid; else, total totalpressure pressure is isvalid. set to be valid, and the value is set as that of the last period; if not, total pressure is invalid,If the current and the total value pressure obtained value is exceeds set as criticalthe limit value. but does not meet 10 consecutive cycles, total pressure is set to be valid, and the value is set as that of the last period; if not, total pressure is Theinvalid, primary and verification the value processobtained for is thisset as case critical is shown value. in Figure4. Since the ADC software contains many modules, the functions of the entire software are considered first during the requirements design The primary verification process for this case is shown in Figure 4. Since the ADC software phase, and different functions are detailed in the specific module. Therefore, refinement strategies contains many modules, the functions of the entire software are considered first during the can be considered in verification at the requirements level. This is why we chose to use Event-B, requirements design phase, and different functions are detailed in the specific module. Therefore, which is based on model refinement to verify the relationship between HLR and LLR, as shown in refinement strategies can be considered in verification at the requirements level. This is why we chose Sectionto use 4.1 Event-B,. In terms which of traceability is based on model between refinemen sourcet codeto verify and the requirements, relationship between we need HLR to individuallyand LLR, verifyas whethershown in theSection code 4.1. of eachIn terms module of traceability in ADC canbetween realize source the requirements.code and requirements, Therefore, we we need consider to the VCCindividually tool, which verify canwhether separate the code each of each module module independently in ADC can realize and achieve the requirements. separate Therefore requirements, verificationwe consider objectives the VCC without tool, requiringwhich can a separate full scan ea ofch the module entire independently software code. and The achieve relevant separate content is describedrequirements in Section verification 4.2. In Sectionobjectives 4.3 without, PolySpace requiring is used a full to scan detect of the the entire source software code code. statically, The relevant because it is a relativelycontent is described mature tool in Section for static 4.2. analysis In Section of 4.3, codes, PolySpace which is can used detect to detect runtime the source errors code without statically, running programsbecause in it theis a relatively actual environment. mature tool for Finally,static anal weysis verify of codes, the which traceability can detect between runtime the errors EOC without and the sourcerunning code programs by analyzing in the the actual minimum environment. subset Finally of the, we source verify code the traceability structure between (Section the 4.4 EOC). The and detailed the verificationsource code process by analyzing will be describedthe minimum below. subset of the source code structure (Section 4.4). The detailed verification process will be described below.

FigureFigure 4. 4.Veriﬁcation Verification processprocess of ADC ADC Software. Software.

Electronics 2020, 9, 327 10 of 20

Electronics 2020, 9, x FOR PEER REVIEW 10 of 20 4.1. Compliance and Traceability from Low- to High-Level Requirements 4.1. Compliance and Traceability from Low- to High-Level Requirements To verify the relationship between HLR and LLR, a refinement strategy is considered. The modeling To verify the relationship between HLR and LLR, a refinement strategy is considered. The process commences from an abstract model and attains the final form of an efficient system through modeling process commences from an abstract model and attains the final form of an efficient system continuous refinement, which ensures traceability between the LLR and HLR. Event-B is a modeling through continuous refinement, which ensures traceability between the LLR and HLR. Event-B is a language based on refinement strategy, which allows controlling of the complexity of a system with modeling language based on refinement strategy, which allows controlling of the complexity of a progressive and safe development. Rodin is the application platform for Event-B language. Its crucial system with progressive and safe development. Rodin is the application platform for Event-B functions include modeling, static syntax analysis, model verification, etc. Rodin can automatically language. Its crucial functions include modeling, static syntax analysis, model verification, etc. Rodin generate proof obligations, and integrate SMT solvers (such as Z3, CVC3) and theorem prover (Isabella) can automatically generate proof obligations, and integrate SMT solvers (such as Z3, CVC3) and for automatic or interactive verification for validity of the generated proof obligation [55]. The accuracy theorem prover (Isabella) for automatic or interactive verification for validity of the generated proof of the refinement can be guaranteed by verifying the proof obligation in the model. Figure5 is obligation [55]. The accuracy of the refinement can be guaranteed by verifying the proof obligation the Event-B model based on requirement specifications and behavior descriptions of the parameter in the model. Figure 5 is the Event-B model based on requirement specifications and behavior validity module. descriptions of the parameter validity module.

Figure 5. Event-B model. Figure 5. Event-B model.

In mac1, we refined the state value of Ptfail, which was a Boolean variable, and counted the In mac1, we refined the state value of Ptfail, which was a Boolean variable, and counted the numbernumber of of times times the the total total pressure pressure value value exceeded exceeded the the boundary. boundary. If If the the total total pressure pressure value value exceeded exceeded the limit and reached 10 consecutive times, Ptfail was set to be true; otherwise, its value was false. At the limit and reached 10 consecutive times, Ptfail was set to be true; otherwise, its value was false. Atthe the same same time, time, we we used used two two gluing gluing invariables invariables in in mac1 mac1 to to describe the conversional relationshiprelationshipof of Ptfail between the two machines. Ptfail between the two machines. After the model was built, Rodin generated proof obligations, for example: failcount1/actinvalid/SIM. After the model was built, Rodin generated proof obligations, for example: failcount1/actinvalid/SIM. SIMSIM means means “simulation “simulation proof proof obligation”, obligation”, its its purpose purpose is is to to make make sure sure that that each each action action in in an an abstract abstract event is correctly simulated in the corresponding refinement. Another example is failcount1/gluing1/INV. event is correctly simulated in the corresponding refinement. Another example is failcount1/gluing1/INV. INVINV means means “invariant “invariant preservation preservation proofproof obligation”;obligation”; itit ensuresensures thatthat eacheach invariant invariant inin a a machine machine is is preservedpreserved by by each each event. event. SomeSome ofof Rodin’s Rodin’s built-inbuilt-intheorem theoremprovers provers can can automatically automatically verify verify most most of of thethe proof proof obligations. obligations. For For the the remaining remaining obligations, obligations, we we manually manually add add certain certain qualifications qualifications to to show show thethe satisfaction satisfaction of these invalidated invalidated rules rules or or prove prove them them interactively interactively by byusing using the theintegrated integrated provers provers with withinductive inductive rules. rules. Verification Verification of all ofthe all proof the proofobligati obligationon rules can rules ensure can ensure correctness correctness of the model, of the model,as well asas wellconsistency as consistency between between HLR and HLR LLR. and LLR. InIn thisthis case,case, we established established the the original original model model according according to to the the requirements requirements document document and and the therefined refined model model using using the the detailed detailed design design document; document; we wefound found that that certain certain SIM SIM obligations obligations could could not notbe beautomatically automatically verified. verified. After After exploring exploring the the reas reasons,ons, it itwas was found found that that some datadata outsideoutside thethe boundaryboundary values values were were not not further further processed processed in in the the detailed detailed design. design. AfterAfter wewe hadhad identifiedidentified a a further further refinementrefinement of of the the requirements, requirements, we we added added the the qualification qualification conditions conditions in in the the refined refined model model and and made made aa corresponding corresponding supplementary supplementary operation. operation. All All of of the the proof proof obligations obligations were were then then verified. verified. Since LLR was refined from HLR, we were able to achieve verification goals in DO-178C Appendix A [5], including: Electronics 2020, 9, 327 11 of 20

Since LLR was refined from HLR, we were able to achieve verification goals in DO-178C Appendix A[5], including: Electronics 2020, 9, x FOR PEER REVIEW 11 of 20 Table FM. A-4, Objective FM1: Low-level requirements comply with high-level requirements. • TableTable FM.FM. A-4,A-4, ObjectiveObjective FM6:FM1: Low-levelLow-level requirementsrequirements arecomply traceable with to high-level high-level requirements. requirements. • Table FM. A-4, Objective FM6: Low-level requirements are traceable to high-level requirements. At the same time, we formalized the requirements in mathematics based on natural language, At the same time, we formalized the requirements in mathematics based on natural language, which gets rid of ambiguity and integrates them to be dispersed in different chapters, without any which gets rid of ambiguity and integrates them to be dispersed in different chapters, without any interference and consideration from the real code. This process can also verify the accuracy, consistency, interference and consideration from the real code. This process can also verify the accuracy, and verifiability of requirements (Table FM. A-3: Objective FM2, FM4; Table FM. A-4: Objective FM2, consistency, and verifiability of requirements (Table FM. A-3: Objective FM2, FM4; Table FM. A-4: FM4, etc.). Objective FM2, FM4, etc.). 4.2. Compliance from Source Code to Requirements 4.2. Compliance from Source Code to Requirements The ADC software is implemented in C code. To realize automatic verification in C code, we appliedThe ADC Verifying software C is Compiler implemented (VCC), in aC toolcode. developed To realize by automatic Microsoft verification Research, in to C guarantee code, we complianceapplied Verifying from source C Compiler code to requirements.(VCC), a tool VCCdeveloped is based by onMicrosoft a Satisfiability Research, Modulo to guarantee Theories (SMT)compliance solver from called source Z3 [56 code]. It to uses requirements. the patterns VCC of deductive is based proofon a Satisfiabi to generatelity aModulo certain Theories number of(SMT) validity solver specifications. called Z3 [56]. By It using uses VCC,the patterns we first of formalized deductive proof the specification to generate bya certain Hoare number Logic and of manuallyvalidity specifications. transformed theBy pre-using and VCC, post-conditions we first formalized into annotations the specification that can beby acceptedHoare Logic by VCC. and VCCmanually generates transformed a logic languagethe pre- and (Boogie post-conditions PL) program into through annotations the annotated that can Cbe program, accepted andby VCC. then generatesVCC generates a standard a logic input language of theorem (Boogie provers PL) prog suchram as Z3 through for verification. the annotated All of theC program, specifications and then and othergenerates required a standard information input shouldof theorem be manually provers addedsuch as as Z3 annotations for verification. to the sourceAll of the code, specifications which may requireand other some required expertise; information following shou this,ld VCC be manually will automatically added as verify annotations the code. to Thethe verificationsource code, process which ismay shown require in Figure some6 expertise;. following this, VCC will automatically verify the code. The verification process is shown in Figure 6.

Figure 6. VerificationVeriﬁcation processprocess ofof compliancecompliance fromfrom sourcesource codecode toto requirements.requirements.

IfIf thethe proofproof isis successful,successful, VCCVCC willwill assumeassume thatthat thethe programprogram meetsmeets thethe specifications.specifications. IfIf thethe proofproof fails,fails, VCCVCC will will reflect reflect on on the the reason reason for failure.for failure. VCC VCC sometimes sometimes reports reports some (potential) some (potential) errors because errors webecause do not we provide do not enough provide information enough information to let VCC infer to let that VCC this infer suspected that this error suspected may not occur.error may Usually, not thisoccur. “error” Usually, can this be solved “error” by can strengthening be solved by the strengthening annotations. the annotations. TheThe followingfollowing isis aa samplesample ofof thethe annotationsannotations forfor validityvalidity ofof totaltotal pressurepressure parameters.parameters. DetailedDetailed grammargrammar rulesrules areare foundfound inin [[57].57]. TheThe fullfull versionversion ofof thethe formalformal specificationspecification ofof thethe modulemodule containscontains formalizationsformalizations ofof 15 15 parameters—about parameters—about 72 properties—and72 properties—and cost cost approximately approximately two man-weeks.two man-weeks. After theAfter verification, the verification, we found we found an (potential) an (potential) error: error: the specification the specification on checking on checking the rationality the rationality of some of datasome cannot data cannot be satisfied be satisfied by the by program. the program. Electronics 2020, 9, 327 12 of 20 Electronics 2020, 9, x FOR PEER REVIEW 12 of 20 Electronics 2020, 9, x FOR PEER REVIEW 12 of 20

requires(thread_local(&ad_air_data) && mutable(&pt_last) requires(thread_local(&ad_air_data) && mutable(&pt_last) &&mutable(&in_air_data)&& mutable(&fail_count)) &&mutable(&in_air_data)&& mutable(&fail_count)) writes(span(&ad_air_data)) writes(span(&ad_air_data)) writes(&pt_last) writes(&pt_last) ensures(fail_count.pt_fail > fail_count.last_fail || ((fail_count.pt_fail & 0x3ff) == 0x3ff)) ensures(fail_count.pt_fail > fail_count.last_fail || ((fail_count.pt_fail & 0x3ff) == 0x3ff)) ==>((ad_air_data.pt>PT_MAX_VALUE)|| (ad_air_data.pt((ad_air_data.pt>PT_MAX_VALUE)|| (ad_air_data.ptPT_MAX_VALUE)) ensures((((ad_air_data.pt < PT_MIN_VALUE) || (ad_air_data.pt>PT_MAX_VALUE)) ((fail_count.pt_fail & 0x3ff)! = 0x3ff)) ==>(ad_air_data.pt == pt_last)) ((fail_count.pt_fail & 0x3ff)! = 0x3ff)) ==>(ad_air_data.pt == pt_last)) ensures(((ad_air_data.pt >= PT_MIN_VALUE) && (ad_air_data.pt<=PT_MAX_VALUE)) ensures(((ad_air_data.pt >= PT_MIN_VALUE) && (ad_air_data.pt<=PT_MAX_VALUE)) ==>pt_last == ad_air_data.pt) ==>pt_last == ad_air_data.pt) The verification objective can be achieved by reviewing and resolving the error: Table FM. A-5, ObjectiveTheThe verificationverification FM1: Source objectiveobjective code can cancomplies bebe achievedachieved with low-level byby reviewingreviewing requirements. andand resolvingresolving thethe error:error: Table FM.FM. A-5,A-5, ObjectiveObjective FM1:FM1: SourceSource codecode compliescomplies withwith low-levellow-level requirements.requirements. 4.3. Static Analysis of Source Code Level 4.3.4.3. StaticStatic AnalysisAnalysis ofof SourceSource CodeCode LevelLevel The static analysis technique can be used to detect and prove run-time errors in source code. PolySpaceTheThe staticstatic is analysis analysisa static analysis techniquetechnique tool cancan that bebe focuses usedused toto on detectdet theect embedded andand proveprove systems run-timerun-time market, errorserrors involving inin sourcesource safety code.code. or PolySpacePolySpacelife-critical isis aa applications, staticstatic analysisanalysis which tooltool that thatis suitable focusesfocuses for onon airb thetheorne embeddedembedded software. systemssystems In this market,market, case, we involvinginvolving chose the safetysafety PolySpace oror life-criticallife-criticalCode Prover applications,applications, to statically whichwhich analyze isis suitablesuitable the source forfor airborneairb code.orne software.Itsoftware. can prove InIn thisthisthe case,absencecase, wewe of chosechose overflow, thethe PolySpacePolySpace divide-by- CodeCodezero, ProverProver out-of- to to statically boundsstatically array analyze analyze access, the the source and source other code. code. run-time It canIt can prove errors prove the in the absence C andabsence C++ of overflow, sourceof overflow, code divide-by-zero, [58]. divide-by- out-of-zero, out-of- boundsWe created bounds array a access,arraynew project access, and other inand PolySpace, run-timeother run-time errorsplaced errors in the C andcode in C together ++andsource C++ with source code its [ code58associated]. [58]. headers in theWeWe same created created folder, a a new new and project projectthen inran in PolySpace, thePolySpace, code prover. placed placed theAfter the code codethe together operation, together with with each its associatedits code associated statement headers headers was in thecolor- in samethecoded same folder, tofolder, andindicate then and whether ranthen the ran code it the is prover.free code of prover. run-time After the After e operation,rrors, the provenoperation, each to code fail, each statement unreachable, code statement was or color-coded unproven. was color- to The indicatecodedanalysis to whether indicate results it whether of is freethe ofparameter it run-timeis free of va errors,run-timelidity provenmodule errors, to are proven fail, displayed unreachable, to fail, in unreachable, Figure or unproven. 7. As or can unproven. The be analysisseen Thein the resultsanalysisfigure, of resultsthe there parameter are of thesome parameter validity unreachable module validity codes are module displayed(dead code).are indisplayed FigureOn clicking7. Asin Figure canon the be 7. seensection As in can thewe be are figure, seen focusing therein the on, arefigure,the some programthere unreachable are jumpssomecodes unreachable to the (dead relevant code). codes code On(dead area. clicking code). A ma on Onnual the clicking section review on we observed the are section focusing that we on,certain arethe focusing programlogic errorson, jumpstheresult program to thein a relevant jumpsdead code.to code the area.Somerelevant Aprogram manual code area. reviewblocks A ma observedcannual never review that be certainexecuted observed logic because that errors certain resultthe correspondinglogic in a errors dead code.resultconditionsSome in a programdead will code.never blocks Somebe satisfied. can program never be blocks executed can because never be the executed corresponding because conditions the corresponding will never beconditions satisfied. will never be satisfied.

FigureFigure 7. Result 7. Result of PolySpace of PolySpace analysis. analysis. Figure 7. Result of PolySpace analysis. By solvingBy solving the problemsthe problems found byfound PolySpace, by PolySpace, we can achieve we can the achieve following the veriﬁcation following objectives: verification objectives:By solving the problems found by PolySpace, we can achieve the following verification objectives:Table FM. A-5, Objective FM3: Source Code is veriﬁable. • • Table FM. A-5, Objective FM3: Source Code is verifiable. • Table FM. A-5, Objective FM6: Source Code is accurate and consistent. • • TableTable FM. FM. A-5, A-5, Objective Objective FM3: FM6: Source Source Code Code is verifiable.is accurate and consistent. • Table FM. A-5, Objective FM6: Source Code is accurate and consistent.

Electronics 2020, 9, 327 13 of 20

Electronics 2020, 9, x FOR PEER REVIEW 13 of 20 4.4. Traceability from Executable Object Code to Source Code 4.4. Traceability from Executable Object Code to Source Code As explained in RTCA/DO-178C, airborne software structure coverage analysis can be performed As explained in RTCA/DO-178C, airborne software structure coverage analysis can be at the source code level. If the software is at the A level and the object code generated during the performed at the source code level. If the software is at the A level and the object code generated compilation cannot be traced back to the source code, additional validation must be performed at the during the compilation cannot be traced back to the source code, additional validation must be object code level to ensure correctness of the object code [59]. Hence, for the object code generated performed at the object code level to ensure correctness of the object code [59]. Hence, for the object by the A-level airborne software, in addition to source code level coverage analysis, the traceability code generated by the A-level airborne software, in addition to source code level coverage analysis, analysis between the source code and the object code must be completed, and the additional object the traceability analysis between the source code and the object code must be completed, and the code that cannot be traced back to the source code should be further veriﬁed. The methods mentioned additional object code that cannot be traced back to the source code should be further verified. The in Section 3.3 will be applied to verify traceability from EOC to source code so that the veriﬁcation methods mentioned in Section 3.3 will be applied to verify traceability from EOC to source code so objectives of the EOC can be achieved. that the verification objectives of the EOC can be achieved. In general, traceability from EOC to source code can be performed using two strategies: In general, traceability from EOC to source code can be performed using two strategies: comprehensive object code analysis and minimum subset of source code structure analysis. comprehensive object code analysis and minimum subset of source code structure analysis. Comprehensive object code analysis compiles the source code into assembly code, and thereafter Comprehensive object code analysis compiles the source code into assembly code, and thereafter manually determines which object code is not required to run the source code. The main purpose of manually determines which object code is not required to run the source code. The main purpose of analyzing the minimum subset of the source code structure is to write the sample code according to the analyzing the minimum subset of the source code structure is to write the sample code according to constraints of the software coding standard, compile it, and use manual analysis to examine the trace the constraints of the software coding standard, compile it, and use manual analysis to examine the relationship between the object code of the sample code and the source code [60]. In comparison to trace relationship between the object code of the sample code and the source code [60]. In comparison comprehensive code analysis, the work for traceability analysis of the source code structure minimum to comprehensive code analysis, the work for traceability analysis of the source code structure subset analysis method is greatly reduced, and the analysis report can be reused in multiple onboard minimum subset analysis method is greatly reduced, and the analysis report can be reused in software projects [61]. To demonstrate the versatility of this method, minimum subset of code structure multiple onboard software projects [61]. To demonstrate the versatility of this method, minimum analysis was applied to verify the traceability from EOC to source code, based on three aspects subset of code structure analysis was applied to verify the traceability from EOC to source code, (discussed below). The method is displayed in Figure8. based on three aspects (discussed below). The method is displayed in Figure 8.

Figure 8. Analysis of minimum subset of the source code.

1. Traceability Traceability from from sample object code to sample source code:code: According to ADC software coding standards, standards, the the programming programming language, language, rules, rules, complexity, complexity, etc. etc. used used in software in software coding coding are first are ﬁrstconstrained constrained and andlimited; limited; thereafter, thereafter, the theminimum minimum su subsetbset of ofsoftware software source source code code structures structures is extracted asas per per the the constraints constraints and and restrictions restrictions in the in ADC the softwareADC software coding standard.coding standard. This is followed This is byfollowed comparison by comparison of the source of the code source of the code ADC ofsoftware the ADC project software with project the minimum with the subsetminimum of the subset source of codethe source structure; code this structure; helps determine this helps whether determine the minimum whether the subset minimum of the source subset code of the structure source covers code allstructure source covers code structuresall source incode the structures ADC software in the project. ADC software Subsequently, project. theSubsequently, sample source the codesample is compiled,source code according is compiled, to the according minimum to subsetthe minimum of the source subset code of the structure. source code The samplestructure. source The sample code is actuallysource code compiled is actually in the compiled same compilation in the same environment, compilation which environment, includes which the use includes of the same the use compiler of the andsame setting compiler of the and same setting options of the to compilesame options the sample to compile code. Thisthe sample is followed code. by This manual is followed analysis by of traceabilitymanual analysis from of sample traceability EOC to from sample sample source EOC code. to sample source code. 2. Consistency from sample object code to ADC software object code: On comparing the sample object code and the ADC software object code through manual analysis, we verify that the ADC software structure coverage meets the requirements of RTCA/DO-178C at the object code level. Electronics 2020, 9, 327 14 of 20

2. Consistency from sample object code to ADC software object code: On comparing the sample object code and the ADC software object code through manual analysis, we verify that the ADC softwareElectronics structure 2020, 9, x FOR coverage PEER REVIEW meets the requirements of RTCA/DO-178C at the object code level.14 of 20 Electronics3. Consistency 2020, 9, x FOR from PEER sample REVIEW source code to source code decompiled by ADC software14 object of 20 code: Based3. Consistency on the existing from sample object codesource of code ADC to software, source code the IDA decompiled Pro was by utilized ADC insoftware this project object as a 3. Consistency from sample source code to source code decompiled by ADC software object code: Based on the existing object code of ADC software, the IDA Pro was utilized in this project as disassemblycode: Based tool. on The the assemblyexisting object instructions code of acquired ADC soft byware, IDA the Pro IDA was Pro shown was inutilized Figure in9. this As mentioned project as a disassembly tool. The assembly instructions acquired by IDA Pro was shown in Figure 9. As previously,a disassembly it is a powerfultool. The assembly and complicated instructions tool, acquired as it consists by IDA of Pro several was plugins.shown in The Figure Hex-Rays 9. As mentioned previously, it is a powerful and complicated tool, as it consists of several plugins. The Decompiler,mentioned which previously, is one it ofis itsa powerful well-known and complicated plug-ins for tool, automatic as it consists decompilation, of several plugins. was used The to Hex-Rays Decompiler, which is one of its well-known plug-ins for automatic decompilation, was decompileHex-Rays the Decompiler, assembly instructions which is one into of C its files. well-known More importantly, plug-ins itfor supports automatic the decompilation, compiler-generated was used to decompile the assembly instructions into C files. More importantly, it supports the compiler- codeused for theto decompile x86, x64, ARM32,the assembly ARM64 instructions and PowerPC into C processors,files. More importantly, satisfying the it supports needs of mostthe compiler- airborne generated code for the x86, x64, ARM32, ARM64 and PowerPC processors, satisfying the needs of most softwaregenerated decompilations code for the x86, [62]. x64, The ARM32, Hex-Rays ARM64 Decompiler and PowerPC was processors used to decompile, satisfying thethe objectneeds of code most of airborne software decompilations [62]. The Hex-Rays Decompiler was used to decompile the object code the ADCairborne software software to decompilations acquire the decompiled [62]. The Hex-Rays source Decompiler code, as displayed was used to in decompile Figure 10 .the By object manually code of the ADC software to acquire the decompiled source code, as displayed in Figure 10. By manually analyzingof the ADC the sample software source to acquire code andthe decompiled the generated source source code, code as decompileddisplayed in fromFigure the 10. ADC By manually software analyzing the sample source code and the generated source code decompiled from the ADC software objectanalyzing code, not the onlysample can source the object code codeand the that generate cannotd besource traced code back decompiled to the source from codethe ADC be identified, software object code, not only can the object code that cannot be traced back to the source code be identified, but it but itobject can code, also confirmnot only thatcan the the object additional code that object cannot code be istraced correct back by to combining the source code the first be identified, aspect. but it can also confirm that the additional object code is correct by combining the first aspect. can also confirm that the additional object code is correct by combining the first aspect.

Figure 9. Assembly instructions. FigureFigure 9. 9.Assembly Assembly instructions. instructions.

Figure 10. Obtained C code. FigureFigure 10. 10.Obtained Obtained C C code. code. By verifying the traceability of the target code to the source code, the objective can be By verifying the traceability of the target code to the source code, the objective can be guaranteed. guaranteed.  Table FM. A-7, Objective FM9: Verification of property preservation between source and object code.  Table FM. A-7, Objective FM9: Verification of property preservation between source and object code. Electronics 2020, 9, 327 15 of 20

By verifying the traceability of the target code to the source code, the objective can be guaranteed.

Table FM. A-7, Objective FM9: Veriﬁcationof property preservation between source and object code. • Then, the properties of the executable object code can be speculated by analyzing the source code.

4.5. Analysis of the Verification Results In this paper, we introduced the verification properties and results of the ADC software’s parameter validity module at each step, and analyzed the errors found by formal verification. In Table2, we summarize the issues observed in the case study of the ADC software.

Table 2. Formal veriﬁcation results of the ADC software.

Properties under Verification Process Potential Errors Identified Errors Time-Consuming Verification Formal analysis of 276 3 3 2 man-months requirements and design Compliance from source 342 8 6 3 man-months code to requirements Static analysis in source 90 min 230 13 7 code level (running time) Formal analysis of 201 30 0 4 man-months executable object code Total number 1049 54 16 9 man-months

The ADC software has a total of 12 modules. Formal verification of each module was conducted separately, as per the process mentioned above. The verification process was divided into four stages: formal analysis of requirements and design, compliance from source code to requirements, static analysis in source code level, and formal analysis of the executable object code. The properties under verification refer to the properties that the artifacts produced at each stage need to be satisfying. The total number of the verified properties in ADC software was 1049. After the formal verification process, we found some unsatisfied properties at various stages, known as potential errors. These errors had to be reviewed and analyzed again as the formal tools used in the verification process were not qualified. After a manual review, some potential errors were eliminated, and the rest identified as errors. Through modeling in Event-B, certain inconsistencies were observed in the abstract and the refined model, which indicated logic problems in the requirement and design documents. Some potential errors detected by VCC were determined to be caused by not qualifying the conditions of the annotations. Hence, the actual number of errors was less than the potential errors. For static analysis in the source code level, PolySpace detected some potential errors such as bad return value, uninitialized variables, dead code, etc. After retesting, it was observed that certain potential errors would never occur. The reason for such phenomenon is that static analysis usually adopts an abstract model of the program, which can result in the loss of some information, thereby producing false alarms. During verification of the binary code, we found that some additional generated object codes could not be traced back to the source code. By validating the additional generated object codes through manual review and analysis, we found that they were generated automatically for functions such as handling exceptions and checking the boundaries of the array. In the last column of Table2, the time spent on each phase of the project is displayed. The ADC software was tested prior to formal verification. It can be seen in Table2 that formal verification can detect certain errors that testing cannot find, especially for products that are in the early stages of development, such as requirement and design documentation. This shows that formal verification can identify errors much earlier in the design cycle, as compared to testing, which potentially saves money, due to less scrap and rework. Besides, static analysis can detect errors, which, in practice cannot be identified by testing, like dead codes. However, formal verification is time-consuming, Electronics 2020, 9, 327 16 of 20 incurs high costs, and requires the verifier to be highly skilled. Therefore, the application of formal methods is highly recommended as a supplement to testing and to identify problems that testing alone cannot resolve. Electronics 2020, 9, x FOR PEER REVIEW 16 of 20 The verification objectives implemented in this case are summarized in Figure 11. - indicate that verification objective is fully satisfied. - • indicate that verification objective is fully satisfied. - indicate that verification objective is partially satisfied. - ◦ indicate that verification objective is partially satisfied.

Figure 11. Achieved verification objectives. Figure 11. Achieved verification objectives. Some verification objectives are partially satisfied, indicating that only a portion of the properties requiredSome by verification the objectives objectives can be are verified. partially Forsatisfied, example, indicating the objective that only of a high-levelportion of the requirements properties requiredconforming by tothe standards objectives that can can be onlyverified. be partially For example, proved; the in objective this project, of high-level only the Event-B requirements model conformingthat describes to thestandards high-level that requirements can only be partially conforms proved; to the syntaxin this standardsproject, only ofEvent-B. the Event-B Due model to the thattwo-way describes tracking the relationshiphigh-level requirements of traceability, conforms traceability to the from syntax source standards code to low-levelof Event-B. requirements Due to the verifiedtwo-way by tracking VCC can relationship only show of that traceability, all low-level tracea requirementsbility from source are developed code to low-level into source requirements code, but it verifiedcannot be by inferred VCC can that only all show source that code all low-level can be traced requirements to some low-levelare developed requirements, into source which code, can but be it cannotillustrated be inferred through that a review. all source code can be traced to some low-level requirements, which can be illustratedDO-178C through states a thatreview. the tools used to generate software or to verify software must be verified to ensureDO-178C degree states of accuracy. that the This tools process used to of generate verifying soft theware accuracy or to verify of tools software is known must as be qualification. verified to ensureSince the degree tools of applied accuracy. in this This case process can automateof verifying the the verification accuracy processof tools andis known their outputsas qualification. used to Sincejustify the the tools elimination applied of in or this reduction case can in automate verification the processes, verification these process tools mustand their be qualified, outputs asused these to processesjustify the mayelimination fail to detect of or reduction errors. The in specificverification tool processes, qualification these process tools shouldmust be refer qualified, to the as DO-330 these (Softwareprocesses Toolmay Qualificationfail to detect errors. Considerations) The specific issued tool byqualification the RTCA. process The verification should refer results to the can DO-330 also be (Softwaredouble-checked Tool Qualification through review Considerations) techniques andissued other by the analysis RTCA. methods. The verification In the software results can life also cycle, be double-checkedreviewing methods through such review as planning, techniques requirements, and other design, analysis code, methods. and peer In reviewsthe software can belife used cycle, to reviewingreview software methods products such as in planning, different requirements, development periods.design, code, Analysis and peer methods reviews include can be functional used to reviewhazard software assessment products (FHA), in failure different modes developmen and effectst periods. analysis Analysis (FMEA), meth failureods tree include analysis functional (FTA), hazardcommon assessment cause analysis (FHA), (CCA), failure etc. modes A double-check and effects refers analysis to verification (FMEA), failure using tree another analysis method (FTA), for commonobjectives cause that haveanalysis not been(CCA), verified. etc. A double-check For example, refers in the verificationto verification of traceabilityusing another of objectmethod code, for objectivesif the object that code have produces not been a redundant verified. For code, example, then the in impact the verification of this part of of traceability the code must of object be explained code, if thethrough object analysis. code produces In addition, a redundant simulation code, and then testing the im arepact common of this part software of the verification code must methods.be explained throughThis analysis. example In shows addition, in detail simulation howto and select testing an appropriateare commonformal software method verification based methods. on the level and characteristicsThis example shows of the software.in detail how During to select the verification an appropriate process, formal we method divided based the activity on the intolevel three and characteristicsstages and selected of the di software.fferent formal During methods the verification for each stage.process, The we selection divided ofthe specific activity verification into three stagestools is and based selected on the different characteristics formal methods of the softwarefor each stage. and the The verification selection of objectivesspecific verification to be realized. tools isFor based example, on the in the characteristics requirements of stage, the insoftware order to and verify the the verification compliance objectives and traceability to be betweenrealized. HLR For example,and LLR, wein the considered requirements the Event-B stage, modelin order based to verify on refinement the compliance strategy, and which traceability can ensure between transitivity HLR andbetween LLR, the we two considered layers’ models the throughEvent-B themodel built-in based prover on ofrefinement the Rodin strategy, platform. which In actual can industrial ensure transitivityapplications, between we need the to two refer layers’ to the models verification through objectives the built-in of diff provererent levels of the of Rodin airborne platform. software In actualdefined industrial in tables FM.applications, A-3 to FM. we A-7 need in DO-333 to refer to to consider the verification the formal objectives verification of methodsdifferent to levels be used. of airborneDue to the software cost and defined difficulty in tables of formal FM. verification,A-3 to FM. A-7 review in DO-333 and analysis to consider remain the theformal primary verification means methods to be used. Due to the cost and difficulty of formal verification, review and analysis remain the primary means of airborne software verification. On this basis, for some verification objectives that are difficult to achieve through review and analysis methods, appropriate formal methods should be selected for verification based on the characteristics of the software.

5. Conclusion and Future Work Electronics 2020, 9, 327 17 of 20 of airborne software verification. On this basis, for some verification objectives that are difficult to achieve through review and analysis methods, appropriate formal methods should be selected for verification based on the characteristics of the software.

5. Conclusion and Future Work Based on research on DO-333, this paper proposes a methodology to apply formal methods to the development and verification processes of airborne software. The methodology described in this paper covers the entire verification process of A-level software, as stipulated in DO-333. In this paper, the ADC software was cited to illustrate how the recommended methodology can be practically applied. A reference has been provided for the software verification process, which applies several formal verification tools mentioned in the methodology at different stages of the verification process to achieve multiple objectives. As is evident from the examples, formal methods can be applied to various stages of the software development process to identify certain errors at an early stage. Correcting these errors can reduce the cost of testing and reworking. In addition, it is not difficult to infer that formal methods are particularly convincing as they provide strong guarantees based on rigorous mathematical theories. It is hoped that readers of this paper are inspired by this example to practically apply formal methods. This paper successfully demonstrated the role of formal methods in the airworthiness certification process of airborne software. We are convinced that techniques, methods, and tools combining formal verification are the future of system verification. It can be safely assumed that in the near future, as more theories and tools become available for avionics, more formal verification techniques will be applied. These techniques are an effective approach to address the dramatic increase in issues arising from complexity of software, especially when safety is at stake. However, the abstraction and complexity of formal development methods make it difficult for non-professionals to comprehend and apply these methods effectively. It is very likely that substantial efforts and capital will be expended on the analysis of requirement modeling, software design, verification, and qualified tools. Therefore, we have decided to utilize a qualified toolchain for formal verification of airborne software in our next research endeavor. We are still working on advancing the application of formal methods on airborne software based on DO-333.

Author Contributions: Conceptualization, Y.H. and Q.L.; methodology, Z.C. and W.L.; resources, J.S. and Y.H.; formal analysis and verification, Z.C. and W.L.; project administration, J.S.; supervision, Y.H.; writing, Z.C and W.L. All authors have read and agreed to the published version of the manuscript. Funding: This research was funded by the National Natural Science Foundation of China under Grant No. 61602178, No. 61602177, and in part by the Shanghai Science and Technology Committee Rising-Star Program under Grant No. 18QB1402000. Conflicts of Interest: The authors declare no conflict of interest.

References

1. RTCA. DO-178B: Software Considerations in Airborne Systems and Equipment Certification; Boeing Commercial Airplane Group: Washington, DC, USA, 1992. 2. RTCA. DO-178C: Software Considerations in Airborne Systems and Equipment Certification; Boeing Commercial Airplane Group: Washington, DC, USA, 2011. 3. RTCA. DO-333: Formal Methods Supplement to DO-178C and DO-278A; Boeing Commercial Airplane Group: Washington, DC, USA, 2011. 4. Souyris, J.; Wiels, V.; Delmas, D.; Delseny, H. Formal verification of avionics software products. In International Symposium on Formal Methods; Springer: Berlin/Heidelberg, Germany, 2009; pp. 532–546. 5. Laurent, O. Using formal methods and testability concepts in the avionics systems validation and verification (v&v) process. In Proceedings of the Third International Conference on Software Testing, Verification and Validation, Paris, France, 6–10 April 2010; pp. 1–10. Electronics 2020, 9, 327 18 of 20

6. Bochot, T.; Virelizier, P.; Waeselynck, H.; Wiels, V. Model checking flight control systems: The airbus experience. In Proceedings of the 31st International Conference on Software Engineering—Companion Volume, Vancouver, BC, Canada, 16–24 May 2009; pp. 18–27. 7. Cofer, D.; Miller, S.P. Formal Methods Case Studies for DO-333; Rockwell Collins: Cedar Rapids, IA, USA, 2014; pp. 1–15. 8. Fernandes-Pires, A.; Polacsek, T.; Wiels, V.; Duprat, S. Use of formal methods in embedded software development: Stakes, constraints and proposal. In Proceedings of the Embedded Real Time Software and Systems (ERTS), Toulouse, France, 5–7 February 2014. 9. Chaudemar, J.-C.; Bensana, E.; Seguin, C. Model Based Safety Analysis for an Unmanned Aerial System; Open Archive Toulouse Archive Ouverte: Toulouse, France, 2010. 10. Torens, C.; Adolf, F. Using Formal Requirements and Model-Checking for Verification and Validation of an Unmanned Rotorcraft; AIAA Infotech @ Aerospace: Kissimmee, FL, USA, 2015; p. 1645. 11. Wing, J.M. A specifier’s introduction to formal methods. Computer 1990, 23, 8–22. [CrossRef] 12. Clarke, E.M.; Wing, J.M. Formal methods: State of the art and future directions. ACM Comput. Surv. 1996, 28, 626–643. [CrossRef] 13. Yamane, S. Deductive verification method of real-time safety properties for embedded assembly programs. Electronics 2019, 8, 1163. [CrossRef] 14. Hoare, C.A.R. For communicating sequential. In Logic of Programming and Calculi of Discrete Design: International Summer School; Bauer, F.L., Broy, M., Dijkstra, E.W., Hoare, C.A.R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 36, p. 277. 15. Mikk, E.; Lakhnech, Y.; Siegel, M.; Holzmann, G.J. Implementing statecharts in promela/spin. In Proceedings of the 2nd IEEE Workshop on Industrial Strength Formal Specification Techniques, Boca Raton, FL, USA, 23 October 1998; pp. 90–101. 16. Burch, J.R.; Clarke, E.M.; Mcmillan, K.L.; Dill, D.L.; Hwang, L.J. Symbolic model checking: 1020 states and beyond. Inf. Comput. 1992, 98, 142–170. [CrossRef] 17. Alur, R.; Dill, D.L. A theory of timed automata. Theor. Comput. Sci. 1994, 126, 183–235. [CrossRef] 18. Sun, J.; Liu, Y.; Dong, J.S. Model checking CSP revisited: Introducing a process analysis toolkit. In International Symposium on Leveraging Applications of Formal Methods, Verification and Validation; Springer: Berlin/Heidelberg, Germany, 2008; pp. 307–322. 19. Holzmann, G.J. The SPIN Model Checker: Primer and Reference Manual; Addison-Wesley: Boston, MA, USA, 2004. 20. McMillan, K.L. The SMV System: Symbolic Model Checking; Springer: Boston, MA, USA, 1993; pp. 61–85. 21. Kunnappilly, A.; Marinescu, R.; Seceleanu, C. A model-checking-based framework for analyzing ambient assisted living solutions. Sensors 2019, 19, 5057. [CrossRef][PubMed] 22. Grimm, T.; Lettnin, D.; Hübner, M. A survey on formal verification techniques for safety-critical systems-on-chip. Electronics 2018, 7, 81. [CrossRef] 23. Kaufmann, M.; Moore, J.S. ACL2: An industrial strength version of Nqthm. In Proceedings of the 11th Annual Conference on Computer Assurance, Gaithersburg, MD, USA, 17–21 June 1996; pp. 23–34. 24. Owre, S.; Rushby, J.M.; Shankar, N. PVS: A prototype verification system. In Proceedings of the International Conference on Automated Deduction, New York, NY, USA, 15–18 June 1992; pp. 748–752. 25. Nipkow, T.; Paulson, L.C.; Wenzel, M. Isabelle/HOL: A Proof Assistant for Higher-Order Logic; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2002; Volume 2283. 26. Delahaye, D. A tactic language for the system coq. In Proceedings of the International Conference on Logic for Programming Artificial Intelligence and Reasoning, Reunion Island, France, 11–12 November 2000; pp. 85–95. 27. Abdulla, P.A.; Deneux, J.; Lmarck, G.S.; Gren, H.A.; Kerlund, O.A. Designing safe, reliable systems using scade. In Proceedings of the International Conference on Leveraging Applications of Formal Methods, Paphos, Cyprus, 30 October–2 November 2004. 28. Abrial, J.-R.; Hallerstede, S. Refinement, decomposition, and instantiation of discrete models: Application to event-b. Fundam. Inform. 2007, 77, 1–28. 29. Huang, E.; Ramamurthy, R.; McGinnis, L.F. System and simulation modeling using sysml. In Proceedings of the 39th Conference on Winter Simulation, Piscataway, NJ, USA, 13–16 December 2007; pp. 796–803. Electronics 2020, 9, 327 19 of 20

30. Wei, X.; Dong, Y.; Sun, P.; Xiao, M. Safety analysis of AADL models for grid cyber-physical systems via model checking of stochastic games. Electronics 2019, 8, 212. [CrossRef] 31. Cimatti, A.; Clarke, E.; Giunchiglia, F.; Roveri, M. Nusmv: A new symbolic model verifier. In Proceedings of the International Conference on Computer Aided Verification, Trento, Italy, 6–10 July 1999; pp. 495–499. 32. Honda, K.; Tokoro, M. An object calculus for asynchronous communication. In Proceedings of the European Conference on Object-Oriented Programming, Geneva, Switzerland, 15–19 July 1991; pp. 133–147. 33. Whalen, M.W. A formal semantics for RSML-e. Comput. Sci. Eng. 2000, 2–10. 34. Cohen, E.; Dahlweid, M.; Hillebrand, M.; Leinenbach, D.; Moskal, M.; Santen, T.; Schulte, W.; Tobies, S. VCC: A practical system for verifying concurrent C. In Proceedings of the International Conference on Theorem Proving in Higher Order Logics, Munich, Germany, 17–20 August 2009; pp. 23–42. 35. Kirchner, F.; Kosmatov, N.; Prevosto, V.; Signoles, J.; Yakobowski, B. Frama-C: A software analysis perspective. Form. Asp. Comput. 2015, 27, 573–609. [CrossRef] 36. Corbett, J.C.; Dwyer, M.B.; Hatcliff, J.; Laubach, S.; Pasareanu, C.S.; Robby; Zheng, H. Bandera: Extracting finite-state models from Java source code. In Proceedings of the International Conference on Software Engineering, Limerick, Ireland, 4–11 June 2000; pp. 439–448. 37. Cavada, R.; Cimatti, A.; Dorigatti, M.; Griggio, A.; Mariotti, A.; Micheli, A.; Mover, S.; Roveri, M.; Tonetta, S. The nuXmv symbolic model checker. In Proceedings of the International Conference on Computer Aided Verification, Vienna, Austria, 18–22 July 2014; pp. 334–342. 38. Tzitzilonis, V.; Malandrakis, K.; Zanotti Fragonara, L.; Domingo, J.A.G.; Avdelidis, N.P.; Tsourdos, A.; Forster, K. Inspection of aircraft wing panels using unmanned aerial vehicles. Sensors 2019, 19, 1824. [CrossRef][PubMed] 39. Bertrane, J.; Cousot, P.; Cousot, R.; Feret, J.; Mauborgne, L.; Mine’, A.; Rival, X. Static analysis and verification of aerospace software by abstract interpretation. Found. Trends Progr. Lang. 2015, 2, 71–190. [CrossRef] 40. Cousot, P.; Cousot, R.; Feret, J.; Mauborgne, L.; Mine’, A.; Monniaux, D.; Rival, X. The astre’e analyzer. In European Symposiumon Programming; Springer: Berlin/Heidelberg, Germany, 2005; pp. 21–30. 41. Prover, P.C. Static Analysis with Polyspace Products; Mathworks: Natick, MA, USA, 2014. 42. Delmas, D.; Goubault, E.; Putot, S.; Souyris, J.; Tekkal, K.; Ve’drine, F. Towards an industrial use of fluctuat on safety-critical avionics software. In International Workshop on Formal Methods for Industrial Critical Systems; Springer: Berlin/Heidelberg, Germany, 2009; pp. 53–69. 43. Ball, T.; Rajamani, S.K. The SLAM project: Debugging system software via static analysis. In Proceedings of the 29th ACM Sigplan-Sigact Symposium on Principles of Programming Languages, Portland, OR, USA, 16–18 January 2002; pp. 1–3. 44. Henzinger, T.A.; Jhala, R.; Majumdar, R.; Sutre, G. Software verification with blast. In International SPIN Workshop on Model Checking of Software; Springer: Berlin/Heidelberg, Germany, 2003; pp. 235–239. 45. Kroening, D.; Tautschnig, M. CBMC—C bounded model checker. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Barcelona, Spain, 29 March–2 April 2014; pp. 389–391. 46. Ferdinand, C.; Heckmann, R. AiT: Worst-case execution time prediction by static program analysis. In Building the Information Society; Springer: Berlin/Heidelberg, Germany, 2004; pp. 377–383. 47. Holsti, N.; Saarinen, S. Status of the Bound-T Wcet Tool; Space Systems Finland Ltd.: Espoo, Finland, 2002. 48. Ferdinand, C.; Heckmann, R.; Le Sergent, T.; Lopes, D.; Martin, B.; Fornari, X.; Martin, F. Combining a high-level design tool for safety-critical systems with a tool for wcet analysis of executables. In Proceedings of the 4th European Congress on Embedded Real Time Software (ERTS), Toulouse, France, 29 January–1 February 2008. 49. Boniol, F.; Wiels, V.; Ledinot, E. Experiences in using model checking to verify real time properties of a landing gear control system. In Proceedings of the 3rd European Congress Embedded Real Time Software, Toulouse, France, 25–27 January 2006. 50. Miller, S.; Anderson, E.; Wagner, L.; Whalen, M.W.; Heimdahl, M.P.E. Formal verification of flight critical software. In Proceedings of the AIAA Guidance, Navigation, and Control Conference and Exhibit, San Francisco, CA, USA, 14–17 August 2005; p. 6431. 51. Brauer, J.; Dahlweid, M.; Pankrath, T.; Peleska, J. Source-code-to-object-code traceability analysis for avionics software: Don’t trust your compiler. In Proceedings of the International Conference on Computer Safety, Reliability, and Security, Florence, Italy, 10–12 September 2014; pp. 427–440. Electronics 2020, 9, 327 20 of 20

52. Webster, M.; Cameron, N.; Jump, M.; Fisher, M. Towards Certification of Autonomous Unmanned Aircraft Using Formal Model Checking and Simulation; InfoTech @ Aerospace: Kissimmee, FL, USA, 2012; p. 2573. 53. Tribble, A.C.; Lempia, D.L.; Miller, S.P. Software safety analysis of a flight guidance system. In Proceedings of the 21st Digital Avionics Systems Conference, Irvine, CA, USA, 27–31 October 2002. 54. Heitmeyer, C.L.; Jeffords, R.D.; Labaw, B.G. Automated consistency checking of requirements specifications. ACM Trans. Softw. Eng. Methodol. 1996, 5, 231–261. [CrossRef] 55. Abrial, J.R.; Butler, M.; Hallerstede, S.; Hoang, T.S.; Mehta, F.; Voisin, L. Rodin: An open toolset for modelling and reasoning in event-b. Int. J. Softw. Tools Technol. Transf. 2010, 12, 447–466. [CrossRef] 56. de Moura, L.; Bjørner, N. Z3: An efficient smt solver. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Budapest, Hungary, 29 March–6 April 2008; pp. 337–340. 57. Moskal, M.; Schulte, W.; Cohen, E.; Hillebrand, M.A.; Tobies, S. Verifying C Programs: A VCC Tutorial; EMIC: Aachen, Germany, 2012. 58. Emanuelsson, P.; Nilsson, U. A comparative study of industrial static analysis tools. Electron. Notes Theor. Comput. Sci. 2008, 217, 5–21. [CrossRef] 59. Kos, T.; Mernik, M.; Kosar, T. A tool support for model-driven development: An industrial case study from a measurement domain. Appl. Sci. 2019, 9, 4553. [CrossRef] 60. Brockhoffand, D.; Zitzler, E. Dimensionality reduction in multiobjective optimization: The minimum objective subset problem. In Operations Research; Springer: Berlin/Heidelberg, Germany, 2007; pp. 423–429. 61. Browning, B. Floss: Flexible ordered subset analysis for linkage mapping of complex traits. Bioinformatics 2005, 22, 512–513. [CrossRef][PubMed] 62. Luo, Z.; Wang, B.; Tang, Y.; Xie, W. Semantic-based representation binary clone detection for cross-architectures in the internet of things. Appl. Sci. 2019, 9, 3283. [CrossRef]

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).