LCV: A Verification Tool for Linear Controller Software

Junkil Park 1(B), Miroslav Pajic 2, Oleg Sokolsky 1, and Insup Lee 1

1 Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA. {park11,sokolsky,lee}@cis.upenn.edu
2 Department of Electrical and Computer Engineering, Duke University, Durham, NC, USA. miroslav.pajic@duke.edu

© The Author(s) 2019. T. Vojnar and L. Zhang (Eds.): TACAS 2019, Part I, LNCS 11427, pp. 213–225, 2019. https://doi.org/10.1007/978-3-030-17462-0_12

Abstract. In the model-based development of controller software, the use of an unverified code generator/transformer may introduce unintended bugs into the controller implementation. To assure the correctness of the controller software in the absence of a verified code generator/transformer, we develop Linear Controller Verifier (LCV), a tool that verifies a linear controller implementation against its original linear controller model. LCV takes as input a Simulink block diagram model and a C code implementation, represents each of them as a linear time-invariant (LTI) system model, and verifies input-output equivalence between the two. We demonstrate that LCV successfully detects a known bug of a widely used code generator and a previously unknown bug of a code transformer. We also demonstrate the scalability of LCV and present a real-world case study with the controller of a quadrotor system.

1 Introduction

Most safety-critical embedded and cyber-physical systems have a software-based controller at their core. The safety of these systems relies on the correct operation of the controller. Thus, to obtain high assurance for such systems, it is imperative to ensure that the controller software is correctly implemented.

Nowadays, controller software is developed in a model-based fashion, using industry-standard tools such as Simulink [31] and Stateflow [36]. In this development process, the controller model is first designed and analyzed. Controller design is performed using a mathematical model of the control system that captures both the dynamics of the "plant", the entity to be controlled, and the controller itself. With this model, analysis is performed to conclude whether the plant model adequately describes the system to be controlled, and whether the controller achieves the desired goals of the control system. Once the control engineer is satisfied with the design, a software implementation is automatically produced by code generation from the mathematical model of the controller. Code generation tools such as Embedded Coder [30] and Simulink Coder [32]
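The input-output equivalence that the abstract refers to can be made concrete on state-space matrices. The following Python is an added example, not LCV's code and not necessarily the decision procedure LCV uses: it decides whether two discrete-time LTI realizations (A, B, C, D) have the same input-output behaviour by comparing the feedthrough term D and the leading Markov parameters C·A^k·B, and it cross-checks by simulating both realizations on the same input sequence. The controller matrices, the state transformation T (standing in for a code transformer that changes state coordinates), the "buggy" implementation with a dropped term, and the step input are all constructed for this example.

```python
from fractions import Fraction as F

# Matrices are lists of rows; Fractions keep the comparison exact.
def matmul(X, Y):
    """Multiply two matrices given as lists of rows."""
    assert len(X[0]) == len(Y), "inner dimensions must agree"
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def matadd(X, Y):
    """Entry-wise sum of two equally shaped matrices."""
    return [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def markov_parameters(A, B, C, D, count):
    """Return [D, CB, CAB, CA^2B, ...] with `count` entries.
    These are the impulse-response coefficients, so they characterise
    the input-output map regardless of the state coordinates used."""
    params = [D]
    AkB = B
    for _ in range(count - 1):
        params.append(matmul(C, AkB))
        AkB = matmul(A, AkB)
    return params

def io_equivalent(model, impl):
    """Decide input-output equivalence of two LTI realizations.
    The difference of the two impulse responses satisfies a linear
    recurrence of order at most n1 + n2 (Cayley-Hamilton applied to each
    system), so agreement on D and the first n1 + n2 Markov parameters
    implies agreement for all time."""
    A1, B1, C1, D1 = model
    A2, B2, C2, D2 = impl
    if len(B1[0]) != len(B2[0]) or len(C1) != len(C2):
        return False  # different number of inputs or outputs
    count = len(A1) + len(A2) + 1
    return (markov_parameters(A1, B1, C1, D1, count)
            == markov_parameters(A2, B2, C2, D2, count))

def simulate(sys, inputs):
    """Run x(k+1) = A x(k) + B u(k), y(k) = C x(k) + D u(k) from x(0) = 0."""
    A, B, C, D = sys
    x = [[F(0)] for _ in range(len(A))]
    outputs = []
    for u in inputs:
        outputs.append(matadd(matmul(C, x), matmul(D, u)))
        x = matadd(matmul(A, x), matmul(B, u))
    return outputs

def similarity_transform(sys, T, T_inv):
    """Rewrite a realization in new state coordinates z = T x.
    This changes A, B, C but must not change the input-output map."""
    A, B, C, D = sys
    return (matmul(matmul(T, A), T_inv), matmul(T, B), matmul(C, T_inv), D)

# Constructed sample data (hypothetical, not from the paper):
# a 2-state controller model with one input and one output.
MODEL = ([[F(1, 2), F(1)], [F(0), F(1, 3)]],   # A
         [[F(1)], [F(1)]],                      # B
         [[F(1), F(0)]],                        # C
         [[F(0)]])                              # D

# A correct "implementation": same controller in transformed coordinates,
# as an optimising code transformer might legitimately produce.
T = [[F(1), F(1)], [F(0), F(1)]]
T_INV = [[F(1), F(-1)], [F(0), F(1)]]
IMPL_OK = similarity_transform(MODEL, T, T_INV)

# A buggy "implementation": same state update, but the output
# computation silently dropped the contribution of the second state.
_A2, _B2, _C2, _D2 = IMPL_OK
IMPL_BUGGY = (_A2, _B2, [[F(1), F(0)]], _D2)

# Constructed step input: u(k) = 1 for six steps.
STEP_INPUT = [[[F(1)]] for _ in range(6)]

def check_all():
    """Return (equivalence verdict for IMPL_OK, verdict for IMPL_BUGGY)."""
    return io_equivalent(MODEL, IMPL_OK), io_equivalent(MODEL, IMPL_BUGGY)

if __name__ == "__main__":
    ok, buggy = check_all()
    print("transformed implementation equivalent:", ok)
    print("buggy implementation equivalent:", buggy)
    print("model outputs on step:", [y[0][0] for y in simulate(MODEL, STEP_INPUT)])
    print("buggy outputs on step:", [y[0][0] for y in simulate(IMPL_BUGGY, STEP_INPUT)])
```

The comparison is exact because the sample matrices are rational; for matrices extracted from generated C code, which carry floating-point constants, a practitioner would replace the `==` on Markov parameters with a tolerance check and then has to argue separately that the tolerance is small enough for the control application.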