Convex Optimization Proves Software Correctness

Mardavij Roozbehani, Alexandre Megretski, and Eric Feron

2005 American Control Conference, June 8-10, 2005, Portland, OR, USA

Mardavij Roozbehani is currently with the Department of Aeronautics and Astronautics at Massachusetts Institute of Technology, Cambridge, MA. E-mail: mardavij@mit.edu
Alexandre Megretski is currently an associate professor of Electrical Engineering at MIT. E-mail: ameg@mit.edu
Eric Feron is currently an associate professor of Aeronautics and Astronautics at MIT. E-mail: feron@mit.edu

Abstract— This paper concerns analysis of real-time, safety-critical, embedded software. Software analysis is expected to verify whether the computer code will execute safely, free of run-time errors. The main properties to be analyzed to prove or disprove safe execution include boundedness of all variables and termination of the program in finite time. Herein the concepts of Lyapunov invariance and associated computational procedures are brought within the context of software analysis. Dynamical system representations of software systems, along with specific models that are suitable for analysis via Lyapunov-like functions, are developed. General forms for the Lyapunov-like invariants are then constructed in a way that certifies the desired properties. Convex optimization methods such as linear programming and/or semidefinite programming are then employed to find appropriate functions that fit into these general forms and therefore automatically establish the key properties of the software.

Index Terms— Software, Verification, Lyapunov Invariants, Optimization

I. INTRODUCTION

Software and software-enabled control systems are instrumental in the design and implementation of real-time, embedded control systems operating in uncertain environments. Examples include human-operated avionic vehicles, autonomous aerospace systems and multiple coordinating UAVs. As the functionality and performance of these mission-critical systems rely heavily on software, it is crucially important to verify the reliability and correctness of the embedded software. The very least to require is that the software must be free of run-time errors. On the other hand, the dramatically growing complexity of these modern control systems demands equal growth in the complexity of the underlying software. The complexity issue brings significant computational and mathematical challenges to the analysis of the embedded software, as far as verification of certain properties is concerned.

The software properties that are critical for safe execution include: (1) absence of variable overflow, (2) absence of ‘array index out-of-bounds’ calls, (3) termination of the functions and sub-functions and, if required, the program itself in finite time. Some additional properties that might be desired in reliable, safety-critical software include: (4) robustness to uncertain inputs, including feedback from analog systems, (5) validity of certain inequalities relating inputs and outputs, and (6) absence of ‘dead code’.

The first property is in some sense equivalent to the stability property of (nonlinear) dynamical systems, which is known to be undecidable even for the simplest cases (for instance piecewise linear systems). Moreover, it is well known that a general procedure that takes a computer program as input and correctly decides whether the program terminates in finite time does not exist. We therefore are not aiming at finding computationally efficient algorithms that are guaranteed to work on all instances of computer programs. Instead, we search for efficient algorithms that work reasonably well for most practical instances.

Pioneered by the works of Cousot, perhaps the most noteworthy results in the literature that deal with software verification are based on the notion of abstract interpretation. See for instance [4],[6]. See also [7],[8]. Abstract interpretation is a theory for approximating the semantics of software and is used for statically analyzing the dynamical properties of computer programs. According to [4], abstract interpretation is defined as an approximate program semantics derived from the domain of concrete semantic operations by replacing it with a domain of abstract semantic operations. In essence, the abstraction-based techniques perform approximate/abstract symbolic executions of the program, until an inductive assertion which remains invariant under further executions of the
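The following is an added example, not code from the paper, showing how a Lyapunov-like invariant certifies property (1), boundedness of all variables, for a loop whose body is a linear update x <- A x. The loop, the matrix A and the initial box are constructed here; because the loop is linear, the quadratic function V(x) = x^T P x is obtained by solving the discrete Lyapunov equation A^T P A - P = -I directly rather than through the LP/SDP search the paper describes, and the sublevel set {V(x) <= c} containing the initial states is the invariant that bounds every later iterate.

```python
"""Lyapunov-invariant bound for a 2-state linear loop (constructed example)."""
import math

# Constructed loop body: (x1, x2) <- A @ (x1, x2); A chosen to be Schur stable.
A = [[0.9, 0.4],
     [-0.3, 0.5]]
X0_BOX = 100.0  # assumed initial set: |x1| <= 100 and |x2| <= 100


def solve_3x3(M, b):
    """Gauss-Jordan elimination with partial pivoting for a 3x3 linear system."""
    n = 3
    M = [row[:] + [b[i]] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [M[r][k] - f * M[c][k] for k in range(n + 1)]
    return [M[i][n] / M[i][i] for i in range(n)]


def lyapunov_matrix(A):
    """Solve A^T P A - P = -I for symmetric P = [[p, q], [q, r]] (3 unknowns)."""
    (a, b), (c, d) = A
    M = [[a * a - 1, 2 * a * c, c * c],            # (1,1) entry of A^T P A - P
         [a * b, a * d + b * c - 1, c * d],         # (1,2) entry
         [b * b, 2 * b * d, d * d - 1]]            # (2,2) entry
    p, q, r = solve_3x3(M, [-1.0, 0.0, -1.0])
    return [[p, q], [q, r]]


def V(P, x):
    """Quadratic Lyapunov-like function x^T P x."""
    return sum(x[i] * P[i][j] * x[j] for i in range(2) for j in range(2))


def step(A, x):
    return tuple(sum(A[i][j] * x[j] for j in range(2)) for i in range(2))


def certified_bounds(A, box):
    """Per-variable bound implied by the invariant {x : V(x) <= c}."""
    P = lyapunov_matrix(A)
    # V is convex, so its maximum over the initial box is attained at a corner.
    c = max(V(P, (s1 * box, s2 * box)) for s1 in (-1, 1) for s2 in (-1, 1))
    # V(Ax) - V(x) = -|x|^2 <= 0, so iterates stay in the sublevel set, and
    # x^T P x <= c implies x_i^2 <= c * (P^{-1})_{ii}.
    det = P[0][0] * P[1][1] - P[0][1] ** 2
    return tuple(math.sqrt(c * d) for d in (P[1][1] / det, P[0][0] / det))
```

Running the loop from any corner of the initial box never exceeds the returned bounds, which is the check a verifier would compare against the variables' integer or floating-point range to rule out overflow.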