Automated Formal Verification and Testing of C Programs for Embedded Systems *

Susanne Kandl, Raimund Kirner, Peter Puschner
Institut für Technische Informatik
Technische Universität Wien
Treitlstraße 3/182/1
A-1040 Wien, Austria
{susanne, raimund, peter}@vmars.tuwien.ac.at

* This work has been partially supported by the FIT-IT research project "Systematic test case generation for safety-critical distributed embedded real time systems with different SIL levels (TeDES)"; the project is carried out in cooperation with TU Graz, Magna Steyr, and TTTech.

Abstract

In this paper we introduce an approach for automated verification and testing of ANSI C programs for embedded systems. We automatically extract an automaton model from the C code of the SUT (system under test). On the one hand, this automaton model is used for the formal verification of the requirements defined in the system specification; on the other hand, we derive test cases from the same model. Both methods use a model checker. We describe our techniques for test case generation, which are based on producing counterexamples with a model checker by formulating trap properties. The resulting test cases can then be applied to the SUT on different test levels. An important issue for model checking C source code is the correct modeling of the semantics of a C program for an embedded system. We focus on the challenges and possible restrictions that appear when model checking is used for the verification of C source code. We specifically show how to deal with arithmetic expressions in the model checker NuSMV and how to preserve the numerical results when modeling the platform-specific semantics of C.

1 Introduction

Due to the increasing capacity of processors used in embedded systems, the complexity of the applied software is growing. Thus, more and more effort is needed for testing embedded systems software. Beside conventional testing techniques [6], new testing methods are starting to gain ground. The goal is to optimize the effort of testing, and thus it is an aim to automate most parts of the testing process. For safety-relevant embedded systems applications, safety standards like IEC 61508 [25] apply, which define strict conditions for the software quality and the demanded testing process. One way for automated verification and test case generation is based on formal methods. The SUT (system under test) is described as an automaton model. A model checker is used to verify the properties defined in the system specification. In our approach we automatically extract the model from the C code of the SUT. Verifying a property on the model means that this property holds on the C source code. Within the model extraction process we have to deal, amongst other issues, with transforming the arithmetic operations appearing in the application correctly to the automaton model. In a second step we use the model for deriving test cases automatically; these test cases can then be applied to the SUT. Depending on the execution environment of the produced test cases, we can find failures in the different representations of the SUT.

The article is organized as follows: In Section 2 we describe our 2-step approach for verification and testing of the system. In Section 3 the model extraction process is demonstrated on an example. Section 4 refers to the formal verification step. In Section 5 we explain our techniques for test case generation. Section 6 deals with the challenges when a model checker is used for the verification of C programs. In Section 7 we discuss our solution for dealing with arithmetic operations in the model checker NuSMV. Subsequently we present our preliminary results and give an overview of related work. Finally we conclude with a summary.
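The two ideas the abstract and introduction build on, deriving a test case from a model checker's counterexample to a trap property and modeling the platform-specific width of C arithmetic, can be illustrated with an added example that is not part of the paper or of the authors' NuSMV-based tool. It uses a constructed toy automaton for a C fragment over an `unsigned char` counter and a tiny explicit-state search standing in for the model checker; all names (`step`, `find_counterexample`, `replay_on_sut`) and the fragment itself are assumptions made for this illustration.

```python
from collections import deque

# Constructed toy SUT, given here as the C fragment it stands for:
#   unsigned char cnt = 0;
#   while (1) { if (in) cnt = cnt + 100; else cnt = 0; }
# The extracted automaton has state 'cnt'; the input 'in' is free at each step.

def step(cnt, inp, width_bits=8):
    """One transition of the extracted automaton. With width_bits=8 the
    platform semantics of C 'unsigned char' (wrap-around modulo 256) is kept;
    a wider width models the arithmetic as if it were unbounded."""
    return (cnt + 100) % (1 << width_bits) if inp else 0

def find_counterexample(trap, init=0, width_bits=8, max_depth=50):
    """Breadth-first reachability check standing in for the model checker.
    'trap' is a trap property: a predicate the model is (falsely) claimed never
    to satisfy. If a reachable state satisfies it, the shortest input sequence
    leading there is returned; that sequence is the generated test case.
    None means the trap really is unreachable within max_depth steps."""
    frontier = deque([(init, [])])
    seen = {init}
    while frontier:
        state, inputs = frontier.popleft()
        if trap(state):
            return inputs
        if len(inputs) >= max_depth:
            continue
        for inp in (0, 1):
            nxt = step(state, inp, width_bits)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, inputs + [inp]))
    return None

def replay_on_sut(inputs, width_bits=8):
    """Apply the generated test case to the SUT and report the final state,
    so the expected value can be compared against the real execution."""
    cnt = 0
    for inp in inputs:
        cnt = step(cnt, inp, width_bits)
    return cnt

# Trap property "cnt never equals 44": under 8-bit semantics 100+100+100
# wraps to 44, so the checker finds the test case [1, 1, 1]; if the model
# ignores the width, the same trap stays unreachable and no test is produced.
if __name__ == "__main__":
    print(find_counterexample(lambda c: c == 44))                 # [1, 1, 1]
    print(find_counterexample(lambda c: c == 44, width_bits=32))  # None
```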