Formal verification of the Paparazzi autopilot

Last updated on Jul 20, 2021

This project is a fork of Paparazzi UAV autopilot repository (https://github.com/paparazzi/paparazzi). The aim of this project is to verify the pprz_algebra library using Frama-C.

The GitLab project adds ACSL annotations and provides a script to automatically launch Frama-C. Frama-C analyses the code, checks for the absence of RTE (RunTime Errors) and verify some functional properties.

Required software

To run the verification, the following software are required:

Frama-C 23.0 (Vanadium)
Alt-Ergo 2.4.0
CVC4 1.9-prerelease
Z3 4.8.6
Coq 8.12.2
Why3 1.4.0
ctags

How to launch the verification process

First, go to the sw/airborne directory:

cd sw/airborne

Update the variable FRAMAC_PREFIX in frama-c-analysis.sh with the path of the directory containing Frama-C binary. Then, launch the script that starts the analysis:

./frama-c-analysis.sh

The WP smoke tests can be enabled with the environment variable SMOKE as follows:

SMOKE=1 ./frama-c-analysis.sh

Quick description of modified files

sw/airborne/frama-c-analysis.sh: a shell script that automatically launches the verification using Frama-C.
sw/airborne/output-frama-c-analysis.sh: a Python script used by frama-c-analysis.sh to read and analyse the results from Frama-C.
sw/airborne/math/pprz_algebra_(int|float|double).(h|c): the mathematical library of Paparazzi that has been verified. These files have been annotated with ACSL.
sw/airborne/math/pprz_algebra_(int|float|double)_frama_c.h: files containing definition of predicates, lemmas and logical functions used to verify the absence of RTE in the library.
sw/airborne/math/pprz_algebra_float_convert_rmat_frama_c.h: definition of predicates, lemmas and logical functions for the verification of functional properties.
sw/airborne/.frama-c/wp/interactive: Coq scripts containing the proof lemmas.
sw/airborne/.frama-c/wp/script: WP scripts containing the tactics used to prove some goals.

Verification process

The verification process combines the analysis of the EVA and WP plugins of Frama-C. The EVA plugin requires a program entry point (a main or a function) to start its analysis. The script frama-c-analysis.sh finds automatically all the names of the functions in the library using ctags. Then, verification is launched for every function FUNCTION with the following parameters:

-rte: adds RTE annotations in the code.
-no-warn-left-shift-negative: allows left shift for negative values.
-eva -lib-entry -main $FUNCTION: launches EVA analysis with $FUNCTION as the entry point. The initial state is determined by the preconditions specified in the contract of the function.
-wp-fct $FUNCTION: launches the WP verification with the following options:
- -wp-cache update: enables and uses cache.
- -wp-model real+Cast+ref: enables the real model to represent the arithmetic on floating-point numbers. The Cast option enables the usage of cast in the code. Finally, the ref option is used to enable optimization for reference parameters.
- -wp-prover alt-ergo,cvc4-strings-ce,z3,z3-ce,z3-nobv,coq,tip: adds the different provers needed to verify the goals.
- -wp-check-memory-model: Insert memory model hypotheses in the function contracts. Necessary as we use the ref memory model.
-cpp-extra-args=-I../include: adds the include directory of Paparazzi.
-cpp-extra-args=-DFRAMA_C_ANALYSIS: defines a C constant in order to remove certain portions of code that are not supported by Frama-C.

More information about Paparazzi

To have information about Paparazzi, go directly on the website or on the GitLab project.

Frama-C Paparazzi

Publications

Formal Verification of an UAV autopilot: Static analysis and Verified Code Generation

Ensuring safety of critical systems is crucial and is often attained by extensive testing of the system. Formal methods are now commonly accepted as powerful tools to obtain guarantees on such systems, even if it is generally not possible to formally prove the safety and correctness of the whole system. This thesis deals with the formal verification of some software components of an autopilot. These components have been selected according to their criticality and should therefore be correct by construction and/or by verification. The goal of this thesis is first to review the formal verification and program proof methods that can be applied to such software in order to apply them on these components of the Paparazzi autopilot developed at ENAC. This thesis also aims to see if the analysis process using such techniques and associated tools can be applied on projects that already exist and are not designed for the verification tools. This thesis focuses on two techniques for the verification of two specific components of Paparazzi.

The first component is a Paparazzi mathematical library verified using the Frama-C platform. This library provides different UAV state representations and associated conversion functions that are used by the drone control system in order to take flight decisions. The Frama-C platform is used with the WP, EVA and RTE plugins to verify the absence of runtime errors in the library and some interesting functional properties on floating-point conversion functions. This verification work required the specification of the correctness properties in the form of function contracts (pre and post condition). The majority of the contracts were automatically verified by the SMT solvers except for some functional properties that must be manually helped using the Coq proof assistant.

The second component verified is a flight plan generator. Paparazzi has a domain specific language called FPL, used to specify flight plans. It is a programming and modelling language allowing the expression of complex missions. FPL missions are compiled into C code that is directly embedded into the autopilot code. The FPL to C code generator, currently written in OCaml, is therefore a critical component when addressing the drone safety. This thesis formally verifies the FPL compilation process. First, three-pass code generator, targeting the Clight intermediate language from the CompCert suite has been developed in Coq. Then, an operational semantics have been formally defined. Finally, the generator has been formally verified by manually proving a bisimulation relation between FPL semantics and Clight semantics. In the course of the formalization and verification process, we have also unveiled several problems in the original Paparazzi code generator.

Baptiste Pollien, PhD

Project Project Slides

Verifying the Mathematical Library of a UAV Autopilot with Frama-C

Baptiste Pollien, PhD, Christophe Garion, Gautier Hattenberger, Pierre Roux, Xavier Thirioux

PDF Project Slides Teaser Video

Vérification d'une bibliothèque mathématique d'un autopilote avec Frama-C

This french article presents the verification of a mathematical library of the autopilot Paparazzi, using the Frama-C tool, in order to guarantee the absence of runtime error and some functional properties.

Baptiste Pollien, PhD

PDF Project Slides