VFPG

Last updated on Mar 20, 2023

VFPG: Verified Flight Plan Generator

VFPG is a generator of flight plan developed in Ocaml and Coq. The generator takes as input an XML describing a flight plan and it generates a C code that can be compiled and embedded on a drone.

This project is mainely designed to work with the Paparazzi UAV autopilot https://github.com/paparazzi/paparazzi. However, the generator has a modular architecture that can be adapted to easily support other autopilots.

Dependencies

Coq (tested with version 8.15)
OCaml (tested with version 4.13.1)
OCamlbuild (tested with version 0.14.1)
xml-light (tested with version 2.4)

MathComp is required and can be installed using OPAM (version 2.0 or later):

opam repo add coq-released https://coq.inria.fr/opam/released
opam install coq-mathcomp-ssreflect

Using the Generator

The project needs the source of Paparazzi and CompCert@9d3521b4. The sources must be modified and compiled in order to use the generator. These steps can be easily retrieved with the following script.

./configure

The generator can then be built using the Makefile.

make build

The description of the build process is described here

The generator can then be used with the following command:

./vfpg.native [XML input file] [C output file]

The Makefile can also launch tests.

make tests

All the tests available are described here

It is also possible to test the Clight generator using the command:

make CommonFP

This command will use CompCert to generate a Clight version of the file common-c-code/common_flight_plan.c (saved in the file generated/CommonFP.v). This file is then converted into C code using the CompCert printer. The result is written in out/common_flight_plan.h file.

Description of folders in the project

common-c-code: The common C code for all the flight plan.
docs: The documentation of the project.
frontend: The frontend Ocaml code for the generator.
generated: The Clight files generated with clightgen. They are stored as they are used in Coq proofs.
ocaml-generator: The Ocaml code of the previous Flight Plan generator of Paparazzi. This code has been extracted from the whole Paparazzi project for testing purpose. In this folder you can find:
- The folder src containing the main source of the previous generator.
- The folder src_paparazzi that contains all the libraries needed by the generator.
- The script run.sh that build and run the generator. It will produce in the out folder the C flight plan corresponding to examples/new_features.xml.
src: All the Coq sources of the generator. A description of these files can be found here.
tests: The scripts that launch all tests described here.
tools: Script use during the build process

Generate Coq Doc

make doc
firefox html/toc.html

A description of all Coq files can be found here.

New Features added

Forbidden deroute: Possibility to forbid certain deroute between blocks.
The filed on_enter and on_exit has been added for the blocks.
Height added to the oval (not added everywhere)
Return an errors if a flight plan contains more thant 256 blocks or stages.

Current Limitations

Currently, all the features are not implemented and some modifications from the original flight plan generator has been made:

When a C code is used for a condition, we considered that the execution return an integer value, evaluated as a boolean (returned value are converted into 0 or 1 only).
The parameter last_wp is a string.
Exceptions and forbidden deroute in loops are ignored.
on_enter option do not work for the first block.
If the next block is forbidden then the execution state does not change.
If there is an exception but the block is forbidden, then no deroute will occur.
The field exec must be an instruction.
The constant NB_BLOCK has been replaced by constant variables.
When there is a deroute, the current stage is not changed. In the case of a return, we jump in the deroute stage.
TODO: The proof uses a simplified version of the whole CommonFP.

More information about Paparazzi

To have information about Paparazzi, go directly on the website or on the GitLab project.

Publications

Formal Verification of an UAV autopilot: Static analysis and Verified Code Generation

Ensuring safety of critical systems is crucial and is often attained by extensive testing of the system. Formal methods are now commonly accepted as powerful tools to obtain guarantees on such systems, even if it is generally not possible to formally prove the safety and correctness of the whole system. This thesis deals with the formal verification of some software components of an autopilot. These components have been selected according to their criticality and should therefore be correct by construction and/or by verification. The goal of this thesis is first to review the formal verification and program proof methods that can be applied to such software in order to apply them on these components of the Paparazzi autopilot developed at ENAC. This thesis also aims to see if the analysis process using such techniques and associated tools can be applied on projects that already exist and are not designed for the verification tools. This thesis focuses on two techniques for the verification of two specific components of Paparazzi.

The first component is a Paparazzi mathematical library verified using the Frama-C platform. This library provides different UAV state representations and associated conversion functions that are used by the drone control system in order to take flight decisions. The Frama-C platform is used with the WP, EVA and RTE plugins to verify the absence of runtime errors in the library and some interesting functional properties on floating-point conversion functions. This verification work required the specification of the correctness properties in the form of function contracts (pre and post condition). The majority of the contracts were automatically verified by the SMT solvers except for some functional properties that must be manually helped using the Coq proof assistant.

The second component verified is a flight plan generator. Paparazzi has a domain specific language called FPL, used to specify flight plans. It is a programming and modelling language allowing the expression of complex missions. FPL missions are compiled into C code that is directly embedded into the autopilot code. The FPL to C code generator, currently written in OCaml, is therefore a critical component when addressing the drone safety. This thesis formally verifies the FPL compilation process. First, three-pass code generator, targeting the Clight intermediate language from the CompCert suite has been developed in Coq. Then, an operational semantics have been formally defined. Finally, the generator has been formally verified by manually proving a bisimulation relation between FPL semantics and Clight semantics. In the course of the formalization and verification process, we have also unveiled several problems in the original Paparazzi code generator.

Baptiste Pollien, PhD

PDF Project Project Slides

A Verified UAV Flight Plan Generator

FPL is a domain specific language used to specify complex drone missions for the Paparazzi open-source autopilot. FPL missions are compiled into C code that is directly embedded into the autopilot code. The FPL to C code generator, currently written in OCaml, is therefore a critical component when addressing the drone safety. This paper presents the formal verification of the FPL compilation process. First, we have developed in Coq a new three-pass code generator, targeting the Clight intermediate language from the CompCert suite. We have then formally defined an operational semantics for FPL. Finally, we have proved a bisimulation relation between FPL semantics and Clight semantics. In the course of the formalization and verification process, we have also unveiled several problems in the original Paparazzi code generator.

Baptiste Pollien, PhD, Christophe Garion, Gautier Hattenberger, Pierre Roux, Xavier Thirioux

PDF Project Slides