Automatically finding bugs in a commercial cyber-physical system development tool chain with SLforge

Authors:
Shafiul Azam Chowdhury

University of Texas at Arlington

University of Texas at Arlington
View Profile

,
Soumik Mohian

University of Texas at Arlington

University of Texas at Arlington
View Profile

,
Sidharth Mehra

University of Texas at Arlington

University of Texas at Arlington
View Profile

,
Siddhant Gawsane

University of Texas at Arlington

University of Texas at Arlington
View Profile

,
Taylor T. Johnson

Vanderbilt University

Vanderbilt University
View Profile

,
Christoph Csallner

University of Texas at Arlington

University of Texas at Arlington
View Profile

ICSE '18: Proceedings of the 40th International Conference on Software EngineeringMay 2018Pages 981–992https://doi.org/10.1145/3180155.3180231

Published:27 May 2018Publication History

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

Pages 981–992

ABSTRACT

Cyber-physical system (CPS) development tool chains are widely used in the design, simulation, and verification of CPS data-flow models. Commercial CPS tool chains such as MathWorks' Simulink generate artifacts such as code binaries that are widely deployed in embedded systems. Hardening such tool chains by testing is crucial since formally verifying them is currently infeasible. Existing differential testing frameworks such as CyFuzz can not generate models rich in language features, partly because these tool chains do not leverage the available informal Simulink specifications. Furthermore, no study of existing Simulink models is available, which could guide CyFuzz to generate realistic models.

To address these shortcomings, we created the first large collection of public Simulink models and used the collected models' properties to guide random model generation. To further guide model generation we systematically collected semi-formal Simulink specifications. In our experiments on several hundred models, the resulting SLforge generator was more effective and efficient than the state-of-the-art tool CyFuzz. SLforge also found 8 new confirmed bugs in Simulink.

References

H. Alemzadeh, R. K. Iyer, Z. Kalbarczyk, and J. Raman. 2013. Analysis of Safety-Critical Computer Failures in Medical Devices. IEEE Security Privacy 11, 4 (July 2013), 14--26. Google ScholarDigital Library
Rajeev Alur. 2011. Formal verification of hybrid systems. InProc. 11th International Conference on Embedded Software, (EMSOFT) 2011. ACM, 273--278. Google ScholarDigital Library
Rajeev Alur, Aditya Kanade, S. Ramesh, and K. C. Shashidhar. 2008. Symbolic analysis for improving simulation coverage of Simulink/Stateflow models. In Proc. 8th ACM & IEEE International Conference on Embedded Software (EMSOFT). ACM, 89--98. Google ScholarDigital Library
Stanley Bak, Sergiy Bogomolov, and Taylor T. Johnson. 2015. HYST: A Source Transformation and Translation Tool for Hybrid Automaton Models. In Proc. 18th International Conference on Hybrid Systems: Computation and Control (HSCC). ACM, 128--133. Google ScholarDigital Library
Boris Beizer. 1990. Software testing techniques (second ed.). Van Nostrand Rein-hold. Google ScholarDigital Library
Olivier Bouissou and Alexandre Chapoutot. 2012. An Operational Semantics for Simulink's Simulation Engine. In Proc. 13th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, Tools and Theory for Embedded Systems (LCTES). ACM, 129--138. Google ScholarDigital Library
Angelo Brillout, Nannan He, Michele Mazzucchi, Daniel Kroening, Mitra Purandare, Philipp Rümmer, and Georg Weissenbacher. 2009. Mutation-Based Test Case Generation for Simulink Models. In 8th International Symposium on Formal Methods for Components and Objects (FMCO). Springer, 208--227. Google ScholarDigital Library
Junjie Chen, Wenxiang Hu, Dan Hao, Yingfei Xiong, Hongyu Zhang, Lu Zhang, and Bing Xie. 2016. An Empirical Comparison of Compiler Testing Techniques. In Proc. 38th International Conference on Software Engineering (ICSE). ACM, 180--190. Google ScholarDigital Library
R. J. Chevance and T. Heidet. 1978. Static Profile and Dynamic Behavior of Cobol Programs. SIGPLAN Not. 13, 4 (April 1978), 44--57. Google ScholarDigital Library
Shafiul Azam Chowdhury. 2018. Project Homepage. https://github.com/verivital/slsf_randgen/wiki. (2018). Accessed Feb 2018.Google Scholar
Shafiul Azam Chowdhury, Taylor T. Johnson, and Christoph Csallner. 2016. CyFuzz: A differential testing framework for cyber-physical systems development environments. In Proc. 6th Workshop on Design, Modeling and Evaluation of Cyber Physical Systems (CyPhy). Springer.Google Scholar
Christian S. Collberg, Ginger Myles, and Michael Stepp. 2007. An empirical study of Java bytecode programs. Softw., Pract. Exper. 37, 6 (2007), 581--641. Google ScholarDigital Library
T.H. Cormen, C.E. Leiserson, R.L. Rivest, and C. Stein. 2001. Introduction To Algorithms. MIT Press. Google ScholarDigital Library
Christoph Csallner and Yannis Smaragdakis. 2004. JCrasher: An automatic robustness tester for Java. Software---Practice & Experience 34, 11 (Sept. 2004), 1025--1050. Google ScholarDigital Library
Yanja Dajsuren, Mark G.J. van den Brand, Alexander Serebrenik, and Serguei Roubtsov. 2013. Simulink Models Are Also Software: Modularity Assessment. In Proc. 9th International ACM SIGSOFT Conference on Quality of Software Architectures (QoSA). ACM, 99--106. Google ScholarDigital Library
Florian Deissenboeck, Benjamin Hummel, Elmar Juergens, Michael Pfaehler, and Bernhard Schaetz. 2010. Model Clone Detection in Practice. In Proc. 4th International Workshop on Software Clones (IWSC). ACM, 57--64. Google ScholarDigital Library
Kyle Dewey, Jared Roesch, and Ben Hardekopf. 2015. Fuzzing the Rust Type-checker Using CLP. In Proc. 30th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 482--493.Google ScholarDigital Library
V. D'Silva, D. Kroening, and G. Weissenbacher. 2008. A Survey of Automated Techniques for Formal Software Verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 27, 7 (July 2008), 1165--1178. Google ScholarDigital Library
P. Fehér, T. Mészáros, L. Lengyel, and P. J. Mosterman. 2013. Data Type Propagation in Simulink Models with Graph Transformation. In Proc. 3rd Eastern European Regional Conference on the Engineering of Computer Based Systems. 127--137. Google ScholarDigital Library
K. Ghani, J. A. Clark, and Y. Zhan. 2009. Comparing algorithms for search-based test data generation of Matlab Simulink models. In Proc. IEEE Congress on Evolutionary Computation. 2940--2947. Google ScholarDigital Library
Antoine Girard, A. Agung Julius, and George J. Pappas. 2008. Approximate Simulation Relations for Hybrid Systems. Discrete Event Dynamic Systems 18, 2 (2008), 163--179. Google ScholarDigital Library
Mark Grechanik, Collin McMillan, Luca DeFerrari, Marco Comi, Stefano Crespi, Denys Poshyvanyk, Chen Fu, Qing Xie, and Carlo Ghezzi. 2010. An Empirical Investigation into a Large-scale Java Open Source Code Repository. In Proc. ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). ACM, 11:1--11:10. Google ScholarDigital Library
C. Guger, A. Schlogl, C. Neuper, D. Walterspacher, T. Strein, and G. Pfurtscheller. 2001. Rapid prototyping of an EEG-based brain-computer interface (BCI). IEEE Transactions on Neural Systems and Rehabilitation Engineering 9, 1 (March 2001), 49--58.Google ScholarCross Ref
Grégoire Hamon and John Rushby. 2007. An operational semantics for Stateflow. International Journal on Software Tools for Technology Transfer 9, 5 (2007), 447--456.Google ScholarDigital Library
Christian Holler, Kim Herzig, and Andreas Zeller. 2012. Fuzzing with Code Fragments. In Proc. 21th USENIX Security Symposium. USENIX Association, 445--458. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/holler Google ScholarDigital Library
Ishtiaque Hussain, Christoph Csallner, Mark Grechanik, Qing Xie, Sangmin Park, Kunal Taneja, and B.M. Mainul Hossain. 2016. RUGRAT: Evaluating program analysis and testing tools and compilers with large generated random benchmark applications. Software---Practice & Experience 46, 3 (March 2016), 405--431. Google ScholarDigital Library
Xiaoqing Jin, Jyotirmoy V. Deshmukh, James Kapinski, Koichi Ueda, and Ken Butts. 2017. Benchmarks for Model Transformations and Conformance Checking. https://cps-vo.org/node/12108. (2017). Accessed Feb 2018.Google Scholar
Aditya Kanade, Rajeev Alur, Franjo Ivancic, S. Ramesh, Sriram Sankaranarayanan, and K. C. Shashidhar. 2009. Generating and Analyzing Symbolic Traces of Simulink/Stateflow Models. In Proc. 21st International Conference on Computer Aided Verification (CAV). Springer, 430--445. Google ScholarDigital Library
Donald E. Knuth. 1971. An Empirical Study of FORTRAN Programs. Softw., Pract. Exper. 1, 2 (1971), 105--133.Google ScholarCross Ref
Vu Le, Mehrdad Afshari, and Zhendong Su. 2014. Compiler validation via equivalence modulo inputs. In Proc. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 216--226. Google ScholarDigital Library
Christopher Lidbury, Andrei Lascu, Nathan Chong, and Alastair F. Donaldson. 2015. Many-core Compiler Fuzzing. In Proc. 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 65--76. Google ScholarDigital Library
B. Liu, Lucia, S. Nejati, and L. C. Briand. 2017. Improving fault localization for Simulink models using search-based testing and prediction models. In Proc. 24th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). 359--370.Google Scholar
Reza Matinnejad, Shiva Nejati, Lionel C. Briand, and Thomas Bruckmann. 2016. SimCoTest: A test suite generation tool for Simulink/Stateflow controllers. In Proc. 38th International Conference on Software Engineering, (ICSE). ACM, 585--588. Google ScholarDigital Library
William M. McKeeman. 1998. Differential Testing for Software. Digital Technical Journal 10, 1 (1998), 100--107. http://www.hpl.hp.com/hpjournal/dtj/vol10num1/vol10num1art9.pdfGoogle Scholar
Barton P. Miller, Louis Fredriksen, and Bryan So. 1990. An Empirical Study of the Reliability of Unix Utilities. Commun. ACM 33, 12 (Dec. 1990), 32--44. Google ScholarDigital Library
M. Mohaqeqi and M. R. Mousavi. 2016. Sound Test-Suites for Cyber-Physical Systems. In 10th International Symposium on Theoretical Aspects of Software Engineering (TASE). 42--48.Google Scholar
Luan Viet Nguyen, Khaza Hoque, Stanley Bak, Steven Drager, and Taylor T. Johnson. 2018. Cyber-Physical Specification Mismatches. ACM Transactions on Cyber-Physical Systems (<a href="http://www.acm.org/TCPS/">TCPS</a>) (2018).Google Scholar
Luan Viet Nguyen, Christian Schilling, Sergiy Bogomolov, and Taylor T. Johnson. 2015. Runtime Verification of Model-based Development Environments. In Proc. 15th International Conference on Runtime Verification (RV).Google Scholar
Marta Olszewska, Yanja Dajsuren, Harald Altinger, Alexander Serebrenik, Marina A. Waldén, and Mark G. J. van den Brand. 2016. Tailoring complexity metrics for Simulink models. In Proc. 10th European Conference on Software Architecture Workshops. 5. http://dl.acm.org/citation.cfm?id=3004853 Google ScholarDigital Library
Vera Pantelic, Steven Postma, Mark Lawford, Monika Jaskolka, Bennett Mackenzie, Alexandre Korobkine, Marc Bender, Jeff Ong, Gordon Marks, and Alan Wassyng. 2017. Software engineering practices and Simulink: bridging the gap. International Journal on Software Tools for Technology Transfer (2017), 1--23. Google ScholarDigital Library
N. H. Pham, H. A. Nguyen, T. T. Nguyen, J. M. Al-Kofahi, and T. N. Nguyen. 2009. Complete and accurate clone detection in graph-based models. In Proc. 31st IEEE International Conference on Software Engineering (ICSE). 276--286. Google ScholarDigital Library
Pierre Giroux. 2018. Grid-Connected PV Array - File Exchange - Matlab Central. http://www.mathworks.com/matlabcentral/fileexchange/34752-grid-connected-pv-array. (Feb. 2018). Accessed Feb 2018.Google Scholar
A. C. Rajeev, Prahladavaradan Sampath, K. C. Shashidhar, and S. Ramesh. 2010. CoGenTe: A tool for code generator testing. In Proc. 25th IEEE/ACM International Conference on Automated Software Engineering (ASE). ACM, 349--350. Google ScholarDigital Library
Steven Rasmussen, Jason Mitchell, Chris Schulz, Corey Schumacher, and Phillip Chandler. {n. d.}. A multiple UAV simulation for researchers. In AIAA Modeling and Simulation Technologies Conference and Exhibit. 5684.Google Scholar
Jesse Ruderman. 2007. Introducing jsfunfuzz. https://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/. (2007). Accessed Feb 2018.Google Scholar
Prahladavaradan Sampath, A. C. Rajeev, S. Ramesh, and K. C. Shashidhar. 2007. Testing Model-Processing Tools for Embedded Systems. In Proc. 13th IEEE RealTime and Embedded Technology and Applications Symposium. IEEE, 203--214. Google ScholarDigital Library
S. Sims, R. Cleaveland, K. Butts, and S. Ranville. 2001. Automated validation of software models. In Proc. 16th Annual International Conference on Automated Software Engineering (ASE). 91--96. Google ScholarDigital Library
A. Sridhar, D. Srinivasulu, and D. P. Mohapatra. 2013. Model-based test-case generation for Simulink/Stateflow using dependency graph approach. In Proc. 3rd IEEE International Advance Computing Conference (IACC). 1414--1419.Google Scholar
Ingo Stürmer and Mirko Conrad. 2003. Test suite design for code generation tools. In Proc. 18th IEEE International Conference on Automated Software Engineering (ASE). 286--290. Google ScholarDigital Library
Ingo Stürmer, Mirko Conrad, Heiko Dörr, and Peter Pepper. 2007. Systematic Testing of Model-Based Code Generators. IEEE Transactions on Software Engineering (TSE) 33, 9 (Sept. 2007), 622--634. Google ScholarDigital Library
Giancarlo Succi, Witold Pedrycz, Snezana Djokic, Paolo Zuliani, and Barbara Russo. 2005. An Empirical Exploration of the Distributions of the Chidamber and Kemerer Object-Oriented Metrics Suite. Empirical Software Engineering 10, 1 (2005), 81--104. Google ScholarDigital Library
E. Tempero, C. Anslow, J. Dietrich, T. Han, J. Li, M. Lumpe, H. Melton, and J. Noble. 2010. The Qualitas Corpus: A Curated Collection of Java Code for Empirical Studies. In 2010 Asia Pacific Software Engineering Conference. 336--345. Google ScholarDigital Library
The MathWorks Inc. 2018. NASA HL-20 Lifting Body Airframe - Matlab & Simulink. https://www.mathworks.com/help/aeroblks/nasa-hl-20-lifting-body-airframe.html. (2018). Accessed Feb 2018.Google Scholar
The MathWorks Inc. 2018. Simulink Documentation. http://www.mathworks.com/help/simulink/. (2018). Accessed Feb 2018.Google Scholar
U.S. Consumer Product Safety Commission (CPSC). 2010. Recall 11-702: Fire Alarm Control Panels Recalled by Fire-Lite Alarms Due to Alert Failure. http://www.cpsc.gov/en/Recalls/2011/Fire-Alarm-Control-Panels-Recalled-by-Fire-Lite-Alarms-Due-to-Alert-Failure. (Oct. 2010). Accessed Feb 2018.Google Scholar
U.S. National Highway Traffic Safety Administration (NHTSA). 2014. Defect Information Report 14V-053. http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM450071/RCDNN-14V053-0945.pdf. (Feb. 2014).Google Scholar
U.S. National Institute of Standards and Technology (NIST). 2002. The economic impacts of inadequate infrastructure for software testing: Planning report 02-3. (May 2002).Google Scholar
Xuejun Yang, Yang Chen, Eric Eide, and John Regehr. 2011. Finding and understanding bugs in C compilers. In Proc. 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 283--294. Google ScholarDigital Library
Hongyu Zhang and Hee Beng Kuan Tan. 2007. An Empirical Study of Class Sizes for Large Java Systems. In Proc. 14th Asia-Pacific Software Engineering Conference (APSEC). 230--237. Google ScholarDigital Library
Liang Zou, Naijun Zhan, Shuling Wang, and Martin Fränzle. 2015. Formal Verification of Simulink/Stateflow Diagrams. In Proc. 13th International Symposium on Automated Technology for Verification and Analysis (ATVA), Bernd Finkbeiner, Geguang Pu, and Lijun Zhang (Eds.). Springer, 464--481.Google ScholarCross Ref

Index Terms

Automatically finding bugs in a commercial cyber-physical system development tool chain with SLforge
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging
  2. Software organization and properties
    1. Software system structures
      1. Software system models
        Model-driven software engineering

Recommendations

Automatically finding bugs in commercial cyber-physical system development tool chains
ICSE '18: Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings

Commercial Cyber-physical System (CPS) development tools (e.g. MathWorks' Simulink) are widely used to design, simulate and automatically generate artifacts which are deployed in safety-critical embedded hardware. CyFuzz, the state-of-the-art CPS tool ...
Read More
Understanding and improving cyber-physical system models and development tools
ICSE '18: Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings

Recent years have seen an increasing interest in understanding and analyzing cyber-physical system (CPS) models and their development tools. Existing work in this area is limited by the lack of an open corpus of CPS models, which we aim to address by ...
Read More
Debugging Cyber-Physical Systems with Pharo: An Experience Report
IWST '17: Proceedings of the 12th edition of the International Workshop on Smalltalk Technologies

Cyber-Physical Systems (CPS) integrate sensors and actuators to collect data and control entities in the physical world. Debugging CPS systems is hard due to the time-sensitive nature of a distributed applications combined with the lack of control on ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICSE '18: Proceedings of the 40th International Conference on Software Engineering
May 2018
1307 pages
ISBN:9781450356381
DOI:10.1145/3180155
Conference Chair:
Michel Chaudron
Chalmers University of Technology, University of Gothenburg, Sweden
,
General Chair:
Ivica Crnkovic
Chalmers University of Technology, University of Gothenburg, Sweden
,
Program Chairs:
Marsha Chechik
University of Toronto, Canada
,
Mark Harman
Facebook and University College London, United Kingdom
Copyright © 2018 Owner/Author
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 May 2018
Check for updates
Author Tags
cyber-physical systems
differential testing
tool chain bugs
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate276of1,856submissions,15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 32
  Total Citations
  View Citations
- 946
  Total Downloads
- Downloads (Last 12 months)169
- Downloads (Last 6 weeks)18
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Automatically finding bugs in a commercial cyber-physical system development tool chain with SLforge

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Automatically finding bugs in commercial cyber-physical system development tool chains

Understanding and improving cyber-physical system models and development tools

Debugging Cyber-Physical Systems with Pharo: An Experience Report