
Publication


Featured research published by Arnaud Venet.


programming language design and implementation | 2004

Precise and efficient static array bound checking for large embedded C programs

Arnaud Venet; Guillaume Brat

In this paper we describe the design and implementation of a static array-bound checker for a family of embedded programs: the flight control software of recent Mars missions. These codes are large (up to 280 KLOC), pointer intensive, heavily multithreaded and written in an object-oriented style, which makes their analysis very challenging. We designed a tool called C Global Surveyor (CGS) that can analyze the largest code in a couple of hours with a precision of 80%. The scalability and precision of the analyzer are achieved by using an incremental framework in which a pointer analysis and a numerical analysis of array indices mutually refine each other. CGS has been designed so that it can distribute the analysis over several processors in a cluster of machines. To the best of our knowledge this is the first distributed implementation of static analysis algorithms. Throughout the paper we will discuss the scalability setbacks that we encountered during the construction of the tool and their impact on the initial design decisions.


formal methods | 2004

Experimental Evaluation of Verification and Validation Tools on Martian Rover Software

Guillaume Brat; Doron Drusinsky; Dimitra Giannakopoulou; Allen Goldberg; Klaus Havelund; Michael R. Lowry; Corina S. Pasareanu; Arnaud Venet; Willem Visser; Richard Washington

We report on a study to determine the maturity of different verification and validation technologies (V&V) applied to a representative example of NASA flight software. The study consisted of a controlled experiment where three technologies (static analysis, runtime analysis and model checking) were compared to traditional testing with respect to their ability to find seeded errors in a prototype Mars Rover controller. What makes this study unique is that it is the first (to the best of our knowledge) controlled experiment to compare formal methods based tools to testing on a realistic industrial-size example, where the emphasis was on collecting as much data on the performance of the tools and the participants as possible. The paper includes a description of the Rover code that was analyzed, the tools used, as well as a detailed description of the experimental setup and the results. Due to the complexity of setting up the experiment, our results cannot be generalized, but we believe it can still serve as a valuable point of reference for future studies of this kind. It confirmed our belief that advanced tools can outperform testing when trying to locate concurrency errors. Furthermore, the results of the experiment inspired a novel framework for testing the next generation of the Rover.


static analysis symposium | 1996

Abstract Cofibered Domains: Application to the Alias Analysis of Untyped Programs

Arnaud Venet

We present a class of domains for Abstract Interpretation, the cofibered domains, that are obtained by “glueing” a category of partially ordered sets together. The internal structure of these domains is well suited to the compositional design of approximations and widening operators, and we give generic methods for performing such constructions. We illustrate the interest of these domains by developing an alias analysis of untyped programs handling structured data. The results obtained with this analysis are comparable in accuracy to those obtained with the most powerful alias analyses existing for typed languages.


static analysis symposium | 2004

A Scalable Nonuniform Pointer Analysis for Embedded Programs

Arnaud Venet

In this paper we present a scalable pointer analysis for embedded applications that is able to distinguish between instances of recursively defined data structures and elements of arrays. The main contribution consists of an efficient yet precise algorithm that can handle multithreaded programs. We first perform an inexpensive flow-sensitive analysis of each function in the program that generates semantic equations describing the effect of the function on the memory graph. These equations bear numerical constraints that describe nonuniform points-to relationships. We then iteratively solve these equations in order to obtain an abstract storage graph that describes the shape of data structures at every point of the program for all possible thread interleavings. We bring experimental evidence that this approach is tractable and precise for real-size embedded applications.


international conference on software engineering | 2014

IKOS: A Framework for Static Analysis Based on Abstract Interpretation

Guillaume Brat; Jorge A. Navas; Nija Shi; Arnaud Venet

The RTCA standard (DO-178C) for developing avionic software and getting certification credits includes an extension (DO-333) that describes how developers can use static analysis in certification. In this paper, we give an overview of the IKOS static analysis framework that helps develop static analyses that are both precise and scalable. IKOS harnesses the power of Abstract Interpretation and makes it accessible to a larger class of static analysis developers by separating concerns such as code parsing, model development, abstract domain management, results management, and analysis strategy. The benefits of the approach are demonstrated by a buffer overflow analysis applied to flight control systems.


international conference on software engineering | 2010

Static analysis for software assurance: soundness, scalability and adaptiveness

Arnaud Venet; Michael R. Lowry

Standard approaches to software assurance are either process-based or test-based. We propose to include static analysis by Abstract Interpretation in the software development cycle. Static analysis by Abstract Interpretation provides a high level of assurance as well as ground-truth evidence in support of its findings. Successes in the verification of large industrial codes demonstrate the readiness of this technology. However, in order to be practical in real development environments, static analysis must be able to scale and yield few false positives without the need for expert hand-tuning. We present a research agenda to reach this goal based on the development of adaptive static analysis algorithms.


Archive | 2013

NASA Formal Methods

Guillaume Brat; Neha Rungta; Arnaud Venet

Since its dramatic landing on Mars on the night of Aug 5, 2012, the Curiosity Rover has been busy exploring Gale crater, looking for evidence of past habitable environments. To accomplish its ambitious scientific goal, Curiosity is armed with a suite of sophisticated instruments, including cameras capable of 720p high definition stereo video, a gigawatt laser, a radiation detector, a weather monitoring station, and a sample delivery system that can drill into rocks and deliver the resulting powder to instruments that can determine its chemical composition. As a result, Curiosity is a rover capable of gathering large amounts of both scientific data (with results of experiments commanded by the science team) and engineering data (with critical information about rover health). This data volume is too large to be sent directly to Earth via Curiosity’s high-gain antenna (whose bandwidth is measured in hundreds of bits per second). Instead, most of the data acquired by the rover must be relayed to Earth via two orbiting spacecraft. Curiosity achieves this by autonomously engaging in “communication windows” with the orbiters, often by waking itself up in the middle of the night to avail itself of a passing overflight. The asynchronous nature of relay communications necessitates on-board software for reliably storing data captured by multiple scientific experiments, for processing requests from Earth to reprioritize, retransmit and delete data, and for autonomously selecting, retrieving and packaging data for orbiters in time for communication windows. These functions are implemented in rover flight software by a collection of modules called the data management subsystem, which includes filesystems for volatile (RAM) and non-volatile (flash) memory, an on-the-fly compression engine, and a mini-database for cataloging and retrieving data.
In this talk, we describe the challenges involved in designing and implementing Curiosity’s data management subsystem, and the important role played by formal methods in the design and testing of this software. We also discuss ongoing work on building tools based on formal methods for analyzing spacecraft telemetry for early anomaly detection during mission operations.


nasa formal methods | 2010

Software Model Checking of ARINC-653 Flight Code with MCP

Sarah Thompson; Guillaume Brat; Arnaud Venet


Archive | 2005

Automatic In-Flight Repair of FPGA Cosmic Ray Damage

Sarah Thompson; Alan Mycroft; Guillaume Brat; Arnaud Venet


Archive | 2014

IKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper)

Guillaume Brat; Jorge A. Laserna; Nija Shi; Arnaud Venet

Collaboration

Top co-authors of Arnaud Venet:

Nija Shi, Ames Research Center

Doron Drusinsky, Naval Postgraduate School

Klaus Havelund, California Institute of Technology