8/9/2005Kestrel Technology LLC Page 1 C Global Surveyor Arnaud Venet Kestrel Technology, LLC 3260...

8/9/2005 Kestrel Technology LLC

C Global Surveyor

Arnaud Venet

Kestrel Technology, LLC3260 Hillview AvenuePalo Alto, CA 94304

[email protected]

Static Analysis of Large NASA Flight Software: Experience, Lessons and

Perspectives


Motivations

• At the starting point of our study are two questions:• Can we achieve the precise verification of

pointer-intensive applications automatically?• Can we do this for the whole program at once?

• No existing tool met both requirements• We designed and developed C Global Surveyor• Context of our study:

• Conducting research at NASA Ames• Available software from the Mars Exploration

Program


Verification of Array Manipulations

• Arrays are the basic data structures in embedded programs

• Out-of-bounds array access:• One of the most common runtime errors• One the most difficult to trace back

double a[10];

for (i = 0; i < 10; i++)

a[i] = ...;

if (...)

a[i] = ...;

0 <= i < 10

i = 10


Roadmap

1. The structure of flight software for Mars missions

2. Initial design of C Global Surveyor3. Reviewing the design of the analyzer4. Experiments on existing flight codes5. What next?


Roadmap


2. Initial design of C Global Surveyor3. Reviewing the design of the analyzer 4. Experiments on existing flight codes5. What next?


The MPF Family

• Mars Path Finder (MPF):• Experimental mission for testing new

technologies (airbag landing)• New software architecture

• Subsequent missions shared the architecture and programming style inherited from MPF:• Mars Path Finder: 140 KLOC, 20 threads• Deep Space 1 (DS1): 280 KLOC, 40 threads• Mars Exploration Rovers (MER): 550 KLOC,

100 threads


Object-Oriented Design

assign (double *p, double *q, int n) {

int i;

for (i = 0; i < n; i++)

p[i] = q[i];

}

assign (&A, &B, 10) assign (&pS->f, &A[2], m)

10...1000 call sites

Thousands of such functions Almost all of them contain

loops


Runtime Structure

Thread

Thread Thread

Queue

HeapQueue

Shallow

Large


Roadmap


2. Initial design of C Global Surveyor3. Reviewing the design of the analyzer 4. Experiments on existing flight codes5. What next?


Design Choices

• Symbolic information (access paths) is bulky and difficult to mix with numerical information (array indices)• All-numerical representation

• Context-sensitivity is required• We can’t afford performing 1000 fixpoint iterations with widening and

narrowing for a single function• Compute a summary of the function using a relational numerical lattice

&S.f[2][3] &S + offset(f) + 2 * size(row)

+ 3 * size(elem)


Design Choices

• The structure of the memory graph is shallow and stable over time• Use Steensgaard & Das’ pointer analysis

• Precision is required for loop invariants and array indices• Convex polyhedra have exponential

complexity• Use Difference-Bound Matrices: O(n3)

• Relevant numerical information is mostly carried by function parameters• Abstract away all integers in the heap


Memory Graph Construction

Abstract Heap

(sound approximation)

thr1

f

thr2

init

g

Refined Abstract Heap

(sound approximation)

READ

WRITE

ITERATE


Database

Equationsfor file1.c

Equationsfor file2.c

Cluster of machines

Analyzefunction f

Analyzefunction g

Distributed Architecture

PostgreSQL

PVM


Roadmap




First Experiments

• The execution times were very long (tens of hours)• The difference-bound matrices were large and

dense• The cubic time complexity was always attained

• The memory graph was very large and imprecise:• A lot of pointers were transmitted between

threads through message queues• The approximation of message queues by

Steensgaard’s analysis was too coarse


CGS Tune-Up

• Adaptive clustering of variables in difference-bound matrices:• Variables are grouped in small-size packets (average

size: 4)• Packets are dynamically constructed during the

analysis• Significant speedup (15 min 5 sec for a function)

• Extending Das one-level flow optimization to an arbitrary depth within data structures:• Spectrum of pointer analyses between Steensgaard

and Andersen• Depth 3 analysis was sufficient to recover enough

precision


Roadmap




Performance Results

• Overall precision: 80% of all array accesses statically checked for MPF, DS1 and MER

• Performances:• Over 100 KLOC/hour for MPF and DS1• 20 hours for MER

• Main issue: • Massive amount of artifacts clogs up the

database• The database architecture is difficult to

optimize (B-trees)• A standard relational database is not adequate


Impact of Parallelization

Analysis Times

0

2000

4000

6000

8000

10000

12000

1 2 4 6 8

CPUs

Se

co

nd

s

DS1

MPF


Main Conclusions

• Experiments conducted on dual-processor machines

• Significant speedup when the network is not used, negligible otherwise

• Main source of imprecision: important data passing across low-level structures• Message queues• EEPROM

• Recovering a high-level abstraction from a low-level representation is extremely difficult


Experiments with CGS

• CGS is currently used at:• JPL• Marshall Space Center• Ames Research Center

• It has been applied to a variety of codes including:• The Advanced Video Guidance Sensor (Shuttle)• The Boot Loader for the Shuttle engine controller• The Urine Processor Assembly of the ISS• The Habitat Holding Rack (ISS)• The Materials Science Research Rack (ISS)


Roadmap




Static Analysis at the Spec Level

Specs Code

Static AnalysisStatic Analysis

Implementation

Synthesis

Refinement

Code Certification

FunctionalValidation


Model-Centric Safety-Critical Java for Exploration (NASA ESMD)

DSL

SC JavaHandwritten

Java

• Power Management

• Guidance & Control

• …

Verificationof

SystemRequirements

Static Analysi

s

Verificationof

Real-TimeRequirements

Static Analysi

s

Provably Correct Code Generation


Whole System Analysis

Modelof the

Evironment

Modelof theUser

Modelof the

System

Static Analysis• System-Level verification

• Automated test generation

• System reengineering

• …


More Information

• Online papers• MXJ Project: “Model-Centric Safety-Critical Java

for Exploration”

Visit our web site:

www.kestreltechnology.com

8/9/2005Kestrel Technology LLC Page 1 C Global Surveyor Arnaud Venet Kestrel Technology, LLC 3260...

Documents

Transcript of 8/9/2005Kestrel Technology LLC Page 1 C Global Surveyor Arnaud Venet Kestrel Technology, LLC 3260...