AstréeA: A Static Analyzer for Large Embedded Multi-Task Software

Antoine Miné 1, *
* Auteur correspondant
1 ANTIQUE - Analyse Statique par Interprétation Abstraite
DI-ENS - Département d'informatique de l'École normale supérieure, Inria Paris-Rocquencourt
Abstract : Embedded critical systems, such as planes and cars, cannot be easily fixed during missions and any error can have catastrophic consequences. It is thus primordial to ensure the correctness of their controlling software before they are deployed. At the very least, critical embedded software must be exempt from runtime errors, including ill-defined operations according to the specification of the language (such as arithmetic or memory overflows) as well as failure of programmer-inserted assertions. Sound and approximate static analysis can help, by providing tools able to analyze the large codes found in the industry in a fully automated way and without missing any real error. Sound and scalable static analyzers are sometimes thought to be too imprecise and report too many false alarms to be of any use in the context of verification. This claim was dis-proved when, a decade ago, the Astrée static analyzer successfully analyzed the runtime errors in several Airbus control flight software, with few or no false alarm. This result could be achieved by employing abstract interpretation, a principled framework to define and compose modular sound-by-construction and parametric abstractions, but also by adopting a design-by-refinement development strategy. Starting from an efficient and easy to design, but rather coarse, fully flow-and context-sensitive interval analyzer, we integrated more complex abstractions (carefully chosen from the literature, such as octagons, adapted from it, such as trace partitioning, or specifically invented for our needs, such as digital filter domains) to remove large sets of related false alarms, until we reached our precision target. In this presentation, we discuss our on-going efforts towards a similar goal: the efficient and precise sound verification of the absence of run-time errors, but targeting another, more complex class of software: shared-memory concurrent embedded C software. Such software are already present in critical systems and will likely become the norm with the generalization of multi-core processors in embedded systems, leading to new challenging demands in verification. Our analyzer is named AstréeA, in reference to Astrée on which it takes its inspiration and on the code base of which it elaborates. AstréeA's specialization target is a family of several embedded avionic codes, each featuring a small fixed set of a dozen threads, more than 1.5 Mlines of C code, implicit communication through the shared memory, and running under a real-time OS based on the ARINC 653 specification. One major challenge is that a concurrent program execution does not fol-low a fixed sequential order, but one of many interleavings of executions from different tasks chosen by the scheduler. A sound analysis must consider all possible interleavings in order to cover every corner case and race condition. As it is impractical to build a fully flow-sensitive analysis by enumerating explicitly all interleavings, we took inspiration from thread-modular methods: we analyze each thread individually, in an environment consisting of (an abstraction of) the effect of the other threads. This is a form of rely-guarantee reasoning, but in a fully automatic static analysis settings formalized as abstract interpretation. Contrary to Jones' seminal rely-guarantee proof method or its more recent incarnations, our method does not require manual annotations: thread interferences are automatically inferred by the analysis (including which variables are actually shared and their possible values). Following the classic methodology of abstract interpretation, a thread-modular static analysis is now viewed as a computable abstraction of a complete concrete thread-modular semantics. This permits a fine control between precision and efficiency, and opens the way to analysis specialization: any given safety property of a given program can be theoretically inferred given the right abstract domain. Following the design-by-refinement principle of Astrée, our first prototype AstréeA used a very coarse but efficient flow-insensitive and non-relational notion of thread interference: it gathered independently for each variable and each thread an interval abstraction of the values the thread can store into the variable along its execution, and injected these values as non-deterministic writes into other threads. This abstraction allowed us to scale up to our target applications, in efficiency (a few tens of hours of computation) if not in precision (a few tens of thousands alarms). This presentation will describe our subsequent work in improving the precision of AstréeA by specialization on our target applications, and the interesting abstractions we developed along the way. For instance, we developed new interference abstractions enabling a limited but controllable (for efficiency) degree of relationality and flow-sensitivity. We also designed abstractions able to exploit our knowledge of the real-time scheduler used in the analysis target: i.e., it schedules tasks on a single core and obeys a strict priority scheme.
Type de document :
Communication dans un congrès
16th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI'15), Jan 2015, Mumbai, India. Springer, 8931, pp.3, Lecture Notes in Computer Science
Liste complète des métadonnées

Littérature citée [12 références]  Voir  Masquer  Télécharger
Contributeur : Antoine Miné <>
Soumis le : mardi 20 janvier 2015 - 15:41:22
Dernière modification le : jeudi 11 janvier 2018 - 06:25:39
Document(s) archivé(s) le : mardi 21 avril 2015 - 10:15:17


Fichiers produits par l'(les) auteur(s)


  • HAL Id : hal-01105235, version 1



Antoine Miné. AstréeA: A Static Analyzer for Large Embedded Multi-Task Software. 16th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI'15), Jan 2015, Mumbai, India. Springer, 8931, pp.3, Lecture Notes in Computer Science. 〈hal-01105235〉



Consultations de la notice


Téléchargements de fichiers