C Global Surveyor
Static Analysis of Large NASA Flight Software: Experience, Lessons and Perspectives
Arnaud Venet
Kestrel Technology, LLC
3260 Hillview Avenue
Palo Alto, CA 94304
arnaud@kestreltechnology.com
Kestrel Technology LLC
Motivations
• At the starting point of our study are two questions:
  • Can we achieve the precise verification of pointer-intensive applications automatically?
  • Can we do this for the whole program at once?
• No existing tool met both requirements
• We designed and developed C Global Surveyor
• Context of our study:
  • Conducting research at NASA Ames
  • Available software from the Mars Exploration Program
Verification of Array Manipulations
• Arrays are the basic data structures in embedded programs
• Out-of-bounds array access:
  • One of the most common runtime errors
  • One of the most difficult to trace back

    double a[10];
    int i;
    for (i = 0; i < 10; i++)
        a[i] = ...;        /* inside the loop: 0 <= i < 10, in bounds */
    if (...)
        a[i] = ...;        /* after the loop: i = 10, out of bounds */
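The two facts annotated on the slide (0 <= i < 10 in the loop body, i = 10 afterwards) are what an interval abstract interpreter computes for this loop. The following is an added example, not code from the talk or from C Global Surveyor; it runs the slide's loop through a small interval domain with widening and one narrowing step, and also handles a loop bound larger than the array and an empty loop. All function names are the example's own.

```python
# Added example, not from the slides: interval abstract interpretation of the
# slide's loop (widening + one narrowing step); all names are the example's own.
import math

INF = math.inf            # intervals are (lo, hi) tuples; None is the empty interval

def join(x, y):
    """Least upper bound of two intervals."""
    if x is None or y is None:
        return x or y
    return (min(x[0], y[0]), max(x[1], y[1]))

def widen(old, new):
    """Interval widening: a bound that keeps moving jumps to infinity."""
    if old is None:
        return new
    return (old[0] if new[0] >= old[0] else -INF, old[1] if new[1] <= old[1] else INF)

def filter_lt(iv, bound):
    """Abstract effect of the loop test `i < bound` on the interval of i."""
    if iv is None or iv[0] > bound - 1:
        return None
    return (iv[0], min(iv[1], bound - 1))

def inc(iv):
    """Abstract effect of `i++`."""
    return None if iv is None else (iv[0] + 1, iv[1] + 1)

def is_safe_access(iv, length):
    """Is a[i], with i in `iv`, provably inside an array of `length` elements?"""
    if iv is None:                      # unreachable access: nothing to check
        return True
    return iv[0] >= 0 and iv[1] <= length - 1

def analyze_loop(bound, length):
    """Analyze  for (i = 0; i < bound; i++) a[i] = ...;  then  a[i] = ...;
    Returns (i in the body, i after the loop, body access safe, later access safe)."""
    head = (0, 0)                                   # i = 0 at the loop head
    while True:
        new_head = widen(head, join((0, 0), inc(filter_lt(head, bound))))
        if new_head == head:                        # post-fixpoint reached
            break
        head = new_head
    # one narrowing iteration recovers the finite upper bound widening threw away
    head = join((0, 0), inc(filter_lt(head, bound)))
    body = filter_lt(head, bound)
    exit_i = None if head[1] < bound else (max(head[0], bound), head[1])
    return body, exit_i, is_safe_access(body, length), is_safe_access(exit_i, length)
```

`analyze_loop(10, 10)` reports the body interval (0, 9) as safe and the exit value (10, 10) as unsafe, reproducing the slide's verdict.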
Roadmap
• The structure of flight software for Mars missions
• Initial design of C Global Surveyor
• Reviewing the design of the analyzer
• Experiments on existing flight codes
• What next?
The MPF Family
• Mars Path Finder (MPF):
  • Experimental mission for testing new technologies (airbag landing)
  • New software architecture
• Subsequent missions shared the architecture and programming style inherited from MPF:
  • Mars Path Finder: 140 KLOC, 20 threads
  • Deep Space 1 (DS1): 280 KLOC, 40 threads
  • Mars Exploration Rovers (MER): 550 KLOC, 100 threads
Object-Oriented Design
• 10...1000 call sites per function, for example:

    assign (&A, &B, 10)
    assign (&pS->f, &A[2], m)

• The callee:

    void assign (double *p, double *q, int n)
    {
        int i;
        for (i = 0; i < n; i++)
            p[i] = q[i];
    }

• Thousands of such functions
• Almost all of them contain loops
Runtime Structure (diagram): several threads exchanging data through message queues; the heap is large but shallow.
Design Choices
• Symbolic information (access paths) is bulky and difficult to mix with numerical information (array indices)
  • All-numerical representation, for example:

    &S.f[2][3]  →  &S + offset(f) + 2 * size(row) + 3 * size(elem)

• Context-sensitivity is required
  • We can’t afford performing 1000 fixpoint iterations with widening and narrowing for a single function
  • Compute a summary of the function using a relational numerical lattice
Design Choices
• The structure of the memory graph is shallow and stable over time
  • Use Steensgaard & Das’ pointer analysis
• Precision is required for loop invariants and array indices
  • Convex polyhedra have exponential complexity
  • Use Difference-Bound Matrices: O(n^3)
• Relevant numerical information is mostly carried by function parameters
  • Abstract away all integers in the heap
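The two design choices above (a relational summary per function, computed in a difference-bound matrix whose closure costs O(n^3)) can be shown on the assign() function from the Object-Oriented Design slide. The following is an added example, not code from the talk or from C Global Surveyor: the loop invariant of assign() is recorded as a DBM over (i, n), then instantiated at a call site that supplies a bound on n, and the Floyd-Warshall closure derives the bound on i that decides whether p[i] is in range. The names (dbm, closure, assign_summary, instantiate) are the example's own.

```python
# Added example, not from the slides: a DBM as a relational summary of assign(),
# instantiated per call site.  Names are the example's own.
INF = float("inf")
ZERO, I, N = 0, 1, 2      # row/column 0 is the constant 0, then i and n

def dbm(nvars):
    """m[a][b] = c encodes v_b - v_a <= c; INF means no constraint."""
    return [[0 if a == b else INF for b in range(nvars)] for a in range(nvars)]

def add(m, src, dst, c):
    """Record v_dst - v_src <= c, keeping the tightest bound seen so far."""
    m[src][dst] = min(m[src][dst], c)

def closure(m):
    """Floyd-Warshall shortest paths: the O(n^3) step of the DBM domain.
    Returns None if a negative cycle shows the constraints are unsatisfiable."""
    n = len(m)
    d = [row[:] for row in m]
    for k in range(n):
        for a in range(n):
            for b in range(n):
                if d[a][k] + d[k][b] < d[a][b]:
                    d[a][b] = d[a][k] + d[k][b]
    if any(d[a][a] < 0 for a in range(n)):
        return None
    return d

def assign_summary():
    """Loop invariant of  for (i = 0; i < n; i++) p[i] = q[i];  over (i, n)."""
    m = dbm(3)
    add(m, I, ZERO, 0)    # 0 - i <= 0   i.e. i >= 0   (from i = 0 and i++)
    add(m, N, I, -1)      # i - n <= -1  i.e. i <  n   (loop test)
    return m

def instantiate(summary, n_max):
    """Plug the call-site fact n <= n_max into the summary and close it."""
    m = [row[:] for row in summary]
    add(m, ZERO, N, n_max)  # n - 0 <= n_max
    return closure(m)

def index_bounds(d, var):
    """(lower, upper) bound of a variable, read off the closed DBM."""
    return (-d[var][ZERO], d[ZERO][var])

def access_safe(d, var, length):
    """Is p[var] provably within an array of `length` elements?"""
    if d is None:                 # unreachable state: nothing to check
        return True
    lo, hi = index_bounds(d, var)
    return lo >= 0 and hi <= length - 1
```

For the call `assign(&A, &B, 10)` the closure yields 0 <= i <= 9, so an array of ten elements is proven safe; for `assign(&pS->f, &A[2], m)` with m unbounded the upper bound stays INF and the access cannot be proven.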
Memory Graph Construction (diagram): threads thr1 and thr2, functions f, g and init with their READ and WRITE edges; an Abstract Heap (sound approximation) is refined by iteration (ITERATE) into a Refined Abstract Heap (sound approximation).
Distributed Architecture (diagram): a PostgreSQL database holds the per-file equations (file1.c, file2.c); functions f and g are analyzed on a cluster of machines coordinated with PVM.
First Experiments
• The execution times were very long (tens of hours)
  • The difference-bound matrices were large and dense
  • The cubic time complexity was always attained
• The memory graph was very large and imprecise:
  • A lot of pointers were transmitted between threads through message queues
  • The approximation of message queues by Steensgaard’s analysis was too coarse
CGS Tune-Up
• Adaptive clustering of variables in difference-bound matrices:
  • Variables are grouped in small-size packets (average size: 4)
  • Packets are dynamically constructed during the analysis
  • Significant speedup (15 min → 5 sec for a function)
• Extending Das’ one-level flow optimization to an arbitrary depth within data structures:
  • Spectrum of pointer analyses between Steensgaard and Andersen
  • Depth 3 analysis was sufficient to recover enough precision
Performance Results
• Overall precision: 80% of all array accesses statically checked for MPF, DS1 and MER
• Performance:
  • Over 100 KLOC/hour for MPF and DS1
  • 20 hours for MER
• Main issue:
  • Massive amount of artifacts clogs up the database
  • The database architecture is difficult to optimize (B-trees)
  • A standard relational database is not adequate
Impact of Parallelization (chart not reproduced)
Main Conclusions
• Experiments conducted on dual-processor machines
• Significant speedup when the network is not used, negligible otherwise
• Main source of imprecision: important data passing across low-level structures
  • Message queues
  • EEPROM
• Recovering a high-level abstraction from a low-level representation is extremely difficult
Experiments with CGS
• CGS is currently used at:
  • JPL
  • Marshall Space Center
  • Ames Research Center
• It has been applied to a variety of codes including:
  • The Advanced Video Guidance Sensor (Shuttle)
  • The Boot Loader for the Shuttle engine controller
  • The Urine Processor Assembly of the ISS
  • The Habitat Holding Rack (ISS)
  • The Materials Science Research Rack (ISS)
Static Analysis at the Spec Level (diagram): Specs are refined and synthesized into Code (Implementation); Static Analysis is applied at both levels, for Functional Validation of the specs and for Code Certification of the implementation.
Model-Centric Safety-Critical Java for Exploration (NASA ESMD) (diagram): a DSL covering Power Management, Guidance & Control, ... is checked by Static Analysis for Verification of System Requirements; Provably Correct Code Generation produces SC Java, which together with Handwritten Java is checked by Static Analysis for Verification of Real-Time Requirements.
Whole System Analysis (diagram): a Model of the Environment, a Model of the User and a Model of the System feed a Static Analysis, enabling:
• System-Level verification
• Automated test generation
• System reengineering
• ...
More Information
Visit our web site: www.kestreltechnology.com
• Online papers
• MXJ Project: “Model-Centric Safety-Critical Java for Exploration”