C Global Surveyor


Presentation Transcript


  1. C Global Surveyor
     Static Analysis of Large NASA Flight Software: Experience, Lessons and Perspectives
     Arnaud Venet, Kestrel Technology, LLC, 3260 Hillview Avenue, Palo Alto, CA 94304, arnaud@kestreltechnology.com
     Kestrel Technology LLC

  2. Motivations
     • At the starting point of our study are two questions:
       • Can we achieve the precise verification of pointer-intensive applications automatically?
       • Can we do this for the whole program at once?
     • No existing tool met both requirements
     • We designed and developed C Global Surveyor
     • Context of our study:
       • Conducting research at NASA Ames
       • Available software from the Mars Exploration Program

  3. Verification of Array Manipulations
     double a[10];
     for (i = 0; i < 10; i++)
         a[i] = ...;      /* 0 <= i < 10 */
     if (...)
         a[i] = ...;      /* i = 10 */
     • Arrays are the basic data structures in embedded programs
     • Out-of-bounds array access:
       • One of the most common runtime errors
       • One of the most difficult to trace back

  4. Roadmap
     • The structure of flight software for Mars missions
     • Initial design of C Global Surveyor
     • Reviewing the design of the analyzer
     • Experiments on existing flight codes
     • What next?

  5. Roadmap
     • The structure of flight software for Mars missions
     • Initial design of C Global Surveyor
     • Reviewing the design of the analyzer
     • Experiments on existing flight codes
     • What next?

  6. The MPF Family
     • Mars Path Finder (MPF):
       • Experimental mission for testing new technologies (airbag landing)
       • New software architecture
     • Subsequent missions shared the architecture and programming style inherited from MPF:
       • Mars Path Finder: 140 KLOC, 20 threads
       • Deep Space 1 (DS1): 280 KLOC, 40 threads
       • Mars Exploration Rovers (MER): 550 KLOC, 100 threads

  7. Object-Oriented Design
     10...1000 call sites:
         assign(&A, &B, 10)
         assign(&pS->f, &A[2], m)
     void assign(double *p, double *q, int n) {
         int i;
         for (i = 0; i < n; i++)
             p[i] = q[i];
     }
     Thousands of such functions; almost all of them contain loops

  8. Runtime Structure
     [Figure: several threads communicating through message queues over a large but shallow heap]

  9. Roadmap
     • The structure of flight software for Mars missions
     • Initial design of C Global Surveyor
     • Reviewing the design of the analyzer
     • Experiments on existing flight codes
     • What next?

  10. Design Choices
     • Symbolic information (access paths) is bulky and difficult to mix with numerical information (array indices)
       • All-numerical representation: &S.f[2][3] becomes &S + offset(f) + 2 * size(row) + 3 * size(elem)
     • Context-sensitivity is required
       • We can’t afford performing 1000 fixpoint iterations with widening and narrowing for a single function
       • Compute a summary of the function using a relational numerical lattice

  11. Design Choices
     • The structure of the memory graph is shallow and stable over time
       • Use Steensgaard & Das’ pointer analysis
     • Precision is required for loop invariants and array indices
       • Convex polyhedra have exponential complexity
       • Use Difference-Bound Matrices: O(n^3)
     • Relevant numerical information is mostly carried by function parameters
       • Abstract away all integers in the heap
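The numerical side of slides 3, 7, 10 and 11 worked through in code. This is an added example, not CGS source: a minimal difference-bound-matrix analysis with Floyd-Warshall closure, widening and narrowing that derives the slide-3 facts (0 <= i < 10 inside the loop, i = 10 after it) and, for the symbolic bound n of the assign function on slide 7, the relational summary 0 <= i < n inside the loop and i = n at exit. Pointer analysis and variable packing are assumed away; only the constant 0, the index i and the bound n are tracked.

```python
# Added example (not CGS code): a minimal difference-bound-matrix (DBM) analysis of  for (i = 0; i < n; i++) p[i] = q[i];
# m[a][b] is an upper bound on v_a - v_b; v_0 is the constant 0, so m[a][0] bounds v_a from above and -m[0][a] from below.
INF = float("inf")
ZERO, I, N = 0, 1, 2

def top():  # no information: every difference unbounded except v - v <= 0
    return [[0 if a == b else INF for b in range(3)] for a in range(3)]

def close(m):  # Floyd-Warshall closure: the O(n^3) step that makes implied bounds explicit
    m = [row[:] for row in m]
    for k in range(3):
        for a in range(3):
            for b in range(3):
                m[a][b] = min(m[a][b], m[a][k] + m[k][b])
    return m

def constrain(m, a, b, c):  # intersect with the guard  v_a - v_b <= c  and re-close
    m = [row[:] for row in m]
    m[a][b] = min(m[a][b], c)
    return close(m)

def increment(m, v, k):  # transfer function for  v := v + k  on a closed DBM: shift v's bounds by k
    return [[0 if a == b else m[a][b] + (k if a == v else 0) - (k if b == v else 0)
             for b in range(3)] for a in range(3)]

def join(x, y):  # least upper bound: keep the weaker of each pair of bounds
    return [[max(p, q) for p, q in zip(rx, ry)] for rx, ry in zip(x, y)]

def widen(old, new):  # give up on bounds that keep growing, so the ascending iteration converges
    return [[o if q <= o else INF for o, q in zip(ro, rn)] for ro, rn in zip(old, new)]

def narrow(old, new):  # descending iteration: take back finite bounds that widening threw away
    return [[q if o == INF else o for o, q in zip(ro, rn)] for ro, rn in zip(old, new)]

def analyze_loop(n_const=None):
    """n_const=None: symbolic n >= 0 as in assign() on slide 7; n_const=10: the a[10] loop on slide 3."""
    entry = constrain(constrain(top(), I, ZERO, 0), ZERO, I, 0)  # i = 0
    entry = constrain(entry, ZERO, N, -(n_const or 0))           # n >= n_const (or n >= 0)
    if n_const is not None:
        entry = constrain(entry, N, ZERO, n_const)               # n <= n_const
    step = lambda h: increment(constrain(h, I, N, -1), I, 1)     # loop body: guard i < n, then i++
    head = entry
    while (nxt := widen(head, join(entry, step(head)))) != head:  # ascending iterations
        head = nxt
    while (nxt := narrow(head, join(entry, step(head)))) != head:  # descending iterations
        head = nxt
    body = constrain(head, I, N, -1)  # inside the loop, where p[i] and q[i] are dereferenced
    exit_ = constrain(head, N, I, 0)  # after the loop: i >= n
    return {"body_i": (-body[ZERO][I], body[I][ZERO]), "body_i_minus_n_max": body[I][N],
            "exit_i": (-exit_[ZERO][I], exit_[I][ZERO]), "exit_i_minus_n": (-exit_[N][I], exit_[I][N])}
```

With n_const=10 the in-loop bounds of i are [0, 9] and the exit value is exactly 10; with a symbolic n the body only knows i >= 0 and i - n <= -1, which is the parameter-relative summary CGS needs to check p[i] and q[i] at each call site.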

  12. Memory Graph Construction
     [Figure: threads thr1 and thr2 with functions f and g; an Abstract Heap (sound approximation) is built by init, then READ/WRITE analyses are iterated to produce a Refined Abstract Heap (sound approximation)]

  13. Distributed Architecture
     [Figure: a PostgreSQL database stores the equations generated for each source file (file1.c, file2.c); a cluster of machines running PVM analyzes the functions (f, g) in parallel against it]

  14. Roadmap
     • The structure of flight software for Mars missions
     • Initial design of C Global Surveyor
     • Reviewing the design of the analyzer
     • Experiments on existing flight codes
     • What next?

  15. First Experiments
     • The execution times were very long (tens of hours)
       • The difference-bound matrices were large and dense
       • The cubic time complexity was always attained
     • The memory graph was very large and imprecise:
       • A lot of pointers were transmitted between threads through message queues
       • The approximation of message queues by Steensgaard’s analysis was too coarse

  16. CGS Tune-Up
     • Adaptive clustering of variables in difference-bound matrices:
       • Variables are grouped in small-size packets (average size: 4)
       • Packets are dynamically constructed during the analysis
       • Significant speedup (15 min → 5 sec for a function)
     • Extending Das’ one-level flow optimization to an arbitrary depth within data structures:
       • Spectrum of pointer analyses between Steensgaard and Andersen
       • Depth 3 analysis was sufficient to recover enough precision

  17. Roadmap
     • The structure of flight software for Mars missions
     • Initial design of C Global Surveyor
     • Reviewing the design of the analyzer
     • Experiments on existing flight codes
     • What next?

  18. Performance Results
     • Overall precision: 80% of all array accesses statically checked for MPF, DS1 and MER
     • Performance:
       • Over 100 KLOC/hour for MPF and DS1
       • 20 hours for MER
     • Main issue:
       • The massive amount of artifacts clogs up the database
       • The database architecture is difficult to optimize (B-trees)
       • A standard relational database is not adequate

  19. Impact of Parallelization
     [Figure: chart]

  20. Main Conclusions
     • Experiments conducted on dual-processor machines
     • Significant speedup when the network is not used, negligible otherwise
     • Main source of imprecision: important data passing across low-level structures
       • Message queues
       • EEPROM
     • Recovering a high-level abstraction from a low-level representation is extremely difficult

  21. Experiments with CGS
     • CGS is currently used at:
       • JPL
       • Marshall Space Center
       • Ames Research Center
     • It has been applied to a variety of codes including:
       • The Advanced Video Guidance Sensor (Shuttle)
       • The Boot Loader for the Shuttle engine controller
       • The Urine Processor Assembly of the ISS
       • The Habitat Holding Rack (ISS)
       • The Materials Science Research Rack (ISS)

  22. Roadmap
     • The structure of flight software for Mars missions
     • Initial design of C Global Surveyor
     • Reviewing the design of the analyzer
     • Experiments on existing flight codes
     • What next?

  23. Static Analysis at the Spec Level
     [Figure: Specs are refined, or code is synthesized, into the Implementation; Static Analysis is applied at the spec level for Functional Validation and at the code level for Code Certification]

  24. Model-Centric Safety-Critical Java for Exploration (NASA ESMD)
     [Figure: a DSL (Power Management, Guidance & Control, …) is checked by Static Analysis against system requirements; Provably Correct Code Generation produces SC Java, which together with Handwritten Java is checked by Static Analysis against real-time requirements]

  25. Whole System Analysis
     [Figure: Model of the Environment, Model of the User and Model of the System feed a Static Analysis]
     • System-level verification
     • Automated test generation
     • System reengineering
     • …

  26. More Information
     Visit our web site: www.kestreltechnology.com
     • Online papers
     • MXJ Project: “Model-Centric Safety-Critical Java for Exploration”