RELIABLE SOFTWARE SYSTEMS

Similar documents
Verification Using Static Analysis

Static Analysis of C++ Projects with CodeSonar

Verification by Static Analysis

Understanding Undefined Behavior

Using Static Code Analysis to Find Bugs Before They Become Failures

Computer aided verification

Using Code Coverage to Improve the Reliability of Embedded Software. Whitepaper V

Formal Verification Techniques for GPU Kernels Lecture 1

Static Analysis in C/C++ code with Polyspace

Steps for project success. git status. Milestones. Deliverables. Homework 1 submitted Homework 2 will be posted October 26.

Undefined Behaviour in C

CERT C++ COMPLIANCE ENFORCEMENT

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

CSE 550: Introduction to Computer Systems Research. Arvind Krishnamurthy

C++ Undefined Behavior What is it, and why should I care?

DEBUGGING: DYNAMIC PROGRAM ANALYSIS

Regression testing. Whenever you find a bug. Why is this a good idea?

"Secure" Coding Practices Nicholas Weaver

Motivation & examples Threads, shared memory, & synchronization

Software architecture in ASPICE and Even-André Karlsson

CS 261 Fall Mike Lam, Professor. Threads

Language Security. Lecture 40

Course Information. Course Basics. Course Format. Arvind Krishnamurthy. Instructor: Arvind Krishnamurthy. TA: Naveen Sharma

Warm-up question (CS 261 review) What is the primary difference between processes and threads from a developer s perspective?

Clang Static Analyzer Documentation

SQLite with a Fine-Toothed Comb. John Regehr Trust-in-So1 / University of Utah

CSE 303, Winter 2006, Final Examination 16 March Please do not turn the page until everyone is ready.

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

CS 520 Theory and Practice of Software Engineering Fall 2018

Verification and Test with Model-Based Design

Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois

Great Reality #2: You ve Got to Know Assembly Does not generate random values Arithmetic operations have important mathematical properties

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

17. Assertions. Outline. Built-in tests. Built-in tests 3/29/11. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

The Spin Model Checker : Part I/II

CS 153 Lab4 and 5. Kishore Kumar Pusukuri. Kishore Kumar Pusukuri CS 153 Lab4 and 5

High Performance Managed Languages. Martin Thompson

17. Assertions. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

Intro to Proving Absence of Errors in C/C++ Code

Important From Last Time

One-Slide Summary. Lecture Outline. Language Security

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

7/6/2015. Motivation & examples Threads, shared memory, & synchronization. Imperative programs

Program Correctness and Efficiency. Chapter 2

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters

Performance Improvement via Always-Abort HTM

1. Introduction to Concurrent Programming

TSW Reliability and Fault Tolerance

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Call Paths for Pin Tools

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013

EMBEDDED SYSTEMS PROGRAMMING More About Languages

Intro to C: Pointers and Arrays

Testing & Continuous Integration. Kenneth M. Anderson University of Colorado, Boulder CSCI 5828 Lecture 20 03/19/2010

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

740: Computer Architecture Memory Consistency. Prof. Onur Mutlu Carnegie Mellon University

MISRA-C. Subset of the C language for critical systems

Introduction Disks RAID Tertiary storage. Mass Storage. CMSC 420, York College. November 21, 2006

CS24 Week 3 Lecture 1

C++ Undefined Behavior

Program Testing via Symbolic Execution

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Managing data for Curiosity, fun and profit. Rajeev Joshi NASA / Jet Propulsion Laboratory, California Institute of Technology

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Identifying Ad-hoc Synchronization for Enhanced Race Detection

[0569] p 0318 garbage

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

Data-flow Analysis for Interruptdriven Microcontroller Software

AstréeA From Research To Industry

Causes of Software Failures

A framework for verification of Program Control Unit of VLIW processors

Program Analysis. CSCE Lecture 16-03/03/2016

ENCM 501 Winter 2019 Assignment 9

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

Buffer Overflow Defenses

Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao

Effective Data-Race Detection for the Kernel

Safety and liveness for critical sections

Advances in Programming Languages: Regions

Lecture 2: C Programm

Three General Principles of QA. COMP 4004 Fall Notes Adapted from Dr. A. Williams

Lecture Notes on Memory Layout

CMSC Computer Architecture Lecture 15: Memory Consistency and Synchronization. Prof. Yanjing Li University of Chicago

High Performance Managed Languages. Martin Thompson

Control Abstraction. Hwansoo Han

CERT Secure Coding Initiative. Define security requirements. Model Threats 11/30/2010

Threads and Java Memory Model

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Networks and distributed computing

System Software Assignment 1 Runtime Support for Procedures

On the C11 Memory Model and a Program Logic for C11 Concurrency

Caching and reliability

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Parallelism Marco Serafini

Entwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

Compiling Parallel Algorithms to Memory Systems

Transcription:

gh@jpl.nasa.gov RELIABLE SOFTWARE SYSTEMS

+50 1969 2019 LM: less than 10K lines of code (C-equiv) (36K ROM, 2K RAM, 43Khz cycle) Altair: est. 10M lines of code (est. 1GB RAM, est. 1Ghz cycle) 3 orders of magnitude more code did the problem get harder? 2

all aerospace software (military, commercial, space) top: manned bottom: robotic 3

software complexity A system is complex if its design is unsuitable for the application of exhaustive simulation and test, and therefore its behavior cannot be verified by exhaustive testing. Defense Standard 00-54 Requirements for safety related electronic hardware in defense equipment UK Ministry of Defense, 1999 4

exhaustive testing single-threaded code: does full statement and branch coverage guarantee an exhaustive test? 5

single-threaded code small example: test1: foo(0,0) test2: foo(1,1) bug: foo(0,1) void foo(int x, int y) { int *p = NULL; if (x!= 0) { p = &x; } false int *p = 0 x!=0 true p =&x int *p = 0 x!=0 p =&x int *p = 0 x!=0 p =&x } if (y!= 0) { *p = y; } true *p=y y!=0 false *p=y y!=0 *p=y y!=0 100% statement and branch coverage missed path with nil-pointer dereference 6

exhaustive testing single-threaded code: does full statement and branch coverage guarantee an exhaustive test? answer: no! multi-threaded code: does full statement and branch coverage plus complete coverage of the input domain guarantee an exhaustive test? 7

multi-threaded code int *p = 0 the number of interleaved thread executions can now become very large false x!=0 true f t f t p =&x X x = 1-y *p=y true y!=0 false added thread changing the value of x once t f t f threads can step on each other s data, causing data corruption for a subset of thread interleavings 8

can 100% data + statement + branch coverage detect all defects in multi-threaded code? x,y=0,0 3 possible interleavings, no error x!=0 y!=0 n x=1-y y p =&x p =&x p =&x x,y=1,0 4 possible interleavings, no error n n 4 possible in multi-threaded input combinations software it s not just important which statements are executed, it s can also be important when they are executed: determined in part by the relative speed of process execution x,y=0,1 x,y=1,1 1 of 4 possible interleavings show the defect 75% of the runs miss it *p=y p =&x *p=y p =&x *p=y *p=y 1 of 5 possible interleavings show the defect 80% of the runs miss it 9

exhaustive testing single-threaded code: does full statement and branch coverage guarantee an exhaustive test? answer: no! multi-threaded code: does full statement and branch coverage plus complete coverage of the input domain guarantee an exhaustive test? answer: no! 10

the difficulty of testing multi-threaded software consider: 3 concurrent threads with 3 statements in each thread the number of possible execution interleavings is: 9! 6! 3! ----- ----- ---- = 1,680 executions 6!.3! 3!.3! 3! start 1 3 2 are all these executions okay? can/should we test them all? the standard test process would cover perhaps 1% -- how do we select the right 1%? the best way to rule out race conditions and synchronization errors is in the software design 11

failure in complex systems major failures in complex systems often happen when relatively small defects combine in unpredictable ways adding backups (or fault protection) can increase complexity and introduce new hidden dependencies Perrow s leading example: the 1979 partial meltdown of the Three Mile Island nuclear plant. (1984) 12

residual defects defect insertion 6 23 46 1 reqs 2 5 25 2 design coding testing 4 20 26 24 residual defects per KLOC post-testing (a.k.a. software anomalies) defect propagation defect removal i.e., find ways to catch defects as close to the point of introduction as possible even the small ones 13

reliable systems from unreliable parts is standard in other disciplines hardware: redundant components [von Neumann, 1948] communication: redundant encodings [Shannon, 1948] software: Is there a similar basis for making software (more) reliable? 14

good places to look design / structure architectural principles coding standards + compliance checking code scrub: fixing even small problems model based engineering e.g., logic design verification with model checkers fault containment decoupling margin and memory barrier patterns hierarchical backup 15

principles for protecting a system against the unanticipated design : the first layer of defense against residual defects simplicity redundancy fault protection paranoia: the second layer expect the unexpected 1852 simplified backup fault containment the Otis safety Elevator (1852) 16

simplified software redundancy a simplified backup for critical software modules the module is designed for performance and functionality the backup is designed for verifiability, survivability and recovery from unanticipated software defects fp unit fp unit prime module full functionality optimal performance not fully verifiable small simple & verifiable backup prime module full functionality optimal performance not fully verifiable small simple & verifiable backup fault normal operation fault containment mode 17

logic design verification 6 M states ~7 seconds 18

routine code scrub combines peer comments with automatically generated tool reports (using static analyzers) in a uniform view collects & saves discussion trail of peer & tool reports meant to make large code reviews more efficient (and less painful) machine-generated tool reports are always available for all current and archived modules (meant to catch little errors early) 19

generating tool reports (nightly) Current Build make Build Log (~18K lines) extract compiler calls (~3K lines) Defect Detection Coding Rule Compliance gcc gcc strict coverity codesonar uno P10 JPL standard MSL rules suppressed warnings Global Analysis (~10hrs) Module Analysis (~5min) SCRUB database 20

synopsis reliability is a system property a system is designed to be (more) reliable by: being aware of the limitations of standard testing adding e.g., randomized testing methods ( fuzz testing) aggressively using logic design verification tools the Spin model checker was designed for these types of problems making fault propagation harder using decoupling, containment, margins, barriers using redundancy and encoding using simplified backups ( crippled mode ) more broadly enabling memory protection, stack protection, etc. catching defects early, and eliminating even simple defects preventing hidden pathways for coupling 21

thank you! 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback