AstréeA From Research To Industry

Similar documents
StackAnalyzer Proving the Absence of Stack Overflows

Safety Manual. for ait, Astrée, StackAnalyzer. AbsInt Angewandte Informatik GmbH

Static Analysis by A. I. of Embedded Critical Software

Static analysis of concurrent avionics software

Automatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Towards an industrial use of FLUCTUAT on safety-critical avionics software

Static Analysis in C/C++ code with Polyspace

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

Verification and Test with Model-Based Design

From Design to Production

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Bounded Model Checking Of C Programs: CBMC Tool Overview

Verification & Validation of Open Source

Chapter 6: Process Synchronization

Application Programming

The Java Memory Model

State of Practice. Automatic Verification of Embedded Control Software with ASTRÉE and beyond

Computer Systems A Programmer s Perspective 1 (Beta Draft)

Intro to Proving Absence of Errors in C/C++ Code

Dealing with Issues for Interprocess Communication

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

Subject: Operating System (BTCOC403) Class: S.Y.B.Tech. (Computer Engineering)

Synchronization I. Jo, Heeseung

MultiJav: A Distributed Shared Memory System Based on Multiple Java Virtual Machines. MultiJav: Introduction

Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts

Entwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011

Implementation and Verification Daniel MARTINS Application Engineer MathWorks

ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS

Threads and Synchronization. Kevin Webb Swarthmore College February 15, 2018

CS370 Operating Systems Midterm Review

IT 540 Operating Systems ECE519 Advanced Operating Systems

Midterm Exam. October 20th, Thursday NSC

Static program checking and verification

Concurrency, Thread. Dongkun Shin, SKKU

Synopsys Static Analysis Support for SEI CERT C Coding Standard

Operating System Services

Static Analysis of Embedded Systems

Concurrency in Java Prof. Stephen A. Edwards

Concurrency: a crash course

Computer Architecture and OS. EECS678 Lecture 2

Concurrent and Distributed Systems Introduction

Fiji VM Safety Critical Java

Synchronization for Concurrent Tasks

Concurrency Control. Synchronization. Brief Preview of Scheduling. Motivating Example. Motivating Example (Cont d) Interleaved Schedules

CPSC/ECE 3220 Fall 2017 Exam Give the definition (note: not the roles) for an operating system as stated in the textbook. (2 pts.

CS370 Operating Systems

7/6/2015. Motivation & examples Threads, shared memory, & synchronization. Imperative programs

CSE 153 Design of Operating Systems

Programming Languages for Real-Time Systems. LS 12, TU Dortmund

ID 025C: An Introduction to the OSEK Operating System

Verification of Real-Time Systems Resource Sharing

Numerical Static Analysis of Interrupt-Driven Programs via Sequentialization

Data-Flow Based Detection of Loop Bounds

Introduction to Multicore Programming

Motivation & examples Threads, shared memory, & synchronization

CS533 Concepts of Operating Systems. Jonathan Walpole

IDE for medical device software development. Hyun-Do Lee, Field Application Engineer

Industrial Embedded Systems - Design for Harsh Environment -

CSE 451: Operating Systems Winter Lecture 7 Synchronization. Steve Gribble. Synchronization. Threads cooperate in multithreaded programs

Cyber security mechanisms for connected vehicles

Achieving Predictable Multicore Execution of Automotive Applications Using the LET Paradigm

AUTOSAR Extensions for Predictable Task Synchronization in Multi- Core ECUs

Product Information Embedded Operating Systems

Message-Passing Shared Address Space

Automated Freedom from Interference Analysis for Automotive Software

Chapter 3: Processes. Operating System Concepts 8th Edition, modified by Stewart Weiss

Java Monitors. Parallel and Distributed Computing. Department of Computer Science and Engineering (DEI) Instituto Superior Técnico.

Synchronization COMPSCI 386

University of Waterloo Midterm Examination Model Solution CS350 Operating Systems

7/20/2008. What Operating Systems Do Computer-System Organization

Foundations of the C++ Concurrency Memory Model

Multitasking / Multithreading system Supports multiple tasks

Overview. CMSC 330: Organization of Programming Languages. Concurrency. Multiprocessors. Processes vs. Threads. Computation Abstractions

(Refer Slide Time: 1:26)

Lecture 6. Abstract Interpretation

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

CS 31: Introduction to Computer Systems : Threads & Synchronization April 16-18, 2019

Process Management And Synchronization

Synchronization for Concurrent Tasks

Lecture notes Lectures 1 through 5 (up through lecture 5 slide 63) Book Chapters 1-4

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

Model Based Development of Embedded Control Software

Multicore for safety-critical embedded systems: challenges andmarch opportunities 15, / 28

Last Time. Think carefully about whether you use a heap Look carefully for stack overflow Especially when you have multiple threads

CMSC 330: Organization of Programming Languages

A Model-based Approach for Conditioning Software to Multi-Core using AUTOSAR

Dr. Rafiq Zakaria Campus. Maulana Azad College of Arts, Science & Commerce, Aurangabad. Department of Computer Science. Academic Year

CSE 451: Operating Systems Winter Lecture 7 Synchronization. Hank Levy 412 Sieg Hall

Sharing Objects Ch. 3

CS 571 Operating Systems. Midterm Review. Angelos Stavrou, George Mason University

Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois

Interprocess Communication By: Kaushik Vaghani

MULTITHREADING AND SYNCHRONIZATION. CS124 Operating Systems Fall , Lecture 10

Transcription:

AstréeA From Research To Industry Dr.-Ing. Stephan Wilhelm, AbsInt GmbH Workshop on Static Analysis of Concurrent Software Edinburgh, 2016

2 AbsInt Angewandte Informatik GmbH Provides advanced development tools for embedded systems and tools for validation, verification, and certification of safety-critical software. Founded in February 1998 by six researchers of Saarland University, Germany, from the group of programming languages and compiler construction of Prof. Dr. Dr. h.c. mult. R. Wilhelm. Privately held by the founders. Headquarters in Saarbrücken, Germany. Our customers come from all industry sectors where safety-relevant software is used: Aerospace & defense Automotive Nuclear & wind energy Railway control Medical devices

3 Astrée for C Sound static analysis based on abstract interpretation to prove absence of runtime errors. Astrée detects: Array index out of bounds Int/float division by 0 Invalid pointer dereferences Arithmetic overflows and wrap-arounds Floating point overflows and invalid operations (Inf and NaN) Uninitialized variables Data races, inconsistent locking + Floating-point rounding errors taken into account + User-defined assertions, unreachable code, non-terminating loops + Supports MISRA, CERT, CWE AstréeA

4 ASTRÉE(A) Timeline ASTRÉE ENS Paris ASTRÉEA ENS Paris Astrée for C AbsInt 15.10 AbsInt Subjects of this talk Practical Use Various industries 2001 2009 2016

PRODUCT INTEGRATION 5

6 The Average Industrial User Is not an expert C programmer or computer scientist! Often has a background in testing and doesn t know the software under analysis. Separate teams for development and testing/validation/verification. Model based development (=> C code is generated). Expects: a simple, automatic setup procedure, that the analysis runs fast and scales to complex systems, that results are reliable, precise and easy to understand. A static analysis tool must save time and money!

7 Consequences for Integrating AstréeA 1. Simplification of the setup procedure. 2. User friendlier display of new results like data races. 3. Tuning of performance and precision to typical user codes.

8 Concurrent Analysis Setup AstréeA was built around abstract OS models. OS models are shipped with the product and integrated with the preprocessing phase. OS models have been extended to report invalid usages of OS services. Simplified setup for OSEK by evaluation of OIL files.

9 Data Races vs. Classic RTEs Classic run-time error: Detected in a single code location in multiple analysis contexts. Aggregating analyzer findings per code location results in a relatively small number of places that the user has to check. Data race: Detected in many code locations. Which of these code locations access the same variable? Which parallel processes are involved?

10 Displaying Data Races Aggregate findings about data races per memory location. Show involved functions in the call tree.

RESULTS AND FEEDBACK 11

12 Example Automotive Projects Development versions of 2 projects with known issues: Automotive 1 (Auto_1) Partial OSEK project, configured by.oil file 3 application components, 1 handwritten application component (control) 2 application components generated by TargetLink (logic and control) 2 tasks Automotive 2 (Auto_2) Complete AUTOSAR 3.2. project, including entire ECU code and AUTOSAR stack except NvM and CAN. Configured by.oil file. Application code mostly generated by TargetLink with some handwritten parts (e.g. CDD) 11 tasks, 13 ISRs, 2 counters and 9 alarms

13 Initial Results Project Auto_1 Auto_2 LOC (preprocessed, without blank/comment lines) 177.576 2.574.481 Selectivitiy (number of lines proven correct) 99.5% 99.9% Potential Run-time errors 774 702 Number of Shared variables 851 1874 Variables with data races (number/percentage) 6 (0.7%) 1481 (79%) Data flow anomalies (infinite loops) 2 3 Reached code 78% 64% Max RAM 2.6 GB 28.4 GB Analysis time 30 m 1d 10h 8m All 6 findings about data races in Auto_1 were justified. Lots of false alarms in Auto_2.

14 General User Feedback Analysis works very well for smaller and medium sized codes. Higher analysis times on large codes (compared to sequential analysis) can be problematic. Users also asked for Deadlock detection (new in next release 16.10). OS model for POSIX threads (not yet available in the product). Precision improvements for software running on OSEK/AUTOSAR (see next section).

15 CHALLENGES AND IMPROVEMENTS

16 OSEK / AUTOSAR Priority Ceiling Protocol (PCP). Tasks dynamically change their priorities. Original implementation was sound but imprecise. Precise priorities are available with new release 16.10. Implicit Global Locking. Use of [Suspend Resume][All OS]Interrupts functions as main synchronization primitives instead of explicit mutex locks. SuspendAllInterrupts(); /* write to shared variables */ ResumeAllInterrupts(); Original implementation assumed impossible interactions.

17 Initializations in Concurrent Phase Additional initializations precede periodic tasks. Problem: Exclude impossible data races between initialization and periodic phase. t Task 1 Task 2 Task 3 Task 4 Task 5 Init 2 No data races possible Init 1 Init 3 seq. init

18 Example: Auto_2 Current Situation Project original improved LOC (preprocessed, without blank/comment lines) 2.574.481 2.574.481 Variables with data races (number/percentage) 1481 (79%) 205 (10.9%) Reached code 64% 72% Max RAM 28.4 GB 23.3 GB Analysis time 1d 10h 8m 14h 24m The improved analysis uses More precise handling of dynamic priorities. More precise handling of [Suspend Resume][All OS]Interrupts. Separation of initialization and periodic phase. [Development feature] Improvements for analyzing AUTOSAR libraries.

19 Example: Lock-Free Implementations Process 1 1. append data to buffer Process 2 read buffer entries up to max_valid index 2. increase max_valid buffer index No locking is required if all accesses to max_valid and buffer entries are atomic operations. Notion of atomic memory accesses has been added to the analyzer. Specified per type in the ABI settings. Option: no data race alarms for unprotected accesses to volatile shared variables if all accesses are atomic.

20 The Future: Big Multicore Systems Example automotive setup: An application is a collection of tasks. Applications are mapped to cores. Usually one application per core. Each core has its own scheduler and OS. Shared memory between cores. Applications are synchronized by spinlocks. A task on core 1 can access application on core 2. Event set in task on core 1, received by application on core 2. Task chaining between applications on different cores using events or spinlocks.

21 Conclusion The majority of safety critical software is concurrent. Concurrent software is nowadays successfully analyzed by industrial users of Astrée. We are continuously working on improving precision and performance in relevant use cases. We expect the automatic sound analysis of concurrent software to become more and more common in the relevant industries.

22 Thank you! email: info@absint.com http://www.absint.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback