14 April 2008
Airbus Experience in Static Analysis
Dagstuhl Seminar 08161
Presented by Jean Souyris, Airbus France S.A.S.
Scalable Program Analysis
14 April 2008, Page 2. © Airbus S.A.S. All rights reserved. Confidential and proprietary document.
Overview
What part of Airbus?
Involvement in the static analysis field
Static analysis based verification activities
Next transfers
Static analysers in the development cycle
What part of Airbus?
Avionics and simulation products (EDYY)
Avionics products: hardware and software development of:
– Flight Control computers
– Warning functions
– Board-ground communication functions
– Maintenance functions
for all Airbus aircraft families
Simulation software products:
– Training
– Aircraft development
– Prospective
for all Airbus aircraft families
Current target for static analysis: avionics software
Involvement in the static analysis field
Static analysers in use at Airbus
On already certified (DO178B) avionics software products (A320, A330/340 and A380):
AbsInt's aiT family (Worst Case Execution Time computation)
– Processors: Texas TMS320C33 and Freescale PowerPC MPC755
AbsInt's StackAnalyzer family
– Processors: TMS320C3x; x86; PowerPCs
Caveat (made by the French nuclear research centre, CEA)
– Not an abstract-interpretation-based static analyser: Hoare/Dijkstra + theorem proving; proof of first-order logic user-specified properties
Involvement in the static analysis field
Static analysers in use at Airbus
On not yet certified (DO178B) avionics software products (A400M and A350):
Astrée (Patrick Cousot's team at École normale supérieure de Paris)
– Proof of absence of Run Time Errors
• on synchronous programs
• on sequential programs
Fluctuat (CEA)
– Precision of floating-point calculus on (small) pieces of synchronous programs
AbsInt's aiTs and StackAnalyzers
– Processors: PowerPCs other than 755
Involvement in the static analysis field
Static analysers in use at Airbus
Still as technological research prototypes:
lcertify (Patrick Cousot's team at École normale supérieure de Paris)
– Semantic equivalence between C source code and binary
• first targets: synchronous programs
• binary code produced by the Diab C/C++ compiler for PowerPC
AbsInt's utilities aiV and aiTV
Involvement in the static analysis field
Current motivations for static analysis
Increase of cost effectiveness
– When the static analysis method is more efficient (in case of one-to-one substitution)
– Always less specific hardware than for testing
– Maturity achieved earlier in the life-cycle
– Verification task automation allows developers to focus on the critical non-automated ones
Replacement of no longer applicable techniques
– When hardware/software complexity is such that legacy techniques become obsolete (e.g., WCET demonstration with a superscalar processor)
Optimisation of hardware resources (CPU, memory)
– When a static analyser's precision is higher than the legacy technique's
– At design time as well as in maintenance
Involvement in the static analysis field
Static analysis user's knowledge level
Knowing the underlying static analyser's basics is mandatory for:
Clearly understanding what a tool does and what it does not
– Soundness
– Industrial efficiency
Evaluating and helping the tool provider's capability to adapt a static analyser to the user's industrial context (first specialisation level)
– To the computational characteristics of the target programs
– To the existing methods and processes
Convincing regulation authorities
But also for:
Using a tool
– Result interpretation
– Fine-tuning of the analysis (second specialisation level)
Involvement in the static analysis field
Knowledge level (cont'd)
Trainings followed by Airbus employees:
– Abstract Interpretation basics
– Caveat: tool usage, tool underlying principles
Access to basics via publications, theses or documents:
– aiT (WCET), Astrée, lcertify and Fluctuat: theses and papers
Involvement in the static analysis field
Past and ongoing research projects
IST
– DAEDALUS: Abstract Interpretation from upstream research to industrial applications; ENS, X, CEA, DIKU, Saarland, Trier and Tel Aviv Universities, AbsInt and PolySpace Technologies; 2000–2002
French civil aviation
– "Preuve exacte" (exact proof): Caveat: fine-tuning and method of use; 1999–2001
– "Preuve approchée" (approximate proof): upstream research at ENS and X, Fluctuat; 2001–2003
– ASBAPROD: Product based assurance; ONERA, ENS, CEA, AbsInt; 2005–2009
RNTL (French government)
– ASTREE: RTE in synchronous programs (ENS, Astrée); 2002–2005
– Thesee: RTE in asynchronous programs; ENS, EDF; 2006–2009
– CAT: C Analysis Toolkit; CEA, INRIA, Dassault Aviation, Siemens VDO, France Télécom; 2006–2009
Involvement in the static analysis field
Contribution to the development of tools
AbsInt
– Development from Airbus orders (complete tools or adaptation of existing prototypes)
– Research contract
Caveat and Fluctuat (CEA)
– Airbus' contribution to development costs: 50%
– Since 1998 for Caveat
– Since 2003 for Fluctuat
– Research contract
Static Analysis Based Verification Activities
AbsInt's aiTs
Features and application domain
– Features: computes a safe upper bound of a task's WCET
– Application domain: analysis of binaries for Texas TMS320C33, PowerPC MPC755 (EABI rules)
– aiTs analyse whole application binaries
Adaptations to Airbus' context
– Model of an Airbus chipset; new annotations for improving precision; new worst-path search
Verification activity
– Replaces measurement and/or intellectual analysis; better precision
Static Analysis Based Verification Activities
AbsInt's aiTs
Verification activity (cont'd)
Computational characteristics of the targets:
– Application 1: aiT PPC755; Scade; linear control flow; limited use of cache; very deterministic behaviour
– Application 2: aiT PPC755; hand-written except configuration tables; less limited use of the cache, non-linear control flow; a little less deterministic
– Application 3: aiT C33; small I/O hand-written code; no cache; very deterministic behaviour
Scade application: Airbus developed an annotation generator (basic components are macros, not functions)
Certification credit: qualification as a verification tool (achieved)
Tool assessment: good precision wrt Airbus' legacy method
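The slides above state what a WCET analyser must deliver (a safe upper bound over a whole binary) and what it cannot do alone (bound a loop whose trip count is not visible in the code, hence the annotations and the annotation generator). The following added example, which is not aiT and not Airbus code, shows the skeleton of that computation on a structured program tree: per-block worst-case cycle costs are combined bottom-up, a branch takes the slower side because the path is not decided statically, and a loop is refused outright unless a user annotation bounds it. The block costs, the program shape and the annotation value are constructed for illustration.

```python
"""Added example (not AbsInt's aiT, whose binary-level analysis is far richer):
a structural WCET bound over a program tree with per-block worst-case cycle
costs, where loop bounds come from user annotations (aiT also needs such
annotations whenever a bound is not derivable from the binary).  Block costs,
the program shape and the annotation values are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class Block:
    """Straight-line basic block with a fixed worst-case cost in cycles."""
    name: str
    cycles: int


@dataclass
class Seq:
    parts: List["Node"]


@dataclass
class If:
    cond: Block
    then_branch: "Node"
    else_branch: "Node"


@dataclass
class Loop:
    label: str          # key looked up in the annotation table
    header: Block       # loop test: evaluated once more than the body runs
    body: "Node"


Node = Union[Block, Seq, If, Loop]


class MissingLoopBound(Exception):
    """No sound bound exists without a maximum iteration count."""


def wcet(node: Node, bounds: Dict[str, int]) -> int:
    """Return a safe upper bound on the cycles of `node`.
    A branch takes the max over both sides (the path is not decided statically);
    a loop contributes (bound + 1) header evaluations and `bound` body passes."""
    if isinstance(node, Block):
        return node.cycles
    if isinstance(node, Seq):
        return sum(wcet(p, bounds) for p in node.parts)
    if isinstance(node, If):
        return wcet(node.cond, bounds) + max(wcet(node.then_branch, bounds),
                                             wcet(node.else_branch, bounds))
    if isinstance(node, Loop):
        if node.label not in bounds:
            raise MissingLoopBound(node.label)
        n = bounds[node.label]
        return (n + 1) * wcet(node.header, bounds) + n * wcet(node.body, bounds)
    raise TypeError(f"unknown node {node!r}")


# Constructed task: init, an 8-tap filter loop with a saturation branch, output.
TASK = Seq([
    Block("init", 12),
    Loop("filter_loop", Block("loop_test", 3),
         Seq([Block("mac", 20),
              If(Block("cmp", 2), Block("saturate", 6), Block("keep", 1))])),
    Block("output", 9),
])
ANNOTATIONS = {"filter_loop": 8}   # max iterations, as a user annotation would state


def task_wcet() -> int:
    return wcet(TASK, ANNOTATIONS)   # 272 cycles


if __name__ == "__main__":
    print("WCET bound:", task_wcet(), "cycles")
```

Removing the annotation makes `wcet` raise rather than return a number, which is the behaviour a practitioner should insist on: a WCET that silently assumes a loop bound is a measurement, not a bound, and the "Some results" slides below show how far measurements can sit from the worst case.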
Some results
[Chart: per-task WCET comparison, tasks 1 to 24; series: aiT, Refresh, Async, Archi, Measurements.]
[Chart: ColdFire, legacy method, tasks 1 to 12; series: WCET, Measurements. Measurements are not worst case.]
Some results
[Chart: comparison between aiT results and measurements, detail for task 6 (32 data points); series: aiT, Refresh, Measures.]
Some results
[Chart: TMS C33 I/O software, task load, tasks 0 to 15; series: Measurements, WCET aiT.]
Static Analysis Based Verification Activities
AbsInt's StackAnalyzers
Features and application domain
– Features: computes a safe upper bound of a task's stack usage
– Application domain: analysis of binaries for Texas TMS320C33, PowerPC MPC755 (EABI rules) and x86 (LynuxWorks, formerly Lynx, compiler)
– StackAnalyzers analyse whole application binaries
Verification activity
– Replaces measurement and/or intellectual analysis
– Computational characteristics of the targets: no recursion, few function pointers
– Certification credit: qualification as a verification tool (achieved)
Tool assessment: good precision; ease of use; widely deployed at EYYW
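The two computational characteristics listed for the targets, no recursion and few function pointers, are exactly the two things that make a stack bound hard. The added example below, which is neither StackAnalyzer nor Airbus code, computes a stack bound as the heaviest path in a call graph with fixed frame sizes and shows what each characteristic buys: a cycle in the call graph makes the bound infinite and is rejected, and a call through a function pointer (marked `"*"`) cannot be bounded until an annotation lists its possible targets. Frame sizes, the call graph and the annotation are constructed for illustration.

```python
"""Added example (not AbsInt's StackAnalyzer): a stack-usage bound computed as
the heaviest path in a call graph whose nodes carry fixed frame sizes.  Recursion
makes the bound unbounded (rejected); a function pointer call ("*") cannot be
bounded until an annotation names its possible targets.  Frame sizes and the
call graph are constructed for illustration."""
from typing import Dict, List, Optional


class RecursionFound(Exception):
    """A cycle in the call graph: no finite stack bound exists."""


class UnresolvedIndirectCall(Exception):
    """An indirect call with no annotation listing its targets."""


def max_stack(entry: str, frames: Dict[str, int], calls: Dict[str, List[str]],
              indirect_targets: Optional[Dict[str, List[str]]] = None) -> int:
    """Upper bound on stack bytes used from `entry`, all callees included."""
    targets = indirect_targets or {}
    memo: Dict[str, int] = {}

    def visit(fn: str, path: List[str]) -> int:
        if fn in path:                             # back edge: recursion
            raise RecursionFound(" -> ".join(path + [fn]))
        if fn in memo:
            return memo[fn]
        callees: List[str] = []
        for callee in calls.get(fn, []):
            if callee == "*":                      # call through a function pointer
                if fn not in targets:
                    raise UnresolvedIndirectCall(fn)
                callees.extend(targets[fn])
            else:
                callees.append(callee)
        deepest = max((visit(c, path + [fn]) for c in callees), default=0)
        memo[fn] = frames[fn] + deepest            # own frame plus worst callee chain
        return memo[fn]

    return visit(entry, [])


# Constructed program: frame sizes in bytes (what each prologue reserves) and callees.
FRAMES = {"main": 64, "task_io": 32, "read_sensor": 16, "crc": 24,
          "log": 48, "fmt": 80, "isr_a": 40, "isr_b": 100}
CALLS = {"main": ["task_io", "log"],
         "task_io": ["read_sensor", "*"],          # "*": indirect call site
         "read_sensor": ["crc"],
         "log": ["fmt"]}
# Annotation resolving the pointer call in task_io to its two possible handlers.
INDIRECT = {"task_io": ["isr_a", "isr_b"]}


def bound_with_annotation() -> int:
    return max_stack("main", FRAMES, CALLS, INDIRECT)   # 196 bytes


if __name__ == "__main__":
    print("stack bound from main:", bound_with_annotation(), "bytes")
```

Note that the annotated target list changes the answer (the `isr_b` handler, not the `log` chain, is the deepest path), so an under-approximated target set gives an unsound bound; this is why such annotations are part of what gets reviewed when the tool is used for certification credit.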
Next transfers: Astrée
Features and application domain
– Features: proof of absence of Run Time Errors in C code
– Astrée's "favourite" application domain: synchronous programs, preferably automatically generated (e.g., from SCADE)
– Astrée analyses complete applications (in other words: it scales up)
Future verification activity
– Astrée will address a DO178B concern which is currently not handled by a single verification activity
– Computational characteristics of the targets:
• Application type 1: synchronous code automatically generated from SCADE specs; linear control flow ("encoded in booleans"); almost no pointers; intense floating-point calculus; digital filters; "automatics laws" (control laws)
• Application type 2: hand-written sequential code ("driver-like" code)
The RTE analysis process
[Diagram]
Inputs: pre-processed C source code (.c); config file (.conf): input ranges, number of clock ticks; options: entry point, loop unrolling, etc.; directives: hints & assertions.
ASTRÉE runs on these inputs and reports alarms together with the computed variable ranges.
Alarms? no: the absence of run-time errors is proven.
Alarms? yes: alarm investigation, which classifies each alarm as either a false alarm (the configuration or directives are refined and the analysis is re-run) or a bug.
Improving the precision: G_P
• Overflow or division by zero reported on the last line of G_P:
  ...
  G2=R3+1;
  Z1=(X1-C1[R2])*(*(C4+(TAILLE_X)*R3+R2)) + (*(C3+(TAILLE_X+1)*R3+R2));
  Z2=(X1-C1[R2])*(*(C4+(TAILLE_X)*G2+R2)) + (*(C3+(TAILLE_X+1)*G2+R2));
  return(Z2*(Y2-C2[R3])+Z1*(C2[G2]-Y2))/(C2[G2]-C2[R3]);
• Directives added to remove the alarm: __ASTREE_partition_begin((R3)); before the computation and __ASTREE_partition_merge(()); after it, so that the analysis is carried out separately for each value of R3.
• False alarm: since G2=R3+1 and C2[i+1]-C2[i]>1 for any index i, the divisor C2[G2]-C2[R3] is never zero. Without the partition the analyser only knows R3 and G2 as independent ranges, loses the relation between them, and cannot exclude zero.
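To make the partitioning argument concrete, the following added example (not Astrée, not Airbus code) evaluates the abstract value of the G_P divisor in two ways. With plain intervals, R3 and G2 = R3+1 are two independent ranges over the breakpoint table C2, so the divisor C2[G2]-C2[R3] becomes [min(C2)-max(C2), max(C2)-min(C2)], which straddles zero and triggers the alarm. Partitioning on R3, which is what the `__ASTREE_partition_begin((R3))` directive requests, analyses one value of R3 at a time, where the difference is a single number greater than 1. The breakpoint table and the range of R3 are constructed; the property C2[i+1]-C2[i] > 1 is the one stated on the slide.

```python
"""Added example (not Astrée itself): why the division in G_P is a false alarm
under plain intervals and why partitioning on R3 removes it.  The breakpoint
table and the range of R3 are constructed for illustration."""
from typing import Dict, List, Tuple

Interval = Tuple[float, float]

# Constructed interpolation breakpoints: strictly increasing with gaps > 1,
# i.e. the property C2[i+1]-C2[i] > 1 that the slide relies on.
C2: List[float] = [0.0, 2.5, 5.0, 8.0, 12.0]
# R3 indexes a segment, so G2 = R3+1 stays inside the table.
R3_RANGE: Tuple[int, int] = (0, len(C2) - 2)


def gaps_exceed_one(c2: List[float]) -> bool:
    """The invariant the programmer knows and the analyser has to be told."""
    return all(c2[i + 1] - c2[i] > 1 for i in range(len(c2) - 1))


def hull(values: List[float]) -> Interval:
    return (min(values), max(values))


def sub(a: Interval, b: Interval) -> Interval:
    """Interval subtraction a - b: the result loses any relation between a and b."""
    return (a[0] - b[1], a[1] - b[0])


def may_be_zero(iv: Interval) -> bool:
    """The alarm condition: the divisor's abstract value contains 0."""
    return iv[0] <= 0.0 <= iv[1]


def divisor_plain_intervals(c2: List[float], r3: Tuple[int, int]) -> Interval:
    """Abstract divisor when G2 = R3+1 is only known as a range, not as a relation."""
    lo, hi = r3
    c2_r3 = hull(c2[lo:hi + 1])          # C2[R3] for R3 in [lo, hi]
    c2_g2 = hull(c2[lo + 1:hi + 2])      # C2[G2] for G2 in [lo+1, hi+1]
    return sub(c2_g2, c2_r3)


def divisor_partitioned(c2: List[float], r3: Tuple[int, int]) -> Dict[int, Interval]:
    """Abstract divisor per partition: one value of R3 at a time, G2 exact in each."""
    lo, hi = r3
    return {v: sub((c2[v + 1], c2[v + 1]), (c2[v], c2[v])) for v in range(lo, hi + 1)}


def alarm_without_partition() -> bool:
    return may_be_zero(divisor_plain_intervals(C2, R3_RANGE))       # True: spurious


def alarm_with_partition() -> bool:
    return any(may_be_zero(iv) for iv in divisor_partitioned(C2, R3_RANGE).values())


if __name__ == "__main__":
    print("plain intervals   :", divisor_plain_intervals(C2, R3_RANGE),
          "alarm" if alarm_without_partition() else "no alarm")
    print("partitioned on R3 :", divisor_partitioned(C2, R3_RANGE),
          "alarm" if alarm_with_partition() else "no alarm")
```

The partition is sound only because every value of R3 is covered, which is why the directive is preferable to an `__ASTREE_assert`-style hint that merely states the divisor is non-zero: the former lets the analyser re-derive the fact from the table, the latter asks it to trust the programmer.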
Alarm analysis: G_P
• Early in the data-flow: several alarms on the linear interpolation function G_P (divisions by zero & floating-point overflows)
• Reduced example (same alarms as the full program):
  PADN13 = fabs(DQM);
  PADN12 = fabs(PHI1F);
  X271Z14 = G_P(PADN13, PADN12, ...conf tables...);
• DQM and PHI1F are volatile inputs whose ranges come from the config file: [-37.5559, 37.5559] and [-199.22, 199.22]
Industrial applicability
• Metrics (2.6 GHz, 16 GB RAM PC):
  Analysed program   kLOC   False alarms   Analysis time
  Sequential 1        18        3          1 h 14 min
  Sequential 2        37        2          10 min
  Synchronous 1      100        3          7 h 15 min
  Synchronous 2       76        0          6 h
  Synchronous 3      500        2          30 h
• Next step: industrial use & qualification
Next transfers: Fluctuat
Features and application domain
Features:
– Computes a safe over-approximation of the accumulated rounding errors in floating-point calculus
– Functional verification of small numerical algorithms (sqrt, trigonometric operators)
First application domain: numerical operators used in code generation (e.g., from SCADE specs)
Future verification activity: Fluctuat will replace an intellectual analysis
Tool assessment: some work is still required for industrial use
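The intellectual analysis Fluctuat is meant to replace bounds how far a float32 result can drift from the real-valued computation that the SCADE model actually specifies. The added example below is not Fluctuat (whose zonotope-based domain is far more precise) and not Airbus code; it implements the simplest sound version of that reasoning: each quantity carries an interval of its real value plus a bound on the accumulated absolute error, every operation propagates its operands' errors and adds at most u times the magnitude of its result as fresh rounding (u = 2^-24 for binary32), and constants carry their representation error. The bound obtained for a first-order digital filter is then checked against an actual float32 run compared with exact rational arithmetic. The filter coefficients and the input sequence are constructed.

```python
"""Added example (not CEA's Fluctuat): a small rounding-error domain that
carries an interval of the real value plus a bound on |float32 - real|, applied
to a first-order filter and checked against an emulated float32 run.  Filter
coefficients and the input sequence are constructed for illustration."""
from fractions import Fraction
import struct
from typing import List, Tuple

U32 = 2.0 ** -24   # unit roundoff of IEEE-754 binary32 with round-to-nearest


def f32(x: float) -> float:
    """Round a Python float (binary64) to the nearest binary32."""
    return struct.unpack("f", struct.pack("f", x))[0]


class ErrVal:
    """[lo, hi] encloses the real value; err bounds the accumulated absolute error."""

    def __init__(self, lo: float, hi: float, err: float = 0.0):
        self.lo, self.hi, self.err = lo, hi, err

    @staticmethod
    def const(c: float) -> "ErrVal":
        return ErrVal(c, c, abs(f32(c) - c))        # error of storing c as float32

    def mag(self) -> float:
        return max(abs(self.lo), abs(self.hi))

    def _round(self, lo: float, hi: float, propagated: float) -> "ErrVal":
        # The computed value lies within `propagated` of [lo, hi]; rounding it
        # to float32 adds at most u times its magnitude.
        computed_mag = max(abs(lo), abs(hi)) + propagated
        return ErrVal(lo, hi, propagated + U32 * computed_mag)

    def __add__(self, o: "ErrVal") -> "ErrVal":
        return self._round(self.lo + o.lo, self.hi + o.hi, self.err + o.err)

    def __mul__(self, o: "ErrVal") -> "ErrVal":
        corners = [self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi]
        # |(x+dx)(y+dy) - xy| <= |x||dy| + |y||dx| + |dx||dy|
        propagated = self.mag() * o.err + o.mag() * self.err + self.err * o.err
        return self._round(min(corners), max(corners), propagated)


A, B = 0.9, 0.1   # y[k+1] = A*y[k] + B*x[k], inputs x in [-1, 1]


def filter_error_bound(steps: int) -> float:
    """Static over-approximation of |y_float32 - y_real| after `steps` iterations."""
    a, b, x = ErrVal.const(A), ErrVal.const(B), ErrVal(-1.0, 1.0)
    y = ErrVal(0.0, 0.0)
    for _ in range(steps):
        y = a * y + b * x
    return y.err


def constructed_inputs(steps: int) -> List[Fraction]:
    """Deterministic inputs on a 1/64 grid (exactly representable in float32)."""
    return [Fraction((k * 37) % 129 - 64, 64) for k in range(steps)]


def filter_actual_error(steps: int) -> float:
    """Run the filter in emulated float32 and in exact rationals; return the final error."""
    a32, b32 = f32(A), f32(B)
    y32, y_exact = 0.0, Fraction(0)
    for x in constructed_inputs(steps):
        y32 = f32(f32(a32 * y32) + f32(b32 * float(x)))   # every operation rounds to float32
        y_exact = Fraction(9, 10) * y_exact + Fraction(1, 10) * x
    return float(abs(Fraction(y32) - y_exact))


def check(steps: int = 20) -> Tuple[float, float]:
    """(actual error, static bound); soundness means actual <= bound."""
    return filter_actual_error(steps), filter_error_bound(steps)


if __name__ == "__main__":
    actual, bound = check()
    print(f"actual error {actual:.3e} <= bound {bound:.3e}: {actual <= bound}")
```

Two things worth noticing when running it: the bound converges because the filter is contracting (the 0.9 factor shrinks the propagated error faster than each step adds new rounding), and the representation error of the constant 0.9 is a systematic term that accumulates coherently across steps, which is why it must be tracked separately rather than folded into the per-operation rounding.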
Static Analyzers in the development Cycle
[V-cycle diagram]
Left branch: Specification; Software architecture; LL requirements; Code (Frama-C); Executable (Automatic Coding; Translation Validation (R&T) between code and executable).
Right branch: Unit Verification: Caveat (UP), Frama-C, Fluctuat, aiV, aiT, Stackanalyzer; Integration Verification: Caveat (IP, R&T), Frama-C, aiV, aiT, Stackanalyzer; Validation level checks: Astrée, Fluctuat (R&T); also listed on the executable: aiV, aiT, Stackanalyzer.
QUESTIONS?
Static Analysis Based Verification Activities
CAVEAT
Features and application domain
Features
– Data flow analysis
– Hoare-style proof of properties on C code: theorem proving, first-order logic
Application domain
– Sequential C programs, no parallelism
– No recursion, no aliases, no function pointers
Adaptations to Airbus' context
– Low-level programming (drivers), e.g., bit-wise operators, shifts, volatile type
– Batch mode and script language
Static Analysis Based Verification Activities
CAVEAT (cont'd)
Verification activity: Unit Proving in replacement of Unit Testing
– Proof that each C function satisfies its formal specification (Low Level Requirements)
– The callees are "stubbed"
– Used on an A380 avionics program: DO178B DAL A; 31000 LOC in 307 C functions; 38000 lines of properties
– Dedicated method (categories of properties, conditions on input, partition of the input space)
– Computational characteristics of the target: low-level programming (driver-like); neither fixed-point nor floating-point calculus
– Certification credit: qualification as a verification tool (achieved)
Static Analysis Based Verification Activities
CAVEAT (cont'd)
Tool usage assessment: POSITIVE ASPECTS
[Chart: comparison unit test (TU) vs unit proof (PU): size of the unit test/proof plan vs size of the verified code. Ratio (lines of verification plan / lines of code): SYST (TU) 2.78; SFTY (PU) 1.72.]
[Chart: proof results: automatic proof 94.4%; interactive proof 5.4%; waived proof 0.1%.]
[Chart: lines of code designed and verified per hour: development with unit proof 4.25; development with unit test 3.60.]
Static Analysis Based Verification Activities
CAVEAT (the end)
Tool usage assessment: negative aspects
– The effort for building the automatic framework was under-estimated, but it will be reused
– The method for writing the properties was defined during the development, but it will be reused
– Internal support is to be improved for future uses of Caveat
APPLICATION TO THE A380 PRIM COMPUTER: formal methods and development cycle
[Diagram: Subset Specification; Design; Coding; Unit Proofs; Integration]
Design
• Specific Software Design Standard (SDS_CAV)
• Drafting of LLR using the properties
• Definition of the unit proof plan using properties
• Re-reading of the Design based on properties
Unit Proofs
• Definition of the Unit Proof environment and complements to the properties (MRP)
• Automatic verification of the data/control flow
• Verification of compliance of C source to properties
Independence: Designer / Coder and Designer / Prover are distinct roles