Title: C Global Surveyor
Slide 1: C Global Surveyor
Static Analysis of Large NASA Flight Software
Experience, Lessons and Perspectives
- Arnaud Venet
- Kestrel Technology, LLC
- 3260 Hillview Avenue
- Palo Alto, CA 94304
- arnaud_at_kestreltechnology.com
Slide 2: Motivations
- At the starting point of our study are two questions
  - Can we achieve the precise verification of pointer-intensive applications automatically?
  - Can we do this for the whole program at once?
- No existing tool met both requirements
- We designed and developed C Global Surveyor
- Context of our study
  - Conducting research at NASA Ames
  - Available software from the Mars Exploration Program
Slide 3: Verification of Array Manipulations
- Arrays are the basic data structures in embedded programs
- Out-of-bounds array access
  - One of the most common runtime errors
  - One of the most difficult to trace back
Slide 4: Roadmap
- The structure of flight software for Mars missions
- Initial design of C Global Surveyor
- Reviewing the design of the analyzer
- Experiments on existing flight codes
- What next?
Slide 5: Roadmap (section: The structure of flight software for Mars missions)
Slide 6: The MPF Family
- Mars Pathfinder (MPF)
  - Experimental mission for testing new technologies (airbag landing)
  - New software architecture
- Subsequent missions shared the architecture and programming style inherited from MPF
  - Mars Pathfinder: 140 KLOC, 20 threads
  - Deep Space 1 (DS1): 280 KLOC, 40 threads
  - Mars Exploration Rovers (MER): 550 KLOC, 100 threads
Slide 7: Object-Oriented Design
- Thousands of small functions such as assign() below; almost all of them contain loops
- Each of them is reached from 10...1000 call sites, for example:

    assign(A, B, 10);
    assign(pS->f, A2, m);

    /* Copy n doubles from q into p; the analyzer must prove 0 <= i < size
       of both arrays at every call site. */
    void assign(double *p, double *q, int n)
    {
        int i;
        for (i = 0; i < n; i++)
            p[i] = q[i];
    }
Slide 8: Runtime Structure
[Diagram: several threads exchange messages through queues and share one heap that is large but shallow]
Slide 9: Roadmap (section: Initial design of C Global Surveyor)
Slide 10: Design Choices
- Symbolic information (access paths) is bulky and difficult to mix with numerical information (array indices)
  - All-numerical representation: an access path becomes an address expression, e.g.
    S.f[2][3] → S + offset(f) + 2 * size(row) + 3 * size(elem)
- Context-sensitivity is required
  - We can't afford performing 1000 fixpoint iterations with widening and narrowing for a single function
  - Compute a summary of the function using a relational numerical lattice
Slide 11: Design Choices
- The structure of the memory graph is shallow and stable over time
  - Use Steensgaard / Das pointer analysis
- Precision is required for loop invariants and array indices
  - Convex polyhedra have exponential complexity
  - Use Difference-Bound Matrices: O(n^3)
- Relevant numerical information is mostly carried by function parameters
  - Abstract away all integers in the heap
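To make the design choices on slides 10 and 11 concrete, here is an added example (not CGS's own code and not part of the original deck): a toy difference-bound-matrix domain over constraints of the form x - y <= c, closed with Floyd-Warshall, which is the O(n^3) step the slide refers to. It builds the loop invariant of the assign() function from slide 7 once, as a summary over the parameter n and the symbolic sizes of p and q, and then instantiates that summary at call sites with concrete sizes to decide whether p[i] and q[i] stay in bounds. The variable names, the three verdicts and the call sites are assumptions made for this illustration.

```python
"""Toy DBM domain and function summary (illustration; not CGS code).
Variable names, verdict labels and call sites are assumptions."""

INF = float("inf")


class DBM:
    """Difference-bound matrix over variables v_1..v_n plus the constant
    zero at index 0: m[i][j] = c encodes v_i - v_j <= c."""

    def __init__(self, names):
        self.names = ["0"] + list(names)
        n = len(self.names)
        self.m = [[0 if i == j else INF for j in range(n)] for i in range(n)]

    def _idx(self, v):
        return 0 if v is None else self.names.index(v)

    def add(self, x, y, c):
        """Constrain x - y <= c; pass None for the constant zero."""
        i, j = self._idx(x), self._idx(y)
        self.m[i][j] = min(self.m[i][j], c)

    def close(self):
        """Floyd-Warshall shortest paths (the cubic step): afterwards every
        bound implied by the others is explicit. Returns False when a
        negative cycle shows the constraints are unsatisfiable."""
        m, n = self.m, len(self.names)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    if m[i][k] + m[k][j] < m[i][j]:
                        m[i][j] = m[i][k] + m[k][j]
        return all(m[i][i] >= 0 for i in range(n))

    def bound(self, x, y=None):
        """Tightest known c with x - y <= c (INF if unconstrained)."""
        return self.m[self._idx(x)][self._idx(y)]


def assign_summary():
    """Loop invariant of assign(): on every execution of p[i] = q[i] the
    index satisfies 0 <= i < n. The array sizes stay symbolic so one
    summary serves every call site (hypothetical size_p / size_q names)."""
    d = DBM(["i", "n", "size_p", "size_q"])
    d.add(None, "i", 0)    # 0 - i <= 0   i.e. i >= 0
    d.add("i", "n", -1)    # i - n <= -1  i.e. i <  n
    return d


def _verdict(d, size):
    if d.bound(None, "i") <= 0 and d.bound("i", size) <= -1:
        return "safe"       # 0 <= i <= size - 1 proven on every iteration
    if d.bound(size, "i") <= 0:
        return "error"      # size <= i on every iteration
    return "warning"        # neither proven: report for manual review


def check_call(n, size_p, size_q):
    """Instantiate the summary at assign(p, q, n) with a concrete n and
    concrete array sizes; return a verdict for each array access."""
    d = assign_summary()
    for var, val in (("n", n), ("size_p", size_p), ("size_q", size_q)):
        d.add(var, None, val)     # var - 0 <= val
        d.add(None, var, -val)    # 0 - var <= -val
    if not d.close():
        # e.g. n == 0: i >= 0 and i < 0 contradict, the loop body never runs
        return {"p[i]": "unreachable", "q[i]": "unreachable"}
    return {"p[i]": _verdict(d, "size_p"), "q[i]": _verdict(d, "size_q")}


if __name__ == "__main__":
    for call in ((10, 10, 10), (10, 8, 10), (5, 0, 10), (0, 10, 10)):
        print("assign(p, q, n=%d) with size_p=%d size_q=%d: %s"
              % (call + (check_call(*call),)))
```

Note the n == 0 call: the bounds i >= 0 and i < n close to a negative cycle, so the loop body is unreachable and nothing is reported. In the deck the array sizes come out of the all-numerical representation of access paths rather than being passed in by hand, and loops whose bounds are not constant need widening, which this toy omits.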
Slide 12: Memory Graph Construction
[Diagram: threads thr1 and thr2 and functions f and g are summarized by the operations they perform on the heap (init, READ, WRITE, ITERATE); from these an Abstract Heap (sound approximation) is built and then refined into a Refined Abstract Heap (sound approximation)]
Slide 13: Distributed Architecture
[Diagram: a PostgreSQL database holds the equations generated for each source file (file1.c, file2.c); a cluster of machines coordinated with PVM picks up the analysis of individual functions (f, g)]
Slide 14: Roadmap (section: Reviewing the design of the analyzer)
Slide 15: First Experiments
- The execution times were very long (tens of hours)
  - The difference-bound matrices were large and dense
  - The cubic time complexity was always attained
- The memory graph was very large and imprecise
  - A lot of pointers were transmitted between threads through message queues
  - The approximation of message queues by Steensgaard's analysis was too coarse
Slide 16: CGS Tune-Up
- Adaptive clustering of variables in difference-bound matrices
  - Variables are grouped in small-size packets (average size 4)
  - Packets are dynamically constructed during the analysis
  - Significant speedup (15 min → 5 sec for a function)
- Extending Das's one-level flow optimization to an arbitrary depth within data structures
  - Spectrum of pointer analyses between Steensgaard and Andersen
  - Depth-3 analysis was sufficient to recover enough precision
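Added example for slides 11, 15 and 16 (not CGS's code): a unification-based points-to analysis in the style of Steensgaard next to an inclusion-based one in the style of Andersen, both run over a constructed program shape in which two producer threads push message pointers into one queue and a consumer pulls from it. The queue is modelled as a single abstract cell, which is the approximation slide 15 calls too coarse. The statement encoding, the variable names and the program are assumptions.

```python
"""Steensgaard-style vs Andersen-style points-to analysis on a queue
shape (illustration; not CGS code). Program and encoding are assumptions."""

from collections import defaultdict

# Constructed program, one statement per tuple:
#   ("addr", p, a)  p = &a      ("copy", p, q)  p = q
#   ("load", p, q)  p = *q      ("store", p, q) *p = q
# The queue is the single variable "q": thread 1 and thread 2 each enqueue
# a message pointer into it and the consumer dequeues from it.
PROGRAM = [
    ("addr", "m1", "buf_a"),   # thread 1: message points at its buffer
    ("copy", "q", "m1"),       # thread 1: enqueue
    ("addr", "m2", "buf_b"),   # thread 2: message points at its buffer
    ("copy", "q", "m2"),       # thread 2: enqueue
    ("copy", "r", "q"),        # consumer: dequeue
    ("copy", "s", "m1"),       # thread 1: local alias of m1, never near the queue
]


def andersen(stmts):
    """Inclusion-based analysis: pts(p) only ever grows, until a fixpoint."""
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for kind, p, q in stmts:
            if kind == "store":             # *p = q: each target of p gains pts(q)
                for t in list(pts[p]):
                    if not pts[q] <= pts[t]:
                        pts[t] |= pts[q]
                        changed = True
                continue
            if kind == "addr":
                new = {q}
            elif kind == "copy":
                new = set(pts[q])
            else:                           # load: p = *q
                new = set().union(*(pts[t] for t in list(pts[q])))
            if not new <= pts[p]:
                pts[p] |= new
                changed = True
    return {v: frozenset(s) for v, s in pts.items()}


class Steensgaard:
    """Unification-based analysis: every equivalence class of locations has
    at most one pointee class, so an assignment joins classes instead of
    growing a set. Near-linear time, but it merges aggressively."""

    def __init__(self):
        self.parent = {}
        self.pointee = {}     # class representative -> a node of its pointee class

    def find(self, v):
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]
            v = self.parent[v]
        return v

    def target(self, v):
        """Representative of the class that v's class points to (fresh if unknown)."""
        r = self.find(v)
        if r not in self.pointee:
            self.pointee[r] = ("deref", v)   # fresh abstract location
        return self.find(self.pointee[r])

    def join(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        self.parent[rb] = ra
        pa, pb = self.pointee.pop(ra, None), self.pointee.pop(rb, None)
        if pa is not None or pb is not None:
            self.pointee[ra] = pa if pa is not None else pb
        if pa is not None and pb is not None:
            self.join(pa, pb)   # both classes had pointees: unify those as well


def steensgaard(stmts):
    st = Steensgaard()
    for kind, p, q in stmts:
        if kind == "addr":
            st.join(st.target(p), q)
        elif kind == "copy":
            st.join(st.target(p), st.target(q))
        elif kind == "load":
            st.join(st.target(p), st.target(st.target(q)))
        else:                               # store
            st.join(st.target(st.target(p)), st.target(q))
    variables = {v for _, p, q in stmts for v in (p, q)}
    result = {}
    for v in variables:
        cls = st.find(st.target(v))
        result[v] = frozenset(x for x in variables if st.find(x) == cls)
    return result


if __name__ == "__main__":
    for name, analysis in (("Andersen", andersen), ("Steensgaard", steensgaard)):
        res = analysis(PROGRAM)
        for v in ("m1", "m2", "q", "r", "s"):
            print("%-11s %s -> %s" % (name, v, sorted(res.get(v, ()))))
```

Both analyses lose the producer-to-consumer correspondence through the single queue cell (r may point to either buffer). The unification-based one goes further: joining the queue's target class with the targets of m1 and m2 makes m1 and s, which never touch the queue, appear to point to both buffers too. Recovering per-message precision is what the deeper treatment of data structures on slide 16 is for; this example does not implement it.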
Slide 17: Roadmap (section: Experiments on existing flight codes)
Slide 18: Performance Results
- Overall precision: 80% of all array accesses statically checked for MPF, DS1 and MER
- Performance
  - Over 100 KLOC/hour for MPF and DS1
  - 20 hours for MER
- Main issue
  - Massive amount of artifacts clogs up the database
  - The database architecture is difficult to optimize (B-trees)
  - A standard relational database is not adequate
Slide 19: Impact of Parallelization
Slide 20: Main Conclusions
- Experiments conducted on dual-processor machines
- Significant speedup when the network is not used, negligible otherwise
- Main source of imprecision: important data passing across low-level structures
  - Message queues
  - EEPROM
- Recovering a high-level abstraction from a low-level representation is extremely difficult
Slide 21: Experiments with CGS
- CGS is currently used at
  - JPL
  - Marshall Space Flight Center
  - Ames Research Center
- It has been applied to a variety of codes including
  - The Advanced Video Guidance Sensor (Shuttle)
  - The Boot Loader for the Shuttle engine controller
  - The Urine Processor Assembly of the ISS
  - The Habitat Holding Rack (ISS)
  - The Materials Science Research Rack (ISS)
Slide 22: Roadmap (section: What next?)
Slide 23: Static Analysis at the Spec Level
[Diagram: Specs are turned into Code by Refinement or Synthesis (Implementation); Static Analysis is applied at both levels, for Functional Validation at the spec level and for Code Certification at the code level]
Slide 24: Model-Centric Safety-Critical Java for Exploration (NASA ESMD)
[Diagram: domain-specific languages (DSL) for Power Management, Guidance Control, ... are checked by Static Analysis (Verification of System Requirements), then turned into SC Java by Provably Correct Code Generation; the generated code together with Handwritten Java is checked by Static Analysis (Verification of Real-Time Requirements)]
Slide 25: Whole System Analysis
[Diagram: a Model of the Environment, a Model of the User and a Model of the System feed one Static Analysis, used for:]
- System-level verification
- Automated test generation
- System reengineering
- ...
Slide 26: More Information
Visit our web site: www.kestreltechnology.com
- Online papers
- MXJ Project: Model-Centric Safety-Critical Java for Exploration