					               C Global Surveyor

           Static Analysis of Large NASA Flight
           Software: Experience, Lessons and
                       Perspectives

                       Arnaud Venet

                     Kestrel Technology, LLC
                      3260 Hillview Avenue
                       Palo Alto, CA 94304
                arnaud@kestreltechnology.com


8/9/2005                 Kestrel Technology LLC   Page 1
           Motivations

 • At the starting point of our study are two questions:
    • Can we achieve the precise verification of pointer-
      intensive applications automatically?
    • Can we do this for the whole program at once?
 • No existing tool met both requirements
 • We designed and developed C Global Surveyor
 • Context of our study:
    • Conducting research at NASA Ames
    • Available software from the Mars Exploration
      Program

           Verification of Array Manipulations

 • Arrays are the basic data structures in embedded
   programs
 • Out-of-bounds array access:
    • One of the most common runtime errors
    • One of the most difficult to trace back
           double a[10];
           for (i = 0; i < 10; i++)
            a[i] = ...;                        /* 0 <= i < 10 */
           if (...)
            a[i] = ...;                        /* i = 10 */

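A worked version of this check, added here as an example (it is not code from the slides or from C Global Surveyor): a minimal interval analysis with widening and narrowing over the counting loop above. It derives 0 <= i < 10 inside the loop body and i = 10 at the loop exit, so the first access is proved safe and the second is reported. The loop shape, the step parameter and the function names are the example's own assumptions.

```python
"""Interval analysis of  for (i = 0; i < 10; i++) a[i] = ...;  followed by
a[i] = ...;  Added example, not CGS code: one integer variable, widening to
reach a fixpoint quickly, narrowing to recover the finite upper bound."""

INF = float("inf")


class Interval:
    """Closed interval [lo, hi] over integers; lo > hi denotes bottom (unreachable)."""

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi

    def is_bottom(self):
        return self.lo > self.hi

    def join(self, other):
        """Least upper bound of two intervals."""
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def widen(self, other):
        """Standard widening: an unstable bound jumps to infinity."""
        if self.is_bottom():
            return other
        lo = self.lo if other.lo >= self.lo else -INF
        hi = self.hi if other.hi <= self.hi else INF
        return Interval(lo, hi)

    def narrow(self, other):
        """Standard narrowing: only infinite bounds are pulled back."""
        lo = other.lo if self.lo == -INF else self.lo
        hi = other.hi if self.hi == INF else self.hi
        return Interval(lo, hi)

    def add(self, k):
        return Interval(self.lo + k, self.hi + k)

    def less_than(self, c):
        """Refine by the guard i < c."""
        return Interval(self.lo, min(self.hi, c - 1))

    def at_least(self, c):
        """Refine by the negated guard i >= c."""
        return Interval(max(self.lo, c), self.hi)

    def __eq__(self, other):
        return (self.lo, self.hi) == (other.lo, other.hi)

    def __repr__(self):
        return "bottom" if self.is_bottom() else f"[{self.lo}, {self.hi}]"


def analyze_counting_loop(init, bound, step=1):
    """Abstract execution of  for (i = init; i < bound; i += step) body;
    Returns (interval of i inside the body, interval of i at loop exit)."""
    entry = Interval(init, init)
    head = entry
    # Ascending phase: iterate with widening until the loop head is stable.
    while True:
        body_in = head.less_than(bound)
        widened = head.widen(entry.join(body_in.add(step)))
        if widened == head:
            break
        head = widened
    # Descending phase: narrowing trades the infinite bound for the real one.
    while True:
        body_in = head.less_than(bound)
        narrowed = head.narrow(entry.join(body_in.add(step)))
        if narrowed == head:
            break
        head = narrowed
    return head.less_than(bound), head.at_least(bound)


def check_access(index, array_len):
    """True when every index in the interval lies within [0, array_len - 1]."""
    return index.is_bottom() or (index.lo >= 0 and index.hi < array_len)


def verify_slide_example(array_len=10):
    """Analyze the slide's loop over double a[array_len] and both accesses."""
    in_loop, after_loop = analyze_counting_loop(0, array_len)
    return {
        "in_loop": (in_loop.lo, in_loop.hi),            # (0, 9): 0 <= i < 10
        "after_loop": (after_loop.lo, after_loop.hi),   # (10, 10): i = 10
        "loop_access_safe": check_access(in_loop, array_len),      # True
        "exit_access_safe": check_access(after_loop, array_len),   # False
    }


if __name__ == "__main__":
    print(verify_slide_example())
```

The ascending phase stabilizes after two iterations at [0, +inf]; a single narrowing step then yields [0, 10] at the loop head, which the guard splits into [0, 9] for the body and [10, 10] for the exit. That exit value is exactly the i = 10 annotated on the slide, and it is what makes the second a[i] reportable without any path sensitivity.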
              Roadmap

 1.    The structure of flight software for Mars missions
 2.    Initial design of C Global Surveyor
 3.    Reviewing the design of the analyzer
 4.    Experiments on existing flight codes
 5.    What next?

           The MPF Family

 • Mars Pathfinder (MPF):
    • Experimental mission for testing new technologies
      (airbag landing)
    • New software architecture
 • Subsequent missions shared the architecture and
   programming style inherited from MPF:
    • Mars Pathfinder: 140 KLOC, 20 threads
    • Deep Space 1 (DS1): 280 KLOC, 40 threads
    • Mars Exploration Rovers (MER): 550 KLOC, 100
      threads


               Object-Oriented Design

   10...1000 call sites, for example:
           assign (&A, &B, 10)              assign (&pS->f, &A[2], m)

           /* Called from many sites with different buffers and lengths */
           void assign (double *p, double *q, int n) {
               int i;
               for (i = 0; i < n; i++)
                 p[i] = q[i];
           }

   Thousands of such functions; almost all of them contain loops
                Runtime Structure

   [Figure: runtime structure. Several threads exchange data through
    message queues over a shared heap; the diagram labels the heap as
    shallow in structure but large in size.]

            Design Choices

 • Symbolic information (access paths) is bulky and
   difficult to mix with numerical information (array
   indices)
    • All-numerical representation
           &S.f[2][3]  ->  &S + offset(f) + 2 * size(row)
                                          + 3 * size(elem)
 • Context-sensitivity is required
    • We can't afford to perform 1000 fixpoint iterations
      with widening and narrowing for a single function
    • Compute a summary of the function using a
      relational numerical lattice
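An added example of the all-numerical representation (not code from the slides or from CGS): a constructed type layout in which the access path &S.f[2][3] is translated into a byte offset from &S, exactly as in the formula above. The example also checks each index against its own dimension while flattening, because an offset that still falls inside S can hide a row overflow that a check against the enclosing object alone would miss. The field names, element sizes and the absence of struct padding are assumptions of the example.

```python
"""Flatten symbolic access paths into numeric offsets.  Added example, not
CGS code.  Layout below is constructed: struct S { double t; double f[4][5]; }
with 8-byte doubles and no padding (true for this particular layout)."""


class Scalar:
    def __init__(self, size):
        self.size = size


class Array:
    def __init__(self, elem, count):
        self.elem, self.count = elem, count
        self.size = elem.size * count


class Struct:
    """Fields laid out back to back; offset(f) is the running sum of sizes."""

    def __init__(self, fields):
        self.fields, off = {}, 0
        for name, ty in fields:
            self.fields[name] = (off, ty)
            off += ty.size
        self.size = off


def flatten(base, path):
    """Translate an access path (list of ("field", name) / ("index", k))
    into a byte offset from &base.
    Returns (offset, type of the designated object, index violations)."""
    offset, ty, violations = 0, base, []
    for kind, arg in path:
        if kind == "field":
            field_off, ty = ty.fields[arg]
            offset += field_off                      # + offset(f)
        elif kind == "index":
            if not 0 <= arg < ty.count:              # per-dimension check
                violations.append((arg, ty.count))
            offset += arg * ty.elem.size             # + k * size(elem)
            ty = ty.elem
        else:
            raise ValueError(f"unknown path component {kind!r}")
    return offset, ty, violations


def check_path(base, path):
    """Numeric bounds check of a flattened access against the whole object,
    plus the per-dimension verdict gathered during flattening."""
    offset, ty, violations = flatten(base, path)
    inside_object = 0 <= offset and offset + ty.size <= base.size
    return {
        "offset": offset,
        "inside_object": inside_object,
        "per_dimension_ok": not violations,
    }


# Constructed layout: struct S { double t; double f[4][5]; }
DOUBLE = Scalar(8)
ROW = Array(DOUBLE, 5)
S = Struct([("t", DOUBLE), ("f", Array(ROW, 4))])

PATH_OK = [("field", "f"), ("index", 2), ("index", 3)]        # &S.f[2][3]
PATH_ROW_OVERFLOW = [("field", "f"), ("index", 2), ("index", 7)]  # &S.f[2][7]
PATH_PAST_END = [("field", "f"), ("index", 4), ("index", 0)]      # &S.f[4][0]


if __name__ == "__main__":
    for name, p in [("f[2][3]", PATH_OK), ("f[2][7]", PATH_ROW_OVERFLOW),
                    ("f[4][0]", PATH_PAST_END)]:
        print(name, check_path(S, p))
```

For &S.f[2][3] the offset is 8 + 2 * 40 + 3 * 8 = 112 bytes and both checks pass. For &S.f[2][7] the offset (144) is still inside the 168-byte struct, so an object-level check alone says nothing; only the per-dimension check reports the overflow into the next row. For &S.f[4][0] the access runs past the end of S and both checks fail.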
           Design Choices

 • The structure of the memory graph is shallow and
   stable over time
    • Use Steensgaard & Das’ pointer analysis
 • Precision is required for loop invariants and array
   indices
    • Convex polyhedra have exponential complexity
    • Use Difference-Bound Matrices: O(n^3)
 • Relevant numerical information is mostly carried by
   function parameters
    • Abstract away all integers in the heap


              Memory Graph Construction

   [Figure: memory graph construction. Thread entry points thr1 and thr2
    and functions f, g and init are analyzed for their READ and WRITE
    effects on an abstract heap (a sound approximation); the process is
    iterated (ITERATE) to produce a refined abstract heap, still a sound
    approximation.]

               Distributed Architecture

   [Figure: distributed architecture. Semantic equations for file1.c,
    file2.c, ... are stored in a PostgreSQL database; functions f, g, ...
    are analyzed in parallel on a cluster of machines coordinated through
    PVM.]

           First Experiments

 • The execution times were very long (tens of hours)
    • The difference-bound matrices were large and
      dense
    • The cubic time complexity was always attained
 • The memory graph was very large and imprecise:
    • A lot of pointers were transmitted between threads
      through message queues
    • The approximation of message queues by
      Steensgaard’s analysis was too coarse


              CGS Tune-Up

 • Adaptive clustering of variables in difference-bound
   matrices:
       • Variables are grouped in small-size packets (average
         size: 4)
       • Packets are dynamically constructed during the analysis
       • Significant speedup (15 min -> 5 sec for a function)
 • Extending Das' one-level flow optimization to an
   arbitrary depth within data structures:
       • Spectrum of pointer analyses between Steensgaard and
         Andersen
       • Depth 3 analysis was sufficient to recover enough
         precision
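An added example covering two of the design points above, the difference-bound matrices chosen as the relational lattice (Design Choices) and the packet-wise closure of the CGS tune-up; it is not code from the slides or from CGS. A DBM stores constraints of the form x - y <= c; Floyd-Warshall closure makes every implied constraint explicit at cubic cost, and closing each packet of related variables separately keeps that cost cubic in the packet size rather than in the whole matrix. The function summary for assign (0 <= i, i < n, and the caller's precondition n <= size_p), the variable names, and the unrelated cnt/cap pair used to show packets splitting are all constructed for the example.

```python
"""Difference-bound matrices as function summaries, with closure per
variable packet.  Added example, not CGS code.  Index 0 of the matrix is
the constant-zero variable, so m[x][0] bounds x from above and m[0][x]
bounds it from below."""

INF = float("inf")


class DBM:
    """m[i][j] = c encodes v_i - v_j <= c; INF means no constraint."""

    def __init__(self, names):
        self.names = ["0"] + list(names)
        n = len(self.names)
        self.m = [[INF] * n for _ in range(n)]
        for i in range(n):
            self.m[i][i] = 0
        self.steps = 0  # inner-loop iterations spent in closure

    def idx(self, v):
        return self.names.index(v)

    def add(self, x, y, c):
        """Add the constraint x - y <= c ("0" names the zero variable)."""
        i, j = self.idx(x), self.idx(y)
        self.m[i][j] = min(self.m[i][j], c)
        return self

    def close(self, subset=None):
        """Floyd-Warshall shortest paths over a subset of the variables
        (all of them by default): O(k^3) for a subset of size k."""
        ids = [self.idx(v) for v in (subset or self.names)]
        for k in ids:
            for i in ids:
                for j in ids:
                    self.steps += 1
                    if self.m[i][k] + self.m[k][j] < self.m[i][j]:
                        self.m[i][j] = self.m[i][k] + self.m[k][j]
        return self

    def is_empty(self):
        """A negative cycle means the constraints are unsatisfiable."""
        return any(self.m[i][i] < 0 for i in range(len(self.names)))

    def bound(self, x, y):
        """Tightest known c with x - y <= c after closure."""
        return self.m[self.idx(x)][self.idx(y)]


def packets(names, constraints):
    """Group variables that occur together in some constraint (union-find).
    The zero variable is attached to every packet when closing."""
    parent = {v: v for v in names}

    def find(v):
        while parent[v] != v:
            v = parent[v]
        return v

    for x, y, _ in constraints:
        if x != "0" and y != "0":
            parent[find(x)] = find(y)
    groups = {}
    for v in names:
        groups.setdefault(find(v), []).append(v)
    return list(groups.values())


def build(names, constraints, packed):
    """Load the constraints and close either the whole matrix or each packet."""
    dbm = DBM(names)
    for x, y, c in constraints:
        dbm.add(x, y, c)
    if packed:
        for pk in packets(names, constraints):
            dbm.close(["0"] + pk)
    else:
        dbm.close()
    return dbm


# Constructed summary for assign(p, q, n) at the access p[i]: 0 <= i and
# i < n, plus the caller's precondition n <= size_p.  cnt/cap are a
# constructed, unrelated pair (as from another loop) to show packets splitting.
NAMES = ["i", "n", "size_p", "cnt", "cap"]
SUMMARY = [("0", "i", 0), ("i", "n", -1), ("n", "size_p", 0),
           ("0", "cnt", 0), ("cnt", "cap", 0)]


def access_in_bounds(packed):
    """Does closure prove i - size_p <= -1, i.e. p[i] stays inside p?
    Returns the verdict and the number of closure steps spent."""
    dbm = build(NAMES, SUMMARY, packed)
    return dbm.bound("i", "size_p") <= -1, dbm.steps


def out_of_bounds_feasible(packed):
    """Assume the violation i >= size_p on top of the summary: an empty DBM
    means the out-of-bounds access is unreachable."""
    dbm = build(NAMES, SUMMARY + [("size_p", "i", 0)], packed)
    return not dbm.is_empty()


if __name__ == "__main__":
    print("full closure:  ", access_in_bounds(False), out_of_bounds_feasible(False))
    print("packed closure:", access_in_bounds(True), out_of_bounds_feasible(True))
```

Both closures derive i - size_p <= -1 by chaining i - n <= -1 and n - size_p <= 0, and both detect the negative cycle i -> n -> size_p -> i once the violation is assumed. The difference is cost: the full closure over six variables spends 6^3 = 216 steps, the packed closure 4^3 + 3^3 = 91, and the gap grows quickly with the number of variables in a function, which is the effect the 15 min to 5 sec figure above reports. The price of packing is that a constraint whose variables ended up in different packets is never propagated; the union-find grouping here avoids that for constraints that are explicit, but not for facts that would only emerge through the zero variable.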
            Performance Results

 • Overall precision: 80% of all array accesses statically
   checked for MPF, DS1 and MER
 • Performance:
    • Over 100 KLOC/hour for MPF and DS1
    • 20 hours for MER
 • Main issue:
    • Massive amount of artifacts clogs up the database
    • The database architecture is difficult to optimize (B-
      trees)
    • A standard relational database is not adequate


                       Impact of Parallelization

   [Chart: Analysis Times. Vertical axis: Seconds (0 to 12000); horizontal
    axis: CPUs (1, 2, 4, 6, 8); one series for DS1 and one for MPF.]

           Main Conclusions

 • Experiments conducted on dual-processor machines
 • Significant speedup when the network is not used,
   negligible otherwise
 • Main source of imprecision: important data passing
   across low-level structures
    • Message queues
    • EEPROM
 • Recovering a high-level abstraction from a low-level
   representation is extremely difficult


           Experiments with CGS

 • CGS is currently used at:
    • JPL
    • Marshall Space Center
    • Ames Research Center
 • It has been applied to a variety of codes including:
    • The Advanced Video Guidance Sensor (Shuttle)
    • The Boot Loader for the Shuttle engine controller
    • The Urine Processor Assembly of the ISS
    • The Habitat Holding Rack (ISS)
    • The Materials Science Research Rack (ISS)

                 Static Analysis at the Spec Level

   [Figure: Specs and Code are linked by Implementation, Synthesis and
    Refinement. Static analysis on the Specs side yields Functional
    Validation; static analysis on the Code side yields Code Certification.]

                   Model-Centric Safety-Critical Java for
                   Exploration (NASA ESMD)

   [Figure: domain models (Power Management, Guidance & Control, ...) are
    expressed in a DSL; static analysis at the DSL level gives Verification
    of System Requirements. Provably Correct Code Generation produces SC Java,
    which sits beside Handwritten Java; static analysis at the SC Java level
    gives Verification of Real-Time Requirements.]

               Whole System Analysis

   [Figure: a Model of the Environment, a Model of the System and a Model of
    the User feed a Static Analysis used for:
      • System-Level verification
      • Automated test generation
      • System reengineering
      • ...]

             More Information

    Visit our web site:


             www.kestreltechnology.com

 • Online papers
 • MXJ Project: “Model-Centric Safety-Critical Java for
   Exploration”



