ee analyzer
play

EE Analyzer Xavier R IVAL rival@di.ens.fr Certification of embedded - PowerPoint PPT Presentation

Mar 04, 2023 •127 likes •491 views

The A STR EE Analyzer Xavier R IVAL rival@di.ens.fr Certification of embedded softwares Safety critical applications avionic softwares but also automotive, space... synchronous Properties to prove to guarantee safety:

  1. The A STR ´ EE Analyzer Xavier R IVAL rival@di.ens.fr

  2. Certification of embedded softwares • Safety critical applications � avionic softwares but also automotive, space... � synchronous • Properties to prove to guarantee safety: � absence of runtime errors no crash, no violation of application specific constraints � synchronous requirement, i.e., time constraint critical sections should take a bounded amount of time i.e., the software must be responsive recursion is forbidden � resource usage ◮ no dynamic memory allocation ◮ stack usage The A STR ´ EE Analyzer – p.2/36

  3. What A STR ´ EE is ? • A static analyzer � Inputs a C program (some restrictions, see later) � User-defined assumptions about the input values (ranges) � Computes an over-approximation of the reachable states � Produces an alarm when an operation is not proved safe ◮ Sound: detects all errors ◮ Incomplete: false alarms are possible Detecting all errors exactly: undecidable! • Developped in the École Normale Supérieure (Paris, France) Joint work with B. B LANCHET , P . C OUSOT , R. C OUSOT , J. F ERET , L. M AUBORGNE , A. M IN ´ E , D. M ONNIAUX • A STR ´ EE addresses: � Runtime errors � Non specified behaviors The A STR ´ EE Analyzer – p.3/36

  4. What A STR ´ EE is not ? • Testing: � A STR ´ EE covers all executions, hence is sound; testing is unsound � A STR ´ EE does sound approximation, hence incompleteness � Cost considerations: Weeks of heavy test processes vs. a few hours of computation • Model checking: � A STR ´ EE is designed to implement the C semantics No separate model extraction phase � A STR ´ EE uses a quasi-infinite predicate set � A STR ´ EE lagging for automatic refinement (work in progress) • User-assisted theorem proving: � A STR ´ EE is automatic with little to no user interaction Cost efficient! � But A STR ´ EE needs to infer indecidable properties; hence is incomplete The A STR ´ EE Analyzer – p.4/36

  5. Development of A STR ´ EE • Fall 2001: Request for a precise and fast analyzer (Airbus) A STR ´ EE project started : � Scalability = main goal (data structures, algorithms) � Simple non-relational domains: intervals + first refinements � Analysis of a 10 kLOCs software, few alarms (2002) • From 2003, analysis of industrial softwares: � Inspection of alarms: ⇒ True error ? ⇒ Imprecision in the analysis ? if yes, find origin of imprecisions � Improve precision, with new abstractions, solving imprecisions, but preserving scalability � Successful analysis of two families of industrial applications • Commercial diffusion, since 2009, by Absint The A STR ´ EE Analyzer – p.5/36

  6. A Specialized Analyzer • Specialization with respect to some families of embedded softwares: Synchronous, real-time programs: declare and initialize state variables; loop forever read volatile input variables, compute output and state variables, write to volatile output variables; wait for next clock tick (10 ms) end loop • Properties to establish: Absence of runtime errors; broad definition � No fatal error as defined by the semantics of the C language e.g., division by 0 , out of segment access � No overflow in integer or floating point computations � User defined properties: e.g., no NaN! � Architecture dependant properties (data-type sizes) The A STR ´ EE Analyzer – p.6/36

  7. Specific Features of A STR ´ EE • Simplifications: � Not all C: no malloc, no recursion � Mostly static data ; a few local variables • Issues: � Size of programs to analyze: > 100 kLOC, > 10 000 variables More typically 1 MLOC, > 50 , 000 variables � Floating point computation should be analyzed precisely DSP filetering, non linear control, retroactions, interpolation functions � Intricate dependencies between variables: ◮ Stability of computation should be established ◮ Relations between numerical and boolean data to infer ◮ Long sequences of dependences between inputs and outputs e.g., slicing ineffective The A STR ´ EE Analyzer – p.7/36

  8. Outline · Context √ Structure of the Analyzer · Abstract Domain · Results Overview The A STR ´ EE Analyzer – p.8/36

  9. Principle of the Analyzer Computation of an over-approximation of reachable states • Model of C : operational semantics � P � = set of executions (aka, traces) of P � C-99 standard � IEEE 754-1985 norm (floating point computations) � Assumptions about the target architecture and the area of application : ◮ size of integer data-types ◮ initialization of static variables ◮ ranges for inputs; duration of an execution • Abstraction = approximation defined by an abstract domain • Systematic derivation of a sound and automatic analyzer • Certification of a piece of code, in two automatic stages: 1. Computation of an approximation ( 99 . 9% of the work...) 2. Checking of safety conditions The A STR ´ EE Analyzer – p.9/36

  10. Abstraction EE computes an invariant I ∈ D ♯ ( D ♯ : our abstract domain): • A STR ´ � For each control point l � For each context κ (e.g., calling stack) ⇒ an approximation I ( l , κ ) ∈ D ♯ M of a set of stores D ♯ M expresses a (usually infinite) set of predicates • Soundness: � I should account for all executions in P � Meaning of I : γ ( I ) � Soundness statement: � P � ⊆ γ ( I ) where � P � is a formal concrete semantics • Next question: How to compute I ? Definition of a generic interpretation scheme The A STR ´ EE Analyzer – p.10/36

  11. Abstract Interpretation: Computing Invariants Principle: run all computations in a unique abstract computation • Analysis of an atomic statement x = e : � Use an abstract transfer function assign ( x = e ) : D ♯ M → D ♯ M � D ♯ M : manages addition and removal of constraints � Soundness: this operation should over-approximate concrete executions M , d ♯ ∈ D ♯ • Denotational form engine: � For each concrete, elementary step F , a sound approximation computed by an abstract store transformer F ♯ : M , ρ ∈ γ ( d ♯ ) = ⇒ F ( ρ ) ⊆ γ ( F ♯ ( d ♯ )) ∀ ρ ∈ � D ♯ M provides such sound transfer functions: guard , . . . • Control flow joins (after a conditional): D ♯ M provides a sound approximation ⊔ of ∪ The A STR ´ EE Analyzer – p.11/36

  12. Analysis of Loops • Loops should require infinitely many iterations • Solution: use a widening operator � A sound approximation ∇ of ⊔ ; � Termination is enforced by the widening properties memorized abstract invariants while (...) { ... } U U U propagated abstract invariants Program Iterative invariant computation The A STR ´ EE Analyzer – p.12/36

  13. Widening Operator � termination: for any increasing sequence ( y n ) n ∈ N of elements of D ♯ sequence ( x n ) n ∈ N of elements of D ♯ • Definition: N , x n +1 = x n ∇ y n is not strictly increasing � sound approximation of join: ∀ x, y ∈ D ♯ M , γ ( x ) ∪ γ ( y ) ⊑ x ∇ y M , the M defined by x 0 = y 0 and ∀ n ∈ • Widening: � Example, with intervals: I 0 : 0 ≤ x ≤ 10; I 1 : 1 ≤ x ≤ 11; I 0 ∇ I 1 : 0 ≤ x � In practice: remove unstable constraints Convergence: ensured by the finiteness of the number of constraints at the first iteration Though: analysis may still involve unbounded number of predicates domain may still be infinite widening chains are still unbounded The A STR ´ EE Analyzer – p.13/36

  14. Widening Improvements • “Unrolling” of the first iterations (better precision) � Idea: postpone widening to iteration 2 or 3 � More precision in the first abstract join operations • Thresholds: � Principle: when x < 4 is not stable, x < 8 may be stable � Threshold widening: ordered families of constraints T ∇ gives a chance to each constraint c ∈ T to stabilize � Implementation based on strategies such as: if x == 4 appears in the code, automatically add step 4 for x in ∇ • Note: Better precision smaller state space ⇒ shorter widening chains ⇒ A precise analysis is NOT incompatible with efficiency Practical experience: imprecise analyses with many alarms are very slow The A STR ´ EE Analyzer – p.14/36

  15. Outline · Context · Structure of the Analyzer √ Abstract Domain √ Generalities · A relational numerical domain: Octagons · A symbolic domain: Trace partitioning · Other domains · Results Overview The A STR ´ EE Analyzer – p.15/36

  16. Abstract Domain • Abstractions of sets of states (e.g., stores) • Usual transfer functions: � Guard: for conditions ( if , while , assert ,...) � Assign � Variable creation, disposal... • A widening operator, a lower upper bound • Ordering: usually a sound approximation of the concrete ordering � If inf ♯ ( x ♯ , y ♯ ) returns TRUE , then γ ( x ♯ ) ⊆ γ ( y ♯ ) � But the test may fail! (decidability!) • Support for communication with other abstract domains: � Dozens of domains implemented in A STR ´ EE ... � Need for information communication across domains Different domains typically establish complimentary properties The A STR ´ EE Analyzer – p.16/36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type:

Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type:

Arbitraryrangesettingisallowedwithinspecifiedrange. Stand-alone type Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type: ZKJ High performance type Ideal for combustion

278 views • 4 slides
BC-5300 Auto Hematology Analyzer Satisfaction in test BC-5300 Auto Hematology Analyzer The new

BC-5300 Auto Hematology Analyzer Satisfaction in test BC-5300 Auto Hematology Analyzer The new

BC-5300 Auto Hematology Analyzer Satisfaction in test BC-5300 Auto Hematology Analyzer The new BC-5300 Auto Hematology Analyzer is a bench top system, combining three mainstream technologies: laser scatter, flow cytometry and chemical dye to

276 views • 4 slides
BC-5380 Auto Hematology Analyzer Satisfaction in test BC-5380 Auto Hematology Analyzer The new

BC-5380 Auto Hematology Analyzer Satisfaction in test BC-5380 Auto Hematology Analyzer The new

BC-5380 Auto Hematology Analyzer Satisfaction in test BC-5380 Auto Hematology Analyzer The new BC-5380 Auto Hematology Analyzer provides rapid and reliable test from just 20uL of blood. Utilizing three mainstream technologies: laser scatter,

668 views • 4 slides
Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs at compile time by inspecting your source code Bugs it finds are more sophisticated than warnings or Clang-Tidy Clang Static Analyzer 1

544 views • 29 slides
valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to

valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to

valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to do analysis of run time based on counts of clock cycles or machine code instructions run Can also be used to do analysis of

1.42k views • 7 slides
Hand-held laser analyzer chemical composition metals and alloys Elemental Laser AN ANalyzer

Hand-held laser analyzer chemical composition metals and alloys Elemental Laser AN ANalyzer

Hand-held laser analyzer chemical composition metals and alloys Elemental Laser AN ANalyzer Ivan Kuratev Estonia +372 63 46310 Russia +7 499 380-62-92 Ivan Kuratev, doctor of physics and mathematics, author of Kazakhstan +7 717

750 views • 8 slides
CA-6 Colorimetric Analyzer Presented by; Steve Rupert Sr. Product Manager January 2011 E

CA-6 Colorimetric Analyzer Presented by; Steve Rupert Sr. Product Manager January 2011 E

CA-6 Colorimetric Analyzer Presented by; Steve Rupert Sr. Product Manager January 2011 E LECTRO- C HEMICAL D EVICES Why choose the CA-6 Analyzer? Simple Easy Installation Touch Screen Interface User Friendly Menu Structure

511 views • 18 slides
Modeling Electrons in an Electrostatic Analyzer Max Gibiansky Based on a clinic project

Modeling Electrons in an Electrostatic Analyzer Max Gibiansky Based on a clinic project

Modeling Electrons in an Electrostatic Analyzer Max Gibiansky Based on a clinic project sponsored by SwRI. JUNO Satellite Magnetic Field Sensor ESA 60 ESA 300 ESA 180 Electrostatic Analyzer Measures velocity distribution of electrons

754 views • 12 slides
PSL Analyzer Products PQube 3e PQube 3v PQube 3 PQube 3 - the best power analyzer PQube 3 is

PSL Analyzer Products PQube 3e PQube 3v PQube 3 PQube 3 - the best power analyzer PQube 3 is

PSL Analyzer Products PQube 3e PQube 3v PQube 3 PQube 3 - the best power analyzer PQube 3 is : 1. an Advanced Intelligent Sensor 2. a Strip Chart Recorder 3. a Set of advanced oscilloscopes An advanced intelligent sensor

280 views • 17 slides
Introducing USB Based T1 E1 Analyzer Unit 818 West Diamond Avenue - Third Floor, Gaithersburg,

Introducing USB Based T1 E1 Analyzer Unit 818 West Diamond Avenue - Third Floor, Gaithersburg,

Introducing USB Based T1 E1 Analyzer Unit 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com Portable USB T1 E1 Analyzer Unit T1 and

337 views • 20 slides
FC80 Free Chlorine Analyzer E LECTRO- C HEMICAL D EVICES FC80 System Configuration Free

FC80 Free Chlorine Analyzer E LECTRO- C HEMICAL D EVICES FC80 System Configuration Free

FC80 Free Chlorine Analyzer E LECTRO- C HEMICAL D EVICES FC80 System Configuration Free Chlorine Analyzer 1) Constant Head Flow Controller 2) S80- pH with Temperature Sensor 3) Free Chlorine Sensor (FCS) 4) T80- Analyzer and

522 views • 14 slides
The Maude-NRL Protocol Analyzer Santiago Escobar 1 Catherine Meadows 2 e Meseguer 3 Jos Sonia

The Maude-NRL Protocol Analyzer Santiago Escobar 1 Catherine Meadows 2 e Meseguer 3 Jos Sonia

The Maude-NRL Protocol Analyzer The Maude-NRL Protocol Analyzer Santiago Escobar 1 Catherine Meadows 2 e Meseguer 3 Jos Sonia Santiago 1 Ralf Sasse 3 1 Universidad Polit ecnica de Valencia (Spain) 2 Naval Research Laboratory (USA) 3

939 views • 75 slides
Lexical and Syntax Analysis Part I 1 Introduction Every implementation of Programming

Lexical and Syntax Analysis Part I 1 Introduction Every implementation of Programming

Lexical and Syntax Analysis Part I 1 Introduction Every implementation of Programming Languages (i.e. a compiler) uses a Lexical Analyzer and a Syntax Analyzer in its initial stages. The Lexical Analyzer tokenizes the input program

538 views • 25 slides
Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel Perez The University of Tokyo January 29, 2018 Static analyzers Writing a static analyzer is hard JavaScript points-to sample global.length = 4;

299 views • 15 slides
Datacom Analyzer 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

Datacom Analyzer 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

Datacom Analyzer 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com tProbe with Datacom Analyzer 2 Introduction The tProbe

614 views • 60 slides
SiteHawk Transcom Instruments www.transcomwireless.com What Does Cable &amp; Antenna Analyzer

SiteHawk Transcom Instruments www.transcomwireless.com What Does Cable &amp; Antenna Analyzer

Handheld Cable &amp; Antenna Analyzer SiteHawk Transcom Instruments www.transcomwireless.com What Does Cable &amp; Antenna Analyzer Do? Tests the overall integrity of an antenna system installation Verifies antenna system components meet

752 views • 19 slides
LumiCal Design Options 2020.04.15 15:00 indico.ihep.ac.cn/event/11684/ Suen Hou Academia

LumiCal Design Options 2020.04.15 15:00 indico.ihep.ac.cn/event/11684/ Suen Hou Academia

LumiCal Design Options 2020.04.15 15:00 indico.ihep.ac.cn/event/11684/ Suen Hou Academia Sinica Outline BHLUMI : Bhabha cross section boost by beam crossing, small beam pipe &lt; 30 mRad ( Bhabha) &gt; ~ 50 nb OVAL beampipe to

472 views • 35 slides
Solvers Principles and Architecture (SPA) Part 2 Abstract Interpretation (Basics) Master

Solvers Principles and Architecture (SPA) Part 2 Abstract Interpretation (Basics) Master

Solvers Principles and Architecture (SPA) Part 2 Abstract Interpretation (Basics) Master Sciences Informatique (Sif) September, 2019 Rennes Khalil Ghorbal k halil.ghorbal@inria.fr K. Ghorbal (INRIA) 1 SIF M2 1 / 13 Abstract

771 views • 38 slides
The octagon method for finding exceptional points, and application to hydrogen-like systems in

The octagon method for finding exceptional points, and application to hydrogen-like systems in

Institute of Theoretical Physics, University of Stuttgart, in collaboration with M. Feldmaier, F. Schweiner, J. Main, and H. Cartarius The octagon method for finding exceptional points, and application to hydrogen-like systems in parallel

445 views • 30 slides
Gaps of saddle connection directions for some branched covers of tori Anthony Sanchez

Gaps of saddle connection directions for some branched covers of tori Anthony Sanchez

Gaps of saddle connection directions for some branched covers of tori Anthony Sanchez asanch33@uw.edu West Coast Dynamics Seminar May 14 th , 2020 Translation surfaces A translation surface is a collection of polygons with edge identifications

1.9k views • 142 slides
Nonlinear Polynomials, Interpolants and Invariant Generation for System Analysis Deepak Kapur

Nonlinear Polynomials, Interpolants and Invariant Generation for System Analysis Deepak Kapur

Nonlinear Polynomials, Interpolants and Invariant Generation for System Analysis Deepak Kapur Department of Computer Science University of New Mexico Albuquerque, NM, USA with Rodriguez-Carbonell, Zhihai Zhang, Hengjun Zhao, Stephan Falke,

2.07k views • 183 slides
Squaring the Circle: How Framedness influences User Behavior around a Seamless Cylindrical

Squaring the Circle: How Framedness influences User Behavior around a Seamless Cylindrical

Squaring the Circle: How Framedness influences User Behavior around a Seamless Cylindrical Display Gilbert Beyer, Florian Kttner, Manuel Schiewe, Ivo Haulsen, Andreas Butz University of Munich and Fraunhofer FOKUS Shaped Displays Digital

640 views • 52 slides
Effective Approaches to Abstraction Refinement for an Explicit Value Analysis Stefan Lwe

Effective Approaches to Abstraction Refinement for an Explicit Value Analysis Stefan Lwe

Effective Approaches to Abstraction Refinement for an Explicit Value Analysis Stefan Lwe SoSy-Lab Software Systems Outline of my Thesis Outline of my Talk Value Analysis by Example Value Analysis by Example Value Analysis by the Numbers

318 views • 27 slides
Universal Quantum Computation with AKLT States and Spectral Gap of AKLT Models Tzu-Chieh Wei (

Universal Quantum Computation with AKLT States and Spectral Gap of AKLT Models Tzu-Chieh Wei (

Universal Quantum Computation with AKLT States and Spectral Gap of AKLT Models Tzu-Chieh Wei ( ) C.N. Yang Institute for Theoretical Physics Workshop on Statistical Physics of Quantum Matter, Taipei, July 2013 Outline I.

715 views • 40 slides

More recommend