Section: Software
The AstréeA Static Analyzer of Asynchronous Software
Participants : Patrick Cousot [project scientifique leader, correspondent] , Radhia Cousot, Jérôme Feret, Antoine Miné, Xavier Rival.
Absence of runtime error, Abstract interpretation, Data races, Interference, Memory model, Parallel software, Static analysis, Verifier.
AstréeA is a static analyzer prototype for parallel software based on abstract interpretation [43] , [44] , [36] . It started with support from Thésée ANR project (2006–2010) and is continuing within the AstréeA project (2012–2015).
The AstréeA prototype http://www.astreea.ens.fr/ is a fork of the Astrée static analyzer (see 5.2 ) that adds support for analyzing parallel embedded C software.
AstréeA analyzes C programs composed of a fixed set of threads that communicate through a shared memory and synchronization primitives (mutexes, FIFOs, blackboards, etc.), but without recursion nor dynamic creation of memory, threads nor synchronization objects. AstréeA assumes a real-time scheduler, where thread scheduling strictly obeys the fixed priority of threads. Our model follows the ARINC 653 OS specification used in embedded industrial aeronautic software. Additionally, AstréeA employs a weakly-consistent memory semantics to model memory accesses not protected by a mutex, in order to take into account soundly hardware and compiler-level program transformations (such as optimizations). AstréeA checks for the same run-time errors as Astrée , with the addition of data-races.
Compared to Astrée , AstréeA features: a new iterator to compute thread interactions, a refined memory abstraction that takes into account the effect of interfering threads, and a new scheduler partitioning domain. This last domain allows discovering and exploiting mutual exclusion properties (enforced either explicitly through synchronization primitives, or implicitly by thread priorities) to achieve a precise analysis.
AstréeA is currently being applied to analyze a large industrial avionic software: 1.6 MLines of C and 15 threads, completed with a 2,500-line model of the ARINC 653 OS developed for the analysis. The analysis currently takes a few tens of hours on a 2.9 GHz 64-bit intel server using one core and generates around 1,200 alarms. The low computation time (only a few times larger than the analysis time by Astrée of synchronous programs of a similar size and structure) shows the scalability of the approach (in particular, we avoid the usual combinatorial explosion associated to thread interleavings). Precision-wise, the result, while not as impressive as that of Astrée , is quite encouraging. The development of AstréeA continues within the scope of the AstréeA ANR project (Section 8.1.1.2 ).