
Applying Abstract Interpretation to Verify EN-50128 Software Safety Requirements

  • Conference paper
  • In: Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification (RSSRail 2016)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 9707)

Abstract

Like other contemporary safety standards, EN-50128 requires identifying potential functional and non-functional hazards and demonstrating that the software does not violate the relevant safety goals. Examples of safety-relevant non-functional hazards are violations of resource bounds, especially stack overflows and deadline violations, as well as run-time errors and data races. They can cause erroneous and erratic program behavior, invalidate separation mechanisms in mixed-criticality software, and even trigger software crashes. Classical software verification methods like code review and testing with measurements cannot guarantee the absence of such errors. Abstract interpretation is a formal method for static program analysis which supports formal soundness proofs (it can be proven that no error is missed) and which scales to large programs. This article gives an overview of abstract interpretation and its application to computing safe worst-case execution time and stack usage bounds and to finding all potential run-time errors and data races. We discuss the tool qualification of abstract interpretation-based static analyzers and describe their contribution to EN-50128 compliant verification processes. We also illustrate their integration in the development process and report on practical experience.
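The mechanism behind the soundness claim above, shown at toy scale as an added example (this is not Astrée and not the authors' code; the statement and expression tuples, the sample program, the array length and the alarm labels are all constructed for illustration, and integer overflow is deliberately not modelled): an interval-domain analyzer that over-approximates every variable by a closed interval, solves the loop by fixpoint iteration with widening followed by a few narrowing steps, and reports every run-time error that some execution might reach. On the constructed sample it flags the two operations that can actually fail (the division by x, which may be 0, and the store past the end of buf after the loop, where i is exactly 8), proves the in-loop access buf[i] safe thanks to the loop guard, and raises one false alarm: x * x + 1 can never be 0, but a non-relational interval domain does not know that the two factors are the same variable. That is the trade-off the abstract describes, no missed errors but some spurious ones, which relational domains such as octagons reduce.

```python
"""Minimal interval-domain abstract interpreter for a small loop language (added example, not
Astrée and not the authors' code). Values are over-approximated by intervals, loops are solved by
fixpoint iteration with widening and narrowing, every possible run-time error is reported."""
import math

INF = math.inf
NEGATE = {"<": ">=", "<=": ">", ">": "<=", ">=": "<"}

def meet(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None   # None = no value (unreachable)

def widen(old, new):   # a bound that keeps moving jumps to infinity, so iteration terminates
    return (old[0] if new[0] >= old[0] else -INF, old[1] if new[1] <= old[1] else INF)

def _div(x, y):   # C-style truncating division on extended integers, y != 0
    if math.isinf(x) or math.isinf(y):
        return 0 if math.isinf(y) and not math.isinf(x) else (INF if (x > 0) == (y > 0) else -INF)
    q = abs(x) // abs(y)
    return q if (x >= 0) == (y > 0) else -q

def eval_expr(e, env, alarms, at):
    if e[0] in ("const", "var"):
        return (e[1], e[1]) if e[0] == "const" else env[e[1]]
    a, b = eval_expr(e[1], env, alarms, at), eval_expr(e[2], env, alarms, at)
    if a is None or b is None:
        return None
    if e[0] == "add":
        return (a[0] + b[0], a[1] + b[1])
    if e[0] == "mul":
        ps = [x * y if x and y else 0 for x in a for y in b]   # 0 * inf is 0 here, not nan
        return (min(ps), max(ps))
    if e[0] == "div":
        if alarms is not None and b[0] <= 0 <= b[1]:
            alarms.append(f"{at}: possible division by zero, divisor in [{b[0]}, {b[1]}]")
        # Continue with the executions that survive: the non-zero parts of the divisor.
        parts = [p for p in (meet(b, (-INF, -1)), meet(b, (1, INF))) if p]
        qs = [_div(x, y) for p in parts for x in a for y in p]
        return (min(qs), max(qs)) if qs else None
    raise ValueError(f"unknown expression {e[0]}")

def refine(cond, env, holds):
    """Restrict env to the states where cond = (var, op, const) holds (or fails)."""
    var, op, c = cond
    op = op if holds else NEGATE[op]
    bound = {"<": (-INF, c - 1), "<=": (-INF, c), ">": (c + 1, INF), ">=": (c, INF)}[op]
    new = None if env is None else meet(env[var], bound)
    return None if new is None else {**env, var: new}

def join_env(a, b):   # keys of a only: a variable first assigned inside a loop is not known after it
    if a is None or b is None:
        return b if a is None else a
    return {v: (min(a[v][0], b[v][0]), max(a[v][1], b[v][1])) for v in a}

def analyze(stmts, env, alarms):
    """Abstract execution of a statement list; records alarms when `alarms` is a list."""
    for s in stmts:
        if env is None:
            return None
        if s[0] == "assign":                    # ("assign", var, expr)
            v = eval_expr(s[2], env, alarms, f"assign {s[1]}")
            env = None if v is None else {**env, s[1]: v}
        elif s[0] == "index":                   # ("index", label, array_length, index_expr)
            v = eval_expr(s[3], env, alarms, s[1])
            if v is None:
                return None
            if alarms is not None and not (0 <= v[0] and v[1] <= s[2] - 1):
                alarms.append(f"{s[1]}: index may be out of bounds, [{v[0]}, {v[1]}] not within [0, {s[2] - 1}]")
        elif s[0] == "while":                   # ("while", (var, op, const), body)
            _, cond, body = s
            inv = env
            while True:                         # ascending iteration with widening, alarms muted
                after = analyze(body, refine(cond, inv, True), None)
                new = {v: widen(inv[v], iv) for v, iv in join_env(inv, after).items()}
                if new == inv:
                    break
                inv = new
            for _ in range(2):                  # descending iteration narrows bounds widened to infinity
                inv = join_env(env, analyze(body, refine(cond, inv, True), None))
            analyze(body, refine(cond, inv, True), alarms)   # report alarms against the final invariant
            env = refine(cond, inv, False)
    return env

# Constructed sample, in C-like syntax, with the input x anywhere in [-5, 5]:
#   int buf[8]; int i = 0;
#   while (i < 8) { buf[i] = 1; y = 10 / x; z = 100 / (x * x + 1); i = i + 1; }   buf[i] = 0;
SAMPLE = [
    ("assign", "i", ("const", 0)),
    ("while", ("i", "<", 8), [
        ("index", "buf[i] in loop", 8, ("var", "i")),
        ("assign", "y", ("div", ("const", 10), ("var", "x"))),
        ("assign", "z", ("div", ("const", 100), ("add", ("mul", ("var", "x"), ("var", "x")), ("const", 1)))),
        ("assign", "i", ("add", ("var", "i"), ("const", 1))),
    ]),
    ("index", "buf[i] after loop", 8, ("var", "i")),
]

def check(program, inputs):   # analyse from the given input ranges; returns (final env, alarm list)
    alarms = []
    return analyze(program, dict(inputs), alarms), alarms
```

check(SAMPLE, {"x": (-5, 5)}) returns the state after the program (i in [8, 8], which narrowing recovers from the widened [0, inf]) together with three alarms: the division by x, the false alarm on x * x + 1, and the out-of-bounds store after the loop. Restricting the input to {"x": (1, 5)} leaves only the out-of-bounds store, which is the one genuine defect independent of the input.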



Acknowledgement

The work presented in this paper has been supported by the European FP7 project INTERESTED, and is supported by the European ITEA3 project ASSUME and the German BMBF (FORTISSIMO project).

Author information

Correspondence to Daniel Kästner.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Kästner, D., Ferdinand, C. (2016). Applying Abstract Interpretation to Verify EN-50128 Software Safety Requirements. In: Lecomte, T., Pinger, R., Romanovsky, A. (eds) Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification. RSSRail 2016. Lecture Notes in Computer Science, vol 9707. Springer, Cham. https://doi.org/10.1007/978-3-319-33951-1_14

  • DOI: https://doi.org/10.1007/978-3-319-33951-1_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-33950-4

  • Online ISBN: 978-3-319-33951-1
