Presentation is loading. Please wait.

Presentation is loading. Please wait.

Table of Contents Program Model Checking: Case Studies and Practitioner’s Guide John Penix, ARC Owen O’Malley, QSS Lawrence Markosian, QSS Peter Mehlitz,

Published byAbraham May Modified over 8 years ago

Similar presentations

Presentation on theme: "Table of Contents Program Model Checking: Case Studies and Practitioner’s Guide John Penix, ARC Owen O’Malley, QSS Lawrence Markosian, QSS Peter Mehlitz,"— Presentation transcript:

1 Table of Contents Program Model Checking: Case Studies and Practitioner’s Guide John Penix, ARC Owen O’Malley, QSS Lawrence Markosian, QSS Peter Mehlitz, CSC Masoud Mansouri-Semani, CSC Howard Hu, JSC Tanya Lippencott, GDDS Mark Coats, GDDS

2 Program Model Checking Case Studies and Practitioner’s Guide Objectives ► Overall objectives ▀ Assemble the emerging best practices in program model checking ▀ Demonstrate and validate their use in several case studies ▀ Document the results in a Practitioner’s Guide for Program Model Checking ► Year 1 - Analysis & Baseline ▀ Determine critical requirements and verification coverage requirements for initial case study ▀ Set up test environment for the selected application at Ames ▀ Apply and document basic model checking techniques and determine coverage of verification goals.

3 Program Model Checking Case Studies and Practitioner’s Guide Initial Case Study: Shuttle Abort Flight Manager (SAFM) ► SAFM provides situational awareness and decision support for shuttle pilots in case of an abort prior to orbit. ▀ abort performance assessment during powered flight ▀ landing site evaluation and monitoring during glided flight ► Developed by NASA Johnson Space Center and General Dynamics Decision Systems ► Runs on-board shuttle and on the ground ► About 38K SLOC C++ ► Scheduled to fly in 2006

4 Model Checking as a Best Practice ► Model checking best practices must address: ▀ Identifying critical components and properties ▀ Constructing test drivers and environment models ▀ Developing “models” or abstractions of system ▀ Tuning model checking algorithms/tools ▀ Assessing verification results – coverage and error reports ► Apply model checking a part of integrated best practices: ▀ Manual and automated software inspections ▀ Testing ▀ Model-checking

5 Program Model Checking Case Studies and Practitioner’s Guide Accomplishments ► Evaluation of SAFM source code and requirements for applicability to model checking & identify critical issues ▀ Identified Sequencer as a critical subsystem where model checking can be applied ▀ Manual and automated code inspections ► Hosted SAFM test lead at ARC for a week and to elicit requirements and design properties that are currently unchecked. ▀ Identified critical properties ► Set up SAFM build & test environment at ARC ▀ Gathered data on existing test coverage

6 Identifying Critical Subsystem - Sequencer ► Focus on the Executive Controller and Sequencer ▀ Top level control logic for SAFM including error handling ▀ Manages evaluation of the various potential abort scenarios ▀ Complex scenario interactions that are difficult to test Scenario Input Manager Output Manager Exec Controller Sequencer System Software Calls

7 Model Checking - Sequencer ► Use non-determinism to simplify the input and state space ▀ “Stub-out” most of the numeric computation and replace with non-deterministic choice ▀ Abstract data values by collapsing multiple floating point values into a single boolean. ► Example properties: ▀ Child scenarios don’t use data from unavailable or invalid parents ▀ How many scenarios can run in the same cycle?

8 ► Properties: “low level” requirements that characterize valid sequences of program states (“executions”) ► Many application specific properties: ▀ All dynamic memory (de)allocation must happen during initialization and shutdown ▀ No scenario uses data from a parent scenario that was not applicable or valid ► General properties: ▀ No memory leaks ▀ No array bounds overflows Critical Properties

9 ► Manual inspections discovered: ▀ Duplicated code and data ▀ Inconsistencies between the description of functions and their implementations - maintainability issue ► Automated inspections discovered: ▀ Incorrect overloading of binary & instead of unary & ▀ Single argument constructors that are not explicit ▀ Missing assignment operator (e.g. += when + is defined) ▀ Missing inverse operator (e.g. >= when < is defined) ► Similar issues in the System Software Manual and Automated Code Inspection

10 Program Model Checking Case Studies and Practitioner’s Guide Approach - Testing ► Ported the subsystem (L2) test driver to run under Unix (e.g. Linux and Mac OS) and added additional testing flexibility ► Applied testing tools ▀ Memcheck (array bounds and memory leaks) ▀ Gcov (statement coverage and counts) ▀ Kcachegrind (performance measurements) ► Used test data from General Dynamics that was generated by shuttle simulator

11 Testing - Code Coverage ► Used GNU’s gcov tool to determine code coverage of the current set of test cases. ► Statement coverage after running all test cases was 83%. ► Some surprising hotspots involved getting mnemonic names (~2 billion times) and string comparison on mnemonic names (~1.5 billion times).

12 Testing - Verifying Properties ► All dynamic memory allocations happen during SafmInitialize and all deallocations happen during ~SafmExecutiveController ▀ Overloaded operator new and delete ▀ Used control flags to ensure they weren’t called at the wrong time ► No memory leaks ▀ Used valgrind and only found 1 leak in the testing stubs

13 ► Model Checking (MC): systematically check all transitions of an automaton for property violations ► Program Model Checking (PMC): execute all potential execution sequences (paths) of a program ► PMC measure of choice when not all execution paths can be tested: Concurrency (scheduler not controllable in test) ► BUT: SAFM has no internal concurrency (threads)… Approaches - Model Checking

14 ► SMC also good for checking program responses to non- deterministic input → very suitable for SAFM (GNC input data variations) ► BUT: model checkers usually do this by enumerating all possible input values → not feasible for infinite value sets like float intervals Approaches - Model Checking

15 ► JPF solution for SAFM: Heuristic Choice Generators Approaches - Model Checking

16 Lessons Incountered To Date ► C++ is a new platform for shuttle software and has many pitfalls for even experienced programmers ► Testing and model checking effort significantly eased with good design. ▀ Coding standards can encourage good design, but need to be flexible to handle special cases. (e.g. a friend class to enhance data visibility during testing) ► Difficulty in testing and sustaining engineering arises from— ▀ An impoverished development environment for flight software ▀ “Distance” between development environment and runtime environment ► Development team support is required for obtaining required domain expertise ► Goals for model checking must be carefully selected ► Understand where model checking fits into overall verification program

Download ppt "Table of Contents Program Model Checking: Case Studies and Practitioner’s Guide John Penix, ARC Owen O’Malley, QSS Lawrence Markosian, QSS Peter Mehlitz,"

Similar presentations

Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.

Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.
Verification and Validation

Verification and Validation
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Integration Testing CS 4311 I. Burnstein. Practical Software Testing, Springer-Verlag, 2003.

1 Integration Testing CS 4311 I. Burnstein. Practical Software Testing, Springer-Verlag, 2003.
CEN 4021 2 nd Lecture CEN 4021 Software Engineering II Instructor: Masoud Sadjadi Software Process Models.

CEN nd Lecture CEN 4021 Software Engineering II Instructor: Masoud Sadjadi Software Process Models.
Alternate Software Development Methodologies

Alternate Software Development Methodologies
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
Software Construction

Software Construction
Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.

Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.
Software testing.

Software testing.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
SQM - 1DCS - ANULECTURE 11-2005 Software Quality Management Software Quality Management Processes V & V of Critical Software & Systems Ian Hirst.

SQM - 1DCS - ANULECTURE Software Quality Management Software Quality Management Processes V & V of Critical Software & Systems Ian Hirst.
Testing an individual module

Testing an individual module
Functional Testing.

Functional Testing.
Introduction to Software Testing

Introduction to Software Testing
Software System Integration

Software System Integration
1 Software Testing Techniques CIS 375 Bruce R. Maxim UM-Dearborn.

1 Software Testing Techniques CIS 375 Bruce R. Maxim UM-Dearborn.

Similar presentations

Ads by Google