Abstract

Safety-critical embedded software has to satisfy stringent quality requirements. Testing and validation consume a large and growing fraction of development cost. One class of errors that is hard to find by testing is runtime errors, e.g., arithmetic overflows, array bound violations, or invalid pointer accesses. The consequences of runtime errors range from erroneous program behavior to crashes. Since they are non-functional errors, it is usually not possible to achieve reasonable coverage by writing a set of specific test cases. Unsound static analysis tools can find some bugs, but there is no guarantee that all bugs have been detected. Sound static runtime error analyzers provide full control and data coverage, so that every potential runtime error is discovered. When the analyzer reports zero alarms, the absence of runtime errors has been proven. However, they can produce false alarms: any alarm that is not reported as a definite error might be a true error or a false alarm. In the past there were usually so many false alarms that manually inspecting each alarm was too time-consuming. Therefore not all alarms could be removed, and no proof of the absence of runtime errors could be given. Astree is a sound static analyzer designed to find all potential runtime errors in C programs while achieving zero false alarms. It has successfully been used to analyze large-scale safety-critical avionics software with zero false alarms. This talk gives an overview of the history and the design of Astree, discusses important industry requirements, and illustrates the industrialization process from an academic research tool to a commercial product. It also outlines ongoing development and future research issues.
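The abstract's central distinction (sound analysis discovers every potential runtime error, zero alarms is a proof, but some alarms may be false) is easiest to see on a toy analyzer. The following Python block is an added example, not code from the talk or from Astree: it runs a minimal interval-domain abstract interpreter over constructed tuple programs that stand in for C statements, and classifies each array index and 32-bit signed addition as safe, a possible error (an alarm that needs inspection) or a definite error. The non-relational interval domain, the statement encoding and the sample programs are all assumptions of this example.

```python
# Added example (not Astree's code): a tiny interval-domain abstract interpreter
# that shows how a sound runtime-error analysis classifies operations as safe,
# possible error (alarm) or definite error, and why some alarms are false.

INT_MIN, INT_MAX = -2**31, 2**31 - 1   # range of a 32-bit signed int (assumed target)

def classify(lo, hi, ok_lo, ok_hi):
    """Sound verdict for the abstract value [lo, hi] against the allowed range."""
    if ok_lo <= lo and hi <= ok_hi:
        return "safe"          # every concrete value is in range: no alarm
    if hi < ok_lo or lo > ok_hi:
        return "definite"      # every concrete value is out of range: certain error
    return "possible"          # some abstract values are out of range: an alarm

def analyze(program):
    """Abstractly execute the program; return (final env, list of alarms).

    Statement encoding (constructed for this example):
      ("range", var, lo, hi)   -- var is an input known only to lie in [lo, hi]
      ("add"|"sub", dst, x, y) -- dst = x + y or x - y on 32-bit signed ints
      ("index", var, length)   -- array access a[var] on an array of `length` elements
    """
    env, alarms = {}, []
    for stmt in program:
        op = stmt[0]
        if op == "range":
            _, var, lo, hi = stmt
            env[var] = (lo, hi)
        elif op in ("add", "sub"):
            _, dst, x, y = stmt
            (xl, xh), (yl, yh) = env[x], env[y]
            # interval arithmetic: the result interval over-approximates all outcomes
            lo, hi = (xl + yl, xh + yh) if op == "add" else (xl - yh, xh - yl)
            verdict = classify(lo, hi, INT_MIN, INT_MAX)
            if verdict != "safe":
                alarms.append(("overflow", dst, verdict))
            env[dst] = (max(lo, INT_MIN), min(hi, INT_MAX))
        elif op == "index":
            _, var, length = stmt
            lo, hi = env[var]
            verdict = classify(lo, hi, 0, length - 1)
            if verdict != "safe":
                alarms.append(("index", var, verdict))
        else:
            raise ValueError(f"unknown statement {op!r}")
    return env, alarms

def verdicts(program):
    """Summarize alarms as {(kind, variable): verdict}."""
    _, alarms = analyze(program)
    return {(kind, var): v for kind, var, v in alarms}

def proven_free_of_runtime_errors(program):
    """Soundness in action: no alarms at all means the absence of errors is proven."""
    return not analyze(program)[1]

# Constructed sample programs.
SAFE = [("range", "i", 0, 9), ("index", "i", 10)]
TRUE_ALARM = [("range", "i", 0, 10), ("index", "i", 10)]    # i == 10 really is reachable
DEFINITE = [("range", "i", 10, 12), ("index", "i", 10)]      # never in bounds
# x - x is always 0, but a non-relational interval domain only knows x in [0, 9]
# and y in [0, 9], so z becomes [-9, 9]: the access is flagged although it can
# never fail. This is a false alarm caused by imprecision, not by unsoundness.
FALSE_ALARM = [("range", "x", 0, 9), ("sub", "z", "x", "x"), ("index", "z", 1)]
OVERFLOW = [("range", "x", 0, INT_MAX), ("add", "y", "x", "x")]

if __name__ == "__main__":
    for name, prog in [("SAFE", SAFE), ("TRUE_ALARM", TRUE_ALARM),
                       ("DEFINITE", DEFINITE), ("FALSE_ALARM", FALSE_ALARM),
                       ("OVERFLOW", OVERFLOW)]:
        print(f"{name:12} proven={proven_free_of_runtime_errors(prog)!s:5} {verdicts(prog)}")
```

The FALSE_ALARM program is the interesting case: the analyzer is right to report it given what its domain can express, and removing that alarm requires a more precise (relational) domain rather than a weaker analysis. That is the trade-off the abstract describes, and it is why reaching zero alarms on real code depends on the choice and tuning of abstract domains rather than on suppressing reports.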
