Proving the Absence of Stack Overflows

In safety-critical embedded systems the stack is typically the only dynamically allocated memory area. However, the maximal stack usage must be statically known: at configuration time developers have to reserve enough stack space for each task. Stack overflow errors are often hard to find but can cause the system to crash or behave erroneously. All current safety standards, e.g., ISO 26262, require upper estimates of the storage space; due to its dynamic behavior the stack is an especially critical storage area. Typically neither testing and measuring nor static source code analysis can provide safe bounds on the worst-case stack usage. A safe upper bound can be computed by whole-program static analysis at the executable code level. When an Abstract Interpretation based static analyzer is used, it can be formally proven that the maximal stack usage will never be underestimated. The challenge for binary-code level analyzers is to minimize the necessary amount of user interaction, e.g., for function pointer calls. To minimize user interaction, the analysis has to be precise, and the annotation mechanism has to be flexible and easy to use. The analyzer configuration has to be done once for each software project; afterwards the analysis can be run automatically, supporting continuous verification. In this article we describe the principles of Abstract Interpretation based stack analysis. We present an annotation language addressing all properties of typical automotive and avionics software and report on practical experience.
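As an added illustration (not code from the paper or from any analyzer it describes), here is a minimal whole-program stack bound computed over a call graph: the frame sizes and call edges are constructed sample data standing in for what an analyzer recovers from the executable, the `*cb` entry and the `ANNOTATIONS` table are an assumed annotation format for resolving a function-pointer call, and recursion is reported as unbounded rather than guessed.

```python
# Constructed sample data standing in for what an analyzer recovers from the
# executable: per-function frame size in bytes and the call edges in its code.
# A callee starting with "*" is an indirect (function pointer) call site the
# analyzer cannot resolve alone; its targets must come from a user annotation.
FRAMES = {"main": 32, "task_ctrl": 48, "read_sensor": 16, "filter": 64,
          "handler_a": 40, "handler_b": 72, "log": 8, "isr_timer": 24}
CALLS = {"main": ["task_ctrl"], "task_ctrl": ["read_sensor", "filter"],
         "read_sensor": ["*cb"], "filter": ["log"], "handler_a": ["log"],
         "handler_b": [], "log": [], "isr_timer": ["log"]}
# Hypothetical annotation format: indirect call site -> possible targets.
ANNOTATIONS = {"*cb": {"handler_a", "handler_b"}}

def resolve_callees(fn, calls, annotations):
    """Expand indirect call sites via annotations; never guess a missing one."""
    targets = set()
    for callee in calls.get(fn, []):
        if callee.startswith("*"):
            if callee not in annotations:
                raise ValueError(f"unresolved indirect call {callee} in {fn}")
            targets |= annotations[callee]
        else:
            targets.add(callee)
    return targets

def max_stack(entry, frames, calls, annotations):
    """Worst-case stack depth in bytes from `entry`, or None when recursion
    (a cycle in the call graph) means no finite bound can be proven."""
    path = []
    def visit(fn):
        if fn in path:
            return None
        path.append(fn)
        deepest = 0
        for callee in resolve_callees(fn, calls, annotations):
            depth = visit(callee)
            if depth is None:
                path.pop()
                return None
            deepest = max(deepest, depth)
        path.pop()
        return frames[fn] + deepest
    return visit(entry)

def task_budget(task, isrs, frames, calls, annotations):
    """Stack to reserve for a task whose stack the ISRs also use: task worst case
    plus each ISR's worst case (any ISR may preempt at the deepest point)."""
    depths = [max_stack(f, frames, calls, annotations) for f in [task] + isrs]
    return None if None in depths else sum(depths)
```

The budget deliberately sums every ISR's worst case on top of the task's deepest point, which is pessimistic but never an underestimate under that preemption model.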
