The demise of the Mars Orbiter and Mars Polar Lander missions has highlighted the criticality of software reliability for Mars missions. In both cases, problems manifested themselves at the software level, even if the causes are to be found somewhere else (e.g., the design process). Therefore, it is fair to assume that many problems could be caught during software verification, provided that one uses the right tools and looks for the right types of errors. In this paper, we describe a study in which we apply this theory to the flight software of a current mission, i.e., the Mars Exploration Rover mission (MER). The study consists of applying a static analysis tool to the MER code to identify runtime errors, such as uninitialized variables, out-of-bound array accesses, and arithmetic overflows and underflows. The goal is both to demonstrate the usefulness of formal methods in a real software development context and, more importantly, to participate in the verification of the code that will fly during this mission. The work was conducted by a tool expert and a code expert. All identified problems were passed on to the appropriate developers. This paper describes the setup of the study, the findings, and proposals for integrating such a tool in a software development process. It also includes illustrative examples of the problems found by the analysis.
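The three error classes the abstract names (uninitialized variables, out-of-bound array accesses, and arithmetic overflow/underflow) are exactly the properties a static analyzer proves absent, and they are also the properties a defensive coding style makes explicit. The following C example is added here for illustration; it is not code from the paper or from the MER flight software. It assumes a hypothetical fixed-size telemetry buffer (`SAMPLE_COUNT`, `kSamples`, `kSamplesOverflow` are constructed names and values) and shows the checked form of an array read and of a signed addition, plus an accumulator that is initialised before use, so that every failure path is a return value rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a fixed-size telemetry window (hypothetical). */
#define SAMPLE_COUNT 8

static const int32_t kSamples[SAMPLE_COUNT] = {1, 2, 3, 4, 5, 6, 7, 8};
/* Same window, but the last sample forces a signed overflow on accumulation. */
static const int32_t kSamplesOverflow[SAMPLE_COUNT] = {1, 2, 3, 4, 5, 6, 7, INT32_MAX};

/* Out-of-bound array access, checked form: the read happens only when idx
 * lies in [0, SAMPLE_COUNT); otherwise false is returned and *out is untouched. */
bool read_sample(const int32_t *samples, size_t idx, int32_t *out) {
    if (samples == NULL || out == NULL || idx >= SAMPLE_COUNT) {
        return false;
    }
    *out = samples[idx];
    return true;
}

/* Arithmetic overflow/underflow, checked form: a + b is computed only when
 * the result is representable in int32_t (signed overflow is undefined in C). */
bool add_i32(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b)) {
        return false;
    }
    *out = a + b;
    return true;
}

/* Sums the first `count` samples with both checks applied. The accumulator is
 * explicitly initialised (the uninitialized-variable class). Returns how many
 * samples were consumed, so a caller can tell a partial sum from a full one. */
size_t sum_samples(const int32_t *samples, size_t count, int32_t *sum) {
    int32_t acc = 0;      /* initialised before any use */
    size_t i;
    for (i = 0; i < count; i++) {
        int32_t v;
        if (!read_sample(samples, i, &v)) {
            break;        /* index outside the buffer: stop, do not read past it */
        }
        if (!add_i32(acc, v, &acc)) {
            break;        /* adding v would overflow: keep the last good sum */
        }
    }
    *sum = acc;
    return i;
}

int main(void) {
    int32_t sum;
    size_t n;

    n = sum_samples(kSamples, SAMPLE_COUNT, &sum);
    printf("full window:     consumed %zu, sum %d\n", n, sum);

    /* Caller asks for more samples than the buffer holds: stops at the bound. */
    n = sum_samples(kSamples, SAMPLE_COUNT + 4, &sum);
    printf("oversized count: consumed %zu, sum %d\n", n, sum);

    /* Last sample would overflow the accumulator: stops before it. */
    n = sum_samples(kSamplesOverflow, SAMPLE_COUNT, &sum);
    printf("overflow window: consumed %zu, sum %d\n", n, sum);
    return 0;
}
```

The point of returning the consumed count rather than silently clamping is that a static analyzer can then prove `samples[idx]` is always in bounds and `acc + v` never overflows, while a caller still sees when the input was out of contract.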