An application of KLEE to aerospace industrial software

(1)

An application of KLEE to aerospace industrial software

Juan Francisco Garc´ıa, Daniel Jurjo, Fernando Mac´ıas, Jos´e F. Morales, Alessandra Gorla

IMDEA Software Institute

June 10, 2021

IMDEA MFoC June 10, 2021 1 / 17

(2)

Motivation

Testing is a critical process in aerospace software.

Unit test generation is currently done manually, in a trial and error process.

(3)

Aerospace Software Nature

Loops are bounded.

1 f o r ( i = 0 ; i <= 2 ; i ++) {

2 . . .

3 }

4

(4)

Aerospace Software Nature

The decision variables are mostly:

Boolean.

Floating point, usually normalized in a range.

1 f o r ( i = 0 ; i <= 2 ; i ++) {

2 i f ( v a l i d i t y [ i ] ){

3 i f ( s e n s o r [ i ]>t h r e s h o l d ){

4 s t a t u s [ i ]=1

5 }

6 }

7 }

8

(5)

The company approach

Build Simulink

Model

Verify using physics

simu- lations

Generate C code from the

model

Make tests inputs by

“ramp- ing”

Run the tests inputs on the model

Run tests inputs on the code

Check I/O conformance with model

(6)

The company approach

Model is assumed to be correct if it passes series of tests designed from the physical/engineering perspective.

There is a lack of specification.

(7)

The company approach

(8)

Our approach

Build Simulink

Model

Verify using physics

simu- lations

Generate C code from the

model

Parse C and generate symbolic calls

Run KLEE

Get outputs

from KLEE

tests

Check I/O conformance with model

(9)

Simulink and C code conformance

Make state symbolic, get pairs of values for state and input (S,I). It is needed to reach stateS in the model to test the input I.

(10)

Simulink and C code conformance

Make state symbolic, get pairs of values for state and input (S,I).

It is needed to reach stateS in the model to test the input I.

(11)

Results

Experiment Company Approach Our approach Tests Decision

Coverage¹ Tests Decision Coverage¹

Exp. 1 6000 78% 54 100%

Exp. 2 34 100% 6 100%

Exp. 3 10 100% 2 100%

1Measured with Simulink Coverage Tool

(12)

Benefits of our approach

An equivalent process that is automatic.

Reduce human bias. Reduce number of tests.

Assure path coverage instead of decision coverage.

(13)

Benefits of our approach

Reduce human bias.

Reduce number of tests.

(14)

Benefits of our approach

Reduce human bias.

(15)

Benefits of our approach

Reduce human bias.

(16)

Challenge: Floating Point

KLEE does not support floating point. The alternatives we have considered are:

KLEE-Float.

Fuzzing.

Combining KLEE with Fuzzers.

(17)

Work in progress: libFuzzer

Why libFuzzer?

Function oriented.

Structure-aware fuzzing. Coverage-guided.

Custom mutation and recombination function.

(18)

Work in progress: libFuzzer

Why libFuzzer?

Function oriented.

Structure-aware fuzzing.

Coverage-guided.

(19)

Work in progress: libFuzzer

Why libFuzzer?

Function oriented.

Coverage-guided.

(20)

Work in progress: libFuzzer

Why libFuzzer?

Function oriented.

Coverage-guided.

(21)

Work in progress: libFuzzer

It does not generate a test for each path.

1 f o r ( i = 0 ; i <= 2 ; i ++) {

2 i f ( b o o l e a n [ i ] ){

3 . . .

4 }

5 }

6

(22)

Work in progress: libFuzzer

It does not generate a test for each path.

It provides meaningful values for floating point.

1 f o r ( i = 0 ; i <= 2 ; i ++) {

2 i f ( f p v a l u e [ i ]>t h r e s h o l d ){

3 . . .

4 }

5 }

6

(23)

Work in progress: KLEE-Float

It works well on the simpler models.

It suffers of path explosion on more complex ones.

(24)

Future lines

Evaluate KLEE/KLEE-Float+fuzz with different configurations.

Memory-based equivalence relation for better oracles.

Perform symbolic execution of the hardware constants.

(25)

An application of KLEE to aerospace industrial software