Sightsys is the official Israeli distributor of AbsInt. AbsInt is the German specialist behind tools that generate the mathematical evidence required by DO-178C, ED-12C, ISO 26262, IEC 61508, EN 50128, and IEC 62304. Specifically, AbsInt offers four flagship products: aiT WCET Analyzer, StackAnalyzer, Astrée, and CompCert. Notably, all four hold TÜV qualification for the highest assurance levels. Furthermore, AbsInt tools power the verification of the Airbus A340 and A380 flight control software — widely regarded as the highest-assurance code in commercial aviation.
aiT WCET Analyzer — Provable Worst-Case Execution Time
DO-178C, ED-12C, and ISO 26262 demand provable upper bounds on task execution time. Specifically, you must show that every safety-critical function completes within its time budget. Moreover, the proof must hold under every possible input and every execution path. Unfortunately, testing alone cannot deliver this proof on modern processors.
Why not? Modern chips include caches, branch predictors, speculative execution, and out-of-order pipelines. As a result, the same code can take very different times depending on processor state. Therefore, measurement is unreliable.
aiT solves this problem. Notably, aiT uses abstract interpretation to compute mathematically sound WCET bounds straight from the binary. As a result, aiT gives you a tight, provable upper bound that no testing campaign could ever produce. Importantly, certification authorities accept this evidence as compliant.
Why Sound WCET Analysis Matters
Three approaches compete for timing analysis today. Critically, only one fits high-assurance avionics:
- Measurement-based timing analysis (MBTA). The code runs with test inputs. Then the tool records the longest observed time. Unfortunately, worst-case paths often hide from test inputs. Therefore, MBTA cannot deliver DO-178C DAL A evidence.
- Hybrid analysis. This approach mixes measurement with limited static reasoning. As a result, gaps remain. Increasingly, certification authorities reject these gaps at the highest assurance levels.
- Sound static WCET analysis (aiT). Here, abstract interpretation proves an upper bound for every input and every path. Specifically, this approach satisfies DO-178C Section 6.3.4f and Tool Qualification at TQL-1.
How aiT Computes a Sound WCET Bound
First, aiT reconstructs the control flow graph from the binary. Then, four coordinated analyses run side by side:
- Value analysis tracks possible register and memory values at each program point. As a result, aiT can discover loop bounds and predict indirect jump targets.
- Cache analysis predicts hits and misses for every memory access. Specifically, it models the full cache hierarchy: L1, L2, shared L3, write-through vs write-back, and replacement policy.
- Pipeline analysis models the pipeline stages, branch predictor, out-of-order execution, and store buffers. Therefore, aiT computes timing for each basic block.
- Path analysis combines block timings with feasible paths via the Implicit Path Enumeration Technique (IPET). As a result, aiT finds the actual worst-case path.
Finally, aiT produces three artifacts: a numeric WCET bound, a worst-case path visualization, and a detailed timing breakdown. All three fit straight into DO-178C verification documents.
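The cache analysis step above is the one most people find surprising, so here is an added toy version of it (this is example code, not aiT's): a must-analysis for a single LRU cache set, with the first loop iteration peeled the way WCET tools do, that classifies each access as "always hit" and turns the classification into a cycle bound. The associativity, the 1-cycle hit and 30-cycle miss costs, and the access sequences are constructed.

```python
# Toy LRU must-cache analysis for one cache set (added example, not aiT's code).
# Abstract state: {line: max_age}; every line present is guaranteed cached with
# age <= max_age, so an access to it is an "always hit" (AH).

def update(state, line, assoc):
    """Abstract LRU update for one access: lines younger than `line` age by one,
    `line` becomes youngest, lines reaching age `assoc` are no longer guaranteed."""
    old = state.get(line, assoc)                     # absent = treat as age assoc
    new = {l: (a + 1 if a < old else a) for l, a in state.items() if l != line}
    new[line] = 0
    return {l: a for l, a in new.items() if a < assoc}

def join(s1, s2):
    """Control-flow merge: keep only lines guaranteed on both paths, at the older age."""
    return {l: max(s1[l], s2[l]) for l in s1.keys() & s2.keys()}

def run_body(body, assoc, state):
    """Classify each access of a straight-line loop body from an entry state."""
    classes = []
    for line in body:
        classes.append("AH" if line in state else "NC")   # NC = not classified
        state = update(state, line, assoc)
    return classes, state

def steady_state(body, assoc, header):
    """Fixed point over the loop's back edge: the header state must hold for every
    later iteration, so joins only lose information until nothing changes."""
    while True:
        classes, exit_state = run_body(body, assoc, header)
        merged = join(header, exit_state)
        if merged == header:
            return classes
        header = merged

def loop_memory_cycles(body, assoc, iterations, hit=1, miss=30):
    """Sound bound on cache cycles for a counted loop: the first iteration is peeled
    (cold cache assumed at entry), the rest use the fixed-point classification."""
    first, after_first = run_body(body, assoc, {})
    rest = steady_state(body, assoc, after_first)
    cost = lambda classes: sum(hit if c == "AH" else miss for c in classes)
    return cost(first) + (iterations - 1) * cost(rest)

# Constructed sample: a 4-way set, 10 iterations, hit = 1 cycle, miss = 30 cycles.
FITS     = ["a", "b", "c"]               # working set fits: later iterations all hit
THRASHES = ["a", "b", "c", "d", "e"]     # 5 lines in 4 ways: LRU evicts every line
```

With `FITS` the bound is 117 cycles against 900 for an all-miss assumption, while `THRASHES` stays at 1500 because the working set exceeds the associativity; that gap is why a tight, sound bound needs a real cache model rather than a pessimistic constant.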
Multi-Core WCET — The Hardest Problem in Modern Avionics
Modern avionics computers run on multi-core processors. Unfortunately, cores share L2/L3 caches, memory controllers, and interconnect bandwidth. As a result, cross-core interference destroys timing predictability.
Fortunately, aiT supports multi-core WCET analysis. Specifically, it models shared resources and bounds interference. Furthermore, when paired with SYSGO PikeOS Cache Coloring (also sold by Sightsys), interference drops at the hardware level. Therefore, aiT’s bounds become significantly tighter. Notably, the AbsInt + PikeOS combination remains one of the few proven solutions for DO-178C DAL A multi-core certification.
Supported Processors
aiT covers the full range of avionics-relevant processors:
- Arm Cortex-M — including M0, M3, M4, M7, M33, and M55
- Arm Cortex-R — including R5 and lockstep R52 cores
- Arm Cortex-A — including A53, A55, A72, and A78AE for multi-core avionics
- PowerPC — including e200, e500, e600, and NXP QorIQ families
- Infineon AURIX TriCore — TC27x, TC29x, TC3xx, and TC4xx
- Renesas RH850 and V850
- MIPS, SPARC/LEON, and other space-grade architectures
aiT Certification Coverage
Importantly, aiT ships with tool qualification kits for every major standard:
- DO-178C / ED-12C at TQL-1 — the highest level, suitable for DAL A
- ISO 26262 at ASIL D with TCL3 evidence
- IEC 61508 at SIL 4
- EN 50128 at SW-SIL 4
- IEC 62304 at Class C
Astrée — Sound Static Analyzer to Prove the Absence of Errors
Astrée is a sound parametric static analyzer that proves the absence of runtime errors and data races. Specifically, Astrée flags program defects from unspecified or undefined behavior in C and C++. Moreover, Astrée catches defects from invalid concurrent behavior. Importantly, it also computes program properties relevant for functional safety.
What “Sound” Actually Means
A sound analyzer has zero false negatives. In other words, Astrée never misses a possible runtime error. Importantly, this property is exactly what DO-178C DAL A and ED-12C demand. By contrast, most commercial bug-finders are unsound. Specifically, they report many errors but can silently miss real ones. Therefore, they cannot serve as verification evidence for high-assurance avionics.
What Astrée Proves
Astrée mathematically proves the absence of entire classes of runtime errors:
- Division by zero and modulo by zero
- Integer overflow, underflow, and wrap-around
- Floating-point overflow, NaN, and invalid operations
- Out-of-bounds array access on read or write
- Invalid pointer dereference — null, uninitialized, or dangling
- Buffer overflow and underflow
- Reads from uninitialized variables
- Data races and deadlocks in concurrent code
- Violations of MISRA-C:2012 and MISRA-C++:2008
- CWE, CERT-C, and CERT-C++ security rule violations
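To make the soundness point above concrete, here is an added toy interval analyzer (example code, not Astrée's; Astrée uses far richer domains) that over-approximates every reachable value and flags any division or array access that could fail. It covers two of the error classes listed: division by zero and out-of-bounds indexing. The mini-language, the input range and the two sample programs are constructed; the second program shows the price of soundness, a false alarm, rather than a missed error.

```python
# Toy interval abstract interpreter (added example, not Astrée's code). A state maps
# variables to (lo, hi) intervals; None is the unreachable (bottom) state.
def join_env(a, b):
    """Merge two states: per-variable hull; variables defined on only one path drop out."""
    if a is None or b is None:
        return a if b is None else b
    return {v: (min(a[v][0], b[v][0]), max(a[v][1], b[v][1])) for v in a.keys() & b.keys()}

def eval_expr(e, env):
    if e[0] == "const": return (e[1], e[1])
    if e[0] == "var": return env[e[1]]
    (lo1, hi1), (lo2, hi2) = eval_expr(e[1], env), eval_expr(e[2], env)
    return (lo1 + lo2, hi1 + hi2) if e[0] == "add" else (lo1 - hi2, hi1 - lo2)

def refine_lt(env, var, c, holds):
    """Narrow var on the branch where 'var < c' is true (holds) or false."""
    lo, hi = env[var]
    lo, hi = (lo, min(hi, c - 1)) if holds else (max(lo, c), hi)
    return None if lo > hi else {**env, var: (lo, hi)}

def analyze(stmts, env, alarms):
    """Abstractly execute stmts; every operation that MAY fail is appended to alarms."""
    for s in stmts:
        if env is None: return None               # unreachable code: nothing to check
        if s[0] == "assign":                      # ("assign", dst, expr)
            env = {**env, s[1]: eval_expr(s[2], env)}
        elif s[0] == "div":                       # ("div", dst, numerator, divisor)
            lo, hi = eval_expr(s[3], env)
            if lo <= 0 <= hi: alarms.append(f"{s[1]}: divisor may be 0, range [{lo},{hi}]")
            env = {**env, s[1]: (-2**31, 2**31 - 1)}  # stay sound: quotient unknown
        elif s[0] == "index":                     # ("index", array_length, expr)
            lo, hi = eval_expr(s[2], env)
            if lo < 0 or hi >= s[1]: alarms.append(f"index [{lo},{hi}] may leave array[{s[1]}]")
        elif s[0] == "if":                        # ("if", var, c, then, else); test is var < c
            env = join_env(analyze(s[3], refine_lt(env, s[1], s[2], True), alarms),
                           analyze(s[4], refine_lt(env, s[1], s[2], False), alarms))
    return env

def check(program, inputs):  # inputs: {var: (lo, hi)}; an empty result means proven safe
    alarms = []
    analyze(program, dict(inputs), alarms)
    return alarms

X, Y, TEN = ("var", "x"), ("var", "y"), ("const", 10)
# Constructed sample 1, input x in [0,10]: both alarms are real (x == 5 divides by 0, x == 10 overruns).
REAL_BUGS = [("assign", "y", ("sub", X, ("const", 5))),
             ("if", "y", 0, [("div", "q", TEN, Y)], [("div", "q", TEN, Y)]),  # then y in [-5,-1]: safe; else y in [0,5]: alarm
             ("index", 10, X)]                                                 # x in [0,10]: alarm
# Constructed sample 2: y is never 0 on any path, but the hull after the if is [-6,6]: a false alarm,
# which a relational or path-sensitive domain would remove; an unsound tool might instead stay silent.
FALSE_ALARM = [("if", "x", 5, [("assign", "y", ("sub", X, ("const", 6)))], [("assign", "y", ("sub", X, ("const", 4)))]),
               ("div", "q", ("const", 1), Y)]
```

Running `check(REAL_BUGS, {"x": (6, 9)})` returns an empty list: with that input range both alarms are proven away, which is the "absence of errors" result the list above describes.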
Real-World Pedigree
Famously, Astrée verifies the flight control software of the Airbus A340 and A380. The industry widely regards this code as the highest-assurance code in commercial aviation. Furthermore, Astrée serves nuclear, automotive ASIL D, railway, and space programs around the world.
StackAnalyzer — Maximum Stack Usage Proof
Stack overflow ranks among the most insidious failure modes in embedded software. Specifically, it shows up as random memory corruption rather than a clean crash. As a result, stack bugs often pass pre-flight testing only to fail in production.
Conveniently, StackAnalyzer proves the maximum stack depth your application can ever reach. Like aiT, it uses sound static analysis on the binary executable. Therefore, you can size your stack with full confidence. Furthermore, you generate the certification evidence DO-178C and ISO 26262 require.
Importantly, StackAnalyzer handles every tricky case:
- Recursive function calls — bounded via loop analysis
- Indirect calls and function pointers — resolved via value analysis
- Interrupt nesting — accounts for worst-case interrupt-on-interrupt stack growth
- RTOS task stacks — per-task worst-case usage in FreeRTOS, embOS-Safe, SafeRTOS, PikeOS, and others
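The four cases above are exactly what makes stack sizing by hand unreliable, so here is an added toy analysis over a call graph (example code, not StackAnalyzer's) that handles bounded recursion, indirect calls resolved to a target set, and nested interrupts, and refuses to report a number when no sound bound exists. Every function name, frame size, recursion bound and interrupt priority is constructed.

```python
# Toy worst-case stack analysis over a call graph (added example, not StackAnalyzer's code).
# All names, frame sizes and bounds below are constructed for illustration.
FRAME = {"main": 64, "task": 48, "parse": 128, "walk": 80, "emit": 32, "fmt_hex": 24,
         "fmt_dec": 40, "isr_uart": 40, "isr_tick": 24, "isr_dma": 56}   # bytes per activation
CALLS = {"main": ["task"], "task": ["parse", "emit"], "parse": ["walk"], "walk": ["walk", "emit"],
         "emit": ["*fmt"], "fmt_hex": [], "fmt_dec": [], "isr_uart": ["emit"], "isr_tick": [],
         "isr_dma": []}
INDIRECT = {"*fmt": ["fmt_hex", "fmt_dec"]}  # call through pointer: value analysis gives the target set
RECURSION_BOUND = {"walk": 4}   # max live activations, e.g. from a depth guard found by analysis
CONTEXT_SAVE = 32               # bytes pushed on interrupt entry (constructed)
ISR_PRIORITY = {"isr_tick": 1, "isr_uart": 2, "isr_dma": 3}  # higher preempts lower; nesting on

def max_stack(fn, bounds=RECURSION_BOUND, active=None):
    """Worst-case bytes from fn's frame down its deepest callee chain. Recursion is only
    accepted up to a declared bound; anything else is refused rather than under-reported."""
    active = dict(active or {})
    active[fn] = active.get(fn, 0) + 1
    if active[fn] > bounds.get(fn, 1):
        if fn in bounds:
            return 0                          # bound reached: no deeper activation possible
        raise ValueError(f"unbounded recursion through {fn}: no sound stack bound exists")
    deepest = 0
    for callee in CALLS[fn]:
        for target in INDIRECT.get(callee, [callee]):   # expand resolved indirect targets
            deepest = max(deepest, max_stack(target, bounds, active))
    return FRAME[fn] + deepest

def system_worst_case(entry="main"):
    """Task stack plus worst-case interrupt nesting: every ISR preempts the next lower
    priority one, so all of them (and their context saves) can be on the stack at once.
    Assumes ISRs run on the interrupted task's stack, as on a single-stack bare-metal system."""
    task = max_stack(entry)
    nested = sum(CONTEXT_SAVE + max_stack(isr) for isr in ISR_PRIORITY)
    return {"task": task, "interrupt_nesting": nested, "total": task + nested}

def has_sound_bound(fn, bounds):
    """True if a finite stack bound exists for fn under the given recursion bounds."""
    try:
        max_stack(fn, bounds)
        return True
    except ValueError:
        return False
```

For this constructed graph the task chain alone needs 632 bytes (four live `walk` frames included) and interrupt nesting adds another 288, for a total of 920; dropping the declared bound on `walk` makes the analysis refuse to answer instead of silently reporting a single frame.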
CompCert — Formally Verified C Compiler
CompCert is the world’s first commercially supported C compiler with formally proven correctness. Specifically, the compilation process itself carries a mathematical proof. Notably, the proof is written and checked in the Coq proof assistant. As a result, the generated machine code is guaranteed to preserve the semantics of the source code.
In practice, CompCert eliminates an entire class of compiler-introduced bugs. Ordinarily, these bugs require extensive verification under DO-178C tool qualification. Therefore, CompCert is the right choice for the highest-assurance avionics, defense, and security-critical code. Furthermore, the formal proof significantly reduces the certification burden for the compilation step.
AbsInt + Sightsys Toolchain — The Complete DO-178C Stack
AbsInt tools fit seamlessly into the broader Sightsys avionics portfolio:
- IAR Embedded Workbench (Functional Safety) — the qualified compiler whose output aiT and StackAnalyzer analyze
- SYSGO PikeOS — the ARINC 653 hypervisor whose Cache Coloring makes aiT’s multi-core WCET bounds much tighter
- SEGGER embOS-Safe — the TÜV-certified RTOS that Astrée verifies for freedom from runtime errors and StackAnalyzer sizes per task
- Axivion Suite — MISRA-C and architecture verification that complements Astrée’s runtime analysis
- QA Systems Cantata — MC/DC unit testing that proves the paths Astrée and aiT analyzed actually get exercised
- Solid Sands SuperTest — compiler validation evidence that complements aiT’s binary-level analysis
As a result, an Israeli avionics team buying through Sightsys gets a single integrated stack. Specifically: a qualified compiler, a certified RTOS or hypervisor, MISRA-C enforcement, sound runtime error analysis, provable WCET, provable stack bounds, and compiler qualification evidence. Moreover, all of this comes from one local distributor with Hebrew technical support and certification expertise.
Talk to the Sightsys AbsInt Team
Do you need to prove DO-178C DAL A WCET on a multi-core flight computer? Or to eliminate runtime errors from a FreeRTOS-based UAV stack with Astrée? Perhaps you need to size stack budgets for an ASIL D ECU with StackAnalyzer. Or maybe to deploy a formally verified compiler for the highest-assurance defense code. In every case, the Sightsys AbsInt team can scope your project, supply evaluation licenses, and deliver certification evidence ready for FAA, EASA, and Israeli regulatory submission.
To request a quote, an evaluation license, or an AbsInt toolchain consultation, contact the Sightsys team directly. Additionally, learn more on the official AbsInt website.