|Subject:||Re: [Paparazzi-devel] Source code analysis of paparazzi|
|Date:||Wed, 5 Nov 2014 16:46:34 +0100|
Do you mean that you would execute the formal verification of the paparazzi code base? It would propel the code quality of this autopilot well above any other available autopilot solutions!
I have checked Frama-C some times ago and think it is a very promising approach. I am just wondering if you would make the analysis framework available including all artifacts that would make then possible to repeat the analysis?
Do you plan to analyze the complete embedded code base including libopencm3? I do know that the latter is full of static analysis issues so it is very likely that you will detect many during the formal verification.
Karoly> From: address@hidden
> To: address@hidden
> Date: Wed, 5 Nov 2014 10:32:01 +0100
> Subject: [Paparazzi-devel] Source code analysis of paparazzi
> First let me introduce myself: I am a researcher at CEA working on
> Frama-C, a source-code analysis platform for C code. I am currently
> working with SRI and UCSC on a DARPA project named CHEKOFV, whose goal
> is to crowd-source part of verification work by having players finding
> verification invariants without knowing, by playing on a game (you can
> find the games on http://verigames.com/). To that purpose, we have
> chosen Paparazzi to be our next target of verification.
> So (if you allow me) I will regularly post on this mailing list to
> report to you about potential bugs I found in the source code during the
> verification process. Forgive me if I don't use the very latest version
> of the code; as I sometimes have to make changes to the source code to
> simplify the verification, it is simpler for me if I stick to one
> version. Also, I must warn you that I know nothing about UAVs or
> Paparazzi configurations.
> The first bug I have found happens in the "Booz2" configuration. In
> src/sw/airborne/led.h, there is a led_init() function, which calls a
> a bunch of LED_INIT macros, one of set translating to:
> ((gpioRegs_t *)0xE0028000)->dir1 |= (unsigned long)(1 << 31);
> This code is incorrect, as 1 is signed, 1 << 31 results in a signed
> overflow which is an undefined behaviour. The correct replacement is
> ((unsigned long) 1 << 31).
> I have also found something unusual (but maybe this is done on purpose):
> on the Microjet configuration, there is a periodic_telemetry_send_Fbw
> function which is static inline; and contains a lot of static
> variables. Which means that the variable will be duplicated in different
> compilation units, which appears to happen in practice. But may this is
> something that you want?
> Best regards,
> Matthieu Lemerre
> Paparazzi-devel mailing list
Paparazzi-devel mailing list
|[Prev in Thread]||Current Thread||[Next in Thread]|