Participant: Antoine Miné [correspondent].

The Thésée prototype is a fork of the Astrée static analyzer (see 5.1) that adds support for analyzing parallel embedded C software.

Thésée analyzes C programs composed of a fixed set of threads that communicate through a shared memory and synchronization primitives (mutexes, FIFOs, blackboards, etc.), but without recursion or dynamic creation of memory, threads or synchronization objects. Thésée assumes a real-time scheduler, where thread scheduling strictly obeys the fixed priority of threads. Our model follows the ARINC 653 OS specification used in embedded industrial aeronautic software. Additionally, Thésée employs a weakly-consistent memory semantics to model memory accesses not protected by a mutex, in order to soundly account for hardware- and compiler-level program transformations (such as optimizations). Thésée checks for the same run-time errors as Astrée.

Compared to Astrée, Thésée features: a new iterator to compute thread interactions, a refined memory abstraction that takes into account the effect of interfering threads, and a new scheduler partitioning domain. This last domain allows discovering and exploiting mutual exclusion properties (enforced either explicitly through synchronization primitives, or implicitly by thread priorities) to achieve a precise analysis.
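To make the thread model of the previous paragraph and the "iterator to compute thread interactions" concrete, here is an added toy illustration (not Thésée's code, and not Astrée's): a fixed set of threads over shared integer variables is analyzed thread by thread with intervals, each thread's writes to shared variables are recorded as "interferences" that the other threads' reads must take into account, and the per-thread analyses are re-run until the interferences stop growing. The statement language, the `analyze`/`read`/`widen` helpers and the two sample programs are all constructed for this example; mutexes, priorities and weak memory ordering are deliberately left out.

```python
"""Toy interference-based analysis of a fixed set of threads communicating
through shared integer variables, with interval abstraction.

Added illustration of iterating per-thread analyses to a fixpoint over
"interferences"; it is not Thésée's code and ignores mutexes, priorities
and weak memory ordering entirely."""
from math import inf

BOTTOM = None  # "never written": no interference yet


def join(a, b):
    """Least upper bound of two intervals (BOTTOM is the neutral element)."""
    if a is BOTTOM:
        return b
    if b is BOTTOM:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """Interval widening: a bound that still moves between rounds jumps to
    +/- infinity, so the interference fixpoint is reached in finitely many rounds."""
    if old is BOTTOM:
        return new
    lo = old[0] if new[0] >= old[0] else -inf
    hi = old[1] if new[1] <= old[1] else inf
    return (lo, hi)


def analyze(threads, shared, init=(0, 0), max_rounds=50):
    """threads: {name: [stmt, ...]} where stmt is one of
         ("set", v, (lo, hi))   v := any value in [lo, hi]
         ("add", v, src, k)     v := src + k
         ("check", v, bound)    alarm if v may exceed bound
       shared: names of variables visible to all threads. Every variable starts
       at `init`. Returns (interferences, alarms): interferences[v][t] is the
       interval of values thread t may store into shared v (BOTTOM if never);
       alarms is a list of (thread, statement index, message)."""
    interf = {v: {t: BOTTOM for t in threads} for v in shared}

    def read(env, me, v):
        # A thread sees its own last value of v joined with whatever the
        # other threads may have stored there (flow-insensitive interference).
        val = env.get(v, init)
        if v in shared:
            for other, w in interf[v].items():
                if other != me:
                    val = join(val, w)
        return val

    for _ in range(max_rounds):
        changed = False
        alarms = []
        for me, stmts in threads.items():
            env = {}        # each thread is re-analysed from the initial state
            written = {}    # values this pass stores into shared variables
            for i, stmt in enumerate(stmts):
                op, v = stmt[0], stmt[1]
                if op == "set":
                    val = stmt[2]
                elif op == "add":
                    r = read(env, me, stmt[2])
                    val = (r[0] + stmt[3], r[1] + stmt[3])
                elif op == "check":
                    cur = read(env, me, v)
                    if cur[1] > stmt[2]:
                        alarms.append((me, i, f"{v} in {cur} may exceed {stmt[2]}"))
                    continue
                else:
                    raise ValueError(f"unknown statement {stmt!r}")
                env[v] = val
                if v in shared:
                    written[v] = join(written.get(v, BOTTOM), val)
            # Publish this thread's writes as interferences, widening across rounds.
            for v, val in written.items():
                old = interf[v][me]
                new = widen(old, join(old, val))
                if new != old:
                    interf[v][me] = new
                    changed = True
        if not changed:
            return interf, alarms
    raise RuntimeError("interference fixpoint not reached")


# Constructed sample programs in the little statement language above.
# 1) T1 stores 1 then 2 into shared x; T2 copies x into a local y and checks y <= 2.
PUBLISH_AND_READ = {
    "T1": [("set", "x", (1, 1)), ("set", "x", (2, 2))],
    "T2": [("add", "y", "x", 0), ("check", "y", 2)],
}
# 2) Two threads each increment shared x once, with no mutex: a read may observe
# the other thread's write, the interference widens to +inf and an alarm is raised.
UNPROTECTED_INCREMENTS = {
    "A": [("add", "x", "x", 1)],
    "B": [("add", "x", "x", 1), ("check", "x", 2)],
}

if __name__ == "__main__":
    for label, prog in [("publish/read", PUBLISH_AND_READ),
                        ("unprotected increments", UNPROTECTED_INCREMENTS)]:
        interferences, alarms = analyze(prog, shared={"x"})
        print(label, "->", interferences, alarms)
```

The first program is proved safe: T2's read of `x` is the initial `[0,0]` joined with T1's interference `[1,2]`. The second program's alarm is spurious (two increments from 0 never exceed 2), which is exactly the kind of imprecision a plain interference abstraction produces and that more refined abstractions, such as the mutual-exclusion reasoning of a scheduler partitioning domain, are designed to recover when accesses are protected.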

Thésée is currently being applied to analyze a large industrial avionic software: 1.6 million lines of C and 15 threads, completed with a 2500-line model of the ARINC 653 OS developed for the analysis. The analysis currently takes 14h on a 2.66 GHz 64-bit Intel server using one core and generates around 7600 alarms, which proves the scalability of the approach. Ongoing work aims at reducing the number of alarms. Thésée is introduced in [17] (§ VI) and [28]. The Thésée prototype is closed source; it has been delivered to Airbus France.


