Anatomy of a Spacecraft Anomaly: An IV&V Perspective
Joel Abraham*
On-Orbit Anomaly Research
NASA IV&V Facility, Fairmont, WV
4th International Workshop on Independent Verification & Validation of Software
September 11 - 13, 2012, Morgantown, WV
* College Intern, West Virginia Wesleyan, Buckhannon, WV
Slide 2
Agenda
On-Orbit Anomaly Research
Description of Anomaly
Causes of Anomaly
Root Cause: Operating System Fault
Proximate Cause: FSW Bounds-Checking Deficiency
IV&V Observations
Slide 3
On-Orbit Anomaly Research (OOAR) at NASA IV&V Facility
• Study anomalies and mishaps associated with NASA space missions
• Assist with on-going NASA IV&V analysis of heritage software with a past faulty history
• Help improve NASA IV&V processes
Slide 4
Description of Anomaly
Slide 5
Sequential Causes of Anomaly
Slide 6
Sequential Causes of Anomaly (cont’d)
Slide 7
Sequential Causes of Anomaly (cont’d)
• In summary, the chain of causes, read from the root cause up to the anomaly:
– Root Cause: incorrect implementation of fmod in the (COTS) OS
– fmod(l, 2π) returned an incorrect value, off by π
– cos(l) and the x component of position flipped signs
– The x component of velocity, Vx, became too large
– Proximate Cause: 64-bit floating-point Vx too big to convert to a 32-bit integer
– ANOMALY
Slide 8
Root Cause: Operating System Fault (fmod Overview)
• fmod(a, b) returns the remainder of a ÷ b
• Example: fmod(16, 3) = 1, since 16 = (3 × 5) + 1
• Human implementation: calculate the remainder r by finding the largest integer n in 16 = (3 × n) + r such that 0 ≤ r = 16 – (3 × n) < 3
Slide 9
Root Cause: Operating System Fault (fmod Overview)
Slide 10
Root Cause: Operating System Fault (OS Comparison of Numbers in fmod)
Slide 11
Root Cause: Operating System Fault (OS Comparison of Numbers in fmod)
Slide 12
Root Cause: Operating System Fault (OS Comparison of Numbers in fmod)
• For certain values of l slightly larger than odd multiples of 2π, fmod(l, 2π) failed at the last steps:
Slide 13
Proximate Cause: FSW Bounds-Checking Deficiency
Requirement: Transform (cast) a double-precision 64-bit floating-point value into an int16 (16-bit signed integer)
FSW implementation: conversion performed in two steps:
• 64-bit floating-point to 32-bit signed integer
• 32-bit signed integer to 16-bit signed integer
64-bit value: -14900351502.5752239
• Requires a 35-bit signed integer to convert properly
• A 32-bit signed integer cannot hold values less than -2147483648
• Failure to transform into a 32-bit signed integer
Slide 14
Proximate Cause: FSW Bounds-Checking Deficiency
• No bounds checking of values to be typecast was performed by the FSW
• The anomaly could have been prevented if the 64-bit floating-point value had been checked
Slide 15
OOAR Observations
To prevent similar anomalies in the future:
• Apply IV&V to code external to flight software
• IV&V verification of bounds checking in flight software
Slide 16
OOAR Observations (cont’d)
Apply IV&V to Code External to Flight Software (FSW)
• Ex: the OS running the FSW is an integral element of S/C operation
• It may be the “weak link” if not analyzed along with the FSW
• Issues with FSW may originate in external code, e.g., the fmod bug in the OS
• New software interacting with FSW may warrant IV&V analysis
• Critical space missions may justify analyzing external code
• Past problems (e.g., with a specific OS) may indicate a need for further assessment
Slide 17
OOAR Observations (cont’d)
Apply IV&V to Code External to FSW (cont’d):
• Challenges
– Full-cycle analysis may not be possible, e.g., the OS is already developed
• Comprehensive testing may be the only option
• Testing cannot catch all bugs
– Ex.: the fmod bug becoming active on the S/C once every two years, at two instances a few seconds apart, which may or may not become an issue depending on whether a SW application happens to “consume” the bug at those instances
– Bugs may be too subtle to be detected easily (cf. the fmod bug)
– Limited IV&V resources to do both FSW and external software analysis
– May not be cost-effective to analyze external software with long, successful track records
Slide 18
OOAR Observations (cont’d)
IV&V Verification of Bounds Checking in FSW
• Examples of bounds checking:
– Array index checking
– Checking for division by zero
– Screening for taking the square root of a negative number
• Bounds checking is effective as fault protection in the code
– Bounds checking of typecasting would have prevented the fmod bug from leading to an anomaly
• Some compilers may not provide automatic run-time bounds checking
• Verification of bounds checking, e.g., array index checking, is readily performed by static code analysis tools
• Relatively easy to manually inspect the code to verify bounds checking of pre-identified operations, e.g., typecasting, square root, etc.
Slide 19
OOAR Observations (cont’d)
IV&V Verification of Bounds Checking in FSW (cont’d):
• Challenges
– Some bounds checking requires dynamic code analysis tools
• The logistics of dynamic code analysis are complicated
– Correct configuration of code analysis tools may also require a significant time investment
Slide 20
Questions?
• Thank you for your participation!
• Contact Info:
– Joel Abraham [[email protected]]
– Joseph Painter [[email protected]]
– Koorosh Mirfakhraie [[email protected]]
– Ken Costello [[email protected]]
– Sam Cilento [[email protected]]