Embedded software often involves intensive numerical computations and suffers from a number of runtime errors. The technique of numerical static analysis is of practical importance for checking the correctness of embedded software. However, most of the existing approaches of numerical static analysis consider sequential programs, while interrupts are a commonly used facility that introduces concurrency in embedded systems. Therefore, a numerical static analysis approach is highly desired for embedded software with interrupts. In this article, we propose a static analysis approach specifically for interrupt-driven programs based on sequentialization techniques. We present a method to sequentialize interrupt-driven programs into nondeterministic sequential programs according to the semantics of interrupts. The key benefit of using sequentialization is the ability to leverage the power of state-of-the-art analysis and verification techniques for sequential programs to analyze interrupt-driven programs, for example, the power of numerical abstract interpretation to analyze numerical properties of the sequentialized programs. Furthermore, to improve the analysis precision and scalability, we design specific abstract domains to analyze sequentialized interruptdriven programs by considering their specific features. Finally, we present encouraging experimental results obtained by our prototype implementation.
INTRODUCTION
An interrupt is a signal to the processor indicating an event that needs immediate attention, necessitating the interruption of the current code that the processor is executing. Interrupts are commonly used in embedded systems to introduce concurrency, which is required for real-time applications. For example, embedded control software Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or permissions@acm.org. often uses interrupts to obtain sensor data from the physical environment. In a program, during the running of normal tasks, an interrupt service routine (ISR) is invoked once an interrupt alerts the processor to a higher-priority condition. Such a program is said to be interrupt-driven. In interrupt-driven programs (IDP), interrupts may cause unexpected interleaving and even unexpected erroneous behaviors [Yang et al. 2015] . Therefore, there is a great need in practice to ensure that IDPs work correctly in the presence of interrupts, since IDPs are often used in safety critical fields such as avionics, spaceflight, and automotive. However, analyzing and verifying IDPs are challenging. The main reason is that an ISR may be triggered at any time and the number of possible execution interleavings caused by concurrency between tasks and ISRs is quite huge.
IDPs often appear in embedded systems, while embedded software usually involves intensive numerical computations that have the potential to cause numerical runtime errors (such as division by zero, arithmetic overflow and array out-of-bound) [Blanchet et al. 2003 ]. Hence, analyzing numerical properties of IDPs is of significant importance to check for the correctness of embedded software. Numerical static analysis is a commonly used technique to discover numerical properties of programs. However, most of the existing numerical static analysis approaches consider only sequential programs. For IDPs, if we perform numerical static analysis over each task and each ISR separately without considering the interleaving between them, the analysis results may be not sound. Figure 1 shows a motivating example, in which the functions task() and ISR1() represent the entry functions of a task and an interrupt service routine, respectively. task() performs the division operation only when x is strictly less than y. ISR1() increases x by 1 and decreases y by 1. Performing numerical static analysis over task() without considering interrupts would indicate that the program is safe. However, when taking interrupts into consideration, the task() function is not safe. For example, if x = 1, y = 3 and the interrupt is triggered between Lines 3 and 4 of task(), there will be a divisionby-zero error in this program. Thereby, a sound numerical static analysis method is desired for IDPs.
Recently, a few numerical static analysis approaches have been proposed for general concurrent programs such as multithreaded programs [Miné 2011 [Miné , 2014 , but very few approaches have considered the specific features of IDPs [Cooprider and Regehr 2006; Monniaux 2007] . Compared with multithreaded programs, IDPs have their own specific features. For example, higher-priority interrupts will never be interrupted by lower ones. In other words, tasks and lower-priority interrupts will never be aware of the intermediate states of higher-priority interrupts during their running. Moreover, IDPs in embedded systems usually make use of hardware features such as interrupt mask registers (IMRs) to control the interference between tasks and interrupts.
In this article, we propose a sound numerical static analysis approach specifically for IDPs, which enables the use of existing analysis and verification techniques for sequential programs. The basic idea is to sequentialize IDPs by a semantic sound program transformation and then to analyze the resulting sequential programs by abstract interpretation enriched with newly designed abstract domains specific to the features of IDPs. The main contributions are as follows.
(1) We present a method to sequentialize IDPs into nondeterministic sequential programs according to the semantics of interrupts and the interaction between tasks and interrupts. The dataflow dependency and IMR information are used to optimize the transformation and reduce the size of the resulting sequential programs. (2) We design specific abstract domains to improve the precision of numerical static analysis with reasonable scalability. These abstract domains incorporate the specific features that often appear in the sequentialized interrupt-driven programs. (3) We conduct a set of experiments to evaluate the approach on both benchmarks and real-world programs from open-source communities as well as industrial communities. The preliminary results show that our approach is promising.
The rest of this article is organized as follows. Section 2 presents the program syntax of IDPs. Section 3 presents methods for sequentializing IDPs. In Section 4, we show how to use abstract interpretation to analyze the sequentialized IDPs. Section 5 contains our implementation and preliminary experimental results. Section 6 discusses some related work. Conclusions, as well as suggestions for future work, are presented in Section 7.
This article is an extended version of our EMSOFT 2015 paper [Wu et al. 2015] . Supplementing Wu et al. [2015] , we have added more algorithms and examples to describe our approach in detail (Section 3). We have designed a new specific abstract domain, the syntactic equality abstract domain, to improve the precision of the analysis of sequentialized IDPs (Section 4). We have collected more benchmarks and real-world IDPs from open-source communities as well as aerospace industrial communities, and have conducted more experiments (Section 5).
INTERRUPT-DRIVEN PROGRAMS
An IDP consists of a fixed set of a finite number of tasks and interrupts, each of which has an entry function. In this article, recursive functions are not allowed in IDPs, and all functions have been inlined (except the entry functions of tasks and interrupts). Tasks are scheduled in a cooperative, round-robin manner, and interrupts are assigned priorities. Moreover, the tasks execute with interleaved semantics (on a uniprocessor) and each task can finish its job within the given time slice. Each interrupt has a fixed priority level attribute p, which is a positive integer, and a larger priority level means higher priority. It means that higher-priority interrupts can preempt lower-priority interrupts and tasks, but the opposite preemption cannot happen. Without loss of generality, we use the following two assumptions throughout this article: 1) We assume that an IDP consists of only a single task. Since tasks are scheduled in a cooperative, round-robin manner, for an IDP including multiple tasks, we can design a wrapper function that consists of calling each of the tasks one by one in sequence to simulate the round-robin scheduling of multitasks. 2) We assume that each priority level contains only one interrupt. For an IDP that contains multiple interrupts with the same priority, we can design a new wrapper ISR of that priority to overapproximate the program behaviors. The new wrapper ISR consists of a loop in which each iteration nondeterministically calls one of the original interrupts of that priority.
We now present a simple language to model IDPs. The syntax of our language is depicted in Figure 2 . An IDP consists of one task and N interrupts. ISR := entry, p represents the ISR entry function of an interrupt and its priority. Without loss of generality, we use ISR i to represent the interrupt with priority p = i, where i ∈ [1, N]. enableISR(i) and disableISR(i) represent the instructions that enable and disable the ith interrupt, respectively, by writing to the IMR. We assume that at the exit point of an ISR, the IMR is reset to the initial value of IMR at the entry point of this ISR. We use SV and NV , respectively, to represent the set of shared and nonshared variables. We restrict the task to having only one return statement.
For the sake of simplicity, but without loss of generality, we restrict the task to having shared variables that can only appear in the following two kinds of statements: -l = g, which represents reading the value from a shared variable g to a nonshared variable l, and -g = l, which represents writing the value of a nonshared variable l to a shared variable g.
In fact, any program statement involving shared variables can be transformed into these forms by introducing auxiliary variables. For example, a test {if(g > e) . . . } can be transformed into the sequence {l = g; if(l > e) . . . }. Moreover, we assume that the statements g = l and l = g are atomic.
In this article, we consider analyzing IDPs at the level of source code rather than that of machine code. However, one program statement in the source code can be translated into several machine instructions. Thus, an interrupt may be triggered during the running of a program statement if the statement is not atomic. For example, consider an IDP that contains one task {z = x+y; } and one interrupt whose ISR is {x = 1; y = 1; }. Suppose that both shared variables x, y are initialized to 0. If we consider only the case that the interrupt is triggered before or after the assignment statement {z = x + y; } in the task, the value of variable z can be 0 or 2. However, the interrupt may be triggered during the running of this statement at machine instruction level. For example, the interrupt may be triggered after reading x and before reading y; the value of variable z can be 1 in this case. In order to avoid this ambiguity, we allow only two kinds of statements (i.e., l = g and g = l) that are atomic to access a shared variable, variable g in the syntax shown in Figure 2 .
SEQUENTIALIZING INTERRUPT-DRIVEN PROGRAMS
In this section, we will describe how to sequentialize IDPs into nondeterministic sequential programs in a sound way. In other words, we will guarantee that the program behaviors of the sequentialized program are an overapproximation of the behaviors of the original IDP. We will first show, in Section 3.1, how to sequentialize IDPs into sequential programs by considering IDPs as priority preemptive scheduling systems. Then, in Section 3.2, we will make use of dataflow dependency information between tasks and interrupts to remove unnecessary scheduling. In Section 3.3, we will consider further the IMR information at program points to remove unnecessary scheduling. In Section 3.4, we will consider the interrupts that have no dataflow dependency with tasks. On this basis, we will give the overall algorithm of our sequentialization approach in Section 3.5. Finally, we will discuss the soundness of our sequentialization approach in Section 3.6.
Sequentializing IDPs by Simulating Priority Preemptive Scheduling
First, let us review the running process of an IDP. During the running of a task, the ith interrupt may be triggered before any program statement of the task. If the ith interrupt is triggered, the task is preempted and resumes only when ISR i has finished. Thus, this situation can be simulated by calling the ISR i function in the stack once the ith interrupt is triggered. Similarly, before each program statement of the ith interrupt, if the jth interrupt with higher priority (i.e., satisfying i < j) is triggered, ISR i is preempted and resumes only when ISR j has finished. This situation also can be simulated by calling the ISR j function in the stack when the jth interrupt is triggered. In general, because the ISR of a preempted lower-priority interrupt (or task) will not resume until the ISR of a higher-priority interrupt has finished, the task and ISRs in an IDP can share the same stack. It means that, in IDPs, interrupt preemption can be modeled as merely a function call.
Based on this insight, inspired from Kidd et al. [2010] The Schedule() function works as follows: It passes through the interrupts the priority that is higher than the current running task or ISR, and nondeterministically calls the ISR function of a higher-priority interrupt that has not yet been triggered. For the sake of presentation, in this section, we make the following assumption temporarily: Each statement in the task and ISRs is atomic and a higherpriority interrupt can be triggered at most once before each program statement of the task or a lower-priority interrupt. We use this assumption in this section to make the sequentialization method in Kidd et al. [2010] easy to understand, and we will show how to remove this assumption in Section 3.2. Figure 3 shows the sequentialized program of the motivating example by adding explicit Schedule() function before each program statement of the task and ISRs. In Figure Note that, more generally, the call to Schedule() can be omitted in the interrupt of the highest priority, since it cannot be preempted by other interrupts as well as itself.
Sequentializing IDPs by Considering Dataflow Dependency
In Section 3.1, we have described an approach to sequentialize IDPs by adding explicit calls to a Schedule() function before each program statement. However, the scale of the resulting sequentialized program may become very large, especially when an IDP Using a loop to wrap a number of calls to the Schedule() function has a key benefit: the resulting sequentialized program will significantly fewer code lines. Note that loops can be analyzed efficiently by using extrapolation techniques. Moreover, we could delay widening and even unroll the loop to achieve a trade-off between efficiency and precision.
In fact, in practical IDPs, only a very small percentage of program statements will read from/write to shared variables. Moreover, the sets of shared variables between the task and different interrupts are usually different. Before a program statement l = g that reads a shared variable g, we need to consider only those interrupts that, when triggered, will affect the value of g. Similarly, after a program statement g = l that writes to a shared variable g, we need to consider only those ISRs that, when triggered, will be affected by the value of g. 
The influenced interrupt group for interrupt ISR i is defined as follows:
Example 1. Suppose that in an IDP, there are two shared variables x, y, three interrupts ISR 1 , ISR 2 , ISR 3 , and
The dataflow dependency relationships among ISRs can be described by a directed graph, which we call a dependency graph. Each vertex of the graph denotes an interrupt and there exists a directed edge from ISR i to ISR j if ISR i → ISR j . Then, the problem of computing the dependent/influenced interrupt group for ISR i can be reduced to a reachability problem in a directed graph. We use a matrix DG ∈ {0, 1} N×N to encode the graph, where N is the number of interrupts and
We use two procedures, CompDepGroup() and CompInfGroup(), to compute, respectively, the dependent and influenced interrupt groups for an interrupt, which can be essentially computed by the transitive closure of direct-dependency relations among ISRs (encoded by the matrix DG).
Considering only statements that access a shared variable. As we have mentioned, if a program statement does not access any shared variable, it makes no difference whether an interrupt is triggered before or after this statement. For a program statement that reads a shared variable, we need to consider the influence from those ISRs that affect the value of this shared variable. For a program statement that writes into a shared variable, we need to consider the influence of this statement on those interrupts that may be affected by the value change of this shared variable.
Based on this insight, we propose the following strategy for sequentializing IDPs: We only add Schedule() functions before statements that read shared variables and after statements that write to shared variables. We give the detail as follows:
-Before a statement (in the form of l = g) that reads a shared variable g, we consider
invoking ISRs in S 1 ∪ S 2 , where -
where S 1 represents the set of ISRs that directly write to shared variable g and S 2 represents the set of ISRs that are in the dependent interrupt groups of any ISR in S 1 . We use procedure ReadDepISRs() to compute S 1 ∪ S 2 .
-After a statement (in the form of g = l) that writes to a shared variable g, we consider
invoking ISRs in S 3 ∪ S 4 , where
}, where S 3 represents the set of ISRs that directly read shared variable g and S 4 represents the set of ISRs that are in the influenced interrupt groups of any ISR in S 3 . We use procedure WriteInfISRs() to compute S 3 ∪ S 4 .
On this basis, we introduce a new schedule function, ScheduleG(group), to nondeterministically call those ISRs in group, as shown in Figure 4 . According to this strategy, we consider adding the schedule functions only before and after a statement St that accesses shared variables, but we do not know how many times an interrupt may be triggered before the statement St. In fact, in practical IDPs, an interrupt is never triggered too frequently in each task period; otherwise, the program may disobey the real-time restriction. In particular, the system designers of real-time embedded systems often know an upper bound on the number of firing times of each interrupt during one task period. Based on this insight, to guarantee the soundness of the sequentialization following this strategy, we add the following assumption:
-We assume that the upper bound on the number of firing times of each interrupt during one task period is given by K, where K is a positive integer that can be +∞.
The bound K is given by the user, but the user can always say +∞ if the user does not know. We guarantee that the semantics of the sequentialized program is sound with respect to K. In certain applications, K can be automatically inferred. For example, for nxtOSEK [Chikamasa et al. 2010] programs, some interrupts are periodically triggered and their periods are explicitly specified in an OIL (OSEK Implementation Language) file. In this case, the upper bounds K for these interrupts can be automatically inferred according to their periods.
In Figure 4 , we introduce the function ScheduleG Ks(group, K) to call the ScheduleG() function K times. In the case in which K cannot be specified, we can put K to +∞ (then, the loop in ScheduleG Ks() becomes an unbounded loop that can stop at any time or loop forever), which can still guarantee the soundness of the sequentialization following this strategy. Now, we introduce two functions, InvokeBefore (St, group) When the interrupt groups grp 1 and grp 2 are the same, the invoking of ScheduleG Ks(grp 2 , K 2 ) is unnecessary.
Based on this insight, we design a simplification procedure, Simplify(), to remove unnecessary invocations of ScheduleG Ks(). The Simplify() procedure removes the second invocation of ScheduleG Ks(grp 1 , K 1 ) in the following two patterns:
where for all i ∈ [2, n − 1], the statement St i does not write to any shared variable.
Sequentializing IDPs by Considering IMR
IDPs usually use an IMR to control the interference between tasks and interrupts. Each bit of IMR corresponds to an interrupt and represents whether that interrupt is enabled or disabled. In our IDPs, programmers use disableISR(i) and enableISR(i) to change the value of IMR to disable and enable the ith interrupt, respectively. Thus, the value of IMR may be different at different program points. 
Computing dataflow dependency considering IMR.
To obtain a precise analysis of dataflow dependency, we need to consider only enabled interrupts when computing the dataflow dependency among interrupts. In order to get the set of enabled interrupts, we need to compute the IMR value at each program point.
Preanalysis for analyzing the value of IMR. In order to obtain the value of IMR at each program point, we use a simple preanalysis (for each entry function of the task and interrupts separately) prior to the actual sequentialization. As explained in Section 2, all function calls are inlined. We do not need to consider function calls during the computation of IMR value. We recall the assumption related to IMR (described in Section 2), that is, at the exit point of an ISR, the IMR is reset to the initial value of IMR at the entry point of this ISR. Based on this assumption, we omit the effects of interruptions during the computation of IMR value. We design a procedure, ComputeIMR(), to compute the value of IMR at each program point for each entry function of the task and interrupts separately. The value of IMR is modeled as a bit vector. For the ith bit, we use 0 to represent that the ith interrupt is disabled, 1 to represent that the ith interrupt is enabled or inconclusive (i.e., either enabled or disabled). Note that when we cannot conclude whether the ith interrupt is enabled or disabled, we assign 1 to the ith bit of IMR, which means that the interrupt is enabled in this case. As shown in Algorithm 1, the procedure ComputeIMR() performs a flow-sensitive dataflow analysis using a bitwise abstract domain. For disableISR(i) and enableISR(i) statements, we set the ith bit of the IMR bit-vector to 0 and 1, respectively. For the branch statement, at the control-flow join, we perform the bitwise OR operation over the two resulting bit vectors from different branches. In other words, for each bit, the join operation returns 0 if and only if the two corresponding input bits are 0; otherwise, it returns 1. 
Invoking ISRs for enableISR(i) and disableISR(i).
Until now, we have considered adding calls to the Schedule() function only before statements that read shared variables and after statements that write into shared variables. However, when an IDP includes statements enableISR(i) and disableISR(i), this strategy may miss some invocations of certain ISRs. For example, Figure 5 shows an IDP involving statements enableISR(i) and disableISR(i), in which y is the shared variable. If we add invocations of ISRs only before statements that read shared variables and after statements that write to shared variables, we will not invoke ISR1 because ISR1 is disabled when the shared variable y is read (i.e., in Line 7). However, this program may cause a division-by-zero error when ISR1 is triggered between Lines 5 and 6 in the task().
Thus, when handling statements enableISR(i) and disableISR(i), we may also need to add an invocation of certain related ISRs. We use the following strategy: when handling disableISR(i), we presume that all shared variables in WSVars(ISR i ) will be read during the execution of the interrupt masking segment starting at disableISR(i). In this situation, we need to add the Schedule() function to invoke ISR i and all those interrupts in dGroup [ISR i ] before disableISR(i). Similarly, when handling enableISR(i), we presume that all shared variables in RSVars(ISR i ) have been written to during the execution of the interrupt masking segment ending at enableISR(i). In this situation, we need to add the Schedule() function to invoke ISR i and all those interrupts in iGroup [ISR i 
] after enableISR(i).
Algorithm 2 shows how to insert calls to related ISRs before each statement. IMRValTbl represents a map from each program statement to its IMR value, which is computed by computeIMR(). InvokeBefore() and InvokeAfter() represent a call to the corresponding sequentialized interrupts before or after a statement. CompDepGroup(i, p, imr) (CompInfGroup) computes the dependent (influenced) interrupt group of ISR i for the considered statement that lies in a task or an interrupt with priority p under the IMR value imr. ReadDepISRs(g, p, imr) (WriteInfISRs) computes the dependent (influenced) interrupt group for the considered statement that reads from (writes to) the shared variable g in a task or an interrupt with priority p under the IMR value imr.
Sequentializing IDPs by Considering ISRs Having no Dataflow Dependency with Tasks
The resulting sequentialized IDPs given by this method consist of entry functions of the sequentialized task and the sequentialized ISRs. The entry function of the task is the main entry function of the whole IDP. In most cases, the sequentialized task will invoke all sequentialized ISRs. However, there may exist special cases in which an interrupt ISR i may never be invoked in the sequentialized result of the task function when using dataflow dependency to optimize the sequentialization process. This is exemplified by Example 2. This situation may happen when there is no (direct or transitive) dataflow Example 2. Suppose that an IDP consists of one task and two interrupts:
where ISR 2 is of higher priority than ISR 1 , x is a shared variable, and tmp, tmp1, tmp2 are nonshared variables. Following the strategy that we only consider invoking relevant ISRs before statements reading shared variables and after statements writing shared variables, ISR 1 will never be invoked in the sequentialization result of the task. In other words, whether ISR 1 happens or not will not affect the running of the task, and the running of the task will not affect the running of ISR 1 , when fired. However, in this IDP, there will be a division-by-zero in ISR 1 when ISR 2 is triggered before ISR 1 .
To enclose the firing situation of this kind of interrupts, after sequentializing the IDPs, we invoke the interrupts that are not invoked in the sequentialized task before the return statement of the task. We use a procedure CompNonInvokedISR() to compute the set of interrupts that are not invoked in the sequentialized task. The simplest way to implement CompNonInvokedISR() is to remember the set of interrupts that are invoked during sequentialization, then the set of the rest of the interrupts are not invoked.
The Overall Sequentialization Algorithm Considering Dataflow Dependency and IMR
Algorithm 3 shows the overall sequentialization algorithm considering both the dataflow dependency and IMR. In Algorithm 3, the procedure SeqIDP() is the main entry function of the overall sequentialization algorithm. N is the number of interrupts. task and ISRs[N] , respectively, represent the entry function of the task and interrupts. IMRValTbl is a hash table that maps each program statement to the value of IMR at that statement. IMRValTbl is computed by the procedure computeIMR() discussed in Section 3.3. We use the function SeqEach(entry, p) to sequentialize the task and an interrupt with function entry and priority p separately. Without loss of generality, we set the priority of the task to 0.
For an IDP consisting of one task and N interrupts, the overall sequentialization algorithm shown in Algorithm 3 works as follows: First, we compute the value of IMR at each program point and build the dataflow dependency graph among ISRs. Then, we sequentialize the task and each interrupt separately. 
Soundness of Sequentialization
Our sequentialization algorithm considering dataflow dependency will give a sound sequentialized program for an IDP, which means that the set of the program behaviors of the sequentialized program is an overapproximation of that of the original IDP. In other words, all program behaviors of the original IDP are included in that of the sequentialized program. The soundness of the sequentialization can be justified as follows:
(1) As described in Section 2, after transformation, an IDP only contains two kinds of statements accessing shared variables: reading from a shared variable (i.e., l = g) and writing to a shared variable (i.e., g = l). Moreover, we assume that all accesses to shared variables (i.e., l = g or g = l) are atomic. Then, before each program statement St, we add the following code:
where K is the upper bound of the number of firing times of any interrupt during one task period (we could conservatively set K to +∞ for soundness). If the considered statement St does not access any shared variables, although it may be compiled into several instructions in binary code, when the interrupt is triggered (between any two instructions) during the execution of St will not affect the execution result of St. Thus, the program behaviors caused by triggering interrupts before or during the execution of St are included in this sequentialized program fragment. If the statement St accesses shared variables (i.e., either l = g or g = l), since we have assumed that it is atomic, the program behaviors caused by triggering interrupts before St are also included in this sequentialized program fragment.
(2) In addition to (1) when St i , i ∈ [1, n − 1] does not access any shared variables and only St n accesses a shared variable. This is because the situation that an interrupt is triggered before St i (where i ∈ [1, n − 1]) can be simulated by triggering it just before St n . Note that the happening of the interrupt does not have any effects over the execution result of the statements {St 1 ; . . . ; St n−1 ; }. Besides, the number of firing times of any interrupt during the execution of {St 1 ; . . . ; St n−1 ; St n ; } is less than K. Second, we utilize the dataflow dependency to remove unnecessary invocations of certain interrupts in the Schedule() function. To be more clear, in the Schedule() function, we do not invoke those interrupts that have no effects over the execution of the considered statement that accesses a shared variable. Before the statement {l = g; }, we consider only those interrupts whose triggering will (directly or indirectly) affect the value of shared variable g. Indeed, during the real execution of the IDP, an interrupt ISR i whose triggering will not affect the value of g may be triggered exactly before {l = g; }. However, although we do not consider ISR i before statement {l = g; }, following our sequentialization approach, we will consider ISR i before a later statement {l = g ; } if ISR i 's triggering will affect the value of shared variable g . In other words, in the set of program behaviors of the whole sequentialized program, the firing of the interrupt ISR i is still soundly considered. Similarly, after the statement {g = l; }, we consider only those interrupts whose triggering will be (directly or indirectly) affected by the value of shared variable g. The soundness of this case is similar to that of the case for {l = g; }.
To sum up, the program behaviors of the original IDP are overapproximated by the sequentialized program. In other words, our sequentialization approach is sound for the IDP model considered in this article (under the assumptions listed in Section 2).
ANALYZING SEQUENTIALIZED IDPS VIA ABSTRACT INTERPRETATION
As we mentioned before, embedded software often involves lots of numerical computations, thus has the potential to contain errors related to numeric computations. In this section, we make use of abstract interpretation [Cousot and Cousot 1977 ] to analyze numerical properties of IDPs. We leverage existing numerical abstract interpretation techniques for sequential programs to analyze numerical properties of sequentialized IDPs given by the methods described in Section 3.
To perform numerical static analysis, there exist a variety of numerical abstract domains in the literature. For example, the interval abstract domain [Cousot and Cousot 1976 ] is a kind of nonrelational abstract domain that can be used to infer numerical bounds for variables, that is, x ∈ [c, d] . The octagon abstract domain [Miné 2006 ] is a kind of weakly relational abstract domain that can be used to infer numerical invariants in the form of ±x ± y ≤ c (where c is a constant). We employ these general numerical abstract domains for analyzing IDPs.
However, sequentialized IDPs also have their own specific features that may be uncommon in generic programs. These features may provide opportunities to get a better balance of precision and scalability of analysis, that is, to design certain specific abstract domains according to the specific features of IDPs. In the following, we give two examples of specific abstract domains for IDPs.
Boolean flag abstract domain for specific ISRs. From practical IDPs, we observe that there is a specific family of interrupts that are fired after a fixed time interval. For example, some interrupts are triggered by timers. We call this kind of interrupt periodic interrupts. Furthermore, there is a kind of periodic interrupt whose periods are larger than one task period, which means that this kind of periodic interrupt is fired at most once during one task period. In this article, we call this specific kind of interrupt an at-most-once fired periodic interrupt.
During numerical static analysis of IDPs that involve an at-most-once fired periodic interrupt ISR i , whether ISR i has been fired or not is an important information for the precision of the analysis. However, numerical abstract interpretation often performs flow-sensitive analysis rather than path-sensitive analysis. For example, it cannot distinguish whether an at-most-once fired interrupt has been fired or not. Consider analyzing {if(nondet()) ISRi(); }. Let A 1 denote the abstract state (i.e., a map from program variables to values) in an abstract domain before this statement. For example, when using the box abstract domain, an abstract state is a map from program variables to their value ranges. After this statement, abstract interpretation will perform a join operation (which computes the least upper bound of two abstract states) to compute the post-abstract state as A 1 A 2 , where
with [[ISRi()]] denoting the abstract transfer function of ISRi().
Intuitively, in A 1 A 2 , A 1 denotes the abstract state when ISR i has never been fired, while A 2 denotes the abstract state after ISR i has been fired. However, after the join operation, most numerical abstract domains will lose the information that the abstract states are different for the case in which ISR i has been fired and for the case in which it has not been fired.
To handle this kind of imprecision, our basic idea is using a Boolean flag variable f in the abstract domain to distinguish whether an at-most-once fired periodic interrupt has already been fired or not. In the abstract domain, the domain representation is A Most domain operations, such as join and widening, can be applied element-wise as follows:
, and i ∈ [1, n]. The transfer functions for the abstract domain can be applied element-wise like these domain operations, except the transfer function for the branch statement, which nondeterministically calls an at-most-once fired periodic interrupt, that is, {if( * ) ISRi(); }, for which we use " * " . Then, at the end of control-flow join, we perform an element-wise join operation to compute the post-abstract state. This process can be formulated as
The Boolean flag domain generally can be considered as a special case of partitioning technique (such as dynamic partitioning [Bourdoncle 1992; Jeannet et al. 1999 ] and trace partitioning [Mauborgne and Rival 2005] ). However, it has its own specialities, tailored to analyze IDPs. The partitioning in this domain is designed according to the semantics of interrupts, rather than derived from the program syntax (e.g., using conditions for partitioning).
There exist two approaches to include Boolean flags in our abstract states, providing different cost versus precision trade-offs. One approach is to partition the abstract state with respect to a bit vector in which each bit denotes a flag: the bit is set to one if that interrupt has been fired once and zero if that interrupt has never been fired, under the assumption that such interrupts cannot be fired more than once. In other words, one bit vector represents the firing states of all interrupts. For example, a bit vector (consisting of 3 bits) 101 means that ISR 1 and ISR 3 have been fired while ISR 2 has not been fired yet. This partitioning is of high precision, as it tracks every possible combination of interrupts. However, it may cause an exponential number of partitions. Another approach to include Boolean flags is to represent each flag as an independent Boolean variable. Assume that the set of periodic interrupts that are fired at most once is {ISR 1 , . . . , ISR n }. For each ISR i , we associate a Boolean variable f i to represent whether ISR i has already been fired (when f i = true) or not (when f i = f alse). This representation ignores the relationships between the status of ISRs, thus is less precise. However, it will be more efficient, leading to only 2n cases instead of 2 n . For example, suppose that there is a program fragment:
If we use techniques such as trace partitioning to enumerate all possible paths, there exists 8 paths, which means that, after the last statement, we need to maintain 8 abstract states. If we use only a flag to represent whether an interrupt has been fired or not, we need only 6 (i.e., 2×3) abstract states. In this article, we use the later manner for the sake of efficiency. Syntactic equality abstract domain for sequentialized IDPs. From the sequentialized IDPs, we observe that there is a frequently appearing code pattern that is assigning a shared variable to a temporary variable and then testing whether the temporary variable satisfies some branch conditions. The existence of such a code pattern is due to the fact that we transform all program statements involving shared variables into the form allowing only two kinds of atomic statements that can access shared variables (i.e., g = l and l = g), by introducing auxiliary variables as we described in Section 2. All shared variables appearing in branch conditions in the original IDPs will be transformed into this code pattern. In Figure 6 (a), the original program tests whether a shared variable thetaE satisfies some branch conditions and updates the shared variables according to the result of the test. In Figure 6 (b), we show the resulting program satisfying our IDP syntax after transformation by introducing a temporary variable tmpthetaE.
When using nonrelational abstract domains, this kind of code pattern may cause loss of analysis precision. For example, during numerical static analysis of the transformed program in Figure 6 (b), the interval abstract domain cannot infer that the invariant thetaE >= 0x1F F holds at Line 5. We could use some relational abstract domains, such as octagons and polyhedra, which can infer more precise invariants than the interval abstract domain. However, relational abstract domains are too costly for large-scale IDPs. In this article, our idea is to solve the imprecision problem caused by this kind of code pattern by using a lightweight abstract domain.
Our main idea is tracking the syntactic equality relations between variables besides the value range information inferred by the interval abstract domain. Before testing branch conditions, we leverage the syntactic equality relations between variables to refine the value range in the interval abstract domain. Let A EQ denote the abstract state of syntactic equality relations between variables, which maps each program variable to a set of program variables that have syntactic equality relations with it. Let E[ 
where x, y represent program variables. Transfer function (1) represents adding a syntactic equality relation for those assignments whose left and right operands both are variables (rather than constants or compound expressions). For other forms of assignments, such as assigning a constant (e.g., x = 1) and assigning an expression (e.g., x = y + z), our method clears the syntactic equality relations of the assigned variable for the reason that these assignments destroy the previous syntactic equality relations. Function (2) defines the join operator of the syntactic equality abstract domain. Here, we need must syntactic equality relations; thus, our method uses the set intersection to get the common syntactic equality relations existing in both abstract states. When testing a branch condition, we enumerate all forms of conditions derived by replacing each variable in the test condition by its corresponding syntactic equality variables. During testing those derived branch conditions, our method propagates the syntactic equality relations to the value range abstract domain. In other words, we make use of syntactic equality relations to update the value ranges of variables. For example, in Figure 6 , we get thetaE ≥ 0x1F F after Line 4. Our syntactic equality abstract domain is similar to the variable equality abstract domain in Feret [2004] , who used an equality abstract domain to refine the digital filter analysis. Here, we make use of our syntactic equality domain to deal with the special code pattern in transformed IDPs.
We use equivalence classes to implement the syntactic equality relations. Moreover, we use a hash table to map each program variable to an equivalence class, which is an ordered set of program variables. In order to save the space, we use the UnionFind algorithm to implement the operations of equivalence classes. Thus, the space complexity of the syntactic equality abstract domain is O(n), where n is the number of program variables. The time complexity of assignment transfer function is O(log 2 (n)) because it has the same time complexity as the problem of inserting an element into an ordered set. The time complexity for the join operator is O(n) for the reason that we need n times comparison to put n variables into different equivalence classes during the intersect operation on ordered sets. Both the space and time complexity of our syntax abstract domain are O(n). Compared with other relational abstract domains-such as the octagon abstract domain, which has space complexity O(n 2 ) and time complexity O(n 3 )-our syntactic equality abstract domain is more lightweight.
IMPLEMENTATION AND EXPERIMENTAL RESULTS
We have implemented a prototype tool to sequentialize IDPs, which uses CIL [Necula et al. 2002] as its front end. We have also developed a numerical static analyzer for analyzing sequentialized IDPs based on the front-end CIL and the Apron [Jeannet and Miné 2009 ] numerical abstract domain library. We use a CIL-supported inline tool to handle function calls. For pointers, we first use a flow-insensitive alias analysis as preanalysis before sequentialization to obtain an overapproximation result of possible aliases for shared pointer variables that will be used during sequentialization. During the analysis of sequentialized programs, we use a flow-sensitive pointer analysis to capture possible aliases for both shared and nonshared pointer variables. However, we do not allow tasks and interrupts to access the same memory cell through pointer arithmetic over physical addresses without using an explicit variable name to represent that memory cell. For structures, we use an access path-based memory model to identify different fields of the structure. For unions, we use an offset-based memory model to analyze the potential shared variables. Although the field names of a union type are various, the offset with respect to the starting address is canonical. Our experiments were conducted on a selection of benchmarks and real-world programs listed in Figure 7 . Motv Ex is the motivating example shown in Figure 1 . DataRace Ex and Privatize come from a data race detection tool for IDPs: Goblint [Schwarz et al. 2011] . Nxt gs 1 is a robot control program from LEGO company samples that implements a two-wheeled robot keeping balance and avoiding obstacles. UART (Universe Asynchronous Receiver and Transmitter) 2 is from an open-source website that implements a First-In First-Out (FIFO) buffer. i Robot3 3 coming from Kotker and Dorsa Sadigh [2011] is a simplified control software used in the autonomous robot platform of iRobot Create. The goal of i Robot3 is to control a cleaner robot, avoiding obstacles and cliffs. HBM (Heart Beat Monitor) 4 is an application for a micro-controller at89s51(8051) that counts the heart beat number by a sensor and displays the number on an LCD screen every minute. The last three benchmarks are coming from aerospace industry applications. Ping pong is an implementation of ping-pong buffer (or double buffering, a technique that uses two buffers to speed up a computer that can overlap I/O with processing). ADC Ctl (Analog-Digital Conversion Control) is an application in aerospace embedded systems, which samples analog data, converts the analog data to digital data, and sends the digital data through a peripheral bus. Sat Ctl is a control software for an aerocraft that gets data from sensors and controls the flying trace of the aerocraft. Some of these programs originally do not include interrupts, such as Nxt gs, but the tasks in these programs are scheduled using a priority-based real-time scheduler, which behaves similarly to IDPs. Thus, we adapt them into IDPs during our experiments. Figure 7 shows the sequentialization results of all benchmarks. OLT and OLI represent, respectively, the original code size in lines of task and interrupts. #Vars represents the number of variables in programs. #ISR represents the number of interrupts. SEQ represents the sequentialization method described in Section 3.1 that is inspired from Kidd et al. [2010] . DF SEQ represents the sequentialization method described in Section 3.5 that considers dataflow dependency and IMR. From the results, we can see that the code size of the program given by DF SEQ is much smaller than that given by SEQ. For example, for Sat Ctl, the code size of the program given by DF SEQ is around 5% of the code size of that given by SEQ. Figure 8 shows the results of analyzing sequentialized IDPs by numerical abstract interpretation. We use the box and octagon abstract domains in the APRON library to analyze the sequentialized IDPs. We use "-" to represent that the numerical analysis runs out of memory. For Motv Ex, we find the expected division-by-zero error. For DataRace Ex and Privatize, our method can prove their assertions. For example, Privatize asserts that a shared variable is always equal to 1. For Nxt gs, our analysis issues a number of integer overflow alarms. This is due to the fact that, in Nxt gs, many variables are assigned data from sensors. For soundness, our analysis sets these variables to the full range of the data type; then, arithmetic operations over these variables may cause integer overflow. For UART and Ping Pong, our method can prove that there is no array-out-of-bound error. For iRobot3, our method issues two integral overflow alarms due to the same reason as Nxt gs.
For HBM, using the box abstract domain issues 4 integer overflow alarms. Without considering the application scenario, two of the alarms are false alarms that can be eliminated using the octagon abstract domain. When we consider the application scenario, the other two alarms are also false alarms and can be eliminated by adding some assumptions. As we explained before, HBM is an application for heart beat monitoring, which consists of one task and two interrupts. The lower-priority interrupt reads some sensors and increments a program variable bt by 1 to store the heart beat number. The higher-priority interrupt is a timer and increments a program variable min by 1 every 60s. Our method issues two integer overflow alarms for the incrementation of variables bt and min for the reason that the upper bounds on the firing number of these two interrupts are unknown. However, we can infer reasonable upper bounds on the firing number of these two interrupts by considering the real-world application scenario. For instance, suppose that the upper bound of heart beat counting interrupt can be set to 200 (i.e., assuming heart beat number is less than 200 times in 1min) and the upper bound of the timer interrupt is 60 in every minute. In such a case, these two integer overflow alarms can be eliminated by using the octagon abstract domain combined with these upper-bound assumptions.
For ADC Ctl, our method issues 70 arithmetic overflow alarms. After analyzing these alarms, we can divide these alarms into two classes: 20 potential overflow alarms and 50 false positives. For those potential overflow alarms, there are two kinds of typical alarms. One kind is caused by the program incrementing a global variable by 1 without resetting it. In Figure 9 (a), when the state variable state AD is abnormal, the variable emg is incremented by 1 at Line 9, but without being reset. During the execution, there may be integer overflow over this variable because this program fragment may be executed for an unbounded number of times. This kind of integer overflow may cause a serious accident in critical embedded systems. For examle, an integer overflow bug found in Boeing 787 control software may result in loss of control of the airplane [Goodin 2015] . According to Goodin [2015] , the integer overflow is caused by continuously adding a counter but without resetting it, which is quite similar to the case of integer overflow alarms found in ADC Ctl. Another set of alarms is caused by assigning negative values to unsigned variables, as shown in Figure 9 (b). At Line 7, the program variable speed with unsigned integer type will be assigned by a negative value. In fact, for the same value (i.e., binary representation), the results are quite different, when considering signed and unsigned. For example, in Figure 9 (b), for an unsigned integer the value of speed after Line 7 is about 4 × 10 9 , while for signed integer, the value is −839. Although, in the program, we found that all accesses of speed only manipulate the low 24 bits, this is still an unsafe use. The last 50 false positives are caused by the overapproximation of our static analysis method. Furthermore, we will show how to remove part of those false positives by our syntactic equality abstract domain in the later part.
For Sat Ctl, our method issues 538 warnings, including 473 arithmetic overflow alarms, 19 division-by-zero alarms, and 46 array-out-of-bounds alarms. Most of arithmetic overflow alarms are caused by type cast assignments, such as assigning an unsigned integer to a char. All of the division-by-zero alarms are caused by the fact that the divider is a result of a nonlinear function. For example, when the program uses the result of sin(x) as the divider, our analysis will return the interval [−1, 1] as the result of sin(x), which contains zero and thus causes division-by-zero alarms. Some of the array-out-of-bound alarms are due to the fact that our analysis of array indices in nested loops is not precise enough.
From the analysis time, we can see that analyzing the sequentialized program given by DF SEQ is much faster than analyzing the one given by SEQ. This is due to the fact that the code size of the resulting sequentialized IDPs given by DF SEQ is much smaller than that given by SEQ. Although the resulting sequentialized IDPs given by DF SEQ may contain more loops, abstract interpretation can deal with loops efficiently using extrapolation techniques such as widening.
In order to know how many warnings are caused by interrupts, we also analyze the IDPs after disabling all interrupts (i.e., only analyzing the tasks) and enabling all interrupts (i.e., removing all the interrupt-disabling statements in the programs). The results are shown in Figure 10 , in which OF represents arithmetic overflow, DivZ represents division by zero and AOB represents array out of bound. We select ADC Ctl and Sat Ctl as the benchmarks because the other programs do not contain enable and disable interrupt statements (Motv Ex) or there is no interrupt-disabling statements after the initialization process of the main application (DataRace Ex,Privatize,UART,Ping pong). For ADC Ctl, comparing the analysis results of disabling all interrupts and enabling all interrupts, we see that most of the warnings are caused by interrupts. Compared with the analysis results of DF SEQ, enabling all interrupts finds 2 more warnings, including 1 true division-by-zero error and 1 arithmetic overflow false alarm. For Sat Ctl, compared with the analysis results of DF SEQ, enabling all interrupts issues only few more warnings. The reason is that the purpose of disabling interrupt statements in Sat Ctl is to avoid functional incorrectness, for example, to avoid data inconsistency, whereas our method focuses on finding runtime errors. Figure 11 shows the results of analyzing IDPs with at-most-once-fired periodic interrupts. In Figure 11 , BF denotes the Boolean flag abstract domain described in Section 4. #FP denotes the number of false alarms. Example 4 is an adapted version of the program in Example 4 in Section 4 by adding an assertion x ≤ 20 at the end of the task. Division Ex is an example that involves a division operation in the task. For Example 4 and Division Ex, the analysis using only the octagon domain issues false alarms, while using our Boolean flag abstract domain in addition to the octagon domain (denoted by BF+OCT) can eliminate these false alarms. This is because our Boolean flag abstract domain can make use of the information that the interrupt is an at-most-once-fired periodic interrupt. SeekRobot 5 is a nxtOSEK platform application, which consists of priority tasks. Moreover, tasks in SeekRobot are periodic tasks and satisfy at-most-once-fired constraints. For example, given one task with priority 1 and period 50ms while another task with priority 5 and period 100ms, we know that, during one execution of the lower-priority task, the higher-priority task can be triggered at most once. As we mentioned before, our method supports this kind of program by considering tasks with priority as interrupts. We adapt the lower-priority task to contain a loop that increments a shared variable of type char by 1 until 126 (which is the upper bound of type char minus one). For the higher-priority task, we add a statement that increments the shared variable by 1. According to the at-most-once-fired constraints, there will be no overflow for this shared variable. When performing analysis using the octagon abstract domain, there will be 1 overflow alarm for the incrementation of the shared variable. Our Boolean flag abstract domain in addition to the octagon abstract domain can eliminate this false alarm by considering that the highest-priority task is fired at most once during one execution of the lower-priority task. 
Experimental results on Boolean flag abstract domain.

Posix Ex
6 is an application in Trampoline [2015] , which is a static RTOS for small embedded systems. Posix Ex consists of 2 tasks. The period of the lower-priority task is 100ms, while the period of the higher-priority task is 1000ms. Thus, the higherpriority task of Posix Ex satisfies the at-most-once-fired constraints. We adapt the lower-priority task to contain a loop that reads data from a shared buffer and increments the index of the buffer. For the higher-priority task, we add a statement that reads the shared buffer and increments the index of the buffer. When we perform the analysis using the octagon abstract domain, there will be 1 array out-of-bound false alarm over the accessing of the shared buffer. Our Boolean flag abstract domain on top of the octagon abstract domain can eliminate this false alarm by taking the at-most-once-fired constraints into consideration.
For the analysis time, we can see that analyzing the sequentialized program given by BF+OCT is slower than OCT. This is due to the fact that our Boolean flag abstract domain needs to maintain extra information for at-most-once-fired interrupts.
Experimental results on syntactic equality abstract domain. Figure 12 shows the results of analyzing IDPs using the syntactic equality abstract domain. In Figure 12 , EQ denotes the syntactic equality abstract domain described in Section 4. #Warnings denotes the number of warnings issued by each abstract domain. For UART and Ping pong, our syntactic equality abstract domain combined with the interval abstract domain (denoted by EQ+BOX) issues no warning, the same as the results given by the interval and octagon abstract domain. For i Robot, as we mentioned before, these two warnings are caused by unknown values from sensors, which cannot be eliminated by improving the ability of abstract domain. For HBM, the syntactic equality abstract domain can eliminate one false alarm due to the fact that in HBM, a shared variable in a branch condition is replaced with temporary variables. As a nonrelational abstract domain, the interval abstract domain cannot find the equality relations between these variables, while our syntactic equality abstract domain maintains these equality relations and eliminates this false alarm. The octagon abstract domain is a weakly relational abstract domain, which can infer equality relationship invariants (such as x − y ≤ 0 ∧ y − x ≤ 0); thus, the octagon abstract domain can eliminate this false alarm as well. Moreover, when adding the upper bound on the firing number of each interrupt, the octagon abstract domain infers the relations between shared variables and the upper bounds (e.g., x ≤ y ∧ 0 ≤ y ≤ c) and eliminates the other two false alarms. However, the interval and the syntactic equality abstract domain cannot infer this kind of invariant. For ADC Ctl, compared with only using the interval abstract domain, the syntactic equality abstract domain eliminates 8 false alarms for a similar reason as HBM. For Sat Ctl, compared with using only the interval abstract domain, the syntactic equality abstract domain eliminates 3 false alarms, including 1 arithmetic-overflow alarm and 2 array-out-of-bound alarms for a similar reason as HBM. However, the octagon abstract domain runs out of memory for these two programs ADC Ctl and Sat Ctl.
For the analysis time, compared with using only the interval abstract domain, the syntactic equality abstract domain causes some overhead. For small-scale programs, this overhead can almost be neglected. For ADC Ctl and Sat Ctl, the overhead is less than 1.4 times to the analysis time of using the interval abstract domain. Compared with the time consumption of the octagon abstract domain, the syntactic equality abstract domain has a speed of the same order of magnitude as using only the interval abstract domain.
RELATED WORK
Sequentialization. Much work has been done on sequentializing concurrent programs. Qadeer and Wu [2004] propose a context bounded analysis (CBA) method for concurrent programs via sequentialization. Their sequentialization method adds nondeterministic calling function of other threads and nondeterministic return statements to the previous executing thread before each program statement. Their method finds numerous bugs in device drivers with a fixed context bound 2. However, their method cannot be generalized to an arbitrary context bound. Lal et al. [2008] propose a CBA method based on sequentialization for concurrent programs with an arbitrary given context bound. Their sequentialization method uses different copies of the shared global memory in a different context and uses assumptions to prune infeasible runs. However, their method uses a large number of extra variables, which cause a high degree of nondeterminism. Inverso et al. [2014] propose a CBA method based on sequentialization for concurrent programs. Their method reduces the nondeterminism of sequentialized programs to avoid exponentially growing formula sizes in the model checking of sequentialized programs. Recently, Chaki et al. [2013] present a CBA method for analyzing periodic programs based on sequentialization. Kidd et al. [2010] propose a sequentialization method for priority preemptive scheduling systems in which each task is periodic. The key idea is to use a single stack for all tasks and to model preemptions by function calls. Edwards [2003] surveys a variety of approaches for translating concurrent specifications (which are more abstract than concurrent programs) into sequential code that can be efficiently executed.
Compared with these works, our sequentialization method is specifically designed for IDPs. Moreover, our method makes use of the dataflow dependency among tasks and interrupts to reduce the size of the sequentialized program. In addition, we consider analyzing numerical properties of the sequentialized programs using numerical abstract interpretation.
Numerical static analysis of embedded software. Most of the existing numerical static analysis approaches consider sequential programs. Astrée [Blanchet et al. 2003 ] is one of the famous numerical static analyzers for sequential programs, which has been successfully used in analyzing flight control software. Miné [2011] proposes a numerical static analysis method for parallel embedded software. Their method iterates each thread in turn until all thread interferences stabilize. The interference is used to abstract the effects of a thread on the shared variables. One main difference between interferences and the dataflow dependency is that interferences consider the influences of each thread to shared variables, whereas our dataflow dependency considers both the dependency and influence relations among interrupts, linked through shared variables. Recently, their work has extended to support relational numerical properties [Miné 2014 ]. The scalability of their method is very good due to the fact that the method is thread-modular. Compared with their work, our work targets IDPs, and we take into consideration the priority and firing times of interrupts; thus, we can get more precise analysis results for IDPs. Cooprider and Regehr [2006] propose a static analysis method for embedded software to reduce the code size. Beckschulze et al. [2012] propose a data race analysis method for lockless micro-controller programs considering hardware architecture. Compared with their work, our method focuses on numerical properties of IDPs and considers dataflow dependency among tasks and interrupts. Monniaux [2007] proposes a numerical static analysis method for a concurrent USB driver. Their method dynamically invokes interrupts for every access to the shared memory in tasks. Compared with their method, our method first sequentializes the concurrent program to the sequential program, which has a key benefit: the ability to leverage the power of state-of-the-art analysis and verification techniques for sequential programs to analyze IDPs.
Analysis of interrupt-driven programs. In the literature, there are a few works on analyzing and verifying IDPs. Brylow et al. [2001] propose a static analysis method for interrupt-driven Z86-based software. Their method first generates the control flow graph of the IDPs, which considers the effects from interrupts. Based on the control flow graph, the approach uses a model-checking algorithm of pushdown systems to analyze the upper bounds of stack sizes and interrupt latencies of IDPs. Most of the existing works focus on object code and consider problems such as interrupt latency [Brylow and Palsberg 2004] , stack size [Regehr et al. 2005] , and data race [Schwarz et al. 2011] .
Compared with these works, our method analyzes the source code of IDPs rather than object code and focuses on numerical properties of IDPs.
CONCLUSION
We have presented a sound numerical static analysis approach for IDPs. The key idea is to sequentialize IDPs into sequential programs before analysis. The idea of sequentializing IDPs into sequential programs enables the use of existing analysis and verification techniques (e.g., bounded model checking, symbolic execution, and so on) for sequential programs to analyze and verify IDPs. We have proposed a sequentialization algorithm specifically for IDPs, by considering the dataflow dependency among ISRs and specific hardware features of IDPs. We then showed how to use numerical abstract interpretation to analyze numerical properties of the sequentialized IDPs. By considering specific features of the sequentialized IDPs, we design and make use of specific abstract domains to analyze the sequentialized IDPs. The preliminary results show that our method is promising.
For future work, we will consider designing more specific abstract domains that fit IDPs and conducting more experiments on large realistic IDPs. We plan to extend our IDP model and our sequentialization method to support mixing of interrupts and multithreads. We also plan to extend our IDP model to support weak memory models.
