A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation



Similar documents
Abstract Interpretation-based Static Analysis Tools:

InvGen: An Efficient Invariant Generator

Regression Verification: Status Report

Static analysis of numerical programs

Astrée: Building a Static Analyzer for Real-Life Programs

IKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper)

Formal verification of contracts for synchronous software components using NuSMV

Static Program Transformations for Efficient Software Model Checking

Section IV.1: Recursive Algorithms and Recursion Trees

How To Develop A Static Analysis System For Large Programs

Introduction to Static Analysis for Assurance

Numerical Matrix Analysis

Sources: On the Web: Slides will be available on:

Boolean Expressions, Conditions, Loops, and Enumerations. Precedence Rules (from highest to lowest priority)

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

The programming language C. sws1 1

µz An Efficient Engine for Fixed points with Constraints

ECE 0142 Computer Organization. Lecture 3 Floating Point Representations

Rigorous Software Development CSCI-GA

(Refer Slide Time: 00:01:16 min)

Introduction to Python

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

A Tool for Generating Partition Schedules of Multiprocessor Systems

CHAPTER 3 Boolean Algebra and Digital Logic

Static Taint-Analysis on Binary Executables

Software Verification: Infinite-State Model Checking and Static Program

Software Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.

Enforcing Security Policies. Rahul Gera

How To Test Automatically

Varieties of Static Analyzers: A Comparison with ASTRÉE

Informatica e Sistemi in Tempo Reale

ASSEMBLY PROGRAMMING ON A VIRTUAL COMPUTER

Introduction to Programming (in C++) Loops. Jordi Cortadella, Ricard Gavaldà, Fernando Orejas Dept. of Computer Science, UPC

Example. Introduction to Programming (in C++) Loops. The while statement. Write the numbers 1 N. Assume the following specification:

Instruction Set Design

Static analysis: from theory to practice

VHDL Test Bench Tutorial

Instruction Set Architecture (ISA)

Scheduling Home Health Care with Separating Benders Cuts in Decision Diagrams

New Hash Function Construction for Textual and Geometric Data Retrieval

Specification and Analysis of Contracts Lecture 1 Introduction

Mathematical Induction

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Automatic Test Data Synthesis using UML Sequence Diagrams

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

Object Oriented Software Design

Automated Program Behavior Analysis

6.080/6.089 GITCS Feb 12, Lecture 3

Software Testing. Quality & Testing. Software Testing

Adaptive Stable Additive Methods for Linear Algebraic Calculations

Model Checking: An Introduction

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

Object Oriented Software Design

Computers. Hardware. The Central Processing Unit (CPU) CMPT 125: Lecture 1: Understanding the Computer

Why? A central concept in Computer Science. Algorithms are ubiquitous.

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

Algorithms are the threads that tie together most of the subfields of computer science.

A Brief Introduction to Static Analysis

Lecture Notes on Linear Search

Chapter 11 Monte Carlo Simulation

Towards practical reactive security audit using extended static checkers 1

APPROACHES TO SOFTWARE TESTING PROGRAM VERIFICATION AND VALIDATION

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

A New Paradigm for Synchronous State Machine Design in Verilog

Static Analysis and Validation of Composite Behaviors in Composable Behavior Technology

Divide: Paper & Pencil. Computer Architecture ALU Design : Division and Floating Point. Divide algorithm. DIVIDE HARDWARE Version 1

Simulink Modeling Guidelines for High-Integrity Systems

Memory Allocation Technique for Segregated Free List Based on Genetic Algorithm

Symbol Tables. Introduction

Testing static analyzers with randomly generated programs

Software testing. Objectives

Testing LTL Formula Translation into Büchi Automata

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

1 Description of The Simpletron

Arithmetic Coding: Introduction

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

PowerPC Microprocessor Clock Modes

Handout #1: Mathematical Reasoning

First Steps with CoDeSys. Last update:

Chapter 8 Software Testing

1. Prove that the empty set is a subset of every set.

Chapter 2 Basic Structure of Computers. Jin-Fu Li Department of Electrical Engineering National Central University Jungli, Taiwan

Standard for Software Component Testing

Transcription:

PLDI 03 A Static Analyzer for Large Safety-Critical Software B. Blanchet, P. Cousot, R. Cousot, J. Feret L. Mauborgne, A. Miné, D. Monniaux,. Rival CNRS École normale supérieure École polytechnique Paris France Automatic Program Verification by Abstract Interpretation Result: Can produce zero or very few false alarms while checking non-trivial properties (absence of Run-Time Error); Does scale up. How? We specialize the abstract interpreter for a family of programs (which correctness proofs would be similar). The abstract domains are generic invariants automatically instantiated by the analyzer (to make these proofs). PLDI 03 - A Static Analyzer for Large Safety-Critical Software 1/21 Which Programs are Considered? Embedded avionic programs; Considered Programs and Semantics Automatically generated from a proprietary graphical system control language (à lasimulink); Synchronous real-time critical programs: declare volatile input, state, and output variables; initialize state variables; loop forever read volatile input variables, compute output and state variables, write to volatile output variables; wait for next clock tick end loop PLDI 03 - A Static Analyzer for Large Safety-Critical Software 2/21

Main Characteristics of the Programs Difficulties: Many global variables and arrays (> 10 000); A huge loop (> 75 000 lines after simplification); Each iteration depends on the state of the previous iterations (state variables); Floating-point computations (80% of the code implements non-linear control with feed-back); Everything is interdependent (live variables analysis, slicing ineffective); Abstraction by elimination of any variable is too imprecise. Simplicities: All data is statically allocated; Pointers are restricted to call-by-reference, no pointer arithmetics; Structured, recursion-free control flow. Semantics The standard ISO C99 semantics: arrays should not be accessed out of their bounds,... restricted by: The machine semantics: integer arithmetics is 2 s complement, floating point arithmetics is IEEE 754-1985, int and float are 32-bit, short is 16-bit,... restricted by: The user s semantics: integer arithmetics should not wrap-around, some IEEE exceptions (invalid operation, overflow, division by zero) should not occur,... PLDI 03 - A Static Analyzer for Large Safety-Critical Software 3/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 4/21 Goal of the Program Static Analyzer Information about the Program Execution Automatically Inferred by the Analyzer Correctness verification. Nothing can go wrong at execution: no integer overflow or division by zero, no exception, NaN, or ± generated by IEEE floating-point arithmetics, no out of bounds array access, no erroneous type conversion. The execution semantics on the machine never reaches an indetermination or an error case in the standard / machine / user semantics. The analyzer effectively computes a finitely represented, compact overapproximation of the immense reachable state space. The information is valid for any execution interacting with any possible environment (through undetermined volatiles). It is inferred automatically by abstract interpretation of the collecting semantics and convergence acceleration (, ). PLDI 03 - A Static Analyzer for Large Safety-Critical Software 5/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 6/21

Iterations to Over-Approximate the Reachable States while (...) {... } memorized abstract invariants Abstract Domains U U U propagated abstract invariants Program Iterative invariant computation PLDI 03 - A Static Analyzer for Large Safety-Critical Software 7/21 Choice of the Abstract Domains Interval Abstract Domain Abstract Domain: Computer representation of a class of program properties; Transformers for propagation through expressions and commands; Primitives for convergence acceleration:,. Composition of Abstract Domains: Essentially approximate reduced product (conjunction with simplification). Design of Abstract Domains: Know-how; Experimentation. Classical domain [Cousot Cousot 76]; Minimum information needed to check the correctness conditions; Not precise enough to express a useful inductive invariant (thousands of false alarms); = must be refined by: combining with existing domains through reduced product, designing new domains, until all false alarms are eliminated. PLDI 03 - A Static Analyzer for Large Safety-Critical Software 8/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 9/21

Clock Abstract Domain Code Sample: Octagon Abstract Domain Code Sample: R = 0; while (1) { if (I) { R = R+1; } else { R = 0; } T = (R>=n); wait for clock (); } Output T is true iff the volatile input I has been true for the last n clock ticks. The clock ticks every s seconds for at most h hours, thus R is bounded. To prove that R cannot overflow, we must prove that R cannot exceed the elapsed clock ticks (impossible using only intervals). while (1) { R = A-Z; L = A; if (R>V) { L = Z+V; } } At, the interval domain gives L max(max A, (maxz)+(max V)). In fact, we have L A. To discover this, we must know at that R = A-Z and R > V. Solution: we need a numerical relational abstract domain. Solution: We add a phantom variable clock in the concrete user semantics to track elapsed clock ticks. For each variable, weabstract three intervals:, +clock, and -clock. If +clock or -clock is bounded, so is. The octagon abstract domain [Miné 03] is a good cost / precision trade-off. Invariants of the form ± x± y c, with O(N 2 ) memory and O(N 3 ) time cost. Here, R = A-Z cannot be discovered, but we get L-Z max R which is sufficient. We use many octagons on small packs of variables instead of a large one using all variables to cut costs. PLDI 03 - A Static Analyzer for Large Safety-Critical Software 10/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 11/21 Ellipsoid Abstract Domain Decision Tree Abstract Domain 2 d Order Filter Sample: a b - + ++ z -1 z -1 t Unit delay Unit delay Switch Switch x(n) Switch j B i Computes n = { αn 1 + β n 2 + n I n The concrete computation is bounded, which must be proved in the abstract. There is no stable interval or octagon. The simplest stable surface is an ellipsoid. Synchronous reactive programs encode control flow in boolean variables. Code Sample: bool B1,B2,B3; float N,,; N = f(b1); if (B1) { = g(n); } else { = h(n); } Decision Tree: B 2 B 1 B 3 Numerical abstract domains BDD F() U F() unstable interval F() U F() stable ellipsoid There are too many booleans (4 000) tobuild one big tree so we: limit the BDD height to 3 (analysis parameter); use a syntactic criterion to select variables in the BDD and the numerical parts. PLDI 03 - A Static Analyzer for Large Safety-Critical Software 12/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 13/21

Relational Domains on Floating-Point Problems: Relational numerical abstract domains rely on a perfect mathematical concrete semantics (in R or Q). Perfect arithmetics in R or Q is costly. IEEE 754-1985 floating-point concrete semantics incurs rounding. Iteration Strategies for Fixpoint Approximation Solution: Build an abstract mathematical semantics in R that over-approximates the concrete floating-point semantics, including rounding. Implement the abstract domains on R using floating-point numbers rounded in a sound way. PLDI 03 - A Static Analyzer for Large Safety-Critical Software 14/21 Iteration Refinement: Loop Unrolling Iteration Refinement: Trace Partitioning Principle: Principle: Semantically equivalent to: while (B) { C } = if (B) { C }; while (B) { C } More precise in the abstract: less concrete execution paths are merged in the abstract. Semantically equivalent to: if (B) { C1 } else { C2 }; C3 if (B) { C1; C3 } else { C2; C3 }; More precise in the abstract: concrete execution paths are merged later. Application: Isolate the initialization phase in a loop (e.g. first iteration). Application: if (B) { =0; =1; } else { =1; =0; } R = 1 / (-); / cannot result in a division by zero PLDI 03 - A Static Analyzer for Large Safety-Critical Software 15/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 16/21

Convergence Accelerator: Widening Principle: Brute-force widening: Widening with thresholds: Thresholds Examples: 1., 10., 100., 1000., etc. for floating-point variables; maximal values of data types; syntactic program constants, etc. PLDI 03 - A Static Analyzer for Large Safety-Critical Software 17/21 Fixpoint Stabilization for Floating-point Problem: Mathematically, we look for an abstract invariant inv such that F(inv) inv. Unfortunately, abstract computation uses floating-point and incurs rounding: maybe F ε (inv) inv! Solution: attractiveness rounding error Inv F ε F ε Inv Widen inv to inv ε with the hope to jump into a stable zone of F ε. Works if F has some attractiveness property that fights against rounding errors (otherwise iteration goes on). ε is an analysis parameter. PLDI 03 - A Static Analyzer for Large Safety-Critical Software 18/21 Results Example of Analysis Session PLDI 03 - A Static Analyzer for Large Safety-Critical Software 19/21

Results Conclusion Efficient: tested on two 75 000 lines programs, 120 min and 37 min computation time on a 2.8GHz PC, 200 Mb memory usage. Precise: 11 and 3 lines containing a warning. Exhaustive: full control and data coverage (unlike checking, testing, simulation). Success story: we succeed where a commercial abstract interpretation-based static analysis tool failed (because of prohibitive time and memory consumption and very large number of false alarms); Usable in practice for verification: directly applicable to other similar programs by changing some analyzer parameters, approach generalizable to other program families by including new abstract domains and specializing the iteration strategy. (Work in progress: power-on self-test for a family of embedded systems.) PLDI 03 - A Static Analyzer for Large Safety-Critical Software 20/21 PLDI 03 - A Static Analyzer for Large Safety-Critical Software 21/21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information