context generation from formal specifications for c
play

Context Generation from Formal Specifications for C Analysis Tools - PowerPoint PPT Presentation

Aug 04, 2023 •216 likes •575 views

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1 Code Analysis Tools Effective enough

  1. Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1

  2. Code Analysis Tools • Effective enough for real-world code; • Based on different approaches: • Abstract interpretation; • Symbolic execution; • Testing. • Work best on whole programs; • Start from the main entry point of the program. 2

  3. Single Function Analysis Common scenario: Analysis of single functions. • Third-party software ( e.g. libraries); • Core/Critical functions only. Q: How to analyze single functions? int foo ( int *a, size_t size) { /* some interesting computation */ } 3

  4. Single Function Analysis Common scenario: Analysis of single functions. • Third-party software ( e.g. libraries); • Core/Critical functions only. Q: How to analyze single functions? int foo ( int *a, size_t size) { /* some interesting computation */ } A: Set the function in question as the entry point (here, foo ). 3

  5. Single Function Analysis Common scenario: Analysis of single functions. • Third-party software ( e.g. libraries); • Core/Critical functions only. Q: How to analyze single functions? int foo ( int *a, size_t size) { /* some interesting computation */ } A: Set the function in question as the entry point (here, foo ). Outcome Mostly imprecise and useless analysis results. 3

  6. Function Context Bottom Line Analyzing single functions requires an appropriate context. Function context: • Initialization of function parameters and globals; • Actual entry point to start the analysis from. 4

  7. Function Context Bottom Line Analyzing single functions requires an appropriate context. Function context: • Initialization of function parameters and globals; • Actual entry point to start the analysis from. Common approaches: • Write the context by-hand: Error-prone; 4

  8. Function Context Bottom Line Analyzing single functions requires an appropriate context. Function context: • Initialization of function parameters and globals; • Actual entry point to start the analysis from. Common approaches: • Write the context by-hand: Error-prone; • Make analysis tools support a specification language: Arduous (if ever possible) and to be done for every tool. 4

  9. This Work Idea Automatic contexts generation from formal specifications. Contributions: • System of inference rules for computing symbolic ranges; • Precise and sound formalization; • Prototype implementation as Frama-C plug-in. 5

  10. Outline Background: Frama-C and ACSL Simplifying ACSL Preconditions Generating C Function Contexts 6

  11. Frama-C • Suite of tools for the source code analysis of C programs; • Extensible and collaborative platform: • Modular plug-in architecture based on a common kernel; • Combination of analysis to provide more precise results. • Main available analysis: • Variable variation domains via abstract interpretation; • Deductive verification via weakest precondition calculus. • Frama-C is open source software. 7

  12. ACSL: ANSI/ISO C Specification Language • Behavioral specification language for C programs; • Specifications via code annotations of the form /*@ ... */ ; • Function contracts given by pre- and postconditions: /*@ requires \valid (a); @ requires 0 <= size <= 32; @ requires size % 16 == 0; @ ensures \forall integer i; 0 <= i < size ==> *(a+i) == 0; */ int foo ( int *a, size_t size) { ... } 8

  13. ACSL: ANSI/ISO C Specification Language • Behavioral specification language for C programs; • Specifications via code annotations of the form /*@ ... */ ; • Function contracts given by pre- and postconditions: /*@ requires \valid (a); @ requires 0 <= size <= 32; @ requires size % 16 == 0; @ ensures \forall integer i; 0 <= i < size ==> *(a+i) == 0; */ int foo ( int *a, size_t size) { ... } • This work considers preconditions only ( i.e. requires ). 8

  14. Core Specification Language P ::= T {≡ , ≤ , < } T term comparison | defined ( M ) M is defined | P ∧ P | P ∨ P | ¬ P logic formula T ::= z integer constant ( z ∈ Z ) | M memory value | T { + , - , × , / , % } T arithmetic operation M ::= L left value | M ++ T displacement L ::= x C variable | ⋆ M dereference 9

  15. Outline Background: Frama-C and ACSL Simplifying ACSL Preconditions Generating C Function Contexts 10

  16. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) 11

  17. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) First attempt: Directly implement predicates one-by-one. • Declare and properly initialize each left value involved; • Turn term comparisons into conditionals. int size; make_int(&size, 1); int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); if (4 <= size) && (size <= 16) { ... } 11

  18. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) First attempt: Directly implement predicates one-by-one. • Declare and properly initialize each left value involved; • Turn term comparisons into conditionals. int size; make_int(&size, 1); int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); if (4 <= size) && (size <= 16) { ... } Shortcoming: Erratic dependencies among left values. 11

  19. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) Revision: Pre-compute dependency graph among left values. int size, n; make_int(&size, 1); make_int(&n, 1); if (4 <= size) && (size <= 16) { if (size % 2 == 0) { int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); *(buf + n) = 0xC0000001; bar(buf, size, n); } } 12

  20. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) Revision: Pre-compute dependency graph among left values. int size, n; make_int(&size, 1); make_int(&n, 1); if (4 <= size) && (size <= 16) { if (size % 2 == 0) { int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); *(buf + n) = 0xC0000001; bar(buf, size, n); } } Shortcoming: Relation between size and n is overlooked. 12

  21. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). 13

  22. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) 13

  23. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) • From (1) : { buf �→ [ 0 , size − 1 ] , size �→ [ −∞ , + ∞ ] } ; 13

  24. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) • From (1) : { buf �→ [ 0 , size − 1 ] , size �→ [ −∞ , + ∞ ] } ; • From (2) : size �→ [ −∞ , + ∞ ] ⊓ [ 4 , 16 ] = [ 4 , 16 ] ; 13

  25. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) • From (1) : { buf �→ [ 0 , size − 1 ] , size �→ [ −∞ , + ∞ ] } ; • From (2) : size �→ [ −∞ , + ∞ ] ⊓ [ 4 , 16 ] = [ 4 , 16 ] ; • From (3) : size �→ [ 4 , 16 ] , 0 % 2; 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science

Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science

Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1 Synopsis Specifications are useful for many tasks Use of specifications

485 views • 29 slides
Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For the system user: specification captures the properties of the system the user can rely on. For the system developer: specification captures all the

297 views • 26 slides
Formal Formal Component Component Models Models for for Context Context

Formal Formal Component Component Models Models for for Context Context

Formal Formal Component Component Models Models for for Context Context Awareness Awareness Deploy FP7 MatsNeovius andKaisaSere FMCO2008 boAkademi FacultyofTechnology, 1 22.10.2008

431 views • 22 slides
Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 4. Formal specifications: LTL, CTL 2018 1 / 37 State (reachability) graph of

1.14k views • 94 slides
Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based Systems Oscar Carrillo Dpartement dInformatique des Systmes Complexes (DISC), Femto-ST UMR 6174 CNRS Encadrement : Hassan Mountassir et Samir

972 views • 65 slides
On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems Mika Katara, Reino Kurki-Suonio and Tommi Mikkonen Institute of Software Systems Tampere University of Technology Finland Outline 1.

1.03k views • 21 slides
A Context-aware Natural Language Generation Dataset for Dialogue Systems Ondej Duek and Filip

A Context-aware Natural Language Generation Dataset for Dialogue Systems Ondej Duek and Filip

. . . . . . . . . . . . . . A Context-aware Natural Language Generation Dataset for Dialogue Systems Ondej Duek and Filip Jurek Institute of Formal and Applied Linguistics Charles University in Prague May 28, 2016 LREC

911 views • 49 slides
Lessons learned Techniques Limitations of formal specifications Cost of technical staff

Lessons learned Techniques Limitations of formal specifications Cost of technical staff

CRIM Lessons learned Techniques Limitations of formal specifications Cost of technical staff training Ease of communication between different system stakeholders by using object- oriented modeling techniques and OMT as notational

302 views • 9 slides
Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran einnec Xavier Thirioux Universit e de Toulouse, France Institut de Recherche en Informatique de Toulouse { mauran,queinnec,thirioux } @enseeiht.fr

606 views • 19 slides
Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert

Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert

Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert Garavel Lina Marsso Inria Grenoble LIG Universit Grenoble Alpes http://convecs.inria.fr Outline The Message Authenticator Algorithm (MAA)

741 views • 39 slides
PDDL PDDL Introduction Introduction WordPad WordPad PDDL PDDL

PDDL PDDL Introduction Introduction WordPad WordPad PDDL PDDL

FORMAL SPECIFICATIONS FORMAL SPECIFICATIONS USING USING PDDL PDDL Introduction Introduction WordPad WordPad PDDL PDDL Formal Specification INTRO Formal Specification INTRO We can describe a system using

542 views • 28 slides
1 FM does not replace testing! Why Use Formal Methods Reduces burden on testing phases to

1 FM does not replace testing! Why Use Formal Methods Reduces burden on testing phases to

Topics Introduction and terminology Overview of Formal Methods FM and Software Engineering Applications of FM Propositional and Predicate Logic Program derivation Intuitive program verification Algebraic Specifications

174 views • 5 slides
FORMAL REASONING GROUP http://www-formal.stanford.edu/ John McCarthy (logical AI +) Carolyn

FORMAL REASONING GROUP http://www-formal.stanford.edu/ John McCarthy (logical AI +) Carolyn

FORMAL REASONING GROUP http://www-formal.stanford.edu/ John McCarthy (logical AI +) Carolyn Talcott (math of programs) Tom Costello (logical AI +) Sa sa Buva c (formal theories of context) (finishing) Eyal Amir( object oriented logic)

394 views • 25 slides
Improving Link Discovery using context-aware link specifications LDOW 2016 PhD candidate Andrea

Improving Link Discovery using context-aware link specifications LDOW 2016 PhD candidate Andrea

Improving Link Discovery using context-aware link specifications LDOW 2016 PhD candidate Andrea Cimmino Supervised by David Ruiz, University of Seville, Spain Carlos R. Rivero, Rochester Institute of Technology, USA Hi! My name is Andrea

615 views • 32 slides
A Formal Model and Composition Language for Context-Aware Service Protocols Javier Cubo, Carlos

A Formal Model and Composition Language for Context-Aware Service Protocols Javier Cubo, Carlos

A Formal Model and Composition Language for Context-Aware Service Protocols A Formal Model and Composition Language for Context-Aware Service Protocols Javier Cubo, Carlos Canal, Ernesto Pimentel, Gwen Sala un University of M alaga, Spain

603 views • 10 slides
Functions and Header/Source files in C++ Based on materials by Dianna Xu and Bjarne Stroustrup

Functions and Header/Source files in C++ Based on materials by Dianna Xu and Bjarne Stroustrup

Functions and Header/Source files in C++ Based on materials by Dianna Xu and Bjarne Stroustrup (www.stroustrup.com/Programming) Declarations A declaration introduces a name into a scope. A declaration also specifies a type for the named

723 views • 49 slides
Singularity of discriminant varieties in characteristic 2 and 3 Ichiro Shimada (Hokkaido

Singularity of discriminant varieties in characteristic 2 and 3 Ichiro Shimada (Hokkaido

Singularity of discriminant varieties in characteristic 2 and 3 Ichiro Shimada (Hokkaido University, Sapporo, JAPAN) We work over an algebraically closed field k . 1 1. An Example Let E P 2 be a smooth cubic plane curve. We fix a flex

1.24k views • 19 slides
Bindex An Introduction to Naming Theory of Programming Languages Computer Science Department

Bindex An Introduction to Naming Theory of Programming Languages Computer Science Department

Introduction Bindex Bindex syntax A concrete syntax for Bindex Bindex An Introduction to Naming Theory of Programming Languages Computer Science Department Wellesley College Introduction Bindex Bindex syntax A concrete syntax for Bindex

252 views • 6 slides
Lecture 2 Struct and Functions Variable (1 of 2) Consists of: Name so we can refer to

Lecture 2 Struct and Functions Variable (1 of 2) Consists of: Name so we can refer to

Lecture 2 Struct and Functions Variable (1 of 2) Consists of: Name so we can refer to its storage location at lower level converted to an adress in memory can be aliased by way of reference Value what we store in the

1.01k views • 33 slides
Model Checking Early Requirements Specifications in Tropos Ariel Fuxman and John Mylopoulos

Model Checking Early Requirements Specifications in Tropos Ariel Fuxman and John Mylopoulos

Model Checking Early Requirements Specifications in Tropos Ariel Fuxman and John Mylopoulos (Univ. of Toronto) Marco Pistore and Paolo Traverso (IRST, Italy) RE01 Toronto, 30 August 2001 Motivations Early Requirements Specification is

338 views • 22 slides
REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today:

REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today:

REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today: Requirements Specification Requirement specification is generally a crucial phase of an Jyrki Nummenmaa University of Tampere, CS Department Jyrki

244 views • 3 slides
Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a unified formal theory on reasoning about programs and program con- struction built on top of Intuitionistic Type Theory. 1 OVERVIEW 1. Motivation and

398 views • 20 slides
Objectives You should be able to... In order to express the meaning of a program, we need a

Objectives You should be able to... In order to express the meaning of a program, we need a

Introduction Formal Systems A Simple Imperative Programming Language Church Rosser Introduction Formal Systems A Simple Imperative Programming Language Church Rosser Objectives You should be able to... In order to express the meaning of a

100 views • 7 slides

More recommend