frama c training session introduction to acsl and its gui
play

Frama-C Training Session Introduction to ACSL and its GUI Virgile - PowerPoint PPT Presentation

Aug 22, 2022 •205 likes •612 views

Frama-C Training Session Introduction to ACSL and its GUI Virgile Prevosto CEA List October 21 st , 2010 outline Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic

  1. Frama-C Training Session Introduction to ACSL and its GUI Virgile Prevosto CEA List October 21 st , 2010

  2. outline Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  3. Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  4. Presentation Motivations Main objective Statically determine some semantic properties of a program ◮ safety: pointer are all valid, no arithmetic overflow, ... ◮ termination ◮ functional properties ◮ dead code ◮ ... Embedded code ◮ Much simpler than desktop applications ◮ Some parts are critical, i.e. a bug have severe consequences (financial loss, or even dead people) ◮ Thus a good target for static analysis

  5. Presentation Some tools Polyspace Verifier Checks for (absence of) run-time error C/C++/Ada) http: //www.mathworks.com/products/polyspace/ ASTRÉE Absence of error without false alarm in SCADE-generated code http: //www.di.ens.fr/~cousot/projets/ASTREE/ Coverity Checks for various code defects (C/C++/Java) http://www.coverity.com

  6. Presentation Some tools (cont’d) a3 Worst-case execution time and Stack depth http://www.absint.com/ FLUCTUAT Accuracy of floating-point computations and origin of rounding errors http: //www-list.cea.fr/labos/fr/LSL/fluctuat/ Frama-C A toolbox for analysis of C programs http://frama-c.com/

  7. Presentation A brief history ◮ 90’s: CAVEAT, an Hoare logic-based tool for C programs ◮ 2000’s: CAVEAT used by Airbus during certification process of the A380 ◮ 2002: Why and its C front-end Caduceus ◮ 2006: Joint project to write a successor to CAVEAT and Caduceus ◮ 2008: First public release of Frama-C (Hydrogen) ◮ today: ◮ Frama-C Boron ◮ Multiple projects around the platform ◮ A growing community of users

  8. Presentation Architecture ◮ A modular architecture ◮ Kernel: ◮ CIL (U. Berkeley) library for the C front-end ◮ ACSL front-end ◮ Global management of analyzer’s state ◮ Various plug-ins for the analysis ◮ Value analysis (abstract interpretation) ◮ Jessie (translation to Why) ◮ Slicing ◮ Impact analysis ◮ ...

  9. Presentation ACSL: ANSI/ISO C Specification Language Presentation ◮ Based on the notion of contract, à la Eiffel ◮ Allow the users to specify functional properties of their programs ◮ Allow communication between the various plugin ◮ Independent from a particular analysis Basic Components ◮ First-order logic ◮ Pure C expressions ◮ C types + Z ( integer ) and R ( real ) ◮ Built-ins predicates and logic functions, particularly over pointers: \valid (p) , \valid (p+0..2) , \separated (p+0..2,q+0..5) , \block_length (p) ,...

  10. Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  11. ACSL Specifications - Function contracts Key Ingredients Specification of a function ◮ Contract between caller and callee ◮ Callee requires some pre-conditions from the caller ◮ Callee ensures some post-conditions hold when it returns A first example unsigned int M; /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean( unsigned int * p, unsigned int * q) { if (*p >= *q) { M = (*p - *q) / 2 + *q; } else { M = (*q - *p) / 2 + *p; } }

  12. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean( unsigned int * p, unsigned int * q); A valid implementation

  13. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean( unsigned int * p, unsigned int * q); A valid implementation void mean( int *p, int * q) { *p = *q = M = 0; }

  14. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; ensures *p == \old (*p) && *q == \old (*q); */ void mean( unsigned int * p, unsigned int * q); A valid implementation

  15. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; ensures *p == \old (*p) && *q == \old (*q); */ void mean( unsigned int * p, unsigned int * q); A valid implementation int A = 42; void mean( int *p, int * q) { if (*p >= *q) ... else ... A = 0; }

  16. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; assigns M; */ void mean( unsigned int * p, unsigned int * q); A valid implementation

  17. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; assigns M; */ void mean( unsigned int * p, unsigned int * q); A valid implementation void mean( int *p, int * q) { if (*p >= *q) { M = (*p - *q) / 2 + *q; } else { M = (*q - *p) / 2 + *p; } }

  18. ACSL Specifications - Function contracts A more advanced example Informal spec ◮ Input: a sorted array and its length, an element to search. ◮ Output: index of the element or -1 if not found Towards a formal specification int find_array( int * arr , int length , int query ); ◮ How to specify the two distinct outcome? ◮ What does that mean for arr to be sorted ? ◮ How to prove the implementation? Deductive Verification

  19. ACSL Specifications - Function contracts Behaviors /*@ behavior found: assumes \exists integer i; 0<=i<length && arr[i] == query; ensures 0<= \result <length && arr[ \result ] == query; behavior not_found: assumes \forall integer i; 0<=i<length ==> arr[i] != query; ensures \result == -1; complete behaviors ; disjoint behaviors ; */ int find_array( int * arr , int length , int query );

  20. ACSL Specifications - First-order logic Predicate definition /*@ predicate sorted{L}( int * arr , int length) = \forall integer i,j; 0<=i<=j<length ==> arr[i] <= arr[j]; */ /*@ requires sorted{Here }(arr ,length ); requires \valid (arr +(0.. length -1)); requires length >= 0; */ int find_array( int * arr , int length , int query );

  21. ACSL Specifications - First-order logic Axiomatic definition /*@ inductive sorted{L}( int * arr , int length) { case singleton{L}: \forall int * arr; sorted{L}(arr ,0); case trans{L}: \forall int * arr , integer length; sorted{L}(arr ,length) && arr[length -1] <= arr[length] ==> sorted{L}(arr ,length + 1); } */ /*@ requires sorted{Here }(arr ,length ); requires \valid (arr +(0.. length -1)); requires length >= 0; */ int find_array( int * arr , int length , int query );

  22. ACSL Specifications - Loops Implementation of find_array int find_array( int * arr , int length , int query) { int min = 0; int max = length - 1; int mean; while (min <= max) { mean = min + (max - min) / 2; if (arr[mean] == query) return mean; if (arr[mean] < query) min = mean + 1; else max = mean - 1; } return -1; }

  23. ACSL Specifications - Loops Loop annotations /*@ loop invariant 0<= min < length; loop invariant 0<= max < length; loop invariant \forall integer i; 0<=i<min ==> arr[i] < query; loop invariant \forall integer i; max <i<length ==> arr[i] > query; loop assigns mean , min , max; loop variant max - min; */ while (min <= max) { ... }

  24. while (min <= max) { mean = min + (max - min) / 2; /*@ assert min <= mean <= max; */ if (arr[mean] == query) return mean; if (arr[mean] < query) min = mean + 1; else max = mean - 1;

  25. Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  26. Deductive Verification - Hoare logic Hoare logic ◮ Introduced by Floyd and Hoare (70s) ◮ Hoare triple: { P } s { Q } , meaning: If P holds, then Q will hold after the execution of statement s ◮ Deduction rules on Hoare triples: Axiomatic semantic

  27. Deductive Verification - Hoare logic Some rule examples Q ′ ⇒ Q { P ′ } s { Q ′ } P ⇒ P ′ { P } s { Q } { P }{ P } { P } s_1 { R } { R } s_2 { Q } e evaluates without error { P } s_1;s_2 { Q } { P [ x ← e ] } x=e; { P } { P ∧ e } s_1 { Q } { P ∧ !e } s_2 { Q } { P } if (e) s_1 else s_2 { Q } { I ∧ e } s { I } { I } while (e) s { I ∧ !e }

  28. Deductive Verification - Hoare logic Weakest pre-condition ◮ Program seen as a predicate transformer ◮ Given a function s , a pre-condition Pre and a post-condition Post ◮ We start from Post at the end of the function and go backwards ◮ At each step, we have a property Q and a statement s , and compute the weakest pre-condition P such that { P } s { Q } is a valid Hoare triple. ◮ When we reach the beginning of the function with property P , we must prove Pre ⇒ P .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PVS Linear Algebra Libraries for Verification of Control Software Algorithms in C/ACSL Heber

PVS Linear Algebra Libraries for Verification of Control Software Algorithms in C/ACSL Heber

Introduction Stability and correctness Defining quadratic invariants as code annotations Verification conditions Mapping PVS Linear Algebra Libraries for Verification of Control Software Algorithms in C/ACSL Heber Herencia-Zapana, Romain

990 views • 75 slides
Open Data for Urban Research Session 4 Presenting Data frama.link/odur-2018-s4 This course

Open Data for Urban Research Session 4 Presenting Data frama.link/odur-2018-s4 This course

Open Data for Urban Research Session 4 Presenting Data frama.link/odur-2018-s4 This course Open Data for Urban Research This session Presenting Data, Spatial Visualization Replication material github.com/datactivist/

659 views • 64 slides
STM32F7 - Welcome Revision 1.0 Hello, and welcome to the STM32F7 training session. 1 Training

STM32F7 - Welcome Revision 1.0 Hello, and welcome to the STM32F7 training session. 1 Training

STM32F7 - Welcome Revision 1.0 Hello, and welcome to the STM32F7 training session. 1 Training session organization 2 Introduction System Memory Security &amp; Safety Analog Communication &amp; Peripherals Watchdogs &amp; Timers

272 views • 10 slides
Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop? offering

Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop? offering

Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop? offering elements of training and professional development provide further information about MusiQuE o For whom is it? potential and confirmed MusiQuE

754 views • 46 slides
CONC 2 SEQ : A Frama-C Plugin for the Verification of Parallel Compositions of C Programs Allan

CONC 2 SEQ : A Frama-C Plugin for the Verification of Parallel Compositions of C Programs Allan

CONC 2 SEQ : A Frama-C Plugin for the Verification of Parallel Compositions of C Programs Allan Blanchard 3 , 2 Nikolai Kosmatov 2 Frdric Loulergue 1 , 3 1 School of Informatics, 2 CEA LIST 3 Laboratoire dInformatique Computing, and Cyber

661 views • 19 slides
1 Facilitator Training Facilitator Training Facilitator Training Facilitator Training 2

1 Facilitator Training Facilitator Training Facilitator Training Facilitator Training 2

1 Facilitator Training Facilitator Training Facilitator Training Facilitator Training 2 Introduction Introduction Introduction Introduction Facilitators ensure that group participants remain focused on a prearranged agenda or set of

382 views • 21 slides
Training will begin soon Thanks for joining HQ RIO for our first virtual training session!

Training will begin soon Thanks for joining HQ RIO for our first virtual training session!

Training will begin soon Thanks for joining HQ RIO for our first virtual training session! The chat function you see is moderated; if you post there, you wont see it until the moderators answer and make it public. Please only use it for

411 views • 22 slides
Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr,

1.79k views • 151 slides
Pension Board Training Firefighter Pension Schemes 22 nd August 2017 Morning Session

Pension Board Training Firefighter Pension Schemes 22 nd August 2017 Morning Session

Pension Board Training Firefighter Pension Schemes 22 nd August 2017 Morning Session Introduction and group session Introduction to the Fire Pension Schemes Firefighters Pension Fund Quiz Background to Governance The

2.25k views • 192 slides
Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013

Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013

Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013 Motivation Main objective: Rigorous, mathematical proof of semantic properties of a program functional properties safety: all memory

704 views • 47 slides
A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan Blanchard Nikolai Kosmatov Matthieu Lemerre Fr ed eric Loulergue FMICS 2015 June 22, 2015 CONTENTS Anaxagoros Virtual Memory Formal

590 views • 31 slides
Reviewers Training Session o Who we are? MusiQuE Board members MusiQuE Team MusiQuE

Reviewers Training Session o Who we are? MusiQuE Board members MusiQuE Team MusiQuE

Introduction to the MusiQuE Peer- Reviewers Training Session o Who we are? MusiQuE Board members MusiQuE Team MusiQuE Trainers o Who are you? Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop?

627 views • 50 slides
ADOPT -A- HIGHWAY TRAINING SESSION ADOPT-A-HIGHWAY Why do I need training to pick up garbage?

ADOPT -A- HIGHWAY TRAINING SESSION ADOPT-A-HIGHWAY Why do I need training to pick up garbage?

ADOPT -A- HIGHWAY TRAINING SESSION ADOPT-A-HIGHWAY Why do I need training to pick up garbage? There are several answers to that question.. LIABILITY The Ministry of Transportation must provide training to groups working on the

340 views • 31 slides
Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr, nikolai.kosmatov@cea.fr,

1.52k views • 151 slides
Annual Training Session Todays topic: Private Business Use I. Introduction Nancy Winkler,

Annual Training Session Todays topic: Private Business Use I. Introduction Nancy Winkler,

Post-Issuance Tax Compliance Annual Training Session Todays topic: Private Business Use I. Introduction Nancy Winkler, City Treasurer Private Business Use 10/4/13 1 II. Overview Private Use 101 Kim Betterton Ballard Spahr Private

285 views • 14 slides
1 A map to the training session content Interfolio is a software company, RPT is one of their

1 A map to the training session content Interfolio is a software company, RPT is one of their

Introduce session and presenter. Recommended to have 2 screens or 2 laptops 1 A map to the training session content Interfolio is a software company, RPT is one of their products, which we have branded TCNJ Faculty Process given its uses here.

341 views • 18 slides
ROYAL SIGNALS LEADERS IN A DIGITAL AGE The CADUCEUS Programme A Corps for the 21 st Century

ROYAL SIGNALS LEADERS IN A DIGITAL AGE The CADUCEUS Programme A Corps for the 21 st Century

ROYAL SIGNALS LEADERS IN A DIGITAL AGE The CADUCEUS Programme A Corps for the 21 st Century Burning Platform 1 The Future Operating Environment Burning Platform 2 Information, not networks, is key Burning Platform 3 The STEM Environment The

353 views • 18 slides
RoHS Geir Hrthe Jon Ivar Tidemann 2017-12-13 1 The RoHS directive Restriction of

RoHS Geir Hrthe Jon Ivar Tidemann 2017-12-13 1 The RoHS directive Restriction of

RoHS Geir Hrthe Jon Ivar Tidemann 2017-12-13 1 The RoHS directive Restriction of Hazardous Substances European Directive (2011/65/EU) Requiring CE marking Covers majority of electrical equipment Temporary exemptions where

550 views • 26 slides
FOR THE GLOBAL APPAREL VALUE CHAIN TPP AND TEXTILES AND APPAREL A STORYBOARD MAUREEN GRAY

FOR THE GLOBAL APPAREL VALUE CHAIN TPP AND TEXTILES AND APPAREL A STORYBOARD MAUREEN GRAY

TPP OPPORTUNITIES FOR THE GLOBAL APPAREL VALUE CHAIN TPP AND TEXTILES AND APPAREL A STORYBOARD MAUREEN GRAY CHAIRMAN U.S. ASSOCIATION OF IMPORTERS OF TEXTILES &amp; APPAREL OCTOBER 23, 2011 A STORYBOARD THE GLOBAL VALUE CHAIN STORYBOARD

584 views • 23 slides
Summary of New Air Emissions Regulations and Requirements Overview What is the new federal

Summary of New Air Emissions Regulations and Requirements Overview What is the new federal

Summary of New Air Emissions Regulations and Requirements Overview What is the new federal rule? Why is this rule needed? What is a Target HAP? What is a source? What sources are covered by this rule? What sources are

517 views • 26 slides
WE CAN TOGETHER Advancement &amp; Donor Relations Guiding Principle Strong Membership + Strong

WE CAN TOGETHER Advancement &amp; Donor Relations Guiding Principle Strong Membership + Strong

WE CAN TOGETHER Advancement &amp; Donor Relations Guiding Principle Strong Membership + Strong Foundation FND + Strong PAC NCMS = Exponentially More Effective NCMS 2019 Annual Campaign Goals NCMS Foundation Sustainers Campaign (individuals)

644 views • 12 slides
t r ts t

t r ts t

trt ts tss ss s s t r

1.36k views • 100 slides
q r t q

q r t q

q r t q s r ssstt t s rr t rrt

505 views • 26 slides
Microsoft Powerpoint Presentation Surgery At A Glance Visual Techniques Assent Professionally

Microsoft Powerpoint Presentation Surgery At A Glance Visual Techniques Assent Professionally

Microsoft Powerpoint Presentation Surgery At A Glance Visual Techniques Assent Professionally Teach Microsoft Official Manual 2002 Isbn 4891003219 Japanese Import.pdf Microsoft Powerpoint Presentation Surgery At A Glance Visual Techniques Assent

766 views • 53 slides

More recommend