v rification de l absence d erreurs
play

Vrification de labsence derreurs all satisfy a formal - PowerPoint PPT Presentation

Dec 18, 2023 •464 likes •700 views

Abstract Software verification consists in proving that executions of the software in any admissible execution environment Vrification de labsence derreurs all satisfy a formal specification. In the case of the Astre static

  1. Abstract Software verification consists in proving that executions of the software in any admissible execution environment « Vérification de l’absence d’erreurs à all satisfy a formal specification. In the case of the Astrée static analyser ( www.astree.ens.fr ), the specification is implicit: no execution can lead to a “runtime error” (RTE) (such as buffer overrun, dangling pointer, division l’exécution dans des logiciels industriels by zero, float overflow, modular integer arithmetic overflow, . . . ). The Astrée static analyser is designed by abstract interpretation of the semantics of a subset of the C programming language (without dynamic memory critiques de contrôle/commande par allocation, recursive function calls, no system and library calls as found in most embedded software). Abstract interpretation is a theory of abstraction, that is to say of safe approximation allowing for automatic formal proofs by considering an over-approximation of the set of all possible executions of the program. Contrary to interprétation abstraite » bug-finding methods (e.g. by test, bounded model-checking or error pattern search), no potential error is ever omitted. Hence the proof of satisfaction of the specification is mathematically valid. However, some executions considered in the abstract, that is in the over-approximation, might lead to an error while not corresponding to a concrete, that is actual, execution. Such spurious executions are then said to lead to a “false alarm”. All Patrick Cousot the difficulty of the undecidable verification problem is therefore to design safe/sound over-approximations that École normale supérieure are coarse enough to be effectively computable by the static analyzer and precise enough to avoid false alarms (the errors leading to true alarms can only be eliminated by correcting the program that does not satisfy the 45 rue d’Ulm, 75230 Paris cedex 05, France specification). In practice, knowing only the over-approximation computed by the static analyser, it is difficult to distinguish false alarms from actual ones. So the radical solution is to reach zero false alarm which provides a full Patrick.Cousot@ens.fr www.di.ens.fr/~cousot verification. To do so, Astrée is specialized both to precise program properties (i.e. RTEs) and a precise family of C programs (i.e. real-time synchronous control/command C applications preferably automatically generated from a synchronous language). The Astrée static analyser uses generalist abstractions (like intervals, octagons, XIVes Rencontres INRIA – Industrie, Confiance et Sécurité — decision trees, symbolic execution, etc) and abstractions for the specific application domain (to cope with filters, Rocquencourt — Jeudi 11 octobre 2007 integrators, slow divergences due to rounding errors, etc). Since 2003, these domain-specific abstractions allowed for the verification of the absence of RTEs in several large avionic software, a world première. Rencontres INRIA–Industrie, 11/10/2007 — 1 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 3 — ľ P. Cousot Résumé Contents La vérification d’un logiciel consiste à démontrer que toutes les exécutions d”un programme satisfont une spécification. Dans le cas de l’analyseur statique Astrée www.astree.ens.fr), la spécification est implicite : aucune exécution ne peut conduire à une “erreur à l’exécution” Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 5 (débordement de tableau, pointeur indéfini, division par zéro, débordement arithmétique, Informal introduction to abstract interpretation . . . . . . . . . . 13 etc.). L’interprétation abstraite est une théorie de l’abstraction, c’est-à-dire des approxima- tions sûres permettant de faire la preuve automatiquement en considérant des sur-ensembles The Astrée static analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 des comportements possibles du programme. Contrairement aux méthodes de recherche The industrial use of Astrée . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 d’erreurs comme le model-checking borné ou le test, aucun cas possible n’est omis et la preuve d’erreurs à l’exécution est donc mathématiquement valide. Certaines exécutions dans la sur-approximation peuvent conduire à une erreur sans pour autant correspondre à une exécution réelle (encore dite concrète). On parle dans ce cas d’une “fausse alarme”. Toute la difficulté du problème indécidable de la vérification est de choisir des approximations sûres sans aucune fausse alarme (les erreurs conduisent à de vraies alarmes ne peuvent être éliminées qu’en les corrigeant). Dans le cas d’ Astrée , les programmes écrits en C sont des logiciels synchrones de contrôle commande temps réel. Astrée contient des abstractions généralistes (intervalles, octogones, etc) et des abstractions spécifiques au domaine d’application (avec filtres, intégrateurs, divergences lentes à cause d’erreurs d’arrondis, etc). Cette adaptation au domaine d’application a permis de vérifier formellement l’absence d’erreurs à l’exécution dans des logiciels avioniques critiques de grande taille, une première mondiale. Rencontres INRIA–Industrie, 11/10/2007 — 2 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 4 — ľ P. Cousot

  2. A Strong Need for Software Better Quality – Poor software quality is not acceptable in safety and mission critical software applications. 1. Motivation – The present state of the art in software engineering does not offer sufficient quality garantees Rencontres INRIA–Industrie, 11/10/2007 — 5 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 7 — ľ P. Cousot Bugs Now Show-Up in Everyday Life Tool-Based Software Design Methods – Bugs now appear frequently in everyday life (banks, – New tool-based software design methods will have to cars, telephones, . . . ) emerge to face the unprecedented growth and complex- – Example (HSBC bank ATM 1 at 19 Boulevard Sébas- ification of critical software topol in Paris, failure on Nov. 21 st 2006 at 8:30 am): – E.g. FCPC (Flight Control Primary Computer) - A220: 20 000 LOCs, - A340: 130 000 LOCS (V1), 250 000 LOCS (V2), - A380: 1.000.000 LOCS 1 cash machine, cash dispenser, automatic teller machine. Rencontres INRIA–Industrie, 11/10/2007 — 6 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 8 — ľ P. Cousot

  3. Problems with Formal Methods Disadvantages of Static Analysis – Formal specifications (abstract machines, temporal logic, – Imprecision (acceptable in some applications like WCET . . . ) are costly, complex, error-prone, difficult to main- or program optimization) tain, not mastered by casual programmers – Incomplete for program verification – Formal semantics of the specification and program- – False alarms are due to unsuccessful automatic proofs ming language are inexistant, informal, irrealistic or in 5 to 15% of the cases complex – Formal proofs are partial (static analysis), do not scale up (model checking) or need human assistance (theo- rem proving & proof assistants) ) High costs (for specification, proof assistance, etc). Rencontres INRIA–Industrie, 11/10/2007 — 9 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 11 — ľ P. Cousot Avantages of Static Analysis Remedies to False Alarms in Astrée – Formal specifications are implicit (no need for explicit, – Astrée is specialized to specific program properties 2 user-provided specifications) – Astrée is specialized to real-time synchronous con- – Formal semantics are approximated by the static ana- trol/command programs lyzer (no user-provided models of the program) – Astrée offers possibilities of refinement 3 – Formal proofs are automatic (no required user-interaction) – Costs are low (no modification of the software produc- tion methodology) – Scales up to 100.000 to 1.000.000 LOCS – Large diffusion in embedded software production in- 2 proof of absence of runtime errors dustries 3 parametrizations and analysis directives Rencontres INRIA–Industrie, 11/10/2007 — 10 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 12 — ľ P. Cousot

  4. 2. Informal Introduction to Ab- stract Interpretation Principle of Abstraction Rencontres INRIA–Industrie, 11/10/2007 — 13 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 15 — ľ P. Cousot Abstract Interpretation Operational semantics There are two fundamental concepts in computer science x ( t ) (and in sciences in general) : – Abstraction : to reason on complex systems – Approximation : to make effective undecidable com- putations These concepts are formalized by abstract interpretation References [POPL ’77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4 th ACM POPL . [Thesis ’78] P. Cousot. Méthodes itératives de construction et d’approximation de points fixes d’opérateurs monotones sur un treillis, t analyse sémantique de programmes. Thèse ès sci. math. Grenoble, march 1978. P. Cousot & R. Cousot. Systematic design of program analysis frameworks. In 6 th ACM POPL . [POPL ’79] Rencontres INRIA–Industrie, 11/10/2007 — 14 — ľ P. Cousot Rencontres INRIA–Industrie, 11/10/2007 — 16 — ľ P. Cousot

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

and Symb mbolic olic Ve Verif rification ication Kim Ki m G. . La Lars rsen Aa Aalb

and Symb mbolic olic Ve Verif rification ication Kim Ki m G. . La Lars rsen Aa Aalb

Dec ecidab idability ility and Symb mbolic olic Ve Verif rification ication Kim Ki m G. . La Lars rsen Aa Aalb lborg org Univ iversity ersity, , DENMARK NMARK Dec Decid idabi ability lity Reachability chability ? a b

723 views • 70 slides
Sickness absence review March 2010 Sickness absence review Sickness absence review Current

Sickness absence review March 2010 Sickness absence review Sickness absence review Current

Sickness absence review March 2010 Sickness absence review Sickness absence review Current position Short-term absence Each year around 150m working days are lost to sickness absence. Much of this absence is short-term Long-term absence

942 views • 5 slides
Employee Absence Reduction Project Background Existing arrangements Current absence

Employee Absence Reduction Project Background Existing arrangements Current absence

Employee Absence Reduction Project Background Existing arrangements Current absence policy implemented April 2015. Allowed greater flexibility and removed triggers. Range of health and wellbeing support confidential

448 views • 22 slides
Eugene School District 4J Leave of Absence COVID 19 August 2020 What is a leave of absence? A

Eugene School District 4J Leave of Absence COVID 19 August 2020 What is a leave of absence? A

Eugene School District 4J Leave of Absence COVID 19 August 2020 What is a leave of absence? A leave of absence is needed when an employee is absent from work for an extended period. 4J defines an extended period as more than five (5) work days.

291 views • 8 slides
U.S. Leave of Absence Program (Informational Guide) Program features Wescos Leave of

U.S. Leave of Absence Program (Informational Guide) Program features Wescos Leave of

U.S. Leave of Absence Program (Informational Guide) Program features Wescos Leave of Absence Program Common Leave Requests Overview of Family Medical Leave Intermittent Leave Leave of Absence Management Process

476 views • 26 slides
HOW TO MANAGE INCAPACITY AND UNAUTHORISED ABSENCE IN THE WORKPLACE IMASA CONFERENCE: 18 OCTOBER

HOW TO MANAGE INCAPACITY AND UNAUTHORISED ABSENCE IN THE WORKPLACE IMASA CONFERENCE: 18 OCTOBER

HOW TO MANAGE INCAPACITY AND UNAUTHORISED ABSENCE IN THE WORKPLACE IMASA CONFERENCE: 18 OCTOBER 2018 Annalene de Beer INDEX Applicable Legislation Principles Approved absence Abuse of sick leave Incapacity Ill Health

1.1k views • 22 slides
All absence is genuine Support employee wellbeing at an individual level Enhance

All absence is genuine Support employee wellbeing at an individual level Enhance

FirstCare Core Principles All absence is genuine Support employee wellbeing at an individual level Enhance manager role in absence management Improve wellbeing across the organisation Maintain confidentiality and data integrity

505 views • 22 slides
Absence, Substitutability and Productivity: Evidence from Teachers Asma Benhenda Paris School of

Absence, Substitutability and Productivity: Evidence from Teachers Asma Benhenda Paris School of

Absence, Substitutability and Productivity: Evidence from Teachers Asma Benhenda Paris School of Economics UC Berkeley April 19, 2017 Still Preliminary 1 / 39 Motivation Worker absence : frequent in many countries (2 to 3 % of annual

663 views • 38 slides
Absence, Substitutability and Productivity: Evidence from Teachers Asma Benhenda Paris School of

Absence, Substitutability and Productivity: Evidence from Teachers Asma Benhenda Paris School of

Absence, Substitutability and Productivity: Evidence from Teachers Asma Benhenda Paris School of Economics December 2016 Still Very Preliminary 1 / 45 Motivation (1/2) Worker absence : frequent in many countries 2 to 3 % of annual

1.17k views • 45 slides
CAPABILITY SEMINAR SICKNESS ABSENCE AND CAPABILITY DISMISSALS LAW PRACTICE AND HIDDEN TRAPS

CAPABILITY SEMINAR SICKNESS ABSENCE AND CAPABILITY DISMISSALS LAW PRACTICE AND HIDDEN TRAPS

CAPABILITY SEMINAR SICKNESS ABSENCE AND CAPABILITY DISMISSALS LAW PRACTICE AND HIDDEN TRAPS JAMIE JENKINS BARRISTER INTRODUCTION Some figures from the CIPD 2016 Survey: 6.3 days sickness absence per employee 522 median cost of

528 views • 14 slides
Health at Work An Independent Review of Sickness Absence Terms of Reference to explore

Health at Work An Independent Review of Sickness Absence Terms of Reference to explore

Health at Work An Independent Review of Sickness Absence Terms of Reference to explore how the current sickness absence system could be changed to help people stay in work, reduce costs and contribute to economic growth to examine

378 views • 10 slides
Prevention Cure The Yerkes & Dodson Law Stress Absence 57p 2018 HSE Stats show that 57% of

Prevention Cure The Yerkes & Dodson Law Stress Absence 57p 2018 HSE Stats show that 57% of

Amplification of existing Mental Health issues Development of new issues Prevention Cure The Yerkes & Dodson Law Stress Absence 57p 2018 HSE Stats show that 57% of work absence is stress related. Over 75% of all Doctors appointments

744 views • 39 slides
Dr. Masters taught us: Absence of Proof is Not Proof of Absence. "Anyone who has never

Dr. Masters taught us: Absence of Proof is Not Proof of Absence. "Anyone who has never

Many Thanks to Dr. Sam Donta, who taught me how to use the best antibiotics to make so many people feel so much better and finally well. His patients tell me they are grateful to him for how he has helped them, and I am grateful for his guidance

439 views • 12 slides
TOTAL ABSENCE MANAGEMENT April 19, 2018 The CareWorks Team Scott Vaka Chief Sales Officer

TOTAL ABSENCE MANAGEMENT April 19, 2018 The CareWorks Team Scott Vaka Chief Sales Officer

A fresh start to TOTAL ABSENCE MANAGEMENT April 19, 2018 The CareWorks Team Scott Vaka Chief Sales Officer CareWorks Absence Management (614) 760-3536 Scott.Vaka@ CareWorks.com 2 CareWorks Absence Management PROPRIETARY

1.07k views • 41 slides
OVERVIEW AND SCRUTINY PANEL Update on Adult Services Absence Avril Wilson, Director of Adult

OVERVIEW AND SCRUTINY PANEL Update on Adult Services Absence Avril Wilson, Director of Adult

ADULT CARE AND WELL BEING OVERVIEW AND SCRUTINY PANEL Update on Adult Services Absence Avril Wilson, Director of Adult Services Richard Keble, Assistant Director 6 November 2018 www.worcestershire.gov.uk 2 WCC Absence Rates 2017/18 Ave Sick

236 views • 9 slides
Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To

Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To

STATE TEACHERS RETIREMENT SYSTEM OF OHIO Employer Basics 101: Purchasing Service Credit and Leaves of Absence EMPLOYER EDUCATION Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To Use GoToWebinar

265 views • 9 slides
A posteriori error estimators for FFT-based numerical techniques Sbastien Brisard 1 Ludovic

A posteriori error estimators for FFT-based numerical techniques Sbastien Brisard 1 Ludovic

A posteriori error estimators for FFT-based numerical techniques Sbastien Brisard 1 Ludovic Chamoin 2 1 Universit Paris-Est, Laboratoire Navier (UMR 8205), CNRS, ENPC, IFSTTAR, F-77455 Marne-la-Valle 2 LMT (ENS Cachan/CNRS/Universit Paris

533 views • 26 slides
Rate-Independent Evolution Problems in Elasto-Plasticity: a Variational Approach Main reference:

Rate-Independent Evolution Problems in Elasto-Plasticity: a Variational Approach Main reference:

Rate-Independent Evolution Problems in Elasto-Plasticity: a Variational Approach Main reference: G. Dal Maso, A. DeSimone, M.G. Mora: Quasistatic evolution problems for linearly elastic - perfectly plastic materials. Preprint SISSA, Trieste,

449 views • 44 slides
Power variation and p -variation of sample functions of stochastic processes Rimas Norvai sa

Power variation and p -variation of sample functions of stochastic processes Rimas Norvai sa

Power variation and p -variation of sample functions of stochastic processes Rimas Norvai sa Department of Econometric Analysis Vilnius University 15 November 2014, Guanajuato, Mexico 5th Workshop on Game-Theoretic Probability and Related

739 views • 20 slides
Quasistatic Evolution as Limit of Dynamic Evolutions: the Case of Perfect Plasticity Gianni Dal

Quasistatic Evolution as Limit of Dynamic Evolutions: the Case of Perfect Plasticity Gianni Dal

Quasistatic Evolution as Limit of Dynamic Evolutions: the Case of Perfect Plasticity Gianni Dal Maso and Riccardo Scala SISSA, Trieste, Italy Levico Diffuse Inteface Models September 13, 2013 Gianni Dal Maso (SISSA) Dynamic Quasistatic

896 views • 60 slides
Embedded systems soon > 50 % of market ! With more and more importance of software "

Embedded systems soon > 50 % of market ! With more and more importance of software "

Real time system modeling with UML : current status and some prospects Franois Terrier, Sbastien Grard LETI (CEA - Technologies Avances) DEIN CEA/Saclay F-91191 Gif sur Yvette Cedex France Phone: +33 1 69 08 62 59 ; Fax: +33 1 69 08 83

902 views • 49 slides
UML Temps Rel Franois Terrier, Sbastien Grard LETI (CEA - Technologies Avances) DEIN

UML Temps Rel Franois Terrier, Sbastien Grard LETI (CEA - Technologies Avances) DEIN

UML Temps Rel Franois Terrier, Sbastien Grard LETI (CEA - Technologies Avances) DEIN CEA/Saclay F-91191 Gif sur Yvette Cedex France Phone: +33 1 69 08 62 59 ; Fax: +33 1 69 08 83 95 Francois.Terrier@cea.fr ; Sebastien.Gerard@cea.fr

1.41k views • 91 slides
Statistical analysis analysis of simulation of simulation Statistical experiments: :

Statistical analysis analysis of simulation of simulation Statistical experiments: :

Statistical analysis analysis of simulation of simulation Statistical experiments: : experiments Challenges for industrial industrial applications applications Challenges for Bertrand Iooss Bertrand Iooss

688 views • 34 slides
Application of radare2 illustrated by Shylock/Caphaw.D and Snakso.A analysis Anton Kochkov

Application of radare2 illustrated by Shylock/Caphaw.D and Snakso.A analysis Anton Kochkov

Application of radare2 illustrated by Shylock/Caphaw.D and Snakso.A analysis Anton Kochkov PHDays IV, May 21, 2014 Intro radare2 Please use radare2 from git Warnings There is a nasty bug in r2 for now, please bear with us This is a

606 views • 26 slides

More recommend