verasco formal verification of a c static analyzer based
play

Verasco: Formal verification of a C static analyzer based on - PowerPoint PPT Presentation

Oct 10, 2023 •246 likes •885 views

Verasco: Formal verification of a C static analyzer based on abstract interpretation Jacques-Henri Jourdan, Vincent Laporte Sandrine Blazy, Xavier Leroy , David Pichardie Inria / U. Rennes 1 / ENS Rennes Workshop on Realistic Program

  1. Verasco: Formal verification of a C static analyzer based on abstract interpretation Jacques-Henri Jourdan, Vincent Laporte Sandrine Blazy, Xavier Leroy , David Pichardie Inria / U. Rennes 1 / ENS Rennes Workshop on Realistic Program Verification, 2015-12-02 X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 1 / 48

  2. Plan An overview of static analysis 1 The abstract interpretation approach 2 Scaling up: the Verasco project 3 Technical zoom: the abstract interpreter and its proof 4 Conclusions and perspectives 5 X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 2 / 48

  3. Static analysis in a nutshell Statically infer properties of a program that hold for all its executions. At this program point, 0 < x ≤ y and pointer p is not NULL . Emphasis on infer: no help from the programmer. (E.g. loop invariants are not written in the source.) Emphasis on statically: The inputs to the program are not known. The analysis must terminate. The analysis must run in reasonable time and space. X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 3 / 48

  4. Example of properties that can be inferred Properties of the value of one variable: (value analysis) x = a constant propagation x > 0 ou x = 0 ou x < 0 signs x ∈ [ a , b ] intervalles x = a (mod b ) congruences valid ( p [ a . . . b ]) memory validity p pointsTo x or p � = q (non-) aliasing between pointers ( a , b , c are constants inferred by the analyzer.) X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 4 / 48

  5. Example of properties that can be inferred Properties of several variables: (relational analysis) � a i x i ≤ c polyhedra ± x 1 ± · · · ± x n ≤ c octagons expr 1 = expr 2 Herbrand equivalences doubly-linked-list ( p ) shape analysis Non-functional properties: Memory consumption. Worst-case execution time (WCET). X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 5 / 48

  6. Using static analysis for code optimization Apply algebraic identities when their conditions are met: → if analysis says x ≥ 0 x / 4 x >> 2 Optimize array accesses and pointer dereferences: a[i]=1; a[j]=2; x=a[i]; → a[i]=1; a[j]=2; x=1; if analysis says i � = j → *p = a; x = *q; x = *q; *p = a; if analysis says p � = q Automatic parallelization: loop 1 ; loop 2 → loop 1 � loop 2 if polyh ( loop 1 ) ∩ polyh ( loop 2 ) = ∅ X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 6 / 48

  7. Using static analysis for verification Use the results of static analysis to prove the absence of certain run-time errors: y ∈ [ a , b ] ∧ 0 / ∈ [ a , b ] = ⇒ x / y cannot fail valid ( p [ a . . . b ]) ∧ i ∈ [ a , b ] = ⇒ p [ i ] cannot fail Report an alarm otherwise. X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 7 / 48

  8. Using static analysis for verification Use the results of static analysis to prove the absence of certain run-time errors: y ∈ [ a , b ] ∧ 0 / ∈ [ a , b ] = ⇒ x / y cannot fail valid ( p [ a . . . b ]) ∧ i ∈ [ a , b ] = ⇒ p [ i ] cannot fail Report an alarm otherwise. X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 7 / 48

  9. True alarms, false alarms True alarm False alarm (wrong behavior) (analysis too imprecise) More precise analysis (octagons instead of intervals): the false alarm goes away. X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 8 / 48

  10. Some properties verifiable by static analysis Absence of run-time errors: Arrays and pointers: ◮ No out-of-bound accesses. ◮ No dereferencing the null pointer. ◮ No access after a free . ◮ Alignment constraints are respected. Integer arithmetic: ◮ No division by zero. ◮ No (signed) arithmetic overflows. Floating-point arithmetic: ◮ No arithmetic overflows (result is ±∞ ) ◮ No undefined operations (result Not a Number ) ◮ No catastrophic cancellation. Simple programmer-inserted assertions: e.g. assert (0 <= x && x < sizeof(tbl)) . X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 9 / 48

  11. Plan An overview of static analysis 1 The abstract interpretation approach 2 Scaling up: the Verasco project 3 Technical zoom: the abstract interpreter and its proof 4 Conclusions and perspectives 5 X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 10 / 48

  12. Abstract interpretation in a nutshell Execute (“interpret”) the program with a nonstandard semantics that: Computes over an abstract domain of the desired properties (e.g. “ x ∈ [ a , b ] ′′ for interval analysis) instead of computing with concrete values and states (e.g. numbers). Handles Boolean conditions even if they cannot be resolved statically: ◮ The then and else branches of an if are both taken → joins. ◮ Loops and recursions execute arbitrarily many times → fixpoints. Always terminates. X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 11 / 48

  13. Example of abstract interpretation with intervals x ∈ [ −∞ , ∞ ] IF x < 0 THEN x := 0; ELSE IF x > 1000 THEN x := 1000; ELSE SKIP; ENDIF X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 12 / 48

  14. Example of abstract interpretation with intervals x ∈ [ −∞ , ∞ ] IF x < 0 THEN x := 0; x ∈ [0 , 0] ELSE IF x > 1000 THEN x := 1000; ELSE SKIP; ENDIF X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 12 / 48

  15. Example of abstract interpretation with intervals x ∈ [ −∞ , ∞ ] IF x < 0 THEN x := 0; x ∈ [0 , 0] ELSE IF x > 1000 THEN x ∈ [1000 , 1000] x := 1000; ELSE SKIP; ENDIF X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 12 / 48

  16. Example of abstract interpretation with intervals x ∈ [ −∞ , ∞ ] IF x < 0 THEN x := 0; x ∈ [0 , 0] ELSE IF x > 1000 THEN x ∈ [1000 , 1000] x := 1000; ELSE x ∈ [0 , ∞ ] ∩ [ −∞ , 1000] = [0 , 1000] SKIP; ENDIF X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 12 / 48

  17. Example of abstract interpretation with intervals x ∈ [ −∞ , ∞ ] IF x < 0 THEN x := 0; x ∈ [0 , 0] ELSE IF x > 1000 THEN x ∈ [1000 , 1000] x := 1000; ELSE x ∈ [0 , ∞ ] ∩ [ −∞ , 1000] = [0 , 1000] SKIP; ENDIF x ∈ [0 , 0] ∪ [1000 , 1000] ∪ [0 , 1000] = [0 , 1000] X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 12 / 48

  18. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x := x + 1; DONE X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  19. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ [0 , 0] ∩ [ −∞ , 1000] = [0 , 0] x := x + 1; x ∈ [1 , 1] DONE X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  20. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ ([0 , 0] ∪ [1 , 1]) ∩ [ −∞ , 1000] = [0 , 1] x := x + 1; x ∈ [1 , 2] DONE X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  21. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ ([0 , 0] ∪ [1 , 2]) ∩ [ −∞ , 1000] = [0 , 2] x := x + 1; x ∈ [1 , 3] DONE X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  22. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ [0 , ∞ ] x := x + 1; x ∈ [1 , ∞ ] DONE Widening heuristic to accelerate convergence X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  23. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ ([0 , 0] ∪ [1 , ∞ ]) ∩ [ −∞ , 1000] = [0 , 1000] x := x + 1; x ∈ [1 , 1001] DONE Narrowing iteration to improve the result X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  24. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ ([0 , 0] ∪ [1 , 1001]) ∩ [ −∞ , 1000] = [0 , 1000] x := x + 1; x ∈ [1 , 1001] DONE Fixpoint reached! X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  25. Example of abstract interpretation with intervals x ∈ [0 , 0] x := 0; WHILE x <= 1000 DO x ∈ ([0 , 0] ∪ [1 , 1001]) ∩ [ −∞ , 1000] = [0 , 1000] x := x + 1; x ∈ [1 , 1001] DONE x ∈ [1001 , ∞ ] ∩ [1 , 1001] = [1001 , 1001] Fixpoint reached! X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 13 / 48

  26. Fixpoint computations with widening and narrowing F ( X ) Narrowing X n +1 = F ( X n ) Tarski iteration X n +1 = F ( X n ) Widened iteration X n +1 = X n ∇ F ( X n ) X X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 14 / 48

  27. Non-relational vs. relational analysis Non-relational analysis: abstract environment = variable �→ abstract value (Like simple typing environments.) Relational analysis: abstract environments are a domain of their own, featuring: a semi-lattice structure: ⊥ , ⊤ , ⊏ , ⊔ an abstract operation for assignment / binding. Example: polyhedra, i.e. conjunctions of linear inequalities � a i x i ≤ c . X. Leroy et al (Inria) The Verasco verified analyzer 2015-12-02 15 / 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal verification of a static analyzer: abstract interpretation in type theory Xavier Leroy

Formal verification of a static analyzer: abstract interpretation in type theory Xavier Leroy

Formal verification of a static analyzer: abstract interpretation in type theory Xavier Leroy Inria Paris-Rocquencourt TYPES meeting, 2014-05-14 X. Leroy (Inria) Verified static analyzer 2014-05-14 1 / 57 In memoriam Radhia Cousot, 2014

647 views • 63 slides
Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S

Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S

Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S amsung R &amp;D Institute, R ussia 1 . . . . . Clang Static Analyzer Source-based analysis of high-level programming languages (C, C++,

631 views • 27 slides
Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs at compile time by inspecting your source code Bugs it finds are more sophisticated than warnings or Clang-Tidy Clang Static Analyzer 1

544 views • 29 slides
Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem Dergachev, Apple Agenda Introduction to Clang Static Analyzer Using coverage-based iteration order Improved C++ constructor and destructor

789 views • 40 slides
Rigorous Timing, Static occam , and Classic CSP: Formal Verification for IoT A Fringe

Rigorous Timing, Static occam , and Classic CSP: Formal Verification for IoT A Fringe

Rigorous Timing, Static occam , and Classic CSP: Formal Verification for IoT A Fringe Presentation for CPA2017 by Lawrence J. Dickson Space Sciences Corporation Lemitar, NM, USA Jeremy M. R. Martin Lloyds London, UK Ground Truth

359 views • 20 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel Perez The University of Tokyo January 29, 2018 Static analyzers Writing a static analyzer is hard JavaScript points-to sample global.length = 4;

299 views • 15 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Trust in programming tools: the formal verification of compilers and static analysers Xavier

Trust in programming tools: the formal verification of compilers and static analysers Xavier

Trust in programming tools: the formal verification of compilers and static analysers Xavier Leroy Inria Paris Verified trustworthy software systems, April 2016 X. Leroy (Inria) Trust in tools 2016-04-05 1 / 35 Tool-assisted formal

731 views • 52 slides
Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts Small amount of theory to a practical example Why Static Analysis? Static Analysis in Continuous Integration What is Cross Translation Unit

480 views • 34 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Camilo Thorne, Diego Calvanese KRDB Centre Free University of Bozen-Bolzano Via della Mostra 4

Camilo Thorne, Diego Calvanese KRDB Centre Free University of Bozen-Bolzano Via della Mostra 4

Exploring Controlled English OBDA Camilo Thorne, Diego Calvanese KRDB Centre Free University of Bozen-Bolzano Via della Mostra 4 39100 - Italy CNL 2009, Maretimmo, 9/6/09 (1) The The Problem Problem Ontology-based systems

618 views • 38 slides
Fourier Law and Non-Isothermal Boundary in the Boltzmann Theory Joint work with Raffaele

Fourier Law and Non-Isothermal Boundary in the Boltzmann Theory Joint work with Raffaele

Fourier Law and Non-Isothermal Boundary in the Boltzmann Theory Joint work with Raffaele Esposito, Yan Guo, Rossana Marra Chanwoo Kim DPMMS, University of Cambridge ICERM November 8, 2011 Steady Boltzmann Equation Steady Boltzmann Equation v

261 views • 25 slides
Equinox: A C++11 platform for realtime SDR applications FOSDEM 2019 Manolis Surligas

Equinox: A C++11 platform for realtime SDR applications FOSDEM 2019 Manolis Surligas

Equinox: A C++11 platform for realtime SDR applications FOSDEM 2019 Manolis Surligas surligas@csd.uoc.gr Libre Space Foundation &amp; Computer Science Department, University of Crete Introduction Software Radio Platforms Every SDR needs a

391 views • 28 slides
MAD families, splitting families and large continuum Vera Fischer Kurt G odel Research Center

MAD families, splitting families and large continuum Vera Fischer Kurt G odel Research Center

Introduction Con ( b = a = &lt; s = ) The forcing construction Open Questions MAD families, splitting families and large continuum Vera Fischer Kurt G odel Research Center University of Vienna April 2012 Vera Fischer MAD families,

559 views • 26 slides
Motore di calcolo Sistemi di Output Conclusioni A.A. 2017-2018 2/80

Motore di calcolo Sistemi di Output Conclusioni A.A. 2017-2018 2/80

Introduzione alla Realt Virtuale Parte I Prof. Alberto Borghese alberto.borghese@unimi.it A.A. 2017-2018 1/80 http:\\borghese.di.unimi.it\ Sommario Introduzione Sistemi di Input Generatori di mondi Motore di calcolo

408 views • 40 slides
Evaluation of accuracy, integrity and availability of ARNS multi-constellation signals for

Evaluation of accuracy, integrity and availability of ARNS multi-constellation signals for

Department of Spatial Sciences Evaluation of accuracy, integrity and availability of ARNS multi-constellation signals for aviation users in Australia Manoj Deo &amp; A/Prof Ahmed El-Mowafy International Global Navigation Satellite Systems

447 views • 19 slides
The Johnson-Lindenstrauss Lemma in Linear Programming Leo Liberti , Vu Khac Ky, Pierre-Louis

The Johnson-Lindenstrauss Lemma in Linear Programming Leo Liberti , Vu Khac Ky, Pierre-Louis

The Johnson-Lindenstrauss Lemma in Linear Programming Leo Liberti , Vu Khac Ky, Pierre-Louis Poirion CNRS LIX Ecole Polytechnique, France Aussois COW 2016 The gist Goal : solving very large LPs min { c x | Ax = b x 0 }

530 views • 31 slides
Weighted Automata and Logics for Infinite Nested Words Manfred Droste and Stefan D uck

Weighted Automata and Logics for Infinite Nested Words Manfred Droste and Stefan D uck

Nested Words Weighted Automata and Logics Weighted Automata and Logics for Infinite Nested Words Manfred Droste and Stefan D uck Leipzig University, Germany 8th LATA, March 2014 Manfred Droste and Stefan D uck Weighted Automata and

776 views • 46 slides

More recommend