Outline
Motivation (1 mn), p. 3
Abstract interpretation, reminder (10 mn), p. 6
Applications of abstract interpretation (2 mn), p. 21
A practical application to the ASTRÉE static analyzer (15 mn), p. 24
Examples of abstractions in ASTRÉE (15 mn), p. 40
Conclusion (2 mn), p. 56

IBM Research, January 20, 2006 — 2 — © P. Cousot

Motivation

Ariane 5.01 failure (overflow)
Patriot failure (float rounding)
Mars orbiter loss (unit error)

It is preferable to verify that mission/safety-critical programs do not go wrong before running them.
Abstract interpretation, reminder

Analyze the program at compile-time to verify a program runtime property (e.g. the absence of some categories of bugs). Undecidability $\Rightarrow$ effectively compute an abstraction/sound approximation of the program semantics, which is precise enough to imply the desired property, and coarse enough to be efficiently computable.

References
[POPL '77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4th ACM POPL.
[Thesis '78] P. Cousot. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse ès sci. math., Grenoble, March 1978.
[POPL '79] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th ACM POPL.

Syntax:
  $X \in \mathbb{X}$   variables
  $T \in \mathbb{T}$   types
  $E \in \mathbb{E}$   arithmetic expressions
  $B \in \mathbb{B}$   boolean expressions
  $D ::= T\;X\;D' \mid T\;X$   declarations
  $C ::= X = E ; \mid \mathtt{if}\;B\;C' \mid \mathtt{if}\;B\;C'\;\mathtt{else}\;C'' \mid \mathtt{while}\;B\;C' \mid \{C_1 \ldots C_n\}\ (n \ge 0)$   commands $C \in \mathbb{C}$
  $P ::= D\;C$   program $P \in \mathbb{P}$
Values of given type: $\mathbf{V}[\![T]\!]$ is the set of values of type $T \in \mathbb{T}$, e.g.
$\mathbf{V}[\![\mathtt{int}]\!] \stackrel{\text{def}}{=} \{ z \in \mathbb{Z} \mid \mathtt{min\_int} \le z \le \mathtt{max\_int} \}$.

Program states $\Sigma[\![P]\!]$ (a state $\sigma \in \Sigma[\![P]\!]$ of a program $P$ maps the program variables $X$ to their values $\sigma(X)$):
$\Sigma[\![D\;C]\!] \stackrel{\text{def}}{=} \Sigma[\![D]\!]$
$\Sigma[\![T\;X]\!] \stackrel{\text{def}}{=} \{X\} \mapsto \mathbf{V}[\![T]\!]$
$\Sigma[\![T\;X\;D]\!] \stackrel{\text{def}}{=} (\{X\} \mapsto \mathbf{V}[\![T]\!]) \cup \Sigma[\![D]\!]$

Concrete semantic domain for reachability properties: sets of states
$\mathbf{D}[\![P]\!] \stackrel{\text{def}}{=} \wp(\Sigma[\![P]\!])$,
i.e. program properties, where $\subseteq$ is implication, $\emptyset$ is false and $\cup$ is disjunction.

Concrete reachability semantics $\mathbf{S}[\![P]\!]R$:
$\mathbf{S}[\![X = E;]\!]R \stackrel{\text{def}}{=} \{ \sigma[X \leftarrow \mathbf{E}[\![E]\!]\sigma] \mid \sigma \in R \cap \mathrm{dom}(E) \}$
  where $\sigma[X \leftarrow v](X) = v$ and $\sigma[X \leftarrow v](Y) = \sigma(Y)$ for $Y \neq X$
$\mathbf{B}[\![B]\!]R \stackrel{\text{def}}{=} \{ \sigma \in R \cap \mathrm{dom}(B) \mid B \text{ holds in } \sigma \}$
$\mathbf{S}[\![\mathtt{if}\;B\;C']\!]R \stackrel{\text{def}}{=} \mathbf{S}[\![C']\!](\mathbf{B}[\![B]\!]R) \cup \mathbf{B}[\![\neg B]\!]R$
$\mathbf{S}[\![\mathtt{if}\;B\;C'\;\mathtt{else}\;C'']\!]R \stackrel{\text{def}}{=} \mathbf{S}[\![C']\!](\mathbf{B}[\![B]\!]R) \cup \mathbf{S}[\![C'']\!](\mathbf{B}[\![\neg B]\!]R)$
$\mathbf{S}[\![\mathtt{while}\;B\;C']\!]R \stackrel{\text{def}}{=} \mathbf{let}\; W = \mathrm{lfp}^{\subseteq} \lambda X.\, R \cup \mathbf{S}[\![C']\!](\mathbf{B}[\![B]\!]X) \;\mathbf{in}\; \mathbf{B}[\![\neg B]\!]W$
$\mathbf{S}[\![\{\}]\!]R \stackrel{\text{def}}{=} R$
$\mathbf{S}[\![\{C_1 \ldots C_n\}]\!]R \stackrel{\text{def}}{=} \mathbf{S}[\![C_n]\!] \circ \ldots \circ \mathbf{S}[\![C_1]\!]\,R$, $n > 0$
$\mathbf{S}[\![D\;C]\!]R \stackrel{\text{def}}{=} \mathbf{S}[\![C]\!](\Sigma[\![D]\!])$ (uninitialized variables)
Not computable (undecidability).

Abstract domain $\langle \mathbf{D}^\sharp[\![P]\!], \sqsubseteq, \bot, \sqcup \rangle$ such that
$\langle \mathbf{D}[\![P]\!], \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle \mathbf{D}^\sharp[\![P]\!], \sqsubseteq \rangle$,
i.e. $\forall X \in \mathbf{D}[\![P]\!],\ Y \in \mathbf{D}^\sharp[\![P]\!] : \alpha(X) \sqsubseteq Y \iff X \subseteq \gamma(Y)$,
hence $\langle \mathbf{D}^\sharp[\![P]\!], \sqsubseteq, \bot, \sqcup \rangle$ is a complete lattice such that
$\bot = \alpha(\emptyset)$ and $\sqcup X = \alpha(\cup\, \gamma(X))$.
Traces: set of finite or infinite maximal sequences of states for the operational transition semantics.

$\alpha_1$: Set of reachable states, i.e. the set of states appearing at least once along one of these traces (global invariant)
$\alpha_1(X) = \{ \sigma_i \mid \sigma \in X \wedge 0 \le i < |\sigma| \}$

$\alpha_2$: Partitioned set of reachable states, projected along each control point (local invariant)
$\alpha_2(\{ \langle c_i, \rho_i \rangle \mid i \in \Delta \}) = \lambda c.\, \{ \rho_i \mid i \in \Delta \wedge c = c_i \}$

Strongest liberal postcondition: final states $s$ reachable from a given precondition $P$
$\alpha(X) = \lambda P.\, \{ s \mid \exists \sigma_0 \sigma_1 \ldots \sigma_n \in X : \sigma_0 \in P \wedge s = \sigma_n \}$
We have ($\Sigma$: set of states, $\dot\subseteq$ pointwise):
$\langle \wp(\Sigma^{\infty}), \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle \wp(\Sigma) \mapsto \wp(\Sigma), \dot\subseteq \rangle$

$\alpha_3$: Partitioned cartesian set of reachable states, projected along each program variable (relationships between variables are now lost)
$\alpha_3(\lambda c.\, \{ \rho_i \mid i \in \Delta_c \}) = \lambda c.\, \lambda X.\, \{ \rho_i(X) \mid i \in \Delta_c \}$

$\alpha_4$: Partitioned cartesian interval of reachable states, taking the min and max of the values of the variables (assuming these values to be totally ordered)
$\alpha_4(\lambda c.\, \lambda X.\, \{ v_i \mid i \in \Delta_{c,X} \}) = \lambda c.\, \lambda X.\, \langle \min \{ v_i \mid i \in \Delta_{c,X} \},\ \max \{ v_i \mid i \in \Delta_{c,X} \} \rangle$

$\alpha_1$, $\alpha_2$, $\alpha_3$ and $\alpha_4$, whence $\alpha_4 \circ \alpha_3 \circ \alpha_2 \circ \alpha_1$, are lower adjoints of Galois connections.

To combine abstractions
$\langle \mathbf{D}, \subseteq \rangle \underset{\alpha_1}{\overset{\gamma_1}{\leftrightarrows}} \langle \mathbf{D}^\sharp_1, \sqsubseteq_1 \rangle$ and $\langle \mathbf{D}, \subseteq \rangle \underset{\alpha_2}{\overset{\gamma_2}{\leftrightarrows}} \langle \mathbf{D}^\sharp_2, \sqsubseteq_2 \rangle$,
the reduced product is
$\alpha(X) \stackrel{\text{def}}{=} \sqcap \{ \langle x, y \rangle \mid X \subseteq \gamma_1(x) \wedge X \subseteq \gamma_2(y) \}$
such that $\sqsubseteq = \sqsubseteq_1 \times \sqsubseteq_2$, $\gamma = \gamma_1 \times \gamma_2$ and $\langle \mathbf{D}, \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle \alpha(\mathbf{D}), \sqsubseteq \rangle$.
Example: $x \in [1, 9] \wedge x \bmod 2 = 0$ reduces to $x \in [2, 8] \wedge x \bmod 2 = 0$.
Abstract reachability semantics $\mathbf{S}^\sharp[\![P]\!]R$:
$\mathbf{S}^\sharp[\![X = E;]\!]R \stackrel{\text{def}}{=} \alpha(\{ \sigma[X \leftarrow \mathbf{E}[\![E]\!]\sigma] \mid \sigma \in \gamma(R) \cap \mathrm{dom}(E) \})$
$\mathbf{B}^\sharp[\![B]\!]R \stackrel{\text{def}}{=} \alpha(\{ \sigma \in \gamma(R) \cap \mathrm{dom}(B) \mid B \text{ holds in } \sigma \})$
$\mathbf{S}^\sharp[\![\mathtt{if}\;B\;C']\!]R \stackrel{\text{def}}{=} \mathbf{S}^\sharp[\![C']\!](\mathbf{B}^\sharp[\![B]\!]R) \sqcup \mathbf{B}^\sharp[\![\neg B]\!]R$
$\mathbf{S}^\sharp[\![\mathtt{if}\;B\;C'\;\mathtt{else}\;C'']\!]R \stackrel{\text{def}}{=} \mathbf{S}^\sharp[\![C']\!](\mathbf{B}^\sharp[\![B]\!]R) \sqcup \mathbf{S}^\sharp[\![C'']\!](\mathbf{B}^\sharp[\![\neg B]\!]R)$
$\mathbf{S}^\sharp[\![\mathtt{while}\;B\;C']\!]R \stackrel{\text{def}}{=} \mathbf{let}\; W = \mathrm{lfp}^{\sqsubseteq} \lambda X.\, R \sqcup \mathbf{S}^\sharp[\![C']\!](\mathbf{B}^\sharp[\![B]\!]X) \;\mathbf{in}\; \mathbf{B}^\sharp[\![\neg B]\!]W$
$\mathbf{S}^\sharp[\![\{\}]\!]R \stackrel{\text{def}}{=} R$
$\mathbf{S}^\sharp[\![\{C_1 \ldots C_n\}]\!]R \stackrel{\text{def}}{=} \mathbf{S}^\sharp[\![C_n]\!] \circ \ldots \circ \mathbf{S}^\sharp[\![C_1]\!]\,R$, $n > 0$
$\mathbf{S}^\sharp[\![D\;C]\!]R \stackrel{\text{def}}{=} \mathbf{S}^\sharp[\![C]\!](\top)$ (uninitialized variables)

[Figure: iterates of $F$ from $\bot$ in the concrete domain and of $F^\sharp$ from $\bot$ in the abstract domain, related by the approximation relation $\sqsubseteq$, with the soundness condition $F \circ \gamma \sqsubseteq \gamma \circ F^\sharp$.]

The same abstract semantics, with the loop case replaced by an iteration with widening (all other cases unchanged):
$\mathbf{S}^\sharp[\![\mathtt{while}\;B\;C']\!]R \stackrel{\text{def}}{=} \mathbf{let}\; F^\sharp = \lambda X.\, \mathbf{let}\; Y = R \sqcup \mathbf{S}^\sharp[\![C']\!](\mathbf{B}^\sharp[\![B]\!]X) \;\mathbf{in}\; (\mathbf{if}\; Y \sqsubseteq X \;\mathbf{then}\; X \;\mathbf{else}\; X \mathrel{\triangledown} Y)$
$\quad \mathbf{and}\; W = \mathrm{lfp}^{\sqsubseteq} F^\sharp \;\mathbf{in}\; \mathbf{B}^\sharp[\![\neg B]\!]W$
Note: $F^\sharp$ is not monotonic!

[Figure: the corresponding iterates of $F$ and of $F^\sharp$ with widening, from $\bot$, in the concrete and abstract domains.]
Applications of abstract interpretation

[POPL '77], [POPL '78], [POPL '79], including [POPL '79], [POPL '00], [FPCA '95], [Manna's festschrift '03], ..., [TCS 290(1) 2002], [POPL '92], [TCS 277(1–2) 2002], [POPL '97], [POPL '00], [POPL '02], [POPL '04], [RT-ESOP '04].

All these techniques involve sound approximations that can be formalized by abstract interpretation.

A practical application to the ASTRÉE static analyzer

Reference [1]