context generation from formal specifications for c
play

Context Generation from Formal Specifications for C Analysis Tools - PowerPoint PPT Presentation

Aug 04, 2023 •216 likes •575 views

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1 Code Analysis Tools Effective enough

  1. Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1

  2. Code Analysis Tools • Effective enough for real-world code; • Based on different approaches: • Abstract interpretation; • Symbolic execution; • Testing. • Work best on whole programs; • Start from the main entry point of the program. 2

  3. Single Function Analysis Common scenario: Analysis of single functions. • Third-party software ( e.g. libraries); • Core/Critical functions only. Q: How to analyze single functions? int foo ( int *a, size_t size) { /* some interesting computation */ } 3

  4. Single Function Analysis Common scenario: Analysis of single functions. • Third-party software ( e.g. libraries); • Core/Critical functions only. Q: How to analyze single functions? int foo ( int *a, size_t size) { /* some interesting computation */ } A: Set the function in question as the entry point (here, foo ). 3

  5. Single Function Analysis Common scenario: Analysis of single functions. • Third-party software ( e.g. libraries); • Core/Critical functions only. Q: How to analyze single functions? int foo ( int *a, size_t size) { /* some interesting computation */ } A: Set the function in question as the entry point (here, foo ). Outcome Mostly imprecise and useless analysis results. 3

  6. Function Context Bottom Line Analyzing single functions requires an appropriate context. Function context: • Initialization of function parameters and globals; • Actual entry point to start the analysis from. 4

  7. Function Context Bottom Line Analyzing single functions requires an appropriate context. Function context: • Initialization of function parameters and globals; • Actual entry point to start the analysis from. Common approaches: • Write the context by-hand: Error-prone; 4

  8. Function Context Bottom Line Analyzing single functions requires an appropriate context. Function context: • Initialization of function parameters and globals; • Actual entry point to start the analysis from. Common approaches: • Write the context by-hand: Error-prone; • Make analysis tools support a specification language: Arduous (if ever possible) and to be done for every tool. 4

  9. This Work Idea Automatic contexts generation from formal specifications. Contributions: • System of inference rules for computing symbolic ranges; • Precise and sound formalization; • Prototype implementation as Frama-C plug-in. 5

  10. Outline Background: Frama-C and ACSL Simplifying ACSL Preconditions Generating C Function Contexts 6

  11. Frama-C • Suite of tools for the source code analysis of C programs; • Extensible and collaborative platform: • Modular plug-in architecture based on a common kernel; • Combination of analysis to provide more precise results. • Main available analysis: • Variable variation domains via abstract interpretation; • Deductive verification via weakest precondition calculus. • Frama-C is open source software. 7

  12. ACSL: ANSI/ISO C Specification Language • Behavioral specification language for C programs; • Specifications via code annotations of the form /*@ ... */ ; • Function contracts given by pre- and postconditions: /*@ requires \valid (a); @ requires 0 <= size <= 32; @ requires size % 16 == 0; @ ensures \forall integer i; 0 <= i < size ==> *(a+i) == 0; */ int foo ( int *a, size_t size) { ... } 8

  13. ACSL: ANSI/ISO C Specification Language • Behavioral specification language for C programs; • Specifications via code annotations of the form /*@ ... */ ; • Function contracts given by pre- and postconditions: /*@ requires \valid (a); @ requires 0 <= size <= 32; @ requires size % 16 == 0; @ ensures \forall integer i; 0 <= i < size ==> *(a+i) == 0; */ int foo ( int *a, size_t size) { ... } • This work considers preconditions only ( i.e. requires ). 8

  14. Core Specification Language P ::= T {≡ , ≤ , < } T term comparison | defined ( M ) M is defined | P ∧ P | P ∨ P | ¬ P logic formula T ::= z integer constant ( z ∈ Z ) | M memory value | T { + , - , × , / , % } T arithmetic operation M ::= L left value | M ++ T displacement L ::= x C variable | ⋆ M dereference 9

  15. Outline Background: Frama-C and ACSL Simplifying ACSL Preconditions Generating C Function Contexts 10

  16. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) 11

  17. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) First attempt: Directly implement predicates one-by-one. • Declare and properly initialize each left value involved; • Turn term comparisons into conditionals. int size; make_int(&size, 1); int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); if (4 <= size) && (size <= 16) { ... } 11

  18. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) First attempt: Directly implement predicates one-by-one. • Declare and properly initialize each left value involved; • Turn term comparisons into conditionals. int size; make_int(&size, 1); int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); if (4 <= size) && (size <= 16) { ... } Shortcoming: Erratic dependencies among left values. 11

  19. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) Revision: Pre-compute dependency graph among left values. int size, n; make_int(&size, 1); make_int(&n, 1); if (4 <= size) && (size <= 16) { if (size % 2 == 0) { int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); *(buf + n) = 0xC0000001; bar(buf, size, n); } } 12

  20. How to turn a precondition into a context? /*@ requires defined (buf + (0..size-1)); @ requires 4 <= size <= 16; @ requires size % 2 == 0; @ requires *(buf + n) == 0xC0000001; */ int bar ( int *buf, int size, int n) Revision: Pre-compute dependency graph among left values. int size, n; make_int(&size, 1); make_int(&n, 1); if (4 <= size) && (size <= 16) { if (size % 2 == 0) { int * buf = ( int *) malloc(size * sizeof ( int )); make_int(buf, size); *(buf + n) = 0xC0000001; bar(buf, size, n); } } Shortcoming: Relation between size and n is overlooked. 12

  21. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). 13

  22. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) 13

  23. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) • From (1) : { buf �→ [ 0 , size − 1 ] , size �→ [ −∞ , + ∞ ] } ; 13

  24. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) • From (1) : { buf �→ [ 0 , size − 1 ] , size �→ [ −∞ , + ∞ ] } ; • From (2) : size �→ [ −∞ , + ∞ ] ⊓ [ 4 , 16 ] = [ 4 , 16 ] ; 13

  25. Simplify Predicates into State Constraints Each predicate is turned into: • Symbolic variation domain computed for every left value; • Side-condition to be checked at runtime ( i.e. runtime check). /*@ requires defined (buf + (0..size-1)); // (1) @ requires 4 <= size <= 16; // (2) @ requires size % 2 == 0; // (3) @ requires *(buf + n) == 0xC0000001; // (4) */ int bar ( int *buf, int size, int n) • From (1) : { buf �→ [ 0 , size − 1 ] , size �→ [ −∞ , + ∞ ] } ; • From (2) : size �→ [ −∞ , + ∞ ] ⊓ [ 4 , 16 ] = [ 4 , 16 ] ; • From (3) : size �→ [ 4 , 16 ] , 0 % 2; 13

Recommend

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science

Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science

Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1 Synopsis Specifications are useful for many tasks Use of specifications

485 views • 29 slides
Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For the system user: specification captures the properties of the system the user can rely on. For the system developer: specification captures all the

297 views • 26 slides
Formal Formal Component Component Models Models for for Context Context

Formal Formal Component Component Models Models for for Context Context

Formal Formal Component Component Models Models for for Context Context Awareness Awareness Deploy FP7 MatsNeovius andKaisaSere FMCO2008 boAkademi FacultyofTechnology, 1 22.10.2008

431 views • 22 slides
Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 4. Formal specifications: LTL, CTL 2018 1 / 37 State (reachability) graph of

1.14k views • 94 slides
Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based Systems Oscar Carrillo Dpartement dInformatique des Systmes Complexes (DISC), Femto-ST UMR 6174 CNRS Encadrement : Hassan Mountassir et Samir

972 views • 65 slides
On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems Mika Katara, Reino Kurki-Suonio and Tommi Mikkonen Institute of Software Systems Tampere University of Technology Finland Outline 1.

1.03k views • 21 slides
A Context-aware Natural Language Generation Dataset for Dialogue Systems Ondej Duek and Filip

A Context-aware Natural Language Generation Dataset for Dialogue Systems Ondej Duek and Filip

. . . . . . . . . . . . . . A Context-aware Natural Language Generation Dataset for Dialogue Systems Ondej Duek and Filip Jurek Institute of Formal and Applied Linguistics Charles University in Prague May 28, 2016 LREC

911 views • 49 slides
Lessons learned Techniques Limitations of formal specifications Cost of technical staff

Lessons learned Techniques Limitations of formal specifications Cost of technical staff

CRIM Lessons learned Techniques Limitations of formal specifications Cost of technical staff training Ease of communication between different system stakeholders by using object- oriented modeling techniques and OMT as notational

302 views • 9 slides
Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran einnec Xavier Thirioux Universit e de Toulouse, France Institut de Recherche en Informatique de Toulouse { mauran,queinnec,thirioux } @enseeiht.fr

606 views • 19 slides
Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert

Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert

Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert Garavel Lina Marsso Inria Grenoble LIG Universit Grenoble Alpes http://convecs.inria.fr Outline The Message Authenticator Algorithm (MAA)

741 views • 39 slides
PDDL PDDL Introduction Introduction WordPad WordPad PDDL PDDL

PDDL PDDL Introduction Introduction WordPad WordPad PDDL PDDL

FORMAL SPECIFICATIONS FORMAL SPECIFICATIONS USING USING PDDL PDDL Introduction Introduction WordPad WordPad PDDL PDDL Formal Specification INTRO Formal Specification INTRO We can describe a system using

542 views • 28 slides
1 FM does not replace testing! Why Use Formal Methods Reduces burden on testing phases to

1 FM does not replace testing! Why Use Formal Methods Reduces burden on testing phases to

Topics Introduction and terminology Overview of Formal Methods FM and Software Engineering Applications of FM Propositional and Predicate Logic Program derivation Intuitive program verification Algebraic Specifications

174 views • 5 slides
FORMAL REASONING GROUP http://www-formal.stanford.edu/ John McCarthy (logical AI +) Carolyn

FORMAL REASONING GROUP http://www-formal.stanford.edu/ John McCarthy (logical AI +) Carolyn

FORMAL REASONING GROUP http://www-formal.stanford.edu/ John McCarthy (logical AI +) Carolyn Talcott (math of programs) Tom Costello (logical AI +) Sa sa Buva c (formal theories of context) (finishing) Eyal Amir( object oriented logic)

394 views • 25 slides
Improving Link Discovery using context-aware link specifications LDOW 2016 PhD candidate Andrea

Improving Link Discovery using context-aware link specifications LDOW 2016 PhD candidate Andrea

Improving Link Discovery using context-aware link specifications LDOW 2016 PhD candidate Andrea Cimmino Supervised by David Ruiz, University of Seville, Spain Carlos R. Rivero, Rochester Institute of Technology, USA Hi! My name is Andrea

615 views • 32 slides
A Formal Model and Composition Language for Context-Aware Service Protocols Javier Cubo, Carlos

A Formal Model and Composition Language for Context-Aware Service Protocols Javier Cubo, Carlos

A Formal Model and Composition Language for Context-Aware Service Protocols A Formal Model and Composition Language for Context-Aware Service Protocols Javier Cubo, Carlos Canal, Ernesto Pimentel, Gwen Sala un University of M alaga, Spain

603 views • 10 slides
Appropriate LVRR Standards and Specifications for Lao PDR Presented by Bounta Meksavanh 1 Key

Appropriate LVRR Standards and Specifications for Lao PDR Presented by Bounta Meksavanh 1 Key

SEACAP 3.01 Appropriate LVRR Standards and Specifications for Lao PDR Presented by Bounta Meksavanh 1 Key Aims The development &amp; mainstreaming of appropriate rural road standards based on road function &amp; available resources Formal

365 views • 14 slides
Science Framework, And Next Generation Science Standards Context Education is US is a

Science Framework, And Next Generation Science Standards Context Education is US is a

Science Framework, And Next Generation Science Standards Context Education is US is a controlled at the state and local level. Common Core Math and Language Arts -- 47+ states choosing common standards Next Generation Science

534 views • 24 slides
Discovering Relational Specifications by Calvin Smith, Gabriel Ferns, Aws Albarghouthi Muqsit

Discovering Relational Specifications by Calvin Smith, Gabriel Ferns, Aws Albarghouthi Muqsit

Discovering Relational Specifications Discovering Relational Specifications by Calvin Smith, Gabriel Ferns, Aws Albarghouthi Muqsit Azeem TRDDC, Pune July 21, 2018 Formal Methods Update Meeting, BITS Pilani, Goa Campus Muqsit Azeem TRDDC, Pune

843 views • 51 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides
Pumping Lemma for Context-Free Languages CSCI 3130 Formal Languages and Automata Theory Siu On

Pumping Lemma for Context-Free Languages CSCI 3130 Formal Languages and Automata Theory Siu On

Pumping Lemma for Context-Free Languages CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Fall 2019 Chinese University of Hong Kong 1/18 regular context-free These languages are not regular Are they context-free? 2/18 L 1 = { a n

554 views • 19 slides
Real-time Java API Specifications for High Coverage Test Generation Wolfgang Ahrendt Wojciech

Real-time Java API Specifications for High Coverage Test Generation Wolfgang Ahrendt Wojciech

Real-time Java API Specifications for High Coverage Test Generation Wolfgang Ahrendt Wojciech Gabriele Paganelli Mostowski Chalmers Technical Chalmers Technical University University University of Twente Contributions JML Formalisation

452 views • 44 slides
Exploiting the hierarchical structure of rule-based specifications for decision planning Alberto

Exploiting the hierarchical structure of rule-based specifications for decision planning Alberto

Exploiting the hierarchical structure of rule-based specifications for decision planning Alberto Lluch Artur Boronat Roberto Bruni Ugo Montanari Generoso Paolillo IFIP International Conference on Formal T echniques for Distributed Systems

1.29k views • 94 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides

More recommend