frama c training session introduction to acsl and its gui
play

Frama-C Training Session Introduction to ACSL and its GUI Virgile - PowerPoint PPT Presentation

Aug 22, 2022 •205 likes •612 views

Frama-C Training Session Introduction to ACSL and its GUI Virgile Prevosto CEA List October 21 st , 2010 outline Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic

  1. Frama-C Training Session Introduction to ACSL and its GUI Virgile Prevosto CEA List October 21 st , 2010

  2. outline Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  3. Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  4. Presentation Motivations Main objective Statically determine some semantic properties of a program ◮ safety: pointer are all valid, no arithmetic overflow, ... ◮ termination ◮ functional properties ◮ dead code ◮ ... Embedded code ◮ Much simpler than desktop applications ◮ Some parts are critical, i.e. a bug have severe consequences (financial loss, or even dead people) ◮ Thus a good target for static analysis

  5. Presentation Some tools Polyspace Verifier Checks for (absence of) run-time error C/C++/Ada) http: //www.mathworks.com/products/polyspace/ ASTRÉE Absence of error without false alarm in SCADE-generated code http: //www.di.ens.fr/~cousot/projets/ASTREE/ Coverity Checks for various code defects (C/C++/Java) http://www.coverity.com

  6. Presentation Some tools (cont’d) a3 Worst-case execution time and Stack depth http://www.absint.com/ FLUCTUAT Accuracy of floating-point computations and origin of rounding errors http: //www-list.cea.fr/labos/fr/LSL/fluctuat/ Frama-C A toolbox for analysis of C programs http://frama-c.com/

  7. Presentation A brief history ◮ 90’s: CAVEAT, an Hoare logic-based tool for C programs ◮ 2000’s: CAVEAT used by Airbus during certification process of the A380 ◮ 2002: Why and its C front-end Caduceus ◮ 2006: Joint project to write a successor to CAVEAT and Caduceus ◮ 2008: First public release of Frama-C (Hydrogen) ◮ today: ◮ Frama-C Boron ◮ Multiple projects around the platform ◮ A growing community of users

  8. Presentation Architecture ◮ A modular architecture ◮ Kernel: ◮ CIL (U. Berkeley) library for the C front-end ◮ ACSL front-end ◮ Global management of analyzer’s state ◮ Various plug-ins for the analysis ◮ Value analysis (abstract interpretation) ◮ Jessie (translation to Why) ◮ Slicing ◮ Impact analysis ◮ ...

  9. Presentation ACSL: ANSI/ISO C Specification Language Presentation ◮ Based on the notion of contract, à la Eiffel ◮ Allow the users to specify functional properties of their programs ◮ Allow communication between the various plugin ◮ Independent from a particular analysis Basic Components ◮ First-order logic ◮ Pure C expressions ◮ C types + Z ( integer ) and R ( real ) ◮ Built-ins predicates and logic functions, particularly over pointers: \valid (p) , \valid (p+0..2) , \separated (p+0..2,q+0..5) , \block_length (p) ,...

  10. Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  11. ACSL Specifications - Function contracts Key Ingredients Specification of a function ◮ Contract between caller and callee ◮ Callee requires some pre-conditions from the caller ◮ Callee ensures some post-conditions hold when it returns A first example unsigned int M; /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean( unsigned int * p, unsigned int * q) { if (*p >= *q) { M = (*p - *q) / 2 + *q; } else { M = (*q - *p) / 2 + *p; } }

  12. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean( unsigned int * p, unsigned int * q); A valid implementation

  13. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean( unsigned int * p, unsigned int * q); A valid implementation void mean( int *p, int * q) { *p = *q = M = 0; }

  14. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; ensures *p == \old (*p) && *q == \old (*q); */ void mean( unsigned int * p, unsigned int * q); A valid implementation

  15. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; ensures *p == \old (*p) && *q == \old (*q); */ void mean( unsigned int * p, unsigned int * q); A valid implementation int A = 42; void mean( int *p, int * q) { if (*p >= *q) ... else ... A = 0; }

  16. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; assigns M; */ void mean( unsigned int * p, unsigned int * q); A valid implementation

  17. ACSL Specifications - Function contracts Specification of Side Effects The specification /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; assigns M; */ void mean( unsigned int * p, unsigned int * q); A valid implementation void mean( int *p, int * q) { if (*p >= *q) { M = (*p - *q) / 2 + *q; } else { M = (*q - *p) / 2 + *p; } }

  18. ACSL Specifications - Function contracts A more advanced example Informal spec ◮ Input: a sorted array and its length, an element to search. ◮ Output: index of the element or -1 if not found Towards a formal specification int find_array( int * arr , int length , int query ); ◮ How to specify the two distinct outcome? ◮ What does that mean for arr to be sorted ? ◮ How to prove the implementation? Deductive Verification

  19. ACSL Specifications - Function contracts Behaviors /*@ behavior found: assumes \exists integer i; 0<=i<length && arr[i] == query; ensures 0<= \result <length && arr[ \result ] == query; behavior not_found: assumes \forall integer i; 0<=i<length ==> arr[i] != query; ensures \result == -1; complete behaviors ; disjoint behaviors ; */ int find_array( int * arr , int length , int query );

  20. ACSL Specifications - First-order logic Predicate definition /*@ predicate sorted{L}( int * arr , int length) = \forall integer i,j; 0<=i<=j<length ==> arr[i] <= arr[j]; */ /*@ requires sorted{Here }(arr ,length ); requires \valid (arr +(0.. length -1)); requires length >= 0; */ int find_array( int * arr , int length , int query );

  21. ACSL Specifications - First-order logic Axiomatic definition /*@ inductive sorted{L}( int * arr , int length) { case singleton{L}: \forall int * arr; sorted{L}(arr ,0); case trans{L}: \forall int * arr , integer length; sorted{L}(arr ,length) && arr[length -1] <= arr[length] ==> sorted{L}(arr ,length + 1); } */ /*@ requires sorted{Here }(arr ,length ); requires \valid (arr +(0.. length -1)); requires length >= 0; */ int find_array( int * arr , int length , int query );

  22. ACSL Specifications - Loops Implementation of find_array int find_array( int * arr , int length , int query) { int min = 0; int max = length - 1; int mean; while (min <= max) { mean = min + (max - min) / 2; if (arr[mean] == query) return mean; if (arr[mean] < query) min = mean + 1; else max = mean - 1; } return -1; }

  23. ACSL Specifications - Loops Loop annotations /*@ loop invariant 0<= min < length; loop invariant 0<= max < length; loop invariant \forall integer i; 0<=i<min ==> arr[i] < query; loop invariant \forall integer i; max <i<length ==> arr[i] > query; loop assigns mean , min , max; loop variant max - min; */ while (min <= max) { ... }

  24. while (min <= max) { mean = min + (max - min) / 2; /*@ assert min <= mean <= max; */ if (arr[mean] == query) return mean; if (arr[mean] < query) min = mean + 1; else max = mean - 1;

  25. Presentation ACSL Specifications Function contracts First-order logic Loops Assertions Deductive Verification Hoare logic Pointers and Memory Jessie Plugin

  26. Deductive Verification - Hoare logic Hoare logic ◮ Introduced by Floyd and Hoare (70s) ◮ Hoare triple: { P } s { Q } , meaning: If P holds, then Q will hold after the execution of statement s ◮ Deduction rules on Hoare triples: Axiomatic semantic

  27. Deductive Verification - Hoare logic Some rule examples Q ′ ⇒ Q { P ′ } s { Q ′ } P ⇒ P ′ { P } s { Q } { P }{ P } { P } s_1 { R } { R } s_2 { Q } e evaluates without error { P } s_1;s_2 { Q } { P [ x ← e ] } x=e; { P } { P ∧ e } s_1 { Q } { P ∧ !e } s_2 { Q } { P } if (e) s_1 else s_2 { Q } { I ∧ e } s { I } { I } while (e) s { I ∧ !e }

  28. Deductive Verification - Hoare logic Weakest pre-condition ◮ Program seen as a predicate transformer ◮ Given a function s , a pre-condition Pre and a post-condition Post ◮ We start from Post at the end of the function and go backwards ◮ At each step, we have a property Q and a statement s , and compute the weakest pre-condition P such that { P } s { Q } is a valid Hoare triple. ◮ When we reach the beginning of the function with property P , we must prove Pre ⇒ P .

Recommend

PVS Linear Algebra Libraries for Verification of Control Software Algorithms in C/ACSL Heber

PVS Linear Algebra Libraries for Verification of Control Software Algorithms in C/ACSL Heber

Introduction Stability and correctness Defining quadratic invariants as code annotations Verification conditions Mapping PVS Linear Algebra Libraries for Verification of Control Software Algorithms in C/ACSL Heber Herencia-Zapana, Romain

990 views • 75 slides
Open Data for Urban Research Session 4 Presenting Data frama.link/odur-2018-s4 This course

Open Data for Urban Research Session 4 Presenting Data frama.link/odur-2018-s4 This course

Open Data for Urban Research Session 4 Presenting Data frama.link/odur-2018-s4 This course Open Data for Urban Research This session Presenting Data, Spatial Visualization Replication material github.com/datactivist/

659 views • 64 slides
STM32F7 - Welcome Revision 1.0 Hello, and welcome to the STM32F7 training session. 1 Training

STM32F7 - Welcome Revision 1.0 Hello, and welcome to the STM32F7 training session. 1 Training

STM32F7 - Welcome Revision 1.0 Hello, and welcome to the STM32F7 training session. 1 Training session organization 2 Introduction System Memory Security &amp; Safety Analog Communication &amp; Peripherals Watchdogs &amp; Timers

272 views • 10 slides
Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop? offering

Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop? offering

Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop? offering elements of training and professional development provide further information about MusiQuE o For whom is it? potential and confirmed MusiQuE

754 views • 46 slides
CONC 2 SEQ : A Frama-C Plugin for the Verification of Parallel Compositions of C Programs Allan

CONC 2 SEQ : A Frama-C Plugin for the Verification of Parallel Compositions of C Programs Allan

CONC 2 SEQ : A Frama-C Plugin for the Verification of Parallel Compositions of C Programs Allan Blanchard 3 , 2 Nikolai Kosmatov 2 Frdric Loulergue 1 , 3 1 School of Informatics, 2 CEA LIST 3 Laboratoire dInformatique Computing, and Cyber

661 views • 19 slides
1 Facilitator Training Facilitator Training Facilitator Training Facilitator Training 2

1 Facilitator Training Facilitator Training Facilitator Training Facilitator Training 2

1 Facilitator Training Facilitator Training Facilitator Training Facilitator Training 2 Introduction Introduction Introduction Introduction Facilitators ensure that group participants remain focused on a prearranged agenda or set of

382 views • 21 slides
Training will begin soon Thanks for joining HQ RIO for our first virtual training session!

Training will begin soon Thanks for joining HQ RIO for our first virtual training session!

Training will begin soon Thanks for joining HQ RIO for our first virtual training session! The chat function you see is moderated; if you post there, you wont see it until the moderators answer and make it public. Please only use it for

411 views • 22 slides
Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr,

1.79k views • 151 slides
Pension Board Training Firefighter Pension Schemes 22 nd August 2017 Morning Session

Pension Board Training Firefighter Pension Schemes 22 nd August 2017 Morning Session

Pension Board Training Firefighter Pension Schemes 22 nd August 2017 Morning Session Introduction and group session Introduction to the Fire Pension Schemes Firefighters Pension Fund Quiz Background to Governance The

2.25k views • 192 slides
Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013

Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013

Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013 Motivation Main objective: Rigorous, mathematical proof of semantic properties of a program functional properties safety: all memory

704 views • 47 slides
A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan Blanchard Nikolai Kosmatov Matthieu Lemerre Fr ed eric Loulergue FMICS 2015 June 22, 2015 CONTENTS Anaxagoros Virtual Memory Formal

590 views • 31 slides
Reviewers Training Session o Who we are? MusiQuE Board members MusiQuE Team MusiQuE

Reviewers Training Session o Who we are? MusiQuE Board members MusiQuE Team MusiQuE

Introduction to the MusiQuE Peer- Reviewers Training Session o Who we are? MusiQuE Board members MusiQuE Team MusiQuE Trainers o Who are you? Introduction to the MusiQuE Peer- Reviewers Training Session o Why this workshop?

627 views • 50 slides
ADOPT -A- HIGHWAY TRAINING SESSION ADOPT-A-HIGHWAY Why do I need training to pick up garbage?

ADOPT -A- HIGHWAY TRAINING SESSION ADOPT-A-HIGHWAY Why do I need training to pick up garbage?

ADOPT -A- HIGHWAY TRAINING SESSION ADOPT-A-HIGHWAY Why do I need training to pick up garbage? There are several answers to that question.. LIABILITY The Ministry of Transportation must provide training to groups working on the

340 views • 31 slides
Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr, nikolai.kosmatov@cea.fr,

1.52k views • 151 slides
Annual Training Session Todays topic: Private Business Use I. Introduction Nancy Winkler,

Annual Training Session Todays topic: Private Business Use I. Introduction Nancy Winkler,

Post-Issuance Tax Compliance Annual Training Session Todays topic: Private Business Use I. Introduction Nancy Winkler, City Treasurer Private Business Use 10/4/13 1 II. Overview Private Use 101 Kim Betterton Ballard Spahr Private

285 views • 14 slides
1 A map to the training session content Interfolio is a software company, RPT is one of their

1 A map to the training session content Interfolio is a software company, RPT is one of their

Introduce session and presenter. Recommended to have 2 screens or 2 laptops 1 A map to the training session content Interfolio is a software company, RPT is one of their products, which we have branded TCNJ Faculty Process given its uses here.

341 views • 18 slides
UKALL14 TRAINING AND Q&amp;A SESSION 1 UKALL14 Registration only sub -study training slides

UKALL14 TRAINING AND Q&amp;A SESSION 1 UKALL14 Registration only sub -study training slides

UKALL14 TRAINING AND Q&amp;A SESSION 1 UKALL14 Registration only sub -study training slides v1.0 15Nov2017 Registration only sub -study - overview From implementation of protocol v.11.0 onwards, newly-diagnosed B-cell patients can

480 views • 14 slides
e-DoI and e-CV submission: Why Who What How ? Training session for patients and

e-DoI and e-CV submission: Why Who What How ? Training session for patients and

e-DoI and e-CV submission: Why Who What How ? Training session for patients and consumers involved in EMA activities 25 November 2014 Presented by Luc Van Santvliet Scientific Committee Support Department An agency of the

266 views • 26 slides
Commonwealth Corps December Training &amp; Reflection Session Thank you for. Overview

Commonwealth Corps December Training &amp; Reflection Session Thank you for. Overview

Commonwealth Corps December Training &amp; Reflection Session Thank you for. Overview Reminders &amp; Announcements Training Stress Management &amp; Burnout Making &amp; Continuing Powerful Connections in our Communities

330 views • 15 slides
SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

CYFDs Mandated Foster Parent Training: Promoting Successful Placements and Child-Well Being SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This session builds on earlier content, emphasizing that many

935 views • 50 slides
SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

CYFDs Mandated Foster Parent Training: Promoting Successful Placements and Child-Well Being SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This session builds on earlier content, emphasizing that many

1.05k views • 51 slides
A One-Day GME Quality and GME Quality &amp; Safety Training Safety Training Session for 1. Teach

A One-Day GME Quality and GME Quality &amp; Safety Training Safety Training Session for 1. Teach

3/30/2016 A One-Day GME Quality and GME Quality &amp; Safety Training Safety Training Session for 1. Teach new residents/fellows concepts of patient safety and quality improvement processes Housestaff: 2. Inspire housestaff engagement in

365 views • 4 slides
Hello, and welcome to the STM32L4 series introduction training session. This presentation

Hello, and welcome to the STM32L4 series introduction training session. This presentation

Hello, and welcome to the STM32L4 series introduction training session. This presentation provides information about the various product lines available in the STM32L4 series. 1 The STM32L4 series is divided into product lines differentiated by

414 views • 9 slides
Introduction to training offering by EMA Training Module PhV-M0 This module provides an overview

Introduction to training offering by EMA Training Module PhV-M0 This module provides an overview

Introduction to training offering by EMA Training Module PhV-M0 This module provides an overview of all training offerings planned by EMA in the area of EudraVigilance, EVDAS, ADR reporting and signal detection providing learning paths for new

342 views • 23 slides

More recommend