
Motivation, Patrick Cousot and Radhia Cousot, École normale supérieure (PowerPoint PPT presentation)



Slide 1: Static Analysis of Embedded Control/Command Software by Abstract Interpretation

Motivation

Patrick Cousot, École normale supérieure, Paris, France, cousot@ens.fr, www.di.ens.fr/~cousot
Radhia Cousot, CNRS & École polytechnique, Palaiseau, France, Radhia.Cousot@polytechnique.edu, www.polytechnique.fr/enseignants/rcousot

Kestrel Technology, Palo Alto, CA, Nov. 7th, 2005. © P. & R. Cousot

Slide 2: Talk Outline
- Motivation (2 mn) . . . . . . . . . . . . p. 4
- Abstract interpretation, reminder (12 mn) . . . . . . . . . . . . p. 8
- Applications of abstract interpretation (2 mn) . . . . . . . . . . . . p. 24
- A practical application to the ASTRÉE static analyzer (18 mn) . . . . . . . . . . . . p. 24
- Examples of abstractions in ASTRÉE (12 mn) . . . . . . . . . . . . p. 44
- Static analysis of systems (6 mn) . . . . . . . . . . . . p. 58
- Conclusion (2 mn) . . . . . . . . . . . . p. 66

Slide 3: Motivation

Slide 4: All Computer Scientists Have Experienced Bugs
- Ariane 5.01 failure (overflow)
- Patriot failure (float rounding)
- Mars orbiter loss (unit error)
[Figure: photographs of the three failures]
It is preferable to verify that mission/safety-critical programs do not go wrong before running them.

Slide 5: Static Analysis by Abstract Interpretation
- Static analysis: analyze the program at compile-time to verify a program runtime property
- Undecidability
- Abstract interpretation: effectively compute an abstraction/sound approximation of the program semantics,
  - which is precise enough to imply the desired property, and
  - coarse enough to be efficiently computable.

Slide 6: Abstract Interpretation, Reminder
Reference:
- [POPL '77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4th ACM POPL.
- [Thesis '78] P. Cousot. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse ès sci. math. Grenoble, March 1978.
- [POPL '79] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th ACM POPL.

Slide 7: Syntax of programs
- $X \in \mathbb{X}$: variables
- $T \in \mathbb{T}$: types
- $E \in \mathbb{E}$: arithmetic expressions
- $B \in \mathbb{B}$: boolean expressions
- $D ::= T\ X;\ \mid\ T\ X;\ D'$: declarations
- $C ::= X = E;\ \mid\ \mathbf{while}\ B\ C'\ \mid\ \mathbf{if}\ B\ C'\ \mid\ \mathbf{if}\ B\ C'\ \mathbf{else}\ C''\ \mid\ \{ C_1 \ldots C_n \}\ (n \ge 0)$: commands $C \in \mathbb{C}$
- $P ::= D\ C$: program $P \in \mathbb{P}$

Slide 8: Postcondition semantics using a simple example
[Figure: plot of $x(t)$ against $t$]

Slide 9: Concrete Reachability Semantics of Programs
- States $\sigma \in \Sigma\llbracket P \rrbracket$ of a program $P$ map program variables $X$ to their values $\sigma(X)$ (footnote 1).
- Values of given type: $V\llbracket T \rrbracket$ is the set of values of type $T \in \mathbb{T}$, e.g.
  $V\llbracket \mathrm{int} \rrbracket \triangleq \{ z \in \mathbb{Z} \mid \mathit{min\_int} \le z \le \mathit{max\_int} \}$
- Program states:
  $\Sigma\llbracket D\ C \rrbracket \triangleq \Sigma\llbracket D \rrbracket$
  $\Sigma\llbracket T\ X; \rrbracket \triangleq \{X\} \mapsto V\llbracket T \rrbracket$
  $\Sigma\llbracket T\ X;\ D \rrbracket \triangleq (\{X\} \mapsto V\llbracket T \rrbracket) \cup \Sigma\llbracket D \rrbracket$

Slide 10: Concrete Semantic Domain of Programs
- Concrete semantic domain for reachability properties: sets of states
  $D\llbracket P \rrbracket \triangleq \wp(\Sigma\llbracket P \rrbracket)$
  i.e. program properties, where $\subseteq$ is implication, $\emptyset$ is false, $\cup$ is disjunction.

Slide 11: Concrete Reachability Semantics of Programs (continued)
- $S\llbracket X = E; \rrbracket R \triangleq \{ \sigma[X \leftarrow E\llbracket E \rrbracket\sigma] \mid \sigma \in R \cap \mathrm{dom}(E) \}$
  where $\sigma[X \leftarrow v](X) = v$ and $\sigma[X \leftarrow v](Y) = \sigma(Y)$ for $Y \neq X$
- $S\llbracket \mathbf{if}\ B\ C' \rrbracket R \triangleq S\llbracket C' \rrbracket(B\llbracket B \rrbracket R) \cup B\llbracket \neg B \rrbracket R$
- $B\llbracket B \rrbracket R \triangleq \{ \sigma \in R \cap \mathrm{dom}(B) \mid B \text{ holds in } \sigma \}$
- $S\llbracket \mathbf{if}\ B\ C'\ \mathbf{else}\ C'' \rrbracket R \triangleq S\llbracket C' \rrbracket(B\llbracket B \rrbracket R) \cup S\llbracket C'' \rrbracket(B\llbracket \neg B \rrbracket R)$
- $S\llbracket \mathbf{while}\ B\ C' \rrbracket R \triangleq \mathbf{let}\ W = \mathrm{lfp}^{\subseteq} \lambda X.\ R \cup S\llbracket C' \rrbracket(B\llbracket B \rrbracket X)\ \mathbf{in}\ (B\llbracket \neg B \rrbracket W)$
- $S\llbracket \{\} \rrbracket R \triangleq R$
- $S\llbracket \{ C_1 \ldots C_n \} \rrbracket R \triangleq S\llbracket C_n \rrbracket \circ \ldots \circ S\llbracket C_1 \rrbracket R$, $n > 0$
- $S\llbracket D\ C \rrbracket R \triangleq S\llbracket C \rrbracket(\Sigma\llbracket D \rrbracket)$ (uninitialized variables)
Not computable (undecidability).

Slide 12: Abstract Semantic Domain of Programs
$\langle D^\sharp\llbracket P \rrbracket, \sqsubseteq, \bot, \sqcup \rangle$ such that:
$\langle D\llbracket P \rrbracket, \subseteq \rangle \xrightleftharpoons[\alpha]{\gamma} \langle D^\sharp\llbracket P \rrbracket, \sqsubseteq \rangle$
i.e. $\forall X \in D\llbracket P \rrbracket, Y \in D^\sharp\llbracket P \rrbracket : \alpha(X) \sqsubseteq Y \iff X \subseteq \gamma(Y)$
hence $\langle D^\sharp\llbracket P \rrbracket, \sqsubseteq, \bot, \sqcup \rangle$ is a complete lattice such that $\bot = \alpha(\emptyset)$ and $\sqcup X = \alpha(\bigcup \gamma(X))$.

Slide 13: Example 1 of Abstraction
- Set of traces: set of finite or infinite maximal sequences of states for the operational transition semantics
- $\alpha$: Strongest liberal postcondition: final states $s$ reachable from a given precondition $P$
  $\alpha(X) = \lambda P.\ \{ s \mid \exists \sigma_0 \sigma_1 \ldots \sigma_n \in X : \sigma_0 \in P \wedge s = \sigma_n \}$
- We have ($\Sigma$: set of states, $\dot\subseteq$ pointwise):
  $\langle \wp(\Sigma^\infty), \subseteq \rangle \xrightleftharpoons[\alpha]{\gamma} \langle \wp(\Sigma) \mapsto \wp(\Sigma), \dot\subseteq \rangle$

Slide 14: Example 2 of Abstraction
- Set of traces: set of finite or infinite maximal sequences of states for the operational transition semantics
- $\alpha_0$: Trace of sets of states: sequence of sets of states appearing at a given time along at least one of these traces
  $\alpha_0(X) = \lambda i.\ \{ \sigma_i \mid \sigma \in X \wedge 0 \le i < |\sigma| \}$
- $\alpha_1$: Set of reachable states: set of states appearing at least once along one of these traces (global invariant)
  $\alpha_1(\Sigma) = \bigcup \{ \Sigma_i \mid 0 \le i < |\Sigma| \}$
- $\alpha_2$: Partitioned set of reachable states: project along each control point (local invariant)
  $\alpha_2(\{ \langle c_i, \sigma_i \rangle \mid i \in \Delta \}) = \lambda c.\ \{ \sigma_i \mid i \in \Delta \wedge c = c_i \}$

Slide 15: Example 2 of Abstraction (continued)
- $\alpha_3$: Partitioned cartesian set of reachable states: project along each program variable (relationships between variables are now lost)
  $\alpha_3(\lambda c.\ \{ \sigma_i \mid i \in \Delta_c \}) = \lambda c.\ \lambda X.\ \{ \sigma_i(X) \mid i \in \Delta_c \}$
- $\alpha_4$: Partitioned cartesian interval of reachable states: take min and max of the values of the variables (footnote 2: assuming these values to be totally ordered)
  $\alpha_4(\lambda c.\ \lambda X.\ \{ v_i \mid i \in \Delta_{c,X} \}) = \lambda c.\ \lambda X.\ \langle \min \{ v_i \mid i \in \Delta_{c,X} \},\ \max \{ v_i \mid i \in \Delta_{c,X} \} \rangle$
- $\alpha_0$, $\alpha_1$, $\alpha_2$, $\alpha_3$ and $\alpha_4$, whence $\alpha_4 \circ \alpha_3 \circ \alpha_2 \circ \alpha_1 \circ \alpha_0$, are lower-adjoints of Galois connections

Slide 16: Example 3: Reduced Product of Abstract Domains
To combine the abstractions
$\langle D, \subseteq \rangle \xrightleftharpoons[\alpha_1]{\gamma_1} \langle D^\sharp_1, \sqsubseteq_1 \rangle$ and $\langle D, \subseteq \rangle \xrightleftharpoons[\alpha_2]{\gamma_2} \langle D^\sharp_2, \sqsubseteq_2 \rangle$,
the reduced product is
$\alpha(X) \triangleq \sqcap \{ \langle x, y \rangle \mid X \subseteq \gamma_1(x) \wedge X \subseteq \gamma_2(y) \}$
such that $\sqsubseteq\ =\ \sqsubseteq_1 \times \sqsubseteq_2$ and
$\langle D, \subseteq \rangle \xrightleftharpoons[\alpha]{\gamma_1 \times \gamma_2} \langle \alpha(D), \sqsubseteq \rangle$
Example: $x \in [1, 9] \wedge x \bmod 2 = 0$ reduces to $x \in [2, 8] \wedge x \bmod 2 = 0$.

Slide 17: Approximate Fixpoint Abstraction
[Figure: the iterates of $F^\sharp$ from $\bot$ in the abstract domain drawn above the iterates of $F$ in the concrete domain, linked by the approximation relation $\sqsubseteq$]
$F \circ \gamma \sqsubseteq \gamma \circ F^\sharp \implies \mathrm{lfp}\,F \sqsubseteq \gamma(\mathrm{lfp}\,F^\sharp)$

Slide 18: Abstract Reachability Semantics of Programs
- $S^\sharp\llbracket X = E; \rrbracket R \triangleq \alpha(\{ \sigma[X \leftarrow E\llbracket E \rrbracket\sigma] \mid \sigma \in \gamma(R) \cap \mathrm{dom}(E) \})$
- $S^\sharp\llbracket \mathbf{if}\ B\ C' \rrbracket R \triangleq S^\sharp\llbracket C' \rrbracket(B^\sharp\llbracket B \rrbracket R) \sqcup B^\sharp\llbracket \neg B \rrbracket R$
- $B^\sharp\llbracket B \rrbracket R \triangleq \alpha(\{ \sigma \in \gamma(R) \cap \mathrm{dom}(B) \mid B \text{ holds in } \sigma \})$
- $S^\sharp\llbracket \mathbf{if}\ B\ C'\ \mathbf{else}\ C'' \rrbracket R \triangleq S^\sharp\llbracket C' \rrbracket(B^\sharp\llbracket B \rrbracket R) \sqcup S^\sharp\llbracket C'' \rrbracket(B^\sharp\llbracket \neg B \rrbracket R)$
- $S^\sharp\llbracket \mathbf{while}\ B\ C' \rrbracket R \triangleq \mathbf{let}\ W = \mathrm{lfp}^{\sqsubseteq}_{\bot} \lambda X.\ R \sqcup S^\sharp\llbracket C' \rrbracket(B^\sharp\llbracket B \rrbracket X)\ \mathbf{in}\ (B^\sharp\llbracket \neg B \rrbracket W)$
- $S^\sharp\llbracket \{\} \rrbracket R \triangleq R$
- $S^\sharp\llbracket \{ C_1 \ldots C_n \} \rrbracket R \triangleq S^\sharp\llbracket C_n \rrbracket \circ \ldots \circ S^\sharp\llbracket C_1 \rrbracket R$, $n > 0$
- $S^\sharp\llbracket D\ C \rrbracket R \triangleq S^\sharp\llbracket C \rrbracket(\top)$ (uninitialized variables)

Slide 19: Convergence Acceleration with Widening
[Figure: the abstract iterates of $F^\sharp$ from $\bot$, accelerated by the widening $\triangledown$, drawn above the concrete iterates of $F$, linked by the approximation relation $\sqsubseteq$]

Slide 20: Abstract Semantics with Convergence Acceleration (footnote 3)
The rules for assignment, conditionals, the empty block, sequences and declarations are those of the abstract reachability semantics above; only the loop rule changes:
- $S^\sharp\llbracket \mathbf{while}\ B\ C' \rrbracket R \triangleq \mathbf{let}\ F^\sharp = \lambda X.\ \mathbf{let}\ Y = R \sqcup S^\sharp\llbracket C' \rrbracket(B^\sharp\llbracket B \rrbracket X)\ \mathbf{in}\ \mathbf{if}\ Y \sqsubseteq X\ \mathbf{then}\ X\ \mathbf{else}\ X \mathbin{\triangledown} Y$
  $\mathbf{and}\ W = \mathrm{lfp}^{\sqsubseteq}_{\bot} F^\sharp\ \mathbf{in}\ (B^\sharp\llbracket \neg B \rrbracket W)$
Footnote 3: $F^\sharp$ is not monotonic!
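As an added example (not code from the slides or from ASTRÉE), the following Python carries two of the slides' points through on concrete input: the widening loop rule of "Abstract Semantics with Convergence Acceleration" run over the interval abstraction $\alpha_4$, and the interval/parity reduction of "Example 3: Reduced Product of Abstract Domains". The analysed loop `X = start; while (X < bound) X = X + step`, the encoding of the lattices, and all function names are assumptions made for this illustration.

```python
# Added example (not the slides' code): interval abstract interpretation of a
# counting loop with the widening rule of slide 20, plus the interval/parity
# reduction of slide 16.  Loop shape, lattice encodings and names are assumed.
import math
from typing import Optional, Tuple

INF = math.inf

# Interval domain (alpha_4): None is bottom (no reachable value), otherwise a
# pair (lo, hi) with lo <= hi; (-INF, INF) is top.
Interval = Optional[Tuple[float, float]]


def join(a: Interval, b: Interval) -> Interval:
    """Least upper bound: the abstract 'or' of two sets of reachable values."""
    if a is None or b is None:
        return b if a is None else a
    return (min(a[0], b[0]), max(a[1], b[1]))


def leq(a: Interval, b: Interval) -> bool:
    """Approximation order: every value of a is a value of b."""
    if a is None or b is None:
        return a is None
    return b[0] <= a[0] and a[1] <= b[1]


def widen(a: Interval, b: Interval) -> Interval:
    """Classic interval widening: a bound that still moves jumps to infinity,
    so the ascending iteration stabilises in finitely many steps."""
    if a is None or b is None:
        return b if a is None else a
    return (a[0] if a[0] <= b[0] else -INF, a[1] if a[1] >= b[1] else INF)


def add_const(a: Interval, k: int) -> Interval:
    """Abstract transformer of the assignment X = X + k."""
    return None if a is None else (a[0] + k, a[1] + k)


def filter_lt(a: Interval, k: int) -> Interval:
    """B#[[X < k]]: keep only the values that satisfy the loop test."""
    if a is None or a[0] >= k:
        return None
    return (a[0], min(a[1], k - 1))


def filter_ge(a: Interval, k: int) -> Interval:
    """B#[[not (X < k)]]: the values that leave the loop."""
    if a is None or a[1] < k:
        return None
    return (max(a[0], k), a[1])


def analyze_counting_loop(start: int, bound: int, step: int,
                          use_widening: bool = True, max_iter: int = 10_000):
    """S#[[X = start; while (X < bound) X = X + step]] by the slide-20 rule:
    F#(X) = let Y = R join S#[[body]](B#[[B]] X) in (X if Y leq X else X widen Y),
    iterated from bottom.  Returns (exit states, loop invariant W, iterations)."""
    r: Interval = (start, start)   # states entering the loop
    x: Interval = None             # bottom: start of the ascending chain
    iterations = 0
    while True:
        iterations += 1
        y = join(r, add_const(filter_lt(x, bound), step))
        if leq(y, x):              # post-fixpoint reached: W = x
            break
        x = widen(x, y) if use_widening else y
        if iterations > max_iter:  # only reachable without widening
            raise RuntimeError("ascending iteration did not converge")
    return filter_ge(x, bound), x, iterations


def reduce_interval_parity(iv: Interval, par: Optional[str]):
    """Reduction of the product interval x parity (slide 16 example); parity is
    None (bottom), 'even', 'odd' or 'top'.  Each component is tightened with
    what the other knows; an empty result makes both components bottom."""
    if iv is None or par is None:
        return None, None
    lo, hi = iv
    if par in ("even", "odd"):
        want = 0 if par == "even" else 1
        if lo != -INF and lo % 2 != want:
            lo += 1                # e.g. [1, 9] with even  ->  [2, 8]
        if hi != INF and hi % 2 != want:
            hi -= 1
        if lo > hi:
            return None, None      # no integer fits: bottom
    elif lo == hi:
        par = "even" if lo % 2 == 0 else "odd"   # a singleton fixes its parity
    return (lo, hi), par


if __name__ == "__main__":
    print(analyze_counting_loop(0, 5, 1, use_widening=False))  # ((5, 5), (0, 5), 7)
    print(analyze_counting_loop(0, 100, 1))                    # ((100, inf), (0, inf), 3)
    print(reduce_interval_parity((1, 9), "even"))              # ((2, 8), 'even')
```

Without widening the small loop converges to the exact invariant $[0,5]$ after seven applications of $F^\sharp$; with widening the iteration stops after three steps but the upper bound has been pushed to $+\infty$, which is the precision/termination trade-off the widening slides describe (the slides' exit state $B^\sharp\llbracket \neg B \rrbracket W$ then only knows $X \ge 100$).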

