
A Static Analyzer for Large Safety-Critical Software (2003). Presented by Dario Bösch, ETH Zürich, 07.03.2016. Research Topics in Software Engineering.




1 A Static Analyzer for Large Safety-Critical Software
Presented by Dario Bösch, ETH Zürich, 07.03.2016
Research Topics in Software Engineering
Paper authors: Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, Xavier Rival

2 Example

    void foo(int n){
        int x = 0;
        while(x <= n){
            x++;
        }
        assert(x >= n);   // to be proven for every n
    }

3 Static Analysis
Analyze the code before executing it. This allows:
- Optimizations
- Documentation
- Validation

4 Abstract Interpretation
Map the values of variables to an abstract domain. Example: the interval domain.

    int x = -1;
    if(…){
        x = 1;
    }
    return 1 / x;

Abstraction (α) maps the concrete value of x in each branch to an interval: [-1,-1] and [1,1]. Where the branches merge, the analyzer keeps only their join, [-1,1]. Concretization (γ) of [-1,1] contains 0, so the analyzer cannot prove that 1 / x never divides by zero, although no concrete execution does: a false alarm caused by the imprecision of the interval domain.

5 Overview
- General static analyzer using abstract interpretation: commercially available in 2002
- Static analyzer for safety-critical software: paper from 2002
- Static analyzer for large safety-critical software: this paper

6 Analyzer in 2002
The analyzer was already automated; the remaining trade-off is performance vs. precision, addressed through optimizations.

7 Goal & Specifications
Goal: automated verification of large safety-critical code.
Specification: C code, but with restrictions:
- No recursion
- No gotos
- No dynamic memory allocation
- Execution never aborts

8 Requirements
Precision, Efficiency, Correctness, Automation, Scalability

9 Manipulations of the Program
Starting from 132'000 lines of C code, the sources are preprocessed and merged into one file; constant propagation and ignoring functions and variables then reduce it to a smaller file for analysis.

10 Iterative Construction
1: Static analysis, which produces false alarms.
2: Manual backward inspection of each alarm, which shows which invariants were missed or are not expressible in the current domains.
3: Refinement: a new abstract domain or new parameters.

11 Widening

    int foo(int n){
        int counter = 2*n;
        for(int i = 0; i < n; i++){
            counter--;
        }
        return 1/n;
    }

Iterating the loop body gives the sequence of intervals [2n, 2n], [2n-1, 2n-1], [2n-2, 2n-2], [2n-3, 2n-3], ... for counter, which never stabilizes. Widening extrapolates the moving lower bound straight to -∞ ([-∞, -∞] for the widened iterate), so the join of the iterates becomes [-∞, 2n]: sound, but so coarse that the analyzer reports a FALSE ALARM. Widening with a threshold (here at 1) stops the lower bound at the threshold instead of -∞ and avoids the alarm.
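The interval domain from slide 4 and the widening from slide 11, carried through in working code. This is an added example written for this transcript, not code from the paper or from Astrée: the `Interval` class, its `widen` method with a threshold list, and the countdown loop `x = 10; while (x > 0) x--;` followed by `1 / (x + 1)` are constructed for illustration. It shows the join [-1,-1] ⊔ [1,1] = [-1,1] behind the slide-4 alarm, then that plain widening pushes the counter's lower bound to -∞ (so the division after the loop is flagged), while widening with a threshold at 0 keeps the exact exit state [0,0].

```python
"""Interval domain with join, widening and threshold widening (added example).

The snippets analyzed here are the slide-4 'if' and a countdown loop with a
concrete start value; both are constructed for this example."""
import math

INF = math.inf


class Interval:
    """Abstract value [lo, hi] over the integers; lo may be -inf and hi +inf."""

    def __init__(self, lo, hi):
        if lo > hi:
            raise ValueError("empty interval")
        self.lo, self.hi = lo, hi

    def __eq__(self, other):
        return isinstance(other, Interval) and (self.lo, self.hi) == (other.lo, other.hi)

    def __repr__(self):
        return f"[{self.lo}, {self.hi}]"

    def join(self, other):
        """Least upper bound: the smallest interval containing both."""
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other):
        """Intersection, or None if empty (used for loop guards)."""
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        return Interval(lo, hi) if lo <= hi else None

    def widen(self, other, thresholds=()):
        """Widening: a bound that is still moving is pushed to infinity, or,
        with thresholds, only to the nearest threshold in that direction."""
        lo, hi = self.lo, self.hi
        if other.lo < self.lo:
            below = [t for t in thresholds if t <= other.lo]
            lo = max(below) if below else -INF
        if other.hi > self.hi:
            above = [t for t in thresholds if t >= other.hi]
            hi = min(above) if above else INF
        return Interval(lo, hi)

    def contains(self, value):
        return self.lo <= value <= self.hi


def alpha(values):
    """Abstraction of a non-empty finite set of concrete integers."""
    return Interval(min(values), max(values))


def gamma(iv):
    """Concretization of a bounded interval as the set of integers it denotes."""
    return set(range(int(iv.lo), int(iv.hi) + 1))


def may_divide_by_zero(divisor):
    """The analyzer raises an alarm when 0 is in the abstract divisor."""
    return divisor.contains(0)


def slide4_division():
    """int x = -1; if (...) { x = 1; }  return 1 / x;
    Both branches are exact, but their join loses the hole at 0."""
    x_after_if = alpha({-1}).join(alpha({1}))
    return x_after_if, may_divide_by_zero(x_after_if)


def analyze_countdown(start, thresholds=(), use_widening=True):
    """Abstract fixpoint of:  x = start; while (x > 0) { x = x - 1; }
    Returns (loop-head invariant, state at loop exit, number of iterations)."""
    head = Interval(start, start)
    iterations = 0
    while True:
        iterations += 1
        body_in = head.meet(Interval(1, INF))            # entering the body: x > 0
        body_out = Interval(body_in.lo - 1, body_in.hi - 1) if body_in else None
        new_head = head.join(body_out) if body_out else head
        if use_widening:
            new_head = head.widen(new_head, thresholds)
        if new_head == head:
            break
        head = new_head
    exit_state = head.meet(Interval(-INF, 0))            # leaving the loop: x <= 0
    return head, exit_state, iterations


def division_after_loop(start, thresholds=()):
    """Is 1 / (x + 1) after the countdown flagged as a possible division by zero?"""
    _, exit_state, _ = analyze_countdown(start, thresholds)
    return may_divide_by_zero(Interval(exit_state.lo + 1, exit_state.hi + 1))
```

With widening disabled the same loop only converges after 11 iterations, which is affordable here because the start value is a concrete 10; for a symbolic bound such as the slide's 2n the plain iteration never stabilizes, which is why widening is needed at all. The threshold list is one of the parameters that step 3 of slide 10 refers to; slide 11's threshold at 1 plays the same role as the 0 used here.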

12 Loop Unrolling

Original loop:

    void foo(int n){
        int first = 1;
        int counter = -n;
        for(int i = 0; i < n; i++){
            if(first){
                counter = 1;
                first = 0;
            }
            else counter++;
        }
    }

First iteration unrolled (the slide omits the guard 0 < n on the peeled iteration):

    void foo(int n){
        int first = 1;
        int counter = -n;
        counter = 1;
        first = 0;
        for(int i = 1; i < n; i++){
            if(first){
                counter = 1;
                first = 0;
            }
            else counter++;
        }
    }

After simplification, first is 0 in every remaining iteration, so the branch disappears:

    void foo(int n){
        int first = 1;
        int counter = -n;
        counter = 1;
        first = 0;
        for(int i = 1; i < n; i++){
            counter++;
        }
    }

13 Octagon Abstract Domain

    void foo(int m, int n, int max){
        int left = m - n;
        int right = m;
        if(left > max){
            right = n + max;
        }
        assert(right <= m);
    }

Octagons capture linear inequalities between pairs of variables (constraints of the form ±x ± y ≤ c). In the then branch, left = m - n and left > max give n + max < m, hence right = n + max < m; in the else branch right = m. So right <= m holds on both paths, which intervals alone cannot show because m, n and max are unbounded inputs.
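Relational reasoning as an added example, not the paper's or Astrée's code: a difference-bound (zone) domain that stores constraints of the form x - y ≤ c in a matrix and closes it with Floyd-Warshall. Zone constraints are the subset of octagon constraints without the x + y forms, which keeps the code short. The slide's derivation relies on the three-variable equality left = m - n, which a pairwise domain cannot store by itself, so the snippet analyzed here is a two-variable variant constructed for the example (left = m - 3, right = k + 2, unknown inputs m and k) with the same assertion right <= m. `Zone`, `analyze_branch` and `infeasible_branch` are names chosen here.

```python
"""Difference-bound (zone) domain, added example: relations x - y <= c between variables."""
import copy
import math

INF = math.inf
ZERO = "0"   # pseudo-variable fixed at 0, so x - ZERO <= c is an upper bound on x alone


class Zone:
    """m[x][y] is the tightest known upper bound on x - y; INF means unconstrained."""

    def __init__(self, names):
        self.names = [ZERO] + list(names)
        self.m = {x: {y: (0 if x == y else INF) for y in self.names} for x in self.names}

    def close(self):
        """Floyd-Warshall: derive every implied bound, since x - y <= (x - k) + (k - y)."""
        for k in self.names:
            for i in self.names:
                for j in self.names:
                    via = self.m[i][k] + self.m[k][j]
                    if via < self.m[i][j]:
                        self.m[i][j] = via
        return self

    def is_empty(self):
        """A negative cycle (x - x < 0) means the constraints are unsatisfiable."""
        self.close()
        return any(self.m[x][x] < 0 for x in self.names)

    def forget(self, x):
        """Drop all knowledge about x but keep the bounds it implied between others."""
        self.close()
        for y in self.names:
            if y != x:
                self.m[x][y] = self.m[y][x] = INF

    def assign(self, x, y, c):
        """x = y + c; y may be ZERO (a constant) or x itself (x = x + c)."""
        if y == x:
            for z in self.names:
                if z != x:
                    self.m[x][z] += c
                    self.m[z][x] -= c
            return
        self.forget(x)
        self.m[x][y], self.m[y][x] = c, -c

    def guard(self, x, y, c):
        """Assume x - y <= c (over ints, x - y > c is written as y - x <= -c - 1)."""
        self.m[x][y] = min(self.m[x][y], c)
        self.close()

    def join(self, other):
        """Least upper bound: each bound is only as tight as both branches allow."""
        self.close()
        other.close()
        out = copy.deepcopy(self)
        for x in self.names:
            for y in self.names:
                out.m[x][y] = max(self.m[x][y], other.m[x][y])
        return out

    def bound(self, x, y):
        """Tightest upper bound on x - y after closure."""
        self.close()
        return self.m[x][y]

    def clone(self):
        return copy.deepcopy(self)


def analyze_branch():
    """Abstract run of (m, k are unknown inputs):
        int right = m;  int left = m - 3;
        if (left > k) { right = k + 2; }
        assert(right <= m);
    Returns (upper bound on right - m, upper bound on right alone).
    The assertion is proven iff the first value is <= 0."""
    z = Zone(["m", "k", "right", "left"])
    z.assign("right", "m", 0)          # right = m
    z.assign("left", "m", -3)          # left = m - 3
    then_b = z.clone()
    then_b.guard("k", "left", -1)      # left > k   <=>  k - left <= -1
    then_b.assign("right", "k", 2)     # right = k + 2
    else_b = z.clone()
    else_b.guard("left", "k", 0)       # !(left > k)  <=>  left - k <= 0
    joined = then_b.join(else_b)
    return joined.bound("right", "m"), joined.bound("right", ZERO)


def infeasible_branch():
    """left = k; if (left > k) { ... }  The then branch is dead: the zone becomes empty."""
    z = Zone(["k", "left"])
    z.assign("left", "k", 0)
    z.guard("k", "left", -1)           # left > k
    return z.is_empty()
```

The then branch closes to right - m ≤ -2 (from right - k ≤ 2, k - left ≤ -1, left - m ≤ -3) and the else branch to right - m ≤ 0, so the join keeps right - m ≤ 0 and the assertion is verified; at the same time the bound on right alone stays +∞, which is all a non-relational interval analysis would ever know about right. `infeasible_branch` shows the other thing closure buys: a negative entry on the diagonal marks a dead branch.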

14 Abstract Domains
Interval, Clocked, Octagon, Ellipsoid, Boolean relation

15 Storing Abstract Values: Interval
One cell for each variable. Arrays?
- One cell for each index (expanded): precise
- One cell for the whole array (smashed): efficient
Example: the array {1, 4, -2} is stored expanded as [1,1] [4,4] [-2,-2] and smashed as the single interval [-2, 4].

16 Storing Abstract Values: Interval (cont.)
Abstraction and concretization for a concrete set: α({0, 2}) = [0, 2], and γ([0, 2]) = {0, 1, 2} (the interval loses the hole at 1).
For non-relational domains the data structure holding the variable-to-value map determines performance: a plain array is too slow, so a balanced binary search tree is used instead.

17 Storing Abstract Values: Relational
A relational domain over all variables at once has too many variables, hence too many relations to store and maintain.
Variable packing: concentrate on subsets of variables that are related, and track relations only inside each pack.
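A sketch of variable packing as an added example, not Astrée's own packing heuristic (which is more elaborate): variables that occur together in a statement are put into the same pack by union-find, and a relational domain would then be run on each pack separately. The statement list `SAMPLE_STATEMENTS` and the function names are constructed for this example.

```python
"""Variable packing by syntactic co-occurrence (added example, a simplified heuristic)."""
from collections import defaultdict

# Constructed program: each entry lists the variables used together in one statement.
SAMPLE_STATEMENTS = [
    {"x", "y"},        # y = x + 1
    {"y", "z"},        # if (y > z) ...
    {"a", "b"},        # b = a - 2
    {"c"},             # c = 0
]


def pack_variables(statements):
    """Group variables into the connected components of the co-occurrence graph
    (union-find). A relational domain is then run on each pack separately."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]    # path halving
            v = parent[v]
        return v

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for used in statements:
        first, *rest = sorted(used)
        find(first)                          # register singleton variables too
        for v in rest:
            union(first, v)

    packs = defaultdict(set)
    for v in parent:
        packs[find(v)].add(v)
    return sorted(sorted(p) for p in packs.values())


def relation_count(packs):
    """Variable pairs a pairwise relational domain has to track: sum over packs of C(|pack|, 2)."""
    return sum(len(p) * (len(p) - 1) // 2 for p in packs)


def savings(statements):
    """(pairs tracked with packing, pairs tracked without packing) for the same variables."""
    packs = pack_variables(statements)
    all_vars = sorted(v for p in packs for v in p)
    return relation_count(packs), relation_count([all_vars])
```

On the sample program packing yields {a, b}, {c} and {x, y, z}: 4 variable pairs to relate instead of 15 for one pack of all six variables, and the gap grows quadratically with the number of variables, which is the point of the slide.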

18 Conclusion
- Very high precision rate
- Reasonable computing power and time consumption
- Appropriate abstraction through parameterization

19 Criticism
A good analyzer for the considered family of programs, but it comes with many requirements and specifications. If these differ:
- Validation may not work anymore
- The refinement process is needed again
- Eventually a new abstract domain is needed

20 Impact
- 574 citations
- Used in the Astrée framework (Airbus)
- Still influences current papers (2016)
- Showed that the analyzer can be used for validation
- Pushed research in this topic

