A Static Analyzer for Large Safety-Critical Software. Presented by Dario Bösch, ETH Zürich, 07.03.2016. Research Topics in Software Engineering. 2003.

Slide 1: A Static Analyzer for Large Safety-Critical Software. Presented by Dario Bösch, ETH Zürich. Research Topics in Software Engineering. Paper authors: Bruno Blanchet, Laurent Mauborgne, Patrick Cousot, Antoine Miné, Radhia Cousot, David Monniaux, Jérôme Feret, Xavier Rival.

Slide 2: Example

    void foo(int n){
        int x = 0;
        while(x <= n){
            x++;
        }
        assert(x >= n);
    }

Slide 3: Static Analysis. Analyze code before execution. Allows: optimizations, documentation, validation.

Slide 4: Abstract Interpretation. Map variable values to an abstract domain. Example: interval domain.

    int x = -1;
    if(…){
        x = 1;
    }
    return 1 / x;

Concrete values of x: -1 on one path, 1 on the other. Abstraction α maps them to [-1,-1] and [1,1]; their join is [-1,1]; concretization γ maps an interval back to the set of values it represents.

Slide 5: Overview. General static analyzer using abstract interpretation (commercially available in 2002) → static analyzer for safety-critical software (paper from 2002) → static analyzer for large safety-critical software (this paper).

Slide 6: Analyzer in. Analyzer: automated; performance vs. precision; optimizations.

Slide 7: Goal & Specifications. Goal: automated verification of large safety-critical code. Specification: C code, but with no recursion, no gotos, no dynamic memory allocation, and never-aborting execution.

Slide 8: Requirements. Precision, efficiency, correctness, automation, scalability.

Slide 9: Manipulations of the Program. 132'000 LOC are reduced to a smaller file by: preprocess & merge; constant propagation; ignoring functions & variables.

Slide 10: Iterative Construction. 1: Static analysis. 2: Manual backward inspection (of false alarms). 3: Refinement (invariants missed or not expressible lead to a new domain or new parameters).

Slide 11: Widening

    int foo(int n){
        int counter = 2*n;
        for(int i = 0; i < n; i++){
            counter--;
        }
        return 1/n;
    }

Intervals of counter at the loop head over the iterations: [2n, 2n], [2n-1, 2n-1], [2n-2, 2n-2], [2n-3, 2n-3], ... Widening: [-∞, -∞]. Join: [-∞, 2n]. Result: FALSE ALARM. Widening threshold at 1.
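The two interval-domain analyses on slides 4 and 11 can be run numerically. The following is an added example written for this transcript, not code from the slides or from the Astrée analyzer: a small interval domain with abstraction, join, meet, and widening with optional thresholds. It reproduces the join [-1,1] that makes 1/x an alarm, and the loop-head invariant of a decrementing counter loop (a simplified variant of slide 11's loop, with n given a constructed concrete value), once with plain widening and once with a threshold.

```python
"""Interval abstract domain with join, widening and threshold widening.

Added example, written for this transcript; it is not code from the slides
or from the Astrée analyzer. It reproduces the two analyses shown on the
slides in the interval domain: the abstraction of x in the 1/x example and
the loop-head invariant of a decrementing counter loop, once with plain
widening and once with a widening threshold. The parameter n is given a
constructed concrete value so the iteration can be run numerically.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi]; bounds may be -inf/+inf; lo > hi is bottom."""
    lo: float
    hi: float

    def is_bottom(self):
        return self.lo > self.hi

    def leq(self, other):
        """Abstract inclusion: self is contained in other."""
        return self.is_bottom() or (other.lo <= self.lo and self.hi <= other.hi)

    def join(self, other):
        """Least upper bound: the smallest interval covering both."""
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other):
        """Greatest lower bound; used to apply loop guards."""
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def add(self, k):
        """Abstract transfer function for x = x + k."""
        return Interval(self.lo + k, self.hi + k)

    def contains(self, value):
        return self.lo <= value <= self.hi

    def widen(self, other, thresholds=()):
        """Widening of self by other: a bound that moved jumps straight to the
        next threshold in that direction, or to infinity when none is left.
        This is what guarantees termination of the fixpoint iteration."""
        if self.is_bottom():
            return other
        lo, hi = self.lo, self.hi
        if other.lo < lo:
            lo = max((t for t in thresholds if t <= other.lo), default=-inf)
        if other.hi > hi:
            hi = min((t for t in thresholds if t >= other.hi), default=inf)
        return Interval(lo, hi)


def alpha(values):
    """Abstraction function α: a finite set of integers -> smallest interval."""
    return Interval(min(values), max(values))


def division_alarm():
    """Slide 4: x is -1 on one path and 1 on the other. Their join [-1, 1]
    contains 0, so 1 / x cannot be proved safe: a false alarm."""
    x = alpha({-1}).join(alpha({1}))
    return x, x.contains(0)


def analyse_countdown(n, thresholds=()):
    """Slide 11, simplified: loop-head invariant of
        counter = 2*n; while (counter > n) counter--;
    by Kleene iteration with widening. Returns (head invariant, exit state)."""
    init = Interval(2 * n, 2 * n)
    head = init
    while True:
        body_in = head.meet(Interval(n + 1, inf))    # guard: counter > n
        body_out = body_in.add(-1)                   # counter--
        new_head = init.join(body_out)               # entry path or back edge
        if new_head.leq(head):                       # post-fixpoint reached
            break
        head = head.widen(new_head, thresholds)
    exit_state = head.meet(Interval(-inf, n))        # negated guard
    return head, exit_state


if __name__ == "__main__":
    print("1/x example:", division_alarm())
    print("plain widening:", analyse_countdown(10))
    print("threshold at n:", analyse_countdown(10, thresholds=(10,)))
```

With plain widening the lower bound of counter is extrapolated to -∞ after the first iteration, exactly the [-∞, 2n] situation on slide 11, and the exit state is [-∞, n]. With a threshold at n the widened bound stops at n, the iteration is stable after the next step, and the exit state is the exact [n, n].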

Slide 12: Loop Unrolling

Original:

    void foo(int n){
        int first = 1;
        int counter = -n;
        for(int i = 0; i < n; i++){
            if(first){
                counter = 1;
                first = 0;
            } else
                counter++;
        }
    }

After unrolling the first iteration:

    void foo(int n){
        int first = 1;
        int counter = -n;
        counter = 1;
        first = 0;
        for(int i = 1; i < n; i++){
            if(first){
                counter = 1;
                first = 0;
            } else
                counter++;
        }
    }

After removing the branch that can no longer be taken:

    void foo(int n){
        int first = 1;
        int counter = -n;
        counter = 1;
        first = 0;
        for(int i = 1; i < n; i++){
            counter++;
        }
    }

Slide 13: Octagon Abstract Domain

    void foo(int m, int n, int max){
        int left = m - n;
        int right = m;
        if(left > max){
            right = n + max;
        }
        assert(right <= m);
    }

Reasoning: left = m - n and left > max imply n + max < m, hence right < m. The octagon domain captures linear inequalities of the form ±x ± y ≤ c.

Slide 14: Abstract Domains. Interval, clocked, octagon, ellipsoid, boolean relation.

Slide 15: Storing Abstract Values: Interval. One cell for each variable. Arrays? Either one cell for each index (expanded): for the array {1, 4, -2} the cells [1,1], [4,4], [-2,-2] (precise); or one cell for the whole array (smashed): [-2, 4] (efficient).
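The precision/efficiency trade-off of slide 15 becomes concrete once a store is performed on the array. The following is an added example, not code from the slides or from Astrée: both representations of the array {1, 4, -2} are built, a store is applied, and a later read is checked for a possible division by zero. Intervals are plain (lo, hi) tuples and the stores are constructed sample data. Going slightly beyond the slide, the example also shows that the expanded representation must fall back to a weak update when the written index is itself only known as an interval.

```python
"""Expanded vs smashed arrays in the interval domain (slide 15).

Added example, not code from the slides or from Astrée. Intervals are plain
(lo, hi) tuples; the array {1, 4, -2} and the stores performed on it are
constructed sample data.
"""


def join(a, b):
    """Least upper bound of two (lo, hi) intervals."""
    return (min(a[0], b[0]), max(a[1], b[1]))


class ExpandedArray:
    """One abstract cell per index: precise, but cost grows with the length."""

    def __init__(self, values):
        self.cells = [(v, v) for v in values]

    def read(self, i):
        return self.cells[i]

    def write(self, idx, interval):
        lo, hi = idx
        if lo == hi:                       # index known exactly: strong update
            self.cells[lo] = interval
        else:                              # index uncertain: weak update on
            for i in range(lo, hi + 1):    # every candidate cell
                self.cells[i] = join(self.cells[i], interval)

    def size(self):
        return len(self.cells)


class SmashedArray:
    """One abstract cell for the whole array: cheap, but every write is weak,
    because the other (unchanged) elements share the same summary cell."""

    def __init__(self, values):
        self.cell = (min(values), max(values))

    def read(self, i):
        return self.cell

    def write(self, idx, interval):
        self.cell = join(self.cell, interval)

    def size(self):
        return 1


def may_be_zero(interval):
    return interval[0] <= 0 <= interval[1]


def compare(values, idx, new_value, query_idx):
    """Perform a[idx] = new_value on both representations, then read
    a[query_idx] and report whether a division by it would raise an alarm."""
    report = {}
    for name, arr in (("expanded", ExpandedArray(values)),
                      ("smashed", SmashedArray(values))):
        arr.write(idx, (new_value, new_value))
        value = arr.read(query_idx)
        report[name] = {"cells": arr.size(), "value": value,
                        "div_alarm": may_be_zero(value)}
    return report


if __name__ == "__main__":
    # a = {1, 4, -2}; a[0] = 0; then 1 / a[1]
    print(compare([1, 4, -2], (0, 0), 0, 1))
    # same, but the store goes to a[i] with i known only as [0, 1]
    print(compare([1, 4, -2], (0, 1), 0, 1))
```

For the exact store, the expanded array still knows a[1] = [4,4] and proves the division safe, while the smashed cell [-2,4] already contains 0 and raises an alarm; once the index is uncertain, the expanded array also has to join 0 into a[1] and loses the proof.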

Slide 16: Storing Abstract Values: Integer (cont.). Concrete {0, 2} and abstract [0, 2] are related by α and γ. For non-relational domains, performance matters: an array is too slow; a balanced binary search tree is used instead.

Slide 17: Storing Abstract Values: Relational. Too many variables (relations). Variable packing: concentrate on a subset.
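Why packing cuts the cost of a relational domain can be shown with a toy packing pass. The following is an added example, not code from the slides or from Astrée (whose packing strategy is more elaborate): variables occurring in the same statement are put into one pack, packs sharing a variable are merged, and the size of one octagon over all variables is compared with the sizes of one octagon per pack. The statements are constructed (based on the slide 13 snippet plus two unrelated variables), and the cost model, the (2n)² entries of an octagon's difference-bound matrix, is a simplification.

```python
"""Variable packing for a relational domain (slide 17).

Added example, not code from the slides or from Astrée, whose packing
strategy is more elaborate. Here a deliberately simple heuristic is used:
variables occurring in the same statement are put into the same pack, and
packs that share a variable are merged. The statements are constructed and
the cost model (entries of an octagon's difference-bound matrix, (2n)^2)
is a simplification.
"""
import re

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
KEYWORDS = {"if", "else", "while", "for", "return", "int"}

# Constructed statements: the slide 13 snippet plus two unrelated variables.
STATEMENTS = [
    "left = m - n",
    "right = m",
    "if (left > max)",
    "right = n + max",
    "k = k + 1",
    "t = 2 * k",
    "flag = 1",
]


def variables(stmt):
    """Identifiers occurring in a statement, minus C keywords."""
    return set(IDENT.findall(stmt)) - KEYWORDS


def pack_variables(statements):
    """Merge the variable sets of statements that overlap; returns disjoint
    packs as frozensets, sorted for deterministic output."""
    packs = []
    for stmt in statements:
        vs = variables(stmt)
        if not vs:
            continue
        merged = vs.union(*(p for p in packs if p & vs))
        packs = [p for p in packs if not (p & vs)] + [merged]
    return sorted((frozenset(p) for p in packs), key=lambda p: sorted(p))


def octagon_cost(num_vars):
    """Entries in the difference-bound matrix of an octagon over n variables."""
    return (2 * num_vars) ** 2


def compare_costs(statements):
    """Cost of one octagon over all variables vs. one octagon per pack."""
    packs = pack_variables(statements)
    all_vars = set().union(*packs)
    return {
        "packs": packs,
        "one_pack": octagon_cost(len(all_vars)),
        "packed": sum(octagon_cost(len(p)) for p in packs),
    }


if __name__ == "__main__":
    for key, value in compare_costs(STATEMENTS).items():
        print(key, value)
```

On the constructed statements the eight variables fall into three packs (left, m, n, right, max), (k, t) and (flag); the relations the analysis can express are restricted to variables inside a pack, which is the precision paid for the smaller matrices.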

Slide 18: Conclusion. Very high precision rate; reasonable power and time consumption; appropriate abstraction through parameterization.

Slide 19: Criticism. A good analyzer for the considered family of programs, but with a lot of requirements and specifications. If these differ: validation may not work anymore; a refinement process is needed; eventually a new abstract domain is needed.

Slide 20: Impact. 574 citations; used in the framework Astrée (Airbus); still has impact on current papers (2016); showed that the analyzer can be used for validation; pushed research in this topic.