DOCSLIB.ORG

Static Analysis by Abstract Interpretation of Embedded Critical Software

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Static Analysis by Abstract Interpretation of Embedded Critical Software Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane Patrick Cousot Radhia Cousot J´er^omeFeret Laurent Mauborgne ENS∗ ENS∗ & CIMSx CNRS & ENS∗ INRIA & ENS∗ IMDEA∗∗ Antoine Min´e Xavier Rival CNRS & ENS∗ INRIA & ENS∗ Abstract Formal methods are increasingly used to help ensuring the correctness of complex, critical embedded software systems. modeling We show how sound semantic static analyses based on Ab- S static analysis stract Interpretation may be used to check properties at var- A ious levels of a software design: from high level models to low O level binary code. After a short introduction to the Abstract code generation V Interpretation theory, we present a few current applications: a checking for run-time errors at the C level, translation val- l static analysis i idation from C to assembly, and analyzing SAO models of d C a communicating synchronous systems with imperfect clocks. t translation i We conclude by briefly proposing some requirements to ap- o compilation validation ply Abstract Interpretation to modeling languages such as n UML. B static analysis I keywords: Abstract interpretation, Critical software, Em- N test bedded systems, Static analysis, System design, System modeling, System verification. execution 1 Introduction Ensuring the correctness of software systems constitutes a Figure 1: Example workflow for designing an embedded ap- large part of software development budgets. It is particu- plication. larly important for critical embedded systems, such as found in automotive, aerospace and medical applications, as the slightest programming \bug" may have catastrophic finan- based static analysis, which always terminates and covers all cial and even human cost. In this article, we build a case executions, albeit in an over-approximated way. For example for using static analysis based on Abstract Interpretation to it can detect dead code (never executed) or dead data struc- help ensuring software correctness. tures (constructed but never used) but cannot always prove We illustrate a possible use for static analysis in Fig.1. In their absence. Moreover, static analysis can be applied at this drastically simplified workflow inspired from a real in- many levels: machine-readable specification, program source dustrial case [27], an engineer (not necessarily a programmer) or binary. The higher level the better, as it provides purer in- models a control system using the SAO graphical language, formation to the tool and its feedback is easier to understand a precursor and similar tool as SCADE [14] | a SimulinkTM to the designer. However, higher levels abstract away some fragment similar to SAO is also shown in Fig.2. It is then au- aspects of computations, which makes it impossible to check tomatically translated to the programming language C and some properties of actual executions. For instance, SAO and then compiled to produce the actual binary software exe- SCADE have real arithmetics and do not specify how actual cuted by the device. Validation includes testing, which re- numerical computations are performed nor the type of num- quires executing (part of) the binary with some monitoring bers, so that a static analysis of numeric overflows (as done and is able to check a wide range of properties (including by Astree´ [1, 11,5], Sec.3) or of the precision of floating- functional ones) but is costly and never achieves a full cover- point computations (as done by Fluctuat [17]) is done at the age of all possible executions (path- and data-coverage). For- C level | a static analysis of real expressions at the SCADE mal methods can also be employed. In particular, semantic- level may however be used to determine its numerically most precise float compilation to C [20]. Likewise, neither SAO nor (∗)Ecole´ Normale Sup´erieure, 45, rue d'Ulm, Paris, France, C make any guarantee about the worst-case execution time, Ls e.@tr .an rssfitF (x)Courant Institute of Mathematical Sciences, NYU, New York, NY so, such an analysis (as done by AbsInt's aiT [18]) is done at (∗∗)Fundaci´onIMDEA Software, 28660-Boadilla del Monte, Madrid, the binary level and for a specific processor. A SAO model Spain, m u oa eu amal .eibrrnt ordg [email protected] can also be enriched with non-software elements, such as real- 1 a b 2 Abstract Interpretation - We provide a succinct introduction to Abstract Interpreta- tion, more details are provided e.g. in [3]. ++ -1 + z z-1 t Unit delay Unit delay 2.1 Small-Step Operational Semantics Switch Switch In order to analyze the behavior of a computer system during x(n) Switch j B i execution, we start by providing a model of computations, that is, an operational semantics. An example of operational Figure 2: A second-order digital filter. semantics for UML-Statecharts is [31]. Such an operational semantics of a given program can be described as a transition system hS; I; E; ti. S is a set of states, including initial states I ⊆ S and bad or erroneous states E ⊆ S. t ⊆ S × S is a transition relation between a time clocks and communication lines with delays, to enable state s 2 S and its possible successors: for any state s0 2 S, a static analysis taking time into account (Sec.5). Finally, t(s; s0) is true if, and only if, s0 is a potential successor of s. 0 static analysis can also improve the confidence in compil- The blocking states have no successor B , fs 2 S j 8s 2 S : ers and code generators: translation validation (Sec.4) can :t(s; s0)g. check whether the source and output are equivalent, at least with respect to a class of properties, so that the analysis for 2.2 Big-Step Operational Semantics such properties at a higher level needs not be redone at the lowest level (which is often more difficult). The big-step operational semantics of hS; I; E; ti is hS; I; E; t?i where t? S tn is the reflexive transitive closure , n>0 Ideally, a static analyzer should extract automatically pre- (1) 0 of t, t , 1S , fhs; si j s 2 Sg is the identity relation on cise properties from a complete mathematical specification of n+1 n (2) S, t , t ◦ t where ◦ is the composition of relations. the analyzed system. Most properties are however undecid- ? ? We have t = T (t ) where T (r) , 1S [ r ◦ t since a state able, so, we resort to abstraction, i.e., the analyzer explores 0 s is reachable from s in n > 0 steps if and only if n = 0 and machine-representable supersets of actual behaviors of the s = s0 or n > 0 and s0 is reachable from a successor of s in system using tractable algorithms. As a consequence, the ? n − 1 steps. Moreover if T (r) = 1S [ t ◦ r ⊆ r then t ⊆ r. It analyzer may consider spurious behaviors and miss proper- ⊆ follows that t? = lfp T , by definition of the ⊆-least fixpoint ties, but the analysis is sound: all the properties that are ⊆ (3) found (absence of run-time errors, worst-case execution time, lfp T of T . Because all non-trivial properties of programs are undecid- etc.) are indeed true for all executions. A specificity of static ⊆ analysis is that it works directly on the concrete system that able, t? = lfp T is not computable for infinite state transi- is input to compilers or code generators, and the abstracted tion systems hS; I; E; ti (except for trivial programs t and system is derived automatically according to built-in abstrac- specifications E). tion mechanisms; no abstract system need to be provided | which would pose the question of whether it indeed corre- 2.3 Specification sponds to the concrete one. We use the Abstract Interpre- tation framework [8], a general theory of the approximation A typical verification problem is to prove that no execution of semantics, to design static analyzers that are sound by starting in an initial state can reach a bad state (e.g. where construction. There is no silver bullet: each static analyzer the next execution step would raise an error). The correct- should be tailored to a specific class of properties and pro- ness condition is 8s 2 I : 8s0 2 S : t?(s; s0) =) s0 62 E that grams to achieve both precision (low rate of missed prop- is no state s0 reachable from the initial states s is a bad state. erties) and efficiency. Thankfully, Abstract Interpretation For example, E can be the set of blocking states in order to provides a growing library of ready-to-use abstractions, and specify the absence of deadlocks. Error-freedom can also be 0 ? 0 the mean to design new ones in a principled way. written R ⊆ S n E where R , fs j 9s 2 I : t (s; s )g is the set of states reachable from the initial states and After a short formal introduction to Abstract Interpreta- X n Y , fx 2 X j x 62 Y g. tion theory in Sec.2, this article describes more informally (1) ? 0 It follows that t (s; s ) = 9n > 0 : 9s0; : : : ; sn : s = s0 ^ t(s0; s1) ^ several static analysis applications: checking for run-time 0 0 ::: ^ t(sn−1; sn) ^ sn = s , including the case s = s for n = 0. ´ (2) 00 0 errors with Astree (Sec.3), translation validation from ◦ is the composition of relations that is r1 ◦ r2 , fhx; x i j 9x : hx; 0 0 00 C to assembly (Sec.4), and analyzing communicating syn- x i 2 r1 ^ hx ; x i 2 r2g. v chronous systems with imperfect clocks (Sec.5). Section6 (3)The v-least fixpoint lfp f of an increasing map f on a poset v v concludes and suggests the application of Abstract Interpre- partially ordered by v is defined by f(lfp f) = lfp f and f(x) v x v tation to modeling languages such as UML.
Load more

Recommended publications
  • Integrated Program Debugging, Verification, and Optimization Using Abstract Interpretation (And the Ciao System Preprocessor)
    Integrated Program Debugging, Verification, and Optimization Using Abstract Interpretation (and The Ciao System Preprocessor) Manuel V. Hermenegildo a,b Germ´anPuebla a Francisco Bueno a Pedro L´opez-Garc´ıa a aDepartment of Computer Science, Technical University of Madrid (UPM) {herme,german,bueno,pedro.lopez}@fi.upm.es http://www.clip.dia.fi.upm.es/ bDepts. of Comp. Science and Electrical and Computer Eng., U. of New Mexico [email protected] – http://www.unm.edu/~herme Abstract The technique of Abstract Interpretation has allowed the development of very so- phisticated global program analyses which are at the same time provably correct and practical. We present in a tutorial fashion a novel program development frame- work which uses abstract interpretation as a fundamental tool. The framework uses modular, incremental abstract interpretation to obtain information about the pro- gram. This information is used to validate programs, to detect bugs with respect to partial specifications written using assertions (in the program itself and/or in system libraries), to generate and simplify run-time tests, and to perform high-level program transformations such as multiple abstract specialization, parallelization, and resource usage control, all in a provably correct way. In the case of valida- tion and debugging, the assertions can refer to a variety of program points such as procedure entry, procedure exit, points within procedures, or global computations. The system can reason with much richer information than, for example, traditional types. This includes data structure shape (including pointer sharing), bounds on data structure sizes, and other operational variable instantiation properties, as well as procedure-level properties such as determinacy, termination, non-failure, and bounds on resource consumption (time or space cost).
    [Show full text]
  • Abstract Interpretation and Abstract Domains with Special Attention to the Congruence Domain
    Malardalen¨ University Master Thesis Abstract Interpretation and Abstract Domains with special attention to the congruence domain Stefan Bygde May 2006 Department of Computer Science and Electronics Malardalen¨ University Vaster¨ as,˚ Sweden Abstract This thesis is a survey on a framework for program analysis known as Abstract interpre- tation. Abstract interpretation uses abstract semantics to obtain important properties of programs. Different abstract semantics can be used in abstract interpretation, to obtain different properties. For instance there are semantics that spots upper and lower limits for the values of the variables of the program. These different semantics are called abstract domains and this thesis is meant to summarize different numerical abstract domains as well as give mathematical properties to them. The thesis also offers a small survey of free software libraries that implements abstract domains. Special attention will be given to the congruence domain. The congruence domain was implemented in a program analysis tool developed at M¨alardalen University. In the congruence domain the property ”variable x is always congruent to n modulo m” is obtained. Abstract operators for this domain are presented and new bit-operators are introduced. Contents 1 Introduction 4 1.1 Static analysis and WCET . ..................... 4 1.2 SWEET . ................................ 5 1.3 Motivation and results ......................... 7 1.4 Related work . ......................... 7 1.5 Outline . ................................ 7 2 Collecting semantics 8 2.1 Definitions ................................ 8 2.2 The transition system . ......................... 9 3 Abstract Interpretation 9 3.1 The idea of abstraction ......................... 10 3.2 Galois connections . ......................... 10 3.2.1 An example . ......................... 11 3.3 Relational and non-relational domains ................
    [Show full text]
  • Abstract Interpretation
    Colloquium d’informatique de l’UPMC Sorbonne Universités Abstract Interpretation 29 septembre 2016, 18:00, Amphi 15 4 Place Jussieu, 75005 Paris Patrick Cousot [email protected]@yu.e1du cs.nyu.edu/~pcousot Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 1 © P. Cousot This is an abstract interpretation Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 2 © P. Cousot Scientific research Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 3 © P. Cousot Scientific research • In Mathematics/Physics: trend towards unification and synthesis through universal principles • In Computer science: trend towards dispersion and parcellation through a ever-growing collection of local ad-hoc techniques for specific applications An exponential process, will stop! Abstract interpretation, Colloquium d’informatique de l’UPMC Sorbonne Universités, 29 Septembre 2016 4 © P. Cousot Example: reasoning on computational structures WCET Operational Security protocole Systems biology Axiomatic verification semantics semantics analysis Abstraction Dataflow Model Database refinement Confidentiality checking analysis analysis query Type Partial Obfuscation Dependence Program evaluation inference synthesis Denotational analysis Separation Effect logic Grammar systems semantics CEGAR analysis Theories Program Termination Statistical Trace combination transformation proof semantics model-checking Interpolants Abstract Shape Code analysis
    [Show full text]
  • Precise and Scalable Static Program Analysis of NASA Flight Software
    Precise and Scalable Static Program Analysis of NASA Flight Software G. Brat and A. Venet Kestrel Technology NASA Ames Research Center, MS 26912 Moffett Field, CA 94035-1000 650-604-1 105 650-604-0775 brat @email.arc.nasa.gov [email protected] Abstract-Recent NASA mission failures (e.g., Mars Polar Unfortunately, traditional verification methods (such as Lander and Mars Orbiter) illustrate the importance of having testing) cannot guarantee the absence of errors in software an efficient verification and validation process for such systems. Therefore, it is important to build verification tools systems. One software error, as simple as it may be, can that exhaustively check for as many classes of errors as cause the loss of an expensive mission, or lead to budget possible. Static program analysis is a verification technique overruns and crunched schedules. Unfortunately, traditional that identifies faults, or certifies the absence of faults, in verification methods cannot guarantee the absence of errors software without having to execute the program. Using the in software systems. Therefore, we have developed the CGS formal semantic of the programming language (C in our static program analysis tool, which can exhaustively analyze case), this technique analyses the source code of a program large C programs. CGS analyzes the source code and looking for faults of a certain type. We have developed a identifies statements in which arrays are accessed out Of static program analysis tool, called C Global Surveyor bounds, or, pointers are used outside the memory region (CGS), which can analyze large C programs for embedded they should address.
    [Show full text]
  • Static Program Analysis Via 3-Valued Logic
    Static Program Analysis via 3-Valued Logic ¡ ¢ £ Thomas Reps , Mooly Sagiv , and Reinhard Wilhelm ¤ Comp. Sci. Dept., University of Wisconsin; [email protected] ¥ School of Comp. Sci., Tel Aviv University; [email protected] ¦ Informatik, Univ. des Saarlandes;[email protected] Abstract. This paper reviews the principles behind the paradigm of “abstract interpretation via § -valued logic,” discusses recent work to extend the approach, and summarizes on- going research aimed at overcoming remaining limitations on the ability to create program- analysis algorithms fully automatically. 1 Introduction Static analysis concerns techniques for obtaining information about the possible states that a program passes through during execution, without actually running the program on specific inputs. Instead, static-analysis techniques explore a program’s behavior for all possible inputs and all possible states that the program can reach. To make this feasible, the program is “run in the aggregate”—i.e., on abstract descriptors that repre- sent collections of many states. In the last few years, researchers have made important advances in applying static analysis in new kinds of program-analysis tools for identi- fying bugs and security vulnerabilities [1–7]. In these tools, static analysis provides a way in which properties of a program’s behavior can be verified (or, alternatively, ways in which bugs and security vulnerabilities can be detected). Static analysis is used to provide a safe answer to the question “Can the program reach a bad state?” Despite these successes, substantial challenges still remain. In particular, pointers and dynamically-allocated storage are features of all modern imperative programming languages, but their use is error-prone: ¨ Dereferencing NULL-valued pointers and accessing previously deallocated stor- age are two common programming mistakes.
    [Show full text]
  • Design of Semantics by Abstract Interpretation
    …/… Design of Semantics by Abstract Interpretation -- Abstraction of the relational into a nondeterministic Plotkin/- Smyth/Hoare denotational/functional semantics; -- Abstraction of the natural/demoniac relational into a determin­ istic denotational/functional semantics;Scott’ssemantics; Patrick COUSOT -- Abstraction of nondeterministic denotational semantics to weakest École Normale Supérieure precondition/strongest postcondition predicate transformer se­ DMI, 45, rue d’Ulm mantics; 75230 Paris cedex 05 Abstraction of predicate transformer semantics to à la Hoare France -- ax­ ;Programproofmethods; [email protected] iomatic semantics http://www.dmi.ens.fr/ cousot Extension to the λ-calculus. ˜ • MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, am Montag, dem 2. Juni 1997 um 14.15 Uhr 1 1 Extended version of the invited address at MFPS XIII, CMU, Pittsburgh, March 24, 1997 © P. Cousot 1 MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2. Juni 1997 © P. Cousot 3 MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2. Juni 1997 Content Application of abstract interpretation ideas to the design of formal semantics: Examples of Abstract Interpretations Examples of abstract interpretations; • Abstraction of fixpoint semantics; • -- Maximal trace semantics of nondeterministic transition systems; -- Abstraction of the trace into a natural/demoniac/angelic relational semantics; …/… © P. Cousot 2 MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2. Juni 1997 © P. Cousot 4 MPI-Kolloquium,
    [Show full text]
  • Abstract Interpretation Based Program Testing
    1 Abstract Interpretation Based Program Testing Patrick Cousot and Radhia Cousot Département d’informatique Laboratoire d’informatique École normale supérieure École polytechnique 45 rue d’Ulm 91128 Palaiseau cedex, France 75230 Paris cedex 05, France [email protected] [email protected] http://lix.polytechnique.fr/˜rcousot http://www.di.ens.fr/˜cousot Abstract— Every one can daily experiment that programs II. An informal introduction to abstract are bugged. Software bugs can have severe if not catas­ testing trophic consequences in computer-based safety critical ap­ plications. This impels the development of formal methods, Abstract testing is the verification that the abstract se­ whether manual, computer-assisted or automatic, for verify­ mantics of a program satisfies an abstract specification. ing that a program satisfies a specification. Among the auto­ matic formal methods, program static analysis can be used The origin is the abstract interpretation based static check­ to check for the absence of run-time errors. In this case the ing of safety properties [1], [2] such as array bound checking specification is provided by the semantics of the program­ and the absence of run-time errors which was extended to ming language in which the program is written. Abstract in­ terpretation provides a formal theory for approximating this liveness properties such as termination [3], [4]. semantics, which leads to completely automated tools where Consider for example, the factorial program (the random run-time bugs can be statically and safely classified as un­ assignment ? is equivalent to the reading of an input value reachable, certain, impossible or potential. We discuss the or the passing of an unknown but initialized parameter extension of these techniques to abstract testing where speci­ fications are provided by the programmers.
    [Show full text]
  • Lecture Notes in Computer Science 1145 Edited by G
    Lecture Notes in Computer Science 1145 Edited by G. Goos, J. Hartmanis and J. van Leeuwen Advisory Board: W. Brauer D. Gries J. Stoer Radhia Cousot David A. Schmidt (Eds.) Static Analysis Third International Symposium, SAS '96 Aachen, Germany, September 24-26, 1996 Proceedings ~ Springer Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editors Radhia Cousot l~cole Polytechnique, Laboratoire d'Inforrnatique F-91128 Palaiseau Cedex, France E-mail: radhia.cousot @lix.polytechnique.fr David A. Schmidt Kansas State University, Department of Computing and Information Sciences Manhattan, KS 66506, USA E-maih [email protected] Cataloging-in-Publication data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Static analysis : third international symposium ; proceedings / SAS '96, Aachen, Germany, September 24 - 26, 1996. Radhia Cousot ; David A. Schmidt (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Santa Clara ; Singapore ; Tokyo : Springer, 1996 (Lecture notes in computer science ; Vol. 1145) ISBN 3-540-61739-6 NE: Cousot, Radhia [Hrsg.]; SAS <3, 1996, Aachen>; GT CR Subject Classification (1991): D.1, D.2.8, D.3.2-3,F.3.1-2, F.4.2 ISSN 0302-9743 ISBN 3-540-61739-6 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer -Verlag.
    [Show full text]
  • Abstract Interpretation of Programs for Model-Based Debugging
    Abstract Interpretation of Programs for Model-Based Debugging Wolfgang Mayer Markus Stumptner Advanced Computing Research Centre University of South Australia [mayer,mst]@cs.unisa.edu.au Language Abstract Semantics Test-Cases Developing model-based automatic debugging strategies has been an active research area for sev- Program eral years. We present a model-based debug- Conformance Test Components ging approach that is based on Abstract Interpre- Fault Conflict sets tation, a technique borrowed from program analy- Assumptions sis. The Abstract Interpretation mechanism is inte- grated with a classical model-based reasoning en- MBSD Engine gine. We test the approach on sample programs and provide the first experimental comparison with earlier models used for debugging. The results Diagnoses show that the Abstract Interpretation based model provides more precise explanations than previous Figure 1: MBSD cycle models or standard non-model based approaches. 2 Model-based debugging 1 Introduction Model-based software debugging (MBSD) is an application of Model-based Diagnosis (MBD) [19] techniques to locat- Developing tools to support the software engineer in locating ing errors in computer programs. MBSD was first intro- bugs in programs has been an active research area during the duced by Console et. al. [6], with the goal of identifying last decades, as increasingly complex programs require more incorrect clauses in logic programs; the approach has since and more effort to understand and maintain them. Several dif- been extended to different programming languages, includ- ferent approaches have been developed, using syntactic and ing VHDL [10] a n d JAVA [21]. semantic properties of programs and languages. The basic principle of MBD is to compare a model,ade- This paper extends past research on model-based diagnosis scription of the correct behaviour of a system, to the observed of mainstream object oriented languages, with Java as con- behaviour of the system.
    [Show full text]
  • Abstract Interpretation: a Unified Lattice Model for Static Analysis of Programs by Construction Or Approximation of Fixpoints
    ABSTRACT INTERPRETATION : ‘A UNIFIED LATTICE MODEL FOR STATIC ANALYSIS OF PROGRAMS BY CONSTRUCTION OR APPROXIMATION OF FIXPOINTS Patrick Cousot*and Radhia Cousot** Laboratoire d’Informatique, U.S.M.G., BP. 53 38041 Grenoble cedex, France 1. Introduction Abstract program properties are modeled by a com– plete semilattice, Birkhoff[611. Elementary Pro- A program denotes computations in some universe of gram constructs are locally interpreted by order objects. Abstract interpretation of programs con– preserving functions which are used to associate sists in using that denotation to describe compu– a system of recursive equations with a program. The tations in another universe of abstract objects, program global properties are then defined as one so that the results of abstract execution give of the extreme fixpoints of that system, Tarski [55]. some information on the actual computations. An The abstraction process is defined in section 6. It intuitive example (which we borrow from Sintzoff is shown that the program properties obtained by 172]) is the rule of signs. The text ‘1515* 17 an abstract interpretation of a program are consis– may be understood to denote computations on the tent with those obtained by a more refined inter– abstract universe {(+), (-), (~)} where the se- pretation of that program. In particular, an ab– mantics of arithmetic operators is defined by the stract interpretation may be shown to be consistent rule of signs. The abstract execution -1515* 17 with the formal semantics of the language. Levels => -(+) * (+) e> (–) * (+) => (–), proves that of abstraction are formalized by showing that con- –1515 * 17 is a negative number. Abstract interpre– sistent abstract interpretations form a lattice tation is concerned by a particular underlying (section 7).
    [Show full text]
  • Arxiv:1007.3250V1 [Cs.PL] 19 Jul 2010 Ple Opromhg-Adlwlvlotmztosand Optimizations Low-Level and High- Perform to Applied Ae Rpoesro the of Etc
    Verification of Java Bytecode using Analysis and Transformation of Logic Programs E. Albert1, M. G´omez-Zamalloa1, L. Hubert2, and G. Puebla2 1 DSIC, Complutense University of Madrid, E-28040 Madrid, Spain 2 CLIP, Technical University of Madrid, E-28660 Boadilla del Monte, Madrid, Spain {elvira,mzamalloa,laurent,german}@clip.dia.fi.upm.es Abstract. State of the art analyzers in the Logic Programming (LP) paradigm are nowadays mature and sophisticated. They allow inferring a wide variety of global properties including termination, bounds on re- source consumption, etc. The aim of this work is to automatically transfer the power of such analysis tools for LP to the analysis and verification of Java bytecode (jvml). In order to achieve our goal, we rely on well-known techniques for meta-programming and program specialization. More pre- cisely, we propose to partially evaluate a jvml interpreter implemented in LP together with (an LP representation of) a jvml program and then analyze the residual program. Interestingly, at least for the examples we have studied, our approach produces very simple LP representations of the original jvml programs. This can be seen as a decompilation from jvml to high-level LP source. By reasoning about such residual programs, we can automatically prove in the CiaoPP system some non-trivial prop- erties of jvml programs such as termination, run-time error freeness and infer bounds on its resource consumption. We are not aware of any other system which is able to verify such advanced properties of Java bytecode. 1 Introduction Verifying programs in the (Constraint) Logic Programming paradigm —(C)LP— offers a good number of advantages, an important one being the maturity and sophistication of the analysis tools available for it.
    [Show full text]
  • Verification by Abstract Interpretation
    Verification by Abstract Interpretation Patrick Cousot École normale supérieure, Département d’informatique 45 rue d’Ulm, 75230 Paris cedex 05, France [email protected], www.di.ens.fr/~cousot Dedicated to Zohar Manna, for his 26th birthday. Abstract. Abstract interpretation theory formalizes the idea of abstrac- tion of mathematical structures, in particular those involved in the spec- ification of properties and proof methods of computer systems. Verifica- tion by abstract interpretation is illustrated on the particular cases of predicate abstraction, which is revisited to handle infinitary abstractions, and on the new parametric predicate abstraction. 1 Introduction Abstract interpretation theory [7,8,9,11,13] formalizes the idea of abstraction of mathematical structures, in particular those involved in the specification of properties and proof methods of computer systems. Verification by abstract interpretation is illustrated on the particular cases of predicate abstraction [4,15,19] (where the finitary program-specific ground atomic propositional components of inductive invariants have to be provided) which is revisited (in that it is derived by systematic approximation of the con- crete semantics of a programming language using an infinitary abstraction) and on the new parametric predicate abstraction, a program-independent generaliza- tion (where parameterized infinitary predicates are automatically combined by reduction and instantiated to particular programs by approximation). 2 Elements of Abstract Interpretation Let us first recall a few elements of abstract interpretation from [7,9,11]. 2.1 Properties and Their Abstraction. Given a set Σ of objects (such as program states, execution traces, etc.), we represent properties P of objects s ∈ Σ as sets of objects P ∈ ℘(Σ) (which have the considered property).
    [Show full text]