Abstract Interpretation and Static Analysis. Introductory Motivations on Software Reliability. The Software Reliability Problem
|
|
- Joanna Sparks
- 6 years ago
- Views:
Transcription
1 Abstract Interpretation and Static Analsis Patrick COUSOT École Normale Supérieure, 45 rue d Ulm Paris cede 05, France mailto:cousot@ens.fr cousot IFIP WG 10.4, 40th Meeting on Formal Methods, Stenungsund, Sweden, Jul 4 8, 2001 The Software Reliabilit Problem The evolution of hardware b a factor of 10 6 over the past 25 ears has lead to the eplosion of the program sizes; The scope of application of ver large software is likel to widen rapidl in the net decade; These big programs will have to be modified and maintained during their lifetime (often over 20 ears); The size and efficienc of the programming and maintenance teams in charge of their design and follow-up cannot grow up in similar proportions; IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot The Software Reliabilit Problem (Cont d) Introductor Motivations on Software Reliabilit At a not so uncommon (and often optimistic) rate of one bug per thousand lines such huge programs might rapidl become hardl manageable in particular for safet critical sstems; Therefore in the net 10 ears, the software reliabilit problem is likel to become a major concern and challenge to modern highl computer-dependent societies. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
2 What Can We Do About It? The Verification/Validation Problem Use our intelligence (thinking/intellectual tools: abstract interpretation); Use our computer (mechanical tools : static program analsis/checking/testing,the earl idea of using computers to reason about computer). Computer program Programming language semantics Program semantics = model of actual program eecutions in all environments Satisfaction Formal specification Specification language semantics Specification semantics = model of required program eecutions in allowed environments IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: Model Checking Software Verification and Validation Computer program Programming language semantics Program semantics = model of actual program eecutions in all environments??? Program model Model checking Checking Satisfaction Temporal specification? Formal specification Specification language semantics Specification semantics = model of required program eecutions in allowed environments IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
3 Other Eamples of Software Verification/Validation Techniques Software testing; Simulation and prototping; Technical reviews; Requirements tracing; Formal correctness proofs; Etc. Fundamental Theoretical Limitations Undecidabilit: full automation of software verification/validation is impossible; Eamples of undecidable questions: Is m program bug-free? (i.e. correct with respect to a given specification); Can a program variable take two different values during eecution? IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Testing: Practical Limitations Testing all data on all paths is impossible; Formal methods: No formal specification perfectl reflects informal human epectations; Proofs grow eponentiall in the size of programs/specifications which is incompatible with friendl user interaction and full automation; etc. Undecidabilit and Approimation Since program verification is undecidable, computer aided program verification methods are all partial/incomplete; The all involve some form of approimation: restricted specifications or programs (e.g. finiteness), decidable questions or semi-algorithms, practical time/memor compleit limitations, require user interaction; Most of these approimations are formalized b Abstract Interpretation. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
4 Eamples of approimations Testing: coverage is partial (so errors are frequentl found until the end of the software lifetime); Proofs: specifications are often partial, debugging proofs is often harder that testing programs (so onl parts of ver large software can be formall proved correct); Model checking: the model must fit machine limitations (so some facets of program eecution must be left out) and be redesigned after program modifications; Tping: tpes are weak program properties (so tpe verification cannot be generalized to comple specifications). Semantics IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Content Introductor motivations on software reliabilit Software verification and validation...5 Semantics Abstract Interpretation Abstraction Conservative approimation & information loss Static program analsis Static program checking Static program testing Conclusion Semantics: intuition The semantics of a language defines the semantics of an program written in this language; The semantics of a program provides a formal mathematical model of all possible behaviors of a computer sstem eecuting this program (interacting with an possible environment); An semantics of a program can be defined as the solution of a fipoint equation; All semantics of a program can be organized in a hierarch b abstraction. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
5 Eample: trace semantics Initial states Intermediate states a b c d e g i k Final states of the finite traces Infinite traces l discrete time h f j Least Fipoints: intuition Behaviors = { is a final state} {... is an elementar step &... Behaviors + } { is an elementar step & Behaviors } In general, the equation has multiple solutions. Choose the least one for the partial ordering: «morefinitetraces&lessinfinitetraces». IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eamples of computation traces Finite (C1+1=): Erroneous (C ): Abstract Interpretation Infinite (C ): IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
6 Abstract Interpretation [1] Formalizes the idea of approimation of sets and set operations as considered in set (or categor) theor; A theor of approimation of the semantics of programming languages; Main application: formal method for inferring general runtime properties of programs. Usefulness of Abstract Interpretation Thinking tools: the idea of abstraction is central to reasoning (in particular on computer sstems); Mechanical tools: the idea of effective approimation leads to automatic semantics-based program manipulation tools. Reference [1] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analsis of programs b construction or approimation of fipoints. In Conf. Record of the 4th Annual ACM SIGPLAN-SIGACT Smp. on Principles of Programming Languages POPL 77,LosAngeles,CA,1977.ACMPress,pp IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot The Theor of Abstract Interpretation Abstract interpretation is a theor of conservative approimation of the semantics of computer sstems. Approimation: observation of the behavior of a computer sstem at some level of abstraction, ignoring irrelevant details; Conservative: the approimation cannot lead to an erroneous conclusion. Abstraction IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
7 Abstraction: intuition Approimations of an [in]finite set of points; Abstract interpretation formalizes the intuitive idea that a semantics is more or less precise according to the considered observation level of the program eecutions; Abstract interpretation theor formalizes this notion of approimation/abstraction in a mathematical setting which is independent of particular applications. {..., 19, 78,..., 20, 01,...} IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Approimations of an [in]finite set of points: From Below Intuition behind abstraction {..., 19, 78,...,...} IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
8 Approimations of an [in]finite set of points: From Above Effective computable approimations of an [in]finite set of points; Signs [2]?????????? {..., 19, 78,..., 20, 01,?,?,...} Reference { 0 0 [2] P. Cousot and R. Cousot. Sstematic design of program analsis frameworks. In 6 th POPL,pages , San Antonio, T, ACM Press. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Effective computable approimations of an [in]finite set of points; Intervals [3] Intuition Behind Effective Computable Abstraction { [19, 78] [20, 01] Reference [3] P. Cousot and R. Cousot. Static determination of dnamic properties of programs. In 2 nd Int. Smp. on Programming,pages Dunod,1976. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
9 Effective computable approimations of an [in]finite set of points; Octagons [4] Effective computable approimations of an [in]finite set of points; Simple congruences [6] { =19mod78 =20mod99 Reference [4] A. Miné. A New Numerical Abstract Domain Based on Difference-Bound Matrices. Proc. 2 nd Smp. on Programs as Data Objects PADO 2001,0.Danv&A.Filinski(Eds.),LNCS2053,Springer,2001,pp Reference [6] P. Granger. Static analsis of arithmetical congruences. Int. J. Comput. Math., 30: , IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Effective computable approimations of an [in]finite set of points; Polhedra [5] Effective computable approimations of an [in]finite set of points; Linear congruences [7] { { 1 +9 =7mod8 2 1 =9mod9 Reference [5] P. Cousot and N. Halbwachs. Automatic discover of linear restraints among variables of a program. In 5 th POPL,pages84 97,Tucson,AZ,1978.ACMPress. Reference [7] P. Granger. Static analsis of linear congruence equalities among variables of a program. CAAP 91,LNCS 493, pp Springer, IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
10 Effective computable approimations of an [in]finite set of points; Trapezoidal linear congruences [8] { 1 +9 [0, 78] mod [0, 99] mod 11 Intuition Behind Sound/Conservative Approimation Reference [8] F. Masdupu. Arra operations abstraction using semantic analsis of trapezoid congruences. In ACM Int. Conf. on Supercomputing, ICS 92,pages ,1992. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Conservative Approimation Conservative Approimation and Information Loss Is the operation 1/(+1-) well defined at run-time? Concrete semantics: es 1 IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
11 Conservative Approimation Is the operation 1/(+1-) well defined at run-time? Testing : You never know! Conservative Approimation Is the operation 1/(+1-) well defined at run-time? Abstract semantics es? 1 1 IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Conservative Approimation Is the operation 1/(+1-) well defined at run-time? Abstract semantics Idon tknow Intuition Behind Information Loss 1 IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
12 Information Loss Abstraction α Allanswers given b the abstract semantics are alwas correct with respect to the concrete semantics; Because of the information loss, not all questions can be definitel answered with the abstract semantics; The more concrete semantics can answer more questions; The more abstract semantics are more simple α {:[1,99], :[2,77]} 1 99 IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Basic Elements of Abstract Interpretation Theor 77 Concretization γ {:[2,77], :[2,99]} IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
13 The Abstraction α is Monotone The γ α Composition α α {:[33,89], :[48,61]} {:[1,99], :[2,99]} 77 2 α {:[1,99], :[2,77]} Y α() α(y ) 1 99 γ α() IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot The Concretization γ is Monotone The α γ Composition {:[33,89], :[48,61]} {:[1,99], :[2,99]} 77 2 α {:[1,99], :[2,77]} = {:[1,99], :[2,77]} Y γ() γ(y ) 1 99 α γ(y )=Y IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
14 Galois Connection 1 γ P, Q, α iff α is monotone γ is monotone γ α() α γ(y ) Y 1 formalizations using closure operators, ideals, etc. are equivalent. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eact/Approimate Fipoint Abstraction Abstract domain F F F F F F F F F F F F Concrete domain Approimation relation F = α F γ lfp F γ(lfp F ) IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Abstract domain F F α Concrete domain γ P, Q, α P mon Function Abstraction F = α F γ λf. γ F α P, λf. α F γ Q mon Q, Eact/Approimate Fipoint Abstraction Abstract domain F F F F F α α α α α Approimation relation F F F F F F F F F F F Concrete domain F = α F γ lfp F γ(lfp F ) IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
15 Eact/Approimate Fipoint Abstraction Eact Abstraction: α(lfp F ) = lfp F Approimate Abstraction: α(lfp F ) lfp F AFewReferencesonFoundations [9] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analsis of programs b construction or approimation of fipoints. In 4 th POPL, pages , Los Angeles, CA, ACM Press. [10] P. Cousot and R. Cousot. Sstematic design of program analsis frameworks. In 6 th POPL, pages , San Antonio, T, ACM Press. [11] P. Cousot and R. Cousot. Abstract interpretation frameworks. J. Logic and Comp., 2(4): , IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot α Eact/Approimate Fipoint Abstraction Abstract domain F F F F F α α α α α α Approimation relation Applications of Abstract Interpretation F F F F F F F Concrete domain α F = F α α(lfp F ) = lfp F IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
16 Trace Semantics (Once Again) (1) Eact Abstractions Initial states Intermediate states a b c d e g i k Final states of the finite traces Infinite traces l discrete time h f j IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample 1 of Semantics Abstraction Abstractions of Semantics [12] Reference [12] P. Cousot. Constructive design of a hierarch of semantics of a transition sstem b abstract interpretation. To appear in Theoretical Computer Science,(2001). Initial states Intermediate states a b c d e g i k l discrete time h Trace semantics Final states of finite traces f j Infinite traces Initial states Final states a d α e g i k l f h j α a d e g i f h j Denotational semantics Natural semantics IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
17 Eample 2 of Semantics Abstraction Initial states Transitions a a b b c d e e f g g h i k l i j k l (Small-Step) Operational Semantics Final states d f h j Hoare logics Weakest precondition semantics Denotational semantics Relational semantics Trace semantics angelic natural demoniac determinist infinite Lattice of Semantics τ ph τ th τ gh τ wlp τ wp τ gwp τ τ D τ τ τ S τ τ τ EM τ τ + τ? τ τ τ ω! τ τ ω τ + τ τ abstraction equivalence restriction IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample 3 of Semantics Abstraction Initial states Reachable states a a b c d e e f g g h i i k k l l j Final states d f h j (2) Effective Approimate Abstractions Partial Correctness / Invariance Semantics Reference [13] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analsis of programs b construction or approimation of fipoints. POPL 77,ACMPress,pp IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
18 Effective Abstractions of Semantics If the approimation is rough enough, the abstraction of a semantics can lead to a version which is less precise but is effectivel computable b a computer; The computation of this abstract semantics amounts to the effective iterative resolution of fipoint equations; B effective computation of the abstract semantics,thecomputer is able to analze the behavior of programs and of software before and without eecuting them. Objective of Static Program Analsis Program analsis is the automatic static determination of dnamic run-time properties of programs; The principle is to compute an approimate semantics of the program to check a given specification; Abstract interpretation is used to derive, from a standard semantics, the approimate and computable abstract semantics; This derivation is itself not (full) mechanizable. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Basic Idea of Static Program Analsis Static Program Analsis Basic idea: use effective computable approimations of the program semantics; Advantage: full automatic, no need for error-prone user designed model or costl user interaction; Drawback: can onl handle properties captured b the approimation; Remed: ask the user to choose among a variet of possible approimations (abstract algebras) at various cost/precision ratio. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
19 Principle of a Static Program Analzer Program Generator Solver (Approimate) solution Diagnoser Diagnosis Specification Sstem of fipoint equations/constraints Program analzer Design of a Static Program Analzer b Abstract Interpretation Computer program Programming language semantics Program semantics = model of actual program eecutions in all environments Abstract program semantics Abstract Static Program Analsis ABSTRACTION Information about actual program eecutions in all environments Abstract Interpretation IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Generic Static Program Analzer Program Abstract algebra Generator Sstem of fipoint equations/constraints Solver (Approimate) solution Interfacor Information on program eecutions Program analzer Effective Smbolic Abstractions IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
20 Effective Abstractions of Smbolic Structures Most structures manipulated b programs are smbolic structures such as control structures (call graphs), data structures (search trees), communication structures (distributed & mobile programs), etc; It is ver difficult to find compact and epressive abstractions of such sets of objects (languages, automata, trees, graphs, etc.). Eample of Abstractions of Infinite Sets of Infinite Trees Binar Decision Graphs: [15] Reference [15] L. Mauborgne. Binar decision graphs. SAS 99,LNCS1694,pp Springer,1999. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample of Abstractions of Infinite Sets of Finite Trees Program : Eample of Abstractions of Infinite Sets of Infinite Trees (Cont d) Tree Schemata: [16, 17] Y := cop() Alias analsis: Eample of impossible configuration: Y := cop() {( (tl ) i hd, Y (tl ) j hd) i = j} Reference [14] A. Deutsch. Interprocedural ma-alias analsis for pointers: beond k-limiting. In PLDI 94,pp ,1994. Reference [16] L. Mauborgne. Improving the representation of infinite trees to deal with sets of trees. ESOP 2000,LNCS 1782, pp Springer, [17] L. Mauborgne. Tree schemata and fair termination. SAS 2000,LNCS1824,pp Springer,2000. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
21 AClassicalEample: Interval Analsis Eample: interval analsis (1975) 2 Equations (abstract interpretation of the semantics): 1 = [1, 1] 2 = ( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 = ( 1 3 ) [10000, + ] 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] 4 =( 1 3 ) [10000, + ] IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Program to be analzed: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] 4 =( 1 3 ) [10000, + ] IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Constraints (abstract interpretation of the semantics): 1 [1, 1] 2 ( 1 3 ) [, 9999] 3 2 [1, 1] while < do 4 ( 1 3 ) [10000, + ] 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] 4 =( 1 3 ) [10000, + ] IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
22 Eample: interval analsis (1975) 2 Increasing chaotic iteration, initialization: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 1 = 2 = 3 = 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 1] 3 = 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 = 3 = 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 1] 3 =[2, 2] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
23 Eample: interval analsis (1975) 2 Increasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 2] 3 =[2, 2] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence?? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 3] 3 =[2, 3] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 2] 3 =[2, 3] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence??? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 3] 3 =[2, 4] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
24 Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence???? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 4] 3 =[2, 4] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence?????? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 5] 3 =[2, 5] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence????? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 4] 3 =[2, 5] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Increasing chaotic iteration: convergence??????? 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 5] 3 =[2, 6] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
25 Eample: interval analsis (1975) 2 Convergence speed-up b etrapolation: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, + ] widening 3 =[2, 6] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Decreasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, + ] 3 =[2, + ] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot [,0] [,-1] [,-2] Widening [,+ ] [0,+ ] [-3,0] [-2,1] [-1,2] [0,3] [1,+ ] [-3,-1] [-2,0] [-1,1] [0,2] [1,3] [2,+ ] [-2,-1] [-1,0] [0,1] [1,2] [-2,-2] [-1,-1] [0,0] [1,1] [2,2] Ø Eample: interval analsis (1975) 2 Decreasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 9999] 3 =[2, + ] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
26 Eample: interval analsis (1975) 2 Decreasing chaotic iteration: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 9999] 3 =[2, 10000] 4 = IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Result of the interval analsis: 2 =( 1 3 ) [, 9999] { =1} 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] { [1, 9999]} { [2, 10000]} 2 =[1, 9999] { =10000} 3 =[2, 10000] 4 =[10000, 10000] IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Final solution: 2 =( 1 3 ) [, 9999] 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] 2 =[1, 9999] 3 =[2, 10000] 4 =[10000, 10000] IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot AMoreIntriguingEample program Variant_of_McCarth_91_function; var, Y : integer; function F( : integer) :integer; begin if > 100 then F := 10 else F := F(F(F(F(F(F(F(F(F(F( + 90)))))))))); end; begin readln(); Y := F(); { Y [91, + ] } end. Reference [18] F. Bourdoncle. Efficient chaotic iteration strategies with widenings. In Proc. FMPA, LNCS 735, pages Springer, IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
27 Probabilistic Program Analsis 4 double, i; assume (-1.0 < < 0.0); i = 0.0; while (i < 3.0) { += uniform(); i += 1.0; }; assert ( < 1.0); With 99% safet: the probabilit of the outcome ( <1) is less than 0.859, assuming: worst-case nondeterministic choices of the precondition ( 1.0 <<0.0), random choices uniform() chosen in [0, 1] with the Lebesgue uniform distribution. Static Program Checking 2 D. Monniau, SAS 00, POPL 01 IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Communication Topolog of Mobile Processes 3 Request A S B A A A Q2... Request Q2 Data echange Q1 S B P1 S P1 P2 S P1 P2... B Data echange Q1 Data echange B Q J. Feret, SAS 00, ENTCS Vol. 39 IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Objective of Static Program Checking Program Specification Program checker Diagnosis IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
28 Principle of a Static Program Checker Program Generator Solver (Approimate) solution Diagnoser Diagnosis Specification Sstem of fipoint equations/constraints Program checker IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample: interval analsis (1975) 2 Eploitation of the result of the interval analsis: 2 =( 1 3 ) [, 9999] { =1} 3 = 2 [1, 1] while < do 4 =( 1 3 ) [10000, + ] { [1, 9999]} { [2, 10000]} no overflow 2 =[1, 9999] { =10000} 3 =[2, 10000] 4 =[10000, 10000] IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Design of a Static Program Checker b Abstract Interpretation Computer program Programming language semantics Program semantics = model of actual program eecutions in all environments Abstract Static Program Checking Checking Abstract program semantics Satisfaction Abstract semantics specification ABSTRACTION Formal specification Specification language semantics Specification semantics = model of required program eecutions in allowed environments IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Other Eamples of Faultless Eecution Checks Absence of runtime errors (arra bounds violations, arithmetic overflow, erroneous data accesses, etc.), Absence of memor leaks (dangling pointers, uninitialized variables, etc.), Handling of all possible runtime eceptions (failures of I/O and sstem calls, etc.), No resource contention and race conditions in concurrent programs (deadlocks & livelocks), Termination / non termination conditions, Etc. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
29 Combining Empirical and Formal Methods Static Program Testing The user provides local formal abstractions of the program specifications using predefined abstractions 4 ; The program is evaluated b abstract interpretation of the formal semantics of the program 5 ; If the local abstract specification cannot be proved correct, a more precise abstract domain must be considered 6 ; The process is repeated until appropriate coverage of the specification. 4 thus replacing infinitel man test data. 5 thus replacing program eecution on the test data. 6 similarl to different test data. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Abstract checking versus Abstract Testing Abstract Program Testing Abstract checking: specification derived automaticall from the program (e.g. using the language specification for run-time errors); Abstract testing: specification provided b the programmer. Debugging Run the program On test data Checking if all right Providing more tests Until coverage Abstract testing Compute the abstract semantics Choosing a predefined abstraction Checking user-provided abstract assertions With more refined abstractions Until enough assertions proved or no predefined abstraction can do. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
30 Eample of predefined abstraction f n ATinEample 0: { n:[,+ ]?; f:[,+ ]? } static analzer inference read(n); diagnosis: definite error { n:[0,+ ]; f:[,+ ]? } f:=1; { n:[0,+ ]; f:[1,+ ] } while (n <> 0) do no error { n:[1,+ ]; f:[1,+ ] } f:=(f* n); { n:[1,+ ]; f:[1,+ ] } n:=(n-1) 5: { n:[0,+ ]; f:[1,+ ] } 6: { n:[0,0]; f:[1,+ ] } user program sometime true;; user specification potential error IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Eample of predefined abstraction: intervals f n ATinEample(Cont d) 0: { n: ; f: } static analzer inference initial (n < 0); user specification { n:[,-1]; f:[,+ ]? } f:= 1; user program { n:[,-1]; f:[,+ ] } while (n <> 0) do diagnosis: no error { n:[,-1]; f:[,+ ] } f:=(f* n); potential error { n:[,-1]; f:[,+ ] } n:=(n- 1) potential error 5: { n:[,-2]; f:[,+ ] } od 6: { n: ; f: } unreachable code IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
31 AMoreIntriguingEample program Variant_of_McCarth_91_function; var, Y : integer; function F( : integer) :integer; begin if > 100 then F := 10 else F := F(F(F(F(F(F(F(F(F(F( + end; begin readln(); {% > 100 %} Y := F(); {% sometime true %} end )))))))))); Eample of ccle: F(100) F(190) F(180) F(170) F(160) F(150) F(140) F(130) F(120) F(110) F(100) Eamples of Functional Specifications for Abstract Testing Worst-case eecution/response time in real-time sstems running on a computer with pipelines and caches; Periodicit of some action over time/with respect to some clock; Possible reactions to real-time event/message sequences; Compatibilit with state/transition/sequence diagrams/charts; Absence of deadlock/livelock with different scheduling policies; IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Comparing with program debugging Similarit: user interaction, on the source code; Essential differences: user provided test data are replaced b abstract specifications; evaluation of an abstract semantics instead of program eecution/simulation; one can prove the absence of (some categories of) bugs, not onl their presence; abstract evaluation can be forward and/or backward (reverse eecution). Conclusion IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
32 Concluding Remarks Program debugging is still the prominent industrial program verification method. Complementar program verification methods are needed; Full mechanized program verification b formal methods is either impossible (e.g. tping/program analsis) or etremel costl since it ultimatel requires user interaction (e.g. abstract model checking/deductive methods for large programs); For program verification, semantic abstraction is mandator but difficult whence hardl automatizable,evenwiththehelp of programmers; IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Does appl to an computer-related language with a wellspecified semantics describing computations (e.g. specification languages, data base languages, sequential, concurrent, distributed, mobile, logical, functional, object oriented, programming languages, etc.); Does appl to an propert and combinations of properties (such as safet, liveness, timing, event preconditions, ); Can follow up program modifications over time; Ver cost effective,especiallinearlphasesofprogramdevelopment. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Concluding Suggestions Abstract interpretation introduces the idea of safe approimation within formal methods; So ou might think to use it for partial verification of the source specification/program code: Abstract checking (full automatic and ehaustive diagnosis on run-time safet properties), Abstract testing (interactive/planned diagnosis on functional, behavioural and resources-usage requirements), using tools providing predefined abstractions. / Industrialization of Static Analsis/Checking b Abstract Interpretation Connected Components Corporation (U.S.A.), L. Harrison, ; AbsInt Angewandte Informatik GmbH (German), R. Wilhelm & C. Ferdinand, 1998; Polspace Technologies (France), A. Deutsch & D. Pilaud, Internal use for compiler design. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
33 DA D LUS European project on the verification of critical real-time avionic software (oct sep. 2002): A E P. Cousot (ENS, France), scientific coordinator; R. Cousot (École poltechnique, France); A. Deutsch & D. Pilaud (Polspace Technologies, France); C. Ferdinand (AbsInt,German); É. Goubault (CEA, France); N. Jones (DIKU, Denmark); F. Randimbivololona & J. Souris (EADS Airbus, France), coord.; M. Sagiv (Univ. Tel Aviv, Israel); H. Seidel (Univ. Trier, German); R. Wilhelm (Univ. Sarrebrücken, German); IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot Areference(withalargebibliograph) P. Cousot. Abstract interpretation based formal methods and future challenges. In R. Wilhelm (editor), «Informatics 10YearsBack, 10 Years Ahead». Volume 2000 of Lecture Notes in Computer Science, pages Springer-Verlag, An etended electroning version is also available on Springer-Verlag web site together with a ver long electroning version with a complete bibliograph. IFIP WG 10.4, 40th Meeting,Jul4 8, P.Cousot
Verification of Embedded Software: Problems and Perspectives
Verification of Embedded Software: Problems and Perspectives Patrick COUSOT École Normale Supérieure 45 rue d Ulm 75230 Paris cedex 05, France Patrick.Cousot@ens.fr www.di.ens.fr/ cousot Radhia COUSOT
More informationLecture 6. Abstract Interpretation
Lecture 6. Abstract Interpretation Wei Le 2014.10 Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationWidening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)
EXPERIENCE AN INTRODUCTION WITH THE DESIGN TOF A SPECIAL PURPOSE STATIC ANALYZER ABSTRACT INTERPRETATION P. Cousot Patrick.Cousot@ens.fr http://www.di.ens.fr/~cousot Biarritz IFIP-WG 2.3 2.4 meeting (1)
More informationThe Verification Grand Challenge and Abstract Interpretation
The Verification Grand Challenge and Abstract Interpretation Patrick Cousot École normale supérieure, 45 rue d Ulm 75230 Paris cedex 05, France Patrick.Cousot ens fr Visiting the Aeronautics and Astronautics
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationAbstract Interpretation Based Formal Methods and Future Challenges (Electronic Version)
Abstract Interpretation Based Formal Methods and Future Challenges (Electronic Version) Patrick Cousot École normale supérieure, Département d informatique, 45 rue d Ulm, 75230 Paris cede 05, France Patrick.Cousot@ens.fr
More informationCalculational Design of Semantics and Static Analyzers by Abstract Interpretation
Calculational Design of Semantics and Static Analyzers by Abstract Interpretation Patrick Cousot École Normale Supérieure DMI, 45, rue d Ulm 75230 Paris cedex 05 France cousot@dmi.ens.fr http://www.dmi.ens.fr/
More informationAutomatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013
Automatic Qualification of Abstract Interpretation-based Static Analysis Tools Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013 2 Functional Safety Demonstration of functional correctness Well-defined
More informationMotivation. Automatic Large-Scale Software Verification by Abstract Interpretation. Patrick Cousot. Content. Abstract
Automatic Large-Scale Software Verification b Abstract Interpretation cousot @ di.ens.fr di.ens.fr/~cousot Patrick Cousot pcousot @ cims. nu. edu cims. nu. edu /~pcousot Tsinghua Software Da Beijing, China
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS
ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS Christian Ferdinand and Reinhold Heckmann AbsInt Angewandte Informatik GmbH, Stuhlsatzenhausweg 69, D-66123 Saarbrucken, Germany info@absint.com
More informationEECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization
EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Dataflow Lecture: SDF, Kahn Process Networks Stavros Tripakis University of California, Berkeley Stavros Tripakis: EECS
More informationAbstract Interpretation Based Static Analysis Parameterized by Semantics
Abstract Interpretation Based Static Analysis Parameterized by Semantics () Patrick Cousot École normale supérieure, DMI, 45 rue d Ulm, 75230 Paris cedex 05, France cousot@dmi.ens.fr http://www.dmi.ens.fr/
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationImproving the Static Analysis of Loops by Dynamic Partitioning Techniques
Improving the Static Analysis of Loops by Dynamic Partitioning echniques Matthieu Martel CEA - Recherche echnologique LIS-DSI-SLA CEA F91191 Gif-Sur-Yvette Cedex, France Matthieu.Martel@cea.fr Abstract
More informationThe ASTRÉE Analyzer Patrick Cousot 2, Radhia Cousot 1,3, Jerôme Feret 2, Laurent Mauborgne 2, Antoine Miné 2, David Monniaux 1,2, and Xavier Rival 2 1 CNRS 2 École Normale Supérieure, Paris, France Firstname.Lastname@ens.fr
More informationLookahead Widening. Denis Gopan 1 and Thomas Reps 1,2. 1 University of Wisconsin. 2 GrammaTech, Inc.
Lookahead Widening Denis Gopan and Thomas Reps,2 Universit of Wisconsin. 2 GrammaTech, Inc. {gopan,reps}@cs.wisc.edu Abstract. We present lookahead widening, a novel technique for using eisting widening
More informationUtilizing Static Analysis for Programmable Logic Controllers
Sébastien Bornot Ralf Huuck Ben Lukoschus Lehrstuhl für Softwaretechnologie Universität Kiel Preußerstraße 1 9, D-24105 Kiel, Germany seb rhu bls @informatik.uni-kiel.de Yassine Lakhnech Verimag Centre
More informationIterative Program Analysis Abstract Interpretation
Iterative Program Analysis Abstract Interpretation Summary by Ben Riva & Ofri Ziv Soundness Theorem Theorem: If a computation fixed-point is sound, then its least-fixed-point is sound. More precisely,
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationRelational Abstract Domains for the Detection of Floating-Point Run-Time Errors
ESOP 2004 Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors Antoine Miné École Normale Supérieure Paris FRANCE This work was partially supported by the ASTRÉE RNTL project
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationProgram Analysis and Verification
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 12: Interprocedural Analysis + Numerical Analysis Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav 1 Procedural program void main()
More informationApplications of Program analysis in Model-Based Design
Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,
More information! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !
What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationCommunication Complexity and Parallel Computing
Juraj Hromkovic Communication Complexity and Parallel Computing With 40 Figures Springer Table of Contents 1 Introduction 1 1.1 Motivation and Aims 1 1.2 Concept and Organization 4 1.3 How to Read the
More informationState of Practice. Automatic Verification of Embedded Control Software with ASTRÉE and beyond
Automatic Verification of Embedded Control Software with ASTRÉE and beyond Patrick Cousot Jerome C. Hunsaker Visiting Professor Department of Aeronautics and Astronautics, MIT cousot mit edu www.mit.edu/~cousot
More informationVisual Programming with Interaction Nets
Visual Programming with Interaction Nets Abubakar Hassan, Ian Mackie, and Jorge Sousa Pinto 1 Department of Informatics, Universit of Susse, Falmer, Brighton BN1 9QJ, UK 2 LIX, École Poltechnique, 91128
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationStatic Analysis and Verification of Aerospace Software
Static Analysis and Verification of Aerospace Software by Abstract Interpretation joint work with: Patrick Cousot Julien Bertrane and Radhia Cousot École normale supérieure, Paris Patrick Cousot, Courant
More informationResearch on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao
6th International Conference on Information Engineering for Mechanics and Materials (ICIMM 2016) Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa,
More informationAlgebraic Program Analysis
Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8, 2018 1 Program analysis Design algorithms
More informationCOMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University
Eugene Syriani Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science McGill University 1 OVERVIEW In the context In Theory: Timed Automata The language: Definitions and Semantics
More informationAutomatic synthesis of switching controllers for linear hybrid systems: Reachability control
Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Massimo Benerecetti and Marco Faella Università di Napoli Federico II, Italy Abstract. We consider the problem
More informationLecture 16 Notes AVL Trees
Lecture 16 Notes AVL Trees 15-122: Principles of Imperative Computation (Fall 2015) Frank Pfenning 1 Introduction Binar search trees are an ecellent data structure to implement associative arras, maps,
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationInterval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships
Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships Liqian Chen 1,2 Antoine Miné 3,2 Ji Wang 1 Patrick Cousot 2,4 1 National Lab. for Parallel and Distributed Processing, Changsha,
More informationProgress on Abstract Interpretation Based Formal Methods and Future Challenges
Progress on Abstract Interpretation Based Formal Methods and Future Challenges Patrick Cousot Département d informatique, École normale supérieure, 45 rue d Ulm, 75230 Paris cedex 05, France Patrick.Cousot@ens.fr
More informationTubes are Fun. By: Douglas A. Ruby Date: 6/9/2003 Class: Geometry or Trigonometry Grades: 9-12 INSTRUCTIONAL OBJECTIVES:
Tubes are Fun B: Douglas A. Rub Date: 6/9/2003 Class: Geometr or Trigonometr Grades: 9-2 INSTRUCTIONAL OBJECTIVES: Using a view tube students will conduct an eperiment involving variation of the viewing
More informationImplementing Object-Oriented Languages. Implementing instance variable access. Implementing dynamic dispatching (virtual functions)
Implementing Object-Oriented Languages Implementing instance variable access Ke features: inheritance (possibl multiple) subtping & subtpe polmorphism message passing, dnamic binding, run-time tpe testing
More informationAbstract debugging of higher-order imperative languages
Abstract debugging of higher-order imperative languages François Bourdoncle DIGITAL Paris Research Laboratory Centre de Mathématiques Appliquées 85, avenue Victor Hugo Ecole des Mines de Paris 92500 Rueil-Malmaison
More informationWhy does ASTRÉE scale up?
Form Methods Syst Des (2009) 35: 229 264 DOI 10.1007/s10703-009-0089-6 Why does ASTRÉE scale up? Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné Xavier Rival Published online:
More informationLecture Notes on AVL Trees
Lecture Notes on AVL Trees 15-122: Principles of Imperative Computation Frank Pfenning Lecture 19 March 28, 2013 1 Introduction Binar search trees are an ecellent data structure to implement associative
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationSimplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University
Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Loops and Loop Invariants Loop Head x = 0; while( x
More informationTechnical presentation
TOWARDS A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS The VESSEDIA Project Technical presentation Armand PUCCETTI, CEA Rome, 11th
More informationAbstract interpretation
The Verification Grand Challenge and Abstract Interpretation Patrick Cousot École normale supérieure, Paris, France cousot ens fr www.di.ens.fr/~cousot Verified Software: Theories, Tools, Experiments Zürich,
More information1.5 LIMITS. The Limit of a Function
60040_005.qd /5/05 :0 PM Page 49 SECTION.5 Limits 49.5 LIMITS Find its of functions graphicall and numericall. Use the properties of its to evaluate its of functions. Use different analtic techniques to
More informationPrinciples of Program Analysis. Lecture 1 Harry Xu Spring 2013
Principles of Program Analysis Lecture 1 Harry Xu Spring 2013 An Imperfect World Software has bugs The northeast blackout of 2003, affected 10 million people in Ontario and 45 million in eight U.S. states
More informationCS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014
CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014 1 Introduction to Abstract Interpretation At this point in the course, we have looked at several aspects of programming languages: operational
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationResearch Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001
Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright
More informationAn Approach to Behavioral Subtyping Based on Static Analysis
TACoS 04 Preliminary Version An Approach to Behavioral Subtyping Based on Static Analysis Francesco Logozzo 1 STIX - École Polytechnique F-91128 Palaiseau, France Abstract In mainstream object oriented
More informationCoverability Graph and Fairness
Coverability Graph and Fairness prof.dr.ir. Wil van der Aalst www.vdaalst.com Recall reachability analysis or1 x r1 rg1 g1 go1 o1 r2 rg2 g2 go2 o2 or2 Petri net standard properties Boundedness Terminating
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationFlight Systems are Cyber-Physical Systems
Flight Systems are Cyber-Physical Systems Dr. Christopher Landauer Software Systems Analysis Department The Aerospace Corporation Computer Science Division / Software Engineering Subdivision 08 November
More informationIntermediate Algebra. Gregg Waterman Oregon Institute of Technology
Intermediate Algebra Gregg Waterman Oregon Institute of Technolog c 2017 Gregg Waterman This work is licensed under the Creative Commons Attribution 4.0 International license. The essence of the license
More informationOn partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency
On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency Alex Horn and Daniel Kroening University of Oxford April 30, 2015 Outline What s Our Problem? Motivation and Example
More informationThe Apron Library. Antoine Miné. CEA Seminar December the 10th, CNRS, École normale supérieure
Antoine Miné CNRS, École normale supérieure CEA Seminar December the 10th, 2007 CEA December the 10th, 2007 Antoine Miné p. 1 / 64 Outline Introduction Introduction Main goals Theoretical background The
More informationPROGRAM ANALYSIS & SYNTHESIS
Lecture 02 Structural Operational Semantics (SOS) PROGRAM ANALYSIS & SYNTHESIS EranYahav 1 Previously static analysis over-approximation of program behavior abstract interpretation abstraction, transformers,
More informationPolynomials. Math 4800/6080 Project Course
Polnomials. Math 4800/6080 Project Course 2. The Plane. Boss, boss, ze plane, ze plane! Tattoo, Fantas Island The points of the plane R 2 are ordered pairs (x, ) of real numbers. We ll also use vector
More informationTrace Partitioning in Abstract Interpretation Based Static Analyzers
Trace Partitioning in Abstract Interpretation Based Static Analyzers DI, Laurent Mauborgne and Xavier Rival École Normale Supérieure, 45 rue d Ulm, 75 230 Paris cedex 05, France Emails: Laurent.Mauborgne@ens.fr
More informationImproving Timing Analysis for Matlab Simulink/Stateflow
Improving Timing Analysis for Matlab Simulink/Stateflow Lili Tan, Björn Wachter, Philipp Lucas, Reinhard Wilhelm Universität des Saarlandes, Saarbrücken, Germany {lili,bwachter,phlucas,wilhelm}@cs.uni-sb.de
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationLecture 5. Data Flow Analysis
Lecture 5. Data Flow Analysis Wei Le 2014.10 Abstraction-based Analysis dataflow analysis: combines model checking s fix point engine with abstract interpretation of data values abstract interpretation:
More informationSimple example. Analysis of programs with pointers. Program model. Points-to relation
Simple eample Analsis of programs with pointers := 5 ptr := & *ptr := 9 := program S1 S2 S3 S4 What are the defs and uses of in this program? Problem: just looking at variable names will not give ou the
More information2-1. The Language of Functions. Vocabulary
Chapter Lesson -1 BIG IDEA A function is a special tpe of relation that can be described b ordered pairs, graphs, written rules or algebraic rules such as equations. On pages 78 and 79, nine ordered pairs
More informationEE249 Discussion Petri Nets: Properties, Analysis and Applications - T. Murata. Chang-Ching Wu 10/9/2007
EE249 Discussion Petri Nets: Properties, Analysis and Applications - T. Murata Chang-Ching Wu 10/9/2007 What are Petri Nets A graphical & modeling tool. Describe systems that are concurrent, asynchronous,
More informationSoftware and Energy-aware Computing Fundamentals of static analysis of software
Software and Energy-aware Computing Fundamentals of static analysis of software John Gallagher Roskilde University ICT-Energy: Energy consumption in future ICT devices Summer School, Aalborg, Denmark,
More information2.3. Horizontal and Vertical Translations of Functions. Investigate
.3 Horizontal and Vertical Translations of Functions When a video game developer is designing a game, she might have several objects displaed on the computer screen that move from one place to another
More informationCITS5501 Software Testing and Quality Assurance Formal methods
CITS5501 Software Testing and Quality Assurance Formal methods Unit coordinator: Arran Stewart May 1, 2018 1 / 49 Sources Pressman, R., Software Engineering: A Practitioner s Approach, McGraw-Hill, 2005
More informationIntro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 1 Tuesday, January 29, 2013 1 Intro to semantics What is the meaning of a program? When we write a program, we use
More informationStatic Analysis and Verification of Aerospace Software by Abstract Interpretation
Static Analysis and Verification of Aerospace Software by Abstract Interpretation Julien Bertrane École normale supérieure, Paris Patrick Cousot, Courant Institute of Mathematical Sciences, NYU, New York
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Preliminaries Outline of Lecture 1 Preliminaries Introduction
More informationIntroduction to Shape and Pointer Analysis
Introduction to Shape and Pointer Analsis CS 502 Lecture 11 10/30/08 Some slides adapted from Nielson, Nielson, Hankin Principles of Program Analsis Analsis of the Heap Thus far, we have focussed on control
More informationFormal proofs of code generation and verification tools
Formal proofs of code generation and verification tools Xavier Leroy To cite this version: Xavier Leroy. Formal proofs of code generation and verification tools. Dimitra Giannakopoulou and Gwen Salaün.
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationGuided Static Analysis
Guided Static Analsis Denis Gopan and Thomas Reps,2 Universit of Wisconsin 2 GrammaTech, Inc. {gopan,reps}@cs.wisc.edu Abstract. In static analsis, the semantics of the program is epressed as a set of
More informationscience. In this course we investigate problems both algebraically and graphically.
Section. Graphs. Graphs Much of algebra is concerned with solving equations. Man algebraic techniques have been developed to provide insights into various sorts of equations and those techniques are essential
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationSymbolic Execution and Proof of Properties
Chapter 7 Symbolic Execution and Proof of Properties Symbolic execution builds predicates that characterize the conditions under which execution paths can be taken and the effect of the execution on program
More informationAreas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1
Areas related to SW verif. Trends in Software Validation Abhik Roychoudhury CS 6214 Formal Methods Model based techniques Proof construction techniques Program Analysis Static Analysis Abstract Interpretation
More informationImplicit differentiation
Roberto s Notes on Differential Calculus Chapter 4: Basic differentiation rules Section 5 Implicit differentiation What ou need to know alread: Basic rules of differentiation, including the chain rule.
More informationWeakly Relational Domains for Floating-Point Computation Analysis
Weakly Relational Domains for Floating-Point Computation Analysis Eric Goubault, Sylvie Putot CEA Saclay, F91191 Gif-sur-Yvette Cedex, France {eric.goubault,sylvie.putot}@cea.fr 1 Introduction We present
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More information20 Calculus and Structures
0 Calculus and Structures CHAPTER FUNCTIONS Calculus and Structures Copright LESSON FUNCTIONS. FUNCTIONS A function f is a relationship between an input and an output and a set of instructions as to how
More informationThe SPIN Model Checker
The SPIN Model Checker Metodi di Verifica del Software Andrea Corradini Lezione 1 2013 Slides liberamente adattate da Logic Model Checking, per gentile concessione di Gerard J. Holzmann http://spinroot.com/spin/doc/course/
More informationPart II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?
Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare
More informationStatic Program Analysis
Static Program Analysis Lecture 1: Introduction to Program Analysis Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de http://moves.rwth-aachen.de/teaching/ws-1415/spa/
More informationProgram verification. Generalities about software Verification Model Checking. September 20, 2016
Program verification Generalities about software Verification Model Checking Laure Gonnord David Monniaux September 20, 2016 1 / 43 The teaching staff Laure Gonnord, associate professor, LIP laboratory,
More informationTesting! Prof. Leon Osterweil! CS 520/620! Spring 2013!
Testing Prof. Leon Osterweil CS 520/620 Spring 2013 Relations and Analysis A software product consists of A collection of (types of) artifacts Related to each other by myriad Relations The relations are
More informationComputer Graphics. P04 Transformations. Aleksandra Pizurica Ghent University
Computer Graphics P4 Transformations Aleksandra Pizurica Ghent Universit Telecommunications and Information Processing Image Processing and Interpretation Group Transformations in computer graphics Goal:
More informationBuilding a specialized static analyzer
Building a specialized static analyzer The Astrée experience Antoine Miné CNRS, École Normale Supérieure Security and Reliability of Software Systems 12 December 2008 Antoine Miné Building a specialized
More informationWinter Compiler Construction T9 IR part 2 + Runtime organization. Announcements. Today. Know thy group s code
Winter 26-27 Compiler Construction T9 IR part 2 + Runtime organization Mool Sagiv and Roman Manevich School of Computer Science Tel-Aviv Universit Announcements What is epected in PA3 documentation (5
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationINFORMATION CODING AND NEURAL COMPUTING
INFORATION CODING AND NEURAL COPUTING J. Pedro Neto 1, Hava T. Siegelmann 2, and J. Féli Costa 1 jpn@di.fc.ul.pt, iehava@ie.technion.ac.il, and fgc@di.fc.ul.pt 1 Faculdade de Ciências da Universidade de
More informationHierarchical Shape Abstraction of Dynamic Structures in Static Blocks
Hierarchical Shape Abstraction of Dynamic Structures in Static Blocks Pascal Sotin and Xavier Rival INRIA 4 novembre 2013 P. Sotin, X. Rival (INRIA) Hierarchical Shape Abstraction 4 novembre 2013 1 / 29
More information