Static Analysis of Software
The Abstract Interpretation

Edited by Jean-Louis Boulanger

First published 2012 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Adapted and updated from "Utilisations industrielles des techniques formelles : interprétation abstraite", published 2011 in France by Hermes Science/Lavoisier. © LAVOISIER 2011

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd, 27-37 St George's Road, London SW19 4EU, UK, www.iste.co.uk
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA, www.wiley.com

© ISTE Ltd 2012
The rights of Jean-Louis Boulanger to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Cataloging-in-Publication Data
Static analysis of software : the abstract interpretation / edited by Jean-Louis Boulanger.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-84821-320-3
1. Computer software--Testing. 2. Debugging in computer science. 3. Computer software--Quality control. I. Boulanger, Jean-Louis.
QA76.76.T48S75 2011
005.1'4--dc23
2011039611

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN: 978-1-84821-320-3

Printed and bound in Great Britain by CPI Group (UK) Ltd., Croydon, Surrey CR0 4YY

Table of Contents

Introduction  xi
  Jean-Louis BOULANGER

Chapter 1. Formal Techniques for Verification and Validation  1
  Jean-Louis BOULANGER
  1.1. Introduction  1
  1.2. Realization of a software application  1
  1.3. Characteristics of a software application  3
  1.4. Realization cycle  4
    1.4.1. Cycle in V and other realization cycles  4
    1.4.2. Quality control (the impact of ISO standard 9001)  7
    1.4.3. Verification and validation  9
  1.5. Techniques, methods and practices  13
    1.5.1. Static verification  13
    1.5.2. Dynamic verification  35
    1.5.3. Validation  39
  1.6. New issues with verification and validation  39
  1.7. Conclusion  41
  1.8. Bibliography  42

Chapter 2. Airbus: Formal Verification in Avionics  45
  Jean SOUYRIS, David DELMAS and Stéphane DUPRAT
  2.1. Industrial context  45
    2.1.1. Avionic systems  45
    2.1.2. A few examples  46
    2.1.3. Regulatory framework  47
    2.1.4. Avionic functions  47
    2.1.5. Development of avionics levels  50
  2.2. Two methods for formal verification  52
    2.2.1. General principle of program proof  53
    2.2.2. Static analysis by abstract interpretation  54
    2.2.3. Program proof by calculation of the weakest precondition  61
  2.3. Four formal verification tools  66
    2.3.1. Caveat  66
    2.3.2. Proof of the absence of run-time errors: Astrée  68
    2.3.3. Stability and numerical precision: Fluctuat  73
    2.3.4. Calculation of the worst case execution time: aiT (AbsInt GmbH)  78
  2.4. Examples of industrial use  80
    2.4.1. Unitary Proof (verification of low level requirements)  80
    2.4.2. The calculation of worst case execution time  97
    2.4.3. Proof of the absence of run-time errors  103
  2.6. Bibliography  109

Chapter 3. Polyspace  113
  Patrick MUNIER
  3.1. Overview  113
  3.2. Introduction to software quality and verification procedures  114
  3.3. Static analysis  116
  3.4. Dynamic tests  116
  3.5. Abstract interpretation  117
  3.6. Code verification  118
  3.7. Robustness verification or contextual verification  121
    3.7.1. Robustness verifications  122
    3.7.2. Contextual verification  122
  3.8. Examples of Polyspace® results  123
    3.8.1. Example of safe code  123
    3.8.2. Example: dereferencing of a pointer outside its bounds  125
    3.8.3. Example: inter-procedural calls  126
  3.9. Carrying out a code verification with Polyspace  128
  3.10. Use of Polyspace® can improve the quality of embedded software  130
    3.10.1. Begin by establishing models and objectives for software quality  130
    3.10.2. Example of a software quality model with objectives  130
    3.10.3. Use of a subset of languages to satisfy coding rules  132
    3.10.4. Use of Polyspace® to reach software quality objectives  133
  3.11. Carrying out certification with Polyspace®  135
  3.12. The creation of critical onboard software  135
  3.13. Concrete uses of Polyspace®  135
    3.13.1. Automobile: Cummins engines improves the reliability of its motor's controllers  136
    3.13.2. Aerospace: EADS guarantees the reliability of satellite launches  137
    3.13.3. Medical devices: a code analysis leads to a recall of the device  138
    3.13.4. Other examples of the use of Polyspace®  139
  3.14. Conclusion  141
  3.15. Bibliography  141

Chapter 4. Software Robustness with Regards to Dysfunctional Values from Static Analysis  143
  Christèle FAURE, Jean-Louis BOULANGER and Samy AÏT KACI
  4.1. Introduction  143
  4.2. Normative context  144
  4.3. Elaboration of the proof of the robustness method  146
  4.4. General description of the method  151
    4.4.1. Required or effective value control  151
    4.4.2. Computation of the required control  154
    4.4.3. Verification of effective control  155
  4.5. Computation of the control required  157
    4.5.1. Identification of production/consumption of inputs  159
    4.5.2. Computation of value domains  160
  4.6. Verification of the effective control of an industrial application  161
    4.6.1. Target software  161
    4.6.2. Implementation  163
    4.6.3. Results  169
  4.7. Discussion and viewpoints  172
  4.8. Conclusion  173
  4.9. Bibliography  174

Chapter 5. CodePeer – Beyond Bug-finding with Static Analysis  177
  Steve BAIRD, Arnaud CHARLET, Yannick MOY and Tucker TAFT
  5.1. Positioning of CodePeer  177
    5.1.1. Mixing static checking and code understanding  177
    5.1.2. Generating contracts by abstract interpretation  179
  5.2. A tour of CodePeer capabilities  182
    5.2.1. Find defects in code  182
    5.2.2. Using annotations for code reviews  184
    5.2.3. Categorization of messages  186
    5.2.4. Help writing run-time tests  187
    5.2.5. Different kinds of output  188
  5.3. CodePeer's inner working  188
    5.3.1. Overview  188
    5.3.2. From Ada to SCIL  191
    5.3.3. Object identification  193
    5.3.4. Static single assignment and global value numbering  195
    5.3.5. Possible value propagation  200
  5.4. Conclusions  204
  5.5. Bibliography  205

Chapter 6. Formal Methods and Compliance to the DO-178C/ED-12C Standard in Aeronautics  207
  Emmanuel LEDINOT and Dillon PARIENTE
  6.1. Introduction  207
  6.2. Principles of the DO-178/ED-12 standard  208
    6.2.1. Inputs of the software development process  208
    6.2.2. Prescription of objectives  209
  6.3. Verification process  212
  6.4. The formal methods technical supplement  218
    6.4.1. Classes of formal methods  219
    6.4.2. Benefits of formal methods to meet DO-178C/ED-12C objectives  221
    6.4.3. Verification of the executable code at the source level  223
    6.4.4. Revision of the role of structural coverage  225
    6.4.5. Verification of the completeness of requirements and detection of unintended functions  227
  6.5. LLR verification by model-checking  229
  6.6. Contribution to the verification of robustness properties with Frama-C  234
    6.6.1. Introduction to Frama-C  234
    6.6.2. Presentation of the case study  241
    6.6.3. Analysis process of the case study  243
    6.6.4. Conclusion on the case study  252
  6.7. Static analysis and preservation of properties  252
  6.8. Conclusion and perspectives  256
  6.9. Appendices  258
    6.9.1. Automatically annotating a source code  258
    6.9.2. Automatically subdividing input intervals  259
    6.9.3. Introducing cut strategies for deductive verification  261
    6.9.4. Combining abstract interpretation, deductive verification and functions which can be evaluated in assertions  263
    6.9.5. Validating ACSL lemmas by formal calculus  265
    6.9.6. Combining static and dynamic analysis  266
    6.9.7. Finalizing  268
  6.10. Acknowledgements  268
  6.11. Bibliography  269

Chapter 7. Efficient Method Developed by Thales for Safety Evaluation of Real-to-Integer Discretization and Overflows in SIL4 Software  273
  Anthony BAÏOTTO, Fateh KAAKAÏ, Rafael MARCANO and Daniel DRAGO
  7.1. Introduction  273
  7.2. Discretization errors in the embedded code production chain  274
    7.2.1. Presentation of the issue  274
    7.2.2. Objective of the analysis of the real-to-integer discretization  278
  7.3. Modeling of the creation and propagation of uncertainties  280
    7.3.1. Creation of uncertainties  280
    7.3.2. Propagation of uncertainties  287
  7.4. Good practice of an analysis of real-to-integer discretization  294
    7.4.1. Code extraction  294
    7.4.2. Functional code reorganisation  294
    7.4.3. Algorithmic breakdown in basic arithmetic relations  295
    7.4.4. Computation of uncertainties  295
  7.5. Arithmetic overflow and division by zero  297
    7.5.1. Analysis of arithmetic overflow risk  297
    7.5.2. Analysis of the risk of division by zero  298
  7.6. Application to a rail signalling example  299
    7.6.1. General presentation of the communication-based train controller system  299
    7.6.2. Example of analysis of the behavior of speed control  300
    7.6.3. Industrial scale view: a few numbers  306
  7.7. Conclusion  307
  7.8. Annexe: proof supplements  308
    7.8.1. Proof 1: existence and unicity of integer division  308
    7.8.2. Proof 2: framing the error of integer division  312
    7.8.3. Proof 3: rules of the arithmetic of uncertainty intervals  314
    7.8.4. Proof 4: framing of uncertainties from a product  314
  7.9. Bibliography  317

Conclusion and viewpoints  319
  Jean-Louis BOULANGER

Glossary  323

List of Authors  327

Index  329

Introduction

Context

Although formal program analysis techniques (see the works by Hoare [HOA 69] and Dijkstra [DIJ 75]) are quite old, the implementation of formal methods goes back to the 1980s. These techniques enable us to analyze the behavior of a software application described in a programming language. Program correctness (good behavior, termination, etc.) is then demonstrated by program proof based on the calculation of the weakest precondition [DIJ 76].

It was not until the end of the 1990s that formal methods (Z [SPI 89], VDM [JON 90]) and the B method [ABR 96, ARA 97] were used in industrial applications and could be applied in an industrial context. One of the obstacles to their use was how they could be implemented in an industrial application (large application, time and cost constraints, etc.). They could only be implemented using tools that were mature enough and had sufficient performance.

It is worth noting that in the context of critical applications, at least two formal methods have a recognized and commonly used design environment that covers part of the realization of the code specification process while integrating one or several verification processes, that is to say the B method [ABR 96] and the Lustre language [HAL 91, ARA 97] and its graphic version, called SCADE® [DOR 08]. The B method and the SCADE® environment are associated with proven industrial tools.
For example, Atelier B and B-Toolkit, commercially produced by ClearSy and B-Core respectively, are tools that completely cover the B method development cycle (specification, refinement, code generation and proof).

Introduction written by Jean-Louis BOULANGER.

Formal methods are based on different formal verification techniques, such as proof, model checking [BAI 08] and/or simulation.

The use of formal methods, though in full expansion, is still marginal compared to the number of code lines. Indeed, there are currently far more lines of Ada [ANS 83], C and C++ code that have been produced manually than via a formal process. For this reason, other formal techniques have been implemented to verify the behavior of a software application written in a programming language such as C or Ada. The main technique, called abstract program interpretation [COU 00], enables us to evaluate the set of behaviors of a software application using static analysis. In the past few years, this type of technique has given rise to several tools, such as Polyspace®¹, Caveat², AbsInt³, Frama-C⁴ and/or Astrée⁵.

The efficiency of these static program analysis techniques has greatly progressed with the increase in the power of office equipment. It is worth noting that these techniques generally require the integration of complementary information into the manual code, such as pre-conditions, invariants and/or post-conditions.

SPARK Ada⁶ is an approach where Ada has been extended [BAR 03] in order to introduce additional elements (pre, post and invariant), and a sequence of adapted tools has been defined.

Objective

In [BOW 95] and [ARA 97], we have the first feedback from industrialists regarding formal techniques, and in particular feedback on the B method, the Lustre language [HAL 91, ARA 97] and SAO+ (SCADE®'s predecessor). Other works, such as [MON 00, MON 02, HAD 06], provide an overview of formal methods from a scientific point of view.

With regard to the presentation of the context and the state of the literature, our objective is to present concrete examples of the industrial uses of formal techniques. By formal techniques, we mean the different approaches based on mathematics which enable us to demonstrate that a software application respects a certain number of properties.

1. See www.mathworks.com/products/polyspace/.
2. See www-list.cea.fr/labos/fr/LSL/caveat/index.html.
3. See www.absint.com.
4. To find out more, see frama-c.com.
5. See www.astree.ens.fr.
6. www.altran-praxis.com/spark.aspx contains additional information about SPARK Ada.