GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools

Post on 01-Dec-2014


Description: a presentation given at GNAT Pro User Day about the latest advances in AdaCore static analysis tools.

Transcript

Latest Advances in AdaCore Static Analysis Tools

Presented by Arnaud Charlet

What is Static Analysis?

• Basic Static Analysis: coding standard checking, metrics, compiler warnings and style checks

• Advanced Static Analysis: symbolic execution/interpretation of source code, whole program analysis to perform software verification

• Formal Verification: verify high level or abstract properties on your application, give strong guarantees

Why Use Static Analysis?

• Make software more reliable at reasonable cost

• Full coverage of your code

• No missing check (no “false negatives”)

• Anticipate problems (get results before testing)

• Automate part of code review

• Express and verify your requirements and architecture

CodePeer Overview

• Advanced static analysis tool for Ada

• Includes also basic static analysis (gnatcheck, gnatmetric)

• Detects runtime and logic errors

• Buffer overflow, division by zero, dead code, …

• Analyzes complete or partial programs (full Ada)

• Generates human readable annotations

Why Use CodePeer?

• Early testing (detect errors earlier on code modifications/new code)

• Find bugs (on existing code)

• Impact analysis

• Code review: help focusing on potential problems/complex code

Why Use CodePeer?

• Race conditions

• Provide evidence for program verification

SPARK Overview

• Formal verification tool and language developed by AdaCore and Altran

• Subset of Ada 2012: no pointers, no exceptions

• New aspects, pragmas, attributes

• Can add (executable) contracts for more precise analysis

• Can combine test and proof at subprogram level

• Allows 100% automatic proof

Why Use SPARK?

• Guarantee no runtime errors, no uninitialized variables

• Functional verification

• Check data flows (data coupling)

• Express and verify high level properties

Why Use SPARK?

When starting from existing code:

• You can start by incrementally adding annotations (pre/post)

• Get immediate benefit from tests

• Incrementally get additional benefits from the SPARK toolset

Why Use SPARK?

When (re)writing (new) code:

• Express your requirements in a way that can be reviewed by humans, checked by testing, and verified by SPARK

• Express your software architecture, and verify it automatically
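As an added example (not code from the slides or from AdaCore) of the incremental approach described above: an existing Ada package gets preconditions and postconditions that state its requirements, a proof-only ("ghost") helper for the proof, and a small driver. The same contracts are then checked in three ways: reviewed by a human, executed as assertions when the driver is built with `-gnata`, and proved by GNATprove when the package is analyzed. The package name, subprograms and the driver are invented for this illustration; it assumes the GNAT toolchain, and the three units are written in one listing to be split with `gnatchop`.

```ada
--  Added example, not part of the original presentation.
--  Save as one file, run "gnatchop <file>" to split it into units,
--  build with "gnatmake -gnata contracts_demo" (contracts executed at
--  run time) and prove with GNATprove on a project that includes it.

package Safe_Math with SPARK_Mode is

   --  The precondition rules out both runtime errors of Integer
   --  division (division by zero and Integer'First / -1 overflow);
   --  the postcondition states the functional requirement.
   function Checked_Div (A, B : Integer) return Integer with
     Pre  => B /= 0 and then not (A = Integer'First and then B = -1),
     Post => Checked_Div'Result = A / B;

   --  Ghost function: exists only for proof and assertions, and is
   --  compiled out when assertions are disabled.
   function In_Range (X, Low, High : Integer) return Boolean is
     (X in Low .. High)
   with Ghost;

   --  Functional property: the result lies within the bounds, and is
   --  the input itself whenever the input was already in range.
   function Clamp (X, Low, High : Integer) return Integer with
     Pre  => Low <= High,
     Post => In_Range (Clamp'Result, Low, High)
             and then (if In_Range (X, Low, High) then Clamp'Result = X);

end Safe_Math;

package body Safe_Math with SPARK_Mode is

   function Checked_Div (A, B : Integer) return Integer is (A / B);

   function Clamp (X, Low, High : Integer) return Integer is
     (if X < Low then Low elsif X > High then High else X);

end Safe_Math;

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions; use Ada.Assertions;
with Safe_Math;      use Safe_Math;

--  Test driver (hypothetical). Built with -gnata, the contracts run as
--  checks, so a caller violating a precondition fails at the call site
--  instead of raising Constraint_Error somewhere inside the callee.
procedure Contracts_Demo is
begin
   Put_Line ("7 / 2 =" & Integer'Image (Checked_Div (7, 2)));
   Put_Line ("Clamp (150, 0, 100) =" & Integer'Image (Clamp (150, 0, 100)));

   begin
      Put_Line (Integer'Image (Checked_Div (7, 0)));  --  violates Pre
   exception
      when Assertion_Error =>
         Put_Line ("Precondition of Checked_Div failed, as expected");
   end;
end Contracts_Demo;
```

The driver deliberately stays outside SPARK (it handles an exception, which the SPARK subset excludes); only `Safe_Math` carries `SPARK_Mode`, so GNATprove proves absence of runtime errors and the postconditions there while ordinary tests exercise the same contracts at run time.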

SPARK vs. CodePeer

SPARK:

• Ada subset (no pointers/exceptions)

• Requires more effort (add contracts)

• Find (and prove) all runtime errors

• Verify functional correctness and security properties

CodePeer:

• Full Ada

• Very easy to run (easier than writing tests)

• Find possible runtime errors and suspicious code worth reviewing

• No functional error detection

• Can tune level of detection/false alarms

Next Release

SPARK 15.0 and CodePeer 3.0

What’s New in SPARK 15.0

• Improved proof capability

• Improved user interface

• New language features

Improved Proof Capability

• Local subprograms can be used without contracts

• Improved parallelism

• Use of Ada functions in contracts

• Improved handling of arrays, integers, floating-point

Improved User Interface

• Improved handling of error and warning messages

• More precise generation of contracts (Globals/Depends)

• Support for manual provers (e.g. Coq, Isabelle)

• Computation and display of remaining assumptions

• Improved documentation (examples, tutorials, …)

New Language Features

• Support for tagged types and dynamic dispatching

• Library of (un)bounded indefinite containers

• Support for dynamic constants/types

• Improved usability of volatile objects

• Support for simple raise statements

• Support for proof-only (“ghost”) code

What’s New in CodePeer 3.0

• DO178B and EN50128 qualification

• Support for IEEE 754 floating point semantics

• Symbolic debugger

• Enhanced project file support

• Improved support for non GNAT compilers

• Enhanced Messages

DO178B Qualification

• CodePeer can be used to automate part of DO178B 6.3.4.f: “The objective is to determine the correctness and consistency of the Source Code”

• Qualified as a verification tool (TQL 5 in DO178C)

• Most checks have been qualified: overflow, range, index, division by zero, uninitialized variables

• Generation of a detailed report file (date of run, switches, messages, limitations, …)

EN50128 Qualification

• Qualified as a tool class T2

• Boundary value analysis

• Null dereference, buffer overflow, numeric overflow, …

• Control flow analysis

• Unreachable code, redundant conditionals, …

• Data flow analysis

• Uninitialized variables, redundant assignments, …

IEEE 754 Floating Point

• CodePeer used to approximate floating point using infinite precision values (mathematical results)

• This could lead to missing potential errors, or false alarms

• IEEE 754 rounding and loss of precision now taken into account

• Reliable detection of possible overflows, division by zero

• Understand properties of mathematical functions (cos, sin, sqrt, …)
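As an added illustration (not code from the slides or from AdaCore) of why reasoning about floating point with infinite-precision mathematics can miss an error: ten additions of 0.1 give exactly 1.0 in real arithmetic, so an analyzer using mathematical values would treat the `else` branch below as dead and the assignment into the `0.0 .. 1.0` subtype as safe. Under IEEE 754 rounding the sum is not 1.0, and with 32-bit binary floating point it is slightly above 1.0, so the range check fails at run time. The procedure and subtype names are invented; the example assumes GNAT, where `Float` is IEEE 754 binary32.

```ada
with Ada.Text_IO; use Ada.Text_IO;

--  Added example, not part of the original presentation.
--  Build with "gnatmake float_rounding" and run it.
procedure Float_Rounding is

   --  0.1 has no exact binary representation; every addition rounds.
   Step : constant Float := 0.1;
   Sum  : Float := 0.0;

   --  Constrained subtype: assigning a value outside 0.0 .. 1.0 raises
   --  Constraint_Error, exactly the kind of range check CodePeer reports.
   subtype Unit_Interval is Float range 0.0 .. 1.0;
   U : Unit_Interval;

begin
   for I in 1 .. 10 loop
      Sum := Sum + Step;
   end loop;

   --  In real arithmetic Sum = 1.0 and the else branch is unreachable;
   --  under IEEE 754 rounding the equality is false.
   if Sum = 1.0 then
      Put_Line ("Sum is exactly 1.0 (true only in infinite precision)");
   else
      Put_Line ("Sum /= 1.0, rounding error is" & Float'Image (Sum - 1.0));
   end if;

   --  With binary32 the sum is 1.0000001, so this range check fails.
   --  An analysis using mathematical values would accept the assignment
   --  (1.0 is in range): a false negative that IEEE 754 semantics avoid.
   U := Sum;
   Put_Line ("Assigned" & Float'Image (U));

exception
   when Constraint_Error =>
      Put_Line ("Constraint_Error: Sum is outside 0.0 .. 1.0 "
                & "(visible only with IEEE 754 semantics)");
end Float_Rounding;
```

The same program with `Long_Float` (binary64) ends slightly below 1.0 instead of above, so the equality still fails but the range check passes; which checks can fail depends on the exact rounding behaviour, which is why an analyzer has to model the IEEE 754 format rather than real numbers.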

Symbolic Debugger

• Display of Backtraces on precondition messages

• Display of possible values for any variable

Enhanced Project File Support

• Aggregate projects

• Specifying main files on command line

• Analyzing closure of project

• Excluding some files from analysis

• Improved documentation on getting started with project files

Support for Other Compilers

• Compiler specific libraries

• Support for a target configuration file

• Ability to generate a target configuration file using target compiler

• Support for Ada 83 non portable or invalid code

Enhanced Messages

• New message: check on possible parameter aliasing

• New filter on security related vulnerabilities

• Support for CWE (Common Weakness Enumeration, cwe.mitre.org)

• Compiler-like behavior: file by file quick incremental analysis

• More accurate messages, fewer false positives

Future Plans

SPARK 16.0 and CodePeer 3.1

SPARK 16.0

• Generation of counterexamples

• Integration with tests

• Symbolic debugger

• Improved proof

• Support for tasking

CodePeer 3.1

• Detection of dangling references

• Incremental (re)analysis

• Integration with GNATtest

• New HTML interface

• Integration with Jenkins

Questions?
