Abstract Interpretation & Applications
Patrick COUSOT, École normale supérieure, Paris, France
www.di.ens.fr/~cousot
Seminar, MIT, April 3rd, 2006

École Normale Supérieure (ENS)
A few former students: Évariste Galois, Louis Pasteur, . . . ; Nobel prizes: Claude Cohen-Tannoudji, Pierre-Gilles de Gennes, Gabriel Lippmann, Louis Néel, Jean-Baptiste Perrin, Paul Sabatier, . . . ; Fields Medal holders: Laurent Schwartz, Jean-Pierre Serre (1st Abel Prize), René Thom, Alain Connes, Pierre-Louis Lions, Jean-Christophe Yoccoz, Laurent Lafforgue; Fictitious mathematicians: Nicolas Bourbaki; Philosophers: Henri Bergson (Nobel Prize), Louis Althusser, Simone de Beauvoir, Émile Auguste Chartier “Alain”, Raymond Aron, Jean-Paul Sartre, Maurice Merleau-Ponty, Michel Foucault, Jacques Derrida, Bernard-Henri Lévy . . . ; Politicians: Jean Jaurès, Léon Blum, Édouard Herriot, Georges Pompidou, Alain Juppé, Laurent Fabius, Léopold Sédar Senghor, . . . ; Sociologists: Émile Durkheim, Pierre Bourdieu, . . . ; Writers: Romain Rolland (Nobel Prize), Jean Giraudoux, Charles Péguy, Julien Gracq, . . . ;
Two fundamental concepts in computer science (and engineering):
--- Abstraction: to reason on complex systems;
--- Approximation: to make undecidable reasoning computationally feasible.
Formalized by Abstract Interpretation.

References
[POPL ’77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4th ACM POPL.
[Thesis ’78] P. Cousot. Méthodes itératives de construction et d’approximation de points fixes d’opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse ès sci. math. Grenoble, March 1978.
[POPL ’79] P. Cousot & R. Cousot. Systematic design of program analysis frameworks. In 6th ACM POPL.
MIT Seminar, April 3rd, 2006 — 7 — © P. Cousot

Abstract Interpretation
--- Born to formalize static program analysis;
--- Viewed today as a general formalism to reason about semantics of computer systems at different levels of abstraction;
--- Successfully applied to automatic analysis of complex computer systems.

A Few Applications of Abstract Interpretation

A Few Applications of Abstract Interpretation (Cont’d)
All these techniques involve sound approximations that can be formalized by abstract interpretation

Elements of Abstract Interpretation
Program Semantics

Language Semantics
--- A language $L$ is a set of program texts $P \in L$
--- A semantic domain $D$ is a set of program semantics
--- A program semantics is a mathematical object formally describing program executions (i.e. the effect of running a program on a computer)
--- A language semantics $S$ maps programs $P \in L$ to their semantics $S\llbracket P\rrbracket \in D$
(slide figure: computational ordering)
Program Properties

Program Properties & Static Analysis
--- A program property $P \in \wp(D)$ is a set of possible semantics for that program (hence a subset of the semantic domain $D$)
--- A property $P \in \wp(D)$ is stronger (or more precise) than a property $Q \in \wp(D)$ iff $P \subseteq Q$ (i.e. $P$ implies $Q$, $P \Rightarrow Q$)
--- The strongest program property¹ is $\{S\llbracket P\rrbracket\} \in \wp(D)$
--- A static analysis effectively approximates the strongest property of programs
¹ Note for specialists: neither a safety nor a liveness property.

Abstraction of Program Properties

Abstraction
--- Replace actual/concrete properties $P \in \wp(D)$ by approximate abstract properties $\alpha(P)$
--- Examples:
-- engineering: $\alpha(\text{property of an object})$ = property of a model of the object
-- partial correctness in computer science: $\alpha(\text{program property})$ = restriction of the property to finite executions
Commonly Required Properties of the Abstraction
--- [In this talk,] we consider sound overapproximations: $P \subseteq \alpha(P)$
-- If the abstract property $\alpha(P)$ does hold then so does the concrete property $P$
-- If the abstract property $\alpha(P)$ does not hold then the concrete property $P$ may hold or not!²
--- All information is lost at once: $\alpha(\alpha(P)) = \alpha(P)$
--- The abstraction of more precise properties is more precise: if $P \subseteq Q$ then $\alpha(P) \subseteq \alpha(Q)$
² In this case we speak of “false alarm”.
Galois Connection
--- We have got a Galois connection:
$\langle \wp(D), \subseteq \rangle \underset{\alpha}{\overset{1}{\leftrightarrows}} \langle \wp(D), \subseteq \rangle$
(left: concrete properties; right: abstract properties)
--- With an isomorphic mathematical/computer representation:
$\langle \wp(D), \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle D^{\sharp}, \sqsubseteq \rangle$
(left: concrete properties; right: abstract domain)
$\forall P \in \wp(D) : \forall Q \in D^{\sharp} : \alpha(P) \sqsubseteq Q \iff P \subseteq \gamma(Q)$
Abstraction 1: Functions
--- Let $\langle \wp(D), \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle D^{\sharp}, \sqsubseteq \rangle$
--- How to abstract a property transformer $F \in \wp(D) \xrightarrow{m} \wp(D)$?
--- The most precise sound overapproximation is $F^{\sharp} \in D^{\sharp} \xrightarrow{m} D^{\sharp}$, $F^{\sharp} = \alpha \circ F \circ \gamma$
--- This is a Galois connection
$\langle \wp(D) \xrightarrow{m} \wp(D), \subseteq \rangle \underset{\lambda F .\, \alpha \circ F \circ \gamma}{\overset{\lambda F^{\sharp} .\, \gamma \circ F^{\sharp} \circ \alpha}{\leftrightarrows}} \langle D^{\sharp} \xrightarrow{m} D^{\sharp}, \sqsubseteq \rangle$
Abstraction 2: Fixpoints
--- Let $\langle \wp(D), \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle D^{\sharp}, \sqsubseteq \rangle$
--- How to abstract a fixpoint property $\mathrm{lfp}^{\subseteq} F$ where $F \in \wp(D) \xrightarrow{m} \wp(D)$?
--- Approximate Sound Abstraction: $\mathrm{lfp}^{\subseteq} F \subseteq \gamma(\mathrm{lfp}^{\sqsubseteq} \alpha \circ F \circ \gamma)$
--- Complete Abstraction: if $\alpha \circ F = F^{\sharp} \circ \alpha$ then $F^{\sharp} = \alpha \circ F \circ \gamma$; and $\alpha(\mathrm{lfp}^{\subseteq} F) = \mathrm{lfp}^{\sqsubseteq} F^{\sharp}$
Abstract Interpretation-Based Static Analysis
--- an inductive compositional language semantics $S \in L \mapsto D$
--- program concrete properties $\wp(D)$
--- an abstract domain $\langle \wp(D), \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle D^{\sharp}, \sqsubseteq \rangle$ designed inductively and compositionally to approximate the property to be analyzed
--- the A.I. Theory is used to systematically derive the sound abstract semantics $S^{\sharp}\llbracket P\rrbracket \sqsupseteq \alpha(\{S\llbracket P\rrbracket\})$
--- the static analysis algorithm is the computation of the abstract semantics and is correct by construction
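The following is an added example, not code from the slides, showing the Galois connection, the best transformer $F^{\sharp} = \alpha \circ F \circ \gamma$ and the fixpoint approximation $\mathrm{lfp}^{\subseteq} F \subseteq \gamma(\mathrm{lfp}^{\sqsubseteq} F^{\sharp})$ on the interval domain. The program (`x := 0; while x < 100 do x := x + 3 od`), the domain and the widening threshold are my own choices.

```python
"""Galois connection + fixpoint abstraction on the interval domain (added example).

Constructed program:   x := 0; while x < 100 do x := x + 3 od
Concrete domain:       wp(Z), Python sets of ints, ordered by subset.
Abstract domain D#:    intervals (lo, hi) with +/-inf bounds, BOT = empty set.
alpha/gamma form the Galois connection of the slides; F is the loop-head
collecting semantics, F# = alpha . F . gamma its best abstraction, and the
slides' claim  lfp F  subset  gamma(lfp F#)  is checked on the result.
"""
from itertools import count

INF = float("inf")
BOT = None  # alpha(empty set)


def alpha(concrete):
    """Best abstraction of a set of integers: its convex hull as an interval."""
    return BOT if not concrete else (min(concrete), max(concrete))


def gamma(itv, clip=10**6):
    """Concretization; infinite bounds are clipped only to stay enumerable."""
    if itv is BOT:
        return set()
    return set(range(int(max(itv[0], -clip)), int(min(itv[1], clip)) + 1))


def leq(a, b):
    """sqsubseteq on intervals (BOT is the least element)."""
    return a is BOT or (b is not BOT and b[0] <= a[0] and a[1] <= b[1])


def join(a, b):
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """Interval widening: a bound that is still moving jumps to infinity."""
    if old is BOT or new is BOT:
        return join(old, new)
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)


INIT, BOUND, STEP = 0, 100, 3


def F(states):
    """Collecting semantics at the loop head: {INIT} U {x+STEP | x in X, x < BOUND}."""
    return {INIT} | {x + STEP for x in states if x < BOUND}


def lfp_concrete():
    """lfp F by Kleene iteration on sets (finite here, so it terminates)."""
    x = set()
    while True:
        nxt = F(x)
        if nxt == x:
            return x
        x = nxt


def F_sharp(itv):
    """F# = alpha . F . gamma, written directly on bounds (no enumeration)."""
    init = (INIT, INIT)
    if itv is BOT or itv[0] >= BOUND:  # the guard x < BOUND can never hold
        return init
    return join(init, (itv[0] + STEP, min(itv[1], BOUND - 1) + STEP))


def lfp_abstract(widen_after=3):
    """Iterate F# with widening, then one decreasing step to tighten the result."""
    x = BOT
    for i in count():
        nxt = F_sharp(x)
        if leq(nxt, x):
            break
        x = widen(x, nxt) if i >= widen_after else nxt
    return F_sharp(x)


def soundness_holds():
    """lfp F  subset  gamma(lfp F#): the 'approximate sound abstraction' claim."""
    return lfp_concrete() <= gamma(lfp_abstract())


def check_best_transformer(sample):
    """F# agrees with alpha . F . gamma on a sample interval."""
    return F_sharp(sample) == alpha(F(gamma(sample)))


if __name__ == "__main__":
    print("concrete lfp:", sorted(lfp_concrete()))
    print("abstract lfp:", lfp_abstract(), "sound:", soundness_holds())
```

The widened iterate is $[0, +\infty]$; the single decreasing step afterwards recovers the exact upper bound 102, which is the usual role of narrowing after widening.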
Example 1: Trace Semantics Abstraction
Reference
[TCS ’02] P. Cousot, Constructive Design of a Hierarchy of Semantics of a Transition System by Abstract Interpretation, Theoretical Computer Science, 277(1–2):47–103, 2002. © Elsevier Science.

Objective
--- A unifying formalization of the classical semantics as abstract interpretations of the trace semantics
--- (. . . and of a few new ones)
⁴ States that must reach $P$ by state transformer $\theta$ or block
⁵ Non-blocking states that may reach $Q$ by state transformer $\theta$
⁶ Non-blocking states that must reach $Q$ by state transformer $\theta$
5 — Hoare Logic Abstractions
$\langle \wp(\Sigma) \overset{\cup}{\mapsto} \wp(\Sigma \cup \{\bot\}), \dot{\subseteq} \rangle \underset{\alpha^{H}}{\overset{\gamma^{H}}{\leftrightarrows}} \langle \wp(\Sigma) \otimes \wp(\Sigma \cup \{\bot\}), \dot{\supseteq} \rangle$
where $\otimes$ is the semi-dual Shmuely tensor product⁷
(left: map of sets of initial states to sets of final states or $\bot$; right: set of all Hoare triples, generalized to non-termination)
--- $\alpha^{H}(\theta) = \{\langle P, Q \rangle \mid \theta(P) \subseteq Q\}$: predicate transformer to Hoare logic semantics
⁷ Semi-dual Shmuely tensor product.
Lattice of Semantics
(slide figure; the arrows and the symbols of the individual semantics are not recoverable from the transcript: a lattice of semantics ordered by abstraction, from the trace semantics at the bottom up through the relational semantics, the denotational semantics and the weakest precondition semantics to the Hoare logics at the top; the axes are labelled “equivalence abstraction”, “restriction” and “infinite”, with the variants demoniac, determinist, natural and angelic)
6 — Safety Abstraction
--- Disjunctive abstraction: $\alpha^{\cup}(P) \triangleq \bigcup P$
$\langle \wp(\wp(\Sigma^{+} \cup \Sigma^{\omega})), \subseteq \rangle \underset{\alpha^{\cup}}{\overset{\gamma^{\cup}}{\leftrightarrows}} \langle \wp(\Sigma^{+} \cup \Sigma^{\omega}), \subseteq \rangle$
--- Prefix abstraction (time invariance): $\alpha^{p}(P) \triangleq \{\sigma \in \Sigma^{+} \mid \exists \sigma' \in \Sigma^{+} \cup \Sigma^{\omega} : \sigma\sigma' \in P\}$
$\langle \wp(\Sigma^{+} \cup \Sigma^{\omega}), \subseteq \rangle \underset{\alpha^{p}}{\overset{\gamma^{p}}{\leftrightarrows}} \langle \wp(\Sigma^{+} \cup \Sigma^{\omega}), \subseteq \rangle$
--- Limit abstraction (infinite behaviors are not observable): $\alpha^{\ell}(P) \triangleq \{\sigma \in \Sigma^{\omega} \mid \alpha^{p}(\{\sigma\}) \subseteq P\}$
$\langle \wp(\Sigma^{+} \cup \Sigma^{\omega}), \subseteq \rangle \underset{\alpha^{\ell}}{\overset{\gamma^{\ell}}{\leftrightarrows}} \langle \wp(\Sigma^{+} \cup \Sigma^{\omega}), \subseteq \rangle$
--- Safety abstraction (can be monitored at runtime):

Reference
[POPL ’97] P. Cousot. Types as Abstract Interpretations. In Conference Record of the 24th ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Programming Languages, pages 316–331, Paris, France, 1997. ACM Press, New York, U.S.A.
Objective
--- Show that static typing and type inference are abstract interpretations of a semantics with runtime type checking
--- (. . . and consider nontermination in type soundness)

Syntax of the Eager Lambda Calculus
$x, f, \ldots \in X$ : variables
$e \in E$ : expressions
  e ::= x                 variable
      | λx · e            abstraction
      | e1(e2)            application
      | μf · λx · e       recursion
      | 1                 one
      | e1 − e2           difference
      | (e1 ? e2 : e3)    conditional
Semantic Domains
  $\Omega$   wrong/runtime error value
  $\bot$   non-termination
  $W \triangleq \{\Omega\}$   wrong
  $z \in Z$   integers
  $u, f, \varphi \in U \cong W_{\bot} \oplus Z_{\bot} \oplus [U \mapsto U]$ ⁸   values
  $R \in \mathbf{R} \triangleq X \mapsto U$   environments
  $\phi \in S \triangleq \mathbf{R} \mapsto U$   semantic domain
⁸ $[U \mapsto U]$: continuous, $\bot$-strict, $\Omega$-strict functions from values $U$ to values $U$.

The Herbrand Abstraction to Get Hindley’s Type Inference Algorithm
$\langle \wp(\mathrm{ground}(T)), \subseteq, \emptyset, \mathrm{ground}(T), \cup, \cap \rangle \underset{\mathrm{lcg}}{\overset{\mathrm{ground}}{\leftrightarrows}} \langle T/{\equiv}, \preceq, \emptyset, [\,{'a}\,]_{\equiv}, \mathrm{lcg}, \mathrm{gci} \rangle$
where:
--- $T$: set of terms with variables ${'a}$, . . . ,
--- lcg: least common generalization,
--- ground: set of ground instances,
--- $\preceq$: instance preordering,
--- gci: greatest common instance.
Example 3: Termination Proofs
References
[VMCAI ’05] P. Cousot. Proving Program Invariance and Termination by Parametric Abstraction, Lagrangian Relaxation and Semidefinite Programming. In Sixth International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI’05), pages 1–24, Paris, France, January 17-19, 2005. Lecture Notes in Computer Science, volume 3385, Springer, Berlin.

Objective
--- Show that program termination proofs are abstract interpretations of a relational semantics
--- (. . . and automatize such proofs)

Termination Proof
--- Problem: prove that all executions of a program loop terminate
--- Principle¹⁰: Exhibit a ranking function of the program variables in a well-founded set that strictly decreases at each program step for reachable states.
¹⁰ Robert Floyd, 1967, note the similarity with Lyapunov, 1890, “an invariant set of a differential equation is stable in the sense that it attracts all solutions if one can find a function that is bounded from below and decreases along all solutions outside the invariant set”.
Termination Proof by Static Analysis
1. Perform an iterated forward/backward relational static analysis of the loop to determine a necessary termination precondition
2. Assuming the termination precondition, perform a forward relational static analysis of the loop to determine the loop invariant (overapproximating reachable states)
3. Assuming the loop invariant, perform a forward relational static analysis of the loop body to determine the loop abstract operational semantics
4. Assuming the loop semantics, use an abstraction of Floyd’s ranking function method to prove termination of the loop
Example (Arithmetic Mean)
  {x=y+2k, x>=y}                         necessary termination precondition
  while (x <> y) do
    {x=y+2k, x>=y+2}                     loop invariant
    {(x=x0)&(y=y0)&(k=k0)}
    k := k - 1;
    x := x - 1;
    y := y + 1
    {x+2=y+2k0, y=y0+1,                  loop abstract operational semantics:
     x+1=x0, x=y+2k, x>=y}               $\bigwedge_{i=1}^{N} \varphi_i(k_0, x_0, y_0, k, x, y) \geq_i 0$
  od
  {k=0}
Floyd’s Ranking Function Method
Find an $\mathbb{R}/\mathbb{Q}/\mathbb{Z}$-valued unknown rank function $r$ and $\delta > 0$ such that:
--- The rank is nonnegative:
$\forall x_0, x : \bigwedge_{i=1}^{N} \varphi_i(x_0, x) \geq_i 0 \Rightarrow r(x_0) \geq 0$
--- The rank is strictly decreasing:
$\forall x_0, x : \bigwedge_{i=1}^{N} \varphi_i(x_0, x) \geq_i 0 \Rightarrow r(x_0) - r(x) - \delta \geq 0$
Abstraction
1. Eliminate $\bigwedge$ and $\Rightarrow$ by Lagrangian relaxation¹¹
2. Choose a parametric abstraction $r_a$ for the ranking function $r$ in terms of unknown parameters $a$, e.g. $r_a(x) =  a \cdot x^{\top}$ (linear), $r_a(x) = a \cdot (x\ 1)^{\top}$ (affine) or $r_a(x) = (x\ 1) \cdot a \cdot (x\ 1)^{\top}$ (quadratic)
3. Eliminate the universal quantification $\forall$ using linear matrix inequalities (LMIs) in favor of positive semidefiniteness, i.e. $M(\lambda) \succeq 0 = \forall X \in \mathbb{R}^{N} : X^{\top} M(\lambda) X \geq 0$ where $M(\lambda) = M_0 + \sum_{i=1}^{N} \lambda_i M_i$
¹¹ $[\forall x : (\bigwedge_i \varphi_i(x) \geq 0) \Rightarrow (g(x) \geq 0)] \Leftarrow [\exists \lambda_i \geq 0 : \forall x : g(x) - \sum_i \lambda_i \varphi_i(x) \geq 0]$, sound by Lagrange, complete by Farkas in the linear case and Yakubovich’s S-procedure with one quadratic constraint.

Abstract Floyd’s Ranking Function Method
Find $\mathbb{R}/\mathbb{Q}/\mathbb{Z}$-valued unknown parameters $a$, such that:
--- Nonnegative: $\exists \lambda \in [1, N] \mapsto \mathbb{R}^{+}$ :
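As an added example (not the slides' method, which finds the multipliers by LMI/semidefinite programming), the checker below certifies Floyd's two conditions for the arithmetic-mean loop above with the affine ranking function $r = k$, $\delta = 1$, using the Lagrangian relaxation of footnote 11 with exact rationals. The multipliers $\lambda_i$ are hand-chosen and the linear forms encode the slide's invariant and loop semantics.

```python
"""Floyd's ranking-function conditions certified by Lagrangian relaxation
(added example). Loop from the 'Arithmetic Mean' slide:

    while (x <> y) do k := k - 1; x := x - 1; y := y + 1 od

k0, x0, y0 are the values before the loop body and k, x, y after it. The loop
invariant and body semantics are linear constraints phi_i >=_i 0. Footnote 11:
  [forall x: (AND_i phi_i >= 0) => g >= 0]  <=  [exists lambda_i >= 0:
   forall x: g - sum_i lambda_i phi_i >= 0]
For linear phi_i and g the right-hand side holds iff g - sum lambda_i phi_i is a
nonnegative constant, which this checker verifies with exact rationals (an
equality constraint may take a multiplier of either sign). The multipliers
below were found by hand; the slides obtain them by LMI/SDP solving.
"""
from fractions import Fraction as Fr

VARS = ("k0", "x0", "y0", "k", "x", "y")


def lin(const=0, **coef):
    """A linear form over VARS as {var: coefficient, ..., 'const': c}."""
    form = {v: Fr(0) for v in VARS}
    form.update({v: Fr(c) for v, c in coef.items()})
    form["const"] = Fr(const)
    return form


def combine(g, constraints, lambdas):
    """g - sum_i lambda_i * phi_i, coefficient by coefficient."""
    out = dict(g)
    for (phi, _kind), lam in zip(constraints, lambdas):
        for v in out:
            out[v] -= Fr(lam) * phi[v]
    return out


def certify(g, constraints, lambdas):
    """True iff the Lagrangian certificate proves (AND_i phi_i >=_i 0) => g >= 0."""
    if len(lambdas) != len(constraints):
        return False
    for (_phi, kind), lam in zip(constraints, lambdas):
        if kind == ">=" and lam < 0:  # inequality multipliers must be >= 0
            return False
    residual = combine(g, constraints, lambdas)
    return all(residual[v] == 0 for v in VARS) and residual["const"] >= 0


# Constraints of the slide: (phi_i, kind) means phi_i >= 0 or phi_i == 0.
LOOP = [
    (lin(x0=1, y0=-1, k0=-2), "=="),  # x0 = y0 + 2 k0      (loop invariant)
    (lin(-2, x0=1, y0=-1), ">="),     # x0 >= y0 + 2        (loop invariant)
    (lin(-1, k0=1, k=-1), "=="),      # k = k0 - 1          (body semantics)
    (lin(-1, x0=1, x=-1), "=="),      # x = x0 - 1
    (lin(1, y0=1, y=-1), "=="),       # y = y0 + 1
]


def rank(a, suffix=""):
    """Affine parametric ranking function r_a(k, x, y) = a . (k, x, y, 1)^T."""
    ak, ax, ay, a1 = a
    return lin(a1, **{"k" + suffix: ak, "x" + suffix: ax, "y" + suffix: ay})


def nonneg_goal(a):
    """Slide condition 1: r(x0) >= 0."""
    return rank(a, "0")


def decrease_goal(a, delta=1):
    """Slide condition 2: r(x0) - r(x) - delta >= 0."""
    r0, r1 = rank(a, "0"), rank(a)
    goal = {v: r0[v] - r1[v] for v in r0}
    goal["const"] -= Fr(delta)
    return goal


# r = k, i.e. a = (1, 0, 0, 0): the loop counter is itself a ranking function.
A_K = (1, 0, 0, 0)
LAMBDA_NONNEG = (Fr(-1, 2), Fr(1, 2), 0, 0, 0)  # k0 + (x0-y0-2k0)/2 - (x0-y0-2)/2 = 1
LAMBDA_DECREASE = (0, 0, 1, 0, 0)               # (k0-k-1) - (k0-k-1) = 0


def loop_terminates():
    """Both Floyd conditions certified for r = k with delta = 1."""
    return (certify(nonneg_goal(A_K), LOOP, LAMBDA_NONNEG)
            and certify(decrease_goal(A_K), LOOP, LAMBDA_DECREASE))


if __name__ == "__main__":
    print("r = k certified for the arithmetic-mean loop:", loop_terminates())
```

A certificate with a negative multiplier on the inequality, or a candidate such as $r = x$ (whose nonnegativity does not follow from the invariant), is rejected by `certify`, which is the sound direction of footnote 11 only; finding multipliers is the solver's job.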
Example of Challenge in Embedded Software Verification
Given a control/command program, prove that requests have responses in bounded time:
--- solved for synchronous programs by abstract interpretation-based worst-case execution time (WCET) static analysis; does scale up¹²!
--- Open challenge: scale up to asynchronous control/command programs with real-time scheduling
¹² See aiT WCET Analyzers of AbsInt Angewandte Informatik GmbH

Example 4: Hardware Verification

Objective
--- Show that hardware verification is an abstract interpretation of a monitored operational semantics
--- (. . . and automatize such a verification without state explosion)
Hardware Verification in VHDL (Code¹³)
  loop
    clk <= not clk;
    wait for 1;
  end;
  Clock clk = 0 1 0 1 0 1 0 1 . . .

  loop
    if clk then
      o <= x and not y;
    wait on clk;
  end;
  Action o := x ∧ ¬y on “clk = 1” events

  x <= 0; y <= 1;
  wait on clk;
  loop
    x <= rnd;
    assert (o != 1);
    wait on clk;
  end;
  Runtime monitor / specification:
  › generates all possible entries
  › checks the property

Static analysis shows the assertion always holds.
¹³ Very High Speed Integrated Circuit Hardware Description Language (VHDL) pseudo-code at the Behavioral Level.
Hardware Verification (Reed-Solomon – Code)
(slide figure: Reed-Solomon design; its labels are not recoverable from the transcript)
Simulation: not exhaustive
Model-checking: state explosion
Static analysis: exhaustive verification
Example of Challenge in Hardware/Software Verification
--- Data transmission using USB/AFDX is now preferred to avionic ARINC 429 transmit and receive channels
--- Challenge: prove communications correct on a USB port, given
-- a software driver in C;
-- a hardware controller in VHDL;
-- a formal specification of “correct communication”.

Example 5: Static Analysis of Avionic Safety-Critical Software
References
[ASTRÉE] P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. The ASTRÉE analyser. ESOP 2005, Edinburgh, LNCS 3444, pp. 21–30, Springer, 2005. www.astree.ens.fr

Objective
--- Show that static analysis by abstract interpretation does scale up
--- (. . . and report on an industrialization success story)

The Static Analysis Problem
--- Given a C control/command program and a configuration file¹³,
--- effectively compute a computer representation of an overapproximation of the reachable program states from the initial states,
--- in order to statically prove the absence of runtime and user-defined errors.
--- Extremely difficult to scale up!
¹³ Physical range hypotheses for some sensor inputs

Example 1: CBMC
--- CBMC is a Bounded Model Checker for ANSI-C programs (started at CMU in 1999).
--- Allows verifying array bounds (buffer overflows), pointer safety, exceptions and user-specified assertions.
--- Aimed for embedded software, also supports dynamic memory allocation using malloc.
--- Done by unwinding the loops in the program and passing the resulting equation to a SAT solver.
--- Problem (a.o.): does not scale up!

Example 2: ASTRÉE
--- ASTRÉE is an abstract interpretation-based static analyzer for ANSI-C programs (started at ENS in 2001).
--- Allows verifying array bounds (buffer overflows), pointer safety, exceptions and user-specified assertions.
--- Aimed for embedded software, does not support dynamic memory allocation.
--- Done by abstracting the reachability fixpoint equations for the program operational semantics.
--- Advantage (a.o.): does scale up!
Ellipsoid Abstract Domain for Filters
2nd Order Digital Filter:
(slide figure: block diagram of the filter with input $x(n)$, two unit delays $z^{-1}$, gains $a$ and $b$, an adder and switches)
--- Computes $X_n = \alpha X_{n-1} + \beta X_{n-2} + Y_n I_n$
--- The concrete computation is bounded, which must be proved in the abstract.
--- There is no stable interval or octagon.
--- The simplest stable surface is an ellipsoid.
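Added example, not from the slides or from ASTRÉE: for the recurrence above with constructed coefficients $\alpha = 1.5$, $\beta = -0.7$ and the input term $Y_n I_n$ modelled as one bounded input $|I_n| \le 1$, the script shows that the interval bound on $|X_n|$ grows at every step (no stable interval) while the ellipsoid $Q(x, y) = x^2 - \alpha x y - \beta y^2 \le k$ is mapped into itself by the filter step for $k \ge 37.5$, which bounds $|X_n|$ by about 13.8. The one-step identity used for the abstract transfer function is derived in the module docstring; all numbers are my choices.

```python
"""Ellipsoid abstract domain for a 2nd-order filter (added example).

Slide recurrence:  X_n = a X_{n-1} + b X_{n-2} + I_n   (a = alpha, b = beta,
I_n = Y_n I_n the bounded input). Constructed parameters: a = 1.5, b = -0.7,
|I_n| <= 1 (a stable filter: the roots of z^2 - a z - b have modulus sqrt(0.7)).

Intervals: a bound M on |X| must satisfy M_n = |a| M_{n-1} + |b| M_{n-2} + 1,
which grows without limit because |a| + |b| > 1: no interval is stable.
Ellipsoids: the quadratic form Q(x, y) = x^2 - a x y - b y^2 is positive
definite when a^2 + 4 b < 0 and satisfies, for one filter step z = a x + b y,
    Q(z + i, x) = -b Q(x, y) + i (a x + 2 b y + i)
so without input it contracts by |b| < 1; with |i| <= i_max the region
Q <= k is stable as soon as  -b k + i_max (sqrt(L k) + i_max) <= k, where
L k = max{(a x + 2 b y)^2 : Q(x, y) <= k} is computed exactly from Q^-1.
"""
import math
import random

A, B, I_MAX = 1.5, -0.7, 1.0


def q(x, y):
    """Quadratic form of the ellipsoid family Q(x, y) <= k."""
    return x * x - A * x * y - B * y * y


def interval_iterates(n):
    """Successive interval bounds on |X_n| (the abstract interval semantics)."""
    m = [0.0, 0.0]
    for _ in range(n):
        m.append(abs(A) * m[-1] + abs(B) * m[-2] + I_MAX)
    return m[2:]


def interval_is_unstable(n=40):
    """True when every iterate is strictly larger than the previous one."""
    m = interval_iterates(n)
    return all(m[i + 1] > m[i] for i in range(n - 1))


def _det():
    # determinant of the matrix [[1, -a/2], [-a/2, -b]] of Q; > 0 iff a^2 + 4b < 0
    return -B - A * A / 4.0


def linear_max_factor():
    """L with max{(a x + 2 b y)^2 : Q <= k} = L k, i.e. v^T Q^-1 v for v = (a, 2b)."""
    assert _det() > 0, "a^2 + 4b < 0 is required for Q to define an ellipsoid"
    vx, vy = A, 2 * B
    # Q^-1 = [[-b, a/2], [a/2, 1]] / det
    return (-B * vx * vx + A * vx * vy + vy * vy) / _det()


def ellipsoid_step_bound(k):
    """Sound bound on Q(X_n, X_{n-1}) given Q(X_{n-1}, X_{n-2}) <= k (abstract step)."""
    return -B * k + I_MAX * (math.sqrt(linear_max_factor() * k) + I_MAX)


def ellipsoid_is_stable(k):
    """The abstract transfer function maps the ellipsoid Q <= k into itself."""
    return ellipsoid_step_bound(k) <= k


def smallest_stable_k(step=0.5, limit=1000.0):
    """Smallest k on a grid whose ellipsoid is an inductive invariant (None if none)."""
    k = step
    while k <= limit:
        if ellipsoid_is_stable(k):
            return k
        k += step
    return None


def output_bound(k):
    """|X| <= sqrt(k * (Q^-1)_11): extent of the ellipsoid along the x axis."""
    return math.sqrt(k * (-B) / _det())


def simulate_max(steps=2000, seed=1):
    """Sanity run with extreme random inputs: the largest Q value reached."""
    rng = random.Random(seed)
    x, y, worst = 0.0, 0.0, 0.0
    for _ in range(steps):
        i = rng.choice((-I_MAX, I_MAX))
        x, y = A * x + B * y + i, x
        worst = max(worst, q(x, y))
    return worst


if __name__ == "__main__":
    print("interval bounds diverge:", interval_is_unstable())
    k = smallest_stable_k()
    print("stable ellipsoid Q <= %.1f gives |X| <= %.2f" % (k, output_bound(k)))
```

The simulation is only a sanity check; the proof is `ellipsoid_is_stable`, which is the inductive-invariant test an abstract interpreter performs on the ellipsoid domain.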
¹⁵ Outils de Vérification par Analyse Statique de Logiciels Embarqués / Embedded Software Product-based Assurance
THÉSÉE
--- Verification of absence of runtime errors, data races and deadlocks in asynchronous safety-critical real-time embedded control/command software
--- 2006–2009
--- ENS + Airbus + EDF International (1600-megawatt EPR (Evolutionary Power Reactor) for the Finnish Olkiluoto 3 plant unit, to be operational in 2009)

ASBAPROD
--- Translation validation (Scade → C → ASM)
--- Verification of functional properties of safety-critical real-time embedded synchronous electric flight control software, for example:
-- One and only one computer has control at any time,
-- If some input $i$ changes by $\delta i$ then some output $o$ changes by at most $\delta o$, etc.
--- 2006–2010
--- ENS + Airbus

CONTROVERT
--- CONTROl system VERificaTion
--- 2006–2009
--- ENS (computer scientists) + ONERA Toulouse (control theoreticians)
The Current Situation¹⁶
(slide figure; its box labels are not recoverable from the transcript: four panels, (1) Model design, (2) Simulation, (3) Implementation, (4) Program analysis)
¹⁶ greatly simplified, system dependability is simply ignored!
The Project¹⁷
(slide figure; its box labels are not recoverable from the transcript: panels (1) Model design, (2) Model analysis, (3) Program analysis, and an example (response analysis))
¹⁷ greatly simplified, system dependability is simply ignored!
Conclusion

Formal Methods
--- Formal methods have made considerable academic progress these last 30 years
--- Automatic formal methods still have to scale up for everyday industrial practice
--- The high-technology industries have imperative needs in software design & verification
--- Static program analysis is progressively becoming an advanced industrial practice
--- Automatic verification from specification design down to program implementation is a challenge

Abstract Interpretation
--- Theoretical foundations: deep unification of formal methods, semantics, modularity/incrementability, parallelism/distribution/mobility, object-orientation, complex hardware/software/communication systems, integration of continuous/discrete/probabilistic models of the physical world/user interaction, . . .
--- Abstractions: abstract domains for safety, security, . . . , controllability, robustness, . . .
--- Applications: beyond computer science, control/command, biology, . . .
[2] P. Cousot. Méthodes itératives de construction et d’approximation de points fixes d’opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse d’État ès sciences mathématiques, Université scientifique et médicale de Grenoble, Grenoble, France, 21 March 1978.
[3] B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software. The Essence of Computation: Complexity, Analysis, Transformation. Essays Dedicated to Neil D. Jones, LNCS 2566, pp. 85–108. Springer, 2002.
[4] B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. A static analyzer for large safety-critical software. PLDI’03, San Diego, pp. 196–207, ACM Press, 2003.
[POPL ’77] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238–252, Los Angeles, California, 1977. ACM Press, New York, NY, USA.
[POPL ’78] P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In Conference Record of the Fifth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 84–97, Tucson, Arizona, 1978. ACM Press, New York, NY, U.S.A.
[PACJM ’79] P. Cousot and R. Cousot. Constructive versions of Tarski’s fixed point theorems. Pacific Journal of Mathematics 82(1):43–57 (1979).
[POPL ’79] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 269–282, San Antonio, Texas, 1979. ACM Press, New York, NY, U.S.A.
[POPL ’92] P. Cousot and R. Cousot. Inductive Definitions, Semantics and Abstract Interpretation. In Conference Record of the 19th ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Programming Languages, pages 83–94, Albuquerque, New Mexico, 1992. ACM Press, New York, U.S.A.
[FPCA ’95] P. Cousot and R. Cousot. Formal Language, Grammar and Set-Constraint-Based Program Analysis by Abstract Interpretation. In SIGPLAN/SIGARCH/WG2.8 7th Conference on Functional Programming and Computer Architecture, FPCA’95. La Jolla, California, U.S.A., pages 170–181. ACM Press, New York, U.S.A., 25-28 June 1995.
[POPL ’97] P. Cousot. Types as Abstract Interpretations. In Conference Record of the 24th ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Programming Languages, pages 316–331, Paris, France, 1997. ACM Press, New York, U.S.A.
[POPL ’00] P. Cousot and R. Cousot. Temporal abstract interpretation. In Conference Record of the Twentyseventh Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 12–25, Boston, Mass., January 2000. ACM Press, New York, NY.
[POPL ’02] P. Cousot and R. Cousot. Systematic Design of Program Transformation Frameworks by Abstract Interpretation. In Conference Record of the Twentyninth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 178–190, Portland, Oregon, January 2002. ACM Press, New York, NY.
[TCS 277(1–2) 2002] P. Cousot. Constructive Design of a Hierarchy of Semantics of a Transition System by Abstract Interpretation. Theoretical Computer Science 277(1–2):47–103, 2002.
[TCS 290(1) 2002] P. Cousot and R. Cousot. Parsing as abstract interpretation of grammar semantics. Theoret. Comput. Sci., 290:531–544, 2003.
[Manna’s festschrift ’03] P. Cousot. Verification by Abstract Interpretation. Proc. Int. Symp. on Verification – Theory & Practice – Honoring Zohar Manna’s 64th Birthday, N. Dershowitz (Ed.), Taormina, Italy, June 29 – July 4, 2003. Lecture Notes in Computer Science, vol. 2772, pp. 243–268. © Springer-Verlag, Berlin, Germany, 2003.
[POPL ’04] P. Cousot and R. Cousot. An Abstract Interpretation-Based Framework for Software Watermarking. In Conference Record of the Thirtyfirst Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 173–185, Venice, Italy, January 14-16, 2004. ACM Press, New York, NY.
[VMCAI ’05] P. Cousot. Proving Program Invariance and Termination by Parametric Abstraction, Lagrangian Relaxation and Semidefinite Programming. In Sixth International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI’05), pages 1–24, Paris, France, January 17-19, 2005. Lecture Notes in Computer Science, volume 3385, Springer, Berlin.
[5] P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. The ASTRÉE analyser. ESOP 2005, Edinburgh, LNCS 3444, pp. 21–30, Springer, 2005.
[6] J. Feret. Static analysis of digital filters. ESOP’04, Barcelona, LNCS 2986, pp. 33–48, Springer, 2004.
[7] J. Feret. The arithmetic-geometric progression abstract domain. In VMCAI’05, Paris, LNCS 3385, pp. 42–58, Springer, 2005.
[8] C. Hymans. Checking safety properties of behavioral VHDL descriptions by abstract interpretation. SAS’02, LNCS 2477.
[9] C. Hymans. Design and implementation of an abstract interpreter for VHDL. CHARME ’03, LNCS 2860.
[10] Laurent Mauborgne & Xavier Rival. Trace Partitioning in Abstract Interpretation Based Static Analyzers. ESOP’05, Edinburgh, LNCS 3444, pp. 5–20, Springer, 2005.
[11] A. Miné. A New Numerical Abstract Domain Based on Difference-Bound Matrices. PADO’2001, LNCS 2053, Springer, 2001, pp. 155–172.
[12] A. Miné. Relational abstract domains for the detection of floating-point run-time errors. ESOP’04, Barcelona, LNCS 2986, pp. 3–17, Springer, 2004.
[DPG-ICALP ’05] M. Dalla Preda and R. Giacobazzi. Semantic-based Code Obfuscation by Abstract Interpretation. In Proc. 32nd Int. Colloquium on Automata, Languages and Programming (ICALP’05 – Track B). LNCS, 2005 Springer-Verlag. July 11-15, 2005, Lisboa, Portugal.
[EMSOFT ’01] C. Ferdinand, R. Heckmann, M. Langenbach, F. Martin, M. Schmidt, H. Theiling, S. Thesing, and R. Wilhelm. Reliable and precise WCET determination for a real-life processor. EMSOFT (2001), LNCS 2211, 469–485.
[RT-ESOP ’04] F. Ranzato and F. Tapparo. Strong Preservation as Completeness in Abstract Interpretation. ESOP 2004, Barcelona, Spain, March 29 - April 2, 2004, D.A. Schmidt (Ed), LNCS 2986, Springer, 2004, pp. 18–32.