GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools

Presented by Arnaud Charlet

Dec 01, 2014


A presentation given at GNAT Pro User Day about the latest advances in AdaCore static analysis tools, CodePeer and SPARK.
Transcript
Page 1: GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools

Latest Advances in AdaCore Static Analysis Tools

Presented by Arnaud Charlet

Page 2

What is Static Analysis?

• Basic Static Analysis: coding standard checking, metrics, compiler warnings and style checks

• Advanced Static Analysis: symbolic execution/interpretation of source code, whole program analysis to perform software verification

• Formal Verification: verify high level or abstract properties on your application, give strong guarantees

Page 3

Why Use Static Analysis?

• Make software more reliable at reasonable cost

• Full coverage of your code

• No missed checks (no “false negatives”): a sound analysis reports every possible instance of the error classes it covers

• Anticipate problems (get results before testing)

• Automate part of code review

• Express and verify your requirements and architecture

Page 4

CodePeer Overview

• Advanced static analysis tool for Ada

• Also includes basic static analysis (gnatcheck, gnatmetric)

• Detects runtime and logic errors: buffer overflow, division by zero, dead code, …

• Analyzes complete or partial programs (full Ada)

• Generates human readable annotations
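As an added illustration, not taken from the presentation, the following Ada unit contains one defect from each class the overview lists (index out of range, division by zero, dead code, uninitialized variable), each isolated in a small subprogram so that a runtime-check analysis such as CodePeer points at a single line. The procedure and its names are hypothetical, and the comments paraphrase the kind of message to expect rather than quoting exact tool output.

```ada
--  Added example, not from the presentation. Each subprogram contains
--  one defect of a class listed on the slide; a runtime-check analysis
--  such as CodePeer flags the marked line. Names are hypothetical.
with Ada.Text_IO; use Ada.Text_IO;

procedure Defects_Demo is

   type Index is range 1 .. 8;
   type Buffer is array (Index) of Integer;

   Data : Buffer := (others => 0);

   --  Buffer overflow: on the last iteration I + 1 = 9, outside Index,
   --  so the array index check fails (Constraint_Error at run time).
   procedure Shift_Left is
   begin
      for I in Index loop
         Data (I) := Data (I + 1);    --  index check might fail
      end loop;
   end Shift_Left;

   --  Division by zero: nothing constrains Count away from 0.
   function Average (Total, Count : Integer) return Integer is
   begin
      return Total / Count;           --  divide by zero might fail
   end Average;

   --  Dead code: the subtype already guarantees P <= 100, so the test
   --  is always true and the else branch is unreachable.
   subtype Percent is Integer range 0 .. 100;

   function Describe (P : Percent) return String is
   begin
      if P <= 100 then                --  condition always true
         return "in range";
      else
         return "impossible";         --  dead code
      end if;
   end Describe;

   --  Uninitialized variable: Result is assigned on only one path.
   function Lookup (Key : Integer) return Integer is
      Result : Integer;
   begin
      if Key > 0 then
         Result := Data (Index (Key mod 8 + 1));
      end if;
      return Result;                  --  might be uninitialized
   end Lookup;

begin
   --  Driver: every defect is reachable from the program entry point.
   --  Run unmodified, execution stops at the first raised exception.
   Put_Line (Describe (50));
   Put_Line (Integer'Image (Lookup (-1)));   --  bounded error (garbage)
   Put_Line (Integer'Image (Average (10, 0)));   --  Constraint_Error
   Shift_Left;                                   --  Constraint_Error
end Defects_Demo;
```

Testing finds these only on the inputs that happen to hit them (Lookup (-1), Average (10, 0)); the analysis reports them from the code alone, which is the "anticipate problems" and "full coverage" argument of the previous slide.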

Page 5

Why Use CodePeer?

• Early testing (detect errors earlier on code modifications/new code)

• Find bugs (on existing code)

• Impact analysis

• Code review: help focusing on potential problems/complex code

Page 6

Why Use CodePeer?

• Race conditions

• Provide evidence for program verification

Page 7

SPARK Overview

• Formal verification tool and language developed by AdaCore and Altran

• Subset of Ada 2012: no pointers, no exceptions

• New aspects, pragmas, attributes

• Can add (executable) contracts for more precise analysis

• Can combine test and proof at subprogram level

• Allows 100% automatic proof

Page 8

Why Use SPARK?

• Guarantee no runtime errors, no uninitialized variables

• Functional verification

• Check data flows (data coupling)

• Express and verify high level properties

Page 9

Why Use SPARK?

When starting from existing code:

• You can start by incrementally adding annotations (pre/post)

• Get immediate benefit from tests (the contracts are executable, so existing tests exercise them)

• Incrementally get additional benefits from the SPARK toolset

Page 10

Why Use SPARK?

When (re)writing (new) code:

• Express your requirements in a way that can be reviewed by humans, checked by testing, and verified by SPARK

• Express your software architecture, and verify it automatically
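A worked example of the incremental path described on slides 9 and 10, added here and not part of the presentation: requirements written as Pre/Post contracts, the data coupling written as Global/Depends, the same contracts checked at run time by a plain Ada test driver, and later discharged by the SPARK tools. The Counter package and every name in it are hypothetical; for GNAT the three units go in separate files (or through gnatchop).

```ada
--  Added example, not from the presentation; package and names are
--  hypothetical. Compiled with -gnata the contracts become run-time
--  checks for the test driver; gnatprove proves the same contracts.
package Counter with SPARK_Mode is

   Max : constant := 1_000;
   subtype Count is Natural  range 0 .. Max;
   subtype Step  is Positive range 1 .. Max;

   Value : Count := 0;

   --  Pre states the caller's obligation, Post the implementation's
   --  promise. Global/Depends document the data coupling: the only
   --  state touched is Value, and its new value depends on its old
   --  value and on S.
   procedure Increment (S : Step)
     with Global  => (In_Out => Value),
          Depends => (Value => (Value, S)),
          Pre     => Value <= Max - S,
          Post    => Value = Value'Old + S;

   --  Saturating variant: no precondition (callers cannot misuse it),
   --  and the postcondition still pins the result down exactly.
   procedure Increment_Saturating (S : Step)
     with Global  => (In_Out => Value),
          Depends => (Value => (Value, S)),
          Post    => Value = Integer'Min (Max, Value'Old + S);

end Counter;

package body Counter with SPARK_Mode is

   procedure Increment (S : Step) is
   begin
      Value := Value + S;     --  in range: Pre gives Value + S <= Max
   end Increment;

   procedure Increment_Saturating (S : Step) is
   begin
      if S >= Max - Value then
         Value := Max;
      else
         Value := Value + S;
      end if;
   end Increment_Saturating;

end Counter;

--  Test driver (plain Ada, outside SPARK because it handles an
--  exception): with assertions enabled, a call that breaks the
--  precondition raises Assertion_Error at the call site.
with Ada.Assertions;
with Ada.Text_IO;
with Counter;

procedure Test_Counter is
begin
   Counter.Increment (S => 10);                   --  Value = 10
   Counter.Increment_Saturating (S => 1_000);     --  Value = Max
   begin
      Counter.Increment (S => 1);                 --  Pre fails: 1000 <= 999
      Ada.Text_IO.Put_Line ("precondition not checked (build with -gnata)");
   exception
      when Ada.Assertions.Assertion_Error =>
         Ada.Text_IO.Put_Line ("precondition violation caught");
   end;
end Test_Counter;
```

The point of the two variants is the trade-off the contracts make visible: Increment pushes an obligation onto every caller (and the prover must show each call site meets it), while Increment_Saturating takes no obligation and instead commits to a precise result, so callers that cannot guarantee headroom have a subprogram they can still call safely.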

Page 11

SPARK vs. CodePeer

SPARK:

• Ada subset (no pointers/exceptions)

• Requires more effort (add contracts)

• Finds (and proves absence of) all runtime errors

• Verifies functional correctness and security properties

CodePeer:

• Full Ada

• Very easy to run (easier than writing tests)

• Finds possible runtime errors and suspicious code worth reviewing

• No functional error detection

• Can tune level of detection/false alarms

Page 12

Next Release

SPARK 15.0 and CodePeer 3.0

Page 13

What’s New in SPARK 15.0

• Improved proof capability

• Improved user interface

• New language features

Page 14

Improved Proof Capability

• Local subprograms can be used without contracts

• Improved parallelism

• Use of Ada functions in contracts

• Improved handling of arrays, integers, floating-point

Page 15

Improved User Interface

• Improved handling of error and warning messages

• More precise generation of contracts (Globals/Depends)

• Support for manual provers (e.g. Coq, Isabelle)

• Computation and display of remaining assumptions

• Improved documentation (examples, tutorials, …)

Page 16

New Language Features

• Support for tagged types and dynamic dispatching

• Library of (un)bounded indefinite containers

• Support for dynamic constants/types

• Improved usability of volatile objects

• Support for simple raise statements

• Support for proof-only (“ghost”) code
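The last item, proof-only ("ghost") code, is the one that changes how specifications are written, so here is an added example of it (not from the presentation; the Search package and its names are hypothetical). A ghost function states the requirement, the postcondition and loop invariant use it, and none of it reaches the executable when assertions are disabled.

```ada
--  Added example, not from the presentation; names are hypothetical.
--  Contains is ghost: usable in contracts, assertions and loop
--  invariants, and absent from the executable when assertions are off.
package Search with SPARK_Mode is

   subtype Index is Positive range 1 .. 100;
   type Vec is array (Index) of Integer;

   function Contains (V : Vec; X : Integer) return Boolean is
     (for some I in V'Range => V (I) = X)
   with Ghost;

   --  Returns an index holding X, or 0 if X is absent. The postcondition
   --  is the full functional requirement, expressed through the ghost
   --  function rather than through code the product would have to carry.
   function Find (V : Vec; X : Integer) return Natural
     with Post =>
       (if Find'Result = 0
        then not Contains (V, X)
        else Find'Result in Index and then V (Find'Result) = X);

end Search;

package body Search with SPARK_Mode is

   function Find (V : Vec; X : Integer) return Natural is
   begin
      for I in V'Range loop
         if V (I) = X then
            return I;
         end if;
         --  The invariant records what the loop has established so far;
         --  it is what lets the prover discharge the "not found" branch
         --  of the postcondition once the loop has run to completion.
         pragma Loop_Invariant (for all J in V'First .. I => V (J) /= X);
      end loop;
      return 0;
   end Find;

end Search;
```

Without the ghost aspect, Contains would be ordinary code that the linker keeps and that a reviewer could mistake for something the product calls; with it, the compiler rejects any attempt to use Contains from non-ghost code, so the specification cannot leak into behaviour.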

Page 17

What’s New in CodePeer 3.0

• DO-178B and EN 50128 qualification

• Support for IEEE 754 floating point semantics

• Symbolic debugger

• Enhanced project file support

• Improved support for non GNAT compilers

• Enhanced Messages

Page 18

DO-178B Qualification

• CodePeer can be used to automate part of DO-178B objective 6.3.4.f, whose objective is to determine the correctness and consistency of the Source Code

• Qualified as a verification tool (TQL-5 in DO-178C)

• Most checks have been qualified: overflow, range, index, division by zero, uninitialized variables

• Generation of a detailed report file (date of run, switches, messages, limitations, …)

Page 19

EN 50128 Qualification

• Qualified as a tool of class T2

• Boundary value analysis: null dereference, buffer overflow, numeric overflow, …

• Control flow analysis: unreachable code, redundant conditionals, …

• Data flow analysis: uninitialized variables, redundant assignments, …

Page 20

IEEE 754 Floating Point

• CodePeer used to approximate floating point using infinite-precision values (mathematical results)

• This could lead to missed errors (a divisor that is nonzero in the reals but rounds to zero) or to false alarms

• IEEE 754 rounding and loss of precision now taken into account

• Reliable detection of possible overflows, division by zero

• Understand properties of mathematical functions (cos, sin, sqrt, …)
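An added example, not from the presentation, of both directions the slide mentions: a division by zero that real-number reasoning cannot see because it only appears after IEEE 754 rounding, and a range check that an analysis can only prove safe if it knows the range of Cos. The procedure and its names are hypothetical, and the rounding argument assumes the target really computes Float in IEEE single precision.

```ada
--  Added example, not from the presentation; names are hypothetical.
with Ada.Text_IO;                       use Ada.Text_IO;
with Ada.Numerics.Elementary_Functions; use Ada.Numerics.Elementary_Functions;

procedure Float_Rounding is

   subtype Unit is Float range -1.0 .. 1.0;

   --  Single precision keeps 24 significand bits, so integers above
   --  2**24 (16_777_216) are no longer all representable; at 1.0e8 the
   --  spacing between adjacent floats is 8.0.
   Big   : Float := 1.0e8;
   Diff  : Float;
   Ratio : Float := 0.0;
   Angle : Float := 2.5;
   U     : Unit;

begin
   --  Mathematically (1.0e8 + 1.0) - 1.0e8 = 1.0. Under IEEE 754 single
   --  precision 1.0e8 + 1.0 rounds back to 1.0e8, so Diff is 0.0.
   Diff := (Big + 1.0) - Big;

   --  A model with real-number semantics concludes Diff /= 0.0 and
   --  reports nothing on the division (a missed error); under IEEE
   --  semantics the divisor is exactly 0.0. Whether 1.0 / 0.0 raises
   --  Constraint_Error or yields +Inf depends on Float'Machine_Overflows
   --  for the target, so the guard below is the portable fix.
   if Diff = 0.0 then
      Put_Line ("cancellation: Diff is 0.0, division skipped");
   else
      Ratio := 1.0 / Diff;
   end if;

   --  The other direction: Cos always returns a value in -1.0 .. 1.0,
   --  so the range check on this assignment to Unit cannot fail. An
   --  analysis that treats Cos as an unknown function must report a
   --  possible range check failure here, which is a false alarm.
   U := Cos (Angle);

   Put_Line ("Diff  =" & Float'Image (Diff));
   Put_Line ("Ratio =" & Float'Image (Ratio));
   Put_Line ("U     =" & Float'Image (U));
end Float_Rounding;
```

The lesson for reviewing float-heavy code is that "cannot be zero" arguments made in the reals are not evidence: cancellation between nearly equal operands produces exact zeros, and a divisor derived from such a subtraction needs an explicit guard or a documented lower bound.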

Page 21

Symbolic Debugger

• Display of backtraces on precondition messages

• Display of possible values for any variable

Page 22

Enhanced Project File Support

• Aggregate projects

• Specifying main files on command line

• Analyzing closure of project

• Excluding some files from analysis

• Improved documentation on getting started with project files

Page 23

Support for Other Compilers

• Compiler specific libraries

• Support for a target configuration file

• Ability to generate a target configuration file using target compiler

• Support for Ada 83 non-portable or invalid code

Page 24

Enhanced Messages

• New message: check on possible parameter aliasing

• New filter on security related vulnerabilities

• Support for CWE (Common Weakness Enumeration) cwe.mitre.org

• Compiler-like behavior: file by file quick incremental analysis

• More accurate messages, fewer false positives
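The parameter aliasing check is worth a concrete example, added here and not part of the presentation (procedure and names are hypothetical). Ada passes arrays by reference, so a subprogram that is correct for distinct actuals can silently compute the wrong result when a caller passes the same object twice; GNAT may warn on the obvious call, a tool message on possible aliasing covers the cases a reviewer would otherwise have to trace by hand, and SPARK's language rules reject aliased actuals outright.

```ada
--  Added example, not from the presentation; names are hypothetical.
with Ada.Text_IO; use Ada.Text_IO;

procedure Aliasing_Demo is

   type Vec is array (1 .. 4) of Integer;

   --  Writes the reverse of Src into Dst. Correct when the two actuals
   --  are distinct objects. Arrays are passed by reference, so if the
   --  caller passes the same object for both, the writes to Dst
   --  overwrite elements of Src that have not been read yet.
   procedure Reverse_Into (Src : in Vec; Dst : out Vec) is
   begin
      for I in Vec'Range loop
         Dst (I) := Src (Vec'Last - I + Vec'First);
      end loop;
   end Reverse_Into;

   --  Alias-tolerant rewrite: snapshot Src first, so the result no
   --  longer depends on whether the actuals overlap.
   procedure Reverse_Into_Safe (Src : in Vec; Dst : out Vec) is
      Tmp : constant Vec := Src;
   begin
      for I in Vec'Range loop
         Dst (I) := Tmp (Vec'Last - I + Vec'First);
      end loop;
   end Reverse_Into_Safe;

   procedure Show (Label : String; V : Vec) is
   begin
      Put (Label);
      for I in V'Range loop
         Put (Integer'Image (V (I)));
      end loop;
      New_Line;
   end Show;

   A, B, C : Vec := (1, 2, 3, 4);
   Result  : Vec;

begin
   Reverse_Into (A, Result);
   Show ("distinct objects: ", Result);      --  4 3 2 1

   --  Same object for Src and Dst: iteration 1 stores 4 into B (1);
   --  iteration 4 then reads that 4 back as Src (1), so the original
   --  1 and 2 are lost.
   Reverse_Into (B, B);
   Show ("aliased actuals:  ", B);           --  4 3 3 4

   Reverse_Into_Safe (C, C);
   Show ("safe, aliased:    ", C);           --  4 3 2 1
end Aliasing_Demo;
```

Nothing in Reverse_Into is wrong on its own, which is why this class of defect survives unit tests written against distinct buffers; the aliasing message is raised at the call site, where the overlap is visible.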

Page 25

Future Plans

SPARK 16.0 and CodePeer 3.1

Page 26

SPARK 16.0

• Generation of counterexamples

• Integration with tests

• Symbolic debugger

• Improved proof

• Support for tasking

Page 27

CodePeer 3.1

• Detection of dangling references

• Incremental (re)analysis

• Integration with GNATtest

• New HTML interface

• Integration with Jenkins

Page 28

Questions?