Software Analysis AdaCore

Transcription

1 Software Analysis AdaCore Yannick Moy LSL Seminar, CEA-LIST December 8 th, 2009

2 Outline Ada & AdaCore Dynamic Analysis AdaCore Static Analysis AdaCore Project Hi-Lite 1 / 46

3 Outline Ada & AdaCore Dynamic Analysis AdaCore Static Analysis AdaCore Project Hi-Lite 2 / 46

4 Ada Timeline 4 proposals selected Green, Red, Blue, Yellow 1977 Ada Ada201X 201X US DoD Green Strawman 1983 Ada Ada / 46

5 Integers in Ada 1 s u b t y p e Eggs_Number i s I n t e g e r r a n g e ; 2 t y p e Eggs_Number i s new I n t e g e r r a n g e ; 3 4 i f Eggs_Number ' F i r s t < Num and then 5 Num < Eggs_Number ' L a s t 6 t hen f o r Num i n Eggs_Number ' Range l o o p Val : I n t e g e r ; 11 Num := Eggs_Number ' ( Val ) ; 12 Num := Eggs_Number ( Val ) ; 4 / 46

6 Arrays, References and Pointers in Ada 1 t y p e A r r i s a r r a y ( Eggs_Number ) o f N a t u r a l ; 2 3 f o r Num i n Arr ' Range l o o p p r o c e d u r e S e t (X : out T ) ; 6 p r o c e d u r e Get (X : i n T ) ; 7 p r o c e d u r e Get_And_Set (X : i n out T ) ; 8 9 t y p e Pool_Ptr i s a c c e s s I n t e g e r ; 10 t y p e G e n e r a l _ P t r i s a c c e s s a l l I n t e g e r ; 11 t y p e Non_Null_Ptr i s not n u l l a c c e s s I n t e g e r ; p r o c e d u r e Get (X : a c c e s s I n t e g e r ) ; 5 / 46

7 AdaCore Timeline 1992 GNAT NYU/FSF AdaCore US AdaCore EU GPS 2000 C GtkAda GVD PolyORB C++ GNATbench GNATstack GPRbuild AJIS GNATcheck / 46

8 AdaCore Business 60 Engineers 20 PhD 5 Professors 10 Consultants Freely-licensed open-source products (FLOSS) Renewable non-locked subscription Subscription with Frontline support 7 / 46

9 AdaCore Customers 8 / 46

10 GNAT Pro & GPS 9 / 46

11 Outline Ada & AdaCore Dynamic Analysis AdaCore Static Analysis AdaCore Project Hi-Lite 10 / 46

12 Run-time Checking Constraint errors Array access outside its bounds Range overow Integer overow (-gnato) etc. Validity checks -gnatvcemoprst pragma Initialize_Scalars; X'Valid Assertions pragma Assert (test [, message]); 11 / 46

13 Run-time Checking Constraint errors Array access outside its bounds Range overow Integer overow (-gnato) etc. Validity checks -gnatvcemoprst pragma Initialize_Scalars; X'Valid Assertions pragma Assert (test [, message]); 12 / 46

14 Run-time Checking Constraint errors Array access outside its bounds Range overow Integer overow (-gnato) etc. Validity checks -gnatvcemoprst pragma Initialize_Scalars; X'Valid Assertions pragma Assert (test [, message]); 13 / 46

15 Run-time Checking Constraint errors Array access outside its bounds Range overow Integer overow (-gnato) etc. Validity checks -gnatvcemoprst pragma Initialize_Scalars; X'Valid Assertions pragma Assert (test [, message]); 14 / 46

16 Run-time Checking Constraint errors Array access outside its bounds Range overow Integer overow (-gnato) etc. Validity checks -gnatvcemoprst pragma Initialize_Scalars; X'Valid Assertions pragma Assert (test [, message]); 15 / 46

17 GNAT Annotation Language 1 p r o c e d u r e L i n e a r _ S e a r c h 2 ( T a b l e : i n I n t A r r a y ; 3 V a l u e : i n I n t e g e r ; 4 Found : out Boolean ; 5 I n d e x : out I n t e g e r ) ; 6 pragma P r e c o n d i t i o n ( C o u n t e r < I n t e g e r ' L a s t ) ; 7 pragma P o s t c o n d i t i o n ( not Found o r e l s e 8 ( T a b l e ( I n d e x ) = V a l u e and then 9 C o u n t e r = Counter ' Old + 1 ) ) ; p r o c e d u r e L i n e a r _ S e a r c h (... ) i s 12 b e g i n f o r J i n I n t e g e r r a n g e Table ' Range l o o p 15 pragma A s s e r t ( Found = F a l s e and 16 C o u n t e r < I n t e g e r ' L a s t and 17 C o u n t e r = Counter ' Old ) ; end l o o p ; 20 end L i n e a r _ S e a r c h ; 16 / 46

18 Memory, Stack & Exceptions Memory gnatmem/valgrind memory pools debug pools Stack -fstack-check gnatbind -u Exceptions exception traces exception actions : memory management : callbacks on (de-)allocation : callback on dereference : stack overow detection and recovery : post-execution analysis : trace all exceptions : callback on exceptions 17 / 46

19 Memory, Stack & Exceptions Memory gnatmem/valgrind memory pools debug pools Stack -fstack-check gnatbind -u Exceptions exception traces exception actions : memory management : callbacks on (de-)allocation : callback on dereference : stack overow detection and recovery : post-execution analysis : trace all exceptions : callback on exceptions 18 / 46

20 Memory, Stack & Exceptions Memory gnatmem/valgrind memory pools debug pools Stack -fstack-check gnatbind -u Exceptions exception traces exception actions : memory management : callbacks on (de-)allocation : callback on dereference : stack overow detection and recovery : post-execution analysis : trace all exceptions : callback on exceptions 19 / 46

21 Couverture & Proling gcov gprof xcov AUnit 20 / 46

22 Outline Ada & AdaCore Dynamic Analysis AdaCore Static Analysis AdaCore Project Hi-Lite 21 / 46

23 GNAT Warnings -gnatwc.cdfh.ijklm.op.pr.rtu.w.x Conditional expression known to be true or false at compile-time Hiding declaration Variable could be constant Unused entity 22 / 46

24 GNAT Style Checks -gnaty3aabbcdefhiiklnoprsstuxom80 Indentation level Boolean operators Separate specs Maximum line length pragma Restrictions pragma Prole 23 / 46

25 GNAT Style Checks -gnaty3aabbcdefhiiklnoprsstuxom80 Indentation level Boolean operators Separate specs Maximum line length pragma Restrictions pragma Prole 24 / 46

26 GNATmetric: Metrics Computation 25 / 46

27 GNATcheck: Coding Standard Checker 26 / 46

28 CodePeer: Modular Static Analysis.ads.adb gcc -gnatc.scil CodePeer OBJ SSA PVP Warnings + {Contracts} 27 / 46

29 CodePeer Warnings 28 / 46

30 CodePeer Contracts 29 / 46

31 SPARK: Formal Verication START Errors.ads.adb SPARKMake.idx.smf Examiner THE END! POGS.vcg.plg.prv + Checker.siv Simplier 30 / 46

32 SPARK Annotation Language 1 C o u n t e r : N a t u r a l := 0 ; 2 3 p r o c e d u r e L i n e a r _ S e a r c h 4 ( T a b l e : i n I n t A r r a y ; 5 V a l u e : i n I n t e g e r ; 6 Found : out Boolean ; 7 I n d e x : out I n t e g e r ) ; 8 9 # g l o b a l i n out C o u n t e r ; # d e r i v e s C o u n t e r from Counter, Table, V a l u e ; # p r e C o u n t e r < I n t e g e r ' L a s t ; 14 # p o s t Found > ( T a b l e ( I n d e x ) = V a l u e and 15 # C o u n t e r = C o u n t e r ~ + 1 ) ; 31 / 46

33 SPARK Subset of Ada 1 p r o c e d u r e L i n e a r _ S e a r c h (... ) i s 2 b e g i n 3 Found := F a l s e ; 4 I n d e x := 0 ; 5 6 f o r J i n I n t e g e r r a n g e Table ' Range l o o p 7 8 # a s s e r t Found = F a l s e and 9 # C o u n t e r < I n t e g e r ' L a s t and 10 # C o u n t e r = C o u n t e r ~; i f T a b l e ( J ) = V a l u e t hen 13 C o u n t e r := C o u n t e r + 1 ; 14 Found := True ; 15 I n d e x := J ; 16 e x i t ; 17 end i f ; 18 end l o o p ; 19 end L i n e a r _ S e a r c h ; 32 / 46

34 SPARK Examiner 33 / 46

35 SPARK Simplier 34 / 46

36 Outline Ada & AdaCore Dynamic Analysis AdaCore Static Analysis AdaCore Project Hi-Lite 35 / 46

37 Big Picture Testing Static Analysis Hi-Lite Formal Verication 36 / 46

38 Common Language for Properties User Input Inferred by Static Analysis Generated with Code from Model Executable Annotation Language Testing Static Analysis Formal Verication 37 / 46

39 State-of-the-art Free Software Tools Software Category Experts License GNAT Pro compiler AdaCore GNU GPL CodePeer analyser AdaCore GNU GPL Examiner verier and Praxis GNU GPL VC generator Simplier prover Praxis GNU GPL Why VC generator ProVal GNU LGPL Alt-Ergo prover ProVal CeCILL-C Frama-C analyser and CEA LIST GNU LGPL verier and ProVal 38 / 46

40 Workow Between Tools CodePeer SCIL ALFA GNAT SPARK Examiner FDL Simplier Ada SPARK GCC Why Why SMTLIB Alt-Ergo VC Generators Automatic Provers C/E-ACSL Frama-C 39 / 46

41 Many Possible Uses 40 / 46

42 Challenges Inferring more precise annotations Conditional contracts instead of soft contracts Non-overlapping of reference/pointer parameters Top-down propagation of calling contexts Verication of properties on containers Standard library of containers in SPARK Expressing quantication over containers Automatic proof of such properties Improved user interaction Modular interaction at dierent levels Path highlighting (warnings, verication conditions) Traceability of results 41 / 46

43 Challenges Inferring more precise annotations Conditional contracts instead of soft contracts Non-overlapping of reference/pointer parameters Top-down propagation of calling contexts Verication of properties on containers Standard library of containers in SPARK Expressing quantication over containers Automatic proof of such properties Improved user interaction Modular interaction at dierent levels Path highlighting (warnings, verication conditions) Traceability of results 42 / 46

44 Challenges Inferring more precise annotations Conditional contracts instead of soft contracts Non-overlapping of reference/pointer parameters Top-down propagation of calling contexts Verication of properties on containers Standard library of containers in SPARK Expressing quantication over containers Automatic proof of such properties Improved user interaction Modular interaction at dierent levels Path highlighting (warnings, verication conditions) Traceability of results 43 / 46

45 Beyond Formal Verication Copy-paste error Refactoring error 1 i f Some_Var then i f Some_Var then Dead defensive code 1 X : T ; 2 f u n c t i o n F (Y : T) i s 3 b e g i n 4 Use (X ) ; 5 end ; 6 F (X ) ; 1 X := F (... ) ; 2 c a s e X i n I n v a l i d _ V a l u e =>... Ada run-time errors bound check, null string, uninitialized scalar 44 / 46

46 Target Market 45 / 46

47 Consortium 46 / 46