software analysis otols @ adacore - open-do · ada timeline 3/46 1975 us dod strawman 4 proposals...

Software Analysis Tools @

AdaCore

Yannick Moy

LSL Seminar, CEA-LIST

December 8th, 2009

Outline

Ada & AdaCore

Dynamic Analysis Tools @ AdaCore

Static Analysis Tools @ AdaCore

Project Hi-Lite

1 / 46

Outline

Ada & AdaCore



Project Hi-Lite

2 / 46

Ada Timeline

3 / 46

1975US DoD

�Strawman�

4 proposals selectedGreen, Red, Blue, Yellow

1977

1979Green

1983Ada83

Ada951995

2005Ada2005

Ada201X201X

Integers in Ada

4 / 46

1 subtype Eggs_Number i s I n t e g e r range 0 . . 12 ;2 type Eggs_Number i s new I n t e g e r range 0 . . 12 ;34 i f Eggs_Number ' F i r s t < Num and then

5 Num < Eggs_Number ' Las t6 then . . .78 f o r Num i n Eggs_Number ' Range loop . . .910 Val : I n t e g e r ;11 Num := Eggs_Number ' ( Val ) ;12 Num := Eggs_Number ( Val ) ;

Arrays, References and Pointers in Ada

5 / 46

1 type Arr i s a r r a y ( Eggs_Number ) o f Natu ra l ;23 f o r Num i n Arr ' Range loop . . .45 procedure Set (X : out T) ;6 procedure Get (X : i n T) ;7 procedure Get_And_Set (X : i n out T) ;89 type Pool_Ptr i s a c ce s s I n t e g e r ;10 type Genera l_Ptr i s a c ce s s a l l I n t e g e r ;11 type Non_Null_Ptr i s not n u l l a c ce s s I n t e g e r ;1213 procedure Get (X : acce s s I n t e g e r ) ;

AdaCore Timeline

6 / 46

1992GNAT

NYU/FSF

AdaCore US1994

1996AdaCore EU

GPS2000

2009

2010

CGtkAdaGVD

PolyORBC++

GNATbenchGNATstackGPRbuildAJIS

GNATcheck...

AdaCore Business

7 / 46

Freely-licensed open-source products(FLOSS)

Renewable non-locked subscriptionSubscription with Frontline support

60 Engineers20 PhD5 Professors10 Consultants

AdaCore Customers

8 / 46

GNAT Pro & GPS

9 / 46

Outline

Ada & AdaCore



Project Hi-Lite

10 / 46

Run-time Checking

Constraint errors

Array access outside its boundsRange over�owInteger over�ow (-gnato)etc.

Validity checks

-gnatVce�moprst

pragma Initialize_Scalars; X'Valid

Assertions

pragma Assert (test [, message]);

11 / 46

Run-time Checking

Constraint errors


Validity checks

-gnatVce�moprst


Assertions


12 / 46

Run-time Checking

Constraint errors


Validity checks

-gnatVce�moprst


Assertions


13 / 46

Run-time Checking

Constraint errors


Validity checks

-gnatVce�moprst


Assertions


14 / 46

Run-time Checking

Constraint errors


Validity checks

-gnatVce�moprst


Assertions


15 / 46

GNAT Annotation Language

16 / 46

1 procedure L inear_Search2 ( Table : i n I n tA r r a y ;3 Value : i n I n t e g e r ;4 Found : out Boolean ;5 Index : out I n t e g e r ) ;6 pragma P r e c ond i t i o n ( Counter < I n t e g e r ' Las t ) ;7 pragma Po s t c o nd i t i o n ( not Found or e l s e

8 ( Table ( I ndex ) = Value and then

9 Counter = Counter ' Old + 1 ) ) ;1011 procedure L inear_Search ( . . . ) i s

12 beg in

13 . . .14 f o r J i n I n t e g e r range Table ' Range loop

15 pragma As s e r t ( Found = Fa l s e and

16 Counter < I n t e g e r ' Las t and

17 Counter = Counter ' Old ) ;18 . . .19 end loop ;20 end L inear_Search ;

Memory, Stack & Exceptions

Memory

gnatmem/valgrind : memory managementmemory pools : callbacks on (de-)allocationdebug pools : callback on dereference

Stack-fstack-check : stack over�ow detection and recoverygnatbind -u : post-execution analysis

Exceptions

exception traces : trace all exceptionsexception actions : callback on exceptions

17 / 46


Memory



Exceptions


18 / 46


Memory



Exceptions


19 / 46

Couverture & Pro�ling

20 / 46

gcov

xcov

gprof

AUnit

Outline

Ada & AdaCore



Project Hi-Lite

21 / 46

GNAT Warnings

22 / 46

Unusedentity

Variablecouldbe

constant

Hidingdeclaration

Conditionalexpression

knowntobe

true

orfalseatcompile-time

-gnatwc.cdfh.ijklm.op.pr.rtu.w.x

GNAT Style Checks

23 / 46

pragma Restrictions pragma Pro�le

Maximum

linelength

Separatespecs

Boolean

operators

Indentationlevel

-gnaty3aAbBcdefhiIklnOprsStuxoM80

GNAT Style Checks

24 / 46

pragma Restrictions pragma Pro�le

Maximum

linelength

Separatespecs

Boolean

operators

Indentationlevel

-gnaty3aAbBcdefhiIklnOprsStuxoM80

GNATmetric: Metrics Computation

25 / 46

GNATcheck: Coding Standard Checker

26 / 46

CodePeer: Modular Static Analysis

27 / 46

.ads

.adbgcc -gnatC .scil CodePeer

OBJ SSA PVP

Warnings+

{Contracts}

CodePeer Warnings

28 / 46

CodePeer Contracts

29 / 46

SPARK: Formal Veri�cation

30 / 46

START

.ads

.adbSPARKMake

.idx.smf

Examiner

Errors

.vcg

Simpli�er.sivChecker+.plg.prv

POGSTHE END!

SPARK Annotation Language

1 Counter : Na tu r a l := 0 ;23 procedure L inear_Search4 ( Table : i n I n tA r r a y ;5 Value : i n I n t e g e r ;6 Found : out Boolean ;7 Index : out I n t e g e r ) ;89 −−# g l o b a l i n out Counter ;1011 −−# d e r i v e s Counter from Counter , Table , Value ;1213 −−# pre Counter < I n t e g e r ' Las t ;14 −−# post Found −> ( Table ( I ndex ) = Value and

15 −−# Counter = Counter~ + 1 ) ;

31 / 46

SPARK Subset of Ada

1 procedure L inear_Search ( . . . ) i s

2 beg in

3 Found := Fa l s e ;4 I ndex := 0 ;56 f o r J i n I n t e g e r range Table ' Range loop

78 −−# a s s e r t Found = Fa l s e and

9 −−# Counter < I n t e g e r ' Las t and

10 −−# Counter = Counter ~;1112 i f Table ( J ) = Value then

13 Counter := Counter + 1 ;14 Found := True ;15 Index := J ;16 e x i t ;17 end i f ;18 end loop ;19 end L inear_Search ;

32 / 46

SPARK Examiner

33 / 46

SPARK Simpli�er

34 / 46

Outline

Ada & AdaCore



Project Hi-Lite

35 / 46

Big Picture

36 / 46

Hi-Lite

Testing Static Analysis

Formal Veri�cation

Common Language for Properties

37 / 46

Executable Annotation Language

User InputInferred by

Static AnalysisGenerated withCode from Model

Testing Static Analysis Formal Veri�cation

State-of-the-art Free Software Tools

Software Category Experts License

GNAT Pro compiler AdaCore GNU GPLCodePeer analyser AdaCore GNU GPLExaminer veri�er and Praxis GNU GPL

VC generatorSimpli�er prover Praxis GNU GPLWhy VC generator ProVal GNU LGPLAlt-Ergo prover ProVal CeCILL-CFrama-C analyser and CEA LIST GNU LGPL

veri�er and ProVal

38 / 46

Work�ow Between Tools

39 / 46

VC Generators Automatic Provers

GNAT

CodePeer

ALFA

Ada

SPARK

SPARK

SCIL

Why

Examiner FDL Simpli�er

Why SMTLIB Alt-Ergo

C/E-ACSL

GCC

Frama-C

Many Possible Uses

40 / 46

Challenges

Inferring more precise annotations

Conditional contracts instead of �soft� contractsNon-overlapping of reference/pointer parametersTop-down propagation of calling contexts

Veri�cation of properties on containers

Standard library of containers in SPARKExpressing quanti�cation over containersAutomatic proof of such properties

Improved user interaction

Modular interaction at di�erent levelsPath highlighting (warnings, veri�cation conditions)Traceability of results

41 / 46

Challenges







42 / 46

Challenges







43 / 46

Beyond Formal Veri�cation

Copy-paste error

1 i f Some_Var then

2 . . .3 i f Some_Var then

Dead defensive code

1 X := F ( . . . ) ;2 case X i n

3 . . .4 I n va l i d_Va l u e => . . .

Refactoring error

1 X : T;2 f u n c t i o n F (Y : T) i s

3 beg in

4 Use (X ) ;5 end ;6 F (X ) ;

Ada run-time errors

bound check, null string,uninitialized scalar

44 / 46

Target Market

45 / 46

Consortium

46 / 46

software analysis otols @ adacore - open-do · ada timeline 3/46 1975 us dod strawman 4 proposals...

Documents