Frama-C A Collaborative Framework for C Code Verification Tutorial at ISSRE 2017

Nikolai Kosmatov, Julien Signoles

Toulouse, October 26th, 2017

N. Kosmatov, J. Signoles (CEA LIST)

Frama-C

2017-10-26

1 / 106

Outline
- Formal Specification and Deductive Verification with WP
- Value Analysis
- Structural Unit Testing with PathCrawler
- Runtime Verification with E-ACSL
- Combinations of Analyses
- Conclusion


Frama-C Open Source Distribution

Framework for analyses of source code written in ISO 99 C [Kirchner & al in FAC'15]
- developed by CEA LIST since 2005
- almost open source (LGPL 2.1)
- first open-source release aka Hydrogen in 2008
- last open-source release aka 15-Phosphorus in May 2017
- http://frama-c.com
- analyze C code extended with ACSL annotations
- also proprietary extensions and distributions
- targets both academic and industrial usage


Frama-C, a Collection of Tools

Several tools inside a single platform
- plug-in architecture à la Eclipse [S. @F-IDE'15]
- tools provided as plug-ins
  - 22 plug-ins in the open source distribution
  - outside open source plug-ins (e.g. Frama-Clang)
  - closed source plug-ins, either at CEA (about 20) or outside
- plug-ins connected to a kernel
  - provides a uniform setting
  - provides general services
  - synthesizes useful information
  - analyzer combinations [Correnson & S. @FMICS'12]


Frama-C Plug-ins Gallery


Frama-C, a Development Platform
- developed in OCaml (≈ 180 kloc in the open source distribution, ≈ 300 kloc with proprietary extensions)
- was based on Cil [Necula & al @CC'02]
- library dedicated to analysis of C code
- development of plug-ins by third party
  - powerful low-cost analyser
  - dedicated plug-in for specific task (coding rules verifier)
  - dedicated plug-in for fine-grain parameterization
  - extension of existing analysers


Formal Specification and Deductive Verification with WP

Outline
- Formal Specification and Deductive Verification with WP
  - Overview of ACSL and WP
  - Function contracts
  - Programs with loops
  - My proof fails... What to do?
- Value Analysis
- Structural Unit Testing with PathCrawler
- Runtime Verification with E-ACSL
- Combinations of Analyses
- Conclusion


Formal Specification and Deductive Verification with WP

Goal

In this part, we will see
- how to specify a C program using ACSL
- how to prove it with an automatic tool using Frama-C/WP
- how to understand and fix proof failures


Formal Specification and Deductive Verification with WP

Objectives of Deductive Verification

Rigorous, mathematical proof of semantic properties of a program
- functional properties
- safety:
  - all memory accesses are valid,
  - no arithmetic overflow,
  - no division by zero, ...
- termination


Formal Specification and Deductive Verification with WP

Overview of ACSL and WP

Outline
- Formal Specification and Deductive Verification with WP
  - Overview of ACSL and WP
  - Function contracts
  - Programs with loops
  - My proof fails... What to do?
- Value Analysis
- Structural Unit Testing with PathCrawler
- Runtime Verification with E-ACSL
- Combinations of Analyses
- Conclusion


Formal Specification and Deductive Verification with WP

Overview of ACSL and WP

ACSL: ANSI/ISO C Specification Language

Presentation
- Based on the notion of contract, like in Eiffel, JML
- Allows users to specify functional properties of programs
- Allows communication between various plugins
- Independent from a particular analysis
- Manual at http://frama-c.com/acsl

Basic Components
- Typed first-order logic
- Pure C expressions
- C types + Z (integer) and R (real)
- Built-in predicates and logic functions, particularly over pointers:
  \valid(p), \valid(p+0..2), \separated(p+0..2,q+0..5), \block_length(p)



Formal Specification and Deductive Verification with WP

Overview of ACSL and WP

WP plugin
- Hoare-logic based plugin, developed at CEA List
- Proof of semantic properties of the program
- Modular verification (function by function)
- Input: a program and its specification in ACSL
- WP generates verification conditions (VCs)
- Relies on Automatic Theorem Provers to discharge the VCs
  - Alt-Ergo, Simplify, Z3, Yices, CVC3, CVC4 ...
- WP manual at http://frama-c.com/wp.html
- If all VCs are proved, the program respects the given specification
  - Does it mean that the program is correct?
  - NO! If the specification is wrong, the program can be wrong!


Formal Specification and Deductive Verification with WP

Function contracts

Outline
- Formal Specification and Deductive Verification with WP
  - Overview of ACSL and WP
  - Function contracts
  - Programs with loops
  - My proof fails... What to do?
- Value Analysis
- Structural Unit Testing with PathCrawler
- Runtime Verification with E-ACSL
- Combinations of Analyses
- Conclusion


Formal Specification and Deductive Verification with WP

Function contracts

Contracts
- Goal: specification of imperative functions
- Approach: give assertions (i.e. properties) about the functions
  - Precondition is supposed to be true on entry (ensured by the caller)
  - Postcondition must be true on exit (ensured by the function)
- Nothing is guaranteed when the precondition is not satisfied
- Termination may be guaranteed or not (total or partial correctness)

Primary role of contracts
- Must reflect the informal specification
- Should not be modified just to suit the verification tasks


Formal Specification and Deductive Verification with WP

Function contracts

Example 1

Specify and prove the following program:

    // returns the absolute value of x
    int abs(int x) {
      if (x >= 0) return x;
      return -x;
    }

Try to prove with Frama-C/WP using the basic command
- frama-c-gui -wp file.c



Formal Specification and Deductive Verification with WP

Function contracts

Example 1 (Continued)

The basic proof succeeds for the following program:

    /*@ ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x); */
    int abs(int x) {
      if (x >= 0) return x;
      return -x;
    }

- The returned value is not always as expected.
- For x = INT_MIN, -x cannot be represented by an int and overflows
- Example: on 32-bit, INT_MIN = −2^31 while INT_MAX = 2^31 − 1


Formal Specification and Deductive Verification with WP

Function contracts

Safety warnings: arithmetic overflows

Absence of arithmetic overflows can be important to check
- A sad example: crash of Ariane 5 in 1996

WP can automatically check the absence of runtime errors
- Use the command frama-c-gui -wp -wp-rte file.c
- It generates VCs to ensure that runtime errors do not occur
  - in particular, arithmetic operations do not overflow
  - If not proved, an error may occur.


Formal Specification and Deductive Verification with WP

Function contracts

Example 1 (Continued) - Solution

This is the completely specified program:

    #include <limits.h>
    /*@ requires x > INT_MIN;
        ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x);
        assigns \nothing;
    */
    int abs(int x) {
      if (x >= 0) return x;
      return -x;
    }


Formal Specification and Deductive Verification with WP

Function contracts

Example 2

Specify and prove the following program:

    // returns the maximum of x and y
    int max(int x, int y) {
      if (x >= y) return x;
      return y;
    }


Formal Specification and Deductive Verification with WP

Function contracts

Example 2 (Continued) - Find the error

The following program is proved. Do you see any error?

    /*@ ensures \result >= x && \result >= y; */
    int max(int x, int y) {
      if (x >= y) return x;
      return y;
    }



Formal Specification and Deductive Verification with WP

Function contracts

Example 2 (Continued) - a wrong version

This is a wrong implementation that is also proved. Why?

    #include <limits.h>
    /*@ ensures \result >= x && \result >= y; */
    int max(int x, int y) {
      return INT_MAX;
    }

- Our specification is incomplete
- Should say that the returned value is one of the arguments


Formal Specification and Deductive Verification with WP

Function contracts

Example 2 (Continued) - Solution

This is the completely specified program:

    /*@ ensures \result >= x && \result >= y;
        ensures \result == x || \result == y;
        assigns \nothing;
    */
    int max(int x, int y) {
      if (x >= y) return x;
      return y;
    }


Formal Specification and Deductive Verification with WP

Function contracts

Example 3

Specify and prove the following program:

    // returns the maximum of *p and *q
    int max_ptr(int *p, int *q) {
      if (*p >= *q) return *p;
      return *q;
    }



Formal Specification and Deductive Verification with WP

Function contracts

Example 3 (Continued) - Explain the proof failure

Explain the proof failure with the option -wp-rte for the program:

    /*@ ensures \result >= *p && \result >= *q;
        ensures \result == *p || \result == *q;
    */
    int max_ptr(int *p, int *q) {
      if (*p >= *q) return *p;
      return *q;
    }

- Nothing ensures that pointers p, q are valid
- It must be ensured either by the function, or by its precondition


Formal Specification and Deductive Verification with WP

Function contracts

Safety warnings: invalid memory accesses

An invalid pointer or array access may result in a segmentation fault or memory corruption.
- WP can automatically generate VCs to check memory access validity
  - use the command frama-c-gui -wp -wp-rte file.c
  - They ensure that each pointer (array) access has a valid offset (index)
- If the function assumes that an input pointer is valid, it must be stated in its precondition, e.g.
  - \valid(p) for one pointer p
  - \valid(p+0..2) for a range of offsets p, p+1, p+2


Formal Specification and Deductive Verification with WP

Function contracts

Example 3 (Continued) - Find the error

The following program is proved. Do you see any error?

    /*@ requires \valid(p) && \valid(q);
        ensures \result >= *p && \result >= *q;
        ensures \result == *p || \result == *q;
    */
    int max_ptr(int *p, int *q) {
      if (*p >= *q) return *p;
      return *q;
    }



Formal Specification and Deductive Verification with WP

Function contracts

Example 3 (Continued) - a wrong version

This is a wrong implementation that is also proved. Why?

    /*@ requires \valid(p) && \valid(q);
        ensures \result >= *p && \result >= *q;
        ensures \result == *p || \result == *q;
    */
    int max_ptr(int *p, int *q) {
      *p = 0;
      *q = 0;
      return 0;
    }

- Our specification is incomplete
- Should say that the function cannot modify *p and *q


Formal Specification and Deductive Verification with WP

Function contracts

Assigns clause

The clause assigns v1, v2, ..., vN;
- Part of the postcondition
- Specifies which (non local) variables can be modified by the function
- Avoids having to state, for every unchanged global variable v: ensures \old(v) == v;
- Avoids forgetting one of them: explicit permission is required
- If nothing can be modified, specify assigns \nothing
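An added example (not from the slides) of a contract whose assigns clause is not empty: swap is permitted to modify exactly *p and *q, and \old lets the postcondition refer to the values at entry. The names swap, swap_underspecified and counter, and the sample values, are ours.

```c
/* Added example: a contract with a non-empty assigns clause (not from
 * the slides; the names swap, swap_underspecified and counter are ours). */

/*@ requires \valid(p) && \valid(q);
    assigns *p, *q;
    ensures *p == \old(*q) && *q == \old(*p);
*/
void swap(int *p, int *q) {
  /* Only *p and *q may change; WP checks that nothing else is written. */
  int tmp = *p;
  *p = *q;
  *q = tmp;
}

int counter = 0;   /* an unrelated global, used below */

/*@ requires \valid(p) && \valid(q);
    ensures *p == \old(*q) && *q == \old(*p);
*/
void swap_underspecified(int *p, int *q) {
  int tmp = *p;
  *p = *q;
  *q = tmp;
  /* This write is not forbidden by the contract above: without an assigns
   * clause the two ensures still hold and the function is still proved.
   * With "assigns *p, *q;" the same line would make the proof fail. */
  counter = 0;
}

/* Driver on constructed values: returns 1 if swap exchanged them. */
int swap_demo(void) {
  int a = 3, b = 7;
  swap(&a, &b);
  return a == 7 && b == 3;
}
```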


Formal Specification and Deductive Verification with WP

Function contracts

Example 3 (Continued) - Solution

This is the completely specified program:

    /*@ requires \valid(p) && \valid(q);
        ensures \result >= *p && \result >= *q;
        ensures \result == *p || \result == *q;
        assigns \nothing;
    */
    int max_ptr(int *p, int *q) {
      if (*p >= *q) return *p;
      return *q;
    }


Formal Specification and Deductive Verification with WP

Function contracts

Behaviors

Specification by cases
- Global precondition (requires) applies to all cases
- Global postcondition (ensures, assigns) applies to all cases
- Behaviors define contracts (refine global contract) in particular cases
- For each case (each behavior)
  - the subdomain is defined by assumes clause
  - the behavior's precondition is defined by requires clauses
    - it is supposed to be true whenever assumes condition is true
  - the behavior's postcondition is defined by ensures, assigns clauses
    - it must be ensured whenever assumes condition is true
- complete behaviors states that given behaviors cover all cases
- disjoint behaviors states that given behaviors do not overlap


Formal Specification and Deductive Verification with WP

Function contracts

Example 4

Specify using behaviors and prove the function abs:

    // returns the absolute value of x
    int abs(int x) {
      if (x >= 0) return x;
      return -x;
    }


Formal Specification and Deductive Verification with WP

Function contracts

Example 4 (Continued) - Solution

    #include <limits.h>
    /*@ requires x > INT_MIN;
        assigns \nothing;
        behavior pos:
          assumes x >= 0;
          ensures \result == x;
        behavior neg:
          assumes x < 0;
          ensures \result == -x;
        complete behaviors;
        disjoint behaviors;
    */
    int abs(int x) {
      if (x >= 0) return x;
      return -x;
    }


Formal Specification and Deductive Verification with WP

Function contracts

Contracts and function calls

Pre/post of the caller and of the callee have dual roles in the caller's proof
- Pre of the caller is assumed, Post of the caller must be ensured
- Pre of the callee must be ensured, Post of the callee is assumed


Formal Specification and Deductive Verification with WP

Function contracts

Example 5

Specify and prove the function max_abs

    int abs(int x);
    int max(int x, int y);
    // returns maximum of absolute values of x and y
    int max_abs(int x, int y) {
      x = abs(x);
      y = abs(y);
      return max(x, y);
    }


Formal Specification and Deductive Verification with WP

Function contracts

Example 5 (Continued) - Explain the proof failure for

    #include <limits.h>
    /*@ requires x > INT_MIN;
        ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x);
        assigns \nothing;
    */
    int abs(int x);

    /*@ ensures \result >= x && \result >= y;
        ensures \result == x || \result == y;
        assigns \nothing;
    */
    int max(int x, int y);

    /*@ ensures \result >= x && \result >= -x && \result >= y && \result >= -y;
        ensures \result == x || \result == -x || \result == y || \result == -y;
        assigns \nothing;
    */
    int max_abs(int x, int y) {
      x = abs(x);
      y = abs(y);
      return max(x, y);
    }


Formal Specification and Deductive Verification with WP

Function contracts

Example 5 (Continued) - Explain the proof failure for

    #include <limits.h>
    /*@ requires x > INT_MIN;
        ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x);
        assigns \nothing;
    */
    int abs(int x);

    /*@ ensures \result >= x && \result >= y;
        assigns \nothing;
    */
    int max(int x, int y);

    /*@ requires x > INT_MIN;
        requires y > INT_MIN;
        ensures \result >= x && \result >= -x && \result >= y && \result >= -y;
        ensures \result == x || \result == -x || \result == y || \result == -y;
        assigns \nothing;
    */
    int max_abs(int x, int y) {
      x = abs(x);
      y = abs(y);
      return max(x, y);
    }

Frama-C

2017-10-26

36 / 106

Formal Specification and Deductive Verification with WP

Function contracts

Example 5 (Continued) - Solution

    #include <limits.h>
    /*@ requires x > INT_MIN;
        ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x);
        assigns \nothing;
    */
    int abs(int x);

    /*@ ensures \result >= x && \result >= y;
        ensures \result == x || \result == y;
        assigns \nothing;
    */
    int max(int x, int y);

    /*@ requires x > INT_MIN;
        requires y > INT_MIN;
        ensures \result >= x && \result >= -x && \result >= y && \result >= -y;
        ensures \result == x || \result == -x || \result == y || \result == -y;
        assigns \nothing;
    */
    int max_abs(int x, int y) {
      x = abs(x);
      y = abs(y);
      return max(x, y);
    }


Formal Specification and Deductive Verification with WP

Programs with loops

Outline
- Formal Specification and Deductive Verification with WP
  - Overview of ACSL and WP
  - Function contracts
  - Programs with loops
  - My proof fails... What to do?
- Value Analysis
- Structural Unit Testing with PathCrawler
- Runtime Verification with E-ACSL
- Combinations of Analyses
- Conclusion


Formal Specification and Deductive Verification with WP

Programs with loops

Loops and automatic proof
- What is the issue with loops? Unknown, variable number of iterations
- The only possible way to handle loops: proof by induction
- Induction needs a suitable inductive property, that is proved to be
  - satisfied just before the loop, and
  - satisfied after k + 1 iterations whenever it is satisfied after k ≥ 0 iterations
- Such inductive property is called loop invariant
- The verification conditions for a loop invariant include two parts
  - loop invariant initially holds
  - loop invariant is preserved by any iteration


Formal Specification and Deductive Verification with WP

Programs with loops

Loop invariants - some hints

How to find a suitable loop invariant? Consider two aspects:
- identify variables modified in the loop
  - the variable number of iterations prevents deducing their values (relationships with other variables)
  - define their possible value intervals (relationships) after k iterations
  - use the loop assigns clause to list variables that (might) have been assigned so far after k iterations
- identify realized actions, or properties already ensured by the loop
  - what part of the job is already realized after k iterations?
  - what part of the expected loop results is already ensured after k iterations?
  - why can the next iteration proceed as it does? ...

A stronger property on each iteration may be required to prove the final result of the loop

Some experience may be necessary to find appropriate loop invariants


Formal Specification and Deductive Verification with WP

Programs with loops

Loop invariants - more hints

Remember: a loop invariant must be true
- before (the first iteration of) the loop, even if no iteration is possible
- after any complete iteration even if no more iterations are possible
- in other words, any time before the loop condition check

In particular, a for loop for (i=0; i=0 && \valid(t+(0..n-1)); assigns \nothing; ensures \result != 0 (\forall integer j; 0 t[j] == 0); */ int all_zeros(int t[], int n) { int k; /*@ loop invariant 0
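An added example (not from the slides) of a loop annotated by following the hints above: the loop counter gets an interval, the work done after k iterations gets an invariant, loop assigns lists what the loop modifies, and a loop variant gives termination. The name array_max and the sample arrays are ours; the contract is meant to be checked with frama-c-gui -wp -wp-rte file.c.

```c
/* Added example (not from the slides): a loop annotated following the
 * hints above. The name array_max and the sample arrays are ours. */

/*@ requires n > 0;
    requires \valid(t + (0 .. n - 1));
    assigns \nothing;
    ensures \forall integer j; 0 <= j < n ==> t[j] <= \result;
    ensures \exists integer j; 0 <= j < n && t[j] == \result;
*/
int array_max(int *t, int n) {
  int m = t[0];
  int i;
  /* Invariants, in the order of the hints:
   *  - i is the variable modified by the loop: bound its interval
   *    (1 <= i <= n; at loop exit i == n, which yields the postconditions);
   *  - the job already done after k iterations: m bounds t[0..i-1];
   *  - m is not an arbitrary bound but a real element of the array
   *    (needed for the second ensures);
   *  - loop assigns lists what the loop may modify;
   *  - loop variant n - i decreases at each iteration: termination. */
  /*@ loop invariant 1 <= i <= n;
      loop invariant \forall integer j; 0 <= j < i ==> t[j] <= m;
      loop invariant \exists integer j; 0 <= j < i && t[j] == m;
      loop assigns i, m;
      loop variant n - i;
  */
  for (i = 1; i < n; i++) {
    if (t[i] > m) m = t[i];
  }
  return m;
}

/* Drivers on constructed inputs, for the accompanying checks. */
int array_max_demo(void) {
  int sample[] = {3, -1, 9, 4};
  return array_max(sample, 4);            /* 9 */
}

int array_max_negative_demo(void) {
  int sample[] = {-5, -2, -8};
  return array_max(sample, 3);            /* -2 */
}
```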