Project : vertecs
Section: New Results
Verification and Abstract Interpretation
Abstracting Call-Stacks for interprocedural verification of imperative programs
Keywords : Interprocedural Verification.
In the context of the ARC Modocop, we have proposed a new approach to the interprocedural analysis and verification of programs, which consists in deriving an interprocedural analysis method by abstract interpretation of the standard operational semantics of programs, in which the call stack is explicit. The advantages of this approach are twofold. From a methodological point of view, it provides a direct connection between the concrete semantics of the program and the effective analysis, which facilitates both the implementation and the correctness proofs. Moreover, this method subsumes and integrates the two main, distinct methods for interprocedural analysis, namely the call-string and the functional approaches introduced by Sharir and Pnueli. This enables strictly more precise analyses and additional flexibility in the trade-off between the efficiency and the precision of the analysis.
A tool is currently being implemented. Our final goal is to extend the sophisticated techniques implemented in the tool NBac for reactive programs to recursive programs.
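As an added illustration, written for this page and not the report's own tool or code, the Python program below shows what "abstracting the call stack" means on a toy imperative language with global variables and procedure calls, analysed over a sign lattice. The concrete control state is (procedure, program counter, call stack); the analysis keeps only the k most recent call sites of the stack, which is the call-string approach of Sharir and Pnueli mentioned above (the functional approach and the combination of both are not shown). With k = 0 the analysis is context-insensitive and merges the two calls of the constructed example program; with k = 1 the two call sites are kept apart and the signs of y and z are recovered. The language, the sign domain and the PROGRAM example are assumptions chosen for the illustration.

```python
from collections import deque

# Sign lattice used as the abstract domain: BOT < NEG, ZERO, POS < TOP
BOT, NEG, ZERO, POS, TOP = "bot", "-", "0", "+", "top"

def join(a, b):
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP

def eval_expr(expr, env):
    """Abstract evaluation of an expression tree over the sign lattice."""
    op = expr[0]
    if op == "const":
        return POS if expr[1] > 0 else NEG if expr[1] < 0 else ZERO
    if op == "var":
        return env[expr[1]]
    if op == "mul":
        a, b = eval_expr(expr[1], env), eval_expr(expr[2], env)
        if BOT in (a, b):
            return BOT
        if ZERO in (a, b):
            return ZERO
        if TOP in (a, b):
            return TOP
        return POS if a == b else NEG
    raise ValueError(f"unknown expression {op}")

def analyse(program, k, entry="main"):
    """Abstract reachability over control states (proc, pc, call-string).

    The call-string is the k most recent call sites of the concrete call stack:
    k = 0 is the context-insensitive analysis, larger k trades time for precision.
    Returns a map from control state to abstract environment (var -> sign).
    """
    states, returns, callers = {}, {}, {}
    work = deque()

    def push(key, env):
        old = states.get(key)
        new = env if old is None else {v: join(old[v], env[v]) for v in env}
        if new != old:
            states[key] = new
            work.append(key)

    # Toy language assumption: every variable is global and assigned somewhere.
    vars_ = {i[1] for body in program.values() for i in body if i[0] == "assign"}
    push((entry, 0, ()), {v: TOP for v in vars_})  # everything unknown at entry
    while work:
        key = work.popleft()
        proc, pc, cs = key
        env = states[key]
        instr = program[proc][pc]
        if instr[0] == "assign":
            push((proc, pc + 1, cs), {**env, instr[1]: eval_expr(instr[2], env)})
        elif instr[0] == "call":
            callee = instr[1]
            cs2 = (cs + ((proc, pc),))[-k:] if k else ()  # abstracted call stack
            callers.setdefault((callee, cs2), set()).add(key)
            push((callee, 0, cs2), env)
            if (callee, cs2) in returns:  # context already analysed: reuse its exit state
                push((proc, pc + 1, cs), returns[(callee, cs2)])
        elif instr[0] == "ret":
            prev = returns.get((proc, cs))
            exit_env = env if prev is None else {v: join(prev[v], env[v]) for v in env}
            returns[(proc, cs)] = exit_env
            for cproc, cpc, ccs in callers.get((proc, cs), ()):  # matching call sites
                push((cproc, cpc + 1, ccs), exit_env)
        # "halt" has no successor
    return states

# Constructed example: the same procedure is called with a positive and then a
# negative argument; only a context-sensitive analysis keeps the two apart.
PROGRAM = {
    "main": [
        ("assign", "x", ("const", 1)),
        ("call", "double"),
        ("assign", "y", ("var", "x")),
        ("assign", "x", ("const", -1)),
        ("call", "double"),
        ("assign", "z", ("var", "x")),
        ("halt",),
    ],
    "double": [
        ("assign", "x", ("mul", ("const", 2), ("var", "x"))),
        ("ret",),
    ],
}

def result_at_halt(k):
    """Abstract environment at main's halt for call-strings of length k."""
    return analyse(PROGRAM, k)[("main", 6, ())]
```

`result_at_halt(0)` gives TOP for y and z because the exit state of `double` is shared between both call sites, whereas `result_at_halt(1)` yields y positive and z negative. The worklist never needs a widening here because the sign lattice is finite; the interval-style domains used by tools such as NBac would require one.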
Interprocedural Shape Analysis
Participant : Bertrand Jeannet.
This work was done in cooperation with Thomas Reps of the University of Wisconsin–Madison, during my three-month stay there. The goal of shape analysis is to analyze the possible memory configurations occurring during the execution of a program that dynamically allocates objects in the heap. The configurations computed by such an analysis are, of course, abstractions of the concrete memory configurations, usually graphs representing memory cells and the pointer relations between them. We have applied the interprocedural analysis method described above to shape analysis, using the abstract lattice of 3-valued logical structures developed by Thomas Reps, M. Sagiv and R. Wilhelm. The challenge was to apply the interprocedural method to a very complex abstract lattice, and to extend this lattice with interprocedural operations.
Automatic state reaching for debugging reactive programs
Participant : Bertrand Jeannet.
This work was done in collaboration with the synchronous team of VERIMAG. Reactive systems are made of programs that permanently interact with their environment. Debuggers generally provide support for data and state inspection given a sequence of inputs. But because reactive programs and their environments are interdependent, a very useful feature is to be able to go the other way around: given a state, obtain a sequence of inputs that leads to that state. The main technical contribution of this work is an efficient solution to this problem for systems with numerical variables and inputs, which works well in practice even though the problem is equivalent to the verification of general safety properties, which is notoriously undecidable in the presence of numeric variables. Three tools cooperate to solve the problem: the debugger Ludic isolates the relevant parts of the program using slicing techniques; the verification tool NBac then computes the set of states that are both reachable from the starting (or initial) state and coreachable from the states satisfying the property P (or final states); finally, the sequence generator Lurette uses this information to search efficiently for a (short) execution starting from the initial state and leading to some final state.
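As an added example, constructed for this page and not part of the Ludic/NBac/Lurette tool chain, the Python script below replays the last two steps of the procedure on a small explicit-state reactive program: it computes the states that are both reachable from the initial state and coreachable from the states satisfying P, then searches for a shortest input sequence while pruning every state outside that set. The reactive program (a counter that must be armed at x = 2 and fired at x >= 5, with a "lock" input that freezes it for ever), its input alphabet and the property P are assumptions; the real tools work symbolically on numeric variables, which this explicit enumeration cannot do, but the pruning effect on the search is the same.

```python
from collections import deque

# Constructed reactive program: one input per reaction, state = (x, armed, alarm, locked)
INPUTS = ("inc", "dec", "arm", "fire", "lock")
INIT = (0, False, False, False)

def step(state, inp):
    """Transition function; 'lock' freezes the program for ever (a dead end for P)."""
    x, armed, alarm, locked = state
    if locked:
        return state
    if inp == "inc":
        x = min(x + 1, 6)
    elif inp == "dec":
        x, armed = max(x - 1, 0), False
    elif inp == "arm":
        armed = x == 2
    elif inp == "fire":
        alarm = alarm or (armed and x >= 5)
    elif inp == "lock":
        locked = True
    return (x, armed, alarm, locked)

def is_final(state):
    """Property P: the alarm has been raised."""
    return state[2]

def reachable(init):
    """Forward fixpoint: all states reachable from the initial state."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for i in INPUTS:
            t = step(s, i)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def coreachable(states):
    """Backward fixpoint over `states`: those from which a final state is reachable."""
    pred = {s: set() for s in states}
    for s in states:
        for i in INPUTS:
            pred[step(s, i)].add(s)
    core = {s for s in states if is_final(s)}
    todo = deque(core)
    while todo:
        t = todo.popleft()
        for s in pred[t]:
            if s not in core:
                core.add(s)
                todo.append(s)
    return core

def shortest_run(init, allowed):
    """Breadth-first search for a shortest input sequence to a final state, moving
    only through states in `allowed`. Returns (sequence or None, states explored)."""
    parent = {init: None}
    todo = deque([init])
    while todo:
        s = todo.popleft()
        if is_final(s):
            run = []
            while parent[s] is not None:
                s, inp = parent[s]
                run.append(inp)
            return run[::-1], len(parent)
        for i in INPUTS:
            t = step(s, i)
            if t in allowed and t not in parent:
                parent[t] = (s, i)
                todo.append(t)
    return None, len(parent)

def replay(init, run):
    """Execute an input sequence from `init` and return the state it reaches."""
    s = init
    for i in run:
        s = step(s, i)
    return s

def compare():
    """Unguided search vs. search restricted to reachable-and-coreachable states."""
    reach = reachable(INIT)
    good = reach & coreachable(reach)
    run_all, explored_all = shortest_run(INIT, reach)
    run_good, explored_good = shortest_run(INIT, good)
    return run_all, explored_all, run_good, explored_good
```

Both searches find a run of the same length, but the guided one never enqueues a locked, non-alarm state, so it explores strictly fewer states; on a program whose dead ends are large (or, for the real tools, whose numeric state space is infinite) this pruning is what makes the input generation tractable.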