Understanding the Origin of Alarms in Astrée

Static analyzers like Astrée are incomplete and hence may produce false alarms. We propose a framework for investigating the alarms produced by Astrée, so as to help classify them as true errors or as false alarms due to the approximation inherent in static analysis. Our approach is based on computing an approximation of the set of traces specified by an initial state and a (set of) final state(s). Moreover, we allow for finer analyses that focus on some execution patterns or on some possible inputs. The underlying algorithms were implemented inside Astrée and used successfully to track alarms in large, critical embedded applications.
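As an added illustration (not code from the paper or from Astrée), a toy version of the idea: a forward interval analysis from the initial states, then a backward pass from the alarm states that is intersected with the forward invariants at each point, approximating the set of traces between them; the two statement forms, the interval domain and the sample program are assumptions made here.

```python
INF = float("inf")   # a state maps variable -> (lo, hi); None stands for "no state at all"
def meet(a, b):                             # interval intersection, None when empty
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None
def restrict(s, x, itv):                    # intersect variable x of state s with itv
    m = None if s is None else meet(s[x], itv)
    return None if m is None else {**s, x: m}
def meet_states(a, b):                      # pointwise intersection; None if a variable empties
    out = None if a is None or b is None else {v: meet(a[v], b[v]) for v in a}
    return None if out is None or None in out.values() else out
def forward(init, prog):
    """states[i] over-approximates the states reachable just before statement i."""
    states = [init]
    for stmt in prog:
        s = states[-1]
        if stmt[0] == "assign":                 # ("assign", x, y, c) means x = y + c
            _, x, y, c = stmt
            states.append(None if s is None else {**s, x: (s[y][0] + c, s[y][1] + c)})
        else:                                   # ("assume", x, lo, hi) means lo <= x <= hi
            _, x, lo, hi = stmt
            states.append(restrict(s, x, (lo, hi)))
    return states
def backward(fwd, prog, final):
    """states[i] over-approximates the states before statement i that lie on a trace
    ending in `final`; each step is intersected with the forward invariant fwd[i]."""
    states = [None] * len(prog) + [final]
    for i in range(len(prog) - 1, -1, -1):
        post, stmt = states[i + 1], prog[i]
        if post is None:
            continue
        if stmt[0] == "assign":                 # before x = y + c: the old x is unconstrained,
            _, x, y, c = stmt                   # and y must map into post[x]
            pre = restrict({**post, x: (-INF, INF)}, y, (post[x][0] - c, post[x][1] - c))
        else:
            _, x, lo, hi = stmt
            pre = restrict(post, x, (lo, hi))
        states[i] = meet_states(pre, fwd[i])
    return states
def investigate(init, prog, var, bad):
    """Classify the alarm 'var in bad' at the end of prog: returns (verdict, inputs), where
    inputs are the initial states that may still reach the alarm (focus for a finer analysis)."""
    fwd = forward(init, prog)
    final = restrict(fwd[-1], var, bad)         # alarm states the forward pass admits
    bwd = backward(fwd, prog, final) if final is not None else [None]
    return ("false alarm", None) if bwd[0] is None else ("possible error", bwd[0])
# Constructed sample: y copies x, a guard then bounds x, and y indexes a 6-element array.
# Intervals forget that y == x, so a forward pass alone still reports y in [6, 10].
PROG = [("assign", "y", "x", 0), ("assume", "x", -INF, 5)]
INIT = {"x": (0, 10), "y": (-INF, INF)}
```

`investigate(INIT, PROG, "y", (6, INF))` returns `('false alarm', None)` because no trace leads from the inputs to the alarm states, while the weaker alarm `(3, INF)` returns `'possible error'` together with the inputs `x` in [3, 5] that reach it.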