Modular inference of subprogram contracts for safety checking

Contracts expressed as logic formulas allow one to formally specify the expected behavior of programs. But writing such specifications by hand takes a significant amount of work, in particular for uninteresting contracts whose only purpose is to rule out run-time errors during execution. Thus, for large programs, it is desirable to at least partially infer such contracts. We propose a method to infer contracts expressed as boolean combinations of linear equalities and inequalities by combining different kinds of static analyses: abstract interpretation, weakest precondition computation and quantifier elimination. An important originality of our approach is that it proceeds modularly, considering each subprogram independently. The practical applicability of our approach is demonstrated by experiments on a library and on two benchmarks of vulnerable C code.
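
The weakest-precondition part of such an inference, shown on toy C-like subprograms as an added example. This is illustrative code written for this page, not the paper's tool: it handles only straight-line code with scalar assignments, array stores and calls, and it infers conjunctions of linear inequalities rather than general boolean combinations. The symbolic length variable `buf_len`, the tuple encoding of statements and the sample subprograms `put2`, `caller_bad` and `caller_ok` are all constructed assumptions. What it does show is the modular step: the contract inferred for a callee is instantiated at each call site, so a caller either inherits a precondition of its own or is flagged when no precondition can make the call safe.

```python
"""Weakest-precondition inference of run-time-safety contracts (added example).

A linear expression is a dict {name: coeff}; the key "1" holds the constant.
A constraint is a linear expression e, read as e >= 0.
A contract is a list of constraints, read as their conjunction.
Assumption of this example: every array `a` has a symbolic length `a_len`.
"""


def var(x):
    return {x: 1}


def const(c):
    return {"1": c} if c else {}


def scale(e, k):
    return {} if k == 0 else {v: k * c for v, c in e.items()}


def add(*es):
    out = {}
    for e in es:
        for v, c in e.items():
            out[v] = out.get(v, 0) + c
    return {v: c for v, c in out.items() if c != 0}


def sub(a, b):
    return add(a, scale(b, -1))


def subst_all(e, mapping):
    """Simultaneous substitution e[x := mapping[x]] for every x in mapping."""
    out = {}
    for v, c in e.items():
        piece = const(c) if v == "1" else scale(mapping.get(v, var(v)), c)
        out = add(out, piece)
    return out


UNSAT = {"1": -1}  # the constraint -1 >= 0: marks an unsatisfiable contract


def normalize(cons):
    """Drop redundant conjuncts: constraints with the same variable coefficients
    are implied by the one with the smallest constant.  A constraint without
    variables is a closed fact: drop it if true, make the contract UNSAT if false."""
    best = {}
    for c in cons:
        key = tuple(sorted((v, k) for v, k in c.items() if v != "1"))
        c0 = c.get("1", 0)
        if key not in best or c0 < best[key]:
            best[key] = c0
    out = []
    for key, c0 in sorted(best.items()):
        if not key:
            if c0 < 0:
                return [UNSAT]
            continue
        out.append(dict(key, **{"1": c0}) if c0 else dict(key))
    return out


def wp(stmts, post, contracts):
    """Walk the statements backwards from `post`, conjoining the safety condition
    of each array store and the instantiated contract of each callee."""
    pre = list(post)
    for st in reversed(stmts):
        kind = st[0]
        if kind == "assign":                      # x := e
            _, x, e = st
            pre = [subst_all(c, {x: e}) for c in pre]
        elif kind == "store":                     # a[i] := e, needs 0 <= i <= a_len - 1
            _, a, i, _val = st
            pre = [i, sub(sub(var(a + "_len"), const(1)), i)] + pre
        elif kind == "call":                      # f(actuals): callee contract at call site
            _, f, actuals = st
            pre = [subst_all(c, actuals) for c in contracts[f]] + pre
        else:
            raise ValueError(kind)
    return normalize(pre)


def infer_contract(body, contracts=None):
    """Precondition ruling out every run-time error in `body` (postcondition true)."""
    return wp(body, [], contracts or {})


def unsatisfiable(contract):
    return contract == [UNSAT]


def fmt(c):
    parts = [(f"{k}*{v}" if abs(k) != 1 else (v if k == 1 else f"-{v}"))
             for v, k in sorted(c.items()) if v != "1"]
    if c.get("1", 0) or not parts:
        parts.append(str(c.get("1", 0)))
    return " + ".join(parts) + " >= 0"


# Constructed subprograms (assumption: C-like, one int array `buf`/`b`):
#   void put2(int *buf, int k)     { int j = k + 1; buf[k] = 0; buf[j] = 0; }
#   void caller_bad(int *b, int n) { put2(b, n - 1); }   // b has n elements
#   void caller_ok(int *b, int n)  { put2(b, 0); }
PUT2 = [("assign", "j", add(var("k"), const(1))),
        ("store", "buf", var("k"), const(0)),
        ("store", "buf", var("j"), const(0))]
CALLER_BAD = [("call", "put2", {"k": sub(var("n"), const(1)), "buf_len": var("n")})]
CALLER_OK = [("call", "put2", {"k": const(0), "buf_len": var("n")})]

if __name__ == "__main__":
    lib = {"put2": infer_contract(PUT2)}
    print("put2 requires:", " and ".join(map(fmt, lib["put2"])))
    for name, body in (("caller_bad", CALLER_BAD), ("caller_ok", CALLER_OK)):
        pre = infer_contract(body, lib)
        text = "UNSAFE: no precondition makes the call safe" if unsatisfiable(pre) \
            else (" and ".join(map(fmt, pre)) or "true")
        print(f"{name} requires: {text}")
```

Running it reports that `put2` requires `k >= 0` and `buf_len + -k + -2 >= 0`, that `caller_bad` can never satisfy that contract (the off-by-one write past the end of `b`), and that `caller_ok` simply inherits `n + -2 >= 0` as its own precondition. The redundancy elimination in `normalize` is a stand-in for the quantifier elimination and abstract-domain simplification the abstract mentions; it only removes constraints that share their coefficient vector with a stronger one.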
