Automated creation of verification models for C-programs. Yury Yusupov Saint-Petersburg State Polytechnic University. Prof. Vsevolod Kotlyarov Motorola Software Center. The Second Spring Young Researchers Colloquium on Software Engineering. Saint-Petersburg May 29-30 2008.
Introduction: problems, goals, and solution
One of the features of modern design is software component reuse.
Problem: how to reuse legacy code?
Goal: to quickly understand legacy components for their reuse in a new product.
Solution: apply verification technologies
• Automatic modeling of a legacy component at a higher abstraction level
• Formal verification of model properties
Verification process
Diagram: the requirements and the program system implementation are formalized (analysis of the program or the requirements and creation of a model in a formal language) into a system model and system properties; verification searches for inconsistencies and checks the system properties; the verdict states whether the system does or does not meet its requirements.
Types of errors found with verification
• Documentation inconsistencies – typos, missing or incorrect references, absence of definitions, etc.
• Transition inconsistency (non-determinism) – non-deterministic behavior.
• Safety violations – prohibited events may happen; a security violation (unauthorized usage of a system) is a particular case.
• Deadlocks – incomplete specifications.
• Unreachability – unreachable (never used) system states.
• Certain run-time errors – such as usage of an uninitialized attribute or out-of-bounds errors: list overflow, incorrect array indexing, enumerated type overflow.
VRS-based verification process
Diagram: the system is formalized into a behavior formal model in the form of basic protocols; the model and the behavior properties (requirements) are verified by VRS, which produces a verdict; corrections are fed back into the system.
The system can be presented as requirements, source program code, or a UML model.
Basic protocol – a simple MSC diagram which specifies:
• pre-condition – the state of the system in which the system shall perform some activity
• process part – the activity itself (transmission of a message or performance of an action)
• post-condition – the state of the system after the activity is performed
(Diagram: pre-condition, process part with an action or a message, post-condition.)
Goal of the work
Formalization of the source system representation into a behavior formal model in the form of basic protocols:
• requirements – semi-automatic
• UML – automatic
• C-program – manual
Problem: high effort for manual formalization of source code.
Goal: reduce manual effort through automation.
Proposed solution: Klocwork™ as a tool for formalization
• Static analysis
• Control flow visualization
• Graphical view of a program structure
• …
• Automated analysis of C, C++, and Java source code – checkers
• Detect a wide variety of code defects and security vulnerabilities
• Klocwork™ allows writing additional C and C++ code checkers
• 2 application programming interfaces (API):
  • Code style analysis (AST – Abstract Syntax Tree)
  • Control and data flow (MIR – Medium-level Intermediate Representation)
Klocwork provides automated source code analysis and creation of intermediate views of the code.
Klocwork™ extensibility feature: defect detection with checkers
Diagram: the source file is analyzed by Klocwork™ together with a custom checker (enabled or disabled via config); Klocwork™ defects and the custom defect are detected and reported.
Klocwork + custom checker = instrument for C code analysis and translation into basic protocols.
Custom checker: realization
• Klocwork interface: code analysis and Abstract Syntax Tree creation
• Checker interface: tree traversal module over the AST
• Node handling module for: expression, function call, if-then-else, for, while, switch-case, …
• Module of basic protocol generation: pre-condition, process part, post-condition
Source code goes in, basic protocols come out.
The autoformalization feature based on the Klocwork™ toolset
• BPX (Basic Protocol eXtractor)
  • plug-in for Klocwork in the form of a DLL (dynamically loaded library)
  • ~3.1 KLOC in C
• Input data: Abstract Syntax Trees of source files
• Output data: basic protocols in MSC-PR (Phrase Representation) format
  • Reflect usage and change of variables
  • Reflect function calls
  • Preserve program control flow
  • Represent program semantics
  • Preserve the project structure
Automatic extraction of basic protocols from the Klocwork AST.
Simple example: basic protocols automatically extracted from C code
…
int function()
{
    int a, b, c;
    c = 3;
    if (c > 5) {
        a = 1;      /* a is assigned only on this branch */
    }
    b = a;
    return 0;
}
…
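As an added illustration (not BPX or VRS code), the toy extractor below walks a hand-built mini AST of the function above and emits one basic protocol per statement along every control-flow path, reporting the read of the never-assigned a on the path where the if is not taken. Assumptions: the AST node format, the BasicProtocol fields and the symbolic path guards are this example's own; a real verifier would use the pre-condition c = 3 to rule out the c>5 path, which this toy deliberately does not do.

```python
from dataclasses import dataclass

UNDEF = "undef"  # abstract value of a declared but never assigned variable

@dataclass
class BasicProtocol:
    guards: tuple  # path conditions assumed on this path, kept symbolic (e.g. "c>5")
    pre: dict      # pre-condition: variable state before the action
    process: str   # process part: the C statement the protocol was extracted from
    post: dict     # post-condition: variable state after the action

# Constructed mini AST of the slide's function (hypothetical node format, not Klocwork's):
#   int a,b,c; c = 3; if (c>5) { a = 1; } b = a;
FUNCTION_AST = [
    ("decl", ("a", "b", "c")),
    ("assign", "c", 3),
    ("if", "c>5", [("assign", "a", 1)]),
    ("assign", "b", "a"),
]

def extract_paths(stmts, state, guards=(), bps=(), errors=()):
    """Return [(protocol chain, error list)] for every control-flow path through stmts;
    reading a variable that is still UNDEF on a path is the 'uninitialized usage' error."""
    if not stmts:
        return [(list(bps), list(errors))]
    head, rest = stmts[0], stmts[1:]
    if head[0] == "decl":
        new_state = {**state, **{v: UNDEF for v in head[1]}}
        bp = BasicProtocol(guards, dict(state), "int " + ",".join(head[1]) + ";", new_state)
        return extract_paths(rest, new_state, guards, bps + (bp,), errors)
    if head[0] == "assign":
        _, dst, src = head
        val = state[src] if isinstance(src, str) else src  # int literal or variable read
        if val == UNDEF:
            errors += (f"'{dst} = {src};' reads undefined '{src}' on path {guards}",)
        new_state = {**state, dst: val}
        bp = BasicProtocol(guards, dict(state), f"{dst} = {src};", new_state)
        return extract_paths(rest, new_state, guards, bps + (bp,), errors)
    # if-then-else: one path assumes the guard and runs the then-block, the other
    # assumes its negation; the guard stays in every pre-condition of that path
    _, cond, then_block = head
    taken = extract_paths(then_block + rest, state, guards + (cond,), bps, errors)
    skipped = extract_paths(rest, state, guards + ("!(" + cond + ")",), bps, errors)
    return taken + skipped

if __name__ == "__main__":
    for chain, errs in extract_paths(FUNCTION_AST, {}):
        for bp in chain:
            print(bp.guards, bp.pre, "--", bp.process, "->", bp.post)
        print("errors:", errs)
```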
Verification of C-programs with extended VRS technology
Diagram: the C program is formalized by Klocwork™ with BPX into a behavior formal model in the form of basic protocols; together with the behavior properties (requirements) it is verified by VRS, which produces a verdict; corrections are fed back into the C program.
Creation of multilevel models and architecture recovering
Diagram: models are built at the source code module level, the function level, the file level, and the system level (high-level system model); reverse engineering goes up from the source code to the high-level system model, forward engineering goes down.
First experiment results for C-projects
Chart: formalization time vs. size of project source code (small, medium, large): manual approach ~10x, automatic approach 1x.
• Decreasing: formalization time, manual efforts, errors in the program model (human factor)
• Simplifying: program logic understanding, verification process
Formalization time reduction ~10x vs. manual formalization.
Further work
• Verification of large C-projects with VRS technology
  • Investigating the scalability limits
• Creation of multilevel behavior models
  • Generation of multilevel behavior scenarios
• Adaptation to Java code
  • Reusing the AST traversal and basic protocol generation algorithms for Java checker creation
Thank you. Q&A