10 research outputs found
Computing the smallest fixed point of order-preserving nonexpansive mappings arising in positive stochastic games and static analysis of programs
The problem of computing the smallest fixed point of an order-preserving map
arises in the study of zero-sum positive stochastic games. It also arises in
static analysis of programs by abstract interpretation. In this context, the
discount rate may be negative. We characterize the minimality of a fixed point
in terms of the nonlinear spectral radius of a certain semidifferential. We
apply this characterization to design a policy iteration algorithm, which
applies to the case of finite state and action spaces. The algorithm returns a
locally minimal fixed point, which turns out to be globally minimal when the
discount rate is nonnegative.Comment: 26 pages, 3 figures. We add new results, improvements and two
examples of positive stochastic games. Note that an initial version of the
paper has appeared in the proceedings of the Eighteenth International
Symposium on Mathematical Theory of Networks and Systems (MTNS2008),
Blacksburg, Virginia, July 200
Get rid of inline assembly through verification-oriented lifting
Formal methods for software development have made great strides in the last
two decades, to the point that their application in safety-critical embedded
software is an undeniable success. Their extension to non-critical software is
one of the notable forthcoming challenges. For example, C programmers regularly
use inline assembly for low-level optimizations and system primitives. This
usually results in driving state-of-the-art formal analyzers developed for C
ineffective. We thus propose TInA, an automated, generic, trustable and
verification-oriented lifting technique turning inline assembly into
semantically equivalent C code, in order to take advantage of existing C
analyzers. Extensive experiments on real-world C code with inline assembly
(including GMP and ffmpeg) show the feasibility and benefits of TInA
Affine Disjunctive Invariant Generation with Farkas' Lemma
Invariant generation is the classical problem that aims at automated
generation of assertions that over-approximates the set of reachable program
states in a program. We consider the problem of generating affine invariants
over affine while loops (i.e., loops with affine loop guards, conditional
branches and assignment statements), and explore the automated generation of
disjunctive affine invariants. Disjunctive invariants are an important class of
invariants that capture disjunctive features in programs such as multiple
phases, transitions between different modes, etc., and are typically more
precise than conjunctive invariants over programs with these features. To
generate tight affine invariants, existing constraint-solving approaches have
investigated the application of Farkas' Lemma to conjunctive affine invariant
generation, but none of them considers disjunctive affine invariants
Automatic modular abstractions for template numerical constraints
We propose a method for automatically generating abstract transformers for
static analysis by abstract interpretation. The method focuses on linear
constraints on programs operating on rational, real or floating-point variables
and containing linear assignments and tests. In addition to loop-free code, the
same method also applies for obtaining least fixed points as functions of the
precondition, which permits the analysis of loops and recursive functions. Our
algorithms are based on new quantifier elimination and symbolic manipulation
techniques. Given the specification of an abstract domain, and a program block,
our method automatically outputs an implementation of the corresponding
abstract transformer. It is thus a form of program transformation. The
motivation of our work is data-flow synchronous programming languages, used for
building control-command embedded systems, but it also applies to imperative
and functional programming
On the Practice and Application of Context-Free Language Reachability
The Context-Free Language Reachability (CFL-R) formalism relates to some of the most important computational problems facing researchers and industry practitioners. CFL-R is a generalisation of graph reachability and language recognition, such that pairs in a labelled graph are reachable if and only if there is a path between them whose labels, joined together in the order they were encountered, spell a word in a given context-free language. The formalism finds particular use as a vehicle for phrasing and reasoning about program analysis, since complex relationships within the data, logic or structure of computer programs are easily expressed and discovered in CFL-R. Unfortunately, The potential of CFL-R can not be met by state of the art solvers. Current algorithms have scalability and expressibility issues that prevent them from being used on large graph instances or complex grammars. This work outlines our efforts in understanding the practical concerns surrounding CFL-R, and applying this knowledge to improve the performance of CFL-R applications. We examine the major difficulties with solving CFL-R-based analyses at-scale, via a case-study of points-to analysis as a CFL-R problem. Points-to analysis is fundamentally important to many modern research and industry efforts, and is relevant to optimisation, bug-checking and security technologies. Our understanding of the scalability challenge motivates work in developing practical CFL-R techniques. We present improved evaluation algorithms and declarative optimisation techniques for CFL-R, capitalising on the simplicity of CFL-R to creating fully automatic methodologies. The culmination of our work is a general-purpose and high-performance tool called Cauliflower, a solver-generator for CFL-R problems. We describe Cauliflower and evaluate its performance experimentally, showing significant improvement over alternative general techniques
Détermination de propriétés de flot de données pour améliorer les estimations de temps d'exécution pire-cas
La recherche d'une borne supérieure au temps d'exécution d'un programme est une partie essentielle du processus de vérification de systèmes temps-réel critiques. Les programmes
de tels systèmes ont généralement des temps d'exécution variables et il est difficile, voire impossible, de prédire l'ensemble de ces temps possibles. Au lieu de cela, il est
préférable de rechercher une approximation du temps d'exécution pire-cas ou Worst-Case Execution Time (WCET).
Une propriété cruciale de cette approximation est qu'elle doit être sûre, c'est-à-dire qu'elle doit être garantie de majorer le WCET. Parce que nous cherchons à prouver que le
système en question se termine en un temps raisonnable, une surapproximation est le seul type d'approximation acceptable.
La garantie de cette propriété de sûreté ne saurait raisonnablement se faire sans analyse statique, un résultat se basant sur une série de tests ne pouvant être sûr sans un
traitement exhaustif des cas d'exécution. De plus, en l'absence de certification du processus de compilation (et de transfert des propriétés vers le binaire), l'extraction de
propriétés doit se faire directement sur le code binaire pour garantir leur fiabilité.
Toutefois, cette approximation a un coût : un pessimisme - écart entre le WCET estimé et le WCET réel - important entraîne des surcoûts superflus de matériel pour que le système
respecte les contraintes temporelles qui lui sont imposées. Il s'agit donc ensuite, tout en maintenant la garantie de sécurité de l'estimation du WCET, d'améliorer sa précision
en réduisant cet écart de telle sorte qu'il soit suffisamment faible pour ne pas entraîner des coûts supplémentaires démesurés.
Un des principaux facteurs de surestimation est la prise en compte de chemins d'exécution sémantiquement impossibles, dits infaisables, dans le calcul du WCET. Ceci est dû à
l'analyse par énumération implicite des chemins ou Implicit Path Enumeration Technique (IPET) qui raisonne sur un surensemble des chemins d'exécution. Lorsque le chemin
d'exécution pire-cas ou Worst-Case Execution Path (WCEP), correspondant au WCET estimé, porte sur un chemin infaisable, la précision de cette estimation est négativement
affectée.
Afin de parer à cette perte de précision, cette thèse propose une technique de détection de chemins infaisables, permettant l'amélioration de la précision des analyses statiques
(dont celles pour le WCET) en les informant de l'infaisabilité de certains chemins du programme. Cette information est passée sous la forme de propriétés de flot de données
formatées dans un langage d'annotation portable, FFX, permettant la communication des résultats de notre analyse de chemins infaisables vers d'autres analyses.
Les méthodes présentées dans cette thèse sont inclues dans le framework OTAWA, développé au sein de l'équipe TRACES à l'IRIT. Elles usent elles-mêmes d'approximations pour
représenter les états possibles de la machine en différents points du programme. Ce sont des abstractions maintenues au fil de l'analyse, et dont la validité est assurée par des
outils de la théorie de l'interprétation abstraite. Ces abstractions permettent de représenter de manière efficace - mais sûre - les ensembles d'états pour une classe de chemins
d'exécution jusqu'à un point du programme, et de détecter d'éventuels points du programme associés à un ensemble d'états possibles vide, traduisant un (ou plusieurs) chemin(s)
infaisable(s).
L'objectif de l'analyse développée, la détection de tels cas, est rendue possible par l'usage de solveurs SMT (Satisfiabilité Modulo des Théories). Ces solveurs permettent
essentiellement de déterminer la satisfiabilité d'un ensemble de contraintes, déduites à partir des états abstraits construits. Lorsqu'un ensemble de contraintes, formé à partir
d'une conjonction de prédicats, s'avère insatisfiable, aucune valuation des variables de la machine ne correspond à un cas d'exécution possible, et la famille de chemins
associée est donc infaisable.
L'efficacité de cette technique est soutenue par une série d'expérimentations sur divers suites de benchmarks, reconnues dans le domaine du WCET statique et/ou issues de cas
réels de l'industrie. Des heuristiques sont configurées afin d'adoucir la complexité de l'analyse, en particulier pour les applications de plus grande taille. Les chemins
infaisables détectés sont injectés sous la forme de contraintes de flot linéaires dans le système de Programmation Linéaire en Nombres Entiers ou Integer Linear Programming
(ILP) pilotant le calcul final de l'analyse WCET d'OTAWA. Selon le programme analysé, cela peut résulter en une réduction du WCET estimé, et donc une amélioration de sa
précision.The search for an upper bound of the execution time of a program is an essential part of the verification of real-time critical systems. The execution times of the programs of
such systems generally vary a lot, and it is difficult, or impossible, to predict the range of the possible times. Instead, it is better to look for an approximation of the
Worst-Case Execution Time (WCET).
A crucial requirement of this estimate is that it must be safe, that is, it must be guaranteed above the real WCET. Because we are looking to prove that the system in question
terminates reasonably quickly, an overapproximation is the only acceptable form of approximation.
The guarantee of such a safety property could not sensibly be done without static analysis, as a result based on a battery of tests could not be safe without an exhaustive
handling of test cases. Furthermore, in the absence of a certified compiler (and tech- nique for the safe transfer of properties to the binaries), the extraction of properties
must be done directly on binary code to warrant their soundness.
However, this approximation comes with a cost : an important pessimism, the gap between the estimated WCET and the real WCET, would lead to superfluous extra costs in hardware
in order for the system to respect the imposed timing requirements. It is therefore important to improve the precision of the WCET by reducing this gap, while maintaining the
safety property, as such that it is low enough to not lead to immoderate costs.
A major cause of overestimation is the inclusion of semantically impossible paths, said infeasible paths, in the WCET computation. This is due to the use of the Implicit Path
Enumeration Technique (IPET), which works on an superset of the possible execution paths. When the Worst-Case Execution Path (WCEP), corresponding to the estimated WCET, is
infeasible, the precision of that estimation is negatively affected.
In order to deal with this loss of precision, this thesis proposes an infeasible paths detection technique, enabling the improvement of the precision of static analyses (namely
for WCET estimation) by notifying them of the infeasibility of some paths of the program. This information is then passed as data flow properties, formatted in the FFX portable
annotation language, and allowing the communication of the results of our infeasible path analysis to other analyses.
The methods hereafter presented are included in the OTAWA framework, developed in TRACES team at the IRIT lab. They themselves make use of approximations in order to represent
the possible states of the machine in various program points. These approximations are abstractions maintained throughout the analysis, and which validity is ensured by abstract
interpretation tools. They enable us to represent the set of states for a family of execution paths up to a given program point in an efficient - yet safe - way, and to detect
the potential program points associated to an empty set of possible states, signalling one (or several) infeasible path(s).
As the end goal of the developed analysis, the detection of such cases is made possible by the use of Satisfiability Modulo Theory (SMT) solvers. Those solvers are notably able
to determine the satisfiability of a set of contraints, which we deduct from the abstract states. If a set of constraints, derived from a conjonction of predicates, is
unsatisfiable, then there exists no valuation of the machine variables that match a possible execution case, and thus the associated infeasible paths are infeasible.
The efficiency of this technique is asserted by a series of experiments on various benchmarks suites, some of which widely recognized in the domain of static WCET, some others
derived from actual industrial applications. Heuristics are set up in order to soften the complexity of the analysis, especially for the larger applications. The detected
infeasible paths are injected as Integer Linear Programming (ILP) linear data flow constraints in the final computation for the WCET estimation in OTAWA. Depending on the
analysed program, this can result in a reduction of the estimated WCET, thereby improving its precision
Design and implementation of WCET analyses : including a case study on multi-core processors with shared buses
For safety-critical real-time embedded systems, the worst-case execution time (WCET) analysis — determining an upper bound on the possible execution times of a program — is an important part of the system verification. Multi-core processors share resources (e.g. buses and caches) between multiple processor cores and, thus, complicate the WCET analysis as the execution times of a program executed on one processor core significantly depend on the programs executed in parallel on the concurrent cores. We refer to this phenomenon as shared-resource interference. This thesis proposes a novel way of modeling shared-resource interference during WCET analysis. It enables an efficient analysis — as it only considers one processor core at a time — and it is sound for hardware platforms exhibiting timing anomalies. Moreover, this thesis demonstrates how to realize a timing-compositional verification on top of the proposed modeling scheme. In this way, this thesis closes the gap between modern hardware platforms, which exhibit timing anomalies, and existing schedulability analyses, which rely on timing compositionality. In addition, this thesis proposes a novel method for calculating an upper bound on the amount of interference that a given processor core can generate in any time interval of at most a given length. Our experiments demonstrate that the novel method is more precise than existing methods.Die Analyse der maximalen Ausführungszeit (Worst-Case-Execution-Time-Analyse, WCET-Analyse) ist für eingebettete Echtzeit-Computer-Systeme in sicherheitskritischen Anwendungsbereichen unerlässlich. Mehrkernprozessoren erschweren die WCET-Analyse, da einige ihrer Hardware-Komponenten von mehreren Prozessorkernen gemeinsam genutzt werden und die Ausführungszeit eines Programmes somit vom Verhalten mehrerer Kerne abhängt. Wir bezeichnen dies als Interferenz durch gemeinsam genutzte Komponenten. Die vorliegende Arbeit schlägt eine neuartige Modellierung dieser Interferenz während der WCET-Analyse vor. Der vorgestellte Ansatz ist effizient und führt auch für Computer-Systeme mit Zeitanomalien zu korrekten Ergebnissen. Darüber hinaus zeigt diese Arbeit, wie ein zeitkompositionales Verfahren auf Basis der vorgestellten Modellierung umgesetzt werden kann. Auf diese Weise schließt diese Arbeit die Lücke zwischen modernen Mikroarchitekturen, die Zeitanomalien aufweisen, und den existierenden Planbarkeitsanalysen, die sich alle auf die Kompositionalität des Zeitverhaltens verlassen. Außerdem stellt die vorliegende Arbeit ein neues Verfahren zur Berechnung einer oberen Schranke der Menge an Interferenz vor, die ein bestimmter Prozessorkern in einem beliebigen Zeitintervall einer gegebenen Länge höchstens erzeugen kann. Unsere Experimente zeigen, dass das vorgestellte Berechnungsverfahren präziser ist als die existierenden Verfahren.Deutsche Forschungsgemeinschaft (DFG) as part of the Transregional Collaborative Research Centre SFB/TR 14 (AVACS