A Unified Approach to Abstract Interpretation,
Formal Verification and Testing of C/C++ Modules
Author: Jan Peleska
Abstract:
Starting from the perspective of safety-critical systems development in
avionics, railways and the automotive domain, we advocate an integrated
verification approach for C/C++ modules combining abstract interpretation,
formal verification by model checking and conventional testing. It is
illustrated how testing and formal verification can benefit from abstract
interpretation results and, vice versa, how test automation techniques may
help to reduce the well known problem of false alarms frequently
encountered in abstract interpretations. As a consequence, verification tools
integrating these different methodologies can provide a wider variety of
useful results to their users and facilitate the bug localisation processes
involved. From the practitioners' point of view, our approach is driven by the
applicable standards for safety-critical systems development in the railway
and avionic domains: The methods and techniques described should help to (1)
fulfil the software-quality related requirements of these standards more
efficiently and (2) facilitate the formal justification that these
requirements have been completely fulfilled.
We present an overview of the methods required to achieve these goals for
C/C++ code verification. The tasks involved can be roughly structured into 5
major building blocks: (1) A parser front-end is required to transform the
code into an intermediate model representation which is used for the analyses
to follow. The intermediate model representation contains a suitably
abstracted memory model which helps us to cope with the problems of aliasing,
type casts and mixed arithmetic and bit operations typically present in C/C++
code. (2) Verification tasks have to be decomposed into sub-tasks
investigating sub-models. A sub-model selector serves for this purpose. (3)
Concrete, symbolic and abstract interpreters are required to support the
process of constraint generation, the abstract interpreter serving the dual
purpose of runtime error checking and of constraint simplification. (4) A
constraint generator prepares the logical conditions accumulated by the
interpreters for the (5) constraint solver which is needed to calculate
concrete solution vectors as well as over and under approximations of the
constraint solution sets.
Our presentation focuses on the interplay between these building blocks and
provides references to more detailed elaborations of the technical problems
involved.
PDF file
(241KB)