2011/05/14 Boost.Frama-C  mzp /          1
mzp /        SE> ocaml-nagoya> ProofCafe>       Scala                 2
2/26   Ruby   02       4
Reject    5
Reject   →       5
@bleis             bf                           SQL@sunflat     Amazon EC2@yoya     PHP: ZendEngine@terurou    CommonJS@nar...
@bleis             bf                           SQL@sunflat     Amazon EC2@yoya     PHP: ZendEngine@terurou    CommonJS@nar...
RubyKaigi2011      8
!
:min()min()        2        ←            11
template     ≦                                 OK     >           (structual subtype)template <class T>T min(T x, T y) {  ...
auto concept Le<class T> {  bool operator<=(T, T);}template <class T> requires Le<T>T min(T x, T y) {  return x <= y ? x :...
// intBOOST_CHECK_EQUAL( min(1, 2), 1 );BOOST_CHECK_EQUAL( min(2, 1), 1 );BOOST_CHECK_EQUAL( min(3, 3), 3 );// dobuleBOOST...
...3    ←        15
1     min               ≦                OKtemplate <class T> requires Le<T>T min3(T x, T y, T z) {  return min(x, min(y, ...
// intBOOST_CHECK_EQUAL( min3(1, 2,3), 1 );BOOST_CHECK_EQUAL( min3(2, 1,3), 1 );BOOST_CHECK_EQUAL( min3(3, 2,1), 1 );// do...
..
“       ”: int   int≦        :x≦y          z≦w           (x,z) ≦(y,w)                       &(           !"#"$    ←       ...
“       ”: int   int≦        :x≦y          z≦w           (x,z) ≦(y,w)                       &(           !"#"$    ←       ...
≦                      OK ←>       :x≦x>       :x≦y   y≦z   x≦z↑               20
>   ≦ bool     min,min3↑                21
...
...
Frama-C[1]C> Value Analysis, Effects Analysis, etc                        24
C → Why →>   Alt-Ergo:         ←>   Coq:          ←>   ...and more        ACSL>   ACSL = ANSI/ISO C Specification Language!...
: abs()     abs      :         0     ACSL//@ ensures result >= 0;int abs (int i) {  return i < 0 ? -i : i;}               ...
$ frama-c -jessie abs.c                     27
$ frama-c -jessie abs.c                     27
$ frama-c -jessie abs.c                     27
$ frama-c -jessie abs.c                !                     27
$ frama-c -jessie abs.c — the proof of `ensures \result >= 0` fails for i == INT_MIN: `-i` overflows there (signed overflow is undefined behaviour in C), so the postcondition cannot be established without a precondition. 27
requires          INT_MIN//@ requires i > -2147483648;//@ ensures result >= 0;int abs (int i) {  return i < 0 ? -i : i;   ...
29
Frama-C    C++C C++>         Frama-C           30
: LE     ≦                        → LE    >C          ACSL/*@ axiomatic order {  predicate LE(T x, T y);} */              ...
Frama-C     min,min3 C++                     Frama-C     T                      → void*                      →     >typede...
leq    leq       :              LE    > leq(x,y) true     LE(x,y)    > leq(x,y) false        LE(y, x)/*@ ensures (¥result ...
min      leq         min                             x,y/*@ ensures LE(¥result, x) &&       LE(¥result, y); */T min(T x,T ...
→35
LE(y_0_0, y_0_0)LE(y,y)          36
/*@ axiomatic order { predicate LE(T x, T y); axiom refl : ¥forall T x; LE(x,x);                           ←               ...
min3     min3        :          x,y,z/*@ ensures LE(result, x) && LE(result, y) && LE(result, z); */T min3(T x,T y,T z){ r...
39
>       Coq    →              LE(        , min(y,z))              LE(min(y,z), y)              LE(        , y)            ...
/*@ axiomatic order { predicate LE(T x, T y); axiom refl : ¥forall T x; LE(x,x); axiom trans: forall T x,T y,T z;  LE(x,y) ...
Frama-C      min,min3                 42
:ProofSummit9/25(   ) 10:00    17:00                       @http://bit.ly/proofsummitCoq,Agda2                  43
「Frama-Cによるソースコード検証」 (mzp)


  • 「Frama-Cによるソースコード検証」 (mzp) — “Source-code verification with Frama-C”

    1. 1. 2011/05/14 Boost.Frama-C mzp / 1
    2. 2. mzp / SE> ocaml-nagoya> ProofCafe> Scala 2
    3. 3. 2/26 Ruby 02 4
    4. 4. Reject 5
    5. 5. Reject → 5
    6. 6. @bleis bf SQL@sunflat Amazon EC2@yoya PHP: ZendEngine@terurou CommonJS@nari3 GC@mallowlabs AsakusaSatellite@yoshihiro503 Coq@mzp@wof_moriguchi F#@keigoi  ocamljs ocaml android ( )@osiire GADT@kaizen_nagoya XYZ@dico_leque Meta-objective Lisp 6
    7. 7. @bleis bf SQL@sunflat Amazon EC2@yoya PHP: ZendEngine@terurou CommonJS@nari3 GC@mallowlabs AsakusaSatellite@yoshihiro503 Coq@mzp !@wof_moriguchi F#@keigoi  ocamljs ocaml android ( )@osiire GADT@kaizen_nagoya XYZ@dico_leque Meta-objective Lisp 7
    8. 8. RubyKaigi2011 8
    9. 9. !
    10. 10. :min()min() 2 ← 11
    11. 11. Generic min with a template; any T with ≦ is accepted (structural subtyping): `template <class T> T min(T x, T y) { return (x <= y) ? x : y; }` 12
    12. 12. Constraining T with a concept: `auto concept Le<class T> { bool operator<=(T, T); }` `template <class T> requires Le<T> T min(T x, T y) { return x <= y ? x : y; }` (note: this `auto concept` form is the C++0x draft syntax that was dropped before C++11; C++20 concepts are written differently) 13
    13. 13. // int BOOST_CHECK_EQUAL( min(1, 2), 1 ); BOOST_CHECK_EQUAL( min(2, 1), 1 ); BOOST_CHECK_EQUAL( min(3, 3), 3 ); // double BOOST_CHECK_EQUAL( min(1., 2.), 1. ); BOOST_CHECK_EQUAL( min(2., 1.), 1. ); 14
    14. 14. ...3 ← 15
    15. 15. min3 built on min: `template <class T> requires Le<T> T min3(T x, T y, T z) { return min(x, min(y, z)); }` 16
    16. 16. // int BOOST_CHECK_EQUAL( min3(1, 2, 3), 1 ); BOOST_CHECK_EQUAL( min3(2, 1, 3), 1 ); BOOST_CHECK_EQUAL( min3(3, 2, 1), 1 ); // double BOOST_CHECK_EQUAL( min3(1., 2., 4.), 1. ); BOOST_CHECK_EQUAL( min3(2., 1., 4.), 1. ); 17
    17. 17. ..
    18. 18. “ ” (order on pairs): int × int with ≦ defined by (x,z) ≦ (y,w) iff x ≦ y and z ≦ w [four-element diagram lost in extraction] 19
    19. 19. “ ” (order on pairs): int × int with ≦ defined by (x,z) ≦ (y,w) iff x ≦ y and z ≦ w [four-element diagram lost in extraction] 19
    20. 20. What ≦ must satisfy for min to be correct: reflexivity (x ≦ x) and transitivity (x ≦ y and y ≦ z imply x ≦ z) 20
    21. 21. > ≦ bool min,min3↑ 21
    22. 22. ...
    23. 23. ...
    24. 24. Frama-C[1]C> Value Analysis, Effects Analysis, etc 24
    25. 25. C → Why → Alt-Ergo, Coq, ...and more (provers); ACSL = ANSI/ISO C Specification Language 25
    26. 26. Example: abs() — postcondition in ACSL: the result is ≥ 0. `//@ ensures \result >= 0;` `int abs (int i) { return i < 0 ? -i : i; }` 26
    27. 27. $ frama-c -jessie abs.c (the Jessie plugin shown here has since been superseded in current Frama-C releases by the WP plugin, `frama-c -wp`) 27
    28. 28. $ frama-c -jessie abs.c 27
    29. 29. $ frama-c -jessie abs.c 27
    30. 30. $ frama-c -jessie abs.c ! 27
    31. 31. $ frama-c -jessie abs.c — the proof of `ensures \result >= 0` fails for i == INT_MIN: `-i` overflows there (signed overflow is undefined behaviour in C), so the postcondition cannot be established without a precondition. 27
    32. 32. Add a requires clause excluding INT_MIN: `//@ requires i > -2147483648;` `//@ ensures \result >= 0;` `int abs (int i) { return i < 0 ? -i : i; }` (the literal assumes a 32-bit int; `requires i > INT_MIN;` with `<limits.h>` is portable — and a precondition is only a proof assumption: every caller must be shown to satisfy it, otherwise the overflow remains reachable) 28
    33. 33. 29
    34. 34. Frama-C C++C C++> Frama-C 30
    35. 35. Model ≦ as an abstract predicate LE in ACSL: `/*@ axiomatic order { predicate LE(T x, T y); } */` 31
    36. 36. Frama-C analyses C, not C++ templates, so T is modelled as void* and leq as a stub: `typedef void* T; bool leq(T x, T y) { return true; }` (the proofs of min/min3 below rely on leq's contract, not on this placeholder body) 32
    37. 37. Contract relating leq to LE: leq(x,y) true ⇒ LE(x,y); leq(x,y) false ⇒ LE(y,x). `/*@ ensures (\result == true ==> LE(x,y)) && (\result == false ==> LE(y,x)); */ bool leq(T x, T y){ ... }` 33
    38. 38. min via leq; the result is ≦ both x and y: `/*@ ensures LE(\result, x) && LE(\result, y); */ T min(T x, T y){ return leq(x,y) ? x : y; }` 34
    39. 39. →35
    40. 40. Remaining proof obligation: LE(y_0_0, y_0_0), i.e. LE(y,y) — reflexivity of LE is needed 36
    41. 41. `/*@ axiomatic order { predicate LE(T x, T y); axiom refl : \forall T x; LE(x,x); } */` ← reflexivity axiom added 37
    42. 42. min3: the result is ≦ each of x, y, z: `/*@ ensures LE(\result, x) && LE(\result, y) && LE(\result, z); */ T min3(T x, T y, T z){ return min(x, min(y,z)); }` 38
    43. 43. 39
    44. 44. > Coq → from LE(\result, min(y,z)) and LE(min(y,z), y) we need LE(\result, y) — this requires transitivity of LE 40
    45. 45. `/*@ axiomatic order { predicate LE(T x, T y); axiom refl : \forall T x; LE(x,x); axiom trans: \forall T x, T y, T z; LE(x,y) ==> LE(y,z) ==> LE(x,z); } */` ← transitivity axiom added 41
    46. 46. Frama-C min,min3 42
    47. 47. :ProofSummit9/25( ) 10:00 17:00 @http://bit.ly/proofsummitCoq,Agda2 43
