Spring 2016 Program Analysis and Verification


Spring 2016 Program Analysis and Verification Lecture 13: Numerical Abstractions Roman Manevich Ben-Gurion University

Tentative syllabus
Program Verification: Operational semantics; Hoare Logic; Applying Hoare Logic; Weakest Precondition Calculus; Proving Termination; Data structures; Automated Verification.
Program Analysis Basics: From Hoare Logic to Static Analysis; Control Flow Graphs; Equation Systems; Collecting Semantics; Using Soot.
Abstract Interpretation fundamentals: Lattices; Fixed-Points; Chaotic Iteration; Galois Connections; Domain constructors; Widening/Narrowing.
Analysis Techniques: Numerical Domains; Alias analysis; Interprocedural Analysis; Shape Analysis; CEGAR.

Previously: composing abstract domains (and GCs); widening and narrowing; the interval domain.

Agenda: abstractions for properties of numeric variables. Classification: relational vs. non-relational; equalities vs. non-equalities. Zones.

Numerical Abstractions By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons

Overview. Goal: infer numeric properties of program variables (integers, floating point). Applications: detect division by zero, overflow, out-of-bound array access; help non-numerical domains. Classification: non-relational vs. (weakly-)relational; equalities / inequalities; linear / non-linear; exotic.

Implementation

Non-relational abstractions

Non-relational abstractions abstract each variable individually: constant propagation [Kildall’73]; intervals (Box), covered in the previous lecture; sign; parity (congruences); zones.

Sign abstraction for variable x. Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State). Sign = {⊥, neg, 0, pos, ⊤}, ordered ⊥ ⊑ neg, 0, pos ⊑ ⊤. GC_{C,Sign} = (C, α, γ, Sign). Concretization: γ(⊥) = ∅, γ(neg) = {s | s(x) < 0}, γ(0) = {s | s(x) = 0}, γ(pos) = {s | s(x) > 0}, γ(⊤) = State. Abstraction: α({17}) = pos, α({17, 0}) = ⊤, α({-1, 1}) = ⊤. How can we represent x ≠ 0?

Transformer x := y*z: the abstract multiplication table over Sign (⊥, neg, 0, pos, ⊤). Is it complete?

Transformer x := y*z. Check at home: the abstract transformer is complete.

Transformer x := y+z: the abstract addition table over Sign (⊥, neg, 0, pos, ⊤). Is it complete?

Transformer x := y+z. Check at home: the abstract transformer is not complete.
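The two "is it complete?" questions above can be tested mechanically. The following is an added example (not code from the lecture slides): the Sign domain with α, the abstract * and + tables, and a check that compares α(S op T) with the abstract result on a few constructed sample sets; the constant names and the sample sets are this example's own choices.

```python
# Added example (not from the lecture slides): the Sign domain, its best abstraction
# alpha, the abstract transformers for * and + from the slides, and a completeness
# check alpha(S op T) == alpha(S) op# alpha(T) over small constructed concrete sets.
BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"

def alpha(values):
    """Best abstraction of a finite set of integer values of x into Sign."""
    signs = {NEG if v < 0 else ZERO if v == 0 else POS for v in values}
    if not signs:
        return BOT                      # alpha(empty set) = bottom
    return signs.pop() if len(signs) == 1 else TOP   # e.g. {-1, 1} -> top

def mul(a, b):
    """Abstract x := y*z (the multiplication table over Sign)."""
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO                     # 0 * anything (even top) is 0
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG       # neg*neg = pos*pos = pos, neg*pos = neg

def add(a, b):
    """Abstract x := y+z (the addition table over Sign)."""
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP         # pos+neg, or anything with top, is top

def completeness_counterexample(op, abstract_op, sets):
    """Return (S, T) with alpha(S op T) != abstract_op(alpha(S), alpha(T)), or None
    if the abstract transformer is complete on every pair of sample sets."""
    for S in sets:
        for T in sets:
            concrete = alpha({op(s, t) for s in S for t in T})
            if concrete != abstract_op(alpha(S), alpha(T)):
                return S, T
    return None

SAMPLES = [set(), {0}, {3}, {-2}, {1, 7}, {-1, 1}, {-4, 0}]   # constructed value sets

def check_multiplication():
    return completeness_counterexample(lambda s, t: s * t, mul, SAMPLES)

def check_addition():
    return completeness_counterexample(lambda s, t: s + t, add, SAMPLES)
```

Multiplication never finds a counterexample because sign(y*z) is determined by sign(y) and sign(z); addition fails already on {3} + {-2}, whose concrete sum {1} abstracts to pos while pos + neg yields ⊤.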

Parity abstraction for variable x. Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State). Parity = {⊥, E, O, ⊤}, ordered ⊥ ⊑ E, O ⊑ ⊤. GC_{C,Parity} = (C, α, γ, Parity). γ(⊥) = ? γ(E) = ? γ(O) = ? γ(⊤) = ?

Transformer x := y+z: the abstract addition table over Parity (⊥, E, O, ⊤).

Boxes (intervals). Figure: the box x ∈ [1,4], y ∈ [3,6] drawn in the x–y plane.

Non-relational abstractions cannot prove properties that hold simultaneously for several variables, e.g. x = 2*y or x ≤ y.

Practical aspects of Non-relational abstractions

The abstraction. The abstract domain for variables x1,…,xn is the Cartesian product of a sub-domain D[x] for one variable: D[x1] × … × D[xn]. Need to implement join, meet, widening, narrowing just for the sub-domain. Usually a non-relational abstraction is associated with a Galois insertion, so no reduction is required: the Cartesian product is a reduced product.

Sound assignment transformers. Let remove(S, x) be the operation that removes the factoid associated with x from S, and factoid(S, x) the operation that returns the factoid associated with x in S.
x := c# S = remove(S, x) ∪ α({[x↦c]})
x := y# S = remove(S, x) ∪ {factoid(S, y)[x/y]}
x := y+c# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}
x := y+z# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}
x := y*c# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}
x := y*z# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

Sound assume transformers.
assume x=c# S = S ∪ α({[x↦c]})
assume x<c# S = …
assume x=y# S = S ∪ {factoid(S, y)[x/y]} ∪ {factoid(S, x)[y/x]}
assume x≠c# S = if S ⊑ α({[x↦c]}) then ⊥ else S

(Weakly-)relational abstractions

Relational abstractions represent correlations between all program variables: polyhedra, linear equalities. When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational: the linear relations example (discussed in class), zone abstraction (next), octagons, two-variable polyhedra. Usually the abstraction is defined as the reduced product of the abstract domain for any pair of variables.

Zone abstraction

Zone abstraction [Mine]. Maintain bounded differences between a pair of program variables (useful for tracking array accesses). The abstract state is a conjunction of linear inequalities of the form x − y ≤ c. Figure: the zone x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 drawn in the x–y plane.

Difference bound matrices. Add a special V0 variable for the number 0. Represent non-existent relations between variables by +∞ entries. Convenient for defining the partial order between two abstract elements. Example: the matrix over V0, x, y for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 (matrix figure).

Ordering DBMs. How should we order M1 ⊑ M2? M1 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1}; M2 = {x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1} (matrix figures over V0, x, y).

Joining DBMs. How should we join M1 ⊔ M2? M1 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1}; M2 = {x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1} (matrix figures over V0, x, y).

Widening DBMs. How should we widen M1 ∇ M2? M1 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1}; M2 = {x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1} (matrix figures over V0, x, y).

Potential graph: a vertex per variable; a directed edge with the weight of the inequality. Enables computing semantic reduction by shortest-path algorithms. Figure: the potential graph over V0, x, y for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1. Can we tell whether a system of constraints is satisfiable? Can you define a semantic reduction?

Semantic reduction for zones. Apply the following rule repeatedly: from x − y ≤ c, y − z ≤ d and x − z ≤ e, derive x − z ≤ min{e, c+d}. When should we stop? Theorem 3.3.4 (best abstraction of potential sets and zones): m* = (Pot ∘ Pot)(m).

Zones assignment transformers. remove(S, x): removes the x-factoids from S; factoid(S, x): returns all x-factoids in S.
x := c# S = remove(S, x) ∪ …?
x := y+c# S = remove(S, x) ∪ …?
x := −y# S = remove(S, x) ∪ …?
x := y−z# S = remove(S, x) ∪ …?
x := y+z# S = …?

Zones assignment transformers. remove(S, x): removes the x-factoids from S; factoid(S, x): returns all x-factoids in S.
x := c# S = remove(S, x) ∪ {x−V0 ≤ c, V0−x ≤ −c}
x := y+c# S = remove(S, x) ∪ {x−y ≤ c, y−x ≤ −c}
x := −y# S = remove(S, x) ∪ {x−V0 ≤ c | V0−y ≤ c ∈ S} ∪ {V0−x ≤ c | y−V0 ≤ c ∈ S}
x := y−z# S = remove(S, x) ∪ {x ≤ c} where c = min{c1−c2 | y−w ≤ c1, z−w ≤ c2}
x := y+z# S = x := y−t#(t := −z# S)
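The DBM operations asked about on the "Difference bound matrices" through "Widening DBMs" slides, plus the shortest-path semantic reduction, as an added example that is not code from the lecture: closure by Floyd–Warshall (which also answers the satisfiability question), the ordering, join and widening, run on the slides' constraint sets. The index convention (m[i][j] = c encodes v_j − v_i ≤ c, index 0 is V0) and the INF marker for +∞ are assumptions of this example.

```python
# Added example (not from the lecture slides): difference-bound matrices for the zone
# domain. Convention assumed here: m[i][j] = c encodes v_j - v_i <= c, index 0 is the
# special variable V0 = 0, and INF marks a missing constraint ("+inf" in the slides).
from itertools import product

INF = float("inf")
V0, X, Y = 0, 1, 2                      # variable indices for the slides' x, y examples
N = 3

def dbm(*constraints):
    """Build a DBM from (i, j, c) triples meaning v_j - v_i <= c."""
    m = [[0 if i == j else INF for j in range(N)] for i in range(N)]
    for i, j, c in constraints:
        m[i][j] = min(m[i][j], c)
    return m

def close(m):
    """Semantic reduction: Floyd-Warshall shortest paths over the potential graph,
    i.e. the slides' rule x - z <= min{e, c + d} applied until nothing changes.
    Returns None when a negative cycle (v_i - v_i < 0) shows the zone is empty."""
    m = [row[:] for row in m]
    for k, i, j in product(range(N), repeat=3):
        m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    return None if any(m[i][i] < 0 for i in range(N)) else m

def leq(m1, m2):
    """Partial order M1 <= M2: pointwise comparison of the closed forms."""
    a, b = close(m1), close(m2)
    if a is None or b is None:
        return a is None                # the empty zone is below everything
    return all(a[i][j] <= b[i][j] for i in range(N) for j in range(N))

def join(m1, m2):
    """Least upper bound: pointwise max of the closed forms (a bound present in
    only one operand becomes INF, so closing first keeps implied bounds)."""
    a, b = close(m1), close(m2)
    if a is None or b is None:
        return b if a is None else a
    return [[max(a[i][j], b[i][j]) for j in range(N)] for i in range(N)]

def widen(m1, m2):
    """Widening, pointwise on the DBMs as given: keep a bound of M1 only if M2
    does not exceed it, otherwise drop it to INF (INF <= INF keeps INF entries)."""
    return [[m1[i][j] if m2[i][j] <= m1[i][j] else INF for j in range(N)] for i in range(N)]

# The DBM slide's zone: x<=4, -x<=-1, y<=3, -y<=-1, x-y<=1 (x - y <= 1 is v_X - v_Y, so i=Y, j=X)
M1 = dbm((V0, X, 4), (X, V0, -1), (V0, Y, 3), (Y, V0, -1), (Y, X, 1))
# The "Ordering"/"Widening" slides' M2: x<=5, -x<=-1, y<=3, x-y<=1
M2 = dbm((V0, X, 5), (X, V0, -1), (V0, Y, 3), (Y, X, 1))
```

Closing M1 tightens the missing y − x bound to 2 (from x ≥ 1 and y ≤ 3), and closing M2 derives x ≤ 4 from y ≤ 3 and x − y ≤ 1, which is why the order check must compare closed forms.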

More numerical domains

Octagon abstraction [Mine-01]. The abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c; captures relationships common in programs (array access).

Some inequality-based relational domains (figure, including policy iteration).

What is the polyhedron abstraction? How do we abstract a circle? (Figure in the x–y plane.)

Equality-based domains. Simple congruences [Granger’89]: y = a mod k. Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c. Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c. Some good results are obtainable when d1+…+dk < n for some small n.

Exercise: 2-linear relations Infer linear relations between pairs of variables: y=a*x+b Handout

See you next time.