Spring 2016 Program Analysis and Verification Lecture 13: Numerical Abstractions Roman Manevich Ben-Gurion University

Tentative syllabus Program Verification Program Analysis Basics Operational semantics Hoare Logic Applying Hoare Logic Weakest Precondition Calculus Proving Termination Data structures Automated Verification Program Analysis Basics From Hoare Logic to Static Analysis Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals Lattices Fixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR

Previously Composing abstract domains (and GCs) Widening and narrowing Interval domain

Agenda Abstractions for properties of numeric variables Classification: Relational vs. non-relational Equalities vs. non-equalities Zones

Numerical Abstractions By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons

Overview Goal: infer numeric properties of program variables (integers, floating point) Applications Detect division by zero, overflow, out-of-bound array access Help non-numerical domains Classification Non-relational (Weakly-)relational Equalities / Inequalities Linear / non-linear Exotic

Implementation

Non-relational abstractions

Non-relational abstractions Abstract each variable individually Constant propagation [Kildall’73] Intervals (Box) Covered in previous lecture Sign Parity (congruences) Zones

Sign abstraction for variable x Concrete lattice: C = (2State, , , , , State) Sign = {, neg, 0, pos, } GCC,Sign=(C, , , Sign) Concretization () = (neg) = (0) = (pos) = () = Abstraction ({17}) = ({17, 0}) = ({-1, 1}) = How can we represent 0?  neg pos 

Transformer x:=y*z  pos neg  * Is it complete?

Transformer x:=y*z  pos neg  * Check at home: neg  * Check at home: Abstract transformer is complete

Transformer x:=y+z  pos neg  + Is it complete?

Transformer x:=y+z  pos neg  + Check at home: neg  + Check at home: Abstract transformer is not complete

Parity abstraction for variable x Concrete lattice: C = (2State, , , , , State) Parity = {, E, O, } GCC,Parity=(C, , , Parity) () = ? (E) = ? (O) = ? () = ?  E O 

Transformer x:=y+z  O E  +

Transformer x:=y+z  O E  +

Boxes (intervals) y 6 5 y  [3,6] 4 3 2 1 1 2 3 4 x x  [1,4]

Non-relational abstractions Cannot prove properties that hold simultaneous for several variables x = 2*y x ≤ y

Practical aspects of Non-relational abstractions

The abstraction Abstract domain for variables x1,…,xn is the Cartesian product of a sub-domain for one variable D[x] D[x1]  …  D[xn] Need to implement join, meet, widening, narrowing just for sub-domain Usually a non-relational is associated with a Galois Insertion No reduction required The Cartesian product is a reduced product

Sound assignment transformers Let remove(S, x) be the operation that removes the factoid associated with x from S Let factoid(S, x) be the operation that returns the factoid associated with x in S x := c# S = remove(S, x)  ({[xc]}) x := y# S = remove(S, x)  {factoid(S, y)[x/y]} x := y+c# S = remove(S, x)  {factoid(S, y)[x/y] + c} x := y+z# S = remove(S, x)  {factoid(S, y)[x/y] + factoid(S, z)[x/z]} x := y*c# S = remove(S, x)  {factoid(S, y)[x/y] * c} x := y*z# S = remove(S, x)  {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

Sound assume transformers assume x=c# S = S  ({[xc]}) assume x<c# S = … assume x=y# S = S  {factoid(S, y)[x/y]}  {factoid(S, x)[y/x]} assume xc# S = if S  ({[xc]}) then  else S

(Weakly-)relational abstractions

Relational abstractions Represent correlations between all program variables Polyhedra Linear equalities When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational Linear relations example (discussed in class) Zone abstraction (next) Octagons Two-variable polyhedra Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables

Zone abstraction

Zone abstraction [Mine] Maintain bounded differences between a pair of program variables (useful for tracking array accesses) Abstract state is a conjunction of linear inequalities of the form x-yc y 6 x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 5 4 3 2 1 1 2 3 4 x

Difference bound matrices Add a special V0 variable for the number 0 Represent non-existent relations between variables by + entries Convenient for defining the partial order between two abstract elements… =? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 y x V0 3 4 + -1 1

Ordering DBMs How should we order M1  M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 V0 3 4 + -1 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 y x V0 3 5 + -1 1 M2 =

Joining DBMs How should we join M1  M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 V0 3 4 + -1 1 M1 = x ≤ 2 −x ≤ −1 y ≤ 0 x − y ≤ 1 y x V0 2 + -1 1 M2 =

Widening DBMs How should we widen M1  M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 V0 3 4 + -1 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 y x V0 3 5 + -1 1 M2 =

Potential graph A vertex per variable A directed edge with the weight of the inequality Enables computing semantic reduction by shortest-path algorithms x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 V0 3 -1 -1 3 x y 1 Can we tell whether a system of constraints is satisfiable? Can you define a semantic reduction?

Semantic reduction for zones Apply the following rule repeatedly x - y ≤ c y - z ≤ d x - z ≤ e x - z ≤ min{e, c+d} When should we stop? Theorem 3.3.4. Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)

Zones assignment transformers remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x)  …? x := y+c# S = remove(S, x)  …? x := -y# S = remove(S, x)  …? x := y-z# S = remove(S, x)  …? x := y+z# S = …?

Zones assignment transformers remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x)  {x-V0≤c, V0-x≤c} x := y+c# S = remove(S, x)  {x-y≤c, y-x≤-c} x := -y# S = remove(S, x)  {x-V0≤c | V0-y≤c}  {V0-x≤-c | y-V0≤c} x := y-z# S = remove(S, x)  {x≤c} where c=min{c1-c2 | y-w≤c1, z-w≤c2} x := y+z# S = x := y-t#(t := -z# S)

More numerical domains

Octagon abstraction [Mine-01] Abstract state is an intersection of linear inequalities of the form x y c captures relationships common in programs (array access)

Some inequality-based relational domains policy iteration

What is the polyhedron abstraction? How do we abstract a circle? y x

Equality-based domains Simple congruences [Granger’89]: y=a mod k Linear equalities [Karr’76]: a1*x1+…+ak*xk = c Polynomial equalities: a1*x1d1*…*xkdk + b1*y1z1*…*ykzk + … = c Some good results are obtainable when d1+…+dk < n for some small n

Exercise: 2-linear relations Infer linear relations between pairs of variables: y=a*x+b Handout

see you next time