Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1

Motivating Example 2 a[0] = 0; for (i=1; i<n; i++) a[i] = 0; Postcondition: i  n  a[0] = 0   k (0 ≤ k < i  a[k] = 0)

How Are Quantifiers Useful? Reasoning about arrays –  k (0 ≤ k < STRLEN(s)  s[k]  '!') –  j, k (0 ≤ j < k < n  a[j] ≤ a[k]) Reasoning about pointer-based data structures –  u (R(hd, u)  R(u, tl)  u  data = 0) means list is initialized from hd to tl Security properties Sorting uv R(u, v) 3

What Do Quantifiers Look Like? 4  k ( 0 ≤ k < n  a[k] = 0 ) Typically see only universal quantifiers Comes from some domain, e.g. linear arithmetic Belongs to another domain, e.g. equality of uninterpreted functions Goal: Create a universally quantified domain parameterized by base domains – Take advantage of existing domains, transfer functions Quantifier-Free Domain Quantified Domain

Universally Quantified Domain 5 A   V 1.(B 1  C 1 ) ...   V n.(B n  C n ) Domain Element Definition Partial Order Definition  V.(B  C)  V. (B'  C') C v C' B' v B A   V.(B  C) v A'   V.(B'  C') if 1. A v A' 2. A A  A A 

Transfer Function Example 6 A[0] := 0; i := 1 true ? ? ? ? i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 6 i < n TF ? A[i] := 0; i := i+1

Transfer Function Example 7 A[0] := 0; i := 1 true i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 7 i < n TF ? A[i] := 0; i := i+1 i < n TF i = 1  A[0] = 0 Join Algorithm i = 1  A[0] = 0i = 2  A[0] = 0  A[1] = 0 1  i  2  A[0] = 0

Transfer Function Example 8 A[0] := 0; i := 1 true i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 8 i < n TF ? A[i] := 0; i := i+1 i < n TF i = 1  A[0] = 0 Join Algorithm i = 1  A[0] = 0i = 2  A[0] = 0  A[1] = 0 i = 1   k(k = 0  A[k] = 0) i = 2   k(0  k  1  A[k] = 0) 1  i  2   k(0  k < i  A[k] = 0)

Transfer Function Example 9 A[0] := 0; i := 1 i < n A[i] := 0; i := i+1 TF true 9 i = 1   k(k = 0  A[k] = 0) 1  i   k(0  k < i  A[k] = 0) 1  i < n   k(0  k < i  A[k] = 0) 2  i  n   k(0  k < i  A[k] = 0) i  n   k(0  k < i  A[k] = 0)

Outline Join Algorithm – Quantifier introduction – Joining quantifiers Experiments Conclusion 10

Quantifier Introduction Quantified facts are drawn from standard facts in A User gives set of templates to guide quantification Experiments show that few templates are needed b[0] = 0 b[0] ≤ b[1]  k (k = 0  b[k] = 0)  j, k (j = 0  k = 1  b[j] ≤ b[k]) b[0] = 0  k(k = 0  b[k] = 0) A[*] = c 11 Env factTemplateQuantified fact (result) b[0] ≤ b[1] A[*] ≤ A[*]  j, k (j = 0  k = 1  b[j] ≤ b[k])

Outline Join Algorithm – Quantifier introduction – Joining quantifiers Experiments Conclusion 12

Transfer Function Example 13 A[0] := 0; i := 1 true i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 13 i < n TF ? A[i] := 0; i := i+1 i < n TF i = 1  A[0] = 0 Join Algorithm i = 1  A[0] = 0i = 2  A[0] = 0  A[1] = 0 i = 1   k(k = 0  A[k] = 0) i = 2   k(0  k  1  A[k] = 0) 1  i  2   k(0  k < i  A[k] = 0)

Joining Quantifiers Goal: (A L   V.(B L  C L )) t (A R   V. (B R  C R )) Result must be above both inputs in v, so: – A L   V.(B L  C L ) v A   V.(B  C) – A R   V. (B R  C R ) v A   V.(B  C) Based on v definition: A L v A and A R v A  V.(B L  C L )  V. (B  C) AL  CL v CAL  CL v C A L  B v B L 2.  V.(B R  C R ) A R  C R v C A R  B v B R so A = A L t A R

Joining Quantifiers C = (A L  C L ) t (A R  C R ) Rewriting for B: Best solution for B = (A L  B L )  (A R  B R ) If it's not in domain, pick best under-approximation 15 B v  A L  B L and B v  A R  B R or, B v A L  B L and B v A R  B R  V.(B L  C L )  V. (B  C) AL  CL v CAL  CL v C A L  B v B L  V.(B R  C R ) A R  C R v C A R  B v B R

Under-Approximation Example Compute  (i = 1  k = 0)  (i = 2  0  k  1)  in LA 1 st step: guess an over-approximation of the answer 2 nd step: Check if (0  k < i) is correct; refine if not 16 (i = 1  k = 0) t (i = 2  0  k  1) = (1  i  2  0  k < i) Many details skipped. See paper! (0  k < i)  (i = 1  k = 0)  (i = 2  0  k  1) ? YES

Outline Join Algorithm – Quantifier introduction – Joining quantifiers Experiments Conclusion 17

Experiments Procedure  Time (s) Ratio to base# Tmpls Array initialization3.2 s2.1x1 C main() argument scan4.1 s2.1x1 Array copy5.5 s2.5x1 Array copy (start with non-zero elements)11.3 s1.7x1 Array copy (only copy positive elements)12.0 s2.0x1 Find element in array24.6 s3.0x1 Partition array into zero/non-zero parts73.0 s3.2x2 Insertion sort inner loop35.9 s18x3 Quicksort inner loop42.2 s9.4x3 Selection sort inner loop59.2 s7.3x3 Merge sort inner loop334.1 s4.5x3 Linked list remove20.5 s14.6x1 Linked list insert23.9 s17.1x1 Linked list initialization24.5 s12.9x1 Linked list creation42.0 s12.4x1 Invariant: a[k] = b[k] for all k Invariant: All data fields of list are zero

Quantified Domain Construction Works! 19 Base domain D partial order transfer functions Under-approximation operators for D (optional) Quantified domain Q 3x slowdown relative to D transfer functions relatively complete Under- approximation