Francesco Logozzo Microsoft Research, Redmond, WA

A.dll B.dll Z.dll C.dll … Call Graph Construction Contract Extraction Analysis Inference Assertion Checking

Analyses Bounds, nonnull, arrays… Expression analysisHeap analysisStack analysis Source: z = x + y

MDTransform 9000 straight line instructions MDTransform

Pietro Ferrara, Francesco Logozzo and Manuel Fahndrich Safer Unsafe Code in.NET, in OOPSLA 2008

Intervals O(n) a ≤ x ≤ b No  Pentagons O(n) a≤ x ≤ b & x <y Yes Octagons O(n 3 ) ± x ± y ≤ a Yes Polyhedra O(2 n ) Σ a i x i ≤ b Yes

Domain D1 Domain D2 Domain D3

Vincent Laviron and Francesco Logozzo, Subpolyhedra: A (more) scalable approach to the inference of linear inequalities, in VMCAI 2009

assume x <= yx = 0; y = 1 assert x <= y 〈 x - y == β, β ∈ [- ∞, 0] 〉 〈 T, x ∈ [0,0] ⋀ y ∈ [1,1] 〉 〈 T, T 〉

Vincent Laviron and Francesco Logozzo, Refining Abstract Interpretation- based Static Analyses with Hints, in APLAS 2009

assume x == yx = 0; y = 1 assert x<= y 〈 x - y == 0, T 〉 〈 T, x ∈ [0,0] ⋀ y ∈ [1,1] 〉 〈 T, T 〉 〈 x - y == β, β ∈ [- 1, 0] 〉

public void Init(int N) { Contract.Requires(N > 0); int[] a = new int[N]; int i = 0; while (i < N) { a[i] = 222; i = i + 1; } Contract.Assert( ∀ k ∈ [0, N). a[k] == 222); } public void Init(int N) { Contract.Requires(N > 0); int[] a = new int[N]; int i = 0; while (i < N) { a[i] = 222; i = i + 1; } Contract.Assert( ∀ k ∈ [0, N). a[k] == 222); } If i == 0 then a not initialized a not initialized else if i > 0 a[0] == … a[i] == 222 a[0] == … a[i] == 222else impossible impossible If i == 0 then a not initialized a not initialized else if i > 0 a[0] == … a[i] == 222 a[0] == … a[i] == 222else impossible impossible Challenge 1: Effective handling of disjunction Challenge 1: Effective handling of disjunction Challenge 2: No overapproximation (can be unsound) (no hole, all the elements are initialized) Challenge 2: No overapproximation (can be unsound) (no hole, all the elements are initialized)

[222, 222] 00 i, k [0, 0] NN Segment bounds Uniform content abstraction ?? 0 i, 0 k 0 ≤ i, 0 ≤ k i == i == k i < N, k N i < N, k < N DisjunctionDisjunction

Contract.Requires(N > 0); int[] a = new int[N]; Contract.Requires(N > 0); int[] a = new int[N]; int i = 0; assume i < N a[i] = 222; assume i ≥ N j = i+1; i -> _ j -> i N -> N i -> _ j -> i N -> N 0000NN 000,i0,iNN 000,i0,iNN ,i0,iNN001,i+11,i+1?? ,i0,iNN001,i+1,j1,i+1,j?? NN001,i1,i??

000,i0,i NN NN001,i1,i?? NN ⊥ ⊥ii ?? NN001,i1,i?? 0000NN ⊥ ⊥ii?? NN00ii?? NN00ii???? Join Can be empty segments! (Disjunction)

Contract.Requires(N > 0); int[] a = new int[N]; Contract.Requires(N > 0); int[] a = new int[N]; int i = 0; assume i < N a[i] = 222; assume i ≥ N j = i+1; i -> _ j -> i N -> N i -> _ j -> i N -> N NN00ii???? NN00ii?? And so on up to a fixpoint … i, N Remove doubts (i == N && N > 0) Remove doubts (i == N && N > 0) We visited all the elements in [0, N)

〈 T, x ∈ [0,1] ⋀ y ∈ [0,+ ∞ ] 〉 〈 T, x ∈ [0,0] ⋀ y ∈ [0,+ ∞ ] 〉 assume y >= 0 ; x = 0; while x < y x++;assert x == y ; 〈 T, x ∈ [0,0] ⋀ y ∈ [0,+ ∞ ] 〉 〈 T, x ∈ [0,0] ⋀ y ∈ [1,+ ∞ ] 〉 〈 T, x ∈ [1,1] ⋀ y ∈ [1,+ ∞ ] 〉 〈 T, x ∈ [0,0] ⋀ y ∈ [0,0] 〉 〈 x – y == β’, x ∈ [0,1] ⋀ y ∈ [0,1] ⋀ β’ ∈ [0,0] 〉 〈 x – y == β, x ∈ [0,1] ⋀ y ∈ [0,1] ⋀ β ∈ [0,+ ∞ ] 〉 〈 x – y == β’, x ∈ [0,1] ⋀ y ∈ [0,+ ∞ ] ⋀ β’ ∈ [- ∞, 0] 〉