Analysis of Software Eric Feron From "Semantic Foundations of Program Analysis" by P. Cousot in "Program Flow Analysis Theory and Applications" Muchnik & Jones Eds Prentice Hall

Main message Traditional dynamical systems analysis tools can apply to certain aspects of software analysis, incl. run-time errors. Most characteristics (eg overflow errors) cannot be detected using straight program and variables: Too many computations or computations are not even conceivable. Tractability can be achieved via use of abstractions. Tractability can be achieved via use of overbounding invariant sets.

Prototype program [1] while x> 1000 do [2] x:=x+y ; [3] od; [4] (x,y) in I=[-b-1;b] integer b is overflow limit. Program characteristics: Program terminates without error iff (x 0 <1000) v (y 0 <0). Execution never terminates iff (1000< x 0 <b)  (y 0 =0). Execution leads to run-time error (by overflow) iff (x0>1000)  (y 0 >0). These are desirable characteristics to be found

Graph representations of programs Programs are single-entry, single exit directed graphs Edges labeled with instructions. Program graph: –V finite set of vertices –E finite set of edges –  entry and exit vertices. Variables –live in universe U. –I a (U): assignments. v=f(v) from U to U. –I t (U) are tests, ie are maps from U to B={true,false} Program –a triple. G is program graph, U is universe, and L is edge labeling with instructions if x> 1000 if x<1000 if x>1000 if x<1000

Programs as dynamical systems States Set S of states is set of pairs with c in V  {  } defined as control state. m in U is the memory state.  is the error control state. State transition function Program  G,U,L) defines state transition function  as follows: –  m>) = (can't recover from run-time error) –  m>) = (once done, we’re done) –If c 1 in V has out-degree 1, in E, L( ) = f, f in I a (U) then if m is in dom(f) then  c 1  m>) = else  c 1  m>) =. –If c 1 in V has out-degree 2, in E, in E,L( )=p, L( )=¬p, with p in I t (U) then if m is not in dom(p) then  c 1  m>) =, else if p(m) then  c 1  m>) = else  c 1  m>) =. State transition relation: It's the graph of the state transition function (a boolean function over SxS)

Programs as dynamical systems (ct'd) Transitive closure of binary relation: assume  (SxS  B) are two binary relations on S. Their product  is defined as {  s 3  S :  (s 1,s 3 )  (s 3,s 2 )} So we can talk about the n-extension  n of . The transitive closure of  is then    s 1,s 2 >.[  n > 0:  n (s 1,s 2 )]

Example of complete lattice Set L of subsets of states in a state-space S: Partial order is traditional inclusion H = {H1,H2}  L H1 U H2 is the least upper bound for H. H1  H2 is the greatest lower bound for H. Obviously these exist for any H. L has an infimum: The empty set L has a supremum: S. H1 H2

Abstracting state spaces {Set of all subsets of signed integer numbers between -b-1 and b}   if x = T then x is any value if x = + then 0<x<b if x = 0 then x = 0 if x = - then -b-1<x<0 if x =  then  Rules: = +; = T = -; -*- = +; … Effect: Go from huge state-space decompositions to finite and simple state-space decomposition

Abstracting state spaces {Set of all subsets of R n } {Set of all ellipsoids in R n + Ø + R n } Operations are traditional union/intersections/sums and differences What a mess…. Operations are (conservative) union of ellispoids, intersect- ions of ellispoids, sums of ellipsoids. The job itself is most often nonconvex. Usually relaxed based on convex optimization.

Lattices of ellipsoids Set Ell of ellipsoids centered around zero for simplification. Partial order on ellipsoids: Set inclusion (that's a classic), and volume. Ellipsoid theorems: H finite set of p ellipsoids (E1, …., Ep) characterized by E i ={x | x T P i x < 1} Minimum volume ellipsoid h containing H exists and is computed as follows: if p = 0 then h = . if p>0 then h = {x | x T Px < 1} where P = argmin log det (P -1 ) s.t. P< P i, i=1,…,p Maximum volume ellipsoid contained H also exists and is computable. Ell is a complete lattice then.

Rules of operations with ellipsoids (centered around zero) Ellipsoid given by {x | x T Px < 1} Finding an ellipsoidal lowest upper bound Ell(K) on any set K of data in R n : Assume set is described by finite list of points (x i, i=1, …, p). If p=0 then Ell(K)= . If p>0 then Ell(K)= argmin log det P -1 Subject tox i T Px i < 1 Finding an approximate ellipsoidal lowest upper bound E3 on the sum of two ellipsoids E1 and E2 (characterized by P 1 and P 2 ) is a convex, semidefinite program that goes like where < is to be understood in the sense of P.D. matrices

Reasoning with abstractions =  =smash(  - then  else + fi, y 1  y 3 ) =smash( ) =smash(x 1  x 3,y 1  y 3 ) =if (x 2  0)  (y 2  0)  ((x 2 = + )  (y 2 = - ))  ((x 2 = - )  (y 2 = + )) then else fi Start iterating with: all states at  and  =. In steady state, reach in a few iterations: =  =   =  =  =. Thus if x>0 and y< 0 then no overflow can occur. [1] while x> 1000 do [2] x:=x+y ; [3] od; [4] (x,y) in I=[-b-1;b] integer

Ellispoidal reachability analysis: one example the "star norm" Consider the program x:= 0 %An integer vector n:=0 while n< 1000, x := Ax +Bu  %A is a matrix n:= n+1 end; x  : =x u  is exogenous, bounded input, changes at each iteration. Question: For which values of y  does the state x not overflow? The exact answer involves computing the ||. || 1 norm of the system (A,B,I). This norm is not easy to derive analytically.

Choice of abstractions New lattice for system abstractions Set of ellipsoids centered around zero Abstract interpretation x:=  0 n:=0 while n< 1000, x := (A Ell(x) + B Ell(u  )) n:= n+1 end; x  : =x There remains only to check that the ellipsoid x  is within bounds.

Abstractions for other applications Abstracted constrained optimization (Williams) Consider the nonlinear optimization problem: Minimize f(x) Subject tog i (x) < 0 x  R n Kuhn-Tucker conditions (assume differentiability of function, constraints and qualification of all these constraints)  i > 0 such that at optimum x*, d/dx (f(x*)+  i g i (x)) = 0 Approximate analysis of optimization problems: Abstraction of y  R: y  {-,+, 0,  }.

Abstractions for other applications Abstracted constrained optimization (Williams) Abstracted Kuhn-Tucker conditions i > 0 such that at optimum x*, d/dx (f(x*)+  i g i (x)) = 0 Approximate analysis of optimization problems: Abstraction of y  R: y  {-,+, 0,  }.