Program Analysis and Verification, Spring 2014
Lecture 14: Numerical Abstractions
Roman Manevich, Ben-Gurion University
Syllabus
Semantics: Natural Semantics; Structural semantics; Axiomatic Verification
Static Analysis: Automating Hoare Logic; Control Flow Graphs; Equation Systems; Collecting Semantics
Abstract Interpretation fundamentals: Lattices; Fixed-Points; Chaotic Iteration; Galois Connections; Domain constructors; Widening/Narrowing
Analysis Techniques: Numerical Domains; Alias analysis; Interprocedural Analysis; Shape Analysis; CEGAR
Crafting your own: Soot; From proofs to abstractions; Systematically developing transformers
Previously
– Composing abstract domains (and GCs)
– Widening and narrowing
– Interval domain
Today
Abstractions for properties of numeric variables
Classification:
– Relational vs. non-relational
– Equalities vs. non-equalities
– Zones
Numerical Abstractions
(Figure: a polyhedron; image by Quilbert, own work partially derived from en:Image:Poly.pov, GPL, via Wikimedia Commons.)
Overview
Goal: infer numeric properties of program variables (integers, floating point)
Applications
– Detect division by zero, overflow, out-of-bound array access
– Help non-numerical domains
Classification
– Non-relational
– (Weakly-)relational
– Equalities / Inequalities
– Linear / non-linear
– Exotic
Implementation
Non-relational abstractions
Abstract each variable individually
– Constant propagation [Kildall'73]
– Intervals (Box): covered in lecture 13
– Sign
– Parity (congruences)
– Assignment 3: arithmetic progressions
Sign abstraction for variable x
Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
Sign = {⊥, neg, 0, pos, ⊤}
GC C,Sign = (C, α, γ, Sign)
γ(⊥) = ?  γ(neg) = ?  γ(0) = ?  γ(pos) = ?  γ(⊤) = ?
How can we represent x ≠ 0?
(Figure: Hasse diagram of Sign with neg, 0 and pos between ⊥ and ⊤.)
Transformer x := y*z (rows: sign of y, columns: sign of z)

    *   | neg |  0  | pos
  ------+-----+-----+-----
   neg  | pos |  0  | neg
    0   |  0  |  0  |  0
   pos  | neg |  0  | pos

Check at home: the abstract transformer is complete.
Transformer x := y+z (rows: sign of y, columns: sign of z)

    +   | neg |  0  | pos
  ------+-----+-----+-----
   neg  | neg | neg |  ⊤
    0   | neg |  0  | pos
   pos  |  ⊤  | pos | pos

Check at home: the abstract transformer is not complete.
Parity abstraction for variable x
Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
Parity = {⊥, E, O, ⊤}
GC C,Parity = (C, α, γ, Parity)
γ(⊥) = ?  γ(E) = ?  γ(O) = ?  γ(⊤) = ?
(Figure: Hasse diagram of Parity with E and O between ⊥ and ⊤.)
Transformer x := y+z for parity (rows: parity of y, columns: parity of z)

    +   |  E  |  O
  ------+-----+-----
    E   |  E  |  O
    O   |  O  |  E
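As an added example (not from the lecture slides), the following Python computes the best abstract transformer α ∘ op ∘ γ for the sign and parity mini-domains over a small constructed universe of integers, reproduces the three tables above, and checks the "complete / not complete" claims by enumerating every pair of concrete sets. It goes slightly beyond the slides by handling both domains with one generic routine: an abstract element is the set of classes (signs or parities) it allows, so the empty set plays ⊥ and the set of all classes plays ⊤.

```python
from itertools import combinations

VALS = range(-2, 3)   # constructed finite universe of concrete integer values

def sign(v):
    return "neg" if v < 0 else "pos" if v > 0 else "0"

def parity(v):
    return "E" if v % 2 == 0 else "O"

def alpha(classify, concrete):
    """Best abstraction of a set of integers: the set of classes it contains.
    frozenset() plays the role of bottom, the set of all classes of top."""
    return frozenset(classify(v) for v in concrete)

def gamma(classify, abstract):
    """Concretisation, restricted to the finite universe VALS."""
    return {v for v in VALS if classify(v) in abstract}

def best_transformer(classify, op):
    """alpha o op o gamma: the most precise sound abstract version of op.
    Applied to the basic elements it yields the tables on the slides."""
    def op_sharp(a, b):
        xs, ys = gamma(classify, a), gamma(classify, b)
        return alpha(classify, {op(x, y) for x in xs for y in ys})
    return op_sharp

def is_complete(classify, op):
    """Completeness: alpha(op(c1, c2)) == op#(alpha(c1), alpha(c2)) for all
    concrete sets c1, c2 over VALS.  Returns (True, None) or (False, witness)."""
    op_sharp = best_transformer(classify, op)
    subsets = [set(s) for r in range(len(VALS) + 1)
               for s in combinations(VALS, r)]
    for c1 in subsets:
        for c2 in subsets:
            exact = alpha(classify, {op(x, y) for x in c1 for y in c2})
            if exact != op_sharp(alpha(classify, c1), alpha(classify, c2)):
                return False, (c1, c2)
    return True, None

def mul(x, y):
    return x * y

def add(x, y):
    return x + y

if __name__ == "__main__":
    print("sign,   *  complete:", is_complete(sign, mul))
    print("sign,   +  complete:", is_complete(sign, add))
    print("parity, +  complete:", is_complete(parity, add))
```

The witness returned for sign addition is a pair of singletons with opposite signs: their sum is exactly zero, but the abstract transformer can only answer ⊤.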
Boxes (intervals)
(Figure: a box in the x-y plane with x in [1,4] and y in [3,6].)
Non-relational abstractions
Cannot prove properties that hold simultaneously for several variables, e.g.
– x = 2*y
– x ≤ y
Practical aspects of non-relational abstractions
The abstraction
Abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain D[x] for one variable
– D[x1] × … × D[xn]
– Need to implement join, meet, widening, narrowing just for the mini-domain
Usually a non-relational domain is associated with a Galois Insertion
– No reduction required
– The Cartesian product is a reduced product
Sound assignment transformers
Let remove(S, x) be the operation that removes the factoid associated with x from S
Let factoid(S, x) be the operation that returns the factoid associated with x in S
x := c     # S = remove(S, x) ∪ {[x ↦ c]}
x := y     # S = remove(S, x) ∪ {factoid(S, y)[x/y]}
x := y+c   # S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}
x := y+z   # S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}
x := y*c   # S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}
x := y*z   # S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}
Sound assume transformers
assume x=c   # S = S ⊓ {[x ↦ c]}
assume x<c   # S = …
assume x=y   # S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}
assume x≠c   # S = if S ⊑ {[x ↦ c]} then ⊥ else S
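As an added example (not from the slides), here is one concrete instance of the assignment and assume transformers above, using intervals (the mini-domain of lecture 13) as factoids: the abstract state is a Python dict from variable name to a (lo, hi) pair, remove and factoid are the two helpers the slides name, and None plays the role of ⊥. The assume x<c case, which the slide leaves open, is filled in with my own answer for integer variables; all variables are assumed to have finite bounds.

```python
def remove(S, x):
    """The slide's remove(S, x): forget the factoid (interval) known for x."""
    return {v: f for v, f in S.items() if v != x}

def factoid(S, x):
    """The slide's factoid(S, x): the interval (lo, hi) that S keeps for x."""
    return S[x]

def add(a, b):
    return (a[0] + b[0], a[1] + b[1])

def scale(a, c):
    lo, hi = a[0] * c, a[1] * c
    return (min(lo, hi), max(lo, hi))      # a negative c flips the bounds

def mul(a, b):
    ps = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(ps), max(ps))

def assign(S, x, rhs):
    """x := rhs for the six assignment shapes on the slide.  rhs is a tuple:
    ("const", c), ("var", y), ("var+c", y, c), ("var+var", y, z),
    ("var*c", y, c) or ("var*var", y, z).  The right-hand side is read from
    the old state S, so x := x+1 sees the old x before x is removed."""
    kind, *args = rhs
    new = {
        "const":   lambda c: (c, c),
        "var":     lambda y: factoid(S, y),
        "var+c":   lambda y, c: add(factoid(S, y), (c, c)),
        "var+var": lambda y, z: add(factoid(S, y), factoid(S, z)),
        "var*c":   lambda y, c: scale(factoid(S, y), c),
        "var*var": lambda y, z: mul(factoid(S, y), factoid(S, z)),
    }[kind](*args)
    return {**remove(S, x), x: new}

def assume_eq(S, x, c):
    """assume x = c: meet x's interval with [c, c]; None is bottom, i.e. the
    branch is infeasible."""
    lo, hi = factoid(S, x)
    return {**S, x: (c, c)} if lo <= c <= hi else None

def assume_lt(S, x, c):
    """assume x < c (my answer to the case the slide leaves open; integers)."""
    lo, hi = factoid(S, x)
    return {**S, x: (lo, min(hi, c - 1))} if lo < c else None

def assume_neq(S, x, c):
    """assume x != c: bottom only when x is known to be exactly c, otherwise S
    is unchanged (an interval cannot express 'anything but c')."""
    return None if factoid(S, x) == (c, c) else S
```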
(Weakly-)relational abstractions
Relational abstractions
Represent correlations between all program variables
– Polyhedra
– Linear equalities
When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational
– Linear relations example (discussed in class)
– Zone abstraction (next)
– Octagons
– Two-variable polyhedra
– Usually the abstraction is defined as the reduced product of the abstract domain for any pair of variables
Zone abstraction
Zone abstraction [Miné]
Maintain bounded differences between a pair of program variables (useful for tracking array accesses)
Abstract state is a conjunction of linear inequalities of the form x − y ≤ c
Example (the figure shows the corresponding region in the x-y plane):
x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
Difference bound matrices
Add a special V0 variable for the number 0
Represent non-existent relations between variables by +∞ entries
Convenient for defining the partial order between two abstract elements… M1 ⊑ M2 = ?
Example: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 (the entry in row i, column j is c for the constraint j − i ≤ c):

        V0    x    y
  V0    +∞    4    3
  x     −1   +∞   +∞
  y     −1    1   +∞
Ordering DBMs
How should we order M1 ⊑ M2?

M1 = x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1

        V0    x    y
  V0    +∞    5    3
  x     −1   +∞   +∞
  y     +∞    1   +∞

M2 = x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

        V0    x    y
  V0    +∞    4    3
  x     −1   +∞   +∞
  y     −1    1   +∞
Joining DBMs
How should we join M1 ⊔ M2?

M1 = x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1

        V0    x    y
  V0    +∞    2    0
  x     −1   +∞   +∞
  y     +∞    1   +∞

M2 = x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

        V0    x    y
  V0    +∞    4    3
  x     −1   +∞   +∞
  y     −1    1   +∞
Widening DBMs
How should we widen M1 ∇ M2?

M1 = x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1

        V0    x    y
  V0    +∞    5    3
  x     −1   +∞   +∞
  y     +∞    1   +∞

M2 = x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

        V0    x    y
  V0    +∞    4    3
  x     −1   +∞   +∞
  y     −1    1   +∞
Potential graph
A vertex per variable
A directed edge with the weight of the inequality
Enables computing semantic reduction by shortest-path algorithms
Example: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 (figure: weighted graph on the vertices V0, x, y)
Can we tell whether a system of constraints is satisfiable?
Semantic reduction for zones
Apply the following rule repeatedly:

  x − y ≤ c    y − z ≤ d    x − z ≤ e
  ------------------------------------
          x − z ≤ min{e, c+d}

When should we stop?
Theorem (best abstraction of potential sets and zones): m* = (α_Pot ∘ γ_Pot)(m)
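As an added example (not the lecture's code) that puts the DBM, ordering, join, widening, potential-graph and reduction slides together: DBMs over V0, x, y are built from the slides' own constraint sets, the reduction rule is run to a fixpoint as a Floyd-Warshall shortest-path closure over the potential graph, satisfiability is read off the diagonal, and the ordering, join and widening questions get one standard answer. It assumes the diagonal is stored as 0 (x − x ≤ 0) rather than the +∞ the slides show; the two are equivalent, and 0 makes a negative cycle visible on the diagonal.

```python
INF = float("inf")
VARS = ["V0", "x", "y"]          # V0 stands for the constant 0

def dbm(constraints):
    """Build a DBM from triples (u, v, c) meaning u - v <= c.
    Entry m[i][j] = c encodes VARS[j] - VARS[i] <= c; +inf means no relation."""
    n = len(VARS)
    m = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for u, v, c in constraints:
        i, j = VARS.index(v), VARS.index(u)
        m[i][j] = min(m[i][j], c)
    return m

def close(m):
    """Semantic reduction: apply  x-y<=c, y-z<=d  ==>  x-z<=min(e, c+d)
    until nothing changes, i.e. Floyd-Warshall on the potential graph."""
    n, r = len(m), [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                r[i][j] = min(r[i][j], r[i][k] + r[k][j])
    return r

def satisfiable(m):
    """A negative cycle in the potential graph shows up as a negative
    diagonal entry after closure; the constraints then contradict."""
    c = close(m)
    return all(c[i][i] >= 0 for i in range(len(m)))

def leq(m1, m2):
    """m1 is below m2 iff every bound in m2 is implied by the closure of m1."""
    c1, n = close(m1), len(m1)
    return all(c1[i][j] <= m2[i][j] for i in range(n) for j in range(n))

def join(m1, m2):
    """Pointwise max of the closed forms: keep only bounds both sides imply."""
    return [[max(a, b) for a, b in zip(r1, r2)]
            for r1, r2 in zip(close(m1), close(m2))]

def widen(m1, m2):
    """Keep a bound of m1 that m2 does not exceed, else drop it to +inf
    (applied to the stored matrices, not to their closures)."""
    return [[a if b <= a else INF for a, b in zip(r1, r2)]
            for r1, r2 in zip(m1, m2)]

# The two elements from the ordering/widening slides, as constructed inputs.
M1 = dbm([("x", "V0", 5), ("V0", "x", -1), ("y", "V0", 3), ("x", "y", 1)])
M2 = dbm([("x", "V0", 4), ("V0", "x", -1), ("y", "V0", 3),
          ("V0", "y", -1), ("x", "y", 1)])
```

Closing M1 does not produce −y ≤ −1 (the best it can derive is −y ≤ 0 from x − y ≤ 1 and −x ≤ −1), so M2 ⊑ M1 but not the converse; widening M2 with M1 drops both the upper bound on x and the lower bound on y.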
More numerical domains
Octagon abstraction [Miné-01]
Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c
Captures relationships common in programs (array access)
(Figure: an octagon in the x-y plane.)
Some inequality-based relational domains
(Figure: chart comparing inequality-based relational domains; one entry mentions policy iteration.)
Equality-based domains
Simple congruences [Granger'89]: y = a mod k
Linear relations: y = a*x + b
– Join operator a little tricky
Linear equalities [Karr'76]: a1*x1 + … + ak*xk = c
Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c
– Some good results are obtainable when d1 + … + dk < n for some small n
Next lecture: alias analysis