Program Analysis and Verification, Spring 2014. Lecture 14: Numerical Abstractions. Roman Manevich, Ben-Gurion University.

Presentation transcript:


Syllabus
– Semantics: natural semantics, structural semantics, axiomatic verification
– Static analysis: automating Hoare logic, control flow graphs, equation systems, collecting semantics
– Abstract interpretation fundamentals: lattices, fixed-points, chaotic iteration, Galois connections, domain constructors, widening/narrowing
– Analysis techniques: numerical domains, alias analysis, interprocedural analysis, shape analysis, CEGAR
– Crafting your own: Soot, from proofs to abstractions, systematically developing transformers

Previously
– Composing abstract domains (and GCs)
– Widening and narrowing
– Interval domain

Today
Abstractions for properties of numeric variables. Classification:
– Relational vs. non-relational
– Equalities vs. inequalities
– Zones

Numerical Abstractions
[Figure: a polyhedron; image by Quilbert (own work, partially derived from en:Image:Poly.pov), GPL, via Wikimedia Commons]

Overview
Goal: infer numeric properties of program variables (integers, floating point).
Applications:
– Detect division by zero, overflow, out-of-bound array access
– Help non-numerical domains
Classification:
– Non-relational
– (Weakly-)relational
– Equalities / inequalities
– Linear / non-linear
– Exotic

Implementation

Non-relational abstractions

Abstract each variable individually:
– Constant propagation [Kildall '73]
– Intervals (Box), covered in lecture 13
– Sign
– Parity (congruences)
– Assignment 3: arithmetic progressions

Sign abstraction for variable x
Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
Sign = {⊥, neg, 0, pos, ⊤}, ordered ⊥ ⊑ neg, 0, pos ⊑ ⊤ (neg, 0 and pos are pairwise incomparable)
GC_{C,Sign} = (C, α, γ, Sign)
γ(⊥) = ?  γ(neg) = ?  γ(0) = ?  γ(pos) = ?  γ(⊤) = ?
How can we represent x ≠ 0?

Transformer x := y*z
Abstract multiplication on Sign (rows: abstract value of y, columns: abstract value of z):

    *    | ⊥    pos   0     neg   ⊤
    -----+-----------------------------
    ⊥    | ⊥    ⊥     ⊥     ⊥     ⊥
    pos  | ⊥    pos   0     neg   ⊤
    0    | ⊥    0     0     0     0
    neg  | ⊥    neg   0     pos   ⊤
    ⊤    | ⊥    ⊤     0     ⊤     ⊤

Check at home: the abstract transformer is complete.

Transformer x := y+z
Abstract addition on Sign (rows: abstract value of y, columns: abstract value of z):

    +    | ⊥    pos   0     neg   ⊤
    -----+-----------------------------
    ⊥    | ⊥    ⊥     ⊥     ⊥     ⊥
    pos  | ⊥    pos   pos   ⊤     ⊤
    0    | ⊥    pos   0     neg   ⊤
    neg  | ⊥    ⊤     neg   neg   ⊤
    ⊤    | ⊥    ⊤     ⊤     ⊤     ⊤

Check at home: the abstract transformer is not complete.

Parity abstraction for variable x
Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
Parity = {⊥, E, O, ⊤}, ordered ⊥ ⊑ E, O ⊑ ⊤ (E and O are incomparable)
GC_{C,Parity} = (C, α, γ, Parity)
γ(⊥) = ?  γ(E) = ?  γ(O) = ?  γ(⊤) = ?

Transformer x := y+z
Abstract addition on Parity (rows: abstract value of y, columns: abstract value of z):

    +    | ⊥    O     E     ⊤
    -----+-----------------------
    ⊥    | ⊥    ⊥     ⊥     ⊥
    O    | ⊥    E     O     ⊤
    E    | ⊥    O     E     ⊤
    ⊤    | ⊥    ⊤     ⊤     ⊤

Boxes (intervals)
[Figure: a box in the x–y plane with x ∈ [1,4] and y ∈ [3,6]]

Non-relational abstractions
Cannot prove properties that hold simultaneously for several variables, e.g.:
– x = 2*y
– x ≤ y

Practical aspects of non-relational abstractions

The abstraction
The abstract domain for variables x1, …, xn is the Cartesian product of a mini-domain D[x] for a single variable:
– D[x1] × … × D[xn]
– Join, meet, widening and narrowing need to be implemented only for the mini-domain
Usually a non-relational domain is associated with a Galois insertion:
– No reduction required
– The Cartesian product is a reduced product

Sound assignment transformers
Let remove(S, x) be the operation that removes the factoid associated with x from S.
Let factoid(S, x) be the operation that returns the factoid associated with x in S.
⟦x := c⟧# S = remove(S, x) ∪ α({[x ↦ c]})
⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}
⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}
⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}
⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}
⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

Sound assume transformers
⟦assume x=c⟧# S = S ⊓ α({[x ↦ c]})
⟦assume x<c⟧# S = …
⟦assume x=y⟧# S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}
⟦assume x≠c⟧# S = if S ⊑ α({[x ↦ c]}) then ⊥ else S
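To make the remove/factoid scheme of the last two slides concrete, here is an added example (mine, not from the lecture) that instantiates the Cartesian-product domain with the interval mini-domain from the Boxes slide; the function names, the dict representation of S, the treatment of ⊥ as None and the sample box are my own assumptions.

```python
# Added example (not from the slides): the slides' remove/factoid transformers
# instantiated for the interval (box) mini-domain. Names are my own.
import math

INF = math.inf
TOP = (-INF, INF)               # the unconstrained interval

def remove(S, x):               # remove(S, x): drop the factoid about x
    return {v: f for v, f in S.items() if v != x}

def factoid(S, x):              # factoid(S, x): interval for x, TOP if none
    return S.get(x, TOP)

def add(a, b):
    return (a[0] + b[0], a[1] + b[1])

def mul(a, b):
    # all endpoint products; 0 absorbs an infinite endpoint (inf * 0 = 0 here)
    def m(p, q):
        return 0 if p == 0 or q == 0 else p * q
    prods = [m(p, q) for p in a for q in b]
    return (min(prods), max(prods))

def assign_const(S, x, c):      # [[x := c]]# S
    return {**remove(S, x), x: (c, c)}

def assign_var(S, x, y):        # [[x := y]]# S
    return {**remove(S, x), x: factoid(S, y)}

def assign_add(S, x, y, z):     # [[x := y + z]]# S (y, z are read from the old S)
    return {**remove(S, x), x: add(factoid(S, y), factoid(S, z))}

def assign_mul(S, x, y, z):     # [[x := y * z]]# S
    return {**remove(S, x), x: mul(factoid(S, y), factoid(S, z))}

def assume_eq_const(S, x, c):   # [[assume x = c]]# S: meet with x -> [c, c]
    lo, hi = factoid(S, x)
    if not lo <= c <= hi:
        return None             # bottom: the branch is infeasible
    return {**remove(S, x), x: (c, c)}

def assume_ne_const(S, x, c):   # [[assume x != c]]# S
    # bottom only if S already forces x = c; an interval cannot express
    # "x != c" otherwise, so S is returned unchanged (sound but imprecise)
    return None if factoid(S, x) == (c, c) else S

# Constructed sample state: the box x in [1,4], y in [3,6] from the slides.
BOX = {"x": (1, 4), "y": (3, 6)}
```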

(Weakly-)relational abstractions

Relational abstractions
Represent correlations between all program variables:
– Polyhedra
– Linear equalities
When correlations exist only between few variables (usually 2) we say that the abstraction is weakly relational:
– Linear relations example (discussed in class)
– Zone abstraction (next)
– Octagons
– Two-variable polyhedra
– Usually the abstraction is defined as the reduced product of the abstract domain for every pair of variables

Zone abstraction

Zone abstraction [Miné]
Maintain bounded differences between pairs of program variables (useful for tracking array accesses).
An abstract state is a conjunction of linear inequalities of the form x − y ≤ c.
Example (the zone drawn on the slide): x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

Difference bound matrices
– Add a special variable V0 standing for the number 0
– Represent non-existent relations between variables by +∞ entries
– Convenient for defining the partial order between two abstract elements…
The constraints x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 as a DBM (the entry in row Vi, column Vj is the bound c of Vj − Vi ≤ c):

         V0    x     y
    V0   +∞    4     3
    x    −1   +∞    +∞
    y    −1    1    +∞

⊑ = ?

Ordering DBMs
How should we order M1 ⊑ M2?

M1 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

         V0    x     y
    V0   +∞    5     3
    x    −1   +∞    +∞
    y    +∞    1    +∞

M2 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

         V0    x     y
    V0   +∞    4     3
    x    −1   +∞    +∞
    y    −1    1    +∞

Joining DBMs
How should we join M1 ⊔ M2?

M1 = { x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1 }

         V0    x     y
    V0   +∞    2     0
    x    −1   +∞    +∞
    y    +∞    1    +∞

M2 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

         V0    x     y
    V0   +∞    4     3
    x    −1   +∞    +∞
    y    −1    1    +∞

Widening DBMs
How should we widen M1 ∇ M2?

M1 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

         V0    x     y
    V0   +∞    5     3
    x    −1   +∞    +∞
    y    +∞    1    +∞

M2 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

         V0    x     y
    V0   +∞    4     3
    x    −1   +∞    +∞
    y    −1    1    +∞

Potential graph
– A vertex per variable
– A directed edge with the weight of the inequality
– Enables computing semantic reduction by shortest-path algorithms
[Figure: the constraints x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 drawn as a weighted graph over the vertices V0, x, y]
Can we tell whether a system of constraints is satisfiable?

Semantic reduction for zones
Apply the following rule repeatedly:

    x − y ≤ c    y − z ≤ d    x − z ≤ e
    ------------------------------------
           x − z ≤ min{e, c+d}

When should we stop?
Theorem (best abstraction of potential sets and zones): m* = (α_Pot ∘ γ_Pot)(m)
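The DBM operations the last four slides ask about (order, join, widening, shortest-path reduction and the satisfiability question from the potential-graph slide), as an added example that is not part of the lecture; the entry convention, the function names and the use of None for ⊥ are my assumptions, and the matrices are built from the constraint sets on the slides.

```python
# Added example (not from the slides): difference bound matrices for V0 (= 0),
# x and y, with the order, join and widening the slides ask about, and the
# shortest-path closure that implements the rule x - z <= min{e, c + d}.
# Convention assumed here: m[i][j] = c encodes V_j - V_i <= c.
import math

INF = math.inf
VARS = ["V0", "x", "y"]

def dbm(constraints):
    """constraints: (j, i, c) triples meaning V_j - V_i <= c;
    e.g. 'x <= 4' is ("x", "V0", 4) and '-x <= -1' is ("V0", "x", -1)."""
    n = len(VARS)
    m = [[INF] * n for _ in range(n)]
    for j, i, c in constraints:
        a, b = VARS.index(i), VARS.index(j)
        m[a][b] = min(m[a][b], c)      # keep the tightest bound given
    return m

def leq(m1, m2):      # M1 ⊑ M2 iff every bound of M1 is at least as tight
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

def join(m1, m2):     # pointwise max: keep only bounds both sides satisfy
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def widen(m1, m2):    # M1 ∇ M2: a bound that grew from M1 to M2 becomes +inf
    return [[a if b <= a else INF for a, b in zip(r1, r2)]
            for r1, r2 in zip(m1, m2)]

def close(m):
    """Floyd-Warshall over the potential graph: applies
    x - z <= min{e, c + d} until nothing changes (the semantic reduction).
    Returns None if some cycle has negative weight, i.e. the constraints
    are unsatisfiable and the zone is bottom."""
    n = len(m)
    d = [[min(m[i][j], 0) if i == j else m[i][j] for j in range(n)] for i in range(n)]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return None if any(d[i][i] < 0 for i in range(n)) else d

# Constructed inputs: the constraint sets shown on the slides.
M_ORDER_1 = dbm([("x", "V0", 5), ("V0", "x", -1), ("y", "V0", 3), ("x", "y", 1)])
M2 = dbm([("x", "V0", 4), ("V0", "x", -1), ("y", "V0", 3), ("V0", "y", -1), ("x", "y", 1)])
M_JOIN_1 = dbm([("x", "V0", 2), ("V0", "x", -1), ("y", "V0", 0), ("x", "y", 1)])
```

Closing M2 derives the implied bound y − x ≤ 2 (row x, column y), and closing a system such as x ≤ 0 together with −x ≤ −1 exposes the negative cycle V0 → x → V0, which answers the satisfiability question on the potential-graph slide.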

More numerical domains

Octagon abstraction [Miné '01]
An abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c; captures relationships common in programs (array access).

Some inequality-based relational domains
[Figure: chart of inequality-based relational domains; the only legible label is "policy iteration"]

Equality-based domains
– Simple congruences [Granger '89]: y = a mod k
– Linear relations: y = a*x + b (the join operator is a little tricky)
– Linear equalities [Karr '76]: a1*x1 + … + ak*xk = c
– Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c; some good results are obtainable when d1 + … + dk < n for some small n

Next lecture: alias analysis