Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University.
Teaching survey: distributed by e-mail, anonymous.

Syllabus

- Semantics: Natural Semantics, Structural Semantics, Axiomatic Verification
- Static Analysis: Automating Hoare Logic, Control Flow Graphs, Equation Systems, Collecting Semantics
- Abstract Interpretation fundamentals: Lattices, Fixed-Points, Chaotic Iteration, Galois Connections, Domain constructors, Widening/Narrowing
- Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR
- Crafting your own: Soot, From proofs to abstractions, Systematically developing transformers

Previously

- Solving monotone systems via chaotic iteration
- Relating abstract semantics and concrete semantics
  – Galois connection
  – Sound abstract transformers
  – Partial reduction
  – Completeness
- Implementing transformers

Agenda

Question: given existing abstract interpreters (Galois connection + transformers), can we reuse them to construct a new abstract interpreter?
- Composing abstract domains (and Galois connections)
- Reduced product
- Implementing composition of analyses

Composing lattices

Three example analyses

Abstract states are conjunctions of constraints (a larger set of constraints is more precise, so the order is reverse inclusion and join is intersection).

- Variable Equalities
  – VE-factoids = $\{x=y \mid x, y \in Var\} \cup \{\text{false}\}$
  – VE = $(2^{\text{VE-factoids}}, \supseteq, \cap, \cup, \text{false}, \emptyset)$
- Constant Propagation
  – CP-factoids = $\{x=c \mid x \in Var, c \in \mathbb{Z}\} \cup \{\text{false}\}$
  – CP = $(2^{\text{CP-factoids}}, \supseteq, \cap, \cup, \text{false}, \emptyset)$
- Available Expressions
  – AE-factoids = $\{x=y+z \mid x \in Var,\ y, z \in Var \cup \mathbb{Z}\} \cup \{\text{false}\}$
  – AE = $(2^{\text{AE-factoids}}, \supseteq, \cap, \cup, \text{false}, \emptyset)$

Lattice combinators reminder

- Cartesian Product
  – $L_1 = (D_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$, $L_2 = (D_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$
  – $Cart(L_1, L_2) = (D_1 \times D_2, \sqsubseteq_{cart}, \sqcup_{cart}, \sqcap_{cart}, \bot_{cart}, \top_{cart})$
- Disjunctive completion
  – $L = (D, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$
  – $Disj(L) = (2^D, \sqsubseteq_\cup, \sqcup_\cup, \sqcap_\cup, \bot_\cup, \top_\cup)$
- Relational Product
  – $Rel(L_1, L_2) = Disj(Cart(L_1, L_2))$

Cartesian product of complete lattices

For two complete lattices $L_1 = (D_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$ and $L_2 = (D_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$ define the poset $L_{cart} = (D_1 \times D_2, \sqsubseteq_{cart}, \sqcup_{cart}, \sqcap_{cart}, \bot_{cart}, \top_{cart})$ as follows:
- $(x_1, x_2) \sqsubseteq_{cart} (y_1, y_2)$ iff $x_1 \sqsubseteq_1 y_1$ and $x_2 \sqsubseteq_2 y_2$ (join, meet, bottom and top are taken component-wise)
Lemma: $L_{cart}$ is a complete lattice
Define the Cartesian constructor $L_{cart} = Cart(L_1, L_2)$

Composing Galois connections

Goal: given two Galois connections, can we combine them to form a new Galois connection?

Product connection: abstraction

[Figure: the collecting-lattice element {[a↦9, c↦9]} is abstracted to the CP × VE pair ({a=9, c=9}, {c=a}); the empty set of states maps to ⊥.]

Product connection: concretization

[Figure: the pair ({a=9}, {c=a}) concretizes to the intersection of γ_CP({a=9}) = {[a↦9, c↦0], [a↦9, c↦1], …, [a↦9, c↦9], …} and γ_VE({c=a}) = {[a↦9, c↦9], [a↦1, c↦1], [a↦2, c↦2], …}, which is the single state {[a↦9, c↦9]}.]

Cartesian product of GCs

$GC_A = (C, \alpha_A, \gamma_A, A)$, $GC_B = (C, \alpha_B, \gamma_B, B)$
Cartesian Product $GC_{A \times B} = (C, \alpha_{A \times B}, \gamma_{A \times B}, A \times B)$
- $\alpha_{A \times B}(X) = ?$
- $\gamma_{A \times B}(\langle Y_1, Y_2 \rangle) = ?$

Cartesian product of GCs

$GC_A = (C, \alpha_A, \gamma_A, A)$, $GC_B = (C, \alpha_B, \gamma_B, B)$
Cartesian Product $GC_{A \times B} = (C, \alpha_{A \times B}, \gamma_{A \times B}, A \times B)$
- $\alpha_{A \times B}(X) = \langle \alpha_A(X), \alpha_B(X) \rangle$
- $\gamma_{A \times B}(\langle Y_1, Y_2 \rangle) = \gamma_A(Y_1) \cap \gamma_B(Y_2)$

Product vs. reduced product

Product vs. reduced product

[Figure: in the CP × VE lattice the pairs ({a=9}, {c=a}), ({c=9}, {c=a}) and ({a=9, c=9}, {c=a}) all concretize to the same collecting-lattice element {[a↦9, c↦9]}: the product has several abstract elements with one concretization, while the reduced product keeps only the most precise of them.]

Reduced product

For two complete lattices $L_1 = (D_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$ and $L_2 = (D_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$ define the reduced poset
$D_1 \otimes D_2 = \{(d_1, d_2) \in D_1 \times D_2 \mid (d_1, d_2) = \alpha(\gamma(d_1, d_2))\}$
$L_1 \otimes L_2 = (D_1 \otimes D_2, \sqsubseteq_{cart}, \sqcup_{cart}, \sqcap_{cart}, \bot_{cart}, \top_{cart})$

Cartesian product transformers

$GC_A = (C, \alpha_A, \gamma_A, A)$, $F_A[st] : A \to A$
$GC_B = (C, \alpha_B, \gamma_B, B)$, $F_B[st] : B \to B$
Cartesian Product $GC_{A \times B} = (C, \alpha_{A \times B}, \gamma_{A \times B}, A \times B)$
- $\alpha_{A \times B}(X) = (\alpha_A(X), \alpha_B(X))$
- $\gamma_{A \times B}(Y_1, Y_2) = \gamma_A(Y_1) \cap \gamma_B(Y_2)$
How should we define $F_{A \times B}[st] : A \times B \to A \times B$?

Cartesian product transformers

$GC_A = (C, \alpha_A, \gamma_A, A)$, $F_A[st] : A \to A$
$GC_B = (C, \alpha_B, \gamma_B, B)$, $F_B[st] : B \to B$
Cartesian Product $GC_{A \times B} = (C, \alpha_{A \times B}, \gamma_{A \times B}, A \times B)$
- $\alpha_{A \times B}(X) = (\alpha_A(X), \alpha_B(X))$
- $\gamma_{A \times B}(Y_1, Y_2) = \gamma_A(Y_1) \cap \gamma_B(Y_2)$
How should we define $F_{A \times B}[st] : A \times B \to A \times B$?
Idea: $F_{A \times B}[st](a, b) = (F_A[st]\,a,\ F_B[st]\,b)$
Are component-wise transformers precise?

Cartesian product analysis example

Abstract interpreter 1: Constant Propagation
Abstract interpreter 2: Variable Equalities
Let's compare running them separately and combining the results with running the analysis on their Cartesian product.

  a := 9; b := 9; c := a;

States after each statement:
- CP analysis alone: {a=9}, {a=9, b=9}, {a=9, b=9, c=9}
- VE analysis alone: {}, {}, {c=a}
- CP analysis + VE analysis, results combined afterwards: {a=9}, {a=9, b=9}, {a=9, b=9, c=9, c=a}
- CP × VE analysis (component-wise transformers): {a=9}, {a=9, b=9}, {a=9, b=9, c=9, c=a}

Missing: {a=b, b=c}. Both equalities are implied by the constants, but neither component can derive them on its own.

Transformers for Cartesian product

Naïve (component-wise) transformers do not utilize information from both components: this is the same as running the analyses separately and then combining the results.
Can we treat the transformers of each analysis as black boxes and obtain the best transformer for their combination?

Can we combine transformers modularly? No: there is no generic method that works for arbitrary abstract interpretations.

Implementing approximate reduced product

Reducing values for CP × VE

X = set of CP constraints of the form x=c (e.g., a=9)
Y = set of VE constraints of the form x=y
$Reduce_{CP \times VE}(X, Y) = (X', Y')$ such that $(X', Y') \sqsubseteq (X, Y)$ and $\gamma(X', Y') = \gamma(X, Y)$

Ideas?

- ReduceLeft: if $a=c \in X$ and $a=b \in Y$ then add $b=c$ to X
- ReduceRight: if $a=c \in X$ and $b=c \in X$ then add $a=b$ to Y

Keep applying ReduceLeft and ReduceRight, and the reductions of each domain separately, until reaching a fixed point.

All the code you need to obtain a basic CP × VE implementation

Implementing reduction for CP × VE

Transformers for Cartesian product

Do we get the best transformer by applying the component-wise transformer followed by reduction?
- Unfortunately, no (what's the intuition?)
Can we do better?
- Logical Product [Gulwani and Tiwari, PLDI 2006]

A modular approach for approximating reduced product

Logical product

Idea: use equalities as a common reasoning tool to pass information between two domains.
Assume $A = (D, \ldots)$ is an abstract domain that supports two operations, for $x \in D$:
- inferEqualities(x) = $\{a=b \mid \gamma(x) \models a=b\}$: returns a set of equalities between variables that are satisfied in all states given by x
- refineFromEqualities(x, {a=b}) = y such that $\gamma(x) = \gamma(y)$ and $y \sqsubseteq x$

Need to implement the interface. When the interface is not implemented, default versions of these operations are used.
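An added worked example (my own code, not the lecture's implementation): the ReduceLeft/ReduceRight reduction for CP × VE from the "Reducing values" slides, expressed through the inferEqualities / refineFromEqualities interface of the logical-product slide, and run over the lecture's program a := 9; b := 9; c := a both component-wise and with reduction after every statement. Assumptions made here: a statement is a pair (lhs, rhs) with rhs an integer constant or a variable name, a CP state is a dict from variables to constants, a VE state is a closed set of variable pairs, and the helper names are mine.

```python
# Added illustration, not the lecture's code: constant propagation (CP) and
# variable equalities (VE) combined as a Cartesian product, with the lecture's
# ReduceLeft/ReduceRight reduction expressed through the inferEqualities /
# refineFromEqualities interface of the logical product.  Assumed encoding:
# a statement is (lhs, rhs) with rhs an int constant or a variable name.

BOTTOM = None   # the abstract state "false" (unreachable)

def closure(eqs):
    """All pairs (a, b), a < b, implied by eqs (reflexive-symmetric-transitive)."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for a, b in eqs:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    classes = {}
    for v in parent:
        classes.setdefault(find(v), []).append(v)
    out = set()
    for vs in classes.values():
        vs.sort()
        out.update((vs[i], vs[j]) for i in range(len(vs)) for j in range(i + 1, len(vs)))
    return out

# --- CP: dict var -> int; an absent variable is unknown (top) ---------------

def cp_transfer(x, stmt):
    if x is BOTTOM:
        return BOTTOM
    lhs, rhs = stmt
    y = dict(x)
    val = rhs if isinstance(rhs, int) else x.get(rhs)
    if val is None:
        y.pop(lhs, None)            # rhs unknown, so lhs becomes unknown
    else:
        y[lhs] = val
    return y

def cp_infer_equalities(x):
    """a=b holds in all of gamma(x) iff a and b map to the same constant."""
    if x is BOTTOM:
        return set()
    by_val = {}
    for v, c in x.items():
        by_val.setdefault(c, []).append(v)
    return closure((vs[0], v) for vs in by_val.values() for v in vs[1:])

def cp_refine_from_equalities(x, eqs):
    """ReduceLeft: a=c in CP and a=b in VE give b=c.  Two different
    constants for variables known to be equal make the state false."""
    if x is BOTTOM:
        return BOTTOM
    y = dict(x)
    for a, b in closure(eqs):
        if a in y and b in y and y[a] != y[b]:
            return BOTTOM
        if a in y:
            y[b] = y[a]
        elif b in y:
            y[a] = y[b]
    return y

# --- VE: closed set of pairs (a, b), a < b ---------------------------------

def ve_transfer(x, stmt):
    if x is BOTTOM:
        return BOTTOM
    lhs, rhs = stmt
    if rhs == lhs:
        return x                    # x := x changes nothing
    kept = {(a, b) for a, b in x if lhs not in (a, b)}   # kill facts about lhs
    if isinstance(rhs, str):
        kept.add(tuple(sorted((lhs, rhs))))
    return closure(kept)

def ve_infer_equalities(x):
    return set() if x is BOTTOM else set(x)

def ve_refine_from_equalities(x, eqs):
    """ReduceRight: equalities implied by the constants are added to VE."""
    return BOTTOM if x is BOTTOM else closure(x | set(eqs))

def reduce_pair(cp, ve):
    """Exchange equalities in both directions until nothing changes."""
    while True:
        cp2 = cp_refine_from_equalities(cp, ve_infer_equalities(ve))
        ve2 = ve_refine_from_equalities(ve, cp_infer_equalities(cp2))
        if cp2 is BOTTOM or ve2 is BOTTOM:
            return BOTTOM, BOTTOM
        if cp2 == cp and ve2 == ve:
            return cp, ve
        cp, ve = cp2, ve2

def analyze(program, reduce=True):
    """(CP, VE) pair after each statement of a straight-line program."""
    cp, ve, trace = {}, set(), []
    for stmt in program:
        cp, ve = cp_transfer(cp, stmt), ve_transfer(ve, stmt)
        if reduce:
            cp, ve = reduce_pair(cp, ve)
        trace.append((cp, BOTTOM if ve is BOTTOM else frozenset(ve)))
    return trace

PROGRAM = [("a", 9), ("b", 9), ("c", "a")]   # a := 9; b := 9; c := a
```

Calling analyze(PROGRAM, reduce=False) gives the component-wise result of the slides (VE ends with only c=a); analyze(PROGRAM) gives a=b after the second statement and a=b, a=c, b=c after the third. The reduction also catches contradictions: a CP state with x=1, y=2 paired with the VE fact x=y reduces to (false, false), which the component-wise product would never notice.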

VE

CP

Implementing CP × VE × AE

Reducing Cartesian elements


Logical Product: basically the strongest postcondition, safely abstracting the existential quantifier.

Abstracting the existential: reduce the pair, then abstract away the existential quantifier in each domain.

Combined analysis example

Disjunctive completion for path sensitivity

Information loss example (CP)

  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0

CP states along the program: {} at entry, {b=5} and {b=-5} after the two branches of the first if, true (nothing known about b) after the join; the assertion can't be proved.

Constant Propagation example: all information about b is lost at the control-flow join.

Disjunctive completion of a lattice

For a complete lattice $L = (D, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ define the powerset lattice $L_\cup = (2^D, \sqsubseteq_\cup, \sqcup_\cup, \sqcap_\cup, \bot_\cup, \top_\cup)$
- $\sqsubseteq_\cup$ = ?
- $\sqcup_\cup$ = ?
- $\sqcap_\cup$ = ?
- $\bot_\cup$ = ?
- $\top_\cup$ = ?
Lemma: $L_\cup$ is a complete lattice
$L_\cup$ contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
Define the disjunctive completion constructor $L_\cup = Disj(L)$

Disjunctive completion for GCs

$GC_A = (C, \alpha_A, \gamma_A, A)$
Disjunctive completion $GC_{P(A)} = (C, \alpha_{P(A)}, \gamma_{P(A)}, P(A))$
- $\alpha_{P(A)}(X) = ?$
- $\gamma_{P(A)}(Y) = ?$

Disjunctive completion for GCs

$GC_A = (C, \alpha_A, \gamma_A, A)$
Disjunctive completion $GC_{P(A)} = (C, \alpha_{P(A)}, \gamma_{P(A)}, P(A))$
- $\alpha_{P(A)}(X) = \{\alpha_A(\{x\}) \mid x \in X\}$
- $\gamma_{P(A)}(Y) = \bigcup \{\gamma_A(y) \mid y \in Y\}$
What about transformers?

Information loss example (with Disj(CP))

  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0

States along the program: {} at entry, {b=5} and {b=-5} after the branches, {b=5 ∨ b=-5} after the join, {b=0} after the second if; the assertion is proved.

Disj(CP) example

The base lattice CP

[Hasse diagram: true (top) above the pairwise incomparable elements …, {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …, all of which are above false (bottom).]

The disjunctive completion of CP

[Hasse diagram: false at the bottom; above it the singletons {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …; above those the pairs {x=-2 ∨ x=-1}, {x=-2 ∨ x=0}, {x=-2 ∨ x=1}, {x=1 ∨ x=2}, …; above those the triples {x=0 ∨ x=1 ∨ x=2}, {x=-1 ∨ x=1 ∨ x=-2}, …; and so on up to true (top).]

What is the height of this lattice?

Mixing product and disjunctive completion

Taming disjunctive completion

Disjunctive completion is very precise:
- Maintains the distinction between different execution paths
- Helps handle conditions precisely
- But it is very expensive: the number of abstract states grows exponentially in the number of conditions
- May lead to non-termination
The base analysis is less precise but terminates.
How can we increase precision and avoid non-termination?

Taming disjunctive completion

Use different abstractions for different program locations:
- At loop heads use the coarse abstraction (base)
- At other points use disjunctive completion
Termination is guaranteed (by the base domain); precision is increased inside the loop body.

With Disj(CP)

  while (…) {
    x := x+1
    if (…) b := 5 else b := -5
    if (b>0) b := b-5 else b := b+5
    assert b==0
  }

Doesn't terminate.

With tamed Disj(CP)

  while (…) {
    x := x+1
    if (…) b := 5 else b := -5
    if (b>0) b := b-5 else b := b+5
    assert b==0
  }

Terminates: CP at the loop head, Disj(CP) elsewhere. This is what DisjunctiveDomain implements.

DisjunctiveDomain(CP) example

Reducing disjunctive elements

A disjunctive set X may contain within it an ascending chain $Y = a \sqsubseteq b \sqsubseteq c \sqsubseteq \ldots$; we only need max(Y), so remove all elements below it.
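An added worked example (my own code, not the lecture's DisjunctiveDomain) covering the disjunctive-completion slides above: Disj(CP) on the branching example, the loop example on which plain Disj(CP) never reaches a fixed point, the tamed variant that collapses the disjunction into a single CP element at the loop head, and the chain reduction of the last slide. Assumptions made here: the tuple encoding of statements, an explicit x := 0 before the loop (the slide does not show how x is initialized), the iteration bound fuel, and all function names.

```python
# Added illustration, not the lecture's DisjunctiveDomain: Disj(CP) on the
# branching example, the loop example on which plain Disj(CP) reaches no fixed
# point, and the tamed variant that joins all disjuncts into one CP element at
# the loop head.  Assumed here: the tuple encoding of statements, an explicit
# x := 0 before the loop (the slide leaves x uninitialized), and the bound fuel.
#
# A CP element is a frozenset of (var, const) facts; an absent var is unknown.
# A Disj(CP) element is a set of CP elements; the empty set is "false".

def reduce_disj(S):
    """Drop each disjunct lying strictly below another one: of an ascending
    chain a < b < c only the maximum matters.  t < s: t is a proper subset."""
    return {s for s in S if not any(t < s for t in S)}

def collapse(S):
    """Join all disjuncts in the base domain CP (keep the facts all share)."""
    S = list(S)
    if not S:
        return set()
    acc = S[0]
    for s in S[1:]:
        acc = acc & s
    return {acc}

def cp_eval(env, expr):
    """Constant value of expr in env, or None when unknown."""
    if isinstance(expr, int):
        return expr
    if isinstance(expr, str):
        return env.get(expr)
    x, op, c = expr                       # (var, '+' | '-', const)
    if x not in env:
        return None
    return env[x] + c if op == '+' else env[x] - c

def cp_assign(d, var, expr):
    env = dict(d)
    val = cp_eval(env, expr)
    env.pop(var, None)
    if val is not None:
        env[var] = val
    return frozenset(env.items())

def cp_assume(d, var, op, c):
    """Filter by a test; None when the test is definitely false in d."""
    env = dict(d)
    if var not in env:
        return d                          # unknown value: CP cannot refine
    holds = env[var] > c if op == '>' else env[var] <= c
    return d if holds else None

def assume_all(S, var, op, c):
    return {r for r in (cp_assume(d, var, op, c) for d in S) if r is not None}

class NonTermination(Exception):
    pass

def run(stmts, S, mode, report, fuel=20):
    """mode 'cp': collapse at every join; 'disj': never; 'tamed': at loop heads."""
    join = collapse if mode == 'cp' else (lambda T: T)
    for st in stmts:
        kind = st[0]
        if kind == 'assign':
            S = {cp_assign(d, st[1], st[2]) for d in S}
        elif kind == 'choice':            # if (...) with an unknown test
            S = join(reduce_disj(run(st[1], S, mode, report, fuel)
                                 | run(st[2], S, mode, report, fuel)))
        elif kind == 'if':
            var, op, c = st[1]
            neg = '<=' if op == '>' else '>'
            S = join(reduce_disj(run(st[2], assume_all(S, var, op, c), mode, report, fuel)
                                 | run(st[3], assume_all(S, var, neg, c), mode, report, fuel)))
        elif kind == 'while':             # loop with an unknown exit test
            head = S
            for _ in range(fuel):
                if mode != 'disj':
                    head = collapse(head)
                nxt = reduce_disj(head | run(st[1], head, mode, report, fuel))
                if mode != 'disj':
                    nxt = collapse(nxt)
                if nxt == head:
                    break
                head = nxt
            else:
                raise NonTermination
            S = head
        elif kind == 'assert':            # record whether var == const is proved
            report.append(all(dict(d).get(st[1]) == st[2] for d in S))
    return S

def analyze(stmts, mode):
    """(final states, assert outcomes), or None if no fixed point within fuel."""
    report = []
    try:
        return run(stmts, {frozenset()}, mode, report), report
    except NonTermination:
        return None

BRANCHES = [
    ('choice', [('assign', 'b', 5)], [('assign', 'b', -5)]),
    ('if', ('b', '>', 0), [('assign', 'b', ('b', '-', 5))], [('assign', 'b', ('b', '+', 5))]),
    ('assert', 'b', 0),
]
LOOP = [('assign', 'x', 0), ('while', [('assign', 'x', ('x', '+', 1))] + BRANCHES)]
```

analyze(BRANCHES, 'cp') reproduces the information-loss slide (the assertion is not proved), analyze(BRANCHES, 'disj') proves it, analyze(LOOP, 'disj') keeps adding a disjunct x=k per iteration and gives up at the fuel bound, and analyze(LOOP, 'tamed') stabilizes after two iterations with the assertion proved on every pass through the body.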

Relational product construction

Cartesian product example: all information about b is lost at the control-flow join.

Relational product of lattices

$L_1 = (D_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$, $L_2 = (D_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$
$L_{rel} = (2^{D_1 \times D_2}, \sqsubseteq_{rel}, \sqcup_{rel}, \sqcap_{rel}, \bot_{rel}, \top_{rel})$, defined as follows:
- $L_{rel} = Disj(Cart(L_1, L_2))$
Lemma: $L_{rel}$ is a complete lattice
What does it buy us?
- How does it relate to $Cart(Disj(L_1), Disj(L_2))$?
What about transformers?

Relational product of GCs

$GC_A = (C, \alpha_A, \gamma_A, A)$, $GC_B = (C, \alpha_B, \gamma_B, B)$
Relational Product $GC_{P(A \times B)} = (C, \alpha_{P(A \times B)}, \gamma_{P(A \times B)}, P(A \times B))$
- $\alpha_{P(A \times B)}(X) = ?$
- $\gamma_{P(A \times B)}(Y) = ?$

Relational product of GCs

$GC_A = (C, \alpha_A, \gamma_A, A)$, $GC_B = (C, \alpha_B, \gamma_B, B)$
Relational Product $GC_{P(A \times B)} = (C, \alpha_{P(A \times B)}, \gamma_{P(A \times B)}, P(A \times B))$
- $\alpha_{P(A \times B)}(X) = \{(\alpha_A(\{x\}), \alpha_B(\{x\})) \mid x \in X\}$
- $\gamma_{P(A \times B)}(Y) = \bigcup \{\gamma_A(y_A) \cap \gamma_B(y_B) \mid (y_A, y_B) \in Y\}$

Relational product example: correlations preserved.

Function space construction

Function space

$GC_A = (C, \alpha_A, \gamma_A, A)$, $GC_B = (C, \alpha_B, \gamma_B, B)$
Denote the set of monotone functions from A to B by $A \to B$
Define $\sqcup$ for elements of $A \to B$ as follows: $(a_1, b_1) \sqcup (a_2, b_2) =$ if $a_1 = a_2$ then $\{(a_1, b_1 \sqcup_B b_2)\}$ else $\{(a_1, b_1), (a_2, b_2)\}$
Reduced cardinal power $GC_{A \to B} = (C, \alpha_{A \to B}, \gamma_{A \to B}, A \to B)$
- $\alpha_{A \to B}(X) = \bigsqcup \{(\alpha_A(\{x\}), \alpha_B(\{x\})) \mid x \in X\}$
- $\gamma_{A \to B}(Y) = \bigcup \{\gamma_A(y_A) \cap \gamma_B(y_B) \mid (y_A, y_B) \in Y\}$
Useful when A is small and B is much larger, e.g., typestate verification

Next lecture: abstract interpretation V