Download presentation
Presentation is loading. Please wait.
1
Spring 2016 Program Analysis and Verification
Lecture 13: Numerical Abstractions Roman Manevich Ben-Gurion University
2
Tentative syllabus Program Verification Program Analysis Basics
Operational semantics Hoare Logic Applying Hoare Logic Weakest Precondition Calculus Proving Termination Data structures Automated Verification Program Analysis Basics From Hoare Logic to Static Analysis Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals Lattices Fixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR
3
Previously Composing abstract domains (and GCs) Widening and narrowing
Interval domain
4
Agenda Abstractions for properties of numeric variables
Classification: Relational vs. non-relational Equalities vs. non-equalities Zones
5
Numerical Abstractions
By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL ( via Wikimedia Commons
6
Overview Goal: infer numeric properties of program variables (integers, floating point) Applications Detect division by zero, overflow, out-of-bound array access Help non-numerical domains Classification Non-relational (Weakly-)relational Equalities / Inequalities Linear / non-linear Exotic
7
Implementation
8
Non-relational abstractions
9
Non-relational abstractions
Abstract each variable individually Constant propagation [Kildall’73] Intervals (Box) Covered in previous lecture Sign Parity (congruences) Zones
10
Sign abstraction for variable x
Concrete lattice: C = (2State, , , , , State) Sign = {, neg, 0, pos, } GCC,Sign=(C, , , Sign) Concretization () = (neg) = (0) = (pos) = () = Abstraction ({17}) = ({17, 0}) = ({-1, 1}) = How can we represent 0? neg pos
11
Transformer x:=y*z pos neg * Is it complete?
12
Transformer x:=y*z pos neg * Check at home:
neg * Check at home: Abstract transformer is complete
13
Transformer x:=y+z pos neg + Is it complete?
14
Transformer x:=y+z pos neg + Check at home:
neg + Check at home: Abstract transformer is not complete
15
Parity abstraction for variable x
Concrete lattice: C = (2State, , , , , State) Parity = {, E, O, } GCC,Parity=(C, , , Parity) () = ? (E) = ? (O) = ? () = ? E O
16
Transformer x:=y+z O E +
17
Transformer x:=y+z O E +
18
Boxes (intervals) y 6 5 y [3,6] 4 3 2 1 1 2 3 4 x x [1,4]
19
Non-relational abstractions
Cannot prove properties that hold simultaneous for several variables x = 2*y x ≤ y
20
Practical aspects of Non-relational abstractions
21
The abstraction Abstract domain for variables x1,…,xn is the Cartesian product of a sub-domain for one variable D[x] D[x1] … D[xn] Need to implement join, meet, widening, narrowing just for sub-domain Usually a non-relational is associated with a Galois Insertion No reduction required The Cartesian product is a reduced product
22
Sound assignment transformers
Let remove(S, x) be the operation that removes the factoid associated with x from S Let factoid(S, x) be the operation that returns the factoid associated with x in S x := c# S = remove(S, x) ({[xc]}) x := y# S = remove(S, x) {factoid(S, y)[x/y]} x := y+c# S = remove(S, x) {factoid(S, y)[x/y] + c} x := y+z# S = remove(S, x) {factoid(S, y)[x/y] + factoid(S, z)[x/z]} x := y*c# S = remove(S, x) {factoid(S, y)[x/y] * c} x := y*z# S = remove(S, x) {factoid(S, y)[x/y] * factoid(S, z)[x/z]}
23
Sound assume transformers
assume x=c# S = S ({[xc]}) assume x<c# S = … assume x=y# S = S {factoid(S, y)[x/y]} {factoid(S, x)[y/x]} assume xc# S = if S ({[xc]}) then else S
24
(Weakly-)relational abstractions
25
Relational abstractions
Represent correlations between all program variables Polyhedra Linear equalities When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational Linear relations example (discussed in class) Zone abstraction (next) Octagons Two-variable polyhedra Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables
26
Zone abstraction
27
Zone abstraction [Mine]
Maintain bounded differences between a pair of program variables (useful for tracking array accesses) Abstract state is a conjunction of linear inequalities of the form x-yc y 6 x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 5 4 3 2 1 1 2 3 4 x
28
Difference bound matrices
Add a special V0 variable for the number 0 Represent non-existent relations between variables by + entries Convenient for defining the partial order between two abstract elements… =? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 y x V0 3 4 + -1 1
29
Ordering DBMs How should we order M1 M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1
V0 3 4 + -1 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 y x V0 3 5 + -1 1 M2 =
30
Joining DBMs How should we join M1 M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1
V0 3 4 + -1 1 M1 = x ≤ 2 −x ≤ −1 y ≤ 0 x − y ≤ 1 y x V0 2 + -1 1 M2 =
31
Widening DBMs How should we widen M1 M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1
V0 3 4 + -1 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 y x V0 3 5 + -1 1 M2 =
32
Potential graph A vertex per variable
A directed edge with the weight of the inequality Enables computing semantic reduction by shortest-path algorithms x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 V0 3 -1 -1 3 x y 1 Can we tell whether a system of constraints is satisfiable? Can you define a semantic reduction?
33
Semantic reduction for zones
Apply the following rule repeatedly x - y ≤ c y - z ≤ d x - z ≤ e x - z ≤ min{e, c+d} When should we stop? Theorem Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)
34
Zones assignment transformers
remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x) …? x := y+c# S = remove(S, x) …? x := -y# S = remove(S, x) …? x := y-z# S = remove(S, x) …? x := y+z# S = …?
35
Zones assignment transformers
remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x) {x-V0≤c, V0-x≤c} x := y+c# S = remove(S, x) {x-y≤c, y-x≤-c} x := -y# S = remove(S, x) {x-V0≤c | V0-y≤c} {V0-x≤-c | y-V0≤c} x := y-z# S = remove(S, x) {x≤c} where c=min{c1-c2 | y-w≤c1, z-w≤c2} x := y+z# S = x := y-t#(t := -z# S)
36
More numerical domains
37
Octagon abstraction [Mine-01]
Abstract state is an intersection of linear inequalities of the form x y c captures relationships common in programs (array access)
38
Some inequality-based relational domains
policy iteration
39
What is the polyhedron abstraction?
How do we abstract a circle? y x
40
Equality-based domains
Simple congruences [Granger’89]: y=a mod k Linear equalities [Karr’76]: a1*x1+…+ak*xk = c Polynomial equalities: a1*x1d1*…*xkdk + b1*y1z1*…*ykzk + … = c Some good results are obtainable when d1+…+dk < n for some small n
41
Exercise: 2-linear relations
Infer linear relations between pairs of variables: y=a*x+b Handout
42
see you next time
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.