Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spring 2016 Program Analysis and Verification

Similar presentations


Presentation on theme: "Spring 2016 Program Analysis and Verification"— Presentation transcript:

1 Spring 2016 Program Analysis and Verification
Lecture 13: Numerical Abstractions Roman Manevich Ben-Gurion University

2 Tentative syllabus Program Verification Program Analysis Basics
Operational semantics Hoare Logic Applying Hoare Logic Weakest Precondition Calculus Proving Termination Data structures Automated Verification Program Analysis Basics From Hoare Logic to Static Analysis Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals Lattices Fixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR

3 Previously Composing abstract domains (and GCs) Widening and narrowing
Interval domain

4 Agenda Abstractions for properties of numeric variables
Classification: Relational vs. non-relational Equalities vs. non-equalities Zones

5 Numerical Abstractions
By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL ( via Wikimedia Commons

6 Overview Goal: infer numeric properties of program variables (integers, floating point) Applications Detect division by zero, overflow, out-of-bound array access Help non-numerical domains Classification Non-relational (Weakly-)relational Equalities / Inequalities Linear / non-linear Exotic

7 Implementation

8 Non-relational abstractions

9 Non-relational abstractions
Abstract each variable individually Constant propagation [Kildall’73] Intervals (Box) Covered in previous lecture Sign Parity (congruences) Zones

10 Sign abstraction for variable x
Concrete lattice: C = (2State, , , , , State) Sign = {, neg, 0, pos, } GCC,Sign=(C, , , Sign) Concretization () = (neg) = (0) = (pos) = () = Abstraction ({17}) = ({17, 0}) = ({-1, 1}) = How can we represent 0? neg pos

11 Transformer x:=y*z pos neg * Is it complete?

12 Transformer x:=y*z  pos neg  * Check at home:
neg * Check at home: Abstract transformer is complete

13 Transformer x:=y+z pos neg + Is it complete?

14 Transformer x:=y+z  pos neg  + Check at home:
neg + Check at home: Abstract transformer is not complete

15 Parity abstraction for variable x
Concrete lattice: C = (2State, , , , , State) Parity = {, E, O, } GCC,Parity=(C, , , Parity) () = ? (E) = ? (O) = ? () = ? E O

16 Transformer x:=y+z O E +

17 Transformer x:=y+z O E +

18 Boxes (intervals) y 6 5 y  [3,6] 4 3 2 1 1 2 3 4 x x  [1,4]

19 Non-relational abstractions
Cannot prove properties that hold simultaneous for several variables x = 2*y x ≤ y

20 Practical aspects of Non-relational abstractions

21 The abstraction Abstract domain for variables x1,…,xn is the Cartesian product of a sub-domain for one variable D[x] D[x1]  …  D[xn] Need to implement join, meet, widening, narrowing just for sub-domain Usually a non-relational is associated with a Galois Insertion No reduction required The Cartesian product is a reduced product

22 Sound assignment transformers
Let remove(S, x) be the operation that removes the factoid associated with x from S Let factoid(S, x) be the operation that returns the factoid associated with x in S x := c# S = remove(S, x)  ({[xc]}) x := y# S = remove(S, x)  {factoid(S, y)[x/y]} x := y+c# S = remove(S, x)  {factoid(S, y)[x/y] + c} x := y+z# S = remove(S, x)  {factoid(S, y)[x/y] + factoid(S, z)[x/z]} x := y*c# S = remove(S, x)  {factoid(S, y)[x/y] * c} x := y*z# S = remove(S, x)  {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

23 Sound assume transformers
assume x=c# S = S  ({[xc]}) assume x<c# S = … assume x=y# S = S  {factoid(S, y)[x/y]}  {factoid(S, x)[y/x]} assume xc# S = if S  ({[xc]}) then  else S

24 (Weakly-)relational abstractions

25 Relational abstractions
Represent correlations between all program variables Polyhedra Linear equalities When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational Linear relations example (discussed in class) Zone abstraction (next) Octagons Two-variable polyhedra Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables

26 Zone abstraction

27 Zone abstraction [Mine]
Maintain bounded differences between a pair of program variables (useful for tracking array accesses) Abstract state is a conjunction of linear inequalities of the form x-yc y 6 x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 5 4 3 2 1 1 2 3 4 x

28 Difference bound matrices
Add a special V0 variable for the number 0 Represent non-existent relations between variables by + entries Convenient for defining the partial order between two abstract elements… =? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 y x V0 3 4 + -1 1

29 Ordering DBMs How should we order M1  M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1
V0 3 4 + -1 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 y x V0 3 5 + -1 1 M2 =

30 Joining DBMs How should we join M1  M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1
V0 3 4 + -1 1 M1 = x ≤ 2 −x ≤ −1 y ≤ 0 x − y ≤ 1 y x V0 2 + -1 1 M2 =

31 Widening DBMs How should we widen M1  M2? x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1
V0 3 4 + -1 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 y x V0 3 5 + -1 1 M2 =

32 Potential graph A vertex per variable
A directed edge with the weight of the inequality Enables computing semantic reduction by shortest-path algorithms x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 V0 3 -1 -1 3 x y 1 Can we tell whether a system of constraints is satisfiable? Can you define a semantic reduction?

33 Semantic reduction for zones
Apply the following rule repeatedly x - y ≤ c y - z ≤ d x - z ≤ e x - z ≤ min{e, c+d} When should we stop? Theorem Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)

34 Zones assignment transformers
remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x)  …? x := y+c# S = remove(S, x)  …? x := -y# S = remove(S, x)  …? x := y-z# S = remove(S, x)  …? x := y+z# S = …?

35 Zones assignment transformers
remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x)  {x-V0≤c, V0-x≤c} x := y+c# S = remove(S, x)  {x-y≤c, y-x≤-c} x := -y# S = remove(S, x)  {x-V0≤c | V0-y≤c}  {V0-x≤-c | y-V0≤c} x := y-z# S = remove(S, x)  {x≤c} where c=min{c1-c2 | y-w≤c1, z-w≤c2} x := y+z# S = x := y-t#(t := -z# S)

36 More numerical domains

37 Octagon abstraction [Mine-01]
Abstract state is an intersection of linear inequalities of the form x y c captures relationships common in programs (array access)

38 Some inequality-based relational domains
policy iteration

39 What is the polyhedron abstraction?
How do we abstract a circle? y x

40 Equality-based domains
Simple congruences [Granger’89]: y=a mod k Linear equalities [Karr’76]: a1*x1+…+ak*xk = c Polynomial equalities: a1*x1d1*…*xkdk + b1*y1z1*…*ykzk + … = c Some good results are obtainable when d1+…+dk < n for some small n

41 Exercise: 2-linear relations
Infer linear relations between pairs of variables: y=a*x+b Handout

42 see you next time


Download ppt "Spring 2016 Program Analysis and Verification"

Similar presentations


Ads by Google