Slide 1: Inferring Disjunctive Postconditions
Corneliu Popeea and Wei-Ngan Chin, School of Computing, National University of Singapore. ASIAN 2006.
Slide 2: Motivation: Infer Precise Invariants
  x:=0;
  while (x<len(A)) {        /* l1 */
    if (…) {                /* check if a new minimum has been found */
      m:=x;
    }
    x:=x+1;
  }
  return A[m];              /* assert (0 ≤ m < len(A)) */
Compute an invariant at l1 over inputs (x,m,s) and outputs (x',m'), where s stands for len(A):
  (x,m,s,x',m') :- (x ≥ s ∧ x'=x ∧ m'=m)
               ∨ (x < s ∧ x'=s ∧ m'=m)
               ∨ (x < s ∧ x'=s ∧ x ≤ m' < x')
What invariant at l1 proves the assertion?
Slide 3: Related: Numerical Abstract Domains
Conjunctive numerical abstract domains:
  Interval domain: ±x ≤ c [Cousot et al: ISOP'76]
  Polyhedron domain: a1·x1 + .. + an·xn ≤ c [Cousot et al: POPL'78]
Disjunctive numerical abstract domains:
  Powerset extension of an abstract domain [Cousot et al: POPL'79]
  Powerset widening [Bagnara et al: VMCAI'04] [Gulavani et al: TACAS'06]
  Hulling based on Hausdorff distance [Sankaranarayanan et al: SAS'06]
Slide 4: Overview
  Constraint abstraction: collected from the method body.
  Conjunctive fixpoint analysis.
  Disjunctive fixpoint analysis.
  Experimental results.
Slide 5: Constraint Abstraction
A method is translated to a constraint abstraction:
  void mnD (ref int x) { if x>0 { x:=x-1; mnD(x); } else () }
  mnD(x,x') = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ ∃x1.(x1=x-1 ∧ mnD(x1,x')))
The recursive call is instantiated by the substitution from formal to actual arguments, [x → x1, x' → x'].
Next step: derive the lfp of this recursive constraint.
Slide 6: Abstract Domain of Polyhedra [Cousot-Halbwachs: POPL'78]
Defined as a lattice ⟨L, ⊑, ⊔, ⊓, ⊥, ⊤⟩:
  abstract element: conjunction of linear inequalities (convex polyhedron)
  partial order:    F1 ⊑ F2  =  F1 ⇒ F2
  bottom:           ⊥ = False
  top:              ⊤ = True
  lub:              F1 ⊔ F2  =  hull(F1 ∨ F2)
  glb:              F1 ⊓ F2  =  F1 ∧ F2
A constraint abstraction (CAbst) is a monotone function f: L → L:
  ∀F1,F2 ∈ L: if F1 ⊑ F2 then f(F1) ⊑ f(F2)
Slide 7: Fixpoint Analysis
mnD(x,x') = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ ∃x1.(x1=x-1 ∧ mnD(x1,x')))
  - a relation over inputs (x) and outputs (x')
mnD^0 = False
mnD^(i+1) = mnD(mnD^i)
Ascending chain: False ⊑ mnD^1 ⊑ mnD^2 ⊑ .. ⊑ mnD^i ⊑ ..
Slide 8: Conjunctive Fixpoint Analysis
mnD^1 = mnD(False) = (x ≤ 0 ∧ x'=x)
mnD^2 = mnD(mnD^1) = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ ∃x1.(x1=x-1 ∧ mnD^1(x1,x')))
      = hull((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0))
      = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
mnD^3 = mnD(mnD^2) = (x-2 ≤ x' ≤ x ∧ x' ≤ 0)
The lattice of polyhedra has infinite height: use a widening operator.
mnD^W2 = widen(mnD^2, mnD^3) = (x' ≤ x ∧ x' ≤ 0)
A post-fixpoint has been found when mnD(mnD^i) ⇒ mnD^i:
mnD^W3 = mnD(mnD^W2) = (x' ≤ x ∧ x' ≤ 0)
Slide 9: Conjunctive Analysis
mnD_CONJ = (x' ≤ x ∧ x' ≤ 0)
mnD_DISJ = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ x'=0)
More precision? Disjunctive analysis, keeping the iterates as disjunctions:
mnD^1 = (x ≤ 0 ∧ x'=x)
mnD^2 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0)
mnD^3 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0)
...
Slide 10: Powerset Abstract Domain of Polyhedra
Defined as a semi-lattice ⟨L, ⊑, ⊔, ⊥, ⊤⟩:
  abstract element: m-bounded disjunction of convex polyhedra
  partial order:    F1 ⊑ F2  =  F1 ⇒ F2
  bottom:           ⊥ = False
  top:              ⊤ = True
  lub:              F1 ⊔ F2  =  hull_m(F1 ∨ F2)
Slide 11: Disjunctive Fixpoint Analysis
Key problems:
  Maintain precision at reasonable cost.
  Ensure termination of the analysis (with a widening operator).
Main contributions:
  Use disjunct affinity to lift both the hulling and the widening operators from the conjunctive to the disjunctive domain.
  Precise and fairly efficient disjunctive polyhedra analysis.
Slide 12: Hull_m: Selective Hulling
Given F = ∨_{i=1..n} φ_i (where the φ_i are conjunctive formulae):
  find the most affine disjuncts for hulling (according to some affinity measure)
  ensure the number of disjuncts does not exceed m
Slide 13: Geometrical Intuition for Affinity
[figure: two pairs of polyhedra, (φ1, φ2) and (φ3, φ4), in the plane]
Compare φ1 ∨ φ2 with hull(φ1 ∨ φ2).
Identify a perfect match (100% affinity).
A good affinity measure should be able to quantify how precisely (φ1 ∨ φ2) can be approximated by hull(φ1 ∨ φ2), the convex-hull result.
Slide 14: Affinity Measures (1)
Based on Hausdorff distance [SAS'06]:
  h-heur(P,Q) = max_{x ∈ P} { min_{y ∈ Q} |x - y| }
Not able to distinguish between (φ1, φ2) and (φ3, φ4): they have similar Hausdorff distances.
Less appropriate for a relational domain.
Slide 15: Affinity Measures (2)
Planar affinity:
  p-heur(φ1, φ2) = |mset|, where mset = { c ∈ (φ1 ∪ φ2) | hull ⇒ c }
  (φ1 and φ2 are viewed as sets of linear inequalities; hull = hull(φ1 ∨ φ2))
Detects that (φ3, φ4) has higher affinity.
Suited for relational domains.
Slide 16: Example: Hull_m and Planar Affinity
mnD^3 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0)     (F1 ∨ F2 ∨ F3)
affin_hull matrix over (F1, F2, F3):
        F1   F2   F3
  F1    -    4    1
  F2    -    -    100
  F3    -    -    -
hull_2(F1 ∨ F2 ∨ F3) = F1 ∨ hull(F2 ∨ F3) = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)
Slide 17: Overview
  Collect a constraint abstraction corresponding to the method body.
  Background: conjunctive fixpoint analysis.
  Disjunctive fixpoint analysis:
    find related disjuncts for hulling
    powerset widening operator
  Experimental results.
Slide 18: Powerset Widening
Given F1 = ∨ d_i and F2 = ∨ e_j (d_i, e_j conjunctive formulae):
  find pairs of related disjuncts d_i and e_j
  compute widening on the conjunctive domain: f_i = (d_i ∇ e_j)
  result: F1 ∇_m F2 = ∨ f_i
Related work:
  Bagnara et al [VMCAI'04]: propose a connector to combine elements in F2 (e.g. each connected element approximates some element from F1)
  Gulavani et al [TACAS'06]: specify a recipe for a connector, but rely on the ability to find one minimal element from a set of polyhedra
Slide 19: Powerset Widening ∇_m
(d1 ∨ d2) ∇_m (e1 ∨ e2) = (d1 ∇ e1) ∨ (d2 ∇ e2)
[figure: the pairs (d1, e1) and (d2, e2) in the plane]
Our solution: find pairs of related disjuncts based on planar affinity.
Planar affinity is a good indicator of the number of conjuncts preserved in the result of widening.
Slide 20: Summary: Disjunctive Fixpoint Analysis
mnD^1 = mnD(False) = (x ≤ 0 ∧ x'=x)
mnD^2 = mnD(mnD^1) = hull_2((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0))
      = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0)
mnD^3 = mnD(mnD^2) = hull_2((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0))
      = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)
The lattice has infinite height: use a widening operator.
mnD^W2 = mnD^2 ∇_m mnD^3 = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ x'=0)
A post-fixpoint has been found when mnD(mnD^i) ⇒ mnD^i:
mnD^W3 = mnD(mnD^W2) = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ x'=0)
Slide 21: Implementation
Haskell + Omega library [Pugh et al].
Automates disjunctive postcondition inference. Does it give more precise results?
Benchmarks: numerical programs written in a C-like language.
Slide 22: Experimental Results
Infer postconditions with different values for m. Most precise POST reached at:
  m=2: binary search, bubble sort, init array
  m=3: queens, quick sort, LU, Linpack
  m=4: SOR
  m=5: merge sort
Slide 23: Experimental Results (II)
Array bound checks elimination. Programs proved safe at:
  m=2: bubble sort, init array
  m=4: merge sort, SOR
Planar affinity proves more checks redundant than the Hausdorff-based affinity.
Disjunctive analysis is useful: as m increases, the number of checks not proven decreases gradually.
Slide 24: Summary
Disjunctive polyhedra analysis via affinity:
  selective hulling
  powerset widening
Implementation of a modular static analyzer based on the disjunctive polyhedra domain:
  potential for a trade-off between precision and analysis cost
Slide 25: The End
Slide 26: Convex-Hull Operator
φ1 = (x ≤ 0 ∧ x'=x)
φ2 = (x=1 ∧ x'=0)
hull(φ1 ∨ φ2) = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
[figure: φ1, φ2 and hull(φ1 ∨ φ2) in the (x, x') plane; the hull is bounded by the lines x'=x and x-1=x']
Slide 27: Widening Operator
φ1 = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
φ2 = (x-2 ≤ x' ≤ x ∧ x' ≤ 0)
widen(φ1, φ2) = (x' ≤ x ∧ x' ≤ 0)
[figure: φ1 (bounded by x-1 ≤ x'), φ2 (bounded by x-2 ≤ x') and widen(φ1, φ2), which keeps only the stable constraints x' ≤ x and x' ≤ 0, in the (x, x') plane]
Slide 28: Quick Sort Example
Slide 29: Quick Sort Example (II)
Conjunctive analysis discovers only a lower bound for the result: (res ≥ n).
3-disjunctive analysis: the result is a valid index: (0 ≤ res < s).
Slide 30: References
[Cousot-Halbwachs: POPL'78] Automatic discovery of linear restraints among variables of a program.
[Bagnara et al: VMCAI'04] Widening operators for powerset domains.
[Gulavani-Rajamani: TACAS'06] Counterexample driven refinement for abstract interpretation.
[Sankaranarayanan et al: SAS'06] Static analysis in disjunctive numerical domains.
Slide 31: Constraint Abstraction
From a method, the analysis generates a constraint abstraction: meth ⇒ φ.
Constraint language:
  φ ::= φ ∧ φ | φ ∨ φ | ∃x.φ | mn(x*) | s          (constraint)
  s ::= a1·x1 + .. + an·xn ≤ a                       (linear inequality)
  a ∈ Z, x ∈ Var, mn ∈ Meth-Name
Slide 32: Hull_m: Selective Hulling
Given F = ∨_{i=1..n} φ_i (where the φ_i are conjunctive formulae):
  find the most affine disjuncts for hulling (according to some affinity measure)
  ensure the number of disjuncts does not exceed m
hull_m(F) = if (n ≤ m) then F
            else hull_m((F − {φ_i, φ_j}) ∪ {hull(φ_i, φ_j)})
            where (φ_i, φ_j) is chosen such that ∀a,b ∈ 1..n: affin_hull(φ_i, φ_j) ≥ affin_hull(φ_a, φ_b)
Slide 33: Affinity for Hulling
Compute:
  the hull:                      φ_hull = hull(φ1 ∨ φ2)
  the approximation due to hull: φ_approx = φ_hull ∧ ¬(φ1 ∨ φ2)
affin_hull(φ1, φ2) = if (φ_approx = False) then 100
                     else if (φ_hull = True) then 0
                     else heur(φ1, φ2)
Slide 34: Example: ∇_m and Planar Affinity
mnD^3 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)     (d1 ∨ d2)
mnD^4 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 3 ∧ x'=0)     (e1 ∨ e2)
affin_widen matrix:
        d1    d2
  e1    100   21
  e2    41    34
mnD^3 ∇_m mnD^4 = (d1 ∇ e1) ∨ (d2 ∇ e2) = (x ≤ 0 ∧ x'=x) ∨ (x>0 ∧ x'=0)
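Slides 20 and 32 to 34 together describe the whole disjunctive fixpoint procedure: selective hulling driven by affin_hull, the post-fixpoint test, and an affinity-paired powerset widening. The following is an added worked example written for this page, not the authors' Haskell/Omega analyzer. To stay dependency-free it swaps the polyhedra domain for integer boxes (one interval per variable), so affin_hull becomes: 100 when hulling two boxes is exact, 0 when the hull is top, and otherwise a count of the two boxes' finite bounds that the hull still implies (a box analogue of planar affinity); the conjunctive widening is interval widening with thresholds taken from the program's constants, and ∇_m greedily pairs each new disjunct with its most affine old disjunct. The analysed search loop (in the spirit of the min-index loop on slide 2), the array length N = 10 and every name in the block (box, hull_m, widen_m, analyze, index_check_proven) are constructed for the example. analyze(1) is the conjunctive analysis and analyze(2) the 2-disjunctive one; only the latter keeps the found = 1 disjunct with 0 ≤ m ≤ 9 apart from the found = 0, m = -1 disjunct, which is what makes the access A[m] guarded by found provably in bounds.

```python
from itertools import combinations

# Constructed loop (array length N, nondeterministic match test), analysed at its head:
#   x := 0; m := -1; found := 0
#   while (x < N) { if (*) { m := x; found := 1 }  x := x + 1 }
#   if (found) { ... A[m] ... }        /* does 0 <= m < N hold here? */
INF = float("inf")
VARS = ("x", "m", "found")
N = 10                                  # assumed array length
THRESHOLDS = (-1, 0, 1, N - 1, N)       # program constants: bound the widening's extrapolation

def box(**b):                           # one closed integer interval per variable (a box)
    return {v: b.get(v, (-INF, INF)) for v in VARS}

def is_bottom(b):
    return any(lo > hi for lo, hi in b.values())

def leq(b1, b2):                        # b1 ⊑ b2, i.e. b1 ⇒ b2
    return is_bottom(b1) or all(b2[v][0] <= b1[v][0] <= b1[v][1] <= b2[v][1] for v in VARS)

def hull(b1, b2):                       # convex hull of two boxes: componentwise min/max
    if is_bottom(b1): return b2
    if is_bottom(b2): return b1
    return {v: (min(b1[v][0], b2[v][0]), max(b1[v][1], b2[v][1])) for v in VARS}

def hull_exact(b1, b2):                 # is phi_approx = hull ∧ ¬(b1 ∨ b2) False?
    if leq(b1, b2) or leq(b2, b1): return True
    diff = [v for v in VARS if b1[v] != b2[v]]
    if len(diff) != 1: return False
    (a1, a2), (c1, c2) = b1[diff[0]], b2[diff[0]]
    return max(a1, c1) <= min(a2, c2) + 1   # overlapping or adjacent integer intervals

def affinity(b1, b2):
    """affin_hull for boxes: 100 if hulling is exact, 0 if the hull is top, otherwise the
    planar-affinity analogue: how many finite bounds of b1 and b2 the hull still implies."""
    h = hull(b1, b2)
    if hull_exact(b1, b2): return 100
    if all(h[v] == (-INF, INF) for v in VARS): return 0
    return sum((b[v][0] != -INF and h[v][0] >= b[v][0]) + (b[v][1] != INF and h[v][1] <= b[v][1])
               for b in (b1, b2) for v in VARS)

def simplify(ds):                       # drop bottom and subsumed disjuncts
    out = []
    for d in ds:
        if is_bottom(d) or any(leq(d, o) for o in out): continue
        out = [o for o in out if not leq(o, d)] + [d]
    return out

def hull_m(ds, m):                      # selective hulling: merge the most affine pair until <= m disjuncts
    ds = simplify(ds)
    while len(ds) > m:
        i, j = max(combinations(range(len(ds)), 2), key=lambda p: affinity(ds[p[0]], ds[p[1]]))
        ds = [d for k, d in enumerate(ds) if k not in (i, j)] + [hull(ds[i], ds[j])]
    return ds

def widen(b1, b2):                      # interval widening; an unstable bound jumps to the next threshold
    if is_bottom(b1): return b2
    h, res = hull(b1, b2), {}
    for v in VARS:
        lo = b1[v][0] if h[v][0] >= b1[v][0] else max([t for t in THRESHOLDS if t <= h[v][0]], default=-INF)
        hi = b1[v][1] if h[v][1] <= b1[v][1] else min([t for t in THRESHOLDS if t >= h[v][1]], default=INF)
        res[v] = (lo, hi)
    return res

def widen_m(old, new):                  # powerset widening: pair each new disjunct with its most affine old one
    res, used = [], set()
    for e in new:
        i = max(range(len(old)), key=lambda k: affinity(old[k], e))
        used.add(i); res.append(widen(old[i], e))
    return simplify(res + [d for k, d in enumerate(old) if k not in used])

def body(b):                            # one loop iteration on a box: guard, both branches, x := x + 1
    g = dict(b); g["x"] = (b["x"][0], min(b["x"][1], N - 1))
    if is_bottom(g): return []
    taken = dict(g); taken["m"] = g["x"]; taken["found"] = (1, 1)
    return [dict(br, x=(br["x"][0] + 1, br["x"][1] + 1)) for br in (taken, g)]

def analyze(m, widen_from=2, max_iter=50):
    """Loop-head invariant as at most m boxes; widening is applied from iteration widen_from."""
    init = box(x=(0, 0), m=(-1, -1), found=(0, 0))
    F = [init]
    for i in range(max_iter):
        nxt = hull_m([init] + [nb for d in F for nb in body(d)], m)
        if all(any(leq(e, d) for d in F) for e in nxt):   # post-fixpoint: step(F) ⇒ F
            return nxt                                     # step(F) is a post-fixpoint too (one narrowing step)
        F = widen_m(F, nxt) if i >= widen_from else nxt
    raise RuntimeError("no post-fixpoint within max_iter")

def after_loop(F):                      # loop exit: x >= N
    return simplify([dict(d, x=(max(d["x"][0], N), d["x"][1])) for d in F])

def index_check_proven(F):
    """Is A[m] in bounds on every exit disjunct with found = 1 (so its bound check is redundant)?"""
    for d in after_loop(F):
        e = dict(d, found=(max(d["found"][0], 1), min(d["found"][1], 1)))
        if not is_bottom(e) and not (0 <= e["m"][0] and e["m"][1] <= N - 1): return False
    return True

if __name__ == "__main__":
    for m in (1, 2):
        print(f"m={m}: {after_loop(analyze(m))}  check proven: {index_check_proven(analyze(m))}")
```

With m = 1 the single box at the loop exit is x = 10, m ∈ [-1, 9], found ∈ [0, 1], and restricting it to found = 1 cannot rule out m = -1; this is the non-relational counterpart of the imprecision on slides 9 and 29. The thresholds are an assumption of this box version: they stand in for the relational facts (m ≤ x - 1 ∧ x ≤ N) that a polyhedra domain keeps across widening, without which plain interval widening sends the upper bound of m to +∞ and no narrowing step recovers it.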
Slide 35: Loops are Analyzed as Methods
Transform loops into tail-recursive functions.
The proposed fixpoint analysis works both for loops and for general recursion:
  nested loops
  mutually recursive methods