Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.

Published byAldous Lewis Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008."— Presentation transcript:

1 Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008 – L’Aquila – 17 September 2008 Simon Fraser University, BC, Canada EPFL, Switzerland

2 Automatic Software Verification Overapproximation int main() { int a = foo(); int b = bar(a); assert(a == b); } int main() { int a = foo(); int b = bar(a); assert(a == b); } C program Verification Tool SAFE i.e. assertions cannot be violated UNSAFE Reachable states Error states General method: Create an overapproximation of the program states

3 Example Program We want to prove that ERR is not reachable Variables st, ok, cmd, p are tracked explicitly at first All of them except p encounter more than five values

4 Abstraction x = 1 y = 1 z = 2 p  { h = 3 } x = 1 y = 1 z = 2 p  { h = 3 } Concrete state x = y  z = 2 x  1, y  1, z  > p h=3 Shape graph Abstract state Predicate abstraction Explicit valuations

5 int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50); Few explicit values  Explicit domain Many values  Predicate abstraction

6 int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50); Fully Explicit Analysis f  0 x  1 y  0 f  0 x  1 y  0 f  1 x  50 y  0 f  1 x  50 y  0 f  1 x  49 y  1 f  1 x  49 y  1 f  1 x  48 y  2 f  1 x  48 y  2 f  1 x  47 y  3 f  1 x  47 y  3 … f  1 x  46 y  4 f  1 x  46 y  4 +cheap to compute -many states

7 Combined Analysis  Start with explicit  Precision of explicit: threshold on number of diff. values E.g. ¼ (x) = 3  Precision of predicate: set of tracked predicates E.g. ¼ = { x + y = 50, x ¸ 0, x = 0}  Switch to predicates when the explicit threshold is hit Note: Coming up with “good” predicates is an orthogonal problem int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50);

8 Combined Analysis f  0 x  1 y  0 f  0 x  1 y  0 f  1 x  50 y  0 f  1 x  50 y  0 f  1 x  49 y  1 f  1 x  49 y  1 f  1 x  48 y  2 f  1 x  48 y  2 f  1 x  48 y  2 f  1 x  48 y  2 x + y = 50 x ¸ 0 x + y = 50 x ¸ 0 f  1 x  48 y  2 f  1 x  48 y  2 x + y = 50 x = 0 x + y = 50 x = 0 Threshold hit for explicit analysis int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50);

9 Motivation  Flexible combination of abstract domains  Dynamically update their respective precisions  precision: set of predicates, variables, etc. to track  e.g. switch on/off analyses  e.g. use different analyses for different variables  …

10 Configurable Program Analysis [Beyer/Henzinger/T 2007] Reached, Frontier := { e 0 } while Frontier   do remove e from Frontier for each e’  post( e ) do for each e’’  Reached do e’’ new := merge( e’, e’’ ) if e’’ new  e’’ then replace e’’ in Reached, Frontier by e’’ new if  stop(e’, Reached ) add e’ to Reached, Frontier return Reached

11 Configurable Program Analysis -Better combination of abstractions  Configurable Program Analysis [CAV07] Unified framework that enables intermediate algorithms Imprecise Scalable Precise Expensive Data-flow analysis Model Checking CPA

12 Configurable Program Analysis [Beyer/Henzinger/T 2007] Reached, Frontier := { e 0 } while Frontier   do remove e from Frontier for each e’  post( e ) do for each e’’  Reached do e’’ new := merge( e’, e’’ ) if e’’ new  e’’ then replace e’’ in Reached, Frontier by e’’ new if  stop(e’, Reached ) add e’ to Reached, Frontier return Reached

13 Configurable Program Analysis with Dynamic Precision Adjustment Reached, Frontier := { ( e 0, π 0 ) } while Frontier   do remove ( e, π ) from Frontier ( ê, π new ) = prec( e, π, Reached )‏ for each e’  post( ê, π new ) do for each ( e’’, π’’ )  Reached do e’’ new := merge( e’, e’’, π new ) if e’’ new  e’’ then replace ( e’’, π’’ ) in Reached, Frontier by (e’’ new, π new ) if  stop(e’, Reached, π new ) add (e’, π new ) to Reached, Frontier return Reached (CPA+)‏

14 CPA+ Configurable program analysis with dynamic precision adjustment: - concrete system (C, c 0, ! ) - abstract domain (E, >, ?, v, t ) - a set of precisions ¦ - concretization function  : E ! 2 C - transfer function post µ E £ ¦  2 E - merge operator merge: E £ E £ ¦ ! E - termination check stop: E £ 2 E £ ¦ ! B - precision adjustment: prec: E £ ¦ £ 2 E £ ¦  E £ ¦ Note: Operators are required to be soundly overapproximating e e’ 1 e’ 2 … ¼ post e.e’ merge(e,e’, ¼ )‏ e1e1 e2e2 … R = e3e3 e stop(e,R, ¼ ) = true e ¼ ¼’ prec Reached e’

15 CPA+ Configurable program analysis with dynamic precision adjustment: - concrete system (C, c 0, ! ) - abstract domain (E, >, ?, v, t ) - a set of precisions ¦ - concretization function  : E ! 2 C - transfer function post µ E £ ¦  2 E - merge operator merge: E £ E £ ¦ ! Emerge sep (e,e’, ¼ ) = e’ merge join (e,e’, ¼ ) = e t e’ - termination check stop: E £ 2 E £ ¦ ! B stop sep (e,R, ¼ )= 9 e’ 2 R, e v e’ stop join (e,R, ¼ ) = e v t R - precision adjustment: prec: E £ ¦ £ 2 E £ ¦  E £ ¦ Note: Operators are required to be soundly overapproximating

16 Composite CPA+ E 1 £ E 2, ¦ 1 £ ¦ 2 post £, merge £, stop £, prec £ Composite CPA+ E 1 £ E 2, ¦ 1 £ ¦ 2 post £, merge £, stop £, prec £ Composite CPA+ D 1 E 1, ¦ 1 post 1, merge 1, stop 1, prec 1 D 1 E 1, ¦ 1 post 1, merge 1, stop 1, prec 1 D 2 E 2, ¦ 2 post 2, merge 2, stop 2, prec 2 D 2 E 2, ¦ 2 post 2, merge 2, stop 2, prec 2 Composite operators: Strengthening operators " 1, " 2

17 Composite CPA+ Example: Predicate Abstraction + Explicit Example of composite abstract element: ( 6,x > 0 Æ x = y,{ i  2, x  >, y  > })‏ L (locations)‏ P (predicate abstraction)‏ C (explicit analysis)‏

18 Domain and Precisions Abstract domainPrecisions / Precision Adjustment Predicate Abstraction E = 2 P ¦ = 2 P e.g. e = { x 0 } prec P (e, ¼,R) = (e, ¼ )‏ Explicit Analysis E = [ X  Z ] Z = Z [ { ?, > } ¦ = [ X  N ] e.g. e = { x  2, y  >, … } Set of tracked predicates Max. number of diff. values per variable CPA+ P C prec C (e, ¼,R) = (e’, ¼ )‏ if for all x 2 X: if |R(x)| ¸ ¼ (x), then e’(x) = > otherwise, e’(x) = e(x)‏

19 Example: Predicate Abstraction + Explicit Idea: Dynamically choose between explicit & predicate abstraction - Too many explicit values  predicate abstraction - Use explicit values to infer predicates Implementable in the composite prec operator Note: explicit analysis ¼ testing on some variables

20 Example: Predicate Abstraction + Explicit Composite precision adjustment: prec((l, P, v), ( ¼ L, ¼ P, ¼ C ), R) = ((l,P’,v’), ( ¼ L, ¼ ’ P, ¼ ’ C ))‏ if (v’, ¼’ C ) = prec C (v, ¼ C, {(v’’, ¼’’ C ) | ((l,P,v’’), ( ¢, ¢, ¼’’ C )) 2 R})‏ and ¼ ’ P = ¼ P [  x 2 X: v(x)  >Æ v’(x)= > abstract(x, {v’’|((l,P,v’’), ¢ ) 2 R}) P’= P [ { p 2 ( ¼ ’ P n ¼ P ) | v ² p }

21 Program Threshold Pred. only k = 0 Predicate + Explicit k = 1 k = 5 Explicit only k = 1 ex10.46 s0.17 s0.21 s― ex20.43 s0.16 s0.21 s1.00 s loop125.20 s26.01 s22.78 s0.16 s loop2279.84 s277.07 s258.79 s0.44 s square―――0.08 s Precision for explicit analysis: ¼ C (x) = k Program Threshold Pred. only k = 0 Predicate + Explicit k = 1 k = 2 s3_clnt (total)‏75.11 s10.40 s18.42 s s3_srvr (total)‏536.79 s24.23 s34.40 s

22 Another combination: Shapes + Explicit heap Composite CPA+ Idea:Switch to shape analysis triggered by then number of nodes in the explicit heap. Composite CPA+ Idea:Switch to shape analysis triggered by then number of nodes in the explicit heap. L (locations)‏ S (shape analysis)‏ H (explicit heap analysis)‏

23 Conclusion  Framework to express change of precision during the analysis (  refinement)‏  Useful when composing existing analyses  Make combination more effective/precise  Ongoing/Future work  Improve predicate inference from explicit values  Integration with refinement loop  Use explicit heap to infer good predicates for shape analysis (e.g. instrumentation predicates)‏

Download ppt "Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008."

Similar presentations

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.

Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Liveness Counter Abstraction Liveness with Counter Abstraction A mir P nueli, J essie X u and L enore Z uck.

Liveness Counter Abstraction Liveness with Counter Abstraction A mir P nueli, J essie X u and L enore Z uck.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Similar presentations

Ads by Google