
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 14: Numerical Abstractions Roman Manevich Ben-Gurion University.


1 Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 14: Numerical Abstractions Roman Manevich Ben-Gurion University

2 Syllabus. Semantics: natural semantics, structural semantics, axiomatic verification. Static analysis: automating Hoare logic, control flow graphs, equation systems, collecting semantics. Abstract interpretation fundamentals: lattices, fixed-points, chaotic iteration, Galois connections, domain constructors, widening/narrowing. Analysis techniques: numerical domains, alias analysis, interprocedural analysis, shape analysis, CEGAR. Crafting your own: Soot, from proofs to abstractions, systematically developing transformers.

3 Previously: composing abstract domains (and GCs); widening and narrowing; the interval domain.

4 Agenda: abstractions for properties of numeric variables. Classification: relational vs. non-relational; equalities vs. inequalities; zones.

5 Numerical Abstractions. (Image credit: Quilbert, own work, partially derived from en:Image:Poly.pov, GPL (http://www.gnu.org/licenses/gpl.html), via Wikimedia Commons.)

6 Overview. Goal: infer numeric properties of program variables (integers, floating point). Applications: detect division by zero, overflow, out-of-bound array access; help non-numerical domains. Classification: non-relational; (weakly-)relational; equalities / inequalities; linear / non-linear; exotic.

7 Implementation

8 Non-relational abstractions

9 Abstract each variable individually: constant propagation [Kildall'73]; intervals (box), covered in lecture 13; sign; parity (congruences); Assignment 3: zones (tentative).

10 Sign abstraction for variable x. Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State). Sign = {⊥, neg, 0, pos, ⊤}, ordered as a Hasse diagram with ⊤ above neg, 0 and pos, and ⊥ below them. GC_{C,Sign} = (C, α, γ, Sign). γ(⊥) = ? γ(neg) = ? γ(0) = ? γ(pos) = ? γ(⊤) = ? How can we represent ≠ 0?

11 Transformer x := y*z. Abstract multiplication table (row = abstract value of y, column = abstract value of z):

    *    | ⊥   pos  0   neg  ⊤
    ⊥    | ⊥   ⊥    ⊥   ⊥    ⊥
    pos  | ⊥   pos  0   neg  ⊤
    0    | ⊥   0    0   0    0
    neg  | ⊥   neg  0   pos  ⊤
    ⊤    | ⊥   ⊤    0   ⊤    ⊤

Check at home: the abstract transformer is complete.

12 Transformer x := y+z. Abstract addition table (row = abstract value of y, column = abstract value of z):

    +    | ⊥   pos  0    neg  ⊤
    ⊥    | ⊥   ⊥    ⊥    ⊥    ⊥
    pos  | ⊥   pos  pos  ⊤    ⊤
    0    | ⊥   pos  0    neg  ⊤
    neg  | ⊥   ⊤    neg  neg  ⊤
    ⊤    | ⊥   ⊤    ⊤    ⊤    ⊤

Check at home: the abstract transformer is not complete.
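The "check at home" of slides 11 and 12, carried out mechanically, as an added example (not code from the lecture): the sign tables above, a best abstraction α on finite sets of integers, and a search for a pair of concrete sets X, Y on which f#(α(X), α(Y)) differs from α(f(X, Y)). The sampled range (-2..2) and set sizes are assumptions of the example.

```python
# Added example (not from the lecture): sign domain {bot, neg, 0, pos, top},
# the transformer tables of slides 11-12, and a completeness check
#   f#(alpha(X), alpha(Y)) == alpha(f(X, Y))   for sampled concrete sets X, Y.
from itertools import combinations, product

BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"


def alpha(xs):
    """Best abstraction of a (finite) set of integers."""
    signs = {NEG if v < 0 else POS if v > 0 else ZERO for v in xs}
    if not signs:
        return BOT
    return signs.pop() if len(signs) == 1 else TOP


def mul(a, b):  # table of slide 11
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG


def add(a, b):  # table of slide 12
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP


def find_incompleteness(f_abs, f_conc, lo=-2, hi=2):
    """Return a witness (X, Y) with f#(alpha X, alpha Y) != alpha(f(X, Y)),
    or None when no witness exists among sets of size 1-2 drawn from lo..hi
    (an assumed sample; a None result is evidence, not a proof)."""
    universe = range(lo, hi + 1)
    sets = [set(c) for k in (1, 2) for c in combinations(universe, k)]
    for xs, ys in product(sets, repeat=2):
        exact = alpha({f_conc(x, y) for x in xs for y in ys})
        if f_abs(alpha(xs), alpha(ys)) != exact:
            return xs, ys
    return None
```

Multiplication finds no witness, while addition fails already on X = {-2}, Y = {1}: pos + neg must be ⊤ even though the concrete sum is exactly {-1}.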

13 Parity abstraction for variable x. Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State). Parity = {⊥, E, O, ⊤}, with ⊤ above E and O, and ⊥ below them. GC_{C,Parity} = (C, α, γ, Parity). γ(⊥) = ? γ(E) = ? γ(O) = ? γ(⊤) = ?

14 Transformer x := y+z. Abstract addition table for parity (row = abstract value of y, column = abstract value of z):

    +   | ⊥  O  E  ⊤
    ⊥   | ⊥  ⊥  ⊥  ⊥
    O   | ⊥  E  O  ⊤
    E   | ⊥  O  E  ⊤
    ⊤   | ⊥  ⊤  ⊤  ⊤

15 Boxes (intervals). (Figure: the box x ∈ [1,4], y ∈ [3,6] drawn as a rectangle in the x-y plane.)

16 Non-relational abstractions cannot prove properties that hold simultaneously for several variables, e.g. x = 2*y or x ≤ y.

17 Practical aspects of non-relational abstractions

18 The abstraction. The abstract domain for variables x1, …, xn is the Cartesian product of a mini-domain D[x] for one variable: D[x1] × … × D[xn]. Join, meet, widening and narrowing need to be implemented only for the mini-domain. Usually a non-relational domain is associated with a Galois insertion: no reduction is required, and the Cartesian product is already a reduced product.

19 Sound assignment transformers. Let remove(S, x) be the operation that removes the factoid associated with x from S, and factoid(S, x) the operation that returns the factoid associated with x in S.
    ⟦x := c⟧# S = remove(S, x) ∪ α({[x ↦ c]})
    ⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}
    ⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}
    ⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}
    ⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}
    ⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

20 Sound assume transformers.
    ⟦assume x=c⟧# S = S ⊓ α({[x ↦ c]})
    ⟦assume x<c⟧# S = …
    ⟦assume x=y⟧# S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}
    ⟦assume x≠c⟧# S = if S ⊑ α({[x ↦ c]}) then ⊥ else S

21 (Weakly-)relational abstractions

22 Relational abstractions represent correlations between all program variables: polyhedra; linear equalities. When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational: linear relations example (discussed in class); zone abstraction (next); octagons; two-variable polyhedra. Usually the abstraction is defined as the reduced product of the abstract domain for every pair of variables.

23 Zone abstraction

24 Zone abstraction [Miné]. Maintain bounded differences between pairs of program variables (useful for tracking array accesses). An abstract state is a conjunction of linear inequalities of the form x − y ≤ c. (Figure: the zone x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 drawn in the x-y plane.)

25 Difference bound matrices. Add a special variable V0 standing for the number 0. Represent non-existent relations between variables by +∞ entries. Convenient for defining the partial order between two abstract elements… ⊑ = ? Example, for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 (the entry in row i, column j is the bound c of v_j − v_i ≤ c):

           V0    x     y
    V0    +∞     4     3
    x     −1    +∞    +∞
    y     −1     1    +∞

26 Ordering DBMs. How should we order M1 ⊑ M2?
M1 = {x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1}:

           V0    x     y
    V0    +∞     5     3
    x     −1    +∞    +∞
    y     +∞     1    +∞

M2 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1} (the DBM of slide 25).

27 Joining DBMs. How should we join M1 ⊔ M2?
M1 = {x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1}:

           V0    x     y
    V0    +∞     2     0
    x     −1    +∞    +∞
    y     +∞     1    +∞

M2 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1} (the DBM of slide 25).

28 Widening DBMs. How should we widen M1 ∇ M2?
M1 = {x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1}:

           V0    x     y
    V0    +∞     5     3
    x     −1    +∞    +∞
    y     +∞     1    +∞

M2 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1} (the DBM of slide 25).

29 Potential graph. A vertex per variable; a directed edge with the weight of the inequality (an edge i → j with weight c for v_j − v_i ≤ c). Enables computing semantic reduction by shortest-path algorithms. (Figure: for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 the vertices are V0, x, y and the edges are V0 → x (4), x → V0 (−1), V0 → y (3), y → V0 (−1), y → x (1).) Can we tell whether a system of constraints is satisfiable?

30 Semantic reduction for zones. Apply the following rule repeatedly: from x − y ≤ c, y − z ≤ d and x − z ≤ e, derive x − z ≤ min{e, c + d}. When should we stop? Theorem 3.3.4 (best abstraction of potential sets and zones): m* = (α_Pot ∘ γ_Pot)(m).

31 Zones assignment transformers. remove(S, x): removes the x-factoids from S. factoid(S, x): returns all x-factoids in S.
    ⟦x := c⟧# S = remove(S, x) ∪ …?
    ⟦x := y+c⟧# S = remove(S, x) ∪ …?
    ⟦x := -y⟧# S = remove(S, x) ∪ …?
    ⟦x := y-z⟧# S = remove(S, x) ∪ …?
    ⟦x := y+z⟧# S = …?

32 Zones assignment transformers. remove(S, x): removes the x-factoids from S. factoid(S, x): returns all x-factoids in S.
    ⟦x := c⟧# S = remove(S, x) ∪ {x − V0 ≤ c, V0 − x ≤ −c}
    ⟦x := y+c⟧# S = remove(S, x) ∪ {x − y ≤ c, y − x ≤ −c}
    ⟦x := -y⟧# S = remove(S, x) ∪ {x ≤ c | V0 − y ≤ c}
    ⟦x := y-z⟧# S = remove(S, x) ∪ {x ≤ c} where c = min{c1 − c2 | y − a ≤ c1, z − a ≤ c2}
    ⟦x := y+z⟧# S = ⟦x := y-t⟧# (⟦t := -z⟧# S)
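The DBM operations that slides 25 to 32 ask about, as an added example (not code from the lecture): a difference bound matrix over V0, x, y, with the pointwise order, join and widening, the shortest-path closure that implements the semantic-reduction rule of slide 30 (and detects an unsatisfiable system through a negative cycle), and the transformer for x := y + c of slide 32. The variable order, the convention that m[i][j] bounds v_j − v_i, and a 0 diagonal (as in Miné, in place of the +∞ shown on the slides) are assumptions of the example.

```python
# Added example (not the lecture's code): DBM for the zone domain over V0, x, y.
# Convention (assumed, following Mine): m[i][j] = c encodes v_j - v_i <= c,
# +inf means "no constraint", index 0 is the special variable V0 = 0.
from math import inf

V = {"V0": 0, "x": 1, "y": 2}  # assumed variable order


def dbm(*constraints):
    """Build a DBM from (lhs, rhs, bound) triples meaning lhs - rhs <= bound."""
    m = [[inf] * len(V) for _ in V]
    for i in range(len(V)):
        m[i][i] = 0
    for lhs, rhs, c in constraints:
        m[V[rhs]][V[lhs]] = min(m[V[rhs]][V[lhs]], c)
    return m


def leq(m1, m2):  # pointwise order: every bound of m1 is at least as tight
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))


def join(m1, m2):  # pointwise max: the weakest bound that both elements satisfy
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]


def widen(m1, m2):  # keep bounds that stayed stable, drop bounds that grew to +inf
    return [[a if b <= a else inf for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]


def close(m):
    """Semantic reduction: apply x-z <= min{e, c+d} until stable, i.e. Floyd-Warshall
    on the potential graph.  Returns None (bottom) when a negative cycle shows
    the constraint system is unsatisfiable."""
    n, c = len(m), [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                c[i][j] = min(c[i][j], c[i][k] + c[k][j])
    return None if any(c[i][i] < 0 for i in range(n)) else c


def assign_plus_c(m, x, y, c):
    """Transformer for x := y + c: forget every x-factoid, then add
    x - y <= c and y - x <= -c (slide 32)."""
    r = [row[:] for row in m]
    for v in V.values():
        r[V[x]][v] = r[v][V[x]] = inf
    r[V[x]][V[x]] = 0
    r[V[y]][V[x]], r[V[x]][V[y]] = c, -c
    return r
```

On the DBM of slide 25, closure derives the missing factoid y − x ≤ 2 from −x ≤ −1 and y ≤ 3, and for the slide 26 pair M2 ⊑ M1 holds while M1 ⊑ M2 does not.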

33 More numerical domains

34 Octagon abstraction [Miné-01]. An abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c. Captures relationships common in programs (array access).

35 Some inequality-based relational domains. (Figure; only the label "policy iteration" is recoverable.)

36 What is the polyhedron abstraction? How do we abstract a circle? (Figure: a circle drawn in the x-y plane.)

37 Equality-based domains. Simple congruences [Granger'89]: y = a mod k. Linear relations: y = a*x + b (the join operator is a little tricky). Linear equalities [Karr'76]: a1*x1 + … + ak*xk = c. Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c; some good results are obtainable when d1 + … + dk < n for some small n.

38 Next lecture: alias analysis

