1
Program Analysis and Verification, Spring 2015. Lecture 14: Numerical Abstractions. Roman Manevich, Ben-Gurion University
2
Syllabus
 – Semantics: Natural Semantics, Structural semantics, Axiomatic Verification
 – Static Analysis: Automating Hoare Logic, Control Flow Graphs, Equation Systems, Collecting Semantics
 – Abstract Interpretation fundamentals: Lattices, Fixed-Points, Chaotic Iteration, Galois Connections, Domain constructors, Widening/Narrowing
 – Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR
 – Crafting your own: Soot, From proofs to abstractions, Systematically developing transformers
3
Previously
 – Composing abstract domains (and GCs)
 – Widening and narrowing
 – Interval domain
4
Agenda
 – Abstractions for properties of numeric variables
 – Classification: relational vs. non-relational; equalities vs. non-equalities; zones
5
Numerical Abstractions (image by Quilbert, own work, partially derived from en:Image:Poly.pov, GPL (http://www.gnu.org/licenses/gpl.html), via Wikimedia Commons)
6
Overview
 – Goal: infer numeric properties of program variables (integers, floating point)
 – Applications: detect division by zero, overflow, out-of-bound array access; help non-numerical domains
 – Classification: non-relational; (weakly-)relational; equalities / inequalities; linear / non-linear; exotic
7
Implementation
8
Non-relational abstractions
9
Abstract each variable individually
 – Constant propagation [Kildall’73]
 – Intervals (Box), covered in lecture 13
 – Sign
 – Parity (congruences)
 – Assignment 3: zones (tentative)
10
Sign abstraction for variable x
Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
Sign = {⊥, neg, 0, pos, ⊤}
GC_{C,Sign} = (C, α, γ, Sign)
γ(⊥) = ? γ(neg) = ? γ(0) = ? γ(pos) = ? γ(⊤) = ?
How can we represent 0?
(Hasse diagram: ⊤ above neg, 0 and pos, which are above ⊥)
11
Transformer x := y*z
  *  | neg | 0 | pos | ⊤
 neg | pos | 0 | neg | ⊤
  0  |  0  | 0 |  0  | 0
 pos | neg | 0 | pos | ⊤
  ⊤  |  ⊤  | 0 |  ⊤  | ⊤
Check at home: the abstract transformer is complete
12
Transformer x := y+z
  +  | neg |  0  | pos | ⊤
 neg | neg | neg |  ⊤  | ⊤
  0  | neg |  0  | pos | ⊤
 pos |  ⊤  | pos | pos | ⊤
  ⊤  |  ⊤  |  ⊤  |  ⊤  | ⊤
Check at home: the abstract transformer is not complete
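As an added example (not part of the slides), here is the sign mini-domain in Python with the two transformer tables above, plus finite-window checks of the two "check at home" items: whether each table entry is the best transformer (α∘f∘γ) and whether it is exact, i.e. whether γ(f#(a,b)) equals the set of concrete results. The window sizes are constructed assumptions of this example; a hit inside the window is a genuine precision loss, but the window cannot prove exactness in general.

```python
# Added example (not from the slides): sign mini-domain with the tables
# of slides 11 and 12 and finite-window checks of the "check at home" items.
from itertools import product

BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"
SIGNS = [BOT, NEG, ZERO, POS, TOP]

def alpha(values):
    """Best sign for a set of integers: join of the individual signs."""
    s = {NEG if v < 0 else POS if v > 0 else ZERO for v in values}
    return BOT if not s else next(iter(s)) if len(s) == 1 else TOP

def gamma(sign, window):
    """Concretisation restricted to a finite window (constructed sample)."""
    keep = {BOT: lambda v: False, NEG: lambda v: v < 0, ZERO: lambda v: v == 0,
            POS: lambda v: v > 0, TOP: lambda v: True}[sign]
    return {v for v in window if keep(v)}

def sign_mul(a, b):
    """Slide 11 table for x := y*z."""
    if BOT in (a, b): return BOT
    if ZERO in (a, b): return ZERO
    if TOP in (a, b): return TOP
    return POS if a == b else NEG

def sign_add(a, b):
    """Slide 12 table for x := y+z."""
    if BOT in (a, b): return BOT
    if a == ZERO: return b
    if b == ZERO: return a
    return a if a == b else TOP

def is_best(op, abs_op, inputs=range(-6, 7)):
    """True if every table entry equals alpha(op(gamma(a), gamma(b)))."""
    return all(abs_op(a, b) == alpha({op(y, z) for y in gamma(a, inputs)
                                       for z in gamma(b, inputs)})
               for a, b in product(SIGNS, repeat=2))

def inexact_entries(op, abs_op, inputs=range(-6, 7), check=range(-3, 4)):
    """Entries (a, b) where gamma(abs_op(a, b)) contains a value in `check`
    that no concrete pair (y, z) from `inputs` produces: a precision loss.
    `check` sits well inside `inputs` so window edges cause no false hits."""
    bad = []
    for a, b in product(SIGNS, repeat=2):
        results = {op(y, z) for y in gamma(a, inputs) for z in gamma(b, inputs)}
        if gamma(abs_op(a, b), check) - results:
            bad.append((a, b))
    return bad
```

Both tables turn out to be best transformers, yet addition loses precision on (pos, pos) and (neg, neg): γ(pos) contains 1, which is not the sum of two positive integers.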
13
Parity abstraction for variable x
Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
Parity = {⊥, E, O, ⊤}
GC_{C,Parity} = (C, α, γ, Parity)
γ(⊥) = ? γ(E) = ? γ(O) = ? γ(⊤) = ?
(Hasse diagram: ⊤ above E and O, which are above ⊥)
14
Transformer x := y+z
 + | E | O
 E | E | O
 O | O | E
15
Boxes (intervals): the box x ∈ [1,4], y ∈ [3,6] in the x-y plane
16
Non-relational abstractions cannot prove properties that hold simultaneously for several variables, e.g.
 – x = 2*y
 – x ≤ y
17
Practical aspects of non-relational abstractions
18
The abstraction
 – The abstract domain for variables x_1,…,x_n is the Cartesian product of a mini-domain D[x] for one variable: D[x_1] × … × D[x_n]
 – Need to implement join, meet, widening, narrowing just for the mini-domain
 – Usually a non-relational domain is associated with a Galois insertion: no reduction required; the Cartesian product is a reduced product
19
Sound assignment transformers
Let remove(S, x) be the operation that removes the factoid associated with x from S
Let factoid(S, x) be the operation that returns the factoid associated with x in S
x := c # S = remove(S, x) ∪ α({[x ↦ c]})
x := y # S = remove(S, x) ∪ {factoid(S, y)[x/y]}
x := y+c # S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}
x := y+z # S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}
x := y*c # S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}
x := y*z # S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}
20
Sound assume transformers
assume x=c # S = S ∪ α({[x ↦ c]})
assume x<c # S = …
assume x=y # S = S ∪ {factoid(S, y)[x/y]} ∪ {factoid(S, x)[y/x]}
assume x≠c # S = if S ⊑ α({[x ↦ c]}) then ⊥ else S
21
(Weakly-)relational abstractions
22
Relational abstractions
 – Represent correlations between all program variables: polyhedra; linear equalities
 – When correlations exist only between a few variables (usually 2) we say that the abstraction is weakly relational: linear relations example (discussed in class); zone abstraction (next); octagons; two-variable polyhedra
 – Usually the abstraction is defined as the reduced product of the abstract domain for every pair of variables
23
Zone abstraction
24
Zone abstraction [Miné]
 – Maintain bounded differences between pairs of program variables (useful for tracking array accesses)
 – Abstract state is a conjunction of linear inequalities of the form x − y ≤ c
Example (a zone in the x-y plane): x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
25
Difference bound matrices
 – Add a special V0 variable for the number 0
 – Represent non-existent relations between variables by +∞ entries
 – Convenient for defining the partial order between two abstract elements… ⊑ = ?
Example: the zone x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1, shown on the slide as a 3×3 matrix indexed by V0, x, y
26
Ordering DBMs: how should we order M1 ⊑ M2?
M1 = {x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1}
M2 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1}
(each shown on the slide as a DBM over V0, x, y)
27
Joining DBMs: how should we join M1 ⊔ M2?
M1 = {x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1}
M2 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1}
(each shown on the slide as a DBM over V0, x, y)
28
Widening DBMs: how should we widen M1 ∇ M2?
M1 = {x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1}
M2 = {x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1}
(each shown on the slide as a DBM over V0, x, y)
29
Potential graph
 – A vertex per variable
 – A directed edge with the weight of the inequality
 – Enables computing semantic reduction by shortest-path algorithms
Example: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 (graph over V0, x, y shown on the slide)
Can we tell whether a system of constraints is satisfiable?
30
Semantic reduction for zones
Apply the following rule repeatedly: from x − y ≤ c, y − z ≤ d and x − z ≤ e derive x − z ≤ min{e, c+d}
When should we stop?
Theorem 3.3.4. Best abstraction of potential sets and zones: m* = (Pot ∘ Pot)(m)
31
Zones assignment transformers
remove(S, x): removes the x-factoids from S
factoid(S, x): returns all x-factoids in S
x := c # S = remove(S, x) ∪ …?
x := y+c # S = remove(S, x) ∪ …?
x := -y # S = remove(S, x) ∪ …?
x := y-z # S = remove(S, x) ∪ …?
x := y+z # S = …?
32
Zones assignment transformers
remove(S, x): removes the x-factoids from S
factoid(S, x): returns all x-factoids in S
x := c # S = remove(S, x) ∪ {x−V0≤0, V0−x≤0}
x := y+c # S = remove(S, x) ∪ {x−y≤c, y−x≤−c}
x := -y # S = remove(S, x) ∪ {x≤c | V0−y≤c}
x := y-z # S = remove(S, x) ∪ {x≤c} where c = min{c_1−c_2 | y−a≤c_1, z−a≤c_2}
x := y+z # S = x := y-t #( t := -z # S)
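The DBM operations asked about on slides 25 to 32, as an added Python example that is not from the slides: closure by Floyd-Warshall (the semantic reduction rule), satisfiability via negative cycles in the potential graph, the order, join and widening, and the x := y + c transformer. The matrix convention (m[i][j] bounds v_i − v_j, with V0 at index 0) and the variable set {V0, x, y} are assumptions of this example.

```python
# Added example (not from the slides): a tiny DBM zone domain over V0, x, y.
# Assumed convention: m[i][j] = c encodes v_i - v_j <= c, v_0 = V0 = 0,
# and inf means "no constraint" (the +inf entries of slide 25).
from itertools import product
from math import inf

V0, X, Y, N = 0, 1, 2, 3   # variable indices and matrix size

def dbm(*cons):
    """Build a DBM from (i, j, c) triples meaning v_i - v_j <= c."""
    m = [[0 if i == j else inf for j in range(N)] for i in range(N)]
    for i, j, c in cons:
        m[i][j] = min(m[i][j], c)
    return m

def close(m):
    """Semantic reduction (slide 30): Floyd-Warshall applies x-z <= min{e, c+d}."""
    m = [row[:] for row in m]
    for k, i, j in product(range(N), repeat=3):
        m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    return m

def satisfiable(m):
    """Unsatisfiable iff the potential graph (slide 29) has a negative cycle."""
    c = close(m)
    return all(c[i][i] >= 0 for i in range(N))

def le(m1, m2):
    """Order (slide 26): compare the closed forms entry by entry."""
    c1, c2 = close(m1), close(m2)
    return all(c1[i][j] <= c2[i][j] for i, j in product(range(N), repeat=2))

def join(m1, m2):
    """Join (slide 27): pointwise max of the closed forms."""
    c1, c2 = close(m1), close(m2)
    return [[max(c1[i][j], c2[i][j]) for j in range(N)] for i in range(N)]

def widen(m1, m2):
    """Widening (slide 28): keep stable bounds, drop the ones m2 relaxes."""
    return [[m1[i][j] if m2[i][j] <= m1[i][j] else inf for j in range(N)] for i in range(N)]

def assign_plus_const(m, x, y, c):
    """Slide 32, x := y + c with y != x: remove(S, x), then add x-y<=c, y-x<=-c."""
    m = [[inf if x in (i, j) and i != j else v for j, v in enumerate(row)]
         for i, row in enumerate(m)]
    m[x][y], m[y][x] = c, -c
    return close(m)

M1 = dbm((X, V0, 5), (V0, X, -1), (Y, V0, 3), (X, Y, 1))               # slides 26/28
M2 = dbm((X, V0, 4), (V0, X, -1), (Y, V0, 3), (V0, Y, -1), (X, Y, 1))  # slide 25
```

Closing M1 already tightens x ≤ 5 to x ≤ 4 (from x − y ≤ 1 and y ≤ 3), which is why ordering and joining must be done on closed forms.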
33
More numerical domains
34
Octagon abstraction [Miné-01]
 – Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c
 – Captures relationships common in programs (array access)
35
Some inequality-based relational domains (figure; label: policy iteration)
36
What is the polyhedron abstraction? How do we abstract a circle? (figure: a circle in the x-y plane)
37
Equality-based domains
 – Simple congruences [Granger’89]: y = a mod k
 – Linear relations: y = a*x + b (join operator a little tricky)
 – Linear equalities [Karr’76]: a_1*x_1 + … + a_k*x_k = c
 – Polynomial equalities: a_1*x_1^{d_1}*…*x_k^{d_k} + b_1*y_1^{z_1}*…*y_k^{z_k} + … = c; some good results are obtainable when d_1 + … + d_k < n for some small n
38
Next lecture: alias analysis