Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University.

1 Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University

2 Syllabus
Semantics: Natural Semantics; Structural semantics; Axiomatic Verification
Static Analysis: Automating Hoare Logic; Control Flow Graphs; Equation Systems; Collecting Semantics
Abstract Interpretation fundamentals: Lattices; Fixed-Points; Chaotic Iteration; Galois Connections; Domain constructors; Widening/Narrowing
Analysis Techniques: Numerical Domains; CEGAR; Alias analysis; Shape Analysis; Interprocedural Analysis
Crafting your own: Soot; From proofs to abstractions; Systematically developing transformers

3 Previously
– Solving monotone systems via chaotic iteration
– Relating abstract semantics and concrete semantics: Galois connection, sound abstract transformers, partial reduction
– Implementing transformers

4 Vanilla algorithm
Problem definition:
1. Lattice of properties L of finite height (ACC)
2. For each statement define a monotone transformer
Preparation:
1. Parse program into AST
2. Convert AST into CFG
3. Generate system of equations from CFG
Analysis:
1. Initialize each analysis variable with ⊥
2. Update all analysis variables of each equation until reaching a fixed point
Note: this is non-incremental; most variables don't change between rounds.

5 Chaotic iteration
Input:
– A cpo L = (D, ⊑, ⊔, ⊥) satisfying ACC
– Lⁿ = L × L × … × L
– A monotone function f : Dⁿ → Dⁿ
– A system of equations { X[i] = F[i](X) | 1 ≤ i ≤ n }
Output: lfp(f)
A worklist-based algorithm:
for i := 1 to n do X[i] := ⊥
WL := {1, …, n}
while WL ≠ ∅ do
  i := pop WL   // choose index non-deterministically
  N := F[i](X)
  if N ≠ X[i] then
    X[i] := N
    add all the indexes that directly depend on i to WL
    (X[j] depends on X[i] if F[j] contains X[i])
return X
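The worklist algorithm above, written out as an added example (this is not code from the lecture or the course project). It runs the same equation system with the slide's worklist and with the vanilla "re-evaluate everything each round" algorithm of the previous slide and counts transformer evaluations, which is the point of the "non-incremental" remark. The lattice (a flat constant lattice for a single variable), the constructed CFG for x := 0; while (…) { x := x+1 } and the dependency table DEPS are this example's own assumptions.

```python
# Added example (not from the lecture slides): chaotic iteration with a worklist
# over a system of monotone equations, compared with the vanilla round-robin
# algorithm that re-evaluates every equation until nothing changes.
#
# Lattice used here (an assumption of this example): a single-variable
# constant-propagation lattice with BOT ⊑ any integer ⊑ TOP.

BOT, TOP = "⊥", "⊤"

def join(u, v):
    """Least upper bound in the flat constant lattice."""
    if u == BOT:
        return v
    if v == BOT:
        return u
    return u if u == v else TOP

def plus(u, k):
    """Abstract transformer for x := x + k."""
    if u in (BOT, TOP):
        return u
    return u + k

# Constructed CFG for:  x := 0; while (...) { x := x + 1 }
# Analysis variables: 0 = entry, 1 = after x := 0, 2 = loop head,
# 3 = after x := x + 1 (loop body), 4 = loop exit.
# Each F[i] reads other variables from X and returns the new value for X[i].
F = [
    lambda X: TOP,                  # entry: x is unknown
    lambda X: 0,                    # x := 0
    lambda X: join(X[1], X[3]),     # loop head: join of entry edge and back edge
    lambda X: plus(X[2], 1),        # body: x := x + 1
    lambda X: X[2],                 # exit: the loop condition is not tracked
]
# DEPS[i] = indexes j whose equation F[j] mentions X[i]
DEPS = {0: [], 1: [2], 2: [3, 4], 3: [2], 4: []}

def chaotic_iteration(F, deps):
    """Worklist algorithm from the slide; returns (solution, evaluation count)."""
    n = len(F)
    X = [BOT] * n
    wl = list(range(n))
    evals = 0
    while wl:
        i = wl.pop(0)               # any choice order is sound; FIFO here
        new = F[i](X)
        evals += 1
        if new != X[i]:
            X[i] = new
            for j in deps[i]:       # only the dependents are re-scheduled
                if j not in wl:
                    wl.append(j)
    return X, evals

def vanilla(F):
    """Re-evaluate every equation in each round until a full round changes nothing."""
    n = len(F)
    X = [BOT] * n
    evals = 0
    changed = True
    while changed:
        changed = False
        for i in range(n):
            new = F[i](X)
            evals += 1
            if new != X[i]:
                X[i] = new
                changed = True
    return X, evals

if __name__ == "__main__":
    print(chaotic_iteration(F, DEPS))   # ([⊤, 0, ⊤, ⊤, ⊤], 9)
    print(vanilla(F))                   # ([⊤, 0, ⊤, ⊤, ⊤], 15)
```

Both algorithms reach the same least fixed point (x is 0 after the initialisation and ⊤ everywhere the back edge has been joined in), but the worklist version evaluates only equations whose inputs changed, so on this tiny system it needs 9 transformer applications where the vanilla algorithm needs 15, and the gap widens with the size of the CFG.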

6 Relating the concrete domain with the abstract domain

7 Galois Connection
Given two complete lattices
C = (D_C, ⊑_C, ⊔_C, ⊓_C, ⊥_C, ⊤_C) – concrete domain
A = (D_A, ⊑_A, ⊔_A, ⊓_A, ⊥_A, ⊤_A) – abstract domain
A Galois Connection (GC) is a quadruple (C, α, γ, A) that relates C and A via the monotone functions
– The abstraction function α : D_C → D_A
– The concretization function γ : D_A → D_C
such that for every concrete element c ∈ D_C and abstract element a ∈ D_A:
α(γ(a)) ⊑ a and c ⊑ γ(α(c))
Alternatively: α(c) ⊑ a iff c ⊑ γ(a)

8 Galois Connection: c ⊑ γ(α(c))
(diagram: c in C, its abstraction α(c) in A, and γ(α(c)) back in C; α(c) is the most precise (least) element in A representing c)

9 Galois Connection: α(γ(a)) ⊑ a
(diagram: a in A, its concretization γ(a) in C, and α(γ(a)) back in A; γ(a) is what a represents in C, its meaning)

10 Relating abstract transformers to concrete transformers

11 Sound abstract transformer
Given two lattices
C = (D_C, ⊑_C, ⊔_C, ⊓_C, ⊥_C, ⊤_C)
A = (D_A, ⊑_A, ⊔_A, ⊓_A, ⊥_A, ⊤_A)
and GC_{C,A} = (C, α, γ, A) with
– a concrete transformer f : D_C → D_C
– an abstract transformer f# : D_A → D_A
We say that f# is a sound transformer (w.r.t. f) if
∀c: f(c) = c' ⇒ α(c') ⊑ f#(α(c))
Equivalently, for every a: α(f(γ(a))) ⊑_A f#(a)

12 Transformer soundness condition 1
(diagram: c and c' = f(c) in C; α(c) and f#(α(c)) in A)
∀c: f(c) = c' ⇒ α(c') ⊑ f#(α(c))

13 Transformer soundness condition 2
(diagram: a and a' = f#(a) in A; γ(a), f(γ(a)) and γ(a') in C)
∀a: f#(a) = a' ⇒ f(γ(a)) ⊑ γ(a')

14 Best (induced) transformer
(diagram: a ↦ γ(a) ↦ f(γ(a)) ↦ α(f(γ(a))))
f#(a) = α(f(γ(a)))
Problem: γ is not computable directly

15 Best abstract transformer [CC'77]
Best in terms of precision
– Most precise abstract transformer
– May be too expensive to compute
Constructively defined as f# = α ∘ f ∘ γ
– Induced by the GC
Not directly computable because the first step is concretization
We often compromise for a "good enough" transformer
– Useful tool: partial concretization

16 Global (fixed point) soundness theorems

17 Soundness theorem 1
(diagram: the chains f, f², f³, …, fⁿ, … up to lfp(f) in C and f#, f#², f#³, …, f#ⁿ, … up to lfp(f#) in A, related by γ)
∀a ∈ D_A: f(γ(a)) ⊑ γ(f#(a)) ⇒
∀a ∈ D_A: fⁿ(γ(a)) ⊑ γ(f#ⁿ(a)) ⇒
∀a ∈ D_A: lfp(fⁿ)(γ(a)) ⊑ γ(lfp(f#ⁿ)(a)) ⇒
lfp(f) ⊑ γ(lfp(f#))

18 Soundness theorem 2
(diagram: the chains f, f², f³, …, fⁿ, … up to lfp(f) in C and f#, f#², f#³, …, f#ⁿ, … up to lfp(f#) in A, related by α)
∀c ∈ D_C: α(f(c)) ⊑ f#(α(c)) ⇒
∀c ∈ D_C: α(fⁿ(c)) ⊑ f#ⁿ(α(c)) ⇒
∀c ∈ D_C: α(lfp(f)(c)) ⊑ lfp(f#)(α(c)) ⇒
lfp(f) ⊑ γ(lfp(f#))

19 A recipe for a sound static analysis
– Define an "appropriate" operational semantics
– Define "collecting" structural operational semantics
– Establish a Galois connection between collecting states and abstract states
– Local correctness: show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
– Global correctness: conclude that the analysis is sound

20 Today
Question: given existing abstract interpreters (GC + transformers), can we reuse them to construct a new abstract interpreter?
– Composing abstract domains (and GCs)
– Reduced product
– Implementing composition of analyses

21 Composing lattices

22 Three example analyses
Abstract states are conjunctions of constraints
Variable Equalities
– VE-factoids = { x=y | x, y ∈ Var } ∪ {false}
– VE = (2^VE-factoids, ⊇, ∩, ∪, false, ∅)
Constant Propagation
– CP-factoids = { x=c | x ∈ Var, c ∈ Z } ∪ {false}
– CP = (2^CP-factoids, ⊇, ∩, ∪, false, ∅)
Available Expressions
– AE-factoids = { x=y+z | x ∈ Var, y, z ∈ Var ∪ Z } ∪ {false}
– AE = (2^AE-factoids, ⊇, ∩, ∪, false, ∅)

23 Lattice combinators reminder
Cartesian Product
– L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1), L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
– Cart(L1, L2) = (D1 × D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart)
Disjunctive completion
– L = (D, ⊑, ⊔, ⊓, ⊥, ⊤)
– Disj(L) = (2^D, ⊑_∪, ⊔_∪, ⊓_∪, ⊥_∪, ⊤_∪)
Relational Product
– Rel(L1, L2) = Disj(Cart(L1, L2))

24 Cartesian product of complete lattices
For two complete lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
Define the poset L_cart = (D1 × D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart) as follows:
– (x1, x2) ⊑cart (y1, y2) iff x1 ⊑1 y1 and x2 ⊑2 y2
Lemma: L_cart is a complete lattice
Define the Cartesian constructor L_cart = Cart(L1, L2)

25 Composing Galois connections

26 Goal
Given two Galois connections, can we combine them to form a new Galois connection?

27 Product connection: abstraction
(diagram) In the CP × VE lattice, the collecting-lattice element {[a ↦ 9, c ↦ 9]} is abstracted by α to ({a=9, c=9}, {c=a}).

28 Product connection: concretization
(diagram) Concretizing ({a=9}, {c=a}) component by component: γ_CP({a=9}) = {[a ↦ 9, c ↦ 0], [a ↦ 9, c ↦ 1], …, [a ↦ 9, c ↦ 9], …} and γ_VE({c=a}) = {[a ↦ 9, c ↦ 9], [a ↦ 1, c ↦ 1], [a ↦ 2, c ↦ 2], …}.

29 Product connection: concretization
(diagram) The concretization of ({a=9}, {c=a}) is the intersection of the two sets above: {[a ↦ 9, c ↦ 9]}.

30 Cartesian product of GCs
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B)
Cartesian Product GC_{C,A×B} = (C, α_{C,A×B}, γ_{A×B,C}, A × B)
– α_{C,A×B}(X) = ?
– γ_{A×B,C}(Y) = ?

31 Cartesian product of GCs
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B)
Cartesian Product GC_{C,A×B} = (C, α_{C,A×B}, γ_{A×B,C}, A × B)
– α_{C,A×B}(X) = ⟨α_{C,A}(X), α_{C,B}(X)⟩
– γ_{A×B,C}(⟨Y1, Y2⟩) = γ_{A,C}(Y1) ⊓ γ_{B,C}(Y2)

32 Product vs. reduced product

33 Product vs. reduced product
(diagram) In the CP × VE lattice the elements ({a=9}, {c=a}), ({c=9}, {c=a}) and ({a=9, c=9}, {c=a}) all concretize to the same collecting-lattice element {[a ↦ 9, c ↦ 9]}.

34 Reduced product
For two complete lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
Define the reduced poset D1 ⊗ D2 = { (d1, d2) ∈ D1 × D2 | (d1, d2) = α(γ(d1, d2)) }
L1 ⊗ L2 = (D1 ⊗ D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart)
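The product connection of slides 27 to 34, as an added example (not code from the slides or the course): α and γ for CP and VE are built over a constructed finite universe of concrete states so that γ can be enumerated, the product α and γ are composed from them exactly as on slide 31, and the predicate is_reduced checks the membership condition of slide 34. The variable set {a, c}, the value range 0..9 and the fact encodings (a CP fact is a (variable, constant) pair, a VE fact a (variable, variable) pair) are this example's assumptions.

```python
# Added example, not from the slides: the Cartesian product of the CP and VE
# Galois connections over a constructed finite concrete universe, so that the
# concretization γ can be enumerated. Variable set, value range and fact
# encodings are this example's assumptions.
from itertools import product

VARS = ("a", "c")
VALUES = range(0, 10)          # constructed: each variable ranges over 0..9
FALSE = "false"                # bottom element of the CP and VE factoid lattices

def states_where(pred):
    """The collecting-lattice element: all concrete states over VARS satisfying pred."""
    return frozenset(frozenset(zip(VARS, vals))
                     for vals in product(VALUES, repeat=len(VARS))
                     if pred(dict(zip(VARS, vals))))

def alpha_cp(X):
    """α for CP: the fact x=c holds iff every state in X maps x to c."""
    if not X:
        return FALSE
    facts = set()
    for x in VARS:
        vals = {dict(s)[x] for s in X}
        if len(vals) == 1:
            facts.add((x, vals.pop()))
    return frozenset(facts)

def alpha_ve(X):
    """α for VE: the fact x=y holds iff every state in X gives x and y the same value."""
    if not X:
        return FALSE
    return frozenset((x, y) for i, x in enumerate(VARS) for y in VARS[i + 1:]
                     if all(dict(s)[x] == dict(s)[y] for s in X))

def gamma_cp(cp):
    """γ for CP: all states consistent with every constant fact."""
    if cp == FALSE:
        return frozenset()
    return states_where(lambda s: all(s[x] == c for x, c in cp))

def gamma_ve(ve):
    """γ for VE: all states consistent with every equality fact."""
    if ve == FALSE:
        return frozenset()
    return states_where(lambda s: all(s[x] == s[y] for x, y in ve))

def alpha_prod(X):
    """α_{C,A×B}(X) = (α_{C,A}(X), α_{C,B}(X)): abstract with each domain independently."""
    return (alpha_cp(X), alpha_ve(X))

def gamma_prod(Y):
    """γ_{A×B,C}(Y1, Y2) = γ_{A,C}(Y1) ⊓ γ_{B,C}(Y2); in the collecting lattice ⊓ is ∩."""
    cp, ve = Y
    return gamma_cp(cp) & gamma_ve(ve)

def is_reduced(Y):
    """Y belongs to the reduced product iff Y = α(γ(Y))."""
    return alpha_prod(gamma_prod(Y)) == Y

if __name__ == "__main__":
    one_state = states_where(lambda s: s["a"] == 9 and s["c"] == 9)   # {[a ↦ 9, c ↦ 9]}
    print(alpha_prod(one_state))                                        # ({a=9, c=9}, {c=a})
    print(is_reduced((frozenset({("a", 9)}), frozenset({("a", "c")}))))  # False
```

Running it reproduces the diagrams: ({a=9}, {c=a}) concretizes to the single state [a ↦ 9, c ↦ 9], but abstracting that state again yields the strictly smaller element ({a=9, c=9}, {c=a}), so the first element is not reduced while the second is.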

35 Cartesian product transformers
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A), F_A[st] : A → A
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B), F_B[st] : B → B
Cartesian Product GC_{C,A×B} = (C, α_{C,A×B}, γ_{A×B,C}, A × B)
– α_{C,A×B}(X) = (α_{C,A}(X), α_{C,B}(X))
– γ_{A×B,C}(Y1, Y2) = γ_{A,C}(Y1) ⊓ γ_{B,C}(Y2)
How should we define F_{A×B}[st] : A × B → A × B ?

36 Cartesian product transformers
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A), F_A[st] : A → A
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B), F_B[st] : B → B
Cartesian Product GC_{C,A×B} = (C, α_{C,A×B}, γ_{A×B,C}, A × B)
– α_{C,A×B}(X) = (α_{C,A}(X), α_{C,B}(X))
– γ_{A×B,C}(Y1, Y2) = γ_{A,C}(Y1) ⊓ γ_{B,C}(Y2)
How should we define F_{A×B}[st] : A × B → A × B ?
Idea: F_{A×B}[st](a, b) = (F_A[st] a, F_B[st] b)
Are component-wise transformers precise?

37 Cartesian product analysis example
Abstract interpreter 1: Constant Propagation
Abstract interpreter 2: Variable Equalities
Let's compare
– Running them separately and combining results
– Running the analysis with their Cartesian product
Program      CP analysis          VE analysis
a := 9;      {a=9}                {}
b := 9;      {a=9, b=9}           {}
c := a;      {a=9, b=9, c=9}      {c=a}

38 Cartesian product analysis example
Abstract interpreter 1: Constant Propagation
Abstract interpreter 2: Variable Equalities
Let's compare
– Running them separately and combining results
– Running the analysis with their Cartesian product
Program      CP analysis + VE analysis
a := 9;      {a=9}
b := 9;      {a=9, b=9}
c := a;      {a=9, b=9, c=9, c=a}

39 Cartesian product analysis example
Abstract interpreter 1: Constant Propagation
Abstract interpreter 2: Variable Equalities
Let's compare
– Running them separately and combining results
– Running the analysis with their Cartesian product
Program      CP × VE analysis
a := 9;      {a=9}
b := 9;      {a=9, b=9}
c := a;      {a=9, b=9, c=9, c=a}
Missing: {a=b, b=c}

40 Transformers for Cartesian product
Naïve (component-wise) transformers do not utilize information from both components
– Same as running the analyses separately and then combining the results
Can we treat the transformers of each analysis as black boxes and obtain the best transformer for their combination?

41 Can we combine transformers modularly?
There is no generic method that works for arbitrary abstract interpretations.

42 Implementing approximate reduced product

43 Reducing values for CP × VE
X = set of CP constraints of the form x=c (e.g., a=9)
Y = set of VE constraints of the form x=y
Reduce_{CP×VE}(X, Y) = (X', Y') such that (X', Y') ⊑ (X, Y)
Ideas?

44 Reducing values for CP × VE
X = set of CP constraints of the form x=c (e.g., a=9)
Y = set of VE constraints of the form x=y
Reduce_{CP×VE}(X, Y) = (X', Y') such that (X', Y') ⊑ (X, Y)
ReduceRight:
– if a=b ∈ X and a=c ∈ Y then add b=c to Y
ReduceLeft:
– if a=c and b=c ∈ Y then add a=b to X
Keep applying ReduceLeft and ReduceRight, and the reductions of each domain separately, until reaching a fixed point

45 All the code you need to obtain a basic CP × VE implementation

46 Implementing reduction for CP × VE

47 Transformers for Cartesian product
Do we get the best transformer by applying the component-wise transformer followed by reduction?
– Unfortunately, no (what's the intuition?)
– Can we do better?
– Logical Product [Gulwani and Tiwari, PLDI 2006]


49 A modular approach for approximating reduced product

50 Logical product
Assume A = (D, …) is an abstract domain that supports two operations, for x ∈ D:
– inferEqualities(x) = { a=b | γ(x) ⊨ a=b }: returns a set of equalities between variables that are satisfied in all states given by x
– refineFromEqualities(x, {a=b}) = y such that γ(x) = γ(y) and y ⊑ x

51 Need to implement interface
When the interface is not implemented, default versions of these operations are used

52 VE

53 CP

54 Implementing CP × VE × AE

55 Reducing Cartesian elements

56 Logical Product
Basically the strongest postcondition, safely abstracting the existential quantifier

57 Abstracting the existential
Reduce the pair; abstract away the existential quantifier for each domain

58 Combined analysis example

59 Teaching survey: distributed by email, anonymous; 20 prizes of 1000 ₪ will be raffled. I am interested in your feedback (also during the semester).

60 Disjunctive completion for path sensitivity

61 Information loss example (CP)
                                    {}
if (…) b := 5 else b := -5          {b=5} in the then branch, {b=-5} in the else branch
                                    {b=⊤} after the join
if (b>0) b := b-5 else b := b+5
assert b==0                         can't prove

62 Constant Propagation example
(diagram) All information about d is lost at the control-flow join

63 Disjunctive completion of a lattice
For a complete lattice L = (D, ⊑, ⊔, ⊓, ⊥, ⊤)
Define the powerset lattice L_∪ = (2^D, ⊑_∪, ⊔_∪, ⊓_∪, ⊥_∪, ⊤_∪)
⊑_∪ = ?  ⊔_∪ = ?  ⊓_∪ = ?  ⊥_∪ = ?  ⊤_∪ = ?
Lemma: L_∪ is a complete lattice
L_∪ contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
Define the disjunctive completion constructor L_∪ = Disj(L)

64 Disjunctive completion for GCs
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
Disjunctive completion GC_{C,P(A)} = (C, α_{C,P(A)}, γ_{P(A),C}, P(A))
– α_{C,P(A)}(X) = ?
– γ_{P(A),C}(Y) = ?

65 Disjunctive completion for GCs
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
Disjunctive completion GC_{C,P(A)} = (C, α_{C,P(A)}, γ_{P(A),C}, P(A))
– α_{C,P(A)}(X) = { α_{C,A}({x}) | x ∈ X }
– γ_{P(A),C}(Y) = ⊔ { γ_{A,C}(y) | y ∈ Y }
What about transformers?

66 Information loss example
                                    {}
if (…) b := 5 else b := -5          {b=5} in the then branch, {b=-5} in the else branch
                                    {b=5 ∨ b=-5} after the join
if (b>0) b := b-5 else b := b+5     {b=0}
assert b==0                         proved

67 Disj(CP) example

68 The base lattice CP
(Hasse diagram) Top element true; below it the pairwise incomparable constants …, {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …; bottom element false

69 The disjunctive completion of CP
(Hasse diagram) Bottom element false; above it the singletons {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …; above them the pairs {x=-2 ∨ x=-1}, {x=-2 ∨ x=0}, {x=-2 ∨ x=1}, {x=1 ∨ x=2}, …; then the triples {x=0 ∨ x=1 ∨ x=2}, {x=-1 ∨ x=1 ∨ x=-2}, …; and so on up to the top element true
What is the height of this lattice?

70 Mixing product and disjunctive completion

71 Taming disjunctive completion
Disjunctive completion is very precise
– Maintains correlations between states of different analyses
– Helps handle conditions precisely
– But very expensive: the number of abstract states grows exponentially
– May lead to non-termination
Base analysis (usually product) is less precise
– Analysis terminates if the analysis of each component terminates
How can we combine them to get more precision, yet ensure termination and avoid state explosion?

72 Taming disjunctive completion
Use different abstractions for different program locations
– At loop heads use the coarse abstraction (base)
– At other points use disjunctive completion
Termination is guaranteed (by the base domain)
Precision is increased inside the loop body

73 With Disj(CP)
while (…) {
  x := x+1
  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0
}
Doesn't terminate

74 With tamed Disj(CP)
while (…) {
  x := x+1
  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0
}
Terminates (CP at the loop head, Disj(CP) elsewhere; this is what CartDomain implements)
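The branch example of slides 61 and 66 and the loop example of slides 73 and 74, analysed by one added example (not code from the slides and not the course's CartDomain or DisjunctiveDomain classes). A CP state is a map from variables to a constant or ⊤, a Disj(CP) element is a list of such states, and the analysis can be run with plain CP everywhere, with Disj(CP) everywhere, or "tamed" with CP at the loop head only; the normalize step is the chain reduction of slide 76. The program encoding, the assumed initialisation x := 0 before the loop, the iteration cap and all names are this example's assumptions.

```python
# Added example (not the slides' or the course's code): the slide-61/66 branch
# and the slide-73/74 loop, analysed with CP, with Disj(CP), and with the tamed
# combination (CP at the loop head, Disj(CP) in the body). Program encoding,
# the initial x := 0 and the iteration cap are assumptions of this example.
TOP = "⊤"

def cp_join(s, t):
    """Join of two CP states (dicts var -> int or TOP), variable by variable."""
    return {v: (s[v] if s[v] == t[v] else TOP) for v in s}

def collapse(S):
    """Base-domain view: join every state of a disjunctive element into one CP state."""
    states = list(S)
    acc = dict(states[0])
    for s in states[1:]:
        acc = cp_join(acc, s)
    return [acc]

def leq(s, t):
    """s ⊑ t in CP: wherever the two differ, t must be TOP."""
    return all(t[v] == TOP or s[v] == t[v] for v in s)

def normalize(S):
    """Disjunctive reduction (slide 76): drop states subsumed by another state."""
    out = []
    for s in S:
        if not any(leq(s, t) and s != t for t in S) and s not in out:
            out.append(s)
    return out

def cp_join_sets(S, T):      # join used by the plain CP analysis
    return collapse(S + T)

def disj_join_sets(S, T):    # join used by Disj(CP)
    return normalize(S + T)

def assign_const(S, v, c):   # v := c
    return [dict(s, **{v: c}) for s in S]

def assign_add(S, v, k):     # v := v + k
    return [dict(s, **{v: TOP if s[v] == TOP else s[v] + k}) for s in S]

def filter_cmp(S, v, keep):
    """Condition on v: keep a state if its value may satisfy the test; TOP always may."""
    return [s for s in S if s[v] == TOP or keep(s[v])]

def body(S, join_fn):
    """One pass over the loop body; returns (states after the body, assertion proved?)."""
    S = assign_add(S, "x", 1)
    S = join_fn(assign_const(S, "b", 5), assign_const(S, "b", -5))    # if (...) b := 5 else b := -5
    pos = assign_add(filter_cmp(S, "b", lambda b: b > 0), "b", -5)    # if (b>0) b := b-5
    neg = assign_add(filter_cmp(S, "b", lambda b: b <= 0), "b", 5)    # else b := b+5
    S = join_fn(pos, neg)
    proved = all(s["b"] == 0 for s in S)                              # assert b==0
    return S, proved

def analyze(mode, max_iters=10):
    """Fixed point at the loop head for mode 'cp', 'disj' or 'tamed'.
    Returns (loop-head states, assertion proved, iterations), or None if no
    fixed point is reached within max_iters (the disjunctions keep growing)."""
    head = [{"x": 0, "b": TOP}]                   # assumed: x := 0 before the loop, b unknown
    inner = cp_join_sets if mode == "cp" else disj_join_sets
    at_head = disj_join_sets if mode == "disj" else cp_join_sets
    for it in range(1, max_iters + 1):
        after, proved = body(head, inner)
        new_head = at_head(head, after)
        if new_head == head:
            return head, proved, it
        head = new_head
    return None

if __name__ == "__main__":
    print(body([{"x": 0, "b": TOP}], cp_join_sets)[1])    # False: slide 61, CP can't prove it
    print(body([{"x": 0, "b": TOP}], disj_join_sets)[1])  # True: slide 66, Disj(CP) proves it
    for mode in ("cp", "tamed", "disj"):
        print(mode, analyze(mode))
```

Plain CP converges in two iterations but ends with b=⊤ at the assertion, Disj(CP) proves the assertion on every pass but its loop-head element gains a new state {x=k, b=0} each iteration and never stabilises, and the tamed variant collapses the head to {x=⊤, b=⊤} after the second iteration while still proving b==0 inside the body.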

75 DisjunctiveDomain(CP) example

76 Reducing disjunctive elements
A disjunctive set X may contain within it an ascending chain Y = a ⊑ b ⊑ c ⊑ …
We only need max(Y), so remove all the elements below it

77 Relational product construction

78 Cartesian product example
(diagram) All information about d is lost at the control-flow join

79 Relational product of lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
L_rel = (2^(D1 × D2), ⊑rel, ⊔rel, ⊓rel, ⊥rel, ⊤rel) as follows:
– L_rel = ?

80 Relational product of lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
L_rel = (2^(D1 × D2), ⊑rel, ⊔rel, ⊓rel, ⊥rel, ⊤rel) as follows:
– L_rel = Disj(Cart(L1, L2))
Lemma: L_rel is a complete lattice
What does it buy us?
– How does it relate to Cart(Disj(L1), Disj(L2))?
What about transformers?

81 Relational product of GCs
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B)
Relational Product GC_{C,P(A×B)} = (C, α_{C,P(A×B)}, γ_{P(A×B),C}, P(A × B))
– α_{C,P(A×B)}(X) = ?
– γ_{P(A×B),C}(Y) = ?

82 Relational product of GCs
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B)
Relational Product GC_{C,P(A×B)} = (C, α_{C,P(A×B)}, γ_{P(A×B),C}, P(A × B))
– α_{C,P(A×B)}(X) = { (α_{C,A}({x}), α_{C,B}({x})) | x ∈ X }
– γ_{P(A×B),C}(Y) = ⊔ { γ_{A,C}(y_A) ⊓ γ_{B,C}(y_B) | (y_A, y_B) ∈ Y }

83 Relational product example
(diagram) Correlations preserved
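The three abstractions that slides 80 to 83 ask the reader to compare, as an added example (not the slides' code): α of the Cartesian product CP × VE, α of the relational product Disj(Cart(CP, VE)) from slide 82, and α of Cart(Disj(CP), Disj(VE)), all applied to the same constructed set of two correlated concrete states. Concrete states are dicts, CP facts are (variable, constant) pairs, VE facts are (variable, variable) pairs with sorted names; these encodings and the sample states are this example's assumptions.

```python
# Added example (not from the slides): the Cartesian, relational and
# "Cart of Disj" abstractions of CP and VE applied to one constructed set of
# concrete states, to show which of them keeps correlations between states.
from itertools import combinations

def alpha_cp(X):
    """CP abstraction of a set of states: x=c iff every state binds x to c."""
    states = list(X)
    return frozenset((x, states[0][x]) for x in states[0]
                     if all(s[x] == states[0][x] for s in states))

def alpha_ve(X):
    """VE abstraction of a set of states: x=y iff every state agrees on x and y."""
    states = list(X)
    return frozenset((x, y) for x, y in combinations(sorted(states[0]), 2)
                     if all(s[x] == s[y] for s in states))

def alpha_cart(X):
    """α_{C,A×B}(X) = (α_{C,A}(X), α_{C,B}(X)): one CP fact set and one VE fact set for all of X."""
    return (alpha_cp(X), alpha_ve(X))

def alpha_rel(X):
    """α_{C,P(A×B)}(X) = { (α_{C,A}({x}), α_{C,B}({x})) | x ∈ X }: one (CP, VE) pair per state."""
    return frozenset(alpha_cart([s]) for s in X)

def alpha_cart_of_disj(X):
    """Cart(Disj(CP), Disj(VE)): per-state CP facts and per-state VE facts, but no longer paired."""
    return (frozenset(alpha_cp([s]) for s in X), frozenset(alpha_ve([s]) for s in X))

if __name__ == "__main__":
    # Constructed collecting-lattice element with two correlated states: a equals c
    # only in the first of them.
    X = [{"a": 1, "c": 1}, {"a": 2, "c": 3}]
    print(alpha_cart(X))           # (∅, ∅): neither domain alone sees anything
    print(alpha_rel(X))            # {({a=1, c=1}, {a=c}), ({a=2, c=3}, ∅)}
    print(alpha_cart_of_disj(X))   # ({{a=1, c=1}, {a=2, c=3}}, {{a=c}, ∅}): pairing lost
```

On the two-state input the Cartesian product loses everything, the relational product records that a=c holds exactly in the state where a=1 and c=1, and Cart(Disj(CP), Disj(VE)) keeps both per-state fact sets but forgets which CP state goes with which VE state, which is the difference slide 80 asks about.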

84 Function space construction

85 Function space
GC_{C,A} = (C, α_{C,A}, γ_{A,C}, A)
GC_{C,B} = (C, α_{C,B}, γ_{B,C}, B)
Denote the set of monotone functions from A to B by A → B
Define ⊔ for elements of A → B as follows:
(a1, b1) ⊔ (a2, b2) = if a1 = a2 then { (a1, b1 ⊔_B b2) } else { (a1, b1), (a2, b2) }
Reduced cardinal power GC_{C,A→B} = (C, α_{C,A→B}, γ_{A→B,C}, A → B)
– α_{C,A→B}(X) = ⊔ { (α_{C,A}({x}), α_{C,B}({x})) | x ∈ X }
– γ_{A→B,C}(Y) = ⊔ { γ_{A,C}(y_A) ⊓ γ_{B,C}(y_B) | (y_A, y_B) ∈ Y }
Useful when A is small and B is much larger
– E.g., typestate verification

86 Next lecture: abstract interpretation V

