Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions

1. Spring 2014Program Analysis and Verification Lecture 14: Numerical Abstractions Roman Manevich Ben-Gurion University

2. Syllabus

3. Previously Composing abstract domains (and GCs) Widening and narrowing Interval domain

4. Today • Abstractions for properties of numeric variables • Classification: • Relational vs. non-relational • Equalities vs. non-equalities • Zones

5. Numerical Abstractions By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons

6. Overview • Goal: infer numeric properties of program variables (integers, floating point) • Applications • Detect division by zero, overflow, out-of-bound array access • Help non-numerical domains • Classification • Non-relational • (Weakly-)relational • Equalities / Inequalities • Linear / non-linear • Exotic

7. Implementation

8. Non-relational abstractions

9. Non-relational abstractions • Abstract each variable individually • Constant propagation [Kildall’73] • Intervals (Box) • Covered in lecture 13 • Sign • Parity (congruences) • Assignment 3: arithmetic progressions

10. Sign abstraction for variable x  neg pos 0  Concrete lattice: C = (2State, , , , , State) Sign = {, neg, 0, pos, } GCC,Sign=(C, , , Sign) () = ? (neg) = ? (0) = ? (pos) = ? () = ? How can we represent 0?

11. Transformer x:=y*z Check at home: Abstract transformer is complete

12. Transformer x:=y+z Check at home: Abstract transformer is not complete

13. Parity abstraction for variable x  E O  Concrete lattice: C = (2State, , , , , State) Parity = {, E, O, } GCC,Parity=(C, , , Parity) () = ? (E) = ? (O) = ? () = ?

14. Transformer x:=y+z

15. Boxes (intervals) y 6 5 y  [3,6] 4 3 2 1 0 1 2 3 4 x • x  [1,4]

16. Non-relational abstractions • Cannot prove properties that hold simultaneous for several variables • x = 2*y • x ≤ y

17. Practical aspectsof Non relational abstractions

18. The abstraction • Abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain for one variable D[x] • D[x1]  …  D[xn] • Need to implement join, meet, widening, narrowing just for mini-domain • Usually a non-relational is associated with a Galois Insertion • No reduction required • The Cartesian product is a reduced product

19. Sound assignment transformers Let remove(S, x) be the operation that removes the factoid associated with x from S Let factoid(S, x) be the operation that returns the factoid associated with xin S x := c# S = remove(S, x)  ({[xc]}) x := y# S = remove(S, x)  {factoid(S, y)[x/y]} x := y+c# S = remove(S, x)  {factoid(S, y)[x/y] + c} x := y+z# S = remove(S, x)  {factoid(S, y)[x/y] + factoid(S, z)[x/z]} x := y*c# S = remove(S, x)  {factoid(S, y)[x/y] * c} x := y*z# S = remove(S, x)  {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

20. Sound assumetransformers assumex=c# S = S  ({[xc]}) assumex<c# S = … assumex=y# S = S  {factoid(S, y)[x/y]}  {factoid(S, x)[y/x]} assumexc# S = if S  ({[xc]}) then  else S

21. (Weakly-)relational abstractions

22. Relational abstractions • Represent correlations between all program variables • Polyhedra • Linear equalities • When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational • Linear relations example (discussed in class) • Zone abstraction (next) • Octagons • Two-variable polyhedra • Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables

23. Zone abstraction

24. Zone abstraction [Mine] y 6 x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 5 4 3 2 1 0 1 2 3 4 x Maintain bounded differences between a pair of program variables (useful for tracking array accesses) Abstract state is a conjunction of linear inequalities of the form x-yc

25. Difference bound matrices x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 Add a special V0 variable for the number 0 Represent non-existent relations between variables by +entries Convenient for defining the partial order between two abstract elements… =?

26. Ordering DBMs x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 M2 = How should we order M1 M2?

27. Joining DBMs x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 M1 = x ≤ 2 −x ≤ −1 y ≤ 0 x − y ≤ 1 M2 = How should we join M1 M2?

28. Widening DBMs x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 M2 = How should we widen M1M2?

29. Potential graph x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 V0 3 -1 -1 3 x y 1 Can we tell whether a system of constraints is satisfiable? A vertex per variable A directed edge with the weight of the inequality Enables computing semantic reduction by shortest-path algorithms

30. Semantic reduction for zones Apply the following rule repeatedlyx - y ≤ c y - z ≤ d x - z ≤ e x - z ≤ min{e, c+d} When should we stop? Theorem 3.3.4. Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)

31. More numerical domains

32. Octagon abstraction [Mine-01] • captures relationships common in programs (array access) Abstract state is an intersection of linear inequalities of the form x yc

33. Some inequality-basedrelational domains policy iteration

34. Equality-based domains • Simple congruences [Granger’89]: y=a mod k • Linear relations: y=a*x+b • Join operator a little tricky • Linear equalities [Karr’76]: a1*x1+…+ak*xk = c • Polynomial equalities:a1*x1d1*…*xkdk + b1*y1z1*…*ykzk+ … = c • Some good results are obtainable whend1+…+dk < n for some small n

35. Next lecture:alias analysis