1 / 40

Lifting Abstract Interpreters to Quantified Logical Domains (POPL’08)

This paper discusses the use of quantified abstract interpretation for reasoning about arrays, pointer-based data structures, and security properties in program analysis. It presents an overview of logical abstract interpretation, quantified abstract domains, and provides examples illustrating the usefulness of quantifiers in reasoning. The paper also covers partial orders, templates, join operations, transformers, soundness, correctness, termination, and under-approximation algorithms in the context of logical abstract interpretation.

ionab
Download Presentation

Lifting Abstract Interpreters to Quantified Logical Domains (POPL’08)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lifting Abstract Interpreters to Quantified Logical Domains(POPL’08) Presented by M.Raveendra Kumar Some of the slides adopted from author’s presentations

  2. Motivating Example a[0] = 0; for (i=1; i<n; i++) a[i] = 0; Post condition: i  n  a[0] = 0  k (0 ≤ k < i  a[k] = 0) Invariant: 1 ≤ i< n  k (0 ≤ k < i  a[k] = 0)

  3. How are Quantifiers Useful? • Reasoning about arrays • k (0 ≤ k < STRLEN(s)  s[k]  '!') • j, k (0 ≤ j < k < n  a[j] ≤ a[k]) • Reasoning about pointer-based data structures • u (R(hd, u)  R(u,tl)  udata = 0) means list is initialized from hd to tl Security properties Sorting u v R(u, v)

  4. Outline • Logical AI • Quantified abstract domain • Partial order • Templates & Quantifier introduction • Abstract interpretation • Join • Transformers • Soundness & correctness • Termination • Under-approximation algorithms

  5. Logical Abstract Interpretation • Logical Abstract Interpretation refers to the case when • D = logical formulas over theory T • ⊑= logical implication relationship, i.e., E ⊑E’ iff E ⟹TE’ • We will examine following examples of logical interpretation • D consists of finite conjunctions of atomic facts over T. • Combination of Linear Arithmetic and Uninterpreted Functions • D consists of universally quantified formulas over T which is our main topic

  6. G’ g G2 G1 False True G’ G2 = G’⋀¬:g G1 = G’⋀g y := e G =Join(G1,G2) = ⌈G1⋁G2⌉ Conditional Node G =Postcondition(y := e, G’) = ⌈ ∃y’: G’[y’/y] ⋀y=e[y’/y] ⌉ Join Node Assignment Node Transfer Functions for Logical A.I • TFs for a logical AI thus involve providing operators for over-approximating disjunction and existential quantifier elimination.

  7. Quantified Domain

  8. Lattice element • G isan element of quantified domain 𝓓⩝ • E , Fj , and ej are quantifier free facts from conjunctive domains 𝓓𝓪, 𝓓𝓫, and 𝓓𝓬. • These “base” domains are parameters to quantified domain. • Partial order, join operator and TFs of quantified defined in terms of “base” domain operators.

  9. Concreate Semantics • A program state iff, • and • For every , if is an extension of state with assignment to variables in such that , then, • In going forward we use “base” domains

  10. Running Example a[0] = 0; for (i=1; i<n; i++) a[i] = 0; i = 0; Program State a 3 i 50 n

  11. Partial order (⊑⩝) • Ideal partial order : G1 ⊑⩝ G2 if G1 ⟹⩝ G2 • Issues • Depends on base domain partial order • Induction to prove implication

  12. Partial order definition E  U.(F  e) ⊑⩝E'  U.(F'  e') if 1. E⊑E' E e⊑e' 2. U.(F  e) U. (F'  e') E F' ⊑F

  13. Example

  14. Abstract Interpreter - Overview • Quantifier introduction • Templates • Move facts from environment into quantified fact • Join computes ⌈⋁⌉ of two quantified facts which involves ⌊⋀⌋ of their quantifier guards • Assignment transfer function • ∃ quantifier elimination • Conditional transfer functions • Termination

  15. Quantifier Introduction • Quantified facts are drawn from standard facts in E • User gives set of templates to guide quantification • Experiments show that few templates are needed b[0] = 0 b[0] ≤ b[1] k (k = 0  b[k] = 0) j, k (j = 0  k = 1  b[j] ≤ b[k]) Env fact Template Quantified fact (result) A[*] = c b[0] = 0 k(k = 0  b[k] = 0) A[*] ≤A[*] j, k (j = 0  k = 1  b[j] ≤ b[k]) b[0] ≤ b[1]

  16. Join Ideal Join : GL⋁GR GL GR

  17. Ideal Join GL= ELV.(FLeL) ⊔⩝ GR = ER V.(FReR) EL¬ER⟹ FL ¬ELER⟹ FR ELER⟹ FLFR Not in the desired quantified fact form Valuations for quantified vars (FL,FR) Valuations to Environment Vars (EL,ER)

  18. Join G⩝ GL⋁GR GL GR Soundness : GL⟹ G⩝ and GR⟹ G⩝ Completeness : ifG#s.t GL⊑⩝G# and GR⊑⩝G#, thenG⩝ ⊑⩝G#

  19. Joining Quantifiers • Goal: (EL  U.(FL  eL))⊔⩝ (ER  U. (FR  eR)) • Result must be above both inputs in ⊔⩝, so: • EL  U.(FL  eL)⊑⩝E  U.(F  e) • ER  U.(FR  eR) ⊑⩝E  U.(F  e) • Based on ⊑⩝ definition: 1. EL⊑ E and ER⊑ E so E = EL⊔ER 2. EL eL⊑e ER eR⊑e U.(FL eL) U.(FR eR) F. (F  e) EL F⊑FL ER F⊑FR

  20. Joining Quantifiers • e = (EL eL) ⊔ (ER eR) • Rewriting for F: • Best solution for F = (EL FL)  (ER FR) • If it's not in domain, pick best under-approximation F ⊑ELFLand F ⊑ ER FR Why ? or, F ⊑ELFLand F ⊑ER FR EL eL⊑e ER eR⊑e U.(FL eL) U.(FR eR) F. (F  e) EL F⊑FL ER F⊑FR

  21. QuantifiedJoin Algorithm Join⩝ (EL  ⋀iUi.(FiL eiL))⊔⩝ (ER  ⋀iUi. (FiR eiR) • result:= Join𝒟(EL , ER) • foralli,j • F = ⌊ EL  FiL⋀ER FiR⌋ • e = Join𝒟 (EL⋀eiL, ER ⋀ eiR) • result := result ⋀ U(F  e ) • return result;

  22. Join - Example Requires Abduction

  23. AI Example true A[0] := 0; i := 1 i = 1  A[0] = 0 ? i = 2  A[0] = 0  A[1] = 0 ? i = 1  A[0] = 0 ? i < n T F ? i = 1  A[0] = 0 ? A[i] := 0; i := i+1 24

  24. AI Example true A[0] := 0; i := 1 Join Algorithm i = 1  A[0] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i = 1  A[0] = 0 i = 1  A[0] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i < n i < n i = 1  A[0] = 0 T T F F 1  i  2  A[0] = 0 ? i = 1  A[0] = 0 A[i] := 0; i := i+1 25

  25. AI Example true A[0] := 0; i := 1 Join Algorithm i = 1  A[0] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i = 1  A[0] = 0 i = 1  A[0] = 0 i = 1  k(k = 0  A[k] = 0) i = 2  k(0  k  1  A[k] = 0) i < n i < n i = 1  A[0] = 0 T T F F ? i = 1  A[0] = 0 1  i  2  k(0  k < i  A[k] = 0) A[i] := 0; i := i+1 26

  26. AI Example true A[0] := 0; i := 1 2  i  n  k(0  k < i  A[k] = 0) i = 1  k(k = 0  A[k] = 0) 1  i  k(0  k < i  A[k] = 0) i < n T F 1  i < n  k(0  k < i  A[k] = 0) i  n  k(0  k < i  A[k] = 0) A[i] := 0; i := i+1 27

  27. Assignment Transfer function Eliminate 𝓵

  28. Assignment TF • Key observation : • If G is quantified fact before assignment statement y := exp • and G’ = Eliminate⩝(G,y) is fact after eliminating y from G • Then G ⊑⩝G’ • For a moment assume y does not effect terms involving quantifier variables. • E ⇒ E’ , therefore E’ = Eliminate(E,y) • E ⋀ F’ ⇒ F, therefore F’ = ⌊⩝y(E ⇒ F)⌋ • E ⋀ e ⇒ e’, therefore e’ = Eliminate(E ⋀ e, y)

  29. Assignment TF - Eliminate⩝ • Eliminate ⩝(G, y): • Let G be E ⋀⩝U(F ⇒ e) • T := { t | t occurs in F or e; Vars(t) ∩ U  ∅} • F := F ∧ ⋀t∈TNotEffect(<y,G>, t); • E’ := EliminateD(E,y); • e’ := EliminateD(e∧E,y); • F’ := ⩝y(E⇒F) • return (E’ ⋀⩝U(F’ ⇒ e’)) • NotEffect(<y,G>, t) denotes a constraint gs.t.G ∧ gimplies that ydoes not affect t.

  30. Eliminating ∃ • Fix F : Eliminate affected instances • Fix F : Eliminate y from F • Fix e : Eliminate y from e – Provided by base domain • Fix E : Eliminate y from E – Provided by base domain

  31. Remove affected instances {} s: A[0] = 1 • Remove only instances that are impacted and leave the rest as is

  32. Eliminate yfrom F s : • Removing i from the guard (and E) is not sound (why ??) • Solution: Under approximate universal quantification

  33. Example Let G = (F[0]>10∧⩝k: 0·k<F[0]⇒F[k]>F[0] ) Then Eliminate ⩝(G, F[0]) = true ∧⩝k: F’⇒ e’, where T = { k, F[k] } NotEffect(<F[0],G>, F[k]) = k0 NotEffect(<F[0],G>, F[k]) = true F1= 0·k<F[0]∧k  0∧true = 1≤k<F[0] F’ = ⌊⩝F[0]: F[0]>10⇒1·k<F[0]⌋= 1 ≤ k<10 e’ = Eliminate(F[k]>F[0]∧F[0]>10, F[0]) = F[k]<10

  34. Widening and termination • Look at the paper

  35. Under-approximation of Operators • We need Under-approximation operators for • ⌊⋀⌋ during join operation • ⌊⋁⌋ during quantifier merging (not covered) • ⌊⩝⌋ during quantifier elimination • Issues • Under-approximation results should be in conjunctive domain. • Under-approximations should be in the context of environment and two inputs may different inputs. ⩝

  36. Solution - Abduction • Process of reasoning of a fact (observations) with assumptions given a set of assumed facts (knowledge). • F = abduct( E,F’) where F’ is a given base fact; formally E ∧ F ⇒ F’ • ⌊⋀⌋((F1,E1),(F2,E2)) := abduct(E1,F1) ∩abduct(E2,F2)

  37. ⌊⋀⌋ Algorithm F’’ = ⌊⋁⌋ ((F1∧E1),(F2 ∧ E2)) F = ∧ ((F1,E1),(F2,E2)) ⌊ F ⌋

  38. Example • Example 2 • Ans :

  39. Abduction Key Observation

  40. ⌊⩝⌋ Algorithm Key Observation

More Related