
Precise Inter-procedural Analysis

Precise Inter-procedural Analysis using Random Interpretation. Sumit Gulwani, George C. Necula. UC Berkeley. Presented by Kian Win Ong.


Presentation Transcript


  1. Precise Inter-procedural Analysis using Random Interpretation. Sumit Gulwani, George C. Necula, UC Berkeley. Presented by Kian Win Ong.

  2. Quick Overview. Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i).

  3. Quick Overview. Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i) ✗. Random testing needs to execute all 4 paths to verify the assertions.

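  4. Quick Overview. Input i = 3. Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i). States after the first branch: (i = 3, a = 0, b = 3) and (i = 3, a = 1, b = 2). Join with w1 = 5, a_join = w1 × a_false + (1 – w1) × a_true: i = 3, a = -4, b = 7.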

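  5. Quick Overview. Input i = 3. Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i) ✗. States after the first branch: (i = 3, a = 0, b = 3) and (i = 3, a = 1, b = 2); join with w1 = 5: i = 3, a = -4, b = 7. States after the second branch: (i = 3, a = -4, b = 7, c = -1) and (i = 3, a = -4, b = 7, c = 11); join with w2 = 2: i = 3, a = -4, b = 7, c = 23.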

  6. Random Interpretation • Random Testing: dynamically testing the program using randomly generated input • Pros: Simple implementation • Cons: Limited code coverage • Abstract Interpretation: statically analyzing selected properties of the program using symbolic execution • Pros: Static analysis • Cons: Conservative / Complicated

  7. Random Interpretation • Random Interpretation • statically analyzing selected properties of the program using symbolic random states • Pros: Static analysis, Simple implementation • Cons: Probabilistically sound • A small number of runs guarantees a high probability of soundness

  8. Intra-procedural Framework • Program Model: • State captured as polynomials, which are linear in program variables • Goal: • To detect equivalences between polynomials. Flowchart fragment: c := b – a | c := 2a + b; states (i = 3, a = -4, b = 7, c = -1) and (i = 3, a = -4, b = 7, c = 11); join with w = 2: i = 3, a = -4, b = 7, c = 23.

  9. Intra-procedural Framework • Algorithm • Choose random values for input variables • Execute assignments • Use property-specific Eval() to abstract program state as polynomials • Execute both branches of conditionals • Use Affine Join to combine both program states at join points • Compare polynomials to decide equality

  10. Intra-procedural Framework • Design of Eval()s • Property (abstraction) specific • Linear arithmetic: e := x | e1 ± e2 | c × e; P(e) := e • Un-interpreted functions: e := x | F(e); P(x) := x; P(F(e)) := c1 × P(e) + c2 • Completeness and Soundness • P(e1) = P(e2) iff e1 = e2 • Linearity • P(e) is linear in program variables

  11. Intra-procedural Framework • Affine Join • To combine (branched) program states at join points: ρ = φ_w(ρ1, ρ2). Flowchart: * branch (true, false): a := 0, b := i | a := i – 2, b := 2. States ρ1: i = 3, a = 0, b = 3 and ρ2: i = 3, a = 1, b = 2; with w = 5, ρ: i = 3, a = -4, b = 7. ρ(x) := w × ρ1(x) + (1 – w) × ρ2(x)

  12. Intra-procedural Framework • Affine Join • Completeness: If polynomials P1 and P2 are equivalent in states ρ1 and ρ2, then they are also equivalent in state ρ • Soundness: If polynomials P1 and P2 are not equivalent in either state ρ1 and ρ2, then it is unlikely that they are equivalent in state ρ • Generate a small number t of runs

  13. Inter-Procedural Extensions • Maintain symbolic state summaries • Generate multiple fresh runs

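  14. Inter-Procedural Extensions. Input i = 3. Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i) ✗. States after the first branch: (i = 3, a = 0, b = 3) and (i = 3, a = 1, b = 2); join with w1 = 5: i = 3, a = -4, b = 7. States after the second branch: (i = 3, a = -4, b = 7, c = -1) and (i = 3, a = -4, b = 7, c = 11); join with w2 = 2: i = 3, a = -4, b = 7, c = 23.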

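  15. Inter-Procedural Extensions. Inputs shown: i = 3, i = 2. Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i) ✓ ✗. States after the first branch: (i = 2, a = 0, b = 2) and (i = 2, a = 0, b = 2); join with w1 = 5: i = 2, a = 0, b = 2. States after the second branch: (i = 2, a = 0, b = 2, c = 2) and (i = 2, a = 0, b = 2, c = 2); join with w2 = 2: i = 2, a = 0, b = 2, c = 2.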

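  16. Inter-Procedural Extensions. 1. Maintain symbolic state summaries. Input i (symbolic). Flowchart: first * branch (true, false): a := 0, b := i | a := i – 2, b := 2; second * branch (false, true): c := b – a | c := 2a + b; then assert (a + b = i), assert (c = a + i). States after the first branch: (a = 0, b = i) and (a = i – 2, b = 2); join with w1 = 5: a = 8 – 4i, b = 5i – 8. States after the second branch: (a = 8 – 4i, b = 5i – 8, c = 8 – 3i) and (a = 8 – 4i, b = 5i – 8, c = 9i – 16); join with w2 = 2: a = 8 – 4i, b = 5i – 8, c = 21i – 40.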

  17. Inter-Procedural Extensions. Unsound way of summarizing multiple calls. Procedure A (input i): * branch (true, false): u := i + 1 | u := 3; states u = 3 and u = i + 1; join with w = 5: u = 5i – 7; return u. Procedure B: x := A(2), y := A(1), z := A(1); resulting values x = 3, y = -2, z = -2; assert (x = 3), assert (y = z).

  18. Inter-Procedural Extensions. 2. Generate multiple fresh runs. Procedure A (input i): * branch (true, false): u := i + 1 | u := 3. Run 1: states u = 3 and u = i + 1, join with w1 = 5: u = 5i – 7. Run 2: states u = i + 1 and u = 3, join with w2 = -2: u = 7 – 2i. return u. Procedure B: x := A(2), y := A(1), z := A(1). Fresh runs: x = 7(5i – 7, 7 – 2i), y = 3(5i – 7, 7 – 2i), z = 5(5i – 7, 7 – 2i); and x = 6(5i – 7, 7 – 2i), y = 0(5i – 7, 7 – 2i), z = 1(5i – 7, 7 – 2i). assert (x = 3), assert (y = z).
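The intra-procedural algorithm of slides 9 to 12, run on the Quick Overview program, as an added Python example (not code from the slides or from the paper's authors). The function names are made up here, and putting the weight w on the first-listed branch of each conditional is an assumption chosen because it reproduces the numbers on slides 4, 5 and 15.

```python
import random

def affine_join(w, s1, s2):
    """Slide 11: joined(x) = w * s1(x) + (1 - w) * s2(x) for every variable x."""
    return {x: w * s1[x] + (1 - w) * s2[x] for x in s1}

def interpret(i, w1, w2):
    """One run: execute both sides of each '*' conditional, then join them."""
    first = {"i": i, "a": 0, "b": i}           # a := 0;     b := i
    second = {"i": i, "a": i - 2, "b": 2}       # a := i - 2; b := 2
    s = affine_join(w1, first, second)
    first = dict(s, c=s["b"] - s["a"])          # c := b - a
    second = dict(s, c=2 * s["a"] + s["b"])     # c := 2a + b
    return affine_join(w2, first, second)

def check(state):
    """Evaluate both assertions on the single joined state."""
    return (state["a"] + state["b"] == state["i"],
            state["c"] == state["a"] + state["i"])

def verify(runs=4, seed=0, bound=10**6):
    """An assertion is reported as holding only if it holds in every run."""
    rng = random.Random(seed)                   # fixed seed: constructed sample runs
    verdicts = []
    for _ in range(runs):
        i, w1, w2 = (rng.randint(-bound, bound) for _ in range(3))
        verdicts.append(check(interpret(i, w1, w2)))
    return tuple(all(col) for col in zip(*verdicts))

if __name__ == "__main__":
    print(interpret(3, 5, 2), check(interpret(3, 5, 2)))   # slide 5
    print(interpret(2, 5, 2), check(interpret(2, 5, 2)))   # slide 15
    print(verify())
```

Expanding the joins gives c – (a + i) = –3 × w2 × (1 – w1) × (i – 2), so the false second assertion passes only for the unlucky choices i = 2, w1 = 1 or w2 = 0, which is why a few independent runs suffice.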
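Slides 17 and 18 side by side, as an added Python example (not code from the slides or from the paper's authors): reusing one summary run of Procedure A at every call site versus giving each call site its own affine combination of two summary runs. The function names are made up here, and reading the slide's "x = 7(5i – 7, 7 – 2i)" as a join with weight 7 is an assumption.

```python
def affine_join(w, p, q):
    """Join two linear polynomials in i, each stored as (coefficient of i, constant)."""
    return tuple(w * x + (1 - w) * y for x, y in zip(p, q))

def summarize_A(w):
    """Procedure A: '*' picks u := i + 1 or u := 3; the summary is their join."""
    return affine_join(w, (1, 1), (0, 3))       # (i + 1) joined with 3

def call(summary, arg):
    """Instantiate a summary polynomial at the actual argument."""
    coef, const = summary
    return coef * arg + const

def B_single_summary(w):
    """Slide 17: all three call sites reuse the same summary run."""
    s = summarize_A(w)
    x, y, z = call(s, 2), call(s, 1), call(s, 1)
    return x == 3, y == z

def B_fresh_runs(w1, w2, site_weights):
    """Slide 18: each call site joins two summary runs with its own weight."""
    s1, s2 = summarize_A(w1), summarize_A(w2)
    wx, wy, wz = site_weights
    x = call(affine_join(wx, s1, s2), 2)
    y = call(affine_join(wy, s1, s2), 1)
    z = call(affine_join(wz, s1, s2), 1)
    return x == 3, y == z

if __name__ == "__main__":
    print(summarize_A(5), summarize_A(-2))      # 5i - 7 and 7 - 2i
    print(B_single_summary(5))                  # y = z wrongly reported as holding
    print(B_fresh_runs(5, -2, (7, 3, 5)))       # y = z correctly rejected
```

A(2) returns 3 on both paths, so x = 3 survives any weights, while A(1) can return 2 or 3, so y = z is not an invariant and only the fresh-run version rejects it.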
