Inferring Disjunctive Postconditions


  1. Inferring Disjunctive Postconditions
     Corneliu Popeea and Wei-Ngan Chin, School of Computing, National University of Singapore. ASIAN 2006.

  2. Motivation: Infer Precise Invariants
     x:=0;
     while (x<len(A)) {                       /* l1 */
       if (…) { /* check if a new minimum has been found */ m:=x; }
       x:=x+1;
     }
     return A[m];                             /* assert (0 ≤ m < len(A)) */
     • Compute an invariant at l1 over inputs (x,m,s) and outputs (x',m'), where s stands for len(A):
       $(x,m,s,x',m') :- (x \ge s \wedge x'=x \wedge m'=m) \vee (x < s \wedge x'=s \wedge m'=m) \vee (x < s \wedge x'=s \wedge x \le m' < x')$
     • What invariant at l1 proves the assertion?

  3. Related: Numerical Abstract Domains
     Conjunctive numerical abstract domains:
     • Interval domain: $\pm x \le c$ [Cousot et al: ISOP'76]
     • Polyhedron domain: $a_1x_1 + \dots + a_nx_n \le c$ [Cousot et al: POPL'78]
     Disjunctive numerical abstract domains:
     • Powerset extension of an abstract domain [Cousot et al: POPL'79]
     • Powerset widening [Bagnara et al: VMCAI'04] [Gulavani et al: TACAS'06]
     • Hulling based on Hausdorff distance [Sankaranarayanan et al: SAS'06]

  4. Overview
     • Constraint abstraction: collected from the method body.
     • Conjunctive fixpoint analysis.
     • Disjunctive fixpoint analysis.
     • Experimental results.

  5. Constraint Abstraction
     • A method is translated to a constraint abstraction:
       void mnD (ref int x) { if x>0 { x:=x-1; mnD(x); } else () }
       $mnD(x,x') = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge \exists x_1.(x_1 = x-1 \wedge mnD(x_1,x')))$
       (the recursive call is $mnD(x,x')$ under the substitution from formal to actual arguments $[x \to x_1, x' \to x']$)
     • Next step: derive the least fixpoint (lfp) of this recursive constraint.

  6. Abstract Domain of Polyhedra [Cousot-Halbwachs: POPL'78]
     Defined as a lattice $\langle L, \sqsubseteq, \bot, \top, \sqcup, \sqcap \rangle$:
     • abstract element: conjunction of linear inequalities (convex polyhedron)
     • partial order: $F_1 \sqsubseteq F_2 = F_1 \Rightarrow F_2$
     • bottom: $\bot = \mathit{False}$
     • top: $\top = \mathit{True}$
     • lub: $F_1 \sqcup F_2 = hull(F_1 \vee F_2)$
     • glb: $F_1 \sqcap F_2 = F_1 \wedge F_2$
     The constraint abstraction (CAbst) is a monotone function $f : L \to L$: $\forall F_1, F_2 \in L$, if $F_1 \sqsubseteq F_2$ then $f(F_1) \sqsubseteq f(F_2)$.

  7. Fixpoint Analysis
     $mnD(F) = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge \exists x_1.(x_1 = x-1 \wedge F[x \to x_1, x' \to x']))$
     (a relation over inputs $x$ and outputs $x'$)
     • $mnD_0 = \mathit{False}$
     • $mnD_{i+1} = mnD(mnD_i)$
     • Ascending chain: $\mathit{False} \sqsubseteq mnD_1 \sqsubseteq mnD_2 \sqsubseteq \dots \sqsubseteq mnD_i \sqsubseteq \dots$

  8. Conjunctive Fixpoint Analysis
     $mnD_1 = mnD(\mathit{False}) = (x \le 0 \wedge x'=x)$
     $mnD_2 = mnD(mnD_1) = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge \exists x_1.(x_1 = x-1 \wedge mnD_1[x \to x_1, x' \to x']))$
            $= hull((x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0)) = (x-1 \le x' \le x \wedge x' \le 0)$
     $mnD_3 = mnD(mnD_2) = (x-2 \le x' \le x \wedge x' \le 0)$
     • The lattice of polyhedra has infinite height: use a widening operator.
       $mnD^W_2 = widen(mnD_2, mnD_3) = (x' \le x \wedge x' \le 0)$
     • A post-fixpoint has been found when $mnD(mnD_i) \Rightarrow mnD_i$:
       $mnD^W_3 = mnD(mnD^W_2) = (x' \le x \wedge x' \le 0)$

  9. Conjunctive Analysis
     • $mnD_{CONJ} = (x' \le x \wedge x' \le 0)$
     • $mnD_{DISJ} = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge x' = 0)$
       $mnD_1 = (x \le 0 \wedge x'=x)$
       $mnD_2 = (x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0)$
       $mnD_3 = (x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0) \vee (x = 2 \wedge x' = 0)$
       ...
     • More precision? Disjunctive analysis.

  10. Powerset Abstract Domain of Polyhedra
     Defined as a semi-lattice $\langle L, \sqsubseteq, \bot, \top, \sqcup \rangle$:
     • abstract element: m-bounded disjunction of convex polyhedra
     • partial order: $F_1 \sqsubseteq F_2 = F_1 \Rightarrow F_2$
     • bottom: $\bot = \mathit{False}$
     • top: $\top = \mathit{True}$
     • lub: $F_1 \sqcup F_2 = hull_m(F_1 \vee F_2)$

  11. Disjunctive Fixpoint Analysis
     • Key problems:
       • Maintain precision at reasonable cost.
       • Ensure termination of the analysis (with a widening operator).
     • Main contributions:
       • Use disjunct affinity to lift both the hulling and widening operators from the conjunctive to the disjunctive domain.
       • Precise and fairly efficient disjunctive polyhedra analysis.

  12. $hull_m$: Selective Hulling
     • Given $F = \bigvee_{i=1}^{n} \varphi_i$ (where the $\varphi_i$ are conjunctive formulae):
     • find the most affine disjuncts for hulling (according to some affinity measure)
     • ensure the number of disjuncts does not exceed m

  13. 1 2 3 4 Geometrical Intuition for Affinity • A good affinity-measure: • should be able to quantify how precisely (1Ç 2) can be approximated by hull (the convex-hull result) Compare 1Ç2 with hull Identify perfect match (100% affinity)

  14. 1 2 3 4 Affinity Measures (1) • Based on Hausdorff distance [SAS'06]: h-heur(P,Q) = maxx2 P{ miny 2 Q {|x - y|}} • Not able to distinguish among (1,2) and (3,4) (they have similar Haus-distances). • Less appropriate for a relational domain.

  15. 1 2 3 4 Affinity Measures (2) • Planar-Affinity: p-heur(1,2) = mset = { c 2 (1[2) | hull) c} • Detects that (3,4) has higher affinity. • Suited for relational domains.

  16. Example: $hull_m$ and Planar Affinity
     • $mnD_3 = (x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0) \vee (x = 2 \wedge x' = 0)$   $(F_1 \vee F_2 \vee F_3)$
     • $affin_{hull}$ matrix over $(F_1, F_2, F_3)$ [figure]
     • $hull_2(F_1 \vee F_2 \vee F_3) = (F_1 \vee hull(F_2 \vee F_3)) = (x \le 0 \wedge x'=x) \vee (1 \le x \le 2 \wedge x' = 0)$

  17. Overview
     • Collect a constraint abstraction corresponding to the method body.
     • Background: conjunctive fixpoint analysis.
     • Disjunctive fixpoint analysis:
       • find related disjuncts for hulling
       • powerset widening operator
     • Experimental results.

  18. Powerset Widening
     Given $F_1 = \bigvee d_i$ and $F_2 = \bigvee e_j$ ($d_i$, $e_j$ are conjunctive formulae):
     • find pairs of related disjuncts $d_i$ and $e_j$
     • compute widening on the conjunctive domain: $f_i = (d_i \nabla e_j)$
     • result is: $F_1 \nabla_m F_2 = \bigvee f_i$
     Related work:
     • Bagnara et al [VMCAI'04]: propose to use a connector to combine elements in $F_2$ (e.g. each connected element will approximate some element from $F_1$)
     • Gulavani et al [TACAS'06]: specify a recipe for a connector, but rely on the ability to find one minimal element from a set of polyhedra

  19. Powerset Widening $\nabla_m$
     [figure: disjuncts $d_1, d_2$ and $e_1, e_2$]
     • Our solution: find pairs of related disjuncts based on planar affinity.
     • Planar affinity is a good indicator for the number of conjuncts preserved in the result of widening.
       $(d_1 \vee d_2) \nabla_m (e_1 \vee e_2) = (d_1 \nabla e_1) \vee (d_2 \nabla e_2)$

  20. Summary: Disjunctive Fixpoint Analysis
     $mnD_1 = mnD(\mathit{False}) = (x \le 0 \wedge x'=x)$
     $mnD_2 = mnD(mnD_1) = hull_2((x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0)) = (x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0)$
     $mnD_3 = mnD(mnD_2) = hull_2((x \le 0 \wedge x'=x) \vee (x = 1 \wedge x' = 0) \vee (x = 2 \wedge x' = 0)) = (x \le 0 \wedge x'=x) \vee (1 \le x \le 2 \wedge x' = 0)$
     • The lattice has infinite height: use a widening operator.
       $mnD^W_2 = mnD_2 \nabla_m mnD_3 = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge x' = 0)$
     • A post-fixpoint has been found when $mnD(mnD_i) \Rightarrow mnD_i$:
       $mnD^W_3 = mnD(mnD^W_2) = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge x' = 0)$

  21. Implementation
     • Haskell + Omega library [Pugh et al]
     • Automate disjunctive postcondition inference.
     • Does it give more precise results?
     • Benchmarks: numerical programs written in a C-like language.

  22. Experimental Results
     • Infer postconditions with different values for m.
     • Most precise POST:
       m=2 (binary search, bubble sort, init array)
       m=3 (queens, quick sort, LU, Linpack)
       m=4 (SOR)
       m=5 (merge sort)

  23. Experimental Results (II)
     • Array bound checks elimination.
     • Programs proved as safe: m=2 (bubble sort, init array), m=4 (merge sort, SOR)
     • Planar affinity proves more checks redundant than the Hausdorff-based affinity.
     • Disjunctive analysis is useful: as m increases, the number of checks not proven decreases gradually.

  24. Summary
     • Disjunctive polyhedra analysis via affinity:
       • selective hulling
       • powerset widening
     • Implementation of a modular static analyzer based on the disjunctive polyhedra domain.
     • Potential for a trade-off between precision and analysis cost.

  25. The End

  26. Convex-Hull Operator
     [figure: the $(x, x')$ plane with the lines $x' = x$ and $x - 1 = x'$]
     $\varphi_1 = (x \le 0 \wedge x'=x)$
     $\varphi_2 = (x = 1 \wedge x' = 0)$
     $hull(\varphi_1 \vee \varphi_2) = (x-1 \le x' \le x \wedge x' \le 0)$

  27. Widening Operator
     [figure: the $(x, x')$ plane with the bounds $x' \le x$, $x-1 \le x'$ and $x-2 \le x'$]
     $\varphi_1 = (x-1 \le x' \le x \wedge x' \le 0)$
     $\varphi_2 = (x-2 \le x' \le x \wedge x' \le 0)$
     $widen(\varphi_1, \varphi_2) = (x' \le x \wedge x' \le 0)$

  28. Quick Sort Example

  29. Quick Sort Example (II)
     • Conjunctive analysis: discovers a lower bound for the result: $(res \ge n)$
     • 3-disjunctive analysis: the result is a valid index: $(0 \le res < s)$

  30. References
     • [Cousot-Halbwachs: POPL'78] Automatic discovery of linear restraints among variables of a program.
     • [Bagnara et al: VMCAI'04] Widening Operators for Powerset Domains.
     • [Gulavani-Rajamani: TACAS'06] Counterexample Driven Refinement for Abstract Interpretation.
     • [Sankaranarayanan et al: SAS'06] Static Analysis in Disjunctive Numerical Domains.

  31. Constraint Abstraction
     • From a method, the analysis generates a constraint abstraction: $meth \Rightarrow \varphi$
     • Constraint language:
       $\varphi ::= \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \exists x.\varphi \mid mn(x^*) \mid s$   (constraint)
       $s ::= a_1x_1 + \dots + a_nx_n \le a$   (linear inequality)
       $a \in \mathbb{Z}$, $x \in Var$, $mn \in \mathit{Meth\text{-}Name}$

  32. $hull_m$: Selective Hulling
     • Given $F = \bigvee_{i=1}^{n} \varphi_i$ (where the $\varphi_i$ are conjunctive formulae):
     • find the most affine disjuncts for hulling (according to some affinity measure)
     • ensure the number of disjuncts does not exceed m
       $hull_m(F) = $ if $(n \le m)$ then $F$ else $hull_m(F - \{\varphi_i, \varphi_j\} \cup hull(\varphi_i, \varphi_j))$
       such that $\forall a, b \in 1..n : affin_{hull}(\varphi_i, \varphi_j) \ge affin_{hull}(\varphi_a, \varphi_b)$

  33. Affinity for Hulling
     • Compute:
       hull operation: $hull = hull(\varphi_1 \vee \varphi_2)$
       approximation due to the hull: $approx = hull \wedge \neg(\varphi_1 \vee \varphi_2)$
     • $affin_{hull}(\varphi_1, \varphi_2) = $ if $(approx = \mathit{False})$ then 100 else if $(hull = \mathit{True})$ then 0 else $heur(\varphi_1, \varphi_2)$

  34. Example: $\nabla_m$ and Planar Affinity
     • $mnD_3 = (x \le 0 \wedge x'=x) \vee (1 \le x \le 2 \wedge x' = 0)$   $(d_1 \vee d_2)$
     • $mnD_4 = (x \le 0 \wedge x'=x) \vee (1 \le x \le 3 \wedge x' = 0)$   $(e_1 \vee e_2)$
     • $affin_{widen}$ matrix [figure]
     • $mnD_3 \nabla_m mnD_4 = (d_1 \nabla e_1) \vee (d_2 \nabla e_2) = (x \le 0 \wedge x'=x) \vee (x > 0 \wedge x' = 0)$
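The selective hulling of slides 32 and 33 and the affinity-paired powerset widening of slides 18, 19 and 34, as an added example that is not the authors' Haskell/Omega implementation. To stay self-contained it swaps the polyhedra domain for the interval domain (a disjunct is a closed interval with infinite ends allowed, so relational facts such as x'=x are not representable) and uses a gap-length heuristic as a stand-in for planar affinity; the names hull_m, affin_hull, widen and widen_m are chosen here, and all inputs are constructed.

```python
INF = float("inf")

def hull(p, q):
    """Convex hull of two intervals: the smallest interval containing both."""
    return (min(p[0], q[0]), max(p[1], q[1]))

def affin_hull(p, q):
    """affin_hull as on slide 33: 100 when the hull is exact (approx = False),
    0 when the hull is top (True), otherwise a heuristic.  The heuristic here
    is a stand-in for planar affinity: it shrinks with the gap the hull fills."""
    h = hull(p, q)
    gap = max(q[0] - p[1], p[0] - q[1], 0)   # length of approx = hull and not (p or q)
    if gap == 0:
        return 100
    if h == (-INF, INF):
        return 0
    return 100 / (1 + gap)

def hull_m(disjuncts, m):
    """Selective hulling (slide 32): while more than m disjuncts remain,
    replace the pair with the highest affinity by its hull."""
    f = list(disjuncts)
    while len(f) > m:
        pairs = [(i, j) for i in range(len(f)) for j in range(i + 1, len(f))]
        i, j = max(pairs, key=lambda ij: affin_hull(f[ij[0]], f[ij[1]]))
        f = [d for k, d in enumerate(f) if k not in (i, j)] + [hull(f[i], f[j])]
    return f

def widen(p, q):
    """Conjunctive-domain widening on intervals: a bound that grew from p to q
    is dropped to infinity, which guarantees termination of the ascending chain."""
    return (p[0] if q[0] >= p[0] else -INF, p[1] if q[1] <= p[1] else INF)

def widen_m(f1, f2):
    """Powerset widening (slides 18/19): pair each disjunct d_i of f1 with its
    most affine unpaired disjunct e_j of f2, widen the pairs on the conjunctive
    domain, and keep the disjuncts of f2 that found no partner."""
    result, unpaired = [], list(f2)
    for d in f1:
        if not unpaired:
            break
        e = max(unpaired, key=lambda e: affin_hull(d, e))
        unpaired.remove(e)
        result.append(widen(d, e))
    return result + unpaired

if __name__ == "__main__":
    # constructed inputs: slide-34's d1,d2 / e1,e2 projected onto x
    print(hull_m([(-INF, 0), (5, 5), (6, 6)], 2))            # keeps x<=0, merges 5 and 6
    print(widen_m([(-INF, 0), (1, 2)], [(-INF, 0), (1, 3)]))  # x<=0 and x>=1, as on the slide
```

With the projected slide-34 inputs the widening pairs each d_i with the e_j of affinity 100 and yields (x ≤ 0) ∨ (x ≥ 1), the interval shadow of the slide's (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0).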

  35. Loops are Analyzed as Methods
     • Transform loops into tail-recursive functions.
     • The proposed fixpoint analysis works both for loops and for general recursion:
       • nested loops
       • mutually recursive methods