
Lifting Abstract Interpreters to Quantified Logical Domains

Explore lifting abstract interpreters to quantified logical domains for safer program analysis and verification. Learn how to reason about arrays, pointers, and security properties using quantifiers in software domains.

mjester

Presentation Transcript


  1. Lifting Abstract Interpreters to Quantified Logical Domains. Sumit Gulwani (MSR), Bill McCloskey (UCB), Ashish Tiwari (SRI)

  2. Motivating Example
     Program: a[0] = 0; for (i = 1; i < n; i++) a[i] = 0;
     Postcondition: i ≥ n ∧ a[0] = 0 ∧ ∀k (0 ≤ k < i ⇒ a[k] = 0)

  3. How Are Quantifiers Useful?
     • Reasoning about arrays
       • ∀k (0 ≤ k < STRLEN(s) ⇒ s[k] ≠ '!')   (security properties)
       • ∀j, k (0 ≤ j < k < n ⇒ a[j] ≤ a[k])   (sorting)
     • Reasoning about pointer-based data structures
       • ∀u (R(hd, u) ∧ R(u, tl) ⇒ u→data = 0) means the list is initialized from hd to tl (diagram: R(u, v) is the reachability relation between nodes u and v)

  4. What Do Quantifiers Look Like?
     ∀k (0 ≤ k < n ⇒ a[k] = 0)
     Typically see only universal quantifiers. The guard (0 ≤ k < n) comes from some domain, e.g. linear arithmetic; the consequent (a[k] = 0) belongs to another domain, e.g. equality of uninterpreted functions. (Diagram labels: each part lives in a quantifier-free domain; the whole formula lives in the quantified domain.)
     • Goal: Create a universally quantified domain parameterized by base domains
     • Take advantage of existing domains, transfer functions

  5. Universally Quantified Domain
     Domain element definition: A ∧ ∀V1.(B1 ⇒ C1) ∧ ... ∧ ∀Vn.(Bn ⇒ Cn)
     Partial order definition: A ∧ ∀V.(B ⇒ C) ⊑ A' ∧ ∀V.(B' ⇒ C') if
       1. A ⊑ A'
       2. ∀V.(B ⇒ C) ⊑ ∀V.(B' ⇒ C'), i.e. A ∧ C ⊑ C' and A ∧ B' ⊑ B

  6. Transfer Function Example (program: A[0] := 0; i := 1; while (i < n) { A[i] := 0; i := i+1 })
     Entry: true
     After A[0] := 0; i := 1: i = 1 ∧ A[0] = 0
     After one pass through the body A[i] := 0; i := i+1: i = 2 ∧ A[0] = 0 ∧ A[1] = 0
     Invariant at the loop head (both branches of i < n) and at the exit: ?

  7. Transfer Function Example: Join Algorithm
     At the loop head the incoming facts i = 1 ∧ A[0] = 0 and i = 2 ∧ A[0] = 0 ∧ A[1] = 0 are joined in the base domain:
     1 ≤ i ≤ 2 ∧ A[0] = 0
     The fact A[1] = 0 is lost in the join; the loop-head invariant is still ?.

  8. Transfer Function Example: Join Algorithm with quantifier introduction
     The incoming facts are first turned into i = 1 ∧ ∀k(k = 0 ⇒ A[k] = 0) and i = 2 ∧ ∀k(0 ≤ k ≤ 1 ⇒ A[k] = 0).
     Joining them gives: 1 ≤ i ≤ 2 ∧ ∀k(0 ≤ k < i ⇒ A[k] = 0)

  9. Transfer Function Example: fixpoint
     After initialization: i = 1 ∧ ∀k(k = 0 ⇒ A[k] = 0)
     Loop head: 1 ≤ i ∧ ∀k(0 ≤ k < i ⇒ A[k] = 0)
     True branch of i < n: 1 ≤ i < n ∧ ∀k(0 ≤ k < i ⇒ A[k] = 0)
     After the body A[i] := 0; i := i+1: 2 ≤ i ≤ n ∧ ∀k(0 ≤ k < i ⇒ A[k] = 0)
     False branch (loop exit): i ≥ n ∧ ∀k(0 ≤ k < i ⇒ A[k] = 0)

  10. Outline
     • Join Algorithm
       • Quantifier introduction
       • Joining quantifiers
     • Experiments
     • Conclusion

  11. Quantifier Introduction
     • Quantified facts are drawn from standard facts in A
     • User gives a set of templates to guide quantification
     • Experiments show that few templates are needed
     Env fact: b[0] = 0; template: A[*] = c; quantified fact (result): ∀k (k = 0 ⇒ b[k] = 0)
     Env fact: b[0] ≤ b[1]; template: A[*] ≤ A[*]; quantified fact (result): ∀j, k (j = 0 ∧ k = 1 ⇒ b[j] ≤ b[k])

  12. Outline
     • Join Algorithm
       • Quantifier introduction
       • Joining quantifiers
     • Experiments
     • Conclusion

  13. Transfer Function Example: Join Algorithm (slide 8 revisited)
     Incoming facts at the loop head after quantifier introduction: i = 1 ∧ ∀k(k = 0 ⇒ A[k] = 0) and i = 2 ∧ ∀k(0 ≤ k ≤ 1 ⇒ A[k] = 0)
     Join: 1 ≤ i ≤ 2 ∧ ∀k(0 ≤ k < i ⇒ A[k] = 0)

  14. Joining Quantifiers
     • Goal: (AL ∧ ∀V.(BL ⇒ CL)) ⊔ (AR ∧ ∀V.(BR ⇒ CR))
     • The result A ∧ ∀V.(B ⇒ C) must be above both inputs in ⊑, so:
       • AL ∧ ∀V.(BL ⇒ CL) ⊑ A ∧ ∀V.(B ⇒ C)
       • AR ∧ ∀V.(BR ⇒ CR) ⊑ A ∧ ∀V.(B ⇒ C)
     • Based on the ⊑ definition:
       1. AL ⊑ A and AR ⊑ A, so A = AL ⊔ AR
       2. AL ∧ CL ⊑ C and AR ∧ CR ⊑ C; AL ∧ B ⊑ BL and AR ∧ B ⊑ BR

  15. Joining Quantifiers
     • From AL ∧ CL ⊑ C and AR ∧ CR ⊑ C: C = (AL ∧ CL) ⊔ (AR ∧ CR)
     • Rewriting AL ∧ B ⊑ BL and AR ∧ B ⊑ BR for B: B ⊑ ¬AL ∨ BL and B ⊑ ¬AR ∨ BR, or equivalently B ⊑ (AL ⇒ BL) and B ⊑ (AR ⇒ BR)
     • Best solution for B = (AL ⇒ BL) ∧ (AR ⇒ BR)
     • If it's not in the domain, pick the best under-approximation

  16. Under-Approximation Example
     • Compute (i = 1 ⇒ k = 0) ∧ (i = 2 ⇒ 0 ≤ k ≤ 1) in LA
     • 1st step: guess an over-approximation of the answer: (i = 1 ∧ k = 0) ⊔ (i = 2 ∧ 0 ≤ k ≤ 1) = (1 ≤ i ≤ 2 ∧ 0 ≤ k < i)
     • 2nd step: check if (0 ≤ k < i) is correct; refine if not: (0 ≤ k < i) ⇒ (i = 1 ⇒ k = 0) ∧ (i = 2 ⇒ 0 ≤ k ≤ 1)? YES
     Many details skipped. See paper!
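The transfer-function example of slides 6 to 9, the template-based quantifier introduction of slide 11 and the guess-then-check join of slides 14 to 16, as one added worked example. This is not the authors' implementation: it is a deliberately small instance of the construction, with assumptions stated in the comments. The base domain is an interval for the loop counter i (standing in for linear arithmetic); the quantified part is a single fact ∀k (glo(i) ≤ k ≤ ghi(i) ⇒ A[k] = 0) whose guard bounds are linear in i, with the consequent fixed to A[k] = 0; the only template is A[*] = c; and n is a fixed constant, so the fixpoint is reached without widening.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional, Tuple

# Added example, not the paper's code.  Assumption: guard bounds are linear in i.
Lin = Tuple[Fraction, Fraction]                     # (a, b) stands for the expression a*i + b

def lin(a, b) -> Lin:
    return (Fraction(a), Fraction(b))

def ev(e: Lin, i) -> Fraction:                      # value of a*i + b at a concrete i
    return e[0] * i + e[1]

def subst(e: Lin, d) -> Lin:                        # re-express e after i := i + d (old i = new i - d)
    return (e[0], e[1] - e[0] * d)

EMPTY = (lin(0, 1), lin(0, 0))                      # guard 1 <= k <= 0: no quantified fact at all

@dataclass(frozen=True)
class State:
    lo: int                                         # base element A (intervals): lo <= i <= hi
    hi: int
    glo: Lin                                        # quantified fact: forall k (glo(i) <= k <= ghi(i) => A[k] = 0)
    ghi: Lin

def introduce(index: Lin) -> Tuple[Lin, Lin]:
    """Quantifier introduction with template A[*] = c (slide 11):
    the base fact A[index] = 0 becomes forall k (k = index => A[k] = 0)."""
    return (index, index)

def guard_implies(s: State, b2: Tuple[Lin, Lin]) -> bool:
    """A(s) and b2  implies  B(s): b2 lies inside s's guard for every i in s's interval.
    Bounds are linear in i, so checking both endpoints suffices."""
    return all(ev(b2[0], i) >= ev(s.glo, i) and ev(b2[1], i) <= ev(s.ghi, i)
               for i in (s.lo, s.hi))

def leq(s: State, t: State) -> bool:
    """Partial order of slide 5: A <= A' and A and B' implies B.
    (The consequent is A[k] = 0 on both sides, so A and C implies C' holds trivially.)"""
    return t.lo <= s.lo and s.hi <= t.hi and guard_implies(s, (t.glo, t.ghi))

def merge(s: State, g2: Tuple[Lin, Lin]) -> Tuple[Lin, Lin]:
    """Conjoin a new quantified fact with the existing one.  Only the case where the
    new guard starts exactly where the old one ends (for every i) is merged; otherwise
    the new fact is dropped, which is sound but imprecise (a simplification of the paper)."""
    if all(ev(g2[0], i) == ev(s.ghi, i) + 1 for i in (s.lo, s.hi)):
        return (s.glo, g2[1])
    return (s.glo, s.ghi)

def body(s: State) -> State:
    """Transfer function for the loop body  A[i] := 0; i := i + 1."""
    glo, ghi = merge(s, introduce(lin(1, 0)))               # A[i] := 0 gives forall k (k = i => A[k] = 0)
    return State(s.lo + 1, s.hi + 1, subst(glo, 1), subst(ghi, 1))   # i := i + 1

def assume(s: State, lo: int, hi: int) -> Optional[State]:
    """Intersect the base interval with lo <= i <= hi; None is bottom."""
    nlo, nhi = max(s.lo, lo), min(s.hi, hi)
    return None if nlo > nhi else State(nlo, nhi, s.glo, s.ghi)

def fit(iL, yL, iR, yR) -> Lin:
    """The line through (iL, yL) and (iR, yR); needs iL != iR."""
    a = (yR - yL) / (iR - iL)
    return (a, yL - a * iL)

def join(L: State, R: State) -> State:
    """Join of slides 14-16: A = AL join AR, C is shared, and B under-approximates
    (AL => BL) and (AR => BR) by guess-then-check."""
    lo, hi = min(L.lo, R.lo), max(L.hi, R.hi)
    if (L.glo, L.ghi) == (R.glo, R.ghi):                    # step 1: guess an over-approximation
        cand = (L.glo, L.ghi)
    elif L.lo == L.hi and R.lo == R.hi and L.lo != R.lo:    # two point states: fit a line per bound
        cand = (fit(L.lo, ev(L.glo, L.lo), R.lo, ev(R.glo, R.lo)),
                fit(L.lo, ev(L.ghi, L.lo), R.lo, ev(R.ghi, R.lo)))
    else:
        cand = EMPTY
    if not all(guard_implies(side, cand) for side in (L, R)):   # step 2: check; refine if wrong
        cand = EMPTY
    return State(lo, hi, *cand)

def analyze(n: int) -> Tuple[State, Optional[State]]:
    """Fixpoint for  A[0] := 0; i := 1; while (i < n) { A[i] := 0; i := i + 1 }
    with n a fixed constant (no widening needed).  Returns (loop-head invariant, exit state)."""
    head = State(1, 1, *introduce(lin(0, 0)))              # after A[0] := 0; i := 1
    while True:
        inside = assume(head, -10**9, n - 1)                # true branch of i < n
        new = head if inside is None else join(head, body(inside))
        if new == head:
            return head, assume(head, n, 10**9)             # false branch: i >= n
        head = new

def zeroed_range(s: State, i: int) -> Tuple[Fraction, Fraction]:
    """Concrete reading of the quantified fact at a given value of i."""
    return (ev(s.glo, i), ev(s.ghi, i))

if __name__ == "__main__":
    head, exit_state = analyze(5)
    print("loop head:", head)             # 1 <= i <= 5, forall k (0 <= k <= i-1 => A[k] = 0)
    print("exit:", exit_state, "zeroed:", zeroed_range(exit_state, 5))   # A[0..4] = 0
```

The first join at the loop head is exactly slide 16: the two inputs are point states (i = 1 with guard k = 0, and i = 2 with guard 0 ≤ k ≤ 1), so the guess fits the line k ≤ i - 1 through the two upper bounds, and the check confirms that this guard, restricted to each input's value of i, implies that input's own guard. From the second iteration on both sides carry the same guard 0 ≤ k ≤ i - 1, so the guess is kept unchanged and the interval for i grows until i < n stops it; at the exit i = n and the quantified fact reads A[0..n-1] = 0. Whenever the check fails the code falls back to the empty guard, which is the trivial under-approximation: sound, but it is where a real implementation would refine instead.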

  17. Outline
     • Join Algorithm
       • Quantifier introduction
       • Joining quantifiers
     • Experiments
     • Conclusion

  18. Experiments
     Invariant: a[k] = b[k] for all k
     Invariant: All data fields of the list are zero

  19. Quantified Domain Construction Works!
     • Base domain D: partial order, transfer functions
     • Under-approximation operators for D (optional)
     • Quantified domain Q: 3x slowdown relative to D; transfer functions relatively complete
