1 / 42

Spring 2016 Program Analysis and Verification Lecture 13: Numerical Abstractions

Spring 2016 Program Analysis and Verification Lecture 13: Numerical Abstractions. Roman Manevich Ben-Gurion University. Tentative syllabus. Previously. Composing abstract domains (and GCs) Widening and narrowing Interval domain. Agenda. Abstractions for properties of numeric variables

rowdy
Download Presentation

Spring 2016 Program Analysis and Verification Lecture 13: Numerical Abstractions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spring 2016Program Analysis and Verification Lecture 13: Numerical Abstractions Roman Manevich Ben-Gurion University

  2. Tentative syllabus

  3. Previously Composing abstract domains (and GCs) Widening and narrowing Interval domain

  4. Agenda • Abstractions for properties of numeric variables • Classification: • Relational vs. non-relational • Equalities vs. non-equalities • Zones

  5. Numerical Abstractions By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons

  6. Overview • Goal: infer numeric properties of program variables (integers, floating point) • Applications • Detect division by zero, overflow, out-of-bound array access • Help non-numerical domains • Classification • Non-relational • (Weakly-)relational • Equalities / Inequalities • Linear / non-linear • Exotic

  7. Implementation

  8. Non-relational abstractions

  9. Non-relational abstractions • Abstract each variable individually • Constant propagation [Kildall’73] • Intervals (Box) • Covered in previous lecture • Sign • Parity (congruences) • Zones

  10. Sign abstraction for variable x  neg pos 0  • Concrete lattice: C = (2State, , , , , State) • Sign = {, neg, 0, pos, } • GCC,Sign=(C, , , Sign) • Concretization • () = • (neg) = • (0) = • (pos) = • () = • Abstraction • ({17}) = • ({17, 0}) = • ({-1, 1}) = • How can we represent 0?

  11. Transformer x:=y*z Is it complete?

  12. Transformer x:=y*z Check at home: Abstract transformer is complete

  13. Transformer x:=y+z Is it complete?

  14. Transformer x:=y+z Check at home: Abstract transformer is not complete

  15. Parity abstraction for variable x  E O  Concrete lattice: C = (2State, , , , , State) Parity = {, E, O, } GCC,Parity=(C, , , Parity) () = ? (E) = ? (O) = ? () = ?

  16. Transformer x:=y+z

  17. Transformer x:=y+z

  18. Boxes (intervals) y 6 5 y  [3,6] 4 3 2 1 0 1 2 3 4 x • x  [1,4]

  19. Non-relational abstractions • Cannot prove properties that hold simultaneous for several variables • x = 2*y • x ≤ y

  20. Practical aspectsof Non-relational abstractions

  21. The abstraction • Abstract domain for variables x1,…,xn is the Cartesian product of a sub-domain for one variable D[x] • D[x1]  …  D[xn] • Need to implement join, meet, widening, narrowing just for sub-domain • Usually a non-relational is associated with a Galois Insertion • No reduction required • The Cartesian product is a reduced product

  22. Sound assignment transformers Let remove(S, x) be the operation that removes the factoid associated with x from S Let factoid(S, x) be the operation that returns the factoid associated with x in S x := c# S = remove(S, x)  ({[xc]}) x := y# S = remove(S, x)  {factoid(S, y)[x/y]} x := y+c# S = remove(S, x)  {factoid(S, y)[x/y] + c} x := y+z# S = remove(S, x)  {factoid(S, y)[x/y] + factoid(S, z)[x/z]} x := y*c# S = remove(S, x)  {factoid(S, y)[x/y] * c} x := y*z# S = remove(S, x)  {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

  23. Sound assumetransformers assumex=c# S = S  ({[xc]}) assumex<c# S = … assumex=y# S = S  {factoid(S, y)[x/y]}  {factoid(S, x)[y/x]} assumexc# S = if S  ({[xc]}) then  else S

  24. (Weakly-)relational abstractions

  25. Relational abstractions • Represent correlations between all program variables • Polyhedra • Linear equalities • When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational • Linear relations example (discussed in class) • Zone abstraction (next) • Octagons • Two-variable polyhedra • Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables

  26. Zone abstraction

  27. Zone abstraction [Mine] y 6 x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 5 4 3 2 1 0 1 2 3 4 x Maintain bounded differences between a pair of program variables (useful for tracking array accesses) Abstract state is a conjunction of linear inequalities of the form x-yc

  28. Difference bound matrices x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 Add a special V0 variable for the number 0 Represent non-existent relations between variables by + entries Convenient for defining the partial order between two abstract elements… =?

  29. Ordering DBMs x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 M2 = How should we order M1 M2?

  30. Joining DBMs x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 M1 = x ≤ 2 −x ≤ −1 y ≤ 0 x − y ≤ 1 M2 = How should we join M1 M2?

  31. Widening DBMs x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 M1 = x ≤ 5 −x ≤ −1 y ≤ 3 x − y ≤ 1 M2 = How should we widen M1M2?

  32. Potential graph x ≤ 4 −x ≤ −1 y ≤ 3 −y ≤ −1 x − y ≤ 1 V0 3 -1 -1 3 x y 1 Can we tell whether a systemof constraints is satisfiable? Can you define a semantic reduction? A vertex per variable A directed edge with the weight of the inequality Enables computing semantic reduction by shortest-path algorithms

  33. Semantic reduction for zones Apply the following rule repeatedlyx - y ≤ c y - z ≤ d x - z ≤ e x - z ≤ min{e, c+d} When should we stop? Theorem 3.3.4. Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)

  34. Zones assignment transformers remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x)  …? x := y+c# S = remove(S, x)  …? x := -y# S = remove(S, x)  …? x := y-z# S = remove(S, x)  …? x := y+z# S = …?

  35. Zones assignment transformers remove(S, x): removes the x-factoids from S factoid(S, x): returns all x-factoids in S x := c# S = remove(S, x)  {x-V0≤c, V0-x≤c} x := y+c# S = remove(S, x)  {x-y≤c, y-x≤-c} x := -y# S = remove(S, x)  {x-V0≤c |V0-y≤c} {V0-x≤-c | y-V0≤c} x := y-z# S = remove(S, x)  {x≤c} wherec=min{c1-c2 | y-w≤c1, z-w≤c2} x := y+z# S = x := y-t#(t := -z# S)

  36. More numerical domains

  37. Octagon abstraction [Mine-01] • captures relationships common in programs (array access) Abstract state is an intersection of linear inequalities of the form x yc

  38. Some inequality-basedrelational domains policy iteration

  39. What is the polyhedron abstraction? y x How do we abstract a circle?

  40. Equality-based domains • Simple congruences [Granger’89]: y=a mod k • Linear equalities [Karr’76]: a1*x1+…+ak*xk = c • Polynomial equalities:a1*x1d1*…*xkdk + b1*y1z1*…*ykzk+ … = c • Some good results are obtainable whend1+…+dk < n for some small n

  41. Exercise: 2-linear relations Infer linear relations between pairs of variables: y=a*x+b Handout

  42. see you next time

More Related