Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions

Spring 2014 Program Analysis and Verification

Lecture 14: Numerical Abstractions

Roman Manevich

Ben-Gurion University

Today

- Abstractions for properties of numeric variables
- Classification:
- Relational vs. non-relational
- Equalities vs. non-equalities
- Zones

Numerical Abstractions

[Figure: polyhedron image by Quilbert (own work, partially derived from en:Image:Poly.pov), GPL (http://www.gnu.org/licenses/gpl.html), via Wikimedia Commons]

Overview

- Goal: infer numeric properties of program variables (integers, floating point)
- Applications
- Detect division by zero, overflow, out-of-bound array access
- Help non-numerical domains
- Classification
- Non-relational
- (Weakly-)relational
- Equalities / Inequalities
- Linear / non-linear
- Exotic

Non-relational abstractions

- Abstract each variable individually
- Constant propagation [Kildall’73]
- Intervals (Box)
- Covered in lecture 13
- Sign
- Parity (congruences)
- Assignment 3: arithmetic progressions

Sign abstraction for variable x

[Hasse diagram of the Sign lattice: ⊥ at the bottom; neg, 0 and pos above it, pairwise incomparable; ⊤ at the top]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Sign = {⊥, neg, 0, pos, ⊤}

G_{C,Sign} = (C, α, γ, Sign)

γ(⊥) = ?

γ(neg) = ?

γ(0) = ?

γ(pos) = ?

γ(⊤) = ?

How can we represent 0?

Parity abstraction for variable x

[Hasse diagram of the Parity lattice: ⊥ at the bottom; E and O above it, incomparable; ⊤ at the top]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Parity = {⊥, E, O, ⊤}

G_{C,Parity} = (C, α, γ, Parity)

γ(⊥) = ?

γ(E) = ?

γ(O) = ?

γ(⊤) = ?

Non-relational abstractions

- Cannot prove properties that hold simultaneously for several variables, e.g.
- x = 2*y
- x ≤ y

The abstraction

- Abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain D[x] for a single variable:
- D[x1] × … × D[xn]
- Need to implement join, meet, widening, narrowing just for the mini-domain; the product applies them pointwise
- Usually a non-relational domain is associated with a Galois insertion
- No reduction required
- The Cartesian product is a reduced product

Sound assignment transformers

Let remove(S, x) be the operation that removes the factoid associated with x from S

Let factoid(S, x) be the operation that returns the factoid associated with x in S

⟦x := c⟧# S = remove(S, x) ∪ α({[x↦c]})

⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}

⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}

⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}

⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}

⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

(+ and * applied to factoids are the abstract operations of the mini-domain, e.g. neg + pos = ⊤ and neg * neg = pos in Sign)

Sound assume transformers

⟦assume x=c⟧# S = S ⊓ α({[x↦c]})

⟦assume x<c⟧# S = …

⟦assume x=y⟧# S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}

⟦assume x≠c⟧# S = if S ⊑ α({[x↦c]}) then ⊥ else S

(The last rule is sound only when γ(α({[x↦c]})) is exactly {[x↦c]}, as in constant propagation or for c = 0 in Sign. When α loses information about c, e.g. α gives pos for c = 3, "x is pos" does not rule out x ≠ 3, and the sound choice is to return S.)
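The Cartesian-product construction and the transformers on the two slides above, as an added example that is not part of the lecture: one Sign mini-domain per variable, an abstract state as a set of factoids, pointwise join, and the assignment/assume transformers. All names here (the Sign constants, remove, factoid, with_factoid, analyze) are this example's own, and the straight-line program it analyzes is constructed for the demonstration.

```python
# Added example, not from the lecture: the non-relational Sign domain as the
# Cartesian product of one mini-domain per variable, plus the assignment and
# assume transformers from the slides.  All names are this example's own.
BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"

def sign_leq(a, b):
    """Order of the Sign lattice: bot below everything, top above, rest incomparable."""
    return a == BOT or b == TOP or a == b

def sign_join(a, b):
    return b if sign_leq(a, b) else a if sign_leq(b, a) else TOP

def sign_meet(a, b):
    return a if sign_leq(a, b) else b if sign_leq(b, a) else BOT

def alpha(c):
    """Abstraction of a single integer constant."""
    return NEG if c < 0 else ZERO if c == 0 else POS

def sign_add(a, b):
    """Abstract +, written out as a table so soundness is visible: neg + pos = top."""
    if BOT in (a, b): return BOT
    if a == ZERO: return b
    if b == ZERO: return a
    return a if a == b and a != TOP else TOP

def sign_mul(a, b):
    """Abstract *: zero absorbs, equal signs give pos, mixed signs give neg."""
    if BOT in (a, b): return BOT
    if ZERO in (a, b): return ZERO
    if TOP in (a, b): return TOP
    return POS if a == b else NEG

# An abstract state S is a dict var -> sign (a missing var is top); None is bottom.
def remove(S, x):
    return {v: s for v, s in S.items() if v != x}

def factoid(S, x):
    return S.get(x, TOP)

def with_factoid(S, x, s):
    """remove(S, x) ∪ {x ↦ s}; a bottom factoid makes the whole state unreachable."""
    if s == BOT: return None
    return remove(S, x) if s == TOP else {**remove(S, x), x: s}

def assign_const(S, x, c):      # ⟦x := c⟧# S = remove(S, x) ∪ α({[x↦c]})
    return None if S is None else with_factoid(S, x, alpha(c))

def assign_var(S, x, y):        # ⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}
    return None if S is None else with_factoid(S, x, factoid(S, y))

def assign_add(S, x, y, z):     # ⟦x := y+z⟧#
    return None if S is None else with_factoid(S, x, sign_add(factoid(S, y), factoid(S, z)))

def assign_mul(S, x, y, z):     # ⟦x := y*z⟧#
    return None if S is None else with_factoid(S, x, sign_mul(factoid(S, y), factoid(S, z)))

def assume_eq_const(S, x, c):   # ⟦assume x=c⟧# S = S ⊓ α({[x↦c]})
    return None if S is None else with_factoid(S, x, sign_meet(factoid(S, x), alpha(c)))

def assume_neq_const(S, x, c):
    """⟦assume x≠c⟧#: refute the branch only if the factoid pins x to exactly c.
    In Sign that happens only for c == 0 (γ(0) = {0}); "x is pos" never rules out x ≠ 3."""
    if S is None: return None
    return None if (c == 0 and factoid(S, x) == ZERO) else S

def assume_eq_var(S, x, y):     # ⟦assume x=y⟧#: both variables get the meet of their factoids
    if S is None: return None
    m = sign_meet(factoid(S, x), factoid(S, y))
    S = with_factoid(S, x, m)
    return None if S is None else with_factoid(S, y, m)

def join(S1, S2):
    """Pointwise join: the only operator the product needs beyond the mini-domain's."""
    if S1 is None: return S2
    if S2 is None: return S1
    J = {}
    for v in set(S1) | set(S2):
        J = with_factoid(J, v, sign_join(factoid(S1, v), factoid(S2, v)))
    return J

def division_safe(S, d):
    """Division-by-zero check: the divisor's factoid must exclude 0 (or S is unreachable)."""
    return S is None or factoid(S, d) in (NEG, POS)

def analyze():
    # Constructed program:  y := 0; x := 5; z := x*x; w := y+z; assume w≠0; q := 10/w
    S = assign_const({}, "y", 0)
    S = assign_const(S, "x", 5)
    S = assign_mul(S, "z", "x", "x")
    S = assign_add(S, "w", "y", "z")
    S = assume_neq_const(S, "w", 0)
    safe_w = division_safe(S, "w")          # w ↦ pos, so 10/w is proved safe
    # Constructed branch:  if (*) x := 1 else x := -1;  then 10/x.
    # pos ⊔ neg = top: the domain cannot express "x ≠ 0", so the safe division is not proved.
    T = join(assign_const({}, "x", 1), assign_const({}, "x", -1))
    safe_x = division_safe(T, "x")
    return S, safe_w, T, safe_x
```

The second half of analyze is the precision loss the Sign lattice slide hints at: after the branch both arms are nonzero, but the only element above pos and neg is ⊤, so the division check fails even though the program is safe.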

Relational abstractions

- Represent correlations between all program variables
- Polyhedra
- Linear equalities
- When correlations exist only between a few variables (usually 2) we say that the abstraction is weakly relational
- Linear relations example (discussed in class)
- Zone abstraction (next)
- Octagons
- Two-variable polyhedra
- Usually the abstraction is defined as the reduced product of the abstract domains for all pairs of variables

Zone abstraction [Miné]

Constraints: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

[Figure: the zone defined by these constraints drawn in the x–y plane, axes from 0 to 6]

Maintain bounded differences between pairs of program variables (useful for tracking array accesses)

Abstract state is a conjunction of linear inequalities of the form x − y ≤ c

Difference bound matrices

Constraints: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

Add a special V0 variable for the number 0

Represent non-existent relations between variables by +∞ entries

Reading entry m[i][j] = c (row i, column j) as x_j − x_i ≤ c, the constraints above become:

        V0    x     y
  V0     0    4     3
  x     −1    0    +∞
  y     −1    1     0

Convenient for defining the partial order between two abstract elements… ⊑ = ?

Ordering DBMs

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

How should we order M1 ⊑ M2?

Joining DBMs

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1 }

How should we join M1 ⊔ M2?

Widening DBMs

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

How should we widen M1 ∇ M2?

Potential graph

Constraints: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

[Figure: directed graph with vertices V0, x and y, one edge per constraint, each labelled with the constraint's bound]

Can we tell whether a system of constraints is satisfiable?

A vertex per variable (plus V0)

A directed edge with the weight of the inequality: x_j − x_i ≤ c becomes an edge i → j of weight c

Enables computing semantic reduction by shortest-path algorithms; a negative-weight cycle means the constraints are unsatisfiable

Semantic reduction for zones

Apply the following rule repeatedly: x − y ≤ c ∧ y − z ≤ d ∧ x − z ≤ e ⟹ x − z ≤ min{e, c+d}

When should we stop?

Theorem 3.3.4. Best abstraction of potential sets and zones: m∗ = (α_Pot ∘ γ_Pot)(m), which is the shortest-path closure of m (computable by the Floyd–Warshall algorithm)
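The DBM slides from "Difference bound matrices" to "Semantic reduction for zones", worked as an added example that is not part of the lecture: the matrix encoding with V0, the pointwise order, join and widening, and the shortest-path closure that answers both the satisfiability question and the "when should we stop?" question. The index convention (m[i][j] = c means x_j − x_i ≤ c), the helper names, and the use of the slides' M1/M2 constraint sets are this example's own choices.

```python
# Added example, not from the lecture: the zone domain on difference-bound matrices.
# Convention: index 0 is V0 (the constant 0); m[i][j] = c encodes x_j - x_i <= c,
# so m[0][j] is an upper bound on x_j and m[j][0] an upper bound on -x_j.
INF = float("inf")

def empty_dbm(n):
    """n program variables plus V0, no constraints: the top element."""
    return [[INF] * (n + 1) for _ in range(n + 1)]

def from_constraints(n, cons):
    """cons is a list of (i, j, c) meaning x_j - x_i <= c; index 0 is V0."""
    m = empty_dbm(n)
    for i, j, c in cons:
        m[i][j] = min(m[i][j], c)
    return m

def leq(m1, m2):
    """Pointwise order: m1 ⊑ m2 iff every bound of m1 is at most the matching bound of m2."""
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

def join(m1, m2):
    """Pointwise max: the smallest zone containing both zones (exact on closed inputs)."""
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def widen(m1, m2):
    """Standard DBM widening: keep a bound that did not grow, give up (+inf) on one that did."""
    return [[a if b <= a else INF for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def close(m):
    """Semantic reduction = Floyd-Warshall shortest paths on the potential graph, i.e.
    the slide's rule x_j - x_i <= min(e, c + d) applied until nothing changes.
    Returns None when the zone is empty (a negative cycle, e.g. x <= 1 and -x <= -2)."""
    n = len(m)
    d = [row[:] for row in m]
    for i in range(n):
        d[i][i] = min(d[i][i], 0)          # x_i - x_i <= 0 always holds
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    if any(d[i][i] < 0 for i in range(n)):
        return None
    return d

def render(m, names):
    """Human-readable constraints of a DBM; V0 (index 0) is folded away."""
    out = []
    for i, row in enumerate(m):
        for j, c in enumerate(row):
            if i == j or c == INF:
                continue
            if i == 0:
                out.append(f"{names[j]} <= {c}")
            elif j == 0:
                out.append(f"-{names[i]} <= {c}")
            else:
                out.append(f"{names[j]} - {names[i]} <= {c}")
    return out

NAMES = ["V0", "x", "y"]
X, Y = 1, 2
# The slides' running example: x <= 4, -x <= -1, y <= 3, -y <= -1, x - y <= 1.
M1 = from_constraints(2, [(0, X, 4), (X, 0, -1), (0, Y, 3), (Y, 0, -1), (Y, X, 1)])

def demo():
    m2_order = from_constraints(2, [(0, X, 5), (X, 0, -1), (0, Y, 3), (Y, X, 1)])
    m2_join = from_constraints(2, [(0, X, 2), (X, 0, -1), (0, Y, 0), (Y, X, 1)])
    return {
        "m1_leq_m2": leq(M1, m2_order),                 # every bound of M1 is tighter
        "join": render(join(M1, m2_join), NAMES),       # the lower bound on y is lost
        "widen": render(widen(M1, m2_order), NAMES),    # x's growing upper bound is dropped
        "closed_m1": render(close(M1), NAMES),          # closure derives y - x <= 2
        "empty": close(from_constraints(1, [(0, 1, 1), (1, 0, -2)])),   # unsatisfiable
    }
```

Two practical notes: run close before leq, join or widen, since the pointwise operators are only exact on closed matrices (the demo feeds them the raw constraint sets to match the slides); and never close the result of widen before the next iteration, because closure can re-tighten the bounds the widening just dropped and break termination.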

Octagon abstraction [Miné-01]

- Captures relationships common in programs (array access)

Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c

Some inequality-based relational domains

[Figure: overview of inequality-based relational domains; one of its labels reads "policy iteration"]

Equality-based domains

- Simple congruences [Granger’89]: y = a mod k
- Linear relations: y = a*x + b
- Join operator a little tricky
- Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c
- Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c
- Some good results are obtainable when d1 + … + dk < n for some small n
