Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions

Spring 2014 Program Analysis and Verification

Lecture 14: Numerical Abstractions

Roman Manevich

Ben-Gurion University

Previously
• Composing abstract domains (and GCs)
• Widening and narrowing
• Interval domain

Today
• Abstractions for properties of numeric variables
• Classification:
• Relational vs. non-relational
• Equalities vs. non-equalities
• Zones
Numerical Abstractions

By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons

Overview
• Goal: infer numeric properties of program variables (integers, floating point)
• Applications
• Detect division by zero, overflow, out-of-bound array access
• Help non-numerical domains
• Classification
• Non-relational
• (Weakly-)relational
• Equalities / Inequalities
• Linear / non-linear
• Exotic
Non-relational abstractions
• Abstract each variable individually
• Constant propagation [Kildall’73]
• Intervals (Box)
• Covered in lecture 13
• Sign
• Parity (congruences)
• Assignment 3: arithmetic progressions
Sign abstraction for variable x

[Figure: Hasse diagram of the Sign lattice, with neg, 0 and pos between ⊥ and ⊤]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Sign = {⊥, neg, 0, pos, ⊤}

GC_C,Sign = (C, α, γ, Sign)

γ(⊥) = ?

γ(neg) = ?

γ(0) = ?

γ(pos) = ?

γ(⊤) = ?

How can we represent 0?

Transformer x:=y*z

Check at home:

Abstract transformer is complete

Transformer x:=y+z

Check at home:

Abstract transformer is not complete
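The two "check at home" claims can be checked mechanically. The following is an added example (not code from the lecture): a Sign mini-domain with α, γ and the abstract transformers for x := y*z and x := y+z, plus a test of whether each transformer is exact, i.e. whether γ(f#(a, b)) equals f(γ(a), γ(b)) for every pair of signs. Since γ(pos) is infinite, the check restricts inputs to the constructed range [-n, n] and compares results only on the smaller window [-n/2, n/2], so that truncating the integers cannot itself make a value unreachable; that bounded check is my assumption, not part of the slides.

```python
from itertools import product

# Elements of the Sign lattice: ⊥ below neg, 0 and pos, all of them below ⊤.
BOT, NEG, ZERO, POS, TOP = "⊥", "neg", "0", "pos", "⊤"
SIGNS = (BOT, NEG, ZERO, POS, TOP)


def join(a, b):
    """Least upper bound in the Sign lattice."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP


def alpha(values):
    """α: best abstraction of a set of integers (join of the members' signs)."""
    a = BOT
    for v in values:
        a = join(a, NEG if v < 0 else ZERO if v == 0 else POS)
    return a


def gamma(s, lo, hi):
    """γ restricted to the integers in [lo, hi].  The window is an assumption
    that keeps the check finite; the real γ(pos) is every positive integer."""
    window = range(lo, hi + 1)
    return {BOT: set(),
            NEG: {n for n in window if n < 0},
            ZERO: {n for n in window if n == 0},
            POS: {n for n in window if n > 0},
            TOP: set(window)}[s]


def mul_sharp(a, b):
    """Abstract transformer for x := y*z: the rule of signs."""
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG


def add_sharp(a, b):
    """Abstract transformer for x := y+z; pos+neg, and anything with ⊤, gives ⊤."""
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP


def inexact_pairs(f, f_sharp, n=20):
    """Compare γ(f#(a, b)) with f(γ(a), γ(b)) for every pair of signs.

    Inputs range over [-n, n]; results are compared on [-n//2, n//2] only, so a
    value can be missing from the concrete side only because the transformer is
    not exact, never because the inputs were truncated.  Returns
    {(a, b): sorted values in γ(f#(a, b)) that no concrete pair produces};
    an empty dict means the transformer is exact on the window."""
    m = n // 2
    window = set(range(-m, m + 1))
    gaps = {}
    for a, b in product(SIGNS, repeat=2):
        concrete = {f(y, z) for y in gamma(a, -n, n) for z in gamma(b, -n, n)} & window
        abstract = gamma(f_sharp(a, b), -m, m)
        # Soundness: every concrete result must be covered by the abstract one.
        assert concrete <= abstract, f"unsound transformer on {(a, b)}"
        if concrete != abstract:
            gaps[(a, b)] = sorted(abstract - concrete)
    return gaps


if __name__ == "__main__":
    print("x := y*z inexact on:", inexact_pairs(lambda y, z: y * z, mul_sharp))
    print("x := y+z inexact on:", inexact_pairs(lambda y, z: y + z, add_sharp))
```

Multiplication reports no gaps: any positive n is n*1, any negative n is n*(-1), so γ(pos)*γ(pos) really is γ(pos). Addition reports pos+pos and neg+neg, each missing a single value (1 and -1): the sum of two positive integers is at least 2, so γ(pos)+γ(pos) is strictly smaller than γ(pos), which is exactly why the transformer is sound but not complete.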

Parity abstraction for variable x

[Figure: Hasse diagram of the Parity lattice, with E and O between ⊥ and ⊤]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Parity = {⊥, E, O, ⊤}

GC_C,Parity = (C, α, γ, Parity)

γ(⊥) = ?

γ(E) = ?

γ(O) = ?

γ(⊤) = ?

Boxes (intervals)

[Figure: the box x ∈ [1,4], y ∈ [3,6] drawn in the x,y plane]

• x ∈ [1,4]
• y ∈ [3,6]
Non-relational abstractions
• Cannot prove properties that hold simultaneously for several variables
• x = 2*y
• x ≤ y
The abstraction
• Abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain for one variable D[x]
• D[x1] × … × D[xn]
• Need to implement join, meet, widening, narrowing just for the mini-domain
• Usually a non-relational domain is associated with a Galois insertion
• No reduction required
• The Cartesian product is a reduced product
Sound assignment transformers

Let remove(S, x) be the operation that removes the factoid associated with x from S

Let factoid(S, x) be the operation that returns the factoid associated with x in S

⟦x := c⟧# S = remove(S, x) ⊓ α({[x↦c]})

⟦x := y⟧# S = remove(S, x) ⊓ {factoid(S, y)[x/y]}

⟦x := y+c⟧# S = remove(S, x) ⊓ {factoid(S, y)[x/y] + c}

⟦x := y+z⟧# S = remove(S, x) ⊓ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}

⟦x := y*c⟧# S = remove(S, x) ⊓ {factoid(S, y)[x/y] * c}

⟦x := y*z⟧# S = remove(S, x) ⊓ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

Sound assume transformers

⟦assume x=c⟧# S = S ⊓ α({[x↦c]})

⟦assume x<c⟧# S = …

⟦assume x=y⟧# S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}

⟦assume x≠c⟧# S = if S ⊑ α({[x↦c]}) then ⊥ else S
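The factoid-based transformers above, and the limitation of non-relational domains noted earlier (no way to express x = 2*y or x ≤ y), can be made concrete with the interval mini-domain. The following is an added example, not the lecture's code: a state is a dict from variable to its factoid, an interval (lo, hi); ⊥ is `None`; a variable with no factoid is (-∞, ∞). The names `remove`, `factoid` and the transformer list follow the slides; `with_factoid` (the "remove, then add the new factoid" step), `proves_leq`, and the reading of the slide's elided `assume x<c` as the meet with (-∞, c-1] for integer variables are my assumptions.

```python
from math import inf

BOT = None                 # the unsatisfiable state ⊥
TOP_IV = (-inf, inf)       # factoid of a variable about which nothing is known


def remove(S, x):
    """remove(S, x): the state without the factoid of x."""
    return {v: iv for v, iv in S.items() if v != x}


def factoid(S, x):
    """factoid(S, x): the interval recorded for x (⊤ if S says nothing about x)."""
    if S is BOT:
        return (inf, -inf)          # the empty interval
    return S.get(x, TOP_IV)


def with_factoid(S, x, iv):
    """remove(S, x) ⊓ {[x ↦ iv]}: replace x's factoid; an empty interval collapses to ⊥."""
    if S is BOT or iv[0] > iv[1]:
        return BOT
    T = remove(S, x)
    T[x] = iv
    return T


def iv_meet(a, b):
    return (max(a[0], b[0]), min(a[1], b[1]))


def iv_add(a, b):
    return (a[0] + b[0], a[1] + b[1])


def iv_mul(a, b):
    # Treat 0 * inf as 0 (the interval [0,0] times anything is [0,0]) rather than nan.
    mul = lambda p, q: 0 if p == 0 or q == 0 else p * q
    products = [mul(p, q) for p in a for q in b]
    return (min(products), max(products))


# Assignment transformers: only x's factoid is recomputed, the others are untouched.
def assign_const(S, x, c):        return with_factoid(S, x, (c, c))
def assign_var(S, x, y):          return with_factoid(S, x, factoid(S, y))
def assign_add_const(S, x, y, c): return with_factoid(S, x, iv_add(factoid(S, y), (c, c)))
def assign_add(S, x, y, z):       return with_factoid(S, x, iv_add(factoid(S, y), factoid(S, z)))
def assign_mul_const(S, x, y, c): return with_factoid(S, x, iv_mul(factoid(S, y), (c, c)))
def assign_mul(S, x, y, z):       return with_factoid(S, x, iv_mul(factoid(S, y), factoid(S, z)))


# Assume transformers: meet the current factoid with the tested condition.
def assume_eq_const(S, x, c):
    return with_factoid(S, x, iv_meet(factoid(S, x), (c, c)))


def assume_lt_const(S, x, c):
    # Integer variables assumed: x < c is the meet with (-inf, c-1].
    return with_factoid(S, x, iv_meet(factoid(S, x), (-inf, c - 1)))


def assume_eq_var(S, x, y):
    # Both variables get the meet of their intervals; the equality itself cannot be recorded.
    m = iv_meet(factoid(S, x), factoid(S, y))
    return with_factoid(with_factoid(S, x, m), y, m)


def assume_ne_const(S, x, c):
    # if S ⊑ α({[x ↦ c]}) then ⊥ else S: refutable only when x is known to be exactly c.
    return BOT if S is not BOT and factoid(S, x) == (c, c) else S


def proves_leq(S, x, y):
    """Does S alone prove x <= y?  Only if the whole interval of x lies below that of y."""
    return S is BOT or factoid(S, x)[1] <= factoid(S, y)[0]


# Constructed sample state: x, y ∈ [0, 5], nothing known about other variables.
S0 = {"x": (0, 5), "y": (0, 5)}

if __name__ == "__main__":
    S1 = assume_eq_var(S0, "x", "y")
    print("after assume x=y:", S1, "proves x<=y?", proves_leq(S1, "x", "y"))
    print("z := x*y gives", assign_mul(S0, "z", "x", "y")["z"])
```

After `assume x=y` the state is unchanged (both intervals were already [0,5]), so `proves_leq` fails even though x ≤ y holds in every concrete state that satisfies the guard: the Cartesian product simply has no place to store the correlation. Likewise `assume x≠3` leaves [0,5] untouched, since no interval excludes a single interior point.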

Relational abstractions
• Represent correlations between all program variables
• Polyhedra
• Linear equalities
• When correlations exist only between a few variables (usually 2) we say that the abstraction is weakly-relational
• Linear relations example (discussed in class)
• Zone abstraction (next)
• Octagons
• Two-variable polyhedra
• Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables
Zone abstraction [Miné]

[Figure: the zone x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 drawn in the x,y plane]

Maintain bounded differences between a pair of program variables (useful for tracking array accesses)

Abstract state is a conjunction of linear inequalities of the form x − y ≤ c

Difference bound matrices

Example: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

Add a special V0 variable for the number 0

Represent non-existent relations between variables by +∞ entries

Convenient for defining the partial order between two abstract elements… ⊑ = ?

Ordering DBMs

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

How should we order M1 ⊑ M2?

Joining DBMs

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1 }

How should we join M1 ⊔ M2?

Widening DBMs

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

How should we widen M1 ▽ M2?

Potential graph

Constraints: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

[Figure: potential graph with a vertex for each of V0, x, y and one weighted edge per inequality]

Can we tell whether a system of constraints is satisfiable?

A vertex per variable

A directed edge with the weight of the inequality

Enables computing semantic reduction by shortest-path algorithms

Semantic reduction for zones

Apply the following rule repeatedly:

x − y ≤ c    y − z ≤ d    x − z ≤ e
――――――――――――――――――――――――――――――
x − z ≤ min{e, c+d}

When should we stop?

Theorem 3.3.4. Best abstraction of potential sets and zones: m* = (Pot ∘ Pot)(m)
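The DBM slides (ordering, join, widening) and the potential-graph slides (satisfiability, semantic reduction by shortest paths) fit in one small implementation. The following is an added example, not code from the lecture or from Miné's library. It uses the DBM convention that entry m[i][j] = c encodes V_j − V_i ≤ c, with V0 standing for 0 and +∞ for "no constraint"; the three example matrices are built from the constraint sets shown on the slides, and the constraint triples `(vj, vi, c)` used to build them are my encoding.

```python
from math import inf

VARS = ["V0", "x", "y"]                  # V0 is the special variable standing for 0
IDX = {v: i for i, v in enumerate(VARS)}


def dbm(constraints):
    """Build a DBM from constraints (vj, vi, c) meaning vj - vi <= c.
    Unary bounds go through V0: x <= 4 is ("x", "V0", 4), -x <= -1 is ("V0", "x", -1).
    Entry m[i][j] bounds V_j - V_i; +inf means the pair is unconstrained."""
    n = len(VARS)
    m = [[inf] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = 0
    for vj, vi, c in constraints:
        i, j = IDX[vi], IDX[vj]
        m[i][j] = min(m[i][j], c)        # keep the tighter bound if one is given twice
    return m


def constraints_of(m):
    """Read a DBM back as (vj, vi, c) triples, skipping the diagonal and +inf entries."""
    n = len(VARS)
    return [(VARS[j], VARS[i], m[i][j])
            for i in range(n) for j in range(n) if i != j and m[i][j] != inf]


def leq(m1, m2):
    """M1 ⊑ M2: every bound of M1 is at least as tight as the one in M2 (pointwise <=)."""
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))


def join(m1, m2):
    """M1 ⊔ M2: keep the looser of the two bounds for every pair (pointwise max)."""
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]


def widen(m1, m2):
    """M1 ▽ M2: a bound that grew from M1 to M2 is dropped to +inf; stable bounds stay."""
    return [[a if b <= a else inf for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]


def close(m):
    """Semantic reduction: all-pairs shortest paths in the potential graph
    (Floyd-Warshall), i.e. the rule x-y<=c, y-z<=d, x-z<=e ⟹ x-z <= min{e, c+d}
    applied until nothing changes.  A negative cycle (m[i][i] < 0) means the
    constraints are unsatisfiable, returned as None (⊥)."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    if any(m[i][i] < 0 for i in range(n)):
        return None
    return m


# Constructed from the constraint sets on the slides.
M1 = dbm([("x", "V0", 4), ("V0", "x", -1), ("y", "V0", 3), ("V0", "y", -1), ("x", "y", 1)])
M2_ORDER = dbm([("x", "V0", 5), ("V0", "x", -1), ("y", "V0", 3), ("x", "y", 1)])
M2_JOIN = dbm([("x", "V0", 2), ("V0", "x", -1), ("y", "V0", 0), ("x", "y", 1)])

if __name__ == "__main__":
    print("M1 ⊑ M2:", leq(M1, M2_ORDER), " M2 ⊑ M1:", leq(M2_ORDER, M1))
    print("M1 ⊔ M2:", constraints_of(join(M1, M2_JOIN)))
    print("M1 ▽ M2:", constraints_of(widen(M1, M2_ORDER)))
    print("closure of M1:", constraints_of(close(M1)))
    print("M1 with x <= 0 added:", close(dbm(constraints_of(M1) + [("x", "V0", 0)])))
```

The join of the two matrices on the joining slide loses −y ≤ −1 (M2 has no lower bound on y, so the pointwise max is +∞) and keeps the looser x ≤ 4 and y ≤ 3. Widening M1 with the ordering slide's M2 drops x ≤ 4 entirely, because the bound moved from 4 to 5, while −x ≤ −1 and x − y ≤ 1 survive unchanged. Closing M1 adds the implied y − x ≤ 2 (the path x → V0 → y of weight −1 + 3), which is the reduction rule in action; adding x ≤ 0 to M1 creates the cycle V0 → x → V0 of weight 0 + (−1) < 0, so `close` reports ⊥.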

Octagon abstraction [Miné-01]
• Captures relationships common in programs (array access)

Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c

Equality-based domains
• Simple congruences [Granger’89]: y = a mod k
• Linear relations: y = a*x + b
• Join operator a little tricky
• Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c
• Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c
• Some good results are obtainable when d1+…+dk < n for some small n