Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions
Spring 2014 Program Analysis and Verification

Lecture 14: Numerical Abstractions

Roman Manevich

Ben-Gurion University



Previously

Composing abstract domains (and GCs)

Widening and narrowing

Interval domain


Today

  • Abstractions for properties of numeric variables

  • Classification:

    • Relational vs. non-relational

    • Equalities vs. non-equalities

    • Zones


Numerical Abstractions

By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons


Overview

  • Goal: infer numeric properties of program variables (integers, floating point)

  • Applications

    • Detect division by zero, overflow, out-of-bound array access

    • Help non-numerical domains

  • Classification

    • Non-relational

    • (Weakly-)relational

    • Equalities / Inequalities

    • Linear / non-linear

    • Exotic




Non-relational abstractions

  • Abstract each variable individually

    • Constant propagation [Kildall’73]

    • Intervals (Box)

      • Covered in lecture 13

    • Sign

    • Parity (congruences)

    • Assignment 3: arithmetic progressions


Sign abstraction for variable x

Lattice diagram: neg, 0 and pos are pairwise incomparable, sitting between ⊥ and ⊤.

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Sign = {⊥, neg, 0, pos, ⊤}

GC_{C,Sign} = (C, α, γ, Sign)

γ(⊥) = ?

γ(neg) = ?

γ(0) = ?

γ(pos) = ?

γ(⊤) = ?

How can we represent x ≠ 0?


Transformer x:=y*z

Check at home:

Abstract transformer is complete


Transformer x:=y+z

Check at home:

Abstract transformer is not complete
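As an added example (not from the slides), the two "check at home" claims tested mechanically on single concrete states: for every pair of values, does abstracting the result of y*z (resp. y+z) agree with the sign transformer applied to the abstracted operands? The per-state check is an assumption of this example and is weaker than the full α∘f = f#∘α condition, but it is exactly where the two transformers differ: multiplication agrees everywhere, addition does not (1 + (−1) = 0 while pos + neg = ⊤).

```python
# Added example, not from the lecture: per-state check of the Sign transformers
# for x := y*z and x := y+z, i.e. whether alpha({op(y, z)}) equals
# op#(alpha({y}), alpha({z})) for every concrete (y, z) in a small universe.
BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"

def alpha(values):
    """Abstraction: the least Sign element covering a set of integers."""
    signs = {NEG if v < 0 else ZERO if v == 0 else POS for v in values}
    if not signs:
        return BOT
    return signs.pop() if len(signs) == 1 else TOP

def mul_sharp(a, b):
    """Abstract transformer for x := y*z (the sign rule for products)."""
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG

def add_sharp(a, b):
    """Abstract transformer for x := y+z on signs."""
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP   # pos+neg, or anything with top, is unknown

def counterexample(op, op_sharp, universe=range(-3, 4)):
    """Return a state (y, z) on which abstracting the concrete result is strictly
    more precise than op_sharp on the abstracted operands, or None if none exists."""
    for y in universe:
        for z in universe:
            if alpha({op(y, z)}) != op_sharp(alpha({y}), alpha({z})):
                return (y, z)
    return None

def mul_is_exact_on_states():
    return counterexample(lambda y, z: y * z, mul_sharp) is None

def add_is_exact_on_states():
    return counterexample(lambda y, z: y + z, add_sharp) is None
```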


Parity abstraction for variable x

Lattice diagram: E and O are incomparable, sitting between ⊥ and ⊤.

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Parity = {⊥, E, O, ⊤}

GC_{C,Parity} = (C, α, γ, Parity)

γ(⊥) = ?

γ(E) = ?

γ(O) = ?

γ(⊤) = ?



Boxes (intervals)

Box diagram: the rectangle 1 ≤ x ≤ 4, 3 ≤ y ≤ 6 in the (x, y) plane.

  • x ∈ [1,4]

  • y ∈ [3,6]


Non-relational abstractions

  • Cannot prove properties that hold simultaneously for several variables, e.g.

    • x = 2*y

    • x ≤ y


Practical aspects of non-relational abstractions


The abstraction

  • The abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain D[x] for a single variable

    • D[x1] × … × D[xn]

    • Need to implement join, meet, widening, narrowing only for the mini-domain

  • Usually a non-relational domain is associated with a Galois insertion

    • No reduction required

    • The Cartesian product is a reduced product


Sound assignment transformers

Let remove(S, x) be the operation that removes the factoid associated with x from S

Let factoid(S, x) be the operation that returns the factoid associated with x in S

⟦x := c⟧# S = remove(S, x) ∪ α({[x↦c]})

⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}

⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}

⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}

⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}

⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}


Sound assume transformers

assumex=c# S = S  ({[xc]})

assumex<c# S = …

assumex=y# S = S  {factoid(S, y)[x/y]}  {factoid(S, x)[y/x]}

assumexc# S = if S  ({[xc]}) then  else S



Relational abstractions

  • Represent correlations between all program variables

    • Polyhedra

    • Linear equalities

  • When correlations exist only between a few variables (usually 2) we say that the abstraction is weakly relational

    • Linear relations example (discussed in class)

    • Zone abstraction (next)

    • Octagons

    • Two-variable polyhedra

    • Usually abstraction is defined as the reduced product of the abstract domain for any pair of variables



Zone abstraction [Miné]

Diagram of the zone in the (x, y) plane defined by:

x ≤ 4

−x ≤ −1

y ≤ 3

−y ≤ −1

x − y ≤ 1

Maintain bounded differences between pairs of program variables (useful for tracking array accesses)

Abstract state is a conjunction of linear inequalities of the form x − y ≤ c


Difference bound matrices

x ≤ 4

−x ≤ −1

y ≤ 3

−y ≤ −1

x − y ≤ 1

Add a special variable V0 that stands for the number 0

Represent non-existent relations between variables by +∞ entries

Convenient for defining the partial order between two abstract elements… ⊑ = ?


Ordering DBMs

M1 represents: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

M2 represents: x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1

How should we order M1 ⊑ M2?


Joining DBMs

M1 represents: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

M2 represents: x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1

How should we join M1 ⊔ M2?


Widening DBMs

M1 represents: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

M2 represents: x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1

How should we widen M1 ▽ M2?


Potential graph

x ≤ 4

−x ≤ −1

y ≤ 3

−y ≤ −1

x − y ≤ 1

Figure: potential graph with vertices V0, x and y, one weighted directed edge per inequality above.

Can we tell whether a system of constraints is satisfiable?

A vertex per variable

A directed edge with the weight of the inequality

Enables computing semantic reduction by shortest-path algorithms


Semantic reduction for zones

Apply the following rule repeatedly:

x − y ≤ c    y − z ≤ d    x − z ≤ e
─────────────────────────────────────
x − z ≤ min{e, c+d}

When should we stop?

Theorem 3.3.4. Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)
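The DBM slides above (ordering, join, widening, potential graph, reduction) as one added example, not code from the lecture or from Miné's work. It assumes the convention that entry (i, j) bounds v_j − v_i, uses Floyd-Warshall as the "apply the rule repeatedly" reduction with a negative cycle signalling an unsatisfiable (bottom) element, and encodes the M1/M2 pairs of the join and widening slides as constructed input.

```python
# Added example, not from the lecture: a minimal Difference Bound Matrix (DBM)
# for the zone domain with the ordering, join, widening and shortest-path
# reduction from the slides. m[i][j] = c encodes v_j - v_i <= c; index 0 is V0.
from math import inf

V0, X, Y = 0, 1, 2

def zone(*constraints, n=3):
    """Build a DBM from (i, j, c) triples meaning v_j - v_i <= c, e.g.
    'x <= 4' is (V0, X, 4), '-x <= -1' is (X, V0, -1), 'x - y <= 1' is (Y, X, 1)."""
    m = [[0 if i == j else inf for j in range(n)] for i in range(n)]
    for i, j, c in constraints:
        m[i][j] = min(m[i][j], c)
    return m

def close(m):
    """Semantic reduction: Floyd-Warshall applies x - z <= min{e, c + d} until
    nothing changes. A negative cycle in the potential graph means the
    constraints are unsatisfiable, i.e. the zone is bottom (returned as None)."""
    n, r = len(m), [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                r[i][j] = min(r[i][j], r[i][k] + r[k][j])
    return None if any(r[i][i] < 0 for i in range(n)) else r

def leq(m1, m2):
    """M1 below M2 when every bound of M1 is at least as tight (use closed DBMs)."""
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

def join(m1, m2):
    """Pointwise max: the smallest zone that contains both arguments."""
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def widen(m1, m2):
    """Keep the bounds of M1 that M2 does not grow; drop the rest to +inf.
    Apply to the unclosed M1: closing before widening can break termination."""
    return [[a if b <= a else inf for a, b in zip(r1, r2)]
            for r1, r2 in zip(m1, m2)]

# Constructed from the "Joining DBMs" and "Widening DBMs" slides.
M1 = zone((V0, X, 4), (X, V0, -1), (V0, Y, 3), (Y, V0, -1), (Y, X, 1))
M2_JOIN = zone((V0, X, 2), (X, V0, -1), (V0, Y, 0), (Y, X, 1))
M2_WIDEN = zone((V0, X, 5), (X, V0, -1), (V0, Y, 3), (Y, X, 1))

if __name__ == "__main__":
    print(close(M1)[X][Y])             # 2: y - x <= 2 follows from y <= 3, -x <= -1
    print(join(M1, M2_JOIN)[Y][V0])    # inf: the lower bound on y is lost
    print(widen(M1, M2_WIDEN)[V0][X])  # inf: x's upper bound grew, so it is dropped
```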



Octagon abstraction [Miné-01]

  • Captures relationships common in programs (array access)

  • Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c


Some inequality-based relational domains

policy iteration


Equality-based domains

  • Simple congruences [Granger’89]: y = a mod k

  • Linear relations: y = a*x + b

    • The join operator is a little tricky

  • Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c

  • Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c

    • Some good results are obtainable when d1+…+dk < n for some small n


Next lecture: alias analysis

