
Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions - PowerPoint PPT Presentation

Presentation Transcript

Spring 2014Program Analysis and Verification

Lecture 14: Numerical Abstractions

Roman Manevich

Ben-Gurion University

Previously

• Composing abstract domains (and GCs)

• Widening and narrowing

• Interval domain

Today

• Abstractions for properties of numeric variables

• Classification:

• Relational vs. non-relational

• Equalities vs. inequalities

• Zones

[Figure: a polyhedron. Image by Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons]

• Goal: infer numeric properties of program variables (integers, floating point)

• Applications

• Detect division by zero, overflow, out-of-bounds array access

• Help non-numerical domains

• Classification

• Non-relational

• (Weakly-)relational

• Equalities / Inequalities

• Linear / non-linear

• Exotic

Non-relational abstractions

• Abstract each variable individually

• Constant propagation [Kildall’73]

• Intervals (Box), covered in lecture 13

• Sign

• Parity (congruences)

• Assignment 3: arithmetic progressions

Sign abstraction

[Figure: Hasse diagram of the Sign lattice, with neg, 0 and pos between ⊥ and ⊤]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Sign = {⊥, neg, 0, pos, ⊤}

GC_{C,Sign} = (C, α, γ, Sign)

γ(⊥) = ?

γ(neg) = ?

γ(0) = ?

γ(pos) = ?

γ(⊤) = ?

How can we represent ≠0?

Check at home:

Abstract transformer is complete

Check at home:

Abstract transformer is not complete
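The two "check at home" items above do not say which transformers they refer to. The following added Python example (not from the slides) takes them to be the Sign-domain transformers for y*z and y+z and checks both soundness (α(f(X,Y)) ⊑ f#(α(X), α(Y))) and completeness (equality) by brute force over every pair of subsets of a small integer universe; the universe range(-3, 4) and the helper names are this example's own choices, so the check is exhaustive only for that universe.

```python
# Added example (not part of the lecture slides): the Sign domain with abstract
# addition and multiplication, plus a brute-force check of whether each abstract
# transformer is complete, i.e. α(f(X, Y)) == f#(α(X), α(Y)) for all concrete
# sets X, Y.  The universe of integers tried is this example's own choice.
from itertools import combinations

BOT, NEG, ZERO, POS, TOP = "⊥", "neg", "0", "pos", "⊤"


def alpha(X):
    """α: set of integers -> the best Sign element describing it."""
    if not X:
        return BOT
    if all(v == 0 for v in X):
        return ZERO
    if all(v > 0 for v in X):
        return POS
    if all(v < 0 for v in X):
        return NEG
    return TOP


def leq(a, b):
    """The Sign partial order: ⊥ below everything, ⊤ above, the rest incomparable."""
    return a == BOT or b == TOP or a == b


def sign_add(a, b):
    """Abstract + on Sign factoids (used by ⟦x := y+z⟧#)."""
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP   # pos+pos=pos, neg+neg=neg, pos+neg=⊤, anything+⊤=⊤


def sign_mul(a, b):
    """Abstract * on Sign factoids (used by ⟦x := y*z⟧#)."""
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG   # pos*pos = neg*neg = pos, pos*neg = neg


def subsets(universe):
    for r in range(len(universe) + 1):
        for c in combinations(universe, r):
            yield set(c)


def check_transformer(f, f_sharp, universe=range(-3, 4)):
    """Return (sound, complete, witness).
    sound:    α(f(X,Y)) ⊑ f#(α(X), α(Y)) for every X, Y ⊆ universe
    complete: the two sides are equal for every X, Y (no precision lost)
    witness:  the first (X, Y, best, got) where they differ, or None."""
    subs = list(subsets(universe))
    witness = None
    for X in subs:
        for Y in subs:
            best = alpha({f(x, y) for x in X for y in Y})   # α ∘ f
            got = f_sharp(alpha(X), alpha(Y))                # f# ∘ α
            if not leq(best, got):
                return False, False, (X, Y, best, got)       # unsound transformer
            if best != got and witness is None:
                witness = (X, Y, best, got)
    return True, witness is None, witness


if __name__ == "__main__":
    print("y*z:", check_transformer(lambda a, b: a * b, sign_mul)[:2])
    print("y+z:", check_transformer(lambda a, b: a + b, sign_add))
```

Multiplication passes because the sign of a product is a function of the signs of its factors, so the abstract operation loses nothing. Addition is sound but not complete: the witness the check returns is of the form X ⊆ pos, Y ⊆ neg with a sum that is exactly zero (or single-signed), where the best answer is sharper than the ⊤ the transformer produces.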

Parity abstraction

[Figure: Hasse diagram of the Parity lattice, with E and O between ⊥ and ⊤]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Parity = {⊥, E, O, ⊤}

GC_{C,Parity} = (C, α, γ, Parity)

γ(⊥) = ?

γ(E) = ?

γ(O) = ?

γ(⊤) = ?

[Figure: the box x ∈ [1,4], y ∈ [3,6] drawn in the x–y plane]

• x ∈ [1,4]

• y ∈ [3,6]

• Cannot prove properties that hold simultaneously for several variables, such as x = 2*y or x ≤ y

Practical aspects of non-relational abstractions

• Abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain D[x] for one variable

• D[x1] × … × D[xn]

• Need to implement join, meet, widening, narrowing just for the mini-domain

• Usually a non-relational domain is associated with a Galois insertion

• No reduction required: the Cartesian product is already a reduced product (the one reduction still needed in practice is to smash any element with a ⊥ component to the global ⊥, since every such element concretizes to the empty set)

Let remove(S, x) be the operation that removes the factoid associated with x from S

Let factoid(S, x) be the operation that returns the factoid associated with x in S

⟦x := c⟧# S = remove(S, x) ∪ α({[x ↦ c]})

⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}

⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}

⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}

⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}

⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

(Here + and * are the abstract operations of the mini-domain, and f[x/y] renames a factoid about y into one about x.)

Sound assume transformers

⟦assume x=c⟧# S = S ⊓ α({[x ↦ c]})

⟦assume x<c⟧# S = …

⟦assume x=y⟧# S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}

⟦assume x≠c⟧# S = if S ⊑ α({[x ↦ c]}) then ⊥ else S

Relational abstractions

• Represent correlations between all program variables

• Polyhedra

• Linear equalities

• When correlations exist only between a few variables (usually 2) we say that the abstraction is weakly-relational

• Linear relations example (discussed in class)

• Zone abstraction (next)

• Octagons

• Two-variable polyhedra

• Usually the abstraction is defined as the reduced product of the abstract domains for all pairs of variables

Zone abstraction

Maintain bounded differences between a pair of program variables (useful for tracking array accesses)

Abstract state is a conjunction of linear inequalities of the form x − y ≤ c

Example: x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

[Figure: the zone these five constraints define in the x–y plane]

Add a special V0 variable for the number 0, so that a bound x ≤ c is written x − V0 ≤ c

Represent non-existent relations between variables by +∞ entries

Convenient for defining the partial order between two abstract elements… ⊑ = ?

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

How should we order M1 ⊑ M2?

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1 }

How should we join M1 ⊔ M2?

M1 = { x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1 }

M2 = { x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1 }

How should we widen M1 ∇ M2?

x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

[Figure: the constraints above drawn as a weighted directed graph over the vertices V0, x, y, one edge per inequality]

Can we tell whether a system of constraints is satisfiable?

A vertex per variable

A directed edge with the weight of the inequality

Enables computing semantic reduction by shortest-path algorithms

Apply the following rule repeatedly: from x − y ≤ c, y − z ≤ d and x − z ≤ e derive x − z ≤ min{e, c+d}

When should we stop?

Theorem 3.3.4. Best abstraction of potential sets and zones m∗ = (Pot ◦ Pot)(m)
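The graph view, the closure rule, the satisfiability test and the order, join and widening questions from the zone slides above, as one added Python example that is not part of the lecture material. It uses the slides' M1/M2 constraint sets (constructed here as inputs); the dict-of-dicts matrix layout and the helper names (dbm, closure, satisfiable, leq, join, widen) are this example's own choices.

```python
# Added example (not part of the lecture slides): the zone domain as a
# difference-bound matrix over the variables V0, x, y.  Function names and
# the dict-of-dicts layout are this example's own choices.
INF = float("inf")
NAMES = ("V0", "x", "y")   # V0 is the special variable standing for the number 0


def dbm(constraints, names=NAMES):
    """Build m with m[i][j] = c for each constraint  i - j <= c.
    A bound x <= 4 is written ('x', 'V0', 4) and -x <= -1 as ('V0', 'x', -1).
    Pairs with no known relation hold +inf (no edge); the diagonal is 0."""
    m = {i: {j: (0 if i == j else INF) for j in names} for i in names}
    for i, j, c in constraints:
        m[i][j] = min(m[i][j], c)   # keep the tightest bound for a repeated pair
    return m


def closure(m):
    """Floyd-Warshall on the constraint graph: repeatedly apply
       i - k <= c,  k - j <= d,  i - j <= e   ==>   i - j <= min(e, c + d).
    The fixpoint is the tightest matrix describing the same zone (semantic reduction)."""
    r = {i: dict(row) for i, row in m.items()}
    for k in r:
        for i in r:
            for j in r:
                if r[i][k] + r[k][j] < r[i][j]:
                    r[i][j] = r[i][k] + r[k][j]
    return r


def satisfiable(m):
    """The zone is empty iff the graph has a negative cycle, which shows up
    as a negative diagonal entry after closure."""
    c = closure(m)
    return all(c[v][v] >= 0 for v in c)


def leq(m1, m2):
    """m1 ⊑ m2 (γ(m1) ⊆ γ(m2)): the closed m1 is pointwise <= m2; +inf in m2 beats anything."""
    c1 = closure(m1)
    return all(c1[i][j] <= m2[i][j] for i in c1 for j in c1)


def join(m1, m2):
    """Pointwise max of the two closed forms: the smallest zone containing both."""
    c1, c2 = closure(m1), closure(m2)
    return {i: {j: max(c1[i][j], c2[i][j]) for j in c1} for i in c1}


def widen(m1, m2):
    """m1 ∇ m2: keep a bound of m1 that m2 still respects, drop it (+inf) otherwise.
    m1 is used as given (not closed) so that dropped bounds stay dropped and the
    iteration terminates."""
    return {i: {j: (m1[i][j] if m2[i][j] <= m1[i][j] else INF) for j in m1} for i in m1}


def constraints_of(m):
    """Readable form: 'i - j <= c' for every finite off-diagonal entry."""
    return [f"{i} - {j} <= {m[i][j]}" for i in m for j in m if i != j and m[i][j] < INF]


# The constraint sets used on the slides (constructed inputs for this example).
M1 = dbm([("x", "V0", 4), ("V0", "x", -1), ("y", "V0", 3), ("V0", "y", -1), ("x", "y", 1)])
M2 = dbm([("x", "V0", 5), ("V0", "x", -1), ("y", "V0", 3), ("x", "y", 1)])
M3 = dbm([("x", "V0", 2), ("V0", "x", -1), ("y", "V0", 0), ("x", "y", 1)])

if __name__ == "__main__":
    print("closure(M1):", constraints_of(closure(M1)))   # gains the implied y - x <= 2
    print("M1 ⊑ M2:", leq(M1, M2), " M2 ⊑ M1:", leq(M2, M1))
    print("M1 ⊔ M3:", constraints_of(join(M1, M3)))
    print("M1 ∇ M2:", constraints_of(widen(M1, M2)))     # x loses its upper bound
    bad = dbm([("x", "y", 1), ("y", "x", -3)])           # x - y <= 1 and y - x <= -3
    print("satisfiable:", satisfiable(M1), satisfiable(bad))
```

Closing first matters for the order and the join: M3 as written says x ≤ 2, but x − y ≤ 1 together with y ≤ 0 forces x ≤ 1, and the closure makes that explicit before the pointwise comparison or maximum is taken. Widening deliberately skips the closure of its left argument; closing it would re-derive bounds that were dropped in an earlier iteration and the ascending chain would not stabilise.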

• Captures relationships common in programs (array access)

Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c (the octagon domain)

Some inequality-based relational domains

[Figure: hierarchy of inequality-based relational domains; one of the labels reads "policy iteration"]

Some equality-based relational domains

• Simple congruences [Granger’89]: y = a mod k

• Linear relations: y = a*x + b

• Join operator a little tricky

• Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c

• Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c

• Some good results are obtainable when d1 + … + dk < n for some small n

Next lecture:alias analysis