Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions

Spring 2014 Program Analysis and Verification

Lecture 14: Numerical Abstractions

Roman Manevich

Ben-Gurion University

Previously

Composing abstract domains (and GCs)

Widening and narrowing

Interval domain

Today
  • Abstractions for properties of numeric variables
  • Classification:
    • Relational vs. non-relational
    • Equalities vs. non-equalities
    • Zones
Numerical Abstractions

By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons

Overview
  • Goal: infer numeric properties of program variables (integers, floating point)
  • Applications
    • Detect division by zero, overflow, out-of-bound array access
    • Help non-numerical domains
  • Classification
    • Non-relational
    • (Weakly-)relational
    • Equalities / Inequalities
    • Linear / non-linear
    • Exotic
Non-relational abstractions
  • Abstract each variable individually
    • Constant propagation [Kildall’73]
    • Intervals (Box)
      • Covered in lecture 13
    • Sign
    • Parity (congruences)
    • Assignment 3: arithmetic progressions
Sign abstraction for variable x

[Figure: Hasse diagram of the Sign lattice, with neg, 0 and pos as the incomparable middle elements]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Sign = {⊥, neg, 0, pos, ⊤}

GC_{C,Sign} = (C, α, γ, Sign)

γ(⊥) = ?

γ(neg) = ?

γ(0) = ?

γ(pos) = ?

γ(⊤) = ?

How can we represent 0?

Transformer x:=y*z

Check at home:

Abstract transformer is complete

Transformer x:=y+z

Check at home:

Abstract transformer is not complete
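An added example (not from the lecture slides) that makes the two "check at home" claims concrete: the Sign mini-domain with its abstract multiplication and addition, and an exhaustive check over small integer sets of whether α(f(Y, Z)) equals f#(α(Y), α(Z)). The names alpha, sign_mul, sign_add and find_incompleteness, and the string encoding of ⊥ and ⊤, are this example's own assumptions.

```python
from itertools import combinations, product

# Sign lattice elements, encoded as strings (an assumption of this example).
BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"

def alpha(values):
    """Abstraction: the most precise Sign element covering a finite set of ints."""
    if not values:
        return BOT
    signs = {NEG if v < 0 else ZERO if v == 0 else POS for v in values}
    return signs.pop() if len(signs) == 1 else TOP

def sign_mul(a, b):
    """Abstract transformer for x := y*z on Sign."""
    if BOT in (a, b): return BOT
    if ZERO in (a, b): return ZERO       # anything times 0 is 0, even top
    if TOP in (a, b): return TOP
    return POS if a == b else NEG

def sign_add(a, b):
    """Abstract transformer for x := y+z on Sign."""
    if BOT in (a, b): return BOT
    if a == ZERO: return b
    if b == ZERO: return a
    if a == b: return a                  # pos+pos, neg+neg (and top+top)
    return TOP                           # pos+neg can land on any sign

def find_incompleteness(op_abs, op_conc, universe=(-2, -1, 0, 1, 2)):
    """Compare alpha(f(Y, Z)) with f#(alpha(Y), alpha(Z)) over all non-empty
    subsets Y, Z of `universe`.  Returns the first (Y, Z, exact) where the
    abstract transformer is strictly coarser, or None if no such pair exists."""
    subsets = [set(c) for r in range(1, len(universe) + 1)
               for c in combinations(universe, r)]
    for Y in subsets:
        for Z in subsets:
            exact = alpha({op_conc(y, z) for y, z in product(Y, Z)})
            if exact != op_abs(alpha(Y), alpha(Z)):
                return Y, Z, exact
    return None

if __name__ == "__main__":
    print(find_incompleteness(sign_mul, lambda a, b: a * b))   # None
    print(find_incompleteness(sign_add, lambda a, b: a + b))   # ({-2}, {1}, 'neg')
```

The check over subsets of a small universe is evidence, not a proof; the multiplication result holds for all integer sets because a nonzero factor preserves or flips every sign uniformly, while the addition counterexample ({-2} + {1} = {-1}) already refutes completeness outright.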

Parity abstraction for variable x

[Figure: Hasse diagram of the Parity lattice, with E (even) and O (odd) as the incomparable middle elements]

Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)

Parity = {⊥, E, O, ⊤}

GC_{C,Parity} = (C, α, γ, Parity)

γ(⊥) = ?

γ(E) = ?

γ(O) = ?

γ(⊤) = ?

Boxes (intervals)

[Figure: the box x ∈ [1,4], y ∈ [3,6] drawn in the x-y plane]
  • x ∈ [1,4]
  • y ∈ [3,6]
Non-relational abstractions
  • Cannot prove properties that hold simultaneously for several variables
    • x = 2*y
    • x ≤ y
The abstraction
  • Abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain D[x] for one variable
    • D[x1] × … × D[xn]
    • Need to implement join, meet, widening, narrowing just for the mini-domain
  • Usually a non-relational domain is associated with a Galois insertion
    • No reduction required
    • The Cartesian product is a reduced product
Sound assignment transformers

Let remove(S, x) be the operation that removes the factoid associated with x from S

Let factoid(S, x) be the operation that returns the factoid associated with x in S

⟦x := c⟧# S = remove(S, x) ∪ α({[x↦c]})

⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}

⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}

⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}

⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}

⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}

Sound assume transformers

⟦assume x=c⟧# S = S ∪ α({[x↦c]})

⟦assume x<c⟧# S = …

⟦assume x=y⟧# S = S ∪ {factoid(S, y)[x/y]} ∪ {factoid(S, x)[y/x]}

⟦assume x≠c⟧# S = if S ⊑ α({[x↦c]}) then ⊥ else S

Relational abstractions
  • Represent correlations between all program variables
    • Polyhedra
    • Linear equalities
  • When correlations exist only between a few variables (usually 2) we say that the abstraction is weakly relational
    • Linear relations example (discussed in class)
    • Zone abstraction (next)
    • Octagons
    • Two-variable polyhedra
    • Usually the abstraction is defined as the reduced product of the abstract domains for all pairs of variables
Zone abstraction [Mine]

[Figure: the zone below drawn in the x-y plane]

x ≤ 4
−x ≤ −1
y ≤ 3
−y ≤ −1
x − y ≤ 1

Maintain bounded differences between a pair of program variables (useful for tracking array accesses)

Abstract state is a conjunction of linear inequalities of the form x − y ≤ c

Difference bound matrices

x ≤ 4
−x ≤ −1
y ≤ 3
−y ≤ −1
x − y ≤ 1

Add a special V0 variable for the number 0

Represent non-existent relations between variables by +∞ entries

Convenient for defining the partial order between two abstract elements… ⊑ = ?

Ordering DBMs

M1 = DBM for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

M2 = DBM for x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1

How should we order M1 ⊑ M2?

Joining DBMs

M1 = DBM for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

M2 = DBM for x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1

How should we join M1 ⊔ M2?

Widening DBMs

M1 = DBM for x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1

M2 = DBM for x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1

How should we widen M1 ∇ M2?

Potential graph

x ≤ 4
−x ≤ −1
y ≤ 3
−y ≤ −1
x − y ≤ 1

[Figure: potential graph with vertices V0, x, y and one weighted directed edge per inequality]

Can we tell whether a system of constraints is satisfiable?

A vertex per variable

A directed edge with the weight of the inequality

Enables computing semantic reduction by shortest-path algorithms

Semantic reduction for zones

Apply the following rule repeatedly: from x − y ≤ c, y − z ≤ d and x − z ≤ e, infer x − z ≤ min{e, c+d}

When should we stop?

Theorem 3.3.4. Best abstraction of potential sets and zones: m* = (α^Pot ∘ γ^Pot)(m)
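The DBM operations from the preceding slides (ordering, join, widening, the potential graph and the shortest-path reduction with its satisfiability check) as one added example in Python; this is not the lecture's or Miné's code. It assumes the convention that m[i][j] = c encodes v_i − v_j ≤ c, index 0 for V0, +∞ for a missing relation, and the function names are this example's own.

```python
from math import inf

VARS = ["V0", "x", "y", "z"]                # V0 stands for the number 0 (index 0)
IDX = {v: i for i, v in enumerate(VARS)}

def dbm(constraints):
    """Build a DBM from triples (a, b, c) meaning a - b <= c (use "V0" for 0).
    Assumed convention: m[i][j] = c encodes v_i - v_j <= c; +inf = no relation."""
    n = len(VARS)
    m = [[inf] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = 0
    for a, b, c in constraints:
        i, j = IDX[a], IDX[b]
        m[i][j] = min(m[i][j], c)           # keep the tightest bound for a pair
    return m

def leq(m1, m2):
    """Partial order: m1 is at least as precise as m2 if every bound is <=."""
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

def join(m1, m2):
    """Join: pointwise maximum, i.e. the looser of the two bounds."""
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def widen(m1, m2):
    """Widening: keep a bound that did not grow, drop it to +inf if it did."""
    return [[a if b <= a else inf for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def close(m):
    """Semantic reduction: shortest paths in the potential graph (Floyd-Warshall),
    i.e. x - z <= min{e, c + d} applied until nothing changes.  Returns None
    (bottom) when a negative cycle makes the constraints unsatisfiable."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    return None if any(m[i][i] < 0 for i in range(n)) else m

def bound(m, a, b="V0"):
    """Read the bound c in a - b <= c; b defaults to V0 for a plain upper bound."""
    return m[IDX[a]][IDX[b]]

if __name__ == "__main__":                  # M1 and M2 from the "Ordering DBMs" slide
    M1 = dbm([("x", "V0", 4), ("V0", "x", -1), ("y", "V0", 3), ("V0", "y", -1), ("x", "y", 1)])
    M2 = dbm([("x", "V0", 5), ("V0", "x", -1), ("y", "V0", 3), ("x", "y", 1)])
    print(leq(M1, M2), bound(widen(M1, M2), "x"))   # True inf
```

Widening is applied to the raw matrices here; in practice the left argument is closed first, since widening a closed DBM against a non-closed one can lose bounds the closure would have kept.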

Octagon abstraction [Mine-01]
  • Captures relationships common in programs (array access)

Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c

Equality-based domains
  • Simple congruences [Granger’89]: y = a mod k
  • Linear relations: y = a*x + b
    • Join operator a little tricky
  • Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c
  • Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c
    • Some good results are obtainable when d1+…+dk < n for some small n