From program slicing to abstract interpretation
This presentation is the property of its rightful owner.
Sponsored Links
1 / 26

From Program slicing to Abstract Interpretation PowerPoint PPT Presentation


  • 86 Views
  • Uploaded on
  • Presentation posted in: General

From Program slicing to Abstract Interpretation. Dr. Manuel Oriol. Topics. Program Slicing Static Dynamic Abstract Interpretation Soundness Completeness. Program slicing. A technique for analyzing programs regarding to a specific criterion.

Download Presentation

From Program slicing to Abstract Interpretation

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


From program slicing to abstract interpretation

From Program slicing to Abstract Interpretation

Dr. Manuel Oriol


Topics

Topics

  • Program Slicing

    • Static

    • Dynamic

  • Abstract Interpretation

    • Soundness

    • Completeness


Program slicing

Program slicing

  • A technique for analyzing programs regarding to a specific criterion.

  • More specifically, the analysis is meant to find the statements that participate to a result.


Intuition

Intuition

  • What are the statements leading to the value of b at the end?

  • a := 1

  • b := 5

  • if(b > 3)then

  • Result:= b

  • else

  • a:= 2

  • end

  • b := a


Key idea static slicing criteria

Key Idea: static slicing criteria

  • Slicing criterion:

  • (S, {variables})

A statement, a point in the program

The set of variables that matter


The static slice

The static slice

  • The set of statements that lead to the state of the variables at the chosen statement.

  • Example:

  • i:= 3

  • fact := 1

  • fromi:= 1untili> 10loop

  • fact :=fact *i

  • last_i:= i-- Middle

  • io.put("last I:" +last_i)

  • i:= i+ 1

  • end

  • (end,i)? (end,fact)? (middle,i)?


Key idea dynamic slicing criteria

Key Idea: dynamic slicing criteria

  • Slicing criterion:

  • (x, Sq, {variables})

The set of variables that matter

Input of the program

Statement S in qth position


The dynamic slice

The dynamic slice

  • The set of statements that lead to the state of the variables at the chosen statement given input x.

  • Example:

  • n := io.read_int

  • i:= 3

  • fact := 1

  • fromi:= 1untili> nloop

  • fact :=fact *i

  • last_i:= i-- Middle

  • io.put("last I:“ + last_i)

  • i:= i+ 1

  • end

  • (10,end1,i)? (0,end1,fact)? (5,middle2,i)?


Application debugging

Application: Debugging

  • Simpler: Easier to understand what’s wrong

  • Remove statements: Detect dead code

  • By comparing to an intended behavior: detects bugs in the behavior


Other applications

Other Applications

  • Software maintenance

  • Testing

  • Optimizations


Abstract interpretation

Abstract interpretation

  • A technique for analyzing the programs by modeling their values and operations.

  • It is an execution that one can make to prove facts.


Intuition1

Intuition

  • Set of values:

  • V::= integers

  • Expressions:

  • e::= e * e | i ∈ V

  • Language:

  • eval: e -> integers

  • eval(i) = i

  • eval(e1*e2) = eval(e1) x eval(e2)

  • How can we decide on the sign of the evaluated expressions?


Key idea the abstraction

Key Idea: the Abstraction!

How is this called?

Homomorphism

next

State

State

α

α

γ

next

Abstract State

Abstract State

α: abstraction function

γ: concretization function


Abstraction

Abstraction

Set of abstract values:

AV::= {+, -, 0}

Expressions:

e::= e * e | ai∈ AV

Language:

aeval: e -> AV

aeval(i>0) = +

aeval(i<0) = -

aeval(i=0) = 0

aeval(e1*e2) = aeval(e1)*aeval(e2)

where +*- = -

+*+=+

-*-=+

0*av=0

av*0=0

  • Set of values:

  • V::= integers

  • Expressions:

  • e::= e * e | i∈ V

  • Language:

  • eval: e -> integers

  • eval(i) = i

  • eval(e1*e2) = eval(e1) * eval(e2)

Adding unary minus?


If only the world would be so great

If only the world would be so great…

How is this called?

Semi-Homomorphism

next

State

State

α

α

next

Abstract State

Abstract State


Abstraction1

Abstraction

  • Set of values:

  • V::= integers

  • Expressions:

  • e::= e * e | -e | e + e | i∈ V

  • Language:

  • eval: e -> integers

  • eval(i) = i

  • eval(-e)=-eval(e)

  • eval(e1*e2) = eval(e1) * eval(e2)

  • eval(e1+e2) = eval(e1) + eval(e2)

Set of abstract values:

AV::= {+, -, 0, T}

Expressions:

e::= e * e | -e | e + e | av∈ AV

Language:

aeval: e -> AV

aeval(integer) = … as before

aeval(e1*e2) = … as before

aeval(-e) = … easy ;)

aeval(e1+e2) = aeval(e1)+aeval(e2)

where + + - = T

+ + + = +

- + - = -

0+av=av

av+0=av


Abstraction complete

Abstraction complete?

  • Set of values:

  • V::= integers

  • Expressions:

  • e::= e * e | -e | e + e | e/e | i∈ V

  • Language:

  • eval: e -> integers

  • eval(i) = i

  • eval(-e)=-eval(e)

  • eval(e1*e2) = eval(e1) * eval(e2)

  • eval(e1+e2) = eval(e1) + eval(e2)

  • eval(e1/e2) = eval(e1) / eval(e2)

Set of abstract values:

AV::= {+, -, 0, T, ⊥}

Expressions:

e::= e * e | -e | e + e | e/e | av∈ AV

Language:

aeval: e -> AV

aeval(integer) = … as before

aeval(e1*e2) = … as before

aeval(-e) = … easy ;)

aeval(e1/e2) = aeval(e1)/aeval(e2)

where av/0 = ⊥

av+ ⊥= ⊥


Significance of the results

Significance of the results?

  • It is sound!

  • (the results are correct)

  • It is far from complete!!!!!

  • (the results loose too much information)


Condition for soundness

Condition for Soundness

  • It should be a Galois insertion:

  • γ and α monotonic (x ⊆ y => f(x) ⊆ f(y))

  • for all S: S ⊆ γ(α(S))

  • α(γ(av)) = av


Monotonic functions

Monotonic Functions

  • In the example:

  • for α:(S, ⊆) → (AV,≤)

  • for γ:(av,≤) → (S,⊆)

T

-

+

0


Exercise

Exercise

  • Prove that the expression is divisible by 3.

Set of abstract values:

AV::= {true,false,T, ^}

Expressions:

e::= e * e | -e | e + e | e/e | ai∈ AV

Language:

aeval: e -> AV

aeval(3) = yes

aeval(e1*e2) = yes iffaeval(e1)=yes or

aeval(e2)=yes

aeval(-e) = … easy ;)

aeval(e1+e2) = aeval(e1) and aeval(e2)

aeval(e1/e2) = true if aeval(e1) and

not aeval(e2)


Presenting it

Presenting it…

  • Usually presented through the definition of transitions…

  • Prove that this program does not try to access a value outside the array’s definition, a of size 10 (from 1 to 10)

  • j := 0

  • fromi:= 1untili> 50loop

  • j :=j + (45 - a.item(i) + a.item(2*i))

  • i:=i+ 1

  • end


Using abstract interpretation

Using abstract interpretation…

  • What abstraction would you use to compute the call graph of a program?

  • What abstraction would you use to optimize the tests within a program?


Problems

Problems

  • How would you verify that loops terminate?

    • Is it sound? Is it complete?

  • How would you verify that a password read on the keyboard is not sent through a socket?

    • Is it sound? Is it complete?


Applications to trusted components

Applications to Trusted Components

  • Dataflow Analysis?

  • Program Slicing?

  • Abstract Interpretation?


Conclusions

Conclusions

  • Program Slicing

    • Static

    • Dynamic

  • Abstract Interpretation

    • Soundness

    • Completeness


  • Login