from program slicing to abstract interpretation n.
Download
Skip this Video
Download Presentation
From Program slicing to Abstract Interpretation

Loading in 2 Seconds...

play fullscreen
1 / 26

From Program slicing to Abstract Interpretation - PowerPoint PPT Presentation


  • 114 Views
  • Uploaded on

From Program slicing to Abstract Interpretation. Dr. Manuel Oriol. Topics. Program Slicing Static Dynamic Abstract Interpretation Soundness Completeness. Program slicing. A technique for analyzing programs regarding to a specific criterion.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'From Program slicing to Abstract Interpretation' - may


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
topics
Topics
  • Program Slicing
    • Static
    • Dynamic
  • Abstract Interpretation
    • Soundness
    • Completeness
program slicing
Program slicing
  • A technique for analyzing programs regarding to a specific criterion.
  • More specifically, the analysis is meant to find the statements that participate to a result.
intuition
Intuition
  • What are the statements leading to the value of b at the end?
  • a := 1
  • b := 5
  • if(b > 3)then
  • Result:= b
  • else
  • a:= 2
  • end
  • b := a
key idea static slicing criteria
Key Idea: static slicing criteria
  • Slicing criterion:
  • (S, {variables})

A statement, a point in the program

The set of variables that matter

the static slice
The static slice
  • The set of statements that lead to the state of the variables at the chosen statement.
  • Example:
  • i:= 3
  • fact := 1
  • fromi:= 1untili> 10loop
  • fact :=fact *i
  • last_i:= i-- Middle
  • io.put("last I:" +last_i)
  • i:= i+ 1
  • end
  • (end,i)? (end,fact)? (middle,i)?
key idea dynamic slicing criteria
Key Idea: dynamic slicing criteria
  • Slicing criterion:
  • (x, Sq, {variables})

The set of variables that matter

Input of the program

Statement S in qth position

the dynamic slice
The dynamic slice
  • The set of statements that lead to the state of the variables at the chosen statement given input x.
  • Example:
  • n := io.read_int
  • i:= 3
  • fact := 1
  • fromi:= 1untili> nloop
  • fact :=fact *i
  • last_i:= i-- Middle
  • io.put("last I:“ + last_i)
  • i:= i+ 1
  • end
  • (10,end1,i)? (0,end1,fact)? (5,middle2,i)?
application debugging
Application: Debugging
  • Simpler: Easier to understand what’s wrong
  • Remove statements: Detect dead code
  • By comparing to an intended behavior: detects bugs in the behavior
other applications
Other Applications
  • Software maintenance
  • Testing
  • Optimizations
abstract interpretation
Abstract interpretation
  • A technique for analyzing the programs by modeling their values and operations.
  • It is an execution that one can make to prove facts.
intuition1
Intuition
  • Set of values:
  • V::= integers
  • Expressions:
  • e::= e * e | i ∈ V
  • Language:
  • eval: e -> integers
  • eval(i) = i
  • eval(e1*e2) = eval(e1) x eval(e2)
  • How can we decide on the sign of the evaluated expressions?
key idea the abstraction
Key Idea: the Abstraction!

How is this called?

Homomorphism

next

State

State

α

α

γ

next

Abstract State

Abstract State

α: abstraction function

γ: concretization function

abstraction
Abstraction

Set of abstract values:

AV::= {+, -, 0}

Expressions:

e::= e * e | ai∈ AV

Language:

aeval: e -> AV

aeval(i>0) = +

aeval(i<0) = -

aeval(i=0) = 0

aeval(e1*e2) = aeval(e1)*aeval(e2)

where +*- = -

+*+=+

-*-=+

0*av=0

av*0=0

  • Set of values:
  • V::= integers
  • Expressions:
  • e::= e * e | i∈ V
  • Language:
  • eval: e -> integers
  • eval(i) = i
  • eval(e1*e2) = eval(e1) * eval(e2)

Adding unary minus?

if only the world would be so great
If only the world would be so great…

How is this called?

Semi-Homomorphism

next

State

State

α

α

next

Abstract State

Abstract State

abstraction1
Abstraction
  • Set of values:
  • V::= integers
  • Expressions:
  • e::= e * e | -e | e + e | i∈ V
  • Language:
  • eval: e -> integers
  • eval(i) = i
  • eval(-e)=-eval(e)
  • eval(e1*e2) = eval(e1) * eval(e2)
  • eval(e1+e2) = eval(e1) + eval(e2)

Set of abstract values:

AV::= {+, -, 0, T}

Expressions:

e::= e * e | -e | e + e | av∈ AV

Language:

aeval: e -> AV

aeval(integer) = … as before

aeval(e1*e2) = … as before

aeval(-e) = … easy ;)

aeval(e1+e2) = aeval(e1)+aeval(e2)

where + + - = T

+ + + = +

- + - = -

0+av=av

av+0=av

abstraction complete
Abstraction complete?
  • Set of values:
  • V::= integers
  • Expressions:
  • e::= e * e | -e | e + e | e/e | i∈ V
  • Language:
  • eval: e -> integers
  • eval(i) = i
  • eval(-e)=-eval(e)
  • eval(e1*e2) = eval(e1) * eval(e2)
  • eval(e1+e2) = eval(e1) + eval(e2)
  • eval(e1/e2) = eval(e1) / eval(e2)

Set of abstract values:

AV::= {+, -, 0, T, ⊥}

Expressions:

e::= e * e | -e | e + e | e/e | av∈ AV

Language:

aeval: e -> AV

aeval(integer) = … as before

aeval(e1*e2) = … as before

aeval(-e) = … easy ;)

aeval(e1/e2) = aeval(e1)/aeval(e2)

where av/0 = ⊥

av+ ⊥= ⊥

significance of the results
Significance of the results?
  • It is sound!
  • (the results are correct)
  • It is far from complete!!!!!
  • (the results loose too much information)
condition for soundness
Condition for Soundness
  • It should be a Galois insertion:
  • γ and α monotonic (x ⊆ y => f(x) ⊆ f(y))
  • for all S: S ⊆ γ(α(S))
  • α(γ(av)) = av
monotonic functions
Monotonic Functions
  • In the example:
  • for α: (S, ⊆) → (AV,≤)
  • for γ: (av,≤) → (S,⊆)

T

-

+

0

exercise
Exercise
  • Prove that the expression is divisible by 3.

Set of abstract values:

AV::= {true,false,T, ^}

Expressions:

e::= e * e | -e | e + e | e/e | ai∈ AV

Language:

aeval: e -> AV

aeval(3) = yes

aeval(e1*e2) = yes iffaeval(e1)=yes or

aeval(e2)=yes

aeval(-e) = … easy ;)

aeval(e1+e2) = aeval(e1) and aeval(e2)

aeval(e1/e2) = true if aeval(e1) and

not aeval(e2)

presenting it
Presenting it…
  • Usually presented through the definition of transitions…
  • Prove that this program does not try to access a value outside the array’s definition, a of size 10 (from 1 to 10)
  • j := 0
  • fromi:= 1untili> 50loop
  • j :=j + (45 - a.item(i) + a.item(2*i))
  • i:=i+ 1
  • end
using abstract interpretation
Using abstract interpretation…
  • What abstraction would you use to compute the call graph of a program?
  • What abstraction would you use to optimize the tests within a program?
problems
Problems
  • How would you verify that loops terminate?
    • Is it sound? Is it complete?
  • How would you verify that a password read on the keyboard is not sent through a socket?
    • Is it sound? Is it complete?
applications to trusted components
Applications to Trusted Components
  • Dataflow Analysis?
  • Program Slicing?
  • Abstract Interpretation?
conclusions
Conclusions
  • Program Slicing
    • Static
    • Dynamic
  • Abstract Interpretation
    • Soundness
    • Completeness