Post on 28-Jul-2020
Improving Static Analyses of C Programs with Conditional Predicates
Sandrine Blazy David Bühler Boris Yakobowski
IRISA - University of Rennes
CEA, LIST, Software Safety Lab
October 20, 2014
David Bühler Predicated Analysis October 20, 2014 0 / 23
Context: Introduction
Context of our Work
- Static analysis of C programs to prove their safety.
- Flow-sensitive analysis.
- Well-known loss of precision when two control-flow paths meet.
- But path-sensitive analyses are often too costly.
Context: Abstract Interpretation
Abstract Interpretation
- Approximates a concrete, non-computable semantics through abstract domains.
- Abstract domains usually represent sets of concrete states.
- Sound analyses: those abstractions must capture all possible behaviors of the program.
- Continuing trade-off between precision and efficiency:
  - abstract domains must be sufficiently precise to exclude error cases and simple enough to be scalable.
Context: Abstract Interpretation
Simple Idealized Language
- Programs are represented as a Control Flow Graph (CFG).
- Edges are labelled by a statement:
  - assignment v := e
  - assume guard if (e)

    1 x = 42;
    2 if (c > 0)
    3   y = -4;
    4 else
    5   y = 4;
    6 w = 1;

CFG of this program (nodes are program points, edge labels are statements):
  1 --[x := 42]--> 2
  2 --[if (c > 0)]--> 3        2 --[if (¬(c > 0))]--> 4
  3 --[y := −4]--> 5           4 --[y := 4]--> 5
  5 --[w := 1]--> 6
Context: Abstract Interpretation
Dataflow Analysis
Edge 1 --[i]--> 2, with abstract state S1 at node 1 and the state at node 2 to be computed:
- For each statement, an abstract transfer function over-approximates the concrete semantics on the abstract domain.
  $S_2 = \llbracket i \rrbracket^\sharp (S_1)$
Edges 1 --> 3 and 2 --> 3, with states S1 at node 1 and S2 at node 2 and the state at node 3 to be computed:
- When two control-flow paths meet, a join operation ⊔ over-approximates the union of the concrete states on each incoming edge.
  $S_3 = S_1 \sqcup S_2$
- Computation of a fixpoint from an initial state.
Context: Abstract Interpretation
Interval Domain
- At each program point, the possible value of each variable is represented by an interval.
- The analysis starts at the entry point with the special value ⊤ (the values of all variables are unknown).
- Abstract transfer functions follow interval arithmetic.
- Join operator:
  $S = \lambda x.\,[x_1, x_2] \qquad S' = \lambda x.\,[x'_1, x'_2]$
  $S \sqcup S' = \lambda x.\,[\min(x_1, x'_1),\ \max(x_2, x'_2)]$
Context: Issue
Disjunction
(Same CFG as above, with two additional program points 3+ and 4+ placed just after the assignments to y in nodes 3 and 4.)
- The join operation often leads to loss of precision.
  3+: x ∈ [42], c ∈ [1; +∞], y ∈ [−4]
  4+: x ∈ [42], c ∈ [−∞; 0], y ∈ [4]
  5:  x ∈ [42], c ∈ ⊤, y ∈ [−4; 4]
- Here, y cannot be equal to 0.
Context: Issue
How to minimize the loss of precision at join points?
Context: State of the Art
Trace Partitioning
(Same CFG as above.)
- A well-known technique: trace partitioning.
- Main idea: keep separate abstract states for different paths in the CFG.
  5: ifT: x ∈ [42], c ∈ [1; +∞], y ∈ [−4]
     ifF: x ∈ [42], c ∈ [−∞; 0], y ∈ [4]
Context: State of the Art
Trace Partitioning
(Same CFG as above.)
- Here, trace partitioning allows excluding the potential error case where y = 0.
- Drawback: the analysis continues with multiple states in parallel, which is more costly.
  6: ifT: x ∈ [42], c ∈ [1; +∞], y ∈ [−4], w ∈ [1]
     ifF: x ∈ [42], c ∈ [−∞; 0], y ∈ [4], w ∈ [1]
Predicated Analysis: Overview
Predicated Analysis
- Our proposal: one abstract state with further information under predicates.
  5: true ↦ { x ∈ [42], y ∈ [−4; 4] }
     c > 0 ↦ y ∈ [−4]
     ¬(c > 0) ↦ y ∈ [4]
Predicated Analysis: Overview
Predicated Domain
The predicated domain is two-fold:
- a set of implications from predicates (deriving from conditionals) to values of the interval domain.
  - The value under the predicate true is always the broadest one.
  - The values under non-true guards bring extra information coming from merged branches.
- a context, namely a boolean predicate that holds at the considered point, used to create new implications at join points.
Predicated Analysis: Demonstration
Example
(Same CFG as above, with program points 3+ and 4+.)
Point  Context    Implications
1      true       true ↦ ⊤
2      true       true ↦ x ∈ [42]
3      c > 0      true ↦ x ∈ [42]
3+     c > 0      true ↦ x ∈ [42], y ∈ [−4]
4      ¬(c > 0)   true ↦ x ∈ [42]
4+     ¬(c > 0)   true ↦ x ∈ [42], y ∈ [4]
Example (continued: join at point 5)
Point  Context    Implications
3+     c > 0      true ↦ x ∈ [42], y ∈ [−4]
4+     ¬(c > 0)   true ↦ x ∈ [42], y ∈ [4]
5      true       true ↦ x ∈ [42], y ∈ [−4; 4]
                  c > 0 ↦ y ∈ [−4]
                  ¬(c > 0) ↦ y ∈ [4]
Example (continued: assignment w := 1, point 6)
Point  Context    Implications
5      true       true ↦ x ∈ [42], y ∈ [−4; 4]
                  c > 0 ↦ y ∈ [−4]
                  ¬(c > 0) ↦ y ∈ [4]
6      true       true ↦ x ∈ [42], y ∈ [−4; 4], w ∈ [1]
                  c > 0 ↦ y ∈ [−4]
                  ¬(c > 0) ↦ y ∈ [4]
Predicated Analysis: Algorithm
Transfer Functions
Edge 1 --[i]--> 2, with state S1 at node 1 and the state at node 2 to be computed:
- apply the transfer function on intervals to each value on the right side of the implications;
- on an assignment x := e, remove any predicate whose truth value depends on x;
- on an assume guard if (e), add e to the current context.
Predicated Analysis: Algorithm
Join
Edges 1 --> 3 and 2 --> 3, with states S1 at node 1 and S2 at node 2 and the state at node 3 to be computed:
  $S_1 : C_1,\ \{p_i \to v_i\} \qquad S_2 : C_2,\ \{q_j \to w_j\}$   ($C$: context; $\{\ldots\}$: implications)
- Disjunction of contexts: $C_1 \vee C_2$
- Implications are:
  - the implications valid in both previous states: $p_i \wedge q_j \to v_i \sqcup w_j$
  - the implications valid in one state + negation of the other context: $\neg C_2 \wedge p_i \to v_i$ and $\neg C_1 \wedge q_j \to w_j$
Predicated Analysis: Algorithm
Avoiding redundancy
- Redundant values in implications impair the performance of the analysis.
- To avoid redundancy, the underlying abstract domain must provide:
  - a lighter transfer function for values under non-true guards, that avoids relearning information already modeled by the value under true;
  - a difference operation able to extract the specific information of each of two abstract values, not contained in their join.
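The join, the transfer function for an assignment and the difference operation of the three preceding slides, as an added Python example on the slides' running example (this is not code from the slides or from Frama-C). The encodings of intervals, predicates and states are my assumptions, and unlike the slides' abbreviated display the example also keeps the bounds of c under each guard.

```python
# Added example, not code from the slides or from Frama-C. Assumed encodings:
# an interval is (lo, hi) with None for an infinite bound, a predicate is a
# string, and a state is (context, {predicate: {variable: interval}}).

def join_itv(a, b):
    lo = None if None in (a[0], b[0]) else min(a[0], b[0])
    hi = None if None in (a[1], b[1]) else max(a[1], b[1])
    return (lo, hi)

def join_env(e1, e2):  # pointwise join; a variable missing on one side is top
    return {v: join_itv(e1[v], e2[v]) for v in e1.keys() & e2.keys()}
def neg(p):
    return p[4:-1] if p.startswith("not(") else f"not({p})"
def conj(p, q):
    if "true" in (p, q): return q if p == "true" else p
    return p if p == q else f"({p}) and ({q})"

def predicated_join(s1, s2):
    (c1, i1), (c2, i2) = s1, s2
    out = {conj(p, q): join_env(v, w)  # valid in both states: p_i ∧ q_j -> v_i ⊔ w_j
           for p, v in i1.items() for q, w in i2.items()}
    out.update({conj(neg(c2), p): v for p, v in i1.items()})  # ¬C2 ∧ p_i -> v_i
    out.update({conj(neg(c1), q): w for q, w in i2.items()})  # ¬C1 ∧ q_j -> w_j
    base = out["true"]  # difference operation: keep only what is more precise than `true`
    impl = {p: e if p == "true" else {v: i for v, i in e.items() if base.get(v) != i}
            for p, e in out.items()}
    ctx = c1 if c1 == c2 else "true" if c2 == neg(c1) else f"({c1}) or ({c2})"  # C1 ∨ C2
    return ctx, impl

def assign_const(state, var, k):
    # var := k: only the value under `true` learns the binding (lighter transfer
    # for the other guards); predicates whose truth value depends on var are dropped.
    ctx, impl = state
    impl = {p: dict(e) for p, e in impl.items() if p == "true" or var not in p}
    impl["true"][var] = (k, k)
    return ctx, impl

def excludes(state, var, k):
    # k is impossible for var if the `true` interval misses it, or if some guard p
    # and its negation (an exhaustive case split) both carry an interval missing k.
    impl = state[1]
    def misses(p):
        lo, hi = impl.get(p, {}).get(var, (None, None))
        return (lo is not None and k < lo) or (hi is not None and k > hi)
    return misses("true") or any(misses(p) and misses(neg(p)) for p in impl)

# Program points 3+ and 4+ of the running example (values taken from the slides).
S3 = ("c > 0", {"true": {"x": (42, 42), "c": (1, None), "y": (-4, -4)}})
S4 = ("not(c > 0)", {"true": {"x": (42, 42), "c": (None, 0), "y": (4, 4)}})
S5 = predicated_join(S3, S4)   # point 5: context true, y ∈ [-4] under c > 0, y ∈ [4] under ¬(c > 0)
S6 = assign_const(S5, "w", 1)  # point 6: w ∈ [1] under true, guards untouched
```

`excludes(S6, "y", 0)` is the check the Disjunction slide motivates: the plain interval y ∈ [−4; 4] admits 0, but the two guarded implications together rule it out.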
Predicated Analysis: Summary
Genericity
- Dealing with predicates is challenging...
- ... but at a join point, implications can precisely model the specific information of each branch.
- Predicated analysis is a generic framework, independent of the underlying domain.
- In particular, we instantiated such analyses on simple domains in the Frama-C platform.
Application: Initialized Variables
Frama-C (http://frama-c.com)
- A modular platform dedicated to the analysis of C code through several plugins.
- Among them, the Value Analysis:
  - abstract interpretation based;
  - emits alarms at potentially unsafe program points;
  - domain: small sets of discrete values or intervals with congruences + alias analysis for pointers;
  - trace partitioning: propagates separately multiple abstract states, whose number is limited by a parameter called slevel.
Application: Initialized Variables
SCADE code
Predicated analyses efficiently resolve usual code patterns in SCADE-generated programs, such as the following one:

    if (c) {
        ...
        v = expr;
    }
    ...
    if (c) {
        /* assert Value: initialisation: \initialized(v); */
        x = v;
    }

The trace partitioning of the Value Analysis handles such patterns, but is too costly on huge nested conditionals.
More SCADE code
Application: Initialized Variables
Domain of Initialized Variables
- Set of variables that are guaranteed to have been initialized before.
- Join operation: $V_1 \sqcup V_2 \triangleq V_1 \cap V_2$
- Transfer functions:
  $\llbracket \text{if } (e) \rrbracket^\sharp (V) \triangleq V$
  $\llbracket x := e \rrbracket^\sharp (V) \triangleq \begin{cases} V \cup \{x\} & \text{if } \mathrm{var}(e) \subseteq V \\ V \setminus \{x\} & \text{otherwise} \end{cases}$
Application: Implementation & Results
Implementation
- Plugin above the Value Analysis: uses its alias information to remove predicates whose truth value is modified.
- Predicates restricted to negation, conjunction and disjunction of uninterpreted C expressions (stored in DNF form).
- Limitation over the number of literals in predicates: clevel.
Application: Implementation & Results
Experimental Results
Tests on a SCADE-generated program of ~5000 lines of code.
[Plot: y-axis "initialized assertions to be validated" (0 to 500); x-axis "size of predicates (context and guards)"; one curve per Value Analysis setting: slevel = 1 (6.4s), slevel = 100 (38s), slevel = 1000 (502s); points of the predicated analysis are labelled with their analysis times: 16s, 29s, 315s, 524s, 10116s.]
The End: To be continued...
Future Works
- Improve the interpretation of guards:
  - For now, C expressions used in predicates are not interpreted;
  - Goal: handle arithmetic entailments between guards like x > 0 and x > 1.
- Select relevant predicates (and remove the others) by heuristics at join points or by a lighter pre-analysis.
  - Goal: speed up the analysis.
- Apply predicated analysis over more complex domains.