ImprovingStaticAnalysesofCPrograms...

Improving Static Analyses of C Programswith Conditional Predicates

Sandrine Blazy David Bühler Boris Yakobowski

IRISA - University of Rennes

CEA, LIST, Software Safety Lab

October 20, 2014

David Bühler Predicated Analysis October 20, 2014 0 / 23

Context Introduction

Context of our Work

I Static analysis of C programs to prove their safety.

I Flow-sensitive analysis.

I Well-known loss of precision when two control-flow paths meet.

I But path-sensitive analyses are often too costly.


Context Abstract Interpretation

Abstract Interpretation

I Approximates a concrete not computable semantics throughabstract domains.

I Abstract domains usually represent sets of concrete states.I Sound analyses: those abstractions must capture all possible

behaviors of the program.I Continuing trade-off between precision and efficiency:

- abstract domains must be sufficiently precise to exclude errorcases and simple enough to be scalable.



Simple Idealized Language

I Programs are represented as aControl Flow Graph.

I Edges are labelled by a statement:- assignment v := e- assume guards if (e)

1 x = 42 ;2 i f ( c > 0)3 y = −4;4 else5 y = 4 ;6 w = 1 ;

1

2

3 4

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1



Dataflow Analysis

1

2

S1

?

i

I For each statement, an abstract transferfunction over-approximates concrete semanticson abstract domain.

S2 = JiK] (S1)

1 2

3

S1 S2

?

I When two control-flow paths meet, a joinoperation t over-approximates the union of theconcrete states on each incoming edges.

S3 = S1 t S2

I Computation of a fixpoint from an initial state.



Interval Domain

I At each program point, the possible value of each variable isrepresented by an interval.

I The analysis starts at the entry point with the special value >(the values of all variables are unknown).

I Abstract transfer functions follow interval arithmetics.

I Join operator:

S = λx. [x1, x2]S ′ = λx.

[x ′

1, x ′2]

S t S ′ = λx.[min

(x1, x ′

1),max

(x2, x ′

2)]


Context Issue

Disjunction

1

2

3 4

3+ 4+

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1

I The join operation often leads to loss ofprecision.

3+ x ∈ [42] c ∈ [1; +∞] y ∈ [−4]

4+ x ∈ [42] c ∈ [−∞; 0] y ∈ [4]

5 x ∈ [42] c ∈ > y ∈ [−4; 4]

I Here, y cannot be equal to 0.


Context Issue

How to minimize the loss of precision at join points ?


Context State of the Art

Trace Partitioning

1

2

3 4

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1

I A well-known technic: trace partitioning.

I Main idea: keep separate abstract statesfor different paths in the cfg.

5ifT : x ∈ [42] c ∈ [1; +∞] y ∈ [−4]

ifF : x ∈ [42] c ∈ [−∞; 0] y ∈ [4]


Context State of the Art

Trace Partitioning

1

2

3 4

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1

I Here, trace partitioning allows to excludethe potential error case where y = 0.

I Drawback: the analysis continues withmultiple states in parallel: more costly.

6ifT : x ∈ [42] c ∈ [1; +∞] y ∈ [−4] w ∈ [1]

ifF : x ∈ [42] c ∈ [−∞; 0] y ∈ [4] w ∈ [1]


Predicated Analysis Overview

Predicated Analysis

I Our proposal: one abstract state with further information underpredicates.

5

true 7→{

x ∈ [42]y ∈ [−4; 4]

c > 0 7→ y ∈ [−4]

¬ (c > 0) 7→ y ∈ [4]


Predicated Analysis Overview

Predicated Domain

The predicated domain is two-fold:I a set of implications from predicates (deriving from conditionals)

to values of the interval domain.- The value under the predicate true is always the broadestone.

- The values under non-true guards bring extra-informationcoming from merged branches.

I a context, namely a boolean predicate that holds at theconsidered point, used to create new implications at join points.


Predicated Analysis Demonstration

Example

1

2

3 4

3+ 4+

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1

context implications

1 true true 7→ >

2 true true 7→ x ∈ [42]

3 c > 0 true 7→ x ∈ [42]

3+ c > 0 true 7→ x ∈ [42] y ∈ [−4]

4 ¬ (c > 0) true 7→ x ∈ [42]

4+ ¬ (c > 0) true 7→ x ∈ [42] y ∈ [4]



Example

1

2

3 4

3+ 4+

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1


3+ c > 0 true 7→ x ∈ [42] y ∈ [−4]

4+ ¬ (c > 0) true 7→ x ∈ [42] y ∈ [4]

5 true

true 7→{

x ∈ [42]y ∈ [−4; 4]

c > 0 7→ y ∈ [−4]

¬ (c > 0) 7→ y ∈ [4]



Example

1

2

3 4

3+ 4+

5

6

x := 42

if (c > 0) if (¬(c > 0))

y := −4 y := 4

w := 1


5 true

true 7→{

x ∈ [42]y ∈ [−4; 4]

c > 0 7→ y ∈ [−4]

¬ (c > 0) 7→ y ∈ [4]

6 true

true 7→

x ∈ [42]y ∈ [−4; 4]w ∈ [1]

c > 0 7→ y ∈ [−4]

¬ (c > 0) 7→ y ∈ [4]


Predicated Analysis Algorithm

Transfer Functions

1

2

S1

?

i

I apply the transfer function on intervals to eachvalue on the right side of the implications;

I on an assignment x := e, remove any predicatewhose truth value depends on x;

I on an assume guard if (e), add e to the currentcontext.



Join

1 2

3

S1 S2

?

S1 :C1

{pi → vi}S2 :

C2

{qj → wj}

: context

: implications

I Disjunction of contexts: C1 ∨ C2

I Implications are:- the implications valid in both previous states

pi ∧ qj → vi t wj

- the implications valid in one state + negation of other context

¬C2 ∧ pi → vi

¬C1 ∧ qj → wj



Avoiding redundancy

I Redundant values in implications impair the performance of theanalysis.

I To avoid redundancy, the underlying abstract domain mustprovide:

- a lighter transfer function for values under non-true guards,that avoids relearning information already modeled by thevalue under true;

- a difference operation able to extract the specific informationof each of two abstract values, not contained in their join.


Predicated Analysis Summary

Genericity

I Dealing with predicates is challenging...I ... but at a join point, implications can precisely model the specific

information of each branch.

I Predicated analysis is a generic framework, independent of theunderlying domain.

I In particular, we instanciated such analyses on simple domains inthe Frama-C platform.


Application Initialized Variables

Frama-Chttp://frama-c.com

I A modular platform dedicated to the analysis of C code throughseveral plugins.

I Among them, the Value Analysis:- Abstract interpretation based;- Emits alarms at potentially unsafe program points;- Domain: small sets of discrete values or intervals withcongruences + alias analysis for pointers;

- Trace partitioning: propagates separately multiple abstractstates, whose number is limited by a parameter called slevel.


http://frama-c.com


scade code

Predicated analyses are efficient to resolve usual pattern codes inscade-generated programs.

1 i f ( c ) {2 . . .3 v = expr ;4 }5 . . .6 i f ( c ) {7 /∗ a s s e r t Value : i n i t i a l i s a t i o n : \ i n i t i a l i z e d ( v ) ; ∗/8 x = v ;9 }

The trace partitioning of the Value Analysis handles such patterns, butis too costly on huge nested conditionals.



More scade code



Domain of Initialized Variables

I Set of variables that are garanteed to have been initialized before.

I Join operation:V1 t V2 , V1 ∩ V2

I Transfer functions:

Jif (e)K] (V) , V

Jx := eK] (V) ,

{V ∪ {x} if var (e) ⊆ VV\ {x} otherwise


Application Implementation & Results

Implementation

I Plugin above the Value Analysis: uses its alias information toremove predicates whose truth value is modified.

I Predicates restricted to negation, conjunction and disjunction ofuninterpreted C expressions (stored in dnf form).

I Limitation over the number of litterals in predicates: clevel.


Application Implementation & Results

Experimental Results

Tests on a scade generated program of ~5000 lines of code.

0

100

200

300

400

500

0 16s

29s

315s

524s

10116s

initialized

assertions

tobe

valid

ated

size of predicates (context and guards)

slevel = 1 (6.4s)slevel = 100 (38s)

slevel = 1000 (502s)


The End To be continued...

Future Works

I Improve the interpretation of guards:- For now, C expressions used in predicates are not interpreted;- Goal: handle arithmetic entailments between guards like

x > 0 and x > 1.

I Select relevant predicates (and remove the others) by heuristics atjoin points or by a lighter pre-analysis.

- Goal: speed up the analysis.

I Apply predicated analysis over more complex domains.


ImprovingStaticAnalysesofCPrograms...

Documents

Transcript of ImprovingStaticAnalysesofCPrograms...