Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions
Spring 2014 Program Analysis and Verification
Lecture 14: Numerical Abstractions
Roman Manevich, Ben-Gurion University
Syllabus
• Semantics
– Natural Semantics
– Structural semantics
– Axiomatic Verification
• Static Analysis
– Automating Hoare Logic
– Control Flow Graphs
– Equation Systems
– Collecting Semantics
• Abstract Interpretation fundamentals
– Lattices
– Fixed-Points
– Chaotic Iteration
– Galois Connections
– Domain constructors
– Widening/Narrowing
• Analysis Techniques
– Numerical Domains
– Alias analysis
– Interprocedural Analysis
– Shape Analysis
– CEGAR
• Crafting your own
– Soot
– From proofs to abstractions
– Systematically developing transformers
Previously
• Composing abstract domains (and GCs)
• Widening and narrowing
• Interval domain
Today
• Abstractions for properties of numeric variables
• Classification:
– Relational vs. non-relational
– Equalities vs. non-equalities
– Zones
Numerical Abstractions
Image credit: By Quilbert (own work, partially derived from en:Image:Poly.pov) [GPL (http://www.gnu.org/licenses/gpl.html)], via Wikimedia Commons
Overview
• Goal: infer numeric properties of program variables (integers, floating point)
• Applications
– Detect division by zero, overflow, out-of-bound array access
– Help non-numerical domains
• Classification
– Non-relational
– (Weakly-)relational
– Equalities / Inequalities
– Linear / non-linear
– Exotic
Implementation
Non-relational abstractions
• Abstract each variable individually
– Constant propagation [Kildall’73]
– Intervals (Box)
• Covered in lecture 13
– Sign
– Parity (congruences)
– Assignment 3: arithmetic progressions
Sign abstraction for variable x
• Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
• Sign = {⊥, neg, 0, pos, ⊤}
• GC_{C,Sign} = (C, α, γ, Sign)
• γ(⊥) = ?
• γ(neg) = ?
• γ(0) = ?
• γ(pos) = ?
• γ(⊤) = ?
• How can we represent 0?
(Hasse diagram: neg, 0 and pos are pairwise incomparable, with ⊥ below them and ⊤ above)
Transformer x:=y*z
  *  | neg |  0  | pos |  ⊤
 neg | pos |  0  | neg |  ⊤
  0  |  0  |  0  |  0  |  0
 pos | neg |  0  | pos |  ⊤
  ⊤  |  ⊤  |  0  |  ⊤  |  ⊤
Check at home: the abstract transformer is complete.
Transformer x:=y+z
  +  | neg |  0  | pos
 neg | neg | neg |  ⊤
  0  | neg |  0  | pos
 pos |  ⊤  | pos | pos
Check at home: the abstract transformer is not complete.
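As an added example (not from the lecture), the Sign domain and the two transformer tables above in Python, with a brute-force check of both "check at home" claims; completeness is taken in the sense α(f(c)) = f#(α(c)), and the sample range [-3, 3] is an arbitrary constructed choice:

```python
# Added example (not from the lecture): the Sign domain with the x := y*z and
# x := y+z transformers tabulated above, plus a brute-force check of completeness
# in the sense alpha(f(c)) == f#(alpha(c)) over a constructed sample of inputs.
import itertools

BOT, NEG, ZERO, POS, TOP = "bot", "neg", "0", "pos", "top"

def alpha(values):
    """Best abstraction of a set of integers into Sign."""
    if not values:
        return BOT
    signs = {NEG if v < 0 else ZERO if v == 0 else POS for v in values}
    return signs.pop() if len(signs) == 1 else TOP

def mul_sharp(a, b):
    """x := y*z: the sign of a product is fixed by the signs of the factors."""
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO                      # as in the table: even top * 0 = 0
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG

def add_sharp(a, b):
    """x := y+z: opposite signs may cancel to anything, so neg + pos = top."""
    if BOT in (a, b):
        return BOT
    if a == ZERO or a == b:
        return b
    if b == ZERO:
        return a
    return TOP

def incompleteness_witnesses(sharp, op, bound=3):
    """Concrete pairs (y, z) in [-bound, bound]^2 on which the abstract transformer
    is coarser than the best result: alpha({op(y, z)}) != sharp(alpha({y}), alpha({z})).
    An empty list means no counterexample in the sample (evidence, not a proof)."""
    rng = range(-bound, bound + 1)
    return [(y, z) for y, z in itertools.product(rng, rng)
            if alpha({op(y, z)}) != sharp(alpha({y}), alpha({z}))]

def mul_is_complete_on_sample():
    return incompleteness_witnesses(mul_sharp, lambda y, z: y * z) == []

def add_is_complete_on_sample():
    return incompleteness_witnesses(add_sharp, lambda y, z: y + z) == []
```

The witness (1, -1) for addition is the whole story: 1 + (-1) = 0 has sign 0, but pos + neg can only be abstracted to ⊤.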
Parity abstraction for variable x
• Concrete lattice: C = (2^State, ⊆, ∪, ∩, ∅, State)
• Parity = {⊥, E, O, ⊤}
• GC_{C,Parity} = (C, α, γ, Parity)
• γ(⊥) = ?
• γ(E) = ?
• γ(O) = ?
• γ(⊤) = ?
(Hasse diagram: E and O are incomparable, with ⊥ below them and ⊤ above)
Transformer x:=y+z
  +  |  E  |  O
  E  |  E  |  O
  O  |  O  |  E
Boxes (intervals)
(Figure: the box x ∈ [1,4], y ∈ [3,6] drawn in the x-y plane)
Non-relational abstractions
• Cannot prove properties that hold simultaneously for several variables
– x = 2*y
– x ≤ y
Practical aspects of non-relational abstractions
The abstraction
• The abstract domain for variables x1,…,xn is the Cartesian product of a mini-domain D[x] for one variable
– D[x1] × … × D[xn]
– Need to implement join, meet, widening, narrowing just for the mini-domain
• Usually a non-relational domain is associated with a Galois Insertion
– No reduction required
– The Cartesian product is a reduced product
Sound assignment transformers
• Let remove(S, x) be the operation that removes the factoid associated with x from S
• Let factoid(S, x) be the operation that returns the factoid associated with x in S
• ⟦x := c⟧# S = remove(S, x) ∪ α({[x ↦ c]})
• ⟦x := y⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y]}
• ⟦x := y+c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + c}
• ⟦x := y+z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] + factoid(S, z)[x/z]}
• ⟦x := y*c⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * c}
• ⟦x := y*z⟧# S = remove(S, x) ∪ {factoid(S, y)[x/y] * factoid(S, z)[x/z]}
Sound assume transformers
• ⟦assume x=c⟧# S = S ⊓ α({[x ↦ c]})
• ⟦assume x<c⟧# S = …
• ⟦assume x=y⟧# S = S ⊓ {factoid(S, y)[x/y]} ⊓ {factoid(S, x)[y/x]}
• ⟦assume x≠c⟧# S = if S ⊑ α({[x ↦ c]}) then ⊥ else S
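An added example (not from the lecture) that lifts the Parity mini-domain from the earlier slides to the Cartesian-product state and implements the remove/factoid-based assignment and assume transformers just described; representing a state as a dict, using None for the ⊥ state, and the helper names are assumptions of this example:

```python
# Added example (not from the lecture): the Parity mini-domain lifted to a
# Cartesian-product state with the remove/factoid transformers of the slides.
# A state is a dict var -> parity; a missing variable means top, and None is
# the bottom (unreachable) state. These representation choices are ours.
BOT, E, O, TOP = "bot", "E", "O", "top"

def alpha(values):
    """Best abstraction of a set of integers into Parity."""
    if not values:
        return BOT
    ps = {E if v % 2 == 0 else O for v in values}
    return ps.pop() if len(ps) == 1 else TOP

def add_sharp(a, b):
    """x := y+z on Parity: E+E = E, O+O = E, E+O = O (the table above)."""
    if BOT in (a, b):
        return BOT
    if TOP in (a, b):
        return TOP
    return E if a == b else O

def meet(a, b):
    """Greatest lower bound in the Parity lattice."""
    return a if a == b or b == TOP else b if a == TOP else BOT

def factoid(S, v):
    return S.get(v, TOP)                 # no factoid recorded means top

def remove(S, x):
    return {v: p for v, p in S.items() if v != x}

def assign_const(S, x, c):
    """x := c  =>  remove(S, x) plus {x -> alpha({c})}."""
    return None if S is None else {**remove(S, x), x: alpha({c})}

def assign_add(S, x, y, z):
    """x := y + z  =>  remove(S, x) plus {x -> factoid(y) +# factoid(z)}."""
    if S is None:
        return None
    r = add_sharp(factoid(S, y), factoid(S, z))   # read y, z before removing x
    return {**remove(S, x), x: r}

def assume_eq(S, x, c):
    """assume x = c  =>  S meet alpha({[x -> c]}); bottom when the parities disagree."""
    if S is None:
        return None
    p = meet(factoid(S, x), alpha({c}))
    return None if p == BOT else {**S, x: p}
```

Reading the operands before calling remove matters for statements such as x := x + x; removing first would silently turn the x factoid into ⊤.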
(Weakly-)relational abstractions
Relational abstractions
• Represent correlations between all program variables
– Polyhedra
– Linear equalities
• When correlations exist only between few variables (usually 2) we say that the abstraction is weakly-relational
– Linear relations example (discussed in class)
– Zone abstraction (next)
– Octagons
– Two-variable polyhedra
– Usually the abstraction is defined as the reduced product of the abstract domain for any pair of variables
Zone abstraction
Zone abstraction [Miné]
• Maintain bounded differences between a pair of program variables (useful for tracking array accesses)
• Abstract state is a conjunction of linear inequalities of the form x − y ≤ c
(Figure: the zone below drawn in the x-y plane)
x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
Difference bound matrices
• Add a special V0 variable for the number 0
• Represent non-existent relations between variables by +∞ entries
• Convenient for defining the partial order between two abstract elements… ⊑ = ?
x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
(the entry in row u, column v is the bound c of v − u ≤ c; V0 stands for 0)
      V0    x    y
V0    +∞    4    3
x     -1   +∞   +∞
y     -1    1   +∞
Ordering DBMs
• How should we order M1 ⊑ M2?
M1 = x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1
      V0    x    y
V0    +∞    5    3
x     -1   +∞   +∞
y     +∞    1   +∞
M2 = x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
      V0    x    y
V0    +∞    4    3
x     -1   +∞   +∞
y     -1    1   +∞
Joining DBMs
• How should we join M1 ⊔ M2?
M1 = x ≤ 2, −x ≤ −1, y ≤ 0, x − y ≤ 1
      V0    x    y
V0    +∞    2    0
x     -1   +∞   +∞
y     +∞    1   +∞
M2 = x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
      V0    x    y
V0    +∞    4    3
x     -1   +∞   +∞
y     -1    1   +∞
Widening DBMs
• How should we widen M1 ∇ M2?
M1 = x ≤ 5, −x ≤ −1, y ≤ 3, x − y ≤ 1
      V0    x    y
V0    +∞    5    3
x     -1   +∞   +∞
y     +∞    1   +∞
M2 = x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
      V0    x    y
V0    +∞    4    3
x     -1   +∞   +∞
y     -1    1   +∞
Potential graph
• A vertex per variable
• A directed edge with the weight of the inequality
• Enables computing semantic reduction by shortest-path algorithms
x ≤ 4, −x ≤ −1, y ≤ 3, −y ≤ −1, x − y ≤ 1
(Figure: the potential graph on vertices V0, x, y with one weighted edge per inequality above)
Can we tell whether a system of constraints is satisfiable?
Semantic reduction for zones
• Apply the following rule repeatedly:
x − y ≤ c, y − z ≤ d, x − z ≤ e ⟹ x − z ≤ min{e, c+d}
• When should we stop?
• Theorem 3.3.4. Best abstraction of potential sets and zones: m* = (α_Pot ∘ γ_Pot)(m)
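An added example (not from the lecture and not Miné's code) implementing DBMs for the zone domain, with the pointwise order, join and widening the slides ask about and the shortest-path semantic reduction; the variable set {V0, x, y}, the 0 placed on the diagonal and the helper names are choices made here:

```python
# Added example (not from the lecture): difference bound matrices (DBMs) for the
# zone domain over V0 (stands for 0), x and y, with the pointwise order, join and
# widening asked about on the slides and the shortest-path semantic reduction.
# Entry M[i][j] = c encodes  v_j - v_i <= c ; INF means "no constraint".
INF = float("inf")
VARS = ["V0", "x", "y"]
IDX = {v: k for k, v in enumerate(VARS)}

def dbm(constraints):
    """Build a DBM from triples (lhs, rhs, c) meaning lhs - rhs <= c; use "V0" for 0,
    so ("x", "V0", 4) is x <= 4 and ("V0", "x", -1) is -x <= -1.
    The diagonal is 0 here (the slides show +INF); it makes the cycle test direct."""
    n = len(VARS)
    m = [[INF] * n for _ in range(n)]
    for k in range(n):
        m[k][k] = 0                       # v - v <= 0 always holds
    for lhs, rhs, c in constraints:
        i, j = IDX[rhs], IDX[lhs]
        m[i][j] = min(m[i][j], c)         # keep the tightest bound given
    return m

def leq(m1, m2):
    """m1 is below m2 when every bound of m1 is at least as tight (pointwise)."""
    return all(a <= b for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

def join(m1, m2):
    """Pointwise max: a bound survives only if both arguments imply it."""
    return [[max(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def widen(m1, m2):
    """Keep a bound of m1 that m2 still respects; otherwise drop it to INF."""
    return [[a if b <= a else INF for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)]

def close(m):
    """Semantic reduction: apply  v_j - v_i <= min{e, c + d}  until stable
    (Floyd-Warshall over the potential graph). Returns None if the constraints are
    unsatisfiable, which shows up as a negative cycle, i.e. some m[i][i] < 0."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    return None if any(m[i][i] < 0 for i in range(n)) else m

# The two matrices of the ordering/widening slides, constructed from their inequalities.
M1 = dbm([("x", "V0", 5), ("V0", "x", -1), ("y", "V0", 3), ("x", "y", 1)])
M2 = dbm([("x", "V0", 4), ("V0", "x", -1), ("y", "V0", 3), ("V0", "y", -1), ("x", "y", 1)])
```

The pointwise order, join and widening are sound on any DBMs, but the containment test is exact and the join is the best abstraction only when both arguments are closed first; do not close the first argument of widen before widening, or termination is no longer guaranteed.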
More numerical domains
Octagon abstraction [Miné-01]
• Abstract state is an intersection of linear inequalities of the form ±x ± y ≤ c
• Captures relationships common in programs (array access)
Some inequality-based relational domains
(Figure: comparison of inequality-based relational domains; labels include policy iteration)
Equality-based domains
• Simple congruences [Granger’89]: y = a mod k
• Linear relations: y = a*x + b
– Join operator a little tricky
• Linear equalities [Karr’76]: a1*x1 + … + ak*xk = c
• Polynomial equalities: a1*x1^d1*…*xk^dk + b1*y1^z1*…*yk^zk + … = c
– Some good results are obtainable when d1+…+dk < n for some small n

Next lecture: alias analysis