![Page 1: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/1.jpg)
Sound Bit-Precise Numerical Domains
Thomas RepsUniversity of Wisconsin
GrammaTech
Tushar SharmaUniversity of Wisconsin
![Page 2: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/2.jpg)
Verification via Abstract Interpretation
Program Invariants
Program
Abstraction
Abstract Domain
Fixpoint Analysis
Numerical Abstract Domains (Polyhedra,
Octagons, ..)
UNSOUND!
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 2
![Page 3: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/3.jpg)
Incorrect midpoint exampleunsigned low , high , mid;
assume ( low <= high );
mid = ( low + high ) /2;
assert ( low <= mid <= high );
Possible overflow
Polyhedral analysis unsoundly says that the assert holds, midmight become less than low in case low + high overflows.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 3
![Page 4: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/4.jpg)
Bit-vector arithmetic is challenging
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 4
x
y
x
y
![Page 5: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/5.jpg)
Problem Statement
Given a relational numeric domain over integers, capable of expressing inequalities:◦Provide an automatic method to create a similar domain over bitvectors.
◦Create sound bit-precise abstract transformers.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 5
![Page 6: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/6.jpg)
Key Idea
Program Invariants
Program
Abstraction
Abstract Domain
Fixpoint Analysis
Reinterpretation + Wrap-around functionality
Sound Abstract Transformers
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 6
![Page 7: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/7.jpg)
Wrap around operation
A. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007.
IMPRECISE!
Solution: Use disjunctions.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 8
Quadrant -1 Quadrant 0 Quadrant 1
![Page 8: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/8.jpg)
Maximum allowed of disjunctions = 2
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 9
Quadrant -1 Quadrant 0 Quadrant 1
x0-256 256 512
y
(i)
x0 256
(ii)
![Page 9: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/9.jpg)
Maximum allowed of disjunctions ≥ 3
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 10
Quadrant -1 Quadrant 0 Quadrant 1
x0-256 256 512
y
(i)
x0 256
(ii)
![Page 10: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/10.jpg)
Abstract Domain Constructors• Bit-Vector-Sound Constructor (BVS) • For a base domain A, such that A is sound over integers, BVS[A] constructs a bit-precise version of
the domain.
• Sound over bitvectors and imprecise.
• Finite-Disjunctive Domain Constructor (FDk)• For a base domain A, such that A is sound over integers, and a parameter k, FDk[A] constructs a
finite-disjuctive version of the domain.
• Number of disjunction in any element a ∈ FDk[A] cannot exceed k.
• Unsound over bitvectors (sound over integers) and precise.
• Bit-Vector-Sound Finite-Disjunctive Domain (BVSFDk)• BVSFDk[A] domain is constructed as BVS[FDk[A]].
• Sound over bitvectors and precise.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 12
![Page 11: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/11.jpg)
Contributions◦ Introduce a generic framework to construct sound abstract
domains BVSFDk over bitvectors, by performing wrap-around over abstract domain A and using disjunctions to retain precision.
◦ We provide a generic technique via reinterpretation to create the abstract transformer for the path through a basic block to a given successor, such that the transformer incorporates lazy wrap-around.
◦ We present experiments to show how the performance and precision of BVSFDk analysis changes with the tunable parameter k.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 13
![Page 12: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/12.jpg)
Abstract-Domain InterfaceType Operation Description
A ⊤ Top element
A ⊥ Bottom element
A (a1 == a2) Equality
A (a1 ⊓ a2) Meet
A (a1 ⊔ a2) Join
A (a1 𝛻 a2) Widen
A πW (a) Project on vocabulary W
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
A C(le1 ≤ le2) Construct abstract value
D D(a1, a2) Distance heuristic
14
![Page 13: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/13.jpg)
Abstract Interpretation with BVSFDk
◦Abstract Transformers Generation◦ Eager Abstract Transformers
◦ Lazy Abstract Transformers
◦Fixed-point Iteration◦ Uses join (widen at loop headers) and abstract composition to get
procedure summaries
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 15
![Page 14: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/14.jpg)
Abstract Transformers Generation
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
L0: f(int x, int y) {L1: assume (x <=y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y <=0)L7: x=0, y=0L8: }
END: }
Desired property: x <= y relationship is true at the end of the function.
16
![Page 15: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/15.jpg)
Abstract Transformers GenerationL0: f(int x, int y) {L1: assume (x ≤ y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y ≤ 0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
L0→L2: (m≤ x,y≤M) ˄ (x’=x ˄ y’=y) ˄ x’≤y’
m is minimum signed integer -2147483648.M is maximum signed integer 2147483647.
17
![Page 16: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/16.jpg)
Eager Abstract TransformersL0: f(int x, int y) {L1: assume (x <=y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y <=0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
L4→L5: (m≤ x,y≤M) ˄ (x’=x+1 ˄ y’=y+1)L5→L6: (m≤ x,y≤M) ˄ (x’=x ˄ y’=y+1)
Pre-vocabulary in eager abstract transformers is always bounded in [m, M].
Abstract composition (L4→L5) o (L5→L6): (m≤ x’’,y’’≤M) ˄ (x’=x’’ ˄ y’=y’’+1)
⊓WRAP{x′′,y′′}( (m≤ x,y≤M) ˄ (x’′=x+1 ˄ y’′=y+1) )
Need 4 disjunctions for the following scenarios:1) Variables x’’,y’’ don’t overflow2) Both variables x’’,y’’ overflow3) Variable y’’ overflows, but x’’ does not 4) Variable x’’ overflows, but y’’ does not
18
![Page 17: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/17.jpg)
Eager Abstract Transformers• Forces call to wrap at each composition operation.
• Addition and multiplication over integers preserves concretization over bitvectors.
• For example, (M+1)%(232) = m%(232).
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
Avoid adding bounds until
there is a cast or guard operation!
19
![Page 18: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/18.jpg)
Lazy Abstract TransformersL0: f(int x, int y) {L1: assume (x <=y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y <=0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
L4→L5: (x’=x+1 ˄ y’=y+1)L5→L6: (x’=x ˄ y’=y+1)(L4→L5) o (L5→L6): (x’=x+1 ˄ y’=y+2)
Pre-vocabulary in lazy abstract transformers need not be bounded in [m, M].
20
![Page 19: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/19.jpg)
Lazy Abstract TransformersL0: f(int x, int y) {L1: assume (x ≤ y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y ≤ 0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 21
L5→L7: (x’=x ˄ y’=y+1) ^ …
Step 1: Backward dependency analysis to find subset of pre-vocabulary on which y’ depends.Answer: y
Step 2: Add bounding constraints for y.
![Page 20: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/20.jpg)
Lazy Abstract TransformersL0: f(int x, int y) {L1: assume (x ≤ y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y ≤ 0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 22
L5→L7: (m≤y≤M) ^ (x’=x ˄ y’=y+1)
Step 1: Backward dependency analysis to find subset of pre-vocabulary on which y’ depends.Answer: y
Step 2: Add bounding constraints for y.
Step 3: Perform Wrap on y’.
![Page 21: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/21.jpg)
Lazy Abstract TransformersL0: f(int x, int y) {L1: assume (x ≤ y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y ≤ 0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 23
L5→L7: WRAP{y′}( (m≤y≤M) ^ (x’=x ˄ y’=y+1) )
Step 1: Backward dependency analysis to find subset of pre-vocabulary on which y’ depends.Answer: y
Step 2: Add bounding constraints for y.
Step 3: Perform Wrap on y’.
![Page 22: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/22.jpg)
Lazy Abstract TransformersL0: f(int x, int y) {L1: assume (x ≤ y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y ≤ 0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 24
L5→L7: ((m≤y≤M-1) ˄ (x’=x ˄ y’=y+1))⊔((y=M) ˄ (x’=x ˄ y’=m))
Step 1: Backward dependency analysis to find subset of pre-vocabulary on which y’ depends.Answer: y
Step 2: Add bounding constraints for y.
Step 3: Perform Wrap on y’.
Step 4: Add guard to the abstract value.
![Page 23: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/23.jpg)
Lazy Abstract TransformersL0: f(int x, int y) {L1: assume (x ≤ y)L2: while (*) {L3: if (*)L4: x=x+1, y=y+1L5: y=y+1L6: if (y ≤ 0)L7: x=0, y=0L8: }
END: }
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 25
Step 1: Backward dependency analysis to find subset of pre-vocabulary on which y’ depends.Answer: y
Step 2: Add bounding constraints for y.
Step 3: Perform Wrap on y’.
Step 4: Add guard to the abstract value.
L5→L7: ((m≤y≤M-1) ˄ (x’=x ˄ y’=y+1) ^ (y’<=0))⊔((y=M) ˄ (x’=x ˄ y’=m))
![Page 24: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/24.jpg)
Implementation
Program Invariants
Program (LLVM Bitcode)
Abstract Transformers (Weighted Pushdown System)
Reinterpretation
Fixpoint Analysis
(WALi poststar + pathsummary)
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
Abstract Domain (Parma Polyhedra Library)
26
![Page 25: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/25.jpg)
Distance Heuristic
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 28
y
x
a1
a2
b1
b2
dx
dy
D(a1, a2) = dx + dy
![Page 26: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/26.jpg)
Experimental Evaluation◦Performance and precision comparison of the bit-precise disjunctive-inequality domain BVSFDk for different values of k.
◦Base domains of octagons and polyhedra.◦Assertion proving and array-bounds checking.◦Time out of 200 seconds for each example.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 29
![Page 27: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/27.jpg)
Assertion proving benchmarks
Benchmark Examples Instructions Assertions
Loop-invgen 18 2373 90
Loop-lit 15 1173 16
Loops 34 3974 32
Loop-acceleration 19 1001 19
Total 86 8521 158
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
SVCOMP’16 loop benchmarks with true assertions
30
![Page 28: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/28.jpg)
Assertions Proving with Polyhedra
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
1.1-4.6 times slower44-142% of the assertions of FD[Poly]
31
40/157 assertions
![Page 29: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/29.jpg)
Assertions Proving with Octagons
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
1.1-1.3 times slower33-67% of the assertions of FD[Oct]
32
34/157 assertions
![Page 30: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/30.jpg)
Array-Bounds Checking• Added bounds checking for each array access and update
• SVCOMP’16 Array benchmarks
• 88 examples, 14,742 instructions and 598 array-bounds checks
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 33
![Page 31: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/31.jpg)
Array-Bounds Checking with Polyhedra
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017.
1.18-1.26 times slower95-101% of the assertions
34
515/598 assertions
![Page 32: Sound Bit-Precise Numerical Domainspages.cs.wisc.edu/~tsharma/vmcai17_slides.pdfA. SIMON AND A. KING. TAMING THE WRAPPING OF INTEGER ARITHMETIC. IN SAS, 2007. IMPRECISE! Solution:](https://reader033.vdocuments.mx/reader033/viewer/2022042911/5f44903e6208a502ca2319a8/html5/thumbnails/32.jpg)
Conclusion◦ Introduce a generic framework to construct sound abstract
domains BVSFDk .
◦ We provide a generic technique via reinterpretation to create the abstract transformer with enhanced precision via lazy wrap-around.
◦ Our experiments show that the analysis can prove:◦ 25% of the assertions in the SVCOMP loop benchmarks with BVSFD6[Poly].
◦ 22% of the assertions in the SVCOMP loop benchmarks with BVSFD8[Oct].
◦ 88% of the array-bounds checks in the SVCOMP array benchmarks with BVSFD4[Poly].
◦ Empirical results show that values of k in the range 3-8 provide best results.
T. SHARMA AND T. REPS. SOUND BIT-PRECISE NUMERICAL DOMAINS. VMCAI 2017. 35
Questions?