Program Analysis and Verification, Spring 2015
Lecture 12: Abstract Interpretation IV
Roman Manevich, Ben-Gurion University
Teaching survey
• Distributed by email
• Anonymous
Syllabus
Semantics
– Natural Semantics
– Structural semantics
– Axiomatic Verification
Static Analysis
– Automating Hoare Logic
– Control Flow Graphs
– Equation Systems
– Collecting Semantics
Abstract Interpretation fundamentals
– Lattices
– Fixed-Points
– Chaotic Iteration
– Galois Connections
– Domain constructors
– Widening/Narrowing
Analysis Techniques
– Numerical Domains
– Alias analysis
– Interprocedural Analysis
– Shape Analysis
– CEGAR
Crafting your own
– Soot
– From proofs to abstractions
– Systematically developing transformers
Previously
• Solving monotone systems via chaotic iteration
• Relating abstract semantics and concrete semantics
– Galois connection
– Sound abstract transformers
– Partial reduction
– Completeness
• Implementing transformers
Agenda
Question: given existing abstract interpreters (GC + transformers), can we reuse them to construct a new abstract interpreter?
• Composing abstract domains (and GCs)
• Reduced product
• Implementing composition of analyses
Composing lattices
Three example analyses
• Abstract states are conjunctions of constraints
• Variable Equalities
– VE-factoids = { x=y | x, y Var} false
– VE = (2^{VE-factoids}, , , , false, )
• Constant Propagation
– CP-factoids = { x=c | x Var, c Z} false
– CP = (2^{CP-factoids}, , , , false, )
• Available Expressions
– AE-factoids = { x=y+z | x Var, y,z VarZ} false
– AE = (2^{AE-factoids}, , , , false, )
Lattice combinators reminder
• Cartesian Product
– L1 = (D1, 1, 1, 1, 1, 1)
– L2 = (D2, 2, 2, 2, 2, 2)
– Cart(L1, L2) = (D1D2, cart, cart, cart, cart, cart)
• Disjunctive completion
– L = (D, , , , , )
– Disj(L) = (2^D, , , , , )
• Relational Product
– Rel(L1, L2) = Disj(Cart(L1, L2))
Cartesian product of complete lattices
• For two complete lattices
– L1 = (D1, 1, 1, 1, 1, 1)
– L2 = (D2, 2, 2, 2, 2, 2)
• Define the poset Lcart = (D1D2, cart, cart, cart, cart, cart) as follows:
– (x1, x2) cart (y1, y2) iff x1 1 y1 and x2 2 y2
• Lemma: L is a complete lattice
• Define the Cartesian constructor Lcart = Cart(L1, L2)
Composing Galois connections
Goal
• Given two Galois connections, can we combine them to form a new Galois connection?
Product connection: abstraction
[Figure: the collecting-lattice element {[a9, c 9]} is abstracted to the CPVE lattice element ({a=9, c=9}, {c=a})]
Product connection: concretization
[Figure: the CPVE lattice element ({a=9}, {c=a}) concretized component-wise; {a=9} yields the collecting-lattice element {[a9, c 0], [a9, c 1], [a9, c 9], ...} and {c=a} yields {[a9, c 9], [a1, c 1], [a2, c 2], ...}]
Product connection: concretization
[Figure: the CPVE lattice element ({a=9}, {c=a}) concretizes to the collecting-lattice element {[a9, c 9]}]
Cartesian product of GCs
• GCA = (C, A, A, A)
• GCB = (C, B, B, B)
• Cartesian Product GCAB = (C, AB, AB, AB)
– AB(X) = A(X), B(X)
– AB(Y1, Y2) = A(Y1) B(Y2)
Product vs. reduced product

Product vs. reduced product
[Figure: the CPVE lattice elements ({a=9}, {c=a}), ({c=9}, {c=a}) and ({a=9, c=9}, {c=a}) shown against the collecting-lattice element {[a9, c 9]}]
Reduced product
• For two complete lattices
– L1 = (D1, 1, 1, 1, 1, 1)
– L2 = (D2, 2, 2, 2, 2, 2)
• Define the reduced poset
– D1D2 = {(d1,d2)D1D2 | (d1,d2) = (d1,d2) }
– L1L2 = (D1D2, cart, cart, cart, cart, cart)
Cartesian product transformers
• GCA = (C, A, A, A), FA[st] : A A
• GCB = (C, B, B, B), FB[st] : B B
• Cartesian Product GCAB = (C, AB, AB, AB)
– AB(X) = (A(X), B(X))
– AB(Y) = A(X) B(X)
• How should we define FAB[st] : AB AB ?
• Idea: FAB[st](a, b) = (FA[st] a, FB[st] b)
• Are component-wise transformers precise?
Cartesian product analysis example
• Abstract interpreter 1: Constant Propagation
• Abstract interpreter 2: Variable Equalities
• Let’s compare
– Running them separately and combining results
– Running the analysis with their Cartesian product

Program: a := 9; b := 9; c := a;
CP analysis, after each statement: {a=9}, {a=9, b=9}, {a=9, b=9, c=9}
VE analysis, after each statement: {}, {}, {c=a}
CP analysis + VE analysis, after each statement: {a=9}, {a=9, b=9}, {a=9, b=9, c=9, c=a}
CPVE analysis, after each statement: {a=9}, {a=9, b=9}, {a=9, b=9, c=9, c=a}
Missing: {a=b, b=c}
Transformers for Cartesian product
• Naïve (component-wise) transformers do not utilize information from both components
– Same as running analyses separately and then combining results
• Can we treat transformers from each analysis as black box and obtain best transformer for their combination?
Can we combine transformers modularly?
• No generic method for any abstract interpretations
Implementing approximate reduced product
Reducing values for CPVE
• X = set of CP constraints of the form x=c (e.g., a=9)
• Y = set of VE constraints of the form x=y
• ReduceCPVE(X, Y) = (X’, Y’) such that (X’, Y’) (X’, Y’)
• ReduceLeft:
– if a=c X and a=b Y then add b=c to X
• ReduceRight:
– If a=c and b=c X then add a=b to Y
• Keep applying ReduceLeft and ReduceRight and reductions on each domain separately until reaching a fixed-point
All the code you need to obtain a basic CPVE implementation

Implementing reduction for CPVE
[Code slides: the code itself is not included in the transcript]
Transformers for Cartesian product
• Do we get the best transformer by applying component-wise transformer followed by reduction?– Unfortunately, no (what’s the intuition?)
• Can we do better?– Logical Product [Gulwani and Tiwari, PLDI 2006]
A modular approach for approximating reduced product
Logical product
• Idea: use equalities as common reasoning tool to pass information between two domains
• Assume A=(D,…) is an abstract domain that supports two operations: for xD
– inferEqualities(x) = { a=b | (x) a=b } returns a set of equalities between variables that are satisfied in all states given by x
– refineFromEqualities(x, {a=b}) = y such that
• (x)=(y)
• y x
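The ReduceCPVE reduction from the earlier slide and the inferEqualities / refineFromEqualities interface just described, as an added example that is not the lecture's own code: CP and VE elements are sets of factoids as on the "Three example analyses" slide, each domain exposes the two operations, and reducing a pair is an exchange of equalities until a fixed point (CP refined from VE's equalities is ReduceLeft, VE refined from CP's equalities is ReduceRight). The statement encoding ("const", x, c) for x := c and ("copy", x, y) for x := y is assumed, and VE's own transitive-closure reduction is omitted.

```python
# Added example, not the lecture's code: the CP and VE domains with the
# logical-product interface (inferEqualities / refineFromEqualities) and a
# Cartesian-product analysis that reduces each pair by exchanging equalities.
# CP refined from VE's equalities is ReduceLeft; VE refined from CP's is ReduceRight.
# CP element: frozenset of (var, const). VE element: frozenset of frozenset({x, y}).
# Statements (assumed encoding): ("const", x, c) for x := c, ("copy", x, y) for x := y.

def cp_transform(X, stmt):  # component-wise CP transformer
    kind, x, rhs = stmt
    X = {(v, c) for (v, c) in X if v != x}  # x loses its old value
    if kind == "const":
        X.add((x, rhs))
    else:  # x := y copies y's constant, if CP knows one
        X |= {(x, c) for (v, c) in X if v == rhs}
    return frozenset(X)
def cp_infer_equalities(X):  # a=b holds whenever a and b map to the same constant
    return {frozenset({a, b}) for (a, c) in X for (b, d) in X if c == d and a != b}
def cp_refine_from_equalities(X, eqs):  # a=c in X and a=b known  =>  b=c (ReduceLeft)
    return frozenset(X | {(b, c) for (a, c) in X for p in eqs if a in p for b in p if b != a})

def ve_transform(Y, stmt):  # component-wise VE transformer
    kind, x, rhs = stmt
    Y = {p for p in Y if x not in p}  # x loses its old equalities
    if kind == "copy" and rhs != x:
        Y.add(frozenset({x, rhs}))
    return frozenset(Y)
def ve_infer_equalities(Y):  # VE's facts are equalities already
    return set(Y)
def ve_refine_from_equalities(Y, eqs):  # add equalities learned elsewhere (ReduceRight)
    return frozenset(Y | eqs)

def reduce_pair(X, Y):  # exchange equalities until neither component changes
    while True:
        X2 = cp_refine_from_equalities(X, ve_infer_equalities(Y))
        Y2 = ve_refine_from_equalities(Y, cp_infer_equalities(X2))
        if (X2, Y2) == (X, Y):
            return X, Y
        X, Y = X2, Y2

def analyze(program, reduce=False):  # CP x VE, optionally reduced after every statement
    X, Y = frozenset(), frozenset()
    for stmt in program:
        X, Y = cp_transform(X, stmt), ve_transform(Y, stmt)
        if reduce:
            X, Y = reduce_pair(X, Y)
    return X, Y

PROGRAM = [("const", "a", 9), ("const", "b", 9), ("copy", "c", "a")]  # the slides' program
```

Without reduction the VE component ends with only c=a; with reduction after each statement it also holds a=b and b=c.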
Need to implement interface
• When the interface is not implemented, default versions of these operations are used

VE
CP
Implementing CP VE AE
Reducing Cartesian elements
[Code slides: the code itself is not included in the transcript]
Logical Product
• basically the strongest postcondition
• safely abstracting the existential quantifier
Abstracting the existential
• Reduce the pair
• Abstract away existential quantifier for each domain
Combined analysis example

Disjunctive completion for path sensitivity
Information loss example (CP)
if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5
assert b==0
Abstract states along the control-flow graph: {}, {b=5}, {b=-5}, {true}, {true}, {true}; can’t prove
Constant Propagation example
Lost all information about b at control-flow join
Disjunctive completion of a lattice
• For a complete lattice L = (D, , , , , )
• Define the powerset lattice L = (2^D, , , , , )
– = ?  = ?  = ?  = ?  = ?
• Lemma: L is a complete lattice
• L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
• Define the disjunctive completion constructor L = Disj(L)
Disjunctive completion for GCs
• GCA = (C, A, C, A)
• Disjunctive completion GCP(A) = (C, P(A), P(A), P(A))
– P(A)(X) = {A({x}) | xX}
– P(A)(Y) = {A(y) | yY}
• What about transformers?
Information loss example
if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5
assert b==0
Abstract states along the control-flow graph: {}, {b=5}, {b=-5}, {b=5 b=-5}, {b=0}, {b=0}; proved
Disj(CP) example

The base lattice CP
[Lattice diagram: top element true; one layer of singletons {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …; bottom element false]
The disjunctive completion of CP
[Lattice diagram: top element true; a layer of singletons {x=0}, {x=-1}, {x=-2}, {x=1}, {x=2}, …; a layer of pairs {x=-2x=-1}, {x=-2x=0}, {x=-2x=1}, {x=1x=2}, …; a layer of triples {x=0 x=1x=2}, {x=-1 x=1x=-2}, …; and so on; bottom element false]
What is the height of this lattice?
Mixing product and disjunctive completion
Taming disjunctive completion
• Disjunctive completion is very precise
– Maintains distinction between different execution paths
– Helps handle conditions precisely
– But very expensive: the number of abstract states grows exponentially in the number of conditions
– May lead to non-termination
• Base analysis is less precise but terminates
• How can we increase precision and avoid non-termination?
Taming disjunctive completion
• Use different abstractions for different program locations
– At loop heads use coarse abstraction (base)
– At other points use disjunctive completion
• Termination is guaranteed (by base domain)
• Precision increased inside loop body
With Disj(CP)
while (…) {
  x := x+1
  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0
}
Doesn’t terminate

With tamed Disj(CP)
while (…) {
  x := x+1
  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0
}
terminates
CP at the loop head, Disj(CP) elsewhere: what DisjunctiveDomain implements
DisjunctiveDomain(CP) example

Reducing disjunctive elements
• A disjunctive set X may contain within it an ascending chain Y = a b c …
• We only need max(Y): remove all elements below
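The information-loss example, the reduction of disjunctive elements just described and the tamed Disj(CP) loop from the preceding slides, as one added example that is not the lecture's own code. It assumes CP states represented as dicts from variable to constant (absent variable = unknown, None = unreachable), a Disj(CP) element represented as a list of such states, and a loop entry state with x=0, which the slides do not give.

```python
import functools
# Added example, not the lecture's code. CP states are dicts var -> constant
# (absent var = unknown, None = unreachable); a Disj(CP) element is a list of
# CP states. Includes the reduction that keeps only maximal states and the
# "tamed" loop analysis: CP join at the loop head, Disj(CP) inside the body.

def cp_join(s, t):  # least upper bound in CP: keep the constants both agree on
    if s is None: return t
    if t is None: return s
    return {v: c for v, c in s.items() if t.get(v) == c}
def cp_leq(s, t):  # s below t: every constraint of t already holds in s
    return s is None or (t is not None and all(s.get(v) == c for v, c in t.items()))
def disj_reduce(states):  # drop unreachable states and states lying below another one
    states = [s for s in states if s is not None]
    return [s for i, s in enumerate(states)
            if not any(cp_leq(s, t) and (not cp_leq(t, s) or j < i)
                       for j, t in enumerate(states) if j != i)]

def assume(s, var, pred):  # filter on a test of var; an unknown value passes
    return None if s is None or (var in s and not pred(s[var])) else s
def add(s, var, delta):  # var := var + delta; an unknown value stays unknown
    return None if s is None else ({**s, var: s[var] + delta} if var in s else dict(s))
def first_if(s):  # if (…) b := 5 else b := -5  (both paths kept)
    return [] if s is None else [{**s, "b": 5}, {**s, "b": -5}]
def second_if(s):  # if (b>0) b := b-5 else b := b+5  (both paths kept)
    return [add(assume(s, "b", lambda v: v > 0), "b", -5),
            add(assume(s, "b", lambda v: v <= 0), "b", 5)]
def proves_assert(states):  # assert b==0 holds in every remaining state
    return all(s.get("b") == 0 for s in states)

def straight_line(disjunctive):  # the information-loss example
    states = first_if({})
    if not disjunctive:  # base CP: join the two branches and lose b
        states = [functools.reduce(cp_join, states)]
    states = disj_reduce([t for s in states for t in second_if(s)])
    return states, proves_assert(states)

def body(s):  # loop body up to the assert: x := x+1, then the two ifs
    return disj_reduce([u for t in first_if(add(s, "x", 1)) for u in second_if(t)])
def loop(entry, tame, max_iter=10):  # returns (head states, iterations, assert proved) or None
    head, ok = [entry], True
    for n in range(1, max_iter + 1):
        exits = disj_reduce([u for s in head for u in body(s)])
        ok = ok and proves_assert(exits)
        new = disj_reduce(head + exits)
        if tame:  # coarse abstraction at the loop head: a single CP state
            new = [functools.reduce(cp_join, new)]
        if new == head: return head, n, ok
        head = new
    return None  # no fixed point within max_iter iterations
```

With tame=False the set at the loop head keeps growing (x=1, x=2, …), so no fixed point is reached within the iteration bound, while tame=True reaches a fixed point in two iterations and still proves the assertion inside the body.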
Relational product construction
Cartesian product example
Lost all information about b at control-flow join
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)
• L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2^{D1D2}, rel, rel, rel, rel, rel) as follows:
– Lrel = Disj(Cart(L1, L2))
• Lemma: L is a complete lattice
• What does it buy us?
– How is it relative to Cart(Disj(L1), Disj(L2))?
• What about transformers?
Relational product of GCs
• GCA = (C, A, A, A)
• GCB = (C, B, B, B)
• Relational Product GCP(AB) = (C, P(AB), P(AB), P(AB))
– P(AB)(X) = {(A({x}), B({x})) | xX}
– P(AB)(Y) = {A(yA) B(yB) | (yA,yB)Y}
Relational product example
Correlations preserved
Function space construction
Function space
• GCA = (C, A, C, A)
• GCB = (C, B, C, B)
• Denote the set of monotone functions from A to B by AB
• Define for elements of AB as follows:
(a1, b1) (a2, b2) = if a1=a2 then {(a1, b1B b1)} else {(a1, b1), (a2, b2)}
• Reduced cardinal power GCAB = (C, AB, AB, AB)
– AB(X) = {(A({x}), B({x})) | xX}
– AB(Y) = {A(yA) B(yB) | (yA,yB)Y}
• Useful when A is small and B is much larger
– E.g., typestate verification

Next lecture: abstract interpretation V