program analysis with dynamic change of precision dirk beyer tom henzinger grégory théoduloz...
TRANSCRIPT
Program Analysis withDynamic Change of Precision
Dirk BeyerTom Henzinger
Grégory ThéodulozPresented by: Pashootan Vaezipoor
Directed Reading
ASE 2008 – L’Aquila – 17 September 2008
Simon Fraser University,BC, Canada
EPFL,Switzerland
Automatic Software Verification
Overapproximation
int main() { int a = foo(); int b = bar(a); assert(a == b);}
int main() { int a = foo(); int b = bar(a); assert(a == b);}
C program
VerificationTool
SAFEi.e. assertionscannot be violated
UNSAFE
Reachablestates
Reachablestates
Errorstate
s
General method:Create an overapproximation of the program states
Example Program
• We want to prove that ERR is not reachable
• Variables st, ok, cmd, p are tracked explicitly at first
• All of them except p encounter more than five values
Abstraction
x = 1y = 1z = 2
p { h = 3 }
x = 1y = 1z = 2
p { h = 3 }
Concrete statex = y z = 2
x 1, y 1, z >
p h=3 Shape graph
Abstract state
Predicate abstraction
Explicit valuations
int f = 0, x = 1, y = 0;
while (x > 0) {
if (f == 0) { x = 50;
f = 1; }
else
{ x--; y++; }
}
assert(y == 50);
Few explicit values Explicit domain
Many values Predicate abstraction
int f = 0, x = 1, y = 0;while (x > 0) {
if (f == 0) { x = 50; f = 1; }
else{ x--; y++; }
}assert(y == 50);
Fully Explicit Analysis
f 0x 1y 0
f 0x 1y 0
f 1x 50y 0
f 1x 50y 0
f 1x 49y 1
f 1x 49y 1
f 1x 48y 2
f 1x 48y 2
f 1x 47y 3
f 1x 47y 3 …
f 1x 46y 4
f 1x 46y 4
+ cheap to compute- many states
Combined Analysis
Start with explicit Precision of explicit: threshold on number of diff. values
E.g. ¼(x) = 3 Precision of predicate: set of tracked predicates
E.g. ¼ = { x + y = 50, x ¸ 0, x = 0} Switch to predicates when the explicit threshold is
hit
Note: Coming up with “good” predicates is an orthogonal problem
int f = 0, x = 1, y = 0;while (x > 0) {
if (f == 0) { x = 50; f = 1; }
else{ x--; y++; }
}assert(y == 50);
Combined Analysis
f 0x 1y 0
f 0x 1y 0
f 1x 50y 0
f 1x 50y 0
f 1x 49y 1
f 1x 49y 1
f 1x 48y 2
f 1x 48y 2
f 1x 48y 2
f 1x 48y 2
x + y = 50x ¸ 0
x + y = 50x ¸ 0
f 1x 48y 2
f 1x 48y 2
x + y = 50x = 0
x + y = 50x = 0
Threshold hit for explicit analysis
int f = 0, x = 1, y = 0;while (x > 0) {
if (f == 0) { x = 50; f = 1; }
else{ x--; y++; }
}assert(y == 50);
Motivation
Flexible combination of abstract domains
Dynamically update their respective precisions precision: set of predicates, variables, etc. to track e.g. switch on/off analyses e.g. use different analyses for different variables …
Configurable Program Analysis [Beyer/Henzinger/T 2007]
Reached, Frontier := { e0 }
while Frontier doremove e from Frontier
for each e’ post( e ) dofor each e’’ Reached do
e’’new := merge( e’, e’’ )
if e’’new e’’ then
replace e’’ in Reached, Frontier by e’’new
if stop(e’, Reached ) add e’ to Reached, Frontier
return Reached
Configurable Program Analysis
- Better combination of abstractions Configurable Program Analysis [CAV07]
Unified framework that enables intermediate algorithms
ImpreciseScalable
PreciseExpensive
Data-flow analysis Model CheckingCPA
Configurable Program Analysis [Beyer/Henzinger/T 2007]
Reached, Frontier := { e0 }
while Frontier doremove e from Frontier
for each e’ post( e ) dofor each e’’ Reached do
e’’new := merge( e’, e’’ )
if e’’new e’’ then
replace e’’ in Reached, Frontier by e’’new
if stop(e’, Reached ) add e’ to Reached, Frontier
return Reached
Configurable Program Analysiswith Dynamic Precision Adjustment
Reached, Frontier := { ( e0 , π0 ) }
while Frontier doremove ( e , π ) from Frontier
( ê , πnew ) = prec( e, π, Reached )
for each e’ post( ê , πnew ) do
for each ( e’’, π’’ ) Reached do e’’new := merge( e’, e’’, πnew )
if e’’new e’’ then
replace ( e’’ , π’’ ) in Reached, Frontier by (e’’new , πnew )
if stop(e’, Reached, πnew ) add (e’, πnew ) to Reached, Frontier
return Reached
(CPA+)
CPA+Configurable program analysis with dynamic precision adjustment:
- concrete system (C, c0, !)- abstract domain (E, >, ?, v, t)- a set of precisions ¦- concretization function : E ! 2C
- transfer function post µ E £ ¦ 2E
- merge operator merge: E £ E £ ¦ ! E
- termination check stop: E £ 2E £ ¦ ! B
- precision adjustment: prec: E £ ¦ £ 2E £ ¦ E £ ¦
Note: Operators are required to be soundly overapproximating
e
e’1 e’2 …¼
post
e . e’
merge(e,e’,¼)
e1 e2 …R = e3
e stop(e,R,¼) = true
e
¼ ¼’
prec
Reached
e’
CPA+Configurable program analysis with dynamic precision adjustment:
- concrete system (C, c0, !)- abstract domain (E, >, ?, v, t)- a set of precisions ¦- concretization function : E ! 2C
- transfer function post µ E £ ¦ 2E
- merge operator merge: E £ E £ ¦ ! E mergesep(e,e’,¼) = e’mergejoin(e,e’,¼) = e t e’
- termination check stop: E £ 2E £ ¦ ! B stopsep(e,R,¼)=9e’2R, eve’
stopjoin(e,R,¼) = e v t R
- precision adjustment: prec: E £ ¦ £ 2E £ ¦ E £ ¦
Note: Operators are required to be soundly overapproximating
Composite CPA+
E1 £ E2 , ¦1 £ ¦2
post£, merge£, stop£, prec£
Composite CPA+
E1 £ E2 , ¦1 £ ¦2
post£, merge£, stop£, prec£
Composite CPA+
D1
E1 , ¦1
post1 , merge1 ,stop1 , prec1
D1
E1 , ¦1
post1 , merge1 ,stop1 , prec1
D2
E2 , ¦2
post2 , merge2 ,stop2 , prec2
D2
E2 , ¦2
post2 , merge2 ,stop2 , prec2
Compositeoperators:
Strengthening operators "1 , "2
Strengthening operators "1 , "2
Composite CPA+Composite CPA+
Example: Predicate Abstraction + Explicit
Example of composite abstract element:
( 6 , x > 0 Æ x = y , { i 2, x >, y > })
L(locations)
L(locations)
P(predicate
abstraction)
P(predicate
abstraction)
C(explicitanalysis)
C(explicitanalysis)
Domain and Precisions
Abstract domain Precisions / Precision Adjustment
Predicate Abstraction
E = 2P ¦ = 2P
e.g. e = { x < 3, y > 0 } precP(e,¼,R) = (e,¼)
Explicit Analysis
E = [ X Z ]Z = Z [ {?,>}
¦ = [ X N ]
e.g. e = { x 2, y >, … }
Set of tracked predicates
Max. number of diff. values per variable
CPA+
P
C precC(e,¼,R) = (e’,¼)
if for all x 2 X:if |R(x)| ¸ ¼(x), then e’(x) = >otherwise, e’(x) = e(x)
Example: Predicate Abstraction + Explicit
Idea:
Dynamically choose between explicit & predicate abstraction
- Too many explicit values predicate abstraction
- Use explicit values to infer predicates
Implementable in the composite prec operator
Note: explicit analysis ¼ testing on some variables
Example: Predicate Abstraction + Explicit
Composite precision adjustment:
prec((l, P, v), (¼L,¼P,¼C), R) = ((l,P’,v’), (¼L, ¼’P, ¼’C))
if (v’, ¼’C) = precC(v, ¼C, {(v’’, ¼’’C) | ((l,P,v’’), (¢,¢, ¼’’C)) 2 R})
and ¼’P = ¼P [ x2X: v(x)>Æv’(x)=> abstract(x, {v’’|((l,P,v’’),¢) 2 R})
P’ = P [ { p 2 (¼’P n ¼P ) | v ² p }
ProgramThreshold
Pred. onlyk = 0
Predicate + Explicitk = 1 k = 5
Explicit onlyk = 1
ex1 0.46 s 0.17 s 0.21 s ―ex2 0.43 s 0.16 s 0.21 s 1.00 sloop1 25.20 s 26.01 s 22.78 s 0.16 sloop2 279.84 s 277.07 s 258.79 s 0.44 ssquare ― ― ― 0.08 s
Precision for explicit analysis: ¼C(x) = k
ProgramThreshold
Pred. onlyk = 0
Predicate + Explicitk = 1 k = 2
s3_clnt (total) 75.11 s 10.40 s 18.42 ss3_srvr (total) 536.79 s 24.23 s 34.40 s
Another combination: Shapes + Explicit heap
Composite CPA+
Idea: Switch to shape analysis triggered by then number of nodes in the explicit heap.
Composite CPA+
Idea: Switch to shape analysis triggered by then number of nodes in the explicit heap.
L(locations)
L(locations)
S(shape
analysis)
S(shape
analysis)
H(explicit heap
analysis)
H(explicit heap
analysis)
Conclusion Framework to express change of precision
during the analysis ( refinement)Useful when composing existing analysesMake combination more effective/precise
Ongoing/Future workImprove predicate inference from explicit valuesIntegration with refinement loopUse explicit heap to infer good predicates for
shape analysis (e.g. instrumentation predicates)