ALICe: A Benchmark to Improve Affine Loop Invariant Computation - PowerPoint PPT Presentation

ALICe: A Benchmark to Improve Affine Loop Invariant Computation Vivien Maisonneuve Seventh meeting of the French community of compilation Dammarie-les-Lys, December 2013

Introduction Need of abstract domains to represent complex program behaviors. x y Program analysis ⇒ computation of invariants (e.g. model checking). Here: affine invariants = systems of linear (in)equations. 2 / 23

• Branches • Loops Linear Relation Analysis if (b) x += 2; lots of research, programs convex hull Sources of approximation: } else x += 1, y += 1; b = rand(); Predicate propagation: forward / backward. while (x <= 100) { x = 0; y = 0; x y // 0 Loops? Widening Branches: convex union of invariants. 3 / 23

• Branches • Loops Linear Relation Analysis if (b) x += 2; lots of research, programs convex hull Sources of approximation: } else x += 1, y += 1; b = rand(); Predicate propagation: forward / backward. while (x <= 100) { x = 0; y = 0; x y // 0 Loops? Widening Branches: convex union of invariants. // x = y = 0 3 / 23

• Branches • Loops Predicate propagation: forward / backward. convex hull Sources of approximation: } else x += 1, y += 1; if (b) x += 2; b = rand(); Linear Relation Analysis lots of research, programs x = 0; y = 0; x y // 0 Loops? Widening Branches: convex union of invariants. while (x <= 100) { // x = y = 0 // x = y = 0 3 / 23

• Branches • Loops Linear Relation Analysis Predicate propagation: forward / backward. lots of research, programs convex hull Sources of approximation: } else x += 1, y += 1; if (b) x += 2; b = rand(); while (x <= 100) { x = 0; y = 0; x y // 0 Loops? Widening Branches: convex union of invariants. // x = y = 0 // x = y = 0 // x = 2 , y = 0 // x = 1 , y = 1 3 / 23

• Branches • Loops Linear Relation Analysis b = rand(); lots of research, programs convex hull Sources of approximation: } else x += 1, y += 1; Predicate propagation: forward / backward. if (b) x += 2; x = 0; y = 0; while (x <= 100) { x y // 0 Loops? Widening Branches: convex union of invariants. // x = y = 0 // x = y = 0 // x = 2 , y = 0 // x = 1 , y = 1 // 1 ≤ x ≤ 2 , x + y = 2 3 / 23

• Branches • Loops if (b) x += 2; Sources of approximation: } lots of research, programs else x += 1, y += 1; Predicate propagation: forward / backward. Linear Relation Analysis convex hull while (x <= 100) { x = 0; y = 0; Branches: convex union of invariants. b = rand(); Loops? Widening ⇒ // 0 ≤ y ≤ x // x = y = 0 // x = y = 0 // x = 2 , y = 0 // x = 1 , y = 1 // 1 ≤ x ≤ 2 , x + y = 2 3 / 23

Linear Relation Analysis b = rand(); Sources of approximation: } else x += 1, y += 1; Predicate propagation: forward / backward. if (b) x += 2; while (x <= 100) { x = 0; y = 0; Branches: convex union of invariants. Loops? Widening ⇒ // 0 ≤ y ≤ x // x = y = 0 // x = y = 0 // x = 2 , y = 0 // x = 1 , y = 1 // 1 ≤ x ≤ 2 , x + y = 2 • Branches ⇒ convex hull • Loops ⇒ lots of research, programs 3 / 23

ALICe Benchmark to compare several techniques & programs to compute affine loop invariants. http://alice.cri.mines-paristech.fr/ Motivations: 1 Compare tools on a common set of previously published examples. 2 Study effects of input model restructurations. 3 Improve invariant computation in PIPS. 4 / 23

Contents 1 The ALICe Benchmark Test Cases Supported Tools Test Chain Results 2 Model Restructurations State Splitting Heuristic Using a Unique State Comparative Results 3 Improving Results in PIPS Transformer Lists Iterative Analysis Multiple Precision Arithmetic Results 5 / 23

Models Transition systems with a finite number of vertices (“control states”), of integer variables. k Goal: E is unreachable. • Initial condition I on control states & variables. • Transitions t 1 , . . . , t n with guards and actions. • Error condition E on control states & variables. t 1 : x ≤ 0 ? x ++ I : x ≥ 0 ? E : x < 0 t 2 : x ≥ 1 ? x -- 6 / 23

Test Cases number of transitions 20 15 10 5 30 25 20 15 10 5 0 25 102 previously published test cases: from L. Gonnord, S. Gulwani, 20 15 10 5 10 5 0 number of control states Mostly: loop invariants, loop bounds, protocols. Small test cases: 1-10 control states, 2-15 transitions. N. Halbwachs, B. Jeannet et al. 7 / 23

Tools A 2 x 2 x 2 d 1 d 2 z e A 1 x 1 Bs Supported tools: Dz c more expressive than polyhedra ( Presburger). Models as relations. Sophisticated computation of transitive closure. x 1 R s c S s : polyhedral invariant generator. Developed by L. Gonnord. Forward LRA + accelerations . : the Integer Set Library. Developed by S. Verdoolaege. A library for manipulating sets and relations of integer tuples bounded by affine Dz constraints: x d z e Ax Bs • Aspic • isl • PIPS 8 / 23

Tools x 1 Sophisticated computation of transitive closure. Models as relations. Presburger). more expressive than polyhedra ( c Dz Bs A 2 x 2 A 1 x 1 e z d 2 d 1 x 2 R s Supported tools: x Forward LRA + accelerations . : the Integer Set Library. Developed by S. Verdoolaege. A library for manipulating sets and relations of integer tuples bounded by affine constraints: c S s d z e Ax Bs Dz • Aspic : polyhedral invariant generator. Developed by L. Gonnord. • isl • PIPS 8 / 23

Tools Models as relations. Forward LRA + accelerations . for manipulating sets and relations of integer tuples bounded by affine constraints: Sophisticated computation of transitive closure. Supported tools: • Aspic : polyhedral invariant generator. Developed by L. Gonnord. • isl : the Integer Set Library. Developed by S. Verdoolaege. A library � ∃ z ∈ Z e : Ax + Bs + Dz ≥ c x ∈ Z d � � � S ( s ) = � ∃ z ∈ Z e : A 1 x 1 + A 2 x 2 + Bs + Dz ≥ c x 1 → x 2 ∈ Z d 1 × Z d 2 � � � R ( s ) = more expressive than polyhedra ( ∼ Presburger). • PIPS 8 / 23

PIPS Interprocedural source-to-source compiler framework for C and Fortran. x x 0 P // // x += 2; x x x x T // while (rand()) 42 x x 0 P // 2 Then, invariants Bottom-up procedure. represents the transfer function. 1 Program is abstracted: each program command instruction Code analysis: 2-step approach Initially developed at MINES ParisTech. (elementary or compound) is associated to an affine transformer that T = { ( x , x ′ ) | x ′ = x + 2 } Notation: x before, x ′ after. 9 / 23

PIPS x x x 0 P // // x += 2; // while (rand()) Interprocedural source-to-source compiler framework for C and Fortran. 42 x 0 P // 2 Then, invariants Bottom-up procedure. represents the transfer function. 1 Program is abstracted: each program command instruction Code analysis: 2-step approach Initially developed at MINES ParisTech. (elementary or compound) is associated to an affine transformer that T ∗ = { ( x , x ′ ) | x ′ ≥ x } T = { ( x , x ′ ) | x ′ = x + 2 } Notation: x before, x ′ after. 9 / 23

PIPS Interprocedural source-to-source compiler framework for C and Fortran. x x 0 P // // x += 2; // while (rand()) // 2 Then, invariants Bottom-up procedure. represents the transfer function. 1 Program is abstracted: each program command instruction Code analysis: 2-step approach Initially developed at MINES ParisTech. (elementary or compound) is associated to an affine transformer that P = { x | 0 ≤ x ≤ 42 } T ∗ = { ( x , x ′ ) | x ′ ≥ x } T = { ( x , x ′ ) | x ′ = x + 2 } Notation: x before, x ′ after. 9 / 23

PIPS // Initially developed at MINES ParisTech. Code analysis: 2-step approach 1 Program is abstracted: each program command instruction represents the transfer function. Bottom-up procedure. 2 Then, invariants are propagated along transformers. // Interprocedural source-to-source compiler framework for C and Fortran. while (rand()) // // x += 2; (elementary or compound) is associated to an affine transformer that P = { x | 0 ≤ x ≤ 42 } T ∗ = { ( x , x ′ ) | x ′ ≥ x } T = { ( x , x ′ ) | x ′ = x + 2 } P ′ = { x | 0 ≤ x } Notation: x before, x ′ after. 9 / 23

Input Format action := x' = x + 1; Easy, existing base of models, c2fsm. } Region bad := {x < 0}; Region init := {x >= 0}; strategy S { } } ... transition t2 { } guard := x <= 0; Test cases are written in fsm format (Aspic format, introduced by FAST). to := k; from := k; transition t1 { states k; var x; model M { k t 1 : x ≤ 0 ? x ++ I : x ≥ 0 ? t 2 : x ≥ 1 ? x -- E : x < 0 10 / 23

Test Chain out.isl Mostly written in OCaml, wrappers in Python. To challenge a tool T on a test case: isl isl isl in.fsm out.isl out.c out.isl out.asp PIPS isl Aspic in.c in.isl • convert test case into T ’s input language. • run T , get the resulting invariant in T ’s output language; • convert invariant in isl format; • check with isl that the invariant does not reach the error region. ⇒ Several wrappers and format conversion tools involved. 11 / 23

Comparative Results Out of 102 test cases: Slower, poor results with parallel loops. Very fast on small cases, slower on bigger ones. Remarks: (Quad-core AMD Opteron Processor 2380 at 2.4 GHz, 16 GB RAM) 46.2 35.5 10.9 Time (s.) 43 63 75 Successes PIPS isl Aspic • Best results with Aspic (native format, ad-hoc tool). • isl very good with loops, not at ease with multiple states. • Average results with PIPS (default options). 12 / 23