
Numerical Invariants via Abstract Machines Compositional Recurrence - PowerPoint PPT Presentation



  1. Numerical Invariants via Abstract Machines. Zachary Kincaid, Princeton University. Static Analysis Symposium, August 31, 2018.

  2. Today's agenda: A recipe for building abstract interpreters • Technique for generating numerical invariants: Compositional Recurrence Analysis (CRA) • Joint work with Jason Breck, Ashkan Forouhi Boroujeni, John Cyphert, Azadeh Farzan, Thomas Reps.

  3. Compositional Recurrence Analysis (slides 3 to 6 build up this one slide)
  • Generates numerical invariants in an expressive assertion language
    • Linear arithmetic, polynomials, exponentials, logarithms
    • Equations and inequations, congruences, disjunctions
  • Strongly compositional
    • Potential to scale, be parallelized, apply to incomplete programs, incremental analysis, ...
  • No context ⇒ no forward propagation, no abstract refinement

  7. [Chart: HOLA/C4B/SVComp benchmarks (linear). Axes: # safe (out of 150) against Time(s), 0 to 10k. Tools compared: Box, Oct, Poly, SeaHorn, UAutomizer, CRA. Bar values did not survive extraction.]

  8. How can we answer questions about the behavior of software? (slides 8 to 11 build up this one slide)
  Theory: • Boolean programs • Linear dynamical systems • Solvable polynomial systems • Vector addition systems • ...
  Practice: • Abstract domains • Constraint-based analysis • Interpolation • Property-directed reachability • ...

  12. Outline: Background • The recipe • Examples

  13. Goal (slides 13 to 15 build up this one slide). Given a program, compute a transition formula relating its pre-state to its post-state.
  x ∈ Var, n ∈ Z
  e ∈ Expr ::= x | n | e1 + e2 | n · e
  c ∈ Cond ::= e1 < e2 | e1 = e2 | c1 ∧ c2 | c1 ∨ c2
  P ∈ Program ::= x := e | if c then P1 else P2 | while c do P
  t ∈ Term ::= x | x' | n | t1 + t2 | t1 t2 | v
  F ∈ TF ::= t < 0 | t = 0 | F1 ∨ F2 | F1 ∧ F2 | ∃v. F

  16. Running example (slides 16 to 19 build up the transition formula):
    x := 0;
    while (x < N) do
      x := x + 1;
      if (*) then y := y + x else z := z + x
  Transition formula: x' = N ∧ y' ≥ y ∧ z' ≥ z ∧ y' + z' = y + z + N(N + 1)/2

  20. Aside: Effective denotational semantics (slides 20 to 25 build up this one slide)
  TF⟦·⟧ : Program → TransitionFormula
  TF⟦x := e⟧ ≜ x' = e ∧ ⋀_{y ∈ Var, y ≠ x} y' = y
  TF⟦if c then P1 else P2⟧ ≜ (c ∧ TF⟦P1⟧) ∨ (¬c ∧ TF⟦P2⟧)
  TF⟦P1; P2⟧ ≜ ∃Var''. TF⟦P1⟧[Var' ↦ Var''] ∧ TF⟦P2⟧[Var ↦ Var'']
  TF⟦while c do P⟧ ≜ ...
  • Arbitrary control flow [Tarjan '81] • Recursive procedures [PLDI'17]

  26. Compositionality ⇒ TF for a loop is a function of the TF of its body. For the running example
    x := 0;
    while (x < N) do
      x := x + 1;
      if (*) then y := y + x else z := z + x
  the body's transition formula is x' = x + 1 ∧ ((y' = y + x' ∧ z' = z) ∨ (y' = y ∧ z' = z + x')).
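As an added example (not from the slides), the Python below implements the TF⟦·⟧ rules of slides 20 to 25 for assignments, conditionals and sequencing over the running example's variables, builds the loop-body formula of slide 26, and checks the loop summary of slide 19 on concrete runs. Assumptions: Var = {x, y, z} with N a parameter, `if (*)` keeps both branches, and N ≥ 0 (for N < 0 the loop does not execute and x' = 0).

```python
import re
from itertools import count

VARS = ["x", "y", "z"]   # assumed Var of the running example (N is a parameter)
_fresh = count(1)        # numbers the Var'' introduced by each sequencing step

def tf_assign(x, e):
    """TF[[x := e]] = x' = e ∧ (y' = y for every y ≠ x): assignment plus frame."""
    return " ∧ ".join([f"{x}' = {e}"] + [f"{y}' = {y}" for y in VARS if y != x])

def tf_if(c, tf1, tf2):
    """TF[[if c then P1 else P2]] = (c ∧ TF[[P1]]) ∨ (¬c ∧ TF[[P2]]); '*' keeps both (assumed)."""
    if c == "*":
        return f"({tf1}) ∨ ({tf2})"
    return f"({c} ∧ {tf1}) ∨ (¬({c}) ∧ {tf2})"

def tf_seq(tf1, tf2):
    """TF[[P1; P2]] = ∃Var''. TF[[P1]][Var' ↦ Var''] ∧ TF[[P2]][Var ↦ Var'']."""
    k = next(_fresh)
    mid = {v: f"{v}_{k}" for v in VARS}                  # this step's Var''
    for v in VARS:
        tf1 = re.sub(rf"\b{v}'", mid[v], tf1)            # P1's post-state -> Var''
        tf2 = re.sub(rf"\b{v}\b(?!')", mid[v], tf2)      # P2's pre-state -> Var''
    return f"∃{', '.join(mid.values())}. ({tf1}) ∧ ({tf2})"

def body_tf():
    """Transition formula of the loop body on slide 26 (before eliminating Var'')."""
    return tf_seq(tf_assign("x", "x + 1"),
                  tf_if("*", tf_assign("y", "y + x"), tf_assign("z", "z + x")))

def run_loop(N, choices, y0=0, z0=0):
    """Concrete execution of the running example; choices[k] resolves the k-th '*'."""
    x, y, z = 0, y0, z0
    k = 0
    while x < N:
        x += 1
        if choices[k % len(choices)]:
            y += x
        else:
            z += x
        k += 1
    return x, y, z

def summary_holds(N, choices, y0=0, z0=0):
    """Checks slide 19's summary x' = N ∧ y' ≥ y ∧ z' ≥ z ∧ y'+z' = y+z+N(N+1)/2 on one run."""
    x, y, z = run_loop(N, choices, y0, z0)
    return x == N and y >= y0 and z >= z0 and y + z == y0 + z0 + N * (N + 1) // 2
```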

  27. [Figure, slides 27 to 31: the loop-body transition formula x' = x + 1 ∧ ((y' = y + x' ∧ z' = z) ∨ (y' = y ∧ z' = z + x')) is abstracted to a recurrence over the variables v_x and v_{y+z}; the matrix diagram did not survive extraction.]
