Numerical Invariants via Abstract Machines
Zachary Kincaid, Princeton University
Static Analysis Symposium, August 31, 2018
Today's agenda: a recipe for building abstract interpreters.

Compositional Recurrence Analysis (CRA)
A technique for generating numerical invariants. Joint work with Jason Breck, Ashkan Forouhi Boroujeni, John Cyphert, Azadeh Farzan and Thomas Reps.
• Generates numerical invariants in an expressive assertion language
  • Linear arithmetic, polynomials, exponentials, logarithms
  • Equations and inequations, congruences, disjunctions
• Strongly compositional
  • Potential to scale, be parallelized, apply to incomplete programs, incremental analysis, ...
  • No context ⇒ no forward propagation, no abstract refinement
[Chart: HOLA/C4B/SVComp benchmarks (linear). Tools compared: Box, Oct, Poly, SeaHorn, UAutomizer, CRA. Axes: # safe (0–150) and Time(s) (0–10k).]
How can we answer questions about the behavior of software?

Practice                            Theory
• Abstract domains                  • Boolean programs
• Constraint-based analysis         • Linear dynamical systems
• Interpolation                     • Solvable polynomial systems
• Property-directed reachability    • Vector addition systems
• ...                               • ...
Outline
• Background
• The recipe
• Examples
Goal
Given a program, compute a transition formula: a formula over the pre-state variables $x$ and the post-state variables $x'$.

$x \in \mathit{Var}$, $n \in \mathbb{Z}$
$e \in \mathit{Expr} ::= x \mid n \mid e_1 + e_2 \mid n \cdot e$
$c \in \mathit{Cond} ::= e_1 < e_2 \mid e_1 = e_2 \mid c_1 \wedge c_2 \mid c_1 \vee c_2$
$P \in \mathit{Program} ::= x := e \mid \mathbf{if}\ c\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 \mid \mathbf{while}\ c\ \mathbf{do}\ P$
$t \in \mathit{Term} ::= x \mid x' \mid n \mid t_1 + t_2 \mid t_1 \cdot t_2 \mid v$
$F \in \mathit{TF} ::= t < 0 \mid t = 0 \mid F_1 \vee F_2 \mid F_1 \wedge F_2 \mid \exists v.\, F$
Running example

  x := 0;
  while (x < N) do
    x := x + 1;
    if (*) then y := y + x else z := z + x

Transition formula (loop summary) computed for the program:
$x' = N \;\wedge\; y' \ge y \;\wedge\; z' \ge z \;\wedge\; y' + z' = y + z + N(N+1)/2$
Aside: effective denotational semantics

$\mathit{TF}\llbracket \cdot \rrbracket : \mathit{Program} \to \mathit{TransitionFormula}$
$\mathit{TF}\llbracket x := e \rrbracket \triangleq x' = e \;\wedge\; \bigwedge_{y \in \mathit{Var},\, y \ne x} y' = y$
$\mathit{TF}\llbracket \mathbf{if}\ c\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 \rrbracket \triangleq (c \wedge \mathit{TF}\llbracket P_1 \rrbracket) \;\vee\; (\neg c \wedge \mathit{TF}\llbracket P_2 \rrbracket)$
$\mathit{TF}\llbracket P_1 ; P_2 \rrbracket \triangleq \exists \mathit{Var}''.\; \mathit{TF}\llbracket P_1 \rrbracket[\mathit{Var}' \mapsto \mathit{Var}''] \;\wedge\; \mathit{TF}\llbracket P_2 \rrbracket[\mathit{Var} \mapsto \mathit{Var}'']$
$\mathit{TF}\llbracket \mathbf{while}\ c\ \mathbf{do}\ P \rrbracket \triangleq \ldots$

• Arbitrary control flow [Tarjan '81]
• Recursive procedures [PLDI'17]
  x := 0;
  while (x < N) do
    x := x + 1;
    if (*) then y := y + x else z := z + x

Compositionality ⇒ the TF for a loop is a function of the TF of its body.

TF of the loop body:
$x' = x + 1 \;\wedge\; \big( (y' = y + x' \wedge z' = z) \;\vee\; (y' = y \wedge z' = z + x') \big)$

Both disjuncts imply $y' + z' = y + z + x'$, so the body induces a linear recurrence on $x$ and $y + z$:
$\begin{bmatrix} x' \\ y' + z' \end{bmatrix} = \begin{bmatrix} 1 & 0 \\ 1 & 1 \end{bmatrix} \begin{bmatrix} x \\ y + z \end{bmatrix} + \begin{bmatrix} 1 \\ 1 \end{bmatrix}$

Solving it gives closed forms after $k$ iterations: $x_k = x_0 + k$ and $(y+z)_k = (y+z)_0 + k\,x_0 + k(k+1)/2$; with $x_0 = 0$ and $k = N$ this is the term $N(N+1)/2$ in the loop summary.
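An executable reading of the compositional TF⟦·⟧ semantics above, added here as an example (it is not code from the talk or from the CRA tool): each construct's transition relation is built only from its sub-constructs' relations, and the resulting relation for the running example is checked against the loop summary $x' = N \wedge y' \ge y \wedge z' \ge z \wedge y' + z' = y + z + N(N+1)/2$. The names `State`, `assign`, `ite`, `nondet`, `seq`, `loop`, `PROG` and `check_summary` are this example's own; the loop is handled by exhaustive iteration rather than by the recurrence solving CRA performs.

```python
from collections import namedtuple

# Constructed for this example: the running example's variables as one hashable state.
State = namedtuple("State", "x y z N")

def assign(x, e):                 # TF[[x := e]]: x' = e(pre) and y' = y for every y != x
    return lambda s: {s._replace(**{x: e(s)})}

def ite(c, p1, p2):               # TF[[if c then P1 else P2]] = (c ∧ TF[[P1]]) ∨ (¬c ∧ TF[[P2]])
    return lambda s: p1(s) if c(s) else p2(s)

def nondet(p1, p2):               # if (*) then P1 else P2: either branch may be taken,
    return lambda s: p1(s) | p2(s)   # so the relation is the union (the ∨ of both TFs)

def seq(p1, p2):                  # TF[[P1; P2]] = ∃Var''. P1[Var' -> Var''] ∧ P2[Var -> Var'']
    return lambda s: {t for mid in p1(s) for t in p2(mid)}   # mid plays the role of Var''

def loop(c, body):                # TF[[while c do P]], here by exhaustive iteration of the body
    def run(s):                   # (CRA instead extracts and solves a recurrence for the body)
        exits, todo = set(), [s]
        while todo:
            s = todo.pop()
            if c(s):
                todo.extend(body(s))
            else:
                exits.add(s)
        return exits
    return run

# The running example: x := 0; while (x < N) do x := x+1; if (*) then y := y+x else z := z+x
PROG = seq(assign("x", lambda s: 0),
           loop(lambda s: s.x < s.N,
                seq(assign("x", lambda s: s.x + 1),
                    nondet(assign("y", lambda s: s.y + s.x),
                           assign("z", lambda s: s.z + s.x)))))

def check_summary(pre):
    """Test the slide's loop summary on every post-state reachable from pre.

    Returns (summary_holds, number_of_distinct_post_states)."""
    posts = PROG(pre)
    holds = all(t.x == pre.N and t.y >= pre.y and t.z >= pre.z
                and t.y + t.z == pre.y + pre.z + pre.N * (pre.N + 1) // 2
                for t in posts)
    return holds, len(posts)

if __name__ == "__main__":
    for n in range(0, 6):
        print(n, check_summary(State(x=0, y=5, z=7, N=n)))
```

For $N < 0$ the loop never runs and $x' = 0$, so the conjunct $x' = N$ in the summary relies on $N \ge 0$.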