SMT-Style Program Analysis SAT Style Abstract Analysis Value-based Trace Partitionings ◮ If the abstract transformer ˆ F is too imprecise, find a set of transformers ˆ F 1 , . . . , ˆ F k , such that � γ ( µ X . ˆ F i ( X )) ⊇ µ X . F ( X ) 1 ≤ i ≤ k ◮ This can be done by clipping the analysis by an abstract element: F i = ˆ ˆ F ⊓ a i = +
SMT-Style Program Analysis SAT Style Abstract Analysis Value-based Trace Partitionings New question:
SMT-Style Program Analysis SAT Style Abstract Analysis Value-based Trace Partitionings New question: How can we find such a set of elements a 1 , . . . , a k ?
SMT-Style Program Analysis SAT Style Abstract Analysis Value-based Trace Partitionings New question: How can we find such a set of elements a 1 , . . . , a k ? Use the search architecture of a SAT solver!
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL framework DPLL procedure Conflict learn propagate decide backtrack
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL framework DPLL procedure Conflict learn propagate decide backtrack ◮ Main phases of the DPLL procedure:
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL framework DPLL procedure Conflict learn propagate decide backtrack ◮ Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL framework DPLL procedure Conflict learn propagate decide backtrack ◮ Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable Propagation Deduce implied variable values
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL framework DPLL procedure Conflict learn propagate decide backtrack ◮ Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable Propagation Deduce implied variable values Learning Learn reason for conflict and backtrack
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL framework DPLL procedure Conflict learn propagate decide backtrack ◮ Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable Propagation Deduce implied variable values Learning Learn reason for conflict and backtrack
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable?
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Decision x = 1
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Propagation x = 1 z = 0
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Decision x = 1 z = 0 y = 1
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Propagation x = 1 z = 0 y = 1 z = 1
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Propagation x = 1 z = 0 y = 1 z = 1 Conflict
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Learning x = 1 z = 0 y = 1 z = 1
SMT-Style Program Analysis SAT Style Abstract Analysis DPLL Procedure Is φ ( x , y , z ) satisfiable? Learning x = 0
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven generalize clipped fixpoint decide backtrack
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven generalize clipped fixpoint decide backtrack Decision Refine current element a by a ′ ⊏ a
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven generalize clipped fixpoint decide backtrack Decision Refine current element a by a ′ ⊏ a Propagation Compute clipped fixpoint µ X . ˆ T ( X ) ⊓ a ′
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven generalize clipped fixpoint decide backtrack Decision Refine current element a by a ′ ⊏ a Propagation Compute clipped fixpoint µ X . ˆ T ( X ) ⊓ a ′ Learning Find a ′′ ⊒ a ′ , such that µ X . ˆ F ( X ) ⊓ a ′′ is safe.
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Decision Initially, a = ⊤ ⊤ ⊤ A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Propagation µ X . ˆ Initially, a = ⊤ ⊤ ⊤ F ( X ) not safe A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Decision ⊤ ⊤ A 1 A 1 A 2 A 3 A 4 Decision: refine a B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Propagation ⊤ ⊤ µ X . (ˆ A 1 A 1 A 2 A 3 A 4 Decision: refine a F ( X ) ⊓ A 1 ) not safe B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Decision ⊤ ⊤ A 1 A 1 A 2 A 3 A 4 Decision: refine a B 1 B 2 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Propagation ⊤ ⊤ A 1 A 1 A 2 A 3 A 4 µ X . (ˆ Decision: refine a B 1 B 2 B 2 B 3 B 4 B 5 F ( X ) ⊓ B 2 ) safe C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Generalization ⊤ A 1 A 1 A 2 A 3 A 4 B 1 B 2 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Generalization ⊤ A 1 A 1 A 2 A 2 A 3 A 4 µ X . ˆ B 1 B 2 B 2 B 3 B 4 B 5 F ( X ) ⊓ A 2 safe C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Generalization ⊤ A 1 A 1 A 2 A 2 A 3 A 4 µ X . ˆ B 1 B 2 B 2 B 3 B 4 B 5 F ( X ) ⊓ A 2 safe C 1 C 2 C 3 C 4 ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis SAT-Style Program Analysis Generalization ⊤ Backtrack and continue A 1 A 1 A 2 A 2 A 3 A 4 B 1 B 2 B 2 B 3 B 3 B 4 B 5 C 1 C 1 C 2 C 2 C 3 C 3 C 4 ⊥ ⊥
SMT-Style Program Analysis SAT Style Abstract Analysis Comments on Analysis ◮ When can we efficiently prove safety with this?
SMT-Style Program Analysis SAT Style Abstract Analysis Comments on Analysis ◮ When can we efficiently prove safety with this? ◮ When there is a small and finite number of elements a 1 , . . . , a k such that the fixpoints µ X . (ˆ F ( X ) ⊓ a i ) can be put together to form a concrete postfixpoint.
SMT-Style Program Analysis SAT Style Abstract Analysis Comments on Analysis ◮ When can we efficiently prove safety with this? ◮ When there is a small and finite number of elements a 1 , . . . , a k such that the fixpoints µ X . (ˆ F ( X ) ⊓ a i ) can be put together to form a concrete postfixpoint. ◮ Specific implementation issues: ◮ Generalization step ◮ Decision heuristic
SMT-Style Program Analysis Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals.
SMT-Style Program Analysis Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals. Decision : Choose an initial assignment for all variables
SMT-Style Program Analysis Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals. Decision : Choose an initial assignment for all variables Propagation : Compute forward interpretation for this initial value
SMT-Style Program Analysis Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals. Decision : Choose an initial assignment for all variables Propagation : Compute forward interpretation for this initial value Generalization and Learning : Generalize the result by locally generalizing intervals. Re- move generalized initial values from selection pool
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Decision Choose initial: x = 0 , y = 0 [x > 5] [x<= 5] y:=-1 y:=1 assert(y!=0);
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Propagation Choose initial: x = 0 , y = 0 [x > 5] [x<= 5] x = 0 , y = 0 ⊥ y:=-1 y:=1 x = 0 , y = 1 assert(y!=0); x = 0 , y = 1
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0 , y = 0 [x > 5] [x<= 5] x = 0 , y = 0 ⊥ y:=-1 y:=1 x = 0 , y = 1 assert(y!=0); ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0 , y = 0 [x > 5] [x<= 5] x = 0 , y = 0 ⊥ y:=-1 y:=1 y > 0 assert(y!=0); ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0 , y = 0 [x > 5] [x<= 5] x = 0 , y = 0 ⊥ y:=-1 y:=1 y > 0 assert(y!=0); ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0 , y = 0 [x > 5] [x<= 5] ⊥ ⊤ y:=-1 y:=1 y > 0 assert(y!=0); ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization Generalized init: x ≤ 5 [x > 5] [x<= 5] ⊥ ⊤ y:=-1 y:=1 y > 0 assert(y!=0); ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Decision ¬ x ≤ 5 Choose initial: x = 8 , y = 0 [x > 5] [x<= 5] y:=-1 y:=1 assert(y!=0);
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Propagation ¬ x ≤ 5 Choose initial: x = 8 , y = 0 [x > 5] [x<= 5] x = 8 , y = 0 ⊥ y:=-1 y:=1 x = 8 , y = − 1 assert(y!=0); x = 8 , y = − 1
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization ¬ x ≤ 5 Generalized init: x > 5 [x > 5] [x<= 5] ⊤ ⊥ y:=-1 y:=1 y < 0 assert(y!=0); ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 1 Generalization ¬ x ≤ 5 ¬ x > 5 [x > 5] [x<= 5] y:=-1 y:=1 assert(y!=0);
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 x = 0 , y = 1 Decision x:=y [x<5] [x>=5] assert(y<5)
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 Propagation x = 0 , y = 1 x:=y x = 1 , y = 1 [x<5] x = 1 , y = 1 [x>=5] assert(y<5) x = 1 , y = 1
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 Generalized init: y < 5 Generalization x:=y y < 5 [x<5] y < 5 [x>=5] assert(y<5) ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 ¬ y < 5 Generalization x:=y [x<5] [x>=5] assert(y<5)
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 ¬ y < 5 x = 0 , y = 6 Decision x:=y [x<5] [x>=5] assert(y<5)
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 ¬ y < 5 Propagation x = 0 , y = 6 x:=y x = 6 , y = 6 [x<5] [x>=5] ⊥ assert(y<5) x = 6 , y = 6
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 ¬ y < 5 Generalized init: y ≥ 5 Generalization x:=y x ≥ 5 [x<5] y < 5 [x>=5] assert(y<5) ⊤
SMT-Style Program Analysis Value-based Refinement for Intervals Example 2 ¬ y < 5 ¬ y ≥ 5 x:=y [x<5] [x>=5] assert(y<5)
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver.
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver. ◮ Generalization uses local repair (SMPP): ◮ Set every location to ⊤ ◮ For each invalid triple { pre } stmt { post } ◮ repair with { pre } from forward analysis. ◮ generalize using search on bounds.
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver. ◮ Generalization uses local repair (SMPP): ◮ Set every location to ⊤ ◮ For each invalid triple { pre } stmt { post } ◮ repair with { pre } from forward analysis. ◮ generalize using search on bounds. ◮ Generalization step: 0 ≤ a ≤ 5 , b > 5 , c < 10 Repair using SAT solver assert(a <= 10 || a >= -10) b > 5
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver. ◮ Generalization uses local repair (SMPP): ◮ Set every location to ⊤ ◮ For each invalid triple { pre } stmt { post } ◮ repair with { pre } from forward analysis. ◮ generalize using search on bounds. ◮ Generalization step: 0 ≤ a ≤ 5 , b > 5 , c < 10 Repair using SAT solver Increase bounds by search assert(a <= 10 || a >= -10) b > 5
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver. ◮ Generalization uses local repair (SMPP): ◮ Set every location to ⊤ ◮ For each invalid triple { pre } stmt { post } ◮ repair with { pre } from forward analysis. ◮ generalize using search on bounds. ◮ Generalization step: 0 ≤ a ≤ ∞ , b > 5 , c < 10 Repair using SAT solver Increase bounds by search assert(a <= 10 || a >= -10) b > 5
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver. ◮ Generalization uses local repair (SMPP): ◮ Set every location to ⊤ ◮ For each invalid triple { pre } stmt { post } ◮ repair with { pre } from forward analysis. ◮ generalize using search on bounds. ◮ Generalization step: 0 ≤ a ≤ ∞ , b > 5 , c < 10 Repair using SAT solver Increase bounds by search assert(a <= 10 || a >= -10) b > 5
SMT-Style Program Analysis Value-based Refinement for Intervals Notes on Implementation ◮ Initial values chosen by call to a SAT solver. ◮ Generalization uses local repair (SMPP): ◮ Set every location to ⊤ ◮ For each invalid triple { pre } stmt { post } ◮ repair with { pre } from forward analysis. ◮ generalize using search on bounds. ◮ Generalization step: − 10 ≤ a ≤ ∞ , b > 5 , c < 10 Repair using SAT solver Increase bounds by search assert(a <= 10 || a >= -10) b > 5
Recommend
More recommend
