Static Program Analysis Foundations of Abstract Interpretation - PowerPoint PPT Presentation

Static Program Analysis Foundations of Abstract Interpretation Sebastian Hack, Christian Hammer, Jan Reineke Advanced Lecture, Winter 2014/15

Overview: Numerical Abstractions fi from above Refinemen y f : : : ; h 19; 77i ; : : : ; h 20; 03i ; : : :g x “Abstract terpretation” — 73 — ľ “Abstract terpretation” — 74 — ľ fi fi – – ’ – fi infinite “Abstract terpretation” — 75 — ľ “Abstract terpretation” — 76 — ľ

fi Refinemen “Abstract terpretation” — 73 — ľ “Abstract terpretation” — 74 — ľ Overview: Numerical Abstractions Signs (Cousot & Cousot, 1979) fi fi y x – 0 y – 0 x ’ – fi infinite “Abstract terpretation” — 75 — ľ “Abstract terpretation” — 76 — ľ

Overview: Numerical Abstractions Intervals (Cousot & Cousot, 1976) fi fi » » » y » » x 2 [19; 77] » y 2 [20; 03] x Miné. ’ 155–172. “Abstract terpretation” — 77 — ľ “Abstract terpretation” — 78 — ľ fi fi » – 84–97. – “Abstract terpretation” — 79 — ľ “Abstract terpretation” — 80 — ľ

Overview: Numerical Abstractions Octagons (Mine, 2001) fi fi 8 > 1 » x » 9 > > < x + y » 77 y 1 » y » 9 > > > : x ` y » 99 x Miné. ’ 155–172. “Abstract terpretation” — 77 — ľ “Abstract terpretation” — 78 — ľ fi fi » – 84–97. – “Abstract terpretation” — 79 — ľ “Abstract terpretation” — 80 — ľ

fi fi » » » » » » Miné. ’ 155–172. “Abstract terpretation” — 77 — ľ “Abstract terpretation” — 78 — ľ Overview: Numerical Abstractions Polyhedra (Cousot & Halbwachs, 1978) fi fi y 19x + 77y » 2004 20x + 03y – 0 x  Very Expensive… 84–97. – “Abstract terpretation” — 79 — ľ “Abstract terpretation” — 80 — ľ

fi fi » » » » » » Miné. ’ 155–172. “Abstract terpretation” — 77 — ľ “Abstract terpretation” — 78 — ľ Overview: Numerical Abstractions Simple and Linear Congruences (Granger, 1989+1991) fi fi congruences y » x = 19 mod 77 – y = 20 mod 99 fi fi x congruences 84–97. – “Abstract terpretation” — 79 — ľ “Abstract terpretation” — 80 — ľ y 1x + 9y = 7 mod 8 2x ` 1y = 9 mod 9 x ’ – ’92. “Abstract terpretation” — 81 — ľ “Abstract terpretation” — 82 — ľ Refinemen fi “Abstract terpretation” — 83 — ľ “Abstract terpretation” — 84 — ľ

fi fi » » » » » » Numerical Abstractions Miné. ’ 155–172. Which abstraction is the most precise? “Abstract terpretation” — 77 — ľ “Abstract terpretation” — 78 — ľ Depends on questions you want to answer! fi fi fi fi c ✓ ✗ y y » – x x ’ – ’92. 84–97. – “Abstract terpretation” — 81 — ľ “Abstract terpretation” “Abstract — 79 — terpretation” ľ — 82 — ľ “Abstract terpretation” — 80 — ľ Refinemen fi “Abstract terpretation” — 83 — ľ “Abstract terpretation” — 84 — ľ

fi fi » » » » » » Numerical Abstractions Miné. ’ 155–172. Which abstraction is the most precise? “Abstract terpretation” — 77 — ľ “Abstract terpretation” — 78 — ľ Depends on questions you want to answer! fi fi fi fi c ✗ y y ✓ » – x x ’ – ’92. 84–97. – “Abstract terpretation” — 81 — ľ “Abstract terpretation” “Abstract — 79 — terpretation” ľ — 82 — ľ “Abstract terpretation” — 80 — ľ Refinemen fi “Abstract terpretation” — 83 — ľ “Abstract terpretation” — 84 — ľ

Partial Order of Abstractions Polyhedra Linear Congruences Octagons Intervals Simple Congruences Constants Signs Parity

Partial Order of Abstractions Relational domains Polyhedra Octagons Linear Congruences Intervals Simple Congruences Constants Signs Parity Non-relational domains

Characteristics of Non-relational Domains  Non-relational/independent attribute abstraction:  Abstract each variable separately  Maintains no relations between variable values  Can be lifted to an abstraction of valuations of multiple variables in the expected way:

The Interval Domain Abstracts sets of values by enclosing interval where is appropriately extended from to Intervals are ordered by inclusion: forms a complete lattice.

Concretization and Abstraction of Intervals  Concretization:  Abstraction: They form a Galois connection.

Interval Arithmetic Calculating with Intervals:

Example: Interval Analysis start x = 0 x  [0,1] x  [0,0] x  [3,3] x  [0,2] x  [0,3] 1 Neg(x < 3) 5 y  [3,5] y  [3,3] y  top y  [3,7] y  [3,7] Pos(x < 3) x  [0,2] x  [0,1] x  [0,0] y = y+1 2 y  [3,5] y  [3,3] y  top Imprecise x = x+1 due to non- x  [1,1] x  [1,2] x  [1,3] 3 relational y  top y  [3,3] y  [3,5] analysis y = 2*x x  [1,3] x  [1,2] x  [1,1] 4 y  [2,6] y  [2,4] y  [2,2] Would Octagons determine that y must be 7 at program point 5?

Intervals, Hasse diagram [-infty, infty] Ascending chain condition is not satisfied!  Kleene iteration is not [-1, infty] guaranteed to terminate! [-infty,1] [0, infty] [-infty,0] [1, infty] [-infty, -1] [-1,1] [-2,-1] [-1,0] [0,1] [1,2] [-2,-2] [-1,-1] [0,0] [1,1] [2,2] 

Example: Interval Analysis start x = 0 1 Neg(x < 1000) 3 Pos(x < 1000) x = x+1 … 2 1000 iterations later

Solution: Widening “Enforce Ascending Chain Condition” { x | x ⊒ lfp F }  Widening enforces the ascending chain safe condition during analysis. but possibly imprecise  Accelerates termination by moving up the lattice lfp ∇ F more quickly.  May yield imprecise lfp F results…

Widening: Formal Requirement A widening ∇ is an operator ∇ : D x D → D such that Safety: x ⊑ ( x ∇ y ) and y ⊑ ( x ∇ y ) 1. Termination: 2. forall ascending chains x 0 ⊑ x 1 ⊑ ... the chain y 0 = x 0 = y i ∇ x i+1 y i+1 is finite.

Widening Operator for Intervals Simplest solution: Example:

Example Revisited: Interval Analysis with Simple Widening Standard Kleene Iteration: Kleene Iteration with Widening: start x = 0 1 Neg(x < 1000) 3 Do we need to apply Pos(x < 1000) x = x+1 widening at all program points? 2  Quick termination but imprecise result!

More Sophisticated Widening for Intervals Define set of jump points (barriers) based on constants appearing in program, e.g.: Intuition: “Don’t jump to – infty, +infty immediately but only to next jump point .”

Example Revisited: Interval Analysis with Sophisticated Widening start x = 0 1 Neg(x < 1000) 3 Pos(x < 1000) x = x+1 2  More precise, potentially terminates more slowly.

Another Example: Interval Analysis with Sophisticated Widening start x = 0 1 Neg(x < 1000) 5 Pos(x < 1000) y = y+1 2 x = x+1 3 y = 2*x 4 Would be [2, 2000] in least fixed point, but 2000 does not appear in the program…

Narrowing: { x | x ⊒ lfp F } Recovering Precision  Widening may yield imprecise results by lfp ∇ F overshooting the least fixed point.  Narrowing is used to approach the least lfp F fixed point from above. How can we safely move Possible problem: infinite descending chains down the Is it really a problem? lattice?

Narrowing: Recovering Precision Widening terminates at a point x ⊒ lfp F. We can iterate: x 0 = x = F(x i ) ⊓ x i x i+1 Safety: By monotonicity we know F(x) ⊒ F(lfp F) = lfp F. By induction we can easily show that x i ⊒ lfp F for all i. Termination: Depends on existence of infinite descending chains.

Narrowing: Formal Requirement A narrowing ∆ is an operator ∆ : D x D → D such that Safety: l ⊑ x and l ⊑ y  l ⊑ (x ∆ y) ⊑ x 1. Termination: 2. for all descending chains x 0 ⊒ x 1 ⊒ ... the chain y 0 = x 0 = y i ∆ x i+1 y i+1 is finite. Is (“meet”) a narrowing operator on intervals?

Narrowing Operator for Intervals Simplest solution: Example:

Another Example Revisited: Interval Analysis with Widening and Narrowing start Result after Widening: Result after Narrowing: x = 0 1 Neg(x < 1000) 5 Pos(x < 1000) y = y+1 2 x = x+1 3 y = 2*x 4  Precisely the least fixed point!

Some Applications of Numerical Domains Immediate applications:  To rule out runtime errors, such as division by zero, buffer overflows, exceeding upper or lower bounds of data types Within other analyses:  Cache Analysis  Loop Bound Analysis

Reduction: Loop Bound Analysis to Value Analysis start x = x % 5 start x = x % 5 1 1 y = 42 Instrument program y = 42 with counters of loop 2 iterations and other 2 Neg(x < y) 8 loopc = 0 interesting events leftc = 0 rightc = 0 Pos(x < y) 3 3 Neg(x < y) 8 a = M[x] Pos(x < y) 4 4 b = M[x+1] loopc++ 5 5 Neg(a<b) Pos(a<b) Pos(a<b) Neg(a<b) 6 7 6 7 leftc++ x = x+1 rightc++ x = x+2 x = x+2 x = x+1