Monniaux_Menlo_Park_2011


Abstract interpretation
David Monniaux, CNRS / VERIMAG (Grenoble)
May 23–27, Menlo College

VERIMAG
Joint lab between CNRS and Grenoble University: 9 CNRS permanent researchers + 4 research engineers + 23 professors.

Outline
1. Introduction: position within other techniques; a short chronology; basic ideas
2. Transition systems
3. Boolean abstraction: definition; some more examples; abstraction refinement
4. Intervals
5. Extrapolation
6. Executive summary

Static analysis
Establish automatically that a program meets a specification. The specification can be:
1. Explicit, e.g. "the program sorts the integer array given as input". Can be expressed by e.g. temporal logics or assertions.
2. Implicit, e.g. "the program never crashes due to division by zero, array overflow, bad pointer dereference". Easier for the programmer (no need to write anything in addition to the code).

Impossibilities
Turing's halting problem / Rice's theorem: program analysis is impossible unless one condition is met:
1. Not fully automatic, requires user interaction.
2. Constrained enough class of programs.
3. Finite memory.
4. Finite number of program steps.
5. Analysis can answer false positives.
6. Analysis can answer false negatives.

User interaction
Example: interactive theorem proving. Program analysis problems generally map to logics (e.g. Peano arithmetic) with no decision procedure. (Actually a way to prove undecidability of such logics...)

Finite memory
Can enumerate reachable states explicitly. Computable but costly: n bits of memory in the analyzed system means 2^n states in the analyzer.

Finite number of program steps
Finite number of program steps + program statements with semantics in logics (e.g. linear arithmetic): bounded model checking.

Analysis can produce false negatives
False negative = some bugs may be ignored. Examples of techniques: testing, Coverity.

(Semantically sound) static analysis
Deducing properties of software from a mathematical model of its behaviour (semantics). Examples: "no division by zero", "no assertion failure", valid for all executions, using safe over-approximation of behaviors: no false negatives, maybe false positives (false alarms).

A central problem
Higher precision (fewer false alarms) vs scaling up (lower time/space costs). Want to have them both?

Ariane V, maiden flight, 1996 (photo). Ariane V self-destructing (photo).

Arithmetic overflow
    x = computation_for_Ariane4();
    y = (short int) x;
(ok, it was Ada, not C)
PolySpace Verifier (1996) (Deutsch et al.; commercial tool): bug found by direct automated analysis of the source code.

A modern airplane: Airbus A380
Astrée (2002) (Cousot et al.): prove absence of bugs. I was a key member of Astrée (now sold commercially).

Safety-critical embedded systems
Airplanes (DO-178C), trains, space launchers. Nuclear plants, electrical grid controls. Medical devices: US Food and Drug Administration, action on infusion pumps (2010).

At Microsoft...
Microsoft Device Driver Verifier (from project SLAM), CodeContracts, etc.

Large state spaces
We cannot represent the concrete state space X. Four 32-bit variables: 2^128 states. Too large for explicit-state model-checking (need to memorize all states in memory)... and also for implicit-state model-checking (using clever structures, e.g. BDDs).

Solution
Instead of a set of states s ⊆ X, use another set s♯ that is simpler to represent. E.g. with X = Z², s ⊆ X is a set of pairs of integers and s♯ is a product of 2 intervals. We do not forget behaviors: since s ⊆ s♯, we cannot forget any reachable state.

Initial states + transitions
Program or machine state = values of variables, registers, memories... within the state space Σ. Examples: if the system state is a 17-bit value, then Σ = {0, 1}^17; if it is 3 unbounded integers, Σ = Z³; if a finite automaton, Σ is its set of states; if a stack automaton, the complete state is a couple (finite state, stack contents), thus Σ is the product of the finite state set and the set of possible stack contents.
Transition relation: x → y = "if at x, then can go to y at the next time step".

Safety properties
Show that a program does not reach an undesirable state (crash, error, out of specification). Let W be the set of undesirable states. Show that there is no n ≥ 0 and σ_0 → σ_1 → ... → σ_n such that σ_0 is an initial state (= reset) and σ_n ∈ W. Otherwise said: no σ_0 →* σ_n with σ_n ∈ W, where →* is the transitive closure of →.

Reachable states
Σ_0: set of initial states. Reachable states: the set A of states σ such that σ_0 →* σ for some σ_0 ∈ Σ_0. (1) Goal: show that A ∩ W = ∅.

Computation
X_n: set of states reachable in at most n turns of →: X_0 = Σ_0, X_1 = Σ_0 ∪ R(Σ_0), X_2 = Σ_0 ∪ R(Σ_0) ∪ R(R(Σ_0)), etc., with R(X) = {y | ∃x ∈ X, x → y}. The sequence X_k is ascending for ⊆. Its limit (= the union of all iterates) is the set of reachable states.

Iterative computation
Remark: X_{n+1} = Φ(X_n) with Φ(X) = Σ_0 ∪ R(X). Intuition: to reach a state in at most n + 1 turns, either reach it in 0 turns, thus it is an initial state (Σ_0), or in 0 < k ≤ n + 1 turns, otherwise said in at most n turns (X_n) and then one more turn. How to compute the X_n efficiently? And the limit?

Explicit-state model-checking
Explicit representation of X_n (list all states). If Σ is finite, X_n converges in at most |Σ| iterations. Reason: either X_n = X_{n+1}, and the sequence remains constant; or X_n ⊊ X_{n+1}, and then X_{n+1} \ X_n contains at least 1 state. This cannot happen more than |Σ| times.

Inductive invariants
(Inductive) invariant: a set X of states such that Φ(X) ⊆ X. Recall Φ(X) = X_0 ∪ {y | ∃x ∈ X, x → y}. (2) If X and Y are two invariants, then so is X ∩ Y: Φ is monotonic for ⊆ (if X ⊆ Y, then Φ(X) ⊆ Φ(Y)), so Φ(X ∩ Y) ⊆ Φ(X) ⊆ X, same for Y, thus Φ(X ∩ Y) ⊆ X ∩ Y. The same holds for intersections of infinitely many invariants.

The strongest invariant
Intersect all invariants to obtain the least / strongest invariant. This invariant satisfies Φ(X) = X: it is the least fixed point of Φ.

A system with infinite state
State = a single integer variable x. Initial state: x = 0. Transition: x' = x + 1. Reachable states: N. Prove that x ≥ 0 is an invariant. Cannot compute the reachable states by iteration: infinite state space!

A finite state system
State = a single integer variable x. Initial state: x = 0. Transition: x' = x + 1 ∧ x < 10^10. Reachable states: 0 ≤ x ≤ 10^10. No hope by explicit model-checking techniques (computing the 10^10 reachable states).

Abstraction
Introduce 5 "abstract states": A: x < 0; B: x = 0; C: 0 < x < 10^10; D: x = 10^10; E: x > 10^10. Put an arrow between abstract states P and Q iff one can move from some p ∈ P to some q ∈ Q. Example: there is an arrow from A to B because {x = −1} ∈ A can move to {x = 0} ∈ B.

Resulting system
(Figure: the abstract graph over A, B, C, D, E, starting in B.) No concrete transition is forgotten, and thus E is unreachable.

Other example
Initial state: x = 0. Transition: x' = x + 2 ∧ x ≠ 10^10. Reachable states: 0 ≤ x < 10^10 ∧ x mod 2 = 0.

Abstract graph
(Figure: same abstract states A–E.) C → E since (10^10 − 1) → (10^10 + 1).

Over-approximation
More behaviors: E is not concretely reachable, but E is abstractly reachable. The analysis fails to prove the true property "E unreachable". Incomplete method. Remark: works with a better abstraction (x < 10^10 − 1).

Principles of predicate abstraction
A finite set of predicates (e.g. arithmetic constraints). Construct a finite system of abstract transitions between abstract states. Each abstract state is labeled by predicates, e.g. x < 0. Put an abstract transition from A to B iff one can move from a state a ∈ A to a state b ∈ B. Correctness: if an abstract state is unreachable, then so are the corresponding concrete states.
How to construct the abstract system
Abstract states A: x < 0 and C: 0 < x < 10^10, transition relation x' = x + 1 ∧ x < 10^10. Can we move from A to C? Otherwise said: is there a solution to x < 0 ∧ (x' = x + 1 ∧ x < 10^10) ∧ x' > 0? Use satisfiability modulo theory (SMT-solving).

Computing the graph
Abstract states are couples (program point, set of predicates). Apply SMT-solving to decide whether or not to insert each arrow. Check whether the bad states are unreachable. If they are, win! ...and if they are reachable? Maybe the abstraction is badly chosen? Maybe the property to prove (unreachability of the bad states) is false?

Example
    1 x = 0;
    2 while (x < 10) {
    3   x = x + 1;
    4 }
    5 y = 0;
    6 while (y < x) {
    7   y = y + 1;
    8 }
Try the predicates x < 0, x = 0, x > 0, x < 10, x = 10, x > 10, y < 0, y = 0, y > 0, y < x, y = x, y > x. Note: 12 predicates, so in the worst case 2^12 = 4096 combinations, some of which are impossible (cannot have both x < 0 and x > 0 at the same time).

Abstract automaton
(Figure: the abstract automaton, starting at L1.) Its states: line 1: x = 0; line 2: 0 < x < 10 and x = 10 (two states); line 5: x = 10; line 6: x = 10 ∧ y < x and x = 10 ∧ y = x (two states); line 9: x = 10 ∧ y = x.

Attention
    1 x = 0;
    2 while (x != 10) {
    3   x = x + 2;
    4 }
Syntactic choice of predicates (x < 0, x = 0, x > 0, x < 10, x = 10, x > 10).

Some solution?
(Figure: a graph with the states L1: x = 0; L2: x = 0; L2: 0 < x < 10; L2: x = 10; L5: x = 10.)

Why is this solution wrong?
This solution is sound since it collects all behaviors of the program. But you realize this only because you already know (in your head) the set of reachable states! (This is cheating.) This solution is not inductive: it is possible to move from a state represented in the graph to one that isn't!

Attention (continued)
At line 2, the abstraction says 0 < x < 10, thus x = 9 for instance. x = 9 is inaccessible in the concrete system! You know it only because you computed the set of reachable states {0, 2, 4, 6, 8}. We need a transition from 0 < x < 10 (x = 9) to a new state x > 10 (x = 11).

Human intuition vs automated computation
The human sees the simple program and computes the set of reachable states {0, 2, 4, 6, 8}, knowing that x should be even. Then projects onto the predicates, and x > 10 is unreachable. The automated computation does not see that x is even because it was not given the predicate x mod 2 = 0.

Not convinced?
Let P be a program where the Boolean x is not mentioned. Consider: x := 0; P; x := 1. Use the predicates x = 0 and x = 1. Give a finite automaton for the behaviors of the program with respect to x... An automaton with two states, x = 0 and x = 1. Simple, hey?

A minimal automaton (not inductive)
If P terminates: start → (x = 0) → (x = 1). If P does not terminate: start → (x = 0).

Abstraction refinement
(Figure: the abstract graph for x' = x + 2 ∧ x ≠ 10^10.) E is reachable in the abstract and not in the concrete. This would have been prevented using the predicate x < 10^10 − 1. Can this be made automatic? Yes: compute the weakest precondition wp(E) for one step: x' > 10^10 with x' = x + 2, i.e. x + 2 > 10^10, i.e. x > 10^10 − 2. Add x ≤ 10^10 − 2 as a predicate, and voilà.

CEGAR
Counterexample guided abstraction refinement: generalize the idea (compute weakest preconditions and add predicates...).

Some tools
Bounded model checking on C programs: CBMC. Predicate abstraction on C programs: Microsoft Device Driver Verifier [SLAM], BLAST. SMT-solvers: Yices (SRI), Z3 (Microsoft).
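The construction of the abstract graph from the slides above (the five abstract states A–E, an arrow P → Q iff some p ∈ P steps to some q ∈ Q, then reachability by the iteration X_{n+1} = X_0 ∪ R(X_n)), as an added example that is not part of the lecture. The slides decide each arrow with an SMT solver; since both systems have the form "x' = x + k when x lies in an allowed set", this example instead computes the exact image of an interval and tests overlap, which is an assumption of the example, not the slides' method. A second assumption: the guard x ≠ 10^10 of the x + 2 system is read on the new value x' (i.e. x ≠ 10^10 − 2), the reading consistent with the stated reachable set 0 ≤ x < 10^10, and 10^10 is replaced by a small constant so the concrete states can also be enumerated.

```python
"""Predicate abstraction of the two one-variable systems from the slides."""
INF = float("inf")


def predicate_states(n):
    """The five abstract states of the slides, as closed integer intervals."""
    return {"A": (-INF, -1), "B": (0, 0), "C": (1, n - 1),
            "D": (n, n), "E": (n + 1, INF)}


def image(iv, guard, k):
    """Exact successor set of interval iv under 'x in guard, x' = x + k'.

    guard is a list of intervals of allowed pre-states; the result is the
    list of non-empty intersections, each shifted by k."""
    lo, hi = iv
    out = []
    for glo, ghi in guard:
        l, h = max(lo, glo), min(hi, ghi)
        if l <= h:
            out.append((l + k, h + k))
    return out


def overlap(p, q):
    return max(p[0], q[0]) <= min(p[1], q[1])


def abstract_graph(abs_states, guard, k):
    """Edge P -> Q iff image(P) meets Q ('can move from a in A to b in B')."""
    edges = {p: set() for p in abs_states}
    for p, piv in abs_states.items():
        for img in image(piv, guard, k):
            for q, qiv in abs_states.items():
                if overlap(img, qiv):
                    edges[p].add(q)
    return edges


def reachable(init, succ):
    """Least fixed point of X -> init ∪ R(X) (slides 28-30) over a finite graph."""
    xs = set(init)
    while True:
        nxt = xs | {q for p in xs for q in succ(p)}
        if nxt == xs:
            return xs
        xs = nxt


def analyse(n, guard, k):
    """Return (abstractly reachable state names, concretely reachable ints)."""
    abs_states = predicate_states(n)
    edges = abstract_graph(abs_states, guard, k)
    abs_reach = reachable({"B"}, lambda p: edges[p])   # initial state x = 0 is B

    def concrete_succ(x):                                # explicit-state, n is small
        return {x + k} if any(lo <= x <= hi for lo, hi in guard) else set()
    return abs_reach, reachable({0}, concrete_succ)


def sound(abs_reach, conc_reach, abs_states):
    """Every concretely reachable state lies in an abstractly reachable state."""
    return all(any(abs_states[a][0] <= x <= abs_states[a][1] for a in abs_reach)
               for x in conc_reach)


# Constructed stand-in for 10^10 so that the concrete system can be enumerated.
N = 20
# System 1 (slide 36): x' = x + 1 with guard x < N.
GUARD_1 = [(-INF, N - 1)]
# System 2 (slide 39): x' = x + 2 with guard x' != N, i.e. x != N - 2 (assumption).
GUARD_2 = [(-INF, N - 3), (N - 1, INF)]


def system1():
    return analyse(N, GUARD_1, 1)


def system2():
    return analyse(N, GUARD_2, 2)


if __name__ == "__main__":
    for name, (ar, cr) in (("x+1, x<N", system1()), ("x+2, x'!=N", system2())):
        print(name, "abstract reachable:", sorted(ar), "| E reachable:", "E" in ar,
              "| sound:", sound(ar, cr, predicate_states(N)))
```

For the x + 1 system only B, C, D are abstractly reachable, so E is proved unreachable; for the x + 2 system the arrow C → E appears exactly as on the slides, and the abstraction reports E reachable although no even concrete state ever exceeds N − 2.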
Recall the idea
Try to compute an interval for each variable at each program point using interval arithmetic:
    assume(x >= 0 && x <= 1);
    assume(y >= 2 && y <= 3);
    assume(z >= 3 && z <= 4);
    t = (x + y) * z;
Interval for t? [6, 16].

Why is this interesting?
Let t(0..10) be an array. The program writes to t(i). We must know whether 0 ≤ i ≤ 10, thus we need an interval for i.

Again...
    assume(x >= 0 && x <= 1);
    y = x;
    z = x - y;
The (intelligent) human sees z = 0, thus the interval [0, 0], taking y = x into account. Interval arithmetic does not see z = 0 because it does not take y = x into account.

How to track relations
Using relational domains. E.g.: keep for each variable an interval, and for each pair of variables (x, y) an information x − y ≤ C. (One obtains x = y from x − y ≤ 0 and y − x ≤ 0.) How to compute on that?

Bounds on differences (figure).

Practical example
Suppose x − y ≤ 4 and the computation is z = x + 3; then we know z − y ≤ 7. Suppose x − z ≤ 20, x − y ≤ 4 and y − z ≤ 6; then we know x − z ≤ 10. We know how to compute on these relations (transitive closure / shortest paths). On our example, we obtain z = 0.

Why this is useful
Let t(0..n) be an array in the program. The program writes t(i). We need to know whether 0 ≤ i ≤ n, otherwise said, find bounds on i and on n − i.

Can we do better?
How about tracking relations such as 2x + 3y ≤ 6? At a given program point, a set of linear inequalities; in other words, a convex polyhedron.

Example of polyhedron (figure).

Caveat
(In general) the more precise we are, the higher the costs. For each line of code: intervals: algorithms in O(n), n the number of variables; differences x − y ≤ C: algorithms in O(n³); polyhedra: algorithms often in O(2^n). On short examples with few variables, ok... but in general?

Even linear may not be fast enough
Fly-by-wire control code from Airbus: main control loop. Number of tests linear in the length n of the code. Number of variables linear in the length n of the code (global state). Complexity of a naive convex hull on products of intervals linear in the number of variables. Cost per iteration in n².
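The "bounds on differences" domain of the slides above, worked as an added example (not code from the lecture): constraints x − y ≤ C are stored as a weighted graph and closed by the shortest-path algorithm the slides allude to (Floyd–Warshall, hence the O(n³) per line of code quoted in the caveat). The three computations are the slides' own: z = x + 3 under x − y ≤ 4, the chain x − y ≤ 4, y − z ≤ 6, and the z = x − y program where intervals alone lose z = 0. The constant-zero variable "0" used to encode intervals, and the treatment of the assignment z := x − y, are assumptions of this example.

```python
"""Difference constraints x - y <= c closed by Floyd-Warshall."""
INF = float("inf")
ZERO = "0"   # constant-zero variable: x - 0 <= c and 0 - x <= c' encode an interval


class DiffBounds:
    """bound[x][y] = tightest known c with x - y <= c (INF = no bound)."""

    def __init__(self, variables):
        self.vars = list(variables)
        self.bound = {x: {y: (0 if x == y else INF) for y in self.vars}
                      for x in self.vars}

    def add(self, x, y, c):
        """Record the constraint x - y <= c, keeping the tighter bound."""
        self.bound[x][y] = min(self.bound[x][y], c)
        return self

    def close(self):
        """Transitive closure: x - z <= (x - y) + (y - z), O(n^3)."""
        b, vs = self.bound, self.vars
        for k in vs:
            for i in vs:
                for j in vs:
                    if b[i][k] + b[k][j] < b[i][j]:
                        b[i][j] = b[i][k] + b[k][j]
        return self

    def consistent(self):
        """A negative cycle (x - x < 0) means no concrete state satisfies the bounds."""
        return all(self.bound[v][v] >= 0 for v in self.vars)

    def _forget(self, z):
        for v in self.vars:
            self.bound[z][v] = INF
            self.bound[v][z] = INF
        self.bound[z][z] = 0

    def assign_plus(self, z, x, c):
        """z := x + c: z - v <= (x - v) + c and v - z <= (v - x) - c for all v."""
        assert z != x
        self._forget(z)
        for v in self.vars:
            if v != z:
                self.bound[z][v] = self.bound[x][v] + c
                self.bound[v][z] = self.bound[v][x] - c
        return self

    def assign_diff(self, z, x, y):
        """z := x - y: only z - 0 <= (x - y) and 0 - z <= (y - x) are kept
        (sound, and exact when x = y is known). Requires the ZERO variable."""
        self._forget(z)
        self.bound[z][ZERO] = self.bound[x][y]
        self.bound[ZERO][z] = self.bound[y][x]
        return self


def example_shift():
    """Slide 65: x - y <= 4, then z = x + 3  ==>  z - y <= 7."""
    d = DiffBounds(["x", "y", "z"]).add("x", "y", 4)
    return d.assign_plus("z", "x", 3).close().bound["z"]["y"]


def example_chain():
    """Slide 65: x - z <= 20, x - y <= 4, y - z <= 6  ==>  x - z <= 10."""
    d = DiffBounds(["x", "y", "z"]).add("x", "z", 20).add("x", "y", 4).add("y", "z", 6)
    return d.close().bound["x"]["z"]


def example_z_is_zero():
    """Slide 62: assume 0 <= x <= 1; y = x; z = x - y  ==>  interval [0, 0] for z."""
    d = DiffBounds([ZERO, "x", "y", "z"]).add("x", ZERO, 1).add(ZERO, "x", 0)
    d.assign_plus("y", "x", 0)            # y = x gives x - y <= 0 and y - x <= 0
    d.assign_diff("z", "x", "y").close()
    return (-d.bound[ZERO]["z"], d.bound["z"][ZERO])


def example_infeasible():
    """x - y <= -1 together with y - x <= -1 closes to x - x <= -2: unsatisfiable."""
    d = DiffBounds(["x", "y"]).add("x", "y", -1).add("y", "x", -1).close()
    return d.consistent()


if __name__ == "__main__":
    print("z - y <=", example_shift(), "| x - z <=", example_chain(),
          "| z in", example_z_is_zero(), "| feasible:", example_infeasible())
```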
Absolute value
    y = abs(x); /* absolute value */
    if (y >= 1) {
      assert(x != 0);
    }

Interval expansion
Intervals:
    /* -1000 <= x <= 2000 */
    if (x < 0) y = -x;   /* 0 <= y <= 1000 */
    else y = x;          /* 0 <= y <= 2000 */
    if (y >= 1) {        /* 1 <= y <= 2000 */
      assert(x != 0);    /* -1000 <= x <= 2000 !!! */
    }

Polyhedra
Branch x ≥ 0 (figure). Other branch of the test: branch x < 0 (figure).

After first test
y = |x| = the union of the two red lines. Not convex. Convex hull = the pink polyhedron.

At second test
Note: includes (x, y) = (0, 1).

Disjunction
Possible if we take a union of two polyhedra: (x ≥ 0 ∧ y = x) ∨ (x < 0 ∧ y = −x). But with n tests?

Two tests
    if (x >= 0) y = x; else y = -x;
    if (y >= 1) z = y + 1; else z = y;
4 polyhedra = costly computations. (Figure: z against x.)

Two tests, convex hull
More imprecise. (Figure: z against x.)

Sources of imprecision
We need to distinguish each path and compute one polyhedron for each. But there are 2^n paths. Too costly if done naively. Not implemented in current tools, which explains some imprecisions.

Current research
In the last few years, articles have proposed methods distinguishing paths. Use of SMT-solving techniques to cut the exponential cost: only look at "useful" paths.

Loops?
Push intervals / polyhedra forward...
    int x = 0;
    while (x < 1000) {
      x = x + 1;
    }
Loop iterations: [0, 0], [0, 1], [0, 2], [0, 3], ... How? Φ(X) = initial state ∪ post(X), thus Φ([a, b]) = {0} ∪ [a + 1, min(b, 999) + 1]. When do we stop? Wait 1000 iterations? No...

One solution... extrapolation!
[0, 0], [0, 1], [0, 2], [0, 3] → [0, +∞). Push the interval:
    int x = 0;            /* [0, 0] */
    while (x < 1000) {    /* [0, +infty) */
                          /* [0, 999] */
      x = x + 1;          /* [1, 1000] */
    }
Yes! [0, +∞) is stable!

Mediocre results
Expected: [0, 999]. Obtained: [0, +∞). Run one more iteration of the loop:
    /* [0, +infty) */
    (x < 1000)            /* [0, 999] */
    x = x + 1;            /* [1, 1000] */
Obtain {0} ∪ [1, 1000] = [0, 1000].

Narrowing
    int x = 0;            /* [0, 0] */
    while (x < 1000) {    /* [0, 1000] */
                          /* [0, 999] */
      x = x + 1;          /* [1, 1000] */
    }
Yes! [0, 1000] is an inductive invariant!

Stabilization
Look for a set (polyhedron, intervals) containing the initial values of the loop and inductive: if valid at one iteration, valid at the next. Look for X such that Φ(X) ⊆ X with Φ(X) = initial states ∪ post(X), where post(X) = the states reachable from X in one loop iteration. Any inductive invariant will do (not necessarily the least one).

Computing the inductive invariant
We don't know how to compute post(P) with P an interval / polyhedron in general. (The loop body may be complex, with tests...) Replace the computation by a simpler over-approximation post(X) ⊆ post♯(X). Cannot do ∪ over polyhedra, so do ⊔ (convex hull). Thus the computation: Φ♯(X) = initial states ⊔ post♯(X), instead of Φ(X) ⊆ X with Φ(X) = initial states ∪ post(X).

All the time, over-approximation
Φ(X) ⊆ Φ♯(X), so lfp Φ ⊆ lfp Φ♯ (work out the math, using lfp Φ = inf{X | Φ(X) ⊆ X}). In the end: an over-approximation of the least fixed point of Φ.

Graphical vision
(Figure.) Dark blue = concrete reachable states after 1 loop iteration; light blue = concrete reachable states after 2 loop iterations; dark red = over-approximated states after 1 loop iteration; light red = over-approximated states after 2 loop iterations.

Extrapolation (figure).

Consequences
Over-approximate during computations (even without loops). Over-approximation during widening. Thus we obtain a super-set of the reachable states. This super-set is an inductive invariant (cannot exit from it).
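The loop analysis of the "Loops? / Extrapolation / Narrowing" slides above, carried out in code as an added example (not from the lecture): Kleene iteration of the slides' Φ([a, b]) = {0} ∪ [a + 1, min(b, 999) + 1], widening of the unstable bound to +∞ after three plain iterations, then one narrowing step that recovers [0, 1000] and checks it is inductive. The choice of widening after three iterations and the narrowing rule (tighten only bounds that widening made infinite) are this example's assumptions; the program, bound and expected intervals are the slides'.

```python
"""Interval analysis of  int x = 0; while (x < 1000) { x = x + 1; }  with widening."""
INF = float("inf")
EMPTY = None          # bottom: no reachable value yet


def join(p, q):
    """Least upper bound (interval hull) of two intervals."""
    if p is EMPTY:
        return q
    if q is EMPTY:
        return p
    return (min(p[0], q[0]), max(p[1], q[1]))


def guard_lt(iv, c):
    """Intersect with the loop test x < c (integer bounds)."""
    if iv is EMPTY or iv[0] > c - 1:
        return EMPTY
    return (iv[0], min(iv[1], c - 1))


def shift(iv, k):
    """Transfer function of x = x + k."""
    return EMPTY if iv is EMPTY else (iv[0] + k, iv[1] + k)


def phi(iv, bound=1000):
    """Φ(X) = initial state ∪ post(X): {0} ∪ [a+1, min(b, bound-1)+1]."""
    return join((0, 0), shift(guard_lt(iv, bound), 1))


def is_inductive(iv, bound=1000):
    """Φ(X) ⊆ X, i.e. X is an inductive invariant of the loop head."""
    return join(iv, phi(iv, bound)) == iv


def widen(old, new):
    """Extrapolate any bound that is still moving to infinity."""
    if old is EMPTY:
        return new
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)


def narrow(old, new):
    """Keep finite bounds; replace infinite ones by the freshly computed value."""
    lo = new[0] if old[0] == -INF else old[0]
    hi = new[1] if old[1] == INF else old[1]
    return (lo, hi)


def kleene_steps(bound=1000):
    """Plain iteration without widening: number of Φ applications until stable."""
    x, steps = EMPTY, 0
    while True:
        nxt = join(x, phi(x, bound))
        steps += 1
        if nxt == x:
            return steps, x
        x = nxt


def analyse_loop(bound=1000, widen_after=3):
    """Return (first iterates, invariant after widening, invariant after narrowing)."""
    x, trace = EMPTY, []
    for _ in range(widen_after):               # [0,0], [0,1], [0,2]
        x = join(x, phi(x, bound))
        trace.append(x)
    while True:                                # widening until stable: [0, +inf)
        nxt = widen(x, join(x, phi(x, bound)))
        if nxt == x:
            break
        x = nxt
    widened = x
    narrowed = narrow(widened, phi(widened, bound))   # one more turn: [0, 1000]
    return trace, widened, narrowed


def loop_annotations(head, bound=1000):
    """The three intervals the slides write beside the loop, from a head invariant."""
    body = guard_lt(head, bound)
    return {"head": head, "body": body, "after_increment": shift(body, 1)}


if __name__ == "__main__":
    trace, widened, narrowed = analyse_loop()
    print("iterates:", trace, "| widened:", widened, "| narrowed:", narrowed,
          "| inductive:", is_inductive(narrowed))
    print("annotations:", loop_annotations(narrowed))
    print("steps without widening:", kleene_steps()[0], "with widening: 5")
```

Without widening the same iteration needs 1002 applications of Φ before the sequence stops growing at [0, 1000]; with widening it stabilises after five and narrowing restores the finite bound.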
Practical consequences
Cannot prove that a problem truly happens. Example: interval i ∈ [0, 20] for an access t(0..10); is the interval exact? Yet we are sure that all potential problems are detected (over-approximation of the problems). Let B be the set of bad states. If X ∩ B ≠ ∅: "ORANGE". If X ⊆ B: "RED". What do orange vs red mean?

Outside of numerics
Pointers, arrays, memory, threads... E.g. representing trees / graphs using automata. Widening = limiting the number of states when computing a bisimulation (Myhill–Nerode minimization of DFA).

Important points
The computer is stupid: it does not "see" why a program works. Normal: everything important is undecidable algorithmically (or of high complexity). Look for inductive invariants that can be proved automatically (e.g. by propagation of intervals or polyhedra). They over-approximate the reachable states, thus the safety violations.

Success stories
Microsoft SLAM / Device Driver Verifier: predicate abstraction, checks that device drivers respect the Windows API. PolySpace Verifier. Astrée, with specific control numerical relations: A340, A380 (Airbus), ATV (EADS Astrium / ESA), etc. AbsInt: worst case execution time (WCET) with caches and pipelines.