Program Analysis - sri.inf.ethz.ch · octagon abstract domain", In AST in WCRE 2001, IEEE. Octagon Abstract Domain I Supports limited set of linear inequalities between program variables

Program Analysis

Instructor: Martin VechevAuthor: Gagandeep Singh

March 12, 2015

Relational Domains

I Interval domain only captures bounds of program variables

I Many verification tasks require relational invariants

I Buffer overflow, Concurrency bugs, Aliasing

I Tradeoff between complexity and expressive power

Numerical Abstract Domains

I Interval:cheap butlessexpressive

I Polyhedra:expressivebut costly

I Octagon:cheaperthanPolyhedra,limitedexpressivepower

Expressive Power

Asymptotic Complexity

Interval

c ≤ xi ≤ d Octagon

±xi ± xj ≤ c

Polyhedra

∑ni=1 aixi ≤ c

Abstract Interpretation Recipe

1. come up with an abstract domainI select based on the type of properties you want to prove

2. define abstract semantics for the programming language w.r.t.to the abstract domain from step 1.

I we need to define the abstract transformers, that is, the effectof statement/expression on the abstract domain

I we need to prove that the abstract semantics are sound w.r.tconcrete semantics of the programming language

3. iterate abstract transformers over the abstract domainI until we reach a fixed point

Octagon Abstract Domain

I Introduced in 2001 byAntoine Mine

I Quadratic spacecomplexity

I Cubic time complexity

I Used in Astreeanalyzer for verifyingcorrectness of flightsoftware in AirBus

I Antoine Mine, ”Theoctagon abstractdomain”, In AST inWCRE 2001, IEEE

Octagon Abstract Domain

I Supports limited set of linear inequalities between programvariables

I Octagonal inequalities:I Binary: ±vj ± vi ≤ c, vi 6= vjI Unary: ±vi ≤ dI c, d ∈ R ∪ {∞}I If an inequality does not exist, then its bound is ∞

I The inequalities limit the set of possible values taken byprogram variables

I For n variables there are 2n2 possible inequalities

Octagons

I Let L be the set of Octagonal inequalities between n variables,then an octagon is conjunction of all the inequalities in set L

y = 2

y = −1

x=−2

x=

1x+y=2

−x−y=2

−x+y=3

x−y=1

Encoding of Octagons

I Each octagonalinequality can beencoded as an element ofa matrix m

I Each variable vi isunfolded into v′2i = v+iand v′2i+1 = v−i

I mi,j = c representsv′j − v′i ≤ c

I vi + vj ≤ c can berepresented as:v+j − v−i ≤ c and

v+i − v−j ≤ c

v−3

v+3

v−2

v+2

v−1

v+1

v−0

v+0

c1

c2

−2v2 ≤ c1

v1 + v2 ≤ c

2v2 ≤ c2v1 + v2 ≤ c

v−3v+

3v−2v+

2v−1v+

1v−0v+

0

0

0

0

0

0

0

0

0

Octagon Abstract Domain

I The Octagon domain: {Oo,vo,to,uo,⊥o,>o}I ⊥o represents bottom element that contains an unsatisfiable

set of inequalities

I O is the set of all octagons

I Oo = O ∪ {⊥o}I >o represents top element for which the bound for all

inequalities is ∞

Uniqueness of Octagons

I An octagon can be represented by more than one set ofinequalities

I (x ≤ 4) ∧ (y ≤ 6) and (x ≤ 4) ∧ (y ≤ 6) ∧ (x+ y ≤ 10)represent the same concrete values, thus no galois insertion

I A unique representation of octagons is required to build galoisinsertion

I The set with maximum inequalities representing an octagon isunique

Closure (*)

I Closure operator produces unique octagon representation

I Combine binary inequalities vi − vj ≤ c1 and vj − vk ≤ c2 toobtain vi − vk ≤ c1 + c2

I If the octagon already contains vi − vk ≤ c, then keepvi − vk ≤ min(c, c1 + c2)

I This is same as applying Floyd Warshall on octagon matrix

I Combining binary inequalities of(x− y ≤ 4) ∧ (y − z ≤ 6) ∧ (x ≤ 5) ∧ (y ≤ 7) we get(x− y ≤ 4) ∧ (y − z ≤ 6) ∧ (x− z ≤ 10) ∧ (x ≤ 5) ∧ (y ≤ 7)

Closure (*)

I The previous step alone does not produce maximal set

I Combine unary inequalities vi ≤ c1 and vj ≤ c2 to obtainvi + vj ≤ c1 + c2

I If the octagon already contains vi + vj ≤ c, then keepvi + vj ≤ min(c, c1 + c2)

I Combining unary inequalities of(x− y ≤ 4) ∧ (y − z ≤ 6) ∧ (x− z ≤ 10) ∧ (x ≤ 5) ∧ (y ≤ 7)we get (x− y ≤ 4) ∧ (y − z ≤ 6) ∧ (x− z ≤ 10) ∧ (x ≤5) ∧ (y ≤ 7) ∧ (x+ y ≤ 12)

I The set produced thus produced is maximal

Closure (*)

v−3

v+3

v−2

v+2

v−1

v+1

v−0

v+0

v−3v+

3v−2v+

2v−1v+

1v−0v+

0

2 2 6 26 24 42 2 0

24 2 2 28 2 2 0 32

2 14 2 2 24 0 2 2

30 38 32 2 0 38 2 2

14 28 2 0 2 2 22 38

24 2 0 2 10 42 12 4

2 0 6 2 10 2 2 2

0 2 2 6 2 2 20 8

∗

v−3

v+3

v−2

v+2

v−1

v+1

v−0

v+0

v−3v+

3v−2v+

2v−1v+

1v−0v+

0

2 2 2 2 3 3 2 0

3 2 2 3 2 2 0 4

2 3 2 2 4 0 2 2

3 3 3 2 0 4 2 2

2 2 2 0 2 2 2 3

2 2 0 2 3 3 2 3

2 0 2 2 3 2 2 2

0 2 2 2 2 2 2 3

Least Upper Bound (to)

I The union of two octagons is not necessarily an octagon

I to of two octagons is approximated

I To reduce the imprecision due to approximation, closureoperator is applied on both operands before computing t

I to can be computed by taking piecewise maximum of boundsof corresponding inequalities

I

(x ≤ 5) ∧ (x+ y ≤ 10) to (x ≤ 4) ∧ (x+ y ≤ 11)

⇓(x ≤ 5) ∧ (x+ y ≤ 11)

Greatest Lower Bound (uo)

I The intersection of two octagons is always an octagon

I uo of two octagons can be computed by taking piecewiseminimum of bounds of corresponding inequalities

I

(x ≤ 5) ∧ (x+ y ≤ 10) uo (x ≤ 4) ∧ (x+ y ≤ 11)

⇓(x ≤ 4) ∧ (x+ y ≤ 10)

Order (vo)

I The octagons are ordered by the inclusion relation

I An octagon O1 is included inside another octagon O2 iff thebounds of each inequality in O1 is ≤ than the correspondinginequality in O2

I The closed octagon is the smallest octagon as per vo amongthe set of octagons abstracting same concrete values.

I Compare closed form of O1 with O2

I (x ≤ 5) ∧ (x+ y) ≤ 10 vo (x ≤ 6) ∧ (x+ y) ≤ 10

Widening (5o)

I If the bound of an inequality keeps increasing, widening sets itto ∞

I

(x ≤ 5) ∧ (x+ y ≤ 10)5o (x ≤ 4) ∧ (x+ y ≤ 11)

⇓(x ≤ 5) ∧ (x+ y ≤ ∞)

I Widening operator for octagon domain is tricky, it requiresfirst operand to not be closed

I This is because widening increases the number of inequalitieswith ∞ bounds whereas closure does the reverse

Abstract Interpretation Recipe

1. come up with an abstract domainI select based on the type of properties you want to prove

2. define abstract semantics for the programming language w.r.t.to the abstract domain from step 1

I we need to define the abstract transformers, that is, the effectof statement/expression on the abstract domain

I we need to prove that the abstract semantics are sound w.r.tconcrete semantics of the programming language

3. iterate abstract transformers over the abstract domainI until we reach a fixed point

Transformer for Assignment Statements

I Assignment statements can be divided into two types:I Octagonal assignments

I x = 5;I x = x + 10;I x = y + 5;

I Non-octagonal assignmentsI x = 2y;I x = y + z;I x = y/z;

I The transformer is precise for octagonal whereas approximatefor non octagonal assignments

Transformer for Octagonal Assignments

I x = cI Add inequalities (x ≤ c) and (−x ≤ −c) to the octagonI The resulting octagon needs to be closed

I x = x+ cI Subtract c from inequalities having -ve coeffiecient for xI Add c to inequalities having +ve coeffiecient for xI The resulting octagon is closed

I x = y + cI Add inequalities (x− y ≤ c) and (y − x ≤ c) to the ocatgonI The resulting octagon needs to be closed

Transformer for Non-octagonal Assignments

I xj = e where xj − e is non octagonalI Compute bounds [a, b] for e using interval arithmeticI For example e = [a0, b0] +

∑ni=1[ai, bi]xi where each xi has

bounds [ci, di] then [a, b] = [a0, b0] +∑n

i=1[ai, bi]× [ci, di]I Add constraints of the form ±xi ± xj ≤ ±[a, b]± [ci, di] to the

octagonI The resulting octagon is not closed

Transformer for Conditional Statements

I Conditional statements encode constraints which can beadded to the input octagon

I The constraints can again be octagonal or non octagonal

I The octagonal constraints are handled precisely

I The effect of adding non-octagonal constraints isapproximated

Abstract Interpretation Recipe

1. come up with an abstract domainI select based on the type of properties you want to prove

2. define abstract semantics for the programming language w.r.t.to the abstract domain from step 1.

I we need to define the abstract transformers, that is, the effectof statement/expression on the abstract domain

I we need to prove that the abstract semantics are sound w.r.tconcrete semantics of the programming language

3. iterate abstract transformers over the abstract domainI until we reach a fixed point

Octagon Analysis Example

1 x=1;2 y=x ;3 wh i l e ( x <= m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

I O1 : >o

I O2 : >o

I O3 : >o

I O4 : >o

I O5 : >o

I O6 : >o

Octagon Analysis Example

1 x=1;2 y=x ;3 wh i l e ( x <= m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

∞ ∞ ∞ 0 ∞ ∞

∞ ∞ 0 ∞ ∞ ∞

∞ 0 ∞ ∞ ∞ ∞

0 ∞ ∞ ∞ ∞ ∞

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

∞ ∞ ∞ 0 ∞ ∞

∞ ∞ 0 ∞ ∞ ∞

2 0 ∞ ∞ ∞ ∞

0 −2 ∞ ∞ ∞ ∞

O1 O∗2

x = 1

Octagon Analysis Example

1 x=1;2 y=x;3 wh i l e ( x <= m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

∞ ∞ ∞ 0 ∞ ∞

∞ ∞ 0 ∞ ∞ ∞

2 0 ∞ ∞ ∞ ∞

0 −2 ∞ ∞ ∞ ∞

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

∞ 0 ∞ 0 ∞ ∞

0 ∞ 0 ∞ ∞ ∞

2 0 ∞ 0 ∞ ∞

0 −2 0 ∞ ∞ ∞

O∗2 O3

y = x

Octagon Analysis Example

1 x=1;2 y=x;3 wh i l e ( x <= m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

∞ 0 ∞ 0 ∞ ∞

0 ∞ 0 ∞ ∞ ∞

2 0 ∞ 0 ∞ ∞

0 −2 0 ∞ ∞ ∞

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

O3 O∗3

∗

Octagon Analysis Example

1 x=1;2 y=x ;3 while(x ≤ m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

0 ∞ ∞ ∞ 0 ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

2 0 2 0 ∞ 0

0 −2 0 −2 ∞ ∞

O∗3 O4

while(x <= m)

Octagon Analysis Example

1 x=1;2 y=x ;3 while(x ≤ m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

0 ∞ ∞ ∞ 0 ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

2 0 2 0 ∞ 0

0 −2 0 −2 ∞ ∞

∞ ∞ ∞ ∞ ∞ 0

0 −2 0 −2 0 −2

2 0 2 0 ∞ 0

0 −2 0 −2 ∞ −2

2 0 2 0 ∞ 0

0 −2 0 −2 ∞ −2

O4 O∗4

∗

Octagon Analysis Example

1 x=1;2 y=x ;3 wh i l e ( x <= m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

0 −2 0 −2 0 −2

2 0 2 0 ∞ 0

0 −2 0 −2 ∞ −2

2 0 2 0 ∞ 0

0 −2 0 −2 ∞ −2

∞ ∞ ∞ ∞ ∞ 0

1 −3 0 −2 0 −2

3 −1 2 0 ∞ 0

1 −3 0 −2 ∞ −2

4 0 3 1 ∞ 1

0 −4 −1 −3 ∞ −3

O∗4 O∗

5

x = x+ 1

Octagon Analysis Example

1 x=1;2 y=x ;3 wh i l e ( x <= m)4 x=x+1;5 y=y+x;6 a s s e r t ( y >= m)

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

m−

m+

y−

y+

x−

x+

m−m+y−y+x−x+

∞ ∞ ∞ ∞ ∞ 0

1 −3 0 −2 0 −2

3 −1 2 0 ∞ 0

1 −3 0 −2 ∞ −2

4 0 3 1 ∞ 1

0 −4 −1 −3 ∞ −3

∞ ∞ ∞ ∞ ∞ 0

1 −3 2 −4 0 −2

5 1 6 0 ∞ 0

−1 −5 0 −6 ∞ −4

4 0 5 −1 ∞ 2

0 −4 1 −5 ∞ −3

O∗5 O6

y = y + x

Octagon Analysis Example

1 x=1;2 y=x ;3 while(x ≤ m)4 x=x+1;5 y=y+x ;6 a s s e r t ( y >= m)

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

2 0 2 0 ∞ ∞

0 −2 0 −2 ∞ ∞

∞ ∞ ∞ ∞ ∞ 0

0 −4 1 −5 0 −4

5 1 6 0 ∞ 0

−1 −5 0 −6 ∞ −6

4 0 5 −1 ∞ −1

0 −4 1 −5 ∞ −5

∞ ∞ ∞ ∞ ∞ 0

∞ ∞ ∞ ∞ 0 ∞

5 1 6 0 ∞ ∞

0 −2 0 −2 ∞ ∞

4 0 5 0 ∞ ∞

0 −2 1 −2 ∞ ∞

O∗3 O∗

6 O∗3

to ⇒