SMT-Style Program Analysis with Value-based Refinements

Size: px

Start display at page:

Download "SMT-Style Program Analysis with Value-based Refinements"

Aleesha Dinah Barrett
5 years ago
Views:

1 SMT-Style Program Analysis with Value-based Refinements Vijay D Silva Leopold Haller Daniel Kröning NSV-3 July 15, 2010

2 Outline Imprecision and Refinement in Abstract Interpretation SAT Style Abstract Analysis Value-based Refinement for Intervals

3 Imprecision and Refinement in AI Imprecision in Abstract Interpretation Abstract interpretation sound but not complete. Incompleteness manifests in imprecision during the analysis.

4 Imprecision and Refinement in AI Imprecision in Abstract Interpretation Abstract interpretation sound but not complete. Incompleteness manifests in imprecision during the analysis. [1, 3] [1, 2] [2, 3] [1, 1] [2, 2] [3, 3] Example: Domain of Intervals

5 Imprecision and Refinement in AI Imprecisions in the Domain x:=*; if(x > 5) y := -1; else y := 1; assert(y!= 0); Imprecision in join

6 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in join x:=*; if(x > 5) y := -1; else y := 1; y [ 1, 1], x [6, ] assert(y!= 0);

7 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in join x:=*; if(x > 5) y := -1; else y := 1; y [ 1, 1], x [6, ] y [1, 1], x [, 5] assert(y!= 0);

8 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in join x:=*; if(x > 5) y := -1; else y := 1; assert(y!= 0); y [ 1, 1], x [6, ] y [1, 1], x [, 5] y [ 1, 1] The disjunction y = 1 y = 1 cannot be expressed as an interval.

9 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in transformer x:=y; if(x > 5) assert(y > 5);

10 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in transformer x:=y; if(x > 5) assert(y > 5);

11 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in transformer x:=y; if(x > 5) assert(y > 5); x [6, ]

12 Imprecision and Refinement in AI Imprecisions in the Domain Imprecision in transformer x:=y; if(x > 5) assert(y > 5); x [6, ] Intervals cannot express relational information.

13 Imprecision and Refinement in AI Imprecisions in the Analysis while(x < 50000) { x++; if(y < x) y++; } Imprecision in widening x [50000, 50000], y [0, ] x [0, 0], y [0, 0] x [0, 1], y [0, 1] widening x [0, ], y [0, ] Precision can be lost in the the analysis Refinement of widening studied by, e.g., Gulavani et. al (TACAS 2008), Wang et al. (CAV 2007)

14 Imprecision and Refinement in AI Refining Abstract Domains Global domain refinement

15 Imprecision and Refinement in AI Refining Abstract Domains Global domain refinement More powerful domain... Octagons Polyhedra

16 Imprecision and Refinement in AI Refining Abstract Domains Global domain refinement More powerful domain Disjunctive completion Octagons Polyhedra

17 Imprecision and Refinement in AI Refining Abstract Domains Cardinal power Global domain refinement Reduced product More powerful domain Disjunctive completion Octagons Polyhedra Global refinements potentially expensive. How can we locally refine an abstract domain?

18 Imprecision and Refinement in AI Trace Partitioning Trace partitioning allows for flexible and local refinement

19 Imprecision and Refinement in AI Trace Partitioning Trace partitioning allows for flexible and local refinement Consider separately different sets of traces through a program Similar to case splits in a mathematical proof.

20 Imprecision and Refinement in AI Trace Partitioning Trace partitioning allows for flexible and local refinement Consider separately different sets of traces through a program Similar to case splits in a mathematical proof. Control-flow based trace partitioning x := * [x > 5] y := -1 assert(y!= 0) [x <= 5] y := 1

21 Imprecision and Refinement in AI Trace Partitioning Trace partitioning allows for flexible and local refinement Consider separately different sets of traces through a program Similar to case splits in a mathematical proof. Control-flow based trace partitioning x := * [x > 5] y := -1 assert(y!= 0) y = 1 [x <= 5] y := 1

22 Imprecision and Refinement in AI Trace Partitioning Trace partitioning allows for flexible and local refinement Consider separately different sets of traces through a program Similar to case splits in a mathematical proof. Control-flow based trace partitioning x := * [x > 5] y := -1 assert(y!= 0) y = 1 [x <= 5] y := 1 y = 1

23 Imprecision and Refinement in AI Trace Partitioning Wide range of partitionings possible control flow, values of variables, number of iterations through a loop, etc.

24 Imprecision and Refinement in AI Trace Partitioning Wide range of partitionings possible control flow, values of variables, number of iterations through a loop, etc. Value-based partitioning x:=y; if(x > 5) assert(y > 5);

25 Imprecision and Refinement in AI Trace Partitioning Wide range of partitionings possible control flow, values of variables, number of iterations through a loop, etc. Value-based partitioning assume(y > 5); x:=y; if(x > 5) assert(y > 5); y > 5

26 Imprecision and Refinement in AI Trace Partitioning Wide range of partitionings possible control flow, values of variables, number of iterations through a loop, etc. Value-based partitioning assume(y > 5); assume(y <= 5); x:=y; if(x > 5) assert(y > 5); y > 5

27 Imprecision and Refinement in AI Finding Partitioning Functions Trace partitioning allows one to refine the precision of an analysis down to explicit exploration of all traces.

28 Imprecision and Refinement in AI Finding Partitioning Functions Trace partitioning allows one to refine the precision of an analysis down to explicit exploration of all traces. The main question is:

29 Imprecision and Refinement in AI Finding Partitioning Functions Trace partitioning allows one to refine the precision of an analysis down to explicit exploration of all traces. The main question is: How can we find a good partitioning?

30 Imprecision and Refinement in AI Finding Partitioning Functions Trace partitioning allows one to refine the precision of an analysis down to explicit exploration of all traces. The main question is: How can we find a good partitioning? Precise enough to prove the property, and abstract enough to be efficient.

31 Imprecision and Refinement in AI Finding Partitioning Functions Leino and Logozzo (APLAS 2005): Value-based trace partitionings based on counter examples Gulavani et al. (TACAS 2008): DAG-based Exploration of control-flow paths inside loops with splitting on demand. Gulwani et al. (PLDI 2009): Control-flow refinement for bounds analysis. Harris et al. (POPL 2010): Satisfiability Modulo Path Programs

32 SAT Style Abstract Analysis Value-based Trace Partitionings If the abstract transformer ˆF is too imprecise, find a set of transformers ˆF 1,..., ˆF k, such that γ(µx. ˆFi (X )) µx. F (X ) 1 i k

33 SAT Style Abstract Analysis Value-based Trace Partitionings If the abstract transformer ˆF is too imprecise, find a set of transformers ˆF 1,..., ˆF k, such that γ(µx. ˆFi (X )) µx. F (X ) 1 i k This can be done by clipping the analysis by an abstract element: ˆF i = ˆF a i

34 SAT Style Abstract Analysis Value-based Trace Partitionings If the abstract transformer ˆF is too imprecise, find a set of transformers ˆF 1,..., ˆF k, such that γ(µx. ˆFi (X )) µx. F (X ) 1 i k This can be done by clipping the analysis by an abstract element: ˆF i = ˆF a i

35 SAT Style Abstract Analysis Value-based Trace Partitionings If the abstract transformer ˆF is too imprecise, find a set of transformers ˆF 1,..., ˆF k, such that γ(µx. ˆFi (X )) µx. F (X ) 1 i k This can be done by clipping the analysis by an abstract element: ˆF i = ˆF a i +

36 SAT Style Abstract Analysis Value-based Trace Partitionings If the abstract transformer ˆF is too imprecise, find a set of transformers ˆF 1,..., ˆF k, such that γ(µx. ˆFi (X )) µx. F (X ) 1 i k This can be done by clipping the analysis by an abstract element: ˆF i = ˆF a i + =

37 SAT Style Abstract Analysis Value-based Trace Partitionings New question:

38 SAT Style Abstract Analysis Value-based Trace Partitionings New question: How can we find such a set of elements a 1,..., a k?

39 SAT Style Abstract Analysis Value-based Trace Partitionings New question: How can we find such a set of elements a 1,..., a k? Use the search architecture of a SAT solver!

40 SAT Style Abstract Analysis DPLL framework decide DPLL procedure propagate Conflict learn backtrack

41 SAT Style Abstract Analysis DPLL framework decide DPLL procedure propagate Conflict learn backtrack Main phases of the DPLL procedure:

42 SAT Style Abstract Analysis DPLL framework decide DPLL procedure propagate Conflict learn backtrack Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable

43 SAT Style Abstract Analysis DPLL framework decide DPLL procedure propagate Conflict learn backtrack Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable Propagation Deduce implied variable values

44 SAT Style Abstract Analysis DPLL framework decide DPLL procedure propagate Conflict learn backtrack Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable Propagation Deduce implied variable values Learning Learn reason for conflict and backtrack

45 SAT Style Abstract Analysis DPLL framework decide DPLL procedure propagate Conflict learn backtrack Main phases of the DPLL procedure: Decision Assume a value for an undetermined variable Propagation Deduce implied variable values Learning Learn reason for conflict and backtrack

46 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable?

47 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 1 Decision

48 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 1 Propagation z = 0

49 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 1 Decision y = 1 z = 0

50 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 1 Propagation y = 1 z = 0 z = 1

51 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 1 Propagation y = 1 z = 0 z = 1 Conflict

52 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 1 Learning y = 1 z = 0 z = 1

53 SAT Style Abstract Analysis DPLL Procedure Is φ(x, y, z) satisfiable? x = 0 Learning

54 SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven decide clipped fixpoint generalize backtrack

55 SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven decide clipped fixpoint generalize backtrack Decision Refine current element a by a a

56 SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven decide clipped fixpoint generalize backtrack Decision Refine current element a by a a Propagation Compute clipped fixpoint µx. ˆT (X ) a

57 SAT Style Abstract Analysis SAT-Style Program Analysis SAT-Style Program Analysis Safety proven decide clipped fixpoint generalize backtrack Decision Refine current element a by a a Propagation Compute clipped fixpoint µx. ˆT (X ) a Learning Find a a, such that µx.ˆf (X ) a is safe.

58 SAT Style Abstract Analysis SAT-Style Program Analysis Decision Initially, a = A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

59 SAT Style Abstract Analysis SAT-Style Program Analysis Propagation Initially, a = µx.ˆf (X ) not safe A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

60 SAT Style Abstract Analysis SAT-Style Program Analysis Decision Decision: refine a A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

61 SAT Style Abstract Analysis SAT-Style Program Analysis Propagation Decision: refine a A 1 A 2 A 3 A 4 µx.(ˆf (X ) A 1 ) not safe B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

62 SAT Style Abstract Analysis SAT-Style Program Analysis Decision A 1 A 2 A 3 A 4 Decision: refine a B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

63 SAT Style Abstract Analysis SAT-Style Program Analysis Propagation A 1 A 2 A 3 A 4 Decision: refine a B 1 B 2 B 3 B 4 B 5 µx.(ˆf (X ) B 2 ) safe C 1 C 2 C 3 C 4

64 SAT Style Abstract Analysis SAT-Style Program Analysis Generalization A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

65 SAT Style Abstract Analysis SAT-Style Program Analysis Generalization A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 µx.ˆf (X ) A 2 safe C 1 C 2 C 3 C 4

66 SAT Style Abstract Analysis SAT-Style Program Analysis Generalization A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 µx.ˆf (X ) A 2 safe C 1 C 2 C 3 C 4

67 SAT Style Abstract Analysis SAT-Style Program Analysis Generalization Backtrack and continue A 1 A 2 A 3 A 4 B 1 B 2 B 3 B 4 B 5 C 1 C 2 C 3 C 4

68 SAT Style Abstract Analysis Comments on Analysis When can we efficiently prove safety with this?

69 SAT Style Abstract Analysis Comments on Analysis When can we efficiently prove safety with this? When there is a small and finite number of elements a1,..., a k such that the fixpoints µx.(ˆf (X ) a i ) can be put together to form a concrete postfixpoint.

70 SAT Style Abstract Analysis Comments on Analysis When can we efficiently prove safety with this? When there is a small and finite number of elements a1,..., a k such that the fixpoints µx.(ˆf (X ) a i ) can be put together to form a concrete postfixpoint. Specific implementation issues: Generalization step Decision heuristic

71 Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals.

72 Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals. Decision: Choose an initial assignment for all variables

73 Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals. Decision: Choose an initial assignment for all variables Propagation: Compute forward interpretation for this initial value

74 Value-based Refinement for Intervals Value-based Refinement for Intervals We have created a preliminary instantiation of this framework for the domain of intervals. Decision: Choose an initial assignment for all variables Propagation: Compute forward interpretation for this initial value Generalization and Learning: Generalize the result by locally generalizing intervals. Remove generalized initial values from selection pool

75 Value-based Refinement for Intervals Example 1 Decision [x > 5] [x<= 5] Choose initial: x = 0, y = 0 y:=-1 y:=1 assert(y!=0);

76 Value-based Refinement for Intervals Example 1 Propagation Choose initial: x = 0, y = 0 [x > 5] [x<= 5] x = 0, y = 0 y:=-1 y:=1 x = 0, y = 1 assert(y!=0); x = 0, y = 1

77 Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0, y = 0 [x > 5] [x<= 5] x = 0, y = 0 y:=-1 y:=1 x = 0, y = 1 assert(y!=0);

78 Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0, y = 0 [x > 5] [x<= 5] x = 0, y = 0 y:=-1 y:=1 y > 0 assert(y!=0);

79 Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0, y = 0 [x > 5] [x<= 5] x = 0, y = 0 y:=-1 y:=1 y > 0 assert(y!=0);

80 Value-based Refinement for Intervals Example 1 Generalization Choose initial: x = 0, y = 0 [x > 5] [x<= 5] y:=-1 y:=1 y > 0 assert(y!=0);

81 Value-based Refinement for Intervals Example 1 Generalization Generalized init: x 5 [x > 5] [x<= 5] y:=-1 y:=1 y > 0 assert(y!=0);

82 Value-based Refinement for Intervals Example 1 Decision x 5 [x > 5] [x<= 5] Choose initial: x = 8, y = 0 y:=-1 y:=1 assert(y!=0);

83 Value-based Refinement for Intervals Example 1 Propagation x 5 Choose initial: x = 8, y = 0 [x > 5] [x<= 5] x = 8, y = 0 y:=-1 y:=1 x = 8, y = 1 assert(y!=0); x = 8, y = 1

84 Value-based Refinement for Intervals Example 1 Generalization x 5 Generalized init: x > 5 [x > 5] [x<= 5] y:=-1 y:=1 y < 0 assert(y!=0);

85 Value-based Refinement for Intervals Example 1 Generalization x 5 x > 5 [x > 5] [x<= 5] y:=-1 y:=1 assert(y!=0);

86 Value-based Refinement for Intervals Example 2 Decision x:=y x = 0, y = 1 [x>=5] [x<5] assert(y<5)

87 Value-based Refinement for Intervals Example 2 Propagation [x>=5] x = 0, y = 1 x:=y x = 1, y = 1 [x<5] x = 1, y = 1 assert(y<5) x = 1, y = 1

88 Value-based Refinement for Intervals Example 2 Generalized init: y < 5 Generalization [x>=5] x:=y y < 5 [x<5] y < 5 assert(y<5)

89 Value-based Refinement for Intervals Example 2 y < 5 Generalization x:=y [x>=5] [x<5] assert(y<5)

90 Value-based Refinement for Intervals Example 2 y < 5 Decision x:=y x = 0, y = 6 [x>=5] [x<5] assert(y<5)

91 Value-based Refinement for Intervals Example 2 y < 5 Propagation [x>=5] x = 0, y = 6 x:=y x = 6, y = 6 [x<5] assert(y<5) x = 6, y = 6

92 Value-based Refinement for Intervals Example 2 Generalization [x>=5] x:=y [x<5] assert(y<5) y < 5 Generalized init: y 5 x 5 y < 5

93 Value-based Refinement for Intervals Example 2 y < 5 y 5 x:=y [x>=5] [x<5] assert(y<5)

94 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver.

95 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver. Generalization uses local repair (SMPP): Set every location to For each invalid triple {pre} stmt {post} repair with {pre} from forward analysis. generalize using search on bounds.

96 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver. Generalization uses local repair (SMPP): Set every location to For each invalid triple {pre} stmt {post} repair with {pre} from forward analysis. generalize using search on bounds. Generalization step: 0 a 5, b > 5, c < 10 Repair using SAT solver assert(a <= 10 a >= -10) b > 5

97 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver. Generalization uses local repair (SMPP): Set every location to For each invalid triple {pre} stmt {post} repair with {pre} from forward analysis. generalize using search on bounds. Generalization step: 0 a 5, b > 5, c < 10 assert(a <= 10 a >= -10) b > 5 Repair using SAT solver Increase bounds by search

98 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver. Generalization uses local repair (SMPP): Set every location to For each invalid triple {pre} stmt {post} repair with {pre} from forward analysis. generalize using search on bounds. Generalization step: 0 a, b > 5, c < 10 assert(a <= 10 a >= -10) b > 5 Repair using SAT solver Increase bounds by search

99 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver. Generalization uses local repair (SMPP): Set every location to For each invalid triple {pre} stmt {post} repair with {pre} from forward analysis. generalize using search on bounds. Generalization step: 0 a, b > 5, c < 10 assert(a <= 10 a >= -10) b > 5 Repair using SAT solver Increase bounds by search

100 Value-based Refinement for Intervals Notes on Implementation Initial values chosen by call to a SAT solver. Generalization uses local repair (SMPP): Set every location to For each invalid triple {pre} stmt {post} repair with {pre} from forward analysis. generalize using search on bounds. Generalization step: 10 a, b > 5, c < 10 assert(a <= 10 a >= -10) b > 5 Repair using SAT solver Increase bounds by search

101 Value-based Refinement for Intervals Preliminary benchmarks Selection of NEC Small Static Analysis Benchmarks (slightly modified) Interval analysis too imprecise in all cases

102 Value-based Refinement for Intervals Preliminary benchmarks Selection of NEC Small Static Analysis Benchmarks (slightly modified) Interval analysis too imprecise in all cases Inst. # paths (SCC-decomp.) runtime (s) iterations inf1.c 36 * * inf2.c inf3.c inf4.c 1080 * * inf5.c inf6.c inf7.c inf8.c

103 Value-based Refinement for Intervals Preliminary benchmarks Selection of NEC Small Static Analysis Benchmarks (slightly modified) Interval analysis too imprecise in all cases Inst. # paths (SCC-decomp.) runtime (s) iterations inf1.c 36 * * inf2.c inf3.c inf4.c 1080 * * inf5.c inf6.c inf7.c inf8.c Does not work if fully relational information is required (inf1.c,inf4.c) assume(x > y); assert(x > y);

104 Value-based Refinement for Intervals Current Work Extending the prototype into a tool

105 Value-based Refinement for Intervals Current Work Extending the prototype into a tool Move towards a fully SAT-style analyzer

106 Value-based Refinement for Intervals Current Work Extending the prototype into a tool Move towards a fully SAT-style analyzer Handling of floating-point numbers

107 Value-based Refinement for Intervals Current Work Extending the prototype into a tool Move towards a fully SAT-style analyzer Handling of floating-point numbers Move to more powerful domains

108 Value-based Refinement for Intervals Current Work Extending the prototype into a tool Move towards a fully SAT-style analyzer Handling of floating-point numbers Move to more powerful domains Use trace partitioning and SMT/SAT-style analysis as glue to combine a static analyzer with a bounded model checker.

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline