Algebraic Program Analysis

Size: px

Start display at page:

Download "Algebraic Program Analysis"

Ambrose Allen
5 years ago
Views:

1 Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8,

2 Program analysis Design algorithms to answer questions about the dynamic behavior of software Correctness Is a program correct w.r.t. some specification? Security Can a program over-read a buffer? Performance How much memory will a program consume? 2

3 Algebraic program analysis A framework for designing program analyses based on algebra. Semantic algebra = space of program properties + composition operators Sequencing: Choice: Iteration: 3

4 Why algebraic program analysis? Compositional Incremental analysis Easy to parallelize Opens the door for new ways to compute loop invariants Abstractions of loops are computed from abstractions of loop bodies 4

5 Why algebraic program analysis? Compositional Incremental analysis Easy to parallelize Opens the door for new ways to compute loop invariants Abstractions of loops are computed from abstractions of loop bodies Why not algebraic program analysis? Loss of contextual information 4

6 Outline Background Iterative program analysis Abstract interpretation Intraprocedural analysis Overview Path expressions Compositional Recurrence Analysis Proving soundness Interprocedural analysis Functional approach Newtonian program analysis Newtonian program analysis via tensor product Newtonian program analysis and Gauss-Jordan elimination 5

7 Outline Background Iterative program analysis Abstract interpretation Intraprocedural analysis Overview Path expressions Compositional Recurrence Analysis Proving soundness break Interprocedural analysis Functional approach Newtonian program analysis Newtonian program analysis via tensor product Newtonian program analysis and Gauss-Jordan elimination 5

8 x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2

9 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x

10 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 Error states x

11 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x Reachable states

12 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x Computable invariant

13 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x False alarm

14 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7

15 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7 (May) reach in 1 step

16 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7 (May) reach in 2 steps

17 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7 (May) reach in k steps

18 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Error states Initial states buffer overflow null pointer deref divide by zero... 7

19 Program model Control flow graph G = Loc, Edge, root Loc: set of control locations Edge: set of instruction-labeled edges root: root (entry location) while(n 1){ if(n % 2 == 0) n := n/2; else n := 3*n+1; i := i+1; } [n = 1] [n 1] [n % 2 = 0] [n % 2 0] i := i + 1 n := n/2 n := 3*n + 1 8

20 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 [i n] i := i + 1 [i < n] 9

21 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i [, ] n [, ] i := 0 n := 100 [i n] i := i + 1 [i < n] 9

22 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i [0, 0] n [, ] i := 0 n := 100 [i n] i := i + 1 [i < n] 9

23 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [0, 0] n [100, 100] n := 100 [i n] i := i + 1 [i < n] 9

24 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [0, 0] n [100, 100] n := 100 [i n] i := i + 1 i [0, 0] n [100, 100] [i < n] 9

25 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [0, 0] n [100, 100] n := 100 [i n] i [1, 1] n [100, 100] i := i + 1 [i < n] 9

26 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 1] n [100, 100] [i n] i := i + 1 [i < n] 9

27 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 2] n [100, 100] [i n] i := i + 1 [i < n] 9

28 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] [i n] i := i + 1 [i < n] 9

29 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] [i n] i := i + 1 i [0, 99] n [100, 100] [i < n] 9

30 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] i [1, 100] n [100, 100] i := i + 1 [i n] [i < n] 9

31 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] [i n] i := i + 1 [i < n] 9

32 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [100, n := 100] 100 n [100, 100] [i n] i := i + 1 [i < n] 9

33 Approximating a loop Ascending sequence of properties {}}{ p 1 p 2 p 2... Approximate limit w/ a widening operator ˆp 1 = p 1 ˆp i+1 = p i p i+1 10

34 Designing an iterative analysis 1 Define: Abstract domain L = L,,,, L: space of program properties L L: approximation order : L L L: join (least upper bound) operator : L L L widening (extrapolation) operator Property transformer: L : Edge (L L) maps each command to a monotone function on L 11

35 Designing an iterative analysis 1 Define: Abstract domain L = L,,,, L: space of program properties L L: approximation order : L L L: join (least upper bound) operator : L L L widening (extrapolation) operator Property transformer: L : Edge (L L) maps each command to a monotone function on L 2 Apply: chaotic iteration algorithm Computes a map inv : Loc L that is closed under the abstract semantics: (u, v) Edge.L (u, v) (inv(u)) inv(v) 11

36 Outline Background Iterative program analysis Abstract interpretation Intraprocedural analysis Overview Path expressions Compositional Recurrence Analysis Proving soundness Interprocedural analysis Functional approach Newtonian program analysis Newtonian program analysis via tensor product Newtonian program analysis and Gauss-Jordan elimination 12

37 Proving soundness [Cousot & Cousot 77] 1 Define: Concrete semantics C 2 Store,,,, C e (S) {s : s S.s e s } Concretization function γ : L 2 Store maps properties to set of stores that satisfy it { } [x 0; y 2], [x 0; y 3], γ([x [0, 1]; y [2, 3]]) = [x 1; y 2], [x 1; y 3]

38 Proving soundness [Cousot & Cousot 77] 1 Define: Concrete semantics C 2 Store,,,, C e (S) {s : s S.s e s } Concretization function γ : L 2 Store maps properties to set of stores that satisfy it { [x 0; y 2], [x 0; y 3], γ([x [0, 1]; y [2, 3]]) = [x 1; y 2], [x 1; y 3] } 2 Prove transformer simulation: for all properties p, edges e: C e (γ(p)) γ(l e (p))

39 Proving soundness [Cousot & Cousot 77] 1 Define: Concrete semantics C 2 Store,,,, C e (S) {s : s S.s e s } Concretization function γ : L 2 Store maps properties to set of stores that satisfy it { [x 0; y 2], [x 0; y 3], γ([x [0, 1]; y [2, 3]]) = [x 1; y 2], [x 1; y 3] } 2 Prove transformer simulation: for all properties p, edges e: C e (γ(p)) γ(l e (p)) 3 Apply fixpoint transfer: Chaotic iteration algorithm computes a map inv : Loc L such that Stores reachable at v γ(inv(v))

Sendmail crackaddr - Static Analysis strikes back

Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation