Widening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)

Size: px

Start display at page:

Download "Widening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)"

Norma Burke
6 years ago
Views:

1 EXPERIENCE AN INTRODUCTION WITH THE DESIGN TOF A SPECIAL PURPOSE STATIC ANALYZER ABSTRACT INTERPRETATION P. Cousot Patrick.Cousot@ens.fr Biarritz IFIP-WG meeting (1) (4) mars 2003, Hotel Miramar, Biarritz, France ľ P. Cousot, all rights reserved. 3. Application to Static Analysis Widening Operator A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (x) v (x y) - 8x; y 2 L : (y) v (x y) Convergence: - for all increasing chains x 0 v x 1 v..., the increasing chain defined by y 0 = x 0,..., y i+1 = y i x i+1,... is not strictly increasing. An Introduction to Abstract Interpretation, ľ P. Cousot, 25/3/03 3:1/58 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:58/121 J []? I Idx, Toc Fixpoint Approximation with Widening 3.5 Fixpoint Approximation with Convergence Acceleration by Widening/Narrowing The upward iteration sequence with widening: X 0 =?- (infimum) X i+1 = X i if F ( X i ) v X i = X i F ( X i ) otherwise is ultimately stationary and its limit Ã is a sound upper approximation of lfp?- F : lfp?- F v Ã P. Cousot, R. Cousot: Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation. PLILP, LNCS 631, 1992: , Springer. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:57/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:59/121 J []? I Idx, Toc

2 > gfp F lfp F?- F L >; Fixpoint Approximation with Widening/Narrowing 9 2 >= >; 9 2 >= L 9 2 >= >; F X 2 = X 1 F ( X 1 ) = > = ˇX 0 ˇX 1 = ˇX 0 F ( ˇX 0 ) =gfpf =lfpf X 1 = X 0 F ( X 0 ) X 0 =?- An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:60/121 J []? I Idx, Toc Interval Widening with threshold set The threshold set T is a finite set of numbers (plus +1 and `1), [a; b] T [a 0 ;b 0 ]=[if a 0 <athen maxf 2 T j» a 0 g else a; if b 0 >bthen minfh 2 T j h b 0 g else b] : Examples (intervals): - sign analysis: T = f`1; 0; +1g; - strict sign analysis: T = f`1; `1; 0; +1; +1g; T is a parameter of the analysis. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:62/121 J []? I Idx, Toc Interval Widening L = f?g [ f[ ; u] j 2 Z [f`1g^u 2 Z [f+1g ^» ug The widening extrapolates unstable bounds to infinity:? X = X X? = X [ 0 ;u 0 ] [ 1 ;u 1 ]=[if 1 < 0 then `1else 0 ; if u 1 > u 0 then + 1 else u 0 ] Not monotone. For example [0; 1] v [0; 2] but [0; 1] [0; 2] = [0; +1] 6v [0; 2] = [0; 2] [0; 2] Non-Existence of Finite Abstractions Let us consider the infinite family of programs parameterized by the mathematical constants n 1, n 2 (n 1» n 2 ): X := n 1 ; while X» n 2 do X := X +1; od An interval analysis with widening/narrowing will discover the loop invariant X 2 [n 1 ;n 2 ]; To handle all programs in the family without false alarm, the abstract domain must contain all such intervals; ) No single finite abstract domain will do for all programs! An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:61/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:63/121 J []? I Idx, Toc

3 General-Purpose Static Program Analyzers 3.8 Application to the static analysis of critical real-time synchronous embedded software To handle infinitely many programs for non-trivial properties, a general-purpose analyser must use an infinite abstract domain 20 ; Such analyzers are huge for complex languages hence very costly to develop but reusable; There are always programs for which they lead to false alarms; Although incomplete, they are very useful for verifying/testing/ debugging. 20 P. Cousot & R. Cousot. Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation. PLILP 92. LNCS 631, pp Springer. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:88/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:90/121 J []? I Idx, Toc Parametric Specializable Static Program Analyzers General-Purpose versus Specializable Static Program Analysis The abstraction can provably be tailored to one program without any false alarm [SARA 00]; So, may be, the abstraction can be tailored to significant classes of programs (e.g. critical synchronous real-time embedded systems); This would lead to very efficient analyzers with zero (or almost no) false alarm even for large programs. [SARA 00] P. Cousot. Partial Completeness of Abstract Fixpoint Checking, invited paper. In 4 th Int. Symp. SARA 2000, LNAI1864,Springer,pp.1 25,2000. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:89/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:91/121 J []? I Idx, Toc

4 The Class of Periodic Synchronous Programs declare volatile input, state and output variables; initialize state variables; loop forever -readvolatileinputvariables, -computeoutputandstatevariables, -writetovolatileoutputvariables; wait for next clock tick; end loop All computations originates from non-linear control theory; The only allowed interrupts are clock ticks; Execution time of loop body less than a clock tick [4]. AFirstExperienceofParametric Specializable Static Program Analyzers C programs: safety critical embedded real-time synchronous software for non-linear control of complex systems; LOCs, 1300 global variables (booleans, integers, floats, arrays, macros, non-recursive procedures); Implicit specification: absence of runtime errors (no integer/floating point arithmetic overflow, no array bound overflow); Comparative results (commercial software): - 70 false alarms, 2 days, 500 Megabytes; [4] C. Ferdinand, R. Heckmann, M. Langenbach, F. Martin, M. Schmidt, H. Theiling, S. Thesing, and R. Wilhelm. Reliable and precise WCET determination for a real-life processor. ESOP (2001), LNCS2211, An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:92/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:94/121 J []? I Idx, Toc First Experience Report First Experience [5] B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A.Miné,D.Monniaux,and X. Rival. Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software. The Essence of Computation: Complexity, Analysis, Transformation. Essays Dedicated to Neil D. Jones, LNCS2566,pages Springer, Initial design: 2h, 110 false alarms (general purpose intervalbased analyzer); Main redesign: - Reduced product with weak relational domain with time; Parametrisation: - Hypotheses on volatile inputs; - Staged widenings with thresholds; - Local refinements of the parameterized abstract domains; Results: No false alarm, 14s, 20 Megabytes. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:93/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:95/121 J []? I Idx, Toc

5 Example of a Simple Idea That Does Not Scale Up Represent abstract environments M = X 7``! D where D is the abstract domain as arrays/functional arrays; O(1) to access/change the abstract value of an identifier but, most variables are locally unchanged so a lot of time is lost in unions P [ P = P and widenings P P = P ; Solution: shared balanced binary tree (maps in CAML); O(ln n) among n to access/change the abstract value of an identifier but, most of the tree is unchanged in unions and widenings (gained factor 7 in time). Performance: Space and Time Space = O(LOCs) Time = O(LOCs ˆ (ln(locs)) 1:5 ) Time (minutes) k 100 k 150 k 200 k 250 k 300 k Size (KiloLOCs) An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:96/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:98/121 J []? I Idx, Toc Example of refinement: trace partitionning Control point partitionning: Second Experience Trace partitionning: Fork Join [6] B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A.Miné,D.Monniaux,and X. Rival. A static analyzer for large safety critical software. ACM PLDI 03, San Diego, CA, June 2003, to appear. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:97/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:99/121 J []? I Idx, Toc

6 ASecondExperienceofParametric Specializable Static Program Analyzers Same C programs for synchronous non-linear control of very complex systems; 132,000 lines of C, 75,000 LOCs after preprocessing, 10,000 global variables, over 21,000 after expansion of small arrays; Same implicit specification: absence of runtime errors + no modulo arithmetic; Analyzer of first experience: 30mn, 1,200 false alarms; Example of Difficulty: Semantics Problems For C programs, the abstract transfer functions have to take the machine-level semantics into account; For example: - floating-point arithmetic with rounding errors as opposed to real numbers (e.g. A + B<C^D`B» C 6) A + D< 2 ˆ C); - ESC is simply unsound with respect to modulo arithmetics [8]. [8] Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J., Stata, R.: Extended static checking for Java. PLDI 02,ACMSIGPLANNot.37(5),(2002) An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:100/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:102/121 J []? I Idx, Toc Some Difficulties (Among Others) Ignoring the value of any variable at any program point creates false alarms; Most precise abstract domains (e.g. polyhedra [7]) simply do not scale up; Tracing the fixpoint computation will produce huge log files crashing usual text editors; Example of Refinement: Octagons 8 1» x» 9 x + y» 78 1» y» 20 x ` y» 03 >< >: [7] P. Cousot and N. Halbwachs. Automatic discovery of linear restraintsamongvariables of a program. In 5 th POPL, pages84 97,Tucson,AZ,1978.ACMPress. 101 An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:101/121 J []? I Idx, Toc [9] A. Miné. A New Numerical Abstract Domain Based on Difference-Bound Matrices. In PADO 2001,LNCS2053,Springer,2001,pp An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:103/121 J []? I Idx, Toc

7 Difficulty 1 with Octagons Most operations are O(n 2 ) in space and O(n 3 ) in time, so does not scale up; Solution: - Parameterize with packs of variables/program points where to use octagons, - Automatize the determination of the packs by experimentation (to eliminate the useless ones); Second Experience (Preliminary) Report Comparative results (commercial software): 2,000 (false?) alarms, 3 days; Results: 20 2 (false?) alarms, 1h30mn, 2500 Gigabytes. Megabytes. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:104/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:106/121 J []? I Idx, Toc Difficulty 2 with Octagons 21 Benchmarks Must be correct with respect to the IEEE 754 floating-point arithmetic norm; Solution: sophisticated algorithmics to correctly handle concrete and abstract rounding errors time (s) kloc 21 An opened problem with polyhedra. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:105/121 J []? I Idx, Toc An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:107/121 J []? I Idx, Toc

8 Mastering Invariant Size Explosion The main loop invariant: a textual file over 4.5 Mb with 6,900 boolean interval assertions (x 2 [0; 1]) 9,600 interval assertions (x 2 [a; b]) 25,400 clock assertions (x +clk2 [a; b] ^ x ` clk 2 [a; b]) 19,100 additive octagonal assertions (a» x + y» b) 19,200 subtractive octagonal assertions (a» x ` y» b) 100 decision trees etc,... involving over 16,000 floating point constants (only 550 appearing in the program text) ˆ 75,000 LOCs. An Introduction to Abstract Interpretation, ľ P. Cousot, 24/3/03 3:108/121 J []? I Idx, Toc

The Verification Grand Challenge and Abstract Interpretation

The Verification Grand Challenge and Abstract Interpretation Patrick Cousot École normale supérieure, 45 rue d Ulm 75230 Paris cedex 05, France Patrick.Cousot ens fr Visiting the Aeronautics and Astronautics