Splitting the Control Flow with Boolean Flags

Size: px

Start display at page:

Download "Splitting the Control Flow with Boolean Flags"

Daisy Williamson
5 years ago
Views:

1 École Normale Supérieure, Paris, France July 2008

2 Good States are Usually Convex Declare C variable int array[12]; i Access array[i] within bound if 0 i and i 11.

3 Good States are Usually Convex Declare C variable int array[s]; where s is any int s-1 i Access array[i] within bound if 0 i and i s 1.

4 Good States are Usually Convex Declare C variable int array[s]; where s is any int s-1 i Access array[i] within bound if 0 i and i s 1. Observations: One conjunction of linear inequalities is sufficient.

5 Good States are Usually Convex Declare C variable int array[s]; where s is any int s-1 i Access array[i] within bound if 0 i and i s 1. Observations: One conjunction of linear inequalities is sufficient. Such a conjunction defines a convex polyhedron.

6 Good States are Usually Convex Declare C variable int array[s]; where s is any int s-1 i Access array[i] within bound if 0 i and i s 1. Observations: One conjunction of linear inequalities is sufficient. Such a conjunction defines a convex polyhedron. Verification often possible by inferring a single polyhedron.

7 Domain of Convex Polyhedra Properties are expressed over abstract variables X e.g. value of p is expressed by xp X let x = x1,... x n and {x 1,... x n } = X

8 Domain of Convex Polyhedra Properties are expressed over abstract variables X e.g. value of p is expressed by xp X let x = x1,... x n and {x 1,... x n } = X The domain of convex polyhedra Poly X,,, : Ineq X : the set of linear inequalities a x c, a Z n, c Z. Poly X : subsets of Q n that can be delimited by finite sets of I Ineq X [[ a x c]]: subspace of Q n that satisfies a x c P 1 P 2 : entailment; P 1 P 2 P 1 P 2 : join; closure of the convex hull of P 1 and P 2. P 1 P 2 : meet; for instance P 1 P 2 := P 1 P 2

9 Example: Division by Zero Let 9 d 9 in abstract state P and execute: int r= MAX_INT ; if (d!=0) r=v/d; Task: Verify that d is not zero when dividing.

10 Example: Division by Zero Let 9 d 9 in abstract state P and execute: int r= MAX_INT ; if (d!=0) r=v/d; Task: Verify that d is not zero when dividing. Model d!=0 by P = (P [[d 1]]) (P [[d 1]]). Approximation results in 9 d 9 in P. Cannot prove v/d correct using P.

11 Example: Division by Zero Let 9 d 9 in abstract state P and execute: int r= MAX_INT ; if (d!=0) r=v/d; Task: Verify that d is not zero when dividing. Model d!=0 by P = (P [[d 1]]) (P [[d 1]]). Approximation results in 9 d 9 in P. Cannot prove v/d correct using P. One solution: Do not join the states P [[d 1]] and P [[d 1]] until after the division (trace partitioning). Partitioning the traces: when to split and when to join?

12 One Polyhedron and one Boolean Flag Idea: add a Boolean flag f to the states that are to be separated. Let P = P [[{d 1, f = 0}]] and P + = P [[{d 1, f = 1}]].

13 One Polyhedron and one Boolean Flag Idea: add a Boolean flag f to the states that are to be separated. Let P = P [[{d 1, f = 0}]] and P + = P [[{d 1, f = 1}]]. Analyze v/d using the state P = P P + : f d=0 1 + P 0 P d

14 One Polyhedron and one Boolean Flag Idea: add a Boolean flag f to the states that are to be separated. Let P = P [[{d 1, f = 0}]] and P + = P [[{d 1, f = 1}]]. Analyze v/d using the state P = P P + : f d=0 1 + P 0 P d Division by zero possible if P [[d = 0]].

15 One Polyhedron and one Boolean Flag Idea: add a Boolean flag f to the states that are to be separated. Let P = P [[{d 1, f = 0}]] and P + = P [[{d 1, f = 1}]]. Analyze v/d using the state P = P P + : f d=0 1 + P 0 P d Division by zero possible if P [[d = 0]]. Since d integral, we can conclude that P [[d = 0]] Z n =.

16 The Main Observation Let P 1, P 2 Poly X and let P = (P 1 [[f = 0]]) (P 2 [[f = 1]]). Then: P 1 and P 2 can be recovered from P if satisfies P 1 P 2 = S s.th. S Z n = P 1 P 2 Z n, P1 and P 2 are bounded. Otherwise a loss of information may occur. f 1 d=0 + P 0 P d

17 The Main Observation Let P 1, P 2 Poly X and let P = (P 1 [[f = 0]]) (P 2 [[f = 1]]). Then: P 1 and P 2 can be recovered from P if satisfies P1 P 2 = S s.th. S Z n = P 1 P 2 Z n, P1 and P 2 are bounded. Otherwise a loss of information may occur. E.g.: d 9: f 1 d=0 + P 0 P d

18 Using Boolean Flags instead of Reanalyzing a Path Separating two states using a Boolean flag is conceptually simpler, still need to decide where to split, but joining paths is automatic.

19 Using Boolean Flags instead of Reanalyzing a Path Separating two states using a Boolean flag is conceptually simpler, still need to decide where to split, but joining paths is automatic. Complexity: Polyhedra with integral tightening can express any Boolean function. Examples over two variables: y x y y x y y x y y x y x 0 1 x 0 1 x 0 1 x

20 Using Boolean Flags instead of Reanalyzing a Path Separating two states using a Boolean flag is conceptually simpler, still need to decide where to split, but joining paths is automatic. Complexity: Polyhedra with integral tightening can express any Boolean function. Examples over two variables: y x y y x y y x y y x y x 0 1 x 0 1 x 0 1 x Indeed, deciding if P Z n = is NP-complete. [Schrijver86]

21 Using Polyhedral Sub-Domains Reduce the complexity by using sub-domains of Z-polyhedra, e.g.:

22 Using Polyhedral Sub-Domains Reduce the complexity by using sub-domains of Z-polyhedra, e.g.: Octagons [Mine06]: Restrict Ineq X to ±x ± y c, c Z. Modifying the closure yields Z-Octagons and a decision procedure for 2-SAT. [Bagnara08]

23 Using Polyhedral Sub-Domains Reduce the complexity by using sub-domains of Z-polyhedra, e.g.: Octagons [Mine06]: Restrict Ineq X to ±x ± y c, c Z. Modifying the closure yields Z-Octagons and a decision procedure for 2-SAT. [Bagnara08] TVPI [Simon02]: Restrict Ineq X to ax + by c. Emptiness test for TVPI system over Z n is NP-complete [Lagarias85]. Approximation via Planar Integer Hull algorithm [Harvey99].

24 Using Polyhedral Sub-Domains Reduce the complexity by using sub-domains of Z-polyhedra, e.g.: Octagons [Mine06]: Restrict Ineq X to ±x ± y c, c Z. Modifying the closure yields Z-Octagons and a decision procedure for 2-SAT. [Bagnara08] TVPI [Simon02]: Restrict Ineq X to ax + by c. Emptiness test for TVPI system over Z n is NP-complete [Lagarias85]. Approximation via Planar Integer Hull algorithm [Harvey99]. Polyhedra with Tightening: a x c where gcd( a) = 1. Refine with Gomory s cutting plane method.

25 Using Polyhedral Sub-Domains Reduce the complexity by using sub-domains of Z-polyhedra, e.g.: Octagons [Mine06]: Restrict Ineq X to ±x ± y c, c Z. Modifying the closure yields Z-Octagons and a decision procedure for 2-SAT. [Bagnara08] f 1 d=0 + P 0 P d

26 Polyhedral and Points-to Analysis Consider the following call to f: char *p; bool r; r = f(&p); /* other statments here */ if (r) printf("value: %s", p); And the following stub implementation: int f( char ** pp) { if ( rand ()) return 0; /* error */ *pp = "Success."; return 1; /* success */ } Two possible cases:

27 Polyhedral and Points-to Analysis Consider the following call to f: char *p; bool r; r = f(&p); /* other statments here */ if (r) printf("value: %s", p); And the following stub implementation: int f( char ** pp) { if ( rand ()) return 0; /* error */ *pp = "Success."; return 1; /* success */ } Two possible cases: success rand() returns 0, p points to "Success.", r is 1

28 Polyhedral and Points-to Analysis Consider the following call to f: char *p; bool r; r = f(&p); /* other statments here */ if (r) printf("value: %s", p); And the following stub implementation: int f( char ** pp) { if ( rand ()) return 0; /* error */ *pp = "Success."; return 1; /* success */ } Two possible cases: success rand() returns 0, p points to "Success.", r is 1 error rand() returns non-zero, p is uninitialized, r is 0

29 Polyhedral and Points-to Analysis Consider the following call to f: char *p; bool r; r = f(&p); /* other statments here */ if (r) printf("value: %s", p); Let P Poly X and A : X P(A) represent state after call to f. points-to set A(x p ) value of x p in P value of x r success a s 0 1 error null [0, ] 0 p γ p (P, A) = {x p + p... x p,... P p ρ(a) a A(x p )} where A(x p ) = {a s, null} and ρ(a s ) = [4096, 2 31 ], ρ(null) = {0}

30 Evaluating the Condition Is dereferencing p correct in if (r) printf("value: %s", p);? points-to set A(x p ) value of x p in P value of x r success a s 0 1 error null [0, ] 0 Possible ways of analysing the program:

31 Evaluating the Condition Is dereferencing p correct in if (r) printf("value: %s", p);? points-to set A(x p ) value of x p in P value of x r success a s 0 1 error null [0, ] 0 Possible ways of analysing the program: Evaluate f and return one (joined) result: A(x p ) = {a s, null}, P = [[{x p 0, x r 0, x p + (2 32 1)x r (2 32 1)}]] Problem: P [[x r 1]] x p = 0 but null A(x p )

32 Evaluating the Condition Is dereferencing p correct in if (r) printf("value: %s", p);? points-to set A(x p ) value of x p in P value of x r success a s 0 1 error null [0, ] 0 Possible ways of analysing the program: Evaluate f and return one (joined) result: A(x p ) = {a s, null}, P = [[{x p 0, x r 0, x p + (2 32 1)x r (2 32 1)}]] Problem: P [[x r 1]] x p = 0 but null A(x p ) Analyse twice: keep success and error traces separate. The error traces are infeasible since r = 0 in P [[xr 1]].

33 Evaluating the Condition Is dereferencing p correct in if (r) printf("value: %s", p);? points-to set A(x p ) value of x p in P value of x r success a s 0 1 error null [0, ] 0 Possible ways of analysing the program: Evaluate f and return one (joined) result: A(x p ) = {a s, null}, P = [[{x p 0, x r 0, x p + (2 32 1)x r (2 32 1)}]] Problem: P [[x r 1]] x p = 0 but null A(x p ) Analyse twice: keep success and error traces separate. The error traces are infeasible since r = 0 in P [[xr 1]]. However, need to re-analyse code between f(&p) and if (r).

34 Evaluating the Condition Is dereferencing p correct in if (r) printf("value: %s", p);? points-to set A(x p ) value of x p in P value of x r success a s 0 1 error null [0, ] 0 Possible ways of analysing the program: Evaluate f and return one (joined) result: A(x p ) = {a s, null}, P = [[{x p 0, x r 0, x p + (2 32 1)x r (2 32 1)}]] Problem: P [[x r 1]] x p = 0 but null A(x p ) Analyse twice: keep success and error traces separate. The error traces are infeasible since r = 0 in P [[xr 1]]. However, need to re-analyse code between f(&p) and if (r). Choose a different way of performing points-to analysis.

35 Refining Points-to Analysis With Boolean Flags A : X P(A) is flow-sensitive points-to analysis null A to denote NULL Problem: can only restrict points-to set of x p for certain tests involving p such as if (p!=null).

36 Refining Points-to Analysis With Boolean Flags A : X P(A) is flow-sensitive points-to analysis null A to denote NULL Problem: can only restrict points-to set of x p for certain tests involving p such as if (p!=null). Now: Fix A : X P(X A) such that A(x p ) = { f s, a s }. p γ p (P) = {x p + f s p... x p,... f s,... P p ρ(a s )}

37 Refining Points-to Analysis With Boolean Flags A : X P(A) is flow-sensitive points-to analysis null A to denote NULL Problem: can only restrict points-to set of x p for certain tests involving p such as if (p!=null). Now: Fix A : X P(X A) such that A(x p ) = { f s, a s }. p γ p (P) = {x p + f s p... x p,... f s,... P p ρ(a s )} points-to set A(x p ) f s in P x p in P x r in P success a s if f s = error a s if f s = 1 0 [0, ] 0 P = [[{f s = x r, x p 0, r 0, x p + (2 32 1)r (2 32 1)}]]

38 Refining Points-to Analysis With Boolean Flags A : X P(A) is flow-sensitive points-to analysis null A to denote NULL Problem: can only restrict points-to set of x p for certain tests involving p such as if (p!=null). Now: Fix A : X P(X A) such that A(x p ) = { f s, a s }. p γ p (P) = {x p + f s p... x p,... f s,... P p ρ(a s )} points-to set A(x p ) f s in P x p in P x r in P success a s if f s = error a s if f s = 1 0 [0, ] 0 P = [[{f s = x r, x p 0, r 0, x p + (2 32 1)r (2 32 1)}]] Is dereferencing p correct in if (r) printf("value: %s", p);? Yes: P [[r 1]] x p = 0, f s = 1

39 On Using Flags in Points-to Analysis can use one points-to map for the whole program improves precision cost negligible if points-to flags is equal to variable or constant

40 On Using Flags in Points-to Analysis can use one points-to map for the whole program improves precision cost negligible if points-to flags is equal to variable or constant performing pointer arithmetic is simple. Evaluate e=p+q-r, and let A(x p ) = { a 1, f p 1,... a k, f p k }, similarly for x q, x r, x e. x e x p + x q x r f1 e. f p 1 + f q 1 f 1 r. fk e f p k + f q k f k r Same calculation, independent of which variable is a pointer.

41 On Using Flags in Points-to Analysis can use one points-to map for the whole program improves precision cost negligible if points-to flags is equal to variable or constant performing pointer arithmetic is simple. Evaluate e=p+q-r, and let A(x p ) = { a 1, f p 1,... a k, f p k }, similarly for x q, x r, x e. x e x p + x q x r f1 e. f p 1 + f q 1 f 1 r. fk e f p k + f q k f k r Same calculation, independent of which variable is a pointer. if 0 f1 e 1,... 0 f k e 1: each flag is Boolean

42 On Using Flags in Points-to Analysis can use one points-to map for the whole program improves precision cost negligible if points-to flags is equal to variable or constant performing pointer arithmetic is simple. Evaluate e=p+q-r, and let A(x p ) = { a 1, f p 1,... a k, f p k }, similarly for x q, x r, x e. x e x p + x q x r f1 e. f p 1 + f q 1 f 1 r. fk e f p k + f q k f k r Same calculation, independent of which variable is a pointer. if 0 f1 e 1,... 0 f k e 1: each flag is Boolean if f e fk e 1: e is not NULL

43 On Using Flags in Points-to Analysis can use one points-to map for the whole program improves precision cost negligible if points-to flags is equal to variable or constant performing pointer arithmetic is simple. Evaluate e=p+q-r, and let A(x p ) = { a 1, f p 1,... a k, f p k }, similarly for x q, x r, x e. x e x p + x q x r f1 e. f p 1 + f q 1 f 1 r. fk e f p k + f q k f k r Same calculation, independent of which variable is a pointer. if 0 f1 e 1,... 0 f k e 1: each flag is Boolean if f e fk e 1: e is not NULL if f e fk e 1: e is not the sum of pointers

44 Conclusion Using Boolean variables in a polyhedron distinguishes two states (if P bounded and Z-polyhedron) but approximation to Z-polyhedra suffice in practice are useful to refine points-to analysis can be cheaper than trace partitioning simpler to implement than trace partitioning

45 Conclusion Using Boolean variables in a polyhedron distinguishes two states (if P bounded and Z-polyhedron) but approximation to Z-polyhedra suffice in practice are useful to refine points-to analysis can be cheaper than trace partitioning simpler to implement than trace partitioning Observations: convex polyhedra can express non-convex spaces duality: some variables in a polyhedron are Boolean E.g.: string buffer analysis; character is either 0 or apply trace partitioning within polyhedron when relationship with Boolean flag become too complicated?

Simon 1 Value-Range Analysis of C Programs Value-Range Analysis

Vulnerabilities 1 3 defines semantics for C abstracted using

but light-weight description add-ons: string buffer and improved

46 Simon 1 Value-Range Analysis of C Programs Value-Range Analysis of C Programs Towards Proving the Absence of Buffer Overflow Vulnerabilities 1 3 defines semantics for C abstracted using polyhedra abstraction relation precise to the bit-level formal but light-weight description add-ons: string buffer and improved pointer analysis starting point for other analyses appears July 18th 2008

The Chvátal-Gomory Closure of a Strictly Convex Body is a Rational Polyhedron

The Chvátal-Gomory Closure of a Strictly Convex Body is a Rational Polyhedron Juan Pablo Vielma Joint work with Daniel Dadush and Santanu S. Dey July, Atlanta, GA Outline Introduction Proof: Step Step