Lecture 6. Abstract Interpretation

Similar documents
Static Analysis by A. I. of Embedded Critical Software

A Gentle Introduction to Program Analysis

Advanced Programming Methods. Introduction in program analysis

Algebraic Program Analysis

Sendmail crackaddr - Static Analysis strikes back

Simplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University

Symbolic Trajectory Evaluation - A Survey

CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014

Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C

Lecture 5. Data Flow Analysis

Static Analysis. Systems and Internet Infrastructure Security

ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS

Functor abstract domain by example

The Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS

Thursday, December 23, The attack model: Static Program Analysis

Widening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)

Flow Analysis. Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

Program Static Analysis. Overview

Static Program Analysis

Improving the Static Analysis of Loops by Dynamic Partitioning Techniques

Abstract Interpretation

Iterative Program Analysis Abstract Interpretation

COS 320. Compiling Techniques

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Lecture Notes: Widening Operators and Collecting Semantics

Automatic Software Verification

Lecture Notes on Real-world SMT

Applications of Program analysis in Model-Based Design

Embedded Software Verification Challenges and Solutions. Static Program Analysis

The Verification Grand Challenge and Abstract Interpretation

Design and Implementation of an Abstract Interpreter for VHDL

Static Program Analysis

Learning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses

Chapter 1 Introduction

Toward Abstract Interpretation of Program Transformations

Timing Analysis of Parallel Software Using Abstract Execution

Static Analysis and Verification of Aerospace Software by Abstract Interpretation

Constructing Control Flow Graph for Java by Decoupling Exception Flow from Normal Flow

Time Stamps for Fixed-Point Approximation

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Why does ASTRÉE scale up?

Utilizing Static Analysis for Programmable Logic Controllers

An Approach to Behavioral Subtyping Based on Static Analysis

Program Analysis and Verification

Gradual Typing with Union and Intersection Types

A Static Analyzer for Large Safety-Critical Software

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers

Temporal Abstract Interpretation. To have a continuum of program analysis techniques ranging from model-checking to static analysis.

PROGRAM ANALYSIS & SYNTHESIS

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

RATCOP: Relational Analysis Tool for Concurrent Programs

Operational Semantics. One-Slide Summary. Lecture Outline

A First-Order Logic with First-Class Types

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors

Abstract Interpretation of Floating-Point Computations

Abstract Interpretation of Floating-Point. Computations. Interaction, CEA-LIST/X/CNRS. February 20, Presentation at the University of Verona

State of Practice. Automatic Verification of Embedded Control Software with ASTRÉE and beyond

Verasco: a Formally Verified C Static Analyzer

Theory of Computation Prof. Raghunath Tewari Department of Computer Science and Engineering Indian Institute of Technology, Kanpur

Programming Languages & Translators PARSING. Baishakhi Ray. Fall These slides are motivated from Prof. Alex Aiken: Compilers (Stanford)

Logic-Flow Analysis of Higher-Order Programs

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

Action Language Verifier, Extended

containing such cycles will not satisfy the eventuality property, thus, we will be unable to derive its correctness for the concrete model. A common w

Static analysis and all that

Hoare Logic: Proving Programs Correct

Principles of Program Analysis: A Sampler of Approaches

Building a specialized static analyzer

Communication Complexity and Parallel Computing

Critical Analysis of Computer Science Methodology: Theory

TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*

Lecture 4. More on Data Flow: Constant Propagation, Speed, Loops

A Context-Sensitive Memory Model for Verification of C/C++ Programs

Trace Partitioning in Abstract Interpretation Based Static Analyzers

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.

Weakly Relational Domains for Floating-Point Computation Analysis

Abstract debugging of higher-order imperative languages

Program Analysis Course Notes

CS243 Homework 1. Winter Due: January 23, 2019 at 4:30 pm

Lecture slides & distribution files:

An Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland

6. Hoare Logic and Weakest Preconditions

Static Program Analysis

µz An Efficient Engine for Fixed Points with Constraints

Detecting Metamorphic Computer Viruses using Supercompilation

Static and dynamic analysis: synergy and duality

MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS

1 Introduction. 3 Syntax

Timed Automata: Semantics, Algorithms and Tools

Petri Nets. Petri Nets. Petri Net Example. Systems are specified as a directed bipartite graph. The two kinds of nodes in the graph:

Leveraging DTrace for runtime verification

Crash Course in Applied PL

Fast Algorithms for Octagon Abstract Domain

ABSTRACT INTERPRETATION

Transcription:

Lecture 6. Abstract Interpretation Wei Le 2014.10

Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening Fixed point

Motivation Static program analysis: automatically discovering properties of a program that hold for all possible execution paths of the program Discovering a sufficient set of properties for checking every operation of a program is an undecidable problem False positives Specialization: Tailoring the program analyzer algorithms for a specific class of programs Precision and scalability is guaranteed for this class of programs only Requires a lot of try-and-test to fine-tune the algorithms

History: Patrick Cousot, Radhia Cousot 1977 Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints, 1977 Methods and Logics for Proving Programs, 1990 Completeness in Abstract Interpretation, 1995 Directions for Research in Approximate System Analysis, 1999 Probabilistic Abstract Interpretation, 2012 An abstract interpretation framework for termination, 2012 Abstract interpretation: past, present and future, 2014

What it is [1] A theoretical framework to formalize approximation An applications of abstraction to the semantics of programming languages as well as to static program analysis Provides approximate methods for computing abstract semantics

An Example See Prof. Alex Aiken s slide

Steps of Abstract Interpretation

Concrete Semantics

Collecting Semantics (A set of) Partial program states Precise, strongest static properties Examples: computation traces, forward/backward reachable states, predicate transformers

Collecting Semantics We formulate collecting semantics in terms of sets because they describe properties, e.g., the set 1, 3, 5,... describes the property odd the set 2, 4, 6,... describes the property even the singleton set 42 describes a constant property the set 4, 5, 6, 7, 8, 9, 10 describes an interval property [4; 10]

Collecting Semantics: Examples The set of all descendants of the initial state The set of all descendants of the initial state that can reach a final state The set of all finite traces from the initial state The set of all finite and infinite traces from the initial state Buffer overrun, division by zero, arithmetic overflows: state properties Deadlocks, un-initialized variables: finite trace properties Loop termination: finite and infinite trace properties

Collecting Semantics: Example Trace (or path) semantics model program computations by a set of finite or infinite sequences of states.

Collecting Semantics: Example Relational and Natural semantics

Collecting Semantics: Example Transition semantics

Collecting Semantics: Example Reachable states

Partitioning and Abstract Domain Partition: abstract sets of environments Abstract domain:

Partitioning and Abstract Domain

Abstract Domain: Interval

Abstract Semantics: the Example Abstract values: +, -, 0 Abstract operations: Sound: the signedness properties preserve in the abstract domain See the extension of the Prof. Alex Aiken s example

Approximation

Abstract Interpretation An abstract interpretation consists of: An abstract domain A (+,-,0) and concrete domain D (Int) Concretization γ and abstraction functions σ, forming a Galois insertion A (sound) abstract semantic function Finite domains (lattice) + monotonic functions Large domains = slow analysis In practice, domains are forced to be small Chain height is the critical measure The focus in abstract interpretation is on correctness; not much insight into efficient algorithms

Galois Connection [2]

Concrete and Abstract Lattice

Galois Connection: Definition

Galois Connection: Intuition The order (property) is preserved: Soundness

Galois Connection: Characterization

Galois Connection: Characterization

Galois Connection: Characterization

Galois Connection: Characterization

Galois Connection: Characterization

Iterative Resolution Algorithm Widening: pair-widening, set-widening Narrowing: pair-narrowing, set-narrowing

Widening

Widening: Example Interval domain: L L = {[l, u] [l, u] (Z { inf, inf }) l u}

Widening and Fixpoint

Narrowing

Narrowing and Fixpoint

Patrick Cousot. Abstract interpretation based formal methods and future challenges. In Informatics - 10 Years Back. 10 Years Ahead., pages 138 156, London, UK, UK, 2001. Springer-Verlag. Grgoire Sutre. Software verification, September 2008.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback