
Inferring Disjunctive Postconditions
Corneliu Popeea and Wei-Ngan Chin
School of Computing
National University of Singapore
- ASIAN 2006 -
Motivation: Infer Precise Invariants
  x := 0;
  while (x < len(A)) {
    if (…) {            /* check if a new minimum has been found */
      m := x;
    }
    x := x + 1;
    /* l1 */
  }
  /* assert (0 ≤ m < len(A)): what invariant at l1 proves this assertion? */
  return A[m];
Compute an invariant at l1 over inputs (x,m,s) + outputs (x',m'), where s stands for len(A):
  (x,m,s,x',m') :- (x ≥ s ∧ x'=x ∧ m'=m)
                 ∨ (x < s ∧ x'=s ∧ m'=m)
                 ∨ (x < s ∧ x'=s ∧ x ≤ m' < x')
Related: Numerical Abstract Domains
Conjunctive Num-Abs-Domains:
• Interval domain: ±x ≤ c [Cousot et al: ISOP'76]
• Polyhedron domain: a1x1 + .. + anxn ≤ c [Cousot et al: POPL'78]
Disjunctive Num-Abs-Domains:
• Powerset extension of an abstract domain [Cousot et al: POPL'79]
• Powerset widening [Bagnara et al: VMCAI'04], [Gulavani et al: TACAS'06]
• Hulling based on Hausdorff distance [Sankaranarayanan et al: SAS'06]
Overview
• Constraint abstraction: collected from the method body.
• Conjunctive fixpoint analysis.
• Disjunctive fixpoint analysis.
• Experimental results.
Constraint Abstraction
• A method is translated to a constraint abstraction:
  void mnD (ref int x) {
    if x>0 {
      x := x-1;
      mnD(x);
    } else ()
  }
  mnD(x,x') = (x ≤ 0 ∧ x'=x)
            ∨ (x > 0 ∧ ∃x1.(x1=x-1 ∧ mnD(x,x')[x↦x1, x'↦x']))
  where [x↦x1, x'↦x'] is the substitution from formal to actual arguments
  (the recursive call is made with x1 in place of x).
• Next step: derive the lfp of this recursive constraint.
Abstract Domain of Polyhedra
[Cousot-Halbwachs: POPL'78]
Defined as a lattice: <L, ⊑, ⊥, ⊤, ⊔, ⊓>
• abstract element: conjunction of linear inequalities (convex polyhedron)
• partial order: F1 ⊑ F2 = F1 ⇒ F2
• bottom: ⊥ = False
• top: ⊤ = True
• lub: F1 ⊔ F2 = hull(F1 ∨ F2)
• glb: F1 ⊓ F2 = F1 ∧ F2
CAbst is a monotone function f: L → L:
  ∀F1,F2 ∈ L: if F1 ⊑ F2 then f(F1) ⊑ f(F2)
Fixpoint Analysis
mnD() = (x·0 Æ x'=x) Ç (x>0 Æ 9x1.(x1=x-1 Æ ))
 - relation over inputs (x) + outputs (x')
• mnD0 = False
• mnDi+1 = mnD(mnDi)
• Ascending chain:
False v mnD1 v mnD2 v .. v mnDi v ..
Conjunctive Fixpoint Analysis
mnD_1 = mnD(False) = (x ≤ 0 ∧ x'=x)
mnD_2 = mnD(mnD_1) = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ ∃x1.(x1=x-1 ∧ mnD_1[x↦x1]))
                   = hull((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0))
                   = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
mnD_3 = mnD(mnD_2) = (x-2 ≤ x' ≤ x ∧ x' ≤ 0)
• Lattice of polyhedra has infinite height: use widening operator.
  mnD^W_2 = widen(mnD_2, mnD_3) = (x' ≤ x ∧ x' ≤ 0)
• A post-fixpoint has been found when mnD(mnD_i) ⇒ mnD_i:
  mnD^W_3 = mnD(mnD^W_2) = (x' ≤ x ∧ x' ≤ 0)
Conjunctive Analysis
• mnD_CONJ = (x' ≤ x ∧ x' ≤ 0)
More precision? Disjunctive Analysis
• mnD_DISJ = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
  mnD_1 = (x ≤ 0 ∧ x'=x)
  mnD_2 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0)
  mnD_3 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0)
...
Powerset Abstract Domain of Polyhedra
Defined as a semi-lattice: <L, ⊑, ⊥, ⊤, ⊔>
• abstract element: m-bounded disjunction of convex polyhedra
• partial order: F1 ⊑ F2 = F1 ⇒ F2
• bottom: ⊥ = False
• top: ⊤ = True
• lub: F1 ⊔ F2 = hull_m(F1 ∨ F2)
Disjunctive Fixpoint Analysis
• Key problems:
  • Maintain precision at reasonable cost.
  • Ensure termination of the analysis (with a widening operator).
• Main contributions:
  • Use disjunct affinity to lift both the hulling and widening operators from the conjunctive to the disjunctive domain.
  • Precise and fairly efficient disjunctive polyhedra analysis.
Hull_m: Selective Hulling
• Given F = ∨_{i=1..n} φi (where the φi are conjunctive formulae):
  • find the most affine disjuncts for hulling (according to some affinity measure)
  • ensure the number of disjuncts does not exceed m
Geometrical Intuition for Affinity
• A good affinity measure should quantify how precisely (φ1 ∨ φ2) can be approximated by φhull (the convex-hull result).
[figure: four example pairs of disjuncts, panels 1-4; compare φ1 ∨ φ2 with φhull and identify the perfect match (100% affinity)]
Affinity Measures (1)
• Based on Hausdorff distance [SAS'06]:
  h-heur(P,Q) = max_{x ∈ P} { min_{y ∈ Q} { |x − y| } }
[figure: the same four example pairs, panels 1-4]
• Not able to distinguish between (1,2) and (3,4): they have similar Hausdorff distances.
• Less appropriate for a relational domain.
Affinity Measures (2)
• Planar-Affinity:
  p-heur(φ1,φ2) = [ratio not recovered from the slide], defined over
  mset = { c ∈ (φ1 ∪ φ2) | φhull ⇒ c }
  (the conjuncts of φ1 and φ2 that the hull still implies)
[figure: the same four example pairs, panels 1-4]
• Detects that (3,4) has higher affinity.
• Suited for relational domains.
Example: Hullm and Planar-Affinity
• mnD_3 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0)
          (F1 ∨ F2 ∨ F3)
• Affinhull matrix (F1,F2,F3):
        F1   F2   F3
  F1     -   41   41
  F2     -    -  100
  F3     -    -    -
• hull_2(F1 ∨ F2 ∨ F3) = (F1 ∨ hull(F2 ∨ F3))
                       = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)
Overview
• Collect a constraint abstraction corresponding to the method body.
• Background: conjunctive fixpoint analysis.
• Disjunctive fixpoint analysis:
  • find related disjuncts for hulling
  • powerset widening operator
• Experimental results.
Powerset Widening
Given F1 = ∨ di and F2 = ∨ ej (di, ej are conjunctive formulae):
• find pairs of related disjuncts di and ej
• compute widening on the conjunctive domain: fi = (di ∇ ej)
• result is: F1 ∇_m F2 = ∨ fi
Related work:
• Bagnara et al [VMCAI'04]: propose to use a connector to combine elements in F2 (e.g. each connected element will approximate some element from F1)
• Gulavani et al [TACAS'06]: specify a recipe for a connector, but rely on the ability to find one minimal element from a set of polyhedra
Powerset Widening - ∇_m
• Our solution: find pairs of related disjuncts based on planar-affinity.
• Planar-affinity is a good indicator for the number of conjuncts preserved in the result of widening.
[figure: disjuncts d1, d2 of F1 paired with e1, e2 of F2]
  (d1 ∨ d2) ∇_m (e1 ∨ e2) = (d1 ∇ e1) ∨ (d2 ∇ e2)
Summary: Disjunctive Fixpoint Analysis
mnD_1 = mnD(False) = (x ≤ 0 ∧ x'=x)
mnD_2 = mnD(mnD_1) = hull_2((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0))
                   = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0)
mnD_3 = mnD(mnD_2) = hull_2((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0))
                   = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)
• Lattice has infinite height: use widening operator.
  mnD^W_2 = mnD_2 ∇_m mnD_3 = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
• A post-fixpoint has been found when mnD(mnD_i) ⇒ mnD_i:
  mnD^W_3 = mnD(mnD^W_2) = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
Implementation
• Haskell + Omega library [Pugh et al]
• Automate disjunctive postcondition inference.
• Does it give more precise results?
• Benchmarks: numerical programs written in a C-like language.
Experimental Results
• Infer postconditions with different values for m.
• Most precise POST:
  m=2 (binary search, bubble sort, init array)
  m=3 (queens, quick sort, LU, Linpack)
  m=4 (SOR)
  m=5 (merge sort)
Experimental Results (II)
• Array bound checks elimination.
• Programs proved as safe:
  m=2 (bubble sort, init array)
  m=4 (merge sort, SOR)
• Planar-Affinity proves more checks redundant than the Hausdorff-based affinity.
• Disjunctive analysis is useful: as m increases, the number of checks not proven decreases gradually.
Summary
• Disjunctive polyhedra analysis via affinity:
  • selective hulling
  • powerset widening
• Implementation of a modular static analyzer based on the disjunctive polyhedra domain.
  • potential for trade-off between precision and analysis cost
The End
Convex-Hull Operator
φ1 = (x ≤ 0 ∧ x'=x)
φ2 = (x=1 ∧ x'=0)
hull(φ1 ∨ φ2) = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
[figure: the (x, x') plane showing φ1, φ2 and the lines x'=x and x-1=x' that bound hull(φ1 ∨ φ2)]
Widening Operator
φ1 = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
φ2 = (x-2 ≤ x' ≤ x ∧ x' ≤ 0)
widen(φ1,φ2) = (x' ≤ x ∧ x' ≤ 0)
[figure: the (x, x') plane showing the bounds x' ≤ x, x-1 ≤ x', x-2 ≤ x' and the region widen(φ1,φ2)]
Quick Sort Example
Quick Sort Example (II)
• Conjunctive analysis discovers a lower bound for the result: (res ≥ n)
• 3-Disjunctive analysis shows that the result is a valid index: (0 ≤ res < s)
References
• [Cousot-Halbwachs: POPL'78] Automatic discovery of linear restraints among variables of a program.
• [Bagnara et al: VMCAI'04] Widening operators for powerset domains.
• [Gulavani-Rajamani: TACAS'06] Counterexample driven refinement for abstract interpretation.
• [Sankaranarayanan et al: SAS'06] Static analysis in disjunctive numerical domains.
Constraint Abstraction
• From a method, the analysis generates a constraint abstraction:
  meth ⇒ φ
• Constraint language:
  φ ::= φ ∧ φ | φ ∨ φ | ∃x.φ | mn(x*) | s      (constraint)
  s ::= a1x1 + .. + anxn ≤ a                    (linear inequality)
  a ∈ Z, x ∈ Var, mn ∈ Meth-Name
Hull_m: Selective Hulling
• Given F = ∨_{i=1..n} φi (where the φi are conjunctive formulae):
  • find the most affine disjuncts for hulling (according to some affinity measure)
  • ensure the number of disjuncts does not exceed m
  hull_m(F) = if (n ≤ m) then F
              else hull_m(F − {φi,φj} ∪ hull(φi,φj))
              such that ∀a,b ∈ 1..n: affinhull(φi,φj) ≥ affinhull(φa,φb)
Affinity for Hulling
• Compute:
  • hull operation:       φhull = hull(φ1 ∨ φ2)
  • approx. due to hull:  φapprox = φhull ∧ ¬(φ1 ∨ φ2)
• affinhull(φ1,φ2) = if (φapprox = False) then 100
                     else if (φhull = True) then 0
                     else heur(φ1,φ2)
Example: ∇_m and Planar-Affinity
• mnD_3 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)      (d1 ∨ d2)
• mnD_4 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 3 ∧ x'=0)      (e1 ∨ e2)
• Affinwiden matrix:
        e1    e2
  d1   100    21
  d2          41
• mnD_3 ∇_m mnD_4 = (d1 ∇ e1) ∨ (d2 ∇ e2)
                  = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
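The following is an added example, not code from the paper or from its Haskell/Omega implementation; it serves both the selective hulling slides (Hull_m, Affinity for Hulling) and the powerset widening slides (∇_m). Boxes over integer intervals stand in for convex polyhedra, the affinity heuristic counts the bounds preserved by the hull in place of the slides' planar-affinity ratio, and the relational disjunct (x ≤ 0 ∧ x'=x) is over-approximated by the box (x ≤ 0 ∧ x' ≤ 0), which is the one place the result differs from the slides.

```python
# Added example (not the paper's code): boxes over integer intervals stand in
# for polyhedra so that hull_m and affinity-paired powerset widening fit in a
# few lines.  The affinity heuristic is a stand-in for planar-affinity: the
# percentage of the two disjuncts' finite bounds that their hull still implies.
from itertools import combinations
INF = float("inf")

def hull(p, q):          # box join: convex over-approximation of p \/ q
    return {v: (min(p[v][0], q[v][0]), max(p[v][1], q[v][1])) for v in p}

def subset(p, q):        # p => q
    return all(q[v][0] <= p[v][0] and p[v][1] <= q[v][1] for v in p)

def exact(p, q):         # does hull(p, q) equal p \/ q over the integers?
    if subset(p, q) or subset(q, p):       # one box contains the other, or
        return True                        # they differ in a single variable
    diff = [v for v in p if p[v] != q[v]]  # whose intervals overlap or touch
    (a, b), (c, d) = p[diff[0]], q[diff[0]]
    return len(diff) == 1 and max(a, c) <= min(b, d) + 1

def conjuncts(p):        # finite bounds of a box, as (var, side, value)
    return {(v, s, b) for v, bs in p.items() for s, b in zip("lu", bs) if abs(b) != INF}

def affin_hull(p, q):    # affinhull of the "Affinity for Hulling" slide, stand-in heuristic
    if exact(p, q):
        return 100
    cs, h = conjuncts(p) | conjuncts(q), conjuncts(hull(p, q))
    return 100 * len(cs & h) // len(cs) if h else 0

def hull_m(disjs, m):    # selective hulling: merge the most affine pair first
    disjs = list(disjs)
    while len(disjs) > m:
        i, j = max(combinations(range(len(disjs)), 2),
                   key=lambda ij: affin_hull(disjs[ij[0]], disjs[ij[1]]))
        disjs = [d for k, d in enumerate(disjs) if k not in (i, j)] + [hull(disjs[i], disjs[j])]
    return disjs

def widen(p, q):         # interval widening: drop every bound that grew
    return {v: (p[v][0] if q[v][0] >= p[v][0] else -INF,
                p[v][1] if q[v][1] <= p[v][1] else INF) for v in p}

def widen_m(F1, F2):     # powerset widening: widen each e in F2 against its most affine d in F1
    return [widen(max(F1, key=lambda d: affin_hull(d, e)), e) for e in F2]
# Constructed input: the slides' mnD_3 disjuncts, with the relational disjunct
# (x<=0 /\ x'=x) over-approximated by the box (x<=0 /\ x'<=0); x1 stands for x'.
F1, F2, F3 = ({"x": (-INF, 0), "x1": (-INF, 0)}, {"x": (1, 1), "x1": (0, 0)},
              {"x": (2, 2), "x1": (0, 0)})
mnD3 = hull_m([F1, F2, F3], 2)                            # [F1, 1<=x<=2 /\ x'=0]
mnDW = widen_m(mnD3, [F1, {"x": (1, 3), "x1": (0, 0)}])   # [F1, x>=1 /\ x'=0]
```

Pairing each e in F2 with its single most affine d in F1 is an assumption of this example; the slides only state that related pairs are chosen by planar-affinity.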
Loops are Analyzed as Methods
• Transform loops into tail-recursive functions.
• The proposed fixpoint analysis works both for loops and for general recursion:
  • nested loops
  • mutually-recursive methods