Program Analysis
Instructor: Martin Vechev
Author: Gagandeep Singh
March 19, 2015
Numerical Abstract Domains
▶ Interval: cheap but less expressive
▶ Polyhedra: expressive but costly
▶ Octagon: cheaper than Polyhedra, limited expressive power
▶ Pentagon: cheaper but less expressive than Octagon
Figure: the four domains placed on a plot of asymptotic complexity against expressive power, labelled with their constraint forms: Interval c ≤ x ≤ d; Pentagon (c ≤ x ≤ d) ∧ (x < y); Octagon ±x ± y ≤ c.
Abstract Interpretation Recipe
1. come up with an abstract domain
   ▶ select it based on the type of properties you want to prove
2. define abstract semantics for the programming language w.r.t. the abstract domain from step 1.
   ▶ we need to define the abstract transformers, that is, the effect of each statement/expression on the abstract domain
   ▶ we need to prove that the abstract semantics are sound w.r.t. the concrete semantics of the programming language
3. iterate the abstract transformers over the abstract domain
   ▶ until we reach a fixed point
Domain of Strict Upper Bounds (SUB)
▶ For each variable x store the set s(x) of all other variables y s.t. x < y
▶ SUB domain: {S_s, ⊑_s, ⊔_s, ⊓_s, ⊥_s, ⊤_s}
▶ s = ⊥_s ⟺ ∃x, y s.t. y ∈ s(x) ∧ x ∈ s(y)
▶ S is the set of all SUB constraint maps, S_s = S ∪ {⊥_s}
▶ s = ⊤_s ⟺ ∀x, s(x) = ∅
Domain of Strict Upper Bounds (SUB)
▶ s1 ⊑_s s2 ⟺ ∀x, s1(x) ⊇ s2(x) (more bounds means more precise, i.e. smaller)
▶ s1 ⊔_s s2 = λx. s1(x) ∩ s2(x)
▶ s1 ⊓_s s2 = λx. s1(x) ∪ s2(x)
▶ s1 ∇_s s2 = λx. s1(x) ⊆ s2(x) ? s2(x) : ∅
  (this is an upper bound of s1 only when s2 ⊒_s s1, as in s1 ∇_s (s1 ⊔_s s'); then a bound set is kept exactly when it is stable and dropped otherwise)
▶ Closure is not performed, to avoid cubic complexity
▶ No Galois insertion
▶ The domain loses precision for various operators
Pentagon Abstract Domain
▶ Introduced in 2008 by Francesco Logozzo and Manuel Fähndrich
▶ Quadratic space complexity
▶ Quadratic time complexity
▶ Used in the Clousot analyzer for verifying runtime correctness of .NET assemblies
▶ Francesco Logozzo and Manuel Fähndrich, "Pentagons: A weakly relational abstract domain for the efficient validation of array accesses", in SAC 2008
Pentagon Abstract Domain
▶ The Pentagon domain is the reduced product of two domains:
   ▶ Interval: c ≤ x ≤ d
   ▶ Strict Upper Bounds (SUB): x < y
▶ Useful for checking array out-of-bounds errors
   ▶ The interval component takes care of index underflow, e.g. index ≥ 0
   ▶ The SUB component takes care of index overflow, e.g. index < array.length
Pentagons
Let i be the set of interval constraints and s the set of SUB constraints over n variables; then a Pentagon is the conjunction of all the constraints in i and s, represented as the tuple (i, s).
Figure: the pentagon-shaped region described by −1 ≤ x ≤ 1, 0 ≤ y ≤ 2 and x < y (the box cut by the line x = y).
Pentagon Abstract Domain
▶ The Pentagon Domain: {P_p, ⊑_p, ⊔_p, ⊓_p, ⊥_p, ⊤_p}
▶ (i, s) = ⊥_p ⟺ (i = ⊥_i) ∨ (s = ⊥_s)
▶ P is the set of all Pentagons, P_p = P ∪ {⊥_p}
▶ (i, s) = ⊤_p ⟺ (i = ⊤_i) ∧ (s = ⊤_s)
Pentagon Abstract Domain
▶ (i1, s1) ⊑_p (i2, s2) ⟺ (i1 ⊑_i i2) ∧ (∀x, ∀y ∈ s2(x): y ∈ s1(x) ∨ sup(i1(x)) < inf(i1(y)))
  (every bound x < y in s2 must be stated in s1 or implied by the intervals of i1)
▶ (i1, s1) ⊔_p (i2, s2) = (i1 ⊔_i i2, s' ∪ s'' ∪ s'''), with the union taken pointwise, where
   ▶ s' = λx. s1(x) ∩ s2(x)
   ▶ s'' = λx. {y ∈ s1(x) | sup(i2(x)) < inf(i2(y))}
   ▶ s''' = λx. {y ∈ s2(x) | sup(i1(x)) < inf(i1(y))}
▶ (i1, s1) ⊓_p (i2, s2) = (i1 ⊓_i i2, s1 ⊓_s s2)
▶ (i1, s1) ∇_p (i2, s2) = (i1 ∇_i i2, s1 ∇_s s2)