Lifting Abstract Interpreters to Quantified Logical Domains

Sumit Gulwani, MSRBill McCloskey, UCB

Ashish Tiwari, SRI

1

Motivating Example

2

a[0] = 0;for (i=1; i<n; i++) a[i] = 0;Postcondition: i n a[0] = 0

k (0 ≤ k < i a[k] = 0)

How Are Quantifiers Useful?

• Reasoning about arrays– k (0 ≤ k < STRLEN(s) s[k] '!')– j, k (0 ≤ j < k < n a[j] ≤ a[k])

• Reasoning about pointer-based data structures

– u (R(hd, u) R(u, tl) udata = 0) means list is initialized from hd to tl

Security properties

Sorting

u vR(u, v)

3

What Do Quantifiers Look Like?

4

k ( 0 ≤ k < n a[k] = 0 )

Typically seeonly universalquantifiers

Comes fromsome domain,e.g. linear arithmetic

Belongs to anotherdomain, e.g. equality ofuninterpreted functions

• Goal: Create a universally quantified domain parameterized by base domains– Take advantage of existing domains, transfer functions

Quantifier-Free Domain Quantified Domain

Universally Quantified Domain

5

A V1.(B1 C1) ... Vn.(Bn Cn)Domain Element Definition

Partial Order Definition

V.(B C) V. (B' C')

C v C'

B' v B

A V.(B C) v A' V.(B' C')

if 1. A v A'

2. A

A

Transfer Function Example

6

A[0] := 0; i := 1A[0] := 0; i := 1

true

?

?

?

?i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 2 A[0] = 0 A[1] = 0

6

i < ni < nT F

?

A[i] := 0; i := i+1A[i] := 0; i := i+1

Transfer Function Example

7

A[0] := 0; i := 1A[0] := 0; i := 1

true

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 2 A[0] = 0 A[1] = 0

7

i < ni < nT F

?

A[i] := 0; i := i+1A[i] := 0; i := i+1

i < ni < nT F

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0Join Algorithm

i = 1 A[0] = 0 i = 2 A[0] = 0 A[1] = 0

1 i 2 A[0] = 0

Transfer Function Example

8

A[0] := 0; i := 1A[0] := 0; i := 1

true

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 2 A[0] = 0 A[1] = 0

8

i < ni < nT F

?

A[i] := 0; i := i+1A[i] := 0; i := i+1

i < ni < nT F

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0Join Algorithm

i = 1 A[0] = 0 i = 2 A[0] = 0 A[1] = 0

i = 1 k(k = 0 A[k] = 0)

i = 2 k(0 k 1 A[k] = 0)

1 i 2 k(0 k < i A[k] = 0)

Transfer Function Example

9

A[0] := 0; i := 1A[0] := 0; i := 1

i < ni < n

A[i] := 0; i := i+1A[i] := 0; i := i+1

T F

true

9

i = 1 k(k = 0 A[k] = 0)

1 i k(0 k < i A[k] = 0)

1 i < n k(0 k < i A[k] = 0)

2 i n k(0 k < i A[k] = 0)

i n k(0 k < i A[k] = 0)

Outline

• Join Algorithm– Quantifier introduction– Joining quantifiers

• Experiments• Conclusion

10

Quantifier Introduction

• Quantified facts are drawn from standard facts in A

• User gives set of templates to guide quantification

• Experiments show that few templates are needed

b[0] = 0

b[0] ≤ b[1]

k (k = 0 b[k] = 0)

j, k (j = 0 k = 1 b[j] ≤ b[k])

b[0] = 0 k(k = 0 b[k] = 0)A[*] = c

11

Env fact Template Quantified fact (result)

b[0] ≤ b[1] A[*] ≤ A[*] j, k (j = 0 k = 1 b[j] ≤ b[k])

Outline

• Join Algorithm– Quantifier introduction– Joining quantifiers

• Experiments• Conclusion

12

Transfer Function Example

13

A[0] := 0; i := 1A[0] := 0; i := 1

true

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 2 A[0] = 0 A[1] = 0

13

i < ni < nT F

?

A[i] := 0; i := i+1A[i] := 0; i := i+1

i < ni < nT F

i = 1 A[0] = 0

i = 1 A[0] = 0

i = 1 A[0] = 0Join Algorithm

i = 1 A[0] = 0 i = 2 A[0] = 0 A[1] = 0

i = 1 k(k = 0 A[k] = 0)

i = 2 k(0 k 1 A[k] = 0)

1 i 2 k(0 k < i A[k] = 0)

Joining Quantifiers

• Goal: (AL V.(BL CL)) t (AR V. (BR CR))• Result must be above both inputs in v, so:– AL V.(BL CL) v A V.(B C)– AR V. (BR CR) v A V.(B C)

• Based on v definition:

14

1. AL v A and AR v A

V.(BL CL) V. (B C)

AL CL v C

AL B v BL

2.

V.(BR CR)

AR CR v C

AR B v BR

so A = AL t AR

Joining Quantifiers

• C = (AL CL) t (AR CR)• Rewriting for B:

• Best solution for B = (AL BL) (AR BR)• If it's not in domain, pick best under-approximation

15

B v AL BL and B v AR BR

or, B v AL BL and B v AR BR

V.(BL CL) V. (B C)

AL CL v C

AL B v BL

V.(BR CR)

AR CR v C

AR B v BR

Under-Approximation Example

• Compute (i = 1 k = 0) (i = 2 0 k 1) in LA• 1st step: guess an over-approximation of the answer

• 2nd step: Check if (0 k < i) is correct; refine if not

16

(i = 1 k = 0) t (i = 2 0 k 1)= (1 i 2 0 k < i)

Many details skipped. See paper!

(0 k < i) (i = 1 k = 0) (i = 2 0 k 1) ? YES

Outline

• Join Algorithm– Quantifier introduction– Joining quantifiers

• Experiments• Conclusion

17

ExperimentsProcedure Time (s) Ratio to base # Tmpls

Array initialization 3.2 s 2.1x 1

C main() argument scan 4.1 s 2.1x 1

Array copy 5.5 s 2.5x 1

Array copy (start with non-zero elements) 11.3 s 1.7x 1

Array copy (only copy positive elements) 12.0 s 2.0x 1

Find element in array 24.6 s 3.0x 1

Partition array into zero/non-zero parts 73.0 s 3.2x 2

Insertion sort inner loop 35.9 s 18x 3

Quicksort inner loop 42.2 s 9.4x 3

Selection sort inner loop 59.2 s 7.3x 3

Merge sort inner loop 334.1 s 4.5x 3

Linked list remove 20.5 s 14.6x 1

Linked list insert 23.9 s 17.1x 1

Linked list initialization 24.5 s 12.9x 1

Linked list creation 42.0 s 12.4x 1

Invariant: a[k] = b[k] for all k

Invariant: All data fields of list are zero

Quantified Domain Construction Works!

19

Base domain D•partial order•transfer functions

Under-approximation operatorsfor D (optional)

Quantified domain Q•3x slowdown relative to D•transfer functions relatively complete

Under-approximation