Static Program Analysis -...
-
Upload
trinhthuan -
Category
Documents
-
view
284 -
download
0
Transcript of Static Program Analysis -...
![Page 1: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/1.jpg)
Static Program Analysis Foundations of Abstract Interpretation
Sebastian Hack, Christian Hammer, Jan Reineke
Advanced Lecture, Winter 2014/15
![Page 2: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/2.jpg)
Overview: Numerical Abstractions
Refinement of abstract ions
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 73 — ľ P. Cousot , 2005
Approximat ions of an [in]finite set of points:
from above
x
y
f : : : ; h19; 77i ; : : : ;
h20; 03i ; : : :g
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 74 — ľ P. Cousot , 2005
Approximat ions of an [in]finite set of points:
from above
x
y f : : : ; h19; 77i ; : : : ;
h20; 03i ; h?; ?i ; : : :g
From Below: dual 3 + combinat ions.
3 Trivial for finite states (liveness model-checking), more difficult for infinite states (variant funct ions).
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 75 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Signs 4
x
y
x – 0
y – 0
4 P. Cousot & R. Cousot. Systemat ic design of program analysis frameworks. ACM POPL ’79, pp. 269–282,
1979.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 76 — ľ P. Cousot , 2005
![Page 3: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/3.jpg)
Overview: Numerical Abstractions
Signs (Cousot & Cousot, 1979)
Refinement of abstract ions
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 73 — ľ P. Cousot , 2005
Approximat ions of an [in]finite set of points:
from above
x
y
f : : : ; h19; 77i ; : : : ;
h20; 03i ; : : :g
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 74 — ľ P. Cousot , 2005
Approximat ions of an [in]finite set of points:
from above
x
y f : : : ; h19; 77i ; : : : ;
h20; 03i ; h?; ?i ; : : :g
From Below: dual 3 + combinat ions.
3 Trivial for finite states (liveness model-checking), more difficult for infinite states (variant funct ions).
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 75 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Signs 4
x
y
x – 0
y – 0
4 P. Cousot & R. Cousot. Systemat ic design of program analysis frameworks. ACM POPL ’79, pp. 269–282,
1979.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 76 — ľ P. Cousot , 2005
![Page 4: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/4.jpg)
Overview: Numerical Abstractions
Intervals (Cousot & Cousot, 1976) Effect ive computable approximat ions of an
[in]finite set of points; Intervals5
x
y
x 2 [19; 77]
y 2 [20; 03]
5 P. Cousot & R. Cousot. Stat ic determinat ion of dynamic propert ies of programs. Proc. 2nd Int . Symp. on
Programming, Dunod, 1976.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 77 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Octagons 6
x
y
8>>><
>>>:
1 » x » 9
x + y » 77
1 » y » 9
x ` y » 99
6 A. Miné. A New Numerical Abst ract Domain Based on Difference-Bound Matrices. PADO ’2001.
LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on
ht t p: / / www. di . ens. f r / ~mi ne/ oct /
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 78 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Polyhedra 7
x
y
19x + 77y » 2004
20x + 03y – 0
7 P. Cousot & N. Halbwachs. Automat ic discovery of linear restraints among variables of a program. ACM
POPL, 1978, pp. 84–97.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 79 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Simplecongruences 8
x
y
x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Stat ic Analysis of Arithmet ical Congruences. Int . J. Comput. Math. 30, 1989, pp. 165–190.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 80 — ľ P. Cousot , 2005
![Page 5: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/5.jpg)
Overview: Numerical Abstractions
Octagons (Mine, 2001) Effect ive computable approximat ions of an
[in]finite set of points; Intervals 5
x
y
x 2 [19; 77]
y 2 [20; 03]
5 P. Cousot & R. Cousot. Stat ic determinat ion of dynamic propert ies of programs. Proc. 2nd Int . Symp. on
Programming, Dunod, 1976.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 77 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Octagons 6
x
y
8>>><
>>>:
1 » x » 9
x + y » 77
1 » y » 9
x ` y » 99
6 A. Miné. A New Numerical Abst ract Domain Based on Difference-Bound Matrices. PADO ’2001.
LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on
ht t p: / / www. di . ens. f r / ~mi ne/ oct /
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 78 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Polyhedra 7
x
y
19x + 77y » 2004
20x + 03y – 0
7 P. Cousot & N. Halbwachs. Automat ic discovery of linear restraints among variables of a program. ACM
POPL, 1978, pp. 84–97.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 79 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Simplecongruences 8
x
y
x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Stat ic Analysis of Arithmet ical Congruences. Int . J. Comput . Math. 30, 1989, pp. 165–190.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 80 — ľ P. Cousot , 2005
![Page 6: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/6.jpg)
Overview: Numerical Abstractions
Polyhedra (Cousot & Halbwachs, 1978)
Effect ive computable approximat ions of an
[in]finite set of points; Intervals5
x
y
x 2 [19; 77]
y 2 [20; 03]
5 P. Cousot & R. Cousot. Stat ic determinat ion of dynamic propert ies of programs. Proc. 2nd Int . Symp. on
Programming, Dunod, 1976.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 77 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Octagons 6
x
y
8>>><
>>>:
1 » x » 9
x + y » 77
1 » y » 9
x ` y » 99
6 A. Miné. A New Numerical Abst ract Domain Based on Difference-Bound Matrices. PADO ’2001.
LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on
ht t p: / / www. di . ens. f r / ~mi ne/ oct /
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 78 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Polyhedra 7
x
y
19x + 77y » 2004
20x + 03y – 0
7 P. Cousot & N. Halbwachs. Automat ic discovery of linear restraints among variables of a program. ACM
POPL, 1978, pp. 84–97.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 79 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Simplecongruences 8
x
y
x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Stat ic Analysis of Arithmet ical Congruences. Int . J. Comput . Math. 30, 1989, pp. 165–190.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 80 — ľ P. Cousot , 2005
Very Expensive…
![Page 7: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/7.jpg)
Overview: Numerical Abstractions
Simple and Linear Congruences (Granger,
1989+1991)
Effect ive computable approximat ions of an
[in]finite set of points; Intervals5
x
y
x 2 [19; 77]
y 2 [20; 03]
5 P. Cousot & R. Cousot. Stat ic determinat ion of dynamic propert ies of programs. Proc. 2nd Int . Symp. on
Programming, Dunod, 1976.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 77 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Octagons 6
x
y
8>>><
>>>:
1 » x » 9
x + y » 77
1 » y » 9
x ` y » 99
6 A. Miné. A New Numerical Abst ract Domain Based on Difference-Bound Matrices. PADO ’2001.
LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on
ht t p: / / www. di . ens. f r / ~mi ne/ oct /
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 78 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Polyhedra 7
x
y
19x + 77y » 2004
20x + 03y – 0
7 P. Cousot & N. Halbwachs. Automat ic discovery of linear restraints among variables of a program. ACM
POPL, 1978, pp. 84–97.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 79 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Simplecongruences 8
x
y
x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Stat ic Analysis of Arithmet ical Congruences. Int . J. Comput. Math. 30, 1989, pp. 165–190.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 80 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Linearcongruences 9
x
y
1x + 9y = 7 mod 8
2x ` 1y = 9 mod 9
9 Ph. Granger. Stat ic Analysis of Linear Congruence Equalit ies among Variables of a Program.
TAPSOFT ’91, pp. 169–192. LNCS 493, Springer, 1991.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 81 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Trapezoidal lin-ear congruences 10
x
y
1x + 9y 2 [0; 77] mod 10
2x ` 1y 2 [0; 99] mod 11
10 F. Masdupuy. Array Operat ions Abstract ion Using Semant ic Analysis of Trapezoid Congruences. ACM
ICS ’92.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 82 — ľ P. Cousot , 2005
Refinement of iterates
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 83 — ľ P. Cousot , 2005
Graphic example: Refinement requiredby false alarms
x(t)
t
Forbidden zone
False alarms
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 84 — ľ P. Cousot , 2005
![Page 8: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/8.jpg)
Numerical Abstractions
Which abstraction is the most precise?
Depends on questions you want to answer! Effect ive computable approximat ions of an
[in]finite set of points; Linearcongruences 9
x
y
1x + 9y = 7 mod 8
2x ` 1y = 9 mod 9
9 Ph. Granger. Stat ic Analysis of Linear Congruence Equalit ies among Variables of a Program.
TAPSOFT ’91, pp. 169–192. LNCS 493, Springer, 1991.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 81 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Trapezoidal lin-ear congruences 10
x
y
1x + 9y 2 [0; 77] mod 10
2x ` 1y 2 [0; 99] mod 11
10 F. Masdupuy. Array Operat ions Abst ract ion Using Semant ic Analysis of Trapezoid Congruences. ACM
ICS’92.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 82 — ľ P. Cousot , 2005
Refinement of iterates
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 83 — ľ P. Cousot , 2005
Graphic example: Refinement requiredby false alarms
x(t)
t
Forbidden zone
False alarms
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 84 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Intervals5
x
y
x 2 [19; 77]
y 2 [20; 03]
5 P. Cousot & R. Cousot. Stat ic determinat ion of dynamic propert ies of programs. Proc. 2nd Int . Symp. on
Programming, Dunod, 1976.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 77 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Octagons 6
x
y
8>>><
>>>:
1 » x » 9
x + y » 77
1 » y » 9
x ` y » 99
6 A. Miné. A New Numerical Abst ract Domain Based on Difference-Bound Matrices. PADO ’2001.
LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on
ht t p: / / www. di . ens. f r / ~mi ne/ oct /
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 78 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Polyhedra 7
x
y
19x + 77y » 2004
20x + 03y – 0
7 P. Cousot & N. Halbwachs. Automat ic discovery of linear restraints among variables of a program. ACM
POPL, 1978, pp. 84–97.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 79 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Simplecongruences 8
x
y
x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Stat ic Analysis of Arithmet ical Congruences. Int . J. Comput. Math. 30, 1989, pp. 165–190.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 80 — ľ P. Cousot , 2005
✓ ✗
![Page 9: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/9.jpg)
Numerical Abstractions
Which abstraction is the most precise?
Depends on questions you want to answer! Effect ive computable approximat ions of an
[in]finite set of points; Linearcongruences 9
x
y
1x + 9y = 7 mod 8
2x ` 1y = 9 mod 9
9 Ph. Granger. Stat ic Analysis of Linear Congruence Equalit ies among Variables of a Program.
TAPSOFT ’91, pp. 169–192. LNCS 493, Springer, 1991.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 81 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Trapezoidal lin-ear congruences 10
x
y
1x + 9y 2 [0; 77] mod 10
2x ` 1y 2 [0; 99] mod 11
10 F. Masdupuy. Array Operat ions Abst ract ion Using Semant ic Analysis of Trapezoid Congruences. ACM
ICS’92.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 82 — ľ P. Cousot , 2005
Refinement of iterates
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 83 — ľ P. Cousot , 2005
Graphic example: Refinement requiredby false alarms
x(t)
t
Forbidden zone
False alarms
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 84 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Intervals5
x
y
x 2 [19; 77]
y 2 [20; 03]
5 P. Cousot & R. Cousot. Stat ic determinat ion of dynamic propert ies of programs. Proc. 2nd Int . Symp. on
Programming, Dunod, 1976.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 77 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Octagons 6
x
y
8>>><
>>>:
1 » x » 9
x + y » 77
1 » y » 9
x ` y » 99
6 A. Miné. A New Numerical Abst ract Domain Based on Difference-Bound Matrices. PADO ’2001.
LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on
ht t p: / / www. di . ens. f r / ~mi ne/ oct /
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 78 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Polyhedra 7
x
y
19x + 77y » 2004
20x + 03y – 0
7 P. Cousot & N. Halbwachs. Automat ic discovery of linear restraints among variables of a program. ACM
POPL, 1978, pp. 84–97.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 79 — ľ P. Cousot , 2005
Effect ive computable approximat ions of an
[in]finite set of points; Simplecongruences 8
x
y
x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Stat ic Analysis of Arithmet ical Congruences. Int . J. Comput. Math. 30, 1989, pp. 165–190.
Course 16.399: “Abst ract interpretat ion” , Thursday, February 10, 2005 — 80 — ľ P. Cousot , 2005
✓ ✗
![Page 10: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/10.jpg)
Partial Order of Abstractions
Intervals
Octagons
Polyhedra
Signs
Simple Congruences
Linear Congruences
Constants Parity
![Page 11: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/11.jpg)
Relational domains
Non-relational domains
Partial Order of Abstractions
Intervals
Octagons
Polyhedra
Signs
Simple Congruences
Linear Congruences
Constants Parity
![Page 12: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/12.jpg)
Characteristics of Non-relational Domains
Non-relational/independent attribute
abstraction:
Abstract each variable separately
Maintains no relations between variable values
Can be lifted to an abstraction of valuations of
multiple variables in the expected way:
![Page 13: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/13.jpg)
The Interval Domain
Abstracts sets of values by enclosing interval
where is appropriately extended from to
Intervals are ordered by inclusion:
forms a complete lattice.
![Page 14: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/14.jpg)
Concretization and Abstraction of Intervals
Concretization:
Abstraction:
They form a Galois connection.
![Page 15: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/15.jpg)
Interval Arithmetic
Calculating with Intervals:
![Page 16: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/16.jpg)
Example: Interval Analysis
x [0,0]
y top
x [0,0]
y top
x [1,1]
y top
x [1,1]
y [2,2]
x [0,1]
y [3,3]
x [0,1]
y [3,3]
x [1,2]
y [3,3]
x [1,2]
y [2,4]
x [0,2]
y [3,5]
x [0,2]
y [3,5]
x [1,3]
y [3,5]
x [1,3]
y [2,6]
x [0,3]
y [3,7]
x [3,3]
y [3,7]
Imprecise
due to non-
relational
analysis
Would Octagons
determine that y must be
7 at program point 5?
start
1 5
x = 0
Pos(x < 3)
Neg(x < 3)
x = x+1
2
3
4
y = y+1
y = 2*x
![Page 17: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/17.jpg)
Intervals, Hasse diagram
Ascending chain condition
is not satisfied!
Kleene iteration is not
guaranteed to terminate!
[0, infty]
[-infty, infty]
[-1,1]
[-2,-1] [-1,0] [0,1] [1,2]
[-2,-2] [-1,-1] [0,0] [1,1] [2,2]
[1, infty]
[-1, infty]
[-infty,0]
[-infty,1]
[-infty, -1]
![Page 18: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/18.jpg)
Example: Interval Analysis
start
1 3
x = 0
Pos(x < 1000)
Neg(x < 1000)
x = x+1
2
…
1000 iterations later
![Page 19: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/19.jpg)
Solution: Widening
“Enforce Ascending Chain Condition”
Widening enforces the
ascending chain
condition during analysis.
Accelerates termination
by moving up the lattice
more quickly.
May yield imprecise
results… lfp F
lfp∇F
safe
but
possibly imprecise
{ x | x ⊒ lfp F }
![Page 20: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/20.jpg)
Widening: Formal Requirement
A widening ∇ is an operator ∇: D x D → D such that
1. Safety: x ⊑ ( x ∇ y ) and y ⊑ ( x ∇ y )
2. Termination:
forall ascending chains x0 ⊑ x1 ⊑ ... the chain
y0 = x0
yi+1 = yi ∇ xi+1
is finite.
![Page 21: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/21.jpg)
Widening Operator for Intervals
Simplest solution:
Example:
![Page 22: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/22.jpg)
Example Revisited:
Interval Analysis with Simple Widening
start
1 3
x = 0
Pos(x < 1000)
Neg(x < 1000)
x = x+1
2
Quick termination but imprecise result!
Standard Kleene Iteration:
Kleene Iteration with Widening:
Do we need to apply
widening at all
program points?
![Page 23: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/23.jpg)
More Sophisticated Widening for Intervals
Define set of jump points (barriers) based on
constants appearing in program, e.g.:
Intuition: “Don’t jump to –infty, +infty immediately
but only to next jump point.”
![Page 24: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/24.jpg)
Example Revisited:
Interval Analysis with Sophisticated Widening
start
1 3
x = 0
Pos(x < 1000)
Neg(x < 1000)
x = x+1
2
More precise, potentially terminates more slowly.
![Page 25: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/25.jpg)
Another Example:
Interval Analysis with Sophisticated Widening
start
1 5
x = 0
Pos(x < 1000)
Neg(x < 1000)
x = x+1
2
3
4
y = y+1
y = 2*x
Would be [2, 2000] in
least fixed point, but
2000 does not appear
in the program…
![Page 26: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/26.jpg)
Narrowing:
Recovering Precision
Widening may yield
imprecise results by
overshooting the least
fixed point.
Narrowing is used to
approach the least
fixed point from above.
lfp∇ F
{ x | x ⊒ lfp F }
lfp F
How can we
safely move
down the
lattice?
Possible problem: infinite descending chains
Is it really a problem?
![Page 27: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/27.jpg)
Narrowing:
Recovering Precision
Widening terminates at a point x ⊒ lfp F.
We can iterate:
x0 = x
xi+1 = F(xi) ⊓ xi
Safety: By monotonicity we know F(x) ⊒ F(lfp F) = lfp F. By induction we can easily show that xi ⊒ lfp F for all i.
Termination: Depends on existence of infinite descending chains.
![Page 28: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/28.jpg)
Narrowing: Formal Requirement
A narrowing ∆ is an operator ∆ : D x D → D such that
1. Safety: l ⊑ x and l ⊑ y l ⊑ (x ∆ y) ⊑ x
2. Termination:
for all descending chains x0 ⊒ x1 ⊒ ... the chain
y0 = x0
yi+1 = yi ∆ xi+1
is finite.
Is (“meet”) a narrowing operator on intervals?
![Page 29: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/29.jpg)
Simplest solution:
Example:
Narrowing Operator for Intervals
![Page 30: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/30.jpg)
Result after Widening:
Another Example Revisited:
Interval Analysis with Widening and Narrowing
start
1 5
x = 0
Pos(x < 1000)
Neg(x < 1000)
x = x+1
2
3
4
y = y+1
y = 2*x
Result after Narrowing:
Precisely the least fixed point!
![Page 31: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/31.jpg)
Some Applications of Numerical Domains
Immediate applications:
To rule out runtime errors, such as division by
zero, buffer overflows, exceeding upper or
lower bounds of data types
Within other analyses:
Cache Analysis
Loop Bound Analysis
![Page 32: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/32.jpg)
Reduction:
Loop Bound Analysis to Value Analysis start
1
3
6 7
8
x = x % 5
loopc = 0leftc = 0rightc = 0
Pos(x < y)
Pos(a<b) Neg(a<b)
Neg(x < y)
leftc++x = x+2
rightc++x = x+1
4
5
loopc++
2
y = 42
start
1
2
5
6 7
8
x = x % 5
y = 42
Pos(x < y)
Pos(a<b) Neg(a<b)
Neg(x < y)
x = x+2 x = x+1
3
4
a = M[x]
b = M[x+1]
Instrument program
with counters of loop
iterations and other
interesting events
![Page 33: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/33.jpg)
Summary
Interval Analysis:
A non-relational value analysis
Widenings for termination in the presence of
Infinite Ascending Chains
Narrowings to recover precision
Basic Approach to Loop Bound Analysis
based on Value Analysis
![Page 34: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/34.jpg)
State of the Art in Loop Bound Analysis
Multiple approaches of varying sophistication
Pattern-based approach
Slicing + Value Analysis + Invariant Analysis
Reduction to Value Analysis
![Page 35: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/35.jpg)
Loop Bound Analysis:
Pattern-based Approach
Identify common loop patterns; derive loop
bounds for pattern once manually
for (x < 6) {
…
x++;
}
No
modification
of x.
Initial value
of x?
Loop bound: 6-minimal value of x
![Page 36: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/36.jpg)
Slicing + Value Analysis + Invariant Analysis
[Ermedahl et al., WCET 2007]
Combination of multiple analyses:
1. Slicing: eliminate code that is irrelevant for
loop termination
2. Value analysis: determine possible values of
all variables in slice
3. Invariant analysis: determine variables that
do not change during loop execution
4. Loop bound = set of possible valuations of
non-invariant variables
Program slicing is the computation of the set of programs statements, the program slice,
that may affect the values at some point of interest, referred to as a slicing criterion.
![Page 37: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/37.jpg)
Slicing + Value Analysis + Invariant Analysis
[Ermedahl et al., WCET 2007]
int OUTPUT = 0;
int i = 1;
while (i <= INPUT) {
OUTPUT += 2;
i += 2;
}
int i = 1;
while (i <= INPUT) {
i += 2;
}
Step 1: Slicing with
slicing criterion (i <= INPUT)
![Page 38: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/38.jpg)
Slicing + Value Analysis + Invariant Analysis
[Ermedahl et al., WCET 2007]
int i = 1;
while (i <= INPUT) {
i += 2;
}
Observation:
If the loop terminates, the program can only be in
any particular state once.
Determine number of states the program can
be in at the loop header.
Value Analysis:
INPUT in [10, 20] (assumption)
i in [1, 20], i % 2 = 1
11 * 10 states
Loop bound 110!
Step 2: Value Analysis
![Page 39: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/39.jpg)
Slicing + Value Analysis + Invariant Analysis
[Ermedahl et al., WCET 2007]
int i = 1;
while (i <= INPUT) {
i += 2;
}
Observation:
Value of INPUT is not completely known, but
INPUT does not change during loop.
Determine variables that are invariant during
loop.
Value Analysis:
INPUT in [10, 20] (assumption)
i in [1, 20] , i % 2 = 1
INPUT is invariant!
Loop bound 10!
Step 3: Invariant Analysis
![Page 40: Static Program Analysis - uni-saarland.decompilers.cs.uni-saarland.de/teaching/spa/2014/slides/static... · Static Program Analysis Foundations of Abstract Interpretation ... See](https://reader030.fdocuments.net/reader030/viewer/2022020204/5b686d267f8b9a20388c9bac/html5/thumbnails/40.jpg)
Reduction:
Loop Bound Analysis to Value Analysis start
1
3
6 7
8
x = x % 5
loopc = 0leftc = 0rightc = 0
Pos(x < y)
Pos(a<b) Neg(a<b)
Neg(x < y)
leftc++x = x+2
rightc++x = x+1
4
5
loopc++
2
y = 42
start
1
2
5
6 7
8
x = x % 5
y = 42
Pos(x < y)
Pos(a<b) Neg(a<b)
Neg(x < y)
x = x+2 x = x+1
3
4
a = M[x]
b = M[x+1]
Instrument program
with counters of loop
iterations and other
interesting events
Upper bound for
loopc is loop bound!
Requires very
powerful relational
analysis…