Compilation and Program Analysis (#8) : Abstract Interpretation

Transcription

1 Compilation and Program Analysis (#8) : Abstract Interpretation Laure Gonnord Laure.Gonnord@ens-lyon.fr Master, ENS de Lyon Nov 7

2 Objective Compilation vs program analysis : Compilation : generate code (with the same semantics). Program Analysis : infer properties, prove absence of bugs. Programs are inputs. Inspiration for slides : M course Program Analysis, D. Monniaux, D. Hirschkoff, P. Roux,.... Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

3 Reference book Chapters. (dataflow) and (abstract interpretation). A nice paper (in french), about ocaml implementation for finite lattices : http: //perso.ens-lyon.fr/pierre.roux/media/jfla.pdf Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

4 Program analysis & Abstract Interpretation Typical questions we want to ask/bugs to avoid x:=a/b make sure that b. x:=t[i] make sure that i is within the bounds of t. i:=i+ make sure there is no overflow. or more complex properties. Fully automatic! Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

5 Come back on dataflow Come back on dataflow A bit of theory : IA on finite lattices Computing Invariants in infinite height lattices. Application - Tools Designing Analyses that scale Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

6 Come back on dataflow Liveness entry Block l exit LV exit (l) = {LVentry (l ) (l, l ) flow(g)} if l = final LV entry (l) = ( LV exit (l)\kill LV (l) ) gen LV (l) Backward set of recurrence equations. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

7 Come back on dataflow Available expressions entry Block l exit AE entry (l) = {AEexit (l ) (l, l) flow(g)} if l = init AE exit (l) = ( AE entry (l)\kill AE (l) ) gen AE (l) Forward set of recurrence equations. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

8 Come back on dataflow Common points Computing growing sets from via fixpoint iterations. (or the dual) Sets of equations of the form (collecting semantics) : S(l) = f(s(l )) (l,l) E where f is computed w.r.t. the program statements S is an abstract interpretation of the program. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

9 A bit of theory : IA on finite lattices Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Application - Tools Designing Analyses that scale Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 9 / 89

10 A bit of theory : IA on finite lattices Concrete semantics : refreshing memories Program control points are denoted by l L. Environnements assign values to variables. Operational semantics : Recursive equations involving sets of environments. The fixpoint yields a function of type L P(Var Val). (set of possible memory states of each variable at each line). Concrete semantics = least fixpoint. It exists (Knaster-Tarski s theorem). No hope to compute it. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

11 A bit of theory : IA on finite lattices Concrete semantics-revisited cos(y) x x := x+ k init k true y := y + x y y := y x Semantics of the programs as transition systems : A state is a pair (k, Val) : Val : Var N d Var is [,..., d ] (finite set, d vars) N is N, Z, Q Initial states : (k init, allv). + transition relation (concrete) denoted by. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

12 A bit of theory : IA on finite lattices Computing concrete semantics-reachability Notations : Σ concrete states, (σ a state). Σ Σ : set of initial states. reachable states : σ is reachable iff : σ Σ σ σ R(X) = {y Σ x X x y}. X n : set of states reachable in at most n steps : X = Σ, X = Σ R(Σ ), X = Σ R(Σ ) R(R(Σ )), etc. The sequence X k is ascending for. Its limit (= the union of all iterates) is the set of reachable states. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

13 A bit of theory : IA on finite lattices Computing invariants Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

14 A bit of theory : IA on finite lattices Computing invariants Computing concrete semantics-iterative computation Remark X n+ = φ(x n ) with φ(x) = Σ R(X). How to compute efficiently the X n? And the limit? Explicit representations of X n (list all states) : If Σ finite, X n converges in at most Σ iterations. else, we have to cope with two problems : Representing the X i s and computing R(X i ). Computing the limit? X = φ n (X ) is the strongest invariant of the program Looking for overapproximations : X X result also called invariant. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

15 A bit of theory : IA on finite lattices Computing invariants Invariants for programs init x := loop x 99 x++ x end {x N, x } is the most precise invariant in control point loop. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

16 A bit of theory : IA on finite lattices Computing invariants Inductive invariants (Inductive) invariant : set X of states s.t. φ(x) X : with φ(x) = X {y Σ x X x y} Properties : If X et Y two invariants, then so is X Y. φ monotonic for (if X Y, then φ(x) φ(y )). φ(x Y ) φ(x) X, same for Y, thus φ(x Y ) X Y. Same for intersections of infinitely many invariants. Thus the strongest invariant can be defined as the intersection of all invariants. This invariant satisfies φ(x) = X, it is the least fixed point of φ. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

17 A bit of theory : IA on finite lattices Computing invariants Back to our problem Given a program (or an interpreted automaton), find inductive invariants for each control point : Recall : a state is a pair (pc, Val) : Val : Var N d We want to compute lfp(φ) with φ(x) = X {y Σ x X x y} and entails the concrete semantics of the program. This is unfeasible in general Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

18 A bit of theory : IA on finite lattices Two problems to solve Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

19 A bit of theory : IA on finite lattices Two problems to solve Representing sets of valuations First problem to cope with : represent sets of valuations Val : Var N d Var is [,..., d ] (finite set, d vars) N is N, Z, Q Find a finite representation! abstract value/abstract domain. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 9 / 89

20 A bit of theory : IA on finite lattices Two problems to solve Representing sets of valuations / Represent values of variables : R pc P(N d ) by a finite computable superset R pc : y y y x x x And compute such abstract values for each control point. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

21 A bit of theory : IA on finite lattices Two problems to solve Computing R Second problem to cope with : computing the transition relation R(l, X) = {(l, x ) x X and (l, x) (l, x )} X is a (representation of a) set of valuations is the program transition function (the semantics) We have to adapt into an abstract semantics. R will be changed into R. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

22 A bit of theory : IA on finite lattices Two problems to solve Some examples of abstractions For numerical values, we can abstract P(Var Val) by : Signs Constant+Value / Non Constant Intervals (Boxes) More complex shapes (see later). The function used to abstract elements of P(Var Val) is denoted by α and called abstraction. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

23 A bit of theory : IA on finite lattices Two problems to solve From a lattice to an abstract domain A lattice : elements, (greatest), (least element), partial order. join (union), meet (intersection), emptiness test. Abstract Domain : Abstraction (α : val element) of the lattice, and concretization (γ) s.t. X γ(α(x) (Galois Connection). Abstract transfer functions : each f is adapted into f s.t. : f(x) γ(f (α(x))) Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

24 A bit of theory : IA on finite lattices Two problems to solve Abstract Domain for signs Lattice for a single element : take the cross product (for all variables), and modify meet, join, order... accordingly. Abstract domain : α, γ? (on board) Give the abstract transfer function for + (on board) Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

25 A bit of theory : IA on finite lattices Two problems to solve Abstract Interpretation, Algorithm (High-level) Algorithm : Write the abstract equations corresponding to the abstract semantics. Interpret the program from the beginning, but abstractly : Compute a lattice element per control point. Always make the union (join) with the former value. Stop when the iteration has stabilized (for all control points). credit examples, P. Roux for Onera Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47 A bit of theory : IA on finite lattices Two problems to solve Abstraction, concretisation for constants Abstraction : α is? Concretization : γ is? Lattice : Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

48 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + 7 8

49 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) 6 (, ) 7 8

50 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) 6 (, ) 7 8

51 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) 6 (, ) 7 8

52 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) 6 (, ) (, 7) (, ) 7 8

53 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) 6 (, ) 7 8

54 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) 6 (, ) 7 8

55 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) (, 8) 6 (, ) 7 8

56 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) (, 8) 6 (, ) (, ) 7 8

57 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) (, 8) 6 (, ) (, ) 7 8

58 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) (, 8) 6 (, ) (, ) 7 8

59 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) (, 8) 6 (, ) (, ) (, 7) (, +8) 7 8

60 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, ) (, 8) 6 (, ) (, ) 7 8

61 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, 8) (, ) (, 8) 6 (, ) (, ) 7 8

62 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, 8) (, ) (, 8) (, 8) 6 (, ) (, ) 7 8

63 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, 8) (, ) (, 8) (, 8) 6 (, ) (, ) (, ) 7 8

64 > / / > + = + = + [ ] + = + [ [ ] ] ()+ 7 + = + + = + [ ] + ()/ + = + [ ] + () + () + 6 = + (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, ) (, 8) (, 8) (, ) (, 8) (, 8) 6 (, ) (, ) (, ) 7 8

65 A bit of theory : IA on finite lattices Two problems to solve Result Termination If the underlying lattice is of finite height, then the fixpoint iteration terminates and the least abstract fixpoint is computed. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

66 A bit of theory : IA on finite lattices Two problems to solve Abstract Interpretation, implementation choices Control Flow Graph, and an abstract value per block. Propagate on the edges of the CFG. On the Abstract Syntax tree, a visitor, and the propagation is made by induction on the syntax. The only stopping test is inside the while visitor. For lab 7, you choose. You are totally free (apart from ANTLR + Python). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

67 Computing Invariants in infinite height lattices. Come back on dataflow A bit of theory : IA on finite lattices Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 9 / 89

68 Computing Invariants in infinite height lattices. In a nutshell The two problems also occur : representation of sets of valuations. abstract transitions (transfer functions). there is another one, how to terminate! Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

69 Computing Invariants in infinite height lattices. Intervals Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

70 Computing Invariants in infinite height lattices. Intervals A first example - Intervals Try to compute an interval for each variable at each program point using interval arithmetic : assume ( x >= && x<= ) ; assume ( y >= && y= ) ; assume ( z >= && z= ) ; t = ( x+y ) z ; Interval for z? [6, 6] Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

71 Computing Invariants in infinite height lattices. Intervals The interval lattice See the exercise sheet. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

72 Computing Invariants in infinite height lattices. Intervals An example that terminates i n t x =; while ( x <) { x=x +; } Loop iterations [, ], [, ], [, ], [, ],... How? φ(x) = Initial state R(X), thus φ([a, b]) = {} [a +, min(b, 999) + ] Stricly growing interval during iterations, then stabilizes : [, ] is an invariant. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

73 Computing Invariants in infinite height lattices. Intervals Termination Problem Third problem to cope with : stopping the computation : Too many computations unbounded loops Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

74 Computing Invariants in infinite height lattices. Intervals One solution... Extrapolation! [, ], [, ], [, ], [, ] [, + ) Push interval : i n t x =; / [, ] / while / [, + i n f t y ) / ( x <) { } / [, ] / x=x +; / [, ] / Yes! [, [ is stable! Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

75 Computing Invariants in infinite height lattices. Intervals Computing inductive invariants as intervals Representation : intervals. The union leads to an overapproximation. We don t know how to compute R(P ) with P interval (The statements may be too complex,...) Replace computation by simpler over-approximation R(X) R (X). The convergence is ensured by extrapolation/widening. We always compute φ (X) with : φ(x) φ (X) In the end, over-approximation of the least fixed point of φ. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

76 Computing Invariants in infinite height lattices. Intervals Computing inductive invariants as intervals - (abstract) Interval operations : +,, on intervals : interval arithmetic union : [a, b] [c, d] : loosing info! widening : (I I with I I ) I = I [a, b] [c, d] = [if c < a then else a, if d > b then + else b] The idea is to infer the dynamic of the intervals thanks to the first terms. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

77 Computing Invariants in infinite height lattices. Intervals Computing inductive invariants as intervals - The widening operator being designed, we compute (x F (x)) Σ, Y = Σ F (Σ ), Y = Y F (Y )... finite computation instead of : Σ, F (Σ ), F (Σ ),... which can be infinite. Theorem (Cousot/Cousot 77) Iteratively computing the reachable states from the entry point with the interval operators and applying widening at entry nodes of loops converges in a finite number of steps to a overapproximation of the least invariant (aka postfixpoint). The widening operators must satisfy the non ascending chain condition (see Cousot/Cousot 977). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 9 / 89

78 Computing Invariants in infinite height lattices. Intervals Invariants for programs - ex init x := loop x 99 x++ x end x [, + ] in loop. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

79 Computing Invariants in infinite height lattices. Intervals Computing inductive invariants as intervals - ex x = random (, 7 ) ; y = cos ( x )+ x while ( y <=) { i f ( x >) x ; else { y = ; x ; } } Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

80 Computing Invariants in infinite height lattices. Intervals Nested loops / Several loops (Bourdoncle, 99) Computing strongly connected subcomponents and iterate inside each : Gray nodes are widening nodes Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

81 Computing Invariants in infinite height lattices. Intervals Improving precision after convergence i n t x =; / [, ] / while / [, + i n f t y ) / ( x <) { } / [, ] / x=x +; / [, ] / we got [, + ) instead of [, 999]. Run one more iteration of the loop : {} [, ] = [, ]. Check if [, ] is an inductive invariant? YES This is called narrowing or descending sequence : ends when we have an inductive invariant or after k applications of the transition function. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

82 Computing Invariants in infinite height lattices. Toward more relational abstract domains Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

83 Computing Invariants in infinite height lattices. Toward more relational abstract domains When intervals are not sufficient assume ( x >= && x <= ) ; y = x ; z = x y ; The human (intelligent) sees z = thus interval [, ], taking into account y = x. Interval arithmetic does not see z = because it does not take y = x into account. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

84 Computing Invariants in infinite height lattices. Toward more relational abstract domains How to track relations Using relational domains. E.g. : keep for each variable an interval for each pair of variables (x, y) an information x y C. (One obtains x = y by x y and y x.) How to compute on that? Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

85 Computing Invariants in infinite height lattices. Toward more relational abstract domains Bounds on differences : practical example Suppose x y, computation is z = x +, then we know z y 7. Suppose x z, that x y and that y z 6, then we know x z. We know how to compute on these relations (transitive closure / shortest path). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

86 Computing Invariants in infinite height lattices. Toward more relational abstract domains Why this is useful Let t(..n) an array in the program. The program writes t(i). Need to know whether i n, otherwise said find bounds on i and on n i... Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

87 Computing Invariants in infinite height lattices. Toward more relational abstract domains Can we do better? How about tracking relations such as x + y 6? At a given program point, a set of linear inequalities. In other words, a convex polyhedron (Linear Relation Anlysis). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 9 / 89

88 Computing Invariants in infinite height lattices. Toward more relational abstract domains Classical Linear Relation Analysis (Halbwachs/Cousot 979) Abstract Interpretation in the Polyhedral domain Infinite Domain with many particularities Discover affine relations on variables Classically used in verification problems. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

89 Computing Invariants in infinite height lattices. Toward more relational abstract domains The polyhedral domain () Convex polyhedra representation : Effective and efficient algorithmic (emptyness test, union, affine transformation... ) Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

90 Computing Invariants in infinite height lattices. Toward more relational abstract domains The polyhedral domain() Intersection, emptyness Affine Transformation : a(p ) = {CX + D X P }. Convex hull (loss of precision) Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

91 Computing Invariants in infinite height lattices. Toward more relational abstract domains The Polyhedral domain () Widening : P Q : limit extrapolation. P Q constraints : take Q constraints and remove those which are not saturated by P. Trick (!) : {x = y = } = { y x } Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

92 Computing Invariants in infinite height lattices. Toward more relational abstract domains Analysis example - x:=;y:= while (x<=) do read(b); if b then x:=x+ else begin x:=x+; y:=y+; end; endif endwhile x x := x + y := y + p in p p out (x,y) := (,) x x x := x + Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

93 Computing Invariants in infinite height lattices. Toward more relational abstract domains Example - p in (x,y) := (,) x x := x + y := y + p x x x := x + p out Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 / 89

94 Computing Invariants in infinite height lattices. Toward more relational abstract domains Linear Relation Analysis - Problems Complexity increases with : number of control points number of numerical variables Approximation is due to : Convex hulls Widening (credits for these slides : Nicolas Halbwachs) Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

95 Computing Invariants in infinite height lattices. Toward more relational abstract domains Complexity (In general) The more precise we are, the higher the costs. Intervals : algorithms O(n), n number of variables. Differences x y C : algorithms O(n ) Octagons ±x ± y C (Miné) : algorithms O(n ) Polyhedra (Cousot / Halbwachs) : algorithms often O( n ). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

96 Computing Invariants in infinite height lattices. Toward more relational abstract domains Delaying widening - Halbwachs 99 / Goubault / Blanchet et al. Fix k and compute : if n = X n = F (X n ) if n < k X n F (X n ) else. Similar to unrolling loops, costly but useful (regular behaviour after a constant number of iterations). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

97 Computing Invariants in infinite height lattices. Toward more relational abstract domains Delaying widening - - ex q p x := ;y := x x := x + x = x := x + y := y + Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 9 / 89

98 Computing Invariants in infinite height lattices. Toward more relational abstract domains Improving the widening operator While applying P Q, intersect with constraints that are satisfied by both P and Q. The constraints must be precomputed. init x := loop x 99 x++ x end Here, with x in the pool of constraints, it avoids narrowing. Warning widening is not monotone, so improving locally is not necessarily a good idea! Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

99 Computing Invariants in infinite height lattices. Toward more relational abstract domains Local improvement with acceleration (Gonnord/Halbwachs 6, Schrammel ) Idea : Sometimes, a fixpoint of a loop can be easily computed without any fixpoint iteration. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

100 Computing Invariants in infinite height lattices. Toward more relational abstract domains Good path heuristic (Gonnord/Monniaux ) Idea : find interesting paths by means of smt-queries Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

101 Application - Tools Come back on dataflow A bit of theory : IA on finite lattices Computing Invariants in infinite height lattices. Application - Tools Designing Analyses that scale Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

102 Application - Tools Applications Bounds on iterators of arrays (intervals, differences on bounds) Dead code elimination (all domains) - especially when the code has been automatically generated / asserts Vectorization : computations that can be permuted Memory optimisation : this int can be encoded in 6 bits? Preconditions for code specialization (on going work with F. Rastello) Safety analysis. Termination. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

103 Application - Tools Tools Frama-C : analysing/ proving correction of C programs (see Apron : numerical domain interface ( Interproc : IA analyser connected to Apron (see http: //pop-art.inrialpes.fr/interproc/interprocweb.cgi Rose / LLVM : C (and more) parsers and API for manipulating C programs. Rose is more decidated to program transformation, LLVM to compiler construction( and Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 6 / 89

104 Application - Tools Industrial succes stories Polyspace Astree Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 66 / 89

105 Application - Tools Demo Time : PAGAI. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 67 / 89

106 Designing Analyses that scale Come back on dataflow A bit of theory : IA on finite lattices Computing Invariants in infinite height lattices. Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 68 / 89

107 Designing Analyses that scale Challenges in Abstract Interpretation Precision of the abstract domain. Thousands, millions of lines of code to analyze. Static analyzers and compilers are complex programs (that also have bugs) Growing need for simple specialized analyses that scale Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 69 / 89

108 Designing Analyses that scale Designing a scalable static analysis : an example OOPSLA : A technique to prove that (some) memory accesses are safe : Less need for additional guards. Based on abstract interpretation. Precision and cost compromise. Implemented in LLVM-compiler infrastructure : Eliminate % of the guards inserted by AddressSanitizer SPEC CPU 6 7% faster Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

109 Designing Analyses that scale Overview Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

110 Designing Analyses that scale Overview A bit on sanitizing memory accesses Different techniques : but all have an overhead. Ex : Address Sanitizer Shadow every memory allocated : byte bit (allocated or not). Guard every array access : check if its shadow bit is valid. slows down SPEC CPU 6 by % We want to remove these guards. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

111 Designing Analyses that scale Overview Green Arrays : overview / Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

112 Designing Analyses that scale Overview Green Arrays : overview / Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

113 Designing Analyses that scale Overview Symbolic ranges : How to ensure scalability? The idea is to work on the intermediate representation to ensure the following key property : SSI Property All abstract values are stable on their live ranges. How? Splitting variables (v, i in the last example). (technical stuff later if there remains time) Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 7 / 89

114 Designing Analyses that scale Scalable symbolic abstract domain Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 76 / 89

115 Designing Analyses that scale Scalable symbolic abstract domain Symbolic Ranges (SRA) : Running example i n t main ( i n t argc ) { i n t v = malloc ( sizeof ( i n t ) argc ) ; i n t i = argc ; v [ i ] = ; i f (? ) { v = r e a l l o c ( sizeof ( i n t ) ) ; i = ; } v [ i ] = ; } Are all accesses to v safe? Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 77 / 89

116 Designing Analyses that scale Scalable symbolic abstract domain Symbolic Ranges (SRA) : On the SSA form Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 78 / 89

117 Designing Analyses that scale Scalable symbolic abstract domain SRA on SSA form : a sparse analysis An abtract interpretation-based technique. Very similar to classic range analysis. One abstract value (R) per variable : sparsity. Easy to implement (simple algorithm, simple data structure). Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 79 / 89

118 Designing Analyses that scale Scalable symbolic abstract domain SRA on SSA form : constraint system v = R(v) = [v, v] v = o R(v) = R(o) v = v v R(v) = R(v ) I R(v ) v = φ(v, v ) R(v) = R(v ) R(v ) other instructions I : abstract effect of the operation on two intervals. : convex hull of two intervals. All these operation are performed symbolically thanks to GiNaC Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

119 Designing Analyses that scale Scalable symbolic abstract domain SRA on SSA form : an example N = randunsigned () i_ = i_ = phi ( i_, i_ ) i_ < N? i_ = i_ + R(i ) = [, ] R(i ) = [, + ] R(i ) = [, + ] Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

120 Designing Analyses that scale Scalable symbolic abstract domain Improving precision of SRA : live-range splitting / e-ssa form. Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

121 Designing Analyses that scale Scalable symbolic abstract domain Improving precision of SRA : live-range splitting / Rule for live-range splitting : a f = σ(a) b f = σ(b) t = a < b br (t, l) l a t = σ(a) b t = σ(b) All simplications are done by GiNaC. R(a t ) = [R(a), min(r(b), R(a) )] R(b t ) = [max(r(a) +, R(a) ), R(b) ] R(a f ) = [max(r(a), R(a) ), R(a) ] R(b t ) = [R(b), min(r(a), R(b) )] Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

122 Designing Analyses that scale Scalable symbolic abstract domain SRA + live-range on an example N = randunsigned () i_ = i_ = phi ( i_, i_ ) i_ < N? i_t = sigma ( i_ ) i_ = i_t + R(i t ) = [R(i ), min(n, R(i ) )] R(i ) = [, ] R(i ) = [, N] Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

123 Designing Analyses that scale Experimental results Come back on dataflow A bit of theory : IA on finite lattices Computing invariants Two problems to solve Computing Invariants in infinite height lattices. Intervals Toward more relational abstract domains Application - Tools Designing Analyses that scale Overview Scalable symbolic abstract domain Experimental results Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 8 / 89

124 Designing Analyses that scale Experimental results Experimental setup Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 86 / 89

125 Designing Analyses that scale Experimental results Percentage of bound checks removed Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 87 / 89

126 Designing Analyses that scale Experimental results Runtime improvement Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 88 / 89

127 Designing Analyses that scale Experimental results In the paper (OOPSLA ) A complete formalisation of all the analyses : Concrete and abstract semantics. Safety is proved. Interprocedural analysis. Remaining question : improving precision of the symbolic range analysis? Laure Gonnord (M/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 7 89 / 89