Disjunctive relational abstract interpretation for interprocedural program analysis

Size: px

Start display at page:

Download "Disjunctive relational abstract interpretation for interprocedural program analysis"

Giles Garrett
5 years ago
Views:

1 Disjunctive relational abstract interpretation for interprocedural program analysis Nicolas Halbwachs, joint work with Rémy Boutonnet Verimag/CNRS, and Grenoble-Alpes University Grenoble, France R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 1 / 30

2 Standard program analysis Goal: compute (an upper approximation of) the reachable states of a program (S,S 0, ) A = S 0 {s s A,s s } Trace partitioning: Assume S is partitioned: S = S 1 S 2... S k, and let A i = A S i,i = 1..k: A i = (S 0 S i ) {s S i s A j,s s } j=1..k a system of recursive semantic equations R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 2 / 30

3 Numerical program analysis A numerical state: n variables a vector X N n (N = Z or Q) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 3 / 30

4 Numerical program analysis A numerical state: n variables a vector X N n (N = Z or Q) Example of semantic equations A 0 = N 2 x=0; y=0; A 1 = A 0 [x 0][y 0] while A 2 = A 1 A 6 x<=100 do A 3 = A 2 (x 100) if?? then x=x+2 A 4 = A 3 [x x + 2] else x=x+1; y=y+1 A 5 = A 3 [x x + 1][y y + 1] endif A 6 = A 4 A 5 endwhile A 7 = A 2 (x 101) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 3 / 30

5 Numerical abstract domains y x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 4 / 30

6 Numerical abstract domains y Polyhedra x + 2y 8 x y + 8 x 13 y 2x + 4 x + 2y 28 x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 4 / 30

7 Numerical abstract domains y Polyhedra relational x + 2y 8 x y + 8 x 13 y 2x + 4 x + 2y 28 x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 4 / 30

8 Numerical abstract domains y Intervals x [0,13] y [0,12] x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 4 / 30

9 Numerical abstract domains y Intervals not relational x [0,13] y [0,12] x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 4 / 30

10 Numerical abstract domains y Octagons weakly relational 0 x 13 0 y 12 4 x + y x y 8 x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 4 / 30

11 An example with polyhedra x := 0 ; y := 0; while x 100 do if?? then x:= x+2 else x:= x+1; y:=y+1; endif endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

12 An example with polyhedra x := 0 ; y := 0; x=y=0 while x 100 do if?? then x:= x+2 else x:= x+1; y:=y+1; endif endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

13 An example with polyhedra x := 0 ; y := 0; x=y=0 while x=y=0 x 100 do if?? then x:= x+2 else x:= x+1; y:=y+1; endif endwhile /0 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

14 An example with polyhedra x := 0 ; y := 0; x=y=0 while x=y=0 x 100 do if?? then x:= x+2 x=2, y=0 else x:= x+1; y:=y+1; x=1, y=1 endif endwhile /0 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

15 An example with polyhedra x := 0 ; y := 0; x=y=0 while x=y=0 x 100 do if?? then x:= x+2 x=2, y=0 else x:= x+1; y:=y+1; x=1, y=1 endif 1 x 2, x+y=2 endwhile /0 y x R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

16 An example with polyhedra x := 0 ; y := 0; x=y=0 while x 100 do if?? then x:= x+2 y 1 2 x else x:= x+1; y:=y+1; endif 1 x 2, x+y=2 endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

17 An example with polyhedra x := 0 ; y := 0; x=y=0 while 0 y x, x+y 1 x 100 do if?? then x:= x+2 y 1 2 x else x:= x+1; y:=y+1; endif 1 x 2, x+y=2 endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

18 An example with polyhedra x := 0 ; y := 0; x=y=0 while 0 y x, x+y 1 x 100 do if?? then x:= x+2 0 y x y Widening 1 2 x else x:= x+1; y:=y+1; endif 1 x 2, x+y=2 endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 5 / 30

19 An example with polyhedra x := 0 ; y := 0; x=y=0 while x 100 do 0 y x 100 if?? then x:= x+2 else x:= x+1; y:=y+1; endif endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 6 / 30

20 An example with polyhedra x := 0 ; y := 0; x=y=0 while x 100 do 0 y x 100 if?? then x:= x+2 0 y x else x:= x+1; y:=y+1; 1 y x 101 endif endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 6 / 30

21 An example with polyhedra x := 0 ; y := 0; x=y=0 while x 100 do 0 y x 100 if?? then x:= x+2 0 y x else x:= x+1; y:=y+1; 1 y x 101 endif 0 y x 102,2 x + y 202 endwhile R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 6 / 30

22 An example with polyhedra x := 0 ; y := 0; x=y=0 while 0 y x 102,x + y 202 x 100 do 0 y x 100 if?? then x:= x+2 0 y x else x:= x+1; y:=y+1; 1 y x 101 endif 0 y x 102,2 x + y 202 endwhile 0 y,101 x 102,x + y 202 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 6 / 30

23 Motivation Relational domains (polyhedra, octagons, congruences,...) are too expensive to scale up (on huge monolithic programs) interprocedural analysis especially interesting (analyse medium size procedures once and for all) Bottom-up interprocedural analysis (build a procedure summary independently of the calling context) little used, because too imprecise with non-relational domains take advantage of relational domains to build precise relational procedure summaries R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 7 / 30

24 Interprocedural program analysis How to deal with procedures and calls? Inlining Top-down: at each call, analyse the procedure in the context of its actual parameters. Bottom-up: analyse the procedure once and for all, synthesize a summary to be used at each call. Hybrid strategies: mix the two, e.g., compute a summary in the simplest aliasing context (no aliases), compute a new summary when a call with possible aliases is encountered. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 8 / 30

25 From state analysis to relational analysis State analysis: Starting from a set S 0 of initial states, compute at each control point i, the set A i = {s S i s 0 S 0,s.t.,s 0 s} Relational analysis: Starting from a set S 0 of initial states, compute at each control point i, the relation R i = {(s 0,s) S 0 S i s 0 S 0,s 0 s} R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 9 / 30

26 From state analysis to relational analysis State analysis: Starting from a set S 0 of initial states, compute at each control point i, the set A i = {s S i s 0 S 0,s.t.,s 0 s} Relational analysis: Starting from a set S 0 of initial states, compute at each control point i, the relation R i = {(s 0,s) S 0 S i s 0 S 0,s 0 s} Important fact: s.r i is a necessary condition on s 0 for point i to be reachable from s 0 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 9 / 30

27 Relational analysis of a procedure Procedures: All parameters are supposed to be passed by reference (but we ignore pointer manipulation, and we entrust existing analyses to detect aliasing problems). Global variables considered as additional parameters. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 10 / 30

28 Relational analysis of a procedure Procedures: All parameters are supposed to be passed by reference (but we ignore pointer manipulation, and we entrust existing analyses to detect aliasing problems). Global variables considered as additional parameters. Relational analysis: Duplicate each parameter x with an auxiliary variable x 0, to record its initial value Perform a standard analysis of the body, starting from x = x 0 for each parameter x Project away local variables from the result at return point to obtain a relational summary R(X 0,X) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 10 / 30

29 Example: div proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 11 / 30

30 Example: div proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } Standard Analysis r 0 q 0 b r + 1 a = a0 b = b0 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 11 / 30

31 Example: div proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } Standard Analysis r 0 q 0 b r + 1 a = a0 b = b0 precondition a0 0 lost! R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 11 / 30

32 Widening limited by precondition A precondition is obviously an invariant (a procedure may not modify the initial values of its parameters!) one can limit (i.e., intersect) the widening by the precondition. Example (cont.): Intersect the result of the widening with a0 0 b0 1 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 12 / 30

33 Example: div proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } Standard Analysis r 0 q 0 b r + 1 a = a0 b = b0 precondition a0 0 lost! With limited widening r 0 q 0 b r + 1 a q + r a = a0 b = b0 Better than expected, but still imprecise, as a summary R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 13 / 30

34 Disjunctive summaries Convex summaries are not expressive enough General disjunctions of polyhedra are difficult to manage (ex.: inclusion) Idea: disjunctive refinement by partitioning preconditions precondition P partitioned into P 1 P 2... P m Disjunctive summary R = R 1 R 2...R m with P i = X.R i, i = 1..m R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 14 / 30

35 Example of disjunctive summary proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } Standard analysis: r 0 q 0 b r + 1 With limited widening: r 0 q 0 b r +1 a q +r R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 15 / 30

36 Example of disjunctive summary proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } Partitioning according to a0 b0, b0 a0 + 1 (entering the loop or not) Standard analysis: r 0 q 0 b r + 1 With limited widening: r 0 q 0 b r +1 a q +r R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 15 / 30

37 Example of disjunctive summary proc div (a, b, q, r: int){ assume a 0 && b 1; a0=a ; b0=b ; q0=q ; r0=r; q=0 ; r=a; while(r b){ r = r-b ; q = q+1 ; } } Standard analysis: r 0 q 0 b r + 1 With limited widening: r 0 q 0 b r +1 a q +r Partitioning according to a0 b0, b0 a0 + 1 (entering the loop or not) Result: either b0 1 a0 0 and q = 0 r = a or a0 b0 1 and r 0 q 0 q + r 1 b r + 1 a + 1 b + q R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 15 / 30

38 Partitioning preconditions Refinement according to local reachability: Let R k (P) be the result at control point k of a relational analysis from precondition P. It relates the initial values X 0 and the current values X. Then, R 0 k = X.R k(p) is a necessary condition on X 0 for the point k to be reachable. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 16 / 30

39 Partitioning preconditions Refinement according to local reachability: Let R k (P) be the result at control point k of a relational analysis from precondition P. It relates the initial values X 0 and the current values X. Then, R 0 k = X.R k(p) is a necessary condition on X 0 for the point k to be reachable. Rk 0 P, thanks to widening limited by precondition, but if Rk 0 P, any constraint c of R0 k not satisfied by P, may be used to split the precondition P into P = P c and P = P c and point k is not reachable from P. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 16 / 30

40 Partitioning preconditions: example Example: From the the precondition P = (a0 0 b0 1), the analysis of div provides R = (a = a0 b = b0 r b 1 q 0 a q + r) at the loop entry. Now, R 0 = (a,b,q,r).r = (a0 b0 1) Since a0 b0 is not satisfied by the precondition P, it provides the (obvious) refinement P = (a0 b0 1), P = (b0 1 a0 0) that we used before. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 17 / 30

41 Postponing loop feedback The problem: In the div example, our partitioning separates the cases when the loop is entered at least once or not. In the former case, our analysis provides (a0 b0 1) (r 0 q 0 q + r 1 b r + 1 a + 1 b + q) We should find q 1 (the loop is executed at least once) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 18 / 30

42 Postponing loop feedback The problem: In the div example, our partitioning separates the cases when the loop is entered at least once or not. In the former case, our analysis provides (a0 b0 1) (r 0 q 0 q + r 1 b r + 1 a + 1 b + q) We should find q 1 (the loop is executed at least once) The explanation: At loop exit, the semantic equation is R exit = (R in R feedback ) cond feedback in cond exit while R in cond = /0 R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 18 / 30

43 Postponing loop feedback The problem: In the div example, our partitioning separates the cases when the loop is entered at least once or not. In the former case, our analysis provides (a0 b0 1) (r 0 q 0 q + r 1 b r + 1 a + 1 b + q) We should find q 1 (the loop is executed at least once) The explanation: At loop exit, the semantic equation is R exit = (R in R feedback ) cond feedback in cond exit while R in cond = /0 The solution: Compute instead R exit = (R in cond) (R feedback cond) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 18 / 30

44 Postponing loop feedback Previous result: (r 0 q 0 q + r 1 b r + 1 a + 1 b + q) New result: (r 0 q 1 b r + 1 a + 1 b + q + r) Better than expected R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 19 / 30

45 Using procedure summaries Let p be a procedure, with a call k : q(a) ; k :... where A = (a1,a2,...,a n ) are the actual parameters. Let R k be the relation computed at point k. Let F = (f 1,f 2,...,f n ) be the formal parameters of q, and (S 1,...,S m ) be a summary of q. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 20 / 30

46 Using procedure summaries Let p be a procedure, with a call k : q(a) ; k :... where A = (a1,a2,...,a n ) are the actual parameters. Let R k be the relation computed at point k. Let F = (f 1,f 2,...,f n ) be the formal parameters of q, and (S 1,...,S m ) be a summary of q. Then, the relation at return point k is m R k = A. R k [A/A ] S l [F/A][F 0 /A ] where l=1 R k [A/A ] is the result of renaming in R k each variable a i as a i S l [F/A][F 0 /A ] is the result of renaming in S l each variable f i as a i and each variable fi 0 as a i R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 20 / 30

47 Partitioning preconditions (cont.) Refinement according to called procedure summary Since the relation at return point of a call is a, its a good idea to make some of its terms empty. Preconditions of the call: P l = ( F.S l ),l = 1..m Making C l = A.R k [A/A ] P l [F 0 /A ] empty: refine the precondition of the caller X.C l is a necessary condition (on initial values in the caller) for C l to be not empty. Use it to split the precondition, as before. R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 21 / 30

48 Example, a recursive procedure McCarthy s 91 function proc f91 (x,y: int) { var z, t: int ; 1:if (x > 100) 2: y = x -10 ; 3:else { 4: z = x + 11 ; 5: f91 (z, t) ; 6: f91 (t, y) ; 7:} } R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 22 / 30

49 Example, a recursive procedure McCarthy s 91 function proc f91 (x,y: int) { var z, t: int ; 1:if (x > 100) 2: y = x -10 ; 3:else { 4: z = x + 11 ; 5: f91 (z, t) ; 6: f91 (t, y) ; 7:} } Semantic equations (without parameters duplication) R = R 2 R 7 R 2 = (x 101 y = x 10) R 7 = (x 100) ( t.r(x + 11,t) R(t,y)) 22mm] R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 22 / 30

50 Example, a recursive procedure McCarthy s 91 function proc f91 (x,y: int) { var z, t: int ; 1:if (x > 100) 2: y = x -10 ; 3:else { 4: z = x + 11 ; 5: f91 (z, t) ; 6: f91 (t, y) ; 7:} } Semantic equations (without parameters duplication) R = R 2 R 7 R 2 = (x 101 y = x 10) R 7 = (x 100) ( t.r(x + 11,t) R(t,y)) 22mm]Standard analysis: R 2 = (x 101 y = x 10) R 7 = (x 100 y + 9 x y 91) R = (x y + 10 y 91) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 22 / 30

51 Example, a recursive procedure (cont.) Standard analysis: R 2 = (x 101 y = x 10) R 7 = (x 100 y + 9 x y 91) R = (x y + 10 y 91) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 23 / 30

52 Example, a recursive procedure (cont.) Standard analysis: R 2 = (x 101 y = x 10) R 7 = (x 100 y + 9 x y 91) R = (x y + 10 y 91) Since y.r 2 = (x 101), split the initial precondition into (x 101) and (x 100). R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 23 / 30

53 Example, a recursive procedure (cont.) Standard analysis: R 2 = (x 101 y = x 10) R 7 = (x 100 y + 9 x y 91) R = (x y + 10 y 91) Since y.r 2 = (x 101), split the initial precondition into (x 101) and (x 100). Result: (x 101 y = x 10) or (x 100 y 91) not much better R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 23 / 30

54 Example, a recursive procedure (cont.) Now, refine according to the summary at the first recursive call, i.e., according to (x ). R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 24 / 30

55 Example, a recursive procedure (cont.) Now, refine according to the summary at the first recursive call, i.e., according to (x ). Final result: (x 101 y = x 10) or (90 x 100 y = 91) or (x 89 y = 91) most precise summary R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 24 / 30

56 Implementation Method implemented by Rémy Boutonnet in his prototype analyzer MARS (Mars Abstract interpretation Research System) Based on CLANG, takes a significant subset of C Uses the Apron library of abstract domains Applies a standard data-flow analysis to identify pure value parameters and pure result parameters, which don t need to be duplicated Recursive procedures not yet taken into account R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 25 / 30

57 Experiments Goal: Compare the interprocedural analysis to a standard analysis of inlined programs, answer the following questions: The construction of summaries involves several analyses, does it induce a significant overhead? Does the bottom-up approach result in a significant loss of precision? Problems: Find an interesting benchmark (numerical programs with procedures) How to compare the precision? R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 26 / 30

58 Experiments (cont.) Use of the Mälardalen benchmark (worst case execution time), 19 programs sometimes augmented with statement counters Precision: Compare the results at the end of the main program (after projection on the variables of the main) Qualitative comparison: is the result of interprocedural analysis better ( ), worse ( ), equal (=), or incomparable (<>) w.r.t. the one of inlining analysis? Quantitative comparison: compare the number of constraints R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 27 / 30

59 First experimental results Interprocedural analysis faster on 13 programs over 19 (average speedup 2.9). Most procedures called once. The speedup increases rapidly with the number of calls. Some precision lost on 3 programs (worst: from 32 to 12 constraints) Some precision gained on 5 programs (best: from 1 to 6 constraints) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 28 / 30

60 Future work Extend to modular analysis of procedures with memories (objects, reactive software) R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 29 / 30

61 Future work Extend to modular analysis of procedures with memories (objects, reactive software) A reactive module X : input variables Y : output variables M : memory variables M = M 0 ; forever { read(x); (Y,M) = Step(X,M); write(y); } M X Step Y R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 29 / 30

62 Future work X Can we construct a summary of each module (including an invariant on the memory) and use these summaries to analyse the whole system? M X 1 Step 1 M 1 Y 1 X 2 M 2 Step 2 Y 2 Y R. Boutonnet, N. Halbwachs (Verimag) Disjunctive relational abstract interpretation 30 / 30

Program verification

Program verification Data-flow analyses, numerical domains Laure Gonnord and David Monniaux University of Lyon / LIP September 29, 2015 1 / 75 Context Program Verification / Code generation: Variables