Two examples of numerical domains

Size: px

Start display at page:

Download "Two examples of numerical domains"

Dennis Cameron
5 years ago
Views:

1 ROSAEC workshop Fourth session Two examples of numerical domains Jérôme Feret Laboratoire d Informatique de l École Normale Supérieure INRIA, ÉNS, CNRS January, 2009

2 ROSAEC workshop The Arithmetic-Geometric Progression Abstract Domain VMCAI 2005 Jérôme Feret Laboratoire d Informatique de l École Normale Supérieure INRIA, ÉNS, CNRS ØØÔ»»ÛÛÛº º Ò º Ö» Ö Ø January, 2009.

3 Overview 1. Introduction 2. Case study 3. Arithmetic-geometric progressions 4. Benchmarks 5. Conclusion Jérôme Feret 2 January, 2009

4 Issue In automatically generated programs using floating point arithmetics, some computations may diverge because of rounding errors. We prove the absence of floating point number overflows: we bound rounding errors at each loop iteration by a linear combination of the loop inputs; we get bounds on the values that depends exponentially on the program execution time. We use non polynomial constraints. Our domain is both precise (no false alarm) and efficient (linear in memory / nln(n) in time). Jérôme Feret 3 January, 2009

5 Overview 1. Introduction 2. Case study 3. Arithmetic-geometric progressions 4. Benchmarks 5. Conclusion Jérôme Feret 4 January, 2009

6 Running example (in R) 1 : X := 0; k := 0; 2 : while (k < 1000) { 3 : if (?) {X [ 10; 10]}; 4 : X := X/3; 5 : X := 3 X; 6 : k := k + 1; 7 : } Jérôme Feret 5 January, 2009

7 Interval analysis: first loop iteration 1 : X := 0; k := 0; 2 : while (k < 1000) { 3 : if (?) {X [ 10; 10]}; 4 : X := X/3; 5 : X := 3 X; 6 : k := k + 1; X = 0 X = 0 X 10 X 10 3 X 10 7 : } Jérôme Feret 6 January, 2009

8 Interval analysis: Invariant 1 : X := 0; k := 0; 2 : while (k < 1000) { 3 : if (?) {X [ 10; 10]}; 4 : X := X/3; 5 : X := 3 X; 6 : k := k + 1; 7 : } X = 0 X 10 X 10 X 10 3 X 10 X 10 Jérôme Feret 7 January, 2009

9 Including rounding errors [Miné ESOP 04] 1 : X := 0; k := 0; 2 : while (k < 1000) { 3 : if (?) {X [ 10; 10]}; 4 : X := X/3 + [ ε 1 ; ε 1 ].X + [ ε 2 ; ε 2 ]; 5 : X := 3 X + [ ε 3 ; ε 3 ].X + [ ε 4 ; ε 4 ]; 6 : k := k + 1; 7 : } The constants ε 1, ε 2, ε 3, and ε 4 ( 0) are computed by other domains. Jérôme Feret 8 January, 2009

10 Let M 0 be a bound: Interval analysis 1 : X := 0; k := 0; X = 0 2 : while (k < 1000) { X M 3 : if (?) {X [ 10; 10]}; X max(m,10) 4 : X := X/3 + [ ε 1 ; ε 1 ].X + [ ε 2 ; ε 2 ]; X (ε ) max(m, 10) + ε 2 5 : X := 3 X + [ ε 3 ; ε 3 ].X + [ ε 4 ; ε 4 ]; X (1 + a) max(m,10) + b 6 : k := k + 1; 7 : } with a = 3 ε 1 + ε ε 1 ε 3 and b = ε 2 (3 + ε 3 ) + ε 4. Jérôme Feret 9 January, 2009

11 Ari.-geo. analysis: first iteration 1 : X := 0; k := 0; 2 : while (k < 1000) { 3 : if (?) {X [ 10; 10]}; 4 : X := X/3 + [ ε 1 ;ε 1 ].X + [ ε 2 ; ε 2 ]; X = 0, k = 0 X = 0 X 10 X [ v ( ε 1) v + ε2 ] (10) 5 : X := 3 X + [ ε 3 ;ε 3 ].X + [ ε 4 ; ε 4 ]; X f (1) (10) 6 : k := k + 1; X f (k) (10), k = 1 7 : } with f = [ v ( ε 1 + ε ε 1 ε 3 ) v + ε2 (3 + ε 3 ) + ε 4 ]. Jérôme Feret 10 January, 2009

12 1 : X := 0; k := 0; Ari.-geo. analysis: Invariant 2 : while (k < 1000) { 3 : if (?) {X [ 10; 10]}; 4 : X := X/3 + [ ε 1 ; ε 1 ].X + [ ε 2 ; ε 2 ]; 5 : X := 3 X + [ ε 3 ; ε 3 ].X + [ ε 4 ; ε 4 ]; 6 : k := k + 1; 7 : } X = 0, k = 0 X f (k) (10) X f (k) (10) ( ) X ( ε 1) f (k) (10) + ε 2 ( ) X f f (k) (10) X f (k) (10) X f (1000) (10) with f = [ v ( ε 1 + ε ε 1 ε 3 ) v + ε2 (3 + ε 3 ) + ε 4 ]. Jérôme Feret 11 January, 2009

13 Analysis session Jérôme Feret 12 January, 2009

14 Overview 1. Introduction 2. Case study 3. Arithmetic-geometric progressions 4. Benchmarks 5. Conclusion Jérôme Feret 13 January, 2009

15 Arithmetic-geometric progressions (in R) An arithmetic-geometric progression is a 5-tuple in (R + ) 5. An arithmetic-geometric progression denotes a function in N R + : β R (M, a,b, a,b )(k) = [ v a v + b ]( [ v a v + b ] (k) (M) ) Thus, k is the loop counter; M is an initial value; [ v a v + b ] describes the current iteration; [ v a v + b ] (k) describes the first k iterations. A concretization γ R maps each element d (R + ) 5 to a set γ R (d) (N R + ) defined as: {f k N, f(k) β R (d)(k)} Jérôme Feret 14 January, 2009

16 Monotonicity Let d = (M,a, b, a,b ) and d = (M, a,b,a, b ) be two arithmetic-geometric progressions. If: M M, a a, a a, b b, b b. Then: 100 β R (d)(k) k N, β R (d)(k) β R (d)(k) k Jérôme Feret 15 January, 2009

17 Disjunction Let d = (M,a, b, a,b ) and d = (M, a,b,a, b ) be two arithmetic-geometric progressions. We define: d R d = (M,a, b, a,b ) where: M = max(m,m), a = max(a,a), a = max(a, a ), 100 β R (d)(k) b = max(b,b), b = max(b,b ), k For any k N, β R (d R d)(k) max(β R (d)(k),β R (d)(k)). Jérôme Feret 16 January, 2009

18 Conjunction Let d and d be two arithmetic-geometric progressions. 1. If d and d are comparable (component-wise), we take the smaller one: d R d = Inf. {d; d}. 2. Otherwise, we use a parametric strategy: d R d {d; d}. For any k N, β R (d R d)(k) min(β R (d)(k),β R (d)(k)). Jérôme Feret 17 January, 2009

19 Assignment (I/III) We have: β R (M,a, b,a,b )(k) = a (M + b k) + b when a = 1 β R (M,a, b,a,b )(k) = a ( (a ) k ( M b 1 a ) + b 1 a ) + b when a 1. Thus: 1. for any a, a, M, b, b, λ R +, λ ( β R ( M, a,b, a,b ) (k) ) = β R ( λ M,a, λ b,a,λ b ) (k); 2. for any a, a, M, b, b, M,b, b R +, for any k N, β R ( M, a,b, a,b ) (k) + β R ( M, a,b, a,b ) (k) = β R ( M + M, a,b + b,a, b + b ) (k). Jérôme Feret 18 January, 2009

20 Assignment (II/III) For k N, if: then: B + α i X i B αi X i β R (M i,a i, b i, a i,b i)(k) ( αi M i β R, Max(a i ), αi αi b i, Max(a i), αi ) αi b i (k) αi so: B+ ( αi α i X βr M i i, α i Max(a i ), αi αi b i αi + B, Max(a i), ) αi b i (k) αi Jérôme Feret 19 January, 2009

21 Assignment (III/III) If for k N, X β R (M X, a X,b X, a X, b X)(k) and Y β R (M Y,a Y, b Y, a Y,b Y)(k), then: 1. increment: 2. multiplication: 3. barycentric mean: X + Y 2 ( MX + M Y β R X + 3 β R (M X,a X,b X + 3, a X, b X)(k) 3 X β R (M X,3 a X, b X,a X,b X)(k) 2, Max(a X, a Y ), b ) X + b Y, Max(a X,a Y), b X + b Y (k) 2 2 Parametric strategies can be used to transform expressions. Jérôme Feret 20 January, 2009

22 Projection I β R (M,a, b,a,b )(k) = a (M + b k) + b when a = 1 β R (M,a, b,a,b )(k) = a ( (a ) k ( M b 1 a ) + b 1 a ) + b when a 1. Thus, for any d (R + ) 5, the function [ k β R (d)(k) ] is: either monotonic, or anti-monotonic. a > 1, a = 1, a < 1 and M < b a < 1 and M > b 1 a, 1 a. 100 β R (d)(k) k Jérôme Feret 21 January, 2009

23 Projection II Let d (R + ) 5 and k max N. bound(d,k max ) = max(β R (d)(0), β R (d)(k max )) 100 β R (d)(k) For any k N such that 0 k k max : β(d)(k) bound(d,k max ) k max k Jérôme Feret 22 January, 2009

24 Incrementing the loop counter We integrate the current iteration into the first k iterations: the first k + 1 iterations are chosen as the worst case among the first k iterations and the current iteration; the current iteration is reset. Thus: next R (M,a,b, a, b ) = (M,1, 0, max(a,a ), max(b, b )). For any k N, d ( R +) 5, βr (d)(k) β R (next R (d))(k + 1). Jérôme Feret 23 January, 2009

25 About floating point numbers Floating point numbers occur: 1. in the concrete semantics: Floating point expressions are translated into real expressions with interval coefficients [Miné ESOP 04]. In other abstract domains, we handle real numbers. 2. in the abstract domain implementation: For efficiency purpose, we implement each primitive in floating point arithmetics: each real is safely approximated by an interval with floating point number bounds. Jérôme Feret 24 January, 2009

26 Overview 1. Introduction 2. Case study 3. Arithmetic-geometric progressions 4. Benchmarks 5. Conclusion Jérôme Feret 25 January, 2009

27 Applications Arithmetic-geometric progressions provide bounds for : 1. division by α followed by a multiplication by α: = our running example; 2. barycentric means: = at each loop iteration, the value of a variable X is computed as a barycentric mean of some previous values of X (not necessarily the last values); 3. bounded incremented variables: = it replaces the former domain that bounds the difference and the sum between each variable and the loop counter. Jérôme Feret 26 January, 2009

28 Benchmarks We analyze three programs in the same family on a AMD Opteron 248, 8 Gb of RAM (analyses use only 2 Gb of RAM). lines of C 70, , ,000 global variables 13,400 7,500 9,000 iterations time/iteration 1mn14s 1mn21s 1mn16s 4mn04s 5mn13s 4mn40s 7mn33s 9mn42s 8mn17s analysis time 2h18mn 2h05mn 47mn 15h34mn 19h24mn 4h08mn 31h53mn 43h51mn 10h14mn false alarms without using computation time; 2. with the former loop counter domain, (without the arithmetic-geometric domain); 3. with the arithmetic-geometric domain, (without the former loop counter domain). Jérôme Feret 27 January, 2009

29 Overview 1. Introduction 2. Case study 3. Arithmetic-geometric progressions 4. Benchmarks 5. Conclusion Jérôme Feret 28 January, 2009

30 A new abstract domain non polynomial constraints; sound with respect to rounding errors (both in the concrete semantics and in the domain implementation); accurate (we infer bounds on the values that depend on the execution time of the program); efficient: - in time: O(n ln(n)) per abstract iteration (n denotes the program size), - in memory: at most 5 coefficients per variable in the program, - sparse implementation. Jérôme Feret 29 January, 2009

31 ROSAEC workshop Static Analysis of Digital Filters ESOP 2004 Jérôme Feret Laboratoire d Informatique de l École Normale Supérieure INRIA, ÉNS, CNRS ØØÔ»»ÛÛÛº º Ò º Ö» Ö Ø January, 2009.

32 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 2 January 2009

33 Context We want to prove run time error absence, in critical embedded software. Filter behaviour is implemented at the software level, using hardware floating point numbers. Full certification requires special care about these filters. Jérôme Feret 3 January 2009

34 Issues Control flow detection: to locate filter resets and filter iterations. Invariant inference: we are not interested in functional properties. We seek precise bounds on the output, using information inferred about the input. (Linear invariants do not yield accurate bounds). To take into account floating-point rounding: - in the semantics, - when implementing the abstract domain. Jérôme Feret 4 January 2009

35 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 5 January 2009

36 The high bandpass filter We consider the following example: V R E 1 := 0 S 0 := while (V 0) { V R T R E 0 [ 1;1]; if (T 0) {S := 0} else {S := S + E 0 E 1 } E 1 := E 0 ; } Jérôme Feret 6 January 2009

37 Interval approximation (simplified) With a view to simplifying, we ignore rounding errors!!! The analyzer infers the following sound counterpart F : F ( X ) = {0.999 s + e 0 + e 1 s X, e 0, e 1 [ 1; 1]} to the loop body. Jérôme Feret 7 January 2009

38 Abstract iteration 1. The analyzer starts iterating F : F ({0}) = [ 2; 2], F ([ 2; 2]) = [ 3.998; 3.998],... ; 2. then it widens the iterates: F ([ 10; 10]) [ 10; 10], F ([ 100; 100]) [ 100; 100],... ; 3. until it discovers a stable threshold: F ([ 10000; 10000]) = [ 9992; 9992]; 4. finally, it keeps iterating to refine the solution: F ([ 9992; 9992]) = [ ; ]. Jérôme Feret 8 January 2009

39 Driving the analysis Better results could have been obtained by driving the analysis: Theorem 1 (High bandpass filter (history-insensitive)) Let D 0, m 0, a, X and Z be real numbers such that: 1. X D; 2. ax m Z ax + m; then we have: 1. Z a D + m; 2. [ a < 1 and D m 1 a ] = Z D. Theorem 1 implies that 2000 can be used as a threshold. Jérôme Feret 9 January 2009

40 History sensitive approximation Theorem 2 (High bandpass filter (history-sensitive version)) Let α [ 1 2 ; 1[, i and m > 0 be real numbers. Let E n be a real number sequence, such that k N, E k [ m; m]. Let S n be the following sequence: { S0 = i We have: S n+1 = α.s n + E n+1 E n. 1. S n = α n.i + E n α n E 0 + n 1 l=1 (α 1)αl 1 E n l 2. S n α n i + (1 + α n + 1 α n 1 )m; 3. S n 2.m + i. Theorem 2 implies that 2 is a sound bound on S. Jérôme Feret 10 January 2009

41 The second order filter V R E 1 := 0 E 2 := 0 S 0 := 0 S 1 := 0 S 2 := 0 while (V 0) { V R; T R; E 0 [ 1; 1]; if (T 0) {S 0 := E 0 ;S 1 := E 0 ;E 1 := E 0 } else {S 0 := 1.5 S S E E E 2 }; E 2 := E 1 ; E 1 := E 0 ; S 2 := S 1 ; S 1 := S 0 } Jérôme Feret 11 January 2009

42 Ellipsoidal constraints Theorem 3 (second order filter (history insensitive)) Let a, b, K 0, m 0, X, Y, Z be real numbers such that: 1. a 2 + 4b < 0, 2. X 2 axy by 2 K, 3. ax + by m Z ax + by + m. We have: ( ) 2; 1. Z 2 azx bx 2 bk + m b < 1 ( 2. m K 1 b ) 2 = Z 2 azx bx 2 K. Jérôme Feret 12 January 2009

43 Linear versus quadratic invariants X F(X) F(X) X X U F(X) X U F(X) Jérôme Feret 13 January 2009

44 Second order filter approximation 1. without relational domain, we cannot limit S 2 ; 2. with ellipsoidal constraints (history insensitive abstraction), we can infer that S 2 < ; 3. by formally expanding the output as a sum of all previous inputs, we can prove that S 2 < ; Jérôme Feret 14 January 2009

45 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 15 January 2009

46 Syntax Let V be a finite set of variables. Let I be the set of real intervals (including R). Expressions E are affine forms of variables V with real interval coefficients: E::=I + j J I j.v j Programs are given by the following grammar: P :== skip P;P V := E if (V 0) {P } else {P } while (V 0) {P } Jérôme Feret 16 January 2009

47 Semantics We define the semantics of a program P : by induction over the syntax of P : skip (ρ) = {ρ}, P : (V R) (V R) P 1 ;P 2 (ρ) = {ρ ρ P 1 (ρ), ρ P 2 (ρ )}, V := I + j J I j.v j (ρ) = { ρ [ V i + j J i j.ρ(v j ) ] i I, j J,ij I j }, if (V 0) {P 1 } else {P 2 } (ρ) = { P1 (ρ) if ρ(v ) 0 P 2 (ρ) otherwise, while (V 0) {P } (ρ) = {ρ Inv ρ (V ) < 0} where Inv = lfp (X {ρ} {ρ ρ X, ρ (V ) 0 and ρ P (ρ )}). Jérôme Feret 17 January 2009

48 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 18 January 2009

49 Abstract domain An abstract domain ENV is a set of environment properties. A concretization map γ relates each property to the set of its solutions: γ : ENV (V R). Some primitives simulate concrete computation steps in the abstract: an abstract control path merge ; an abstract guard GUARD and an abstract assignment ASSIGN; an abstract least fixpoint lfp operator, which maps sound counterpart f to monotonic function f, to an abstraction of the least fixpoint of f. lfp is defined using extrapolation operators (,, ). Soundness follows from the monotony of the concrete semantics. Jérôme Feret 19 January 2009

50 Abstract semantics skip (a) = a P 1 ;P 2 (ρ ) = P 2 ( P 1 (ρ )) V := E (a) = ASSIGN(V, E,a) if (V 0) {{P 1 } else {P 2 } (a) = a 1 a 2, a1 = P 1 (GUARD(V, [0; + [,a)) with a 2 = P 2 (GUARD(V, ] ; 0[,a)) while (V 0) {P } (a) = GUARD(V, ] ; 0[, Inv ) where Inv = lfp ( X a P (GUARD(V, [0; + [,X)) ) Jérôme Feret 20 January 2009

51 Soundness We prove by induction over the syntax: Theorem 4 (Soundness) For any program P, environment ρ, abstract element a, we have: ρ γ(a) = P (ρ) γ ( P (a) ). Jérôme Feret 21 January 2009

52 Extrapolation operators iteration basis: ENV a widening operator such that: 1. (ENV ENV ) ENV, 2. a,b ENV, γ(a) γ(b) γ(a b), 3. (a i ) (ENV ) N, the sequence (a i ) defined by: a 0 = a 0 and a n+1 = a n a n+1 is ultimately stationary; a narrowing operator such that: 1. (ENV ENV ) ENV, 2. a,b ENV, γ(a) γ(b) γ(a b), 3. (a i ) (ENV ) N, the sequence (a i ) defined by: a 0 = a 0 and a n+1 = a n a n+1 is ultimately stationary; Jérôme Feret 22 January 2009

53 Abstract iterations Let f be a map in ENV ENV. Abstract upward-iterates: { C 0 =, C n+1 = C n f (C n ), is eventually stationary: We denote by C ω its limit. Abstract downward-iterates: { D 0 = C ω, D n+1 = D n f (D n ), is eventually stationary: We define lfp (f ) as this limit. Jérôme Feret 23 January 2009

54 Soundness Let f be a -complete morphism such that: a ENV, f(γ(a)) γ(f (a)). We want to prove that lfp(f) γ(lfp (f )). Since lfp(a) = {a f(a) a} (Tarski), we only have to prove that: a (V R), f(a) a and a γ(lfp (f )). Jérôme Feret 24 January 2009

55 Soundness proof (continued) 1. f(γ(cω )) γ(cω ) since: f(γ(cω )) γ(f (Cω )), (soundness of f ) γ(f (Cω )) γ(cω f (Cω )), (soundness of ) Cω f (Cω ) = Cω, (Cω is a limit) 2. n N, a (V R) such that f(a) a and a γ(d n ): (a) γ(d 0 ) = γ(c ω ) and f(γ(c ω )) γ(c ω ); (b) let a (V R) such that f(a) a and a γ(d n ), then f(f(a)) f(a) (f is monotonic), f(a) f(γ(d n )) γ(f (D n )), f(a f(a)) f(a) f(f(a)) a f(a), a f(a) γ(d n ) γ(f (D n )) γ(d n f (D n )) γ(d n+1 ) Jérôme Feret 25 January 2009

56 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 26 January 2009

57 Filter family A filter class is given by: the number p of outputs and the number q of inputs involved in the computation of the next output; a (generic/symbolic) description of F with parameters; some conditions over these parameters In the case of the second order filter: p = 2, q = 3; F(S n 1,S n 2,E n+2, E n+1, E n ) = a.s n 1 + b.s n 2 + c.e n+2 + d.e n+1 + e.e n ; a 2 + 4b < 0. Jérôme Feret 27 January 2009

58 Filter domain A filter constraint is a couple in T B B where: T B finite (V m R n ) with: - m, the number of variables that are involved in the computation of the next output. m depends on the abstraction; - n, the number of filter parameters; B is an abstract domain encoding some ranges. A constraint (t, d) is related to (V R), by a concretization function: γ B : T B B (V R). An approximation of second order filter may consist in relating: the last two outputs and the first two coefficients of the filter (a and b) to the ratio of an ellipsoid. Jérôme Feret 28 January 2009

59 Assignment FIRST ITERATION X BUILD B X = F(X) X filter iteration X X = X OTHER X = F(X) ITERATIONS filter iteration X X X = X Jérôme Feret 29 January 2009

60 Merging computation paths X = F(X) filter iteration BUILD B BUILD B B Jérôme Feret 30 January 2009

61 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 31 January 2009

62 Floating point domain Let: F be a finite subset of R closed upon opposite, L is a finite subset of F; q, r two natural parameters for setting extrapolation strategy. We define F q,r as follows: F q,r = F = F { ; + }; γ F : _ : F a { (R) [ a;a] if a F { R F R otherwise; r min({f F f r}); a F b = max({a, min({l L {a; + } l b})}). Jérôme Feret 32 January 2009

63 Extrapolation strategy Delayed widening: (a 1,k 1 ) Fq,r (a 2, k 2 ) = (a 1, k 1 ) if a 1 a 2 (a 2, k 1 + 1) if a 2 > a 1 and k 1 < q (a 1 F a 2, 0) otherwise; Constraints are only widened when they have been unstable (not necessarily successively) q times, since their last widening. Bounded narrowing: (a 1,k 1 ) Fq,r (a 2,k 2 ) = { (a1, k 1 ) if a 1 a 2 or k 1 ( r) (a 2, min(k 1, 0) 1) if a 2 < a 1 and k 1 > ( r); Constraints are only narrowed r times. Jérôme Feret 33 January 2009

64 Approximating contracting functions When analyzing filter, we iterate functions f such that: f : I F F i I, the map [x f(i,x)] is contracting; we can compute f l : I F such that i I, f(i,f l (i)) f l (i); where I is a set of inputs. Since [x f(i, x)] is contracting, we have: i I, x f l (i), f(i,x) x. Jérôme Feret 34 January 2009

65 Our goal We want to find a iterating strategy which ensures: soundness (even if f l is unsound) accuracy (if f l is sound): - do not jump directly at the limit f l : (to analyze not iterated filter, loop unrolling... ) - do not jump higher than the limit when the input is constant; - do not jump higher than the limit in most cases. termination (even if the input depend on the output). Jérôme Feret 35 January 2009

66 Reduced product We use an approximation of the reduced product of two domains: Let q,r be two natural parameters. 1. the first domain iterates f in F 0,r = widened at each step; 2. the second domain iterates [(i,x) max(f(i, x),f l (i))] in F q,0 = soundness does not depend on f l = not widened at each step to wait until input are stables. We use the reduction: ρ : { F0,r F q,0 F 0,r F q,0 (x 0, m 0 ), (x 1,m 1 ) (min(x 0, x 1 ), m 0 ), (x 1, m 1 ) after each computation step. = The second domain is used to reduce the first one, when it is not accurate. Jérôme Feret 36 January 2009

67 Unstable filters In case the iterated function is not contracting, filters are very likely to diverge. In case of linear filters, the iterated function is linear. We may use the arithmetic-geometric progression domain [VMCAI 2005]. We require an external clock to relate the divergence to the value of the clock. Jérôme Feret 37 January 2009

68 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 38 January 2009

69 Simplified second order filter Theorem 5 (Including rounding errors) Let a, b, ε a 0, ε b 0, K 0, m 0, X, Y, Z be real numbers, such that: 1. a 2 + 4b < 0, 2. X 2 axy by 2 K, 3. ax + by (m + ε a X + ε b Y ) Z ax + by + (m + ε a X + ε b Y ). We have ( 1. Z 2 azx bx 2 ( b + δ) ) 2 K + m ; b + δ < 1 ( 2. m K 1 b δ ) 2 = Z 2 azx bx 2 K, where δ = 2 ε b+ε a b. (a 2 +4b) Jérôme Feret 39 January 2009

70 Domain The domain relates the variables describing the last two outputs and the four filter parameters to the square of the ellipsoid ratio: γ B1 ((X, Y,a,ε a,b, ε b ), K) is given by the set of environments ρ that satisfy: (ρ(x)) 2 aρ(x)ρ(y ) b(ρ(y )) 2 K; in order to interpret assignment Z = E under range constraints ρ, we test whether E matches: with a 2 + 4b < 0, and capture: [a ε a ; a + ε a ] X + [b ε b ;b + ε b ] Y + E - filter parameters: (a,ε a, b,ε b ); - variables tied before (X, Y ) and after the iteration (Z, X), - an approximation of the current input: EVAL (E, ρ ). Jérôme Feret 40 January 2009

71 Approximated reduced product y y x x Initial conditions Output refinement Jérôme Feret 41 January 2009

72 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 42 January 2009

73 Higher order simplified filters A simplified filter of class (k,l) is defined as a sequence: S n+p = a 1.S n a p.s n+p 1 + E n+p, where the polynomial P = X p a p.x p 1... a 1.X 0 has no multiple roots (in C) and can be factored into the product of k second order irreducible polynomials X 2 α i.x β i and l first order polynomials X δ j. Then, there exists sequences (x i n) n N and (y j n) n N such that: S n = ( Σ 1 i k x i n) + ( Σ 1 j l y j n) x i n+2 = α i.x i n+1 + β i.x i n + F i (E n+2, E n+1 ) y j n+1 = δ j.y j n + G j (E n+1 ). The initial outputs (x i 0, xi 1, yj 0 ) and filter inputs F i,g j are given by solving symbolic linear systems, they only depend on the roots of P. Jérôme Feret 43 January 2009

74 Higher order simplified filters Soundness of the factoring algorithm into irreducible polynomials is not required. Whenever we meet a higher order filter assignment τ, 1. we compute the characteristic polynomial P, 2. we compute a potentially unsound factoring P of P, 3. we expand P, 4. we consider the filter assignment τ such that the characteristic polynomial of τ is P, 5. we bound the difference between τ and τ (by using symbolic computation), 6. we integrate this bound into the input stream. Jérôme Feret 44 January 2009

75 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 45 January 2009

76 Other filters We have: { Sk = i k, 0 k < p S n+p = F(S n,...,s n+p 1 ) + G(E n+p+1 q,...,e n+p ) Having bounds: on the input sequence (E n ), and on the initial outputs (i k ) 0 k<p ; we want to infer a bound on the output sequence (S n ). Jérôme Feret 46 January 2009

77 Splitting S n We split the output sequence S n = R n + ε n into the contribution of the errors (ε n ); { εk = 0, 0 k < p; ε n+p = F(ε n,...,ε n+p 1 ) + err n+p we can use the simplified filter domain to limit (ε n ). the ideal sequence (R n ) (in the real field); { Rk = i k, 0 k < p R n+p = F(R n,...,r n+p 1 ) + G(E n+p+1 q,...,e n+p ) Jérôme Feret 47 January 2009

78 Bounding R n To refine the output, we need to bound the sequence R n : 1. We isolate the contribution of the N last inputs: R n = last N n (E n,...,e n+1 N ) + res N n. 2. Since the filter is linear, we have, for n > N + p: last N n = last N N+p; res N n can be limited by using the corresponding simplified filter domain. Jérôme Feret 48 January 2009

79 Abstract gain with respect to N Jérôme Feret 49 January 2009

80 Overview 1. Introduction 2. Case study 3. Concrete semantics 4. Generic aproximation 5. Filter extension 6. Post fixpoint inference of contracting function in floating-point arithmetics 7. Basic simplified filters 8. Other simplified filters 9. Filter expansion 10. Conclusion Jérôme Feret 50 January 2009

81 Benchmarks We analyze three programs in the same family on a AMD Opteron 248, 8 Gb of RAM (analyses use only 2 Gb of RAM). lines of C 70, , ,000 global variables 13,400 7,500 9,000 iterations time/iteration 52s 1mn18s 1mn16s 3mn07s 5mn08s 4mn40s 4mn35s 9mn25s 8mn17s analysis time 1h02mn 53mn 47mn 8h23mn 6h25mn 4h08mn 11h34mn 30h26mn 10h14mn false alarms without filter domains; 2. with simplified filter domains; 3. with expanded filter domains. Jérôme Feret 51 January 2009

82 Conclusion a highly generic framework to analyze programs with digital filtering: a technical knowledge of used filters allows the design of the adequate abstract domain; the case of linear filters is fully handled: We need to solve a symbolic linear system for each filter family. We need an unsound polynomial reduction algorithm for each filter instance. filter detection is left as a parameter: - term rebuilding can be used [Miné:VMCAI 2006]; This framework has been used and was necessary in the full certification of the absence of runtime error in industrial critical embedded software. Jérôme Feret 52 January 2009

Abstract Interpretation II

Abstract Interpretation II Semantics and Application to Program Verification Antoine Miné École normale supérieure, Paris year 2015 2016 Course 11 13 May 2016 Course 11 Abstract Interpretation II Antoine