A posteriori soundness for nondeterministic abstract - - PowerPoint PPT Presentation

A posteriori soundness for nondeterministic abstract interpretations

Matthew Might (University of Utah) Panagiotis Manolios (Northeastern University)

Questions you don’t want at your defense

Questions you don’t want at your defense

• “But, why did you prove it that way?”

Questions you don’t want at your defense

• “But, why did you prove it that way?”
• “But, why is that necessary?”

Questions you don’t want at your defense

• “But, why did you prove it that way?”
• “But, why is that necessary?”
• “So, why did the Cousots do it that way?”

• Where did it come from?
• How do you prove it sound?
• Why would you want to use it?

Nondeterministic Abstract Interpretation

• Where did it come from?
• How do you prove it sound?
• Why would you want to use it?

Nondeterministic Abstract Interpretation

• Frustration with the standard recipe.

• Where did it come from?
• How do you prove it sound?
• Why would you want to use it?

Nondeterministic Abstract Interpretation

• Frustration with the standard recipe.
• A posteriori proof technique.

• Where did it come from?
• How do you prove it sound?
• Why would you want to use it?

Nondeterministic Abstract Interpretation

• Frustration with the standard recipe.
• A posteriori proof technique.
• Better speed, better precision.

Outline

• Review standard recipe.
• Find annoyances.
• Get rid of them.

Define abstraction map: α : L → ˆ L Prove simulates under . α f ˆ f

The Standard Recipe

Define concrete state-space: L Define abstract state-space: ˆ L Define concrete semantics: f : L → L Define abstract semantics: ˆ f : ˆ L → ˆ L

Define abstraction map: α : L → ˆ L

The A Posteriori Recipe

Prove simulates under . α f ˆ f Execute abstract semantics to obtain . ˆ ℓ′ = ˆ f(ˆ ℓ) Define concrete state-space: L Define abstract state-space: ˆ L Define concrete semantics: f : L → L Define abstract semantics: ˆ f : ˆ L → ˆ L

Define abstraction map: α : L → ˆ L

The A Posteriori Recipe

Prove simulates under . α f ˆ ℓ′ Execute abstract semantics to obtain . ˆ ℓ′ = ˆ f(ˆ ℓ) Define concrete state-space: L Define abstract state-space: ˆ L Define concrete semantics: f : L → L Define abstract semantics: ˆ f : ˆ L → ˆ L

ˆ f : ˆ L → 2

ˆ L

Define abstract semantics: Define abstraction map: α : L → ˆ L

The A Posteriori Recipe

Prove simulates under . α f ˆ ℓ′ Execute abstract semantics to obtain . ˆ ℓ′ = ˆ f(ˆ ℓ) Define concrete state-space: L Define abstract state-space: ˆ L Define concrete semantics: f : L → L

Illustrating the Standard Recipe

Malloc: The Language

v := malloc()

Malloc: The Language

v := malloc() lab :

Concrete Semantics

State = Instruction × Store

Concrete Semantics

State = Instruction × Store f(ς) = ς′

Concrete Semantics

Fresh State = Instruction × Store f([ [v := malloc()] ] : i, σ) = (

• i, σ[v → a′])

Concrete Semantics

Fresh State = Instruction × Store a′ = alloc(ς) f([ [v := malloc()] ] : i, σ) = (

• i, σ[v → a′])

Concrete Semantics

Fresh State = Instruction × Store a′ = alloc(ς) = max(range(σ)) + 1 f([ [v := malloc()] ] : i, σ) = (

• i, σ[v → a′])

ˆ a = alloc(ˆ ς)

Abstract Semantics

• State = Instruction ×

Store ˆ f([ [v := malloc()] ] : i, ˆ σ) = (

• i, ˆ

σ[v → ˆ a]) (from some finite set)

What to allocate?

• Abstract addresses = Scarce resource
• Avoid over-allocation: Good for speed
• Avoid under-allocation: Good for precision

Example: Over-allocation

3 ˆ a1 ˆ a2

Example: Over-allocation

3 ˆ a1,2

Example: Under-allocation

3 4 ˆ a′

ˆ a1 ˆ a2

Example: Under-allocation

3 4

Allocation heuristics

Observation: Objects from like contexts act alike.

Allocation heuristics

Example:

• alloc([

[lab : . . .] ] : i, ) = lab Observation: Objects from like contexts act alike.

Annoyance: Soundness

α(ς) ⊑ ˆ ς α(f(ς)) ⊑ ˆ f(ˆ ς) If then

Annoyance: Soundness

α(ς) ⊑ ˆ ς If then αAddr(alloc(ς)) ⊑ alloc(ˆ ς)

The Issue

• alloc([

[lab : . . .] ] : i, ) = lab What abstraction map will work here? alloc( , σ) = max(range(σ)) + 1

Example

B : y := malloc() A : x := malloc() [x → , y → ] [ →A, → B] 1 2 1 2 αAddr = σ =

Example

B : y := malloc() A : x := malloc() [x → , y → ] [ →A, → B] 1 2 1 2 αAddr = σ =

Example

B : y := malloc() A : x := malloc() [x → , y → ] [ →A, → B] 1 2 1 2 αAddr = σ =

Example

B : y := malloc() A : x := malloc() [x → , y → ] [ →A, → B] 1 2 1 2 αAddr = σ =

Change the concrete semantics!

Standard Solution

Change the concrete semantics!

Standard Solution

alloc( , σ) = max(range(σ)) + 1 Addr = N

Change the concrete semantics! Addr = N × Lab

Standard Solution

alloc([ [lab : . . .] ], σ) = (max(range(σ)1) + 1, lab)

Change the concrete semantics! Addr = N × Lab

Standard Solution

alloc([ [lab : . . .] ], σ) = (max(range(σ)1) + 1, lab) α( , lab) = lab

Another problem: Heuristics sometimes make stupid decisions

Another problem: Heuristics sometimes make stupid decisions Why not adapt on the fly?

Example: Greedy Strategy

3 ˆ a1 Heuristic says, “Allocate , and bind 4.” ˆ a1

Example: Greedy Strategy

3 4 ˆ a1 Heuristic says, “Allocate , and bind 4.” ˆ a1

Example: Greedy Strategy

3 4 ˆ a1 Adaptive allocator says, “Try first.” r(ˆ a1) Heuristic says, “Allocate , and bind 4.” ˆ a1

Example: Greedy Strategy

3 4 ˆ a1 r(ˆ a1) Adaptive allocator says, “Try first.” r(ˆ a1) Heuristic says, “Allocate , and bind 4.” ˆ a1

Example: Greedy Strategy

3 ˆ a1 Heuristic says, “Allocate , and bind 3.” ˆ a2

Example: Greedy Strategy

3 ˆ a1 ˆ a2 Heuristic says, “Allocate , and bind 3.” ˆ a2

Example: Greedy Strategy

3 ˆ a1 ˆ a2 Adaptive allocator says, “Just use .” ˆ a1 Heuristic says, “Allocate , and bind 3.” ˆ a2

Example: Greedy Strategy

3 ˆ a1 Adaptive allocator says, “Just use .” ˆ a1 Heuristic says, “Allocate , and bind 3.” ˆ a2

Dynamic Optimization

Given m abstract addresses, how should they be allocated to maximize precision?

So, why not?

Can’t within confines of standard recipe. (Counter-example in paper.)

Making it so

• Factor allocation out of semantics.
• Make allocation nondeterministic.
• Prove nondeterministic allocation sound.

Making it so

Locative = Address

(But also times, bindings, contours, etc.)

Factoring out allocation

ς

f : State → State

ς ς′

f : State → State

ς

f : State → State

ς

F : State → Loc → State

ς

F : State → Loc → State

ς ς′ ℓ

F : State → Loc → State

ˆ ς

ˆ f : State → 2

• State

ˆ ς ˆ ς′ ˆ ς′′ ˆ ς′′′

ˆ f : State → 2

• State

ˆ ς

ˆ f : State → 2

• State

ˆ ς

ˆ F : State → 2

d Loc→ State

ˆ ς

ˆ F : State → 2

d Loc→ State

ˆ ς ˆ ς′ ˆ ς′′ ˆ ς′′′

ˆ F : State → 2

d Loc→ State

ˆ ℓ′ ˆ ℓ′′′ ˆ ℓ′′

Nondeterministic Abstract Interpretation

• Sealed abstract transition graphs.
• Factored abstraction maps.
• A posteriori soundness condition.

Nondeterministic Abstract Interpretation

Transition Graphs

• Nodes = States
• Edge = Transition labeled by chosen locative

Sealed Graphs

Graph is sealed under factored semantics iff every state has an edge to cover every transition.

Example: Unsealed Graph

Example: Unsealed Graph

ˆ ℓ1 ˆ ℓ2 ˆ ς

ˆ ℓ1 ˆ ℓ2 ˆ h1(ˆ ℓ1) ˆ h2(ˆ ℓ2) ˆ F(ˆ ς) = {ˆ h1, ˆ h2, ˆ h3} ˆ ς

ˆ ℓ1 ˆ ℓ2 ˆ h1(ˆ ℓ1) ˆ h2(ˆ ℓ2)

?

ˆ F(ˆ ς) = {ˆ h1, ˆ h2, ˆ h3} ˆ ς

Proving Sealed Graphs Sound

Factoring Abstraction

α : State → State

Factoring Abstraction

α : State → State β : (Loc → Loc) → (State → State)

Dependent Simulation

Dependent Simulation

ς

Dependent Simulation

ς ς′ ℓ

Dependent Simulation

ς ˆ ς′ ς′ ℓ β(αLoc[ℓ → ˆ ℓ])

Dependent Simulation

ς ˆ ς ˆ ς′ ς′ ℓ ˆ ℓ β(αLoc) β(αLoc[ℓ → ˆ ℓ])

A Posteriori Theorem

Dependent simulation → Abstraction always exists

Proof Highlights

• Reduces to existence of locative abstractor.
• Construct abstractor as limit of sequence:

αLoc = lim

i→N αi Loc

More in the paper

• Nondeterministic CFA: ∃CFA.
• More on greedy adaptive allocation.
• Discussion of global precision sensitivity.

Ongoing Work

• Empirical trials: 1.5x - 3x space, time savings
• Genetic algorithms
• Probabilistic allocation

So...

• Stop changing concrete semantics.
• Look beyond context for allocation.
• Don’t allocate context if bad for precision.

Thanks, y’all