Analyse statique de programmes numériques avec calculs flottants (Static analysis of numerical programs with floating-point computations) - PowerPoint PPT Presentation


SLIDE 1
Analyse statique de programmes numériques avec calculs flottants (Static analysis of numerical programs with floating-point computations)

4èmes Rencontres Arithmétique de l'Informatique Mathématique
Antoine Miné, École normale supérieure
9 February 2011, Perpignan

Footer on every slide: 9/02/2011, Analyse statique de programmes numériques, Antoine Miné, p. 1 / 63
SLIDE 2 (Introduction)
Outline

1 Introduction: Main goals; Theoretical background
2 Rational Abstractions: Interval domain; Polyhedra domain
3 Floating-Point Abstractions: Floating-point semantics; Floating-point interval domain; Expression linearization; Floating-point polyhedra
4 Conclusion
SLIDE 3 (Introduction)
Introduction
SLIDE 4 (Introduction / Main Goals)
Static analysis

Goal: static analysis [CousotCousot-ISP76], i.e. the static (automatic) discovery of dynamic (semantic) properties of programs.

Applications:
- compilation and optimisation, e.g.: array bound check elimination, alias analysis;
- verification, e.g.: infer invariants, prove the absence of run-time errors (division by zero, overflow, invalid array access), prove functional properties.

We focus here on numerical properties of numerical variables.
SLIDE 5 (Introduction / Main Goals)
Example: discovering numerical invariants

Insertion sort:

    for i=1 to 99 do
      p := T[i]; j := i+1;
      while j <= 100 and T[j] < p do
        T[j-1] := T[j]; j := j+1;
      end;
      T[j-1] := p;
    end;
SLIDE 6 (Introduction / Main Goals)
Example: discovering numerical invariants

Interval analysis of the insertion sort (invariant found after each statement):

    for i=1 to 99 do                         i ∈ [1, 99]
      p := T[i]; j := i+1;                   i ∈ [1, 99], j ∈ [2, 100]
      while j <= 100 and T[j] < p do         i ∈ [1, 99], j ∈ [2, 100]
        T[j-1] := T[j]; j := j+1;            i ∈ [1, 99], j ∈ [3, 101]
      end;                                   i ∈ [1, 99], j ∈ [2, 101]
      T[j-1] := p;
    end;

⟹ there is no out-of-bound array access.
SLIDE 7 (Introduction / Main Goals)
Example: discovering numerical invariants

Linear inequality analysis of the insertion sort (invariant found after each statement):

    for i=1 to 99 do                         i ∈ [1, 99]
      p := T[i]; j := i+1;                   i ∈ [1, 99], j = i + 1
      while j <= 100 and T[j] < p do         i ∈ [1, 99], i + 1 ≤ j ≤ 100
        T[j-1] := T[j]; j := j+1;            i ∈ [1, 99], i + 2 ≤ j ≤ 101
      end;                                   i ∈ [1, 99], i + 1 ≤ j ≤ 101
      T[j-1] := p;
    end;
SLIDE 8 (Introduction / Theoretical Background)
Theoretical background

Abstract interpretation: a unifying theory of program semantics [CousotCousot-POPL77]. It provides theoretical tools to design and compare static analyses that:
- always terminate;
- are approximate (this solves undecidability and efficiency issues);
- are sound by construction (no behavior is omitted).

Analysis design roadmap:
1 concrete semantics
2 abstract domains
SLIDE 9 (Introduction / Theoretical Background)
Concrete semantics

Concrete semantics: the most precise mathematical expression of the program behavior.

Example: from programs (control-flow graphs) to equation systems. The graph has locations 1 to 6 (entry at 1, loop invariant at 3) and the edges 1 →[X := ?(0,10)] 2, 2 →[Y := 100] 3, 3 →[X >= 0] 4, 4 →[X := X − 1] 5, 5 →[Y := Y + 10] 3 and 3 →[X < 0] 6, which give:

$\mathcal{X}_1 = \mathcal{D}$ (initial states)
$\mathcal{X}_2 = \mathcal{C}[\![X := ?(0,10)]\!]\,\mathcal{X}_1$
$\mathcal{X}_3 = \mathcal{C}[\![Y := 100]\!]\,\mathcal{X}_2 \cup \mathcal{C}[\![Y := Y + 10]\!]\,\mathcal{X}_5$
$\mathcal{X}_4 = \mathcal{C}[\![X \ge 0]\!]\,\mathcal{X}_3$
$\mathcal{X}_5 = \mathcal{C}[\![X := X - 1]\!]\,\mathcal{X}_4$
$\mathcal{X}_6 = \mathcal{C}[\![X < 0]\!]\,\mathcal{X}_3$

where $\mathcal{V} \overset{\text{def}}{=} \{X, Y\}$ is the set of variables, $\mathcal{D} \overset{\text{def}}{=} \mathcal{P}(\mathcal{V} \to \mathbb{Q})$ the set of sets of environments, $\mathcal{X}_i \in \mathcal{D}$ the reachable environments at location $i$, and $\mathcal{C}[\![c]\!]\,X$ models the effect of command $c$ on $X$.
SLIDE 10 (Introduction / Theoretical Background)
Concrete semantics (cont.)

Semantics of (non-deterministic) expressions and commands.

Expression semantics $\mathcal{E}[\![e]\!] : (\mathcal{V} \to \mathbb{Q}) \to \mathcal{P}(\mathbb{Q})$:
$\mathcal{E}[\![c]\!]\rho \overset{\text{def}}{=} \{c\}$
$\mathcal{E}[\![?(c, c')]\!]\rho \overset{\text{def}}{=} \{x \mid c \le x \le c'\}$
$\mathcal{E}[\![V]\!]\rho \overset{\text{def}}{=} \{\rho(V)\}$
$\mathcal{E}[\![-e]\!]\rho \overset{\text{def}}{=} \{-v \mid v \in \mathcal{E}[\![e]\!]\rho\}$
$\mathcal{E}[\![e_1 \diamond e_2]\!]\rho \overset{\text{def}}{=} \{v_1 \diamond v_2 \mid v_1 \in \mathcal{E}[\![e_1]\!]\rho,\ v_2 \in \mathcal{E}[\![e_2]\!]\rho,\ \diamond \neq / \lor v_2 \neq 0\}$ for $\diamond \in \{+, -, \times, /\}$ (a division by zero yields no value)

Command semantics $\mathcal{C}[\![c]\!] : \mathcal{P}(\mathcal{V} \to \mathbb{Q}) \to \mathcal{P}(\mathcal{V} \to \mathbb{Q})$:
$\mathcal{C}[\![V := e]\!]X \overset{\text{def}}{=} \{\rho[V \mapsto v] \mid \rho \in X,\ v \in \mathcal{E}[\![e]\!]\rho\}$
$\mathcal{C}[\![e \le 0]\!]X \overset{\text{def}}{=} \{\rho \mid \rho \in X,\ \exists v \in \mathcal{E}[\![e]\!]\rho,\ v \le 0\}$

(This can be extended to actual programming languages!)
SLIDE 11 (Introduction / Theoretical Background)
Concrete semantics (cont.)

- The equations have the form $\mathcal{X}_i = F_i(\mathcal{X}_1, \dots, \mathcal{X}_n)$.
- $(\mathcal{P}(\mathcal{V} \to \mathbb{Q}), \subseteq, \cup, \cap)$ is a complete lattice.
- All the $F_i$ are monotonic ($A \subseteq B \implies \mathcal{C}[\![c]\!]A \subseteq \mathcal{C}[\![c]\!]B$).

Constructive version of Tarski's theorem [Tarski-PJM55], [CousotCousot-PJM79]: the system has a least solution (the least fixpoint of the $F_i$); it is the limit of

$\mathcal{X}_i^0 \overset{\text{def}}{=} \emptyset$
$\mathcal{X}_i^{k+1} \overset{\text{def}}{=} F_i(\mathcal{X}_1^k, \dots, \mathcal{X}_n^k)$ for successor ordinals
$\mathcal{X}_i^{o} \overset{\text{def}}{=} \bigcup_{\delta < o} \mathcal{X}_i^{\delta}$ for limit ordinals

(Many kinds of semantics can be expressed in fixpoint form [Cousot-ENTCS97].)
SLIDE 12 (Introduction / Theoretical Background)
Undecidability

- Elements of $\mathcal{P}(\mathcal{V} \to \mathbb{Q})$ are not computer-representable.
- $\mathcal{C}[\![\cdot]\!]$ and $\cup$ are not computable.
- Least solutions of the equations are not computable (they may require transfinite iterations).

⟹ we use computable abstractions, i.e. computable sound over-approximations.
SLIDE 13 (Introduction / Theoretical Background)
Abstract domains

Abstract elements:
- $\mathcal{D}^\sharp$: a set of computer-representable elements;
- $\gamma : \mathcal{D}^\sharp \to \mathcal{D}$: the concretization;
- $\subseteq^\sharp$: an approximation order, with $X^\sharp \subseteq^\sharp Y^\sharp \implies \gamma(X^\sharp) \subseteq \gamma(Y^\sharp)$.

Abstract operators: $\mathcal{C}^\sharp[\![c]\!] : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ and $\cup^\sharp : (\mathcal{D}^\sharp \times \mathcal{D}^\sharp) \to \mathcal{D}^\sharp$, with the soundness conditions
$(\mathcal{C}[\![c]\!] \circ \gamma)(X^\sharp) \subseteq (\gamma \circ \mathcal{C}^\sharp[\![c]\!])(X^\sharp)$ and $\gamma(X^\sharp) \cup \gamma(Y^\sharp) \subseteq \gamma(X^\sharp \cup^\sharp Y^\sharp)$.

Fixpoint extrapolation: a widening $\triangledown : (\mathcal{D}^\sharp \times \mathcal{D}^\sharp) \to \mathcal{D}^\sharp$ such that
- soundness: $\gamma(X^\sharp) \cup \gamma(Y^\sharp) \subseteq \gamma(X^\sharp \triangledown Y^\sharp)$;
- termination: for every sequence $(Y^\sharp_i)_{i \in \mathbb{N}}$, the sequence $X^\sharp_0 = Y^\sharp_0$, $X^\sharp_{i+1} = X^\sharp_i \triangledown Y^\sharp_{i+1}$ stabilizes in finite time: $\exists n < \omega,\ X^\sharp_{n+1} = X^\sharp_n$.

Both semantic and algorithmic aspects matter.
SLIDE 14 (Introduction / Theoretical Background)
Abstract analysis

Principles: compute entirely in $\mathcal{D}^\sharp$; replace $\mathcal{C}[\![c]\!]$ with $\mathcal{C}^\sharp[\![c]\!]$ in the equations; iterate, using the widening $\triangledown$ at the loop heads $W$:

$X^\sharp_{i,0} \overset{\text{def}}{=} \bot^\sharp$
$X^\sharp_{i,k+1} \overset{\text{def}}{=} F^\sharp_i(X^\sharp_{1,k}, \dots, X^\sharp_{n,k})$ if $i \notin W$
$X^\sharp_{i,k+1} \overset{\text{def}}{=} X^\sharp_{i,k} \triangledown F^\sharp_i(X^\sharp_{1,k}, \dots, X^\sharp_{n,k})$ if $i \in W$

Theorem: the iterations stabilize in finite time $\delta < \omega$: $X^\sharp_{i,\delta+1} = X^\sharp_{i,\delta}$, and the result is sound: $\mathcal{X}_i \subseteq \gamma(X^\sharp_{i,\delta})$.
SLIDE 15 (Introduction / Theoretical Background)
Some existing numerical abstract domains

- Intervals: $X_i \in [a_i, b_i]$ [CousotCousot-ISP76]
- Simple congruences: $X_i \equiv a_i\ [b_i]$ [Granger-JCM89]
- Linear equalities: $\sum_i \alpha_i X_i = \beta$ [Karr-AI76]
- Linear congruences: $\sum_i \alpha_i X_i \equiv \beta\ [\gamma]$ [Granger-TAPSOFT91]
SLIDE 16 (Introduction / Theoretical Background)
Some existing numerical abstract domains (cont.)

- Polyhedra: $\sum_i \alpha_i X_i \ge \beta$ [CousotHalbwachs-POPL78]
- Octagons: $\pm X_i \pm X_j \le \beta$ [Miné-WCRE01]
- Ellipsoids: $\alpha X_i^2 + \beta X_j^2 + \gamma X_i X_j \le \delta$ [Feret-ESOP04]
- Varieties: $P(\vec{X}) = 0$, $P \in \mathbb{R}[\mathcal{V}]$ [SankaranarayananAl-POPL04]
SLIDE 17 (Introduction / Theoretical Background)
Precision vs. cost tradeoff

Example: three abstractions of the same set of points (figure).

Worst-case time cost per operation with respect to the number of variables:
- polyhedra: exponential
- octagons: cubic
- intervals: linear
SLIDE 18 (Rational Abstractions)
Rational Numerical Abstract Domains
SLIDE 19 (Rational Abstractions / Interval Domain)
Interval Domain
SLIDE 20 (Rational Abstractions / Interval Domain)
Interval abstract elements

Abstract elements:
$\mathbb{I} \overset{\text{def}}{=} \{(a, b) \mid a \in \mathbb{Q} \cup \{-\infty\},\ b \in \mathbb{Q} \cup \{+\infty\},\ a \le b\}$ (intervals as pairs of bounds)
$\mathcal{D}^\sharp \overset{\text{def}}{=} (\mathcal{V} \to \mathbb{I}) \cup \{\bot^\sharp\}$

Concretization:
$\gamma(\bot^\sharp) \overset{\text{def}}{=} \emptyset$
$\gamma(X^\sharp) \overset{\text{def}}{=} \{\rho \mid \forall V,\ \rho(V) \in \gamma_{\mathbb{I}}(X^\sharp(V))\}$ if $X^\sharp \neq \bot^\sharp$, where $\gamma_{\mathbb{I}}(a, b) \overset{\text{def}}{=} \{x \in \mathbb{Q} \mid a \le x \le b\}$

Order:
$X^\sharp \subseteq^\sharp Y^\sharp \overset{\text{def}}{\iff} X^\sharp = \bot^\sharp \lor (X^\sharp, Y^\sharp \neq \bot^\sharp \land \forall V,\ X^\sharp(V) \subseteq_{\mathbb{I}} Y^\sharp(V))$, where $(a, b) \subseteq_{\mathbb{I}} (a', b') \overset{\text{def}}{\iff} a \ge a' \land b \le b'$
SLIDE 21 (Rational Abstractions / Interval Domain)
Interval abstract operators

Interval arithmetic in $\mathbb{I}$:
$-_{\mathbb{I}}(a, b) \overset{\text{def}}{=} (-b, -a)$
$(a, b) +_{\mathbb{I}} (c, d) \overset{\text{def}}{=} (a + c,\ b + d)$
$(a, b) -_{\mathbb{I}} (c, d) \overset{\text{def}}{=} (a - d,\ b - c)$
$(a, b) \times_{\mathbb{I}} (c, d) \overset{\text{def}}{=} (\min(ac, ad, bc, bd),\ \max(ac, ad, bc, bd))$
$(a, b) \cup_{\mathbb{I}} (c, d) \overset{\text{def}}{=} (\min(a, c),\ \max(b, d))$
...

Join $\cup^\sharp$ in $\mathcal{D}^\sharp$:
$X^\sharp \cup^\sharp Y^\sharp \overset{\text{def}}{=} X^\sharp$ if $Y^\sharp = \bot^\sharp$; $Y^\sharp$ if $X^\sharp = \bot^\sharp$; $\lambda V.\ X^\sharp(V) \cup_{\mathbb{I}} Y^\sharp(V)$ if $X^\sharp, Y^\sharp \neq \bot^\sharp$
(optimal, but not exact: in general $\gamma(X^\sharp) \cup \gamma(Y^\sharp) \subsetneq \gamma(X^\sharp \cup^\sharp Y^\sharp)$)
SLIDE 22 (Rational Abstractions / Interval Domain)
Interval assignment

Abstract expression evaluation $\mathcal{E}^\sharp[\![e]\!] : \mathcal{D}^\sharp \to \mathbb{I}$ (for $X^\sharp \neq \bot^\sharp$):
$\mathcal{E}^\sharp[\![c]\!]X^\sharp \overset{\text{def}}{=} (c, c)$
$\mathcal{E}^\sharp[\![?(c, c')]\!]X^\sharp \overset{\text{def}}{=} (c, c')$
$\mathcal{E}^\sharp[\![V]\!]X^\sharp \overset{\text{def}}{=} X^\sharp(V)$
$\mathcal{E}^\sharp[\![-e]\!]X^\sharp \overset{\text{def}}{=} -_{\mathbb{I}}\,\mathcal{E}^\sharp[\![e]\!]X^\sharp$
$\mathcal{E}^\sharp[\![e_1 \diamond e_2]\!]X^\sharp \overset{\text{def}}{=} \mathcal{E}^\sharp[\![e_1]\!]X^\sharp \diamond_{\mathbb{I}} \mathcal{E}^\sharp[\![e_2]\!]X^\sharp$

Abstract command semantics $\mathcal{C}^\sharp[\![c]\!] : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$:
$\mathcal{C}^\sharp[\![V := e]\!]X^\sharp \overset{\text{def}}{=} \bot^\sharp$ if $X^\sharp = \bot^\sharp$; $X^\sharp[V \mapsto \mathcal{E}^\sharp[\![e]\!]X^\sharp]$ if $X^\sharp \neq \bot^\sharp$
SLIDE 23 (Rational Abstractions / Interval Domain)
Interval test example

$\mathcal{C}^\sharp[\![X + Y - Z \le 0]\!]X^\sharp$, with $X^\sharp = \{X \mapsto (0, 10),\ Y \mapsto (2, 10),\ Z \mapsto (3, 5)\}$. The expression tree $(X + Y) - Z$ is annotated in three stages (figure):

1. Bottom-up evaluation: leaves X (0, 10), Y (2, 10), Z (3, 5); node X + Y: (2, 20); root (X + Y) − Z: (−3, 17).
2. The test is applied at the root: (−3, 17) ∩ (−∞, 0] = (−3, 0); the other nodes are unchanged.
3. Top-down propagation: X + Y is refined to (2, 5) and Z stays (3, 5); then X is refined to (0, 3) and Y to (2, 5).

Result: $\{X \mapsto (0, 3),\ Y \mapsto (2, 5),\ Z \mapsto (3, 5)\}$.
SLIDE 24 (Rational Abstractions / Interval Domain)
Interval widening

Classic widening $\triangledown$ in $\mathcal{D}^\sharp$:
$X^\sharp \triangledown Y^\sharp \overset{\text{def}}{=} X^\sharp$ if $Y^\sharp = \bot^\sharp$; $Y^\sharp$ if $X^\sharp = \bot^\sharp$; $\lambda V.\ X^\sharp(V) \triangledown_{\mathbb{I}} Y^\sharp(V)$ if $X^\sharp, Y^\sharp \neq \bot^\sharp$
where $(a, b) \triangledown_{\mathbb{I}} (c, d) \overset{\text{def}}{=} \big(a \text{ if } a \le c \text{ else } -\infty,\ \ b \text{ if } b \ge d \text{ else } +\infty\big)$

Unstable bounds are set to ±∞.

Widening with thresholds: parametrized by a finite set $T$. If $b < d$, bump the upper bound to the next value in $T$ greater than $d$ (or $+\infty$ if there is none).
SLIDE 25 (Rational Abstractions / Interval Domain)
Interval analysis example

Analysis example with $W = \{2\}$. Control-flow graph: 1 →[X := 0] 2, 2 →[X < 40] 3, 3 →[X := X + 1] 2, 2 →[X >= 40] 4.

Iterates $X^{\sharp k}_\ell$ per location ℓ (widening applied at location 2):

    ℓ     X♯0   X♯1   X♯2   X♯3   X♯4        X♯5
    1     ⊤♯    ⊤♯    ⊤♯    ⊤♯    ⊤♯         ⊤♯
    2 ▽   ⊥♯    = 0   = 0   ≥ 0   ≥ 0        ≥ 0
    3     ⊥♯    ⊥♯    = 0   = 0   ∈ [0, 39]  ∈ [0, 39]
    4     ⊥♯    ⊥♯    ⊥♯    ⊥♯    ≥ 40       ≥ 40

More precisely, at the widening point:
$X^{\sharp 1}_2 = \bot^\sharp \triangledown ([0, 0] \cup^\sharp \bot^\sharp) = \bot^\sharp \triangledown [0, 0] = [0, 0]$
$X^{\sharp 2}_2 = [0, 0] \triangledown ([0, 0] \cup^\sharp \bot^\sharp) = [0, 0] \triangledown [0, 0] = [0, 0]$
$X^{\sharp 3}_2 = [0, 0] \triangledown ([0, 0] \cup^\sharp [1, 1]) = [0, 0] \triangledown [0, 1] = [0, +\infty[$
$X^{\sharp 4}_2 = [0, +\infty[\ \triangledown ([0, 0] \cup^\sharp [1, 40]) = [0, +\infty[\ \triangledown [0, 40] = [0, +\infty[$

Note that the most precise interval abstraction would be $X \in [0, 40]$ at location 2 and $X = 40$ at location 4.
SLIDE 26 (Rational Abstractions / Polyhedra Domain)
Polyhedra Domain
SLIDE 27 (Rational Abstractions / Polyhedra Domain)
Polyhedra domain

Domain proposed by [CousotHalbwachs-POPL78] to infer conjunctions of linear inequalities $\bigwedge_j \big(\sum_{i=1}^n \alpha_{ij} V_i \ge \beta_j\big)$.

Abstract elements:
$\mathit{LinCons} \overset{\text{def}}{=}$ linear constraints over $\mathcal{V}$ with coefficients in $\mathbb{Q}$
$\mathcal{D}^\sharp \overset{\text{def}}{=} \mathcal{P}_{\mathit{finite}}(\mathit{LinCons})$

Concretization:
$\gamma(X^\sharp) \overset{\text{def}}{=} \{\rho \in \mathcal{V} \to \mathbb{Q} \mid \forall c \in X^\sharp,\ \rho \models c\}$
- $\gamma(X^\sharp)$ is a closed convex polyhedron of $(\mathcal{V} \to \mathbb{Q}) \simeq \mathbb{Q}^{|\mathcal{V}|}$;
- $\gamma(X^\sharp)$ may be empty, bounded, or unbounded;
- $\gamma$ is not injective.
SLIDE 28 (Rational Abstractions / Polyhedra Domain)
Polyhedra algorithms

Fourier-Motzkin elimination: $\mathit{Fourier}(X^\sharp, V_k)$ eliminates $V_k$ from all the constraints in $X^\sharp$:

$\mathit{Fourier}(X^\sharp, V_k) \overset{\text{def}}{=} \{(\sum_i \alpha_i V_i \ge \beta) \in X^\sharp \mid \alpha_k = 0\}\ \cup\ \{(-\alpha^-_k)\,c^+ + \alpha^+_k\,c^- \mid c^+ = (\sum_i \alpha^+_i V_i \ge \beta^+) \in X^\sharp,\ \alpha^+_k > 0,\ c^- = (\sum_i \alpha^-_i V_i \ge \beta^-) \in X^\sharp,\ \alpha^-_k < 0\}$

Semantics: $\gamma(\mathit{Fourier}(X^\sharp, V_k)) = \{\rho[V_k \mapsto v] \mid v \in \mathbb{Q},\ \rho \in \gamma(X^\sharp)\}$, i.e. forget the value of $V_k$.
SLIDE 29 (Rational Abstractions / Polyhedra Domain)
Polyhedra algorithms

Linear programming [Schrijver-86]:
$\mathit{simplex}(X^\sharp, \vec\alpha) \overset{\text{def}}{=} \min\{\sum_i \alpha_i \rho(V_i) \mid \rho \in \gamma(X^\sharp)\}$

Application: remove redundant constraints. For each $c = (\sum_i \alpha_i V_i \ge \beta) \in X^\sharp$, if $\beta \le \mathit{simplex}(X^\sharp \setminus \{c\}, \vec\alpha)$, then remove $c$ from $X^\sharp$. (For instance, Fourier-Motzkin elimination causes a quadratic growth in the number of constraints, most of which are redundant.)

Note: calling simplex many times can be costly:
- use fast syntactic checks first;
- check against the bounding box first;
- use simplex as a last resort.
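Fourier-Motzkin elimination over rational constraints, as an added worked example in Python for slides 28 and 29 (not code from the slides or from any polyhedra library). It eliminates a variable exactly as in the definition above, applies only the cheap syntactic redundancy checks the second slide recommends (tautologies, duplicates, the infeasible constraint 0 ≥ β with β > 0; no simplex), and checks the projection semantics on the insertion-sort constraints of slide 7. The constraint encoding and that sample system are this example's own.

```python
from fractions import Fraction as Fr

# A constraint is (coeffs, beta) and reads  sum_i coeffs[i] * V_i >= beta  (slide 27).

def fourier(cons, k):
    """Fourier-Motzkin elimination of variable k (slide 28): keep the constraints that
    do not mention V_k and add, for every pair c+ (alpha_k > 0) and c- (alpha_k < 0),
    the positive combination (-alpha_k^-) c+ + alpha_k^+ c-, in which V_k cancels."""
    out = [c for c in cons if c[0][k] == 0]
    pos = [c for c in cons if c[0][k] > 0]
    neg = [c for c in cons if c[0][k] < 0]
    for ap, bp in pos:
        for an, bn in neg:
            lp, ln = -an[k], ap[k]            # both multipliers are > 0
            coeffs = tuple(lp * x + ln * y for x, y in zip(ap, an))
            out.append((coeffs, lp * bp + ln * bn))
    return out

def syntactic_cleanup(cons):
    """The "fast syntactic checks" of slide 29: drop tautologies 0 >= beta with
    beta <= 0, report bottom on 0 >= beta with beta > 0, scale every constraint so its
    largest |coefficient| is 1, and drop exact duplicates.  Returns None for bottom."""
    seen, out = set(), []
    for coeffs, beta in cons:
        if all(a == 0 for a in coeffs):
            if beta > 0:
                return None                   # 0 >= beta > 0: the polyhedron is empty
            continue
        scale = max(abs(a) for a in coeffs)
        key = (tuple(Fr(a) / scale for a in coeffs), Fr(beta) / scale)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out

def satisfies(cons, rho):
    """rho |= c for every c in cons, i.e. membership in gamma(X#)."""
    return all(sum(a * r for a, r in zip(coeffs, rho)) >= beta for coeffs, beta in cons)

# Constructed sample: the loop-head invariant of slide 7 over (i, j):
#   i >= 1,  i <= 99,  j >= i + 1,  j <= 100
LOOP_HEAD = [((1, 0), 1), ((-1, 0), -99), ((-1, 1), 1), ((0, -1), -100)]

def project_out_i():
    """Forget i (variable 0): the result should be j in [2, 100], as on slide 6."""
    return syntactic_cleanup(fourier(LOOP_HEAD, 0))
```

The combination of i ≥ 1 with −i ≥ −99 produces the tautology 0 ≥ −98, which is exactly the kind of redundant output the slide warns about; the cleanup drops it and only j ≥ 2 and −j ≥ −100 remain.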
SLIDE 30 (Rational Abstractions / Polyhedra Domain)
Polyhedra abstract operators

Order $\subseteq^\sharp$:
$X^\sharp \subseteq^\sharp Y^\sharp \overset{\text{def}}{\iff} \forall (\sum_i \alpha_i V_i \ge \beta) \in Y^\sharp,\ \mathit{simplex}(X^\sharp, \vec\alpha) \ge \beta$, which is equivalent to $\gamma(X^\sharp) \subseteq \gamma(Y^\sharp)$
$X^\sharp =^\sharp Y^\sharp \overset{\text{def}}{\iff} X^\sharp \subseteq^\sharp Y^\sharp \land Y^\sharp \subseteq^\sharp X^\sharp$

Join $\cup^\sharp$ [BenoyKing-LOPSTR96]: we introduce temporaries $V^X_j, V^Y_j, \sigma^X, \sigma^Y$:

$X^\sharp \cup^\sharp Y^\sharp \overset{\text{def}}{=} \mathit{Fourier}\big(\{(\sum_j \alpha_j V^X_j - \beta\sigma^X \ge 0) \mid (\sum_j \alpha_j V_j \ge \beta) \in X^\sharp\}\ \cup\ \{(\sum_j \alpha_j V^Y_j - \beta\sigma^Y \ge 0) \mid (\sum_j \alpha_j V_j \ge \beta) \in Y^\sharp\}\ \cup\ \{V_j = V^X_j + V^Y_j \mid V_j \in \mathcal{V}\}\ \cup\ \{\sigma^X \ge 0,\ \sigma^Y \ge 0,\ \sigma^X + \sigma^Y = 1\},\ \ \{V^X_j, V^Y_j \mid V_j \in \mathcal{V}\} \cup \{\sigma^X, \sigma^Y\}\big)$

$\gamma(X^\sharp \cup^\sharp Y^\sharp)$ is the topological closure of the convex hull of $\gamma(X^\sharp)$ and $\gamma(Y^\sharp)$ (optimal).
SLIDE 31 (Rational Abstractions / Polyhedra Domain)
Polyhedra abstract operators (cont.)

Precise abstract commands (exact):
$\mathcal{C}^\sharp[\![\sum_i \alpha_i V_i + \beta \le 0]\!]X^\sharp \overset{\text{def}}{=} X^\sharp \cup \{(\sum_i \alpha_i V_i + \beta \le 0)\}$
$\mathcal{C}^\sharp[\![V_j := [-\infty, +\infty]]\!]X^\sharp \overset{\text{def}}{=} \mathit{Fourier}(X^\sharp, V_j)$
$\mathcal{C}^\sharp[\![V_j := \sum_i \alpha_i V_i + \beta]\!]X^\sharp \overset{\text{def}}{=} \mathit{subst}\big(V \mapsto V_j,\ \mathit{Fourier}(X^\sharp \cup \{V = \sum_i \alpha_i V_i + \beta\},\ V_j)\big)$ (with $V$ a fresh temporary)

Fallback abstract commands (coarse but sound):
$\mathcal{C}^\sharp[\![e \le 0]\!]X^\sharp \overset{\text{def}}{=} X^\sharp$
$\mathcal{C}^\sharp[\![V_j := e]\!]X^\sharp \overset{\text{def}}{=} \mathit{Fourier}(X^\sharp, V_j)$
Alternate solution: apply the interval abstract commands to the bounding box.
SLIDE 32 (Rational Abstractions / Polyhedra Domain)
Polyhedra widening

Classic widening $\triangledown$ in $\mathcal{D}^\sharp$:
$X^\sharp \triangledown Y^\sharp \overset{\text{def}}{=} \{c \in X^\sharp \mid Y^\sharp \subseteq^\sharp \{c\}\}\ \cup\ \{c \in Y^\sharp \mid \exists c' \in X^\sharp,\ X^\sharp =^\sharp (X^\sharp \setminus \{c'\}) \cup \{c\}\}$

- suppress the unstable constraints, i.e. $c \in X^\sharp$ with $Y^\sharp \not\subseteq^\sharp \{c\}$;
- add back the constraints $c \in Y^\sharp$ equivalent to those in $X^\sharp$, i.e. when $\exists c' \in X^\sharp,\ X^\sharp =^\sharp (X^\sharp \setminus \{c'\}) \cup \{c\}$.

($X^\sharp$ and $Y^\sharp$ must have no redundant constraint.)

Example: (figure)
SLIDE 33 (Rational Abstractions / Polyhedra Domain)
Analysis example

Rate limiter:

    Y:=0;
    while true do
    •  X:=?(-128,128); D:=?(0,16); S:=Y; Y:=X; R:=X-S;
       if R+D<=0 then Y:=S-D fi;
       if R-D>=0 then Y:=S+D fi
    od

X: input signal; Y: output signal; S: last output; R: delta Y − S; D: maximum allowed for |R|.

Polyhedra analysis result: at •, Y ∈ [−128, 128]. To prove, e.g., Y ≥ −128, the analysis needs to:
- represent the properties R = X − S and R ≤ −D;
- combine them to deduce S − X ≥ D, and then Y = S − D ≥ X.
SLIDE 34 (Rational Abstractions / Polyhedra Domain)
Analysis example

Rate limiter (same program and variable legend as slide 33).

Interval analysis, iterations without widening at •:

    X♯•,0   X♯•,1      X♯•,2      ...   X♯•,n
    Y = 0   |Y| ≤ 144  |Y| ≤ 160  ...   |Y| ≤ 128 + 16n

i.e., no bound on Y can be found.
SLIDE 35 (Floating-point abstractions)
Floating-point abstractions
SLIDE 36 (Floating-point abstractions)
Floating-point uses

Two independent problems:
- Implement the analyzer using floating-point. Goal: trade precision for efficiency; exact rational arithmetic can be costly; coefficients can grow large (polyhedra).
- Analyze floating-point programs. Goal: catch run-time errors caused by rounding (overflow, division by 0, ...).

Also: a floating-point analyzer for floating-point programs.

Challenge: how to stay sound?
SLIDE 37 (Floating-point abstractions / Floating-point semantics)
Floating-point semantics
SLIDE 38 (Floating-point abstractions / Floating-point semantics)
Floating-point numbers

The IEEE 754-1985 standard is the most widespread format (supported by most processors and programming languages).

IEEE binary representation: a number is a triple $\langle s, e, f \rangle$:
- a 1-bit sign $s$;
- an $x$-bit exponent $e$, with a bias ($e$ represents $e - \mathit{bias}$);
- a $p$-bit fraction $f = .b_1 \dots b_p$ ($f$ represents $\sum_i 2^{-i} b_i$).

IEEE formats are given by the choice of $x$, $\mathit{bias}$, $p$. 32-bit single precision float: $x = 8$, $\mathit{bias} = 127$, $p = 23$. Other widespread formats: 64-bit double, 80-bit double extended, 128-bit quad.
SLIDE 39 (Floating-point abstractions / Floating-point semantics)
Floating-point representation

Semantics: $\langle s, e, f \rangle$ represents either
- a normalized number $(-1)^s \times 2^{e - \mathit{bias}} \times 1.f$ (if $1 \le e \le 2^x - 2$);
- a denormalized number $(-1)^s \times 2^{1 - \mathit{bias}} \times 0.f$ (if $e = 0$, $f \neq 0$);
- $+0$ or $-0$ (if $e = 0$, $f = 0$);
- $+\infty$ or $-\infty$ (if $e = 2^x - 1$, $f = 0$);
- an error code NaN (if $e = 2^x - 1$, $f \neq 0$).

Visual representation (positive part, figure): $+0$, then the denormalized numbers from $m_f$, then the normalized numbers up to $M_f$, then $+\infty$, where
$m_f \overset{\text{def}}{=} 2^{1 - \mathit{bias} - p}$ is the smallest positive float and
$M_f \overset{\text{def}}{=} (2 - 2^{-p}) \times 2^{2^x - \mathit{bias} - 2}$ is the largest non-∞ float.
SLIDE 40 (Floating-point abstractions / Floating-point semantics)
Floating-point computations

The set of floating-point numbers is not closed under +, −, ×, /:
- every result is rounded to a representable float;
- an overflow or a division by 0 generates $+\infty$ or $-\infty$ (overflow);
- small numbers are truncated to $+0$ or $-0$ (underflow);
- some operations are invalid ($0/0$, $(+\infty) + (-\infty)$, etc.) and return NaN.

Simplified semantics:
- overflows and NaNs halt the program with an error $\Omega$;
- rounding and underflow are not errors;
- we do not distinguish between $+0$ and $-0$.

⟹ variable values live in a finite subset $\mathbb{F}$ of $\mathbb{Q}$; expression values live in $\mathbb{F} \cup \{\Omega\}$.
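A decoder for the single-precision encoding of slides 38 to 40, as an added worked example in Python (not code from the slides). It splits a 32-bit pattern into the triple ⟨s, e, f⟩, classifies it into the five cases of slide 39 with its exact value as a Fraction, computes $m_f$ and $M_f$ from the same parameters, and cross-checks the decoding against the C float type through the struct module. The bit patterns used as inputs are constructed for the example.

```python
import struct
from fractions import Fraction

# Single-precision parameters from slide 38: x exponent bits, bias, p fraction bits.
X_BITS, BIAS, P = 8, 127, 23
E_MAX = (1 << X_BITS) - 1          # all-ones exponent: infinities and NaNs

M_F = (2 - Fraction(1, 2**P)) * Fraction(2) ** (2**X_BITS - BIAS - 2)   # largest non-oo float
m_f = Fraction(2) ** (1 - BIAS - P)                                     # smallest positive float

def decode(bits):
    """Interpret a 32-bit pattern as <s, e, f> and return (case, exact value) following
    slide 39.  Infinities and NaN carry no value: the simplified semantics of slide 40
    treats them as the error Omega, and +0/-0 are both reported as zero."""
    s = bits >> (X_BITS + P)
    e = (bits >> P) & E_MAX
    f = bits & ((1 << P) - 1)
    sign = -1 if s else 1
    frac = Fraction(f, 1 << P)                       # f = .b1 ... bp
    if e == E_MAX:
        return ("infinity", None) if f == 0 else ("NaN", None)
    if e == 0:
        if f == 0:
            return ("zero", Fraction(0))
        return ("denormalized", sign * Fraction(2) ** (1 - BIAS) * frac)
    return ("normalized", sign * Fraction(2) ** (e - BIAS) * (1 + frac))

def hardware_value(bits):
    """The same pattern read back through the C float type, for cross-checking."""
    v = struct.unpack("<f", struct.pack("<I", bits))[0]
    return None if v != v or v in (float("inf"), -float("inf")) else Fraction(v)

def agrees_with_hardware(bits):
    return decode(bits)[1] == hardware_value(bits)
```

The two extreme patterns 0x7F7FFFFF and 0x00000001 decode to exactly $M_f$ and $m_f$ as defined on slide 39, which is a quick way to check the formulas for a new format: change X_BITS, BIAS and P and the decoder follows.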
SLIDE 41 (Floating-point abstractions / Floating-point semantics)
Floating-point expressions

Floating-point expressions $\mathit{exp}_f$:
$\mathit{exp}_f ::= [c, c']$ (constant range, $c, c' \in \mathbb{F}$, $c \le c'$) $\mid V$ (variable, $V \in \mathcal{V}$) $\mid \ominus \mathit{exp}_f$ (negation) $\mid \mathit{exp}_f \odot_r \mathit{exp}_f$ (operator $\odot \in \{\oplus, \ominus, \otimes, \oslash\}$ with rounding mode $r$)

(We use circled operators to distinguish them from the operators in $\mathbb{Q}$.)
SLIDE 42 (Floating-point abstractions / Floating-point semantics)
Concrete semantics of expressions

Semantics of rounding: $R_r : \mathbb{Q} \to \mathbb{F} \cup \{\Omega\}$, with 4 rounding modes $r$: towards $+\infty$, towards $-\infty$, towards 0, or to nearest $n$. Example definitions:
$R_{+\infty}(x) \overset{\text{def}}{=} \min\{y \in \mathbb{F} \mid y \ge x\}$ if $x \le M_f$; $\Omega$ if $x > M_f$
$R_{-\infty}(x) \overset{\text{def}}{=} \max\{y \in \mathbb{F} \mid y \le x\}$ if $x \ge -M_f$; $\Omega$ if $x < -M_f$

Notes: $\forall x, r,\ R_{-\infty}(x) \le R_r(x) \le R_{+\infty}(x)$; $\forall r$, $R_r$ is monotonic.
SLIDE 43 (Floating-point abstractions / Floating-point semantics)
Concrete semantics of expressions (cont.)

Expression semantics $\mathcal{E}[\![e_f]\!] : (\mathcal{V} \to \mathbb{F}) \to \mathcal{P}(\mathbb{F} \cup \{\Omega\})$:
$\mathcal{E}[\![V]\!]\rho \overset{\text{def}}{=} \{\rho(V)\}$
$\mathcal{E}[\![[c, c']]\!]\rho \overset{\text{def}}{=} \{x \in \mathbb{F} \mid c \le x \le c'\}$
$\mathcal{E}[\![\ominus e_f]\!]\rho \overset{\text{def}}{=} \{-x \mid x \in \mathcal{E}[\![e_f]\!]\rho \cap \mathbb{F}\} \cup (\{\Omega\} \cap \mathcal{E}[\![e_f]\!]\rho)$
$\mathcal{E}[\![e_f \odot_r e'_f]\!]\rho \overset{\text{def}}{=} \{R_r(x \cdot y) \mid x \in \mathcal{E}[\![e_f]\!]\rho \cap \mathbb{F},\ y \in \mathcal{E}[\![e'_f]\!]\rho \cap \mathbb{F}\}\ \cup\ \{\Omega \mid \text{if } \Omega \in \mathcal{E}[\![e_f]\!]\rho \cup \mathcal{E}[\![e'_f]\!]\rho\}\ \cup\ \{\Omega \mid \text{if } 0 \in \mathcal{E}[\![e'_f]\!]\rho \text{ and } \odot = \oslash\}$
(where $x \cdot y$ is the exact rational operation corresponding to $\odot$)

Command semantics $\mathcal{C}[\![c]\!] : \mathcal{P}(\mathcal{V} \to \mathbb{F}) \to \mathcal{P}((\mathcal{V} \to \mathbb{F}) \cup \{\Omega\})$:
$\mathcal{C}[\![V := e_f]\!]X \overset{\text{def}}{=} \{\rho[V \mapsto v] \mid \rho \in X,\ v \in \mathcal{E}[\![e_f]\!]\rho \cap \mathbb{F}\} \cup (\{\Omega\} \cap \mathcal{E}[\![e_f]\!]X)$
$\mathcal{C}[\![e_f \le 0]\!]X \overset{\text{def}}{=} \{\rho \mid \rho \in X,\ \exists v \in \mathcal{E}[\![e_f]\!]\rho \cap \mathbb{F},\ v \le 0\} \cup (\{\Omega\} \cap \mathcal{E}[\![e_f]\!]X)$
(where $\mathcal{E}[\![e_f]\!]X$ stands for $\bigcup_{\rho \in X} \mathcal{E}[\![e_f]\!]\rho$)
SLIDE 44 (Floating-point abstractions / Floating-point interval domain)
Floating-point interval domain
SLIDE 45 (Floating-point abstractions / Floating-point interval domain)
Floating-point interval abstract elements

Goals: analyze floating-point programs, abstracted using a floating-point implementation; report infinities and NaN as errors.

Abstract elements:
$\mathbb{I} \overset{\text{def}}{=} \{(a, b) \mid a, b \in \mathbb{F},\ a \le b\}$ (floating-point bounds)
$\mathcal{D}^\sharp \overset{\text{def}}{=} (\mathcal{V} \to \mathbb{I}) \cup \{\bot^\sharp\}$

Concretization:
$\gamma(\bot^\sharp) \overset{\text{def}}{=} \emptyset$
$\gamma(X^\sharp) \overset{\text{def}}{=} \{\rho \mid \forall V,\ \rho(V) \in \gamma_{\mathbb{I}}(X^\sharp(V))\}$ if $X^\sharp \neq \bot^\sharp$, where $\gamma_{\mathbb{I}}(a, b) \overset{\text{def}}{=} \{x \in \mathbb{F} \mid a \le x \le b\}$
SLIDE 46 (Floating-point abstractions / Floating-point interval domain)
Floating-point interval domain

Interval arithmetic with directed rounding:
$\ominus_{\mathbb{I}}(a, b) \overset{\text{def}}{=} (\ominus b, \ominus a)$
$(a, b) \oplus_{\mathbb{I}} (a', b') \overset{\text{def}}{=} (a \oplus_{-\infty} a',\ b \oplus_{+\infty} b')$
$(a, b) \ominus_{\mathbb{I}} (a', b') \overset{\text{def}}{=} (a \ominus_{-\infty} b',\ b \ominus_{+\infty} a')$
$(a, b) \otimes_{\mathbb{I}} (a', b') \overset{\text{def}}{=} (\min(a \otimes_{-\infty} a',\ a \otimes_{-\infty} b',\ b \otimes_{-\infty} a',\ b \otimes_{-\infty} b'),\ \max(a \otimes_{+\infty} a',\ a \otimes_{+\infty} b',\ b \otimes_{+\infty} a',\ b \otimes_{+\infty} b'))$
$(a, b) \cup_{\mathbb{I}} (a', b') \overset{\text{def}}{=} (\min(a, a'),\ \max(b, b'))$
$\triangledown_{\mathbb{I}}$ sets unstable bounds to $\pm M_f$.

(We suppose the program's rounding mode $r$ is unknown and assume a worst-case rounding.)

Error management: if some bound in $\mathcal{E}^\sharp[\![e_f]\!]$ evaluates to ±∞ or NaN, we report an alarm to the user and continue the evaluation with $(-M_f, M_f)$.
SLIDE 47 (Floating-point abstractions / Floating-point interval domain)
Floating-point interval analysis example

Filter with reinitialisation:

    Z:=0;
    while true do
      if ?(0,1) then Z:=?(-12,12) fi;
      Z:=(0.3 ⊗? Z) ⊕? ?(-10,10)
    od

- In $\mathbb{Q}$: $|Z| < 10/0.7$ (≃ 14.29).
- In $\mathbb{F}$: $|Z| \le B$, with $B \overset{\text{def}}{=} R_{+\infty}(10/0.7)$.

Interval analysis, using a widening with thresholds $T$: $|Z| \le \min\{x \in T \mid x \ge B\}$.
⟹ proof of absence of overflow if $T$ has a value larger than $B$.
SLIDE 48 (Floating-point abstractions / Expression linearization)
Expression linearization
SLIDE 49 (Floating-point abstractions / Expression linearization)
Floating-point issues in relational domains

Relational domains assume many powerful properties of $\mathbb{Q}$ (associativity, distributivity, ...) that are not true in $\mathbb{F}$!

Example, Fourier-Motzkin elimination:
- in $\mathbb{Q}$: $X - Y \le c \land Y - Z \le d \implies X - Z \le c + d$;
- in $\mathbb{F}$: $X \ominus_n Y \le c \land Y \ominus_n Z \le d$ does not imply $X \ominus_n Z \le c \oplus_n d$.
Counterexample: $X = 1$, $Y = 10^{38}$, $Z = -1$, $c = X \ominus_n Y = -10^{38}$, $d = Y \ominus_n Z = 10^{38}$, $c \oplus_n d = 0$, but $X \ominus_n Z = 2 > 0$.

We cannot manipulate float expressions as easily as rational ones!

Solution: keep representing and manipulating rational expressions:
- abstract float expressions from programs into rational ones;
- feed them to a rational abstract domain;
- (optional) implement the rational domain using floats.
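Directed rounding and the non-transitivity counterexample, as an added worked example in Python for slides 42, 46 and 49 (not code from the slides or from any analyzer). Python floats are IEEE 754 binary64, so $M_f$ here is the largest double rather than the single-precision value of slide 39; the rounding functions are built from exact Fractions and math.nextafter (Python 3.9+), which is this example's way of obtaining $R_{+\infty}$ and $R_{-\infty}$ without changing the processor rounding mode. The interval addition implements the $\oplus_{\mathbb{I}}$ of slide 46 with its error management, and the last function replays the counterexample of slide 49 with round-to-nearest.

```python
import math
import sys
from fractions import Fraction as Fr

M_F = Fr(sys.float_info.max)       # largest finite double, the slides' M_f
OMEGA = "Omega"                    # the error value of slide 40

def round_up(q):
    """R_{+oo}(q): the smallest double >= q, or Omega if q > M_f (slide 42)."""
    if q > M_F: return OMEGA
    if q <= -M_F: return -float(M_F)          # everything below -M_f rounds up to -M_f
    f = float(q)                              # round-to-nearest, possibly below q
    return f if Fr(f) >= q else math.nextafter(f, math.inf)

def round_down(q):
    """R_{-oo}(q): the largest double <= q, or Omega if q < -M_f."""
    if q < -M_F: return OMEGA
    if q >= M_F: return float(M_F)
    f = float(q)
    return f if Fr(f) <= q else math.nextafter(f, -math.inf)

def rounding_is_sound_and_tight(num, den):
    """R_{-oo}(q) <= q <= R_{+oo}(q), and the two results are adjacent doubles
    (or equal when q is itself a double)."""
    q = Fr(num, den)
    lo, hi = round_down(q), round_up(q)
    if not (Fr(lo) <= q <= Fr(hi)): return False
    return lo == hi if Fr(lo) == q else math.nextafter(lo, math.inf) == hi

def overflow_behaviour():
    return (round_up(2 * M_F) == OMEGA, round_down(2 * M_F) == float(M_F), round_down(-2 * M_F) == OMEGA)

def add_i(x, y):
    """(a,b) (+)_I (a',b') = (a (+)_{-oo} a', b (+)_{+oo} b') from slide 46."""
    return (round_down(Fr(x[0]) + Fr(y[0])), round_up(Fr(x[1]) + Fr(y[1])))

def sub_i(x, y):
    return (round_down(Fr(x[0]) - Fr(y[1])), round_up(Fr(x[1]) - Fr(y[0])))

def checked(itv):
    """Error management of slide 46: a bound that overflowed raises an alarm and the
    evaluation continues with the whole finite range (-M_f, M_f)."""
    if OMEGA in itv:
        return ("alarm", (-float(M_F), float(M_F)))
    return ("ok", itv)

def rn(q):
    """Round to nearest (even), the default mode: float() of a Fraction is exactly that."""
    return float(q)

def fourier_motzkin_in_floats():
    """Slide 49: X - Y <= c and Y - Z <= d do not give X - Z <= c (+) d once rounded.
    Returns (c (+)_n d, X (-)_n Z, whether the exact rational implication holds)."""
    X, Y, Z = Fr(1), Fr(10) ** 38, Fr(-1)
    c = rn(X - Y)                 # the 1 is absorbed: -1e38 after rounding
    d = rn(Y - Z)                 # 1e38
    lhs = rn(Fr(c) + Fr(d))       # 0.0
    xz = rn(X - Z)                # 2.0 > 0: the rounded inequality is violated
    return lhs, xz, (X - Z) <= (X - Y) + (Y - Z)
```

Note how 0.1 (+)_I 0.2 yields the interval (0.3, 0.30000000000000004): both ends are adjacent doubles around the exact sum of the two double constants, which is what makes the interval domain of slide 46 sound without an exact arithmetic.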
SLIDE 50 (Floating-point abstractions / Expression linearization)
Affine interval forms

We put expressions in affine interval form [Miné-ESOP04]:
$\mathit{exp}_\ell ::= [a_0, b_0] + \sum_k [a_k, b_k] \times V_k$

Semantics (evaluated in $\mathbb{Q}$):
$\mathcal{E}[\![e_\ell]\!]\rho \overset{\text{def}}{=} \{c_0 + \sum_k c_k \times \rho(V_k) \mid \forall i,\ c_i \in [a_i, b_i]\}$

Advantages:
- affine expressions are easy to manipulate;
- interval coefficients allow non-determinism in expressions, hence the opportunity for abstraction;
- intervals can easily model rounding errors;
- it is easy to design algorithms for $\mathcal{C}^\sharp[\![X := e_\ell]\!]$ and $\mathcal{C}^\sharp[\![e_\ell \le 0]\!]$ in most domains.
SLIDE 51 (Floating-point abstractions / Expression linearization)
Affine interval form algebra

Operations on affine interval forms: adding $\boxplus$ and subtracting $\boxminus$ two forms; multiplying $\boxtimes$ and dividing $\boxslash$ a form by an interval. Using interval arithmetic $+_{\mathbb{I}}, -_{\mathbb{I}}, \times_{\mathbb{I}}$:

$(i_0 + \sum_k i_k \times V_k) \boxplus (i'_0 + \sum_k i'_k \times V_k) \overset{\text{def}}{=} (i_0 +_{\mathbb{I}} i'_0) + \sum_k (i_k +_{\mathbb{I}} i'_k) \times V_k$
$i \boxtimes (i_0 + \sum_k i_k \times V_k) \overset{\text{def}}{=} (i \times_{\mathbb{I}} i_0) + \sum_k (i \times_{\mathbb{I}} i_k) \times V_k$
...

Projection $\pi_k : \mathcal{D}^\sharp \to \mathit{exp}_\ell$: we suppose we are given an abstract interval projection operator $\pi_k$ such that $\pi_k(X^\sharp) = [a, b]$ with $[a, b] \supseteq \{\rho(V_k) \mid \rho \in \gamma(X^\sharp)\}$.
SLIDE 52 (Floating-point abstractions / Expression linearization)
Linearization of rational expressions

Intervalization $\iota : (\mathit{exp}_\ell \times \mathcal{D}^\sharp) \to \mathit{exp}_\ell$ flattens the expression into a single interval:
$\iota(i_0 + \sum_k i_k \times V_k,\ X^\sharp) \overset{\text{def}}{=} i_0 +_{\mathbb{I}} \sum^{\mathbb{I}}_k (i_k \times_{\mathbb{I}} \pi_k(X^\sharp))$

Linearization without rounding errors $\ell : (\mathit{exp} \times \mathcal{D}^\sharp) \to \mathit{exp}_\ell$, defined by induction on the syntax of expressions:
$\ell(V, X^\sharp) \overset{\text{def}}{=} [1, 1] \times V$
$\ell([a, b], X^\sharp) \overset{\text{def}}{=} [a, b]$
$\ell(e_1 + e_2, X^\sharp) \overset{\text{def}}{=} \ell(e_1, X^\sharp) \boxplus \ell(e_2, X^\sharp)$
$\ell(e_1 - e_2, X^\sharp) \overset{\text{def}}{=} \ell(e_1, X^\sharp) \boxminus \ell(e_2, X^\sharp)$
$\ell(e_1 / e_2, X^\sharp) \overset{\text{def}}{=} \ell(e_1, X^\sharp) \boxslash \iota(\ell(e_2, X^\sharp), X^\sharp)$
$\ell(e_1 \times e_2, X^\sharp) \overset{\text{def}}{=}$ either $\iota(\ell(e_1, X^\sharp), X^\sharp) \boxtimes \ell(e_2, X^\sharp)$ or $\iota(\ell(e_2, X^\sharp), X^\sharp) \boxtimes \ell(e_1, X^\sharp)$
SLIDE 53 (Floating-point abstractions / Expression linearization)
Linearization of floating-point expressions

Rounding an affine interval form:
- if the result is normalized, we have a relative error $\varepsilon$ of magnitude $2^{-23}$:
$\varepsilon([a_0, b_0] + \sum_k [a_k, b_k] \times V_k) \overset{\text{def}}{=} \max(|a_0|, |b_0|) \times [-2^{-23}, 2^{-23}] + \sum_k \big(\max(|a_k|, |b_k|) \times [-2^{-23}, 2^{-23}] \times V_k\big)$
- if the result is denormalized, we have an absolute error $\omega \overset{\text{def}}{=} [-2^{-159}, 2^{-159}]$.
⟹ we sum these two sources of rounding errors.

Linearization with rounding errors $\ell : (\mathit{exp}_f \times \mathcal{D}^\sharp) \to \mathit{exp}_\ell$:
$\ell(e_1 \oplus_r e_2, X^\sharp) \overset{\text{def}}{=} \ell(e_1, X^\sharp) \boxplus \ell(e_2, X^\sharp) \boxplus \varepsilon(\ell(e_1, X^\sharp)) \boxplus \varepsilon(\ell(e_2, X^\sharp)) \boxplus \omega$
$\ell(e_1 \otimes_r e_2, X^\sharp) \overset{\text{def}}{=} \iota(\ell(e_1, X^\sharp), X^\sharp) \boxtimes \big(\ell(e_2, X^\sharp) \boxplus \varepsilon(\ell(e_2, X^\sharp))\big) \boxplus \omega$
etc.
SLIDE 54 (Floating-point abstractions / Expression linearization)
Applications of the floating-point linearization

Soundness of the linearization: $\forall e,\ \forall X^\sharp \in \mathcal{D}^\sharp,\ \forall \rho \in \gamma(X^\sharp)$, if $\Omega \notin \mathcal{E}[\![e]\!]\rho$ then $\mathcal{E}[\![e]\!]\rho \subseteq \mathcal{E}[\![\ell(e, X^\sharp)]\!]\rho$.

Application, $\mathcal{C}^\sharp[\![V := e]\!]X^\sharp$:
- check that $\Omega \notin \mathcal{E}[\![e]\!]\rho$ for $\rho \in \gamma(X^\sharp)$ with interval arithmetic;
- compute $\mathcal{C}^\sharp[\![V := e]\!]X^\sharp$ as $\mathcal{C}^\sharp[\![V := \ell(e, X^\sharp)]\!]X^\sharp$
(use $\mathcal{C}^\sharp[\![V := [-M_f, M_f]]\!]X^\sharp$ if $\Omega \in \mathcal{E}[\![e]\!]\rho$).

Note: $\oplus_{\mathbb{I}}, \ominus_{\mathbb{I}}, \otimes_{\mathbb{I}}, \oslash_{\mathbb{I}}$ are sound abstractions of $+_{\mathbb{I}}, -_{\mathbb{I}}, \times_{\mathbb{I}}, /_{\mathbb{I}}$ ⟹ use $\oplus_{\mathbb{I}}$, etc. to get a sound approximation of $\ell(e, X^\sharp)$ in floats.
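The linearization with rounding errors of slides 50 to 54, applied to the filter of slide 47, as an added worked example in Python (not code from the slides or from Astrée). It implements affine interval forms with $\boxplus$, $\boxtimes$, $\iota$, $\varepsilon$ and $\omega$ using exact Fractions, linearizes the step `(0.3 ⊗ Z) ⊕ ?(-10,10)` with the single-precision error constants of slide 53, checks the resulting bound against the step executed in real single precision (through struct, with the non-deterministic input fixed to 10), and runs the loop iteration with the threshold widening of slide 47. The expression encoding, the sample values and the threshold sets are this example's own; the constant 0.3 is taken as its nearest single-precision float, as the program's literal would be.

```python
import struct
from fractions import Fraction as Fr

# Rounding-error parameters for single precision, as on slide 53.
EPS = Fr(1, 2**23)      # relative error on normalized results
OMG = Fr(1, 2**159)     # absolute error on denormalized results

# Intervals are pairs of Fractions; an affine interval form (slide 50) is
# (constant interval, {variable: coefficient interval}).
def iadd(x, y): return (x[0] + y[0], x[1] + y[1])
def imul(x, y):
    p = (x[0] * y[0], x[0] * y[1], x[1] * y[0], x[1] * y[1]); return (min(p), max(p))

def fadd(f, g):
    """f [+] g: add constants and coefficients with interval arithmetic (slide 51)."""
    coef = dict(f[1])
    for v, i in g[1].items():
        coef[v] = iadd(coef.get(v, (Fr(0), Fr(0))), i)
    return (iadd(f[0], g[0]), coef)

def fscale(i, f):
    """i [x] f: multiply a form by an interval."""
    return (imul(i, f[0]), {v: imul(i, c) for v, c in f[1].items()})

def intervalize(f, box):
    """iota(f, X#): flatten the form to one interval from the variable bounds (slide 52)."""
    r = f[0]
    for v, c in f[1].items():
        r = iadd(r, imul(c, box[v]))
    return r

def eps(f):
    """epsilon(f): the relative rounding error of f, itself a form (slide 53)."""
    mag = lambda i: (max(abs(i[0]), abs(i[1])),) * 2
    e = (-EPS, EPS)
    return (imul(mag(f[0]), e), {v: imul(mag(c), e) for v, c in f[1].items()})

OMEGA_FORM = ((-OMG, OMG), {})

def linearize(e, box):
    """l(e_f, X#) for float expressions built from ranges, variables, (+) and (x)."""
    k = e[0]
    if k == "var":   return ((Fr(0), Fr(0)), {e[1]: (Fr(1), Fr(1))})
    if k == "range": return ((Fr(e[1]), Fr(e[2])), {})
    f, g = linearize(e[1], box), linearize(e[2], box)
    if k == "+":     # l(e1) [+] l(e2) [+] eps(l(e1)) [+] eps(l(e2)) [+] omega
        return fadd(fadd(fadd(fadd(f, g), eps(f)), eps(g)), OMEGA_FORM)
    if k == "*":     # iota(l(e1)) [x] (l(e2) [+] eps(l(e2))) [+] omega
        return fadd(fscale(intervalize(f, box), fadd(g, eps(g))), OMEGA_FORM)
    raise ValueError(k)

def f32(x):
    """Round a Python float to the nearest single-precision value."""
    return struct.unpack("<f", struct.pack("<f", x))[0]

C03 = Fr(f32(0.3))   # the literal 0.3 as the program's single-precision constant
# Slide 47's filter step:  Z := (0.3 (x) Z) (+) ?(-10, 10)
FILTER = ("+", ("*", ("range", C03, C03), ("var", "Z")), ("range", -10, 10))

def filter_step_bound(zbox):
    """Sound interval for one filter step when Z ranges over zbox."""
    box = {"Z": (Fr(zbox[0]), Fr(zbox[1]))}
    return intervalize(linearize(FILTER, box), box)

def concrete_step_within(zbox, z_values):
    """Run the step in real single precision (input fixed to 10) for each z and check
    that every result lies inside the linearized bound."""
    lo, hi = filter_step_bound(zbox)
    return all(lo <= Fr(f32(f32(float(C03) * f32(z)) + 10.0)) <= hi for z in z_values)

def widen_t(x, y, T):
    """Threshold widening on both bounds (slide 24); T must reach past y."""
    lo = x[0] if x[0] <= y[0] else max(t for t in T if t <= y[0])
    hi = x[1] if x[1] >= y[1] else min(t for t in T if t >= y[1])
    return (Fr(lo), Fr(hi))

def filter_loop_bound(T):
    """Invariant on Z at the head of slide 47's loop, by interval iteration with the
    threshold widening:  Z:=0; while true do if ?(0,1) then Z:=?(-12,12) fi; step od."""
    head = (Fr(0), Fr(0))
    while True:
        entry = (min(head[0], Fr(-12)), max(head[1], Fr(12)))   # join with the re-initialisation
        out = filter_step_bound(entry)
        nxt = widen_t(head, (min(head[0], out[0]), max(head[1], out[1])), T)
        if nxt == head:
            return head
        head = nxt
```

With Z ∈ [−12, 12] the linearized step gives a bound just above 13.6, i.e. 0.3 × 12 + 10 plus the accumulated ε and ω terms. A threshold set containing 15 (above B ≃ 14.29) yields |Z| ≤ 15, while one whose smallest value above B is the huge sentinel degrades to that sentinel, which is the slide's point: the proof of absence of overflow depends on T having a threshold between B and $M_f$.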
SLIDE 55 (Floating-point abstractions / Sound floating-point polyhedra)
Sound floating-point polyhedra
SLIDE 56 (Floating-point abstractions / Sound floating-point polyhedra)
Sound floating-point polyhedra

Algorithms to adapt [ChenAl-APLAS08]:

- Linear programming: $\mathit{simplex}_f(X^\sharp, \vec\alpha) \le \mathit{simplex}(X^\sharp, \vec\alpha)$, where
$\mathit{simplex}(X^\sharp, \vec\alpha) \overset{\text{def}}{=} \min\{\sum_k \alpha_k \rho(V_k) \mid \rho \in \gamma(X^\sharp)\}$

- Fourier-Motzkin elimination: $\mathit{Fourier}_f(X^\sharp, V_k) \Longleftarrow \mathit{Fourier}(X^\sharp, V_k)$ (the floating-point result is implied by the rational one), where
$\mathit{Fourier}(X^\sharp, V_k) \overset{\text{def}}{=} \{(\sum_i \alpha_i V_i \ge \beta) \in X^\sharp \mid \alpha_k = 0\}\ \cup\ \{(-\alpha^-_k)\,c^+ + \alpha^+_k\,c^- \mid c^+ = (\sum_i \alpha^+_i V_i \ge \beta^+) \in X^\sharp,\ \alpha^+_k > 0,\ c^- = (\sum_i \alpha^-_i V_i \ge \beta^-) \in X^\sharp,\ \alpha^-_k < 0\}$
SLIDE 57 (Floating-point abstractions / Sound floating-point polyhedra)
Sound floating-point linear programming

Guaranteed linear programming [NeumaierShcherbina-MP04].

Goal: under-approximate $\mu = \min\{c \cdot x \mid M \times x \le b\}$, knowing that $x \in [x_l, x_h]$ (a bounding box for $\gamma(X^\sharp)$).

- Compute any approximation $\tilde\mu$ of the dual problem $\tilde\mu \simeq \mu = \max\{b \cdot y \mid {}^tM \times y = c,\ y \le 0\}$ and the corresponding vector $y$ (e.g. using an off-the-shelf solver; $\tilde\mu$ may over-approximate or under-approximate $\mu$).
- Compute with intervals safe bounds $[r_l, r_h]$ for ${}^tM \times y - c$: $[r_l, r_h] = ({}^tM \otimes_{\mathbb{I}} y) \ominus_{\mathbb{I}} c$, and then $\nu = \inf\big((b \otimes_{\mathbb{I}} y) \ominus_{\mathbb{I}} ([r_l, r_h] \otimes_{\mathbb{I}} [x_l, x_h])\big)$.
- Then $\nu \le \mu$.
SLIDE 58 (Floating-point abstractions / Sound floating-point polyhedra)
Sound floating-point Fourier-Motzkin elimination

Given:
- $c^+ = (\sum_i \alpha^+_i V_i \ge \beta^+)$ with $\alpha^+_k > 0$;
- $c^- = (\sum_i \alpha^-_i V_i \ge \beta^-)$ with $\alpha^-_k < 0$;
- a bounding box $[x_l, x_h]$ of $\gamma(X^\sharp)$.

We wish to compute $\sum_{i \neq k} \alpha_i V_i \ge \beta$ in $\mathbb{F}$, implied by $(-\alpha^-_k)\,c^+ + \alpha^+_k\,c^-$ in $\gamma(X^\sharp)$.

Normalize $c^+$ and $c^-$ using interval arithmetic (giving interval affine forms):
$V_k + \sum_{i \neq k} (\alpha^+_i \oslash_{\mathbb{I}} \alpha^+_k)\,V_i \ge \beta^+ \oslash_{\mathbb{I}} \alpha^+_k$
$-V_k + \sum_{i \neq k} (\alpha^-_i \oslash_{\mathbb{I}} (-\alpha^-_k))\,V_i \ge \beta^- \oslash_{\mathbb{I}} (-\alpha^-_k)$

Add them using interval arithmetic:
$\sum_{i \neq k} [a_i, b_i]\,V_i \ge [a_0, b_0]$
where $[a_i, b_i] = (\alpha^+_i \oslash_{\mathbb{I}} \alpha^+_k) \ominus_{\mathbb{I}} (\alpha^-_i \oslash_{\mathbb{I}} \alpha^-_k)$ and $[a_0, b_0] = (\beta^+ \oslash_{\mathbb{I}} \alpha^+_k) \ominus_{\mathbb{I}} (\beta^- \oslash_{\mathbb{I}} \alpha^-_k)$.
SLIDE 59 (Floating-point abstractions / Sound floating-point polyhedra)
Sound floating-point Fourier-Motzkin elimination (cont.)

Linearize the interval linear form into $\sum_{i \neq k} \alpha_i V_i \ge \beta$, where $\alpha_i \in [a_i, b_i]$ is any chosen float (e.g. $\alpha_i = (a_i \oplus_n b_i) \oslash 2$) and the constant absorbs the coefficient slack over the bounding box:
$\beta = \inf\big([a_0, b_0] \ominus_{\mathbb{I}} \sum^{\mathbb{I}}_{i \neq k} |\alpha_i \ominus_{\mathbb{I}} [a_i, b_i]| \otimes_{\mathbb{I}} |[x_l, x_h]|_i\big)$
(a lower bound: any error in the chosen $\alpha_i$ is paid for by decreasing $\beta$).

Soundness: for all choices of $\alpha_i \in [a_i, b_i]$, $\sum_{i \neq k} \alpha_i V_i \ge \beta$ holds in $\mathit{Fourier}(X^\sharp, V_k)$.
SLIDE 60 (Floating-point abstractions / Sound floating-point polyhedra)
Consequences of rounding

Precision loss (the rational versions of these are equalities or equivalences):
- Projection: $\gamma(\mathit{Fourier}(X^\sharp, V_k)) \supseteq \{\rho[V_k \mapsto v] \mid v \in \mathbb{Q},\ \rho \in \gamma(X^\sharp)\} = \mathcal{C}[\![V_k := [-\infty, +\infty]]\!]\gamma(X^\sharp)$ (was $=$)
- Order: $X^\sharp \subseteq^\sharp Y^\sharp \implies \gamma(X^\sharp) \subseteq \gamma(Y^\sharp)$ (was $\iff$)
- Join: $\gamma(X^\sharp \cup^\sharp Y^\sharp) \supseteq \mathit{ConvexHull}(\gamma(X^\sharp) \cup \gamma(Y^\sharp))$ (was $=$)

Efficiency loss: we cannot remove all redundant constraints.
SLIDE 61 (Floating-point abstractions / Sound floating-point polyhedra)
Floating-point polyhedra widening

Widening $\triangledown$:
$X^\sharp \triangledown Y^\sharp \overset{\text{def}}{=} \{c \in X^\sharp \mid Y^\sharp \subseteq^\sharp \{c\}\}$
(we drop the second part $\{c \in Y^\sharp \mid \exists c' \in X^\sharp,\ X^\sharp =^\sharp (X^\sharp \setminus \{c'\}) \cup \{c\}\}$ of the rational widening, as $X^\sharp$ and $Y^\sharp$ may have redundant constraints)

Stability improvement: robust strategies to choose $\alpha_i \in [a_i, b_i]$ during Fourier-Motzkin elimination:
- choose simple $\alpha_i$ (e.g., the integer nearest $(a_i + b_i)/2$);
- reuse the same $\alpha_i$ (or a multiple of it) used for other variables.
slide-62
SLIDE 62

Conclusion

Conclusion

SLIDE 63

Conclusion

Abstraction summary

Floating-point polyhedra analyzer for floating-point programs

expression abstraction:
  float expression $e_f$
  ↓ linearization
  affine form $e_\ell$ in $\mathbb{Q}$
  ↓ float implementation
  affine form $e_\ell$ in $\mathbb{F}$  → fed into the polyhedra in $\mathbb{F}$

environment abstraction:
  $\mathcal{P}(V \to \mathbb{F})$
  ↓ abstract domain
  polyhedra in $\mathbb{Q}$
  ↓ float implementation
  polyhedra in $\mathbb{F}$
  ↓ widening
  polyhedra in $\mathbb{F}$

SLIDE 64

Conclusion

Academic implementation

Interproc: on-line analyzer for a toy language, using Apron.

http://pop-art.inrialpes.fr/interproc/interprocweb.cgi

SLIDE 65

Conclusion

Industrial application

Astrée static analyzer: [BertraneAl-AIAA10]

- developed at ENS, now industrialized by
- analyzes embedded critical control/command C code
- checks for run-time errors (arithmetics, arrays, pointers)
- applied to industrial Airbus code, up to 1 M lines
- zero alarm, ≃ 14h computation time

Based on abstract interpretation:

- uses intervals and octagons (no polyhedra) and many more abstract domains (some domain-specific)
- uses linearization of float expressions

More information: http://www.astree.ens.fr/

SLIDE 66

Conclusion

The End

SLIDE 67

Bibliography

Bibliography

SLIDE 68

Bibliography

Bibliography

[Tarski-PJM55] A. Tarski. A lattice theoretical fixpoint theorem and its applications. In Pacific J. Math., 5 (1955), 285–310.

[CousotCousot-ISP76] P. Cousot & R. Cousot. Static determination of dynamic properties of programs. In Proc. of the 2d Int. Symp. on Prog. Dunod, 1976.

[CousotCousot-POPL77] P. Cousot & R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. of POPL’77, 238–252, ACM Press, 1977.

[CousotCousot-PJM79] P. Cousot & R. Cousot. Constructive versions of Tarski’s fixed point theorems. In Pacific J. Math., 82:1 (1979), 43–57.

[CousotHalbwachs-POPL78] P. Cousot & N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In Proc. of POPL’78, 84–96. ACM Press, 1978.

SLIDE 69

Bibliography

Bibliography (cont.)

[Schrijver-86] A. Schrijver. Theory of linear and integer programming. John Wiley & Sons, Inc., 1986.

[BenoyKing-LOPSTR96] F. Benoy & A. King. Inferring argument size relationships with CLP(R). In Proc. of LOPSTR’96, vol. 1207 of LNCS, pp. 204–223. Springer, 1996.

[Cousot-ENTCS97] P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. In ENTCS 6, 25 p., 1997.

[Miné-AST01] A. Miné. The octagon abstract domain. In AST’01, pp. 310–319. IEEE CS Press, 2001.

[Miné-ESOP04] A. Miné. Relational abstract domains for the detection of floating-point run-time errors. In Proc. of ESOP’04, vol. 2986 of LNCS, pp. 3–17. Springer, 2004.

SLIDE 70

Bibliography

Bibliography (cont.)

[NeumaieShcherbina-MP04] A. Neumaier & O. Shcherbina. Safe bounds in linear and mixed-integer linear programming. In Math. Program., 99(2):283–296 (2004).

[ChenAl-APLAS08] L. Chen, A. Miné & P. Cousot. A sound floating-point polyhedra abstract domain. In Proc. of APLAS’08, vol. 5356 of LNCS, pp. 3–18. Springer, 2008.

[BertraneAl-AIAA10] J. Bertrane, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, X. Rival. Static Analysis and Verification of Aerospace Software by Abstract Interpretation. In AIAA Infotech@Aerospace (I@A 2010), 38 p.
