Analysis of Program Differences with Numerical Abstract Interpretation (slide deck)

SLIDE 1

Analysis of Program Differences with Numerical Abstract Interpretation

Airbus – LIP6 day

David Delmas (1, 2), Antoine Miné (2)

1 Airbus EYYW, 2 LIP6 APR

20 February 2019

Outline: Running example · Concrete semantics · Abstract semantics · Evaluation · References

SLIDE 2-3

Introduction

PhD on "portability analysis": portability analysis is about comparing the semantics of two syntactically close versions of a program in two different environments (machine, OS, library, etc.).

To start with, let us consider two syntactically close versions of a program in the same environment, i.e. patch analysis.

SLIDE 4

Agenda

1. Running example
2. Concrete semantics
3. Abstract semantics
4. Evaluation

SLIDE 5

Running example: Unchloop from Trostanetski et al. [2017]

Original program

    {
      int a; int b; int c; int i; int r;

      a = input(-1000, 1000);
      b = input(-1000, 1000);
      c = 1;

      i = 0;
      while (i < a) {
        c = c + b;
        i = i + 1;
      }

      r = c;
    }

SLIDE 6

Running example: Unchloop from Trostanetski et al. [2017]

Change request

    {
      int a; int b; int c; int i; int r;

      a = input(-1000, 1000);
      b = input(-1000, 1000);
      c = 1;            // to change

      i = 0;
      while (i < a) {
        c = c + b;
        i = i + 1;
      }

      r = c;            // to change
    }

SLIDE 7

Running example: Unchloop from Trostanetski et al. [2017]

Patched program

    {
      int a; int b; int c; int i; int r;

      a = input(-1000, 1000);
      b = input(-1000, 1000);
      c = 0;            // was: 1

      i = 0;
      while (i < a) {
        c = c + b;
        i = i + 1;
      }

      r = c + 1;        // was: c
    }

SLIDE 8

Running example: Unchloop from Trostanetski et al. [2017]

Joint representation: double program P (the left operand of ∥ is the original version, the right operand the patched one)

    {
      int a; int b; int c; int i; int r;

      a = input(-1000, 1000);
      b = input(-1000, 1000);
      c = 1 ∥ 0;

      i = 0;
      while (i < a) {
        c = c + b;
        i = i + 1;
      }

      r = c ∥ c + 1;
      assert sync(r);
    }

SLIDE 9

Running example: Unchloop from Trostanetski et al. [2017]

Left projection: simple program $P_1 = \pi_1(P)$

    {
      int a1; int b1; int c1; int i1; int r1;

      a1 = input(-1000, 1000);
      b1 = input(-1000, 1000);
      c1 = 1;

      i1 = 0;
      while (i1 < a1) {
        c1 = c1 + b1;
        i1 = i1 + 1;
      }

      r1 = c1;
    }

$\pi_1(x \in \mathbb{V}) \stackrel{\mathrm{def}}{=} x_1 \in \mathbb{V}_1$

$\pi_1(s_1 \parallel s_2) \stackrel{\mathrm{def}}{=} s_1$

SLIDE 10

Running example: Unchloop from Trostanetski et al. [2017]

Right projection: simple program $P_2 = \pi_2(P)$

    {
      int a2; int b2; int c2; int i2; int r2;

      a2 = input(-1000, 1000);
      b2 = input(-1000, 1000);
      c2 = 0;

      i2 = 0;
      while (i2 < a2) {
        c2 = c2 + b2;
        i2 = i2 + 1;
      }

      r2 = c2 + 1;
    }

$\pi_2(x \in \mathbb{V}) \stackrel{\mathrm{def}}{=} x_2 \in \mathbb{V}_2$

$\pi_2(s_1 \parallel s_2) \stackrel{\mathrm{def}}{=} s_2$

SLIDE 11

Agenda: 2. Concrete semantics

SLIDE 12-13

Lifting simple program semantics to double programs

Simple programs $P_k = \pi_k(P)$, $k \in \{1, 2\}$:

- variables in $\mathbb{V}_k = \{ x_k \mid x \in \mathbb{V} \}$
- memory states in $E_k \stackrel{\mathrm{def}}{=} \mathbb{V}_k \to \mathbb{R}$
- expression semantics $\mathbb{E}_k\llbracket e \rrbracket \in E_k \to \mathcal{P}(\mathbb{R})$
- condition semantics $\mathbb{C}_k\llbracket c \rrbracket \in E_k \to \mathcal{P}(\{\mathit{true}, \mathit{false}\})$
- statement semantics $\mathbb{S}_k\llbracket s \rrbracket \in \mathcal{P}(E_k \times E_k)$: input-output relation

Double program $P$:

- variables in $\mathbb{V}$
- memory states in $D \stackrel{\mathrm{def}}{=} E_1 \times E_2$
- statement semantics $\mathbb{D}\llbracket s \rrbracket \in \mathcal{P}(D \times D)$: input-output relation

SLIDE 14

Assignment and blocks

$\mathbb{D}\llbracket \mathit{dstat} \rrbracket \in \mathcal{P}(D \times D)$

$\mathbb{D}\llbracket \mathit{skip} \rrbracket \stackrel{\mathrm{def}}{=} \Delta_D$

$\mathbb{D}\llbracket s_1 \parallel s_2 \rrbracket \stackrel{\mathrm{def}}{=} \{ ((i_1, i_2), (o_1, o_2)) \mid (i_1, o_1) \in \mathbb{S}_1\llbracket s_1 \rrbracket \wedge (i_2, o_2) \in \mathbb{S}_2\llbracket s_2 \rrbracket \}$

$\mathbb{D}\llbracket V \leftarrow e_1 \parallel e_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket V \leftarrow e_1 \parallel V \leftarrow e_2 \rrbracket$

$\mathbb{D}\llbracket s_1; s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket s_1 \rrbracket \circ \mathbb{D}\llbracket s_2 \rrbracket$

where $R_1 \circ R_2 \stackrel{\mathrm{def}}{=} \{ (x, z) \mid \exists y : (x, y) \in R_1 \wedge (y, z) \in R_2 \}$

SLIDE 15

if statement

$\mathbb{D}\llbracket \mathbf{if}\ c\ \mathbf{then}\ s_1\ \mathbf{else}\ s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{F}\llbracket c \rrbracket \circ \mathbb{D}\llbracket s_1 \rrbracket \;\cup\; \mathbb{F}\llbracket \neg c \rrbracket \circ \mathbb{D}\llbracket s_2 \rrbracket \;\cup\; \mathbb{F}\llbracket c \parallel \neg c \rrbracket \circ \mathbb{D}_1\llbracket s_1 \rrbracket \circ \mathbb{D}_2\llbracket s_2 \rrbracket \;\cup\; \mathbb{F}\llbracket \neg c \parallel c \rrbracket \circ \mathbb{D}_1\llbracket s_2 \rrbracket \circ \mathbb{D}_2\llbracket s_1 \rrbracket$

where

$\mathbb{F}\llbracket c_1 \parallel c_2 \rrbracket \stackrel{\mathrm{def}}{=} \{ ((\rho_1, \rho_2), (\rho_1, \rho_2)) \mid \mathit{true} \in \mathbb{C}_1\llbracket c_1 \rrbracket \rho_1 \cap \mathbb{C}_2\llbracket c_2 \rrbracket \rho_2 \}$

$\mathbb{F}\llbracket c \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{F}\llbracket c \parallel c \rrbracket$

$\mathbb{D}_1\llbracket s \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket \pi_1(s) \parallel \mathit{skip} \rrbracket$

$\mathbb{D}_2\llbracket s \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket \mathit{skip} \parallel \pi_2(s) \rrbracket$

SLIDE 16

while statement

$\mathbb{D}\llbracket \mathbf{while}\ c\ \mathbf{do}\ s \rrbracket \stackrel{\mathrm{def}}{=} (\mathrm{lfp}\, H) \circ \mathbb{F}\llbracket \neg c \rrbracket$

where $H(R) \stackrel{\mathrm{def}}{=} \Delta_D \cup R \circ \big( \mathbb{F}\llbracket c \rrbracket \circ \mathbb{D}\llbracket s \rrbracket \;\cup\; \mathbb{F}\llbracket c \parallel \neg c \rrbracket \circ \mathbb{D}_1\llbracket s \rrbracket \;\cup\; \mathbb{F}\llbracket \neg c \parallel c \rrbracket \circ \mathbb{D}_2\llbracket s \rrbracket \big)$

SLIDE 17-19

Semantics of the example

    c = 1 ∥ 0;

    i = 0;
    while (i < a) {
      c = c + b;
      i = i + 1;
    }

    r = c ∥ c + 1;

$\mathbb{D}\llbracket \cdot \rrbracket = \{ (s_0, ((a_1, b_1, 1, 0, 1), (a_2, b_2, 0, 0, 1))) \mid a_1 \le 0 \wedge a_2 \le 0 \wedge H_0 \}$
$\cup\ \{ (s_0, ((a_1, b_1, 1 + a_1 \times b_1, a_1, 1 + a_1 \times b_1), (a_2, b_2, 0, 0, 1))) \mid a_1 > 0 \wedge a_2 \le 0 \wedge H_0 \}$
$\cup\ \{ (s_0, ((a_1, b_1, 1, 0, 1), (a_2, b_2, a_2 \times b_2, a_2, 1 + a_2 \times b_2))) \mid a_1 \le 0 \wedge a_2 > 0 \wedge H_0 \}$
$\cup\ \{ (s_0, ((a_1, b_1, 1 + a_1 \times b_1, a_1, 1 + a_1 \times b_1), (a_2, b_2, a_2 \times b_2, a_2, 1 + a_2 \times b_2))) \mid a_1 > 0 \wedge a_2 > 0 \wedge H_0 \}$

where $s_0 \stackrel{\mathrm{def}}{=} ((a_1, b_1, c_1, i_1, r_1), (a_2, b_2, c_2, i_2, r_2))$ and $H_0 \stackrel{\mathrm{def}}{=} \forall k \in \{1, 2\} : (b_k, c_k, i_k, r_k) \in \mathbb{R}^4$

Assuming equal initial states, $a \stackrel{\mathrm{def}}{=} a_1 = a_2$ and $b \stackrel{\mathrm{def}}{=} b_1 = b_2$:

$\mathbb{D}\llbracket \cdot \rrbracket = \{ (s_0, ((a, b, 1, 0, 1), (a, b, 0, 0, 1))) \mid a \le 0 \wedge H_0 \} \;\cup\; \emptyset \;\cup\; \emptyset \;\cup\; \{ (s_0, ((a, b, 1 + a \times b, a, 1 + a \times b), (a, b, a \times b, a, 1 + a \times b))) \mid a > 0 \wedge H_0 \}$

where $s_0 \stackrel{\mathrm{def}}{=} ((a, b, c_1, i_1, r_1), (a, b, c_2, i_2, r_2))$ and $H_0 \stackrel{\mathrm{def}}{=} b \in \mathbb{R} \wedge \forall k \in \{1, 2\} : (c_k, i_k, r_k) \in \mathbb{R}^3$
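As an added illustration (not part of the slides, and not the authors' prototype), the following Python executes the Unchloop double program in lock-step, following the while-statement semantics of the previous slides: both bodies run when both conditions hold, one side alone runs when only its condition holds, and the loop exits when neither holds. It then checks every pair of small integer inputs against the four-case relation written above, and checks that the two empty cases appear exactly when the initial states are equal. The function names and the enumerated input range are this example's own choices.

```python
# Added example, not from the slides: lock-step concrete execution of the
# Unchloop double program, checked against the four-case relation above.
# The function names and the enumerated input range are this example's choices.
from itertools import product


def run_double(a1, b1, a2, b2):
    """Run the double program P on one input pair; return the output pair.

    The loop follows the while-statement semantics: both bodies run when both
    conditions hold (F[c]); only the left body when only i1 < a1 holds
    (F[c ∥ ¬c], D1); only the right body when only i2 < a2 holds (F[¬c ∥ c], D2);
    the loop exits when neither holds (F[¬c]).
    States are 5-tuples (a, b, c, i, r) as on the slide.
    """
    c1, c2 = 1, 0            # c = 1 ∥ 0
    i1 = i2 = 0              # i = 0 (same statement on both sides)
    while True:              # while (i < a) { c = c + b; i = i + 1; }
        left, right = i1 < a1, i2 < a2
        if not (left or right):
            break
        if left:
            c1, i1 = c1 + b1, i1 + 1
        if right:
            c2, i2 = c2 + b2, i2 + 1
    r1, r2 = c1, c2 + 1      # r = c ∥ c + 1
    return (a1, b1, c1, i1, r1), (a2, b2, c2, i2, r2)


def closed_form(a1, b1, a2, b2):
    """The output pair predicted by the relation written on this slide."""
    left = (a1, b1, 1 + a1 * b1, a1, 1 + a1 * b1) if a1 > 0 else (a1, b1, 1, 0, 1)
    right = (a2, b2, a2 * b2, a2, 1 + a2 * b2) if a2 > 0 else (a2, b2, 0, 0, 1)
    return left, right


def relation_matches(bound=4):
    """Compare execution and closed form on all integer inputs in [-bound, bound]."""
    return all(run_double(*inp) == closed_form(*inp)
               for inp in product(range(-bound, bound + 1), repeat=4))


def sync_r_on_equal_inputs(bound=4):
    """assert sync(r) under equal initial states (a1 = a2, b1 = b2)."""
    for a in range(-bound, bound + 1):
        for b in range(-bound, bound + 1):
            (_, _, _, _, r1), (_, _, _, _, r2) = run_double(a, b, a, b)
            if r1 != r2:
                return False
    return True


def witness_for_different_inputs():
    """With a1 != a2 the sides loop at different paces and r1, r2 may differ."""
    (_, _, _, _, r1), (_, _, _, _, r2) = run_double(2, 3, 1, 5)
    return r1, r2


if __name__ == "__main__":
    print(relation_matches(), sync_r_on_equal_inputs(), witness_for_different_inputs())
```

The `if left: ... if right: ...` pair is the whole point of the double-program semantics: a single interpreter step covers the synchronised case and both desynchronised cases, so the closed form with four disjuncts falls out of one loop.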

SLIDE 20

Agenda: 3. Abstract semantics

SLIDE 21-22

$\mathbb{D}$ is not computable in general

Numerical abstraction: memory states in $D \approx \mathbb{R}^{|\mathbb{V}_1 \cup \mathbb{V}_2|}$, so any numeric abstract domain on pairs of environments can be used.

The abstract semantics $\mathbb{D}^\sharp$ is defined by induction on the syntax. The only case that is not a standard transfer function is $\mathbb{D}\llbracket s_1 \parallel s_2 \rrbracket \stackrel{\mathrm{def}}{=} \{ \ldots \mid \ldots \mathbb{S}_1\llbracket s_1 \rrbracket \wedge \ldots \mathbb{S}_2\llbracket s_2 \rrbracket \}$; notice, however, that $\mathbb{D}\llbracket s_1 \parallel s_2 \rrbracket = \mathbb{D}_1\llbracket s_1 \rrbracket \circ \mathbb{D}_2\llbracket s_2 \rrbracket$, e.g. $\mathbb{D}\llbracket c \leftarrow 1 \parallel 0 \rrbracket = \mathbb{D}\llbracket c_1 \leftarrow 1 \rrbracket \circ \mathbb{D}\llbracket c_2 \leftarrow 0 \rrbracket$, so $\mathbb{D}^\sharp$ is standard too, e.g. $\mathbb{D}^\sharp\llbracket s_1 \parallel s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}^\sharp_1\llbracket s_1 \rrbracket \circ^\sharp \mathbb{D}^\sharp_2\llbracket s_2 \rrbracket$.

SLIDE 23-26

Which numerical abstract domains?

- Polyhedra ($\sum_i a_i x_i \le b$): unable to express the non-linear invariant $r_1 = 1 + a \times b = r_2$, but able to infer the linear invariant $-c_1 + c_2 + 1 = 0$, hence $r_1 = r_2$.
- Octagons ($\pm x \pm y \le c$): able to express the necessary linear invariants, but unable to infer them using the currently proposed transfer functions.
- Intervals ($x, y \in [a, b]$): unable to express the necessary invariants.

SLIDE 27-30

A specialized abstract domain

Remark: to express the necessary invariants, it is sufficient to bound the differences $x_2 - x_1$ for any variable $x$.

State: $(x_1, x_2)$ is represented as $(x_1, \delta_x)$ with $\delta_x \stackrel{\mathrm{def}}{=} x_2 - x_1$.

Lattice: $(\mathcal{P}(D \times D), \subseteq) \underset{\gamma}{\overset{\alpha}{\rightleftarrows}} (\mathcal{P}(D \times D), \subseteq)$

Semantics: $\mathbb{D}_\delta\llbracket \cdot \rrbracket \stackrel{\mathrm{def}}{=} \alpha \circ \mathbb{D}\llbracket \cdot \rrbracket$

Numerical abstraction $\mathbb{D}_\delta^\sharp$: like for $\mathbb{D}$, any numeric domain can be used to abstract $\mathbb{D}_\delta$. Unlike with $\mathbb{D}$, intervals are enough to analyse the running example.

SLIDE 31-40

Symbolic simplifications in $\mathbb{D}_\delta^\sharp$

Special cases for the assignment transfer function:

$\mathbb{D}_\delta^\sharp\llbracket V \leftarrow e \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}^\sharp_{\delta,1}\llbracket V \leftarrow e \rrbracket \circ^\sharp \begin{cases} \mathbb{D}_\delta^\sharp\llbracket \delta_V \leftarrow 0 \rrbracket & \text{if } (e = \mathit{input}(a, b) \wedge \mathit{input\_is\_sync}()) \text{ or } (\mathit{is\_deterministic}(e) \wedge \forall x \in \mathit{Vars}(e) : \delta_x = 0) \\ \mathbb{D}_\delta^\sharp\llbracket \delta_V \leftarrow \sum_{x \in \mathbb{V}} \lambda_x \delta_x \rrbracket & \text{if } e = \mu + \sum_{x \in \mathbb{V}} \lambda_x x \\ \mathbb{D}^\sharp_{\delta,2}\llbracket V \leftarrow e \rrbracket & \text{otherwise} \end{cases}$

The same cases for a double assignment whose right-hand side differs by a term $e'$:

$\mathbb{D}_\delta^\sharp\llbracket V \leftarrow e \parallel e' + e \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}^\sharp_{\delta,1}\llbracket V \leftarrow e \rrbracket \circ^\sharp \begin{cases} \mathbb{D}_\delta^\sharp\llbracket \delta_V \leftarrow \pi_2(e') + 0 \rrbracket & \text{if } (e = \mathit{input}(a, b) \wedge \ldots) \text{ or } (\ldots \wedge \forall x \in \mathit{Vars}(e) : \delta_x = 0) \\ \mathbb{D}_\delta^\sharp\llbracket \delta_V \leftarrow \pi_2(e') + \sum_{x \in \mathbb{V}} \lambda_x \delta_x \rrbracket & \text{if } e = \mu + \sum_{x \in \mathbb{V}} \lambda_x x \\ \mathbb{D}^\sharp_{\delta,2}\llbracket V \leftarrow e \parallel e' + e \rrbracket & \text{otherwise} \end{cases}$

Running example, analysed with intervals on the $\delta$ variables:

    a = input(-1000, 1000);
    b = input(-1000, 1000);
    c = 1 ∥ 0;

    i = 0;
    while (i < a) {
      c = c + b;
      i = i + 1;
    }

    r = c ∥ c + 1;

- after `a = input(-1000, 1000)`: $\delta_a \in [0, 0]$
- after `b = input(-1000, 1000); c = 1 ∥ 0`: $\delta_a \in [0, 0] \wedge \delta_b \in [0, 0] \wedge \delta_c \in [-1, -1]$
- after `i = 0`: $\delta_a \in [0, 0] \wedge \delta_b \in [0, 0] \wedge \delta_c \in [-1, -1] \wedge \delta_i \in [0, 0]$
- loop invariant, and after the loop: $\delta_a \in [0, 0] \wedge \delta_b \in [0, 0] \wedge \delta_c \in [-1, -1] \wedge \delta_i \in [0, 0]$ (unchanged: `c = c + b` gives $\delta_c \leftarrow \delta_c + \delta_b$ and `i = i + 1` gives $\delta_i \leftarrow \delta_i$)
- after `r = c ∥ c + 1`: $\delta_a \in [0, 0] \wedge \delta_b \in [0, 0] \wedge \delta_c \in [-1, -1] \wedge \delta_i \in [0, 0] \wedge \delta_r \in [0, 0]$

q.e.d.
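The δ-interval analysis traced above, written out in Python as an added example (not part of the slides and not the authors' OCaml/Apron prototype). It implements the assignment rules of this slide for affine right-hand sides: a synchronised `input` gives $\delta_V \leftarrow 0$, a common statement `V ← e` is treated as `V ← e ∥ e`, and `V ← e ∥ e' + e` with a constant `e'` gives $\delta_V \leftarrow e' + \sum \lambda_x \delta_x$. When the two sides have different coefficients (the slide's "otherwise" case) the example falls back to ⊤, which is sound but loses what the slide's fallback transfer function would keep. A loop whose condition only involves variables with $\delta = 0$ is iterated to a fixpoint with a crude widening; any other loop sets the variables it writes to ⊤. The tuple encoding of statements, the helper names, the widening threshold and the two constructed variant programs are this example's assumptions.

```python
# Added example, not from the slides: an interval analysis of the differences
# δx = x2 - x1 for double programs, following the assignment rules on this slide.
# The tuple encoding of statements, the helper names and the ⊤ fallback for the
# "otherwise" case are this example's assumptions.
from math import inf

TOP = (-inf, inf)   # difference unknown


def aff(const=0, **coefs):
    """Affine right-hand side mu + sum(lambda_x * x), encoded (mu, {x: lambda_x})."""
    return (const, coefs)


def add(p, q):
    return (p[0] + q[0], p[1] + q[1])


def scale(k, p):
    lo, hi = k * p[0], k * p[1]
    return (min(lo, hi), max(lo, hi))


def join(s, t):
    """Interval join, variable by variable (unassigned variables are ⊤)."""
    return {v: (min(s.get(v, TOP)[0], t.get(v, TOP)[0]),
                max(s.get(v, TOP)[1], t.get(v, TOP)[1])) for v in s.keys() | t.keys()}


def assign(state, v, e1, e2=None):
    """δ-transfer function of V <- e1 ∥ e2 (e2 None: the common statement V <- e1).

    When both sides have the same coefficients (the slide's V <- e ∥ e' + e with
    a constant e', which includes e ∥ e), δV = (mu2 - mu1) + sum(lambda_x * δx).
    Otherwise δV depends on the x1 values, which this δ-only state does not
    track, so the example falls back to ⊤ (sound, imprecise).
    """
    (mu1, l1), (mu2, l2) = e1, (e1 if e2 is None else e2)
    if l1 != l2:
        return {**state, v: TOP}
    delta = (mu2 - mu1, mu2 - mu1)
    for x, lam in l1.items():
        delta = add(delta, scale(lam, state.get(x, TOP)))
    return {**state, v: delta}


def analyze(prog, state=None, widen_after=3):
    """Abstract execution of a statement list on a δ-interval state."""
    state = {} if state is None else dict(state)
    for stmt in prog:
        if stmt[0] == "input":                  # synchronised input: δV = 0
            state[stmt[1]] = (0, 0)
        elif stmt[0] == "assign":
            state = assign(state, *stmt[1:])
        elif stmt[0] == "while":
            _, cond_vars, body = stmt
            if all(state.get(x) == (0, 0) for x in cond_vars):
                # both sides take the same branch, so F[c ∥ ¬c] and F[¬c ∥ c] are
                # empty: iterate the body to a fixpoint, widening to ⊤ the
                # differences that keep growing
                inv = state
                for _ in range(widen_after):
                    nxt = join(inv, analyze(body, inv))
                    if nxt == inv:
                        break
                    inv = nxt
                else:
                    inv = {x: (inv[x] if inv[x] == state.get(x) else TOP) for x in inv}
                state = inv
            else:
                # the sides may loop at different paces: every variable the body
                # writes may drift by an unknown amount
                for s in body:
                    if s[0] in ("input", "assign"):
                        state[s[1]] = TOP
    return state


def sync(prog, var):
    """True iff the analysis proves assert sync(var), i.e. δvar ∈ [0, 0]."""
    return analyze(prog).get(var) == (0, 0)


# The Unchloop double program of the slides, in this example's encoding.
UNCHLOOP = [
    ("input", "a"),                              # a = input(-1000, 1000)
    ("input", "b"),                              # b = input(-1000, 1000)
    ("assign", "c", aff(1), aff(0)),             # c = 1 ∥ 0
    ("assign", "i", aff(0)),                     # i = 0
    ("while", ("i", "a"), [                      # while (i < a) {
        ("assign", "c", aff(0, c=1, b=1)),       #   c = c + b
        ("assign", "i", aff(1, i=1)),            #   i = i + 1
    ]),                                          # }
    ("assign", "r", aff(0, c=1), aff(1, c=1)),   # r = c ∥ c + 1
]

# Constructed variant: only the initialisation is patched, r = c on both sides.
HALF_PATCHED = UNCHLOOP[:-1] + [("assign", "r", aff(0, c=1))]

# Constructed variant: a loop whose difference grows at each iteration (k = k ∥ k + 1).
DRIFT = [("input", "n"), ("assign", "i", aff(0)), ("assign", "k", aff(0)),
         ("while", ("i", "n"), [("assign", "i", aff(1, i=1)),
                                ("assign", "k", aff(0, k=1), aff(1, k=1))])]

if __name__ == "__main__":
    print(analyze(UNCHLOOP))   # δr ∈ [0, 0]: assert sync(r) holds
```

On `UNCHLOOP` the analysis reproduces the trace on this slide ($\delta_c = [-1, -1]$ through the loop, $\delta_r = [0, 0]$ at the end); on `HALF_PATCHED` it reports $\delta_r = [-1, -1]$, i.e. a real behavioural difference rather than a loss of precision; on `DRIFT` the widening gives $\delta_k = \top$, which is where a relational domain on $(x_1, \delta_x)$ would be needed.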

SLIDE 41

Agenda: 4. Evaluation

SLIDE 42-44

Evaluation

Prototype abstract interpreter:
- semantics $\mathbb{D}^\sharp$ and $\mathbb{D}_\delta^\sharp$ for a toy language
- 2,000 lines of OCaml source code
- Apron library for polyhedra and octagons

Limitations:
- collecting semantics $\mathbb{D}$ ⇒ compares pairs of terminating executions only
- assumes the joint representation is given

Benchmarks:
- selected from Trostanetski et al. [2017] (a) and Partush and Yahav [2013, 2014]
- focussing on equivalence for now
- speedups ≥ 1 order of magnitude

(a) speedups ≥ 1 order of magnitude with respect to the well-established tools SymDiff and RVT

SLIDE 45-46

Benchmarks

| Origin  | Benchmark  | LOC | Related time (ms) | $\mathbb{D}^\sharp$ (polyhedra) time (ms) | $\mathbb{D}^\sharp$ (octagon) time (ms) | $\mathbb{D}_\delta^\sharp$ (interval) time (ms) |
|---------|------------|-----|-------------------|--------|--------|--------|
| 2017    | Comp       | 13  | 539               | 14 ✓   | 18 ✗   | 2 ✗    |
|         | Const      | 9   | 541               | 7 ✓    | 17 ✓   | 1 ✓    |
|         | Fig. 2     | 14  | –                 | 4 ✓    | 5 ✓    | 1 ✓    |
|         | LoopMult   | 14  | 49,031 (2)        | 20 ✓   | 56 ✗   | 1 ✗    |
|         | LoopSub    | 15  | 1,179             | 19 ✓   | 53 ✗   | 2 ✗    |
|         | UnchLoop   | 13  | 2,838 (3)         | 15 ✓   | 36 ✗   | 2 ✓    |
| 2013    | sign       | 12  | –                 | 6 ✓    | 8 ✗    | 2 ✓*   |
|         | sum        | 14  | 4,000             | 14 ✓   | 30 ✓   | 6 ✓*   |
|         | copy (1)   | 37  | 7,000             | 102 ✓  | 60 ✓   | 2 ✓*   |
|         | remove (1) | 19  | 1,000             | 6 ✓    | 18 ✓   | 2 ✗    |
| 2013-14 | seq (1)    | 41  | 11,000            | 75 ✓   | 500 ✗  | 2 ✗    |
|         | test (1)   | 158 | –                 | 96 ✓   | 521 ✓  | 4 ✓    |

(1) Coreutils. (2) only 20 loop iterations. (3) only 5 loop iterations.
* ✓ with partitioning (work in progress); ✗ without it.

SLIDE 47

The seq example: non-regression verification

Original version (print_extra_number == false):

    print_numbers (long first, long last)
    {
      long i, x;
      char *fmt, *separator, *terminator;

      for (i = 0; /* empty */; i++)
        {
          x = first + i * STEP;
          if (last < x)
            break;
          if (i)
            printf (separator);
          printf (fmt, x);
        }
      if (i)
        printf (terminator);
    }

New version:

    print_numbers (long first, long last, bool print_extra_number)
    {
      char *fmt, *separator, *terminator;
      bool out_of_range = (last < first);
      long x, x0, i;

      if (! out_of_range)
        {
          x = first;
          for (i = 1; /* empty */; i++)
            {
              x0 = x;
              printf (fmt, x);
              if (out_of_range)
                break;
              x = first + i * STEP;
              out_of_range = (last < x);
              if (out_of_range)
                {
                  if (! print_extra_number)
                    break;
                }
              printf (separator);
            }
          printf (terminator);
        }
    }

SLIDE 48

References

- N. Partush and E. Yahav. Abstract semantic differencing for numerical programs. In F. Logozzo and M. Fähndrich, editors, Static Analysis, pages 238–258, Berlin, Heidelberg, 2013. Springer Berlin Heidelberg. ISBN 978-3-642-38856-9.
- N. Partush and E. Yahav. Abstract semantic differencing via speculative correlation. In Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications, OOPSLA '14, pages 811–828, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2585-1. doi: 10.1145/2660193.2660245. URL http://doi.acm.org/10.1145/2660193.2660245.
- A. Trostanetski, O. Grumberg, and D. Kroening. Modular demand-driven analysis of semantic difference for program versions. In F. Ranzato, editor, Static Analysis - 24th International Symposium, SAS 2017, New York, NY, USA, August 30 - September 1, 2017, Proceedings, volume 10422 of Lecture Notes in Computer Science, pages 405–427. Springer, 2017. ISBN 978-3-319-66705-8. doi: 10.1007/978-3-319-66706-5_20. URL https://doi.org/10.1007/978-3-319-66706-5_20.

SLIDE 49-50

Conclusion

Patch analysis by abstract interpretation:

1. novel concrete collecting semantics
2. analysis is parametric in the abstract domain
3. novel numeric domain
4. experiments on examples from the literature

Future work:
- non purely numeric programs
- other abstract domains (e.g. zonotopes)
- extension to portability analysis

SLIDE 51

Thank you for your attention. Questions?

SLIDE 52

Backup slides

Backup outline: Simple programs · Double programs

SLIDE 53

Non termination

    {
      int x;
      x = input(-100, 100);

      if (x < 0) {
        x = -1;
      }
      else {
        if (x >= 2 ∥ x >= 4) {}
        else {
          while (x == 2) x = 2;
          x = 3;
        }
      }

      assert sync(x);   // x=2 ignored
    }

($x \ge 2 \parallel x > 4$ in Trostanetski et al. [2017])

SLIDE 54

Variables switch roles

    {
      int x; int y; int a; int b; int c; int i;
      x = input(-100, 100);
      y = input(-10, 1);

      a = x ∥ y;
      b = y ∥ x;

      c = a ∥ b;
      i = 0;
      while (i < 3) {
        c = c - b ∥ c - a;
        i = i + 1;
      }

      assert sync(c);
    }

Invariant: $a_1 = b_2 \wedge a_2 = b_1$

SLIDE 55-57

Loop rearrangements

    {
      first = input(0, 100);
      last = input(0, 100);

      step = 2;
      separator = 128;
      terminator = 1024;
      print_extra_number = 0;

      {/* skip */} ∥ if (last < first) out_of_range = 1;

      if (1 == 1 ∥ out_of_range == 0) {
        {/* skip */} ∥ x = first;
        i = 0 ∥ 1;
        while (break == 0) {
          {
            x = first + i * step;
            if (last < x) break = 1;
            if (break == 0) {
              if (i != 0) out1 = separator;
              out2 = x;
            }
          } ∥ {
            out2 = x;
            if (out_of_range == 1) break = 1;
            else {
              x = first + i * step;
              if (last < x) out_of_range = 1;
              if (out_of_range == 1) if (print_extra_number == 0) break = 1;
              if (break == 0) out1 = separator;
            }
          }
          i = i + 1;
        }

      }

      assert sync(out1, out2);
      if (i != 0) out1 = terminator; ∥ out1 = terminator;

      assert sync(out1);
    }

SLIDE 58

Looping at different paces

    {
      int i;
      int max;

      max = input(0, 4359);

      i = 0;
      while (i < max) {
        i = i + 1 ∥ i + 2;
      }

      {/* skip */} ∥ if (max > 0 && i > max) i = i - 1;   // when max is odd

      assert sync(i);
      assert (i == max);
    }

SLIDE 59

Syntax of simple programs

$\mathit{expr} ::= V \quad (V \in \mathbb{V}) \;\mid\; c \quad (c \in \mathbb{R}) \;\mid\; -\mathit{expr} \;\mid\; \mathit{expr} \diamond \mathit{expr} \quad (\diamond \in \{+, -, \times, /\}) \;\mid\; \mathit{rand}(a, b) \quad (a, b \in \mathbb{R})$

$\mathit{cond} ::= \mathit{expr} \bowtie \mathit{expr} \quad (\bowtie \in \{\le, \ge, =, \ne, <, >\}) \;\mid\; \neg \mathit{cond} \;\mid\; \mathit{cond} \diamond \mathit{cond} \quad (\diamond \in \{\wedge, \vee\})$

$\mathit{stat} ::= V \leftarrow \mathit{expr} \;\mid\; \mathbf{if}\ \mathit{cond}\ \mathbf{then}\ \mathit{stat}\ \mathbf{else}\ \mathit{stat} \;\mid\; \mathbf{while}\ \mathit{cond}\ \mathbf{do}\ \mathit{stat} \;\mid\; \mathit{stat}; \mathit{stat} \;\mid\; \mathit{skip}$

SLIDE 60

Standard relational concrete semantics of simple programs

Statements

$\mathbb{S}\llbracket \mathit{stat} \rrbracket \in \mathcal{P}(E \times E)$

$\mathbb{S}\llbracket \mathit{skip} \rrbracket \stackrel{\mathrm{def}}{=} \Delta_E$

$\mathbb{S}\llbracket V \leftarrow e \rrbracket \stackrel{\mathrm{def}}{=} \{ (\rho, \rho[V \mapsto v]) \mid \rho \in E, v \in \mathbb{E}\llbracket e \rrbracket \rho \}$

$\mathbb{S}\llbracket \mathbf{if}\ c\ \mathbf{then}\ s_1\ \mathbf{else}\ s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{S}\llbracket c? \rrbracket \circ \mathbb{S}\llbracket s_1 \rrbracket \cup \mathbb{S}\llbracket \neg c? \rrbracket \circ \mathbb{S}\llbracket s_2 \rrbracket$

$\mathbb{S}\llbracket \mathbf{while}\ c\ \mathbf{do}\ s \rrbracket \stackrel{\mathrm{def}}{=} (\mathrm{lfp}\, \lambda R.\, \Delta_E \cup R \circ \mathbb{S}\llbracket c? \rrbracket \circ \mathbb{S}\llbracket s \rrbracket) \circ \mathbb{S}\llbracket \neg c? \rrbracket$

$\mathbb{S}\llbracket s_1; s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{S}\llbracket s_1 \rrbracket \circ \mathbb{S}\llbracket s_2 \rrbracket$

where $\mathbb{S}\llbracket c? \rrbracket \stackrel{\mathrm{def}}{=} \{ (\rho, \rho) \mid \rho \in E, \mathit{true} \in \mathbb{C}\llbracket c \rrbracket \rho \}$ and $R_1 \circ R_2 \stackrel{\mathrm{def}}{=} \{ (x, z) \mid \exists y : (x, y) \in R_1 \wedge (y, z) \in R_2 \}$

SLIDE 61

Standard relational concrete semantics of simple programs

Conditions

$\mathbb{C}\llbracket \mathit{cond} \rrbracket \in E \to \mathcal{P}(\{\mathit{true}, \mathit{false}\})$

$\mathbb{C}\llbracket \neg c \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ \neg v \mid v \in \mathbb{C}\llbracket c \rrbracket \rho \}$

$\mathbb{C}\llbracket c_1 \diamond c_2 \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ v_1 \diamond v_2 \mid v_1 \in \mathbb{C}\llbracket c_1 \rrbracket \rho, v_2 \in \mathbb{C}\llbracket c_2 \rrbracket \rho \}$, $\diamond \in \{\wedge, \vee\}$

$\mathbb{C}\llbracket e_1 \bowtie e_2 \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ \mathit{true} \mid \exists v_1 \in \mathbb{E}\llbracket e_1 \rrbracket \rho, v_2 \in \mathbb{E}\llbracket e_2 \rrbracket \rho : v_1 \bowtie v_2 \} \cup \{ \mathit{false} \mid \exists v_1 \in \mathbb{E}\llbracket e_1 \rrbracket \rho, v_2 \in \mathbb{E}\llbracket e_2 \rrbracket \rho : \neg(v_1 \bowtie v_2) \}$, $\bowtie \in \{\le, \ge, =, \ne, <, >\}$

SLIDE 62

Standard relational concrete semantics of simple programs

Expressions

$\mathbb{E}\llbracket \mathit{expr} \rrbracket \in E \to \mathcal{P}(\mathbb{R})$

$\mathbb{E}\llbracket V \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ \rho(V) \}$

$\mathbb{E}\llbracket c \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ c \}$

$\mathbb{E}\llbracket \mathit{rand}(a, b) \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ x \mid a \le x \le b \}$

$\mathbb{E}\llbracket -e \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ -v \mid v \in \mathbb{E}\llbracket e \rrbracket \rho \}$

$\mathbb{E}\llbracket e_1 \diamond e_2 \rrbracket \rho \stackrel{\mathrm{def}}{=} \{ v_1 \diamond v_2 \mid v_1 \in \mathbb{E}\llbracket e_1 \rrbracket \rho, v_2 \in \mathbb{E}\llbracket e_2 \rrbracket \rho, \diamond \ne / \vee v_2 \ne 0 \}$, $\diamond \in \{+, -, \times, /\}$
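The set-valued semantics $\mathbb{E}\llbracket \cdot \rrbracket$ and $\mathbb{C}\llbracket \cdot \rrbracket$ of the last two slides, implemented in Python as an added example (not part of the slides and not the authors' OCaml prototype). It assumes that rand(a, b) ranges over the integers of [a, b] so that every value set is finite and can be enumerated; the tuple encoding of the syntax and the function names are this example's own. It shows the two points a reader might miss in the formulas: a condition over a non-deterministic expression can evaluate to both truth values at once, and division by zero is silently excluded from the value set rather than reported.

```python
# Added example, not from the slides: the set-valued semantics E[expr]ρ and
# C[cond]ρ of the backup slides, with integer-valued rand(a, b) so that the
# result sets are finite.  The tuple encoding of the syntax and the function
# names are this example's assumptions.
import operator

BINOPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
          "/": operator.truediv}
CMPS = {"<=": operator.le, ">=": operator.ge, "=": operator.eq,
        "!=": operator.ne, "<": operator.lt, ">": operator.gt}


def E(e, rho):
    """E[e]ρ ∈ P(R): every value the expression may take in environment ρ."""
    if isinstance(e, str):                       # variable V: {ρ(V)}
        return {rho[e]}
    if isinstance(e, (int, float)):              # constant c: {c}
        return {e}
    if e[0] == "rand":                           # rand(a, b): every integer a <= x <= b
        _, a, b = e
        return set(range(a, b + 1))
    if e[0] == "neg":                            # -e
        return {-v for v in E(e[1], rho)}
    op, e1, e2 = e                               # e1 ⋄ e2, division by zero excluded
    return {BINOPS[op](v1, v2) for v1 in E(e1, rho) for v2 in E(e2, rho)
            if op != "/" or v2 != 0}


def C(c, rho):
    """C[c]ρ ∈ P({True, False}): every truth value the condition may take."""
    if c[0] == "not":
        return {not v for v in C(c[1], rho)}
    if c[0] in ("and", "or"):
        f = (lambda x, y: x and y) if c[0] == "and" else (lambda x, y: x or y)
        return {f(v1, v2) for v1 in C(c[1], rho) for v2 in C(c[2], rho)}
    op, e1, e2 = c                               # e1 ⋈ e2 over all value pairs
    return {CMPS[op](v1, v2) for v1 in E(e1, rho) for v2 in E(e2, rho)}


def filter_states(c, states):
    """S[c?] on a list of environments: keep those in which c may be true."""
    return [rho for rho in states if True in C(c, rho)]


if __name__ == "__main__":
    env = {"x": 3}
    print(E(("+", "x", ("rand", 0, 2)), env))        # {3, 4, 5}
    print(C(("<", "x", ("rand", 2, 4)), env))        # {False, True}
```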

SLIDE 63

Syntax of double programs

$\mathit{dexpr} ::= \mathit{expr} \;\mid\; \mathit{expr} \parallel \mathit{expr}$

$\mathit{dcond} ::= \mathit{cond} \;\mid\; \mathit{cond} \parallel \mathit{cond}$

$\mathit{dstat} ::= \mathit{stat} \;\mid\; \mathit{stat} \parallel \mathit{stat} \;\mid\; V \leftarrow \mathit{dexpr} \;\mid\; \mathbf{if}\ \mathit{dcond}\ \mathbf{then}\ \mathit{dstat}\ \mathbf{else}\ \mathit{dstat} \;\mid\; \mathbf{while}\ \mathit{dcond}\ \mathbf{do}\ \mathit{dstat} \;\mid\; \mathit{dstat}; \mathit{dstat}$

SLIDE 64

Concrete semantics

Denotational concrete semantics of double programs

$\mathbb{D}\llbracket \mathit{dstat} \rrbracket \in \mathcal{P}(D \times D)$

$\mathbb{D}\llbracket \mathit{skip} \rrbracket \stackrel{\mathrm{def}}{=} \Delta_D$

$\mathbb{D}\llbracket s_1 \parallel s_2 \rrbracket \stackrel{\mathrm{def}}{=} \{ ((i_1, i_2), (o_1, o_2)) \mid \forall k \in \{1, 2\} : (i_k, o_k) \in \mathbb{S}_k\llbracket s_k \rrbracket \}$

$\mathbb{D}\llbracket V \leftarrow e_1 \parallel e_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket V \leftarrow e_1 \parallel V \leftarrow e_2 \rrbracket$

$\mathbb{D}\llbracket s_1; s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket s_1 \rrbracket \circ \mathbb{D}\llbracket s_2 \rrbracket$

$\mathbb{D}\llbracket \mathbf{if}\ c\ \mathbf{then}\ s_1\ \mathbf{else}\ s_2 \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{F}\llbracket c \rrbracket \circ \mathbb{D}\llbracket s_1 \rrbracket \;\cup\; \mathbb{F}\llbracket \neg c \rrbracket \circ \mathbb{D}\llbracket s_2 \rrbracket \;\cup\; \mathbb{F}\llbracket c \parallel \neg c \rrbracket \circ \mathbb{D}_1\llbracket s_1 \rrbracket \circ \mathbb{D}_2\llbracket s_2 \rrbracket \;\cup\; \mathbb{F}\llbracket \neg c \parallel c \rrbracket \circ \mathbb{D}_1\llbracket s_2 \rrbracket \circ \mathbb{D}_2\llbracket s_1 \rrbracket$

$\mathbb{D}\llbracket \mathbf{while}\ c\ \mathbf{do}\ s \rrbracket \stackrel{\mathrm{def}}{=} (\mathrm{lfp}\, H) \circ \mathbb{F}\llbracket \neg c \rrbracket$

where

$\mathbb{F}\llbracket c_1 \parallel c_2 \rrbracket \stackrel{\mathrm{def}}{=} \{ ((\rho_1, \rho_2), (\rho_1, \rho_2)) \mid \forall k \in \{1, 2\} : \mathit{true} \in \mathbb{C}_k\llbracket c_k \rrbracket \rho_k \}$

$\mathbb{F}\llbracket c \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{F}\llbracket c \parallel c \rrbracket$

$\mathbb{D}_1\llbracket s \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket \pi_1(s) \parallel \mathit{skip} \rrbracket$

$\mathbb{D}_2\llbracket s \rrbracket \stackrel{\mathrm{def}}{=} \mathbb{D}\llbracket \mathit{skip} \parallel \pi_2(s) \rrbracket$

$H(R) \stackrel{\mathrm{def}}{=} \Delta_D \cup R \circ \big( \mathbb{F}\llbracket c \parallel c \rrbracket \circ \mathbb{D}\llbracket s \rrbracket \;\cup\; \mathbb{F}\llbracket c \parallel \neg c \rrbracket \circ \mathbb{D}_1\llbracket s \rrbracket \;\cup\; \mathbb{F}\llbracket \neg c \parallel c \rrbracket \circ \mathbb{D}_2\llbracket s \rrbracket \big)$