Semantics: Application to C Programs
Lecture Slides by Dr. Marie-Christine Jakobs
- Prof. Dr. Dirk Beyer
Dirk.Beyer@sosy-lab.org
SoSy-Lab, LMU Munich, Germany
SoSy-Lab, LMU Munich, Germany 2 / 100
Lecture: Feb 27, 2019, 10:00 – 14:00, Munich, Oettingenstr. 67, C003
Tutorial: Feb 27, 2019, 14:00 – 15:30, Munich, Oettingenstr. 67, C003
https://www.sosy-lab.org/Teaching/2019-SS-Semantik/
Program analysis computes an (over-)approximation of a program's behavior.
Applications
◮ Optimization
◮ Correctness (i.e., whether the program satisfies a given property)
Verification formally proves whether a program P satisfies a property ϕ.
◮ Requires program semantics, i.e., the meaning of the program
◮ Relies on mathematical methods, e.g.
  ◮ logic
  ◮ induction
  ◮ ...
Formally proves whether a program P satisfies a property ϕ.
Verifier (figure): takes program P and property ϕ as input and answers TRUE (✓) or FALSE (×).
Disprove (×): find a program execution (counterexample) that violates the property ϕ.
Prove (✓): show that every execution of the program satisfies the property ϕ.
double divTwiceCons(double y) {
  int cons = 5;
  int d = 2*cons;
  if (cons != 0)
    return y/(2*cons);
  else
    return 0;
}
double divTwiceCons(double y) {
  int cons = 5;
  // expression 2*cons has value 10
  // variable d not used
  int d = 2*cons;
  if (cons != 0)
    // expression 2*cons evaluated before
    return y/(2*cons);
  else
    // dead code
    return 0;
}
After optimization:
double divTwiceConsOptimized(double y) {
  return y/10;
}
double avgUpTo(int[] numbers, int length) {
  double sum = 0;
  for (int i = 0; i < length; i++)
    sum += numbers[i];
  return sum/(double)length;
}
Possible bugs:
double avgUpTo(int[] numbers, int length) {
  double sum = 0;
  for (int i = 0; i < length; i++)
    // possible null pointer access (numbers == null)
    // index out of bounds (length > numbers.length)
    // integer overflow
    sum += numbers[i];
  // division by zero (length == 0)
  return sum/(double)length;
}
Well-known software failures:
◮ Ariane V88
◮ Intel Pentium FDIV bug
◮ Mars Polar Lander
◮ ...
Software failures that endanger human lives:
◮ Therac-25
◮ Uber autonomous car
◮ ...
Tools (examples): SpotBugs, Lint, Error Prone, Klee, PeX, Sapienz, CPAchecker, Infer, CBMC, SLAM, UltimateAutomizer, ...
Approaches to verification (figure)
◮ Static: program analysis (dataflow analysis, abstract interpretation, model checking; this lecture), theorem proving (automatic, interactive), type systems
◮ Dynamic: testing, runtime verification
Any non-trivial, semantic property of programs is undecidable.
Techniques are therefore
◮ incomplete, e.g., answer UNKNOWN, or
◮ unsound, i.e., report
  ◮ false alarms (non-existing bugs),
  ◮ false proofs (missed bugs).
Ideal verifier (figure): given program P and property ϕ, answers TRUE (✓), UNKNOWN, or FALSE (×).
Unreliable verifier (figure): given program P and property ϕ, also answers TRUE (✓), UNKNOWN, or FALSE (×), but
◮ FALSE (×) may be a real violation or a false alarm,
◮ TRUE (✓) may mean the program is correct or be a false proof.
◮ Overapproximating verifier (superset of program behavior) without precise counterexample check
  ◮ answers TRUE (✓), UNKNOWN, or FALSE (×)
  ◮ FALSE (×) may be a real violation or a false alarm
◮ Underapproximating verifier (subset of program behavior)
  ◮ answers TRUE (✓), UNKNOWN, or FALSE (×)
  ◮ TRUE (✓) may mean the program is correct or be a false proof
◮ State space grows exponentially with the number of variables
◮ (Syntactic) paths grow exponentially with the number of branches
⇒ Precise techniques may require too many resources (memory, time, ...)
⇒ Trade-off between precision and costs
Flow-insensitive analysis: the order of statements is not considered. E.g., it does not distinguish between these two programs:
  x=0; y=x; x=x+1;
  x=0; x=x+1; y=x;
⇒ very imprecise
Flow-sensitive analysis
◮ Takes the order of statements into account
◮ Mostly ignores infeasibility of syntactic paths
◮ Ignores branch correlations. E.g., it does not distinguish between these two programs:
  if (x>0) y=1; else y=0; if (x>0) y=y+1; else y=y+2;
  if (x>0) y=1; else y=0; if (x>0) y=y+2; else y=y+1;
Path-sensitive analysis
◮ Takes (execution) paths into account
◮ Excludes infeasible syntactic paths (not necessarily all infeasible ones)
◮ Covers flow-sensitivity
  if (x>0) y=1; else y=0; if (x>0) y=y+2; else y=y+1;
To detect that y has value 0, 1, or 3, the analysis
◮ must exclude the infeasible syntactic path along the first else-branch and the second if-branch
◮ needs to detect the correlation between the if-conditions
◮ requires path-sensitivity
⇒ very precise
Precision vs. cost (figure): flow-insensitive (imprecise, cheap), flow-sensitive, path-sensitive (precise, expensive); the program analysis techniques dataflow analysis, abstract interpretation, and model checking are arranged along this spectrum.
Theory: simple while-programs
◮ Restriction to integer constants and variables
◮ Minimal set of statements (assignment, if, while)
◮ Techniques easier to teach/understand
Practice: C programs
◮ Widely-used language
◮ Tool support
Syntax of while-programs
◮ Arithmetic expressions: aexpr := Z | var | -aexpr | aexpr op_a aexpr
◮ Boolean expressions: bexpr := aexpr | aexpr op_c aexpr | !bexpr | bexpr op_b bexpr
  ◮ integer value 0 ≡ false, all remaining values represent true
  ◮ op_c: comparison operator like <, <=, >=, >, ==, !=
  ◮ op_b: logic connective like && (∧), || (∨), ^ (xor), ...
◮ Program: S := var=aexpr; | while bexpr S | if bexpr S else S | if bexpr S | S;S
Representation of a program
Meaning of a program
if (x>0) abs = x; else abs = -x;
i = 1;
while (i<abs) i = 2*i;
Source code:
◮ Basically a sequence of characters
◮ No explicit information about the structure or paths of the program
Syntax tree (figure):
Program
  Sequence
    if
      Condition: x>0
      if-Block: Assignment abs=x;
      else-Block: Assignment abs=-x;
    Sequence
      Assignment i=1;
      while
        Condition: i<abs
        while-Block: Assignment i=2*i;
◮ Hierarchical representation
◮ Flow and paths hard to detect
Control-flow graph (figure): x>0 branches (TRUE) to abs=x; and (FALSE) to abs=-x;, both continue with i=1;, then i<abs branches (TRUE) to i=2*i;, which leads back to i<abs, and (FALSE) to the end.
Control-flow automaton (figure) with locations l0, ..., l6 and edges:
  l0 --x>0--> l1, l0 --!(x>0)--> l2,
  l1 --abs=x;--> l3, l2 --abs=-x;--> l3,
  l3 --i=1;--> l4,
  l4 --i<abs--> l5, l4 --!(i<abs)--> l6,
  l5 --i=2*i;--> l4
A control-flow automaton (CFA) is a three-tuple P = (L, l0, G) consisting of
◮ the set L of program locations (domain of the program counter),
◮ the initial program location l0 ∈ L, and
◮ the control-flow edges G ⊆ L × Ops × L.
Operations Ops: two types
◮ Assumes (boolean expressions)
◮ Assignments (var=aexpr;)
Construction of the CFA (figures):
◮ Assignment var=expr;: one edge labeled var=expr; from the entry location to the exit location.
◮ While-statement while (C) S: from the entry location, an assume edge C enters the CFA of S, whose exit location leads back to the entry location; an assume edge ¬C leads from the entry location to the exit location.
◮ If-statement if (C) S1 else S2: an assume edge C enters the CFA of S1 and an assume edge ¬C enters the CFA of S2; the exit locations of S1 and S2 are merged into the exit location.
◮ If-statement if (C) S: an assume edge C enters the CFA of S, whose exit is the exit location; an assume edge ¬C leads directly to the exit location.
◮ Sequential composition S1; S2: the CFA of S1 is followed by the CFA of S2, the exit location of S1 being the entry location of S2.
Remember: semantics defines the meaning of programs. Different types:
◮ Axiomatic semantics: based on pre- and postconditions, e.g., {true} x=0; {x=0}
◮ Denotational semantics: function from inputs to outputs
◮ Operational semantics (this lecture): defines the execution of the program
Operational semantics defines program meaning by fixing the program execution
◮ Transitions describe single execution steps
  ◮ at the level of an assignment or assume
  ◮ change states
  ◮ evaluate the semantics of expressions in a state
◮ Execution: sequence of transitions
Concrete state: pair of program counter and data state (C = L × Σ)
◮ Program counter
  ◮ Where am I?
  ◮ Location in the CFA
  ◮ c(pc) refers to the program counter of concrete state c
◮ Data state σ : V → Z
  ◮ Fixes the variable values
  ◮ c(d) refers to the data state of concrete state c
Evaluation function Sa : aexpr × Σ → Z, defined recursively on the structure
◮ constant const ∈ Z : Sa(const, σ) = const
◮ variable var: Sa(var, σ) = σ(var)
◮ unary operation: Sa(−t, σ) = −Sa(t, σ)
◮ binary operation: Sa(t1 op_a t2, σ) = Sa(t1, σ) op_a Sa(t2, σ)
Evaluation function Sb : bexpr × Σ → {true, false}, defined recursively on the structure
◮ arithmetic expression: Sb(t, σ) = false if Sa(t, σ) = 0, true else
◮ comparison: Sb(t1 op_c t2, σ) = Sa(t1, σ) op_c Sa(t2, σ)
◮ logic connection: Sb(b1 op_b b2, σ) = Sb(b1, σ) op_b Sb(b2, σ)
Consider σ : abs → 2; i → 0; x → −2. Derivation of the values of
◮ Sa(−x, σ)
◮ Sa(2 * i, σ)
◮ Sb(x > 0, σ)
◮ Sb(i < abs, σ)
Semantics of assignments: Σ × Ops_assignment → Σ with σ[var = aexpr;] = σ′, where σ′(v) = Sa(aexpr, σ) if v = var, σ(v) else.
Consider σ : abs → 2; i → 0; x → −2. Computation of the state updates
◮ σ[i = 1;]
◮ σ[abs = −x;]
◮ σ[i = 2 * i;]
Transitions T ⊆ C × G × C with (c, (l, op, l′), c′) ∈ T if c(pc) = l ∧ c′(pc) = l′ and
◮ op is an assignment var=aexpr; ∧ c′(d) = c(d)[var = aexpr;], or
◮ op is an assume bexpr ∧ Sb(bexpr, c(d)) = true ∧ c(d) = c′(d)
Program paths are defined inductively:
◮ every concrete state c with c(pc) = l0 is a program path
◮ if c0 -(g1)-> c1 ... -(gn)-> cn is a program path and (cn, gn+1, cn+1) ∈ T, then c0 -(g1)-> c1 ... -(gn)-> cn -(gn+1)-> cn+1 is a program path
The set of all program paths of program P = (L, l0, G) is denoted by paths(P).
Example: CFA of the program above (locations l0, ..., l6; edges x>0, !(x>0), abs=x;, abs=-x;, i=1;, i<abs, !(i<abs), i=2*i;).
On the board: shortest and longest program path starting in state (l0, σ) with σ : abs → 2; i → 0; x → −2
reach(P) := {c | ∃ c0 -(g1)-> c1 ... -(gn)-> cn ∈ paths(P) : cn = c}
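As an added example (not part of the slides), the CFA of the example program from above and its concrete operational semantics in Python: the transition relation, the program path from (l0, σ) with σ : abs → 2; i → 0; x → −2, the reachable states, and the check against a reachability property. Expressions are encoded as Python lambdas standing in for Sa and Sb, which is my shortcut rather than a syntax tree.

```python
# Added example (not from the slides): the lecture's example program as a CFA
# P = (L, l0, G) with its operational semantics. A concrete state is a pair
# (pc, sigma); expressions are Python lambdas over sigma that play the role of
# Sa / Sb for that expression (a shortcut of mine, not a syntax tree).

# CFA of:  if (x>0) abs = x; else abs = -x;  i = 1;  while (i<abs) i = 2*i;
# An edge op is ("assign", var, aexpr) or ("assume", bexpr).
G = [
    ("l0", ("assume", lambda s: s["x"] > 0), "l1"),
    ("l0", ("assume", lambda s: not (s["x"] > 0)), "l2"),
    ("l1", ("assign", "abs", lambda s: s["x"]), "l3"),
    ("l2", ("assign", "abs", lambda s: -s["x"]), "l3"),
    ("l3", ("assign", "i", lambda s: 1), "l4"),
    ("l4", ("assume", lambda s: s["i"] < s["abs"]), "l5"),
    ("l4", ("assume", lambda s: not (s["i"] < s["abs"])), "l6"),
    ("l5", ("assign", "i", lambda s: 2 * s["i"]), "l4"),
]


def assign(sigma, var, aexpr):
    """sigma[var = aexpr;]: var gets Sa(aexpr, sigma), other variables keep their value."""
    new = dict(sigma)
    new[var] = aexpr(sigma)
    return new


def successors(c):
    """All (g, c') with (c, g, c') in T for the concrete state c = (pc, sigma)."""
    pc, sigma = c
    result = []
    for g in G:
        l, op, l2 = g
        if l != pc:
            continue
        if op[0] == "assign":
            result.append((g, (l2, assign(sigma, op[1], op[2]))))
        elif op[1](sigma):  # assume edge: only taken if Sb(bexpr, sigma) = true
            result.append((g, (l2, dict(sigma))))
    return result


def run(c0, max_steps=1000):
    """Longest program path from c0 for this deterministic program: follow the
    unique successor until no transition applies (or max_steps is reached)."""
    path, c = [c0], c0
    for _ in range(max_steps):
        succ = successors(c)
        assert len(succ) <= 1, "the example program is deterministic"
        if not succ:
            break
        c = succ[0][1]
        path.append(c)
    return path


def freeze(c):
    # hashable copy of a concrete state so that states can be collected in a set
    return (c[0], tuple(sorted(c[1].items())))


def reach(initial):
    """reach(P) restricted to the given initial states: every state that ends
    some program path starting in one of them (breadth-first exploration)."""
    seen, work = set(), list(initial)
    while work:
        c = work.pop(0)
        if freeze(c) in seen:
            continue
        seen.add(freeze(c))
        work.extend(c2 for _, c2 in successors(c))
    return seen


def violates(reached, l_sub):
    """Reachability property phi_Lsub: is some location of l_sub reached?"""
    return any(pc in l_sub for pc, _ in reached)
```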
Classes of properties (figure)
◮ Trace properties
  ◮ Safety, e.g., reachability, type state
  ◮ Liveness, e.g., termination, responsiveness
  ◮ ...
◮ Hyperproperties, e.g., information-flow security
◮ ...
Reachability property: defines which concrete states ϕR ⊆ C must not be reached. In this lecture:
◮ certain program locations must not be reached
◮ denoted by ϕ_Lsub := {c ∈ C | c(pc) ∈ Lsub}
Program P is correct wrt. reachability property ϕR if reach(P) ∩ ϕR = ∅.
◮ False alarm: v(P, ϕR) = FALSE ∧ reach(P) ∩ ϕR = ∅
◮ False proof: v(P, ϕR) = TRUE ∧ reach(P) ∩ ϕR ≠ ∅
◮ Verifier v is sound if it does not produce false proofs, and complete if it does not produce false alarms.
◮ Infinitely many data states σ ⇒ infinitely many reachable states
◮ Cannot analyze program paths individually
Idea: analyze a set of program paths together
◮ Group concrete states ⇒ abstract states
◮ Define (abstract) semantics for abstract states
⇒ Abstract domain
Let E be a set and ⊑ ⊆ E × E a binary relation on E. The structure (E, ⊑) is a partial order if ⊑ is
◮ reflexive: ∀e ∈ E : e ⊑ e,
◮ transitive: ∀e1, e2, e3 ∈ E : (e1 ⊑ e2 ∧ e2 ⊑ e3) ⇒ e1 ⊑ e3,
◮ antisymmetric: ∀e1, e2 ∈ E : (e1 ⊑ e2 ∧ e2 ⊑ e1) ⇒ e1 = e2.
Examples of partial orders
◮ (Z, ≤)
◮ (2^Q, ⊆)
◮ (Σ*, lexicographic order)
◮ (Σ*, suffix)
Let (E, ⊑) be a partial order.
A subset Esub ⊆ E is a chain if it is totally ordered, i.e., ∀e, e′ ∈ Esub : e ⊑ e′ ∨ e′ ⊑ e. A chain Esub is finite if the subset Esub is finite.
Let (E, ⊑) be a partial order.
A sequence (e_i)_{i ∈ N} ∈ E^ω is an ascending chain if ∀m, m′ ∈ N : m ≤ m′ ⇒ e_m ⊑ e_m′.
A sequence (e_i)_{i ∈ N} ∈ E^ω eventually stabilizes if ∃n0 ∈ N : ∀n ∈ N : n ≥ n0 ⇒ e_n = e_n0.
A stabilizing ascending chain is an ascending chain that eventually stabilizes.
Consider (Z, =)
◮ The set {1, 2} is not a chain
◮ (a1, a2, ...) with ai = 1 is ascending and stabilizing
◮ Every ascending chain in (Z, =) is stabilizing
Consider (Z, ≤)
◮ Every subset of Z is a chain
◮ (a1, a2, ...) with ai = … ; 1 else is not ascending
◮ (a1, a2, ...) with ai = i is ascending, but not stabilizing
◮ (a1, a2, ...) with ai = min(i, 10) is ascending and stabilizing
◮ Not every ascending chain in (Z, ≤) is stabilizing
Let (E, ⊑) be a partial order.
◮ (E, ⊑) has finite height if all chains are finite.
◮ (E, ⊑) has height h if all chains contain at most h + 1 elements and one chain contains h + 1 elements.
Note: If E is finite, then (E, ⊑) has finite height, but not vice versa. For example, (Z, =).
Partial order | finite height | height
(Z, ≤) | × |
(Z, ≥) | |
(Z, =) | |
(Σ*, lexicographic order) | |
(Σ*, suffix) | |
Let (E, ⊑) be a partial order.
An element e ∈ E is an upper bound of a subset Esub ⊆ E if ∀e′ ∈ Esub : e′ ⊑ e.
An element e ∈ E is a least upper bound ⊔ of a subset Esub ⊆ E if
◮ e is an upper bound of Esub and
◮ for all upper bounds e′ of Esub it holds that e ⊑ e′.
Let (E, ⊑) be a partial order.
An element e ∈ E is a lower bound of a subset Esub ⊆ E if ∀e′ ∈ Esub : e ⊑ e′.
An element e ∈ E is a greatest lower bound ⊓ of a subset Esub ⊆ E if
◮ e is a lower bound of Esub and
◮ for all lower bounds e′ of Esub it holds that e′ ⊑ e.
Partial order | subset | ⊔ (lub) | ⊓ (glb)
(Z, ≤) | {1, 4, 7} | 7 | 1
(Z, ≤) | Z | × | ×
(N, ≤) | ∅ | | ×
(2^Q, ⊆) | 2^Q | |
(2^Q, ⊆) | {∅} | |
(2^Q, ⊆) | Y ⊆ 2^Q | |
Least upper bounds and greatest lower bounds do not always exist. For example, in
◮ (Z, ≤)
◮ (N, ≤)
◮ (N, ≥)
Least upper bounds and greatest lower bounds are unique if they exist. (Proof on the board)
A structure E = (E, ⊑, ⊔, ⊓, ⊤, ⊥) is a lattice if
◮ (E, ⊑) is a partial order
◮ least upper bound ⊔ and greatest lower bound ⊓ exist for all subsets Esub ⊆ E
◮ ⊤ = ⊔E = ⊓∅ and ⊥ = ⊓E = ⊔∅
Note: For any set Q the structure (2^Q, ⊆, ∪, ∩, Q, ∅) is a lattice.
(a) ... (f): example structures shown as Hasse diagrams (figure).
A flat lattice of a set Q consists of
◮ the extended set Q^⊤_⊥ = Q ∪ {⊤, ⊥}
◮ the flat ordering ⊑, i.e., ∀q ∈ Q : ⊥ ⊑ q ⊑ ⊤ and ⊥ ⊑ ⊤
◮ ⊔X = ⊥ if X = ∅ ∨ X = {⊥}; q if X = {q} ∨ X = {⊥, q}; ⊤ else
◮ ⊓X = ⊤ if X = ∅ ∨ X = {⊤}; q if X = {q} ∨ X = {⊤, q}; ⊥ else
(Hasse diagram: ⊤ on top, the elements of Q side by side below it, ⊥ at the bottom.)
Let E1 = (E1, ⊑1, ⊔1, ⊓1, ⊤1, ⊥1) and E2 = (E2, ⊑2, ⊔2, ⊓2, ⊤2, ⊥2) be lattices. The product lattice E× = (E1 × E2, ⊑×, ⊔×, ⊓×, ⊤×, ⊥×) with
◮ (e1, e2) ⊑× (e1′, e2′) if e1 ⊑1 e1′ ∧ e2 ⊑2 e2′
◮ ⊔×Esub = (⊔1{e1 | (e1, ·) ∈ Esub}, ⊔2{e2 | (·, e2) ∈ Esub})
◮ ⊓×Esub = (⊓1{e1 | (e1, ·) ∈ Esub}, ⊓2{e2 | (·, e2) ∈ Esub})
◮ ⊤× = (⊤1, ⊤2) and ⊥× = (⊥1, ⊥2)
is a lattice. Proof on the board.
A complete lattice is not always required ⇒ remove unused elements.
Join-semi-lattice: a structure E = (E, ⊑, ⊔, ⊤) is a join-semi-lattice if
◮ (E, ⊑) is a partial order
◮ the least upper bound ⊔ exists for all subsets Esub ⊆ E
◮ ⊤ = ⊔E
Abstract domain: join-semi-lattice on the set of abstract states + meaning of abstract states.
An abstract domain D = (C, E, [[·]]) consists of
◮ a set C of concrete states
◮ a join-semi-lattice E = (E, ⊑, ⊔, ⊤)
◮ a concretization function [[·]] : E → 2^C (assigns meaning to abstract states) with
  ◮ [[⊤]] = C
  ◮ ∀Esub ⊆ E : ⋃_{e ∈ Esub} [[e]] ⊆ [[⊔Esub]] (join operator overapproximates)
Abstraction function α : 2^C → E. Here:
◮ not defined separately
◮ returns the smallest abstract state that covers the set of concrete states
Abstraction and concretization function fulfill the following connection:
◮ ∀Csub ⊆ C : Csub ⊆ [[α(Csub)]] (abstraction is a safe approximation, but may lose information/precision)
◮ ∀e ∈ E : α([[e]]) ⊑ e (no loss in safety)
Abstract interpretation of the program, i.e., evaluation on abstract states.
Transfer relation ⇝ ⊆ E × G × E with
◮ ∀e ∈ E, g ∈ G : {c′ | c ∈ [[e]] ∧ (c, g, c′) ∈ T} ⊆ ⋃_{(e, g, e′) ∈ ⇝} [[e′]] (safe over-approximation)
◮ Depends on the abstract domain
◮ In this lecture: restricted to functions, written ⇝(e, g) = e′
◮ Monotony: ∀e, e′ ∈ E, g ∈ G : e ⊑ e′ ⇒ ⇝(e, g) ⊑ ⇝(e′, g)
◮ Distributivity: ∀e, e′ ∈ E, g ∈ G : ⇝(e, g) ⊔ ⇝(e′, g) = ⇝(e ⊔ e′, g)
Summary: an abstract domain consists of
◮ a join-semi-lattice E on the set E of abstract states
◮ the meaning of abstract states [[·]]
Requirements:
◮ Join operator overapproximates: ∀Esub ⊆ E : ⋃_{e ∈ Esub} [[e]] ⊆ [[⊔Esub]]
◮ Monotony of the transfer relation: ∀e, e′ ∈ E, g ∈ G : e ⊑ e′ ⇒ ⇝(e, g) ⊑ ⇝(e′, g)
◮ Distributivity of the transfer relation: ∀e, e′ ∈ E, g ∈ G : ⇝(e, g) ⊔ ⇝(e′, g) = ⇝(e ⊔ e′, g)
Tracks control-flow of program ◮ Uses flat lattice of set L of location states ◮ [ [ℓ] ] :=
C if ℓ = ⊤ ∅ if ℓ = ⊥ {c ∈ C | c(pc) = ℓ} else (guarantees that join overapproximates) ◮ (ℓ, (l, op, l′), ℓ′) ∈L if (ℓ = l ∨ ℓ = ⊤) and ℓ′ = l′
SoSy-Lab, LMU Munich, Germany 78 / 100
Transfer relation ⇝_L
◮ overapproximates, i.e., ∀e ∈ E_L, g ∈ G : {c′ | c ∈ [[e]] ∧ (c, g, c′) ∈ T} ⊆ ⋃_{(e, g, e′) ∈ ⇝_L} [[e′]]
◮ monotone
◮ distributive
Automaton observing violation of reachability property ϕ_Lsub (figure): states q_safe (initial) and q_unsafe
◮ q_safe → q_safe on an edge (·, ·, l) ∈ G with l ∉ Lsub
◮ q_safe → q_unsafe on an edge (·, ·, l) ∈ G with l ∈ Lsub
◮ q_unsafe → q_unsafe on any edge g ∈ G
Represent the automaton encoding of property ϕ_Lsub as an abstraction (R)
◮ Uses the join-semi-lattice on the set {q_safe, q_unsafe} with q_safe ⊑ q_unsafe
◮ [[q]] := C if q = q_unsafe; {c ∈ C | c(pc) ∉ Lsub} else
◮ (q, (l, op, l′), q′) ∈ ⇝_R if q′ = q_unsafe ∧ l′ ∈ Lsub, or q′ = q ∧ l′ ∉ Lsub
Transfer relation ⇝_R
◮ overapproximates
◮ monotone
◮ distributive
Variable separate domain: assigns to each variable an abstract value from a base domain B = (E_B, ⊑_B, ⊔_B, ⊤_B)
◮ E = {f : Var → B}
◮ f ⊑ f′ if ∀v ∈ Var : f(v) ⊑_B f′(v)
◮ ⊔F = f″ with ∀v ∈ Var : f″(v) = ⊔_{f ∈ F} f(v)
◮ [[f]] = {c | ∀v ∈ Var : c(d)(v) ∈ [[f(v)]]_B}
Value analysis (V): uses the variable separate domain
◮ Base domain: flat lattice of Z
◮ Abstract value ⊤: any value
◮ Transfer relation ⇝_V
  ◮ Assignment: (f, (l, v := expr;, l′), f′) ∈ ⇝_V if ∀w ∈ Var : v ≠ w ⇒ f(w) = f′(w) and f′(v) = ⊤ if ∃w ∈ var(expr) : f(w) = ⊤; ⊥ if ∃w ∈ var(expr) : f(w) = ⊥; Sa(expr, f) else
  ◮ Assume: (f, (l, expr, l′), f) ∈ ⇝_V if ∃w ∈ var(expr) : f(w) = ⊤ or ∀w ∈ var(expr) : f(w) ∈ Z ∧ Sb(expr, f)
Transfer relation ⇝_V
◮ overapproximates
◮ monotone
◮ not distributive, e.g., for f : x → 3; y → 2 and f′ : x → 2; y → 3: ⇝(f, x = x + y;) ⊔ ⇝(f′, x = x + y;) : x → 5; y → ⊤, but ⇝(f ⊔ f′, x = x + y;) : x → ⊤; y → ⊤
On the board:
◮ ⇝(i → ⊤; x → 3, (l, i = 1;, l′))
◮ ⇝(i → ⊤; x → ⊤, (l, i = i * 2;, l′))
◮ ⇝(i → ⊤; x → 5, (l, i = i * 2;, l′))
◮ ⇝(i → 0; x → ⊤, (l, i && x > 0, l′))
◮ ⇝(i → ⊤; x → 10, (l, x > 10, l′))
Sign analysis: variable separate domain using the base domain with Hasse diagram ⊤ on top; +−, 0+, −0 below it; +, 0, − below those; ⊥ at the bottom.
Concretization: [[⊤]] = Z, [[+]] = N+, [[−]] = Z \ N+, [[0]] = {0}, [[+−]] = Z \ {0}, [[0+]] = N+, [[−0]] = Z \ N+, [[⊥]] = ∅
Suggestion 1:
◮ ⇝(f, g) = f′ with ∀v ∈ Var : f′(v) = ⊤
◮ sound, but not useful
Suggestion 2:
◮ Assume: ⇝(f, expr) = f
◮ Assignment: ⇝(f, v=expr;) = f′ with ∀u ∈ Var : u ≠ v ⇒ f′(u) = f(u) and
  ◮ v=const;: f′(v) = + if const ∈ N+; 0 if const = 0; − else
  ◮ v=w;: f′(v) = f(w)
  ◮ v=expr; (any other expression): f′(v) = ⊤
Sound, but could be more precise.
More precise: for special boolean expressions like var>0, var==0, var<0, var>=0, var<=0
◮ the truth value can be decided
◮ used to restrict the successors of assume expressions
Abstract evaluation of arithmetic expressions, e.g.
◮ e + e = e, for any abstract value e except +−
◮ e + 0 = e
◮ e − 0 = e
◮ e * 0 = 0
◮ ...
Interval analysis: variable separate domain based on the interval domain
◮ E = Z² ∪ {⊤, ⊥}, intervals written [a, b]
◮ ⊥ ⊑ e, e ⊑ ⊤, and [a, b] ⊑ [c, d] if c ≤ a ∧ b ≤ d
◮ ⊔Esub = ⊤ if ⊤ ∈ Esub; ⊥ if Esub ⊆ {⊥}; [min_{[a,b] ∈ Esub} a, max_{[a,b] ∈ Esub} b] else
◮ [[[a, b]]] = {x ∈ Z | a ≤ x ≤ b}, [[⊤]] = Z, [[⊥]] = ∅
Violates the ascending chain condition.
Relies on abstract evaluation of expressions in state f. Arithmetic expressions:
◮ const: [const, const]
◮ var: f(var)
◮ −[a, b] = [−b, −a]
◮ [a, b] op_a [c, d] = [min(a op_a c, b op_a d), max(a op_a c, b op_a d)]
◮ special treatment of the values ⊥, ⊤
Relies on abstract evaluation of expressions in state f. Boolean expressions:
◮ [a, b] used as a boolean expression evaluates to {true} if a > 0 ∨ b < 0; {false} if a = b = 0; {true, false} else
◮ [a, b] < [c, d] = {true} if b < c; {false} if a ≥ d; {true, false} else
◮ other comparison operators similar
◮ ...
Define the transfer relation analogously to the transition relation.
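As an added example (not part of the slides), the interval domain with its ordering, join, abstract evaluation of arithmetic and boolean expressions, and the transfer relation for assignments and assumes. The expression encoding as nested tuples is mine; for binary operators the code takes min and max over all four endpoint combinations, which coincides with the slide's formula for + and keeps − and * sound as well.

```python
# Added example (not from the slides): the lecture's interval domain as a
# variable-separate domain f: var -> interval. An interval is a tuple (a, b),
# TOP / BOT are strings. Expressions are syntax trees (my encoding):
#   ("const", n) | ("var", v) | ("neg", e) | (op, e1, e2) with op in + - * <
TOP, BOT = "TOP", "BOT"

def leq(e1, e2):
    """[a,b] below [c,d] iff c <= a and b <= d; BOT is least, TOP is greatest."""
    if e1 == BOT or e2 == TOP:
        return True
    if e1 == TOP or e2 == BOT:
        return False
    return e2[0] <= e1[0] and e1[1] <= e2[1]

def join(esub):
    """Least upper bound of a set of abstract values, the slide's three cases."""
    esub = set(esub)
    if TOP in esub:
        return TOP
    if esub <= {BOT}:
        return BOT
    ivs = [e for e in esub if e != BOT]
    return (min(a for a, _ in ivs), max(b for _, b in ivs))

def eval_a(expr, f):
    """Abstract Sa: evaluate an arithmetic expression to an interval, TOP or BOT."""
    kind = expr[0]
    if kind == "const":
        return (expr[1], expr[1])
    if kind == "var":
        return f[expr[1]]
    if kind == "neg":
        v = eval_a(expr[1], f)
        return v if v in (TOP, BOT) else (-v[1], -v[0])
    l, r = eval_a(expr[1], f), eval_a(expr[2], f)
    if BOT in (l, r):  # special treatment of BOT and TOP
        return BOT
    if TOP in (l, r):
        return TOP
    fn = {"+": lambda x, y: x + y, "-": lambda x, y: x - y, "*": lambda x, y: x * y}[kind]
    corners = [fn(x, y) for x in l for y in r]  # all four endpoint combinations
    return (min(corners), max(corners))

def eval_b(expr, f):
    """Abstract Sb: the set of truth values the boolean expression may take."""
    both = frozenset({True, False})
    if expr[0] == "<":
        l, r = eval_a(expr[1], f), eval_a(expr[2], f)
        if BOT in (l, r):
            return frozenset()
        if TOP in (l, r):
            return both
        (a, b), (c, d) = l, r
        return frozenset({True}) if b < c else frozenset({False}) if a >= d else both
    v = eval_a(expr, f)  # an arithmetic expression used as a condition
    if v in (TOP, BOT):
        return both if v == TOP else frozenset()
    a, b = v
    return frozenset({True}) if a > 0 or b < 0 else frozenset({False}) if a == b == 0 else both

def transfer(f, op):
    """Analogous to the concrete transition: ("assign", v, expr) updates v,
    ("assume", expr) has a successor only if the condition can be true."""
    if op[0] == "assign":
        g = dict(f)
        g[op[1]] = eval_a(op[2], f)
        return g
    return dict(f) if True in eval_b(op[1], f) else None
```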
Predicate abstraction: represent states by first-order logic formulae
◮ Restricted to a set of predicates Pred (subset of boolean expressions without boolean connectives)
◮ Conjunction of predicates
Predicate domain (P)
◮ Power set lattice on predicates (2^Pred, ⊇, ∩, ∪, ∅, Pred)
◮ [[⊤]] = [[∅]] = C; for p ≠ ⊥: [[p]] = {c ∈ C | ∀pred ∈ p : Sb(pred, c(d)) = true} (guarantees that join overapproximates)
◮ Transfer relation ⇝_P
  ◮ Assignment: (p, v = expr, p′) ∈ ⇝_P with p′ = {t ∈ Pred | (⋀_{t′ ∈ p} t′[v → v′] ∧ v = expr[v → v′]) ⇒ t}
  ◮ Assume: (p, expr, p′) ∈ ⇝_P if ⋀_{t ∈ p} t ∧ expr is satisfiable and p′ = {t ∈ Pred | (⋀_{t′ ∈ p} t′ ∧ expr) ⇒ t}
Transfer relation ⇝_P
◮ overapproximates
◮ monotone
◮ not distributive (e.g., use the value abstraction example with the value assignments as predicates)
Consider the set of predicates {i>0, x=10}. On the board:
◮ ⇝({x = 10}, (l, i = 1;, l′))
◮ ⇝({i > 0}, (l, i = i * 2;, l′))
◮ ⇝({i > 0}, (l, i < abs, l′))
◮ ⇝({x = 10, i > 0}, (l, x > 10, l′))
Composite analysis: combines two abstractions
◮ Product (join-semi-)lattice E1 × E2
◮ [[(e1, e2)]] = [[e1]]1 ∩ [[e2]]2
◮ Product transfer relation: ((e1, e2), g, (e1′, e2′)) ∈ ⇝ if (e1, g, e1′) ∈ ⇝1 and (e2, g, e2′) ∈ ⇝2
◮ More precise transfer relations possible
Properties inherited from the components. The product transfer relation
◮ overapproximates
◮ is monotone
◮ is distributive
if the respective property is fulfilled by both components. Proof on the board.
Composite analyses used:
◮ Value analysis L × V × R
◮ Predicate analysis L × P × R
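As an added example (not part of the slides) covering both the value analysis V and the composite analysis L × V × R: the flat-lattice value domain with its transfer relation (the on-the-board cases and the non-distributivity example can be reproduced with it) and a worklist fixpoint over the example CFA that joins the abstract value states per location, with the reachability check playing the role of the R component. Encoding each edge with an explicit var(expr) tuple and a lambda for Sa/Sb is my assumption.

```python
# Added example (not from the slides): value domain (flat lattice of Z per
# variable) with its transfer relation, plus the composite L x V analysis as a
# fixpoint over the example CFA. An abstract state f is a dict var -> int |
# TOP | BOT; an edge op carries var(expr) and a lambda evaluating Sa / Sb.
TOP, BOT = "TOP", "BOT"

def join_val(a, b):
    """Least upper bound in the flat lattice of Z."""
    if a == BOT or b == BOT:
        return b if a == BOT else a
    return a if a == b else TOP

def join(f, g):
    """Pointwise join of two abstract states over the same variables."""
    return {v: join_val(f[v], g[v]) for v in f}

def leq(f, g):
    """f is below g iff every variable is below in the flat ordering."""
    return all(f[v] == BOT or f[v] == g[v] or g[v] == TOP for v in f)

def transfer(f, op):
    """Successor of f under op, or None if the assume has no successor.
    op = ("assign", v, var(expr), Sa) or ("assume", None, var(expr), Sb)."""
    kind, v, used, fn = op
    if kind == "assign":
        g = dict(f)
        if any(f[w] == TOP for w in used):
            g[v] = TOP
        elif any(f[w] == BOT for w in used):
            g[v] = BOT
        else:
            g[v] = fn(f)
        return g
    if any(f[w] == TOP for w in used):
        return dict(f)
    if all(f[w] != BOT for w in used) and fn(f):
        return dict(f)
    return None

# CFA of:  if (x>0) abs = x; else abs = -x;  i = 1;  while (i<abs) i = 2*i;
G = [
    ("l0", ("assume", None, ("x",), lambda f: f["x"] > 0), "l1"),
    ("l0", ("assume", None, ("x",), lambda f: not (f["x"] > 0)), "l2"),
    ("l1", ("assign", "abs", ("x",), lambda f: f["x"]), "l3"),
    ("l2", ("assign", "abs", ("x",), lambda f: -f["x"]), "l3"),
    ("l3", ("assign", "i", (), lambda f: 1), "l4"),
    ("l4", ("assume", None, ("i", "abs"), lambda f: f["i"] < f["abs"]), "l5"),
    ("l4", ("assume", None, ("i", "abs"), lambda f: not (f["i"] < f["abs"])), "l6"),
    ("l5", ("assign", "i", ("i",), lambda f: 2 * f["i"]), "l4"),
]

def analyse(f0, l0="l0"):
    """Composite L x V analysis: reached[l] is the join of all abstract states at
    location l. Terminates because the flat lattice has finite height."""
    reached, work = {l0: f0}, [l0]
    while work:
        l = work.pop()
        for src, op, dst in G:
            if src != l:
                continue
            g = transfer(reached[l], op)
            if g is None:
                continue
            new = join(reached[dst], g) if dst in reached else g
            if dst not in reached or not leq(new, reached[dst]):
                reached[dst] = new
                work.append(dst)
    return reached

def violates(reached, l_sub):
    """R component: the property phi_Lsub is violated if a location of l_sub is reached."""
    return any(l in reached for l in l_sub)
```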