[PPT] - Solvers Principles and Architecture (SPA) Part 2 Abstract PowerPoint Presentation

SLIDE 1

Solvers Principles and Architecture (SPA)

Part 2

Abstract Interpretation (Basics)

Master Sciences Informatique (Sif) September, 2019 Rennes

Khalil Ghorbal khalil.ghorbal@inria.fr

K. Ghorbal (INRIA)

1 SIF M2 1 / 13

SLIDE 2

Abstract Interpretation : Intuitions

i S

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 3

Abstract Interpretation : Intuitions

i S

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 4

Abstract Interpretation : Intuitions

i S

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 5

Abstract Interpretation : Intuitions

i S ➻ What about the missed bugs ? are they severe ?

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 6

Abstract Interpretation : Intuitions

i S

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 7

Abstract Interpretation : Intuitions

i S

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 8

Abstract Interpretation : Intuitions

i S

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 9

Abstract Interpretation : Intuitions

i S ➻ Over-approximation may lead to false alarms.

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 10

Abstract Interpretation : Intuitions

i S ➻ Accurate over-approximation gives a safety proof.

K. Ghorbal (INRIA)

2 SIF M2 2 / 13

SLIDE 11

Famous bugs

Examples

1982, The Vancouver stock exchange: after 22 months the index had

fallen to 524, 811 instead of 1098, 811

1985, Therac 25 (radiation therapy machine) : 5 patients killed

(overdoses of radiation)

1991, The Patriot Missile: 28 soldiers killed
1996, Ariane 5: more than 1 billion $ gone in 40 seconds
E. Dijkstra (1972)

Program testing can be used to show the presence of bugs, but never to show their absence!

K. Ghorbal (INRIA)

3 SIF M2 3 / 13

SLIDE 12

Detailed example

begin x = [0,10]; ➊ y = xx - x ➋ if (y >= 0) ➌ then y = x / 10; ➍ else ➎ y = xx + 2; ➏ done; ➐ end ➊ ➋ y = x2 − x ➌ y ≥ 0 ➍ y = x

10

➎ y < 0 ➏ y = x2 + 2 ➐ ∪

K. Ghorbal (INRIA)

4 SIF M2 4 / 13

SLIDE 13

Forward Propagation

x=[0,10]

➋ ➌ ➍ ➎ ➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 14

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100]

➌ ➍ ➎ ➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 15

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100]

➍ ➎ ➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 16

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100]

➍

x=[0,10] y=[−10,0]

➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 17

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0]

➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 18

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0] x=[0,10] y=[2,102]

➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 19

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0] x=[0,10] y=[2,102]

➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

x y 1 10 102 invariant in ➐

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 20

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0] x=[0,10] y=[2,102]

➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

x y 1 10 102 invariant in ➐ 102 3

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 21

Forward Propagation

x=[0,10] x=[0,10] y=[−0.25,90] x=[0,10] y=[0,90] x=[0,10] y=[0,1] x=[0,1] y=[−0.25,0] x=[0,1] y=[2,3]

➐ ∪

y=x2−x y≥0 y<0 y= x

10

y=x2+2

x y 1 10 102 invariant in ➐ 102 3

K. Ghorbal (INRIA)

5 SIF M2 5 / 13

SLIDE 22

Precision Cost Trade-off

Precision Cost box

K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 23

Precision Cost Trade-off

Precision Cost box

ctagon
K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 24

Precision Cost Trade-off

Precision Cost box

ctagon

template

K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 25

Precision Cost Trade-off

Precision Cost box

ctagon

template polyhedron

K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 26

Precision Cost Trade-off

Precision Cost box

ctagon

template polyhedron

K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 27

Precision Cost Trade-off

Precision Cost box

ctagon

template polyhedron zonotope

K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 28

Precision Cost Trade-off

Precision Cost box

ctagon

template polyhedron zonotope constrained zonotope

K. Ghorbal (INRIA)

6 SIF M2 6 / 13

SLIDE 29

Outlines

1 Static Analysis-based Abstract Interpretation

K. Ghorbal (INRIA)

7 SIF M2 7 / 13

SLIDE 30

Formal Verification Approaches

Hoare 1969: wrap the code of interest with preconditions and

postconditions, then prove that postconditions are met

Clarke, Emerson et Sifakis 1974: model checking
Cousot(s) 1977: Abstract Interpretation

Properties of Interest

run time errors: overflow, division by zero, square root of negatives,

etc.

robustness and stability of algorithms: linear and non linear recursive

schemes, filters, etc.

K. Ghorbal (INRIA)

8 SIF M2 8 / 13

SLIDE 31

Formal Verification Approaches

Hoare 1969: wrap the code of interest with preconditions and

postconditions, then prove that postconditions are met

Clarke, Emerson et Sifakis 1974: model checking
Cousot(s) 1977: Abstract Interpretation

Properties of Interest

run time errors: overflow, division by zero, square root of negatives,

etc.

robustness and stability of algorithms: linear and non linear recursive

schemes, filters, etc.

K. Ghorbal (INRIA)

8 SIF M2 8 / 13

SLIDE 32

Formal Verification Approaches

Hoare 1969: wrap the code of interest with preconditions and

postconditions, then prove that postconditions are met

Clarke, Emerson et Sifakis 1974: model checking
Cousot(s) 1977: Abstract Interpretation

Properties of Interest

run time errors: overflow, division by zero, square root of negatives,

etc.

robustness and stability of algorithms: linear and non linear recursive

schemes, filters, etc.

K. Ghorbal (INRIA)

8 SIF M2 8 / 13

SLIDE 33

Formal Verification Approaches

Hoare 1969: wrap the code of interest with preconditions and

postconditions, then prove that postconditions are met

Clarke, Emerson et Sifakis 1974: model checking
Cousot(s) 1977: Abstract Interpretation

Properties of Interest

run time errors: overflow, division by zero, square root of negatives,

etc.

robustness and stability of algorithms: linear and non linear recursive

schemes, filters, etc.

K. Ghorbal (INRIA)

8 SIF M2 8 / 13

SLIDE 34

Abstract Interpretation, an overview

Program semantics formalized as a fixpoint of a monotonic operator

in a complete partially ordered set (exemplified later),

Fully automated,
Industrial tools exists : Polyspace Verifier (MathWorks), Astr˜

Al’e (ENS/ABSINT), Fluctuat (CEA), aIT (ABSINT), F-Soft (Nec Labs) . . .

Challenge

find the suitable abstract domain for the properties of interest.

K. Ghorbal (INRIA)

9 SIF M2 9 / 13

SLIDE 35

Equations System (collecting semantic)

➊ ➋ y = x2 − x ➌ y ≥ 0 ➍ y = x

10

➎ y < 0 ➏ y = x2 + 2 ➐ ∪                      X1 = V → I♭ X2 = y ← x2 − x♭(X1) X3 = y ≥ 0♭(X2) X4 = y ← x

10♭(X3)

X5 = y < 0♭(X2) X6 = y ← x2 + 2♭(X5) X7 = X6 ∪ X4

K. Ghorbal (INRIA)

10 SIF M2 10 / 13

SLIDE 36

Solving the equations system

D = (℘(V → I), ⊆, ∪, ∩, ∅, (V → I)) is a complete lattice
each operator X → F(X) is monotonic

➺ Tarski Theorem ensures the existence of a least fixpoint for F ➺ Kleene Iteration Technique reaches the least fixpoint

Issues

℘(V → I) is non representable in finite memory, .♭ are non computable, Iterations over the lattice may be transfinite.

K. Ghorbal (INRIA)

11 SIF M2 11 / 13

SLIDE 37

Concretisation-Based Abstract Interpretation

X1 ⊆ γ(X ♯

1)

X ♯

1

γ X2 y ← x2 − x♭ ⊆ γ(X ♯

2)

X ♯

2

γ y ← x2 − x♯ α abstract domain concrete domain

ver approximation
K. Ghorbal (INRIA)

12 SIF M2 12 / 13

SLIDE 38

Building an abstract domain

lattice-like structure:
abstract objects
order relation (preorder over abstract objects)
monotonic concretisation function (γ)
Transfer Functions
evaluation of arithmetic expressions (x2 − x♯)
assignment (X2 = y ← x2 − x♯(X1))
upper bound (join) (X7 = X6 ∪ X4)
over-approximation of lower bounds (meet) (X3 = y ≥ 0♯X2 =

“X3 = X2 ∩ y ≥ 0♯⊤♯” )

Convergence acceleration (widening)
K. Ghorbal (INRIA)

13 SIF M2 13 / 13

Solvers Principles and Architecture (SPA)

Part 2

Abstract Interpretation (Basics)

Master Sciences Informatique (Sif) September, 2019 Rennes

Khalil Ghorbal khalil.ghorbal@inria.fr

Abstract Interpretation : Intuitions

i S

Abstract Interpretation : Intuitions

i S

Abstract Interpretation : Intuitions

i S

Abstract Interpretation : Intuitions

i S ➻ What about the missed bugs ? are they severe ?

Abstract Interpretation : Intuitions

i S

Abstract Interpretation : Intuitions

i S

Abstract Interpretation : Intuitions

i S

Abstract Interpretation : Intuitions

i S ➻ Over-approximation may lead to false alarms.

Abstract Interpretation : Intuitions

i S ➻ Accurate over-approximation gives a safety proof.

Famous bugs

Examples

fallen to 524, 811 instead of 1098, 811

(overdoses of radiation)

Program testing can be used to show the presence of bugs, but never to show their absence!

Detailed example

begin x = [0,10]; ➊ y = x*x - x ➋ if (y >= 0) ➌ then y = x / 10; ➍ else ➎ y = x*x + 2; ➏ done; ➐ end ➊ ➋ y = x2 − x ➌ y ≥ 0 ➍ y = x

10

➎ y < 0 ➏ y = x2 + 2 ➐ ∪

Forward Propagation

x=[0,10]

➋ ➌ ➍ ➎ ➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100]

➌ ➍ ➎ ➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100]

➍ ➎ ➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100]

➍

x=[0,10] y=[−10,0]

➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0]

➏ ➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0] x=[0,10] y=[2,102]

➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0] x=[0,10] y=[2,102]

➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

x y 1 10 102 invariant in ➐

Forward Propagation

x=[0,10] x=[0,10] y=[−10,100] x=[0,10] y=[0,100] x=[0,10] y=[0,1] x=[0,10] y=[−10,0] x=[0,10] y=[2,102]

➐ ∪

y=x2−x y≥0 y<0 y= x

y=x2+2

x y 1 10 102 invariant in ➐ 102 3

Forward Propagation

x=[0,10] x=[0,10] y=[−0.25,90] x=[0,10] y=[0,90] x=[0,10] y=[0,1] x=[0,1] y=[−0.25,0] x=[0,1] y=[2,3]

➐ ∪

y=x2−x y≥0 y<0 y= x

begin x = [0,10]; ➊ y = xx - x ➋ if (y >= 0) ➌ then y = x / 10; ➍ else ➎ y = xx + 2; ➏ done; ➐ end ➊ ➋ y = x2 − x ➌ y ≥ 0 ➍ y = x