[PPT] - TreeKs: a Functor to Make Abstract Numerical Domains Scalable PowerPoint Presentation

SLIDE 1

TreeKs: a Functor to Make Abstract Numerical Domains Scalable

Research Internship, advised by Antoine Min´ e ´ Ecole normale sup´ erieure, Paris, team Abstraction Mehdi Bouaziz

SLIDE 2

Motivation and context

Abstract interpretation is a formal theory of sound approximation

f semantics, mainly used in static analyzer, such as:

◮ Clousot: static verification of Code Contracts ◮ Astr´

ee: proof of absence of runtime errors on embedded softwares Abstract numerical domains:

◮ a set DV of computer-representable abstract values ◮ effective algorithms to compute sound abstractions of the

perations: intersection ⊓DV, union ⊔DV, projection ∃DV, . . .

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 2/11

SLIDE 3

Numerical abstract domains: examples

Intervals [Cousot Cousot 76]

i ai ≤ Xi ≤ bi

Non-relational Linear cost Polyhedra [Cousot Halbwachs 78]

j
i aijXi ≤ bj

Relational and very precise Worst-case exponential cost

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 3/11

SLIDE 4

Weakly relational numerical abstract domains

Zones [Min´ e 01]

ij Xi − Xj ≤ cij

Weakly relational Cubic cost Octagons [Min´ e 01]

ij ±Xi ± Xj ≤ cij

Cubic cost Logahedra [Howe King 09]

ij ±2aiXi ± 2bjXj ≤ cij

Cubic cost TVPI [Simon King Howe 02]

ij aiXi + bjXj ≤ cij

Quasi-cubic cost Octahedra [Claris´

Cortadella 07]

i ±Xi ≤ c

Worst-case exponential cost

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 4/11

SLIDE 5

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 6

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 7

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1 x − y ≤ 0

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 8

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1 x − y ≤ 0 y − z ≤ −2

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 9

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1 x − y ≤ 0 y − z ≤ −2 −y ≤ −1

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 10

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1 x − y ≤ 0 y − z ≤ −2 −y ≤ −1 −z ≤ −3

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 11

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1 x − y ≤ 0 y − z ≤ −2 −y ≤ −1 −z ≤ −3 x − z ≤ −2

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 12

Closure operation: example

Domain of zones (

ij Xi − Xj ≤ bij)

V = {x, y, z}

y x z y x z

−x ≤ −1 x − y ≤ 0 y − z ≤ −2 −y ≤ −1 −z ≤ −3 x − z ≤ −2 Done!

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 5/11

SLIDE 13

Domain of zones: representation

We represent a set of difference constraints between two variables (Xi − Xj ≤ mji) by a potential graph

r by a DBM (Difference Bound Matrix).

x y z

1
2

x y z +∞ +∞ +∞ x −1 +∞ +∞ y +∞ +∞ z +∞ +∞ −2 0 − x ≤ −1 x − y ≤ y − z ≤ −2

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 6/11

SLIDE 14

Domain of zones: representation

We represent a set of difference constraints between two variables (Xi − Xj ≤ mji) by a potential graph

r by a DBM (Difference Bound Matrix).

x y z

1
2
1
2
3

x y z +∞ +∞ +∞ x −1 +∞ +∞ y −1 +∞ z −3 −2 −2 0 − x ≤ −1 x − y ≤ y − z ≤ −2 0 − y ≤ −1 0 − z ≤ −3 x − z ≤ −2

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 6/11

SLIDE 15

Domain of zones: closure and other operators

The closure is a shortest-path closure. After closure, operators are point-wise. Join (best approximation of union): (m ⊔ n)ij = max(mij, nij) Forget operator (projection): (∃Xkm)ij =      mij if i = k and j = k if i = j = k +∞

therwise

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 7/11

SLIDE 16

How to scale: packing

Principle:

◮ split variables into packs ◮ use a DBM per pack

Cost: linear for bounded-size packs Information loss: no communication between packs!

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 8/11

SLIDE 17

How to scale: packing

Principle:

◮ split variables into packs ◮ use a DBM per pack

Cost: linear for bounded-size packs Information loss: no communication between packs! Solution: intervals constraints sharing Not good enough!

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 8/11

SLIDE 18

TreeKs: a certain subgraph

Shape:

◮ a tree of complete graphs (packs) ◮ sharing borders

K

7

K

8

K

8

K

8

K

6

K

5

packs tree

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 9/11

SLIDE 19

TreeKs: a certain subgraph

Shape:

◮ a tree of complete graphs (packs) ◮ sharing borders

Abstract value: tuple of DBMs

Mehdi Bouaziz, ´ Ecole normale sup´ erieure TreeKs: a Functor to Make Abstract Numerical Domains Scalable 9/11

SLIDE 20