TreeKs: a Functor to Make Abstract Numerical Domains Scalable
Research Internship, advised by Antoine Miné
École normale supérieure, Paris, team Abstraction
Mehdi Bouaziz
Motivation and context
Abstract interpretation is a formal theory of sound approximation of program semantics, mainly used in static analyzers such as:
◮ Clousot: static verification of Code Contracts
◮ Astrée: proof of absence of runtime errors in embedded software
Abstract numerical domains:
◮ a set $D_V$ of computer-representable abstract values
◮ effective algorithms to compute sound abstractions of the operations: intersection $\sqcap_{D_V}$, union $\sqcup_{D_V}$, projection $\exists_{D_V}$, ...
Mehdi Bouaziz, École normale supérieure 2/11 TreeKs: a Functor to Make Abstract Numerical Domains Scalable
Numerical abstract domains: examples
Intervals [Cousot Cousot 76]: $\bigwedge_i a_i \le X_i \le b_i$. Non-relational, linear cost.
Polyhedra [Cousot Halbwachs 78]: $\bigwedge_j \sum_i a_{ij} X_i \le b_j$. Relational and very precise, worst-case exponential cost.
Weakly relational numerical abstract domains
Zones [Miné 01]: $\bigwedge_{ij} X_i - X_j \le c_{ij}$. Cubic cost.
Octagons [Miné 01]: $\bigwedge_{ij} \pm X_i \pm X_j \le c_{ij}$. Cubic cost.
Logahedra [Howe King 09]: $\bigwedge_{ij} \pm 2^{a_i} X_i \pm 2^{b_j} X_j \le c_{ij}$. Cubic cost.
TVPI [Simon King Howe 02]: $\bigwedge_{ij} a_i X_i + b_j X_j \le c_{ij}$. Quasi-cubic cost.
Octahedra [Clarisó Cortadella 07]: $\bigwedge \sum_i \pm X_i \le c$. Worst-case exponential cost.
Closure operation: example
Domain of zones ($\bigwedge_{ij} X_i - X_j \le b_{ij}$), $V = \{x, y, z\}$
[figure: potential graph of the constraints, one node per variable]
Initial constraints:
−x ≤ −1
x − y ≤ 0
y − z ≤ −2
Constraints derived by the closure (each one is the sum of two constraints already present):
−y ≤ −1 (from −x ≤ −1 and x − y ≤ 0)
−z ≤ −3 (from −y ≤ −1 and y − z ≤ −2)
x − z ≤ −2 (from x − y ≤ 0 and y − z ≤ −2)
Done!
Domain of zones: representation
We represent a set of difference constraints between two variables ($X_i - X_j \le m_{ji}$) by a potential graph or by a DBM (Difference Bound Matrix). The extra variable 0 stands for the constant 0, so that a unary bound such as −x ≤ −1 is written 0 − x ≤ −1 and fits in the same matrix.

Before closure (constraints 0 − x ≤ −1, x − y ≤ 0, y − z ≤ −2):

        0     x     y     z
  0     0    +∞    +∞    +∞
  x    −1     0    +∞    +∞
  y    +∞     0     0    +∞
  z    +∞    +∞    −2     0

After closure (added: 0 − y ≤ −1, 0 − z ≤ −3, x − z ≤ −2):

        0     x     y     z
  0     0    +∞    +∞    +∞
  x    −1     0    +∞    +∞
  y    −1     0     0    +∞
  z    −3    −2    −2     0
Domain of zones: closure and other operators
The closure is a shortest-path closure. After closure, operators are point-wise.
Join (best approximation of union): $(m \sqcup n)_{ij} = \max(m_{ij}, n_{ij})$
Forget operator (projection):
$(\exists X_k\, m)_{ij} = \begin{cases} m_{ij} & \text{if } i \ne k \text{ and } j \ne k \\ 0 & \text{if } i = j = k \\ +\infty & \text{otherwise} \end{cases}$
How to scale: packing
Principle:
◮ split variables into packs
◮ use a DBM per pack
Cost: linear for bounded-size packs
Information loss: no communication between packs!
Solution: share interval constraints between packs. Not good enough!
TreeKs: a certain subgraph
Shape:
◮ a tree of complete graphs (packs)
◮ sharing borders
[figure: a tree of packs K_8, K_7, K_8, K_5, K_8, K_6, neighbouring packs sharing their border variables]
Abstract value: tuple of DBMs
Closure algorithm
Closure algorithm in TreeKs, $O(m p^3)$ where $m$ is the number of packs and $p$ bounds the pack size:
for each pack from the leaves to the root
    Apply closure on this pack in the domain of zones
    Pass the new constraints (on the shared border variables) to its parent
for each pack from the root to the leaves
    Apply closure on this pack in the domain of zones
    Pass the new constraints (on the shared border variables) to its children
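The DBM operators of the zone slides (closure, join, forget) and the two-sweep TreeKs closure above, as an added example in Python. This is not code from the TreeKs internship nor from Astrée or Clousot: only the DBM convention ($X_i - X_j \le m_{ji}$, with "0" as the constant variable) is taken from the slides; the function names, the pack/parent dictionaries and the two-pack input are this example's own assumptions.

```python
"""Zones as Difference Bound Matrices (DBMs) plus a TreeKs-style closure over a
tree of packs. Constructed example, not the TreeKs internship's code: pack/parent
dictionaries, function names and the two-pack input are this example's own choices;
only the DBM convention (X_i - X_j <= m_ji, "0" = the constant 0) is the slides'."""
from itertools import product

INF = float("inf")

def dbm_from_constraints(variables, constraints):
    """DBM over ["0"] + variables. A constraint (xi, xj, c) means X_i - X_j <= c
    and is stored at m[j][i]; unary bounds use the constant variable "0"."""
    vs = ["0"] + list(variables)
    idx = {v: k for k, v in enumerate(vs)}
    m = [[0 if a == b else INF for b in vs] for a in vs]
    for xi, xj, c in constraints:
        m[idx[xj]][idx[xi]] = min(m[idx[xj]][idx[xi]], c)
    return vs, m

def close(m):
    """Shortest-path closure (Floyd-Warshall, O(n^3)) of a copy of m.
    Returns None if the zone is empty, i.e. a negative cycle reaches the diagonal."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if m[i][k] + m[k][j] < m[i][j]:
                    m[i][j] = m[i][k] + m[k][j]
    return None if any(m[i][i] < 0 for i in range(n)) else m

def join(m, n):
    """Point-wise max of two closed DBMs: best abstraction of the union."""
    return [[max(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(m, n)]

def forget(m, k):
    """Projection of a closed DBM: drop every constraint on variable index k."""
    return [[m[i][j] if k not in (i, j) else (0 if i == j else INF)
             for j in range(len(m))] for i in range(len(m))]

def bound(vs, m, xi, xj):
    """Upper bound on X_i - X_j held by the DBM (m_ji in the slides' notation)."""
    return m[vs.index(xj)][vs.index(xi)]

def treeks_close(packs, parent, dbms):
    """Two-sweep closure on a tree of packs. packs: name -> variables; parent:
    child -> parent name (root absent); dbms: name -> (vs, m), one DBM per pack.
    Leaves to root, then root to leaves: close the pack in the zone domain, then
    copy the bounds on the variables shared with the neighbour (the border, "0"
    included) into the neighbour's DBM. Returns None if a pack becomes empty."""
    children = {p: [] for p in packs}
    for c, p in parent.items():
        children[p].append(c)
    order = [next(p for p in packs if p not in parent)]  # BFS order, root first
    for p in order:
        order.extend(children[p])

    def pass_border(src, dst):
        vs_s, m_s = dbms[src]
        vs_d, m_d = dbms[dst]
        shared = [v for v in vs_s if v in vs_d]
        for a, b in product(shared, repeat=2):
            ja, jb = vs_d.index(a), vs_d.index(b)
            m_d[ja][jb] = min(m_d[ja][jb], m_s[vs_s.index(a)][vs_s.index(b)])

    def close_pack(p):
        closed = close(dbms[p][1])
        if closed is not None:
            dbms[p] = (dbms[p][0], closed)
        return closed is not None

    for p in reversed(order):  # leaves to root
        if not close_pack(p):
            return None
        if p in parent:
            pass_border(p, parent[p])
    for p in order:  # root to leaves
        if not close_pack(p):
            return None
        for c in children[p]:
            pass_border(p, c)
    return dbms

def zone_example():
    """The slides' zone over V = {x, y, z}: -x <= -1, x - y <= 0, y - z <= -2."""
    vs, m = dbm_from_constraints(["x", "y", "z"],
                                 [("0", "x", -1), ("x", "y", 0), ("y", "z", -2)])
    return vs, close(m)

def treeks_example():
    """Packs A = {x, y} (root) and B = {y, z} with border {0, y}. B learns
    -z <= -3 through y, but x - z <= -2 has no cell: x and z share no pack."""
    packs = {"A": ["x", "y"], "B": ["y", "z"]}
    dbms = {"A": dbm_from_constraints(packs["A"], [("0", "x", -1), ("x", "y", 0)]),
            "B": dbm_from_constraints(packs["B"], [("y", "z", -2)])}
    return treeks_close(packs, {"B": "A"}, dbms)

if __name__ == "__main__":
    print(*zone_example()[1], sep="\n")
    print("B knows -z <=", bound(*treeks_example()["B"], "0", "z"))
```

Running it reproduces the closed matrix of the representation slide, with −3, −2, −2 in the z row. In the two-pack case the upward sweep carries nothing useful (B has no bound on its border yet), the root A derives 0 − y ≤ −1 on its own, and only the downward sweep lets B combine that bound with y − z ≤ −2 into 0 − z ≤ −3; the constraint x − z ≤ −2 of the full zone is still lost, which is the price of never putting x and z in one pack.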