Program Analysis with Dynamic Change of Precision

Transcript of the slides
1
Program Analysis with Dynamic Change of Precision
  • Dirk Beyer, Tom Henzinger, Grégory Théoduloz

Simon Fraser University, BC, Canada
EPFL, Switzerland
ASE 2008, L'Aquila, 17 September 2008
2
Automatic Software Verification

C program:

    int main() {
      int a = foo();
      int b = bar(a);
      assert(a == b);
    }

Verification tool → SAFE (i.e. the assertions cannot be violated) or UNSAFE

Overapproximation
General method: create an overapproximation of the program states.
(Figure: reachable states versus error states.)
3
Software Verification by Model Checking (Clarke/Emerson, Sifakis 1981)
Iterative fixpoint (forward) post computation
(Figure: the state sets R0, R1, R2 computed by the iteration.)
4
Software Verification by Data-flow Analysis
Fixpoint computation on the CFG
5
Abstraction

Concrete state: x = 1, y = 1, z = 2, p → h, h = 3

Abstract states of the same concrete state:
  Predicate abstraction: x = y ∧ z = 2
  Explicit valuations: x ↦ 1, y ↦ 1, z ↦ ⊤
  Shape graph: p → h
6
Few explicit values → explicit domain
Many values → predicate abstraction

    int f = 0, x = 1, y = 0;
    while (x > 0) {
      if (f == 0) { x = 50; f = 1; }
      else        { x--; y++; }
    }
    assert(y == 50);
7
(Same program as on slide 6.)
Fully Explicit Analysis
f ↦ 0, x ↦ 1,  y ↦ 0
f ↦ 1, x ↦ 50, y ↦ 0
f ↦ 1, x ↦ 49, y ↦ 1
f ↦ 1, x ↦ 48, y ↦ 2
f ↦ 1, x ↦ 47, y ↦ 3
f ↦ 1, x ↦ 46, y ↦ 4
...

Cheap to compute, but many states.
8
(Same program as on slide 6.)
Combined Analysis
  • Start with explicit analysis
  • Precision of explicit analysis: threshold on the number of different values per variable
  • E.g. π(x) = 3
  • Precision of predicate abstraction: set of tracked predicates
  • E.g. π = {x + y = 50, x ≥ 0, x = 0}
  • Switch to predicates when the explicit threshold is hit
  • Note: coming up with good predicates is an orthogonal problem
9
(Same program as on slide 6.)
Combined Analysis
f ↦ 0, x ↦ 1,  y ↦ 0
f ↦ 1, x ↦ 50, y ↦ 0
f ↦ 1, x ↦ 49, y ↦ 1
f ↦ 1, x ↦ 48, y ↦ 2
f ↦ 1, x ↦ 48, y ↦ 2   with predicates x + y = 50 ∧ x ≥ 0
Threshold hit for the explicit analysis: from here on the predicates carry the invariant.
10
Motivation
  • Flexible combination of abstract domains
  • Dynamically update their respective precisions
  • precision = set of predicates, variables, etc. to track
  • e.g. switch on/off analyses
  • e.g. use different analyses for different
    variables

11
Configurable Program Analysis (Beyer/Henzinger/Théoduloz 2007)

Reached, Frontier := {e0}
while Frontier ≠ ∅ do
  remove e from Frontier
  for each e' ∈ post(e) do
    for each e'' ∈ Reached do
      e_new := merge(e', e'')
      if e_new ≠ e'' then
        replace e'' in Reached, Frontier by e_new
    if ¬ stop(e', Reached) then
      add e' to Reached, Frontier
return Reached
12
Configurable Program Analysis
  • Better combination of abstractions → Configurable Program Analysis [CAV'07]
  • Unified framework that enables intermediate algorithms

(Figure: a spectrum from imprecise/scalable to precise/expensive: data-flow analysis, CPA, model checking.)
13
Configurable Program Analysis (Beyer/Henzinger/Théoduloz 2007)
(The CPA algorithm of slide 11, repeated.)
14
Configurable Program Analysis with Dynamic Precision Adjustment (CPA+)

Reached, Frontier := {(e0, p0)}
while Frontier ≠ ∅ do
  remove (e, p) from Frontier
  (ê, p_new) := prec(e, p, Reached)
  for each e' ∈ post(ê, p_new) do
    for each (e'', p'') ∈ Reached do
      e_new := merge(e', e'', p_new)
      if e_new ≠ e'' then
        replace (e'', p'') in Reached, Frontier by (e_new, p_new)
    if ¬ stop(e', Reached, p_new) then
      add (e', p_new) to Reached, Frontier
return Reached
15
CPA+
  • Configurable program analysis with dynamic precision adjustment:
  • concrete system (C, c0, →)
  • abstract domain (E, ⊤, ⊥, ⊑, ⊔)
  • a set of precisions Π
  • concretization function γ: E → 2^C
  • transfer function post: E × Π → 2^E
  • merge operator merge: E × E × Π → E
  • termination check stop: E × 2^E × Π → 𝔹
  • precision adjustment prec: E × Π × 2^(E × Π) → E × Π
  • Note: the operators are required to be soundly overapproximating
16
CPA+
Same definition as on slide 15, with the two standard instances of merge and stop:
  • merge_sep(e, e', π) = e'   (keep elements separate)
  • merge_join(e, e', π) = e ⊔ e'   (join them)
  • stop_sep(e, R, π) = ∃ e' ∈ R: e ⊑ e'   (covered by a single reached element)
  • stop_join(e, R, π) = e ⊑ ⊔R   (covered by the join of the reached set)
  • Note: the operators are required to be soundly overapproximating
17
Composite CPA
Composite CPA: (E1 × E2, Π1 × Π2, post×, merge×, stop×, prec×)
D1 = (E1, Π1, post1, merge1, stop1, prec1)
D2 = (E2, Π2, post2, merge2, stop2, prec2)
Strengthening operators ↓1, ↓2
Composite operators: post×, merge×, stop×, prec×
18
Example: Predicate Abstraction × Explicit
Composite CPA: L (locations) × P (predicate abstraction) × C (explicit analysis)
Example of a composite abstract element: (6, x > 0 ∧ x = y, {i ↦ 2, x ↦ ⊤, y ↦ ⊤})
19
Domain and Precisions

Predicate abstraction
  Abstract domain: E = 2^P (sets of predicates), e.g. e = {x < 3, y > 0}
  Precision: set of tracked predicates, Π = 2^P
  Precision adjustment: prec_P(e, π, R) = (e, π)   (no change)

Explicit analysis
  Abstract domain: E = X → Z ∪ {⊥, ⊤} (one value per variable), e.g. e = {x ↦ 2, y ↦ ⊤}
  Precision: max. number of different values per variable, Π = X → ℕ
  Precision adjustment: prec_C(e, π, R) = (e', π) where, for all x ∈ X,
    e'(x) = ⊤ if R(x) ≥ π(x) (R(x) counts the different values of x in R), and e'(x) = e(x) otherwise
20
Example: Predicate Abstraction × Explicit
  • Idea
  • Dynamically choose between explicit analysis and predicate abstraction
  • Too many explicit values → predicate abstraction
  • Use explicit values to infer predicates
  • Implementable in the composite prec operator
  • Note: explicit analysis ≈ testing on some variables
21
Example: Predicate Abstraction × Explicit
Composite precision adjustment:

prec((l, P, v), (π_L, π_P, π_C), R) = ((l, P', v'), (π_L, π_P', π_C))

where
  (v', π_C) = prec_C(v, π_C, {(v'', π_C'') | ((l, P'', v''), (·, ·, π_C'')) ∈ R}),
  π_P' = π_P ∪ ⋃_{x ∈ X, v(x) ≠ ⊤ ∧ v'(x) = ⊤} abstract(x, {v''(x) | ((l, P'', v''), ·) ∈ R}),
  P' = P ∪ {p ∈ π_P' \ π_P | v ⊨ p}.

That is: the explicit component is adjusted by prec_C over the explicit values reached at the same location; for every variable that just lost its explicit value, predicates are abstracted from the values seen for it at this location and added to the predicate precision; of these new predicates, those satisfied by the current valuation v enter the current predicate set.
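The Python program below is an added worked example, written for this transcript and not code from the slides or from the authors' tool. It runs the CPA+ loop of slide 14 over the composite domain of slide 18 (locations × explicit values × Cartesian predicate abstraction) on the program of slide 6, with the explicit threshold prec_C of slide 19 and the fixed candidate predicates of slide 8, and so also reproduces the switch shown on slide 9. Its assumptions: the program is encoded as a large-block CFG with one edge per loop branch; merge_sep and stop_sep of slide 16 are used (no joining); the threshold counts the distinct explicit values of a variable reached at the same location; and, in place of the SMT solver a real tool would call, implications between predicates are decided by brute force over a bounded grid of integer values, which is sound only while concrete values stay inside the grid (true for this program). The three runs contrast fully explicit analysis (53 abstract states), explicit analysis with threshold 3 but no predicates (which can no longer prove the assertion) and the combined analysis (which proves it with 7 abstract states).

```python
"""Toy CPA+ over locations x explicit values x predicate abstraction (added example)."""
from collections import deque
from itertools import product

TOP = "T"                                   # explicit value unknown (slide 19: e(x) = T)
VARS = ("f", "x", "y")
# Bounded value grid standing in for a decision procedure (assumption of this example).
GRID = [dict(zip(VARS, v)) for v in product((0, 1), range(-1, 52), range(-1, 52))]

# Slide-6 program as a large-block CFG: (src, dst, guard, simultaneous assignments).
EDGES = [
    (1, 1, lambda s: s["x"] > 0 and s["f"] == 0, {"x": lambda s: 50, "f": lambda s: 1}),
    (1, 1, lambda s: s["x"] > 0 and s["f"] != 0,
     {"x": lambda s: s["x"] - 1, "y": lambda s: s["y"] + 1}),
    (1, 7, lambda s: s["x"] <= 0, {}),      # loop exit; assert(y == 50) sits at location 7
]
# Candidate predicates of slide 8 (finding good predicates is an orthogonal problem).
PREDS = {"x+y==50": lambda s: s["x"] + s["y"] == 50,
         "x>=0": lambda s: s["x"] >= 0,
         "x==0": lambda s: s["x"] == 0}


def gamma(expl, preds=()):
    """Concrete states (within GRID) of an explicit valuation strengthened by predicates."""
    if TOP not in expl.values():
        return [dict(expl)]
    return [s for s in GRID
            if all(expl[v] in (TOP, s[v]) for v in VARS) and all(PREDS[n](s) for n in preds)]


def apply(assigns, s):
    return {**s, **{v: fn(s) for v, fn in assigns.items()}}


def post(loc, expl, P, pi_P):
    """Composite transfer: the explicit part is computed on its own; the predicate part
    on the composite concretization, so explicit values strengthen the predicates."""
    comp, plain, succs = gamma(expl, P), gamma(expl), []
    for src, dst, guard, assigns in EDGES:
        if src != loc:
            continue
        pre = [s for s in comp if guard(s)]
        if not pre:
            continue                        # edge infeasible from this abstract element
        succ = [apply(assigns, s) for s in pre]
        succ_c = [apply(assigns, s) for s in plain if guard(s)]
        new_expl = {v: succ_c[0][v] if all(t[v] == succ_c[0][v] for t in succ_c) else TOP
                    for v in VARS}
        new_P = frozenset(n for n in pi_P if all(PREDS[n](t) for t in succ))
        succs.append((dst, new_expl, new_P))
    return succs


def prec_explicit(loc, expl, reached, pi_C):
    """prec_C of slide 19: once more than pi_C distinct values of a variable have been
    reached at this location, stop tracking it explicitly (e(x) := T)."""
    adjusted = dict(expl)
    for v in VARS:
        seen = {e[v] for l, e, _ in reached if l == loc and e[v] != TOP}
        if len(seen) > pi_C:
            adjusted[v] = TOP
    return adjusted


def covered(elem, reached):
    """stop_sep of slide 16: some reached element at the same location is less precise."""
    loc, expl, P = elem
    return any(l == loc and P >= P2 and all(e2[v] in (TOP, expl[v]) for v in VARS)
               for l, e2, P2 in reached)


def analyze(pi_C, pi_P):
    """CPA+ worklist of slide 14 with merge_sep (no merging); returns the reached set."""
    init_expl = {"f": 0, "x": 1, "y": 0}
    init = (1, init_expl, frozenset(n for n in pi_P if PREDS[n](init_expl)))
    reached, frontier = [init], deque([init])
    while frontier:
        loc, expl, P = frontier.popleft()
        adjusted = prec_explicit(loc, expl, reached, pi_C)   # dynamic precision change
        for succ in post(loc, adjusted, P, pi_P):
            if not covered(succ, reached):
                reached.append(succ)
                frontier.append(succ)
    return reached


def verified(reached):
    """assert(y == 50) holds iff every concrete state at location 7 satisfies it."""
    return all(all(s["y"] == 50 for s in gamma(e, P)) for l, e, P in reached if l == 7)


if __name__ == "__main__":
    for label, pi_C, pi_P in (("fully explicit", 10**9, ()),
                              ("explicit, threshold 3, no predicates", 3, ()),
                              ("explicit + predicates, threshold 3", 3, tuple(PREDS))):
        r = analyze(pi_C, pi_P)
        print(f"{label}: {len(r)} abstract states, assertion proved: {verified(r)}")
```

In the combined run the explicit component goes through x = 1, 50, 49, 48 as on slide 9; when the state with x ↦ 48 is popped, four distinct values of x have been reached at the loop head, prec_explicit sets x to ⊤, and the predicate set {x + y = 50, x ≥ 0} takes over, so the exit edge yields x = 0 and the assertion is provable. With the same threshold but no predicates the exit edge becomes feasible from a state with x ↦ ⊤ and y ↦ 2, which is the imprecision the combination is meant to avoid.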
22
Precision for the explicit analysis: π_C(x) = k
(Figure; the plot itself is not in the transcript.)
23
Another combination: Shapes × Explicit heap
Composite CPA: L (locations) × S (shape analysis) × H (explicit heap analysis)
Idea: switch to shape analysis, triggered by the number of nodes in the explicit heap.
24
Conclusion
  • Framework to express change of precision during the analysis (≠ refinement)
  • Useful when composing existing analyses
  • Makes the combination more effective/precise
  • Ongoing/future work:
  • Improve predicate inference from explicit values
  • Integration with the refinement loop
  • Use the explicit heap to infer good predicates for shape analysis (e.g. instrumentation predicates)