Lifting Abstract Interpreters to Quantified Logical Domains - PowerPoint PPT Presentation

1 / 19

About This Presentation

Title:

Lifting Abstract Interpreters to Quantified Logical Domains

Description:

Lifting Abstract Interpreters to Quantified Logical Domains. Sumit Gulwani, MSR ... AL B v BL V.(BR CR) AR CR v C. AR B v BR. Under-Approximation Example ... – PowerPoint PPT presentation

Number of Views:13

Avg rating:3.0/5.0

Slides: 20

Provided by: EEC848

Category:

more less

Transcript and Presenter's Notes

Title: Lifting Abstract Interpreters to Quantified Logical Domains

1
Lifting Abstract Interpreters to Quantified
Logical Domains

Sumit Gulwani, MSR
Bill McCloskey, UCB
Ashish Tiwari, SRI

2
Motivating Example
a0 0 for (i1 iltn i) ai 0
Postcondition i ? n ? a0 0
? ?k (0 k lt i ? ak 0)
3
How Are Quantifiers Useful?

Reasoning about arrays
?k (0 k lt STRLEN(s) ? sk ? '!')
?j, k (0 j lt k lt n ? aj ak)
Reasoning about pointer-based data structures
?u (R(hd, u) ? R(u, tl) ? u?data 0) means list
is initialized from hd to tl

Security properties
Sorting
u
v
R(u, v)
4
What Do Quantifiers Look Like?
?k ( 0 k lt n ? ak 0 )
Typically see only universal quantifiers
Comes from some domain, e.g. linear arithmetic
Belongs to another domain, e.g. equality
of uninterpreted functions

Goal Create a universally quantified domain
parameterized by base domains
Take advantage of existing domains, transfer
functions

Quantifier-Free Domain
Quantified Domain
5
Universally Quantified Domain
Domain Element Definition
A ? ?V1.(B1 ? C1) ? ... ? ?Vn.(Bn ? Cn)
Partial Order Definition
A ? ?V.(B ? C) v A' ? ?V.(B' ? C')
if 1. A v A'
A ?
C v C'
2.
?V.(B ? C)
?V. (B' ? C')
A ?
B' v B
6
Transfer Function Example
true
A0 0 i 1
i 1 ? A0 0
?
i 2 ? A0 0 ? A1 0
?
i 1 ? A0 0
?
i lt n
T
F
?
i 1 ? A0 0
?
Ai 0 i i1
6
7
Transfer Function Example
true
A0 0 i 1
Join Algorithm
i 1 ? A0 0
i 1 ? A0 0
i 2 ? A0 0 ? A1 0
i 1 ? A0 0
i 1 ? A0 0
i 1 ? A0 0
i 2 ? A0 0 ? A1 0
i lt n
i lt n
i 1 ? A0 0
T
F
T
F
?
1 ? i ? 2 ? A0 0
i 1 ? A0 0
Ai 0 i i1
7
8
Transfer Function Example
true
A0 0 i 1
Join Algorithm
i 1 ? A0 0
i 1 ? A0 0
i 2 ? A0 0 ? A1 0
i 1 ? A0 0
i 2 ? A0 0 ? A1 0
i 1 ? A0 0
i 1 ? A0 0
i 1 ? ?k(k 0 ? Ak 0)
i 2 ? ?k(0 ? k ? 1 ? Ak 0)
i lt n
i lt n
i 1 ? A0 0
T
F
T
F
?
i 1 ? A0 0
1 ? i ? 2 ? ?k(0 ? k lt i ? Ak 0)
Ai 0 i i1
8
9
Transfer Function Example
true
A0 0 i 1
2 ? i ? n ? ?k(0 ? k lt i ? Ak 0)
i 1 ? ?k(k 0 ? Ak 0)
1 ? i ? ?k(0 ? k lt i ? Ak 0)
i lt n
T
F
1 ? i lt n ? ?k(0 ? k lt i ? Ak 0)
i ? n ? ?k(0 ? k lt i ? Ak 0)
Ai 0 i i1
9
10
Outline

Join Algorithm
Quantifier introduction
Joining quantifiers
Experiments
Conclusion

11
Quantifier Introduction

Quantified facts are drawn from standard facts in
A
User gives set of templates to guide
quantification
Experiments show that few templates are needed

b0 0 b0 b1
?k (k 0 ? bk 0) ?j, k (j 0 ? k 1 ? bj
bk)
Env fact
Template
Quantified fact (result)
A c
b0 0
?k(k 0 ? bk 0)
A A
b0 b1
?j, k (j 0 ? k 1 ? bj bk)
12
Outline

Join Algorithm
Quantifier introduction
Joining quantifiers
Experiments
Conclusion

13
Transfer Function Example
true
A0 0 i 1
Join Algorithm
i 1 ? A0 0
i 1 ? A0 0
i 2 ? A0 0 ? A1 0
i 1 ? A0 0
i 2 ? A0 0 ? A1 0
i 1 ? A0 0
i 1 ? A0 0
i 1 ? ?k(k 0 ? Ak 0)
i 2 ? ?k(0 ? k ? 1 ? Ak 0)
i lt n
i lt n
i 1 ? A0 0
T
F
T
F
?
i 1 ? A0 0
1 ? i ? 2 ? ?k(0 ? k lt i ? Ak 0)
Ai 0 i i1
13
14
Joining Quantifiers

Goal (AL ? ?V.(BL ? CL)) t (AR ? ?V. (BR ? CR))
Result must be above both inputs in v, so
AL ? ?V.(BL ? CL) v A ? ?V.(B ? C)
AR ? ?V. (BR ? CR) v A ? ?V.(B ? C)
Based on v definition

1. AL v A and AR v A
so A AL t AR
2.
AL ? CL v C
AR ? CR v C
?V.(BL ? CL)
?V. (B ? C)
?V.(BR ? CR)
AL ? B v BL
AR ? B v BR
15
Joining Quantifiers
AL ? CL v C
AR ? CR v C
?V.(BL ? CL)
?V.(BR ? CR)
?V. (B ? C)
AL ? B v BL
AR ? B v BR

C (AL ? CL) t (AR ? CR)
Rewriting for B
Best solution for B (AL ? BL) ? (AR ? BR)
If it's not in domain, pick best
under-approximation

B v ?AL ? BL and B v ?AR ? BR
or, B v AL ? BL and B v AR ? BR
16
Under-Approximation Example

Compute ?(i 1 ? k 0) ? (i 2 ? 0 ? k ? 1)?
in LA
1st step guess an over-approximation of the
answer
2nd step Check if (0 ? k lt i) is correct refine
if not

(i 1 ? k 0) t (i 2 ? 0 ? k ? 1) (1 ?
i ? 2 ? 0 ? k lt i)
Many details skipped. See paper!
?
(0 ? k lt i) ? (i 1 ? k 0) ? (i 2 ? 0
? k ? 1)
YES
17
Outline

Join Algorithm
Quantifier introduction
Joining quantifiers
Experiments
Conclusion

18
Experiments
Procedure ? Time (s) Ratio to base Tmpls
Array initialization 3.2 s 2.1x 1
C main() argument scan 4.1 s 2.1x 1
Array copy 5.5 s 2.5x 1
Array copy (start with non-zero elements) 11.3 s 1.7x 1
Array copy (only copy positive elements) 12.0 s 2.0x 1
Find element in array 24.6 s 3.0x 1
Partition array into zero/non-zero parts 73.0 s 3.2x 2
Insertion sort inner loop 35.9 s 18x 3
Quicksort inner loop 42.2 s 9.4x 3
Selection sort inner loop 59.2 s 7.3x 3
Merge sort inner loop 334.1 s 4.5x 3
Linked list remove 20.5 s 14.6x 1
Linked list insert 23.9 s 17.1x 1
Linked list initialization 24.5 s 12.9x 1
Linked list creation 42.0 s 12.4x 1
Invariant ak bk for all k
Invariant All data fields of list are zero
19
Quantified Domain Construction Works!