# Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -


## 2 Motivation: Infer Precise Invariants

`x:=0; while (x`

## 3 Related: Numerical Abstract Domains

Conjunctive numerical abstract domains:
- Interval domain: $\pm x \le c$ [Cousot et al: ISOP'76]
- Polyhedron domain: $a_1 x_1 + \ldots + a_n x_n \le c$ [Cousot et al: POPL'78]

Disjunctive numerical abstract domains:
- Powerset extension of an abstract domain [Cousot et al: POPL'79]
- Powerset widening [Bagnara et al: VMCAI'04], [Gulavani et al: TACAS'06]
- Hulling based on Hausdorff distance [Sankaranarayanan et al: SAS'06]

## 4 Overview

- Constraint abstraction: collected from the method body.
- Conjunctive fixpoint analysis.
- Disjunctive fixpoint analysis.
- Experimental results.

## 5 Constraint Abstraction

A method is translated to a constraint abstraction:

```
void mnD (ref int x) {
  if x>0 { x:=x-1; mnD(x); } else ()
}
```

$\mathit{mnD}(x,x') = (x \le 0 \land x'=x) \lor (x>0 \land \exists x_1.(x_1=x-1 \land \rho\,\mathit{mnD}(x,x')))$

where $\rho$ is the substitution from formal to actual arguments: $\rho = [x \mapsto x_1,\ x' \mapsto x']$.

Next step: derive the lfp of this recursive constraint.

## 6 Abstract Domain of Polyhedra [Cousot-Halbwachs: POPL'78]

Defined as a lattice $\langle L, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle$:
- abstract element: conjunction of linear inequalities (convex polyhedron)
- partial order: $F_1 \sqsubseteq F_2 = F_1 \Rightarrow F_2$
- bottom: $\bot = \mathit{False}$
- top: $\top = \mathit{True}$
- lub: $F_1 \sqcup F_2 = \mathit{hull}(F_1 \lor F_2)$
- glb: $F_1 \sqcap F_2 = F_1 \land F_2$

CAbst is a monotone function $f: L \to L$: $\forall F_1, F_2 \in L$: if $F_1 \sqsubseteq F_2$ then $f(F_1) \sqsubseteq f(F_2)$.

## 7 Fixpoint Analysis

$\mathit{mnD}(F) = (x \le 0 \land x'=x) \lor (x>0 \land \exists x_1.(x_1=x-1 \land \rho F))$, a relation over inputs ($x$) and outputs ($x'$).

$\mathit{mnD}_0 = \mathit{False}$, $\mathit{mnD}_{i+1} = \mathit{mnD}(\mathit{mnD}_i)$

Ascending chain: $\mathit{False} \sqsubseteq \mathit{mnD}_1 \sqsubseteq \mathit{mnD}_2 \sqsubseteq \ldots \sqsubseteq \mathit{mnD}_i \sqsubseteq \ldots$

## 8 Conjunctive Fixpoint Analysis

$\mathit{mnD}_1 = \mathit{mnD}(\mathit{False}) = (x \le 0 \land x'=x)$

$\mathit{mnD}_2 = \mathit{mnD}(\mathit{mnD}_1) = (x \le 0 \land x'=x) \lor (x>0 \land \exists x_1.(x_1=x-1 \land \rho(\mathit{mnD}_1))) = \mathit{hull}((x \le 0 \land x'=x) \lor (x=1 \land x'=0)) = (x-1 \le x' \le x \land x' \le 0)$

$\mathit{mnD}_3 = \mathit{mnD}(\mathit{mnD}_2) = (x-2 \le x' \le x \land x' \le 0)$

The lattice of polyhedra has infinite height: use a widening operator.

$\mathit{mnD}_{W2} = \mathit{widen}(\mathit{mnD}_2, \mathit{mnD}_3) = (x' \le x \land x' \le 0)$

A post-fixpoint has been found when $\mathit{mnD}(\mathit{mnD}_i) \Rightarrow \mathit{mnD}_i$:

$\mathit{mnD}_{W3} = \mathit{mnD}(\mathit{mnD}_{W2}) = (x' \le x \land x' \le 0)$

## 9 Conjunctive Analysis

$\mathit{mnD}_{\mathit{CONJ}} = (x' \le x \land x' \le 0)$

$\mathit{mnD}_{\mathit{DISJ}} = (x \le 0 \land x'=x) \lor (x>0 \land x'=0)$

$\mathit{mnD}_1 = (x \le 0 \land x'=x)$

$\mathit{mnD}_2 = (x \le 0 \land x'=x) \lor (x=1 \land x'=0)$

$\mathit{mnD}_3 = (x \le 0 \land x'=x) \lor (x=1 \land x'=0) \lor (x=2 \land x'=0)$ ...

More precision? Disjunctive analysis.

## 10 Powerset Abstract Domain of Polyhedra

Defined as a semi-lattice $\langle L, \sqsubseteq, \sqcup, \bot, \top \rangle$:
- abstract element: $m$-bounded disjunction of convex polyhedra
- partial order: $F_1 \sqsubseteq F_2 = F_1 \Rightarrow F_2$
- bottom: $\bot = \mathit{False}$
- top: $\top = \mathit{True}$
- lub: $F_1 \sqcup F_2 = \mathit{hull}_m(F_1 \lor F_2)$

## 11 Disjunctive Fixpoint Analysis

Key problems:
- Maintain precision at reasonable cost.
- Ensure termination of the analysis (with a widening operator).

Main contributions:
- Use disjunct affinity to lift both the hulling and widening operators from the conjunctive to the disjunctive domain.
- Precise and fairly efficient disjunctive polyhedra analysis.

## 12 Hull$_m$: Selective Hulling

Given $F = \bigvee_{i=1}^{n} \varphi_i$ (where the $\varphi_i$ are conjunctive formulae):
- find the most affine disjuncts for hulling (according to some affinity measure)
- ensure the number of disjuncts does not exceed $m$

13 33 44 Geometrical Intuition for Affinity Compare  1 Ç  2 with  hull 11 22 Identify perfect match (100% affinity) A good affinity-measure: should be able to quantify how precisely (  1 Ç  2 ) can be approximated by  hull (the convex-hull result)

## 14 Affinity Measures (1)

Based on Hausdorff distance [SAS'06]:

$\mathit{h\text{-}heur}(P,Q) = \max_{x \in P} \{ \min_{y \in Q} \{ |x - y| \} \}$

- Not able to distinguish between $(\varphi_1, \varphi_2)$ and $(\varphi_3, \varphi_4)$ (they have similar Hausdorff distances).
- Less appropriate for a relational domain.

## 15 Affinity Measures (2)

Planar affinity: $\mathit{p\text{-}heur}(\varphi_1, \varphi_2)$ = mset = $\{ c \in (\varphi_1 \cup \varphi_2) \mid \varphi_{\mathit{hull}} \Rightarrow c \}$

- Detects that $(\varphi_3, \varphi_4)$ has higher affinity.
- Suited for relational domains.

## 16 Example: Hull$_m$ and Planar Affinity

$\mathit{mnD}_3 = (x \le 0 \land x'=x) \lor (x=1 \land x'=0) \lor (x=2 \land x'=0)$, i.e. $(F_1 \lor F_2 \lor F_3)$

Affin$_{\mathit{hull}}$ matrix over $(F_1, F_2, F_3)$:

|       | F1 | F2 | F3  |
|-------|----|----|-----|
| F1    | -  | 4  | 1   |
| F2    | -  | -  | 100 |
| F3    | -  | -  | -   |

$\mathit{hull}_2(F_1 \lor F_2 \lor F_3) = (F_1 \lor \mathit{hull}(F_2 \lor F_3)) = (x \le 0 \land x'=x) \lor (1 \le x \le 2 \land x'=0)$

## 17 Overview

- Collect a constraint abstraction corresponding to the method body.
- Background: conjunctive fixpoint analysis.
- Disjunctive fixpoint analysis:
  - find related disjuncts for hulling
  - powerset widening operator
- Experimental results.

## 18 Powerset Widening

Given $F_1 = \bigvee d_i$ and $F_2 = \bigvee e_j$ ($d_i$, $e_j$ are conjunctive formulae):
- find pairs of related disjuncts $d_i$ and $e_j$
- compute widening on the conjunctive domain: $f_i = (d_i \nabla e_j)$
- the result is: $F_1 \nabla_m F_2 = \bigvee f_i$

Related work:
- Bagnara et al [VMCAI'04]: propose to use a connector to combine elements in $F_2$ (e.g. each connected element will approximate some element from $F_1$)
- Gulavani et al [TACAS'06]: specify a recipe for a connector, but rely on the ability to find one minimal element from a set of polyhedra

## 19 Powerset Widening $\nabla_m$

$(d_1 \lor d_2) \nabla_m (e_1 \lor e_2) = (d_1 \nabla e_1) \lor (d_2 \nabla e_2)$

(Figure: the disjuncts $d_1, d_2$ and $e_1, e_2$ with the chosen pairs.)

Our solution: find pairs of related disjuncts based on planar affinity. Planar affinity is a good indicator of the number of conjuncts preserved in the result of widening.

## 20 Summary: Disjunctive Fixpoint Analysis

$\mathit{mnD}_1 = \mathit{mnD}(\mathit{False}) = (x \le 0 \land x'=x)$

$\mathit{mnD}_2 = \mathit{mnD}(\mathit{mnD}_1) = \mathit{hull}_2((x \le 0 \land x'=x) \lor (x=1 \land x'=0)) = (x \le 0 \land x'=x) \lor (x=1 \land x'=0)$

$\mathit{mnD}_3 = \mathit{mnD}(\mathit{mnD}_2) = \mathit{hull}_2((x \le 0 \land x'=x) \lor (x=1 \land x'=0) \lor (x=2 \land x'=0)) = (x \le 0 \land x'=x) \lor (1 \le x \le 2 \land x'=0)$

The lattice has infinite height: use a widening operator.

$\mathit{mnD}_{W2} = \mathit{mnD}_2 \nabla_m \mathit{mnD}_3 = (x \le 0 \land x'=x) \lor (x>0 \land x'=0)$

A post-fixpoint has been found when $\mathit{mnD}(\mathit{mnD}_i) \Rightarrow \mathit{mnD}_i$:

$\mathit{mnD}_{W3} = \mathit{mnD}(\mathit{mnD}_{W2}) = (x \le 0 \land x'=x) \lor (x>0 \land x'=0)$

## 21 Implementation

- Haskell + Omega library [Pugh et al].
- Automate disjunctive postcondition inference. Does it give more precise results?
- Benchmarks: numerical programs written in a C-like language.

## 22 Experimental Results

Infer postconditions with different values for $m$. Most precise POST:
- $m=2$ (binary search, bubble sort, init array)
- $m=3$ (queens, quick sort, LU, Linpack)
- $m=4$ (SOR)
- $m=5$ (merge sort)

## 23 Experimental Results (II)

Array bound check elimination. Programs proved safe:
- $m=2$ (bubble sort, init array)
- $m=4$ (merge sort, SOR)

Planar affinity proves more checks redundant than the Hausdorff-based affinity. Disjunctive analysis is useful: as $m$ increases, the number of checks not proven decreases gradually.

## 24 Summary

- Disjunctive polyhedra analysis via affinity:
  - selective hulling
  - powerset widening
- Implementation of a modular static analyzer based on the disjunctive polyhedra domain.
- Potential for a trade-off between precision and analysis cost.

## 25 The End

## 26 Convex-Hull Operator

$\varphi_1 = (x \le 0 \land x'=x)$, $\varphi_2 = (x=1 \land x'=0)$

$\mathit{hull}(\varphi_1 \lor \varphi_2) = (x-1 \le x' \le x \land x' \le 0)$

(Figure: $\varphi_1$, $\varphi_2$ and $\mathit{hull}(\varphi_1 \lor \varphi_2)$ plotted in the $(x, x')$ plane, with boundary lines $x'=x$ and $x-1=x'$.)

## 27 Widening Operator

$\varphi_1 = (x-1 \le x' \le x \land x' \le 0)$, $\varphi_2 = (x-2 \le x' \le x \land x' \le 0)$

$\mathit{widen}(\varphi_1, \varphi_2) = (x' \le x \land x' \le 0)$

(Figure: $\varphi_1$, $\varphi_2$ and $\mathit{widen}(\varphi_1, \varphi_2)$ plotted in the $(x, x')$ plane, with boundary lines $x' \le x$, $x-1 \le x'$ and $x-2 \le x'$.)

## 28 Quick Sort Example

## 29 Quick Sort Example (II)

- Conjunctive analysis: discovers a lower bound for the result: $(\mathit{res} \ge n)$
- 3-disjunctive analysis: the result is a valid index: $(0 \le \mathit{res} < s)$

## 30 References

- [Cousot-Halbwachs: POPL'78] Automatic discovery of linear restraints among variables of a program.
- [Bagnara et al: VMCAI'04] Widening Operators for Powerset Domains.
- [Gulavani-Rajamani: TACAS'06] Counterexample Driven Refinement for Abstract Interpretation.
- [Sankaranarayanan et al: SAS'06] Static Analysis in Disjunctive Numerical Domains.

## 31 Constraint Abstraction

From a method, the analysis generates a constraint abstraction: $\mathit{meth} \Rightarrow \varphi$

Constraint language:

$\varphi ::= \varphi \land \varphi \mid \varphi \lor \varphi \mid \exists x.\varphi \mid \mathit{mn}(x^*) \mid s$ (constraint)

$s ::= a_1 x_1 + \ldots + a_n x_n \le a$ (linear inequality)

$a \in \mathbb{Z}$, $x \in \mathit{Var}$, $\mathit{mn} \in \mathit{Meth\text{-}Name}$

## 32 Hull$_m$: Selective Hulling

Given $F = \bigvee_{i=1}^{n} \varphi_i$ (where the $\varphi_i$ are conjunctive formulae):
- find the most affine disjuncts for hulling (according to some affinity measure)
- ensure the number of disjuncts does not exceed $m$

$\mathit{hull}_m(F) = \text{if } (n \le m) \text{ then } F \text{ else } \mathit{hull}_m((F - \{\varphi_i, \varphi_j\}) \cup \mathit{hull}(\varphi_i, \varphi_j))$

such that $\forall a, b \in 1..n$: $\mathit{affin}_{\mathit{hull}}(\varphi_i, \varphi_j) \ge \mathit{affin}_{\mathit{hull}}(\varphi_a, \varphi_b)$

## 33 Affinity for Hulling

Compute:
- hull operation: $\varphi_{\mathit{hull}} = \mathit{hull}(\varphi_1 \lor \varphi_2)$
- approximation due to the hull: $\varphi_{\mathit{approx}} = \varphi_{\mathit{hull}} \land \neg(\varphi_1 \lor \varphi_2)$

$\mathit{affin}_{\mathit{hull}}(\varphi_1, \varphi_2) = \text{if } (\varphi_{\mathit{approx}} = \mathit{False}) \text{ then } 100 \text{ else if } (\varphi_{\mathit{hull}} = \mathit{True}) \text{ then } 0 \text{ else } \mathit{heur}(\varphi_1, \varphi_2)$

## 34 Example: $\nabla_m$ and Planar Affinity

$\mathit{mnD}_3 = (x \le 0 \land x'=x) \lor (1 \le x \le 2 \land x'=0)$, i.e. $(d_1 \lor d_2)$

$\mathit{mnD}_4 = (x \le 0 \land x'=x) \lor (1 \le x \le 3 \land x'=0)$, i.e. $(e_1 \lor e_2)$

Affin$_{\mathit{widen}}$ matrix:

|       | d1  | d2 |
|-------|-----|----|
| e1    | 100 | 21 |
| e2    | 41  | 34 |

$\mathit{mnD}_3 \nabla_m \mathit{mnD}_4 = (d_1 \nabla e_1) \lor (d_2 \nabla e_2) = (x \le 0 \land x'=x) \lor (x>0 \land x'=0)$
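The selective hulling of slide 32 (with the affinity of slide 33) and the powerset widening of slide 18, as an added example that is not from the paper or its Haskell/Omega implementation. It swaps integer intervals in for polyhedra, so hull, widening and the exactness test ($\varphi_{\mathit{approx}} = \mathit{False}$) are trivial to compute, and it uses an assumed gap-based heuristic in place of planar affinity and as the widening affinity.

```python
from itertools import combinations
from math import inf

# Conjunctive domain stand-in: integer intervals (lo, hi); (-inf, inf) is top.
TOP = (-inf, inf)

def hull(a, b):
    """lub of the conjunctive domain: smallest interval containing both."""
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(a, b):
    """Standard interval widening: a bound that moved from a to b is dropped."""
    return (a[0] if b[0] >= a[0] else -inf, a[1] if b[1] <= a[1] else inf)

def affin_hull(a, b):
    """Affinity for hulling (slide 33): 100 if the hull is exact, 0 if it is
    top, otherwise a heuristic.  The heuristic used here, decreasing with the
    integer gap between the intervals, is an assumed stand-in for planar affinity."""
    gap = max(a[0], b[0]) - min(a[1], b[1]) - 1   # integers strictly between a and b
    if gap <= 0:            # hull adds no integer point: phi_approx = False
        return 100
    if hull(a, b) == TOP:
        return 0
    return max(1, 99 - gap)

def hull_m(F, m, affin=affin_hull):
    """Selective hulling (slide 32): merge the most affine pair until <= m disjuncts."""
    F = sorted(set(F))
    while len(F) > m:
        i, j = max(combinations(F, 2), key=lambda p: affin(*p))
        F = sorted((set(F) - {i, j}) | {hull(i, j)})
    return F

def widen_m(F1, F2, affin=affin_hull):
    """Powerset widening (slide 18): pair each d_i in F1 with its most affine
    unused e_j in F2 (greedy, best pairs first) and widen pairwise.  Disjuncts
    of F2 left unpaired are carried over unchanged (an assumption here)."""
    ranked = sorted(((affin(d, e), d, e) for d in F1 for e in F2), reverse=True)
    used_d, used_e, out = set(), set(), []
    for _, d, e in ranked:
        if d not in used_d and e not in used_e:
            used_d.add(d); used_e.add(e)
            out.append(widen(d, e))
    out += [e for e in F2 if e not in used_e]
    return sorted(out)

if __name__ == "__main__":
    print(hull_m([(0, 0), (1, 1), (5, 5)], 2))          # [(0, 1), (5, 5)]
    print(widen_m([(0, 1), (5, 5)], [(0, 2), (5, 6)]))   # [(0, inf), (5, inf)]
```

As in the slide 16 example, the exact pair ({0} and {1}, affinity 100) is hulled first while the distant disjunct {5} is kept separate; in the widening, the two overlapping pairs get affinity 100 and are widened pointwise, mirroring $(d_1 \nabla e_1) \lor (d_2 \nabla e_2)$.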

## 35 Loops are Analyzed as Methods

- Transform loops into tail-recursive functions.
- The proposed fixpoint analysis works both for loops and for general recursion:
  - nested loops
  - mutually recursive methods
