Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco.

Published byAleesha Poole Modified over 8 years ago

Similar presentations

Presentation on theme: "A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco."— Presentation transcript:

1 A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco Logozzo, MSR

2 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } // here: ∀ k.0≤k<j ⇒ a[k]=11 } if j = 0 then a[0] … not known else if j > 0 ∧ j ≤ a.Length a[0] = … a[j-1] = 11 else impossible if j = 0 then a[0] … not known else if j > 0 ∧ j ≤ a.Length a[0] = … a[j-1] = 11 else impossible Challenge 2: Handling of disjunction Challenge 2: Handling of disjunction Challenge 1: All the elements are initialized Challenge 1: All the elements are initialized

3 Precision Scalability

4 Functor abstract domain by example

5 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } Segment limits Segment abstraction Possibly empty segment Possibly empty segment

6 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } Remove doubt

7 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } Scalar variables abstraction (omit a.Length ∈ [1, +∞)) Scalar variables abstraction (omit a.Length ∈ [1, +∞)) ∞ Record j = 0

8 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

9 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } Materialize segment Introduce ‘?’

10 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } Replace j by j-1

11 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

12 1.Unify the segments 2.Point-wise join Similar for order, meet and widening

13 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

14 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++ } Remove ‘?'

15 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

16 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

17 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

18 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; }

19 public void Init(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } // here j ≥ a.Length } Remove the empty segment

20 Abstract Semantics

21 Given an abstract domain B for bounds S for segments E for scalar variables environment Constructs an abstract domain F(B, S, E) to analyze programs with arrays (Main) Advantages Fine tuning of the precision/cost ratio Easy lifting of existing analyses

22 Sets of symbolic expressions In our examples: Exp := k | x | x + k Meaning: { e 0 … e n } { e’ 1 … e’ m } ≝ e 0 =… = e n < e’ 1 = … =e’ m { e 0 … e n } { e’ 1 … e’ m }? ≝ e 0 =… = e n ≤ e’ 1 = … =e’ m Possibly empty segments are key for scalability

23 public void CopyNonNull(object[] a, object[] b) { Contract.Requires(a.Length <= b.Length); var j = 0; for (var i = 0; i < a.Length; i++) { if (a[i] != null) { b[j] = a[i]; j++; } } Four partitions: j = 0 ∨ 0 ≤ j< b.Length-1 ∨ j = b.Length-1 ∨ j = b.Length Four partitions: j = 0 ∨ 0 ≤ j< b.Length-1 ∨ j = b.Length-1 ∨ j = b.Length

24 public void CopyNonNull(object[] a, object[] b) { Contract.Requires(a.Length <= b.Length); var j = 0; for (var i = 0; i < a.Length; i++) { if (a[i] != null) { b[j] = a[i]; j++; } } Segmentation discovered by the analysis Segmentation discovered by the analysis

25 Uniform abstraction for pairs (i, a[i]) More general than usual McCarthy definition Wide choice of abstract domains Fine tuning the cost/precision ratio Ex: Cardinal power of constants by parity [CC79] public void EvenOdd(int n) { var a = new int[n]; var i = 0; while (i < n) { a[i++] = 1; a[i++] = -1; }

26 Given two segmentations, find a common segmentation Crucial for order/join/meet/widening: 1.Unify the segments 2.Apply the operation point-wise In the concrete, a lattice of solutions In the abstract, a partial order of solutions Our algorithm tuned up by examples Details in the paper

27 Search the bounds for exp The search queries the scalar environment σ More precision A form of abstract domains reduction Set σ ’= σ [x ↦ A n ⊔ … ⊔ A m-1 ]

28 Search the bounds for exp Join the segments Split the segment Adjust emptiness May query scalar variables environment

29 Invertible assignment x = g(x) Replace x by g -1 (x) in all the segments Non-Invertible assignment x = g() Remove x in all the segments Remove all the empty segments Add x to all the bounds containing g()

30 Assume x == y Search for segments containing x/y Add y/x to them Assume x < y Adjust emptiness Assume x ≤ y Does the state implies x ≥ y ? If yes, Assume x == y Assumptions involving arrays similar

31 Fully implemented in CCCheck Static checker for CodeContracts Users: Professional programmers Array analysis completely transparent to users No parameters to tweak, templates, partitions … Instantiated with Expressions = Simple expressions (this talk) Segments = Intervals + NotNull + Weak bounds Environment = CCCheck default

32 Main.NET v2.0 Framework libraries Un-annotated code Analyzes itself at each build (0 warnings) 5297 lines of annotated C#

33 Inference of quantified preconditions See our VMCAI’11 Paper Handling of multi-dimensional matrixes With auto-application Inference of existential ∀∃ facts When segments interpreted existentially Array purity check The callee does not modify a sub-array …

34 Fully Automatic Once the functor is instantiated No hidden hypotheses Compact representation for disjunction Enables Scalability Precision/Cost ratio tunable Refine the functor parameters Refine the scalar abstract environment Used everyday in an industrial analyzer 1% Overhead on average

35 Backup slides

36 No [GRS05] and [HP07] They require a pre-determined array partition Main weakness of their approach Our segmentation is inferred by the analysis Totally automatic They explicitly handle disjunctions We have possibly empty segments

37 Orthogonal issue In the implementation in CCCheck Havoc arrays passed as parameters Assignment of unknown if by ref of one element Assume the postcondition Array element passed by ref Ex: f(ref a[x]) The same as assignment a[x] = Top Assume the postcondition

38 Orthogonal issue Depends on the underlying heap analysis In CCCheck: Optimistic hypotheses on non-aliasing FunArray easily fits in other heap models

Download ppt "A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco."

Similar presentations

Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.

Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz – ENS.

CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz – ENS.
1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.

1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.
August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.

Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.

Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.
Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1.

Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1.
Francesco Logozzo Microsoft Research, Redmond, WA.

Francesco Logozzo Microsoft Research, Redmond, WA.
CS 330 Programming Languages 10 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 10 / 16 / 2008 Instructor: Michael Eckmann.

Similar presentations

Ads by Google