Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008 – L’Aquila – 17 September 2008 Simon Fraser University, BC, Canada EPFL, Switzerland

Automatic Software Verification Overapproximation int main() { int a = foo(); int b = bar(a); assert(a == b); } int main() { int a = foo(); int b = bar(a); assert(a == b); } C program Verification Tool SAFE i.e. assertions cannot be violated UNSAFE Reachable states Error states General method: Create an overapproximation of the program states

Example Program We want to prove that ERR is not reachable Variables st, ok, cmd, p are tracked explicitly at first All of them except p encounter more than five values

Abstraction x = 1 y = 1 z = 2 p  { h = 3 } x = 1 y = 1 z = 2 p  { h = 3 } Concrete state x = y  z = 2 x  1, y  1, z  > p h=3 Shape graph Abstract state Predicate abstraction Explicit valuations

int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50); Few explicit values  Explicit domain Many values  Predicate abstraction

int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50); Fully Explicit Analysis f  0 x  1 y  0 f  0 x  1 y  0 f  1 x  50 y  0 f  1 x  50 y  0 f  1 x  49 y  1 f  1 x  49 y  1 f  1 x  48 y  2 f  1 x  48 y  2 f  1 x  47 y  3 f  1 x  47 y  3 … f  1 x  46 y  4 f  1 x  46 y  4 +cheap to compute -many states

Combined Analysis  Start with explicit  Precision of explicit: threshold on number of diff. values E.g. ¼ (x) = 3  Precision of predicate: set of tracked predicates E.g. ¼ = { x + y = 50, x ¸ 0, x = 0}  Switch to predicates when the explicit threshold is hit Note: Coming up with “good” predicates is an orthogonal problem int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50);

Combined Analysis f  0 x  1 y  0 f  0 x  1 y  0 f  1 x  50 y  0 f  1 x  50 y  0 f  1 x  49 y  1 f  1 x  49 y  1 f  1 x  48 y  2 f  1 x  48 y  2 f  1 x  48 y  2 f  1 x  48 y  2 x + y = 50 x ¸ 0 x + y = 50 x ¸ 0 f  1 x  48 y  2 f  1 x  48 y  2 x + y = 50 x = 0 x + y = 50 x = 0 Threshold hit for explicit analysis int f = 0, x = 1, y = 0; while (x > 0) { if (f == 0){ x = 50; f = 1; } else{ x--; y++; } } assert(y == 50);

Motivation  Flexible combination of abstract domains  Dynamically update their respective precisions  precision: set of predicates, variables, etc. to track  e.g. switch on/off analyses  e.g. use different analyses for different variables  …

Configurable Program Analysis [Beyer/Henzinger/T 2007] Reached, Frontier := { e 0 } while Frontier   do remove e from Frontier for each e’  post( e ) do for each e’’  Reached do e’’ new := merge( e’, e’’ ) if e’’ new  e’’ then replace e’’ in Reached, Frontier by e’’ new if  stop(e’, Reached ) add e’ to Reached, Frontier return Reached

Configurable Program Analysis -Better combination of abstractions  Configurable Program Analysis [CAV07] Unified framework that enables intermediate algorithms Imprecise Scalable Precise Expensive Data-flow analysis Model Checking CPA

Configurable Program Analysis [Beyer/Henzinger/T 2007] Reached, Frontier := { e 0 } while Frontier   do remove e from Frontier for each e’  post( e ) do for each e’’  Reached do e’’ new := merge( e’, e’’ ) if e’’ new  e’’ then replace e’’ in Reached, Frontier by e’’ new if  stop(e’, Reached ) add e’ to Reached, Frontier return Reached

Configurable Program Analysis with Dynamic Precision Adjustment Reached, Frontier := { ( e 0, π 0 ) } while Frontier   do remove ( e, π ) from Frontier ( ê, π new ) = prec( e, π, Reached )‏ for each e’  post( ê, π new ) do for each ( e’’, π’’ )  Reached do e’’ new := merge( e’, e’’, π new ) if e’’ new  e’’ then replace ( e’’, π’’ ) in Reached, Frontier by (e’’ new, π new ) if  stop(e’, Reached, π new ) add (e’, π new ) to Reached, Frontier return Reached (CPA+)‏

CPA+ Configurable program analysis with dynamic precision adjustment: - concrete system (C, c 0, ! ) - abstract domain (E, >, ?, v, t ) - a set of precisions ¦ - concretization function  : E ! 2 C - transfer function post µ E £ ¦  2 E - merge operator merge: E £ E £ ¦ ! E - termination check stop: E £ 2 E £ ¦ ! B - precision adjustment: prec: E £ ¦ £ 2 E £ ¦  E £ ¦ Note: Operators are required to be soundly overapproximating e e’ 1 e’ 2 … ¼ post e.e’ merge(e,e’, ¼ )‏ e1e1 e2e2 … R = e3e3 e stop(e,R, ¼ ) = true e ¼ ¼’ prec Reached e’

CPA+ Configurable program analysis with dynamic precision adjustment: - concrete system (C, c 0, ! ) - abstract domain (E, >, ?, v, t ) - a set of precisions ¦ - concretization function  : E ! 2 C - transfer function post µ E £ ¦  2 E - merge operator merge: E £ E £ ¦ ! Emerge sep (e,e’, ¼ ) = e’ merge join (e,e’, ¼ ) = e t e’ - termination check stop: E £ 2 E £ ¦ ! B stop sep (e,R, ¼ )= 9 e’ 2 R, e v e’ stop join (e,R, ¼ ) = e v t R - precision adjustment: prec: E £ ¦ £ 2 E £ ¦  E £ ¦ Note: Operators are required to be soundly overapproximating

Composite CPA+ E 1 £ E 2, ¦ 1 £ ¦ 2 post £, merge £, stop £, prec £ Composite CPA+ E 1 £ E 2, ¦ 1 £ ¦ 2 post £, merge £, stop £, prec £ Composite CPA+ D 1 E 1, ¦ 1 post 1, merge 1, stop 1, prec 1 D 1 E 1, ¦ 1 post 1, merge 1, stop 1, prec 1 D 2 E 2, ¦ 2 post 2, merge 2, stop 2, prec 2 D 2 E 2, ¦ 2 post 2, merge 2, stop 2, prec 2 Composite operators: Strengthening operators " 1, " 2

Composite CPA+ Example: Predicate Abstraction + Explicit Example of composite abstract element: ( 6,x > 0 Æ x = y,{ i  2, x  >, y  > })‏ L (locations)‏ P (predicate abstraction)‏ C (explicit analysis)‏

Domain and Precisions Abstract domainPrecisions / Precision Adjustment Predicate Abstraction E = 2 P ¦ = 2 P e.g. e = { x 0 } prec P (e, ¼,R) = (e, ¼ )‏ Explicit Analysis E = [ X  Z ] Z = Z [ { ?, > } ¦ = [ X  N ] e.g. e = { x  2, y  >, … } Set of tracked predicates Max. number of diff. values per variable CPA+ P C prec C (e, ¼,R) = (e’, ¼ )‏ if for all x 2 X: if |R(x)| ¸ ¼ (x), then e’(x) = > otherwise, e’(x) = e(x)‏

Example: Predicate Abstraction + Explicit Idea: Dynamically choose between explicit & predicate abstraction - Too many explicit values  predicate abstraction - Use explicit values to infer predicates Implementable in the composite prec operator Note: explicit analysis ¼ testing on some variables

Example: Predicate Abstraction + Explicit Composite precision adjustment: prec((l, P, v), ( ¼ L, ¼ P, ¼ C ), R) = ((l,P’,v’), ( ¼ L, ¼ ’ P, ¼ ’ C ))‏ if (v’, ¼’ C ) = prec C (v, ¼ C, {(v’’, ¼’’ C ) | ((l,P,v’’), ( ¢, ¢, ¼’’ C )) 2 R})‏ and ¼ ’ P = ¼ P [  x 2 X: v(x)  >Æ v’(x)= > abstract(x, {v’’|((l,P,v’’), ¢ ) 2 R}) P’= P [ { p 2 ( ¼ ’ P n ¼ P ) | v ² p }

Program Threshold Pred. only k = 0 Predicate + Explicit k = 1 k = 5 Explicit only k = 1 ex10.46 s0.17 s0.21 s― ex20.43 s0.16 s0.21 s1.00 s loop s26.01 s22.78 s0.16 s loop s s s0.44 s square―――0.08 s Precision for explicit analysis: ¼ C (x) = k Program Threshold Pred. only k = 0 Predicate + Explicit k = 1 k = 2 s3_clnt (total)‏75.11 s10.40 s18.42 s s3_srvr (total)‏ s24.23 s34.40 s

Another combination: Shapes + Explicit heap Composite CPA+ Idea:Switch to shape analysis triggered by then number of nodes in the explicit heap. Composite CPA+ Idea:Switch to shape analysis triggered by then number of nodes in the explicit heap. L (locations)‏ S (shape analysis)‏ H (explicit heap analysis)‏

Conclusion  Framework to express change of precision during the analysis (  refinement)‏  Useful when composing existing analyses  Make combination more effective/precise  Ongoing/Future work  Improve predicate inference from explicit values  Integration with refinement loop  Use explicit heap to infer good predicates for shape analysis (e.g. instrumentation predicates)‏