Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.

Published byKristopher Jobes Modified over 9 years ago

Similar presentations

Presentation on theme: "Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol."— Presentation transcript:

1 Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol

2 2 Topics  Program Slicing  Static  Dynamic  Abstract Interpretation  Soundness  Completeness

3 3 Program slicing A technique for analyzing programs regarding to a specific criterion. More specifically, the analysis is meant to find the statements that participate to a result.

4 4 Intuition What are the statements leading to the value of b at the end? a := 1 b := 5 if (b > 3) then Result := b else a := 2 end b := a

5 5 Key Idea: static slicing criteria Slicing criterion: (S, {variables}) A statement, a point in the program The set of variables that matter

6 6 The static slice The set of statements that lead to the state of the variables at the chosen statement. Example: i := 3 fact := 1 from i := 1 until i > 10 loop fact :=fact *i last_i := i-- Middle io.put ("last I:" +last_i ) i := i + 1 end (end,i)? (end,fact)? (middle,i)?

7 7 Key Idea: dynamic slicing criteria Slicing criterion: (x, S q, {variables}) Input of the program The set of variables that matter Statement S in q th position

8 8 The dynamic slice The set of statements that lead to the state of the variables at the chosen statement given input x. Example: n := io.read_int i := 3 fact := 1 from i := 1 until i > n loop fact :=fact *i last_i := i -- Middle io.put ("last I:“ + last_i ) i := i + 1 end (10,end 1,i)? (0,end 1,fact)? (5,middle 2,i)?

9 9 Application: Debugging  Simpler: Easier to understand what’s wrong  Remove statements: Detect dead code  By comparing to an intended behavior: detects bugs in the behavior

10 10 Other Applications  Software maintenance  Testing  Optimizations

11 11 Abstract interpretation A technique for analyzing the programs by modeling their values and operations. It is an execution that one can make to prove facts.

12 12 Intuition Set of values: V::= integers Expressions: e::= e * e | i ∈ V Language: eval: e -> integers eval(i) = i eval(e1*e2) = eval(e1) x eval(e2) How can we decide on the sign of the evaluated expressions?

13 13 Key Idea: the Abstraction! State Abstract State State Abstract State next α α How is this called? Homomorphism γ α: abstraction function γ: concretization function

14 14 Abstraction Set of values: V::= integers Expressions: e::= e * e | i ∈ V Language: eval: e -> integers eval(i) = i eval(e1*e2) = eval(e1) * eval(e2) Set of abstract values: AV::= {+, -, 0} Expressions: e::= e * e | ai ∈ AV Language: aeval: e -> AV aeval(i>0) = + aeval(i<0) = - aeval(i=0) = 0 aeval(e1*e2) = aeval(e1)* aeval(e2) where +*- = - +*+=+ -*-=+ 0*av=0 av*0=0 Adding unary minus?

15 15 If only the world would be so great… State Abstract State State Abstract State next α α How is this called? Semi-Homomorphism ⊆

16 16 Abstraction Set of values: V::= integers Expressions: e::= e * e | -e | e + e | i ∈ V Language: eval: e -> integers eval(i) = i eval(-e)=-eval(e) eval(e1*e2) = eval(e1) * eval(e2) eval(e1+e2) = eval(e1) + eval(e2) Set of abstract values: AV::= {+, -, 0, T} Expressions: e::= e * e | -e | e + e | av ∈ AV Language: aeval: e -> AV aeval(integer) = … as before aeval(e1*e2) = … as before aeval(-e) = … easy ;) aeval(e1+e2) = aeval(e1)+ aeval(e2) where + + - = T + + + = + - + - = - 0+av=av av+0=av

17 17 Abstraction complete? Set of values: V::= integers Expressions: e::= e * e | -e | e + e | e/e | i ∈ V Language: eval: e -> integers eval(i) = i eval(-e)=-eval(e) eval(e1*e2) = eval(e1) * eval(e2) eval(e1+e2) = eval(e1) + eval(e2) eval(e1/e2) = eval(e1) / eval(e2) Set of abstract values: AV::= {+, -, 0, T, ⊥ } Expressions: e::= e * e | -e | e + e | e/e | av ∈ AV Language: aeval: e -> AV aeval(integer) = … as before aeval(e1*e2) = … as before aeval(-e) = … easy ;) aeval(e1/e2) = aeval(e1)/ aeval(e2) where av/0 = ⊥ av+ ⊥ = ⊥ …

18 18 Significance of the results?  It is sound! (the results are correct)  It is far from complete!!!!! (the results loose too much information)

19 19 Condition for Soundness It should be a Galois insertion: γ and α monotonic (x ⊆ y => f(x) ⊆ f(y)) for all S: S ⊆ γ ( α(S) ) α ( γ( av ) ) = av

20 20 Monotonic Functions In the example: for α: (S, ⊆ ) → (AV, ≤ ) for γ:(av,≤) → (S, ⊆ ) T + 0 - ⊥

21 21 Exercise Prove that the expression is divisible by 3. Set of abstract values: AV::= {true,false,T,  } Expressions: e::= e * e | -e | e + e | e/e | ai ∈ AV Language: aeval: e -> AV aeval(3) = yes aeval(e1*e2) = yes iff aeval(e1)=yes or aeval(e2)=yes aeval(-e) = … easy ;) aeval(e1+e2) = aeval(e1) and aeval(e2) aeval(e1/e2) = true if aeval(e1) and not aeval (e2)

22 22 Presenting it… Usually presented through the definition of transitions… Prove that this program does not try to access a value outside the array’s definition, a of size 10 (from 1 to 10) j := 0 from i := 1 until i > 50 loop j :=j + (45 - a.item (i ) + a.item (2*i )) i :=i + 1 end

23 23 Using abstract interpretation…  What abstraction would you use to compute the call graph of a program?  What abstraction would you use to optimize the tests within a program?

24 24 Problems  How would you verify that loops terminate?  Is it sound? Is it complete?  How would you verify that a password read on the keyboard is not sent through a socket?  Is it sound? Is it complete?

25 25 Applications to Trusted Components  Dataflow Analysis?  Program Slicing?  Abstract Interpretation?

26 26 Conclusions  Program Slicing  Static  Dynamic  Abstract Interpretation  Soundness  Completeness

Download ppt "Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol."

Similar presentations

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].

DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
CS107 Introduction to Computer Science Lecture 2.

CS107 Introduction to Computer Science Lecture 2.
Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
Basic Control Structures Control order of execution of statements sequential selection iteration - Repeat some action while a certain condition is true.

Basic Control Structures Control order of execution of statements sequential selection iteration - Repeat some action while a certain condition is true.
What is an Algorithm? (And how do we analyze one?)

What is an Algorithm? (And how do we analyze one?)
Example – calculating interest until the amount doubles using a for loop: will calculate up to 1000 years, if necessary if condition decides when to terminate.

Example – calculating interest until the amount doubles using a for loop: will calculate up to 1000 years, if necessary if condition decides when to terminate.
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
Chair of Software Engineering Fundamentals of Program Analysis Dr. Manuel Oriol.

Chair of Software Engineering Fundamentals of Program Analysis Dr. Manuel Oriol.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16.

Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday
Prof. Fateman CS 164 Lecture 221 Global Optimization Lecture 22.

Prof. Fateman CS 164 Lecture 221 Global Optimization Lecture 22.
Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Similar presentations

Ads by Google