Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automating Abstract Interpretation Mooly Sagiv Adapted from Thomas Reps VMCAI’2016 Invited Talk.

Published byClifton Marsh Modified over 8 years ago

Similar presentations

Presentation on theme: "Automating Abstract Interpretation Mooly Sagiv Adapted from Thomas Reps VMCAI’2016 Invited Talk."— Presentation transcript:

1 Automating Abstract Interpretation Mooly Sagiv Adapted from Thomas Reps VMCAI’2016 Invited Talk

2 Determine information about the possible situations that can arise at execution time, without actually running the program on specific inputs Typically: – For each point in the program, find a descriptor that represents (a superset of) the stores that could possibly arise at that point Correctness of an analysis justified via abstract interpretation [Cousot & Cousot 77] Static Analysis in a Nutshell

3 Automating Abstraction Interpretation Abstract interpretation – A “black art” → hard to work with 20-year quest to raise the level of automation in abstract interpretation – 3-valued logic analysis (TVLA) M. Sagiv, T. Reps, R. Wilhelm, T. Lev-Ami, A. Loginov, R. Manevichs – machine-code analysis (TSL) T. Reps, J. Lim – symbolic-abstraction algorithms T. Reps, M. Sagiv, G. Yorsh, A. Thakur Reps, T. and Thakur, A., “Automating abstract interpretation,” VMCAI, 2016. research.cs.wisc.edu/wpis/papers/vmcai16-invited.pdf Radhia Cousot Patrick Cousot

4 What Does It Mean to Automate Parsing? Steve Johnson source: simple-talk interviewsimple-talk interview A parsing-problem instance Parse(L,s) has two inputs – L = a context-free language – s = a string to be parsed The string changes more frequently than the language A context-free language has a context-free grammar Yacc (and later, Gnu Bison) – Input: a context-free grammar that describes the language L to be parsed – Output: a parsing function, yyparse(), for which executing yyparse() on string s computes Parse(L,s)

5 What Does It Mean to Automate Program Analysis? Follow a similar scheme... But first, why would you even want to invest the time doing so?

6

7

8

9 Why is Program Analysis Difficult?

10 Universe of States Reachable States Bad States Sidestepping Undecidability

11 Universe of States Reachable States Bad States Overapproximate the reachable states False positive! Sidestepping Undecidability

12 Why is Program Analysis Difficult?

13 Large/unbounded base types: int, float, string User-defined types/classes Pointers/aliasing + unbounded #’s of heap-allocated cells Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading Concurrency + unbounded #’s of threads  Why is Program Analysis Difficult?

14 Data – unbounded counters, integer variables, lists, queues Control structures – procedures, process creation Configuration parameters – unbounded number of processes, principals Real-time – discrete or continuous time Sources of Infinity 

15 Some Successes of the Field Static Driver Verifier, a.k.a. SLAM (Microsoft) – Tool for finding possible bugs in Windows device drivers – Complicated back-out protocols in driver APIs when events cancelled or interrupted Astrée (ENS) – Established the absence of run-time errors in Airbus flight software

16 Example: Parity Analysis f (a,b) = (16 * b + 3) * (2 * a + 1) * + b * + 1 2a *3 16 +0123... 00123 11234 22345 33456 ⋮⋮⋮⋮⋮⋱ *0123 00000 10123 20246 30369 ⋮⋮⋮⋮⋮⋱

17 b 1 2a 3 16 O ? ? E E E E O O O O Example: Parity Analysis ?OE ???? O?EO E?OE ?OE ???E O?OE EEEE

18 Abstract values, such as O, E, and ?, represent potentially infinite collections of concrete values ?OE ???? O?EO E?OE ?OE ???E O?OE EEEE

19 Constant Propagation e.e e.e[i  0] i = 0 j = 0 j = (j+1)/4 i = i+1 printf(i,j) while i  2 [i  ?, j  ?] e.e[j  0] e.e [i  0, j  ?] [i  0, j  0] e.e[i  e(i) + 1] e.e[j  (e(j)+1)/4] [i  0, j  0]  [i  1, j  0] [i  0, j  0]

20 e.e e.e[i  0] i = 0 j = 0 j = (j+1)/4 i = i+1 printf(i,j) while (…) [i  ?, j  ?] e.e[j  0] e.e [i  0, j  ?] [i  ?, j  0] e.e[i  e(i) + 1] e.e[j  (e(j)+1)/4] [i  0, j  0] [i  ?, j  0]  [i  ?, j  0] i  {…,-2,-1,0,1,2, …} j  {0} Constant Propagation

21 What Does It Mean to Automate Abstract Interpretation?

22 Abstract Interpretation [CC77] α Universe of States x  [2,5] y  [1,3] {(x  2, y  1), (x  5, y  3)} {(2,1), (2,2), (2,3), (3,1), (3,2), (3,3), (4,1), (4,2), (4,3), (5,1), (5,2), (5,3)} γ α Radhia Cousot Patrick Cousot

23 Best Transformer [CC79] τ#τ# τ α γ Universe of States safe τ # τ τ τ τ τ τ Radhia Cousot Patrick Cousot Loss of precision However, no algorithms to apply the best transformer  create the best transformer  γ

24 Why do we need algorithms for best transformers? Enables parametric semantics – X86 – Libraries Domain constructors – Reduced products Basic blocks and Loop free code – Simpler abstract domains

25 Challenge: Abstract Interpretation is Inherently Non-Compositional In computer science, we rely on compositionality – languages are expressed using context-free grammars – many concepts and properties defined using inductive definitions – recursive tree traversals are a basic workhorse – software organized into layers Example: (x + (–x)), evaluated in (x ↦ [5,10], y ↦ [10,20]) – [-5, 5] versus [0,0] – Suppose that you have in hand a collection of ``best” abstract- interpretation operators – Their composition may not provide the best (abstract) answer for the composition of the corresponding concrete operations x x [5,10] [-5,5] [-10,-5]

26 Predicate Abstraction Verify the safety of a program over infinite data using fixed set of predicates (Booleans) P 1, P 2, …, P n The meaning of each predicate is a function from the states into Booleans –  P i  :  {0, 1} The program can be conservatively represented by a Boolean program If safety property holds in the Boolean program then it also holds in original program

27 A Simple Example X := 0 ; while true do { X := X + 1; assert X > 0 } P 1 = X  0P 2 = X  0 while true do { assert P1  P2 }

28 A Simple Example (Transition System) X=0X=1X=3X=4X=… X:=0 X:=X+1  X:=0  #  X:=X+1  #  X:=X+1  # P 1 = X  0P 2 = X  0 Concrete Abstract

29 Predicate Abstraction: Basics Initial Error Program State Space Abstraction Abstraction: Predicates on program state –Signs: x > 0 –Aliasing:&x  &y States satisfying the same predicates are equivalent –Merged into single abstract state

30 (Predicate) Abstraction: A crash course Initial Error Program State Space Abstraction Q1: Which predicates are required to verify a property ? Q2: How to compute abstract transformers?

31 The Predicate Abstraction Domain Fixed set of predicates Pred The meaning of each predicate p i  Pred is a closed first order formula f i The relational domain is – Join is set union

32 A Simple Example int x, y; x = 1; y = 2 ; while (*) do { x = x + y ; } assert x > 0; Predicates: p1 = x > 0 p2 = y  0 bool p1, p2; p1 = true ; p2 = true ; while (*) do { p1 = (p1&&p2 ? 1 : *) } assert p1 ;

33 Existential Abstraction Given a transition system M=(S, S 0, T) and an abstraction  : S  S # An abstract a transition system M=(S #, S 0 #, T # ) is an existential abstraction of M w.r.t.  if –  s 0  S 0.  (s 0 ) = s 0 #  s 0  S 0 # –  (s, s’)  T.  (s) = s # .  (s’) = s’ #   (s #, s’ # )  T #

34 Minimal Existential Abstraction Given a transition system M=(S, S 0, T) and an abstraction  : S  S # An abstract a transition system M=(S #, S 0 #, T # ) is a minimal existential abstraction of M w.r.t.  if –  s 0  S 0.  (s 0 ) = s 0 #  s 0  S 0 # –  (s, s’)  T.  (s) = s # .  (s’) = s’ #   (s #, s’ # )  T # But how does one compute minimal abstraction? – Employ a SAT solver

35 The SAT Problem Given a propositional formula (Boolean function) –  = (a  b)  (  a   b  c) Determine if  is valid Determine if  is satisfiable –Find a satisfying assignment or report that such does not exit For n variables, there are 2 n possible truth assignments to be checked But many practical tools exist a bb cccc 0 0 0 00001 1 1 111 1

36 SAT made some progress…

37 The SMT Problem (Sat Modulu Theory) Given a quantifier free first order formula over some theory equation –  = 3x + y = z  f(y) = z Determine if  is valid Determine if  is satisfiable – Find a satisfying assignment or report that such does not exit Tools exist – Z3 (Microsoft) – CVC

38 Representing States as Formulas [F] states satisfying F {s | s  F } F FO formula over prog. vars [F 1 ]  [F 2 ]F1  F2F1  F2 [F 1 ]  [F 2 ]F 1  F 2 [F][F]  F F [F 1 ]  [F 2 ]F 1 implies F 2 i.e. F 1   F 2 unsatisfiable

39 A Simple Example (Again) X := 0 ; while true do { X := X + 1; assert X > 0 } P 1 = X  0P 2 = X  0 How can the SMT solver be used to compute the effect of X := X + 1 on P 1 and P 2 ?

40 Symbolic Operations: Three Value-Spaces Formulas Concrete Values Abstract Values  T T 

41 Symbolic Operations: Three Value-Spaces Formulas Abstract Values  T  T#T# Concrete Values

42 Symbolic Operations: Three Value-Spaces FormulasConcrete Values Abstract Values  even(x)   x=E 2, 4, 16, …

43 Symbolic Operations: Three Value-Spaces FormulasConcrete Values Abstract Values u1u1 x u     x... x

44 Required Primitive Operations Abstraction  (S) =  store  S  (store)  ( ) = { } Symbolic concretization  ( ) =  v 1,v 2 : node u1 ( v 1 )  node u ( v 2 )  v 1 ≠ v 2   v : node u1 ( v )  node u ( v ) ... Theorem prover returning a satisfying structure (store) S   u1u1 x u x u1u1 x u

45 Constant-Propagation Domain (Var  Z T ) , where Z T = T... -2 -1 0 1 2... Examples: , [x  0, y  43, z  0], [x  T, y  T, z  0], [x  T, y  T, z  T] Infinite cardinality, but finite height

46 Three Value-Spaces Formulas Abstract Values Concrete Values [x  0, y  0, z  0] [x  0, y  1, z  0] [x  0, y  2, z  0] (x = 0)  (z = 0)  [x  0, y  T, z  0]  

47 Three Value-Spaces Formulas Abstract Values Concrete Values [x  0, y  0, z  0] [x  0, y  1, z  0] [x  0, y  2, z  0]   (x = 0)  (z = 0)

48 Required Primitive Operations Abstraction  (S) =  store  S  (store)  ([x  0, y  2, z  0]) = [x  0, y  2, z  0] Symbolic concretization  ([x  0, y  T, z  0]) = (x = 0)  (z = 0) Theorem prover returning a satisfying structure (store) S   [x  0, y  2, z  0]  (x = 0)  (z = 0)

49 Required Primitive Operations Abstraction  (S) =  store  S  (store)  ([x  0, y  2, z  0]) = [x  0, y  2, z  0] Symbolic concretization  ([x  0, y  T, z  0]) = (x = 0)  (z = 0) Theorem prover returning a satisfying structure (store) S   [x  0, y  2, z  0]  (z = 0)  (x = y*z)

50 Constant Propagation x = y * z [x  3, y  4, z  1] [x ’  4, y ’  4, z ’  1] T[x = y * z] λe.e[x  e(y)*e(z)] T[x := y*z] = df (x ’ = y * z)  (y ’ = y)  (z ’ = z)  (x ’ = y * z)  (y ’ = y)  (z ’ = z) [x  3, y  4, z  1, x ’  4, y ’  4, z ’  1]

51 Constant Propagation x = y * z [x  3, y  T, z  1] [x’  T, y’  T, z’  1] T # [x = y * z] λ e. e [ x  e(y)  # e(z)]

52 Constant Propagation Startx = 3 if... z = 2 y = x y = z+1 printf(y)  λe.λe. λ e. e [ x  3] λe.eλe.e λe.eλe.e λ e. e [ z  2] λ e. e [ y  e(x)] λ e. e [ y  e(z)+ # 1]      

53 Constant Propagation Startx = 3 if... z = 2 y = x y = z+1 printf(y)  λe.λe. λ e. e [ x  3] λe.eλe.e λe.eλe.e λ e. e [ z  2] λ e. e [ y  e(x)] λ e. e [ y  e(z)+ # 1]       [ x  T, y  T, z  T ] [ x  3, y  T, z  T ] [ x  3, y  T, z  2 ] [ x  3, y  3, z  2 ] [ x  3, y  3, z  T ]

54 Abstract Transformer T # [ x := y*z ] [x  T, y  T, z  0] {[x  3, y  3, z  0], [x  7, y  2, z  0]} [x  T, y  T, z  0]  [x  0, y  T, z  0] {[x  0, y  3, z  0], [x  0, y  2, z  0]} T[ x := y*z ]  

55 Best Abstract Transformer [x  T, y  T, z  0] {[x  0, y  0, z  0], [x  1, y  0, z  0],... [x  0, y  1, z  0], [x  1, y  1, z  0],...} [x  0, y  T, z  0] {[x  0, y  0, z  0], [x  0, y  1, z  0],...} T[ x := y*z ]  

56 Three Value-Spaces Formulas Abstract Values Concrete Values (z = 0) [x’  0,y’  T,z’  0] α (x ’ = 0)  (z ’ = 0) T[x := y*z] αT αT [x  T,y  T,z  0] 

57 Remainder of the Lecture  (  ) – best abstract value that represents  Best =  T   – best abstract transformer

58 Idea Behind Procedure  CP (  )  FormulasConcrete Values Abstract Values  ans 

59 Idea Behind Procedure  CP (  )  FormulasConcrete Values Abstract Values S  S   S  (S)(S)  ans

60 Idea Behind Procedure  CP (  )  FormulasConcrete Values Abstract Values S  S   S  (S)(S)   ( ans )      ( ans )    ( ans )  ans

61 Idea Behind Procedure  CP (  ) 11 FormulasConcrete Values Abstract Values S 11  ( ans )    1   ( ans )    ( ans )  S  1S  1 ans  (S)(S)

62 Idea Behind Procedure  CP (  ) 22 FormulasConcrete Values Abstract Values 22 S  2S  2 S  (S)(S) ans  2 =  1   ( ans )

63   ( ans )  S  2S  2 Idea Behind Procedure  CP (  ) 22 FormulasConcrete Values Abstract Values 22   2   ( ans )  S  (S)(S) ans  ( ans ) 

64 Idea Behind Procedure  CP (  )  5 = false FormulasConcrete Values Abstract Values ans  ( ans )   ( ans ) ,  ( ans )  

65 Procedure   (formula  ) { ans :=   :=  while (  is satisfiable) { Select a store S such that S   ans := ans   (S)  :=    (ans) } return ans }

66 Example:  CP ((y = 3)  (x = 4*y + 1)) Initialization: ans :=   := (y = 3)  (x = 4*y + 1) Iteration 1: S := [x  13, y  3] // A satisfying store ans :=    ([x  13, y  3]) = [x  13, y  3]  (ans) = (x = 13)  (y = 3)  := (y = 3)  (x = 4*y + 1)   ((x = 13)  (y = 3)) = (y = 3)  (x = 4*y + 1)  ((x  13)  (y  3)) = false Iteration 2:  is unsatisfiable Return value: [x  13, y  3]

67 Procedure  CP (  ) (z = 0)  (x = y * z) FormulasConcrete Values Abstract Values  S  ans [x  0,y  43,z  0] [x  0, y  43, z  0]

68 Procedure  CP (  ) FormulasConcrete Values Abstract Values  (x = 0)  (y = 43)  (z = 0)      ( ans )    ( ans )  ans  S (z = 0)  (x = y * z) [x  0,y  43,z  0] [x  0, y  43, z  0]

69 Example:  CP ((z = 0)  (x = y * z)) Initialization: ans :=   := (z = 0)  (x = y * z) Iteration 1: S := [x  0, y  43, z  0] // A satisfying store ans :=    ([x  0, y  43, z  0]) = [x  0, y  43, z  0]  (ans) = (x = 0)  (y = 43)  (z = 0)  := (z = 0)  (x = y*z)   ((x=0)  (y=43)  (z=0)) = (z = 0)  (x = y*z)  (y  43)

70 Procedure  CP (  ) (z = 0)  (x = y * z)  (y  43) FormulasConcrete Values Abstract Values  S  [x  0,y  24,z  0] [x  0, y  43, z  0] [x  0, y  24, z  0]

71 Example:  CP ((z = 0)  (x = y * z))...  = (z = 0)  (x = y * z)  (y  43) Iteration 2: S := [x  0,y  46,z  0] // A satisfying store ans := [x  0,y  43,z  0]   ([x  0,y  46,z  0]) = [x  0, y  43, z  0]  [x  0,y  46,z  0] = [x  0, y  T, z  0]  (ans) = (x = 0)  (z = 0)  := (z=0)  (x=y*z)  (y  43)   ((x=0)  (z=0)) = false Iteration 3:  is unsatisfiable Return value: [x  0, y  T, z  0]

72 Procedure  CP (  ) (z = 0)  (x = y * z)  (y  43) FormulasConcrete Values Abstract Values  S  [x  0, y  T, z  0] ans (x = 0)  (z = 0)   (x = 0)  (z = 0) 

73 Example:  CP (y = x + (-x))  = y = x + (-x) Iteration 1: S := [x  43,y  0] // A satisfying store ans :=    ([x  43,y  0]) = [x  43 y  0]  (ans) = (x = 43)  (y = 0)  := (y = x + (-x))  (x  43  y  0)

74 FormulasConcrete Values Abstract Values  S  [x  43,y  0] [x  43 y  0]

75 Example:  CP (y = x + (-x)) (Cont)  := (y = x + (-x))  (x  43  y  0) Iteration 2: S = [x  43,y  0] ans := [x  43, y  0]   ([x  46,y  0]) = [x  T, y  0]  (ans) = (y = 0)  := (y = x + (-x))  (x  43  y  0)  (y  0) Iteration 3:  is unsatisfiable Return value: [x  T, y  0]

76 FormulasConcrete Values Abstract Values  S  [x  43,y  0] [x  43, y  0] (x = 43)  (y = 0)

77 FormulasConcrete Values Abstract Values [x  43, y  0]

78

79 FormulasConcrete Values Abstract Values  S  [x  46,y  0] [x  43, y  0] [x  46, y  0]

80 FormulasConcrete Values Abstract Values  S  [x  T, y  0] (y = 0) [x  46,y  0]

81 FormulasConcrete Values Abstract Values [x  T, y  0] unsat 

82   (a)  T  The Idea Behind Best =  T   FormulasT Abstract Values  (a)    (a)  a

83   (a)  T  The Idea Behind Best =  T   FormulasT Abstract Values  (a)    (a)  a

84   (a)  T  The Idea Behind Best =  T   FormulasT Abstract Values  (a)    (a)    a ans

85   (a)  T  The Idea Behind Best =  T   FormulasT Abstract Values  (a)    (a)    a ans

86 Procedure Best Best(two-store-formula T, abs-store a) { ans’ :=  ’  :=  (a)  T while (  is satisfiable) { Select a store pair (S,S ’) such that (S,S ’)   ans’ := ans’   ’(S ’)  :=    ’(ans’) } return ans’ }

87 Best( (x ’ = y * z)  (y ’ = y)  (z ’ = z), [x  T, y  T, z  0] ) Initialization: ans ’ :=  ’  := (z = 0)  (x ’ = y * z)  (y ’ = y)  (z ’ = z) Iteration 1: (S,S ’ ) := [x  5, y  17, z  0, x ’  0, y ’  17, z ’  0]

88   (a)  T  The Idea Behind Best =  T   Formulas T Abstract Values  (a)    (a)  a [x  5, y  17, z  0] [ x ’  0, y ’  17, z ’  0]

89 Best( (x ’ = y * z)  (y ’ = y)  (z ’ = z), [x  T, y  T, z  0] ) Initialization: ans ’ :=  ’  := (z = 0)  (x ’ = y * z)  (y ’ = y)  (z ’ = z) Iteration 1: (S,S ’ ) := [x  5, y  17, z  0, x ’  0, y ’  17, z ’  0] ans ’ := [x’  0, y’  17, z’  0]  ’ (ans ’ ) = (x ’ = 0)  (y ’ = 17)  (z ’ = 0)  := (z = 0)  (x ’ = y*z)  (y ’ = y)  (z ’ = z)  (y ’  17)

90 Best( (x ’ = y * z)  (y ’ = y)  (z ’ = z), [x  T, y  T, z  0] ) Iteration 2: (S,S ’ ) := [x  12, y  99, z  0, x ’  0, y ’  99, z ’  0] ans ’ := [x’  0, y’  17, z’  0]  [x’  0, y’  99, z’  0] = [x’  0, y’  T, z’  0]  ’ (ans ’ ) = (x ’ = 0)  (z ’ = 0)  := (z = 0)  (x ’ = y * z)  (y ’ = y)  (z ’ = z)  (y ’  17)  ( (x ’  0)  (z ’  0)) = false Iteration 3:  is unsatisfiable Return value: [x’  0, y’  T, z’  0]

91 Best( y = x  next, ) u1u1 x u r[x]r[x] r[x]r[x] u4u4 x r[x]r[x] r[x]r[x] r[x]r[x]r[x]r[x] u1u1 u2u2 u3u3 x’x’ r[x]’,r[y]’r[x]’,r[y]’ r[x]’,r[y]’r[x]’,r[y]’ r[x]’,r[y]’r[x]’,r[y]’ r[x]’r[x]’ y’y’ u2u2 x u r[x],r[y] u1u1 r[x]r[x] y...  (y ’ (v)   v 1 : x(v 1 )  n(v 1,v)) ...

92 Predicate Abstraction y := 3 x := 4*y + 1  B 1  B 2   B 3   B 4   B 5   B 6 [x  13, y  3] { B 1  (y = 1), B 2  (y = 3), B 3  (y = 4), B 4  (x = 1), B 5  (x = 3), B 6  (x = 4) } y = 3  x  {1, 3, 4} [x  13, y  3]

93 Three Value-Spaces Formulas Abstract Values Concrete Values (y ≠ 1)  (y = 3)  (y ≠ 4)  (x ≠ 1)  (x ≠ 3)  (x ≠ 4)  (  B1, B2,  B3,  B4,  B5,  B6) [x  5, y  3] [x  0, y  3] [x  17, y  3] 

94 Three Value-Spaces Formulas Abstract Values Concrete Values (y ≠ 1)  (y = 3)  (y ≠ 4)  (x ≠ 1)  (x ≠ 3)  (x ≠ 4)  (  B1, B2,  B3,  B4,  B5,  B6) (  B1, B2,  B3,  B6) α (y ≠ 1)  (y = 3)  (y ≠ 4)  (x ≠ 4) T[x := x+1] αTαT

95 Predicate Abstraction Abstract values (  B1, B2,  B3,  B4,  B5,  B6) Apply , which performs  symbolically (y ≠ 1)  (y = 3)  (y ≠ 4)  (x ≠ 1)  (x ≠ 3)  (x ≠ 4) Apply  T, which implements α  T

96 α PA : Most-Precise Abstract Value [Predicate Abstraction] Formulas Abstract Values Concrete Values (y = 3)  (x = 4*y + 1) (  B1, B2,  B3,  B4,  B5,  B6) α PA

97 α PA : Most-Precise Abstract Value [Predicate Abstraction]  PA (  ) = false  j = 1 k B j if    j is valid  B j if    j is valid true otherwise if  is unsatisfiable otherwise  PA ((y = 3)  (x = 4*y + 1)) =  B 1, B 2,  B 3,  B 4,  B 5,  B 6 (y = 3)  (x = 4*y + 1)   (y = 1) (y = 3)  (x = 4*y + 1)  (y = 3) (y = 3)  (x = 4*y + 1)   (y = 4)

98 α PA : Most-Precise Abstract Value [Predicate Abstraction]  PA (  ) = false  j = 1 k B j if    j is valid  B j if    j is valid true otherwise if  is unsatisfiable otherwise (y = 3)  (x = 4*y + 1)   (x = 1) (y = 3)  (x = 4*y + 1)   (x = 3) (y = 3)  (x = 4*y + 1)   (x = 4)  PA ((y = 3)  (x = 4*y + 1)) =  B 1, B 2,  B 3,  B 4,  B 5,  B 6

99 Procedure  PA vs. General  Concrete Values Formulas Abstract Values  PA ii Formulas Concrete Values Abstract Values ii S  iS  i S  ans i = ans i-1   ( S ) ans i-1   ( ans i-1 )  

100 Open Questions Infinite height domains Different algorithms for best transformers –Can we go down from  –No counter examples –Use symbolic counter examples Can we operate on formulas directly? Lower bounds on the problem of computing the best transformer

101 Bibliography Susanne Graf, Hassen Saïdi: Construction of Abstract State Graphs with PVS. CAV 1997: 72-83 Thomas W. Reps, Shmuel Sagiv, Greta Yorsh: Symbolic Implementation of the Best Transformer. VMCAI 2004: 252-266 Aditya V. Thakur, Thomas W. Reps: A Generalization of Stålmarck's Method. SAS 2012: 334-351 Aditya V. Thakur, Matt Elder, Thomas W. Reps: Bilateral Algorithms for Symbolic Abstraction. SAS 2012: 111-128 Aditya V. Thakur, Thomas W. Reps: A Generalization of Stålmarck's Method. SAS 2012: 334-351 Vijay D'Silva, Leopold Haller, Daniel Kroening: Abstract satisfaction. POPL 2014: 139-150

102 Summary Requirements –Finite-height abstract domain –Theorem prover that returns a satisfying structure (store) –  (S) =  s  S  (S) –Symbolic-concretization operation (  )  (  ) – best abstract value that represents  Best(T,a) – best abstract transformer

Download ppt "Automating Abstract Interpretation Mooly Sagiv Adapted from Thomas Reps VMCAI’2016 Invited Talk."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov.

Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:

CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin.

Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Similar presentations

Ads by Google