Symbolic Implementation of the Best Transformer - PowerPoint PPT Presentation

1 / 32

About This Presentation

Title:

Symbolic Implementation of the Best Transformer

Description:

For predicate-abstraction domains, implementation of best ... Number of calls to the decision procedure. linear in the height of the domain. Termination ... – PowerPoint PPT presentation

Number of Views:23

Avg rating:3.0/5.0

Slides: 33

Provided by: thoma423

Category:

more less

Transcript and Presenter's Notes

Title: Symbolic Implementation of the Best Transformer

1
Symbolic Implementationof the Best Transformer

Thomas Reps
Mooly Sagiv
Greta Yorsh

University of Wisconsin
Tel Aviv University
2
Motivation

New approach to using symbolic techniques in
abstract interpretation
for shape analysis
for other abstract domains
What does it mean to harness a decision procedure
for use in static analysis?
requirements
what does it buy us ?

3
Goals

Automatic verification of software
no loop invariants
abstraction
sound but incomplete methods
Mathematically justified by the abstract
interpretation (CC79)
Best possible precision for the given abstraction
No loss of information beyond abstraction

4
Plan

The challenge
computing the best transformer
Our solution
the idea behind our algorithm
example
Conclusions

5
Implementing Best Transformer

For predicate-abstraction domains, implementation
of best transformer is known
Uses decision procedure
Our work implement best transformers for
non-predicate-abstraction domains
Also uses decision procedure

6
The Best Transformer abstract operation
a1
Abstract
Concrete
7
The Best Transformer abstract operation
a1? a2
a2
?
a1
a
T(?(a)) ? ?(a1) ? a2 T(?(a)) ? ?(a2) ? ?(a1)
? ?(a2)
Abstract
Concrete
8
The Best Transformer - abstract operation
?
a1
?(a1)
a
?(a)
Abstract
Concrete
9
The Best Transformer symbolic operation
?
a1
?(a1)
a
?
?(a)
Abstract
Concrete
10
The Best Transformer symbolic operation
?
a1
?(a1)
a
?
?(a)
Abstract
Concrete
11
The idea behind ?(?)

?
???
Abstract
Concrete
12
The idea behind ?(?)

?
???
?
ans
?
?
Abstract
Concrete
13
Remainder of the Talk

Requirements
Example
Conclusions

14
Requirements

Lattice L (L, ?, ?,?, ?, ?)abstract domain of
finite height
a1 ? a2 means a1 represents fewer states than
a2
? Store ? L the best abstract value represented
by a store
?2Store ? Lthe best abstract value for a set of
stores
?(C) ? ?(store) store ? C
? L ? 2Storethe set of stores represented by
an abstract value
?(a) store ?(store) ? a
Galois Connection (?, ?)

15
A Simple Example - Constant Propagation
void main() int x,y,z x 3 if
(getchar()gt116) y x else z 2 y
z 1 printf(y)
x 3
x 3
z 2
y ?
y 3
y 2 1 3
y 3
16
Abstract Domain for Constant Propagation
L (Var ? Z T)?
x??, y??, z? ?
x??, y??, z?0
x?0, y??, z?0
x?0, y?43, z?0
x?0, y?0, z?0
x?0, y?1, z?0
x?0, y?2, z?0
?
Infinite cardinality, but finite height
17
Function ?cp
Abstract
Concrete
18
Function ?cp
x?0, y?0, z?0
x?0, y?1, z?0
x?0, y?0, z?0
x?0, y?2, z?0
?cp
x?0, y?2, z?0
Abstract
Concrete
19
Abstraction Function ?cp
?cp(?,?)
x?0, y?0, z?0
x?0, y?1, z?0
x?0, y?0, z?0
x?0, y?2, z?0
?cp
?cp
x?0, y?2, z?0
Abstract
Concrete
20
Three Value-Spaces

S ? ? (a) ? S ? ?(a)
x?0, y??, z?0
Abstract
Concrete
Formulas
21
Required Primitive Operations

Abstraction
?(S) ?store?S ?(store)
?(x ? 0, y ? 2, z ? 0) x?0, y?2, z?0
Symbolic concretization
S ? ? (a) ? S ? ?(a)
? (x?0, y??, z?0) (x 0) ? (z 0)
Decision procedure returning a satisfying
structure S ? ?
x ? 0, y ? 2, z ? 0 ? (z 0) ? (x y z)

22
Procedure ?(?) Example

(z 0) ? (x y z)
x?0, y?43, z?0
ans
Formulas
Abstract
Concrete
23
Procedure ?(?) Example

(z 0) ? (x y z)
x?0, y?43, z?0
ans
Formulas
Abstract
Concrete
24
Procedure ?(?) Example