Chair of Software Engineering
From Program slicing to Abstract Interpretation
Dr. Manuel Oriol
Topics
Program Slicing: Static, Dynamic
Abstract Interpretation: Soundness, Completeness
Program slicing
A technique for analyzing programs with respect to a specific criterion.
More specifically, the analysis is meant to find the statements that contribute to a result.
Intuition
What are the statements leading to the value of b at the end?
a := 1
b := 5
if (b > 3) then
  Result := b
else
  a := 2
end
b := a
Key Idea: static slicing criteria
Slicing criterion: (S, {variables})
  S: a statement, a point in the program
  {variables}: the set of variables that matter
The static slice
The set of statements that lead to the state of the variables at the chosen statement.
Example:
i := 3
fact := 1
from i := 1 until i > 10 loop
  fact := fact * i
  last_i := i -- Middle
  io.put ("last I:" + last_i)
  i := i + 1
end
(end,i)? (end,fact)? (middle,i)?
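As an added example (not code from the lecture), a backward static slicer in Python over a constructed control-flow graph of the loop above: reaching definitions give the data dependences, the loop test gives the control dependences, and the three criteria on the slide can be evaluated with it.

```python
# Constructed CFG of the slide's loop program, one node per statement (the
# "from" initialisation and the "until" test are separate nodes):
#   1: i := 3         2: fact := 1          3: i := 1 (from)
#   4: until i > 10   5: fact := fact * i   6: last_i := i   -- Middle
#   7: io.put (...)   8: i := i + 1         9: end (exit point, no-op)
# Node = (defined vars, used vars, CFG successors, controlling test or None).
PROGRAM = {
    1: ({"i"}, set(), [2], None),
    2: ({"fact"}, set(), [3], None),
    3: ({"i"}, set(), [4], None),
    4: (set(), {"i"}, [5, 9], None),
    5: ({"fact"}, {"fact", "i"}, [6], 4),
    6: ({"last_i"}, {"i"}, [7], 4),
    7: (set(), {"last_i"}, [8], 4),
    8: ({"i"}, {"i"}, [4], 4),
    9: (set(), set(), [], None),
}

def reaching_definitions(prog):
    """IN[n] = (var, defining node) pairs that may reach node n; iterated to a
    fixed point, so definitions flowing round the loop are found."""
    preds = {n: set() for n in prog}
    for n, (_, _, succ, _) in prog.items():
        for s in succ:
            preds[s].add(n)
    IN, OUT, changed = {n: set() for n in prog}, {n: set() for n in prog}, True
    while changed:
        changed = False
        for n, (defs, _, _, _) in prog.items():
            new_in = set().union(*[OUT[p] for p in preds[n]])
            # gen = this node's own definitions; kill = other defs of those vars
            new_out = {(v, n) for v in defs} | {(v, d) for (v, d) in new_in if v not in defs}
            if new_in != IN[n] or new_out != OUT[n]:
                IN[n], OUT[n], changed = new_in, new_out, True
    return IN

def static_slice(prog, stmt, variables):
    """Backward slice for criterion (stmt, variables): all statements that can
    influence the value of those variables on entry to stmt."""
    IN = reaching_definitions(prog)
    work, result = [d for (v, d) in IN[stmt] if v in variables], set()
    while work:
        n = work.pop()
        if n in result:
            continue
        result.add(n)
        _, uses, _, ctrl = prog[n]
        work += [d for (v, d) in IN[n] if v in uses]  # data dependences
        if ctrl is not None:
            work.append(ctrl)                         # control dependence
    return sorted(result)
```

For (end, fact) the slice is nodes {2, 3, 4, 5, 8}: the initial `i := 3` is not in it, which is the "detect dead code" use from the debugging slide; (end, i) and (middle, i) both give {3, 4, 8}.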
Key Idea: dynamic slicing criteria
Slicing criterion: (x, Sq, {variables})
  x: input of the program
  Sq: statement S in qth position
  {variables}: the set of variables that matter
The dynamic slice
The set of statements that lead to the state of the variables at the chosen statement given input x.
Example:
n := io.read_int
i := 3
fact := 1
from i := 1 until i > n loop
  fact := fact * i
  last_i := i -- Middle
  io.put ("last I:" + last_i)
  i := i + 1
end
(10,end1,i)? (0,end1,fact)? (5,middle2,i)?
Application: Debugging
Simpler: Easier to understand what’s wrong
Remove statements: Detect dead code
By comparing to an intended behavior: detects bugs in the behavior
Other Applications
Software maintenance
Testing
Optimizations
Abstract interpretation
A technique for analyzing programs by modeling their values and operations.
It is an execution that one can carry out in order to prove facts.
Intuition
Set of values: V ::= integers
Expressions: e ::= e * e | i ∈ V
Language: eval: e -> integers
  eval(i) = i
  eval(e1 * e2) = eval(e1) × eval(e2)
How can we decide on the sign of the evaluated expressions?
Key Idea: the Abstraction!
Diagram: a concrete State goes to the next State by "next"; an Abstract State goes to the next Abstract State by the abstract "next"; α maps each State to its Abstract State and γ maps back. The diagram commutes: abstracting after a concrete step gives the same result as taking the abstract step after abstracting.
How is this called? Homomorphism
α: abstraction function
γ: concretization function
Abstraction
Set of values: V ::= integers
Expressions: e ::= e * e | i ∈ V
Language: eval: e -> integers
  eval(i) = i
  eval(e1 * e2) = eval(e1) * eval(e2)
Set of abstract values: AV ::= {+, -, 0}
Expressions: e ::= e * e | ai ∈ AV
Language: aeval: e -> AV
  aeval(i > 0) = +
  aeval(i < 0) = -
  aeval(i = 0) = 0
  aeval(e1 * e2) = aeval(e1) * aeval(e2)
  where + * - = -, + * + = +, - * - = +, 0 * av = 0, av * 0 = 0
Adding unary minus?
If only the world were so great…
Diagram as before (State to State by "next", Abstract State to Abstract State by the abstract "next", α between them), but now the two paths agree only up to ⊆: the abstraction of the concrete step is contained in the abstract step.
How is this called? Semi-Homomorphism
Abstraction
Set of values: V ::= integers
Expressions: e ::= e * e | -e | e + e | i ∈ V
Language: eval: e -> integers
  eval(i) = i
  eval(-e) = -eval(e)
  eval(e1 * e2) = eval(e1) * eval(e2)
  eval(e1 + e2) = eval(e1) + eval(e2)
Set of abstract values: AV ::= {+, -, 0, T}
Expressions: e ::= e * e | -e | e + e | av ∈ AV
Language: aeval: e -> AV
  aeval(integer) = … as before
  aeval(e1 * e2) = … as before
  aeval(-e) = … easy ;)
  aeval(e1 + e2) = aeval(e1) + aeval(e2)
  where + + - = T, + + + = +, - + - = -, 0 + av = av, av + 0 = av
Abstraction complete?
Set of values: V ::= integers
Expressions: e ::= e * e | -e | e + e | e/e | i ∈ V
Language: eval: e -> integers
  eval(i) = i
  eval(-e) = -eval(e)
  eval(e1 * e2) = eval(e1) * eval(e2)
  eval(e1 + e2) = eval(e1) + eval(e2)
  eval(e1 / e2) = eval(e1) / eval(e2)
Set of abstract values: AV ::= {+, -, 0, T, ⊥}
Expressions: e ::= e * e | -e | e + e | e/e | av ∈ AV
Language: aeval: e -> AV
  aeval(integer) = … as before
  aeval(e1 * e2) = … as before
  aeval(-e) = … easy ;)
  aeval(e1 / e2) = aeval(e1) / aeval(e2)
  where av / 0 = ⊥, av + ⊥ = ⊥, …
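The sign abstraction of the last three slides, written out in Python as an added example (not the lecture's code): the elided rules ("… as before", "… easy ;)", the rest of division) are filled in, a concrete evaluator sits beside the abstract one, and is_sound checks the soundness claim of the next slide on any expression. The tuple encoding of expressions is a constructed convention.

```python
# Sign domain from the slides: AV = {+, -, 0, T, ⊥}; T = "any sign", ⊥ = "division
# by zero". Expressions are constructed nested tuples:
#   int | ('neg', e) | ('*', e1, e2) | ('+', e1, e2) | ('/', e1, e2)
MUL = {('+', '+'): '+', ('-', '-'): '+', ('+', '-'): '-', ('-', '+'): '-'}
ADD = {('+', '+'): '+', ('-', '-'): '-', ('+', '-'): 'T', ('-', '+'): 'T'}

def alpha(i):
    """Abstraction function α for one integer."""
    return '+' if i > 0 else '-' if i < 0 else '0'

def in_gamma(av, i):
    """Concretization test: is the integer i an element of γ(av)?"""
    return av == 'T' or (av != '⊥' and alpha(i) == av)

def aeval(e):
    """The slides' aeval with the elided rules filled in."""
    if isinstance(e, int):
        return alpha(e)
    if e[0] == 'neg':
        a = aeval(e[1])
        return {'+': '-', '-': '+'}.get(a, a)          # 0, T and ⊥ are unchanged
    a, b = aeval(e[1]), aeval(e[2])
    if '⊥' in (a, b):
        return '⊥'                                    # av + ⊥ = ⊥, likewise for * and /
    if e[0] == '*':                                   # 0 * av = av * 0 = 0, even for T
        return '0' if '0' in (a, b) else 'T' if 'T' in (a, b) else MUL[(a, b)]
    if e[0] == '+':
        if '0' in (a, b):                             # 0 + av = av + 0 = av
            return b if a == '0' else a
        return 'T' if 'T' in (a, b) else ADD[(a, b)]
    if b == '0':                                      # av / 0 = ⊥
        return '⊥'
    # Integer division may round to 0 (1 / 2 = 0), so the only sound sign for a
    # non-zero quotient in this domain is T: the information loss the slides warn of.
    return '0' if a == '0' else 'T'

def eval_concrete(e):
    """Concrete eval; '/' truncates toward zero like Eiffel's integer division."""
    if isinstance(e, int):
        return e
    if e[0] == 'neg':
        return -eval_concrete(e[1])
    a, b = eval_concrete(e[1]), eval_concrete(e[2])
    return a * b if e[0] == '*' else a + b if e[0] == '+' else int(a / b)

def is_sound(e):
    """Soundness: whenever the concrete run returns v, v ∈ γ(aeval(e)).
    A concrete division by zero makes no claim and is trivially covered."""
    try:
        return in_gamma(aeval(e), eval_concrete(e))
    except ZeroDivisionError:
        return True
```

3 + (-5) is concretely negative but abstractly T, which is the incompleteness of the next slide in one line.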
Significance of the results?
It is sound! (the results are correct)
It is far from complete!!!!! (the results lose too much information)
Condition for Soundness
It should be a Galois insertion:
γ and α monotonic (x ⊆ y => f(x) ⊆ f(y))
for all S: S ⊆ γ(α(S))
α(γ(av)) = av
Monotonic Functions
In the example:
for α: (S, ⊆) → (AV, ≤)
for γ: (AV, ≤) → (S, ⊆)
Hasse diagram of (AV, ≤): T at the top; +, 0 and - in the middle, pairwise incomparable; ⊥ at the bottom.
Exercise
Prove that the expression is divisible by 3.
Set of abstract values: AV ::= {true, false, T, ⊥}
Expressions: e ::= e * e | -e | e + e | e/e | ai ∈ AV
Language: aeval: e -> AV
  aeval(3) = yes
  aeval(e1 * e2) = yes iff aeval(e1) = yes or aeval(e2) = yes
  aeval(-e) = … easy ;)
  aeval(e1 + e2) = aeval(e1) and aeval(e2)
  aeval(e1 / e2) = true if aeval(e1) and not aeval(e2)
Presenting it…
Usually presented through the definition of transitions…
Prove that this program does not try to access a value outside the array's definition, a of size 10 (from 1 to 10):
j := 0
from i := 1 until i > 50 loop
  j := j + (45 - a.item (i) + a.item (2*i))
  i := i + 1
end
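One way to attack this exercise, added here as an example rather than the lecture's own solution: an interval abstraction of i, with the loop presented as transitions on the loop head (guard, body, increment, back edge) iterated with widening to a fixed point, after which each index expression is compared with the array bounds. The interval encoding, join and widen are the usual textbook ones and are assumptions of this example.

```python
# Interval abstract interpretation of the slide's loop, as transitions on the
# loop head (constructed example). Intervals are (lo, hi); ±inf is allowed.
#   j := 0; from i := 1 until i > 50 loop
#       j := j + (45 - a.item (i) + a.item (2*i)); i := i + 1
#   end
ARRAY_BOUNDS = (1, 10)   # a of size 10, indexed 1..10

def join(x, y):
    """Least upper bound of two intervals (None = unreachable)."""
    if x is None or y is None:
        return x or y
    return (min(x[0], y[0]), max(x[1], y[1]))

def widen(old, new):
    """Standard widening: a bound that keeps growing jumps to ±infinity, which
    forces the loop-head iteration to terminate."""
    return (old[0] if new[0] >= old[0] else float('-inf'),
            old[1] if new[1] <= old[1] else float('inf'))

def loop_head_invariant(init=(1, 1), limit=50):
    """Abstract transitions of 'from i := init until i > limit loop i := i + 1':
    guard -> body -> increment -> back edge, iterated with widening to a fixed point.
    Returns (interval of i inside the body, interval of i after the loop)."""
    head = init
    while True:
        body = (head[0], min(head[1], limit)) if head[0] <= limit else None  # keep i <= limit
        back = None if body is None else (body[0] + 1, body[1] + 1)        # i := i + 1
        new_head = widen(head, join(head, back))
        if new_head == head:
            break
        head = new_head
    exit_state = (max(head[0], limit + 1), head[1]) if head[1] > limit else None
    return body, exit_state

def index_ranges(body):
    """Abstract values of the two index expressions a.item (i) and a.item (2*i)."""
    return {"a.item (i)": body, "a.item (2*i)": (2 * body[0], 2 * body[1])}

def check_bounds(body, bounds=ARRAY_BOUNDS):
    """Sound check: an access is proven safe only if its whole interval lies
    inside the array bounds; anything else is reported as a possible violation."""
    return {name: bounds[0] <= lo and hi <= bounds[1]
            for name, (lo, hi) in index_ranges(body).items()}
```

On the slide's program the body interval for i is [1, 50], so both accesses are flagged and the property cannot be proven; with the loop bound changed to 10 the first access is proven safe while a.item (2*i) still is not.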
Using abstract interpretation…
What abstraction would you use to compute the call graph of a program?
What abstraction would you use to optimize the tests within a program?
Problems
How would you verify that loops terminate? Is it sound? Is it complete?
How would you verify that a password read on the keyboard is not sent through a socket? Is it sound? Is it complete?
Applications to Trusted Components
Dataflow Analysis?
Program Slicing?
Abstract Interpretation?
Conclusions
Program Slicing: Static, Dynamic
Abstract Interpretation: Soundness, Completeness