Inferring Disjunctive Postconditions
Corneliu Popeea and Wei-Ngan Chin
School of Computing, National University of Singapore
- ASIAN 2006 -
Motivation: Infer Precise Invariants

x:=0;
while (x<len(A)) {
  if (…) { /* check if a new minimum has been found */
    m:=x;
  }
  x:=x+1;
}
/* l1 */
return A[m]; /* assert (0 ≤ m < len(A)) */

Compute an invariant at l1 over inputs (x,m,s) + outputs (x',m'), with s = len(A):
φ(x,m,s,x',m') :- (x ≥ s ∧ x'=x ∧ m'=m)
                ∨ (x < s ∧ x'=s ∧ m'=m)
                ∨ (x < s ∧ x'=s ∧ x ≤ m' < x')
What invariant at l1 proves the assertion?
Related: Numerical Abstract Domains

Conjunctive Num-Abs-Domains:
• Interval domain: ±x ≤ c [Cousot et al: ISOP'76]
• Polyhedron domain: a1x1 + .. + anxn ≤ c [Cousot et al: POPL'78]

Disjunctive Num-Abs-Domains:
• Powerset extension of an abstract domain [Cousot et al: POPL'79]
• Powerset widening [Bagnara et al: VMCAI'04] [Gulavani et al: TACAS'06]
• Hulling based on Hausdorff distance [Sankaranarayanan et al: SAS'06]
Overview

• Constraint abstraction: collected from the method body.
• Conjunctive fixpoint analysis.
• Disjunctive fixpoint analysis.
• Experimental results.
Constraint Abstraction

• A method is translated to a constraint abstraction:

void mnD (ref int x) {
  if x>0 { x:=x-1; mnD(x); } else ()
}

mnD(x,x') = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ ∃x1. (x1 = x-1 ∧ mnD(x1,x')))
  - substitution from formal to actual args = [x→x1, x'→x']

• Next step: derive the lfp of this recursive constraint.
Abstract Domain of Polyhedra [Cousot-Halbwachs: POPL'78]

Defined as a lattice: <L, ⊑, ⊥, ⊤, ⊔, ⊓>
• abstract element: conjunction of linear inequalities (convex polyhedron)
• partial order: F1 ⊑ F2 = F1 ⇒ F2
• bottom: ⊥ = False
• top: ⊤ = True
• lub: F1 ⊔ F2 = hull(F1 ∨ F2)
• glb: F1 ⊓ F2 = F1 ∧ F2

CAbst is a monotone function f: L → L: ∀F1,F2 ∈ L: if F1 ⊑ F2 then f(F1) ⊑ f(F2)
Fixpoint Analysis

mnD(φ) = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ ∃x1. (x1 = x-1 ∧ φ(x1,x')))
  - φ is a relation over inputs (x) + outputs (x')
• mnD0 = False
• mnDi+1 = mnD(mnDi)
• Ascending chain: False ⊑ mnD1 ⊑ mnD2 ⊑ .. ⊑ mnDi ⊑ ..
Conjunctive Fixpoint Analysis

mnD1 = mnD(False) = (x ≤ 0 ∧ x'=x)
mnD2 = mnD(mnD1) = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ ∃x1. (x1 = x-1 ∧ mnD1(x1,x')))
                 = hull((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0))
                 = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
mnD3 = mnD(mnD2) = (x-2 ≤ x' ≤ x ∧ x' ≤ 0)
• The lattice of polyhedra has infinite height: use a widening operator.
  mnDW2 = widen(mnD2, mnD3) = (x' ≤ x ∧ x' ≤ 0)
• A post-fixpoint has been found when: mnD(mnDi) ⇒ mnDi
  mnDW3 = mnD(mnDW2) = (x' ≤ x ∧ x' ≤ 0)
Conjunctive Analysis

• mnDCONJ = (x' ≤ x ∧ x' ≤ 0)

More precision? Disjunctive Analysis
mnD1 = (x ≤ 0 ∧ x'=x)
mnD2 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0)
mnD3 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0)
...
• mnDDISJ = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
Powerset Abstract Domain of Polyhedra

Defined as a semi-lattice: <L, ⊑, ⊥, ⊤, ⊔>
• abstract element: m-bounded disjunction of convex polyhedra
• partial order: F1 ⊑ F2 = F1 ⇒ F2
• bottom: ⊥ = False
• top: ⊤ = True
• lub: F1 ⊔ F2 = hull_m(F1 ∨ F2)
Disjunctive Fixpoint Analysis

• Key problems:
  • Maintain precision at reasonable cost.
  • Ensure termination of the analysis (with a widening operator).
• Main contributions:
  • Use disjunct affinity to lift both the hulling and the widening operator from the conjunctive to the disjunctive domain.
  • Precise and fairly efficient disjunctive polyhedra analysis.
Hull_m: Selective Hulling

• Given F = ∨_{i=1..n} φi (where the φi are conjunctive formulae):
  • find the most affine disjuncts for hulling (according to some affinity measure)
  • ensure the number of disjuncts does not exceed m
Geometrical Intuition for Affinity

[figure: two pairs of disjuncts, (φ1, φ2) and (φ3, φ4), each drawn together with its convex hull]

• Compare φ1 ∨ φ2 with hull(φ1 ∨ φ2)
• Identify a perfect match (100% affinity)
• A good affinity measure should be able to quantify how precisely (φ1 ∨ φ2) can be approximated by hull (the convex-hull result)
Affinity Measures (1)

• Based on Hausdorff distance [SAS'06]: h-heur(P,Q) = max_{x ∈ P} { min_{y ∈ Q} |x - y| }
• Not able to distinguish between (φ1,φ2) and (φ3,φ4): they have similar Hausdorff distances.
• Less appropriate for a relational domain.

[figure: the disjuncts φ1, φ2, φ3, φ4]
Affinity Measures (2)

• Planar affinity: p-heur(φ1,φ2) is defined from mset = { c ∈ (φ1 ∪ φ2) | hull ⇒ c }, the conjuncts of φ1 and φ2 that the hull still entails.
• Detects that (φ3,φ4) has higher affinity.
• Suited for relational domains.

[figure: the disjuncts φ1, φ2, φ3, φ4]
Example: Hull_m and Planar Affinity

• mnD3 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0)   (F1 ∨ F2 ∨ F3)
• affin_hull matrix (F1, F2, F3):

        F1    F2    F3
  F1     -    41    41
  F2     -     -   100
  F3     -     -     -

• hull_2(F1 ∨ F2 ∨ F3) = F1 ∨ hull(F2 ∨ F3) = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)
Overview

• Collect a constraint abstraction corresponding to the method body.
• Background: conjunctive fixpoint analysis.
• Disjunctive fixpoint analysis:
  • find related disjuncts for hulling
  • powerset widening operator
• Experimental results.
Powerset Widening

Given F1 = ∨ di and F2 = ∨ ej (di, ej are conjunctive formulae):
• find pairs of related disjuncts di and ej
• compute the widening on the conjunctive domain: fi = (di ∇ ej)
• the result is: F1 ∇_m F2 = ∨ fi

Related work:
• Bagnara et al [VMCAI'04]: propose to use a connector to combine elements in F2 (e.g. each connected element will approximate some element from F1)
• Gulavani et al [TACAS'06]: specify a recipe for a connector, but rely on the ability to find one minimal element from a set of polyhedra
Powerset Widening - ∇_m

• Our solution: find pairs of related disjuncts based on planar affinity.
• Planar affinity is a good indicator for the number of conjuncts preserved in the result of widening.

(d1 ∨ d2) ∇_m (e1 ∨ e2) = (d1 ∇ e1) ∨ (d2 ∇ e2)

[figure: the disjuncts d1, d2 of F1 paired with e1, e2 of F2]
Summary: Disjunctive Fixpoint Analysis

mnD1 = mnD(False) = (x ≤ 0 ∧ x'=x)
mnD2 = mnD(mnD1) = hull_2((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0))
                 = (x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0)
mnD3 = mnD(mnD2) = hull_2((x ≤ 0 ∧ x'=x) ∨ (x=1 ∧ x'=0) ∨ (x=2 ∧ x'=0))
                 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)
• The lattice has infinite height: use a widening operator.
  mnDW2 = mnD2 ∇_m mnD3 = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
• A post-fixpoint has been found when: mnD(mnDi) ⇒ mnDi
  mnDW3 = mnD(mnDW2) = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
Implementation

• Haskell + Omega library [Pugh et al]
• Automates disjunctive postcondition inference. Does it give more precise results?
• Benchmarks: numerical programs written in a C-like language.
Experimental Results

• Infer postconditions with different values for m.
• Most precise POST:
  m=2 (binary search, bubble sort, init array)
  m=3 (queens, quick sort, LU, Linpack)
  m=4 (SOR)
  m=5 (merge sort)
Experimental Results (II)

• Array bound checks elimination.
• Programs proved safe:
  m=2 (bubble sort, init array)
  m=4 (merge sort, SOR)
• Planar affinity proves more checks redundant than the Hausdorff-based affinity.
• Disjunctive analysis is useful: as m increases, the number of checks not proven decreases gradually.
Summary

• Disjunctive polyhedra analysis via affinity:
  • selective hulling
  • powerset widening
• Implementation of a modular static analyzer based on the disjunctive polyhedra domain.
  • potential for a trade-off between precision and analysis cost

The End
Convex-Hull Operator

φ1 = (x ≤ 0 ∧ x'=x)
φ2 = (x=1 ∧ x'=0)
hull(φ1 ∨ φ2) = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)

[figure: φ1 and φ2 in the (x, x') plane, with the lines x'=x and x-1=x', and the shaded region hull(φ1 ∨ φ2)]
Widening Operator

φ1 = (x-1 ≤ x' ≤ x ∧ x' ≤ 0)
φ2 = (x-2 ≤ x' ≤ x ∧ x' ≤ 0)
widen(φ1,φ2) = (x' ≤ x ∧ x' ≤ 0)

[figure: φ1 bounded by x-1 ≤ x' and x' ≤ x, φ2 bounded by x-2 ≤ x' and x' ≤ x, and widen(φ1,φ2) keeping only x' ≤ x]
Quick Sort Example

Quick Sort Example (II)
• Conjunctive analysis discovers a lower bound for the result: (res ≥ n)
• 3-disjunctive analysis: the result is a valid index: (0 ≤ res < s)
References

• [Cousot-Halbwachs: POPL'78] Automatic discovery of linear restraints among variables of a program.
• [Bagnara et al: VMCAI'04] Widening Operators for Powerset Domains.
• [Gulavani-Rajamani: TACAS'06] Counterexample Driven Refinement for Abstract Interpretation.
• [Sankaranarayanan et al: SAS'06] Static Analysis in Disjunctive Numerical Domains.
Constraint Abstraction

• From a method, the analysis generates a constraint abstraction: meth ⇒ φ
• Constraint language:
  φ ::= φ ∧ φ | φ ∨ φ | ∃x. φ | mn(x*) | s    (constraint)
  s ::= a1x1 + .. + anxn ≤ a                   (linear inequality)
  a ∈ Z, x ∈ Var, mn ∈ Meth-Name
Hull_m: Selective Hulling

• Given F = ∨_{i=1..n} φi (where the φi are conjunctive formulae):
  • find the most affine disjuncts for hulling (according to some affinity measure)
  • ensure the number of disjuncts does not exceed m

hull_m(F) = if (n ≤ m) then F
            else hull_m(F − {φi, φj} ∪ hull(φi, φj))
            such that ∀ a,b ∈ 1..n: affin_hull(φi,φj) ≥ affin_hull(φa,φb)
Affinity for Hulling

• Compute:
  • the hull operation: hull = hull(φ1 ∨ φ2)
  • the approximation due to hulling: approx = hull ∧ ¬(φ1 ∨ φ2)
• affin_hull(φ1,φ2) = if (approx = False) then 100
                      else if (hull = True) then 0
                      else heur(φ1,φ2)
Example: ∇_m and Planar Affinity

• mnD3 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 2 ∧ x'=0)   (d1 ∨ d2)
• mnD4 = (x ≤ 0 ∧ x'=x) ∨ (1 ≤ x ≤ 3 ∧ x'=0)   (e1 ∨ e2)
• affin_widen matrix:

        d1    d2
  e1   100    21
  e2    41    34

• mnD3 ∇_m mnD4 = (d1 ∇ e1) ∨ (d2 ∇ e2) = (x ≤ 0 ∧ x'=x) ∨ (x > 0 ∧ x'=0)
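The conjunctive iteration (mnD1, mnD2, mnD3, then widen to mnDW2), the selective hulling hull_m and the affinity-paired powerset widening ∇_m above can all be replayed on the mnD example in a few dozen lines. The Python below is an added example written for this page; it is not code from the paper or from its Haskell/Omega implementation. It assumes a difference-bound stand-in for the polyhedra domain: every constraint in the mnD example bounds a difference between two of x, x' and the constant 0, so a 3×3 difference-bound matrix (DBM) over {0, x, x'} represents each disjunct exactly, Floyd-Warshall closure gives the entailment test, and the pointwise maximum of bounds is the convex hull. The function `affinity` is a simplified stand-in for planar affinity (100 when the hull is exact because one disjunct entails the other, otherwise the percentage of conjuncts the hull preserves; the paper's exact formula is not reproduced), `widen_m` pairs disjuncts greedily by that measure, and `analyze` widens from the third iterate as the slides do. All names, the `m=1` degeneration to the conjunctive analysis and the equality-based duplicate removal in `mnD` are choices of this example.

```python
# Added example (not the paper's code): a 3x3 difference-bound matrix over
# {0, x, x'} stands in for the polyhedra domain, which is exact for mnD's constraints.
from itertools import combinations

INF = float("inf")
ZERO, X, XP = 0, 1, 2                 # DBM nodes: the constant 0, x, x'
NAMES = ("0", "x", "x'")

def close(d):
    """Floyd-Warshall tightening of v_i - v_j <= d[i][j]; None if unsatisfiable."""
    d = [row[:] for row in d]
    for k in range(3):
        for i in range(3):
            for j in range(3):
                d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return None if any(d[i][i] < 0 for i in range(3)) else d

def conj(*cs):
    """Closed DBM from (i, j, c) triples meaning v_i - v_j <= c."""
    d = [[0 if i == j else INF for j in range(3)] for i in range(3)]
    for i, j, c in cs:
        d[i][j] = min(d[i][j], c)
    return close(d)

def hull(a, b):
    """Convex hull of two closed DBMs: per template, keep the weaker bound."""
    return [[max(a[i][j], b[i][j]) for j in range(3)] for i in range(3)]

def widen(old, new):
    """Conjunctive widening: keep bounds that stayed, drop (INF) bounds that grew."""
    return [[old[i][j] if new[i][j] <= old[i][j] else INF for j in range(3)] for i in range(3)]

def entails(a, b):
    return all(a[i][j] <= b[i][j] for i in range(3) for j in range(3))

def affinity(a, b):
    """Assumed stand-in for planar affinity (not the paper's exact formula):
    100 if the hull is exact because one disjunct entails the other, else the
    percentage of the two disjuncts' conjuncts that the hull still entails."""
    if entails(a, b) or entails(b, a):
        return 100
    h = hull(a, b)
    cs = [(d, i, j) for d in (a, b) for i in range(3) for j in range(3)
          if i != j and d[i][j] != INF]
    return round(100 * sum(h[i][j] <= d[i][j] for d, i, j in cs) / len(cs))

def hull_m(ds, m):
    """Selective hulling: merge the most affine pair until at most m disjuncts remain."""
    ds = list(ds)
    while len(ds) > m:
        _, i, j = max((affinity(ds[i], ds[j]), i, j)
                      for i, j in combinations(range(len(ds)), 2))
        ds = [d for k, d in enumerate(ds) if k not in (i, j)] + [hull(ds[i], ds[j])]
    return ds

def widen_m(old, new):
    """Powerset widening: pair disjuncts greedily by affinity; unpaired ones are kept."""
    pairs = sorted(((affinity(d, e), i, j) for i, d in enumerate(old)
                    for j, e in enumerate(new)), reverse=True)
    match = {}
    for _, i, j in pairs:
        if i not in match and j not in match.values():
            match[i] = j
    out = [widen(old[i], new[match[i]]) for i in sorted(match)]
    return out + [e for j, e in enumerate(new) if j not in match.values()]

BASE = conj((X, ZERO, 0), (XP, X, 0), (X, XP, 0))   # x <= 0 /\ x' = x

def rec_call(f):
    """x > 0 /\ exists x1. (x1 = x-1 /\ f(x1, x')): rename x to x-1, then add x >= 1."""
    # (x-1) - v <= c becomes x - v <= c+1, and v - (x-1) <= c becomes v - x <= c-1
    d = [[f[i][j] + (i == X) - (j == X) for j in range(3)] for i in range(3)]
    d[ZERO][X] = min(d[ZERO][X], -1)  # 0 - x <= -1, i.e. x > 0 over the integers
    return close(d)

def mnD(disjs, m):
    """One application of the constraint abstraction mnD, bounded to m disjuncts."""
    out = [BASE]
    for f in disjs:
        r = rec_call(f)
        if r is not None and r not in out:
            out.append(r)
    return hull_m(out, m)

def analyze(m, max_iter=20):
    """Kleene iteration from False, widening from the third iterate (mnD2 ∇ mnD3)."""
    f = []
    for it in range(max_iter):
        nxt = mnD(f, m)
        if all(any(entails(n, g) for g in f) for n in nxt):   # mnD(F) => F: post-fixpoint
            return f
        f = widen_m(f, nxt) if it >= 2 else nxt
    raise RuntimeError("no post-fixpoint within max_iter")

def show(d):
    """Readable conjuncts of a DBM, as a sorted tuple of strings."""
    fmt = lambda i, j, c: (f"{NAMES[i]} <= {c}" if j == ZERO else
                           f"{NAMES[j]} >= {-c}" if i == ZERO else
                           f"{NAMES[i]} - {NAMES[j]} <= {c}")
    return tuple(sorted(fmt(i, j, int(d[i][j])) for i in range(3) for j in range(3)
                        if i != j and d[i][j] != INF))

if __name__ == "__main__":
    for m in (1, 2):     # m=1 is the conjunctive analysis, m=2 the 2-disjunctive one
        print(f"m={m}:", " \\/ ".join(" /\\ ".join(show(d)) for d in analyze(m)))
```

`analyze(1)` returns the conjunctive post-fixpoint x' ≤ x ∧ x' ≤ 0 of the "Conjunctive Fixpoint Analysis" slide, with `mnD([BASE], 1)` giving the intermediate hull x-1 ≤ x' ≤ x ∧ x' ≤ 0 (plus the implied x ≤ 1); `analyze(2)` returns (x ≤ 0 ∧ x' = x) ∨ (x ≥ 1 ∧ x' = 0), the mnDW2 of the disjunctive summary. The stand-in affinity also reproduces the ordering of the affin_hull matrix: the two x' = 0 disjuncts score higher than either does against the base case, so hull_2 merges them and keeps the base case separate. The widening here is only as strong as the pairing: an unpaired disjunct in the new iterate is kept as-is, which is sound but can delay termination if hull_m did not bound the number of disjuncts first.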
Loops are Analyzed as Methods

• Transform loops into tail-recursive functions.
• The proposed fixpoint analysis works both for loops and for general recursion:
  • nested loops
  • mutually-recursive methods