![Page 1: Program Analysis and Verification Spring 2013 Program Analysis and Verification Lecture 1: Introduction Roman Manevich Ben-Gurion University](https://reader035.vdocuments.site/reader035/viewer/2022062722/56649f355503460f94c53f3e/html5/thumbnails/1.jpg)
Program Analysis and Verification, Spring 2013
Lecture 1: Introduction
Roman Manevich, Ben-Gurion University
December 31, 2008: 30GB Zunes all over the world fail en masse
Zune bug

```c
while (days > 365) {
    if (IsLeapYear(year)) {
        if (days > 366) {
            days -= 366;
            year += 1;
        }
    } else {
        days -= 365;
        year += 1;
    }
}
```
Zune bug, with the values of December 31, 2008 substituted in (days = 366, year = 2008):

```c
while (366 > 365) {
    if (IsLeapYear(2008)) {
        if (366 > 366) {
            days -= 366;
            year += 1;
        }
    } else {
        days -= 365;
        year += 1;
    }
}
```

2008 is a leap year and 366 > 366 is false, so neither days nor year is ever changed and the loop never terminates.

Suggested solution: wait for tomorrow
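To make the failure mode concrete, here is an added Python transcription of the loop (not the Zune firmware and not the lecturer's code), once as on the slide and once with the missing case handled. The `is_leap_year` implementation is an assumption (the slide only shows the call), and the day counts below are constructed: 366 and 2008 are the slide's values, while 10593 assumes days are counted from 1 January 1980 as day 1.

```python
MAX_STEPS = 100_000   # constructed guard so the buggy loop cannot hang the demo


def is_leap_year(year: int) -> bool:
    # Assumed implementation of the slide's IsLeapYear; the slide does not show it.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def zune_year_buggy(days: int, year: int):
    """Straight transcription of the loop on the slide.
    Returns (year, day_of_year), or None when the loop makes no progress."""
    for _ in range(MAX_STEPS):
        if not days > 365:
            return year, days
        if is_leap_year(year):
            if days > 366:
                days -= 366
                year += 1
            # days == 366 in a leap year: neither variable changes, so the
            # condition days > 365 stays true forever
        else:
            days -= 365
            year += 1
    return None


def zune_year_fixed(days: int, year: int):
    """The same loop with the missing case handled: day 366 of a leap year is a
    valid last day of the year, so stop instead of spinning."""
    while days > 365:
        if is_leap_year(year):
            if days > 366:
                days -= 366
                year += 1
            else:
                break
        else:
            days -= 365
            year += 1
    return year, days


if __name__ == "__main__":
    # Constructed inputs: the slide's values, then the same date counted from
    # the assumed 1980 epoch, then the next day ("wait for tomorrow").
    print(zune_year_buggy(366, 2008))      # None: the loop never terminates
    print(zune_year_fixed(366, 2008))      # (2008, 366)
    print(zune_year_buggy(10593, 1980))    # None
    print(zune_year_fixed(10593, 1980))    # (2008, 366)
    print(zune_year_buggy(10594, 1980))    # (2009, 1)
```

The only behavioural difference between the two functions is the `else: break`; everything the static analysis part of the course is about is deciding, without running the code, that the original loop has an input on which no variable changes.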
February 25, 1991: Patriot missile failure

On the night of the 25th of February, 1991, a Patriot missile system operating in Dhahran, Saudi Arabia, failed to track and intercept an incoming Scud. The Iraqi missile impacted into an army barracks, killing 28 U.S. soldiers and injuring another 98.
Patriot bug: rounding error

• Time measured in 1/10 seconds
• Binary expansion of 1/10: 0.0001100110011001100110011001100...
• 24-bit register: 0.00011001100110011001100
• Error: 0.0000000000000000000000011001100... binary, or ~0.000000095 decimal
• After 100 hours of operation the error is 0.000000095 × 100 × 3600 × 10 = 0.34 seconds
• A Scud travels at about 1,676 meters per second, and so travels more than half a kilometer in this time

Suggested solution: reboot every 10 hours
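The numbers on this slide can be reproduced exactly with rational arithmetic. The following is an added example (not part of the lecture) that models the register as a fixed-point value with 23 fractional bits, which is an assumption about how the slide's "24-bit register" is laid out; it is the layout that yields the slide's ~0.000000095 error.

```python
from fractions import Fraction

TICKS_PER_SECOND = 10      # the Patriot clock counts tenths of a second
SCUD_SPEED_MPS = 1676      # figure from the slide
FRAC_BITS = 23             # assumption: 24-bit register with 23 bits after the binary point


def truncated_tenth(frac_bits: int = FRAC_BITS) -> Fraction:
    """1/10 as stored in a fixed-point register with `frac_bits` bits after the
    binary point: the non-terminating expansion is truncated, not rounded."""
    scale = 1 << frac_bits
    return Fraction(scale // 10, scale)      # floor(2^k / 10) / 2^k


def truncation_error(frac_bits: int = FRAC_BITS) -> Fraction:
    """Exact difference between the true 1/10 and the stored value."""
    return Fraction(1, 10) - truncated_tenth(frac_bits)


def drift_seconds(hours: float, frac_bits: int = FRAC_BITS) -> float:
    """Accumulated clock error after `hours` of uptime: one truncation error per tick."""
    ticks = hours * 3600 * TICKS_PER_SECOND
    return float(truncation_error(frac_bits)) * ticks


def drift_meters(hours: float, speed_mps: float = SCUD_SPEED_MPS,
                 frac_bits: int = FRAC_BITS) -> float:
    """How far a target moving at `speed_mps` travels during the clock drift,
    i.e. how far off the predicted position of the Scud is."""
    return drift_seconds(hours, frac_bits) * speed_mps


def binary_expansion(x: Fraction, bits: int) -> str:
    """First `bits` binary digits of x after the point, to compare with the slide."""
    digits = []
    for _ in range(bits):
        x *= 2
        digits.append("1" if x >= 1 else "0")
        if x >= 1:
            x -= 1
    return "0." + "".join(digits)


if __name__ == "__main__":
    print("1/10      =", binary_expansion(Fraction(1, 10), 31))
    print("register  =", binary_expansion(truncated_tenth(), FRAC_BITS))
    print("error     =", float(truncation_error()))          # ~9.5e-08
    print("100 h drift =", drift_seconds(100), "s")          # ~0.34
    print("Scud travel =", drift_meters(100), "m")           # > 500
```

With 24 fractional bits instead of 23 the per-tick error would be about 3.6e-8; the function takes the bit count as a parameter so the reader can check which layout matches the slide.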
August 13, 2003

"Billy Gates why do you make this possible ? Stop making money and fix your software!!" (W32.Blaster.Worm)
Windows exploit(s): buffer overflow

```c
#include <string.h>

void foo(char *x) {
    char buf[2];
    strcpy(buf, x);   /* copies all of x into a 2-byte buffer, with no length check */
}

int main(int argc, char *argv[]) {
    foo(argv[1]);
}
```

```
./a.out abracadabra
Segmentation fault
```

Stack frame of foo (figure; memory addresses increase upwards, the stack grows downwards): previous frame, return address, saved FP, char* x, buf[2]. The copy of "abracadabra" fills buf and continues in two-byte chunks (ab, ra, ca, da, br, …) into the slots above it: char* x, the saved FP, the return address, …
Buffer overrun exploits

```c
#include <stdio.h>
#include <string.h>

int check_authentication(char *password) {
    int auth_flag = 0;
    char password_buffer[16];

    strcpy(password_buffer, password);   /* no length check on password */

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}

int main(int argc, char *argv[]) {
    if (check_authentication(argv[1])) {
        printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
        printf("      Access Granted.\n");
        printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
    } else {
        printf("\nAccess Denied.\n");
    }
}
```

(source: "Hacking: The Art of Exploitation, 2nd Ed.")
(In)correct usage of APIs

Application trend: increasing number of libraries and APIs
– Non-trivial restrictions on permitted sequences of operations

Typestate: temporal safety properties
– What sequences of operations are permitted on an object?
– Encoded as a DFA
e.g. "Don't use a Socket unless it is connected"

Socket typestate automaton (figure): states init, connected, closed, err; edges labelled connect(), close(), getInputStream(), getOutputStream() (several edges) and * (any operation).
Challenges

```java
class SocketHolder { Socket s; }

Socket makeSocket() {
    return new Socket(); // A
}

void open(Socket l) { l.connect(); }

void talk(Socket s) { s.getOutputStream().write("hello"); }

void main() {
    Set<SocketHolder> set = new HashSet<SocketHolder>();
    while (…) {
        SocketHolder h = new SocketHolder();
        h.s = makeSocket();
        set.add(h);
    }
    for (Iterator<SocketHolder> it = set.iterator(); …) {
        Socket g = it.next().s;
        open(g);
        talk(g);
    }
}
```
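The typestate property of the previous two slides, made concrete as an added Python example (not the lecturer's code). The states and edge labels are the ones in the slide's automaton; the exact edge set is my reading of the figure and of the rule "don't use a Socket unless it is connected", so treat it as an assumption. The checker runs the DFA over a recorded operation log, one automaton per socket, which is what a static typestate analysis must do over all possible traces of the program above rather than over one recorded trace.

```python
from typing import Dict, List, Optional, Tuple

# States and labels from the slide; edges are an assumption (see lead-in).
INIT, CONNECTED, CLOSED, ERR = "init", "connected", "closed", "err"
STREAM_OPS = ("getInputStream", "getOutputStream")

TRANSITIONS: Dict[Tuple[str, str], str] = {
    (INIT, "connect"): CONNECTED,
    (CONNECTED, "close"): CLOSED,
    **{(CONNECTED, op): CONNECTED for op in STREAM_OPS},   # legal only when connected
    **{(INIT, op): ERR for op in STREAM_OPS},              # used before connect()
    **{(CLOSED, op): ERR for op in STREAM_OPS},            # used after close()
}

Violation = Tuple[int, str, str]   # (event index, state before the call, operation)


def step(state: str, op: str) -> str:
    """One DFA move. err absorbs everything (the "*" edge). Operations with no
    listed edge are treated as violations too (assumption: e.g. a second connect())."""
    if state == ERR:
        return ERR
    return TRANSITIONS.get((state, op), ERR)


def check_trace(ops: List[str]) -> Optional[Violation]:
    """Run the automaton over one object's operation sequence; None if accepted."""
    state = INIT
    for i, op in enumerate(ops):
        nxt = step(state, op)
        if nxt == ERR:
            return (i, state, op)
        state = nxt
    return None


def check_log(events: List[Tuple[str, str]]) -> Dict[str, Optional[Violation]]:
    """Per-object check over an interleaved (object id, operation) log, the
    situation in the slide's main(): several sockets, each opened then talked to.
    Returns the first violation for each object seen, or None."""
    states: Dict[str, str] = {}
    first_violation: Dict[str, Optional[Violation]] = {}
    for i, (obj, op) in enumerate(events):
        before = states.get(obj, INIT)
        after = step(before, op)
        states[obj] = after
        first_violation.setdefault(obj, None)
        if after == ERR and first_violation[obj] is None:
            first_violation[obj] = (i, before, op)
    return first_violation


# Constructed logs. GOOD_LOG follows open(g) then talk(g) for every socket;
# BAD_LOG talks on s1 before connecting it and reads from s2 after closing it.
GOOD_LOG = [("s1", "connect"), ("s2", "connect"), ("s1", "getOutputStream"),
            ("s2", "getOutputStream"), ("s1", "close"), ("s2", "close")]
BAD_LOG = [("s1", "getOutputStream"), ("s2", "connect"), ("s2", "close"),
           ("s2", "getInputStream"), ("s1", "connect")]

if __name__ == "__main__":
    print(check_log(GOOD_LOG))   # every socket maps to None
    print(check_log(BAD_LOG))    # s1: (0, 'init', 'getOutputStream'); s2: (3, 'closed', 'getInputStream')
```

The difficulty the "Challenges" slide points at is visible in the log format: the checker needs a stable identity per socket, and in the program the sockets flow through a helper, a holder object, a set and an iterator before `open` and `talk` see them, so a static analysis must track which abstract object each call operates on.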
Testing is not enough

• Observe some program behaviors
• What can you say about other behaviors?
• Concurrency makes things worse
• Smart testing is useful
– requires the techniques that we will see in the course
Static analysis definition

Reason statically (at compile time) about the possible runtime behaviors of a program

"The algorithmic discovery of properties of a program by inspection of its source text¹" -- Manna, Pnueli

¹ Does not have to literally be the source text; it just means without running it
Is it at all doable?

```
x = ?
if (x > 0) {
    y = 42;
} else {
    y = 73;
    foo();
}
assert (y == 42);
```

Bad news: the problem is generally undecidable
Central idea: use approximation

Figure: within the universe of all configurations/behaviors, the exact set of configurations/behaviors of the program; an under-approximation is contained in it, and an over-approximation contains it.
Goal: exploring program states

Figure: initial states, the reachable states (those reached from the initial states), and bad states.
Technique: explore abstract states

Figure (animated over four slides): starting from the initial states, abstract states are added step by step until they cover the reachable states; the question is whether any of them overlaps the bad states.
Sound: cover all reachable states

Figure: the abstract states include every reachable state.

Unsound: miss some reachable states

Figure: some reachable states lie outside the abstract states.

Imprecise abstraction

Figure: the abstract states cover all reachable states but also overlap the bad states: false alarms.
A sound message

```
x = ?
if (x > 0) {
    y = 42;
} else {
    y = 73;
    foo();
}
assert (y == 42);
```

Analyzer output: "Assertion may be violated"
Precision

• Avoid useless results
• Low false alarm rate
• Understand where precision is lost

```
UselessAnalysis(Program p) {
    printf("assertion may be violated\n");
}
```
Runtime vs. static analysis

| | Runtime | Static analysis |
|---|---|---|
| Effectiveness | Can miss errors; finds real errors | Can find rare errors; can raise false alarms |
| Cost | Proportional to the program's execution; no need to efficiently handle rare cases | Proportional to the program's complexity; can handle limited classes of programs and still be useful |
Static Driver Verifier

Figure: inputs are the driver's source code in C, precise API usage rules (SLIC) and an environment model; the output is a list of defects, with 100% path coverage.
Bill Gates’ Quote
"Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability." Bill Gates, April 18, 2002. Keynote address at WinHec 2002
The Astrée Static Analyzer

Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, Xavier Rival
ENS France
Objectives of Astrée

• Prove absence of errors in safety-critical C code
• ASTRÉE was able to prove completely automatically the absence of any RTE in the primary flight control software of the Airbus A340 fly-by-wire system
– a program of 132,000 lines of C analyzed

(Photo: by Lasse Fuss (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons)
A little about me

• History
– Studied B.Sc., M.Sc., Ph.D. at Tel-Aviv University
– Research in program analysis with IBM and Microsoft
– Post-doc at UCLA and at UT Austin
– Joined Ben-Gurion University this year
• Example research challenges
– What's a good algorithm for automatically discovering (with no hints) that a program generates a binary tree where all leaves are connected in a list?
– What's a good algorithm for automatically proving that a parallel program behaves "well"?
– How can we automatically synthesize parallel code that is both correct and efficient?
Why study program analysis?

• Challenging and thought provoking
– An approach for dealing with computationally hard (usually undecidable) problems
– Treat programs as mathematical objects
• Understand how to systematically
– Design optimizations
– Reason about correctness / find bugs (security)
• Some techniques may be applied in other domains
– Computational learning
– Analysis of biological systems
What do you get in this course?

• Learn basic principles of static analysis
– Understand jargon/papers
• Learn a few advanced techniques
– Some principled way of developing analyses
– Develop one in a small-scale project
• Put to practice what you learned in logic, automata, programming
My role

• Teach you theory and practice
• Teach you how to think of new techniques
• E-mail: [email protected]
• Office hours: Wednesday 13:00-15:00
• Course web-page
– Announcements
– Forum
– …
Requirements

1. Summarize one lecture: 10% of grade
– Submit initial summary
– Get corrections/suggestions
– Submit revised summary
2. Theoretical assignments and programming assignments: 50%
– About 8 (some very small)
– Must submit all
– Must solve all questions
– Otherwise re-submit (and get a lower grade)
3. Final project: 40%
– Implement a program analyzer for a given component
How to succeed in this course

• Attend all classes
• Make sure you understand the material in class
– Engage by asking questions and raising ideas
• Be on top of assignments
– Submit on time
– Don't get stuck or give up on exercises: get help, ask me
– Don't start working on assignments the day before
• Be ethical

Joe (a day before the assignment deadline): "I don't really understand what you want from me in this assignment, can you help me/extend the deadline?"
The static analysis approach

• Formalize software behavior in a mathematical model (semantics)
• Prove properties of the mathematical model
– Automatically, typically with approximation of the formal semantics
• Develop theory and tools for program correctness and robustness
Kinds of static analysis

• Spans a wide range
– type checking … up to full functional verification
• General safety specifications
• Security properties (e.g., information flow)
• Concurrency correctness conditions (e.g., absence of data races, absence of deadlocks, atomicity)
• Correct usage of libraries (e.g., typestate)
• Underapproximations useful for bug-finding, test-case generation, …
Static analysis techniques

• Abstract interpretation
• Dataflow analysis
• Constraint-based analysis
• Type and effect systems
Static analysis for verification

Figure: the analyzer takes a program and a specification and reports either Valid or an abstract counterexample.
Relation to program verification

Static analysis:
• Fully automatic
• Applicable to a programming language
• Can be very imprecise
• May yield false alarms

Program verification:
• Requires specification and loop invariants
• Program specific
• Relatively complete
• Provides counterexamples
• Provides useful documentation
• Can be mechanized using theorem provers
Verification challenge

```c
main(int i) {
    int x = 3, y = 1;
    do {
        y = y + 1;
    } while (--i > 0);
    assert(0 < x + y);
}
```

Determine what states can arise during any execution.
Challenge: the set of states is unbounded.
Abstract Interpretation (same program)

Recipe:
1) Abstraction
2) Transformers
3) Exploration

Determine what states can arise during any execution.
Challenge: the set of states is unbounded.
Solution: compute a bounded representation of (a superset of) the program states.
1) Abstraction (same program)

• concrete state: Var → Z, e.g. (x, y, i) = (3, 1, 7), (3, 2, 6), …
• abstract state (sign): Var → {+, 0, -, ?}, e.g. (x, y, i) = (+, +, +)
2) Transformers (same program)

• concrete transformer: y = y + 1 maps (x, y, i) = (3, 1, 0) to (3, 2, 0)
• abstract transformer: y = y + 1 maps (+, +, 0) to (+, +, 0); in general:

| (x, y, i) before | after y = y + 1 |
|---|---|
| (+, -, 0) | (+, ?, 0) |
| (+, 0, 0) | (+, +, 0) |
| (+, ?, 0) | (+, ?, 0) |
3) Exploration (same program)

Abstract states (x, y, i) at the program points (figure): (?, ?, ?) on entry; (+, +, ?) after the initializations and at every point in and after the loop.
Incompleteness

```c
main(int i) {
    int x = 3, y = 1;
    do {
        y = y - 2;
        y = y + 3;
    } while (--i > 0);
    assert(0 < x + y);
}
```

Abstract states (x, y, i) at the program points (figure): (?, ?, ?) on entry; (+, +, ?) after the initializations; (+, ?, ?) at every point in and after the loop. After y = y - 2 the sign of y is unknown (a positive minus a positive can have any sign) and y = y + 3 cannot recover it, so the assertion 0 < x + y cannot be proven even though it holds in every execution.
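The recipe of slides 44 to 48 (abstraction, transformers, exploration) carried out in code, as an added example rather than anything from the lecture: a sign-domain abstract interpreter for the do-while programs above. Assumptions of mine: statements are encoded as `target = source + constant`, the decrement in the guard `--i > 0` is modelled as the last statement of the loop body, the guard itself is treated as non-deterministic (as the slides do, which is why i stays ?), and a bottom element is added to the lattice for the join.

```python
from typing import Dict, List, Optional, Tuple

# The slide's sign lattice {+, 0, -, ?}, plus a bottom element for "no value".
BOT, NEG, ZERO, POS, TOP = "bot", "-", "0", "+", "?"
Sign = str
AbsState = Dict[str, Sign]
# A statement is (target, source, constant) meaning `target = source + constant`;
# source None means `target = constant`. Enough for both loops on the slides.
Stmt = Tuple[str, Optional[str], int]


def join(a: Sign, b: Sign) -> Sign:
    """Least upper bound: equal signs stay, different signs collapse to ?."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP


def add(a: Sign, b: Sign) -> Sign:
    """Abstract addition: (+)+(+)=+, (-)+(-)=-, 0 is neutral, anything else is ?."""
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP


def sign_of(c: int) -> Sign:
    return POS if c > 0 else NEG if c < 0 else ZERO


def transfer(state: AbsState, stmt: Stmt) -> AbsState:
    """Abstract transformer for one statement; slide 46's table falls out of add()."""
    target, source, c = stmt
    base = state[source] if source is not None else ZERO
    out = dict(state)
    out[target] = add(base, sign_of(c))
    return out


def run_block(state: AbsState, stmts: List[Stmt]) -> AbsState:
    for stmt in stmts:
        state = transfer(state, stmt)
    return state


def analyze_do_while(params: List[str], init: List[Stmt],
                     body: List[Stmt]) -> Tuple[AbsState, AbsState]:
    """Exploration: run the body from the loop-head state, join the result back
    into the loop head, and repeat until the loop head stops changing (a fixed
    point). The guard is non-deterministic, so the state after the loop is the
    body's output at the fixed point. Returns (loop-head invariant, after-loop)."""
    head = run_block({p: TOP for p in params}, init)   # parameters: sign unknown
    while True:
        after_body = run_block(head, body)
        new_head = {v: join(head[v], after_body[v]) for v in head}
        if new_head == head:
            return head, after_body
        head = new_head


def check_positive_sum(state: AbsState, variables: List[str]) -> str:
    """Verdict for `assert 0 < v1 + v2 + ...` under the sign abstraction."""
    total = ZERO
    for v in variables:
        total = add(total, state[v])
    return "proven" if total == POS else "assertion may be violated"


# The slide's program: int x = 3, y = 1; do { BODY } while (--i > 0); assert 0 < x + y;
INIT = [("x", None, 3), ("y", None, 1)]
BODY_INC = [("y", "y", 1), ("i", "i", -1)]                       # slides 44-47
BODY_DEC_INC = [("y", "y", -2), ("y", "y", 3), ("i", "i", -1)]    # slide 48


def verdict(body: List[Stmt]) -> str:
    _, after_loop = analyze_do_while(["i"], INIT, body)
    return check_positive_sum(after_loop, ["x", "y"])


if __name__ == "__main__":
    for name, body in (("y = y + 1", BODY_INC), ("y = y - 2; y = y + 3", BODY_DEC_INC)):
        head, after_loop = analyze_do_while(["i"], INIT, body)
        print(f"{name}: loop head {head}, after loop {after_loop} -> {verdict(body)}")
```

The first program is proven (x and y are both + at every point), the second yields "assertion may be violated" because y becomes ? after y = y - 2, which is exactly the incompleteness the slide shows: the analysis is sound, the result is a false alarm, and the cure is a more precise domain (intervals, say, where y - 2 followed by + 3 keeps y ≥ 2).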
Parity abstraction

Challenge: how to find "the right" abstraction

```
while (x != 1) do {
    if (x % 2) == 0 {
        x := x / 2;
    } else {
        x := x * 3 + 1;
        assert (x % 2 == 0);
    }
}
```
How to find "the right" abstraction?

• Pick an abstract domain suited for your property
– Numerical domains
– Domains for reasoning about the heap
– …
• Combination of abstract domains
• Another approach: abstraction refinement
Following the recipe (in a nutshell)

Figure: 1) Abstraction: a concrete heap, a chain of nodes reached from x and t through n fields, and its abstract state, in which the chain is summarized. 2) Transformers: the effect of t->n = x on the abstract heap.
Example: shape (heap) analysis

```
void stack-init(int i) {
    Node* x = null;
    do {
        Node* t = malloc(…);
        t->n = x;
        x = t;
    } while (--i > 0);
    Top = x;
}
assert(acyclic(Top))
```

Figure: the abstract heaps at each program point of stack-init: x and t point to nodes linked by n, chains of arbitrary length (n, n, n, …) are summarized, and at the end Top points to the list.
3) Exploration (same program)

Figure: the abstract heaps reached at each program point of stack-init, including the states with Top pointing to the list after Top = x.
Example: polyhedra (numerical) domain

```
proc MC(n:int) returns (r:int)
var t1:int, t2:int;
begin
  if (n > 100) then
    r = n - 10;
  else
    t1 = n + 11;
    t2 = MC(t1);
    r = MC(t2);
  endif;
end

var a:int, b:int;
begin
  b = MC(a);
end
```

What is the result of this program?
McCarthy 91 function

```
proc MC (n : int) returns (r : int)
var t1 : int, t2 : int;
begin
  /* (L6 C5) top */
  if n > 100 then
    /* (L7 C17) [|n-101>=0|] */
    r = n - 10;
    /* (L8 C14) [|-n+r+10=0; n-101>=0|] */
  else
    /* (L9 C6) [|-n+100>=0|] */
    t1 = n + 11;
    /* (L10 C17) [|-n+t1-11=0; -n+100>=0|] */
    t2 = MC(t1);
    /* (L11 C17) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0|] */
    r = MC(t2);
    /* (L12 C16) [|-n+t1-11=0; -n+100>=0; -n+t2-1>=0; t2-91>=0; r-t2+10>=0; r-91>=0|] */
  endif;
  /* (L13 C8) [|-n+r+10>=0; r-91>=0|] */
end

var a : int, b : int;
begin
  /* (L18 C5) top */
  b = MC(a);
  /* (L19 C12) [|-a+b+10>=0; b-91>=0|] */
end
```

Result: if (n >= 101) then n - 10 else 91
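What the polyhedral invariant at the procedure exit means, as an added Python example (not part of the slide): the function is run on a range of inputs and each result is checked against the exit constraint `[|-n+r+10>=0; r-91>=0|]`, i.e. r ≥ n - 10 and r ≥ 91, and against the closed form. The input range is a constructed choice.

```python
import sys


def mc(n: int) -> int:
    """McCarthy 91 function, transcribed from the slide."""
    if n > 100:
        return n - 10
    return mc(mc(n + 11))


def closed_form(n: int) -> int:
    """The result stated on the slide: if n >= 101 then n - 10 else 91."""
    return n - 10 if n >= 101 else 91


def satisfies_exit_invariant(n: int, r: int) -> bool:
    """The polyhedron the analyzer reports at (L13 C8): -n + r + 10 >= 0 and r - 91 >= 0."""
    return -n + r + 10 >= 0 and r - 91 >= 0


def exit_invariant_is_tight(n: int) -> bool:
    """True when the invariant pins the result exactly (only for n >= 101, where
    r = n - 10 is forced by r >= n - 10 together with the then-branch's r = n - 10);
    for n <= 100 the polyhedron only says r >= 91, weaker than the closed form."""
    return n >= 101


def check_range(lo: int, hi: int) -> bool:
    """Every result in [lo, hi] matches the closed form and lies in the polyhedron."""
    return all(mc(n) == closed_form(n) and satisfies_exit_invariant(n, mc(n))
               for n in range(lo, hi + 1))


if __name__ == "__main__":
    sys.setrecursionlimit(10_000)   # the recursion nests deeper for very negative n
    print(mc(50), mc(100), mc(101), mc(200))      # 91 91 91 190
    print(check_range(-50, 150))                  # True
    print(satisfies_exit_invariant(50, 200))      # True: the invariant over-approximates
```

The last line is the over-approximation in action: r = 200 for n = 50 satisfies the exit polyhedron even though mc(50) = 91. The invariant is sound (every real result lies inside it) but only the then-branch's equality r = n - 10 survives as an equality; for the else-branch the domain keeps the inequality r ≥ 91 and drops the exact value, which is why a convex polyhedron cannot express "r = 91 or r = n - 10" by itself.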
Some things that should trouble you

• Does a result always exist?
• Does the recipe always converge?
• How "optimal" is the result?
• How do I pick my abstraction?
• How do I come up with abstract transformers?
• Other practical issues
– Efficiency
– How does it do in practice?
Abstraction refinement: change the abstraction to match the program

Figure: the verifier takes a program, a specification and an abstraction and reports Valid or an abstract counterexample; the abstraction refinement step takes the counterexample and feeds a refined abstraction back into the verifier.
Recap: program analysis

• Reason statically (at compile time) about the possible runtime behaviors of a program
• Use sound overapproximation of program behavior
• Abstract interpretation
– abstract domain
– transformers
– exploration (fixed-point computation)
• Finding the right abstraction?
Next lecture: semantics of programming languages
References

• Patriot bug:
– http://www.cs.usyd.edu.au/~alum/patriot_bug.html
– Patrick Cousot's NYU lecture notes
• Zune bug:
– http://www.crunchgear.com/2008/12/31/zune-bug-explained-in-detail/
• Blaster worm:
– http://www.sans.org/security-resources/malwarefaq/w32_blasterworm.php
• Interesting CACM article:
– http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
• Interesting blog post:
– http://www.altdevblogaday.com/2011/12/24/static-code-analysis/