program analysis with dynamic change of precision

11
Program analysis with dynamic change of precision. Philippe Giabbanelli CMPT 894 – Spring 2008

Upload: kiayada-madden

Post on 01-Jan-2016

35 views

Category:

Documents


0 download

DESCRIPTION

Program analysis with dynamic change of precision. Philippe Giabbanelli CMPT 894 – Spring 2008. As we said a long time ago in a far, far galaxy…. specify a trade-off before executing the. In the episode I, we saw that we could. Analysis. Here, the precision can be. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Program analysis with dynamic change of precision

Program analysis with dynamic change of precision.

Philippe Giabbanelli CMPT 894 – Spring 2008

Page 2: Program analysis with dynamic change of precision

As we said a long time ago in a far, far galaxy…

C_______CMPT 894 – Episode VI _______ The Program Analysis Strikes Back ______________________________

Model checking is accurate but very costly.

On the other hand, abstract Interpretation had a reasonablecost but was not very accurate.

In the episode I, we saw that we couldspecify a trade-off before executing theAnalysis. Here, the precision can be dynamically adjusted: not before, during!

Page 3: Program analysis with dynamic change of precision

Principles Formalism Application Results

2

Model Checking Program Analysis

• Accurate analysis but very costly: small programs!

• The precision can be increased automatically during the execution, but extremely costly!

• Not too precise (possible false alarms,…) but quite cheap.

• Has to be specified to the user before starting: the abstraction cannot be changed dynamically.

• As you can guess, we want the advantages but not the inconvenient. A reasonable cost and the possibility of automatically increasing the precision during the execution.

• We run several analysis simultaneously. When the precision of one analysis becomes two costly (i.e. number of values over a threshold), we decrease its accuracy and increase the accuracy of another one.

Page 4: Program analysis with dynamic change of precision

Principles Formalism Application Results

3

We can afford having an explicit analysis to track the values of st because there is a reasonable number of possible values.

However, the number of possible values for the loop counter p can be arbitrarily large.

We stop tracking explicitely the values of p and we inject p < n in the predicate analysis.

We added a new predicate: refinement of the predicate abstract domain. We removed a variable: abstraction of the explicit abstract domain.

Page 5: Program analysis with dynamic change of precision

Principles Formalism Application Results

4

• Remember the definition of configurable program analysis (CPA)?

∙ An abstract domain, determines the objective of the analysis.

∙ A transfer relation, assigns to each abstract state its successors.

∙ The merge operator, combines two abstract states.

∙ The termination check : if the abstract state given as first parameter is covered by the states of abstract state given as second parameter, then we stop. The way we define covered is where the customization happens.

• Now, let’s add the manipulation of the precision to define CPA+!

∙ A set of possible precisions for the abstract domain. We will have pairs (e, π) of states e with precision π. For example, if e is a floating-point variable, π can be the number of digits.

∙ A precision adjustement function, changes the precision from one abstract state to another.

Page 6: Program analysis with dynamic change of precision

Principles Formalism Application Results

5

• As before, the reachability algorithms computes an over-approximation of the set of reachable concrete states.

• A set reached contains all the abstract states that have been reached, and a set waitlist the abstract states that have not been processed so far.

• How does the precision changes the algorithm from the one in CPA:

∙ Begins by the state e0 with precision π0.

∙ For a given state e, we adjust the precision according to which abstract states we reached.

• We have many tools, some being accurate but quite slow, other converging faster but loosing in accuracy… Let’s combine them!

∙ For example, predicate abstraction and shape analysis can be combined. The shape graph can become more accurate by using information from the predicate abstraction. The accuracy of the combination is the degree of sharpness.

Page 7: Program analysis with dynamic change of precision

Principles Formalism Application Results

6

∙ Basic BLAST’s. The components are the configurable program analysis for program locations and the configurable program analysis for predicate. Merge/Stop are separated.

∙ We can add to it a third component: shape analysis.

∙ We can also add to it pointer analysis as a third component (tracks pointer aliases, memory allocations, etc.)

• Remember in CPA: we explained how to combine things. The next step was obviously to say which CPAs we could combine.

• So, let see which are the three CPA+ we can combine here!

∙ Explicit Analysis. Merge/Stop are separated. The precision specifies for each variable x a maximum quantity π(x) of values we can store (threshold). If π(x) = 0 we do not store any values hence we do not track the variable. If π(x) = inf, we always track the values. R(x) is the set of values stored for x. If |R(x)| > π(x), we stop keeping track of the variable.

∙ Predicate Analysis. Merge/Stop are separated. The precision of an abstract state is a set of predicates. For a predicate p, if p is in π is tracked by the analysis if this analysis is set to π (in other words the analysis cannot change here).

∙ Location Analysis. Merge/Stop are separated. The precision is the set {L} of locations.

Page 8: Program analysis with dynamic change of precision

Principles Formalism Application Results

7

• We showed an example at the beginning where we abstracted the explicit abstract domain (stopped tracking one variable) and refined the predicates (dealing with a set of values that becomes too big).

• This can be defined as the composition of the three CPA+: location analysis L, predicate analysis P and explicit analysis C.

• Everything is in the composite precision adjustement function. If the number of values for a variable becomes too big, we stop the explicit analysis and add the predicates. That’s exactly what we said before, thus this definition is quite straight-forward.

• Want to analyse heap structures? Compose a CPA+ for shape analysis (costly computations) and a CPA+ for explicit heap analysis (requires lots of space). Again, when the size of the data becomes too big fir explicit heap analysis, we abstract and go for shape analysis.

Page 9: Program analysis with dynamic change of precision

Principles Formalism Application Results

8

• CPA+ has been implemented to extend BLAST (allows reusability of components such as the interface to theorem provers for predicate analysis, interface to the TLVA package for heap analysis, etc).

• Experiments have been conducted on the composition of the three CPA+ we presented (location + predicate + explicit), with different values for the maximum number of values stored for a variable (i.e. different values of the threshold that triggers the change of precision).

This is the example we had at the beginning. An explicit analysis cannot work because of the arbitrarily large number

of possible values. We see from the results that the better idea is to track variables with a small number of values and to handle the loop index with symbolically, as we explained.

Now, we bound the loop index by some number. So, we can do an explicit analysis. However, as there are still

many possible values for the index, a symbolic analysis shows to be faster.

Page 10: Program analysis with dynamic change of precision

Principles Formalism Application Results

9

• Those programs are subroutines for the handshake

protocol of SSH.

• In pure predicate analysis, the predicates are missused to track just one single explicit

value, which is the job in which a purely explicit

analysis performs better.

• A purely explicit analysis creates false alarms in all

cases.

Page 11: Program analysis with dynamic change of precision

T H A N K

Y O U

This Presentation was Based on…

Program Analysis with Dynamic Change of Precision (Beyer, Henzinger and Théoduloz).

I won’t give any date because there are not any yet

…but according to our conjectures, we predict

that it will not be before 2008…