The Octagon Abstract Domain
1. Domains The Octagon Domain Abstract Transfer Functions Analysis Example Conclusion
The Octagon Domain
Bernhard Mallinger
March 6-7th, 2013
Bernhard Mallinger
The Octagon Domain
Outline
1 Domains
2 The Octagon Domain
3 Abstract Transfer Functions
4 Analysis Example
5 Conclusion
1 Domains
Recap: Abstract Domains
Models states/properties in abstract interpretation of programs
Manipulated by abstract transfer functions
Can be composed of different kinds of elements
Properties (e.g. sign, is even)
Numeric values, intervals
Relations
Examples
Sign Domain
Interval Domain
Polyhedra Domain
Numerical Domains I
Figure: • marks elements of the domain, × marks spurious elements
that the abstraction admits. Domains always overapproximate in order to be sound.
(figure from Miné (2006))
Numerical Domains II
Assumption: Numeric means R
Interval Domain: X_i ∈ [a_i, b_i]
Polyhedra Domain: Σ_i a_ij X_i ≤ b_j
Zone Abstract Domain: ±X_i ≤ c_i, X_i − X_j ≤ c_ij ∀i ≠ j
Octagon Domain: ±X_i ± X_j ≤ c_ij ∀i, j
Numerical Domains III
In terms of precision: Interval < Octagon < Polyhedra
Interval Domain is non-relational
Polyhedra Domain has theoretically unbounded cost
(exponential in practice)
Octagon Domain is limited to two variables per inequality, with unit coefficients (±1) only
⇒ Quadratic memory / cubic time cost
Motivation: Relational Domains
Not only properties of variables are of interest,
but also the relations among them:
Y := X;
Z := X - Y;
Z := 4/Z;
After Y := X we always have X − Y = 0, so Z is 0 and the division fails on every run.
A non-relational domain (e.g. intervals) only knows the ranges of X and Y and cannot see this;
a relational domain records X − Y = 0 and does.
2 The Octagon Domain
Representation: Difference bound matrices I
Constraints: ±X ± Y ≤ c
⇒ 2n × 2n matrix m over the 2n literals (v_1, −v_1, ..., v_n, −v_n)
Concretisation function γ:
γ'(m) =def {(v_1, ..., v_{2n}) ∈ R^{2n} | ∀i, j : v_j − v_i ≤ m_ij}
γ(m) =def {(v_1, ..., v_n) ∈ R^n | (v_1, −v_1, ..., v_n, −v_n) ∈ γ'(m)}
Figure: Octagon representation
(figure from Miné (2006))
Representation: Difference bound matrices II
Abstraction function α:
Given concrete values, α computes all entries of m by taking
the maximal differences for each pair of variables
A lattice can be defined:
m ⊑ n ⇔def ∀i, j : m_ij ≤ n_ij
(m ⊔ n)_ij =def max(m_ij, n_ij)
(m ⊓ n)_ij =def min(m_ij, n_ij)
m ⊑ n ⇒ γ(m) ⊆ γ(n)
(γ, α) form a Galois connection
Figure: Problem: Representation is not unique
(figure from Miné (2006))
Shortest Path Closure
Calculating all-pairs shortest paths yields the smallest (closed) m*:
m* = inf {n | γ(m) = γ(n)}
All bounds are as tight as possible (saturation)
Cubic time complexity (e.g. Floyd-Warshall)
Negative cost cycle in m ⇔ γ(m) = ∅
For octagons (unlike zones) one extra step is needed after the shortest-path pass:
each m_ij is tightened to min(m_ij, (m_{i ī} + m_{j̄ j}) / 2), where ī is the literal of
opposite sign, so that the unary bounds of the two literals are combined (Miné's strong closure)
3 Abstract Transfer Functions
Abstract Transfer Functions
Abstract transfer functions correspond to semantic operations
Must be sound, therefore overapproximation
Some require closed arguments, some return closed ones
Different kinds:
Set operations such as Union/Intersection
Assignment
Test
Widening/Narrowing
Conversions to other domains (e.g. Interval, Polyhedra)
Union
Take the largest bounds elementwise:
m ∪ n =def m ⊔ n
The union of two octagons isn't an octagon in general
⇒ an exact abstraction isn't possible, only a best abstraction
The best abstraction is obtained if m and n are closed
Intersection
Defined like union, but with the elementwise minimum (m ⊓ n); the result is always exact,
since the intersection of two octagons is again an octagon
Forget-Operator
Figure: Non-deterministic behaviour can be modelled
by “forgetting” all constraints on a variable, but the matrix has to be closed first,
otherwise relations that were only implied via the forgotten variable are lost
(figure from Miné (2006))
Assignment I
Handling of assignments depends on the type of the expression
Directly handleable in the octagon domain:
X ← ±[a, b]
X ← ±Y ± [a, b]
e.g. for X ← Y + [a, b], we get a ≤ X − Y ≤ b, i.e. two constraints,
each stored together with its coherent mirror:
(+X) − (+Y) ≤ b and (−Y) − (−X) ≤ b
(+Y) − (+X) ≤ −a and (−X) − (−Y) ≤ −a
The old constraints on X w.r.t. other variables have to be discarded first (forget)
Assignment II
In case the expression is too complex:
⇒ transform everything to the Interval or Polyhedra domain and
do the assignment there
If using the Interval domain, new constraints can be derived by
computing bounds of ±expr ± Y
The Polyhedra domain only applies to linear expressions
and is costly, but yields a best abstraction
Test
X := [-100, 100]
if X ≥ 0 then
    // X ∈ [0, 100]
end if
All tests can be normalised to the form expr ≤ 0
Octagonally shaped tests can be applied directly
(e.g. X + Y + [a, b] ≤ 0)
More complex forms can be handled in the Interval or
Polyhedra domain (cf. Assignment)
4 Analysis Example
X := [-100, 100]
Y := X
if Y ≤ 0 then
    (1) Y := -Y (2)
else
    (3)
end if
(4)
if Y ≤ 69 then (5)
end if
Octagons at the marked program points:
(1) −100 ≤ X ≤ 0 ∧ −100 ≤ Y ≤ 0 ∧ X − Y = 0 ∧ −200 ≤ X + Y ≤ 0
(2) −100 ≤ X ≤ 0 ∧ 0 ≤ Y ≤ 100 ∧ −200 ≤ X − Y ≤ 0 ∧ X + Y = 0
(3) 0 ≤ X ≤ 100 ∧ 0 ≤ Y ≤ 100 ∧ X − Y = 0 ∧ 0 ≤ X + Y ≤ 200
(4) −100 ≤ X ≤ 100 ∧ 0 ≤ Y ≤ 100 ∧ −200 ≤ X − Y ≤ 0 ∧ 0 ≤ X + Y ≤ 200
(5) −69 ≤ X ≤ 69 ∧ 0 ≤ Y ≤ 69 ∧ −138 ≤ X − Y ≤ 0 ∧ 0 ≤ X + Y ≤ 138
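The following Python prototype is an added example; it is not code from these slides nor from Miné's octagon library. It puts the slides' definitions into runnable form: the 2n × 2n difference bound matrix in the (v_1, −v_1, ..., v_n, −v_n) layout, the closure with its emptiness test, union, forget, the directly handleable assignments X ← [a, b] and X ← ±Y + [a, b], octagonal tests, and finally the analysis example above, whose five octagons it reproduces. Assumptions the slides do not spell out, and which are mine: bounds are Python floats with +inf for a missing constraint; the closure is Floyd-Warshall followed by the tightening step m_ij := min(m_ij, (m_{i ī} + m_{j̄ j}) / 2), repeated until nothing changes; Y := −Y is done exactly by swapping the +Y and −Y rows and columns; the else branch of `if Y ≤ 0` is modelled as Y ≥ 0 because the domain is over R; all helper names (pos, neg, bar, guard, forget, analyse, ...) are invented here. Index 0 of the list returned by analyse() is the state right after Y := X, where X − Y is already known to be exactly [0, 0], the relational fact that the motivation example (Z := X − Y; Z := 4/Z) needs.

```python
from math import inf

# 2n x 2n difference-bound matrix over the literals (v1, -v1, ..., vn, -vn):
# index 2i is +X_i, index 2i+1 is -X_i, and entry m[i][j] bounds v_j - v_i.
def pos(i): return 2 * i
def neg(i): return 2 * i + 1
def bar(k): return k ^ 1                         # same variable, opposite sign
def copy(m): return [row[:] for row in m]

def top(n):                                      # no constraints at all
    return [[0.0 if i == j else inf for j in range(2 * n)] for i in range(2 * n)]

def add_constraint(m, p, q, c):
    """Impose v_p + v_q <= c in place (p == q encodes the unary bound v_p <= c).
    v_p + v_q = v_p - v_bar(q) is stored in m[bar(q)][p]; coherence mirrors it."""
    if p == q:
        c *= 2                                   # 2 * v_p <= 2c
    m[bar(q)][p] = min(m[bar(q)][p], c)
    m[bar(p)][q] = min(m[bar(p)][q], c)

def close(m):
    """Strong closure (assumed form): Floyd-Warshall plus the tightening step
    (m[i][-i] + m[-j][j]) / 2, repeated until stable. Negative diagonal = empty."""
    m, n = copy(m), len(m)
    for _ in range(n):
        before = copy(m)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    m[i][j] = min(m[i][j], m[i][k] + m[k][j])
        if any(m[i][i] < 0 for i in range(n)):
            return m                             # negative cycle: gamma(m) is empty
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], (m[i][bar(i)] + m[bar(j)][j]) / 2)
        if m == before:
            break
    return m
def is_empty(m): c = close(m); return any(c[i][i] < 0 for i in range(len(c)))

def join(m, n):
    """Union: element-wise max, the best octagon when both arguments are closed."""
    return [[max(a, b) for a, b in zip(r, s)] for r, s in zip(m, n)]

def forget(m, i):
    """Drop all constraints on X_i; close first so relations implied via X_i survive."""
    m = close(m)
    for k in (pos(i), neg(i)):
        for j in range(len(m)):
            m[k][j] = m[j][k] = inf
        m[k][k] = 0.0
    return m

def assign_interval(m, i, lo, hi):               # X_i <- [lo, hi]
    m = forget(m, i)
    add_constraint(m, pos(i), pos(i), hi)        #  X_i <= hi
    add_constraint(m, neg(i), neg(i), -lo)       # -X_i <= -lo
    return close(m)

def assign_from(m, i, lit, lo=0, hi=0):
    """X_i <- (+/-X_j) + [lo, hi] with j != i, i.e. lo <= X_i - (+/-X_j) <= hi."""
    assert lit // 2 != i, "use negate() for X_i <- -X_i"
    m = forget(m, i)
    add_constraint(m, pos(i), bar(lit), hi)      # X_i - (+/-X_j) <= hi
    add_constraint(m, lit, neg(i), -lo)          # (+/-X_j) - X_i <= -lo
    return close(m)

def negate(m, i):
    """X_i <- -X_i, exactly: swap the +X_i and -X_i rows and columns."""
    m, p, q = copy(m), pos(i), neg(i)
    m[p], m[q] = m[q], m[p]
    for row in m:
        row[p], row[q] = row[q], row[p]
    return m

def guard(m, p, q, c):
    """Test: filter by an octagonal guard v_p + v_q <= c (p == q: v_p <= c)."""
    m = copy(m)
    add_constraint(m, p, q, c); return close(m)

def upper(m, p, q):                              # tightest bound on v_p + v_q (p == q: on v_p)
    return m[bar(q)][p] / 2 if p == q else m[bar(q)][p]
def intervals(m, names):
    """Every bound lo <= X_i, X_i - X_j, X_i + X_j <= hi of a closed octagon."""
    out = {}
    for i, a in enumerate(names):
        out[a] = (-upper(m, neg(i), neg(i)), upper(m, pos(i), pos(i)))
        for j in range(i + 1, len(names)):
            b = names[j]
            out[a + "-" + b] = (-upper(m, neg(i), pos(j)), upper(m, pos(i), neg(j)))
            out[a + "+" + b] = (-upper(m, neg(i), neg(j)), upper(m, pos(i), pos(j)))
    return out

def analyse():
    """The slides' example; index 0 is the state after Y := X, 1..5 the marked points."""
    X, Y = 0, 1
    s0 = assign_from(assign_interval(top(2), X, -100, 100), Y, pos(X))  # X := [-100, 100]; Y := X
    s1 = guard(s0, pos(Y), pos(Y), 0)            # if Y <= 0 then       (1)
    s2 = negate(s1, Y)                           #     Y := -Y          (2)
    s3 = guard(s0, neg(Y), neg(Y), 0)            # else, i.e. -Y <= 0   (3)
    s4 = join(s2, s3)                            # end if               (4)
    s5 = guard(s4, pos(Y), pos(Y), 69)           # if Y <= 69 then      (5)
    return [intervals(s, ["X", "Y"]) for s in (s0, s1, s2, s3, s4, s5)]
```

Running analyse() and printing the six dictionaries gives exactly the constraint sets listed at points (1) to (5) above, with state 0 showing X − Y ∈ [0, 0] after Y := X. Note how join() is applied to two closed octagons, as the union slide requires for the best abstraction, and how forget() closes before clearing a variable's rows and columns, which is the point of the forget-operator figure.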
Conclusion
The Octagon domain adds limited relational information to the
Interval Domain
As opposed to the Polyhedra domain (exponential worst case),
its operations are still polynomial (quadratic memory, cubic time)
A normal form can be computed using Shortest Path Closure
⇒ necessary for emptiness testing and comparison
Has been employed successfully in ASTRÉE to analyse a large
C program (airplane control software)
Reduction of false alarms with reasonable overhead
Only relevant relations are considered (“packs” of variables)