This disclosure relates generally to the field of computer software and in particular to a method of program analysis using abstract interpretation which advantageously expresses non-convex properties.
Efficient program analysis using abstract interpretation typically uses convex domains such as intervals, octagons, zonotopes or polyhedra. However, certain properties of interest require reasoning about non-convex structures. Accordingly, program analysis methods that address these non-convex structures would represent an advance in the art.
An advance in the art is made according to an aspect of the present disclosure directed to a computer-implemented method of program analysis employing a set of new non-convex domains based on the notion of an outer convex region of reachable states and an inner region of unreachable states. Advantageously, this allows non-convex properties to be captured while reasoning entirely with convex regions and operations.
In sharp contrast to the prior art, methods according to the present disclosure will over-approximate reachable states of a program under analysis and under-approximate unreachable states of that program. In that manner, a more precise analysis is performed.
A more complete understanding of the present disclosure may be realized by reference to the accompanying drawings in which:
The following merely illustrates the principles of the disclosure. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the disclosure and are included within its spirit and scope.
Furthermore, all examples and conditional language recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the disclosure and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions.
Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosure, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently-known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
Thus, for example, it will be appreciated by those skilled in the art that the diagrams herein represent conceptual views of illustrative structures embodying the principles of the invention.
In addition, it will be appreciated by those skilled in art that any flow charts, flow diagrams, state transition diagrams, pseudocode, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
In the claims hereof any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a) a combination of circuit elements which performs that function or b) software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function. The invention as defined by such claims resides in the fact that the functionalities provided by the various recited means are combined and brought together in the manner which the claims call for. Applicant thus regards any means which can provide those functionalities as equivalent as those shown herein. Finally, and unless otherwise explicitly specified herein, the drawings are not drawn to scale.
Thus, for example, it will be appreciated by those skilled in the art that the diagrams herein represent conceptual views of illustrative structures embodying the principles of the disclosure.
By way of some additional background, it is noted that a prior approach to non-convex reasoning is to utilize powerset domains of elementary convex domains. In general, it has proved difficult to obtain satisfactory improvements over elementary convex domains with powerset domains while keeping the performance degradation small enough. Furthermore, it is difficult to maintain enough disjunctions in the powerset, depending on the particular non-convex shape being approximated. Note, however, that the recently proposed B
Additional non-convex domains based on congruence analysis (either linear or trapezoid) have been developed. Such domains capture a congruence relation that variables satisfy and are suitable, for instance, for the analysis of array indexes. Recent work by Chen et al. considered a polyhedral abstract domain with interval coefficients. This abstract domain has the ability to express certain non-convex invariants; for example, in this domain some multiplications can be evaluated precisely. Other interesting non-convex abstract domains were introduced to capture specific invariants such as min-max invariants and quadratic templates.
We address a different type of non-convexity commonly occurring in software, which relates to small sub-regions of instability within a normal operating (convex) region of interest. The non-convex region of values that may cause the bug is (under-)approximated using a convex inner region (or hole) that is subtracted from a convex outer region. We call this representation donut domains. Our approach relies on the usual operations defined on the (convex) sub-domains, except for the need to compute under-approximations in the inner domain. Donut domains give a convenient framework to reason about disequality constraints in abstract domains, such as in. They can be considered a generalization of the work on the signed types domain introduced in. There, one starts with a finite set of types and allows a set-minus operation only from the universal set.
Under-approximations have been utilized for applications such as test vector generation and counterexample generation, by providing must-reach sets. Bemporad et al. introduced the notion of inner-approximations of polyhedra using intervals in. In, polyhedra are under-approximated for test vector generation of Simulink/Stateflow models using a bounded vertex representation (BVR). Goubault and Putot describe a method to compute an under-approximating zonotope using modal intervals for non-linear operations.
Herein, we describe a technique to find under-approximations of polyhedra based on a fixed template. We first re-formulate the problem by introducing an auxiliary matrix. This matrix represents the fact that we are looking for an inner polyhedral object of a particular shape. Using this auxiliary matrix re-formulation, we can then use standard convex analysis techniques to characterize under-approximations of polyhedra.
After the step marked initializations, (dx, dy) could be any point in 2 except the origin (0,0). In our analysis, this particular point is kept and propagated forward as a “hole”. After the if-statement, the set of reachable values is (dy>dx ∧ dy>−dx) ∨ (−dy>dx ∧ −dy>−dx). The above region is non-convex; therefore, a classical abstract domain will end up at this control point with T for both variables. Moreover, here, the interpretation of the strict inequality of the test is required to prove that dx≠0. The else case is even harder: in addition to the non-convexity of the set of possible values, one needs to consider the full-zero-test together with the negation of |dy|>|dx| to prove that the division by dy is safe.
In this section we introduce donut domains, and define the operation on donut domains based on operations in the component domains.
Let (1, ≦1, ∪1, ∩1, ⊥1, T1, γ1) and (2, ≦2, ∪2, ∩2, ⊥2, T2, γ2) denote two classical numerical abstract domains, where ≦*, ∪*, ∩*, ⊥*, T*, γ* denote the partial order, the join and meet operations, the bottom and top elements and the concretization function of the classical abstract domain for *∈ {1,2}, respectively.
In this disclosure, we extend a given abstract domain with an under-approximation operator α̌, such that for any concrete object X, we have γ∘α̌(X) ⊂ X. An abstract object X#1\2 of the domain 1\2 is defined by a pair of objects (X#1, X#2), such that X#1 ∈ 1 and X#2 ∈ 2. The object X#1\2 abstracts the set of possible values reached by the variables as follows:
The concretization function is defined as follows.
At this point, one should keep in mind the implicit set of unreachable values implied by γ1(X#1)—namely p\γ1(X#1) denoted in the sequel by
The interval concretization of the variable xk, 1≦k≦p, denoted by [xk], is defined by πk(γ1(X#1)\γ2(X#2)), where πk denotes the orthogonal projection of a given set onto dimension k. Note that [xk]⊃πk(γ1(X#1))\πk(γ2(X#2)). For instance, in ([−2,2]×[−2,2], [−1,1]×[−∞, +∞]), we have [x2]=[−2,2], whereas [−2,2]\[−∞, +∞]=Ø.
We embed 1\2 with a binary relation and prove that it is a pre-order.
Definition 1. Given X#1, Y#1 ∈ 1 and X#2, Y#2 ∈ 2, we say that (X#1, X#2) is less than or equal to (Y#1, Y#2) denoted by (X#1, X#2)≦1\2 (Y#1, Y#2) if and only if X#1≦1 Y#1 and
1(X#1)∪γ2(X#2)⊃
Proposition 1. The binary relation ≦1\2 is a pre-order over 1\2. It defines an equivalence relation ˜ defined by (X#1, X#2)≦1\2 (Y#1, Y#2) and (Y#1, Y#2)≦1\2 (X#1, X#2) and characterized by X#1=Y#1 (X#1≦1 Y#1 and Y#1≦1 X#1), γ2(X#2)⊂γ2(Y#2)∪
With respect to ≦1\2, we have
(⊥1, ⊥2)˜(⊥1, T2)≦1\2 (T1, T2)≦1\2 (T1, ⊥2);
therefore, we define the bottom and top elements of 1\2 by
⊥1\2 def=(⊥1, −) T1\2 def=(T1, ⊥2).
Despite the non-convexity of
Proposition 2. Let (X#1, X#2) and (Y#1, Y#2) be two elements of 1\2 such that γ2(X#2)⊂γ1(X#1) and γ2(Y#2)⊂γ1(Y#1). Then (X#1, X#2)≦1\2 (Y#1, Y#2) if and only if X#1≦1 Y#1 and γ1(X#1)∩γ2(Y#2)⊂γ2(X#2).
The condition γ1(X#1)∩γ2(Y#2)⊂γ2(X#2) can be checked in the abstract world rather than in the concrete domain, provided an expressive enough domain is used for both 2 and 1: for instance, a box and an octagon can both be seen as special polyhedra, and the meet operation of the Polyhedra abstract domain can be used.
Let denote the abstract representation in the Polyhedra domain of the abstract object X#1, that is (γ1(X#1)). To decide whether (X#1, X#2) is less than or equal to (Y#1, Y#2), we proceed as follows:
We start with a simple example to clarify the intuition behind the formal definition given later.
Example 1. Consider a one-dimensional donut domain where 1 and 2 are the Intervals domain. Assume we are interested in computing
The above join yields the following union of four intervals: [0,1)∪(2,3]∪[1,2)∪(5,6], which can be combined without loss of precision into [0,2)∪(2,3]∪(5,6], or equivalently
What the example suggests is that when computing a join of two elements (X#1, X#2) and (Y#1, Y#2), we often end up with multiple (not necessarily convex nor connected) holes defined by (γ2(X#2)∪
An under-approximation of the final element
[1,2]∩([−∞, 1)∪(6, +∞])=ø
[2,5]∩([−∞, 0)∪(3, +∞])=(3,5].
As noted previously, the intersection ([−∞, 1)∪(6, +∞])∩([−∞, 0)∪(3, +∞]) is implicit since it is covered by
where
We may perform heuristic checks to prioritize which hole (if there are many) to keep, which may also depend on the under-approximation abstraction function α̌. For instance, we may choose an inner approximation (if working with closed domains) of the hole (3,5] instead of choosing the hole [2,2]. Notice also that we have a straightforward fallback operator ∩̌fb, which involves only X#2 and Y#2:
The operator is sound with respect to under-approximation. It focuses only on a particular hole, namely γ2(X#2)∩γ2(Y#2), instead of considering all possibilities. In our current implementation, we use this fallback operator in a smart manner: before computing the meet of both holes, we relax these holes, whenever possible, in a convex way. This relaxation is performed by removing all constraints that can be removed while preserving γ1(X#1). For instance, if the hole is the point (0,0), and the abstraction of X#1 is given by the conjunction y≧x ∧ −y≧x, then the hole (0,0) is relaxed to x≧0 (see
For the meet operation, we proceed in a similar manner. If the domain 2 is closed under the meet operation (as almost all polyhedra-like abstract domains are), it is possible to replace α̌ by α, and ∩̌fb by ∩2. In our example, the fallback operator gives the box [2,2].
The meet operator ∩1\2 is defined in a similar manner:
We deliberately omit
Example 2. Consider simple 2-dimensional abstract objects.
When processing loops in abstract interpretation, widening may be required to guarantee termination of the analysis. For donut domains, we extend the widening operators defined on the component abstract domains, using the pair-wise definition of widening operators ∇. We thus define the widening of donut domains as:
(X#1, X#2)∇1\2(Y#1, Y#2)=(X#1∇1Y#1,X#2∩2Y#2).
We use the standard widening operator ∇1 for abstract domain 1. Similarly, we use the standard meet operator ∩2 of abstract domain 2 for the inner region, which ensures the soundness of ∇1\2. The convergence of the first component is guaranteed by the widening operator ∇1. The convergence of the second component, however, needs more attention.
Note that simply using the narrowing operator of 2 is unsound, as it may give a donut object which is not an upper bound. To ensure termination, we add a parameter k which encodes the maximal number of allowed iterations. If the donut object does not converge within those k iterations, the hole component is reduced to ⊥2. Note that using the narrowing operator of 2 instead of ∩2 does not in general give an upper bound of (X#1, X#2) and (Y#1, Y#2).
The ability to express holes allows us to better handle a wide range of non-convex tests such as the ≠ test or the strict inequality test. We start with classical tests. For ⋄∈ {=, ≦}:
where
Such an under-approximation is required so that the newly computed (exact) hole can be encoded in 2. Therefore, if the exact hole fits naturally in 2 (say we have a linear constraint and 2 is the Polyhedra domain), there is no need to under-approximate ([[·]]#2=[[·]]#2). In Section 3, we detail how we compute such an under-approximation whenever needed. If no algorithm is available for the under-approximation, we keep the object n unchanged, which is sound.
The non-equality test is defined as follows:
Although [[xk≠0]]#(X#1) is interpreted as the identity function in standard implementations, nothing prevents the use of any available enhancement provided by the analyzer in use. For the hole, we compute the join of the new hole implied by the constraint xk≠0 together with the already existing hole X#2. If the holes γ2(X#2) and [[xk=0]]T2 do not overlap, we discard X#2. In fact, very often (as will be seen in the experiments), the hole induced by the constraint xk≠0 is mandatory in order to prove the safety of subsequent computations.
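As an added illustration (not code from the disclosure), the following Python sketch instantiates a donut domain with boxes for both the outer region and the hole, and implements the pre-order of Proposition 2, the join with the fallback hole operator, the widening defined above, and the xk≠0 test. The `Donut` class, the rule that keeps the old hole only when it already contains the new {xk=0} slice, and the `division_by_safe` check are assumptions of this example; the last scenario (dx, dy ranging over [−2,2]) is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INF = float("inf")
Box = List[Tuple[float, float]]  # one closed interval per variable

def box_meet(a: Optional[Box], b: Optional[Box]) -> Optional[Box]:
    """Intersection of two boxes; None stands for the empty box (bottom)."""
    if a is None or b is None:
        return None
    out = []
    for (l1, h1), (l2, h2) in zip(a, b):
        lo, hi = max(l1, l2), min(h1, h2)
        if lo > hi:
            return None
        out.append((lo, hi))
    return out

def box_leq(a: Optional[Box], b: Optional[Box]) -> bool:
    """Inclusion a ⊂ b on boxes (the order of the interval domain)."""
    if a is None:
        return True
    if b is None:
        return False
    return all(l2 <= l1 and h1 <= h2 for (l1, h1), (l2, h2) in zip(a, b))

def box_join(a: Box, b: Box) -> Box:
    """Convex hull of two boxes (the interval join)."""
    return [(min(l1, l2), max(h1, h2)) for (l1, h1), (l2, h2) in zip(a, b)]

def box_widen(a: Box, b: Box) -> Box:
    """Standard interval widening: an unstable bound jumps to infinity."""
    return [(l1 if l2 >= l1 else -INF, h1 if h2 <= h1 else INF)
            for (l1, h1), (l2, h2) in zip(a, b)]

@dataclass
class Donut:
    outer: Box            # X#1: over-approximation of the reachable values
    hole: Optional[Box]   # X#2: under-approximation of the unreachable values

    def zero_slice(self, k: int) -> Box:
        """The part of the outer box where x_k = 0 (exactly representable)."""
        return [(0.0, 0.0) if i == k else iv for i, iv in enumerate(self.outer)]

    def leq(self, other: "Donut") -> bool:
        """Proposition 2: X1 <= Y1 and gamma1(X1) ∩ gamma2(Y2) ⊂ gamma2(X2)."""
        return (box_leq(self.outer, other.outer)
                and box_leq(box_meet(self.outer, other.hole), self.hole))

    def join(self, other: "Donut") -> "Donut":
        """Join with the fallback hole operator X2 ∩ Y2 (closed boxes: ∩2)."""
        return Donut(box_join(self.outer, other.outer), box_meet(self.hole, other.hole))

    def widen(self, other: "Donut") -> "Donut":
        """(X1 ∇1 Y1, X2 ∩2 Y2), the widening defined for loops."""
        return Donut(box_widen(self.outer, other.outer), box_meet(self.hole, other.hole))

    def test_neq_zero(self, k: int) -> "Donut":
        """Test x_k != 0: the slice {x_k = 0} becomes a hole. Assumption: keep the
        old hole only if it already contains the slice, else take the slice."""
        new_hole = self.zero_slice(k)
        if box_meet(new_hole, self.outer) is None:  # 0 already unreachable
            return Donut(self.outer, self.hole)
        return Donut(self.outer, self.hole if box_leq(new_hole, self.hole) else new_hole)

    def division_by_safe(self, k: int) -> bool:
        """Division by x_k is safe when {x_k = 0} ∩ gamma1(X1) ⊂ gamma2(X2)."""
        return box_leq(box_meet(self.zero_slice(k), self.outer), self.hole)

def example_1_join() -> "Donut":
    """Example 1 of the text: [0,3] minus [1,2] joined with [1,6] minus [2,5]."""
    return Donut([(0.0, 3.0)], [(1.0, 2.0)]).join(Donut([(1.0, 6.0)], [(2.0, 5.0)]))

def division_after_test() -> tuple:
    """Constructed: dx, dy in [-2,2]; after dy != 0, division by dy is safe, by dx not."""
    s = Donut([(-2.0, 2.0), (-2.0, 2.0)], None).test_neq_zero(1)
    return s.division_by_safe(1), s.division_by_safe(0)
```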
Finally, our approach offers, for free, an interesting abstraction of the strict inequality tests. A comparison with Not Necessarily Closed domains is planned as future work.
We define in this section the abstraction of the assignment transfer function in 1\2. We first give an abstraction of the forget transfer function (non-deterministic assignment):
For Y#2, we basically check whether applying the forget operator to X#2 yields a set that intersects γ1\2(X#1, X#2), by checking whether this newly computed hole is included in the original hole, that is γ2(X#2). If it does intersect, Y#2 is set to ⊥2. For instance, forgetting x2 in
which is included in γ2(X#2). Forgetting x1, however, makes Y#2=⊥2.
The assignment could be seen as a sequence of multiple basic, already defined, operations. We distinguish two kinds of assignments x←e, where e is an arithmetic expression: (I) non-invertible assignments, where the old values of x are lost, such as x←c, c ∈ , and (II) invertible assignments, such as x←x+y. For a non-invertible assignment, we have:
Invertible assignments are defined in a similar manner: first augment the set of variables with a fresh variable, say ν, then enforce the test ν=e, and finally forget x and (syntactically) rename ν to x. Notice that augmenting the set of variables in 1\2 makes the newly added variable ν unconstrained in both components, X#1 and X#2. We can suppose that such a variable ν already exists and is used whenever we have an invertible assignment; hence, we obtain:
We now develop a new technique to under-approximate holes obtained after linear tests. Holes obtained after non-linear tests are so far reduced to ⊥2, which is sound. We plan to improve this as future work. Consider for instance the object ([−2,3]×[−2,2], [−1,1]×[0,1]).
The problem can be seen as follows: given a polyhedron , we seek to compute a maximal (in a sense to be defined) inner polyhedron (boxes, zones, octagons, linear templates, etc., depending on 2) which obeys the template pattern matrix T.
Let ={x ∈ |Ax≦b} be a non-empty polyhedron, where A is a known m×p matrix, b a known vector of m, and x a vector of p. The inner polyhedron is expressed in a similar manner: ={x ∈ p|Tx≦c}, where T is a known n×p matrix, and c and x are unknown vectors within n and p, respectively. The inclusion ⊂ holds if and only if
The consistency of (that is, the system admits a solution in p) discards the trivial (and unwanted) cases where the polyhedron is empty. For the non-trivial cases, the existence of the vector c and the characterization of the set of its possible values are given by Proposition 3.
Proposition 3. Let be the set of c such that is consistent. There exists a vector c ∈ such that ⊂ if and only if there exists an n×m matrix Λ, such that λi,j, the elements of the matrix Λ, are non-negative and ΛT=A. For a given possible Λ, the set cΛ⊂ is characterized by
Proof. Let x denote a vector of p, and b denote a known vector of m. Let A and T be two known matrices with p columns and m and n rows, respectively. Suppose that c is such that is consistent. Therefore, we can assume that
The previous claim of the existence of the non-negative λi,j is a generalization of the classical Farkas' Lemma. The matrix Λ is then constructed column by column using the elements λi,j, 1≦i≦n for the jth column. Of course, by construction, such a Λ has non-negative elements and satisfies ΛT=A and Λc≦b.
On the other hand, if such a matrix exists and the set {c ∈ n|Λc≦b} is not empty, then, since Λ has non-negative elements,
Tx≦c ⇒ ΛTx≦Λc.
Therefore, ΛT=A and Λc≦b give Ax≦b.
It is not obvious in general, given a matrix T, to characterize the set of c such that is consistent. However, given a vector c, we can efficiently check whether the system is consistent or not using its dual form and an LP solver. Indeed, the system Tx≦c is inconsistent if and only if there exists a non-negative vector λ ∈ n such that Tᵗλ=0 and ⟨λ, c⟩<0, where Tᵗ denotes the transpose of T. Therefore, given a vector c, if the objective value of the following problem:
min ⟨λ, c⟩ s.t. Tᵗλ=0, λ≧0 (2)
is non-negative, the system is consistent. Observe that, for simple patterns such as boxes, the characterization of the set of c that makes the system consistent is immediate.
The matrix Λ is built column by column. Let us denote by λ·,j ∈ n the jth column of Λ, by aj ∈ p, 1≦j≦m, the jth row of A, by bj ∈ the jth component of b, and by ti ∈ p, 1≦i≦n, the ith row of T. The vector λ·,j satisfies Σ_{i=1}^{n} λi,j ti = aj. To each feasible λ·,j corresponds a pattern
which is included in the affine subspace
The maximal pattern (with respect to set inclusion) corresponds to
Therefore, computing Λ needs solving p instances of the LP (3).
We have already established (Proposition 3) that the vector c verifies Λc≦b. Since A is known, any feasible c (that is, such that Λc≦b) that makes the system Tx≦c consistent (the objective value of LP (2) is non-negative) gives an under-approximation of that respects our initial template T. It is immediate to see that the set of c lying on the boundary of the feasible region (that is, making Λc=b) gives, in general, a “better” under-approximation than the strictly feasible solutions, since the saturation makes some of the facets of the inner pattern () included in those of the under-approximated polyhedron . Moreover, in some cases, the saturation gives a unique consistent solution for c. For instance, when we under-approximate a shape which already respects the pattern , c is uniquely determined and actually gives b with our technique. In other words, under-approximating an octagon (for instance) with an octagonal pattern gives back exactly the first octagon.
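As an added example (not the disclosure's implementation, which uses GLPK), the following Python code instantiates Proposition 3 for the box template T = [I; −I]: for this template the non-negative Λ with ΛT = A has a closed form, so the inclusion test reduces to checking Λc ≦ b, and the saturated (maximal) inner box along a one-parameter family is found by bisection instead of by solving LP (2)/(3). Λ is stored here with one row per constraint of A so that ΛT = A and Λc ≦ b type-check; the function names and the diamond and rectangle polyhedra are constructed.

```python
from typing import List, Optional, Sequence, Tuple

Matrix = List[List[float]]
EPS = 1e-9

def box_template(p: int) -> Matrix:
    """Template T (2p x p) of a p-dimensional box: rows e_i encode x_i <= u_i and
    rows -e_i encode -x_i <= -l_i, so the template vector is c = (u, -l)."""
    return [[s if j == i else 0.0 for j in range(p)]
            for s in (1.0, -1.0) for i in range(p)]

def lambda_for_box(A: Matrix) -> Matrix:
    """Non-negative Λ (m x 2p) with Λ T = A for the box template: each row a_j
    of A is split as a_j = λ⁺ - λ⁻ with λ⁺ = max(a_j, 0), λ⁻ = max(-a_j, 0).
    Adding slack s to both parts only tightens Λc <= b by s*(u_i - l_i) >= 0,
    so the slack-free split is the most permissive feasible Λ."""
    return [[max(a, 0.0) for a in row] + [max(-a, 0.0) for a in row] for row in A]

def matvec(M: Matrix, v: Sequence[float]) -> List[float]:
    return [sum(mi * vi for mi, vi in zip(row, v)) for row in M]

def certify_inner_box(A: Matrix, b: Sequence[float],
                      lo: Sequence[float], hi: Sequence[float]) -> bool:
    """True iff the box [lo, hi] lies inside {x | A x <= b}, via Proposition 3:
    T x <= c must be consistent (lo <= hi) and Λ c <= b must hold. For boxes
    (Λc)_j is the maximum of a_j · x over the box, so the test is exact."""
    if any(l > h + EPS for l, h in zip(lo, hi)):
        return False                      # inconsistent system: empty inner box
    c = list(hi) + [-l for l in lo]
    lam = lambda_for_box(A)
    T = box_template(len(lo))
    for j, row in enumerate(A):          # Λ T == A holds by construction
        assert all(abs(sum(lam[j][i] * T[i][k] for i in range(len(T))) - row[k]) < EPS
                   for k in range(len(row)))
    return all(lc <= bj + EPS for lc, bj in zip(matvec(lam, c), b))

def scaled_box(center: Sequence[float], radius: Sequence[float], t: float):
    return ([c - t * r for c, r in zip(center, radius)],
            [c + t * r for c, r in zip(center, radius)])

def largest_scaled_box(A: Matrix, b: Sequence[float], center: Sequence[float],
                       radius: Sequence[float], iters: int = 60
                       ) -> Optional[Tuple[List[float], List[float]]]:
    """Largest t with center ± t*radius certified inside the polyhedron: the
    saturated solution (some (Λc)_j = b_j) along this one-parameter family.
    Bisection is valid because the certificate is monotone in t."""
    if not certify_inner_box(A, b, center, center):
        return None                       # centre not inside: no inner box here
    lo_t, hi_t = 0.0, 1.0
    while hi_t < 1e12 and certify_inner_box(A, b, *scaled_box(center, radius, hi_t)):
        lo_t, hi_t = hi_t, 2.0 * hi_t
    for _ in range(iters):
        mid = (lo_t + hi_t) / 2.0
        if certify_inner_box(A, b, *scaled_box(center, radius, mid)):
            lo_t = mid
        else:
            hi_t = mid
    return scaled_box(center, radius, lo_t)

# Constructed sample polyhedra (not from the disclosure).
DIAMOND_A = [[1.0, 1.0], [1.0, -1.0], [-1.0, 1.0], [-1.0, -1.0]]   # |x| + |y| <= 2
DIAMOND_B = [2.0, 2.0, 2.0, 2.0]
RECT_A = [[1.0, 0.0], [0.0, 1.0], [-1.0, 0.0], [0.0, -1.0]]        # 0<=x<=2, 0<=y<=3
RECT_B = [2.0, 3.0, 0.0, 0.0]

def demo():
    """Under-approximate the diamond with a square, and confirm the remark that a
    shape already matching the pattern is recovered exactly by the pattern."""
    square = largest_scaled_box(DIAMOND_A, DIAMOND_B, [0.0, 0.0], [1.0, 1.0])
    rect = largest_scaled_box(RECT_A, RECT_B, [1.0, 1.5], [1.0, 1.5])
    return square, rect
```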
We have implemented donut domains on top of the known A
Division-by-Zero Analysis Results
The WCfS column (above) indicates the weakest condition that we need to infer to prove the safety of the program. Whenever the negation of this condition is verified by (included in) the donut hole, the program is proved safe. The third column shows the inferred donut holes when a non-relational domain (boxes) is used to encode holes. As Table 1 shows, our approach catches almost all of the division-by-zero false positives that classical domains (even non-convex ones) fail to prove; the use of boxes is sufficient to eliminate almost all false alarms here. In the last example, among the two possible holes, namely usemax ∈ [1,10] and usemax ∈ {0}, we choose by default the one created immediately after the test (usemax>10 or usemax<1). Here the safety property cannot be proved with this hole and relies on an earlier (disjoint) hole created by a former test, namely usemax ∈ {0}. We could also systematically choose (as a heuristic) the hole that contains “zero”, which is sufficient here to discard the remaining false alarm. Such a property-driven choice of hole would be an interesting direction for future research.
The proof of the motivating example is really challenging, as it requires handling both the hole that comes from the full-zero-test and the strict inequality tests, together with the over-approximation that comes from the join operation. Our technique of relaxing the hole in a convex way before using the fallback operator works here and is able to prove that in both branches the division is safe. The goc example shows one interesting ability of donut domains: when we compute a convex join of two non-overlapping objects, the hole in between is directly captured, which permits better precision. Finally, example x2 needs a precise interpretation of strict inequalities.
We have implemented our technique of Section 3 using the GLPK solver. Some experiments, obtained for randomly generated polyhedra with an octagonal template, are shown in
is used as a metric for the quality of the under-approximation (shown near each pattern in
All obtained octagons are maximal with respect to set inclusion. It is not clear which choice among the many (see the left graph) is the best. Indeed, such a choice depends on the future computations and the properties one would like to prove.
With reference now to
While not specifically shown in
However, and as may be appreciated by those skilled in the art, certain properties of interest sometimes require reasoning over non-convex regions of reachable states. Turning now to
Notably, sub-figure (a) shows the actual reachable state space as a solid shade. Note that the reachable state space excludes a particular inner unshaded region (for example, an ε-ball around 0 to avoid division by zero).
Sub-figure (b) shows an over-approximation of the reachable state space as computed by the interval domain (depicted as the boxed region). Note that the inner region (hole) is within the box and is therefore treated as reachable.
Sub-figure (c) shows a more precise over-approximation (that is, the over-approximation is tighter) using the polyhedral domain (depicted within the polyhedron). However, even here, the inner region (hole) is regarded as reachable.
Sub-figure (d) highlights one particular incarnation of donut domains according to an aspect of the present disclosure. In particular, it shows an example where both D1 and D2 are the interval domain. Notably, we have under-approximated the inner region (hole) of unreachable states (rectangle in the center circle). This allows us to potentially prove the division by 0 as safe, as long as the under-approximation includes 0. Similar to the degree of precision allowed in defining an over-approximation using different domains, we can also trade off the precision of the under-approximation by choosing various domains for the inner region of unreachable states.
In summary, our method over-approximates reachable states and under-approximates unreachable states. Advantageously, we have defined and described a generic donut domain template that can be instantiated appropriately with various domains.
The donut domains can be viewed as an effort to make some Boolean structure in the underlying concrete space visible at the level of abstract domains as a “set-minus” operator. This allows optimization of the related abstract operators (such as meet and join) to take full advantage of its semantics in terms of excluded states. While powerset domains allow handling non-convex sets, this comes at significant cost. In practice, the full expressiveness may not be needed. We exploit the set-minus operator, which is quite versatile in capturing many problems of interest—division by zero, instability regions in numeric computations, sets excluded by contracts in a modular setting, etc. In the future, we wish to expand the experiments performed using donut domains. Furthermore, other non-convexity issues may be addressed by trying to combine the work on LDDs with insights gained here to allow handling many holes in an efficient manner. Accordingly, the disclosure should be viewed as limited only by the scope of the claims that follow.
This application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/466,522 filed Mar. 23, 2011 which is incorporated by reference as if set forth at length herein.
Number | Date | Country
---|---|---
61466522 | Mar 2011 | US