the octagon abstract domain
TRANSCRIPT
Domains The Octagon Domain Abstract Transfer Functions Analysis Example Conclusion
The Octagon Domain
Bernhard Mallinger
March 6-7th, 2013
Bernhard Mallinger
The Octagon Domain
Outline
1 Domains
2 The Octagon Domain
3 Abstract Transfer Functions
4 Analysis Example
5 Conclusion
1 Domains
Recap: Abstract Domains
- Model states/properties in abstract interpretation of programs
- Manipulated by abstract transfer functions
- Can be composed of different kinds of elements:
  - Properties (e.g. sign, is even)
  - Numeric values, intervals
  - Relations
- Examples: Sign Domain, Interval Domain, Polyhedra Domain
Numerical Domains I
Figure: • represent elements of the domain, spurious elements are marked by ×. Domains always overapproximate in order to be sound.
(figure from Miné (2006))
Numerical Domains II
Assumption: numeric means $\mathbb{R}$
- Interval Domain: $X_i \in [a_i, b_i]$
- Polyhedra Domain: $\sum_i a_{ij} X_i \le b_j$
- Zone Abstract Domain: $\pm X_i \le c_i$, $X_i - X_j \le c_{ij}$ for all $i \ne j$
- Octagon Domain: $\pm X_i \pm X_j \le c_{ij}$ for all $i, j$
Numerical Domains III
- In terms of precision: Interval < Octagon < Polyhedra
- The Interval Domain is non-relational
- The Polyhedra Domain has theoretically unbounded cost (exponential in practice)
- The Octagon Domain is limited to two variables per inequality and no coefficients
  ⇒ quadratic memory / cubic time cost
Motivation: Relational Domains
Not only properties of variables are of interest, but also the relations among them:
    Y := X;
    Z := X - Y;
    Z := 4/Z;
A non-relational domain loses the fact that Y = X after the first line, so it cannot conclude that Z is 0 on the second line and that the division on the third line always fails.
2 The Octagon Domain
Representation: Difference Bound Matrices I
Constraints of the form $\pm X \pm Y \le c$ ⇒ a $2n \times 2n$ matrix $m$
Concretisation function γ:
$\gamma'(m) \stackrel{\text{def}}{=} \{(v_1, \dots, v_n) \in \mathbb{R}^n \mid \forall i, j : v_j - v_i \le m_{ij}\}$
$\gamma(m) \stackrel{\text{def}}{=} \{(v_1, \dots, v_n) \in \mathbb{R}^n \mid (v_1, -v_1, \dots, v_n, -v_n) \in \gamma'(m)\}$
Figure: Octagon representation (figure from Miné (2006))
Representation: Difference Bound Matrices II
Abstraction function α: given concrete values, α computes all entries of m by taking the maximal differences for each pair of variables.
A lattice can be defined:
$m \sqsubseteq n \stackrel{\text{def}}{\iff} \forall i, j : m_{ij} \le n_{ij}$
$(m \sqcup n)_{ij} \stackrel{\text{def}}{=} \max(m_{ij}, n_{ij})$
$(m \sqcap n)_{ij} \stackrel{\text{def}}{=} \min(m_{ij}, n_{ij})$
$m \sqsubseteq n \Rightarrow \gamma(m) \subseteq \gamma(n)$
(γ, α) form a Galois connection.
Figure: Problem: Representation is not unique
(figure from Miné (2006))
Shortest Path Closure
Calculating all-pairs shortest paths yields the smallest (closed) matrix $m^*$:
$m^* = \inf_{\sqsubseteq} \{\, n \mid \gamma(m) = \gamma(n) \,\}$
- All bounds are as tight as possible (saturation)
- Cubic time complexity (e.g. Floyd-Warshall)
- Negative cost cycle in $m$ ⟺ $\gamma(m) = \emptyset$
3 Abstract Transfer Functions
Abstract Transfer Functions
- Abstract transfer functions correspond to semantic operations
- Must be sound, therefore overapproximate
- Some require closed arguments, some return closed ones
Different kinds:
- Set operations such as union/intersection
- Assignment
- Test
- Widening/narrowing
- Conversions to other domains (e.g. Interval, Polyhedra)
Union
Take the largest bounds elementwise:
$m \cup n \stackrel{\text{def}}{=} m \sqcup n$
- The union of two octagons isn't an octagon in general ⇒ an exact abstraction isn't possible, only a best abstraction
- The best abstraction is obtained if m and n are closed
Intersection
Definition similar to union, but result is always exact
Forget-Operator
Figure: Non-deterministic behaviour can be modeled by "forgetting" constraints, but closure is necessary
(figure from Miné (2006))
Assignment I
Handling of assignments depends on the type of the expression. Directly handleable in the octagon domain:
$X \leftarrow \pm[a, b]$
$X \leftarrow \pm Y \pm [a, b]$
e.g. for $X \leftarrow Y + [a, b]$ we get $a \le X - Y \le b$, i.e. the four DBM constraints
$(+X) - (+Y) \le b$, $(-X) - (-Y) \le -a$, $(-Y) - (-X) \le b$, $(+Y) - (+X) \le -a$
Constraints for X w.r.t. other variables have to be discarded.
Assignment II
In case the expression is too complex:
⇒ transform everything to the Interval or Polyhedra domain and do the assignment there
- If using the Interval domain, new constraints can be derived by computing bounds of ±expr ± Y
- Using the Polyhedra domain is applicable to linear expressions and costly, but yields a best abstraction
Test
    X := [-100, 100]
    if X ≥ 0 then
        // X ∈ [0, 100]
    end if
- All tests can be simplified to expr ≤ 0
- Octagonally shaped tests can directly be applied (e.g. X + Y + [a, b] ≤ 0)
- More complex forms can be handled in the Interval or Polyhedra domain (cf. Assignment)
4 Analysis Example
     1  X := [-100, 100]
     2  Y := X
     3  if Y ≤ 0 then
     4      Y := -Y             (state 1 before, state 2 after)
     5  else
     6                          (state 3)
     7  end if
     8                          (state 4)
     9  if Y ≤ 69 then          (state 5, inside the branch)
    10  end if
Octagon at each state:
1: −100 ≤ X ≤ 0 ∧ −100 ≤ Y ≤ 0 ∧ X − Y = 0 ∧ −200 ≤ X + Y ≤ 0
2: −100 ≤ X ≤ 0 ∧ 0 ≤ Y ≤ 100 ∧ −200 ≤ X − Y ≤ 0 ∧ X + Y = 0
3: 0 ≤ X ≤ 100 ∧ 0 ≤ Y ≤ 100 ∧ X − Y = 0 ∧ 0 ≤ X + Y ≤ 200
4: −100 ≤ X ≤ 100 ∧ 0 ≤ Y ≤ 100 ∧ −200 ≤ X − Y ≤ 0 ∧ 0 ≤ X + Y ≤ 200
5: −69 ≤ X ≤ 69 ∧ 0 ≤ Y ≤ 69 ∧ −138 ≤ X − Y ≤ 0 ∧ 0 ≤ X + Y ≤ 138
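The shortest-path closure from the earlier slide and the last step of this example (the test Y ≤ 69 applied to state 4, giving state 5) as an added worked example; this code is not from the slides or from Miné's implementation. It assumes the DBM layout of the γ definition, +X_k at index 2k and −X_k at index 2k+1 with m[i][j] bounding v'_j − v'_i, and it adds the strengthening pass of Miné's strong closure after Floyd-Warshall, which the slides do not mention.

```python
from itertools import product

INF = float("inf")

def idx(sign, k):
    """DBM index of the term sign*X_k: 2k for +X_k, 2k+1 for -X_k (i ^ 1 flips the sign)."""
    return 2 * k + (0 if sign > 0 else 1)

def top(n):
    """Unconstrained octagon over n variables: a 2n x 2n matrix where m[i][j] bounds v'_j - v'_i."""
    return [[0 if i == j else INF for j in range(2 * n)] for i in range(2 * n)]

def add_unary(m, s, k, c):
    """Constraint (or test) s*X_k <= c, encoded as v'_a - v'_(a^1) <= 2c with a = idx(s, k)."""
    a = idx(s, k)
    m[a ^ 1][a] = min(m[a ^ 1][a], 2 * c)

def add_binary(m, s, k, t, l, c):
    """Constraint s*X_k + t*X_l <= c, written to both cells that coherence links."""
    a, b = idx(s, k), idx(t, l)
    m[b ^ 1][a] = min(m[b ^ 1][a], c)
    m[a ^ 1][b] = min(m[a ^ 1][b], c)

def close(m):
    """Floyd-Warshall shortest-path closure plus one strengthening pass (Miné's strong
    closure, an assumption beyond the slide). Returns None on a negative cost cycle,
    i.e. when gamma(m) is empty."""
    size, m = len(m), [row[:] for row in m]
    for k, i, j in product(range(size), repeat=3):   # k is the outermost loop
        m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    if any(m[i][i] < 0 for i in range(size)):
        return None
    for i, j in product(range(size), repeat=2):      # v'_j - v'_i <= ub(v'_j) + ub(-v'_i)
        m[i][j] = min(m[i][j], (m[i][i ^ 1] + m[j ^ 1][j]) / 2)
    return m

def interval(m, k):
    """(lo, hi) of X_k read off a closed DBM."""
    return -m[idx(1, k)][idx(-1, k)] / 2, m[idx(-1, k)][idx(1, k)] / 2

def state_after_test():
    """State 4 of the slide example, then the test Y <= 69 (X is X_0, Y is X_1)."""
    m = top(2)
    add_unary(m, 1, 0, 100); add_unary(m, -1, 0, 100)               # -100 <= X <= 100
    add_unary(m, 1, 1, 100); add_unary(m, -1, 1, 0)                 #    0 <= Y <= 100
    add_binary(m, 1, 0, -1, 1, 0); add_binary(m, -1, 0, 1, 1, 200)  # -200 <= X - Y <= 0
    add_binary(m, 1, 0, 1, 1, 200); add_binary(m, -1, 0, -1, 1, 0)  #    0 <= X + Y <= 200
    add_unary(m, 1, 1, 69)                                          # test Y <= 69
    return close(m)                                                 # state 5 of the slide
```

Closing the matrix is what propagates the new bound on Y to X and to the sums and differences; reading the intervals before `close` would still show X ∈ [−100, 100].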
5 Conclusion
Conclusion
- The Octagon domain adds limited relational information to the Interval Domain
- As opposed to the Polyhedra domain (exponential worst case), its operations are still in P
- A normal form can be computed using Shortest Path Closure ⇒ necessary for emptiness testing and comparison
- Has been employed successfully in ASTRÉE to analyse a large C program (airplane control software)
  - Reduction of false alarms with reasonable overhead
  - Only relevant relations are considered ("packs" of variables)