1 / 38

A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis

This paper presents a novel approach to fully automatic and scalable analysis of array contents using a parametric segmentation functor. By defining abstract domains that allow for the manipulation and analysis of array segments, this work addresses key challenges in array analysis such as element initialization and handling disjunctions. The proposed functor enhances scalability through efficient segment partitioning and unification. The approach is supported by practical examples and provides fine-tuning of precision and cost ratios in existing analyses, ultimately paving the way for improved techniques in program verification and analysis.

dee
Télécharger la présentation

A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco Logozzo, MSR

  2. The problem: Array analysis publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } // here: ∀k.0≤k<j⇒a[k]=11 } if j = 0 then a[0] … not known else if j > 0 ∧ j ≤ a.Length a[0] = … a[j-1] = 11 else impossible Challenge 2: Handling of disjunction Challenge 1: All the elements are initialized

  3. Haven’t we solved it yet? Array smashing Functor abstract domain Scalability Automation Array partitions Automation Template/ annotation based Theorem provers Array expansion Precision

  4. Functor abstract domain by example

  5. Array Materialization publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } } Possibly empty segment Segment abstraction Segment limits

  6. ‘?’ Removal publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } } Remove doubt

  7. Constant Assignment publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } } Scalar variables abstraction (omit a.Length∈ [1, +∞)) ∞ Record j = 0

  8. Test publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  9. Array assignment Materialize segment publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } } Introduce ‘?’

  10. Scalar Assignment publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } } Replace j by j-1

  11. Join publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  12. Segment unification • Unify the segments • Point-wise join • Similar for order, meet and widening

  13. After the first iteration publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  14. Test Remove ‘?' publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++ } }

  15. Array assignment publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  16. Scalar assignement publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  17. Widening publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  18. Fixpoint publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } }

  19. Reduction Remove the empty segment publicvoidInit(int[] a) { Contract.Requires(a.Length > 0); var j = 0; while (j < a.Length) { a[j] = 11; j++; } // here j ≥ a.Length }

  20. Abstract Semantics

  21. The Functor FunArray • Given an abstract domain • B for bounds • S for segments • E for scalar variables environment • Constructs an abstract domain F(B, S, E) to analyze programs with arrays • (Main) Advantages • Finetuning of the precision/cost ratio • Easy lifting of existing analyses

  22. Segment bounds • Sets of symbolic expressions • In our examples: Exp := k | x | x + k • Meaning: { e0 … en } { e’1 … e’m} ≝ e0 =… = en< e’1 = … =e’m { e0 … en } { e’1 … e’m}?≝ e0 =… = en≤e’1 = … =e’m • Possibly empty segments are key for scalability

  23. Disjunction: Partitions & co. publicvoidCopyNonNull(object[] a, object[] b) { Contract.Requires(a.Length <= b.Length); varj = 0; for(var i = 0; i < a.Length; i++) { if (a[i] != null) { b[j] = a[i]; j++; } } }} • Four partitions: • j = 0 ∨ • 0 ≤ j< b.Length-1 ∨ • j = b.Length-1 ∨ • j = b.Length

  24. Disjunction: Our approach publicvoidCopyNonNull(object[] a, object[] b) { Contract.Requires(a.Length <= b.Length); varj = 0; for(var i = 0; i < a.Length; i++) { if (a[i] != null) { b[j] = a[i]; j++; } } }} Segmentation discovered by the analysis

  25. Segment Abstraction • Uniform abstraction for pairs (i, a[i]) • More general than usual McCarthy definition • Wide choice of abstract domains • Fine tuning the cost/precision ratio • Ex: Cardinal power of constants by parity [CC79] publicvoidEvenOdd(int n) { var a = newint[n]; var i = 0; while (i < n) { a[i++] = 1; a[i++] = -1; } }

  26. Segmentation Unification • Given two segmentations, find acommon segmentation • Crucial for order/join/meet/widening: • Unify the segments • Apply the operation point-wise • In the concrete, a lattice of solutions • In the abstract, a partial order of solutions • Our algorithm tuned up by examples • Details in the paper

  27. Read:x = a[exp] • Search the bounds for exp • The search queries the scalar environment σ • More precision • A form of abstract domains reduction • Setσ’= σ [x ↦An ⊔ … ⊔ Am-1]

  28. Write: a[exp] = x • Search the bounds for exp • Join the segments • Split the segment • Adjust emptiness • May query scalar variables environment

  29. Scalar assignment • Invertible assignment x = g(x) • Replace x by g-1(x) in all the segments • Non-Invertible assignment x = g() • Remove x in all the segments • Remove all the empty segments • Add x to all the bounds containing g()

  30. Assumptions (and tests) • Assume x == y • Search for segments containing x/y • Addy/x to them • Assume x < y • Adjust emptiness • Assume x ≤ y • Does the state impliesx≥ y ? • If yes, Assume x == y • Assumptions involving arrays similar

  31. Implementation • Fully implemented in CCCheck • Static checker for CodeContracts • Users: Professional programmers • Array analysis completely transparent to users • No parameters to tweak, templates, partitions … • Instantiated with • Expressions = Simple expressions (this talk) • Segments = Intervals + NotNull + Weak bounds • Environment = CCCheck default

  32. Results • Main .NET v2.0 Framework libraries • Un-annotated code • Analyzes itself at each build (0 warnings) • 5297 lines of annotated C#

  33. More? • Inference of quantified preconditions • See our VMCAI’11 Paper • Handling of multi-dimensional matrixes • With auto-application • Inference of existential ∀∃ facts • When segments interpreted existentially • Array purity check • The callee does not modify a sub-array • …

  34. To Sum up… • Fully Automatic • Once the functor is instantiated • No hidden hypotheses • Compact representation for disjunction • Enables Scalability • Precision/Cost ratio tunable • Refine the functor parameters • Refine the scalar abstract environment • Used everyday in an industrial analyzer • 1% Overhead on average

  35. Backup slides

  36. Is this as Array Partitions? • No • [GRS05] and [HP07] • They require a pre-determined array partition • Main weakness of their approach • Our segmentation is inferred by the analysis • Totally automatic • They explicitly handle disjunctions • We have possibly empty segments

  37. Calls • Orthogonal issue • In the implementation in CCCheck • Havoc arrays passed as parameters • Assignment of unknown if by ref of one element • Assume the postcondition • Array element passed by ref • Ex: f(ref a[x]) • The same as assignment a[x] = Top • Assume the postcondition

  38. Multiple arrays as parameters • Orthogonal issue • Depends on the underlying heap analysis • In CCCheck: • Optimistic hypotheses on non-aliasing • FunArray easily fits in other heap models

More Related