static analysis by abstract interpretationrxg/cpsc509/staticanalysis.pdf · static analysis by...

Static AnalysisBy

Abstract Interpretation

Jeffrey Goh, Peiyu Xiong, Yingying WangNovember 20, 2019

Goals for today

● Get a brief understanding of Static Analysis and Abstract Interpretation

● Design an Abstract Interpreter to analyze a simple program

Outline

● Introduction to Static Analysis

○ What is static analysis

○ Why we need static analysis

○ What can we use static analysis for

● Concrete vs. Abstract Interpretation

● Design an Abstract Interpreter: Sign Analysis

● Theoretical Guarantees for Sound Approximation

● Summary

● References

“Program testing can be used to show the presence of bugs, but never to show their absence.”

- Edsger W. Dijkstra, 1970 [1]

Bugs are Everywhere

4Picture: Patrick Cousot, ICSME’14. https://www.di.ens.fr/~cousot/publications.www/slides-public/2014-10-02-PCousot-ICSME-1-1.pdf [1]: Edsger W. Dijkstra. Notes on structured programming. Technical Report EWD249, Technological University Eindhoven, 1970.

Better to Prove the Absence of Bugs!

Picture: Patrick Cousot, ICSME’14. https://www.di.ens.fr/~cousot/publications.www/slides-public/2014-10-02-PCousot-ICSME-1-1.pdf

Applications of Static Analysis

● Program optimization, e.g.,○ Dead code detection

○ Loop invariants

○ Automatic parallelization

● Program correctness, e.g.,○ Type inference

○ Null pointer dereferences

○ Division by zero error

○ Security vulnerabilities

● Program development, e.g., ○ Debugging

○ Refactoring

○ Program understanding

● Analyze program without running it

● Overview:

○ Type Analysis

○ Dataflow Analysis

○ Point-to Analysis

○ …

○ Abstract Interpretation

Introduction to Static Analysis

● Analyze program without running it

● Overview:

○ Type Analysis

○ Dataflow Analysis

○ Point-to Analysis

○ …

○ Abstract Interpretation

Introduction to Static Analysis

Example: Array Index Out of Bound Problem

i := 0;while (i<5) do

i := i+2…

i := 0

while (i<5)

i := i+2

● I: index of an array

● Examine i for array index out-of-bound exception

i := i+2…

i := 0

while (i<5)

i := i+2

● I: index of an array

i := i+2…

i := 0

while (i<5)

i := i+2

● i: index of an array

i := i+2…

i := 0

while (i<5)

i := i+2

{0,2,4}

{2,4,6}

i := i+2…

i := 0

while (i<5)

i := i+2

{0,2,4,6}

{2,4,6}

Concrete Interpretation

Expensive When Program Scales

i := 0;while (i<500) do

i := i+2…

i := 0

while (i<5)

i := i+2

while (i<500) {0,2,4,....., 500}

{2,4,....., 500}

Expensive When Program Scales

i := 0

while (i<5)

i := i+2

while (i<500) {0,2,4,....., 500}

{2,4,....., 500}

i := 0;while (i<500) do

i := i+2…

👉 Only care about - min(i)- max(i)

Rather, Use Abstract Interpretation

i := 0

i := i+2

[0, 0]

[2, 2]

while (i<500)

i := 0;while (i<500) do

i := i+2…

i := 0

while (i<500)

i := i+2

[0, 0]

[0, 2]

[2, 4]

● Examine i for array index out-of-bound exception👉 Only care about - min(i)- max(i)

i := 0;while (i<500) do

i := i+2…

i := 0

while (i<500)

i := i+2

[0, 0]

[0, 4]

[2, 6]

i := 0;while (i<500) do

i := i+2…

i := 0

while (i<500)

i := i+2

[0, 0]

[0, 498]

[2, 500]

👉 Only care about - min(i)- max(i)

i := 0;while (i<500) do

i := i+2…

i := 0

while (i<500)

i := i+2

[0, 0]

[0, 500]

[2, 500]

[500,500]

i := 0;while (i<500) do

i := i+2…

RE Ron’s Question: What is Abstract Interpretation (AI)?

● Formal verification

○ Proving that its semantics (describing "what the program executions actually do")

satisfies its specification (describing "what the program executions are supposed

to do").

● Sound approximation of the semantics of computer programs

○ No conclusion derived from the abstract semantics is wrong relative to the program concrete semantics and specification

● May result in false alarm/ false positives

Abstraction must be Sound

Error / Failure / Unexpected behavior ..

Diagram inspired by: Patrick Cousot, ICSME’14. https://www.di.ens.fr/~cousot/publications.www/slides-public/2014-10-02-PCousot-ICSME-1-1.pdf

Abstraction should be Precise

Acceptable (but not ideal)

Better

Much Better!

Concrete value C

Concrete value C’

OperationalSemantics

Abstract Interpretation Processes

Concrete Domain

Abstract Domain

Concrete value C

Concrete value C’

Abstract value A

Abstract value A’

Concrete Domain

Abstract Domain

Concrete value C

Concrete value C’

Abstract value A

Abstract value A’

Abstraction (α)

Concretization (𝛄)

Concrete Domain

Abstract Domain

Concrete value C

Concrete value C’

Abstract value A

Abstract value A’

Abstract semantics

Concrete Domain

Abstraction (α)

Sign Analysis: • Tracks the sign (+, -, 0) of variables

Can be used for:

• Program correctness: • Division by zero

• Banking program erroneously allow for negative

values

• Program optimization:

• Store pos values as unsigned integers or 0s as

“false” Boolean literals

• ...

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

Is x always ≥ 0 in this program?

Abstract Domain

Concrete value C

Concrete value C’

Abstract value A

Abstract value A’

Abstract semantics

Abstraction (α)

Concrete Domain

❷ Concretization (𝛄)

● Select the Abstract Property:

● Identify the Abstract Domain:

Step 1: Design an Abstract Domain

Sign of integers

Sign = { + , - , 0 }

Is x always ≥0 in this program?

Abstract Domain

Concrete value C

Concrete value C’

Abstract value A

Abstract value A’

Abstract semantics

Abstraction (𝛂)

Concrete Domain

Step 2: Abstraction and Concretization Functions

● Abstraction function (𝛂): maps sets of concrete elements to the most precise value in the abstract domain

Step 2: Abstraction and Concretization Functions

● Concretization function (𝛄): maps abstract value back to the sets of concrete elements

Quiz! (Kidding)

Syntax

Function definition Concrete (Eval) & Abstract (AEval)

Prove the following propositions:

Example from John A. Paulson. Abstract Interpretation. 2015. https://www.seas.harvard.edu/courses/cs252/2015fa/lectures/Lec05-AbstractInt.pdf

Abstract Domain

Concrete value C

Concrete value C’

Abstract value A

Abstract value A’

Abstract semantics

Abstraction (α)

Concrete Domain

Step 3: Abstract Semantics

To ensure the soundness of abstract interpretation, the abstract semantics must faithfully models concrete semantics

* Diagram: Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014.https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

Assumption: assume abstract semantics for control structures (if-condition and while-loop) have relatively similar structure in operational semantics.

Addition Subtraction Multiplication

Boolean

Diagrams from Anders Møller and Michael I. Schwartzbach. Static Program Analysis Part 3 - lattices and fixpoints. https://cs.au.dk/~amoeller/spa/3%20-%20lattices%20and%20fixpoints.pdf

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

Z => ZeroP => Positive

Example from Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014.https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

Conclude all possible behaviors → go into all branches in this program

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

}Combine the solution from two branch

53• When the information mismatch → take the union of them

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

Second Iteration

54• When the information mismatch → take the union of them

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

Second Iteration

• No update from more iterations → reach the fixed point of the program

• Stable Over Approximation from fixed point program

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

Third Iteration

x = 0; y = 1;

while (y<=n) {

if (z==0){x = x+1;

}else{

x=x+y;}y=y+1;

x is never less than 0 !

Limitations of Abstract Interpretation: lost precision

57Example from Emina Torlak. Static Analysis. Lecture Note. 2016. https://courses.cs.washington.edu/courses/cse403/16au/lectures/L15.pdf

The Abstraction should be Built based on the Needs

58Slide from Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014.https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

Theoretical guarantees for safe approximation?

Theoretical guarantees for safe approximation?● Abstract Domain is a Lattice with finite height

● Abstraction function (𝛂) and Concretization function (𝛄)

form a Galois Insertion

Background, Set Theory: Partial orders

Partial order (S, ⊑) is a binary relation ⊑ on set S that satisfies:

• Reflexivity: ∀x ∈ S. x⊑x

• Transitivity: ∀x,y,z ∈ S. x⊑y ⋀ y⊑z ⟹ x⊑z

• Anti-symmetry: ∀x,y ∈ S. x⊑y ⋀ y⊑x ⟹ x=y

Assume