Widening with Thresholds for Programs with Complex Control Graphs

HAL Id: inria-00606961

https://hal.inria.fr/inria-00606961

Submitted on 7 Jul 2011

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Widening with Thresholds for Programs with Complex Control Graphs

Lies Lakhdar-Chaouch, Bertrand Jeannet, Alain Girault

To cite this version:

Lies Lakhdar-Chaouch, Bertrand Jeannet, Alain Girault. Widening with Thresholds for Programs with Complex Control Graphs. [Research Report] RR-7673, INRIA. 2011, pp.17. �inria-00606961�

a p p o r t

d e r e c h e r c h e

ISSN0249-6399ISRNINRIA/RR--7673--FR+ENG

Domaine Algorithmique, programmation, logiciels et architectures

Widening with Thresholds for Programs with Complex Control Graphs

Lies Lakhdar-Chaouch — Bertrand Jeannet — Alain Girault

N° 7673

Juillet 2011

Centre de recherche INRIA Grenoble – Rhône-Alpes 655, avenue de l’Europe, 38334 Montbonnot Saint Ismier

Téléphone : +33 4 76 61 52 00 — Télécopie +33 4 76 61 52 52

Lies Lakhdar-Chaouh ,Bertrand Jeannet ,Alain Girault

Domaine:

Équipe-ProjetPOP-ART

Rapport dereherhe n°7673 Juillet 2011 17 pages

Abstrat: Thepreisionofananalysisbasedonabstratinterpretationdoesnot onlydepend

ontheexpressivenessoftheabstratdomain,butalso onthewayxpoint equationsaresolved:

exat solving is often not possible. The traditional solution is to solve iteratively abstrat

xpointequations,usingextrapolationwithawideningoperatortomaketheiterationsonverge.

Unfortunately, theextrapolationtoooften losesruialinformation for theanalysisgoal.

Alassialtehniqueforimprovingthepreisioniswideningwiththresholds,whihbounds

theextrapolation. Itsbenet strongly dependsonthe hoie ofrelevant thresholds. In thispa-

per we propose a semanti-based tehnique for automatially inferring suh thresholds, whih

appliesto anyontrol graph,be itintraproedural,interproedural or onurrent, withoutspe-

iassumptions ontheabstratdomain. Despite itstehnial simpliity,our tehnique isable

to inferthe relevant thresholds inmanypratial ases.

Key-words: Abstrat Interpretation, Numerial and Symboli Abstrat Domains, Convex

Polyhedra, Semanti EquationSolving, Widening

ontrle omplexe

Résumé: Lapréisiond'uneanalysefondéesurl'interprétationabstraitedépendnoseulement

de l'expressivité dudomaine abstrait, maisaussi de lafaçon dont les équations abstraitessont

résolues: lasolutionoptimalen'esteneetpastoujorsalulable. Latehniquetraditionnelleest

derésoudreitérativementleséquations depoint-xeabstraites,en eetuantdesextrapolations

à l'aide d'un opérateur d'élargissement pour faire onverger les itérations. Malheureusement,

es extrapolations induisent fréquemment la perte d'informations ruiales pour l'objetif de

l'analyse.

Une tehnique lassique pour améliorer la préision est l'élargissement ave seuil , qui

bornel'extrapolation. Soneaitédépendfortementduhoixdeseuilspertinents. Nouspropo-

sonsiiunetehnique denaturesémantiquepourinférerautomatiquement desseuilspertinents,

quis'appliqueànimportequelgraphedeontrle, qu'ilsoitintraproédural,interproédural ou

onurrent, sans hypothèse spéique sur le domaine abstrait. malgré sasimpliité tehnique,

ette tehnique infère lesseuils pertinentsdansbeauoup deas pratiques.

Mots-lés: Interprétationabstraite,Domaineabstraitsnumériquesetsymboliques,Polyèdres

onvexes,Résolution d'équations sémantiques, Élargissement

1 Introdution and Related Work

Many stati analysisproblems boil down to the omputation of theleast solutionof a xpoint

equation X = F(X), X ∈ C ^where C ^{is a domain of onrete} properties, and F ^{a funtion}

derived from the semantis of the analyzed program. Abstrat Interpretation [1 ℄ provides a

theoretialframeworkforreduingthisproblemtothesolvingofasimplerequationinadomain

A ^ofabstrat properties:

Y =G(Y), Y ∈A ⁽¹⁾

Having performed this stati approximation, one is left with the problem of solving Eqn. (1).

The paper fouses on this problem. It onsiders the traditional iterative solving tehnique

with widening and narrowing, and fouses more speially on the widening with thresholds

tehnique. We rstreviewexistingtehniquesbeforepresentingour approah.

Exat equation solving. Some tehniques have been reently proposed for solving diretly

Eqn. (1 ) inthe ase where onrete properties are invariants on numerial variables. In [2, 3 ℄

lasses of equations on intervals are identied,for whih the leastsolution an be omputed in

polynomialtime. Poliyiteration methods,inspiredbygametheory,solveEqn.(1 )bysolvinga

suessionof simpler equations Y =Gπ(Y) ^{indexedbya poliy} π^{. Theyhave been applied for}

instanetointervals[4,5℄andtemplatepolyhedra[6,7℄. However,suhapproahesareurrently

restritedtodomainsthatinferlower/upperboundsonaxedsetofnumerialexpressions. This

exludesnumerialabstratdomainslikeonvexpolyhedra[8℄ orsymboli abstratdomainsfor

sets ofwords[9 ℄ or terms[10℄. Hene, they donot make obsoletethelassial iterative method

desribed next.

b

b

b b

b

b

b

b

b

G(Y)⊑Y

G(Y)⊒Y G(Y) =Y

⊤

gfp(G)

lfp(G)

⊥ Y0

Y1

Y2

Y∞ Z0

Z1

Z2

Figure1: Kleene iteration with

wideningand narrowing Approximateequationsolvingbywidening/narrowing.

Under the lassial hypothesis the sequene Y₀ = ⊥, Y_n+1 = G(Y_n) ^{onverges to} lfp(G)^{. However, this method is eetive}

onlyifA ^{doesnot ontaininniteasendingsequenes,whih}

is not the ase in all the abstrat latties mentioned above.

Abstrat Interpretation proposes to extrapolate the limit by

usinga widening operator ∇:A×A→A^{. Oneomputesthe}

asendingsequene

Y₀=⊥, Y_n+1 =Yn∇G(Yn) ⁽²⁾

whih onverges within a bounded number of iterations to a

post-xpoint Y∞ ⊒ lfp(G)^{, see Fig. 1. The} approximations induedbywidening anbepartiallyreovered byperforming

afew desendingiterations dened bythe sequene

Z₀ =Y_∞, Z_n+1 =G(Z_n) ⁽³⁾

Thisisthemostommoninstaneoftheoneptofnarrowing (see[11℄). Inpratie,desending

sequenes propagatesguards inthe Control FlowGraph (CFG)of theprogram.

The use of widening adds dynami approximations to the stati approximations indued

by thehoie of the abstrat domain. Although it isshown in[11 ℄ that abstrat domainswith

innitelyasendingsequenesandisoverpropertiesthatsimplerabstratdomainsannotinfer,

these dynami approximations often raise auray issues. For instane, for many numerial

abstrat domains (like intervals [12 ℄, otagons [13℄ and onvex polyhedra [8 ℄) the standard

wideningonsistsinkeepinginthe resultR=P∇Q^{thenumerialonstraintsof}P ^thatarestill

satised by Q^{. Despite thislear geometrial intuition, intheontext of program analysisit is}

diult topreditand tokeepunderontrol thelossof information itindues. Moregenerally,

to the best of our knowledge, no widening operator is monotoni and widening is ultimately

a heuristi method. Moreover, as we will show in Setion 3, narrowing often fails to reover

important information lost by widening, even on simple examples. In the extreme ase where

thefuntion G^{isextensive (i.e.,}∀Y ∈A, Y ⊑G(Y)^{),narrowing hasno eetat all.}

Tehniques for ontrolling dynami approximations. Several tehniques have been de-

signed to address the widening problem. One approah is to propose improved widening oper-

ators, like [14, 15, 16 ℄. Other approahes are more global. For instane, abstrat aeleration

aimsat omputing preisely witha single formula theeet of aelerable yles intheCFG

[17 ℄, and relies on widening for more omplex yles. The guided stati analysis tehnique of

[18 ℄ alternates asendinganddesendingsequenes on aninreasinglylarger partofthesystem

of equations. Thismethodapplies to anyabstrat domain and itimproves theauray ofthe

analysis in many ases, but it relies ultimately on the eetiveness of narrowing, whih is far

frombeingguaranteed (see Setion3).

Wideningwiththresholds. Amongloaltehniques,wideningup-toorwideningwiththresh-

olds attemptstoboundtheextrapolationperformedbythestandardwidening∇^{operator[8,19℄.}

The idea is to parameterize ∇ ^{with a nite set} C ^{of threshold} onstraints, and to keep in the resultR =P∇CQ^{those onstraints} c∈ C ^{that arestill satisedby}Q^: P∇CQ= (P∇Q)⊓ {c∈ C | Q |= c}^{. In pratie, one} extrapolates up to some threshold; in the next iteration, either thethreshold is still satised and the result isbetter than withthestandard widening, or it is

violated and oneextrapolatesupto theremaining thresholds.

Onsimple exampleswitharelevant hoie ofthresholds, wideningwiththresholds doesnot

improve uponstandard widening and narrowing. However, intheases where narrowing isnot

eetive, widening withthresholds maybehave muh better: similarly to abstrat aeleration

tehniques, widening with thresholds prevents from going too high in the lattie of properties

(seeFig.1)andfrompropagatinginaurateinvariantsintheCFGoftheprogram,whihannot

bestrengthenedlater bynarrowing. However,thebenetprovidedbywidening withthresholds

fullydependson the hoie ofthe thresholds.

Our ontribution: thresholds inferene. Thispaper developsa semanti-based tehnique

toinferautomatiallyrelevantthresholds,bypropagatingonstraintsintheCFGoftheprogram

inan adequateway.

After givingin Setion 2some preliminaries about iterative equation solving withwidening

and narrowing, Setion 3 applies it to several small examples to illustrate the strengths and

weaknessesof narrowing. Wealso analyzearefullythe problemof inferringrelevantthresholds

on these examples and we show that, although widening with thresholds is dened as a loal

improvementofthestandardwidening,therelevantthresholdsdependonmoreglobalproperties

of the program. After having progressively given the hints behind our inferene tehnique,

Setion 4formalizesitinageneriway,illustratesitontherunningexamples, anddisussesits

appliation to more omplexabstrat domains.

Setion5evaluatesitonanumberofexampleprogramsandomparesitw.r.t.botheieny

and preision to guided stati analysis [18℄ and poliy iteration [4 ℄. This omparison shows

that our tehniques is almost always as or more preise than the mentioned tehniques for

all the examples we tested. w.r.t. eieny, our tehnique is slightly slower for sequential,

intraproedural programs. We also disuss the less favorable ases of interproedural and/or

onurrent programs.

A strength of our approah is thatitan easily be ombined withother approahes aiming

at improving dynami approximations, in partiular abstrat aeleration [17℄, whih may be

more preisethan our inferenetehnique when it is appliable.

2 Preliminaries and Notations

Theequationstobesolved. Weassumeastatianalysisproblemformalizedasanequation

system

X^(k)=F^(k)(X) X= (X⁽¹⁾, . . . , X^(K))∈C^{K (4)}

where X^(k) ∈ C ^{is typially the onrete property assoiated with a node of the CFG of the}

program. The tehnial assumptions are that (C,⊆) ^{is a omplete lattie ordered by logial}

impliation,andthefuntionsF^{(k)areontinuous. Intheaseofanimperativeprogramwithout}

proedure all, we have an intraproedural CFG and Eqn. (4) an be rewritten into a system

X^(k) =S

k^′;kF^k′;k(X^(k′)) ^where F^{k′;k is the semanti funtion assoiated to the CFG edge} k^′ ; k^{. In relational in}terproedural analysis however, the proedure return operation may ombine both the information at the all-site inthealler and at theexit-siteof theallee, see

for instane[20 , 21℄.

Weassumeanabstratdomain (A,⊑) ^onnetedtoC ^{withamonotone} onretizationfun- tionγ :A→C^{,yielding thesystemof equations}

Y^(k)=G^(k)(Y) Y = (Y⁽¹⁾, . . . , Y^(K))∈A^{K (5)}

derivedfromEqn.(4)inthesensethat∀k:γ◦G^(k)(Y)⊇F(γ(Y⁽¹⁾). . . γ(Y^(K)))^{. Thefuntions} G^{(k) are assumed to be monotoni and} A ^{is assumed to be a lattie equipped with a widening}

operator ∇:A×A→A^{satisfying the tehnial} assumptions desribed in[11 ℄.

Inalltheexamplesofthispaper,thestatianalysisproblemistheomputationofreahable

valuesofthenumerialvariablesofaprogram. A^{willbetheonvexpolyhedradomain,equipped}

withits standard wideningoperator,see [8 ℄for the full denition.

Solving by Kleene haoti iteration. In all the examples, in order to solve Eqn. (5), we

applythetehniqueofBourdonle[22 ℄,i.e.,haoti iterationswithwidening. Thatis,wefollow

theiterationorder1. . . K ^{andweapplywidening tothesubset}W ^{ofwideningnodesasfollows:}

Y₀^(k) = ⊥ Y_n+1^(k) = (

Yn^(k)∇Y^{′ if}k∈W Y^{′ otherwise}

where Y^′ =G^(k)(Y_n+1⁽⁰⁾ . . . Y_n+1^(k−1), Yn^(k). . . Yn^(K))

(6)

Thesubset W ^{is suhthat anydependeny yleinEqn. (5)ontainsa nodein}W^{. Narrowing}

by desending iteration (Eqn. (3)) isperformed similarly on apartitioned system. Inpratie,

onerstdeomposesthedependenygraphinduedbythesystemofequations(5)intostrongly

onneted omponents, and then one solves eah omponent using widening and narrowing

following alinearized orderompatible withthe topologial orderbetween omponents.

3 The widening/narrowing approah in pratie

Thissetionillustratesthewidening/narrowing approahfortheanalysisofnumerial variables

ofsmallexamples. Itpointsoutthe limitationsofnarrowing forreovering theinformationlost

by widening,and gives theintuitionabout howto infer relevant threshold onstraints. We end

thesetionwiththe rationale for theinferenemethod we proposeinSetion 4.

var i,j:int;

begin

i=0; j=10;

while i<=j do

i = i+2;

j = j-1;

done;

end

1

2

3 i= 0 j= 10

i≤j?

i=i+2 j=j−1 i≥j+1?

Asendingsequene

n Yn⁽²⁾ Yn⁽³⁾

1 i= 0∧j= 10 2 i+2j= 20∧0≤i≤2 3^′ i+2j= 20∧0≤i≤4

3 i+2j= 20∧0≤i i+2j= 20∧22≤3i

Desendingsequene

n Zn⁽²⁾ Zn⁽³⁾

1 i+2j= 20∧0≤3i≤26 i+2j= 20∧22≤3i≤26

Figure2: Example: single loop

3.1 Analysis of a simple loop program

Our introdutory example is the program depited on Fig. 2 . The double-line around a CFG

node indiates a widening node inW^{. Thetable on the right details theKleene iteration with}

widening and narrowing (desending sequene), starting from⊥ ^{at thetwo node} 2 ^and 3^{. In}

thesteps1and2,thewideningoperatorhasnoeet. Therowindexedby3'orrespondstothe

omputation of Y^{′ inEqn. (6). Instep3, wehave} Y₃⁽²⁾ =Y₂⁽²⁾∇Y₃⁽²⁾′ ^{and theeet of widening}

isthelossoftheupperboundoni^{. Onedesendingstepdisoverstheonstraint}i≤26/3^,whih

omes fromthe postonditionof Y₃^{(2) bytheloop:}

∃i, j:

impliedbyY₃⁽²⁾

z }| { i+2j= 20∧

looptransition

z }| {

i≤j∧i^′=i+2∧j^′=j−1

= (i^′= 20−2j^′ ∧ i^′≤j^′+3 )

⇒ i^′≤20−2(i^′−3)

| {z }

= 3i^′ ≤26

(7)

This examplealls fortwo important observations:

(1) The invariant Z^{(3) at point} 3 ^{an be rewritten into} i+ 2j= 20∧8−²₃ ≤i≤8 +²₃^{. This}

means thati≤26/3 ^{isthe right bound for}i^{at node} 2 ^{ifone abstratsawaythearithmeti}

properties.

(2) If one wants to use widening with thresholds, the guard of the loop i≤j ^{is not a useful}

thresholdonstraint. Starting fromstep 3,wewouldobtain

Y₃⁽²⁾ = Y₂⁽²⁾∇{i≤j}Y₃⁽²⁾′ =i+2j= 20∧0≤i≤j Y₄⁽²⁾′ = G(Y₃⁽²⁾) =i+2j= 20∧0≤i≤j+3 Y₄⁽²⁾ = Y₃⁽²⁾∇{i≤j}Y₄⁽²⁾′ =i+2j= 20∧0≤i

Theeet ofusing thisthreshold onstraint allowsus to keep theonstraint i≤j ^{at step}3^,

but this bound isviolated at step 4^{′ bythe} postonditionof theloop transition,hene this doesnot hange thenal result.

The important point here is that the important onstraint in a simple while loop is the

postondition of the guard of the loopby the loop body,herei≤j+3^{,see Eqn.(7 ).}

3.2 Four problemati examples

Two non-deterministiloops. TheCFGofFig.3istypiallytheresultoftheasynhronous

parallel produt of two threads with a simple loop. It shows the limitation of desending se-

quenes. The asending sequene onverges to Y⁽²⁾ = 0≤i∧0≤j^{. The desending sequene}

1

2

3

i=j= 0 (a)

i≤9?

i=i+1

i≥10∧j≥10?

(b) j≤9?

j=j+1

Figure 3: Example: two non-

deterministi loops

begin

i=0;

while true do

if ? then

i=i+1;

if i>=100 then

i=0;

done;

end

1

2

3 i= 0

i=i+1

i≤99? i≥100?

i= 0

Figure4: Example: a singleloop withbreak

var i,j:int;

begin

i=0; j=0;

while i<=9 do

j=0;

while j<=9 do

j=j+1;

done;

i=i+1;

done;

end

1

2 3

4 i=j= 0

i≤9?

j= 0

j≥10?

i=i+1

j≤9?

j=j+1

i≥10?

Asendingsequene

n Yn⁽²⁾ Yn⁽³⁾

1 i=j= 0 i=j= 0 2^′ i=j= 0 i= 0∧0≤j≤1

2 i=j= 0 i= 0∧0≤j 3^′ 0≤i≤1∧10i≤j 0≤i≤9∧0≤j

3 0≤i ∧10i≤j 0≤i ∧0≤j 4^′ 0≤i ∧0≤j 0≤i ∧0≤j

4 0≤i 0≤i ∧0≤j

Desendingsequene

n Zn⁽²⁾ Zn⁽³⁾

1 0≤i ∧0≤j 0≤i ∧0≤j≤10 2 j≤10i ∧0≤j≤10 0≤i ∧0≤j≤10

Figure 5: Example: nested loop

failsto improve it:

Z₁⁽²⁾ = G^1;2(Y⁽¹⁾) ⊔ G^2;2(a)(Y⁽²⁾) ⊔ G^2;2(b)(Y⁽²⁾)

= {i=j= 0} ⊔ {1≤i≤10∧0≤j} ⊔ {0≤i∧0≤j≤10}

= {0≤i∧0≤j}

The problem is that, for both variables i^and j^{, there is always one inoming edge in node} 2

that propagates an invariant without an upper bound on it. As a result, no variable gets an

upperbound inthe result.

A single loop with break. Another example, inspired by a real ontroller, is depited on

Fig.4 . The dashedself-loopomes fromthenon-deterministi test ? modeling aninput from

the environment. When the then branh is not taken, nothing happens in the loop body.

It makes the transfer funtion on node 2 ^extensive: G⁽²⁾(Y) ⊒ G^2;2(Y⁽²⁾) = Y^{(2). Hene,}

the desending sequene will never improve the invariant Y⁽²⁾ = i≥0 ^{found by the asending}

sequene.

Nested loop. The nestedloop program ofFig. 5ontains two wideningnodes 2 ^and 3 ^and

raises some additional issues. The asending sequeneloses thetwo onstraints j≤10 ^{(step 2)}

and i≤10 ^{(step 3) as expeted (it even loses} 0≤j ^{at step 4). The desending sequene rst}

reovers j≤10 ^{at point} 3^{, but then failsto reover}i≤10 ^{at point} 2^{. Theproblem is similar}

to the problemwiththe non-deterministi loopsofFig. 3:

ˆ at point 2^{, theinoming edge} 3 ; ^{2 is not guardedby} i≤9^,and

ˆ at point 3 ^{the self-loop} 3 ; ^{3 isalso notguarded by}i≤9^.

Hene, i≤10^{isneitherreoveredatnode} 2 ^nor 3^{. Onthis example,theguidedstatianalysis}

of [18℄also failsto disoverthisbound.