Program Analysis

10. Advanced Iteration Techniques

Kihong Heo

Advanced Analysis Techniques

• So far, our focus has mostly been on sound abstract semantics

• From now on, we will cover several advanced techniques to achieve efficient
  and accurate analysis

[Figure: two side-by-side diagrams of program states and error states]

10. Advanced Iteration Techniques CS524 / KAIST Kihong Heo 2 / 18

Iteration Strategies

• Loop invariant inference: sequences of abstract iterations

• Compute weaker and weaker abstract states until stabilization (via join and widening)

• “Loop is evil”: a main source of imprecision in static analysis

• Need for techniques to improve precision



Problem 1: Overused Widening

• Recall the worklist algorithm


  X : L → M♯
  F♯ : (L → M♯) → (L → M♯)
  Worklist : ℘(L)
  begin
    Worklist ← L
    X ← ⊥
    repeat
      (w, Worklist) ← pop(Worklist)
      m♯_old ← X(w)
      m♯_new ← ⨆ { m♯_in | ⟨l, X(l)⟩ ↪♯ ⟨w, m♯_in⟩ }
      m♯_new ← m♯_old ▽ m♯_new            ← Widening everywhere?
      if m♯_new ⋢ m♯_old then
        X(w) ← m♯_new
        Worklist ← Worklist ∪ { l | ⟨w, m♯_new⟩ ↪♯ ⟨l, _⟩ }
      endif
    until Worklist = ∅
    return X
  end



Example

• Consider an analysis with the interval abstract domain

[Figure: control-flow graph with a branch at label 0 into label 1 (x = 1, giving x ↦ [1,1]) and label 2 (x = 0, giving x ↦ [0,0]), both flowing into the merge label 3]

• Label 3 is a merge point, not a loop head, so a join would suffice there (x ↦ [0,0] ⊔ x ↦ [0,1] = x ↦ [0,1]); the algorithm of the previous slide applies widening anyway and loses the upper bound:

  x ↦ [0,0] ▽ x ↦ [0,1] = x ↦ [0,+∞]  😟



Solution: Selective Widening

• Apply widening only when the label is the target of a cycling control flow

• e.g., while-loop heads, targets of cycling gotos, (spurious) call-cycle

• For other labels, apply the join operation instead

Case 1: Loop Heads

  // i = [0,0]
  // x = [0,1]
  while (*) {
    if (x == 1) {
      x = x - 1;
    } else {
      x = x + 1;
    }
    …
    i++;
  }

• At the loop head (the target of the back edge), widening is applied:

  i ↦ [0,0] ▽ i ↦ [0,1] = i ↦ [0,+∞]

• At the merge after the if, which is not a cycle target, a join is applied instead:

  x ↦ [0,0] ⊔ x ↦ [0,1] = x ↦ [0,1]  👍


Case 2: Call-cycle

• Widening when a recursive call-cycle exists

  void f() {
    g++;
    f();
    return;
  }

[Figure: call graph of f; its body (g++; f(); return) calls f again, so the entry of f is the target of a cycle and is widened (▽)]



Case 2: Call-cycle (Cont’d)

• Widening even when only a spurious cycle exists

• For example, in a context-insensitive analysis

  int main() {
    f();   // f is non-recursive
    f();
    return;
  }

[Figure: both call sites share a single entry and exit of f (whose body is g++; return), so entry → body → exit → second call site → entry forms a cycle that no real execution follows; the entry of f is still widened (▽)]



Caveat

• In general, cycle detection cannot be done before analysis

• control flow is dynamic (e.g., higher-order functions, exceptions, etc.)

• Possible solutions:

• online cycle-detection (during analysis): precise but costly

• offline cycle-detection with pre-analysis (before analysis): imprecise but lightweight

Problem 2: Hasty Join
  x = ?; // any value
  i = 1;
  while (i > 0) {
    if (x < 0 || x > 1000) {
      // x is [-∞, +∞] here in the first iteration (initialization step)
      x = 0;
    } else {
      // [0, 1000]
      x = x + 1;
    }
    input(i);
  }
  // actually, x is in [0, 1001]

• The abstract value for x with a naive approach would be [-∞, +∞]: the unknown initial value of x is joined at the loop head with the values produced by the body, and [-∞, +∞] ⊔ [0, 1001] = [-∞, +∞]

• Idea: detach the first iteration from the rest

Solution: Loop Unrolling

Original:

  x = ?; // any value
  i = 1;
  while (i > 0) {
    if (x < 0 || x > 1000) {
      x = 0;
    } else {
      x = x + 1;
    }
    input(i);
  }
  // actually, x is in [0, 1001]

Unrolled (the first iteration is detached from the rest):

  x = ?; // any value
  i = 1;
  // first iteration
  if (x < 0 || x > 1000) {
    x = 0;
  } else {
    x = x + 1;
  }
  input(i);
  // x is in [0, 1001]
  // rest
  while (i > 0) {
    if (x < 0 || x > 1000) {
      x = 0;
    } else {
      x = x + 1;
    }
    input(i);
  }
  // x is in [0, 1001]

Problem 3: Hasty Widening

  x = 0;
  while (*) {
    if (*) {
      x = -1;
    } else {
      x = x + 1;
    }
  }
  // x >= -1

  At the loop head: x ↦ [0,0] ▽ x ↦ [-1,1] = x ↦ [-∞,+∞]

• The abstract value of x with a naive approach would be [-∞, +∞]

• Idea: delay the application of widening for the first N iterations

Solution: Delayed Widening

Delayed widening where N = 1

  x = 0;
  while (*) {
    if (*) {
      x = -1;
    } else {
      x = x + 1;
    }
  }
  // x >= -1

  Iteration 1 (join instead of widening): x ↦ [0,0] ⊔ x ↦ [-1,1] = x ↦ [-1,1]
  Iteration 2 (widening):                 x ↦ [-1,1] ▽ x ↦ [-1,2] = x ↦ [-1,+∞]
  Iteration 3 (widening):                 x ↦ [-1,+∞] ▽ x ↦ [-1,+∞] = x ↦ [-1,+∞]   Fixed Point!

Problem 4: Excessive Widening

  x = 0;
  while (x <= 100) {    // actually, x is in [0, 50] at the loop head
    if (x >= 50) {
      x = 10;
    } else {
      x = x + 1;
    }
  }

  At the loop head: x ↦ [0,0] ▽ x ↦ [0,1] = x ↦ [0,+∞]

• The abstract value of x with a naive approach is [0, +∞]

• Idea: use a slower and more precise widening

Solution: Widening with Thresholds

• Take several small steps, stopping at pre-defined threshold values

• For example, consider only one threshold B (only the right bounds are shown, for brevity):

  A naive widening operator:

  $$[n, p] \,\triangledown\, [n, q] = \begin{cases} [n, p] & \text{if } p \ge q \\ [n, +\infty] & \text{if } p < q \end{cases}$$

  A widening with thresholds:

  $$[n, p] \,\triangledown\, [n, q] = \begin{cases} [n, p] & \text{if } p \ge q \\ [n, B] & \text{if } p < q \le B \\ [n, +\infty] & \text{if } B < q \end{cases}$$

Widening with Thresholds

Thresholds = {50}

  x = 0;
  while (x <= 100) {
    if (x >= 50) {
      x = 10;
    } else {
      x = x + 1;
    }
  }

  Iteration 1: x ↦ [0,0] ▽ x ↦ [0,1] = x ↦ [0,50]
  Iteration 2: x ↦ [0,50] ▽ x ↦ [0,50] = x ↦ [0,50]   Fixed Point!
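As an added worked example (not from the lecture), the following Python model runs the worklist algorithm of slide 4 over a one-variable interval domain and reproduces the four problems and their fixes from slides 5 to 17: a set of labels at which widening is allowed (selective widening), a count of joins before widening starts (delayed widening), a list of thresholds (widening with thresholds), and loop unrolling expressed as a rewrite of the control-flow graph. The programs are encoded by hand as labelled edges with transfer functions; the label numbers, the FIFO worklist order, the single variable x (i and input(i) are ignored, so the loop of slide 11 is treated as `while (*)`) and the dropped then-guard in that loop are simplifications made here, and the label order for the slide-5 example is chosen so that the merge label sees x = 0 before x = 1, as on the slide.

```python
"""Interval analysis with the slides' worklist algorithm and the four iteration
fixes: selective widening, loop unrolling, delayed widening, thresholds.
Toy model (not the lecture's code): one variable x; each label holds its interval or BOT."""
from math import inf

BOT = None            # bottom: label not reached yet
TOP = (-inf, inf)     # x may be anything

def join(a, b):
    if a is BOT: return b
    if b is BOT: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def leq(a, b):        # a ⊑ b
    return a is BOT or (b is not BOT and b[0] <= a[0] and a[1] <= b[1])

def meet(v, lo, hi):  # filter a non-bottom v through the guard lo <= x <= hi
    l, h = max(v[0], lo), min(v[1], hi)
    return (l, h) if l <= h else BOT

def widen(old, new, thresholds=()):
    """Interval widening. An unstable bound jumps to the nearest threshold that
    still covers `new` (slide 16) and to infinity if there is none."""
    if old is BOT: return new
    lo = old[0] if old[0] <= new[0] else max((t for t in thresholds if t <= new[0]), default=-inf)
    hi = old[1] if new[1] <= old[1] else min((t for t in thresholds if t >= new[1]), default=inf)
    return (lo, hi)

# Edge transfer functions: interval at the source label -> contribution to the target.
const = lambda k: (lambda v: (k, k))
add = lambda k: (lambda v: (v[0] + k, v[1] + k))
guard = lambda lo, hi: (lambda v: meet(v, lo, hi))
skip = lambda v: v

def solve(labels, edges, entry_state, widen_at=frozenset(), delay=0, thresholds=()):
    """Worklist algorithm of slide 4. `edges` are (src, dst, transfer) triples;
    `labels` is the initial (FIFO) worklist order and labels[0] is the entry.
    Widening is used only at `widen_at`, and there only after `delay` joins of
    a non-bottom state (slide 14); everywhere else the new state is joined."""
    X = {l: BOT for l in labels}
    joins = {l: 0 for l in labels}
    work = list(labels)
    while work:
        w = work.pop(0)
        old = X[w]
        new = entry_state if w == labels[0] else BOT
        for src, dst, f in edges:
            if dst == w and X[src] is not BOT:
                new = join(new, f(X[src]))
        if w in widen_at and old is not BOT and joins[w] >= delay:
            new = widen(old, new, thresholds)
        else:
            new = join(old, new)
            if old is not BOT:
                joins[w] += 1
        if not leq(new, old):
            X[w] = new
            work += [dst for src, dst, _ in edges if src == w and dst not in work]
    return X

def problem1(selective):
    """Slide 5: a branch on x that merges at label 3; there is no loop at all."""
    labels = [0, 2, 3, 1]   # this order makes label 3 see x = 0 before x = 1, as on the slide
    edges = [(0, 1, const(1)), (0, 2, const(0)), (1, 3, skip), (2, 3, skip)]
    widen_at = frozenset() if selective else frozenset(labels)  # no cycle -> nothing to widen
    return solve(labels, edges, TOP, widen_at)[3]

def problem2(unroll):
    """Slide 11: x = ?; while (*) { if (x < 0 || x > 1000) x = 0; else x = x + 1; }
    The then-branch guard is dropped because x is overwritten by 0 anyway."""
    body = [(1, 2, skip), (2, 1, const(0)), (1, 3, guard(0, 1000)), (3, 1, add(1))]
    if unroll:  # slide 12: peel the first iteration (labels 5, 6) in front of the head
        edges = [(0, 5, skip), (5, 1, const(0)), (0, 6, guard(0, 1000)), (6, 1, add(1))] + body
        return solve([0, 5, 6, 1, 2, 3], edges, TOP, {1})[1]
    return solve([0, 1, 2, 3], [(0, 1, skip)] + body, TOP, {1})[1]

def problem3(delay):
    """Slide 13: x = 0; while (*) { if (*) x = -1; else x = x + 1; }"""
    edges = [(0, 1, const(0)), (1, 2, skip), (2, 1, const(-1)), (1, 3, skip), (3, 1, add(1))]
    return solve([0, 1, 2, 3], edges, TOP, {1}, delay=delay)[1]

def problem4(thresholds):
    """Slide 15: x = 0; while (x <= 100) { if (x >= 50) x = 10; else x = x + 1; }"""
    edges = [(0, 1, const(0)), (1, 2, guard(50, 100)), (2, 1, const(10)),
             (1, 3, guard(-inf, 49)), (3, 1, add(1))]
    return solve([0, 1, 2, 3], edges, TOP, {1}, thresholds=thresholds)[1]

if __name__ == "__main__":
    print("overused widening :", problem1(False), "selective:", problem1(True))
    print("hasty join        :", problem2(False), "unrolled: ", problem2(True))
    print("hasty widening    :", problem3(0), "delayed N=1:", problem3(1))
    print("excessive widening:", problem4(()), "thresholds {50}:", problem4((50,)))
```

Running the module prints the pairs from the slides: [0,+∞] versus [0,1] at the branch merge, [-∞,+∞] versus [0,1001] after unrolling, [-∞,+∞] versus [-1,+∞] with N = 1, and [0,+∞] versus [0,50] with threshold 50. The `widen_at` set is exactly what the cycle detection of the Caveat slide has to produce. Note that the delayed-widening result depends on the evaluation order: this FIFO worklist finishes the loop body before revisiting the head, which is the per-iteration sequence slide 14 assumes; with a LIFO worklist the head is revisited after only one branch, and the N = 1 run widens away the lower bound as well.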

Summary

• “Loop is evil”: one of the main sources of imprecision

• Important to design effective iteration techniques

• no universal solutions

• depending on the target program’s characteristics

• Need for domain knowledge (human experts or learning techniques)
