Static analysis of memory manipulations by abstract interpretation – Algorithmics of tropical polyhedra, and application to abstract interpretation

Xavier Allamigeon

To cite this version: Xavier Allamigeon. Static analysis of memory manipulations by abstract interpretation – Algorithmics of tropical polyhedra, and application to abstract interpretation. Computer Science [cs]. Ecole Polytechnique X, 2009. English. NNT: . pastel-00005850

HAL Id: pastel-00005850
https://pastel.archives-ouvertes.fr/pastel-00005850
Submitted on 3 May 2010

Thesis presented to obtain the degree of DOCTEUR DE L'ÉCOLE POLYTECHNIQUE, specialty: Computer Science, by Xavier Allamigeon

Static analysis of memory manipulations by abstract interpretation
Algorithmics of tropical polyhedra, and application to abstract interpretation

Defended on 30 November 2009 before the jury composed of:
Jean-Eric Pin, LIAFA – CNRS, president of the jury
Nicolas Halbwachs, Verimag – CNRS, reviewer
Michael Joswig, Technische Universität Darmstadt, reviewer
Peter Butkovič, University of Birmingham, examiner
Stéphane Gaubert, INRIA Saclay, examiner
David Monniaux, Verimag – CNRS, examiner
Eric Goubault, CEA List, MeASI, thesis advisor
Charles Hymans, EADS Innovation Works, thesis supervisor

Thanks to . . .
I'd really like to thank:
• my three advisors (officially or unofficially), Eric, Charles, and Stéphane, for their great supervision,
• Nicolas and Michael for having reported such a long manuscript, for their expertise and their helpful remarks,
• Peter and David, for having spontaneously accepted to take part in the jury, and Jean-Eric for having chaired it,
• my officemates at EADS and CEA, for the great moments we shared together,
• my friends for their encouragements,
• my family for their everlasting support,
• and Audrey, for all.

Abstract

In this thesis, we define a static analysis by abstract interpretation of memory manipulations. It is based on a new numerical abstract domain, which is able to infer program invariants involving the operators min and max. This domain relies on tropical polyhedra, which are the analogues of convex polyhedra in tropical algebra. Tropical algebra refers to the set R ∪ {−∞} endowed with max as addition and + as multiplication.

This abstract domain is provided with sound abstract primitives, which make it possible to automatically compute over-approximations of the semantics of programs by means of tropical polyhedra. Thanks to them, we develop and implement a sound static analysis inferring min- and max-invariants over the program variables, the length of the strings, and the size of the arrays in memory.
In order to improve the scalability of the abstract domain, we also study the algorithmics of tropical polyhedra. In particular, a tropical polyhedron can be represented in two different ways, either internally, in terms of extreme points and rays, or externally, in terms of tropically affine inequalities. Passing from the external description of a polyhedron to its internal description, or conversely, is a fundamental computational issue, comparable to the well-known vertex/facet enumeration or convex hull problems in classical algebra. It is also a crucial operation in our numerical abstract domain. For this reason, we develop two original algorithms for passing from an external description of tropical polyhedra to an internal description, and vice versa. They are based on a tropical analogue of the double description method introduced by Motzkin et al. We show that they outperform the other existing methods, both in theory and in practice. The cornerstone of these algorithms is a new combinatorial characterization of extreme elements in tropical polyhedra defined by means of inequalities: we have proved that the extremality of an element amounts to the existence of a strongly connected component reachable from any node in a directed hypergraph. We also show that the latter property can be checked in almost linear time in the size of the hypergraph.

Moreover, in order to have a better understanding of the intrinsic complexity of tropical polyhedra, we study the problem of determining the maximal number of extreme points in a tropical polyhedron. In the classical case, this problem is addressed by McMullen's upper bound theorem. We prove that the maximal number of extreme points in the tropical case is bounded by a similar result. We introduce a class of tropical polyhedra appearing as natural candidates to be maximizing instances.
We establish lower and upper bounds on their number of extreme points, and show that the McMullen-type bound is asymptotically tight when the dimension tends to infinity and the number of inequalities defining the polyhedra is fixed.

Finally, we evaluate our tropical polyhedra based static analyzer on programs manipulating strings and arrays. These experiments show that the analyzer successfully determines precise properties on memory manipulations, and that it scales up to highly disjunctive invariants which could not be computed by the existing methods.

The implementation of all the algorithms and abstract domains on tropical polyhedra developed in this work is available in the Tropical Polyhedra Library TPLib [All09].

Contents

1 Introduction 11
1.1 Context of this work 11
1.2 Analyzing memory manipulations by abstract interpretation 13
1.2.1 Main principles of abstract interpretation 13
1.2.2 Abstractions for memory manipulations 14
1.3 An overview of tropical polyhedra 18
1.4 Contributions 19
1.5 Organization of the manuscript 20
1.6 A few words on notations 21

I Combinatorial and algorithmic aspects of tropical polyhedra 23

2 Introduction to tropical convexity 25
2.1 Preliminaries on tropical algebra 25
2.2 Preliminaries on tropical convexity 26
2.2.1 Notations 26
2.2.2 Tropical convex sets 27
2.2.3 Tropical cones 28
2.2.4 Extreme elements 29
2.2.5 Minimal generating representations 30
2.2.6 Tropical homogenization 32
2.3 Tropical polyhedra and polyhedral cones 34
2.3.1 Definition 34
2.3.2 Minkowski-Weyl theorem 38
2.3.3 Homogenization of tropical polyhedra 39
2.4 Conclusion of the chapter 42

3 Combinatorial characterization of extremality from halfspaces 43
3.1 Preliminaries on extremality 44
3.2 Characterizing extremality using the tangent cone 46
3.2.1 Tangent cone 47
3.2.2 The {𝟘,𝟙}-cones and their extreme elements 49
3.3 Characterizing extremality using directed hypergraphs 52
3.3.1 Preliminaries on directed hypergraphs 52
3.3.2 Tangent directed hypergraph 53
3.4 Conclusion of the chapter 55

4 Maximal strongly connected components in directed hypergraphs 57
4.1 Reachability in directed hypergraphs 58
4.2 Computing maximal strongly connected components 60
4.2.1 Principle of the algorithm for directed hypergraphs 60
4.2.2 Computing maximal strongly connected components in directed graphs 62
4.2.3 Optimized algorithm 63
4.2.4 Example of a complete execution trace 65
4.3 Conclusion of the chapter 71
4.4 Proving Theorem 4.1 73
4.4.1 Correctness of the algorithm 73
4.4.2 Complexity proof 79

5 Algorithmics of tropical polyhedra 83
5.1 From the external description to the internal description 84
5.1.1 The tropical double description method 84
5.1.2 Resulting algorithm 87
5.1.3 Comparison with the existing approaches 89
5.1.4 Comparison with the classical double description method 93
5.1.5 Benchmarks 94
5.2 From the internal description to the external description 95
5.2.1 Polar of tropical cones 95
5.2.2 Polar of finitely generated cones 96
5.2.3 Efficient characterization of extreme elements of the polar of a polyhedral cone 97
5.2.4 Resulting algorithm 98
5.2.5 Comparison with alternative approaches 102
5.3 The number of extreme elements in tropical polyhedra 103
5.3.1 A first McMullen-type bound 104
5.3.2 Signed cyclic polyhedral cones 105
5.3.3 Comparison with the classical case 106
5.3.4 The number of extreme rays in signed cyclic polyhedral cones 108
5.3.5 The number of extreme rays in polar cones 108
5.4 Conclusion of the chapter 110

II Application to static analysis by abstract interpretation 113

6 Introduction to static analysis by abstract interpretation 115
6.1 Kernel language 115
6.1.1 Principles of the language 116
6.1.2 Syntax of the language 116
6.2 Semantics of the language 118
6.2.1 Control-flow graph 118
6.2.2 Memory model 120
6.2.3 Operational semantics 121
6.2.4 Collecting semantics of a program 124
6.2.5 Proving the absence of heap overflows 125
6.3 Abstract interpretation 126
6.3.1 Theoretical framework 126
6.3.2 Numerical abstract domains 132
6.4 A first possible abstract semantics 139
6.5 An abstraction on strings 143
6.6 Conclusion of the chapter 150

7 Numerical abstract domains based on tropical polyhedra 151
7.1 Inferring max-invariants: the abstract domain MaxPoly 152
7.1.1 Definition of the abstract domain 152
7.1.2 Abstract preorder 155
7.1.3 Abstract union operator 157
7.1.4 Abstract intersection primitives 160
7.1.5 Abstract assignment operators 162
7.1.6 Widening operators 166
7.1.7 Reduction with zones 173
7.1.8 Non-tropically affine abstract primitives 177
7.1.9 Summary of abstract primitives behavior 177
7.2 Inferring min-invariants: the abstract domain MinPoly 177
7.2.1 Order-theoretic abstract primitives 178
7.2.2 Conditions and assignments 178
7.2.3 Reduction with zones 179
7.3 Inferring min- and max-invariants: the domain MinMaxPoly 180
7.3.1 Order-theoretic abstract primitives 180
7.3.2 Conditions and assignments 180
7.3.3 Reduction with octagons 181
7.4 Experiments 183
7.4.1 Principles of the implementation 183
7.4.2 Analysis of memory manipulating programs 184
7.4.3 Application to array predicate abstractions 186
7.4.4 Efficiently handling many disjunctions 188
7.4.5 Sort algorithms 189
7.4.6 Performance of the analysis 189
7.5 Conclusion of the chapter 192
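The abstract defines tropical algebra as R ∪ {−∞} with max as addition and + as multiplication, and describes tropical polyhedra externally by tropically affine inequalities. The following Python is an added example, not code from the thesis or from TPLib: it implements the max-plus operations, checks membership of a point in a polyhedron given by halfspaces, and, on a constructed invariant for the assignment z = max(x, y), shows that such a set is tropically convex (tropical segments between two members stay inside) while the ordinary midpoint of the same two points falls outside. All function and constant names are assumptions.

```python
NEG_INF = float("-inf")  # tropical zero; the tropical unit is 0, addition is max

def tmul(a, b):
    """Tropical multiplication is +, with -inf absorbing."""
    return NEG_INF if NEG_INF in (a, b) else a + b

def tdot(coeffs, point):
    """Tropical linear form: max_i (coeffs[i] + point[i])."""
    return max((tmul(c, x) for c, x in zip(coeffs, point)), default=NEG_INF)

def satisfies(halfspace, point):
    """Tropical halfspace max(a0, a.x) >= max(b0, b.x), with tropical dot products."""
    a0, a, b0, b = halfspace
    return max(a0, tdot(a, point)) >= max(b0, tdot(b, point))

def in_polyhedron(halfspaces, point):
    """External description: the point is inside iff it satisfies every halfspace."""
    return all(satisfies(h, point) for h in halfspaces)

def tropical_combination(lam, mu, p, q):
    """Tropical convex combination (lam (x) p) (+) (mu (x) q), with max(lam, mu) = 0."""
    assert max(lam, mu) == 0
    return tuple(max(tmul(lam, pi), tmul(mu, qi)) for pi, qi in zip(p, q))

def segment_inside(halfspaces, p, q, steps=20):
    """Sample the tropical segment between p and q; True iff every sample is inside."""
    for k in range(steps + 1):
        t = -float(k)  # one weight stays at the unit 0, the other decreases towards -inf
        if not in_polyhedron(halfspaces, tropical_combination(0.0, t, p, q)):
            return False
        if not in_polyhedron(halfspaces, tropical_combination(t, 0.0, p, q)):
            return False
    return True

def classical_midpoint(p, q):
    """Ordinary (non-tropical) midpoint, used to show the set is not classically convex."""
    return tuple((pi + qi) / 2 for pi, qi in zip(p, q))

# Constructed invariant on (x, y, z) after the assignment z = max(x, y), as three
# tropical halfspaces (a0, a, b0, b) meaning max(a0, a.x) >= max(b0, b.x):
N = NEG_INF
Z_IS_MAX_XY = [
    (N, (N, N, 0), N, (0, N, N)),  # z >= x
    (N, (N, N, 0), N, (N, 0, N)),  # z >= y
    (N, (0, 0, N), N, (N, N, 0)),  # max(x, y) >= z
]
```

The three halfspaces together encode exactly z = max(x, y), the kind of invariant the MaxPoly domain infers; a classical polyhedron would need a disjunction of two cases to express it.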