Extending MIRAI with the Octagon Abstract Domain by Alexey Malyshev
Abstract Interpretation
- A theoretical framework to formalize approximation
- Was introduced in 1977 by Patrick Cousot
  - Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints
- Applications of AI are wherever understanding of program semantics is important:
  - Quality assurance
  - Refactoring of programs
  - Security checks
Basis of Abstract Interpretation
- An abstract domain ("+", "-", 0)
- Concretization γ and abstraction α functions
  - γ: "+" -> {1, 2, 3, ..., +inf}
  - α: 5 -> "+"
- Transfer functions
  - "+" / "-" = "-"
  - "+" + "-" = T (top)
- Deal with the Halting problem
MIRAI
- Rust Mid-level Intermediate Representation Abstract Interpreter
- https://github.com/facebookexperimental/MIRAI
- Is actively developed by the Facebook Research group
- Goal: to find and report code that violates implicit and explicit specifications
  - Check index out of bounds
  - Division by zero
- It is a plugin for the Rust compiler. The tool is intended to become a part of the Rust compiler in the future.
What is MIR?
- Rust's Mid-level Intermediate Representation
- Simplified form of Rust
- Key characteristics:
  - based on a control-flow graph
  - does not have nested expressions
  - all types in MIR are fully explicit
How does MIRAI analyze a program?
The analyzer is an abstract interpreter over the MIR control flow graph. The state of the interpreter is stored in a data structure so that every edge in the control flow graph can have a state associated with it. Problematic instructions are flagged during interpretation. Once interpretation has reached a fixed point, error messages (if any) are reported.
MIRAI's abstract domains
- It doesn't implement the Sign Domain or the Even/Odd domain
- Supports the Interval Domain
Example
Example (using rustc to compile the sources): no warnings or compilation errors
Example (using mirai):
Another example
- Interval Analysis:
  ● x = [5; 5]
  ● y = [0; +inf]
- Octagon Analysis:
  ● x = [5; 5]
  ● y = [0; 5]
  ● x-y = [0; 5]
  ● x+y = [5; 10]
Octagon
● A finite set V = {V1, ..., Vn} of variables.
● An environment ρ ∈ (V → I) (ρ ∈ I^n), where I can be ℤ, ℚ, or ℝ.
● An octagonal constraint is a constraint of the form ±Vi ± Vj ≤ c.
● An octagon is the set of points satisfying a conjunction of octagonal constraints.
Octagon Abstract Domain
● A DBM is a 2n × 2n square matrix, where n is the number of program variables
● Each variable has a positive and a negative form.
● Each cell represents the relationship of two variables in the form ±Vi ± Vj ≤ c
  ○ V2 - (-V2) ≤ 2
Figure: a conjunction of octagonal constraints (a), its encoding as a coherent DBM (b), its potential graph on V0 (c), and the octagon it defines (d)
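The DBM encoding above, worked through on the "Another example" slide, as an added illustration (this is not MIRAI's code, nor code from Miné's paper). It assumes the slide's program state is x = 5, y ≥ 0 and y ≤ x, reconstructed from the slide's results; the names Octagon, tighten, add_upper/add_lower/add_diff/add_sum, close and the *_bounds readers are this example's own, and closure is computed over ℚ (the integer tightening step from Miné's paper is left out).

```rust
// Added example (not MIRAI's code): a DBM-based octagon with Miné's strong closure.
// Variable V_i has positive form 2i and negative form 2i+1 (so form k's mirror is k^1);
// m[a][b] = c encodes x_b - x_a <= c over the 2n forms. Rational semantics: the extra
// integer tightening step described in Miné's paper is omitted.
const INF: f64 = f64::INFINITY;
pub struct Octagon { m: Vec<Vec<f64>> }
impl Octagon {
    pub fn new(n: usize) -> Self {
        let mut m = vec![vec![INF; 2 * n]; 2 * n];
        for i in 0..2 * n { m[i][i] = 0.0; }
        Octagon { m }
    }
    // Record x_b - x_a <= c together with its coherent mirror -x_a - (-x_b) <= c.
    fn tighten(&mut self, a: usize, b: usize, c: f64) {
        if c < self.m[a][b] { self.m[a][b] = c; }
        if c < self.m[b ^ 1][a ^ 1] { self.m[b ^ 1][a ^ 1] = c; }
    }
    pub fn add_upper(&mut self, i: usize, c: f64) { self.tighten(2 * i + 1, 2 * i, 2.0 * c) } // V_i <= c
    pub fn add_lower(&mut self, i: usize, c: f64) { self.tighten(2 * i, 2 * i + 1, -2.0 * c) } // V_i >= c
    pub fn add_diff(&mut self, j: usize, i: usize, c: f64) { self.tighten(2 * i, 2 * j, c) } // V_j - V_i <= c
    pub fn add_sum(&mut self, i: usize, j: usize, c: f64) { self.tighten(2 * i + 1, 2 * j, c) } // V_i + V_j <= c
    // Strong closure: Floyd-Warshall shortest paths, then the strengthening step that
    // combines the unary bounds of x_i and x_j. Returns false if the octagon is empty.
    pub fn close(&mut self) -> bool {
        let d = self.m.len();
        for k in 0..d { for i in 0..d { for j in 0..d {
            let v = self.m[i][k] + self.m[k][j];
            if v < self.m[i][j] { self.m[i][j] = v; }
        } } }
        for i in 0..d { for j in 0..d {
            let v = (self.m[i][i ^ 1] + self.m[j ^ 1][j]) / 2.0;
            if v < self.m[i][j] { self.m[i][j] = v; }
        } }
        (0..d).all(|i| self.m[i][i] >= 0.0)
    }
    // (lower, upper) bounds read back from the closed matrix.
    pub fn bounds(&self, i: usize) -> (f64, f64) { (-self.m[2 * i][2 * i + 1] / 2.0, self.m[2 * i + 1][2 * i] / 2.0) }
    pub fn diff_bounds(&self, j: usize, i: usize) -> (f64, f64) { (-self.m[2 * j][2 * i], self.m[2 * i][2 * j]) } // V_j - V_i
    pub fn sum_bounds(&self, i: usize, j: usize) -> (f64, f64) { (-self.m[2 * i][2 * j + 1], self.m[2 * i + 1][2 * j]) } // V_i + V_j
}
// The slide's state, constructed here from its results: x = 5, y >= 0 and y <= x.
pub fn slide_example() -> Octagon {
    let mut o = Octagon::new(2); // V_0 = x, V_1 = y
    o.add_lower(0, 5.0); o.add_upper(0, 5.0);
    o.add_lower(1, 0.0);
    o.add_diff(1, 0, 0.0);
    assert!(o.close(), "constraints are satisfiable");
    o // bounds(0) = (5,5), bounds(1) = (0,5), diff_bounds(0,1) = (0,5), sum_bounds(0,1) = (5,10)
}
```

The strengthening step is what turns the path-derived x - y ≤ 10 into x - y ≤ 5 and x + y ≥ 0 into x + y ≥ 5, which plain shortest paths over the DBM would not find.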
Evaluation
● Ran over libra-crypto
  ○ https://github.com/libra - the payment system written in Rust that is built on a secure, scalable, and reliable blockchain.
● Results:
  ○ With the Interval Domain enabled
  ○ With the Octagon Domain enabled
Other interesting findings
● The Interval Domain is lightweight and doesn't degrade the performance of the interpreter
● Simplifying an expression before solving it with an SMT solver does make a difference
Conclusion
● Extended MIRAI with the Octagon Domain
● Next steps:
  ○ extend MIRAI to deal with loops
  ○ answer the questions:
    ■ Does the Octagon domain slow the analysis down?
    ■ If yes, does it at least increase precision?
Thank you! Questions?
References
- https://arxiv.org/pdf/cs/0703084.pdf - original paper of the Octagon Domain by Antoine Miné
- http://prl.korea.ac.kr/~pronto/home/courses/aaa616/2016/slides/lec7.pdf