Basic abstract interpretation theory

PowerPoint Slideshow about 'Basic abstract interpretation theory' - bernad

The general idea
• a semantics
• any definition style, from a denotational definition to a detailed interpreter, assigning meanings to programs on a suitable concrete domain (concrete computations domain)
• an abstract domain modeling some properties of concrete computations and forgetting about the remaining information (abstract computations domain)
• we derive an abstract semantics, which allows us to “execute” the program on the abstract domain to compute its abstract meaning, i.e., the modeled property
Concrete and Abstract Domains
• two complete partial orders
• the partial orders reflect precision
• smaller is better
• concrete domain (P(C), ⊆, ∅, C, ∪, ∩)
• has the structure of a powerset
• we will see later why
• abstract domain (A, ≤, bottom, top, lub, glb)
• each abstract value is a description of “a set of” concrete values
The Sign Abstract Domain
• concrete domain (P(Z), ⊆, ∅, Z, ∪, ∩): sets of integers
• abstract domain (Sign, ≤, bot, top, lub, glb)
Concretization
• concrete domain (P(C), ⊆, ∅, C, ∪, ∩)
• abstract domain (A, ≤, bottom, top, lub, glb)
• the meaning of abstract values is defined by a concretization function

γ: A → P(C)

∀a ∈ A, γ(a) is the set of concrete computations described by a

• that’s why the concrete domain needs to be a powerset
• the concretization function must be monotonic

∀a1, a2 ∈ A, a1 ≤ a2 implies γ(a1) ⊆ γ(a2)

• concretization preserves relative precision
Abstraction
• concrete domain (P(C), ⊆, ∅, C, ∪, ∩)
• abstract domain (A, ≤, bottom, top, lub, glb)
• every element of P(C) should have a unique “best” (most precise) description in A
• this is possible if and only if A is a Moore family
• closed under glb
• in such a case, we can define an abstraction function

α: P(C) → A

∀c ∈ P(C), α(c) is the best abstract description of c

• the abstraction function must be monotonic

∀c1, c2 ∈ P(C), c1 ⊆ c2 implies α(c1) ≤ α(c2)

• abstraction preserves relative precision
The example of Sign

γSign(x) =

• ∅, if x = bot
• {y | y > 0}, if x = +
• {y | y ≥ 0}, if x = 0+
• {0}, if x = 0
• {y | y ≤ 0}, if x = 0-
• {y | y < 0}, if x = -
• Z, if x = top

αSign(y) = glb of

• bot, if y = ∅
• -, if y ⊆ {y | y < 0}
• 0-, if y ⊆ {y | y ≤ 0}
• 0, if y = {0}
• 0+, if y ⊆ {y | y ≥ 0}
• +, if y ⊆ {y | y > 0}
• top, if y ⊆ Z
Galois connection
• (P(C), ⊆, ∅, C, ∪, ∩)
• (A, ≤, bottom, top, lub, glb)
• γ: A → P(C) (concretization)
• α: P(C) → A (abstraction)

γ, α monotonic

• there may be loss of information (approximation) in describing an element of P(C) by an element of A
• Galois connection (insertion)

∀c ∈ P(C). c ⊆ γ(α(c))

∀a ∈ A. α(γ(a)) ≤ a   (∀a ∈ A. α(γ(a)) = a for an insertion)

γ, α mutually determine each other

Concrete semantics
• the concrete semantics is defined as the least (or greatest) fixpoint of a concrete semantic evaluation function F defined on the domain C
• this does not necessarily mean that the semantic definition style is denotational!
• F is defined in terms of primitive semantic operations fi on C
• the abstract semantic evaluation function is obtained by replacing in F each concrete operation fi by a suitable abstract operation
• however, since the actual concrete domain is P(C), we need first to lift the concrete semantics lfp F to a collecting semantics defined on P(C)
Collecting semantics
• lifting lfp F to the powerset (to get the collecting semantics) is simply a conceptual operation
• collecting semantics = {lfp F}
• we don’t need to define a brand new collecting semantic evaluation function on P(C)
• we just need to reason in terms of liftings of all the primitive operations (and of F), while designing the abstract operations and establishing their properties
• in the following, by abuse of notation, we will use the same notation for the standard and the collecting (“conceptually” lifted) operations
Abstract operations: local correctness
• an abstract operator fi# (the abstract counterpart of fi) defined on A is locally correct wrt a concrete operator fi if

∀x1,..,xn ∈ P(C).

fi(x1,..,xn) ⊆ γ(fi#(α(x1),..,α(xn)))

• the concrete computation step is more precise than the concretization of the “corresponding” abstract computation step
• a very weak requirement, which is satisfied, for example, by an abstract operator which always computes the worst abstract value top
• the real issue in the design of abstract operations is therefore precision
Abstract operations: optimality and completeness
• correctness

∀x1,..,xn ∈ P(C).

fi(x1,..,xn) ⊆ γ(fi#(α(x1),..,α(xn)))

• optimality

∀y1,..,yn ∈ A.

fi#(y1,..,yn) = α(fi(γ(y1),..,γ(yn)))

• the most precise abstract operator fi# correct wrt fi
• a theoretical bound and basis for the design, rather than an implementable definition
• completeness (exactness or absolute precision)

∀x1,..,xn ∈ P(C).

α(fi(x1,..,xn)) = fi#(α(x1),..,α(xn))

• no loss of information: the abstraction of the concrete computation step is exactly the same as the result of the corresponding abstract computation step
The Sign example
• Times and Plus are the usual operations lifted to P(Z)
• both TimesSign and PlusSign are optimal (hence correct)
• TimesSign is also complete (no approximation)
• PlusSign is necessarily incomplete
• αSign(Times({2},{-3})) = TimesSign(αSign({2}), αSign({-3}))
• αSign(Plus({2},{-3})) < PlusSign(αSign({2}), αSign({-3})) (the left-hand side is αSign({-1}) = -, the right-hand side is PlusSign(+, -) = top)

From local to global correctness
• the composition of locally correct abstract operations is locally correct wrt the composition of concrete operations
• composition does not preserve optimality, i.e., the composition of optimal operators may be less precise than the optimal abstract version of the composition
• if we obtain F# (abstract semantic evaluation function) by replacing in F every concrete semantic operation by a corresponding (locally correct) abstract operation, the local correctness property still holds

∀x ∈ P(C). F(x) ⊆ γ(F#(α(x)))

• local correctness implies global correctness, i.e., correctness of the abstract semantics wrt the concrete one

lfp F ⊆ γ(lfp F#)   gfp F ⊆ γ(gfp F#)

α(lfp F) ≤ lfp F#   α(gfp F) ≤ gfp F#

• the abstraction of the concrete semantics is more precise than the abstract semantics
• lfp F cannot be computed in finitely many steps
• ω steps are in general required
• lfp F# can be computed in finitely many steps, if the abstract domain is finite or at least noetherian
• does not contain infinite increasing chains
• interesting for static program analysis, where the fixpoint computation must terminate
• most program properties considered in static analysis are undecidable
• we accept a loss of precision (safe approximation) in order to make the analysis feasible
• α(lfp F) ≤ lfp F#: why computing lfp F#?
Where does the approximation come from?
• incomplete abstract operators
• more execution paths in the abstract semantics
• the abstract state has no information to allow deterministic choices
• conditionals, pattern matching, etc.
• the set of resulting abstract states is transformed into a single abstract state by an abstract lub operation
Approximation in abstract Sign computations
• abstract state [x=+]
• if x>2 then y:=3 else y:=-5;
• the abstract guard “can be both true and false”
• we need to abstractly execute both paths
• the resulting abstract states are “merged” by performing a lub on Sign
• abstract state [x=+,y=top]
• concrete state [x={3}]
• if x>2 then y:=3 else y:=-5;
• concrete state [x={3}, y={3}]
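The two approximation sources discussed above, executed on Sign as an added example that is not part of the lecture: the slide's conditional, where an undecided abstract guard forces both paths to be executed and merged by lub, and a loop whose abstract fixpoint is reached in finitely many steps in the finite (noetherian) Sign domain while the collecting semantics on P(Z) keeps growing (the ω-steps remark). The tiny statement language, the guard-feasibility test for `x > k`, and the iteration cap used to show the non-stabilising concrete chain are this example's own assumptions.

```python
"""Abstract execution on Sign: lub-merging at a conditional, and Kleene iteration
of a loop in Sign versus in the collecting semantics on P(Z).
Added example (not from the lecture); the statement language, the guard test
and the iteration cap are assumptions of this example."""
from functools import reduce

# Each Sign value is encoded as the set of sign classes (-1, 0, 1) it admits;
# the precision order is inclusion and only these seven members exist
# (no "non-zero" value {-1, 1}, exactly as on the slides).
SIGN = {"bot": frozenset(), "-": frozenset({-1}), "0": frozenset({0}), "+": frozenset({1}),
        "0-": frozenset({-1, 0}), "0+": frozenset({0, 1}), "top": frozenset({-1, 0, 1})}
NAME = {v: k for k, v in SIGN.items()}

def lub(a, b):
    """Least member of Sign containing a and b; {-1, 1} is not a member, so it becomes top."""
    return min((s for s in SIGN.values() if a | b <= s), key=len)

def sign(n):
    return (n > 0) - (n < 0)

def plus_sign(a, b):
    """Abstract addition class by class: (-1)+(+1) may have any sign, (-1)+0 stays negative."""
    out = SIGN["bot"]
    for s1 in a:
        for s2 in b:
            out = lub(out, SIGN["top"] if s1 * s2 < 0 else frozenset({sign(s1 + s2)}))
    return out

def may_exceed(a, k):
    """Can an integer with a sign class in a be > k?  (+ always; 0 iff k < 0; - iff k < -1)"""
    return any(s == 1 or (s == 0 and k < 0) or (s == -1 and k < -1) for s in a)

def may_not_exceed(a, k):
    """Can an integer with a sign class in a be <= k?  (- always; 0 iff k >= 0; + iff k >= 1)"""
    return any(s == -1 or (s == 0 and k >= 0) or (s == 1 and k >= 1) for s in a)

def eval_sign(expr, st):
    """Expressions: ("const", n) | ("var", v) | ("add", e1, e2)."""
    if expr[0] == "const":
        return frozenset({sign(expr[1])})
    if expr[0] == "var":
        return st[expr[1]]
    return plus_sign(eval_sign(expr[1], st), eval_sign(expr[2], st))

def merge(states):
    """lub of abstract states, variable by variable (a variable absent from a state counts as bot)."""
    keys = set().union(*(s.keys() for s in states))
    return {v: reduce(lub, (s.get(v, SIGN["bot"]) for s in states), SIGN["bot"]) for v in keys}

def exec_sign(stmts, st):
    """Statements: ("assign", var, expr) | ("if", var, k, then_block, else_block), guard `var > k`."""
    for stmt in stmts:
        if stmt[0] == "assign":
            st = {**st, stmt[1]: eval_sign(stmt[2], st)}
        else:
            _, var, k, then_block, else_block = stmt
            outs = []
            if may_exceed(st[var], k):        # the abstract guard can be true ...
                outs.append(exec_sign(then_block, st))
            if may_not_exceed(st[var], k):    # ... and can be false: execute both paths
                outs.append(exec_sign(else_block, st))
            st = merge(outs)                  # the two abstract states are merged by lub
    return st

def kleene(init, step, join, cap=50):
    """Iterate x <- join(x, step(x)) from init; return (value, steps, reached_fixpoint)."""
    x, n = init, 0
    while n < cap:
        nxt = join(x, step(x))
        if nxt == x:
            return x, n, True
        x, n = nxt, n + 1
    return x, n, False

# Loop head of `x := 0; while x > -1 do x := x + 1` (a diverging loop).
def sign_step(a):
    return plus_sign(a, SIGN["+"]) if may_exceed(a, -1) else SIGN["bot"]

def collecting_step(xs):
    return frozenset(v + 1 for v in xs if v > -1)

# The slide's conditional: abstract state [x=+]; if x > 2 then y := 3 else y := -5
COND = [("if", "x", 2, [("assign", "y", ("const", 3))], [("assign", "y", ("const", -5))])]

if __name__ == "__main__":
    for x0 in ("+", "-"):
        out = exec_sign(COND, {"x": SIGN[x0]})
        print(f"[x={x0}] ->", {v: NAME[a] for v, a in out.items()})
    inv, n, done = kleene(SIGN["0"], sign_step, lub)
    print("Sign loop invariant:", NAME[inv], "after", n, "steps, fixpoint:", done)
    chain, n, done = kleene(frozenset({0}), collecting_step, frozenset.union)
    print("collecting semantics: |x| =", len(chain), "after", n, "steps, fixpoint:", done)
```

With x = + the guard `x > 2` is undecided (x could be 1 or 7), so y becomes lub(+, -) = top exactly as on the slide; with x = - the guard is unsatisfiable in the abstract state and only the else path is executed. For the loop, Sign stabilises at 0+ after one join, whereas the concrete chain {0}, {0,1}, {0,1,2}, … is still growing when the cap stops it.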
Approximation in type analysis
• the following ML expression is not typed by ML’s type inference algorithm, because it always performs a lub operation in the conditional, even when the guard is valid or unsatisfiable in the abstract state

if true then 3 else true

• comparative semantics: a technique to reason about semantics at different levels of abstraction
• non-noetherian abstract domain
• abstraction without approximation (completeness)

α(lfp F) = lfp F#

• static analysis = effective computation of the abstract semantics, if the abstract domain is noetherian and the abstract operations are computationally feasible
• if the abstract domain is non-noetherian or if the fixpoint computation is too complex, use widening operators, which effectively compute an (upper) approximation of lfp F#
• one example later

Applications of Abstract Interpretation
• (P(C), ⊆, ∅, C, ∪, ∩) (concrete domain)
• (A, ≤, bottom, top, lub, glb) (abstract domain)
• γ: A → P(C) monotonic (concretization function)
• α: P(C) → A monotonic (abstraction function)
• ∀x ∈ P(C). x ⊆ γ(α(x)) and ∀y ∈ A. α(γ(y)) ≤ y (Galois connection)
• fi, fi# | ∀x1,..,xn ∈ P(C). fi(x1,..,xn) ⊆ γ(fi#(α(x1),..,α(xn))) (local correctness)
• critical choices
• the abstract domain to model the property
• the (possibly optimal) correct abstract operations

The abstract interpretation framework
• there exist weaker versions of abstract interpretation
• without Galois connections (e.g., concretization function only)
• based on approximation operators (widening, narrowing)
• without explicit abstract domain (closure operators)
• the theory also provides several results on abstract domain design
• how to combine domains
• how to improve the precision of a domain
• how to transform an abstract domain into a complete one
• …
• we will look at some of these results in the last lecture

Other approaches and extensions