1 / 113

Noam Rinetzky Lecture 12: Abstract Interpretation IV

Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 12: Abstract Interpretation IV. Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav , Ganesan Ramalingam. Abstract Interpretation [Cousot’77].

lieu
Download Presentation

Noam Rinetzky Lecture 12: Abstract Interpretation IV

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Analysis and Verification 0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 12: Abstract Interpretation IV Slides credit: Roman Manevich, MoolySagiv, EranYahav, GanesanRamalingam

  2. Abstract Interpretation [Cousot’77] • Mathematical foundation of static analysis • Abstract domains • Abstract states • Join () • Transformer functions • Abstract steps • Chaotic iteration • Structured Programs • Abstract computation

  3. Abstract (conservative) interpretation abstract representation abstract representation statement S abstract semantics concretization concretization set of states set of states set of states statement S  operational semantics(concrete semantics)

  4. Abstract Interpretation [Cousot’77] • Mathematical foundation of static analysis • Abstract domains • Abstract states • Join () • Transformer functions • Abstract steps • Chaotic iteration • Abstract computation • Structured Programs Lattices (D, , , , , ) Monotonic functions Fixpoints

  5. Chains • d  d’ means d  d’ and d  d’ • An ascending chain is a sequencex1 x2 …  xk… • A descending chain is a sequencex1 x2 …  xk… • The height of a poset(D, ) is the length of the maximal ascending chain in D

  6. Complete partial order (CPO) • A poset (D , ) is a complete partial if every ascending chain x1 x2 …  xk… has a LUB

  7. Lattices • (D, , , , , ) is a lattice if • (D, ) is a partial order • ∀X FIN D . X is defined • A top element  • ∀X FIN D . X is defined • A bottom element  • A lattice (D, , , , , ) is a complete lattice if • X and Y are defined for arbitrary sets

  8. Example I: Sign lattice  x0 x0 x<0 x=0 x>0 

  9. Example II: Powerset lattices • (2X, , , , , X) is the powersetlatticeof X • A complete lattice

  10. Domain Constructors • Cartesian products: 0 < x ∧ 0 < y: • Disjunctive completion: x < 0 ∨ 0 < x • Relational product: (0 < x ∧ 0 < y) ∨ (0 < x ∧ y < 0) • Finite maps: [L1 ↦ x= ⊤ , L2 ↦ x=0] • |{L1, L2}| finite

  11. Concrete Semantics

  12. Collecting semantics • For a set of program states State, we define the collecting lattice (2State, , , , , State) • The collecting semantics accumulates the (possibly infinite) sets of states generated during the execution • Not computable in general

  13. The collecting lattice • Lattice for a given control-flow node v: Lv=(2State, , , , , State) • Lattice for entire control-flow graph with nodes V: LCFG = Map(V, Lv) • We will use this lattice as a baseline for static analysis and define abstractions of its elements

  14. Equational definition of the semantics • R[2] = R[entry]  x:=x-1 R[3] • R[3] = R[2]  {s | s(x) > 0} • R[exit] = R[2]  {s | s(x)  0} • A system of recursive equations • Solution: concrete meaning of the program R[entry] entry R[2] if x > 0 R[3] R[exit] exit x := x - 1

  15. An abstract semantics Abstract transformer for x:=x-1 Abstract representationof {s | s(x) < 0} • R[2] = R[entry]  x:=x-1#R[3] • R[3] = R[2]  {s | s(x) > 0}# • R[exit] = R[2]  {s | s(x)  0}# • A system of recursive equations • Solution: abstract meaning of the program • Over-approximation of the concrete semantics R[entry] entry R[2] if x > 0 R[3] R[exit] exit x := x - 1

  16. Abstract interpretation via concretization abstract representationof sets of states abstract representationof sets of states statement S abstract semantics concretization concretization set of states set of states set of states statement S  collecting semantics

  17. Can we always find a solution?

  18. Monotone functions • Let L1=(D1, ) and L2=(D2, ) be two posets • A function f : D1D2 is monotone if for every pair x, y D1x y implies f(x)  f(y) • A special case: L1=L2=(D, ) f : DD

  19. Fixed-points  Red(f) • L = (D, , , , , ) • f : DDmonotone • Fix(f) = { d | f(d) = d } • Red(f) = { d | f(d)  d } • Ext(f) = { d | d  f(d) } • Theorem [Tarski 1955] • lfp(f) = Fix(f) = Red(f)  Fix(f) • gfp(f) = Fix(f) = Ext(f)  Fix(f) fn() gfp Fix(f) lfp Ext(f) fn()  • A solution always exist • It unique • Not always computable

  20. Continuity and ACC condition • Let L = (D, , , ) be a complete partial order • Every ascending chain has an upper bound • A function f is continuous if for every increasing chain Y D*, f(Y) = { f(y) | yY } • L satisfies the ascending chain condition (ACC) if every ascending chain eventually stabilizes:d0 d1  …  dn = dn+1 = …

  21. Fixed-point theorem [Kleene] • Let L = (D, , , ) be a complete partial order and a continuous function f: DD thenlfp(f) = nNfn() • Lemma: Monotone functions on posets satisfying ACC are continuous

  22. Resulting algorithm  • Kleene’s fixed point theorem gives a constructive method for computing the lfp Mathematical definition lfp(f) = nNfn() lfp fn() Algorithm … d := whilef(d)  ddod := d  f(d)returnd f2() f() 

  23. Correctness • Transformer monotonicity is required for termination – what should we require for correctness? • What is the connection between the two least fixed-points of the concrete and abstract semantics?

  24. Abstraction/Concretization • Given two complete latticesC = (DC, C, C, C, C, C) – concrete domainA = (DA, A, A, A, A, A) – abstract domain • A Galois Connection (GC) is quadruple (C, , , A)that relates C and A via the monotone functions • The abstraction function  : DC DA • The concretization function  : DA DC • for every concrete element cDCand abstract element aDA((a)) a and c ((c)) • Alternatively (c)  aiffc (a) • Homework

  25. Galois Connection: c ((c)) C A The most precise (least) element in A representing c  ((c)) 3  (c) 2 c  1

  26. Galois Connection: ((a)) a What a represents in C(its meaning) C A  a (a) 1 2  ((a))  3

  27. Properties of a Galois Connection • The abstraction and concretization functions uniquely determine each other:(a) = {c | (c)  a}(c) = {a | c  (a)}

  28. Abstracting sets • It is usually convenient to first define the abstraction of single elements(s) = ({s}) • Then lift the abstraction to sets of elements (X) = A{(s) | sX}

  29. Inducing along the connections C A M A,C M,A c’ 4 5 a’=A,M(C,A(c)) 3 c C,A(c) C,A A,M 1 2

  30. Sound abstract transformer • Given two latticesC = (DC, C, C, C, C, C)A = (DA, A, A, A, A, A)and GCC,A=(C, , , A) with • A concrete transformer f : DC DCan abstract transformer f# : DA DA • We say that f#is a sound transformer (w.r.t. f) if • c: (f(c)) f#((c)) • a:(f((a)))A f#(a)

  31. Transformer soundness condition 1 c: f(c)=c’ f#((c))  (c’) C A f#  5 f 4 1 2 3

  32. Abstract (conservative) interpretation abstract representation abstract representation statement S abstract semantics concretization concretization set of states set of states set of states statement S  operational semantics(concrete semantics)

  33. Transformer soundness condition 2 a: f#(a)=a’ f((a))  (a’) C A 4  f 5 1 2 f# 3

  34. Abstract (conservative) interpretation 0 < x 0 ≤ x x = x -1 abstract semantics concretization concretization {x↦1, x↦2, …} {x↦0, x↦1, …} {x↦0, x↦1, …} x=x-1  operational semantics(concrete semantics)

  35. Best (induced) transformer f#(a)=(f((a))) C A f# 4 f 3 1 2 Problem:  incomputable directly

  36. Best abstract transformer [CC’77] • Best in terms of precision • Most precise abstract transformer • May be too expensive to compute • Constructively defined asf# =  f   • Induced by the GC • Not directly computable because first step is concretization • We often compromise for a “good enough” transformer • Useful tool: partial concretization

  37. Negative property of best transformers • Let f# =  f   • Best transformer does not compose(f(f((a))))  f#(f#(a))

  38. (f(f((a))))  f#(f#(a)) C A 9 7  f# f 5 4 f 8 6 f f# 3 1 2

  39. Soundness theorem 1 • Given two complete latticesC = (DC, C, C, C, C, C)A = (DA, A, A, A, A, A)and GCC,A=(C, , , A) with • Monotone concrete transformer f : DC DC • Monotone abstract transformer f# : DA DA • a DA : f((a))  (f#(a)) Thenlfp(f)  (lfp(f#)) (lfp(f))  lfp(f#)

  40. Soundness theorem 1 C A lpf(f)  lpf(f#)  fn  f#n  f3 f#3 … … f2  f#2  f  f#   

  41. Soundness theorem 2 • Given two complete latticesC = (DC, C, C, C, C, C)A = (DA, A, A, A, A, A)and GCC,A=(C, , , A) with • Monotone concrete transformer f : DC DC • Monotone abstract transformer f# : DA DA • c DC : (f(c))  f#((c)) Then(lfp(f))  lfp(f#)lfp(f)  (lfp(f#))

  42. Soundness theorem 2 C A lpf(f#)  lpf(f)  f#n  fn  … … f#3 f3 f#2  f2  f#  f   

  43. A recipe for a sound static analysis • Define an “appropriate” operational semantics • Define “collecting” structural operational semantics • Establish a Galois connection between collecting states and abstract states • Local correctness: show that the abstract interpretation of every atomic statement is soundw.r.t. the collecting semantics • Global correctness: conclude that the analysis is sound

  44. Completeness • Local property: • forward complete: c: (f#(c)) = (f(c)) • backward complete:a: f((a)) = (f#(a)) • A property of domain and the (best) transformer • Global property: • (lfp(f)) =lfp(f#) • lfp(f) = (lfp(f#)) • Very ideal but usually not possible unless we change the program model (apply strong abstraction) and/or aim for very simple properties

  45. Forward complete transformer c: (f#(c)) = (f(c)) C A f# f 4 1 2 3

  46. Global (forward) completeness C A lpf(f#)  lpf(f)  f#n  fn  … … f#3 f3 f#2  f2  f#  f   

  47. Backward complete transformer a: f((a)) = (f#(a)) C A f 5 1 2 f# 3

  48. Global (backward) completeness C A lpf(f)  lpf(f#)  fn  f#n  f3 f#3 … … f2  f#2  f  f#   

  49. Three example analyses • Variable Equalities • Constant Propagation • Available Expressions

  50. Combining GC and Transformers • Cartesian Product • L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2) • Cart(L1, L2) = (D1D2, cart, cart, cart, cart, cart) • Disjunctive completion • L = (D, , , , , ) • Disj(L) = (2D, , , , , ) • Relational Product • Rel(L1, L2) = Disj(Cart(L1, L2))

More Related