Noam Rinetzky Lecture 9: Abstract Interpretation II

  1. Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 9: Abstract Interpretation II Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

  2. From verification to analysis
  • Manual program verification
    • Verifier provides assertions
    • Loop invariants
  • Program analysis
    • Automatic program verification
    • Tool automatically synthesizes assertions
    • Finds loop invariants

  3. Abstract Interpretation [Cousot’77] • Mathematical foundation of static analysis

  4. Abstract Interpretation [Cousot’77]
  • Mathematical framework for approximating semantics (aka abstraction)
  • Allows designing sound static analysis algorithms
    • Usually computed by iterating to a fixed-point
  • Computes (loop) invariants
    • Can be interpreted as axiomatic verification assertions
  • Generalizes Hoare Logic & WP / SP calculus

  5. Abstract Interpretation [Cousot’77]
  • Mathematical foundation of static analysis
  • Abstract domains
    • Abstract states ~ Assertions
    • Join () ~ Weakening
  • Transformer functions
    • Abstract steps ~ Axioms
  • Chaotic iteration
    • Structured Programs ~ Control-flow graphs
    • Abstract computation ~ Loop invariants

  6. Concrete Semantics (diagram: statement S takes a set of states to a set of states under the operational semantics, i.e. the concrete semantics)

  7. Conservative Semantics (diagram: statement S takes a set of states to a set of states under the operational (concrete) semantics; the conservative semantics yields a third set of states that over-approximates that result)

  8. Abstract (conservative) interpretation generalizes axiomatic verification (diagram: the abstract semantics of statement S takes an abstract representation to an abstract representation, which over-approximates the abstraction of the set of states produced by the operational (concrete) semantics of S; the axiomatic counterpart shown is {P} S {Q}  sp(S, P))

  9. Abstract (conservative) interpretation (diagram: statement S under the abstract semantics takes an abstract representation to an abstract representation; concretization maps each to a set of states, and the set of states produced by the operational (concrete) semantics of S is contained in the concretization of the abstract result)

  10. Abstract (conservative) interpretation (diagram: as on slide 9, with the abstract representations now called abstract states and the abstract semantics of S called the transfer function)

  11. Abstract Interpretation [Cousot’77]
  • Mathematical foundation of static analysis
  • Abstract domains
    • Abstract states ~ Assertions
    • Join () ~ Weakening
  • Transformer functions
    • Abstract steps ~ Axioms
  • Chaotic iteration
    • Abstract computation ~ Loop invariants
    • Structured Programs ~ Control-flow graphs
  (side annotations: Lattices (D, , , , , ); Monotonic functions; Fixpoints)

  12. A taxonomy of semantic domain types
  • Complete Lattice (D, , , , , )
  • Lattice (D, , , , , )
  • Join semilattice (D, , , )
  • Meet semilattice (D, , , )
  • Complete partial order (CPO) (D, , )
  • Partial order (poset) (D, )
  • Preorder (D, )

  13. Preorder
  • We say that a binary order relation over a set D is a preorder if the following conditions hold for every d, d’, d’’  D
    • Reflexive: d  d
    • Transitive: d  d’ and d’  d’’ implies d  d’’

  16. Partial order
  • We say that a binary order relation over a set D is a partial order if the following conditions hold for every d, d’, d’’  D
    • Reflexive: d  d
    • Transitive: d  d’ and d’  d’’ implies d  d’’
    • Anti-symmetric: d  d’ and d’  d implies d = d’
  (Hasse diagram of d, d’ and d’’)

  17. Chains
  • d  d’ means d  d’ and d  d’
  • An ascending chain is a sequence x1  x2  …  xk  …
  • A descending chain is a sequence x1  x2  …  xk  …
  • The height of a poset (D, ) is the length of the maximal ascending chain in D

  18. poset (Hasse diagram for the lattice CP: a top element above the elements … {x=-2} {x=-1} {x=0} {x=1} {x=2} …, all of which are above a bottom element)

  19. Some posets-related terminology
  • If x  y (alternatively y ⊒ x) we can say
    • x is lower than y
    • x is more precise than y
    • x is more concrete than y
    • x under-approximates y
    • y is greater than x
    • y is less precise than x
    • y is more abstract than x
    • y over-approximates x

  20. Least upper bound (LUB)
  • (D, ) is a poset
  • b ∊ D is an upper bound of A ⊆ D if ∀a  A: a  b
  • b ∊ D is the least upper bound of A ⊆ D if
    • b is an upper bound of A
    • If b’ is an upper bound of A then b  b’
  • Join: X = LUB of X (may not exist)
  • x  y = {x, y} (may not exist)

  21. Join operator
  • Properties of a join operator
    • Commutative: x  y = y  x
    • Associative: (x  y)  z = x  (y  z)
    • Idempotent: x  x = x
  • A kind of abstract union (disjunction) operator
  • Top element of (D, ) is  = D

  22. Join Example (Hasse diagram of the lattice CP, as on slide 18)

  25. Greatest lower bound (GLB)
  • (D, ) is a poset
  • b ∊ D is a lower bound of A ⊆ D if ∀a  A: b  a
  • b ∊ D is the greatest lower bound of A ⊆ D if
    • b is a lower bound of A
    • If b’ is a lower bound of A then b’  b
  • Meet: X = GLB of X (may not exist)
  • x  y = {x, y} (may not exist)

  26. Meet operator
  • Properties of a meet operator
    • Commutative: x  y = y  x
    • Associative: (x  y)  z = x  (y  z)
    • Idempotent: x  x = x
  • A kind of abstract intersection (conjunction) operator
  • Bottom element of (D, ) is  = D

  27. Complete partial order (CPO)
  • A poset (D, ) is a complete partial order if every ascending chain x1  x2  …  xk  … has a LUB

  28. Meet Example (Hasse diagram of the sign lattice: a top element, a middle layer with the non-positive and non-negative elements, the elements x<0, x=0 and x>0 below them, and a bottom element)

  32. Join semilattices
  • (D, , , ) is a join semilattice
    • (D, ) is a partial order
    • ∀X FIN D . X is defined
    • A top element 

  33. Meet semilattices
  • (D, , , ) is a meet semilattice
    • (D, ) is a partial order
    • ∀X FIN D . X is defined
    • A bottom element 

  34. Lattices
  • (D, , , , , ) is a lattice if
    • (D, , , ) is a join semilattice
    • (D, , , ) is a meet semilattice
  • A lattice (D, , , , , ) is a complete lattice if
    • X and Y are defined for arbitrary sets

  35. Example: Powerset lattices
  • (2X, , , , , X) is the powerset lattice of X
  • A complete lattice

  36. Example: Sign lattice (Hasse diagram, as on slide 28)
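An added example, not from the lecture slides, that computes join and meet on the sign lattice of slide 36 directly from the LUB and GLB definitions of slides 20 and 25, and checks the operator laws of slides 21 and 26; the element names and the covering edges of the Hasse diagram are my own encoding of the figure.

```python
# Added example (not from the lecture slides): join and meet on the sign
# lattice of slide 36, computed directly from the LUB/GLB definitions of
# slides 20 and 25. The element names and Hasse edges are my encoding.
from itertools import product

# Elements: "bot" is the bottom (false), "top" is the top (true).
D = ["bot", "x<0", "x=0", "x>0", "x<=0", "x>=0", "top"]

# Covering edges (lower, upper) of the Hasse diagram; the order relation is
# their reflexive-transitive closure.
COVERS = {("bot", "x<0"), ("bot", "x=0"), ("bot", "x>0"),
          ("x<0", "x<=0"), ("x=0", "x<=0"), ("x=0", "x>=0"),
          ("x>0", "x>=0"), ("x<=0", "top"), ("x>=0", "top")}

def leq(a, b):
    """a is below b (slide 19: a is more precise than b)."""
    return a == b or any(leq(up, b) for (lo, up) in COVERS if lo == a)

def join(*xs):
    """LUB of xs (slide 20): the upper bound that is below every upper bound.
    With no arguments this is the join of the empty set, i.e. bot."""
    ubs = [b for b in D if all(leq(a, b) for a in xs)]
    least = [b for b in ubs if all(leq(b, c) for c in ubs)]
    assert len(least) == 1, "no unique LUB: not a join semilattice"
    return least[0]

def meet(*xs):
    """GLB of xs (slide 25); the meet of the empty set is top."""
    lbs = [b for b in D if all(leq(b, a) for a in xs)]
    greatest = [b for b in lbs if all(leq(c, b) for c in lbs)]
    assert len(greatest) == 1, "no unique GLB: not a meet semilattice"
    return greatest[0]

def height():
    """Longest ascending chain (slide 17), counted in elements."""
    def longest(a):
        return 1 + max((longest(up) for (lo, up) in COVERS if lo == a), default=0)
    return longest("bot")

def check_laws():
    """Commutativity, associativity and idempotence of slides 21 and 26."""
    for x, y, z in product(D, repeat=3):
        assert join(x, y) == join(y, x) and meet(x, y) == meet(y, x)
        assert join(join(x, y), z) == join(x, join(y, z))
        assert meet(meet(x, y), z) == meet(x, meet(y, z))
        assert join(x, x) == x and meet(x, x) == x
    return True
```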

  37. A taxonomy of semantic domain types
  • Complete Lattice (D, , , , , ): join/meet exist for every subset of D
  • Lattice (D, , , , , ): join/meet exist for every finite subset of D (alternatively, binary join/meet)
  • Join semilattice (D, , , ) (annotation: meet of the empty set)
  • Meet semilattice (D, , , ) (annotation: join of the empty set)
  • Complete partial order (CPO) (D, , ): poset with LUB for all ascending chains
  • Partial order (poset) (D, ): reflexive, transitive, anti-symmetric: d  d’ and d’  d implies d = d’
  • Preorder (D, ): reflexive: d  d; transitive: d  d’, d’  d’’ implies d  d’’

  38. Towards a recipe for static analysis

  39. Collecting semantics
  • For a set of program states State, we define the collecting lattice (2State, , , , , State)
  • The collecting semantics accumulates the (possibly infinite) sets of states generated during the execution
  • Not computable in general

  41. Abstract (conservative) interpretation (diagram: the abstract semantics of x = x - 1 takes the abstract state 0 < x to 0 ≤ x; their concretizations are {x↦1, x↦2, …} and {x↦0, x↦1, …}; the operational (concrete) semantics of x=x-1 takes {x↦1, x↦2, …} to {x↦0, x↦1, …}, which is contained in the concretization of 0 ≤ x)

  42. Abstract (conservative) interpretation (diagram: as on slide 41, but the abstract semantics takes 0 < x to a coarser abstract state whose concretization is {…, x↦0, …}; the concrete result {x↦0, x↦1, …} of x=x-1 is still contained in it, so the interpretation is still conservative)

  43. Abstract (non-conservative) interpretation (diagram: the abstract semantics takes 0 < x to 0 < x; its concretization {x↦1, …} does not contain (⊈) the concrete result {x↦0, x↦1, …} of x=x-1 applied to {x↦1, x↦2, …} under the operational (concrete) semantics)
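An added example, not from the lecture slides, that checks the conservative transformer of slides 41 and 42 and the non-conservative one of slide 43 against the concrete semantics of x = x - 1 on a constructed sample of integers; the sign elements, the predicates standing in for their concretization, and the two transformer tables are my own encoding.

```python
# Added example (not from the lecture slides): checking the abstract
# transformers for x = x - 1 of slides 41 to 43 against the concrete
# semantics on a constructed sample of integers. The sign elements and
# their predicates (their concretization) are my encoding.
GAMMA = {"bot": lambda x: False, "x<0": lambda x: x < 0,
         "x=0": lambda x: x == 0, "x>0": lambda x: x > 0,
         "x<=0": lambda x: x <= 0, "x>=0": lambda x: x >= 0,
         "top": lambda x: True}
SAMPLE = range(-5, 6)       # constructed finite sample of concrete states

def concrete_post(a):
    """States reachable by x = x - 1 from the sampled states in gamma(a)
    (the bottom row of slide 41)."""
    return {x - 1 for x in SAMPLE if GAMMA[a](x)}

# Conservative transformer (slides 41 and 42): 0 < x becomes 0 <= x,
# because decrementing 1 yields 0.
SOUND_DEC = {"bot": "bot", "x<0": "x<0", "x=0": "x<0", "x>0": "x>=0",
             "x<=0": "x<0", "x>=0": "top", "top": "top"}

# Non-conservative transformer (slide 43): keeps 0 < x and so drops x = 0.
UNSOUND_DEC = dict(SOUND_DEC, **{"x>0": "x>0"})

def is_sound(transformer, a):
    """Slide 42's containment: every concrete successor of gamma(a) lies in
    gamma(transformer(a))."""
    return all(GAMMA[transformer[a]](x) for x in concrete_post(a))

def unsound_elements(transformer):
    """Abstract states on which the transformer under-approximates."""
    return [a for a in GAMMA if not is_sound(transformer, a)]
```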

  44. But …
  • What if we have x & y?
    • Define lattice (semantics) for each variable
    • Compose lattices
    • Goal: compositional definition
  • What if we have more than 1 statement?
    • Define semantics for entire program via CFG
    • Different “abstract states” at every CFG node

  45. One lattice per variable (diagram: two sign lattices side by side, one for x and one for y, each with true at the top and false at the bottom) How can we compose them?

  46. Cartesian product of complete lattices
  • For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) and L2 = (D2, 2, 2, 2, 2, 2)
  • Define the poset Lcart = (D1D2, cart, cart, cart, cart, cart) as follows:
    • (x1, x2) cart (y1, y2) iff x1 1 y1 and x2 2 y2
    • cart = ? cart = ? cart = ? cart = ?
  • Lemma: L is a complete lattice
  • Define the Cartesian constructor Lcart = Cart(L1, L2)

  47. Cartesian product example (Hasse diagram of the Cartesian product of the x and y sign lattices, from the top pair down to the bottom pair (false, false); the middle layers contain pairs such as x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0) How does it represent (x<0y<0)  (x>0y>0)?

  48. Disjunctive completion
  • For a complete lattice L = (D, , , , , )
  • Define the powerset lattice L = (2D, , , , , )
    • = ?  = ?  = ?  = ?  = ?
  • Lemma: L is a complete lattice
  • L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
  • Define the disjunctive completion constructor L = Disj(L)

  49. The base lattice CP (Hasse diagram, as on slide 18)

  50. The disjunctive completion of CP. What is the height of this lattice? (Hasse diagram with true at the top and false at the bottom; the other elements are the singletons … {x=-2} {x=-1} {x=0} {x=1} {x=2} …, the pairs … {x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2} …, the triples … {x=-1 x=1x=-2} {x=0 x=1x=2} …, and so on)
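An added example, not from the lecture slides, that implements the Cart constructor of slide 46 and the Disj constructor of slide 48 over the sign lattice and reproduces the precision question of slide 47; the finite integer universe and the set-based encoding of the sign elements (their concretization) are constructed assumptions of mine.

```python
# Added example (not from the lecture slides): the Cart constructor of
# slide 46 and the Disj constructor of slide 48 over the sign lattice, and
# the precision question of slide 47. The integer sample universe and the
# set-based encoding of sign elements (their concretization) are constructed.
INTS = frozenset(range(-3, 4))            # constructed sample universe

# Each sign element is given by its concretization, so the order is subset
# inclusion and the join is the least element covering the union.
SIGN = {"bot": frozenset(), "top": INTS,
        "x<0": frozenset(i for i in INTS if i < 0),
        "x=0": frozenset({0}),
        "x>0": frozenset(i for i in INTS if i > 0),
        "x<=0": frozenset(i for i in INTS if i <= 0),
        "x>=0": frozenset(i for i in INTS if i >= 0)}

def sign_leq(a, b):
    return SIGN[a] <= SIGN[b]

def sign_join(a, b):
    cands = [c for c in SIGN if SIGN[a] | SIGN[b] <= SIGN[c]]
    return min(cands, key=lambda c: len(SIGN[c]))   # the LUB is the smallest

# Cart(L1, L2) (slide 46): componentwise order and join on pairs.
def cart_leq(p, q):
    return sign_leq(p[0], q[0]) and sign_leq(p[1], q[1])

def cart_join(p, q):
    return (sign_join(p[0], q[0]), sign_join(p[1], q[1]))

# Disj(L) (slide 48): elements are sets of base elements (disjunctions),
# ordered by subset inclusion, so the join is set union.
def disj_join(s, t):
    return frozenset(s) | frozenset(t)

def gamma_cart(p):
    """Concretization of a pair: all (x, y) states it describes."""
    return {(x, y) for x in SIGN[p[0]] for y in SIGN[p[1]]}

def gamma_disj(s):
    return set().union(*(gamma_cart(p) for p in s))

def precision_loss():
    """Slide 47: represent (x<0 and y<0) or (x>0 and y>0) in both domains.
    Returns the spurious states Cart adds and whether Disj is exact."""
    a, b = ("x<0", "x<0"), ("x>0", "x>0")
    exact = gamma_cart(a) | gamma_cart(b)
    cart = gamma_cart(cart_join(a, b))             # (top, top)
    disj = gamma_disj(disj_join({a}, {b}))
    return cart - exact, disj == exact
```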