program analysis and verification spring 2015 program analysis and verification lecture 12: abstract...
TRANSCRIPT
![Page 1: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/1.jpg)
Spring 2015Program Analysis and Verification
Lecture 12: Abstract Interpretation IV
Roman ManevichBen-Gurion University
![Page 2: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/2.jpg)
2
הוראה סקר
באימייל • מופץאנונימי•
![Page 3: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/3.jpg)
3
Syllabus
Semantics
NaturalSemantics
Structural semantics
AxiomaticVerification
StaticAnalysis
AutomatingHoare Logic
Control Flow Graphs
Equation Systems
CollectingSemantics
AbstractInterpretation fundamentals
Lattices
Fixed-Points
Chaotic Iteration
Galois Connections
Domain constructors
Widening/Narrowing
AnalysisTechniques
Numerical Domains
Alias analysis
InterproceduralAnalysis
ShapeAnalysis
CEGAR
Crafting your own
Soot
From proofs to abstractions
Systematically developing
transformers
![Page 4: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/4.jpg)
4
Previously
• Solving monotone systems via chaotic iteration
• Relating abstract semantics and concrete semantics– Galois connection– Sound abstract transformers– Partial reduction– Completeness
• Implementing transformers
![Page 5: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/5.jpg)
5
Agenda
Question: given existing abstract interpreters (GC + transformers) can we reuse them to construct a new abstract interpreter?
• Composing abstract domains (and GCs)• Reduced product• Implementing composition of analyses
![Page 6: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/6.jpg)
6
Composing lattices
![Page 7: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/7.jpg)
7
Three example analyses
• Abstract states are conjunctions of constraints• Variable Equalities– VE-factoids = { x=y | x, y Var} false
VE = (2VE-factoids, , , , false, )• Constant Propagation– CP-factoids = { x=c | x Var, c Z} false
CP = (2CP-factoids, , , , false, )• Available Expressions– AE-factoids = { x=y+z | x Var, y,z VarZ} false
AE = (2AE-factoids, , , , false, )
![Page 8: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/8.jpg)
8
Lattice combinators reminder
• Cartesian Product– L1 = (D1, 1, 1, 1, 1, 1)
L2 = (D2, 2, 2, 2, 2, 2)
– Cart(L1, L2) = (D1D2, cart, cart, cart, cart, cart)
• Disjunctive completion– L = (D, , , , , )– Disj(L) = (2D, , , , , )
• Relational Product– Rel(L1, L2) = Disj(Cart(L1, L2))
![Page 9: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/9.jpg)
9
Cartesian product of complete lattices
• For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)
• Define the posetLcart = (D1D2, cart, cart, cart, cart, cart)as follows:– (x1, x2) cart (y1, y2) iff
x1 1 y1 andx2 2 y2
• Lemma: L is a complete lattice• Define the Cartesian constructor Lcart = Cart(L1, L2)
![Page 10: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/10.jpg)
10
Composing Galois connections
![Page 11: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/11.jpg)
11
Goal
• Given two Galois connections, can we combine them to form a new Galois connection?
![Page 12: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/12.jpg)
12
Product connection: abstraction
CPVE lattice
{a=9, c=9}{c=a}{[a9, c 9]}
collecting lattice
{}
![Page 13: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/13.jpg)
13
Product connection: concretization
CPVE lattice
{a=9}{c=a}
{[a9, c 0] [a9, c 1] [a9, c 9] ... }
collecting lattice
{}
{[a9, c 9] [a1, c 1] [a2, c 2] ... }
![Page 14: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/14.jpg)
14
Product connection: concretization
CPVE lattice
{a=9}{c=a}
collecting lattice
{}
{[a9, c 9]}
![Page 15: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/15.jpg)
15
Cartesian product of GCs
• GCA=(C, A, A, A)GCB=(C, B, B, B)
• Cartesian ProductGCAB = (C, AB, AB, AB)
– AB(X) = ?– AB(Y1,Y2) = ?
![Page 16: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/16.jpg)
16
Cartesian product of GCs
• GCA=(C, A, A, A)GCB=(C, B, B, B)
• Cartesian ProductGCAB = (C, AB, AB, AB)
– AB(X) = A(X), B(X)– AB(Y1,Y2) = A(Y1) B(Y2)
![Page 17: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/17.jpg)
17
Product vs. reduced product
![Page 18: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/18.jpg)
18
Product vs. reduced product
CPVE lattice
{a=9}{c=a} {c=9}{c=a}
{a=9, c=9}{c=a}{[a9, c 9]}
collecting lattice
{}
![Page 19: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/19.jpg)
19
Reduced product
• For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)
• Define the reduced posetD1D2 = {(d1,d2)D1D2 | (d1,d2) = (d1,d2) } L1L2 = (D1D2, cart, cart, cart, cart, cart)
![Page 20: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/20.jpg)
20
Cartesian product transformers
• GCA=(C, A, A, A) FA[st] : A AGCB=(C, B, B, B) FB[st] : B B
• Cartesian ProductGCAB = (C, AB, AB, AB)
– AB(X) = (A(X), B(X))– AB(Y) = A(X) B(X)
• How should we define FAB[st] : AB AB ?
![Page 21: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/21.jpg)
21
Cartesian product transformers
• GCA=(C, A, A, A) FA[st] : A AGCB=(C, B, B, B) FB[st] : B B
• Cartesian ProductGCAB = (C, AB, AB, AB)
– AB(X) = (A(X), B(X))– AB(Y) = A(X) B(X)
• How should we define FAB[st] : AB AB ?• Idea: FAB[st](a, b) = (FA[st] a, FB[st] b)• Are component-wise transformers precise?
![Page 22: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/22.jpg)
22
Cartesian product analysis example• Abstract interpreter 1: Constant Propagation• Abstract interpreter 2: Variable Equalities• Let’s compare
– Running them separately and combining results– Running the analysis with their Cartesian product
a := 9;b := 9;c := a;
a := 9;b := 9;c := a;
CP analysis VE analysis{a=9}{a=9, b=9}{a=9, b=9, c=9}
{}{}{c=a}
![Page 23: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/23.jpg)
23
Cartesian product analysis example• Abstract interpreter 1: Constant Propagation• Abstract interpreter 2: Variable Equalities• Let’s compare
– Running them separately and combining results– Running the analysis with their Cartesian product
CP analysis + VE analysisa := 9;b := 9;c := a;
{a=9}{a=9, b=9}{a=9, b=9, c=9, c=a}
![Page 24: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/24.jpg)
24
Cartesian product analysis example• Abstract interpreter 1: Constant Propagation• Abstract interpreter 2: Variable Equalities• Let’s compare
– Running them separately and combining results– Running the analysis with their Cartesian product
CPVE analysisMissing
{a=b, b=c}
a := 9;b := 9;c := a;
{a=9}{a=9, b=9}{a=9, b=9, c=9, c=a}
![Page 25: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/25.jpg)
25
Transformers for Cartesian product
• Naïve (component-wise) transformers do not utilize information from both components– Same as running analyses separately and then
combining results• Can we treat transformers from each analysis
as black box and obtain best transformer for their combination?
![Page 26: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/26.jpg)
26
Can we combine transformers modularly?
No generic method for any abstract interpretations
![Page 27: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/27.jpg)
27
Implementing approximate reduced product
![Page 28: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/28.jpg)
28
Reducing values for CPVE
• X = set of CP constraints of the form x=c(e.g., a=9)
• Y = set of VE constraints of the form x=y• ReduceCPVE(X, Y) = (X’, Y’) such that
(X’, Y’) (X’, Y’)• Ideas?
![Page 29: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/29.jpg)
29
Reducing values for CPVE
• X = set of CP constraints of the form x=c (e.g., a=9)• Y = set of VE constraints of the form x=y• ReduceCPVE(X, Y) = (X’, Y’) such that (X’, Y’) (X’, Y’)• ReduceLeft:
– if a=c X and a=b Y then add b=c to X• ReduceRight:
– If a=c and b=c X then add a=b to Y• Keep applying ReduceLeft and ReduceRight and
reductions on each domain separately until reaching a fixed-point
![Page 30: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/30.jpg)
30
All the code you need to obtaina basic CPVE implementation
![Page 31: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/31.jpg)
31
Implementing reduction for CPVE
![Page 32: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/32.jpg)
32
Transformers for Cartesian product
• Do we get the best transformer by applying component-wise transformer followed by reduction?– Unfortunately, no (what’s the intuition?)
• Can we do better?– Logical Product [Gulwani and Tiwari, PLDI 2006]
![Page 33: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/33.jpg)
33
A modular approachfor approximatingreduced product
![Page 34: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/34.jpg)
34
Logical product--
• Idea: use equalities as common reasoning tool to pass information between two domains
• Assume A=(D,…) is an abstract domain that supports two operations: for xD– inferEqualities(x) = { a=b | (x) a=b }
returns a set of equalities between variables that are satisfied in all states given by x
– refineFromEqualities(x, {a=b}) = ysuch that• (x)=(y)• y x
![Page 35: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/35.jpg)
35
Need to implement interface
When interface not implemented default versions of these operations are used
![Page 36: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/36.jpg)
36
VE
![Page 37: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/37.jpg)
37
CP
![Page 38: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/38.jpg)
38
Implementing CP VE AE
![Page 39: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/39.jpg)
39
Reducing Cartesian elements
![Page 40: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/40.jpg)
40
![Page 41: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/41.jpg)
41
Logical Product-
basically the strongest postcondition
safely abstracting the existential quantifier
![Page 42: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/42.jpg)
42
Abstracting the existentialReduce the pair
Abstract away existential quantifier for each domain
![Page 43: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/43.jpg)
43
Combined analysis example
![Page 44: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/44.jpg)
44
Disjunctive completionfor path sensitivity
![Page 45: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/45.jpg)
45
Information loss example (CP)
if (…) b := 5else b := -5
if (b>0) b := b-5else b := b+5assert b==0
{}
{b=5}
{b=-5}
{true}
{true}
{true}
can’t prove
![Page 46: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/46.jpg)
46
Constant Propagation example
Lost all information about b at control-flow join
![Page 47: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/47.jpg)
47
Disjunctive completion of a lattice
• For a complete lattice L = (D, , , , , )
• Define the powerset lattice L = (2D, , , , , ) = ? = ? = ? = ? = ?
• Lemma: L is a complete lattice
• L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
• Define the disjunctive completion constructorL = Disj(L)
![Page 48: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/48.jpg)
48
Disjunctive completion for GCs
• GCA=(C, A, C, A)• Disjunctive completion
GCP(A) = (C, P(A), P(A), P(A))– P(A)(X) = ?– P(A)(Y) = ?
![Page 49: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/49.jpg)
49
Disjunctive completion for GCs
• GCA=(C, A, C, A)• Disjunctive completion
GCP(A) = (C, P(A), P(A), P(A))– P(A)(X) = {A({x}) | xX}– P(A)(Y) = {A(y) | yY}
• What about transformers?
![Page 50: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/50.jpg)
50
Information loss example
if (…) b := 5else b := -5
if (b>0) b := b-5else b := b+5assert b==0
{}
{b=5}
{b=-5}
{b=5 b=-5}
{b=0}
{b=0}proved
![Page 51: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/51.jpg)
51
Disj(CP) example
![Page 52: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/52.jpg)
52
The base lattice CPfalse
{x=0}
true
{x=-1}{x=-2} {x=1} {x=2} ……
false
![Page 53: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/53.jpg)
53
The disjunctive completion of CPfalse
true
false
{x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2}… … …
What is the height of this lattice?
{x=0}{x=-1}{x=-2} {x=1} {x=2} ……
{x=0 x=1x=2}{x=-1 x=1x=-2}… ……
…
![Page 54: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/54.jpg)
54
Mixing productand disjunctive completion
![Page 55: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/55.jpg)
55
Taming disjunctive completion
• Disjunctive completion is very precise– Maintains distinction between different execution
paths– Helps handle conditions precisely– But very expensive – number of abstract states
grows exponentially in the number of conditions– May lead to non-termination
• Base analysis is less precise but terminates• How can we increase precision and avoid non-
termination?
![Page 56: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/56.jpg)
56
Taming disjunctive completion
• Use different abstractions for different program locations– At loop heads use coarse abstraction (base)– At other points use disjunctive completion
• Termination is guaranteed (by base domain)• Precision increased inside loop body
![Page 57: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/57.jpg)
57
With Disj(CP)
while (…) { x := x+1 if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5 assert b==0}
Doesn’t terminate
![Page 58: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/58.jpg)
58
With tamed Disj(CP)
while (…) { x := x+1 if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5 assert b==0}
terminates
CP
Disj(CP)
What DisjunctiveDomain implements
![Page 59: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/59.jpg)
59
DisjunctiveDomain(CP) example
![Page 60: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/60.jpg)
60
Reducing disjunctive elements
• A disjunctive set X may contain within it an ascending chain Y=a b c…
• We only need max(Y) – remove all elements below
![Page 61: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/61.jpg)
61
Relational product construction
![Page 62: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/62.jpg)
62
Cartesian product example
Lost all information about b at control-flow join
![Page 63: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/63.jpg)
63
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = ?
![Page 64: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/64.jpg)
64
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = Disj(Cart(L1, L2))
• Lemma: L is a complete lattice• What does it buy us?– How is it relative to Cart(Disj(L1), Disj(L2))?
• What about transformers?
![Page 65: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/65.jpg)
65
Relational product of GCs
• GCA=(C, A, A, A)GCB=(C, B, B, B)
• Relational ProductGCP(AB) = (C, P(AB), P(AB), P(AB))
– P(AB)(X) = ?– P(AB)(Y) = ?
![Page 66: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/66.jpg)
66
Relational product of GCs
• GCA=(C, A, A, A)GCB=(C, B, B, B)
• Relational ProductGCP(AB) = (C, P(AB), P(AB), P(AB))
– P(AB)(X) = {(A({x}), B({x})) | xX}– P(AB)(Y) = {A(yA) B(yB) | (yA,yB)Y}
![Page 67: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/67.jpg)
67
Relational product example
Correlations preserved
![Page 68: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/68.jpg)
68
Function space construction
![Page 69: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/69.jpg)
69
Function space• GCA=(C, A, C, A)
GCB=(C, B, C, B)• Denote the set of monotone functions from A to B by AB• Define for elements of AB as follows
(a1, b1) (a2, b2) = if a1=a2 then {(a1, b1B b1)} else {(a1, b1), (a2, b2)}
• Reduced cardinal powerGCAB = (C, AB, AB, AB)
– AB(X) = {(A({x}), B({x})) | xX}– AB(Y) = {A(yA) B(yB) | (yA,yB)Y}
• Useful when A is small and B is much larger– E.g., typestate verification
![Page 70: Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University](https://reader030.vdocuments.site/reader030/viewer/2022032722/56649f485503460f94c6a522/html5/thumbnails/70.jpg)
Next lecture:abstract interpretation V