spring 2014 program analysis and verification lecture 9: abstract interpretation i
DESCRIPTION
Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I. Roman Manevich Ben-Gurion University. Syllabus. Previously. Another static analysis example – constant propagation Basic concepts in static analysis Control flow graphs Equation systems - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/1.jpg)
Spring 2014Program Analysis and Verification
Lecture 9: Abstract Interpretation I
Roman ManevichBen-Gurion University
![Page 2: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/2.jpg)
2
Syllabus
Semantics
NaturalSemantics
Structural semantics
AxiomaticVerification
StaticAnalysis
AutomatingHoare Logic
Control Flow Graphs
Equation Systems
CollectingSemantics
AbstractInterpretation fundamentals
Lattices
Galois Connections
Fixed-Points
Widening/Narrowing
Domain constructors
InterproceduralAnalysis
AnalysisTechniques
Numerical Domains
CEGAR
Alias analysis
ShapeAnalysis
Crafting your own
Soot
From proofs to abstractions
Systematically developing
transformers
![Page 3: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/3.jpg)
3
Previously
• Another static analysis example – constant propagation
• Basic concepts in static analysis– Control flow graphs– Equation systems– Collecting semantics– (Trace semantics)
![Page 4: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/4.jpg)
4
Annotating programsAnnotate(P, S) = case S is x:=aexpr return {P} x:=aexpr {F*[x:=aexpr] P} case S is S1; S2
let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2} case S is if bexpr then S1 else S2
let Pt = F[assume bexpr] P let Pf = F[assume bexpr] P let Annotate(Pt, S1) be {Pt} A1 {Q1} let Annotate(Pf, S2) be {Pf} A2 {Q2} return {P} if bexpr then {Pt} A1 {Q1}
else {Pf} A2 {Q2} {Q1 Q2}
case S is while bexpr do S N := Nc := P // Initialize repeat
let Pt = F[assume bexpr] Nc
let Annotate(Pt, S) be {Nc} Abody {N} Nc := Nc N
until N = Nc return {P} INV= {N} while bexpr do {Pt} Abody {F[assume bexpr](N)}
![Page 5: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/5.jpg)
Collecting semantics example: input 1
1234
5
if x > 0
x := x - 1
2
3
entry
exit
[x1]
[x1]
[x0]
[x0]
[x-1]
[x-1]
5
[x1][x2][x3]…label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
![Page 6: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/6.jpg)
Collecting semantics example: input 2
1234
5
if x > 0
x := x - 1
2
3
entry
exit
[x1]
[x1]
[x0]
[x0]
[x-1][x2]
[x2][x-1]
6
[x1][x2][x3]…label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
![Page 7: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/7.jpg)
Collecting semantics example: input 3
1234
5
if x > 0
x := x - 1
2
3
entry
exit
[x1]
[x1]
[x0]
[x0]
[x-1][x2]
[x2]
[x2][x3]
[x3][x-1]
7
[x1][x2][x3]…label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
![Page 8: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/8.jpg)
ad infinitum – fixed point
1234
5
if x > 0
x := x - 1
2
3
entry
exit
[x1]
[x1]
[x1]
[x0][x-1]
[x2]
[x2]
[x2]
[x2]
[x3]
[x3]
[x3]
…
…
…8
label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
[x-1][x-2]…
![Page 9: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/9.jpg)
Predicates at fixed point
1234
5
if x > 0
x := x - 1
2
3
entry
exit
9
label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
{true}
{true}
{x>0}{x0} {x0}
![Page 10: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/10.jpg)
10
Equational definition example• A vector of variables R[0, 1, 2, 3, 4]• R[0] = {xZ} // established input
R[1] = R[0] R[4]R[2] = R[1] {s | s(x) > 0}R[3] = R[1] {s | s(x) 0}R[4] = x:=x-1 R[2]
• A (recursive) system of equations
if x > 0
x := x-1
entry
exit
R[0]
R[1]
R[2]R[4]
R[3]
Semantic function for assume x>0
Semantic function for x:=x-1 lifted to sets of states
![Page 11: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/11.jpg)
11
General definition• A vector of variables R[0, …, k] one per input/output of a node
– R[0] is for entry• For node n with multiple predecessors add equation
R[n] = {R[k] | k is a predecessor of n}• For an atomic operation node R[m] S R[n] add equation
R[n] = S R[m]
• Transform if b then S1 else S2
to (assume b; S1) or (assume b; S2)
if x > 0
x := x-1
entry
exit
R[0]
R[1]
R[2]R[4]
R[3]
![Page 12: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/12.jpg)
12
Current lecture
• Semantic domains– Preorders– Partial orders (posets)– Pointed posets– Ascending/descending chains– The height of a poset– Join and Meet operators– Complete lattices– Constructing new lattices from old
Appendix A.
![Page 13: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/13.jpg)
13
By Rama (Own work) [CC-BY-SA-2.0-fr (http://creativecommons.org/licenses/by-sa/2.0/fr/deed.en)], via Wikimedia Commons
Abstractinterpretation
Theory[1977]
![Page 14: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/14.jpg)
14
Abstract Interpretation [CC77]• A very general mathematical framework
for approximating semantics– Generalizes Hoare Logic– Generalizes weakest precondition calculus
• Allows designing sound static analysis algorithms– Usually compute by iterating to a fixed-point– Not specific to any programming language style
• Results of an abstract interpretation are (loop) invariants– Can be interpreted as axiomatic verification assertions and
used for verification
![Page 15: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/15.jpg)
15
Annotating programsAnnotate(P, S) = case S is x:=aexpr return {P} x:=aexpr {F*[x:=aexpr] P} case S is S1; S2
let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2} case S is if bexpr then S1 else S2
let Pt = F[assume bexpr] P let Pf = F[assume bexpr] P let Annotate(Pt, S1) be {Pt} A1 {Q1} let Annotate(Pf, S2) be {Pf} A2 {Q2} return {P} if bexpr then {Pt} A1 {Q1}
else {Pf} A2 {Q2} {Q1 Q2}
case S is while bexpr do S N := Nc := P // Initialize repeat
let Pt = F[assume bexpr] Nc
let Annotate(Pt, S) be {Nc} Abody {N} Nc := Nc N
until N = Nc return {P} INV= {N} while bexpr do {Pt} Abody {F[assume bexpr](N)}
Approximates concrete semantics sp(x:=aexpr, P) F*[x:=aexpr]
Approximates disjunction
{ P’ } S { Q’ } { P } S { Q }[consp] if PP’ and Q’Q
![Page 16: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/16.jpg)
16
The big picture• Use semantic domains to define both concrete
semantics and abstract semantics• Relate semantics in a sound way• Interpret program over abstract semantics
set of states set of statescollecting semantics
statement Sset of states
abstract representationof sets of states
abstract semanticsstatement S abstract
representationof sets of states
meaningabstraction meaningabstraction
![Page 17: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/17.jpg)
17
A theoryof semantic
domains
By Brett Jordan David Macdonald [CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons
1. Approximating elements2. Approximating sets of elements
![Page 18: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/18.jpg)
18
Overall idea
• A semantic domain can be used to define properties (representations of predicates)– Also called abstract states
• Common representations– Logical formulas– Automata– Specialized graphs
![Page 19: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/19.jpg)
19
A taxonomy of semantic domain typesComplete Lattice(D, , , , , )
Lattice(D, , , , , )
Join semilattice(D, , , )
Meet semilattice(D, , , )
Complete partial order (CPO)(D, , )
Partial order (poset)(D, )
Preorder(D, )
![Page 20: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/20.jpg)
20
preorders
![Page 21: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/21.jpg)
21
Preorder
• Let D be a set of elements• We say that a binary order relation over D
is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’
• There may exist d, d’ such thatd d’ and d’ d yet d d’
![Page 22: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/22.jpg)
22
Preorder examples• SAV-predicates– SAV-factoids
= { x = y | x, y Var } { x = y + z | x, y, z Var }– SAV-predicates = 2
– Order relation 1: P1 set P2 iff P1 P2
– Order relation 2: P1 imp P2 iff P1 P2
– Which order relation is stronger(contains more pairs)?
– Which order relation is easier to check?– What if both P1 and P2 are in the image of explicate?
![Page 23: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/23.jpg)
23
SAV preorder 1: P1 set P2 iff P1 P2
{x=y} {x=x+x} {y=y+y}
{}
{y=x} {y=x+y} {y=y+x} {x=x+y} {x=y+x}
{x=y, y=x} {x=y, x=x+x} {x=x+y, x=y+x}…
{x=y, x=x+x, x=x+y} {x=y, x=x+x, x=x+y}…
{x=y, y=x, x=x+x, y=y+y, y=x+y, y=y+x, x=x+y, x=y+x}
Var = {x, y}
![Page 24: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/24.jpg)
24
SAV preorder 2: P1 imp P2 iff P1 P2
{x=y} {x=x+x} {y=y+y}
{}
{y=x} {y=x+y} {y=y+x} {x=x+y} {x=y+x}
{x=y, y=x} {x=x+y, x=y+x}…
{x=y, x=x+x, x=x+y} {x=y, x=x+x, x=x+y}
…
{x=y, y=x, x=x+x, y=y+y, y=x+y, y=y+x, x=x+y, x=y+x}
{x=y, x=x+x}
Var = {x, y}
…
![Page 25: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/25.jpg)
25
Preorder examples
• CP-predicates– CP-factoids
= { x = c | x Var, c Z }– CP-predicates = 2
– Order relation 1: P1 set P2 iff P1 P2
– Order relation 2: P1 imp P2 iff P1 P2
– Is there a difference?• {x=5, x=7, x=9} {x=5, x=7}• {x=5, x=7, x=9} {x=5, x=7}• {x=5, x=7} {x=5, x=7, x=9}
![Page 26: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/26.jpg)
26
CP preorder example
{x=-3} {x=-1} {x=0}
{}
{x=-2} {x=1} {x=2} {x=3}… …
Var = {x}
![Page 27: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/27.jpg)
27
CP preorder example
{x=-3} {x=3} {y=-5}
{}
{x=0} {y=0} {y=36}… …
{x=-3, y=-5} {x=0, y=0} {x=3, y=36}
…
Var = {x, y}
![Page 28: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/28.jpg)
28
The problem with preorders
• Equivalent elements have different representations– {x=y, x=a+b} S {Q}– {x=y, y=a+b} S {Q’}
• Leads to unpredictability• Which result should our static analysis give?
![Page 29: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/29.jpg)
29
The problem with preorders
• Equivalent elements have different representations– {x=y, x=a+b} assume ya+b {x=y, x=a+b}– {x=y, y=a+b} assume ya+b {false}
• Leads to unpredictability• Which result should our static analysis give?
![Page 30: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/30.jpg)
30
The problem with preorders
• Equivalent elements have different representations– {x=y, x=a+b} assume xa+b {false}– {x=y, y=a+b} assume xa+b {x=y, x=a+b}
• Leads to unpredictability• Which result should our static analysis give?
In practice many static analyses still use preorders
![Page 31: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/31.jpg)
31
Partial orders
![Page 32: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/32.jpg)
32
Partially ordered sets (partial orders)
• A partially ordered set (Poset for short)is a pair (D , )
• D is a set of elements – a semantic domain• is a partial order between pairs of elements
from D. That is : D D with the following properties, for all d, d’, d’’ in D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’– Anti-symmetric: d d’ and d’ d implies d = d’
• If d d’ and d d’ we write d d’
Makes it easier to choose the best element
![Page 33: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/33.jpg)
33
Partially ordered sets (partial orders)
• A partially ordered set (Poset for short)is a pair (D , )
• D is a set of elements – a semantic domain• is a partial order between pairs of elements
from D. That is : D D with the following properties, for all d, d’, d’’ in D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’– Anti-symmetric: d d’ and d’ d implies d = d’
• If d d’ and d d’ we write d d’
![Page 34: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/34.jpg)
34
SAV partial order• SAV-predicates– SAV-factoids
= { x = y | x, y Var } { x = y + z | x, y, z Var }– SAV-predicates = 2
• Order relation 1: P1 set P2 iff P1 P2
Is this a partial order?• Order relation 2: P1 imp P2 iff P1 P2
that is models(P1) models(P2)Is this a partial order?
• Order relation 3: P1 set* P2 iff Explicate(P1) set Explicate(P2)Is this a partial order?
![Page 35: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/35.jpg)
35
CP partial order
• CP-predicates– CP-factoids
= { x = c | x Var, c Z }– CP-predicates = 2
• Order relation 1: P1 set P2 iff P1 P2
Is it a partial order?• Order relation 2: P1 imp P2 iff P1 P2
Is it a partial order?
Can we define a more precise partial order?
![Page 36: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/36.jpg)
36
CP partial order
• CP-predicates– CP-factoids false = { x = c | x Var, c Z }– CP-predicates = 2 {false}– Define reduce : 2 2
reduce(P) = if exists {x=c1, x=c2}P then {false} else P
– false = { P2 | P=reduce(P) } {false}
• Order relation: P1 P2 if P1 P2 or P1={false}
![Page 37: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/37.jpg)
37
Pointed poset
• A poset (D, ) with a least element is called a pointed poset– For all dD we have that d
• The pointed poset is denoted by (D , , )• We can always transform a poset (D, ) into a
pointed poset by adding a special bottom element
(D {}, {d | dD}, )• Example: false = { P2 | P=reduce(P) } {false}
![Page 38: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/38.jpg)
38
chains
![Page 39: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/39.jpg)
39
Chains• If d d’ and d d’ we write d d’• Similarly define d d’• Let (D, ) be a poset• An ascending chain is a sequence
x1 x2 … xk …• A descending chain is a sequence
x1 x2 … xk …• The height of a poset is the length of the maximal
ascending chain– What is the height of the SAV poset?– What is the height of the CP poset?
![Page 40: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/40.jpg)
40
Ascending chain example
true
false
x=0
x0
x<0 x>0
x0
![Page 41: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/41.jpg)
41By Viviana Pastor (originally posted to Flickr as Harbour Bridge 1) [CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons
Joining elements
![Page 42: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/42.jpg)
42
Bounds• Let (D , ) be a poset• Let X D be a set of elements from D• An element dD is an upper bound (ub) of X iff for
every xD we have that xd• An element dD is a lower bound (lb) of X
iff for every xD we have that dx• An element dD is the least upper bound (lub) of X
iff d is the minimal of all upper bounds of X• An element dD is the greatest lower bound (glb)
of X iff d is the maximal of all lower bounds of X
![Page 43: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/43.jpg)
43
Bounds example
true
false
x=0
x0
x<0 x>0
x0
the signs lattice(for variable x)
![Page 44: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/44.jpg)
44
x0 and true are upper bounds
true
false
x=0
x0
x<0 x>0
x0
![Page 45: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/45.jpg)
45
x0 is the least upper bound
true
false
x=0
x0
x<0 x>0
x0
![Page 46: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/46.jpg)
46
Join (confluence) operator• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The join of X is defined as
– X = the least upper bound (LUB) of all elements in X if it exists– X = min{ b | forall xX we have that xb}– The supremum of the elements in X– A kind of abstract union (disjunction) operator
• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x
• x y = y iff x y
![Page 47: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/47.jpg)
47
Properties of join
• Can be used to define partial orderx y = y iff x y
• Monotone: if y z then (x y) (x z)• x = x• x =
![Page 48: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/48.jpg)
48
Meet operator• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The meet of X is defined as– X = the greatest lower bound (GLB) of all elements in X if it exists– X = max{ b | forall xX we have that bx}– The infimum of the elements in X– A kind of abstract intersection (conjunction) operator
• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x
![Page 49: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/49.jpg)
49
Complete partial orders
![Page 50: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/50.jpg)
50
Complete partial order (CPO)
• A CPO is a partial order where each ascending chain has a supremum
![Page 51: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/51.jpg)
51
lattices
![Page 52: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/52.jpg)
52
Complete lattice
• A complete lattice (D, , , , , ) is• A set of elements D• A partial order x y• A join operator • A meet operator
![Page 53: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/53.jpg)
53
Join semilattice
• A complete lattice (D, , , ) is• A set of elements D with • A partial order x y• A join operator
![Page 54: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/54.jpg)
54
Meet semilattice
• A complete lattice (D, , , ) is• A set of elements D with • A partial order x y• A meet operator
![Page 55: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/55.jpg)
55
Powerset lattices
• For a set of elements X we define the powerset lattice for X as
(2X, , , , , X)– Notice it is a complete lattice
• For a set of program states State, we define the collecting lattice
(2State, , , , , State)
![Page 56: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/56.jpg)
56
Composing lattices
![Page 57: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/57.jpg)
57
One lattice per variable
true
false
x=0
x0
x<0 x>0
x0
true
false
y=0
y0
y<0 y>0
y0
How can we compose them?
![Page 58: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/58.jpg)
58
Cartesian product of complete lattices• For two complete lattices
L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)
• Define the posetLcart = (D1D2, cart, cart, cart, cart, cart)as follows:– (x1, x2) cart (y1, y2) iff
x1 1 y1 andx2 2 y2
– cart = ? cart = ? cart = ? cart = ?
• Lemma: L is a complete lattice• Define the Cartesian constructor Lcart = Cart(L1, L2)
![Page 59: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/59.jpg)
59
Cartesian product exampletrue
false
x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0
x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0……
x0,y0 x0,y0 x0,y0x0,y0
x0 x0 y0 y0
…
(false, false)
(true, true)
How does it represent(x<0y<0) (x>0y>0)?
![Page 60: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/60.jpg)
60
Disjunctive completion• For a complete lattice
L = (D, , , , , )• Define the powerset lattice
L = (2D, , , , , ) = ? = ? = ? = ? = ?
• Lemma: L is a complete lattice• L contains all subsets of D, which can be thought of
as disjunctions of the corresponding predicates• Define the disjunctive completion constructor
L = Disj(L)
![Page 61: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/61.jpg)
61
The base lattice CPfalse
{x=0}
true
{x=-1}{x=-2} {x=1} {x=2} ……
false
![Page 62: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/62.jpg)
62
The disjunctive completion of CPfalse
{x=0}
true
{x=-1}{x=-2} {x=1} {x=2} ……
false
{x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2}… … …
{x=0 x=1x=2}{x=-1 x=1x=-2}… ………
What is the height of this lattice?
![Page 63: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/63.jpg)
63
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = ?
![Page 64: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/64.jpg)
64
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = Disj(Cart(L1, L2))
• Lemma: L is a complete lattice• What does it buy us?
![Page 65: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/65.jpg)
65
Cartesian product exampletrue
false
x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0
x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0……
x0,y0 x0,y0 x0,y0x0,y0
x0 x0 y0 y0
…
How does it represent(x<0y<0) (x>0y>0)?
What is the height of this lattice?
![Page 66: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/66.jpg)
66
Relational product exampletrue
false
(x<0y<0)(x>0y>0)
x0 x0 y0 y0
How does it represent(x<0y<0) (x>0y>0)?
(x<0y<0)(x>0y=0) (x<0y0)(x<0y0)
…
What is the height of this lattice?
![Page 67: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/67.jpg)
Collecting semantics
1 label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
234
5
if x > 0
x := x - 1
2
3
entry
exit
[x1]
[x1]
[x1]
[x0]
[x0]
[x-1]
[x-1]
[x2]
[x2]
[x2]
[x2]
[x3]
[x3]
[x3]
…
…
…67
[x-2]…
![Page 68: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/68.jpg)
68
Defining the collecting semantics
• How should we represent the set of states at a given control-flow node by a lattice?
• How should we represent the sets of states at all control-flow nodes by a lattice?
![Page 69: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/69.jpg)
69
Finite maps• For a complete lattice
L = (D, , , , , )and finite set V
• Define the posetLVL = (VD, VL, VL, VL, VL, VL)as follows:– f1 VL f2 iff for all vV
f1(v) f2(v)– VL = ? VL = ? VL = ? VL = ?
• Lemma: L is a complete lattice• Define the map constructor LVL = Map(V, L)
![Page 70: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/70.jpg)
70
The collecting lattice
• Lattice for a given control-flow node v: ?
• Lattice for entire control-flow graph with nodes V:
?• We will use this lattice as a baseline for static
analysis and define abstractions of its elements
![Page 71: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/71.jpg)
71
The collecting lattice
• Lattice for a given control-flow node v: Lv=(2State, , , , , State)
• Lattice for entire control-flow graph with nodes V:
LCFG = Map(V, Lv)• We will use this lattice as a baseline for static
analysis and define abstractions of its elements
![Page 72: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/72.jpg)
72
Equational definition of the semantics
• Define variables of type set of states for each control-flow node
• Define constraints between them
if x > 0
x := x - 1
2
3
entry
exit
R[entry]
R[2]
R[3]R[exit]
![Page 73: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/73.jpg)
73
Equational definition of the semantics• R[2] = R[entry] x:=x-1 R[3]• R[3] = R[2] {s | s(x) > 0}• R[exit] = R[2] {s | s(x) 0}• A system of recursive equations• How can we approximate it using what
we have learned so far?if x > 0
x := x - 1
2
3
entry
exit
R[entry]
R[2]
R[3]R[exit]
![Page 74: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/74.jpg)
74
An abstract semantics• R[2] = R[entry] x:=x-1# R[3]• R[3] = R[2] {s | s(x) > 0}#
• R[exit] = R[2] {s | s(x) 0}#
• A system of recursive equations
if x > 0
x := x - 1
2
3
entry
exit
R[entry]
R[2]
R[3]R[exit]
Abstract transformer for x:=x-1
Abstract representationof {s | s(x) < 0}
![Page 75: Spring 2014 Program Analysis and Verification Lecture 9: Abstract Interpretation I](https://reader034.vdocuments.site/reader034/viewer/2022051420/56815ecf550346895dcd5829/html5/thumbnails/75.jpg)
Next lecture:abstract interpretation II