Abstract Interpretation Part I - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Abstract Interpretation Part I
  • Mooly Sagiv
  • Textbook Chapter 4

2
The Abstract Interpretation Technique (Cousot & Cousot)
  • The foundation of program analysis
  • Defines the meaning of the information computed
    by static tools
  • A mathematical framework
  • Allows proving that an analysis is sound in a
    local way
  • Identify design bugs
  • Understand where precision is lost
  • New analysis from old
  • Not limited to a particular programming style

3
Outline
  • Monotone Frameworks with Widening
  • Galois Connections (Insertions)
  • Collecting semantics
  • The Soundness Theorem

4
Specialized Chaotic Iterations
Chaotic(G(V, E): Graph, s: Node, L: lattice, ι: L, f: E → (L → L))
  for each v in V do
    df_entry[v] := ⊥
  df_entry[s] := ι
  WL := {s}
  while (WL ≠ ∅) do
    select and remove an element u ∈ WL
    for each v such that e = (u, v) ∈ E do
      temp := f(e)(df_entry[u])
      new := df_entry[v] ⊔ temp
      if (new ≠ df_entry[v]) then
        df_entry[v] := new
        WL := WL ∪ {v}
5
Widening
  • Accelerate the termination of Chaotic iterations
    by computing a more conservative solution
  • Can handle lattices of infinite heights

6
Specialized Chaotic Iterations with Widening (∇)
Chaotic(G(V, E): Graph, s: Node, L: lattice, ι: L, f: E → (L → L))
  for each v in V do
    df_entry[v] := ⊥
  df_entry[s] := ι
  WL := {s}
  while (WL ≠ ∅) do
    select and remove an element u ∈ WL
    for each v such that e = (u, v) ∈ E do
      temp := f(e)(df_entry[u])
      new := df_entry[v] ∇ temp
      if (new ≠ df_entry[v]) then
        df_entry[v] := new
        WL := WL ∪ {v}
7
Example: Interval Analysis
  • Find a lower and an upper bound of the value of a variable
  • Usages?
  • Lattice L = ((Z ∪ {-∞, +∞}) × (Z ∪ {-∞, +∞}), ⊑, ⊔, ⊓, ⊥, ⊤)
  • [a, b] ⊑ [c, d] if c ≤ a and b ≤ d
  • [a, b] ⊔ [c, d] = [min(a, c), max(b, d)]
  • [a, b] ⊓ [c, d] = [max(a, c), min(b, d)]
  • ⊥ (the empty interval)
  • ⊤ = [-∞, +∞]

8
Example Program: Interval Analysis
  • x := 1 [1]; while x ≤ 1000 [2] do x := x + 1 [3]

IntEntry(1) = [minint, maxint]               IntExit(1) = [1, 1]
IntEntry(2) = IntExit(1) ⊔ IntExit(3)        IntExit(2) = IntEntry(2)
IntEntry(3) = IntExit(2) ⊓ [minint, 1000]    IntExit(3) = IntEntry(3) + [1, 1]
IntEntry(4) = IntExit(2) ⊓ [1001, maxint]    IntExit(4) = IntEntry(4)
9
Widening for Interval Analysis
  • ⊥ ∇ [c, d] = [c, d]
  • [a, b] ∇ [c, d] = [if a ≤ c then a else -∞, if b ≥ d then b else +∞]

10
Example Program: Interval Analysis (with widening)
  • x := 1 [1]; while x ≤ 1000 [2] do x := x + 1 [3]

IntEntry(1) = [-∞, +∞]                                   IntExit(1) = [1, 1]
IntEntry(2) = IntEntry(2) ∇ (IntExit(1) ⊔ IntExit(3))    IntExit(2) = IntEntry(2)
IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]                    IntExit(3) = IntEntry(3) + [1, 1]
IntEntry(4) = IntExit(2) ⊓ [1001, +∞]                    IntExit(4) = IntEntry(4)
11
Requirements on Widening
  • For all elements: l1 ⊔ l2 ⊑ l1 ∇ l2
  • For all ascending chains l0 ⊑ l1 ⊑ l2 ⊑ … the following sequence is finite (eventually stabilizes)
  • y0 = l0
  • y_{i+1} = y_i ∇ l_{i+1}
  • For a monotonic function f: L → L define
  • x0 = ⊥
  • x_{i+1} = x_i ∇ f(x_i)
  • Theorem
  • There exists k such that x_{k+1} = x_k
  • x_k ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l}

12
Narrowing
  • Improve the result of widening
  • y ⊑ x ⟹ y ⊑ (x Δ y) ⊑ x
  • For all decreasing chains x0 ⊒ x1 ⊒ … the following sequence is finite (eventually stabilizes)
  • y0 = x0
  • y_{i+1} = y_i Δ x_{i+1}
  • For a monotonic function f: L → L and x ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l} define
  • y0 = x
  • y_{i+1} = y_i Δ f(y_i)
  • Theorem
  • There exists k such that y_{k+1} = y_k
  • y_k ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l}

13
Narrowing for Interval Analysis
  • [a, b] Δ ⊥ = [a, b]
  • [a, b] Δ [c, d] = [if a = -∞ then c else a, if b = +∞ then d else b]

14
Example Program: Interval Analysis (with narrowing)
  • x := 1 [1]; while x ≤ 1000 [2] do x := x + 1 [3]

IntEntry(1) = [-∞, +∞]                                   IntExit(1) = [1, 1]
IntEntry(2) = IntEntry(2) Δ (IntExit(1) ⊔ IntExit(3))    IntExit(2) = IntEntry(2)
IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]                    IntExit(3) = IntEntry(3) + [1, 1]
IntEntry(4) = IntExit(2) ⊓ [1001, +∞]                    IntExit(4) = IntEntry(4)
15
Non-Monotonicity of Widening
  • [0, 1] ∇ [0, 2] = [0, +∞]
  • [0, 2] ∇ [0, 2] = [0, 2]

16
Widening and Narrowing Summary
  • Very simple but produces impressive precision
  • Sometimes non-monotonic
  • The McCarthy 91 function
  • Also useful in the finite case
  • Can be used as a methodological tool

int f(x)                      [-∞, +∞]
  if x > 100 then             [101, +∞]
    return x - 10             [101, +∞] - 10 = [91, +∞]
  else                        [-∞, 100]
    return f(f(x + 11))       [91, 91]
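As an added example (not part of the lecture slides), the interval analysis of slides 7-15 in Python: the lattice operations, the ∇ and Δ operators exactly as defined above, and the loop-head equation of the example program x := 1; while x ≤ 1000 do x := x + 1 iterated three ways: plain chaotic iteration with ⊔, with ∇, and with ∇ followed by a Δ phase. Assumptions of this example: intervals are (lo, hi) tuples with float infinities for ±∞, ⊥ is None, and the four slide-8 equations are folded into a single function `step` of IntEntry(2), which is the only unknown with a cyclic dependency.

```python
import math

INF = math.inf
BOT = None                       # the empty interval ⊥
TOP = (-INF, INF)                # [-∞, +∞]

def leq(i, j):
    """[a,b] ⊑ [c,d]  iff  c ≤ a and b ≤ d  (⊥ is below everything)."""
    if i is BOT:
        return True
    if j is BOT:
        return False
    return j[0] <= i[0] and i[1] <= j[1]

def join(i, j):
    """[a,b] ⊔ [c,d] = [min(a,c), max(b,d)]."""
    if i is BOT:
        return j
    if j is BOT:
        return i
    return (min(i[0], j[0]), max(i[1], j[1]))

def meet(i, j):
    """[a,b] ⊓ [c,d] = [max(a,c), min(b,d)], or ⊥ when that is empty."""
    if i is BOT or j is BOT:
        return BOT
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else BOT

def widen(i, j):
    """Slide 9: ⊥ ∇ [c,d] = [c,d];
    [a,b] ∇ [c,d] = [a if a ≤ c else -∞, b if b ≥ d else +∞]."""
    if i is BOT:
        return j
    if j is BOT:
        return i
    return (i[0] if i[0] <= j[0] else -INF, i[1] if i[1] >= j[1] else INF)

def narrow(i, j):
    """Slide 13: [a,b] Δ ⊥ = [a,b];
    [a,b] Δ [c,d] = [c if a = -∞ else a, d if b = +∞ else b]."""
    if j is BOT:
        return i
    if i is BOT:
        return BOT
    return (j[0] if i[0] == -INF else i[0], j[1] if i[1] == INF else i[1])

def add_const(i, k):
    """Abstract transformer of x := x + k on an interval."""
    return BOT if i is BOT else (i[0] + k, i[1] + k)

def step(entry2):
    """The slide-8 equations folded into one function of IntEntry(2)
    (assumption of this example): returns IntExit(1) ⊔ IntExit(3)."""
    exit1 = (1, 1)                               # x := 1
    entry3 = meet(entry2, (-INF, 1000))          # x ≤ 1000 holds
    exit3 = add_const(entry3, 1)                 # x := x + 1
    return join(exit1, exit3)

def analyze(widening, narrowing, limit=10_000):
    """Iterate IntEntry(2) to a fixpoint: with ⊔ (plain chaotic iteration),
    with ∇ (slide 10), optionally followed by a Δ phase (slides 12/14).
    Returns (IntEntry(2), IntEntry(4), number of evaluations of step)."""
    x, rounds = BOT, 0
    while rounds < limit:                        # ascending phase
        rounds += 1
        new = widen(x, step(x)) if widening else join(x, step(x))
        if new == x:
            break
        x = new
    if narrowing:                                # descending phase
        while True:                              # y_{i+1} = y_i Δ f(y_i)
            rounds += 1
            new = narrow(x, step(x))
            if new == x:
                break
            x = new
    entry4 = meet(x, (1001, INF))                # loop exit: x ≤ 1000 fails
    return x, entry4, rounds

def widening_is_not_monotone():
    """Slide 15: [0,1] ⊑ [0,2] but [0,1] ∇ [0,2] is above [0,2] ∇ [0,2]."""
    return widen((0, 1), (0, 2)), widen((0, 2), (0, 2))

if __name__ == "__main__":
    for w, n in ((False, False), (True, False), (True, True)):
        print(f"widening={w} narrowing={n}:", analyze(w, n))
    print("non-monotone:", widening_is_not_monotone())
```

Plain iteration needs 1002 evaluations to reach IntEntry(2) = [1, 1001] (and would not terminate at all with an unbounded loop); widening reaches [1, +∞] in 3, and the narrowing phase recovers [1, 1001] and IntEntry(4) = [1001, 1001] in two more, which is the sequence the three slides above trace by hand.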
17
Foundation of Static Analysis
  • Static analysis can be viewed as interpreting the
    program over an abstract domain
  • Execute the program over a larger set of execution paths
  • Guarantee sound results
  • Every identified constant is indeed a constant
  • But not every constant is identified as such

18
Abstract Interpretation
[Figure: the concrete side (sets of stores) against the abstract side]
19
Odd/Even Abstract Interpretation
[Figure: the parity lattice with ⊤ (all concrete states) above E (even) and O (odd), and ⊥ at the bottom; the concrete sets {-2, 1, 5}, {0, 2}, {2}, {0} and the set {x | x ∈ Even} are shown with their abstractions: {-2, 1, 5} ↦ ⊤, {0, 2} ↦ E, {2} ↦ E, {0} ↦ E]
20
Odd/Even Abstract Interpretation (same figure, second animation step)
21
Odd/Even Abstract Interpretation (same figure, third animation step)
22
Galois Connections
  • A concrete domain (C, ⊑)
  • An abstract domain (A, ⊑)
  • An abstraction function α: C → A
  • A concretization function γ: A → C
  • α is monotone (order-preserving)
  • γ is monotone (order-preserving)
  • c ⊑ γ(α(c))
  • α(γ(a)) ⊑ a
  • α(c) ⊑ a ⟺ c ⊑ γ(a)

23
More on Galois Connections
  • α and γ determine each other
  • Defines an upward closure operator up: C → C such that c ⊑ up(c) and up(up(c)) = up(c), by up(c) = γ(α(c))
  • For C = P(Σ) let β: Σ → A; then the Galois connection is defined by
  • α(c) = ⊔{β(σ) | σ ∈ c}
  • γ(a) = {σ | β(σ) ⊑ a}

24
The Abstraction Function (CP)
  • Map collecting states into constants
  • The abstraction of an individual state: β_CP: [Var → Z] → [Var → Z ∪ {⊥, ⊤}], β_CP(σ) = σ
  • The abstraction of a set of states: α_CP: P([Var → Z]) → [Var → Z ∪ {⊥, ⊤}], α_CP(CS) = ⊔{β_CP(σ) | σ ∈ CS} = ⊔{σ | σ ∈ CS}
  • Soundness: α_CP(Reach(v)) ⊑ df(v)
  • Completeness

25
The Concretization Function
  • Map constants into collecting states
  • The formal meaning of constants
  • The concretization: γ_CP: [Var → Z ∪ {⊥, ⊤}] → P([Var → Z]), γ_CP(df) = {σ | β_CP(σ) ⊑ df} = {σ | σ ⊑ df}
  • Soundness: Reach(v) ⊆ γ_CP(df(v))
  • Optimality

26
Galois Connection: Constant Propagation
  • α_CP is monotone
  • γ_CP is monotone
  • ∀df ∈ [Var → Z ∪ {⊥, ⊤}]: α_CP(γ_CP(df)) ⊑ df
  • ∀c ∈ P([Var → Z]): c ⊆ γ_CP(α_CP(c))
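As an added example (not from the slides), the constant-propagation Galois connection of slides 22-26 in Python for a two-variable program. β_CP, α_CP and the order are as defined above; since γ_CP(df) is infinite as soon as one variable maps to ⊤, γ_CP is exposed as a membership test plus a finite sample inside a box of values, which is an assumption of this example and is enough to exhibit c ⊆ γ(α(c)), α(γ(a)) ⊑ a and the idempotence of the closure up = γ∘α on concrete sample sets.

```python
from itertools import product

BOT, TOP = '⊥', '⊤'
VARS = ('x', 'y')                   # assumed two-variable program

def leq_val(a, b):
    """Order on Z ∪ {⊥, ⊤}: ⊥ ⊑ k ⊑ ⊤, distinct constants incomparable."""
    return a == BOT or b == TOP or a == b

def join_val(a, b):
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP

def leq(df1, df2):
    """Pointwise order on Var → Z ∪ {⊥, ⊤}."""
    return all(leq_val(df1[v], df2[v]) for v in VARS)

def join(df1, df2):
    return {v: join_val(df1[v], df2[v]) for v in VARS}

def beta(sigma):
    """β_CP(σ) = σ: a single state is already an abstract element."""
    return dict(sigma)

def alpha(CS):
    """α_CP(CS) = ⊔{β_CP(σ) | σ ∈ CS}; α_CP(∅) maps every variable to ⊥."""
    df = {v: BOT for v in VARS}
    for sigma in CS:
        df = join(df, beta(sigma))
    return df

def in_gamma(sigma, df):
    """σ ∈ γ_CP(df)  iff  β_CP(σ) ⊑ df."""
    return leq(beta(sigma), df)

def gamma_box(df, lo, hi):
    """γ_CP(df) intersected with the finite box lo..hi on every variable
    (sampling assumption of this example; γ_CP itself may be infinite)."""
    return [dict(zip(VARS, vals))
            for vals in product(range(lo, hi + 1), repeat=len(VARS))
            if in_gamma(dict(zip(VARS, vals)), df)]

def galois_laws(CS, lo=-5, hi=5):
    """The slide-22 laws on a concrete set CS whose constants lie in the box:
    c ⊆ γ(α(c)); α(γ(a)) ⊑ a for a = α(c); and up(up(c)) = up(c), checked
    as α(γ(α(c))) = α(c)."""
    a = alpha(CS)
    sample = gamma_box(a, lo, hi)
    extensive = all(in_gamma(s, a) for s in CS)
    reductive = leq(alpha(sample), a)
    idempotent = alpha(sample) == a
    return extensive, reductive, idempotent

def precision_loss(CS, lo=-5, hi=5):
    """States of γ_CP(α_CP(CS)) inside the box that are not in CS: what the
    abstraction adds (slide 17: not every constant is identified)."""
    keys = {tuple(sorted(s.items())) for s in CS}
    return [s for s in gamma_box(alpha(CS), lo, hi)
            if tuple(sorted(s.items())) not in keys]

if __name__ == "__main__":
    CS = [{'x': 1, 'y': 2}, {'x': 3, 'y': 2}]     # constructed sample set
    print("α_CP(CS) =", alpha(CS))
    print("laws (extensive, reductive, idempotent):", galois_laws(CS))
    print("states added by γ∘α inside [-5,5]^2:", len(precision_loss(CS)))
```

For CS = {[x↦1, y↦2], [x↦3, y↦2]} the abstraction is [x↦⊤, y↦2]; every state with y = 2 is then in γ_CP(α_CP(CS)), so the closure adds nine states inside the sampled box, while the fact y = 2 is kept exactly.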

27
Upper Closure (CP)
28
More Examples
  • Interval Analysis
  • Points-to analysis
  • Reaching definitions
  • Live variable analysis

29
Collecting Semantics
  • The input state is not known at compile-time
  • Collect all the states for all possible inputs
    to the program
  • The set of reachable states
  • No loss of precision
  • Need not be computable

30
A Simple Example Program
{[x↦0, y↦0, z↦0]}
z := 3
{[x↦0, y↦0, z↦3]}
x := 1
{[x↦1, y↦0, z↦3]}
while (x > 0) (
  if (x = 1) then y := 7 else y := z + 4
  {[x↦1, y↦7, z↦3], [x↦3, y↦7, z↦3]}
  x := 3
  {[x↦3, y↦7, z↦3]}
  print y
  {[x↦3, y↦7, z↦3]}
)
31
Another Example
{[x↦0]}
while (true) do
  {[x↦0], [x↦1], [x↦2], …}
  x := x + 1
  {[x↦1], [x↦2], …}
32
Global Soundness Theorem
  • If the meaning of every statement is locally sound
  • Then the solution computed by the iterative algorithm overapproximates the collecting semantics
  • α(CS) ⊑ df
  • CS ⊆ γ(df)

33
Example
while (true) do x := x + 1
[Figure: the collecting states {[x↦0]}, {[x↦0], [x↦1], [x↦2], …} and {[x↦1], [x↦2], …} of the previous example, each abstracted to the element P]
34
Bad Example
[Figure: starting from {[x↦0]} (abstracted to P), the two branches x := x - 1 and x := x + 1; the concrete state {[x↦-1]} and a later {[x↦0]} are shown]
35
An Iterative Definition of Collecting Semantics
  • Generate a system of monotone equations
  • The least solution is well-defined
  • The least solution is the collecting
    interpretation
  • But may not be computable

36
Equations Generated for Collecting Interpretation
  • Equations for elementary statements
  • [skip]^l:   CS_exit(l) = CS_entry(l)
  • [b]^l:      CS_exit(l) = {σ | σ ∈ CS_entry(l), ⟦b⟧σ = tt}
  • [x := a]^l: CS_exit(l) = {s[x ↦ ⟦a⟧s] | s ∈ CS_entry(l)}
  • Equations for control flow constructs: CS_entry(l) = ∪{CS_exit(l') | l' immediately precedes l in the control flow graph}
  • An equation for the entry: CS_entry(1) = {σ | σ ∈ [Var → Z]}

37
System of Equations (Collecting Semantics)
S:  CS_entry[s] = Σ_0
    CS_entry[v] = ∪{f(e)(CS_entry[u]) | e = (u, v) ∈ E}
    where f(e) = λX. {⟦st(e)⟧σ | σ ∈ X} for atomic statements
          f(e) = λX. {σ | σ ∈ X, ⟦b(e)⟧σ = tt} for conditions
F_S: L^n → L^n,  F_S(X)[v] = ∪{f(e)(X[u]) | e = (u, v) ∈ E}
lfp(S) = lfp(F_S)
38
The Least Solution
  • 2n sets of equations: CS_entry(1), …, CS_entry(n), CS_exit(1), …, CS_exit(n)
  • Can be written in vectorial form
  • The least solution lfp(F_CS) is well-defined
  • Every component is minimal
  • Since F_CS is monotone such a solution always exists
  • CS_entry(v) = {s | ∃s0. ⟨P, s0⟩ ⇒* ⟨S, s⟩, init(S) = v}
  • Simplify the soundness criteria

39
Example
x := 0 [0]; while (true) [1] do x := x + 1 [2]
40
A Low Level View
  • An infinite set of states Σ (including control)
  • The meaning of the program (small step) is a transition relation ⇒ ⊆ Σ × Σ
  • Let Σ_s be the set of initial states
  • The collecting interpretation system: F(CS) = Σ_s ∪ {σ' | ∃σ ∈ CS. σ ⇒ σ'}
  • Let A be an abstract domain (lattice)
  • Let a_s ∈ A be the initial abstract element
  • Let γ: A → P(Σ) be the concretization
  • The abstract meaning of the program (small step) is a transition relation ⇒# ⊆ A × A
  • Local soundness
  • Global soundness

41
Abstract (Conservative) interpretation
[Figure: two sets of states on the concrete side, each mapped by "abstraction" to an abstract representation; the abstract step is compared with the concrete step via ⊑]
42
Abstract (Conservative) interpretation
[Figure: the same diagram read through "concretization" from the abstract representations back to sets of states]
43
Abstract (Conservative) interpretation
[Figure: the same diagram, abstraction side only]
44
Soundness Theorem (1)
  1. Let (α, γ) form a Galois connection from C to A
  2. f: C → C be a monotone function
  3. f#: A → A be a monotone function
  4. ∀a ∈ A: f(γ(a)) ⊑ γ(f#(a))

lfp(f) ⊑ γ(lfp(f#))
α(lfp(f)) ⊑ lfp(f#)
45
Soundness Theorem (2)
  1. Let (α, γ) form a Galois connection from C to A
  2. f: C → C be a monotone function
  3. f#: A → A be a monotone function
  4. ∀c ∈ C: α(f(c)) ⊑ f#(α(c))

α(lfp(f)) ⊑ lfp(f#)
lfp(f) ⊑ γ(lfp(f#))
46
Soundness Theorem (3)
  1. Let (α, γ) form a Galois connection from C to A
  2. f: C → C be a monotone function
  3. f#: A → A be a monotone function
  4. ∀a ∈ A: α(f(γ(a))) ⊑ f#(a)

α(lfp(f)) ⊑ lfp(f#)
lfp(f) ⊑ γ(lfp(f#))
47
Local Concrete Semantics
  • For every atomic statement S
  • ⟦S⟧: [Var → Z] → [Var → Z]
  • ⟦x := a⟧s = s[x ↦ ⟦a⟧s]
  • ⟦skip⟧s = s
  • For Boolean conditions

48
Local Abstract Semantics (CP)
  • For every atomic statement S
  • ⟦S⟧#: [Var → L] → [Var → L]
  • ⟦x := a⟧#(e) = e[x ↦ ⟦a⟧#(e)]
  • ⟦skip⟧#(e) = e
  • For Booleans

49
Local Soundness (CP)
  • For every atomic statement S show one of the following
  • α_CP({⟦S⟧σ | σ ∈ CS}) ⊑ ⟦S⟧#(α_CP(CS))
  • {⟦S⟧σ | σ ∈ γ_CP(df)} ⊆ γ_CP(⟦S⟧#(df))
  • α({⟦S⟧σ | σ ∈ γ_CP(df)}) ⊑ ⟦S⟧#(df)
  • The above condition implies global soundness [Cousot & Cousot 1976]: α(CS_entry(l)) ⊑ df_entry(l), CS_entry(l) ⊆ γ(df_entry(l))

50
Lemma 1
Consider a lattice L. f: L → L is monotone iff for all X ⊆ L:
  ⊔{f(z) | z ∈ X} ⊑ f(⊔{z | z ∈ X})
51
Assignments in constant propagation
  • Monotone
  • df1 ⊑ df2 ⟹ ⟦x := e⟧#(df1) ⊑ ⟦x := e⟧#(df2)
  • Local Soundness
  • α({⟦x := e⟧σ | σ ∈ CS}) ⊑ ⟦x := e⟧#(α(CS))
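As an added example (not from the slides), the slide-30 program carried through the whole pipeline of slides 36-51 in Python: the collecting semantics computed as the least fixpoint of the slide-36/37 equations by the slide-4 worklist algorithm (finite here because the loop revisits the same states), constant propagation run by the same algorithm on the same control-flow graph with the ⟦x := a⟧# transformer of slide 48, and the global soundness claim α_CP(CS_entry(l)) ⊑ df_entry(l) checked at every label. Assumptions of this example: node labels 0..8 and the CFG encoding are this example's own, states are (x, y, z) tuples, and the abstract transformer for Boolean tests is the identity, which is sound for CP but loses the refinement x = 1 that the concrete semantics performs.

```python
BOT, TOP = '⊥', '⊤'
VARS = ('x', 'y', 'z')              # concrete states are tuples in this order

def todict(s): return dict(zip(VARS, s))
def totuple(d): return tuple(d[v] for v in VARS)

# Arithmetic expressions: ('const', k) | ('var', v) | ('add', e1, e2)
def ev(e, s):
    """Concrete ⟦a⟧s."""
    if e[0] == 'const':
        return e[1]
    if e[0] == 'var':
        return s[e[1]]
    return ev(e[1], s) + ev(e[2], s)

def ev_abs(e, d):
    """Abstract ⟦a⟧#(d) for constant propagation."""
    if e[0] == 'const':
        return e[1]
    if e[0] == 'var':
        return d[e[1]]
    a, b = ev_abs(e[1], d), ev_abs(e[2], d)
    if BOT in (a, b):
        return BOT
    if TOP in (a, b):
        return TOP
    return a + b

# CFG of the slide-30 program (node labels 0..8 are this example's own):
# 0 -z:=3-> 1 -x:=1-> 2 -[x>0]-> 3 -[x=1]-> 4 -y:=7-> 6 -x:=3-> 8 -print y-> 2
#                     |                  \-[x≠1]-> 5 -y:=z+4-> 6
#                     \-[x≤0]-> 7
EDGES = [
    (0, 1, ('assign', 'z', ('const', 3))),
    (1, 2, ('assign', 'x', ('const', 1))),
    (2, 3, ('test', 'x', '>', 0, True)),
    (2, 7, ('test', 'x', '>', 0, False)),
    (3, 4, ('test', 'x', '=', 1, True)),
    (3, 5, ('test', 'x', '=', 1, False)),
    (4, 6, ('assign', 'y', ('const', 7))),
    (5, 6, ('assign', 'y', ('add', ('var', 'z'), ('const', 4)))),
    (6, 8, ('assign', 'x', ('const', 3))),
    (8, 2, ('skip',)),                            # print y changes no state
]
NODES = range(9)

def holds(test, s):
    _, v, op, k, want = test
    return ((s[v] > k) if op == '>' else (s[v] == k)) == want

def f_concrete(stmt, X):
    """f(e) of slide 37 on a set of concrete states."""
    if stmt[0] == 'assign':
        return {totuple({**todict(s), stmt[1]: ev(stmt[2], todict(s))}) for s in X}
    if stmt[0] == 'test':
        return {s for s in X if holds(stmt, todict(s))}
    return set(X)

def f_abstract(stmt, d):
    """⟦S⟧# for CP (slide 48); tests are the identity, which is sound."""
    if stmt[0] == 'assign':
        return {**d, stmt[1]: ev_abs(stmt[2], d)}
    return dict(d)

def join_val(a, b):
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP

def join(d1, d2): return {v: join_val(d1[v], d2[v]) for v in VARS}
def leq(d1, d2): return all(d1[v] == BOT or d2[v] == TOP or d1[v] == d2[v] for v in VARS)

def alpha(CS):
    """α_CP over a set of tuple states (slide 24)."""
    d = {v: BOT for v in VARS}
    for s in CS:
        d = join(d, todict(s))
    return d

def chaotic(init, bottom, apply, combine):
    """The slide-4 worklist algorithm, generic in the lattice."""
    entry = {n: bottom() for n in NODES}
    entry[0] = init
    wl = [0]
    while wl:
        u = wl.pop()
        for a, b, stmt in EDGES:
            if a == u:
                new = combine(entry[b], apply(stmt, entry[u]))
                if new != entry[b]:
                    entry[b] = new
                    wl.append(b)
    return entry

def collecting():
    """lfp of the collecting equations from the initial state [x↦0, y↦0, z↦0]."""
    return chaotic({(0, 0, 0)}, set, f_concrete, lambda a, b: a | b)

def constant_propagation():
    return chaotic({v: 0 for v in VARS}, lambda: {v: BOT for v in VARS}, f_abstract, join)

def soundness_report():
    """(α(CS_entry(l)) ⊑ df_entry(l) for every l, labels with a strict loss)."""
    CS, df = collecting(), constant_propagation()
    return (all(leq(alpha(CS[n]), df[n]) for n in NODES),
            sorted(n for n in NODES if alpha(CS[n]) != df[n]))

if __name__ == "__main__":
    print("CS_entry:", collecting())
    print("df_entry:", constant_propagation())
    print("sound, labels with precision loss:", soundness_report())
```

The collecting semantics reproduces the state sets annotated on slide 30 (two states at the loop head, one state after x := 3), constant propagation recovers y = 7 and x = 3 at the print, and α(CS_entry(l)) ⊑ df_entry(l) holds at every label; the labels where the inclusion is strict (the two branch entries and the unreachable loop exit) are exactly where the identity transformer on tests and the missing ⊥-propagation for dead code give away precision.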

52
Proof of Soundness (Summary)
  • Define an appropriate operational semantics
  • Define a collecting operational semantics
  • Establish a Galois connection between collecting states and abstract states
  • (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
  • (Global correctness) Conclude that the result of the iterative analysis is sound w.r.t. the collecting semantics
  • Can be applied between different abstractions

53
Induced Analysis (Relatively Optimal)
  • It is sometimes possible to show that a given analysis is not only sound but optimal w.r.t. the chosen abstraction
  • but not necessarily optimal in absolute terms!
  • Define ⟦S⟧#(df) = α({⟦S⟧σ | σ ∈ γ(df)})
  • But this ⟦S⟧# may not be computable
  • Derive (at compiler-generation time) an alternative form for ⟦S⟧#
  • A useful measure to decide if the abstraction must lead to overly imprecise results

54
Notions of precision
  • CS = γ(df)
  • α(CS) = df
  • Meet (Join) over all paths
  • Using best transformers
  • Good enough

55
Conclusions
  • Abstract interpretation relates runtime semantics
    and static information
  • The concrete semantics serves as a tool in
    designing abstractions
  • Understanding concretization is a must
  • Understand what is preserved/lost