Iterative Program Analysis Abstract Interpretation - PowerPoint PPT Presentation

http://www.cs.tau.ac.il/~msagiv/courses/pa12-13.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4 CC79, CC92* ...

1
Iterative Program Analysis: Abstract Interpretation
  • Mooly Sagiv
  • http://www.cs.tau.ac.il/~msagiv/courses/pa12-13.html
  • Tel Aviv University
  • 640-6706
  • Textbook: Principles of Program Analysis
  • Chapter 4
  • CC79, CC92

2
Outline
  • Reminder: Chaotic Iterations
  • The abstract interpretation technique
  • Relating Concrete and Abstract Interpretation
  • More examples
  • Precision
  • Later:
  • Backward analysis
  • Complexity
  • Widening and Narrowing
  • Shape Analysis

3
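Specialized Chaotic Iterations: System of Equations
$S = \{\, df_{entry}[s] = \iota,\quad df_{entry}[v] = \bigsqcup \{ f(u, v)(df_{entry}[u]) \mid (u, v) \in E \} \,\}$
$F_S : L^n \to L^n$
$F_S(X)[s] = \iota$
$F_S(X)[v] = \bigsqcup \{ f(u, v)(X[u]) \mid (u, v) \in E \}$
$\mathrm{lfp}(S) = \mathrm{lfp}(F_S)$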
4
Specialized Chaotic Iterations
Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L))
  for each v in V do
    dfentry[v] := ⊥
  df[s] := ι
  WL := {s}
  while (WL ≠ ∅) do
    select and remove an element u ∈ WL
    for each v such that e = (u, v) ∈ E do
      temp := f(e)(dfentry[u])
      new := dfentry[v] ⊔ temp
      if (new ≠ dfentry[v]) then
        dfentry[v] := new
        WL := WL ∪ {v}
5
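Worklist trace for the example program (value at the entry of node 1: [x↦0, y↦0, z↦0])

WL       dfentry[v]
{1}
{2}      df[2] = [x↦0, y↦0, z↦3]
{3}      df[3] = [x↦1, y↦0, z↦3]
{4}      df[4] = [x↦1, y↦0, z↦3]
{5}      df[5] = [x↦1, y↦0, z↦3]
{7}      df[7] = [x↦1, y↦7, z↦3]
{8}      df[8] = [x↦3, y↦7, z↦3]
{3}      df[3] = [x↦⊤, y↦⊤, z↦3]
{4}      df[4] = [x↦⊤, y↦⊤, z↦3]
{5,6}    df[5] = [x↦1, y↦⊤, z↦3]
{6,7}    df[6] = [x↦⊤, y↦⊤, z↦3]
{7}      df[7] = [x↦⊤, y↦7, z↦3]

[Figure: control flow graph of the example program, nodes 1 to 8, with edges labeled by statements and transfer functions. Statements: z := 3; x := 1; while (x > 0); if (x = 1); y := 7; y := z + 4; x := 3; print y. Transfer functions: λe.e[z↦3]; λe.e[x↦1]; λe. if x > 0 then e else ⊥; λe. e ⊓ [x↦1, y↦⊤, z↦⊤]; λe.e[y↦7]; λe.e[y↦e(z)+4]; λe.e[x↦3]; λe.e]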
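
The worklist algorithm of slide 4 applied to the example program, as an added example that is not part of the original slides. The node numbering follows the trace on this slide; the branch filters (`guard`), the representation of ⊥ as `None`, and all function names are assumptions of this sketch.

```python
TOP = "T"  # non-constant value; None stands for bottom (unreachable state)

def join(a, b):  # pointwise least upper bound of two abstract states
    if a is None or b is None:
        return b if a is None else a
    return {v: a[v] if a[v] == b[v] else TOP for v in a}

def assign(var, expr):
    """Transfer function for var := expr; expr maps a state to a value."""
    return lambda e: None if e is None else {**e, var: expr(e)}

def plus(var, c):
    return lambda e: TOP if e[var] == TOP else e[var] + c

def guard(var, holds, refine=None):
    """Branch filter: bottom when the test is definitely false."""
    def f(e):
        if e is None or (e[var] != TOP and not holds(e[var])):
            return None
        return {**e, var: refine} if refine is not None and e[var] == TOP else e
    return f

# CFG of the slides' example program; edge semantics are this example's assumption.
EDGES = {
    (1, 2): assign("z", lambda e: 3),
    (2, 3): assign("x", lambda e: 1),
    (3, 4): guard("x", lambda c: c > 0),             # while (x > 0)
    (4, 5): guard("x", lambda c: c == 1, refine=1),  # if (x = 1): then
    (4, 6): guard("x", lambda c: c != 1),            # if (x = 1): else
    (5, 7): assign("y", lambda e: 7),
    (6, 7): assign("y", plus("z", 4)),
    (7, 8): assign("x", lambda e: 3),
    (8, 3): lambda e: e,                             # print y, loop back edge
}

def chaotic(edges, s, iota):
    df = {n: None for edge in edges for n in edge}   # dfentry[v] := bottom
    df[s] = iota
    worklist = [s]
    while worklist:
        u = worklist.pop()                           # select and remove u
        for (src, v), f in edges.items():
            if src != u:
                continue
            new = join(df[v], f(df[u]))
            if new != df[v]:
                df[v] = new
                if v not in worklist:
                    worklist.append(v)
    return df
RESULT = chaotic(EDGES, 1, {"x": 0, "y": 0, "z": 0})
```

The fixpoint in `RESULT` agrees with the last value shown for each node in the trace, regardless of the order in which nodes are taken from the worklist.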
6
The Abstract Interpretation Technique (Cousot & Cousot)
  • The foundation of program analysis
  • Defines the meaning of the information computed by static tools
  • A mathematical framework
  • Allows proving that an analysis is sound in a local way
  • Identify design bugs
  • Understand where precision is lost
  • New analysis from old
  • Not limited to certain programming style

7
Abstract (Conservative) interpretation
[Figure: sets of states mapped by abstraction to abstract representations]
8
Abstract (Conservative) interpretation
[Figure: abstract representations mapped by concretization to sets of states]
9
Abstract Interpretation
[Figure: the concrete domain, sets of stores]
10
Galois Connections
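  • Lattices C and A and functions $\alpha : C \to A$ and $\gamma : A \to C$
  • The pair of functions $(\alpha, \gamma)$ form a Galois connection if
  • $\alpha$ and $\gamma$ are monotone
  • $\forall a \in A$
  • $\alpha(\gamma(a)) \sqsubseteq a$
  • $\forall c \in C$
  • $c \sqsubseteq \gamma(\alpha(c))$
  • Alternatively if $\forall c \in C\ \forall a \in A$: $\alpha(c) \sqsubseteq a$ iff $c \sqsubseteq \gamma(a)$
  • $\alpha$ and $\gamma$ uniquely determine each other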

11
The Abstraction Function (CP)
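  • Map collecting states into constants
  • The abstraction of an individual state: $\beta_{CP} : [Var \to Z] \to [Var \to Z \cup \{\bot, \top\}]$, $\beta_{CP}(\sigma) = \sigma$
  • The abstraction of a set of states: $\alpha_{CP} : P([Var \to Z]) \to [Var \to Z \cup \{\bot, \top\}]$, $\alpha_{CP}(CS) = \bigsqcup \{ \beta_{CP}(\sigma) \mid \sigma \in CS \} = \bigsqcup \{ \sigma \mid \sigma \in CS \}$
  • Soundness: $\alpha_{CP}(Reach(v)) \sqsubseteq df(v)$
  • Completeness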

12
The Concretization Function
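  • Map constants into collecting states
  • The formal meaning of constants
  • The concretization: $\gamma_{CP} : [Var \to Z \cup \{\bot, \top\}] \to P([Var \to Z])$, $\gamma_{CP}(df) = \{ \sigma \mid \beta_{CP}(\sigma) \sqsubseteq df \} = \{ \sigma \mid \sigma \sqsubseteq df \}$
  • Soundness: $Reach(v) \subseteq \gamma_{CP}(df(v))$
  • Completeness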

13
Galois Connection Constant Propagation
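  • $\alpha_{CP}$ is monotone
  • $\gamma_{CP}$ is monotone
  • $\forall df \in [Var \to Z \cup \{\bot, \top\}]$
  • $\alpha_{CP}(\gamma_{CP}(df)) \sqsubseteq df$
  • $\forall c \in P([Var \to Z])$
  • $c \subseteq \gamma_{CP}(\alpha_{CP}(c))$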

14
Upper Closures
  • Define abstractions on sets of concrete states
  • $\rho : P(\Sigma) \to P(\Sigma)$ such that
  • $\rho$ is monotone, i.e., $X \subseteq Y \Rightarrow \rho X \subseteq \rho Y$
  • $\rho$ is extensive, i.e., $\rho X \supseteq X$
  • $\rho$ is closure, i.e., $\rho(\rho X) = \rho X$
  • Every Galois connection defines an upper closure

15
Proof of Soundness
  • Define an appropriate operational semantics
  • Define collecting structural operational semantics
  • Establish a Galois connection between collecting states and abstract states
  • (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
  • (Global correctness) Conclude that the analysis is sound

16
Collecting Semantics
  • The input state is not known at compile-time
  • Collect all the states for all possible inputs to the program
  • No loss of precision

17
A Simple Example Program
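z := 3
x := 1
while (x > 0) (
  if (x = 1) then y := 7
  else y := z + 4
  x := 3
  print y
)

Sets of states shown next to the program, in slide order:
{[x↦0, y↦0, z↦0]}
{[x↦0, y↦0, z↦3]}
{[x↦1, y↦0, z↦3]}
{[x↦1, y↦7, z↦3], [x↦3, y↦7, z↦3]}
{[x↦1, y↦7, z↦3], [x↦3, y↦7, z↦3]}
{[x↦3, y↦7, z↦3]}
{[x↦3, y↦7, z↦3]}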
18
Another Example
x := 0
while (true) do x := x + 1
19
An Iterative Definition
  • Generate a system of monotone equations
  • The least solution is well-defined
  • The least solution is the collecting interpretation
  • But may not be computable

20
Equations Generated for Collecting Interpretation
  • Equations for elementary statements
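  • $[skip]^l$: $CS_{exit}(l) = CS_{entry}(l)$
  • $[b]^l$: $CS_{exit}(l) = \{ \sigma : \sigma \in CS_{entry}(l),\ [\![b]\!]\sigma = tt \}$
  • $[x := a]^l$: $CS_{exit}(l) = \{ s[x \mapsto A[\![a]\!]s] \mid s \in CS_{entry}(l) \}$
  • Equations for control flow constructs: $CS_{entry}(l) = \bigcup CS_{exit}(l')$, where $l'$ immediately precedes $l$ in the control flow graph
  • An equation for the entry: $CS_{entry}(1) = \{ \sigma \mid \sigma \in Var \to Z \}$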

21
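Specialized Chaotic Iterations: System of Equations (Collecting Semantics)
$S = \{\, CS_{entry}[s] = \{\sigma_0\},\quad CS_{entry}[v] = \bigcup \{ f(e)(CS_{entry}[u]) \mid e = (u, v) \in E \} \,\}$
where $f(e) = \lambda X.\ \{ [\![st(e)]\!]\sigma \mid \sigma \in X \}$ for atomic statements
and $f(e) = \lambda X.\ \{ \sigma \mid \sigma \in X,\ [\![b(e)]\!]\sigma = tt \}$ for conditions
$F_S : L^n \to L^n$
$F_S(X)[v] = \bigcup \{ f(e)(X[u]) \mid e = (u, v) \in E \}$
$\mathrm{lfp}(S) = \mathrm{lfp}(F_S)$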
22
The Least Solution
  • 2n sets of equations: $CS_{entry}(1), \ldots, CS_{entry}(n), CS_{exit}(1), \ldots, CS_{exit}(n)$
  • Can be written in vectorial form
  • The least solution $\mathrm{lfp}(F_{cs})$ is well-defined
  • Every component is minimal
  • Since $F_{cs}$ is monotone such a solution always exists
  • $CS_{entry}(v) = \{ s \mid \exists s_0 : \langle P, s_0 \rangle \Rightarrow^{*} (S, s),\ init(S) = v \}$
  • Simplify the soundness criteria

23
$\forall a:\ f(\gamma(a)) \sqsubseteq \gamma(f^\sharp(a))$
[Figure: two lattice diagrams, each marking gfp(f) and lfp(f)]
24
Finite Height Case
[Figure: lattice diagram marking Lfp(f)]
25
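Soundness Theorem (1)
  1. Let $(\alpha, \gamma)$ form a Galois connection from C to A
  2. $f : C \to C$ be a monotone function
  3. $f^\sharp : A \to A$ be a monotone function
  4. $\forall a \in A:\ f(\gamma(a)) \sqsubseteq \gamma(f^\sharp(a))$

$\mathrm{lfp}(f) \sqsubseteq \gamma(\mathrm{lfp}(f^\sharp))$
$\alpha(\mathrm{lfp}(f)) \sqsubseteq \mathrm{lfp}(f^\sharp)$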
26
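Soundness Theorem (2)
  1. Let $(\alpha, \gamma)$ form a Galois connection from C to A
  2. $f : C \to C$ be a monotone function
  3. $f^\sharp : A \to A$ be a monotone function
  4. $\forall c \in C:\ \alpha(f(c)) \sqsubseteq f^\sharp(\alpha(c))$

$\alpha(\mathrm{lfp}(f)) \sqsubseteq \mathrm{lfp}(f^\sharp)$
$\mathrm{lfp}(f) \sqsubseteq \gamma(\mathrm{lfp}(f^\sharp))$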
27
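Soundness Theorem (3)
  1. Let $(\alpha, \gamma)$ form a Galois connection from C to A
  2. $f : C \to C$ be a monotone function
  3. $f^\sharp : A \to A$ be a monotone function
  4. $\forall a \in A:\ \alpha(f(\gamma(a))) \sqsubseteq f^\sharp(a)$

$\alpha(\mathrm{lfp}(f)) \sqsubseteq \mathrm{lfp}(f^\sharp)$
$\mathrm{lfp}(f) \sqsubseteq \gamma(\mathrm{lfp}(f^\sharp))$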
28
Proof of Soundness (Summary)
  • Define an appropriate structural operational semantics
  • Define collecting structural operational semantics
  • Establish a Galois connection between collecting states and reaching definitions
  • (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
  • (Global correctness) Conclude that the analysis is sound

29
Completeness
$\alpha(\mathrm{lfp}(f)) = \mathrm{lfp}(f^\sharp)$
$\mathrm{lfp}(f) = \gamma(\mathrm{lfp}(f^\sharp))$
30
Constant Propagation
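  • $\beta : [Var \to Z] \to [Var \to Z \cup \{\bot, \top\}]$
  • $\beta(\sigma) = (\sigma)$
  • $\alpha : P([Var \to Z]) \to [Var \to Z \cup \{\bot, \top\}]$
  • $\alpha(X) = \bigsqcup \{ \beta(\sigma) \mid \sigma \in X \} = \bigsqcup \{ \sigma \mid \sigma \in X \}$
  • $\gamma : [Var \to Z \cup \{\bot, \top\}] \to P([Var \to Z])$
  • $\gamma(\sigma^\sharp) = \{ \sigma \mid \beta(\sigma) \sqsubseteq \sigma^\sharp \} = \{ \sigma \mid \sigma \sqsubseteq \sigma^\sharp \}$
  • Local Soundness
  • $[\![st]\!]^\sharp(\sigma^\sharp) \sqsupseteq \alpha(\{ [\![st]\!]\sigma \mid \sigma \in \gamma(\sigma^\sharp) \}) = \bigsqcup \{ [\![st]\!]\sigma \mid \sigma \sqsubseteq \sigma^\sharp \}$
  • Optimality (Induced)
  • $[\![st]\!]^\sharp(\sigma^\sharp) = \alpha(\{ [\![st]\!]\sigma \mid \sigma \in \gamma(\sigma^\sharp) \}) = \bigsqcup \{ [\![st]\!]\sigma \mid \sigma \sqsubseteq \sigma^\sharp \}$
  • Soundness
  • Completeness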
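
The local soundness condition above, checked mechanically for the statement y := z + 4, as an added example that is not part of the original slides. It assumes a small finite range `UNIVERSE` in place of Z so that the concretization can be enumerated; all function names are hypothetical.

```python
from itertools import product

TOP, BOT = "T", "B"
VARS = ("x", "y", "z")
UNIVERSE = range(-2, 8)   # constructed finite stand-in for Z, so gamma is enumerable

def leq(a, b):            # value order: BOT below every constant, TOP above
    return a == BOT or b == TOP or a == b

def state_leq(s, t):
    return all(leq(s[v], t[v]) for v in VARS)

def alpha(states):
    """Join of beta(s) = s over all concrete states s."""
    out = {v: BOT for v in VARS}
    for s in states:
        for v in VARS:
            if out[v] == BOT:
                out[v] = s[v]
            elif out[v] != s[v]:
                out[v] = TOP
    return out

def gamma(a):
    """All concrete states (within UNIVERSE) below the abstract state a."""
    choices = [UNIVERSE if a[v] == TOP else [] if a[v] == BOT else [a[v]]
               for v in VARS]
    return [dict(zip(VARS, vals)) for vals in product(*choices)]

def concrete_assign(s):   # [[y := z + 4]] on one concrete state
    return {**s, "y": s["z"] + 4}

def abstract_assign(a):   # [[y := z + 4]]# on an abstract state
    z = a["z"]
    return {**a, "y": z if z in (TOP, BOT) else z + 4}

def always_seven(a):      # deliberately unsound abstract transformer
    return {**a, "y": 7}

def locally_sound(abs_tr, a):
    """Check alpha({[[st]]s | s in gamma(a)}) is below abs_tr(a)."""
    image = alpha(concrete_assign(s) for s in gamma(a))
    return state_leq(image, abs_tr(a))
```

`always_seven` passes the check when z is the constant 3 and fails it when z is ⊤, which is why the condition has to hold for every abstract state and not only for those reached in one run.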

31
Summary
  • Abstract interpretation connects abstract and concrete semantics
  • Galois Connection
  • Local Correctness
  • Global Correctness