Basic Concepts of Abstract Interpretation Patrick Cousot cole - PowerPoint PPT Presentation

Undecidability – The concrete mathematical semantics of a program is an “tinfinite” mathematical object, not computable ; – All non trivial questions on the concrete program semantics are undecidable . Example: termination – Assume termination(P) would always terminates and returns true iff P always terminates on all input data; – The following program yields a contradiction P ” while termination(P) do skip od . ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 22 —

Graphic example: Safety properties The safety properties of a program express that no possible execution in any possible execution environment can reach an erroneous state. ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 23 —

Graphic example: Safety property x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 24 —

Safety proofs – A safety proof consists in proving that the intersection of the program concrete semantics and the forbidden zone is empty; – Undecidable problem (the concrete semantics is not computable); – Impossible to provide completely automatic answers with finite computer resources and neither human in- teraction nor uncertainty on the answer 2 . 2 e.g. probabilistic answer. ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 25 —

Test/debugging – consists in considering a subset of the possible executions; – not a correctness proof; – absence of coverage is the main problem. ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 26 —

Graphic example: Property test/simulation x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 27 —

Abstract interpretation – consists in considering an abstract semantics , that is to say a superset of the concrete semantics of the program; – hence the abstract semantics covers all possible concrete cases; – correct: if the abstract semantics is safe (does not in- tersect the forbidden zone) then so is the concrete semantics ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 28 —

Graphic example: Abstract interpretation x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 29 —

Formal methods Formal methods are abstract interpretations, which dif- fer in the way to obtain the abstract semantics: – “ model checking ”: - the abstract semantics is given manually by the user; - in the form of a finitary model of the program execution; - can be computed automatically, by techniques relevant to static analysis. ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 30 —

– “ deductive methods ”: - the abstract semantics is specified by verification con- ditions; - the user must provide the abstract semantics in the form of inductive arguments (e.g. invariants); - can be computed automatically by methods relevant to static analysis. – “ static analysis ”: the abstract semantics is computed automatically from the program text according to pre- defined abstractions (that can sometimes be tailored automatically/manually by the user). ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 31 —

Required properties of the abstract semantics – sound so that no possible error can be forgotten; – precise enough (to avoid false alarms); – as simple/abstract as possible (to avoid combinatorial explosion phenomena). ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 32 —

Graphic example: The most abstract correct and precise semantics x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 33 —

Graphic example: Erroneous abstraction — I x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 34 —

Graphic example: Erroneous abstraction — II x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 35 —

Graphic example: Imprecision ) false alarms x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 36 —

Abstract domains Standard abstractions – that serve as a basis for the design of static analyzers: - abstract program data, - abstract program basic operations; - abstract program control (iteration, procedure, con- currency, . . . ); – can be parametrized to allow for manual adaptation to the application domains. ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 37 —

Graphic example: Standard abstraction by intervals x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 38 —

Graphic example: A more refined abstraction x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 39 —

A very informal introduction to static analysis algorithms ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 40 —

Standard operational semantics ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 41 —

Standard semantics – Start from a standard operational semantics that de- scribes formally: - states that is data values of program variables, - transitions that is elementary computation steps; – Consider traces that is successions of states correspond- ing to executions described by transitions (possibly in- finite). ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 42 —

Graphic example: Small-steps transition semantics x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 43 —

Example: Small-steps transition semantics of an assignment int x; ... l: x := x + 1; l’: f l : x = v ! l 0 : x = v + 1 j v 2 [ min _ int ; max _ int ` 1] g [ f l : x = max _ int ! l 0 : x = ˙ g (runtime error) ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 44 —

Example: Small-steps transition semantics of a loop 3 l1 : : : : 7 7 7 7 l1 : x = ` 1 & 7 7 7 7 7 7 l1: l1 : x = 0 ! l2 : x = 1 7 7 7 7 x := 1; 7 7 % l1 : x = 1 7 7 l2: 7 7 7 7 l1 : : : : 7 while x < 10 do 7 5 l3: l2 : x = 1 ! l3 : x = 1 x := x + 1 l3 : x = 1 ! l4 : x = 2 l4: od l4 : x = 2 ! l3 : x = 2 l5: l3 : x = 2 ! l4 : x = 3 : : : l4 : x = 10 ! l5 : x = 10 ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 45 —

Example: Trace semantics of loop l1: x := 1; l2: while x < 10 do l3: x := x + 1 l4: od 3 l5: l1 : : : : 7 7 7 7 l1 : x = ` 1 & 7 7 7 7 7 7 ! l2 : x = 1 ! l3 : x = 1 ! l4 : x = 2 ! l1 : x = 0 7 7 7 7 7 7 l1 : x = 1 % 7 7 7 7 7 7 l1 : : : : 7 7 5 l3 : x = 2 ! l4 : x = 3 : : : ! l4 : x = 10 ! l5 : x = 10 ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 46 —

Transition systems – h S; t !i where: - S is a set of states/vertices/. . . t - ! 2 } ( S ˆ S ) is a transition relation/set of arcs/. . . t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 47 —

Collecting semantics in fixpoint form ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 48 —

Collecting semantics – consider all traces simultaneously; – collecting semantics: - sets of states that describe data values of program variables on all possible trajectories; - set of states transitions that is simultaneous elementary computation steps on all possible trajectories; ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 49 —

Graphic example: sets of states x ( t ) t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 50 —

Graphic example: set of states transitions x ( t ) t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 51 —

� Example: Reachable states of a transition system I ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 52 —

Reachable states in fixpoint form F ( X ) = I [ f s 0 j 9 s 2 X : s t ! s 0 g „ R = lfp ; F = + 1 n =0 F n ( ; ) f 0 ( x ) = x where [ f n +1 ( x ) = f ( f n ( x )) ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 53 —

Example of fixpoint iteration „ ; –X . I [ f s 0 j 9 s 2 X : s t for reachable states lfp ! s 0 g I � � � � � � � � � � � � � � � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 54 —

Example of fixpoint iteration „ ; –X . I [ f s 0 j 9 s 2 X : s t for reachable states lfp ! s 0 g � � � � � F � � � � � � � � � � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 54 —

Example of fixpoint iteration „ ; –X . I [ f s 0 j 9 s 2 X : s t for reachable states lfp ! s 0 g � � � � � F � � F � � � � � � � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 54 —

Example of fixpoint iteration „ ; –X . I [ f s 0 j 9 s 2 X : s t for reachable states lfp ! s 0 g � � � � � F � � F � � F � � � � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 54 —

Example of fixpoint iteration „ ; –X . I [ f s 0 j 9 s 2 X : s t for reachable states lfp ! s 0 g � � � � � F � � F � � F � � F � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 54 —

Abstraction by Galois connections ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 55 —

Abstracting sets (i.e. properties) – Choose an abstract domain, replacing sets of objects (states, traces, . . . ) S by their abstraction ¸ ( S ) – The abstraction function ¸ maps a set of concrete objects to its abstract interpretation; – The inverse concretization function ‚ maps an abstract set of objects to concrete ones; – Forget no concrete objects: (abstraction from above) S „ ‚ ( ¸ ( S )) . ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 56 —

Interval abstraction ¸ � �� f x : [1 ; 99] ; y : [2 ; 77] g � � � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 57 —

Interval concretization ‚ � �� f x : [1 ; 99] ; y : [2 ; 77] g � � � �� ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 58 —

The abstraction ¸ is monotone � �� f x : [33 ; 89] ; y : [48 ; 61] g v �� f x : [1 ; 99] ; y : [2 ; 90] g � � � �� X „ Y ) ¸ ( X ) v ¸ ( Y ) ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 59 —

The concretization ‚ is monotone f x : [33 ; 89] ; y : [48 ; 61] g v f x : [1 ; 99] ; y : [2 ; 90] g X v Y ) ‚ ( X ) „ ‚ ( Y ) ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 60 —

The ‚ ‹ ¸ composition is extensive � �� f x : [1 ; 99] ; y : [2 ; 77] g � � �� X „ ‚ ‹ ¸ ( X ) ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 61 —

The ¸ ‹ ‚ composition is reductive � �� f x : [1 ; 99] ; y : [2 ; 77] g = = v f x : [1 ; 99] ; y : [2 ; 77] g � � � �� ¸ ‹ ‚ ( Y ) = = v Y ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 62 —

Correspondance between concrete and abstract properties – The pair h ¸; ‚ i is a Galois connection: ‚ ` ` ` h } ( S ) ; „i ` hD ; vi ` ` ! ¸ ‚ ` ` ` ` – h } ( S ) ; „i ` hD ; vi when ¸ is onto (equivalently ` `! ` ! ¸ ¸ ‹ ‚ = 1 or ‚ is one-to-one). ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 63 —

Galois connection ‚ ` ` ` hD ; „i ` hD ; vi ` ` ! ¸ iff 8 x; y 2 D : x „ y = ) ¸ ( x ) v ¸ ( y ) ^ 8 x; y 2 D : x v y = ) ‚ ( x ) „ ‚ ( y ) ^ 8 x 2 D : x „ ‚ ( ¸ ( x )) ^ 8 y 2 D : ¸ ( ‚ ( y )) v x iff 8 x 2 D ; y 2 D : ¸ ( x ) v y ( ) x „ ‚ ( y ) ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 64 —

Graphic example: Interval abstraction x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 65 —

Graphic example: Abstract transitions x ( t ) �� t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 66 —

Example: Interval transition semantics of assignments int x; ... l: x := x + 1; l’: f l : x 2 [ ‘; h ] ! l 0 : x 2 [ l + 1 ; min( h + 1 ; max _ int )] [ f ˙ j h = max _ int g j ‘ » h g where [ ‘; h ] = ; when h < ‘ . ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 67 —

�� Function abstraction � � F ] = ¸ ‹ F ‹ ‚ i : e : F ] =  ‹ F � �� ‚ ` ` ` h P; „i ` h Q; vi ) ` ` ! ¸ –F ] . ‚ ‹ F ] ‹ ¸ ! P; _ ` ` ` ` ` ` ` ` ` ` ! Q; _ mon h Q mon h P 7` „i ` 7` vi ` ` ` ` ` ` ` ` ` ! –F . ¸ ‹ F ‹ ‚ ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 68 —

Example: Set of traces to trace of intervals abstraction Set of traces: ¸ 1 # Trace of sets: ¸ 2 # Trace of intervals ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 69 —

Example: Set of traces to reachable states abstraction Set of traces: ¸ 1 # Trace of sets: ¸ 3 # Reachable states ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 70 —

Composition of Galois Connections The composition of Galois connections: ‚ 1 ` ` ` h L; »i ` h M; vi ` ` ! ¸ 1 and: ‚ 2 ` ` ` h M; vi ` h N; —i ` ` ! ¸ 2 is a Galois connection: ‚ 1 ‹ ‚ 2 ` ` ` ` ` ` h L; »i ` h N; —i ` ` ` ` ` ! ¸ 2 ‹ ¸ 1 ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 71 —

Abstract semantics in fixpoint form ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 72 —

Graphic example: traces of sets of states in fixpoint form x ( t ) t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 73 —

Graphic example: traces of intervals in fixpoint form x ( t ) t ľ P. Cousot IFIP WCC — Topical day on Abstract Interpretation, Toulouse, 24 August 2004 — 74 —

Basic Concepts of Abstract Interpretation Patrick Cousot cole - PowerPoint PPT Presentation

Basic Concepts of Abstract Interpretation Patrick Cousot cole normale suprieure 45 rue dUlm 75230 Paris cedex 05, France Patrick.Cousot@ens.fr www.di.ens.fr/~cousot IFIP WCC Topical day on Abstract Interpretation P.

Abstract interpretation based Analysis [FPCA 95], Predicate Abstraction [Mannas festschrift

Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an

Basic Concepts of I R: Outline Basic Concepts of Information Retrieval: Task definition of

Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in

Ariane 5.01 failure Patriot failure Mars orbiter loss (overflow) (float rounding) (unit error)

Abstract Interpretation III Semantics and Application to Program Verification Antoine Min e

A Reconstruction of a Types-and-Effects Analysis by Abstract Interpretation Letterio Galletta

Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile

Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Part I - Basic concepts of thermochronology Basic concepts of thermochronology

30 Years of Abstract Interpretation Thomas Jaudon Ball Microsoft Research [This is the text of a

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond Final Goal of the

Survival analysis : from basic concepts to open research questions Ecole dt,

Static Program Analysis Foundations of Abstract Interpretation Sebastian Hack, Christian Hammer,

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Constraints in Abstract Model Checking Direct implementation of an abstract interpretation John

Classification 1 Classification: Basic Concepts and Methods Classification: Basic Concepts

Abstract Interpretation + Impure Catalysts Our Sparrow Experience YI Jhee, MS Jin, YB Jung, DH

A proof - theoretic approach to abstract interpretation Apostolos Tzimoulis joint work with

1 SOME NOTES ON STATISTICAL INTERPRETATION Below I provide some basic notes on statistical

Evaluation of the Implementation of an Abstract Interpretation Algorithm using Tabled CLP n

Second-Order Abstract Interpretation via Kleene Algebra Dexter Kozen Cornell University AVM

Abstract Interpretation with Applications to Semantics and Static Analysis 1. The