Correctness of Abstract Interpretation Deepak D’souza and K. V. Raghavan
Summary: What is an abstract interpretation (AI)?
• Given:
  • A complete join semi-lattice $D$. This is the “abstract” semantic domain.
  • A monotonic “abstract” transfer function $f_{MN} : D \to D$ for each arc $M \to N$ in the control-flow graph.
• Output: A map from program points to elements of $D$.
• Ideal output: $\mathrm{JOP}_D$
  • For any program point $p$, $\mathrm{JOP}_D[p]$ is the join of all values obtained by propagating the initial value $d_0 \in D$ through the transfer functions of all paths in the CFG that end at $p$, where
  • the transfer function of a path is the composition of the transfer functions of the arcs on the path.
Summary: What does Kildall’s algorithm compute?
• In general $\mathrm{JOP}_D$ is not computable.
• Kildall’s algorithm computes $\mathrm{LFP}_D(F)$, the least fixpoint of the vectorized transfer function $F$.
• Kildall’s algorithm requires $D$ to contain no infinite ascending chains.
• In general $\mathrm{LFP}_D \ge \mathrm{JOP}_D$.
• They are equal when the lattice is finite and the transfer functions are distributive.
Summary: Theorems
• Knaster-Tarski theorem:
  • Guarantees the presence of a fixpoint.
  • Fixpoints form a complete lattice.
  • $\mathrm{LFP}_D(f) \ge \bigsqcup_{i \ge 0} f^i(\bot)$, if $f$ is monotonic.
  • $\mathrm{LFP}_D(f) = \bigsqcup_{i \ge 0} f^i(\bot)$, if $f$ is continuous.
  • $D$ needs to be a complete join semi-lattice. $D$ may contain infinite ascending chains.
Exercise: Consider the example in slide 51 of the data-flow analysis slide set. Compute $\bigsqcup_{i \ge 0} F^i(\bot)$.
Static (i.e., collecting) semantics
• Lattice of values: $(\mathit{Val}_\bot, \le_{\mathit{Val}_\bot}, \sqcup_{\mathit{Val}_\bot})$ is the flat lattice with $\bot$ at the bottom, $\top$ at the top, and the values $\mathit{ff}$, $\mathit{tt}$ and the integers $\ldots, -3, -2, -1, 0, 1, 2, 3, \ldots$ pairwise incomparable in between.
• $\mathit{Env}$ is (normally) a map $e : \mathit{Var} \to \mathit{Val}_\bot$. However, in general, it can be any semantic domain.
• Program semantics is given by the $\mathit{nstate}$ function: for an edge $M \to N$ with state $S_1$ at $M$ and state $S_2$ at $N$, $\mathit{nstate}(M, S_1) = (N, S_2)$, where $S_1, S_2 \in 2^{\mathit{Env}}$.
Static (i.e., collecting) semantics – contd.
• Initial environment $S_0$ is given. Normally, it is $\{\lambda x.\bot\}$.
• Static semantics $\mathit{SS}$ is a map $\mathit{ProgramPoints} \to 2^{\mathit{Env}}$.
• At each program point $N$, $\mathit{SS}(N) = \{\, e \mid \mathit{nstate}_p(E, S_0) = (N, S),\ p \text{ is a path } E \rightsquigarrow N,\ e \in S \,\}$, where $E$ is the entry point of the CFG and $\mathit{nstate}_p$ is the composition of $\mathit{nstate}$ along the edges of $p$.
• Static semantics can also be phrased as an AI:
  • Concrete lattice $C$: $(2^{\mathit{Env}}, \subseteq)$, $\bot = \emptyset$, $\top = \mathit{Env}$, $\sqcup = \cup$.
  • Initial value: $\{\lambda x.\bot\}$
  • Transfer function = $\mathit{nstate}$
  • Static semantics = $\mathrm{JOP}_C$; i.e., $\mathit{SS}(N) = \mathrm{JOP}_C[N]$.
• Notice that the framework is distributive: $\mathit{nstate}(S_1 \sqcup S_2) = \mathit{nstate}(S_1) \sqcup \mathit{nstate}(S_2)$.
• Hence, $\mathrm{JOP}_C = \mathrm{LFP}_C(\mathit{nstate})$.
Sample program
[Figure: CFG of the program  x := 1; while (x <= 100) { x := x + 1 }  with nodes 0–4 (0 = entry, 1: x := 1, 2: loop header, 3: x <= 100, 4: x := x + 1) and edges A–F, annotated with $\mathrm{JOP}_C$ written as the set of values of x:]
• A (entry): $\{\lambda x.\bot\}$
• B (after x := 1): $\{1\}$
• C (loop header to the test): $\{1, \cdots, 101\}$
• D (x <= 100 true): $\{1, \cdots, 100\}$
• E (after x := x + 1, back edge): $\{2, \cdots, 101\}$
• F (x <= 100 false): $\{101\}$
Exercise: Find a non-minimal fixpoint of this program.
Conditions for correctness of an AI
There should exist maps
• $\alpha : C \to D$ (abstraction)
• $\gamma : D \to C$ (concretization)
such that
• $\alpha$ and $\gamma$ are monotonic
• $\gamma(\alpha(e)) \ge e$ for every $e \in C$
• $\alpha(\gamma(d)) = d$ for every $d \in D$
In this case $(\alpha, \gamma)$ are said to form a Galois connection.
Illustration of Galois connection
For constant propagation, the following mappings form a Galois connection:
• $\alpha(S) = \{\, (x, c) \mid c = \bigsqcup_{\mathit{Val}_\bot} \{ e(x) \mid e \in S \} \,\}$
• $\gamma(P) = \{\, e \in \mathit{Env} \mid \text{for each } (x, c) \in P : e(x) \le_{\mathit{Val}_\bot} c \,\}$
Corollaries
If $(\alpha, \gamma)$ form a Galois connection then the concrete and abstract join operators satisfy the following properties.
• Corollary 1 (concrete join): $\alpha(c_1 \sqcup c_2) = \alpha(c_1) \sqcup \alpha(c_2)$.
• Corollary 2 (abstract join): $\gamma(d_1 \sqcup d_2) \ge \gamma(d_1) \sqcup \gamma(d_2)$.
Conditions for correctness – continued
Transfer functions should satisfy one of the following (each of them implies the other). Here $f_{n,\mathit{concrete}}$ (i.e., $\mathit{nstate}$) and $f_{n,\mathit{abstract}}$ are the concrete and abstract transfer functions of a node $n$:
• For every concrete value $c$: $\alpha(f_{n,\mathit{concrete}}(c)) \le f_{n,\mathit{abstract}}(\alpha(c))$.
• For every abstract value $d$: $f_{n,\mathit{concrete}}(\gamma(d)) \le \gamma(f_{n,\mathit{abstract}}(d))$.
Exercise: Illustrate the first condition above using the constant propagation example. Let $n$ be “z = x + y”, and let + be strict on its arguments. Demonstrate a situation where $\alpha(f_{n,\mathit{concrete}}(S)) < f_{n,\mathit{abstract}}(\alpha(S))$.
Theorem: Correctness of AI
If $(\alpha, \gamma)$ form a Galois connection, the transfer functions satisfy the property mentioned above, and $\alpha(S_0) \le d_0$, then:
• $\alpha(\mathrm{JOP}_C) \le \mathrm{JOP}_D$
• $\mathrm{JOP}_C \le \gamma(\mathrm{JOP}_D)$
More on correctness of AI
• We showed just now that $\gamma(\mathrm{JOP}_D) \ge \mathrm{JOP}_C$.
• We have already shown that $\mathrm{LFP}_D \ge \mathrm{JOP}_D$ (see slide 74, data-flow analysis slides).
• We know $\gamma$ is monotonic.
• Therefore, $\gamma(\mathrm{LFP}_D) \ge \mathrm{JOP}_C$.
In other words, the concretization of the result of abstract interpretation is an over-approximation of the collecting semantics.
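The sample program, the constant-propagation Galois connection, the “z = x + y” exercise and the conclusion $\gamma(\mathrm{LFP}_D) \ge \mathrm{JOP}_C$ above, worked through in code. This is an added example and not code from the slides. Its assumptions: environments are tuples of values (one slot per variable, x at index 0), $\bot$ and $\top$ are the strings "bot" and "top", the exit of the CFG is a node named "exit", an abstract conditional edge passes $d$ unchanged when the test may hold (True or $\top$) and yields the bottom environment otherwise, the exercise input $S$ is constructed, and $\mathrm{JOP}$ is computed by enumerating paths up to a fixed bound, which is exact only for this program because longer paths carry only $\bot$.

```python
from functools import reduce

BOT, TOP = "bot", "top"   # ⊥ and ⊤ of the flat lattice Val⊥; ints and bools sit in between

def val_join(a, b):
    if a == BOT: return b
    if b == BOT: return a
    return a if a == b else TOP
val_leq = lambda a, b: a == BOT or b == TOP or a == b

def strict(op):
    """Lift a binary operator to Val⊥: ⊥ in gives ⊥, else ⊤ in gives ⊤, else fold it."""
    return lambda a, b: BOT if BOT in (a, b) else TOP if TOP in (a, b) else op(a, b)
plus, le = strict(lambda a, b: a + b), strict(lambda a, b: a <= b)
neg = lambda a: a if a in (BOT, TOP) else (not a)

# Concrete domain C = 2^Env: an env is a tuple of Val⊥ values (index i = variable i), a state is
# a frozenset of envs, the order is ⊆, the join is ∪.  nstate for "v_i := fn" and for a test:
def conc_assign(i, fn):
    return lambda S: frozenset(e[:i] + (fn(e),) + e[i+1:] for e in S)

def conc_filter(test):    # only envs on which the test is exactly True pass
    return lambda S: frozenset(e for e in S if test(e) is True)

# Abstract domain D (constant propagation): one Val⊥ value per variable, ordered pointwise.
abs_join = lambda d1, d2: tuple(val_join(a, b) for a, b in zip(d1, d2))
abs_leq = lambda d1, d2: all(val_leq(a, b) for a, b in zip(d1, d2))

def abs_assign(i, fn):
    return lambda d: d[:i] + (fn(d),) + d[i+1:]

def abs_filter(test):
    def f(d):   # keep d if the test may hold (True or ⊤); on False or ⊥ no env gets through
        r = test(d)
        return d if r is True or r == TOP else (BOT,) * len(d)
    return f

# The slides' Galois connection.  gamma(d) is infinite when d contains ⊤, so membership in
# gamma(d) is tested rather than the set being built.
def alpha(S, n):
    return tuple(reduce(val_join, (e[i] for e in S), BOT) for i in range(n))
def in_gamma(S, d):
    return all(val_leq(e[i], d[i]) for e in S for i in range(len(d)))

def sample_cfg(assign, filt):
    """Edges (M, N, f_MN) of the sample program x := 1; while x <= 100: x := x + 1 (x is
    variable 0; node "0" is the entry and "exit" is an assumed name for the exit node)."""
    return [("0", "1", lambda v: v),                                  # A
            ("1", "2", assign(0, lambda e: 1)),                       # B: x := 1
            ("2", "3", lambda v: v),                                  # C: loop header
            ("3", "4", filt(lambda e: le(e[0], 100))),                # D: x <= 100 holds
            ("4", "2", assign(0, lambda e: plus(e[0], 1))),           # E: x := x + 1
            ("3", "exit", filt(lambda e: neg(le(e[0], 100))))]        # F: x <= 100 fails

def kleene_lfp(cfg, d0, bottom, join):
    """LFP(F) of the vectorized transfer function F, as the limit of the chain F^i(⊥)."""
    nodes = {"0"} | {n for _, n, _ in cfg}
    V = {n: bottom for n in nodes}
    while True:
        W = {n: (d0 if n == "0" else bottom) for n in nodes}
        for m, n, f in cfg:
            W[n] = join(W[n], f(V[m]))
        if W == V:
            return V
        V = W

def jop(cfg, d0, bottom, join, max_edges=320):
    """Join over all entry paths of at most max_edges edges.  For this program any longer path
    carries only ⊥ (x > 100 is filtered out and the operators are strict), so nothing is lost."""
    succ = {}
    for m, n, f in cfg:
        succ.setdefault(m, []).append((n, f))
    res, stack = {}, [("0", d0, 0)]
    while stack:
        m, v, k = stack.pop()
        res[m] = join(res.get(m, bottom), v)
        if k < max_edges:
            stack.extend((n, f(v), k + 1) for n, f in succ.get(m, []))
    return res

def run_sample():
    """Returns (JOP_C, JOP_D, LFP_D) for the sample program after checking the slides' claims."""
    S0, d0 = frozenset({(BOT,)}), (BOT,)      # initial state {λx.⊥} and its abstraction
    cfg_c, cfg_d = sample_cfg(conc_assign, conc_filter), sample_cfg(abs_assign, abs_filter)
    jop_c = jop(cfg_c, S0, frozenset(), frozenset.union)
    assert jop_c == kleene_lfp(cfg_c, S0, frozenset(), frozenset.union)  # JOP_C = LFP_C
    jop_d, lfp_d = jop(cfg_d, d0, (BOT,), abs_join), kleene_lfp(cfg_d, d0, (BOT,), abs_join)
    for n in jop_c:
        assert abs_leq(alpha(jop_c[n], 1), jop_d[n])    # alpha(JOP_C) <= JOP_D
        assert abs_leq(jop_d[n], lfp_d[n])              # JOP_D <= LFP_D, strict at "exit"
        assert in_gamma(jop_c[n], lfp_d[n])             # JOP_C <= gamma(LFP_D)
    return jop_c, jop_d, lfp_d

def exercise_z_eq_x_plus_y():
    """Slide exercise for n = "z := x + y" with strict +.  Constructed input: two envs (x, y, z)
    with the same x + y but different x and y, so alpha(S) has already lost x and y."""
    S = frozenset({(1, 2, BOT), (2, 1, BOT)})
    f_c = conc_assign(2, lambda e: plus(e[0], e[1]))
    f_a = abs_assign(2, lambda d: plus(d[0], d[1]))
    return alpha(f_c(S), 3), f_a(alpha(S, 3))          # (⊤, ⊤, 3) is strictly below (⊤, ⊤, ⊤)
```

Calling `run_sample()` reproduces the figure: $\mathrm{JOP}_C$ at the exit is $\{101\}$ and at the loop header $\{1, \ldots, 101\}$. In the abstract domain the join over paths still gives the constant 101 at the exit, but Kildall’s fixpoint gives $\top$ there, because the filtered conditional is not distributive ($f(1 \sqcup 101) = f(\top) = \top$ while $f(1) \sqcup f(101) = 1 \sqcup \bot = 1$); this is the strict case of $\mathrm{LFP}_D \ge \mathrm{JOP}_D$, and $\gamma(\top)$ still contains every concrete environment, as the theorem promises. `exercise_z_eq_x_plus_y()` returns $(\top, \top, 3)$ on the left and $(\top, \top, \top)$ on the right: the abstraction of $S$ has already merged the two environments, so the abstract addition cannot recover that $x + y$ is 3 in both.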
Proof of corollaries
Proof of Corollary 2:
• $d_1 \sqcup d_2$ is $\ge$ both $d_1$ and $d_2$ (property of join).
• Therefore, by monotonicity of $\gamma$, $\gamma(d_1 \sqcup d_2)$ is $\ge$ both $\gamma(d_1)$ and $\gamma(d_2)$.
• Therefore, by the property of join (it is the least upper bound), $\gamma(d_1 \sqcup d_2) \ge \gamma(d_1) \sqcup \gamma(d_2)$. ∎
Proof of Corollary 1:
• Using an argument similar to the above it can be shown that $\alpha(c_1 \sqcup c_2) \ge \alpha(c_1) \sqcup \alpha(c_2)$.
Proof of Corollary 1 – continued
We now need to show that $\alpha(c_1 \sqcup c_2) \le \alpha(c_1) \sqcup \alpha(c_2)$. This would complete the proof.
[Figure: concrete elements $c_1, c_2, c_3, c_4$ on the left and abstract elements $d_1, d_2, d_3$ on the right; rightward arrows are $\alpha$’s and leftward arrows are $\gamma$’s, with $d_1 = \alpha(c_1)$, $d_2 = \alpha(c_2)$, $c_3 = c_1 \sqcup c_2$, $d_3 = d_1 \sqcup d_2$ and $c_4 = \gamma(d_3)$.]
• $\gamma(d_1) \ge c_1$ and $\gamma(d_2) \ge c_2$ (by defn. of Galois connection).
• $c_4 = \gamma(d_3) = \gamma(d_1 \sqcup d_2)$ is $\ge$ both $\gamma(d_1)$ and $\gamma(d_2)$ (by monotonicity of $\gamma$).
• Therefore, $c_4$ is $\ge$ both $c_1$ and $c_2$ (by transitivity of $\ge$).
• Therefore, $c_4 \ge c_3 = c_1 \sqcup c_2$ (by property of join).
• $\alpha(c_4) = \alpha(\gamma(d_3)) = d_3$ (by defn. of Galois connection). Since $c_4 \ge c_3$ and $\alpha$ is monotonic, $d_3 = \alpha(c_4) \ge \alpha(c_3)$, i.e., $\alpha(c_1) \sqcup \alpha(c_2) \ge \alpha(c_1 \sqcup c_2)$. ∎
Proof of correctness theorem
We give a proof that $\alpha(\mathrm{JOP}_C) \le \mathrm{JOP}_D$.
• Lemma: Consider any edge $M \to N$. Let $d$ be an abstract value and $c$ a concrete value at $M$ such that $\alpha(c) \le d$. Then $\alpha(f_{MN,\mathit{concrete}}(c)) \le f_{MN,\mathit{abstract}}(d)$.
  Proof: The first condition on transfer functions tells us that $\alpha(f_{MN,\mathit{concrete}}(c)) \le f_{MN,\mathit{abstract}}(\alpha(c))$. Using the lemma’s prerequisite $\alpha(c) \le d$ and the monotonicity of $f_{MN,\mathit{abstract}}$, we get $f_{MN,\mathit{abstract}}(\alpha(c)) \le f_{MN,\mathit{abstract}}(d)$. Therefore $\alpha(f_{MN,\mathit{concrete}}(c)) \le f_{MN,\mathit{abstract}}(d)$.
• Consider any path $p$ in the CFG starting from the entry point $E$. We prove by induction that for any $i \ge 0$, where $p_i$ is the prefix of $p$ containing $i$ edges, $\alpha(f_{p_i,\mathit{concrete}}(S_0)) \le f_{p_i,\mathit{abstract}}(d_0)$, where $f_{p_i,\mathit{concrete}}$ ($f_{p_i,\mathit{abstract}}$) is the composition of the concrete (abstract) transfer functions of the edges in $p_i$.
• Base case ($i = 0$): The property reduces to $\alpha(S_0) \le d_0$. This is a prerequisite of the theorem.
Proof – continued
• Inductive case: The inductive hypothesis is that $\alpha(f_{p_{i-1},\mathit{concrete}}(S_0)) \le f_{p_{i-1},\mathit{abstract}}(d_0)$. Let the $i$th edge of $p$ be $L \to M$. Applying the lemma above to this edge, with $c = f_{p_{i-1},\mathit{concrete}}(S_0)$ and $d = f_{p_{i-1},\mathit{abstract}}(d_0)$, we get $\alpha(f_{LM,\mathit{concrete}}(f_{p_{i-1},\mathit{concrete}}(S_0))) \le f_{LM,\mathit{abstract}}(f_{p_{i-1},\mathit{abstract}}(d_0))$. This reduces to $\alpha(f_{p_i,\mathit{concrete}}(S_0)) \le f_{p_i,\mathit{abstract}}(d_0)$. The inductive case is done.
• From the result proved above we derive
  $\alpha(c_p) \le d_p$ (1)
  where $p$ is any path, $c_p = f_{p,\mathit{concrete}}(S_0)$ and $d_p = f_{p,\mathit{abstract}}(d_0)$.
• Let $N$ be any program point, and let $P_N = \{\, p \mid p \text{ is a path from } E \text{ to } N \,\}$.
Proof – continued
• Property (1), plus the property of joins, gives us
  $\bigsqcup_{p \in P_N} \alpha(c_p) \le \bigsqcup_{p \in P_N} d_p$ (2)
  $= \mathrm{JOP}_D[N]$ (3)
• By Corollary 1 we have
  $\bigsqcup_{p \in P_N} \alpha(c_p) = \alpha\big(\bigsqcup_{p \in P_N} c_p\big)$ (4)
  $= \alpha(\mathrm{JOP}_C[N])$ (5)
• Using properties (3) and (5), and extending over all program points $N$, we get $\alpha(\mathrm{JOP}_C) \le \mathrm{JOP}_D$. We are done.