
Slide 1: Abstract Interpretation Part II, Mooly Sagiv

Slide 2: Outline
- Tarski's fixed point theorem
- The Soundness Theorem
- Infinite Domains (Widening & Narrowing)
- Canonical Abstraction
- Shape analysis is a separate 3-hour lecture with demos

Slide 3: Fixed Points
- A monotone function f: L  L
- l_1  l_2  f(l_1)  f(l_2)
- (L, , , , , ) is a complete lattice
- Fix(f) = { l : l  L, f(l) = l }
- Red(f) = { l : l  L, f(l)  l }
- Ext(f) = { l : l  L, l  f(l) }
- Tarski's Theorem 1955:
  - lfp(f) =  Fix(f) =  Red(f)  Fix(f)
  - gfp(f) =  Fix(f) =  Ext(f)  Fix(f)
Figure: the iteration sequences of f starting from the bottom and the top element of L, with the regions Fix(f), Ext(f), Red(f) and the points lfp(f), gfp(f) marked.

Slide 4: Abstract (Conservative) interpretation
Figure: set of states, mapped by abstraction to an abstract representation; the operational semantics of statement s on the set of states, and the abstract semantics of statement s on the abstract representation, followed by abstraction of the resulting states.

Slide 5: Abstract (Conservative) interpretation
Figure: the same diagram drawn with concretization: the abstract representation is mapped by concretization to a set of states, and the result of the operational semantics of statement s is compared with the concretization of the abstract semantics of statement s.

Slide 6: Abstract (Conservative) interpretation
Figure: the diagram with both abstraction and concretization: concretize the abstract representation, run the operational semantics of statement s, abstract the resulting set of states, and compare with the abstract semantics of statement s.

Slide 7: Soundness Theorem [CC]
- Let (, ) form a Galois connection from C to A:
  - (c)  a iff c  (a)
  -  and  are monotone
  - ((a))  a
  - c  ((c))
- f: C  C be a monotone function
- f#: A  A be a monotone function
- a  A: f((a))  (f#(a))
- c  C: (f(c))  f#((a))
- a  A: (f((a)))  f#(a)
- lfp(f)  (lfp(f#))
- (lfp(f))  lfp(f#)

Slide 8:
Figure: side by side, the iteration of f in the concrete lattice from its bottom and top elements (regions f(x)=x, lfp(f), gfp(f)) and the iteration of f# in the abstract lattice (regions f#(y)=y, lfp(f#), gfp(f#)).

Slide 9: Finite Height Case
Figure: the iterates of f# reaching lfp(f#) in finitely many steps, drawn beside the iterates of f reaching lfp(f).

Slide 10: Example Interval Analysis
- Find a lower and an upper bound of the value of a variable
- Usages?
- Lattice L = (Z  {- ,  }  Z  {- ,  }, , , , , )
  - [a, b]  [c, d] if c  a and d  b
  - [a, b]  [c, d] = [min(a, c), max(b, d)]
  - [a, b]  [c, d] = [max(a, c), min(b, d)]
  -  =
  -  =

Slide 11: The need for disjunctions
  if (…) … [1, 5]
  else … [7, 8]
  assert x != 6

Slide 12: Widening for Interval Analysis
-   [c, d] = [c, d]
- [a, b]  [c, d] = [ if a  c then a else - , if b  d then b else  ]

Slide 13: Example Program Interval Analysis
Program: [x := 1]1 ; while [x  1000]2 do [x := x + 1;]3
Control-flow nodes: [x:=1]1, [x  1000]2, [x := x+1]3, [exit]4
  IntEntry(1) = [- , ]
  IntExit(1) = [1,1]
  IntEntry(2) = IntExit(2)  (IntExit(1)  IntExit(3))
  IntExit(2) = IntEntry(2)
  IntEntry(3) = IntExit(2)  [- , 1000]
  IntExit(3) = IntEntry(3) + [1,1]
  IntEntry(4) = IntExit(2)  [1001, ]
  IntExit(4) = IntEntry(4)

Slide 14: Requirements on Widening
- For all elements l_1  l_2  l_1  l_2
- For all ascending chains l_0  l_1  l_2  … the following sequence is finite
  - y_0 = l_0
  - y_{i+1} = y_i  l_{i+1}
- For a monotonic function f: L  L define
  - x_0 = 
  - x_{i+1} = x_i  f(x_i)
- Theorem:
  - There exists k such that x_{k+1} = x_k
  - x_k  Red(f) = { l : l  L, f(l)  l }

Slide 15: Narrowing
- Improve the result of widening
- y  x  y  (x  y)  x
- For all decreasing chains x_0  x_1  … the following sequence is finite
  - y_0 = x_0
  - y_{i+1} = y_i  x_{i+1}
- For a monotonic function f: L  L and x  Red(f) = { l : l  L, f(l)  l } define
  - y_0 = x
  - y_{i+1} = y_i  f(y_i)
- Theorem:
  - There exists k such that y_{k+1} = y_k
  - y_k  Red(f) = { l : l  L, f(l)  l }

Slide 16: Narrowing for Interval Analysis
- [a, b]   = [a, b]
- [a, b]  [c, d] = [ if a = -  then c else a, if b =  then d else b ]

Slide 17: Example Program Interval Analysis
Program: [x := 1]1 ; while [x  1000]2 do [x := x + 1;]3
Control-flow nodes: [x:=1]1, [x  1000]2, [x := x+1]3, [exit]4
  IntEntry(1) = [- , ]
  IntExit(1) = [1,1]
  IntEntry(2) = IntExit(2)  (IntExit(1)  IntExit(3))
  IntExit(2) = IntEntry(2)
  IntEntry(3) = IntExit(2)  [- , 1000]
  IntExit(3) = IntEntry(3) + [1,1]
  IntEntry(4) = IntExit(2)  [1001, ]
  IntExit(4) = IntEntry(4)

Slide 18: Non-Monotonicity of Widening
- [0,1]  [0,2] = [0, ]
- [0,2]  [0,2] = [0,2]
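Slides 12 to 18 define interval widening and narrowing and apply them to the loop of slides 13 and 17. The following Python block is an added example, not code from the slides: it implements the two operators, iterates the slides' IntEntry/IntExit equations for the loop first with widening and then with narrowing, and reproduces the non-monotonicity pair of slide 18. The tuple representation, the use of None for bottom and the function names are assumptions of this example.

```python
# Added example, not from the slides: interval analysis of the deck's loop
#   [x := 1]1 ; while [x <= 1000]2 do [x := x + 1]3 ; [exit]4
# using the widening (slide 12) and narrowing (slide 16) operators.
# An interval is a (lo, hi) tuple; None is bottom (no value reaches the point).
INF = float("inf")

def join(a, b):
    if a is None or b is None:
        return a if b is None else b
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def add(a, b):  # abstract addition, used for x := x + 1
    return None if a is None or b is None else (a[0] + b[0], a[1] + b[1])

def widen(a, b):
    # Slide 12: a bound that moved is thrown to infinity; bottom widened to b is b.
    if a is None:
        return b
    return (a[0] if a[0] <= b[0] else -INF, a[1] if a[1] >= b[1] else INF)

def narrow(a, b):
    # Slide 16: an infinite bound is replaced by the refined one.
    if a is None or b is None:
        return a if b is None else b
    return (b[0] if a[0] == -INF else a[0], b[1] if a[1] == INF else a[1])

def analyze_loop(combine, entry2=None):
    """Iterate IntEntry(2) = IntEntry(2) combine (IntExit(1) join IntExit(3))
    until it is stable and return the intervals at each program point."""
    exit1 = (1, 1)                               # IntExit(1): x := 1
    while True:
        entry3 = meet(entry2, (-INF, 1000))      # loop condition x <= 1000 holds
        exit3 = add(entry3, (1, 1))              # x := x + 1
        new = combine(entry2, join(exit1, exit3))
        if new == entry2:
            break
        entry2 = new
    return {"entry2": entry2, "entry3": entry3, "exit3": exit3,
            "entry4": meet(entry2, (1001, INF))}  # loop condition fails

def widen_then_narrow():
    up = analyze_loop(widen)                        # ascends to [1, inf]
    return up, analyze_loop(narrow, up["entry2"])   # refines to [1, 1001]
```

Widening reaches IntEntry(2) = [1, inf] after three iterations instead of a thousand; narrowing then recovers [1, 1001] at the loop head and [1001, 1001] at the exit.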

Slide 19: Widening and Narrowing Summary
- Very simple but produces impressive precision
- Sometimes non-monotonic
- The McCarthy 91 function
- Also useful in the finite case
- Can be used as a methodological tool
The McCarthy 91 function with the computed intervals beside each line:
  int f(x)                   [- , ]
    if x > 100 then          [101, ]
      return x - 10;         [91,  -10]
    else                     [- , 100]
      return f(f(x+11));     [91, 91]

Slide 20: Numerical Abstractions
Figure: the region in the x, y plane described by each abstraction.
- Interval: x  c, y  c
- Octagon: x  y  c
- Polyhedron: c_1 x  c_2 y  c
- Octagon only maintains correlations between two variables

Slide 21: Non-Numerical Abstractions

Slide 22: Predicate Abstraction
- L = (P(P(B)), , , , , )
- X  Y if X  Y
- X  Y = X  Y
- X  Y = X  Y
-  = P(B)
-  = 

Slide 23: Example Programs
  if (x > 0) y = malloc();
  …
  if (x > 0) z = *y;

  while x != y do x = x  n;

Slide 24: Canonical Abstraction
- Abstract unbounded sets of memory locations into a bounded set
- Partition based abstraction
- Use unary relations (symbols as distinctions)
- Maintain binary relations when necessary

Slide 25: Canonical Abstraction
Program:
  x = null;
  while (…) do { t = malloc(); t.next = x; x = t }
Figure: a concrete heap with individuals u1, u2, u3 linked by n and pointed to by x and t, and its canonical abstraction in which u2 and u3 are merged into the summary node u2,3.

Slide 26: Canonical Abstraction and Equality
Program:
  x = null;
  while (…) do { t = malloc(); t.next = x; x = t }
Figure: the same heap and its abstraction with the eq (equality) relation drawn; on the summary node u2,3 the value of eq and of n is indefinite.

Slide 27: Heap Sharing relation
  is(v) =  v_1, v_2 : n(v_1, v)  n(v_2, v)  v_1  v_2
Figure: a list u1, u2, …, un reached from x and t with is(v)=0 on every node, and its abstraction with the single summary node u2..n.

Slide 28: Heap Sharing relation
  is(v) =  v_1, v_2 : n(v_1, v)  n(v_2, v)  v_1  v_2
Figure: a heap in which one node is shared by two n edges (is(v)=1) while the others have is(v)=0; the abstraction keeps the shared node u2 apart from the summary node u3..n.

Slide 29: Reachability relation
  t[n](v1, v2) = n*(v1, v2)
Figure: the list u1, u2, …, un from x and t with the transitive reachability relation t[n] drawn, and its abstraction with summary node u2..n.

Slide 30: List Segments
Figure: a list u1 … u8 reached from x, with y pointing to u5; the abstraction keeps u1 and u5 and merges the remaining cells into the summary node u2,3,4,6,7,8.

Slide 31: Reachability from a variable
  r[y](v) =  w: y(w)  n*(w, v)
Figure: the same list with r[y]=0 on u1 … u4 and r[y]=1 on u5 … u8; the abstraction now keeps u2,3,4 (r[y]=0) and u6,7,8 (r[y]=1) as separate summary nodes.

Slide 32: Sortedness
Figure: the list u1, u2, …, un from x and t with the dle (data less-or-equal) relation between cells, and its abstraction with summary node u2..n.

Slide 33: Example: Sortedness
  inOrder(v) =  v1: n(v, v1)  dle(v, v1)
Figure: the same list and abstraction with inOrder = 1 on the nodes.

Slide 34: Example: InsertSort (Run Demo)
  typedef struct list_cell { int data; struct list_cell *n; } *List;

  List InsertSort(List x) {
    List r, pr, rn, l, pl;
    r = x; pr = NULL;
    while (r != NULL) {
      l = x; rn = r->n; pl = NULL;
      while (l != r) {
        if (l->data > r->data) {
          pr->n = rn;
          r->n = l;
          if (pl == NULL) x = r; else pl->n = r;
          r = pr;
          break;
        }
        pl = l; l = l->n;
      }
      pr = r; r = rn;
    }
    return x;
  }

Slide 35: Example: InsertSort (Run Demo)
  typedef struct list_cell { int data; struct list_cell *n; } *List;

  List InsertSort(List x) {
    List r, pr, rn, l, pl;
    if (x == NULL) return NULL;
    pr = x; r = x->n;
    while (r != NULL) {
      pl = x; rn = r->n; l = x->n;
      while (l != r) {
        pr->n = rn; r->n = l; pl->n = r; r = pr; break;
      }
      pl = l; l = l->n;
    }
    pr = r; r = rn;
  }

Slide 36:
  void Mark(Node root) {
    if (root != NULL) {
      pending = 
      pending = pending  {root}
      marked = 
      while (pending  ) {
        x = SelectAndRemove(pending)
        marked = marked  {x}
        t = x  left
        if (t  NULL)
          if (t  marked)
            pending = pending  {t}
        /* t = x  right
         * if (t  NULL)
         *   if (t  marked)
         *     pending = pending  {t}
         */
      }
    }
    assert(marked == Reachset(root))
  }

Slide 37: There may exist an individual that is reachable from the root, but not marked
Figure: an abstract heap with root and x, nodes labelled with r[root] and m, and left and right edges leading to a node that is reachable (r[root]) but not marked.

Slide 38: Conclusions (1)
- Good static analysis =
  - Precise enough (for the client)
  - Efficient enough
- Good static analysis
  - Good domain
    - Abstract non-important details
    - Represent relevant concrete information
    - Precise and efficient abstract meaning of abstract interpreters
    - Efficient join implementation
    - Small height or widening

Slide 39: Conclusions (2)
- The Theory of Static Analysis is well founded
  - Abstraction
  - Soundness
  - Chaotic iterations
  - Elimination methods
  - Modular methods
- Weak Parts
  - Transformations
  - Predictable approximations
  - User defined abstractions
  - System
