Abstractions Eric Feron

Outline Principles of abstraction Motivating example Abstracting variables Abstracting functions Abstracting operators Recommended readings

Principles of abstractions We consider software or hardware objects which are too complicated to describe exactly. We approximate them by embedding them into larger objects, but whose description is simpler. If the original objects are subject to manipulations, we are able to manipulate their abstractions at comparable computational cost. Hopefully we learn something useful.

Example Prototype program [1] while x> 1000 do [2] x:=x+y ; [3] od; [4] (x,y) in [-b-1;b] integer b is overflow limit. Program characteristics: Program terminates without error iff (x>0, y0<0). Execution never terminates iff (1000< x0<b)  (y0=0). Execution leads to run-time error (by overflow) iff (x0>1000)  (y0>0). These are desirable characteristics to be found

Where can the states of a program go? [1] while x> 1000 do [2] x:=x+y ; [3] od; [4] (x,y) in I =[-b;b] integer if x> 1000 if x<1000 if x>1000 if x<1000 Representation of program behavior by means of automaton possible but not really compact.

Reachable states

Order relation is that of inclusion: A set is smaller than another if it is included in it Forms a complete lattice: Any finite set of sets has a least upper bound and a greatest lower bound. Reachable set always grows with iterations Basic theorem: A sequence of sets that always grows ends up converging. But convergence can take a very long time

Example of complete lattice Set L of subsets of states in a state-space S: Partial order is traditional inclusion H = {H1,H2}  L H1 U H2 is the least upper bound for H. H1  H2 is the greatest lower bound for H. Obviously these exist for any H. L has an infimum: The empty set L has a supremum: S. H1 H2 Problem: Arbitrary sets are often not computer-representable, thus hard to do computations with them.

(Discrete) Complete Lattices Some element in the set A Least upper bound Greatest lower bound For our purposes, each element is a set. So A is a set of sets. A

if x> 1000 if x<1000 if x>1000  if x<1000 Back to our program Assume y 0. Clearly insufficient to identify what will happen to program states Could use abstraction by means of intervals: eg: x in [200;2000], y in [-2 -1] Can extract "propagation laws" for intervals rather than numbers.

Lattice of Intervals least upper bound (lub) greatest lower bound (glb) In two dimensions Greatest lower bound Least upper bound In one dimension

if x> 1000 if x<1000 if x>1000  if x<1000 From program on variables to abstracted program on abstracted variables if x<1000 if x>1000  if x<1000 (X1,Y1) if x> 1000 (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X3,Y3) = (X2+Y2,Y2) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3)

Step if x> 1000 if x<1000 if x>1000 if x<1000 X1 = [200;2000], Y1 = [-2 -1] X2= , Y2 =  X3= , Y3 =  x= , y =  (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2)

Step if x> 1000 if x<1000 if x>1000  if x<1000 X1 =[200;2000], Y1 = [-2 -1] X2 = [1000;2000] Y2 = [-2 -1] X3= , Y3 =  X4= , Y4=  (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2)

Step if x> 1000 if x<1000 if x>1000  if x<1000 X1 =[200;2000], Y1 = [-2 -1] X2 = [1000;2000] Y2 = [-2 -1] X3= [998,1999], Y3 = [-2-1] X4= , Y4=  (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2)

Step if x> 1000 if x<1000 if x>1000  if x<1000 X1 =[200;2000], Y1 = [-2 -1] X2 = [1000;2000] Y2 = [-2 -1] X3= [998,1999], Y3 = [-2;-1] X4= [200,999], Y4= [-2;-1] (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) Any further iteration would not yield any change to the values of (Xi, Yi)s: We have reached a fixed point.

Step if x> 1000 if x<1000 if x>1000 if x<1000 X1 = [1200;2000], Y1 = [-2 -1] X2= , Y2 =  X3= , Y3 =  x= , y =  (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) New initial conditions

Step if x> 1000 if x<1000 if x>1000  if x<1000 X1 =[1200;2000], Y1 = [-2 -1] X2 = [1200;2000] Y2 = [-2 -1] X3= , Y3 =  X4= , Y4=  (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2)

Step if x> 1000 if x<1000 if x>1000  if x<1000 X1 =[1200;2000], Y1 = [-2 -1] X2 = [1200;2000] Y2 = [-2 -1] X3= [1198,1999], Y3 = [-2-1] X4= , Y4=  (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2)

Step if x> 1000 if x<1000 if x>1000  if x<1000 (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) We are not finished with iterations..... X1 =[1200;2000], Y1 = [-2 -1] X2 = [1200;2000] Y2 = [-2 -1] X3= [1198,1999], Y3 = [-2-1] X4= , Y4= 

Step if x> 1000 if x<1000 if x>1000  if x<1000 (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) X1 =[1200;2000], Y1 = [-2 -1] X2 = [1198;2000] Y2 = [-2 -1] X3= [1198,1999], Y3 = [-2-1] X4= , Y4= 

Step if x> 1000 if x<1000 if x>1000  if x<1000 (X2,Y2)= (lub((X1  [1000;b]) U (X3  [1000;b])),lub(Y1UY3)) (X4,Y4)=(lub((X1  [-b;1000]) U(X3  [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) X1 =[1200;2000], Y1 = [-2 -1] X2 = [1198;2000] Y2 = [-2 -1] X3= [1196,1999], Y3 = [-2-1] X4= , Y4=  All this is going to take a while to converge towards fixed point...

Some interesting questions How can I speed up the convergence of the computations leading to a fixed point? Does the order in which I do the computation (the sequence of vertices where reachable sets are computed) have much importance? How do I automatically write the "abstracted program"?

Abstracting state spaces further {Set of all subsets of signed integer numbers between -b and b}   if x = T then x is any value if x = + then 0<x<b if x = 0 then x = 0 if x = - then -b<x<0 if x =  then  Some Rules: = T but = error = error Effect: Go from huge state-space decompositions to finite and simple state-space decomposition + U - = T o  T = o

if x> 1000 if x<1000 if x>1000  if x<1000 From program on variables to abstracted program on abstracted variables if x<1000 if x>1000  if x<1000 (X1,Y1) if x> 1000 (X2,Y2)=((X3  +)U (X1  +),Y1UY3) (X3,Y3) =(X2+Y2,Y2) (X4,Y4)=(X1UX3,Y1UY3)

if x> 1000 if x<1000 if x>1000  if x<1000 X1= +, Y1 = - Step 1 X2= , Y2 =  X3= , Y3 =  X4 = , Y4 =  (X2,Y2)=((X3  +)U (X1  +),Y1UY3) (X3,Y3) =(X2+Y2,Y2) (X4,Y4)=(X1UX3,Y1UY3)

if x> 1000 if x<1000 if x>1000  if x<1000 X1= +, Y1 = - Step 2 X2= +, Y2 = - X3= , Y3 =  X4 = , Y4 =  (X2,Y2)=((X3  +)U (X1  +),Y1UY3) (X3,Y3) =(X2+Y2,Y2) (X4,Y4)=(X1UX3,Y1UY3)

if x> 1000 if x<1000 if x>1000  if x<1000 X1= +, Y1 = - Step 3 X2= +, Y2 = - X3= T, Y3 = - X4 = , Y4 =  (X2,Y2)=((X3  +)U (X1  +),Y1UY3) (X3,Y3) =(X2+Y2,Y2) (X4,Y4)=(X1UX3,Y1UY3)

if x> 1000 if x<1000 if x>1000  if x<1000 X1= +, Y1 = - Step 4 X2= +, Y2 = - X3= T, Y3 = - X4 = T, Y4 = - (X2,Y2)=((X3  +)U (X1  +),Y1UY3) (X3,Y3) =(X2+Y2,Y2) (X4,Y4)=(X1UX3,Y1UY3)... and we have reached a fixed point....

Other motivating example In ideal world (real numbers are reals and multiplies are truly working as they should, the sequence converges to 1 for any delta and x0. But real world is populated by, well, floats, and things become more hairy. In particular, system may exhibit disgraceful behaviors, including non convergence to zero (or its vicinity). Assume we would like to “establish good behavior” of the system over a range of possible initial conditions and values of delta. Issue: Exhaustive exploration of state-space is necessary but impossible in current form. Must work at higher abstract level.

Abstraction of floats Float format (figuratively) defined as: Geometric distribution: 0 How do we prove things work over this range? Possibly LOTS of floats between f1 and f2. Abstraction: Consider the whole real interval between f1 and f2: [f1 f2]. Counterintuitive because reals are not machine representable. Simple object though – the object itself (the interval) is machine-representable. f1 f2

Working with abstractions Intuitively: But Must have some machine-representable description of where interval could “land” after “+” operation. Sounds trivial but requires monotonicity properties of ‘+’ operation over floats. In this case it’s OK. So we can write

Associativity counts… and + under floats is not associative

Back to system Must define interval for xks. Transition rules for intervals: “Abstracted transitions” So in this case we can monitor behavior of entire interval by monitoring bounds.

Nonconvergence :

Would like to “bound” possible behaviors From observations: Looks like it stays around 1. Look at behaviors of intervals in vicinity of 1. Eg pick By induction, true for all following iterations: So we know [ ] is invariant. Nonconvergence (to 1) maybe, but could that be sufficient level of precision for practical purposes?? Note analysis is for fixed delta (1e-5) – so far.

Guaranteed convergence to region of nonconvergence Fix delta and a for simplicity (you make them live in intervals for HW) Look in more detail at behavior of Need easy to analyze upper bounds for x+ and lower bounds for x- Requires abstraction of float operations (+ and x) themselves!

Abstraction of float operations

Back to problem