1 Basic abstract interpretation theory

2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter assigning meanings to programs on a suitable concrete domain (concrete computations domain) §an abstract domain modeling some properties of concrete computations and forgetting about the remaining information (abstract computations domain) §we derive an abstract semantics, which allows us to “execute” the program on the abstract domain to compute its abstract meaning, i.e., the modeled property

3 Concrete and Abstract Domains §two complete partial orders l the partial orders reflect precision smaller is better   concrete domain ( P(C), , , C, ,  ) l has the structure of a powerset we will see later why   abstract domain ( A, ,  bottom, top, lub, glb ) l each abstract value is a description of “a set of” concrete values

4 The Sign Abstract Domain   concrete domain ( P ( Z ), , C, ,  ) sets of integers   abstract domain ( Sign, ,  bot, top, lub, glb )

5 Concretization   concrete domain ( P(C), , , C, ,  )   abstract domain ( A, ,  bottom, top, lub, glb ) §the meaning of abstract values is defined by a concretization function  : A   P(C)  a  A,  (a) is the set of concrete computations described by a l that’s why the concrete domain needs to be a powerset §the concretization function must be monotonic  a 1,a 2  A, a 1  a 2 implies  (a 1 )   (a 2 ) l concretization preserves relative precision

6 Abstraction   concrete domain ( P(C), , C, ,  ),   abstract domain ( A,  bottom, top, lub, glb )  every element of P(C) should have a unique “best” (most precise) description in A this is possible if and only if A is a Moore family closed under glb l in such a case, we can define an abstraction function  : P(C)  A  c  P(C),  (c) is the best abstract description of c l the abstraction function must be monotonic  c 1,c 2  P(C), c 1  c 2 implies  (c 1 )   (c 2 ) l abstraction preserves relative precision

7 The example of Sign  Sign  (x) = , if x= bot l {y|y>0}, if x= + l {y|y  0}, if x= 0+ l {0}, if x= 0 {y|y  0}, if x= 0- l {y|y<0}, if x= - Z, if x= top  Sign  y) = glb of bot, if y=  -, if y  {y|y<0} 0-, if y  {y|y  0} 0, if y  {0} 0+, if y  {y|y  0} +, if y  {y|y  0} top, if y  Z

8 Galois connection Galois connection (insertion)  c  P(C). c  c   a  A.  a    a (  a  A.  a    a)  mutually determine each other ( P(C), , C, ,  ) ( A,  bottom, top, lub, glb )  : A   P(C) (concretization)  : P(C)  A (abstraction)  monotonic  there may be loss of information (approximation) in describing an element of P(C) by an element of A

9 Concrete semantics  the concrete semantics is defined as the least or (greatest) fixpont of a concrete semantic evaluation function F defined on the domain C l this does not necessarily mean that the semantic definition style is denotational!  F is defined in terms of primitive semantic operations f i on C  the abstract semantic evaluation function is obtained by replacing in F each concrete operation f i by a suitable abstract operation  however, since the actual concrete domain is P(C), we need first to lift the concrete semantics lfp F to a collecting semantics defined on P(C)

10 Collecting semantics  lifting lfp F to the powerset (to get the collecting semantics) is simply a conceptual operation collecting semantics = { lfp F }  we don’t need to define a brand new collecting semantic evaluation function on P(C) we just need to reason in terms of liftings of all the primitive operations (and of F ), while designing the abstract operations and establishing their properties §in the following, by abuse of notation, we will use the same notation for the standard and the collecting (“conceptually” lifted) operations

11 Abstract operations: local correctness  an abstract operator f i  defined on A is locally correct wrt a concrete operator f i if  x 1,..,x n  P(C)  f i  x 1,..,x n )  f i   x 1 ,..,  x n  l the concrete computation step is more precise than the concretization of the “corresponding” abstract computation step l a very weak requirement, which is satisfied, for example, by an abstract operator which always computes the worst abstract value top l the real issue in the design of abstract operations is therefore precision

12 Abstract operations: optimality and completeness §correctness  x 1,..,x n  P(C)  f i  x 1,..,x n )  f i   x 1 ,..,  x n  §optimality  y 1,..,y n  A . f i   y 1,..,y n )  f i   y 1 ,..,  y n  the most precise abstract operator f i  correct wrt f i l a theoretical bound and basis for the design, rather then an implementable definition §completeness (exactness or absolute precision)  x 1,..,x n  P(C)   f i  x 1,..,x n ))  f i   x 1 ,..,  x n  no loss of information,  the abstraction of the concrete computation step is exactly the same as the result of the corresponding abstract computation step

13 Abstract operations on Sign : Times Sign

14 Abstract operations on Sign : Plus Sign

15 The Sign example  Times and Plus are the usual operations lifted to P(Z)  both Times Sign and Plus Sign are optimal (hence correct)  Times Sign is also complete (no approximation)  Plus Sign is necessarily incomplete   Sign ( Times ({2},{-3})) = Times Sign (  Sign ({2}),  Sign ({-3}))   Sign ( Plus ({2},{-3}))  Plus Sign (  Sign ({2}),  Sign ({-3}))

16 From local to global correctness §the composition of locally correct abstract operations is locally correct wrt the composition of concrete operations l composition does not preserve optimality, i.e., the composition of optimal operators may be less precise than the optimal abstract version of the composition  if we obtain F   (abstract semantic evaluation function) by replacing in F every concrete semantic operation by a corresponding (locally correct) abstract operation, the local correctness property still holds  x  P(C)   F  x)  F   x))) §local correctness implies global correctness, i.e., correctness of the abstract semantics wrt the concrete one lfp F  lfp  F   gfp F  gfp  F    ( lfp F )   lfp  F   ( gfp F )   gfp  F  §the abstraction of the concrete semantics is more precise than the abstract semantics

17  ( lfp F )  lfp F  : why computing lfp F  ?  lfp F cannot be computed in finitely many steps  steps are in general required  lfp F   can be computed in finitely many steps, if the abstract domain is finite or at least noetherian l does not contain infinite increasing chains l interesting for static program analysis, where the fixpoint computation must terminate l most program properties considered in static analysis are undecidable l we accept a loss of precision (safe approximation) in order to make the analysis feasible

18 Where does the approximation come from? §incomplete abstract operators §more execution paths in the abstract semantics l the abstract state has no information to allow deterministic choices l conditionals, pattern matching, etc. §the set of resulting abstract states is transformed into a single abstract state by an abstract lub operation

19 Approximation in abstract Sign computations §concrete state [x={3}] §if x>2 then y:=3 else y:=-5; §concrete state [x={3}, y={3}] abstract state [x=+] if x>2 then y:=3 else y:=-5; –the abstract guard “can be both true and false” –we need to abstractly execute both paths –the resulting abstract states are “merged” by performing a lub on Sign abstract state [x=+,y=top]

20 Approximation in type analysis §the following ML expression is not typed by the ML’s type inference algorithm, because it always performs a lub operation in the conditional if true then 3 else true even when the guard is valid or unsatisfiable in the abstract state

21 Applications of Abstract Interpretation §comparative semantics l a technique to reason about semantics at different level of abstraction non-noetherian abstract domain abstraction without approximation (completeness)  ( lfp F )  lfp F  §static analysis = effective computation of the abstract semantics l if the abstract domain is noetherian and the abstract operations are computationally feasible l if the abstract domain is non-noetherian or if the fixpoint computation is too complex use widening operators –which effectively compute an (upper) approximation of lfp F  »one example later

22 The abstract interpretation framework  ( P(C), , C, ,  ) (concrete domain )  ( A,  bottom, top, lub, glb ) (abstract domain )  : A   P(C) monotonic (concretization function)  : P(C)  A monotonic (abstraction function)  x  P(C)  x  x   y  A.  y    y (Galois connection)   f i   f i   |  x 1,..,x n  P(C)  f i  x 1,..,x n )  f i   x 1 ,..,  x n  (local correctness) §critical choices l the abstract domain to model the property l the (possibly optimal) correct abstract operations

23 Other approaches and extensions §there exist weaker versions of abstract interpretation l without Galois connections (e.g., concretization function only) l based on approximation operators (widening, narrowing) l without explicit abstract domain (closure operators) §the theory provides also several results on abstract domain design l how to combine domains l how to improve the precision of a domain l how to transform an abstract domain into a complete one l …... l we will look at some of these results in the last lecture