1 Iterative Program Analysis Abstract Interpretation Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis Chapter 4 CC79, CC92

Outline u Reminder Chaotic Iterations u The abstract interpretation technique –Relating Concrete and Abstract Interpretation –More examples –Precision u Later –Backward analysis –Complexity –Widening and Narrowing –Shape Analysis

Specialized Chaotic Iterations System of Equations S = df entry [s] =  df entry [v] =  {f(u, v) (df entry [u]) | (u, v)  E } F S :L n  L n F S (X)[s] =  F S (X)[v] =  {f(u, v)(X[u]) | (u, v)  E } lfp(S) = lfp(F S )

Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: Lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  df[s] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if e x  0 then e else   e. e  [x  1, y , z  ]  e. if e x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e  [x  0, y  0, z  0] WLdf entry ]v] {1} {2} df[2]:=[x  0, y  0, z  3] {3} df[3]:=[x  1, y  0, z  3] {4} df[4]:=[x  1, y  0, z  3] {5} df[5]:=[x  1, y  0, z  3] {7} df[7]:=[x  1, y  7, z  3] {8} df[8]:=[x  3, y  7, z  3] {3} df[3]:=[x , y , z  3] {4} df[4]:=[x , y , z  3] {5,6} df[5]:=[x  1, y , z  3] {6,7} df[6]:=[x , y , z  3] {7} df[7]:=[x , y  7, z  3]

The Abstract Interpretation Technique (Cousot & Cousot) u The foundation of program analysis u Defines the meaning of the information computed by static tools u A mathematical framework u Allows proving that an analysis is sound in a local way u Identify design bugs u Understand where precision is lost u New analysis from old u Not limited to certain programming style

Abstract (Conservative) interpretation abstract representation Set of states abstraction Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states abstract representation 

Abstract (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation concretization Operational semantics statement s Set of states 

  Abstract Abstract Interpretation Concrete  Sets of stores Descriptors of sets of stores 

Galois Connections u Lattices C and A and functions  : C  A and  : A  C u The pair of functions ( ,  ) form Galois connection if –  and  are monotone –  a  A »  (  (a))  a –  c  C »c   (  (C)) u Alternatively if:  c  C  a  A  (c)  a iff c   (a) u  and  uniquely determine each other

The Abstraction Function (CP) u Map collecting states into constants u The abstraction of an individual state  CP :[Var *  Z]  [Var *  Z  { ,  }]  CP (  ) =  u The abstraction of set of states  CP :P([Var *  Z])  [Var *  Z  { ,  }]  CP (CS) =  {  CP (  ) |   CS} =  {  |   CS} u Soundness  CP (Reach (v))  df(v) u Completeness

The Concretization Function u Map constants into collecting states u The formal meaning of constants u The concretization  CP : [Var *  Z  { ,  }]  P([Var *  Z])  CP (df) = {  |  CP (  )  df} = {  |   df} u Soundness Reach (v)   CP (df(v)) u Completeness

Galois Connection Constant Propagation u  CP is monotone u  CP is monotone u  df  [Var *  Z  { ,  }] –  CP (  CP (df))  df u  c  P([Var *  Z]) –c CP   CP (  CP (C))

Upper Closures u Define abstractions on sets of concrete states u  : P(  )  P(  ) such that –  is monotone, i.e., X  Y   X   Y –  is extensive, i.e.,  X  X –  is closure, i.e.,  (  X) =  X u Every Galois connection defines an upper closure

Proof of Soundness u Define an “appropriate” operational semantics u Define “collecting” structural operational semantics u Establish a Galois connection between collecting states and abstract states u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound

Collecting Semantics u The input state is not known at compile-time u “Collect” all the states for all possible inputs to the program u No lost of precision

A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) {[x  0, y  0, z  0]} {[x  1, y  0, z  3]} {[x  1, y  0, z  3], [x  3, y  0, z  3],} {[x  0, y  0, z  3]} {[x  1, y  7, z  3], [x  3, y  7, z  3]} {[x  3, y  7, z  3]}

Another Example x= 0 while (true) do x = x +1

An “Iterative” Definition u Generate a system of monotone equations u The least solution is well-defined u The least solution is the collecting interpretation u But may not be computable

Equations Generated for Collecting Interpretation u Equations for elementary statements –[skip] CS exit (1) = CS entry (l) –[b] CS exit (1) = {  :   CS entry (l),  b   =tt} –[x := a] CS exit (1) = { (s[x  A  a  s]) | s  CS entry (l)} u Equations for control flow constructs CS entry (l) =  CS exit (l’) l’ immediately precedes l in the control flow graph u An equation for the entry CS entry (1) = {  |   Var *  Z }

Specialized Chaotic Iterations System of Equations (Collecting Semantics) S = CS entry [s] ={  0 } CS entry [v] =  {f(e)(CS entry [u]) | (u, v)  E } where f(e) = X. {  st(e)   |  X} for atomic statements f(e) = X.{  |  b(e)   =tt } F S :L n  L n F s (X)[v] =  {f(e)[u] | (u, v)  E } lfp(S) = lfp(F S )

The Least Solution u 2n sets of equations CS entry (1), …, CS entry (n), CS exit (1), …, CS exit (n) u Can be written in vectorial form u The least solution lfp(F cs ) is well-defined u Every component is minimal u Since F cs is monotone such a solution always exists u CS entry (v) = {s|  s 0 |  * (S’, s)), init(S’)=v} u Simplify the soundness criteria

  f(  ) f(  ) f2()f2() f2()f2() f(x)=x f(x)  x f(x)  x gfp(f) lfp(f)   f#()f#() f#()f#() f #2 (  ) f #2 (  ) f # (y)=y f # (y)  y f # (y)  y gfp(f # ) lfp(f # )   a: f(  (a))   (f # (a))

Finite Height Case  f#f# f#f# Lfp(f # )   f   f f#f# Lfp(f)  f  

Soundness Theorem(1) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A: f(  (a))   (f # (a)) lfp(f)   (lfp(f # ))  (lfp(f))  lfp(f # )

Soundness Theorem(2) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  c  C:  (f(c))  f # (  (c))  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

Soundness Theorem(3) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A:  (f(  (a)))  f # (a)  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

Proof of Soundness (Summary) u Define an “appropriate” structural operational semantics u Define “collecting” structural operational semantics u Establish a Galois connection between collecting states and reaching definitions u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound

Completeness  (lfp(f)) = lfp(f # ) lfp(f) =  (lfp(f # ))

Constant Propagation u  : [Var  Z]  [Var  Z  { ,  }] –  (  ) = (  ) u  : P([Var  Z])  [Var  Z  { ,  }] –  (X) =  {  (  ) |  X} =  {  |  X} u  :[Var  Z  { ,  }]  P([Var  Z]) –  (  # ) = {  |  (  )   # } = {  |    # } u Local Soundness –   st  # (  # )   ({   st   |    (  # ) =  {   st   |    # } u Optimality (Induced) –   st  # (  # ) =  ({   st   |   (  # )} =  {   st   |    # } u Soundness u Completeness

Summary u Abstract interpretation Connects Abstract and Concrete Semantics u Galois Connection u Local Correctness u Global Correctness