Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 9: Abstract Interpretation I Roman Manevich Ben-Gurion University.

Tentative syllabus
Semantics: Natural Semantics, Structural semantics, Axiomatic Verification
Static Analysis: Automating Hoare Logic, Control Flow Graphs, Equation Systems, Collecting Semantics
Abstract Interpretation fundamentals: Lattices, Fixed-Points, Chaotic Iteration, Galois Connections, Domain constructors, Widening/Narrowing
Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR
Crafting your own: Soot, From proofs to abstractions, Systematically developing transformers

Collecting semantics in equational form
A vector of variables R[0, …, k], one per input/output of a node
– R[0] is for entry
For node n with multiple predecessors add equation R[n] = ⋃ {R[k] | k is a predecessor of n}
For an atomic operation node R[m] S R[n] add equation R[n] = ⟦S⟧ R[m]
Transform if b then S1 else S2 to (assume b; S1) or (assume ¬b; S2)
[Figure: control-flow graph of "if x > 0 then x := x-1" between entry and exit, with variables R[0], R[1], R[2], R[3], R[4] attached to its nodes]

Agenda
Semantic domains
– Preorders
– Partial orders (posets)
– Pointed posets
– Ascending/descending chains
– The height of a poset
– Join and Meet operators
– Complete lattices
– Constructing new lattices from old
(Appendix A)

Abstract interpretation theory [1977]
[Image: by Rama (own work), CC-BY-SA-2.0-fr, via Wikimedia Commons]

Abstract Interpretation [CC77]
A very general mathematical framework for approximating semantics
– Generalizes Hoare Logic
– Generalizes weakest precondition calculus
Allows designing sound static analysis algorithms
– Usually compute by iterating to a fixed-point
– Not specific to any programming language style
Results of an abstract interpretation are (loop) invariants
– Can be interpreted as axiomatic verification assertions and used for verification

Annotating programs
Annotate(P, S) =
  case S is x:=aexpr
    return {P} x:=aexpr {F*[x:=aexpr] P}
  case S is S1; S2
    let Annotate(P, S1) be {P} A1 {Q1}
    let Annotate(Q1, S2) be {Q1} A2 {Q2}
    return {P} A1; {Q1} A2 {Q2}
  case S is if bexpr then S1 else S2
    let Pt = F[assume bexpr] P
    let Pf = F[assume ¬bexpr] P
    let Annotate(Pt, S1) be {Pt} A1 {Q1}
    let Annotate(Pf, S2) be {Pf} A2 {Q2}
    return {P} if bexpr then {Pt} A1 {Q1} else {Pf} A2 {Q2} {Q1 ⊔ Q2}
  case S is while bexpr do S
    N := Nc := P   // Initialize
    repeat
      let Pt = F[assume bexpr] Nc
      let Annotate(Pt, S) be {Nc} Abody {N}
      Nc := Nc ⊔ N
    until N = Nc
    return {P} INV={N} while bexpr do {Pt} Abody {F[assume ¬bexpr](N)}
Side notes:
– Approximates concrete semantics: sp(x:=aexpr, P) ⇒ F*[x:=aexpr]
– ⊔ approximates disjunction
– Consequence rule [cons_p]: from {P'} S {Q'} infer {P} S {Q} if P ⇒ P' and Q' ⇒ Q

The big picture
Use semantic domains to define both concrete semantics and abstract semantics
Relate semantics in a sound way
Interpret program over abstract semantics
[Figure: the collecting semantics takes a set of states through statement S to a set of states; the abstract semantics takes an abstract representation of sets of states through S to another abstract representation; "abstraction" arrows go from sets of states to their abstract representation and "meaning" arrows go back]

A theory of semantic domains
1. Approximating elements
2. Approximating sets of elements
[Image: by Brett Jordan / David Macdonald, CC-BY-2.0, via Wikimedia Commons]

Overall idea
A semantic domain can be used to define properties (representations of predicates)
– Also called abstract states
Common representations
– Logical formulas
– Automata
– Specialized graphs

A taxonomy of semantic domain types
Complete lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤)
Lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤)
Join semilattice (D, ⊑, ⊔, ⊥)
Meet semilattice (D, ⊑, ⊓, ⊤)
Complete partial order (CPO) (D, ⊑, ⊥)
Partial order (poset) (D, ⊑)
Preorder (D, ⊑)

Preorders

Preorder
Let D be a set of elements
We say that a binary order relation ⊑ over D is a preorder if the following conditions hold for every d, d', d'' ∈ D
– Reflexive: d ⊑ d
– Transitive: d ⊑ d' and d' ⊑ d'' implies d ⊑ d''
There may exist d, d' such that d ⊑ d' and d' ⊑ d yet d ≠ d'

Preorder examples: SAV-predicates
– SAV-factoids Φ = { x = y | x, y ∈ Var } ∪ { x = y + z | x, y, z ∈ Var }
– SAV-predicates Π = 2^Φ
– Order relation 1: P1 ⊑set P2 iff P1 ⊇ P2
– Order relation 2: P1 ⊑imp P2 iff P1 ⇒ P2
– Which order relation is stronger (contains more pairs)?
– Which order relation is easier to check?
– What if both P1 and P2 are in the image of reduce?

SAV preorder 1: P1 ⊑set P2 iff P1 ⊇ P2
[Figure: Hasse diagram for Var = {x, y}: {} at the top; below it the singletons {x=y}, {y=x}, {x=x+x}, {y=y+y}, {y=x+y}, {y=y+x}, {x=x+y}, {x=y+x}; below them pairs such as {x=y, y=x}, {x=y, x=x+x}, {x=x+y, x=y+x}, then triples such as {x=y, x=x+x, x=x+y}, …, down to the full set {x=y, y=x, x=x+x, y=y+y, y=x+y, y=y+x, x=x+y, x=y+x} at the bottom]

SAV preorder 2: P1 ⊑imp P2 iff P1 ⇒ P2
[Figure: the same elements as in the ⊑set diagram for Var = {x, y}, now ordered by implication instead of set inclusion; pairs such as {x=y, y=x} and {x=y, x=x+x} appear among the elements]

Preorder examples: CP-predicates
– CP-factoids Φ = { x = c | x ∈ Var, c ∈ Z }
– CP-predicates Π = 2^Φ
– Order relation 1: P1 ⊑set P2 iff P1 ⊇ P2
– Order relation 2: P1 ⊑imp P2 iff P1 ⇒ P2
– Is there a difference?
  {x=5, x=7, x=9} ⊑set {x=5, x=7}
  {x=5, x=7, x=9} ⊑imp {x=5, x=7}
  {x=5, x=7} ⊑imp {x=5, x=7, x=9}

CP preorder example
[Figure: Hasse diagram for Var = {x}: {} at the top, with the singletons {x=-3}, {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, {x=3}, … below it]

CP preorder example
[Figure: Hasse diagram for Var = {x, y}: {} at the top; singletons {x=-3}, {x=0}, {x=3}, {y=-5}, {y=0}, {y=36}, … below it; below them pairs {x=-3, y=-5}, {x=0, y=0}, {x=3, y=36}, …]

The problem with preorders
Equivalent elements have different representations
– {x=y, x=a+b} S {Q}
– {x=y, y=a+b} S {Q'}
Leads to unpredictability
Which result should our static analysis give?

The problem with preorders
Equivalent elements have different representations
– {x=y, x=a+b} assume y ≠ a+b {x=y, x=a+b}
– {x=y, y=a+b} assume y ≠ a+b {false}
Leads to unpredictability
Which result should our static analysis give?

The problem with preorders
Equivalent elements have different representations
– {x=y, x=a+b} assume x ≠ a+b {false}
– {x=y, y=a+b} assume x ≠ a+b {x=y, x=a+b}
Leads to unpredictability
Which result should our static analysis give?
May turn a terminating analysis into a non-terminating one
In practice many static analyses still use preorders (taking extreme care to ensure termination)

Partial orders

Partially ordered sets (partial orders)
A partially ordered set (Poset for short) is a pair (D, ⊑)
D is a set of elements – a semantic domain
⊑ is a partial order between pairs of elements from D. That is, ⊑ ⊆ D × D with the following properties, for all d, d', d'' in D
– Reflexive: d ⊑ d
– Transitive: d ⊑ d' and d' ⊑ d'' implies d ⊑ d''
– Anti-symmetric: d ⊑ d' and d' ⊑ d implies d = d'
If d ⊑ d' and d ≠ d' we write d ⊏ d'
(Makes it easier to choose the best element)

SAV partial order
SAV-predicates
– SAV-factoids Φ = { x = y | x, y ∈ Var } ∪ { x = y + z | x, y, z ∈ Var }
– SAV-predicates Π = 2^Φ
Order relation 1: P1 ⊑set P2 iff P1 ⊇ P2. Is this a partial order?
Order relation 2: P1 ⊑imp P2 iff P1 ⇒ P2, that is models(P1) ⊆ models(P2). Is this a partial order?
Order relation 3: P1 ⊑set* P2 iff reduce(P1) ⊑set reduce(P2). Is this a partial order?

CP partial order
CP-predicates
– CP-factoids Φ = { x = c | x ∈ Var, c ∈ Z }
– CP-predicates Π = 2^Φ
Order relation 1: P1 ⊑set P2 iff P1 ⊇ P2. Is it a partial order?
Order relation 2: P1 ⊑imp P2 iff P1 ⇒ P2. Is it a partial order?
Can we define a more precise partial order?

CP partial order
CP-predicates
– CP-factoids Φ = { x = c | x ∈ Var, c ∈ Z }
– CP-predicates Π = 2^Φ ∪ {false}
– Define reduce : 2^Φ → 2^Φ
  reduce(P) = if exists {x=c1, x=c2} ⊆ P then {false} else P
– Πfalse = { P ∈ 2^Φ | P = reduce(P) } ∪ {false}
Order relation: P1 ⊑ P2 if P1 ⊇ P2 or P1 = {false}
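To make the difference between the two CP orders and the reduced order concrete, here is an added example that is not part of the lecture: it enumerates every CP-predicate over a constructed, finite universe (variables x and y, constants 0 and 1, so that models() is computable), checks reflexivity, transitivity and anti-symmetry of ⊑set, ⊑imp and the order on Πfalse, and exhibits the witness that makes ⊑imp only a preorder on raw predicates. The names VAR, CONSTS, FALSE and the helper functions are this example's own.

```python
# Added example (not from the lecture): constant-propagation (CP) predicates as sets
# of factoids x=c, compared under the orders defined on the slides:
#   P1 <=set P2  iff  P1 is a superset of P2
#   P1 <=imp P2  iff  P1 implies P2 (every model of P1 is a model of P2)
# and, after reduce(), the order on Pi_false: P1 <= P2 iff P1 is a superset of P2 or P1 = false.
# The variables and the tiny constant range are constructed so the predicate space is
# enumerable; the properties checked are the same ones the slides ask about over Z.
from functools import lru_cache
from itertools import product

VAR = ("x", "y")
CONSTS = (0, 1)
FALSE = "false"                      # the extra bottom element of Pi_false

def all_predicates():
    """Every CP-predicate over VAR x CONSTS: each subset of the factoid set Phi."""
    phi = [(v, c) for v in VAR for c in CONSTS]
    return [frozenset(f for i, f in enumerate(phi) if mask >> i & 1)
            for mask in range(1 << len(phi))]

@lru_cache(maxsize=None)
def models(P):
    """Assignments VAR -> CONSTS that satisfy every factoid in P."""
    return frozenset(vals for vals in product(CONSTS, repeat=len(VAR))
                     if all(dict(zip(VAR, vals))[v] == c for (v, c) in P))

def leq_set(P1, P2):
    return P1 >= P2                   # more factoids = more precise = lower

def leq_imp(P1, P2):
    return models(P1) <= models(P2)

def reduce_cp(P):
    """Collapse a predicate that asserts two different constants for one variable to false."""
    seen = {}
    for (v, c) in P:
        seen.setdefault(v, set()).add(c)
    return FALSE if any(len(cs) > 1 for cs in seen.values()) else P

def reduced_domain():
    """Pi_false: the predicates fixed by reduce, plus the element false."""
    return sorted({reduce_cp(P) for P in all_predicates()}, key=str)

def leq_reduced(P1, P2):
    if P1 == FALSE:
        return True
    if P2 == FALSE:
        return False
    return P1 >= P2

def order_properties(elements, leq):
    """(reflexive, transitive, anti-symmetric): a preorder needs the first two,
    a partial order needs all three."""
    E = elements
    reflexive = all(leq(a, a) for a in E)
    transitive = all(leq(a, c) for a in E for b in E for c in E if leq(a, b) and leq(b, c))
    antisym = all(a == b for a in E for b in E if leq(a, b) and leq(b, a))
    return reflexive, transitive, antisym

def witness():
    """Two different but equivalent (both unsatisfiable) predicates: <=imp relates
    them in both directions, <=set in one, and reduce() identifies them."""
    P1 = frozenset({("x", 0), ("x", 1)})
    P2 = frozenset({("x", 0), ("x", 1), ("y", 0)})
    return {"set": (leq_set(P1, P2), leq_set(P2, P1)),
            "imp": (leq_imp(P1, P2), leq_imp(P2, P1)),
            "reduced": (reduce_cp(P1), reduce_cp(P2))}
```

Running order_properties over all 16 predicates shows ⊑set is a partial order, ⊑imp is reflexive and transitive but not anti-symmetric (the two unsatisfiable predicates in witness() are each below the other yet differ), and the reduced domain with leq_reduced is a partial order again, which is exactly what an analysis needs to give one canonical answer per state.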

Pointed poset
A poset (D, ⊑) with a least element ⊥ is called a pointed poset
– For all d ∈ D we have that ⊥ ⊑ d
The pointed poset is denoted by (D, ⊑, ⊥)
We can always transform a poset (D, ⊑) into a pointed poset by adding a special bottom element: (D ∪ {⊥}, ⊑ ∪ {⊥ ⊑ d | d ∈ D}, ⊥)
Example: Πfalse = { P ∈ 2^Φ | P = reduce(P) } ∪ {false}

Chains

Chains
If d ⊑ d' and d ≠ d' we write d ⊏ d'
Similarly define d ⊐ d'
Let (D, ⊑) be a poset
An ascending chain is a sequence x1 ⊏ x2 ⊏ … ⊏ xk …
A descending chain is a sequence x1 ⊐ x2 ⊐ … ⊐ xk …
The height of a poset is the length of the maximal ascending chain
– What is the height of the SAV poset?
– What is the height of the CP poset?

Ascending chain example
[Figure: the signs lattice for x (false at the bottom; x<0, x=0, x>0; x≤0, x≥0; true at the top), used to illustrate an ascending chain]

Joining elements
[Image: by Viviana Pastor (originally posted to Flickr as Harbour Bridge 1), CC-BY-2.0, via Wikimedia Commons]

Bounds
Let (D, ⊑) be a poset
Let X ⊆ D be a set of elements from D
An element d ∈ D is an upper bound (ub) of X iff for every x ∈ X we have that x ⊑ d
An element d ∈ D is a lower bound (lb) of X iff for every x ∈ X we have that d ⊑ x
An element d ∈ D is the least upper bound (lub) of X iff d is the minimal of all upper bounds of X
An element d ∈ D is the greatest lower bound (glb) of X iff d is the maximal of all lower bounds of X

Bounds example
[Figure: the signs lattice (for variable x): false at the bottom; x<0, x=0, x>0 above it; x≤0, x≥0 above those; true at the top]

x ≤ 0 and true are upper bounds
[Figure: the same signs lattice, with x≤0 and true highlighted]

x ≤ 0 is the least upper bound
[Figure: the same signs lattice, with x≤0 highlighted]

Join (confluence) operator
Assume a poset (D, ⊑)
Let X ⊆ D be a subset of D (finite/infinite)
The join of X is defined as
– ⊔X = the least upper bound (LUB) of all elements in X, if it exists
– ⊔X = min⊑ { b | for all x ∈ X we have that x ⊑ b }
– The supremum of the elements in X
– A kind of abstract union (disjunction) operator
Properties of a join operator
– Commutative: x ⊔ y = y ⊔ x
– Associative: (x ⊔ y) ⊔ z = x ⊔ (y ⊔ z)
– Idempotent: x ⊔ x = x
x ⊔ y = y iff x ⊑ y

Properties of join
Can be used to define the partial order: x ⊔ y = y iff x ⊑ y
Monotone: if y ⊑ z then (x ⊔ y) ⊑ (x ⊔ z)
⊥ ⊔ x = x
⊤ ⊔ x = ⊤

Meet operator
Assume a poset (D, ⊑)
Let X ⊆ D be a subset of D (finite/infinite)
The meet of X is defined as
– ⊓X = the greatest lower bound (GLB) of all elements in X, if it exists
– ⊓X = max⊑ { b | for all x ∈ X we have that b ⊑ x }
– The infimum of the elements in X
– A kind of abstract intersection (conjunction) operator
Properties of a meet operator
– Commutative: x ⊓ y = y ⊓ x
– Associative: (x ⊓ y) ⊓ z = x ⊓ (y ⊓ z)
– Idempotent: x ⊓ x = x

Complete partial orders

Complete partial order (CPO)
A CPO is a partial order where each ascending chain has a supremum

Lattices

Complete lattice
A complete lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤) is
A set of elements D
A partial order x ⊑ y
A join operator ⊔
A meet operator ⊓

Join semilattice
A join semilattice (D, ⊑, ⊔, ⊥) is
A set of elements D with ⊥
A partial order x ⊑ y
A join operator ⊔

Meet semilattice
A meet semilattice (D, ⊑, ⊓, ⊤) is
A set of elements D with ⊤
A partial order x ⊑ y
A meet operator ⊓

Powerset lattices
For a set of elements X we define the powerset lattice for X as (2^X, ⊆, ∪, ∩, ∅, X)
– Notice it is a complete lattice
For a set of program states State, we define the collecting lattice (2^State, ⊆, ∪, ∩, ∅, State)

Composing lattices

One lattice per variable
[Figure: two copies of the signs lattice side by side, one for x (false; x<0, x=0, x>0; x≤0, x≥0; true) and one for y (false; y<0, y=0, y>0; y≤0, y≥0; true)]
How can we compose them?

Cartesian product

Cartesian product of complete lattices
For two complete lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
Define the poset Lcart = (D1 × D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart) as follows:
– (x1, x2) ⊑cart (y1, y2) iff x1 ⊑1 y1 and x2 ⊑2 y2
– ⊔cart = ? ⊓cart = ? ⊥cart = ? ⊤cart = ?
Lemma: Lcart is a complete lattice
Define the Cartesian constructor Lcart = Cart(L1, L2)

Cartesian product example
[Figure: Hasse diagram of Cart(signs lattice for x, signs lattice for y): (false, false) at the bottom; pairs such as (x<0,y<0), (x<0,y=0), (x=0,y<0), (x=0,y=0), (x=0,y>0), (x>0,y<0), (x>0,y=0), (x>0,y>0); above them pairs with one or both components weakened, e.g. (x≤0,y<0), (x≥0,y=0), (x>0,y≥0), (x≤0,y≥0), (x≤0,true), (true,y≥0), …; also elements such as (x<0, false) and (false, y>0); (true, true) at the top]
How does it represent (x 0  y>0)?

Disjunctive completion

Disjunctive completion
For a complete lattice L = (D, ⊑, ⊔, ⊓, ⊥, ⊤)
Define the powerset lattice L∨ = (2^D, ⊑∨, ⊔∨, ⊓∨, ⊥∨, ⊤∨)
⊑∨ = ? ⊔∨ = ? ⊓∨ = ? ⊥∨ = ? ⊤∨ = ?
Lemma: L∨ is a complete lattice
L∨ contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
Define the disjunctive completion constructor L∨ = Disj(L)

The base lattice CPfalse
[Figure: true at the top; {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, … in the middle; false at the bottom]

The disjunctive completion of CPfalse
[Figure: true at the top and false at the bottom; singletons {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …; above them two-element disjunctions {x=-2 ∨ x=-1}, {x=-2 ∨ x=0}, {x=-2 ∨ x=1}, {x=1 ∨ x=2}, …; then three-element ones such as {x=0 ∨ x=1 ∨ x=2}, {x=-1 ∨ x=1 ∨ x=-2}, …]
What is the height of this lattice?

The disjunctive completion of CPfalse
[Figure: the same lattice (true, false, singletons {x=-2}, {x=-1}, {x=0}, {x=1}, {x=2}, …, finite disjunctions {x=-2 ∨ x=-1}, …, {x=0 ∨ x=1 ∨ x=2}, …), now also showing elements that are infinite disjunctions, such as {x is even}, {x is odd}, {x is prime}, …]
What is the height of this lattice?

Relational product

Relational product of lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
Lrel = (2^(D1 × D2), ⊑rel, ⊔rel, ⊓rel, ⊥rel, ⊤rel) as follows:
– Lrel = ?

Relational product of lattices
L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
Lrel = (2^(D1 × D2), ⊑rel, ⊔rel, ⊓rel, ⊥rel, ⊤rel) as follows:
– Lrel = Disj(Cart(L1, L2))
Lemma: Lrel is a complete lattice
What does it buy us?
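The following added example (written for this page, not the lecture's own code) serves two of the slides above at once: the definitions of join and meet as least upper bound and greatest lower bound, and the Cartesian and relational product constructors. It implements a finite lattice whose ⊔ and ⊓ are found by searching the upper and lower bounds exactly as the definitions state, checks the listed join properties on a signs lattice, confirms that ⊔cart is computed componentwise, and shows what the relational product buys: a disjunction of two pairs that Cart(L1, L2) can only hold as (true, true). The element names ("<0", "<=0", …), the class FiniteLattice and the sample predicate are constructed for this example.

```python
# Added example (not the lecture's code): a tiny finite-lattice toolkit that computes
# join and meet directly from the slide definitions (lub = least of the upper bounds,
# glb = greatest of the lower bounds), instantiated with a signs lattice, then used
# to build Cart(L1, L2) and to contrast it with Disj(Cart(L1, L2)).
from itertools import product

class FiniteLattice:
    """A finite poset (D, leq) whose bounds are found by search; raises if a bound is missing."""
    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq

    def lub(self, X):
        X = list(X)
        ubs = [b for b in self.elements if all(self.leq(x, b) for x in X)]
        least = [b for b in ubs if all(self.leq(b, c) for c in ubs)]
        if len(least) != 1:
            raise ValueError("no least upper bound for %r" % X)
        return least[0]

    def glb(self, X):
        X = list(X)
        lbs = [b for b in self.elements if all(self.leq(b, x) for x in X)]
        greatest = [b for b in lbs if all(self.leq(c, b) for c in lbs)]
        if len(greatest) != 1:
            raise ValueError("no greatest lower bound for %r" % X)
        return greatest[0]

    def join(self, x, y): return self.lub([x, y])
    def meet(self, x, y): return self.glb([x, y])
    def bottom(self): return self.lub([])     # lub of the empty set is the least element
    def top(self): return self.glb([])        # glb of the empty set is the greatest element

    def is_lattice(self):
        """Finite case: a complete lattice iff every pair has a join and a meet."""
        try:
            for a in self.elements:
                for b in self.elements:
                    self.join(a, b)
                    self.meet(a, b)
        except ValueError:
            return False
        return True

    def join_properties_hold(self):
        """Commutative, associative, idempotent, and (x join y = y) iff x leq y."""
        E = self.elements
        return (all(self.join(a, b) == self.join(b, a) for a in E for b in E)
                and all(self.join(self.join(a, b), c) == self.join(a, self.join(b, c))
                        for a in E for b in E for c in E)
                and all(self.join(a, a) == a for a in E)
                and all((self.join(a, b) == b) == self.leq(a, b) for a in E for b in E))

# The signs lattice for one variable: each element is named by the concrete sign
# classes it stands for.  "!= 0" is not an element, so the join of "<0" and ">0"
# has to climb all the way to "true".
SIGNS = {"false": frozenset(), "<0": frozenset("-"), "=0": frozenset("0"),
         ">0": frozenset("+"), "<=0": frozenset("-0"), ">=0": frozenset("0+"),
         "true": frozenset("-0+")}
signs = FiniteLattice(SIGNS, lambda a, b: SIGNS[a] <= SIGNS[b])

def cartesian(L1, L2):
    """Cart(L1, L2): pairs ordered componentwise; the search then finds the componentwise join."""
    pairs = list(product(L1.elements, L2.elements))
    return FiniteLattice(pairs, lambda p, q: L1.leq(p[0], q[0]) and L2.leq(p[1], q[1]))

def cart_join_is_componentwise(L1, L2):
    C = cartesian(L1, L2)
    return all(C.join(p, q) == (L1.join(p[0], q[0]), L2.join(p[1], q[1]))
               for p in C.elements for q in C.elements)

def relational_join(A, B):
    """Disj(Cart(L1, L2)) is the powerset lattice over pairs: its join is plain set union."""
    return frozenset(A) | frozenset(B)

def precision_demo():
    """Constructed predicate (x<0 and y>0) or (x>0 and y<0): the relational element keeps
    both cases, while the best Cartesian element is their join, which says nothing."""
    C = cartesian(signs, signs)
    cases = [("<0", ">0"), (">0", "<0")]
    return {"relational": relational_join([cases[0]], [cases[1]]),
            "cartesian": C.lub(cases)}
```

The search-based lub is deliberately naive: it is the definition on the slide turned into code, so it also answers "is this a lattice?" by failing (is_lattice returns False for a poset with two incomparable maximal elements and no top). For real domains one replaces it with the closed-form join, and cart_join_is_componentwise is the check that the closed form for Cart(L1, L2) is indeed (⊔1, ⊔2) applied componentwise.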

Cartesian product example
How does it represent (x 0  y>0)?
What is the height of this lattice?
[Figure: the Cartesian product of the two signs lattices again, from (false, false) at the bottom through pairs such as (x<0,y<0), (x=0,y=0), (x>0,y>0), (x≤0,y<0), (x>0,y≥0), (x≤0,true), (true,y≥0), (x<0,false), (false,y>0), … up to (true, true) at the top]

Relational product example
[Figure: the relational product of the two signs lattices: false at the bottom, true at the top, and elements such as (x 0  y>0), (x 0  y=0), (x<0  y  0)  (x<0  y  0), … in between]
How does it represent (x 0  y>0)?
What is the height of this lattice?

A lattice for collecting semantics

Collecting semantics
[Figure: the program
  label0: if x <= 0 goto label1
          x := x – 1
          goto label0
  label1:
shown as a control-flow graph (entry; if x > 0; x := x-1; exit), with the sets of states reaching each node written out as [x↦1], [x↦2], [x↦3], …, [x↦0], [x↦-1], [x↦-2], …]

Defining the collecting semantics
How should we represent the set of states at a single control-flow node by a lattice?
How should we represent the sets of states at all control-flow nodes by a lattice?

Finite maps
For a complete lattice L = (D, ⊑, ⊔, ⊓, ⊥, ⊤) and finite set V
Define the poset L_{V→L} = (V → D, ⊑_{V→L}, ⊔_{V→L}, ⊓_{V→L}, ⊥_{V→L}, ⊤_{V→L}) as follows:
– f1 ⊑_{V→L} f2 iff for all v ∈ V, f1(v) ⊑ f2(v)
– ⊔_{V→L} = ? ⊓_{V→L} = ? ⊥_{V→L} = ? ⊤_{V→L} = ?
Lemma: L_{V→L} is a complete lattice
Define the map constructor L_{V→L} = Map(V, L)

The collecting lattice
Lattice for a given control-flow node v: ?
Lattice for entire control-flow graph with nodes V: ?
We will use this lattice as a baseline for static analysis and define abstractions of its elements

The collecting lattice
Lattice for a given control-flow node v: Lv = (2^State, ⊆, ∪, ∩, ∅, State)
Lattice for entire control-flow graph with nodes V: LCFG = Map(V, Lv)
We will use this lattice as a baseline for static analysis and define abstractions of its elements

Equational definition of the semantics
Define variables of type set of states for each control-flow node
Define constraints between them
[Figure: control-flow graph of the loop "if x > 0 then x := x-1 and repeat" between entry and exit, with variables R[entry], R[2], R[3], R[exit] attached to its nodes]

Equational definition of the semantics
R[2] = R[entry] ∪ ⟦x:=x-1⟧ R[3]
R[3] = ⟦assume x>0⟧ R[2]
R[exit] = ⟦assume x≤0⟧ R[2]
A recursive system of equations
How can we approximate it using what we have learned so far?
[Figure: the same control-flow graph with R[entry], R[2], R[3], R[exit]]

An abstract semantics
R[2] = R[entry] ⊔ ⟦x:=x-1⟧# R[3]
R[3] = ⟦assume x>0⟧# R[2]
R[exit] = ⟦assume x≤0⟧# R[2]
A recursive system of equations
(⟦x:=x-1⟧# is the abstract transformer for x:=x-1)
[Figure: the same control-flow graph with R[entry], R[2], R[3], R[exit]]

The meaning of sound analysis result
R[2] ⊒ R[entry] ⊔ ⟦x:=x-1⟧# R[3]
R[3] ⊒ ⟦assume x>0⟧# R[2]
R[exit] ⊒ ⟦assume x≤0⟧# R[2]
A recursive system of inequations
[Figure: the same control-flow graph with R[entry], R[2], R[3], R[exit]]
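As an added example that is not part of the lecture, the equation system of the last three slides is solved in code: once in the collecting lattice (sets of concrete values of x, joined by ∪) and once in a constructed abstract domain, sets of sign classes {neg, zero, pos} (the disjunctive completion of three sign predicates, so ⊔ is set union and ⊑ is ⊆). The solver is the repeat/until of the while case of Annotate applied to all unknowns at once, starting from ⊥; the dictionary node → element is an instance of Map(V, L). The initial states, the abstract transformers transfer_abstract and the function names are this example's assumptions, and satisfies_inequations is the sound-result condition of the last slide: any post-fixpoint passes, not only the least one.

```python
# Added example (not the lecture's code): the slides' recursive equation system for
#   entry -> [2] --assume x>0--> [3] --x:=x-1--> [2],   [2] --assume x<=0--> exit
# solved by iteration from bottom in the collecting lattice and in a constructed
# abstract domain (sets of sign classes, whose join is set union).

def transfer_concrete(cmd, states):
    """[[cmd]] applied to a set of concrete states; a state is the value of x."""
    if cmd == "x:=x-1":
        return {x - 1 for x in states}
    if cmd == "assume x>0":
        return {x for x in states if x > 0}
    if cmd == "assume x<=0":
        return {x for x in states if x <= 0}
    raise ValueError(cmd)

def alpha(states):
    """Abstraction: the set of sign classes occurring in a set of states."""
    return {"neg" if x < 0 else "zero" if x == 0 else "pos" for x in states}

def transfer_abstract(cmd, signs):
    """[[cmd]]# on a set of sign classes (constructed); each case over-approximates
    the concrete transformer, e.g. pos - 1 may be zero or pos."""
    if cmd == "x:=x-1":
        step = {"neg": {"neg"}, "zero": {"neg"}, "pos": {"zero", "pos"}}
        return set().union(*(step[s] for s in signs))
    if cmd == "assume x>0":
        return signs & {"pos"}
    if cmd == "assume x<=0":
        return signs & {"neg", "zero"}
    raise ValueError(cmd)

def solve(entry, transfer, join):
    """Iterate all equations from bottom (empty sets) until nothing changes.
    Every unknown only grows, so the result is the least solution."""
    R = {"entry": entry, "2": set(), "3": set(), "exit": set()}
    while True:
        new = {"entry": entry,
               "2": join(R["entry"], transfer("x:=x-1", R["3"])),
               "3": transfer("assume x>0", R["2"]),
               "exit": transfer("assume x<=0", R["2"])}
        if new == R:
            return R
        R = new

def satisfies_inequations(R, transfer, leq, join):
    """The slides' soundness condition: each R[n] is above its right-hand side
    (a post-fixpoint).  Any such R is a sound result, not only the least one."""
    return (leq(join(R["entry"], transfer("x:=x-1", R["3"])), R["2"])
            and leq(transfer("assume x>0", R["2"]), R["3"])
            and leq(transfer("assume x<=0", R["2"]), R["exit"]))

def is_sound(abstract_R, concrete_R):
    """alpha of every concrete solution component lies below the abstract one."""
    return all(alpha(concrete_R[n]) <= abstract_R[n] for n in concrete_R)

def demo(entry=(0, 1, 2)):
    """Constructed initial states; returns the concrete and the abstract least solutions."""
    conc = solve(set(entry), transfer_concrete, set.union)
    abst = solve(alpha(entry), transfer_abstract, set.union)
    return conc, abst
```

With entry states {0, 1, 2} the concrete solution is R[2] = {0, 1, 2}, R[3] = {1, 2}, R[exit] = {0}, and the abstract one is R[2] = {zero, pos}, R[3] = {pos}, R[exit] = {zero}; is_sound confirms the abstraction relation node by node, and satisfies_inequations also accepts the coarser answer that puts {neg, zero, pos} everywhere, which is what "sound but imprecise" means for a static analysis result.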

Next lecture: abstract interpretation II