Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4."— Presentation transcript:

1 Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4

2 The Abstract Interpretation Technique (Cousot & Cousot) u The foundation of program analysis u Defines the meaning of the information computed by static tools u A mathematical framework u Allows proving that an analysis is sound in a local way u Identify design bugs u Understand where precision is lost u New analysis from old u Not limited to certain programming style

3 Outline u Monotone Frameworks with Widening u Galois Connections (Insertions) u Collecting semantics u The Soundness Theorem

4 Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  In[v] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

5 Widening u Accelerate the termination of Chaotic iterations by computing a more conservative solution u Can handle lattices of infinite heights

6 Specialized Chaotic Iterations+  Chaotic(G(V, E): Graph, s: Node, L: lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  In[v] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

7 Example Interval Analysis u Find a lower and an upper bound of the value of a variable u Usages? u Lattice L = (Z  {- ,  }  Z  {- ,  }, , , , ,  ) –[a, b]  [c, d] if c  a and d  b –[a, b]  [c, d] = [min(a, c), max(b, d)] –[a, b]  [c, d] = [max(a, c), min(b, d)] –  = –  =

8 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [minint,maxint] IntExit(1) = [1,1] IntEntry(2) = IntExit(1)  IntExit(3) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [minint,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,maxint] IntExit(4) = IntEntry(4)

9 Widening for Interval Analysis u   [c, d] = [c, d] u [a, b]  [c, d] = [ if a  c then a else - , if b  d then b else  ]

10 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - ,  ] IntExit(1) = [1,1] IntEntry(2) = InExit(2)  (IntExit(1)  IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,  ] IntExit(4) = IntEntry(4)

11 Requirements on Widening u For all elements l 1  l 2  l 1  l 2 u For all ascending chains l 0  l 1  l 2  … the following sequence is finite –y 0 = l 0 –y i+1 = y i  l i+1 u For a monotonic function f: L  L define –x 0 =  –x i+1 = x i  f(x i ) u Theorem: –There exits k such that x k+1 = x k –x k  Red(f) = {l: l  L, f(l)  l}

12 Narrowing u Improve the result of widening u y  x  y  (x  y)  x u For all decreasing chains x 0  x 1  … the following sequence is finite –y 0 = x 0 –y i+1 = y i  x i+1 u For a monotonic function f: L  L and x  Red(f) = {l: l  L, f(l)  l} define –y 0 = x –y i+1 = y i  f(y i ) u Theorem: –There exits k such that y k+1 =y k –y k  Red(f) = {l: l  L, f(l)  l}

13 Narrowing for Interval Analysis u [a, b]   = [a, b] u [a, b]  [c, d] = [ if a = -  then c else a, if b =  then d else b ]

14 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - ,  ] IntExit(1) = [1,1] IntEntry(2) = InExit(2)  ( IntExit(1)  IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,  ] IntExit(4) = IntEntry(4)

15 Non Montonicity of Widening u [0,1]  [0,2] = [0,  ] u [0,2]  [0,2] = [0,2]

16 Widening and Narrowing Summary u Very simple but produces impressive precision u Sometimes non-monotonic u The McCarthy 91 function u Also useful in the finite case u Can be used as a methodological tool int f(x) [- ,  ] if x > 100 then [101,  ] return x -10 [91,  -10]; else [- , 100] return f(f(x+11)) [91, 91] ;

17 Foundation of Static Analysis u Static analysis can be viewed as interpreting the program over an “abstract domain” u Execute the program over larger set of execution paths u Guarantee sound results –Every identified constant is indeed a constant –But not every constant is identified as such

18   Abstract Abstract Interpretation Concrete  Sets of stores Descriptors of sets of stores 

19 Odd/Even Abstract Interpretation  {-2, 1, 5} {0,2} {2}{0}  EO ? All concrete states   {x: x  Even}

20 Odd/Even Abstract Interpretation  {-2, 1, 5} {0,2} {2}{0}  EO ?    All concrete states   {x: x  Even}

21 Odd/Even Abstract Interpretation  {-2, 1, 5} {0,2} {2}{0}  EO ?  All concrete states {x: x  Even}  

22 Galois Connections u A concrete domain (C,  ) u An abstract domain (A,  ) u An abstraction function  : C  A u A concretization function  : A  C u  is monotone (order-preserving) u  is monotone (order-preserving) u c   (  (c)) u  (  (a))  a u  (c)  a  c   (a)

23 More on Galois Connections u  and  determine each other u Defines an upward closure operator up:C  C such that c  up(c) and up(up(c)) = up(c) by up(c) =  (  (c)) u For C = P(  ) let  : C  A then the Galois connection is defined by: –  (c) =  {  (  ) |  c} –  (a) = {  |  (  )  a }

24 The Abstraction Function (CP) u Map collecting states into constants u The abstraction of an individual state  CP :[Var *  Z]  [Var *  Z  { ,  }]  CP (  ) =  u The abstraction of set of states  CP :P([Var *  Z])  [Var *  Z  { ,  }]  CP (CS) =  {  CP (  ) |   CS} =  {  |   CS} u Soundness  CP (Reach (v))  df(v) u Completeness

25 The Concretization Function u Map constants into collecting states u The formal meaning of constants u The concretization  CP : [Var *  Z  { ,  }]  P([Var *  Z])  CP (df) = {  |  CP (  )  df} = {  |   df} u Soundness Reach (v)   CP (df(v)) u Optimality

26 Galois Connection Constant Propagation u  CP is monotone u  CP is monotone u  df  [Var *  Z  { ,  }] –  CP (  CP (df))  df u  c  P([Var *  Z]) –c CP   CP (  CP (C))

27 Upper Closure (CP)

28 More Examples u Interval Analysis u Points-to analysis u Reaching definitions u Live variable analysis

29 Collecting Semantics u The input state is not known at compile-time u “Collect” all the states for all possible inputs to the program u The set of reachable states u No lost of precision u Need not be computable

30 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) {[x  0, y  0, z  0 ]} {[x  1, y  0, z  3 ]} {[x  1, y  0, z  3 ], [x  3, y  0, z  3], } {[x  0, y  0, z  3 ]} {[x  1, y  7, z  3 ], [x  3, y  7, z  3] } { [x  3, y  7, z  3] }

31 Another Example while (true) do x = x +1 {[x  0]} {[x  0], {[x  1], {[x  2], … } {{[x  1], {[x  2], … }

32 Global Soundness Theorem u If the meaning of every statement is locally sound u Then, the solution computed by the iterative algorithm overapproximates the collecting semantics –  (CS)  df –CS   (df)

33 Example while (true) do x = x +1 {[x  0]} {[x  0], {[x  1], {[x  2], … } {{[x  1], {[x  2], … } P P P

34 Bad Example x = x -1 x = x + 1 {[x  0]} P ? ? {[x  -1]} {[x  0]}

35 An “Iterative” Definition of Collecting Semaics u Generate a system of monotone equations u The least solution is well-defined u The least solution is the collecting interpretation u But may not be computable

36 Equations Generated for Collecting Interpretation u Equations for elementary statements –[skip] CS exit (1) = CS entry (l) –[b] CS exit (1) = {  :   CS entry (l),  b   =tt} –[x := a] CS exit (1) = { (s[x  A  a  s]) | s  CS entry (l)} u Equations for control flow constructs CS entry (l) =  CS exit (l’) l’ immediately precedes l in the control flow graph u An equation for the entry CS entry (1) = {  |   Var *  Z }

37 System of Equations (Collecting Semantics) S = CS entry [s] ={  0 } CS entry [v] =  {f(e)(CS entry [u]) | (u, v)  E } where f(e) = X. {  st(e)   |  X} for atomic statements f(e) = X.{  |  b(e)   =tt } F S :L n  L n F s (X)[v] =  {f(e)[u] | (u, v)  E } lfp(S) = lfp(F S )

38 The Least Solution u 2n sets of equations CS entry (1), …, CS entry (n), CS exit (1), …, CS exit (n) u Can be written in vectorial form u The least solution lfp(F cs ) is well-defined u Every component is minimal u Since F cs is monotone such a solution always exists u CS entry (v) = {s|  s 0 |  * (S’, s)), init(S’)=v} u Simplify the soundness criteria

39 Example [x = 0] 0 while [(true)] 1 do [x = x +1] 2

40 A Low Level View u An infinite set of states  (including control) u The meaning of the program (small step) is a transition relation      u Let  s be the set of initial states u The collecting interpretation system F(CS) =  s  {  |   ’:  ’  CS   ’    } u Let A be an abstract domain (lattice) u Let a s  A be the initial abstract element u Let  : A  P(  ) be the concretization u The abstract meaning of the program (small step) is a transition relation  #  A  A u Local soundness: u Global soundness:

41 Abstract (Conservative) interpretation abstract representation Set of states abstraction Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states abstract representation 

42 Abstract (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation concretization Operational semantics statement s Set of states 

43 Abstract (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states  abstract representation

44 Soundness Theorem(1) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A: f(  (a))   (f # (a)) lfp(f)   (lfp(f # ))  (lfp(f))  lfp(f # )

45 Soundness Theorem(2) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  c  C:  (f(c))  f # (  (c))  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

46 Soundness Theorem(3) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A:  (f(  (a)))  f # (a)  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

47 Local Concrete Semantics u For every atomic statement S –  S  : [Var *  Z]  [Var *  Z] –  x := a]  s = s[x  A  a  s] –  skip]  s = s u For Boolean conditions …

48 Local Abstract Semantics(CP) u For every atomic statement S –  S  # :Var *  L  Var *  L –  x := a  # (e) = e [x   a  # (e) –  skip  # (e) = e u For Booleans …

49 Local Soundness (CP) u For every atomic statement S show one of the following –  CP ({  S   |   CS }   S  # (  CP (CS)) –{  S   |    CP (df)}   CP (  S  # (df)) –  ({  S   |    CP (df)})   S  # (df) u The above condition implies global soundness [Cousot & Cousot 1976]  (CS entry (l))  df entry (l) CS entry (l)   (df entry (l))

50 Lemma 1 Consider a lattice L. f: L  L is monotone iff for all X  L:  {f(z) | z  X }  f(  {z | z  X })

51 Assignments in constant propagation u Monotone –df 1  df 2   x :=e  ) # df 1 )   x :=e  ) # df 2 ( u Local Soundness –  ({  x :=e   |   CS }   x :=e  # (  (CS))

52 Proof of Soundness (Summary) u Define an “appropriate” operational semantics u Define “collecting” operational semantics u Establish a Galois connection between collecting states and abstract states u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the result of the iterative analysis is sound w.r.t. the collecting semantics u Can be applied between different abstractions

53 Induced Analysis (Relatively Optimal) u It is sometimes possible to show that a given analysis is not only sound but optimal w.r.t. the chosen abstraction –but not necessarily optimal! u Define  S  # (df) =  ({  S   |    (df)}) u But this  S  # may not be computable u Derive (at compiler-generation time) an alternative form for  S  # u A useful measure to decide if the abstraction must lead to overly imprecise results

54 Notions of precision u CS =  (df) u  (CS) = df u Meet(Join) over all paths u Using best transformers u Good enough

55 Conclusions u Abstract interpretation relates runtime semantics and static information u The concrete semantics serves as a tool in designing abstractions u Understanding concretization is a must u Understand what is preserved/lost

Download ppt "Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4."

Similar presentations

Abstract Interpretation Part II

Abstract Interpretation Part II
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Tutorial on Widening (and Narrowing) Hongseok Yang Seoul National University.

Tutorial on Widening (and Narrowing) Hongseok Yang Seoul National University.
Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.

Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.

Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.
Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.

Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Global optimization. Data flow analysis To generate better code, need to examine definitions and uses of variables beyond basic blocks. With use- definition.

Global optimization. Data flow analysis To generate better code, need to examine definitions and uses of variables beyond basic blocks. With use- definition.
1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program.

1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Data Flow Analysis 2 15-411 Compiler Design Nov. 3, 2005.

Data Flow Analysis Compiler Design Nov. 3, 2005.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.

Similar presentations

Ads by Google