noam rinetzky lecture 9: abstract interpretation ii
DESCRIPTION
Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 9: Abstract Interpretation II. Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav. From verification to analysis. Manual program verification - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/1.jpg)
Program Analysis and Verification
0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html
Noam Rinetzky
Lecture 9: Abstract Interpretation II
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
![Page 2: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/2.jpg)
From verification to analysis
• Manual program verification– Verifier provides assertions• Loop invariants
• Program analysis– Automatic program verification – Tool automatically synthesize assertions • Finds loop invariants
![Page 3: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/3.jpg)
3
Abstract Interpretation [Cousot’77]
• Mathematical foundation of static analysis
![Page 4: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/4.jpg)
4
Abstract Interpretation [Cousot’77]
• Mathematical framework for approximating semantics (aka abstraction)– Allows designing sound static analysis algorithms• Usually compute by iterating to a fixed-point
– Computes (loop) invariants• Can be interpreted as axiomatic verification assertions• Generalizes Hoare Logic & WP / SP calculus
![Page 5: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/5.jpg)
5
Abstract Interpretation [Cousot’77]
• Mathematical foundation of static analysis– Abstract domains• Abstract states ~ Assertions• Join () ~ Weakening
– Transformer functions• Abstract steps ~ Axioms
– Chaotic iteration • Structured Programs ~ Control-flow graphs• Abstract computation ~ Loop invariants
![Page 6: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/6.jpg)
6
Concrete Semantics
set of statesoperational semantics(concrete semantics)
statement Sset of states
![Page 7: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/7.jpg)
7
Conservative Semantics
set of states set of statesoperational semantics(concrete semantics)
statement Sset of states
![Page 8: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/8.jpg)
8
Abstract (conservative) interpretation
set of states set of statesoperational semantics(concrete semantics)
statement S
abstract representation abstract
representation abstract semanticsstatement S abstract
representation
abstraction abstraction
{P} S {Q} sp(S, P)generalizes axiomatic verification
![Page 9: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/9.jpg)
9
Abstract (conservative) interpretation
set of states set of statesoperational semantics(concrete semantics)
statement Sset of states
abstract representation abstract semantics
statement S abstract representation
concretization concretization
![Page 10: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/10.jpg)
10
Abstract (conservative) interpretation
set of states set of statesoperational semantics(concrete semantics)
statement Sset of states
abstract state abstract semantics (transfer function)
statement S abstract state
concretization concretization
![Page 11: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/11.jpg)
11
Abstract Interpretation [Cousot’77]
• Mathematical foundation of static analysis– Abstract domains• Abstract states ~ Assertions• Join () ~ Weakening
– Transformer functions• Abstract steps ~ Axioms
– Chaotic iteration • Abstract computation ~ Loop invariants• Structured Programs ~ Control-flow graphs
Lattices(D, , , , , )
Monotonic functions
Fixpoints
![Page 12: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/12.jpg)
12
A taxonomy of semantic domain typesComplete Lattice(D, , , , , )
Lattice(D, , , , , )
Join semilattice(D, , , )
Meet semilattice(D, , , )
Complete partial order (CPO)(D, , )
Partial order (poset)(D, )
Preorder(D, )
![Page 13: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/13.jpg)
13
Preorder• We say that a binary order relation over a
set D is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’
![Page 14: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/14.jpg)
14
Preorder
d d’
d’’
• We say that a binary order relation over a set D is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’
Hasse Diagram
![Page 15: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/15.jpg)
15
Preorder• We say that a binary order relation over a
set D is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’
d d’
d’’
Hasse Diagram
![Page 16: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/16.jpg)
16
Partial order• We say that a binary order relation over a
set D is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’– Anti-symmetric: d d’ and d’ d implies d = d’
d d’
d’’
Hasse Diagram
![Page 17: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/17.jpg)
17
Chains
• d d’ means d d’ and d d’
• An ascending chain is a sequencex1 x2 … xk …
• A descending chain is a sequencex1 x2 … xk …
• The height of a poset (D, ) is the length of the maximal ascending chain in D
![Page 18: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/18.jpg)
18
poset Hasse diagram (for CP)
{x=0}
{x=-1}{x=-2} {x=1} {x=2} ……
![Page 19: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/19.jpg)
19
Some posets-related terminology
• If x y (alt y ⊒x) we can say– x is lower than y – x is more precise than y – x is more concrete than y – x under-approximates y
– y is greater than x – y is less precise than x – y is more abstract than x – y over-approximates x
![Page 20: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/20.jpg)
Least upper bound (LUB)
• (D, ) is a poset
• b D is an ∊ upper bound of A D if a ⊆ ∀ A: a b
• b D is ∊ the least upper bound of A D if ⊆– b is an upper bound of A – If b’ is an upper bound of A then b b’– Join: X = LUB of X• x y = {x, y}
May not exist
May not exist
![Page 21: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/21.jpg)
21
Join operator
• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x
• A kind of abstract union (disjunction) operator
• Top element of (D, ) is = D
![Page 22: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/22.jpg)
22
Join Example
{x=0}
{x=-1}{x=-2} {x=1} {x=2} ……
![Page 23: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/23.jpg)
23
Join Example
{x=0}
{x=-1}{x=-2} {x=1} {x=2} ……
![Page 24: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/24.jpg)
24
Join Example
{x=0}
{x=-1}{x=-2} {x=1} {x=2} ……
![Page 25: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/25.jpg)
Greatest lower bound (GLB)
• (D, ) is a poset
• b D is an ∊ lower bound of A D if a ⊆ ∀ A: b a
• b D is ∊ the greatest lower bound of A D if ⊆– b is an lower bound of A – If b’ is an lower bound of A then b’ b– Meet: X = GLB of X• x y = {x, y}
May not exist
May not exist
![Page 26: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/26.jpg)
26
Meet operator
• Properties of a meet operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x
• A kind of abstract intersection (conjunction) operator
• Bottom element of (D, ) is = D
![Page 27: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/27.jpg)
27
Complete partial order (CPO)
• A poset (D , ) is a complete partial if every ascending chain x1 x2 … xk … has a LUB
![Page 28: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/28.jpg)
28
Meet Example
x=0
x0
x<0 x>0
x0
![Page 29: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/29.jpg)
29
Meet Example
x=0
x0
x<0 x>0
x0
![Page 30: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/30.jpg)
30
Meet Example
x=0
x0
x<0 x>0
x0
![Page 31: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/31.jpg)
31
Complete partial order (CPO)
• A poset (D , ) is a complete partial if every ascending chain x1 x2 … xk … has a LUB
![Page 32: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/32.jpg)
32
Join semilattices
• (D, , , ) is a join semilattice – (D, ) is a partial order – ∀X FIN D . X is defined – A top element
![Page 33: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/33.jpg)
33
Meet semilattices
• (D, , , ) is a meet semilattice – (D, ) is a partial order – ∀X FIN D . X is defined – A bottom element
![Page 34: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/34.jpg)
34
Lattices
• (D, , , , , ) is a lattice if– (D, , , ) is a join semilattice– (D, , , ) is a meet semilattice
• A lattice (D, , , , , ) is a complete lattice if– X and Y are defined for arbitrary sets
![Page 35: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/35.jpg)
35
Example: Powerset lattices
• (2X, , , , , X) is the powerset lattice of X– A complete lattice
![Page 36: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/36.jpg)
36
Example: Sign lattice
x=0
x0
x<0 x>0
x0
![Page 37: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/37.jpg)
37
A taxonomy of semantic domain typesComplete Lattice(D, , , , , )
Lattice(D, , , , , )
Join semilattice(D, , , )
Meet semilattice(D, , , )
Join/Meet exist for every subset of DJoin/Meet exist for every finite
subset of D (alternatively, binary join/meet)
Join of the empty set Meet of the empty set
Complete partial order (CPO)(D, , )
Partial order (poset)(D, )
Preorder(D, )
reflexivetransitiveanti-symmetric: d d’ and d’ d implies d = d’
reflexive: d dtransitive: d d’, d’ d’’ implies d d’’
poset with LUB for all ascending chains
![Page 38: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/38.jpg)
38
Towards a recipe for static analysis
![Page 39: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/39.jpg)
39
Collecting semantics
• For a set of program states State, we define the collecting lattice
(2State, , , , , State)
• The collecting semantics accumulates the (possibly infinite) sets of states generated during the execution– Not computable in general
![Page 40: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/40.jpg)
40
Abstract (conservative) interpretation
set of states set of statesoperational semantics(concrete semantics)
statement Sset of states
abstract representation abstract semantics
statement S abstract representation
concretization concretization
![Page 41: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/41.jpg)
41
Abstract (conservative) interpretation
{x 1, x 2, …}↦ ↦ {x 0, x 1, …}↦ ↦operational semantics(concrete semantics)
x=x-1{x 0, x 1, …}↦ ↦
0 < x abstract semanticsx = x -1
0 ≤ x
concretization concretization
![Page 42: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/42.jpg)
42
Abstract (conservative) interpretation
{x 1, x 2, …}↦ ↦ {…, x 0, …}↦operational semantics(concrete semantics)
x=x-1{x 0, x 1, …}↦ ↦
0 < x abstract semanticsx = x -1
concretization concretization
![Page 43: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/43.jpg)
43
Abstract (non-conservative) interpretation
{x 1, x 2, …}↦ ↦ { x 1, …}↦operational semantics(concrete semantics)
x=x-1{x 0, x 1, …}↦ ↦ ⊈
0 < x abstract semanticsx = x -1
0 < x
concretization concretization
![Page 44: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/44.jpg)
44
But …
• what if we have x & y?– Define lattice (semantics) for each variable– Compose lattices• Goal: compositional definition
• What if we have more than 1 statement?– Define semantics for entire program via CFG– Different “abstract states” at every CFG node
![Page 45: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/45.jpg)
45
One lattice per variabletrue
false
x=0
x0
x<0 x>0
x0
true
false
y=0
y0
y<0 y>0
y0
How can we compose them?
![Page 46: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/46.jpg)
46
Cartesian product of complete lattices
• For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)
• Define the posetLcart = (D1D2, cart, cart, cart, cart, cart)as follows:– (x1, x2) cart (y1, y2) iff x1 1 y1 x2 2 y2
– cart = ? cart = ? cart = ? cart = ?
• Lemma: L is a complete lattice• Define the Cartesian constructor Lcart = Cart(L1, L2)
![Page 47: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/47.jpg)
47
Cartesian product example=(,)
x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0
x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0……
x0,y0 x0,y0 x0,y0x0,y0
x0 x0 y0 y0
…
(false, false)How does it represent
(x<0y<0) (x>0y>0)?
=(, )
![Page 48: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/48.jpg)
48
Disjunctive completion• For a complete lattice
L = (D, , , , , )• Define the powerset lattice
L = (2D, , , , , ) = ? = ? = ? = ? = ?
• Lemma: L is a complete lattice
• L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
• Define the disjunctive completion constructorL = Disj(L)
![Page 49: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/49.jpg)
49
The base lattice CP
{x=0}
{x=-1}{x=-2} {x=1} {x=2} ……
![Page 50: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/50.jpg)
50
The disjunctive completion of CP
{x=0}
true
{x=-1}{x=-2} {x=1} {x=2} ……
false
{x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2}… … …
{x=0 x=1x=2}{x=-1 x=1x=-2}… ………
What is the height of this lattice?
![Page 51: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/51.jpg)
51
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = ?
![Page 52: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/52.jpg)
52
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = Disj(Cart(L1, L2))
• Lemma: L is a complete lattice• What does it buy us?
![Page 53: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/53.jpg)
53
Cartesian product exampletrue
false
x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0
x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0……
x0,y0 x0,y0 x0,y0x0,y0
x0 x0 y0 y0
…
How does it represent(x<0y<0) (x>0y>0)?
What is the height of this lattice?
![Page 54: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/54.jpg)
54
Relational product exampletrue
false
(x<0y<0)(x>0y>0)
x0 x0 y0 y0
How does it represent(x<0y<0) (x>0y>0)?
(x<0y<0)(x>0y=0) (x<0y0)(x<0y0)
…
What is the height of this lattice?
![Page 55: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/55.jpg)
Collecting semantics1 label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
234
5
if x > 0
x := x - 1
2
3
entry
exit
[x1]
[x1]
[x1]
[x0]
[x0]
[x-1]
[x-1]
[x2]
[x2]
[x2]
[x2]
[x3]
[x3]
[x3]
…
…
…55
[x-2]…
![Page 56: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/56.jpg)
56
Defining the collecting semantics
• How should we represent the set of states at a given control-flow node by a lattice?
• How should we represent the sets of states at all control-flow nodes by a lattice?
![Page 57: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/57.jpg)
57
Finite maps• For a complete lattice
L = (D, , , , , )and finite set V
• Define the posetLVL = (VD, VL, VL, VL, VL, VL)as follows:– f1 VL f2 iff for all vV
f1(v) f2(v)
– VL = ? VL = ? VL = ? VL = ?
• Lemma: L is a complete lattice• Define the map constructor LVL = Map(V, L)
![Page 58: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/58.jpg)
58
The collecting lattice
• Lattice for a given control-flow node v: ?
• Lattice for entire control-flow graph with nodes V:
?• We will use this lattice as a baseline for static
analysis and define abstractions of its elements
![Page 59: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/59.jpg)
59
The collecting lattice
• Lattice for a given control-flow node v: Lv=(2State, , , , , State)
• Lattice for entire control-flow graph with nodes V:
LCFG = Map(V, Lv)• We will use this lattice as a baseline for static
analysis and define abstractions of its elements
![Page 60: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/60.jpg)
60
Equational definition of the semantics• Define variables of type
set of states for each control-flow node
• Define constraints between them
if x > 0
x := x - 1
2
3
entry
exit
R[entry]
R[2]
R[3]R[exit]
![Page 61: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/61.jpg)
61
Equational definition of the semantics• R[2] = R[entry] x:=x-1 R[3]• R[3] = R[2] {s | s(x) > 0}• R[exit] = R[2] {s | s(x) 0}• A system of recursive equations• How can we approximate it using what
we have learned so far?if x > 0
x := x - 1
2
3
entry
exit
R[entry]
R[2]
R[3]R[exit]
![Page 62: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/62.jpg)
62
An abstract semantics• R[2] = R[entry] x:=x-1# R[3]• R[3] = R[2] {s | s(x) > 0}#
• R[exit] = R[2] {s | s(x) 0}#
• A system of recursive equations
if x > 0
x := x - 1
2
3
entry
exit
R[entry]
R[2]
R[3]R[exit]
Abstract transformer for x:=x-1
Abstract representationof {s | s(x) < 0}
![Page 63: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/63.jpg)
63
Abstract interpretation via abstraction
set of states set of statescollecting semantics
statement S
abstract representationof sets of states
abstract
representationof sets of states abstract semantics
statement Sabstract
representationof sets of states
abstraction abstraction
{P} S {Q} sp(S, P)generalizes axiomatic verification
![Page 64: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/64.jpg)
64
Abstract interpretation via concretization
set of states set of statescollecting semantics
statement Sset of states
abstract representationof sets of states
abstract semanticsstatement S abstract
representationof sets of states
concretization concretization
{P} S {Q}
models(P) models(sp(S, P)) models(Q)
![Page 65: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/65.jpg)
65
Required knowledge
Collecting semanticsAbstract semantics • Connection between collecting semantics and
abstract semantics• Algorithm to compute abstract semantics
![Page 66: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/66.jpg)
66
The collecting lattice (sets of states)
• Lattice for a given control-flow node v: Lv=(2State, , , , , State)
• Lattice for entire control-flow graph with nodes V:
LCFG = Map(V, Lv)• We will use this lattice as a baseline for static
analysis and define abstractions of its elements
![Page 67: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/67.jpg)
Collecting semantics example1234
5
67
label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
if x > 0
x := x-1
entry
exit
2
3
[x1][x0][x-1][x2][x2][x3]…[x1][x0][x-1][x2][x2][x3]…
[x1][x3][x4]
[x2]
…[x-1][x-2]… [x0]
[x0][x1][x2][x3] …
![Page 68: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/68.jpg)
Shorthand notation1234
5
68
label0: if x <= 0 goto label1 x := x – 1 goto label0
label1:
if x > 0
x := x-1
entry
exit
{xZ}
{xZ}
{x>0}{x0}
{x0}
2
3
![Page 69: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/69.jpg)
69
Equational definition example• A vector of variables R[0, 1, 2, 3, 4]• R[0] = {xZ} // established input
R[1] = R[0] R[4]R[2] = R[1] {s | s(x) > 0}R[3] = R[1] {s | s(x) 0}R[4] = x:=x-1 R[2]
• A (recursive) system of equations
if x > 0
x := x-1
entry
exit
R[0]
R[1]
R[2]R[4]
R[3]
Semantic function for assume x>0
Semantic function for x:=x-1 lifted to sets of states
![Page 70: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/70.jpg)
70
General definition• A vector of variables R[0, …, k] one per input/output of a node
– R[0] is for entry• For node n with multiple predecessors add equation
R[n] = {R[k] | k is a predecessor of n}• For an atomic operation node R[m] S R[n] add equation
R[n] = S R[m]• Treat true/false branches of conditions as atomic statements
assume bexpr and assume bexpr
if x > 0
x := x-1
entry
exit
R[0]
R[1]
R[2]R[4]
R[3]
![Page 71: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/71.jpg)
71
Equation systems in general• Let L be a complete lattice (D, , , , , )• Let R be a vector of variables R[0, …, n] D … D• Let F be a vector of functions of the type
F[i] : R[0, …, n] R[0, …, n]• A system of equations
R[0] = f[0](R[0], …, R[n])…R[n] = f[n](R[0], …, R[n])
• In vector notation R = F(R)• Questions:
1. Does a solution always exist?
2. If so, is it unique?
3. If so, is it computable?
![Page 72: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/72.jpg)
72
Equation systems in general• Let L be a complete lattice (D, , , , , )• Let R be a vector of variables R[0, …, n] D … D• Let F be a vector of functions of the type
F[i] : R[0, …, n] R[0, …, n]• A system of equations
R[0] = f[0](R[0], …, R[n])…R[n] = f[n](R[0], …, R[n])
• In vector notation R = F(R)• Questions:
1. Does a solution always exist?2. If so, is it unique?3. If so, is it computable?
![Page 73: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/73.jpg)
73
Monotone functions
• Let L1=(D1, ) and L2=(D2, ) be two posets
• A function f : D1 D2 is monotone if for every pair x, y D1
x y implies f(x) f(y)• A special case: L1=L2=(D, )
f : D D
![Page 74: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/74.jpg)
74
Important cases of monotonicity
• Join: f(X, Y) = X YProve it!
• For a set X and any function gF(X) = { g(x) | x X }Prove it!
• Notice that the collecting semantics function is defined in terms of– Join (set union)– Semantic function for atomic statements lifted to sets of
states
![Page 75: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/75.jpg)
75
Extensive/reductive functions
• Let L=(D, ) be a poset• A function f : D D is extensive if for every
pair x D, we have that x f(x)• A function f : D D is reductive if for every
pair x D, we have that x f(x)
![Page 76: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/76.jpg)
76
Fixed-points• L = (D, , , , , )• f : D D monotone• Fix(f) = { d | f(d) = d }• Red(f) = { d | f(d) d }• Ext(f) = { d | d f(d) }• Theorem [Tarski 1955]– lfp(f) = Fix(f) = Red(f) Fix(f)– gfp(f) = Fix(f) = Ext(f) Fix(f)
Red(f)
Ext(f)
Fix(f)
lfp
gfp
fn()
fn()
1.Does a solution always exist? Yes2. If so, is it unique? No, but it has least/greatest solutions3. If so, is it computable? Under some conditions…
![Page 77: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/77.jpg)
77
Fixed point example for program• R[0] = {xZ}
R[1] = R[0] R[4]R[2] = R[1] {s | s(x) > 0}R[3] = R[1] {s | s(x) 0}R[4] = x:=x-1 R[2]
if x>0
x := x-1
2
3
entry
exit
xZ
xZ
{x>0}{x<0}
if x>0
x := x-1
2
3
entry
exit
xZ
xZ
{x>0}{x<0}
F(d) : Fixed-point
=
d
![Page 78: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/78.jpg)
78
Fixed point example for program• R[0] = {xZ}
R[1] = R[0] R[4]R[2] = R[1] {s | s(x) > 0}R[3] = R[1] {s | s(x) 0}R[4] = x:=x-1 R[2]
if x>0
x := x-1
2
3
entry
exit
xZ
xZ
{x>0}{x<-5}
if x>0
x := x-1
2
3
entry
exit
xZ
xZ
{x>0}{x<0}
F(d) : pre Fixed-point
d
![Page 79: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/79.jpg)
79
Fixed point example for program• R[0] = {xZ}
R[1] = R[0] R[4]R[2] = R[1] {s | s(x) > 0}R[3] = R[1] {s | s(x) 0}R[4] = x:=x-1 R[2]
if x>0
x := x-1
2
3
entry
exit
xZ
xZ
{x>0}{x<9}
if x>0
x := x-1
2
3
entry
exit
xZ
xZ
{x>0}{x<0}
F(d) : post Fixed-point
d
![Page 80: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/80.jpg)
80
Continuity and ACC condition
• Let L = (D, , , ) be a complete partial order– Every ascending chain has an upper bound
• A function f is continuous if for every increasing chain Y D*,
f(Y) = { f(y) | yY }• L satisfies the ascending chain condition (ACC)
if every ascending chain eventually stabilizes:d0 d1 … dn = dn+1 = …
![Page 81: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/81.jpg)
81
Fixed-point theorem [Kleene]• Let L = (D, , , ) be a complete partial order and a continuous function f: D D
then
lfp(f) = nN fn()
• Lemma: Monotone functions on posets satisfying ACC are continuousProof:
1. Every ascending chain Y eventually stabilizes d0 d1 … dn = dn+1 = … hence dn is the least upper bound of {d0, d1, … , dn},thus f(Y) = f(dn)
2. From monotonicity of f f(d0) f(d1) … f(dn) = f(dn+1) = … Hence f(dn) is the least upper bound of {f(d0), f(d1), … , f(dn)},thus { f(y) | yY } = f(dn)
![Page 82: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/82.jpg)
82
Resulting algorithm • Kleene’s fixed point theorem
gives a constructive method for computing the lfp
lfpfn()
f()f2()
…d := while f(d) d do d := d f(d)return d
Algorithm
lfp(f) = nN fn()Mathematical definition
![Page 83: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/83.jpg)
83
Chaotic iteration• Input:
– A cpo L = (D, , , ) satisfying ACC– Ln = L L … L– A monotone function f : Dn Dn – A system of equations { X[i] | f(X) | 1 i n }
• Output: lfp(f)• A worklist-based algorithm
for i:=1 to n do X[i] := WL = {1,…,n}while WL do j := pop WL // choose index non-deterministically N := F[i](X) if N X[i] then X[i] := N add all the indexes that directly depend on i to WL (X[j] depends on X[i] if F[j] contains X[i])return X
![Page 84: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/84.jpg)
84
Chaotic iteration for static analysis• Specialize chaotic iteration for programs• Create a CFG for program• Choose a cpo of properties for the static analysis to infer: L
= (D, , , )• Define variables R[0,…,n] for input/output of each CFG node
such that R[i] D• For each node v let vout be the variable at the output of that
node:vout = F[v]( u | (u,v) is a CFG edge)– Make sure each F[v] is monotone
• Variable dependence determined by outgoing edges in CFG
![Page 85: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/85.jpg)
85
Constant propagation example
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
x := 4;while (y5) do z := x; x := 4
![Page 86: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/86.jpg)
86
Constant propagation lattice• For each variable x define L as
• For a set of program variables Var=x1,…,xn
Ln = L L … L
0-1-2 1 2 ......
no information
not-a-constant
![Page 87: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/87.jpg)
87
Write down variables
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
x := 4;while (y5) do z := x; x := 4
![Page 88: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/88.jpg)
88
Write down equations
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2R2
R3
R4
R6
R1
R5
R0x := 4;while (y5) do z := x; x := 4
![Page 89: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/89.jpg)
89
Collecting semantics equations
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2R2
R3
R4
R6
R0 = StateR1 = x:=4 R0
R2 = R1 R5
R3 = assume y5 R2
R4 = z:=x R3
R5 = x:=4 R4
R6 = assume y=5 R2
R1
R5
R0
![Page 90: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/90.jpg)
90
Constant propagation equations
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2R2
R3
R4
R6
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1
R5
R0
abstract transformer
![Page 91: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/91.jpg)
91
Abstract operations for CPR0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
Lattice elements have the form: (vx, vy, vz)x:=4# (vx,vy,vz) = (4, vy, vz)z:=x# (vx,vy,vz) = (vx, vy, vx)assume y5# (vx,vy,vz) = (vx, vy, vx)assume y=5# (vx,vy,vz) = if vy=k5 then (, , ) else (vx, 5, vz)R1 R5 = (a1, b1, c1) (a5, b5, c5) = (a1a5, b1b5, c1c5)
0-1-2 1 2 ......
CP lattice for a single variable
![Page 92: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/92.jpg)
92
Chaotic iteration for CP: initialization
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2=(, , )R2R2
R3=(, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1=(, , )
R5=(, , )
R0=(, , )
WL = {R0, R1, R2, R3, R4, R5, R6}
![Page 93: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/93.jpg)
93
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2=(, , )R2R2
R3=(, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1=(, , )
R5=(, , )
R0=(, , )
WL = {R1, R2, R3, R4, R5, R6}
![Page 94: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/94.jpg)
94
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2=(, , )R2R2
R3=(, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1=(4, , )
R5=(, , )
R0=(, , )
WL = {R2, R3, R4, R5, R6}
![Page 95: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/95.jpg)
95
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2=(, , )R2R2
R3=(, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1=(4, , )
R5=(, , )
R0=(, , )
0-1-2 1 2 ......
3 4
WL = {R2, R3, R4, R5, R6}
![Page 96: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/96.jpg)
96
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2=(4, , )R2R2
R3=(, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1=(4, , )
R5=(, , )
R0=(, , )
0-1-2 1 2 ......
3 4
WL = {R2, R3, R4, R5, R6}
![Page 97: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/97.jpg)
97
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2=(4, , )R2R2
R3=(, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R1=(4, , )
R5=(, , )
R0=(, , )
WL = {R3, R4, R5, R6}
![Page 98: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/98.jpg)
98
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2
R3=(4, , )
R4=(, , )
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R5=(, , )
R1=(4, , )
R0=(, , )
R2=(4, , )
WL = {R4, R5, R6}
![Page 99: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/99.jpg)
99
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2
R3=(4, , )
R4=(4, , 4)
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R5=(, , )
R1=(4, , )
R0=(, , )
R2=(4, , )
WL = {R5, R6}
![Page 100: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/100.jpg)
100
Chaotic iteration for CP
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2
R6=(, , )
R0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
R5=(4, , 4)
R4=(4, , 4)
R3=(4, , )
R1=(4, , )
R0=(, , )
R2=(4, , )R2=(4, , )
WL = {R2, R6}
added R2 back to worklist since it depends on R5
![Page 101: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/101.jpg)
101
Chaotic iteration for CPR0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2
R6=(, , )
R5=(4, , 4)
R4=(4, , 4)
R3=(4, , )
R1=(4, , )
R0=(, , )
R2=(4, , )
WL = {R6}
![Page 102: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/102.jpg)
102
Chaotic iteration for CPR0 = R1 = x:=4# R0
R2 = R1 R5
R3 = assume y5# R2
R4 = z:=x# R3
R5 = x:=4# R4
R6 = assume y=5# R2
x := 4
if (*)
assume y5
assume y=5
z := x
x := 4
entry
exit
R2R2
R6=(4, 5, )
R5=(4, , 4)
R4=(4, , 4)
R3=(4, , )
R1=(4, , )
R0=(, , )
R2=(4, , )
Fixed-point
WL = {}
In practice maintaina worklist of nodes
![Page 103: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/103.jpg)
103
Chaotic iteration for static analysis• Specialize chaotic iteration for programs• Create a CFG for program• Choose a cpo of properties for the static analysis to infer: L
= (D, , , )• Define variables R[0,…,n] for input/output of each CFG node
such that R[i] D• For each node v let vout be the variable at the output of that
node:vout = F[v]( u | (u,v) is a CFG edge)– Make sure each F[v] is monotone
• Variable dependence determined by outgoing edges in CFG
![Page 104: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/104.jpg)
104
Complexity of chaotic iteration• Parameters:
– n the number of CFG nodes– k is the maximum in-degree of edges – Height h of lattice L– c is the maximum cost of
• Applying Fv
• • Checking fixed-point condition for lattice L
• Complexity: O(n h c k)• Incremental (worklist) algorithm reduces the n factor in factor
– Implement worklist by priority queue and order nodes by reversed topological order
![Page 105: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/105.jpg)
105
Required knowledge
Collecting semanticsAbstract semantics (over lattices)Algorithm to compute abstract semantics
(chaotic iteration)• Connection between collecting semantics and
abstract semantics• Abstract transformers
![Page 106: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/106.jpg)
106
Recap• We defined a reference semantics –
the collecting semantics• We defined an abstract semantics for a given lattice and
abstract transformers• We defined an algorithm to compute abstract least fixed-point
when transformers are monotone and lattice obeys ACC• Questions:1. What is the connection between the two least fixed-points?2. Transformer monotonicity is required for termination – what
should we require for correctness?
![Page 107: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/107.jpg)
107
Recap• We defined a reference semantics –
the collecting semantics• We defined an abstract semantics for a given lattice and
abstract transformers• We defined an algorithm to compute abstract least fixed-point
when transformers are monotone and lattice obeys ACC• Questions:1. What is the connection between the two least fixed-points?2. Transformer monotonicity is required for termination – what
should we require for correctness?
![Page 108: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/108.jpg)
108
Galois Connection• Given two complete lattices
C = (DC, C, C, C, C, C) – concrete domainA = (DA, A, A, A, A, A) – abstract domain
• A Galois Connection (GC) is quadruple (C, , , A)that relates C and A via the monotone functions– The abstraction function : DC DA
– The concretization function : DA DC
• for every concrete element c DC
and abstract element a DA
( (a)) a and c ( (c))• Alternatively (c) a iff c (a)
![Page 109: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/109.jpg)
109
Galois Connection: c ((c))
1
c2(c)
3((c))
The most precise (least) element in A representing c
C A
![Page 110: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/110.jpg)
110
Galois Connection: ((a)) a
1
3((a))
2(a) a
C AWhat a represents in C(its meaning)
![Page 111: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/111.jpg)
111
Example: lattice of equalities
• Concrete lattice:C = (2State, , , , , State)
• Abstract lattice:EQ = { x=y | x, y Var}A = (2EQ, , , , EQ , )– Treat elements of A as both formulas and sets of constraints
• Useful for copy propagation – a compiler optimization•
(X) = ?(Y) = ?
![Page 112: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/112.jpg)
112
Example: lattice of equalities
• Concrete lattice:C = (2State, , , , , State)
• Abstract lattice:EQ = { x=y | x, y Var}A = (2EQ, , , , EQ , )– Treat elements of A as both formulas and sets of constraints
• Useful for copy propagation – a compiler optimization• (s) = ({s}) = { x=y | s x = s y} that is s x=y
(X) = {(s) | sX} = A {(s) | sX} (Y) = { s | s Y } = models(Y)
![Page 113: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/113.jpg)
113
Galois Connection: c ((c))
1
[x5, y5, z5]
2
x=x, y=y, z=z,x=y, y=x,x=z, z=x,y=z, z=y
3
…[x6, y6, z6][x5, y5, z5][x4, y4, z4]
…
4
x=x, y=y, z=z
The most precise (least) element in A representing [x5, y5, z5]
C A
![Page 114: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/114.jpg)
114
Most precise abstract representation
1c
5
C A
46
2
7 3 8
9
(c)
(c) = {c’ | c (c’)}
![Page 115: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/115.jpg)
115
Most precise abstract representation
1c
5
C A
46
2
7 3 8
9
(c)= x=x, y=y, z=z,x=y, y=x,x=z, z=x,y=z, z=y
(c) = {c’ | c (c’)}
[x5, y5, z5]
x=y, y=zx=y, z=y
x=y
![Page 116: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/116.jpg)
116
Galois Connection: ((a)) a
1
3x=x, y=y, z=z,x=y, y=x,x=z, z=x,y=z, z=y
2
…[x6, y6, z6][x5, y5, z5][x4, y4, z4]
…
x=y, y=z
What a represents in C(its meaning)
is called a semanticreduction
C A
![Page 117: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/117.jpg)
117
Galois Insertion a: ((a))=a
1x=x, y=y, z=z,x=y, y=x,x=z, z=x,y=z, z=y
2
…[x6, y6, z6][x5, y5, z5][x4, y4, z4]
…
C AHow can we obtain a Galois Insertion
from a Galois Connection?
All elementsare reduced
![Page 118: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/118.jpg)
118
Properties of a Galois Connection
• The abstraction and concretization functions uniquely determine each other:
(a) = {c | (c) a}(c) = {a | c (a)}
![Page 119: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/119.jpg)
119
Abstracting (disjunctive) sets
• It is usually convenient to first define the abstraction of single elements
(s) = ({s}) • Then lift the abstraction to sets of elements
(X) = A {(s) | sX}
![Page 120: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/120.jpg)
120
The case of symbolic domains• An important class of abstract domains are symbolic domains –
domains of formulas• C = (2State, , , , , State)
A = (DA, A, A, A, A, A)• If DA is a set of formulas then the abstraction of a state is defined
as (s) = ({s}) = A{ | s }
the least formula from DA that s satisfies• The abstraction of a set of states is
(X) = A { (s) | s X}• The concretization is
( ) = { s | s } = models( )
![Page 121: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/121.jpg)
121
Inducing along the connections
• Assume the complete latticesC = (DC, C, C, C, C, C) A = (DA, A, A, A, A, A)M = (DM, M, M, M, M, M)andGalois connectionsGCC,A=(C, C,A, A,C, A) and GCA,M=(A, A,M, M,A, M)
• Lemma: both connections induce theGCC,M= (C, C,M, M,C, M)
defined by C,M = C,A A,M and M,C = M,A A,C
![Page 122: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/122.jpg)
122
Inducing along the connections
1 C,A
A,C
c 2C,A(c)
5
C A
3
M
A,M
4
M,A
c’a’
=A,M(C,A(c))
![Page 123: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/123.jpg)
123
Sound abstract transformer
• Given two latticesC = (DC, C, C, C, C, C)A = (DA, A, A, A, A, A)and GCC,A=(C, , , A) with
• A concrete transformer f : DC DC
an abstract transformer f# : DA DA
• We say that f# is a sound transformer (w.r.t. f) if• c: f(c)=c’ (f#(c)) (c’)• For every a and a’ such that
(f((a))) A f#(a)
![Page 124: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/124.jpg)
124
Transformer soundness condition 1
1 2
C A
f 34f#
5
c: f(c)=c’ (f#(c)) (c’)
![Page 125: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/125.jpg)
125
Transformer soundness condition 2
C A
1 2
f#35f
4
a: f#(a)=a’ f((a)) (a’)
![Page 126: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/126.jpg)
126
Best (induced) transformer
C A
23f
f#(a)= (f((a)))
1 f#
4
Problem: incomputable directly
![Page 127: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/127.jpg)
127
Best abstract transformer [CC’77]
• Best in terms of precision– Most precise abstract transformer– May be too expensive to compute
• Constructively defined asf# = f
– Induced by the GC• Not directly computable because first step is
concretization• We often compromise for a “good enough” transformer– Useful tool: partial concretization
![Page 128: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/128.jpg)
128
Transformer example
• C = (2State, , , , , State)• EQ = { x=y | x, y Var}
A = (2EQ, , , , EQ , )• (s) = ({s}) = { x=y | s x = s y} that is s x=y
(X) = {(s) | sX} = A {(s) | sX} () = { s | s } = models()
• Concrete: x:=y X = { s[xs y] | sX}• Abstract: x:=y# X = ?
![Page 129: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/129.jpg)
129
Developing a transformer for EQ - 1
• Input has the form X = {a=b}• sp(x:=expr, ) = v. x=expr[v/x] [v/x]
• sp(x:=y, X) = v. x=y[v/x] {a=b}[v/x] = …• Let’s define helper notations:– EQ(X, y) = {y=a, b=y X}• Subset of equalities containing y
– EQc(X, y) = X \ EQ(X, y)• Subset of equalities not containing y
![Page 130: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/130.jpg)
130
Developing a transformer for EQ - 2
• sp(x:=y, X) = v. x=y[v/x] {a=b}[v/x] = …• Two cases– x is y: sp(x:=y, X) = X – x is different from y:
sp(x:=y, X) = v. x=y EQ)X, x)[v/x] EQc(X, x)[v/x] = x=y EQc(X, x) v. EQ)X, x)[v/x] x=y EQc(X, x)
• Vanilla transformer: x:=y#1 X = x=y EQc(X, x)
• Example: x:=y#1 {x=p, q=x, m=n} = {x=y, m=n}Is this the most precise result?
![Page 131: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/131.jpg)
131
Developing a transformer for EQ - 3
• x:=y#1 {x=p, x=q, m=n} = {x=y, m=n} {x=y, m=n, p=q}– Where does the information p=q come from?
• sp(x:=y, X) =x=y EQc(X, x) v. EQ)X, x)[v/x]
• v. EQ)X, x)[v/x] holds possible equalities between different a’s and b’s – how can we account for that?
![Page 132: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/132.jpg)
132
Developing a transformer for EQ - 4
• Define a reduction operator:Explicate(X) = if exist {a=b, b=c}X
but not {a=c} X then Explicate(X{a=c})elseX
• Define x:=y#2 = x:=y#1 Explicate• x:=y#2){x=p, x=q, m=n}) = {x=y, m=n, p=q}
is this the best transformer?
![Page 133: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/133.jpg)
133
Developing a transformer for EQ - 5
• x:=y#2 ){y=z}) = {x=y, y=z} {x=y, y=z, x=z}• Idea: apply reduction operator again after the vanilla
transformer• x:=y#3 = Explicate x:=y#1 Explicate • Observation : after the first time we apply Explicate, all
subsequent values will be in the image of the abstraction so really we only need to apply it once to the input
• Finally: x:=y#(X) = Explicate x:=y#1
– Best transformer for reduced elements (elements in the image of the abstraction)
![Page 134: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/134.jpg)
134
Negative property of best transformers
• Let f# = f • Best transformer does not compose
(f(f((a)))) f#(f#(a))
![Page 135: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/135.jpg)
135
(f(f((a)))) f#(f#(a))
C A
23f
1 f#
6
54
f
7
f#
8
9
f
![Page 136: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/136.jpg)
136
Soundness theorem 1
1. Given two complete latticesC = (DC, C, C, C, C, C)A = (DA, A, A, A, A, A)and GCC,A=(C, , , A) with
2. Monotone concrete transformer f : DC DC
3. Monotone abstract transformer f# : DA DA
4. a DA : f( (a)) (f#(a))Then
lfp(f) (lfp(f#)) (lfp(f)) lfp(f#)
![Page 137: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/137.jpg)
137
Soundness theorem 1
C A
f
fn …
lpf(f)
f2 f3
f#n
…
lpf(f#)
f#2 f#3
f#
aDA : f((a)) (f#(a)) aDA : fn((a)) (f#n(a)) aDA : lfp(fn)((a)) (lfp(f#n)(a)) lfp(f) lfp(f#)
![Page 138: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/138.jpg)
138
Soundness theorem 2
1. Given two complete latticesC = (DC, C, C, C, C, C)A = (DA, A, A, A, A, A)and GCC,A=(C, , , A) with
2. Monotone concrete transformer f : DC DC
3. Monotone abstract transformer f# : DA DA
4. c DC : (f(c)) f#( (c))Then
(lfp(f)) lfp(f#)lfp(f) (lfp(f#))
![Page 139: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/139.jpg)
139
Soundness theorem 2
C A
f
fn …
lpf(f)
f2 f3
f#n
…
lpf(f#)
f#2 f#3
f#
c DC : (f(c)) f#((c)) c DC : (fn(c)) f#n((c)) c DC : (lfp(f)(c)) lfp(f#)((c)) lfp(f) lfp(f#)
![Page 140: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/140.jpg)
140
A recipe for a sound static analysis
• Define an “appropriate” operational semantics• Define “collecting” structural operational semantics • Establish a Galois connection between collecting
states and abstract states• Local correctness: show that the abstract
interpretation of every atomic statement is soundw.r.t. the collecting semantics
• Global correctness: conclude that the analysis is sound
![Page 141: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/141.jpg)
141
Completeness
• Local property:– forward complete: c: (f#(c)) = (f(c))– backward complete: a: f((a)) = (f#(a))
• A property of domain and the (best) transformer• Global property:– (lfp(f)) = lfp(f#)– lfp(f) = (lfp(f#))
• Very ideal but usually not possible unless we change the program model (apply strong abstraction) and/or aim for very simple properties
![Page 142: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/142.jpg)
142
Forward complete transformer
1 2
C A
f 34
f#
c: (f#(c)) = (f(c))
![Page 143: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/143.jpg)
143
Backward complete transformer
C A
1 2
f#35f
a: f((a)) = (f#(a))
![Page 144: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/144.jpg)
144
Global (backward) completeness
C A
f
fn …
lpf(f)
f2 f3
f#n
…
lpf(f#)
f#2 f#3
f#
a: f((a)) = (f#(a)) a: fn((a)) = (f#n(a)) aDA : lfp(fn)((a)) = (lfp(f#n)(a)) lfp(f) = lfp(f#)
![Page 145: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/145.jpg)
145
Global (forward) completeness
C A
f
fn …
lpf(f)
f2 f3
f#n
…
lpf(f#)
f#2 f#3
f#
c DC : (f(c)) = f#((c)) c DC : (fn(c)) = f#n((c)) c DC : (lfp(f)(c)) = lfp(f#)((c)) lfp(f) = lfp(f#)
![Page 146: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/146.jpg)
146
Three example analyses
• Abstract states are conjunctions of constraints• Variable Equalities– VE-factoids = { x=y | x, y Var} false
VE = (2VE-factoids, , , , false, )• Constant Propagation– CP-factoids = { x=c | x Var, c Z} false
CP = (2CP-factoids, , , , false, )• Available Expressions– AE-factoids = { x=y+z | x Var, y,z VarZ} false
A = (2AE-factoids, , , , false, )
![Page 147: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/147.jpg)
147
Lattice combinators reminder
• Cartesian Product– L1 = (D1, 1, 1, 1, 1, 1)
L2 = (D2, 2, 2, 2, 2, 2)– Cart(L1, L2) = (D1 D2, cart, cart, cart, cart, cart)
• Disjunctive completion– L = (D, , , , , )– Disj(L) = (2D, , , , , )
• Relational Product– Rel(L1, L2) = Disj(Cart(L1, L2))
![Page 148: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/148.jpg)
148
Cartesian product of complete lattices
• For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)
• Define the posetLcart = (D1 D2, cart, cart, cart, cart, cart)as follows:– (x1, x2) cart (y1, y2) iff
x1 1 y1 andx2 2 y2
– cart = ? cart = ? cart = ? cart = ?
• Lemma: L is a complete lattice• Define the Cartesian constructor Lcart = Cart(L1, L2)
![Page 149: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/149.jpg)
149
Cartesian product of GCs
• GCC,A=(C, C,A, A,C, A)GCC,B=(C, C,B, B,C, B)
• Cartesian ProductGCC,AB = (C, C,AB, AB,C, AB)
– C,AB(X)= ?– AB,C(Y) = ?
![Page 150: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/150.jpg)
150
Cartesian product of GCs
• GCC,A=(C, C,A, A,C, A)GCC,B=(C, C,B, B,C, B)
• Cartesian ProductGCC,AB = (C, C,AB, AB,C, AB)
– C,AB(X) = (C,A(X), C,B(X))– AB,C(Y) = A,C(X) B,C(X)
• What about transformers?
![Page 151: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/151.jpg)
151
Cartesian product transformers
• GCC,A=(C, C,A, A,C, A) FA[st] : A AGCC,B=(C, C,B, B,C, B) FB[st] : B B
• Cartesian ProductGCC,AB = (C, C,AB, AB,C, AB)
– C,AB(X) = (C,A(X), C,B(X))– AB,C(Y) = A,C(X) B,C(X)
• How should we define FAB[st] : AB AB
![Page 152: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/152.jpg)
152
Cartesian product transformers
• GCC,A=(C, C,A, A,C, A) FA[st] : A AGCC,B=(C, C,B, B,C, B) FB[st] : B B
• Cartesian ProductGCC,AB = (C, C,AB, AB,C, AB)
– C,AB(X) = (C,A(X), C,B(X))– AB,C(Y) = A,C(X) B,C(X)
• How should we define FAB[st] : AB AB• Idea: FAB[st](a, b) = (FA[st] a, FB[st] b)• Are component-wise transformers precise?
![Page 153: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/153.jpg)
153
Cartesian product analysis example• Abstract interpreter 1: Constant Propagation• Abstract interpreter 2: Variable Equalities• Let’s compare
– Running them separately and combining results– Running the analysis with their Cartesian product
a := 9;b := 9;c := a;
a := 9;b := 9;c := a;
CP analysis VE analysis{a=9}{a=9, b=9}{a=9, b=9, c=9}
{}{}{c=a}
![Page 154: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/154.jpg)
154
Cartesian product analysis example• Abstract interpreter 1: Constant Propagation• Abstract interpreter 2: Variable Equalities• Let’s compare
– Running them separately and combining results– Running the analysis with their Cartesian product
CP analysis + VE analysisa := 9;b := 9;c := a;
{a=9}{a=9, b=9}{a=9, b=9, c=9, c=a}
![Page 155: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/155.jpg)
155
Cartesian product analysis example• Abstract interpreter 1: Constant Propagation• Abstract interpreter 2: Variable Equalities• Let’s compare
– Running them separately and combining results– Running the analysis with their Cartesian product
CPVE analysisMissing
{a=b, b=c}
a := 9;b := 9;c := a;
{a=9}{a=9, b=9}{a=9, b=9, c=9, c=a}
![Page 156: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/156.jpg)
156
Transformers for Cartesian product
• Naïve (component-wise) transformers do not utilize information from both components– Same as running analyses separately and then
combining results• Can we treat transformers from each analysis
as black box and obtain best transformer for their combination?
![Page 157: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/157.jpg)
157
Can we combine transformer modularly?
• No generic method for any abstract interpretations
![Page 158: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/158.jpg)
158
Reducing values for CPVE
• X = set of CP constraints of the form x=c(e.g., a=9)
• Y = set of VE constraints of the form x=y• ReduceCPVE(X, Y) = (X’, Y’) such that
(X’, Y’) (X’, Y’)• Ideas?
![Page 159: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/159.jpg)
159
Reducing values for CPVE• X = set of CP constraints of the form x=c
(e.g., a=9)• Y = set of VE constraints of the form x=y• ReduceCPVE(X, Y) = (X’, Y’) such that
(X’, Y’) (X’, Y’)• ReduceRight:
– if a=b X and a=c Y then add b=c to Y• ReduceLeft:
– If a=c and b=c Y then add a=b to X• Keep applying ReduceLeft and ReduceRight and reductions
on each domain separately until reaching a fixed-point
![Page 160: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/160.jpg)
160
Transformers for Cartesian product
• Do we get the best transformer by applying component-wise transformer followed by reduction?– Unfortunately, no (what’s the intuition?)– Can we do better?– Logical Product [Gulwani and Tiwari, PLDI 2006]
![Page 161: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/161.jpg)
161
Product vs. reduced productCPVE lattice
{a=9}{c=a} {c=9}{c=a}
{a=9, c=9}{c=a}{[a9, c 9]}
collecting lattice
{}
![Page 162: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/162.jpg)
162
Reduced product
• For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)
• Define the reduced posetD1D2 = {(d1,d2)D1D2 | (d1,d2) = (d1,d2) } L1L2 = (D1D2, cart, cart, cart, cart, cart)
![Page 163: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/163.jpg)
163
Transformers for Cartesian product
• Do we get the best transformer by applying component-wise transformer followed by reduction?– Unfortunately, no (what’s the intuition?)– Can we do better?– Logical Product [Gulwani and Tiwari, PLDI 2006]
![Page 164: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/164.jpg)
164
![Page 165: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/165.jpg)
165
Logical product--
• Assume A=(D,…) is an abstract domain that supports two operations: for xD– inferEqualities(x) = { a=b | (x) a=b }
returns a set of equalities between variables that are satisfied in all states given by x
– refineFromEqualities(x, {a=b}) = ysuch that• (x)=(y)• y x
![Page 166: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/166.jpg)
166
Developing a transformer for EQ - 1
• Input has the form X = {a=b}• sp(x:=expr, ) = v. x=expr[v/x] [v/x]
• sp(x:=y, X) = v. x=y[v/x] {a=b}[v/x] = …• Let’s define helper notations:– EQ(X, y) = {y=a, b=y X}• Subset of equalities containing y
– EQc(X, y) = X \ EQ(X, y)• Subset of equalities not containing y
![Page 167: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/167.jpg)
167
Developing a transformer for EQ - 2
• sp(x:=y, X) = v. x=y[v/x] {a=b}[v/x] = …• Two cases
– x is y: sp(x:=y, X) = X – x is different from y:
sp(x:=y, X) = v. x=y EQ)X, x)[v/x] EQc(X, x)[v/x] = x=y EQc(X, x) v. EQ)X, x)[v/x] x=y EQc(X, x)
• Vanilla transformer: x:=y#1 X = x=y EQc(X, x)
• Example: x:=y#1 {x=p, q=x, m=n} = {x=y, m=n}Is this the most precise result?
![Page 168: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/168.jpg)
168
Developing a transformer for EQ - 3
• x:=y#1 {x=p, x=q, m=n} = {x=y, m=n} {x=y, m=n, p=q}– Where does the information p=q come from?
• sp(x:=y, X) =x=y EQc(X, x) v. EQ)X, x)[v/x]
• v. EQ)X, x)[v/x] holds possible equalities between different a’s and b’s – how can we account for that?
![Page 169: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/169.jpg)
169
Developing a transformer for EQ - 4
• Define a reduction operator:Explicate(X) = if exist {a=b, b=c}X
but not {a=c} X then Explicate(X{a=c})elseX
• Define x:=y#2 = x:=y#1 Explicate• x:=y#2){x=p, x=q, m=n}) = {x=y, m=n, p=q}
is this the best transformer?
![Page 170: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/170.jpg)
170
Developing a transformer for EQ - 5
• x:=y#2 ){y=z}) = {x=y, y=z} {x=y, y=z, x=z}• Idea: apply reduction operator again after the
vanilla transformer• x:=y#3 = Explicate x:=y#1 Explicate
![Page 171: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/171.jpg)
171
Logical Product-
basically the strongest postcondition
safely abstracting the existential quantifier
![Page 172: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/172.jpg)
172
Abstracting the existentialReduce the pair
Abstract away existential quantifier for each domain
![Page 173: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/173.jpg)
173
Example
![Page 174: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/174.jpg)
174
Information loss exampleif (…) b := 5else b := -5
if (b>0) b := b-5else b := b+5assert b==0
{}{b=5}
{b=-5}{b=}
{b=}
{b=}can’t prove
![Page 175: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/175.jpg)
175
Disjunctive completion of a lattice• For a complete lattice
L = (D, , , , , )• Define the powerset lattice
L = (2D, , , , , ) = ? = ? = ? = ? = ?
• Lemma: L is a complete lattice
• L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates
• Define the disjunctive completion constructorL = Disj(L)
![Page 176: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/176.jpg)
176
Disjunctive completion for GCs
• GCC,A=(C, C,A, A,C, A)GCC,B=(C, C,B, B,C, B)
• Disjunctive completionGCC,P(A) = (C, P(A), P(A), P(A))
– C,P(A)(X) = ?– P(A),C(Y) = ?
![Page 177: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/177.jpg)
177
Disjunctive completion for GCs
• GCC,A=(C, C,A, A,C, A)GCC,B=(C, C,B, B,C, B)
• Disjunctive completionGCC,P(A) = (C, P(A), P(A), P(A))
– C,P(A)(X) = {C,A({x}) | xX}– P(A),C(Y) = {P(A)(y) | yY}
• What about transformers?
![Page 178: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/178.jpg)
178
Information loss exampleif (…) b := 5else b := -5
if (b>0) b := b-5else b := b+5assert b==0
{}{b=5}
{b=-5}{b=5 b=-5}
{b=0}
{b=0}proved
![Page 179: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/179.jpg)
179
The base lattice CP
{x=0}
true
{x=-1}{x=-2} {x=1} {x=2} ……
false
![Page 180: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/180.jpg)
180
The disjunctive completion of CP
{x=0}
true
{x=-1}{x=-2} {x=1} {x=2} ……
false
{x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2}… … …
{x=0 x=1x=2}{x=-1 x=1x=-2}… ………
What is the height of this lattice?
![Page 181: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/181.jpg)
181
Taming disjunctive completion• Disjunctive completion is very precise
– Maintains correlations between states of different analyses– Helps handle conditions precisely– But very expensive – number of abstract states grows
exponentially– May lead to non-termination
• Base analysis (usually product) is less precise– Analysis terminates if the analyses of each component
terminates• How can we combine them to get more precision yet
ensure termination and state explosion?
![Page 182: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/182.jpg)
182
Taming disjunctive completion
• Use different abstractions for different program locations– At loop heads use coarse abstraction (base)– At other points use disjunctive completion
• Termination is guaranteed (by base domain)• Precision increased inside loop body
![Page 183: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/183.jpg)
183
With Disj(CP)while (…) { if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5 assert b==0}
Doesn’t terminate
![Page 184: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/184.jpg)
184
With tamed Disj(CP)while (…) { if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5 assert b==0}
terminates
CP
Disj(CP)
What MultiCartDomain implements
![Page 185: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/185.jpg)
185
Reducing disjunctive elements
• A disjunctive set X may contain within it an ascending chain Y=a b c…
• We only need max(Y) – remove all elements below
![Page 186: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/186.jpg)
186
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = ?
![Page 187: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/187.jpg)
187
Relational product of lattices
• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)
• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = Disj(Cart(L1, L2))
• Lemma: L is a complete lattice• What does it buy us?– How is it relative to Cart(Disj(L1), Disj(L2))?
• What about transformers?
![Page 188: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/188.jpg)
188
Relational product of GCs
• GCC,A=(C, C,A, A,C, A)GCC,B=(C, C,B, B,C, B)
• Relational ProductGCC,P(AB) = (C, C,P(AB), P(AB),C, P(AB))
– C,P(AB)(X) = ?– P(AB),C(Y) = ?
![Page 189: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/189.jpg)
189
Relational product of GCs
• GCC,A=(C, C,A, A,C, A)GCC,B=(C, C,B, B,C, B)
• Relational ProductGCC,P(AB) = (C, C,P(AB), P(AB),C, P(AB))
– C,P(AB)(X) = {(C,A({x}), C,B({x})) | xX}– P(AB),C(Y) = {A,C(yA) B,C(yB) | (yA,yB)Y}
![Page 190: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/190.jpg)
190
Cartesian product example
Correlations preserved
![Page 191: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/191.jpg)
191
Function space• GCC,A=(C, C,A, A,C, A)
GCC,B=(C, C,B, B,C, B)• Denote the set of monotone functions from A to B by AB• Define for elements of AB as follows
(a1, b1) (a2, b2) = if a1=a2 then {(a1, b1B b1)} else {(a1, b1), (a2, b2)}
• Reduced cardinal powerGCC,AB = (C, C,AB, AB,C, AB)
– C,AB(X) = {(C,A({x}), C,B({x})) | xX}– AB,C(Y) = {A,C(yA) B,C(yB) | (yA,yB)Y}
• Useful when A is small and B is much larger– E.g., typestate verification
![Page 192: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/192.jpg)
192
Widening/Narrowing
![Page 193: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/193.jpg)
193
How can we prove this automatically?
RelProd(CP, VE)
![Page 194: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/194.jpg)
194
Intervals domain
• One of the simplest numerical domains• Maintain for each variable x an interval [L,H]– L is either an integer of -– H is either an integer of +
• A (non-relational) numeric domain
![Page 195: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/195.jpg)
195
Intervals lattice for variable x
[0,0][-1,-1][-2,-2] [1,1] [2,2] ......
[-,+]
[0,1] [1,2] [2,3][-1,0][-2,-1]
[-10,10]
[1,+][-,0]
... ...
[2,+][0,+][-,-1][-,-1]... ...
[-20,10]
![Page 196: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/196.jpg)
196
Intervals lattice for variable x
• Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}• • =[-,+]• = ?– [1,2] [3,4] ?– [1,4] [1,3] ?– [1,3] [1,4] ?– [1,3] [-,+] ?
• What is the lattice height?
![Page 197: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/197.jpg)
197
Intervals lattice for variable x
• Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}• • =[-,+]• = ?– [1,2] [3,4] no– [1,4] [1,3] no– [1,3] [1,4] yes– [1,3] [-,+] yes
• What is the lattice height? Infinite
![Page 198: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/198.jpg)
198
Joining/meeting intervals
• [a,b] [c,d] = ?– [1,1] [2,2] = ?– [1,1] [2, +] = ?
• [a,b] [c,d] = ?– [1,2] [3,4] = ?– [1,4] [3,4] = ?– [1,1] [1,+] = ?
• Check that indeed xy if and only if xy=y
![Page 199: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/199.jpg)
199
Joining/meeting intervals
• [a,b] [c,d] = [min(a,c), max(b,d)]– [1,1] [2,2] = [1,2]– [1,1] [2,+] = [1,+]
• [a,b] [c,d] = [max(a,c), min(b,d)] if a proper interval and otherwise – [1,2] [3,4] = – [1,4] [3,4] = [3,4]– [1,1] [1,+] = [1,1]
• Check that indeed xy if and only if xy=y
![Page 200: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/200.jpg)
200
Interval domain for programs
• Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}• For a program with variables Var={x1,…,xk}• Dint[Var] = ?
![Page 201: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/201.jpg)
201
Interval domain for programs
• Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}• For a program with variables Var={x1,…,xk}
• Dint[Var] = Dint[x1] … Dint[xk]• How can we represent it in terms of formulas?
![Page 202: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/202.jpg)
202
Interval domain for programs
• Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}• For a program with variables Var={x1,…,xk}
• Dint[Var] = Dint[x1] … Dint[xk]• How can we represent it in terms of formulas?– Two types of factoids xc and xc– Example: S = {x9, y5, y10}– Helper operations• c + + = +• remove(S, x) = S without any x-constraints• lb(S, x) =
![Page 203: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/203.jpg)
203
Assignment transformers• x := c# S = ?• x := y# S = ?• x := y+c# S = ?• x := y+z# S = ?• x := y*c# S = ?• x := y*z# S = ?
![Page 204: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/204.jpg)
204
Assignment transformers• x := c# S = remove(S,x) {xc, xc}• x := y# S = remove(S,x) {xlb(S,y), xub(S,y)}• x := y+c# S = remove(S,x) {xlb(S,y)+c, xub(S,y)+c}• x := y+z# S = remove(S,x) {xlb(S,y)+lb(S,z),
xub(S,y)+ub(S,z)}• x := y*c# S = remove(S,x) if c>0 {xlb(S,y)*c,
xub(S,y)*c} else {xub(S,y)*-c, xlb(S,y)*-c}
• x := y*z# S = remove(S,x) ?
![Page 205: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/205.jpg)
205
assume transformers• assume x=c# S = ?• assume x<c# S = ?• assume x=y# S = ?• assume xc# S = ?
![Page 206: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/206.jpg)
206
assume transformers• assume x=c# S = S {xc, xc}• assume x<c# S = S {xc-1}• assume x=y# S = S {xlb(S,y), xub(S,y)}• assume xc# S = ?
![Page 207: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/207.jpg)
207
assume transformers• assume x=c# S = S {xc, xc}• assume x<c# S = S {xc-1}• assume x=y# S = S {xlb(S,y), xub(S,y)}• assume xc# S = (S {xc-1}) (S {xc+1})
![Page 208: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/208.jpg)
208
Effect of function f on lattice elements• L = (D, , , , , )• f : D D monotone• Fix(f) = { d | f(d) = d }• Red(f) = { d | f(d) d }• Ext(f) = { d | d f(d) }• Theorem [Tarski 1955]– lfp(f) = Fix(f) = Red(f) Fix(f)– gfp(f) = Fix(f) = Ext(f) Fix(f)
Red(f)
Ext(f)
Fix(f)
lfp
gfp
fn()
fn()
![Page 209: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/209.jpg)
209
Effect of function f on lattice elements• L = (D, , , , , )• f : D D monotone• Fix(f) = { d | f(d) = d }• Red(f) = { d | f(d) d }• Ext(f) = { d | d f(d) }• Theorem [Tarski 1955]– lfp(f) = Fix(f) = Red(f) Fix(f)– gfp(f) = Fix(f) = Ext(f) Fix(f)
Red(f)
Ext(f)
Fix(f)
lfp
gfp
fn()
fn()
![Page 210: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/210.jpg)
210
Continuity and ACC condition
• Let L = (D, , , ) be a complete partial order– Every ascending chain has an upper bound
• A function f is continuous if for every increasing chain Y D*,
f(Y) = { f(y) | yY }• L satisfies the ascending chain condition (ACC)
if every ascending chain eventually stabilizes:d0 d1 … dn = dn+1 = …
![Page 211: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/211.jpg)
211
Fixed-point theorem [Kleene]
• Let L = (D, , , ) be a complete partial order and a continuous function f: D D then
lfp(f) = nN fn()
![Page 212: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/212.jpg)
212
Resulting algorithm • Kleene’s fixed point theorem
gives a constructive method for computing the lfp
lfpfn()
f()f2()
…d := while f(d) d do d := d f(d)return d
Algorithm
lfp(f) = nN fn()Mathematical definition
![Page 213: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/213.jpg)
213
Chaotic iteration• Input:
– A cpo L = (D, , , ) satisfying ACC– Ln = L L … L– A monotone function f : Dn Dn – A system of equations { X[i] | f(X) | 1 i n }
• Output: lfp(f)• A worklist-based algorithm
for i:=1 to n do X[i] := WL = {1,…,n}while WL do j := pop WL // choose index non-deterministically N := F[i](X) if N X[i] then X[i] := N add all the indexes that directly depend on i to WL (X[j] depends on X[i] if F[j] contains X[i])return X
![Page 214: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/214.jpg)
214
Concrete semantics equations
• R[0] = {xZ} R[1] = x:=7R[2] = R[1] R[4]R[3] = R[2] {s | s(x) < 1000}R[4] = x:=x+1 R[3]R[5] = R[2] {s | s(x) 1000} R[6] = R[5] {s | s(x) 1001}
R[0]R[2]R[3] R[4]
R[1]
R[5]R[6]
![Page 215: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/215.jpg)
215
Abstract semantics equations
• R[0] = ({xZ}) R[1] = x:=7#
R[2] = R[1] R[4]R[3] = R[2] ({s | s(x) < 1000})R[4] = x:=x+1# R[3]R[5] = R[2] ({s | s(x) 1000})R[6] = R[5] ({s | s(x) 1001}) R[5] ({s | s(x) 999})
R[0]R[2]R[3] R[4]
R[1]
R[5]R[6]
![Page 216: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/216.jpg)
216
Abstract semantics equations
• R[0] = R[1] = [7,7] R[2] = R[1] R[4]R[3] = R[2] [-,999]R[4] = R[3] + [1,1]R[5] = R[2] [1000,+] R[6] = R[5] [999,+] R[5] [1001,+]
R[0]R[2]R[3] R[4]
R[1]
R[5]R[6]
![Page 217: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/217.jpg)
217
Too many iterations to converge
![Page 218: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/218.jpg)
218
How many iterations for this one?
![Page 219: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/219.jpg)
219
Widening
• Introduce a new binary operator to ensure termination– A kind of extrapolation
• Enables static analysis to use infinite height lattices– Dynamically adapts to given program
• Tricky to design• Precision less predictable then with finite-
height domains (widening non-monotone)
![Page 220: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/220.jpg)
220
Formal definition• For all elements d1 d2 d1 d2 • For all ascending chains d0 d1 d2 …
the following sequence is finite– y0 = d0 – yi+1 = yi di+1
• For a monotone function f : DD define– x0 = – xi+1 = xi f(xi )
• Theorem:– There exits k such that xk+1 = xk
– xkRed(f) = { d | dD and f(d) d }
![Page 221: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/221.jpg)
221
Analysis with finite-height lattice
A
f#n = lpf(f#) …
f#2 f#3
f#
Red(f)
Fix(f)
![Page 222: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/222.jpg)
222
Analysis with widening
A
f#2 f#3
f#2 f#3
f#
Red(f)
Fix(f) lpf(f#)
![Page 223: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/223.jpg)
223
Widening for Intervals Analysis
• [c, d] = [c, d]• [a, b] [c, d] = [
if a cthen aelse -,
if b dthen belse
![Page 224: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/224.jpg)
224
Semantic equations with widening
• R[0] = R[1] = [7,7] R[2] = R[1] R[4]R[2.1] = R[2.1] R[2]R[3] = R[2.1] [-,999]R[4] = R[3] + [1,1]R[5] = R[2] [1001,+] R[6] = R[5] [999,+] R[5] [1001,+]
R[0]R[2]R[3] R[4]
R[1]
R[5]R[6]
![Page 225: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/225.jpg)
225
Choosing analysis with widening
Enable widening
![Page 226: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/226.jpg)
Non monotonicity of widening
• [0,1] [0,2] = ?• [0,2] [0,2] = ?
![Page 227: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/227.jpg)
Non monotonicity of widening
• [0,1] [0,2] = [0, ]• [0,2] [0,2] = [0,2]
![Page 228: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/228.jpg)
228
Analysis results with widening
Did we prove it?
![Page 229: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/229.jpg)
229
Analysis with narrowing
A
f#2 f#3
f#2 f#3
f#
Red(f)
Fix(f) lpf(f#)
![Page 230: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/230.jpg)
Formal definition of narrowing• Improves the result of widening• y x y (x y) x• For all decreasing chains x0 x1 …
the following sequence is finite– y0 = x0
– yi+1 = yi xi+1
• For a monotone function f: DDand xkRed(f) = { d | dD and f(d) d }define– y0 = x– yi+1 = yi f(yi )
• Theorem:– There exits k such that yk+1 =yk
– ykRed(f) = { d | dD and f(d) d }
![Page 231: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/231.jpg)
Narrowing for Interval Analysis • [a, b] = [a, b]• [a, b] [c, d] = [
if a = - then celse a,
if b = then delse b
]
![Page 232: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/232.jpg)
232
Semantic equations with narrowing
• R[0] = R[1] = [7,7] R[2] = R[1] R[4]R[2.1] = R[2.1] R[2]R[3] = R[2.1] [-,999]R[4] = R[3]+[1,1]R[5] = R[2]# [1000,+] R[6] = R[5] [999,+] R[5] [1001,+]
R[0]R[2]R[3] R[4]
R[1]
R[5]R[6]
![Page 233: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/233.jpg)
233
Analysis with widening/narrowing• Two phases– Phase 1: analyze with
widening until converging
– Phase 2: use values to analyze with narrowing
Phase 2:R[0] = R[1] = [7,7] R[2] = R[1] R[4]R[2.1] = R[2.1] R[2]R[3] = R[2.1] [-,999]R[4] = R[3]+[1,1]R[5] = R[2]# [1000,+] R[6] = R[5] [999,+] R[5] [1001,+]
Phase 1:R[0] = R[1] = [7,7] R[2] = R[1] R[4]R[2.1] = R[2.1] R[2]R[3] = R[2.1] [-,999]R[4] = R[3] + [1,1]R[5] = R[2] [1001,+] R[6] = R[5] [999,+] R[5] [1001,+]
![Page 234: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/234.jpg)
234
Analysis with widening/narrowing
![Page 235: Noam Rinetzky Lecture 9: Abstract Interpretation II](https://reader038.vdocument.in/reader038/viewer/2022103102/5681671c550346895ddb9502/html5/thumbnails/235.jpg)
235
Analysis results widening/narrowing
Precise invariant