
Noam Rinetzky Lecture 9: Abstract Interpretation II

Program Analysis and Verification 0368-4479, http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky, Lecture 9: Abstract Interpretation II. Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav.



  1. Program Analysis and Verification 0368-4479, http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html • Noam Rinetzky • Lecture 9: Abstract Interpretation II • Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

  2. From verification to analysis • Manual program verification • Verifier provides assertions • Loop invariants • Program analysis • Automatic program verification • Tool automatically synthesizes assertions • Finds loop invariants

  3. Abstract Interpretation [Cousot’77] • Mathematical foundation of static analysis

  4. Abstract Interpretation [Cousot’77] • Mathematical framework for approximating semantics (aka abstraction) • Allows designing sound static analysis algorithms • Usually computed by iterating to a fixed point • Computes (loop) invariants • Can be interpreted as axiomatic verification assertions • Generalizes Hoare Logic & WP / SP calculus

  5. Abstract Interpretation [Cousot’77] • Mathematical foundation of static analysis • Abstract domains • Abstract states ~ Assertions • Join (⊔) ~ Weakening • Transformer functions • Abstract steps ~ Axioms • Chaotic iteration • Structured Programs ~ Control-flow graphs • Abstract computation ~ Loop invariants

  6. Concrete Semantics [figure: a statement S maps a set of states to a set of states under the operational (concrete) semantics]

  7. Conservative Semantics [figure: a conservative semantics of S maps a set of states to a superset (⊇) of the set of states produced by the operational (concrete) semantics]

  8. Abstract (conservative) interpretation generalizes axiomatic verification [figure: the operational (concrete) semantics of S acts on sets of states, the abstract semantics on their abstract representations, the two levels related by abstraction; the abstract representations play the role of P and Q in {P} S {Q}, and the abstract step the role of sp(S, P)]

  9. Abstract (conservative) interpretation [figure: as slide 8, but the two levels are now related by concretization: the set of states produced by the operational (concrete) semantics of S is ⊆ the concretization of the abstract result]

  10. Abstract (conservative) interpretation [figure: the same diagram, with the abstract representations now called abstract states and the abstract semantics called the transfer function; concrete result ⊆ concretization of the abstract result]

  11. Abstract Interpretation [Cousot’77] • Mathematical foundation of static analysis • Abstract domains • Abstract states ~ Assertions • Join (⊔) ~ Weakening • Transformer functions • Abstract steps ~ Axioms • Chaotic iteration • Abstract computation ~ Loop invariants • Structured Programs ~ Control-flow graphs • Lattices (D, ⊑, ⊔, ⊓, ⊥, ⊤) • Monotonic functions • Fixpoints

  12. A taxonomy of semantic domain types • Complete lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤) • Lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤) • Join semilattice (D, ⊑, ⊔, ⊥) • Meet semilattice (D, ⊑, ⊓, ⊤) • Complete partial order (CPO) (D, ⊑, ⊔) • Partial order (poset) (D, ⊑) • Preorder (D, ⊑)

  13. Preorder • We say that a binary order relation ⊑ over a set D is a preorder if the following conditions hold for every d, d’, d’’ ∈ D • Reflexive: d ⊑ d • Transitive: d ⊑ d’ and d’ ⊑ d’’ implies d ⊑ d’’

  14. Preorder • We say that a binary order relation ⊑ over a set D is a preorder if the following conditions hold for every d, d’, d’’ ∈ D • Reflexive: d ⊑ d • Transitive: d ⊑ d’ and d’ ⊑ d’’ implies d ⊑ d’’ [Hasse diagram: d below d’ below d’’, illustrating d ⊑ d’ ⊑ d’’]

  16. Partial order • We say that a binary order relation ⊑ over a set D is a partial order if the following conditions hold for every d, d’, d’’ ∈ D • Reflexive: d ⊑ d • Transitive: d ⊑ d’ and d’ ⊑ d’’ implies d ⊑ d’’ • Anti-symmetric: d ⊑ d’ and d’ ⊑ d implies d = d’ [Hasse diagram: d below d’ below d’’]

  17. Chains • d ⊏ d’ means d ⊑ d’ and d ≠ d’ • An ascending chain is a sequence x1 ⊑ x2 ⊑ … ⊑ xk ⊑ … • A descending chain is a sequence x1 ⊒ x2 ⊒ … ⊒ xk ⊒ … • The height of a poset (D, ⊑) is the length of the longest strictly ascending chain d1 ⊏ d2 ⊏ … in D (infinite if there is no longest one)

  18. Poset Hasse diagram (for CP) [figure: the constant-propagation lattice for x: ⊤ at the top; below it the pairwise incomparable elements … {x=-2} {x=-1} {x=0} {x=1} {x=2} …; ⊥ at the bottom]

  19. Some poset-related terminology • If x ⊑ y (alternatively y ⊒ x) we can say • x is lower than y • x is more precise than y • x is more concrete than y • x under-approximates y • y is greater than x • y is less precise than x • y is more abstract than x • y over-approximates x

  20. Least upper bound (LUB) • (D, ⊑) is a poset • b ∈ D is an upper bound of A ⊆ D if ∀a ∈ A: a ⊑ b • b ∈ D is the least upper bound of A ⊆ D if • b is an upper bound of A • If b’ is an upper bound of A then b ⊑ b’ • Join: ⊔X = LUB of X (may not exist) • x ⊔ y = ⊔{x, y} (may not exist)

  21. Join operator • Properties of a join operator • Commutative: x ⊔ y = y ⊔ x • Associative: (x ⊔ y) ⊔ z = x ⊔ (y ⊔ z) • Idempotent: x ⊔ x = x • A kind of abstract union (disjunction) operator • Top element of (D, ⊑) is ⊤ = ⊔D

  22. Join Example [figure: joins computed on the CP lattice of slide 18 (⊤ above … {x=-2} {x=-1} {x=0} {x=1} {x=2} … above ⊥): the join of two different constants {x=i} ⊔ {x=j} is ⊤, while ⊥ ⊔ {x=i} = {x=i}]

  25. Greatest lower bound (GLB) • (D, ⊑) is a poset • b ∈ D is a lower bound of A ⊆ D if ∀a ∈ A: b ⊑ a • b ∈ D is the greatest lower bound of A ⊆ D if • b is a lower bound of A • If b’ is a lower bound of A then b’ ⊑ b • Meet: ⊓X = GLB of X (may not exist) • x ⊓ y = ⊓{x, y} (may not exist)

  26. Meet operator • Properties of a meet operator • Commutative: x ⊓ y = y ⊓ x • Associative: (x ⊓ y) ⊓ z = x ⊓ (y ⊓ z) • Idempotent: x ⊓ x = x • A kind of abstract intersection (conjunction) operator • Bottom element of (D, ⊑) is ⊥ = ⊓D

  27. Complete partial order (CPO) • A poset (D, ⊑) is a complete partial order if every ascending chain x1 ⊑ x2 ⊑ … ⊑ xk ⊑ … has a LUB

  28. Meet Example [figure: meets computed on the sign lattice (⊤ above x≤0 and x≥0, which are above x<0, x=0, x>0, which are above ⊥): x≤0 ⊓ x≥0 = x=0, and x<0 ⊓ x>0 = ⊥]

  32. Join semilattices • (D, ⊑, ⊔, ⊥) is a join semilattice if • (D, ⊑) is a partial order • ∀X ⊆FIN D . ⊔X is defined • A bottom element ⊥ (the join of the empty set, ⊔∅)

  33. Meet semilattices • (D, ⊑, ⊓, ⊤) is a meet semilattice if • (D, ⊑) is a partial order • ∀X ⊆FIN D . ⊓X is defined • A top element ⊤ (the meet of the empty set, ⊓∅)

  34. Lattices • (D, ⊑, ⊔, ⊓, ⊥, ⊤) is a lattice if • (D, ⊑, ⊔, ⊥) is a join semilattice • (D, ⊑, ⊓, ⊤) is a meet semilattice • A lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤) is a complete lattice if • ⊔X and ⊓Y are defined for arbitrary sets X, Y ⊆ D

  35. Example: Powerset lattices • (2^X, ⊆, ∪, ∩, ∅, X) is the powerset lattice of X • A complete lattice

  36. Example: Sign lattice [figure: ⊤ at the top; x≤0 and x≥0 below it; x<0, x=0, x>0 below those; ⊥ at the bottom]

  37. A taxonomy of semantic domain types • Complete lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤): join/meet exist for every subset of D • Lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤): join/meet exist for every finite subset of D (alternatively, binary join/meet) • Join semilattice (D, ⊑, ⊔, ⊥) and meet semilattice (D, ⊑, ⊓, ⊤): a lattice adds to the former the meet of the empty set (⊤) and to the latter the join of the empty set (⊥) • Complete partial order (CPO) (D, ⊑, ⊔): poset with LUB for all ascending chains • Partial order (poset) (D, ⊑): reflexive, transitive, anti-symmetric: d ⊑ d’ and d’ ⊑ d implies d = d’ • Preorder (D, ⊑): reflexive: d ⊑ d; transitive: d ⊑ d’, d’ ⊑ d’’ implies d ⊑ d’’
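The definitions of slides 13–37 (preorder, partial order, LUB/GLB that may not exist, chains and height, lattice, ⊤ = ⊔D and ⊥ = ⊓D), checked mechanically on small finite posets. This is an added example, not code from the lecture; the class name FinitePoset, the encoding of the slides' sign lattice as sets of possible signs (so that ⊑ is ⊆), and the two counter-example posets are ours.

```python
"""Finite posets as explicit order relations, so the definitions of preorder,
partial order, LUB/GLB, chains, height and lattice can be checked by machine.
Added example; FinitePoset and the helper names are ours, not the lecture's."""
from itertools import combinations


class FinitePoset:
    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq  # leq(a, b) encodes a ⊑ b

    def is_preorder(self):
        E = self.elements
        reflexive = all(self.leq(a, a) for a in E)
        transitive = all(self.leq(a, c) for a in E for b in E for c in E
                         if self.leq(a, b) and self.leq(b, c))
        return reflexive and transitive

    def is_partial_order(self):
        antisymmetric = all(a == b for a in self.elements for b in self.elements
                            if self.leq(a, b) and self.leq(b, a))
        return self.is_preorder() and antisymmetric

    def lub(self, subset):
        """Least upper bound of subset, or None when it does not exist."""
        ubs = [b for b in self.elements if all(self.leq(a, b) for a in subset)]
        least = [b for b in ubs if all(self.leq(b, c) for c in ubs)]
        return least[0] if least else None

    def glb(self, subset):
        """Greatest lower bound of subset, or None when it does not exist."""
        lbs = [b for b in self.elements if all(self.leq(b, a) for a in subset)]
        greatest = [b for b in lbs if all(self.leq(c, b) for c in lbs)]
        return greatest[0] if greatest else None

    def is_lattice(self):
        # binary join and meet for every pair (the finite case of ∀X ⊆FIN D)
        return self.is_partial_order() and all(
            self.lub([a, b]) is not None and self.glb([a, b]) is not None
            for a, b in combinations(self.elements, 2))

    def top(self):
        return self.lub(self.elements)  # ⊤ = ⊔D

    def bottom(self):
        return self.glb(self.elements)  # ⊥ = ⊓D

    def height(self):
        """Number of elements in the longest strictly ascending chain d1 ⊏ d2 ⊏ ..."""
        memo = {}

        def longest_from(a):
            if a not in memo:
                above = [b for b in self.elements if self.leq(a, b) and a != b]
                memo[a] = 1 + max((longest_from(b) for b in above), default=0)
            return memo[a]

        return max(longest_from(a) for a in self.elements)


# The slides' sign lattice, encoded as sets of possible signs so that ⊑ is ⊆.
# {'-', '+'} (x≠0) is deliberately absent, as on the slide, so x<0 ⊔ x>0 = ⊤.
SIGN = {name: frozenset(s) for name, s in [
    ("⊥", ""), ("x<0", "-"), ("x=0", "0"), ("x>0", "+"),
    ("x≤0", "-0"), ("x≥0", "0+"), ("⊤", "-0+")]}
SIGN_NAME = {v: k for k, v in SIGN.items()}
sign_lattice = FinitePoset(SIGN.values(), lambda a, b: a <= b)

# A preorder that is not a partial order: compare integers by absolute value
# (-1 ⊑ 1 and 1 ⊑ -1, yet -1 ≠ 1).
abs_preorder = FinitePoset([-1, 1, 2], lambda a, b: abs(a) <= abs(b))

# A poset in which {a, b} has two incomparable upper bounds c and d,
# so their LUB does not exist and the poset is not a lattice.
N_ORDER = {("a", "c"), ("a", "d"), ("b", "c"), ("b", "d")}
n_poset = FinitePoset("abcd", lambda p, q: p == q or (p, q) in N_ORDER)
```

The height reported for the sign lattice counts elements of the chain ⊥ ⊏ x<0 ⊏ x≤0 ⊏ ⊤, i.e. 4; if you prefer counting ⊏ steps, subtract one. The same class works for any finite domain given as a relation, which is how one sanity-checks a hand-built abstract domain before trusting a join on it.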

  38. Towards a recipe for static analysis

  39. Collecting semantics • For a set of program states State, we define the collecting lattice (2^State, ⊆, ∪, ∩, ∅, State) • The collecting semantics accumulates the (possibly infinite) sets of states generated during the execution • Not computable in general

  40. Abstract (conservative) interpretation [figure: the diagram of slide 9 again: abstract semantics on abstract representations, concretization down to sets of states, with the result of the operational (concrete) semantics of S ⊆ the concretization of the abstract result]

  41. Abstract (conservative) interpretation [figure, instantiated: the abstract semantics takes 0 < x through x = x - 1 to 0 ≤ x; the concretization of 0 < x is {x↦1, x↦2, …}, the operational (concrete) semantics of x = x - 1 turns it into {x↦0, x↦1, …}, which is ⊆ the concretization {x↦0, x↦1, …} of 0 ≤ x]

  42. Abstract (conservative) interpretation [figure: the abstract semantics takes 0 < x through x = x - 1 to ⊤; the concrete result {x↦0, x↦1, …} is ⊆ the concretization of ⊤, {…, x↦0, …} (every state), so the step is still conservative, only less precise]

  43. Abstract (non-conservative) interpretation [figure: the abstract semantics leaves 0 < x as 0 < x across x = x - 1; the concrete result {x↦0, x↦1, …} is ⊈ the concretization {x↦1, …} of 0 < x, because the state x↦0 is missed]
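Slides 41–43 in executable form, as an added example that is not part of the lecture: the sign lattice as sets of signs, a concretization γ enumerated on a constructed window of integers, the abstraction α, and a check of sp(S, γ(a)) ⊆ γ(f#(a)) for three transformers of x = x - 1 (the conservative one of slide 41, the coarse one of slide 42, the unsound one of slide 43). The transformer tables, the window bounds and every function name are ours; the best transformer is computed as α ∘ sp ∘ γ on that window.

```python
"""The sign lattice of the slides (⊥, x<0, x=0, x>0, x≤0, x≥0, ⊤) as sets of
possible signs, with concretization γ, abstraction α and a soundness check
sp(S, γ(a)) ⊆ γ(f#(a)) for abstract transformers of the statement x = x - 1.
Added example: the transformer tables, the integer window and the function
names are ours, not the lecture's."""

DOMAIN = {name: frozenset(s) for name, s in [
    ("⊥", ""), ("x<0", "-"), ("x=0", "0"), ("x>0", "+"),
    ("x≤0", "-0"), ("x≥0", "0+"), ("⊤", "-0+")]}
NAME = {v: k for k, v in DOMAIN.items()}


def sign(n):
    return "-" if n < 0 else "0" if n == 0 else "+"


def gamma(a, lo=-5, hi=5):
    """Concretization of an abstract state, enumerated on a constructed window
    [lo, hi] of integers (the real γ is the infinite set of all such x)."""
    return {n for n in range(lo, hi + 1) if sign(n) in a}


def alpha(states):
    """Best abstraction of a set of concrete states: the least domain element
    whose sign set covers every state (x<0 and x>0 together abstract to ⊤)."""
    signs = {sign(n) for n in states}
    return min((d for d in DOMAIN.values() if signs <= d), key=len)


def sp_dec(states):
    """Operational semantics of x = x - 1 lifted to sets of states (sp)."""
    return {n - 1 for n in states}


# Slide 41: the conservative transformer, 0 < x becomes 0 ≤ x.
CONSERVATIVE = {"⊥": "⊥", "x<0": "x<0", "x=0": "x<0", "x>0": "x≥0",
                "x≤0": "x<0", "x≥0": "⊤", "⊤": "⊤"}
# Slide 42: also conservative, but throws all information away.
COARSE = {name: ("⊥" if name == "⊥" else "⊤") for name in DOMAIN}
# Slide 43: the tempting but non-conservative transformer, 0 < x stays 0 < x.
UNSOUND = dict(CONSERVATIVE, **{"x>0": "x>0"})


def soundness_violation(transformer, lo=-5, hi=5):
    """Return (a, f#(a), escaping states) for the first abstract state whose
    concrete successors leave γ(f#(a)), or None if none is found on the window.
    A violation refutes soundness; None on a finite window is only evidence."""
    for name, a in DOMAIN.items():
        result = DOMAIN[transformer[name]]
        escaped = sorted(n for n in sp_dec(gamma(a, lo, hi)) if sign(n) not in result)
        if escaped:
            return name, transformer[name], escaped
    return None


def best_transformer(lo=-5, hi=5):
    """α ∘ sp ∘ γ: the most precise transformer that is sound on the window."""
    return {name: NAME[alpha(sp_dec(gamma(a, lo, hi)))] for name, a in DOMAIN.items()}


def at_least_as_precise(f, g):
    """f ⊑ g pointwise: f never reports a larger abstract state than g."""
    return all(DOMAIN[f[name]] <= DOMAIN[g[name]] for name in DOMAIN)
```

The window matters only for the enumeration: a violation found on it (here x↦0 escaping γ(0 < x)) is a genuine counterexample, whereas the absence of one is not a proof for the infinite domain; for the sign lattice the three transformers behave the same on any window that contains 0 and 1.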

  44. But … • what if we have x & y? • Define lattice (semantics) for each variable • Compose lattices • Goal: compositional definition • What if we have more than 1 statement? • Define semantics for entire program via CFG • Different “abstract states” at every CFG node

  45. One lattice per variable [figure: two copies of the sign lattice, one for x (true at the top, x≤0 and x≥0 below it, x<0, x=0, x>0 below those, false at the bottom) and one for y] • How can we compose them?

  46. Cartesian product of complete lattices • For two complete lattices L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1) and L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2) • Define the poset Lcart = (D1×D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart) as follows: • (x1, x2) ⊑cart (y1, y2) iff x1 ⊑1 y1 ∧ x2 ⊑2 y2 • ⊔cart = ? ⊓cart = ? ⊥cart = ? ⊤cart = ? (all componentwise: (x1, x2) ⊔cart (y1, y2) = (x1 ⊔1 y1, x2 ⊔2 y2), likewise ⊓cart; ⊥cart = (⊥1, ⊥2), ⊤cart = (⊤1, ⊤2)) • Lemma: Lcart is a complete lattice • Define the Cartesian constructor Lcart = Cart(L1, L2)

  47. Cartesian product example [figure: Hasse diagram of Cart(Sign, Sign): ⊤ = (⊤, ⊤) at the top; below it pairs such as (x≤0, y≤0), (x≤0, y<0), (x≤0, y=0), (x>0, y≥0), …; below those the nine pairs (x<0, y<0), (x<0, y=0), (x<0, y>0), (x=0, y<0), (x=0, y=0), (x=0, y>0), (x>0, y<0), (x>0, y=0), (x>0, y>0); ⊥ = (⊥, ⊥), i.e. (false, false), at the bottom] • How does it represent (x<0 ∧ y<0) ∨ (x>0 ∧ y>0)? Only by the join of the two disjuncts, (x<0 ⊔ x>0, y<0 ⊔ y>0) = (⊤, ⊤): the product cannot express the correlation between x and y.

  48. Disjunctive completion • For a complete lattice L = (D, ⊑, ⊔, ⊓, ⊥, ⊤) • Define the powerset lattice L^ = (2^D, ⊑^, ⊔^, ⊓^, ⊥^, ⊤^): ⊑^ = ? ⊔^ = ? ⊓^ = ? ⊥^ = ? ⊤^ = ? (⊑^ = ⊆, ⊔^ = ∪, ⊓^ = ∩, ⊥^ = ∅, ⊤^ = D) • Lemma: L^ is a complete lattice • L^ contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates • Define the disjunctive completion constructor L^ = Disj(L)

  49. The base lattice CP [figure: ⊤ at the top; … {x=-2} {x=-1} {x=0} {x=1} {x=2} … below it; ⊥ at the bottom]

  50. The disjunctive completion of CP • What is the height of this lattice? [figure: true (all of CP) at the top; below it the singletons … {x=-2} {x=-1} {x=0} {x=1} {x=2} …; above them the pairs … {x=-2 ∨ x=-1} {x=-2 ∨ x=0} {x=-2 ∨ x=1} {x=1 ∨ x=2} …; then the triples … {x=-1 ∨ x=1 ∨ x=-2} {x=0 ∨ x=1 ∨ x=2} …; false (∅) at the bottom] • The height is infinite: {x=0} ⊂ {x=0 ∨ x=1} ⊂ {x=0 ∨ x=1 ∨ x=2} ⊂ … is a strictly ascending chain that never ends, so an analysis over this domain is not guaranteed to terminate by height alone
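The two constructors of slides 46–48 and the height question of slide 50, as an added example that is not code from the lecture: Cart(Sign, Sign) with componentwise ⊑, ⊔, ⊓, ⊥, ⊤; Disj applied to that product (sets of product states, ordered by ⊆); a constructed window of (x, y) pairs for the concretizations; and the ascending chain in Disj(CP) that shows its height is unbounded. All function names, the window and the integer encoding of CP constants are ours.

```python
"""The two lattice constructors of the slides, Cart(L1, L2) and Disj(L), over
the sign lattice: the product loses (x<0 ∧ y<0) ∨ (x>0 ∧ y>0), the disjunctive
completion keeps it, and Disj(CP) has an ascending chain of every length.
Added example: names, the constructed window and the chain are ours."""

SIGN = {name: frozenset(s) for name, s in [
    ("⊥", ""), ("x<0", "-"), ("x=0", "0"), ("x>0", "+"),
    ("x≤0", "-0"), ("x≥0", "0+"), ("⊤", "-0+")]}
SIGN_NAME = {v: k for k, v in SIGN.items()}


def sign(n):
    return "-" if n < 0 else "0" if n == 0 else "+"


def sign_join(a, b):
    """⊔ of the sign lattice: the least element containing a ∪ b, so
    x<0 ⊔ x>0 = ⊤ because {-, +} (x≠0) is not in the lattice."""
    return min((d for d in SIGN.values() if a | b <= d), key=len)


def sign_meet(a, b):
    return a & b  # the sign lattice is closed under ∩


# Cart(L1, L2): pairs ordered, joined and met componentwise.
def cart_leq(p, q):
    return p[0] <= q[0] and p[1] <= q[1]


def cart_join(p, q):
    return (sign_join(p[0], q[0]), sign_join(p[1], q[1]))


def cart_meet(p, q):
    return (sign_meet(p[0], q[0]), sign_meet(p[1], q[1]))


CART_BOT, CART_TOP = (SIGN["⊥"], SIGN["⊥"]), (SIGN["⊤"], SIGN["⊤"])


# Disj(L): subsets of L, read as disjunctions of its elements, ordered by ⊆.
def disj_leq(A, B):
    return A <= B


def disj_join(A, B):
    return A | B


def disj_meet(A, B):
    return A & B


def gamma_cart(p, window=range(-3, 4)):
    """Concretization of a product state on a constructed window of (x, y) pairs."""
    return {(x, y) for x in window for y in window
            if sign(x) in p[0] and sign(y) in p[1]}


def gamma_disj(A, window=range(-3, 4)):
    """γ of a disjunction is the union of the γ of its disjuncts."""
    return set().union(*(gamma_cart(p, window) for p in A))


def correlated_example():
    """(x<0 ∧ y<0) ∨ (x>0 ∧ y>0) in Cart(Sign, Sign) and in Disj(Cart(Sign, Sign))."""
    neg_neg = (SIGN["x<0"], SIGN["x<0"])
    pos_pos = (SIGN["x>0"], SIGN["x>0"])
    product = cart_join(neg_neg, pos_pos)  # componentwise join: (⊤, ⊤)
    disjunction = disj_join(frozenset({neg_neg}), frozenset({pos_pos}))
    return product, disjunction


def disj_cp_chain(n):
    """First n elements of the ascending chain {x=0} ⊂ {x=0 ∨ x=1} ⊂ ... in
    Disj(CP); a CP constant is encoded by its integer value.  The chain is
    strictly ascending for every n, so Disj(CP) has no finite height."""
    chain = [frozenset(range(k + 1)) for k in range(n)]
    assert all(chain[i] < chain[i + 1] for i in range(n - 1))
    return chain
```

The concretizations make the precision loss concrete: γ of the product state (⊤, ⊤) contains mixed-sign pairs such as (-1, 1) that neither disjunct admits, while γ of the two-element disjunction is exactly the union of the two quadrants. The price, shown by disj_cp_chain, is that the disjunctive completion of an infinite base lattice has no finite height, which is why such domains need widening rather than plain chaotic iteration to terminate.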
