Abstract Interpretation, or Non-Standard Semantics, or Picking the Right Abstraction

Transcription

1 Abstract Interpretation, or NonStandard Semantics, or Picking the Right Abstraction Meeting 14, SI 5535, Spring 29 Announcements Homework 3 is graded Graded out of 19, out of 38 on moodle because of.5 point values Homework 6 out, due Mon Mar 9 Just one short exercise 2 Announcements: Projects Project suggestions posted Project proposal due Sun Mar 8 Part of Homework 6 Project status update due Sun Mar 29 or Fri Mar 2 or Sun Mar 22? Project paper due Wed May 6 The Problem: Static Analysis It is extremely useful to predict program behavior statically (= without running the program) Why? What uses? 3 4 The Problem: Static Analysis It is extremely useful to predict program behavior statically (= without running the program) For optimizing compilers, program analyses, software engineering tools, finding security flaws, etc. The semantics we studied so far give us the precise behavior of a program However, precise static predictions are impossible The exact semantics is not computable We must settle for approximate, but correct, static analyses (e.g. V vs. WP) 5 The Plan We will introduce abstract interpretation by example Starting with a miniscule language we will build up to a fairly realistic application Along the way we will see most of the ideas and difficulties that arise in a big class of applications 6 1

2 A Tiny Language onsider the following language of arithmetic ( shrimp?) e ::= n e 1 * e 2 Denotational semantics of this language n = n e 1 * e 2 = e 1 e 2 Take deno. sem. as the ground truth For this language the precise semantics is computable (but in general it s not) 7 An Abstraction Assume that we are interested not in the value of the expression, but only in its sign: positive (), negative (), or zero () We can define an abstract semantics that computes only the sign of the result σ: Exp {,, } σ(n) = sign(n) σ(e 1 * e 2 ) = σ(e 1 ) σ(e 2 ) 8 I Saw the Sign orrectness of Sign Abstraction Why did we want to compute the sign of an expression? One reason: no one will believe you know abstract interpretation if you haven t seen the sign thing :) What could we be computing instead? an show that the abstraction is correct in the sense that it predicts the sign e > σ(e) = e = σ(e) = e < σ(e) = Our semantics is abstract but precise Proof is by structural induction on the expression e Each case repeats similar reasoning 9 1 Associate each concrete value to an abstract value: β : Z {,, } This is called the abstraction function (β) This threeelement set is the abstract domain Also define the concretization function (γ): γ : {,, } P(Z) γ() = { n Z n > } γ() = { } γ() = { n Z n < } Soundness can be stated succinctly e Exp. e γ(σ(e)) (the real value of the expression is among the concrete values represented by the abstract value of the expression)

3 Soundness can be stated succinctly e Exp. e γ(σ(e)) (the real value of the expression is among the concrete values represented by the abstract value of the expression) Let be the concrete domain (e.g. Z) and A be the abstract domain (e.g. {,, }) ommutative diagram? Exp A P() 13 Soundness can be stated succinctly e Exp. e γ(σ(e)) (the real value of the expression is among the concrete values represented by the abstract value of the expression) Let be the concrete domain (e.g. Z) and A be the abstract domain (e.g. {,, }) ommutative diagram: σ Exp A γ P() Often, this is called the concrete domain 14 onsider the generic abstraction of an operator σ(e 1 op e 2 ) = σ(e 1 ) op # σ (e 2 ) This is sound iff a 1 a 2. γ(a 1 op # a 2 ) {n 1 op n 2 n 1 γ(a 1 ), n 2 γ(a 2 )} e.g. γ(a 1 a 2 ) { n 1 * n 2 n 1 γ(a 1 ), n 2 γ(a 2 ) } This reduces the proof of correctness to one proof for each operator 15 OneSlide Summary: Abstract Interp This is our first example of an abstract interpretation We carry out computation in an abstract domain The abstract semantics is a sound approximation of the standard semantics The concretization and abstraction functions establish the connection between the two domains 16 Adding Unary Minus and Addition Adding Unary Minus and Addition We extend the language to e ::= n e 1 * e 2 e We define σ( e) = σ(e) We extend the language to e ::= n e 1 * e 2 e We define σ( e) = σ(e) Now we add addition: e ::= n e 1 * e 2 e e 1 e 2 We define σ(e 1 e 2 ) = σ(e 1 ) σ(e 2 )

4 Adding Unary Minus and Addition Adding Addition We extend the language to e ::= n e 1 * e 2 e We define σ( e) = σ(e) Now we add addition: e ::= n e 1 * e 2 e e 1 e 2? We define σ(e 1 e 2 ) = σ(e 1 ) σ(e 2 )? 19 The sign values are not closed under addition What should be the value of? Start from the soundness condition: γ( ) { n 1 n 2 n 1 >, n 2 < } = Z We don t have an abstract value whose concretization includes Z, so we add one: ( top = don t know ) 2 Loss of Precision Loss of Precision Abstract computation may lose information: (1 2) 3 = but: σ((12) 3) = Abstract computation may lose information: (1 2) 3 = but: σ((12) 3) = (σ(1) σ(2)) σ(3) = ( ) = We lost some precision But this will simplify the computation of the abstract answer in cases when the precise answer is not computable Adding Division Issues? 23 Adding Division Straightforward except for division by We say that there is no answer in that case γ( ) = { n n = n 1 /, n 1 > } = Introduce to be the abstraction of the We also use the same abstraction for nontermination! = nothing = something unknown 24 4

5 The Abstract Domain What s this again? Lattice Facts Our abstract domain forms a lattice A partial order is induced by γ a 1 a 2 iff γ(a 1 ) γ(a 2 ) We say that a 1 is more precise than a 2! Every finite subset has a leastupper bound (lub) and a greatestlower bound (glb) 25 A lattice is complete when every subset has a lub and a gub Even infinite subsets! Every finite lattice is (trivially) complete Every complete lattice is a complete partial order (recall: denotational semantics!) Since a chain is a subset Not every PO is a complete lattice Might not even be a lattice at all 26 Lattice History Early work in denotational semantics used lattices (instead of what?) But only chains need to have lubs And there was no need for and glb In abstract interpretation we ll use to denote I don t know. orresponds to all values in the concrete domain From One, Many We can start with the abstraction function β β : A (maps a concrete value to the best abstract value) A must be a lattice We can derive the concretization function γ γ : A P() γ(a) = And the abstraction for sets α α : P() A α(s) = From One, Many Example: With Our Sign Lattice We can start with the abstraction function β β : A (maps a concrete value to the best abstract value) A must be a lattice We can derive the concretization function γ γ : A P() γ(a) = { x β(x) a } And the abstraction for sets α α : P() A α(s) = lub { β(x) x S } 29 onsider our sign lattice if n > β(n) = if n = if n < α(s) = lub { β(x) x S} Example: α ({1, 2}) = α ({1, }) = α ({}) = γ(a) = { n β(n) a } Example: γ () = { n β(n) } = γ () = γ () = 3 5

6 Example: With Our Sign Lattice onsider our sign lattice if n > β(n) = if n = if n < α(s) = lub { β(x) x S} Example: α ({1, 2}) = lub { } = α ({1, }) = lub {, } = α ({}) = lub = γ(a) = { n β(n) a } Example: γ () = { n β(n) } = { n β(n) = } = { n n > } γ () = { n β(n) } = Z γ () = { n β(n) } = 31 Galois onnections We can show that γ and α are monotonic (with ordering on P()) α (γ (a)) = a for all a A γ (α(s)) S for all S P() Such a pair of functions is called a Galois connection Between the lattices A and P() S γ(α(s)) 32 orrectness ondition Three Little orrectness onditions In general, abstract interpretation satisfies the following (amazingly common) diagram denotation abstract semantics Exp σ ( ) A γ P() ( ) abstract domain abstraction function for sets α concretization function 33 Three conditions define a correct abstract interpretation 1. α and γ are monotonic 2. α and γ form a Galois connection = α and γ are almost inverses 3. Abstraction of operations is correct a 1 op # a 2 = α(γ(a 1 ) op γ(a 2 )) 34 For Next Time Read ousot s Abstract Interpretation Based Formal Methods and Future hallenges Read Thompson s Turing Award Lecture Project Proposal Review of Verification onditions 35 6

7 Additional Exercises What is the V for for i = e low to e high do Inv c 37 7