Abstract Interpretation

History
One breakthrough paper: Cousot & Cousot 77 (?). Inspired by dataflow analysis and denotational semantics. Enthusiastically embraced by the community... at least the functional community... at least the first half of the paper...

A Tiny Language
Consider a language with only integers and multiplication.
i : Exp Int () i i ( ) ( ) ( ) 1 2 1 2

An Abstraction
Define an abstract semantics that computes only the sign of the result.
:Exp,-,0 if i 0 0 ( i) 0 if i 0 0 if i 0 0 0 0 0 ( ) ( ) ( ) 0 1 2 1 2

Soundness
We can show that this abstraction is correct in the sense that it correctly predicts the sign of an expression. Proof is by structural induction on the expression.
( ) 0 ( ) ( ) 0 ( ) 0 ( ) 0 ( )

Another View of Soundness
The soundness proof is clunky: each case repeats the same idea. Instead, directly associate each abstract value with the set of concrete values it represents.
: {,0, } 2 ( ) i i 0 (0) 0 Int ( ) i i 0

Another View (Cont.)
The concretization function: a mapping from abstract values to (sets of) concrete values. Let D be the concrete domain, A the abstract domain.
( ) ( ( )) Exp A 2 D

Abstract Interpretation
This is an abstract interpretation: computation in an abstract domain, in this case {+,0,-}. The abstract semantics is sound: it approximates the standard semantics. The concretization function establishes the connection between the two domains.

Adding -
Extend our language with unary -.
( ) ( ) 0 ( ) ( ) 0

Adding +
Adding addition is not so easy. The abstract values are not closed under addition.
( 1 2 ) ( 1 ) ( 2 )? 1 2 1 2 0 ( ) ( ) ( ) 0 0?

Solution
We need another abstract value to represent a result that can be any integer. Finding a domain closed under all the abstract operations is often a key design problem.
0 T T T (T) Int 0 0 T T T T T T T T

Extending Other Operations
We also need to extend the other abstract operations to work with T.
0 T 0 T 0 0 0 0 0 0 T T T 0 T T 0 T 0 T

Examples
Abstract computation loses information:
((1 2) 3) 0 ((1 2) 3) ( ) ( ) T
No loss of information:
((5 5) 6) 31 ((5 5) 6) ( ) ( )

Adding / (Integer Division)
Adding / is straightforward except for the case of division by 0. If we divide each integer in a set by 0, what set of integers results? The empty set.
( ) / 0 T 0 T 0 0 T T T 0 T T

Adding / (Cont.)
As before, we need to extend the other abstract operations. In this case, every entry involving bottom is bottom: all operations are strict in bottom.
x x
The Abstract Domain
Our abstract domain forms a lattice: a partial order
x y ( x ) ( y )
Every finite subset has a least upper bound (lub) & greatest lower bound (glb). We write A for an abstract domain: a set of values + an ordering.
T 0

Lattice Lingo
A lattice is complete if every subset (finite or infinite) has lubs and glbs. Every finite lattice is complete. Thus every lattice has a top/bottom element. Usually needed in abstract interpretations.

The Abstraction Function
The abstraction function maps concrete values to abstract values. The dual of concretization: the smallest value of A that is the abstraction of a set of concrete values.
Int : 2 A ( S ) lub i 0 i S, 0 0 S, i 0 i S

A General Definition
An abstract interpretation consists of: an abstract domain A and a concrete domain D; concretization and abstraction functions forming a Galois insertion; a (sound) abstract semantic function.
Galois insertion: D x 2. x ( ( x )) a A. x ( ( x )) or id id

Galois Insertions
The abstract domain can be thought of as dividing the concrete domain into subsets (not disjoint). The abstraction function maps a subset of the domain to the smallest containing abstract value.
id id

Picture
In correct abstract interpretations, we expect the following diagram to commute.
Exp A 2 D

General Conditions for Correctness
Three conditions guarantee correctness in general: the concretization and abstraction functions form a Galois insertion ( id, id); the concretization and abstraction functions are monotonic ( x y ( x ) ( y ) ); abstract operations are locally correct:
op 1 n 1 (op( s,..., s )) op( ( s ),..., ( s )) n

Generic Correctness Proof
Proof by induction on the structure of the expression:
( ) ( ( )) ( op ) 1 2 ( ) op ( ) def. of 1 2 ( ( )) op ( ( )) by induction 1 2 ( ( ) op ( )) local correctness 1 2 ( ( op )) def. of 1 2

A Second Notion of Correctness
We can define correctness using abstraction instead of concretization.
( ) ( ( )) ({ ( )}) ( ) direction ( ) ( ( )) ({ ( )}) ( ( ( ))) monotonicity ({ ( )}) ( ) id

Correctness (Cont.)
The other direction...
( ) ( ( )) ({ ( )}) ( ) direction ({ ( )}) ( ) ( ({ ( )})) ( ( )) monotonicity ( ) ( ( )) id
A Language with Input
The next step is to add language features besides new operations. We begin with input, modeled as a single free variable x in expressions.
i... x

Semantics
The meaning function now has type : Exp Int Int. We write the function curried, with the expression as a subscript.
( j) i ( j) x i j ( j ) ( j ) ( j ) 1 2 1 2 ( j ) ( j ) ( j ) 1 2 1 2......

Abstract Semantics
Abstract semantic function: : Exp A A. Also write this semantics curried.
( j) i i ( j) x j ( j ) ( j ) ( j ) 1 2 1 2 ( j ) ( j ) ( j ) 1 2 1 2...... i ({ i})

Correctness
The correctness condition needs to be generalized. This is the first real use of the abstraction function. The following are all equivalent:
i. ( i ) ( ( ({ i }))) D A A 2 D A 2 D

Local Correctness
We also need a modified local correctness condition.
( ( )),..., ( ( )) ( ( ),..., ( )) op j j op j j 1 n 1 n

Proof of Correctness
Thm: ( j) ( ( j)). Proof (by induction).
Basis. ( j ) i ( i ) ( ( j ))
Step op (,..., ) 1 ( j ) j ( j ) ( ( j )) 1 i x n 1 ( j ) op( ( j ),..., ( j )) def. of n op( ( ( j )),..., ( ( j )) induction 1 1 op (,..., ) n ( op( ( j),..., ( j))) local correctness n ( ( j )) def. of n i x

If-Then-Else
... if then else ... if then else 1 2 3 4 () i ( i ) if ( ) ( ) 3 i 1 i 2 ( i ) if ( ) ( ) 4 i 1 i 2 ( i ) ( i ) ( i ) if then else 1 2 3 4 3 4
Note the lub operation in the abstract function; this is why we need lattices as domains.

Correctness of If-Then-Else
Assume the true branch is taken. (The argument for the false branch is symmetric.)
() i 3 ( ( i )) by induction 3 ( ( i)) ( ( i)) 3 4 3 4 ( i) ( i) monotonicity of
Recursion
Add recursive definitions of a single variable, for simplicity. The semantic function is : Exp Int Int.
program def f ( x )... f ( )

Revised Meaning Function
Define an auxiliary semantics taking a function (for the free variable f) and an integer (for x).
: Exp (Int Int ) Int Int f ( ) x ( g)( j ) g( ( g)( j )) ( g)( j ) j ( g)( j ) ( g)( j ) ( g)( j ) 1 2 1 2
Profs. Aiken, Barrett & Dill, CS 357

Meaning of Recursive Functions
: Exp Int Int : Exp (Int Int ) Int Int
Consider a function def f. Define an ascending chain f x. f 0 i 1 ( f) i f, f,... in Int Int 0 1. Define f i f i

Abstract Semantics Revised
Define an analogous auxiliary function for the abstract semantics.
: Exp (A A) A A f ( ) x ( g)( i ) g( ( g)( i )) ( g)( i ) i ( g)( i ) ( g)( i ) ( g)( i ) 1 2 1 2

Abstract Semantics Revised II
We need one more condition for the abstract semantics: all abstract functions are required to be monotonic. Thm. Any monotonic function on a complete lattice has a least fixed point.

Abstract Meaning of Recursion
: Exp A A ': Exp ( A A) A A
Consider a function def f. Define an ascending chain f, f,... in A f f 0 i 1 a. ( f ) i 0 1 A. Define f i f i

Correctness
f ( j) 2 f( j) 1 f ( j) 0 f ( j) 2 f 1( j) f 0( j)
Corresponding elements of the chain stand in the correct relationship.

Correctness (Cont.)
i. f ( j ) ( f ( j )) i f ( j ) ( f ( j )) chains stabilize i i0 i0 i i fi ( j ) f i ( j ) monotonicity of i0 i0 ( j) ( ( j)) by definition f f

Example
def f(x) if x 0 then 1 else x f(x -1)
Abstraction: lfp if x 0 then 1 else x f(x -1)
Simplified: lfp f. x. x f(x )

Strictness
We will assume our language is strict. This makes little difference in the quality of the analysis for this example. Assume that f ( ). Therefore it is sound to define f ( ).

Calculating the LFP
lfp f. x. x f(x )
f 0 0 T f 1 0 T f 2 0 T T T T f 3 0 T T T T T

Notes
In this case, the abstraction yields no useful information! Note that the sequence of functions forms a strictly ascending chain until stabilization: f0 f1 f2 f3 f4 f5... But the sequence of values at particular points may not be strictly ascending: f ( ) f ( ) f ( ) f ( ) f ( ) f ( )... 0 1 2 3 4 5

Notes (Cont.)
Lesson: the fixed point is being computed in the domain (A A) A A. The fixed point is not being computed in A A. Make sure you check the domain of the fixed point operator.
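An added example, not code from the slides, that implements the sign domain of the earlier slides (with T for "any integer" and bottom for "no integer"), the lifted *, +, unary - and / tables, the lub, and the ascending chain f#0, f#1, ... for the factorial above; it goes a little beyond the slides by deriving every abstract table from constructed sample integers rather than writing the tables out. It assumes a nested-tuple encoding of expressions and that / is Python's floor division.

```python
# Added example (not the slides' code): sign domain with T and bottom, plus the f# chain.
import itertools

BOT, NEG, ZERO, POS, TOP = "_|_", "-", "0", "+", "T"
SAMPLES = {BOT: [], NEG: [-7, -1], ZERO: [0], POS: [1, 7], TOP: [-7, -1, 0, 1, 7]}
def alpha(s):
    """Abstraction: least abstract value covering the integers in s ({} -> bottom)."""
    signs = {POS if i > 0 else NEG if i < 0 else ZERO for i in s}
    return BOT if not signs else signs.pop() if len(signs) == 1 else TOP
def lift(op):
    """Abstract op from constructed samples of each sign (exact, since a result's sign
    depends only on the input signs); x / 0 yields no integer at all, hence bottom."""
    def abs_op(*args):
        out = set()
        for xs in itertools.product(*(SAMPLES[a] for a in args)):
            try:
                out.add(op(*xs))
            except ZeroDivisionError:
                pass
        return alpha(out)
    return abs_op

CONC = {"*": lambda x, y: x * y, "+": lambda x, y: x + y,
        "/": lambda x, y: x // y, "neg": lambda x: -x}   # / is floor division here
ABS = {k: lift(f) for k, f in CONC.items()}   # e.g. ABS["*"](NEG, NEG) == POS
def lub(a, b):
    """Least upper bound in the flat lattice bottom < {-, 0, +} < T."""
    return a if a == b or b == BOT else b if a == BOT else TOP

def abs_eval(e, x, g):
    """Abstract semantics; x is the abstract input, g the current approximation of f#."""
    if isinstance(e, int):
        return alpha({e})
    if e == "x":
        return x
    op, *args = e
    if op == "if":   # ("if", e1, e2, e3, e4) = if e1 = e2 then e3 else e4: lub of both branches
        return lub(abs_eval(args[2], x, g), abs_eval(args[3], x, g))
    if op == "f":    # ("f", e): consult the current approximation of the recursive function
        return g[abs_eval(args[0], x, g)]
    return ABS[op](*(abs_eval(a, x, g) for a in args))   # (op, e1, e2) or ("neg", e)
def chain(body):
    """f#0 = (all bottom), f#(i+1)(a) = body under f#i; stops when two steps agree."""
    fs = [{a: BOT for a in SAMPLES}]
    while len(fs) < 2 or fs[-1] != fs[-2]:
        fs.append({a: BOT if a == BOT else abs_eval(body, a, fs[-1]) for a in SAMPLES})
    return fs
# Constructed: def f(x) = if x = 0 then 1 else x * f(x - 1), the slides' example.
FACT = ("if", "x", 0, 1, ("*", "x", ("f", ("+", "x", ("neg", 1)))))
```

`chain(FACT)` returns f#0 through f#4; f#3 already maps every non-bottom argument to T and f#4 equals f#3, which is the "no useful information" outcome the slides describe.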
Strictness Analysis

Strictness Analysis Overview
In lazy functional languages, it may be desirable to change call-by-need (lazy evaluation) to call-by-value. CBN requires building thunks (closures) to capture the lexical environment of unevaluated expressions. CBV evaluates its argument immediately, which is wasteful (or even wrong) if the argument is never evaluated under CBN.

Correctness
Substituting CBV for CBN is always correct if we somehow know that a function evaluates its argument(s). A function f is strict if f ( ). Observation: if f is strict, then it is correct to pass arguments to f by value.

Outline
Deciding whether a function is strict is undecidable. Mycroft's idea: use abstract interpretation. Correctness condition: if f is non-strict, we must report that it is non-strict.

The Abstract Domain
Continue working with the same language (1 recursive function of 1 variable). New abstract domain 2: 1 0

Concretization/Abstraction
The concretization/abstraction functions say: 0 means the computation definitely diverges; 1 means nothing is known about the computation. D is the concrete domain.
(0) ( ) 0 (1) D ( S ) 1 if S

Abstract Semantics
Next step is to define an abstract semantics. Transform f:Int Int to f:2 2. Transform values v:Int to v : 2. To test strictness, check if f(0) 0.

Abstract Semantics (Cont.)
An a stands for an abstract value (0 or 1). Treat 0,1 as false, true respectively.
( g)( a) a x ( g)( a) 1 i ( g)( a) ( g)( a) ( g)( a) ( g)( a) ( g)( a) 1 2 1 2 ' ( g)( a) g( ( g)( a)) f ( )

The Rest of the Rules
( g)( a) ( g)( a) ( g)( a) 1 2 1 2 ( g)( a) ( g)( a) ( g)( a) / 1 2 if then else def f 1 2 3 4 1 2 ( g)( a) ( g)( a) ( g)( a) ( g)( a) ( g)( a) lfp 1 2 3 4

An Example
def f(x) if x 0 then 1 else x f(x -1)
lfp if x 0 then 1 else x f(x -1)
lfp f. x.x aa. ( aa. ) 0 0
The function is strict in x.

Calculating the LFP
lfp f. x.x 1 1 (x f(x 1)) f f f 0 1 2 0 1 0 0 0 1 0 1 0 1 0 1

Another Example
Generalize to recursive functions of two variables.
def f(x,y) if x 0 then 0 else f(x -1,f(x,y))
lfp if x 0 then 0 else f(x -1,f(x,y))
lfp( f. (x, y). x 1 (1...)) (x, y). x

Example (Cont.)
For multi-argument functions, check each argument combination of the form (1,...,1,0,1,...,1).
(x, y). x (0,1) 0 (x, y). x (1,0) 1
X can be passed by value. Unsafe to pass Y by value.
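Mycroft's analysis for both examples above, as an added example that is not part of the slides: the 0/1 domain, the abstract rules of the preceding slides (operators need both operands, a conditional needs its test and one branch, a call consults the current approximation), the lfp iteration from the all-0 function, and the per-argument strictness check on points of the form (1,...,1,0,1,...,1). It assumes a tuple encoding of expressions; the two programs are constructed to mirror the slides' f(x) and f(x,y).

```python
# Added example (not the slides' code): Mycroft's strictness analysis over the
# two-point domain, 0 = "definitely diverges", 1 = "nothing known".
import itertools

def strict_eval(e, env, g):
    """Abstract semantics with 0/1 read as False/True: a variable is its abstract
    argument, a literal is 1, an operator needs both operands (and), a conditional
    needs its test and one branch (and/or), a call consults the current table g."""
    kind = e[0]
    if kind == "var":
        return env[e[1]]
    if kind == "int":
        return 1
    if kind in ("+", "-", "*", "/", "="):
        return strict_eval(e[1], env, g) and strict_eval(e[2], env, g)
    if kind == "if":
        return strict_eval(e[1], env, g) and (
            strict_eval(e[2], env, g) or strict_eval(e[3], env, g))
    if kind == "call":
        return g[tuple(strict_eval(a, env, g) for a in e[1])]
    raise ValueError(f"unknown expression kind {kind}")

def lfp(params, body):
    """Ascending chain f#0 = (all 0), f#(i+1) = body evaluated under f#i, until stable."""
    points = list(itertools.product((0, 1), repeat=len(params)))
    g = {p: 0 for p in points}
    while True:
        nxt = {p: strict_eval(body, dict(zip(params, p)), g) for p in points}
        if nxt == g:
            return g
        g = nxt

def strict_args(params, body):
    """Argument k is strict when f# gives 0 at the point (1, ..., 1, 0, 1, ..., 1)
    with the 0 in position k; such an argument can safely be passed by value."""
    g = lfp(params, body)
    return [name for k, name in enumerate(params)
            if g[tuple(int(j != k) for j in range(len(params)))] == 0]

# Constructed programs mirroring the slides:
#   def f(x) = if x = 0 then 1 else x * f(x - 1)
FACT = ("if", ("=", ("var", "x"), ("int", 0)), ("int", 1),
        ("*", ("var", "x"), ("call", [("-", ("var", "x"), ("int", 1))])))
#   def f(x, y) = if x = 0 then 0 else f(x - 1, f(x, y))
TWO = ("if", ("=", ("var", "x"), ("int", 0)), ("int", 0),
       ("call", [("-", ("var", "x"), ("int", 1)), ("call", [("var", "x"), ("var", "y")])]))
```

`strict_args(["x"], FACT)` reports x as strict, and `strict_args(["x", "y"], TWO)` reports only x, matching the slides' conclusion that y cannot be passed by value.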
Summary of Strictness Analysis
Mycroft's technique is sound and practical. Widely implemented for lazy functional languages. Makes a modest improvement in performance (a few %). The theory of abstract interpretation is critical here. Mycroft's technique treats all values as atomic: no refinement for components of lists, tuples, etc. Many research papers take up improvements for data types, higher-order functions, etc. Most of these are very slow.

Conclusions
The Cousot & Cousot paper(s) generated an enormous amount of other research. Abstract interpretation as a theory and abstract interpretation as a method of constructing tools are often confused. Slogan of most researchers: Finite Lattices + Monotonic Functions = Program Analysis.

Where is Abstract Interpretation Weak?
The theory is completely general. The part of the original paper people understand is limited: finite domains + monotonic functions.

Data Structures and the Heap
Requires a finite abstraction, which may be tuned to the program. More often it is: empty list, list of length 1, unknown length. Similar comments apply to analyzing heap properties, e.g., a cell has 0 references, 1 reference, many references.

Size of Domains
Large domains = slow analysis. In practice, domains are forced to be small. Chain height is the critical measure. The focus in abstract interpretation is on correctness; not much insight into efficient algorithms.

Context Sensitivity
No particular insight into context sensitivity. Any reasonable technique is an abstract interpretation.

Higher-Order Functions
Makes clear how to handle higher-order functions: model them as abstract, finite functions; the ordering on functions is pointwise. Problem: huge domains. Break with the dependence on control-flow graphs.

Forwards vs. Backwards
The forwards vs. backwards mentality permeates much of the abstract interpretation literature. But nothing in the theory says it has to be that way.