Abstract Interpretation, Part II
Mooly Sagiv
Outline
– Tarski's fixed point theorem
– The Soundness Theorem
– Infinite Domains (Widening & Narrowing)
– Canonic Abstraction
Shape analysis is a separate 3-hour lecture with demos.
Fixed Points
A monotone function $f\colon L \to L$: $l_1 \sqsubseteq l_2 \Rightarrow f(l_1) \sqsubseteq f(l_2)$, where $(L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ is a complete lattice.
– $\mathrm{Fix}(f) = \{\, l \in L : f(l) = l \,\}$
– $\mathrm{Red}(f) = \{\, l \in L : f(l) \sqsubseteq l \,\}$
– $\mathrm{Ext}(f) = \{\, l \in L : l \sqsubseteq f(l) \,\}$
Tarski's Theorem (1955):
– $\mathrm{lfp}(f) = \sqcap \mathrm{Fix}(f) = \sqcap \mathrm{Red}(f) \in \mathrm{Fix}(f)$
– $\mathrm{gfp}(f) = \sqcup \mathrm{Fix}(f) = \sqcup \mathrm{Ext}(f) \in \mathrm{Fix}(f)$
(Figure: the lattice drawn with $\mathrm{Ext}(f)$ at the bottom, $\mathrm{Fix}(f)$ in the middle and $\mathrm{Red}(f)$ at the top; the ascending chain $\bot \sqsubseteq f(\bot) \sqsubseteq f^2(\bot) \sqsubseteq \dots$ climbs towards $\mathrm{lfp}(f)$ and the descending chain $\top \sqsupseteq f(\top) \sqsupseteq f^2(\top) \sqsupseteq \dots$ descends towards $\mathrm{gfp}(f)$.)
Abstract (Conservative) Interpretation
(Figure, repeated on three slides with the vertical arrows labelled differently: a set of states is mapped by the operational semantics of statement s to a set of states; an abstract representation is mapped by the abstract semantics of s to an abstract representation; abstraction $\alpha$ goes from sets of states to abstract representations and concretization $\gamma$ goes back. The three slides close the square with $\alpha$ on both sides, with $\gamma$ on both sides, and with $\gamma$ on the input side and $\alpha$ on the output side; each is one way of stating that the abstract semantics over-approximates the concrete one.)
Soundness Theorem [CC]
Let $(\alpha, \gamma)$ form a Galois connection from $C$ to $A$:
– $\alpha(c) \sqsubseteq a$ iff $c \sqsubseteq \gamma(a)$
– $\alpha$ and $\gamma$ are monotone
– $\alpha(\gamma(a)) \sqsubseteq a$ and $c \sqsubseteq \gamma(\alpha(c))$
Let $f\colon C \to C$ and $f^\#\colon A \to A$ be monotone functions. The following local soundness conditions are equivalent:
– $\forall a \in A:\ f(\gamma(a)) \sqsubseteq \gamma(f^\#(a))$
– $\forall c \in C:\ \alpha(f(c)) \sqsubseteq f^\#(\alpha(c))$
– $\forall a \in A:\ \alpha(f(\gamma(a))) \sqsubseteq f^\#(a)$
and each of them implies global soundness:
– $\mathrm{lfp}(f) \sqsubseteq \gamma(\mathrm{lfp}(f^\#))$, equivalently $\alpha(\mathrm{lfp}(f)) \sqsubseteq \mathrm{lfp}(f^\#)$
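Proof of the global statement from the definitions on this slide, added here as a worked derivation (it is not on the original slide); write $a^\ast$ for $\mathrm{lfp}(f^\#)$:

$$
\begin{aligned}
&\text{(1)}\ \ f(\gamma(a^\ast)) \sqsubseteq \gamma(f^\#(a^\ast)) = \gamma(a^\ast)
&&\text{local soundness and } f^\#(a^\ast) = a^\ast,\ \text{so } \gamma(a^\ast) \in \mathrm{Red}(f)\\
&\text{(2)}\ \ \mathrm{lfp}(f) = \sqcap \mathrm{Red}(f) \sqsubseteq \gamma(a^\ast) = \gamma(\mathrm{lfp}(f^\#))
&&\text{Tarski}\\
&\text{(3)}\ \ \alpha(\mathrm{lfp}(f)) \sqsubseteq \mathrm{lfp}(f^\#)
&&\text{Galois connection applied to (2)}
\end{aligned}
$$

The three local conditions are equivalent by the same two Galois facts and monotonicity:

$$
\begin{aligned}
&\forall a\colon f(\gamma(a)) \sqsubseteq \gamma(f^\#(a))
\ \Rightarrow\ \forall c\colon \alpha(f(c)) \sqsubseteq f^\#(\alpha(c))
&&\text{take } a = \alpha(c)\colon\ f(c) \sqsubseteq f(\gamma(\alpha(c))) \sqsubseteq \gamma(f^\#(\alpha(c)))\\
&\forall c\colon \alpha(f(c)) \sqsubseteq f^\#(\alpha(c))
\ \Rightarrow\ \forall a\colon \alpha(f(\gamma(a))) \sqsubseteq f^\#(a)
&&\text{take } c = \gamma(a)\colon\ f^\#(\alpha(\gamma(a))) \sqsubseteq f^\#(a)\\
&\forall a\colon \alpha(f(\gamma(a))) \sqsubseteq f^\#(a)
\ \Rightarrow\ \forall a\colon f(\gamma(a)) \sqsubseteq \gamma(f^\#(a))
&&\text{Galois connection with } c = f(\gamma(a))
\end{aligned}
$$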
(Figure: the concrete lattice $C$ and the abstract lattice $A$ side by side, each split into the regions $f(x) \sqsupseteq x$ below, $f(x) = x$ in the middle and $f(x) \sqsubseteq x$ above (respectively $f^\#(y) \sqsupseteq y$, $f^\#(y) = y$ and $f^\#(y) \sqsubseteq y$); the chains $\bot, f(\bot), f^2(\bot), \dots$ and $\bot, f^\#(\bot), f^{\#2}(\bot), \dots$ rise to $\mathrm{lfp}(f)$ and $\mathrm{lfp}(f^\#)$, and the chains from $\top$ descend to $\mathrm{gfp}(f)$ and $\mathrm{gfp}(f^\#)$.)
Finite Height Case
(Figure: the concrete chain $\bot, f(\bot), f^2(\bot), \dots$ towards $\mathrm{lfp}(f)$ drawn against the abstract chain $\bot, f^\#(\bot), f^{\#2}(\bot), \dots$, which reaches $\mathrm{lfp}(f^\#)$ after finitely many steps when $A$ has finite height.)
Example: Interval Analysis
Find a lower and an upper bound of the value of a variable. Usages?
Lattice: $L = ((\mathbb{Z} \cup \{-\infty, \infty\}) \times (\mathbb{Z} \cup \{-\infty, \infty\}), \sqsubseteq, \sqcup, \sqcap, \bot, \top)$
– $[a, b] \sqsubseteq [c, d]$ if $c \le a$ and $b \le d$
– $[a, b] \sqcup [c, d] = [\min(a, c), \max(b, d)]$
– $[a, b] \sqcap [c, d] = [\max(a, c), \min(b, d)]$
– $\bot = [\infty, -\infty]$ (the empty interval)
– $\top = [-\infty, \infty]$
The need for disjunctions
```
if (…)
    …            // x ∈ [1, 5]
else
    …            // x ∈ [7, 8]
assert x != 6
```
At the join point the interval domain only has $[1, 5] \sqcup [7, 8] = [1, 8]$, which contains 6, so the assertion cannot be proved; keeping the disjunction $[1, 5] \vee [7, 8]$ would prove it.
Widening for Interval Analysis
– $\bot \,\nabla\, [c, d] = [c, d]$
– $[a, b] \,\nabla\, [c, d] = [\,\text{if } a \le c \text{ then } a \text{ else } -\infty,\ \ \text{if } b \ge d \text{ then } b \text{ else } \infty\,]$
Example Program: Interval Analysis (with widening)
$[x := 1]^1;\ \text{while } [x \le 1000]^2 \text{ do } [x := x + 1]^3;\ [\text{exit}]^4$
– IntEntry(1) = $[-\infty, \infty]$
– IntExit(1) = $[1, 1]$
– IntEntry(2) = IntExit(2) $\nabla$ (IntExit(1) $\sqcup$ IntExit(3))
– IntExit(2) = IntEntry(2)
– IntEntry(3) = IntExit(2) $\sqcap$ $[-\infty, 1000]$
– IntExit(3) = IntEntry(3) + $[1, 1]$
– IntEntry(4) = IntExit(2) $\sqcap$ $[1001, \infty]$
– IntExit(4) = IntEntry(4)
Requirements on Widening
– For all elements: $l_1 \sqcup l_2 \sqsubseteq l_1 \,\nabla\, l_2$
– For all ascending chains $l_0 \sqsubseteq l_1 \sqsubseteq l_2 \sqsubseteq \dots$ the following sequence is finite: $y_0 = l_0$, $y_{i+1} = y_i \,\nabla\, l_{i+1}$
For a monotonic function $f\colon L \to L$ define $x_0 = \bot$, $x_{i+1} = x_i \,\nabla\, f(x_i)$.
Theorem:
– There exists $k$ such that $x_{k+1} = x_k$
– $x_k \in \mathrm{Red}(f) = \{\, l \in L : f(l) \sqsubseteq l \,\}$
Narrowing
Improve the result of widening: $y \sqsubseteq x \Rightarrow y \sqsubseteq (x \,\Delta\, y) \sqsubseteq x$
For all decreasing chains $x_0 \sqsupseteq x_1 \sqsupseteq \dots$ the following sequence is finite: $y_0 = x_0$, $y_{i+1} = y_i \,\Delta\, x_{i+1}$
For a monotonic function $f\colon L \to L$ and $x \in \mathrm{Red}(f) = \{\, l \in L : f(l) \sqsubseteq l \,\}$ define $y_0 = x$, $y_{i+1} = y_i \,\Delta\, f(y_i)$.
Theorem:
– There exists $k$ such that $y_{k+1} = y_k$
– $y_k \in \mathrm{Red}(f)$
Narrowing for Interval Analysis
– $\bot \,\Delta\, [a, b] = [a, b]$
– $[a, b] \,\Delta\, [c, d] = [\,\text{if } a = -\infty \text{ then } c \text{ else } a,\ \ \text{if } b = \infty \text{ then } d \text{ else } b\,]$
Example Program: Interval Analysis (with narrowing)
$[x := 1]^1;\ \text{while } [x \le 1000]^2 \text{ do } [x := x + 1]^3;\ [\text{exit}]^4$
– IntEntry(1) = $[-\infty, \infty]$
– IntExit(1) = $[1, 1]$
– IntEntry(2) = IntExit(2) $\Delta$ (IntExit(1) $\sqcup$ IntExit(3))
– IntExit(2) = IntEntry(2)
– IntEntry(3) = IntExit(2) $\sqcap$ $[-\infty, 1000]$
– IntExit(3) = IntEntry(3) + $[1, 1]$
– IntEntry(4) = IntExit(2) $\sqcap$ $[1001, \infty]$
– IntExit(4) = IntEntry(4)
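The widening and narrowing passes over this program, run as code. This is an added Python example, not code from the slides: it implements the interval lattice, the $\nabla$ and $\Delta$ operators defined above and the chaotic iteration of the eight equations, using Python's `float('inf')` for $\pm\infty$ and the pair `(inf, -inf)` for $\bot$. The widening pass from $\bot$ stabilises at IntEntry(2) = [1, ∞] and IntEntry(4) = [1001, ∞]; the narrowing pass started from that result refines them to [1, 1001] and [1001, 1001]. The same `widen` also shows the non-monotonicity noted on the next slide: [0, 1] ∇ [0, 2] = [0, ∞] while [0, 2] ∇ [0, 2] = [0, 2].

```python
from math import inf

# Intervals are pairs (lo, hi) over Z ∪ {-inf, inf}; lo > hi encodes bottom.
TOP = (-inf, inf)
BOT = (inf, -inf)   # the empty interval, unit of join


def is_bot(i):
    return i[0] > i[1]


def leq(i, j):
    """[a,b] ⊑ [c,d] iff c <= a and b <= d (bottom is below everything)."""
    return is_bot(i) or (not is_bot(j) and j[0] <= i[0] and i[1] <= j[1])


def join(i, j):
    """[a,b] ⊔ [c,d] = [min(a,c), max(b,d)]."""
    if is_bot(i):
        return j
    if is_bot(j):
        return i
    return (min(i[0], j[0]), max(i[1], j[1]))


def meet(i, j):
    """[a,b] ⊓ [c,d] = [max(a,c), min(b,d)], normalised to BOT when empty."""
    if is_bot(i) or is_bot(j):
        return BOT
    r = (max(i[0], j[0]), min(i[1], j[1]))
    return BOT if is_bot(r) else r


def add(i, j):
    """Abstract addition: [a,b] + [c,d] = [a+c, b+d]."""
    if is_bot(i) or is_bot(j):
        return BOT
    return (i[0] + j[0], i[1] + j[1])


def widen(i, j):
    """⊥ ∇ [c,d] = [c,d]; [a,b] ∇ [c,d] sends a bound that grew to -inf / inf."""
    if is_bot(i):
        return j
    (a, b), (c, d) = i, j
    return (a if a <= c else -inf, b if b >= d else inf)


def narrow(i, j):
    """⊥ Δ [a,b] = [a,b]; [a,b] Δ [c,d] keeps finite bounds and refines infinite ones."""
    if is_bot(i):
        return j
    (a, b), (c, d) = i, j
    return (c if a == -inf else a, d if b == inf else b)


def iterate(op, entry, exit_):
    """Chaotic iteration of the slide's equations for
    [x := 1]^1; while [x <= 1000]^2 do [x := x + 1]^3; [exit]^4,
    combining the old loop-head value with the new one through op
    (widen or narrow) until neither map changes."""
    while True:
        old = (dict(entry), dict(exit_))
        entry[1] = TOP
        exit_[1] = (1, 1)
        entry[2] = op(exit_[2], join(exit_[1], exit_[3]))
        exit_[2] = entry[2]
        entry[3] = meet(exit_[2], (-inf, 1000))
        exit_[3] = add(entry[3], (1, 1))
        entry[4] = meet(exit_[2], (1001, inf))
        exit_[4] = entry[4]
        if old == (entry, exit_):
            return entry, exit_


def analyze():
    """Widening pass from bottom, then a narrowing pass from its (reductive) result.
    Returns (IntEntry after widening, IntEntry after narrowing), keyed by label."""
    entry = {l: BOT for l in range(1, 5)}
    exit_ = {l: BOT for l in range(1, 5)}
    entry, exit_ = iterate(widen, entry, exit_)
    widened = dict(entry)
    entry, exit_ = iterate(narrow, entry, exit_)
    return widened, dict(entry)


if __name__ == "__main__":
    widened, narrowed = analyze()
    for l in range(1, 5):
        print(f"IntEntry({l}): after widening {widened[l]}, after narrowing {narrowed[l]}")
```

The narrowing pass is only sound because it starts from the widening result, which the theorem on the Requirements slide guarantees to be in Red(f); starting `iterate(narrow, …)` from bottom would simply recompute the unbounded ascending chain.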
Non-Monotonicity of Widening
$[0, 1] \,\nabla\, [0, 2] = [0, \infty]$ but $[0, 2] \,\nabla\, [0, 2] = [0, 2]$: although $[0, 1] \sqsubseteq [0, 2]$, the results are not ordered, since $[0, \infty] \not\sqsubseteq [0, 2]$.
Widening and Narrowing Summary
– Very simple but produces impressive precision
– Sometimes non-monotonic
– The McCarthy 91 function
– Also useful in the finite case
– Can be used as a methodological tool
The McCarthy 91 function, annotated with the interval inferred for x at each point and for the value returned:
```c
int f(int x)                 /* x in [-inf, inf]       */
{
    if (x > 100)             /* x in [101, inf]        */
        return x - 10;       /* returns [91, inf]      */
    else                     /* x in [-inf, 100]       */
        return f(f(x + 11)); /* returns [91, 91]       */
}
```
Numerical Abstractions
(Figure: the same set of points in the x, y plane enclosed by a box, by an octagon and by a general polygon.)
– Interval: $x \le c$, $y \le c$
– Octagon: $\pm x \pm y \le c$
– Polyhedron: $c_1 x + c_2 y \le c$
Octagon only maintains correlations between two variables.
Non-Numerical Abstractions
Predicate Abstraction
$L = (\mathcal{P}(\mathcal{P}(B)), \sqsubseteq, \sqcup, \sqcap, \bot, \top)$, where $B$ is the set of predicates and an element is a set of valuations (each valuation is the subset of $B$ that holds):
– $X \sqsubseteq Y$ if $X \subseteq Y$
– $X \sqcup Y = X \cup Y$
– $X \sqcap Y = X \cap Y$
– $\top = \mathcal{P}(B)$
– $\bot = \emptyset$
Example Programs
```c
if (x > 0) y = malloc();
…
if (x > 0)
    z = *y;
```
```c
while x != y do
    x = x->n;
```
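The first program in the set-of-valuations domain of the previous slide, as an added Python example (not code from the slides) over the two constructed predicates `x>0` and `y!=null`. The abstract state is a `frozenset` of valuations, each valuation a `frozenset` of the predicates that hold, so $\sqsubseteq$, $\sqcup$ and $\sqcap$ are `⊆`, `∪` and `∩` literally. It assumes the elided `…` does not modify x or y (pass `elided_touches_x=True` to drop that assumption) and contrasts the result with the Cartesian abstraction that tracks each predicate on its own, which loses the correlation between the two tests and cannot prove the dereference safe.

```python
from itertools import product

# Predicate abstraction of the program
#     if (x > 0) y = malloc();  …  if (x > 0) z = *y;
# over the constructed predicate set B. An abstract element is an element of
# P(P(B)): a set of valuations, each valuation being the frozenset of
# predicates that hold in some concrete state.
B = ("x>0", "y!=null")

TOP = frozenset(frozenset(p for p, bit in zip(B, bits) if bit)
                for bits in product((0, 1), repeat=len(B)))   # P(B): every valuation
BOT = frozenset()                                                # no valuation: unreachable


def leq(X, Y):
    """X ⊑ Y iff X ⊆ Y."""
    return X <= Y


def join(X, Y):
    """X ⊔ Y = X ∪ Y."""
    return X | Y


def meet(X, Y):
    """X ⊓ Y = X ∩ Y."""
    return X & Y


def assume(X, pred, holds=True):
    """Abstract effect of a branch test: keep the valuations where pred == holds."""
    return frozenset(v for v in X if (pred in v) == holds)


def set_pred(X, pred, holds):
    """Effect of a statement that makes pred definitely true or false
    (y = malloc() makes y!=null true; assumed not to affect the other predicate)."""
    return frozenset((v | {pred}) if holds else (v - {pred}) for v in X)


def havoc(X, pred):
    """Effect of a statement about which nothing is known for pred: both values."""
    return frozenset(v | {pred} for v in X) | frozenset(v - {pred} for v in X)


def transfer_if(X, pred, then_branch):
    """if (pred) then_branch;  as the join of the two control-flow paths."""
    return join(then_branch(assume(X, pred, True)), assume(X, pred, False))


def must_hold(X, pred):
    """pred is true in every concrete state represented by X."""
    return all(pred in v for v in X)


def analyze_malloc_example(elided_touches_x=False):
    """Run the program through the domain and report whether y!=null holds at
    z = *y. The elided '…' is assumed not to modify x or y; with
    elided_touches_x=True it may assign x and the correlation is lost."""
    s = TOP                                                             # entry: nothing known
    s = transfer_if(s, "x>0", lambda t: set_pred(t, "y!=null", True))  # if (x > 0) y = malloc();
    if elided_touches_x:
        s = havoc(s, "x>0")                                             # … may assign x
    at_deref = assume(s, "x>0")                                         # states reaching z = *y
    return must_hold(at_deref, "y!=null")


def cartesian(X):
    """Forget correlations: each predicate becomes True/False if uniform over X, else None."""
    return {p: (True if all(p in v for v in X) else
                False if not any(p in v for v in X) else None) for p in B}


def analyze_cartesian():
    """Same program in the Cartesian (independent-attribute) abstraction: after the
    first if both predicates are unknown, and assuming x > 0 at the dereference
    says nothing about y, so the dereference cannot be proved safe."""
    s = transfer_if(TOP, "x>0", lambda t: set_pred(t, "y!=null", True))
    facts = cartesian(s)            # {"x>0": None, "y!=null": None}
    facts["x>0"] = True             # the branch test only constrains x
    return facts["y!=null"] is True


if __name__ == "__main__":
    print("set of valuations proves z = *y safe:", analyze_malloc_example())
    print("with '…' possibly writing x:          ", analyze_malloc_example(True))
    print("Cartesian abstraction proves it:       ", analyze_cartesian())
```

Note that the precise domain has $2^{2^{|B|}}$ elements, which is why real predicate-abstraction tools keep $B$ small and represent the set of valuations symbolically (as a BDD or a formula) rather than enumerating it as this example does.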
Canonical Abstraction
– Abstract unbounded sets of memory locations into a bounded set
– Partition based abstraction
– Use unary relations (symbols as distinctions)
– Maintain binary relations when necessary
Canonical Abstraction
```c
x = null;
while (…) do {
    t = malloc();
    t.next = x;
    x = t
}
```
(Figure: a concrete store produced by the loop with x and t pointing to u1 and n edges u1 → u2 → u3; its canonical abstraction keeps u1, pointed to by x and t, and merges u2 and u3 into a summary node u2,3 whose incoming n edge from u1 and n self-edge are indefinite.)
Canonical Abstraction and Equality
(Same program as on the previous slide. Figure: the same concrete store with the equality relation eq drawn; every concrete node has a definite eq self-loop. In the abstraction, u1 keeps eq(u1, u1) = 1, while the summary node u2,3 gets an indefinite eq self-loop because it stands for two distinct nodes.)
Heap Sharing Relation
$\mathrm{is}(v) = \exists v_1, v_2 \colon n(v_1, v) \wedge n(v_2, v) \wedge v_1 \ne v_2$
(Figure: a list u1 → u2 → … → un with x and t pointing to u1 in which no node is shared, so is(v) = 0 everywhere; its canonical abstraction is u1 plus a summary node u2..n with is = 0 and indefinite n edges.)
Heap Sharing Relation
(Same definition of is(v). Figure: the same list except that u2 now has two n-predecessors, so is(u2) = 1 while is = 0 for the other nodes. With is in the abstraction vocabulary, u2 stays a separate abstract node with a definite n edge from u1, and only u3..n collapse into a summary node with indefinite n edges.)
Reachability Relation
$t[n](v_1, v_2) = n^*(v_1, v_2)$
(Figure: the list u1 → u2 → … → un with x and t pointing to u1, with the transitive closure t[n] drawn between every pair of nodes in list order; in the abstraction u1 has a t[n] edge to the summary node u2..n, which has a t[n] self-edge.)
List Segments
(Figure: a list x → u1 → u2 → … → u8 with y pointing to u5. Abstracting with only the pointer variables as distinctions merges u2, u3, u4, u6, u7 and u8 into one summary node; u1 (x) and u5 (y) stay separate, and the nodes before and after y can no longer be told apart.)
Reachability from a Variable
$r[y](v) = \exists w \colon y(w) \wedge n^*(w, v)$
(Figure: the same list, now labelled with r[y] = 0 on the nodes before y and r[y] = 1 on u5 and the nodes after it. With r[y] as a distinction the abstraction has u1 (x), a summary node u2,3,4 with r[y] = 0, u5 (y) and a summary node u6,7,8 with r[y] = 1.)
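The canonical abstraction of the last few slides as code. This is an added Python example, not the slides' TVLA demo: it partitions a constructed concrete store by the values of its unary predicates, turns each block into one abstract node, and abstracts the binary predicate n to 1 (holds for every pair of concrete nodes in the two blocks), 0 (for none) or 1/2 (indefinite). It runs the three cases drawn above: the list built by the allocation loop on the Canonical Abstraction slide (u2 and u3 collapse into a summary node with indefinite n edges), the shared list from the Heap Sharing slides (adding is(v) to the vocabulary keeps the shared cell u2 separate), and the List Segments / Reachability from a Variable pair (adding r[y] splits the summary node into the cells before and after y). The stores, the node names, and the `summary` flag (standing in for eq(v, v) = 1/2 on a summary node) are constructed for this example.

```python
from collections import defaultdict
from itertools import product

# A concrete store is a set of nodes, unary predicates (the variables pointing
# at a node plus instrumentation predicates such as is and r[y]) and the binary
# predicate n. Nodes with the same unary-predicate vector collapse into one
# abstract node; an abstract predicate is 1 if it holds for every concrete
# instance, 0 if for none, and 1/2 (indefinite) otherwise.
HALF = 0.5


def is_shared(nodes, n):
    """is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2; returns the set of shared nodes."""
    preds = defaultdict(set)
    for src, dst in n:
        preds[dst].add(src)
    return {v for v in nodes if len(preds[v]) >= 2}


def reachable_from(var_nodes, n):
    """r[y](v) = ∃w: y(w) ∧ n*(w, v), computed as a worklist closure."""
    succ = defaultdict(set)
    for src, dst in n:
        succ[src].add(dst)
    seen, work = set(var_nodes), list(var_nodes)
    while work:
        w = work.pop()
        for v in succ[w] - seen:
            seen.add(v)
            work.append(v)
    return seen


def canonical_abstraction(nodes, unary, n):
    """unary: {pred_name: set of nodes where it holds}; n: set of (src, dst) pairs.
    Returns (blocks, abstract_unary, abstract_n). Abstract nodes are keyed by
    their canonical name: the tuple of unary predicate values (in sorted
    predicate order) shared by every concrete node of the block."""
    names = sorted(unary)
    blocks = defaultdict(set)
    for v in nodes:
        blocks[tuple(v in unary[p] for p in names)].add(v)
    blocks = {s: frozenset(b) for s, b in blocks.items()}
    abs_unary = {p: {s: s[i] for s in blocks} for i, p in enumerate(names)}
    abs_unary["summary"] = {s: len(b) > 1 for s, b in blocks.items()}   # eq(v, v) = 1/2
    abs_n = {}
    for (s1, b1), (s2, b2) in product(blocks.items(), repeat=2):
        present = [(u, w) in n for u, w in product(b1, b2)]
        abs_n[(s1, s2)] = 1 if all(present) else 0 if not any(present) else HALF
    return blocks, abs_unary, abs_n


def block_of(blocks, v):
    """Canonical name of the abstract node that concrete node v was mapped to."""
    return next(s for s, b in blocks.items() if v in b)


# Constructed concrete stores (not taken from the slides' demos).
def example_list(k):
    """x and t point to u1; u1 -n-> u2 -n-> ... -n-> uk."""
    nodes = [f"u{i}" for i in range(1, k + 1)]
    n = {(nodes[i], nodes[i + 1]) for i in range(k - 1)}
    return nodes, {"x": {"u1"}, "t": {"u1"}}, n


def example_shared(k):
    """The same list, but uk's n field points back to u2, so u2 has two predecessors."""
    nodes, unary, n = example_list(k)
    return nodes, unary, n | {(nodes[-1], "u2")}


def example_segments():
    """x -> u1 -> ... -> u8 with y pointing to u5 (the List Segments slide)."""
    nodes, unary, n = example_list(8)
    return nodes, {"x": {"u1"}, "y": {"u5"}}, n


def abstract(nodes, unary, n, with_is=False, reach_var=None):
    """Abstract a store, optionally adding is and/or r[reach_var] to the vocabulary."""
    unary = dict(unary)
    if with_is:
        unary["is"] = is_shared(nodes, n)
    if reach_var is not None:
        unary[f"r[{reach_var}]"] = reachable_from(unary[reach_var], n)
    return canonical_abstraction(nodes, unary, n)


if __name__ == "__main__":
    for label, store, kw in [("plain list", example_list(3), {}),
                             ("shared, no is", example_shared(4), {}),
                             ("shared, with is", example_shared(4), {"with_is": True}),
                             ("segments, no r[y]", example_segments(), {}),
                             ("segments, with r[y]", example_segments(), {"reach_var": "y"})]:
        blocks, _, abs_n = abstract(*store, **kw)
        print(label, "->", sorted(sorted(b) for b in blocks.values()))
```

Adding an instrumentation predicate never changes the concrete store; it only refines the partition, which is exactly why is and r[y] recover the sharing and the segment boundary that the pointer variables alone cannot express.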
Sortedness
(Figure: the list u1 → u2 → … → un with x and t pointing to u1, with the data ordering relation dle (data less-or-equal) drawn along the list; in the abstraction the dle edges between u1 and the summary node u2..n and on the summary node itself are shown.)
Example: Sortedness
$\mathrm{inOrder}(v) = \forall v_1 \colon n(v, v_1) \Rightarrow \mathrm{dle}(v, v_1)$
(Figure: the same list, now with inOrder = 1 at every node; in the abstraction both u1 and the summary node u2..n carry inOrder = 1, which records that the list is sorted even though dle itself becomes indefinite on the summary node.)
Example: InsertSort
```c
typedef struct list_cell {
    int data;
    struct list_cell *n;
} *List;

List InsertSort(List x) {
    List r, pr, rn, l, pl;
    r = x;
    pr = NULL;
    while (r != NULL) {
        l = x;
        rn = r->n;
        pl = NULL;
        while (l != r) {
            if (l->data > r->data) {
                pr->n = rn;
                r->n = l;
                if (pl == NULL)
                    x = r;
                else
                    pl->n = r;
                r = pr;
                break;
            }
            pl = l;
            l = l->n;
        }
        pr = r;
        r = rn;
    }
    return x;
}
```
Example: InsertSort (variant analysed in the demo)
```c
typedef struct list_cell {
    int data;
    struct list_cell *n;
} *List;

List InsertSort(List x) {
    if (x == NULL) return NULL;
    pr = x;
    r = x->n;
    while (r != NULL) {
        pl = x;
        rn = r->n;
        l = x->n;
        while (l != r) {
            pr->n = rn;
            r->n = l;
            pl->n = r;
            r = pr;
            break;
        }
        pl = l;
        l = l->n;
    }
    pr = r;
    r = rn;
}
```
```
void Mark(Node root) {
    if (root != NULL) {
        pending = ∅
        pending = pending ∪ {root}
        marked = ∅
        while (pending ≠ ∅) {
            x = SelectAndRemove(pending)
            marked = marked ∪ {x}
            t = x→left
            if (t ≠ NULL)
                if (t ∉ marked)
                    pending = pending ∪ {t}
            /* t = x→right
             * if (t ≠ NULL)
             *     if (t ∉ marked)
             *         pending = pending ∪ {t} */
        }
    }
    assert(marked == Reachset(root))
}
```
There may exist an individual that is reachable from the root, but not marked
(Figure: the abstract structure the analysis produces for Mark with the right-child traversal commented out: the node pointed to by root is marked (m) and has r[root]; another node, reachable from it through right edges, also has r[root] but is not marked.)
Conclusions (1)
Good static analysis =
– Precise enough (for the client)
– Efficient enough
Good static analysis needs a good domain:
» Abstract non-important details
» Represent relevant concrete information
» Precise and efficient abstract meaning of statements (the abstract interpreter)
» Efficient join implementation
» Small height or widening
Conclusions (2)
The theory of static analysis is well founded:
– Abstraction
– Soundness
– Chaotic iterations
– Elimination methods
– Modular methods
Weak parts:
– Transformations
– Predictable approximations
– User defined abstractions
– System