Lecture 10 Abstract Interpretation using

Fixpoints

Notation

Partial order:Least upper bound: lub, sup, Greatest lower bound: glb, inf, Least fixpoint: lfp

Complete lattice: always exist

Tarski’s fixpoint theorem

(A, ) complete lattice

G : A A monotonic functionPostfixp = { x | G(x) x }

Then G has least fixpoint, lfp(G) and it’s PostfixpSo, if G(x) x then x Postfixp, so lfp(G) x

Let G be also -continuous.Then { Gn ( ) | n 0 } = lfp(G)

Fixpoints for Recursive Definitions

Given monotonic G in complete lattice,If G(P) P then lfp(G) P

Natural numbers: lfp under adding successors: G(P) = {0} {x+1|x P} lfp(G) = {0,1,2, … } (natural numbers)Take a property PP(x), let P = {x | PP(x)}What does G(P) P mean? {0} U {x+1|x P} P

0 P x P x+1 PIf so, we get that all natural numbers are in P

Structural Recursion

Trees = lfp(G) whereG(P) = { Leaf } U

{ Node(t1,x,t2) | t1P, t2P}To prove all trees satisfy property, prove for the set P of trees satisfying property that G(P) P.

{ Leaf } U { Node(t1,x,t2) | t1 P /\ t2 P} PStructural induction!

Every inductively defined set is given as lfp(G) for some G, and this gives us an induction principle.

Concrete postInit,Good S r SxSGoal: show sp(Init,r*) GoodApproach: find I S such that sp(Init,r*) I GoodDefine post : 2S 2S post(P) = Init U sp(P,r)– post is monotonic function on complete lattice 2S so it has a

least fixpoint. This is sp(Init,r*)– Consequence: if post(P) P, then sp(Init,r*) P– Remark: post is also -continuous

and join morphism: post(UC)=U{post(x)|xC} so this is also equal to U{ postn({}) | n ≥ 0}

Strategy: find P such thatpost(P) P and then check that P Good

Example

k=1; while(k < 100) { k=k+3 }; assert(k <= 255)k=1; loop {assume(k < 100); k=k+3}; assume(k>=100); assert(k <= 255)

r = {(k,k’) | (k < 100 /\ k’ = k + 3) }Approximating sp({1},r*)post(P) = {1} U sp(P,r) = {1} U {k+3|k P, k < 100}postn({}): {}, {1}, {1,4}, …, {1,…,97},{1,…,97,100}, {1,…,97,100}

Approximate post

Let apost be approximation of post, that is, post(P) apost(P)

for all sets P (e.g. take interval enclosing a set)If we find P such that apost(P) P, then

post(P) apost(P) PSummary: all we need is – apost that approximes post– a postfix point P of apost, ideally as small as

possible, hoping to be able to prove P Good

Domain: Representation of Invariants

apost will work only on certain invariants (e.g. only intervals)Represent these invariants as another set A.Define concretization : A 2S

post# : A A (post#(a)) = apost((a))Then post(P) apost(P) becomes

post((a)) (post#(a))This is the soundness condition.

Postfixpoint in Abstract Domain

We have found a postfixpoint (a) if(post#(a)) (a)

How to effectively check if this inclusion holds?Define an ordering on domain that is computable and satisfies:

a1 a2 (a1) (a2)If post#(a) a , then (post#(a)) (a) is monotonic. We need postfixpoint of Define such that it is ordering, the nicer ordering the better (e.g. complete lattice).

Interval Approximationpost(P) = {1} U {k+3|k P /\ k < 100}post#() = [1,1]post#([a,b]) = [min(1,a+3),min(b+3,102)]

Soundness: post([a,b]) post#([a,b]){1}U{k+3|a ≤ k ≤ b, k < 100} [min(1,a+3),min(b+3,102)]

(post#)n(): , [1,1], [1,4], …, [1,97],

lfp(post#) = [1,102]We proved automatically

sp({1},r*) [1,102]

How to define post# ?

One way: Galois comes to rescueSuppose s.t. (, ) is Galois connection. Then

post((a)) (post#(a))is equivalent to ( on right = on left)

(post((a)) post#(a)So we can define:

post#(a) = (post((a))Note: such post# is monotonic

Finding fixpoint of post#

Compute post# iteration:(post#)n()

If for some n (post#)n()= (post#)n+1()then for this n lfp(post#) = (post#)n()

To help make this happen• make post# monotonic• design domain so post# iteration terminates in

finitely many steps

Partial Order on Intervals

Interval Domain A

A = , intervals w/ finite and infinite bounds

Partial order a1, a2 A

Galois Connection: Monotonicity

: A 2S ([L,U]) = {x | L ≤ x ≤ U} : 2S A (c) = [min(c),max(c)]Prove , are monotonic

Galois Connection Condition

: A 2S ([L,U]) = {x | L ≤ x ≤ U} : 2S A (c) = [min(c),max(c)]Galois connection condition

c (a) (c) aProve it for case where c is bounded, a is [L,U]

Multiple variables

Wish to track interval for each variableWe track not [L,U] but ([L1,U1],[L2,U2])

If program state is (x,y), define(([L1,U1],[L2,U2])) = {(x,y) | }(p) = ([L1,U1],[L2,U2]) L1 = U1 = L2 = U2 =

Product of Partial Orders

(Ai, ≤i) partial orders for iJ

(A, ≤) given by A = {f : J UiJ Ai , i. f(i) Ai}f,g A ordered by

f ≤ g i. f(i) ≤i g(i)

Then (A, ≤) is a partial order. Moreover:If (Ai, ≤i) all have lub, then so does (A, ≤).

If (Ai, ≤i) all have glb, then so does (A, ≤).