whatisstaticanalysis patrickcousot...
TRANSCRIPT
« An Informal Overview ofAbstract Interpretation »
Patrick CousotJerome C. Hunsaker Visiting ProfessorMassachusetts Institute of Technology
Department of Aeronautics and Astronauticscousot mit edu
www.mit.edu/~cousot
Course 16.399: “Abstract interpretation”http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 1 — ľ P. Cousot, 2005
What is static analysisby abstract interpretation?
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 2 — ľ P. Cousot, 2005
Example of static analysis (input){n0>=0}n := n0;
{n0=n,n0>=0}i := n;
{n0=i,n0=n,n0>=0}while (i <> 0 ) do
{n0=n,i>=1,n0>=i}j := 0;
{n0=n,j=0,i>=1,n0>=i}while (j <> i) do
{n0=n,j>=0,i>=j+1,n0>=i}j := j + 1
{n0=n,j>=1,i>=j,n0>=i}od;
{n0=n,i=j,i>=1,n0>=i}i := i - 1
{i+1=j,n0=n,i>=0,n0>=i+1}od
{n0=n,i=0,n0>=0}
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 3 — ľ P. Cousot, 2005
Example of static analysis (output){n0>=0}n := n0;
{n0=n,n0>=0}i := n;
{n0=i,n0=n,n0>=0}while (i <> 0 ) do
{n0=n,i>=1,n0>=i}j := 0;
{n0=n,j=0,i>=1,n0>=i}while (j <> i) do
{n0=n,j>=0,i>=j+1,n0>=i}j := j + 1
{n0=n,j>=1,i>=j,n0>=i}od;
{n0=n,i=j,i>=1,n0>=i}i := i - 1
{i+1=j,n0=n,i>=0,n0>=i+1}od
{n0=n,i=0,n0>=0}
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 3 — ľ P. Cousot, 2005
Example of static analysis (safety){n0>=0}n := n0;
{n0=n,n0>=0}i := n; n0 must be initially nonnegative
(otherwise the program does notterminate properly)
{n0=i,n0=n,n0>=0}while (i <> 0 ) do
{n0=n,i>=1,n0>=i}j := 0;
{n0=n,j=0,i>=1,n0>=i}while (j <> i) do
{n0=n,j>=0,i>=j+1,n0>=i}j := j + 1 j < n0 so no upper overflow
{n0=n,j>=1,i>=j,n0>=i}od;
{n0=n,i=j,i>=1,n0>=i}i := i - 1 i > 0 so no lower overflow
{i+1=j,n0=n,i>=0,n0>=i+1}od
{n0=n,i=0,n0>=0}
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 3 — ľ P. Cousot, 2005
Static analysis by abstract interpretation
Verification: define and prove automatically a property ofthe possible behaviors of a complex computer pro-gram;
Abstraction: the reasoning/calculus can be done on an ab-straction of these behaviors dealing only with thoseelements of the behaviors related to the consideredproperty;
Theory: abstract interpretation.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 4 — ľ P. Cousot, 2005
Example of static analysis
Verification: absence of runtime errors;
Abstraction: polyhedral abstraction (affine inequalities);
Theory: abstract interpretation.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 5 — ľ P. Cousot, 2005
Potential impact of runtime errors– 50% of the security attacks on computer systems arethrough buffer overruns 1!– Embedded computer system crashes easily result fromoverflows of various kinds.
1 See for example the Microsoft Security Bulletins MS02-065, MS04-011, etc.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 6 — ľ P. Cousot, 2005
A very informal introductionto the principles ofabstract interpretation
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 7 — ľ P. Cousot, 2005
Semantics
The concrete semantics of a program formalizes (is amathematical model of) the set of all its possible execu-tions in all possible execution environments.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 8 — ľ P. Cousot, 2005
Graphic example: Possible behaviors
x(t)
t
������������ ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 9 — ľ P. Cousot, 2005
Undecidability
– The concrete mathematical semantics of a program isan “infinite” mathematical object, not computable;– All non trivial questions on the concrete program se-mantics are undecidable.Example: Kurt Gödel argument on termination– Assume termination(P) would always terminates andreturns true iff P always terminates on all input data;– The following program yields a contradiction
P ” while termination(P) do skip od.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 10 — ľ P. Cousot, 2005
Graphic example: Safety properties
The safety properties of a program express that no possi-ble execution in any possible execution environment canreach an erroneous state.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 11 — ľ P. Cousot, 2005
Graphic example: Safety property
x(t)
t
�������������
������������ ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 12 — ľ P. Cousot, 2005
Safety proofs
– A safety proof consists in proving that the intersectionof the program concrete semantics and the forbiddenzone is empty;– Undecidable problem (the concrete semantics is notcomputable);– Impossible to provide completely automatic answerswith finite computer resources and neither human in-teraction nor uncertainty on the answer 2.
2 e.g. probabilistic answer.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 13 — ľ P. Cousot, 2005
Test/debugging
– consists in considering a subset of the possible execu-tions;– not a correctness proof;– absence of coverage is the main problem.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 14 — ľ P. Cousot, 2005
Graphic example: Property test/simulation
x(t)
t
���������������� ����
�������������
������������ ����
������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 15 — ľ P. Cousot, 2005
Abstract interpretation
– consists in considering an abstract semantics, that isto say a superset of the concrete semantics of the pro-gram;– hence the abstract semantics covers all possible con-crete cases;– correct: if the abstract semantics is safe (does not in-tersect the forbidden zone) then so is the concrete se-mantics.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 16 — ľ P. Cousot, 2005
Graphic example: Abstract interpretation
x(t)
t
���� ������������� ����
�������������
������������ ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 17 — ľ P. Cousot, 2005
Formal methods
Formal methods are abstract interpretations, which dif-fer in the way to obtain the abstract semantics:– “model checking”:- the abstract semantics is given manually by the user;- in the form of a finitary model of the program exe-cution;- can be computed automatically, by techniques rele-vant to static analysis.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 18 — ľ P. Cousot, 2005
– “deductive methods”:- the abstract semantics is specified by verification con-ditions;- the user must provide the abstract semantics in theform of inductive arguments (e.g. invariants);- can be computed automatically by methods relevantto static analysis.
– “static analysis”: the abstract semantics is computedautomatically from the program text according to pre-defined abstractions (that can sometimes be tailoredautomatically/manually by the user).
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 19 — ľ P. Cousot, 2005
Required properties of the abstract semantics
– sound so that no possible error can be forgotten;– precise enough (to avoid false alarms);– as simple/abstract as possible (to avoid combinatorialexplosion phenomena).
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 20 — ľ P. Cousot, 2005
Graphic example: Erroneous abstraction — I
x(t)
t
����������� ������� ���
�������������
������������ ����
������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 21 — ľ P. Cousot, 2005
Graphic example: Erroneous abstraction — II
x(t)
t
����������� ������� ���
�������������
������������ ����
������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 22 — ľ P. Cousot, 2005
Graphic example: Imprecision ) false alarms
x(t)
t
���� ������� ������� ���
�������������
������������ ����
����������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 23 — ľ P. Cousot, 2005
Abstract domains
Standard abstractions– that serve as a basis for the design of static analyzers:- abstract program data,- abstract program basic operations;- abstract program control (iteration, procedure, con-currency, . . . );
– can be parametrized to allow for manual adaptationto the application domains.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 24 — ľ P. Cousot, 2005
Graphic example: Standard abstractionby intervals
x(t)
t
���� ������� ������� ��������������
�������������
������������ ����
�����������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 25 — ľ P. Cousot, 2005
Graphic example: A more refined abstraction
x(t)
t
��������������������
�������������
������������ ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 26 — ľ P. Cousot, 2005
A very informal introductionto static analysisalgorithms
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 27 — ľ P. Cousot, 2005
Trace semantics
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 28 — ľ P. Cousot, 2005
Trace semantics
– Consider (possibly infinite) traces that is series of statescorresponding to executions described by discrete tran-sitions;– The collection of all such traces, starting from the ini-tial states, is the trace semantics.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 29 — ľ P. Cousot, 2005
Graphic example: Small-steps transitionsemantics
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 30 — ľ P. Cousot, 2005
Trace semantics, intuition������� ������
���� ������ � ���
������ ������������������ ������
��������
������
� � � � � � � � � � �������� ����
�
�
�
�
��
�
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 31 — ľ P. Cousot, 2005
Prefix trace semantics
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 32 — ľ P. Cousot, 2005
Prefixes of a finite trace������� ����� ���� �����
������������ ������
� � � � � � � � �������� ����
�
�
�
�
��
�
� ������ �����
��� ������ ��������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 33 — ľ P. Cousot, 2005
Prefixes of an infinite trace
������� ������
������������ �������� ��������
�����
� � � � � � � � � � �������� ����
�
�
�
�
��
�
��� ������
��������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 34 — ľ P. Cousot, 2005
Prefix trace semantics
Trace semantics: maximal finite and infinite behaviors
Prefix trace semantics: finite prefixes of the maximal be-haviors
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 35 — ľ P. Cousot, 2005
AbstractionThis is an abstraction. For example:
Trace semantics: fanb j n – 0gPrefix trace semantics: fan j n – 0g[fanb j n – 0g
Is there of possible behavior with infinitely many succes-sive a?
– Trace semantics: no
– Prefix trace semantics: I don’t know
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 36 — ľ P. Cousot, 2005
Prefix trace semanticsin fixpoint form
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 37 — ľ P. Cousot, 2005
Least Fixpoint Prefix Trace Semantics
Prefixes = f› j › is an initial stateg[ f› ` : : : ` › ` › j › ` : : : ` › 2 Prefixes
& › ` › is a transition stepg
› In general, the equation Prefixes = F (Prefixes) mayhave multiple solutions;› Choose the least one for subset inclusion „.› Abstractions of this equation lead to effective iterativeanalysis algorithms.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 38 — ľ P. Cousot, 2005
Collecting semantics
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 39 — ľ P. Cousot, 2005
Collecting semantics
– Collect all states that can appear on some trace at anygiven discrete time:
����
���������
� � � � � � � � � � �������� ����
�
��
�
��
�
!�������"
���������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 40 — ľ P. Cousot, 2005
Collecting abstraction
– This is an abstraction. Does the red trace exists?Trace semantics: no, collecting semantics: I don’t know.
����
���������
� � � � � � � � � � �������� ����
�
��
�
��
�
!�������"
���������
#�$��$� �����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 41 — ľ P. Cousot, 2005
Graphic example: collecting semantics
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 42 — ľ P. Cousot, 2005
Collecting semanticsin fixpoint form
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 43 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Graphic example: collecting semanticsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 44 — ľ P. Cousot, 2005
Interval Abstraction(in iterative fixpoint form)
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 45 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Graphic example: traces of intervalsin fixpoint form
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 46 — ľ P. Cousot, 2005
Abstraction by Galois connections
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 47 — ľ P. Cousot, 2005
Abstracting sets (i.e. properties)
– Choose an abstract domain, replacing sets of objects(states, traces, . . . ) S by their abstraction ¸(S)– The abstraction function ¸ maps a set of concrete ob-jects to its abstract interpretation;– The inverse concretization function ‚ maps an abstractset of objects to concrete ones;– Forget no concrete objects: (abstraction from above)S „ ‚(¸(S)).
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 48 — ľ P. Cousot, 2005
Interval abstraction ¸
�
�
���
�
��
fx : [1; 99]; y : [2; 77]g
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 49 — ľ P. Cousot, 2005
Interval concretization ‚
�
�
���
�
��
fx : [1; 99]; y : [2; 77]g
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 50 — ľ P. Cousot, 2005
The abstraction ¸ is monotone
�
�
���
�
��
����
��
�
fx : [33; 89]; y : [48; 61]gv
fx : [1; 99]; y : [2; 90]g
X „ Y ) ¸(X) v ¸(Y )
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 51 — ľ P. Cousot, 2005
The concretization ‚ is monotone
fx : [33; 89]; y : [48; 61]gv
fx : [1; 99]; y : [2; 90]g
X v Y ) ‚(X) „ ‚(Y )
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 52 — ľ P. Cousot, 2005
The ‚ ‹ ¸ composition is extensive
�
�
���
�
��
fx : [1; 99]; y : [2; 77]g
X „ ‚ ‹ ¸(X)
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 53 — ľ P. Cousot, 2005
The ¸ ‹ ‚ composition is reductive
�
�
���
�
��
fx : [1; 99]; y : [2; 77]g==v
fx : [1; 99]; y : [2; 77]g
¸ ‹ ‚(Y ) ==v Y
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 54 — ľ P. Cousot, 2005
Correspondance between concrete andabstract properties
– The pair h¸; ‚i is a Galois connection:
h}(S); „i ` !``¸‚ hD; vi
– h}(S); „i ``!!` `¸‚ hD; vi when ¸ is onto (equivalently
¸ ‹ ‚ = 1 or ‚ is one-to-one).
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 55 — ľ P. Cousot, 2005
Galois connection
hD;„i ` !``¸‚ hD;vi
iff 8x; y 2 D : x „ y =) ¸(x) v ¸(y)^ 8x; y 2 D : x v y =) ‚(x) „ ‚(y)^ 8x 2 D : x „ ‚(¸(x))^ 8y 2 D : ¸(‚(y)) v x
iff 8x 2 D; y 2 D : ¸(x) v y () x „ ‚(y)Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 56 — ľ P. Cousot, 2005
Example: Set of traces to trace of intervalsabstraction
Set of traces:
¸1 #
Trace of sets:
¸2 #
Trace of intervals
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 57 — ľ P. Cousot, 2005
Example: Set of traces to reachable statesabstraction
Set of traces:
¸1 #
Trace of sets:
¸3 #
Reachable states
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 58 — ľ P. Cousot, 2005
Composition of Galois Connections
The composition of Galois connections:
hL; »i ` !` `¸1‚1 hM; vi
and:
hM; vi ` !` `¸2‚2 hN; —i
is a Galois connection:
hL; »i `` `!` ` `¸2‹¸1
‚1‹‚2 hN; —i
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 59 — ľ P. Cousot, 2005
Convergence accelerationby widening/narrowing
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 60 — ľ P. Cousot, 2005
Graphic example: upward iterationwith widening
x(t)
t
�����������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 61 — ľ P. Cousot, 2005
Graphic example: upward iterationwith widening
x(t)
t
��������������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 61 — ľ P. Cousot, 2005
Graphic example: upward iterationwith widening
x(t)
t
��������������������������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 61 — ľ P. Cousot, 2005
Graphic example: upward iterationwith widening
x(t)
t
��������������������������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 61 — ľ P. Cousot, 2005
Graphic example: stability of theupward iteration
x(t)
t
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 62 — ľ P. Cousot, 2005
Interval widening– L = f?g[f[‘; u] j ‘; u 2 Z[f`1g^u 2 Z[fg^‘ » ug– The widening extrapolates unstable bounds to infinity:
?�X = X
X�? = X
[‘0; u0]�[‘1; u1] = [if ‘1 < ‘0 then `1 else ‘0;
if u1 > u0 then +1 else u0]
Not monotone. For example [0; 1] v [0; 2] but [0; 1]�
[0; 2] = [0; +1] 6v [0; 2] = [0; 2]�[0; 2]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 63 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Program to be analyzed:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 64 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Equations (abstract interpretation of the semantics):
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 65 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Resolution by chaotic increasing iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = ;X2 = ;X3 = ;X4 = ;
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 66 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = ;X3 = ;X4 = ;
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 1]
X3 = ;X4 = ;
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 1]
X3 = [2; 2]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 2]
X3 = [2; 2]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 2]
X3 = [2; 3]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !!
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 3]
X3 = [2; 3]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !!!
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 3]
X3 = [2; 4]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !!!!
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 4]
X3 = [2; 4]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !!!!!
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 4]
X3 = [2; 5]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !!!!!!
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 5]
X3 = [2; 5]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Increasing chaotic iteration: convergence !!!!!!!
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 5]
X3 = [2; 6]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 67 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Convergence speed-up by widening:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1;+1] ( wideningX3 = [2; 6]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 68 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Decreasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1;+1]X3 = [2;+1]X4 = ;
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 69 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Decreasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 9999]
X3 = [2;+1]X4 = ;
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 69 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Decreasing chaotic iteration:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 9999]
X3 = [2;+10000]
X4 = ;Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 69 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Final solution:
x := 1;1:
while x < 10000 do2:
x := x + 13:
od;4:
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 9999]
X3 = [2;+10000]
X4 = [+10000;+10000]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 70 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Result of the interval analysis:
x := 1;1: {x = 1}
while x < 10000 do2: {x 2 [1; 9999]}
x := x + 13: {x 2 [2;+10000]}
od;4: {x = 10000}
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
X1 = [1; 1]
X2 = [1; 9999]
X3 = [2;+10000]
X4 = [+10000;+10000]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 71 — ľ P. Cousot, 2005
Example: Interval analysis (1975)Checking absence of runtime errors with interval analysis:
x := 1;1: {x = 1}
while x < 10000 do2: {x 2 [1; 9999]}
x := x + 13: {x 2 [2;+10000]}
od;4: {x = 10000}
8>>><>>>:
X1 = [1; 1]X2 = (X1 [X3) \ [`1; 9999]X3 = X2 ˘ [1; 1]X4 = (X1 [X3) \ [10000;+1]8>>><>>>:
no overflowX2 = [1; 9999]
X3 = [2;+10000]
X4 = [+10000;+10000]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 72 — ľ P. Cousot, 2005
Refinement of abstractions
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 73 — ľ P. Cousot, 2005
Approximations of an [in]finite set of points:from above
x
y
f: : : ; h19; 77i; : : : ;h20; 03i; : : :g
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 74 — ľ P. Cousot, 2005
Approximations of an [in]finite set of points:from above
x
y f: : : ; h19; 77i; : : : ;
h20; 03i; h?; ?i; : : :g
From Below: dual 3 + combinations.
3 Trivial for finite states (liveness model-checking), more difficult for infinite states (variant functions).
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 75 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Signs 4
x
y x – 0y – 0
4 P. Cousot & R. Cousot. Systematic design of program analysis frameworks. ACM POPL’79, pp. 269–282,1979.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 76 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Intervals 5
x
y x 2 [19; 77]y 2 [20; 03]
5 P. Cousot & R. Cousot. Static determination of dynamic properties of programs. Proc. 2nd Int. Symp. onProgramming, Dunod, 1976.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 77 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Octagons 6
x
y
8>>><>>>:
1 » x » 9x+ y » 771 » y » 9x` y » 99
6 A. Miné. A New Numerical Abstract Domain Based on Difference-Bound Matrices. PADO ’2001.LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library onhttp://www.di.ens.fr/~mine/oct/
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 78 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Polyhedra 7
x
y 19x+ 77y » 200420x+ 03y – 0
7 P. Cousot & N. Halbwachs. Automatic discovery of linear restraints among variables of a program. ACMPOPL, 1978, pp. 84–97.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 79 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Simple
congruences 8
x
y x = 19 mod 77
y = 20 mod 99
8 Ph. Granger. Static Analysis of Arithmetical Congruences. Int. J. Comput. Math. 30, 1989, pp. 165–190.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 80 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Linear
congruences 9
x
y 1x+ 9y = 7 mod 8
2x` 1y = 9 mod 9
9 Ph. Granger. Static Analysis of Linear Congruence Equalities among Variables of a Program.TAPSOFT ’91, pp. 169–192. LNCS 493, Springer, 1991.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 81 — ľ P. Cousot, 2005
Effective computable approximations of an[in]finite set of points; Trapezoidal lin-
ear congruences 10
x
y
1x+ 9y 2 [0; 77] mod 102x` 1y 2 [0; 99] mod 11
10 F. Masdupuy. Array Operations Abstraction Using Semantic Analysis of Trapezoid Congruences. ACMICS ’92.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 82 — ľ P. Cousot, 2005
Refinement of iterates
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 83 — ľ P. Cousot, 2005
Graphic example: Refinement requiredby false alarms
x(t)
t
�������������
�����������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 84 — ľ P. Cousot, 2005
Graphic example: Partitionning
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 85 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: partitionned upward itera-tion with widening
x(t)
t
������������ ���
��� ����
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 86 — ľ P. Cousot, 2005
Graphic example: safety verification
x(t)
t
������������ ���
��� ����
�������������
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 87 — ľ P. Cousot, 2005
Interval widening with threshold set
– The threshold set T is a finite set of numbers (plus+1 and `1),– [a; b]
�T [a0; b0] = [if a0 < a then maxf‘ 2 T j ‘ » a0g
else a;if b0 > b then minfh 2 T j h – b0g
else b] :
– Examples (intervals):- sign analysis: T = f`1; 0;+1g;- strict sign analysis: T = f`1;`1; 0;+1;+1g;
– T is a parameter of the analysis.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 88 — ľ P. Cousot, 2005
Combinations of abstractions
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 89 — ľ P. Cousot, 2005
Forward/reachability analysis
II
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 90 — ľ P. Cousot, 2005
Backward/ancestry analysis
IIF
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 91 — ľ P. Cousot, 2005
Iterated forward/backward analysis
IF
I
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 92 — ľ P. Cousot, 2005
Example of iterated forward/backward analysisArithmetical mean of two integers x and y:{x>=y}
while (x <> y) do{x>=y+2}
x := x - 1;{x>=y+1}
y := y + 1{x>=y}
od{x=y}
Necessarily x – y for proper termination
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 93 — ľ P. Cousot, 2005
Example of iterated forward/backward analysisAdding an auxiliary counter k decremented in the loopbody and asserted to be null on loop exit:{x=y+2k,x>=y}
while (x <> y) do{x=y+2k,x>=y+2}
k := k - 1;{x=y+2k+2,x>=y+2}
x := x - 1;{x=y+2k+1,x>=y+1}
y := y + 1{x=y+2k,x>=y}
od{x=y,k=0}
assume (k = 0){x=y,k=0}
Moreover the differ-ence of x and y mustbe even for proper ter-mination
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 94 — ľ P. Cousot, 2005
Applications ofabstract interpretation
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 95 — ľ P. Cousot, 2005
Theoretical applications of abstract interpretation
– Static Program Analysis [POPL ’77,78,79] inluding Data-flow Analysis [POPL ’79,00], Set-based Analysis [FPCA ’95],etc– Syntax Analysis [TCS 290(1) 2002]– Hierarchies of Semantics (including Proofs) [POPL ’92, TCS277(1–2) 2002]– Typing [POPL ’97]– Model Checking [POPL ’00]– Program Transformation [POPL ’02]– Software watermarking [POPL ’04]
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 96 — ľ P. Cousot, 2005
Industrial applications of abstractinterpretation
– Program analysis and manipulation: a small rate of falsealarms is acceptable- AiT: worst case execution time 11
- StackAnalyzer: stack usage analysis 11
– Program verification: no false alarms is acceptable- TVLA: A system for generating abstract interpreters- Astrée: verification of absence of run-time errors 11
11 applied to the primary flight control software of the Airbus A340/600 and A380 fly-by-wire systems
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 97 — ľ P. Cousot, 2005
Bibliography
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 98 — ľ P. Cousot, 2005
Seminal papers– Patrick Cousot & Radhia Cousot. Abstract interpretation: aunified lattice model for static analysis of programs by con-struction or approximation of fixpoints. In 4th Symp. on Prin-ciples of Programming Languages, pages 238—252. ACM Press,1977.– Patrick Cousot & Nicolas Halbwachs. Automatic discovery oflinear restraints among variables of a program. In 5th Symp.on Principles of Programming Languages, pages 84—97. ACMPress, 1978.– Patrick Cousot & Radhia Cousot. Systematic design of pro-gram analysis frameworks. In 6th Symp. on Principles of Pro-gramming Languages pages 269—282. ACM Press, 1979.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 99 — ľ P. Cousot, 2005
Recent surveys– Patrick Cousot. Interprétation abstraite. Technique et ScienceInformatique, Vol. 19, Nb 1-2-3. Janvier 2000, Hermès, Paris,France. pp. 155-164.– Patrick Cousot. Abstract Interpretation Based Formal Meth-ods and Future Challenges. In Informatics, 10 Years Back —10 Years Ahead, R. Wilhelm (Ed.), LNCS 2000, pp. 138-156,2001.– Patrick Cousot & Radhia Cousot. Abstract InterpretationBased Verification of Embedded Software: Problems and Per-spectives. In Proc. 1st Int. Workshop on Embedded Software,EMSOFT 2001, T.A. Henzinger & C.M. Kirsch (Eds.), LNCS2211, pp. 97–113. Springer, 2001.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 100 — ľ P. Cousot, 2005
Course Content
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 101 — ľ P. Cousot, 2005
Anticipated Content of Course 16.399:Abstract Interpretation
– Today : an informal overview of abstract interpreta-tion;– The software verification problem (undecidability, com-plexity, test, simulation, specification, formal methods(deductive methods, model-checking, static analysis)and their limitations, intuitive notion of approxima-tion, false alarms);– Mathematical foundations (naive set theory, first orderclassical logic, lattice theory, fixpoints);
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 102 — ľ P. Cousot, 2005
– Semantics of programming languages (abstract syntax,operational semantics, inductive definitions, exampleof a simple imperative language, grammar and inter-pretor of the language, trace semantics);– Program specification and manual proofs (safety prop-erties, Hoare logic, predicate transformers, liveness prop-erties, linear-time temporal logic (LTL));– Order-theoretic approximation (abstraction, closures,Galois connections, fixpoint abstraction, widening, nar-rowing, reduced product, absence of best approxima-tion, refinement);
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 103 — ľ P. Cousot, 2005
– Principle of static analysis by abstract interpretation(reachability analysis of a transition system, finite ap-proximation, model-checking, infinite approximation,static analysis, program-based versus language-basedanalysis, limitations of finite approximations);– Design of a generic structural abstract interpreter (col-lecting semantics, non-relational and relational analy-sis, convergence acceleration by wideing/narrowing);– Static analysis (forward reachability analysis, back-ward analysis, iterated forward/backward analysis, in-evitability analysis, termination)
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 104 — ľ P. Cousot, 2005
– Numerical abstract domains (intervals, affine equali-ties, congruences, octagons, polyhedra);– Symbolic abstract domains (abstraction of sequences,trees and graphs, BDDs, word and tree automata, pointeranalysis);– Case studies (abstractions used in ASTREE and TVLA);
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 105 — ľ P. Cousot, 2005
Anticipated Home Work of Course 16.399:Abstract Interpretation
– A reading assignment of the slides for each course andof a recommanded recently published research articlerelated to that course;– A personnal project on the design and implementa-tion of a static analyzer of numerical programs (whichfrontend will be provided)
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 106 — ľ P. Cousot, 2005
Assigned reading for course 1Patrick Cousot.Abstract Interpretation Based Formal Methods andFuture Challenges.In Informatics, 10 Years Back — 10 Years Ahead,R. Wilhelm (Ed.), Lecture Notes in Computer Science2000, pp. 138–156, 2001.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 107 — ľ P. Cousot, 2005
Anticipated Grading of Course 16.399:Abstract Interpretation
The course is letter graded.10% Class participation15% Presentation 115% Presentation 240% Personal project20% Final written exam
The two presentations of research papers are in CS con-ference format (25mn of talk and 5mn of questions) to beselected by the students in the list of assigned readings;to be held outside of lecture hours — times TBA.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 108 — ľ P. Cousot, 2005
THE END
My MIT web site is http://www.mit.edu/~cousot/
The course web site is http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/.
Course 16.399: “Abstract interpretation”, Thursday, February 10, 2005 — 109 — ľ P. Cousot, 2005