Abstract%20Interpretation%20Part%20II

1
Abstract InterpretationPart II

• Mooly Sagiv
• Textbook Chapter 4
• CC79, CC92

2
Tentative Schedule
24/5 Operational Semantics
31/5 7/6 Abstract Interpretation
14/6 No class
21/6 22/6 9-12 309 Shape Analysis
27/6 Predicate Abstraction
3/8 9-12 309 Advanced Topics
Targil 2
Course Project
3
Outline

• The Soundness Theorem
• Intuition about abstract interpretation
• Methodologies for creating abstractions

4
Abstract (Conservative) interpretation
Set of states
Set of states
abstraction
abstraction
abstract representation
abstract representation
abstract representation
?
5
Abstract (Conservative) interpretation
Set of states
Set of states
?
concretization
abstract representation
abstract representation
6
Abstract (Conservative) interpretation
Set of states
abstraction
abstract representation
abstract representation
abstract representation
?
7
Soundness Theorem

1. Let (?, ?) form Galois connection from C to A
2. f C ? C be a monotone function
3. f A ? A be a monotone function
4. ?a?A f(?(a)) ? ?(f(a))
5. ?c?C ?(f(c)) ? f(?(a))
6. ?a?A ? (f(?(a)) ? f(a)

?
lfp(f) ? ?(lfp(f))
?(lfp(f)) ? lfp(f)
8
gfp(f)
gfp(f)
?
lfp(f)
lfp(f)
9
Finite Height Case


Lfp(f)





?
?
10
Local Concrete Semantics

• For every atomic statement S
• ?S ? Var ?Z ?Var ?Z
• ?x a ?s sx ?A?a?s
• ?skip ?s s
• For Boolean conditions

11
Local Abstract Semantics(CP)

• For every atomic statement S
• ?S ? Var ?L ? Var ?L
• ?x a ? (e) e x ? ?a? (e)
• ?skip ? (e) e
• For Booleans

12
Lemma 1
Consider a lattice L. f L ? L is monotone iff
for all X ? L ?f(z) z
?X ? f(?z z ?X )
13
Assignments in constant propagation

• Monotone
• df1 ? df2 ??x e?)df1 )? ? x e?)df2(
• Local Soundness
• ?(? x e ?? ? ?CS ? ? x e ? (?(CS))
• Best Transformer
• Homomorphic

14
Proof of Soundness (Summary)

• Define an appropriate operational semantics
• Define collecting operational semantics
• Establish a Galois connection between collecting
  states and abstract states
• (Local correctness) Show that the abstract
  interpretation of every atomic statement is
  soundw.r.t. the collecting semantics
• (Global correctness) Conclude that the result of
  the iterative analysis is sound w.r.t. the
  collecting semantics
• Can be applied between different abstractions

15
Induced Analysis (Relatively Optimal)

• It is sometimes possible to show that a given
  analysis is not only sound but optimal w.r.t. the
  chosen abstraction
• but not necessarily optimal!
• Define ?S? (df) ?(?S?? ? ? ? (df))
• But this ?S? may not be computable
• Derive (at compiler-generation time) an
  alternative form for ?S?
• A useful measure to decide if the abstraction
  must lead to overly imprecise results

16
Properties of Abstractions

• Eagerly forget parts of the state
• Reduce state space
• Abstract traces do not necessarily correspond to
  concrete trace
• even when best transformer is used
• Executes the program on traces with fabricated
  states
• When the abstraction succeeds prove stronger
  properties

17
Notions of precision

• CS ? (df)
• ?(CS) df
• Meet(Join) over all paths
• Using best transformers
• Good enough

18
Summary

• Abstract interpretation relates runtime semantics
  and static information
• The concrete semantics serves as a tool in
  designing abstractions
• Understanding concretization is a must
• Understand what is preserved/lost

19
Combining Data Flow Analyzes

• Develop new algorithms from old
• If I know how to conservatively represent
• Pointers
• Integers
• Do I know how to handle C programs with integers
  and pointers?

20
Combining Data Flow Analyzes

• Develop new algorithms from old
• If I know how to conservatively represent
• Pointers
• Integers
• Do I know how to handle C programs with integers
  and pointers?
• Improve the precision of an analysis
• Obtain a more efficient analysis

21
Combining Data Flow Analyzers

• Lattice constructors
• L1 ? L2
• S ? L1
• Galois connection constructors
• Constructing the abstract effect of elementary
  statements
• Model the relevant parts of the program
• Abstract irrelevant parts of the program

22
Galois Connections

• For
• A complete lattice (L1, ?1) (L1, ?, ?1, ?1,
  ?1, ?1)
• A complete lattice (L2, ?2) (, ?, ?2, ?2, ?2,
  ?2)
• ?L1?L2
• ? L2?L1
• We say that (L1, ?, ?, L2) is a Galois
  connection
• ? and ? are monotone
• For all c ? L1 ?(?(c)) ? c
• For all a? L2 ?(?(a)) ? a

23
Cartesian Products

• A complete lattice (L1, ?1) (L1, ?, ?1, ?1,
  ?1, ?1)
• A complete lattice (L2, ?2) (, ?, ?2, ?2, ?2,
  ?2)
• Define a Poset L (L1 ? L2 ,? ) where
• (x1, x2) ? (y1, y2) if
• x1 ? y1 and
• x2 ? y2
• L is a complete lattice
• But what does an element in L represent?

24
Cartesian Products (cont)

• A complete lattice (L1, ?1) (L1, ?, ?1, ?1,
  ?1, ?1)
• A complete lattice (L2, ?2) (, ?, ?2, ?2, ?2,
  ?2)
• Complete lattice L (L1 ? L2 ,? )
• A concrete lattice C (usually a powerset)
• A Galois connection (C, ?1 , ?1, L1)
• A Galois connection (C, ?2 , ?2, L2)
• Define ?C? L1 ? L2 and ? L1 ? L2 ? C ?
• Example Parity ? Sign

25
Cartesian Products (cont)

• A Galois connection (C, ?1 , ?1, L1)
• A Galois connection (C, ?2 , ?2, L2)
• A Galois connection (C, ? , ?, L1 ? L2 )
• ?(c) lt?1(c), ?2(c)gt
• ?(lta1, a2gt) ?1(a1) ? ?2(a2)
• Define
• L1?st? L1? L1
• L2?st? L2? L2
• How to define L1 ? L2 ?st? L1 ? L2 ? L1 ? L2
• Preserve soundness
• Preserve relative optimality (induced)
• Reasonable
• Example Parity ? Sign

26
Component-wise combinations

• Combine several analyses into a single analysis
• Cartesian products (Direct product)
• Independent attribute method
• Relational attribute method
• Total function space
• Monotone function space
• Direct tensor product

27
Independent Attribute Method

• A Galois connection (C1, ?1 , ?1, L1)
• A Galois connection (C2, ?2 , ?2, L2)
• A Galois connection (C1?C2, ? , ?, L1 ? L2 )
• ?(ltc1, c2gt) lt?1(c1), ?2(c2)gt
• ?(lta1, a2gt) lt?1(a1) , ?2(a2)gt
• Define
• L1?st? L1? L1
• L2?st? L2? L2
• How to define L1 ? L2 ?st? L1 ? L2 ? L1 ? L2
• Preserve soundness
• Preserve relative optimality (induced)

28
Relational Attribute Method

• A Galois connection (P(C1), ?1 , ?1, P(L1))
  where ?1 C1?L1
• ?1 (X) ??1(c) c ? X
• A Galois connection (P(C2), ?2 , ?2, P(L2))
  where ?2 C2?L2
• ?2 (X) ??2(c) c ? X
• A Galois connection (P(C1?C2), ? , ?, P(L1 ? L2))
• ?(ltX1, X2gt) lt?1(c1), ?2(c2)gt c1 ? X1, c2 ?
  X2
• ?(ltY1,Y2gt) ltc1 , c2gt ?1(c1) ? Y1 ?2(c2)
  ? Y2
• But how about transformers?
  

29
Semantic Reduction

• Consider a Galois connection(C, ? , ?, A)
• An operation op A ? A is a semantic reduction if
  
• For all a ? A op(a) ? a and ?(op(a)) ?(a)

30
Conclusions(1)

• Good static analysis
• Precise enough (for the client)
• Efficient enough
• Good static analysis
• Good domain
• Abstract non-important details
• Represent relevant concrete information
• Precise and efficient abstract meaning of
  abstract interpreters
• Efficient join implementation
• Small height or widening

31
Conclusions(2)

• The Theory of Static Analysis is well founded
• Abstraction
• Soundness
• Chaotic iterations
• Elimination methods
• Modular methods
• Weak Parts
• Transformations
• Predictable approximations
• User defined abstractions
• System