abstract interpretation: concrete and abstract semanticsavp/08_avp_2012.pdf · representation of...
TRANSCRIPT
Abstract Interpretation: concrete and abstract semantics
2
Concrete semantics • We consider a very tiny language that manages arithmetic
operations on integers values.
• The (concrete) semantics of the languages cab be defined by the funzcion µ defined by:
µ
µ
µ µ µ
= ∗
→
=
∗ = ×1 2 1 2
|
:( )
( ) ( ) ( )
e i e e
Exp Inti i
e e e e
3
Abstract Semantics • Consider now an abstract semantics over the domain of signs
{ }σ
σ
σ σ σ
→ +
+ > × + − = = + + − − <
∗ = × − − +1 2 1 2
:Exp ,-,0
if 0 0( ) 0 if 0 0 if 0 0 0 0 0( ) ( ) ( ) 0
ii i
ie e e e
4
From a different perspective • We can associate to each abstract value the set of concrete
elements it represents.
• The concretization function :
{ }{ }
{ }
γ
γγ
γ
+ − →
+ = >=
− = <
: { ,0, } 2
( ) | 0(0) 0( ) | 0
Int
i i
i i
5
Concretization • The concretization function γ maps an abstract value to a set of
concrete elements
• Let D denote the comncrete domain and A denote the abstract domain. The correctness of the abstract semantics wrt the concrete one can be expressed by:
µ γ σ∈( ) ( ( ))e e γσ
µExp
A
2D
6
Abstract Interpretation
• Abstract Interpretation is: – Computing the semantics of a program in an abstract
domain – In the case of signs, the domain so far is {+,0,-}.
• The abstract semantics should be correct – it is an over approximation of the concrete semantics
• The relatrion between te two domains is given by a concretization function
7
Consider the unary operator - • Let us add to our language the unary operator -
µ µ
σ σ
− = − − + −
− +− = −
( ) ( ) 0
0( ) ( )
e ee e
8
Consider the binary operation + • Adding the addition operator focrces us to modify the domain, as the
previous one is not able to represent the result of adding numbers of opposite sign
µ µ µ
σ σ σ
+ + −+ = + + + +
+ = + + −
− − −
1 2 1 2
1 2 1 2
0( ) ( ) ( ) ? ( ) ( ) ( ) 0 0
?
e e e e
e e e e
9
So… • We add to the domain a new element that represents all the integer
numbers (both positive and negative, and zero)
γ
+ + −+ + +
= + −− − −
0 TT T
(T) Int 0 0 TT T
T T T T T
10
The operations should be revisited
× + −+ + −
− + −− +
− − +
0 T0 T 0 T 0 0 0 0 0 0 T0 T
T T 0 T T
11
Examples
µ
σ
µ
σ
+ + − =
+ + − = + + + + −+ =
∗ + =
∗ + = + × + + + = +
((1 2) 3) 0
((1 2) 3) ( ) ( ) T
((5 5) 6) 31
((5 5) 6) ( )
Sometimes there is information loss due to the abstract operations
Sometimes there is no information loss, with respect to the abstraction
12
Consider the division operator /
• Problem: what is the result of dividing by zero? No number!
• So we need a new element in our domain that represents the empty set of integers (i.e. a failure state)
γ
+ − ⊥+ + − ⊥
⊥ ⊥ ⊥ ⊥ ⊥⊥ = ∅− − + ⊥
⊥⊥ ⊥ ⊥ ⊥ ⊥ ⊥
/ 0 T0 T
0( ) 0 T
T T 0 T T
⊥ + = ⊥
× ⊥ = ⊥
− ⊥ = ⊥
x
x
13
The resulting abstract domain
• It is a finite complete lattice
• The partial order is coherent wrt the concretization function:
+ −0
⊥
Tγ γ≤ ⇔ ⊆( ) ( )x y x y
14
The abstraction function • The concretization function γ has an adjoint function, the abstraction
function α.
• Function α maps a set of concrete values into the best representation of this set in the abstract domain (the smaller element f the abstract domain that represents of of these elements)
• In our example:,
{ } { } { }( )α
α
σ α
→
= − < ∧ ∈ ∈ + > ∧ ∈
=
Int: 2 A
( ) lub | 0 , 0 | 0 , | 0
( ) ({ })
S i i S S i i S
i i
15
A general definition
• An Abstract Interpretation consists of: – An abstract domain A and a concrete domain D – A and D are complete lattices . Smaller means “more precise” – Two monotone adjoint function that enjoy che formino una
inserzione di Galois. – Abstract operations that are correct wrt the concrete ones – A fixpoint algorithm
• Galois insertion:
γ αα γ
∀ ∈ ⊆
∀ ∈ =
2 . ( ( )). ( ( ))
Dx x xa A x x
16
Correctness revisited
• If case of Galois insertion, these correctness conditions are equivalent (prove it !)
γσ
∈
αExp
A≤
µ 2D
µ γ σ∈( ) ( ( ))e e
σ α µ≥( ) ({ ( )})e e
17
Correctness
• We show that in order to ensure the correctness of the whole analysis the following conditions are sufficient: 1. The function α and γ are monotone 2. The function α and γ form a Galois insertion 3. The abstract operations are locally correct, i.e.
• Notice that there is always a way to define a locally correct abstract
operation. It is sufficient to consider the operations that returns the top element of the abstract domain.
γ γ γ⊇1 1(op( ,..., )) op( ( ),..., ( ))n ns s s s
18
Local correctness
γ 1(op( ,..., ))ns s
γ γ1op( ( ),..., ( ))ns s
A A
2D 2D
op
op
γ γ
19
Correctness proof
• We show by structural induction on e that:
• Basic step:
µ γ σ∈( ) ( ( ))e e
µ
γ αγ σ
µ
σ
=∈⊆=
def. di
inserzione di Ga
( )
{ }( ({ }))( (i)
loisdef di )
iii
i
20
Correctness proof
Inductive Step
µµ µγ σ γ σ
γ σ σγ σ
µ
σ
=∈
⊆=
1 2
1 2
1 2
1 2
1 2
def. di per ipotesi induttivacorrettezz
( )( ) ( )( ( ))
a localedef
( ( ))( ( ) (
di ))
( ( ))
e op ee op e
e op ee op ee op e
µ γ σ∈( ) ( ( ))e e
21
Adding an input
• We can extend our tiny language with the possibility to get an input value from the user
• This means that we have a variable x in the expressions
= ∗ −| | | ... |e i e e e x
22
Concrete semantics • The semantic function µ becomes
• And we may express it in terms of a family of functions, having expressions as indeces and a single parameter (the input value)
µ → →: Exp Int Int
µµ
µ µ µµ µ µ
∗
+
=== ∗= +=
1 2 1 2
1 2 1 2
( )( )( ) ( ) ( )( ) ( ) ( )
... ...
i
x
e e e e
e e e e
j ij jj j jj j j
23
Abstract semantics
• The same holds for the abstract semantic function σ
• Also in this case we can express σ by a family of functions:
σ → →: Exp A A
σ
σ
σ σ σ
σ σ σ
α
∗
+
=
=
= ∗
= +=
=
1 2 1 2
1 2 1 2
( )( )
( ) ( ) ( )( ) ( ) ( )
... ...({ })
i
x
e e e e
e e e e
j ij j
j j jj j j
i i
24
Correctness
• The following conditions are equivalent
µ γ σ αµ γ σ αα µ σ α
∀ ∈≤
≤
. ( ) ( ( ({ })))e e
e eD
e eA
i i iγ
eσ
eµ
α
A
2D
≤Aα
2D ∈
25
Local correctness
• We can express the local correntess condition by:
( ) ( )γ σ γ σ γ σ σ⊆1 1
( ( )),..., ( ( )) ( ( ),..., ( ))n ne e e eop j j op j j
26
Conditional statement
• Concrete semantics
• Abstract semantics
• Notice the role of the lub in the abstract domain
µ µ µµ
µ µ µ
σ σ σ
=
=
= =
=
≠
=
=
3 1 2
1 2 3 41 24
3 41 2 3 4
if then else
if then else
(
... | if then else | .
) if ( ) ( )( ) ( ) if ( ) ( )
( ) ( ) (
.
)
.
e e ee e e e
e e e
e ee e e e
i i ii i i i
i
e e
i
e e
i
e
27
Correctness of the conditional statm.
( )
µ
γ σ
γ σ γ σ
γ σ σ γ
γ σ =
∈
⊆
⊆=
3
3
3 4
3 4
1 2 3 4if then else
( )( ( )) per induzione( ( )) ( ( ))
( ) ( ) monotonia di ( ( ))
e
e
e e
e e
e e e e
iii ii i
i
• Assume that the condition is true (the other case is analogous)
28
Recursion
• As a final step, we add recursive functions (on a single paramether)
• Until now, the concrete semantics was defined as:
= =
=
def ( )... | ( )
program f x ee f e
µ ⊥→ →: Exp Int Int
29
Concrete semantics (function calls)
• In order to take into account the call of functions, the signature of µ becomes as folllows:
µ
µ µ
µµ µ µ
⊥ ⊥
+
′ → → → →
′ ′=
′ =
′ ′ ′= +1 2 1 2
( )
: Exp (Int Int ) Int Int
( )( ) ( ( )( ))( )( )
( )( ) ( )( ) ( )( )
ef e
x
e e e e
g j g g jg j j
g j g j g j
30
Semantics of recursive functions
µ
λµ
µ
⊥ ⊥
⊥
+
′ → → → →
=
→
= ⊥
′=
=
0 1
0
1
f
Consideriamo una funzione
Definiamo una catena ascendente in
: Exp (Int Int ) Int Int
def f e
, ,... Int Int.(
Definiamo
)e ii
ii
f ff xf f
f
31
def f = if x=0 then 1 else f(x - 1) f0(i) = ⊥ for every i
f1(i) = µ’if x=0 then 1 else f(x - 1)(f0)(i) = µ’1(f0)(i) = 1 if i=0
µ’f(x - 1)(f0)(i) otherwise
= f0 (µ’x - 1(f0)(i)) = f0 (µ’x (f0)(i)) - f0 (µ’1 (f0)(i)) = f0 (i) - f0 (1) = ⊥
32
def f = if x=0 then 1 else f(x - 1) f0(i) = ⊥ for each i
f1(i) = 1 if i=0, ⊥ otherwise
f2(i) = µ’if x=0 then 1 else f(x - 1)(f1)(i) = µ’1(f1)(i)=1 if i=0
µ’f(x - 1)(f1)(i) otherwise
= f1 (µ’x - 1(f1)(i)) = f1 (µ’x (f1)(i)) - f1 (µ’1 (f1)(i)) = …
33
def f = if x=0 then 1 else f(x - 1)
f0(i) = ⊥ for every i
f1(i) = 1 if i=0, ⊥ otherwise
f2(i) = 1 if i=0,1, ⊥ otherwise
f3(i) = 1 if i=0,1,2, ⊥ otherwise
f4(i) = 1 if i=0,1,2,3, ⊥ otherwise
...
µ(f) = Ui>=0 fi
34
Abstract Semantics
• Tn the same way, we need to extend the definition of the abstract semantics σ.
• We require that all the operations are monotone.
σ
σ σ
σ
σ σ σ+
′ → → → →
′ ′=
′ =
′ ′ ′= +1 2 1 2
( )
: Exp (A A) A A
( )( ) ( ( )( ))
( )( )( )( ) ( )( ) ( )( )
ef e
x
e e e e
g i g g ig i i
g i g i g i
35
Abstract semantics of recursion
σ
λ
σ
σ
+
→ → → →
=
→
= ⊥
′=
=
0 1
0
1
f
Consideriamo una funzione
Definiamo una c
': Exp (A A) A A
def f e
, ,... A Aatena
.
(
ascendente in
Definiamo
)
i ie
ii
f ff af f
f
36
Correctness
• The abstract chain always covers the corresponding element in
the concrete chain
0( )f j
1( )f j
2( )f j γ
0( )f j
1( )f j
2( )f j≤
≤
≤
≤
γ
γ
37
Correctness (ctd.)
γ
σ
γ
γ
γ
µ γ
≥ ≥
≥ ≥
∀ ∈
⇒ ∈
⇒ ∈
⇒ ∈
0 0
0 0
. ( ) ( ( ))
( ) ( ( ))
( )
le catene convergono
monotonia di ( )
( ) ( ( ) per definizion) e
ii
iii i
iii i
f f
i f j f jf j f j
f j f j
j j
38
Summary
• Abstract Interpretation means – Define a concrete (collecting) smenatics – Define an abstract semantics (domain and operations) – Prove the local correctness of the operations – Apply a fixpoint algorithm to compute the abstract semantics – Use a widening operator to ensure convergence (if the
ascending chain condition does not hold)