Abstract Interpretation Part II
Mooly Sagiv
Textbook: Chapter 4, CC 79, CC 92
Tentative Schedule
- 24/5: Operational Semantics
- 31/5, 7/6: Abstract Interpretation
- 14/6: No class (Targil 2)
- 21/6: Shape Analysis (22/6, 9-12, room 309)
- 27/6: Predicate Abstraction
- 3/8 (9-12, room 309): Advanced Topics, Course Project
Outline
- The Soundness Theorem
- Intuition about abstract interpretation
- Methodologies for creating abstractions
Abstract (Conservative) interpretation
[Figure, three variants: a set of states is mapped by the operational semantics of statement s to a set of states; an abstract representation is mapped by the abstract semantics of s to an abstract representation; the two rows are related by abstraction and concretization.]
Soundness Theorem
1. Let ( , ) form a Galois connection from C to A
2. f: C C be a monotone function
3. f#: A A be a monotone function
4. a A: f( (a)) (f#(a))
5. c C: (f(c)) f#( (a))
   a A: (f( (a)) f#(a)
   lfp(f) (lfp(f#))
6. (lfp(f)) lfp(f#)
[Figure: the iteration sequences f( ), f 2( ), ... converging to lfp(f) and f#( ), f#2( ), ... converging to lfp(f#); the fixpoints f(x) = x and f#(y) = y; gfp(f) and gfp(f#); and the elements satisfying f(x) x and f#(y) y.]
[Figure: Finite Height Case, relating Lfp(f) and Lfp(f#) through f and f#.]
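The soundness theorem above, worked on a toy loop as an added example that is not part of the slides: the concrete domain is sets of integers (collecting semantics), the abstract domain is the parity lattice, and the loop `x := 0; while x < LIMIT: x := x + 2` is a constructed program. The code checks local soundness of f# against f and then that lfp(f) lies inside the concretization of lfp(f#).

```python
# Added example (not from the slides). Concrete domain C: finite sets of ints.
# Abstract domain A: parity lattice BOT < EVEN, ODD < TOP with Galois
# connection (alpha, gamma). Program modelled (constructed):
#   x := 0; while x < LIMIT: x := x + 2
LIMIT = 20
UNIVERSE = frozenset(range(-LIMIT, LIMIT + 1))   # finite concrete universe

BOT, EVEN, ODD, TOP = "bot", "even", "odd", "top"
STRICT = {(BOT, EVEN), (BOT, ODD), (BOT, TOP), (EVEN, TOP), (ODD, TOP)}

def leq(a, b):
    return a == b or (a, b) in STRICT

def join(a, b):
    if leq(a, b):
        return b
    if leq(b, a):
        return a
    return TOP

def alpha(c):
    """Best parity abstraction of a set of integers."""
    par = {n % 2 for n in c}
    if not par:
        return BOT
    return EVEN if par == {0} else ODD if par == {1} else TOP

def gamma(a):
    if a == BOT:
        return frozenset()
    if a == TOP:
        return UNIVERSE
    return frozenset(n for n in UNIVERSE if n % 2 == (0 if a == EVEN else 1))

def f(c):
    """Concrete transformer: states at the loop head after one more step."""
    return frozenset([0]) | frozenset(n + 2 for n in c if n < LIMIT)

def f_sharp(a):
    """Abstract transformer: x := 0 gives EVEN; x + 2 preserves parity."""
    return join(EVEN, a)

def lfp(fn, bottom):
    x = bottom
    while True:
        nxt = fn(x)
        if nxt == x:
            return x
        x = nxt

def check_soundness():
    conc, abst = lfp(f, frozenset()), lfp(f_sharp, BOT)
    local = all(leq(alpha(f(gamma(a))), f_sharp(a)) for a in (BOT, EVEN, ODD, TOP))
    return local, conc <= gamma(abst), leq(alpha(conc), abst), abst
```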
Local Concrete Semantics
- For every atomic statement S
  - S : [Var* Z]
  - x := a] s = s[x A a s]
  - skip] s = s
- For Boolean conditions …
Local Abstract Semantics (CP)
- For every atomic statement S
  - S # : Var* L
  - x := a #(e) = e[x a #(e)
  - skip #(e) = e
- For Booleans …
Lemma 1
Consider a lattice L. f: L L is monotone iff for all X L: {f(z) | z X} f( {z | z X})
Assignments in constant propagation
- Monotone
  - df 1 df 2 x := e)#df 1) x := e)#df 2)
- Local Soundness
  - ({ x := e | CS } x := e # ( (CS))
- Best Transformer
- Homomorphic
Proof of Soundness (Summary)
- Define an "appropriate" operational semantics
- Define a "collecting" operational semantics
- Establish a Galois connection between collecting states and abstract states
- (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
- (Global correctness) Conclude that the result of the iterative analysis is sound w.r.t. the collecting semantics
- Can be applied between different abstractions
Induced Analysis (Relatively Optimal)
- It is sometimes possible to show that a given analysis is not only sound but optimal w.r.t. the chosen abstraction – but not necessarily optimal!
- Define S #(df) = ({ S | (df)})
- But this S # may not be computable
- Derive (at compiler-generation time) an alternative form for S #
- A useful measure to decide if the abstraction must lead to overly imprecise results
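The local soundness condition for constant-propagation assignments and the gap between the CP transformer and the induced (best) transformer, as an added example that is not part of the slides. States are dicts from variables to integers, abstract states map each variable to BOT, a constant, or TOP, and expressions are constructed tuples; the collecting state CS and the variable set are assumptions of the example.

```python
# Added example (not from the slides): local soundness of CP assignment x := e.
BOT, TOP = "bot", "top"        # constant-propagation lattice: BOT < n < TOP
VARS = ["x", "y", "z"]
# Constructed collecting state CS: x varies across states, y and z are constant.
CS = [{"x": 1, "y": 5, "z": 0}, {"x": 2, "y": 5, "z": 0}]

def cp_leq(a, b):
    return a == BOT or b == TOP or a == b

def abs_leq(d1, d2):
    return all(cp_leq(d1[v], d2[v]) for v in VARS)

def alpha(states):
    """alpha(CS): per variable, the single value seen, else TOP (BOT if CS is empty)."""
    out = {}
    for v in VARS:
        vals = {s[v] for s in states}
        out[v] = BOT if not vals else (vals.pop() if len(vals) == 1 else TOP)
    return out

def eval_c(e, s):
    """Concrete A[e]s over expression tuples ('const', n), ('var', v), (op, l, r)."""
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        return s[e[1]]
    l, r = eval_c(e[1], s), eval_c(e[2], s)
    return l + r if e[0] == "add" else l - r if e[0] == "sub" else l * r

def eval_a(e, d):
    """Abstract evaluation: any TOP operand yields TOP (CP does not see x - x == 0)."""
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        return d[e[1]]
    l, r = eval_a(e[1], d), eval_a(e[2], d)
    if BOT in (l, r):
        return BOT
    if TOP in (l, r):
        return TOP
    return l + r if e[0] == "add" else l - r if e[0] == "sub" else l * r

def assign_c(x, e, states):          # collecting semantics of x := e
    return [dict(s, **{x: eval_c(e, s)}) for s in states]

def assign_a(x, e, d):               # CP abstract semantics of x := e
    return dict(d, **{x: eval_a(e, d)})

def locally_sound(x, e, states):
    """alpha({x := e applied to CS}) must lie below x := e#(alpha(CS))."""
    lhs = alpha(assign_c(x, e, states))
    rhs = assign_a(x, e, alpha(states))
    return abs_leq(lhs, rhs), lhs, rhs
```

For `z := x - x` the concrete side yields the constant 0 while the CP transformer yields TOP: sound, but strictly less precise than the induced transformer.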
Properties of Abstractions
- Eagerly forget parts of the state
- Reduce the state space
- Abstract traces do not necessarily correspond to concrete traces – even when the best transformer is used
- Executes the program on traces with "fabricated" states
- When the abstraction succeeds, it proves stronger properties
Notions of precision
- = (df)
- (CS) = df
- Meet (Join) over all paths
- Using best transformers
- Good enough
- CS
Summary
- Abstract interpretation relates runtime semantics and static information
- The concrete semantics serves as a tool in designing abstractions
- Understanding concretization is a must
- Understand what is preserved/lost
Combining Data Flow Analyses
- Develop new algorithms from old
- If I know how to conservatively represent
  - Pointers
  - Integers
  do I know how to handle C programs with integers and pointers?
- Improve the precision of an analysis
- Obtain a more efficient analysis
Combining Data Flow Analyzers
- Lattice constructors
  - L 1 L 2
  - S L 1
  - …
- Galois connection constructors
- Constructing the abstract effect of elementary statements
- Model the "relevant" parts of the program
- Abstract the "irrelevant" parts of the program
Galois Connections
- For
  - A complete lattice (L 1, 1) = (L 1, , 1, 1)
  - A complete lattice (L 2, 2) = (, , 2, 2)
  - : L 1 L 2
  - : L 2 L 1
- We say that (L 1, , , L 2) is a Galois connection if
  - and are monotone
  - For all c L 1: ( (c)) c
  - For all a L 2: ( (a)) a
Cartesian Products
- A complete lattice (L 1, 1) = (L 1, , 1, 1)
- A complete lattice (L 2, 2) = (, , 2, 2)
- Define a poset L = (L 1 L 2, ) where (x 1, x 2) (y 1, y 2) if
  - x 1 y 1 and
  - x 2 y 2
- L is a complete lattice
- But what does an element in L represent?
Cartesian Products (cont)
- A complete lattice (L 1, 1) = (L 1, , 1, 1)
- A complete lattice (L 2, 2) = (, , 2, 2)
- Complete lattice L = (L 1 L 2, )
- A concrete lattice C (usually a powerset)
- A Galois connection (C, 1, L 1)
- A Galois connection (C, 2, L 2)
- Define : C L 1 L 2 and : L 1 L 2 C ?
- Example: Parity Sign
Cartesian Products (cont)
- A Galois connection (C, 1, L 1)
- A Galois connection (C, 2, L 2)
- A Galois connection (C, , , L 1 L 2)
  - (c) = < 1(c), 2(c)>
  - (<a 1, a 2>) = 1(a 1) 2(a 2)
- Define
  - L 1 st #: L 1 L 1
  - L 2 st #: L 2 L 2
- How to define L 1 L 2 st #: L 1 L 2 L 1 L 2
  - Preserve soundness
  - Preserve relative optimality (induced)
  - Reasonable
Component-wise combinations
- Combine several analyses into a single analysis
  - Cartesian products (Direct product) [covered above]
- Independent attribute method
- Relational attribute method
- Total function space
- Monotone function space
- Direct tensor product
Independent Attribute Method
- A Galois connection (C 1, 1, L 1)
- A Galois connection (C 2, 2, L 2)
- A Galois connection (C 1 C 2, , , L 1 L 2)
  - (<c 1, c 2>) = < 1(c 1), 2(c 2)>
  - (<a 1, a 2>) = < 1(a 1), 2(a 2)>
- Define
  - L 1 st #: L 1
  - L 2 st #: L 2
- How to define L 1 L 2 st #: L 1 L 2
  - Preserve soundness
  - Preserve relative optimality (induced)
Relational Attribute Method
- A Galois connection (P(C 1), 1, P(L 1)) where 1: C 1 L 1
  - 1(X) = { 1(c) | c X}
- A Galois connection (P(C 2), 2, P(L 2)) where 2: C 2 L 2
  - 2(X) = { 2(c) | c X}
- A Galois connection (P(C 1 C 2), , , P(L 1 L 2))
  - (<X 1, X 2>) = {< 1(c 1), 2(c 2)> | c 1 X 1, c 2 X 2}
  - (<Y 1, Y 2>) = {<c 1, c 2> | 1(c 1) Y 1 2(c 2) Y 2}
- But how about transformers?
Semantic Reduction
- Consider a Galois connection (C, , , A)
- An operation op: A A is a semantic reduction if
  - For all a A: op(a) a and (op(a)) = (a)
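The Parity × Sign Cartesian product from the preceding slides and the semantic reduction defined here, as an added example that is not part of the slides. Each component is a partition of a finite universe of integers (a constructed assumption), abstract elements are sets of cells, the product Galois connection is built component-wise, and `reduce_` tightens an element (for instance `<odd, zero>` becomes `<bot, bot>`) without changing its concretization.

```python
# Added example (not from the slides): product Galois connection and reduction.
from itertools import combinations

UNIVERSE = frozenset(range(-9, 10))   # finite concrete universe (constructed)

# Each component domain is the powerset of its cells: bot = {}, top = all cells.
PARITY = {"even": frozenset(n for n in UNIVERSE if n % 2 == 0),
          "odd": frozenset(n for n in UNIVERSE if n % 2 == 1)}
SIGN = {"neg": frozenset(n for n in UNIVERSE if n < 0),
        "zero": frozenset([0]),
        "pos": frozenset(n for n in UNIVERSE if n > 0)}

def alpha_i(base, c):
    """Component abstraction: the cells that c intersects."""
    return frozenset(b for b, cell in base.items() if c & cell)

def gamma_i(base, a):
    """Component concretization: union of the selected cells."""
    return frozenset().union(*(base[b] for b in a))

def alpha(c):                       # alpha(c) = <alpha1(c), alpha2(c)>
    return (alpha_i(PARITY, c), alpha_i(SIGN, c))

def gamma(a):                       # gamma(<a1, a2>) = gamma1(a1) meet gamma2(a2)
    return gamma_i(PARITY, a[0]) & gamma_i(SIGN, a[1])

def leq(a, b):                      # component-wise order of the product lattice
    return a[0] <= b[0] and a[1] <= b[1]

def reduce_(a):
    """Semantic reduction op(a) = alpha(gamma(a)): below a, same meaning."""
    return alpha(gamma(a))

def all_elements():
    ps = [frozenset(s) for r in range(3) for s in combinations(PARITY, r)]
    ss = [frozenset(s) for r in range(4) for s in combinations(SIGN, r)]
    return [(p, s) for p in ps for s in ss]

def reduction_is_semantic():
    """Check op(a) below a and gamma(op(a)) == gamma(a) for every product element."""
    return all(leq(reduce_(a), a) and gamma(reduce_(a)) == gamma(a)
               for a in all_elements())
```

Note the precision lost by the product itself: `alpha({-1, 2})` keeps only the parities and signs seen, so its concretization also contains -2 and 1.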
Conclusions (1)
- Good static analysis =
  - Precise enough (for the client)
  - Efficient enough
- Good static analysis = Good domain
  - Abstract non-important details
  - Represent relevant concrete information
  - Precise and efficient abstract meaning of abstract interpreters
  - Efficient join implementation
  - Small height or widening
Conclusions (2)
- The Theory of Static Analysis is well founded
  - Abstraction
  - Soundness
  - Chaotic iterations
  - Elimination methods
  - Modular methods
- Weak Parts
  - Transformations
  - Predictable approximations
  - User defined abstractions
  - System