Lifting Abstract Interpreters to Quantified Logical Domains (POPL’08) Presented by M.Raveendra Kumar Some of the slides adopted from author’s presentations

Motivating Example a[0] = 0; for (i=1; i<n; i++) a[i] = 0; Post condition: i  n  a[0] = 0 "At past POPLs, we've seen fairly powerful domains for reasoning using LA+UFS and the like. When applied to this example, those domains give poor results. ... The problem arises because they can only refer to a bounded number of locations (variables for example). To state a fact about every array element, we need quantifiers." Say loop unrolled for explanatory purposes.  k (0 ≤ k < i  a[k] = 0) Invariant: 1 ≤ i < n  k (0 ≤ k < i  a[k] = 0)

How are Quantifiers Useful? Reasoning about arrays k (0 ≤ k < STRLEN(s)  s[k]  '!') j, k (0 ≤ j < k < n  a[j] ≤ a[k]) Reasoning about pointer-based data structures u (R(hd, u)  R(u, tl)  udata = 0) means list is initialized from hd to tl Security properties Sorting "There are many other places where quantifiers are useful." u v R(u, v)

Outline Logical AI Quantified abstract domain Abstract interpretation Partial order Templates & Quantifier introduction Abstract interpretation Join Transformers Soundness & correctness Termination Under-approximation algorithms

Logical Abstract Interpretation Logical Abstract Interpretation refers to the case when D = logical formulas over theory T ⊑ = logical implication relationship, i.e., E ⊑ E’ iff E ⟹T E’ We will examine following examples of logical interpretation D consists of finite conjunctions of atomic facts over T. Combination of Linear Arithmetic and Uninterpreted Functions D consists of universally quantified formulas over T which is our main topic Abstract Interpretation of a program involves interpreting the program over abstract values from some abstract domain D equipped with a partial order ⊑

Transfer Functions for Logical A.I G =Postcondition(y := e, G’) = ⌈ ∃y’: G’[y’/y] ⋀ y=e[y’/y] ⌉ y := e G’ Assignment Node G =Join(G1,G2) = ⌈G1⋁G2⌉ G2 G1 Join Node G2 = G’⋀¬:g g True False G’ G1 = G’⋀ g Conditional Node An abstract interpreter computes abstract values or facts at each program point from facts at preceding program points using appropriate transfer fns. TFs for a logical AI thus involve providing operators for over-approximating disjunction and existential quantifier elimination.

Quantified Domain

Lattice element 𝐺=𝛦 ⋀ 𝑗=1 𝑛 ∀𝑈 𝑗 ( 𝐹 𝑗 ⇒ 𝑒 𝑗 ) 𝐺=𝛦 ⋀ 𝑗=1 𝑛 ∀𝑈 𝑗 ( 𝐹 𝑗 ⇒ 𝑒 𝑗 ) G is an element of quantified domain 𝓓⩝ E , Fj , and ej are quantifier free facts from conjunctive domains 𝓓𝓪, 𝓓𝓫, and 𝓓𝓬. These “base” domains are parameters to quantified domain. Partial order, join operator and TFs of quantified defined in terms of “base” domain operators. Conjunctive domains : each domain element is a conjunction of automatic facts of form p(t1,….tn) or its negation. P can be predicate such as =, <, or reachability.

Concreate Semantics A program state 𝜌∈ 𝛾 𝒟 ∀ 𝐺 iff, 𝜌∈ 𝛾 𝒟 𝑎 𝐸 , and For every 𝑖, if 𝜌 ′ is an extension of state 𝜌 with assignment to variables in 𝑈 𝑖 such that 𝜌 ′ ∈ 𝛾 𝒟 𝑏 𝐹 𝑖 , then, 𝜌 ′ ∈ 𝛾 𝒟 𝑐 𝑒 𝑖 In going forward we use “base” domains 𝒟 ≔𝒟 𝑎 = 𝒟 𝑏 = 𝒟 𝑐

Running Example a[0] = 0; for (i=1; i<n; i++) a[i] = 0; .. i = 0; a Program State .. a i 3 n 50

Partial order (⊑⩝) Ideal partial order : G1 ⊑⩝ G2 if G1 ⟹⩝ G2 Issues Depends on base domain partial order Induction to prove implication Things to say: (1) Implication is ideal order, but we are incomplete; stuff like induction is not handled. (2) Second rule is analogous to function subtyping (since B in a negative position). (3) We use environment in doing subtyping rule. Say I'll assume in rest of presentation that we use one base domain. Also, all examples are with one quantifier, but in general we support many.

Partial order definition E  U.(F  e) ⊑⩝ E'  U.(F'  e') if 1. E ⊑ E' E  e ⊑e' 2. U.(F  e) U. (F'  e') Things to say: (1) Implication is ideal order, but we are incomplete; stuff like induction is not handled. (2) Second rule is analogous to function subtyping (since B in a negative position). (3) We use environment in doing subtyping rule. Say I'll assume in rest of presentation that we use one base domain. Also, all examples are with one quantifier, but in general we support many. E  F' ⊑ F

⊑ ∀ Example 𝑖=1 ⋀∀𝑘 𝑘=0 ⟹𝐴 𝑘 =0 1≤𝑖≤2⋀∀𝑘 0≤𝑘<𝑖 ⟹𝐴 𝑘 =0 𝑖=1⊑1≤𝑖≤2 𝑖=1∧0≤𝑘<𝑖⊑𝑘=0 𝑖=1∧𝐴 𝑘 =0 ⊑𝐴[𝑘]=0

Example ⊑ .. a .. a 0 ≤𝑖<3 ∧ ∀𝑘(0≤𝑘<𝑖⇒𝑎 𝑘 =0) .. a 0 ≤𝑖<3 ∧ ∀𝑘(0≤𝑘<𝑖⇒𝑎 𝑘 =0) ⊑ .. a 0 ≤𝑖<4 ∧ ∀𝑘(0≤𝑘<𝑖⇒𝑎 𝑘 =0)

Abstract Interpreter - Overview Quantifier introduction Templates Move facts from environment into quantified fact Join computes ⌈⋁⌉ of two quantified facts which involves ⌊⋀⌋ of their quantifier guards Assignment transfer function ∃ quantifier elimination Conditional transfer functions Termination

Quantifier Introduction Quantified facts are drawn from standard facts in E User gives set of templates to guide quantification Experiments show that few templates are needed b[0] = 0 b[0] ≤ b[1] k (k = 0  b[k] = 0) j, k (j = 0  k = 1  b[j] ≤ b[k]) Env fact Template Quantified fact (result) A[*] = c Can think of templates as defn of RHS domain. b[0] = 0 k(k = 0  b[k] = 0) A[*] ≤ A[*] b[0] ≤ b[1] j, k (j = 0  k = 1  b[j] ≤ b[k])

Join Ideal Join : GL⋁GR GL GR

Not in the desired quantified fact form Ideal Join GL= EL  V.(FL  eL) ⊔⩝ GR = ER  V.(FR  eR) EL  ¬ER ⟹ FL ¬EL  ER ⟹ FR EL  ER ⟹ FLFR Not in the desired quantified fact form Valuations for quantified vars (FL,FR) Valuations to Environment Vars (EL,ER)

Join G⩝ GL⋁GR GL GR Soundness : GL ⟹ G⩝ and GR ⟹ G⩝ Completeness : if G# s.t GL ⊑⩝ G# and GR ⊑⩝ G#, then G⩝ ⊑⩝ G#

Joining Quantifiers Result must be above both inputs in ⊔⩝, so: Goal: (EL  U.(FL  eL)) ⊔⩝ (ER  U. (FR  eR)) Result must be above both inputs in ⊔⩝, so: EL  U.(FL  eL) ⊑⩝ E  U.(F  e) ER  U.(FR  eR) ⊑⩝ E  U.(F  e) Based on ⊑⩝ definition: 1. EL ⊑ E and ER ⊑ E so E = EL ⊔ ER 2. EL  eL ⊑ e ER  eR ⊑ e U.(FL  eL) F. (F  e) U.(FR  eR) EL  F ⊑ FL ER  F ⊑ FR

Joining Quantifiers e = (EL  eL) ⊔ (ER  eR) Rewriting for F: U.(FL  eL) F. (F  e) EL  eL ⊑ e EL  F ⊑ FL U.(FR  eR) ER  eR ⊑ e ER  F ⊑ FR e = (EL  eL) ⊔ (ER  eR) Rewriting for F: Best solution for F = (EL  FL)  (ER  FR) If it's not in domain, pick best under-approximation F ⊑ EL  FL and F ⊑ ER  FR Why ? Mention near end at that it's really interesting! "One of the main contributions of this paper is to identify under-approx as the core of the quantification problem. It's used in all our transfer functions.“ F and E implies F i.e. F implies E implies F or, F ⊑ EL  FL and F ⊑ ER  FR

Quantified Join Algorithm Join⩝ (EL  ⋀iUi.(FiL  eiL)) ⊔⩝ (ER  ⋀i Ui. (FiR  eiR) result := Join𝒟 (EL , ER) forall i,j F = ⌊ EL  FiL ⋀ ER FiR ⌋ e = Join𝒟 (EL ⋀ eiL, ER ⋀ eiR) result := result ⋀ U(F  e ) return result;

⊔ ∀ Join - Example 𝑖=1 ⋀∀𝑘 𝑘=0 ⟹𝐴 𝑘 =0 𝑖=2 ⋀∀𝑘 0≤𝑘<1 ⟹𝐴 𝑘 =0 𝑖=1⊔𝑖=2≈1≤𝑖≤2 𝑖=1⇒𝑘=0 ∧𝑖=2 ⇒0≤𝑘<1 ≈0≤𝑘<𝑖 𝑖=1∧𝐴 𝑘 =0 ⊔𝑖=2∧𝐴 𝑘 =0≈𝐴 𝑘 =0 Requires Abduction

AI Example A[0] := 0; i := 1 i < n T F A[i] := 0; i := i+1 true i = 1  A[0] = 0 ? i = 2  A[0] = 0  A[1] = 0 ? i = 1  A[0] = 0 ? i < n Issue: This sort of assumes 1 < n T F ? i = 1  A[0] = 0 ? A[i] := 0; i := i+1 24

AI Example A[0] := 0; i := 1 Join Algorithm i < n i < n T T F F true A[0] := 0; i := 1 Join Algorithm i = 1  A[0] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i = 1  A[0] = 0 i = 1  A[0] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i < n i < n i = 1  A[0] = 0 Issue: This sort of assumes 1 < n T T F F 1  i  2  A[0] = 0 ? i = 1  A[0] = 0 A[i] := 0; i := i+1 25

AI Example A[0] := 0; i := 1 Join Algorithm i < n i < n T T F F true A[0] := 0; i := 1 Join Algorithm i = 1  A[0] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i = 1  A[0] = 0 i = 2  A[0] = 0  A[1] = 0 i = 1  A[0] = 0 i = 1  A[0] = 0 i = 1  k(k = 0  A[k] = 0) i = 2  k(0  k  1  A[k] = 0) i < n i < n i = 1  A[0] = 0 Issue: This sort of assumes 1 < n T T F F ? i = 1  A[0] = 0 1  i  2  k(0  k < i  A[k] = 0) A[i] := 0; i := i+1 26

AI Example A[0] := 0; i := 1 i < n T F A[i] := 0; i := i+1 true k(0  k < i  A[k] = 0) i = 1  k(k = 0  A[k] = 0) 1  i  k(0  k < i  A[k] = 0) i < n T F 1  i < n  k(0  k < i  A[k] = 0) i  n  k(0  k < i  A[k] = 0) A[i] := 0; i := i+1 27

Assignment Transfer function Eliminate 𝓵

Assignment TF Key observation : If G is quantified fact before assignment statement y := exp and G’ = Eliminate⩝(G, y) is fact after eliminating y from G Then G ⊑⩝ G’ For a moment assume y does not effect terms involving quantifier variables. E ⇒ E’ , therefore E’ = Eliminate(E, y) E ⋀ F’ ⇒ F, therefore F’ = ⌊⩝y(E ⇒ F)⌋ E ⋀ e ⇒ e’, therefore e’ = Eliminate(E ⋀ e, y)

Assignment TF - Eliminate⩝ Eliminate ⩝(G, y): Let G be E ⋀ ⩝U(F ⇒ e) T := { t | t occurs in F or e; Vars(t) ∩ U  ∅ } F := F ∧ ⋀t∈TNotEffect(<y,G>, t); E’ := EliminateD(E,y); e’ := EliminateD(e∧E,y); F’ := ⩝y(E⇒F) return (E’ ⋀ ⩝U(F’ ⇒ e’)) NotEffect(<y,G>, t) denotes a constraint g s.t. G ∧ g implies that y does not affect t.

Eliminating ∃ Fix F : Eliminate affected instances Fix F : Eliminate y from F Fix e : Eliminate y from e – Provided by base domain Fix E : Eliminate y from E – Provided by base domain

Remove affected instances {G ∶=∀𝑖(0≤𝑖 <10⇒𝐴 𝑖 =0)} s: A[0] = 1 {G ′ ∶=?} Remove only instances that are impacted and leave the rest as is 𝐹 ′ =0≤𝑖 <10 𝑖 ≠0

Eliminate y from F {G ∶=𝑖≥𝑛 ∧ ∀𝑘 0≤𝑘<𝑖⇒𝐴 𝑘 =0 } s : 𝑖=0 G ′ ∶=? Removing i from the guard (and E) is not sound (why ??) Solution: Under approximate universal quantification 𝐹′⇒∀𝑖 𝐸⇒𝐹 𝐹 ′ =⌊∀𝑖(𝑖≥𝑛⇒ 0≤𝑘<𝑖) ⌋ 𝐹 ′ ≔ 0≤𝑘<𝑛

Example Let G = (F[0]>10 ∧⩝k: 0·k<F[0] ⇒ F[k]>F[0] ) Then Eliminate ⩝(G, F[0]) = true ∧ ⩝k: F’⇒ e’, where T = { k, F[k] } NotEffect(<F[0],G>, F[k]) = k0 NotEffect(<F[0],G>, F[k]) = true F1 = 0·k<F[0] ∧ k  0 ∧ true = 1≤k<F[0] F’ = ⌊⩝F[0]: F[0]>10 ⇒ 1·k<F[0]⌋ = 1 ≤ k<10 e’ = Eliminate(F[k]>F[0] ∧ F[0]>10, F[0]) = F[k]<10

Widening and termination Look at the paper

Under-approximation of Operators We need Under-approximation operators for ⌊⋀⌋ during join operation ⌊⋁⌋ during quantifier merging (not covered) ⌊⩝⌋ during quantifier elimination Issues Under-approximation results should be in conjunctive domain. Under-approximations should be in the context of environment and two inputs may different inputs. ⩝

Solution - Abduction Process of reasoning of a fact (observations) with assumptions given a set of assumed facts (knowledge). F = abduct( E,F’) where F’ is a given base fact; formally E ∧ F ⇒ F’ ⌊⋀⌋((F1,E1),(F2,E2)) := abduct(E1,F1) ∩ abduct(E2,F2)

⌊⋀⌋ Algorithm F’’ = ⌊⋁⌋ ((F1∧E1),(F2 ∧ E2)) F = ∧ ((F1,E1),(F2,E2))

Example Example 2 𝐸 1 ≔𝑖=1 𝐹 1 ≔𝑗=0 𝐸 2 ≔𝑖=2 𝐹 1 ≔0 ≤𝑗<2 𝐸 1 ≔𝑖=1 𝐹 1 ≔𝑗=0 𝐸 2 ≔𝑖=2 𝐹 1 ≔0 ≤𝑗<2 Ans : 0 ≤𝑗<𝑖

Abduction Key Observation

⌊⩝⌋ Algorithm Key Observation