Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 7: Abstract Interpretation Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Abstract Interpretation [Cousot’77] Mathematical foundation of static analysis

Abstract Interpretation [CC77] A very general mathematical framework for approximating semantics Generalizes Hoare Logic Generalizes weakest precondition calculus Allows designing sound static analysis algorithms Usually compute by iterating to a fixed-point Not specific to any programming language style Results of an abstract interpretation are (loop) invariants Can be interpreted as axiomatic verification assertions and used for verification

Abstract Interpretation [Cousot’77] Mathematical framework for approximating semantics (aka abstraction) Allows designing sound static analysis algorithms Usually compute by iterating to a fixed-point Computes (loop) invariants Can be interpreted as axiomatic verification assertions Generalizes Hoare Logic & WP / SP calculus

Abstract Interpretation [Cousot’77] Mathematical foundation of static analysis Abstract domains Abstract states ~ Assertions Join () ~ Weakening Transformer functions Abstract steps ~ Axioms Chaotic iteration Structured Programs ~ Control-flow graphs Abstract computation ~ Loop invariants

Introduction to Domain Theory

Motivation Monotonicity: in terms of information Let “isone” be a function that must return “1$” when the input string has at least a 1 and “0$” otherwise isone(00…0$) = 0$ isone(xx…1…$) =1$ isone(0…0) =? Monotonicity: in terms of information Output is never retracted More information about the input is reflected in more information about the output How do we express monotonicity precisely?

Montonicity Define a partial order x  y A partial order is reflexive, transitive, and anti-symmetric y is a refinement of x “more precise” For streams of bits x y when x is a prefix of y For programs, a typical order is: No output (yet)  some output

Montonicity A set equipped with a partial order is a poset Definition: D and E are postes A function f: D E is monotonic if x, y D: x D y  f(x) E f(y) The semantics of the program ought to be a monotonic function More information about the input leads to more information about the output

Montonicity Example Consider our “isone” function with the prefix ordering Notation: 0k is the stream with k consecutive 0’s 0 is the infinite stream with only 0’s Question (revisited): what is isone(0k )? By definition, isone(0k$) = 0$ and isone(0k1$) = 1$ But 0k 0k$ and 0k  0 k1$ “isone” must be monotone, so: isone( 0k )  isone( 0k$) = 0$ isone( 0k )  isone( 0k1$) = 1$ Therefore, monotonicity requires that isone(0k ) is a common prefix of 0$ and 1$, namely 

Motivation Are there other constraints on “isone”? Define “isone” to satisfy the equations isone()= isone(1s)=1$ isone(0s)=isone(s) isone($)=0$ What about 0? Continuity: finite output depends only on finite input (no infinite lookahead) Intuition: A program that can produce observable results can do it in a finite time

Chains A chain is a countable increasing sequence <xi> = {xi X | x0 x1  … } An upper bound of a set if an element “bigger” than all elements in the set The least upper bound is the “smallest” among upper bounds: xi  <xi> for all i  N <xi>  y for all upper bounds y of <xi> and it is unique if it exists

Complete Partial Orders Not every poset has an upper bound with   n and nn for all n N {1, 2} does not have an upper bound Sometimes chains have no upper bound 0 1 2 …   2 1 The chain 0 12… does not have an upper bound

Complete Partial Orders It is convenient to work with posets where every chain (not necessarily every set) has a least upper bound A partial order P is complete if every chain in P has a least upper bound also in P We say that P is a complete partial order (cpo) A cpo with a least (“bottom”) element  is a pointed cpo (pcpo)

Examples of cpo’s Any set P with the order x y if and only if x = y is a cpo It is discrete or flat If we add  so that  x for all x  P, we get a flat pointed cpo The set N with  is a poset with a bottom, but not a complete one The set N  {  } with n  is a pointed cpo The set N with is a cpo without bottom Let S be a set and P(S) denotes the set of all subsets of S ordered by set inclusion P(S) is a pointed cpo

Constructing cpos If D and E are pointed cpos, then so is D × E (x, y)  D×E (x’, y’) iff x D x’ and yE y’ D×E = (D , E )  (x i , y i ) = ( D x i , E y i)

Constructing cpos (2) If S is a set of E is a pcpos, then so is S  E m  m’ iff s S: m(s) E m’(s) SE = s. E  (m , m’ ) = s.m(s) E m’(s)

Continuity A monotonic function maps a chain of inputs into a chain of outputs: x0  x1 …  f(x0)  f(x1)  … It is always true that: i <f(xi)>  f(i <xi>) But f(i <xi>) i <f(xi)> is not always true

A Discontinuity Example   3 2 1 f(i <xi>)  i <f(xi)>  1

Continuity Each f(xi) uses a “finite” view of the input f(<xi> ) uses an “infinite” view of the input A function is continuous when f(<xi>) = i <f(xi)> The output generated using an infinite view of the input does not contain more information than all of the outputs based on finite inputs

Continuity Each f(xi) uses a “finite” view of the input f(<xi> ) uses an “infinite” view of the input A function is continuous when f(<xi>) = i <f(xi)> The output generated using an infinite view of the input does not contain more information than all of the outputs based on finite inputs Scott’s thesis: The semantics of programs can be described by a continuous functions

Examples of Continuous Functions For the partial order ( N { },  ) The identity function is continuous id(ni) = id(ni ) The constant function “five(n)=5” is continuous five(ni) = five(ni ) If isone(0) = then isone is continuos For a flat cpo A, any monotonic function f: A A such that f is strict is continuous Chapter 8 of the Wynskel textbook includes many more continuous functions

{ Fixed Points Solve equation: where W:∑  ∑ ; W= Swhile b do S W(Ss ) if Bb()=true W() =  if Bb()=false  if Bb()= 

{ { Fixed Points Solve equation: where W:∑  ∑ ; W= Swhile b do S Alternatively, W = F(W) where: F(W) = . W(Ss ) if Bb()=true W() =  if Bb()=false  if Bb()=  { W(Ss ) if Bb()=true  if Bb()=false  if Bb()= 

Fixed Point (cont) Thus we are looking for a solution for W = F( W) a fixed point of F Typically there are many fixed points We may argue that W ought to be continuous W [∑  ∑] Cut the number of solutions We will see how to find the least fixed point for such an equation provided that F itself is continuous

Fixed Point Theorem Define Fk = x. F( F(… F( x)…)) (F composed k times) If D is a pointed cpo and F : D  D is continuous, then for any fixed-point x of F and k  N Fk ()  x The least of all fixed points is k Fk () Proof: By induction on k. Base: F0 ( ) =   x Induction step: Fk+1 ( ) = F( Fk ( ))  F( x) = x It suffices to show that k Fk () is a fixed-point F(k Fk ()) = k Fk+1 (  ) = k Fk ()

Fixed-Points (notes) If F is continuous on a pointed cpo, we know how to find the least fixed point All other fixed points can be regarded as refinements of the least one They contain more information, they are more precise In general, they are also more arbitrary

Fixed-Points (notes) If F is continuous on a pointed cpo, we know how to find the least fixed point All other fixed points can be regarded as refinements of the least one They contain more information, they are more precise In general, they are also more arbitrary They also make less sense for our purposes

Complete Lattice Let (D, ) be a partial order D is a complete lattice if every subset has both greatest lower bounds and least upper bounds

Knaster-Tarski Theorem Let f: L L be a monotonic function on a complete lattice L The least fixed point lfp(f) exists lfp(f) = {x L: f(x)x}

Fixed Points l1  l2  f(l1 )  f(l2 ) Red(f)   f() f() f2() f2() A monotone function f: L  L where (L, , , , , ) is a complete lattice Fix(f) = { l: l  L, f(l) = l} Red(f) = {l: l  L, f(l)  l} Ext(f) = {l: l  L, l  f(l)} l1  l2  f(l1 )  f(l2 ) Tarski’s Theorem 1955: if f is monotone then: lfp(f) =  Fix(f) =  Red(f)  Fix(f) gfp(f) =  Fix(f) =  Ext(f)  Fix(f) gfp(f) Ext(f) Fix(f) lfp(f)

Constant Propagation constant folding Optimization: constant folding simplifies constant expressions Optimization: constant folding Example: x:=7; y:=x*9 transformed to: x:=7; y:=7*9 and then to: x:=7; y:=63 Analysis: constant propagation (CP) Infers facts of the form x=c constant folding { x=c } y := aexpr y := eval(aexpr[c/x])

CP semantic domain Define CP-factoids:  = { x = c | x  Var, c  Z } How many factoids are there? Define predicates as  = 2 How many predicates are there? Do all predicates make sense? (x=5)  (x=7) Treat conjunctive formulas as sets of factoids {x=5, y=7} ~ (x=5)  (y=7)

One lattice per variable true true x0 x0 y0 y0 x<0 x=0 x>0 y<0 y=0 y>0 false false How can we compose them?

Cartesian product of complete lattices For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Define the poset Lcart = (D1D2, cart, cart, cart, cart, cart) as follows: (x1, x2) cart (y1, y2) iff x1 1 y1 x2 2 y2 cart = ? cart = ? cart = ? cart = ? Lemma: L is a complete lattice Define the Cartesian constructor Lcart = Cart(L1, L2)

Cartesian product example =(,) x0 x0 y0 y0 x0,y0 x0,y0 x0,y0 x0,y0 … … x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0 … x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0 =(, ) How does it represent (x<0y<0)  (x>0y>0)? (false, false)

Disjunctive completion For a complete lattice L = (D, , , , , ) Define the powerset lattice L = (2D, , , , , )  = ?  = ?  = ?  = ?  = ? Lemma: L is a complete lattice L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates Define the disjunctive completion constructor L = Disj(L)

The base lattice CP  … … {x=-2} {x=-1} {x=0} {x=1} {x=2} 

The disjunctive completion of CP What is the height of this lattice? true … … {x=-2} {x=-1} {x=0} {x=1} {x=2} … … … {x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2} … … … {x=-1 x=1x=-2} {x=0 x=1x=2} … false

Relational product of lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Lrel = (2D1D2, rel, rel, rel, rel, rel) as follows: Lrel = ?

Relational product of lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Lrel = (2D1D2, rel, rel, rel, rel, rel) as follows: Lrel = Disj(Cart(L1, L2)) Lemma: L is a complete lattice What does it buy us?

Cartesian product example true x0 x0 y0 y0 x0,y0 x0,y0 x0,y0 x0,y0 … … x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0 … x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0 false How does it represent (x<0y<0)  (x>0y>0)? What is the height of this lattice?

Relational product example true x0 x0 y0 y0 (x<0y<0)(x>0y>0) (x<0y<0)(x>0y=0) (x<0y0)(x<0y0) … false How does it represent (x<0y<0)  (x>0y>0)? What is the height of this lattice?

Collecting semantics … … … … label0: if x <= 0 goto label1 x := x – 1 goto label0 label1: 1 2 … 3 [x3] [x2] [x1] entry 4 5 … [x3] [x2] [x2] [x-1] [x0] [x1] 2 if x > 0 … [x-2] [x-1] exit [x0] [x1] x := x - 1 3 [x3] [x2] …

Defining the collecting semantics How should we represent the set of states at a given control-flow node by a lattice? How should we represent the sets of states at all control-flow nodes by a lattice?

Finite maps For a complete lattice L = (D, , , , , ) and finite set V Define the poset LVL = (VD, VL, VL, VL, VL, VL) as follows: f1 VL f2 iff for all vV f1(v)  f2(v) VL = ? VL = ? VL = ? VL = ? Lemma: L is a complete lattice Define the map constructor LVL = Map(V, L)

The collecting lattice Lattice for a given control-flow node v: ? Lattice for entire control-flow graph with nodes V: ? We will use this lattice as a baseline for static analysis and define abstractions of its elements

The collecting lattice Lattice for a given control-flow node v: Lv=(2State, , , , , State) Lattice for entire control-flow graph with nodes V: LCFG = Map(V, Lv) We will use this lattice as a baseline for static analysis and define abstractions of its elements

Equational definition of the semantics Define variables of type set of states for each control-flow node Define constraints between them R[entry] entry R[2] 2 if x > 0 R[exit] R[3] exit x := x - 1 3

Equational definition of the semantics R[2] = R[entry]  x:=x-1 R[3] R[3] = R[2]  {s | s(x) > 0} R[exit] = R[2]  {s | s(x)  0} A system of recursive equations How can we approximate it using what we have learned so far? R[entry] entry R[2] 2 if x > 0 R[exit] R[3] exit x := x - 1 3

An abstract semantics R[2] = R[entry]  x:=x-1# R[3] Abstract transformer for x:=x-1 R[2] = R[entry]  x:=x-1# R[3] R[3] = R[2]  {s | s(x) > 0}# R[exit] = R[2]  {s | s(x)  0}# A system of recursive equations Abstract representation of {s | s(x) < 0} R[entry] entry R[2] 2 if x > 0 R[exit] R[3] exit x := x - 1 3

Abstract interpretation via abstraction generalizes axiomatic verification {P} S {Q} sp(S, P)  abstract representation of sets of states abstract representation of sets of states abstract representation of sets of states abstract semantics statement S  abstraction abstraction set of states set of states collecting semantics statement S

Abstract interpretation via concretization {Q} abstract representation of sets of states abstract representation of sets of states statement S abstract semantics concretization concretization set of states set of states set of states statement S  collecting semantics models(P) models(sp(S, P)) models(Q) 

Required knowledge Collecting semantics Abstract semantics Connection between collecting semantics and abstract semantics Algorithm to compute abstract semantics

The collecting lattice (sets of states) Lattice for a given control-flow node v: Lv=(2State, , , , , State) Lattice for entire control-flow graph with nodes V: LCFG = Map(V, Lv) We will use this lattice as a baseline for static analysis and define abstractions of its elements

Equation systems in general Let L be a complete lattice (D, , , , , ) Let R be a vector of variables R[0, …, n]  D… D Let F be a vector of functions of the type F[i] : R[0, …, n]  R[0, …, n] A system of equations R[0] = f[0](R[0], …, R[n]) … R[n] = f[n](R[0], …, R[n]) In vector notation R = F(R) Questions: Does a solution always exist? If so, is it unique? If so, is it computable?

Equation systems in general Let L be a complete lattice (D, , , , , ) Let R be a vector of variables R[0, …, n]  D… D Let F be a vector of functions of the type F[i] : R[0, …, n]  R[0, …, n] A system of equations R[0] = f[0](R[0], …, R[n]) … R[n] = f[n](R[0], …, R[n]) In vector notation R = F(R) Questions: Does a solution always exist? If so, is it unique? If so, is it computable?

Monotone functions Let L1=(D1, ) and L2=(D2, ) be two posets A function f : D1  D2 is monotone if for every pair x, y  D1 x  y implies f(x)  f(y) A special case: L1=L2=(D, ) f : D  D

Important cases of monotonicity Join: f(X, Y) = X  Y Prove it! For a set X and any function g F(X) = { g(x) | x  X } Prove it! Notice that the collecting semantics function is defined in terms of Join (set union) Semantic function for atomic statements lifted to sets of states

Extensive/reductive functions Let L=(D, ) be a poset A function f : D  D is extensive if for every x  D, we have that x  f(x) A function f : D  D is reductive if for every x  D, we have that x  f(x)

Fixed-points L = (D, , , , , ) f : D  D monotone Fix(f) = { d | f(d) = d } Red(f) = { d | f(d)  d } Ext(f) = { d | d  f(d) } Theorem [Tarski 1955] lfp(f) = Fix(f) = Red(f)  Fix(f) gfp(f) = Fix(f) = Ext(f)  Fix(f) Red(f) fn() gfp Fix(f) lfp Ext(f) fn()  Does a solution always exist? Yes If so, is it unique? No, but it has least/greatest solutions If so, is it computable? Under some conditions…

Fixed point example for program R[0] = {xZ} R[1] = R[0]  R[4] R[2] = R[1]  {s | s(x) > 0} R[3] = R[1]  {s | s(x)  0} R[4] = x:=x-1 R[2] F(d) : Fixed-point d if x>0 x := x-1 2 3 entry exit xZ {x>0} {x<0} if x>0 x := x-1 2 3 entry exit xZ {x>0} {x<0} =

Fixed point example for program R[0] = {xZ} R[1] = R[0]  R[4] R[2] = R[1]  {s | s(x) > 0} R[3] = R[1]  {s | s(x)  0} R[4] = x:=x-1 R[2] F(d) : pre Fixed-point d if x>0 x := x-1 2 3 entry exit xZ {x>0} {x<-5} if x>0 x := x-1 2 3 entry exit xZ {x>0} {x<0} 

Fixed point example for program R[0] = {xZ} R[1] = R[0]  R[4] R[2] = R[1]  {s | s(x) > 0} R[3] = R[1]  {s | s(x)  0} R[4] = x:=x-1 R[2] F(d) : post Fixed-point d if x>0 x := x-1 2 3 entry exit xZ {x>0} {x<9} if x>0 x := x-1 2 3 entry exit xZ {x>0} {x<0} 

Continuity and ACC condition Let L = (D, , , ) be a complete partial order Every ascending chain has an upper bound A function f is continuous if for every increasing chain Y  D*, f(Y) = { f(y) | yY } L satisfies the ascending chain condition (ACC) if every ascending chain eventually stabilizes: d0  d1  …  dn = dn+1 = …

Fixed-point theorem [Kleene] Let L = (D, , , ) be a complete partial order and a continuous function f: D  D then lfp(f) = nN fn() Lemma: Monotone functions on posets satisfying ACC are continuous Proof:

Mathematical definition Resulting algorithm  Kleene’s fixed point theorem gives a constructive method for computing the lfp lfp(f) = nN fn() Mathematical definition lfp fn() d :=  while f(d)  d do d := d  f(d) return d Algorithm … f2() f() 

Chaotic iteration Input: Output: lfp(f) A worklist-based algorithm A cpo L = (D, , , ) satisfying ACC Ln = L  L  …  L A monotone function f : Dn Dn A system of equations { X[i] | f(X) | 1  i  n } Output: lfp(f) A worklist-based algorithm for i:=1 to n do X[i] :=  WL = {1,…,n} while WL   do j := pop WL // choose index non-deterministically N := F[i](X) if N  X[i] then X[i] := N add all the indexes that directly depend on i to WL (X[j] depends on X[i] if F[j] contains X[i]) return X

Chaotic iteration for static analysis Specialize chaotic iteration for programs Create a CFG for program Choose a cpo of properties for the static analysis to infer: L = (D, , , ) Define variables R[0,…,n] for input/output of each CFG node such that R[i]D For each node v let vout be the variable at the output of that node: vout = F[v]( u | (u,v) is a CFG edge) Make sure each F[v] is monotone Variable dependence determined by outgoing edges in CFG

Constant propagation example entry x := 4; while (y5) do z := x; x := 4 x := 4 if (*) assume y=5 assume y5 exit z := x x := 4

Constant propagation lattice For each variable x define L as For a set of program variables Var=x1,…,xn Ln = L  L  …  L not-a-constant  ... -2 -1 1 2 ...  no information

Write down variables x := 4; while (y5) do z := x; x := 4 entry if (*) assume y=5 assume y5 exit z := x x := 4

Write down equations x := 4; while (y5) do z := x; x := 4 entry R0 if (*) assume y=5 assume y5 R6 R3 exit z := x R4 x := 4 R5

Collecting semantics equations R0 = State R1 = x:=4 R0 R2 = R1  R5 R3 = assume y5 R2 R4 = z:=x R3 R5 = x:=4 R4 R6 = assume y=5 R2 entry R0 x := 4 R1 R2 R2 R2 if (*) assume y=5 assume y5 R6 R3 exit z := x R4 x := 4 R5

Constant propagation equations R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry abstract transformer R0 x := 4 R1 R2 R2 R2 if (*) assume y=5 assume y5 R6 R3 exit z := x R4 x := 4 R5

Abstract operations for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2  -1 -2 1 2 ...  CP lattice for a single variable Lattice elements have the form: (vx, vy, vz) x:=4# (vx,vy,vz) = (4, vy, vz) z:=x# (vx,vy,vz) = (vx, vy, vx) assume y5# (vx,vy,vz) = (vx, vy, vx) assume y=5# (vx,vy,vz) = if vy=k5 then (, , ) else (vx, 5, vz) R1  R5 = (a1, b1, c1)  (a5, b5, c5) = (a1a5, b1b5, c1c5)

Chaotic iteration for CP: initialization R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(, , ) R2=(, , ) R2 R2 if (*) WL = {R0, R1, R2, R3, R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(, , ) exit z := x R4=(, , ) x := 4 R5=(, , )

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(, , ) R2=(, , ) R2 R2 if (*) WL = {R1, R2, R3, R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(, , ) exit z := x R4=(, , ) x := 4 R5=(, , )

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(, , ) R2 R2 if (*) WL = {R2, R3, R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(, , ) exit z := x R4=(, , ) x := 4 R5=(, , )

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(, , ) R2 R2 if (*) WL = {R2, R3, R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(, , )  exit z := x R4=(, , ) ... -2 -1 1 2 3 4 ... x := 4 R5=(, , ) 

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {R2, R3, R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(, , )  exit z := x R4=(, , ) ... -2 -1 1 2 3 4 ... x := 4 R5=(, , ) 

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {R3, R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(, , ) exit z := x R4=(, , ) x := 4 R5=(, , )

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {R4, R5, R6} assume y=5 assume y5 R6=(, , ) R3=(4, , ) exit z := x R4=(, , ) x := 4 R5=(, , )

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {R5, R6} assume y=5 assume y5 R6=(, , ) R3=(4, , ) exit z := x R4=(4, , 4) x := 4 R5=(, , )

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {R2, R6} assume y=5 assume y5 R6=(, , ) R3=(4, , ) exit z := x R4=(4, , 4) added R2 back to worklist since it depends on R5 x := 4 R5=(4, , 4)

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {R6} assume y=5 assume y5 R6=(, , ) R3=(4, , ) exit z := x R4=(4, , 4) x := 4 R5=(4, , 4)

Chaotic iteration for CP R0 =  R1 = x:=4# R0 R2 = R1  R5 R3 = assume y5# R2 R4 = z:=x# R3 R5 = x:=4# R4 R6 = assume y=5# R2 entry R0=(, , ) x := 4 R1=(4, , ) R2=(4, , ) R2 R2 if (*) WL = {} assume y=5 assume y5 R6=(4, 5, ) R3=(4, , ) exit z := x R4=(4, , 4) x := 4 Fixed-point In practice maintain a worklist of nodes R5=(4, , 4)

Chaotic iteration for static analysis Specialize chaotic iteration for programs Create a CFG for program Choose a cpo of properties for the static analysis to infer: L = (D, , , ) Define variables R[0,…,n] for input/output of each CFG node such that R[i]D For each node v let vout be the variable at the output of that node: vout = F[v]( u | (u,v) is a CFG edge) Make sure each F[v] is monotone Variable dependence determined by outgoing edges in CFG

Complexity of chaotic iteration Parameters: n the number of CFG nodes k is the maximum in-degree of edges Height h of lattice L c is the maximum cost of Applying Fv  Checking fixed-point condition for lattice L Complexity: O(n  h  c  k) Incremental (worklist) algorithm reduces the n factor in factor Implement worklist by priority queue and order nodes by reversed topological order

Required knowledge Collecting semantics Abstract semantics (over lattices) Algorithm to compute abstract semantics (chaotic iteration) Connection between collecting semantics and abstract semantics Abstract transformers

Recap We defined a reference semantics – the collecting semantics We defined an abstract semantics for a given lattice and abstract transformers We defined an algorithm to compute abstract least fixed-point when transformers are monotone and lattice obeys ACC Questions: What is the connection between the two least fixed-points? Transformer monotonicity is required for termination – what should we require for correctness?

Recap We defined a reference semantics – the collecting semantics We defined an abstract semantics for a given lattice and abstract transformers We defined an algorithm to compute abstract least fixed-point when transformers are monotone and lattice obeys ACC Questions: What is the connection between the two least fixed-points? Transformer monotonicity is required for termination – what should we require for correctness?

Galois Connection Given two complete lattices C = (DC, C, C, C, C, C) – concrete domain A = (DA, A, A, A, A, A) – abstract domain A Galois Connection (GC) is quadruple (C, , , A) that relates C and A via the monotone functions The abstraction function  : DC  DA The concretization function  : DA  DC for every concrete element cDC and abstract element aDA ((a))  a and c  ((c)) Alternatively (c)  a iff c  (a)

Galois Connection: c  ((c)) The most precise (least) element in A representing c  3 ((c))  2 (c) c  1

Galois Connection: ((a))  a What a represents in C (its meaning) C A  a 2 (a) 1   3 ((a))

Example: lattice of equalities Concrete lattice: C = (2State, , , , , State) Abstract lattice: EQ = { x=y | x, y  Var} A = (2EQ, , , , EQ , ) Treat elements of A as both formulas and sets of constraints Useful for copy propagation – a compiler optimization (X) = ? (Y) = ?

Example: lattice of equalities Concrete lattice: C = (2State, , , , , State) Abstract lattice: EQ = { x=y | x, y  Var} A = (2EQ, , , , EQ , ) Treat elements of A as both formulas and sets of constraints Useful for copy propagation – a compiler optimization (s) = ({s}) = { x=y | s x = s y} that is s  x=y (X) = {(s) | sX} = A {(s) | sX} (Y) = { s | s  Y } = models(Y)

Galois Connection: c  ((c)) 3 … [x6, y6, z6] [x5, y5, z5] [x4, y4, z4] … 4 x=x, y=y, z=z   2 x=x, y=y, z=z, x=y, y=x, x=z, z=x, y=z, z=y   1 [x5, y5, z5] The most precise (least) element in A representing [x5, y5, z5]

Most precise abstract representation (c) = {c’ | c  (c’)} C A 6 4 5 2    7  3 (c) 8  9 c 1

Most precise abstract representation (c) = {c’ | c  (c’)} C A x=y 6 x=y, z=y 4 x=y, y=z 5 2   7  3 (c)= x=x, y=y, z=z, x=y, y=x, x=z, z=x, y=z, z=y 8  9 c 1 [x5, y5, z5]

Galois Connection: ((a))  a What a represents in C (its meaning) C A 2 … [x6, y6, z6] [x5, y5, z5] [x4, y4, z4] …     is called a semantic reduction x=y, y=z 1   3 x=x, y=y, z=z, x=y, y=x, x=z, z=x, y=z, z=y

Galois Insertion a: ((a))=a How can we obtain a Galois Insertion from a Galois Connection? C A 2 … [x6, y6, z6] [x5, y5, z5] [x4, y4, z4] … All elements are reduced   1 x=x, y=y, z=z, x=y, y=x, x=z, z=x, y=z, z=y

Properties of a Galois Connection The abstraction and concretization functions uniquely determine each other: (a) = {c | (c)  a} (c) = {a | c  (a)}

Abstracting (disjunctive) sets It is usually convenient to first define the abstraction of single elements (s) = ({s}) Then lift the abstraction to sets of elements (X) = A {(s) | sX}

The case of symbolic domains An important class of abstract domains are symbolic domains – domains of formulas C = (2State, , , , , State) A = (DA, A, A, A, A, A) If DA is a set of formulas then the abstraction of a state is defined as (s) = ({s}) = A{ | s  } the least formula from DA that s satisfies The abstraction of a set of states is (X) = A {(s) | sX} The concretization is () = { s | s   } = models()

Inducing along the connections Assume the complete lattices C = (DC, C, C, C, C, C) A = (DA, A, A, A, A, A) M = (DM, M, M, M, M, M) and Galois connections GCC,A=(C, C,A, A,C, A) and GCA,M=(A, A,M, M,A, M) Lemma: both connections induce the GCC,M= (C, C,M, M,C, M) defined by C,M = C,A  A,M and M,C = M,A  A,C

Inducing along the connections M A,C M,A c’ 5 4 a’ =A,M(C,A(c)) 3 c C,A(c) 1 C,A 2 A,M

Sound abstract transformer Given two lattices C = (DC, C, C, C, C, C) A = (DA, A, A, A, A, A) and GCC,A=(C, , , A) with A concrete transformer f : DC DC an abstract transformer f# : DA DA We say that f# is a sound transformer (w.r.t. f) if c: f(c)=c’  (f#(c))  (c’) For every a and a’ such that (f((a))) A f#(a)

Transformer soundness condition 1 c: f(c)=c’  (f#(c))  (c’) C A  5 f# 4 1 f 2 3

Transformer soundness condition 2 a: f#(a)=a’  f((a))  (a’) C A 4  f 5 1 f# 2 3

Best (induced) transformer f#(a)= (f((a))) C A 4 f f# 3 1 2 Problem:  incomputable directly

Best abstract transformer [CC’77] Best in terms of precision Most precise abstract transformer May be too expensive to compute Constructively defined as f# =   f   Induced by the GC Not directly computable because first step is concretization We often compromise for a “good enough” transformer Useful tool: partial concretization

Transformer example C = (2State, , , , , State) EQ = { x=y | x, y  Var} A = (2EQ, , , , EQ , ) (s) = ({s}) = { x=y | s x = s y} that is s  x=y (X) = {(s) | sX} = A {(s) | sX} () = { s | s   } = models() Concrete: x:=y X = { s[xs y] | sX} Abstract: x:=y# X = ?

Developing a transformer for EQ - 1 Input has the form X = {a=b} sp(x:=expr, ) = v. x=expr[v/x]  [v/x] sp(x:=y, X) = v. x=y[v/x]  {a=b}[v/x] = … Let’s define helper notations: EQ(X, y) = {y=a, b=y  X} Subset of equalities containing y EQc(X, y) = X \ EQ(X, y) Subset of equalities not containing y

Developing a transformer for EQ - 2 sp(x:=y, X) = v. x=y[v/x]  {a=b}[v/x] = … Two cases x is y: sp(x:=y, X) = X x is different from y: sp(x:=y, X) = v. x=y  EQ)X, x)[v/x]  EQc(X, x)[v/x] = x=y  EQc(X, x)  v. EQ)X, x)[v/x]  x=y  EQc(X, x) Vanilla transformer: x:=y#1 X = x=y  EQc(X, x) Example: x:=y#1 {x=p, q=x, m=n} = {x=y, m=n} Is this the most precise result?

Developing a transformer for EQ - 3 x:=y#1 {x=p, x=q, m=n} = {x=y, m=n}  {x=y, m=n, p=q} Where does the information p=q come from? sp(x:=y, X) = x=y  EQc(X, x)  v. EQ)X, x)[v/x] v. EQ)X, x)[v/x] holds possible equalities between different a’s and b’s – how can we account for that?

Developing a transformer for EQ - 4 Define a reduction operator: Explicate(X) = if exist {a=b, b=c}X but not {a=c} X then Explicate(X{a=c}) else X Define x:=y#2 = x:=y#1  Explicate x:=y#2){x=p, x=q, m=n}) = {x=y, m=n, p=q} is this the best transformer?

Developing a transformer for EQ - 5 x:=y#2 ){y=z}) = {x=y, y=z}  {x=y, y=z, x=z} Idea: apply reduction operator again after the vanilla transformer x:=y#3 = Explicate  x:=y#1  Explicate Observation : after the first time we apply Explicate, all subsequent values will be in the image of the abstraction so really we only need to apply it once to the input Finally: x:=y#(X) = Explicate  x:=y#1 Best transformer for reduced elements (elements in the image of the abstraction)

Negative property of best transformers Let f# =   f   Best transformer does not compose (f(f((a))))  f#(f#(a))

(f(f((a))))  f#(f#(a)) C A 9 f 7  f# 5 4 f 8 6 f f# 3 2 1

Soundness theorem 1 Given two complete lattices C = (DC, C, C, C, C, C) A = (DA, A, A, A, A, A) and GCC,A=(C, , , A) with Monotone concrete transformer f : DC DC Monotone abstract transformer f# : DA DA a DA : f((a))  (f#(a)) Then lfp(f)  (lfp(f#)) (lfp(f))  lfp(f#)

Soundness theorem 1 C A lpf(f)  lpf(f#)  fn  f#n  … … f3 f#3 aDA : f((a))  (f#(a))  aDA : fn((a))  (f#n(a))  aDA : lfp(fn)((a))  (lfp(f#n)(a))  lfp(f)   lfp(f#)  C A lpf(f)  lpf(f#)  fn  f#n  … … f3 f#3 f#2  f2  f#  f   

Soundness theorem 2 Given two complete lattices C = (DC, C, C, C, C, C) A = (DA, A, A, A, A, A) and GCC,A=(C, , , A) with Monotone concrete transformer f : DC DC Monotone abstract transformer f# : DA DA c DC : (f(c))  f#((c)) Then (lfp(f))  lfp(f#) lfp(f)  (lfp(f#))

Soundness theorem 2 C A lpf(f#)  lpf(f)  f#n  fn  … … f#3 f3 c DC : (f(c))  f#((c))  c DC : (fn(c))  f#n((c))  c DC : (lfp(f)(c))  lfp(f#)((c))  lfp(f)   lfp(f#)  C A lpf(f#)   f  fn  … lpf(f)  f2  f3 f#n  … f#3 f#2  f#  

A recipe for a sound static analysis Define an “appropriate” operational semantics Define “collecting” structural operational semantics Establish a Galois connection between collecting states and abstract states Local correctness: show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics Global correctness: conclude that the analysis is sound

Completeness Local property: forward complete: c: (f#(c)) = (f(c)) backward complete: a: f((a)) = (f#(a)) A property of domain and the (best) transformer Global property: (lfp(f)) = lfp(f#) lfp(f) = (lfp(f#)) Very ideal but usually not possible unless we change the program model (apply strong abstraction) and/or aim for very simple properties

Forward complete transformer c: (f#(c)) = (f(c)) C A 4 1 f 2 f# 3

Backward complete transformer a: f((a)) = (f#(a)) C A f 5 1 f# 2 3

Global (backward) completeness a: f((a)) = (f#(a))  a: fn((a)) = (f#n(a))  aDA : lfp(fn)((a)) = (lfp(f#n)(a))  lfp(f)  = lfp(f#)  C A lpf(f)  lpf(f#)  fn  f#n  … … f3 f#3 f#2  f2  f#  f   

Global (forward) completeness c DC : (f(c)) = f#((c))  c DC : (fn(c)) = f#n((c))  c DC : (lfp(f)(c)) = lfp(f#)((c))  lfp(f)  = lfp(f#)  C A lpf(f#)   f  fn  … lpf(f)  f2  f3 f#n  … f#3 f#2  f#  

Three example analyses Abstract states are conjunctions of constraints Variable Equalities VE-factoids = { x=y | x, y  Var}  false VE = (2VE-factoids, , , , false, ) Constant Propagation CP-factoids = { x=c | x  Var, c  Z}  false CP = (2CP-factoids, , , , false, ) Available Expressions AE-factoids = { x=y+z | x  Var, y,z  VarZ}  false A = (2AE-factoids, , , , false, )

Lattice combinators reminder Cartesian Product L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Cart(L1, L2) = (D1D2, cart, cart, cart, cart, cart) Disjunctive completion L = (D, , , , , ) Disj(L) = (2D, , , , , ) Relational Product Rel(L1, L2) = Disj(Cart(L1, L2))

Cartesian product of complete lattices For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Define the poset Lcart = (D1D2, cart, cart, cart, cart, cart) as follows: (x1, x2) cart (y1, y2) iff x1 1 y1 and x2 2 y2 cart = ? cart = ? cart = ? cart = ? Lemma: L is a complete lattice Define the Cartesian constructor Lcart = Cart(L1, L2)

Cartesian product of GCs GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Cartesian Product GCC,AB = (C, C,AB, AB,C, AB) C,AB(X)= ? AB,C(Y) = ?

Cartesian product of GCs GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Cartesian Product GCC,AB = (C, C,AB, AB,C, AB) C,AB(X) = (C,A(X), C,B(X)) AB,C(Y) = A,C(X)  B,C(X) What about transformers?

Cartesian product transformers GCC,A=(C, C,A, A,C, A) FA[st] : A  A GCC,B=(C, C,B, B,C, B) FB[st] : B  B Cartesian Product GCC,AB = (C, C,AB, AB,C, AB) C,AB(X) = (C,A(X), C,B(X)) AB,C(Y) = A,C(X)  B,C(X) How should we define FAB[st] : AB  AB

Cartesian product transformers GCC,A=(C, C,A, A,C, A) FA[st] : A  A GCC,B=(C, C,B, B,C, B) FB[st] : B  B Cartesian Product GCC,AB = (C, C,AB, AB,C, AB) C,AB(X) = (C,A(X), C,B(X)) AB,C(Y) = A,C(X)  B,C(X) How should we define FAB[st] : AB  AB Idea: FAB[st](a, b) = (FA[st] a, FB[st] b) Are component-wise transformers precise?

Cartesian product analysis example Abstract interpreter 1: Constant Propagation Abstract interpreter 2: Variable Equalities Let’s compare Running them separately and combining results Running the analysis with their Cartesian product CP analysis VE analysis a := 9; b := 9; c := a; {a=9} {a=9, b=9} {a=9, b=9, c=9} a := 9; b := 9; c := a; {} {} {c=a}

Cartesian product analysis example Abstract interpreter 1: Constant Propagation Abstract interpreter 2: Variable Equalities Let’s compare Running them separately and combining results Running the analysis with their Cartesian product CP analysis + VE analysis a := 9; b := 9; c := a; {a=9} {a=9, b=9} {a=9, b=9, c=9, c=a}

Cartesian product analysis example Abstract interpreter 1: Constant Propagation Abstract interpreter 2: Variable Equalities Let’s compare Running them separately and combining results Running the analysis with their Cartesian product CPVE analysis Missing {a=b, b=c} a := 9; b := 9; c := a; {a=9} {a=9, b=9} {a=9, b=9, c=9, c=a}

Transformers for Cartesian product Naïve (component-wise) transformers do not utilize information from both components Same as running analyses separately and then combining results Can we treat transformers from each analysis as black box and obtain best transformer for their combination?

Can we combine transformer modularly? No generic method for any abstract interpretations

Reducing values for CPVE X = set of CP constraints of the form x=c (e.g., a=9) Y = set of VE constraints of the form x=y ReduceCPVE(X, Y) = (X’, Y’) such that (X’, Y’)  (X’, Y’) Ideas?

Reducing values for CPVE X = set of CP constraints of the form x=c (e.g., a=9) Y = set of VE constraints of the form x=y ReduceCPVE(X, Y) = (X’, Y’) such that (X’, Y’)  (X’, Y’) ReduceRight: if a=b  X and a=c  Y then add b=c to Y ReduceLeft: If a=c and b=c  Y then add a=b to X Keep applying ReduceLeft and ReduceRight and reductions on each domain separately until reaching a fixed-point

Transformers for Cartesian product Do we get the best transformer by applying component-wise transformer followed by reduction? Unfortunately, no (what’s the intuition?) Can we do better? Logical Product [Gulwani and Tiwari, PLDI 2006]

Product vs. reduced product CPVE lattice collecting lattice   {a=9}{c=a} {c=9}{c=a}  {[a9, c 9]} {a=9, c=9}{c=a}  {}

Reduced product For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Define the reduced poset D1D2 = {(d1,d2)D1D2 | (d1,d2) =  (d1,d2) } L1L2 = (D1D2, cart, cart, cart, cart, cart)

Transformers for Cartesian product Do we get the best transformer by applying component-wise transformer followed by reduction? Unfortunately, no (what’s the intuition?) Can we do better? Logical Product [Gulwani and Tiwari, PLDI 2006]

Logical product-- Assume A=(D,…) is an abstract domain that supports two operations: for xD inferEqualities(x) = { a=b | (x)  a=b } returns a set of equalities between variables that are satisfied in all states given by x refineFromEqualities(x, {a=b}) = y such that (x)=(y) y  x

Developing a transformer for EQ - 1 Input has the form X = {a=b} sp(x:=expr, ) = v. x=expr[v/x]  [v/x] sp(x:=y, X) = v. x=y[v/x]  {a=b}[v/x] = … Let’s define helper notations: EQ(X, y) = {y=a, b=y  X} Subset of equalities containing y EQc(X, y) = X \ EQ(X, y) Subset of equalities not containing y

Developing a transformer for EQ - 2 sp(x:=y, X) = v. x=y[v/x]  {a=b}[v/x] = … Two cases x is y: sp(x:=y, X) = X x is different from y: sp(x:=y, X) = v. x=y  EQ)X, x)[v/x]  EQc(X, x)[v/x] = x=y  EQc(X, x)  v. EQ)X, x)[v/x]  x=y  EQc(X, x) Vanilla transformer: x:=y#1 X = x=y  EQc(X, x) Example: x:=y#1 {x=p, q=x, m=n} = {x=y, m=n} Is this the most precise result?

Developing a transformer for EQ - 3 x:=y#1 {x=p, x=q, m=n} = {x=y, m=n}  {x=y, m=n, p=q} Where does the information p=q come from? sp(x:=y, X) = x=y  EQc(X, x)  v. EQ)X, x)[v/x] v. EQ)X, x)[v/x] holds possible equalities between different a’s and b’s – how can we account for that?

Developing a transformer for EQ - 4 Define a reduction operator: Explicate(X) = if exist {a=b, b=c}X but not {a=c} X then Explicate(X{a=c}) else X Define x:=y#2 = x:=y#1  Explicate x:=y#2){x=p, x=q, m=n}) = {x=y, m=n, p=q} is this the best transformer?

Developing a transformer for EQ - 5 x:=y#2 ){y=z}) = {x=y, y=z}  {x=y, y=z, x=z} Idea: apply reduction operator again after the vanilla transformer x:=y#3 = Explicate  x:=y#1  Explicate

Logical Product- safely abstracting the existential quantifier basically the strongest postcondition

Abstracting the existential Reduce the pair Abstract away existential quantifier for each domain

Example

Information loss example if (…) b := 5 else b := -5 if (b>0) b := b-5 else b := b+5 assert b==0 {} {b=5} {b=-5} {b=} {b=} {b=} can’t prove

Disjunctive completion of a lattice For a complete lattice L = (D, , , , , ) Define the powerset lattice L = (2D, , , , , )  = ?  = ?  = ?  = ?  = ? Lemma: L is a complete lattice L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates Define the disjunctive completion constructor L = Disj(L)

Disjunctive completion for GCs GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Disjunctive completion GCC,P(A) = (C, P(A), P(A), P(A)) C,P(A)(X) = ? P(A),C(Y) = ?

Disjunctive completion for GCs GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Disjunctive completion GCC,P(A) = (C, P(A), P(A), P(A)) C,P(A)(X) = {C,A({x}) | xX} P(A),C(Y) = {P(A)(y) | yY} What about transformers?

Information loss example if (…) b := 5 else b := -5 if (b>0) b := b-5 else b := b+5 assert b==0 {} {b=5} {b=-5} {b=5  b=-5} {b=0} {b=0} proved

The base lattice CP true … … {x=-2} {x=-1} {x=0} {x=1} {x=2} false

The disjunctive completion of CP What is the height of this lattice? true … … {x=-2} {x=-1} {x=0} {x=1} {x=2} … … … {x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2} … … … {x=-1 x=1x=-2} {x=0 x=1x=2} … false

Taming disjunctive completion Disjunctive completion is very precise Maintains correlations between states of different analyses Helps handle conditions precisely But very expensive – number of abstract states grows exponentially May lead to non-termination Base analysis (usually product) is less precise Analysis terminates if the analyses of each component terminates How can we combine them to get more precision yet ensure termination and state explosion?

Taming disjunctive completion Use different abstractions for different program locations At loop heads use coarse abstraction (base) At other points use disjunctive completion Termination is guaranteed (by base domain) Precision increased inside loop body

With Disj(CP) Doesn’t terminate while (…) { if (…) b := 5 else b := -5 if (b>0) b := b-5 else b := b+5 assert b==0 } Doesn’t terminate

What MultiCartDomain implements With tamed Disj(CP) CP while (…) { if (…) b := 5 else b := -5 if (b>0) b := b-5 else b := b+5 assert b==0 } Disj(CP) terminates What MultiCartDomain implements

Reducing disjunctive elements A disjunctive set X may contain within it an ascending chain Y=a  b  c… We only need max(Y) – remove all elements below

Relational product of lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Lrel = (2D1D2, rel, rel, rel, rel, rel) as follows: Lrel = ?

Relational product of lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2) Lrel = (2D1D2, rel, rel, rel, rel, rel) as follows: Lrel = Disj(Cart(L1, L2)) Lemma: L is a complete lattice What does it buy us? How is it relative to Cart(Disj(L1), Disj(L2))? What about transformers?

Relational product of GCs GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Relational Product GCC,P(AB) = (C, C,P(AB), P(AB),C, P(AB)) C,P(AB)(X) = ? P(AB),C(Y) = ?

Relational product of GCs GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Relational Product GCC,P(AB) = (C, C,P(AB), P(AB),C, P(AB)) C,P(AB)(X) = {(C,A({x}), C,B({x})) | xX} P(AB),C(Y) = {A,C(yA)  B,C(yB) | (yA,yB)Y}

Cartesian product example Correlations preserved

Function space GCC,A=(C, C,A, A,C, A) GCC,B=(C, C,B, B,C, B) Denote the set of monotone functions from A to B by AB Define  for elements of AB as follows (a1, b1)  (a2, b2) = if a1=a2 then {(a1, b1B b1)} else {(a1, b1), (a2, b2)} Reduced cardinal power GCC,AB = (C, C,AB, AB,C, AB) C,AB(X) = {(C,A({x}), C,B({x})) | xX} AB,C(Y) = {A,C(yA)  B,C(yB) | (yA,yB)Y} Useful when A is small and B is much larger E.g., typestate verification

Widening/Narrowing

How can we prove this automatically? RelProd(CP, VE)

Intervals domain One of the simplest numerical domains Maintain for each variable x an interval [L,H] L is either an integer of - H is either an integer of + A (non-relational) numeric domain

Intervals lattice for variable x [-,+] ... [-,-1] [-,-1] [-,0] [0,+] [1,+] [2,+] ... [-20,10] [-10,10] ... [-2,-1] [-1,0] [0,1] [1,2] [2,3] ... ... [-2,-2] [-1,-1] [0,0] [1,1] [2,2] ... 

Intervals lattice for variable x Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}  =[-,+]  = ? [1,2]  [3,4] ? [1,4]  [1,3] ? [1,3]  [1,4] ? [1,3]  [-,+] ? What is the lattice height?

Intervals lattice for variable x Dint[x] = { (L,H) | L-,Z and HZ,+ and LH}  =[-,+]  = ? [1,2]  [3,4] no [1,4]  [1,3] no [1,3]  [1,4] yes [1,3]  [-,+] yes What is the lattice height? Infinite

Joining/meeting intervals [a,b]  [c,d] = ? [1,1]  [2,2] = ? [1,1]  [2, +] = ? [a,b]  [c,d] = ? [1,2]  [3,4] = ? [1,4]  [3,4] = ? [1,1]  [1,+] = ? Check that indeed xy if and only if xy=y

Joining/meeting intervals [a,b]  [c,d] = [min(a,c), max(b,d)] [1,1]  [2,2] = [1,2] [1,1]  [2,+] = [1,+] [a,b]  [c,d] = [max(a,c), min(b,d)] if a proper interval and otherwise  [1,2]  [3,4] =  [1,4]  [3,4] = [3,4] [1,1]  [1,+] = [1,1] Check that indeed xy if and only if xy=y

Interval domain for programs Dint[x] = { (L,H) | L-,Z and HZ,+ and LH} For a program with variables Var={x1,…,xk} Dint[Var] = ?

Interval domain for programs Dint[x] = { (L,H) | L-,Z and HZ,+ and LH} For a program with variables Var={x1,…,xk} Dint[Var] = Dint[x1]  …  Dint[xk] How can we represent it in terms of formulas?

Interval domain for programs Dint[x] = { (L,H) | L-,Z and HZ,+ and LH} For a program with variables Var={x1,…,xk} Dint[Var] = Dint[x1]  …  Dint[xk] How can we represent it in terms of formulas? Two types of factoids xc and xc Example: S = {x9, y5, y10} Helper operations c + + = + remove(S, x) = S without any x-constraints lb(S, x) =

Assignment transformers x := c# S = ? x := y# S = ? x := y+c# S = ? x := y+z# S = ? x := y*c# S = ? x := y*z# S = ?

Assignment transformers x := c# S = remove(S,x)  {xc, xc} x := y# S = remove(S,x)  {xlb(S,y), xub(S,y)} x := y+c# S = remove(S,x)  {xlb(S,y)+c, xub(S,y)+c} x := y+z# S = remove(S,x)  {xlb(S,y)+lb(S,z), xub(S,y)+ub(S,z)} x := y*c# S = remove(S,x)  if c>0 {xlb(S,y)*c, xub(S,y)*c} else {xub(S,y)*-c, xlb(S,y)*-c} x := y*z# S = remove(S,x)  ?

assume transformers assume x=c# S = ? assume x<c# S = ? assume x=y# S = ? assume xc# S = ?

assume transformers assume x=c# S = S  {xc, xc} assume x=y# S = S  {xlb(S,y), xub(S,y)} assume xc# S = ?

assume transformers assume x=c# S = S  {xc, xc} assume x=y# S = S  {xlb(S,y), xub(S,y)} assume xc# S = (S  {xc-1})  (S  {xc+1})

Effect of function f on lattice elements  L = (D, , , , , ) f : D  D monotone Fix(f) = { d | f(d) = d } Red(f) = { d | f(d)  d } Ext(f) = { d | d  f(d) } Theorem [Tarski 1955] lfp(f) = Fix(f) = Red(f)  Fix(f) gfp(f) = Fix(f) = Ext(f)  Fix(f) Red(f) fn() gfp Fix(f) lfp Ext(f) fn() 

Effect of function f on lattice elements  L = (D, , , , , ) f : D  D monotone Fix(f) = { d | f(d) = d } Red(f) = { d | f(d)  d } Ext(f) = { d | d  f(d) } Theorem [Tarski 1955] lfp(f) = Fix(f) = Red(f)  Fix(f) gfp(f) = Fix(f) = Ext(f)  Fix(f) Red(f) fn() gfp Fix(f) lfp Ext(f) fn() 

Continuity and ACC condition Let L = (D, , , ) be a complete partial order Every ascending chain has an upper bound A function f is continuous if for every increasing chain Y  D*, f(Y) = { f(y) | yY } L satisfies the ascending chain condition (ACC) if every ascending chain eventually stabilizes: d0  d1  …  dn = dn+1 = …

Fixed-point theorem [Kleene] Let L = (D, , , ) be a complete partial order and a continuous function f: D  D then lfp(f) = nN fn()

Mathematical definition Resulting algorithm  Kleene’s fixed point theorem gives a constructive method for computing the lfp lfp(f) = nN fn() Mathematical definition lfp fn() d :=  while f(d)  d do d := d  f(d) return d Algorithm … f2() f() 

Chaotic iteration Input: Output: lfp(f) A worklist-based algorithm A cpo L = (D, , , ) satisfying ACC Ln = L  L  …  L A monotone function f : Dn Dn A system of equations { X[i] | f(X) | 1  i  n } Output: lfp(f) A worklist-based algorithm for i:=1 to n do X[i] :=  WL = {1,…,n} while WL   do j := pop WL // choose index non-deterministically N := F[i](X) if N  X[i] then X[i] := N add all the indexes that directly depend on i to WL (X[j] depends on X[i] if F[j] contains X[i]) return X

Concrete semantics equations R[0] = {xZ} R[1] = x:=7 R[2] = R[1]  R[4] R[3] = R[2]  {s | s(x) < 1000} R[4] = x:=x+1 R[3] R[5] = R[2]  {s | s(x) 1000} R[6] = R[5]  {s | s(x) 1001}

Abstract semantics equations R[0] = ({xZ}) R[1] = x:=7# R[2] = R[1]  R[4] R[3] = R[2]  ({s | s(x) < 1000}) R[4] = x:=x+1# R[3] R[5] = R[2]  ({s | s(x) 1000}) R[6] = R[5]  ({s | s(x) 1001})  R[5]  ({s | s(x) 999})

Abstract semantics equations R[0] =  R[1] = [7,7] R[2] = R[1]  R[4] R[3] = R[2]  [-,999] R[4] = R[3] + [1,1] R[5] = R[2]  [1000,+] R[6] = R[5]  [999,+]  R[5]  [1001,+]

Too many iterations to converge

How many iterations for this one?

Widening Introduce a new binary operator to ensure termination A kind of extrapolation Enables static analysis to use infinite height lattices Dynamically adapts to given program Tricky to design Precision less predictable then with finite-height domains (widening non-monotone)

Formal definition For all elements d1  d2  d1  d2 For all ascending chains d0  d1  d2  … the following sequence is finite y0 = d0 yi+1 = yi  di+1 For a monotone function f : DD define x0 =  xi+1 = xi  f(xi ) Theorem: There exits k such that xk+1 = xk xkRed(f) = { d | dD and f(d)  d }

Analysis with finite-height lattice Red(f) Fix(f) f#n = lpf(f#)  … f#3 f#2  f#  

Analysis with widening Red(f) f#2  f#3 lpf(f#)  Fix(f) f#3 f#2  f#  

Widening for Intervals Analysis  [c, d] = [c, d] [a, b]  [c, d] = [ if a  c then a else -, if b  d then b else 

Semantic equations with widening R[0] R[1] R[2] R[3] R[4] R[5] R[6] R[0] =  R[1] = [7,7] R[2] = R[1]  R[4] R[2.1] = R[2.1]  R[2] R[3] = R[2.1]  [-,999] R[4] = R[3] + [1,1] R[5] = R[2]  [1001,+] R[6] = R[5]  [999,+]  R[5]  [1001,+]

Choosing analysis with widening Enable widening

Non monotonicity of widening [0,1]  [0,2] = ? [0,2]  [0,2] = ?

Non monotonicity of widening [0,1]  [0,2] = [0, ] [0,2]  [0,2] = [0,2]

Analysis results with widening Did we prove it?

Analysis with narrowing f#2  f#3 Red(f) lpf(f#)  Fix(f) f#3 f#2  f#  

Formal definition of narrowing Improves the result of widening y  x  y  (x y)  x For all decreasing chains x0  x1 … the following sequence is finite y0 = x0 yi+1 = yi  xi+1 For a monotone function f: DD and xkRed(f) = { d | dD and f(d)  d } define y0 = x yi+1 = yi  f(yi ) Theorem: There exits k such that yk+1 =yk ykRed(f) = { d | dD and f(d)  d }

Narrowing for Interval Analysis [a, b]   = [a, b] [a, b]  [c, d] = [ if a = - then c else a, if b =  then d else b ]

Semantic equations with narrowing R[0] =  R[1] = [7,7] R[2] = R[1]  R[4] R[2.1] = R[2.1]  R[2] R[3] = R[2.1]  [-,999] R[4] = R[3]+[1,1] R[5] = R[2]#  [1000,+] R[6] = R[5]  [999,+]  R[5]  [1001,+]

Analysis with widening/narrowing Two phases Phase 1: analyze with widening until converging Phase 2: use values to analyze with narrowing Phase 1: R[0] =  R[1] = [7,7] R[2] = R[1]  R[4] R[2.1] = R[2.1]  R[2] R[3] = R[2.1]  [-,999] R[4] = R[3] + [1,1] R[5] = R[2]  [1001,+] R[6] = R[5]  [999,+]  R[5]  [1001,+] Phase 2: R[0] =  R[1] = [7,7] R[2] = R[1]  R[4] R[2.1] = R[2.1]  R[2] R[3] = R[2.1]  [-,999] R[4] = R[3]+[1,1] R[5] = R[2]#  [1000,+] R[6] = R[5]  [999,+]  R[5]  [1001,+]

Analysis with widening/narrowing

Analysis results widening/narrowing Precise invariant