Abstraction in Abstract Interpretation

1. Introductive example Patrick COUSOT École Normale Supérieure 45 rue d’Ulm 75230 Paris cedex 05, France mailto:[email protected] http://www.di.ens.fr/˜cousot

Workshop on Reﬁnement and Abstraction ETL Osaka, Japan, November 15-17, 1999

¡¡¡£££ ! [] "# Abstraction in abstract interpretation, ¡¡¡—3! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999

Abstract Abstract interpretation

Abstract interpretation is a semantic approximation theory which has mainly been used for the de sign of static program analyzers. Our objective is to explain and illustrate the notion of abstrac Abstract interpretation is a semantic approximation theory [2]; • tion/concretization and its numerous variants which are commonly used in abstract interpretation to Mainly used for the design of semantics [3]andstaticprogramana formalize the loss of information. We also explain how the concrete model can be transformed into an • abstract semantic model, and inversely for refinement. lyzers [1]. Several examples are given for the design of programming language semantics as well as model-checking and program analysis algorithms. To illustrate the notions of relative completeness and of existence of a best abstraction, we show that transitional, demonic, natural and angelic deno tational, predicate transformer and axiomatic semantics are all relatively complete, best abstractions References of a maximal trace semantics (or equivalently that the maximal trace semantics is a refinement of all [1] P. Cousot and R. Cousot. these semantics). To illustrate incompleteness, we consider model-checking of finite transition systems Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints.In4th POPL,pages238–252,LosAngeles,Calif.,1977.ACMPress. for a temporal logic, both with maximal trace semantics. The logic can be restricted to ensure relative completeness at the expense of expressiveness. To illustrate inexistence of best approximations, we [2] P. Cousot and R. Cousot. consider several abstract domains for the abstraction of sets of vectors of numbers and sets of graphs Systematic design of program analysis frameworks. In 6th POPL,pages269–282,SanAntonio,Texas,1979.ACMPress. (for so-called set-based analysis). [3] P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. ENTCS,6,1997.URL:http://www.elsevier.nl/locate/entcs/volume6.html,25pages.

Abstraction in abstract interpretation, ¡¡¡—2! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—4! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation Properties as sets

Abstraction is understood as an approximation: A property is the set of objects which have this property; • • Example (properties of integers): • abstract -- Positive: 1, 2, 3, 4,... { } -- Odd: 1, 3, 5, 7,... Aprogramanalyzerisanapproximate implementation of the { } program (collecting) semantics! . "# $ There is often a confusion on the fact that abstract interpretation • interpretation does not deal with abstract objects but with abstract properties of # $! " objects; This is because the two notions sometime coincide; • The view of abstract interpretation as abstraction of properties is • more powerful that pseudo-evaluation on abstract objects .

Abstraction in abstract interpretation, ¡¡¡—5! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—7! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999

Objects and their properties Example: rule of signs standard semantics Programming is relative to objects: • reﬁnement Reﬁned object Abstract object Standard semantics: ←−−−−−−−−−− • −−−−−−−−−−abstraction→ -- Operational: what are the steps of evaluation of the expression Program proof/analysis to object properties: when knowing an assignment of values to the free variables; • -- Example (ρ =[x :5,y : 3]): Concrete concretization Abstract − "x x + y y#ρ object property ←−−−−−−−−−−−− object property × × −−−−−−−−−−−−abstraction → ("x#ρ "x#ρ)+("y#ρ "y#ρ) → × × (5 5) + ( 3 3)) → × − ×− 25 + 9 → 34 →

Abstraction in abstract interpretation, ¡¡¡—6! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—8! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999 Example (ρ =[x :+1,y : 1]): • − Denotational: what is the value of the expression when knowing an "x x + y y#ρ • × × assignment of values to the free variables: ("x#ρ "x#ρ)+("y#ρ "y#ρ) → × × X Z Z (+1 +1) + ( 1 1)) "e# ( ) → × − ×− ∈ &→ &→ +1 + +1 → "n#ρ = n +1 → "x#ρ = ρ(x) Correctness:theruleofsignsisastepbystepsimulationofthe • "e1 e2#ρ = "e1#."e1# standard semantics (inconclusive when no rule applies e.g. +1 + 1 × − "e1 + e2#ρ = "e1# + "e1# =?); Same idea in “subject reduction” of type theory. •

Abstraction in abstract interpretation, ¡¡¡—9! 81 — £££ ! [] " # ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—11! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Example: rule of signs Example: rule of signs 1 — the abstract object point of view 2—theabstractpropertypointofview Objective:determinethesignofanexpression; • Pseudo-evaluation method: • -- replace values by their signs; Property of an expression: set of its possible semantics; • -- interpret arithmetic operators on signs: Collecting semantics: the strongest program property: • X Z Z +1 + +1 = +1 , e ℘(( ) ) {| |} ∈ &→ &→ (1) +1 1= 1 , etc. e =! "e# ×− − {| |} { } Abstraction: Abstract semantics: a computable approximation of the collecting • • concrete object abstract object semantics. -- integer sign &−→ ! "#concrete$ operation!"#$ abstract operation -- integer integer integer sign sign sign …/… ! × "# &→ $ &−→ ! × "# &→ $ Abstraction in abstract interpretation, ¡¡¡—10! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—12! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Approximation The lattice of signs [4]: • -1,0,1 { } Two alternatives: • -- Universal/from above: consider a superset of the possible cases, -1,0 -1,1 0,1 { }{}{} -- Existential/from below: consider a subset of the possible cases; By duality, only universal approximation need to be formely studied; • -1 0 1 The rule of signs is a universal approximation (i.e. +1 + +1 = +1 { }{}{} • is valid whether 3 + 2 = 5 or 3 + 2 = 1789!) since more cases are considered than possible. ¿

…/… Reference [4] P. Cousot and R. Cousot. Systematic design of program analysis frameworks.In6th POPL,pages269–282, San Antonio, Texas, 1979. ACM Press.

Abstraction in abstract interpretation, ¡¡¡—13! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—15! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Approximation for the rule of signs α2 ℘(X Z) (X ℘(Z)) • ∈ &→! &→ &→ ! α2(R) = λ X ρ(X) ρ R α0 : Z S where S = +1, 0, 1 (2) · { | ∈ } • &→ { − } γ2 (X ℘(Z)) ℘(X Z)(4) α0(n)= 1iff n<0 ∈ &→! &→ X &→ − γ2(r) = ρ X : ρ(X) r(X) α0(n)=0 iff n =0 { | ∀ ∈ ∈ } α (n)=+1iff n>0 0 Example: Z S α1 ℘( ) ℘( )(3)[X :0,Y :0], [X :5,Y :5] • ∈ !&→ α (N) = α (n) n N α1 { } 1 0 [X : 0, 5 ,Y : 0, 5 ] S { Z | ∈ } γ1 ℘( ) ℘( ) &−→γ1 { } { } ∈ !&→ [X :0,Y :0], [X :0,Y :5], [X :5,Y :0], [X :5,Y :5] γ (S) = n α (n) S &−→ { } 1 { | 0 ∈ } Example: α γ 0, 17 1 0, +1 1 0, 1,...,17,... { } &−→ { } &−→ { } …/… …/…

Abstraction in abstract interpretation, ¡¡¡—14! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—16! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 …/… α5 (℘(X Z) ℘(Z)) ((X ℘(S)) ℘(S)) (7) X Z X S • ∈ ! &→ &→ &−→ &→ &→ α3 :( ℘( )) ( ℘( )) α (s) = α s γ • &→ &→ &→ 5 1 ◦ ◦ 4 α (ρ)=λ X α (ρ(X)) X S S X Z Z 3 · 1 γ5 (( ℘( )) ℘( )) (℘( ) ℘( )) X S X Z ∈ &→! &→ &−→ &→ &→ γ3 :( ℘( )) ( ℘( )) (5) γ (S) = γ S α &→ &→ &→ 5 1 ◦ ◦ 4 γ (ρ)=λ X γ (ρ(X)) 3 · 1 Intuition: Example: s ℘(X Z) # ℘(Z) [X : 0, 5 ,Y : 0, 5 ] &→ α { } { } % % 3 [X : 0, +1 ,Y : 0, +1 ] &−→γ { } { } α4 γ4 α1 γ1 3 [X : N,Y : N] &−→ $ S $ X ℘(S) ℘(S) &→ #

…/… …/…

Abstraction in abstract interpretation, ¡¡¡—17! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—19! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

X Z X S X Z Z X Z Z α4 : ℘( ) ( ℘( )) α6 ℘(( ) ) (℘( ) ℘( )) (8) • &→ &→ &→ • ∈ !&→ &→ &−→ &→ &→ α = α α α (S) = λ R s(ρ) s S ρ R 4 3 ◦ 2 6 X S X Z X Z · { Z| ∈ ∧ X∈ }Z Z γ4 :( ℘( )) ℘( )(6)γ6 (℘( ) ℘( )) ℘(( ) ) &→ &→ &→ ∈ !&→ &→ &−→ &→ &→ γ = γ γ γ (S) = s ρ X Z : s(ρ) S( ρ ) 4 2 ◦ 3 6 { | ∀ ∈ &→ ∈ { } } Example: Intuition: [X :0,Y :0], [X :5,Y :5] γ (α ( s )) 6 6 { } α3 { } = s ρ X Z : s (ρ ) s (ρ ) s s ρ ρ [X : 0, +1 ,Y : 0, +1 ] { * | ∀ * ∈ &→ * * ∈ { ** ** | ** ∈ { } ∧ ** ∈ { *}}} &−→γ { } { } = s ρ X Z : s (ρ ) s(ρ ) 3 [X : n, Y : m] n N m N { * | ∀ * ∈ &→ * * ∈ { * }} &−→ { | ∈ ∧ ∈ } = s ρ X Z : s (ρ )=s(ρ ) { * | ∀ * ∈ &→ * * * } = s s = s { * | * } = s { }

…/… …/…

Abstraction in abstract interpretation, ¡¡¡—18! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—20! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 X Z Z X S S α7 ℘(( ) ) (( ℘( )) ℘( )) (9) Calculational design of the abstract semantics • ∈ ! &→ &→ &−→ &→ &→ α = α α 7 5 ◦ 6 X S S X Z Z γ7 (( ℘( )) ℘( )) ℘(( ) ) $e% ∈ ! &→ &→ &−→ &→ &→ = α ( e ) γ7 = γ6 γ5 7 {| |} ◦ = α α ( e )bydef.(9)ofα 5 ◦ 6 {| |} 7 = α1 α6( e ) γ by def. (7)ofα5 Intuition: ℘((X Z) Z) ◦ {| |} ◦ 4 &→ &→ = λ R α ( s(ρ) s e ρ γ (R) )by(8) % · 1 { | ∈ {| |} ∧ ∈ 4 } = λ R α1( "e#ρ ρ γ4(R) )bydef.(1)of"e# α6 γ6 · { | ∈ } = λ R α ( "e#ρ ρ γ γ (R) )by(6) · 1 { | ∈ 2 ◦ 3 } $ = λ R α ( "e#ρ ρ γ (λ Y γ (R(Y ))) )bydef.(5)ofγ ℘(X Z) ℘(Z) · 1 { | ∈ 2 · 1 } 3 &→ &→ = λ R α ( "e#ρ ρ ρ Y X : ρ (Y ) γ (R(Y )) ) % · 1 { | ∈ { * | ∀ ∈ * ∈ 1 }} by def. (4)ofγ α5 γ5 2 = λ R α ( "e#ρ Y X : ρ(Y ) γ (R(Y )) )bydef. $ · 1 { | ∀ ∈ ∈ 1 } ∈ (X ℘(S)) ℘(S) We go on by structural induction on e. &→ &→ …/…

Abstraction in abstract interpretation, ¡¡¡—21! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—23! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

e n: Speciﬁcation of the rule of signs abstract semantics • ≡ λ R α1( "n#ρ Y X : ρ(Y ) γ1(R(Y )) ) · { | ∀ ∈ ∈ } ! = λ R α ( n )bydef."n#ρ = n Standard semantics: "e# · 1 { } • ! = λ R α (n) by def. (3)ofα · 0 1 Collecting semantics: e = "e# λ R { } n< α • {| |} ! { } = 1 if 0 by def. (2)of 0 Abstract semantics: $e% = α ( e )bestapproximation · {− } • 7 {| |} λ R 0 if n =0 $e% ˙ α ( e )suboptimalapproximation · { } ⊇ 7 {| |} λ R +1 if n>0 Example of suboptimal abstract semantics: · { } • -- α ( X X )[X : +1 ] e X: 7 {| − |} { } • ≡ = α ( 0 )[X : +1 ] 7 {| |} { } λ R α ( "X#ρ Y X : ρ(Y ) γ (R(Y )) ) = 0 · 1 { | ∀ ∈ ∈ 1 } { } = λ R α1( ρ(X) Y X : ρ(Y ) γ1(R(Y )) ) -- $X X %[X : +1 ] · { | ∀ ∈ ∈ } ! − { } = $X %[X : +1 ] $X %[X : +1 ] by def. "X#ρ = ρ(X) { } − { } = +1 +1 = λ R α1( ρ(X) ρ(X) γ1(R(X)) ) { } − { } · { | ∈ } ={-1,0,+1} = λ R α (γ (R(X))) · 1 1 = λ R R(X) …/… · Abstraction in abstract interpretation, ¡¡¡—22! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—24! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 e e + e : • ≡ 1 2 Summary of the abstract semantics λ R α1( "e1 + e2#ρ ρ γ4(R) ) · { | ∈ } $n%R = 1 if n<0 = λ R α1( "e1#ρ + "e2#ρ ρ γ4(R) ) • {− } · { | ∈ } ! 0 if n =0 by def. "e1 + e2#ρ = "e1#ρ + "e2#ρ { } λ R α ( "e #ρ + "e #ρ ρ γ (R) ρ γ (R) ) +1 if n>0 ⊆ · 1 { 1 2 * | ∈ 4 ∧ * ∈ 4 } { } = λ R α ( x + y x "e #ρ ρ γ (R) $X %R = R(x) · 1 { | ∈ { 1 | ∈ 4 } ∧ • y "e #ρ ρ γ (R) ) $e + e %R = $e %R + $e %R ∈ { 2 * | * ∈ 4 }} • 1 2 1 2 λ R α ( x + y x γ α ( "e #ρ ρ γ (R) ) ⊆ · 1 { | ∈ 1 ◦ 1 { 1 | ∈ 4 } ∧ where the “rule of signs”for addition + is: y γ α ( "e #ρ ρ γ (R) ) ) ∈ 1 ◦ 1 { 2 * | * ∈ 4 } } λ R α ( x + y x γ ($e %R) y γ ($e %R) )byind.hyp. + 1 0 +1 1, 0 1, +1 0, +1 1, 0, +1 1 1 1 1 2 ∅ {− }{}{}{− }{− }{ }{− } ⊆ · { | ∈ ∧ ∈ } 1, 0, +1 ∅ ∅∅∅∅∅∅∅{− } =λ R ($e1%R + $e2%R)where+ is calculated by cases: 1 1 1 1, 0, +1 1 1, 0, +1 1, 0, +1 1, 0, +1 {− } ∅ {− }{− }{− }{− }{− }{− }{− } · 0 1 0 +1 1, 0 1, +1 0, +1 1, 0, +1 { } ∅ {− }{}{}{− }{− }{ }{− } +1 1, 0, +1 +1 +1 1, 0, +1 1, 0, +1 +1 1, 0, +1 { } ∅ {− }{}{}{− }{− }{}{− } 1, 0 1 1, 0 1, 0, +1 1, 0 1, 0, +1 1, 0, +1 1, 0, +1 {− } ∅ {− }{− }{− }{− }{− }{− }{− } 1, +1 1, 0, +1 1, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 {− } ∅ {− }{− }{− }{− }{− }{− }{− } 0, +1 1, 0, +1 0, +1 +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 { } ∅ {− }{ }{}{− }{− }{− }{− } 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 1, 0, +1 …/… {− } {− }{− }{− }{− }{− }{− }{− }{− }

Abstraction in abstract interpretation, ¡¡¡—25! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—27! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

-- α1( x + y x γ1(+1) y γ1(+1) ) { | ∈ + ∧ ∈ + } = α1( x + y x N y N ) { + | ∈ ∧ ∈ } = α1(N ) = +1 so that +1 + +1 = +1 { } { } { } { } -- α ( x + y x γ ( 1) y γ (+1) ) 1 { | ∈ 1 − ∧ ∈ 1 } N+ N = α1( x + y x y − ) { | ∈ ∧ ∈ } 2. Formalization of abstraction/concretization = α1(Z) = 1, 0, +1 so that 1 + +1 = 1, 0, +1 {− } {− } { } {− } -- etc.

Reference [5] P. Cousot. The calculational design of a generic abstract interpreter.InM.BroyandR.Steinbrüggen,edi tors, Calculational System Design,volume173,pages421–505.NATOScienceSeries,SeriesF:Computerand Systems Sciences. IOS Press, 1999.

Abstraction in abstract interpretation, ¡¡¡—26! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—28! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Galois connection — 1 Galois connection — 2

The paire α, γ is a Galois connection: An equivalent deﬁnition of / 0 α is -monotone γ • ⊆ L, M, abstraction preserve implication; ←−−α− ⇒ / ≤0 −−−→ / 30 γ is -monotone is • ⊆ concretization preserves implication; ⇒ L, and M, are posets; γ α is -extensive • / ≤0 / 30 • ◦ ⊆ x L : y M : α(x) y x γ(y). an abstraction introduces a loss of information; • ∀ ∈ ∀ ∈ 3 ⇔ ≤ ⇒ α γ is -reductive • ◦ ⊆ aconcretizationcanonlybemoreprecise. ⇒ γ7 Notation: ℘((X Z) Z), (X ℘(S)) ℘(S), ˙ / &→ &→ ⊆0 −←−−−−α7→− / &→ &→ ⊆0

Abstraction in abstract interpretation, ¡¡¡—29! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—31! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Example of Galois connection based abstraction: A few properties of Galois connections •

One function uniquely determine the other: -1,0,1 -1,0,1 • { } { } α(x)= y x γ(y) 5{ | ≤ } γ(y)= x α(x) y -1,0 -1,1 0,1 -1,0 0,1 6{ | 3 } { }{}{} { } { } α has an adjoint iﬀ it preserves existing lubs; • γ has an adjoint iﬀ it preserves existing glbs; • -1 0 1 0 { }{}{} { }

¿ ¿

Abstraction in abstract interpretation, ¡¡¡—30! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—32! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Surjections/injections Example of closure operator based abstraction: •

γ α ◦ α is surjective γ is injective α γ = 1: • ⇔ ⇔ ◦ -1,0,1 γ α{ } γ α γ ◦ ◦ L, M, γ α / ≤0 ←−−−α − / 30 ◦ −−−→−→ -1,0 -1,1 0,1 { }{}{} γ α Assuming α surjective simpliﬁes the formal presentation (not always γ α ◦ γ α • ◦ ◦ possible in practice); -1 0 1 α γ γ α { }{}{} Dually, is injective is surjective = 1: γ α • ⇔ ⇔ ◦ ◦ γ L, M, ¿ / ≤0 −←−←−−−α−−→− / 30

Abstraction in abstract interpretation, ¡¡¡—33! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—35! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Closure operators Moore family If γ L, M, If ←−−α− γ / ≤0 −−−→ / 30 L, M, γ α represents the approximation of concrete properties by a con / ≤0 ←−−α− / 30 • ◦ −−−→ crete representation of the abstract properties; γ α(M)representsthesetofconcreterepresentationsoftheab • ◦ γ α is an upper closure operator: stract properties; • ◦ γ α(M)isaMoore family: -- monotone, • ◦ -- extensive, -- contains a top element (if M has a supremum), -- idempotent. -- closed by arbitrary intersections. Aformallyequivalentformalizationofabstraction[6,Sections6.2]. Aformallyequivalentformalizationofabstraction[7,Sections6.1]. • •

Reference Reference [6] P. Cousot and R. Cousot. Systematic design of program analysis frameworks.In6th POPL,pages269–282, [7] P. Cousot and R. Cousot. Systematic design of program analysis frameworks.In6th POPL,pages269–282, San Antonio, Texas, 1979. ACM Press. San Antonio, Texas, 1979. ACM Press.

Abstraction in abstract interpretation, ¡¡¡—34! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—36! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Example of Moore family based abstraction: In absence of best approximation? • 1 -1,0,1 The classical rule of signs has no 0 : { } { }

-1,0 -1,1 0,1 -1,0,1 -1,0,1 { }{}{} { } { }

-1 0 1 -1,0 -1,1 0,1 -1,0 -1,1 0,1 { }{} { } { }{}{} { }{}{}

¿ -1 0 1 { }{}{} α???

¿ ¿ …/…

1 because in practice one makes the algebraic simpliﬁcation x +0=0+x =0.

Abstraction in abstract interpretation, ¡¡¡—37! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—39! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Best approximation In absence of best approximation (continued)

The best choice must be determined during this analysis: γ α(P )istheconcreterepresentationofthebest abstract approxi • • ◦ -- α( 0 )= 1, 0 is a better choice in $0+ 1%R = 1, 0 mation of P : { } {− } − {− } Its an upper-approximation: P γ α(P ); -- α( 0 )= +1, 0 is a better choice in $0+1%R = 0, +1 -- ◦ { } { } { } ≤ In practice, one uses γ only and widening/narrowing operators [8]as -- Its the best abstraction: if is another abstract approximation (i.e. • Q γ α(L)andP Q)thenγ α(P )ismoreprecise(in e.g. in [9]; ∈ ◦ ≤ ◦ that γ α(P ) Q). Other alternatives (e.g. use a soundness relation)discussedin[10]. ◦ ≤ • The best approximation does exists and is unique (by antisymmetry). • References [8] P. Cousot and R. Cousot. Abstract interpretation: a uniﬁed lattice model for static analysis of programs by construction or approximation of ﬁxpoints.In4th POPL,pages238–252,LosAngeles,Calif.,1977.ACM Press. [9] P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program.In5th POPL,pages84–97,Tucson,Ariz.,1978.ACMPress. [10] P. Cousot and R. Cousot. Abstract interpretation frameworks. J. Logic and Comp.,2(4):511–547,Aug.1992.

Abstraction in abstract interpretation, ¡¡¡—38! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—40! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Compound abstraction 2 Examples of abstraction composition operators

γ1 γ2 Abstraction composition:if L, M, and M, ←−−α − ←−−α − The abstraction is designed by composition: • / ≤0 −−−1→ / 30 / 30 −−−2→ • N, then: -- of primitive abstractions; / 70 γ1 γ2 -- of abstraction composition operators. L, ◦ N, ←−−−−α α − / ≤0 −−−−−2◦ 1→ / 70 γ1 γ2 Functional abstraction:if L, L%, % and M, • / ≤0 −←−−−−α1→− / ≤ 0 / 30 −←−−−−α2→− M %, % then: / 3 0

mon λ f α2 f γ1 mon % L M, ˙ · ◦ ◦ L% M%, ˙ / &−→ 30 −←−−−−−−−−−−−−−−−−−−−−λ F γ F α →− / &−→ 3 0 · 1◦ ◦ 2 2 In french we would use the term “compositional”, which in the context of denotational semantics is already used to mean “by structural induction on the abstract syntax”.

Abstraction in abstract interpretation, ¡¡¡—41! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—43! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Example of primitive abstractions Fixpoint transfer and approximation [11,p.309]:If Elementwise abstraction:if@ S S% then: -- L, , 0, is a cpo, • ∈ &→ / ≤ ∨0γ -- L, M, , γ@ % / ≤0 ←−−α− / 30 ℘(S), ℘(S ), −mon−−→ / ⊆0 −−−→←−−−α@ / ⊆0 -- F L L , ∈ &−→mon -- G M M where: ∈ &−→ α F =/ G α local completeness/approximation -- ◦ ◦ ! 3 α@(X) = @(x) x X then ! { | ∈ } γ (Y ) = x @(x) Y M, , , is a cpo where = α(0) and X = α( γ(X)) , @ { | ∈ } / 3 ⊥ 60 ⊥ 6 ∨ α F γ =/ G , ◦ ◦ 3 α(lfp≤F )=/ lfp3G. Reference 3 [11] P. Cousot. Semantic foundations of program analysis.InS.S.MuchnickandN.D.Jones,editors,Program Flow Analysis: Theory and Applications,chapter10,pages303–342.Prentice-Hall,1981.

Abstraction in abstract interpretation, ¡¡¡—42! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—44! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 The lattice of abstract interpretations

The abstract interpretations of a semantics are isomorphic to closure • operators; So the complete lattice of abstract interpretations [12]isisomorphic • to the complete lattice of closure operators on a complete lattice/cpo. 3. Abstraction/concretization in program analysis

References [12] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th POPL,pages269–282,SanAntonio,Texas,1979.ACMPress.

Abstraction in abstract interpretation, ¡¡¡—45! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—47! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Soundness and completeness 3 Data ﬂow analysis is an abstract interpretation

From [13,section7.2.0.6.3]: P :collectingsemanticsofP τ = S, A,t :transitionsystem(S =! C M control memory •{| |} γ • / 0 × × L, M, :abstraction states, actions A are assignments and tests) ←−−α− • / ≤0 −−−→ / 30 T S $P %:abstractsemanticsofP :traces s0,a0,s1 s1,a1,s2 ... sn 1,an 1,sn , si , ai • • A / 0/ 0 / − − 0 ∈ ∈ Soundness: • τ T:programsemantics(setofpreﬁxclosedﬁnitetracesgener • M ⊆ P : α( P ) $P % ated by τ); ∀ {| |} 3 E A (Global) completeness: :setofexpressionsappearinginactions ; • • P : α( P )=$P % ∀ {| |} Reference [13] P. Cousot and R. Cousot. Systematic design of program analysis frameworks.In6th POPL,pages269–282, 3 We should say relative completeness to stress the fact that we reason in set theoretical terms, so that, in logical terms, an oracle is assumed San Antonio, Texas, 1979. ACM Press. to exist for logical implication.

Abstraction in abstract interpretation, ¡¡¡—46! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—48! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Program static analysis is an abstract interpretation Static partitioning abstraction [14]: • ! ! n αp(M) = σ* s, a, ',m σ* s, a, ',m M S = C Z States (ﬁnite control states C) { / / 00 | / / 00 ∈ } • ! × '%C P = ℘(S)Properties ∈ • I ! such that: γ = [a, b] a b Interval abstract domains p • { | γ ≤ } ∪ {⊥} ℘(T), C ℘(T), ˙ Z 1 I / ⊆0 ←−←α−−p − / &→ ⊆0 ℘( ), , Interval abstraction −−−−→ → • / ⊆0 −←−−−−α1→− / ≤0 γ ! Pointwise abstraction:If ℘(T), L, then: α (Z) = (Z = ? : [min Z, max Z]) (min Z = ,maxZ = ) α 1 −∞ ∞ • / ⊆0 −←−−−−→− / 30 γ2 ∅ ⊥ γ˙ P, C ([1,n] I), ˙ State abstraction C ℘(T), ˙ C L, ˙ • / ⊆0 −←−−−−α2→− / &→ &→ ≤0 / &→ ⊆0 ←−−α˙ − / &→ 30 n −−−→ ! ! α2(S) = α1( z x1,...,xi 1,xi+1,...,xn : where: α˙ (M) = λ ' α(M(')) { | ∃ − · '%C %i=1 ', x1,...,xi 1,z,xi+1,...,xn S ) Reference ∈ / / − 00 ∈ } [14] P. Cousot. Semantic foundations of program analysis.InS.S.MuchnickandN.D.Jones,editors,Program Flow Analysis: Theory and Applications,chapter10,pages303–342.Prentice-Hall,1981.

Abstraction in abstract interpretation, ¡¡¡—49! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—51! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

gen(a):expressionse E generated by assignment/test a A; {n:_O_;i:_O_} • ∈ ∈ n:=?; kill(a):expressionse E killed by assignment/test a A; • ∈ ∈ {n:[-oo,+oo];i:_O_} Deﬁnition of availability at exit of a path σ: i:=1; • {n:[-oo,+oo];i:[1,+oo]} avail(σ)=(σ = σ* s, a, s* ? (avail(σ*) kill(a)) gen(a) : ) while (i < n) do / 0 ∩ ¬ ∪ ∅ {n:[2,+oo];i:[1,1073741822]} Availability abstraction (availability at exit of all paths of M): i:=(i+1) • {n:[2,+oo];i:[2,+oo]} ! αa(M) = avail(σ) σ M od ∩{ | ∈ } {n:[-oo,+oo];i:[1,+oo]} such that: References γa ℘(T), ℘(E), [15] P. Cousot and R. Cousot. Static determination of dynamic properties of programs.InProc. 2ndInt. Symp. / ⊆0 ←−−−−−αa→− / ⊇0 on Programming,pages106–130.Dunod,1976. Availability at all points ' C: [16] P. Cousot. The Marktoberdorf’98 generic abstract interpreter.1998. • ∈ http://www.di.ens.fr/˜cousot/Marktoberdorf98.shtml,Nov. [17] P. Lacan, J.N. Monfort, Le Vinh Quy Ribal, A. Deutsch, and G. Gonthier. The software reliability veriﬁcation α˙ a αp( τ ). process: The Ariane 5 example. In Proceedings DASIA 98 – DAta Systems IN Aerospace,Athens,GR.ESA ◦ M Publications, SP-422, 25–28 May 1998.

Abstraction in abstract interpretation, ¡¡¡—50! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—52! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Grammar analysis is an abstract interpretation No best approximation (f F3 , a, b, c F1 , n F0): • ∈ ∈ ∈ G = N,T,P,A context free grammar ! • / 0 0 = The semantics "G# of G is the terminal language generated by G; X ! ∅ • 1 = f(a(n),b(n),c(n)) The First algorithm is an abstract interpretation of the grammar X ! { } 2 2 2 • 2 = f(a(n),b(n),c(n)), f(a (n),b (n),c (n)) ﬁxpoint semantics [18]by: X { } ...... γ ) 4 ! T , ℘(T * ), = f(a(n),b(n),c(n)),...,f(ak(n),bk(n),ck(n)) / ⊆0 ←−−−α − / ∪ { } ⊆0 Xk { } where: −−−→−→ ! ...... α(L) = @(σ) σ L ! k k k ! { | ∈ } ω = k = f(a (n),b (n),c (n)) k 0 @(*) = * X X { | ≥ } k(0 is not context free @(xσ) =! x ≥ The , k 0canallbedescribedbyaregulartreegrammarbut Reference • Xk ≥ [18] P. Cousot and R. Cousot. Abstract interpretation of algebraic polynomial systems.InM.Johnson,ed.,Proc. not ω.So ω is approximated by the regular language: 6thInt. Conf. AMAST ’97,Sydney,AU,LNCS1349,pages138–154.Springer-Verlag,13–18Dec.1997. X X f(ak(n),b"(n),cm(n)) k, ',m 0 . 4 " is the empty string. { | ≥ } Abstraction in abstract interpretation, ¡¡¡—53! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—55! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Set based analysis is an abstract interpretation Type inference is an abstract interpretation

T F Fn Concrete domain: set of tree on a ﬁnite signature = n 0 ; • ≥ Concrete standard domain for λ-expressions: Abstract domain: regular tree grammars G in Greibach normal& form: • • ! W = ω wrong n n Fn ::= f ( 1,..., n) f z Z { } integers X 0 Y Y 0 ∈ 0 ' ::= f f F ∈ U W Z U con U X ∈ v,ϕ ∼= ( ) domain of values x ∈ X ⊥ ⊕ ⊥ ⊕ &−→ ⊥ program variables where non-terminals ,... correspond to program elements (vari ∈ ! X R X U ables, etc…) R = environments ∈ ! &→ ! S R U Concretization: γ(G) =thesetofﬁnitetreesgeneratedbythegram φ = λ-expression type • ∈ &→ mar G; Reference [19] P. Cousot and R. Cousot. Reference Formal language, grammar and set-constraint-based program analysis by abstract interpretation. [20] P. Cousot. Types as abstract interpretations, invited paper.In24th POPL,pages316–331,Paris,FR,Jan. In Proc. 7th FPCA,pages170–181,LaJolla,Calif.,25–28June1995.ACMPress. 1997. ACM Press.

Abstraction in abstract interpretation, ¡¡¡—54! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—56! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Concrete collecting domain: Galois connection: • • γ P =! ℘(S) P, T, / ⊆0 −←−−−−α→− / ⊇0 Abstract domain: Typable programs cannot go wrong:ifaλ-expression e has type T • • and T = then R R : "e#R = ω (since "e# γ(T )); m M m ::= int m >m Church/Curry/Hindley A ∅ ∀ ∈ A ∈ ∈ | 1 − 2 monotype H H =! X M type environments ∈ ! &→ θ I = H M typings ∈ ! × T T = ℘(I)programtypes ∈ In general a λ-expression has (inﬁnitely) many types: • λx.x has types H, m >m H H m M {/ − 0 | ∈ ∧ ∈ }

Abstraction in abstract interpretation, ¡¡¡—57! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—59! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Concretization: Model checking is an abstract interpretation • γ M ℘(U) ∈! &→ γ(int) = Z S,t :transitionsystem(t S2); ! ∪ {⊥} con • / 0 ⊆ γ(m1 >m2) = φ U U v γ(m1):φ(v) γ(m2) 0S:setoftracesonstatesS; − {H ∈ &−→R | ∀ ∈ ∈ } ∪ {⊥} • γ ℘( ) t 0S:model(setofmaximaltraces)generatedbyt; ∈! &→ R X •M ⊆! γ(H) = R x : R(x) γ(H(x)) X = sσ sσ X subset of traces of X 0S starting with I{ ∈ S| ∀ ∈ ∈ } • s { | ∈ } ⊆ γ ℘( ) state↓ s ∈! &→ S γ H, m = φ R γ(H):φ(R) γ(m) ϕ L:formulaeoftemporallogicL; / γ0 {T ∈ ℘(|S∀) ∈ ∈ } • ∈ ∈ &→ "ϕ# 0S:semanticsoftheclosedtemporalformula(setofmaximal ! • ⊆ γ(T ) = γ(θ) traces); θ)T ! ∈ γ( ) = S ∅ Reference [21] P. Cousot and R. Cousot. Temporal abstract interpretation.In27th POPL,Boston,Mass.,Jan.2000.ACM Press. To appear.

Abstraction in abstract interpretation, ¡¡¡—58! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—60! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Boolean universal model checking is α∀("ϕ#) • t

γt∀ ℘(0), ℘(S), / ⊇0 ←−−− / ⊇0 −−−αt∀→ ! S αt∀(1) = s t s 1 { ∈ |M↓ ⊆ }

Boolean existential model checking is dual (α∃(1)= α∀( 1)) so: 4. Abstraction/concretization in semantics • t ¬ t ¬

γt∃ ℘(0), ℘(S), / ⊆0 ←−−− / ⊆0 −−−αt∃→ ! S αt∃(1) = s ( t s 1) = { ∈ | M ↓ ∩ A ∅}

Abstraction in abstract interpretation, ¡¡¡—61! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—63! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Abstract model checking is the composition of abstract Semantics are abstract interpretations interpretations The various semantics of programming languages can be understood • State abstraction: as abstract interpretations of a maximal trace semantics; • γs (and the ﬁxpoint characterizations of these semantics can all be con ℘(S), ℘(S%), • / ⊆0 −←−−−−αs→− / ⊆0 structively derived from the maximal trace semantics generated by a transition system (i.e. small-step operational semantics), see [22]). Trace-based model abstraction: • γm ℘(0), ℘(0%), / ⊆0 −←−−−−−−αm→− / ⊆0 Abstract model checking: • Reference

% ! [22] P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. αt∀ = αs αt∀ γm ENTCS,6,1997.URL:http://www.elsevier.nl/locate/entcs/volume6.html,25pages.(Fullversionto ◦ ◦ appear in TCS.)

Abstraction in abstract interpretation, ¡¡¡—62! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—64! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Maximal trace semantics Natural, demoniac & angelic semantics

Natural trace semantics: 2; The basic maximal trace semantics is: • T • Angelic abstraction 5: • blocking α( 2)= ... T {•→ • → → • →•| state ... 2 ; •→ • → → • →• ∈ T } 2 ↓ Demoniac abstraction 6: = ... ﬁnite traces • T {•−→ •−→ • •−→ •−→ •} ← α( 2)= 2 ↓ ↓ T T ...... inﬁnite traces ∪ {•→ • → → • →• | ∪ {•−→ •−→ • •−→ •−→ • } ← ...... 2 . ↓ ↓ •→ • → → • → • → ∈ T } any state transition The α ’s are Galois connections.

2 ℘(T), T is the set of traces over states S. •T ∈ 5 Eliminate all infinite traces. 6 Introduce all arbitrary finite traces for states possibly starting an infinite trace.

Abstraction in abstract interpretation, ¡¡¡—65! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—67! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Transition semantics Relational semantics

α ℘(T) ℘(S S ), S = S Transition semantics: ∈ &−→ × ∪ {⊥} • ⊥ ⊥ a b a b = α( ) R T α( 2)= , ...... 2 a b a b T {/• •0 | •−→ •−→ • −→ •−→ •−→ •−→ • ∈ T } = , ... a* b* a* b* {/• •0 | •→ • → → • →• ∈ T} , ...... 2 a a ∪ {/ • •0 | •−→ • •−→ • −→ •−→ • •−→ ∈ T } , ...... γ ∪ {/• ⊥0 | •→ • → → • → • → ∈ T} α is a Galois connection: ℘(T), ℘(S S), • / ⊆0 −←−−→−−−α−→− / × ⊆0 α is a Galois connection. This is an approximation.Forexample,fairnessinformationislost: • if 2 = a)b then γ α( 2)=a)b aω. T ◦ T |

Abstraction in abstract interpretation, ¡¡¡—66! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—68! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Non-deterministic denotational semantics Axiomatic semantics

α ℘(S S ) (S ℘(S )) α (℘(S) mon ℘(S )) ℘(℘(S) ℘(S )) ∈ × ⊥ &−→ &→ ⊥ ∈ &−→ ⊥ &−→ × ⊥ = α( ) = α( ) D R S H W = λ s s* s, s* right image = P, Q P (Q) · { ∈ ⊥ | / 0∈R} {/ 0 | ⊆ W } α is a Galois isomorphism. α is a Galois injection.

Abstraction in abstract interpretation, ¡¡¡—69! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—71! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Predicate transformer semantics The hierarchy of semantics

mon S S S S Manna!&!Pnueli Hoare α ( ℘( )) (℘( ) ℘( )) abstraction Axiomatic ∈ &−→ ⊥ &−→ ⊥ &→ equivalence semantics = α( ) Djkstra’s!wp Djkstra’s!wlp Predicate transformer W D S S = λ Q s s* : s* (s) s* Q Jacob!&!Gries’!gwp semantics · { ∈ | ∀ ∈ ⊥ ∈ D ⇒ ∈ } Scott Smyth Hoare Deterministic Nondeterministic deno- α is a Galois injection. Plotkin denotational tational semantics semantics Park Relational semantics Keller Hoare Transition Trace semantics semantics

Demoniac Natural Angelic semantics

Abstraction in abstract interpretation, ¡¡¡—70! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—72! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 On the coincidence of abstraction/reﬁnement in program veriﬁcation and abstraction/concretization in abstract interpretation (tentative)

Abstraction/reﬁnement in program veriﬁcation: • α:concreteobject abstract object 5. Conclusion &−→ Abstraction/concretization in abstract interpretation: • α: ℘(concrete object) ℘(abstract object) &−→ Coincidence: • -- Lift the reasoning on objects to reasoning on object properties (e.g. using predicate transformers) ??? -- Use category theory (various attempts that we made did not bring any new practical idea) ???

Abstraction in abstract interpretation, ¡¡¡—73! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—75! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

What is abstract interpretation? What I know about refinement 7: • -- c : C C concrete operation a : A A abstract operation &→ &→ -- α : C A abstraction Semantics as well as program analysis algorithms approximate the &→ • α c = a α refinement condition (10) incomputable collection of all possible behaviors of programs on com -- ◦ ◦ puters [24]; Lifting to sets: % • ! γ α%(X) = α(x) x X so ℘(C), ℘(A), Abstract interpretation is a theory of abstraction understood as a -- ←−−− • ! { | ∈ } / ⊆0 −−−%→ / ⊆0 discrete approximation of computer system behavior specifications -- c%(X) = c(x) x X α ! { | ∈ } [23]; -- a%(Y ) = a(y) x Y { | ∈ } so that (10)implies: α% c% = a% α%.Ifα is surjective then ◦ ◦ a% = α% c% γ% (i.e. a% is the abstract interpretation of c%). ◦ ◦ Reference So (?) reasoning on objects in program development by refinement is [23] P. Cousot. Abstract interpretation. Symposium on Models of Programming Languages and Computation, • ACM Comput. Surv. ,28(2):324–328,1996. “equivalent to” reasoning on their local properties (i.e. topos theory [24] P. Cousot. Program analysis: The abstract interpretation perspective. ACM Comput. Surv. , is relevant)? 28A(4es):165–es, Dec. 1996. 7 nothing, so its what I guess about refinement!

Abstraction in abstract interpretation, ¡¡¡—74! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—76! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Summary of the abstract semantics ...... 27

2. Formalization of abstraction/concretization 28 Galois connection — 1 ...... 29 Galois connection — 2 ...... 31 AfewpropertiesofGaloisconnections ...... 32 Surjections/injections ...... 33 Closure operators ...... 34 Moore family ...... 36 THE END Best approximation ...... 38 In absence of best approximation? ...... 39 In absence of best approximation (continued) ...... 40 Compound abstraction ...... 41 Example of primitive abstractions ...... 42 Examples of abstraction composition operators ...... 43 Fixpoint transfer and approximation ...... 44 The lattice of abstract interpretations ...... 45

Abstraction in abstract interpretation, ¡¡¡—77! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—79! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999

Contents Soundness and completeness ...... 46 3. Abstraction/concretization in program analysis 47 Abstraction in abstract interpretation ...... 1 Data ﬂow analysis is an abstract interpretation ...... 48 Abstract ...... 2 Program static analysis is an abstract interpretation ...... 51 Grammar analysis is an abstract interpretation ...... 53 1. Introductive example 3 Abstract interpretation ...... 4 Set based analysis is an abstract interpretation ...... 54 Abstraction in abstract interpretation ...... 5 Type inference is an abstract interpretation ...... 56 Objects and their properties ...... 6 Model checking is an abstract interpretation ...... 60 Properties as sets ...... 7 Abstract model checking is the composition of abstract interpretations 62 Example: rule of signs standard semantics ...... 8 4. Abstraction/concretization in semantics 63 Example: rule of signs — 1 — the abstract object point of view ... 10 Semantics are abstract interpretations ...... 64 Example: rule of signs — 2 — the abstract property point of view .. 12 Maximal trace semantics ...... 65 Approximation ...... 13 Transition semantics ...... 66 Approximation for the rule of signs ...... 14 Natural, demoniac & angelic semantics ...... 67 Speciﬁcation of the rule of signs abstract semantics ...... 22 Relational semantics ...... 68 Calculational design of the abstract semantics ...... 23 Non-deterministic denotational semantics ...... 69

Abstraction in abstract interpretation, ¡¡¡—78! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Abstraction in abstract interpretation, ¡¡¡—80! 81 — £££ ! [] "# ©P.Cousot,Nov16,1999 Predicate transformer semantics ...... 70 Axiomatic semantics ...... 71 The hierarchy of semantics ...... 72

5. Conclusion 73 What is abstract interpretation? ...... 74 Electronic bibliography