A Tutorial on Abstract Interpretation

«ATutorialon Abstract Interpretation »

Patrick Cousot École normale supérieure 45 rue d’Ulm 75230 Paris cedex 05, France [email protected] www.di.ens.fr/~cousot

VMCAI’05 Industrial Day

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —1— ľ P. Cousot Static analysis by abstract interpretation

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —2— ľ P. Cousot {n0>=0} Example of static analysis (input) n:=n0; {n0=n,n0>=0} i:=n; {n0=i,n0=n,n0>=0} while (i <> 0 ) do {n0=n,i>=1,n0>=i} j:=0; {n0=n,j=0,i>=1,n0>=i} while (j <> i) do {n0=n,j>=0,i>=j+1,n0>=i} j:=j+1 {n0=n,j>=1,i>=j,n0>=i} od; {n0=n,i=j,i>=1,n0>=i} i:=i-1 {i+1=j,n0=n,i>=0,n0>=i+1} od {n0=n,i=0,n0>=0}

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —3— ľ P. Cousot {n0>=0} Example of static analysis (output) n:=n0; {n0=n,n0>=0} i:=n; {n0=i,n0=n,n0>=0} while (i <> 0 ) do {n0=n,i>=1,n0>=i} j:=0; {n0=n,j=0,i>=1,n0>=i} while (j <> i) do {n0=n,j>=0,i>=j+1,n0>=i} j:=j+1 {n0=n,j>=1,i>=j,n0>=i} od; {n0=n,i=j,i>=1,n0>=i} i:=i-1 {i+1=j,n0=n,i>=0,n0>=i+1} od {n0=n,i=0,n0>=0}

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —3— ľ P. Cousot {n0>=0} Example of static analysis (safety) n:=n0; {n0=n,n0>=0} i:=n; n0 must be initially nonnegative {n0=i,n0=n,n0>=0} (otherwise the program does not while (i <> 0 ) do {n0=n,i>=1,n0>=i} terminate properly) j:=0; {n0=n,j=0,i>=1,n0>=i} while (j <> i) do {n0=n,j>=0,i>=j+1,n0>=i} j:=j+1 j=1,i>=j,n0>=i} ` od; {n0=n,i=j,i>=1,n0>=i} i:=i-1 i>0sonoloweroverflow {i+1=j,n0=n,i>=0,n0>=i+1} ` od {n0=n,i=0,n0>=0}

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —3— ľ P. Cousot Static analysis by abstract interpretation

Veriﬁcation: deﬁne and prove automatically a property of the possible behaviors of a complex computer program (example: program semantics); Abstraction: the reasoning/calculus can be done on an abstraction of these behaviors dealing only with those elements of the behaviors related to the considered property; Theory: abstract interpretation.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —4— ľ P. Cousot Example of static analysis

Veriﬁcation: absence of runtime errors; Abstraction: polyhedral abstraction (aﬃne inequalities); Theory: abstract interpretation.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —5— ľ P. Cousot A very informal introduction to the principles of abstract interpretation

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —6— ľ P. Cousot Semantics

The concrete semantics of a program formalizes (is a mathematical model of) the set of all its possible executions in all possible execution environments.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —7— ľ P. Cousot Graphic example: Possible behaviors

x(t)

Possible trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —8— ľ P. Cousot Undecidability

–Theconcretemathematicalsemanticsofaprogramis an “tinﬁnite” mathematical object, not computable; –Allnontrivialquestionsontheconcreteprogramse- mantics are undecidable. Example: termination –Assumetermination(P) would always terminates and returns true iﬀ P always terminates on all input data; –Thefollowingprogramyieldsacontradiction P while termination(P) do skip od. ”

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —9— ľ P. Cousot Graphic example: Safety properties

The safety properties of a program express that no possible execution in any possible execution environment can reach an erroneous state.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —10— ľ P. Cousot Graphic example: Safety property

x(t) Forbidden zone

Possible trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —11— ľ P. Cousot Safety proofs

–Asafety proof consists in proving that the intersection of the program concrete semantics and the forbidden zone is empty; – Undecidable problem (the concrete semantics is not computable); –Impossibletoprovidecompletelyautomaticanswers with ﬁnite computer resources and neither human in- teraction nor uncertainty on the answer 1.

1 e.g. probabilistic answer.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —12— ľ P. Cousot Test/debugging

–consistsinconsideringasubsetofthepossibleexecu- tions; –notacorrectnessproof; – absence of coverage is the main problem.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —13— ľ P. Cousot Graphic example: Property test/simulation

x(t) Forbidden zone Error !!!

Possible trajectories

Test of a few trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —14— ľ P. Cousot Abstract interpretation

–consistsinconsideringanabstract semantics,thatis to say a superset of the concrete semantics of the program; –hencetheabstractsemanticscovers all possible concrete cases; – correct:iftheabstractsemanticsissafe(doesnotin- tersect the forbidden zone) then so is the concrete semantics

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —15— ľ P. Cousot Graphic example: Abstract interpretation

x(t) Forbidden zone

Possible trajectories

Abstraction of the trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —16— ľ P. Cousot Formal methods

Formal methods are abstract interpretations, which dif- fer in the way to obtain the abstract semantics: – “model checking”: -theabstractsemanticsisgivenmanuallybytheuser; -intheformofaﬁnitarymodeloftheprogramexe- cution; -canbecomputedautomatically,bytechniquesrele- vant to static analysis.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —17— ľ P. Cousot – “deductive methods”: -theabstractsemanticsisspecifiedbyverificationcon- ditions; -theusermustprovidetheabstractsemanticsinthe form of inductive arguments (e.g. invariants); -canbecomputedautomaticallybymethodsrelevant to static analysis. – “static analysis”:theabstractsemanticsiscomputed automatically from the program text according to pre- defined abstractions (that can sometimes be tailored automatically/manually by the user).

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —18— ľ P. Cousot Required properties of the abstract semantics

– sound so that no possible error can be forgotten; – precise enough (to avoid false alarms); –assimple/abstract as possible (to avoid combinatorial explosion phenomena).

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —19— ľ P. Cousot Graphic example: The most abstract correct and precise semantics x(t) Forbidden zone

Possible trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —20— ľ P. Cousot Graphic example: Erroneous abstraction — I

x(t) Forbidden zone Error !!!

Possible trajectories

Erroneous trajectory abstraction

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —21— ľ P. Cousot Graphic example: Erroneous abstraction — II

x(t) Forbidden zone Error !!!

Possible trajectories

Erroneous trajectory abstraction

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —22— ľ P. Cousot Graphic example: Imprecision false alarms ) x(t) Forbidden zone False alarm

Possible trajectories

Imprecise trajectory abstraction

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —23— ľ P. Cousot Abstract domains

Standard abstractions –thatserveasabasis for the design of static analyzers: - abstract program data, -abstractprogrambasicoperations; -abstractprogramcontrol(iteration,procedure,con- currency, . . . ); –canbeparametrized to allow for manual adaptation to the application domains.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —24— ľ P. Cousot Graphic example: Standard abstraction by intervals x(t) Forbidden zone

False alarms Possible trajectories

Imprecise trajectory abstraction by intervals

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —25— ľ P. Cousot Graphic example: Amorereﬁnedabstraction

x(t) Forbidden zone

Possible trajectories

Refinement of intervals

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —26— ľ P. Cousot A very informal introduction to static analysis algorithms

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —27— ľ P. Cousot Standard operational semantics

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —28— ľ P. Cousot Standard semantics

–Startfromastandard operational semantics that de- scribes formally: - states that is data values of program variables, - transitions that is elementary computation steps; –Considertraces that is successions of states correspond- ing to executions described by transitions (possibly in- ﬁnite).

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —29— ľ P. Cousot Graphic example: Small-steps transition semantics x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —30— ľ P. Cousot Example: Small-steps transition semantics of an assignment int x; ... l: x:=x+1; l’:

l : x = v l : x = v +1 v [min_int; max_int 1] f ! 0 j 2 ` g l : x = max_int l : x = ˙ (runtime error) [f ! 0 g

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —31— ľ P. Cousot Example: Small-steps transition semantics of

l1 : ::: aloop l1 : x = 1 ` 3 & l1: l1 : x =0 l2 : x =1 x:=1; 7 ! l1 : x =1 7 l2: 7 % while x < 10 do l1 : ::: 7 7 l3: l2 : x =1 5l3 : x =1 x:=x+1 ! l3 : x =1 l4 : x =2 l4: ! od l4 : x =2 l3 : x =2 ! l5: l3 : x =2 l4 : x =3 ! ::: l4 : x =10 l5 : x =10

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —32—! ľ P. Cousot Example: Trace semantics of loop

l1: x:=1; l2: while x < 10 do l3: x:=x+1 l4: od l1 : ::: l5: l1 : x = 1 ` 3 & l1 : x =0 l2 : x =1 l3 : x =1 l4 : x =2 7 ! ! ! ! l1 : x =1 7 7 % l1 : ::: 7 7 l3 : x =2 5l4 : x =3::: l4 : x =10 l5 : x =10

VMCAI’05 Industrial Day,! Paris, France, January 20, 2005 ! —33— ! ľ P. Cousot Transition systems t – S; where: h !i - S is a set of states/vertices/. . . t - }(S S) is a transition relation/set of arcs/. . . !2 ˆ t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —34— ľ P. Cousot Collecting semantics in ﬁxpoint form

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —35— ľ P. Cousot Collecting semantics

– consider all traces simultaneously; – collecting semantics: - sets of states that describe data values of program variables on all possible trajectories; - set of states transitions that is simultaneous elementary computation steps on all possible trajectories;

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —36— ľ P. Cousot Graphic example: sets of states

x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —37— ľ P. Cousot Graphic example: set of states transitions

x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —38— ľ P. Cousot Example: Reachable states of a transition system

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —39— ľ P. Cousot Reachable states in ﬁxpoint form

t F (X)= s s X : s s I[f 0 j9 2 ! 0g

= lfp„ F R ; + 1 = F n( )where f0(x)=x ; n+1 n n[=0 f (x)=f(f (x))

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —40— ľ P. Cousot Example of ﬁxpoint iteration t for reachable states lfp„ –X . s0 s X : s s0 ; I[f j9 2 ! g

0 1 2n F ( ) F ( ) F ( ) F ( ), n 0

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —41— ľ P. Cousot Example of ﬁxpoint iteration t for reachable states lfp„ –X . s0 s X : s s0 ; I[f j9 2 ! g

0 1 2n F ( ) F ( ) F ( ) F ( ), n 0

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —41— ľ P. Cousot Example of ﬁxpoint iteration t for reachable states lfp„ –X . s0 s X : s s0 ; I[f j9 2 ! g

0 1 2n F ( ) F ( ) F ( ) F ( ), n 0

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —41— ľ P. Cousot Example of ﬁxpoint iteration t for reachable states lfp„ –X . s0 s X : s s0 ; I[f j9 2 ! g

0 1 2 n F ( ) F ( ) F ( ) F ( ), n 0

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —41— ľ P. Cousot Example of ﬁxpoint iteration t for reachable states lfp„ –X . s0 s X : s s0 ; I[f j9 2 ! g

0 1 2n F ( ) F ( ) F ( ) F ( ), n 0

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —41— ľ P. Cousot Abstraction by Galois connections

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —42— ľ P. Cousot Abstracting sets (i.e. properties)

–Chooseanabstract domain,replacingsetsofobjects (states, traces, . . . ) S by their abstraction ¸(S) –Theabstraction function ¸ maps a set of concrete objects to its abstract interpretation; –Theinverseconcretization function ‚ maps an abstract set of objects to concrete ones; – Forget no concrete objects:(abstractionfromabove) S ‚(¸(S)). „

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —43— ľ P. Cousot Interval abstraction ¸

y 77

x :[1; 99];y :[2; 77] f g 2

1 99 x

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —44— ľ P. Cousot Interval concretization ‚

y 77

x :[1; 99];y :[2; 77] f g 2

1 99 x

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —45— ľ P. Cousot The abstraction ¸ is monotone

y 90 61 x :[33; 89];y :[48; 61] f g 48 v x :[1; 99];y :[2; 90] 2 f g

1 33 89 99 x X Y ¸(X) ¸(Y ) „ ) v

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —46— ľ P. Cousot The concretization ‚ is monotone

x :[33; 89];y :[48; 61] f g v x :[1; 99];y :[2; 90] f g

X Y ‚(X) ‚(Y ) v ) „

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —47— ľ P. Cousot The ‚ ¸ composition is extensive ‹ y 77

x :[1; 99];y :[2; 77] f g 2

1 99 x X ‚ ¸(X) „ ‹

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —48— ľ P. Cousot The ¸ ‚ composition is reductive ‹ y 77

x :[1; 99];y :[2; 77] f g == v x :[1; 99];y :[2; 77] 2 f g

1 99 x ¸ ‚(Y )== Y ‹ v

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —49— ľ P. Cousot Correspondance between concrete and abstract properties

–Thepair ¸; ‚ is a Galois connection: h i ‚ }(S); ; h „i ` ````¸!` hD vi ‚ – }(S); ; when ¸ is onto (equivalently h „i ```¸ ` hD vi ¸ ‚ =1or```‚`! !is one-to-one). ‹

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —50— ľ P. Cousot Galois connection

‚ ; ; hD „i ` ````¸!` hD vi iﬀ x; y : x y = ¸(x) ¸(y) 8 2D „ ) v x; y : x y = ‚(x) ‚(y) ^8 2 D v ) „ x : x ‚(¸(x)) ^8 2D „ y : ¸(‚(y)) x ^8 2 D v iﬀ x ; y : ¸(x) y x ‚(y) 8 2D 2 D v () „

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —51— ľ P. Cousot Graphic example: Interval abstraction

x(t)

Interval with spurious states t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —52— ľ P. Cousot Graphic example: Abstract transitions

x(t)

Interval transition t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —53— ľ P. Cousot Example: Interval transition semantics of assignments int x; ... l: x:=x+1; l’:

l : x [‘; h] l : x [l +1; min(h +1; max_int)] f 2 ! 0 2 [ ˙ h = max_int ‘ h f j gj » g where [‘; h]= when h<‘. ;

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —54— ľ P. Cousot Abstract domain Function abstraction F ]

F ] = ¸ F ‚ ‹ ‹ i:e: F ] =  F ‹ F

Concrete domain ‚ P; Q; h „i ``¸` h vi ) ```] ! ] –F . ‚ F ¸ P mon P; _ ‹ ‹ Q mon Q; _ h 7`! „i `````````–F . ¸ F ‚ ` h 7`! vi ``````````‹ ‹ !

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —55— ľ P. Cousot Example: Set of traces to trace of intervals abstraction Set of traces:

¸ 1 # Trace of sets:

¸ 2 # Trace of intervals

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —56— ľ P. Cousot Example: Set of traces to reachable states abstraction Set of traces:

¸ 1 # Trace of sets:

¸ 3 # Reachable states

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —57— ľ P. Cousot Composition of Galois Connections

The composition of Galois connections: ‚1 L; M; h »i ` ````¸1!` h vi and: ‚2 M; N; h vi ` ````¸2!` h —i is a Galois connection: ‚1 ‚2 L; ‹ N; `````¸ ¸ ` h »i ``````2‹ 1! h —i

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —58— ľ P. Cousot Abstract semantics in ﬁxpoint form

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —59— ľ P. Cousot Graphic example: traces of sets of states in ﬁxpoint form x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —60— ľ P. Cousot Graphic example: traces of sets of states in ﬁxpoint form x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —60— ľ P. Cousot Graphic example: traces of intervals in ﬁxpoint form x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —61— ľ P. Cousot Graphic example: traces of intervals in ﬁxpoint form x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —61— ľ P. Cousot Approximate ﬁxpoint abstraction

Abstract domain ] ] ] ] F ] F F ] F F ? â Approximation relation v

F F F F F ? F F Concrete domain F ] = ¸ F ‚ ¸(lfp F ) lfp F ] ‹ ‹ ) v

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —62— ľ P. Cousot approximate/exact ﬁxpoint abstraction

Exact Abstraction: ] ¸(lfp F ) = lfp F Approximate Abstraction: ] ] ¸(lfp F ) @ lfp F

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —63— ľ P. Cousot Convergence acceleration by widening/narrowing

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —64— ľ P. Cousot Graphic example: upward iteration with widening x(t)

Initial states t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —65— ľ P. Cousot Graphic example: upward iteration with widening x(t)

Interval transition t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —65— ľ P. Cousot Graphic example: upward iteration with widening x(t)

Interval transition with widening t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —65— ľ P. Cousot Graphic example: upward iteration with widening x(t)

Interval transition with widening t

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —65— ľ P. Cousot Graphic example: stability of the upward iteration x(t)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —66— ľ P. Cousot Convergence acceleration with widening

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —67— ľ P. Cousot Widening operator

Awideningoperator L L L is such that: 2 ˆ 7! – Correctness: ! - x; y L : ‚(x) ‚(x y) 8 2 v - x; y L : ‚(y) ‚(x ! y) 8 2 v – Convergence: ! -forallincreasingchainsx0 x1 ...,thein- creasing chain deﬁned by y0v= x0v, ..., yi+1 = yi xi+1, ... is not strictly increasing. !

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —68— ľ P. Cousot Fixpoint approximation with widening

The upward iteration sequence with widening: – X^ 0 = - (inﬁmum) ? – X^ i+1 = X^ i if F (X^ i) X^ i v = X^ i F (X^ i) otherwise is ultimately stationary! and its limit A^ is a sound upper - approximation of lfp? F : - lfp? F A^ v

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —69— ľ P. Cousot Interval widening – L = [‘; u] ‘; u Z u Z ‘ u f?g[f j 2 [f`1g^ 2 [fg^ » g –Thewidening extrapolates unstable bounds to inﬁnity: X = X ? X ! = X ? [‘ ;u] [‘ ;u! ]=[if‘ <‘ then else ‘ ; 0 0 1 1 1 0 `1 0 ! if u > u then + else u ] 1 0 1 0 Not monotone. For example [0; 1] [0; 2] but [0; 1] v [0; 2] = [0; + ] [0; 2] = [0; 2] [0; 2] 1 6v ! !

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —70— ľ P. Cousot Example: Interval analysis (1975) Program to be analyzed:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] X =(X X ) [ ; 9999] 3: 8 2 1 [ 3 \ `1 >X = X [1; 1] od; > 3 2 ˘ VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —71— ľ P. Cousot :> Example: Interval analysis (1975) Equations (abstract interpretation of the semantics):

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] X =(X X ) [ ; 9999] 3: 8 2 1 [ 3 \ `1 >X = X [1; 1] od; > 3 2 ˘ VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —72— ľ P. Cousot :> Example: Interval analysis (1975) Resolution by chaotic increasing iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> X = x:=x+1 1 ; X = 3: 8 2 ; >X = od; > 3 ; VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —73— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] X = 3: 8 2 ; >X = od; > 3 ; VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 1] >X = od; > 3 ; VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 1] >X =[2; 2] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 2] >X =[2; 2] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 2] >X =[2; 3] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !!

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 3] >X =[2; 3] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !!!

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 3] >X =[2; 4] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !!!!

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 4] >X =[2; 4] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !!!!!

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 4] >X =[2; 5] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !!!!!!

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 5] >X =[2; 5] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Increasing chaotic iteration: convergence !!!!!!!

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 5] >X =[2; 6] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —74— ľ P. Cousot :> Example: Interval analysis (1975) Convergence speed-up by widening:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] X =[1; + ] widening 3: 8 2 1 ( >X =[2; 6] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —75— ľ P. Cousot :> Example: Interval analysis (1975) Decreasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] X =[1; + ] 3: 8 2 1 >X =[2; + ] od; > 3 1 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —76— ľ P. Cousot :> Example: Interval analysis (1975) Decreasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 9999] >X =[2; + ] od; > 3 1 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —76— ľ P. Cousot :> Example: Interval analysis (1975) Decreasing chaotic iteration:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 9999] >X =[2; +10000] od; > 3 VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —76— ľ P. Cousot :> Example: Interval analysis (1975) Final solution:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: > 3 2 ˘ 2: :> x:=x+1 X1 =[1; 1] 3: 8X2 =[1; 9999] od; >X3 =[2; +10000] <> 4: X4 = [+10000; +10000] > VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —77— ľ P. Cousot :> Example: Interval analysis (1975) Result of the interval analysis:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: {x =1} > 3 2 ˘ 2: {x [1; 9999]} > 2 : x:=x+1 X1 =[1; 1] 3: {x [2; +10000]} 8X2 =[1; 9999] 2 od; >X3 =[2; +10000] <> 4: {x =10000} X4 = [+10000; +10000] > VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —78— ľ P. Cousot :> Example: Interval analysis (1975) Checking absence of runtime errors with interval analysis:

X1 =[1; 1] X =(X X ) [ ; 9999] x:=1; 8 2 1 [ 3 \ `1 >X = X [1; 1] 1: {x =1} > 3 2 ˘ 2: {x [1; 9999]} :> 2 no overﬂow x:=x+1 ` 3: {x [2; +10000]} 8X2 =[1; 9999] 2 od; >X3 =[2; +10000] <> 4: {x =10000} X4 = [+10000; +10000] > VMCAI’05 Industrial Day, Paris, France, January 20, 2005> —79— ľ P. Cousot :> Reﬁnement of abstractions

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —80— ľ P. Cousot Approximations of an [in]ﬁnite set of points: from above

y :::; 19; 77 ;:::; f h i 20; 03 ;::: h i g x

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —81— ľ P. Cousot Approximations of an [in]ﬁnite set of points: from above

? ?

? y ? :::; 19; 77 ;:::; ? ? ? f h i ? ? ? 20; 03 ; ?; ? ;::: h i h i g x From Below:dual2 +combinations.

2 Trivial for finite states (liveness model-checking), more difficult for infinite states (variant functions).

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —82— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Signs 3

y x 0 – y 0  –

3 P. Cousot & R. Cousot. Systematic design of program analysis frameworks.ACMPOPL’79,pp.269–282, 1979.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —83— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Intervals 4

y x [19; 77] 2 y [20; 03]  2

4 P. Cousot & R. Cousot. Static determination of dynamic properties of programs.Proc.2nd Int. Symp. on Programming, Dunod, 1976.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —84— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Octagons 5

1 x 9 » » y x + y 77 8 » > 1 y 9 > » » < x y 99 ` » > x :>

5 A. Miné. ANewNumericalAbstractDomainBasedonDiﬀerence-BoundMatrices.PADO’2001. LNCS 2053, pp. 155–172. Springer 2001. See the The Octagon Abstract Domain Library on http://www.di.ens.fr/~mine/oct/

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —85— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Polyhedra 6

y 19x +77y 2004 » 20x +03y 0  –

6 P. Cousot & N. Halbwachs. Automatic discovery of linear restraints among variables of a program.ACM POPL, 1978, pp. 84–97.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —86— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Simple congruences 7

y x =19mod77 y =20mod99 

7 Ph. Granger. Static Analysis of Arithmetical Congruences.Int.J.Comput.Math.30,1989,pp.165–190.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —87— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Linear congruences 8

y 1x +9y =7mod8 2x 1y =9mod9  `

8 Ph. Granger. Static Analysis of Linear Congruence Equalities among Variables of a Program. TAPSOFT’91, pp. 169–192. LNCS 493, Springer, 1991.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —88— ľ P. Cousot Eﬀective computable approximations of an [in]ﬁnite set of points; Trapezoidal linear congruences 9

1x +9y [0; 77] mod 10 2x 1y 2 [0; 99] mod 11  ` 2

9 F. Masdupuy. Array Operations Abstraction Using Semantic Analysis of Trapezoid Congruences.ACM ICS ’92.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —89— ľ P. Cousot Reﬁnement of iterates

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —90— ľ P. Cousot Graphic example: Reﬁnement required by false alarms x(t) Forbidden zone

False alarms

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —91— ľ P. Cousot Graphic example: Partitionning

x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —92— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: partitionned upward iteration with widening x(t)

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —93— ľ P. Cousot Graphic example: safety veriﬁcation

x(t) Forbidden zone

Possible discrete trajectories

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —94— ľ P. Cousot Examples of partitionnings

– sets of control states:attachlocalinformationtopro- gram points instead of global information for the whole program/procedure/loop – sets of data states: -caseanalysis(test,switches) – ﬁxpoint iterates: -wideningwiththresholdset

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —95— ľ P. Cousot Interval widening with threshold set –Thethreshold set T is a ﬁnite set of numbers (plus + and ), 1 `1 – [a; b] [a ;b]=[if a bthen min h T h b 0 f 2 j – 0g else b] : –Examples(intervals): -signanalysis:T = ; 0; + ; f`1 1g -strictsignanalysis:T = ; 1; 0; +1; + ; f`1 ` 1g – T is a parameter of the analysis.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —96— ľ P. Cousot Combinations of abstractions

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —97— ľ P. Cousot Forward/reachability analysis

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —98— ľ P. Cousot Backward/ancestry analysis

F I

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —99— ľ P. Cousot Iterated forward/backward analysis

F I

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —100— ľ P. Cousot Example of iterated forward/backward analysis Arithmetical mean of two integers x and y: {x>=y} while (x <> y) do {x>=y+2} x:=x-1; {x>=y+1} y:=y+1 {x>=y} od {x=y} Necessarily x y for proper termination –

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —101— ľ P. Cousot Example of iterated forward/backward analysis Adding an auxiliary counter k decremented in the loop body and asserted to be null on loop exit: {x=y+2k,x>=y} while (x <> y) do {x=y+2k,x>=y+2} k:=k-1; {x=y+2k+2,x>=y+2} x:=x-1; {x=y+2k+1,x>=y+1} y:=y+1 Moreover the diﬀer- {x=y+2k,x>=y} od ence of x and y must {x=y,k=0} assume (k = 0) be even for proper ter- {x=y,k=0} mination

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —102— ľ P. Cousot Bibliography

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —103— ľ P. Cousot Seminal papers –PatrickCousot&RadhiaCousot. Abstract interpretation: a uniﬁed lattice model for static analysis of programs by con- struction or approximation of ﬁxpoints.In4thSymp.onPrin- ciples of Programming Languages, pages 238—252. ACM Press, 1977. – Patrick Cousot & Nicolas Halbwachs. Automatic discovery of linear restraints among variables of a program.In5thSymp. on Principles of Programming Languages, pages 84—97. ACM Press, 1978. –PatrickCousot&RadhiaCousot. Systematic design of program analysis frameworks.In6thSymp.onPrinciplesofPro- gramming Languages pages 269—282. ACM Press, 1979.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —104— ľ P. Cousot Recent surveys –PatrickCousot.Interprétation abstraite.TechniqueetScience Informatique, Vol. 19, Nb 1-2-3. Janvier 2000, Hermès, Paris, France. pp. 155-164. –PatrickCousot.Abstract Interpretation Based Formal Meth- ods and Future Challenges.InInformatics,10YearsBack— 10 Years Ahead, R. Wilhelm (Ed.), LNCS 2000, pp. 138-156, 2001. –PatrickCousot&RadhiaCousot. Abstract Interpretation Based Veriﬁcation of Embedded Software: Problems and Per- spectives. In Proc. 1st Int. Workshop on Embedded Software, EMSOFT 2001, T.A. Henzinger & C.M. Kirsch (Eds.), LNCS 2211, pp. 97–113. Springer, 2001.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —105— ľ P. Cousot Conclusion

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —106— ľ P. Cousot Theoretical applications of abstract interpretation – Static Program Analysis [POPL ’77,78,79] inluding Data- ﬂow Analysis [POPL ’79,00], Set-based Analysis [FPCA ’95], etc – Syntax Analysis [TCS 290(1) 2002] – Hierarchies of Semantics (including Proofs) [POPL ’92, TCS 277(1–2) 2002] – Typing [POPL ’97] – Model Checking [POPL ’00] – Program Transformation [POPL ’02] – Software watermarking [POPL ’04]

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —107— ľ P. Cousot Practical applications of abstract interpretation – Program analysis and manipulation:asmallrateoffalse alarms is acceptable - AiT: worst case execution time –ChristianFerdi- nand – Program veriﬁcation: no false alarms is acceptable - TVLA: A system for generating abstract interpreters –MoolySagiv - Astrée: veriﬁcation of absence of run-time errors – Laurent Mauborgne

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —108— ľ P. Cousot Industrial applications of abstract interpretation –BothtoProgram analysis and veriﬁcation – Experience with the industrial use of abstract interpretation-based static analysis tools –JeanSouyris(Air- bus France)

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —109— ľ P. Cousot THE END

More references at URL www.di.ens.fr/~cousot.

VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —110— ľ P. Cousot