CS 357 D Carry Over the Results Into a Different Domain

Total Page:16

File Type:pdf, Size:1020Kb

CS 357 D Carry Over the Results Into a Different Domain Abstraction of Physical Systems Abstraction enables us to do system analysis in one domain and CS 357 D carry over the results into a different domain Lecture 7 Common abstraction: analysis results Abstract Interpretation Physical system Mathematical model Introduction modeling we analyze a mathematical model of the system and assume that the physical system behaves similarly. http://cs357d.stanford.edu/ the justification that analysis results can indeed be carried over is necessarily informal, since we cannot establish a formal correspondence between the physical April 24, 2007 system and the mathematical model; we rely on domain experts and experimentation Lecture 7, April 24 1 CS357D Spring 2007 Lecture 7, April 24 2 CS357D Spring 2007 Mathematical Abstraction Abstract Interpretation (Cousot&Cousot 1977) The theory of abstract interpretation was introduced by Cousot and analysis results (concrete) (abstract) Cousot (POPL’77); it has been and still is being used in many Mathematical model Mathematical model different settings, ranging from compiler optimization to language semantics analysis, formal verification, and theorem proving. modeling we analyze a, usually simpler, mathematical model of the system and conclude that the more complex From the POPL’77 paper: model has the same properties. “A program denotes computations in some universe of objects. In this case, property preservation can be formally justified since Abstract interpretation of programs consists in using that denotation we can define a formal relationship between the two models. to describe computations in another universe of abstract objects, so that the results of abstract execution give some information about Here we will be concerned only with this type of abstraction, and in particular the actual computations.” with abstract interpretation, the theory that relates the semantics of systems in different domains. Lecture 7, April 24 3 CS357D Spring 2007 Lecture 7, April 24 4 CS357D Spring 2007 Abstract Interpretation -- more quotes Abstract interpretation -- more quotes Cousot & Cousot, Journal of Logic and Computation, 1992: Cousot & Cousot, 1992: “Abstract interpretation is a method for designing approximate “Theoretical point of view: The purpose of abstract semantics of programs which can be used to gather information interpretation is to design hierarchies of interrelated about programs in order to provide sound answers to questions semantics at various levels of detail.” about their runtime behaviors. These semantics can then be used to design manual proof methods or to specify automatic program analyses.” “Practical point of view: The purpose of abstract interpretation is to design automatic program analysis tools for determining statically dynamic properties of programs.” Lecture 7, April 24 5 CS357D Spring 2007 Lecture 7, April 24 6 CS357D Spring 2007 Abstract interpretation -- basics Abstract interpretation -- basics Given: Given: - a concrete system with concrete (standard) semantics - a concrete system with concrete (standard) semantics - some notion of the properties we are interested in - some notion of the properties we are interested in We have to choose / construct : 1. Abstract domain 2.Correspondence between abstract and concrete objects 3.Abstract semantics Lecture 7, April 24 7 CS357D Spring 2007 Lecture 7, April 24 8 CS357D Spring 2007 Abstract interpretation -- a simple example Abstract interpretation -- basics Concrete system : multiplication of integers We have to choose / construct : Question : are the results of these multiplications 1. Abstract domain less than, equal to, or greater than zero? 2.Correspondence between abstract and concrete objects 3.Abstract semantics Concrete domain: sets of integers ! = 2Z Extend the semantics of multiplication to multiplication of sets: S1 x S2 = { n | ∃n1 ∈ S1 , n2 ∈ S2 . n1 x n2 = n } Example: { 1 , 2 } x { 3 , 4 } = { 3 , 4 , 6 , 8 } Lecture 7, April 24 9 CS357D Spring 2007 Lecture 7, April 24 10 CS357D Spring 2007 Abstract interpretation -- a simple example Abstract interpretation -- a simple example Question : are the results of these multiplications Question : are the results of these multiplications less than, equal to, or greater than zero? less than, equal to, or greater than zero? 1. Abstract domain: !A = { neg , zero , pos } 1. Abstract domain: !A = { neg , zero , pos } !A = { -1 , 0 , 1 } !A = { !"# , $"%& , '&( } !A = { ♭ , ♮ , ♯ } !A = { ! , ☁ , ) } !A = { * , + , , } Lecture 7, April 24 11 CS357D Spring 2007 Lecture 7, April 24 12 CS357D Spring 2007 Abstract interpretation -- a simple example Choose an abstract domain Question : are the results of these multiplications Question : are the results of these multiplications less than, equal to, or greater than zero? less than, equal to, or greater than zero? 1. Abstract domain: !A = { neg , zero , pos } 1. Abstract domain: !A = { neg , zero , pos } 2. Correspondence between abstract and concrete objects expressed by a concretization function " : !A # ! Lecture 7, April 24 13 CS357D Spring 2007 Lecture 7, April 24 14 CS357D Spring 2007 Concretization function Abstraction function $ : ! # !A " : !A # ! { neg , zero , pos } sets of integers sets of integers { neg , zero , pos } maps concrete objects into abstract objects maps abstract objects to concrete objects gives meaning to the abstract objects $( { 0 } ) = zero $( S ) = neg if ∀n∈S . n < 0 " ( neg ) = { n ∈ Z | n < 0 } $( S ) = pos if ∀n∈S . n > 0 " ( zero ) = { 0 } $( S ) = ? otherwise ?? " ( pos ) = { n Z | n > 0 } we need another ∈ abstract object to map sets like { 3 , -4 } into Lecture 7, April 24 15 CS357D Spring 2007 Lecture 7, April 24 16 CS357D Spring 2007 Abstraction function Abstraction function $ : ! # !A $ : ! # !A sets of integers { neg , zero , pos } sets of integers { ⊥, neg , zero , pos, T } maps concrete objects into abstract objects maps concrete objects into abstract objects $( { 0 } ) = zero $( { 0 } ) = zero $( S ) = neg if ∀n∈S . n < 0 $( S ) = neg if ∀n∈S . n < 0 $( S ) = pos if ∀n∈S . n > 0 $( S ) = pos if ∀n∈S . n > 0 $( S ) = T otherwise introduce new abstract object $( S ) = ⊥ if S = ∅ for symmetry also add new T (top) abstract object ⊥ (bottom) $( S ) = T otherwise with meaning with meaning "( T ) = Z "( ⊥ ) = ∅ Lecture 7, April 24 17 CS357D Spring 2007 Lecture 7, April 24 18 CS357D Spring 2007 Abstraction function Concretization function $ : ! # !A " : !A # ! sets of integers { ⊥, neg , zero , pos, T } sets of integers { ⊥, neg , zero , pos, T } maps concrete objects into abstract objects maps abstract objects to concrete objects gives meaning to the abstract objects $( S ) = ⊥ if S = ∅ $( { 0 } ) = zero " ( ⊥ ) = ∅ " ( neg ) = { n Z | n < 0 } $( S ) = neg if ∀n∈S . n < 0 ∈ $( S ) = pos if ∀n∈S . n > 0 " ( zero ) = { 0 } $( S ) = T otherwise " ( pos ) = { n ∈ Z | n > 0 } " ( T ) = Z Lecture 7, April 24 19 CS357D Spring 2007 Lecture 7, April 24 20 CS357D Spring 2007 Abstraction and Concretization function Abstraction function Z ! = 2 { 3 , 4 } $ Z+ $ : ! # !A " : !A # ! { -7 , -12 , -42 } $ !A abstraction concretization Z- ∅ neg $ pos Z ⊥ $( S ) = ⊥ if S = ∅ " ( ⊥ ) = ∅ $ {-2 , 0 } T - $ zero $( S ) = neg if ∀n∈S . n < 0 " ( neg ) = { n ∈ Z | n < 0 } = Z {-2 , 0 , 14 } size: 5 $( { 0 } ) = zero " ( zero ) = { 0 } {-2 , 0 , 14 , 27 } $ $( S ) = pos if ∀n∈S . n > 0 " ( pos ) = { n ∈ Z | n > 0 } = Z+ $ { 0 } $( S ) = T otherwise " ( T ) = Z size: uncountable Lecture 7, April 24 21 CS357D Spring 2007 Lecture 7, April 24 22 CS357D Spring 2007 Concretization function Abstract version of multiplication ! Z = 2 { 3 , 4 } Concrete multiplication: xC : ! x ! # ! Z+ " { -7 , -12 , -42 } Example: { 1 , 2 } xC { 3 , 4 } = { 3 , 4 , 6 , 8 } !A Z- " ∅ neg pos " Abstract multiplication: xA : !A x !A # !A Z ⊥ {-2 , 0 } " T zero {-2 , 0 , 14 } size: 5 {-2 , 0 , 14 , 27 } " { 0 } size: uncountable Lecture 7, April 24 23 CS357D Spring 2007 Lecture 7, April 24 24 CS357D Spring 2007 Abstract version of multiplication Abstract analysis > Abstract multiplication: xA : !A x !A # !A Concrete question: n1 x n2 = ? 0 < xA ⊥ neg zero pos T Procedure: A A Abstract n1 and n2 : n1 = $ ( { n1 } ) n2 = $ ( { n2 } ) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥ A A A A neg ⊥ pos zero neg T Perform abstract multiplication : n = n1 x n2 zero ⊥ zero zero zero zero Concretize nA : S = " ( nA ) pos ⊥ neg zero pos T + if S = Z then n1 x n2 > 0 T ⊥ T zero T T - if S = Z then n1 x n2 < 0 if S = { 0 } then n1 x n2 = 0 if S = Z then we don’t know Lecture 7, April 24 25 CS357D Spring 2007 Lecture 7, April 24 26 CS357D Spring 2007 Abstract analysis -- Example Abstract analysis -- Observations n1 = 783,422 > n1 x n2 = ? 0 • The choice of abstract domain was governed by the question. If n2 = 409,312 < the question had been to determine whether the result was even or odd, we would have chosen a different abstract domain A Abstract n1 and n2 : n1 = $ ( { n1 } ) = pos and abstract semantics. A n2 = $ ( { n2 } ) = pos • The concrete domain is a partially ordered set with the subset A A A A Perform abstract multiplication : n = n1 x n2 relation ⊆ as order. = pos xA pos = pos • We can also impose an order <A on the abstract domain: Concretize nA : S = " ( nA ) = Z+ ⊥ <A neg neg <A T T + A A if S = Z then n1 x n2 > 0 ⊥ < zero zero < T neg zero pos ⊥ <A pos pos <A T Conclude: 783,422 x 409,312 > 0 ⊥ <A T ⊥ Lecture 7, April 24 27 CS357D Spring 2007 Lecture 7, April 24 28 CS357D Spring 2007 Abstract analysis -- Observations Abstract analysis -- Observations • $ and " are both monotone: T • $ and " are both monotone: T A A S1 ⊆ S2 # $(
Recommended publications
  • Integrated Program Debugging, Verification, and Optimization Using Abstract Interpretation (And the Ciao System Preprocessor)
    Integrated Program Debugging, Verification, and Optimization Using Abstract Interpretation (and The Ciao System Preprocessor) Manuel V. Hermenegildo a,b Germ´anPuebla a Francisco Bueno a Pedro L´opez-Garc´ıa a aDepartment of Computer Science, Technical University of Madrid (UPM) {herme,german,bueno,pedro.lopez}@fi.upm.es http://www.clip.dia.fi.upm.es/ bDepts. of Comp. Science and Electrical and Computer Eng., U. of New Mexico [email protected] – http://www.unm.edu/~herme Abstract The technique of Abstract Interpretation has allowed the development of very so- phisticated global program analyses which are at the same time provably correct and practical. We present in a tutorial fashion a novel program development frame- work which uses abstract interpretation as a fundamental tool. The framework uses modular, incremental abstract interpretation to obtain information about the pro- gram. This information is used to validate programs, to detect bugs with respect to partial specifications written using assertions (in the program itself and/or in system libraries), to generate and simplify run-time tests, and to perform high-level program transformations such as multiple abstract specialization, parallelization, and resource usage control, all in a provably correct way. In the case of valida- tion and debugging, the assertions can refer to a variety of program points such as procedure entry, procedure exit, points within procedures, or global computations. The system can reason with much richer information than, for example, traditional types. This includes data structure shape (including pointer sharing), bounds on data structure sizes, and other operational variable instantiation properties, as well as procedure-level properties such as determinacy, termination, non-failure, and bounds on resource consumption (time or space cost).
    [Show full text]
  • Abstract Interpretation and Abstract Domains with Special Attention to the Congruence Domain
    Malardalen¨ University Master Thesis Abstract Interpretation and Abstract Domains with special attention to the congruence domain Stefan Bygde May 2006 Department of Computer Science and Electronics Malardalen¨ University Vaster¨ as,˚ Sweden Abstract This thesis is a survey on a framework for program analysis known as Abstract interpre- tation. Abstract interpretation uses abstract semantics to obtain important properties of programs. Different abstract semantics can be used in abstract interpretation, to obtain different properties. For instance there are semantics that spots upper and lower limits for the values of the variables of the program. These different semantics are called abstract domains and this thesis is meant to summarize different numerical abstract domains as well as give mathematical properties to them. The thesis also offers a small survey of free software libraries that implements abstract domains. Special attention will be given to the congruence domain. The congruence domain was implemented in a program analysis tool developed at M¨alardalen University. In the congruence domain the property ”variable x is always congruent to n modulo m” is obtained. Abstract operators for this domain are presented and new bit-operators are introduced. Contents 1 Introduction 4 1.1 Static analysis and WCET . ..................... 4 1.2 SWEET . ................................ 5 1.3 Motivation and results ......................... 7 1.4 Related work . ......................... 7 1.5 Outline . ................................ 7 2 Collecting semantics 8 2.1 Definitions ................................ 8 2.2 The transition system . ......................... 9 3 Abstract Interpretation 9 3.1 The idea of abstraction ......................... 10 3.2 Galois connections . ......................... 10 3.2.1 An example . ......................... 11 3.3 Relational and non-relational domains ................
    [Show full text]
  • Static Program Analysis Via 3-Valued Logic
    Static Program Analysis via 3-Valued Logic ¡ ¢ £ Thomas Reps , Mooly Sagiv , and Reinhard Wilhelm ¤ Comp. Sci. Dept., University of Wisconsin; [email protected] ¥ School of Comp. Sci., Tel Aviv University; [email protected] ¦ Informatik, Univ. des Saarlandes;[email protected] Abstract. This paper reviews the principles behind the paradigm of “abstract interpretation via § -valued logic,” discusses recent work to extend the approach, and summarizes on- going research aimed at overcoming remaining limitations on the ability to create program- analysis algorithms fully automatically. 1 Introduction Static analysis concerns techniques for obtaining information about the possible states that a program passes through during execution, without actually running the program on specific inputs. Instead, static-analysis techniques explore a program’s behavior for all possible inputs and all possible states that the program can reach. To make this feasible, the program is “run in the aggregate”—i.e., on abstract descriptors that repre- sent collections of many states. In the last few years, researchers have made important advances in applying static analysis in new kinds of program-analysis tools for identi- fying bugs and security vulnerabilities [1–7]. In these tools, static analysis provides a way in which properties of a program’s behavior can be verified (or, alternatively, ways in which bugs and security vulnerabilities can be detected). Static analysis is used to provide a safe answer to the question “Can the program reach a bad state?” Despite these successes, substantial challenges still remain. In particular, pointers and dynamically-allocated storage are features of all modern imperative programming languages, but their use is error-prone: ¨ Dereferencing NULL-valued pointers and accessing previously deallocated stor- age are two common programming mistakes.
    [Show full text]
  • Design of Semantics by Abstract Interpretation
    …/… Design of Semantics by Abstract Interpretation -- Abstraction of the relational into a nondeterministic Plotkin/- Smyth/Hoare denotational/functional semantics; -- Abstraction of the natural/demoniac relational into a determin­ istic denotational/functional semantics;Scott’ssemantics; Patrick COUSOT -- Abstraction of nondeterministic denotational semantics to weakest École Normale Supérieure precondition/strongest postcondition predicate transformer se­ DMI, 45, rue d’Ulm mantics; 75230 Paris cedex 05 Abstraction of predicate transformer semantics to à la Hoare France -- ax­ ;Programproofmethods; [email protected] iomatic semantics http://www.dmi.ens.fr/ cousot Extension to the λ-calculus. ˜ • MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, am Montag, dem 2. Juni 1997 um 14.15 Uhr 1 1 Extended version of the invited address at MFPS XIII, CMU, Pittsburgh, March 24, 1997 © P. Cousot 1 MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2. Juni 1997 © P. Cousot 3 MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2. Juni 1997 Content Application of abstract interpretation ideas to the design of formal semantics: Examples of Abstract Interpretations Examples of abstract interpretations; • Abstraction of fixpoint semantics; • -- Maximal trace semantics of nondeterministic transition systems; -- Abstraction of the trace into a natural/demoniac/angelic relational semantics; …/… © P. Cousot 2 MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2. Juni 1997 © P. Cousot 4 MPI-Kolloquium,
    [Show full text]
  • Abstract Interpretation Based Program Testing
    1 Abstract Interpretation Based Program Testing Patrick Cousot and Radhia Cousot Département d’informatique Laboratoire d’informatique École normale supérieure École polytechnique 45 rue d’Ulm 91128 Palaiseau cedex, France 75230 Paris cedex 05, France [email protected] [email protected] http://lix.polytechnique.fr/˜rcousot http://www.di.ens.fr/˜cousot Abstract— Every one can daily experiment that programs II. An informal introduction to abstract are bugged. Software bugs can have severe if not catas­ testing trophic consequences in computer-based safety critical ap­ plications. This impels the development of formal methods, Abstract testing is the verification that the abstract se­ whether manual, computer-assisted or automatic, for verify­ mantics of a program satisfies an abstract specification. ing that a program satisfies a specification. Among the auto­ matic formal methods, program static analysis can be used The origin is the abstract interpretation based static check­ to check for the absence of run-time errors. In this case the ing of safety properties [1], [2] such as array bound checking specification is provided by the semantics of the program­ and the absence of run-time errors which was extended to ming language in which the program is written. Abstract in­ terpretation provides a formal theory for approximating this liveness properties such as termination [3], [4]. semantics, which leads to completely automated tools where Consider for example, the factorial program (the random run-time bugs can be statically and safely classified as un­ assignment ? is equivalent to the reading of an input value reachable, certain, impossible or potential. We discuss the or the passing of an unknown but initialized parameter extension of these techniques to abstract testing where speci­ fications are provided by the programmers.
    [Show full text]
  • Abstract Interpretation of Programs for Model-Based Debugging
    Abstract Interpretation of Programs for Model-Based Debugging Wolfgang Mayer Markus Stumptner Advanced Computing Research Centre University of South Australia [mayer,mst]@cs.unisa.edu.au Language Abstract Semantics Test-Cases Developing model-based automatic debugging strategies has been an active research area for sev- Program eral years. We present a model-based debug- Conformance Test Components ging approach that is based on Abstract Interpre- Fault Conflict sets tation, a technique borrowed from program analy- Assumptions sis. The Abstract Interpretation mechanism is inte- grated with a classical model-based reasoning en- MBSD Engine gine. We test the approach on sample programs and provide the first experimental comparison with earlier models used for debugging. The results Diagnoses show that the Abstract Interpretation based model provides more precise explanations than previous Figure 1: MBSD cycle models or standard non-model based approaches. 2 Model-based debugging 1 Introduction Model-based software debugging (MBSD) is an application of Model-based Diagnosis (MBD) [19] techniques to locat- Developing tools to support the software engineer in locating ing errors in computer programs. MBSD was first intro- bugs in programs has been an active research area during the duced by Console et. al. [6], with the goal of identifying last decades, as increasingly complex programs require more incorrect clauses in logic programs; the approach has since and more effort to understand and maintain them. Several dif- been extended to different programming languages, includ- ferent approaches have been developed, using syntactic and ing VHDL [10] a n d JAVA [21]. semantic properties of programs and languages. The basic principle of MBD is to compare a model,ade- This paper extends past research on model-based diagnosis scription of the correct behaviour of a system, to the observed of mainstream object oriented languages, with Java as con- behaviour of the system.
    [Show full text]
  • Abstract Interpretation: a Unified Lattice Model for Static Analysis of Programs by Construction Or Approximation of Fixpoints
    ABSTRACT INTERPRETATION : ‘A UNIFIED LATTICE MODEL FOR STATIC ANALYSIS OF PROGRAMS BY CONSTRUCTION OR APPROXIMATION OF FIXPOINTS Patrick Cousot*and Radhia Cousot** Laboratoire d’Informatique, U.S.M.G., BP. 53 38041 Grenoble cedex, France 1. Introduction Abstract program properties are modeled by a com– plete semilattice, Birkhoff[611. Elementary Pro- A program denotes computations in some universe of gram constructs are locally interpreted by order objects. Abstract interpretation of programs con– preserving functions which are used to associate sists in using that denotation to describe compu– a system of recursive equations with a program. The tations in another universe of abstract objects, program global properties are then defined as one so that the results of abstract execution give of the extreme fixpoints of that system, Tarski [55]. some information on the actual computations. An The abstraction process is defined in section 6. It intuitive example (which we borrow from Sintzoff is shown that the program properties obtained by 172]) is the rule of signs. The text ‘1515* 17 an abstract interpretation of a program are consis– may be understood to denote computations on the tent with those obtained by a more refined inter– abstract universe {(+), (-), (~)} where the se- pretation of that program. In particular, an ab– mantics of arithmetic operators is defined by the stract interpretation may be shown to be consistent rule of signs. The abstract execution -1515* 17 with the formal semantics of the language. Levels => -(+) * (+) e> (–) * (+) => (–), proves that of abstraction are formalized by showing that con- –1515 * 17 is a negative number. Abstract interpre– sistent abstract interpretations form a lattice tation is concerned by a particular underlying (section 7).
    [Show full text]
  • Arxiv:1007.3250V1 [Cs.PL] 19 Jul 2010 Ple Opromhg-Adlwlvlotmztosand Optimizations Low-Level and High- Perform to Applied Ae Rpoesro the of Etc
    Verification of Java Bytecode using Analysis and Transformation of Logic Programs E. Albert1, M. G´omez-Zamalloa1, L. Hubert2, and G. Puebla2 1 DSIC, Complutense University of Madrid, E-28040 Madrid, Spain 2 CLIP, Technical University of Madrid, E-28660 Boadilla del Monte, Madrid, Spain {elvira,mzamalloa,laurent,german}@clip.dia.fi.upm.es Abstract. State of the art analyzers in the Logic Programming (LP) paradigm are nowadays mature and sophisticated. They allow inferring a wide variety of global properties including termination, bounds on re- source consumption, etc. The aim of this work is to automatically transfer the power of such analysis tools for LP to the analysis and verification of Java bytecode (jvml). In order to achieve our goal, we rely on well-known techniques for meta-programming and program specialization. More pre- cisely, we propose to partially evaluate a jvml interpreter implemented in LP together with (an LP representation of) a jvml program and then analyze the residual program. Interestingly, at least for the examples we have studied, our approach produces very simple LP representations of the original jvml programs. This can be seen as a decompilation from jvml to high-level LP source. By reasoning about such residual programs, we can automatically prove in the CiaoPP system some non-trivial prop- erties of jvml programs such as termination, run-time error freeness and infer bounds on its resource consumption. We are not aware of any other system which is able to verify such advanced properties of Java bytecode. 1 Introduction Verifying programs in the (Constraint) Logic Programming paradigm —(C)LP— offers a good number of advantages, an important one being the maturity and sophistication of the analysis tools available for it.
    [Show full text]
  • Verification by Abstract Interpretation
    Verification by Abstract Interpretation Patrick Cousot École normale supérieure, Département d’informatique 45 rue d’Ulm, 75230 Paris cedex 05, France [email protected], www.di.ens.fr/~cousot Dedicated to Zohar Manna, for his 26th birthday. Abstract. Abstract interpretation theory formalizes the idea of abstrac- tion of mathematical structures, in particular those involved in the spec- ification of properties and proof methods of computer systems. Verifica- tion by abstract interpretation is illustrated on the particular cases of predicate abstraction, which is revisited to handle infinitary abstractions, and on the new parametric predicate abstraction. 1 Introduction Abstract interpretation theory [7,8,9,11,13] formalizes the idea of abstraction of mathematical structures, in particular those involved in the specification of properties and proof methods of computer systems. Verification by abstract interpretation is illustrated on the particular cases of predicate abstraction [4,15,19] (where the finitary program-specific ground atomic propositional components of inductive invariants have to be provided) which is revisited (in that it is derived by systematic approximation of the con- crete semantics of a programming language using an infinitary abstraction) and on the new parametric predicate abstraction, a program-independent generaliza- tion (where parameterized infinitary predicates are automatically combined by reduction and instantiated to particular programs by approximation). 2 Elements of Abstract Interpretation Let us first recall a few elements of abstract interpretation from [7,9,11]. 2.1 Properties and Their Abstraction. Given a set Σ of objects (such as program states, execution traces, etc.), we represent properties P of objects s ∈ Σ as sets of objects P ∈ ℘(Σ) (which have the considered property).
    [Show full text]
  • Abstract Interpretation: Theory and Practice
    Abstract Interpretation: Theory and Practice Patrick Cousot École normale supérieure Département d'informatique, 45 rue d'Ulm 75230 Paris cedex 05, France [email protected] http://www.di.ens.fr/~cousot/ Our objective in this talk is to give an intuitive account of abstract interpre- tation theory [1,2,3,4,5] and to present and discuss its main applications [6]. Abstract interpretation theory formalizes the conservative approximation of the semantics of hardware and software computer systems. The semantics pro- vides a formal model describing all possible behaviors of a computer system in interaction with any possible environment. By approximation we mean the observation of the semantics at some level of abstraction, ignoring irrelevant de- tails. Conservative means that the approximation can never lead to an erroneous conclusion. Abstract interpretation theory provides thinking tools since the idea of ab- straction by conservative approximation is central to reasoning (in particular on computer systems) and mechanical tools since the idea of an effective computable approximation leads to a systematic and constructive formal design methodol- ogy of automatic semantics-based program manipulation algorithms and tools (e.g. [7]). Semantics have been studied in the framework of abstract interpretation [8,9] and compared according to their relative precision. A number of semantics including among others small-step, big-step, termination and nontermination se- mantics, Plotkin's natural, Smyth's demoniac, Hoare's angelic relational and cor- responding denotational semantics, Dijkstra's weakest precondition and weakest liberal precondition predicate transformers and Hoare's partial and total ax- iomatic semantics have all been derived by successive abstractions starting from an operational maximal trace semantics of a transition system.
    [Show full text]
  • Extending Abstract Interpretation to Dependency Analysis of Database Applications
    1 Extending Abstract Interpretation to Dependency Analysis of Database Applications Angshuman Jana1, Raju Halder1, K. V. Abhishekh1, S. D. Ganni1, and Agostino Cortesi2 1Indian Institute of Technology Patna, India {ajana.pcs13, halder, kalahasti.cs13, ganni.cs13}@iitp.ac.in 2Università Ca’ Foscari Venezia, Italy [email protected] Abstract—Dependency information (data- and/or control-dependencies) among program variables and program statements is playing crucial roles in a wide range of software-engineering activities, e.g. program slicing, information flow security analysis, debugging, code-optimization, code-reuse, code-understanding. Most existing dependency analyzers focus on mainstream languages and they do not support database applications embedding queries and data-manipulation commands. The first extension to the languages for relational database management systems, proposed by Willmor et al. in 2004, suffers from the lack of precision in the analysis primarily due to its syntax-based computation and flow insensitivity. Since then no significant contribution is found in this research direction. This paper extends the Abstract Interpretation framework for static dependency analysis of database applications, providing a semantics-based computation tunable with respect to precision. More specifically, we instantiate dependency computation by using various relational and non-relational abstract domains, yielding to a detailed comparative analysis with respect to precision and efficiency. Finally, we present a prototype semDDA, a semantics-based Database Dependency Analyzer integrated with various abstract domains, and we present experimental evaluation results to establish the effectiveness of our approach. We show an improvement of the precision on an average of 6% in the interval, 11% in the octagon, 21% in the polyhedra and 7% in the powerset of intervals abstract domains, as compared to their syntax-based counterpart, for the chosen set of Java Server Page (JSP)-based open-source database-driven web applications as part of the GotoCode project.
    [Show full text]
  • Static Analysis for Software Assurance: Soundness, Scalability and Adaptiveness
    Static Analysis for Software Assurance: Soundness, Scalability and Adaptiveness [Position Paper] Arnaud J. Venet Michael R. Lowry CMU / NASA Ames Research Center NASA Ames Research Center Moffett Field, CA 94035 Moffett Field, CA 94035 [email protected] [email protected] ABSTRACT The three objectives of no false negatives, high precision Standard approaches to software assurance are either process- (few false positives), and scaling to large systems push the based or test-based. We propose to include static analysis boundaries of computational complexity. In other words, by Abstract Interpretation to the software development cy- except for especially simple classes of defects, no single veri- cle. Static analysis by Abstract Interpretation provides a fication algorithm will be able to achieve all three. However, high level of assurance as well as ground-truth evidence in in case studies described here and elsewhere, human experts support of its findings. Successes in the verification of large have demonstrated that given a particular software system industrial codes demonstrate the readiness of this technol- being certified; they can adapt a custom algorithmic ap- ogy. However, in order to be practical in real development proach by carefully selecting, composing, and tuning known environments, static analysis must be able to scale and yield verification algorithms to simultaneously achieve these three few false positives without the need for expert hand-tuning. objectives. We present a research agenda to reach this goal based on the development of adaptive static analysis algorithms. Can this adaptive expert human approach of selecting and composing verification algorithms be automated? In this po- sition paper we discuss this approach within the context of Categories and Subject Descriptors Abstract Interpretation for static analysis.
    [Show full text]