CS 357 D, Lecture 7
Abstract Interpretation: Introduction
http://cs357d.stanford.edu/
April 24, 2007

Abstraction of Physical Systems

Abstraction enables us to do system analysis in one domain and carry over the results into a different domain.

Common abstraction (diagram on the slide): Physical system --modeling--> Mathematical model --> analysis results, which are carried back to the physical system.

We analyze a mathematical model of the system and assume that the physical system behaves similarly.

The justification that analysis results can indeed be carried over is necessarily informal, since we cannot establish a formal correspondence between the physical system and the mathematical model; we rely on domain experts and experimentation.

Lecture 7, April 24 (CS357D Spring 2007)

Mathematical Abstraction

Diagram on the slide: Mathematical model (concrete) --modeling--> Mathematical model (abstract) --> analysis results.

We analyze a, usually simpler, mathematical model of the system and conclude that the more complex model has the same properties.

In this case, property preservation can be formally justified, since we can define a formal relationship between the two models.

Here we will be concerned only with this type of abstraction, and in particular with abstract interpretation, the theory that relates the semantics of systems in different domains.

Abstract Interpretation (Cousot & Cousot 1977)

The theory of abstract interpretation was introduced by Cousot and Cousot (POPL’77); it has been and still is being used in many different settings, ranging from optimization to language semantics analysis, formal verification, and theorem proving.

From the POPL’77 paper:

“A program denotes computations in some universe of objects. Abstract interpretation of programs consists in using that denotation to describe computations in another universe of abstract objects, so that the results of abstract execution give some information about the actual computations.”

Abstract interpretation -- more quotes

Cousot & Cousot, Journal of Logic and Computation, 1992:

“Abstract interpretation is a method for designing approximate semantics of programs which can be used to gather information about programs in order to provide sound answers to questions about their runtime behaviors. These semantics can then be used to design manual proof methods or to specify automatic program analyses.”

Cousot & Cousot, 1992:

“Theoretical point of view: The purpose of abstract interpretation is to design hierarchies of interrelated semantics at various levels of detail.”

“Practical point of view: The purpose of abstract interpretation is to design automatic tools for determining statically dynamic properties of programs.”

Abstract interpretation -- basics

Given:
- a concrete system with concrete (standard) semantics
- some notion of the properties we are interested in

We have to choose / construct:

1. Abstract domain
2. Correspondence between abstract and concrete objects
3. Abstract semantics

Abstract interpretation -- a simple example

Concrete system: multiplication of integers

Question: are the results of these multiplications less than, equal to, or greater than zero?

Concrete domain: sets of integers, Σ = 2^Z

Extend the semantics of multiplication to multiplication of sets:

S1 × S2 = { n | ∃ n1 ∈ S1 , n2 ∈ S2 . n1 × n2 = n }

Example: { 1 , 2 } × { 3 , 4 } = { 3 , 4 , 6 , 8 }

Abstract interpretation -- a simple example

Question: are the results of these multiplications less than, equal to, or greater than zero?

1. Abstract domain: Σ_A = { neg , zero , pos }

Choose an abstract domain

Other choices of names for the three abstract objects shown on the slides:

Σ_A = { -1 , 0 , 1 }
Σ_A = { ♭ , ♮ , ♯ }

(the slide lists further alternatives written with other symbols)

2. Correspondence between abstract and concrete objects, expressed by a concretization function

γ : Σ_A → Σ

Concretization function

γ : Σ_A → Σ, from { neg , zero , pos } to sets of integers

maps abstract objects to concrete objects; gives meaning to the abstract objects

γ( neg ) = { n ∈ Z | n < 0 }
γ( zero ) = { 0 }
γ( pos ) = { n ∈ Z | n > 0 }

Abstraction function

α : Σ → Σ_A, from sets of integers to { neg , zero , pos }

maps concrete objects into abstract objects

α( { 0 } ) = zero
α( S ) = neg if ∀n∈S . n < 0
α( S ) = pos if ∀n∈S . n > 0
α( S ) = ?? otherwise

We need another abstract object to map sets like { 3 , -4 } into.

Abstraction function

Introduce a new abstract object ⊤ (top), with meaning γ( ⊤ ) = Z:

α( S ) = ⊤ otherwise

For symmetry also add a new abstract object ⊥ (bottom), with meaning γ( ⊥ ) = ∅:

α( S ) = ⊥ if S = ∅

Abstraction and Concretization function

α : Σ → Σ_A, from sets of integers (size: uncountable) to { ⊥, neg , zero , pos, ⊤ } (size: 5)

maps concrete objects into abstract objects

α( S ) = ⊥ if S = ∅
α( { 0 } ) = zero
α( S ) = neg if ∀n∈S . n < 0
α( S ) = pos if ∀n∈S . n > 0
α( S ) = ⊤ otherwise

γ : Σ_A → Σ, from { ⊥, neg , zero , pos, ⊤ } to sets of integers

maps abstract objects to concrete objects; gives meaning to the abstract objects

γ( ⊥ ) = ∅
γ( neg ) = { n ∈ Z | n < 0 } = Z-
γ( zero ) = { 0 }
γ( pos ) = { n ∈ Z | n > 0 } = Z+
γ( ⊤ ) = Z

Abstraction function (diagram on the slide, Σ = 2^Z on the left, Σ_A on the right):

α( { 3 , 4 } ) = pos,  α( Z+ ) = pos
α( { -7 , -12 , -42 } ) = neg,  α( Z- ) = neg
α( ∅ ) = ⊥
α( { 0 } ) = zero
α( {-2 , 0 } ) = ⊤,  α( {-2 , 0 , 14 } ) = ⊤,  α( {-2 , 0 , 14 , 27 } ) = ⊤,  α( Z ) = ⊤

Concretization function (diagram on the slide, Σ_A of size 5 on the right, Σ = 2^Z of uncountable size on the left):

γ( ⊥ ) = ∅,  γ( neg ) = Z-,  γ( zero ) = { 0 },  γ( pos ) = Z+,  γ( ⊤ ) = Z

Abstract version of multiplication

Concrete multiplication: ×_C : Σ × Σ → Σ

Example: { 1 , 2 } ×_C { 3 , 4 } = { 3 , 4 , 6 , 8 }

Abstract multiplication: ×_A : Σ_A × Σ_A → Σ_A

  ×_A  | ⊥     neg   zero  pos   ⊤
  -----+------------------------------
  ⊥    | ⊥     ⊥     ⊥     ⊥     ⊥
  neg  | ⊥     pos   zero  neg   ⊤
  zero | ⊥     zero  zero  zero  zero
  pos  | ⊥     neg   zero  pos   ⊤
  ⊤    | ⊥     ⊤     zero  ⊤     ⊤

Abstract analysis

Concrete question: is n1 × n2 less than, equal to, or greater than 0?

Procedure:

Abstract n1 and n2 : n1^A = α( { n1 } ), n2^A = α( { n2 } )
Perform abstract multiplication : n^A = n1^A ×_A n2^A
Concretize n^A : S = γ( n^A )
  if S = Z+ then n1 × n2 > 0
  if S = Z- then n1 × n2 < 0
  if S = { 0 } then n1 × n2 = 0
  if S = Z then we don’t know

Abstract analysis -- Example

n1 = 783,422 and n2 = 409,312: is n1 × n2 less than, equal to, or greater than 0?

Abstract n1 and n2 : n1^A = α( { n1 } ) = pos, n2^A = α( { n2 } ) = pos
Perform abstract multiplication : n^A = n1^A ×_A n2^A = pos ×_A pos = pos
Concretize n^A : S = γ( pos ) = Z+, so n1 × n2 > 0

Abstract analysis -- Observations

• The choice of abstract domain was governed by the question. If the question had been to determine whether the result was even or odd, we would have chosen a different abstract domain and abstract semantics.

• The concrete domain is a partially ordered set with the subset relation ⊆ as order.

• We can also impose an order ⊑ on the abstract domain (Hasse diagram on the slide): ⊥ lies below neg, zero and pos, and ⊤ lies above them. Abstraction and concretization respect the two orders:

S1 ⊆ S2 ⇒ α( S1 ) ⊑ α( S2 )
a1 ⊑ a2 ⇒ γ( a1 ) ⊆ γ( a2 )

Example: { 0 } ⊆ { 0 , 1 , 2 }, and α( { 0 } ) = zero ⊑ ⊤ = α( { 0 , 1 , 2 } )
Example: zero ⊑ ⊤, and γ( zero ) = { 0 } ⊆ Z = γ( ⊤ )

Abstract analysis -- Observations

• The result of abstraction followed by concretization is something larger:

S ⊆ γ( α( S ) )

Example: S = { 3 , 4 }; α( S ) = pos; γ( α( S ) ) = γ( pos ) = Z+; { 3 , 4 } ⊆ Z+

• The result of concretization followed by abstraction is the same object:

α( γ( a ) ) = a

Example: a = pos; γ( a ) = Z+; α( γ( a ) ) = α( Z+ ) = pos

• Abstract multiplication over-approximates:

γ( a1 ) × γ( a2 ) ⊆ γ( a1 ×_A a2 )

Example: γ( pos ) × γ( pos ) = Z+ × Z+ = Z+, while pos ×_A pos = pos and γ( pos ) = Z+. In this case the two sides are actually equal, so we don’t lose anything by doing abstract multiplications.
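As an added example (not code from the slides), the sign domain, α, the ×_A table and the analysis procedure above written out in Python, together with a check on a finite window of integers that ×_A over-approximates concrete multiplication. The names alpha, gamma_pred, mul_A, sign_of_product and mul_is_sound are my own.

```python
# Added example: the lecture's sign domain { ⊥, neg, zero, pos, ⊤ },
# its abstraction function, the ×_A table, and the analysis procedure.
from itertools import product

BOT, NEG, ZERO, POS, TOP = "⊥", "neg", "zero", "pos", "⊤"

def alpha(s):
    """α : sets of integers -> Σ_A, exactly as defined on the slides."""
    if not s:
        return BOT
    if s == {0}:
        return ZERO
    if all(n < 0 for n in s):
        return NEG
    if all(n > 0 for n in s):
        return POS
    return TOP

def gamma_pred(a):
    """γ as a membership predicate, since γ(a) is an infinite set for most a."""
    return {BOT: lambda n: False, NEG: lambda n: n < 0, ZERO: lambda n: n == 0,
            POS: lambda n: n > 0, TOP: lambda n: True}[a]

def mul_A(a1, a2):
    """Abstract multiplication ×_A; reproduces the 5x5 table from the slides."""
    if BOT in (a1, a2):
        return BOT          # row/column ⊥ is all ⊥
    if ZERO in (a1, a2):
        return ZERO         # anything times zero is zero, even ⊤ ×_A zero
    if TOP in (a1, a2):
        return TOP          # ⊤ absorbs neg, pos and ⊤
    return POS if a1 == a2 else NEG   # neg/pos sign rule

def sign_of_product(n1, n2):
    """The procedure: abstract n1, n2; multiply abstractly; concretize."""
    nA = mul_A(alpha({n1}), alpha({n2}))
    return {POS: ">0", NEG: "<0", ZERO: "=0", TOP: "unknown", BOT: "unknown"}[nA]

def mul_is_sound(window=range(-20, 21)):
    """Check γ(a1) × γ(a2) ⊆ γ(a1 ×_A a2) over a finite window of integers."""
    for a1, a2 in product([BOT, NEG, ZERO, POS, TOP], repeat=2):
        in_result = gamma_pred(mul_A(a1, a2))
        for n1, n2 in product(window, repeat=2):
            if gamma_pred(a1)(n1) and gamma_pred(a2)(n2) and not in_result(n1 * n2):
                return False
    return True
```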

Abstract analysis -- Observations

γ( a1 ) × γ( a2 ) = γ( a1 ×_A a2 )

Example: γ( neg ) × γ( zero ) = Z- × { 0 } = { 0 }, and neg ×_A zero = zero with γ( zero ) = { 0 }

Galois connection

Let ( Σ_A , ⊑ ) and ( Σ , ⊆ ) be partially ordered sets.

A pair ( α , γ ) is a Galois connection if the following hold:

(1) α : Σ → Σ_A and γ : Σ_A → Σ
(2) α and γ are monotone
(3) S ⊆ γ( α( S ) ) for all S ∈ Σ, and α( γ( a ) ) ⊑ a for all a ∈ Σ_A

Note: if α( γ( a ) ) = a then ( α , γ ) is called a Galois insertion.

Galois connection

The functions α and γ determine each other: if one is given, the other follows.

Given γ:

α( S ) is the smallest object in Σ_A that represents all of S:

α( S ) = inf { a ∈ Σ_A | S ⊆ γ( a ) }
       = ⊓_A { a ∈ Σ_A | S ⊆ γ( a ) }   (meet)

Example: S = { 3 , 4 }; S ⊆ γ( ⊤ ) and S ⊆ γ( pos ); α( { 3 , 4 } ) = inf { pos , ⊤ } = pos

Given α:

γ( a ) is the largest object in Σ that is fully described by a:

γ( a ) = sup { S ∈ Σ | α( S ) ⊑ a }
       = ∪ { S ∈ Σ | α( S ) ⊑ a }   (join)

Example: α( { 3 , 4 } ) ⊑ pos, α( { 17 , 32 , 42 } ) ⊑ pos, ......; γ( pos ) = { 3 , 4 } ∪ { 17 , 32 , 42 } ∪ ...... = Z+

Galois connection

Given γ:

α( S ) is the smallest object in Σ_A that represents all of S:

α( S ) = inf { a ∈ Σ_A | S ⊆ γ( a ) }

       = ⊓_A { a ∈ Σ_A | S ⊆ γ( a ) }   (meet)

Given α:

γ( a ) is the largest object in Σ that is fully described by a:

γ( a ) = sup { S ∈ Σ | α( S ) ⊑ a }

       = ∪ { S ∈ Σ | α( S ) ⊑ a }   (join)
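As an added example (not code from the slides), the sign lattice with its order ⊑, where α is computed from γ as the meet of all covering abstract objects and γ is recovered from α as the join of all sets abstracted below a, over a small finite window of integers standing in for Z; the last function checks the Galois connection and insertion conditions of the preceding slides. The names leq, alpha, gamma, gamma_from_alpha and galois_conditions_hold are my own.

```python
# Added example: α and γ determine each other in the sign lattice.
from itertools import combinations, product

BOT, NEG, ZERO, POS, TOP = "⊥", "neg", "zero", "pos", "⊤"
DOM = [BOT, NEG, ZERO, POS, TOP]
WINDOW = range(-2, 3)   # constructed finite stand-in for Z, so subsets enumerate

def leq(a1, a2):
    """a1 ⊑ a2 in the lattice  ⊥ < {neg, zero, pos} < ⊤."""
    return a1 == a2 or a1 == BOT or a2 == TOP

def gamma(a):
    """γ restricted to WINDOW: the integers an abstract object stands for."""
    return {n for n in WINDOW
            if {NEG: n < 0, ZERO: n == 0, POS: n > 0, TOP: True, BOT: False}[a]}

def alpha(s):
    """α(S) = ⊓ { a | S ⊆ γ(a) }: greatest lower bound of the covering objects."""
    covering = [a for a in DOM if s <= gamma(a)]           # ⊤ is always here
    lower = [x for x in DOM if all(leq(x, a) for a in covering)]
    return max(lower, key=lambda x: sum(leq(y, x) for y in DOM))  # greatest one

def gamma_from_alpha(a):
    """γ(a) = ∪ { S | α(S) ⊑ a }; by monotonicity this is { n | α({n}) ⊑ a }."""
    return {n for n in WINDOW if leq(alpha({n}), a)}

def galois_conditions_hold():
    """Conditions (2) and (3) of a Galois connection, plus the insertion property."""
    subsets = [set(c) for k in range(len(WINDOW) + 1)
               for c in combinations(WINDOW, k)]
    mono_alpha = all(leq(alpha(s1), alpha(s2))
                     for s1, s2 in product(subsets, repeat=2) if s1 <= s2)
    mono_gamma = all(gamma(a1) <= gamma(a2)
                     for a1, a2 in product(DOM, repeat=2) if leq(a1, a2))
    extensive = all(s <= gamma(alpha(s)) for s in subsets)      # S ⊆ γ(α(S))
    insertion = all(alpha(gamma(a)) == a for a in DOM)          # α(γ(a)) = a
    agree = all(gamma_from_alpha(a) == gamma(a) for a in DOM)   # join recovers γ
    return mono_alpha and mono_gamma and extensive and insertion and agree
```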