Abstract Interpretation Static Program AnalysisStatic Analysis

A general method for automatic and sound approximation of sw run-time behaviors before the execution

“before”: statically, without running sw “automatic”: sw analyzes sw “sound”: all possibilities into account “approximation”: cannot be exact “general”: for any source language and property

I C, C++, C#, F#, Java, JavaScript, ML, Scala, Python, JVM, Dalvik, x86, Excel, etc I “bu↵er-overrun?”, “memory leak?”, “type errors?”, “x = y at line 2?”, “memory use 2K?”, etc 

Hakjoo Oh AAA616 2016 Fall, Lecture 3 October 3, 2016 2 / 44 Abstract Interpretation

• A powerful framework for designing correct static analysis

• “framework” : correct static analysis comes out, reusable

• “powerful” : all static analyses are understood in this framework

• “simple” : prescription is simple

• “eye-opening” : any static analysis is an abstract interpretation Why Abstraction?

Examples • Without abstraction, • Does the program have memory errors? (such as buffer overrun or memory leaks)! • can’t capture all possible executions• Does the program always terminate?

• can’t terminate Impossible

Alan Turing • Abstraction is not omission 5 / 50

• reality: {2, 4, 6, 8, … }

• “even number” (abstraction) vs “multiple of 4” (omission) AbstractAbstraction Interpretation The static analysis game

MAX++ *a++ =

*0

7 / 50

20 AbstractAbstraction Interpretation The static analysis game

MAX++ *a++ =

*0

8 / 50

20 AbstractAbstraction Interpretation The static analysis game

MAX++ *a++ =

*0

9 / 50

20 Concrete Interpretation (Standard Semantics)

Execution Trace : + 1: x := 0; (Program Points x (Var →Z)) 2: y := 0; (1, {x ⟼ 0}) 3: while (x < 10) { (2, {x ⟼ 0, y ⟼ 0}) 4: x := x + 1; (3, {x ⟼ 0, y ⟼ 0}) 5: y := y + 1; (4, {x ⟼ 1, y ⟼ 0}) 6: } . . . 7: print(x) (3, {x ⟼ 10, y ⟼ 10}) (7, {x ⟼ 10, y ⟼ 10}) Concrete Interpretation (Collecting Semantics)

Partitioned Execution Traces: Z 1: x := 0; Program Points → (Var → 2 ) 2: y := 0; 3: while (x < 10) { (1,{x ⟼ {0}}) (2,{x ⟼ {0}, y ⟼ {0}) 4: x := x + 1; (3,{x ⟼ {0,1,…,9}, 5: y := y + 1; y ⟼ {0,1,…,9}} 6: } (4,{x ⟼ {1,2,…,10}, 7: print(x) y ⟼ {0,1,…,9}} . . . The possible values of x are {1, …, 10} after executing line 4. (7,{x ⟼ {10}, y ⟼ {10}) Abstract Interpretation (Abstract Semantics)

Abstract State: 1: x := 0; : Program Points → (Var → Interval) 2: y := 0; (1, {x ⟼ [0, 0]}) (2, {x ⟼ [0, 0], y ⟼ [0, 0]}) 3: while (x < 10) { (3, {x ⟼ [0, 9], y ⟼ [0, 9]) 4: x := x + 1; (4, {x ⟼ [1, 10], y ⟼ [0, 9]) 5: y := y + 1; . . . 6: } The possible value of x ranges from 1 to 10 after executing line 4. 7: print(x) (7, {x ⟼ [10, 10], y ⟼ [10, 10]}) 1: x := 0; 2: y := 0; 3: while (very complex) { 4: x := x + 1; 5: y := y + 1; 6: } 7: print(x) Concrete Interpretation (Collecting Semantics)

Partitioned Execution Traces 1: x := 0; 2: y := 0; (1, {x ⟼ {0}}) 3: while (very complex) { (2, {x ⟼ {0}, y ⟼ {0}) (3, may be undecidable) 4: x := x + 1; (4, may be undecidable) 5: y := y + 1; . . . 6: } (7, may be undecidable) 7: print(x) Abstract Interpretation (Abstract Semantics)

1: x := 0; Abstract State 2: y := 0; (1, {x ⟼ [0, 0]}) (2, {x ⟼ [0, 0], y ⟼ [0, 0]}) 3: while (very complex){ (3, {x ⟼ [0,∞], y ⟼ [0,∞]) 4: x := x + 1; (4, {x ⟼ [1,∞], y ⟼ [1,∞]) 5: y := y + 1; The possible value of x is 6: } . . . greater than or equal to 1 after executing line 4. 7: print(x) (7, {x ⟼ [0,∞], y ⟼ [0,∞]}) Need for Theory

• How to ensure that we soundly approximate real executions?

• How to ensure the termination of analysis? Abstract Interpretation Framework

real execution [[ P ]] = fi x F D 2 [[ Pˆ]] = fi x Fˆ Dˆ abstract execution 2 correctness [[ Pˆ]] [[ Pˆ]] ⇡ implementation computation of [[ Pˆ]]

• The framework requires: • a relation between D and Dˆ a relation between F D D and Fˆ Dˆ Dˆ • 2 ! 2 ! • The framework guarantees: • correctness and implementation • freedom: any such D ˆ and F ˆ are fine. Abstract Interpretation Framework

real execution [[ P ]] = fi x F D 2 ˆ ˆ ˆ abstract execution [[ P ]] = fi x F D A domain of concrete states 2 (e.g., a set of memories) correctness [[ Pˆ]] [[ Pˆ]] ⇡ implementation computation of [[ Pˆfix]] F = X in D s.t. F(X) = X.

A function corresponding to • The framework requires: one-step real execution • a relation between D and Dˆ a relation between F D D and Fˆ Dˆ Dˆ • 2 ! 2 ! • The framework guarantees: • correctness and implementation A function corresponding to one-step abstract execution • freedom: any such D ˆ and F ˆ are fine. Plan

• Step 1: Define concrete semantics

• Step 2: Define abstract semantics

• Step 3: Compute abstract semantics guaranteeing termination

• with a finite abstract domain

• with a infinite abstract domain Preliminaries for Step 1

• Domain theory

• Every program’s meaning is an element of CPO,

• which is a least fixed point of a continuous function : CPO → CPO.

• Every continuous function has a unique least fixed point.

• See:

• Mathematical Concepts in Programming Language Concepts, Dana Scott. Preliminaries for Step 1

• What is

• CPO?

• Continuous Functions?

• Least Fixed Point? Partially Ordered SetPartial Order

Definition (Partial Order) We say a binary relation is a partial order on a set D i↵ is v v reflexive: p D. p p 8 2 v transitive: p, q, r D. p q q r = p r 8 2 v ^ v ) v anti-symmetric: p, q D. p q q p = p = q 8 2 v ^ v ) We call such a pair (D, ) partially ordered set, or poset. v Lemma If a partially ordered set (D, ) has a least element d,thend is unique. v • {1,2} ⊑ {1,2,3}

• {} = ⊥

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 10 / 30 Least Upper Bound LUB

Definition (Least Upper Bound) Let (D, ) be a partially ordered set and let Y be a subset of D.An v upper bound of Y is an element d of D such that

d0 Y. d0 d. 8 2 v An upper bound d of Y is a least upper bound if and only if d d for v 0 every upper bound d0 of Y . The least upper bound of Y is denoted by Y . F Lemma If Y has a least upper bound d,thend is unique.

• {1,2} ⊔ {3} = {1,2,3}

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 13 / 30 Chain Chain

Definition (Chain) Let (D, ) be a poset and Y a subset of D. Y is called a chain if Y is v totally ordered:

y ,y Y.y y or y y . 8 1 2 2 1 v 2 2 v 1 Example Consider the poset (}( a, b, c ), ). { } ✓ Y = , a , a, c 1 {; { } { }} Y = , a , c , a, c 2 {; { } { } { }}

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 14 / 30 CPO

Complete Partial Order (CPO)

Definition (CPO) A poset (D, ) is a CPO, if every chain Y D has Y D. v ✓ 2 F Definition (Complete Lattice) A poset (D, ) is a complete lattice, if every subset Y D has v ✓ Y D. 2 F Lemma If (D, ) is a CPO, then it has a least element given by = . v ? ? ; F

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 15 / 30 Continuous Functions

Definition (Continuous Functions) A function f : D D defined on posets (D , ) and (D , ) is 1 ! 2 1 v1 2 v2 continuous if it is monotone and it preserves least upper bounds of chains:

f(Y )=f( Y ) G G for all non-empty chains Y in D1.Iff( Y )= f(Y ) holds for the empty chain (that is, = f( )), then we say that f is strict. ? ? F F

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 23 / 30 Least Fixed Points

Definition (Fixed Point) Let (D, ) be a poset. A fixed point of a function f : D D is an v ! element d D such that f(d)=d.Wewritefix(f) for the least fixed 2 point of f,ifitexists,suchthat f(fix(f)) = fix(f) d D. f(d)=d = fix(f) d 8 2 ) v

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 26 / 30 Step 1: Define Concrete Semantics Step 1: Define Concrete Semantics Step 1: Define Concrete Semantics The concrete semantics describes the real executions of the program. TheDescribed concrete by semantics semantic describes domain and the function. real executions of the program. DescribedDefine by semantica semantic domain domain and D , function.which is a CPO • A semanticStep domain 1: DefineD,whichisaCPO: Concrete Semantics A semanticI D is a domain partiallyD ordered,whichisaCPO: set with a least element . The concrete semantics describes the real executions? of the program. Step 1: Define ConcreteI IAnyDAnyis increasing a increasing Semantics partially orderedchain chain d set with d a least... inin element DD hashas a a least. least upper upper bound bound • Described by semantic0 domainv 1 andv function. ? I Any increasing chain d d ... in D has a least upper bound n 0 dn in D. 0 1 The concrete semantics describes A thesemantic real executions domainvD,whichisaCPO: ofv the program. dn in D. A semanticn 0 functionI D is a partiallyF : D orderedD set, with which a least is element continuous:. for all chains Described by semantic domainF and function. ? I Any increasing chain!d0 d1 ... in D has a least upper bound A dsemantic0 F d1 function..., F : D Dv, whichv is continuous: for all chains A semantic domain D,whichisaCPO:n 0 dn in D. ! d vd v..., 0Define1 a semanticA semantic function function F : D D , , which which is continuous:is continuous: for all chainsfor all I D is a partially• v orderedv set withF a least element !. d d ...F (, di)=? F (dn). I Any increasingchains chain d0 d0 1v 1...v in D has a least upper bound v v F ( n 0di)= n 0F (dn). n 0 dn in D. G G n 0 F ( dni)=0 F (dn). A semantic functionThen, theF concrete: D D semantics, whichFG is (or( continuous: collectingdnn0)=G semantics)forn F0 all(dn chains). is defined as the F ! G G d0 d1 Then,...least, the fixed concrete pointThen, of the semanticssemantic concrete semantics (or functionn collecting0 (orF collecting: nD semantics)0 semantics)D: is is defined defined as as the the v v G G ! least fixed pointleast of fixedsemantic point of functionsemantic functionF : DF : D D:D: F ( d )= F (d ). i ! ! i fixF n= F ( i ). fixF = i F?( ). n 0 n fix0 F = i NF ( ).? G G i N G2 G2 ? i N Then, the concrete semanticsHakjoo Oh (or collectingHakjoo Oh semantics)AAA616 2016AAA616G2 Fall, is 2016 defined Lecture Fall, Lecture 4 4 as the OctoberOctober 11, 11, 2016 2016 3 / 29 3 / 29 least fixed point of semanticHakjoo Oh function F : D AAA616D 2016: Fall, Lecture 4 October 11, 2016 3 / 29 ! fixF = F i( ). ? i N G2

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 3 / 29 Step 1: Define Concrete Semantics The concrete semantics describes the real executions of the program. Described by semantic domain and function. A semantic domain D,whichisaCPO: I D is a partially ordered set with a least element . ? I Any increasing chain d d ... in D has a least upper bound 0 v 1 v Step 1: Define Concreten 0 Semanticsdn in D. A semantic function F : D D, which is continuous: for all chains The concrete semantics describesF the real executions! of the program. d d ..., Described by semanticStep0 domainv 1 1:v and Define function. Concrete Semantics

A semantic domain D,whichisaCPO:F ( di)= F (dn). I D is a partially ordered set with a leastn element0 .n 0 G ? G I Any increasing chain d d ... in D has a least upper bound 0 v 1 v n 0 Then,dThen,n in D the the. concrete semantics semantics (or collectingis the least semantics) fixed point is defined of semantic as the • A semanticfunctionleast function fixedF point: D of semanticD, which function is continuous:F : D forD all: chains F ! ! d0 d1 ..., v v fixF = F i( ). ? Fixed Point Theorem i N F ( di)= F (dn)G2. n 0 n 0 TheoremHakjoo (Kleene OhG Fixed Point)G AAA616 2016 Fall, Lecture 4 October 11, 2016 3 / 29 Then, the concreteLet f semantics: D D (orbe collecting a continuous semantics) function is defined on a as CPO the D.Thenf has a least fixed point of semantic! function F : D D: least fixed point, fix(f),and! fixF = F i( ). ? n i N fix(f)= f ( ) G2 ? n 0 Hakjoo Oh AAA616 2016 Fall, Lecture 4 G October 11, 2016 3 / 29

n n =0 where f ( )= ? n 1 ? f(f ( )) n>0 ⇢ ?

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 27 / 30 Proof Proof n We show the claims of the theorem by showing that n 0 f ( ) exists and it is n ? indeed equivalent to fix(f). First note that n 0 f ( ) exists because F ? f 0( ) f 1( ) f 2( ) ... is a chain. We show by induction that ? v ? v ? v F n N.f n( ) f n+1( ): 8 2 ? v ? d1,d2 D. d1 d2 = f(d1) f(d2) f( ) ( is the least element) 8 2 v ) v ?v ? ? f n( ) f n+1( )= f n+1( ) f n+2( ) (monotonicity of f) ? v ? ) ? v ? n Now, we show that fix(f)= n 0 f ( ) in two steps: ? f continuous ⇒ n We show that n 0 f (F ) is a fixed point of f: f monotone (why?) ? f( Ff n( )) = f(f n( )) continuity of f ? ? n 0 n 0 G G = f n+1( ) ? n 0 G = f n( ) ? n 0 G

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 28 / 30 Proof Proofs

We show that f n( ) is smaller than all the other fixed points. n 0 ? Suppose d is a fixed point, i.e., f(d)=d.Then, F f n( ) d ? v n 0 G since n N.f n( ) d: 8 2 ? v f 0( )= d, f n( ) d = f n+1( ) f(d)=d. ? ?v ? v ) ? v Therefore, we conclude fix(f)= f n( ). ? n 0 G

Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 29 / 30 Example: Concrete (Collecting) Semantics

0: ENTRY

1: x := 0 Example: Concrete Semantics • Program as a control flow graph (CFG) 2: y := 0 Program representation: I P is represented by control flow graph (C, ,c0) Example: Concrete Semantics • ! I Each program point c is associated with a command cmd(c) 3: skip Program representation: cmd skip xEach:= e node is with a command I P is represented by control flow graph !(C, ,c0)•| c C e !n x e + e e e.2 I Each program point c is associated with a command cmd(c) ! | | | 4: x := x + 1 Semanticscmd of commands:skip x := e ! | cmd skip x := e Concrete memorye states:n x Me =+ eVare e.Z ! | ! | | | ! 5: y := y + 1 Semantics ofConcrete commands: semantics: e n x e + e e e ! | | | Concrete memory states: M = Var Z[[ c]] : M M ! ! 6: skip Concrete semantics: [[ skip]] ( m)=m [[ c]][[ x := : eM]] ( m)=M m[x [[ e]] ( s)] ! 7! [[ skip]] ( m)=m [[ e]] : M Z [[ x := e]] ( m)=m[x [[ e]] ( s)]! [[ n]] ( m)=7! n [[ e]] : M Z [[ x]] ( !m)=m(x) [[ n]] ( m[[ e)=1 + e2n]] ( m)=[[e1]] ( m)+[[e2]] ( m) [[ x]] ( m[[ e)=e m]] ((mx))=[[e ]] ( m)+[[e ]] ( m) 1 2 1 2 [[ e1 + e2]] ( m)=[[e1]] ( m)+[[e2]] ( m) Hakjoo[[ e Oh e ]] ( m)=[[eAAA616]] ( m 2016)+[[ Fall,e Lecture]] ( m 4) October 11, 2016 4 / 29 1 2 1 2 Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 4 / 29 Example: Concrete Semantics Example: Concrete Semantics Program representation: Program representation: Example:I P is represented Concrete by control (Collecting) flow graph (C, ,c 0Semantics) I P is represented by control! flow graph (C, ,c0) Example: Concrete SemanticsI Each program point c is associated with a command cmd(c) ! I Each program point c is associated with a command cmd(c) cmd skip x := e Program representation: ! | cmd skip x := e Semantics of commands: e n x e + e !e e. | I P is represented• by control flow graph (C, ,c0) e n x e + e e e. ! ! | | |! | | | I Each program point c Semanticsis associated of with commands: a commandSemanticscmd( ofc) commands: cmdConcreteMemory:skip memory x := e states:Concrete= memoryVar states: M = Var Z • ! | M Z ! eConcreten semantics:x e + e eConcretee. semantics:! ! | | | [[ c]] : M M Semantics of commands:• Semantics: [[ c]] : M M ! [[!skip]] ( m)=m Concrete memory states: M = Var Z [[ skip]] ( m)=m ! [[ x := e]] ( m)=m[x [[ e]] ( s)] Concrete semantics: [[ x := e]] ( m)=m[x [[ e]] ( s)] 7! [[ c]] : M M 7![[ e]] : M Z ! [[ e]] : M Z ! [[ skip]] ( m)=m ![[ n]] ( m)=n [[ x := e]] ( m)=m[x [[ e]][[ (ns]])] ( m)=n [[ x]] ( m)=m(x) 7! [[ x]] ( m)=[[me1(x+)e2]] ( m)=[[e1]] ( m)+[[e2]] ( m) [[ e]] : M Z[[ e + e ]] ( m)=[[[[ ee1 ]] ( me2)+[[]] ( m)=[[e ]] ( me)1]] ( m)+[[e2]] ( m) ! 1 2 1 2 [[ n]] ( m)=n [[ e e ]] ( m)=[[e ]] ( m)+[[e ]] ( m) e.g., {}[x ⟼ 1] = 1{x ⟼ 1}2 Hakjoo Oh 1 AAA616 20162 Fall, Lecture 4 October 11, 2016 4 / 29 [[ x]] ( m)=m(x) {xHakjoo ⟼ Oh1}[x ⟼ 2] = {x ⟼ 2}AAA616 2016 Fall, Lecture 4 October 11, 2016 4 / 29 [[ e1 + e2]] ( m)=[[e1]] ( m)+[[e2]] ( m) [[ e e ]] ( m)=[[e ]] ( m)+[[e ]] ( m) 1 2 1 2 Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 4 / 29 Example: Concrete (Collecting) Semantics Example: Concrete Semantics

Example:Program Concrete states: State Semantics= C M ⇥ Atrace State+ is a (partial) execution sequence of the program: Program states:2 State = C M + ⇥ Atrace State is a (partial)I executionk. sequence of the program: 2 0 2 ^8 k k+1 I k. ; where I State is the0 2 initial^8 programk statesk+1 ✓ ; where I State is the initial program states ✓ I = I(c=0,m(c00,m) 0m) 0 M { { | } 2 } I = (c0,m0) m0 M and ( ) State State{ is the relation| 2 forinitial} the memory one-step state execution: ✓ ⇥ and (;) State State is the relation for the one-step execution: (c ,s ✓) (c ,s⇥ ) c c s =[[cmd(c )]](s ) ;i i j j () i ! j ^ j j i (ci,si) ; (cj,sj) ci cj sj =[[cmd(cj)]](si) () ! ^ ;

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 5 / 29 Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 5 / 29 Example: Concrete (Collecting) Semantics Example: Concrete Semantics The collecting semantics of program P is defined as the set of all finite traces of the program:

[[ P ]] = State+ I k. { 2 | 0 2 ^8 k k+1} ; The semantic domain: D = }(State+) The semantic function: the end of the sequence F : }(State+) }(State+) ! F (⌃)=I (c, m) ⌃ (c, m) [ { · | 2 ^ a } ; Lemma sequence concatenation [[ P ]] = fixF .

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 6 / 29 Example: Concrete (Collecting) Semantics

0: ENTRY F ( )=I (c, m) , (c, m) ; = ([c {,m· ) | 2; a } { 0 0 } 1: x := 0

2 F ( )=I (c, m) I, (c, m) 2: y := 0 ; = ([c {,m· ), (c ,m| )2 (c ,ma [x 0])} { 0 0 0 0 · 1 0 7! }

3: skip 3 2 F ( )=I (c, m) F ( ), (c, m) ; [ { · | 2 ; a } = (c0,m0), (c0,m0) (c1,m0[x 0]), ({c ,m ) (c ,m [x· 0]) (c 7!,m [x 0][y 0]) 4: x := x + 1 0 0 · 1 0 7! · 2 0 7! 7! }

5: y := y + 1 . . .

6: skip Static Analysis Design: step 2

Define the input program’s abstract semantics Define abstract domain CPO Dˆ. Establish a Galois connection between D and Dˆ StepDefine 2: anDefine abstract semantic Abstract function FˆSemanticsDˆ Dˆ 2 ! Fˆ must be monotonic or extensive Step 2: Define Abstract Semantics Step 2: DefinePlan: define Abstract an abstraction Semantics that captures fixF by using Fˆ Define the abstract semantics of the input program. Step 2: Define Abstract Semantics DefineDefineStep• anDefine theStep 2:StepabstractStep abstract Define 2: 2: 2:an semanticDefine Defineabstract Define semantics Abstract Abstract Abstract Abstractdomain domain of SemanticsCPOCPO Semantics Semantics Semantics the inputDˆ . program. Define the abstract semanticsIStepIntuition: ofDefine the 2: input DefineD anˆ isabstract program. an abstraction Abstract semantic of SemanticsD domain CPO Dˆ . DefineDefineDefineDefine the abstract the the the abstract abstract abstract semantics semantics semantics semantics of of of ofˆ the the the the inputˆ input input input program. program. program. program.ˆ Define an abstract semanticDefine an domainIabstractIntuition:CPO semantic DDˆ ˆ . isis anan function abstractionF : D ofof D D. DefineStep• the 2:Define abstractDefineDefine Define an an an semanticsabstractabstractabstract Abstract semantic semantic semantic of Semanticsthe domain domain domain input! program.CPOCPOCPO DDDˆˆˆ... Stepˆ 2:I DefineIntuition:Define AbstractFˆ anis anabstract abstraction Semantics semantic of F . domain CPOˆ Dˆˆ. ˆ I Intuition: D is an abstractionDefineDefine of anD anIIIabstractabstractIntuition:Intuition:Intuition: DDD semanticˆˆˆ semanticisisis an an an abstraction abstraction abstraction domain function of of ofCPODDD FDˆ:.D D. I ˆ Define the abstract semantics ofKwangkeun the input Yi Abstract program. Interpretation! F mustI be monotone:ˆ ˆˆ ˆ ˆˆˆ ˆˆˆ ˆˆˆ Define an abstractDefine semantic the abstract functionDefineI IIntuition: semanticsIntuition:Intuition:DefineDefineDefine anF abstract: an an anDFDˆˆ ofDabstractabstractabstractis theis an an semantic anD input abstraction abstraction. semantic semanticabstraction semantic program. function function function function of of ofD FD F.FF :::DDD DDD... • Define an abstract! semantic domain CPO Dˆ .!!! ˆ ˆ III ˆˆˆ I Intuition: F is an abstractionDefineDefineI F of mustF an an. abstractIntuition:Intuition:Intuition:x,abstractˆ beyˆ monotone:D.FˆFF semantic semanticisisisxˆ an an an abstraction abstraction abstractionyˆ function= functionˆ of ofF ofˆ(ˆFFFxˆ...)F:ˆDˆ:FˆDˆ(ˆy)Dˆ . Dˆ . Define an abstractI Intuition: semanticˆˆˆ Dˆ domainis an abstractionCPO D. of D I Fˆ must be monotone: III8FFF mustmustmust2 be be be monotone: monotone: monotone:v ) v ! ! IIˆIntuition:Intuition:FˆFˆisis an an abstraction abstraction of ofF .F . I Intuition:• DIntuition:Defineis an an abstraction abstract is an semantic ofabstractionD function of Fˆ : Dˆ Dˆ . (or extensive:ˆ x D.ˆ xx,ˆ yˆFˆ(xD.)ˆ)ˆˆˆxˆ yˆ = ˆˆˆ Fˆ(ˆx)ˆˆˆ Fˆ(ˆy) II FFˆmustmust be be monotone: monotone:x,ˆx,ˆx,ˆ yyˆˆyˆˆ D.D.D.ˆxˆxˆxˆ yyˆˆyˆˆ=== FFF!(ˆ(ˆ(ˆxxx))) FFF(ˆ(ˆ(ˆyyy))) Definex,ˆ yˆ anD.ˆabstractxˆ Iyˆ Intuition: semantic=8 2Fˆ(ˆFˆx function8)is anv888F abstractionˆ2(ˆyF2)22: D ofvvvvFD. .)))) vvv v Then,8 static2 analysisv isˆ to) computev an upper bound! of: I Intuition: F ˆ isImust anF must(or(or abstraction(or be extensive: extensive: extensive: monotone: be monotone: ofxxxFˆ. ˆD.D.D.ˆˆˆ x x x FFˆFˆˆˆ(((xxx)))))) ˆ ˆ ˆ • (orˆ extensive: x,ˆxx,ˆy8ˆ88yˆD.222D.D.ˆ xxˆ xˆvvvFyˆ (yˆ=x)=) F (ˆxFˆ)(ˆx)F (ˆyFˆ) (ˆy) (or extensive: xI FˆD.must x beF monotone:(x)) 88 22 vv ) v 8 2 vThen,Then,Then, static static static analysis analysis analysis8 is is is to to toi compute compute2 computeˆ an an anv upper upper upper) bound bound boundˆ of: of: of: vˆ Then, static analysis is tox,ˆ computeFˆyˆ ( D.) xˆˆ anyˆ upper= F bound(ˆx) F of:(ˆy) Then, static analysis is to compute an(or(or upper extensive: extensive: boundx of:8x D.D.2ˆ? x x Fv(Fxˆ)()x))) v x,ˆ yˆ D.ˆ 8ixˆ N2 yˆ = v Fˆ(ˆˆˆˆxiii) Fˆ(ˆy) Then, static8(or analysis extensive:2 is to8G2v computex2 D.ˆ ) x anvFFF upperˆ((x(()v)))) bound of: Then, statici analysis is to8 compute2 v anˆi upper??? bound of: Fˆ ( ) ˆ ˆ iii NNNF ( ) How can(or we extensive:Then, ensure static? thatx analysis theD. result x is toF soundly( computex)) GG approximate2G22 an upper? bound the concreteof: i N 8 2 v i Nˆi semantics? G2 HowHowHow can can can we we we ensure ensure ensure that that that the the the result result resultG2F soundly soundly soundly( i ) approximate approximate approximate the the the concrete concrete concrete Then, static analysis is to compute an upper boundˆFˆi?( of: ) semantics?semantics?semantics? i N F ( ) How can we ensure that theHow result can soundly we ensure approximate that the the resultG concrete2 soundly?? approximate the concrete Hakjoo Oh AAA616 2016i Fall, Lecturei NN 4 October 11, 2016 7 / 29 Fˆ ( ) GG22 semantics? semantics?How can we ensureHakjooHakjooHakjoo Oh Oh Oh that the? resultAAA616AAA616AAA616 soundly 2016 2016 2016 Fall, Fall, Fall, Lecture Lecture Lecture approximate 4 4 4 theOctoberOctoberOctober concrete 11, 11, 11, 2016 2016 2016 7 7 7 / / / 29 29 29 How can we ensurei thatN the result soundly approximate the concrete Howsemantics? can we ensure thatG2 the result soundly approximate the concrete Hakjoo Oh AAA616semantics? 2016 Fall, Lecture 4 October 11, 2016 7 / 29 How can wesemantics? ensureHakjoo that Oh the result soundlyAAA616 approximate 2016 Fall, Lecture the 4 concrete October 11, 2016 7 / 29 Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 semantics? Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 Step 2: Define Abstract Semantics Define the abstract semantics of the input program. Define an abstract semantic domain CPO Dˆ .

I Intuition: Dˆ is an abstraction of D Define an abstract semantic function Fˆ : Dˆ Dˆ . Step 2: Define Abstract Semantics! I Intuition: Fˆ is an abstraction of F . I Fˆ must be monotone:

x,ˆ yˆ D.ˆ xˆ yˆ = Fˆ(ˆx) Fˆ(ˆy) 8 2 v ) v (or extensive: x D.ˆ x Fˆ(x)) 8 2 v • Then,Then, static static analysis analysis is is to to computecompute an an upper upper bound bound of: of:

Fˆi( ) ? i N G2 HowHow can can we we ensure ensure that that the the result result soundly soundly approximate approximate the concrete the • semantics? concrete semantics?

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 Requirement 1: Galois Connection Requirement 1: Galois Connection D and Dˆ must be related with Galois-connection: D Dˆ ! ↵ That is, we have abstraction function: ↵ D Dˆ 2 ! I represents elements in D as elements of Dˆ concretization function: Dˆ D 2 ! I gives the meaning of elements of Dˆ in terms of D x D, xˆ D.ˆ ↵(x) xˆ x (ˆx) 8 2 2 v () v I ↵ and respect the orderings of D and Dˆ

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 8 / 29 Requirement 1: Galois Connection

Galois-Connection

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 9 / 29 Example: Sign Abstraction

D =2Z Dˆ Z >

+ = 1, 2, 3,... Z + 0 { }

? ; ↵ Example: Sign Abstraction Example: Sign Abstraction Sign abstraction: }(Z) , +, 0, ! ↵ {? >} where Z = ? ; + z Z. z > 0 8 8 2 ↵(Z)= 0 Z = 0 > { } > z Z. z < 0 < 82 otherwise > ( )=> ? ;> ( )=Z: > (+) = z Z z>0 { 2 | } (0) = 0 { } ( )= z Z z<0 { 2 | }

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 10 / 29 Example: Interval Abstraction Example: Interval Abstraction

}(Z) [a, b] a Z ,b Z + ! ↵ {?} [ { | 2 [ {1} 2 [ { 1}} ( )= ? ; ([a, b]) = z Z a z b { 2 |   } ([a, + ]) = z Z z a 1 { 2 | } ([ ,b]) = z Z z b 1 { 2 |  } ([ , + ]) = Z 1 1

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 11 / 29 Step 2: DefineStep Abstract 2: Define Semantics Abstract Semantics Requirement 2: about Fˆ Define the abstractDefine semantics the abstract of the semantics input program. of the input program. Define an abstractDefine semantic an abstract domain semanticCPO domainDˆ . CPO Dˆ . Fˆ must beˆ monotonic: I Intuition: D IisIntuition: an abstractionDˆ is an of abstractionD of D Step 2: Define Abstract Semanticsx, y Dˆ : x y Fˆ(x) Fˆ(y) DefineStep an 2:abstract DefineDefine8 Abstract2 semantic anv Semanticsabstract) functionv semanticFˆ : functionDˆ DˆFˆ. : Dˆ Dˆ . or extensive: Define the abstract semantics of the input program. ! ! I DefineIntuition: the abstractFˆ isI semantics anIntuition:x abstractionDˆ of: x theFˆF inputˆ(x).is program. an of abstractionF . of F . RequirementRequirement 2: Fˆ and 8F2 2: v and Define an abstract semantic domain CPO Dˆ . ˆ I Fˆ Definemust an beabstract monotone:I Fˆ semanticmust domain be monotone:CPO D. I Intuition: Dˆˆ is an abstractionˆ of D ˆi ˆ FPlan:andI Intuition: staticF must analysis satisfyD isis computing an abstraction an upper of boundD of i F ( ) 2N ? Define an abstractDefine semantic an abstract function semanticFˆ : D functionˆ DˆF.ˆ : Dˆ Dˆ . ↵ F Fˆ ↵ (i.e.,ˆF x,ˆ FyˆFˆ) D.ˆ xˆˆ yˆ = ˆ Fˆ(ˆx) Fˆ(ˆy) ˆ ˆ x,ˆ yˆ D.! xˆ yˆ!= F (ˆx) F (ˆy) I Intuition:• For anyFˆ xis I an D,Intuition: abstractionxˆ D , F isandv of an F abstraction . must satisfy of F .8v 2 v ) v ˆ 2 ˆ 2 8 2 v ) v I F must beor, monotone: alternatively,I F must be monotone: ˆ ˆ (or extensive: (orx extensive:D.ˆ x Fxˆ(x)D.) x F (x)) ˆ↵(x) x,ˆ xˆyˆ = D.ˆ ↵xˆ(F (xyˆ))8=ˆFˆ(ˆ2xFˆ)(ˆx) Fˆ(ˆvy) x,ˆ yˆ D. xˆ8Kwangkeunyˆ2 Yi= AbstractF (ˆ Interpretationx)v F (ˆy) 8Then,2 staticv8v analysis2)) v isvv to) computev an upper bound of: Then, static analysis(or extensive: is tox computeD.ˆ x Fˆ(x) an) upper bound of: (or extensive: x D.ˆ x 8Fˆ(x2)) v Then, static8 2 analysisv is to compute an upper bound of: Then, static analysisIntuition: is to the compute result of an one-step upper abstract bound of:execution subsumes thatˆ iof • ˆi F ( ) one-step real execution. Fˆi( F) ( ) ? ˆ Fˆi( ) ? ? i N Requirement 2: F and F i N 2 ? G2 i N G • or, alternatively, i N G2 HowF canˆ andHow weF ensuremust canG satisfy2 that we the ensure result soundly that approximate the result the soundly concrete approximate the concrete How can we ensuresemantics? that the result soundly approximate the concrete How can we ensure↵ thatF theFˆ ↵ result(i.e., F soundly Fˆ) approximate the concrete semantics? semantics? v v Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 12 / 29 semantics? or,Hakjoo alternatively, Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 ↵(Hakjoox) xˆ Oh= ↵(F (x)) Fˆ(ˆx) AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29 v ) v Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 7 / 29

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 12 / 29 Then:Then: a CorrectThen: a Correct Static a Correct Static Analysis Analysis Static Analysis Then: a Correct Static Analysis Then: a Correct Static Analysis

static analysis = computing an upper bound of Fˆi( ˆ ). • static analysis = computing an upper bound of i N 2 ˆi ?ˆ static analysis = computing anˆ upper bound of F (i ). staticstatic analysisSuch analysis = an = computing upper computing bound an an upper upperis correct: bound bound of of FFˆii( ˆN). Fˆ ( ˆ ). A i N 2i N ? Then: a Correct Static Analysisˆ 2 ?2 ? • Such anSuch an upper upper an upper bound bound bound ˆ ˆ is is correct: correct:correct: F Such an upper boundAA↵(fixisF correct:) ˆ, thatF is, F A vˆA ↵(fixfixFF) ˆ,ˆ that is, ↵(fixF )vvA Aˆ, that is, ↵fix(fixF F)vˆ A , that is, Theorem[fixpoint-transfer]fixF v AvˆˆA fixFv A • TheoremTheorem[fixpoint-transfer]Analysis [fixpoint-transfer] result ˆ subsumesv A the real executions fixF static analysisTheorem[fixpoint-transfer] =Analysis computing result anˆ subsumesA upper bound the real ofexecutionsFfixˆiF( ˆ ). Theorem[fixpoint-transfer]A i N ˆ 2 ? Such anAnalysisAnalysis upper result resultbound result ˆ subsumes issubsumes subsumes correct: the the the real realreal executions executionsexecutionfix fixFF • AA F ↵(fixF ) ˆ, that is, v A fixF ˆ vKwangkeunAKwangkeun Yi YiAbstractAbstract Interpretation Interpretation Theorem[fixpoint-transfer] Analysis result ˆ subsumes the real executions fixF A KwangkeunKwangkeun Yi Yi AbstractAbstract Interpretation Interpretation

Kwangkeun Yi Abstract Interpretation Soundness Guarantee Soundness Guarantee

Theorem (Fixpoint Transfer) Let D and Dˆ be related by Galois-connection D Dˆ .LetF : D D be ! ↵ ! a continuous function and Fˆ : Dˆ Dˆ be a monotone function such that ! ↵ F Fˆ ↵.Then, v ↵(fixF ) Fˆi( ˆ ). v ? i G2N

Theorem (Fixpoint Transfer2) Let D and Dˆ be related by Galois-connection D Dˆ .LetF : D D be ! ↵ ! a continuous function and Fˆ : Dˆ Dˆ be a monotone function such that ! ↵(x) xˆ = ↵(F (x)) Fˆ(ˆx).Then, v ) v ↵(fixF ) Fˆi( ˆ ). v ? i G2N

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 13 / 29 Example: Sign Analysis Example: Memory State Abstraction • Plan Example:Galois-connection: Partitioning Abstraction 2 + 1 Galois-connection: }(State ) C }}((M)) ˆ ↵1C M C M ! !! ! ↵2 ! ˆ ˆ ↵1(⌃)=c. m M ↵ (f)=⌃ i.ic.=(↵c, m(f) (c)) = Var D { 2 | 92 2 ^9 m } M ˆ ˆ ! Semantic• ↵ 1 : function: partitioning abstraction1(f)=c. m(f(c)) where we assumeˆ F1 :(C }(M)) (C }(M))m A Property of Galois-Connection! ! ! ˆ • ↵ 2 : memory state abstraction}(M) M ˆ ↵ m The functionalF1(X)= composition↵1(I) c of twoC.f Galois-connectionsc( X ( !c0)) is also ˆ t 2 ˆ ˆ Semantic function F :(C M) c0 (Cc M): Galois-connection: ! ![! ! where fc : }(M) }(M) is a transfer function at program point c: Lemma ! Fˆ(X)=(↵2 ↵1)(I) c . fˆc( X(c0)) 1 2 C fc(M)= m0 m M m0 =[[cmdt (c)]](2m) If D1 D{2 and| D22 ^ D3,then } c0 c ! ↵1 ! ↵2 G! Lemmawhere (Soundnessabstract transfer of Partitioning function Abstraction)fˆ1 :2 ˆ ˆ is given such that D1 c MD3. M ! ↵2 ↵1 ! ↵ (fixF ) Fˆi( ). 1 i N 1 ↵ f fˆ ↵ (1) v 2 ? m c v c m Proof.Hakjoo OhF AAA616 2016 Fall, Lecture 4 October 11, 2016 15 / 29 TheoremExercise (Soundness) ˆi ↵(fixF ) i F ( ) where ↵ = ↵2 ↵1. v 2N ?

HakjooF Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 16 / 29

Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 14 / 29 Example: Sign Analysis (Step 1: Partitioning Abstraction) Example: Partitioning Abstraction + 1 Galois-connection: }(State ) C }(M) ! ↵1 !

↵1(⌃)=c. m M ⌃ i.i =(c, m) { 2 | 9 2 ^9 } Semantic function: ˆ F1 :(C }(M)) (C }(M)) ! ! ! ˆ F1(X)=↵1(I) c C.fc( X(c0)) t 2 c c 0[! where fc : }(M) }(M) is a transfer function at program point c: ! f (M)= m m M m =[[cmd(c)]](m) c { 0 | 2 ^ 0 }

Lemma (Soundness of Partitioning Abstraction) ˆi ↵1(fixF ) i N F1( ). v 2 ? Hakjoo OhF AAA616 2016 Fall, Lecture 4 October 11, 2016 15 / 29 Example: Sign Analysis Example:(Step Memory 2: Memory State Abstraction State Abstraction) Galois-connection: 2 C }(M) C Mˆ ! ! ↵2 ! ↵2(f)=c. ↵m(f(c)) 1(fˆ)=c. m(fˆ(c)) where we assume m }(M) Mˆ ↵ m ! Semantic function Fˆ :(C Mˆ ) (C Mˆ ): ! ! ! ˆ ˆ F (X)=(↵2 ↵1)(I) c C. fc( X(c0)) t 2 c c 0G! ˆ ˆ ˆ where abstract transfer function fc : M M is given such that ! ↵ f fˆ ↵ (1) m c v c m Theorem (Soundness) ˆi ↵(fixF ) i F ( ) where ↵ = ↵2 ↵1. v 2N ?

HakjooF Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 16 / 29 Example: Sign Analysis Example:(Step Sign 2: Analysis Memory State Abstraction) Memory state abstraction: m }(M) Mˆ ↵ m ! ↵ (M)=x Var. ↵ ( m(x) m M ) m 2 s { | 2 } where ↵s is the sign abstraction: s }(Z) Zˆ ! ↵s ˆ ˆ ˆ The transfer function fc : M M: ! fˆc(ˆm)=mc ˆ = skip fˆ (ˆm)=m ˆ[x ˆ(e)(m ˆ )] c = x := e c 7! V ˆ(n)(m ˆ )=↵ ( n ) V s { } ˆ(x)(m ˆ )=m ˆ(x) V ˆ(e + e )= ˆ(e )(m ˆ ) +ˆ ˆ(e )(m ˆ ) V 1 2 V 1 V 2 ˆ(e - e )= ˆ(e )(m ˆ ) ˆ ˆ(e )(m ˆ ) V 1 2 V 1 V 2 Lemma ↵ f fˆ ↵ m c v c m Hakjoo Oh AAA616 2016 Fall, Lecture 4 October 11, 2016 17 / 29 Abstract Addition

+ˆ ⊥ + 0 - ⊤

⊥ ⊥ ⊥ ⊥ ⊥ ⊥

+ ⊥ + + ⊤ ⊤

0 ⊥ + 0 - ⊤

- ⊥ ⊤ - - ⊤ ⊤ ⊤ ⊤ ⊤ ⊤ ⊤ Abstract Subtraction

ˆ ⊥ + 0 - ⊤ ⊥ ⊥ ⊥ ⊥ ⊥ ⊥

+ ⊥ ⊤ + + ⊤

0 ⊥ - 0 + ⊤

- ⊥ - - ⊤ ⊤ ⊤ ⊤ ⊤ ⊤ ⊤ ⊤ Example: Abstract Semantics Fixpoint reached! 0: ENTRY

Iter 1 2 3 4 5 6 7 8 1: x := 0 c1 {x ⟼0} {x ⟼0} {x ⟼0} {x ⟼0} {x ⟼0} {x ⟼0} {x ⟼0} {x ⟼0}

2: y := 0 {x⟼0, {x⟼0, {x⟼0, {x⟼0, {x⟼0, {x⟼0, {x⟼0, c2 {y ⟼0} y⟼0} y⟼0} y⟼0} y⟼0} y⟼0} y⟼0} y⟼0} {x⟼0, {x⟼0, {x⟼0, {x⟼+, {x⟼+, {x⟼+, 3: skip c3 {} {y ⟼0} y⟼0} y⟼0} y⟼0} y⟼+} y⟼+} y⟼+} {x⟼+, {x⟼+, {x⟼+, {x⟼+, {x⟼+, c4 {} {} {} y⟼0} y⟼0} y⟼0} y⟼+} y⟼+} 4: x := x + 1 {x⟼+, {x⟼+, {x⟼+, {x⟼+, c5 {} {} {} {} y⟼+} y⟼+} y⟼+} y⟼+} 5: y := y + 1 {x⟼0, {x⟼0, {x⟼0, {x⟼+, {x⟼+, c6 {} {} {y ⟼0} y⟼0} y⟼0} y⟼0} y⟼+} y⟼+}

6: skip Next

• What if the abstract domain is infinite?

• Widening / Narrowing

• Interval analysis

• Worklist algorithm for more efficient fixpoint computation