‟Next 40 years of Abstract Interpretation”

Abstract Interpretation – 40 years back + some years ahead Abstract interpretation: origin (abridged) N40AI 2017 January 21st, 2017 Paris, France Patrick Cousot

[email protected]@yu.e1du cs.nyu.edu/~pcousot

N40AI, 2017/01/21, Paris, France 1 © P. Cousot N40AI, 2017/01/21, Paris, France 2 © P. Cousot

Before starting (1972-73): formal syntax Before starting (1972-73): formal semantics • Radhia Rezig: works on precedence parsing (R.W. • Patrick Cousot: works on the operational semantics of Floyd, N. Wirth and H. Weber, etc.) for Algol 68 programming languages and the derivation of ➡ P r e - p r o c e s s i n g ( by s t a t i c a n a l y s i s a n d implementations from the formal definition transformation) of the grammar before building the ➡ Static analysis of the formal definition and bottom-up parser transformation to get the implementation by “pre- • Patrick Cousot: works on context-free grammar evaluation” (similar to the more recent “partial parsing (J. Earley and F. De Remer) evaluation”) ➡ P r e - p r o c e s s i n g ( by s t a t i c a n a l y s i s a n d transformation) of the grammar before building the top-down parser

• Radhia Rezig. Application de la méthode de précédence totale à l’analyse d’Algol 68, Master thesis, Université Joseph Fourier, Grenoble, France, September 1972. • Patrick Cousot. Définition interprétative et implantation de languages de programmation. Thèse de Docteur Ingénieur en Informatique, Université Joseph Fourier, Grenoble, France, 14 Décembre 1974 (submitted in 1973 • Patrick Cousot. Un analyseur syntaxique pour grammaires hors contexte ascendant sélectif et général. In Congrès AFCET 72, Brochure 1, pages 106-130, Grenoble, France, 6-9 November 1972. but defended after finishing military service with J.D. Ichbiah at CII). N40AI, 2017/01/21, Paris, France 3 © P. Cousot N40AI, 2017/01/21, Paris, France 4 © P. Cousot Vision (1973) An important encounter • I do my military service as a scientist with Jean Ichbiah • Work on the revision of LIS (ancestor of Green → ADA) Intervals ➞ • Will always be a very strong support on our work Assertions ➞

Static analysis ➞

N40AI, 2017/01/21, Paris, France 5 © P. Cousot N40AI, 2017/01/21, Paris, France 6 © P. Cousot

1973: Dijkstra’s handmade proofs 1974: origin Radhia Rezig: attends Marktoberdorf summer • Radhia Rezig shows her interval analysis • ideas to Patrick Cousot school, July 25–Aug. 4, 1973 ➡ Patrick very critical on going backwards ➡ Dijkstra shows program proofs (inventing from [-∞, +∞] and claims that going elegant backward invariants) forward would be much better ➡ Patrick also very skeptical on forward termination for loops • Radhia comes back with the idea of ➡ Radhia has the idea of automatically inferring extrapolating bounds to ±∞ for the forward the invariants by a backward calculus to analysis determine intervals • We discover widening = induction in the abstract and that the idea is very general

N40AI, 2017/01/21, Paris, France 7 © P. Cousot N40AI, 2017/01/21, Paris, France 8 © P. Cousot First seminar in Grenoble: a warm welcome Notes of Radhia Rezig on forward iteration • “Not all functions are increasing, for example, sin” (1) from ☐ = ⊥ versus • “This is woolly” (fumeux) backward iteration • “This will have applications in hundred years” from [-∞, +∞] (2)

(1) i.e. forward least fixed point (2) i.e. backward greatest fixed point

N40AI, 2017/01/21, Paris, France 9 © P. Cousot N40AI, 2017/01/21, Paris, France 10 © P. Cousot

The IRIA-SESORI contract (1975–76) The IRIA-SESORI contract (1975-76) • The project evaluator (Bernard Lohro) points us to the • New general ideas literature on constant propagation in data flow analysis - The formal notions of abstraction/approximation (Kildall thesis). - The formal notion of abstract induction (widening) to • It appears that it is completely related to some of ours handle infiniteness and/or complexity ideas, but a.o. - The systematic correct design with respect to a formal semantics - We are not syntactic (as in boolean DFA) - ... - We have no need for some hypotheses (e.g. distributivity not even satisfied by constant propagation!) - We have no restriction to finite lattices (or ACC) - We have no need of an a-posteriori proof of correctness (e.g. with respect to the MOP as in DFA) - ...

N40AI, 2017/01/21, Paris, France 11 © P. Cousot N40AI, 2017/01/21, Paris, France 12 © P. Cousot The IRIA-SESORI contract (1975-76) The first reports (1975)

• The first contract report:

3I}Ti\ilTIIO 3I}Ti\ilTIIO NOIJ\DICITEA NOIJ\DICITEA JO f,IIVIS

s'fl{vluv s'fl{vluv c0 c0 sgrrul@ud sgrrul@ud sdrt

Pue Pue JCISrp3 JCISrp3 {f,rrlBd JOSfp3 JOSfp3 TqPeU TqPeU €

s/6T s/6T 5Z 5Z er$E^oN 'trtl

30 30 ruoddvu 3H3U3HC3U

The first abstract The first research interpreter with report widening (Nov. 1975) (as of 23 Sep. 1975)

N40AI, 2017/01/21, Paris, France 13 © P. Cousot N40AI, 2017/01/21, Paris, France 14 © P. Cousot

The first publication (1976) Maturation (1976 – 77): from an • The first publication (ISOP II, Apr. 76) algorithmic to an algebraic point of view • Narrowing, duality • Transition systems, traces • Fixpoints, chaotic/asynchronous iterations, approximation • Abstraction, formalized by Galois connections, closure operators, Moore families, ...; • Numeric and symbolic abstract domains, combinations of abstract domains • Recursive procedures, relational analyses, heap analysis • etc.

cited by 551

N40AI, 2017/01/21, Paris, France 15 © P. Cousot N40AI, 2017/01/21, Paris, France 16 © P. Cousot A Visitor POPL’77 FDPC’77 POPL’79 • Hi, I am Steve Warshall • The theorem? • Yes • Steve Schuman told me you are doing interesting work • … • You should publish in Principles of Programming On this page: dual, Galois connections, Languages. conjugate and Topology, higher-order closure operators, Moore inversion:lfp/gfp wp/sp fixpoints, operational/ families, ideals,... (i.e. pre/post) wp/sp)˜ ˜ summary/... analysis

• Stephen Warshall. A theorem on Boolean matrices. Journal of the ACM, 9(1):11–12 , January 1962. Cited by 6381 Cited by 225 Cited by 1638

N40AI, 2017/01/21, Paris, France 17 © P. Cousot N40AI, 2017/01/21, Paris, France 18 © P. Cousot

And a bit of mathematics… On submitting to POPL

PA.IFIC'?:lTii HEMATI.S ::',''ffi • For POPL’77, we submit (on Aug. 12, 1976) CONSTRUCTIVEVERSIONS OF TARSKI'S FIXED POINT THEOREMS

P,q.rnrcN Cousor l.No RlpnlA Cousor

Let F be a monotone operator on the complete lattice copies of a two-hands written manuscript of 100 Z into itself. Tarski's lattice theoretical fixed point theorern states that the set of fixed points of l' is a nonempty cornplete lattice for the ordering of Z. We give a constructive proof of this theorern showing that the set of fixed points of .F is the image of L by a lower and an upper preclosure operator. These preclosure operators are the composition of lower and upper closure operators which are defined by means of pages. The paper is accepted ! limits of stationary transfinite iteration sequencesfor ,F. In the same wey we give a constructive characterization of the set of common fixed points of a family of commuting operators. Finally we examine some consequencesof additional semi- continuity hypotheses.

1. Introduction. LetL(s:, L,T,U, |-l) beanonempty complete g, Lutt'ice with parti,al ordering least upper bound, u , greatest lower bound, ft. The i,nf,munL I of tr is f-lL, the supremum T of L is UL. (Birkhoff's standard referenee book I3l provides the necessary background materiai.) Set inclusion, union and intersection are respectively denoted by e , U and f-l . Let tr be a monotone operator on L(e, L, T, U, fl) into itself (i.e., YX, Y e L, {X =Y) - {F(X) e lr(y)}). The fundamental theorem of Tarski [19] states that the set fp(F) of f,red"poi,ntsof f'(i.e., fp(F): {Xe L:X: f'(X)}) is a nonempty complete iattice with ordering e . The proof of this theorem is based on the definition of the least fixed point tfp(F) of lI by Lfp(F) : g n{Xe L:F(X) X}. The least upper bounclof S c fe@) in fp(F) ASYNCHRONOUSITERATIVE METHODS is the least fixed point of the restriction of f'to the completelattice FORSOLVING A FIXED POINTSYSTEM OF MONOTONE {X e L: ( u S1 q 11. An application of the duality principte completes EQUATIONSIN A COMPLETILATTICE the proof. Patri ck Cousot

This deflnition is not constructive and many appiications of R.R. B8 lanl- omlrno LYI I Tarski's theorem (specially in computer science (Cousot [5]) and numerical analysis (Amann Iz])) use the alternative characterization of lfp(F) as U {tr"(-r ): i e N}. This iteration schemewhich originates from Kleene [tO]'s first recursion theorem and which was used by Tarski [fl] for complete morphisms, has the drawback to require the additional assumptionthat F is semi-conti,nuous(F(US) : U,F'(S) 'increas'ing l for every nonempty ch,ai,tt,S, see e.g., Kolodner [ff]). RAFPORT DE REGT-!ERCHE l

I cited by 208 cited by 31 cited by 42

N40AI, 2017/01/21, Paris, France 19 © P. Cousot N40AI, 2017/01/21, Paris, France 20 © P. Cousot On abstracting: transition system On convincing ... Reachability semantics is an abstraction of the relational semantics (in PC’s thesis, 21 march 1978 also § 3 of POPL’79) • During PC’s thesis defense, it was suggested that abstraction/approximation is useless since computers i.e. pre i.e. post transformer are finite and executions are timed-out (so, the second part of the thesis on fixpoint approximation/ widening/narrowing/... is superfluous!) • Fortunately we do not listen (otherwise we would have invented enumeration methods that fail to scale) fixpoint reflexive transitive closure • On the contrary, in 1978, during a seminar (1) abstract transformer concrete transformer at Harvard , G. Birkhoff appears interested, according to his questions & fixpoint ... feedback, in the effective computational backward reachability Fixpoint abstraction under commutativity forward reachability aspects of lattice fixpoint theory with abstraction h iterative fixpoint computation (1) invited by Ed. Clarke. N40AI, 2017/01/21, Paris, France 21 © P. Cousot N40AI, 2017/01/21, Paris, France 22 © P. Cousot

tel-00288657, version 1 - 18 Jun 2008 21 The principles (1977–79) are lasting • Define the semantics (operational, denotational, axiomatic, ...) of the programming language (as a ... / trace semantics / transition system / transformers / ...) • Define the strongest property of interest (also called the collecting semantics) • Express this collecting semantics in fixpoint (constraint, rule- Abstract interpretation: based,…) form • Define the abstraction/concretization compositionally (by Research takes time composition of elementary abstractions and abstraction constructors/functors) • Design the abstract proof / analysis semantics by calculus using [structural] abstraction i.e. abstract domain + abstract fixpoint • Combine abstractions (e.g. reduced product)

N40AI, 2017/01/21, Paris, France 23 © P. Cousot N40AI, 2017/01/21, Paris, France 24 © P. Cousot Typing Typing

• Type checking and inference is an abstract • POPL 1997: Types as Abstract Interpretations (invited paper)

Patrick Cousot interpretation: LIENS, Ecole´ Normale Sup´erieure 45, rue d’Ulm 75230 Paris cedex 05 (France) [email protected], http://www.ens.fr/~cousot

Abstract cern, and their correctness can be verified with respect to a Starting from a denotational semantics of the eager untyped given type system; this process guarantees that type checkers lambda-calculus with explicit runtime errors, the standard satisfy the language definition.” [2]. Abstract interpreta- collecting semantics is defined as specifying the strongest tion allows viewing all these different aspects in the more program properties. By a first abstraction, a new sound unifying framework of semantic approximation. Formaliza- type collecting semantics is derived in compositional fix- tion of program analysis and type systems within the same point form. Then by successive (semi-dual) Galois con- abstract interpretation framework should lead to a better nection based abstractions, type systems and/or type in- understanding of the relationship between these seemingly ference algorithms are designed as abstract semantics or different approaches to program correctness and optimiza- abstract interpreters approximating the type collecting se- tion. mantics. This leads to a hierarchy of type systems, which 2Syntax is part of the lattice of abstract interpretations of the un- The syntax of the untyped eager lambda calculus is: typed lambda-calculus. This hierarchy includes two new `alaChurch/Currypolytypesystems.Abstractionsofthis x, f,... :programvariables polytype semantics lead to classical Milner/Mycroft and ∈ e :programexpressions Damas/Milner polymorphic type schemes, Church/Curry ∈ monotypes and Hindley principal typing algorithm. This e ::= x x e e1(e2) f x e shows that types are abstract interpretations. | · | | · · | 1 e1 e2 (e1 ? e2 : e3) 1Introduction | − | The leading idea of abstract interpretation [6, 7, 9, 12] is x e is the lambda abstraction and e1(e2)theapplication. In · f x e,thefunctionf with formal parameter x is de- that program semantics, proof and static analysis methods · · have common structures which can be exhibited by abstrac- fined recursively. (e1 ? e2 : e3) is the test for zero. tion of the structure of run-time computations. This leads 3DenotationalSemantics to an organization of the more or less approximate or refined The semantic domain is defined by the following equations semantics into a lattice of abstract interpretations. This uni- [20]: fying point of view allows for a synthetic understanding of awiderangeofworksfromtheoreticalsemanticalspecifica- =△ ω wrong tions to practical static analysis algorithms. { } z integers It will be shown that this point of view can be applied to ∈ type theory, in particular to type soundness and `alaCurry u, f, ϕ ∼= [ ] values type inference which, following [17, 29], have been dominat- ∈ ⊥ ⊕ ⊥ ⊕ %→ ⊥ R =△ environments ing research themes in programming languages during the ∈ %→ last two decades, at least for functional programming lan- φ =△ semantic domain guages [1, 19, 31]. Traditionally the design of a type system ∈ %→ “involves defining the notion of type error for a given lan- where ω is the wrong value, denotes non-termination, D guage, formalizing the type system by a set of type rules, is the lift of domain D (with⊥ up injection ( ) D D⊥ ↑ • ∈ %→ ⊥ and verifying that program execution of well-typed programs and partial down injection ( ) D D), D1 D2 is ↓ • ∈ ⊥ %−↛ ⊕ cannot produce type errors. This process, if successful, guar- the coalesced sum of domains D1 and D2 (with left and antees the type-soundness of a language as a whole. Type- right injections :: D1 D1 D1 D2 and :: D2 checking algorithms can then be developed as a separate con- • ∈ %→ ⊕ • ∈ D2 D1 D2), Ω =△ (ω):: and [D1 D2]isthe %→ ⊕ ↑ ⊥ %→ Permission to make digital/hard copies of all or part of this material for domain of continuous, -strict, Ω-strict functions from D1 personnal or classroom use is granted without fee provided that the copies ⊥ are not made or distributed for profit or commercial advantage, the copy- into D2. is the computational ordering on and is the right notice, the title of the publication and its date appear, and notice is ⊑ ) given that copyright is by permission of the ACM, Inc. To copy otherwise, least upper bound (lub) of increasing chains. to republish, to post on servers or to redistribute to lists, requires specific In the metalanguage for defining the denotational seman- permission and/or fee. POPL 97, Paris, France tics below, Λx. ... or Λx S. ... is the lambda abstraction. c 1997 ACM 0-89791-853-3/96/01 ..$3.50 (... ? ...... ? ...... ∈ )istheconditionalexpression. ⃝ | |

316

N40AI, 2017/01/21, Paris, France 25 © P. Cousot N40AI, 2017/01/21, Paris, France 26 © P. Cousot

Probabilistic static analysis Probabilistic static analysis • ESOP 2012:

Probabilistic Abstract Interpretation

Patrick Cousot and Michael Monerau

Courant Institute, NYU and École Normale Supérieure, France

Abstract. Abstract interpretation has been widely used for verifying properties of computer systems. Here, we present a way to extend this framework to the case of probabilistic systems. The probabilistic abstraction framework that we propose allows us to systematically lift any classical analysis or verification method to the probabilistic setting by separating in the program semantics the probabilistic behavior from the (non-)deterministic behavior. This sep- aration provides new insights for designing novel probabilistic static analyses and verification methods. We define the concrete probabilistic semantics and propose di↵erent ways to abstract them. We provide examples illustrating the expressiveness and e↵ectiveness of our approach.

1 Introduction As programs get larger and larger, it has become untractable to verify their properties and/or N40AI, 2017/01/21, Paris, France 27 © P. Cousot N40AI,correctness 2017/01/21, Paris, France by hand or testing. Formal methods 28 have thus been developed in order to be © P. Cousot able to verify program properties automatically, at least in part. One of them is abstract interpretation which has proved successful both in solving hard problems and scaling up nicely. When probabilities come into play, the verification of program properties is even more dicult. Our work precisely tackles this issue, that is verifying properties of probabilistic programs. We propose a formal, general and modular framework, extending the classical abstract interpretation framework to take probabilities into account, allowing for crafting of new analyses, as well as lifting of existing non-probabilistic analyses to the probabilistic setting. Probabilities come into play because of program randomness (such as calls to a random number generator rand()) and input randomness (for which a distribution may be known). Usually, all this randomness is forgotten for non-determinism. It is sound but loses a lot of information. So our goal here is to use hypotheses on randomness to be able to infer more precise probabilistic program properties. The goals of having probabilistic static analyses are various, let alone the fact that we can actually verify some probabilistic properties on the program. A couple of more original examples of interesting applications are to enable compilers to gain access to more useful in- formation to decide register allocations or cache/scratchpad allocations, or to provide useful information about branching for Just In Time compilers without having to do any profiling or execution, among many other applications. There is a lot of work on probabilistic program construction and verification meth- ods [13,15,19,23], probabilistic model-checking [11], probabilistic abstract model-checking [2,27,29], probabilistic abstract interpretation [21,25,28], with, in the case of model-checking and abstract interpretation, existing applications to biological pathways [1,3,18]. One of our objectives is to unify and generalize these frameworks.

2 The abstract interpretation framework Abstract interpretation is a theory of approximation. Applied to semantics of computer pro- grams, it allows oneself for generic design of static analyses [5]. An Abstract Interpretation Framework for Termination Termination Termination Patrick Cousot Radhia Cousot CNRS, École Normale Supérieure, and INRIA, France CNRS, École Normale Supérieure, and INRIA, France Courant Institute ⇤, NYU, USA u ot rcfsen.s@or • POPL 2012: os s, o t @cu m s@o .tn .ips enyoc du.c ufeu Abstract Proof, verification and analysis methods for termination while remaining lower-bounded, or dually. So most termination all rely on two induction principles: (1) a variant function or induction on analysis methods indirectly reduce to a relational invariance anal- data ensuring progress towards the end and (2) some form of induction ysis hence can reuse classical static analysis methods. An Abstract Interpretationon Framework the program structure. for Termination The abstract interpretation design principle is instantiated with The abstract interpretation design principle is first illustrated for the suitable abstractions for safety and termination analysis, proof, An Abstract Interpretation Frameworkdesign of new forward and for backward Termination proof, verification and analysis Patrick Cousot methods for safety. The safetyRadhia collecting Cousot semantics defining the strongest and checking/verification (either potential termination or definite safety property of programs is first expressed in a constructive fixpoint termination for nondeterministic systems). CNRS, École NormalePatrick Supérieure, Cousot and INRIA, France form. SafetyCNRS, proof École and Normale checkingRadhia/ Supérieure,verification Cousot methods and INRIA, then immediatelyFrance The first main idea for termination is that there exists a most Courant Institute ⇤, NYU, USA CNRS, École Normale Supérieure, and INRIA, France followCNRS, by fixpoint École induction. Normale Static Supérieure,u ot analysis andof rcfsen.s@or abstract INRIA, safety France properties precise variant function that can be expressed in fixpoint form by no [email protected] os s, o t @cu m s@o .tn .ips enyoc du.c ufeu such as invariance are constructively designed by fixpoint abstraction abstract interpretation of a termination collecting semantics itself Courant Institute ⇤, NYU, USA u ot rcfsen.s@or (or approximation) to (automatically) infer safety properties. So far, no abstracting the program operational trace semantics. This yields no [email protected] os s, o t @cu m s@o .tn .ips enyoc du.c ufeu Proof, verification and analysis methods for termination such clearwhile design remaining principle lower-bounded, did exist for termination or dually. so So that most the existing termination new static analysis methods automatically inferring abstractions Abstract approaches are scattered and largely not comparable with each other. all rely on two induction principles: (1) a variant function or induction on analysis methods indirectly reduce to a relational invariance anal- of that variant function by the constructive fixpoint approximation Abstract Proof, verification and analysis methods for termination whileFor (1), remaining we show that lower-bounded, this design principle or dually. applies So equally most well termination to po- data ensuring progress towards the end and (2) some form of induction ysis hence can reuse classical static analysis methods. methods of abstract interpretation. allon rely the on program two induction structure. principles: (1) a variant function or induction on tentialanalysis and definite methods termination indirectly. The reduce trace-based to a relational termination invariance collecting anal- data ensuring progress towards the end and (2) some form of induction semanticsThe is given abstract a fixpoint interpretation definition. design Its abstraction principle yields is instantiated a fixpoint with The second main idea introduced in this paper both for safety The abstract interpretation design principle is first illustrated for the ysissuitable hencecan abstractions reuse classical for safety staticand analysistermination methods.analysis, proof, ondesign the program of new structure. forward and backward proof, verification and analysis definitionThe of abstract the best interpretation variant function. design By further principle abstraction is instantiated of this best with and termination is that of semantic structural induction, including variantand function, checking we/verification derive the Floyd (either/Turing potential termination termination proof method or definite methodsThe abstract for safety interpretation. The safety design collecting principle semantics is first defining illustrated thefor strongest the suitable abstractions for safety and termination analysis, proof, termination proofs, over trace segment covers and their abstrac- design of new forward and backward proof, verification and analysis as welltermination as new static for analysis nondeterministic methods to esystems).↵ectively compute approxima- safety property of programs is first expressed in a constructive fixpoint and checking/verification (either potential termination or definite tions. Trace segments are more powerful than binary relations be- methodsform. Safetyfor safety proof. The and safety checking collecting/verification semantics methods defining then the immediately strongest tions of thisThe best first variant main function. idea for termination is that there exists a most tween states which have been used traditionally in program termi- safety property of programs is first expressed in a constructive fixpoint terminationFor (2), we introduce for nondeterministic a generalization systems). of the syntactic notion of struc- follow by fixpoint induction. Static analysis of abstract safety properties precise variant function that can be expressed in fixpoint form by nation proofs (for example, the transition invariants used in [53] form.such Safety as invariance proof and are checking constructively/verification designed methods by thenfixpoint immediately abstraction tural inductionabstractThe first interpretation (as main found idea in Hoare for of termination a logic) termination into a issemantic collecting that there structural semanticsexists induc- a most itself tion based on the new semantic concept of inductive trace cover covering are binary relation abstractions of the set of trace segments). Exam- follow(or approximation) by fixpoint induction. to (automatically) Static analysis infer of safety abstract properties. safety properties So far, no preciseabstracting variant the function program that operational can be expressed trace semantics. in fixpoint This form yields by such as invariance are constructively designed by fixpoint abstraction execution traces by segments, a new basis for formulating program prop- ples include structural induction on the program syntax (including such clear design principle did exist for termination so that the existing abstractnew static interpretation analysis methodsof a termination automatically collecting inferring semantics abstractions itself (orapproaches approximation) are scattered to (automatically) and largely infer not comparable safety properties. with each So other. far, no erties.abstracting Its abstractions the program allow for operational generalized trace recursive semantics. proof, verification This yields loop invariants à la Floyd [40]), induction on data, à la Burstall and staticof that analysis variant methods function by inductionby the constructive on both program fixpoint structure, approximation con- such clearFor (1), design we show principle that didthis exist design for principle termination applies so thatequally the wellexisting to po- new static analysis methods automatically inferring abstractions [3], the covering of the transition relation closure by well-founded approachestential and are definite scattered termination and largely. The not comparabletrace-based terminationwith each other. collecting trol, andmethods data. Examples of abstract ofinterpretation. particular instances include Floyd’s handling of that variant function by the constructive fixpoint approximation relations, à la Podelski-Rybalchenko [53], their combinations and semanticsFor (1), we is show given that a fixpoint this design definition. principle Its applies abstraction equally yields well a tofixpointpo- of loop cut-pointsThe second as well main as idea nested introduced loops, Burstall’s in this paperintermittent both forasser- safety generalizations. tentialdefinition and definite of the best termination variant function.. The trace-based By further termination abstraction collecting of this best tionmethods totaland correctness termination of abstract proof is interpretation. that method, of semantic and Podelski-Rybalchenko structural induction transition, including semanticsvariant function, is given a we fixpoint derive definition. the Floyd/ ItsTuring abstraction termination yields proof a fixpoint method invariants.terminationThe second proofs, main idea over introducedtrace segment in this covers paperand both their for safety abstrac- ↵ 2. Fixpoints, fixpoint induction, abstraction, and definitionas well asof newthe best static variant analysis function. methods By to further e ectively abstraction compute of approxima- this best andtions. termination Trace segments is that of aresemantic more powerful structural thanSoftware induction binary/Program, relations including be- varianttions function, of this best we variant derive function. the Floyd/Turing termination proof method Categories and Subject Descriptors D.2.4 [ Verificationterminationtween]; states D.3.1 proofs, which [Formal over havetrace Definitions been segment used andtraditionally covers Theoryand]; in F.3.1 their program [Spec- abstrac- termi- approximation as wellFor as (2),new we static introduce analysis a generalizationmethods to e↵ectively of the syntactic compute notion approxima- of struc- tions. Trace segments are more powerful than binary relations be- We express semantics as fixpoints of maps f A A i.e. elements tionstural of induction this best variant (as found function. in Hoare logic) into a semantic structural induc- ifyingnation and Verifying proofs (for and example, Reasoning the about transition Programs invariants]. used in [53] 2 7! tweenare binary states relation which have abstractions been used of traditionallythe set of trace in segments). program termi- Exam- x A such that x = f (x). We let lfpav f be the least fixpoint of tionForbased (2), we on introduce the new semantic a generalization concept of of theinductive syntactic trace notion cover ofcovering struc- General Terms Languages, Reliability, Security, Theory, Verifi- 2 nationples include proofs (for structural example, induction the transition on the program invariants syntax used (including in [53] f A A on the poset A, greater than or equal to a A, turalexecution induction traces (as found by segments in Hoare, a logic) new basis into for a semantic formulating structural program induc- prop- cation. 2 7! h vi 2 tionerties.based Its on abstractions the new semantic allow forconcept generalized of inductive recursive trace proof, cover verificationcovering areloop binary invariants relation à abstractions la Floyd [40 of]), the induction set of trace on segments). data, à la Exam- Burstall if any. The dual notion is that of greatest fixpoint gfpav f . We write executionand static traces analysis by segments methods, a by new induction basis for on formulating both program program structure, prop- con- Keywordsples[3], include theAbstract covering structural Interpretation, of the induction transition onInduction, relationthe program Proof,closure syntax Safety, by well-founded (including Static lfpv f if a is the infimum of A, and lfp f if the partial order is clear v N40AI, 2017/01/21, Paris, France 29 © P. Cousot N40AI,erties. 2017/01/21,trol, Its and abstractions data.Paris, Examples France allow of for particular generalized instances recursive include proof, Floyd’s verification handling analysis, 30 loop relations, invariants Variant à la function, à Podelski-Rybalchenko la Floyd Verification, [ 40 ]), induction Termination. [53 ], on their data, combinations à la Burstall © and P. Cousotfrom the context. By Tarski/Pataria’s fixpoint theorem [50, 58], andof static loop analysis cut-points methods as well by as induction nested loops, on both Burstall’s program intermittent structure, con- asser- 1 [3],generalizations. the covering of the transition relation closure by well-founded lfpv f = P A a P f (P) P exists for f increasing tion total correctness proof method, and Podelski-Rybalchenko transition a trol, and data. Examples of particular instances include Floyd’s handling 1.relations, Introduction à la Podelski-Rybalchenko [53], their combinations and { 2 | v, ,^ , , v, } 2 , , , ofinvariants. loop cut-points as well as nested loops, Burstall’s intermittent asser- on a complete lattice A a or on a cpo A a generalizations. 3 d h v 0> t ui n+1 h v n tion total correctness proof method, and Podelski-Rybalchenko transition Floyd2./Turing Fixpoints, program proof fixpoint methods induction, for invariance abstraction, and termina- and . The fixpoint iterates are f , a, n N : f = f ( f ), Categories and Subject Descriptors D.2.4 [Software/Program ti! n 8 2 invariants. tion [24, 40, 59] have inspired most sound static analysis methods. f , n N f which is lfpav f when a f (a) is a pre-fixpoint and Verification]; D.3.1 [Formal Definitions and Theory]; F.3.1 [Spec- approximation 2 2.For static Fixpoints,invariance fixpointanalysis induction, by abstract interpretation abstraction, [19, and21], f is continuous4,5,6. If f is increasing butv not continuous, transfinite Categoriesifying and and Verifying Subject and Descriptors Reasoning aboutD.2.4 Programs [Software]. /Program We express semantics as fixpoints of maps f A A i.e. elements a key step is to express the strongest invariant as2 a7! fixpoint and iterationsF may have to be used [22]. Verification]; D.3.1 [Formal Definitions and Theory]; F.3.1 [Spec- x approximationA such that x = f (x). We let lfpav f be the least fixpoint of Denotational Semantics General Terms Languages,Hierarchy Reliability, Security, Theory, Verifi- ofnextWe tof express2 approximatesemanticsA semanticsA on this the as strongest posetfixpointsA, invariantof mapsgreater tof thanautomaticallyA orA equali.e. elements toinfera A, ifyingcation. and Verifying and Reasoning about Programs]. 2 7! h vi 2 7! 2 anx abstractif any.A such Theinductive that dualx notion invariant= f (x is). that usingWe of letgreatest thelfpv constructivef be fixpoint the leastgfp fixpointv fixpointf . We ap- writeof General Terms Languages, Reliability, Security, Theory, Verifi- 2 a a 1 f A A is increasing (also monotone, isotone, ...) on a poset A, if Keywords Abstract Interpretation, Induction, Proof, Safety, Static proximationf lfpvAf if methods.aAison the the infimum poset ofAA, , andgreaterlfp f if than the partial or equal order to a is clearA, 2 7! h vi 2 7! h vi 2 and only if x, y A :(x y) = ( f (x) f (y)) [36]. cation. For static termination analysis, the discovery of variantv func-v analysis, Variant function, Verification, Termination. iffrom any. The the dual context. notion By is Tarski that of/Pataria’sgreatest fixpoint gfp theorema f . We [50 write, 58], 2 8 2 v ) v 1 A complete lattice A, , , , , is a poset s. t. any subset has a Keywords Abstract Interpretation, Induction, Proof, Safety, Static tionslfplfpv isfv eitheriff a=is decidabletheP infimumA ina of limitedAP, and casesflfp(P)f if [54 theP] or partialexists elsefor order is basedf increasingis on clear • POPL 1992: a least upper bound (lub)h v, hence? > at greatestui lower bound (glb) , = , analysis,1. Introduction Variant function, Verification, Termination. thefrom Floyd the/Turing context.{ idea2 By of| variantTarskiv /Pataria’s functions^ v fixpoint into} 2 well-founded theoremv [50 sets, 58], on a complete lattice A, , a, , , or on a cpo A, , a, = . t u ? t; 3 d h v 0> t ui n+1 h v 1n Floyd/Turing program proof methods for invariance and termina- obtainedlfpav f . by= The observingPfixpointA quantities iteratesa P are thatf (fP strictly) Pa, decreaseexistsn for within: f fincreasing loops= f ( f ), > u; { 2 | v ^ ,v } N 3 A complete partial order (cpo) A, , , is a poset A, such that 1.tion Introduction [24, 40, 59] have inspired most sound static analysis methods. onti a! complete latticen A, , a, , , 28or2 on a cpo A, , a, f , n N f which is lfpav f when a f (a) is a pre-fixpoint and any increasing chain C A suchh that vx,?y tiC : x y yh vix has a least / ⇤ Work3 supportedd2 in part4, by5,6 theh CMACSv NSF0> tExpeditionsuiv in Computingn+1 h awardv n FloydForTuring static programinvariance proofanalysis methods by abstract for invariance interpretation and termina- [19, 21], f .is The continuousfixpoint iterates. If f isare increasingf , a, butn not continuous,N : f = transfinitef ( f ), upper bound (lub) C, hence✓ has an infimum8 2 = v for_ thev empty chain. tiona key[24, step40, 59 is] to have express inspired the most strongest sound invariant static analysis as a fixpoint methods. and 0926166ti! and theF Europeann ARTEMIS Project MBAT. 8 2 t ? t; f iterations, n N mayf which haveis tolfp beav usedf when [22].a f (a) is a pre-fixpoint and 4 , , nextFor staticto approximateinvariance thisanalysis strongest by abstract invariant interpretation to automatically [19, 21 infer], Permission to make2 digital4,5,6 or hard copies of all or partv of this work for personal or f A A is continuous on a poset A if and only if for all classroomf is continuous use is granted without. If f feeis providedincreasing that butcopies not are continuous, not made or distributed transfinite increasing2 7! chains C }(A) such that itsh lub v Ctidoes exist then the lub a keyan abstract step is toinductive express invariant the strongest using invariant the constructive as a fixpoint fixpoint and ap- F 2 t for profititerations1 or commercial may have advantage to be and used that [ copies22]. bear this notice and the full citation f [C] exists and is such that f [C] = f ( C). nextproximation to approximate methods. this strongest invariant to automatically infer on the firstf page.A ToA copyis increasing otherwise,(also to republish,monotone to post, isotone on servers, ...) or on to a redistribute poset A, if t t t 2 7! h vi 5 } X an abstractFor static inductivetermination invariantanalysis, using the the constructive discovery of fixpoint variant ap-func- to lists,and requires only prior if x specific, y A permission:(x y) = and/or( af ( fee.x) f (y)) [36]. (X) or 2 is the powerset of X i.e. the set of all subsets of a set X. 1 8 2 v ) v POPL’12,f2 AAcompleteJanuaryA is 25–27,increasing lattice 2012,A,(also Philadelphia,, monotone, , PA,, , USA.isotoneis a poset, ...) on s. t. a poset any subsetA, hasif a 6 The post-image (or image) of X }(A) by a map f A B is proximationtions is either methods. decidable in limited cases [54] or else is based on 2 7! h v ? > t ui h vi 2 2 7! Copyrightandleast onlyc upper2012 if x ACM, boundy 978-1-4503-1083-3A (lub):(x y,) hence= (/ a12f greatest(/x01.) . . $10.00f (y lower)) [36 bound]. (glb) , = , } theFor Floyd static/Turingtermination idea ofanalysis, variantfunctions the discovery into ofwell-founded variant func- sets 8 2 v ) v f [X] , f (x) x X (B). 2 = t u ? t; { | 2 } 2 tionsobtained is either byobserving decidablequantities in limited that cases strictly [54] decreaseor else is within based loops on A complete. lattice A, , , , , is a poset s. t. any subset has a 3> u; h v ? > t ui the Floyd/Turing idea of variant functions into well-founded sets leastA uppercomplete bound partial (lub) order, hence(cpo) a greatestA, , lower, is bound a poset (glb)A, , such= that, any= increasing. chain Ct A suchh that vx,?y tiC : x y yh uvix?has at; least obtained⇤ Work supported by observing in part quantities by the CMACS thatNSF strictlyExpeditions decrease in within Computing loops award > u; ✓ 8 2 v _ v 245 3 upper bound (lub) C, hence has an infimum = for the empty chain. 0926166 and the European ARTEMIS Project MBAT. A complete partialt order (cpo) A, , , is? a posett; A, such that Permission to make digital or hard copies of all or part of this work for personal or any4 f increasingA chainA is continuousC A suchonh that av posetx,?y tiAC, : x, y ifyh andvix onlyhas ifa least for all ⇤ Work supported in part by the CMACS NSF Expeditions in Computing award classroom use is granted without fee provided that copies are not made or distributed upperincreasing bound2 7! (lub) chainsCC, hence✓ }(A has) such an infimum that8 its2h lub=v Cvtidoesfor_ the existv empty then chain. the lub 0926166 and the European ARTEMIS Project MBAT. t 2 ? tt; for profit or commercial advantage and that copies bear this notice and the full citation 4 f [C] exists and is such that f [C] = f ( C). Permission to make digital or hard copies of all or part of this work for personal or ft A A is continuous ont a poset At, , if and only if for all on the first page. To copy otherwise, to republish, to post on servers or to redistribute 5 2 7! X h v ti classroomto lists, userequires is granted prior specific without permission fee provided and that/or copies a fee. are not made or distributed increasing}(X) or chains 2 is theC powerset}(A) such of X thati.e. the its lubset ofC alldoes subsets exist of then a set theX. lub for profit or commercial advantage and that copies bear this notice and the full citation 2 t POPL’12, January 25–27, 2012, Philadelphia, PA, USA. f6[TheC] existspost-image and is such(or image that )f [ ofC]X= f ( }C(A).) by a map f A B is on the first page. To copy otherwise, to republish, to post on servers or to redistribute t t 2 t 2 7! Copyright c 2012 ACM 978-1-4503-1083-3/12/01. . . $10.00 5 }f(X[X)] or 2Xfis(x) thex powersetX } of(B).X i.e. the set of all subsets of a set X. to lists, requires prior specific permission and/or a fee. , { | 2 } 2 POPL’12, January 25–27, 2012, Philadelphia, PA, USA. 6 The post-image (or image) of X }(A) by a map f A B is Copyright c 2012 ACM 978-1-4503-1083-3/12/01. . . $10.00 2 2 7! f [X] , f (x) x X }(B). 245 { | 2 } 2

245

N40AI, 2017/01/21, Paris, France 31 © P. Cousot N40AI, 2017/01/21, Paris, France 32 © P. Cousot Hierarchy of semantics 1 Hierarchy of semantics • TCS 2002: • Information and computation 2009:

Constructive Design of a Hierarchy of Semantics of a Transition System Bi-inductive Structural Semantics ı by Abstract Interpretation

Patrick Cousota Patrick Cousot aD´epartement d’Informatique, Ecole´ Normale Sup´erieure, 45 rue d’Ulm, 75230 Paris Département d’informatique, École normale supérieure, 45 rue d’Ulm, 75230 Paris cedex 05, France cedex 05, France, [email protected], http://www.di.ens.fr/~cousot Radhia Cousot

We construct a hierarchy of semantics by successive abstract interpretations. Starting CNRS & École polytechnique, 91128 Palaiseau cedex, France from the maximal trace semantics of a transition system, we derive the big-step seman- tics, termination and nontermination semantics, Plotkin’s natural, Smyth’s demoniac and Hoare’s angelic relational semantics and equivalent nondeterministic denotational se- Abstract mantics (with alternative powerdomains to the Egli-Milner and Smyth constructions), We propose a simple order-theoretic generalization, possibly non monotone, of set- D. Scott’s deterministic denotational semantics, the generalized and Dijkstra’s conser- theoretic inductive definitions. This generalization covers inductive, co-inductive and bi-inductive definitions and is preserved by abstraction. This allows structural vative/liberal predicate transformer semantics, the generalized/total and Hoare’s partial operational semantics to describe simultaneously the finite/terminating and infi- correctness axiomatic semantics and the corresponding proof methods. All the semantics nite/diverging behaviors of programs. This is illustrated on grammars and the are presented in a uniform fixpoint form and the correspondences between these seman- structural bifinitary small/big-step trace/relational/operational semantics of the call-by-value ⁄-calculus (for which co-induction is shown to be inadequate). tics are established through composable Galois connections, each semantics being formally calculated by abstract interpretation of a more concrete one using Kleene and/or Tarski Key words: fixpoint definition, inductive definition, co-inductive definition, fixpoint approximation transfer theorems. bi-inductive definition, non-monotone definition, grammar, structural operational semantics, SOS, trace semantics, relational semantics, small-step semantics, big-step semantics, divergence semantics. Contents N40AI, 2017/01/21, Paris, France 33 © P. Cousot N40AI, 2017/01/21, Paris, France 34 © P. Cousot 1 Introduction 2 1 Introduction 2AbstractionofFixpointSemantics 3 2.1 Fixpoint Semantics ...... 3 The connection between the use of fixpoints in denotational semantics [24] 2.2 Fixpoint Semantics Approximation ...... 4 and the use of rule-based inductive definitions in axiomatic semantics [15] and 2.3 Fixpoint SemanticsParallelism Transfer ...... 5 Parallelism ı This work was done in the INRIA project team Abstraction common to the 2.4 Semantics Abstraction ...... 7 CNRS and the École normale supérieure. 2.5 Fixpoint Semantics Fusion ...... 8 Email addresses: .C ekto ncu .ri@s fsto raP (Patrick Cousot), • POPL 2017: C lh y@ eaR n u e.cdo .fsqitopti rhauo (Radhia Cousot). 2.6 Fixpoint Iterates Reordering ...... 8 URLs: www.di.ens.fr/˜cousot/ (Patrick Cousot), www.enseignement.polytechnique.fr/profs/informatique/Radhia.Cousot/ 3Transition/Small-StepOperationalSemantics 9 (Radhia Cousot).

4FiniteandInfiniteSequences 9 Preprint submittedOgre to Elsevier and Pythia: 28 April 2009 4.1 Sequences ...... 9 An Invariance Proof Method for Weak Consistency Models 4.2 Concatenation of Sequences ...... 10 4.3 Junction of Sequences ...... 10 Jade Alglave Patrick Cousot 5MaximalTraceSemantics 10 University College London New York University, USA Microsoft Research Cambridge, UK emer. Ecole´ Normale Superieure,´ PSL, France ja vm slrlg otof.o@ mccaia , g.vc..jc a klualuela@ so copc iu m s.t n y u@ . e d u , nt se.srcou fo@

cited by 55 cited by 36 cited by 21 Abstract ten by the last previous write (for example due to hardware features We design an invariance proof method for concurrent programs such as store buffers and caches). parameterised by a weak consistency model. The calculational Different consistency semantics styles can be used to describe design of the invariance proof method is by abstract interpretation WCMs. Operational models de
ne abstract machines in which of a truly parallel analytic semantics. This generalises the methods executions of programs are sequences of transitions made to or by Lamport and Owicki-Gries for sequential consistency. We use from formal entities modelling e.g. hardware features such as store cat as an example of language to write consistency speci
cations buffers and caches. Axiomatic models abstract away from such of both concurrent programs and machine architectures. concrete features and describe executions as relations over events modelling e.g. read or write memory accesses, and synchronisation. Categories and Subject Descriptors D.1.3 (Concurrent Program- We abstract our invariance proof method from the analytic ming); D.2.4 (Veri
cation); F.3.1 (Invariants); F.3.2 (Semantics). semantics. Thus our method is parameterised by a WCM. Keywords concurrency, distributed and parallel programming, in- N40AI, 2017/01/21, Paris, France 35 © P. Cousot N40AI,variance, 2017/01/21, veri Paris,
cation, France weak consistency models. 36 2. Overview of the Analytic Semantics © P. Cousot Our analytic semantics describes program executions as their an- archic semantics (process computations without any restriction on 1. Introduction communications), and their communication semantics (restrictions When an ogre (Owicki-GRies Extended) meets a pythia (variable) on communication between processes). To illustrate our analytic classic tales get retold: in this paper we investigate an invariance semantics, we will use the load buffering example lb in Fig. 1. proof method for concurrent (parallel or distributed) algorithms parameterised by weak consistency models. 0: x = 0; y = 0; { } Different program semantics styles can be used to describe con- P0 P1 ; current program executions, for example operational, denotational 1:r[] r1 x 11:r[] r2 y; or axiomatic semantics. We introduce here a new style, that we call 2:w[] y 1 12:w[] x 1 ; analytic; it is more abstract than operational models (Boudol et al. 3: 13: ; 2012) or pomsets (Brookes 2016; Grief 1975)). In this context, we Figure 1: lb algorithm in LISA separate the individual traces of the different processes that consti- tute the program from the communications between processes. In lb, processes P0 and P1 communicate via shared variables x Weak Consistency Models (WCMs) are seen as placing more or and y (initialised to 0 at line 0). Each process reads a variable (x less restrictions on communications. WCMs are now a
xture of at line 1 for P0, and y at line 11 for P1), then writes to the other computing systems: for example Intel x86 or ARM processors, variable (y at line 2 for P0 and x at line 12 for P1). Nvidia graphics cards, programming languages such as C++ or OpenCL, or distributed systems such as Amazon Web Services or 2.1 Anarchic Semantics Microsoft’s Azure. In this context, the execution of a concurrent Fig. 2 gives one of the four anarchic executions of lb. The compu- program can be seen as an interleaving of the individual traces of tations of P0 and P1 are formalised by traces, viz.,
nite or in
nite the different processes that constitute the program, but the commu- sequences of states separated by unique events. nication between processes are unlike what is prescribed by Lam- States and events appear along a trace in the process execution port’s Sequential Consistency (SC) (Lamport 1979). Indeed the order. Events give a semantics to instructions, for example accesses read of a shared variable may read another value than the one writ- to registers or memory locations. States record a process program point, the value of local variables (registers r1 for P0 and r2 for Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed P1) and the value of pythia variables. for profit or commercial advantage and that copies bear this notice and the full citation A pythia variable is the unique name given to the value of a read 1 on the first page. Copyrights for components of this work owned by others than ACM event, e.g. x1 for the read r = 1:r[] r1 x. Our pythia variables must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, x to post on servers or to redistribute to lists, requires prior specific permission and/or a are different from ghost variables; ghost variables compensate for fee. Request permissions from [email protected]. objects that do not exist in the chosen program semantics. POPL’17, January 15–21, 2017, Paris, France The read-from relation rf describes communications between c 2017 ACM. 978-1-4503-4660-3/17/01...$15.00 processes. In Fig. 2, the read r1 takes its value from the write w12 x x http://dx.doi.org/10.1145/3009837.3009883[Copyright notice will appear here once ’preprint’ option is removed.] (so the value 1 is assigned to the pythia variable x1).

3 Industrialization • Very first industrial implementation: The interval analysis was implemented in the AdaWorld compiler for IBM PC 80286 by J.D. Abstract interpretation: Ichbiah and his Alsys SA corporation team in 1980–87. Industrialization

N40AI, 2017/01/21, Paris, France 37 © P. Cousot N40AI, 2017/01/21, Paris, France 38 © P. Cousot

Warm welcome AbsInt Angewandte Informatik GmbH • Real-time software development companies: we • Astrée sold by AbsInt: have to pay for this new option of the ADA compiler, but: • The machine code size is significantly reduced → we cannot sell as much memory as we did before; • Many bugs are found at compile time → we make less money with our debugging services.

N40AI, 2017/01/21, Paris, France 39 © P. Cousot N40AI, 2017/01/21, Paris, France 40 © P. Cousot Abstract interpretation based static analyzers

• Ait www.absint.com/ait/, StackAnalyzer www.absint.com/ stackanalyzer from AbSint

• Polyspace static analysis www.mathworks.com/products/ polyspace.html • Julia (Java) www.juliasoft.com Abstract interpretation: • Ikos, NASA ti.arc.nasa.gov/opensource/ikos/

• Clousot for code contract, Microsoft, github.com/Microsoft/ CodeContracts Prospective

• Infer (Facebook) http://fbinfer.com

• Zoncolan (Facebook)

• Google

• …

N40AI, 2017/01/21, Paris, France 41 © P. Cousot N40AI, 2017/01/21, Paris, France 42 © P. Cousot

The future is hard to predict The future is hard to predict • From my thesis in 1978: • From “30 years of Abstract Interpretation”:

computer, economical and biological systems Programming Abstract interpretation – The evolution of programming languages and program- – Beyond programming, abstraction is the only way to ming assistance systems has greatly helped to consid- apprehend complex systems erably speed up the development and scale up the size – Therefore, the scope of application of abstract inter- of conceivable programs pretation ideas is large – Software quality remains much far beyond, essentially – Over 30 years, abstract interpretation theory, prac- because it is anti-economical tice and achievements have grown despite trends and – ... untilthenextcatastrophy,evolutionofthestan- evanescent applications dards, revolution of the customers, or new laws holding – Hopefully, abstract interpretation will continue to be computer scientists accountable for bugs useful in the future sequential and parallel programs San Francisco, Jan. 9, 2008 —73— ©P.Cousot San Francisco, Jan. 9, 2008 —75— ©P.Cousot

Formal methods – Formal methods might then become profitable at every stage of program design – The winners, if any, will definitely have to scale up,at areasonablecost THE END – Up to now, research has mainly concentrated on easy avenues with short-term rewards Many thanks to all of you who contributed to abstract interpretation! – Small groups cannot make it, large groups fail to share common interests – There is still a long long way to go

San Francisco, Jan. 9, 2008 —74— ©P.Cousot San Francisco, Jan. 9, 2008 —75— ©P.Cousot

N40AI, 2017/01/21, Paris, France 43 © P. Cousot N40AI, 2017/01/21, Paris, France 44 © P. Cousot The future is hard to predict Hopes (10 years) • From the Dagstuhl Seminar “Formal Methods — • Complex data structures (libraries like for Just a Euro-Science?” in December 2010: numerical domains)

• More properties: • Program security • Security (not dynamically checkable) • ... • Parallel & distributed systems, weak consistency • More systems and tools: models • Parallel and distributed systems, • Cyber-physical (continuous+discrete) • Biological, financial, ... • Better practices: • Verification from design to implementation

N40AI, 2017/01/21, Paris, France 45 © P. Cousot N40AI, 2017/01/21, Paris, France 46 © P. Cousot

Dreams (40 years) Dreams (40 years) 1. The semantics is specified structurally and 4. The design of static analyzers is computer- compositionally assisted by automatic composition of certified public-domain modules for: 2. The abstraction is specified by composition of Galois connections • Abstract domains POPL 2014: • Syntax and semantics to fixpoint equations A Galois Connection Calculus for Abstract Interpretation⇤ Patrick Cousot Radhia Cousot CIMS⇤⇤, NYU, USA [email protected] CNRS Emeritus, ENS, France s [email protected] rfru • Parallel/distributed fixpoint solvers (direct or Abstract We introduce a Galois connection calculus for language independent 3. Basic GC semantics Basic GCs are primitive abstractions of specification of abstract interpretations used in programming language semantics, properties. Classical examples are the identity abstraction 1[ , formal verification, and static analysis. This Galois connection calculus and its type Q . Q S hC with convergence acceleration) system are typed by abstract interpretation. ] , , , , the top abstraction [ , vi hC vi P . P !! hC vi S > hC 3. TheCategories and calculational Subject Descriptors D.2.4 [Software/Program Verificationdesign] of the Q .abstract J General Terms Algorithms, Languages, Reliability, Security, Theory, Verification. , ] , , > , , the join abstraction [C] vi K> hC vi P . hC vi S J[ Keywords Abstract Interpretation, Galois connection, Static Analysis, Verification. !} > }(}(C)), }(C), with ↵}(P ) P , }(Q) In Abstract , } , , interpreter1. Galois connections in Abstract is Interpretation supported hbyK libraries✓i ! ↵ h ✓i and toolsJ K • User-interface automatic design interpretation [3, 4, 6, 7] concrete properties (for example (e.g.) }(Q), the complement abstraction [C] , }(SC), ¬ of computations) are related to abstract properties (e.g. types). The S ¬ h ✓i ! ¬ }(C), , the finite/infinite sequence abstraction [C] , abstract properties are always sound approximations of the con- h ◆i S 1 1 J K crete properties (abstract proofs/static analyzes are always correct }(C1), }(C), with ↵1(P ) , i P i h ✓i ↵ 1 h ✓i { | 2 ^ 2 in the concrete) and are sometimes complete (proofs/analyzes of ! J K 4. All modular and compositionaldom() and 1(Q) , C1 i dom():i Q , the • Automatic fixing of errors abstract properties can all be done in the abstract only). E.g. types } { 2 | 8 2 2 } transformer abstraction [C1,C2] , }(C1 C2), are sound but incomplete [2] while abstract semantics are usually S h ⇥ ✓i ↵ ! complete [9]. The concrete domain , and abstract domain }(C1) [ }(C2), ˙ mapping relations to join-preserving hC vi h ! ✓i , 4 of properties are posets (partial orders being interpreted as transformers with ↵ (R)J X . yK x X : x, y R , N40AI, 2017/01/21,hA Paris,i France 47 , { | 9 2 h i2 } © P. Cousot N40AI, 2017/01/21, Paris, France 48 © P. Cousot implication). When concrete properties all have a 4-most precise (g) , x, y y g( x ) , the function abstraction abstraction, the correspondence is a Galois connection (GC) , {h i | 2 { } } 7! hC [C1,C2] , }(C1 C2), }(C1) }(C2), , with abstraction ↵ and concretiza- S 7! h 7! ✓i ↵ 7! h 7! vi ↵ hA 4i 2 C 7! A ! ! ˙ with ↵7!(P ) X . f(x) f P x X , 7!(g) tion satisfying P : Q : ↵(x) 4 y ✓i , { | 2 ^ 2 } , x (2y)A( 7!expressesC soundness8 2 andC 8 best2 A abstraction). Each, fJ C1 KC2 X }(C1): x X : f(x) g(X) , v ) ( { 2 7! | 8 2 8 2 2 ⇥ } adjoint ↵/ uniquely determines the other /↵.AGalois retrac- the cartesian abstraction [I,C] , }(I C), S ⇥ h 7! ✓i ↵ tion (or insertion) has ↵ onto, so is one-to-one, and ↵ is the !⇥ identity. E.g. the interval abstraction [3, 4] of the power set }(C) I }(C), ˙ with ↵⇥(X) , i I . x C f I h 7! ✓i J K2 { 2 | 9 2 7! of complete -totally ordered sets C , is I[ C, C : f[i x] X , ⇥(Y ) , f i I : f(i) Y (i) , and I 2 } { | 8 2 2 }  [ {1 1} S h  the pointwise extension ˙ of to I, etc. , , ] , }(C), I(C , , ), with ✓ ✓ I i 1 1 h ✓i ↵ !! h [{1 1}  J i 4. Galois connector semantics Galois connectors build a GC ↵I(X) [min X, max X], min , max , I([a, b]) , ; , 1 ; , 1 from GCs provided as parameters. Unary Galois connectors in- x CK a x b , intervals I(C , F, ) , { 2 |   } S [ {1 1}  , clude the reduction connector R[ , , 4 ] , [a, b] a C b C a b [ , ] , S hC vi ! ↵ hA i { | 2 [ {1} ^ 2 [ {1} ^  } [ { 1 1 } , ↵(P ) P , and the pointwise connec- and inclusion [a, b] [c, d] c a b d.AGalois isomor- ↵ 4 , J K hC vi !! h{ | 2 C} i ⇢ ⇢  ^  J . K phism , , has both ↵ and bijective. E.g. global tor X C, A, 4 , X C, ˙ ↵ 4 ↵ ⇢ . ↵ ⇢ hC ✓i !! hA i S h vi ! h i h 7! vi ! and local invariants areF isomorphic by the right image abstraction ˙ ˙ ˙ y X A, 4 for the pointwise orderings and 4. Binary Ga- ˙ h 7! i v 1 y[L, ] , }(L ), L }( ), with lois connectorsJ _ include the compositionK connector , S M h ⇥M ✓i ↵ y !! h 7! M ✓i S hC ✓i ↵1 y y 2 ! ↵ (P ) , ` . m `,m P , (Q) , `,m m 1, 2, 3, 1, = 2, , b ↵ 4 , ( b ? J ˙K { | h i2 } {h i | 2 hA i hA vi 2 hA i hA i hA vi hC Q(`) , and is the pointwise extension of inclusion . 1 2 ! J 3, ⌦ (where ⌦ is a static error), the prod- } ✓ ✓ ↵ ↵ 4 : ) GC ✓i 2 1 hA i 2. Equivalent formalizations of -based Abstract Interpre- !# 1 K 2 , , uct connector 1, 1, * 2, b 2, tation GCs ↵ 4 are Galois retracts of/Galois iso- S hC ✓i ↵1 hA vi hC i ↵2 hA hC vi hA i !1 2 ! ! ⇥ morphic to numerous equivalent mathematical structures [6] such 4 , 1 2, b 1 2, 4 (gen- ↵ ↵ as join-preserving maps (↵), meet-preserving maps (), upper- i hC ⇥ C J ✓⇥ i 1 ⇥ !2 hA ⇥ A v⇥ i eralizing to tuples), the higher-order functional connector 1, closures ( ↵), Moore families ( (Q) Q ), Sierpi´nski 1 2 S hC { | 2 A} K 1, = 2, 4 2, 6 , 1 2, topologies [5]( (Q) Q where is unique complemen- ✓i ↵1 hA vi ) hC i ↵2 hA i hC ! C {¬ | 2 A} ¬ ! g . 2 g ↵1 ! 1 principal downset families J tation in the concrete domain , if any), 4˙ 1 2, 6˙ for increasing maps and C f . ↵ f ( v(Q) Q where vx y y x ), maximal i 2 !1 Z hA !1 A i K , ˙ ˙ convex{# congruences| 2 A}( P # ↵(P{)=2 C|↵((Qv)) } Q , pointwise orderings and 6. {{ 2 C| }| 2 A} v soundness relations (also called abstraction relation, logical rela- 5. Galois connection calculus The GC calculus G (to specify tion, or tensor product, ↵ 4 = P, Q ↵(P ) 4 Q = P, verifiers/analyzers compositionally) is x,... X for program 1 {h i | } {h 2 Q P (Q) = where f x, f(x) x variables, `,... L for labels, e E for elements e ::= true i | v } v ⌘ {h i | 2 2 2 | dom(f) , r r0 = x, z y : x, y r y, z r0 ), 1 x ` e ..., s S for sets s ::= B Z X L } {h #i | 9 h i2 ^h i2 } | 1 | | | | 2 | | | | and, for powersets = }(C), = }(A), polarities of rela- e [e, e] I(s, o) s1 s s s s s s }(s) ..., C # A tions ((Q)= x C y Q : R(x, y) where R = x, o{ }|O for| partial orders| o| ::=[ | 7! | ⇥ | | = # { 2 | 8 2 } {h 21 ) | , |  | ✓ | | | y x ( y ) ). o o1 o2 o˙ o¨ ..., p P for posets p ::= s, o , and i | 2 { } } g G| for⇥GCs|g ::=| 1|[p] [2p, e] I[p, e, e] [s,h s] i [s] ⇤ See the auxiliary materials. ⇤⇤ Work supported in part by the CMACS NSF award 0926166. > y F [ Permission to make digital or hard copies of part or all of this work for personal or classroom use 2[s] [s] [s, s] [|s, s] [|s, s] ... | R[g] s| g | is granted without fee provided that copies are not made or distributed for profit or commercial ¬ | 1 | | 7! | ⇥ | | | | advantage and that copies bear this notice and the full citation on the first page. Copyrights for third- g g g * g g = g .... The semantics of interval sets is party components of this work must be honored. For all other uses, contact the owner/author(s). | | ) | POPL ’14, January 22–24, 2014, San Diego, CA, USA. Copyright is held by the owner/author(s). I(C, ) ( C C ? [a, b] a, b C : !) where ! S 4 , 4 ✓ ⇥ { 4 | 2 } _ ACM 978-1-4503-2544-8/14/01. http://dx.doi.org/10.1145/2535838.2537850 is# a dynamic error (maybeZ not detectable by typing). J K The End

N40AI, 2017/01/21, Paris, France 49 © P. Cousot