CMACS Workshop on Systems Biology and Formals Methods (SBFM'12) Abstractions of Dora Maar by Picasso
A casual introduction to Abstract Interpretation
NYU, 29–30 March 2012 Patrick Cousot cs.nyu.edu/~pcousot di.ens.fr/~cousot
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 1 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 3 © P. Cousot
Pixelation of a photo by Jay Maisel
Examples of Abstractions
www.petapixel.com/2011/06/23/how-much-pixelation-is-needed-before-a-photo-becomes-transformed/ P. Cousot & R. Cousot. A gentle introduction to formal verification of computer systems by abstract interpretation. In Logics and Languages for Reliability and Security, J. Esparza, O. Grumberg, & Image credit: Photograph by Jay Maisel M. Broy (Eds), NATO Science Series III: Computer and Systems Sciences, © IOS Press, 2010, Pages 1—29.
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 2 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 4 © P. Cousot II.P. Combination of abstract domains Abstract interpretation-based tools usually use several di�erent abstract domains, since the design of a complex one is best decomposed into a combination of simpler abstract domains. Here are a few abstract 2 An old idea... domain examples used inNumerical the Astree´ static abstractions analyzer: in Astrée y y y 20 000 years old picture in a spanish cave: x x x
Collecting semantics:1, 5 Intervals:20 Simple congruences:24 partial traces x [a, b] x a[b] ⌃ ⌅ y y y t x x
The concrete is not always well-known! Octagons:25 Ellipses:26 Exponentials:27 x y a x2 + by2 axy d abt y(t) abt ± ± ⇥ � ⇥ � ⇥ ⇥ CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 5 © P. Cousot NFM 2012 — 4th NASA Formal Methods Symposium — Norfolk, VA, April 3–5, 2012 7 © P Cousot Such abstract domains (and more) are described in more details in Sects. III.H–III.I. The following classic abstract domains, however, are not used in Astree´ because they are either too imprecise, not scalable, di⌅cult to implement correctly (for instance, soundness may be an issue in the event of floating-point rounding), or out of scope (determining program properties which are usually of no interest Abstractions of a man / crowd to prove the specification): y y y ... x x x Height Individual heights A slightly more detailled Polyhedra:9 Signs:7 Linear congruences:28 too costly too imprecise out of scope Fingerprint ... example Because abstract domains do not use a uniform machine representation of the information they manip- ulate, combining them is not completely trivial. The conjunction of abstract program properties has to be performed, ideally, by a reduced product 7 for Galois connection abstractions. In absence of a Galois connec- Eye color min, max tion or for performance reasons, the conjunction is performed using an easily computable but not optimal over-approximation of this combination of abstract domains. Assume that we have designed several abstract domains and compute lfp� F D ,...,lfp� F D 1 ⌃ 1 n ⌃ n in these abstract domains D1,...,Dn, relative to a collecting semantics t I. The combination of these DNA , C analyses is sound as t I �1(lfp� F1) �n(lfp� Fn). However, only combining the analysis results is CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 6 © P. Cousot CMACS Workshop Con Systems Biology⇧ and Formals Methods (SBFM'12),� ··· NYU,� 29–30 March 2012 8 © P. Cousot not very precise, as it does not permit analyses to improve each other duringJ theK computation. Consider, for instance, that intervalJ andK parity analyses find respectively that x [0, 100] and x is odd at some iteration. Combining the results would enable the interval analysis to continue⌃ with the interval x [1, 99] and, e.g., avoid a useless widening. This is not possible with analyses carried out independently. ⌃ Combining the analyses by a reduced product, the proof becomes “let F ( x ,...,x ) ⇥( F (x ),..., 1 n⌦ � 1 1 Fn(xn ) and r1,...,rn =lfp� F in t I �1(r1) �n(rn)” where ⇥ performs the reduction between abstract⌦ domains. For example⌦ ⇥( [0,C100], odd⇧ )= �[1···, 99]�, odd . ⌦ ⌦ J K 10 of 38
American Institute of Aeronautics and Astronautics Set of functions abstraction A less precise abstraction
fi(t) f(t)
i=4
i=3
i=2 i=1 i=0
t t
How to approximate { f1, f 2, f 3, f 4 } ?
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 9 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 11 © P. Cousot
Set of functions abstraction Concrete questions answeredon the fi in the abstract
f(t) f(t) l h
∃ i, t ∈ [l,h] : fi(t) > M ? M
m t t ∃ i, t ∈ [l, h]: fi(t) < m ? No
Min/max questions on the fi CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 10 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 12 © P. Cousot Concrete questions answered in the abstract A more precise/refined abstraction
f(t) l h f(t)
i, t ∈ [l,h]: fi(t) > M ? I don’t know M ∃
m t t ∃ i, t ∈ [l,h] : fi(t) < m ? No
Min/max questions on the fi CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 13 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 15 © P. Cousot
Soundness of the abstraction An even more precise/refined abstraction • No concrete case is ever forgotten: f(t) f(t)
t t
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 14 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 16 © P. Cousot Passing to the limit The hierarchy of abstractions
f(t)
t Sound and complete abstraction for min/max questions on the fi CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 17 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 19 © P. Cousot
A non-comparable abstraction
f(t) Elements of Abstract Interpretation Theory Explained with ... Flowers
Patrick Cousot & Radhia Cousot. Static Determination of Dynamic Properties of Programs. In B. Robinet, editor, Proceedings of the second international symposium on Programming, Paris, France, pages 106—130, April 13-15 1976, Dunod, Paris. t Patrick Cousot, Radhia Cousot: Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. POPL 1977: 238-252 Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 Patrick Cousot. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique des programmes. Thèse És Sciences Sound and incomplete abstraction for min/max questions on Mathématiques, Université Joseph Fourier, Grenoble, France, 21 March 1978 Patrick Cousot. Semantic foundations of program analysis. In S.S. Muchnick & N.D. Jones, editors, Program Flow Analysis: Theory and Applications, Ch. 10, pages 303—342, Prentice- the fi Hall, Inc., Englewood Cliffs, New Jersey, U.S.A., 1981. CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 1811 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 20 © P. Cousot A mini graphical language • Objects o ∈ O Elements of Abstract • Operations on objects On O, n ≥ 0 Interpretation Theory • Logical operations on objects On Booleans, n ≥ 0 Explained with ... Flowers
Patrick Cousot & Radhia Cousot. Static Determination of Dynamic Properties of Programs. In B. Robinet, editor, Proceedings of the second international symposium on Programming, Paris, France, pages 106—130, April 13-15 1976, Dunod, Paris.
Patrick Cousot, Radhia Cousot: Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. POPL 1977: 238-252
Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 Patrick Cousot. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique des programmes. Thèse És Sciences Mathématiques, Université Joseph Fourier, Grenoble, France, 21 March 1978 Patrick Cousot. Semantic foundations of program analysis. In S.S. Muchnick & N.D. Jones, editors, Program Flow Analysis: Theory and Applications, Ch. 10, pages 303—342, Prentice- Hall, Inc., Englewood Cliffs, New Jersey, U.S.A., 1981.
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 21 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 23 © P. Cousot
Objects • An object o ∈ O is defined by • An origin (a reference point ) • A set of (infinitely small) black pixels (on a white The concrete world background) • Example I of object:
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 22 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 24 © P. Cousot An example II of object: a flower Constant objects • A petal is an example of constant object
petal =
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 25 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 27 © P. Cousot
Logical operations on objects Operation on objects: rotation • rotation Inclusion ⊆ • r[a](o)
Examples: rotates the object o clockwise by angle a degrees • around its origin
a
⊆ ⊆ ⊆ ⊆ o r[a](o)
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 26 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 28 © P. Cousot Example I of rotation Operation on objects: add a stem • Add a stem stem(o) adds a stem to object o (up to the origin of object o, with new origin at the root of the stem) petal = r[45](petal) =
o = stem(o) =
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 29 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 31 © P. Cousot
Example II of rotation Operation on objects: union
• The union o1 U o2 of objects o1 and o2 is the superposition of the pixels of o1 and o2 at their origins
• Example: flower = r[-45](flower) =
o1 = o2 = o1Uo2 =
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 30 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 32 © P. Cousot Example: corolla Building a corolla iteratively
• corolla = petal U r[45](petal) U r[90](petal) U r[135](petal) U r[180](petal) U r[225](petal) U r[270](petal) U r[315](petal) F0 F1 F2 F3 F4
F5 F6 F7 F8 Fn, n≥8
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 33 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 35 © P. Cousot
flower Corolla transformer
• F(X) = r[45]X U petal corolla = • Example: • X =
flower = stem(corolla) = • r[45]X =
• r[45]X U petal =
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 34 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 36 © P. Cousot Iterates of a transformer to a fixpoint Concrete bouquet bouquet = r[-45](flower) U flower U r[45](flower) • The iterates Fn, n≥0, of F from the empty set ∅ are • F0 = ∅ F1 = F(F0) F2 = F(F1) … Fn+1 = F(Fn) … n Fω = Un≥0 F = lfp F (assuming F continuous) • Least fixpoint: F(lfp F) = lfp F, and F(x)=x implies lfp F ⊆ x
Patrick Cousot & Radhia Cousot. Constructive versions of Tarski's fixed point theorems. In Pacific Journal of Mathematics, Vol. 82, No. 1, 1979, pp. 43—57.
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 37 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 39 © P. Cousot
Fixpoint corolla • F(X) = r[45]X U petal
• corolla = lfp F = The abstract world • Proof:Building the iterates a corolla areiteratively
F0 F1 F2 F3 F4
F5 F6 F7 F8 Fn, n≥8
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 34 © P. Cousot 38 40 Over-approximation Abstraction • An over-approximation of an object o is an object o • An abstraction of an object o is a mathematical/ with computer representation of an over-approximation of this object o • same origin • The abstraction is sometimes exact else is a strict • more pixels over-approximation • Examples abstraction by plain squares (I) • The dual is an under-approximation, with less pixels exact
strict over-approximation
(I) Patrick Cousot. Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique des programmes. Thèse És Sciences Mathématiques, Université Joseph Fourier, Grenoble, France, 21 March 1978 Patrick Cousot. Semantic foundations of program analysis. In S.S. Muchnick & N.D. Jones, editors, Program Flow Analysis: Theory and Applications, Ch. 10, pages 303—342, Prentice- Hall, Inc., Englewood Cliffs, New Jersey, U.S.A., 1981.
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 41 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 43 © P. Cousot
Examples of over-approximations of flowers Examples of abstractions of flowers • Encode a concrete over-approximation by its outline
⊆ ⊆ m m
concrete abstract more abstract
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 42 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 44 © P. Cousot Abstraction function
• The abstraction function α ∈ O O maps concrete objects o ∈ O to their approximation by an abstract object α(o) ∈ O A Touch of Abstract • Example I of abstraction function by plain squares: Interpretation Theory o α(o) α exact α approximate α
Patrick Cousot, Radhia Cousot: Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. POPL 1977: 238-252 Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 Patrick Cousot, Radhia Cousot, Laurent Mauborgne: The Reduced Product of Abstract Domains and the Combination of Decision Procedures. FOSSACS 2011: 456-472 CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 45 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 47 © P. Cousot
Abstract domain Example II of abstraction function • An abstract domain is • a set of abstract objects O (abstracting concrete objects) • a set of abstract operations (abstracting the concrete operations) On O, n ≥ 0 • a set of logical abstract operations On Booleans, n ≥ 0
Outlining brush:
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 46 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 48 © P. Cousot Example III of abstraction function Concretization function • A concretization function γ ∈ O O maps an ab- stract object o ∈ O to the concrete objects γ(o) ∈ O that is represents/approximates • γ(o) is the concrete meaning/semantics of o
Outlining brush of infinite diameter Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 Patrick Cousot, Radhia Cousot, Laurent Mauborgne: The Reduced Product of Abstract Domains and the Combination of Decision Procedures. FOSSACS 2011: 456-472 CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 49 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 51 © P. Cousot
The hierarchy of abstractions Example of concretization • Larger brush diameter: more abstract • Different brush shapes: may be non-comparable abstractions
γ o γ(o) Oval outlining brush:
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 50 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 52 © P. Cousot Abstract logical operation: abstract inclusion Galois connection 2/4 • The abstract flower inclusion is defined as • γ is increasing o1 m o2 if and only if γ(o1) ⊆ γ(o2) • Proof: by definition of m, o1 m o2 implies γ(o1) ⊆ γ(o2) • Example:
m since ⊆ m implies
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 53 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 55 © P. Cousot
Galois connection 1/4 Galois connection 3/4 • α is increasing • For all concrete objects x ∈ O, x ⊆ γ o α(x) • Intuition: soudness (over-approximation)
⊆ implies m
The larger the concrete, the larger the abstract
Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 flower α( flower ) γ(α( flower )) Patrick Cousot, Radhia Cousot, Laurent Mauborgne: The Reduced Product of Abstract Domains and the Combination of Decision Procedures. FOSSACS 2011: 456-472 CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 54 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 56 © P. Cousot Local views Local views
R Y1 l. Set of reachableR Y1 chemical speciesu R l l. Galois connection 4/4 Example of biologicalu abstractionR r Galoisl connexion R Y1 r Let = {Ri} be a setGalois ofGalois rules. connexion connexionGalois connexion R R Y1 u E For all abstract objects y ∈ O, α o (y) = y Let Species be the set of all chemical species (C, cr1,c10 ,...,ck,ck0 ,... Speciesl ). • γ • Let Local_view be the set of all local views. 2 Let Species0 be the set of initial . u E Let LocalLocal__viewviewbebe the the set set ofr of all all local local views. views. l r. E • We write: Let Local_view be the set ofE all local views. Intuition: α returns the most precise abstraction Let ↵ }(Species) }(Local_view) be the function that maps any set of • c ,...,cGalois connexionc ,...,c r. E • Let ↵↵ 2}}((SpeciesSpecies)) }}(Local(Local1 _view_viewm) be) Rbek the1 the0 function functionn0 that that maps maps any any set setof of complexes22 intoLocal the set views ofE their local views. complexes into into the the setLet set ofGalois of↵ their their} local(Species local views. views.connexion) }(Local_view) be the function that maps any set of whenever: ! 2 • Let Local_viewcomplexes! be the set into of all the! local↵ set({ views.R( ofY1 their⇠u, locall!1), views.E(r!1)}) = {R(Y1⇠u,l!r.E); E(r!l.R)}. The1. setthere}(Local is an_ embeddingview!) is a complete of the lhs lattice. of R in the solution c ,...,c ; The set set}R}((LocalLocalY1 __viewview) )isis a a complete complete lattice. lattice.!k 1 m LetTheLocal function_view↵ isbe a the-complete set of all morphism. locall.R views. The function ↵uis a -complete morphism. The2. functiontheLetl (embedding/rule)↵↵ is↵}({( aSpeciesTheR([-completeY1 set)⇠ producesu,}(l!1}Local( morphism.Local), E(Jérôme_ the_viewviewr!1 Feret solution))})beis = a the {c completeR(10 ,...,c functionY1⇠n0u,. lattice.thatl!r.E maps); E( 22 anyr!l.R set)}. of January 2012 2 [ r [ R Y1 Thus, it definescomplexes a Galois intoThe the function connexion: set of their↵ is local a -complete views. morphism. LetThus,We↵ are it defines interested}(Species a Galois in) Species connexion:}(Localu ! _theEview set) [ ofbe all the chemical function species that maps that any can setbe of Thus, it2r definesJérôme Feret a Galoisl connexion:! 22 January 2012 complexesconstructed into in one} the or set several of their applications local� views. of rules in starting from the set The set (Local_r.viewE ) is a� complete lattice. R SpeciesE of initial chemicalThus,}(Species it species. defines)--�-- a Galois}(Local connexion:_view). 0The function ↵}!(isSpecies a -complete) ----↵} morphism.(Local_view). }(Species[ ) ↵---- }(Local_view). The set }(Local_view) is a complete↵ lattice. � ↵({R(Y1⇠Thus,u,l!1),↵E( itr!1 defines)}) = {R( aY1 Galois⇠u,l!r.E connexion:) ; E( r!l.R)}. }(Species) -- }(Local_view). The(We functiondo not careis about a -complete the number morphism.! of! occurrences of each-- chemical↵ species). • (The(The function function��mapsmaps[ a a set set of of local local views views into into the the set set of complexes of complexes that that can can Jérôme Feret 22! January 2012� Jérôme(The Feret function � maps a set of local views 20 into the set of complexes that January can 2012 • Thus,bebe built built it with withdefines these these a local Galois local views). views). connexion:}(Species) ---- }(Local_view ). be built with these local views). ↵ ! JérômeJérôme Feret Feret(The function � 23maps 23 a set of local views into January the 2012 January set 2012 of complexes that can flower (flower) ( flower)) Jérôme Feret. Reachability Analysis of Biological Signalling Pathways by Abstract Interpretation. In� Proceedings of the International Conference of Computational Methods in Sciences and Engineering γ α γ( (ICCMSE'2007),Jérôme Feret Corfu, Greece, 25--30 september, T.E.be Simos(Ed.), built}( Species2007, withAmerican Institute these) of Physics-- 23 localconference}(!Local proceedings views). _963.(2),view pp 619--622.). January 2012 Vincent Danos, Jérôme Feret,(The Walter Fontana function, Jean Krivine�: Abstractmaps Interpretation a setof Cellular of-- Signalling local↵ Networks. views VMCAI 2008 into: 83-97 the set of complexes that can CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 57 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 59 © P. Cousot be built withJérôme these Feret local views). 23 January 2012 ! (The functionJérôme Feret� maps a set of local views 23 into the set of complexes that January can 2012 Galois connection: all in one beSpecification built with these local views). of abstract operations Jérôme Feret 23 January 2012 cte =D (cte) constant Notation: • α • D γ op1(x) = α(op1(γ(x))) unary
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 61 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 63 © P. Cousot
Abstract rotation Abstract stems • Abstract rotation • stem(y) =D α(stem(γ(y))) D r[a](o) = α(r[a](γ(o))) definition = α(γ(r[a](o))) rotation preserves shape • Example: = r[a](o) identity • Example: a a
o γ(o) r[a](γ(o)) α(r[a](γ(o))) corolla γ(corolla) stem(γ(corolla)) α(stem(γ(corolla))) CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 62 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 64 © P. Cousot Abstract union Abstract bouquet (cont’d) • x + y =D α(γ(x) U γ(y))
α U U • Join abstraction theorem: ( ) α(x) + α(y) = α(x U y) Galois connection = α( )
=
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 65 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 67 © P. Cousot
Abstract bouquet (cont’d) A theorem on abstract bouquets • bouquet = r[-45](flower) + flower + r[45](flower) • bouquet = r[-45](flower) + flower + r[45](flower) = = + + flower = α(flower) = r[-45](α(flower)) + α(flower) + r[45](α(flower)) rotation commutation theorem = α(r[-45](flower)) + α(flower) + α(r[45](flower)) = α γ U γ U γ (( ) ( ) ( )) join abstraction theorem = α(r[-45](flower) U flower U r[45](flower)) = α definition concrete bouquet ( U U ) = α(bouquet) CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 66 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 68 © P. Cousot ↵t(T) T ⌃+ P , 6, 0, 1, , , \ hP _ ^i t + P ↵ (T) , T ⌃ P P, 6=, 0, 61, P, \ J K ShP lfp F_ ^i P t + + P = 6 P ↵ (⌧ 1 P ) = ⌧ 1 PJ K FS P Plfp FP, increasing (or continuous) J K 2 ! J K ↵t ⌧+ P = ⌧+ P x ( 1y ) 1 F PP P P, increasing (or continuous) � J K J K S J K 62 P! J K 6 t x + yy lfp F P P t + ↵ (T) T ⌃ >P , 6, 0, 1, , S P P6 ↵ (T) T ⌃ P , \ � J K J K , , 0, 1, , hP _ ^i , J K 6 , hP 6 _ ^i J K \ I 6: F P (I) I I P t P + x y S P = lfp6F P lfp F P P6 6 P ↵ (T) , T ⌃ P = J>K P, 6=, 0, 16, ,P ,9 6 ^ \ J K ) AbstractShP lfp corollaF_ ^i transformer Example, J K ofJ biologicalK transformer ↵t ⌧+ P = ⌧+ P I : F P (I) I I P t P+ + ( 1 ) 1 S P = lfp6F P F P P P, increasing (or continuous), , , 6, , 6 ↵ (⌧ 1 P ) = ⌧ 1 P J K = • CorollaF transformerP P commutationP, increasingJ K 2 theorem:! (orJ continuous)K • Concrete,9hA rule:vAbstractJ ?K rules> t ^ui ) J K 2 ! J K AbstractJ K rules t + x+ y () α(F(x)) ↵ (⌧ 1 P ) = ⌧ 1 P • P S P P x y � J K J K F P P, increasing6 (or continuous) R r ,r R, , R, r ,r R rk S JPK 62 P! J K J K P J K↵(P) � J K J K = (petal U r[45](x)) definition F r r r r ↵ α J K 6 R hA2 PvR ? >R 2tAuiR x y x > y () lfp F P 6 P x y lfpS 6PF6P P6 P, Abstract rule: � > � J K J K = ,α(petal)J K+ α(r[45](x)) J joinK abstraction theorem • P ↵#(P) rk P Y1 I F I I I P Y1 : ( ) Y1 R J K 6 6 Y1 , R R , = ↵ 6 PP R 6 # ,9 ^ . p 2 P ↵ 2 A . x y = petallfp I+ : FF(r[45]((xI)))P I I P p � �� u Y1 α 6 6 6 u Y1 Y1 l R r > definitionJ K abstract petal l hY1P l R ir l Rhr A vi = ) ; ,9, ^ R r �� �!� p u r. . p . J K J K u r. r. l E r l r. R l E r R l r ) = petal I+ :r[45](F Pα((Ix))) 6 I I, 6,P , , , r rotation commut. theorem , , r. J K r. r. E = ,9 , , , , h,^A v ? > t ui r. 6E R () ! JJ KK RP : �↵ ��Q : ↵(P) Q P 6 �(Q) ) hA v ? > t ui Jérôme FerethP i �� 27 �! hA vi January 2012 () ; = F(α(x)), , , , , ↵ 8 2 P 8 2 A v , ↵rk J K P (P) Jérôme Feret 27 January 2012 rk byPhA definingv ? ↵F((yP>) )= tpetalui 2+ Pr[45](y) 2 A ↵ () ! � P : Q : ↵(P) Q P 6 �(Q) ↵ 2 P 2 A Jérôme Feret. Reachability AnalysisF of Biological Signalling Pathways by Abstract Interpretation. In Proceedings of the International Conference of Computational Methods in Sciences and Engineering A (ICCMSE'2007), Corfu, Greece, 825--30 september, T.E.2 Simos(Ed.),P 2007, American 8Institute of Physics conference2 proceedingsA 963.(2), pp 619--622. v , rk P ↵�(P) , , Vincent Danos, Jérôme Feret, Walter Fontana2, Jean KrivineA: Abstract Interpretation! of CellularA Signalling Networks. VMCAI 2008: 83-97 ↵ CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 6 � ↵ �� 69 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 71 © P. Cousot ; 2, 6P 2 Ah,P i �� �! hA vi ↵ hP i ��↵ �� hA vi F ; ↵AG , �� �! , ↵ P� : ↵ F(P) F ↵(P) ! 6 �↵ �� P : Q : (P) Q P 6 2(QA) ! A� � ; hPPAbstracti ��: �!Qh Atransformer8vi: 2↵(PP) 8 Q2 AP �(Qv) , 8 Fixpoint2 P abstractionv ! 8 2 P 8 2 A v , 6 ↵ v An abstractP transformer: Q F :is↵(P) Q P �(Q) For an increasingP and: ↵ soundF (abstractP) transformer,F ↵(P )we ! ↵A f1G f2 • 8 2 P 8 2 A v , 6 • P : ↵ � F(P) = F � ↵(P) ↵ v F 2 A ! A have a8 fixpoint2 Papproximation� v � A • Sound iff2 A ! A 8 2 P ↵A ↵G v F ↵ f1 f2 2 A !↵A ↵ ↵P 6 : ↵ Fv(P) = F ↵(P) G v P : � F(P) F � (P) (lfp F) �lfp F � v rk 8 2 P v 8 2 P v ↵G f1 f2 P : ↵ � F(P) F � ↵(P) v v ↵ }(⌃ ⌃) (⌃ •OComplete) 8 2 iffP v f1 f2 2 ⇥ 7! 67! P : ↵ F(P) = F ↵(P) • For an↵ (lfp increasing,6 F) sound,lfpv andF complete abstract v v rk 8 2 P � � ↵(lfp F) = lfpvF f1 f2 ↵ (r)rks 0 when s0 ⌃ : s,Ps0 : ↵r F(P) = F ↵(P) transformer, we havev an exact fixpoint abstraction v ↵ , }(⌃ ⌃) (⌃ ) 8 2 P< � � rk 8 2 O h↵ 6i v ↵ }(⌃ rk⌃) (⌃2 O) ⇥ rk 7! 67! (lfp F) lfp F 6 rk 2 ↵⇥rk (r)7!s 67! sup ↵ (r)s0 + 1 s0 ↵(lfp⌃6:F)sv, lfps0vF r ↵(lfp F) = lfpvF ↵ }(⌃ rk⌃) (⌃ O↵) (r)s , 0 when s0 ⌃ : s, s0 < vr rk2 ↵⇥ (r)7!s , 67!0 when s0, ⌃ : s, s0 < r 9 2 6 h i2 ^ rk ↵ }(⌃ ⌃) (⌃ O) 8 2 h i 8 2 h↵(lfp iF) = lfpvF rk ↵ (r)s 20 whenrk⇥ 7!s0 ⌃67!: rks,rks0 < r rk s0 ⌃ : s, s0 6 r = s0 dom(↵ (r)) rk , ↵ (r)s sup ↵ (r)s0 + 1 s0 n⌃ : s, s0 r � ↵(lfp F) = lfpvF ↵ ↵ 0 + Patrick Cousot, Radhia 0Cousot: Abstract Interpretation:⌃ A Unified Lattice, Model for Static0 Analysis of Programs by Construction or Approximation of Fixpoints. POPL 1977: 238-252 ↵ (r)s 0 when 8, s20 ⌃h: (sr, )sis0 < r sup (r)s 1 s : s s r Patrick Cousot, Radhia Cousot: Systematic Design of Program Analysis Frameworks. POPL 1979: 269-282 rk , rk , 9 2 h 8i22 ^ Patrick� Cousot,h Radhia Cousot: Systematici2 Design of Program Analysis Frameworks.) POPL 1979: 269-282 2 ↵ ↵ 0 +8 2 0 h ⌃ i , 0 CMACS Workshop� 9 on Systems Biologyrk2 and Formals Methods (SBFM'12),h NYU, 29–30 Marchi2 2012 ^ 70 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 72 © P. Cousot (rrk)s , sup (rkr)s 1 s : s s r rk ↵ (r)s sup ↵ (r)s0 + 19 nks20 : ⌫⌃(shx:0,sy,)⌃si2�0=: sk,r,^sx0 yr = 2ks=0 0dom, k (↵ 0(r)) o , 9 2 8 h2 �i2h ^ni2 rk)s0 2⌃�: >s, s0 r = s0 dom(↵ (r)) n s0 ⌃�: 9s, s0 r = � s0 dom� (↵�rk8(r)) 2 � h i2 ) 2 kn: ⌫(8x, ys2)0 = �k⌃,�h:x s,ysi20 2kr=)=0, k >s020 dom(↵ (r)) � o k : ⌫(x, y) = k, x9 y 28k =20, k�khk�=0:⌫�⌫i2((xx,,yy)))= k,2x y 2ko= 0, k > 0 o 9 k : ⌫(x, y) = k,�x �y 2k = 0,9k> 0 � � o 9 k =�⌫(x�, y) > k = ⌫(x, y) + + k = ⌫(x, y) + k↵+⇥=( ⌫⌧(x1, yP) ) = ⌧ 1 P ↵⇥( ⌧ 1 P ) = ⌧ 1 P + + { } { } ↵⇥( ⌧ 1 +P ) = ⌧ 1+ P ↵ ( ⌧ 1 P ) = ⌧ 1 P + + {⇥ } ↵⇥( ⌧ 1 P ) = ⌧ 1 P { } J K J{ K J K} J K J KJ K J JK K J K J K
258 258 258
258
258 Set of reachable chemical species Set of reachable chemical species Let = {R } be a set of rules. R i Let Species be the set of all chemical species (C, c ,c0 ,...,c ,c0 ,... Species). 1 1 k k 2 InductiveLet = {RiLet} beSpecies definitiona set of0 rules.be the set of initial . R Let SpeciesWebe write:the set of all chemical species (C, c1,c0 ,...,ck,c0 ,... Species). Inductive1 k definition2 Abstract corolla ExampleLet ofSpecies biological0 be the set of fixpoint initial . c1,...,cm Rk c10 ,...,cn0 We define the mapping FWeas write: follows: whenever: corolla = (corolla) = (lfp⊆ F) = lfpm F Concrete reachability transformer: c ,...,c c ,...,c • α α • 1 m Rk 10 !n0 1. there is an embedding of the lhs of Rk in the solution c1,...,cm; }(Specieswhenever:) }(Species) since F(x) = petal U r[45](x) We define the mapping as follows:c ,...,c : 2. theR (embedding/rule),c ,...,c! producesFX, the solution 10 n0 . F 8 1. there is an embeddingk of1 the lhsm of Rk in the solution c1,...,cm; X X c0 9 2 R 2 . > ! Wej are interested in Species! the set of all chemical species that can be and F(y) = petal + r[45](y) < 7 [ � c1,...,cm Rk c10 ,...,cn0 ✏ c ,...,c 2. the (embedding/rule)constructed� in one produces or several the solution applications10 of rulesn0 . in starting from the set � R Reachable> speciesWe ! arefrom interestedSpecies0 inofSpecies} initial(Species chemical! the set species. of) all chemical}(Species species that) can be do commute: α(F(x)) = F(α(x)) • :> � The set }(SpeciesAbstract) is aconstructed complete counterpart lattice. in one� or several! applications to F of rules in starting from the set ⊆ R The mapping lfpF is anλ X extensive. Species 0 of-complete ∪(We initial do(:X chemical not8) morphism. care species.about the number of occurrences of each chemicalRk species).,c1,...,cm X, [ F ] X X c0 9 2 R 2 . We define F as: Jérôme Feret> ! 20j January 2012 • Abstract reachability(We do nottransformer care about< the: number of occurrences7 of each[ chemical species).c1,...,cm R c0 ,...,cn0 We define the set of reachable chemical species as follows: � � k 1 ✏ }(Local_viewJérôme) Feret}(Local_view) 20 January 2012 ] n � F : 8 Species = (Species>Rk ) , lvn1,...,lv.m X, ! X ! X F lv0 9> 2 0R N 2 . � > ! j : 2] < The7 set[ �}(Specieslv1,...,lvm ) Rislv10 a,..., completelvn0 ✏ lattice. ! � � k � [ � � Jérôme Feret. Reachability> Analysis of Biological Signalling Pathways by Abstract! Interpretation. In Proceedings of the International Conference of Computational Methods in Sciences and Engineering (ICCMSE'2007), Corfu, Greece,:> 25--30 september, T.E. Simos(Ed.),The 2007, American Institute mapping of Physics conference� proceedings 963.(2),F ppis 619--622.� an extensive -complete morphism. JérômeVincent Feret Danos, Jérôme Feret, Walter Fontana, Jean Krivine: Abstract Interpretation of Cellular Signalling Networks. 21� VMCAI 2008: 83-97 ! January 2012 CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 73 © P. Cousot CMACSWe Workshop have: on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 75 © P. Cousot [ F] is extensive; • F] is monotonic; We define the set of reachable chemical species as follows: • . Iterates for the abstract corolla ] ConvergenceF � � F ; acceleration with widening • � ✓ � F] ↵ = ↵ F � ↵ (we will see later why). n • � � � � Species! = F (Species0) n N . 2 Jérôme Feret 28 January[ 2012 � � F F � Jérôme Feret 21 January 2012 0 1 2 3 4 F F F F F F(x)6x
l fp F l fp F x
Infinite iteration Accelerated iteration with widening F5 F6 F7 F8 Fn, n≥8 (e.g. with a widening based on the derivative as in Newton-Raphson method)
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 74 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 76 © P. Cousot Abstraction of the graphical language Software Any graphical program can be abstracted by replacing • Ait: static analysis of the worst-case execution time of control/command • software (www.absint.com/ait/) the concrete objects/operations by abstract ones • Astrée: proof of absence of runtime errors in embedded synchronous The soundness follows by induction on the syntax of real time control/command software (www.absint.com/astree/), • AstréeA for asynchronous programs (www.astreea.ens.fr/) programs • C Global Surveyor, NASA, static analyzer for flight software of NASA missions (www.cmu.edu/silicon-valley/faculty-staff/venet- arnaud.html) • Checkmate: static analyzer of multi-threaded Java programs (www.pietro.ferrara.name/checkmate/) • CodeContracts Static Checker, Microsoft (msdn.microsoft.com/en-us/ devlabs/dd491992.aspx) • Fluctuat: static analysis of the precision of numerical computations (www- list.cea.fr/labos/gb/LSL/fluctuat/index.html)
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 77 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 79 © P. Cousot
Software • Infer: Static analyzer for C/C++ (monoidics.com/) • Julia: static analyzer for Java and Android programs (www.juliasoft.com/juliasoft-android-java-verification.aspx? Id=201177234649) Applications of Abstract • Predator: static analyzer of C dynamic data structures using separation logic (www.fit.vutbr.cz/research/groups/verifit/tools/predator/) Interpretation in • Te r m i n a t o r : termination proof (www.cs.ucl.ac.uk/staff/p.ohearn/ Invader/Invader/Invader_Home.html) Computer Science • etc Libraries: • Apron numerical domains library (apron.cri.ensmp.fr/library/) • Parma Polyhedral Library (bugseng.com/products/ppl/) See Software Horror Stories (www.cs.tau.ac.il/~nachumd/horror.html) • etc
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 78 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 80 © P. Cousot Hardware • (Generalized) symbolic trajectory evaluation (Intel) Quaternary simulation Example of ternary simulation Intel’s Successes with Formal Methods If some inputs are undefined,It’s theoretically the output convenient often is too, to but generalize not ternary to quaternary always: simulation, introducing an ‘overconstrained’ value T . John Harrison X We can think of each quaternary value as standing for a set of X possible values: Intel Corporation 1 7-input X AND gate X 1 T = 15 March 2012 X {} X 0= 0 { } 1= 1 { } Conclusion X X = 0, 1 X { } X 7-input X 0 0 AND gate X This is essentially a simple case of an abstraction mapping, and we 1 X �������������������������������������������������������������������������� can think of the abstract values partially ordered by information.
16
18
Jin Yang and Carl-Johan H. Seger, Generalized Symbolic Trajectory Evaluation — Abstraction in Action, Formal Methods in Computer-Aided Design, Lecture Notes in Computer Science, 2002, Volume 2517/2002, 70–87.
Jin Yang; Seger, C.-J.H.; Introduction to generalized symbolic trajectory evaluation, IEEE Transactions onVery Large Scale Integration (VLSI) Systems 11(3), June 2003, 345–353.
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 81 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 83 © P. Cousot
System biology Conclusion • See SBFM‘2012 ! If the simulation/analysis/checking of your model does not scale up, consider using (sound (and complete)) abstractions
CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 82 © P. Cousot CMACS Workshop on Systems Biology and Formals Methods (SBFM'12), NYU, 29–30 March 2012 84 © P. Cousot