A Galois Connection Calculus for Abstract Interpretation⇤ Patrick Cousot Radhia Cousot CIMS⇤⇤, NYU, USA [email protected] CNRS Emeritus, ENS, France s [email protected] rfru
Abstract We introduce a Galois connection calculus for language independent 3. Basic GC semantics Basic GCs are primitive abstractions of specification of abstract interpretations used in programming language semantics, properties. Classical examples are the identity abstraction 1[ , formal verification, and static analysis. This Galois connection calculus and its type � Q . Q S hC system are typed by abstract interpretation. ] , , , , the top abstraction [ , vi hC vi �� �� � �P � � �. � �P !�!� � hC vi S > hC Categories and Subject Descriptors D.2.4 [Software/Program Verification] � Q . J General Terms Algorithms, Languages, Reliability, Security, Theory, Verification. , ] , , > , , the join abstraction [C] vi K> hC vi ������� P . hC vi S J[ Keywords Abstract Interpretation, Galois connection, Static Analysis, Verification. ������!�} > }(}(C)), }(C), with ↵}(P ) P , �}(Q) In Abstract , } , , 1. Galois connections in Abstract Interpretation h K ✓i ���! ���↵ h ✓i J K interpretation [3, 4, 6, 7] concrete properties (for example (e.g.) }(Q), the complement abstraction [C] , }(SC), ¬ of computations) are related to abstract properties (e.g. types). The S ¬ h ✓i ��! ��¬ }(C), , the finite/infinite sequence abstraction [C] , abstract properties are always sound approximations of the con- h ◆i � S 1 1 J K crete properties (abstract proofs/static analyzes are always correct }(C1), }(C), with ↵1(P ) , �i � P i h ✓i �↵ �1 �� h ✓i { | 2 ^ 2 in the concrete) and are sometimes complete (proofs/analyzes of �� � �! J K dom(�) and �1(Q) , � C1 i dom(�):�i Q , the abstract properties can all be done in the abstract only). E.g. types } { 2 |8 2 2 }� transformer abstraction [C1,C2] , }(C1 C2), are sound but incomplete [2] while abstract semantics are usually S h ⇥ ✓i �� �↵ � � �! �� complete [9]. The concrete domain , and abstract domain }(C1) [ }(C2), ˙ mapping relations to join-preserving hC vi h �! ✓i , 4 of properties are posets (partial orders being interpreted as transformers with ↵ (R)J � X . yK x X : x, y R , hA i , { |9 2 h i2 } implication). When concrete properties all have a 4-most precise � (g) , x, y y g( x ) , the function abstraction abstraction, the correspondence is a Galois connection (GC) , {h i| 2 { } } �7! � hC [C1,C2] , }(C1 C2), }(C1) }(C2), , with abstraction ↵ and concretiza- S 7! h 7! ✓i �↵ �7! �� h 7! vi ��↵ hA 4i 2C7! A �� � �! ��! ˙ with ↵7!(P ) � X . f(x) f P x X , �7!(g) tion � satisfying P : Q : ↵(x) 4 y ✓i , { | 2 ^ 2 } , x �(2y)A( 7!expressesC soundness8 2 andC 8 best2A abstraction). Each, fJ C1 KC2 X }(C1): x X : f(x) g(X) , v ) ( { 2 7! |8 2 8 2 2 �⇥ } adjoint ↵/� uniquely determines the other �/↵.AGalois retrac- the cartesian abstraction [I,C] , }(I C), S ⇥ h 7! ✓i ↵��� tion (or insertion) has ↵ onto, so � is one-to-one, and ↵ � � is the ���!⇥ identity. E.g. the interval abstraction [3, 4] of the power set }(C) I }(C), ˙ with ↵⇥(X) , � i I . x C f I h 7! ✓i J K2 { 2 |9 2 7! of complete -totally ordered sets C , is I[ C, C : f[i x] X , �⇥(Y ) , f i I : f(i) Y (i) , and I 2 } { |8 2 2 } � [{�1 1} S h the pointwise extension ˙ of to I, etc. , , ] , }(C), I(C , , ), with ✓ ✓ ����I i �1 1 h ✓i �� �↵ !�! h [{�1 1} J i 4. Galois connector semantics Galois connectors build a GC ↵I(X) [min X, max X], min , max , �I([a, b]) , ; , 1 ; , �1 from GCs provided as parameters. Unary Galois connectors in- x CK a x b , intervals I(C , F, ) � , { 2 | } S [{�1 1} , clude the reduction connector R[ , , 4 ] , [a, b] a C b C a b [ , ] , � S hC vi ��! ��↵ hA i { | 2 [{�1}^ 2 [{1}^ }[{1 �1 } , ↵(P ) P , and the pointwise connec- and inclusion [a, b] [c, d] c a b d.AGalois isomor- ↵ 4 , J K hC vi �� ��� !�! h{ �| 2C} i � ⇢ � ⇢ � ^ J . K� phism , , has both ↵ and � bijective. E.g. global tor X C, A, 4 , X C, ˙ ↵ 4 ��↵ �� �⇢ �. �↵ �⇢ �� hC ✓i �� � �!�! � hA i S h vi ��! h i h 7! vi �� � � � �� �! and local invariants areF isomorphic by the right image abstraction ˙ ˙ ˙ �y X A, 4 for the pointwise orderings and 4. Binary Ga- ˙ h 7! i v �1 y[L, ] , }(L ), L }( ), with lois connectorsJ _ include the compositionK connector , S M h ⇥M ✓i �� �↵ � �y � !�!� � h 7! M ✓i S hC ✓i ���↵1 y y �2 ���! ↵ (P ) , � ` . m `, m P , � (Q) , `, m m 1, 2, 3, 1, = 2, , b ↵ 4 , ( b ? J ˙K { |h i2 } {h i| 2 hA � i �hA vi ���2 hA i hA i hA vi hC Q(`) , and is the pointwise extension of inclusion . 1� 2 ���! J 3, ⌦ (where ⌦ is a static error), the prod- } ✓ ✓ ↵ ↵ 4 : ) GC ✓i �����2� 1 hA i � � 2. Equivalent formalizations� of -based Abstract Interpre- �����!# 1 K 2 , , uct connector 1, 1, * 2, b 2, tation GCs ↵ 4 are Galois retracts of/Galois iso- S hC ✓i ���↵1 hA vi hC i ���↵2 hA hC vi �� hA i ���!�1 �2 ���! ��! ⇥ morphic to numerous equivalent mathematical structures [6] such 4 , 1 2, b 1 2, 4 (gen- �↵ � � �↵ �� as join-preserving maps (↵), meet-preserving maps (�), upper- i hC ⇥CJ ✓⇥ i �� �1 �⇥ � �!2 hA ⇥A v⇥ i eralizing to tuples), the higher-order functional connector 1, � � closures (� � ↵), Moore families ( �(Q) Q ), Sierpi´nski 1 2 S hC { | 2A} K 1, = 2, 4 2, 6 , 1 2, topologies [5]( �(Q) Q where is unique complemen- ✓i ���↵1 hA vi ) hC i ���↵2 hA i hC �! C {¬ | 2A} ¬ ���!� g . �2 g ↵1 ���! 1 principal downset families � � J tation in the concrete domain , if any), 4˙ 1 2, 6˙ for increasing maps and C �� �f �. �↵ � �f � �� �� ( v�(Q) Q where vx y y x ), maximal i �� � � � �2 �� �� �!1 Z hA �!1 A i K , ˙ ˙ convex{# congruences| 2A}( P # ↵(P{)=2C|↵(�(Qv)) } Q , pointwise orderings and 6. {{ 2C| }| 2A} v soundness relations (also called abstraction relation, logical rela- 5. Galois connection calculus The GC calculus G (to specify tion, or tensor product, ↵ 4 = P, Q ↵(P ) 4 Q = P, verifiers/analyzers compositionally) is x,... X for program 1 {h i| } {h 2 Q P �(Q) = �� where f x, f(x) x variables, `,... L for labels, e E for elements e ::= true i| v } v ⌘{h i| 2 2 2 | dom(f) , r r0 = x, z y : x, y r y, z r0 ), 1 x ` e ..., s S for sets s ::= B Z X L } {h #i|9 h i2 ^h i2 } |1| | |� | 2 | | | | and, for powersets = }(C), = }(A), polarities of rela- e [e, e] I(s, o) s1 s s s s s s }(s) ..., C # A tions (�(Q)= x C y Q : R(x, y) where R = x, o{ }|O for| partial orders| o| ::=[ | 7! | ⇥ | | = # { 2 |8 2 } {h 21 )|,||✓| | | y x �( y ) ). o� o1 o2 o˙ o¨ ..., p P for posets p ::= s, o , and i| 2 { } } g G| for⇥GCs|g ::=| 1|[p] [2p, e] I[p, e, e] [s,h s] i [s] ⇤ See the auxiliary materials. ⇤⇤ Work supported in part by the CMACS NSF award 0926166. > y F [ Permission to make digital or hard copies of part or all of this work for personal or classroom use 2[s] [s] [s, s] [|s, s] [|s, s] ... | R[g] s| g | is granted without fee provided that copies are not made or distributed for profit or commercial ¬ | 1 | | 7! | ⇥ | | | | advantage and that copies bear this notice and the full citation on the first page. Copyrights for third- g g g * g g = g .... The semantics of interval sets is party components of this work must be honored. For all other uses, contact the owner/author(s). | | ) | POPL ’14, January 22–24, 2014, San Diego, CA, USA. Copyright is held by the owner/author(s). I(C, ) ( C C ? [a, b] a, b C : !) where ! S 4 , 4 ✓ ⇥ { 4 | 2 } _ ACM 978-1-4503-2544-8/14/01. http://dx.doi.org/10.1145/2535838.2537850 is# a dynamic error (maybeZ not detectable by typing). J K 6. Abstraction Papers in semantics, verification, and static Ignoring error propagation, S s1 seq S s , S s1 s2 , 7! , analysis can be understood by extracting the semantic domain S s1 S s2 , S s1 s2 S s1 S s2 , S }(s) P S s . ⇤! ⇥ , ⇤ , and GC which are used. For the interval example [3, 4, p. 247], For orders and posets, O o o, o , , , , = , J K, 2J {K)J, ✓ K } the semantic domain , }(⌃1) is that of (nonempty) sets of ˙ S OJ K , ,...,J K O o¨J , ((OKo )),J andK P Js,K o J, S sK ~ O oJ .K nonempty finite or infinite sequences of states in ⌃ , L ✓ h i ⇥M For GCs, T 1[p] , P p J� KP p , T y[sL,s ] , P(S sL made of a control state in L and a memory state in X �! M , S S S ˙ T S ⇤ M 7! V JFKs ) ~ �! � JsKL PJ Ks ~ J, [sK] , PJ (KP sJ )K~ mapping variables X to a complete total order , (e.g. Z, M ✓ ⇤! M ✓ [ 1 hV i h P S s , T [s] P S s P S s � , 6 or [minint, maxint], 6 ). The static (or collecting) seman- ✓ �! � J~ ✓K ¬J K , J K J~ ✓ �! � K ~J✓ K i h i T [s] P (seq S s ) P S s , T [s1,s2] tics is the reachability abstraction of program properties in }( ) J1 K , J K ~ J �! � K ~J K J K , S S S S✓ S ✓˙ T that is G⇤ [⌃1] [⌃] [L, ] with abstract domain P ( s1 J Ks2 )~ �! J� P Ks1 JPK s2 ~ , J [Ks1,s2] , , [ 1 y ⇤ ✓ ⇤! ✓ 7! ˙ M P (S s1 S s2 ) P S s1 P S s2 ˙ , T [s1,s2] L }( ), . The reduced interval cartesian reachabil- J K ⇤! ~J✓K�! � ⇤! J K ~✓J ⇥ K h 7! M ✓i ⇤ (S s S s ) S s S s ˙ T R[g] ity abstraction is G= R[G⇤ (L ( [X, ] (X , PJ K 1 J K 2 ~ �! J� K 1 JP K 2 ~ J , K , # , # ⇥ ⇤! ✓ ⇤! ✓ I[ , , , ])))] that is the abstraction }(}((VL (X T g J, TK s gJ ,K S s TJg ,...K J K J K � ⇤ hV i �1 1 h ¨⇥ 7! Examples of type errors are T [p, e] E e = err S ))1)), L X I#( _ , ), # where_ J K J K J K ,J( K J K V ✓i ��! ��↵ h 7! 7! V[{�11} i > 6 ^9 2 I y } S, O O : P p = S O E e › S ? P p � P p : err) or ↵(P ) , � ` . smash(� x . ↵ (↵⇥((↵ (↵1(↵ (P ))))(`))(x))) J K 2 J _ K J ~K _^ J K �! I and smash(� x X . [ax,bx]) reduces to � x X . [ , F ] when T [ s, o ,b,t] , (err = E b J › S s K = errJ K err = E t › 2 2 1 �1 h i 6 6 ^ 6 some [ax,bx] is the empty interval [ , ] else to � x X . [ax,bx]. S s ? (P SJs K~ ) �! � (P S Js K~ ) : errJ )K whereJ K› abstracts 1 �1 2 set membership of✓ top/botton elements✓ to the abstracted set. 7. Typing As usual with syntactic definitions, GC expression J K2 J K J K J K semantics may be undefined (i.e. ⌦ or !). This can be fixed for ⌦ JThisK functionalJ K presentationJ isK equivalent to a rule-based sys- g1 P1 P2,g2 P3 P4, P2=P3 by a type system that is an Abstract Interpretation of the properties tem e.g. ` �! � ` �! � ⇠ (where err is not deriv- g g P P }(Gc) of the semantics g Gc of expressions g G belong- 1 2 ` 1 �! � 4 S 2 � 2 g S O S O ,g S O S O ing to the class Gc , , , 4 , are sets able), 1 ` 1 ~ 1 �! � 2 ~ 2 2 ` 3 ~ 3 �! � 4 ~ 4 , Id. for *. ��↵ g = g #S S O˙ S S O˙ {hC vi ��! hA i|C A ^v2 1 ) 2 ` 1⇤! 3 ~ 3 �! � 2⇤! 4 ~ 4 }( ) }( ) ⌦,! . Typing is formalized ⇤ 4 J K For example T G= = P (P (seq(P lab (P var P int)))) C⇥C ^ 2 A⇥A�T}[{ } Gc T Z ¨ ⇤ ⇤! by a GC [2] }( ), /= , where the preorder ~ �! � (P lab P var P P int ~ ) i.e. sets of sets of se- h ✓i ���! ↵���T h ⇠ i ✓ ⇤! ⇤! ✓ T T quences of statesJ are abstractedK to a map of labels to variables to on types is T T0 , � (T) � (T0) so that types T/= are ✓ P ⇠ sets of integers (which includes intervals), ordered pointwise. considered up to the equivalence ⇠= for this preorder (⇠= is = when �T is injective). In absence of a -most precise i.e. principal 10. Type soundness Typable expressions g G (for which P 2T type, hence of a best abstraction ↵T, as e.g. in [15] for the poly- T g = err) cannot go wrong since then g � (T g ) ! P and ⌦6 �T(T g ). However, dynamic errorsS (2 g = !) cannot[{ } hedral abstraction, only one of ↵ or �Pis used [7]. A GC expres- 62 S sion g G has sound types T T such that g �T(T) beJ excludedK (e.g. int does not prevent overflows).J K J K 2 T Gc 2 {S }✓ i.e. g � (T) or ⇢ ( g , T g ) for the soundness rela- 11. PrincipalJ typeK Arbitrary concrete propertiesJ K in }(Gc) may S Gc 2 TS have no best abstraction (e.g. so we add the empty type ?). Yet, tion ⇢ (S, T ) , S � (T ). For GCs, this isJ equivalentK to ; ↵T( g ) T, where2 g is the strongest property (col- by considering only semantic properties P = gi i � of J K J K J K T {S T | 2 } {S } {ST } GC expressions, the principal type is ↵ ( ) ?, ↵ (P ) [T] lecting semantics) of g and ↵ ( g ) is the best abstraction of , , ⇠= {S } ; T g. The type soundness proof is by induction on the structure of the when i � = : T gi = T else ↵ J(PK) , err so J K P J K 8 2 6 ; T ⇠ GC expressions as in [2] (instead of operational subject reduction � T J K }( g g G ), (T ? )/ , (↵ onto). i.e. induction on program computation steps). T ⇠= h {S | 2 } ✓i ��� ����J↵ !�!K h [{ } i 8. Types For elements E E, E ::= var lab bool int 12. Types of types Types , E, S, O, P, T have properties E 2 E | | | | J K T { } P err with � (int) , Z , , � (err) , (E) ⌦,! . , }( ) can be abstracted to types of types T::=? E S O [{�1 1} S [{ } P T T | | | | For sets S S, S ::= P E P S seq S S S P T err by ↵ (P ) , (P = ? ? | P T, T ? T : err). 2 S E| | S | ⇤!S | | | S ; ✓ 2T S S err with � (P E) , }(� (E)), � (P S) , }(� (S)), 13. Static analyzers In static analyzers [1, 12, 14] GCs specify S⇤ | S S � (seq S) , X1 X � (S) , � (S1 S2) , X Y abstract domains modules and Galois connectors their combina- S { | S2 S} ⇤! { 7! | X � (S1) Y � (S2) , � (S1 S2) , X Y X tions by functors. For scalability, rapid convergence acceleration of S2 ^ S 2 S } ⇤ { ⇥ | 2 � (S1) Y � (S2) , � (err) , (S) ⌦,! . infinite fixpoint computations by widening/narrowing abstracting ^ 2 } S [{ } 1 For partial orders O O, O ::= = O� induction and/or their duals for co-induction [3–5] is effective and 2 O )|,||✓| | | more precise than finite abstractions [8]. O?O O˙ ... err with � (O) , O , O , , , , = , | | | { } 2{) , ✓ } Acknowledgments We warmly thank the ACM SIGPLAN Awards Committee for awarding us the false, false , true, true , etc. ) , {h i h i} 2013 Programming Languages Achievement Award and the programming languages community for For posets P P, P ::= S ~ O err with componentwise its support. P2 S | O References concretization � (S ~ O) , � (S) � (O). [1] B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. A static analyzer ⇥ for large safety-critical software. PLDI’03, 196–207. For GCs, T T, T ::= P �! � P S T err with [2] P. Cousot. Types as abstract interpretations. POPL’97, 316–331. T 2 � P| ⇤ | P [3] P. Cousot and R. Cousot. Static determination of dynamic properties of programs. Proc. 2nd Int. Symp. on � (P P0) P P 0 P � (P) P 0 � (P0) Programming, 106–130, Paris, 1976. Dunod. �! � , ��↵ { ��! | 2 � ^ 2 } [4] P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by T ˙ 0 _ ˙ construction or approximation of fixpoints. POPL’77, 238–252. and � (S T) , X , X , 4 X [5] P. Cousot and R. Cousot. Static determination of dynamic properties of recursive procedures. IFIP Conf. on Formal ⇤ {h 7! C vi �� �↵ �! ��0 h 7! A i| 2 Description of Programming Concepts, St-Andrews, N.B., CN, 237–277. North-Holland Pub. Co., 1977. S � T [6] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. POPL’79, 269–282. � (S) , , � (T) . [7] P. Cousot and R. Cousot. Abstract interpretation frameworks. J. Logic and Comp., 2(4):511–547, 1992. ↵ 4 ^hC vi ��! �� hA i2 } [8] P. Cousot and R. Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract _ interpretation. PLILP’92, LNCS 631, 269–295. 9. Type inference The type inference algorithm is E true , [9] P. Cousot and R. Cousot. Inductive definitions, semantics and abstract interpretation. POPL’92, 83–94. [10] P. Cousot and R. Cousot. Temporal abstract interpretation. POPL’00, 12–25. bool,...,E e , ( E e = bool E e = int ? E e : err). [11] P. Cousot and R. Cousot. Systematic design of program transformation frameworks by abstract interpretation. � _ POPL’02, 178–190. For sets S B ,P bool,...,S e ,( E e = err ? JP EKe : [12] P. Cousot and R. Cousot. An abstract interpretation-based framework for software watermarking. POPL’04, { } 6 173–185. err),...,SJs1 K s2 ,J(errK = S s1 =J KS s2 = errJ?K S s1 : [13] P. Cousot and R. Cousot. An abstract interpretation framework for termination. POPL’12, 245–258. [ 6 ⇠ 6 [14] P. Cousot, R. Cousot, and F. Logozzo. A parametric segmentation functor for fully automatic and scalable array err content analysis. POPL’11, 105–118. ) (note theJ approximationK thatJ s1 Kand s2JmustK have equivalentJ K [15] P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. POPL’78, types as forJ alternativesK of conditionalsJ K in functionalJ K languages).J K 84–96.