‟Next 40 years of Abstract Interpretation”

Abstract Interpretation – 40 years back + some years ahead

N40AI 2017 January 21st, 2017 Paris, France Patrick Cousot

[email protected]@yu.e1du cs.nyu.edu/~pcousot

N40AI, 2017/01/21, Paris, France 1 © P. Cousot Abstract interpretation: origin (abridged)

N40AI, 2017/01/21, Paris, France 2 © P. Cousot Before starting (1972-73): formal syntax • Radhia Rezig: works on precedence parsing (R.W. Floyd, N. Wirth and H. Weber, etc.) for Algol 68 ➡ P r e - p r o c e s s i n g ( by s t a t i c a n a l y s i s a n d transformation) of the grammar before building the bottom-up parser • Patrick Cousot: works on context-free grammar parsing (J. Earley and F. De Remer) ➡ P r e - p r o c e s s i n g ( by s t a t i c a n a l y s i s a n d transformation) of the grammar before building the top-down parser

• Radhia Rezig. Application de la méthode de précédence totale à l’analyse d’Algol 68, Master thesis, Université Joseph Fourier, Grenoble, France, September 1972. • Patrick Cousot. Un analyseur syntaxique pour grammaires hors contexte ascendant sélectif et général. In Congrès AFCET 72, Brochure 1, pages 106-130, Grenoble, France, 6-9 November 1972. N40AI, 2017/01/21, Paris, France 3 © P. Cousot Before starting (1972-73): formal semantics • Patrick Cousot: works on the operational semantics of programming languages and the derivation of implementations from the formal definition

➡ Static analysis of the formal definition and transformation to get the implementation by “pre- evaluation” (similar to the more recent “partial evaluation”)

• Patrick Cousot. Définition interprétative et implantation de languages de programmation. Thèse de Docteur Ingénieur en Informatique, Université Joseph Fourier, Grenoble, France, 14 Décembre 1974 (submitted in 1973 but defended after finishing military service with J.D. Ichbiah at CII).

N40AI, 2017/01/21, Paris, France 4 © P. Cousot Vision (1973)

Intervals ➞

Assertions ➞

Static analysis ➞

N40AI, 2017/01/21, Paris, France 5 © P. Cousot An important encounter • I do my military service as a scientist with Jean Ichbiah • Work on the revision of LIS (ancestor of Green → ADA) • Will always be a very strong support on our work

N40AI, 2017/01/21, Paris, France 6 © P. Cousot 1973: Dijkstra’s handmade proofs • Radhia Rezig: attends Marktoberdorf summer school, July 25–Aug. 4, 1973 ➡ Dijkstra shows program proofs (inventing elegant backward invariants)

➡ Radhia has the idea of automatically inferring the invariants by a backward calculus to determine intervals

N40AI, 2017/01/21, Paris, France 7 © P. Cousot 1974: origin • Radhia Rezig shows her interval analysis ideas to Patrick Cousot ➡ Patrick very critical on going backwards from [-∞, +∞] and claims that going forward would be much better ➡ Patrick also very skeptical on forward termination for loops • Radhia comes back with the idea of extrapolating bounds to ±∞ for the forward analysis • We discover widening = induction in the abstract and that the idea is very general

N40AI, 2017/01/21, Paris, France 8 © P. Cousot Notes of Radhia Rezig on forward iteration from ☐ = ⊥(1) versus backward iteration from [-∞, +∞] (2)

(1) i.e. forward least fixed point (2) i.e. backward greatest fixed point

N40AI, 2017/01/21, Paris, France 9 © P. Cousot First seminar in Grenoble: a warm welcome • “Not all functions are increasing, for example, sin” • “This is woolly” (fumeux) • “This will have applications in hundred years”

N40AI, 2017/01/21, Paris, France 10 © P. Cousot The IRIA-SESORI contract (1975–76) • The project evaluator (Bernard Lohro) points us to the literature on constant propagation in data flow analysis (Kildall thesis). • It appears that it is completely related to some of ours ideas, but a.o. - We are not syntactic (as in boolean DFA) - We have no need for some hypotheses (e.g. distributivity not even satisfied by constant propagation!) - We have no restriction to finite lattices (or ACC) - We have no need of an a-posteriori proof of correctness (e.g. with respect to the MOP as in DFA) - ...

N40AI, 2017/01/21, Paris, France 11 © P. Cousot The IRIA-SESORI contract (1975-76) • New general ideas - The formal notions of abstraction/approximation - The formal notion of abstract induction (widening) to handle infiniteness and/or complexity - The systematic correct design with respect to a formal semantics - ...

N40AI, 2017/01/21, Paris, France 12 © P. Cousot The IRIA-SESORI contract (1975-76) • The first contract report:

N40AI, 2017/01/21, Paris, France 13 © P. Cousot

The first reports (1975)

3I}Ti\ilTIIO 3I}Ti\ilTIIO NOIJ\DICITEA NOIJ\DICITEA JO f,IIVIS

s'fl{vluv s'fl{vluv c0 c0 sgrrul@ud sgrrul@ud sdrt

Pue Pue JCISrp3 JCISrp3 {f,rrlBd JOSfp3 JOSfp3 TqPeU TqPeU €

s/6T s/6T 5Z 5Z er$E^oN 'trtl

30 30 ruoddvu 3H3U3HC3U

The first abstract The first research interpreter with report widening (Nov. 1975) (as of 23 Sep. 1975)

N40AI, 2017/01/21, Paris, France 14 © P. Cousot The first publication (1976) • The first publication (ISOP II, Apr. 76)

cited by 551

N40AI, 2017/01/21, Paris, France 15 © P. Cousot Maturation (1976 – 77): from an algorithmic to an algebraic point of view • Narrowing, duality • Transition systems, traces • Fixpoints, chaotic/asynchronous iterations, approximation • Abstraction, formalized by Galois connections, closure operators, Moore families, ...; • Numeric and symbolic abstract domains, combinations of abstract domains • Recursive procedures, relational analyses, heap analysis • etc.

N40AI, 2017/01/21, Paris, France 16 © P. Cousot A Visitor • Hi, I am Steve Warshall • The theorem? • Yes • Steve Schuman told me you are doing interesting work • … • You should publish in Principles of Programming Languages.

• Stephen Warshall. A theorem on Boolean matrices. Journal of the ACM, 9(1):11–12 , January 1962.

N40AI, 2017/01/21, Paris, France 17 © P. Cousot POPL’77 FDPC’77 POPL’79

On this page: dual, Galois connections, conjugate and Topology, higher-order closure operators, Moore inversion:lfp/gfp wp/sp fixpoints, operational/ families, ideals,... (i.e. pre/post) wp/sp)˜ ˜ summary/... analysis

Cited by 6381 Cited by 225 Cited by 1638

N40AI, 2017/01/21, Paris, France 18 © P. Cousot And a bit of mathematics…

PA.IFIC'?:lTii HEMATI.S ::',''ffi

CONSTRUCTIVEVERSIONS OF TARSKI'S FIXED POINT THEOREMS

P,q.rnrcN Cousor l.No RlpnlA Cousor

Let F be a monotone operator on the complete lattice Z into itself. Tarski's lattice theoretical fixed point theorern states that the set of fixed points of l' is a nonempty cornplete lattice for the ordering of Z. We give a constructive proof of this theorern showing that the set of fixed points of .F is the image of L by a lower and an upper preclosure operator. These preclosure operators are the composition of lower and upper closure operators which are defined by means of limits of stationary transfinite iteration sequencesfor ,F. In the same wey we give a constructive characterization of the set of common fixed points of a family of commuting operators. Finally we examine some consequencesof additional semi- continuity hypotheses.

1. Introduction. LetL(s:, L,T,U, |-l) beanonempty complete g, Lutt'ice with parti,al ordering least upper bound, u , greatest lower bound, ft. The i,nf,munL I of tr is f-lL, the supremum T of L is UL. (Birkhoff's standard referenee book I3l provides the necessary background materiai.) Set inclusion, union and intersection are respectively denoted by e , U and f-l . Let tr be a monotone operator on L(e, L, T, U, fl) into itself (i.e., YX, Y e L, {X =Y) - {F(X) e lr(y)}). The fundamental theorem of Tarski [19] states that the set fp(F) of f,red"poi,ntsof f'(i.e., fp(F): {Xe L:X: f'(X)}) is a nonempty complete iattice with ordering e . The proof of this theorem is based on the definition of the least fixed point tfp(F) of lI by Lfp(F) : g n{Xe L:F(X) X}. The least upper bounclof S c fe@) in fp(F) ASYNCHRONOUSITERATIVE METHODS is the least fixed point of the restriction of f'to the completelattice FORSOLVING A FIXED POINTSYSTEM OF MONOTONE {X e L: ( u S1 q 11. An application of the duality principte completes EQUATIONSIN A COMPLETILATTICE the proof. Patri ck Cousot

This deflnition is not constructive and many appiications of R.R. B8 lanl- omlrno LYI I Tarski's theorem (specially in computer science (Cousot [5]) and numerical analysis (Amann Iz])) use the alternative characterization of lfp(F) as U {tr"(-r ): i e N}. This iteration schemewhich originates from Kleene [tO]'s first recursion theorem and which was used by Tarski [fl] for complete morphisms, has the drawback to require the additional assumptionthat F is semi-conti,nuous(F(US) : U,F'(S) 'increas'ing l for every nonempty ch,ai,tt,S, see e.g., Kolodner [ff]). RAFPORT DE REGT-!ERCHE l

I cited by 208 cited by 31 cited by 42

N40AI, 2017/01/21, Paris, France 19 © P. Cousot On submitting to POPL • For POPL’77, we submit (on Aug. 12, 1976) copies of a two-hands written manuscript of 100 pages. The paper is accepted !

N40AI, 2017/01/21, Paris, France 20 © P. Cousot On abstracting: transition system Reachability semantics is an abstraction of the relational semantics (in PC’s thesis, 21 march 1978 also § 3 of POPL’79)

i.e. pre i.e. post transformer

fixpoint reflexive transitive closure

abstract transformer concrete transformer

fixpoint ... backward reachability Fixpoint abstraction under commutativity forward reachability with abstraction h iterative fixpoint computation N40AI, 2017/01/21, Paris, France 21 © P. Cousot

tel-00288657, version 1 - 18 Jun 2008 21 On convincing ... • During PC’s thesis defense, it was suggested that abstraction/approximation is useless since computers are finite and executions are timed-out (so, the second part of the thesis on fixpoint approximation/ widening/narrowing/... is superfluous!) • Fortunately we do not listen (otherwise we would have invented enumeration methods that fail to scale) • On the contrary, in 1978, during a seminar at Harvard (1), G. Birkhoff appears interested, according to his questions & feedback, in the effective computational aspects of lattice fixpoint theory

(1) invited by Ed. Clarke. N40AI, 2017/01/21, Paris, France 22 © P. Cousot The principles (1977–79) are lasting • Define the semantics (operational, denotational, axiomatic, ...) of the programming language (as a ... / trace semantics / transition system / transformers / ...) • Define the strongest property of interest (also called the collecting semantics) • Express this collecting semantics in fixpoint (constraint, rule- based,…) form • Define the abstraction/concretization compositionally (by composition of elementary abstractions and abstraction constructors/functors) • Design the abstract proof / analysis semantics by calculus using [structural] abstraction i.e. abstract domain + abstract fixpoint • Combine abstractions (e.g. reduced product)

N40AI, 2017/01/21, Paris, France 23 © P. Cousot Abstract interpretation: Research takes time

N40AI, 2017/01/21, Paris, France 24 © P. Cousot Typing • Type checking and inference is an abstract interpretation:

N40AI, 2017/01/21, Paris, France 25 © P. Cousot Typing

• POPL 1997: Types as Abstract Interpretations (invited paper)

Patrick Cousot LIENS, Ecole´ Normale Sup´erieure 45, rue d’Ulm 75230 Paris cedex 05 (France) [email protected], http://www.ens.fr/~cousot

Abstract cern, and their correctness can be verified with respect to a Starting from a denotational semantics of the eager untyped given type system; this process guarantees that type checkers lambda-calculus with explicit runtime errors, the standard satisfy the language definition.” [2]. Abstract interpreta- collecting semantics is defined as specifying the strongest tion allows viewing all these different aspects in the more program properties. By a first abstraction, a new sound unifying framework of semantic approximation. Formaliza- type collecting semantics is derived in compositional fix- tion of program analysis and type systems within the same point form. Then by successive (semi-dual) Galois con- abstract interpretation framework should lead to a better nection based abstractions, type systems and/or type in- understanding of the relationship between these seemingly ference algorithms are designed as abstract semantics or different approaches to program correctness and optimiza- abstract interpreters approximating the type collecting se- tion. mantics. This leads to a hierarchy of type systems, which 2Syntax is part of the lattice of abstract interpretations of the un- The syntax of the untyped eager lambda calculus is: typed lambda-calculus. This hierarchy includes two new `alaChurch/Currypolytypesystems.Abstractionsofthis x, f,... :programvariables polytype semantics lead to classical Milner/Mycroft and ∈ e :programexpressions Damas/Milner polymorphic type schemes, Church/Curry ∈ monotypes and Hindley principal typing algorithm. This e ::= x x e e1(e2) f x e shows that types are abstract interpretations. | · | | · · | 1 e1 e2 (e1 ? e2 : e3) 1Introduction | − | The leading idea of abstract interpretation [6, 7, 9, 12] is x e is the lambda abstraction and e1(e2)theapplication. In · f x e,thefunctionf with formal parameter x is de- that program semantics, proof and static analysis methods · · have common structures which can be exhibited by abstrac- fined recursively. (e1 ? e2 : e3) is the test for zero. tion of the structure of run-time computations. This leads 3DenotationalSemantics to an organization of the more or less approximate or refined The semantic domain is defined by the following equations semantics into a lattice of abstract interpretations. This uni- [20]: fying point of view allows for a synthetic understanding of awiderangeofworksfromtheoreticalsemanticalspecifica- =△ ω wrong tions to practical static analysis algorithms. { } z integers It will be shown that this point of view can be applied to ∈ type theory, in particular to type soundness and `alaCurry u, f, ϕ ∼= [ ] values type inference which, following [17, 29], have been dominat- ∈ ⊥ ⊕ ⊥ ⊕ %→ ⊥ R =△ environments ing research themes in programming languages during the ∈ %→ last two decades, at least for functional programming lan- φ =△ semantic domain guages [1, 19, 31]. Traditionally the design of a type system ∈ %→ “involves defining the notion of type error for a given lan- where ω is the wrong value, denotes non-termination, D guage, formalizing the type system by a set of type rules, is the lift of domain D (with⊥ up injection ( ) D D⊥ ↑ • ∈ %→ ⊥ and verifying that program execution of well-typed programs and partial down injection ( ) D D), D1 D2 is ↓ • ∈ ⊥ %−↛ ⊕ cannot produce type errors. This process, if successful, guar- the coalesced sum of domains D1 and D2 (with left and antees the type-soundness of a language as a whole. Type- right injections :: D1 D1 D1 D2 and :: D2 checking algorithms can then be developed as a separate con- • ∈ %→ ⊕ • ∈ D2 D1 D2), Ω =△ (ω):: and [D1 D2]isthe %→ ⊕ ↑ ⊥ %→ Permission to make digital/hard copies of all or part of this material for domain of continuous, -strict, Ω-strict functions from D1 personnal or classroom use is granted without fee provided that the copies ⊥ are not made or distributed for profit or commercial advantage, the copy- into D2. is the computational ordering on and is the right notice, the title of the publication and its date appear, and notice is ⊑ ) given that copyright is by permission of the ACM, Inc. To copy otherwise, least upper bound (lub) of increasing chains. to republish, to post on servers or to redistribute to lists, requires specific In the metalanguage for defining the denotational seman- permission and/or fee. POPL 97, Paris, France tics below, Λx. ... or Λx S. ... is the lambda abstraction. c 1997 ACM 0-89791-853-3/96/01 ..$3.50 (... ? ...... ? ...... ∈ )istheconditionalexpression. ⃝ | |

316

N40AI, 2017/01/21, Paris, France 26 © P. Cousot Probabilistic static analysis

N40AI, 2017/01/21, Paris, France 27 © P. Cousot Probabilistic static analysis • ESOP 2012: Probabilistic Abstract Interpretation

Patrick Cousot and Michael Monerau

Courant Institute, NYU and École Normale Supérieure, France

Abstract. Abstract interpretation has been widely used for verifying properties of computer systems. Here, we present a way to extend this framework to the case of probabilistic systems. The probabilistic abstraction framework that we propose allows us to systematically lift any classical analysis or verification method to the probabilistic setting by separating in the program semantics the probabilistic behavior from the (non-)deterministic behavior. This sep- aration provides new insights for designing novel probabilistic static analyses and verification methods. We define the concrete probabilistic semantics and propose di↵erent ways to abstract them. We provide examples illustrating the expressiveness and e↵ectiveness of our approach.

1 Introduction As programs get larger and larger, it has become untractable to verify their properties and/or N40AI,correctness 2017/01/21, Paris, France by hand or testing. Formal methods 28 have thus been developed in order to be © P. Cousot able to verify program properties automatically, at least in part. One of them is abstract interpretation which has proved successful both in solving hard problems and scaling up nicely. When probabilities come into play, the verification of program properties is even more dicult. Our work precisely tackles this issue, that is verifying properties of probabilistic programs. We propose a formal, general and modular framework, extending the classical abstract interpretation framework to take probabilities into account, allowing for crafting of new analyses, as well as lifting of existing non-probabilistic analyses to the probabilistic setting. Probabilities come into play because of program randomness (such as calls to a random number generator rand()) and input randomness (for which a distribution may be known). Usually, all this randomness is forgotten for non-determinism. It is sound but loses a lot of information. So our goal here is to use hypotheses on randomness to be able to infer more precise probabilistic program properties. The goals of having probabilistic static analyses are various, let alone the fact that we can actually verify some probabilistic properties on the program. A couple of more original examples of interesting applications are to enable compilers to gain access to more useful in- formation to decide register allocations or cache/scratchpad allocations, or to provide useful information about branching for Just In Time compilers without having to do any profiling or execution, among many other applications. There is a lot of work on probabilistic program construction and verification meth- ods [13,15,19,23], probabilistic model-checking [11], probabilistic abstract model-checking [2,27,29], probabilistic abstract interpretation [21,25,28], with, in the case of model-checking and abstract interpretation, existing applications to biological pathways [1,3,18]. One of our objectives is to unify and generalize these frameworks.

2 The abstract interpretation framework Abstract interpretation is a theory of approximation. Applied to semantics of computer pro- grams, it allows oneself for generic design of static analyses [5]. Termination

N40AI, 2017/01/21, Paris, France 29 © P. Cousot An Abstract Interpretation Framework for Termination Termination Patrick Cousot Radhia Cousot CNRS, École Normale Supérieure, and INRIA, France CNRS, École Normale Supérieure, and INRIA, France Courant Institute ⇤, NYU, USA c u otfsen.s@or r • POPL 2012: c sot@o n .feu p coss, o t@cu m s .ny .i edu u Abstract Proof, verification and analysis methods for termination while remaining lower-bounded, or dually. So most termination all rely on two induction principles: (1) a variant function or induction on analysis methods indirectly reduce to a relational invariance anal- data ensuring progress towards the end and (2) some form of induction ysis hence can reuse classical static analysis methods. An Abstract Interpretationon Framework the program structure. for Termination The abstract interpretation design principle is instantiated with The abstract interpretation design principle is first illustrated for the suitable abstractions for safety and termination analysis, proof, An Abstract Interpretation Frameworkdesign of new forward and for backward Termination proof, verification and analysis Patrick Cousot methods for safety. The safetyRadhia collecting Cousot semantics defining the strongest and checking/verification (either potential termination or definite safety property of programs is first expressed in a constructive fixpoint termination for nondeterministic systems). CNRS, École NormalePatrick Supérieure, Cousot and INRIA, France form. SafetyCNRS, proof École and Normale checkingRadhia/ Supérieure,verification Cousot methods and INRIA, then Franceimmediately The first main idea for termination is that there exists a most CNRS, École NormaleCourant Institute Supérieure,⇤, NYU, and INRIA, USA France followCNRS, by fixpoint École induction. Normale Staticc Supérieure,u ot analysis and offsen.s@or r abstract INRIA, safety France properties precise variant function that can be expressed in fixpoint form by such as invariance are constructively designed by fixpoint abstraction c Courantsot@o n Institute.feu p cos⇤,s, NYU, o t@cu USAm s .ny .i edu u abstract interpretation of a termination collecting semantics itself (or approximation) to (automatically)c u ot inferfsen.s@or r safety properties. So far, no c sot@o n .feu p coss, o t@cu m s .ny .i edu u abstracting the program operational trace semantics. This yields Abstract Proof, verification and analysis methods for termination such clearwhile design remaining principle lower-bounded, did exist for termination or dually. so So that most the existing termination new static analysis methods automatically inferring abstractions all rely on two induction principles: (1) a variant function or induction on approachesanalysis are methods scattered andindirectly largely reduce not comparable to a relational with each invariance other. anal- Proof, verification and analysis methods for termination whileFor (1), remaining we show that lower-bounded, this design principle or dually. applies So equally most well termination to po- of that variant function by the constructive fixpoint approximation Abstractdata ensuring progress towards the end and (2) some form of induction ysis hence can reuse classical static analysis methods. all rely on two induction principles: (1) a variant function or induction on tentialanalysis and definite methods termination indirectly. The reduce trace-based to a relational termination invariance collecting anal- methods of abstract interpretation. on the program structure. The abstract interpretation design principle is instantiated with data ensuring progress towards the end and (2) some form of induction semanticsysis hence is given can reusea fixpoint classical definition. static Its analysis abstraction methods. yields a fixpoint The second main idea introduced in this paper both for safety The abstract interpretation design principle is first illustrated for the suitable abstractions for safety and termination analysis, proof, ondesign the program of new structure. forward and backward proof, verification and analysis definitionThe of abstract the best interpretation variant function. design By further principle abstraction is instantiated of this best with and termination is that of semantic structural induction, including variantand function, checking we/verification derive the Floyd (either/Turing potential termination termination proof method or definite methodsThe abstract for safety interpretation. The safety design collecting principle semantics is first defining illustrated the for strongest the suitable abstractions for safety and termination analysis, proof, termination proofs, over trace segment covers and their abstrac- design of new forward and backward proof, verification and analysis as welltermination as new static for analysis nondeterministic methods to esystems).↵ectively compute approxima- safety property of programs is first expressed in a constructive fixpoint and checking/verification (either potential termination or definite tions. Trace segments are more powerful than binary relations be- methods for safety. The safety collecting semantics defining the strongest tions of thisThe best first variant main function. idea for termination is that there exists a most form. Safety proof and checking/verification methods then immediately termination for nondeterministic systems). tween states which have been used traditionally in program termi- safetyfollow property by fixpoint of programs induction. is first Static expressed analysis inof aabstract constructive safety fixpoint properties Forprecise (2), we variant introduce function a generalization that can beof the expressed syntactic in notion fixpoint of struc- form by / tural inductionThe first (as main found idea in Hoare for termination logic) into a issemantic that there structural exists induc- a most nation proofs (for example, the transition invariants used in [53] form.such Safety as invariance proof and are checking constructivelyverification designed methods by then fixpoint immediately abstraction abstract interpretation of a termination collecting semantics itself follow by fixpoint induction. Static analysis of abstract safety properties tionprecisebased on variant the new function semantic that concept can be of inductive expressed trace in fixpoint cover covering form by are binary relation abstractions of the set of trace segments). Exam- (or approximation) to (automatically) infer safety properties. So far, no abstracting the program operational trace semantics. This yields such as invariance are constructively designed by fixpoint abstraction executionabstract traces interpretation by segments of, a a new termination basis for formulating collectingsemantics program prop- itself ples include structural induction on the program syntax (including such clear design principle did exist for termination so that the existing new static analysis methods automatically inferring abstractions (orapproaches approximation) are scattered to (automatically) and largely infer not comparable safety properties. with each So other. far, no erties.abstracting Its abstractions the program allow for operational generalized trace recursive semantics. proof, verification This yields loop invariants à la Floyd [40]), induction on data, à la Burstall and staticof that analysis variant methods function by inductionby the constructive on both program fixpoint structure, approximation con- such clearFor (1), design we show principle that did this exist design for principle termination applies so that equally the wellexisting to po- new static analysis methods automatically inferring abstractions [3], the covering of the transition relation closure by well-founded approaches are scattered and largely not comparable with each other. trol, andmethods data. Examples of abstract of interpretation. particular instances include Floyd’s handling tential and definite termination. The trace-based termination collecting of that variant function by the constructive fixpoint approximation relations, à la Podelski-Rybalchenko [53], their combinations and For (1), we show that this design principle applies equally well to po- of loop cut-pointsThe second as well main as idea nested introduced loops, Burstall’s in this paperintermittent both forasser- safety semantics is given a fixpoint definition. Its abstraction yields a fixpoint methods of abstract interpretation. generalizations. tentialdefinition and definite of the best termination variant function.. The trace-based By further termination abstraction collecting of this best tion totaland correctness termination proof is that method, of semantic and Podelski-Rybalchenko structural induction transition, including invariants.The second main idea introduced in this paper both for safety semanticsvariant function, is given a we fixpoint derive definition. the Floyd/ ItsTuring abstraction termination yields proof a fixpoint method termination proofs, over trace segment covers and their abstrac- definition of the best variant function. By further abstraction of this best and termination is that of semantic structural induction, including 2. Fixpoints, fixpoint induction, abstraction, and as well as new static analysis methods to e↵ectively compute approxima- Categoriestions. Trace and Subjectsegments Descriptors are more powerfulD.2.4 than [Software binary/Program relations be- variant function, we derive the Floyd/Turing termination proof method termination proofs, over trace segment covers and their abstrac- tions of this best variant function. Verificationtween]; states D.3.1 which [Formal have Definitions been used andtraditionally Theory]; in F.3.1 program [Spec- termi- approximation as wellFor as (2),new we static introduce analysis a methodsgeneralization to e↵ectively of the syntactic compute notion approxima- of struc- tions. Trace segments are more powerful than binary relations be- We express semantics as fixpoints of maps f A A i.e. elements tions of this best variant function. ifyingnation and Verifying proofs (for and example, Reasoning the about transition Programs invariants]. used in [53] 2 7! tural induction (as found in Hoare logic) into a semantic structural induc- tween states which have been used traditionally in program termi- = v For (2), we introduce a generalization of the syntactic notion of struc- are binary relation abstractions of the set of trace segments). Exam- x A such that x f (x). We let lfpa f be the least fixpoint of tion based on the new semantic concept of inductive trace cover covering Generalnation Terms proofs (forLanguages, example, Reliability, the transition Security, invariants Theory, used Verifi- in [53] 2 , tural induction (as found in Hoare logic) into a semantic structural induc- ples include structural induction on the program syntax (including f A A on the poset A greater than or equal to a A, execution traces by segments, a new basis for formulating program prop- cation.are binary relation abstractions of the set of trace segments). Exam- 2 7! h vi 2 tionerties.based Its on abstractions the new semantic allow forconcept generalized of inductive recursive trace proof, cover verificationcovering loop invariants à la Floyd [40]), induction on data, à la Burstall if any. The dual notion is that of greatest fixpoint gfpav f . We write execution traces by segments, a new basis for formulating program prop- Keywordsples includeAbstract structural Interpretation, induction on Induction, the program Proof, syntax Safety, (including Static lfpv f if a is the infimum of A, and lfp f if the partial order is clear and static analysis methods by induction on both program structure, con- [3], the covering of the transition relation closure by well-founded v N40AI,erties. 2017/01/21,trol, Its and abstractions data. Paris, Examples France allow of for particular generalized instances recursive include proof, Floyd’s verification handling analysis, 30 loop invariants Variant function, à la Floyd Verification, [ 40 ]), induction Termination. on data, à la Burstall © P. Cousotfrom the context. By Tarski/Pataria’s fixpoint theorem [50, 58], relations, à la Podelski-Rybalchenko [53], their combinations and 1 and static analysis methods by induction on both program structure, con- [3], the covering of the transition relation closure by well-founded v = of loop cut-points as well as nested loops, Burstall’s intermittent asser- generalizations. lfpa f P A a P f (P) P exists for f increasing trol,tion and total data. correctness Examples proof of particular method, instances and Podelski-Rybalchenko include Floyd’s handling transition 1.relations, Introduction à la Podelski-Rybalchenko [53], their combinations and on a complete{ 2 lattice| Av, ,^a, , v, } 2 or on a cpo A, , a, of loop cut-points as well as nested loops, Burstall’s intermittent asser- invariants. generalizations. 3 d h v 0> t ui n+1 h v n tion total correctness proof method, and Podelski-Rybalchenko transition Floyd/Turing program proof methods for invariance and termina- . The fixpoint iterates are f , a, n N : f = f ( f ), 2. Fixpoints, fixpoint induction, abstraction, and ti! n 8 2 invariants.Categories and Subject Descriptors D.2.4 [Software/Program tion [24, 40, 59] have inspired most sound static analysis methods. f , n N f which is lfpav f when a f (a) is a pre-fixpoint and Verification]; D.3.1 [Formal Definitions and Theory]; F.3.1 [Spec- 2.For static Fixpoints,approximationinvariance fixpointanalysis induction, by abstract interpretation abstraction, [19, and21], f is continuous2 4,5,6. If f is increasing butv not continuous, transfinite Categories and Subject Descriptors D.2.4 [Software/Program We express semantics as fixpoints of maps f A A i.e. elements ifying and Verifying and Reasoning about Programs]. a key stepapproximation is to express the strongest invariant as2 a7! fixpoint and iterationsF may have to be used [22]. Verification]; D.3.1 [Formal Definitions and Theory]; F.3.1 [Spec- x A such that x = f (x). We let lfpv f be the least fixpoint of General Terms Languages, Reliability, Security, Theory, Verifi- nextWe to express2 approximate semantics this as strongestfixpoints invariantof mapsa tof automaticallyA A i.e. elements infer ifying and Verifying and Reasoning about Programs]. an abstractf A inductiveA on theinvariant poset usingA, thegreater constructive2 than7! or fixpoint equal to ap-a A, cation. x 2A such7! that x = f (x). Weh letvi lfpv f be the least fixpoint 2of 1 if any. The dual notion is that of greatesta fixpoint gfpv f . We write f A A is increasing (also monotone, isotone, ...) on a poset A, if General Terms Languages, Reliability, Security, Theory, Verifi- proximationf 2 A methods.A on the poset A, greater than or equala to a A, 2 7! h vi cation.Keywords Abstract Interpretation, Induction, Proof, Safety, Static lfp2 v f 7!if a is the infimum ofh A,vi and lfp f if the partial order is2 clear and only if x, y A :(x y) = ( f (x) f (y)) [36]. ifFor any. static Thetermination dual notion isanalysis, that of greatest the discovery fixpoint ofgfp variantv f . We func-v write 8 2 v ) v analysis, Variant function, Verification, Termination. from the context. By Tarski/Pataria’s fixpoint theorema [50, 58], 2 A complete lattice A, , , , , is a poset s. t. any subset has a Keywords Abstract Interpretation, Induction, Proof, Safety, Static tionsv is either decidable in limited cases [54] or else is based on lfp f if a is the infimum of A, and lfp f if the partial order is clear 1 h v ? > t ui = the Floydlfpav f/Turing= P ideaA of varianta P functionsf (P) intoP exists well-founded for f vincreasing sets least upper bound (lub) , hence a greatest lower bound (glb) , , analysis,1. Introduction Variant function, Verification, Termination. from the context.{ 2 By| Tarskiv /Pataria’s^ v fixpoint} 2 theorem [50, 58], = . t u ? t; obtainedon a by complete observing lattice quantitiesA, , thata, strictly, , decreaseor on within a cpo loopsA, ,1a, > u; lfpav f3 = dP A a h P v f (P0>) tP uiexists for f increasingn+1 h v n 3 1.Floyd Introduction/Turing program proof methods for invariance and termina- . The{fixpoint2 | iteratesv ^are f ,v a,} 2 n N : f = f ( f ), A complete partial order (cpo) A, , , is a poset A, such that onti a! complete latticen A, , a, , , 8or2 on a cpo A, , a, h v ? ti h vi tion [24, 40, 59] have inspired most sound static analysis methods. Workf supported in partf which by theh isCMACSvlfpv f NSFwhen> tExpeditionsaui f (a) in is Computing a pre-fixpointh awardv and any increasing chain C A such that x, y C : x y y x has a least Floyd/Turing program proof methods for invariance and termina- ⇤ 3. The, dfixpointn N iterates area f 0 a, n : f n+1 = f ( f n), ✓ 8 2 v _ v For static invariance analysis by abstract interpretation [19, 21], 0926166 and the European2 4, ARTEMIS5,6 Project MBAT, . v N upper bound (lub) C, hence has an infimum = for the empty chain. tion [24, 40, 59] have inspired most sound static analysis methods. ti!f is continuousn . If f is increasing but8 not2 continuous, transfinite t ? t; a key step is to express the strongest invariant as a fixpoint and Permissionf , tonF makeN f digitalwhich or hard is lfp copiesav f when of all ora partf of(a this) is work a pre-fixpoint for personal or and 4 f A A is continuous on a poset A, , if and only if for all For static invariance analysis by abstract interpretation [19, 21], iterations2 may4,5 have,6 to be used [22]. v 2 7! h v ti next to approximate this strongest invariant to automatically infer classroomf is continuous use is granted without. If f feeis providedincreasing that butcopies not are continuous, not made or distributed transfinite increasing chains C }(A) such that its lub C does exist then the lub a key step is to express the strongest invariant as a fixpoint and for profititerations orF commercial may have advantage to be and used that [ copies22]. bear this notice and the full citation f [C] exists and is such2 that f [C] = f ( C). t an abstract inductive invariant using the constructive fixpoint ap- on the first page. To copy otherwise, to republish, to post on servers or to redistribute t t t next to approximate this strongest invariant to automatically infer 1 f A A is increasing (also monotone, isotone, ...) on a poset A, if 5 X proximation methods. to lists, requires prior specific permission and/or a fee. }(X) or 2 is the powerset of X i.e. the set of all subsets of a set X. an abstract inductive invariant using the constructive fixpoint ap- and2 only7! if x, y A :(x y) = ( f (x) f (y)) [36]. h vi For static termination analysis, the discovery of variant func- POPL’12,1 f A JanuaryA is8 25–27,increasing2 2012,(also Philadelphia,v monotone) PA,, USA.isotonev , ...) on a poset A, if 6 The post-image (or image) of X }(A) by a map f A B is proximation methods. 2 , , , , , 2 2 7! tions is either decidable in limited cases [54] or else is based on Copyrightand2A onlycompletec 7!2012 if x ACM, y lattice 978-1-4503-1083-3A :(xA y) = (/12f (/x01.) . . $10.00fis(y a)) poset [36]. s. t. any subseth vi has a f [X] f (x) x X }(B). For static termination analysis, the discovery of variant func- least upper8 bound2 (lub)h v v, hence?)> at greatestuiv lower bound (glb) , = , , { | 2 } 2 the Floyd/Turing idea of variant functions into well-founded sets 2 tions is either decidable in limited cases [54] or else is based on A complete= . lattice A, t, , , , is a poset s. t. any subsetu ? has at; obtained by observing quantities that strictly decrease within loops least> upperu; bound (lub)h v, hence? > at greatestui lower bound (glb) , = , the Floyd/Turing idea of variant functions into well-founded sets 3 A complete partial ordert (cpo) A, , , is a poset A,u ?sucht; that = . 245 obtained by observing quantities that strictly decrease within loops > anyu; increasing chain C A suchh that vx,?y tiC : x y yh vix has a least ⇤ Work supported in part by the CMACS NSF Expeditions in Computing award 3 A complete partial order✓(cpo) A, , 8 , 2 is a posetv _A, v such that 0926166 and the European ARTEMIS Project MBAT. upper bound (lub) C, hence has an infimum = for the empty chain. any increasing chain tC A suchh that vx,?y tiC ?: x t;y yh vix has a least ⇤ Work supported in part by the CMACS NSF Expeditions in Computing award 4 , , Permission to make digital or hard copies of all or part of this work for personal or upperf boundA (lub)A isCcontinuous, hence✓ hason an a infimum8 poset2 A = v forif_ the andv empty only chain. if for all 0926166classroom and the use European is granted ARTEMIS without fee Project providedMBAT that. copies are not made or distributed increasing2 7! chains C }(A) such that itsh lub v Ctidoes exist then the lub 4 t ? t; Permissionfor profit to or make commercial digital advantage or hard copies and that of all copies or part bear of this this notice work and for the personal full citation or f f [CA] existsA is andcontinuous is such2 thaton af [ posetC] = f (A,C)., t if and only if for all classroomon the first use page. is granted To copy without otherwise, fee provided to republish, that copies to post are on not servers made or or to distributed redistribute increasingt2 7! chains C }(A) sucht that itsh lubt v Ctidoes exist then the lub 5 } X forto profit lists, or requires commercial prior advantage specific permission and that copies and/or bear a fee. this notice and the full citation f [C(]X exists) or 2 andis theis such powerset2 that off [XC]i.e.= thef ( C set). oft all subsets of a set X. 6 onPOPL’12, the first page.January To copy 25–27, otherwise, 2012, toPhiladelphia, republish, to PA, post USA. on servers or to redistribute 5t The post-imageX (or imaget) of X t}(A) by a map f A B is to lists, requires prior specific permission and/or a fee. }(X) or 2 is the powerset of X i.e. the2 set of all subsets of a set2 X. 7! Copyright c 2012 ACM 978-1-4503-1083-3/12/01. . . $10.00 f [X] , f (x) x X }(B). POPL’12, January 25–27, 2012, Philadelphia, PA, USA. 6 The post-image{ | (or2 image} 2 ) of X }(A) by a map f A B is 2 2 7! Copyright c 2012 ACM 978-1-4503-1083-3/12/01. . . $10.00 f [X] f (x) x X }(B). , { | 2 } 2 245

245 Denotational Semantics

N40AI, 2017/01/21, Paris, France 31 © P. Cousot Hierarchy of semantics • POPL 1992:

N40AI, 2017/01/21, Paris, France 32 © P. Cousot Hierarchy of semantics 1 • TCS 2002:

Constructive Design of a Hierarchy of Semantics of a Transition System by Abstract Interpretation Patrick Cousota aD´epartement d’Informatique, Ecole´ Normale Sup´erieure, 45 rue d’Ulm, 75230 Paris cedex 05, France, [email protected], http://www.di.ens.fr/~cousot

We construct a hierarchy of semantics by successive abstract interpretations. Starting from the maximal trace semantics of a transition system, we derive the big-step seman- tics, termination and nontermination semantics, Plotkin’s natural, Smyth’s demoniac and Hoare’s angelic relational semantics and equivalent nondeterministic denotational se- mantics (with alternative powerdomains to the Egli-Milner and Smyth constructions), D. Scott’s deterministic denotational semantics, the generalized and Dijkstra’s conser- vative/liberal predicate transformer semantics, the generalized/total and Hoare’s partial correctness axiomatic semantics and the corresponding proof methods. All the semantics are presented in a uniform fixpoint form and the correspondences between these seman- tics are established through composable Galois connections, each semantics being formally calculated by abstract interpretation of a more concrete one using Kleene and/or Tarski fixpoint approximation transfer theorems.

Contents N40AI, 2017/01/21, Paris, France 33 © P. Cousot 1 Introduction 2

2AbstractionofFixpointSemantics 3 2.1 Fixpoint Semantics ...... 3 2.2 Fixpoint Semantics Approximation ...... 4 2.3 Fixpoint Semantics Transfer ...... 5 2.4 Semantics Abstraction ...... 7 2.5 Fixpoint Semantics Fusion ...... 8 2.6 Fixpoint Iterates Reordering ...... 8

3Transition/Small-StepOperationalSemantics 9

4FiniteandInfiniteSequences 9 4.1 Sequences ...... 9 4.2 Concatenation of Sequences ...... 10 4.3 Junction of Sequences ...... 10

5MaximalTraceSemantics 10 Hierarchy of semantics • Information and computation 2009:

Bi-inductive Structural Semantics ı

Patrick Cousot

Département d’informatique, École normale supérieure, 45 rue d’Ulm, 75230 Paris cedex 05, France

Radhia Cousot

CNRS & École polytechnique, 91128 Palaiseau cedex, France

Abstract

We propose a simple order-theoretic generalization, possibly non monotone, of set- theoretic inductive definitions. This generalization covers inductive, co-inductive and bi-inductive definitions and is preserved by abstraction. This allows structural operational semantics to describe simultaneously the finite/terminating and infi- nite/diverging behaviors of programs. This is illustrated on grammars and the structural bifinitary small/big-step trace/relational/operational semantics of the call-by-value ⁄-calculus (for which co-induction is shown to be inadequate).

Key words: fixpoint definition, inductive definition, co-inductive definition, bi-inductive definition, non-monotone definition, grammar, structural operational semantics, SOS, trace semantics, relational semantics, small-step semantics, big-step semantics, divergence semantics.

N40AI, 2017/01/21, Paris, France 34 © P. Cousot

1 Introduction

The connection between the use of fixpoints in denotational semantics [24] and the use of rule-based inductive definitions in axiomatic semantics [15] and

ı This work was done in the INRIA project team Abstraction common to the CNRS and the École normale supérieure. Email addresses: aPtrick .C u o to @s e n .fs r (Patrick Cousot), aR dh a.C uo s ol y@ ec nqitopti ue .f rh (Radhia Cousot). URLs: www.di.ens.fr/˜cousot/ (Patrick Cousot), www.enseignement.polytechnique.fr/profs/informatique/Radhia.Cousot/ (Radhia Cousot).

Preprint submitted to Elsevier 28 April 2009 Parallelism

cited by 55 cited by 36 cited by 21

N40AI, 2017/01/21, Paris, France 35 © P. Cousot Parallelism • POPL 2017:

Ogre and Pythia: An Invariance Proof Method for Weak Consistency Models

Jade Alglave Patrick Cousot University College London New York University, USA Microsoft Research Cambridge, UK emer. Ecole´ Normale Superieure,´ PSL, France ja v m slrlg otof.o@ mccaia , j.alg.vc. uela@ a cklu s o copc iu m s.t n y u@ .e d u ,cou nt se.sr fo@

Abstract ten by the last previous write (for example due to hardware features We design an invariance proof method for concurrent programs such as store buffers and caches). parameterised by a weak consistency model. The calculational Different consistency semantics styles can be used to describe design of the invariance proof method is by abstract interpretation WCMs. Operational models de
ne abstract machines in which of a truly parallel analytic semantics. This generalises the methods executions of programs are sequences of transitions made to or by Lamport and Owicki-Gries for sequential consistency. We use from formal entities modelling e.g. hardware features such as store cat as an example of language to write consistency speci
cations buffers and caches. Axiomatic models abstract away from such of both concurrent programs and machine architectures. concrete features and describe executions as relations over events modelling e.g. read or write memory accesses, and synchronisation. Categories and Subject Descriptors D.1.3 (Concurrent Program- We abstract our invariance proof method from the analytic ming); D.2.4 (Veri
cation); F.3.1 (Invariants); F.3.2 (Semantics). semantics. Thus our method is parameterised by a WCM. Keywords concurrency, distributed and parallel programming, in- N40AI,variance, 2017/01/21, veri Paris,
cation, France weak consistency models. 36 2. Overview of the Analytic Semantics © P. Cousot Our analytic semantics describes program executions as their an- archic semantics (process computations without any restriction on 1. Introduction communications), and their communication semantics (restrictions When an ogre (Owicki-GRies Extended) meets a pythia (variable) on communication between processes). To illustrate our analytic classic tales get retold: in this paper we investigate an invariance semantics, we will use the load buffering example lb in Fig. 1. proof method for concurrent (parallel or distributed) algorithms parameterised by weak consistency models. 0: x = 0; y = 0; { } Different program semantics styles can be used to describe con- P0 P1 ; current program executions, for example operational, denotational 1:r[] r1 x 11:r[] r2 y; or axiomatic semantics. We introduce here a new style, that we call 2:w[] y 1 12:w[] x 1 ; analytic; it is more abstract than operational models (Boudol et al. 3: 13: ; 2012) or pomsets (Brookes 2016; Grief 1975)). In this context, we Figure 1: lb algorithm in LISA separate the individual traces of the different processes that consti- tute the program from the communications between processes. In lb, processes P0 and P1 communicate via shared variables x Weak Consistency Models (WCMs) are seen as placing more or and y (initialised to 0 at line 0). Each process reads a variable (x less restrictions on communications. WCMs are now a
xture of at line 1 for P0, and y at line 11 for P1), then writes to the other computing systems: for example Intel x86 or ARM processors, variable (y at line 2 for P0 and x at line 12 for P1). Nvidia graphics cards, programming languages such as C++ or OpenCL, or distributed systems such as Amazon Web Services or 2.1 Anarchic Semantics Microsoft’s Azure. In this context, the execution of a concurrent Fig. 2 gives one of the four anarchic executions of lb. The compu- program can be seen as an interleaving of the individual traces of tations of P0 and P1 are formalised by traces, viz.,
nite or in
nite the different processes that constitute the program, but the commu- sequences of states separated by unique events. nication between processes are unlike what is prescribed by Lam- States and events appear along a trace in the process execution port’s Sequential Consistency (SC) (Lamport 1979). Indeed the order. Events give a semantics to instructions, for example accesses read of a shared variable may read another value than the one writ- to registers or memory locations. States record a process program point, the value of local variables (registers r1 for P0 and r2 for Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed P1) and the value of pythia variables. for profit or commercial advantage and that copies bear this notice and the full citation A pythia variable is the unique name given to the value of a read 1 on the first page. Copyrights for components of this work owned by others than ACM event, e.g. x1 for the read r = 1:r[] r1 x. Our pythia variables must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, x to post on servers or to redistribute to lists, requires prior specific permission and/or a are different from ghost variables; ghost variables compensate for fee. Request permissions from [email protected]. objects that do not exist in the chosen program semantics. POPL’17, January 15–21, 2017, Paris, France The read-from relation rf describes communications between c 2017 ACM. 978-1-4503-4660-3/17/01...$15.00 processes. In Fig. 2, the read r1 takes its value from the write w12 x x http://dx.doi.org/10.1145/3009837.3009883[Copyright notice will appear here once ’preprint’ option is removed.] (so the value 1 is assigned to the pythia variable x1).

3 Abstract interpretation: Industrialization

N40AI, 2017/01/21, Paris, France 37 © P. Cousot Industrialization • Very first industrial implementation: The interval analysis was implemented in the AdaWorld compiler for IBM PC 80286 by J.D. Ichbiah and his Alsys SA corporation team in 1980–87.

N40AI, 2017/01/21, Paris, France 38 © P. Cousot Warm welcome • Real-time software development companies: we have to pay for this new option of the ADA compiler, but: • The machine code size is significantly reduced → we cannot sell as much memory as we did before; • Many bugs are found at compile time → we make less money with our debugging services.

N40AI, 2017/01/21, Paris, France 39 © P. Cousot AbsInt Angewandte Informatik GmbH • Astrée sold by AbsInt:

N40AI, 2017/01/21, Paris, France 40 © P. Cousot Abstract interpretation based static analyzers

• Ait www.absint.com/ait/, StackAnalyzer www.absint.com/ stackanalyzer from AbSint

• Polyspace static analysis www.mathworks.com/products/ polyspace.html

• Julia (Java) www.juliasoft.com

• Ikos, NASA ti.arc.nasa.gov/opensource/ikos/

• Clousot for code contract, Microsoft, github.com/Microsoft/ CodeContracts

• Infer (Facebook) http://fbinfer.com

• Zoncolan (Facebook)

• Google

• …

N40AI, 2017/01/21, Paris, France 41 © P. Cousot Abstract interpretation: Prospective

N40AI, 2017/01/21, Paris, France 42 © P. Cousot The future is hard to predict • From my thesis in 1978:

computer, economical and biological systems

sequential and parallel programs

N40AI, 2017/01/21, Paris, France 43 © P. Cousot The future is hard to predict • From “30 years of Abstract Interpretation”:

Programming Abstract interpretation – The evolution of programming languages and program- – Beyond programming, abstraction is the only way to ming assistance systems has greatly helped to consid- apprehend complex systems erably speed up the development and scale up the size – Therefore, the scope of application of abstract inter- of conceivable programs pretation ideas is large – Software quality remains much far beyond, essentially – Over 30 years, abstract interpretation theory, prac- because it is anti-economical tice and achievements have grown despite trends and – ... untilthenextcatastrophy,evolutionofthestan- evanescent applications dards, revolution of the customers, or new laws holding – Hopefully, abstract interpretation will continue to be computer scientists accountable for bugs useful in the future

San Francisco, Jan. 9, 2008 —73— ©P.Cousot San Francisco, Jan. 9, 2008 —75— ©P.Cousot

Formal methods – Formal methods might then become profitable at every stage of program design – The winners, if any, will definitely have to scale up,at areasonablecost THE END – Up to now, research has mainly concentrated on easy avenues with short-term rewards Many thanks to all of you who contributed to abstract interpretation! – Small groups cannot make it, large groups fail to share common interests – There is still a long long way to go

San Francisco, Jan. 9, 2008 —74— ©P.Cousot San Francisco, Jan. 9, 2008 —75— ©P.Cousot

N40AI, 2017/01/21, Paris, France 44 © P. Cousot The future is hard to predict • From the Dagstuhl Seminar “Formal Methods — Just a Euro-Science?” in December 2010:

• More properties: • Security (not dynamically checkable) • ... • More systems and tools: • Parallel and distributed systems, • Cyber-physical (continuous+discrete) • Biological, financial, ... • Better practices: • Verification from design to implementation

N40AI, 2017/01/21, Paris, France 45 © P. Cousot Hopes (10 years) • Complex data structures (libraries like for numerical domains) • Program security • Parallel & distributed systems, weak consistency models

N40AI, 2017/01/21, Paris, France 46 © P. Cousot Dreams (40 years) 1. The semantics is specified structurally and compositionally 2. The abstraction is specified by composition of Galois connections POPL 2014:

A Galois Connection Calculus for Abstract Interpretation⇤ Patrick Cousot Radhia Cousot CIMS⇤⇤, NYU, USA [email protected] u . CNRS Emeritus, ENS, France rco us nteo s@. rf

Abstract We introduce a Galois connection calculus for language independent 3. Basic GC semantics Basic GCs are primitive abstractions of specification of abstract interpretations used in programming language semantics, properties. Classical examples are the identity abstraction 1[ , formal verification, and static analysis. This Galois connection calculus and its type Q . Q S hC system are typed by abstract interpretation. ] , , , , the top abstraction [ , vi hC vi P . P !! hC vi S > hC 3. TheCategories and calculational Subject Descriptors D.2.4 [Software/Program Verification design] of the Q .abstract J General Terms Algorithms, Languages, Reliability, Security, Theory, Verification. , ] , , > , , the join abstraction [C] vi K> hC vi P . hC vi S J[ Keywords Abstract Interpretation, Galois connection, Static Analysis, Verification. !} > }(}(C)), }(C), with ↵}(P ) P , }(Q) In Abstract , } , , interpreter1. Galois connections in Abstract is Interpretation supported hbyK libraries✓i ! ↵ h ✓i and toolsJ K interpretation [3, 4, 6, 7] concrete properties (for example (e.g.) }(Q), the complement abstraction [C] , }(SC), ¬ of computations) are related to abstract properties (e.g. types). The S ¬ h ✓i ! ¬ }(C), , the finite/infinite sequence abstraction [C] , abstract properties are always sound approximations of the con- h ◆i S 1 1 J K crete properties (abstract proofs/static analyzes are always correct }(C1), }(C), with ↵1(P ) , i P i h ✓i ↵ 1 h ✓i { | 2 ^ 2 in the concrete) and are sometimes complete (proofs/analyzes of ! J K 4. All modular and compositionaldom() and 1(Q) , C1 i dom():i Q , the abstract properties can all be done in the abstract only). E.g. types } { 2 | 8 2 2 } transformer abstraction [C1,C2] , }(C1 C2), are sound but incomplete [2] while abstract semantics are usually S h ⇥ ✓i ↵ ! complete [9]. The concrete domain , and abstract domain }(C1) [ }(C2), ˙ mapping relations to join-preserving hC vi h ! ✓i , 4 of properties are posets (partial orders being interpreted as transformers with ↵ (R)J X . yK x X : x, y R , N40AI, 2017/01/21,hA Paris,i France 47 , { | 9 2 h i2 } © P. Cousot implication). When concrete properties all have a 4-most precise (g) , x, y y g( x ) , the function abstraction abstraction, the correspondence is a Galois connection (GC) , {h i | 2 { } } 7! hC [C1,C2] , }(C1 C2), }(C1) }(C2), , with abstraction ↵ and concretiza- S 7! h 7! ✓i ↵ 7! h 7! vi ↵ hA 4i 2 C 7! A ! ! ˙ with ↵7!(P ) X . f(x) f P x X , 7!(g) tion satisfying P : Q : ↵(x) 4 y ✓i , { | 2 ^ 2 } , x (2y)A( 7!expressesC soundness8 2 andC 8 best2 A abstraction). Each, fJ C1 KC2 X }(C1): x X : f(x) g(X) , v ) ( { 2 7! | 8 2 8 2 2 ⇥ } adjoint ↵/ uniquely determines the other /↵.AGalois retrac- the cartesian abstraction [I,C] , }(I C), S ⇥ h 7! ✓i ↵ tion (or insertion) has ↵ onto, so is one-to-one, and ↵ is the !⇥ identity. E.g. the interval abstraction [3, 4] of the power set }(C) I }(C), ˙ with ↵⇥(X) , i I . x C f I h 7! ✓i J K2 { 2 | 9 2 7! of complete -totally ordered sets C , is I[ C, C : f[i x] X , ⇥(Y ) , f i I : f(i) Y (i) , and I 2 } { | 8 2 2 }  [ {1 1} S h  the pointwise extension ˙ of to I, etc. , , ] , }(C), I(C , , ), with ✓ ✓ I i 1 1 h ✓i ↵ !! h [{1 1}  J i 4. Galois connector semantics Galois connectors build a GC ↵I(X) [min X, max X], min , max , I([a, b]) , ; , 1 ; , 1 from GCs provided as parameters. Unary Galois connectors in- x CK a x b , intervals I(C , F, ) , { 2 |   } S [ {1 1}  , clude the reduction connector R[ , , 4 ] , [a, b] a C b C a b [ , ] , S hC vi ! ↵ hA i { | 2 [ {1} ^ 2 [ {1} ^  } [ { 1 1 } , ↵(P ) P , and the pointwise connec- and inclusion [a, b] [c, d] c a b d.AGalois isomor- ↵ 4 , J K hC vi !! h{ | 2 C} i ⇢ ⇢  ^  J . K phism , , has both ↵ and bijective. E.g. global tor X C, A, 4 , X C, ˙ ↵ 4 ↵ ⇢ . ↵ ⇢ hC ✓i !! hA i S h vi ! h i h 7! vi ! and local invariantsF are isomorphic by the right image abstraction ˙ ˙ ˙ y X A, 4 for the pointwise orderings and 4. Binary Ga- ˙ h 7! i v 1 y[L, ] , }(L ), L }( ), with lois connectorsJ _ include the compositionK connector , S M h ⇥M ✓i ↵ y !! h 7! M ✓i S hC ✓i ↵1 y y 2 ! ↵ (P ) , ` . m `,m P , (Q) , `,m m 1, 2, 3, 1, = 2, , b ↵ 4 , ( b ? J ˙K { | h i2 } {h i | 2 hA i hA vi 2 hA i hA i hA vi hC Q(`) , and is the pointwise extension of inclusion . 1 2 ! J 3, ⌦ (where ⌦ is a static error), the prod- } ✓ ✓ ↵ ↵ 4 : ) GC ✓i 2 1 hA i 2. Equivalent formalizations of -based Abstract Interpre- !# 1 K 2 , , uct connector 1, 1, * 2, b 2, tation GCs ↵ 4 are Galois retracts of/Galois iso- S hC ✓i ↵1 hA vi hC i ↵2 hA hC vi hA i !1 2 ! ! ⇥ morphic to numerous equivalent mathematical structures [6] such 4 , 1 2, b 1 2, 4 (gen- ↵ ↵ as join-preserving maps (↵), meet-preserving maps (), upper- i hC ⇥ C J ✓⇥ i 1 ⇥ !2 hA ⇥ A v⇥ i eralizing to tuples), the higher-order functional connector 1, closures ( ↵), Moore families ( (Q) Q ), Sierpi´nski 1 2 S hC { | 2 A} K 1, = 2, 4 2, 6 , 1 2, topologies [5]( (Q) Q where is unique complemen- ✓i ↵1 hA vi ) hC i ↵2 hA i hC ! C {¬ | 2 A} ¬ ! g . 2 g ↵1 ! 1 principal downset families J tation in the concrete domain , if any), 4˙ 1 2, 6˙ for increasing maps and C f . ↵ f ( v(Q) Q where vx y y x ), maximal i 2 !1 Z hA !1 A i K , ˙ ˙ convex{# congruences| 2 A}( P # ↵(P{)=2 C|↵((Qv)) } Q , pointwise orderings and 6. {{ 2 C| }| 2 A} v soundness relations (also called abstraction relation, logical rela- 5. Galois connection calculus The GC calculus G (to specify tion, or tensor product, ↵ 4 = P, Q ↵(P ) 4 Q = P, verifiers/analyzers compositionally) is x,... X for program 1 {h i | } {h 2 Q P (Q) = where f x, f(x) x variables, `,... L for labels, e E for elements e ::= true i | v } v ⌘ {h i | 2 2 2 | dom(f) , r r0 = x, z y : x, y r y, z r0 ), 1 x ` e ..., s S for sets s ::= B Z X L } {h #i | 9 h i2 ^h i2 } | 1 | | | | 2 | | | | and, for powersets = }(C), = }(A), polarities of rela- e [e, e] I(s, o) s1 s s s s s s }(s) ..., C # A tions ((Q)= x C y Q : R(x, y) where R = x, o{ }|O for| partial orders| o| ::=[ | 7! | ⇥ | | = # { 2 | 8 2 } {h 21 ) | , |  | ✓ | | | y x ( y ) ). o o1 o2 o˙ o¨ ..., p P for posets p ::= s, o , and i | 2 { } } g G| for⇥GCs|g ::=| 1|[p] [2p, e] I[p, e, e] [s,h s] i [s] ⇤ See the auxiliary materials. ⇤⇤ Work supported in part by the CMACS NSF award 0926166. > y F [ Permission to make digital or hard copies of part or all of this work for personal or classroom use 2[s] [s] [s, s] [|s, s] [|s, s] ... | R[g] s| g | is granted without fee provided that copies are not made or distributed for profit or commercial ¬ | 1 | | 7! | ⇥ | | | | advantage and that copies bear this notice and the full citation on the first page. Copyrights for third- g g g * g g = g .... The semantics of interval sets is party components of this work must be honored. For all other uses, contact the owner/author(s). | | ) | POPL ’14, January 22–24, 2014, San Diego, CA, USA. Copyright is held by the owner/author(s). I(C, ) ( C C ? [a, b] a, b C : !) where ! S 4 , 4 ✓ ⇥ { 4 | 2 } _ ACM 978-1-4503-2544-8/14/01. http://dx.doi.org/10.1145/2535838.2537850 is# a dynamic error (maybeZ not detectable by typing). J K Dreams (40 years) 4. The design of static analyzers is computer- assisted by automatic composition of certified public-domain modules for: • Abstract domains • Syntax and semantics to fixpoint equations • Parallel/distributed fixpoint solvers (direct or with convergence acceleration) • User-interface automatic design • Automatic fixing of errors

N40AI, 2017/01/21, Paris, France 48 © P. Cousot The End

N40AI, 2017/01/21, Paris, France 49 © P. Cousot