
Spring 2014
Program Analysis and Verification
Lecture 9: Abstract Interpretation I
Roman Manevich
Ben-Gurion University

Syllabus
• Semantics: Natural Semantics, Structural semantics, Axiomatic Verification
• Static Analysis fundamentals: Automating Hoare Logic, Control Flow Graphs, Equation Systems, Collecting Semantics
• Abstract Interpretation: Lattices, Galois Connections, Fixed-Points, Widening/Narrowing, Domain constructors
• Analysis Techniques: Numerical Domains, Alias analysis, Shape Analysis, CEGAR, Interprocedural Analysis
• Crafting your own: Soot, From proofs to abstractions, Systematically developing transformers

Previously
• Another static analysis example – constant propagation
• Basic concepts in static analysis
  – Control flow graphs
  – Equation systems
  – Collecting semantics
  – (Trace semantics)

Annotating programs
Annotate(P, S) =
  case S is x:=aexpr
    return {P} x:=aexpr {F*[x:=aexpr] P}
  case S is S1; S2
    let Annotate(P, S1) be {P} A1 {Q1}
    let Annotate(Q1, S2) be {Q1} A2 {Q2}
    return {P} A1; {Q1} A2 {Q2}
  case S is if bexpr then S1 else S2
    let Pt = F[assume bexpr] P
    let Pf = F[assume ¬bexpr] P
    let Annotate(Pt, S1) be {Pt} A1 {Q1}
    let Annotate(Pf, S2) be {Pf} A2 {Q2}
    return {P} if bexpr then {Pt} A1 {Q1} else {Pf} A2 {Q2} {Q1 ∨ Q2}
  case S is while bexpr do S
    N := Nc := P // Initialize
    repeat
      let Pt = F[assume bexpr] Nc
      let Annotate(Pt, S) be {Pt} Abody {N}
      Nc := Nc ∨ N
    until N = Nc
    return {P} INV={N} while bexpr do {Pt} Abody {F[assume ¬bexpr] N}

Collecting semantics example: input 1, input 2, input 3
1 label0:
2 if x <= 0 goto label1
3 x := x – 1
4 goto label0
5 label1:
[Figure: the control flow graph of this loop (entry, loop head, "if x > 0", "x := x - 1" on the true branch back to the loop head, exit on the false branch), annotated with the sets of states reaching each node. Over the three slides the entry states ([x↦1], [x↦2], [x↦3], …) are pushed through the loop one input at a time, and the state sets at the loop head, the body and the exit grow with each input.]
ad infinitum – fixed point
[Figure: the same CFG; as the remaining inputs (…, [x↦3], [x↦2], …) are pushed through, the state sets keep growing ad infinitum, up to the fixed point.]

Predicates at fixed point
1 label0:
2 if x <= 0 goto label1
3 x := x – 1
4 goto label0
5 label1:
[Figure: the CFG annotated with the predicates at the fixed point: {true} at the entry and at the loop head, {x>0} entering "x := x - 1", {x≥0} after it, and {x≤0} at the exit.]

Equational definition example
• A vector of variables R[0, 1, 2, 3, 4]
• R[0] = {[x↦z] | z ∈ Z} // established input
  R[1] = R[0] ∪ R[4]
  R[2] = R[1] ∩ {s | s(x) > 0} // semantic function for assume x>0
  R[3] = R[1] ∩ {s | s(x) ≤ 0}
  R[4] = ⟦x:=x-1⟧ R[2] // semantic function for x:=x-1 lifted to sets of states
• A (recursive) system of equations
[Figure: the CFG labelled with the variables: entry R[0] → R[1] → "if x > 0"; true branch R[2] → "x := x-1" → R[4], which flows back into R[1]; false branch R[3] → exit.]

General definition
• A vector of variables R[0, …, k], one per input/output of a node
  – R[0] is for entry
• For a node n with multiple predecessors add the equation R[n] = ∪{R[k] | k is a predecessor of n}
• For an atomic operation node R[m] S R[n] add the equation R[n] = ⟦S⟧ R[m]
• Transform if b then S1 else S2 to (assume b; S1) or (assume ¬b; S2)
[Figure: the same CFG with R[0], …, R[4].]

Current lecture (Appendix A)
• Semantic domains
  – Preorders
  – Partial orders (posets)
  – Pointed posets
  – Ascending/descending chains
  – The height of a poset
  – Join and Meet operators
  – Complete lattices
  – Constructing new lattices from old

Abstract interpretation Theory [1977]
[Photo: by Rama (own work), CC-BY-SA-2.0-fr (http://creativecommons.org/licenses/by-sa/2.0/fr/deed.en), via Wikimedia Commons]

Abstract Interpretation [CC77]
• A very general mathematical framework for approximating semantics
  – Generalizes Hoare Logic
  – Generalizes weakest precondition calculus
• Allows designing sound static analysis algorithms
  – Usually compute by iterating to a fixed-point
  – Not specific to any programming language style
• Results of an abstract interpretation are (loop) invariants
  – Can be interpreted as axiomatic verification assertions and used for verification

Annotating programs (revisited)
The Annotate(P, S) procedure of the earlier slide, with what each case approximates:
• x:=aexpr: F*[x:=aexpr] approximates the concrete semantics: sp(x:=aexpr, P) ⇒ F*[x:=aexpr] P
• if bexpr then S1 else S2: the postcondition Q1 ∨ Q2 approximates disjunction
• while bexpr do S: the loop case is justified by the consequence rule [consp]: from {P’} S {Q’}, if P ⇒ P’ and Q’ ⇒ Q, then {P} S {Q}

The big picture
• Use semantic domains to define both concrete semantics and abstract semantics
• Relate semantics in a sound way
• Interpret program over abstract semantics
[Diagram: on the concrete level, a set of states is mapped by statement S (the collecting semantics) to a set of states; on the abstract level, an abstract representation of a set of states is mapped by the abstract semantics of statement S to an abstract representation of a set of states; the levels are connected by abstraction (upwards) and meaning (downwards) arrows.]
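The equation system R[0], …, R[4] for the loop above, solved by iterating to a fixed point as the [CC77] slide describes, written out as an added Python example (this is not code from the lecture). It assumes a finite input set for R[0]; the lecture's R[0] = {[x↦z] | z ∈ Z} is exactly what makes the concrete iteration run ad infinitum. A state is modelled as the single value of x, and the fixed-point predicates {x>0}, {x≤0} and {x≥0} are checked against the computed sets.

```python
from typing import Callable, Dict, FrozenSet, Tuple

# Constructed example (not the lecture's code): the loop
#   label0: if x <= 0 goto label1; x := x - 1; goto label0; label1:
# as the equation system R[0..4] of the lecture, solved by Kleene iteration
# over sets of states. A state is the value of the single variable x.
State = int
States = FrozenSet[State]
Transformer = Callable[[States], States]


def assume(pred: Callable[[State], bool]) -> Transformer:
    """[[assume b]] lifted to sets of states: keep the states satisfying b."""
    return lambda S: frozenset(s for s in S if pred(s))


def assign(update: Callable[[State], State]) -> Transformer:
    """[[x := e]] lifted to sets of states: apply the update to every state."""
    return lambda S: frozenset(update(s) for s in S)


# R[1] = R[0] U R[4]               (join at the loop head, two predecessors)
# R[2] = R[1] n {s | s(x) > 0}     (assume x > 0, into the body)
# R[3] = R[1] n {s | s(x) <= 0}    (assume not (x > 0), to the exit)
# R[4] = [[x := x - 1]] R[2]       (the body)
EQUATIONS: Dict[int, Callable[[Dict[int, States]], States]] = {
    1: lambda R: R[0] | R[4],
    2: lambda R: assume(lambda x: x > 0)(R[1]),
    3: lambda R: assume(lambda x: x <= 0)(R[1]),
    4: lambda R: assign(lambda x: x - 1)(R[2]),
}


def solve(R0: States, equations=EQUATIONS) -> Tuple[Dict[int, States], int]:
    """Least solution by Kleene iteration from bottom (the empty set): re-evaluate
    every equation on the previous vector until nothing changes. This terminates
    only because R0 is finite; with R[0] = all of Z the chain never stabilises.
    Returns the solution and the number of rounds (including the final, stable one)."""
    R: Dict[int, States] = {0: R0, **{n: frozenset() for n in equations}}
    rounds = 0
    while True:
        new = {0: R0, **{n: eq(R) for n, eq in equations.items()}}
        rounds += 1
        if new == R:
            return R, rounds
        R = new


def check_invariants(R: Dict[int, States]) -> bool:
    """The fixed-point predicates of the lecture: {x>0} before the body,
    {x<=0} at the exit, {x>=0} after x := x - 1."""
    return (all(x > 0 for x in R[2])
            and all(x <= 0 for x in R[3])
            and all(x >= 0 for x in R[4]))


if __name__ == "__main__":
    # Constructed input: the states [x->-1], [x->0], [x->1], [x->2], [x->3].
    R, rounds = solve(frozenset(range(-1, 4)))
    for n in sorted(R):
        print(f"R[{n}] = {sorted(R[n])}")
    print("rounds:", rounds, "invariants hold:", check_invariants(R))
```

With the input {-1, 0, 1, 2, 3} the loop head R[1] stays the input set, the body R[2] receives {1, 2, 3}, the exit R[3] receives {-1, 0} and R[4] becomes {0, 1, 2}; from a single input state [x↦5] the head grows one state per trip around the loop until R[1] = {0, …, 5}, which is the concrete version of the "ad infinitum" picture, cut short only by the finite input.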
A theory of semantic domains
1. Approximating elements
2. Approximating sets of elements
[Photo: by Brett Jordan / David Macdonald, CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0), via Wikimedia Commons]

Overall idea
• A semantic domain can be used to define properties (representations of predicates)
  – Also called abstract states
• Common representations
  – Logical formulas
  – Automata
  – Specialized graphs

A taxonomy of semantic domain types (from most to least structure)
Complete Lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤)
Lattice (D, ⊑, ⊔, ⊓, ⊥, ⊤)
Join semilattice (D, ⊑, ⊔, ⊥)   Meet semilattice (D, ⊑, ⊓, ⊤)
Complete partial order (CPO) (D, ⊑, ⊥)
Partial order (poset) (D, ⊑)
Preorder (D, ⊑)

Preorders

Preorder
• Let D be a set of elements
• We say that a binary order relation ⊑ over D is a preorder if the following conditions hold for every d, d’, d’’ ∈ D
  – Reflexive: d ⊑ d
  – Transitive: d ⊑ d’ and d’ ⊑ d’’ implies d ⊑ d’’
• There may exist d, d’ such that d ⊑ d’ and d’ ⊑ d yet d ≠ d’

Preorder examples
• SAV-predicates
  – SAV-factoids = { x = y | x, y ∈ Var } ∪ { x = y + z | x, y, z ∈ Var }
  – SAV-predicates = 2^SAV-factoids (a set of factoids is read as their conjunction, so the larger set is the stronger predicate)
  – Order relation 1: P1 ⊑set P2 iff P1 ⊇ P2
  – Order relation 2: P1 ⊑imp P2 iff P1 ⇒ P2
  – Which order relation is stronger (contains more pairs)?
  – Which order relation is easier to check?
  – What if both P1 and P2 are in the image of explicate?
SAV preorder 1: P1 ⊑set P2 iff P1 ⊇ P2
[Hasse diagram for Var = {x, y}: {} at the top; below it the singletons {x=y}, {y=x}, {x=x+x}, {y=y+y}, {y=x+y}, {y=y+x}, {x=x+y}, {x=y+x}; below those the pairs {x=y, y=x}, {x=y, x=x+x}, …, {x=x+y, x=y+x}; then triples such as {x=y, x=x+x, x=x+y}, …; and at the bottom the full set {x=y, y=x, x=x+x, y=y+y, y=x+y, y=y+x, x=x+y, x=y+x}.]

SAV preorder 2: P1 ⊑imp P2 iff P1 ⇒ P2
[Hasse diagram for Var = {x, y} over the same elements, now ordered by implication: semantically equivalent sets such as {x=y} and {y=x} are related in both directions, so the picture is no longer a partial order.]

Preorder examples
• CP-predicates
  – CP-factoids = { x = c | x ∈ Var, c ∈ Z }
  – CP-predicates = 2^CP-factoids
  – Order relation 1: P1 ⊑set P2 iff P1 ⊇ P2
  – Order relation 2: P1 ⊑imp P2 iff P1 ⇒ P2
  – Is there a difference?
    • {x=5, x=7, x=9} ⊑set {x=5, x=7}
    • {x=5, x=7, x=9} ⊑imp {x=5, x=7}
    • {x=5, x=7} ⊑imp {x=5, x=7, x=9} (both sets are unsatisfiable, so they imply each other; only ⊑imp relates them in this direction)

CP preorder example
[Hasse diagram for Var = {x}: {} at the top, and below it … {x=-3} {x=-2} {x=-1} {x=0} {x=1} {x=2} {x=3} …]

CP preorder example
[Hasse diagram for Var = {x, y}: {} at the top; below it … {x=-3} {x=0} {x=3} … {y=-5} {y=0} {y=36} …; below those the pairs {x=-3, y=-5} {x=0, y=0} {x=3, y=36}.]

The problem with preorders
• Equivalent elements have different representations
  – {x=y, x=a+b} S {Q}
  – {x=y, y=a+b} S {Q’}
  For example, with a transformer that only inspects the factoids present:
  – {x=y, x=a+b} assume y≠a+b {x=y, x=a+b}
  – {x=y, y=a+b} assume y≠a+b {false}
  – {x=y, x=a+b} assume x≠a+b {false}
  – {x=y, y=a+b} assume x≠a+b {x=y, y=a+b}
• Leads to unpredictability
• Which result should our static analysis give?
• In practice many static analyses still use preorders

Partial orders

Partially ordered sets (partial orders)
• A partially ordered set (Poset for short) is a pair (D, ⊑)
• D is a set of elements – a semantic domain
• ⊑ is a partial order between pairs of elements from D.
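The three questions on the SAV-preorder slide (which order contains more pairs, which is easier to check, what changes on the image of explicate), the CP "Is there a difference?" pairs, and the divergent assume results of the "problem with preorders" slides can all be checked on one small model. The following is an added Python example, not code from the lecture: it fixes Var = {x, y, a, b}, decides implication by enumerating values in a small range (an assumption; the lecture's variables range over Z, and the finite range can only make extra implications appear, never hide a real one, so the facts checked below hold over Z as well), computes explicate semantically as the set of all factoids a predicate implies, and uses a deliberately representation-based assume ¬factoid transformer to reproduce the two different answers.

```python
from functools import lru_cache
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed example, not the lecture's code: SAV-factoids (x=y, x=y+z) over a
# fixed variable set, interpreted over a small finite value range so that
# implication can be decided by brute force (an assumption; the lecture uses Z).
VARS = ("x", "y", "a", "b")
VALUES = range(-2, 3)

Pred = FrozenSet[str]               # a set of factoids, read as their conjunction
FALSE: Pred = frozenset({"false"})  # the lecture's {false}


def sav_factoids() -> Pred:
    """The SAV-factoids of the lecture: x=y and x=y+z for x, y, z in VARS."""
    eqs = {f"{x}={y}" for x, y in product(VARS, repeat=2)}
    sums = {f"{x}={y}+{z}" for x, y, z in product(VARS, repeat=3)}
    return frozenset(eqs | sums)


def holds(factoid: str, s: Dict[str, int]) -> bool:
    """Evaluate one factoid (x=y, x=y+z, a CP-factoid x=c, or 'false') in state s."""
    if factoid == "false":
        return False
    lhs, rhs = factoid.split("=")
    if "+" in rhs:
        y, z = rhs.split("+")
        return s[lhs] == s[y] + s[z]
    if rhs.lstrip("-").isdigit():
        return s[lhs] == int(rhs)
    return s[lhs] == s[rhs]


def constants(P: Pred) -> Set[int]:
    """Integer literals mentioned by CP-factoids in P, so x=5 is not vacuously false."""
    out: Set[int] = set()
    for f in P:
        rhs = f.partition("=")[2]
        if rhs.lstrip("-").isdigit():
            out.add(int(rhs))
    return out


def value_range(*preds: Pred) -> Tuple[int, ...]:
    return tuple(sorted(set(VALUES).union(*(constants(P) for P in preds))))


@lru_cache(maxsize=None)
def all_states(vals: Tuple[int, ...]) -> Tuple[Dict[str, int], ...]:
    return tuple(dict(zip(VARS, vs)) for vs in product(vals, repeat=len(VARS)))


@lru_cache(maxsize=None)
def meaning(P: Pred, vals: Tuple[int, ...]) -> FrozenSet[int]:
    """Indices of the states (over the given value range) satisfying all of P."""
    return frozenset(i for i, s in enumerate(all_states(vals)) if all(holds(f, s) for f in P))


def le_set(P1: Pred, P2: Pred) -> bool:
    """Order 1, P1 <=set P2 iff P1 is a superset of P2: syntactic, cheap, antisymmetric."""
    return P1 >= P2


def le_imp(P1: Pred, P2: Pred) -> bool:
    """Order 2, P1 <=imp P2 iff P1 implies P2: semantic, decided here by enumeration."""
    vals = value_range(P1, P2)
    return meaning(P1, vals) <= meaning(P2, vals)


def explicate(P: Pred) -> Pred:
    """Close P under implication: all SAV-factoids that P implies.
    An unsatisfiable P maps to the bottom element, which carries every factoid."""
    vals = value_range(P)
    m = meaning(P, vals)
    if not m:
        return sav_factoids() | FALSE
    return frozenset(f for f in sav_factoids() if m <= meaning(frozenset({f}), vals))


def assume_not(P: Pred, factoid: str) -> Pred:
    """A transformer for `assume not factoid` that only looks at the representation:
    it reports the contradiction only when the factoid is literally present."""
    return FALSE if factoid in P else P


Rel = Callable[[Pred, Pred], bool]


def is_preorder(rel: Rel, preds: Iterable[Pred]) -> bool:
    ps = list(preds)
    R = {(p, q) for p in ps for q in ps if rel(p, q)}
    reflexive = all((p, p) in R for p in ps)
    transitive = all((p, r) in R for (p, q) in R for (q2, r) in R if q == q2)
    return reflexive and transitive


def is_antisymmetric(rel: Rel, preds: Iterable[Pred]) -> bool:
    ps = list(preds)
    return all(p == q for p in ps for q in ps if rel(p, q) and rel(q, p))


def count_pairs(preds: Iterable[Pred]) -> Tuple[int, int]:
    """(pairs in <=set, pairs in <=imp): every <=set pair is an <=imp pair."""
    ps = list(preds)
    return (sum(le_set(p, q) for p in ps for q in ps), sum(le_imp(p, q) for p in ps for q in ps))


def orders_coincide(preds: Iterable[Pred]) -> bool:
    """Do <=set and <=imp agree on every pair? True on the image of explicate."""
    ps = list(preds)
    return all(le_set(p, q) == le_imp(p, q) for p in ps for q in ps)


# The lecture's two equivalent elements with different representations.
P_A: Pred = frozenset({"x=y", "x=a+b"})
P_B: Pred = frozenset({"x=y", "y=a+b"})
SAMPLE: List[Pred] = [P_A, P_B, frozenset({"x=y"}), frozenset(), explicate(P_A)]

if __name__ == "__main__":
    print("P_A <=imp P_B, P_B <=imp P_A:", le_imp(P_A, P_B), le_imp(P_B, P_A), "equal:", P_A == P_B)
    print("assume y!=a+b on P_A / P_B:", set(assume_not(P_A, "y=a+b")), set(assume_not(P_B, "y=a+b")))
    print("after explicate both give:", set(assume_not(explicate(P_A), "y=a+b")))
    print("pairs (set, imp):", count_pairs(SAMPLE), "antisymmetric:", is_antisymmetric(le_imp, SAMPLE),
          "on explicated:", is_antisymmetric(le_imp, [explicate(p) for p in SAMPLE]))
```

Running it answers the slide's questions on the sample: ⊑imp contains every ⊑set pair and more, ⊑set is a set comparison while ⊑imp needs semantic reasoning (here 625 states per check, a cost a real analysis avoids with a canonical form), the two divergent assume results appear for P_A and P_B and disappear after explicate, and on the explicated sample ⊑imp is antisymmetric and agrees with ⊑set pair for pair, which is the partial order the following slides introduce.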