
Abstraction in Abstract Interpretation
1. Introductive example

Patrick COUSOT
École Normale Supérieure
45 rue d'Ulm
75230 Paris cedex 05, France
mailto:[email protected]
http://www.di.ens.fr/~cousot

Workshop on Refinement and Abstraction
ETL Osaka, Japan, November 15-17, 1999

Abstraction in abstract interpretation, 3/81, © P. Cousot, Nov 16, 1999

Abstract

Abstract interpretation is a semantic approximation theory which has mainly been used for the design of static program analyzers. Our objective is to explain and illustrate the notion of abstraction/concretization and its numerous variants which are commonly used in abstract interpretation to formalize the loss of information. We also explain how the concrete model can be transformed into an abstract semantic model, and inversely for refinement. Several examples are given for the design of programming language semantics as well as model-checking and program analysis algorithms. To illustrate the notions of relative completeness and of existence of a best abstraction, we show that transitional, demonic, natural and angelic denotational, predicate transformer and axiomatic semantics are all relatively complete, best abstractions of a maximal trace semantics (or equivalently that the maximal trace semantics is a refinement of all these semantics). To illustrate incompleteness, we consider model-checking of finite transition systems for a temporal logic, both with maximal trace semantics. The logic can be restricted to ensure relative completeness at the expense of expressiveness. To illustrate inexistence of best approximations, we consider several abstract domains for the abstraction of sets of vectors of numbers and sets of graphs (for so-called set-based analysis).

Abstract interpretation

• Abstract interpretation is a semantic approximation theory [2];
• Mainly used for the design of semantics [3] and static program analyzers [1].

References

[1] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4th POPL, pages 238–252, Los Angeles, Calif., 1977. ACM Press.
[2] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th POPL, pages 269–282, San Antonio, Texas, 1979. ACM Press.
[3] P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. ENTCS, 6, 1997. URL: http://www.elsevier.nl/locate/entcs/volume6.html, 25 pages.

Abstraction in abstract interpretation

• Abstraction is understood as an approximation;
• A program analyzer is an approximate implementation of the program (collecting) semantics!
• There is often a confusion on the fact that abstract interpretation does not deal with abstract objects but with abstract properties of objects;
• This is because the two notions sometimes coincide;
• The view of abstract interpretation as abstraction of properties is more powerful than pseudo-evaluation on abstract objects.

Properties as sets

• A property is the set of objects which have this property;
• Example (properties of integers):
  -- Positive: {1, 2, 3, 4, ...}
  -- Odd: {1, 3, 5, 7, ...}

Objects and their properties

• Programming is relative to objects:
  Refined object  ←(refinement)  /  (abstraction)→  Abstract object
• Program proof/analysis to object properties:
  Concrete object property  ←(concretization)  /  (abstraction)→  Abstract object property

Example: rule of signs, standard semantics

• Standard semantics:
  -- Operational: what are the steps of evaluation of the expression when knowing an assignment of values to the free variables;
  -- Example ($\rho = [x : 5, y : -3]$):
     $[\![ x \times x + y \times y ]\!]\rho$
     $\to ([\![ x ]\!]\rho \times [\![ x ]\!]\rho) + ([\![ y ]\!]\rho \times [\![ y ]\!]\rho)$
     $\to (5 \times 5) + (-3 \times -3)$
     $\to 25 + 9$
     $\to 34$
  -- Denotational: what is the value of the expression when knowing an assignment of values to the free variables:
     $[\![ e ]\!] \in (X \mapsto \mathbb{Z}) \mapsto \mathbb{Z}$
     $[\![ n ]\!]\rho = n$
     $[\![ x ]\!]\rho = \rho(x)$
     $[\![ e_1 \times e_2 ]\!]\rho = [\![ e_1 ]\!]\rho \times [\![ e_2 ]\!]\rho$
     $[\![ e_1 + e_2 ]\!]\rho = [\![ e_1 ]\!]\rho + [\![ e_2 ]\!]\rho$

Example: rule of signs, 1 — the abstract object point of view

• Objective: determine the sign of an expression;
• Pseudo-evaluation method:
  -- replace values by their signs;
  -- interpret arithmetic operators on signs: $+1 + +1 = +1$, $+1 \times -1 = -1$, etc.
• Abstraction:
  -- concrete object → abstract object: integer → sign
  -- concrete operation → abstract operation: (integer × integer ↦ integer) → (sign × sign ↦ sign)
• Example ($\rho = [x : +1, y : -1]$):
     $[\![ x \times x + y \times y ]\!]\rho$
     $\to ([\![ x ]\!]\rho \times [\![ x ]\!]\rho) + ([\![ y ]\!]\rho \times [\![ y ]\!]\rho)$
     $\to (+1 \times +1) + (-1 \times -1)$
     $\to +1 + +1$
     $\to +1$
• Correctness: the rule of signs is a step by step simulation of the standard semantics (inconclusive when no rule applies, e.g. $+1 + -1 = ?$);
• Same idea in "subject reduction" of type theory.

Example: rule of signs, 2 — the abstract property point of view

• Property of an expression: set of its possible semantics;
• Collecting semantics: the strongest program property:
     $\{\!| e |\!\} \in \wp((X \mapsto \mathbb{Z}) \mapsto \mathbb{Z})$
     $\{\!| e |\!\} = \{ [\![ e ]\!] \}$  (1)
• Abstract semantics: a computable approximation of the collecting semantics.

Approximation

• Two alternatives:
  -- Universal/from above: consider a superset of the possible cases,
  -- Existential/from below: consider a subset of the possible cases;
• By duality, only universal approximation needs to be formally studied;
• The rule of signs is a universal approximation (i.e. $+1 + +1 = +1$ is valid whether $3 + 2 = 5$ or $3 + 2 = 1789$!) since more cases are considered than possible.

The lattice of signs [4]

• Ordered by set inclusion:
     top:      {-1, 0, 1}
     level 2:  {-1, 0}   {-1, 1}   {0, 1}
     level 1:  {-1}      {0}       {1}
     bottom:   ∅

Reference
[4] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th POPL, pages 269–282, San Antonio, Texas, 1979. ACM Press.

Approximation for the rule of signs

• $\alpha_0 : \mathbb{Z} \mapsto S$ where $S = \{+1, 0, -1\}$  (2)
     $\alpha_0(n) = -1$ iff $n < 0$
     $\alpha_0(n) = 0$ iff $n = 0$
     $\alpha_0(n) = +1$ iff $n > 0$
• $\alpha_1 \in \wp(\mathbb{Z}) \mapsto \wp(S)$  (3)
     $\alpha_1(N) = \{ \alpha_0(n) \mid n \in N \}$
  $\gamma_1 \in \wp(S) \mapsto \wp(\mathbb{Z})$
     $\gamma_1(S) = \{ n \mid \alpha_0(n) \in S \}$
• Example: $\{0, 17\} \xrightarrow{\alpha_1} \{0, +1\} \xrightarrow{\gamma_1} \{0, 1, \ldots, 17, \ldots\}$

…/…

• $\alpha_2 \in \wp(X \mapsto \mathbb{Z}) \mapsto (X \mapsto \wp(\mathbb{Z}))$
     $\alpha_2(R) = \lambda X \cdot \{ \rho(X) \mid \rho \in R \}$
  $\gamma_2 \in (X \mapsto \wp(\mathbb{Z})) \mapsto \wp(X \mapsto \mathbb{Z})$  (4)
     $\gamma_2(r) = \{ \rho \mid \forall X : \rho(X) \in r(X) \}$
• Example:
     $\{[X : 0, Y : 0], [X : 5, Y : 5]\}$
     $\xrightarrow{\alpha_2} [X : \{0, 5\}, Y : \{0, 5\}]$
     $\xrightarrow{\gamma_2} \{[X : 0, Y : 0], [X : 0, Y : 5], [X : 5, Y : 0], [X : 5, Y : 5]\}$

…/…

• $\alpha_3 : (X \mapsto \wp(\mathbb{Z})) \mapsto (X \mapsto \wp(S))$
     $\alpha_3(\rho) = \lambda X \cdot \alpha_1(\rho(X))$
  $\gamma_3 : (X \mapsto \wp(S)) \mapsto (X \mapsto \wp(\mathbb{Z}))$  (5)
     $\gamma_3(\rho) = \lambda X \cdot \gamma_1(\rho(X))$
• Example:
     $[X : \{0, 5\}, Y : \{0, 5\}]$
     $\xrightarrow{\alpha_3} [X : \{0, +1\}, Y : \{0, +1\}]$
     $\xrightarrow{\gamma_3} [X : \mathbb{N}, Y : \mathbb{N}]$

…/…

• $\alpha_4 : \wp(X \mapsto \mathbb{Z}) \mapsto (X \mapsto \wp(S))$
     $\alpha_4 = \alpha_3 \circ \alpha_2$
  $\gamma_4 : (X \mapsto \wp(S)) \mapsto \wp(X \mapsto \mathbb{Z})$  (6)
     $\gamma_4 = \gamma_2 \circ \gamma_3$
• Example:
     $\{[X : 0, Y : 0], [X : 5, Y : 5]\}$
     $\xrightarrow{\alpha_4} [X : \{0, +1\}, Y : \{0, +1\}]$
     $\xrightarrow{\gamma_4} \{[X : n, Y : m] \mid n \in \mathbb{N} \wedge m \in \mathbb{N}\}$

…/…

• $\alpha_5 \in (\wp(X \mapsto \mathbb{Z}) \mapsto \wp(\mathbb{Z})) \mapsto ((X \mapsto \wp(S)) \mapsto \wp(S))$  (7)
     $\alpha_5(s) = \alpha_1 \circ s \circ \gamma_4$
  $\gamma_5 \in ((X \mapsto \wp(S)) \mapsto \wp(S)) \mapsto (\wp(X \mapsto \mathbb{Z}) \mapsto \wp(\mathbb{Z}))$
     $\gamma_5(S) = \gamma_1 \circ S \circ \alpha_4$
• Intuition (commuting square): $s : \wp(X \mapsto \mathbb{Z}) \to \wp(\mathbb{Z})$ on the concrete side and $S : (X \mapsto \wp(S)) \to \wp(S)$ on the abstract side, related by $\alpha_4 / \gamma_4$ on the argument side and by $\alpha_1 / \gamma_1$ on the result side.

…/…

• $\alpha_6 \in \wp((X \mapsto \mathbb{Z}) \mapsto \mathbb{Z}) \mapsto (\wp(X \mapsto \mathbb{Z}) \mapsto \wp(\mathbb{Z}))$  (8)
     $\alpha_6(S) = \lambda R \cdot \{ s(\rho) \mid s \in S \wedge \rho \in R \}$
  $\gamma_6 \in (\wp(X \mapsto \mathbb{Z}) \mapsto \wp(\mathbb{Z})) \mapsto \wp((X \mapsto \mathbb{Z}) \mapsto \mathbb{Z})$
     $\gamma_6(S) = \{ s \mid \forall \rho \in X \mapsto \mathbb{Z} : s(\rho) \in S(\{\rho\}) \}$
• Intuition:
     $\gamma_6(\alpha_6(\{s\}))$
     $= \{ s' \mid \forall \rho' \in X \mapsto \mathbb{Z} : s'(\rho') \in \{ s''(\rho'') \mid s'' \in \{s\} \wedge \rho'' \in \{\rho'\} \} \}$
     $= \{ s' \mid \forall \rho' \in X \mapsto \mathbb{Z} : s'(\rho') \in \{ s(\rho') \} \}$
     $= \{ s' \mid \forall \rho' \in X \mapsto \mathbb{Z} : s'(\rho') = s(\rho') \}$
     $= \{ s' \mid s' = s \}$
     $= \{ s \}$

…/…

• $\alpha_7 \in \wp((X \mapsto \mathbb{Z}) \mapsto \mathbb{Z}) \mapsto ((X \mapsto \wp(S)) \mapsto \wp(S))$  (9)
     $\alpha_7 = \alpha_5 \circ \alpha_6$
  $\gamma_7 \in ((X \mapsto \wp(S)) \mapsto \wp(S)) \mapsto \wp((X \mapsto \mathbb{Z}) \mapsto \mathbb{Z})$
     $\gamma_7 = \gamma_6 \circ \gamma_5$
• Intuition: $\wp((X \mapsto \mathbb{Z}) \mapsto \mathbb{Z})$ is first related by $\alpha_6 / \gamma_6$ to $\wp(X \mapsto \mathbb{Z}) \mapsto \wp(\mathbb{Z})$, then by $\alpha_5 / \gamma_5$ to $(X \mapsto \wp(S)) \mapsto \wp(S)$.

Calculational design of the abstract semantics

     $[\![ e ]\!]^\sharp$
     $= \alpha_7(\{\!| e |\!\})$
     $= \alpha_5 \circ \alpha_6(\{\!| e |\!\})$  by def. (9) of $\alpha_7$
     $= \alpha_1 \circ \alpha_6(\{\!| e |\!\}) \circ \gamma_4$  by def. (7) of $\alpha_5$
     $= \lambda R \cdot \alpha_1(\{ s(\rho) \mid s \in \{\!| e |\!\} \wedge \rho \in \gamma_4(R) \})$  by (8)
     $= \lambda R \cdot \alpha_1(\{ [\![ e ]\!]\rho \mid \rho \in \gamma_4(R) \})$  by def. (1) of $\{\!| e |\!\}$
     $= \lambda R \cdot \alpha_1(\{ [\![ e ]\!]\rho \mid \rho \in \gamma_2 \circ \gamma_3(R) \})$  by (6)
     $= \lambda R \cdot \alpha_1(\{ [\![ e ]\!]\rho \mid \rho \in \gamma_2(\lambda Y \cdot \gamma_1(R(Y))) \})$  by def. (5) of $\gamma_3$
     $= \lambda R \cdot \alpha_1(\{ [\![ e ]\!]\rho \mid \rho \in \{ \rho' \mid \forall Y \in X : \rho'(Y \ldots$
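The maps $\alpha_0$, $\alpha_1$, $\alpha_4$ and the rule of signs above, executed on the slides' own expression $x \times x + y \times y$, as an added example (not Cousot's code, not part of the slides); it goes one step beyond the slides by treating the inconclusive case $+1 + -1$ in the property view, where the answer is simply the whole set $S$, and by checking the universal-approximation claim on a constructed set of environments. Expressions are encoded as nested tuples and $\gamma_1$ is not materialised since it yields infinite sets, both assumptions of this example.

```python
from itertools import product
S = frozenset({-1, 0, 1})  # top of the lattice of signs; its elements are subsets of S

def alpha0(n):
    """alpha_0 : Z -> S (eq. 2): the sign of one integer."""
    return -1 if n < 0 else (0 if n == 0 else 1)

def alpha1(N):
    """alpha_1 : P(Z) -> P(S) (eq. 3): alpha_1(N) = {alpha_0(n) | n in N}."""
    return frozenset(alpha0(n) for n in N)

def alpha4(R):
    """alpha_4 = alpha_3 o alpha_2 (eq. 6): set of environments -> X -> P(S)."""
    return {x: alpha1({rho[x] for rho in R}) for x in next(iter(R))}

def sign_add(a, b):
    """Rule of signs for +. The case +1 + -1, inconclusive under pseudo-evaluation,
    becomes a universal (from above) approximation: every sign is possible."""
    if a == 0 or b == 0:
        return {a + b}
    return {a} if a == b else set(S)

def sign_mul(a, b):
    """Rule of signs for *, always conclusive."""
    return {a * b}

def concrete(e, rho):
    """Standard denotational semantics [[e]]rho (constants, variables, *, +)."""
    tag = e[0]
    if tag == 'num': return e[1]
    if tag == 'var': return rho[e[1]]
    l, r = concrete(e[1], rho), concrete(e[2], rho)
    return l * r if tag == '*' else l + r

def abstract(e, R):
    """Abstract semantics [[e]]# on an abstract environment R : X -> P(S): the
    union of the rule of signs over every pair of possible signs."""
    tag = e[0]
    if tag == 'num': return frozenset({alpha0(e[1])})
    if tag == 'var': return R[e[1]]
    l, r = abstract(e[1], R), abstract(e[2], R)
    op = sign_mul if tag == '*' else sign_add
    return frozenset().union(*(op(a, b) for a, b in product(l, r)))

def sound(e, R):
    """Universal approximation: alpha_1 of the concrete results over R is included in [[e]]#(alpha_4(R))."""
    return alpha1({concrete(e, rho) for rho in R}) <= abstract(e, alpha4(R))

# constructed sample: x*x + y*y, evaluated on the slides under rho = [x:5, y:-3]
SQUARES = ('+', ('*', ('var', 'x'), ('var', 'x')), ('*', ('var', 'y'), ('var', 'y')))
```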