«ATutorialon Abstract Interpretation » Patrick Cousot École normale supérieure 45 rue d’Ulm 75230 Paris cedex 05, France [email protected] www.di.ens.fr/~cousot VMCAI’05 Industrial Day VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —1— ľ P. Cousot Static analysis by abstract interpretation VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —2— ľ P. Cousot {n0>=0} Example of static analysis (input) n:=n0; {n0=n,n0>=0} i:=n; {n0=i,n0=n,n0>=0} while (i <> 0 ) do {n0=n,i>=1,n0>=i} j:=0; {n0=n,j=0,i>=1,n0>=i} while (j <> i) do {n0=n,j>=0,i>=j+1,n0>=i} j:=j+1 {n0=n,j>=1,i>=j,n0>=i} od; {n0=n,i=j,i>=1,n0>=i} i:=i-1 {i+1=j,n0=n,i>=0,n0>=i+1} od {n0=n,i=0,n0>=0} VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —3— ľ P. Cousot {n0>=0} Example of static analysis (output) n:=n0; {n0=n,n0>=0} i:=n; {n0=i,n0=n,n0>=0} while (i <> 0 ) do {n0=n,i>=1,n0>=i} j:=0; {n0=n,j=0,i>=1,n0>=i} while (j <> i) do {n0=n,j>=0,i>=j+1,n0>=i} j:=j+1 {n0=n,j>=1,i>=j,n0>=i} od; {n0=n,i=j,i>=1,n0>=i} i:=i-1 {i+1=j,n0=n,i>=0,n0>=i+1} od {n0=n,i=0,n0>=0} VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —3— ľ P. Cousot {n0>=0} Example of static analysis (safety) n:=n0; {n0=n,n0>=0} i:=n; n0 must be initially nonnegative {n0=i,n0=n,n0>=0} (otherwise the program does not while (i <> 0 ) do {n0=n,i>=1,n0>=i} terminate properly) j:=0; {n0=n,j=0,i>=1,n0>=i} while (j <> i) do {n0=n,j>=0,i>=j+1,n0>=i} j:=j+1 j<n0sonoupperoverflow {n0=n,j>=1,i>=j,n0>=i} ` od; {n0=n,i=j,i>=1,n0>=i} i:=i-1 i>0sonoloweroverflow {i+1=j,n0=n,i>=0,n0>=i+1} ` od {n0=n,i=0,n0>=0} VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —3— ľ P. Cousot Static analysis by abstract interpretation Verification: define and prove automatically a property of the possible behaviors of a complex computer pro- gram (example: program semantics); Abstraction: the reasoning/calculus can be done on an ab- straction of these behaviors dealing only with those elements of the behaviors related to the considered property; Theory: abstract interpretation. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —4— ľ P. Cousot Example of static analysis Verification: absence of runtime errors; Abstraction: polyhedral abstraction (affine inequalities); Theory: abstract interpretation. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —5— ľ P. Cousot A very informal introduction to the principles of abstract interpretation VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —6— ľ P. Cousot Semantics The concrete semantics of a program formalizes (is a mathematical model of) the set of all its possible execu- tions in all possible execution environments. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —7— ľ P. Cousot Graphic example: Possible behaviors x(t) Possible trajectories t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —8— ľ P. Cousot Undecidability –Theconcretemathematicalsemanticsofaprogramis an “tinfinite” mathematical object, not computable; –Allnontrivialquestionsontheconcreteprogramse- mantics are undecidable. Example: termination –Assumetermination(P) would always terminates and returns true iff P always terminates on all input data; –Thefollowingprogramyieldsacontradiction P while termination(P) do skip od. ” VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —9— ľ P. Cousot Graphic example: Safety properties The safety properties of a program express that no possi- ble execution in any possible execution environment can reach an erroneous state. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —10— ľ P. Cousot Graphic example: Safety property x(t) Forbidden zone Possible trajectories t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —11— ľ P. Cousot Safety proofs –Asafety proof consists in proving that the intersection of the program concrete semantics and the forbidden zone is empty; – Undecidable problem (the concrete semantics is not computable); –Impossibletoprovidecompletelyautomaticanswers with finite computer resources and neither human in- teraction nor uncertainty on the answer 1. 1 e.g. probabilistic answer. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —12— ľ P. Cousot Test/debugging –consistsinconsideringasubsetofthepossibleexecu- tions; –notacorrectnessproof; – absence of coverage is the main problem. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —13— ľ P. Cousot Graphic example: Property test/simulation x(t) Forbidden zone Error !!! Possible trajectories Test of a few trajectories t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —14— ľ P. Cousot Abstract interpretation –consistsinconsideringanabstract semantics,thatis to say a superset of the concrete semantics of the pro- gram; –hencetheabstractsemanticscovers all possible con- crete cases; – correct:iftheabstractsemanticsissafe(doesnotin- tersect the forbidden zone) then so is the concrete se- mantics VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —15— ľ P. Cousot Graphic example: Abstract interpretation x(t) Forbidden zone Possible trajectories Abstraction of the trajectories t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —16— ľ P. Cousot Formal methods Formal methods are abstract interpretations, which dif- fer in the way to obtain the abstract semantics: – “model checking”: -theabstractsemanticsisgivenmanuallybytheuser; -intheformofafinitarymodeloftheprogramexe- cution; -canbecomputedautomatically,bytechniquesrele- vant to static analysis. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —17— ľ P. Cousot – “deductive methods”: -theabstractsemanticsisspecifiedbyverificationcon- ditions; -theusermustprovidetheabstractsemanticsinthe form of inductive arguments (e.g. invariants); -canbecomputedautomaticallybymethodsrelevant to static analysis. – “static analysis”:theabstractsemanticsiscomputed automatically from the program text according to pre- defined abstractions (that can sometimes be tailored automatically/manually by the user). VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —18— ľ P. Cousot Required properties of the abstract semantics – sound so that no possible error can be forgotten; – precise enough (to avoid false alarms); –assimple/abstract as possible (to avoid combinatorial explosion phenomena). VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —19— ľ P. Cousot Graphic example: The most abstract correct and precise semantics x(t) Forbidden zone Possible trajectories t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —20— ľ P. Cousot Graphic example: Erroneous abstraction — I x(t) Forbidden zone Error !!! Possible trajectories Erroneous trajectory abstraction t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —21— ľ P. Cousot Graphic example: Erroneous abstraction — II x(t) Forbidden zone Error !!! Possible trajectories Erroneous trajectory abstraction t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —22— ľ P. Cousot Graphic example: Imprecision false alarms ) x(t) Forbidden zone False alarm Possible trajectories Imprecise trajectory abstraction t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —23— ľ P. Cousot Abstract domains Standard abstractions –thatserveasabasis for the design of static analyzers: - abstract program data, -abstractprogrambasicoperations; -abstractprogramcontrol(iteration,procedure,con- currency, . ); –canbeparametrized to allow for manual adaptation to the application domains. VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —24— ľ P. Cousot Graphic example: Standard abstraction by intervals x(t) Forbidden zone False alarms Possible trajectories Imprecise trajectory abstraction by intervals t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —25— ľ P. Cousot Graphic example: Amorerefinedabstraction x(t) Forbidden zone Possible trajectories Refinement of intervals t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —26— ľ P. Cousot A very informal introduction to static analysis algorithms VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —27— ľ P. Cousot Standard operational semantics VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —28— ľ P. Cousot Standard semantics –Startfromastandard operational semantics that de- scribes formally: - states that is data values of program variables, - transitions that is elementary computation steps; –Considertraces that is successions of states correspond- ing to executions described by transitions (possibly in- finite). VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —29— ľ P. Cousot Graphic example: Small-steps transition semantics x(t) Possible discrete trajectories t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —30— ľ P. Cousot Example: Small-steps transition semantics of an assignment int x; ... l: x:=x+1; l’: l : x = v l : x = v +1 v [min_int; max_int 1] f ! 0 j 2 ` g l : x = max_int l : x = ˙ (runtime error) [f ! 0 g VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —31— ľ P. Cousot Example: Small-steps transition semantics of l1 : ::: aloop l1 : x = 1 ` 3 & l1: l1 : x =0 l2 : x =1 x:=1; 7 ! l1 : x =1 7 l2: 7 % while x < 10 do l1 : ::: 7 7 l3: l2 : x =1 5l3 : x =1 x:=x+1 ! l3 : x =1 l4 : x =2 l4: ! od l4 : x =2 l3 : x =2 ! l5: l3 : x =2 l4 : x =3 ! ::: l4 : x =10 l5 : x =10 VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —32—! ľ P. Cousot Example: Trace semantics of loop l1: x:=1; l2: while x < 10 do l3: x:=x+1 l4: od l1 : ::: l5: l1 : x = 1 ` 3 & l1 : x =0 l2 : x =1 l3 : x =1 l4 : x =2 7 ! ! ! ! l1 : x =1 7 7 % l1 : ::: 7 7 l3 : x =2 5l4 : x =3::: l4 : x =10 l5 : x =10 VMCAI’05 Industrial Day,! Paris, France, January 20, 2005 ! —33— ! ľ P. Cousot Transition systems t – S; where: h !i - S is a set of states/vertices/. t - }(S S) is a transition relation/set of arcs/. !2 ˆ t VMCAI’05 Industrial Day, Paris, France, January 20, 2005 —34— ľ P.