Abstract Interpretation Static Program Analysisstatic Analysis

Abstract Interpretation Static Program Analysisstatic Analysis

Abstract Interpretation Static Program AnalysisStatic Analysis A general method for automatic and sound approximation of sw run-time behaviors before the execution “before”: statically, without running sw “automatic”: sw analyzes sw “sound”: all possibilities into account “approximation”: cannot be exact “general”: for any source language and property I C, C++, C#, F#, Java, JavaScript, ML, Scala, Python, JVM, Dalvik, x86, Excel, etc I “bu↵er-overrun?”, “memory leak?”, “type errors?”, “x = y at line 2?”, “memory use 2K?”, etc Hakjoo Oh AAA616 2016 Fall, Lecture 3 October 3, 2016 2 / 44 Abstract Interpretation • A powerful framework for designing correct static analysis • “framework” : correct static analysis comes out, reusable • “powerful” : all static analyses are understood in this framework • “simple” : prescription is simple • “eye-opening” : any static analysis is an abstract interpretation Why Abstraction? Examples • Without abstraction, • Does the program have memory errors? (such as buffer overrun or memory leaks)! • can’t capture all possible executions• Does the program always terminate? • can’t terminate Impossible Alan Turing • Abstraction is not omission 5 / 50 • reality: {2, 4, 6, 8, … } • “even number” (abstraction) vs “multiple of 4” (omission) AbstractAbstraction Interpretation The static analysis game MAX++ *a++ = *0 7 / 50 20 AbstractAbstraction Interpretation The static analysis game MAX++ *a++ = *0 8 / 50 20 AbstractAbstraction Interpretation The static analysis game MAX++ *a++ = *0 9 / 50 20 Concrete Interpretation (Standard Semantics) Execution Trace : + 1: x := 0; (Program Points x (Var →Z)) 2: y := 0; (1, {x ⟼ 0}) 3: while (x < 10) { (2, {x ⟼ 0, y ⟼ 0}) 4: x := x + 1; (3, {x ⟼ 0, y ⟼ 0}) 5: y := y + 1; (4, {x ⟼ 1, y ⟼ 0}) 6: } . 7: print(x) (3, {x ⟼ 10, y ⟼ 10}) (7, {x ⟼ 10, y ⟼ 10}) Concrete Interpretation (Collecting Semantics) Partitioned Execution Traces: Z 1: x := 0; Program Points → (Var → 2 ) 2: y := 0; 3: while (x < 10) { (1,{x ⟼ {0}}) (2,{x ⟼ {0}, y ⟼ {0}) 4: x := x + 1; (3,{x ⟼ {0,1,…,9}, 5: y := y + 1; y ⟼ {0,1,…,9}} 6: } (4,{x ⟼ {1,2,…,10}, 7: print(x) y ⟼ {0,1,…,9}} . The possible values of x are {1, …, 10} after executing line 4. (7,{x ⟼ {10}, y ⟼ {10}) Abstract Interpretation (Abstract Semantics) Abstract State: 1: x := 0; : Program Points → (Var → Interval) 2: y := 0; (1, {x ⟼ [0, 0]}) (2, {x ⟼ [0, 0], y ⟼ [0, 0]}) 3: while (x < 10) { (3, {x ⟼ [0, 9], y ⟼ [0, 9]) 4: x := x + 1; (4, {x ⟼ [1, 10], y ⟼ [0, 9]) 5: y := y + 1; . 6: } The possible value of x ranges from 1 to 10 after executing line 4. 7: print(x) (7, {x ⟼ [10, 10], y ⟼ [10, 10]}) 1: x := 0; 2: y := 0; 3: while (very complex) { 4: x := x + 1; 5: y := y + 1; 6: } 7: print(x) Concrete Interpretation (Collecting Semantics) Partitioned Execution Traces 1: x := 0; 2: y := 0; (1, {x ⟼ {0}}) 3: while (very complex) { (2, {x ⟼ {0}, y ⟼ {0}) (3, may be undecidable) 4: x := x + 1; (4, may be undecidable) 5: y := y + 1; . 6: } (7, may be undecidable) 7: print(x) Abstract Interpretation (Abstract Semantics) 1: x := 0; Abstract State 2: y := 0; (1, {x ⟼ [0, 0]}) (2, {x ⟼ [0, 0], y ⟼ [0, 0]}) 3: while (very complex){ (3, {x ⟼ [0,∞], y ⟼ [0,∞]) 4: x := x + 1; (4, {x ⟼ [1,∞], y ⟼ [1,∞]) 5: y := y + 1; The possible value of x is 6: } . greater than or equal to 1 after executing line 4. 7: print(x) (7, {x ⟼ [0,∞], y ⟼ [0,∞]}) Need for Theory • How to ensure that we soundly approximate real executions? • How to ensure the termination of analysis? Abstract Interpretation Framework real execution [[ P ]] = fi x F D 2 [[ Pˆ]] = fi x Fˆ Dˆ abstract execution 2 correctness [[ Pˆ]] [[ Pˆ]] ⇡ implementation computation of [[ Pˆ]] • The framework requires: • a relation between D and Dˆ a relation between F D D and Fˆ Dˆ Dˆ • 2 ! 2 ! • The framework guarantees: • correctness and implementation • freedom: any such D ˆ and F ˆ are fine. Abstract Interpretation Framework real execution [[ P ]] = fi x F D 2 ˆ ˆ ˆ abstract execution [[ P ]] = fi x F D A domain of concrete states 2 (e.g., a set of memories) correctness [[ Pˆ]] [[ Pˆ]] ⇡ implementation computation of [[ Pˆfix]] F = X in D s.t. F(X) = X. A function corresponding to • The framework requires: one-step real execution • a relation between D and Dˆ a relation between F D D and Fˆ Dˆ Dˆ • 2 ! 2 ! • The framework guarantees: • correctness and implementation A function corresponding to one-step abstract execution • freedom: any such D ˆ and F ˆ are fine. Plan • Step 1: Define concrete semantics • Step 2: Define abstract semantics • Step 3: Compute abstract semantics guaranteeing termination • with a finite abstract domain • with a infinite abstract domain Preliminaries for Step 1 • Domain theory • Every program’s meaning is an element of CPO, • which is a least fixed point of a continuous function : CPO → CPO. • Every continuous function has a unique least fixed point. • See: • Mathematical Concepts in Programming Language Concepts, Dana Scott. Preliminaries for Step 1 • What is • CPO? • Continuous Functions? • Least Fixed Point? Partially Ordered SetPartial Order Definition (Partial Order) We say a binary relation is a partial order on a set D i↵ is v v reflexive: p D. p p 8 2 v transitive: p, q, r D. p q q r = p r 8 2 v ^ v ) v anti-symmetric: p, q D. p q q p = p = q 8 2 v ^ v ) We call such a pair (D, ) partially ordered set, or poset. v Lemma If a partially ordered set (D, ) has a least element d,thend is unique. v • {1,2} ⊑ {1,2,3} • {} = ⊥ Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 10 / 30 Least Upper Bound LUB Definition (Least Upper Bound) Let (D, ) be a partially ordered set and let Y be a subset of D.An v upper bound of Y is an element d of D such that d0 Y. d0 d. 8 2 v An upper bound d of Y is a least upper bound if and only if d d for v 0 every upper bound d0 of Y . The least upper bound of Y is denoted by Y . F Lemma If Y has a least upper bound d,thend is unique. • {1,2} ⊔ {3} = {1,2,3} Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 13 / 30 Chain Chain Definition (Chain) Let (D, ) be a poset and Y a subset of D. Y is called a chain if Y is v totally ordered: y ,y Y.y y or y y . 8 1 2 2 1 v 2 2 v 1 Example Consider the poset (}( a, b, c ), ). { } ✓ Y = , a , a, c 1 {; { } { }} Y = , a , c , a, c 2 {; { } { } { }} Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 14 / 30 CPO Complete Partial Order (CPO) Definition (CPO) A poset (D, ) is a CPO, if every chain Y D has Y D. v ✓ 2 F Definition (Complete Lattice) A poset (D, ) is a complete lattice, if every subset Y D has v ✓ Y D. 2 F Lemma If (D, ) is a CPO, then it has a least element given by = . v ? ? ; F Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 15 / 30 Continuous Functions Definition (Continuous Functions) A function f : D D defined on posets (D , ) and (D , ) is 1 ! 2 1 v1 2 v2 continuous if it is monotone and it preserves least upper bounds of chains: f(Y )=f( Y ) G G for all non-empty chains Y in D1.Iff( Y )= f(Y ) holds for the empty chain (that is, = f( )), then we say that f is strict. ? ? F F Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 23 / 30 Least Fixed Points Definition (Fixed Point) Let (D, ) be a poset. A fixed point of a function f : D D is an v ! element d D such that f(d)=d.Wewritefix(f) for the least fixed 2 point of f,ifitexists,suchthat f(fix(f)) = fix(f) d D. f(d)=d = fix(f) d 8 2 ) v Hakjoo Oh AAA616 2016 Fall, Lecture 2 September 19, 2016 26 / 30 Step 1: Define Concrete Semantics Step 1: Define Concrete Semantics Step 1: Define Concrete Semantics The concrete semantics describes the real executions of the program. TheDescribed concrete by semantics semantic describes domain and the function. real executions of the program. DescribedDefine by semantica semantic domain domain and D , function.which is a CPO • A semanticStep domain 1: DefineD,whichisaCPO: Concrete Semantics A semanticI D is a domain partiallyD ordered,whichisaCPO: set with a least element . The concrete semantics describes the real executions? of the program. Step 1: Define ConcreteI IAnyDAnyis increasing a increasing Semantics partially orderedchain chain d set with d a least... inin element DD hashas a a least. least upper upper bound bound • Described by semantic0 domainv 1 andv function. ? I Any increasing chain d d ... in D has a least upper bound n 0 dn in D. 0 1 The concrete semantics describes≥ A thesemantic real executions domainvD,whichisaCPO: ofv the program. dn in D. A semanticn 0 functionI D is a partiallyF : D orderedD set, with which a least is element continuous:. for all chains Described by semantic domainF≥ and function. ? I Any increasing chain!d0 d1 ... in D has a least upper bound A dsemantic0 F d1 function..., F : D Dv, whichv is continuous: for all chains A semantic domain D,whichisaCPO:n 0 dn in D. ! d vd v..., ≥ 0Define1 a semanticA semantic function function F : D D , , which which is continuous:is continuous: for all chainsfor all I D is a partially• v orderedv set withF a least element !.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    52 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us