Abstract Interpretation Part II Mooly Sagiv. Outline u Tarski’s fixed point theorem u The...
39
Abstract Interpretation Part II Mooly Sagiv
-
Upload
mark-carow -
Category
Documents
-
view
215 -
download
0
Transcript of Abstract Interpretation Part II Mooly Sagiv. Outline u Tarski’s fixed point theorem u The...
Abstract InterpretationPart II
Mooly Sagiv
Outline
Tarski’s fixed point theorem The Soundness Theorem Infinite Domains (Widening & Narrowing) Canonic Abstraction Shape analysis is a separate 3 hours lecture with
demos
Fixed Points A monotone function f: L L
l1 l2 f(l1 ) f(l2 ) (L, , , , , ) is a complete lattice Fix(f) = { l: l L, f(l) = l} Red(f) = {l: l L, f(l) l} Ext(f) = {l: l L, l f(l)} Tarski’s Theorem 1955:
– lfp(f) = Fix(f) = Red(f) Fix(f)– gfp(f) = Fix(f) = Ext(f) Fix(f)
f()
f()
f2()
f2()
Fix(f)
Ext(f)
Red(f)
gfp(f)
lfp(f)
Abstract (Conservative) interpretation
abstract representation
Set of states
abstraction
Abstractsemantics
statement s abstract representation
abstraction
Operational semantics
statement sSet of states
abstract representation
Abstract (Conservative) interpretation
abstract representation
Set of states
concretization
Abstractsemantics
statement s abstract representation
concretization
Operational semantics
statement sSet of states Set of states
Abstract (Conservative) interpretation
abstract representation
Set of states
concretization
Abstractsemantics
statement s abstract representation
abstraction
Operational semantics
statement sSet of states
abstract representation
Soundness Theorem [CC] Let (, ) form Galois connection from C to A
(c) a iff c (a) and are monotone( (a)) ac ((c))
f: C C be a monotone function
f# : A A be a monotone function
aA: f((a)) (f#(a))
cC: (f(c)) f#((a))
aA: (f((a)) f#(a)
lfp(f) (lfp(f#))
(lfp(f)) lfp(f#)
f()
f()
f2()
f2()
f(x)=x
f(x)x
f(x)x
gfp(f)
lfp(f)
f#()
f#()
f#2()
f#2()
f#(y)=y
f#(y)y
f#(y)y
gfp(f#)
lfp(f#)
Finite Height Case
f#
f#
Lfp(f#)
f
f#
f
Lfp(f)
f
Example Interval Analysis Find a lower and an upper bound of the value of a
variable Usages? Lattice
L = (Z{-, }Z {-, }, , , , ,)– [a, b] [c, d] if c a and d b– [a, b] [c, d] = [min(a, c), max(b, d)]– [a, b] [c, d] = [max(a, c), min(b, d)]– =– =
The need for disjunctions
if (…)
… [1, 5]
else
… [7, 8]
assert x !=6
Widening for Interval Analysis [c, d] = [c, d] [a, b] [c, d] = [
if a cthen aelse -,
if b dthen belse
]
Example ProgramInterval Analysis
[x := 1]1 ;while [x 1000]2 do [x := x + 1;]3
IntEntry(1) = [-, ]
IntExit(1) = [1,1]
IntEntry(2) = InExit(2) (IntExit(1) IntExit(3))
IntExit(2) = IntEntry(2)
[x:=1]1
[x 1000]2
[x := x+1]3
[exit]4
IntEntry(3) = IntExit(2) [-,1000]
IntExit(3) = IntEntry(3)+[1,1]
IntEntry(4) = IntExit(2) [1001, ]
IntExit(4) = IntEntry(4)
Requirements on Widening For all elements l1 l2 l1 l2 For all ascending chains
l0 l1 l2 …the following sequence is finite– y0 = l0 – yi+1 = yi li+1
For a monotonic function f: L Ldefine– x0 = – xi+1 = xi f(xi )
Theorem:– There exits k such that xk+1 = xk
– xk Red(f) = {l: l L, f(l) l}
Narrowing Improve the result of widening y x y (x y) x For all decreasing chains x0 x1 …
the following sequence is finite– y0 = x0
– yi+1 = yi xi+1
For a monotonic function f: L L and x Red(f) = {l: l L, f(l) l}define– y0 = x– yi+1 = yi f(yi )
Theorem:– There exits k such that yk+1 =yk
– yk Red(f) = {l: l L, f(l) l}
Narrowing for Interval Analysis [a, b] = [a, b] [a, b] [c, d] = [
if a = - then celse a,
if b = then delse b
]
Example ProgramInterval Analysis
[x := 1]1 ;while [x 1000]2 do [x := x + 1;]3
IntEntry(1) = [- , ]
IntExit(1) = [1,1]
IntEntry(2) = InExit(2) ( IntExit(1) IntExit(3))
IntExit(2) = IntEntry(2)
[x:=1]1
[x 1000]2
[x := x+1]3
[exit]4
IntEntry(3) = IntExit(2) [-,1000]
IntExit(3) = IntEntry(3)+[1,1]
IntEntry(4) = IntExit(2) [1001, ]
IntExit(4) = IntEntry(4)
Non Montonicity of Widening
[0,1] [0,2] = [0, ] [0,2] [0,2] = [0,2]
Widening and Narrowing Summary
Very simple but produces impressive precision Sometimes non-monotonic The McCarthy 91 function
Also useful in the finite case Can be used as a methodological tool
int f(x) [- , ] if x > 100 then [101, ] return x -10 [91, -10]; else [-, 100] return f(f(x+11)) [91, 91] ;
Numerical Abstractions
x
y
x c y c
Interval
x y c Octagon
c1x c2y c Polyhedron
Octagon only maintains correlations between two variables
Non-Numerical Abstractions
Predicate Abstraction
L = (P(P(B)), , , , ,)
X Y if X Y X Y = X Y X Y = X Y = P(B)
=
Example Programs
if (x > 0) y = malloc();
…
if (x >0)
z = *y;
while x != y do
x = x n;
Canonical Abstraction
Abstract unbounded sets of memory locations into a bounded set
Partition based abstraction Use unary relations (symbols as distinctions) Maintain binary relations when necessary
x
t
n n u2u1 u3
Canonical Abstraction
x = null;
while (…) do {
t = malloc();
t.next=x;
x = t
}u1 x
t
u2,3 n
n
n
Canonical Abstraction and Equality
x = null;
while (…) do {
t = malloc();
t .next=x;
x = t
}
u1x
t
u2 u3
u1 x
t
u2,3
eq
n n
n
n
eq eq
eq
eqeq
u2,3
eq
eq
eq
Heap Sharing relation
is(v)=0
u1x
t
u2 un…
u1 x
t
u2..n
n
n
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v)=0 is(v)=0
is(v)=0 is(v)=0
n n n
Heap Sharing relation
is(v)=0
u1x
t
u2 un…
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v)=1 is(v)=0
n n
n
n
u1 x
t
u2 n
is(v)=0 is(v)=1 is(v)=0
n
u3..n
n
n
Reachability relationt[n](v1, v2) = n*(v1,v2)
u1x
t
u2 unn n n
t[n] t[n] t[n]
t[n]
t[n]
t[n]
u1 x
t
u2..n
n
n
t[n]
t[n]
t[n]
...
List Segments
u1
x
u2 u5nu3 u4 u6 u7 u8n n n n n n
y
u1
x
u2,3,4,6,7,8 u5n n
y
Reachability from a variable
r[y](v) =w: y(w) n*(w, v)
u1
x
u2 u5nu3 u4 u6 u7 u8n n n n n n
y
r[y]=0 r[y]=0 r[y]=0 r[y]=1 r[y]=1 r[y]=1
u1
x
u2,3,4 u5n n n
y
u6,7,8
Sortedness
u1x
t
u2 unn n n
dle dle dle
dle
dle
dle
u1x
t
u2..n
n
n
dle
dle
dle
...
Example: SortednessinOrder(v) = v1: n(v,v1) dle(v, v1)
u1x
t
u2 unn n
dle dle dle
dle
dle
dle
u1x
t
u2..n
n
n
dle
dledle
inOrder = 1 inOrder = 1 inOrder = 1
inOrder = 1 inOrder = 1
n...
Example: InsertSort
Run Demo
List InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r n; pl = NULL; while (l != r) { if (l data > r data) { pr n = rn; r n = l; if (pl = = NULL) x = r; else pl n = r; r = pr; break; } pl = l; l = l n; } pr = r; r = rn; } return x; }
typedef struct list_cell { int data; struct list_cell *n;} *List;
Example: InsertSort
Run Demo
List InsertSort(List x) { if (x == NULL) return NULL pr = x; r = x->n; while (r != NULL) {
pl = x; rn = r->n; l = x->n; while (l != r) {
pr->n = rn ; r->n = l;
pl->n = r; r = pr; break; }
pl = l; l = l->n;
} pr = r; r = rn;
}
typedef struct list_cell { int data; struct list_cell *n;} *List;
14
void Mark(Node root) {
if (root != NULL) {
pending =
pending = pending {root}
marked =
while (pending ) {
x = SelectAndRemove(pending)
marked = marked {x}
t = x left
if (t NULL)
if (t marked)
pending = pending {t}
/* t = x right
* if (t NULL)
* if (t marked)
* pending = pending {t} */ }
}
assert(marked = = Reachset(root))}
There may exist an individual that is reachable from the root, but not marked
x
r[root]
m
root
r[root]
left
right
right
left
right
Conclusions(1)
Good static analysis = – Precise enough (for the client)– Efficient enough
Good static analysis– Good domain
» Abstract non-important details» Represent relevant concrete information» Precise and efficient abstract meaning of abstract interpreters» Efficient join implementation» Small height or widening
Conclusions(2) The Theory of Static Analysis is well founded
– Abstraction– Soundness– Chaotic iterations– Elimination methods– Modular methods
Weak Parts– Transformations– Predictable approximations– User defined abstractions– System
![TARSKI’S [7] 6’ of cs 6, SCIIOLZ - IBM](https://static.fdocuments.net/doc/165x107/619c19787e46e30edd1e0285/tarskis-7-6-of-cs-6-sciiolz-ibm.jpg)
![A REPORT ON TARSKI’S DECIDABILITY PROBLEM: …zlil/decidability.pdf · of the free groups is decidable [Ma2]. However, the generalization of Merzlyakov’s theorem to general (not](https://static.fdocuments.net/doc/165x107/606ee875851a357aa9229806/a-report-on-tarskias-decidability-problem-zlil-of-the-free-groups-is-decidable.jpg)
