Abstract Interpretation:
concrete and abstract semantics
2
Concrete semantics
• We consider a very tiny language that manages arithmetic
operations on integer values:
  $e ::= i \mid e_1 \; op \; e_2$
• The (concrete) semantics of the language can be defined by the
function m defined by:
  $m : Exp \to Int$
  $m(i) = i$
  $m(e_1 \; op \; e_2) = m(e_1) \; op \; m(e_2)$
3
Abstract Semantics
• Consider now an abstract semantics over the domain of signs; we
write the abstract semantic function $m^\sharp$:
  $m^\sharp : Exp \to \{+, -, 0\}$
  $m^\sharp(i) = +$ if $i > 0$, $\;0$ if $i = 0$, $\;-$ if $i < 0$
  $m^\sharp(e_1 \; op \; e_2) = m^\sharp(e_1) \; op^\sharp \; m^\sharp(e_2)$
4
From a different perspective
• We can associate to each abstract value the set of concrete
elements it represents.
• The concretization function $\gamma$:
  $\gamma : \{+, 0, -\} \to 2^{Int}$
  $\gamma(+) = \{ i \mid i > 0 \}$
  $\gamma(0) = \{ 0 \}$
  $\gamma(-) = \{ i \mid i < 0 \}$
5
Concretization
• The concretization function maps an abstract value to a set of
concrete elements.
• Let D denote the concrete domain and A denote the abstract
domain. The correctness of the abstract semantics wrt the concrete
one can be expressed by:
  $m(e) \in \gamma(m^\sharp(e))$
  where $m : Exp \to D$, $m^\sharp : Exp \to A$ and $\gamma : A \to 2^D$.
6
Abstract Interpretation
• Abstract Interpretation is:
– Computing the semantics of a program in an abstract
domain
– In the case of signs, the domain so far is {+,0,-}.
• The abstract semantics should be correct
– it is an over-approximation of the concrete semantics
• The relation between the two domains is given by a
concretization function
7
Consider the unary operator -
• Let us add to our language the unary operator -
  $m(-e) = -m(e)$
  $m^\sharp(-e) = -m^\sharp(e)$, where on signs $-(+) = -$, $\;-(0) = 0$, $\;-(-) = +$
8
Consider the binary operation +
• Adding the addition operator forces us to modify the domain, as the
previous one is not able to represent the result of adding numbers of
opposite sign
  $m(e_1 + e_2) = m(e_1) + m(e_2)$
  $m^\sharp(e_1 + e_2) = m^\sharp(e_1) + m^\sharp(e_2)$, where on signs
  $+ + + = +$, $\;+ + 0 = +$, $\;+ + - = \;?$
  $0 + 0 = 0$, $\;- + - = -$, $\;- + + = \;?$
9
So…
• We add to the domain a new element ⊤ that represents all the integer
numbers (both positive and negative, and zero)
  $\gamma(\top) = Int$
  The domain becomes $\{+, 0, -, \top\}$ and the missing cases of addition become
  $+ + - = \top$, $\;- + + = \top$, $\;\top + a = a + \top = \top$ for every $a$.
10
The operations should be revisited
  +  | +  0  -  ⊤          ×  | +  0  -  ⊤
  ---+------------         ---+------------
  +  | +  +  ⊤  ⊤          +  | +  0  -  ⊤
  0  | +  0  -  ⊤          0  | 0  0  0  0
  -  | ⊤  -  -  ⊤          -  | -  0  +  ⊤
  ⊤  | ⊤  ⊤  ⊤  ⊤          ⊤  | ⊤  0  ⊤  ⊤
11
Examples
  $m((1 + 2) - 3) = 0$
  $m^\sharp((1 + 2) - 3) = (+ + +) - (+) = + - + = \top$
  $m((5 \times 5) + 6) = 31$
  $m^\sharp((5 \times 5) + 6) = (+ \times +) + (+) = +$
Sometimes there is information loss due to the abstract operations;
sometimes there is no information loss with respect to the abstraction.
12
Consider the division operator /
• Problem: what is the result of dividing by zero? No number!
• So we need a new element ⊥ in our domain that represents the
empty set of integers (i.e. a failure state)
• But what's wrong in the table below?
  /  | +  0  -  ⊤
  ---+------------
  [rows for +, 0 and - lost in extraction]
  ⊤  | ⊤  0  ⊤  ⊤
13
The resulting abstract domain
• It is a finite complete lattice:
        ⊤
      / | \
     -  0  +
      \ | /
        ⊥
• The partial order is coherent wrt the
concretization function:
  $x \sqsubseteq y \implies \gamma(x) \subseteq \gamma(y)$
14
The abstraction function
• The concretization function has an adjoint function, the abstraction
function $\alpha$.
• Function $\alpha$ maps a set of concrete values into the best
representation of this set in the abstract domain (the smallest
element of the abstract domain that represents all of these elements)
• In our example:
  $\alpha : 2^{Int} \to A$
  $\alpha(S) = \mathrm{lub}(\{ + \mid i \in S, i > 0 \} \cup \{ 0 \mid i \in S, i = 0 \} \cup \{ - \mid i \in S, i < 0 \})$
  $m^\sharp(i) = \alpha(\{ i \})$
15
A general definition
• An Abstract Interpretation consists of:
– An abstract domain A and a concrete domain D
– A and D are complete lattices. Smaller means "more precise"
– Two monotone adjoint functions that form a Galois insertion
– Abstract operations that are correct wrt the concrete ones
– A fixpoint algorithm
• Galois insertion:
  $\forall x \in 2^D.\; x \subseteq \gamma(\alpha(x))$
  $\forall x \in A.\; x = \alpha(\gamma(x))$
16
Correctness revisited
• In case of a Galois insertion, these correctness conditions
are equivalent (prove it!):
  $m(e) \in \gamma(m^\sharp(e))$
  $\alpha(\{ m(e) \}) \sqsubseteq m^\sharp(e)$
  with $m : Exp \to D$, $m^\sharp : Exp \to A$, $\gamma : A \to 2^D$ and $\alpha : 2^D \to A$.
17
Correctness
• We show that in order to ensure the correctness of the whole
analysis the following conditions are sufficient:
1. The functions $\alpha$ and $\gamma$ are monotone
2. The functions $\alpha$ and $\gamma$ form a Galois insertion
3. The abstract operations are locally correct, i.e.
  $\alpha(op(s_1, \ldots, s_n)) \sqsubseteq op^\sharp(\alpha(s_1), \ldots, \alpha(s_n))$
• Notice that there is always a way to define a locally correct abstract
operation. It is sufficient to consider the operation that returns the
top element of the abstract domain.
18
Local correctness
The diagram: the sets $s_1, \ldots, s_n \in 2^D$ are sent by $op$ to
$op(s_1, \ldots, s_n) \in 2^D$ and by $\alpha$ to $\alpha(s_1), \ldots, \alpha(s_n) \in A$,
which $op^\sharp$ sends to $op^\sharp(\alpha(s_1), \ldots, \alpha(s_n)) \in A$.
The two paths agree up to $\sqsubseteq$:
  $\alpha(op(s_1, \ldots, s_n)) \sqsubseteq op^\sharp(\alpha(s_1), \ldots, \alpha(s_n))$
19
Correctness proof
• We show by structural induction on e that:
  $m(e) \in \gamma(m^\sharp(e))$
• Basic step:
  $m(i) = i$                                (def. of $m$)
  $\quad \in \gamma(\alpha(\{ i \}))$       (Galois insertion)
  $\quad = \gamma(m^\sharp(i))$             (def. of $m^\sharp$)
20
Correctness proof
Inductive step
  $m(e_1 \; op \; e_2) = m(e_1) \; op \; m(e_2)$                             (def. of $m$)
  $\quad \in \gamma(m^\sharp(e_1)) \; op \; \gamma(m^\sharp(e_2))$           (by inductive hypothesis, $op$ applied pointwise to sets)
  $\quad \subseteq \gamma(m^\sharp(e_1) \; op^\sharp \; m^\sharp(e_2))$      (local correctness)
  $\quad = \gamma(m^\sharp(e_1 \; op \; e_2))$                                (def. of $m^\sharp$)
Hence $m(e) \in \gamma(m^\sharp(e))$.
21
Adding an input
• We can extend our tiny language with the possibility to
get an input value from the user
• This means that we have a variable x in the expressions
  $e ::= i \mid e_1 \; op \; e_2 \mid \ldots \mid x$
22
Concrete semantics
• The semantic function m becomes
  $m : Exp \to Int \to Int$
• And we may express it in terms of a family of functions, having
expressions as indices and a single parameter (the input value):
  $m_i(j) = i$
  $m_x(j) = j$
  $m_{e_1 \; op \; e_2}(j) = m_{e_1}(j) \; op \; m_{e_2}(j)$   (one such clause for each binary operator)
  ...
23
Abstract semantics
• The same holds for the abstract semantic function
  $m^\sharp : Exp \to A \to A$
• Also in this case we can express it by a family of functions:
  $m^\sharp_i(a) = \alpha(\{ i \})$
  $m^\sharp_x(a) = a$
  $m^\sharp_{e_1 \; op \; e_2}(a) = m^\sharp_{e_1}(a) \; op^\sharp \; m^\sharp_{e_2}(a)$
  ...
24
Correctness
• The following conditions are equivalent
  $\forall i \in Int.\; m_e(i) \in \gamma(m^\sharp_e(\alpha(\{ i \})))$
  $m_e \subseteq \gamma \circ m^\sharp_e \circ \alpha$   (with $m_e$ lifted pointwise to sets)
  $\alpha \circ m_e \sqsubseteq m^\sharp_e \circ \alpha$
  where $m_e : D \to D$, $m^\sharp_e : A \to A$, $\gamma : A \to 2^D$ and $\alpha : 2^D \to A$.
25
Local correctness
• We can express the local correctness condition by:
  $op(\gamma(m^\sharp_{e_1}(j)), \ldots, \gamma(m^\sharp_{e_n}(j))) \subseteq \gamma(op^\sharp(m^\sharp_{e_1}(j), \ldots, m^\sharp_{e_n}(j)))$
26
Conditional statement
• Concrete semantics
  $e ::= \ldots \mid \text{if } e_1 \mathrel{?} e_2 \text{ then } e_3 \text{ else } e_4 \mid \ldots$
  (the comparison operator between $e_1$ and $e_2$, written ? here, did not survive extraction)
  $m_{\text{if } e_1 ? e_2 \text{ then } e_3 \text{ else } e_4}(i) = \text{if } m_{e_1}(i) \mathrel{?} m_{e_2}(i) \text{ then } m_{e_3}(i) \text{ else } m_{e_4}(i)$
• Abstract semantics
  $m^\sharp_{\text{if } e_1 ? e_2 \text{ then } e_3 \text{ else } e_4}(a) = m^\sharp_{e_3}(a) \sqcup m^\sharp_{e_4}(a)$
• Notice the role of the lub in the abstract domain
27
Correctness of the conditional statement
• Assume that the condition is true (the other case is analogous)
  $m_{\text{if } e_1 ? e_2 \text{ then } e_3 \text{ else } e_4}(i) = m_{e_3}(i)$                          (def. of $m$, condition true)
  $\quad \in \gamma(m^\sharp_{e_3}(\alpha(\{ i \})))$                                                   (by induction)
  $m^\sharp_{e_3}(\alpha(\{ i \})) \sqsubseteq m^\sharp_{e_3}(\alpha(\{ i \})) \sqcup m^\sharp_{e_4}(\alpha(\{ i \}))$
  $\gamma(m^\sharp_{e_3}(\alpha(\{ i \}))) \subseteq \gamma(m^\sharp_{e_3}(\alpha(\{ i \})) \sqcup m^\sharp_{e_4}(\alpha(\{ i \})))$   (monotonicity of $\gamma$)
  $\quad = \gamma(m^\sharp_{\text{if } e_1 ? e_2 \text{ then } e_3 \text{ else } e_4}(\alpha(\{ i \})))$       (def. of $m^\sharp$)
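The following Python is an added worked example, not code from the slides. It implements the whole development in one place: the sign lattice {⊥, -, 0, +, ⊤} with its concretization γ and abstraction α, the abstract tables for unary minus, addition, multiplication and division (plus a tempting but wrong division table that the check rejects), an enumerative check of the local correctness condition α(op(s₁,…,sₙ)) ⊑ op#(α(s₁),…,α(sₙ)), and the families of functions m_e and m#_e over expressions with an input x and a conditional, together with the check m_e(i) ∈ γ(m#_e(α({i}))). Our assumptions: expressions are encoded as Python tuples, the conditional tests e₁ = e₂ (the slides' comparison symbol is lost), division is Python floor division, and the enumeration ranges over a finite window of integers, so the check is a sampled test rather than a proof.

```python
# Added example (not from the slides): the sign lattice {⊥, -, 0, +, ⊤}, γ and α,
# the abstract operation tables, an enumerative local-correctness check, and the
# abstract evaluation of expressions with an input x and a conditional.
from itertools import product

BOT, NEG, ZERO, POS, TOP = "⊥", "-", "0", "+", "⊤"   # the abstract domain A
A = (BOT, NEG, ZERO, POS, TOP)
WINDOW = range(-4, 5)   # finite sample of Int for enumeration (a check, not a proof)

def sign(i):
    return NEG if i < 0 else ZERO if i == 0 else POS

def in_gamma(i, a):   # i ∈ γ(a): ⊤ covers every integer, ⊥ covers none
    return a == TOP or (a != BOT and sign(i) == a)

def gamma(a):   # γ(a) restricted to WINDOW, so that it can be enumerated
    return {i for i in WINDOW if in_gamma(i, a)}

def leq(a, b):   # partial order ⊥ ⊑ -, 0, + ⊑ ⊤, coherent with γ(a) ⊆ γ(b)
    return a == b or a == BOT or b == TOP

def lub(a, b):
    return b if leq(a, b) else a if leq(b, a) else TOP

def alpha(S):   # α(S): least abstract value whose concretization contains S
    r = BOT
    for i in S:
        r = lub(r, sign(i))
    return r

# Abstract operations; ⊥ is absorbing (no value in, no value out).
def neg_abs(a):
    return {NEG: POS, POS: NEG}.get(a, a)

def mul_abs(a, b):
    if BOT in (a, b): return BOT
    if ZERO in (a, b): return ZERO
    if TOP in (a, b): return TOP
    return POS if a == b else NEG

def add_abs(a, b):
    if BOT in (a, b): return BOT
    if a == ZERO: return b
    if b == ZERO: return a
    return a if a == b else TOP   # opposite signs, or ⊤ involved: any integer

def div_abs(a, b):
    """Floor division as in Python: a zero divisor has no result (⊥), and
    +/+ or -/- can give 0 (1 // 2 == 0), so those cells must be ⊤, not +."""
    if BOT in (a, b) or b == ZERO: return BOT
    if a == ZERO: return ZERO
    if {a, b} == {NEG, POS}: return NEG   # -1 // 2 == -1 and 1 // -2 == -1
    return TOP

def naive_div_abs(a, b):   # a tempting but wrong table: "same sign gives +"
    return POS if a == b and a in (NEG, POS) else div_abs(a, b)

CONCRETE = {"+": lambda i, j: i + j, "*": lambda i, j: i * j, "/": lambda i, j: i // j}
ABSTRACT = {"+": add_abs, "*": mul_abs, "/": div_abs}

def local_correctness(op, op_abs):
    """Pairs (a, b) with α({i op j | i ∈ γ(a), j ∈ γ(b)}) ⋢ op#(a, b); empty if correct."""
    bad = []
    for a, b in product(A, repeat=2):
        results = set()
        for i, j in product(gamma(a), gamma(b)):
            try:
                results.add(CONCRETE[op](i, j))
            except ZeroDivisionError:   # no concrete result, so nothing to represent
                pass
        if not leq(alpha(results), op_abs(a, b)):
            bad.append((a, b))
    return bad

# Expressions: int | "x" | ("-", e) | (op, e1, e2) | ("if", e1, e2, e3, e4),
# the last read as "if e1 = e2 then e3 else e4" (the comparison is our assumption).
def m(e, i):
    """Concrete semantics m_e(i); raises ZeroDivisionError where undefined."""
    if isinstance(e, int): return e
    if e == "x": return i
    if e[0] == "-": return -m(e[1], i)
    if e[0] == "if": return m(e[3], i) if m(e[1], i) == m(e[2], i) else m(e[4], i)
    return CONCRETE[e[0]](m(e[1], i), m(e[2], i))

def mu(e, a):
    """Abstract semantics m#_e(a); the conditional is the lub of both branches."""
    if isinstance(e, int): return alpha({e})
    if e == "x": return a
    if e[0] == "-": return neg_abs(mu(e[1], a))
    if e[0] == "if": return lub(mu(e[3], a), mu(e[4], a))
    return ABSTRACT[e[0]](mu(e[1], a), mu(e[2], a))

def correct(e):
    """m_e(i) ∈ γ(m#_e(α({i}))) for every sampled i at which m_e is defined."""
    for i in WINDOW:
        try:
            v = m(e, i)
        except ZeroDivisionError:
            continue
        if not in_gamma(v, mu(e, alpha({i}))):
            return False
    return True
```

Evaluating `("+", ("+", 1, 2), ("-", 3))` reproduces the slides' loss of information (concretely 0, abstractly ⊤), while `("+", ("*", 5, 5), 6)` stays at +; `("if", "x", 0, 1, ("-", 1))` shows the lub at work, since the abstract result is ⊤ whatever the input sign. `local_correctness("/", naive_div_abs)` reports the cells (+, +) and (-, -), because 1 // 2 == 0 is a concrete result that + does not represent; with `div_abs` every table passes.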