Lecture 10 Abstract Interpretation using Fixpoints
-
Upload
octavius-michael -
Category
Documents
-
view
26 -
download
0
description
Transcript of Lecture 10 Abstract Interpretation using Fixpoints
Notation
Partial order:Least upper bound: lub, sup, Greatest lower bound: glb, inf, Least fixpoint: lfp
Complete lattice: always exist
Tarski’s fixpoint theorem
(A, ) complete lattice
G : A A monotonic functionPostfixp = { x | G(x) x }
Then G has least fixpoint, lfp(G) and it’s PostfixpSo, if G(x) x then x Postfixp, so lfp(G) x
Let G be also -continuous.Then { Gn ( ) | n 0 } = lfp(G)
Fixpoints for Recursive Definitions
Given monotonic G in complete lattice,If G(P) P then lfp(G) P
Natural numbers: lfp under adding successors: G(P) = {0} {x+1|x P} lfp(G) = {0,1,2, … } (natural numbers)Take a property PP(x), let P = {x | PP(x)}What does G(P) P mean? {0} U {x+1|x P} P
0 P x P x+1 PIf so, we get that all natural numbers are in P
Structural Recursion
Trees = lfp(G) whereG(P) = { Leaf } U
{ Node(t1,x,t2) | t1P, t2P}To prove all trees satisfy property, prove for the set P of trees satisfying property that G(P) P.
{ Leaf } U { Node(t1,x,t2) | t1 P /\ t2 P} PStructural induction!
Every inductively defined set is given as lfp(G) for some G, and this gives us an induction principle.
Concrete postInit,Good S r SxSGoal: show sp(Init,r*) GoodApproach: find I S such that sp(Init,r*) I GoodDefine post : 2S 2S post(P) = Init U sp(P,r)– post is monotonic function on complete lattice 2S so it has a
least fixpoint. This is sp(Init,r*)– Consequence: if post(P) P, then sp(Init,r*) P– Remark: post is also -continuous
and join morphism: post(UC)=U{post(x)|xC} so this is also equal to U{ postn({}) | n ≥ 0}
Strategy: find P such thatpost(P) P and then check that P Good
Example
k=1; while(k < 100) { k=k+3 }; assert(k <= 255)k=1; loop {assume(k < 100); k=k+3}; assume(k>=100); assert(k <= 255)
r = {(k,k’) | (k < 100 /\ k’ = k + 3) }Approximating sp({1},r*)post(P) = {1} U sp(P,r) = {1} U {k+3|k P, k < 100}postn({}): {}, {1}, {1,4}, …, {1,…,97},{1,…,97,100}, {1,…,97,100}
Approximate post
Let apost be approximation of post, that is, post(P) apost(P)
for all sets P (e.g. take interval enclosing a set)If we find P such that apost(P) P, then
post(P) apost(P) PSummary: all we need is – apost that approximes post– a postfix point P of apost, ideally as small as
possible, hoping to be able to prove P Good
Domain: Representation of Invariants
apost will work only on certain invariants (e.g. only intervals)Represent these invariants as another set A.Define concretization : A 2S
post# : A A (post#(a)) = apost((a))Then post(P) apost(P) becomes
post((a)) (post#(a))This is the soundness condition.
Postfixpoint in Abstract Domain
We have found a postfixpoint (a) if(post#(a)) (a)
How to effectively check if this inclusion holds?Define an ordering on domain that is computable and satisfies:
a1 a2 (a1) (a2)If post#(a) a , then (post#(a)) (a) is monotonic. We need postfixpoint of Define such that it is ordering, the nicer ordering the better (e.g. complete lattice).
Interval Approximationpost(P) = {1} U {k+3|k P /\ k < 100}post#() = [1,1]post#([a,b]) = [min(1,a+3),min(b+3,102)]
Soundness: post([a,b]) post#([a,b]){1}U{k+3|a ≤ k ≤ b, k < 100} [min(1,a+3),min(b+3,102)]
(post#)n(): , [1,1], [1,4], …, [1,97],
lfp(post#) = [1,102]We proved automatically
sp({1},r*) [1,102]
How to define post# ?
One way: Galois comes to rescueSuppose s.t. (, ) is Galois connection. Then
post((a)) (post#(a))is equivalent to ( on right = on left)
(post((a)) post#(a)So we can define:
post#(a) = (post((a))Note: such post# is monotonic
Finding fixpoint of post#
Compute post# iteration:(post#)n()
If for some n (post#)n()= (post#)n+1()then for this n lfp(post#) = (post#)n()
To help make this happen• make post# monotonic• design domain so post# iteration terminates in
finitely many steps
Galois Connection: Monotonicity
: A 2S ([L,U]) = {x | L ≤ x ≤ U} : 2S A (c) = [min(c),max(c)]Prove , are monotonic
Galois Connection Condition
: A 2S ([L,U]) = {x | L ≤ x ≤ U} : 2S A (c) = [min(c),max(c)]Galois connection condition
c (a) (c) aProve it for case where c is bounded, a is [L,U]
Multiple variables
Wish to track interval for each variableWe track not [L,U] but ([L1,U1],[L2,U2])
If program state is (x,y), define(([L1,U1],[L2,U2])) = {(x,y) | }(p) = ([L1,U1],[L2,U2]) L1 = U1 = L2 = U2 =