Compilation and Program Analysis (#8) :Abstract Interpretation
Laure Gonnordhttp://laure.gonnord.org/pro/teaching/capM1.html
Master 1, ENS de Lyon
Nov 2017
Objective
Compilation vs program analysis :
Compilation : generate code (with the “same” semantics).
Program Analysis : infer properties, prove absence of bugs.
I Programs are inputs.
Inspiration for slides : M2 course Program Analysis, D. Monniaux, D. Hirschkoff, P.
Roux, . . . .
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 2 / 89 �
Reference book
Chapters 2.4 (dataflow) and 4 (abstract interpretation).
A nice paper (in french), about ocaml implementation for finitelattices : http://perso.ens-lyon.fr/pierre.roux/media/jfla2011.pdf
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 3 / 89 �
Program analysis & Abstract Interpretation
Typical questions we want to ask/bugs to avoid
x:=a/b make sure that b 6= 0.
x:=t[i] make sure that i is within the bounds of t.
i:=i+1 make sure there is no overflow.
or more complex properties.
Fully automatic !
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 4 / 89 �
Come back on dataflow
1 Come back on dataflow
2 A bit of theory : IA on finite lattices
3 Computing Invariants in infinite height lattices.
4 Application - Tools
5 Designing Analyses that scale
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 5 / 89 �
Come back on dataflow
Liveness
exit
entry
Block `
LVexit(`) =
∅ if ` = final⋃{LVentry(`′)|(`, `′) ∈ flow(G)}
LVentry(`) =(LVexit(`)\killLV (`)
)∪ genLV (`)
I “Backward” set of recurrence equations.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 6 / 89 �
Come back on dataflow
Available expressions
exit
entry
Block `
AEentry(`) =
∅ if ` = init⋂{AEexit(`
′)|(`′, `) ∈ flow(G)}
AEexit(`) =(AEentry(`)\killAE(`)
)∪ genAE(`)
I “Forward” set of recurrence equations.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 7 / 89 �
Come back on dataflow
Common points
Computing growing sets from ∅ via fixpoint iterations. (orthe dual)
Sets of equations of the form (collecting semantics) :
S(`) =⋃
(`′,`)∈E
f(S(`′))
where f is computed w.r.t. the program statements
I S is an abstract interpretation of the program.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 8 / 89 �
A bit of theory : IA on finite lattices
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.
4 Application - Tools
5 Designing Analyses that scale
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 9 / 89 �
A bit of theory : IA on finite lattices
Concrete semantics : refreshing memories
Program control points are denoted by ` ∈ L. Environnementsassign values to variables.Operational semantics :
Recursive equations involving sets of environments.
The fixpoint yields a function of type L → P(Var→ Val).(set of possible memory states of each variable at eachline).
I Concrete semantics = least fixpoint. It exists(Knaster-Tarski’s theorem). No hope to compute it.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 10 / 89 �
A bit of theory : IA on finite lattices
Concrete semantics-revisited
kinit k1
cos(y) ≤ x → x := x+ 1
x 6= y → y := yx
true → y := y + 2
Semantics of the programs as transition systems :
A state is a pair (k,Val) :
Val : Var→ N d
Var is [[0, . . . , d− 1]] (finite set, d vars)N is N, Z, Q
Initial states : (kinit, allv).
+ “transition relation” (concrete) denoted by→.Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 11 / 89 �
A bit of theory : IA on finite lattices
Computing concrete semantics-reachability
Notations :
Σ concrete states, (σ a state).
Σ0 ⊆ Σ : set of initial states.
reachable states : σ is reachable iff :
∃σ0 ∈ Σ0 σ0 →∗ σ
R(X) = {y ∈ Σ | ∃x ∈ X x→ y}.
Xn : set of states reachable in at most n steps : X0 = Σ0,X1 = Σ0 ∪R(Σ0), X2 = Σ0 ∪R(Σ0) ∪R(R(Σ0)), etc.
I The sequence Xk is ascending for ⊆. Its limit (= the union ofall iterates) is the set of reachable states.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 12 / 89 �
A bit of theory : IA on finite lattices Computing invariants
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 13 / 89 �
A bit of theory : IA on finite lattices Computing invariants
Computing concrete semantics-iterative computation
Remark Xn+1 = φ(Xn) with φ(X) = Σ0 ∪R(X).
How to compute efficiently the Xn ? And the limit ?
Explicit representations of Xn (list all states) : If Σ finite, Xn
converges in at most |Σ| iterations.
else, we have to cope with two problems :Representing the Xis and computing R(Xi).Computing the limit ?
I X∞ = ∪φn(X0) is the strongest invariant of the programI Looking for overapproximations : X∞ ⊆ Xresult also calledinvariant.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 14 / 89 �
A bit of theory : IA on finite lattices Computing invariants
Invariants for programs
init
loop
end
x := 0
x ≥ 100
x ≤ 99
→ x++
I {x ∈ N, 0 6 x 6 100} is the most precise invariant in controlpoint loop.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 15 / 89 �
A bit of theory : IA on finite lattices Computing invariants
Inductive invariants(Inductive) invariant : set X of states s.t. φ(X) ⊆ X : with
φ(X) = X0 ∪ {y ∈ Σ | ∃x ∈ X x→ y}
Properties :
If X et Y two invariants, then so is X ∩ Y .
φ monotonic for ⊆ (if X ⊆ Y , then φ(X) ⊆ φ(Y )).
φ(X ∩ Y ) ⊆ φ(X) ⊆ X, same for Y , thusφ(X ∩ Y ) ⊆ X ∩ Y .
Same for intersections of infinitely many invariants.
I Thus the strongest invariant can be defined as theintersection of all invariants. This invariant satisfies φ(X) = X,it is the least fixed point of φ.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 16 / 89 �
A bit of theory : IA on finite lattices Computing invariants
Back to our problem
Given a program (or an interpreted automaton), find inductiveinvariants for each control point : Recall : a state is a pair
(pc,Val) :Val : Var→ N d
I We want to compute lfp(φ) with
φ(X) = X0 ∪ {y ∈ Σ | ∃x ∈ X x→ y}
and→ entails the concrete semantics of the program.
This is unfeasible in general
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 17 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 18 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Representing sets of valuations
First problem to cope with : represent sets of valuations
Val : Var→ N d
Var is [[0, . . . , d− 1]] (finite set, d vars)
N is N, Z, Q
I Find a finite representation ! abstract value/abstractdomain.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 19 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Representing sets of valuations 2/2
Represent values of variables :
Rpc ∈ P(Nd)
by a finite computable superset R]pc :
y
xxx
y y
I And compute such abstract values for each control point.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 20 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Computing R
Second problem to cope with : computing the transitionrelation
R(`,X) = {(`′, x′)|∃x ∈ X and (`, x)→ (`′, x′)}
X is a (representation of a) set of valuations
→ is the program transition function (the semantics)
I We have to adapt→ into an abstract semantics→]. R willbe changed into R].
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 21 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Some examples of abstractions
For numerical values, we can abstract P(Var→ Val) by :
Signs
Constant+Value / Non Constant
Intervals (Boxes)
More complex shapes (see later).
The function used to abstract elements of P(Var→ Val) isdenoted by α and called abstraction.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 22 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
From a lattice to an abstract domain
A lattice :
elements, > (greatest), ⊥ (least element), partial order.
join (union), meet (intersection), emptiness test.
Abstract Domain :
Abstraction (α : val 7→ element) of the lattice, andconcretization (γ) s.t. X ⊆ γ(α(X) (Galois Connection).
Abstract transfer functions : each f is adapted into f ] s.t. :
f(X) ⊆ γ(f ](α(X)))
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 23 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Abstract Domain for signs
Lattice for a single element :
I take the cross product (for all variables), and modify meet,join, order . . . accordingly. Abstract domain :
α, γ ? (on board)
Give the abstract transfer function for + (on board)
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 24 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Abstract Interpretation, Algorithm
(High-level) Algorithm :
Write the abstract equations corresponding to the abstractsemantics.
Interpret the program from the beginning, but abstractly :Compute a lattice element per control point.Always make the union (join) with the former value.
Stop when the iteration has stabilized (for all controlpoints).
credit examples, P. Roux for Onera
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 25 / 89 �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮
✏ ✑ �✒ ✑ �✓ ✔✕��
✏ ✖ ✒ ✖ ✓
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ � ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮
✏ ✑ �✒ ✑ �✓ ✔✕��
✏ ✖ ✒ ✑ � ✓
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ �✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮
✏ ✑ �✒ ✑ �✓ ✔✕��
✏ ✖ ✒ ✑ � ✓
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ � ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮ ✭ ✍ � ✱ ✞ �✮
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� ❃ �� �
�� � � � � �
�� � � ✰ � �
�
� � �
��
� � ������� ��� � � ��
� ❃ �
� � � � �
� � � ✰ �
� ✁ �
�✂�
� ✄ �❂ ☎ ��
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪
�✂�
� ✄ �❂ �
✂�
� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂
��
�✂�
�✠� ✆✝ �
✂�
�
✭ � ✮ ✡ ✂ ✭ ✞ �✮☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ☞ ✂ ✞ �
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮
☛
�✂�
� ✄ �❂ �
✂�
� ✄ �✠� ✆✝ �
✂�
� ✄ �☞ ✂ ✍ �
☛
� �✂�
��
✂�
��
✂�
��
✂�
�
� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮ ✭ ✍ �✱ ✞ � ✮
� � � ��� �� ���� ��� �
�� � �
A bit of theory : IA on finite lattices Two problems to solve
Abstraction, concretisation for constantsAbstraction : α is ?Concretization : γ is ?
Lattice :
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 26 / 89 �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)
(⊤, ��) ⊔♯��
(⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥)� (⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)
(⊤, ��) ⊔♯��
(⊤, �+ �)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, ��) (⊤, ��)
�� � �
������� �� ����� � ��� ��� ��� ���
�� � ������� ��� ��� � �� �
��� ��� > �� �
�� � � / � �
�� � � − � �
�� � � + � �
�� � �
��
� � ������� ��� � � �� � > �
� � � / �
� � � − �
� � � + �
� � �
�♯�
�+�= ⊤��
�♯�
�+�= �
♯�
�+�[� �→ ⊤]
�♯�
�+�= �
♯�
�+�[� �→ ��]⊔♯
��
�♯�
�[
� �→ �♯�
�
(�) +♯�
]
�♯�
�+�= �
♯�
�+�
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)/♯�
]
�♯�
�+�= �
♯�
�+�[
� �→ �♯�
�+�(�)−♯ �
♯�
�+�(�)
]
�♯�
�+�= �
♯�
�+�
� �♯�
��
♯�
��
♯�
�
� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, ��) (⊤, ��)
� � ������� �� ����� ��� �
�� � �
A bit of theory : IA on finite lattices Two problems to solve
Result
TerminationIf the underlying lattice is of finite height, then the fixpointiteration terminates and the least abstract fixpoint is computed.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 27 / 89 �
A bit of theory : IA on finite lattices Two problems to solve
Abstract Interpretation, implementation choices
Control Flow Graph, and an abstract value per block.Propagate on the edges of the CFG.
On the Abstract Syntax tree, a visitor, and the propagationis made by induction on the syntax. The only stopping testis inside the while visitor.
I For lab 7, you choose. You are totally free (apart from ANTLR+ Python).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 28 / 89 �
Computing Invariants in infinite height lattices.
1 Come back on dataflow
2 A bit of theory : IA on finite lattices
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scale
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 29 / 89 �
Computing Invariants in infinite height lattices.
In a nutshell
The two problems also occur :
representation of sets of valuations.
abstract transitions (transfer functions).
there is another one, how to terminate !
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 30 / 89 �
Computing Invariants in infinite height lattices. Intervals
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 31 / 89 �
Computing Invariants in infinite height lattices. Intervals
A first example - Intervals
Try to compute an interval for each variable at each programpoint using interval arithmetic :
assume ( x >= 0 && x<= 1 ) ;assume ( y >= 2 && y= 3 ) ;assume ( z >= 3 && z= 4 ) ;t = ( x+y ) ∗ z ;
Interval for z ? [6, 16]
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 32 / 89 �
Computing Invariants in infinite height lattices. Intervals
The interval lattice
See the exercise sheet.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 33 / 89 �
Computing Invariants in infinite height lattices. Intervals
An example that terminates
i n t x =0;while ( x<1000) {
x=x +1;}
Loop iterations [0, 0], [0, 1], [0, 2], [0, 3],. . .
How ? φ(X) = Initial state tR(X), thusφ([a, b]) = {0} t [a+ 1,min(b, 999) + 1]
I Stricly growing interval during 1000 iterations, thenstabilizes : [0, 1000] is an invariant.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 34 / 89 �
Computing Invariants in infinite height lattices. Intervals
Termination Problem
Third problem to cope with : stopping the computation :
Too many computations
unbounded loops
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 35 / 89 �
Computing Invariants in infinite height lattices. Intervals
One solution. . .
Extrapolation !
[0, 0], [0, 1], [0, 2], [0, 3]→ [0,+∞)
Push interval :
i n t x =0; / ∗ [ 0 , 0 ] ∗ /
while / ∗ [ 0 , + i n f t y ) ∗ / ( x<1000) {/ ∗ [ 0 , 9 9 9 ] ∗ /
x=x +1;/ ∗ [ 1 , 1 0 0 0 ] ∗ /
}
Yes ! [0,∞[ is stable !
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 36 / 89 �
Computing Invariants in infinite height lattices. Intervals
Computing inductive invariants as intervals
Representation : intervals. The union leads to anoverapproximation.
We don’t know how to compute R(P ) with P interval (Thestatements may be too complex, . . .)I Replace computation by simpler over-approximationR(X) ⊆ R](X).
The convergence is ensured by extrapolation/widening.
I We always compute φ](X) with : φ(X) ⊆ φ](X)
In the end, over-approximation of the least fixed point of φ.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 37 / 89 �
Computing Invariants in infinite height lattices. Intervals
Computing inductive invariants as intervals - 2
(abstract) Interval operations :
+,−,× on intervals : interval arithmetic
union : [a, b] ∪ [c, d] : loosing info !
widening : (I1∇I2 with I1 ⊆ I2)
⊥∇I = I
[a, b]∇[c, d] = [if c < a then −∞ else a,
if d > b then +∞ else b]
The idea is to infer the dynamic of the intervals thanks to thefirst terms.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 38 / 89 �
Computing Invariants in infinite height lattices. Intervals
Computing inductive invariants as intervals - 3The widening operator being designed, we compute (x ⊆ F (x))
Σ0, Y1 = Σ0∇F (Σ0), Y2 = Y1∇F (Y1) . . .
finite computation instead of : Σ0, F (Σ0), F2(Σ0), . . . which
can be infinite.
Theorem(Cousot/Cousot 77) Iteratively computing the reachable statesfrom the entry point with the interval operators and applyingwidening at entry nodes of loops converges in a finite numberof steps to a overapproximation of the least invariant (akapostfixpoint).
I The widening operators must satisfy the non ascending chaincondition (see Cousot/Cousot 1977).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 39 / 89 �
Computing Invariants in infinite height lattices. Intervals
Invariants for programs - ex 1
init
loop
end
x := 0
x ≥ 100
x ≤ 99
→ x++
I x ∈ [0,+∞] in loop.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 40 / 89 �
Computing Invariants in infinite height lattices. Intervals
Computing inductive invariants as intervals - ex 2
x = random ( 0 , 7 ) ;y = cos ( x )+ xwhile ( y<=100) {
i f ( x >2) x−−;else {
y = −4;x−−;
}}
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 41 / 89 �
Computing Invariants in infinite height lattices. Intervals
Nested loops / Several loops(Bourdoncle, 1992) Computing strongly connectedsubcomponents and iterate inside each :
0
1 2 3 4
7 5 8 9
6
Gray nodes are widening nodes
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 42 / 89 �
Computing Invariants in infinite height lattices. Intervals
Improving precision after convergence
i n t x =0; / ∗ [ 0 , 0 ] ∗ /
while / ∗ [ 0 , + i n f t y ) ∗ / ( x<1000) {/ ∗ [ 0 , 9 9 9 ] ∗ /
x=x +1;/ ∗ [ 1 , 1 0 0 0 ] ∗ /
}
we got [0,+∞) instead of [0, 999]. Run one more iteration of theloop : {0} t [1, 1000] = [0, 1000]. Check if [0, 1000] is an inductiveinvariant ? YESI This is called narrowing or descending sequence : endswhen we have an inductive invariant or after k applications ofthe transition function.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 43 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 44 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
When intervals are not sufficient
assume ( x >= 0 && x <= 1 ) ;y = x ;z = x−y ;
The human (intelligent) sees z = 0 thus interval [0, 0],taking into account y = x.
Interval arithmetic does not see z = 0 because it does nottake y = x into account.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 45 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
How to track relations
Using relational domains.
E.g. : keep
for each variable an interval
for each pair of variables (x, y) an information x− y 6 C.
(One obtains x = y by x− y 6 0 and y − x 6 0.)
How to compute on that ?
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 46 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Bounds on differences : practical example
Suppose x− y 6 4, computation is z = x+ 3, then we knowz − y 6 7. Suppose x− z 6 20, that x− y 6 4 and that
y − z 6 6, then we know x− z 6 10.
I We know how to compute on these relations (transitiveclosure / shortest path).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 47 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Why this is useful
Let t(0..n) an array in the program.The program writes t(i).
Need to know whether 0 6 i 6 n, otherwise said find bounds oni and on n− i. . .
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 48 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Can we do better ?
How about tracking relations such as 2x+ 3y 6 6 ?
At a given program point, a set of linear inequalities.
In other words, a convex polyhedron (Linear Relation Anlysis).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 49 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Classical Linear Relation Analysis
(Halbwachs/Cousot 1979)
Abstract Interpretation in the Polyhedral domain
Infinite Domain with many particularities
Discover affine relations on variables
I Classically used in verification problems.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 50 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
The polyhedral domain (1)
Convex polyhedra representation :
I Effective and efficient algorithmic (emptyness test, union,affine transformation . . . )
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 51 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
The polyhedral domain(2)
Intersection, emptyness
Affine Transformation : a(P ) = {CX +D | X ∈ P}.
Convex hull (loss of precision)
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 52 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
The Polyhedral domain (3)Widening : P∇Q : limit extrapolation.P∇Q constraints : take Q constraints and remove those whichare not saturated by P .
Trick ( !) : {x = y = 0} = {0 6 y 6 x 6 0}
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 53 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Analysis example - 1
x:=0;y:=0
while (x<=100) do
read(b);
if b then
x:=x+2
else begin
x:=x+1;
y:=y+1;
end;
endif
endwhile
p
pin
x 6 100 →
x := x + 1y := y + 1
x 6 100 →
x := x + 2
(x, y) := (0, 0)
pout
x > 100
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 54 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Example - 2
p
pin
x 6 100 →
x := x + 1y := y + 1
x 6 100 →
x := x + 2
(x, y) := (0, 0)
pout
x > 100
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 55 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Linear Relation Analysis - Problems
Complexity increases with :
number of control points
number of numerical variables
Approximation is due to :
Convex hulls
Widening
(credits for these slides : Nicolas Halbwachs)
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 56 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Complexity
(In general) The more precise we are, the higher the costs.
Intervals : algorithms O(n), n number of variables.
Differences x− y 6 C : algorithms O(n3)
Octagons ±x± y 6 C (Miné) : algorithms O(n3)
Polyhedra (Cousot / Halbwachs) : algorithms often O(2n).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 57 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Delaying widening - 1
Halbwachs 1993 / Goubault 2001 / Blanchet et al. 2003
Fix k and compute :
Xn =
⊥ if n = 0
F (Xn−1) if n < k
Xn−1∇F (Xn−1) else.
I Similar to unrolling loops, costly but useful (regular behaviourafter a constant number of iterations).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 58 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Delaying widening - 2 - ex
p
q0
x > 0 →
x := x + 1
x = 0 →
x := x + 1
y := y + 1
x := 0; y := 0
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 59 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Improving the widening operatorWhile applying P∇Q, intersect with constraints that aresatisfied by both P and Q. The constraints must beprecomputed.
init
loop
end
x := 0
x ≥ 100
x ≤ 99
→ x++
Here, with “x 6 100” in the pool of constraints, it avoidsnarrowing.I Warning widening is not monotone, so improving locally isnot necessarily a good idea !
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 60 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Local improvement with acceleration
(Gonnord/Halbwachs 2006, Schrammel 2012)Idea : Sometimes, a fixpoint of a loop can be easily computedwithout any fixpoint iteration.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 61 / 89 �
Computing Invariants in infinite height lattices. Toward more relational abstract domains
Good path heuristic
(Gonnord/Monniaux 2011)Idea : find interesting paths by means of smt-queries
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 62 / 89 �
Application - Tools
1 Come back on dataflow
2 A bit of theory : IA on finite lattices
3 Computing Invariants in infinite height lattices.
4 Application - Tools
5 Designing Analyses that scale
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 63 / 89 �
Application - Tools
ApplicationsBounds on iterators of arrays (intervals, differences onbounds)Dead code elimination (all domains) - especially when thecode has been automatically generated / assertsVectorization : computations that can be permutedMemory optimisation : this int can be encoded in 16 bits ?Preconditions for code specialization (on going work with F.Rastello)Safety analysis. Termination.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 64 / 89 �
Application - Tools
Tools
Frama-C : analysing/ proving correction of C programs(see http://frama-c.com/
Apron : numerical domain interface(http://apron.cri.ensmp.fr/library/)
Interproc : IA analyser connected to Apron (see http:
//pop-art.inrialpes.fr/interproc/interprocweb.cgi
Rose / LLVM : C (and more) parsers and API formanipulating C programs. Rose is more decidated toprogram transformation, LLVM to compilerconstruction(http://www.rosecompiler.org/ andhttp://llvm.org/.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 65 / 89 �
Application - Tools
Industrial succes stories
Polyspace
Astree
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 66 / 89 �
Application - Tools
Demo Time : PAGAI.
http://pagai.forge.imag.fr/
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 67 / 89 �
Designing Analyses that scale
1 Come back on dataflow
2 A bit of theory : IA on finite lattices
3 Computing Invariants in infinite height lattices.
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 68 / 89 �
Designing Analyses that scale
Challenges in Abstract Interpretation
Precision of the abstract domain.
Thousands, millions of lines of code to analyze.
Static analyzers and compilers are complex programs (thatalso have bugs)
I Growing need for simple specialized analyses that scale
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 69 / 89 �
Designing Analyses that scale
Designing a scalable static analysis : an example
OOPSLA’14 :
A technique to prove that (some) memory accesses aresafe :
Less need for additional guards.Based on abstract interpretation.Precision and cost compromise.
Implemented in LLVM-compiler infrastructure :Eliminate 50% of the guards inserted by AddressSanitizerSPEC CPU 2006 17% faster
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 70 / 89 �
Designing Analyses that scale Overview
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 71 / 89 �
Designing Analyses that scale Overview
A bit on sanitizing memory accesses
Different techniques : but all have an overhead.
Ex : Address Sanitizer
Shadow every memory allocated : 1 byte→ 1 bit (allocatedor not).
Guard every array access : check if its shadow bit is valid.I slows down SPEC CPU 2006 by 25%
I We want to remove these guards.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 72 / 89 �
Designing Analyses that scale Overview
Green Arrays : overview 1/2
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 73 / 89 �
Designing Analyses that scale Overview
Green Arrays : overview 2/2
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 74 / 89 �
Designing Analyses that scale Overview
Symbolic ranges : How to ensure scalability ?
The idea is to work on the intermediate representation toensure the following key property :
SSI PropertyAll abstract values are stable on their live ranges.
How ? Splitting variables (v, i in the last example).(technical stuff later if there remains time)
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 75 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 76 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
Symbolic Ranges (SRA) : Running example
i n t main ( i n t argc ) {i n t ∗ v = mal loc ( sizeof ( i n t )∗ argc ) ;i n t i = argc − 1;v [ i ] = 0 ;i f ( ? ) { v = r e a l l o c ( sizeof ( i n t ) ∗2 ) ; i =1 ; }v [ i ] = 0 ;
}
I Are all accesses to v safe ?
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 77 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
Symbolic Ranges (SRA) : On the SSA form
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 78 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
SRA on SSA form : a sparse analysis
An abtract interpretation-based technique.
Very similar to classic range analysis.
One abstract value (R) per variable : sparsity.
I Easy to implement (simple algorithm, simple data structure).
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 79 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
SRA on SSA form : constraint system
v = • ⇒ R(v) = [v, v]
v = o ⇒ R(v) = R(o)
v = v1 ⊕ v2 ⇒ R(v) = R(v1)⊕I R(v2)
v = φ(v1, v2) ⇒ R(v) = R(v1) tR(v2)
other instructions ⇒ ∅
⊕I : abstract effect of the operation ⊕ on two intervals.t : convex hull of two intervals. I All these operation areperformed symbolically thanks to GiNaC
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 80 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
SRA on SSA form : an example
N = randunsigned ()
i_0 = 0
i_1 = phi(i_0 ,i_2)
i_1 < N ?
i_2 = i_1 + 1
R(i0) = [0, 0]
R(i1) = [0,+∞]
R(i2) = [1,+∞]
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 81 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
Improving precision of SRA : live-range splitting 1/2
I e-SSA form.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 82 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
Improving precision of SRA : live-range splitting 2/2
Rule for live-range splitting :
t = a < bbr (t, l)
at = σ(a)bt = σ(b)
af = σ(a)bf = σ(b)
l
R(at ) = [R(a)↓, min(R(b)↑− 1, R(a)↑)]
R(bt ) = [max(R(a)↓ + 1, R(a)↓), R(b)↑]
R(af ) = [max(R(a)↓, R(a)↑), R(a)↑]
R(bt ) = [R(b)↓, min(R(a)↑, R(b)↑)]
�
I All simplications are done by GiNaC.
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 83 / 89 �
Designing Analyses that scale Scalable symbolic abstract domain
SRA + live-range on an example
N = randunsigned ()
i_0 = 0
i_1 = phi(i_0 ,i_2)
i_1 < N ?
i_t = sigma(i_1)
i_2 = i_t + 1R(it) = [R(i1) ↓,min(N − 1, R(i1) ↑)]
R(i0) = [0, 0]
R(i1) = [0, N ]
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 84 / 89 �
Designing Analyses that scale Experimental results
1 Come back on dataflow
2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve
3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains
4 Application - Tools
5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 85 / 89 �
Designing Analyses that scale Experimental results
Experimental setup
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 86 / 89 �
Designing Analyses that scale Experimental results
Percentage of bound checks removed
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 87 / 89 �
Designing Analyses that scale Experimental results
Runtime improvement
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 88 / 89 �
Designing Analyses that scale Experimental results
In the paper (OOPSLA’14)
A complete formalisation of all the analyses :
Concrete and abstract semantics.
Safety is proved.
Interprocedural analysis.
I https://code.google.com/p/ecosoc/
Remaining question : improving precision of the symbolic rangeanalysis ?
Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 89 / 89 �
Top Related