laure.gonnord.org · A bit of theory : IA on ﬁnite lattices Concrete semantics : refreshing...

Compilation and Program Analysis (#8) :Abstract Interpretation

Laure Gonnordhttp://laure.gonnord.org/pro/teaching/capM1.html

[email protected]

Master 1, ENS de Lyon

Nov 2017

http://laure.gonnord.org/pro/teaching/capM1.html

[email protected]

Objective

Compilation vs program analysis :

Compilation : generate code (with the “same” semantics).

Program Analysis : infer properties, prove absence of bugs.

I Programs are inputs.

Inspiration for slides : M2 course Program Analysis, D. Monniaux, D. Hirschkoff, P.

Roux, . . . .

Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 2 / 89 �

Reference book

Chapters 2.4 (dataflow) and 4 (abstract interpretation).

A nice paper (in french), about ocaml implementation for finitelattices : http://perso.ens-lyon.fr/pierre.roux/media/jfla2011.pdf


http://perso.ens-lyon.fr/pierre.roux/media/jfla2011.pdf

http://perso.ens-lyon.fr/pierre.roux/media/jfla2011.pdf

Program analysis & Abstract Interpretation

Typical questions we want to ask/bugs to avoid

x:=a/b make sure that b 6= 0.

x:=t[i] make sure that i is within the bounds of t.

i:=i+1 make sure there is no overflow.

or more complex properties.

Fully automatic !


Come back on dataflow

1 Come back on dataflow

2 A bit of theory : IA on finite lattices

3 Computing Invariants in infinite height lattices.

4 Application - Tools

5 Designing Analyses that scale



Liveness

exit

entry

Block `

LVexit(`) =

∅ if ` = final⋃{LVentry(`′)|(`, `′) ∈ flow(G)}

LVentry(`) =(LVexit(`)\killLV (`)

)∪ genLV (`)

I “Backward” set of recurrence equations.



Available expressions

exit

entry

Block `

AEentry(`) =

∅ if ` = init⋂{AEexit(`

′)|(`′, `) ∈ flow(G)}

AEexit(`) =(AEentry(`)\killAE(`)

)∪ genAE(`)

I “Forward” set of recurrence equations.



Common points

Computing growing sets from ∅ via fixpoint iterations. (orthe dual)

Sets of equations of the form (collecting semantics) :

S(`) =⋃

(`′,`)∈E

f(S(`′))

where f is computed w.r.t. the program statements

I S is an abstract interpretation of the program.


A bit of theory : IA on finite lattices


2 A bit of theory : IA on finite latticesComputing invariantsTwo problems to solve






Concrete semantics : refreshing memories

Program control points are denoted by ` ∈ L. Environnementsassign values to variables.Operational semantics :

Recursive equations involving sets of environments.

The fixpoint yields a function of type L → P(Var→ Val).(set of possible memory states of each variable at eachline).

I Concrete semantics = least fixpoint. It exists(Knaster-Tarski’s theorem). No hope to compute it.



Concrete semantics-revisited

kinit k1

cos(y) ≤ x → x := x+ 1

x 6= y → y := yx

true → y := y + 2

Semantics of the programs as transition systems :

A state is a pair (k,Val) :

Val : Var→ N d

Var is [[0, . . . , d− 1]] (finite set, d vars)N is N, Z, Q

Initial states : (kinit, allv).

+ “transition relation” (concrete) denoted by→.Laure Gonnord (M1/DI-ENSL) Compilation and Program Analysis (#8): Abstract Interpretation 2017 � 11 / 89 �


Computing concrete semantics-reachability

Notations :

Σ concrete states, (σ a state).

Σ0 ⊆ Σ : set of initial states.

reachable states : σ is reachable iff :

∃σ0 ∈ Σ0 σ0 →∗ σ

R(X) = {y ∈ Σ | ∃x ∈ X x→ y}.

Xn : set of states reachable in at most n steps : X0 = Σ0,X1 = Σ0 ∪R(Σ0), X2 = Σ0 ∪R(Σ0) ∪R(R(Σ0)), etc.

I The sequence Xk is ascending for ⊆. Its limit (= the union ofall iterates) is the set of reachable states.


A bit of theory : IA on finite lattices Computing invariants



3 Computing Invariants in infinite height lattices.IntervalsToward more relational abstract domains


5 Designing Analyses that scaleOverviewScalable symbolic abstract domainExperimental results



Computing concrete semantics-iterative computation

Remark Xn+1 = φ(Xn) with φ(X) = Σ0 ∪R(X).

How to compute efficiently the Xn ? And the limit ?

Explicit representations of Xn (list all states) : If Σ finite, Xn

converges in at most |Σ| iterations.

else, we have to cope with two problems :Representing the Xis and computing R(Xi).Computing the limit ?

I X∞ = ∪φn(X0) is the strongest invariant of the programI Looking for overapproximations : X∞ ⊆ Xresult also calledinvariant.



Invariants for programs

init

loop

end

x := 0

x ≥ 100

x ≤ 99

→ x++

I {x ∈ N, 0 6 x 6 100} is the most precise invariant in controlpoint loop.



Inductive invariants(Inductive) invariant : set X of states s.t. φ(X) ⊆ X : with

φ(X) = X0 ∪ {y ∈ Σ | ∃x ∈ X x→ y}

Properties :

If X et Y two invariants, then so is X ∩ Y .

φ monotonic for ⊆ (if X ⊆ Y , then φ(X) ⊆ φ(Y )).

φ(X ∩ Y ) ⊆ φ(X) ⊆ X, same for Y , thusφ(X ∩ Y ) ⊆ X ∩ Y .

Same for intersections of infinitely many invariants.

I Thus the strongest invariant can be defined as theintersection of all invariants. This invariant satisfies φ(X) = X,it is the least fixed point of φ.



Back to our problem

Given a program (or an interpreted automaton), find inductiveinvariants for each control point : Recall : a state is a pair

(pc,Val) :Val : Var→ N d

I We want to compute lfp(φ) with

φ(X) = X0 ∪ {y ∈ Σ | ∃x ∈ X x→ y}

and→ entails the concrete semantics of the program.

This is unfeasible in general


A bit of theory : IA on finite lattices Two problems to solve








Representing sets of valuations

First problem to cope with : represent sets of valuations

Val : Var→ N d

Var is [[0, . . . , d− 1]] (finite set, d vars)

N is N, Z, Q

I Find a finite representation ! abstract value/abstractdomain.



Representing sets of valuations 2/2

Represent values of variables :

Rpc ∈ P(Nd)

by a finite computable superset R]pc :

y

xxx

y y

I And compute such abstract values for each control point.



Computing R

Second problem to cope with : computing the transitionrelation

R(`,X) = {(`′, x′)|∃x ∈ X and (`, x)→ (`′, x′)}

X is a (representation of a) set of valuations

→ is the program transition function (the semantics)

I We have to adapt→ into an abstract semantics→]. R willbe changed into R].



Some examples of abstractions

For numerical values, we can abstract P(Var→ Val) by :

Signs

Constant+Value / Non Constant

Intervals (Boxes)

More complex shapes (see later).

The function used to abstract elements of P(Var→ Val) isdenoted by α and called abstraction.



From a lattice to an abstract domain

A lattice :

elements, > (greatest), ⊥ (least element), partial order.

join (union), meet (intersection), emptiness test.

Abstract Domain :

Abstraction (α : val 7→ element) of the lattice, andconcretization (γ) s.t. X ⊆ γ(α(X) (Galois Connection).

Abstract transfer functions : each f is adapted into f ] s.t. :

f(X) ⊆ γ(f ](α(X)))



Abstract Domain for signs

Lattice for a single element :

I take the cross product (for all variables), and modify meet,join, order . . . accordingly. Abstract domain :

α, γ ? (on board)

Give the abstract transfer function for + (on board)



Abstract Interpretation, Algorithm

(High-level) Algorithm :

Write the abstract equations corresponding to the abstractsemantics.

Interpret the program from the beginning, but abstractly :Compute a lattice element per control point.Always make the union (join) with the former value.

Stop when the iteration has stabilized (for all controlpoints).

credit examples, P. Roux for Onera


��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮

✏ ✑ �✒ ✑ �✓ ✔✕��

✏ ✖ ✒ ✖ ✓

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮� ✭ ✎ ✱ ✎ ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ � ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮

✏ ✑ �✒ ✑ �✓ ✔✕��

✏ ✖ ✒ ✑ � ✓

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ �✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ � ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮

✏ ✑ �✒ ✑ �✓ ✔✕��

✏ ✖ ✒ ✑ � ✓

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ � ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮ ✭ ✍ � ✱ ✞ �✮

��

��

��

�� ❃ ��

��

�� ✰ � �

�

� � �

��

� � ��

� ❃ �

� � � � �

� � � ✰ �

� ✁ �

�✂�

� ✄ �❂ ☎ ��

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪

�✂�

� ✄ �❂ �

✂�

� ✄ �❬ � ✆✝ ✞ �❪ ✟ ✂

��

�✂�

�✠� ✆✝ �

✂�

�

✭ � ✮ ✡ ✂ ✭ ✞ �✮☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ☞ ✂ ✞ �

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �✭ � ✮ ✌ ✂ ✭ ✞ �✮

☛

�✂�

� ✄ �❂ �

✂�

� ✄ �✠� ✆✝ �

✂�

� ✄ �☞ ✂ ✍ �

☛

� �✂�

��

✂�

��

✂�

��

✂�

�

� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮ ✭ ☎ ✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ � ✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮ ✭ ✞ �✱ ☎ ✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ ✞ �✱ ✞ �✮ ✭ ✞ �✱ ✞ � ✮ ✭ ✞ �✱ ✞ � ✮� ✭ ✎ ✱ ✎ ✮ ✭ ☎ ✱ ✞ � ✮ ✭ ☎ ✱ ✞ �✮ ✭ ☎ ✱ ✞ �✮� ✭ ✎ ✱ ✎ ✮ ✭ �✱ ✞ �✮ ✭ ✍ �✱ ✞ � ✮ ✭ ✍ �✱ ✞ � ✮

� � � ��

��


Abstraction, concretisation for constantsAbstraction : α is ?Concretization : γ is ?

Lattice :


��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)

(⊤, ��) ⊔♯��

(⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥)� (⊥,⊥)� (⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥)� (⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)

(⊤, ��) ⊔♯��

(⊤, �+ �)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �)� (⊥,⊥) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, ��) (⊤, ��)

��

��

��

�� > ��

�� / � �

�� − � �

�� + � �

��

��

� � �� > �

� � � / �

� � � − �

� � � + �

� � �

�♯�

�+�= ⊤��

�♯�

�+�= �

♯�

�+�[� �→ ⊤]

�♯�

�+�= �

♯�

�+�[� �→ ��]⊔♯

��

�♯�

�[

� �→ �♯�

�

(�) +♯�

]

�♯�

�+�= �

♯�

�+�

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)/♯�

]

�♯�

�+�= �

♯�

�+�[

� �→ �♯�

�+�(�)−♯ �

♯�

�+�(�)

]

�♯�

�+�= �

♯�

�+�

� �♯�

��

♯�

��

♯�

�

� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤,⊤) (⊤,⊤)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, ��) (⊤, ��)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, �) (⊤, �)� (⊥,⊥) (⊤, ��) (⊤, ��)

� � ��

��


Result

TerminationIf the underlying lattice is of finite height, then the fixpointiteration terminates and the least abstract fixpoint is computed.



Abstract Interpretation, implementation choices

Control Flow Graph, and an abstract value per block.Propagate on the edges of the CFG.

On the Abstract Syntax tree, a visitor, and the propagationis made by induction on the syntax. The only stopping testis inside the while visitor.

I For lab 7, you choose. You are totally free (apart from ANTLR+ Python).


Computing Invariants in infinite height lattices.







Computing Invariants in infinite height lattices.

In a nutshell

The two problems also occur :

representation of sets of valuations.

abstract transitions (transfer functions).

there is another one, how to terminate !


Computing Invariants in infinite height lattices. Intervals








A first example - Intervals

Try to compute an interval for each variable at each programpoint using interval arithmetic :

assume ( x >= 0 && x<= 1 ) ;assume ( y >= 2 && y= 3 ) ;assume ( z >= 3 && z= 4 ) ;t = ( x+y ) ∗ z ;

Interval for z ? [6, 16]



The interval lattice

See the exercise sheet.



An example that terminates

i n t x =0;while ( x<1000) {

x=x +1;}

Loop iterations [0, 0], [0, 1], [0, 2], [0, 3],. . .

How ? φ(X) = Initial state tR(X), thusφ([a, b]) = {0} t [a+ 1,min(b, 999) + 1]

I Stricly growing interval during 1000 iterations, thenstabilizes : [0, 1000] is an invariant.



Termination Problem

Third problem to cope with : stopping the computation :

Too many computations

unbounded loops



One solution. . .

Extrapolation !

[0, 0], [0, 1], [0, 2], [0, 3]→ [0,+∞)

Push interval :

i n t x =0; / ∗ [ 0 , 0 ] ∗ /

while / ∗ [ 0 , + i n f t y ) ∗ / ( x<1000) {/ ∗ [ 0 , 9 9 9 ] ∗ /

x=x +1;/ ∗ [ 1 , 1 0 0 0 ] ∗ /

}

Yes ! [0,∞[ is stable !



Computing inductive invariants as intervals

Representation : intervals. The union leads to anoverapproximation.

We don’t know how to compute R(P ) with P interval (Thestatements may be too complex, . . .)I Replace computation by simpler over-approximationR(X) ⊆ R](X).

The convergence is ensured by extrapolation/widening.

I We always compute φ](X) with : φ(X) ⊆ φ](X)

In the end, over-approximation of the least fixed point of φ.



Computing inductive invariants as intervals - 2

(abstract) Interval operations :

+,−,× on intervals : interval arithmetic

union : [a, b] ∪ [c, d] : loosing info !

widening : (I1∇I2 with I1 ⊆ I2)

⊥∇I = I

[a, b]∇[c, d] = [if c < a then −∞ else a,

if d > b then +∞ else b]

The idea is to infer the dynamic of the intervals thanks to thefirst terms.



Computing inductive invariants as intervals - 3The widening operator being designed, we compute (x ⊆ F (x))

Σ0, Y1 = Σ0∇F (Σ0), Y2 = Y1∇F (Y1) . . .

finite computation instead of : Σ0, F (Σ0), F2(Σ0), . . . which

can be infinite.

Theorem(Cousot/Cousot 77) Iteratively computing the reachable statesfrom the entry point with the interval operators and applyingwidening at entry nodes of loops converges in a finite numberof steps to a overapproximation of the least invariant (akapostfixpoint).

I The widening operators must satisfy the non ascending chaincondition (see Cousot/Cousot 1977).



Invariants for programs - ex 1

init

loop

end

x := 0

x ≥ 100

x ≤ 99

→ x++

I x ∈ [0,+∞] in loop.



Computing inductive invariants as intervals - ex 2

x = random ( 0 , 7 ) ;y = cos ( x )+ xwhile ( y<=100) {

i f ( x >2) x−−;else {

y = −4;x−−;

}}



Nested loops / Several loops(Bourdoncle, 1992) Computing strongly connectedsubcomponents and iterate inside each :

0

1 2 3 4

7 5 8 9

6

Gray nodes are widening nodes



Improving precision after convergence

i n t x =0; / ∗ [ 0 , 0 ] ∗ /

while / ∗ [ 0 , + i n f t y ) ∗ / ( x<1000) {/ ∗ [ 0 , 9 9 9 ] ∗ /

x=x +1;/ ∗ [ 1 , 1 0 0 0 ] ∗ /

}

we got [0,+∞) instead of [0, 999]. Run one more iteration of theloop : {0} t [1, 1000] = [0, 1000]. Check if [0, 1000] is an inductiveinvariant ? YESI This is called narrowing or descending sequence : endswhen we have an inductive invariant or after k applications ofthe transition function.


Computing Invariants in infinite height lattices. Toward more relational abstract domains








When intervals are not sufficient

assume ( x >= 0 && x <= 1 ) ;y = x ;z = x−y ;

The human (intelligent) sees z = 0 thus interval [0, 0],taking into account y = x.

Interval arithmetic does not see z = 0 because it does nottake y = x into account.



How to track relations

Using relational domains.

E.g. : keep

for each variable an interval

for each pair of variables (x, y) an information x− y 6 C.

(One obtains x = y by x− y 6 0 and y − x 6 0.)

How to compute on that ?



Bounds on differences : practical example

Suppose x− y 6 4, computation is z = x+ 3, then we knowz − y 6 7. Suppose x− z 6 20, that x− y 6 4 and that

y − z 6 6, then we know x− z 6 10.

I We know how to compute on these relations (transitiveclosure / shortest path).



Why this is useful

Let t(0..n) an array in the program.The program writes t(i).

Need to know whether 0 6 i 6 n, otherwise said find bounds oni and on n− i. . .



Can we do better ?

How about tracking relations such as 2x+ 3y 6 6 ?

At a given program point, a set of linear inequalities.

In other words, a convex polyhedron (Linear Relation Anlysis).



Classical Linear Relation Analysis

(Halbwachs/Cousot 1979)

Abstract Interpretation in the Polyhedral domain

Infinite Domain with many particularities

Discover affine relations on variables

I Classically used in verification problems.



The polyhedral domain (1)

Convex polyhedra representation :

I Effective and efficient algorithmic (emptyness test, union,affine transformation . . . )



The polyhedral domain(2)

Intersection, emptyness

Affine Transformation : a(P ) = {CX +D | X ∈ P}.

Convex hull (loss of precision)



The Polyhedral domain (3)Widening : P∇Q : limit extrapolation.P∇Q constraints : take Q constraints and remove those whichare not saturated by P .

Trick ( !) : {x = y = 0} = {0 6 y 6 x 6 0}



Analysis example - 1

x:=0;y:=0

while (x<=100) do

read(b);

if b then

x:=x+2

else begin

x:=x+1;

y:=y+1;

end;

endif

endwhile

p

pin

x 6 100 →

x := x + 1y := y + 1

x 6 100 →

x := x + 2

(x, y) := (0, 0)

pout

x > 100



Example - 2

p

pin

x 6 100 →

x := x + 1y := y + 1

x 6 100 →

x := x + 2

(x, y) := (0, 0)

pout

x > 100



Linear Relation Analysis - Problems

Complexity increases with :

number of control points

number of numerical variables

Approximation is due to :

Convex hulls

Widening

(credits for these slides : Nicolas Halbwachs)



Complexity

(In general) The more precise we are, the higher the costs.

Intervals : algorithms O(n), n number of variables.

Differences x− y 6 C : algorithms O(n3)

Octagons ±x± y 6 C (Miné) : algorithms O(n3)

Polyhedra (Cousot / Halbwachs) : algorithms often O(2n).



Delaying widening - 1

Halbwachs 1993 / Goubault 2001 / Blanchet et al. 2003

Fix k and compute :

Xn =

⊥ if n = 0

F (Xn−1) if n < k

Xn−1∇F (Xn−1) else.

I Similar to unrolling loops, costly but useful (regular behaviourafter a constant number of iterations).



Delaying widening - 2 - ex

p

q0

x > 0 →

x := x + 1

x = 0 →

x := x + 1

y := y + 1

x := 0; y := 0



Improving the widening operatorWhile applying P∇Q, intersect with constraints that aresatisfied by both P and Q. The constraints must beprecomputed.

init

loop

end

x := 0

x ≥ 100

x ≤ 99

→ x++

Here, with “x 6 100” in the pool of constraints, it avoidsnarrowing.I Warning widening is not monotone, so improving locally isnot necessarily a good idea !



Local improvement with acceleration

(Gonnord/Halbwachs 2006, Schrammel 2012)Idea : Sometimes, a fixpoint of a loop can be easily computedwithout any fixpoint iteration.



Good path heuristic

(Gonnord/Monniaux 2011)Idea : find interesting paths by means of smt-queries


Application - Tools







Application - Tools

ApplicationsBounds on iterators of arrays (intervals, differences onbounds)Dead code elimination (all domains) - especially when thecode has been automatically generated / assertsVectorization : computations that can be permutedMemory optimisation : this int can be encoded in 16 bits ?Preconditions for code specialization (on going work with F.Rastello)Safety analysis. Termination.


Application - Tools

Tools

Frama-C : analysing/ proving correction of C programs(see http://frama-c.com/

Apron : numerical domain interface(http://apron.cri.ensmp.fr/library/)

Interproc : IA analyser connected to Apron (see http:

//pop-art.inrialpes.fr/interproc/interprocweb.cgi

Rose / LLVM : C (and more) parsers and API formanipulating C programs. Rose is more decidated toprogram transformation, LLVM to compilerconstruction(http://www.rosecompiler.org/ andhttp://llvm.org/.


http://frama-c.com/

http://apron.cri.ensmp.fr/library/

http://pop-art.inrialpes.fr/interproc/interprocweb.cgi

http://pop-art.inrialpes.fr/interproc/interprocweb.cgi

http://www.rosecompiler.org/

http://llvm.org/

Application - Tools

Industrial succes stories

Polyspace

Astree


Application - Tools

Demo Time : PAGAI.

http://pagai.forge.imag.fr/


http://pagai.forge.imag.fr/

Designing Analyses that scale








Challenges in Abstract Interpretation

Precision of the abstract domain.

Thousands, millions of lines of code to analyze.

Static analyzers and compilers are complex programs (thatalso have bugs)

I Growing need for simple specialized analyses that scale



Designing a scalable static analysis : an example

OOPSLA’14 :

A technique to prove that (some) memory accesses aresafe :

Less need for additional guards.Based on abstract interpretation.Precision and cost compromise.

Implemented in LLVM-compiler infrastructure :Eliminate 50% of the guards inserted by AddressSanitizerSPEC CPU 2006 17% faster


Designing Analyses that scale Overview








A bit on sanitizing memory accesses

Different techniques : but all have an overhead.

Ex : Address Sanitizer

Shadow every memory allocated : 1 byte→ 1 bit (allocatedor not).

Guard every array access : check if its shadow bit is valid.I slows down SPEC CPU 2006 by 25%

I We want to remove these guards.



Green Arrays : overview 1/2



Green Arrays : overview 2/2



Symbolic ranges : How to ensure scalability ?

The idea is to work on the intermediate representation toensure the following key property :

SSI PropertyAll abstract values are stable on their live ranges.

How ? Splitting variables (v, i in the last example).(technical stuff later if there remains time)


Designing Analyses that scale Scalable symbolic abstract domain








Symbolic Ranges (SRA) : Running example

i n t main ( i n t argc ) {i n t ∗ v = mal loc ( sizeof ( i n t )∗ argc ) ;i n t i = argc − 1;v [ i ] = 0 ;i f ( ? ) { v = r e a l l o c ( sizeof ( i n t ) ∗2 ) ; i =1 ; }v [ i ] = 0 ;

}

I Are all accesses to v safe ?



Symbolic Ranges (SRA) : On the SSA form



SRA on SSA form : a sparse analysis

An abtract interpretation-based technique.

Very similar to classic range analysis.

One abstract value (R) per variable : sparsity.

I Easy to implement (simple algorithm, simple data structure).



SRA on SSA form : constraint system

v = • ⇒ R(v) = [v, v]

v = o ⇒ R(v) = R(o)

v = v1 ⊕ v2 ⇒ R(v) = R(v1)⊕I R(v2)

v = φ(v1, v2) ⇒ R(v) = R(v1) tR(v2)

other instructions ⇒ ∅

⊕I : abstract effect of the operation ⊕ on two intervals.t : convex hull of two intervals. I All these operation areperformed symbolically thanks to GiNaC



SRA on SSA form : an example

N = randunsigned ()

i_0 = 0

i_1 = phi(i_0 ,i_2)

i_1 < N ?

i_2 = i_1 + 1

R(i0) = [0, 0]

R(i1) = [0,+∞]

R(i2) = [1,+∞]



Improving precision of SRA : live-range splitting 1/2

I e-SSA form.



Improving precision of SRA : live-range splitting 2/2

Rule for live-range splitting :

t = a < bbr (t, l)

at = σ(a)bt = σ(b)

af = σ(a)bf = σ(b)

l

R(at ) = [R(a)↓, min(R(b)↑− 1, R(a)↑)]

R(bt ) = [max(R(a)↓ + 1, R(a)↓), R(b)↑]

R(af ) = [max(R(a)↓, R(a)↑), R(a)↑]

R(bt ) = [R(b)↓, min(R(a)↑, R(b)↑)]

�

I All simplications are done by GiNaC.



SRA + live-range on an example

N = randunsigned ()

i_0 = 0

i_1 = phi(i_0 ,i_2)

i_1 < N ?

i_t = sigma(i_1)

i_2 = i_t + 1R(it) = [R(i1) ↓,min(N − 1, R(i1) ↑)]

R(i0) = [0, 0]

R(i1) = [0, N ]


Designing Analyses that scale Experimental results








Experimental setup



Percentage of bound checks removed



Runtime improvement



In the paper (OOPSLA’14)

A complete formalisation of all the analyses :

Concrete and abstract semantics.

Safety is proved.

Interprocedural analysis.

I https://code.google.com/p/ecosoc/

Remaining question : improving precision of the symbolic rangeanalysis ?


https://code.google.com/p/ecosoc/

laure.gonnord.org · A bit of theory : IA on ﬁnite lattices Concrete semantics : refreshing...

Documents

Transcript of laure.gonnord.org · A bit of theory : IA on ﬁnite lattices Concrete semantics : refreshing...