Outline
- Motivation
- History
- What it is: an intuitive understanding
- An example
- Steps of abstract interpretation
- Galois connection
- Narrowing and Widening
- Fixed point
Motivation
- Static program analysis: automatically discovering properties of a program that hold for all possible execution paths of the program
- Discovering a sufficient set of properties for checking every operation of a program is an undecidable problem
- False positives
- Specialization:
  - Tailoring the program analyzer algorithms for a specific class of programs
  - Precision and scalability is guaranteed for this class of programs only
  - Requires a lot of try-and-test to fine-tune the algorithms
History: Patrick Cousot, Radhia Cousot 1977
- Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints, 1977
- Methods and Logics for Proving Programs, 1990
- Completeness in Abstract Interpretation, 1995
- Directions for Research in Approximate System Analysis, 1999
- Probabilistic Abstract Interpretation, 2012
- An abstract interpretation framework for termination, 2012
- Abstract interpretation: past, present and future, 2014
What it is [1]
- A theoretical framework to formalize approximation
- An application of abstraction to the semantics of programming languages as well as to static program analysis
- Provides approximate methods for computing abstract semantics
Collecting Semantics
- (A set of) Partial program states
- Precise, strongest static properties
- Examples: computation traces, forward/backward reachable states, predicate transformers
Collecting Semantics
We formulate collecting semantics in terms of sets because they describe properties, e.g.,
- the set {1, 3, 5, ...} describes the property odd
- the set {2, 4, 6, ...} describes the property even
- the singleton set {42} describes a constant property
- the set {4, 5, 6, 7, 8, 9, 10} describes an interval property [4; 10]
Collecting Semantics: Examples
- The set of all descendants of the initial state
- The set of all descendants of the initial state that can reach a final state
- The set of all finite traces from the initial state
- The set of all finite and infinite traces from the initial state
- Buffer overrun, division by zero, arithmetic overflows: state properties
- Deadlocks, un-initialized variables: finite trace properties
- Loop termination: finite and infinite trace properties
Collecting Semantics: Example
Trace (or path) semantics model program computations by a set of finite or infinite sequences of states.
Abstract Semantics: the Example
- Abstract values: +, -, 0
- Abstract operations:
- Sound: the signedness properties are preserved in the abstract domain
See the extension of Prof. Alex Aiken's example
Abstract Interpretation
- An abstract interpretation consists of:
  - An abstract domain A (+,-,0) and concrete domain D (Int)
  - Concretization γ and abstraction functions σ, forming a Galois insertion
  - A (sound) abstract semantic function
- Finite domains (lattice) + monotonic functions
- Large domains = slow analysis
- In practice, domains are forced to be small
- Chain height is the critical measure
- The focus in abstract interpretation is on correctness; not much insight into efficient algorithms
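The sign example and the Galois-connection slide above, worked through in code. This is an added example, not part of the lecture or of Prof. Aiken's material: the abstract domain is the powerset of {-, 0, +} (bottom is the empty set, top is the full set), the abstraction function is named alpha here (the slide writes it σ), concretization is gamma, and the tiny expression language, the finite integer universe used to enumerate the checks, and the function names are all assumptions of the example.

```python
from itertools import combinations

# Added example (not from the lecture): the sign domain {-, 0, +} as a
# powerset lattice.  Abstraction (sigma on the slide, alpha here) and
# concretization gamma form a Galois connection, and abstract + and *
# are sound over-approximations of the concrete operations.

SIGNS = frozenset({'-', '0', '+'})   # top of the lattice; frozenset() is bottom


def sign_of(n):
    return '-' if n < 0 else ('0' if n == 0 else '+')


def alpha(concrete):
    """Abstraction: a set of integers -> the smallest sign set covering it."""
    return frozenset(sign_of(n) for n in concrete)


def gamma(abstract, universe):
    """Concretization, restricted to a finite universe so it can be enumerated."""
    return frozenset(n for n in universe if sign_of(n) in abstract)


_ADD = {('-', '-'): {'-'}, ('-', '0'): {'-'}, ('0', '-'): {'-'},
        ('0', '0'): {'0'}, ('0', '+'): {'+'}, ('+', '0'): {'+'},
        ('+', '+'): {'+'}, ('-', '+'): SIGNS, ('+', '-'): SIGNS}  # sign unknown

_MUL = {(x, y): ({'0'} if '0' in (x, y) else ({'+'} if x == y else {'-'}))
        for x in SIGNS for y in SIGNS}


def _lift(table, a, b):
    """Apply a sign-by-sign table pointwise and take the union of the results."""
    return frozenset().union(*(table[(x, y)] for x in a for y in b))


def abs_add(a, b):
    return _lift(_ADD, a, b)


def abs_mul(a, b):
    return _lift(_MUL, a, b)


def abstract_eval(expr, env):
    """Abstract semantic function for a tiny expression language (assumed here):
       ('const', n) | ('var', name) | ('add', e1, e2) | ('mul', e1, e2)."""
    tag = expr[0]
    if tag == 'const':
        return alpha({expr[1]})
    if tag == 'var':
        return env[expr[1]]
    lhs, rhs = abstract_eval(expr[1], env), abstract_eval(expr[2], env)
    return abs_add(lhs, rhs) if tag == 'add' else abs_mul(lhs, rhs)


def _subsets(items):
    items = list(items)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def check_galois(universe=range(-3, 4)):
    """alpha(X) <= a  iff  X <= gamma(a): the Galois connection condition,
    checked exhaustively on a small finite universe."""
    return all((alpha(x) <= a) == (x <= gamma(a, universe))
               for x in _subsets(universe) for a in _subsets(SIGNS))


def check_sound(universe=range(-3, 4)):
    """Soundness: every concrete result of + and * is covered by the abstract result."""
    for x in _subsets(universe):
        for y in _subsets(universe):
            if not alpha({i + j for i in x for j in y}) <= abs_add(alpha(x), alpha(y)):
                return False
            if not alpha({i * j for i in x for j in y}) <= abs_mul(alpha(x), alpha(y)):
                return False
    return True


if __name__ == "__main__":
    x_sq_plus_1 = ('add', ('mul', ('var', 'x'), ('var', 'x')), ('const', 1))
    print(abstract_eval(x_sq_plus_1, {'x': frozenset({'-'})}))  # {'+'}
    print(abstract_eval(x_sq_plus_1, {'x': SIGNS}))             # top: x*x loses the
    print(check_galois(), check_sound())                        # correlation between x and x
```

Two things worth noticing when running it: `abs_add({-}, {+})` has to answer top, which is exactly the approximation the slide calls "sound"; and `x*x + 1` with `x` unknown evaluates to top rather than `+`, because a non-relational domain treats the two occurrences of `x` as independent. That loss of precision is the price of a small domain, which is the trade-off the bullets above describe.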
Iterative Resolution Algorithm
- Widening: pair-widening, set-widening
- Narrowing: pair-narrowing, set-narrowing
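The iterative resolution with pair-widening and pair-narrowing, shown on the interval domain, whose chain height is infinite (the "critical measure" from the previous slide). This is an added example, not code from the lecture: the loop being analyzed (`i = 0; while i < 100: i = i + 1`), the interval encoding as `(lo, hi)` tuples with `None` for bottom, and all function names are assumptions of the example.

```python
import math

# Added example (not from the lecture): the interval domain has infinite
# chain height, so plain Kleene iteration for "i = 0; while i < 100: i = i + 1"
# needs more than 100 ascending steps; pair-widening converges in three steps
# and pair-narrowing then recovers the precise upper bound.

INF = math.inf
BOT = None          # bottom: the empty interval (unreachable)


def join(a, b):
    """Least upper bound of two intervals."""
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """Pair-widening: any bound that is still moving outward jumps to infinity."""
    if old is BOT:
        return new
    if new is BOT:
        return old
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)


def narrow(old, new):
    """Pair-narrowing: replace the infinite bounds of old by the refined ones."""
    if old is BOT or new is BOT:
        return BOT
    lo = new[0] if old[0] == -INF else old[0]
    hi = new[1] if old[1] == INF else old[1]
    return (lo, hi)


def add_const(a, c):
    return BOT if a is BOT else (a[0] + c, a[1] + c)


def meet_lt(a, c):
    """Restrict interval a to the loop guard i < c (integer bounds)."""
    if a is BOT:
        return BOT
    hi = min(a[1], c - 1)
    return BOT if hi < a[0] else (a[0], hi)


def meet_ge(a, c):
    """Restrict interval a to the loop-exit condition i >= c."""
    if a is BOT:
        return BOT
    lo = max(a[0], c)
    return BOT if lo > a[1] else (lo, a[1])


def loop_head(x, init, bound):
    """Abstract semantic function F at the loop head of
       i = init; while i < bound: i = i + 1
    The invariant we want is the least fixed point of F."""
    return join((init, init), add_const(meet_lt(x, bound), 1))


def analyze_loop(init=0, bound=100, use_widening=True, max_iter=100_000):
    """Returns (loop-head invariant, interval at loop exit, ascending steps)."""
    x, steps = BOT, 0
    while steps < max_iter:                       # ascending (Kleene) iteration
        steps += 1
        nxt = loop_head(x, init, bound)
        if use_widening:
            nxt = widen(x, nxt)
        if nxt == x:                              # post-fixpoint reached
            break
        x = nxt
    ascending = steps
    if use_widening:                              # descending iteration
        while True:
            nxt = narrow(x, loop_head(x, init, bound))
            if nxt == x:
                break
            x = nxt
    return x, meet_ge(x, bound), ascending


if __name__ == "__main__":
    print("with widening/narrowing:", analyze_loop())
    print("plain iteration:        ", analyze_loop(use_widening=False))
```

With widening the ascending sequence is bottom, [0, 0], [0, +inf), and stops there after three steps; narrowing then pulls the infinite bound back to [0, 100] and the exit state becomes [100, 100]. Without widening the same invariant is reached, but only after the iteration has walked through every interval [0, k] for k up to 100, and for a loop whose bound is not a constant it would never stop at all. Both widening and narrowing here are the "pair" variants from the slide: they operate on two successive iterates.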