[Faculty of Science, Information and Computing Sciences]

APA Abstract Interpretation

Jurriaan Hage
e-mail: [email protected]
homepage: http://www.cs.uu.nl/people/jur/
Department of Information and Computing Sciences, Universiteit Utrecht
June 7, 2016

1. Abstract interpretation

Abstract Interpretation

Abstract Interpretation = analysis as a simplification of running a computer program.

Examples

- During program execution we compute the values of variables.
- And our location in the program.
- During abstract interpretation we might
  - compute only the signs of integer variables,
  - compute where closures are created, but not the closures themselves,
  - compute only the lengths of lists,
  - compute only the types of variables.
- Typically, but not necessarily, we compute this for any given location.
- The right simplification depends on the analysis we are attempting.

The benefits of good abstractions

- For certain "good" abstract interpretations, soundness of the analysis follows "immediately" from the soundness of the semantics of the language.
- The latter needs to be proved only once, but many analyses may benefit.
- Semantics must be formally defined.
  - E.g., operational semantics, i.e., specification of an interpreter.
- Since static analyses must be sound for all executions, we need a collecting semantics for the language.
- Abstracting to a complete lattice with ACC gives a guarantee of termination.

The State is everything

- An interpreter keeps track of the state of the program.
- Usually it contains:
  - What program point are we at?
  - For every variable, what value does it currently have?
  - What does the stack look like?
  - What is allocated on the heap?

Examples

- For an imperative language (While) without procedures we track only the program point and the mapping from variables to values.
- To deal with procedures, also track the stack.
- The state is determined by the language constructs we support.
- Adding new implies the need to keep track of the heap.
- For the moment, we assume State = Lab × (Var → Data), where Data typically contains integers, reals and booleans.

State too static

- In abstract interpretation we simplify the state.
- And operations on the state should behave consistently with the abstraction.
- What if the state is already so information-poor that the information we want is not in the state to begin with?
- Our state State = Lab × (Var → Data) has only momentary information:
  - It does not record dynamic information for the program, e.g., executions.

The need for dynamic information

- Many program analyses concern dynamic properties.
- Examples:
  - Record the minimum and maximum value an integer identifier may take.
  - In a dynamically typed language: compute all types a variable may have.
  - Record all the function abstractions an identifier might evaluate to.
  - Record the set of pairs (x, ℓ) in case x may have gotten its last value at program point ℓ.
- We must first enrich the state to hold this information.

Single execution versus all executions

- Static analysis results should hold for all runs.
- Code is only dead if all executions avoid it.
- An interpreter considers only a single execution at a time.
- Redefine semantics to specify all executions "in parallel".
- This is called a collecting semantics.
- Static analysis is on a simplified version (abstraction) of the collecting semantics.
- Because, usually, the collecting semantics is very infinite.
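Added example (not part of the original slides): a sign analysis for a small While program, run next to a collecting semantics over State = Lab × (Var → Data), with the abstraction of the collected states checked against the analysis result. The program, its labels and all function names are constructed for illustration.

```python
# Added example. Constructed While program (labels in brackets):
#   [y := 1]^1; while [x > 0]^2 do ([y := y * x]^3; [x := x - 1]^4)   exit = 5
def sign(n):
    return "-" if n < 0 else "0" if n == 0 else "+"

def step(lab, env):
    """Concrete semantics: one transition on State = Lab x (Var -> Data)."""
    x, y = env
    if lab == 1: return 2, (x, 1)
    if lab == 2: return (3 if x > 0 else 5), env
    if lab == 3: return 4, (x, y * x)
    if lab == 4: return 2, (x - 1, y)

def collecting(inputs):
    """All states reached by the runs starting from the given values of x."""
    seen = set()
    for x0 in inputs:
        state = (1, (x0, 0))
        while state not in seen:
            seen.add(state)
            if state[0] == 5: break          # exit label: this run is done
            state = step(*state)
    return seen

def abs_mul(a, b):
    return "0" if "0" in (a, b) else "+" if a == b else "-"

def abs_step(lab, env):
    """Abstract semantics: same shape as step, but on signs; may branch."""
    sx, sy = env
    if lab == 1: return {(2, (sx, "+"))}
    if lab == 2: return {(3 if sx == "+" else 5, env)}   # x > 0 iff sign is +
    if lab == 3: return {(4, (sx, abs_mul(sy, sx)))}
    if lab == 4: return {(2, (s, sy)) for s in ("0+" if sx == "+" else "-")}
    return set()                                          # label 5: exit

def analyse():
    """Least fixed point over the finite set Lab x Sign x Sign (terminates)."""
    todo, seen = {(1, (sx, sy)) for sx in "-0+" for sy in "-0+"}, set()
    while todo:
        state = todo.pop()
        if state not in seen:
            seen.add(state)
            todo |= abs_step(*state)
    return seen

def alpha(states):
    """Abstraction: forget the values, keep only their signs."""
    return {(lab, (sign(x), sign(y))) for lab, (x, y) in states}
```

The set returned by collecting grows with every additional input value, while analyse always returns the same 16 abstract states and shows that y is positive at the exit label on every run.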