From Program slicing to Abstract Interpretation

Chair of Software Engineering

From Program slicing to Abstract Interpretation

Dr. Manuel Oriol

2

Topics

Program Slicing Static Dynamic

Abstract Interpretation Soundness Completeness

3

Program slicing

A technique for analyzing programs regarding to a specific criterion.

More specifically, the analysis is meant to find the statements that participate to a result.

4

IntuitionWhat are the statements leading to the value of b at the end?

a := 1b := 5if (b > 3) then

Result := belse

a := 2endb := a

5

Key Idea: static slicing criteria

Slicing criterion:

(S, {variables})

A statement, a point in the

program

The set of variables that

matter

6

The static sliceThe set of statements that lead to the state of the variables at the chosen statement.

Example:

i := 3fact := 1from i := 1 until i > 10 loop

fact :=fact *ilast_i := i -- Middleio.put ("last I:" +last_i )i := i + 1

end

(end,i)? (end,fact)? (middle,i)?

7

Key Idea: dynamic slicing criteria

Slicing criterion:

(x, Sq, {variables})

Input of the program

The set of variables that

matter

Statement S in qth position

8

The dynamic sliceThe set of statements that lead to the state of the variables at the chosen statement given input x.

Example:

n := io.read_inti := 3fact := 1from i := 1 until i > n loop

fact :=fact *ilast_i := i -- Middleio.put ("last I:“ + last_i )i := i + 1

end

(10,end1,i)? (0,end1,fact)? (5,middle2,i)?

9

Application: Debugging

Simpler: Easier to understand what’s wrong

Remove statements: Detect dead code

By comparing to an intended behavior: detects bugs in the behavior

10

Other Applications

Software maintenance

Testing

Optimizations

11

Abstract interpretation

A technique for analyzing the programs by modeling their values and operations.

It is an execution that one can make to prove facts.

12

IntuitionSet of values:

V::= integers

Expressions:e::= e * e | i ∈ V

Language:eval: e -> integerseval(i) = ieval(e1*e2) = eval(e1) x eval(e2)

How can we decide on the sign of the evaluated expressions?

13

Key Idea: the Abstraction!

State

Abstract State

State

Abstract Statenext

next

α α

How is this called? Homomorphism

γ

α: abstraction functionγ: concretization function

14

Abstraction

Set of values: V::= integers

Expressions: e::= e * e | i ∈ V

Language: eval: e -> integers eval(i) = i eval(e1*e2) = eval(e1) * eval(e2)

Set of abstract values: AV::= {+, -, 0}

Expressions:e::= e * e | ai ∈ AV

Language:aeval: e -> AVaeval(i>0) = +aeval(i<0) = -aeval(i=0) = 0aeval(e1*e2) = aeval(e1)* aeval(e2)

where +*- = -+*+=+-*-=+0*av=0av*0=0

Adding unary minus?

15

If only the world would be so great…

State

Abstract State

State

Abstract Statenext

next

α α

How is this called? Semi-Homomorphism

⊆

16

Abstraction

Set of values: V::= integers

Expressions: e::= e * e | -e | e + e | i ∈ V

Language: eval: e -> integers eval(i) = i eval(-e)=-eval(e) eval(e1*e2) = eval(e1) * eval(e2) eval(e1+e2) = eval(e1) + eval(e2)

Set of abstract values: AV::= {+, -, 0, T}

Expressions:e::= e * e | -e | e + e | av ∈ AV

Language:aeval: e -> AVaeval(integer) = … as beforeaeval(e1*e2) = … as beforeaeval(-e) = … easy ;)aeval(e1+e2) = aeval(e1)+ aeval(e2)

where + + - = T+ + + = +

- + - = -0+av=av

av+0=av

17

Abstraction complete?

Set of values: V::= integers

Expressions: e::= e * e | -e | e + e | e/e | i ∈ V

Language: eval: e -> integers eval(i) = i eval(-e)=-eval(e) eval(e1*e2) = eval(e1) * eval(e2) eval(e1+e2) = eval(e1) + eval(e2) eval(e1/e2) = eval(e1) / eval(e2)

Set of abstract values: AV::= {+, -, 0, T, ⊥}

Expressions:e::= e * e | -e | e + e | e/e | av ∈ AV

Language:aeval: e -> AVaeval(integer) = … as beforeaeval(e1*e2) = … as beforeaeval(-e) = … easy ;)aeval(e1/e2) = aeval(e1)/ aeval(e2)

where av/0 = ⊥av+ ⊥= ⊥

…

18

Significance of the results?

It is sound!(the results are correct)

It is far from complete!!!!!(the results loose too much information)

19

Condition for Soundness

It should be a Galois insertion:

γ and α monotonic (x ⊆ y => f(x) ⊆ f(y))

for all S: S ⊆ γ(α(S))α(γ(av)) = av

20

Monotonic Functions

In the example:

for α: (S, ⊆) → (AV,≤)for γ: (av,≤) → (S,⊆)

T

+ 0 -

⊥

21

Exercise

Prove that the expression is divisible by 3.

Set of abstract values: AV::= {true,false,T, ^}

Expressions:e::= e * e | -e | e + e | e/e | ai ∈ AV

Language:aeval: e -> AVaeval(3) = yesaeval(e1*e2) = yes iff aeval(e1)=yes or

aeval(e2)=yesaeval(-e) = … easy ;)aeval(e1+e2) = aeval(e1) and aeval(e2)aeval(e1/e2) = true if aeval(e1) and

not aeval (e2)

22

Presenting it…

Usually presented through the definition of transitions…Prove that this program does not try to access a value outside the array’s definition, a of size 10 (from 1 to 10)

j := 0from i := 1 until i > 50 loop

j :=j + (45 - a.item (i ) + a.item (2*i ))i :=i + 1

end

23

Using abstract interpretation… What abstraction would you use to compute the

call graph of a program?

What abstraction would you use to optimize the tests within a program?

24

Problems How would you verify that loops terminate?

Is it sound? Is it complete?

How would you verify that a password read on the keyboard is not sent through a socket? Is it sound? Is it complete?

25

Applications to Trusted Components

Dataflow Analysis?

Program Slicing?

Abstract Interpretation?

26

Conclusions

Program Slicing Static Dynamic

Abstract Interpretation Soundness Completeness