Software Verification

ion of the Concrete Semantics: Intuition Concrete Semantics 〈 (P(X→ R),⊆),F ,Q,qin,qout ,X,→, f , ı 〉 Galois connection (P(X→ R),⊆) −−→ ←−− α γ (L,v) L is a set of machine-representable “properties” of the variables. Example L = {x is even, y is odd or negative, x≥y ⇒ x = 2i} γ(ψ) is the meaning of an abstract “property” ψ. α(φ) encodes a sound approximation of φ, the most precise one. v corresponds to entailment between “properties”, and abstracts ⊆. Grégoire Sutre Software Verification Abstract Interpretation INF555’09 28 / 100 Abstraction of the Concrete Semantics: Intuition Concrete Semantics 〈 (P(X→ R),⊆),F ,Q,qin,qout ,X,→, f , ı 〉 Galois connection (P(X→ R),⊆) −−→ ←−− α γ (L,v) L is a set of machine-representable “properties” of the variables. Example L = {x is even, y is odd or negative, x≥y ⇒ x = 2i} γ(ψ) is the meaning of an abstract “property” ψ. α(φ) encodes a sound approximation of φ, the most precise one. v corresponds to entailment between “properties”, and abstracts ⊆. Grégoire Sutre Software Verification Abstract Interpretation INF555’09 28 / 100ion of the Concrete Semantics: Intuition Concrete Semantics 〈 (P(X→ R),⊆),F ,Q,qin,qout ,X,→, f , ı 〉 Galois connection (P(X→ R),⊆) −−→ ←−− α γ (L,v) L is a set of machine-representable “properties” of the variables. Example L = {x is even, y is odd or negative, x≥y ⇒ x = 2i} γ(ψ) is the meaning of an abstract “property” ψ. α(φ) encodes a sound approximation of φ, the most precise one. v corresponds to entailment between “properties”, and abstracts ⊆. Grégoire Sutre Software Verification Abstract Interpretation INF555’09 28 / 100 Abstract Semantics Induced by a Galois Connection Consider a data flow instance A = 〈 (L,v),F ,Q,qin,qout ,X,→, f , ı 〉 and a Galois connection (L,v) −−→ ←−− α γ (L,v). Definition The abstract data flow instance A induced by A and (L,v) −−→ ←−− α γ (L,v) is A = 〈 (L,v),F ,Q,qin,qout ,X,→, f , ı 〉 where: F = L mon −−→ L f = λop . f ] op ı = α(ı)Semantics Induced by a Galois Connection Consider a data flow instance A = 〈 (L,v),F ,Q,qin,qout ,X,→, f , ı 〉 and a Galois connection (L,v) −−→ ←−− α γ (L,v). Definition The abstract data flow instance A induced by A and (L,v) −−→ ←−− α γ (L,v) is A = 〈 (L,v),F ,Q,qin,qout ,X,→, f , ı 〉 where: F = L mon −−→ L f = λop . f ] op ı = α(ı) Recall that f ] op = α ◦ fop ◦ γ is the best abstraction of fop. Grégoire Sutre Software Verification Abstract Interpretation INF555’09 29 / 100 Correctness of Induced Abstract Data Flow Analysis Extension of Galois Connections to Functions For any set Q and Galois connection (L,v) −−→ ←−− α γ (L,v), we have (Q → L,v) −−→ ←−− α γ (Q → L,v) where: α(a) = λq . α(a(q)) γ(b) = λq . γ(b(q)) Theorem (Correctness of Induced Abstract Forward Analysis) For any data flow instance A and Galois connection (L,v) −−→ ←−− α γ (L,v), the induced abstract data flow instance A satisfies: −−→ MFP (A) v γ (−−→ MFP ( A )) α (−−→ MFP (A) ) v −−→ MFP ( A ) −−−→ MOP (A) v γ (−−−→ MOP ( A )) α (−−−→ MOP (A) ) v −−−→ MOP ( A ) Grégoire Sutre Software Verification Abstract Interpretation INF555’09 30 / 100 Correctness of Induced Abstract Data Flow Analysis Extension of Galois Connections to Functions For any set Q and Galois connection (L,v) −−→ ←−− α γ (L,v), we have (Q → L,v) −−→ ←−− α γ (Q → L,v) where: α(a) = λq . α(a(q)) γ(b) = λq . γ(b(q)) Theorem (Correctness of Induced Abstract Backward Analysis) For any data flow instance A and Galois connection (L,v) −−→ ←−− α γ (L,v), the induced abstract data flow instance A satisfies: ←−− MFP (A) v γ (←−− MFP ( A )) α (←−− MFP (A) ) v ←−− MFP ( A ) ←−−− MOP (A) v γ (←−−− MOP ( A )) α (←−−− MOP (A) ) v ←−−− MOP ( A ) Grégoire Sutre Software Verification Abstract Interpretation INF555’09 30 / 100 Back Again to Sign Analysis: Galois Connection