Abstract Interpretation
Işıl Dillig
Işıl Dillig, Abstract Interpretation 1/27

Overview
- Deductive verifiers require annotations (e.g., loop invariants) from the user
- Fortunately, there are many techniques that can automatically learn loop invariants
- A common framework for this purpose is Abstract Interpretation (AI)
- Abstract interpretation forms the basis of most static analyzers

Key Idea: Over-approximation
- Abstract interpretation is a framework for computing over-approximations of program states
- We cannot reason about the exact program behavior, due to undecidability (and also for scalability reasons)
- But we can obtain a conservative over-approximation, and this can be enough to prove program correctness

Motivating Example
- What does this function do?
- Annotations computed automatically using an AI tool (Apron)

The AI Recipe
Abstract interpretation provides a recipe for computing over-approximations of program behavior:
1. Define the abstract domain: this fixes the "shape" of the invariants
   - e.g., c1 ≤ x ≤ c2 (intervals) or ±x ± y ≤ c (octagons)
2. Define the abstract semantics (transformers)
   - Define how to symbolically execute each statement in the chosen abstract domain
   - Must be sound with respect to the concrete semantics
3. Iterate the abstract transformers until a fixed point is reached
   - The fixed point is an over-approximation of program behavior

Simple Example: Sign Domain
- Suppose we want to infer invariants of the form x ∘ 0, where ∘ ∈ {≥, =, >, <} (i.e., non-negative, zero, positive, negative)
- This corresponds to the following abstract domain, represented as a lattice:
  [Hasse diagram of the sign lattice with elements non-neg, neg, pos, zero]
  Each element in this lattice is an "abstract value"
- A lattice is a partially ordered set (S, ⊑) where each pair of elements has a least upper bound, or join (⊔)
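As an added example (not from the slides), the sign lattice above in Python, with ⊥ and ⊤ added to complete it: the partial order ⊑ and join ⊔ come from a concretization map, the abstract transformer for a binary operator is derived by evaluating it on concrete witnesses and re-abstracting, and the recipe's step 3 is run on a loop `x = 0; while (*) x = x + 1;` until the fixed point. The element names, witness values and function names are my own choices.

```python
from itertools import product

# The sign lattice from the slide, plus the implicit ⊥ (unreachable) and ⊤ (any value).
BOT, ZERO, POS, NEG, NONNEG, TOP = "⊥", "zero", "pos", "neg", "non-neg", "⊤"
LATTICE = [BOT, ZERO, POS, NEG, NONNEG, TOP]

# Concretization γ: the set of concrete signs each abstract value stands for.
GAMMA = {BOT: set(), ZERO: {0}, POS: {1}, NEG: {-1}, NONNEG: {0, 1}, TOP: {-1, 0, 1}}

# Concrete witnesses per sign (constructed); for + and * they exhibit every result sign.
SAMPLES = {-1: (-2, -1), 0: (0,), 1: (1, 2)}

def leq(a, b):
    """Partial order ⊑: a is below b iff a describes no more behaviours than b."""
    return GAMMA[a] <= GAMMA[b]

def join(a, b):
    """Least upper bound ⊔: the smallest lattice element above both a and b."""
    return min((c for c in LATTICE if leq(a, c) and leq(b, c)), key=lambda c: len(GAMMA[c]))

def alpha(values):
    """Abstraction α: the most precise lattice element covering all given concrete values."""
    signs = {(v > 0) - (v < 0) for v in values}
    return min((c for c in LATTICE if signs <= GAMMA[c]), key=lambda c: len(GAMMA[c]))

def transfer(op, a, b):
    """Abstract transformer for a binary operator: run op on all witness pairs, re-abstract.
    Sound for + and * because the witnesses produce every result sign the operator can."""
    witnesses = lambda x: [v for s in GAMMA[x] for v in SAMPLES[s]]
    return alpha(op(x, y) for x, y in product(witnesses(a), witnesses(b)))

def loop_invariant(init, step, op=lambda x, y: x + y):
    """Kleene iteration for `x = init; while (*) x = x op step;`:
    the loop-head value is join(entry, transformer(previous)) until it stops changing.
    Terminates because the lattice is finite and the sequence is ascending."""
    entry = alpha([init])
    x = entry
    while True:
        nxt = join(entry, transfer(op, x, step))
        if nxt == x:  # fixed point: a sound over-approximation of x at the loop head
            return x
        x = nxt

if __name__ == "__main__":
    print(loop_invariant(0, POS))  # counting up from 0: non-neg
    print(loop_invariant(0, NEG))  # counting down: ⊤
```

The second run shows the cost of the slide's lattice having no non-pos element: join(zero, neg) has no upper bound other than ⊤, so a loop counting down from 0 loses all information.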