Domain Precision in Galois Connection-Less Abstract Interpretation

Abstract

The ever growing pervasiveness of software systems in modern days technology results in an increasing need of software/program correctness proofs. The latter, allow developers to spot software failures before production, hence preventing potentially catastrophic repercussions on our society, as in the case of safety-critical infrastructures.

Unfortunately, correctness proofs may fail (even when software is actually correct) due to program analysis imprecision: program analysis sacrifices precision in order to gain decidability. In standard abstract interpretation-based static analyses, such imprecision is “measured” in terms of completeness of the chosen observation (i.e., of the chosen abstract domain) w.r.t. the programming language semantics. In this setting, fixed the language language, it is crucial to have decidable techniques to determine whether the chosen abstraction is sufficiently precise to analyze the program under consideration.

In this paper, we characterize abstract domain precision from a novel point of view, providing a formal framework for characterizing and (statically) verifying abstract domain precision, that can be adopted also in the case of “weakened”, i.e., Galois Connection-less, static analysis frameworks. Distinctive examples adopting such frameworks are the Convex Polyhedra and Automata domains, for which standard approaches to reason about analysis precision (i.e., completeness) cannot be applied.

A Selected Proofs

Proof

(Proof of Lemma 1). We prove that the set \(\eta ^{\wedge }_f\) is a Moore family, namely that is closed under greatest lower bound. Let us consider \(Y\subseteq \eta ^{\wedge }_f\) and suppose \(\exists x\in D \, .\, z\in \kappa ^\eta _f(x)\) and such that \(\bigwedge Y\ge z\), then \(\forall y\in Y\) we have \(Y\ge \bigwedge Y\ge z\). But, by definition of Y, this means that \(\forall y\in Y\) we have \(y\ge \vee \kappa ^\eta _f\), hence by definition of glb we have \(\bigwedge Y\ge \vee \kappa ^\eta _f\), meaning that \(\bigwedge Y\in \eta ^{\wedge }_f\).

Suppose now that \(\forall x\in D.\forall z\in \kappa ^\eta _f(x)\) we have \(\bigwedge Y\not \ge z\), hence the implication defining \({ Nint}_f^\eta \) is trivially true and again \(\bigwedge Y\in \eta ^{\wedge }_f\).

Proof

(Proof of Theorem 3). First of all we have to show that:

By construction, and . By Lemma 1, we know that also the glb of \({ Nint}_f^\eta \) elements satisfies \({ Nint}_f^\eta \), namely is in the set. Let us prove that if y is such that \({ Nint}_f^\eta (y)\) then it is greater than any image of f. Suppose , then \(y\ge f(x_1)\), but by hypothesis, but then by \({ Nint}_f^\eta \) hypothesis, \(y\ge \bigvee \kappa ^\eta _f(x_2)\ge f(x_2)\). Namely . Since we do not have hypotheses on \(x_1\) and \(x_2\), this proves that the two sets are the same, and therefore .

We now have to prove that it is the most concrete. This come trivially by construction, since \(\eta ^{\wedge }_f\) takes all the elements y such that \({ Nint}_f^\eta (y)\), any more concrete domain \(\rho '\) must contain w such that \(\lnot { Nint}_f^\eta (w)\). But this means that \(\exists x \in D \,\exists z\in \kappa ^\eta _f(x)\) such that \(w\ge z=f(y)\) (for some \(y\in D\)) but \(w\not \ge \bigvee \kappa ^\eta _f(x)\), meaning that there must exists \(z'\in \kappa ^\eta _f(x)\) such that \(w\not \ge z'=f(y')\) (for some \(y'\in D\)). Hence we have \(\eta (y)=\eta (y')\) and while meaning that .

Proof

(Proof of Lemma 2). Extensivity holds trivially by definition. Let us prove idempotence. Suppose . Let us compute . But the we trivially have that \(\rho \circ f(x)=\rho \circ f(y)=\rho \circ f(w)\), hence \(w\le y\) being y maximal, and \(y\le w\) by extensivity of \(\rho ^{\vee }_f\), hence \(\rho ^{\vee }_f(x)=y=w=\rho ^{\vee }_f(y)=\rho ^{\vee }_f \circ \rho ^{\vee }_f(x)\).

Proof

(Proof of Theorem 4). We have to prove that:

Suppose that \(\rho ^{\vee }_f(x_1)=\rho ^{\vee }_f(x_2)\). Then, and , with \(y_1=y_2\), hence \(\rho \circ f(x_1)=\rho \circ f(y_1)\) and \(\rho \circ f(y_2)=\rho \circ f(x_2)\).

We have now to prove that it is maximal w.r.t. the relative precision order, namely any more abstract abstraction does not satisfy the ANI property. Suppose there exists \(\eta '\in { wAbs}(D)\) more abstract than \(\rho ^{\vee }_f\), then it means that there exists \(x \in D\) such that \(y\triangleq \rho ^{\vee }_f(x) \lneq \eta '(x)\), namely . Hence \(\eta ' \circ \eta '(x)=\eta '(x)\), by idempotence, but \(\rho \circ f(\eta '(x))\ne \rho \circ f(x)\) being y maximal.

Proof

(Proof of Theorem 5). Exploiting the correspondence between completeness and Abstract Non-Interference (Theorem 2), we just have to prove that ANI holds. Indeed, we have to prove that if then holds. Let us prove that all rules in Fig. 4 are sound, namely that the deduced abstraction ensure ANI for \(\textsf{P}\).

• Rule R0: \(\forall x_1,x_2\), independently from the input observation \(\eta \), we trivially have \(\mathbb {T}{\llbracket \texttt{C} \rrbracket }(x_1)=\mathbb {T}{\llbracket \texttt{C} \rrbracket }(x_2)\). On the other hand, \({ id}(x_1)={ id}(x_2)\) means that \(x_1=x_2\), and therefore trivially, for any \(\rho \), \(\rho {\llbracket \texttt{C} \rrbracket }(x_1)=\rho {\llbracket \texttt{C} \rrbracket }(x_2)\).

• Rule R1: We consider here expressions as base case of the induction. By Corollary 2 we have that \(\eta ^{\wedge }_{\{\!|\textsf{e}|\!\}}\) is such that \(\forall x_1,x_2.\,\eta (x_1)=\eta (x_2)\ \Rightarrow \ \eta ^{\wedge }_{\{\!|\textsf{e}|\!\}}\{\!|\textsf{e}|\!\}(x_1)=\eta ^{\wedge }_{\{\!|\textsf{e}|\!\}}\{\!|\textsf{e}|\!\}(x_2)\). Analogous for the other rule by Corollary 3. Note that, in order to be precise we should have to write other two axioms for \(\textsf{b};\) but they are almost the same by considering \(\{\!|\textsf{b}|\!\}\) when computing, respectively, the input and the output observations.

• Rule R2: In this case we can observe that, holds iff \(\forall x_1,x_2\) we have that \(\eta (x_1)=\eta (x_2)\) implies \(\rho {\llbracket \textbf{skip} \rrbracket }(x_1)=\rho (x_1)=\rho (x_2)=\rho {\llbracket \textbf{skip} \rrbracket }(x_2)\), and this trivially holds if \(\eta \sqsubseteq \rho \).

• Rule R3: In this case we need the precondition , which means that the expression semantics does not change the property, i.e., \(\eta (x_1)=\eta (x_2)\ \Rightarrow \ \rho (\{\!|\textsf{e}|\!\}(x_1))=\rho (\{\!|\textsf{e}|\!\}(x_2))\). Hence, the assignment is complete if the expression is complete, but if there is more than one variable we need \(\eta \sqsubseteq \rho \) for guaranteeing the implication (the assignment behaves like \(\textbf{skip};\) on the other potential program viariables). Indeed, \({\llbracket x:=\textsf{e} \rrbracket }(x_1)=x_1[x\mapsto \{\!|\textsf{e}|\!\}(x_1)]\) and \({\llbracket x:=\textsf{e} \rrbracket }(x_2)=x_2[x\mapsto \{\!|\textsf{e}|\!\}(x_2)]\), provides results with the same \(\rho \) property since all the variables \(y\ne x\), due to the hypotheses \(\eta (x_1)=\eta (x_2)\) and \(\eta \sqsubseteq \rho \), have values sharing the same \(\rho \) property, while for x returns the evaluations of the expression on the two different input memories. These evaluations share precisely the same \(\rho \) property by the rule precondition.

• Rule R4: It is trivial since the semantics of the basic transfer function \(\textsf{b}?\) is precisely the semantics of the boolean expression \(\textsf{b}\).

• Rule R5: In this case, the proof is obtained by using rule R2, R6 and R8. Indeed, when we do not execute \(\texttt{C}\) (\(n=0\)) we need in output to observe \(\eta \) (R2). When we execute \(\texttt{C}\) one or more times, by induction on \(n\ge 1\), by hypotheses and by R6, we prove ANI with \(\rho \) in output, and therefore by R8 we prove ANI observing \(\eta \sqcup \rho =\eta \).

• Rule R6: If \(\forall x_1,x_2.\,\eta (x_1)=\eta (x_2)\ \Rightarrow \ \rho {\llbracket \texttt{C}_1 \rrbracket }(x_1)=\rho {\llbracket \texttt{C}_1 \rrbracket }(x_2)\) and \(\forall y_1,y_2.\,\eta _1(y_1)=\eta _1(y_2)\ \Rightarrow \ \rho _1 {\llbracket \texttt{C}_2 \rrbracket }(y_1)=\rho _1{\llbracket \texttt{C}_2 \rrbracket }(y_2)\), then we have that \(\forall x_1,x_2.\,\eta (x_1)=\eta (x_2)\ \Rightarrow \ \rho _1 {\llbracket \texttt{C}_2 \rrbracket }({\llbracket \texttt{C}_1 \rrbracket }(x_1))=\rho _1{\llbracket \texttt{C}_2 \rrbracket }({\llbracket \texttt{C}_1 \rrbracket }(x_2))\). At this point, since \(\rho {\llbracket \texttt{C}_1 \rrbracket }(x_1)=\rho {\llbracket \texttt{C}_1 \rrbracket }(x_2)\) implies \(\eta _1{\llbracket \texttt{C}_1 \rrbracket }(x_1)=\eta _1{\llbracket \texttt{C}_1 \rrbracket }(x_2)\), then we have the thesis.

• Rule R7: If \(\forall x_1,x_2\) we have \(\eta _1(x_1)=\eta _1(x_2)\ \Rightarrow \ \rho _1 {\llbracket \texttt{C}_1 \rrbracket }(x_1)=\rho _1{\llbracket \texttt{C}_1 \rrbracket }(x_2)\) and \(\forall y_1,y_2\) we have \(\eta _2(y_1)=\eta _2(y_2)\ \Rightarrow \ \rho _2 {\llbracket \texttt{C}_2 \rrbracket }(y_1)=\rho _2{\llbracket \texttt{C}_2 \rrbracket }(y_2)\), then \(\forall x_1,x_2\) we have that \(.\,(\eta _1\sqcap \eta _2)(x_1)=(\eta _1\sqcap \eta _2)(x_2)\) implies both the equalities \(\eta _1(x_1)=\eta _1(x_2)\) and \(\eta _2(x_1)=\eta _2(x_2)\), hence we have both \(\rho _1 {\llbracket \texttt{C}_1 \rrbracket }(x_1)=\rho _1{\llbracket \texttt{C}_1 \rrbracket }(x_2)\) and \(\rho _2 {\llbracket \texttt{C}_2 \rrbracket }(x_1)=\rho _2{\llbracket \texttt{C}_2 \rrbracket }(x_2)\). This implies that, being , .

• Rule R8: Trivial. Indeed, \(\eta \) implies \(\eta _1\) and \(\rho _1\) implies \(\rho \).

• Rule R9: By definition of \(\sqcup \) of partitioning closures [28], we have that \(\eta _1\sqcup \eta _2(x_1)=\eta _1\sqcup \eta _2(x_2)\) implies that either \(\eta _1(x_1)=\eta _1(x_2)\) or \(\eta _2(x_1)=\eta _2(x_2)\). then by hypothesis, in both cases we have that \(\rho {\llbracket \texttt{C} \rrbracket }(x_1)=\rho {\llbracket \texttt{C} \rrbracket }(x_2)\), namely we have the thesis. We can trivially extend the proof to any set I.

• Rule R10: Trivial by rule R7.

• Rule R11: By definition of \(\sqcap \) we have that \(\sqcap _i \rho _i{\llbracket \texttt{C} \rrbracket }(x_1)=\bigwedge _i\rho _i{\llbracket \texttt{C} \rrbracket }(x_1)\). By hypothesis if \(\eta (x_)=\eta (x_2)\) then for each \(i\in I\) we have \(\rho _i {\llbracket \texttt{C} \rrbracket }(x_1)=\rho _i {\llbracket \texttt{C} \rrbracket }(x_2)\), but then \(\bigwedge _i\rho _i{\llbracket \texttt{C} \rrbracket }(x_1)=\bigwedge _i\rho _i{\llbracket \texttt{C} \rrbracket }(x_2)=\sqcap _i \rho _i{\llbracket \texttt{C} \rrbracket }(x_2)\), namely we have the thesis.