105
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Embed Size (px)

Citation preview

Page 1: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Program Analysis and Verification

0368-4479

Noam Rinetzky

Lecture 6: Abstract Interpretation

1

Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Page 2: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2

Abstract Interpretation [Cousot’77]

• Mathematical foundation of static analysis

Page 3: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

3

Abstract Interpretation [Cousot’77]

• Mathematical foundation of static analysis

– Abstract (semantic) domains (“abstract states”)– Transformer functions (“abstract steps”)– Chaotic iteration (“abstract computation”)

Page 4: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

4

Abstract Interpretation [CC77]

• A very general mathematical framework for approximating semantics– Generalizes Hoare Logic– Generalizes weakest precondition calculus

• Allows designing sound static analysis algorithms– Usually compute by iterating to a fixed-point– Not specific to any programming language style

• Results of an abstract interpretation are (loop) invariants– Can be interpreted as axiomatic verification assertions and

used for verification

Page 5: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Abstract Interpretation in 5 Slides

• Disclaimer– Do not worry if you feel that you do not

understand the next 5 slides • You are not expected to …

– This is just to give you a view of the land …

Page 6: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

6

Collecting semantics

• For a set of program states State, we define the collecting lattice

(2State, , , , , State)

• The collecting semantics accumulates the (possibly infinite) sets of states generated during the execution– Not computable in general

Page 7: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

7

“Proof”

if x>0

x := x-1

entry

x:= x + 1

xZ

xZ

{x<=0}{x>0}

x := x-1

{x<-1}

{x<0}

xZ

{x>1}

Page 8: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

8

Abstract (conservative) interpretation

set of states set of statesoperational semantics(concrete semantics)

statement Sset of states

abstract representation abstract semantics

statement S abstract representation

concretization concretization

Page 9: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

9

Abstract (conservative) interpretation

{x 1, x 2, …}↦ ↦ {x 0, x 1, …}↦ ↦operational semantics(concrete semantics)

x=x-1{x 0, x 1, …}↦ ↦

0 < x abstract semantics

x = x -10 ≤ x

concretization concretization

Page 10: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

10

Abstract (conservative) interpretation

{x 1, x 2, …}↦ ↦ {…, x 0, …}↦operational semantics(concrete semantics)

x=x-1{x 0, x 1, …}↦ ↦

0 < x abstract semantics

x = x -1

concretization concretization

Page 11: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

11

Abstract (non-conservative) interpretation

{x 1, x 2, …}↦ ↦ { x 1, …}↦operational semantics(concrete semantics)

x=x-1{x 0, x 1, …}↦ ↦ ⊈

0 < x abstract semantics

x = x -10 < x

concretization concretization

Page 12: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Abstract Interpretation by Example

Page 13: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

13

Available Expressions Analysis

• A static analysis that infers for every program point a set of facts of the formAV = { x = y | x, y Var }

{ x = - y | x, y Var } { x = y op z | y, z Var, op {+, -, *, <=} }

• For every program with n=|Var| variables number of possible facts is finite: |AV|=O(n3)– Yields a trivial algorithm … but, is it efficient?

Page 14: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

14

What do we need to prove?

{ true }C1

x := a op bC2

{ x = a op b }y := a op bC3

{ true }C1

x := a op bC2

{ x = a op b }y := xC3

CSE

Page 15: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

15

Developing a theory of approximation

• Formulae are suitable for many analysis-based proofs but we may want to represent predicates in other ways:– Sets of “facts”– Automata– Linear (in)equalities– … ad-hoc representation

• Wanted: a uniform theory to represent semantic values and approximations

Page 16: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

16

Preorder

• We say that a binary order relation over a set D is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’

• There may exist d, d’ such thatd d’ and d’ d yet d d’

Page 17: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

17

Partial order

• A binary order relation over a set D is a partial order if – is a preorder – is anti-symmetric

• For any d, d’ ifd d’ and d’ d then d = d’

• Notation: if d d’ and d d’ we write d d’

Page 18: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

18

Some posets-related terminology

• If x y we can say– x is lower than y – x is more precise than y – x is more concrete than y – x under-approximates y

– y is greater than x – y is less precise than x – y is more abstract than x – y over-approximates x

Page 19: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Intuition

• {x > 0} x Z

Page 20: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

20

Pointed poset

• A poset (D, ) with a least element is called a pointed poset, and denoted by (D , , )

• For all dD we have that d

• We can always transform a poset (D, ) into a pointed poset by adding a special bottom element

(D {}, {d | dD}, )

Page 21: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

21

Join operator

• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The join of X is defined as

– X = the least upper bound (LUB) of all elements in X if it exists– X = min{ b | forall xX we have that xb}– The supremum of the elements in X– A kind of abstract union (disjunction) operator

• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x

Page 22: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

22

Join operator

• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The join of X is defined as

– X = the least upper bound (LUB) of all elements in X if it exists– X = min{ b | forall xX we have that xb}– The supremum of the elements in X– A kind of abstract union (disjunction) operator

• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x

Page 23: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

23

Meet operator

• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The meet of X is defined as

– X = the greatest lower bound (GLB) of all elements in X if it exists– X = max{ b | forall xX we have that bx}– The infimum of the elements in X– A kind of abstract intersection (conjunction) operator

• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x

Page 24: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

24

Meet operator

• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The meet of X is defined as

– X = the greatest lower bound (GLB) of all elements in X if it exists– X = max{ b | forall xX we have that bx}– The infimum of the elements in X– A kind of abstract intersection (conjunction) operator

• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x

Page 25: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

25

Complete lattices

• A complete lattice (D, , , , , ) is• A set of elements D• A partial order x y• A join operator • A meet operator • A bottom element

= = D• A top element

= D =

Page 26: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Transfer Functions

• Mathematical foundations

Page 27: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

27

Towards an automatic proof

• Goal: automatically compute an annotated program proving as many facts of the formx = y + z as possible

• Decision 1: develop a forward-going proof• Decision 2: draw predicates from a finite set D

– “looking under the light of the lamp”– A compromise that simplifies problem by focusing attention –

possibly miss some facts that hold• Challenge 1: handle straight-line code• Challenge 2: handle conditions• Challenge 3: handle loops

Page 28: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

28

Domain for SAV

• Define atomic facts (for SAV) as = { x = y | x, y Var } { x = y + z | x, y, z Var }– For n=|Var| number of atomic facts is O(n3)

• Define sav-predicates as = 2

• For D , Conj(D) = D– Conj({a=b, c=b+d, b=c}) = (a=b) (c=b+d) (b=c)

• Note:– Conj(D1 D2) = Conj(D1) Conj(D1)– Conj({}) true

Page 29: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

29

Visualizing ordering for SAV

{false}

{x=y y=z+a}* {x=y p=q}* {y=z+a p=q}*

{x=y}* {y=z+a}* {p=q}*

{true}Greater

Lower

D={x=y, y=x, p=q, q=p, y=z+a, y=a+z, z=y+z, x=z+a}

Page 30: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

30

An algorithm for annotating SLP

• Annotate(P, x:=a) = {P} x:=a F*[x:=a](P)

• Annotate(P, S1; S2) = {P} S1; {Q1} S2 {Q2

– Annotate(P, S1) = {P} S1 {Q1}

– Annotate(Q1, S2) = {Q1} S2 {Q2}

Page 31: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

31

handling conditions: Goal

• Annotate a programif b then S1 else S2 with predicates from

• Assumption 1: P is given(otherwise use true)

• Assumption 2: b is a simple binary expression e.g., x=y, xy, x<y (why?)

{ P }if b then

{ b P }S1

{ Q1 }else

{ b P }S2

{ Q2 }{ Q }

Page 32: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

32

handling conditions: Goal

• Annotate a programif b then S1 else S2 with predicates from

• Assumption 1: P is given(otherwise use true)

• Assumption 2: b is a simple binary expression e.g., x=y, xy, x<y (why?)

{ P }if b then

{ b P }S1

{ Q1 }else

{ b P }S2

{ Q2 }{ Q }

Page 33: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

33

Annotating conditions

1. Start with P or {b P} and annotate S1 (yielding Q1)

2. Start with P or {b P} andannotate S2 (yielding Q2)

3. How do we infer a Q such that Q1Q and Q2Q?

Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2

= Conj(D1 D2)

{ P }if b then

{ b P }S1

{ Q1 }else { b P }

S2

{ Q2 }{ Q }

Possibly an SAV-fact

Possibly an SAV-fact

Page 34: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

34

Joining predicates

1. Start with P or {b P} and annotate S1 (yielding Q1)

2. Start with P or {b P} andannotate S2 (yielding Q2)

3. How do we infer a Q such that Q1Q and Q2Q?

Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2

= Conj(D1 D2)

{ P }if b then

{ b P }S1

{ Q1 }else { b P }

S2

{ Q2 }{ Q }The join operator for SAV

Page 35: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

35

Joining predicates

• Q1=Conj(D1), Q2=Conj(D2)

• We want to soundly approximate Q1 Q2 in

• Define: Q = Q1 Q2

= Conj(D1 D2)

• Notice that Q1Q and Q2Qmeaning Q1 Q2 Q

Page 36: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

36

Handling conditional expressions

• Let D be a set of facts and b be an expression• Goal: Elements in that soundly approximate– D bexpr – D bexpr

• Technique: Add statement assume bexpr assume bexpr, s sos s if B bexpr s = tt

• Find a function F[assume bexpr] : Conj(D) bexpr Conj(F[assume bexpr])

Page 37: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

37

Handling conditional expressions

• F[assume bexpr] : such thatConj(D) bexpr Conj(F[assume bexpr])

• (bexpr) = if bexpr is an SAV-fact then {bexpr} else {}– Notice bexpr (bexpr)– Examples

• (y=z) = {y=z}• (y<z) = {}

• F[assume bexpr](D) = D (bexpr)

Page 38: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

38

Example

{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }

Page 39: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

39

Example

{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }

Page 40: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Handling assumes

• Meet or join?

Page 41: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Another Example

Page 42: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

42

Constant Propagation (CP)

• Goal: infers facts of the form x=c

Page 43: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

43

Motivation: Constant folding

• Optimization: constant folding

– Example: x:=7; y:=x*9transformed to: x:=7; y:=7*9and then to: x:=7; y:=63

{ x=c }y := aexpr y := eval(aexpr[c/x])

constantfolding

simplifies constant expressions

Page 44: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

44

CP semantic domain

?

Page 45: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

45

CP semantic domain

• Define CP-factoids: = { x = c | x Var, c Z }– How many factoids are there?

• Define predicates as = 2

– How many predicates are there?– Do all predicates make sense? (x=5) (x=7)

• Treat conjunctive formulas as sets of factoids{x=5, y=7} ~ (x=5) (y=7)

Page 46: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

46

CP abstract transformer• Goal: define a function

FCP[x:=aexpr] : such thatif FCP[x:=aexpr] P = P’ then sp(x:=aexpr, P) P’

?

Page 47: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

47

CP abstract transformer• Goal: define a function

FCP[x:=aexpr] : such thatif FCP[x:=aexpr] P = P’ then sp(x:=aexpr, P) P’

{ x=c } x:=aexpr { }[kill]

{ y=c, z=c’ } x:=y op z { x=c op c’ }[gen-2]

{ } x:=c { x=c }[gen-1]

{ y=c } x:=aexpr { y=c }[preserve]

Page 48: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

48

Gen-kill formulation of transformers

• Suited for analysis propagating sets of factoids– Available expressions,– Constant propagation, etc.

• For each statement, define a set of killed factoids and a set of generated factoids

F[S] P = (P \ kill(S)) gen(S)• FCP[x:=aexpr] P = (P \ {x=c}) aexpr is not a constant• FCP[x:=k] P = (P \ {x=c}) {x=k}

• Used in dataflow analysis – a special case of abstract interpretation

Page 49: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

49

Does this still work?

Annotate(P, S1; S2) = let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2}

Page 50: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

50

Handling conditional expressions

• We want to soundly approximate D bexpr and D bexpr in

• Define an artificial statement assume bexpr assume bexpr, s sos s if B bexpr s = tt

• Define (bexpr) = if bexpr is CP-factoid {bexpr} else {}

• Define F[assume bexpr](D) = D (bexpr)

Page 51: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

51

Does this still work?

let Pt = F[assume bexpr] P

let Pf = F[assume bexpr] P

let Annotate(Pt, S1) be {Pt} S1 {Q1}

let Annotate(Pf, S2) be {Pf} S2 {Q2}

return {P} if bexpr then {Pt} S1 {Q1} else {Pf} S2 {Q2} {Q1 Q2}

How do we define join for CP?

Page 52: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

52

Join example

• {x=5, y=7} {x=3, y=7, z=9} =

Page 53: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

53

Does this still work?

• What about correctness?• What about termination?

Annotate(P, while bexpr do S) = N’ := Nc := P // Initialize repeat let Pt = F[assume bexpr] Nc

let Annotate(Pt, S) be {Nc} Abody {N’} Nc := Nc N’ until N’ = Nc return {P} INV= {N’} while bexpr do {Pt} Abody {F[assume bexpr](N)}

Page 54: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

54

Does this still work?

• What about correctness?– If loop terminates then is N’ a loop invariant?

• What about termination?

Annotate(P, while bexpr do S) = N’ := Nc := P // Initialize repeat let Pt = F[assume bexpr] Nc

let Annotate(Pt, S) be {Nc} Abody {N’} Nc := Nc N’ until N’ = Nc return {P} INV= {N’} while bexpr do {Pt} Abody {F[assume bexpr](N)}

Page 55: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

55

What were the common elements?

• Two static analyses– Available Expressions (extended with equalities)– Constant Propagation

• Semantic domain– An approximation relation

• A weaker one given by set inclusion

– Join operator• Abstract transformers for basic statements

– Assignments– assume statements

• Initial precondition

Page 56: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

56

Abstract Interpretation [Cousot’77]More Formally …

• Mathematical foundation of static analysis

Page 57: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

57

Abstract Interpretation [Cousot’77]

• Mathematical framework for approximating semantics (aka abstraction)– Allows designing sound static analysis algorithms• Usually compute by iterating to a fixed-point

– Computes (loop) invariants• Can be interpreted as axiomatic verification assertions• Generalizes Hoare Logic & WP / SP calculus

Page 58: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

58

Abstract Interpretation [Cousot’77]

• Mathematical foundation of static analysis– Abstract domains• Abstract states ~ Assertions• Join () ~ Weakening

– Transformer functions• Abstract steps ~ Axioms

– Chaotic iteration • Structured Programs ~ Control-flow graphs• Abstract computation ~ Loop invariants

Page 59: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
Page 60: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

60

Introduction to Domain Theory

Page 61: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

61

Motivation

• Let “isone” be a function that must return “1$” when the input string has at least a 1 and “0$” otherwise– isone(00…0$) = 0$– isone(xx…1…$) =1$– isone(0…0) =?

• Monotonicity: in terms of information– Output is never retracted• More information about the input is reflected in more

information about the output– How do we express monotonicity precisely?

Page 62: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

62

Montonicity

• Define a partial orderx y– A partial order is reflexive, transitive, and anti-symmetric– y is a refinement of x

• “more precise”

• For streams of bits x y when x is a prefix of y• For programs, a typical order is:– No output (yet) some output

Page 63: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

63

Montonicity

• A set equipped with a partial order is a poset• Definition: – D and E are postes– A function f: D E is monotonic if

x, y D: x D y f(x) E f(y) – The semantics of the program ought to be a

monotonic function• More information about the input leads to more

information about the output

Page 64: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

64

Montonicity Example• Consider our “isone” function with the prefix

ordering• Notation:– 0k is the stream with k consecutive 0’s– 0 is the infinite stream with only 0’s

• Question (revisited): what is isone(0k )?– By definition, isone(0k$) = 0$ and isone(0k1$) = 1$– But 0k 0k$ and 0k 0 k1$– “isone” must be monotone, so:

• isone( 0k ) isone( 0k$) = 0$• isone( 0k ) isone( 0k1$) = 1$

– Therefore, monotonicity requires that isone(0k ) is a common prefix of 0$ and 1$, namely

Page 65: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

65

Motivation• Are there other constraints on “isone”?• Define “isone” to satisfy the equations

– isone()=– isone(1s)=1$– isone(0s)=isone(s)– isone($)=0$

• What about 0?

• Continuity: finite output depends only on finite input (no infinite lookahead)– Intuition: A program that can produce observable results can

do it in a finite time

Page 66: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

66

Chains

• A chain is a countable increasing sequence<xi> = {xi X | x0 x1 … }

• An upper bound of a set if an element “bigger” than all elements in the set

• The least upper bound is the “smallest” among upper bounds:– xi <xi> for all i N– <xi> y for all upper bounds y of <xi>

and it is unique if it exists

Page 67: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

67

Complete Partial Orders

• Not every poset has an upper bound– with n and nn for all n N– {1, 2} does not have an upper bound

• Sometimes chains have no upper bound

0 1 2…

2

1

0

The chain

0 12…

does not have an upper bound

Page 68: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

68

Complete Partial Orders

• It is convenient to work with posets where every chain (not necessarily every set) has a least upper bound

• A partial order P is complete if every chain in P has a least upper bound also in P

• We say that P is a complete partial order (cpo)• A cpo with a least (“bottom”) element is a pointed

cpo (pcpo)

Page 69: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

69

Examples of cpo’s• Any set P with the order

x y if and only if x = y is a cpoIt is discrete or flat

• If we add so that x for all x P, we get a flat pointed cpo• The set N with is a poset with a bottom, but not a complete

one• The set N { } with n is a pointed cpo• The set N with is a cpo without bottom• Let S be a set and P(S) denotes the set of all subsets of S

ordered by set inclusion– P(S) is a pointed cpo

Page 70: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

70

Constructing cpos

• If D and E are pointed cpos, then so is D × E(x, y) D×E (x’, y’) iff x D x’ and yE y’D×E = (D , E ) (x i , y i ) = ( D x i , E y i)

Page 71: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

71

Constructing cpos (2)

• If S is a set of E is a pcpos, then so is S Em m’ iff s S: m(s) E m’(s)SE = s. E

(m , m’ ) = s.m(s) E m’(s)

Page 72: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

72

Continuity

• A monotonic function maps a chain of inputs into a chain of outputs:x0 x1 … f(x0) f(x1) …

• It is always true that:i <f(xi)> f(i <xi>)

• Butf(i <xi>) i <f(xi)> is not always true

Page 73: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

73

A Discontinuity Example

3

2

1

0

1

f(i <xi>) i <f(xi)>

Page 74: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

74

Continuity

• Each f(xi) uses a “finite” view of the input

• f(<xi> ) uses an “infinite” view of the input• A function is continuous when

f(<xi>) = i <f(xi)>• The output generated using an infinite view of the

input does not contain more information than all of the outputs based on finite inputs

Page 75: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

75

Continuity

• Each f(xi) uses a “finite” view of the input

• f(<xi> ) uses an “infinite” view of the input• A function is continuous when

f(<xi>) = i <f(xi)>• The output generated using an infinite view of the

input does not contain more information than all of the outputs based on finite inputs

• Scott’s thesis: The semantics of programs can be described by a continuous functions

Page 76: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

76

Examples of Continuous Functions • For the partial order ( N { }, )

– The identity function is continuousid(ni) = id(ni )

– The constant function “five(n)=5” is continuousfive(ni) = five(ni )

– If isone(0) = then isone is continuos

• For a flat cpo A, any monotonic function f: A Asuch that f is strict is continuous

• Chapter 8 of the Wynskel textbook includes many more continuous functions

Page 77: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

77

Fixed Points

• Solve equation:

where W:∑ ∑ ; W= Swhile b do S

W(Ss ) if Bb()=true W() = if Bb()=false

if Bb()= {

Page 78: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

78

Fixed Points

• Solve equation:

where W:∑ ∑ ; W= Swhile be do s

• Alternatively, W = F(W) where:

F(W) = .

W(Ss ) if Bb()=true W() = if Bb()=false

if Bb()= {

W(Ss ) if Bb()=true if Bb()=false

if Bb()= {

Page 79: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

79

Fixed Point (cont)

• Thus we are looking for a solution for W = F( W)– a fixed point of F

• Typically there are many fixed points• We may argue that W ought to be continuous

W [∑ ∑]• Cut the number of solutions• We will see how to find the least fixed point for such

an equation provided that F itself is continuous

Page 80: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

80

Fixed Point Theorem• Define Fk = x. F( F(… F( x)…)) (F composed k times)• If D is a pointed cpo and F : D D is continuous,

then – for any fixed-point x of F and k N

Fk () x– The least of all fixed points is

k Fk ()• Proof:

i. By induction on k.• Base: F0 ( ) = x• Induction step: Fk+1 ( ) = F( Fk ( )) F( x) = x

ii. It suffices to show that k Fk () is a fixed-point• F(k Fk ()) = k Fk+1 ( ) = k Fk ()

Page 81: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

81

Fixed-Points (notes)

• If F is continuous on a pointed cpo, we know how to find the least fixed point

• All other fixed points can be regarded as refinements of the least one– They contain more information, they are more

precise– In general, they are also more arbitrary

Page 82: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

82

Fixed-Points (notes)

• If F is continuous on a pointed cpo, we know how to find the least fixed point

• All other fixed points can be regarded as refinements of the least one– They contain more information, they are more

precise– In general, they are also more arbitrary

– They also make less sense for our purposes

Page 83: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Denotational Semantics

• Meaning of programs

Page 84: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

84

Denotational Semantics of While• ∑ is a flat pointed cpo

– A state has more information on non-termination– Otherwise, the states must be equal to be comparable (information-

wise)

• We want strict functions ∑ ∑– therefore, continuous functions

• The partial order on ∑ ∑ f g iff f(x) = or f(x) = g(x) for all x ∑– g terminates with the same state whenever f terminates– g might terminate for more inputs

Page 85: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

85

Denotational Semantics of While

• Recall that W is a fixed point ofF:[[∑ ∑][∑ ∑]]

• F is continuous

• Thus, we set Swhile b do c = Fk()– Least fixed point

• Terminates least often of all fixed points

• Agrees on terminating states with all fixed point

w(Ss()) if Bb()=true F(w) = . if Bb()=false

if Bb()= {

Page 86: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

86

Denotational Semantics of While

• S skip = .• S X := exp = .[X Aexp ]

• S s0 ; s1 = . S s1 (S s0 )

• S if b then s0 else s1 =

. if Bb then S s0 else S s1 • S while b do s = Fk() – k=0, 1, … – F = w. . if Bb()=true w(Ss()) else

Page 87: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

87

Example(1)

• while true do skip• F:[[∑ ∑][∑ ∑]]

w(Ss()) if Bb()=true F = w.. if Bb()=false

if Bb()=

Btrue=.trueSskip=.

F = w..w()

F0()= F1() = F2() = =

{

Page 88: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

88

Example(2)

• while false do s• F:[[∑ ∑][∑ ∑]]

Bfalse=.false

F = w..

F0()= F1() = . F2() = . =.

w(Ss()) if Bb()=true F = w.. if Bb()=false

if Bb()= {

Page 89: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

89

Example(3) while x3 do x = x -1 = Fk() k=0, 1, …

whereF = w. . if (x)3 w([x (x) -1]) else

F0()

F1() if (x)3 ([x (x) -1]) else if (x)3 then else

F2() if (x)3 then F1([x (x) -1] ) else if (x)3 then (if [x (x) -1] x 3 then else [x (x) -1] ) else if (x)3 (if (x) 4 then else [x (x) -1] ) else if (x) {3, 4} then [x 3] else

Fk()lfp(F)

if (x) {3, 4, …k} then [x 3] else if (x) 3 then [x 3] else

Page 90: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

90

Complete Lattice

• Let (D, ) be a partial order

• D is a complete lattice if every subset has both greatest lower bounds and least upper bounds

Page 91: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

91

Knaster-Tarski Theorem

• Let f: L L be a monotonic function on a complete lattice L

• The least fixed point lfp(f) exists– lfp(f) = {x L: f(x)x}

Page 92: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

92

Fixed Points

• A monotone function f: L L where (L, , , , , ) is a complete lattice

• Fix(f) = { l: l L, f(l) = l}• Red(f) = {l: l L, f(l) l}• Ext(f) = {l: l L, l f(l)}– l1 l2 f(l1 ) f(l2 )

• Tarski’s Theorem 1955: if f is monotone then:– lfp(f) = Fix(f) = Red(f) Fix(f)– gfp(f) = Fix(f) = Ext(f) Fix(f)

f()

f()

f2()

f2()

Fix(f)

Ext(f)

Red(f)gfp(f)

lfp(f)

Page 93: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Constant Propagation - Again

Page 94: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

94

Constant Propagation

• Optimization: constant folding

– Example: x:=7; y:=x*9transformed to: x:=7; y:=7*9and then to: x:=7; y:=63

• Analysis: constant propagation (CP)– Infers facts of the form x=c

{ x=c }y := aexpr y := eval(aexpr[c/x])

constantfolding

simplifies constant expressions

Page 95: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

95

CP semantic domain

• Define CP-factoids: = { x = c | x Var, c Z }– How many factoids are there?

• Define predicates as = 2

– How many predicates are there?– Do all predicates make sense? (x=5) (x=7)

• Treat conjunctive formulas as sets of factoids{x=5, y=7} ~ (x=5) (y=7)

Page 96: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

96

One lattice per variable

true

false

x=0

x0

x<0 x>0

x0

true

false

y=0

y0

y<0 y>0

y0

How can we compose them?

Page 97: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

97

Cartesian product of complete lattices

• For two complete lattices L1 = (D1, 1, 1, 1, 1, 1) L2 = (D2, 2, 2, 2, 2, 2)

• Define the posetLcart = (D1D2, cart, cart, cart, cart, cart)as follows:– (x1, x2) cart (y1, y2) iff x1 1 y1 x2 2 y2

– cart = ? cart = ? cart = ? cart = ?

• Lemma: L is a complete lattice• Define the Cartesian constructor Lcart = Cart(L1, L2)

Page 98: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

98

Cartesian product example=(,)

x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0

x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0……

x0,y0 x0,y0 x0,y0x0,y0

x0 x0 y0 y0

(false, false)How does it represent

(x<0y<0) (x>0y>0)?

=(, )

Page 99: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

99

Disjunctive completion

• For a complete lattice L = (D, , , , , )

• Define the powerset lattice L = (2D, , , , , ) = ? = ? = ? = ? = ?

• Lemma: L is a complete lattice

• L contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates

• Define the disjunctive completion constructorL = Disj(L)

Page 100: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

100

The base lattice CP

{x=0}

{x=-1}{x=-2} {x=1} {x=2} ……

Page 101: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

101

The disjunctive completion of CP

{x=0}

true

{x=-1}{x=-2} {x=1} {x=2} ……

false

{x=-2x=-1} {x=-2x=0} {x=-2x=1} {x=1x=2}… … …

{x=0 x=1x=2}{x=-1 x=1x=-2}… ………

What is the height of this lattice?

Page 102: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

102

Relational product of lattices

• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)

• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = ?

Page 103: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

103

Relational product of lattices

• L1 = (D1, 1, 1, 1, 1, 1)L2 = (D2, 2, 2, 2, 2, 2)

• Lrel = (2D1D2, rel, rel, rel, rel, rel)as follows:– Lrel = Disj(Cart(L1, L2))

• Lemma: L is a complete lattice• What does it buy us?

Page 104: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

104

Cartesian product exampletrue

false

x<0,y<0 x<0,y=0 x<0,y>0 x=0,y<0 x=0,y=0 x=0,y>0 x>0,y<0 x>0,y=0 x>0,y>0

x0,y<0 x0,y<0 x0,y=0 x0,y=0 x0,y>0 x0,y>0 x>0,y0 x>0,y0……

x0,y0 x0,y0 x0,y0x0,y0

x0 x0 y0 y0

How does it represent(x<0y<0) (x>0y>0)?

What is the height of this lattice?

Page 105: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

105

Relational product exampletrue

false

(x<0y<0)(x>0y>0)

x0 x0 y0 y0

How does it represent(x<0y<0) (x>0y>0)?

(x<0y<0)(x>0y=0) (x<0y0)(x<0y0)

What is the height of this lattice?