Abstract Interpretation with Intervals

A framework of methods, known as abstract interpretation (AI), is proposed by Cousot et al. [CC77] to formally mitigate the problem of computability in program analysis. Instead of finding the LFP, which may not be computable, it is much more efficient to work out an approximation of the LFP. Despite the outcome of an AI-based static analysis not being as precise as the LFP, the significant benefits of AI is two-fold. Firstly, the program analysis framework can now produce a “yes” or “I don’t know” answer to a query of a program property in a finite amount of time. Secondly, it provides the means to prove the correctness of an answer produced by the static analyzer using AI in formal mathematics.

Here, a simple formulation of interval arithmetic is first introduced, which is then exercised in the AI framework, again by using the simple example in Figure 2.7.

Interval Arithmetic

Interval arithmetic (IA), is a method to enclose a set of solutions that may arise in computation problems [Moo+09]. The standard method is to use a pair of values [a, b], to represent {v | a ≤ v ≤ b}, a potentially infinite set of real numbers between a and b. As it is closely related to sets of reals and real arithmetic, IA gets the benefits of both worlds.

Firstly, operations, similar to the set operations such as the subset relation “⊆”, union “∪” and intersection “∩” from R, can also be defined for real intervals Interval. The corresponding operations are known as the partial ordering “v”, join “t” and meet “u”, a partially ordered set with these operations defined for all elements within it is a complete

lattice. The definitions of these operators on two intervals [a, b] and [c, d] are as follows:

[a, b] v [c, d] := a ≥ c ∧ b ≤ d,

[a, b] t [c, d] := [min(a, c), max(b, d)],

[a, b] u [c, d] :=       

[max(a, c), min(b, d)] if max(a, c) ≤ min(b, d),

⊥ otherwise.

(2.25)

where s := t indicates s is defined as t, min(x, y) and max(x, y) respectively compute the minimum and maximum of x and y, and ⊥, > respectively denote intervals with no elements, i.e. an empty interval, and the entire set of reals. For completeness, the above relations can be further extended for > and ⊥, where X] _{∈ Interval is an interval:}

X]t > := >, and X]u ⊥ := ⊥. (2.26)

As a consequence, ⊥ and > are respectively the least and greatest elements of Interval. This means that ⊥ v X]_{and X}] _{v > for any interval X}]_.

Secondly, in a similar fashion to real arithmetic, arithmetic operations can also be defined for real intervals:

[a, b] + [c, d] = [a + c, b + d] , [a, b] − [c, d] = [a − d, b − c] , [a, b] × [c, d] = [min(s), max(s)] ,

where s = {a × c, a × d, b × c, b × d} , − [a, b] = [−b, −a] .

(2.27)

A scalar value x, which can be abbreviated by x itself, represents an interval [x, x] in IA.

An Informal Approach to Approximation

AI is a theoretical framework to approximate mathematical objects that are not directly computable. We start by explaining what it means to approximate, then show how an approximation can be proved to be safe.

In the DFA of simple in Section 2.3.1, we arrived at a function f : ℘ (R) → ℘ (R) defined in (2.19), which is not directly computable. The IA introduced earlier could serve as an inspiration to produce a different function ˜f : Interval → Interval, which is very similar to the original f :

˜

f (X]) =ι]t0.9X]u [1, ∞], (2.28)

where ι]_{is an interval that bounds the set of initial values ι. There are two noticeable} differences between f and ˜f. Firstly, the domain, where ˜f carries out its computation, is Interval instead of ℘ (R). Secondly, because the domain used is different from f, the function definition is therefore updated accordingly for ˜f.

When given an input X, f must enumerate on all X to compute the result f (X) precisely. As we have discussed earlier this is infeasible as X could contain infinite number of values. Conversely, ˜f does not suffer from this problem, since (2.27) dictates any IA operations can be performed by a finite number of real arithmetic computations.

As it is possible to prove that both fixpoint theorems in Section 2.3.2 hold for Interval and ˜f, its LFP, an approximation to the LFP to f , can therefore be computed as follows:

lfp( ˜f ) = G

k∈N ˜

fk(⊥). (2.29)

For example, consider the case when ι = [0, 10],

˜ f0(⊥) = ⊥, ˜ f1(⊥) = ([0, 10] t 0.9⊥) u [1, ∞] = [1, 10], ˜ f2(⊥) = ([0, 10] t (0.9 × [1, 10])) u [1, ∞] = [1, 10], . . . (2.30)

As all other values in the sequence evaluates to [1, 10], lfp( ˜f )is hence [1, 10], which was computed in 3 iterations. It is easy to see in Figure 2.7 that the reachable values of x before executing the statement “x *= 0.9;” is indeed [1, 10].

In many cases, an algorithm to compute ˜fk(⊥)can terminate. It is clear that if ˜fk(⊥) = ˜

fk+1(⊥)_{for some k ∈ N, then for all integers j that are greater than k, ˜}fj(⊥) = ˜fk(⊥)and there is no point in computing ˜fj(⊥). Widening and narrowing operators [CC77; Nie+99] can be used to reduce the number of iterations required in the iterative computation steps, hence accelerating, or even ensuring, termination by sacrificing precision of the computed fixpoint, i.e. the result is no longer the LFP, but is a fixpoint X w lfp( ˜f )that can be computed more easily.

Galois Connection

Although our informal derivation gives us empirical evidence of the usefulness and correctness of intervals in place of real sets, a series of questions pertaining the theory behind it remain. The questions are of the format “is X a correct abstraction of Y ”, where X and Y refer to each of the following pairs: (Interval, ℘ (R)), ( ˜f , f ), and (lfp( ˜f ), lfp(f )).

Fortunately, Cousot et al. [CC77] show that if a Galois connection can be formed be- tween ℘ (R) and Interval, then all of the above questions can be now answered with a resounding “yes”. We can define [Nie+99]:

Definition 2.1. [Galois connection] A Galois connection is a relation between two complete lattices hL, ⊆i and hM, vi, given by a pair of functions α : L → M and γ : M → L, such that for all l ∈ L and m ∈ M:

α(l) v m if and only if l ⊆ γ(m), (2.31)

alternatively the following property may sometimes be easier to work with:

l ⊆ γ(α(l)) and α(γ(m)) v m. (2.32)

The Galois connection above can often be concisely written as:

Here, the functions α and γ are often called the abstraction function and concretization function respectively.

Bearing on the informal approach earlier, the following Galois connection can be estab- lished to formalize it:

h℘ (R), ⊆i −−→←−−_αγ hInterval, vi, (2.34)

The functions α : ℘ (R) → Interval and γ : Interval → ℘ (R) that satisfy (2.31) can be defined as follows:

α(X) = [inf(X), sup(X)] , γ ([a, b]) = {v | a ≤ v ≤ b} ,

(2.35)

where inf(X) and sup(X) are respectively the infimum and supremum of X. Here α takes a potentially infinite set of reals and translate it into a pair of values representing an interval bounding the reals, whereas γ performs the backwards translation from an interval to a set of reals. For instance:

α ({1, 1.2, 3}) = [1, 3] ,

γ ([1, 3]) = {v | 1 ≤ v ≤ 3} .

(2.36)

It is clear that information could be lost when the abstraction function α is applied. As shown in the example above, a set of three real values 1, 1.2 and 3 can be approximated by an interval [1, 3], which represents a set of real values ranging from 1 to 3.

Furthermore, from a function g : L → L, the AI framework allows an approximated function g]_{: M → Mto be inductively abstracted by the Galois connection [Nie+99]. For} example, consider (2.19) which is not computable, an approximated candidate f]_{can be} computed by α ◦ f ◦ γ. Since we are computing in Interval, we assume that ι = γ(ι]₎ and use a] _{and a}] _{respectively denote the lower- and upper-bounds of an interval a}]_,

i.e. a]₌h_a]_{, a}]i_:

f](X]) = αfγX]= αfnv | X] ≤ v ≤ X]o = αι ∪n0.9v | X]≤ v ≤ X]o_{∩ {v | v > 1}}

= α(ι ∩ {v | v > 1}) ∪nv | 0.9X]≤ v ≤ 0.9X]o_{∩ {v | v > 1}}_.

We introduce  to denote an infinitesimal positive value. Because α(A∪B) = α(A)tα(B):

f](X]) = αnv | ι] ≤ v ≤ ι]o_{∩ {v | v > 1}}_t

αnv | min(0.9X], 1 + ) ≤ v ≤ 0.9X]o_,

(2.38)

The term  vanishes when the abstraction function α is applied:

f](X]) = αnv | min(ι], 1 + ) ≤ v ≤ ι]o_th_min(0.9X]_{, 1), 0.9X}]i =ι]u [1, ∞]t0.9X]u [1, ∞]=ι]t 0.9X]u [1, ∞] .

(2.39)

which is identical to ˜f defined in (2.28), therefore the correctness of ˜f is analytically proven. Although we derived a special case using the approximate function induction technique, in a more general fashion, this method can be applied to the functions and operators in the DFA of reachable sets of reals. Consequently, the DFA of a general program based on intervals can be induced.

Further Generalization

For simplicity, simple is used as an example of DFA. However unlike simple, general programs can consist of more than one variable. A DFA for a program should therefore compute a reachable set of values for each variable. A typical way do so is to use a mapping which associates each program variable with a value, which is defined as an element σ ∈ Σ, where Σ = [Var → L] and L is a set of values. For example, a single program state of simple could be σ0 ∈ [Var → R], and σ0 = [x 7→ 0], which denotes that the state σ0has only a variable x, and x is assigned a value 0. We could also have a state that captures multiple program states, e.g. σ]_{∈ [Var → Interval], where σ}]_(x) could be an interval.

Galois connections can be compositionally constructed [Nie+99]. If we know that ℘ (R) −−→←−−_αγ Interval, then the following Galois connection between mappings can also be constructed:

[Var → ℘ (R)] −−−→←−−− α0 γ0

where α0(f ) = α ◦ f, γ0(g) = γ ◦ g, and a term of the form s ◦ t, where s : B → C and t : A → B denotes a function which accepts an input from A and produces an intermediate output in B using t, then in turn s is used on the intermediate value to compute a final output in C.