Post/Pre Hypersemantics

In the previous sections we have seen two intuitive ways for extending base semantics to sets of sets. Clearly, there are a lot of other possibilities and, in this section, we see how to define hypersemantics useful for partial verification. In particular, we define the post and pre hypersemantics for the more concrete cases where Den = Σ∞~_{, for backward semantics,} and Den = Σ∝~_{, for forward semantics. The Post hypersemantics τ}∞~

postis defined as: τ_post∞~ _,nS_n>0τ~n X∪ τ~ω  X ⊆ Ω o where τ~n X , {σ ∈ τ ~ n _{| σ} n−1∈ X} The Pre hypersemantics τ~∝

preis defined as: τ_pre∝~ _,nS n>0τ ˙ ~ n X  X ⊆ Υ ∧ X 6= ∅ o where τ~n˙ X , {σ ∈ τ ˙ ~n_{| σ} 0∈ X} The first collects the sets of terminating computations partitioned by all possible sets of final states, plus the infinite computations of course. This is a backward semantics and intuitively says which initial states we need to take in order to reach some given final states. The second does the opposite, namely it collects the sets of partial (finite) computations partitioned by all the possible sets of initial states. This is a forward semantics and intuitively says which partial computations we obtain starting from some given initial states.

Example 10. As example, consider the transition system with: • Σ = {a, b, c, d, e};

• τ = {ha, bi, ha, ci, hb, di, hc, ci, he, bi, he, ei}; • Υ = {a, e};

• Ω = {d}.

Then the maximal trace semantics and the partial trace semantics are τ∞~ = {d, bd, abd} ∪ {enbd | n ≥ 1} ∪ {cω, acω, eω}

τ∝~ = {a, ab, abd} ∪ {acn | n ≥ 1} ∪ {en | n ≥ 1} ∪ {enb | n ≥ 1} ∪ {enbd | n ≥ 1} The hyper versions are

τ_post∞~ =τ∞~_{, {c}ω_{, ac}ω_{, e}ω_}

τ_pre~∝ =τ∝~_{, {a, ab, abd} ∪ {ac}n_{| n ≥ 1}, {e}n _{| n ≥ 1} ∪ {e}n_{b | n ≥ 1} ∪ {e}n_{bd | n ≥ 1}} being ℘(Ω) ={d}, ∅ and ℘(Υ) \ {∅} = {a, e}, {a}, {e} .

These hypersemantics can be used for partially verifying hyperproperties, since they provide the semantics parametrically on the subsets of blocking/initial states. Suppose that, instead of checking whether a program fulfills a hyperproperty Hp, we want to check when a program fulfills it. The problem boils down to analyze the intersection τ∞~

post∩ Hp [or τ ~ ∝

pre∩ Hp]. If the intersection is ∅ then the answer is “never”, if the answer is τ∞~

post[or τ ~ ∝

M. Pasqua 6.1. Hyper Static Analysis

otherwise we have that for particular final states [initial states] the system satisfies the hy- perproperty. Hence we have a form of partial satisfiability. This is useful, for example when we want to know under what conditions we can still use an unsafe system.

Computing Post/Pre Hypersemantics. As for the other semantics, also pre and post hy- persemantics are constructive, hence we give now their computational fixpoint definitions. For the post hypersemantics we have hF∞~

post, O, {⊥ ~

∞_{}i, where O , hGEN}H_{, v}H_{, ˜}ti and4

F_post∞~ _{, λX .}X ∪ Σ~ωX ⊆ Ω ˜tX t τ ˙ ~2

_ X X ∈ X

The partial least upper bound operator is defined, for every non-empty X , Y ∈ GENH_{, as:}

X ˜t Y , {X t Y | X ∈ X ∧ Y ∈ Y ∧ (X v Y ∨ Y v X)} ∪_{{X ∈ X | ∀Y ∈ Y . X 6v Y ∧ Y 6v X} ∪ {Y ∈ Y | ∀X ∈ X . Y 6v X ∧ X 6v Y }}

It basically makes the union of the elements of X and Y which are in relation v, and adds all other elements of both sets, as they are. For the pre hypersemantics we have hF∝~

pre, O, {∅}i, where O , hGENH_{, ⊆}H, ˜∪i and

F_pre∝~ _{, λX . {X ⊆ Υ | X 6= ∅} ˜}∪X ∪ X _ τ~2˙  X ∈ X

The partial least upper bound operator is defined, for every non-empty X , Y ∈ GENH_{, as:}

X ˜∪ Y , {X ∪ Y | X ∈ X ∧ Y ∈ Y ∧ (X ⊆ Y ∨ Y ⊆ X)} ∪_{{X ∈ X | ∀Y ∈ Y . X 6⊆ Y ∧ Y 6⊆ X} ∪ {Y ∈ Y | ∀X ∈ X . Y 6⊆ X ∧ X 6⊆ Y }}

It follows the same intuition as the operator for the post hypersemantics. For the iterates of F∞~

postand F ~ ∝

prewe have that vH and ⊆H are partial orders and the iterates are increasing. Furthermore, both operators stabilize in at most a countable number of steps, indeed:

τ_post∞~ = lfpv_{{⊥ ~}H_∞}F_post~∝ =G˜ n<ωF ~ ∞ post n ({⊥∞~}) and τ∝~ pre= lfp ⊆H {∅}F ~ ∝ pre= ˜ [ n<ωF ~ ∝ pre n ({∅})

Analyzing Analyses. Pre and Post hypersemantics do not only allow us to provide weaker forms of satisfiability, but they provide a promising methodology allowing us to lift static analyses (for hyperproperties) directly at the hyper level. We believe that this approach could provide a deep insight and useful formal tools also for tackling the problem of an-

alyzing analyzers, aiming at systematically analyzing static analyses [Giacobazzi, Logozzo,

and Ranzato,2015; Cousot, Giacobazzi, and Ranzato,2019].

A static analysis for invariants can be seen as the characterization, potentially approxi- mated, of the set of reachable states τR_{from the initial states in Υ, which provides a, po-} tentially approximated, invariant of the program. Very often, we are interested in a re- stricted invariant, namely on the reachable states τR|I originated from a subset I ⊆ Υ of initial states. The most common static analyzers compute this information by a sys- tem of equations associating each control point with a set of memories (the invariant), as

4_{Here t is the least upper bound operator used to compute the maximal trace semantics τ}∞~ .

86 86

Chapter 6. Hyper Program Analysis M. Pasqua

we have seen in Chapter5. This means that they compute the state semantics in its form τ`R∈ Lab −→ ℘(Mem), or τ

R

` |Iif it is restricted to initial states in I.

We can observe that the semantics of an (abstract) interpreter of a program P is an ab- straction of the hypersemantics of P. We have already seen that τR _{is an abstraction of} τ∝~, through the function αR_{◦ α}∝ _{(see Section4.1.2). Then, by isomorphism, τ}R

` is also

an abstraction of τ∝~_{, through the function α}

? , α` ◦ αR ◦ α∝. Analogously, the seman-

tics of an (abstract) interpreter, associating with each possible subset I of initial states, the corresponding reachable states τR

` |I, is an abstraction of τ

~ ∝

pre. As usual, we obtain abstract invariants in the abstract domain A exploiting a Galois connection h℘(Mem), ⊆i −−→←−−_αγ hA, 4i, extended to labels, namely:

hLab −→ ℘(Mem), ˙_{⊆i −−→}←−− ˙ α

˙ γ

hLab −→ A, ˙_4i

Proposition 7. The semantics of the abstract interpreter, applied on a given program P, computing abstract invariants in A, is ˆ˙α ◦ ˆα?(τ_pre∝~ ), i.e. it is an abstraction of the Pre hypersemantics τ_pre∝~ of P. We recall thatˆ·indicates the direct image lift, namely ˆ˙α ◦ ˆα?= λX . { ˙α ◦ α?(X) | X ∈ X }. The meaning of the proposition is that if we specialize, in the sense of partial evaluation, a static analyzer on a given program P then the semantics of the specialized program is an abstraction of the Pre hypersemantics of P. Hence, analyzing τ~∝

prewe can, indirectly, obtain information about the analyzer.