## A Certified Denotational Abstract Interpreter (Proof Pearl)

### BibTeX

```bibtex
@MISC{Cachera_acertified,
  author = {David Cachera and David Pichardie},
  title  = {A Certified Denotational Abstract Interpreter (Proof Pearl)},
  year   = {}
}
```

### Abstract

Abstract Interpretation proposes advanced techniques for static analysis of programs that raise specific challenges for machine-checked soundness proofs. Most classical dataflow analysis techniques iterate operators on lattices without infinite ascending chains. In contrast, abstract interpreters look for fixpoints in infinite lattices, where widening and narrowing operators are used to accelerate convergence. Smart iteration strategies are crucial when using such accelerating operators because they directly impact the precision of the analysis diagnostic. In this paper, we show how we manage to program, and prove correct in Coq, an abstract interpreter that uses iteration strategies based on program syntax. A key component of the formalization is the introduction of an intermediate semantics based on a generic least-fixpoint operator on complete lattices, which allows us to decompose the soundness proof in an elegant manner.
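The mechanism the abstract refers to, iterating to a post-fixpoint in the infinite-height interval lattice with widening and then refining it with narrowing, as an added example that is not code from the paper or its Coq development: a small Python interval domain run on a constructed loop `x := 0; while x < 10 do x := x + 1`. The function names (`widen`, `narrow`, `transfer`, `analyse`), the program-point labels (`head`, `body`, `inc`, `exit`) and the program itself are assumptions of this example. It shows the ascending iteration jumping from [0, 0] to [0, +∞] after one widening step, and the descending pass narrowing the loop-head invariant back to [0, 10], from which the exit point becomes [10, 10].

```python
"""Interval analysis with widening/narrowing on a constructed While loop.

Constructed program (not taken from the paper):

    x := 0; while x < 10 do x := x + 1

Program points (constructed labelling):
    head : loop head (invariant before the test)
    body : after the test x < 10 succeeded
    inc  : after x := x + 1
    exit : after the loop (test x < 10 failed)
"""
from __future__ import annotations
from math import inf
from typing import Dict, Optional, Tuple

# An interval is (lo, hi) with lo <= hi; None is bottom (the empty set).
Interval = Optional[Tuple[float, float]]


def join(a: Interval, b: Interval) -> Interval:
    """Least upper bound: smallest interval containing both."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def meet(a: Interval, b: Interval) -> Interval:
    """Greatest lower bound: intersection, bottom when empty."""
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def leq(a: Interval, b: Interval) -> bool:
    """Partial order: a is included in b."""
    if a is None:
        return True
    if b is None:
        return False
    return b[0] <= a[0] and a[1] <= b[1]


def widen(a: Interval, b: Interval) -> Interval:
    """a ▽ b: keep a bound that did not move, push a growing bound to infinity."""
    if a is None:
        return b
    if b is None:
        return a
    lo = a[0] if a[0] <= b[0] else -inf
    hi = a[1] if b[1] <= a[1] else inf
    return (lo, hi)


def narrow(a: Interval, b: Interval) -> Interval:
    """a △ b (with b ⊑ a): replace infinite bounds of a by the bounds of b."""
    if a is None or b is None:
        return None
    lo = b[0] if a[0] == -inf else a[0]
    hi = b[1] if a[1] == inf else a[1]
    return (lo, hi)


def add_const(a: Interval, c: int) -> Interval:
    """Abstract transfer of x := x + c."""
    return None if a is None else (a[0] + c, a[1] + c)


def transfer(head: Interval) -> Dict[str, Interval]:
    """One pass through the loop starting from the loop-head invariant."""
    body = meet(head, (-inf, 9))         # test x < 10 holds
    inc = add_const(body, 1)             # x := x + 1
    exit_ = meet(head, (10, inf))        # test x < 10 fails
    new_head = join((0, 0), inc)         # entry x := 0 joined with the back edge
    return {"head": new_head, "body": body, "inc": inc, "exit": exit_}


def analyse(max_rounds: int = 100) -> Dict[str, Dict[str, Interval]]:
    """Ascending iteration with widening, then descending with narrowing."""
    head: Interval = None
    for _ in range(max_rounds):               # ascending: reach a post-fixpoint
        nxt = widen(head, transfer(head)["head"])
        if nxt == head:
            break
        head = nxt
    ascending = transfer(head)
    ascending["head"] = head
    for _ in range(max_rounds):               # descending: refine it
        f_head = transfer(head)["head"]
        assert leq(f_head, head)              # post-fixpoint property must hold
        nxt = narrow(head, f_head)
        if nxt == head:
            break
        head = nxt
    final = transfer(head)
    final["head"] = head
    return {"ascending": ascending, "final": final}


if __name__ == "__main__":
    for phase, pts in analyse().items():
        print(phase, pts)
```

Widening is applied only at the loop head, the single point where the back edge closes a cycle; narrowing is sound here because every intermediate value is a post-fixpoint of the loop transfer function, which the `assert` inside `analyse` checks on each descending round.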

### Citations

2004 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation Context: ...ing chain. Instead of computing a least fixpoint, we can accommodate ourselves with an over-approximation, keeping correction in mind, but losing optimality. The solution proposed by P. and R. Cousot [6] consists in accelerating the ascending iteration, thus reaching a post-fixpoint, but not necessarily the least one. This is done by using a binary widening operator ▽, that extrapolates both of its a...

1373 | A structural approach to operational semantics
- Plotkin
- 1981
Citation Context: ...e closely the AI methodology. The key ingredient of the formalization is an intermediate collecting semantics which is proved conservative with respect to a classical structural operational semantics [15]. The current work is a first step towards a global objective of putting in the Coq proof assistant most of the advanced static analysis techniques that are used in an analyser like Astrée. We could e...

243 | Formal certification of a compiler back-end, or: Programming a compiler with a proof assistant
- Leroy
- 2006
Citation Context: ...oints 1 and 2 iteration round 1 2 3 I1 [0, 0] [0, 0] [0, +∞] J1 [0, 0] [0, +∞] [0, +∞] I2 [0, 0] [0, +∞] [0, +∞] [0, 0] [0, +∞] [0, +∞] J2 Post-fixpoint after ascending and descending iterations I1 = [0, 10] I2 = [0, 10] I3 = [1, 10] I4 = [10, 10] I5 = [0, 10] J1 = [0, +∞] J2 = [0, +∞] J3 = [0, +∞] J4 = [1, +∞] J5 = [10, +∞] (a) Strategy (1 2 3 4 5) ∗ Ascending iteration for points 1 and 2 iteration roun...

58 | The calculational design of a generic abstract interpreter
- Cousot
- 1999
Citation Context: ...ics do. This is why we consider this kind of strategy in this paper. 3 Language Syntax and Operational Semantics The analyser we formalize here is taken from an analysis previously designed by Cousot [5]. We consider a minimal While language whose concrete Coq syntax is given below. Programs are labelled 4 with elements of type word, which plays a special role in all our development. It is the type o...

55 | Relational abstract domains for the detection of floating-point runtime errors
- Miné
- 2004

55 | Winskel is (almost) right: Towards a mechanized semantics textbook
- Nipkow
- 1996
Citation Context: ...ing C compiler and has so far [10] only be interested in data flow analyses without widening/narrowing techniques. The While language has been the subject of several machine-checked semantics studies [8, 12, 2, 9] but few have studied the formalization of abstract interpretation techniques. A more recent approach in the field of semantics formalization is the work of Benton et al. [1] which gives a Coq formali...

39 | First-class type classes
- Sozeau, Oury
- 2008
Citation Context: ...architecture. Then, we conclude after a discussion of related work. Except in Section 2, all formal definitions in this paper are given in Coq syntax. We heavily rely on the new type classes features [17] in order to use concise overloaded notations that 3 This kind of “bug” is sometimes a feature in order to find a pragmatic balance between precision and algorithmic complexity. should allow the reade...

37 | The ASTRÉE Analyser
- Cousot, Cousot, et al.
- 2005
Citation Context: ... of modern software design, as it allows to screen code for potential bugs, security vulnerabilities or unwanted behaviours. A significant example is the state-of-the-art Astrée static analyser for C [7] which has proven some critical safety properties for the primary flight control software of the Airbus A340 fly-by-wire system. Taking note of such a success, the next question is: should we complete...

33 | Mechanizing programming logics in higher-order logic
- Gordon
Citation Context: ...ing C compiler and has so far [10] only be interested in data flow analyses without widening/narrowing techniques. The While language has been the subject of several machine-checked semantics studies [8, 12, 2, 9] but few have studied the formalization of abstract interpretation techniques. A more recent approach in the field of semantics formalization is the work of Benton et al. [1] which gives a Coq formali...

28 | Mechanized Semantics for the Clight Subset of the C Language
- Blazy, Leroy
Citation Context: ...se of pointers) allow Astrée to concentrate mainly on While static analysis techniques. We are currently studying how we might formally link our current abstract interpreter with the formal semantics [3] of the CompCert project. This project is dedicated to the certification of a realistic optimizing C compiler and has so far [10] only be interested in data flow analyses without widening/narrowing te...

21 | The trace partitioning abstract domain
- Rival, Mauborgne
Citation Context: ... useful for tracking the third category of static analysis failures we have mentioned in the introduction of this paper. Our abstract interpreter may appear as a toy example but it is often presented [16] as the core of the Astrée static analyser for C [7]. The same iteration strategy is used and the restrictions on the C language that are common in many critical embedded systems (no recursion, restri...

17 | Interpretation abstraite en logique intuitioniste: extraction d'analyseurs Java certi
- Pichardie
- 2005
Citation Context: ...unctions that enjoy a monotony property together with a meet morphism property. This formalization choice is motivated by our previous study of embedding AI framework in the constructive logic of Coq [13]. Module Gamma. Class t a A {Lattice.t a} {AbLattice.t A} : Type := { γ : A → a; γ_monotone : ∀ N1 N2:A, N1 ⊑ ♯ N2 → γ N1 ⊑ γ N2; γ_meet_morph : ∀ N1 N2:A, γ N1 ⊓ γ N2 ⊑ γ (N1 ⊓ ♯ N2) }. End Gamma. Co...

12 | Some domain theory and denotational semantics in Coq
- Benton, Varming
Citation Context: ... of equations. However, the lattice of intervals is of infinite height, which generally prevents us from computing a solution in finite time with a simple Kleene iteration. For instance, ∅ ⊂ [0, 0] ⊂ [0, 1] ⊂ [0, 2] ⊂ · · · ⊂ [0, n] ⊂ . . . is an infinite increasing chain. Instead of computing a least fixpoint, we can accommodate ourselves with an over-approximation, keeping correction in mind, but losi...

5 | Building certified static analysers by modular construction of well-founded lattices
- Pichardie
- 2008
Citation Context: ...r equality and partial order, and widening/narrowing operators. It is equipped with overloaded notations ⊑ ♯ , ⊓ ♯ , ⊔ ♯ , ⊥ ♯ . This abstract lattice structure has been presented in an earlier paper [14]. The lattice signature contains a well-foundedness proof obligation which ensures termination of a generic post-fixpoint iteration algorithm. Definition approx_lfp : ∀ ‘{AbLattice.t t}, (t → t) → t :...

4 | Structural abstract interpretation, a formal study in Coq
- Bertot
- 2009
Citation Context: ... directly generating an (in)equation system that was solved with a naive round-robin strategy as in Figure 2a. The soundness proof was performed with respect to an ad-hoc small-step semantics. Bertot [2] has formalized an abstract interpreter whose iteration strategy is similar to ours. His proof methodology differs from the traditional AI approach since the analyser is proved correct with respect to...

1 | Visiting Professor at the MIT Aeronautics and Astronautics Department, Course 16.399: Abstract Interpretation
- Cousot
Citation Context: ...he different instances of the analyser can be extracted to OCaml code and run on program examples 5 . 7 Related Work The analyser we have formalized here is taken from lecture notes by Patrick Cousot [5, 4]. We follow only partly his methodology here. Like him, we rely on a collecting semantics which gives a suitable semantic counterpart to the abstract interpreter. This semantics requires elements of l...

1 | Mechanized semantics, with applications to program proof and compiler verification, lecture given at the 2009 Marktoberdorf summer school
- Leroy
Citation Context: ...teration for points 1 and 2 iteration round 1 2 3 4 5 I1 [0, 0] [0, 0] [0, 0] [0, +∞] [0, +∞] J1 [0, 0] [0, 0] [0, 0] [0, +∞] [0, +∞] I2 [0, 0] [0, +∞] [0, +∞] [0, +∞] [0, +∞] J2 [0, 0] [0, 0] [0, 0] [0, 9] [0, 9] Post-fixpoint after ascending and descending iterations I1 = [0, 10] I2 = [0, 10] I3 = [1, 10] I4 = [10, 10] I5 = [0, 10] J1 = [0, 10] J2 = [0, 9] J3 = [0, 9] J4 = [1, 10] J5 = [10, 10] (b) St...