1

Recently I have read a lot about formal verification and I am fascinated by the topic. Yet I cannot figure out the following:
Formal verification requires a formal specification so how can be abstract interpretation used on any source code in compilers, when there is no formal specification of the program?

Translation from a text in a foreign language that seems correct (and again does not seem to require a formal spec.)

If a program is represented by its control flow chart, then each branch represents a program state (can be more than one - e.g. in a loop a branch is traversed multiple times) and abstract intepretation creates static semantics that approximates the set of this states.

Here an article about abstract interpretation as a formal verification technique: http://www.di.ens.fr/~cousot/publications.www/Cousot-NFM2012.pdf

John V
  • 4,855
  • 15
  • 39
  • 63

2 Answers2

3

One can do "concrete interpretation" by building an interpreter for a language, that computes results according to the language specification manual. (The fact that the language manuals are informal leaves the correctness of such an interpreter in permanent doubt).

Abstract interpretation only requires that one have a good understanding of the program semantics, and an idea about what is worthwhile abstracting. You can get this by taking the interpreter above, and replacing actual computation with an abstraction of the computation, e.g., you can decide to represent all integer values as "positive", "zero", "negative", or "unknown". You can still compute with this, now producing qualitative results. More importantly, you can compute with this without necessarily having actual program inputs (perhaps just abstracted values). I note that the abstract interpreter is also completely untrustworthy in a formal sense, because you are still computing using the informal reference manual as a guide as to what the language will do.

Now, by running such an abstract program, you may discover that it makes mistakes (e.g., dereferences a null value) with the variables controlling that null value not being "undefined". In that case, you can suggest there is a bug in the program; you may not be right, but this might produce useful results.

Nowhere does abstract interpretation in practice tell you what the program computes formally because you are still using an informal reference manual. If the manual were to become a formal document, and your abstract interpreter is derived from by provably correct steps, then we might agree that an abstract interpretation of the program is a kind of specification modulo the abstraction for what the program actually does.

Nowhere does abstract interpretation provide with access to a formal specification of the intention for the program. So you cannot use it by itself to prove the program "correct" with respect to the specification.

Ira Baxter
  • 93,541
  • 22
  • 172
  • 341
  • Thank you! But as mentioned in the books and other sources I read, when there is a formal specification, abstract intepretation can provide the formal proof, or not? Here an article: http://www.di.ens.fr/~cousot/publications.www/Cousot-NFM2012.pdf – John V Feb 22 '16 at 10:42
  • You asked about what abstract interpretation can prove without a formal spec (of the language). The answer is "nothing". (You might have a very high degree of confidence). If you have a formal spec of the language, you might be able to *prove* properties of your program, and Dr. Cousot would know a lot more about that than I. However, it is a rare case that one has such formal spec; I've never seen one for a real language. I just use "AI" to reason about program properties with, er, confidence, under the assumption that I understood what the informal manual actually said, and testing. – Ira Baxter Feb 22 '16 at 10:46
  • So its use in compilers and tools for code quality is just for increasing confidence and finding some common errors, right? – John V Feb 22 '16 at 11:02
  • As a practical matter, that's how I see it. Pretty useful, though. – Ira Baxter Feb 22 '16 at 11:03
  • Thank you, so basically it is let say another step above tools like Sonar but that is about that. According to TIOBE code quality, it is a deep flow analysis (abstract intepretation). http://www.tiobe.com/_userdata/files/TIOBEQualityIndicator_v3_7.pdf – John V Feb 22 '16 at 11:05
  • Yes, many abstract interpretations are just a way to get deeper flow analysis than "this variable was read or written from *there*". – Ira Baxter Feb 22 '16 at 11:08
1

Abstract interpretation is a method used to statically gain understanding on how a software will behave. It never comes alone - there's always some goal which includes abstract interpretation as one of its components.

An example of such a goal is formal verification, in which a static technique (for example, abstract interpretation) is used to obtain information about the code and then compare it to a provided specification. This is why verification requires specifications - you need something to compare it to.

Oak
  • 26,231
  • 8
  • 93
  • 152
  • Sorry, I do not follow - if AbsInt is classiffied as a formal verification technique (and it is), then how can it be applied to any source code? By definition, formal verification requires formal (mathematically described) specification. But I can run AI on a source code I have no formal specification to. That is what I do not udnerstand. – John V Feb 22 '16 at 08:55