On multi-language abstraction: Towards a static analysis of multi-language programs

Abstract

Modern software development rarely takes place within a single programming language. Often, programmers appeal to cross-language interoperability. Examples are exploitation of novel features of one language within another, and cross-language code reuse. Our previous works developed a theory of so-called multi-languages, which arise by combining existing languages, defining a precise notion of (algebraic) multi-language semantics. As regards static analysis, the heterogeneity of the multi-language context opens up new and unexplored scenarios. In this paper, we provide a general theory for the combination of abstract interpretations of existing languages, regardless of their inherent nature, in order to gain an abstract semantics of multi-language programs. As a part of this general theory, we show that formal properties of interest of multi-language abstractions (e.g., soundness and completeness) boil down to the features of the interoperability mechanism that binds the underlying languages together. We extend many of the standard concepts of abstract interpretation to the framework of multi-languages.

Appendices

Appendix A

Examples of algebraic semantics for \(\textsf{Imp}\)

We illustrate a simple imperative language \(\textsf{Imp}\) on which we define various semantics in the algebraic style, namely small step operational, prefix trace, and reachability.

Let \(\mathbb{X}\) be a set of variables and \(\mathbb{V}\) a set of scalar values with metavariables x and v, respectively. Variables and values occur in the language as terminal symbols, and for each production defining the syntax of the language (on the right), we introduce a corresponding algebraic operator (on the left), or a family of operators when they are parametric on a subscript:

$$\begin{aligned} \begin{array}{l|rllr} \text {(v)} &{} \langle exp \rangle & {::=}& v & \text {{scalar values}} \\ \text {(x)} &{} \langle exp \rangle & {::=}& x &{} \text {{ variables}} \\ (bop_\odot ) &{} \langle exp \rangle & {::=} & \langle exp \rangle \odot \langle exp \rangle &{} \text {{ binary operations}} \\ ( skip ) &{} \langle com \rangle & {::=} & \text {skip}&{} \text {{ do-nothing}} \\ ( assign _x) \quad &{} \quad \langle com \rangle & {::=} & \text {x} = \langle exp \rangle &{} \text {{ assignment}} \\ ( cond ) &{} \langle com \rangle & {::=} & \text {if }\langle exp \rangle \text { then }\langle com \rangle \text { else }\langle com \rangle \quad &{} \text {{conditional}} \\ ( loop ) &{} \langle com \rangle & {::=} & \text {while}\,\langle exp \rangle \,\text {do}\,\langle com \rangle &{} \text {{ loop statement}} \\ ( seq ) &{} \langle com \rangle & {::=} & \langle com \rangle ;\,\langle com \rangle &{} \text{{composition}} \end{array} \end{aligned}$$

where \(\odot \) is a binary operator such as \(\text {+}\), \(\text {-}\), \(\text {{*}}\), etc. We abuse notation and assume that \(\odot \) denotes both a syntactical symbol of the language and a mathematical function \(\odot :\mathbb{V}^2 \rightarrow \mathbb{V}\) over values. The rank of each algebraic operator can be inferred by the non-terminals appearing in the production rules; for instance, the operator \( cond \) is sorted as

$$\begin{aligned} cond : exp , com , com \rightarrow com \end{aligned}$$

In the examples in the following sections, we often use the correspondence between algebraic and context-free terms. For instance, we may write the algebraic term \( cond (bop_{>}(\text {x}, 0), skip , assign _{\text {x}}(bop\_(0, \text {x})))\) in the less cumbersome context-free form \(\text{if}\;\text{x > 0}\;\text{then}\;\text{skip}\;\text{else}\;\text{x}\;\text{ = }\;\text{0 - x}\).

2.1 A small-step operational semantics

We define a small-step operational semantics \(\mathscr {S}\) describing the program execution steps. The presentation provided here is purely algebraic, and therefore less intuitive than the traditional rule-based style. However, the algebraic framework allows to express many more kinds of semantics in the same formalism, thus favouring their comparison.

Expressions

We treat expressions \(\text {E}\) as “atomic” terms that are fully evaluable into a scalar value in a single-step. Let \(\mathbb{S}_{ exp }\triangleq \{ \, \langle {\text {E}, \rho }\rangle \, \vert \; \text {E} \in {\llbracket exp \rrbracket }_{\mathscr {T}_{\textsf{Imp}}} \wedge \rho \in {\mathbbm{Env}} \}\) be the set of configurations where \(\text {E}\) is an expression and \(\rho \) an environment in \({\mathbbm{Env}}\triangleq \mathbb{X}\rightarrow \mathbb{V}\). The small-step semantics of expressions is given in Fig. 17. Intuitively, starting from an expression \(\text {E}\), we build a set of pairs in \(\mathcal {P}(\mathbb{S}_{ exp }\times \mathbb{V})\) representing the one-step evaluation of \(\text {E}\) in each environment \(\rho \). More precisely, \( \langle{E} \rho \rangle v \in {\llbracket {E} \rrbracket}_{\mathscr{S}}\) simply means that \(\text {E}\) is evaluated into v in \(\rho \). We write \({\llbracket {\text {E}} \rrbracket }_{\mathscr {S}}^\rho \) for denoting such v (unique by construction).

Remark 5

Note that from the small-step semantics \(\llbracket \text {E} \rrbracket_{\mathscr{S}}\) of an expression \(\text {E}\), we are able to recover the term \(\text {E}\). Indeed, \(\llbracket \text {E} \rrbracket_{\mathscr {S}} \ne \varnothing \) and if \( {\langle {\text{E}}_{1}, \rho_{1} \rangle} {\rightarrowtriangle} v_{1}\) and \( {\langle {\text{E}}_{2}, \rho_{2} \rangle} {\rightarrowtriangle} v_{2}\) are transitions (that is, pairs) in \({\llbracket {\text{E}} \rrbracket }_{\mathscr {S}}\), then \(\text {E}_{1} = \text{E} = \text {E}_2\) (this can be shown by a simple structural induction on \(\text {E}\)).

Remark 6

There are some missing cases in the definition of the interpretation functions for the operators in Fig. 17. For instance, we have defined \({\llbracket bop_\odot \rrbracket }_{\mathscr {S}}\) on arguments \({\llbracket \text {E}_1\rrbracket }_{\mathscr {S}}\) and \({\llbracket \text {E}_2\rrbracket }_{\mathscr {S}}\). However, there are semantic elements in \(\mathcal {P}(\mathbb{S}_{ exp }\times \mathbb{V})\) that are not the image of any expressions \(\text {E}\) (e.g., the empty set \(\varnothing \)). We shall leave implicit that \({\llbracket bop_\odot \rrbracket }_{\mathscr {S}}(e_1, e_2) \triangleq \varnothing \) whenever there are no \(\text {E}_1\) or \(\text {E}_2\) such that \(e_1 = {\llbracket \text {E}_1\rrbracket }_{\mathscr {S}}\) and \(e_2 = {\llbracket \text {E}_2\rrbracket }_{\mathscr {S}}\). (This remark and Rem. 5 shall also apply to the next definitions.)

Fig. 17

Small-step operational semantics of \(\textsf{Imp}\) expressions

Commands

Let \(\mathbb{S}_{ com }\triangleq \{ \, \langle {\text {C}, \rho }\rangle \, \vert \; \text {C} \in {\llbracket com \rrbracket }_{\mathscr {T}_{\textsf{Imp}}} \cup \{\bot \} \wedge \rho \in {\mathbbm{Env}} \}\) where \(\text {C}\) is a command (or \(\bot \), denoting the end of a computation) and \(\rho \) an environment. For each command operator of \(\textsf{Imp}\) we define its semantics by specifying exactly the pairs of configurations which are related by the action of such an operator (Fig. 18). We write \({\llbracket \text {C}\rrbracket }_{\mathscr {S}}^\rho \) for the unique \(\langle {\text {C}^{\prime}, \rho^{\prime}}\rangle \) such that \( \langle {\text {C}, \rho }\rangle {\rightarrowtriangle} \langle {\text {C}^{\prime}, \rho^{\prime}}\rangle \in {\llbracket \text {C}\rrbracket }_{\mathscr {S}} \).

Fig. 18

Small-step operational semantics of \(\textsf{Imp}\) commands

Example 3

We show a small example of the application of the newly defined semantics \({\llbracket -\rrbracket }_{\mathscr {S}}\). We adopt the more intuitive notation provided by the context-free grammar for denoting terms, and we avoid the use of subscripts \(_\mathscr {S}\). Suppose we want to compute the small-step semantics of the conditional statement \(\text {if }\text {x > 0}\text { then }\text {skip}\text { else }\text {x} = {0 - x}\). Then,

$$\begin{aligned} {\llbracket \text {if }\text {x> 0}\text { then }\text {skip}\text { else }\text {x} = {0 - x}\rrbracket } = {\llbracket cond \rrbracket }({\llbracket \text {x > 0}\rrbracket }, {\llbracket \text {skip}\rrbracket }, {\llbracket \text {x} = {0 - x}\rrbracket }) \end{aligned}$$

where the semantics of the condition is

$$\begin{aligned} \begin{array}{rcl} {\llbracket \text {x> 0}\rrbracket } = {\llbracket bop_{>}\rrbracket }({\llbracket \text {x}\rrbracket }, {\llbracket 0\rrbracket }) &{}= &{}\{ \, \langle {\text {x> 0}, \rho }\rangle {\rightarrowtriangle} \text {1}\, \vert \, \rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) \text {> } 0) = \text {1} \} \\ &{}\cup &{}\{ \, \langle {\text {x> 0}, \rho }\rangle {\rightarrowtriangle} 0\, \vert \, \rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > 0) = 0 \} \end{array} \end{aligned}$$

and therefore,

$$\begin{aligned} \begin{array}{rl} {\llbracket cond \rrbracket }&{}({\llbracket \text {x> 0}\rrbracket }, {\llbracket \text {skip}\rrbracket }, {\llbracket \text {x} = {0 - x}\rrbracket }) = \\ &{}= \{\;\langle {\text {if }\text {x> 0}\text { then }\text {skip}\text { else }\text {x} = {0 - x}, \rho }\rangle {\rightarrowtriangle} \langle {\text {skip}, \rho }\rangle \\ &{}\qquad \vert \;\rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > 0) = \text {1}\;\} \\ &{}\cup \;\,\{\;\langle {\text {if }\text {x> 0}\text { then }\text {skip}\text { else }\text {x} = {0 - x}, \rho }\rangle {\rightarrowtriangle} \langle {\text {x} = {0 - x}, \rho }\rangle \\ &{}\qquad \vert \;\rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > 0) = 0\;\} \end{array} \end{aligned}$$

Note that the same result would have been achieved with a traditional rule-based style for specifying small-step semantics.

2.2 Fixpoint definition of prefix trace semantics

Prefix trace semantics associates each program \(\text{P}\) with the set of all finite traces obtained by iterating an arbitrarily large number of times the small-step semantics \(\mathscr {S}\) from \(\langle {\text{P}, \rho }\rangle \), for each environment \(\rho \).

Let \(\mathbb{S}_{ com }^{*} \triangleq \bigcup _{n \in \mathbb{N}} \mathbb{S}_{ com }^n\) be the set of finite sequences of command configurations (that is, finite traces). A trace \(\tau \in \mathbb{S}_{ com }^n\) is denoted by \( \langle {\text {C}_1, \rho _1}\rangle {\rightarrowtriangle} \cdots {\rightarrowtriangle} \langle {\text {C}_n, \rho _n}\rangle \). The prefix trace semantics \(\mathscr {P}\) is defined by keeping the one-step evaluation semantics for expressions \(\text {E}\) (i.e., \({\llbracket \text {E}\rrbracket }_{\mathscr {P}} \triangleq {\llbracket \text {E}\rrbracket }_{\mathscr {S}}\)), and by defining the following fixpoint semantics for command operators \(f:w \rightarrow s\) on the domain \(\langle {\llbracket com \rrbracket }_{\mathscr {P}} \triangleq \mathcal {P}(\mathbb{S}_{ com }^{*}), \subseteq , \varnothing , \cup \rangle \):

$$\begin{aligned} {\llbracket f:w \rightarrow s\rrbracket }_{\mathscr {P}}({\llbracket \text{P}_1\rrbracket }_{\mathscr {P}}, \ldots , {\llbracket \text{P}_n\rrbracket }_{\mathscr {P}}) \triangleq {{\,\textrm{lfp}\,}}_\varnothing ^\subseteq F_{f(\text{P}_1, \ldots , \text{P}_n)} \end{aligned}$$

where \(F_{f(\text{P}_1, \ldots , \text{P}_n)}:\mathcal {P}(\mathbb{S}_{ com }^{*}) \rightarrow \mathcal {P}(\mathbb{S}_{ com }^{*})\) is defined as

$$\begin{aligned} X &{}\mapsto &{}\{\varepsilon \} \cup \{ \, \langle {f(\text{P}_1, \ldots , \text{P}_n), \rho }\rangle \, \vert \; \rho \in {\mathbbm{Env}} \} \\ &{}\cup &{}\{ \, \tau {\rightarrowtriangle} \langle {\text {C}, \rho }\rangle {\rightarrowtriangle} \langle {\text {C}^{\prime}, \rho^{\prime}}\rangle \in \mathbb{S}_{ com }^{*} \, \vert \; \tau {\rightarrowtriangle} \langle {\text {C}, \rho }\rangle \in X \wedge \langle {\text {C}^{\prime}, \rho^{\prime}}\rangle = {\llbracket \text {C}\rrbracket }_{\mathscr {S}}^\rho \} \end{aligned}$$

and the trace semantics of the constant \( skip \) is trivially defined by \({\llbracket skip \rrbracket }_{\mathscr {P}} \triangleq \{\varepsilon \} \cup \{ \, \langle { skip , \rho }\rangle \, \vert \; \rho \in {\mathbbm{Env}} \} \cup \{ \, \langle skip , \rho \rangle {\rightarrowtriangle} \langle \bot , \rho \rangle \, \vert \; \rho \in {\mathbbm{Env}} \}\). The constructive computation of \({{\,\textrm{lfp}\,}}_\varnothing ^\subseteq F_{f(\text{P}_1, \ldots , \text{P}_n)}\) is guaranteed by Kleene’s theorem (\(F_{f(\text{P}_1, \ldots , \text{P}_n)}\) is continuous on the pointed dcpo \(\langle \mathcal {P}(\mathbb{S}_{ com }^{*}), \subseteq , \varnothing , \cup \rangle \)).

Example 4

We restate Ex. 3 for the prefix trace semantics \(\mathscr {P}\) applied to the same term \(\text{P} \triangleq \text {if }\text {x > 0}\text { then }\text {skip}\text { else }\text {x} = {0 - x}\):

$$\begin{aligned} {\llbracket \text {if }\text {x > 0}\text { then }\text {skip}\text { else }\text {x} = {0 - x}\rrbracket } = {{\,\textrm{lfp}\,}}_\varnothing ^\subseteq F_{\text{P}} \end{aligned}$$

where the iterates of \(F_{\text{P}}\) are

$$\begin{aligned} F_{\text{P}}^0 &{}= &{}\varnothing \\ F_{\text{P}}^1 &{}= &{}\{\varepsilon \} \cup \{\langle {\text {if }{x> 0}\text { then }\mathrm {skip} \text{ else } \mathrm{x} = {0 - x}, \rho }\rangle \} \\ F_{\text{P}}^2 &{}= &{}\{\;\langle {\text {if } {x> 0}\text { then }\mathrm{skip}\text { else }\mathrm{x}{ = }{0 - x}, \rho }\rangle {\rightarrowtriangle} \langle {\text {skip}, \rho }\rangle \\ &{}&{}\qquad \vert \rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > {0}) = {1} \} \\ &{}\cup &{}\{\langle {\text {if }{x> 0}\mathrm{ then }\text {skip} \mathrm{else } {x} = {0 - x}, \rho }\rangle {\rightarrowtriangle} \langle {{x} = {0 - x}, \rho }\rangle \\ &{}&{}\qquad \vert \rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > {0}) = 0 \} \\ &{}\cup &{}F_{\text{P}}^1 \\ F_{\text{P}}^3 &{}= &{}\{\langle {\text {if } {x> 0}\text { then }\mathrm{skip} \text{else} \mathrm{x} = {0 - x}, \rho }\rangle {\rightarrowtriangle} \langle {\text {skip}, \rho }\rangle {\rightarrowtriangle} \langle {\bot , \rho }\rangle \\ &{}&{}\qquad \vert \;\rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > 0) = 1\;\} \\ &{}\cup &{}\{\;\langle {\text {if }{x> 0}\mathrm{ then }\text {skip}\mathrm{ else }\text {x} = {0 - x}, \rho }\rangle {\rightarrowtriangle} \langle {\text {x} = {0 - x}, \rho }\rangle {\rightarrowtriangle} \\ &{}&{}\qquad {\rightarrowtriangle} \langle {\bot , \rho [\text {x} \leftarrow \text {-x}]}\rangle \;\vert \;\rho \in {\mathbbm{Env}}\wedge (\rho (\text {x}) > 0) = 0\;\} \\ &{}\cup &{}F_{\text{P}}^1 \\ F_{\text{P}}^{\delta > 3} &{}= &{}F_{\text{P}}^3 \end{aligned}$$

and therefore \({\llbracket \text{P}\rrbracket }_{\mathscr {P}}\) is the union of the iterates.

2.3 Reachability semantics as abstraction of trace semantics

Reachability semantics aims at computing the set of states that a program \(\text{P}\) may reach during its execution. Such a set can be parametric on program points (that is, location) or it can be the union of all the environments reached in any point. We show that both of these versions can be obtained by abstracting the collecting semantics \(\mathscr {P}^{*}\) over traces provided in the previous section.

Reachability on Program Points

Let \(\mathscr {R}\) be the reachability semantics that collects states per program point. Its carrier set of sort \( com \) is defined as \({\llbracket com \rrbracket }_{\mathscr {R}} \triangleq \mathcal {P}(\mathbb{S}_{ com })\), thus a command is interpreted as a set of configurations (where program code denotes locations). We show that \(\mathscr {R}\) can be obtained by abstracting the collecting semantics \(\mathscr {P}^{*}\) by establishing a Galois connection between their carrier sets:

$$\begin{aligned} \langle \mathcal {P}(\mathcal {P}(\mathbb{S}_{ com }^{*}))\rangle \overset{\gamma }{\underset{\alpha }{\leftrightarrows }}{\mathcal {P}(\mathbb{S}_{ com })} \end{aligned}$$

The abstraction function \(\alpha \) maps a semantic property \(\mathcal {X} \subseteq \mathcal {P}(\mathbb{S}_{ com }^{*})\) (i.e., a set of sets of finite traces) to the set of states that appears in those traces:

$$\begin{aligned} \alpha (\mathcal {X}) \triangleq \{ \, \langle {\text {C},\rho }\rangle \in \mathbb{S}_{ com }\, \vert \; \exists \tau \in \cup \mathcal {X}\,:\,\exists \langle {\text {C},\rho }\rangle \in \tau \} \end{aligned}$$

Conversely, the concretisation function \(\gamma \) maps each set of states C to the set containing only those traces whose configurations are in C:

$$\begin{aligned} \gamma (C) \triangleq \{ \, X \in \mathcal {P}(\mathbb{S}_{ com }^{*})\, \vert \; \forall \tau \in X\,.\,\langle {\text {C},\rho }\rangle \in \tau \implies \langle {\text {C},\rho } \in C \}\rangle \end{aligned}$$

Now, the definition of \(\mathscr {R}\) follows by the existence of a best correct approximation, as shown in Sect. 4.

Reachability without Program Points

The reachability semantics \(\mathscr {R}_\cup \) forgets about program locations and simply collects the environments reached during the execution of a program. The carrier set of commands is defined as \({\llbracket com \rrbracket }_{\mathscr {R}_\cup } \triangleq \mathcal {P}({\mathbbm{Env}})\). \(\mathscr {R}_\cup \) can be obtained by abstracting the collecting semantics \(\mathscr {P}^{*}\) over traces:

$$\begin{aligned} \alpha \big (\mathcal {X} \in \mathcal {P}(\mathcal {P}(\mathbb{S}_{ com }^{*}))\big )&\triangleq \{ \, \rho \in {\mathbbm{Env}}\, \vert \; \exists \tau \in \cup \mathcal {X}\,:\,\exists \langle {\text {C},\rho }\rangle \in \tau \} \\ \gamma \big (R \in \mathcal {P}({\mathbbm{Env}})\big )&\triangleq \{ \, X \in \mathcal {P}(\mathbb{S}_{ com }^{*})\, \vert \; \forall \tau \in X\,.\,\langle {\text {C},\rho }\rangle \in \tau \implies \rho \in R \} \end{aligned}$$