
Iterative Program Analysis Abstract Interpretation

Iterative Program Analysis Abstract Interpretation. Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa11.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4 CC79, CC92. Outline. The abstract interpretation technique The main theorem Applications


Presentation Transcript


1. Iterative Program Analysis: Abstract Interpretation
   Mooly Sagiv, http://www.cs.tau.ac.il/~msagiv/courses/pa11.html, Tel Aviv University, 640-6706
   Textbook: Principles of Program Analysis, Chapter 4; CC79, CC92

2. Outline
   • The abstract interpretation technique
   • The main theorem
   • Applications
   • Precision
   • Complexity
   • Widening
   • Later on
     • Combining Analysis
     • Interprocedural Analysis
     • Shape Analysis

3. Soundness Theorem (1)
   Let (, ) form a Galois connection from C to A
   f: C  C be a monotone function
   f#: A  A be a monotone function
   aA: f((a))  (f#(a))
   lfp(f)  (lfp(f#))
   (lfp(f))  lfp(f#)

4. Soundness Theorem (2)
   Let (, ) form a Galois connection from C to A
   f: C  C be a monotone function
   f#: A  A be a monotone function
   cC: (f(c))  f#((c))
   (lfp(f))  lfp(f#)
   lfp(f)  (lfp(f#))

5. Soundness Theorem (3)
   Let (, ) form a Galois connection from C to A
   f: C  C be a monotone function
   f#: A  A be a monotone function
   aA: (f((a)))  f#(a)
   (lfp(f))  lfp(f#)
   lfp(f)  (lfp(f#))

6. Completeness
   • (lfp(f)) = lfp(f#)
   • lfp(f) = (lfp(f#))

7. Constant Propagation
   • : [Var  Z]  [Var  Z{, }]
   • () = ()
   • : P([Var  Z])  [Var  Z{, }]
   • (X) =  {() |  X} =  { |  X}
   • : [Var  Z {, }]  P([Var  Z])
   • (#) = { | ()  #} = { |   # }
   • Local Soundness
     • st#(#)  ({st  |   (#)} =  {st  |   #}
   • Optimality (Induced)
     • st#(#) = ({st  |   (#)} =  {st  |   #}
   • Soundness
   • Completeness
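As an added example (not part of the slides), the following Python code makes slides 3 to 7 concrete for constant propagation. It implements the flat lattice on Var → Z ∪ {⊥, ⊤}, the α/γ pair over a constructed finite universe of concrete states, a check that the abstract assignment satisfies local soundness (st#(σ#) ⊒ α({st σ | σ ∈ γ(σ#)})), and a chaotic (worklist) iteration to the least fixpoint over a small constructed loop. The expression and CFG encodings, the variable names and the value range are assumptions of this example, not notation from the lecture.

```python
# Added example (not from the slides): constant propagation as an abstract
# interpretation, with the Galois connection checked on finite state sets and a
# chaotic (worklist) iteration over a small loop. Variable and value ranges are
# constructed for the demonstration.
from itertools import product

BOT, TOP = "BOT", "TOP"          # flat lattice: BOT < every integer < TOP
VARS = ("x", "y")
VALUES = range(4)                # finite universe of concrete values, so gamma can enumerate

def join_val(a, b):
    if a == BOT: return b
    if b == BOT: return a
    return a if a == b else TOP

def leq_val(a, b):
    return a == BOT or b == TOP or a == b

def join_state(s, t):
    """Pointwise join; a variable missing from a dict is BOT, so {} is the bottom state."""
    return {v: join_val(s.get(v, BOT), t.get(v, BOT)) for v in set(s) | set(t)}

def leq_state(s, t):
    return all(leq_val(s.get(v, BOT), t.get(v, BOT)) for v in set(s) | set(t))

def alpha(states):
    """alpha(X) = join of beta(sigma) over sigma in X; beta embeds a concrete state as itself."""
    out = {}
    for sigma in states:
        out = join_state(out, sigma)
    return out

def gamma(abs_state):
    """gamma(s#) = { sigma | sigma <= s# }, enumerated over the finite universe."""
    universe = [dict(zip(VARS, vals)) for vals in product(VALUES, repeat=len(VARS))]
    return [sigma for sigma in universe if leq_state(sigma, abs_state)]

# Expressions: ("const", n) | ("var", v) | ("add", e1, e2); statements: (target, expr) or None for skip.
def eval_conc(e, sigma):
    if e[0] == "const": return e[1]
    if e[0] == "var":   return sigma[e[1]]
    return eval_conc(e[1], sigma) + eval_conc(e[2], sigma)

def eval_abs(e, s):
    if e[0] == "const": return e[1]
    if e[0] == "var":   return s.get(e[1], BOT)
    a, b = eval_abs(e[1], s), eval_abs(e[2], s)
    if BOT in (a, b): return BOT
    if TOP in (a, b): return TOP
    return a + b

def transfer_conc(stmt, sigma):
    return sigma if stmt is None else {**sigma, stmt[0]: eval_conc(stmt[1], sigma)}

def transfer_abs(stmt, s):
    return s if stmt is None else {**s, stmt[0]: eval_abs(stmt[1], s)}

def local_soundness_holds(stmt):
    """Check st#(s#) >= alpha({st sigma | sigma in gamma(s#)}) for every abstract state."""
    abs_values = [BOT, TOP, *VALUES]
    for vals in product(abs_values, repeat=len(VARS)):
        s_abs = dict(zip(VARS, vals))
        concrete = [transfer_conc(stmt, sigma) for sigma in gamma(s_abs)]
        if not leq_state(alpha(concrete), transfer_abs(stmt, s_abs)):
            return False
    return True

def chaotic_iteration(cfg, n_nodes, entry_state):
    """Worklist iteration to the least fixpoint over a CFG {node: [(succ, stmt), ...]}."""
    states = {n: {} for n in range(n_nodes)}       # {} = bottom: node not yet reached
    states[0] = entry_state
    work = [0]
    while work:
        n = work.pop()
        for succ, stmt in cfg.get(n, []):
            new = join_state(states[succ], transfer_abs(stmt, states[n]))
            if not leq_state(new, states[succ]):     # only requeue on a real change
                states[succ] = new
                work.append(succ)
    return states

# Constructed program:  x := 1; y := 2; while (*) { y := x + y }   (node 2 is the loop head)
CFG = {
    0: [(1, ("x", ("const", 1)))],
    1: [(2, ("y", ("const", 2)))],
    2: [(3, None), (4, None)],
    3: [(2, ("y", ("add", ("var", "x"), ("var", "y"))))],
}

def analyse():
    return chaotic_iteration(CFG, 5, {v: TOP for v in VARS})   # entry: inputs unknown

if __name__ == "__main__":
    print(analyse()[2])                                       # loop head: x stays 1, y is TOP
    print(local_soundness_holds(("y", ("add", ("var", "x"), ("var", "y")))))
```

At the loop head the iteration converges to x = 1, y = ⊤: the join of y = 2 (first entry) with y = 3 (after one trip around the loop) is ⊤, which is the precision loss the flat lattice is built to accept. Enumerating γ over a finite universe is only possible for this toy domain; the point of the soundness theorems is that the inequality can be established once per transfer function instead.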

8. Formal available expressions
   • Find out which expressions are available at a given program point
   • Example program
       x = y + t            // {(y+t)}
       z = y + r            // {(y+t), (y+r)}
       while (…) {          // {(y+t), (y+r)}
         t = t + (y + r)    // {(y+t), (y+r), t + (y + r)}
       }

9. Available expression lattice
   • P(Fexp)
   • X  Y  X  Y
   • X  Y = X  Y
   •  = Fexp
   •  = 

10. Available expressions
   • Computing Fexp for while
     s ::= skip                      { s.Fexp :=  }
     s ::= id = exp                  { s.Fexp := {exp.rep} }
     s ::= s ; s                     { s.Fexp := s[1].Fexp  s[2].Fexp }
     s ::= while exp do s            { s.Fexp := {exp.rep}  s[1].Fexp }
     s ::= if exp then s else s      { s.Fexp := {exp.rep}  s[1].Fexp  s[2].Fexp }

11. Instrumented Semantics: Available expressions
   • S Stm  : State  P(Fexp)  State  P(Fexp)
   • S  id := a  (, ae) = ([a  a a ], notArg(id, ae  {a}))
   • S  skip  (, ae) = (, ae)
   • CS Stm  : P(State  P(Fexp))  P(State  P(Fexp))
   • CS s (X) = {S  s (, ae) | (, ae)  X}

12. Collecting Semantics Example
       x = y * z;
       if (x == 6) y = z + t;
       …
       if (x == 6) r = z + t;

13. Formal Available Expressions Abstraction
   • : [Var  Z]  P(Fexp)  P(Fexp)
   • (, ae) = (ae)
   • : P(P([Var  Z]  P(Fexp))  P(Fexp)
   • (X) =  {() |  X} = {ae | (, ae)  X}
   • : P(Fexp)  P(P([Var  Z]  P(Fexp))
   • (ae#) = {(, ae) | (, ae)  ae#} = {(, ae) | ae  ae# }

14. Formal Available Expressions AI
   • S Stm # : P(Fexp)  P(Fexp)
   • S  id := a  # (ae) = notArg(id, ae  {a})
   • S  skip  # (ae) = (ae)
   • Local Soundness
     • st#(ae#)   {(st (, ae))[1] | ae  ae#}
   • Optimality
     • st#(ae#) = ({st (, ae) | (, ae)  (#)} =  {(st (, ae))[1] | ae  ae#}
   • The initial value at the entry is 
   • Example program
       x = y + t            // {(y+t)}
       z = y + r            // {(y+t), (y+r)}
       while (…) {          // {(y+t), (y+r)}
         t = t + (y + r)    // {(y+r)}
       }
   • Soundness and Completeness
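As an added example (not part of the slides), this Python code runs the available-expressions analysis of slides 8 to 14 as a must analysis: P(Fexp) ordered by reverse inclusion, so the join is set intersection, the unreached value is Fexp and the entry value is the empty set, with the transfer function notArg(id, ae ∪ {a}) for assignments. The nested-tuple expression encoding, the CFG layout and the function names are assumptions of this example; the program is the one from the slides.

```python
# Added example (not from the slides): available expressions as a must analysis
# over P(Fexp) ordered by reverse inclusion (join = intersection, bottom = Fexp,
# top = the empty set), run by worklist iteration on the slides' example program.
# Expressions are nested tuples ("+", left, right); a leaf is a variable name.

def subexprs(e):
    """All binary sub-expressions of e, including e itself (the Fexp elements it contributes)."""
    if isinstance(e, str):
        return frozenset()
    return frozenset({e}) | subexprs(e[1]) | subexprs(e[2])

def vars_of(e):
    return {e} if isinstance(e, str) else vars_of(e[1]) | vars_of(e[2])

def show(e):
    """Pretty-print: ("+", "t", ("+", "y", "r")) -> "t+(y+r)"."""
    if isinstance(e, str):
        return e
    l, r = (show(c) if isinstance(c, str) else "(" + show(c) + ")" for c in (e[1], e[2]))
    return l + e[0] + r

def not_arg(var, ae):
    """Drop every expression that mentions var: its value may have changed."""
    return frozenset(e for e in ae if var not in vars_of(e))

def transfer(stmt, ae):
    """S[[id := a]]#(ae) = notArg(id, ae U {a}); skip and branch conditions leave ae unchanged."""
    if stmt is None:
        return ae
    var, expr = stmt
    return not_arg(var, ae | subexprs(expr))

def available_expressions(cfg, n_nodes):
    """Worklist iteration. cfg maps node -> [(successor, stmt), ...]; node 0 is the entry."""
    fexp = frozenset().union(*(subexprs(stmt[1]) for edges in cfg.values()
                               for _, stmt in edges if stmt))
    states = {n: fexp for n in range(n_nodes)}   # bottom = Fexp: "everything" until reached
    states[0] = frozenset()                       # entry: nothing is available yet (top)
    work = [0]
    while work:
        n = work.pop()
        for succ, stmt in cfg.get(n, []):
            new = states[succ] & transfer(stmt, states[n])   # join in reverse-inclusion order
            if new != states[succ]:                          # strictly smaller set: lattice went up
                states[succ] = new
                work.append(succ)
    return states

# The slides' example:  x = y + t; z = y + r; while (...) { t = t + (y + r) }
YT, YR = ("+", "y", "t"), ("+", "y", "r")
CFG = {
    0: [(1, ("x", YT))],
    1: [(2, ("z", YR))],
    2: [(3, None), (4, None)],          # node 2: loop head; node 4: loop exit
    3: [(2, ("t", ("+", "t", YR)))],
}

def analyse():
    return {n: sorted(show(e) for e in ae) for n, ae in available_expressions(CFG, 5).items()}

if __name__ == "__main__":
    for node, exprs in analyse().items():
        print(node, exprs)
```

Running it shows the effect of the back edge: on the first pass the loop head holds {y+t, y+r}, but the body kills t, so the set flowing back is {y+r}, and the intersection at the head (and hence at the loop exit) settles at {y+r}. Starting unreached nodes at Fexp rather than the empty set is what makes the intersection meaningful; starting them at the empty set would make nothing available anywhere.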

15. Example: May-Be-Garbage
   • A variable x may-be-garbage at a program point v if there exists an execution path leading to v in which x's value is unpredictable:
     • Was not assigned
     • Was assigned using an unpredictable expression
   • Lattice
   • Galois connection
   • Basic statements
   • Soundness

16. The PWhile Programming Language: Abstract Syntax
   a ::= x | *x | &x | n | a1 opa a2
   b ::= true | false | not b | b1 opb b2 | a1 opr a2
   S ::= x := a | *x := a | skip | S1 ; S2 | if b then S1 else S2 | while b do S

17. Concrete Semantics for PWhile
   State1 = [LocLocZ]
   • For every atomic statement S
   • S  : States1  States1
   • x := a () = [loc(x)  Aa ]
   • x := &y ()
   • x := *y ()
   • x := y ()
   • *x := y ()

18. Points-To Analysis
   • Lattice Lpt =
   • Galois connection

19. Example program
       t := &a;
       y := &b;
       z := &c;
       if x > 0 then p := &y; else p := &z;
       *p := t;

20. Points-to sets along the example program
       /*  */
       t := &a;          /* {(t, a)} */
       y := &b;          /* {(t, a), (y, b)} */
       z := &c;          /* {(t, a), (y, b), (z, c)} */
       if x > 0 then
         p := &y;        /* {(t, a), (y, b), (z, c), (p, y)} */
       else
         p := &z;        /* {(t, a), (y, b), (z, c), (p, z)} */
                         /* {(t, a), (y, b), (z, c), (p, y), (p, z)} */
       *p := t;          /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)} */

21. Abstract Semantics for PWhile
   State# = P(Var*  Var*)
   • For every atomic statement S
   • x := a ()
   • x := &y ()
   • x := *y ()
   • x := y ()
   • *x := y ()

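As an added example (not part of the slides), this Python code implements the abstract semantics of slide 21 over State# = P(Var × Var) and runs it by chaotic iteration on the program of slides 19 and 20, so the sets annotated on slide 20 can be recomputed. Strong versus weak update for `*x := y` is decided by whether x has exactly one target. The statement encoding, the CFG layout and the function names are assumptions of this example.

```python
# Added example (not from the slides): the abstract semantics of PWhile pointer
# statements over State# = P(Var x Var), run by worklist iteration on the program
# of slides 19-20. Statement encoding is constructed for this example:
# ("addr", x, y) is x := &y, ("copy", x, y) is x := y, ("load", x, y) is x := *y,
# ("store", x, y) is *x := y.

def pt_transfer(stmt, pts):
    kind, x, y = stmt
    pointees = lambda v: {b for (a, b) in pts if a == v}
    kill_x = {(a, b) for (a, b) in pts if a != x}        # x gets a fresh value in every case but store
    if kind == "addr":                                   # x := &y
        return kill_x | {(x, y)}
    if kind == "copy":                                   # x := y
        return kill_x | {(x, b) for b in pointees(y)}
    if kind == "load":                                   # x := *y
        return kill_x | {(x, c) for b in pointees(y) for c in pointees(b)}
    if kind == "store":                                  # *x := y
        targets = pointees(x)
        new = set(pts)
        if len(targets) == 1:                            # strong update: the single target is overwritten
            (tgt,) = targets
            new = {(a, b) for (a, b) in new if a != tgt}
        return new | {(t, b) for t in targets for b in pointees(y)}   # weak update otherwise
    raise ValueError(kind)

def flow_sensitive_points_to(cfg, n_nodes):
    """Chaotic iteration: join is set union, bottom is the empty set."""
    states = {n: frozenset() for n in range(n_nodes)}
    work = [0]
    while work:
        n = work.pop()
        for succ, stmt in cfg.get(n, []):
            new = states[succ] | frozenset(pt_transfer(stmt, states[n]))
            if new != states[succ]:
                states[succ] = new
                work.append(succ)
    return states

# t := &a; y := &b; z := &c; if x > 0 then p := &y else p := &z; *p := t
CFG = {
    0: [(1, ("addr", "t", "a"))],
    1: [(2, ("addr", "y", "b"))],
    2: [(3, ("addr", "z", "c"))],
    3: [(4, ("addr", "p", "y")), (4, ("addr", "p", "z"))],   # both branches reach node 4
    4: [(5, ("store", "p", "t"))],
}

def analyse():
    return {n: sorted(s) for n, s in flow_sensitive_points_to(CFG, 6).items()}

if __name__ == "__main__":
    for node, pairs in analyse().items():
        print(node, pairs)
```

After the if, p may point to y or to z, so `*p := t` cannot be a strong update: both (y, a) and (z, a) are added while (y, b) and (z, c) survive. With a single target the store would instead overwrite that target's set, which the test below checks directly on `pt_transfer`.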

23. Flow-insensitive points-to analysis (Steensgaard 1996)
   • Ignore control flow
   • One set of points-to per program
   • Can be represented as a directed graph
   • Conservative approximation
   • Accumulate pointers
   • Can be computed in almost linear time
   • Union find

24. Example program (flow-insensitive)
       t := &a;
       y := &b;
       z := &c;
       if x > 0 then p := &y; else p := &z;
       *p := t;
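As an added example (not part of the slides), this Python code implements the flow-insensitive, union-find based points-to analysis of slide 23 and runs it on the program of slide 24. Variables that may alias are merged into one equivalence class, each class has at most one pointee class, and merging two classes merges their pointee classes as well, which is what keeps the algorithm almost linear. The statement encoding and the class/method names are assumptions of this example, not Steensgaard's own implementation.

```python
# Added example (not from the slides): Steensgaard-style flow-insensitive
# points-to analysis with union-find. Statement encoding is constructed for this
# example: ("addr", x, y) is x := &y, ("copy", x, y) is x := y,
# ("load", x, y) is x := *y, ("store", x, y) is *x := y.

class Steensgaard:
    def __init__(self):
        self.parent = {}     # union-find parent pointers over variable names
        self.pointee = {}    # class representative -> a member of its single pointee class
        self.fresh = 0

    def find(self, v):
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]   # path halving
            v = self.parent[v]
        return v

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return ra
        self.parent[rb] = ra
        pb = self.pointee.pop(rb, None)
        if pb is not None:
            self._set_pointee(ra, pb)      # merging classes merges their pointee classes too
        return ra

    def _set_pointee(self, v, target):
        """Make target a member of v's pointee class, unifying if v already has one."""
        rv = self.find(v)
        if rv in self.pointee:
            self.union(self.pointee[rv], target)
        else:
            self.pointee[rv] = self.find(target)

    def _pointee_of(self, v):
        rv = self.find(v)
        if rv not in self.pointee:
            self.fresh += 1
            self.pointee[rv] = self.find(f"$loc{self.fresh}")   # placeholder for an unknown target
        return self.pointee[rv]

    def process(self, stmt):
        kind, x, y = stmt
        if kind == "addr":                                      # x := &y
            self._set_pointee(x, y)
        elif kind == "copy":                                    # x := y
            self._set_pointee(x, self._pointee_of(y))
        elif kind == "load":                                    # x := *y
            self._set_pointee(x, self._pointee_of(self._pointee_of(y)))
        elif kind == "store":                                   # *x := y
            self._set_pointee(self._pointee_of(x), self._pointee_of(y))
        else:
            raise ValueError(kind)

    def points_to(self, v):
        """All program variables in the pointee class of v's class (placeholders excluded)."""
        rv = self.find(v)
        if rv not in self.pointee:
            return frozenset()
        target = self.find(self.pointee[rv])
        return frozenset(w for w in list(self.parent)
                         if self.find(w) == target and not w.startswith("$"))

# t := &a; y := &b; z := &c; if x > 0 then p := &y else p := &z; *p := t
PROGRAM = [("addr", "t", "a"), ("addr", "y", "b"), ("addr", "z", "c"),
           ("addr", "p", "y"), ("addr", "p", "z"), ("store", "p", "t")]

def analyse(program):
    st = Steensgaard()
    for stmt in program:         # flow-insensitive: order and branching are ignored
        st.process(stmt)
    return st

if __name__ == "__main__":
    st = analyse(PROGRAM)
    for v in ("t", "y", "z", "p"):
        print(v, sorted(st.points_to(v)))
```

Because p := &y and p := &z put y and z into one class, the store through p merges their pointee classes {b} and {c} with {a}, and t ends up pointing to {a, b, c} although the flow-sensitive result on slide 20 keeps t at {a}. That is the conservative approximation the slide refers to: one points-to graph per program, computed in almost linear time, at the cost of precision.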

25. Conclusion
   • Chaotic iteration is a powerful technique
     • Easy to implement
     • Rather precise
     • But expensive
     • More efficient methods exist for structured programs
   • Abstract interpretation relates runtime semantics and static information
   • The concrete semantics serves as a tool in designing abstractions
   • More intuition will be given in the sequel
