1 / 32

Iterative Program Analysis Abstract Interpretation

Iterative Program Analysis Abstract Interpretation. Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa11.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4 CC79, CC92. Outline. The abstract interpretation technique The main theorem Applications

alcina
Download Presentation

Iterative Program Analysis Abstract Interpretation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Iterative Program AnalysisAbstract Interpretation Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa11.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4 CC79, CC92

  2. Outline • The abstract interpretation technique • The main theorem • Applications • Precision • Complexity • Widening • Later on • Combining Analysis • Interprocedural Analysis • Shape Analysis

  3. Soundness Theorem(1) Let(, ) form Galois connection from C to A f: C  C be a monotone function f#: A  A be a monotone function aA: f((a))  (f#(a)) lfp(f)  (lfp(f#)) (lfp(f))  lfp(f#)

  4. Soundness Theorem(2) Let(, ) form Galois connection from C to A f: C  C be a monotone function f#: A  A be a monotone function cC: (f(c))  f#((c)) (lfp(f))  lfp(f#) lfp(f)  (lfp(f#))

  5. Soundness Theorem(3) Let(, ) form Galois connection from C to A f: C  C be a monotone function f#: A  A be a monotone function aA: (f((a)))  f#(a) (lfp(f))  lfp(f#) lfp(f)  (lfp(f#))

  6. Completeness (lfp(f)) =lfp(f#) lfp(f) = (lfp(f#))

  7. Constant Propagation • : [Var  Z]  [Var  Z{, }] • () = () • : P([Var  Z])  [Var  Z{, }] • (X) =  {() |  X} =  { |  X} • :[Var  Z {, }]  P([Var  Z]) • (#) = { | ()  #} = { |   # } • Local Soundness • st#(#)  ({st  |   (#) =  {st  |   #} • Optimality (Induced) • st#(#) = ({st  |   (#)} =  {st  |   #} • Soundness • Completeness

  8. Example Interval Analysis • Find a lower and an upper bound of the value of a variable • Usages? • Lattice L = (Z{-, }Z {-, }, , , , ,) • [a, b]  [c, d] if c  a and d  b • [a, b]  [c, d] = [min(a, c), max(b, d)] • [a, b]  [c, d] = [max(a, c), min(b, d)] •  = •  =

  9. Domains with Infinite Heights for Integers y Intervals CC’77: xi b Octagons SKS’00, Mine’01: xi yi b Polyhedra Cousot& Halbwachs’78: ai*xi  b x

  10. Formal available expression • Find out which expressions are available at a given program point • Example program x = y + t //{(y+t)} z = y + r //{(y+t), (y+r)} while (…) { // {(y+t), (y+r)} t = t + (y + r) // {(y+t), (y+r), t + (y +r )} }

  11. Available expression lattice • P(Fexp) • X  Y  X  Y • X  Y = X  Y • = Fexp •  = 

  12. Available expressions • Computing Fexp for whiles ::= skip { s.Fexp :=  }s := id = exp { s.Fexp = {exp.rep }s := s ; s { s.Fexp := s[1].Fexp  s[2].Fexp }s := while exp do s { s.Fexp := {exp.rep}  s[1].Fexp }s := if exp then s else s { s.Fexp := {exp.rep}  s[1].Fexp  s[2].Fexp }

  13. Instrumented Semantics Available expressions • S Stm  : State  P(Fexp) State  P(Fexp) • S  id := a  (, ae) = ([a  a a ], notArg(id, ae  {a} ) • S  skip  (, ae) = (, ae) • CS Stm  : P(State  P(Fexp)) P(State  P(Fexp)) • CS s (X) ={S  s (, ae) | (, ae)  X}

  14. Collecting Semantics Example x = y * z; if (x == 6) y = z+ t; … if (x == 6) r = z + t;

  15. Formal Available Expressions Abstraction • : [Var  Z]  P(Fexp) P(Fexp) • (, ae) = (ae) • : P(P([Var  Z]  P(Fexp))  P(Fexp) • (X) =  {() |  X} = {ae | (, ae) X} • : P(Fexp) P(P([Var  Z]  P(Fexp)) • (ae#) = {(, ae) | (, ae)  ae#} = {(, ae) | ae  ae# }

  16. Formal Available Expressions AI • S Stm # : P(Fexp) P(Fexp) • S  id := a  # (ae) = notArg(id, ae  {a} ) • S  skip  # (ae) = (ae) • Local Soundness • st#(ae#)   {(st (, ae)[1] | ae  ae#} • Optimality • st#(ae#) = ({st (, ae) | (, ae)  (#)} =  {(st (, ae)[1] | ae  ae#} • The initial value at the entry is  • Example program x = y + t //{(y+t)} z = y + r //{(y+t), (y+r)} while (…) { // {(y+t), (y+r)} t = t + (y + r) // { (y+r)} } • Soundness and Completeness

  17. Example: May-Be-Garbage • A variable x may-be-garbageat a program point v if there exists a execution path leading to v in which x’s value is unpredictable: • Was not assigned • Was assigned using an unpredictable expression • Lattice • Galois connection • Basic statements • Soundness

  18. The PWhile Programming Language Abstract Syntax a := x | *x | &x | n | a1 opa a2 b := true | false | not b | b1 opb b2 | a1 opr a2 S := x := a | *x := a | skip | S1 ; S2|if b then S1else S2 | while b do S

  19. Concrete Semantics for PWhile State1= [LocLocZ] • For every atomic statement S • S  : States1 States1 • x := a ()=[loc(x) Aa ] • x := &y () • x := *y () • x := y () • *x := y ()

  20. Points-ToAnalysis • Lattice Lpt = • Galois connection • Meaning of statements

  21. t := &a; y := &b; z := &c; if x> 0 then p:= &y; else p:= &z; *p := t;

  22. /*  */ t := &a; /* {(t, a)}*//* {(t, a)}*/y := &b; /* {(t, a), (y, b) }*/ /* {(t, a), (y, b)}*/z := &c; /* {(t, a), (y, b), (z, c) }*/ if x> 0; then p:= &y;/* {(t, a), (y, b), (z, c), (p, y)}*/ else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/ *p := t; /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

  23. Abstract Semantics for PWhile State#= P(Var*  Var*) • For every atomic statement S • x := a () • x := &y () • x := *y () • x := y () • *x := y ()

  24. /*  */ t := &a; /* {(t, a)}*//* {(t, a)}*/y := &b; /* {(t, a), (y, b) }*/ /* {(t, a), (y, b)}*/z := &c; /* {(t, a), (y, b), (z, c) }*/ if x> 0; then p:= &y;/* {(t, a), (y, b), (z, c), (p, y)}*/ else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/ *p := t; /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

  25. Flow insensitive points-to-analysisSteengard 1996 • Ignore control flow • One set of points-to per program • Can be represented as a directed graph • Conservative approximation • Accumulate pointers • Can be computed in almost linear time • Union find

  26. t := &a; y := &b; z := &c; if x> 0; then p:= &y; else p:= &z; *p := t;

  27. Precision • We cannot usually have • (CS) = DF on all programs • But can we say something about precision in all programs?

  28. The Join-Over-All-Paths (JOP) • Let paths(v) denote the potentially infinite set paths from start to v (written as sequences of edges) • For a sequence of edges [e1, e2, …, en] definef#[e1, e2, …, en]: L  L by composing the effects of basic blocksf#[e1, e2, …, en](l) = f#(en)(… (f#(e2)(f#(e1)(l)) …) • JOP[v] = {f#[e1, e2, …,en]() [e1, e2, …, en]  paths(v)}

  29. JOP vs. Least Solution • The df solution obtained by Chaotic iteration satisfies for every v: • JOP[v] df(v) • A function f# is additive (distributive) if • f#({x| x  X}) = {f#(x) |  X} • If every f# (u,v)is additive (distributive) for all the edges (u,v) • JOP[v]= df(v) • Examples • Maybe garbage • Available expressions • Constant Propagation • Points-to

  30. Notions of precision • CS =  (df) • (CS) = df • Meet(Join) over all paths • Using best transformers • Good enough

  31. Complexity of Chaotic Iterations • Usually depends on the height of the lattice • In some cases better bound exist • A function f is fast if f (f(l))  l  f(l) • For fast functions the Chaotic iterations can be implemented in O(nest * |V|) iterations • nest is the number of nested loop • |V| is the number of control flow nodes

  32. Conclusion • Chaotic iterations is a powerful technique • Easy to implement • Rather precise • But expensive • More efficient methods exist for structured programs • Abstract interpretation relates runtime semantics and static information • The concrete semantics serves as a tool in designing abstractions • More intuition will be given in the sequel

More Related