Towards Proper Understanding of Interprocedural Analyses

1. Towards Proper Understanding of Interprocedural Analyses Hongseok Yang Seoul National University

2. Program Analysis from Abstract Interpretation’s Perspective • Abstract semantics: • Abstract domain, abstract transfer function. • Ex. {;, 0, +, -, >}, «x:=x+1¬[x!0] = [x!+]. • Corresponds to setting up a set of “equations.” • Strategy for “evaluating” the semantics: • Various methods for computing fixpoints or their approximations, such as widening/narrowing and chaotic iteration. • Corresponds to solving the set of equations. • Provides an easy method for showing correctness: • Abstract semantics approximates the real concrete semantics. • The evaluation strategy correctly computes the values (or fixpoints) specified by the abstract semantics.

3. Interprocedural Analyses • Analyze procedures. • Their abstract semantics is not properly understood. • No good answers for how the abstract semantics approximates the usual concrete semantics. • Not easy to see the correctness, or to design new analyses. • Most correctness arguments are “ad-hoc.” • Eliminate procedures by compiling them into gotos. main() { x:=0;p(); x:=1;p() } p(){ if (x>0) then x:=x-1;p() else x:=0 } main: x:=0;goto p; L1: x:=1;goto p; L2: goto EXIT; p: if (x>0) then x:=x-1;goto p else x:=0; L3: goto {L1,L2,L3}; EXIT:

4. Goal of Research (with Dino Distefano and Peter O’Hearn) • Explain commonly used interproc. analyses by: • the abstraction of the usual concrete semantics where procedures mean functions, not gotos, and • a specific evaluation strategy. • Design better interprocedural analyses using locality: • Locality: if a procedure does not access a variable, it does not change all the properties of the variable. • Ultimate goal: local shape analysis. • In this talk, I will explain some results about 1.

5. “Standard” Abstract Semantics • Interprets procedures as monotone functions on an abstract domain. • Assumption: only one procedure p, and one variable x. p = …x…; … p(); … • Standard abstract semantics for the sign analysis: • Sg = {?, +, 0, -, >}, ordered by ?v +,0,- v>. • «Body of p¬ : [Sg!Sg]![Sg!Sg] • «C;D¬k=«D¬ko«C¬k, «p()¬k=k, «if B then C else D¬k=«C¬kt«D¬k. • Ex: Compute «if (x>1) then x:=1;p() else x:=x+1¬ (x.?). • «p¬ : [Sg!Sg] = lfix «Body of p¬. • Ex: Compute «p¬ where p = if x>1 then x:=1;p() else x:=x+1. • [Cousot&Cousot] The standard abstract semantics abstracts the usual concrete (denotational) semantics.

6. “Nonstandard” Abstract Semantics • Replaces procedure calls by goto/return: …; P:…; p(); ) goto P; … L:…; return {L,E}; E: • Abstracts possible states at label P and E: • mBody of pn: Sg£Sg ! Sg£Sg • mBody of pn (preE, preP) = (postE, postP) • mpn : Sg ! Sg£Sg mpn(initP) = tnmBody of pnn(?, initP) • Question: • What is the relationship between two semantic definitions? • Is the nonstandard semantics correct?

7. Common Trick in Interproc. Analyses F: [Sg!Sg] ! [Sg!Sg], d: Sg • Usual goal: compute an approx. of (lfix F)(d). • Naïve and inefficient solution: • Compute an approx. f of (lfix F). Then, calculate f(d). • Common trick: compute a “d-approximation” g of (lfix F). • d-approximation: (lfix F)(d) v g(d). • But for other x in D, g might not approximate (lfix F). • Usually, an analysis computes (k,A) s.t. • d 2 A, • for all a2A, F(k)(a) v k(a), and the computation of F(k)(a) calls k only for some b2A. • Correctness: k is a d-approximation of (lfix F).

8. A-stable Pre-fixpoint of F • Mission: formalize the second condition: “for all a2A, F(k)(a) v k(a), and the computation of F(k)(a) calls k only for some b2A.” • k =A h iff 8a2A. k(a) = h(a); k vA h iff 8a2A. k(a) v h(a) • k is an A-stable pre-fixpoint of F iff for all h in [Sg!Sg], if h =A k, then F(h)vAk. • Mission accomplished: k is an A-stable pre-fixpoint of F. • Exercise: if k is an A-stable pre-fixpoint of F, then F(k) vA k. • Usually, analyses attempt to compute (k,A) s.t. • d 2 A, • k is an A-stable pre-fixpoint of F. • Lemma: lfix F vAk. So, k is a d-approximation of (lfix F).

9. Computation of (k,A) by “Super-abstract Interpretation” • Basic chaotic iteration [Cousot&Cousot]: • Define a functional F#: [Sg!Sg]£P(Sg) ! [Sg!Sg]£P(Sg). • Computes tn (F#)n(?,{d}). • Computation of (k,A) by “super-abstract interpretation”: • (super-)abstract domains: (: C![Sg!Sg]) and (: S!P(Sg)), • (super-)abstract transfer fns: (G: C£S!C) and (K: C£S!S), • initial (super-)abstract value: (init 2 S), s.t. • C,S finite lattices; , monotone; G,K extensive; • d 2(init); • for all c 2 C, all s 2 S and all h, if h=(K(c,s))(c), then F(h) v(s)(G(c,s)). Lemma[Correctness]: Let (cf,sf) be tn(<G,K>n(?,init)). Then, ((cf), (sf)) satisfies the requirements for (k,A) in the previous slide.

10. Context Insensitive Interproc. Analysis • Assumption: • F = «Body of p¬; • call(F,f,s) = {s’ | f(s’) called during the comp. of F(f)(s)}. • Super-abstract interp. for the context insen. analysis: C = Sg, (c) = x.c, S = Sg, (s) = {s’ | s’ v s}, init = d, G(c,s) = fst (mBody of pn(c,s)) = ctF(x.c)(s), K(c,s) = snd (mBody of pn(c,s)) = st(tcall(F, x.c, s)) • Mono. fns are abstracted by constant functions. • Support sets are abstracted by principal ideals. • Lemma: The above data form an instance of the framework in the previous slide. Thus, the analysis computes a d-approximation of «p¬.

11. Conclusion • Provided a framework that explains several interprocedural analyses by • standard abstract semantics and • a specific (super-abstract) evaluation strategy. • The current results are slightly more general than what are shown here. • The next goal is to incorporate locality into the framework and to design a local interprocedural interval analysis.