Chaotic Iterations Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis F. Nielson, H. Nielson, C.L. Hankin Appendix A Caterina’s thesis
Content u Mathematical Background u Chaotic Iterations u Examples u Soundness, Precision and more examples next week
Mathematical Background u Declaratively define –The result of the analysis –The exact solution –Allow comparison
Posets u A partial ordering is a binary relation : L L {false, true} –For all l L : l l (Reflexive) –For all l 1, l 2, l 3 L : l 1 l 2, l 2 l 3 l 1 l 3 (Transitive) –For all l 1, l 2 L : l 1 l 2, l 2 l 1 l 1 = l 2 (Anti-Symmetric) u Denoted by (L, )
Posets u In program analysis –l 1 l 2 l 1 is more precise than l 2 l 1 represents fewer concrete states than l 2 u Examples –Total orders (N, ) –Powersets (P(S), ) –Powersets (P(S), ) –Even/Odd –Constant propagation »Single variable »Multiple variables –Intervals u Bad examples –(N, <) –Non-transitive x y x = y (x = 0 y=1) (x=1 y=2) –Non anti-symmetric
Posets u More notations –l 1 l 2 l 2 l 1 –l 1 l 2 l 1 l 2 l 1 l 2 –l 1 l 2 l 2 l 1
Upper and Lower Bounds u Consider a poset (L, ) u A subset L’ L has a lower bound l L if for all l’ L’ : l l’ u A subset L’ L has an upper bound u L if for all l’ L’ : l’ u u A greatest lower bound of a subset L’ L is a lower bound l 0 L such that l l 0 for any lower bound l of L’ u A lowest upper bound of a subset L’ L is an upper bound u 0 L such that u 0 u for any upper bound u of L’ u For every subset L’ L: –The greatest lower bound of L’ is unique if at all exists » L’ (meet) a b = {a, b} –The lowest upper bound of L’ is unique if at all exists » L’ (join) a b = {a, b}
Complete Lattices u A poset (L, ) is a complete lattice if every subset has least and upper bounds u L = (L, ) = (L, , , , , ) – = = L – = L = u Examples –Total orders (N, ) –Powersets (P(S), ) –Powersets (P(S), ) –Constant propagation –Intervals
Complete Lattices u Lemma For every poset (L, ) the following conditions are equivalent –L is a complete lattice –Every subset of L has a least upper bound –Every subset of L has a greatest lower bound
Cartesian Products u A complete lattice (L 1, 1 ) = (L 1, , 1, 1, 1, 1 ) u A complete lattice (L 2, 2 ) = (, , 2, 2, 2, 2 ) u Define a Poset L = (L 1 L 2, ) where –(x 1, x 2 ) (y 1, y 2 ) if »x 1 y 1 and »x 2 y 2 u L is a complete lattice
Finite Maps u A complete lattice (L 1, 1 ) = (L 1, , 1, 1, 1, 1 ) u A finite set V u Define a Poset L = (V L 1, ) where –e 1 e 2 if for all v V »e 1 v e 2 v u L is a complete lattice
Chains u A subset Y L in a poset (L, ) is a chain if every two elements in Y are ordered –For all l 1, l 2 Y: l 1 l 2 or l 2 l 1 u An ascending chain is a sequence of values –l 1 l 2 l 3 … u A strictly ascending chain is a sequence of values –l 1 l 2 l 3 … u A descending chain is a sequence of values –l 1 l 2 l 3 … u A strictly descending chain is a sequence of values –l 1 l 2 l 3 … u L has a finite height if every chain in L is finite u Lemma A poset (L, ) has finite height if and only if every strictly decreasing and strictly increasing chains are finite
Monotone Functions u A poset (L, ) u A function f: L L is monotone if for every l 1, l 2 L: –l 1 l 2 f(l 1 ) f(l 2 )
Fixed Points u A monotone function f: L L where (L, , , , , ) is a complete lattice u Fix(f) = { l: l L, f(l) = l} u Red(f) = {l: l L, f(l) l} u Ext(f) = {l: l L, l f(l)} –l 1 l 2 f(l 1 ) f(l 2 ) u Tarski’s Theorem 1955: if f is monotone then: – lfp(f) = Fix(f) = Red(f) Fix(f) – gfp(f) = Fix(f) = Ext(f) Fix(f) f( ) f( ) f2()f2() f2()f2() Fix(f) Ext(f) Red(f) gfp(f) lfp(f)
Chaotic Iterations u A lattice L = (L, , , , , ) with finite strictly increasing chains u L n = L L … L u A monotone function f: L n L n u Compute lfp(f) u The simultaneous least fixed of the system {x[i] = f i (x) : 1 i n } x := ( , , …, ) while (f(x) x ) do x := f(x) for i :=1 to n do x[i] = WL = {1, 2, …, n} while (WL ) do select and remove an element i WL new := f i (x) if (new x[i]) then x[i] := new; Add all the indexes that directly depends on i to WL
Specialized Chaotic Iterations System of Equations S = df entry [s] = df entry [v] = {f(u, v) (df entry [u]) | (u, v) E } F S :L n L n F S (X)[s] = F S (X)[v] = {f(u, v)(X[u]) | (u, v) E } lfp(S) = lfp(F S )
Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: Lattice, : L, f: E (L L) ){ for each v in V to n do df entry [v] := df[s] = WL = {s} while (WL ) do select and remove an element u WL for each v, such that. (u, v) E do temp = f(e)(df entry [u]) new := df entry (v) temp if (new df entry [v]) then df entry [v] := new; WL := WL {v}
y :=z+4 Constant Propagation [x ?, y ?, z 3 ] 1 2 z :=3 7 z <=0 3 z >0 4 5 x==1 x!=1 6 y :=7 assert y==7 NValueWL 1 [x ?, y ?, z ?] {2, 3, 4, 5, 6, 7} 2 [x ?, y ?, z 3] { 3, 4, 5, 6, 7} 3 [x ?, y ?, z 3] { 4, 5, 6, 7} 4 [x 1, y 7, z 3] {5, 6, 7} 5 [x ?, y 7, z 3] {6, 7} 6 [x ?, y 7, z 3] {7}
Example Constant Propagation 1 2 e.e[x 3] e.e 3 DF(1) = [x 0] DF(2) = DF(1)[x 3] DF(2) DF(3) = DF(2) 3t e.e x :=3 skip DF[1]DF[2]DF[3] [x 0][x 3] [x 0][x ?] [x 7][x 9][x 7] [x ?][x 3]
Complexity of Chaotic Iterations u Parameters: –n the number of CFG nodes –k is the maximum outdegree of edges –A lattice of height h –c is the maximum cost of »applying f (e) » »L comparisons u Complexity O(n * h * c * k)
Soundness u Every detected constant is indeed such u Every error will be detected u The least fixed points represents all occurring runtime states u Next week
Completeness u Every constant is indeed detected as such u Every detected error is real u Cannot be guaranteed in general
The Join-Over-All-Paths (JOP) u Let paths(v) denote the potentially infinite set paths from start to v (written as sequences of labels) u For a sequence of edges [e 1, e 2, …, e n ] define f [e 1, e 2, …, e n ]: L L by composing the effects of basic blocks f [e 1, e 2, …, e n ](l) = f(e n ) (… (f(e 2 ) (f(e 1 ) (l)) …) u JOP[v] = {f[e 1, e 2, …,e n ]( ) [e 1, e 2, …, e n ] paths(v)}
JOP vs. Least Solution u The DF solution obtained by Chaotic iteration satisfies for every l: –JOP[v] DF entry (v) u A function f is additive (distributive) if –f( {x| x X}) = {f(x) | X} u If every f l is additive (distributive) for all the nodes v –JOP[v] = DF entry (v)
Conclusions u Chaotic iterations is a powerful technique u Easy to implement u Rather precise u But expensive –More efficient methods exist for structured programs u Abstract interpretation relates runtime semantics and static information u The concrete semantics serves as a tool in designing abstractions –More intuition will be given in the sequel
Widening u Accelerate the termination of Chaotic iterations by computing a more conservative solution u Can handle lattices of infinite heights
Specialized Chaotic Iterations+ Chaotic(G(V, E): Graph, s: Node, L: lattice, : L, f: E (L L) ){ for each v in V to n do df entry [v] := In[v] = WL = {s} while (WL ) do select and remove an element u WL for each v, such that. (u, v) E do temp = f(e)(df entry [u]) new := df entry (v) temp if (new df entry [v]) then df entry [v] := new; WL := WL {v}
Example Interval Analysis u Find a lower and an upper bound of the value of a variable u Usages? u Lattice L = (Z {- , } Z {- , }, , , , , ) –[a, b] [c, d] if c a and d b –[a, b] [c, d] = [min(a, c), max(b, d)] –[a, b] [c, d] = [max(a, c), min(b, d)] – = – =
Example Program Interval Analysis [x := 1] 1 ; while [x 1000] 2 do [x := x + 1;] 3 IntEntry(1) = [minint,maxint] IntExit(1) = [1,1] IntEntry(2) = IntExit(1) IntExit(3) IntExit(2) = IntEntry(2) [x:=1] 1 [x 1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2) [minint,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2) [1001,maxint] IntExit(4) = IntEntry(4)
Widening for Interval Analysis u [c, d] = [c, d] u [a, b] [c, d] = [ if a c then a else - , if b d then b else ]
Example Program Interval Analysis [x := 1] 1 ; while [x 1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - , ] IntExit(1) = [1,1] IntEntry(2) = InExit(2) (IntExit(1) IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x 1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2) [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2) [1001, ] IntExit(4) = IntEntry(4)
Requirements on Widening u For all elements l 1 l 2 l 1 l 2 u For all ascending chains l 0 l 1 l 2 … the following sequence is finite –y 0 = l 0 –y i+1 = y i l i+1 u For a monotonic function f: L L define –x 0 = –x i+1 = x i f(x i ) u Theorem: –There exits k such that x k+1 = x k –x k Red(f) = {l: l L, f(l) l}
Narrowing u Improve the result of widening u y x y (x y) x u For all decreasing chains x 0 x 1 … the following sequence is finite –y 0 = x 0 –y i+1 = y i x i+1 u For a monotonic function f: L L and x Red(f) = {l: l L, f(l) l} define –y 0 = x –y i+1 = y i f(y i ) u Theorem: –There exits k such that y k+1 =y k –y k Red(f) = {l: l L, f(l) l}
Narrowing for Interval Analysis u [a, b] = [a, b] u [a, b] [c, d] = [ if a = - then c else a, if b = then d else b ]
Example Program Interval Analysis [x := 1] 1 ; while [x 1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - , ] IntExit(1) = [1,1] IntEntry(2) = InExit(2) ( IntExit(1) IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x 1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2) [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2) [1001, ] IntExit(4) = IntEntry(4)
Non Montonicity of Widening u [0,1] [0,2] = [0, ] u [0,2] [0,2] = [0,2]
Widening and Narrowing Summary u Very simple but produces impressive precision u Sometimes non-monotonic u The McCarthy 91 function u Also useful in the finite case u Can be used as a methodological tool int f(x) [- , ] if x > 100 then [101, ] return x -10 [91, -10]; else [- , 100] return f(f(x+11)) [91, 91] ;
Conclusions u Chaotic iterations is a powerful technique u Easy to implement u Rather precise u But expensive –More efficient methods exist for structured programs