Iterative Program Analysis Abstract Interpretation Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa11.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4 CC79, CC92

Outline Later on The abstract interpretation technique The main theorem Applications Precision Complexity Widening Later on Combining Analysis Interprocedural Analysis Shape Analysis

Soundness Theorem(1) Let (, ) form Galois connection from C to A f: C  C be a monotone function f# : A  A be a monotone function aA: f((a))  (f#(a)) lfp(f)  (lfp(f#)) (lfp(f))  lfp(f#)

Soundness Theorem(2) Let (, ) form Galois connection from C to A f: C  C be a monotone function f# : A  A be a monotone function cC: (f(c))  f#((c)) (lfp(f))  lfp(f#) lfp(f)  (lfp(f#))

Soundness Theorem(3) Let (, ) form Galois connection from C to A f: C  C be a monotone function f# : A  A be a monotone function aA: (f((a)))  f#(a) (lfp(f))  lfp(f#) lfp(f)  (lfp(f#))

Completeness (lfp(f)) = lfp(f#) lfp(f) = (lfp(f#))

Constant Propagation Local Soundness Optimality (Induced) : [Var  Z]  [Var  Z{, }] () = () : P([Var  Z])  [Var  Z{, }] (X) =  {() |  X} =  { |  X} :[Var  Z {, }]  P([Var  Z]) (#) = { | ()  # } = { |   # } Local Soundness st#(#)  ({st  |   (#) =  {st  |   # } Optimality (Induced) st#(#) = ({st  |   (#)} =  {st  |   # } Soundness Completeness

Example Interval Analysis Find a lower and an upper bound of the value of a variable Usages? Lattice L = (Z{-, }Z {-, }, , , , ,) [a, b]  [c, d] if c  a and d  b [a, b]  [c, d] = [min(a, c), max(b, d)] [a, b]  [c, d] = [max(a, c), min(b, d)]  =  =

Domains with Infinite Heights for Integers y Intervals CC’77: xi  b Octagons SKS’00, Mine’01: xi yi  b Polyhedra Cousot& Halbwachs’78: ai*xi  b x

Formal available expression Find out which expressions are available at a given program point Example program x = y + t //{(y+t)} z = y + r //{(y+t), (y+r)} while (…) { // {(y+t), (y+r)} t = t + (y + r) // {(y+t), (y+r), t + (y +r )} }

Available expression lattice P(Fexp) X  Y  X  Y X  Y = X  Y = Fexp  = 

Available expressions Computing Fexp for while s ::= skip { s.Fexp :=  } s := id = exp { s.Fexp = {exp.rep } s := s ; s { s.Fexp := s[1].Fexp  s[2].Fexp } s := while exp do s { s.Fexp := {exp.rep}  s[1].Fexp } s := if exp then s else s { s.Fexp := {exp.rep}  s[1].Fexp  s[2].Fexp }

Instrumented Semantics Available expressions S Stm  : State  P(Fexp)  State  P(Fexp) S  id := a  (, ae) = ([a  a a ], notArg(id, ae  {a} ) S  skip  (, ae) = (, ae) CS Stm  : P(State  P(Fexp))  P(State  P(Fexp)) CS s (X) ={S  s  (, ae) | (, ae)  X}

Collecting Semantics Example x = y * z; if (x == 6) y = z+ t; … r = z + t;

Formal Available Expressions Abstraction : [Var  Z]  P(Fexp)  P(Fexp) (, ae) = (ae) : P(P([Var  Z]  P(Fexp))  P(Fexp) (X) =  {() |  X} = {ae | (, ae) X} : P(Fexp)  P(P([Var  Z]  P(Fexp)) (ae#) = {(, ae) | (, ae)  ae# } = {(, ae) | ae  ae# }

Formal Available Expressions AI S Stm # : P(Fexp)  P(Fexp) S  id := a  # (ae) = notArg(id, ae  {a} ) S  skip  # (ae) = (ae) Local Soundness st#(ae#)   {(st (, ae)[1] | ae  ae# } Optimality st#(ae#) = ({st (, ae) | (, ae)  (#)} =  {(st (, ae)[1] | ae  ae# } The initial value at the entry is  Example program x = y + t //{(y+t)} z = y + r //{(y+t), (y+r)} while (…) { // {(y+t), (y+r)} t = t + (y + r) // { (y+r)} } Soundness and Completeness

Example: May-Be-Garbage A variable x may-be-garbage at a program point v if there exists a execution path leading to v in which x’s value is unpredictable: Was not assigned Was assigned using an unpredictable expression Lattice Galois connection Basic statements Soundness

The PWhile Programming Language Abstract Syntax a := x | *x | &x | n | a1 opa a2 b := true | false | not b | b1 opb b2 | a1 opr a2 S := x := a | *x := a | skip | S1 ; S2 | if b then S1 else S2 | while b do S

Concrete Semantics for PWhile State1= [LocLocZ] For every atomic statement S S  : States1 States1 x := a ()=[loc(x) Aa ] x := &y () x := *y () x := y () *x := y ()

Points-To Analysis Lattice Lpt = Galois connection Meaning of statements

t := &a; y := &b; z := &c; if x> 0 then p:= &y; else p:= &z; *p := t;

/. . / t := &a; /. {(t, a)}. / /. {(t, a)}. / y := &b; / /*  */ t := &a; /* {(t, a)}*/ /* {(t, a)}*/ y := &b; /* {(t, a), (y, b) }*/ /* {(t, a), (y, b)}*/ z := &c; /* {(t, a), (y, b), (z, c) }*/ if x> 0; then p:= &y; /* {(t, a), (y, b), (z, c), (p, y)}*/ else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/ *p := t; /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

Abstract Semantics for PWhile State#= P(Var*  Var*) For every atomic statement S x := a () x := &y () x := *y () x := y () *x := y ()

/. . / t := &a; /. {(t, a)}. / /. {(t, a)}. / y := &b; / /*  */ t := &a; /* {(t, a)}*/ /* {(t, a)}*/ y := &b; /* {(t, a), (y, b) }*/ /* {(t, a), (y, b)}*/ z := &c; /* {(t, a), (y, b), (z, c) }*/ if x> 0; then p:= &y; /* {(t, a), (y, b), (z, c), (p, y)}*/ else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/ *p := t; /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

Flow insensitive points-to-analysis Steengard 1996 Ignore control flow One set of points-to per program Can be represented as a directed graph Conservative approximation Accumulate pointers Can be computed in almost linear time Union find

t := &a; y := &b; z := &c; if x> 0; then p:= &y; else p:= &z; *p := t;

Precision We cannot usually have (CS) = DF on all programs But can we say something about precision in all programs?

The Join-Over-All-Paths (JOP) Let paths(v) denote the potentially infinite set paths from start to v (written as sequences of edges) For a sequence of edges [e1, e2, …, en] define f #[e1, e2, …, en]: L  L by composing the effects of basic blocks f #[e1, e2, …, en](l) = f#(en) (… (f#(e2) (f#(e1) (l)) …) JOP[v] = {f#[e1, e2, …,en]() [e1, e2, …, en]  paths(v)}

JOP vs. Least Solution The df solution obtained by Chaotic iteration satisfies for every v: JOP[v] df(v) A function f# is additive (distributive) if f#({x| x  X}) = {f#(x) |  X} If every f# (u,v) is additive (distributive) for all the edges (u,v) JOP[v] = df(v) Examples Maybe garbage Available expressions Constant Propagation Points-to

Notions of precision CS =  (df) (CS) = df Meet(Join) over all paths Using best transformers Good enough

Complexity of Chaotic Iterations Usually depends on the height of the lattice In some cases better bound exist A function f is fast if f (f(l))  l  f(l) For fast functions the Chaotic iterations can be implemented in O(nest * |V|) iterations nest is the number of nested loop |V| is the number of control flow nodes

Conclusion Chaotic iterations is a powerful technique Easy to implement Rather precise But expensive More efficient methods exist for structured programs Abstract interpretation relates runtime semantics and static information The concrete semantics serves as a tool in designing abstractions More intuition will be given in the sequel