Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Abstract Interpretation Part II
Semantics Static semantics Dynamic semantics attribute grammars
Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.
Lecture 11: Code Optimization CS 540 George Mason University.
Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 355 – Programming Languages
Cpeg421-08S/final-review1 Course Review Tom St. John.
Program analysis Mooly Sagiv html://
Recap Mooly Sagiv. Outline Subjects Studied Questions & Answers.
An Overview on Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Liveness Analysis Mooly Sagiv Schrierber Wed 10:00-12:00 html://
An Overview on Static Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of.
Program analysis Mooly Sagiv html://
Code Generation for Basic Blocks Introduction Mooly Sagiv html:// Chapter
Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.
1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Code Generation Mooly Sagiv html:// Chapter 4.
Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday
Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.
1 Program Analysis Systematic Domain Design Mooly Sagiv Tel Aviv University Textbook: Principles.
Describing Syntax and Semantics
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Overview of program analysis Mooly Sagiv html://
1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis: Data-flow frameworks –Classic.
An Overview on Static Program Analysis Mooly Sagiv.
Abstract Interpretation (Cousot, Cousot 1977) also known as Data-Flow Analysis.
Data Flow Analysis Compiler Baojian Hua
Software (Program) Analysis. Automated Static Analysis Static analyzers are software tools for source text processing They parse the program text and.
Compiler Construction Lecture 16 Data-Flow Analysis.
Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.
1 Iterative Program Analysis Abstract Interpretation Mooly Sagiv Tel Aviv University Textbook:
An Overview on Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Dataflow Analysis Topic today Data flow analysis: Section 3 of Representation and Analysis Paper (Section 3) NOTE we finished through slide 30 on Friday.
Static Program Analyses of DSP Software Systems Ramakrishnan Venkitaraman and Gopal Gupta.
Compiler Principles Fall Compiler Principles Lecture 0: Local Optimizations Roman Manevich Ben-Gurion University.
Page 1 5/2/2007  Kestrel Technology LLC A Tutorial on Abstract Interpretation as the Theoretical Foundation of CodeHawk  Arnaud Venet Kestrel Technology.
Semantics In Text: Chapter 3.
Data-Flow Analysis (Chapter 8). Outline What is Data-Flow Analysis? Structure of an optimizing compiler An example: Reaching Definitions Basic Concepts:
Intermediate Code Representations
CS412/413 Introduction to Compilers Radu Rugina Lecture 18: Control Flow Graphs 29 Feb 02.
1 Control Flow Graphs. 2 Optimizations Code transformations to improve program –Mainly: improve execution time –Also: reduce program size Can be done.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
1 Languages and Compilers (SProg og Oversættere) Compiler Optimizations Bent Thomsen Department of Computer Science Aalborg University With acknowledgement.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
1 Iterative Program Analysis Abstract Interpretation Mooly Sagiv Tel Aviv University Textbook:
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Chaotic Iterations Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Optimization Simone Campanoni
DFA foundations Simone Campanoni
STATIC CODE ANALYSIS. OUTLINE  INTRODUCTION  BACKGROUND o REGULAR EXPRESSIONS o SYNTAX TREES o CONTROL FLOW GRAPHS  TOOLS AND THEIR WORKING  ERROR.
Data Flow Analysis Suman Jana
Mooly Sagiv html://
Textbook: Principles of Program Analysis
Symbolic Implementation of the Best Transformer
University Of Virginia
Languages and Compilers (SProg og Oversættere) Compiler Optimizations
Ras Bodik WF 11-12:30 slides adapted from Mooly Sagiv
Presentation transcript:

Overview of program analysis Mooly Sagiv html://

Outline What is (static) program analysis Examples Undecidability Algorithms

Abstract Interpretation Static analysis Automatically identify program properties –No user provided loop invariants Sound but incomplete methods –But can be rather precise Non-standard interpretation of the program operational semantics Applications –Compiler optimization –Code quality tools Identify potential bugs Prove the absence of runtime errors Partial correctness

Control Flow Graph(CFG) z = 3 while (x>0) { if (x = 1) y = 7; else y =z + 4; assert y == 7 } z =3 while (x>0) if (x=1) y =7y =z+4 assert y==7

Constant Propagation z =3 while (x>0) if (x=1) y =7y =z+4 assert y==7 [x  ?, y  ?, z  ? ] [x  ?, y  ?, z  3 ] [x  1, y  ?, z  3 ] [x  1, y  7, z  3 ] [x  ?, y  7, z  3 ] [x  ?, y  ?, z  3 ]

List reverse(Element  head) { List rev, n; rev = NULL; while (head != NULL) { n = head  next; head  next = rev; head = n; rev = head; } return rev; } Memory Leakage potential leakage of address pointed to by head

Memory Leakage Element  reverse(Element  head) { Element  rev,  n; rev = NULL; while (head != NULL) { n = head  next; head  next = rev; rev = head; head = n; } return rev; }  No memory leaks

A Simple Example void foo(char *s ) { while ( *s != ‘ ‘ ) s++; *s = 0; } Potential buffer overrun: offset(s)  alloc(base(s))

A Simple Example void foo(char string(s) { while ( *s != ‘ ‘&& *s != 0) s++; *s = 0; }  No buffer overruns

Example Static Analysis Problem Find variables which are live at a given program location Used before set on some execution paths from the current program point

A Simple Example /* c */ L0: a := 0 /* ac */ L1:b := a + 1 /* bc */ c := c + b /* bc */ a := b * 2 /* ac */ if c < N goto L1 /* c */ return c ab c

Compiler Scheme String Scanner Parser Semantic Analysis Code Generator Static analysis Transformations Tokens source-program tokens AST IR IR +information

Undecidability issues It is impossible to compute exact static information Finding if a program point is reachable Difficulty of interesting data properties

Undecidabily A variable is live at a given point in the program –if its current value is used after this point prior to a definition in some execution path It is undecidable if a variable is live at a given program location

Proof Sketch Pr L: x := y Is y live at L?

Conservative (Sound) The compiler need not generate the optimal code Can use more registers (“spill code”) than necessary Find an upper approximation of the live variables Err on the safe side A superset of edges in the interference graph Not too many superfluous live variables

Conservative(Sound) Software Quality Tools Can never miss an error But may produce false alarms –Warning on non existing errors

Iterative computation of conservative static information Construct a control flow graph Optimistically start with the best value at every node “Interpret” every statement in a conservative way Stop when no changes occur

/* c */ L0: a := 0 /* ac */ L1:b := a + 1 /* bc */ c := c + b /* bc */ a := b * 2 /* ac */ if c < N goto L1 /* c */ return c a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;      

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;  {c}    

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;  {c}   

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;  {c} {c, b}  

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;  {c} {c, b} 

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;  {c} {c, b} {c, a} {c, b}

a := 0 ; b := a +1 ; c := c +b ; a := b*2 ; c <N goto L1 return c ;  {c, a} {c, b} {c, a} {c, b}

Summary Iterative Procedure Analyze one procedure at a time –More precise solutions exit Construct a control flow graph for the procedure Initializes the values at every node to the most optimistic value Iterate until convergence

Summary Program analysis provides non-trivial insights on the runtime executions of the program –Degenerate case – types (flow insensitive) Mathematically justified –Operational semantics –Abstract interpretation (lattice theory) Employed in compilers Will be employed in software quality tool