Iterative Program Analysis: Abstract Interpretation
Mooly Sagiv, Tel Aviv University
Textbook: Principles of Program Analysis, Chapter 4; CC79, CC92
Outline
• Reminder: Chaotic Iterations
• The abstract interpretation technique
  – Relating concrete and abstract interpretation
  – More examples
  – Precision
• Later
  – Backward analysis
  – Complexity
  – Widening and narrowing
  – Shape analysis
Specialized Chaotic Iterations: System of Equations
  S =
    df_entry[s] =
    df_entry[v] = {f(u, v)(df_entry[u]) | (u, v) E}
  F_S : L^n L^n
    F_S(X)[s] =
    F_S(X)[v] = {f(u, v)(X[u]) | (u, v) E}
  lfp(S) = lfp(F_S)
Specialized Chaotic Iterations: The Algorithm
  Chaotic(G(V, E): Graph, s: Node, L: Lattice, : L, f: E (L L)) {
    for each v in V do
      df_entry[v] :=
    df[s] =
    WL = {s}
    while (WL ) do
      select and remove an element u WL
      for each v such that (u, v) E do
        temp = f(e)(df_entry[u])
        new := df_entry(v) temp
        if (new df_entry[v]) then
          df_entry[v] := new;
          WL := WL {v}
  }
Example: Chaotic Iterations on a Simple Program
  z = 3
  x = 1
  while (x > 0)
    if (x = 1)
      y = 7
    else
      y = z + 4
    x = 3
  print y
Edge transfer functions (one per statement or test):
  e.e[z 3]
  e.e[x 1]
  e. if x > 0 then e else
  e. if e x 0 then e else
  e.e[x 1, y , z ]
  e. if e x 0 then e else
  e.e[y 7]
  e.e[y e(z)+4]
  e.e[x 3]
  e.e[x 0, y 0, z 0]
Trace of the worklist and of df_entry[v]:
  WL        df_entry[v]
  {1}
  {2}       df[2] := [x 0, y 0, z 3]
  {3}       df[3] := [x 1, y 0, z 3]
  {4}       df[4] := [x 1, y 0, z 3]
  {5}       df[5] := [x 1, y 0, z 3]
  {7}       df[7] := [x 1, y 7, z 3]
  {8}       df[8] := [x 3, y 7, z 3]
  {3}       df[3] := [x , y , z 3]
  {4}       df[4] := [x , y , z 3]
  {5,6}     df[5] := [x 1, y , z 3]
  {6,7}     df[6] := [x , y , z 3]
  {7}       df[7] := [x , y 7, z 3]
The Abstract Interpretation Technique (Cousot & Cousot)
• The foundation of program analysis
• Defines the meaning of the information computed by static tools
• A mathematical framework
• Allows proving that an analysis is sound in a local way
• Identifies design bugs
• Shows where precision is lost
• Derives new analyses from old ones
• Not limited to a particular programming style
Abstract (Conservative) Interpretation
[Diagram: a set of states is mapped by abstraction to an abstract representation; applying the operational semantics of statement s to the set of states and then abstracting is over-approximated by applying the abstract semantics of statement s to the abstract representation]
[Diagram, the same commutation read through concretization: the abstract representation is mapped by concretization to a set of states, and the operational semantics of statement s on that set is contained in the concretization of the abstract semantics of s]
Abstract Interpretation: the concrete domain is sets of stores, the abstract domain is descriptors of sets of stores
Galois Connections
• Lattices C and A and functions : C A and : A C
• The pair of functions ( , ) form a Galois connection if
  – and are monotone
  – a A » ( (a)) a
  – c C » c ( (c))
• Alternatively, if: c C a A: (c) a iff c (a)
• The two functions uniquely determine each other
The Abstraction Function (CP)
• Maps collecting states into constants
• The abstraction of an individual state
  CP : [Var * Z] [Var * Z { , }]
  CP( ) =
• The abstraction of a set of states
  CP : P([Var * Z]) [Var * Z { , }]
  CP(CS) = { CP( ) | CS} = { | CS}
• Soundness: CP(Reach(v)) df(v)
• Completeness
The Concretization Function
• Maps constants into collecting states
• The formal meaning of constants
• The concretization
  CP : [Var * Z { , }] P([Var * Z])
  CP(df) = { | CP( ) df} = { | df}
• Soundness: Reach(v) CP(df(v))
• Completeness
Galois Connection for Constant Propagation
• CP is monotone
• CP is monotone
• df [Var * Z { , }]
  – CP( CP(df)) df
• C P([Var * Z])
  – C CP( CP(C))
Upper Closures
• Define abstractions on sets of concrete states
• : P( ) P( ) such that
  – is monotone, i.e., X Y X Y
  – is extensive, i.e., X X
  – is a closure, i.e., ( X) = X
• Every Galois connection defines an upper closure
Proof of Soundness
• Define an “appropriate” operational semantics
• Define a “collecting” structural operational semantics
• Establish a Galois connection between collecting states and abstract states
• (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
• (Global correctness) Conclude that the analysis is sound
Collecting Semantics
• The input state is not known at compile time
• “Collect” all the states for all possible inputs to the program
• No loss of precision
A Simple Example Program
  z = 3
  x = 1
  while (x > 0) (
    if (x = 1) then y = 7 else y = z + 4
    x = 3
  )
  print y
Sets of states collected at the program points:
  {[x 0, y 0, z 0]}
  {[x 1, y 0, z 3]}
  {[x 1, y 0, z 3], [x 3, y 0, z 3]}
  {[x 0, y 0, z 3]}
  {[x 1, y 7, z 3], [x 3, y 7, z 3]}
  {[x 3, y 7, z 3]}
Another Example
  x = 0
  while (true) do
    x = x + 1
An “Iterative” Definition
• Generate a system of monotone equations
• The least solution is well-defined
• The least solution is the collecting interpretation
• But it may not be computable
Equations Generated for the Collecting Interpretation
• Equations for elementary statements
  – [skip]: CS_exit(l) = CS_entry(l)
  – [b]: CS_exit(l) = { : CS_entry(l), b = tt}
  – [x := a]: CS_exit(l) = {(s[x A a s]) | s CS_entry(l)}
• Equations for control flow constructs
  CS_entry(l) = CS_exit(l’), where l’ immediately precedes l in the control flow graph
• An equation for the entry
  CS_entry(1) = { | Var * Z}
Specialized Chaotic Iterations: System of Equations (Collecting Semantics)
  S =
    CS_entry[s] = { 0}
    CS_entry[v] = {f(e)(CS_entry[u]) | (u, v) E}
  where
    f(e) = X. { st(e) | X} for atomic statements
    f(e) = X. { | b(e) = tt}
  F_S : L^n L^n
    F_S(X)[v] = {f(e)[u] | (u, v) E}
  lfp(S) = lfp(F_S)
The Least Solution
• 2n sets of equations: CS_entry(1), …, CS_entry(n), CS_exit(1), …, CS_exit(n)
• Can be written in vectorial form
• The least solution lfp(F_cs) is well-defined
• Every component is minimal
• Since F_cs is monotone, such a solution always exists
• CS_entry(v) = {s | s_0 | * (S’, s), init(S’) = v}
• Simplifies the soundness criteria
[Diagram: on the concrete side the iterates f( ), f²( ), … ascend to lfp(f), the fixed points f(x) = x lie between the post-fixed points f(x) x and the pre-fixed points f(x) x, and the descending iterates reach gfp(f); on the abstract side the iterates f#( ), f#²( ), … ascend to lfp(f#), with f#(y) = y, f#(y) y, f#(y) y and gfp(f#) likewise; the two sides are related by a: f( (a)) (f#(a))]
Finite Height Case
[Diagram: in a lattice of finite height the ascending chain of iterates of f reaches lfp(f) after finitely many steps, and the ascending chain of iterates of f# reaches lfp(f#); each abstract iterate covers the corresponding concrete one]
Soundness Theorem (1)
1. Let ( , ) form a Galois connection from C to A
2. f : C C be a monotone function
3. f# : A A be a monotone function
4. a A: f( (a)) (f#(a))
Then:
  lfp(f) (lfp(f#))
  (lfp(f)) lfp(f#)
Soundness Theorem (2)
1. Let ( , ) form a Galois connection from C to A
2. f : C C be a monotone function
3. f# : A A be a monotone function
4. c C: (f(c)) f#( (c))
Then:
  (lfp(f)) lfp(f#)
  lfp(f) (lfp(f#))
Soundness Theorem (3)
1. Let ( , ) form a Galois connection from C to A
2. f : C C be a monotone function
3. f# : A A be a monotone function
4. a A: (f( (a))) f#(a)
Then:
  (lfp(f)) lfp(f#)
  lfp(f) (lfp(f#))
Proof of Soundness (Summary)
• Define an “appropriate” structural operational semantics
• Define a “collecting” structural operational semantics
• Establish a Galois connection between collecting states and reaching definitions
• (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
• (Global correctness) Conclude that the analysis is sound
Completeness
  (lfp(f)) = lfp(f#)
  lfp(f) = (lfp(f#))
Constant Propagation
• : [Var Z] [Var Z { , }]
  – ( ) = ( )
• : P([Var Z]) [Var Z { , }]
  – (X) = { ( ) | X} = { | X}
• : [Var Z { , }] P([Var Z])
  – ( #) = { | ( ) #} = { | #}
• Local Soundness
  – st#( #) ({ st | ( #)}) = { st | #}
• Optimality (Induced)
  – st#( #) = ({ st | ( #)}) = { st | #}
• Soundness
• Completeness
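The abstraction, concretization, Galois condition and local soundness of this slide and of the earlier "The Abstraction Function (CP)" and "The Concretization Function" slides, as an added Python example that is not from the slides. The concrete states and the "y := z + 4" transfer used here are constructed for the demonstration; concretization is handled as a membership test because its result is an infinite set.

```python
# Added example, not code from the slides: the constant-propagation abstraction alpha_CP,
# membership in gamma_CP, the Galois condition alpha(C) <= df iff C subset of gamma(df),
# and local soundness of the abstract transfer for "y := z + 4". Constructed states below.
TOP, BOT = "TOP", "BOT"
VARS = ("x", "y", "z")

def leq_val(a, b):            # order on a variable's value: BOT < n < TOP
    return a == BOT or b == TOP or a == b

def leq(s, t):                # order on abstract states; None is the bottom state
    if s is None or t is None: return s is None
    return all(leq_val(s[v], t[v]) for v in VARS)

def join_val(a, b):
    return b if a == BOT else a if b == BOT else a if a == b else TOP

def alpha(states):
    """alpha_CP(CS): join of the singleton abstractions of every state in CS."""
    result = None
    for sigma in states:      # the abstraction of a single state is the state itself
        result = {v: sigma[v] if result is None else join_val(result[v], sigma[v]) for v in VARS}
    return result

def in_gamma(sigma, df):
    """sigma in gamma_CP(df) iff alpha_CP(sigma) <= df; gamma itself may be infinite."""
    return df is not None and all(leq_val(sigma[v], df[v]) for v in VARS)

def galois_check(states, df):
    """The defining property of the connection must hold for any C and df."""
    return leq(alpha(states), df) == all(in_gamma(s, df) for s in states)

def abstract_assign_y(df):    # st# for "y := z + 4" on the constant lattice
    z = df["z"]
    return {**df, "y": z if z in (TOP, BOT) else z + 4}

def local_soundness(states):
    """alpha({st(sigma) | sigma in C}) <= st#(alpha(C)) for the concrete set C."""
    after = [{**s, "y": s["z"] + 4} for s in states]
    return leq(alpha(after), abstract_assign_y(alpha(states)))

# constructed concrete states, as collected at the loop head of the slides' program
STATES = [{"x": 1, "y": 0, "z": 3}, {"x": 3, "y": 7, "z": 3}]
```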
Summary
• Abstract interpretation connects abstract and concrete semantics
• Galois connection
• Local correctness
• Global correctness