Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis."— Presentation transcript:

1 1 Iterative Program Analysis Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 2.1 +6 (modified) Appendix A

2 Outline u A gentle introduction constant propagation u Mathematical background u Chaotic iterations u Abstract interpretation u More examples –Kill/Gen Problems –Garbage variables –Pointer analysis »Stack »Heap (later)

3 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) [x  0, y  0, z  0 ] [x  1, y  0, z  3 ] [x  1, y  7, z  3 ] [x  0, y  0, z  3 ] [x  3, y  7, z  3 ] [x  1, y  7, z  3 ]

4 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) [x  0, y  0, z  0 ] [x  1, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  7, z  3 ] [x  0, y  0, z  3 ] [x  3, y  7, z  3 ]

5 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) [x  0, y  0, z  0 ] [x  1, y  0, z  3 ] [x , y  0, z  3 ] [x , y  7, z  3 ] [x  1, y  7, z  3 ] [x  0, y  0, z  3 ] [x  3, y  7, z  3 ]

6 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y =z + 4 x = 3 print y ) [x  0, y  0, z  0 ] [x  1, y  0, z  3 ] [x , y  0, z  3 ] [x , y  7, z  3 ] [x  0, y  0, z  3 ] [x  3, y  7, z  3 ] [x  1, y  7, z  3 ]

7 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y =z + 4 x = 3 print y ) [x  0, y  0, z  0 ] [x  1, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  7, z  3 ] [x , y  7, z  3 ] [x  0, y  0, z  3 ] [x  3, y  7, z  3 ] [x , y  7, z  3 ] [x  1, y  7, z  3 ]

8 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y =z + 4 x = 3 print y ) [x  0, y  0, z  0 ] [x  1, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  7, z  3 ] [x  0, y  0, z  3 ] [x  3, y  7, z  3 ] [x , y  7, z  3 ]

9 Computing Constants u Construct a control flow graph (CFG) u Associate transfer functions with control flow graph edges u Iterate until a solution is found u The solution is unique –But order of evaluation may affect the number of iterations

10 Constructing CFG z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y =z + 4 x = 3 print y ) z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y

11 Associating Transfer Functions z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e

12 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]       

13 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]       [x  1, y  0, z  0 ]

14 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]       [x  0, y  0, z  3 ]

15 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]      [x  0, y  0, z  3 ] [x  1, y  0, z  3 ]

16 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]     [x  0, y  0, z  3 ] [x  1, y  0, z  3 ]

17 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]    [x  0, y  0, z  3 ] [x  1, y  0, z  3 ]

18 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]   [x  0, y  0, z  3 ] [x  1, y  0, z  3 ] [x  1, y  7, z  3 ]

19 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]  [x  0, y  0, z  3 ] [x  1, y  0, z  3 ] [x  1, y  7, z  3 ] [x  3, y  7, z  3 ]

20 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]  [x  0, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  0, z  3 ] [x  1, y  7, z  3 ] [x  3, y  7, z  3 ]

21 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]  [x  0, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  0, z  3 ] [x  1, y  7, z  3 ] [x  3, y  7, z  3 ]

22 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ]  [x  0, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  7, z  3 ] [x  3, y  7, z  3 ]

23 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ] [x  0, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  7, z  3 ] [x  3, y  7, z  3 ] [x , y  0, z  3 ]

24 Iterative Computation z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e [x  0, y  0, z  0 ] [x  0, y  0, z  3 ] [x , y  0, z  3 ] [x  1, y  0, z  3 ] [x , y  7, z  3 ] [x  3, y  7, z  3 ] [x , y  0, z  3 ]

25 Order of evaluation u The solution is unique u Different orders may converge faster u Example order: Depth First Order

26 Mathematical Background u Declaratively define –The result of the analysis –The exact solution –Allow comparison u Prove that the algorithm is sound by proving that the handling of atomic statements is sound

27 Posets u A partial ordering is a binary relation  : L  L  {false, true} –For all l  L : l  l (Reflexive) –For all l 1, l 2, l 3  L : l 1  l 2, l 2  l 3  l 1  l 3 (Transitive) –For all l 1, l 2  L : l 1  l 2, l 2  l 1  l 1 = l 2 (Anti-Symmetric) u Denoted by (L,  ) u In program analysis –l 1  l 2  l 1 is more precise than l  l 1 represents fewer concrete states than l 2

28 Example Posets u Total orders (N,  ) u Powersets (P(S),  ) u Powersets (P(S),  ) u Constant propagation

29 Posets u More notations –l 1  l 2  l 2  l 1 –l 1  l 2  l 1  l 2  l 1  l 2 –l 1  l 2  l 2  l 1

30 Upper and Lower Bounds u Consider a poset (L,  ) u A subset L’  L has a lower bound l  L if for all l’  L’ : l  l’ u A subset L’  L has an upper bound u  L if for all l’  L’ : l’  u u A greatest lower bound of a subset L’  L is a lower bound l 0  L such that l  l 0 for any lower bound l of L’ u A lowest upper bound of a subset L’  L is an upper bound u 0  L such that u 0  u for any upper bound u of L’ u For every subset L’  L: –The greatest lower bound of L’ is unique if at all exists »  L’ (meet) a  b =  {a, b} –The lowest upper bound of L’ is unique if at all exists »  L’ (join) a  b =  {a, b}

31 Complete Lattices u A poset (L,  ) is a complete lattice if every subset has least and upper bounds u L = (L,  ) = (L, , , , ,  ) –  =   =  L –  =  L =   u Examples –Total orders (N,  ) –Powersets (P(S),  ) –Powersets (P(S),  ) –Constant propagation

32 Complete Lattices u Lemma For every poset (L,  ) the following conditions are equivalent –L is a complete lattice –Every subset of L has a least upper bound –Every subset of L has a greatest lower bound

33 Cartesian Products u A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) u A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) u Define a Poset L = (L 1  L 2,  ) where –(x 1, x 2 )  (y 1, y 2 ) if »x 1  y 1 and »x 2  y 2 u L is a complete lattice

34 Finite Maps u A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) u A finite set V u Define a Poset L = (V  L 1,  ) where –e 1  e 2 if for all v  V »e 1 v  e 2 v u L is a complete lattice

35 Chains u A subset Y  L in a poset (L,  ) is a chain if every two elements in Y are ordered –For all l 1, l 2  Y: l 1  l 2 or l 2  l 1 u An ascending chain is a sequence of values –l 1  l 2  l 3  … u A strictly ascending chain is a sequence of values –l 1  l 2  l 3  … u A descending chain is a sequence of values –l 1  l 2  l 3  … u A strictly descending chain is a sequence of values –l 1  l 2  l 3  … u L has a finite height if every chain in L is finite u Lemma A poset (L,  ) has finite height if and only if every strictly decreasing and strictly increasing chains are finite

36 Monotone Functions u A poset (L,  ) u A function f: L  L is monotone if for every l 1, l 2  L: –l 1  l 2  f(l 1 )  f(l 2 )

37 Lemma 1 Consider a lattice L. f: L  L is monotone iff for all X  L:  {f(z) | z  X }  f(  {z | z  X })

38 Distributive (additive functions) Consider a lattice L. f: L  L is distributive if for all X  L:  {f(z) | z  X } = f(  {z | z  X })

39 Fixed Points u A monotone function f: L  L where (L, , , , ,  ) is a complete lattice u Fix(f) = { l: l  L, f(l) = l} u Red(f) = {l: l  L, f(l)  l} u Ext(f) = {l: l  L, l  f(l)} –l 1  l 2  f(l 1 )  f(l 2 ) u Tarski’s Theorem 1955: if f is monotone then: – lfp(f) =  Fix(f) =  Red(f)  Fix(f) – gfp(f) =  Fix(f) =  Ext(f)  Fix(f)   f(  ) f(  ) f2()f2() f2()f2() Fix(f) Ext(f) Red(f) gfp(f) lfp(f)

40 Computing lfp(f) x =  while f(x)  x do x = f(x)

41 Chaotic Iterations u A lattice L = (L, , , , ,  ) with finite strictly increasing chains u L n = L  L  …  L u A monotone function f: L n  L n u Compute lfp(f) u The simultaneous least fixed of the system {x[i] = f i (x) : 1  i  n } x := ( , , …,  ) while (f(x)  x ) do x := f(x) for i :=1 to n do x[i] =  WL = {1, 2, …, n} while (WL   ) do select and remove an element i  WL new := f i (x) if (new  x[i]) then x[i] := new; Add all the indexes that directly depends on i to WL

42 Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: Lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  df[v] =  WL = {1, 2, … n} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

43 z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if x  0 then e else   e. e  [x  1, y , z  ]  e. if x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e  1 2 3 4 5 6 7 8 [x  0, y  0, z  0] WLdf entry ]v] {1} {2} df[2]:=[x  0, y  0, z  3] {3} df[3]:=[x  1, y  0, z  3] {4} df[4]:=[x  1, y  0, z  3] {5} df[5]:=[x  1, y  0, z  3] {7} df[7]:=[x  1, y  7, z  3] {8} df[8]:=[x  3, y  7, z  3] {3} df[3]:=[x , y , z  3] {4} df[4]:=[x , y , z  3] {5,6} df[5]:=[x  1, y , z  3] {6,7} df[6]:=[x , y , z  3] {7} df[7]:=[x , y  7, z  3]

44 Specialized Chaotic Iterations System of Equations S = df entry [s] =  df entry [v] =  {f(u, v) (df entry [u]) | (u, v)  E } F S :L n  L n F S (X)[s] =  F S (X)[v] =  {f(u, v)(X[u]) | (u, v)  E } lfp(S) = lfp(F S )

45 Complexity of Chaotic Iterations u Parameters: –n the number of CFG nodes –k is the maximum outdegree of edges –A lattice of height h –c is the maximum cost of »applying f (e) »  »L comparisons u Complexity O(n * h * c * k)

46 Soundness u Every detected constant is indeed such u Every error will be detected u The least fixed points represents all occurring runtime states

47 Completeness u Every constant is indeed detected as such u Every detected error is real u Every state represented by the least fixed is reachable for some input

48 The Abstract Interpretation Technique u The foundation of program analysis u Goals –Establish soundness of (find faults in) a given program analysis algorithm –Design new program analysis algorithms u The main ideas: –Relate each step in the algorithm to a step in a structural operational semantics –Establish global correctness using a general theorem u Not limited to a particular form of analysis

49 Galois Connections u Lattices C and A and functions  : C  A and  : A  C u The pair of functions ( ,  ) form Galois connection if –  and  are monotone –  a  A »  (  (a))  a –  c  C »c   (  (C)) u Alternatively if:  c  C  a  A  (c)  a iff c   (a) u  and  uniquely determine each other

50   Abstract Galois Connections Concrete  Sets of stores Descriptors of sets of stores 

51 Galois Insertions u Lattices C and A and functions  : C  A and  : A  C u The pair of functions ( ,  ) form Galois connection if –  and  are monotone –  a  A »  (  (a)) = a –  c  C »c   (  (C)) u  and  uniquely determine each other

52   Abstract Galois Insertion Concrete  Sets of stores Descriptors of sets of stores 

53 Soundness in Constant Propagation u Every detected constant is indeed such u May include fewer constants u May miss  u At every CFG node l All constants in df entry (l) are indeed constants u At every CFG node l df entry (l) “represents” all the possible concrete states arising when the structural operational semantics reaches l

54 Proof of Soundness u Define an “appropriate” operational semantics u Define “collecting” operational semantics u Establish a Galois connection between collecting states and reaching definitions u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound CC1976

55 Syntax vs. Semantics u The pattern of formation of sentences or phrases in a language u Examples –Regular expressions –Context free grammars u The study or science of meaning in language u Examples –Interpreter –Operational Semantics –Denotational Semantics –Compiler

56 Alternative Formal Semantics u Operational Semantics –The meaning of the program is described “operationally” –Natural Operational Semantics –Structural Operational Semantics u Denotational Semantics –The meaning of the program is an input/output relation –Mathematically challenging but complicated u Axiomatic Semantics –Logical axioms –The meaning of the program are observed properties

57 General Notations u Syntactic categories –Var the set of program variables –Aexp the set of arithmetic expressions –Bexp the set of Boolean expressions –Stm set of program statements u Semantic categories –Natural values N={0, 1, 2, …} –Truth values T={ff, tt} –States State = Var  N –Lookup in a state s: s x –Update of a state s: s [ x  5]

58 Example State Manipulations u [x  1, y  7, z  16] y = u [x  1, y  7, z  16] t = u [x  1, y  7, z  16][x  5] = u [x  1, y  7, z  16][x  5] x = u [x  1, y  7, z  16][x  5] y =

59 Semantics of arithmetic expressions u Assume that arithmetic expressions are side-effect free u A  Aexp  : State  N u Defined by induction on the syntax tree –A  n  s = n –A  x  s = s x –A  e 1 + e 2  s = A  e 1  s + A  e 2  s –A  e 1 * e 2  s = A  e 1  s * A  e 2  s –A  ( e 1 )  s = A  e 1  s --- not needed –A  - e 1  s = -A  e 1  s u Compositional u Properties can be proved by structural induction

60 Assignments  x := a  (s) = s[x  A  a  s]

61 Collecting Semantics u The input state is not known at compile-time u “Collect” all the states for all possible inputs to the program u No lost of precision

62 A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) {[x  0, y  0, z  0 ]} {[x  1, y  0, z  3 ]} {[x  1, y  0, z  3 ], [x  3, y  0, z  3], } {[x  0, y  0, z  3 ]} {[x  1, y  7, z  3 ], [x  3, y  7, z  3] } { [x  3, y  7, z  3] }

63 Another Example x= 0 while (true) do x = x +1

64 An “Iterative” Definition u Generate a system of monotone equations u The least solution is well-defined u The least solution is the collecting interpretation u But may not be computable

65 Equations Generated for Collecting Interpretation u Equations for elementary statements –[skip] CS exit (1) = CS entry (l) –[b] CS exit (1) = {  :   CS entry (l),  b   =tt} –[x := a] CS exit (1) = { (s[x  A  a  s]) | s  CS entry (l)} u Equations for control flow constructs CS entry (l) =  CS exit (l’) l’ immediately precedes l in the control flow graph u An equation for the entry CS entry (1) = {  |   Var *  Z }

66 Specialized Chaotic Iterations System of Equations (Collecting Semantics) S = CS entry [s] ={  0 } CS entry [v] =  {f(e)(CS entry [u]) | (u, v)  E } where f(e) = X. {  st(e)   |  X} for atomic statements f(e) = X.{  |  b(e)   =tt } F S :L n  L n F s (X)[v] =  {f(e)[u] | (u, v)  E } lfp(S) = lfp(F S )

67 The Least Solution u 2n sets of equations CS entry (1), …, CS entry (n), CS exit (1), …, CS exit (n) u Can be written in vectorial form u The least solution lfp(F cs ) is well-defined u Every component is minimal u Since F cs is monotone such a solution always exists u CS entry (v) = {s|  s 0 |  * (S’, s)), init(S’)=v} u Simplify the soundness criteria

68 Abstract (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation concretization Operational semantics statement s Set of states 

69 Abstract (Conservative) interpretation abstract representation Set of states abstraction Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states abstract representation 

70 The Abstraction Function u Map collecting states into constants u The abstraction of an individual state  CP :[Var *  Z]  [Var *  Z  { ,  }]  CP (  ) =  u The abstraction of set of states  CP :P([Var *  Z])  [Var *  Z  { ,  }]  CP (CS) =  {  CP (  ) |   CS} =  {  |   CS} u Soundness  CP (CS entry (v))  df entry (v) u Completeness

71 The Concretization Function u Map constants into collecting states u The formal meaning of constants u The concretization  CP : [Var *  Z  { ,  }]  P([Var *  Z])  CP (df) = {  |  CP (  )  df} = {  |   df} u Soundness CS entry (v)   CP (df entry (v)) u Optimality

72 Galois Connection u  CP is monotone u  CP is monotone u  df  [Var *  Z  { ,  }] –  CP (  CP (df))  df u  c  P([Var *  Z]) –c CP   CP (  CP (C))

73 Local Concrete Semantics u For every atomic statement S –  S  : [Var *  Z]  [Var *  Z] –  x := a]  s = s[x  A  a  s] –  skip]  s = s u For Boolean conditions …

74 Local Abstract Semantics u For every atomic statement S –  S  # :Var *  L  Var *  L –  x := a  # (e) = e [x   a  # (e) –  skip  # (e) = e u For Booleans …

75 Local Soundness u For every atomic statement S show one of the following –  CP ({  S   |   CS }   S  # (  CP (CS)) –{  S   |    CP (df)}   CP (  S  # (df)) –  ({  S   |    CP (df)})   S  # (df) u The above condition implies global soundness [Cousot & Cousot 1976]  (CS entry (l))  df entry (l) CS entry (l)   (df entry (l))

76 Assignments in constant propagation u Monotone –df 1  df 2   x :=e  ) # df 1 )   x :=e  ) # df 2 ( u Local Soundness –  ({  x :=e   |   CS }   x :=e  # (  (CS))

77 Soundness Theorem(1) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A: f(  (a))   (f # (a)) lfp(f)   (lfp(f # ))  (lfp(f))  lfp(f # )

78 Soundness Theorem(2) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  c  C:  (f(c))  f # (  (c))  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

79 Soundness Theorem(3) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A:  (f(  (a)))  f # (a)  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

80 Proof of Soundness (Summary) u Define an “appropriate” operational semantics u Define “collecting” operational semantics u Establish a Galois connection between collecting states and reaching definitions u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound

81 Best (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states concretization Set of states 

82 Induced Analysis (Relatively Optimal) u It is sometimes possible to show that a given analysis is not only sound but optimal w.r.t. the chosen abstraction –but not necessarily optimal! u Define  S  # (df) =  ({  S   |    (df)}) u But this  S  # may not be computable u Derive (at compiler-generation time) an alternative form for  S  # u A useful measure to decide if the abstraction must lead to overly imprecise results

83 Example Dataflow Problem u Formal available expression analysis u Find out which expressions are available at a given program point u Example program x = y + t z = y + r while (…) { t = t + (y + r) } u Lattice u Galois connection u Basic statements u Soundness

84 Example: May-Be-Garbage u A variable x may-be-garbage at a program point v if there exists a execution path leading to v in which x’s value is unpredictable: –Was not assigned –Was assigned using an unpredictable expression u Lattice u Galois connection u Basic statements u Soundness

85 Points-To Analysis u Determine if a pointer variable p may point to q on some path leading to a program point u “Adapt” other optimizations –Constant propagation x = 5; *p = 7 ; … x … u Pointer aliases –Variables p and q are may-aliases at v if the points-to set at v contains entries (p, x) and (q, x) u Side-effect analysis *p = *q + * * t

86 Concrete Semantics For every atomic statement S  S  : States  States  x := a  (  )=  [loc(x)  A  a   ]  x := &y  (  )  x := *y  (  )  x := y  (  )  *x := y  (  ) State= [Loc  Loc  Z]

87 Points-To Analysis u Lattice L pt = u Galois connection

88 Abstract Semantics For every atomic statement S  S  # : P(Var*  Var*)  P(Var*  Var*)  x := &y  #  x := *y  #  x := y  #  *x := y  #

89 t := &a; y := &b; z := &c; if x> 0; then p:= &y; else p:= &z; *p := t;

90 /*  */ t := &a; /* {(t, a)}*/ /* {(t, a)}*/ y := &b; /* {(t, a), (y, b) }*/ /* {(t, a), (y, b)}*/ z := &c; /* {(t, a), (y, b), (z, c) }*/ if x> 0; then p:= &y; /* {(t, a), (y, b), (z, c), (p, y)}*/ else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/ *p := t; /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

91 Flow insensitive points-to-analysis Steengard 1996 u Ignore control flow u One set of points-to per program u Can be represented as a directed graph u Conservative approximation –Accumulate pointers u Can be computed in almost linear time

92 t := &a; y := &b; z := &c; if x> 0; then p:= &y; else p:= &z; *p := t;

93 Precision u We cannot usually have –  (CS) = DF on all programs u But can we say something about precision in all programs?

94 The Join-Over-All-Paths (JOP) u Let paths(v) denote the potentially infinite set paths from start to v (written as sequences of labels) u For a sequence of edges [e 1, e 2, …, e n ] define f [e 1, e 2, …, e n ]: L  L by composing the effects of basic blocks f [e 1, e 2, …, e n ](l) = f(e n ) (… (f(e 2 ) (f(e 1 ) (l)) …) u JOP[v] =  {f[e 1, e 2, …,e n ](  ) [e 1, e 2, …, e n ]  paths(v)}

95 JOP vs. Least Solution u The DF solution obtained by Chaotic iteration satisfies for every l: –JOP[v]  DF entry (v) u A function f is additive (distributive) if –f(  {x| x  X}) =  {f(x) |  X} u If every f l is additive (distributive) for all the nodes v –JOP[v] = DF entry (v)

96 Conclusions u Chaotic iterations is a powerful technique u Easy to implement u Rather precise u But expensive –More efficient methods exist for structured programs u Abstract interpretation relates runtime semantics and static information u The concrete semantics serves as a tool in designing abstractions –More intuition will be given in the sequel

Download ppt "1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis."

Similar presentations

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.

Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.

Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.
Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.

Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program.

1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Programming Language Semantics Denotational Semantics Chapter 5 Part II.

Programming Language Semantics Denotational Semantics Chapter 5 Part II.
Data Flow Analysis 2 15-411 Compiler Design Nov. 3, 2005.

Data Flow Analysis Compiler Design Nov. 3, 2005.
From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.

From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://

Similar presentations

Ads by Google