Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Tentative Schedule u Today: Theory of abstract interpretation u May 5 Procedures u May 15, 14-16 Orna Grumberg 14-16 309 u May 12 Yom Hatzamaut u May.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Tentative Schedule u Today: Theory of abstract interpretation u May 5 Procedures u May 15, 14-16 Orna Grumberg 14-16 309 u May 12 Yom Hatzamaut u May."— Presentation transcript:

1 1 Tentative Schedule u Today: Theory of abstract interpretation u May 5 Procedures u May 15, 14-16 Orna Grumberg 14-16 309 u May 12 Yom Hatzamaut u May 19, 20 TVLA u May 22 TAU verification day (optional) u May 27 Yom Hastudent u June 2, Advanced Topics

2 2 Program Analysis Systematic Domain Design Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa05.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4, CC79, CC92

3 3 Outline u Domains with infinite heights u More on Galois Connections u Systematic construction of Galois connection u Precision

4 4 Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  In[v] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

5 5 Widening u Accelerate the termination of Chaotic iterations by computing a more conservative solution u Can handle lattices of infinite heights

6 6 Specialized Chaotic Iterations+  Chaotic(G(V, E): Graph, s: Node, L: lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  In[v] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

7 7 Example Interval Analysis u Find a lower and an upper bound of the value of a variable u Usages? u Lattice L = (Z  {- ,  }  Z  {- ,  }, , , , ,  ) –[a, b]  [c, d] if c  a and d  b –[a, b]  [c, d] = [min(a, c), max(b, d)] –[a, b]  [c, d] = [max(a, c), min(b, d)] –  = –  = u Galois connection

8 8 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [minint,maxint] IntExit(1) = [1,1] IntEntry(2) = IntExit(1)  IntExit(3) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [minint,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,maxint] IntExit(4) = IntEntry(4)

9 9 Widening for Interval Analysis u   [c, d] = [c, d] u [a, b]  [c, d] = [ if a  c then a else - , if b  d then b else  ]

10 10 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - ,  ] IntExit(1) = [1,1] IntEntry(2) = InExit(2)  (IntExit(1)  IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,  ] IntExit(4) = IntEntry(4)

11 11 Requirements on Widening u For all elements l 1  l 2  l 1  l 2 u For all ascending chains l 0  l 1  l 2  … the following sequence is finite –y 0 = l 0 –y i+1 = y i  l i+1 u For a monotonic function f: L  L define –x 0 =  –x i+1 = x i  f(x i ) u Theorem: –There exits k such that x k+1 = x k –x k  Red(f) = {l: l  L, f(l)  l}

12 12 Narrowing u Improve the result of widening u y  x  y  (x  y)  x u For all decreasing chains x 0  x 1  … the following sequence is finite –y 0 = x 0 –y i+1 = y i  x i+1 u For a monotonic function f: L  L and x  Red(f) = {l: l  L, f(l)  l} define –y 0 = x –y i+1 = y i  f(y i ) u Theorem: –There exits k such that y k+1 =y k –y k  Red(f) = {l: l  L, f(l)  l}

13 13 Narrowing for Interval Analysis u [a, b]   = [a, b] u [a, b]  [c, d] = [ if a = -  then c else a, if b =  then d else b ]

14 14 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - ,  ] IntExit(1) = [1,1] IntEntry(2) = InExit(2)  ( IntExit(1)  IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,  ] IntExit(4) = IntEntry(4)

15 15 Non Montonicity of Widening

16 16 Example Lattice Octagon (Shaham’00, Mine’02) u Inequalities between variables u Constraint graph G(V, E, w) –V includes a vertex for every variable –Additional zero node –weight function w: E  Z –Constraints –{ x  y + w(x, y) } u Lattice u Abstraction u Concretization u Widening u Relationships to intervals

17 17 Widening and Narrowing Summary u Very simple but produces impressive precision u Sometimes non-monotonic u The McCarthy 91 function u Also useful in the finite case u Can be used as a methodological tool u But not uniformly accepted int f(x) [- ,  ] if x > 100 then [101,  ] return x -10 [91,  -10]; else [- , 100] return f(f(x+11)) [91, 91] ;

18 18 Galois Insertions u For –A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) –A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) –  :L 1  L 2 –  : L 2  L 1 u We say that (L 1, , , L 2 ) is a Galois insertion –  and  are monotone –For all c  L 1 :  (  (c))  c –For all a  L 2 :  (  (a)) = a

19 19 Galois Insertions l   (l)  (  (l))  

20 20 Upper Closure u An operator op: P(  )  P(  ) is an upper closure if –op is monotonic –op is inflationary, i.e., op(X)  X –op is idempotent, i.e., op(op(X)) = op(X) u Every Galois connection (insertion) defines an upper closure on the set of concretization

21 21 Properties of Galois connections u Uniquely determine each other u Compose u Abstraction is additive u Concretization is multiplicative u Abstraction is strict in  u Concretization is co-strict in 

22 22 Combining Data Flow Analyzes u Develop new algorithms from old u If I know how to conservatively represent –Pointers –Integers u Do I know how to handle C programs with integers and pointers?

23 23 Combining Data Flow Analyzes u Develop new algorithms from old u If I know how to conservatively represent –Pointers –Integers u Do I know how to handle C programs with integers and pointers? u Improve the precision of an analysis u Obtain a more efficient analysis

24 24 Combining Data Flow Analyzers u Lattice constructors –L 1  L 2 –S  L 1 –… u Galois connection constructors u Constructing the abstract effect of elementary statements u Model the “relevant” parts of the program u Abstract “irrelevant” parts of the program

25 25 Galois Connections u For –A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) –A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) –  :L 1  L 2 –  : L 2  L 1 u We say that (L 1, , , L 2 ) is a Galois connection –  and  are monotone –For all c  L 1 :  (  (c))  c –For all a  L 2 :  (  (a))  a

26 26 Cartesian Products u A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) u A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) u Define a Poset L = (L 1  L 2,  ) where –(x 1, x 2 )  (y 1, y 2 ) if »x 1  y 1 and »x 2  y 2 u L is a complete lattice u But what does an element in L represent?

27 27 Cartesian Products (cont) u A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) u A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) u Complete lattice L = (L 1  L 2,  ) u A concrete lattice C (usually a powerset) u A Galois connection (C,  1,  1, L 1 ) u A Galois connection (C,  2,  2, L 2 ) u Define  :C  L 1  L 2 and  : L 1  L 2  C ? u Example: Parity  Sign

28 28 Cartesian Products (cont) u A Galois connection (C,  1,  1, L 1 ) u A Galois connection (C,  2,  2, L 2 ) u A Galois connection (C, , , L 1  L 2 ) –  (c) = –  ( ) =  1 (a 1 )   2 (a 2 ) u Define –L 1  st  # : L 1  L 1 –L 2  st  # : L 2  L 2 u How to define L 1  L 2  st  # : L 1  L 2  L 1  L 2 –Preserve soundness –Preserve relative optimality (induced) u Example: Parity  Sign

29 29 Component-wise combinations u Combine several analyses into a single analysis Cartesian products (Direct product) u Independent attribute method u Relational attribute method u Total function space u Monotone function space u Direct tensor product

30 30 Independent Attribute Method u A Galois connection (C 1,  1,  1, L 1 ) u A Galois connection (C 2,  2,  2, L 2 ) u A Galois connection (C 1  C 2, , , L 1  L 2 ) –  ( ) = –  ( ) = u Define –L 1  st  # : L 1  L 1 –L 2  st  # : L 2  L 2 u How to define L 1  L 2  st  # : L 1  L 2  L 1  L 2 –Preserve soundness –Preserve relative optimality (induced)

31 31 Relational Attribute Method u A Galois connection (P(C 1 ),  1,  1, P(L 1 )) where  1 : C 1  L 1 –  1 (X) =  {  1 (c) | c  X} u A Galois connection (P(C 2 ),  2,  2, P(L 2 )) where  2 : C 2  L 2 u  2 (X) =  {  2 (c) | c  X} u A Galois connection (P(C 1  C 2 ), , , P(L 1  L 2 )) –  (X) = { | X} –  ( ) = { |  1 (c 1 )  Y 1  2 (c 2 )  Y 2 } u But how about transformers?

32 32 Conclusions(1) u Good static analysis = –Precise enough (for the client) –Efficient enough u Good static analysis –Good domain »Abstract non-important details »Represent relevant concrete information »Precise and efficient abstract meaning of abstract interpreters »Efficient join implementation »Small height or widening

33 33 Conclusions(2) u The Theory of Static Analysis is well founded –Abstraction –Soundness –Chaotic iterations –Elimination methods –Modular methods u Weak Parts –Transformations –Predictable approximations –System

Download ppt "1 Tentative Schedule u Today: Theory of abstract interpretation u May 5 Procedures u May 15, 14-16 Orna Grumberg 14-16 309 u May 12 Yom Hatzamaut u May."

Similar presentations

Abstract Interpretation Part II

Abstract Interpretation Part II
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Tutorial on Widening (and Narrowing) Hongseok Yang Seoul National University.

Tutorial on Widening (and Narrowing) Hongseok Yang Seoul National University.
Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.

Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program.

1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Data Flow Analysis 1 15-411 Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.

Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 2.5.

Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University Textbook Chapter 2.5.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Data Flow Analysis 4 15-411 Compiler Design Nov. 8, 2005.

Data Flow Analysis Compiler Design Nov. 8, 2005.

Similar presentations

Ads by Google