Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 10: Abstract Interpretation II Roman Manevich Ben-Gurion University.

Published byJuniper Amos Page Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 10: Abstract Interpretation II Roman Manevich Ben-Gurion University."— Presentation transcript:

1 Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 10: Abstract Interpretation II Roman Manevich Ben-Gurion University

2 Syllabus Semantics Natural Semantics Structural semantics Axiomatic Verification Static Analysis Automating Hoare Logic Control Flow Graphs Equation Systems Collecting Semantics Abstract Interpretation fundamentals LatticesFixed-Points Iterative Solvers Galois Connections Widening/ Narrowing Domain constructors Interprocedural Analysis Analysis Techniques Numerical Domains CEGARAlias analysis Shape Analysis Crafting your own Soot From proofs to abstractions Systematically developing transformers 2

3 Previously Semantic domains – Preorders – Partial orders (posets) – Pointed posets – Ascending/descending chains – The height of a poset – Join and Meet operators – Complete lattices Lattice constructors – Powerset lattice – Cartesian product – Disjunctive completion – Relational product – Finite maps 3

4 Abstract domain types 4

5 A taxonomy of semantic domain types 5 Complete Lattice (D, , , , ,  ) Lattice (D, , , , ,  ) Join semilattice (D, , ,  ) Meet semilattice (D, , ,  ) Join/Meet exist for every subset of D Join/Meet exist for every finite subset of D (alternatively, binary join/meet) Join of the empty set Meet of the empty set Complete partial order (CPO) (D, ,  ) Partial order (poset) (D,  ) Preorder (D,  ) reflexive transitive anti-symmetric: d  d’ and d’  d implies d = d’ reflexive: d  d transitive: d  d’, d’  d’’ implies d  d’’ poset with LUB for all ascending chains

6 Agenda Solving monotone equation systems Fixed-points Vanilla static analysis algorithm Chaotic iteration Implementing abstract interpretation for Java programs 6

7 Abstract semantics 7

8 Abstract interpretation via abstraction 8 set of states collecting semantics statement S abstract representation of sets of states  abstract representation of sets of states abstract semantics statement S abstract representation of sets of states abstraction {P}{P}S{Q}{Q}sp(S, P)  generalizes axiomatic verification

9 Abstract interpretation via concretization 9 set of states collecting semantics statement S set of states  abstract representation of sets of states abstract semantics statement S abstract representation of sets of states concretization {P}{P}S{Q}{Q} models(P)  S  models(P)models(Q) 

10 Missing knowledge Abstract semantics Connection between collecting semantics and abstract semantics Algorithm to compute abstract semantics 10

11 Static analysis Given a system of equations for the collecting semantics A static analysis solves a corresponding system of equations over an abstract domain Questions: – What is the relation between the solutions? Next lecture – How do you solve the second system? This lecture 11 R[0] = { x  Z} // established input R[1] = R[0]  R[4] R[2] =  assume x>0  R[1] R[3] =  assume x  0  R[1] R[4] =  x:=x-1  R[2] R[0] # = { x  Z} # R[1] # = R[0]  R[4] R[2] # =  assume x>0  # R[1] R[3] # =  assume x  0  # R[1] R[4] # =  x:=x-1  # R[2]

12 Solving equation systems 12

13 Equation systems in general Let L be a complete lattice (D, , , , ,  ) Let R be a vector of analysis variables R[0, …, n]  D  …  D Let F be a vector of functions of the type F[i] : R[0, …, n]  R[i] A system of equations R[0] = F[0](R[0], …, R[n]) … R[n] = F[n](R[0], …, R[n]) In vector notation R = F(R) Questions: 1.Does a solution always exist? 2.If so, is it unique? 3.If so, is it computable? 13 For R[i]=F[i] R Usually F[i] reads only a small subset of R – D[i]. We say that R[i] depends on D[i] R[0] = { x  Z} // established input R[1] = R[0]  R[4] R[2] =  assume x>0  R[1] R[3] =  assume x  0  R[1] R[4] =  x:=x-1  R[2]

14 Equation systems in general Let L be a complete lattice (D, , , , ,  ) Let R be a vector of analysis variables R[0, …, n]  D  …  D Let F be a vector of functions of the type F[i] : R[0, …, n]  R[i] A system of equations R[0] = F[0](R[0], …, R[n]) … R[n] = F[n](R[0], …, R[n]) In vector notation R = F(R) Questions: 1.Does a solution always exist? 2.If so, is it unique? 3.If so, is it computable? 14 If it does – it is a fixed point of this equation

15 Monotone systems 15

16 Monotone functions Let L 1 =(D 1,  ) and L 2 =(D 2,  ) be two posets A function f : D 1  D 2 is monotone if for every pair x, y  D 1 x  y implies f(x)  f(y) A special case: L 1 =L 2 =(D,  ) f : D  D 16

17 Monotone function 17 f 1 x  L1L1 L2L2 2 y 3 f(x)f(x) 4 f(y)f(y)  f

18 Important cases of monotonicity Join: f(X, Y) = X  Y is monotone in each operand – Prove it! Set lifting function: for a set X and any function g F(X) = { g(x) | x  X } is monotone w.r.t.  – Prove it! Notice that the collecting semantics function is defined in terms of – Join (set union) – Semantic function for atomic statements lifted to sets of states Conclusion: collecting semantics function is monotone 18

19 Fixed points 19

20 Extensive/reductive functions Let L=(D,  ) be a poset A function f : D  D is extensive if for every x  D, we have that x  f(x) A function f : D  D is reductive if for every x  D, we have that x  f(x) 20

21 Fixed points L = (D, , , , ,  ) f : D  D monotone Fix(f) = { d | f(d) = d } Red(f) = { d | f(d)  d } Ext(f) = { d | d  f(d) } Theorem [Tarski 1955] – lfp(f) =  Fix(f) =  Red(f)  Fix(f) – gfp(f) =  Fix(f) =  Ext(f)  Fix(f) 21 Red(f) Ext(f) Fix(f)   lfp gfp fn()fn() 1.Does a solution always exist? Yes 2.If so, is it unique? No, but it has least/greatest solutions 3.If so, is it computable? Under some conditions…

22 Fixed point example R[0] = { x  Z} // established input R[1] = R[0]  R[4] R[2] =  assume x>0  R[1] R[3] =  assume x  0  R[1] R[4] =  x:=x-1  R[2] 22 if x>0 x := x-1 1 2 entry exit xZxZ xZxZ { x  0}{ x  0} 4 if x>0 x := x-1 1 2 entry exit xZxZ xZxZ { x  0}{ x  0} 4 { x >0} F(d) : Fixed point = d 0 3 0 3 { x> 0}

23 Pre-fixed point example 23 if x>0 x := x-1 entry exit xZxZ xZxZ { x <-5} if x>0 x := x-1 entry exit xZxZ xZxZ { x  0} F(d) : pre-fixed point  d 1 2 0 3 1 2 0 3 { x  0} { x> 0} { x  0} { x >0} R[0] = { x  Z} // established input R[1] = R[0]  R[4] R[2] =  assume x>0  R[1] R[3] =  assume x  0  R[1] R[4] =  x:=x-1  R[2] 44

24 Post-fixed point example 24 if x>0 x := x-1 entry exit xZxZ xZxZ { x <9} if x>0 x := x-1 entry exit xZxZ xZxZ { x  0} F(d) : post-fixed point  d 1 2 0 3 1 2 0 3 { x  0} { x >0} { x  0} R[0] = { x  Z} // established input R[1] = R[0]  R[4] R[2] =  assume x>0  R[1] R[3] =  assume x  0  R[1] R[4] =  x:=x-1  R[2] 44

25 Recap A system of equations of the form R=F(R) where R draws its elements from a complete lattice L = (D, , , , ,  ) Tarski’s fixed point theorem ensures us that there exists a least fixed point: lfp(f) =  Fix(f) However, it is not an algorithm since D is often infinite – And intractable when D is finite but large enough We need a more effective way of computing lfp(f) 25

26 Computing the least Fixed point 26

27 Continuous functions Let L = (D, ,  ) be a complete partial order – Every ascending chain has an upper bound A function f is continuous if for every increasing chain Y  D*, f(  Y) =  { f(y) | y  Y } Lemma: if f is continuous then f is monotone Proof: assume x  y Therefore x  y=y Then f(y) = f(x  y) = f(x)  f(y), which means f(x)  f(y) 27

28 Kleene’s fixed point theorem Let L = (D, ,  ) be a complete partial order and f: D  D be a continuous function then lfp(f) =  n  N f n (  ) That is, take the ascending chain   f(  )  f(f(  ))  …  f n (  )  … and return the supremum – Why is this an ascending chain? But how do you know whether a function f is continuous 28

29 Continuity and ACC condition Let L = (D, ,  ) be a complete partial order – Every ascending chain has an upper bound L satisfies the ascending chain condition (ACC) if every ascending chain eventually stabilizes: d 0  d 1  …  d n = d n+1 = d n+2 = … Lemma: Monotone function on a poset satisfying ACC is continuous Proof: We need to show that f(  Y) =  { f(y) | y  Y } 1.Every ascending chain Y eventually stabilizes d 0  d 1  …  d n = d n+1 = … hence d n is the least upper bound of {d 0, d 1, …, d n }, thus f(  Y) = f(d n ) 2.From monotonicity of f we get that f(d 0 )  f(d 1 )  …  f(d n ) = f(d n+1 ) = … Hence f(d n ) is the least upper bound of {f(d 0 ), f(d 1 ), …, f(d n )}, thus  { f(y) | y  Y } = f(d n ) 29

30 Resulting algorithm Kleene’s fixed point theorem gives a constructive method for computing lfp(f) over a poset with ACC when f is monotone 30   lfp fn()fn() f()f() f2()f2() … d :=  while f(d)  d do d := f(d) return d Algorithm lfp(f) =  n  N f n (  ) Mathematical definition

31 A generic static analysis algorithm How is it different than the one we derived from Hoare logic and restricting the set of assertions? – Agnostic to the programming language – Agnostic to the representation of the assertions: abstract elements – Guaranteed precision (more on this later) – Clear requirements on set of abstract elements 31

32 Vanilla algorithm: vector iteration Problem Definition: 1.Lattice of properties L of finite height (ACC) 2.For each statement define a monotone transformer Preparation: 1.Parse program into AST 2.Lower AST to TAC 3.Convert TAC into CFG 4.Generate system of equations from CFG Analysis: 1.Initialize each analysis variable with  2.Update all analysis variables of each equation until reaching a fixed point 32 Non-incremental. Most variables don’t change.

33 Chaotic iteration 33

34 Chaotic iteration 34 Input: – A cpo L = (D, , ,  ) satisfying ACC – L n = L  L  …  L – A monotone function f : D n  D n – A system of equations { X[i] | f(X) | 1  i  n } Output: lfp(f) A worklist-based algorithm for i:=1 to n do X[i] :=  WL = {1,…,n} while WL   do j := pop WL // choose index non-deterministically N := F[j](X) if N  X[j] then X[j] := N add all the indexes that directly depend on j to WL (X[q] depends on X[j] if F[q] contains X[j]) return X

35 Chaotic iteration for static analysis Specialize chaotic iteration for programs Create a CFG for program Choose a cpo of properties for the static analysis to infer: L = (D, ,  ) Define variables R[0,…,n] for input/output of each CFG node such that R[i]  D For each node v let v out be the variable at the output of that node: v out = F[v](  u | (u,v) is a CFG edge) – Make sure each F[v] is monotone Variable dependence determined by outgoing edges in CFG 35

36 Static analysis example: constant propagation 36

37 Constant propagation example 37 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit x := 4; while (y  5) do z := x; x := 4

38 Constant propagation lattice For each variable x define L as For a set of program variables Var=x 1,…,x n L n = L  L  …  L 38  0-212...  no information yet not-a-constant

39 Write down variables 39 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit x := 4; while (y  5) do z := x; x := 4

40 Write down equations 40 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R2R2 R3R3 R4R4 R6R6 R1R1 R5R5 R0R0 x := 4; while (y  5) do z := x; x := 4

41 Collecting semantics equations 41 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R2R2 R3R3 R4R4 R6R6 R 0 = State R 1 =  x:=4  R 0 R 2 = R 1  R 5 R 3 =  assume y  5  R 2 R 4 =  z:=x  R 3 R 5 =  x:=4  R 4 R 6 =  assume y=5  R 2 R1R1 R5R5 R0R0

42 Constant propagation equations 42 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R2R2 R3R3 R4R4 R6R6 R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R1R1 R5R5 R0R0 abstract transformer

43 Abstract operations for CP 43 R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 Lattice elements have the form: (v x, v y, v z )  x:=4  # (v x,v y,v z ) = (4, v y, v z )  z:=x  # (v x,v y,v z ) = (v x, v y, v x )  assume y  5  # (v x,v y,v z ) = (v x, v y, v z )  assume y=5  # (v x,v y,v z ) = if v y = k  5 then ( , ,  ) else (v x, 5, v z ) R 1  R 5 = (a 1, b 1, c 1 )  (a 5, b 5, c 5 ) = (a 1  a 5, b 1  b 5, c 1  c 5 )  0-212...  CP lattice for a single variable

44 Chaotic iteration for CP: initialization 44 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =( , ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =( , ,  ) R 5 =( , ,  ) R 0 =( , ,  ) WL = {R 0, R 1, R 2, R 3, R 4, R 5, R 6 }

45 Chaotic iteration for CP: initialization 45 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =( , ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =( , ,  ) R 5 =( , ,  ) WL = {R 1, R 2, R 3, R 4, R 5, R 6 } R 0 =( , ,  )

46 Chaotic iteration for CP: initialization 46 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =( , ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =( , ,  ) R 5 =( , ,  ) R 0 =( , ,  ) WL = {R 1, R 2, R 3, R 4, R 5, R 6 }

47 Chaotic iteration for CP 47 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =( , ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =( , ,  ) R 5 =( , ,  ) R 0 =( , ,  ) WL = {R 2, R 3, R 4, R 5, R 6 }

48 Chaotic iteration for CP 48 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =( , ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =(4, ,  ) R 5 =( , ,  ) R 0 =( , ,  ) WL = {R 2, R 3, R 4, R 5, R 6 }

49 Chaotic iteration for CP 49 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =( , ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =(4, ,  ) R 5 =( , ,  ) R 0 =( , ,  )  0-212...  3 4 WL = {R 3, R 4, R 5, R 6 }

50 Chaotic iteration for CP 50 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =(4, ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =(4, ,  ) R 5 =( , ,  ) R 0 =( , ,  )  0-212...  3 4 WL = {R 3, R 4, R 5, R 6 }

51 Chaotic iteration for CP 51 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R 2 =(4, ,  ) R2R2 R2R2 R 3 =( , ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 1 =(4, ,  ) R 5 =( , ,  ) R 0 =( , ,  ) WL = {R 4, R 5, R 6 }

52 Chaotic iteration for CP 52 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 3 =(4, ,  ) R 4 =( , ,  ) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 5 =( , ,  ) R 1 =(4, ,  ) R 0 =( , ,  ) R 2 =(4, ,  ) WL = {R 5, R 6 }

53 Chaotic iteration for CP 53 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 3 =(4, ,  ) R 4 =(4, , 4) R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 5 =( , ,  ) R 1 =(4, ,  ) R 0 =( , ,  ) R 2 =(4, ,  ) WL = {R 6 }

54 Chaotic iteration for CP 54 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 6 =( , ,  ) R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 R 5 =(4, , 4) R 4 =(4, , 4) R 3 =(4, ,  ) R 1 =(4, ,  ) R 0 =( , ,  ) R 2 =(4, ,  ) WL = {R 6 }

55 Chaotic iteration for CP 55 R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 6 =( , ,  ) R 5 =(4, , 4) R 4 =(4, , 4) R 3 =(4, ,  ) R 1 =(4, ,  ) R 0 =( , ,  ) R 2 =(4, ,  ) WL = {}

56 Chaotic iteration for CP – fixed point 56 R 0 =  R 1 =  x:=4  # R 0 R 2 = R 1  R 5 R 3 =  assume y  5  # R 2 R 4 =  z:=x  # R 3 R 5 =  x:=4  # R 4 R 6 =  assume y=5  # R 2 x := 4 if (*) assume y  5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 6 =(4, 5,  ) R 5 =(4, , 4) R 4 =(4, , 4) R 3 =(4, ,  ) R 1 =(4, ,  ) R 0 =( , ,  ) R 2 =(4, ,  ) WL = {} In practice maintain a worklist of nodes

57 Complexity of chaotic iteration Parameters: – n : number of CFG nodes – k: maximum in-degree of edges – h: height of lattice L – c: maximum cost of Applying F v  Checking fixed-point condition for lattice L Complexity: O(n  h  c  k) Incremental (worklist) algorithm reduces the n factor – Implement worklist by priority queue and order nodes by reversed topological order 57

58 implementation 58

59 Software package: paver152 Built on top of the Soot compiler framework for Java Download from web-site – Includes all necessary Soot jar files 59

60 60 Infrastructure for implementing static analysis Example analyses Soot-specific utilities Domain constructors Fixed point solvers Example Java programs

61 Existing analyses 61

62 Soot: a Java Optimization Framework Developed at McGill university (Canada) – http://www.sable.mcgill.ca/soot/ http://www.sable.mcgill.ca/soot/ Supports several input languages – Java source code – Java bytecode – Dalvik bytecode (Android) Dalvik bytecode – Jimple intermediate language Supported output languages – Java bytecode – Dalvik bytecode (Android) – Jimple intermediate language Support several intermediate languages – Jimple – what we will be using – Shimple – Baf – Grimp Supports static analysis: CFG, pointer-analysis, etc. Eclipse plug-in (useful for giving demos and teaching) 62

63 Soot documentation and resources Soot survivor’s guide Soot tutorials Soot API Eric Bodden’s blog – Running Soot: http://www.bodden.de/2008/08/21/soot-command-line/ http://www.bodden.de/2008/08/21/soot-command-line/ 63

64 Jimple synopsis TAC for Java: 15 statement types Core (intra-procedural) statements – NopStmt – IdentityStmt ( r0 := @this: Foo; i0 := @parameter0: int; ) – AssignStmt ( $r1 = new Foo; ) Intra-procedural control-flow statements – IfStmt – GotoStmt – TableSwitchStmt (JVM tableSwitch instruction) – LookupSwithcStmt (JVM lookupswitch instruction) Inter-procedural control-flow statements – InvokeStmt – ReturnStmt – ReturnVoidStmt Monitor statements – EnterMonitorStmt – ExitMonitorStmt Exceptions – ThrowStmt – RetStmt 64

65 Jimple expressions 65

66 Java source 66

67 Running Soot – command line 67

68 Running Soot – output files 68 output.jimple files go in “sootOutput”

69 Jimple code 69 (default) static class initializer Local Local s IdentityStmt IdentityStmt s

70 Setting up for development 1.Set up Java 2.Set up Soot 3.Set up abstract interpretation package 70

71 Setting up Java Make sure you have version 1.7 If you want to operate from command line make sure you have jdk 1.7 – Set environment variable JAVA_HOME to point to your jdk installation path 71

72 Example inputs Store input files in a separate directory than the ones you use for implementing the analyses (otherwise, front-end breaks) 72

73 Static analysis package Implements – Conversion of procedures to equation systems – Abstract domain implementations Some examples: variable equalities (VE), constant propagation (CP), simple linear relations (lin), … – Chaotic iterations Includes debugging information – Domain combinators: Cartesian, Disjunctive completion, and Relational – Code for displaying analysis results 73

74 Running the VE analysis Example: variable equalities 74

75 Running the VE analysis 75 Adds the analysis to Soot’s list of intra- procedural analyses 1.Creates the equation system 2.Runs chaotic iteration 3.Attaches results as StringTag s StringTag

76 Running the VE analysis Command-line options: -cp. : adds the current directory to Soot’s CLASSPATH -pp : adds Java’s CLASSPATH to Soot’s CLASSPATH -f jimple : outputs jimple code -p jb use-original-names : keeps local variables names as they are -p jb.ls enabled:false : disables local splitter to reduce number of local variables -keep-line-number : writes source code line numbers in the resulting jimple code -print-tags : writes out tags for each jimple statement (analysis results) TestClass : specifies the class to analyze 76 Enable assertions Which directory to run in

77 Debug printout 1/2 77

78 Debug printout 2/2 78

79 Analysis results inlined into.jimple 79

80 Next lecture: abstract interpretation III

81 Implementing abstract domains 81

82 Variable equalities analysis 82

83 Major classes 83 Variable per CFG node Converts CFG to equation system An equation per CFG edge and join point A system of equations Chaotic iteration algorithm to compute fixed point A transformer for assume statements A transformer non-assume statements Combines all sub-algorithms to get entire static analysis

Download ppt "Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 10: Abstract Interpretation II Roman Manevich Ben-Gurion University."

Similar presentations

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
A Deeper Look at Data-flow Analysis Copyright 2011, Keith D. Cooper & Linda Torczon, all rights reserved. Students enrolled in Comp 512 at Rice University.

A Deeper Look at Data-flow Analysis Copyright 2011, Keith D. Cooper & Linda Torczon, all rights reserved. Students enrolled in Comp 512 at Rice University.
Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.

Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
CSE 231 : Advanced Compilers Building Program Analyzers.

CSE 231 : Advanced Compilers Building Program Analyzers.
Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.

Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.
Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.

Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.
1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program.

1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Data Flow Analysis 2 15-411 Compiler Design Nov. 3, 2005.

Data Flow Analysis Compiler Design Nov. 3, 2005.
From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.

From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Data Flow Analysis 1 15-411 Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.

Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.
Administrative stuff Office hours: After class on Tuesday.

Administrative stuff Office hours: After class on Tuesday.
Data Flow Analysis 4 15-411 Compiler Design Nov. 8, 2005.

Data Flow Analysis Compiler Design Nov. 8, 2005.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs, Data-flow Analysis Data-flow Frameworks --- today’s.

Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs, Data-flow Analysis Data-flow Frameworks --- today’s.
San Diego October 4-7, 2006 Over 1,000 women in computing Events for undergraduates considering careers and graduate school Events for graduate students.

San Diego October 4-7, 2006 Over 1,000 women in computing Events for undergraduates considering careers and graduate school Events for graduate students.
Recap: Reaching defns algorithm From last time: reaching defns worklist algo We want to avoid using structure of the domain outside of the flow functions.

Recap: Reaching defns algorithm From last time: reaching defns worklist algo We want to avoid using structure of the domain outside of the flow functions.

Similar presentations

Ads by Google