Download presentation
Presentation is loading. Please wait.
Published byJuniper Amos Page Modified over 9 years ago
1
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 10: Abstract Interpretation II Roman Manevich Ben-Gurion University
2
Syllabus Semantics Natural Semantics Structural semantics Axiomatic Verification Static Analysis Automating Hoare Logic Control Flow Graphs Equation Systems Collecting Semantics Abstract Interpretation fundamentals LatticesFixed-Points Iterative Solvers Galois Connections Widening/ Narrowing Domain constructors Interprocedural Analysis Analysis Techniques Numerical Domains CEGARAlias analysis Shape Analysis Crafting your own Soot From proofs to abstractions Systematically developing transformers 2
3
Previously Semantic domains – Preorders – Partial orders (posets) – Pointed posets – Ascending/descending chains – The height of a poset – Join and Meet operators – Complete lattices Lattice constructors – Powerset lattice – Cartesian product – Disjunctive completion – Relational product – Finite maps 3
4
Abstract domain types 4
5
A taxonomy of semantic domain types 5 Complete Lattice (D, , , , , ) Lattice (D, , , , , ) Join semilattice (D, , , ) Meet semilattice (D, , , ) Join/Meet exist for every subset of D Join/Meet exist for every finite subset of D (alternatively, binary join/meet) Join of the empty set Meet of the empty set Complete partial order (CPO) (D, , ) Partial order (poset) (D, ) Preorder (D, ) reflexive transitive anti-symmetric: d d’ and d’ d implies d = d’ reflexive: d d transitive: d d’, d’ d’’ implies d d’’ poset with LUB for all ascending chains
6
Agenda Solving monotone equation systems Fixed-points Vanilla static analysis algorithm Chaotic iteration Implementing abstract interpretation for Java programs 6
7
Abstract semantics 7
8
Abstract interpretation via abstraction 8 set of states collecting semantics statement S abstract representation of sets of states abstract representation of sets of states abstract semantics statement S abstract representation of sets of states abstraction {P}{P}S{Q}{Q}sp(S, P) generalizes axiomatic verification
9
Abstract interpretation via concretization 9 set of states collecting semantics statement S set of states abstract representation of sets of states abstract semantics statement S abstract representation of sets of states concretization {P}{P}S{Q}{Q} models(P) S models(P)models(Q)
10
Missing knowledge Abstract semantics Connection between collecting semantics and abstract semantics Algorithm to compute abstract semantics 10
11
Static analysis Given a system of equations for the collecting semantics A static analysis solves a corresponding system of equations over an abstract domain Questions: – What is the relation between the solutions? Next lecture – How do you solve the second system? This lecture 11 R[0] = { x Z} // established input R[1] = R[0] R[4] R[2] = assume x>0 R[1] R[3] = assume x 0 R[1] R[4] = x:=x-1 R[2] R[0] # = { x Z} # R[1] # = R[0] R[4] R[2] # = assume x>0 # R[1] R[3] # = assume x 0 # R[1] R[4] # = x:=x-1 # R[2]
12
Solving equation systems 12
13
Equation systems in general Let L be a complete lattice (D, , , , , ) Let R be a vector of analysis variables R[0, …, n] D … D Let F be a vector of functions of the type F[i] : R[0, …, n] R[i] A system of equations R[0] = F[0](R[0], …, R[n]) … R[n] = F[n](R[0], …, R[n]) In vector notation R = F(R) Questions: 1.Does a solution always exist? 2.If so, is it unique? 3.If so, is it computable? 13 For R[i]=F[i] R Usually F[i] reads only a small subset of R – D[i]. We say that R[i] depends on D[i] R[0] = { x Z} // established input R[1] = R[0] R[4] R[2] = assume x>0 R[1] R[3] = assume x 0 R[1] R[4] = x:=x-1 R[2]
14
Equation systems in general Let L be a complete lattice (D, , , , , ) Let R be a vector of analysis variables R[0, …, n] D … D Let F be a vector of functions of the type F[i] : R[0, …, n] R[i] A system of equations R[0] = F[0](R[0], …, R[n]) … R[n] = F[n](R[0], …, R[n]) In vector notation R = F(R) Questions: 1.Does a solution always exist? 2.If so, is it unique? 3.If so, is it computable? 14 If it does – it is a fixed point of this equation
15
Monotone systems 15
16
Monotone functions Let L 1 =(D 1, ) and L 2 =(D 2, ) be two posets A function f : D 1 D 2 is monotone if for every pair x, y D 1 x y implies f(x) f(y) A special case: L 1 =L 2 =(D, ) f : D D 16
17
Monotone function 17 f 1 x L1L1 L2L2 2 y 3 f(x)f(x) 4 f(y)f(y) f
18
Important cases of monotonicity Join: f(X, Y) = X Y is monotone in each operand – Prove it! Set lifting function: for a set X and any function g F(X) = { g(x) | x X } is monotone w.r.t. – Prove it! Notice that the collecting semantics function is defined in terms of – Join (set union) – Semantic function for atomic statements lifted to sets of states Conclusion: collecting semantics function is monotone 18
19
Fixed points 19
20
Extensive/reductive functions Let L=(D, ) be a poset A function f : D D is extensive if for every x D, we have that x f(x) A function f : D D is reductive if for every x D, we have that x f(x) 20
21
Fixed points L = (D, , , , , ) f : D D monotone Fix(f) = { d | f(d) = d } Red(f) = { d | f(d) d } Ext(f) = { d | d f(d) } Theorem [Tarski 1955] – lfp(f) = Fix(f) = Red(f) Fix(f) – gfp(f) = Fix(f) = Ext(f) Fix(f) 21 Red(f) Ext(f) Fix(f) lfp gfp fn()fn() 1.Does a solution always exist? Yes 2.If so, is it unique? No, but it has least/greatest solutions 3.If so, is it computable? Under some conditions…
22
Fixed point example R[0] = { x Z} // established input R[1] = R[0] R[4] R[2] = assume x>0 R[1] R[3] = assume x 0 R[1] R[4] = x:=x-1 R[2] 22 if x>0 x := x-1 1 2 entry exit xZxZ xZxZ { x 0}{ x 0} 4 if x>0 x := x-1 1 2 entry exit xZxZ xZxZ { x 0}{ x 0} 4 { x >0} F(d) : Fixed point = d 0 3 0 3 { x> 0}
23
Pre-fixed point example 23 if x>0 x := x-1 entry exit xZxZ xZxZ { x <-5} if x>0 x := x-1 entry exit xZxZ xZxZ { x 0} F(d) : pre-fixed point d 1 2 0 3 1 2 0 3 { x 0} { x> 0} { x 0} { x >0} R[0] = { x Z} // established input R[1] = R[0] R[4] R[2] = assume x>0 R[1] R[3] = assume x 0 R[1] R[4] = x:=x-1 R[2] 44
24
Post-fixed point example 24 if x>0 x := x-1 entry exit xZxZ xZxZ { x <9} if x>0 x := x-1 entry exit xZxZ xZxZ { x 0} F(d) : post-fixed point d 1 2 0 3 1 2 0 3 { x 0} { x >0} { x 0} R[0] = { x Z} // established input R[1] = R[0] R[4] R[2] = assume x>0 R[1] R[3] = assume x 0 R[1] R[4] = x:=x-1 R[2] 44
25
Recap A system of equations of the form R=F(R) where R draws its elements from a complete lattice L = (D, , , , , ) Tarski’s fixed point theorem ensures us that there exists a least fixed point: lfp(f) = Fix(f) However, it is not an algorithm since D is often infinite – And intractable when D is finite but large enough We need a more effective way of computing lfp(f) 25
26
Computing the least Fixed point 26
27
Continuous functions Let L = (D, , ) be a complete partial order – Every ascending chain has an upper bound A function f is continuous if for every increasing chain Y D*, f( Y) = { f(y) | y Y } Lemma: if f is continuous then f is monotone Proof: assume x y Therefore x y=y Then f(y) = f(x y) = f(x) f(y), which means f(x) f(y) 27
28
Kleene’s fixed point theorem Let L = (D, , ) be a complete partial order and f: D D be a continuous function then lfp(f) = n N f n ( ) That is, take the ascending chain f( ) f(f( )) … f n ( ) … and return the supremum – Why is this an ascending chain? But how do you know whether a function f is continuous 28
29
Continuity and ACC condition Let L = (D, , ) be a complete partial order – Every ascending chain has an upper bound L satisfies the ascending chain condition (ACC) if every ascending chain eventually stabilizes: d 0 d 1 … d n = d n+1 = d n+2 = … Lemma: Monotone function on a poset satisfying ACC is continuous Proof: We need to show that f( Y) = { f(y) | y Y } 1.Every ascending chain Y eventually stabilizes d 0 d 1 … d n = d n+1 = … hence d n is the least upper bound of {d 0, d 1, …, d n }, thus f( Y) = f(d n ) 2.From monotonicity of f we get that f(d 0 ) f(d 1 ) … f(d n ) = f(d n+1 ) = … Hence f(d n ) is the least upper bound of {f(d 0 ), f(d 1 ), …, f(d n )}, thus { f(y) | y Y } = f(d n ) 29
30
Resulting algorithm Kleene’s fixed point theorem gives a constructive method for computing lfp(f) over a poset with ACC when f is monotone 30 lfp fn()fn() f()f() f2()f2() … d := while f(d) d do d := f(d) return d Algorithm lfp(f) = n N f n ( ) Mathematical definition
31
A generic static analysis algorithm How is it different than the one we derived from Hoare logic and restricting the set of assertions? – Agnostic to the programming language – Agnostic to the representation of the assertions: abstract elements – Guaranteed precision (more on this later) – Clear requirements on set of abstract elements 31
32
Vanilla algorithm: vector iteration Problem Definition: 1.Lattice of properties L of finite height (ACC) 2.For each statement define a monotone transformer Preparation: 1.Parse program into AST 2.Lower AST to TAC 3.Convert TAC into CFG 4.Generate system of equations from CFG Analysis: 1.Initialize each analysis variable with 2.Update all analysis variables of each equation until reaching a fixed point 32 Non-incremental. Most variables don’t change.
33
Chaotic iteration 33
34
Chaotic iteration 34 Input: – A cpo L = (D, , , ) satisfying ACC – L n = L L … L – A monotone function f : D n D n – A system of equations { X[i] | f(X) | 1 i n } Output: lfp(f) A worklist-based algorithm for i:=1 to n do X[i] := WL = {1,…,n} while WL do j := pop WL // choose index non-deterministically N := F[j](X) if N X[j] then X[j] := N add all the indexes that directly depend on j to WL (X[q] depends on X[j] if F[q] contains X[j]) return X
35
Chaotic iteration for static analysis Specialize chaotic iteration for programs Create a CFG for program Choose a cpo of properties for the static analysis to infer: L = (D, , ) Define variables R[0,…,n] for input/output of each CFG node such that R[i] D For each node v let v out be the variable at the output of that node: v out = F[v]( u | (u,v) is a CFG edge) – Make sure each F[v] is monotone Variable dependence determined by outgoing edges in CFG 35
36
Static analysis example: constant propagation 36
37
Constant propagation example 37 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit x := 4; while (y 5) do z := x; x := 4
38
Constant propagation lattice For each variable x define L as For a set of program variables Var=x 1,…,x n L n = L L … L 38 0-212... no information yet not-a-constant
39
Write down variables 39 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit x := 4; while (y 5) do z := x; x := 4
40
Write down equations 40 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R2R2 R3R3 R4R4 R6R6 R1R1 R5R5 R0R0 x := 4; while (y 5) do z := x; x := 4
41
Collecting semantics equations 41 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R2R2 R3R3 R4R4 R6R6 R 0 = State R 1 = x:=4 R 0 R 2 = R 1 R 5 R 3 = assume y 5 R 2 R 4 = z:=x R 3 R 5 = x:=4 R 4 R 6 = assume y=5 R 2 R1R1 R5R5 R0R0
42
Constant propagation equations 42 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R2R2 R3R3 R4R4 R6R6 R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R1R1 R5R5 R0R0 abstract transformer
43
Abstract operations for CP 43 R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 Lattice elements have the form: (v x, v y, v z ) x:=4 # (v x,v y,v z ) = (4, v y, v z ) z:=x # (v x,v y,v z ) = (v x, v y, v x ) assume y 5 # (v x,v y,v z ) = (v x, v y, v z ) assume y=5 # (v x,v y,v z ) = if v y = k 5 then ( , , ) else (v x, 5, v z ) R 1 R 5 = (a 1, b 1, c 1 ) (a 5, b 5, c 5 ) = (a 1 a 5, b 1 b 5, c 1 c 5 ) 0-212... CP lattice for a single variable
44
Chaotic iteration for CP: initialization 44 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =( , , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =( , , ) R 5 =( , , ) R 0 =( , , ) WL = {R 0, R 1, R 2, R 3, R 4, R 5, R 6 }
45
Chaotic iteration for CP: initialization 45 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =( , , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =( , , ) R 5 =( , , ) WL = {R 1, R 2, R 3, R 4, R 5, R 6 } R 0 =( , , )
46
Chaotic iteration for CP: initialization 46 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =( , , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =( , , ) R 5 =( , , ) R 0 =( , , ) WL = {R 1, R 2, R 3, R 4, R 5, R 6 }
47
Chaotic iteration for CP 47 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =( , , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =( , , ) R 5 =( , , ) R 0 =( , , ) WL = {R 2, R 3, R 4, R 5, R 6 }
48
Chaotic iteration for CP 48 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =( , , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =(4, , ) R 5 =( , , ) R 0 =( , , ) WL = {R 2, R 3, R 4, R 5, R 6 }
49
Chaotic iteration for CP 49 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =( , , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =(4, , ) R 5 =( , , ) R 0 =( , , ) 0-212... 3 4 WL = {R 3, R 4, R 5, R 6 }
50
Chaotic iteration for CP 50 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =(4, , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =(4, , ) R 5 =( , , ) R 0 =( , , ) 0-212... 3 4 WL = {R 3, R 4, R 5, R 6 }
51
Chaotic iteration for CP 51 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R 2 =(4, , ) R2R2 R2R2 R 3 =( , , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 1 =(4, , ) R 5 =( , , ) R 0 =( , , ) WL = {R 4, R 5, R 6 }
52
Chaotic iteration for CP 52 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 3 =(4, , ) R 4 =( , , ) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 5 =( , , ) R 1 =(4, , ) R 0 =( , , ) R 2 =(4, , ) WL = {R 5, R 6 }
53
Chaotic iteration for CP 53 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 3 =(4, , ) R 4 =(4, , 4) R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 5 =( , , ) R 1 =(4, , ) R 0 =( , , ) R 2 =(4, , ) WL = {R 6 }
54
Chaotic iteration for CP 54 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 6 =( , , ) R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 R 5 =(4, , 4) R 4 =(4, , 4) R 3 =(4, , ) R 1 =(4, , ) R 0 =( , , ) R 2 =(4, , ) WL = {R 6 }
55
Chaotic iteration for CP 55 R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 6 =( , , ) R 5 =(4, , 4) R 4 =(4, , 4) R 3 =(4, , ) R 1 =(4, , ) R 0 =( , , ) R 2 =(4, , ) WL = {}
56
Chaotic iteration for CP – fixed point 56 R 0 = R 1 = x:=4 # R 0 R 2 = R 1 R 5 R 3 = assume y 5 # R 2 R 4 = z:=x # R 3 R 5 = x:=4 # R 4 R 6 = assume y=5 # R 2 x := 4 if (*) assume y 5 assume y=5 z := x x := 4 entry exit R2R2 R2R2 R 6 =(4, 5, ) R 5 =(4, , 4) R 4 =(4, , 4) R 3 =(4, , ) R 1 =(4, , ) R 0 =( , , ) R 2 =(4, , ) WL = {} In practice maintain a worklist of nodes
57
Complexity of chaotic iteration Parameters: – n : number of CFG nodes – k: maximum in-degree of edges – h: height of lattice L – c: maximum cost of Applying F v Checking fixed-point condition for lattice L Complexity: O(n h c k) Incremental (worklist) algorithm reduces the n factor – Implement worklist by priority queue and order nodes by reversed topological order 57
58
implementation 58
59
Software package: paver152 Built on top of the Soot compiler framework for Java Download from web-site – Includes all necessary Soot jar files 59
60
60 Infrastructure for implementing static analysis Example analyses Soot-specific utilities Domain constructors Fixed point solvers Example Java programs
61
Existing analyses 61
62
Soot: a Java Optimization Framework Developed at McGill university (Canada) – http://www.sable.mcgill.ca/soot/ http://www.sable.mcgill.ca/soot/ Supports several input languages – Java source code – Java bytecode – Dalvik bytecode (Android) Dalvik bytecode – Jimple intermediate language Supported output languages – Java bytecode – Dalvik bytecode (Android) – Jimple intermediate language Support several intermediate languages – Jimple – what we will be using – Shimple – Baf – Grimp Supports static analysis: CFG, pointer-analysis, etc. Eclipse plug-in (useful for giving demos and teaching) 62
63
Soot documentation and resources Soot survivor’s guide Soot tutorials Soot API Eric Bodden’s blog – Running Soot: http://www.bodden.de/2008/08/21/soot-command-line/ http://www.bodden.de/2008/08/21/soot-command-line/ 63
64
Jimple synopsis TAC for Java: 15 statement types Core (intra-procedural) statements – NopStmt – IdentityStmt ( r0 := @this: Foo; i0 := @parameter0: int; ) – AssignStmt ( $r1 = new Foo; ) Intra-procedural control-flow statements – IfStmt – GotoStmt – TableSwitchStmt (JVM tableSwitch instruction) – LookupSwithcStmt (JVM lookupswitch instruction) Inter-procedural control-flow statements – InvokeStmt – ReturnStmt – ReturnVoidStmt Monitor statements – EnterMonitorStmt – ExitMonitorStmt Exceptions – ThrowStmt – RetStmt 64
65
Jimple expressions 65
66
Java source 66
67
Running Soot – command line 67
68
Running Soot – output files 68 output.jimple files go in “sootOutput”
69
Jimple code 69 (default) static class initializer Local Local s IdentityStmt IdentityStmt s
70
Setting up for development 1.Set up Java 2.Set up Soot 3.Set up abstract interpretation package 70
71
Setting up Java Make sure you have version 1.7 If you want to operate from command line make sure you have jdk 1.7 – Set environment variable JAVA_HOME to point to your jdk installation path 71
72
Example inputs Store input files in a separate directory than the ones you use for implementing the analyses (otherwise, front-end breaks) 72
73
Static analysis package Implements – Conversion of procedures to equation systems – Abstract domain implementations Some examples: variable equalities (VE), constant propagation (CP), simple linear relations (lin), … – Chaotic iterations Includes debugging information – Domain combinators: Cartesian, Disjunctive completion, and Relational – Code for displaying analysis results 73
74
Running the VE analysis Example: variable equalities 74
75
Running the VE analysis 75 Adds the analysis to Soot’s list of intra- procedural analyses 1.Creates the equation system 2.Runs chaotic iteration 3.Attaches results as StringTag s StringTag
76
Running the VE analysis Command-line options: -cp. : adds the current directory to Soot’s CLASSPATH -pp : adds Java’s CLASSPATH to Soot’s CLASSPATH -f jimple : outputs jimple code -p jb use-original-names : keeps local variables names as they are -p jb.ls enabled:false : disables local splitter to reduce number of local variables -keep-line-number : writes source code line numbers in the resulting jimple code -print-tags : writes out tags for each jimple statement (analysis results) TestClass : specifies the class to analyze 76 Enable assertions Which directory to run in
77
Debug printout 1/2 77
78
Debug printout 2/2 78
79
Analysis results inlined into.jimple 79
80
Next lecture: abstract interpretation III
81
Implementing abstract domains 81
82
Variable equalities analysis 82
83
Major classes 83 Variable per CFG node Converts CFG to equation system An equation per CFG edge and join point A system of equations Chaotic iteration algorithm to compute fixed point A transformer for assume statements A transformer non-assume statements Combines all sub-algorithms to get entire static analysis
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.