1. 1 Iterative Program Analysis Abstract Interpretation Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa12-13.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4 CC79, CC92

2. Specialized Chaotic Iterations System of Equations S = df entry [s] =  df entry [v] =  {f(u, v) (df entry [u]) | (u, v)  E } F S :L n  L n F S (X)[s] =  F S (X)[v] =  {f(u, v)(X[u]) | (u, v)  E } lfp(S) = lfp(F S )

3. Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: Lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  df[s] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

4. z =3 x =1 while (x>0) if (x=1) y =7y =z+4 x=3 print y  e.e[z  3]  e.e[x  1]  e. if x >0 then e else   e. if e x  0 then e else   e. e  [x  1, y , z  ]  e. if e x  0 then e else   e.e[y  7]  e.e[y  e(z)+4]  e.e[x  3]  e.e  1 2 3 4 5 6 7 8 [x  0, y  0, z  0] WLdf entry ]v] {1} {2} df[2]:=[x  0, y  0, z  3] {3} df[3]:=[x  1, y  0, z  3] {4} df[4]:=[x  1, y  0, z  3] {5} df[5]:=[x  1, y  0, z  3] {7} df[7]:=[x  1, y  7, z  3] {8} df[8]:=[x  3, y  7, z  3] {3} df[3]:=[x , y , z  3] {4} df[4]:=[x , y , z  3] {5,6} df[5]:=[x  1, y , z  3] {6,7} df[6]:=[x , y , z  3] {7} df[7]:=[x , y  7, z  3]

5. The Abstract Interpretation Technique (Cousot & Cousot) u The foundation of program analysis u Defines the meaning of the information computed by static tools u A mathematical framework u Allows proving that an analysis is sound in a local way u Identify design bugs u Understand where precision is lost u New analysis from old u Not limited to certain programming style

6. Abstract (Conservative) interpretation abstract representation Set of states abstraction Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states abstract representation 

7. Abstract (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation concretization Operational semantics statement s Set of states 

8.   Abstract Abstract Interpretation Concrete  Sets of stores Descriptors of sets of stores 

9. Galois Connections u Lattices C and A and functions  : C  A and  : A  C u The pair of functions ( ,  ) form Galois connection if –  and  are monotone –  a  A »  (  (a))  a –  c  C »c   (  (C)) u Alternatively if:  c  C  a  A  (c)  a iff c   (a) u  and  uniquely determine each other

10. The Abstraction Function (CP) u Map collecting states into constants u The abstraction of an individual state  CP :[Var *  Z]  [Var *  Z  { ,  }]  CP (  ) =  u The abstraction of set of states  CP :P([Var *  Z])  [Var *  Z  { ,  }]  CP (CS) =  {  CP (  ) |   CS} =  {  |   CS} u Soundness  CP (Reach (v))  df(v) u Completeness

11. The Concretization Function u Map constants into collecting states u The formal meaning of constants u The concretization  CP : [Var *  Z  { ,  }]  P([Var *  Z])  CP (df) = {  |  CP (  )  df} = {  |   df} u Soundness Reach (v)   CP (df(v)) u Completeness

12. Galois Connection Constant Propagation u  CP is monotone u  CP is monotone u  df  [Var *  Z  { ,  }] –  CP (  CP (df))  df u  c  P([Var *  Z]) –c CP   CP (  CP (C))

13. Upper Closures u Define abstractions on sets of concrete states u  : P(  )  P(  ) such that –  is monotone, i.e., X  Y   X   Y –  is extensive, i.e.,  X  X –  is closure, i.e.,  (  X) =  X u Every Galois connection defines an upper closure

14. Proof of Soundness u Define an “appropriate” operational semantics u Define “collecting” operational semantics by pointwise extension u Establish a Galois connection between collecting states and abstract states u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound

15. Collecting Semantics u The input state is not known at compile-time u “Collect” all the states for all possible inputs to the program u No lost of precision

16. A Simple Example Program z = 3 x = 1 while (x > 0) ( if (x = 1) then y = 7 else y = z + 4 x = 3 print y ) {[x  0, y  0, z  0]} {[x  1, y  0, z  3]} {[x  1, y  0, z  3], [x  3, y  0, z  3],} {[x  0, y  0, z  3]} {[x  1, y  7, z  3], [x  3, y  7, z  3]} {[x  3, y  7, z  3]}

17. Another Example x= 0 while (true) do x = x +1

18. An “Iterative” Definition u Generate a system of monotone equations u The least solution is well-defined u The least solution is the collecting interpretation u But may not be computable

19. Equations Generated for Collecting Interpretation u Equations for elementary statements –[skip] CS exit (1) = CS entry (l) –[b] CS exit (1) = {  :   CS entry (l),  b   =tt} –[x := a] CS exit (1) = { (s[x  A  a  s]) | s  CS entry (l)} u Equations for control flow constructs CS entry (l) =  CS exit (l’) l’ immediately precedes l in the control flow graph u An equation for the entry CS entry (1) = {  |   Var *  Z }

20. Specialized Chaotic Iterations System of Equations (Collecting Semantics) S = CS entry [s] ={  0 } CS entry [v] =  {f(e)(CS entry [u]) | (u, v)  E } where f(e) = X. {  st(e)   |  X} for atomic statements f(e) = X.{  |  b(e)   =tt } F S :L n  L n F s (X)[v] =  {f(e)[u] | (u, v)  E } lfp(S) = lfp(F S )

21. The Least Solution u 2n sets of equations CS entry (1), …, CS entry (n), CS exit (1), …, CS exit (n) u Can be written in vectorial form u The least solution lfp(F cs ) is well-defined u Every component is minimal u Since F cs is monotone such a solution always exists u CS entry (v) = {s|  s 0 |  * (S’, s)), init(S’)=v} u Simplify the soundness criteria

22.   f(  ) f(  ) f2()f2() f2()f2() f(x)=x f(x)  x f(x)  x gfp(f) lfp(f)   f#()f#() f#()f#() f #2 (  ) f #2 (  ) f # (y)=y f # (y)  y f # (y)  y gfp(f # ) lfp(f # )   a: f(  (a))   (f # (a))

23. Finite Height Case  f#f# f#f# Lfp(f # )   f   f f#f# Lfp(f)  f  

24. Soundness Theorem(1) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A: f(  (a))   (f # (a)) lfp(f)   (lfp(f # ))  (lfp(f))  lfp(f # )

25. Soundness Theorem(2) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  c  C:  (f(c))  f # (  (c))  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

26. Soundness Theorem(3) 1. Let ( ,  ) form Galois connection from C to A 2. f: C  C be a monotone function 3. f # : A  A be a monotone function 4.  a  A:  (f(  (a)))  f # (a)  (lfp(f))  lfp(f # ) lfp(f)   (lfp(f # ))

27. Proof of Soundness (Summary) u Define an “appropriate” operational semantics for atomic statements u Define “collecting” operational semantics u Establish a Galois connection between collecting states and abstract domains u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound

28. Completeness  (lfp(f)) = lfp(f # ) lfp(f) =  (lfp(f # ))

29. Constant Propagation u  : [Var  Z]  [Var  Z  { ,  }] –  (  ) = (  ) u  : P([Var  Z])  [Var  Z  { ,  }] –  (X) =  {  (  ) |  X} =  {  |  X} u  :[Var  Z  { ,  }]  P([Var  Z]) –  (  # ) = {  |  (  )   # } = {  |    # } u Local Soundness –   st  # (  # )   ({   st   |    (  # ) =  {   st   |    # } u Optimality (Induced) –   st  # (  # ) =  ({   st   |   (  # )} =  {   st   |    # } u Soundness u Completeness

30. Proof of Soundness (Summary) u Define an “appropriate” structural operational semantics u Define “collecting” structural operational semantics u Establish a Galois connection between collecting states and reaching definitions u (Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics u (Global correctness) Conclude that the analysis is sound

31. Best (Conservative) interpretation abstract representation Set of states concretization Abstract semantics statement s abstract representation abstraction Operational semantics statement s Set of states concretization Set of states 

32. Induced Analysis (Relatively Optimal) u It is sometimes possible to show that a given analysis is not only sound but optimal w.r.t. the chosen abstraction –but not necessarily optimal! u Define  S  # (df) =  ({  S   |    (df)}) u But this  S  # may not be computable u Derive (at compiler-generation time) an alternative form for  S  # u A useful measure to decide if the abstraction must lead to overly imprecise results

33. Example Dataflow Problem u Formal available expression analysis u Find out which expressions are available at a given program point u Example program x = y + t z = y + r while (…) { t = t + (y + r) } u Lattice u Galois connection u Basic statements u Soundness

34. Example: May-Be-Garbage u A variable x may-be-garbage at a program point v if there exists a execution path leading to v in which x’s value is unpredictable: –Was not assigned –Was assigned using an unpredictable expression u Lattice u Galois connection u Basic statements u Soundness

35. Points-To Analysis u Determine if a pointer variable p may point to q on some path leading to a program point u “Adapt” other optimizations –Constant propagation x = 5; *p = 7 ; … x … u Pointer aliases –Variables p and q are may-aliases at v if the points-to set at v contains entries (p, x) and (q, x) u Side-effect analysis *p = *q + * * t

36. The PWhile Programming Language Abstract Syntax a := x | *x | &x | n | a 1 op a a 2 b := true | false | not b | b 1 op b b 2 | a 1 op r a 2 S := x := a | *x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S

37. Concrete Semantics 1 for PWhile For every atomic statement S  S  : States1  States1  x := a  (  )=  [loc(x)  A  a   ]  x := &y  (  )  x := *y  (  )  x := y  (  )  *x := y  (  ) State1= [Loc  Loc  Z]

38. Points-To Analysis u Lattice L pt = u Galois connection

39. Abstract Semantics for PWhile For every atomic statement S  S  # : P(Var*  Var*)  P(Var*  Var*)  x := &y  #  x := *y  #  x := y  #  *x := y  #

40. t := &a; y := &b; z := &c; if x> 0; then p:= &y; else p:= &z; *p := t;

41. /*  */ t := &a; /* {(t, a)}*/ /* {(t, a)}*/ y := &b; /* {(t, a), (y, b) }*/ /* {(t, a), (y, b)}*/ z := &c; /* {(t, a), (y, b), (z, c) }*/ if x> 0; then p:= &y; /* {(t, a), (y, b), (z, c), (p, y)}*/ else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/ *p := t; /* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

42. Flow insensitive points-to-analysis Steengard 1996 u Ignore control flow u One set of points-to per program u Can be represented as a directed graph u Conservative approximation –Accumulate pointers u Can be computed in almost linear time

43. t := &a; y := &b; z := &c; if x> 0; then p:= &y; else p:= &z; *p := t;

44. Precision u We cannot usually have –  (CS) = DF on all programs u But can we say something about precision in all programs? u Precision criteria –Join over all paths –Induced analysis

45. Summary u Abstract interpretation Connects Abstract and Concrete Semantics u Galois Connection u Local Correctness u Global Correctness