Slide 1: Theory of Static Program Analysis
Mooly Sagiv
Textbook: Principles of Program Analysis, Chapter 4, Appendix A; CC79, CC92
Slide 2: Content
Mathematical Background
Chaotic Iterations
Examples
Soundness, Precision and more examples next week
Slide 3: Mathematical Background
Declaratively define:
The result of the analysis
The exact solution
Allow comparison
Slide 4: Posets
A partial ordering is a binary relation $\sqsubseteq : L \times L \to \{false, true\}$
For all $l \in L$: $l \sqsubseteq l$ (Reflexive)
For all $l_1, l_2, l_3 \in L$: $l_1 \sqsubseteq l_2,\ l_2 \sqsubseteq l_3 \Rightarrow l_1 \sqsubseteq l_3$ (Transitive)
For all $l_1, l_2 \in L$: $l_1 \sqsubseteq l_2,\ l_2 \sqsubseteq l_1 \Rightarrow l_1 = l_2$ (Anti-Symmetric)
Denoted by $(L, \sqsubseteq)$
In program analysis, $l_1 \sqsubseteq l_2$ means that $l_1$ is more precise than $l_2$: $l_1$ represents fewer concrete states than $l_2$
Examples:
Total orders $(\mathbb{N}, \leq)$
Powersets $(P(S), \subseteq)$
Powersets $(P(S), \supseteq)$
Even/Odd
Constant propagation
Slide 5: Posets
More notations:
$l_1 \sqsupseteq l_2 \equiv l_2 \sqsubseteq l_1$
$l_1 \sqsubset l_2 \equiv l_1 \sqsubseteq l_2 \wedge l_1 \neq l_2$
$l_1 \sqsupset l_2 \equiv l_2 \sqsubset l_1$
Slide 6: Upper and Lower Bounds
Consider a poset $(L, \sqsubseteq)$
A subset $L' \subseteq L$ has a lower bound $l \in L$ if for all $l' \in L'$: $l \sqsubseteq l'$
A subset $L' \subseteq L$ has an upper bound $u \in L$ if for all $l' \in L'$: $l' \sqsubseteq u$
A greatest lower bound of a subset $L' \subseteq L$ is a lower bound $l_0 \in L$ such that $l \sqsubseteq l_0$ for any lower bound $l$ of $L'$
A least upper bound of a subset $L' \subseteq L$ is an upper bound $u_0 \in L$ such that $u_0 \sqsubseteq u$ for any upper bound $u$ of $L'$
For every subset $L' \subseteq L$:
The greatest lower bound of $L'$ is unique if it exists at all: $\sqcap L'$ (meet), written $a \sqcap b$ for two elements
The least upper bound of $L'$ is unique if it exists at all: $\sqcup L'$ (join), written $a \sqcup b$ for two elements
Slide 7: Complete Lattices
A poset $(L, \sqsubseteq)$ is a complete lattice if every subset has a least upper bound and a greatest lower bound
$L = (L, \sqsubseteq) = (L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$
$\bot = \sqcup \emptyset = \sqcap L$
$\top = \sqcap \emptyset = \sqcup L$
Examples:
Total orders $(\mathbb{N}, \leq)$
Powersets $(P(S), \subseteq)$
Powersets $(P(S), \supseteq)$
Constant propagation
Slide 8: Complete Lattices
Lemma: For every poset $(L, \sqsubseteq)$ the following conditions are equivalent:
$L$ is a complete lattice
Every subset of $L$ has a least upper bound
Every subset of $L$ has a greatest lower bound
Slide 9: Cartesian Products
A complete lattice $(L_1, \sqsubseteq_1) = (L_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$
A complete lattice $(L_2, \sqsubseteq_2) = (L_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$
Define a poset $L = (L_1 \times L_2, \sqsubseteq)$ where $(x_1, x_2) \sqsubseteq (y_1, y_2)$ if $x_1 \sqsubseteq_1 y_1$ and $x_2 \sqsubseteq_2 y_2$
$L$ is a complete lattice
Slide 10: Finite Maps
A complete lattice $(L_1, \sqsubseteq_1) = (L_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$
A finite set $V$
Define a poset $L = (V \to L_1, \sqsubseteq)$ where $e_1 \sqsubseteq e_2$ if for all $v \in V$: $e_1\, v \sqsubseteq_1 e_2\, v$
$L$ is a complete lattice
Slide 11: Chains
A subset $Y \subseteq L$ in a poset $(L, \sqsubseteq)$ is a chain if every two elements in $Y$ are ordered:
For all $l_1, l_2 \in Y$: $l_1 \sqsubseteq l_2$ or $l_2 \sqsubseteq l_1$
An ascending chain is a sequence of values $l_1 \sqsubseteq l_2 \sqsubseteq l_3 \sqsubseteq \ldots$
A strictly ascending chain is a sequence of values $l_1 \sqsubset l_2 \sqsubset l_3 \sqsubset \ldots$
A descending chain is a sequence of values $l_1 \sqsupseteq l_2 \sqsupseteq l_3 \sqsupseteq \ldots$
A strictly descending chain is a sequence of values $l_1 \sqsupset l_2 \sqsupset l_3 \sqsupset \ldots$
$L$ has finite height if every chain in $L$ is finite
Lemma: A poset $(L, \sqsubseteq)$ has finite height if and only if every strictly decreasing chain and every strictly increasing chain is finite
Slide 12: Monotone Functions
A poset $(L, \sqsubseteq)$
A function $f: L \to L$ is monotone if for every $l_1, l_2 \in L$: $l_1 \sqsubseteq l_2 \Rightarrow f(l_1) \sqsubseteq f(l_2)$
Slide 13: Fixed Points
A monotone function $f: L \to L$ where $(L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ is a complete lattice
$Fix(f) = \{ l : l \in L,\ f(l) = l \}$
$Red(f) = \{ l : l \in L,\ f(l) \sqsubseteq l \}$
$Ext(f) = \{ l : l \in L,\ l \sqsubseteq f(l) \}$
$l_1 \sqsubseteq l_2 \Rightarrow f(l_1) \sqsubseteq f(l_2)$
Tarski's Theorem 1955: if $f$ is monotone then:
$lfp(f) = \sqcap Fix(f) = \sqcap Red(f) \in Fix(f)$
$gfp(f) = \sqcup Fix(f) = \sqcup Ext(f) \in Fix(f)$
[Figure: the iterates $f(\bot), f^2(\bot), \ldots$ rising towards $lfp(f)$ and $f(\top), f^2(\top), \ldots$ descending towards $gfp(f)$, with the regions $Ext(f)$, $Fix(f)$ and $Red(f)$ marked]
Slide 14: Special Case: Finite Height
A monotone function $f: L \to L$ where $(L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ is a complete lattice
$L$ does not include infinite ascending chains
x := ⊥
while changes do
    x := f(x)
Slide 15: Chaotic Iterations
A lattice $L = (L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ with finite strictly increasing chains
$L^n = L \times L \times \ldots \times L$
A monotone function $f: L^n \to L^n$
Compute $lfp(f)$: the simultaneous least fixed point of the system $\{ x[i] = f_i(x) : 1 \leq i \leq n \}$
Naive iteration:
x := (⊥, ⊥, …, ⊥)
while (f(x) ≠ x) do x := f(x)
Chaotic iteration:
for i := 1 to n do x[i] := ⊥
WL := {1, 2, …, n}
while (WL ≠ ∅) do
    select and remove an element i ∈ WL
    new := f_i(x)
    if (new ≠ x[i]) then
        x[i] := new;
        add all the indexes that directly depend on i to WL
Slide 16: Specialized Chaotic Iterations: System of Equations
$S = \{\ dfentry[s] = \iota,\ \ dfentry[v] = \sqcup \{ f(u, v)(dfentry[u]) \mid (u, v) \in E \}\ \}$ (where $\iota$ is the initial value for the entry node $s$)
$F_S : L^n \to L^n$, $F_S(X)[s] = \iota$, $F_S(X)[v] = \sqcup \{ f(u, v)(X[u]) \mid (u, v) \in E \}$
$lfp(S) = lfp(F_S)$
Slide 17: Example: Constant Propagation
CFG with nodes 1, 2, 3: the edge 1 → 2 is labelled x := 3 (edge function $\lambda e.\, e[x \mapsto 3]$), the self-loop 2 → 2 is labelled skip ($\lambda e.\, e$), and the edge 2 → 3 is labelled skip ($\lambda e.\, e$)
$DF(1) = [x \mapsto 0]$
$DF(2) = DF(1)[x \mapsto 3] \sqcup DF(2)$
$DF(3) = DF(2)$
Values shown on the slide:
DF[1] | DF[2] | DF[3]
[x↦0] | [x↦3] | [x↦3]
[x↦0] | [x↦?] | [x↦?]
[x↦7] | [x↦9] | [x↦7]
[x↦?] | [x↦3] | [x↦3]
Slide 18: Specialized Chaotic Iterations
Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L)) {
    for each v in V do dfentry[v] := ⊥
    dfentry[s] := ι
    WL := {s}
    while (WL ≠ ∅) do
        select and remove an element u ∈ WL
        for each edge e = (u, v) ∈ E do
            temp := f(e)(dfentry[u])
            new := dfentry[v] ⊔ temp
            if (new ≠ dfentry[v]) then
                dfentry[v] := new;
                WL := WL ∪ {v}
}
Slide 19: Iterative Approximation
[CFG figure with nodes 1 to 7 and edge labels z := 3, z <= 0, z > 0, x == 1, x != 1, y := 7, y := z + 4, assert y == 7; the value [x↦?, y↦?, z↦3] is annotated on the figure]
N | Value | WL
1 | [x↦?, y↦?, z↦?] | {2, 3, 4, 5, 6, 7}
2 | [x↦?, y↦?, z↦3] | {3, 4, 5, 6, 7}
3 | [x↦?, y↦?, z↦3] | {4, 5, 6, 7}
4 | [x↦1, y↦7, z↦3] | {5, 6, 7}
5 | [x↦?, y↦7, z↦3] | {6, 7}
6 | [x↦?, y↦7, z↦3] | {7}
Slide 20: Example
z = 3
x = 1
while (x > 0)
    if (x = 1) then y = 7 else y = z + 4
    x = 3
print y
Edge functions (one per CFG edge; nodes 1 to 8):
$\lambda e.\, e[z \mapsto 3]$
$\lambda e.\, e[x \mapsto 1]$
$\lambda e.\ \text{if } e\,x > 0 \text{ then } e \text{ else } \bot$
$\lambda e.\ \text{if } e\,x \leq 0 \text{ then } e \text{ else } \bot$
$\lambda e.\, e \sqcap [x \mapsto 1, y \mapsto \top, z \mapsto \top]$
$\lambda e.\ \text{if } e\,x \ [\text{comparison lost}]\ 0 \text{ then } e \text{ else } \bot$
$\lambda e.\, e[y \mapsto 7]$
$\lambda e.\, e[y \mapsto e(z) + 4]$
$\lambda e.\, e[x \mapsto 3]$
$\lambda e.\, e$
Worklist trace, starting from dfentry[1] = [x↦0, y↦0, z↦0]:
WL | dfentry[v]
{1} |
{2} | df[2] := [x↦0, y↦0, z↦3]
{3} | df[3] := [x↦1, y↦0, z↦3]
{4} | df[4] := [x↦1, y↦0, z↦3]
{5} | df[5] := [x↦1, y↦0, z↦3]
{7} | df[7] := [x↦1, y↦7, z↦3]
{8} | df[8] := [x↦3, y↦7, z↦3]
{3} | df[3] := [x↦⊤, y↦⊤, z↦3]
{4} | df[4] := [x↦⊤, y↦⊤, z↦3]
{5, 6} | df[5] := [x↦1, y↦⊤, z↦3]
{6, 7} | df[6] := [x↦⊤, y↦⊤, z↦3]
{7} | df[7] := [x↦⊤, y↦7, z↦3]
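As an added example (not from the slides), the specialized chaotic iteration of slide 18 run on the slide 20 program in Python, so the worklist trace above can be reproduced; it assumes the encoding "?" for ⊤ and None for ⊥, the slide's node numbering, a FIFO worklist, and the initial environment [x↦0, y↦0, z↦0].

```python
from collections import deque
TOP, BOT = "?", None  # constructed encoding: "?" is the unknown constant (top), None is unreachable (bottom)
def join_val(a, b):
    # Join in the flat constant lattice: bottom is the identity, two different constants give top
    if a is BOT: return b
    if b is BOT: return a
    return a if a == b else TOP
def join(e1, e2):
    # Pointwise join of two abstract environments (the finite-map lattice Var -> L1 of slide 10)
    if e1 is BOT: return e2
    if e2 is BOT: return e1
    return {v: join_val(e1[v], e2[v]) for v in e1}
def assign(var, expr):
    # Edge function for "var := expr"; expr maps an environment to a constant or TOP
    return lambda e: BOT if e is BOT else {**e, var: expr(e)}
def assume(var, pred, refine_to=None):
    # Edge function for a branch test on var: an environment that cannot pass the test becomes
    # bottom; var is refined to the one value the test forces when such a value is given (x == 1)
    def f(e):
        if e is BOT or (e[var] != TOP and not pred(e[var])): return BOT
        return e if refine_to is None else {**e, var: refine_to}
    return f
def chaotic(nodes, edges, s, iota):
    # Specialized chaotic iteration (slide 18): dfentry[v] is the join over all incoming edges
    df = {v: BOT for v in nodes}
    df[s] = iota
    wl = deque([s])
    while wl:
        u = wl.popleft()
        for (a, b), fn in edges:
            if a != u: continue
            new = join(df[b], fn(df[u]))
            if new != df[b]:  # only a changed node goes back on the worklist
                df[b] = new
                wl.append(b)
    return df

# CFG of the slide 20 program, numbered as on the slide (constructed here):
# z = 3; x = 1; while (x > 0) { if (x = 1) y = 7 else y = z + 4; x = 3 }
EDGES = [((1, 2), assign("z", lambda e: 3)), ((2, 3), assign("x", lambda e: 1)),
         ((3, 4), assume("x", lambda v: v > 0)), ((4, 5), assume("x", lambda v: v == 1, 1)),
         ((4, 6), assume("x", lambda v: v != 1)), ((5, 7), assign("y", lambda e: 7)),
         ((6, 7), assign("y", lambda e: TOP if e["z"] == TOP else e["z"] + 4)),
         ((7, 8), assign("x", lambda e: 3)), ((8, 3), lambda e: e)]

def analyse():  # start from the slide's initial environment [x -> 0, y -> 0, z -> 0]
    return chaotic(range(1, 9), EDGES, 1, {"x": 0, "y": 0, "z": 0})
```

analyse()[7] gives {x: "?", y: 7, z: 3}: y is a constant at the join point even though x is not, exactly the last row of the trace.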
Slide 21: Complexity of Chaotic Iterations
Parameters:
n, the number of CFG nodes
k, the maximum outdegree of edges
h, the height of the lattice
c, the maximum cost of applying f(e), $\sqcup$, and $\sqsubseteq$ comparisons
Complexity: O(n * h * c * k)
Slide 22: Soundness
Every detected constant is indeed such
Every error will be detected
The least fixed point represents all occurring runtime states
Slide 23: Completeness
Every constant is indeed detected as such
Every detected error is real
Every state represented by the least fixed point is reachable for some input
Slide 24: The Abstract Interpretation Technique (Cousot & Cousot)
The foundation of program analysis
Defines the meaning of the information computed by static tools
A mathematical framework
Allows proving that an analysis is sound in a local way
Identify design bugs
Understand where precision is lost
New analyses from old
Not limited to a particular programming style
Slide 25: Abstract (Conservative) Interpretation
[Diagram: the operational semantics of statement s maps a set of states to a set of states; abstraction maps each set of states to an abstract representation; the abstract semantics of s maps the abstract representation of the input to an abstract representation of the output]
Slide 26: Abstract (Conservative) Interpretation
[Diagram: the same square read through concretization: the abstract representations before and after the abstract semantics of s are concretized to sets of states, and compared with the operational semantics of s on sets of states]
Slide 27: Abstract Interpretation
[Diagram: Concrete: sets of stores; Abstract: descriptors of sets of stores]
Slide 28: Galois Connections
Lattices $C$ and $A$ and functions $\alpha: C \to A$ and $\gamma: A \to C$
The pair of functions $(\alpha, \gamma)$ forms a Galois connection if:
$\alpha$ and $\gamma$ are monotone
$\forall a \in A:\ \alpha(\gamma(a)) \sqsubseteq a$
$\forall c \in C:\ c \sqsubseteq \gamma(\alpha(c))$
Alternatively, if:
$\forall c \in C,\ \forall a \in A:\ \alpha(c) \sqsubseteq a \text{ iff } c \sqsubseteq \gamma(a)$
$\alpha$ and $\gamma$ uniquely determine each other
Slide 29: The Abstraction Function (CP)
Map collecting states into constants
The abstraction of an individual state:
$\beta_{CP}: [Var^* \to \mathbb{Z}] \to [Var^* \to \mathbb{Z} \cup \{\bot, \top\}]$
$\beta_{CP}(\sigma) = \sigma$
The abstraction of a set of states:
$\alpha_{CP}: P([Var^* \to \mathbb{Z}]) \to [Var^* \to \mathbb{Z} \cup \{\bot, \top\}]$
$\alpha_{CP}(CS) = \sqcup \{ \beta_{CP}(\sigma) \mid \sigma \in CS \} = \sqcup \{ \sigma \mid \sigma \in CS \}$
Soundness: $\alpha_{CP}(Reach(v)) \sqsubseteq df(v)$
Completeness
Slide 30: The Concretization Function
Map constants into collecting states
The formal meaning of constants
The concretization:
$\gamma_{CP}: [Var^* \to \mathbb{Z} \cup \{\bot, \top\}] \to P([Var^* \to \mathbb{Z}])$
$\gamma_{CP}(df) = \{ \sigma \mid \beta_{CP}(\sigma) \sqsubseteq df \} = \{ \sigma \mid \sigma \sqsubseteq df \}$
Soundness: $Reach(v) \subseteq \gamma_{CP}(df(v))$
Completeness
Slide 31: Galois Connection: Constant Propagation
$\alpha_{CP}$ is monotone
$\gamma_{CP}$ is monotone
$\forall df \in [Var^* \to \mathbb{Z} \cup \{\bot, \top\}]:\ \alpha_{CP}(\gamma_{CP}(df)) \sqsubseteq df$
$\forall c \in P([Var^* \to \mathbb{Z}]):\ c \subseteq \gamma_{CP}(\alpha_{CP}(c))$
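An added example (not from the slides) that makes the $\alpha_{CP}$ / $\gamma_{CP}$ pair of slides 29 to 31 concrete in Python: abstraction of a set of states, membership in the concretization, the ordering on abstract states, and a check of the Galois condition on the collecting states of slide 35. It assumes the encoding "?" for $\top$, and since $\gamma_{CP}(df)$ is infinite it evaluates $\alpha(\gamma(df))$ over a finite window of integers.

```python
from itertools import product
TOP = "?"  # constructed encoding of the unknown-constant element; bottom is not needed for non-empty sets

def alpha(states):
    # alpha_CP of a set of concrete states (slide 29): the pointwise join, i.e. the common constant
    # where all states agree and TOP where they disagree; None stands for bottom on the empty set
    states = list(states)
    if not states: return None
    return {v: (states[0][v] if all(s[v] == states[0][v] for s in states) else TOP)
            for v in states[0]}

def in_gamma(sigma, df):
    # Membership test for gamma_CP(df) (slide 30): gamma(df) is infinite as soon as one variable
    # is TOP, so it is represented as a predicate on concrete states rather than enumerated
    return all(df[v] == TOP or sigma[v] == df[v] for v in df)

def leq(df1, df2):
    # The ordering on abstract states: pointwise, with every constant below TOP
    return all(df2[v] == TOP or df1[v] == df2[v] for v in df1)

def galois_condition(states, df):
    # The defining property of a Galois connection: alpha(c) <= a  iff  c is a subset of gamma(a)
    return leq(alpha(states), df) == all(in_gamma(s, df) for s in states)

def alpha_of_gamma(df, window=range(0, 8)):
    # alpha(gamma(df)) computed over a finite window of Z that contains the constants of df
    # (an assumption made for the demo); with two or more values in the window the result is df
    names = list(df)
    sample = [dict(zip(names, vals)) for vals in product(window, repeat=len(names))]
    return alpha([s for s in sample if in_gamma(s, df)])

# Collecting states from slide 35 at the point after the if-statement (constructed sample)
STATES = [{"x": 1, "y": 7, "z": 3}, {"x": 3, "y": 7, "z": 3}]

def demo():
    df = alpha(STATES)                                   # [x -> ?, y -> 7, z -> 3]
    extensive = all(in_gamma(s, df) for s in STATES)     # c is a subset of gamma(alpha(c))
    reductive = leq(alpha_of_gamma(df), df)              # alpha(gamma(df)) <= df
    candidates = [df, {"x": 1, "y": 7, "z": 3}, {"x": TOP, "y": TOP, "z": TOP}]
    return df, extensive, reductive, all(galois_condition(STATES, a) for a in candidates)
```

The second candidate shows the iff in its negative form: alpha(STATES) is not below [x↦1, y↦7, z↦3] and, correspondingly, the state with x = 3 lies outside its concretization.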
Slide 32: Upper Closures
Define abstractions on sets of concrete states
$\rho: P(\Sigma) \to P(\Sigma)$ such that
$\rho$ is monotone, i.e., $X \subseteq Y \Rightarrow \rho X \subseteq \rho Y$
$\rho$ is extensive, i.e., $X \subseteq \rho X$
$\rho$ is a closure, i.e., $\rho(\rho X) = \rho X$
Every Galois connection defines an upper closure
Slide 33: Proof of Soundness
Define an "appropriate" operational semantics
Define "collecting" structural operational semantics
Establish a Galois connection between collecting states and abstract states
(Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
(Global correctness) Conclude that the analysis is sound
Slide 34: Collecting Semantics
The input state is not known at compile-time
"Collect" all the states for all possible inputs to the program
No loss of precision
Slide 35: A Simple Example Program
z = 3
x = 1
while (x > 0) (
    if (x = 1) then y = 7 else y = z + 4
    x = 3
    print y
)
Sets of collecting states annotated on the slide:
{[x↦0, y↦0, z↦0]}
{[x↦1, y↦0, z↦3]}
{[x↦1, y↦0, z↦3], [x↦3, y↦0, z↦3]}
{[x↦0, y↦0, z↦3]}
{[x↦1, y↦7, z↦3], [x↦3, y↦7, z↦3]}
{[x↦1, y↦7, z↦3], [x↦3, y↦7, z↦3]}
{[x↦3, y↦7, z↦3]}
{[x↦3, y↦7, z↦3]}
Slide 36: Another Example
x = 0
while (true) do
    x = x + 1
Slide 37: An "Iterative" Definition
Generate a system of monotone equations
The least solution is well-defined
The least solution is the collecting interpretation
But may not be computable
Slide 38: Equations Generated for Collecting Interpretation
Equations for elementary statements:
$[skip]^l$: $CS_{exit}(l) = CS_{entry}(l)$
$[b]^l$: $CS_{exit}(l) = \{ \sigma : \sigma \in CS_{entry}(l),\ \llbracket b \rrbracket \sigma = tt \}$
$[x := a]^l$: $CS_{exit}(l) = \{ s[x \mapsto \mathcal{A}\llbracket a \rrbracket s] \mid s \in CS_{entry}(l) \}$
Equations for control flow constructs:
$CS_{entry}(l) = \bigcup \{ CS_{exit}(l') \mid l' \text{ immediately precedes } l \text{ in the control flow graph} \}$
An equation for the entry:
$CS_{entry}(1) = \{ \sigma \mid \sigma \in Var^* \to \mathbb{Z} \}$
Slide 39: Specialized Chaotic Iterations: System of Equations (Collecting Semantics)
$S = \{\ CS_{entry}[s] = \{\sigma_0\},\ \ CS_{entry}[v] = \bigcup \{ f(e)(CS_{entry}[u]) \mid e = (u, v) \in E \}\ \}$
where $f(e) = \lambda X.\ \{ \llbracket st(e) \rrbracket \sigma \mid \sigma \in X \}$ for atomic statements, and $f(e) = \lambda X.\ \{ \sigma \in X \mid \llbracket b(e) \rrbracket \sigma = tt \}$ for branch conditions
$F_S: L^n \to L^n$, $F_S(X)[v] = \bigcup \{ f(e)(X[u]) \mid e = (u, v) \in E \}$
$lfp(S) = lfp(F_S)$
Slide 40: The Least Solution
$2n$ sets of equations: $CS_{entry}(1), \ldots, CS_{entry}(n), CS_{exit}(1), \ldots, CS_{exit}(n)$
Can be written in vectorial form
The least solution $lfp(F_{CS})$ is well-defined
Every component is minimal
Since $F_{CS}$ is monotone such a solution always exists
$CS_{entry}(v) = \{ s \mid \exists s_0:\ \langle P, s_0 \rangle \to^* (S', s),\ init(S') = v \}$
Simplify the soundness criteria
Slide 43
[Figure: the concrete iteration $f(\bot), f^2(\bot), \ldots$ rising towards $lfp(f)$ and $f(\top), f^2(\top), \ldots$ descending towards $gfp(f)$, with the regions $f(x) = x$, $f(x) \sqsubseteq x$ and $x \sqsubseteq f(x)$ marked; beside it the abstract iteration $f^\#(\bot), f^{\#2}(\bot), \ldots$ up to $lfp(f^\#)$ and $f^\#(\top), f^{\#2}(\top), \ldots$ down to $gfp(f^\#)$ with the regions $f^\#(y) = y$, $f^\#(y) \sqsubseteq y$ and $y \sqsubseteq f^\#(y)$; the two are related by the local soundness condition $\forall a:\ f(\gamma(a)) \sqsubseteq \gamma(f^\#(a))$]
Slide 44: Finite Height Case
[Figure: repeated applications of $f^\#$ from $\bot$ reach $lfp(f^\#)$ after finitely many steps, while repeated applications of $f$ reach $lfp(f)$; $\alpha$ relates the two chains]
Slide 45: Soundness Theorem (2)
Let $(\alpha, \gamma)$ form a Galois connection from $C$ to $A$, $f: C \to C$ be a monotone function, $f^\#: A \to A$ be a monotone function, and $\forall c \in C:\ \alpha(f(c)) \sqsubseteq f^\#(\alpha(c))$. Then:
$\alpha(lfp(f)) \sqsubseteq lfp(f^\#)$
$lfp(f) \sqsubseteq \gamma(lfp(f^\#))$
Slide 46: Soundness Theorem (3)
Let $(\alpha, \gamma)$ form a Galois connection from $C$ to $A$, $f: C \to C$ be a monotone function, $f^\#: A \to A$ be a monotone function, and $\forall a \in A:\ \alpha(f(\gamma(a))) \sqsubseteq f^\#(a)$. Then:
$\alpha(lfp(f)) \sqsubseteq lfp(f^\#)$
$lfp(f) \sqsubseteq \gamma(lfp(f^\#))$
Slide 47: Proof of Soundness (Summary)
Define an "appropriate" structural operational semantics
Define "collecting" structural operational semantics
Establish a Galois connection between collecting states and reaching definitions
(Local correctness) Show that the abstract interpretation of every atomic statement is sound w.r.t. the collecting semantics
(Global correctness) Conclude that the analysis is sound
Slide 48: Completeness
$\alpha(lfp(f)) = lfp(f^\#)$
$lfp(f) = \gamma(lfp(f^\#))$
Slide 49: Constant Propagation
$\beta: [Var \to \mathbb{Z}] \to [Var \to \mathbb{Z} \cup \{\bot, \top\}]$, $\beta(\sigma) = \sigma$
$\alpha: P([Var \to \mathbb{Z}]) \to [Var \to \mathbb{Z} \cup \{\bot, \top\}]$, $\alpha(X) = \sqcup \{ \beta(\sigma) \mid \sigma \in X \} = \sqcup \{ \sigma \mid \sigma \in X \}$
$\gamma: [Var \to \mathbb{Z} \cup \{\bot, \top\}] \to P([Var \to \mathbb{Z}])$, $\gamma(\sigma^\#) = \{ \sigma \mid \beta(\sigma) \sqsubseteq \sigma^\# \} = \{ \sigma \mid \sigma \sqsubseteq \sigma^\# \}$
Local Soundness: $\llbracket st \rrbracket^\#(\sigma^\#) \sqsupseteq \alpha(\{ \llbracket st \rrbracket \sigma \mid \sigma \in \gamma(\sigma^\#) \}) = \sqcup \{ \llbracket st \rrbracket \sigma \mid \sigma \sqsubseteq \sigma^\# \}$
Optimality (Induced): $\llbracket st \rrbracket^\#(\sigma^\#) = \alpha(\{ \llbracket st \rrbracket \sigma \mid \sigma \in \gamma(\sigma^\#) \}) = \sqcup \{ \llbracket st \rrbracket \sigma \mid \sigma \sqsubseteq \sigma^\# \}$
Soundness
Completeness
Slide 50: Summary
Abstract interpretation connects abstract and concrete semantics:
Galois Connection
Local Correctness
Global Correctness
Slide 51: Conclusions
Chaotic iteration is a powerful technique
Easy to implement
Rather precise
But expensive
More efficient methods exist for structured programs