1

Iterative Program AnalysisAbstract Interpretation

Mooly Sagivhttp://www.cs.tau.ac.il/~msagiv/courses/pa11.html

Tel Aviv University

640-6706

Textbook: Principles of Program AnalysisChapter 4

CC79, CC92

Outline The abstract interpretation technique

– The main theorem

– Applications

– Precision

– Complexity

– Widening

Later on– Combining Analysis

– Interprocedural Analysis

– Shape Analysis

Soundness Theorem(1)

1. Let (, ) form Galois connection from C to A

2. f: C C be a monotone function

3. f# : A A be a monotone function

4. aA: f((a)) (f#(a))

lfp(f) (lfp(f#))

(lfp(f)) lfp(f#)

Soundness Theorem(2)

1. Let (, ) form Galois connection from C to A

2. f: C C be a monotone function

3. f# : A A be a monotone function

4. cC: (f(c)) f#((c))

(lfp(f)) lfp(f#)

lfp(f) (lfp(f#))

Soundness Theorem(3)

1. Let (, ) form Galois connection from C to A

2. f: C C be a monotone function

3. f# : A A be a monotone function

4. aA: (f((a))) f#(a)

(lfp(f)) lfp(f#)

lfp(f) (lfp(f#))

Completeness

(lfp(f)) = lfp(f#)

lfp(f) = (lfp(f#))

Constant Propagation : [Var Z] [Var Z{, }]

() = () : P([Var Z]) [Var Z{, }]

(X) = {() | X} = { | X} :[Var Z {, }] P([Var Z])

(#) = { | () # } = { | # }

Local Soundness st#(#) ({st | (#) = {st | # }

Optimality (Induced) st#(#) = ({st | (#)} = {st | # }

Soundness Completeness

Example Interval Analysis Find a lower and an upper bound of the value of a

variable Usages? Lattice

L = (Z{-, }Z {-, }, , , , ,)– [a, b] [c, d] if c a and d b– [a, b] [c, d] = [min(a, c), max(b, d)]

– [a, b] [c, d] = [max(a, c), min(b, d)] = =

Domains with Infinite Heights for Integers

y

x

Intervals CC’77: xi b

Octagons SKS’00, Mine’01: xi yi b

Polyhedra Cousot& Halbwachs’78: ai*xi b

Formal available expression Find out which expressions are available at a given

program point Example program

x = y + t //{(y+t)} z = y + r //{(y+t), (y+r)} while (…) { // {(y+t), (y+r)} t = t + (y + r) // {(y+t), (y+r), t + (y +r )} }

Available expression lattice

P(Fexp) X Y X Y X Y = X Y = Fexp =

Available expressions

Computing Fexp for whiles ::= skip { s.Fexp := }s := id = exp { s.Fexp = {exp.rep }s := s ; s { s.Fexp := s[1].Fexp s[2].Fexp }s := while exp do s { s.Fexp := {exp.rep} s[1].Fexp }s := if exp then s else s { s.Fexp := {exp.rep} s[1].Fexp s[2].Fexp }

Instrumented Semantics Available expressions

S Stm : State P(Fexp) State P(Fexp) S id := a (, ae) = ([a a a ], notArg(id, ae {a} ) S skip (, ae) = (, ae)

CS Stm : P(State P(Fexp)) P(State P(Fexp)) CS s (X) ={S s (, ae) | (, ae) X}

Collecting Semantics Example

x = y * z;

if (x == 6)

y = z+ t;

…

if (x == 6)

r = z + t;

Formal Available Expressions Abstraction

: [Var Z] P(Fexp) P(Fexp) (, ae) = (ae)

: P(P([Var Z] P(Fexp)) P(Fexp) (X) = {() | X} = {ae | (, ae) X}

: P(Fexp) P(P([Var Z] P(Fexp)) (ae#) = {(, ae) | (, ae) ae# } = {(, ae) | ae

ae# }

Formal Available Expressions AI

S Stm # : P(Fexp) P(Fexp) S id := a # (ae) = notArg(id, ae {a} ) S skip # (ae) = (ae) Local Soundness

st#(ae#) {(st (, ae)[1] | ae ae# }

Optimality st#(ae#) = ({st (, ae) | (, ae) (#)} = {(st (, ae)[1] | ae

ae# } The initial value at the entry is Example program

x = y + t //{(y+t)} z = y + r //{(y+t), (y+r)} while (…) { // {(y+t), (y+r)} t = t + (y + r) // { (y+r)} }

Soundness and Completeness

Example: May-Be-Garbage A variable x may-be-garbage at a program point v

if there exists a execution path leading to v in which x’s value is unpredictable:– Was not assigned

– Was assigned using an unpredictable expression

Lattice Galois connection Basic statements Soundness

The PWhile Programming Language Abstract Syntax

a := x | *x | &x | n | a1 opa a2

b := true | false | not b | b1 opb b2 | a1 opr a2

S := x := a | *x := a | skip | S1 ; S2 | if b then S1 else S2 | while b do S

Concrete Semantics for PWhile

For every atomic statement S

S : States1 States1

x := a ()=[loc(x) Aa ]

x := &y ()

x := *y ()

x := y ()

*x := y ()

State1= [LocLocZ]

Points-To Analysis Lattice Lpt =

Galois connection Meaning of statements

t := &a; y := &b;

z := &c;

if x> 0 then p:= &y;

else p:= &z;

*p := t;

/* */ t := &a; /* {(t, a)}*/ /* {(t, a)}*/ y := &b; /* {(t, a), (y, b) }*/

/* {(t, a), (y, b)}*/ z := &c; /* {(t, a), (y, b), (z, c) }*/

if x> 0; then p:= &y; /* {(t, a), (y, b), (z, c), (p, y)}*/

else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/

*p := t;

/* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

Abstract Semantics for PWhile

For every atomic statement S

x := a ()

x := &y ()

x := *y ()

x := y ()

*x := y ()

State#= P(Var* Var*)

/* */ t := &a; /* {(t, a)}*/ /* {(t, a)}*/ y := &b; /* {(t, a), (y, b) }*/

/* {(t, a), (y, b)}*/ z := &c; /* {(t, a), (y, b), (z, c) }*/

if x> 0; then p:= &y; /* {(t, a), (y, b), (z, c), (p, y)}*/

else p:= &z; /* {(t, a), (y, b), (z, c), (p, z)}*/ /* {(t, a), (y, b), (z, c), (p, y), (p, z)}*/

*p := t;

/* {(t, a), (y, b), (y, c), (p, y), (p, z), (y, a), (z, a)}*/

Flow insensitive points-to-analysisSteengard 1996

Ignore control flow One set of points-to per program Can be represented as a directed graph Conservative approximation

– Accumulate pointers

Can be computed in almost linear time– Union find

t := &a; y := &b;

z := &c;

if x> 0; then p:= &y;

else p:= &z;

*p := t;

Precision

We cannot usually have (CS) = DF

on all programs

But can we say something about precision in all programs?

The Join-Over-All-Paths (JOP)

Let paths(v) denote the potentially infinite set paths from start to v (written as sequences of edges)

For a sequence of edges [e1, e2, …, en] definef #[e1, e2, …, en]: L L by composing the effects of basic blocksf #[e1, e2, …, en](l) = f#(en) (… (f#(e2) (f

#(e1) (l)) …)

JOP[v] = {f#[e1, e2, …,en]() [e1, e2, …, en] paths(v)}

JOP vs. Least Solution The df solution obtained by Chaotic iteration satisfies for

every v: – JOP[v] df(v)

A function f# is additive (distributive) if – f#({x| x X}) = {f#(x) | X}

If every f# (u,v) is additive (distributive) for all the edges (u,v)

– JOP[v] = df(v)

Examples– Maybe garbage

– Available expressions

– Constant Propagation

– Points-to

Notions of precision

CS = (df) (CS) = df Meet(Join) over all paths Using best transformers Good enough

Complexity of Chaotic Iterations

Usually depends on the height of the lattice In some cases better bound exist A function f is fast if f (f(l)) l f(l) For fast functions the Chaotic iterations can be

implemented in O(nest * |V|) iterations– nest is the number of nested loop

– |V| is the number of control flow nodes

Conclusion

Chaotic iterations is a powerful technique Easy to implement Rather precise But expensive

– More efficient methods exist for structured programs

Abstract interpretation relates runtime semantics and static information

The concrete semantics serves as a tool in designing abstractions– More intuition will be given in the sequel