Program Analysis Systematic Domain Design - PowerPoint PPT Presentation

1
Program Analysis: Systematic Domain Design
  • Mooly Sagiv
  • http://www.math.tau.ac.il/~sagiv/courses/pa01.html
  • Tel Aviv University
  • 640-6706
  • Textbook: Principles of Program Analysis
  • Chapter 4, CC79, CC92

Exercise 2 (homepage 5/5). Next class: 9/5 9:00-12:00? 10/5 10:00-13:00
2
Outline
  • Domains with infinite heights
  • Systematic construction of Galois connection
  • Precision

3
Chaotic Iterations for forward problems
for l ∈ Lab do DFentry(l) := ⊥; DFexit(l) := ⊥
DFentry(init(S)) := ι
WL := Lab
while WL ≠ ∅ do
    Select and remove an arbitrary l ∈ WL
    if (temp ≠ DFexit(l))
        DFexit(l) := temp
        for l' such that (l, l') ∈ flow(S) do
            DFentry(l') := DFentry(l') ⊔ DFexit(l)
            WL := WL ∪ {l'}
4
Widening
  • Accelerate the termination of Chaotic iterations
    by computing a more conservative solution
  • Can handle lattices of infinite heights

5
Chaotic Iterations for forward problems ∇
for l ∈ Lab do DFentry(l) := ⊥; DFexit(l) := ⊥
DFentry(init(S)) := ι
WL := Lab
while WL ≠ ∅ do
    Select and remove an arbitrary l ∈ WL
    if (temp ≠ DFexit(l))
        DFexit(l) := DFexit(l) ∇ temp
        for l' such that (l, l') ∈ flow(S) do
            DFentry(l') := DFentry(l') ⊔ DFexit(l)
            WL := WL ∪ {l'}
6
Example: Interval Analysis
  • Find a lower and an upper bound of the value of a
    variable
  • Usages?
  • Lattice L = ((Z ∪ {-∞, ∞}) × (Z ∪ {-∞, ∞}), ⊑, ⊔, ⊓, ⊥, ⊤)
  • [a, b] ⊑ [c, d] if c ≤ a and d ≥ b
  • [a, b] ⊔ [c, d] = [min(a, c), max(b, d)]
  • [a, b] ⊓ [c, d] = [max(a, c), min(b, d)]
  • ?
  • ?
  • Galois connection

7
Example Program: Interval Analysis
  • [x := 1]^1; while [x ≤ 1000]^2 do [x := x + 1]^3

IntEntry(1) = [minint, maxint]
IntExit(1) = [1, 1]
IntEntry(2) = IntExit(1) ⊔ IntExit(3)
IntExit(2) = IntEntry(2)
IntEntry(3) = IntExit(2) ⊓ [minint, 1000]
IntExit(3) = IntEntry(3) + [1, 1]
IntEntry(4) = IntExit(2) ⊓ [1001, maxint]
IntExit(4) = IntEntry(4)
8
Widening for Interval Analysis
  • ⊥ ∇ [c, d] = [c, d]
  • [a, b] ∇ [c, d] = [if a ≤ c then a else
    if 0 ≤ c then 0 else -∞, if b ≥
    d then b else if d ≤ 0 then 0 else ∞]

9
Example Program: Interval Analysis
  • [x := 1]^1; while [x ≤ 1000]^2 do [x := x + 1]^3

IntEntry(1) = [-∞, ∞]
IntExit(1) = [1, 1]
IntEntry(2) = IntExit(2) ∇ (IntExit(1) ⊔ IntExit(3))
IntExit(2) = IntEntry(2)
IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]
IntExit(3) = IntEntry(3) + [1, 1]
IntEntry(4) = IntExit(2) ⊓ [1001, ∞]
IntExit(4) = IntEntry(4)
10
Requirements on Widening
  • For all elements l1 ⊔ l2 ⊑ l1 ∇ l2
  • For all ascending chains l0 ⊑ l1 ⊑ l2 ⊑ … the
    following sequence is finite
  • y0 = l0
  • y_{i+1} = y_i ∇ l_{i+1}
  • For a monotonic function f: L → L define
  • x0 = ⊥
  • x_{i+1} = x_i ∇ f(x_i)
  • Theorem
  • There exists k such that x_{k+1} = x_k
  • x_k ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l}

11
Narrowing
  • Improve the result of widening
  • y ⊑ x ⇒ y ⊑ (x Δ y) ⊑ x
  • For all decreasing chains x0 ⊒ x1 ⊒ … the
    following sequence is finite
  • y0 = x0
  • y_{i+1} = y_i Δ x_{i+1}
  • For a monotonic function f: L → L and x ∈ Red(f) =
    {l | l ∈ L, f(l) ⊑ l} define
  • y0 = x
  • y_{i+1} = y_i Δ f(y_i)
  • Theorem
  • There exists k such that y_{k+1} = y_k
  • y_k ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l}

12
Narrowing for Interval Analysis
  • [a, b] Δ ⊥ = [a, b]
  • [a, b] Δ [c, d] = [if a = -∞ then
    c else a, if b = ∞ then d else b]

13
Example Program: Interval Analysis
  • [x := 1]^1; while [x ≤ 1000]^2 do [x := x + 1]^3

IntEntry(1) = [-∞, ∞]
IntExit(1) = [1, 1]
IntEntry(2) = IntExit(2) Δ (IntExit(1) ⊔ IntExit(3))
IntExit(2) = IntEntry(2)
IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]
IntExit(3) = IntEntry(3) + [1, 1]
IntEntry(4) = IntExit(2) ⊓ [1001, ∞]
IntExit(4) = IntEntry(4)
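
Added example (not part of the original slides): Python code that solves the loop-head equation of the example program from slides 9 and 13, first with the widening of slide 8 and then with the narrowing of slide 12. Intervals are (lo, hi) tuples and ⊥ is None; the function names and the treatment of ⊥ on the right of ∇ and on the left of Δ are assumptions.

```python
import math

INF = math.inf
BOT = None  # bottom element: no value reaches this program point

def join(p, q):                      # slide 6: [min(a, c), max(b, d)]
    if p is BOT or q is BOT:
        return q if p is BOT else p
    return (min(p[0], q[0]), max(p[1], q[1]))

def meet(p, q):                      # slide 6: [max(a, c), min(b, d)]
    if p is BOT or q is BOT:
        return BOT
    lo, hi = max(p[0], q[0]), min(p[1], q[1])
    return (lo, hi) if lo <= hi else BOT

def widen(p, q):                     # slide 8, with 0 as the only threshold
    if p is BOT or q is BOT:         # "p widen BOT = p" is an assumption
        return q if p is BOT else p
    (a, b), (c, d) = p, q
    return (a if a <= c else (0 if 0 <= c else -INF),
            b if b >= d else (0 if d <= 0 else INF))

def narrow(p, q):                    # slide 12: only infinite bounds are refined
    if p is BOT or q is BOT:         # "BOT narrow q = BOT" is an assumption
        return p
    (a, b), (c, d) = p, q
    return (c if a == -INF else a, d if b == INF else b)

def step(head, op):
    """IntEntry(2) := IntExit(2) op (IntExit(1) join IntExit(3))."""
    entry3 = meet(head, (-INF, 1000))            # guard x <= 1000
    exit3 = BOT if entry3 is BOT else (entry3[0] + 1, entry3[1] + 1)
    return op(head, join((1, 1), exit3))         # IntExit(1) = [1, 1]

def fixpoint(start, op):
    x, nxt = start, step(start, op)
    while nxt != x:
        x, nxt = nxt, step(nxt, op)
    return x

def analyze():
    """Return (loop head after widening, after narrowing, IntExit(4))."""
    widened = fixpoint(BOT, widen)
    narrowed = fixpoint(widened, narrow)
    return widened, narrowed, meet(narrowed, (1001, INF))

if __name__ == "__main__":
    print(analyze())
```

Widening stabilises after three evaluations of the loop head instead of roughly a thousand, and narrowing then recovers the finite upper bound that widening gave up.
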
14
Widening and Narrowing Summary
  • Very simple but produces impressive precision
  • The McCarthy 91 function
  • Also useful in the finite case
  • Can be used as a methodological tool
  • But not widely accepted

int f(x)                      [-∞, ∞]
  if x > 100 then             [101, ∞]
    return x - 10             [91, ∞-10]
  else                        [-∞, 100]
    return f(f(x+11))         [91, 91]
15
Combining Data Flow Analyses
  • Develop new algorithms from old
  • If I know how to conservatively represent
  • Pointers
  • Integers
  • Do I know how to handle C programs with integers
    and pointers (and casting?)?

16
Combining Data Flow Analyses
  • Develop new algorithms from old
  • If I know how to conservatively represent
  • Pointers
  • Integers
  • Do I know how to handle C programs with integers
    and pointers (and casting?)?
  • Improve the precision of an analysis
  • Obtain a more efficient analysis

17
Combining Data Flow Analyzers
  • Lattice constructors
  • L1 × L2
  • S → L1
  • Galois connection constructors
  • Constructing the abstract effect of elementary
    statements
  • Model the relevant parts of the program
  • Abstract irrelevant parts of the program

18
Galois Connections
  • For
  • A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1,
    ⊥1, ⊤1)
  • A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2,
    ⊤2)
  • α: L1 → L2
  • γ: L2 → L1
  • We say that (L1, α, γ, L2) is a Galois
    connection if
  • α and γ are monotone
  • For all c ∈ L1: γ(α(c)) ⊒ c
  • For all a ∈ L2: α(γ(a)) ⊑ a

19
Cartesian Products
  • A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1,
    ⊥1, ⊤1)
  • A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2,
    ⊤2)
  • Define a Poset L = (L1 × L2, ⊑) where
  • (x1, x2) ⊑ (y1, y2) if
  • x1 ⊑ y1 and
  • x2 ⊑ y2
  • L is a complete lattice
  • But what does an element in L represent?

20
Cartesian Products (cont)
  • A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1,
    ⊥1, ⊤1)
  • A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2,
    ⊤2)
  • Complete lattice L = (L1 × L2, ⊑)
  • A concrete lattice C (usually a powerset)
  • A Galois connection (C, α1, γ1, L1)
  • A Galois connection (C, α2, γ2, L2)
  • Define α: C → L1 × L2 and γ: L1 × L2 → C?
  • Example: Parity × Sign

21
Cartesian Products (cont)
  • A Galois connection (C, α1, γ1, L1)
  • A Galois connection (C, α2, γ2, L2)
  • A Galois connection (C, α, γ, L1 × L2)
  • α(c) = ⟨α1(c), α2(c)⟩
  • γ(⟨a1, a2⟩) = γ1(a1) ⊓ γ2(a2)
  • Define
  • L1⟦st⟧: L1 → L1
  • L2⟦st⟧: L2 → L2
  • How to define (L1 × L2)⟦st⟧: L1 × L2 → L1 × L2
  • Preserve soundness
  • Preserve relative optimality (induced)
  • Example: Parity × Sign

22
Component-wise combinations
  • Combine several analyses into a single analysis
  • Cartesian products (Direct product)
  • Independent attribute method
  • Relational attribute method
  • Total function space
  • Monotone function space
  • Direct tensor product

23
Independent Attribute Method
  • A Galois connection (C1, α1, γ1, L1)
  • A Galois connection (C2, α2, γ2, L2)
  • A Galois connection (C1 × C2, α, γ, L1 × L2)
  • α(⟨c1, c2⟩) = ⟨α1(c1), α2(c2)⟩
  • γ(⟨a1, a2⟩) = ⟨γ1(a1), γ2(a2)⟩
  • Define
  • L1⟦st⟧: L1 → L1
  • L2⟦st⟧: L2 → L2
  • How to define (L1 × L2)⟦st⟧: L1 × L2 → L1 × L2
  • Preserve soundness
  • Preserve relative optimality (induced)

24
Relational Attribute Method
  • A Galois connection (P(C1), ?1 , ?1, P(L1))
    where ?1 C1?L1
  • ?1 (X) ??1(c) c ? X
  • A Galois connection (P(C2), ?2 , ?2, P(L2))
    where ?2 C2?L2
  • ?2 (X) ??2(c) c ? X
  • A Galois connection (P(C1?C2), ? , ?, P(L1 ? L2))
  • ?(ltX1, X2gt) lt?1(c1), ?2(c2)gt c1 ? X1, c2 ?
    X2
  • ?(ltY1,Y2gt) ltc1 , c2gt ?1(c1) ? Y1 ?2(c2)
    ? Y2

25
Conclusions(1)
  • Good static analysis
  • Precise enough (for the client)
  • Efficient enough
  • Good static analysis
  • Good domain
  • Abstract non-important details
  • Represents relevant concrete information
  • Precise and efficient abstract meaning of
    abstract interpreters
  • Efficient join implementation
  • Small height or widening

26
Conclusions(2)
  • The Theory of Static Analysis is well founded
  • Abstraction
  • Soundness
  • Chaotic iterations
  • Elimination methods
  • Modular methods
  • Weak Parts
  • Transformations
  • Predictable approximations
  • System