Title: Program Analysis: Systematic Domain Design
1 Program Analysis: Systematic Domain Design
- Mooly Sagiv
- http://www.math.tau.ac.il/sagiv/courses/pa01.html
- Tel Aviv University
- 640-6706
- Textbook: Principles of Program Analysis, Chapter 4; CC79, CC92
Exercise 2 (homepage, 5/5). Next class: 9/5, 9:00-12:00? 10/5, 10:00-13:00
2 Outline
- Domains with infinite heights
- Systematic construction of Galois connection
- Precision
3 Chaotic Iterations for forward problems
  for l ∈ Lab do DFentry(l) := ⊥; DFexit(l) := ⊥
  DFentry(init(S)) := ι
  WL := Lab
  while WL ≠ ∅ do
    select and remove an arbitrary l ∈ WL
    temp := f_l(DFentry(l))
    if (temp ≠ DFexit(l)) then
      DFexit(l) := temp
      for l' such that (l, l') ∈ flow(S) do
        DFentry(l') := DFentry(l') ⊔ DFexit(l)
        WL := WL ∪ {l'}
4 Widening
- Accelerates the termination of chaotic iterations by computing a more conservative solution
- Can handle lattices of infinite height
5 Chaotic Iterations for forward problems with widening ∇
  for l ∈ Lab do DFentry(l) := ⊥; DFexit(l) := ⊥
  DFentry(init(S)) := ι
  WL := Lab
  while WL ≠ ∅ do
    select and remove an arbitrary l ∈ WL
    temp := f_l(DFentry(l))
    if (temp ≠ DFexit(l)) then
      DFexit(l) := DFexit(l) ∇ temp
      for l' such that (l, l') ∈ flow(S) do
        DFentry(l') := DFentry(l') ⊔ DFexit(l)
        WL := WL ∪ {l'}
6 Example: Interval Analysis
- Find a lower and an upper bound of the value of a variable
- Usages?
- Lattice $L = ((\mathbb{Z} \cup \{-\infty, \infty\}) \times (\mathbb{Z} \cup \{-\infty, \infty\}),\ \sqsubseteq,\ \sqcup,\ \sqcap,\ \bot,\ \top)$, elements written $[a, b]$
- $[a, b] \sqsubseteq [c, d]$ iff $c \le a$ and $d \ge b$
- $[a, b] \sqcup [c, d] = [\min(a, c), \max(b, d)]$
- $[a, b] \sqcap [c, d] = [\max(a, c), \min(b, d)]$
- $\bot$ (the empty interval)
- $\top = [-\infty, \infty]$
- Galois connection
7 Example Program: Interval Analysis
- $[x := 1]^1$; while $[x \le 1000]^2$ do $[x := x + 1]^3$ (label 4 is the program point after the loop)
- $\mathit{IntEntry}(1) = [\mathit{minint}, \mathit{maxint}]$, $\mathit{IntExit}(1) = [1, 1]$
- $\mathit{IntEntry}(2) = \mathit{IntExit}(1) \sqcup \mathit{IntExit}(3)$, $\mathit{IntExit}(2) = \mathit{IntEntry}(2)$
- $\mathit{IntEntry}(3) = \mathit{IntExit}(2) \sqcap [\mathit{minint}, 1000]$, $\mathit{IntExit}(3) = \mathit{IntEntry}(3) + [1, 1]$
- $\mathit{IntEntry}(4) = \mathit{IntExit}(2) \sqcap [1001, \mathit{maxint}]$, $\mathit{IntExit}(4) = \mathit{IntEntry}(4)$
8 Widening for Interval Analysis
- $\bot\ \nabla\ [c, d] = [c, d]$
- $[a, b]\ \nabla\ [c, d] = [\,\text{if } a \le c \text{ then } a \text{ else if } 0 \le c \text{ then } 0 \text{ else } -\infty,\ \ \text{if } b \ge d \text{ then } b \text{ else if } d \le 0 \text{ then } 0 \text{ else } \infty\,]$
9 Example Program: Interval Analysis (with widening)
- $[x := 1]^1$; while $[x \le 1000]^2$ do $[x := x + 1]^3$ (label 4 is the program point after the loop)
- $\mathit{IntEntry}(1) = [-\infty, \infty]$, $\mathit{IntExit}(1) = [1, 1]$
- $\mathit{IntEntry}(2) = \mathit{IntExit}(2)\ \nabla\ (\mathit{IntExit}(1) \sqcup \mathit{IntExit}(3))$, $\mathit{IntExit}(2) = \mathit{IntEntry}(2)$
- $\mathit{IntEntry}(3) = \mathit{IntExit}(2) \sqcap [-\infty, 1000]$, $\mathit{IntExit}(3) = \mathit{IntEntry}(3) + [1, 1]$
- $\mathit{IntEntry}(4) = \mathit{IntExit}(2) \sqcap [1001, \infty]$, $\mathit{IntExit}(4) = \mathit{IntEntry}(4)$
10 Requirements on Widening
- For all elements: $l_1 \sqcup l_2 \sqsubseteq l_1 \nabla l_2$
- For all ascending chains $l_0 \sqsubseteq l_1 \sqsubseteq l_2 \sqsubseteq \dots$ the following sequence is finite (it eventually stabilizes)
  - $y_0 = l_0$
  - $y_{i+1} = y_i \nabla l_{i+1}$
- For a monotone function $f: L \to L$ define
  - $x_0 = \bot$
  - $x_{i+1} = x_i \nabla f(x_i)$
- Theorem
  - There exists $k$ such that $x_{k+1} = x_k$
  - $x_k \in \mathit{Red}(f) = \{\, l \mid l \in L,\ f(l) \sqsubseteq l \,\}$
11 Narrowing
- Improve the result of widening
- $y \sqsubseteq x \Rightarrow y \sqsubseteq (x\ \Delta\ y) \sqsubseteq x$
- For all descending chains $x_0 \sqsupseteq x_1 \sqsupseteq \dots$ the following sequence is finite (it eventually stabilizes)
  - $y_0 = x_0$
  - $y_{i+1} = y_i\ \Delta\ x_{i+1}$
- For a monotone function $f: L \to L$ and $x \in \mathit{Red}(f) = \{\, l \mid l \in L,\ f(l) \sqsubseteq l \,\}$ define
  - $y_0 = x$
  - $y_{i+1} = y_i\ \Delta\ f(y_i)$
- Theorem
  - There exists $k$ such that $y_{k+1} = y_k$
  - $y_k \in \mathit{Red}(f) = \{\, l \mid l \in L,\ f(l) \sqsubseteq l \,\}$
12 Narrowing for Interval Analysis
- $[a, b]\ \Delta\ \bot = [a, b]$
- $[a, b]\ \Delta\ [c, d] = [\,\text{if } a = -\infty \text{ then } c \text{ else } a,\ \ \text{if } b = \infty \text{ then } d \text{ else } b\,]$
13 Example Program: Interval Analysis (with narrowing)
- $[x := 1]^1$; while $[x \le 1000]^2$ do $[x := x + 1]^3$ (label 4 is the program point after the loop)
- $\mathit{IntEntry}(1) = [-\infty, \infty]$, $\mathit{IntExit}(1) = [1, 1]$
- $\mathit{IntEntry}(2) = \mathit{IntExit}(2)\ \Delta\ (\mathit{IntExit}(1) \sqcup \mathit{IntExit}(3))$, $\mathit{IntExit}(2) = \mathit{IntEntry}(2)$
- $\mathit{IntEntry}(3) = \mathit{IntExit}(2) \sqcap [-\infty, 1000]$, $\mathit{IntExit}(3) = \mathit{IntEntry}(3) + [1, 1]$
- $\mathit{IntEntry}(4) = \mathit{IntExit}(2) \sqcap [1001, \infty]$, $\mathit{IntExit}(4) = \mathit{IntEntry}(4)$
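The interval analysis of slides 6 to 13, run end to end on the example program. This is an added example, not code from the slides: it encodes an interval as a Python tuple (None for ⊥), implements ⊔, ⊓, the widening of slide 8 and the narrowing of slide 12, and solves the equations of slides 7, 9 and 13 by round-robin chaotic iteration (a simple variant of the worklist algorithm of slides 3 and 5, with ∇ or Δ applied at the loop head, label 2). Running it shows the three behaviours the slides describe: the plain iteration needs about a thousand rounds to reach [1, 1001] at the loop head, widening reaches the less precise post-fixpoint [1, ∞] in three rounds, and narrowing from that point recovers [1, 1001] in two.

```python
# Interval analysis with widening and narrowing on the slides' example program
#   [x := 1]^1; while [x <= 1000]^2 do [x := x + 1]^3   (label 4 = point after the loop)
# Added example; the encoding (tuple = interval, None = bottom) is an assumption.
from typing import Callable, Dict, Optional, Tuple

INF = float("inf")
Interval = Optional[Tuple[float, float]]  # (lo, hi) with lo <= hi; None encodes bottom
BOT: Interval = None
TOP: Interval = (-INF, INF)


def leq(i: Interval, j: Interval) -> bool:
    """[a,b] ⊑ [c,d] iff c <= a and b <= d (slide 6); bottom is below everything."""
    if i is None:
        return True
    if j is None:
        return False
    return j[0] <= i[0] and i[1] <= j[1]


def join(i: Interval, j: Interval) -> Interval:
    if i is None:
        return j
    if j is None:
        return i
    return (min(i[0], j[0]), max(i[1], j[1]))


def meet(i: Interval, j: Interval) -> Interval:
    if i is None or j is None:
        return None
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else None


def add(i: Interval, j: Interval) -> Interval:
    """Abstract + on intervals, the transfer function of x := x + 1."""
    if i is None or j is None:
        return None
    return (i[0] + j[0], i[1] + j[1])


def widen(old: Interval, new: Interval) -> Interval:
    """Slide 8: keep a stable bound, otherwise jump to the threshold 0 or to ±∞."""
    if old is None:
        return new
    if new is None:
        return old
    (a, b), (c, d) = old, new
    lo = a if a <= c else (0 if 0 <= c else -INF)
    hi = b if b >= d else (0 if d <= 0 else INF)
    return (lo, hi)


def narrow(old: Interval, new: Interval) -> Interval:
    """Slide 12: only infinite bounds are replaced, so the result stays between new and old."""
    if new is None:
        return old
    if old is None:
        return None
    (a, b), (c, d) = old, new
    return (c if a == -INF else a, d if b == INF else b)


Combine = Callable[[Interval, Interval], Interval]
State = Dict[int, Interval]


def solve(entry: State, exit_: State, combine: Combine, max_rounds: int = 5000):
    """Round-robin chaotic iteration of the equations on slides 7/9/13.
    `combine` is applied at the loop head (label 2): plain replacement (slide 7),
    widening ∇ (slide 9) or narrowing Δ (slide 13). Returns (entry, exit, rounds)."""
    for rounds in range(1, max_rounds + 1):
        before = (dict(entry), dict(exit_))
        exit_[1] = (1, 1)                                        # [x := 1]^1
        entry[2] = combine(entry[2], join(exit_[1], exit_[3]))   # loop head
        exit_[2] = entry[2]                                      # [x <= 1000]^2 itself
        entry[3] = meet(exit_[2], (-INF, 1000))                  # true branch: x <= 1000
        exit_[3] = add(entry[3], (1, 1))                         # [x := x + 1]^3
        entry[4] = meet(exit_[2], (1001, INF))                   # false branch: x > 1000
        exit_[4] = entry[4]
        if (entry, exit_) == before:
            return entry, exit_, rounds
    raise RuntimeError("no fixpoint within max_rounds")


def analyze(mode: str):
    """mode: 'plain' (slide 7), 'widen' (slide 9) or 'narrow' (slide 13, started
    from the widened result, which is in Red(f) as slide 11 requires)."""
    entry: State = {1: TOP, 2: BOT, 3: BOT, 4: BOT}
    exit_: State = {1: BOT, 2: BOT, 3: BOT, 4: BOT}
    if mode == "plain":
        return solve(entry, exit_, lambda old, new: new)
    if mode == "widen":
        return solve(entry, exit_, widen)
    if mode == "narrow":
        entry, exit_, _ = analyze("widen")
        return solve(entry, exit_, narrow)
    raise ValueError(mode)


if __name__ == "__main__":
    for mode in ("plain", "widen", "narrow"):
        entry, _, rounds = analyze(mode)
        print(f"{mode:6s} rounds={rounds:4d} IntEntry(2)={entry[2]} IntEntry(4)={entry[4]}")
```

The widening threshold at 0 is what slide 8 prescribes; with a different threshold set the result of the widening phase changes but the narrowing phase still only replaces the infinite bounds, which is why it recovers [1, 1001] here regardless.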
14 Widening and Narrowing Summary
- Very simple but produces impressive precision
- Also useful in the finite case
- Can be used as a methodological tool
- But not widely accepted
- The McCarthy 91 function, annotated with the intervals computed for x and for the return value:
  int f(x)                  x ∈ [-∞, ∞]
    if x > 100 then         x ∈ [101, ∞]
      return x - 10         [101, ∞] - 10 = [91, ∞]
    else                    x ∈ [-∞, 100]
      return f(f(x + 11))   [91, 91]
16 Combining Data Flow Analyses
- Develop new algorithms from old
  - If I know how to conservatively represent
    - Pointers
    - Integers
  - Do I know how to handle C programs with integers and pointers (and casting?)?
- Improve the precision of an analysis
- Obtain a more efficient analysis
17 Combining Data Flow Analyzers
- Lattice constructors
  - $L_1 \times L_2$
  - $S \to L_1$
  -
- Galois connection constructors
- Constructing the abstract effect of elementary statements
  - Model the relevant parts of the program
  - Abstract irrelevant parts of the program
18 Galois Connections
- For
  - A complete lattice $(L_1, \sqsubseteq_1) = (L_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$
  - A complete lattice $(L_2, \sqsubseteq_2) = (L_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$
  - $\alpha: L_1 \to L_2$
  - $\gamma: L_2 \to L_1$
- We say that $(L_1, \alpha, \gamma, L_2)$ is a Galois connection if
  - $\alpha$ and $\gamma$ are monotone
  - For all $c \in L_1$: $\gamma(\alpha(c)) \sqsupseteq_1 c$
  - For all $a \in L_2$: $\alpha(\gamma(a)) \sqsubseteq_2 a$
19 Cartesian Products
- A complete lattice $(L_1, \sqsubseteq_1) = (L_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$
- A complete lattice $(L_2, \sqsubseteq_2) = (L_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$
- Define a poset $L = (L_1 \times L_2, \sqsubseteq)$ where
  - $(x_1, x_2) \sqsubseteq (y_1, y_2)$ if
    - $x_1 \sqsubseteq_1 y_1$ and
    - $x_2 \sqsubseteq_2 y_2$
- $L$ is a complete lattice
- But what does an element in $L$ represent?
20 Cartesian Products (cont.)
- A complete lattice $(L_1, \sqsubseteq_1) = (L_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1)$
- A complete lattice $(L_2, \sqsubseteq_2) = (L_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2)$
- Complete lattice $L = (L_1 \times L_2, \sqsubseteq)$
- A concrete lattice $C$ (usually a powerset)
- A Galois connection $(C, \alpha_1, \gamma_1, L_1)$
- A Galois connection $(C, \alpha_2, \gamma_2, L_2)$
- Define $\alpha: C \to L_1 \times L_2$ and $\gamma: L_1 \times L_2 \to C$?
- Example: Parity $\times$ Sign
21 Cartesian Products (cont.)
- A Galois connection $(C, \alpha_1, \gamma_1, L_1)$
- A Galois connection $(C, \alpha_2, \gamma_2, L_2)$
- A Galois connection $(C, \alpha, \gamma, L_1 \times L_2)$
  - $\alpha(c) = \langle \alpha_1(c), \alpha_2(c) \rangle$
  - $\gamma(\langle a_1, a_2 \rangle) = \gamma_1(a_1) \sqcap \gamma_2(a_2)$
- Define
  - $\llbracket st \rrbracket^{L_1}: L_1 \to L_1$
  - $\llbracket st \rrbracket^{L_2}: L_2 \to L_2$
- How to define $\llbracket st \rrbracket^{L_1 \times L_2}: L_1 \times L_2 \to L_1 \times L_2$?
  - Preserve soundness
  - Preserve relative optimality (induced)
- Example: Parity $\times$ Sign
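The Parity × Sign example of slides 20 and 21, worked in code. This is an added example, not from the slides: the concrete domain is restricted to a constructed finite universe U = {-4, …, 4} so that α and γ can be enumerated and the conditions of slide 18 checked exhaustively, both abstract lattices are encoded as powersets of tags ordered by inclusion (an assumption), and the transfer functions for x := x + 1 are written here to contrast the component-wise combination of the two analyses with the induced (relatively optimal) one that slide 21 asks for.

```python
# Cartesian product of two Galois connections (slides 19-21): Parity × Sign over
# C = P(U). Added example; U is a constructed finite universe and both abstract
# lattices are encoded as powersets of tags ordered by inclusion (assumptions).
from itertools import combinations

U = frozenset(range(-4, 5))                     # constructed concrete universe
SIGN_TOP = frozenset({"-", "0", "+"})           # Sign lattice: P({-,0,+}), bottom = ∅
PAR_TOP = frozenset({"even", "odd"})            # Parity lattice: P({even,odd}), bottom = ∅


def sign(x):
    return "-" if x < 0 else ("0" if x == 0 else "+")


def parity(x):
    return "even" if x % 2 == 0 else "odd"


# The two component connections (C, alpha_i, gamma_i, L_i) with C = P(U).
def alpha_par(X):
    return frozenset(parity(x) for x in X)


def gamma_par(p):
    return frozenset(x for x in U if parity(x) in p)


def alpha_sign(X):
    return frozenset(sign(x) for x in X)


def gamma_sign(s):
    return frozenset(x for x in U if sign(x) in s)


# Slide 21: alpha(c) = <alpha1(c), alpha2(c)>, gamma(<a1,a2>) = gamma1(a1) ⊓ gamma2(a2).
def alpha(X):
    return (alpha_par(X), alpha_sign(X))


def gamma(a):
    return gamma_par(a[0]) & gamma_sign(a[1])


def leq(a, b):
    """Slide 19: component-wise order on L1 × L2."""
    return a[0] <= b[0] and a[1] <= b[1]


def powerset(s):
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def check_galois_connection():
    """Exhaustively check the slide-18 conditions for the product connection."""
    concrete = powerset(U)
    abstract = [(p, s) for p in powerset(PAR_TOP) for s in powerset(SIGN_TOP)]
    A = {X: alpha(X) for X in concrete}
    G = {a: gamma(a) for a in abstract}
    extensive = all(X <= G[A[X]] for X in concrete)               # gamma(alpha(c)) ⊒ c
    reductive = all(leq(A[G[a]], a) for a in abstract)            # alpha(gamma(a)) ⊑ a
    mono_alpha = all(leq(A[X], A[Y]) for X in concrete for Y in concrete if X <= Y)
    mono_gamma = all(G[a] <= G[b] for a in abstract for b in abstract if leq(a, b))
    return extensive and reductive and mono_alpha and mono_gamma


def reduce_element(a):
    """alpha(gamma(a)): the most precise element with the same meaning as a. The direct
    product is not reduced, e.g. <{odd}, {0}> and <∅, ∅> both denote the empty set."""
    return alpha(gamma(a))


# Abstract effect of x := x + 1, to contrast the two ways of combining the analyses.
def inc_par(p):
    return frozenset({"even": "odd", "odd": "even"}[t] for t in p)


def inc_sign(s):
    out = set()
    if "-" in s:
        out |= {"-", "0"}              # a negative x plus 1 may reach 0
    if "0" in s or "+" in s:
        out.add("+")
    return frozenset(out)


def inc_componentwise(a):
    """Sound: each analysis applies its own transfer function and ignores the other."""
    return (inc_par(a[0]), inc_sign(a[1]))


def inc_induced(a):
    """Relatively optimal (induced) transfer alpha(f(gamma(a))); computable here only
    because U is finite. It notices that an odd x <= 0 is in fact negative."""
    return alpha(frozenset(x + 1 for x in gamma(a)))
```

For ⟨{odd}, {-, 0}⟩ (x odd and non-positive) the component-wise transfer yields ⟨{even}, ⊤⟩, while the induced one yields ⟨{even}, {-, 0}⟩: the component-wise combination is sound but does not preserve relative optimality, which is the trade-off slide 21 points at.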
22 Component-wise combinations
- Combine several analyses into a single analysis
- Cartesian products (Direct product)
- Independent attribute method
- Relational attribute method
- Total function space
- Monotone function space
- Direct tensor product
23 Independent Attribute Method
- A Galois connection $(C_1, \alpha_1, \gamma_1, L_1)$
- A Galois connection $(C_2, \alpha_2, \gamma_2, L_2)$
- A Galois connection $(C_1 \times C_2, \alpha, \gamma, L_1 \times L_2)$
  - $\alpha(\langle c_1, c_2 \rangle) = \langle \alpha_1(c_1), \alpha_2(c_2) \rangle$
  - $\gamma(\langle a_1, a_2 \rangle) = \langle \gamma_1(a_1), \gamma_2(a_2) \rangle$
- Define
  - $\llbracket st \rrbracket^{L_1}: L_1 \to L_1$
  - $\llbracket st \rrbracket^{L_2}: L_2 \to L_2$
- How to define $\llbracket st \rrbracket^{L_1 \times L_2}: L_1 \times L_2 \to L_1 \times L_2$?
  - Preserve soundness
  - Preserve relative optimality (induced)
24 Relational Attribute Method
- A Galois connection $(\mathcal{P}(C_1), \alpha_1, \gamma_1, \mathcal{P}(L_1))$ where $\beta_1: C_1 \to L_1$ and $\alpha_1(X) = \{\, \beta_1(c) \mid c \in X \,\}$
- A Galois connection $(\mathcal{P}(C_2), \alpha_2, \gamma_2, \mathcal{P}(L_2))$ where $\beta_2: C_2 \to L_2$ and $\alpha_2(X) = \{\, \beta_2(c) \mid c \in X \,\}$
- A Galois connection $(\mathcal{P}(C_1 \times C_2), \alpha, \gamma, \mathcal{P}(L_1 \times L_2))$ on sets of pairs, so the correlation between the two components is kept:
  - $\alpha(X) = \{\, \langle \beta_1(c_1), \beta_2(c_2) \rangle \mid \langle c_1, c_2 \rangle \in X \,\}$
  - $\gamma(Y) = \{\, \langle c_1, c_2 \rangle \mid \langle \beta_1(c_1), \beta_2(c_2) \rangle \in Y \,\}$
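The difference between the independent and the relational attribute method of slides 23 and 24, as an added example that is not part of the deck. It takes β1 = β2 = sign, a constructed finite universe and a constructed concrete set of pairs with y = -x (the states after y := -x); the independent method abstracts the two coordinates separately and loses their correlation, the relational method abstracts the set of pairs and keeps it.

```python
# Independent vs. relational attribute method (slides 23-24) with beta1 = beta2 = sign.
# Added example; the finite universe U and the concrete set NEGATED are constructed.

def sign(x):
    return "-" if x < 0 else ("0" if x == 0 else "+")


U = range(-3, 4)                                   # constructed finite universe
NEGATED = frozenset((x, -x) for x in U)            # constructed: the pairs with y = -x


# Slide 23, with C1 = C2 = P(Z): <X1, X2> is abstracted coordinate by coordinate.
def alpha_independent(X1, X2):
    return (frozenset(map(sign, X1)), frozenset(map(sign, X2)))


def gamma_independent(a):
    s1, s2 = a
    return frozenset((x, y) for x in U for y in U if sign(x) in s1 and sign(y) in s2)


# Slide 24, with P(C1 x C2) = P(Z x Z): alpha(X) = {<beta1(c1), beta2(c2)> | <c1, c2> in X}.
def alpha_relational(X):
    return frozenset((sign(x), sign(y)) for x, y in X)


def gamma_relational(Y):
    return frozenset((x, y) for x in U for y in U if (sign(x), sign(y)) in Y)


def compare(pairs):
    """Abstract the same concrete set both ways and concretize again.
    Returns (|gamma(alpha(.))| independent, |gamma(alpha(.))| relational, both sound)."""
    xs, ys = {x for x, _ in pairs}, {y for _, y in pairs}
    ind = gamma_independent(alpha_independent(xs, ys))
    rel = gamma_relational(alpha_relational(pairs))
    return len(ind), len(rel), pairs <= rel <= ind


if __name__ == "__main__":
    print("independent:", alpha_independent({x for x, _ in NEGATED}, {y for _, y in NEGATED}))
    print("relational: ", sorted(alpha_relational(NEGATED)))
    print("sizes after gamma:", compare(NEGATED))
```

On NEGATED the independent method yields ⟨⊤, ⊤⟩ (every sign for x, every sign for y), whose concretization is all 49 pairs of U × U, whereas the relational method yields {⟨-, +⟩, ⟨0, 0⟩, ⟨+, -⟩} and concretizes to 19 pairs; a fact such as "x = 0 implies y = 0" survives only in the relational domain, which is the price of the cheaper independent method.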
25 Conclusions (1)
- Good static analysis
  - Precise enough (for the client)
  - Efficient enough
- Good static analysis needs a good domain
  - Abstracts non-important details
  - Represents relevant concrete information
  - Precise and efficient abstract meaning of abstract interpreters
  - Efficient join implementation
  - Small height or widening
26 Conclusions (2)
- The theory of static analysis is well founded
  - Abstraction
  - Soundness
  - Chaotic iterations
  - Elimination methods
  - Modular methods
- Weak parts
  - Transformations
  - Predictable approximations
  - System