Program Analysis Last Lesson Mooly Sagiv

Goals u Show the significance of set constraints for CFA of Object Oriented Programs u Sketch advanced techniques u Summarize the course u Get some feedback

A Motivating Example class Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(v : Vehicle) { if (v.position < position) then v.move(position - v.position); else self.move(10); }} class Truck extends Vehicle { void move(x2 : int) { if (x2 < 55) position = position + x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passengers := 2; c.move(60); v1.move(70); c.await(t) ;}

A Motivating Example class Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(v {Truck} : Vehicle) { if (v {Truck}.position < position) then v {Truck}.move(position - v.position); else self {Car}.move(10); }} class Truck extends Vehicle { void move(x2 : int) { if (x2 < 55) position = position + x2; }} void main { Car c; Truck t; Vehicle v1; new c {Car} ; new t {Truck} ; v1 {Car} := c {Car} ; c {Car}.passengers := 2; c {Car}.move(60); v1 {Car}.move(70); c {Car}.await(t {Truck} ) ;}

Flow Insensitive Class Analysis u Determine the set of potential classes of every variable at every program point u Compute a mapping  from variables into a set of class names u Combine values of variables at different points u Generate a set of constraints for every statement u Find a minimal solution

A Motivating Example class Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(v1 : Vehicle) { if (v1.position < position) then v1.move(position - v1.position); else self.move(10); }} class Truck extends Vehicle { void move(x2 : int) { if (x2 < 55) position = position + x2; }} void main { Car c; Truck t; Vehicle v2; new c; new t; v2 := c; c.passengers := 2; c.move(60); v2.move(70); c.await(t) ; } {Car}   (c) {Truck}   (t)  (c)   (v2) {Car}   (c)   (t)   (v1)

Class Analysis Summary u Resolve called function u Can also perform type inference and checking u Can be used to warn against programmer errors at compile-time

Set Constraints Summary u Can be used to generate a flow sensitive solution u Can also handle sets of “terms” –Finite set of constructors C={b, c, …} –Finite set of variables –Set expressions E ::=  | variable | E 1  E 2 | E 1  E 2 | c(E 1, E 2,…, E k )| c -i (E) –Finite set of inequalities E 1  E 2 –Find the least solution (or a symbolic representation)

Advanced Abstract Interpretation Techniques u Origin [Cousot&Cousot POPL 1979] Download from the course homepage u Widening & Narrowing u Combining dataflow analysis problems u Semantic reductions u...

Widening u Accelerate the termination of Chaotic iterations by computing a more conservative solution u Can handle lattices of infinite heights

Example Interval Analysis u Find a lower and an upper bound of the value of a variable u Lattice L = (Z  Z, , , , ,  ) –[a, b]  [c, d] if c  a and d  b –[a, b]  [c, d] = [min(a, c), max(b, d)] –[a, b]  [c, d] = [max(a, c), min(b, d)] –  = –  = u Program x := 1 ; while x  1000 do x := x + 1;

Widening for Interval Analysis u   [c, d] = [c, d] u [a, b]  [c, d] = [ if a  c then a else if 0  c then 0 else minint, if b  d then b else if d  0 then 0 else maxint

Chaotic Iterations for forward problems+  for l  Lab * do DF entry (l) :=  DF exit (l) :=  DF entry (init(S * )) :=  WL= Lab * while WL !=  do Select and remove an arbitrary l  WL if (temp != DF exit (l)) DF exit (l) := DF exit (l)  temp for l' such that (l,l')  flow(S*) do DF entry (l') := DF entry (l')  DF exit (l) WL := WL  {l’}

Example [x := 1] 1 ; while [x  1000] 2 do [x := x + 1] 3 ;

Requirements on Widening u For all elements l 1  l 2  l 1  l 2 u For all ascending chains l 0  l 1  l 2  … the following sequence is finite –y 0 = l 0 –y i+1 = y i  l i+1

Narrowing u Improve the result of widening

Example [x := 1] 1 ; while [x  1000] 2 do [x := x + 1] 3 ;

Widening and Narrowing Summary u Very simple but produces impressive precision u The McCarthy 91 function u Also useful in the finite case u Can be used as a methodological tool u But not widely accepted int f(x) if x > 100 then return x -10 else return f(f(x+11))

Combining dataflow analysis problems u How to combine different analyses u The result can be more precise than both! u On some programs more efficient too u Many possibly ways to combine (4.4) u A simple example sign+parity analysis x := x - 1

Cartezian Products u Analysis 1 –Lattice (L 1,  1,  1,  1,  1,  1 ) –Galois connection  1 : P(States)  L 1  1 : L 1  P(States) –Transfer functions op 1 :L 1  L 1 u Analysis 2 –Lattice (L 2,  2,  2,  2,  2,  2 ) –Galois connection  2 : P(States)  L 2  1 : L 2  P(States) –Transfer functions op 2 :L 2  L 2 u Combined Analysis –L = (L 1  L 2,  ) where (l 1, l 2 )  (u 1, u 2 ) if l 1  1 u 1 and l 2  2 u 2 –Galois connection –Transfer functions

Course Summary u Techniques Studied –Operational Semantics –Dataflow Analysis and Monotone Frameworks (Imperative Programs) –Control Flow Analysis and Set Constraints (Functional Programs) u Techniques Sketched –Abstract interpretation –Interprocedural Analysis –Type and effect systems u Not Covered –Efficient algorithms –Applications in compilers –Logic programming

Course Summary u Able to understand advanced static analysis techniques u Find faults in existing algorithms u Be able to develop new algorithms u Gain a better understanding of programming languages –Functional Vs. Imperative –Operational Semantics

Feedback