Program Analysis: Systematic Domain Design. Mooly Sagiv, Tel Aviv University, 640-6706. Textbook: Principles of Program Analysis.
1 Program Analysis Systematic Domain Design Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis Chapter 4, CC79, CC92

2 Outline
- Domains with infinite heights
- Systematic construction of Galois connections
- Precision

3 Specialized Chaotic Iterations
  Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L)) {
    for each v in V do df_entry[v] := ⊥
    df_entry[s] := ι
    WL := {s}
    while (WL ≠ ∅) do
      select and remove an element u ∈ WL
      for each v such that e = (u, v) ∈ E do
        temp := f(e)(df_entry[u])
        new := df_entry[v] ⊔ temp
        if (new ≠ df_entry[v]) then
          df_entry[v] := new;
          WL := WL ∪ {v}
  }

4 Widening
- Accelerate the termination of chaotic iterations by computing a more conservative solution
- Can handle lattices of infinite height

5 Specialized Chaotic Iterations + ∇
  Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L)) {
    for each v in V do df_entry[v] := ⊥
    df_entry[s] := ι
    WL := {s}
    while (WL ≠ ∅) do
      select and remove an element u ∈ WL
      for each v such that e = (u, v) ∈ E do
        temp := f(e)(df_entry[u])
        new := df_entry[v] ∇ temp
        if (new ≠ df_entry[v]) then
          df_entry[v] := new;
          WL := WL ∪ {v}
  }

6 Example: Interval Analysis
- Find a lower and an upper bound of the value of a variable
- Usages?
- Lattice L = ((Z ∪ {-∞, ∞}) × (Z ∪ {-∞, ∞}), ⊑, ⊔, ⊓, ⊥, ⊤)
  - [a, b] ⊑ [c, d] if c ≤ a and b ≤ d
  - [a, b] ⊔ [c, d] = [min(a, c), max(b, d)]
  - [a, b] ⊓ [c, d] = [max(a, c), min(b, d)]
  - ⊥ = the empty interval
  - ⊤ = [-∞, ∞]
- Galois connection

7 Example Program: Interval Analysis
  [x := 1]1; while [x ≤ 1000]2 do [x := x + 1;]3
  Control-flow nodes: [x := 1]1, [x ≤ 1000]2, [x := x + 1]3, [exit]4
  IntEntry(1) = [minint, maxint]
  IntExit(1)  = [1, 1]
  IntEntry(2) = IntExit(1) ⊔ IntExit(3)
  IntExit(2)  = IntEntry(2)
  IntEntry(3) = IntExit(2) ⊓ [minint, 1000]
  IntExit(3)  = IntEntry(3) + [1, 1]
  IntEntry(4) = IntExit(2) ⊓ [1001, maxint]
  IntExit(4)  = IntEntry(4)

8 Widening for Interval Analysis
- ⊥ ∇ [c, d] = [c, d]
- [a, b] ∇ [c, d] = [ if a ≤ c then a else -∞, if b ≥ d then b else ∞ ]

9 Example Program: Interval Analysis (with widening)
  [x := 1]1; while [x ≤ 1000]2 do [x := x + 1;]3
  Control-flow nodes: [x := 1]1, [x ≤ 1000]2, [x := x + 1]3, [exit]4
  IntEntry(1) = [-∞, ∞]
  IntExit(1)  = [1, 1]
  IntEntry(2) = IntExit(2) ∇ (IntExit(1) ⊔ IntExit(3))
  IntExit(2)  = IntEntry(2)
  IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]
  IntExit(3)  = IntEntry(3) + [1, 1]
  IntEntry(4) = IntExit(2) ⊓ [1001, ∞]
  IntExit(4)  = IntEntry(4)

10 Requirements on Widening
- For all elements: l1 ⊔ l2 ⊑ l1 ∇ l2
- For all ascending chains l0 ⊑ l1 ⊑ l2 ⊑ … the following sequence is finite (it stabilizes)
  - y0 = l0
  - y(i+1) = yi ∇ l(i+1)
- For a monotone function f: L → L define
  - x0 = ⊥
  - x(i+1) = xi ∇ f(xi)
- Theorem:
  - There exists k such that x(k+1) = xk
  - xk ∈ Red(f) = {l : l ∈ L, f(l) ⊑ l}

11 Narrowing
- Improve the result of widening
- y ⊑ x ⇒ y ⊑ (x Δ y) ⊑ x
- For all descending chains x0 ⊒ x1 ⊒ … the following sequence is finite (it stabilizes)
  - y0 = x0
  - y(i+1) = yi Δ x(i+1)
- For a monotone function f: L → L and x ∈ Red(f) = {l : l ∈ L, f(l) ⊑ l} define
  - y0 = x
  - y(i+1) = yi Δ f(yi)
- Theorem:
  - There exists k such that y(k+1) = yk
  - yk ∈ Red(f) = {l : l ∈ L, f(l) ⊑ l}

12 Narrowing for Interval Analysis
- [a, b] Δ ⊥ = [a, b]
- [a, b] Δ [c, d] = [ if a = -∞ then c else a, if b = ∞ then d else b ]

13 Example Program: Interval Analysis (with narrowing)
  [x := 1]1; while [x ≤ 1000]2 do [x := x + 1;]3
  Control-flow nodes: [x := 1]1, [x ≤ 1000]2, [x := x + 1]3, [exit]4
  IntEntry(1) = [-∞, ∞]
  IntExit(1)  = [1, 1]
  IntEntry(2) = IntExit(2) Δ (IntExit(1) ⊔ IntExit(3))
  IntExit(2)  = IntEntry(2)
  IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]
  IntExit(3)  = IntEntry(3) + [1, 1]
  IntEntry(4) = IntExit(2) ⊓ [1001, ∞]
  IntExit(4)  = IntEntry(4)
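The interval domain of slides 6, 8 and 12, iterated over the loop of slides 7, 9 and 13, as an added worked example (not code from the slides or the textbook). The join, meet, widening and narrowing follow the slide definitions; `analyse` iterates only the loop-head equation IntEntry(2), first with ∇ from ⊥ and then with Δ from the widened result, and returns the final IntEntry(2) and IntEntry(4).

```python
# Added example: interval domain with widening and narrowing for the program
#   [x := 1]1; while [x <= 1000]2 do [x := x + 1]3; [exit]4
# Intervals are (lo, hi) tuples; BOT (None) is the empty interval, INF is ∞.
INF = float("inf")
BOT = None

def join(p, q):            # [a,b] ⊔ [c,d] = [min(a,c), max(b,d)]
    if p is BOT: return q
    if q is BOT: return p
    return (min(p[0], q[0]), max(p[1], q[1]))

def meet(p, q):            # [a,b] ⊓ [c,d] = [max(a,c), min(b,d)], ⊥ if empty
    if p is BOT or q is BOT: return BOT
    lo, hi = max(p[0], q[0]), min(p[1], q[1])
    return (lo, hi) if lo <= hi else BOT

def widen(p, q):           # ⊥ ∇ [c,d] = [c,d]; a bound that grows jumps to ±∞
    if p is BOT: return q
    if q is BOT: return p
    return (p[0] if p[0] <= q[0] else -INF, p[1] if p[1] >= q[1] else INF)

def narrow(p, q):          # [a,b] Δ ⊥ = [a,b]; only infinite bounds are refined
    if q is BOT: return p
    if p is BOT: return BOT
    return (q[0] if p[0] == -INF else p[0], q[1] if p[1] == INF else p[1])

def add(p, q):             # abstract addition used for x := x + 1
    if p is BOT or q is BOT: return BOT
    return (p[0] + q[0], p[1] + q[1])

def analyse(op):
    """Iterate IntEntry(2) = IntExit(2) op (IntExit(1) ⊔ IntExit(3)) to a
    fixed point; op is widen (starting from ⊥) or narrow (starting from the
    widened result). Returns (IntEntry(2), IntEntry(4))."""
    exit1 = (1, 1)                                        # x := 1
    entry2 = BOT if op is widen else analyse(widen)[0]
    while True:
        entry3 = meet(entry2, (-INF, 1000))               # [x <= 1000] holds
        exit3 = add(entry3, (1, 1))                       # x := x + 1
        new = op(entry2, join(exit1, exit3))
        if new == entry2:
            return entry2, meet(entry2, (1001, INF))      # [x <= 1000] fails
        entry2 = new

if __name__ == "__main__":
    print(analyse(widen))   # ((1, inf), (1001, inf))
    print(analyse(narrow))  # ((1, 1001), (1001, 1001))
```

Widening alone loses the upper bound at the loop head ([1, ∞]); the narrowing pass recovers [1, 1001] and hence x = 1001 at the exit.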

14 Non-Monotonicity of Widening

15 Example Lattice: Octagon (Shaham '00, Miné '02)
- Inequalities between variables
- Constraint graph G(V, E, w)
  - V includes a vertex for every variable
  - Additional zero node
  - Weight function w: E → Z
  - Constraints: { x ≤ y + w(x, y) }
- Lattice
- Abstraction
- Concretization
- Widening
- Relationship to intervals

16 Widening and Narrowing Summary
- Very simple but produces impressive precision
- Sometimes non-monotonic
- The McCarthy 91 function
- Also useful in the finite case
- Can be used as a methodological tool
- But not widely accepted

  int f(x)                        [-∞, ∞]
    if x > 100 then               [101, ∞]
      return x - 10;              [91, ∞]
    else                          [-∞, 100]
      return f(f(x + 11));        [91, 91]

17 Combining Data Flow Analyses
- Develop new algorithms from old
- If I know how to conservatively represent
  - Pointers
  - Integers
- Do I know how to handle C programs with integers and pointers?

18 Combining Data Flow Analyses
- Develop new algorithms from old
- If I know how to conservatively represent
  - Pointers
  - Integers
- Do I know how to handle C programs with integers and pointers?
- Improve the precision of an analysis
- Obtain a more efficient analysis

19 Combining Data Flow Analyzers
- Lattice constructors
  - L1 × L2
  - S → L1
  - …
- Galois connection constructors
- Constructing the abstract effect of elementary statements
- Model the "relevant" parts of the program
- Abstract "irrelevant" parts of the program

20 Galois Connections
- For
  - A complete lattice (L1, ⊑1) = (L1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
  - A complete lattice (L2, ⊑2) = (L2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
  - α: L1 → L2
  - γ: L2 → L1
- We say that (L1, α, γ, L2) is a Galois connection if
  - α and γ are monotone
  - For all c ∈ L1: γ(α(c)) ⊒1 c
  - For all a ∈ L2: α(γ(a)) ⊑2 a

21 Cartesian Products
- A complete lattice (L1, ⊑1) = (L1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
- A complete lattice (L2, ⊑2) = (L2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
- Define a poset L = (L1 × L2, ⊑) where
  - (x1, x2) ⊑ (y1, y2) if
    - x1 ⊑1 y1 and
    - x2 ⊑2 y2
- L is a complete lattice
- But what does an element in L represent?

22 Cartesian Products (cont.)
- A complete lattice (L1, ⊑1) = (L1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
- A complete lattice (L2, ⊑2) = (L2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
- Complete lattice L = (L1 × L2, ⊑)
- A concrete lattice C (usually a powerset)
- A Galois connection (C, α1, γ1, L1)
- A Galois connection (C, α2, γ2, L2)
- Define α: C → L1 × L2 and γ: L1 × L2 → C ?
- Example: Parity × Sign

23 Cartesian Products (cont.)
- A Galois connection (C, α1, γ1, L1)
- A Galois connection (C, α2, γ2, L2)
- A Galois connection (C, α, γ, L1 × L2)
  - α(c) = ⟨α1(c), α2(c)⟩
  - γ(⟨a1, a2⟩) = γ1(a1) ⊓ γ2(a2)
- Define the abstract transformers of a statement st
  - over L1: ⟦st⟧# : L1 → L1
  - over L2: ⟦st⟧# : L2 → L2
- How to define the transformer over L1 × L2: ⟦st⟧# : L1 × L2 → L1 × L2
  - Preserve soundness
  - Preserve relative optimality (induced)
- Example: Parity × Sign
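The product Galois connection of slides 20 to 23, instantiated for Parity × Sign, as an added example (not code from the slides or the textbook). It assumes a constructed finite concrete universe U = {-5, …, 5} so that α and γ can be checked exhaustively; each component lattice is the powerset of its atoms (join = union), and the product uses α(c) = ⟨α1(c), α2(c)⟩ and γ(⟨a1, a2⟩) = γ1(a1) ∩ γ2(a2).

```python
# Added example: Parity x Sign as a Cartesian-product Galois connection.
from itertools import chain, combinations

U = frozenset(range(-5, 6))   # constructed finite concrete universe
PARITY = {"even": frozenset(n for n in U if n % 2 == 0),
          "odd":  frozenset(n for n in U if n % 2 == 1)}
SIGN = {"neg":  frozenset(n for n in U if n < 0),
        "zero": frozenset({0}),
        "pos":  frozenset(n for n in U if n > 0)}

def powerset(items):
    items = sorted(items)
    return [frozenset(s) for r in range(len(items) + 1)
            for s in combinations(items, r)]

def alpha1(dom, c):      # best abstraction: the atoms the concrete set touches
    return frozenset(a for a, conc in dom.items() if conc & c)

def gamma1(dom, a):      # concretisation: union of the chosen atoms
    return frozenset(chain.from_iterable(dom[x] for x in a))

def alpha(c):            # slide 23: alpha(c) = <alpha1(c), alpha2(c)>
    return (alpha1(PARITY, c), alpha1(SIGN, c))

def gamma(a):            # slide 23: gamma(<a1, a2>) = gamma1(a1) ⊓ gamma2(a2)
    return gamma1(PARITY, a[0]) & gamma1(SIGN, a[1])

def leq(a, b):           # slide 21: componentwise order on L1 x L2
    return a[0] <= b[0] and a[1] <= b[1]

ABSTRACTS = [(p, s) for p in powerset(PARITY) for s in powerset(SIGN)]

def is_galois_connection():
    """Slide 20: gamma(alpha(c)) ⊒ c for every concrete set c and
    alpha(gamma(a)) ⊑ a for every abstract pair a (checked exhaustively)."""
    return (all(c <= gamma(alpha(c)) for c in powerset(U))
            and all(leq(alpha(gamma(a)), a) for a in ABSTRACTS))

def unreduced_elements():
    """Pairs a with alpha(gamma(a)) strictly below a: the product lattice
    carries them although no concrete set is abstracted to them."""
    return [a for a in ABSTRACTS if alpha(gamma(a)) != a]

if __name__ == "__main__":
    print(is_galois_connection())                              # True
    print(alpha(frozenset({2, 4})))                            # (even, pos)
    print((frozenset({"odd"}), frozenset({"zero"})) in unreduced_elements())  # True
```

The last call shows why slide 21 asks what a product element represents: ⟨odd, zero⟩ has an empty concretisation, yet it is not ⊥ of L1 × L2, so a componentwise transformer may carry it along without noticing.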

24 Component-wise Combinations
- Combine several analyses into a single analysis
- Cartesian products (direct product)
- Independent attribute method
- Relational attribute method
- Total function space
- Monotone function space
- Direct tensor product

25 Independent Attribute Method
- A Galois connection (C1, α1, γ1, L1)
- A Galois connection (C2, α2, γ2, L2)
- A Galois connection (C1 × C2, α, γ, L1 × L2)
  - α(⟨c1, c2⟩) = ⟨α1(c1), α2(c2)⟩
  - γ(⟨a1, a2⟩) = ⟨γ1(a1), γ2(a2)⟩
- Define the abstract transformers of a statement st
  - over L1: ⟦st⟧# : L1 → L1
  - over L2: ⟦st⟧# : L2 → L2
- How to define the transformer over L1 × L2: ⟦st⟧# : L1 × L2 → L1 × L2
  - Preserve soundness
  - Preserve relative optimality (induced)

26 Relational Attribute Method
- A Galois connection (P(C1), α1, γ1, P(L1)) where β1: C1 → L1
  - α1(X) = {β1(c) | c ∈ X}
- A Galois connection (P(C2), α2, γ2, P(L2)) where β2: C2 → L2
  - α2(X) = {β2(c) | c ∈ X}
- A Galois connection (P(C1 × C2), α, γ, P(L1 × L2))
  - α(⟨X1, X2⟩) = { ⟨β1(c1), β2(c2)⟩ | c1 ∈ X1, c2 ∈ X2 }
  - γ(⟨Y1, Y2⟩) = { ⟨c1, c2⟩ | β1(c1) ∈ Y1, β2(c2) ∈ Y2 }
- But how about transformers?

27 Conclusions (1)
- Good static analysis =
  - Precise enough (for the client)
  - Efficient enough
- Good static analysis requires
  - A good domain
    - Abstract non-important details
    - Represent relevant concrete information
    - Precise and efficient abstract meaning of abstract interpreters
    - Efficient join implementation
    - Small height or widening

28 Conclusions (2)
- The theory of static analysis is well founded
  - Abstraction
  - Soundness
  - Chaotic iterations
  - Elimination methods
  - Modular methods
- Weak parts
  - Transformations
  - Predictable approximations
  - System