Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Program Analysis Systematic Domain Design Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Program Analysis Systematic Domain Design Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles."— Presentation transcript:

1 1 Program Analysis Systematic Domain Design Mooly Sagiv http://www.cs.tau.ac.il/~msagiv/courses/pa04.html Tel Aviv University 640-6706 Textbook: Principles of Program Analysis Chapter 4, CC79, CC92

2 2 Outline u Domains with infinite heights u Systematic construction of Galois connection u Precision

3 3 Specialized Chaotic Iterations Chaotic(G(V, E): Graph, s: Node, L: lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  In[v] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

4 4 Widening u Accelerate the termination of Chaotic iterations by computing a more conservative solution u Can handle lattices of infinite heights

5 5 Specialized Chaotic Iterations+  Chaotic(G(V, E): Graph, s: Node, L: lattice,  : L, f: E  (L  L) ){ for each v in V to n do df entry [v] :=  In[v] =  WL = {s} while (WL   ) do select and remove an element u  WL for each v, such that. (u, v)  E do temp = f(e)(df entry [u]) new := df entry (v)  temp if (new  df entry [v]) then df entry [v] := new; WL := WL  {v}

6 6 Example Interval Analysis u Find a lower and an upper bound of the value of a variable u Usages? u Lattice L = (Z  {- ,  }  Z  {- ,  }, , , , ,  ) –[a, b]  [c, d] if c  a and d  b –[a, b]  [c, d] = [min(a, c), max(b, d)] –[a, b]  [c, d] = [max(a, c), min(b, d)] –  = –  = u Galois connection

7 7 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [minint,maxint] IntExit(1) = [1,1] IntEntry(2) = IntExit(1)  IntExit(3) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [minint,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,maxint] IntExit(4) = IntEntry(4)

8 8 Widening for Interval Analysis u   [c, d] = [c, d] u [a, b]  [c, d] = [ if a  c then a else - , if b  d then b else  ]

9 9 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - ,  ] IntExit(1) = [1,1] IntEntry(2) = InExit(2)  (IntExit(1)  IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,  ] IntExit(4) = IntEntry(4)

10 10 Requirements on Widening u For all elements l 1  l 2  l 1  l 2 u For all ascending chains l 0  l 1  l 2  … the following sequence is finite –y 0 = l 0 –y i+1 = y i  l i+1 u For a monotonic function f: L  L define –x 0 =  –x i+1 = x i  f(x i ) u Theorem: –There exits k such that x k+1 = x k –x k  Red(f) = {l: l  L, f(l)  l}

11 11 Narrowing u Improve the result of widening u y  x  y  (x  y)  x u For all decreasing chains x 0  x 1  … the following sequence is finite –y 0 = x 0 –y i+1 = y i  x i+1 u For a monotonic function f: L  L and x  Red(f) = {l: l  L, f(l)  l} define –y 0 = x –y i+1 = y i  f(y i ) u Theorem: –There exits k such that y k+1 =y k –y k  Red(f) = {l: l  L, f(l)  l}

12 12 Narrowing for Interval Analysis u [a, b]   = [a, b] u [a, b]  [c, d] = [ if a = -  then c else a, if b =  then d else b ]

13 13 Example Program Interval Analysis [x := 1] 1 ; while [x  1000] 2 do [x := x + 1;] 3 IntEntry(1) = [ - ,  ] IntExit(1) = [1,1] IntEntry(2) = InExit(2)  ( IntExit(1)  IntExit(3)) IntExit(2) = IntEntry(2) [x:=1] 1 [x  1000] 2 [x := x+1] 3 [exit] 4 IntEntry(3) = IntExit(2)  [ - ,1000] IntExit(3) = IntEntry(3)+[1,1] IntEntry(4) = IntExit(2)  [1001,  ] IntExit(4) = IntEntry(4)

14 14 Non Montonicity of Widening

15 15 Example Lattice Octagon (Shaham’00, Mine’02) u Inequalities between variables u Constraint graph G(V, E, w) –V includes a vertex for every variable –Additional zero node –weight function w: E  Z –Constraints –{ x  y + w(x, y) } u Lattice u Abstraction u Concretization u Widening u Relationships to intervals

16 16 Widening and Narrowing Summary u Very simple but produces impressive precision u Sometimes non-monotonic u The McCarthy 91 function u Also useful in the finite case u Can be used as a methodological tool u But not widely accepted int f(x) [- ,  ] if x > 100 then [101,  ] return x -10 [91,  -10]; else [- , 100] return f(f(x+11)) [91, 91] ;

17 17 Combining Data Flow Analyzes u Develop new algorithms from old u If I know how to conservatively represent –Pointers –Integers u Do I know how to handle C programs with integers and pointers?

18 18 Combining Data Flow Analyzes u Develop new algorithms from old u If I know how to conservatively represent –Pointers –Integers u Do I know how to handle C programs with integers and pointers? u Improve the precision of an analysis u Obtain a more efficient analysis

19 19 Combining Data Flow Analyzers u Lattice constructors –L 1  L 2 –S  L 1 –… u Galois connection constructors u Constructing the abstract effect of elementary statements u Model the “relevant” parts of the program u Abstract “irrelevant” parts of the program

20 20 Galois Connections u For –A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) –A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) –  :L 1  L 2 –  : L 2  L 1 u We say that (L 1, , , L 2 ) is a Galois connection –  and  are monotone –For all c  L 1 :  (  (c))  c –For all a  L 2 :  (  (a))  a

21 21 Cartesian Products u A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) u A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) u Define a Poset L = (L 1  L 2,  ) where –(x 1, x 2 )  (y 1, y 2 ) if »x 1  y 1 and »x 2  y 2 u L is a complete lattice u But what does an element in L represent?

22 22 Cartesian Products (cont) u A complete lattice (L 1,  1 ) = (L 1, ,  1,  1,  1,  1 ) u A complete lattice (L 2,  2 ) = (, ,  2,  2,  2,  2 ) u Complete lattice L = (L 1  L 2,  ) u A concrete lattice C (usually a powerset) u A Galois connection (C,  1,  1, L 1 ) u A Galois connection (C,  2,  2, L 2 ) u Define  :C  L 1  L 2 and  : L 1  L 2  C ? u Example: Parity  Sign

23 23 Cartesian Products (cont) u A Galois connection (C,  1,  1, L 1 ) u A Galois connection (C,  2,  2, L 2 ) u A Galois connection (C, , , L 1  L 2 ) –  (c) = –  ( ) =  1 (a 1 )   2 (a 2 ) u Define –L 1  st  # : L 1  L 1 –L 2  st  # : L 2  L 2 u How to define L 1  L 2  st  # : L 1  L 2  L 1  L 2 –Preserve soundness –Preserve relative optimality (induced) u Example: Parity  Sign

24 24 Component-wise combinations u Combine several analyses into a single analysis Cartesian products (Direct product) u Independent attribute method u Relational attribute method u Total function space u Monotone function space u Direct tensor product

25 25 Independent Attribute Method u A Galois connection (C 1,  1,  1, L 1 ) u A Galois connection (C 2,  2,  2, L 2 ) u A Galois connection (C 1  C 2, , , L 1  L 2 ) –  ( ) = –  ( ) = u Define –L 1  st  # : L 1  L 1 –L 2  st  # : L 2  L 2 u How to define L 1  L 2  st  # : L 1  L 2  L 1  L 2 –Preserve soundness –Preserve relative optimality (induced)

26 26 Relational Attribute Method u A Galois connection (P(C 1 ),  1,  1, P(L 1 )) where  1 : C 1  L 1 –  1 (X) =  {  1 (c) | c  X} u A Galois connection (P(C 2 ),  2,  2, P(L 2 )) where  2 : C 2  L 2 u  2 (X) =  {  2 (c) | c  X} u A Galois connection (P(C 1  C 2 ), , , P(L 1  L 2 )) –  ( ) = { | c 1  X 1, c 2  X 2 } –  ( ) = { |  1 (c 1 )  Y 1  2 (c 2 )  Y 2 } u But how about transformers?

27 27 Conclusions(1) u Good static analysis = –Precise enough (for the client) –Efficient enough u Good static analysis –Good domain »Abstract non-important details »Represent relevant concrete information »Precise and efficient abstract meaning of abstract interpreters »Efficient join implementation »Small height or widening

28 28 Conclusions(2) u The Theory of Static Analysis is well founded –Abstraction –Soundness –Chaotic iterations –Elimination methods –Modular methods u Weak Parts –Transformations –Predictable approximations –System

Download ppt "1 Program Analysis Systematic Domain Design Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles."

Similar presentations

Abstract Interpretation Part II

Abstract Interpretation Part II
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Tutorial on Widening (and Narrowing) Hongseok Yang Seoul National University.

Tutorial on Widening (and Narrowing) Hongseok Yang Seoul National University.
Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.

Foundations of Data-Flow Analysis. Basic Questions Under what circumstances is the iterative algorithm used in the data-flow analysis correct? How precise.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program.

1 Iterative Program Analysis Part I Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Data Flow Analysis 1 15-411 Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.

Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 2.5.

Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University Textbook Chapter 2.5.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Data Flow Analysis 4 15-411 Compiler Design Nov. 8, 2005.

Data Flow Analysis Compiler Design Nov. 8, 2005.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.

Similar presentations

Ads by Google