Title: Tentative Schedule
1 Tentative Schedule
- Today: Theory of abstract interpretation
- May 5: Procedures
- May 15, 14-16: Orna Grumberg, 309
- May 12: Yom Haatzmaut
- May 19, 20: TVLA
- May 22: TAU verification day (optional)
- May 27: Yom Hastudent
- June 2: Advanced Topics
2 Program Analysis: Systematic Domain Design
- Mooly Sagiv
- http://www.cs.tau.ac.il/msagiv/courses/pa05.html
- Tel Aviv University
- 640-6706
- Textbook: Principles of Program Analysis
- Chapter 4, CC79, CC92
3 Outline
- Domains with infinite heights
- More on Galois Connections
- Systematic construction of Galois connection
- Precision
4 Specialized Chaotic Iterations
    Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L))
      for each v in V to n do
        dfentry[v] := ⊥
      dfentry[s] := ι
      WL := {s}
      while (WL ≠ ∅) do
        select and remove an element u ∈ WL
        for each v such that (u, v) ∈ E do
          temp := f(e)(dfentry[u])
          new := dfentry[v] ⊔ temp
          if (new ≠ dfentry[v]) then
            dfentry[v] := new
            WL := WL ∪ {v}
5 Widening
- Accelerate the termination of chaotic iterations by computing a more conservative solution
- Can handle lattices of infinite height
6 Specialized Chaotic Iterations with ∇
    Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L))
      for each v in V to n do
        dfentry[v] := ⊥
      dfentry[s] := ι
      WL := {s}
      while (WL ≠ ∅) do
        select and remove an element u ∈ WL
        for each v such that (u, v) ∈ E do
          temp := f(e)(dfentry[u])
          new := dfentry[v] ∇ temp
          if (new ≠ dfentry[v]) then
            dfentry[v] := new
            WL := WL ∪ {v}
7 Example: Interval Analysis
- Find a lower and an upper bound of the value of a variable
- Usages?
- Lattice L = ((Z ∪ {-∞, ∞}) × (Z ∪ {-∞, ∞}), ⊑, ⊔, ⊓, ⊥, ⊤)
  - [a, b] ⊑ [c, d] if c ≤ a and d ≥ b
  - [a, b] ⊔ [c, d] = [min(a, c), max(b, d)]
  - [a, b] ⊓ [c, d] = [max(a, c), min(b, d)]
  - ⊥
  - ⊤
- Galois connection
8 Example Program: Interval Analysis
- [x := 1]¹; while [x ≤ 1000]² do [x := x + 1]³
    IntEntry(1) = [minint, maxint]             IntExit(1) = [1, 1]
    IntEntry(2) = IntExit(1) ⊔ IntExit(3)       IntExit(2) = IntEntry(2)
    IntEntry(3) = IntExit(2) ⊓ [minint, 1000]   IntExit(3) = IntEntry(3) + [1, 1]
    IntEntry(4) = IntExit(2) ⊓ [1001, maxint]   IntExit(4) = IntEntry(4)
9 Widening for Interval Analysis
- ⊥ ∇ [c, d] = [c, d]
- [a, b] ∇ [c, d] = [if a ≤ c then a else -∞, if b ≥ d then b else ∞]
10 Example Program: Interval Analysis
- [x := 1]¹; while [x ≤ 1000]² do [x := x + 1]³
    IntEntry(1) = [-∞, ∞]                                  IntExit(1) = [1, 1]
    IntEntry(2) = IntExit(2) ∇ (IntExit(1) ⊔ IntExit(3))   IntExit(2) = IntEntry(2)
    IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]                  IntExit(3) = IntEntry(3) + [1, 1]
    IntEntry(4) = IntExit(2) ⊓ [1001, ∞]                   IntExit(4) = IntEntry(4)
11 Requirements on Widening
- For all elements: l1 ⊔ l2 ⊑ l1 ∇ l2
- For all ascending chains l0 ⊑ l1 ⊑ l2 ⊑ ... the following sequence is finite:
  - y_0 = l_0
  - y_{i+1} = y_i ∇ l_{i+1}
- For a monotonic function f: L → L define
  - x_0 = ⊥
  - x_{i+1} = x_i ∇ f(x_i)
- Theorem
  - There exists k such that x_{k+1} = x_k
  - x_k ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l}
12 Narrowing
- Improve the result of widening
- y ⊑ x ⟹ y ⊑ (x Δ y) ⊑ x
- For all decreasing chains x0 ⊒ x1 ⊒ ... the following sequence is finite:
  - y_0 = x_0
  - y_{i+1} = y_i Δ x_{i+1}
- For a monotonic function f: L → L and x ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l} define
  - y_0 = x
  - y_{i+1} = y_i Δ f(y_i)
- Theorem
  - There exists k such that y_{k+1} = y_k
  - y_k ∈ Red(f) = {l | l ∈ L, f(l) ⊑ l}
13 Narrowing for Interval Analysis
- [a, b] Δ ⊥ = [a, b]
- [a, b] Δ [c, d] = [if a = -∞ then c else a, if b = ∞ then d else b]
14 Example Program: Interval Analysis
- [x := 1]¹; while [x ≤ 1000]² do [x := x + 1]³
    IntEntry(1) = [-∞, ∞]                                  IntExit(1) = [1, 1]
    IntEntry(2) = IntExit(2) Δ (IntExit(1) ⊔ IntExit(3))   IntExit(2) = IntEntry(2)
    IntEntry(3) = IntExit(2) ⊓ [-∞, 1000]                  IntExit(3) = IntEntry(3) + [1, 1]
    IntEntry(4) = IntExit(2) ⊓ [1001, ∞]                   IntExit(4) = IntEntry(4)
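As an added worked example (not code from the slides), the interval lattice of slide 7 with the widening and narrowing operators of slides 9 and 13, iterated over the equations of slides 8, 10 and 14 for the program [x := 1]¹; while [x ≤ 1000]² do [x := x + 1]³. Intervals are Python tuples, ⊥ is None, and the loop head is combined with `op` (∇ from an all-⊥ start, then Δ from the widened solution); the names `solve`, `add` and the state keys are my own. This is the bound information a checker needs to prove that a loop counter or array index stays in range.

```python
from math import inf

# Interval lattice from slide 7: ⊥ is None, [a, b] is the tuple (a, b) with a <= b.
BOT = None
TOP = (-inf, inf)

def join(a, b):  # [a,b] ⊔ [c,d] = [min(a,c), max(b,d)]
    if a is BOT: return b
    if b is BOT: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):  # [a,b] ⊓ [c,d] = [max(a,c), min(b,d)], ⊥ when empty
    if a is BOT or b is BOT: return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def widen(a, b):  # slide 9: ⊥ ∇ [c,d] = [c,d]; a bound that grew jumps to ±∞
    if a is BOT: return b
    if b is BOT: return a
    return (a[0] if a[0] <= b[0] else -inf, a[1] if a[1] >= b[1] else inf)

def narrow(a, b):  # slide 13: [a,b] Δ ⊥ = [a,b]; an infinite bound is refined by b
    if b is BOT: return a
    if a is BOT: return BOT  # assumption: Δ applied to ⊥ stays ⊥ (not stated on the slide)
    return (b[0] if a[0] == -inf else a[0], b[1] if a[1] == inf else a[1])

def add(a, b):  # abstract addition for x := x + 1: [a,b] + [c,d] = [a+c, b+d]
    if a is BOT or b is BOT: return BOT
    return (a[0] + b[0], a[1] + b[1])

def solve(op, state=None):
    """Chaotic iteration over the equations of slides 8/10/14; `op` (widen or
    narrow) combines the old and new values at the loop head IntEntry(2).
    Start from all-⊥ for widening, or from the widened solution for narrowing."""
    st = state or {"entry2": BOT, "exit3": BOT}
    while True:
        entry2 = op(st["entry2"], join((1, 1), st["exit3"]))  # IntExit(1) = [1,1]
        entry3 = meet(entry2, (-inf, 1000))  # loop body: x <= 1000 holds
        exit3 = add(entry3, (1, 1))          # x := x + 1
        entry4 = meet(entry2, (1001, inf))   # loop exit: x > 1000 holds
        new = {"entry2": entry2, "entry3": entry3, "exit3": exit3, "entry4": entry4}
        if new == st:
            return new
        st = new

if __name__ == "__main__":
    widened = solve(widen)             # loop head [1, ∞] after two widening steps
    narrowed = solve(narrow, widened)  # narrowing recovers [1, 1001]; exit is [1001, 1001]
    print(widened, narrowed)
```

Without widening the same equations need about a thousand rounds to reach [1, 1001]; with ∇ they stabilise in three, and one Δ pass removes the ∞ the widening introduced.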
15 Non-Monotonicity of Widening
16 Example Lattice: Octagon (Shaham00, Mine02)
- Inequalities between variables
- Constraint graph G(V, E, w)
  - V includes a vertex for every variable
  - Additional zero node
  - Weight function w: E → Z
- Constraints
  - x − y ≤ w(x, y)
- Lattice
- Abstraction
- Concretization
- Widening
- Relationships to intervals
17 Widening and Narrowing Summary
- Very simple but produces impressive precision
- Sometimes non-monotonic
  - The McCarthy 91 function
- Also useful in the finite case
- Can be used as a methodological tool
- But not uniformly accepted
    int f(x)                    [-∞, ∞]
      if x > 100 then           [101, ∞]
        return x - 10           [91, ∞]
      else                      [-∞, 100]
        return f(f(x + 11))     [91, 91]
18 Galois Insertions
- For
  - A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1, ⊥1, ⊤1)
  - A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2, ⊤2)
  - α: L1 → L2
  - γ: L2 → L1
- We say that (L1, α, γ, L2) is a Galois insertion if
  - α and γ are monotone
  - For all c ∈ L1: γ(α(c)) ⊒ c
  - For all a ∈ L2: α(γ(a)) = a
19 Galois Insertions
[Figure: a Galois insertion, relating an element l, its abstraction α(l), and the concretization γ(α(l))]
20 Upper Closure
- An operator op: P(Σ) → P(Σ) is an upper closure if
  - op is monotonic
  - op is inflationary, i.e., op(X) ⊇ X
  - op is idempotent, i.e., op(op(X)) = op(X)
- Every Galois connection (insertion) defines an upper closure on the concrete domain
21 Properties of Galois Connections
- α and γ uniquely determine each other
- Galois connections compose
- Abstraction is additive
- Concretization is multiplicative
- Abstraction is strict in ⊥
- Concretization is co-strict in ⊤
23 Combining Data Flow Analyses
- Develop new algorithms from old
  - If I know how to conservatively represent
    - Pointers
    - Integers
  - Do I know how to handle C programs with integers and pointers?
- Improve the precision of an analysis
- Obtain a more efficient analysis
24 Combining Data Flow Analyzers
- Lattice constructors
  - L1 × L2
  - S → L1
  -
- Galois connection constructors
- Constructing the abstract effect of elementary statements
  - Model the relevant parts of the program
  - Abstract irrelevant parts of the program
25 Galois Connections
- For
  - A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1, ⊥1, ⊤1)
  - A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2, ⊤2)
  - α: L1 → L2
  - γ: L2 → L1
- We say that (L1, α, γ, L2) is a Galois connection if
  - α and γ are monotone
  - For all c ∈ L1: γ(α(c)) ⊒ c
  - For all a ∈ L2: α(γ(a)) ⊑ a
26 Cartesian Products
- A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1, ⊥1, ⊤1)
- A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2, ⊤2)
- Define a poset L = (L1 × L2, ⊑) where
  - (x1, x2) ⊑ (y1, y2) if
    - x1 ⊑ y1 and
    - x2 ⊑ y2
- L is a complete lattice
- But what does an element in L represent?
27 Cartesian Products (cont)
- A complete lattice (L1, ⊑1) = (L1, ⊑, ⊔1, ⊓1, ⊥1, ⊤1)
- A complete lattice (L2, ⊑2) = (L2, ⊑, ⊔2, ⊓2, ⊥2, ⊤2)
- Complete lattice L = (L1 × L2, ⊑)
- A concrete lattice C (usually a powerset)
- A Galois connection (C, α1, γ1, L1)
- A Galois connection (C, α2, γ2, L2)
- Define α: C → L1 × L2 and γ: L1 × L2 → C?
- Example: Parity × Sign
28 Cartesian Products (cont)
- A Galois connection (C, α1, γ1, L1)
- A Galois connection (C, α2, γ2, L2)
- A Galois connection (C, α, γ, L1 × L2)
  - α(c) = ⟨α1(c), α2(c)⟩
  - γ(⟨a1, a2⟩) = γ1(a1) ⊓ γ2(a2)
- Define
  - ⟦st⟧#_{L1}: L1 → L1
  - ⟦st⟧#_{L2}: L2 → L2
- How to define ⟦st⟧#: L1 × L2 → L1 × L2?
  - Preserve soundness
  - Preserve relative optimality (induced)
- Example: Parity × Sign
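An added worked example (not code from the slides) of the Cartesian product of slides 27 and 28 for Parity × Sign: the concrete domain is P(U) for a constructed finite universe U of integers, α(c) = ⟨α1(c), α2(c)⟩ and γ(⟨a1, a2⟩) = γ1(a1) ⊓ γ2(a2), which in a powerset is intersection. It answers slide 26's "what does an element represent": ⟨odd, zero⟩ concretizes to ∅ although it is not ⊥, so the product is a Galois connection but not a Galois insertion, and α∘γ (named `reduce_pair` here, my own name) is the reduction that maps such pairs to their most precise equivalent.

```python
# Two flat lattices (⊥ < even, odd < ⊤ and ⊥ < neg, zero, pos < ⊤) and their
# Cartesian product, related to the concrete domain P(U) by a Galois connection.
U = frozenset(range(-8, 9))  # constructed finite universe of concrete integers
BOT, TOP = "bot", "top"

def flat_join(a, b):
    """Join in a flat lattice: ⊥ is the identity, two distinct atoms join to ⊤."""
    if a == BOT: return b
    if b == BOT: return a
    return a if a == b else TOP

def beta_parity(n): return "even" if n % 2 == 0 else "odd"
def beta_sign(n):   return "zero" if n == 0 else ("pos" if n > 0 else "neg")

def alpha_flat(beta, xs):  # α_i(X) = ⊔{β_i(c) | c ∈ X}: best abstraction of a set
    a = BOT
    for x in xs:
        a = flat_join(a, beta(x))
    return a

def gamma_flat(beta, a):  # γ_i(a): every concrete value whose β_i is a
    if a == BOT: return frozenset()
    if a == TOP: return U
    return frozenset(x for x in U if beta(x) == a)

def alpha(xs):  # slide 28: α(c) = ⟨α1(c), α2(c)⟩
    return (alpha_flat(beta_parity, xs), alpha_flat(beta_sign, xs))

def gamma(pair):  # slide 28: γ(⟨a1, a2⟩) = γ1(a1) ⊓ γ2(a2), intersection in P(U)
    return gamma_flat(beta_parity, pair[0]) & gamma_flat(beta_sign, pair[1])

def reduce_pair(pair):  # α∘γ: the most precise pair with the same concretization
    return alpha(gamma(pair))

def is_insertion():
    """True only if α(γ(a)) = a for every abstract pair (slide 18); here it is False,
    because ⟨odd, zero⟩ and ⟨bot, bot⟩ both concretize to the empty set."""
    atoms1 = [BOT, "even", "odd", TOP]
    atoms2 = [BOT, "neg", "zero", "pos", TOP]
    return all(reduce_pair((p, s)) == (p, s) for p in atoms1 for s in atoms2)
```

Reduction also sharpens information across the components: ⟨⊤, zero⟩ reduces to ⟨even, zero⟩, because the only concrete value with sign zero is even.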
29 Component-wise Combinations
- Combine several analyses into a single analysis
- Cartesian products (Direct product)
- Independent attribute method
- Relational attribute method
- Total function space
- Monotone function space
- Direct tensor product
30 Independent Attribute Method
- A Galois connection (C1, α1, γ1, L1)
- A Galois connection (C2, α2, γ2, L2)
- A Galois connection (C1 × C2, α, γ, L1 × L2)
  - α(⟨c1, c2⟩) = ⟨α1(c1), α2(c2)⟩
  - γ(⟨a1, a2⟩) = ⟨γ1(a1), γ2(a2)⟩
- Define
  - ⟦st⟧#_{L1}: L1 → L1
  - ⟦st⟧#_{L2}: L2 → L2
- How to define ⟦st⟧#: L1 × L2 → L1 × L2?
  - Preserve soundness
  - Preserve relative optimality (induced)
31 Relational Attribute Method
- A Galois connection (P(C1), α1, γ1, P(L1)) where β1: C1 → L1 and α1(X) = {β1(c) | c ∈ X}
- A Galois connection (P(C2), α2, γ2, P(L2)) where β2: C2 → L2 and α2(X) = {β2(c) | c ∈ X}
- A Galois connection (P(C1 × C2), α, γ, P(L1 × L2))
  - α(X) = {⟨β1(c1), β2(c2)⟩ | ⟨c1, c2⟩ ∈ X}
  - γ(⟨Y1, Y2⟩) = {⟨c1, c2⟩ | β1(c1) ∈ Y1 ∧ β2(c2) ∈ Y2}
- But how about transformers?
32 Conclusions (1)
- Good static analysis
  - Precise enough (for the client)
  - Efficient enough
- Good static analysis
  - Good domain
    - Abstract non-important details
    - Represent relevant concrete information
    - Precise and efficient abstract meaning of abstract interpreters
    - Efficient join implementation
    - Small height or widening
33 Conclusions (2)
- The theory of static analysis is well founded
  - Abstraction
  - Soundness
  - Chaotic iterations
  - Elimination methods
  - Modular methods
- Weak parts
  - Transformations
  - Predictable approximations
  - System