noam rinetzky lecture 9: abstract interpretation i

Program Analysis and Verification

0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html

Noam Rinetzky

Lecture 9: Abstract Interpretation I

Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html

We begin …• Mobiles

• Scribe

• Home assignment – next lesson

3

Previously

• Operational Semantics– Large step (Natural)– Small step (SOS)

• Denotational Semantics– aka mathematical semantics

• Axiomatic Semantics– aka Hoare Logic– aka axiomatic (manual) verification

How?

What?

Why?

From verification to analysis

• Manual program verification– Verifier provides assertions• Loop invariants

• Automatic program verification (P analysis)– Tool automatically synthesize assertions • Finds loop invariants

5

Manual proof for maxnums : arrayN : int{ N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k k<N } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 k<N }{ xN xN }{ x=N }

6

Manual proof for maxnums : arrayN : int{ N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k k<N } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 kN }{ xN xN }{ x=N }

7

Can we find this proof automatically?nums : arrayN : int{ N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k k<N } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 kN }{ xN xN }{ x=N }

Observation: predicates in proof have the general form

constraint

where constraint has the formX - Y c orX c

8

Zone Abstract Domain (Analysis)

• Developed by Antoine Minein his Ph.D. thesis

• Uses constraints of the formX - Y c and X c

• Built on top of Difference Bound Matrices (DBM) and shortest-path algorithms– O(n3) time– O(n2) space

9

Analysis with Zone abstract domainnums : arrayN : int { N0 } x := 0{ N0 x=0 }res := nums[0]{ N0 x=0 }Inv = { N0 0xN }while x < N { N0 0x<N } if nums[x] > res then { N0 0x<N } res := nums[x] { N0 0x<N } { N0 0x<N } x := x + 1 { N0 0<xN }{N0 0x x=N }

nums : arrayN : int { N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k kN } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 kN }{ xN xN }{ x=N }

Static Analysis with Zone Abstraction Manual Proof

10

Abstract Interpretation [Cousot’77]

• Mathematical foundation of static analysis

11

Abstract Interpretation [Cousot’77]

• Mathematical foundation of static analysis

– Abstract (semantic) domains (“abstract states”)– Transformer functions (“abstract steps”)– Chaotic iteration (“abstract computation”)

12

Abstract Interpretation [CC77]

• A very general mathematical framework for approximating semantics– Generalizes Hoare Logic– Generalizes weakest precondition calculus

• Allows designing sound static analysis algorithms– Usually compute by iterating to a fixed-point– Not specific to any programming language style

• Results of an abstract interpretation are (loop) invariants– Can be interpreted as axiomatic verification assertions and

used for verification

Abstract Interpretation by Example

14

Motivating Application: Optimization

• A compiler optimization is defined by a program transformation:

T : Prog Prog• The transformation is semantics-preserving:

sState. Ssos C s = Ssos T(C) s• The transformation is applied to the program

only if an enabling condition is met• We use static analysis for inferring enabling

conditions

15

Common Subexpression Elimination

• If we have two variable assignments x := a op b … y := a op band the values of x, a, and b have not changed between the assignments, rewrite the code as x = a op b … y := x

• Eliminates useless recalculation• Paves the way for more optimizations

– e.g., dead code elimination

op {+, -, *, ==, <=}

16

What do we need to prove?

{ true }C1

x := a op bC2

{ x = a op b }y := a op bC3

{ true }C1

x := a op bC2

{ x = a op b }y := xC3

CSE

17

Available Expressions Analysis

• A static analysis that infers for every program point a set of facts of the formAV = { x = y | x, y Var }

{ x = - y | x, y Var } { x = y op z | y, z Var, op {+, -, *, <=} }

• For every program with n=|Var| variables number of possible facts is finite: |AV|=O(n3)– Yields a trivial algorithm … but, is it efficient?

18

Which proof is more desirable?{ true }x := a + b{ x=a+b }z := a + c{ x=a+b }y := a + b...

{ true }x := a + b{ x=a+b }z := a + c{ z=a+c }y := a + b...

{ true }x := a + b{ x=a+b }z := a + c{ x=a+b z=a+c }y := a + b...

19

Which proof is more desirable?{ true }x := a + b{ x=a+b }z := a + c{ x=a+b }y := a + b...

{ true }x := a + b{ x=a+b }z := a + c{ z=a+c }y := a + b...

{ true }x := a + b{ x=a+b }z := a + c{ x=a+b z=a+c }y := a + b...

More detailed predicate =more optimization opportunities

x=a+b z=a+c x=a+b

x=a+b z=a+c z=a+c

Implication formalizes “more detailed” relation between predicates

20

Developing a theory of approximation

• Formulae are suitable for many analysis-based proofs but we may want to represent predicates in other ways:– Sets of “facts”– Automata– Linear (in)equalities– … ad-hoc representation

• Wanted: a uniform theory to represent semantic values and approximations

A Blast from the Past

• Recall denotational semantics– Pre-orders– Partial orders

• Complete partial orders CPO, • Pointed CPO• Lattices• Least upper bounds• Chains

– Monotonic functions– Fixpoints

Abstract Domains

• Mathematical foundations

23

Preorder

• We say that a binary order relation over a set D is a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’

• There may exist d, d’ such thatd d’ and d’ d yet d d’

24

Preorder example

• Simple Available Expressions• Define SAV = { x = y | x, y Var }

{ x = y + z | y, z Var }• For D=2SAV (sets of available expressions) define (for

two subsets A1, A2 D)

A1 imp A2 if and only if A1 A2

• A1 is “more detailed” if it implies all facts of A2

• Compare {x=y x=a+b} with {x=y y=a+b}– Which one should we choose?

Can we decide A1 imp A2 ?

25

The meaning of implication

• A predicate P represents the set of statesmodels(P) = { s | s P }

• P Q meansmodels(P) models(Q)

26

Partially ordered sets

• A partially ordered set (poset) is a pair (D , )– D is a set of elements – a (semantic) domain– is a partial order between pairs of elements

from D. That is : D D with the following properties, for all d, d’, d’’ in D• Reflexive: d d• Transitive: d d’ and d’ d’’ implies d d’’• Anti-symmetric: d d’ and d’ d implies d = d’

• Notation: if d d’ and d d’ we write d d’

Unique “most detailed” element

27

From preorders to partial orders

• We can transform a preorder into a poset by1. Coarsening the ordering

2. Switching to a canonical form by choosing a representative for the set of equivalent elementsd* for { d’ | d d’ and d’ d }

28

Coarsening for SAV

• For D=2SAV (sets of available expressions) define (for two subsets A1, A2 D)

A1 coarse A2 if and only if A1 A2

• Notice that if A1 A2 then A1 A2

• Compare {x=y x=a+b} with {x=y y=a+b}• How about {x=y x=a+b y=a+b} ?

29

Canonical form for SAV• For an available expressions element A define

Explicate(A) = minimal set B such that:1. A B2. x=y B implies y=x B3. x=y B and y=z B implies x=z B4. x=y+z B implies x=z+y B5. x=y B and x=z+w B implies y=z+w B6. x=y B and z=x+w B implies z=y+w B7. x=z+w B and y=z+w B implies x=y B

• Makes all implicit facts explicit

• Define A* = Explicate(A)• Define (for two subsets A1, A2 D)

A1 exp A2 if and only if A1* A2

*

• Lemma: A1 exp A2 if and only A1 imp A2

Therefore A1 imp A2 is decidable

30

Some posets-related terminology

• If x y we can say– x is lower than y – x is more precise than y – x is more concrete than y – x under-approximates y

– y is greater than x – y is less precise than x – y is more abstract than x – y over-approximates x

31

Visualizing ordering for SAV

{false}

{x=y y=z+a}* {x=y p=q}* {y=z+a p=q}*

{x=y}* {y=z+a}* {p=q}*

{true}Greater

Lower

D={x=y, y=x, p=q, q=p, y=z+a, y=a+z, z=y+z, x=z+a}

32

Pointed poset

• A poset (D, ) with a least element is called a pointed poset– For all dD we have that d

• The pointed poset is denoted by (D , , )• We can always transform a poset (D, ) into a

pointed poset by adding a special bottom element

(D {}, {d | dD}, )• Greatest element for SAV = {true = ?}• Least element for SAV = {false= ?}

33

Annotating conditions

{ P }if b then

{ b P }S1

{ Q1 }else

S2

{ Q2 }{ Q }Q approximates Q1 and Q2

We need a general way to approximate a set of semantic elements by a single semantic element

34

Join operator• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The join of X is defined as

– X = the least upper bound (LUB) of all elements in X if it exists– X = min{ b | forall xX we have that xb}– The supremum of the elements in X– A kind of abstract union (disjunction) operator

• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x

35

Meet operator• Assume a poset (D, )• Let X D be a subset of D (finite/infinite)• The meet of X is defined as

– X = the greatest lower bound (GLB) of all elements in X if it exists– X = max{ b | forall xX we have that bx}– The infimum of the elements in X– A kind of abstract intersection (conjunction) operator

• Properties of a join operator– Commutative: x y = y x– Associative: (x y) z = x (y z)– Idempotent: x x = x

36

Complete lattices

• A complete lattice (D, , , , , ) is• A set of elements D• A partial order x y• A join operator • A meet operator • A bottom element

= ?• A top element

= ?

37

Complete lattices

• A complete lattice (D, , , , , ) is• A set of elements D• A partial order x y• A join operator • A meet operator • A bottom element

= • A top element

= D

Transfer Functions

• Mathematical foundations

39

Towards an automatic proof• Goal: automatically compute an annotated program proving

as many facts of the formx = y + z as possible

• Decision 1: develop a forward-going proof• Decision 2: draw predicates from a finite set D

– “looking under the light of the lamp”– A compromise that simplifies problem by focusing attention –

possibly miss some facts that hold• Challenge 1: handle straight-line code• Challenge 2: handle conditions• Challenge 3: handle loops

40

Domain for SAV

• Define atomic facts (for SAV) as = { x = y | x, y Var } { x = y + z | x, y, z Var }– For n=|Var| number of atomic facts is O(n3)

• Define sav-predicates as = 2

• For D , Conj(D) = D– Conj({a=b, c=b+d, b=c}) = (a=b) (c=b+d) (b=c)

• Note:– Conj(D1 D2) = Conj(D1) Conj(D1)– Conj({}) true

41

Challenge 2: handling straight-line code

42

handling straight-line code: Goal

• Given a program of the formx1 := a1; … xn := an

• Find predicates P0, …, Pn such that1. {P0} x1 := a1 {P1} … {Pn-1} xn := an {Pn} is a proof• sp(xi := ai, Pi-1) Pi

2. Pi = Conj(Di) • Di is a set of simple (SAV) facts

43

Example

• Find a proof that satisfies both conditions

{ }x := a + b{ x=a+b }z := a + c{ x=a+b, z=a+c }b := a * c{ z=a+c }

44

Example

• Can we make this into an algorithm?


Frame

sp

cons

45

Algorithm for straight-line code• Goal: find predicates P0, …, Pn such that

1. {P0} x1 := a1 {P1} … {Pn-1} xn := an {Pn} is a proof That is: sp(xi := ai, Pi-1) Pi

2. Each Pi has the form Conj(Di) where Di is a set of simple (SAV) facts

• Idea: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)– We call F the abstract transformer for x:=a

• Initialize D0={}

• For each i: compute Di+1 = Conj(FSAV[xi := ai] Di)

• Finally Pi = Conj(Di)

46

Defining an SAV abstract transformer• Goal: define a function FSAV[x:=a] : s.t.

if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)

• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule

47




48




Is either a variable v or an addition expression v+w

{ x= } x:=a { }[kill-lhs]

{ y=x+w } x:=a { }[kill-rhs-1]

{ y=w+x } x:=a { }[kill-rhs-2]

{ } x:= { x= }[gen]

{ y=z+w } x:=a { y=z+w }[preserve]

49

SAV abstract transformer example

Is either a variable v or an addition expression v+w


{ x= } x:=a { }[kill-lhs]

{ y=x+w } x:=a { }[kill-rhs-1]

{ y=w+x } x:=a { }[kill-rhs-2]

{ } x:= { x= }[gen]

{ y=z+w } x:=a { y=z+w }[preserve]

50

Problem 1: large expressions

• Large expressions on the right hand sides of assignments are problematic– Can miss optimization opportunities– Require complex transformers

• Solution: transform code to normal form where right-hand sides have bounded size

Missed CSE opportunity

{ }x := a + b + c{ }y := a + b + c{ }

51

Solution: Simplify Prog. Lang.

• Main idea: simplify expressions by storing intermediate results in new temporary variables– Three-address code

• Number of variables in simplified statements 3

{ }x := a + b + c{ }y := a + b + c{ }

{ }i1 := a + b{ i1=a+b }x := i1 + c{ i1=a+b, x=i1+c }i2 := a + b{ i1=a+b, x=i1+c, i2=a+b }y := i2 + c{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }

52

Solution: Simplify Prog. Lang.

• Main idea: simplify expressions by storing intermediate results in new temporary variables– Three-address code

• Number of variables in simplified statements 3

{ }x := a + b + c{ }y := a + b + c{ }


Need to infer i1=i2

53

Problem 2: Transformer Precision

• Our transformer only infers syntactically available expressions – ones that appear in the code explicitly

• We want a transformer that looks deeper into the semantics of the predicates– Takes equalities into account


Need to infer i1=i2

54

Solution: Use Canonical Form• Idea: make as many implicit facts explicit by

– Using symmetry and transitivity of equality– Commutativity of addition– Meaning of equality – can substitute equal variables

• For P=Conj(D) let Explicate(D) = minimal set D* such that:1. D D*

2. x=y D* implies y=x D*

3. x=y D* y=z D* implies x=z D*

4. x=y+z D* implies x=z+y D*

5. x=y D* and x=z+w D* implies y=z+w D*

6. x=y D* and z=x+w D* implies z=y+w D*

7. x=z+w D* and y=z+w D* implies x=y D*

• Notice that Explicate(D) D– Explicate is a special case of a reduction operator

55

Sharpening the transformer• Define: F*[x:=a] = Explicate FSAV[x:=a]

{ }i1 := a + b{ i1=a+b, i1=b+a }x := i1 + c{ i1=a+b, i1=b+a, x=i1+c, x=c+i1 }i2 := a + b{ i1=a+b, i1=b+a, x=i1+c, x=c+i1, i2=a+b, i2=b+a, i1=i2, i2=i1, x=i2+c, x=c+i2, }y := i2 + c{ ... }

Since sets of facts and their conjunction are isomorphic we will use them interchangeably

56

An algorithm for annotating SLP

• Annotate(P, x:=a) = {P} x:=a F*[x:=a](P)

• Annotate(P, S1; S2) = {P} S1; {Q1} S2 {Q2

– Annotate(P, S1) = {P} S1 {Q1}

– Annotate(Q1, S2) = {Q1} S2 {Q2}

57

Challenge 2: handling conditions

58

handling conditions: Goal

• Annotate a programif b then S1 else S2 with predicates from

• Assumption 1: P is given(otherwise use true)

• Assumption 2: b is a simple binary expression e.g., x=y, xy, x<y (why?)

{ P }if b then

{ b P }S1

{ Q1 }else

{ b P }S2

{ Q2 }{ Q }

59

handling conditions: Goal

• Annotate a programif b then S1 else S2 with predicates from

• Assumption 1: P is given(otherwise use true)

• Assumption 2: b is a simple binary expression e.g., x=y, xy, x<y (why?)

{ P }if b then

{ b P }S1

{ Q1 }else

{ b P }S2

{ Q2 }{ Q }

60

Annotating conditions

1. Start with P or {b P} and annotate S1 (yielding Q1)

2. Start with P or {b P} andannotate S2 (yielding Q2)

3. How do we infer a Q such that Q1Q and Q2Q?

Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2

= Conj(D1 D2)

{ P }if b then

{ b P }S1

{ Q1 }else { b P }

S2

{ Q2 }{ Q }

Possibly an SAV-fact

Possibly an SAV-fact

61

Joining predicates

1. Start with P or {b P} and annotate S1 (yielding Q1)

2. Start with P or {b P} andannotate S2 (yielding Q2)

3. How do we infer a Q such that Q1Q and Q2Q?

Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2

= Conj(D1 D2)

{ P }if b then

{ b P }S1

{ Q1 }else { b P }

S2

{ Q2 }{ Q }The join operator for SAV

62

Joining predicates

• Q1=Conj(D1), Q2=Conj(D2)

• We want to soundly approximate Q1 Q2 in

• Define: Q = Q1 Q2

= Conj(D1 D2)

• Notice that Q1Q and Q2Qmeaning Q1 Q2 Q

63

Handling conditional expressions

• Let D be a set of facts and b be an expression• Goal: Elements in that soundly approximate– D bexpr – D bexpr

• Technique: Add statement assume bexpr assume bexpr, s sos s if B bexpr s = tt

• Find a function F[assume bexpr] : Conj(D) bexpr Conj(F[assume bexpr])

64


• F[assume bexpr] : such thatConj(D) bexpr Conj(F[assume bexpr])

• (bexpr) = if bexpr is an SAV-fact then {bexpr} else {}– Notice bexpr (bexpr)– Examples

• (y=z) = {y=z}• (y<z) = {}

• F[assume bexpr](D) = D (bexpr)

65

Example

{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }

66

Example

{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }

67

Recap

• We now have an algorithm for soundly annotating loop-free code

• Generates forward-going proofs• Algorithm operates on abstract syntax tree of

code– Handles straight-line code by applying F*

– Handles conditions by recursively annotating true and false branches and then intersecting their postconditions

68

An algorithm for conditions

• Annotate(P, if bexpr then S1 else S2) = {P} if bexpr then S1 else S2

Q1 Q2

– Annotate(P (bexpr), S1) = F[assume bexpr](P) S1 {Q1}

– Annotate(P (bexpr), S2)=F[assume bexpr](P) S2 {Q2}

71

Challenge 2: handling loops

72

handling loops: Goal

{ P }Inv = { N }while bexpr do { bexpr N } S { Q }{bexpr N }

73

handling loops: Goal

• Annotate a program while bexpr do S with predicates from – s.t. P N

• Main challenge: find N• Assumption 1: P is given

(otherwise use true)• Assumption 2: bexpr is a

simple binary expression


74

Example: annotate this program{ y=x+a, y=a+x, w=d, d=w }Inv = { y=x+a, y=a+x }while (x z) do { z=x+a, z=a+x, w=d, d=w } x := x + 1 { w=d, d=w

} y := x + a { y=x+a, y=a+x, w=d, d=w } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }

75

Example: annotate this program{ y=x+a, y=a+x, w=d, d=w }Inv = { y=x+a, y=a+x }while (x z) do { y=x+a, y=a+x } x := x + 1 { } y := x + a { y=x+a, y=a+x } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }

76

handling loops: Idea

• Idea: try to guess a loop invariant from a small number of loop unrollings– We know how to annotate S

(by induction)


77

k-loop unrolling

{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a }

…

{ P }Inv = { N }while (x z) do x := x + 1 y := x + a d := x + a

{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a }

78

k-loop unrolling

{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a, y=a+x }

…


{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x }

79

k-loop unrolling

The following must hold:P NQ1 NQ2 N…Qk N


…



80

k-loop unrolling

The following must hold:P NQ1 NQ2 N…Qk N…


…



We can compute the following sequence:N0 = P

N1 = N1 Q1

N2 = N1 Q2

…Nk = Nk-1 Qk

Observation 1: No need to explicitly unroll loop – we can reuse postcondition from unrolling k-1 for k

81

k-loop unrolling

The following must hold:P NQ1 NQ2 N…Qk N…


…



We can compute the following sequence:N0 = P

N1 = N1 Q1

N2 = N1 Q2

…Nk = Nk-1 Qk

Observation 2: Nk monotonically decreases set of facts.Question: does it stabilizes for some k?

82

Algorithm for annotating a loopAnnotate(P, while bexpr do S) = Initialize N’ := Nc := P

repeat let Annotate(P, if b then S else skip) be {Nc} if bexpr then S else skip {N’} Nc := Nc N’ until N’ = Nc

return {P} INV= N’ while bexpr do F[assume bexpr](N) Annotate(F[assume bexpr](N), S) F[assume bexpr](N)

83

A technical issue

• Unrolling loops is quite inconvenient and inefficient (but we can avoid it as we just saw)

• How do we handle more complex control-flow constructs, e.g., goto , break, exceptions…?

• Solution: model control-flow by labels and goto statements

• Would like a dedicated data structure to explicitly encode control flow in support of the analysis

• Solution: control-flow graphs (CFGs)

84

Intermediate language example

while (x z) do x := x + 1 y := x + a d := x + aa := b

label0: if x z goto label1 x := x + 1 y := x + a d := x + a goto label0

label1: a := b

Control-flow graph example

85

1 label0: if x z goto label1 x := x + 1 y := x + a d := x + a goto label0

label1: a := b

2345

78

6

label0:

if x z

x := x + 1

y := x + a

d := x + a

goto label0

label1:

a := b

1

2

3

4

5

6

7

8

line number

Control-flow graph example

86

1 label0: if x z goto label1 x := x + 1 y := x + a d := x + a goto label0

label1: a := b

2345

78

6

label0:

if x z

x := x + 1

y := x + a

d := x + a

goto label0

label1:

a := b

1

2

3

4

5

6

8

entry

exit

7

87

Control-flow graph

• Node are statements or labels• Special nodes for entry/exit• A edge from node v to node w means that after

executing the statement of v control passes to w– Conditions represented by splits and join node– Loops create cycles

• Can be generated from abstract syntax tree in linear time– Automatically taken care of by the front-end

• Usage: store analysis results in CFG nodes

88

CFG with Basic Blocks• Stores basic blocks in a single node• Extended blocks – maximal connected loop-

free subgraphs

if x z

x := x + 1y := x + ad := x + aa := b

2

3

8

entry

exit

45

96

An algorithm for annotating SLP

Annotate(P, S1; S2) = let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2}

97


• We want to soundly approximate D bexpr and D bexpr in

• Define an artificial statement assume bexpr assume bexpr, s sos s if B bexpr s = tt

• Define (bexpr) = if bexpr is factoid {bexpr} else {}

• Define F[assume bexpr](D) = D (bexpr)• Can sharpen

F*[assume bexpr] = Explicate FSAV[assume bexpr]

98

An algorithm for annotating conditions

let Pt = F*[assume bexpr] Plet Pf = F*[assume bexpr] Plet Annotate(Pt, S1) be {Pt} A1 {Q1}let Annotate(Pf, S2) be {Pf} A2 {Q2}return {P}

if bexpr then {Pt} A1 {Q1} else {Pf} A2 {Q2} {Q1 Q2}

99

Algorithm for annotating loopsAnnotate(P, while bexpr do S) = N’ := Nc := P // Initialize repeat let Pt = F[assume bexpr] Nc

let Annotate(Pt, S) be {Nc} Abody {N’} Nc := Nc N’

until N’ = Nc

return {P} INV= {N’} while bexpr do {Pt} Abody

{F[assume bexpr](N)}

100

Algorithm for annotating a programAnnotate(P, S) = case S is x:=aexpr return {P} x:=aexpr {F*[x:=aexpr] P} case S is S1; S2

let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2} case S is if bexpr then S1 else S2

let Pt = F[assume bexpr] P let Pf = F[assume bexpr] P let Annotate(Pt, S1) be {Pt} A1 {Q1} let Annotate(Pf, S2) be {Pf} A2 {Q2} return {P} if bexpr then {Pt} A1 {Q1}

else {Pf} A2 {Q2} {Q1 Q2}

case S is while bexpr do S N’ := Nc := P // Initialize repeat

let Pt = F[assume bexpr] Nc

let Annotate(Pt, S) be {Nc} Abody {N’} Nc := Nc N’

until N’ = Nc return {P} INV= {N’} while bexpr do {Pt} Abody {F[assume bexpr](N)}

101

Exercise: apply algorithm

{ }y := a+b{ }x := y{ } while (xz) do { } w := a+b { } x := a+b { } a := z { }

102

Step 1/18

{}y := a+b{ y=a+b }*x := ywhile (xz) do w := a+b x := a+b a := z

Not all factoids are shown – apply Explicate to get all factoids

103

Step 2/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*while (xz) do w := a+b x := a+b a := z

104

Step 3/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do w := a+b x := a+b a := z

105

Step 4/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b x := a+b a := z

106

Step 5/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b a := z

107

Step 6/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z

108

Step 7/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

109

Step 8/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

110

Step 9/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

111

Step 10/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*

112

Step 11/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=y, w=x, x=y, a=z }*

113

Step 12/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

114

Step 13/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

115

Step 14/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { } w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

116

Step 15/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*

117

Step 16/18


118

Step 17/18


119

Step 18/18

{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv = { }while (xz) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*{ x=z }

Another Example

121

Constant Propagation

• Optimization: constant folding

– Example: x:=7; y:=x*9transformed to: x:=7; y:=7*9and then to: x:=7; y:=63

• Analysis: constant propagation (CP)– Infers facts of the form x=c

{ x=c }y := aexpr y := eval(aexpr[c/x])

constantfolding

simplifies constant expressions

122

CP semantic domain

?

123

CP semantic domain

• Define CP-factoids: = { x = c | x Var, c Z }– How many factoids are there?

• Define predicates as = 2

– How many predicates are there?– Do all predicates make sense? (x=5) (x=7)

• Treat conjunctive formulas as sets of factoids{x=5, y=7} ~ (x=5) (y=7)

124

CP abstract transformer• Goal: define a function

FCP[x:=aexpr] : such thatif FCP[x:=aexpr] P = P’ then sp(x:=aexpr, P) P’

?

125

CP abstract transformer• Goal: define a function

FCP[x:=aexpr] : such thatif FCP[x:=aexpr] P = P’ then sp(x:=aexpr, P) P’

{ x=c } x:=aexpr { }[kill]

{ y=c, z=c’ } x:=y op z { x=c op c’ }[gen-2]

{ } x:=c { x=c }[gen-1]

{ y=c } x:=aexpr { y=c }[preserve]

126

Gen-kill formulation of transformers

• Suited for analysis propagating sets of factoids– Available expressions,– Constant propagation, etc.

• For each statement, define a set of killed factoids and a set of generated factoids

F[S] P = (P \ kill(S)) gen(S)• FCP[x:=aexpr] P = (P \ {x=c}) aexpr is not a constant• FCP[x:=k] P = (P \ {x=c}) {x=k}

• Used in dataflow analysis – a special case of abstract interpretation

127

Does this still work?

Annotate(P, S1; S2) = let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2}

128


• We want to soundly approximate D bexpr and D bexpr in

• Define an artificial statement assume bexpr assume bexpr, s sos s if B bexpr s = tt

• Define (bexpr) = if bexpr is CP-factoid {bexpr} else {}

• Define F[assume bexpr](D) = D (bexpr)

129


let Pt = F[assume bexpr] Plet Pf = F[assume bexpr] Plet Annotate(Pt, S1) be {Pt} A1 {Q1}let Annotate(Pf, S2) be {Pf} A2 {Q2}return {P}

if bexpr then {Pt} A1 {Q1} else {Pf} A2 {Q2} {Q1 Q2}

How do we define join for CP?

130

Join example

• {x=5, y=7} {x=3, y=7, z=9} =

131


• What about correctness?• What about termination?

Annotate(P, while bexpr do S) = N’ := Nc := P // Initialize repeat let Pt = F[assume bexpr] Nc

let Annotate(Pt, S) be {Nc} Abody {N’} Nc := Nc N’ until N’ = Nc return {P} INV= {N’} while bexpr do {Pt} Abody {F[assume bexpr](N)}

132


• What about correctness?– If loop terminates then is N’ a loop invariant?

• What about termination?



133

A termination principle

• g : X X is a function• How can we determine whether the sequence

x0, x1 = g(x0), …, xk+1=g(xk),… stabilizes?• Technique:

1. Find ranking function rank : X N(that is show that rank(x) 0 for all x)

2. Show that if xg(x)then rank(g(x)) < rank(x)

134

Rank function for available expressions

• rank(P) = ?

135

Rank function for available expressions

• rank(P) = |P|number of factoids

• Prove that either Nc = Nc N’or rank(Nc N’) <? rank(Nc)



136

Rank function for constant propagation

• rank(P) = ?

• Prove that either Nc = Nc N’or rank(Nc) >? rank(Nc N’)



137

Rank function for constant propagation

• rank(P) = |P|number of factoids

• Prove that either Nc = Nc N’or rank(Nc) >? rank(Nc N’)



138

What were the common elements?• Two static analyses

– Available Expressions (extended with equalities)– Constant Propagation

• Semantic domain– An approximation relation

• A weaker one given by set inclusion– Join operator

• Abstract transformers for basic statements– Assignments– assume statements

• Initial precondition

Orders (Reminder)

140

Preorder

• Let D be a set of elements• We say that a binary order relation over D is

a preorder if the following conditions hold for every d, d’, d’’ D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’

• There may exist d, d’ such thatd d’ and d’ d yet d d’

141

Preorder examples

• SAV-predicates– SAV-factoids

= { x = y | x, y Var } { x = y + z | x, y, z Var }– SAV-predicates = 2

– Order relation 1: P1 set P2 iff P1 P2

– Order relation 2: P1 imp P2 iff P1 P2

– Which order relation is stronger(contains more pairs)?

– Which order relation is easier to check?

142

SAV preorder 1: P1 set P2 iff P1 P2

{x=y} {x=x+x} {y=y+y}

{}

{y=x} {y=x+y} {y=y+x} {x=x+y} {x=y+x}

{x=y, y=x} {x=y, x=x+x} {x=x+y, x=y+x}…

{x=y, x=x+x, x=x+y} {x=y, x=x+x, x=x+y}…

{x=y, y=x, x=x+x, y=y+y, y=x+y, y=y+x, x=x+y, x=y+x}

Var = {x, y}

143

Preorder examples

• CP-predicates– CP-factoids

= { x = c | x Var, c Z }– CP-predicates = 2



– Is there a difference?

144

Preorder examples

• CP-predicates– CP-factoids

= { x = c | x Var, c Z }– CP-predicates = 2



– Is there a difference?• {x=5, x=7, x=9} {x=5, x=7}• {x=5, x=7, x=9} {x=5, x=7}• {x=5, x=7} {x=5, x=7, x=9}

145

CP preorder example

{x=-3} {x=-1} {x=0}

{}

{x=-2} {x=1} {x=2} {x=3}… …

Var = {x}

146

CP preorder example

{x=-3} {x=3} {y=-5}

{}

{x=0} {y=0} {y=36}… …

{x=-3, y=-5} {x=0, y=0} {x=3, y=36}

…

Var = {x, y}

147

The problem with preorders

• Equivalent elements have different representations– {x=y, x=a+b} S– {x=y, y=a+b} S

• Leads to unpredictability• Which result should our static analysis give?

148

The problem with preorders

• Equivalent elements have different representations– {x=y, x=a+b} assert y==a+b– {x=y, y=a+b} assert y==a+b


149

The problem with preorders• Equivalent elements have different

representations– {x=y, x=a+b} assert x==a+b– {x=y, y=a+b} assert x==a+b


In practice many static analyses use preorders

150

Partially ordered sets (partial orders)

• A partially ordered set (Poset) is a pair (D , )• D is a set of elements – a semantic domain• is a partial order between pairs of elements

from D. That is : D D with the following properties, for all d, d’, d’’ in D– Reflexive: d d– Transitive: d d’ and d’ d’’ implies d d’’– Anti-symmetric: d d’ and d’ d implies d = d’

• If d d’ and d d’ we write d d’

151

SAV partial order• SAV-predicates

– SAV-factoids = { x = y | x, y Var } { x = y + z | x, y, z Var }

– SAV-predicates = 2

• Order relation 1: P1 set P2 iff P1 P2

Is this a partial order?• Order relation 2: P1 imp P2 iff P1 P2

that is models(P1) models(P2)Is this a partial order?

• Order relation 3: P1 set* P2 iff Explicate(P1) set Explicate(P2)Is this a partial order?

noam rinetzky lecture 9: abstract interpretation i

Documents

verification program

loop invariants manual

mobiles scribe home

roman manevich

eran yahavwe

mooly sagiv

rinetzky lecture