Program Analysis: Last Lesson
Mooly Sagiv
Goals

– Show the significance of set constraints for CFA of Object Oriented Programs
– Sketch advanced techniques
– Summarize the course
– Get some feedback
A Motivating Example

  class Vehicle extends Object {
    int position = 10;
    void move(x1 : int) { position = position + x1; }
  }
  class Car extends Vehicle {
    int passengers;
    void await(v : Vehicle) {
      if (v.position < position) then v.move(position - v.position);
      else self.move(10);
    }
  }
  class Truck extends Vehicle {
    void move(x2 : int) { if (x2 < 55) position = position + x2; }
  }
  void main {
    Car c; Truck t; Vehicle v1;
    new c; new t; v1 := c;
    c.passengers := 2;
    c.move(60);
    v1.move(70);
    c.await(t);
  }
A Motivating Example (each variable annotated with the classes it may hold)

  class Vehicle extends Object {
    int position = 10;
    void move(x1 : int) { position = position + x1; }
  }
  class Car extends Vehicle {
    int passengers;
    void await(v {Truck} : Vehicle) {
      if (v {Truck}.position < position) then v {Truck}.move(position - v.position);
      else self {Car}.move(10);
    }
  }
  class Truck extends Vehicle {
    void move(x2 : int) { if (x2 < 55) position = position + x2; }
  }
  void main {
    Car c; Truck t; Vehicle v1;
    new c {Car}; new t {Truck}; v1 {Car} := c {Car};
    c {Car}.passengers := 2;
    c {Car}.move(60);
    v1 {Car}.move(70);
    c {Car}.await(t {Truck});
  }
Flow Insensitive Class Analysis

– Determine the set of potential classes of every variable at every program point
– Compute a mapping from variables into a set of class names
– Combine values of variables at different points
– Generate a set of constraints for every statement
– Find a minimal solution
A Motivating Example (the parameter of await renamed v1, the local of main renamed v2)

  class Vehicle extends Object {
    int position = 10;
    void move(x1 : int) { position = position + x1; }
  }
  class Car extends Vehicle {
    int passengers;
    void await(v1 : Vehicle) {
      if (v1.position < position) then v1.move(position - v1.position);
      else self.move(10);
    }
  }
  class Truck extends Vehicle {
    void move(x2 : int) { if (x2 < 55) position = position + x2; }
  }
  void main {
    Car c; Truck t; Vehicle v2;
    new c; new t; v2 := c;
    c.passengers := 2;
    c.move(60);
    v2.move(70);
    c.await(t);
  }

Constraints generated (one per statement):
  {Car} ⊆ (c)        from new c
  {Truck} ⊆ (t)      from new t
  (c) ⊆ (v2)         from v2 := c
  (t) ⊆ (v1)         from c.await(t), the actual t flowing into the formal v1
Class Analysis Summary

– Resolve called function
– Can also perform type inference and checking
– Can be used to warn against programmer errors at compile-time
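As an added example (not the lecture's own code), the flow-insensitive class analysis of the motivating example above: the constraints from the slides are solved to their least solution, and the result is used to resolve the called function at each move call; the name self@await for the receiver inside await is my own choice.

```python
# Flow-insensitive class analysis by set constraints.  The class hierarchy
# and the program are the ones on the slides; the encoding is mine.
SUPER = {"Vehicle": None, "Car": "Vehicle", "Truck": "Vehicle"}
METHODS = {"Vehicle": {"move"}, "Car": {"await"}, "Truck": {"move"}}

# One constraint per statement: (lhs, rhs) means lhs ⊆ (rhs).
# lhs is a constant set of class names (from `new`) or a variable name
# (from an assignment or a parameter passing); rhs is always a variable.
CONSTRAINTS = [
    (frozenset({"Car"}), "c"),     # new c
    (frozenset({"Truck"}), "t"),   # new t
    ("c", "v2"),                   # v2 := c
    ("t", "v1"),                   # c.await(t): actual t flows into formal v1
    ("c", "self@await"),           # receiver of await flows into self
]

def least_solution(constraints):
    """Iterate to the least fixpoint: every variable starts at the empty set
    and only grows, so the result is the minimal solution."""
    sol = {}
    for lhs, rhs in constraints:
        sol.setdefault(rhs, set())
        if isinstance(lhs, str):
            sol.setdefault(lhs, set())
    changed = True
    while changed:
        changed = False
        for lhs, rhs in constraints:
            src = lhs if isinstance(lhs, frozenset) else sol[lhs]
            if not src <= sol[rhs]:
                sol[rhs] |= src
                changed = True
    return sol

def lookup(cls, method):
    """Dynamic dispatch: walk up the hierarchy to the defining class."""
    while cls is not None:
        if method in METHODS[cls]:
            return f"{cls}.{method}"
        cls = SUPER[cls]
    raise KeyError(method)

def resolve(sol, var, method):
    """Set of functions a call var.method(...) may invoke."""
    return {lookup(cls, method) for cls in sol[var]}
```

With this solution v2.move(70) resolves to Vehicle.move only and v1.move inside await to Truck.move only, so both calls are statically resolved.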
Set Constraints Summary

– Can be used to generate a flow sensitive solution
– Can also handle sets of "terms"
  – Finite set of constructors C = {b, c, …}
  – Finite set of variables
  – Set expressions E ::= ∅ | variable | E1 ∪ E2 | E1 ∩ E2 | c(E1, E2, …, Ek) | c^-i(E)
  – Finite set of inequalities E1 ⊆ E2
  – Find the least solution (or a symbolic representation)
Advanced Abstract Interpretation Techniques

– Origin [Cousot&Cousot POPL 1979]
– Download from the course homepage
– Widening & Narrowing
– Combining dataflow analysis problems
– Semantic reductions
– ...
Widening

– Accelerate the termination of Chaotic iterations by computing a more conservative solution
– Can handle lattices of infinite heights
Example: Interval Analysis

– Find a lower and an upper bound of the value of a variable
– Lattice L = (Z × Z, ⊑, ⊔, ⊓, ⊥, ⊤)
  – [a, b] ⊑ [c, d] if c ≤ a and d ≥ b
  – [a, b] ⊔ [c, d] = [min(a, c), max(b, d)]
  – [a, b] ⊓ [c, d] = [max(a, c), min(b, d)]
– Program: x := 1; while x ≤ 1000 do x := x + 1;
Widening for Interval Analysis

  ⊥ ∇ [c, d] = [c, d]
  [a, b] ∇ [c, d] = [ if a ≤ c then a else if 0 ≤ c then 0 else minint,
                      if b ≥ d then b else if d ≤ 0 then 0 else maxint ]
Chaotic Iterations (forward problems, with widening)

  for l ∈ Lab* do
    DFentry(l) := ⊥
    DFexit(l) := ⊥
  DFentry(init(S*)) := ι
  WL := Lab*
  while WL ≠ ∅ do
    select and remove an arbitrary l ∈ WL
    temp := f_l(DFentry(l))
    if (temp ≠ DFexit(l))
      DFexit(l) := DFexit(l) ∇ temp
      for l' such that (l, l') ∈ flow(S*) do
        DFentry(l') := DFentry(l') ⊔ DFexit(l)
        WL := WL ∪ {l'}
Example

  [x := 1]1;
  while [x ≤ 1000]2 do [x := x + 1]3;
Requirements on Widening

– For all elements l1, l2: l1 ⊔ l2 ⊑ l1 ∇ l2
– For all ascending chains l0 ⊑ l1 ⊑ l2 ⊑ … the following sequence is finite (it eventually stabilizes)
  – y0 = l0
  – y_{i+1} = y_i ∇ l_{i+1}
Narrowing

– Improve the result of widening

Example

  [x := 1]1;
  while [x ≤ 1000]2 do [x := x + 1]3;
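An added example, not the lecture's code: interval analysis of the labelled program above with the slide's widening operator, the chaotic-iteration scheme, and a narrowing phase. It assumes the loop guard is x ≤ 1000 and uses the standard interval narrowing (refine only infinite bounds), which the slides do not spell out.

```python
# Interval analysis of  [x := 1]1; while [x <= 1000]2 do [x := x + 1]3
# Intervals are (lo, hi) pairs with float infinities for minint/maxint;
# BOT (None) is the empty interval.
INF = float("inf")
BOT = None

def join(i, j):                       # [a,b] ⊔ [c,d] = [min(a,c), max(b,d)]
    if i is BOT: return j
    if j is BOT: return i
    return (min(i[0], j[0]), max(i[1], j[1]))

def meet(i, j):                       # [a,b] ⊓ [c,d] = [max(a,c), min(b,d)]
    if i is BOT or j is BOT: return BOT
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else BOT

def widen(i, j):                      # the slide's ∇: a growing bound jumps to 0 or ±inf
    if i is BOT: return j
    if j is BOT: return i
    (a, b), (c, d) = i, j
    lo = a if a <= c else (0 if 0 <= c else -INF)
    hi = b if b >= d else (0 if d <= 0 else INF)
    return (lo, hi)

def narrow(i, j):                     # standard narrowing (assumption): only refine infinite bounds
    if i is BOT or j is BOT: return BOT
    (a, b), (c, d) = i, j
    return (c if a == -INF else a, d if b == INF else b)

def body(head):                       # label 2 (true branch of x <= 1000), then label 3
    inside = meet(head, (-INF, 1000))
    return BOT if inside is BOT else (inside[0] + 1, inside[1] + 1)

def analyse():
    """Return (loop-head interval, loop-exit interval, widening trace)."""
    exit1 = (1, 1)                    # DFexit of [x := 1]1
    head, trace = BOT, []             # DFentry of [x <= 1000]2
    while True:                       # chaotic iteration with widening at the loop head
        new = widen(head, join(exit1, body(head)))
        trace.append(new)
        if new == head: break
        head = new
    while True:                       # narrowing phase: recover the lost upper bound
        new = narrow(head, join(exit1, body(head)))
        if new == head: break
        head = new
    loop_exit = meet(head, (1001, INF))   # false branch of x <= 1000
    return head, loop_exit, trace
```

The trace shows the widening jump [1, 1] → [1, +inf] after one loop iteration, and narrowing then brings the head back to [1, 1001], so the analysis proves x = 1001 at loop exit.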
Widening and Narrowing Summary

– Very simple but produces impressive precision
– The McCarthy 91 function:

    int f(x)
      if x > 100 then return x - 10
      else return f(f(x + 11))

– Also useful in the finite case
– Can be used as a methodological tool
– But not widely accepted
Combining dataflow analysis problems

– How to combine different analyses
– The result can be more precise than both!
– On some programs more efficient too
– Many possible ways to combine (4.4)
– A simple example: sign+parity analysis of

    x := x - 1
Cartesian Products

Analysis 1
  – Lattice (L1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
  – Galois connection α1: P(States) → L1, γ1: L1 → P(States)
  – Transfer functions op1: L1 → L1

Analysis 2
  – Lattice (L2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
  – Galois connection α2: P(States) → L2, γ2: L2 → P(States)
  – Transfer functions op2: L2 → L2

Combined Analysis
  – L = (L1 × L2, ⊑) where (l1, l2) ⊑ (u1, u2) if l1 ⊑1 u1 and l2 ⊑2 u2
  – Galois connection
  – Transfer functions
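An added example, not the lecture's code: the sign+parity Cartesian product applied to the statement x := x - 1 from the slides. Sign and parity are represented as powerset lattices (my choice of representation), the combined transfer function is componentwise, and a semantic reduction step shows how the combination becomes more precise than either analysis on its own.

```python
# Cartesian product of a sign analysis and a parity analysis for x := x - 1.
# Both component lattices are powersets: bot is the empty set, top is the
# full set, order is subset inclusion, so the product order is componentwise.
SIGNS = frozenset({"-", "0", "+"})
PARITIES = frozenset({"even", "odd"})

def sign_dec(s):
    """Analysis 1 transfer function for x := x - 1 on a set of signs."""
    step = {"-": {"-"}, "0": {"-"}, "+": {"0", "+"}}
    return frozenset().union(*(step[v] for v in s))

def parity_dec(p):
    """Analysis 2 transfer function: subtracting one flips parity."""
    return frozenset({"odd" if v == "even" else "even" for v in p})

def product_dec(l):
    """Combined transfer function: each component runs independently."""
    s, p = l
    return (sign_dec(s), parity_dec(p))

def reduce(l):
    """Semantic reduction: zero is even, so a pair that can only describe
    'x = 0 and x odd' denotes no state and collapses to bot."""
    s, p = l
    if p == {"odd"}:
        s = s - {"0"}
    if s == {"0"}:
        p = p & {"even"}
    if not s or not p:
        return (frozenset(), frozenset())
    return (s, p)
```

Starting from x positive and even, the plain product only concludes x ≥ 0 after the decrement, while the reduced product recovers x > 0, which neither analysis alone can establish.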
Course Summary

Techniques Studied
  – Operational Semantics
  – Dataflow Analysis and Monotone Frameworks (Imperative Programs)
  – Control Flow Analysis and Set Constraints (Functional Programs)

Techniques Sketched
  – Abstract interpretation
  – Interprocedural Analysis
  – Type and effect systems

Not Covered
  – Efficient algorithms
  – Applications in compilers
  – Logic programming
Course Summary

– Able to understand advanced static analysis techniques
– Find faults in existing algorithms
– Be able to develop new algorithms
– Gain a better understanding of programming languages
  – Functional vs. Imperative
  – Operational Semantics

Feedback