Iterative Program Analysis

Iterative Program Analysis. Mooly Sagiv, http://www.cs.tau.ac.il/~msagiv/courses/pa.html, Tel Aviv University, 640-6706. Textbook: Principles of Program Analysis.

1
Iterative Program Analysis
  • Mooly Sagiv
  • http://www.cs.tau.ac.il/~msagiv/courses/pa.html
  • Tel Aviv University
  • 640-6706
  • Textbook: Principles of Program Analysis
  • Chapter 2.1 6 (modified)
  • Appendix A

2
Outline
  • A gentle introduction: constant propagation
  • Mathematical background
  • Chaotic iterations
  • Abstract interpretation
  • More examples
  • Kill/Gen Problems
  • Garbage variables
  • Pointer analysis
  • Stack
  • Heap (later)

3
A Simple Example Program
z := 3
x := 1
while (x > 0) (
  if (x = 1) then y := 7
  else y := z + 4
  x := 3
  print y
)
9
Computing Constants
  • Construct a control flow graph (CFG)
  • Associate transfer functions with control flow
    graph edges
  • Iterate until a solution is found
  • The solution is unique
  • But order of evaluation may affect the number of
    iterations

10
Constructing CFG
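z := 3
x := 1
while (x > 0) (
  if (x = 1) then y := 7
  else y := z + 4
  x := 3
  print y
)
[Figure: control flow graph with one node per statement: z := 3, x := 1, while (x > 0), if (x = 1), y := 7, y := z + 4, x := 3, print y]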
11
Associating Transfer Functions
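[Figure: the CFG with a transfer function on each edge]
  • z := 3: λe. e[z ↦ 3]
  • x := 1: λe. e[x ↦ 1]
  • while (x > 0), loop taken: λe. if x > 0 then e else ⊥
  • while (x > 0), loop exit: λe. if x ≤ 0 then e else ⊥
  • if (x = 1), then branch: λe. e ⊓ [x ↦ 1, y ↦ ⊤, z ↦ ⊤]
  • if (x = 1), else branch: a guard λe. if … then e else ⊥
  • y := 7: λe. e[y ↦ 7]
  • y := z + 4: λe. e[y ↦ e(z) + 4]
  • x := 3: λe. e[x ↦ 3]
  • print y: λe. e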
12-24
Iterative Computation
[Figure sequence: the annotated CFG, with the value at each node filled in one step per slide. Starting from [x ↦ 0, y ↦ 0, z ↦ 0] at the entry and ⊥ elsewhere, the first pass yields [x ↦ 0, y ↦ 0, z ↦ 3], [x ↦ 1, y ↦ 0, z ↦ 3], [x ↦ 1, y ↦ 7, z ↦ 3] and [x ↦ 3, y ↦ 7, z ↦ 3]; the back edge then raises x to ⊤ at the loop head and the change is propagated forward.]
25
Order of evaluation
  • The solution is unique
  • Different orders may converge faster
  • Example order: Depth First Order

26
Mathematical Background
  • Declaratively define
  • The result of the analysis
  • The exact solution
  • Allow comparison
  • Prove that the algorithm is sound by proving that
    the handling of atomic statements is sound

27
Posets
  • A partial ordering is a binary relation ⊑ : L × L → {false, true}
  • For all l ∈ L: l ⊑ l (Reflexive)
  • For all l1, l2, l3 ∈ L: l1 ⊑ l2, l2 ⊑ l3 ⇒ l1 ⊑ l3 (Transitive)
  • For all l1, l2 ∈ L: l1 ⊑ l2, l2 ⊑ l1 ⇒ l1 = l2
    (Anti-Symmetric)
  • Denoted by (L, ⊑)
  • In program analysis
  • l1 ⊑ l2 ⇔ l1 is more precise than l2 ⇔ l1
    represents fewer concrete states than l2

28
Example Posets
  • Total orders (N, ≤)
  • Powersets (P(S), ⊆)
  • Powersets (P(S), ⊇)
  • Constant propagation

29
Posets
  • More notations
  • l1 ⊒ l2 ⇔ l2 ⊑ l1
  • l1 ⊏ l2 ⇔ l1 ⊑ l2 ∧ l1 ≠ l2
  • l1 ⊐ l2 ⇔ l2 ⊏ l1

30
Upper and Lower Bounds
  • Consider a poset (L, ⊑)
  • A subset L' ⊆ L has a lower bound l ∈ L if for
    all l' ∈ L': l ⊑ l'
  • A subset L' ⊆ L has an upper bound u ∈ L if for
    all l' ∈ L': l' ⊑ u
  • A greatest lower bound of a subset L' ⊆ L is a
    lower bound l0 ∈ L such that l ⊑ l0 for any
    lower bound l of L'
  • A lowest upper bound of a subset L' ⊆ L is an
    upper bound u0 ∈ L such that u0 ⊑ u for any
    upper bound u of L'
  • For every subset L' ⊆ L
  • The greatest lower bound of L' is unique if it
    exists at all
  • ⊓L' (meet), a ⊓ b = ⊓{a, b}
  • The lowest upper bound of L' is unique if it
    exists at all
  • ⊔L' (join), a ⊔ b = ⊔{a, b}

31
Complete Lattices
  • A poset (L, ⊑) is a complete lattice if every
    subset has greatest lower and least upper bounds
  • L = (L, ⊑) = (L, ⊑, ⊔, ⊓, ⊥, ⊤)
  • ⊥ = ⊔∅ = ⊓L
  • ⊤ = ⊔L = ⊓∅
  • Examples
  • Total orders (N, ≤)
  • Powersets (P(S), ⊆)
  • Powersets (P(S), ⊇)
  • Constant propagation

32
Complete Lattices
  • Lemma: For every poset (L, ⊑) the following
    conditions are equivalent
  • L is a complete lattice
  • Every subset of L has a least upper bound
  • Every subset of L has a greatest lower bound

33
Cartesian Products
  • A complete lattice (L1, ⊑1) = (L1, ⊑1, ⊔1, ⊓1,
    ⊥1, ⊤1)
  • A complete lattice (L2, ⊑2) = (L2, ⊑2, ⊔2, ⊓2,
    ⊥2, ⊤2)
  • Define a poset L = (L1 × L2, ⊑) where
  • (x1, x2) ⊑ (y1, y2) if
  • x1 ⊑1 y1 and
  • x2 ⊑2 y2
  • L is a complete lattice

34
Finite Maps
  • A complete lattice (L1, ⊑1) = (L1, ⊑1, ⊔1, ⊓1,
    ⊥1, ⊤1)
  • A finite set V
  • Define a poset L = (V → L1, ⊑) where
  • e1 ⊑ e2 if for all v ∈ V
  • e1 v ⊑1 e2 v
  • L is a complete lattice

35
Chains
  • A subset Y ⊆ L in a poset (L, ⊑) is a chain if
    every two elements in Y are ordered
  • For all l1, l2 ∈ Y: l1 ⊑ l2 or l2 ⊑ l1
  • An ascending chain is a sequence of values
  • l1 ⊑ l2 ⊑ l3 ⊑ …
  • A strictly ascending chain is a sequence of
    values
  • l1 ⊏ l2 ⊏ l3 ⊏ …
  • A descending chain is a sequence of values
  • l1 ⊒ l2 ⊒ l3 ⊒ …
  • A strictly descending chain is a sequence of
    values
  • l1 ⊐ l2 ⊐ l3 ⊐ …
  • L has a finite height if every chain in L is
    finite
  • Lemma: A poset (L, ⊑) has finite height if and
    only if all strictly decreasing and strictly
    increasing chains are finite

36
Monotone Functions
  • A poset (L, ⊑)
  • A function f: L → L is monotone if for every
    l1, l2 ∈ L
  • l1 ⊑ l2 ⇒ f(l1) ⊑ f(l2)

37
Lemma 1
Consider a lattice L. f: L → L is monotone iff
for all X ⊆ L: ⊔{f(z) | z ∈ X} ⊑ f(⊔{z | z ∈ X})
38
Distributive (additive functions)
Consider a lattice L. f: L → L is distributive if
for all X ⊆ L: ⊔{f(z) | z ∈ X} = f(⊔{z | z ∈ X})
39
Fixed Points
  • A monotone function f: L → L where (L, ⊑, ⊔, ⊓,
    ⊥, ⊤) is a complete lattice
  • Fix(f) = {l | l ∈ L, f(l) = l}
  • Red(f) = {l | l ∈ L, f(l) ⊑ l}
  • Ext(f) = {l | l ∈ L, l ⊑ f(l)}
  • l1 ⊑ l2 ⇒ f(l1) ⊑ f(l2)
  • Tarski's Theorem 1955: if f is monotone then
  • lfp(f) = ⊓Fix(f) = ⊓Red(f) ∈ Fix(f)
  • gfp(f) = ⊔Fix(f) = ⊔Ext(f) ∈ Fix(f)

[Figure: lattice diagram marking gfp(f) and lfp(f)]
40
Computing lfp(f)
x := ⊥
while f(x) ≠ x do
    x := f(x)
41
Chaotic Iterations
  • A lattice L = (L, ⊑, ⊔, ⊓, ⊥, ⊤) with finite
    strictly increasing chains
  • Lⁿ = L × L × … × L
  • A monotone function f: Lⁿ → Lⁿ
  • Compute lfp(f)
  • The simultaneous least fixed point of the system
    {xi = fi(x) : 1 ≤ i ≤ n}

for i := 1 to n do
    xi := ⊥
WL := {1, 2, …, n}
while (WL ≠ ∅) do
    select and remove an element i ∈ WL
    new := fi(x)
    if (new ≠ xi) then
        xi := new
        Add all the indexes that directly depend on i to WL

x := (⊥, ⊥, …, ⊥)
while (f(x) ≠ x) do
    x := f(x)
42
Specialized Chaotic Iterations
Chaotic(G(V, E): Graph, s: Node, L: Lattice, ι: L, f: E → (L → L))
    for each v in V do
        dfentry[v] := ⊥
    dfentry[s] := ι
    WL := {1, 2, …, n}
    while (WL ≠ ∅) do
        select and remove an element u ∈ WL
        for each v such that e = (u, v) ∈ E do
            temp := f(e)(dfentry[u])
            new := dfentry[v] ⊔ temp
            if (new ≠ dfentry[v]) then
                dfentry[v] := new
                WL := WL ∪ {v}
43
WL     dfentry[v]
1
2      df[2] = [x ↦ 0, y ↦ 0, z ↦ 3]
3      df[3] = [x ↦ 1, y ↦ 0, z ↦ 3]
4      df[4] = [x ↦ 1, y ↦ 0, z ↦ 3]
5      df[5] = [x ↦ 1, y ↦ 0, z ↦ 3]
7      df[7] = [x ↦ 1, y ↦ 7, z ↦ 3]
8      df[8] = [x ↦ 3, y ↦ 7, z ↦ 3]
3      df[3] = [x ↦ ⊤, y ↦ ⊤, z ↦ 3]
4      df[4] = [x ↦ ⊤, y ↦ ⊤, z ↦ 3]
5,6    df[5] = [x ↦ 1, y ↦ ⊤, z ↦ 3]
6,7    df[6] = [x ↦ ⊤, y ↦ ⊤, z ↦ 3]
7      df[7] = [x ↦ ⊤, y ↦ 7, z ↦ 3]
[Figure: the CFG with its transfer functions and numbered nodes 1: z := 3, 2: x := 1, 3: while (x > 0), 4: if (x = 1), 5: y := 7, 6: y := z + 4, 7: x := 3, 8: print y; the entry value is [x ↦ 0, y ↦ 0, z ↦ 0]]
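The worklist procedure above, run on the eight-node CFG of the example program, as an added Python example (not part of the original slides). The FIFO worklist seeded with the start node, the `x ≠ 1` guard on the else edge, and all function names are assumptions; the loop-exit edge is left out because it has no target among the numbered nodes.

```python
TOP = "T"      # abstract value ⊤: variable is not a known constant
BOT = None     # abstract environment ⊥: node not reached yet
VARS = ("x", "y", "z")

def join(e1, e2):
    """Least upper bound of two environments; ⊥ is the neutral element."""
    if e1 is BOT or e2 is BOT:
        return e2 if e1 is BOT else e1
    return {v: e1[v] if e1[v] == e2[v] else TOP for v in VARS}

def assign(var, rhs):
    """Transfer function λe. e[var ↦ rhs(e)], strict in ⊥."""
    return lambda e: BOT if e is BOT else {**e, var: rhs(e)}

def plus(var, n):
    """Abstract evaluation of the expression var + n."""
    return lambda e: TOP if e[var] == TOP else e[var] + n

def assume(var, holds, refine=None):
    """Guard edge: ⊥ if var is a constant that fails the test, else e,
    optionally refined to e ⊓ [var ↦ refine]."""
    def f(e):
        if e is BOT or (e[var] != TOP and not holds(e[var])):
            return BOT
        return e if refine is None else {**e, var: refine}
    return f

# Edges (u, v, f): f is applied to dfentry[u] and joined into dfentry[v].
EDGES = [
    (1, 2, assign("z", lambda e: 3)),
    (2, 3, assign("x", lambda e: 1)),
    (3, 4, assume("x", lambda c: c > 0)),             # loop taken
    (4, 5, assume("x", lambda c: c == 1, refine=1)),  # then branch
    (4, 6, assume("x", lambda c: c != 1)),            # else branch (assumed guard)
    (5, 7, assign("y", lambda e: 7)),
    (6, 7, assign("y", plus("z", 4))),
    (7, 8, assign("x", lambda e: 3)),
    (8, 3, lambda e: e),                              # print y, back edge
]

def chaotic(edges, start, init, n):
    """Worklist iteration; returns (dfentry, order in which nodes were raised)."""
    df = {v: BOT for v in range(1, n + 1)}
    df[start] = init
    worklist, trace = [start], []
    while worklist:
        u = worklist.pop(0)
        for src, dst, f in edges:
            if src != u:
                continue
            new = join(df[dst], f(df[u]))
            if new != df[dst]:
                df[dst] = new
                trace.append(dst)
                if dst not in worklist:
                    worklist.append(dst)
    return df, trace

def analyse():
    """Run the analysis with every variable initialised to 0 at the entry."""
    return chaotic(EDGES, 1, {"x": 0, "y": 0, "z": 0}, 8)

if __name__ == "__main__":
    df, trace = analyse()
    print("update order:", trace)
    for v in sorted(df):
        print(v, df[v])
```

The order in which nodes are raised matches the dfentry column of the table: y and z are constants at `print y`, while x is only known to be 3 there and is ⊤ at the loop head.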
44
Specialized Chaotic Iterations: System of Equations
S = { dfentry[s] = ι,
      dfentry[v] = ⊔{f(u, v)(dfentry[u]) | (u, v) ∈ E} }
F_S: Lⁿ → Lⁿ
F_S(X)[s] = ι
F_S(X)[v] = ⊔{f(u, v)(X[u]) | (u, v) ∈ E}
lfp(S) = lfp(F_S)
45
Complexity of Chaotic Iterations
  • Parameters
  • n: the number of CFG nodes
  • k is the maximum outdegree of edges
  • A lattice of height h
  • c is the maximum cost of
  • applying f(e)
  • ⊔
  • L comparisons
  • Complexity: O(n · h · c · k)

46
Soundness
  • Every detected constant is indeed such
  • Every error will be detected
  • The least fixed point represents all occurring
    runtime states

47
Completeness
  • Every constant is indeed detected as such
  • Every detected error is real
  • Every state represented by the least fixed point is
    reachable for some input

48
The Abstract Interpretation Technique
  • The foundation of program analysis
  • Goals
  • Establish soundness of (find faults in) a given
    program analysis algorithm
  • Design new program analysis algorithms
  • The main ideas
  • Relate each step in the algorithm to a step in a
    structural operational semantics
  • Establish global correctness using a general
    theorem
  • Not limited to a particular form of analysis

49
Galois Connections
  • Lattices C and A and functions α: C → A and γ: A → C
  • The pair of functions (α, γ) form a Galois
    connection if
  • α and γ are monotone
  • ∀ a ∈ A
  • α(γ(a)) ⊑ a
  • ∀ c ∈ C
  • c ⊑ γ(α(c))
  • Alternatively if ∀ c ∈ C ∀ a ∈ A:
    α(c) ⊑ a iff c ⊑ γ(a)
  • α and γ uniquely determine each other

50
Galois Connections
[Figure: Galois connection; the concrete side is sets of stores]
51
Galois Insertions
  • Lattices C and A and functions α: C → A and γ: A → C
  • The pair of functions (α, γ) form a Galois
    insertion if
  • α and γ are monotone
  • ∀ a ∈ A
  • α(γ(a)) = a
  • ∀ c ∈ C
  • c ⊑ γ(α(c))
  • α and γ uniquely determine each other

52
Galois Insertion
[Figure: Galois insertion; the concrete side is sets of stores]
53
Soundness in Constant Propagation
  • Every detected constant is indeed such
  • May include fewer constants
  • May miss ?
  • At every CFG node l: all constants in dfentry(l)
    are indeed constants
  • At every CFG node l: dfentry(l) represents all
    the possible concrete states arising when the
    structural operational semantics reaches l

54
Proof of Soundness
  • Define an appropriate operational semantics
  • Define collecting operational semantics
  • Establish a Galois connection between collecting
    states and reaching definitions
  • (Local correctness) Show that the abstract
    interpretation of every atomic statement is
    sound w.r.t. the collecting semantics
  • (Global correctness) Conclude that the analysis
    is sound [CC1976]

55
Syntax vs. Semantics
  • The pattern of formation of sentences or phrases
    in a language
  • Examples
  • Regular expressions
  • Context free grammars
  • The study or science of meaning in language
  • Examples
  • Interpreter
  • Operational Semantics
  • Denotational Semantics
  • Compiler

56
Alternative Formal Semantics
  • Operational Semantics
  • The meaning of the program is described
    operationally
  • Natural Operational Semantics
  • Structural Operational Semantics
  • Denotational Semantics
  • The meaning of the program is an input/output
    relation
  • Mathematically challenging but complicated
  • Axiomatic Semantics
  • Logical axioms
  • The meaning of the program is its observed properties

57
General Notations
  • Syntactic categories
  • Var: the set of program variables
  • Aexp: the set of arithmetic expressions
  • Bexp: the set of Boolean expressions
  • Stm: the set of program statements
  • Semantic categories
  • Natural values N = {0, 1, 2, …}
  • Truth values T = {ff, tt}
  • States State = Var → N
  • Lookup in a state s: s x
  • Update of a state s: s[x ↦ 5]

58
Example State Manipulations
  • [x ↦ 1, y ↦ 7, z ↦ 16] y
  • [x ↦ 1, y ↦ 7, z ↦ 16] t
  • [x ↦ 1, y ↦ 7, z ↦ 16][x ↦ 5]
  • [x ↦ 1, y ↦ 7, z ↦ 16][x ↦ 5] x
  • [x ↦ 1, y ↦ 7, z ↦ 16][x ↦ 5] y

59
Semantics of arithmetic expressions
  • Assume that arithmetic expressions are
    side-effect free
  • A: Aexp → (State → N)
  • Defined by induction on the syntax tree
  • A⟦n⟧ s = n
  • A⟦x⟧ s = s x
  • A⟦e1 + e2⟧ s = A⟦e1⟧ s + A⟦e2⟧ s
  • A⟦e1 * e2⟧ s = A⟦e1⟧ s * A⟦e2⟧ s
  • A⟦(e1)⟧ s = A⟦e1⟧ s --- not needed
  • A⟦-e1⟧ s = -A⟦e1⟧ s
  • Compositional
  • Properties can be proved by structural induction

60
Assignments
⟦x := a⟧(s) = s[x ↦ A⟦a⟧s]
61
Collecting Semantics
  • The input state is not known at compile-time
  • Collect all the states for all possible inputs
    to the program
  • No loss of precision

62
A Simple Example Program
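z := 3
x := 1
while (x > 0) (
  if (x = 1) then y := 7
  else y := z + 4
  x := 3
  print y
)
[Figure: the program annotated with the sets of states collected along it, in order: {[x ↦ 0, y ↦ 0, z ↦ 0]}; {[x ↦ 0, y ↦ 0, z ↦ 3]}; {[x ↦ 1, y ↦ 0, z ↦ 3]}; {[x ↦ 1, y ↦ 7, z ↦ 3], [x ↦ 3, y ↦ 7, z ↦ 3]} (twice); {[x ↦ 3, y ↦ 7, z ↦ 3]} (twice)]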
63
Another Example
x := 0
while (true) do
    x := x + 1
64
An Iterative Definition
  • Generate a system of monotone equations
  • The least solution is well-defined
  • The least solution is the collecting
    interpretation
  • But may not be computable

65
Equations Generated for Collecting Interpretation
  • Equations for elementary statements
  • [skip]: CSexit(l) = CSentry(l)
  • [b]: CSexit(l) = {σ : σ ∈ CSentry(l), ⟦b⟧σ = tt}
  • [x := a]: CSexit(l) = {s[x ↦ A⟦a⟧s] | s ∈
    CSentry(l)}
  • Equations for control flow constructs: CSentry(l)
    = ∪ CSexit(l') where l' immediately precedes l in the
    control flow graph
  • An equation for the entry: CSentry(1) = {σ | σ ∈
    Var → Z}

66
Specialized Chaotic Iterations: System of
Equations (Collecting Semantics)
S = { CSentry[s] = {σ0},
      CSentry[v] = ∪{f(e)(CSentry[u]) | (u, v) ∈ E} }
where f(e) = λX. {⟦st(e)⟧σ | σ ∈ X} for atomic statements
      f(e) = λX. {σ | ⟦b(e)⟧σ = tt}
F_S: Lⁿ → Lⁿ
F_S(X)[v] = ∪{f(e)(X[u]) | (u, v) ∈ E}
lfp(S) = lfp(F_S)
67
The Least Solution
  • 2n sets of equations: CSentry(1), …, CSentry(n),
    CSexit(1), …, CSexit(n)
  • Can be written in vectorial form
  • The least solution lfp(Fcs) is well-defined
  • Every component is minimal
  • Since Fcs is monotone such a solution always
    exists
  • CSentry(v) = {s | ∃s0: ⟨P, s0⟩ ⇒* (S, s),
    init(S) = v}
  • Simplify the soundness criteria

68
Abstract (Conservative) interpretation
[Figure: sets of states and their abstract representations, related by concretization]
69
Abstract (Conservative) interpretation
[Figure: sets of states and their abstract representations, related by abstraction]
70
The Abstraction Function
  • Map collecting states into constants
  • The abstraction of an individual state: βCP: [Var → Z]
    → [Var → Z ∪ {⊥, ⊤}], βCP(σ) = σ
  • The abstraction of a set of states: αCP: P([Var → Z])
    → [Var → Z ∪ {⊥, ⊤}], αCP(CS) = ⊔{βCP(σ) | σ ∈ CS}
    = ⊔{σ | σ ∈ CS}
  • Soundness: αCP(CSentry(v)) ⊑ dfentry(v)
  • Completeness

71
The Concretization Function
  • Map constants into collecting states
  • The formal meaning of constants
  • The concretization γCP: [Var → Z ∪ {⊥, ⊤}]
    → P([Var → Z]), γCP(df) = {σ | βCP(σ) ⊑ df}
    = {σ | σ ⊑ df}
  • Soundness: CSentry(v) ⊆ γCP(dfentry(v))
  • Optimality

72
Galois Connection
  • αCP is monotone
  • γCP is monotone
  • ∀ df ∈ [Var → Z ∪ {⊥, ⊤}]
  • αCP(γCP(df)) ⊑ df
  • ∀ c ∈ P([Var → Z])
  • c ⊆ γCP(αCP(c))

73
Local Concrete Semantics
  • For every atomic statement S
  • ⟦S⟧: [Var → Z] → [Var → Z]
  • ⟦x := a⟧ s = s[x ↦ A⟦a⟧s]
  • ⟦skip⟧ s = s
  • For Boolean conditions

74
Local Abstract Semantics
  • For every atomic statement S
  • ⟦S⟧#: [Var → L] → [Var → L]
  • ⟦x := a⟧#(e) = e[x ↦ ⟦a⟧#(e)]
  • ⟦skip⟧#(e) = e
  • For Booleans

75
Local Soundness
  • For every atomic statement S show one of the
    following
  • αCP({⟦S⟧σ | σ ∈ CS}) ⊑ ⟦S⟧#(αCP(CS))
  • {⟦S⟧σ | σ ∈ γCP(df)} ⊆ γCP(⟦S⟧#(df))
  • α({⟦S⟧σ | σ ∈ γCP(df)}) ⊑ ⟦S⟧#(df)
  • The above condition implies global soundness
    [Cousot & Cousot 1976]: α(CSentry(l)) ⊑
    dfentry(l), CSentry(l) ⊆ γ(dfentry(l))

76
Assignments in constant propagation
  • Monotone
  • df1 ⊑ df2 ⇒ ⟦x := e⟧#(df1) ⊑ ⟦x := e⟧#(df2)
  • Local Soundness
  • α({⟦x := e⟧σ | σ ∈ CS}) ⊑ ⟦x := e⟧#(α(CS))

77
Soundness Theorem(1)
  1. Let (α, γ) form a Galois connection from C to A
  2. f: C → C be a monotone function
  3. f#: A → A be a monotone function
  4. ∀a ∈ A: f(γ(a)) ⊑ γ(f#(a))

lfp(f) ⊑ γ(lfp(f#))
α(lfp(f)) ⊑ lfp(f#)
78
Soundness Theorem(2)
  1. Let (α, γ) form a Galois connection from C to A
  2. f: C → C be a monotone function
  3. f#: A → A be a monotone function
  4. ∀c ∈ C: α(f(c)) ⊑ f#(α(c))

α(lfp(f)) ⊑ lfp(f#)
lfp(f) ⊑ γ(lfp(f#))
79
Soundness Theorem(3)
  1. Let (α, γ) form a Galois connection from C to A
  2. f: C → C be a monotone function
  3. f#: A → A be a monotone function
  4. ∀a ∈ A: α(f(γ(a))) ⊑ f#(a)

α(lfp(f)) ⊑ lfp(f#)
lfp(f) ⊑ γ(lfp(f#))
80
Proof of Soundness (Summary)
  • Define an appropriate operational semantics
  • Define collecting operational semantics
  • Establish a Galois connection between collecting
    states and reaching definitions
  • (Local correctness) Show that the abstract
    interpretation of every atomic statement is
    sound w.r.t. the collecting semantics
  • (Global correctness) Conclude that the analysis
    is sound

81
Best (Conservative) interpretation
[Figure: abstract representation]
82
Induced Analysis (Relatively Optimal)
  • It is sometimes possible to show that a given
    analysis is not only sound but optimal w.r.t. the
    chosen abstraction
  • but not necessarily optimal!
  • Define ⟦S⟧#(df) = α({⟦S⟧σ | σ ∈ γ(df)})
  • But this ⟦S⟧# may not be computable
  • Derive (at compiler-generation time) an
    alternative form for ⟦S⟧#
  • A useful measure to decide if the abstraction
    must lead to overly imprecise results

83
Example Dataflow Problem
  • Formal available expression analysis
  • Find out which expressions are available at a
    given program point
  • Example program x y t z y r while
    () t t (y r)
  • Lattice
  • Galois connection
  • Basic statements
  • Soundness

84
Example May-Be-Garbage
  • A variable x may-be-garbage at a program point v
    if there exists an execution path leading to v in
    which x's value is unpredictable
  • Was not assigned
  • Was assigned using an unpredictable expression
  • Lattice
  • Galois connection
  • Basic statements
  • Soundness

85
Points-To Analysis
  • Determine if a pointer variable p may point to q
    on some path leading to a program point
  • Adapt other optimizations
  • Constant propagationx 5p 7 x
  • Pointer aliases
  • Variables p and q are may-aliases at v if the
    points-to set at v contains entries (p, x) and
    (q, x)
  • Side-effect analysis p q t

86
Concrete Semantics
State Loc?Loc?Z
For every atomic statement S ?S ? States
?States ?x a ?(?)?loc(x) ?A?a? ? ?x y
?(?) ?x y ?(?) ?x y ?(?) ?x y ?(?)
87
Points-To Analysis
  • Lattice Lpt
  • Galois connection

88
Abstract Semantics
  • For every atomic statement S
  • ?S ? P(Var? Var)? P(Var? Var)
  • ?x y ?
  • ?x y ?
  • ?x y ?
  • ?x y ?

89
t := &a
y := &b
z := &c
if x > 0 then p := &y
else p := &z
*p := t
90
/* ∅ */
t := &a    /* {(t, a)} */
/* {(t, a)} */
y := &b    /* {(t, a), (y, b)} */
/* {(t, a), (y, b)} */
z := &c    /* {(t, a), (y, b), (z, c)} */
if x > 0
  then p := &y    /* {(t, a), (y, b), (z, c), (p, y)} */
  else p := &z    /* {(t, a), (y, b), (z, c), (p, z)} */
/* {(t, a), (y, b), (z, c), (p, y), (p, z)} */
*p := t    /* {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)} */
91
Flow insensitive points-to analysis [Steensgaard 1996]
  • Ignore control flow
  • One set of points-to per program
  • Can be represented as a directed graph
  • Conservative approximation
  • Accumulate pointers
  • Can be computed in almost linear time

92
t := &a
y := &b
z := &c
if x > 0 then p := &y
else p := &z
*p := t
93
Precision
  • We cannot usually have
  • α(CS) = DF on all programs
  • But can we say something about precision in all
    programs?

94
The Join-Over-All-Paths (JOP)
  • Let paths(v) denote the potentially infinite set
    of paths from start to v (written as sequences of
    labels)
  • For a sequence of edges [e1, e2, …, en] define
    f[e1, e2, …, en]: L → L by composing the effects
    of basic blocks: f[e1, e2, …, en](l) =
    f(en)(…(f(e2)(f(e1)(l)))…)
  • JOP[v] = ⊔{f[e1, e2, …, en](ι) | [e1, e2, …,
    en] ∈ paths(v)}

95
JOP vs. Least Solution
  • The DF solution obtained by chaotic iteration
    satisfies for every l
  • JOP[v] ⊑ DFentry(v)
  • A function f is additive (distributive) if
  • f(⊔{x | x ∈ X}) = ⊔{f(x) | x ∈ X}
  • If every fl is additive (distributive) for all
    the nodes v
  • JOP[v] = DFentry(v)

96
Conclusions
  • Chaotic iterations is a powerful technique
  • Easy to implement
  • Rather precise
  • But expensive
  • More efficient methods exist for structured
    programs
  • Abstract interpretation relates runtime semantics
    and static information
  • The concrete semantics serves as a tool in
    designing abstractions
  • More intuition will be given in the sequel