Static Program Analysis

Size: px

Start display at page:

Download "Static Program Analysis"

Gerald Rich
5 years ago
Views:

1 Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University

2 Online Registration for Seminars and Practical Courses (Praktika) in Summer Term 2017 Who? Students of: Master Courses Bachelor Informatik (ProSeminar!) Where? When?

3 Seminar Verification and Static Analysis of Software (SS 2017) Topics Pointer and shape analysis Advanced model checking techniques Analysis of probabilistic programs... More information Registration between January 13 and 29 via 3 of 18 Static Program Analysis

4 Interprocedural Dataflow Analysis Outline of Lecture 18 Interprocedural Dataflow Analysis Intraprocedural vs. Interprocedural Analysis The MVP Solution 4 of 18 Static Program Analysis

5 Interprocedural Dataflow Analysis Overview So far: only intraprocedural analyses (i.e., without user-defined functions or procedures or just within their bodies) 5 of 18 Static Program Analysis

6 Interprocedural Dataflow Analysis Overview So far: only intraprocedural analyses (i.e., without user-defined functions or procedures or just within their bodies) Now: interprocedural dataflow analysis Complications: correct matching between calls and returns parameter passing (aliasing effects) main(head, tail) reverse(cur, tail) if (cur!= tail) reverse(head, tail) tmp := cur.prev tmp := head cur.prev := cur.next head := tail cur.next := tmp tail := tmp reverse(cur.prev, tail) exit exit if (cur = tail) 5 of 18 Static Program Analysis

7 Interprocedural Dataflow Analysis Overview So far: only intraprocedural analyses (i.e., without user-defined functions or procedures or just within their bodies) Now: interprocedural dataflow analysis Complications: correct matching between calls and returns parameter passing (aliasing effects) Here: simple setting only top-level declarations, no blocks or nested declarations mutual recursion one call-by-value and one call-by-result parameter (extension to multiple and call-by-value-result parameters straightforward) main(head, tail) reverse(head, tail) tmp := head head := tail tail := tmp exit if (cur!= tail) tmp := cur.prev cur.prev := cur.next cur.next := tmp reverse(cur.prev, tail) reverse(cur, tail) exit if (cur = tail) 5 of 18 Static Program Analysis

8 Interprocedural Dataflow Analysis Extending the Syntax Syntactic categories: Category Domain Meta variable Procedure identifiers Pid = {P, Q,...} P Procedure declarations PDec p Commands (statements) Cmd c 6 of 18 Static Program Analysis

9 Interprocedural Dataflow Analysis Extending the Syntax Syntactic categories: Category Domain Meta variable Procedure identifiers Pid = {P, Q,...} P Procedure declarations PDec p Commands (statements) Cmd c Context-free grammar: p ::= proc [P(val x,res y)] l n is c [end]l x ;p ε PDec c ::= [skip] l [x := a] l c 1 ;c 2 if [b] l then c 1 else c 2 end while [b] l do c end [call P(a,x)] l c lr Cmd 6 of 18 Static Program Analysis

10 Interprocedural Dataflow Analysis Extending the Syntax Syntactic categories: Category Domain Meta variable Procedure identifiers Pid = {P, Q,...} P Procedure declarations PDec p Commands (statements) Cmd c Context-free grammar: p ::= proc [P(val x,res y)] l n is c [end]l x ;p ε PDec c ::= [skip] l [x := a] l c 1 ;c 2 if [b] l then c 1 else c 2 end while [b] l do c end [call P(a,x)] l c lr Cmd All labels and procedure names in program p c distinct In proc [P(val x,res y)] l n is c [end]l x, l n / l x refers to the entry / exit of P In [call P(a,x)] l c lr, l c /l r refers to the call of / return from P First parameter call-by-value (input), second call-by-result (output) 6 of 18 Static Program Analysis

11 Interprocedural Dataflow Analysis An Example Example 18.1 (Fibonacci numbers) (with extension by multiple call-by-value parameters) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] of 18 Static Program Analysis

12 Interprocedural Dataflow Analysis Procedure Flow Graphs I Definition 18.2 (Procedure flow graphs; extends Def. 2.3 and 2.4) The auxiliary functions init, final, and flow are extended as follows: init(proc [P(val x,res y)] l n is c [end]l x ) := l n final(proc [P(val x,res y)] l n is c [end]l x ) := {l x} flow(proc [P(val x,res y)] l n is c [end]l x ) := {(l n, init(c))} flow(c) {(l, l x ) l final(c)} init([call P(a,x)] l c lr ) := l c final([call P(a,x)] l c lr ) := {l r } flow([call P(a,x)] l c lr ) := {(l c ; l n ), (l x ; l r )} 8 of 18 Static Program Analysis

13 Interprocedural Dataflow Analysis Procedure Flow Graphs I Definition 18.2 (Procedure flow graphs; extends Def. 2.3 and 2.4) The auxiliary functions init, final, and flow are extended as follows: init(proc [P(val x,res y)] l n is c [end]l x ) := l n final(proc [P(val x,res y)] l n is c [end]l x ) := {l x} flow(proc [P(val x,res y)] l n is c [end]l x ) := {(l n, init(c))} flow(c) {(l, l x ) l final(c)} init([call P(a,x)] l c lr ) := l c final([call P(a,x)] l c lr ) := {l r } flow([call P(a,x)] l c lr ) := {(l c ; l n ), (l x ; l r )} Moreover the interprocedural flow of a program p c is defined by iflow := {(l c, l n, l x, l r ) p contains proc [P(val x,res y)] l n is c [end]l x Lab 4 c contains [call P(a,x)] l c lr } and 8 of 18 Static Program Analysis

14 Interprocedural Dataflow Analysis Procedure Flow Graphs II Example 18.3 (Fibonacci numbers) Flow graph of (on the board) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] of 18 Static Program Analysis

15 Interprocedural Dataflow Analysis Procedure Flow Graphs II Example 18.3 (Fibonacci numbers) Flow graph of (on the board) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] 9 10 Here iflow = {(9, 1, 8, 10), (4, 1, 8, 5), (6, 1, 8, 7)} 9 of 18 Static Program Analysis

16 Intraprocedural vs. Interprocedural Analysis Outline of Lecture 18 Interprocedural Dataflow Analysis Intraprocedural vs. Interprocedural Analysis The MVP Solution 10 of 18 Static Program Analysis

17 Intraprocedural vs. Interprocedural Analysis Naive Formulation I Attempt: directly transfer techniques from intraprocedural analysis = treat (l c ; l n ) like (l c, l n ) and (l x ; l r ) like (l x, l r ) 11 of 18 Static Program Analysis

18 Intraprocedural vs. Interprocedural Analysis Naive Formulation I Attempt: directly transfer techniques from intraprocedural analysis = treat (l c ; l n ) like (l c, l n ) and (l x ; l r ) like (l x, l r ) Given: dataflow system S = (Lab, E, F, (D, ), ι, ϕ) 11 of 18 Static Program Analysis

19 Intraprocedural vs. Interprocedural Analysis Naive Formulation I Attempt: directly transfer techniques from intraprocedural analysis = treat (l c ; l n ) like (l c, l n ) and (l x ; l r ) like (l x, l r ) Given: dataflow system S = (Lab, E, F, (D, ), ι, ϕ) For each procedure call [call P(a,x)] l c lr : transfer functions ϕ lc, ϕ lr : D D (definition later) For each procedure declaration proc [P(val x,res y)] l n is c [end]l x : transfer functions ϕ ln, ϕ lx : D D (definition later) 11 of 18 Static Program Analysis

20 Intraprocedural vs. Interprocedural Analysis Naive Formulation I Attempt: directly transfer techniques from intraprocedural analysis = treat (l c ; l n ) like (l c, l n ) and (l x ; l r ) like (l x, l r ) Given: dataflow system S = (Lab, E, F, (D, ), ι, ϕ) For each procedure call [call P(a,x)] l c lr : transfer functions ϕ lc, ϕ lr : D D (definition later) For each procedure declaration proc [P(val x,res y)] l n is c [end]l x : transfer functions ϕ ln, ϕ lx : D D (definition later) Induces equation system { ι if l E AI l = {ϕl (AI l ) (l, l) F or (l ; l) F} otherwise 11 of 18 Static Program Analysis

21 Intraprocedural vs. Interprocedural Analysis Naive Formulation I Attempt: directly transfer techniques from intraprocedural analysis = treat (l c ; l n ) like (l c, l n ) and (l x ; l r ) like (l x, l r ) Given: dataflow system S = (Lab, E, F, (D, ), ι, ϕ) For each procedure call [call P(a,x)] l c lr : transfer functions ϕ lc, ϕ lr : D D (definition later) For each procedure declaration proc [P(val x,res y)] l n is c [end]l x : transfer functions ϕ ln, ϕ lx : D D (definition later) Induces equation system { ι if l E AI l = {ϕl (AI l ) (l, l) F or (l ; l) F} otherwise Problem: procedure calls (l c ; l n ) and procedure returns (l x ; l r ) treated like goto s = nesting of calls and returns ignored = too many paths considered = analysis information possibly imprecise (but still correct) 11 of 18 Static Program Analysis

22 Intraprocedural vs. Interprocedural Analysis Naive Formulation II Example 18.4 (Fibonacci numbers) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] of 18 Static Program Analysis

23 Intraprocedural vs. Interprocedural Analysis Naive Formulation II Example 18.4 (Fibonacci numbers) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] 9 10 Valid path: [9, 1, 2, 3, 8, 10] 12 of 18 Static Program Analysis

24 Intraprocedural vs. Interprocedural Analysis Naive Formulation II Example 18.4 (Fibonacci numbers) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] 9 10 Valid path: [9, 1, 2, 3, 8, 10] Invalid path: [9, 1, 2, 4, 1, 2, 3, 8, 10] 12 of 18 Static Program Analysis

25 Intraprocedural vs. Interprocedural Analysis Naive Formulation III Example 18.5 (Impreciseness of constant propagation analysis) proc [P(val x, res y)] 1 is [y := x] 2 [end] 3 ; if [y = 0] 4 then [call P(1, y)] 5 6; [y := y - 1] 7 else [call P(2, y)] 8 9; [y := y - 2] 10 end; [skip] of 18 Static Program Analysis

26 Intraprocedural vs. Interprocedural Analysis Naive Formulation III Example 18.5 (Impreciseness of constant propagation analysis) proc [P(val x, res y)] 1 is [y := x] 2 [end] 3 ; if [y = 0] 4 then [call P(1, y)] 5 6; [y := y - 1] 7 else [call P(2, y)] 8 9; [y := y - 2] 10 end; [skip] 11 Two valid and two invalid paths: Valid: [4, 5, 1, 2, 3, 6, 7, 11] = y = 0 at label of 18 Static Program Analysis

27 Intraprocedural vs. Interprocedural Analysis Naive Formulation III Example 18.5 (Impreciseness of constant propagation analysis) proc [P(val x, res y)] 1 is [y := x] 2 [end] 3 ; if [y = 0] 4 then [call P(1, y)] 5 6; [y := y - 1] 7 else [call P(2, y)] 8 9; [y := y - 2] 10 end; [skip] 11 Two valid and two invalid paths: Valid: [4, 5, 1, 2, 3, 6, 7, 11] = y = 0 at label 11 Valid: [4, 8, 1, 2, 3, 9, 10, 11] = y = 0 at label of 18 Static Program Analysis

28 Intraprocedural vs. Interprocedural Analysis Naive Formulation III Example 18.5 (Impreciseness of constant propagation analysis) proc [P(val x, res y)] 1 is [y := x] 2 [end] 3 ; if [y = 0] 4 then [call P(1, y)] 5 6; [y := y - 1] 7 else [call P(2, y)] 8 9; [y := y - 2] 10 end; [skip] 11 Two valid and two invalid paths: Valid: [4, 5, 1, 2, 3, 6, 7, 11] = y = 0 at label 11 Valid: [4, 8, 1, 2, 3, 9, 10, 11] = y = 0 at label 11 Invalid: [4, 5, 1, 2, 3, 9, 10, 11] = y = 1 at label of 18 Static Program Analysis

29 Intraprocedural vs. Interprocedural Analysis Naive Formulation III Example 18.5 (Impreciseness of constant propagation analysis) proc [P(val x, res y)] 1 is [y := x] 2 [end] 3 ; if [y = 0] 4 then [call P(1, y)] 5 6; [y := y - 1] 7 else [call P(2, y)] 8 9; [y := y - 2] 10 end; [skip] 11 Two valid and two invalid paths: Valid: [4, 5, 1, 2, 3, 6, 7, 11] = y = 0 at label 11 Valid: [4, 8, 1, 2, 3, 9, 10, 11] = y = 0 at label 11 Invalid: [4, 5, 1, 2, 3, 9, 10, 11] = y = 1 at label 11 Invalid: [4, 8, 1, 2, 3, 6, 7, 11] = y = 1 at label of 18 Static Program Analysis

30 Intraprocedural vs. Interprocedural Analysis Naive Formulation III Example 18.5 (Impreciseness of constant propagation analysis) proc [P(val x, res y)] 1 is [y := x] 2 [end] 3 ; if [y = 0] 4 then [call P(1, y)] 5 6; [y := y - 1] 7 else [call P(2, y)] 8 9; [y := y - 2] 10 end; [skip] 11 Two valid and two invalid paths: Valid: [4, 5, 1, 2, 3, 6, 7, 11] = y = 0 at label 11 Valid: [4, 8, 1, 2, 3, 9, 10, 11] = y = 0 at label 11 Invalid: [4, 5, 1, 2, 3, 9, 10, 11] = y = 1 at label 11 Invalid: [4, 8, 1, 2, 3, 6, 7, 11] = y = 1 at label 11 = actually always y = 0 at 11, but naive method yields y = 13 of 18 Static Program Analysis

31 The MVP Solution Outline of Lecture 18 Interprocedural Dataflow Analysis Intraprocedural vs. Interprocedural Analysis The MVP Solution 14 of 18 Static Program Analysis

32 The MVP Solution Valid Paths I Consider only paths with correct nesting of procedure calls and returns Will yield MVP solution (Meet over all Valid Paths) Definition 18.6 (Valid path fragments) Given a dataflow system S = (Lab, E, F, (D, ), ι, ϕ) and l 1, l 2 Lab, the set of valid paths from l 1 to l 2 is generated by the nonterminal symbol P[l 1, l 2 ] according to the following context-free grammar: P[l 1, l 2 ] l 1 whenever l 1 = l 2 P[l 1, l 3 ] l 1, P[l 2, l 3 ] whenever (l 1, l 2 ) F P[l c, l] l c, P[l n, l x ], P[l r, l] whenever (l c, l n, l x, l r ) iflow 15 of 18 Static Program Analysis

33 The MVP Solution Valid Paths II Example 18.7 (Fibonacci numbers; cf. Example 18.4) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] of 18 Static Program Analysis

34 The MVP Solution Valid Paths II Example 18.7 (Fibonacci numbers; cf. Example 18.4) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] 9 10 Reminder: P[l 1, l 2 ] l 1 for l 1 = l 2 P[l 1, l 3 ] l 1, P[l 2, l 3 ] for (l 1, l 2 ) F P[l c, l] l c, P[l n, l x ], P[l r, l] for (l c, l n, l x, l r ) iflow 16 of 18 Static Program Analysis

35 The MVP Solution Valid Paths II Example 18.7 (Fibonacci numbers; cf. Example 18.4) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] 9 10 Reminder: P[l 1, l 2 ] l 1 for l 1 = l 2 P[l 1, l 3 ] l 1, P[l 2, l 3 ] for (l 1, l 2 ) F P[l c, l] l c, P[l n, l x ], P[l r, l] for (l c, l n, l x, l r ) iflow Valid paths from 9 to 10: P[9, 10] 9, P[1, 8], P[10, 10] P[1, 8] 1, P[2, 8] P[2, 8] 2, P[3, 8] P[2, 8] 2, P[4, 8] P[3, 8] 3, P[8, 8] P[4, 8] 4, P[1, 8], P[5, 8] P[5, 8] 5, P[6, 8] P[6, 8] 6, P[1, 8], P[7, 8] P[7, 8] 7, P[8, 8] P[8, 8] 8 P[10, 10] of 18 Static Program Analysis

36 The MVP Solution Valid Paths II Example 18.7 (Fibonacci numbers; cf. Example 18.4) proc [Fib(val x, y, res z)] 1 is if [x < 2] 2 then [z := y + 1] 3 else [call Fib(x-1, y, z)] 4 5; [call Fib(x-2, z, z)] 6 7 end [end] 8 ; [call Fib(5, 0, v)] 9 10 Reminder: P[l 1, l 2 ] l 1 for l 1 = l 2 P[l 1, l 3 ] l 1, P[l 2, l 3 ] for (l 1, l 2 ) F P[l c, l] l c, P[l n, l x ], P[l r, l] for (l c, l n, l x, l r ) iflow Valid paths from 9 to 10: P[9, 10] 9, P[1, 8], P[10, 10] P[1, 8] 1, P[2, 8] P[2, 8] 2, P[3, 8] P[2, 8] 2, P[4, 8] P[3, 8] 3, P[8, 8] P[4, 8] 4, P[1, 8], P[5, 8] P[5, 8] 5, P[6, 8] P[6, 8] 6, P[1, 8], P[7, 8] P[7, 8] 7, P[8, 8] P[8, 8] 8 P[10, 10] 10 Thus [9, 1, 2, 3, 8, 10] L(P[9, 10]), [9, 1, 2, 4, 1, 2, 3, 8, 10] / L(P[9, 10]) 16 of 18 Static Program Analysis

37 The MVP Solution The MVP Solution I Definition 18.8 (Complete valid paths) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system. For every l Lab, the set of valid paths up to l is given by VPath(l) := {[l 1,..., l k 1 ] k 1, l 1 E, l k = l, [l 1,..., l k ] valid path from l 1 to l k }. 17 of 18 Static Program Analysis

38 The MVP Solution The MVP Solution I Definition 18.8 (Complete valid paths) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system. For every l Lab, the set of valid paths up to l is given by VPath(l) := {[l 1,..., l k 1 ] k 1, l 1 E, l k = l, [l 1,..., l k ] valid path from l 1 to l k }. For π = [l 1,..., l k 1 ] VPath(l), we define the transfer function ϕ π : D D by (so that ϕ [] = id D ). ϕ π := ϕ lk 1... ϕ l1 id D 17 of 18 Static Program Analysis

39 The MVP Solution The MVP Solution II Definition 18.9 (MVP solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system where Lab = {l 1,..., l n }. The MVP solution for S is determined by mvp(s) := (mvp(l 1 ),..., mvp(l n )) D n where, for every l Lab, mvp(l) := {ϕ π (ι) π VPath(l)}. 18 of 18 Static Program Analysis

40 The MVP Solution The MVP Solution II Definition 18.9 (MVP solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system where Lab = {l 1,..., l n }. The MVP solution for S is determined by mvp(s) := (mvp(l 1 ),..., mvp(l n )) D n where, for every l Lab, mvp(l) := {ϕ π (ι) π VPath(l)}. Corollary mvp(s) mop(s) 2. The MVP solution is undecidable. 18 of 18 Static Program Analysis

41 The MVP Solution The MVP Solution II Definition 18.9 (MVP solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system where Lab = {l 1,..., l n }. The MVP solution for S is determined by mvp(s) := (mvp(l 1 ),..., mvp(l n )) D n where, for every l Lab, mvp(l) := {ϕ π (ι) π VPath(l)}. Corollary mvp(s) mop(s) 2. The MVP solution is undecidable. Proof. 1. since VPath(l) Path(l) for every l Lab 2. as mvp(s) = mop(s) in intraprocedural case and MOP solution undecidable (Thm. 7.1) 18 of 18 Static Program Analysis

Static Program Analysis

Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Recap: Interprocedural Dataflow Analysis Outline of