Precise Program Analysis through (Linear) Algebra

Size: px

Start display at page:

Download "Precise Program Analysis through (Linear) Algebra"

Abner Holmes
5 years ago
Views:

1 Precise Program Analysis through (Linear) Algebra Markus Müller-Olm FernUniversität Hagen (on leave from Universität Dortmund) Joint work with Helmut Seidl (TU München) CP+CV 4, Barcelona, March 8, 4 Overview Title, motivation and results Karr s algorithm Interprocedural analysis / linear algebra Intraprocedural analysis / algebra Conclusion CP+CV 4, Barcelona, March 6, 4

2 through (Linear) Algebra Linear Algebra vectors vector spaces, sub-spaces, bases linear maps, matrices vector spaces of matrices Gaussian elimination Algebra rings ideals polynomial rings ideals of polynomial rings Buchberger s Algorithm CP+CV 4, Barcelona, March 6, 4...(Interprocedural) Program Analysis x -x -x -x x -= Main: P: x :=x x :=x + x := x :=x +x + x -x -x = P() P() x -x -x = x :=x -x -x x :=x -x 4 x = 4

3 Some Questions of Interest What is the value of variable x at program exit? Where is x =x? What is the relationship between x,x, and x at program point? affine relations 5x+7y-4= a + a i x i = a i F polynomial relations 5xy +7z -4= p(x,,x k ) = p F[x,,x n ] CP+CV 4, Barcelona, March 6, 4 5 Exact Approximate Analysis Original Problem Abstraction Abstracted Problem approximate Approximate Analysis Algorithm exact CP+CV 4, Barcelona, March 6, 4 6

4 Abstractions of Interest Affine programs (first part): affine assignments: x := x -x +7 unknown assignments: x i :=? abstract too complex statements! non-deterministic instead of guarded branching Polynomial programs (second part): polynomial assignments: x := x x -5x negated polynomial guards: (x -y = ) the rest as for affine programs! CP+CV 4, Barcelona, March 6, 4 7 The Challenge (Precise ) Given an affine program with (recursive) procedures, local variables, parameters, return values, determine all valid affine relations: a + a i x i = a i F determine all valid polynomial relations: p(x,,x k ) = p F[x,,x n ] and all this in polynomial time Weaker goal: determine all polynomial relations of degree d CP+CV 4, Barcelona, March 6, 4 8

5 Infinity Dimensions push-down arithmetic CP+CV 4, Barcelona, March 6, 4 9 Applications Interprocedural analysis: definite equalities: x = y constant propagation: x = 4 discovery of symbolic constants: x = 5yz+7 complex common subexpressions: xy+4 = y +5 loop induction variables Program verification strongest affine or polynomial assertions (cf. Petri Net invariants) CP+CV 4, Barcelona, March 6, 4

6 Intraprocedural Algorithm of Karr = x:= x:= x = x = y = y:= 4 y:= x = x = y = 4 y 4 5 x+y=5 x + y = 5 x x = x:=x+y x = 5 Use a Standard Approach for Interprocedural Generalization of Karr? Functional approach [Sharir/Pnueli, 98], [Knoop/Steffen, 99] Idea: summarize each procedure by function on data flow facts Problem: not applicable Call-string approach [Sharir/Pnueli, 98] Idea: take just a finite piece of run-time stack into account Problem: not exact Relational analysis [Cousot, 977] Idea: summarize each procedure by approximation of I/O relation Problem: not exact (next slide) CP+CV 4, Barcelona, March 6, 4 4

7 Relational Analysis is Not Strong Enough True relational semantics of P: Main: x:= x post P() x= x pre x:=x P: x:= x 4 x:=x- 5 Best affine approximation: x post x pre Overview Title and results Karr s algorithm Interprocedural analysis / linear algebra Intraprocedural analysis / algebra Conclusion CP+CV 4, Barcelona, March 6, 4 6

8 Concrete Semantics of an Execution Path Every execution path π induces an affine transformation of the program state: x: = x+ x + ; x : = x + ( v) x : x ( x: x x ( v) ) = = + = + + v = x : = x + v + v v = v + v

9 Affine Relations An affine relation can be represented by a vector: corresponds to 5 + x x x = a = CP+CV 4, Barcelona, March 6, 4 9 Weakest Precondition of Affine Relations Every execution path π induces a linear transformation of affine post-conditions into their weakest pre-condition: T = + + = + T x : x x ; x : x ( a) T ( ) = x : = x + x + x : = x + ( a) a T a = x: = x+ x + a a a a = a a CP+CV 4, Barcelona, March 6, 4

10 WP of Affine Relations Therefore: = { x x = } x : = x + x + ; x : = x + { x x x = } weakest precondition! CP+CV 4, Barcelona, March 6, 4 Observation Onlythezerorelationisvalid at program start: : +x + +x k = Thus, relation a +a x + +a k x k = is valid at program point v iff M a = for all M {«π T π reaches v}. CP+CV 4, Barcelona, March 6, 4

11 Observation The following statements are equivalent for a: M a = for all M R M a = for all M Span(R) M a = for all M in a basis of Span(R) CP+CV 4, Barcelona, March 6, 4 Observation The set of all affine relations valid at program point v equals th set of solutions of the linear equation system: = Ma, M B where B is a basis of V = Span{«π T π reaches v} (+) it suffices to compute a basis of V! CP+CV 4, Barcelona, March 6, 4 4

12 Observation 4 The set of subspaces of F k k is a complete lattice: Ordering: v = Least element: {} Least upper bound: B tb = Span(B B ) Height: k abstract interpretation techniques apply! α(r) = Span{ «π T π R } R(v) = { π π reaches v } CP+CV 4, Barcelona, March 6, 4 5 Constraint System for Characterizing Execution Paths Executions of base edges: x: = t = { xi : = t} x: =? = x : = d d { i } Same-level executions: Sv { ε} ( ) ventry point S(p) Sv ( ) vreturn point of p Sv ( ) Su ( ); labuv (, ) ( uv, ) base edge S(v) Su ( ); Sp ( ) ( uv, ) calls procedure p Reaching executions: Rv ( ) Sv ( ) vin Main Rv ( ) Rp ( ); Sv ( ) vin p Rp ( ) Ru ( ) ( u,_) calls p

13 Abstract Interpretation (on Bases) I a = + = ak I # x : j a a x Span i i I I = = I I # x j :? Span, # { Mi i I} { Nj j J} = { MN i j i I j J} Span ; Span Span, # { Mi i I} { Nj j J} = ({ Mi i I} { Nj j J} ) Span Span Span Use Gauss elimination for simplifying sets of matrices

14 Theorem In an affine program: The following vector spaces of matrices can be computed precisely: α(r(v)) = Span { «π T π R(v) } for each prg. point v. The vector spaces { a F k+ affine relation a is valid at v } can be computed precisely for all prg. points v. The time complexity is linear in the program size and polynomial in the number of variables: O(n k 8 ) (n size of the program, k number of variables) CP+CV 4, Barcelona, March 6, 4 An Example Main: P: x :=x x :=x + x := x :=x +x + P() P() x :=x -x -x x :=x -x stable! 4 4 =

15 An Example a + ax + ax + ax = is valid at Main: x :=x x := a a a = a and = a a a a a = a = a = a P() x :=x -x -x 4 Span are valid at, Just the affine relations of the form a x a x a x = (a F) Extensions Local variables, value parameters, return values Computing polynomial relations of degree d Affine pre-conditions CP+CV 4, Barcelona, March 6, 4 4

16 Overview Title and results Karr s algorithm Interprocedural analysis / linear algebra Intraprocedural analysis / algebra Conclusion CP+CV 4, Barcelona, March 6, 4 5 Precise Analysis through Algebra Algebra Polynomial rings, ideals, Gröbner bases, Polynomial programs: Polynomial assignments: x := xy 5z Negated polynomial guards: (xy z = ) The rest as for affine programs! Intraprocedural computation of [SAS ] polynomial constants Intraprocedural derivation of [MO/Seidl ] all valid polynomial relations of degree d

17 Negated Polynomial Guards are Useful u v w u:= u = v+ w = v+ v:= w:= v u:=u+ w:=w+ v Note: we need the power of polynomials in order to cope with the guards! Representing other Models Polynomial programs can represent: Petri Nets Vector Addition Systems (VAS) VAS with state polynomial invariants for these models! CP+CV 4, Barcelona, March 6, 4 8

18 A Polynomial Program After n iterations at : x : : = x = q y y q + x : : = y = q x y = n i q = i = n+ = q n+ q q x ( q ) = y x q x y + = (Horner s method) x: = x ( q ) At : x y + = CP+CV 4, Barcelona, March 6, 4 9 Idea Use ideals instead of vector spaces: An ideal I F[x,,x k ] is a set of polynomials with: ) q,q I implies q +q I ) q I implies rq I for all r F[x,,x k ] B F[x,,x n ] generates I iff I = hbi = {r b + +r k b k r,,r k F [x,,x n ], b,,b k B} Intuition: Ideal hp,,p n i captures the `essence of polynomial constraint i=,,n p i (x,,x n )= Problem: no substitute for linear maps: just intra-procedural analysis

19 Observations Hilbert's Basis Theorem: Every polynomial ideal is finitely generated. every ascending chain of polynomial ideals is ultimately stable. iterative least fixpoint computations stabilize. Buchberger s Algorithm allows us to check ideal membership, ideal inclusion, ideal equality. termination can be checked effectively Only the zero ideal hi is valid at program start. Validity of weakest pre-condition checkable. Checking Polynomial Relations x : : = x = q y y q + p : = q q+ = x : : = y = q p : = xq x y+ p : = ( xq + ) q ( xq + ) yq + = q p x: = x ( q ) p : = x y+ CP+CV 4, Barcelona, March 6, 4 46

20 Question: How to infer unknown identities? Idea: Consider generic polynomial! Lemma: p = y x... x ( y fresh variables) Suppose j jk J j,..., jl k j,..., jl ( j,, jk ) J t Then: π t ( π J )[ / ] k p = a x... x ( j,, jk ) J p = p a y j j j,..., jl k Computing Polynomial Relations x : : = x = q y y q + x : : = y = q x: = x ( q ) p : = ( a+ b+ c) q+ ( d a) 4 : = ( + ) + ( ) p a c d q cq d a p : = axq ax + by + cq + d p : axq aq axq a byq cq d q p (( a c d) q cq a d) = = p := ax by cq d a+ b+ c= d a = a+ c d = c= d a= All identities of the form ax ay + a = a = d = b c= are valid.

21 Summary Precise program analysis through (linear) algebra Affine programs: Interprocedural derivation of all valid polynomial relations of degree d (under affine pre-condition) Summarize procedures by linear space of matrices Polynomial programs: Intraprocedural derivation of all valid polynomial relations of degree d Future Challenges Affine & polynomial programs: can we do without a degree bound for polynomial relations? Affine programs: guards? Polynomial programs: interprocedural analysis? complexity bound? Other abstractions CP+CV 4, Barcelona, March 6, 4 5

22 References Seidl, MO: Precise Interprocedural Analysis through Linear Algebra. POPL 4. Seidl, MO: Polynomial constants are decidable. SAS, LNCS 477, pages 4-9. MO: Variations on Constants. Habilitationsschrift, Uni Dortmund,. Seidl, MO: Computing Polynomial Program Invariants. Submitted for publication (TR, FernUniversität Hagen). Rüthing, MO: On the Complexity of Constant Propagation. ESOP. available from: Questions?

A Tutorial on Program Analysis

A Tutorial on Program Analysis Markus Müller-Olm Dortmund University Thanks! Helmut Seidl (TU München) and Bernhard Steffen (Universität Dortmund) for discussions, inspiration, joint work,... 1 Dream of