Static Program Analysis

Size: px

Start display at page:

Download "Static Program Analysis"

Brice Shaw
5 years ago
Views:

1 Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University

2 Recap: Interprocedural Dataflow Analysis Outline of Lecture 18 Recap: Interprocedural Dataflow Analysis The Interprocedural Fixpoint Solution Correctness of Fixpoint Solution 2 of 19 Static Program Analysis

3 Recap: Interprocedural Dataflow Analysis Extending the Syntax Syntactic categories: Category Domain Meta variable Procedure identifiers Pid = {P, Q,...} P Procedure declarations PDec p Commands (statements) Cmd c Context-free grammar p ::= proc [P(val x,res y)] l n is c [end]l x ;p ε PDec c ::= [skip] l [x := a] l c 1 ;c 2 if [b] l then c 1 else c 2 end while [b] l do c end [call P(a,x)] l c lr Cmd All labels and procedure names in program p c distinct In proc [P(val x,res y)] l n is c [end]l x, l n / l x refers to the entry / exit of P In [call P(a,x)] l c lr, l c / l r refers to the call of / return from P First parameter call-by-value (input), second call-by-result (output) 3 of 19 Static Program Analysis

4 Recap: Interprocedural Dataflow Analysis Naive Formulation Attempt: directly transfer techniques from intraprocedural analysis = treat (l c ; l n ) like (l c, l n ) and (l x ; l r ) like (l x, l r ) Given: dataflow system S = (Lab, E, F, (D, ), ι, ϕ) For each procedure call [call P(a,x)] l c lr : transfer functions ϕ lc, ϕ lr : D D (definition later) For each procedure declaration proc [P(val x,res y)] l n is c [end]l x : transfer functions ϕ ln, ϕ lx : D D (definition later) Induces equation system { ι if l E AI l = {ϕl (AI l ) (l, l) F or (l ; l) F} otherwise Problem: procedure calls (l c ; l n ) and procedure returns (l x ; l r ) treated like goto s = nesting of calls and returns ignored = too many paths considered = analysis information possibly imprecise (but still sound as all valid paths covered) 4 of 19 Static Program Analysis

5 Recap: Interprocedural Dataflow Analysis Valid Paths Consider only paths with correct nesting of procedure calls and returns Yields MVP solution (Meet over all Valid Paths) Definition (Valid path fragments) Given a dataflow system S = (Lab, E, F, (D, ), ι, ϕ) and l 1, l 2 Lab, the set of valid paths from l 1 to l 2 is generated by the nonterminal symbol P[l 1, l 2 ] according to the following context-free grammar: P[l 1, l 2 ] l 1 whenever l 1 = l 2 P[l 1, l 3 ] l 1, P[l 2, l 3 ] whenever (l 1, l 2 ) F P[l c, l] l c, P[l n, l x ], P[l r, l] whenever (l c, l n, l x, l r ) iflow 5 of 19 Static Program Analysis

6 Recap: Interprocedural Dataflow Analysis The MVP Solution I Definition (Complete valid paths) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system. For every l Lab, the set of valid paths up to l is given by VPath(l) := {[l 1,..., l k 1 ] k 1, l 1 E, l k = l, [l 1,..., l k ] valid path from l 1 to l k }. For π = [l 1,..., l k 1 ] VPath(l), we define the transfer function ϕ π : D D by (so that ϕ [] = id D ). ϕ π := ϕ lk 1... ϕ l1 id D 6 of 19 Static Program Analysis

7 Recap: Interprocedural Dataflow Analysis The MVP Solution II Definition (MVP solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system where Lab = {l 1,..., l n }. The MVP solution for S is determined by mvp(s) := (mvp(l 1 ),..., mvp(l n )) D n where, for every l Lab, mvp(l) := {ϕ π (ι) π VPath(l)}. Corollary 1. mvp(s) mop(s) 2. The MVP solution is undecidable. Proof. 1. since VPath(l) Path(l) for every l Lab 2. as mvp(s) = mop(s) in intraprocedural case and MOP solution undecidable (Thm. 6.6) 7 of 19 Static Program Analysis

8 The Interprocedural Fixpoint Solution Outline of Lecture 18 Recap: Interprocedural Dataflow Analysis The Interprocedural Fixpoint Solution Correctness of Fixpoint Solution 8 of 19 Static Program Analysis

9 The Interprocedural Fixpoint Solution The Interprocedural Fixpoint Solution Goal: adapt fixpoint solution to avoid invalid paths For simplification: consider only forward problems 9 of 19 Static Program Analysis

10 The Interprocedural Fixpoint Solution The Interprocedural Fixpoint Solution Goal: adapt fixpoint solution to avoid invalid paths For simplification: consider only forward problems Approach: represent combined effect of procedure execution by procedure summaries (to be used in node transfer function of return label) 9 of 19 Static Program Analysis

11 The Interprocedural Fixpoint Solution The Interprocedural Fixpoint Solution Goal: adapt fixpoint solution to avoid invalid paths For simplification: consider only forward problems Approach: represent combined effect of procedure execution by procedure summaries (to be used in node transfer function of return label) Two types of functions: Node transfer functions ϕ l : for non-procedural constructs (skip, assignments, tests): as before (specific to analysis) for procedure call (l c ): parameter passing (specific to analysis) for procedure entry (l n ): initialisation (specific to analysis) for procedure exit (l x ): always identity for procedure return (l r ): combine call context with procedure result obtained from summary function (combine specific to analysis) ϕ lr (d) = combine(d, Φ lx (ϕ lc (d))) 9 of 19 Static Program Analysis

12 The Interprocedural Fixpoint Solution The Interprocedural Fixpoint Solution Goal: adapt fixpoint solution to avoid invalid paths For simplification: consider only forward problems Approach: represent combined effect of procedure execution by procedure summaries (to be used in node transfer function of return label) Two types of functions: Node transfer functions ϕ l : for non-procedural constructs (skip, assignments, tests): as before (specific to analysis) for procedure call (l c ): parameter passing (specific to analysis) for procedure entry (l n ): initialisation (specific to analysis) for procedure exit (l x ): always identity for procedure return (l r ): combine call context with procedure result obtained from summary function ϕ lr (d) = combine(d, Φ lx (ϕ lc (d))) (combine specific to analysis) Procedure summary functions Φ l : for procedure entry (l n ): identity for procedure exit (l x ): full effect inductively defined by stepwise composition of node transfer functions 9 of 19 Static Program Analysis

13 The Interprocedural Fixpoint Solution Procedure Summaries [P(val x,res y)] l n Φ ln = id D [...] l 1 Φ l1 = ϕ ln [...] l 2 Φ l2 = ϕ l1 ϕ ln = Φ l3 [...] l 3 [end] l x Φ lx = ϕ l2 ϕ l1 ϕ ln ϕ l3 ϕ l1 ϕ ln 10 of 19 Static Program Analysis

14 The Interprocedural Fixpoint Solution Information Flow. [P(val x,res y)] l n [call P(a,z)] l c lr.. [end] l x 11 of 19 Static Program Analysis

15 The Interprocedural Fixpoint Solution Information Flow 1. Parameter passing (ϕ lc ). [P(val x,res y)] l n d (1) ϕ lc (d) [call P(a,z)] l c lr.. [end] l x 11 of 19 Static Program Analysis

16 The Interprocedural Fixpoint Solution Information Flow 1. Parameter passing (ϕ lc ) 2. Procedure entry (ϕ ln ). [P(val x,res y)] l n d (1) ϕ lc (d) (2) ϕ ln (ϕ lc (d)) [call P(a,z)] l c lr.. [end] l x 11 of 19 Static Program Analysis

17 The Interprocedural Fixpoint Solution Information Flow 1. Parameter passing (ϕ lc ) 2. Procedure entry (ϕ ln ). [P(val x,res y)] l n 3. Procedure summary (Φ lx ) d (1) ϕ lc (d) (2) ϕ ln (ϕ lc (d)) [call P(a,z)] l c lr. (3) Φ lx (ϕ lc (d)) (3) Φ lx (ϕ lc (d)). [end] l x 11 of 19 Static Program Analysis

18 The Interprocedural Fixpoint Solution Information Flow 1. Parameter passing (ϕ lc ) 2. Procedure entry (ϕ ln ). [P(val x,res y)] l n 3. Procedure summary (Φ lx ) 4. Return (combine) d (1) ϕ lc (d) (2) ϕ ln (ϕ lc (d)) [call P(a,z)] l c lr. (4) combine(d, Φ lx (ϕ lc (d))) (3) Φ lx (ϕ lc (d)) (3) Φ lx (ϕ lc (d)). [end] l x 11 of 19 Static Program Analysis

19 The Interprocedural Fixpoint Solution Example: Constant Propagation Example 18.1 (Constant Propagation; cf. Lecture 5/6) Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) is determined by D := {δ δ : Var c Z {, }} (constant/undefined/overdefined) z for every z Z ι := δ D For each l Lab \ {l c, l n, l x, l r (l c, l n, l x, l r ) iflow}, { δ if B l = skip or B ϕ l (δ) := l BExp δ[x val δ (a)] if B l = (x := a) 12 of 19 Static Program Analysis

20 The Interprocedural Fixpoint Solution Example: Constant Propagation Example 18.1 (Constant Propagation; cf. Lecture 5/6) Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) is determined by D := {δ δ : Var c Z {, }} (constant/undefined/overdefined) z for every z Z ι := δ D For each l Lab \ {l c, l n, l x, l r (l c, l n, l x, l r ) iflow}, { δ if B l = skip or B ϕ l (δ) := l BExp δ[x val δ (a)] if B l = (x := a) Whenever p c contains [call P(a,z)] l c lr and proc [P(val x,res y)] l n is c [end]l x : call/entry: set input and reset output parameter ϕ lc (δ) := δ[x val δ (a), y ], ϕ ln (δ) := δ return: reset parameters (x, y possibly used in calling context) and set return value ϕ lr (δ) := combine(δ, Φ lx (ϕ lc (δ))), combine(δ, δ ) := δ [x δ(x), y δ(y), z δ (y)] (note: order of δ updates important in case z {x, y}; definition of Φ: later) 12 of 19 Static Program Analysis

21 Outline of Lecture 18 Recap: Interprocedural Dataflow Analysis The Interprocedural Fixpoint Solution Correctness of Fixpoint Solution 13 of 19 Static Program Analysis

22 Types of Equations For an interprocedural dataflow system Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) the intraprocedural equation system (cf. Definition 4.3) AI l = { ι if l E {ϕl (AI l ) (l, l) F} otherwise is extended to a system with three kinds of equations (for l Lab): 14 of 19 Static Program Analysis

23 Types of Equations For an interprocedural dataflow system Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) the intraprocedural equation system (cf. Definition 4.3) AI l = { ι if l E {ϕl (AI l ) (l, l) F} otherwise is extended to a system with three kinds of equations (for l Lab): for actual dataflow information: AI l D counterpart of intraprocedural AI 14 of 19 Static Program Analysis

24 Types of Equations For an interprocedural dataflow system Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) the intraprocedural equation system (cf. Definition 4.3) AI l = { ι if l E {ϕl (AI l ) (l, l) F} otherwise is extended to a system with three kinds of equations (for l Lab): for actual dataflow information: AI l D counterpart of intraprocedural AI for node transfer functions: ϕ l : D D extension of intraprocedural transfer functions by handling of procedure calls 14 of 19 Static Program Analysis

25 Types of Equations For an interprocedural dataflow system Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) the intraprocedural equation system (cf. Definition 4.3) AI l = { ι if l E {ϕl (AI l ) (l, l) F} otherwise is extended to a system with three kinds of equations (for l Lab): for actual dataflow information: AI l D counterpart of intraprocedural AI for node transfer functions: ϕ l : D D extension of intraprocedural transfer functions by handling of procedure calls for procedure summary functions of complete procedures: Φ l : D D Φ l (d) yields information at (entry of) l if corresponding procedure is called with information d thus Φ ln (d) = d and complete procedure effect represented by Φ lx (d) 14 of 19 Static Program Analysis

26 Formal Definition of Equation System Dataflow equations (for each l Lab): ι AI l = AI lc {ϕl (AI l ) (l, l) F or (l ; l) F} if l E if l = l r for some (l c, l n, l x, l r ) iflow otherwise 15 of 19 Static Program Analysis

27 Formal Definition of Equation System Dataflow equations (for each l Lab): ι AI l = AI lc {ϕl (AI l ) (l, l) F or (l ; l) F} if l E if l = l r for some (l c, l n, l x, l r ) iflow otherwise Node transfer functions (for each l Lab \ {l x (l c, l n, l x, l r ) iflow}): { combine(d, Φlx (ϕ ϕ l (d) = lc (d))) if l = l r for some (l c, l n, l x, l r ) iflow specific to analysis otherwise 15 of 19 Static Program Analysis

28 Formal Definition of Equation System Dataflow equations (for each l Lab): ι AI l = AI lc {ϕl (AI l ) (l, l) F or (l ; l) F} if l E if l = l r for some (l c, l n, l x, l r ) iflow otherwise Node transfer functions (for each l Lab \ {l x (l c, l n, l x, l r ) iflow}): { combine(d, Φlx (ϕ ϕ l (d) = lc (d))) if l = l r for some (l c, l n, l x, l r ) iflow specific to analysis otherwise Procedure summary functions (for each l Lab occurring in some procedure): d if l = l n for some (l c, l n, l x, l r ) iflow Φ l (d) = Φ lc (d) if l = l r for some (l c, l n, l x, l r ) iflow {ϕl (Φ l (d)) (l, l) F} otherwise 15 of 19 Static Program Analysis

29 Formal Definition of Equation System Dataflow equations (for each l Lab): ι AI l = AI lc {ϕl (AI l ) (l, l) F or (l ; l) F} if l E if l = l r for some (l c, l n, l x, l r ) iflow otherwise Node transfer functions (for each l Lab \ {l x (l c, l n, l x, l r ) iflow}): { combine(d, Φlx (ϕ ϕ l (d) = lc (d))) if l = l r for some (l c, l n, l x, l r ) iflow specific to analysis otherwise Procedure summary functions (for each l Lab occurring in some procedure): d if l = l n for some (l c, l n, l x, l r ) iflow Φ l (d) = Φ lc (d) if l = l r for some (l c, l n, l x, l r ) iflow {ϕl (Φ l (d)) (l, l) F} otherwise Note: introduces recursive equations for AI l (of type D) and Φ l (of type D D) 15 of 19 Static Program Analysis

30 Solving the Equation System Monotonicity of ϕ l implies monotonicity of Φ l (Φ l : D mon D) 16 of 19 Static Program Analysis

31 Solving the Equation System Monotonicity of ϕ l implies monotonicity of Φ l (Φ l : D mon D) Complete lattice property of (D, ) ensures that (D mon D, ) is complete lattice Φ 1 Φ 2 iff d D : Φ 1 (d) Φ 2 (d) (pointwise extension) 16 of 19 Static Program Analysis

32 Solving the Equation System Monotonicity of ϕ l implies monotonicity of Φ l (Φ l : D mon D) Complete lattice property of (D, ) ensures that (D mon D, ) is complete lattice Φ 1 Φ 2 iff d D : Φ 1 (d) Φ 2 (d) (pointwise extension) Equation system induces monotonic functional on complete lattice ΨŜ : }{{} D n (D mon D) m D }{{} n (D mon D) m AI Φ where n = Lab and m n (procedure labels) 16 of 19 Static Program Analysis

33 Solving the Equation System Monotonicity of ϕ l implies monotonicity of Φ l (Φ l : D mon D) Complete lattice property of (D, ) ensures that (D mon D, ) is complete lattice Φ 1 Φ 2 iff d D : Φ 1 (d) Φ 2 (d) (pointwise extension) Equation system induces monotonic functional on complete lattice ΨŜ : D n }{{} AI (D mon D) m }{{} Φ D n (D mon D) m where n = Lab and m n (procedure labels) Thus least solution effectively computable by fixpoint iteration (Theorem 3.15): where = ( n D, [d D d D] m ) fix(ψŝ) = {Ψ k Ŝ ( ) k N} Dn (D mon D) m 16 of 19 Static Program Analysis

34 Solving the Equation System Monotonicity of ϕ l implies monotonicity of Φ l (Φ l : D mon D) Complete lattice property of (D, ) ensures that (D mon D, ) is complete lattice Φ 1 Φ 2 iff d D : Φ 1 (d) Φ 2 (d) (pointwise extension) Equation system induces monotonic functional on complete lattice ΨŜ : D n }{{} AI (D mon D) m }{{} Φ D n (D mon D) m where n = Lab and m n (procedure labels) Thus least solution effectively computable by fixpoint iteration (Theorem 3.15): fix(ψŝ) = {Ψ k Ŝ ( ) k N} Dn (D mon D) m where = ( n D, [d D d D] m ) Moreover: (D mon D, ) satisfies ACC if (D, ) satisfies ACC Φ l distributive if ϕ l distributive 16 of 19 Static Program Analysis

35 Solving the Equation System Monotonicity of ϕ l implies monotonicity of Φ l (Φ l : D mon D) Complete lattice property of (D, ) ensures that (D mon D, ) is complete lattice Φ 1 Φ 2 iff d D : Φ 1 (d) Φ 2 (d) (pointwise extension) Equation system induces monotonic functional on complete lattice ΨŜ : D n }{{} AI (D mon D) m }{{} Φ D n (D mon D) m where n = Lab and m n (procedure labels) Thus least solution effectively computable by fixpoint iteration (Theorem 3.15): fix(ψŝ) = {Ψ k Ŝ ( ) k N} Dn (D mon D) m where = ( n D, [d D d D] m ) Moreover: (D mon D, ) satisfies ACC if (D, ) satisfies ACC Φ l distributive if ϕ l distributive Problem: effective and efficient representation of procedure summaries D finite = D mon D finite = can use (compact representation of) value tables often: demand-driven approach (restrict analysis to values occurring in calls) example: Constant Propagation (see following slide) 16 of 19 Static Program Analysis

36 Example of Equation System Example 18.2 (Constant Propagation) Program: proc [P(val x, res y)] 1 is [y := 2*(x-1)] 2 ; [end] 3 ; [call P(2, z)] 4 5; [call P(z, z)] 6 7; [skip] 8 17 of 19 Static Program Analysis

37 Example of Equation System Example 18.2 (Constant Propagation) Program: proc [P(val x, res y)] 1 is [y := 2*(x-1)] 2 ; [end] 3 ; [call P(2, z)] 4 5; [call P(z, z)] 6 7; [skip] 8 Dataflow equations: AI 1 = ϕ 4 (AI 4 ) ϕ 6 (AI 6 ) AI 2 = ϕ 1 (AI 1 ) AI 3 = ϕ 2 (AI 2 ) AI 4 = ι = [x, y, z ] AI 5 = AI 4 AI 6 = ϕ 5 (AI 5 ) AI 7 = AI 6 AI 8 = ϕ 7 (AI 7 ) 17 of 19 Static Program Analysis

38 Example of Equation System Example 18.2 (Constant Propagation) Program: proc [P(val x, res y)] 1 is [y := 2*(x-1)] 2 ; [end] 3 ; [call P(2, z)] 4 5; [call P(z, z)] 6 7; [skip] 8 Dataflow equations: AI 1 = ϕ 4 (AI 4 ) ϕ 6 (AI 6 ) AI 2 = ϕ 1 (AI 1 ) AI 3 = ϕ 2 (AI 2 ) AI 4 = ι = [x, y, z ] AI 5 = AI 4 AI 6 = ϕ 5 (AI 5 ) AI 7 = AI 6 AI 8 = ϕ 7 (AI 7 ) Node transfer functions: ϕ 1 (δ) = δ ϕ 2 (δ) = δ[y val δ (2*(x-1))] ϕ 4 (δ) = δ[x 2, y ] ϕ 5 (δ) = combine(δ, Φ 3 (ϕ 4 (δ))) ϕ 6 (δ) = δ[x δ(z), y ] ϕ 7 (δ) = combine(δ, Φ 3 (ϕ 6 (δ))) combine(δ, δ ) = δ [x δ(x), y δ(y), z δ (y)] 17 of 19 Static Program Analysis

39 Example of Equation System Example 18.2 (Constant Propagation) Program: proc [P(val x, res y)] 1 is [y := 2*(x-1)] 2 ; [end] 3 ; [call P(2, z)] 4 5; [call P(z, z)] 6 7; [skip] 8 Dataflow equations: AI 1 = ϕ 4 (AI 4 ) ϕ 6 (AI 6 ) AI 2 = ϕ 1 (AI 1 ) AI 3 = ϕ 2 (AI 2 ) AI 4 = ι = [x, y, z ] AI 5 = AI 4 AI 6 = ϕ 5 (AI 5 ) AI 7 = AI 6 AI 8 = ϕ 7 (AI 7 ) Node transfer functions: ϕ 1 (δ) = δ ϕ 2 (δ) = δ[y val δ (2*(x-1))] ϕ 4 (δ) = δ[x 2, y ] ϕ 5 (δ) = combine(δ, Φ 3 (ϕ 4 (δ))) ϕ 6 (δ) = δ[x δ(z), y ] ϕ 7 (δ) = combine(δ, Φ 3 (ϕ 6 (δ))) combine(δ, δ ) = δ [x δ(x), y δ(y), z δ (y)] Procedure summary functions: Φ 1 (δ) = δ Φ 2 (δ) = ϕ 1 (Φ 1 (δ)) = δ Φ 3 (δ) = ϕ 2 (Φ 2 (δ)) = δ[y val δ (2*(x-1))] 17 of 19 Static Program Analysis

40 Example of Equation System Example 18.2 (Constant Propagation) Program: proc [P(val x, res y)] 1 is [y := 2*(x-1)] 2 ; [end] 3 ; [call P(2, z)] 4 5; [call P(z, z)] 6 7; [skip] 8 Dataflow equations: AI 1 = ϕ 4 (AI 4 ) ϕ 6 (AI 6 ) AI 2 = ϕ 1 (AI 1 ) AI 3 = ϕ 2 (AI 2 ) AI 4 = ι = [x, y, z ] AI 5 = AI 4 AI 6 = ϕ 5 (AI 5 ) AI 7 = AI 6 AI 8 = ϕ 7 (AI 7 ) Node transfer functions: ϕ 1 (δ) = δ ϕ 2 (δ) = δ[y val δ (2*(x-1))] ϕ 4 (δ) = δ[x 2, y ] ϕ 5 (δ) = combine(δ, Φ 3 (ϕ 4 (δ))) ϕ 6 (δ) = δ[x δ(z), y ] ϕ 7 (δ) = combine(δ, Φ 3 (ϕ 6 (δ))) combine(δ, δ ) = δ [x δ(x), y δ(y), z δ (y)] Procedure summary functions: Φ 1 (δ) = δ Φ 2 (δ) = ϕ 1 (Φ 1 (δ)) = δ Φ 3 (δ) = ϕ 2 (Φ 2 (δ)) = δ[y val δ (2*(x-1))] Fixpoint iteration: on the board 17 of 19 Static Program Analysis

41 Correctness of Fixpoint Solution Outline of Lecture 18 Recap: Interprocedural Dataflow Analysis The Interprocedural Fixpoint Solution Correctness of Fixpoint Solution 18 of 19 Static Program Analysis

42 Correctness of Fixpoint Solution Soundness and Completeness The following results carry over from the intraprocedural case: Theorem 18.3 Let S := (Lab, E, F, (D, ), ι, ϕ) be a dataflow system with interprocedural extension Ŝ := (Lab, E, F, (D, ), ι, ϕ, Φ) with MVP solution mvp(s) (Def. 17.9) and fixpoint solution fix(ψŝ) = (d 1,..., d n, f 1,..., f m ). Then: 1. (cf. Theorem 6.2) 2. (cf. Theorem 6.5) Proof. mvp(s) n (d 1,..., d n ) mvp(s) = (d 1,..., d n ) if all ϕ l are distributive see J. Knoop, B. Steffen: The Interprocedural Coincidence Theorem, Proc. CC 92, LNCS 641, Springer, 1992, of 19 Static Program Analysis

Static Program Analysis

Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Online Registration for Seminars and Practical Courses