Static Program Analysis

Transcription

1 Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University

2 Software Architektur Praxis-Workshop Bringen Sie Informatik zur Wirkung! Serviceorientiert, zustandslos, geschichtet, lose gekoppelt, ad hoc entstanden oder model-driven was ist die beste Softwarearchitektur? Inhalte des Workshops: Anhand eines realen Beispiels aus der Praxis entwickelt ihr in kleinen Teams die Architektur für ein Informationssystem. Da sich Software fortlaufend weiterentwickelt, prüfen wir, wie sich die Architektur gegenüber neuen, auch unerwarteten Anforderungen verhält und daran anpassen lässt. Gemeinsam diskutieren wir den Einfluss verschiedener Anforderungen, mögliche Varianten und ihre Auswirkungen. Außerdem zeigen wir euch die Aufgaben eines Softwarearchitekten und wie er Projekte zum Erfolg führt. Mittwoch, , Uhr Seminarraum , B-IT Research School, RWTH Aachen (Ahornstraße 55) Melden Sie sich unter Angabe Ihres Semesters bis zum an. Wir freuen uns auf Sie! Kontakt: Anne-Kristin Hauk itestra GmbH

3 Recap: The MOP Solution The MOP Solution Definition (MOP solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system where Lab = {l 1,..., l n }. The MOP solution for S is determined by where, for every l Lab, mop(s) := (mop(l 1 ),..., mop(l n )) D n mop(l) := {ϕ π (ι) π Path(l)}. Remark: Path(l) is generally infinite not clear how to compute mop(l) In fact: MOP solution generally undecidable (later) 4 of 27 Static Program Analysis

4 Recap: The MOP Solution MOP vs. Fixpoint Solution I Example (Constant Propagation) c := if [z > 0] 1 then [x := 2] 2 ; [y := 3] 3 else [x := 3] 4 ; [y := 2] 5 end; [z := x+y] 6 ; [...] 7 Transfer functions (for δ = (δ(x), δ(y), δ(z)) D): ϕ 1 (a, b, c) = (a, b, c) ϕ 2 (a, b, c) = (2, b, c) ϕ 3 (a, b, c) = (a, 3, c) ϕ 4 (a, b, c) = (3, b, c) ϕ 5 (a, b, c) = (a, 2, c) ϕ 6 (a, b, c) = (a, b, a + b) 1. Fixpoint solution: CP 1 = ι = (,, ) CP 2 = ϕ 1 (CP 1 ) = (,, ) CP 3 = ϕ 2 (CP 2 ) = (2,, ) CP 4 = ϕ 1 (CP 1 ) = (,, ) CP 5 = ϕ 4 (CP 4 ) = (3,, ) CP 6 = ϕ 3 (CP 3 ) ϕ 5 (CP 5 ) = (2, 3, ) (3, 2, ) = (,, ) CP 7 = ϕ 6 (CP 6 ) = (,, ) 2. MOP solution: mop(7) = ϕ [1,2,3,6] (,, ) ϕ [1,4,5,6] (,, ) = (2, 3, 5) (3, 2, 5) = (,, 5) 5 of 27 Static Program Analysis

5 Recap: The MOP Solution MOP vs. Fixpoint Solution II Theorem (MOP vs. Fixpoint Solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a dataflow system. Then Reminder: by Definition 4.9, mop(s) fix(φ S ) Φ S : D n D n : (d 1,..., d n ) (d 1,..., d n) where Lab = {1,..., n} and, for each l Lab, Proof. on the board d l := { ι if l E {ϕl (d l ) (l, l) F} otherwise Remark: as Example?? shows, mop(s) fix(φ S ) is possible 6 of 27 Static Program Analysis

6 Recap: The MOP Solution Distributivity of Transfer Functions A sufficient condition for the coincidence of MOP and Fixpoint Solution is the distributivity of the transfer functions. Definition (Distributivity) Let (D, ) and (D, ) be complete lattices. Function F : D D is called distributive (w.r.t. (D, ) and (D, )) if, for every d 1, d 2 D, F(d 1 D d 2 ) = F(d 1 ) D F(d 2 ). A dataflow system S = (Lab, E, F, (D, ), ι, ϕ) is called distributive if every ϕ l : D D (l Lab) is so. 7 of 27 Static Program Analysis

7 Recap: The MOP Solution Coincidence of MOP and Fixpoint Solution Theorem (MOP vs. Fixpoint Solution) Let S = (Lab, E, F, (D, ), ι, ϕ) be a distributive dataflow system. Then mop(s) = fix(φ S ) Proof. mop(s) fix(φ S ): Theorem?? fix(φ S ) mop(s): as fix(φ S ) is the least fixpoint of Φ S, it suffices to show that Φ S (mop(s)) = mop(s) (on the board) 8 of 27 Static Program Analysis

8 Undecidability of the MOP Solution Undecidability of the MOP Solution I Theorem 7.1 (Undecidability of MOP solution) The MOP solution for Constant Propagation is undecidable. Proof. Based on undecidability of Modified Post Correspondence Problem: Let Γ be some alphabet, n N, and u 1,..., u n, v 1,..., v n Γ +. Do there exist i 1,..., i m {1,..., n} with m 1 and i 1 = 1 such that u i1 u i2... u im = v i1 v i2... v im? Given a MPCP, we construct a WHILE program (with strings and Booleans) whose MOP analysis detects a constant property iff the MPCP has no solution (see next slide). 10 of 27 Static Program Analysis

9 Undecidability of the MOP Solution Undecidability of the MOP Solution II Proof (continued). x := u 1 ;y := v 1 ; while... do if... then x := x ++ u 1 ; y := y ++ v 1 else if... then. else x := x ++ u n ; y := y ++ v n end... end end; z := (x = y); [skip] l Then: mop(l)(z) = false x y at the end of every path to l the MPCP has no solution 11 of 27 Static Program Analysis

10 Dataflow Analysis with Non-ACC Domains Dataflow Analysis with Non-ACC Domains Reminder: (D, ) satisfies ACC if each ascending chain d 0 d 1... eventually stabilises, i.e., there exists n N such that d n = d n+1 =... If height (= maximal chain size - 1) of (D, ) is m, then fixpoint computation terminates after at most Lab m iterations But: if (D, ) has non-stabilising ascending chains = algorithm may not terminate Solution: use widening operators to enforce termination 13 of 27 Static Program Analysis

11 Example: Interval Analysis Example: Interval Analysis Interval Analysis The goal of Interval Analysis is to determine, for each (interesting) program point, a safe interval for the values of the (interesting) program variables. Interval analysis is actually a generalisation of constant propagation ( interval analysis with 1-element intervals) Example 7.2 (Interval Analysis) var a[100]: int; i := 0; while i <= 42 do if i >= 0 i < 100 then a[i] := i end; i := i + 1; end; = redundant array bounds check 15 of 27 Static Program Analysis

12 Example: Interval Analysis The Domain of Interval Analysis The domain (Int, ) of intervals over Z is defined by Int := {[z 1, z 2 ] z 1 Z { }, z 2 Z {+ }}, z 1 z 2 } { } where z and z + (for all z Z) J (for all J Int) [y 1, y 2 ] [z 1, z 2 ] iff y 1 z 1 and y 2 z 2 (Int, ) is a complete lattice with (for every I Int) { if I = or I = { } I = [Z 1, Z 2 ] otherwise where Z 1 := Z { } {z 1 [z 1, z 2 ] I} Z 2 := Z {+ } {z 2 [z 1, z 2 ] I} (and thus =, = [, + ]) Clearly (Int, ) has infinite ascending chains, such as [1, 1] [1, 2] [1, 3] of 27 Static Program Analysis

13 Example: Interval Analysis The Complete Lattice of Interval Analysis [, + ] [, 1] [, 0] [, 1] [ 2, 2] [ 2, 1] [ 1, 2] [ 1, + ] [0, + ] [1, + ] 17 of 27 Static Program Analysis [ 2, 0] [ 1, 1] [0, 2] [ 2, 1] [ 1, 0] [0, 1] [1, 2] [ 2, 2] [ 1, 1] [0, 0] [1, 1] [2, 2]

14 Formalising Interval Analysis Formalising Interval Analysis I The dataflow system S = (Lab, E, F, (D, ), ι, ϕ) is given by set of labels Lab := Lab c extremal labels E := {init(c)} (forward problem) flow relation F := flow(c) (forward problem) complete lattice (D, ) where D := {δ δ : Var c Int} δ 1 δ 2 iff δ 1 (x) δ 2 (x) for every x Var c ι := D : Var c Int : x Int (with Int = [, + ]) ϕ: see next slide 19 of 27 Static Program Analysis

15 Formalising Interval Analysis Formalising Interval Analysis II Transfer functions {ϕ l l Lab} are defined by { δ if B l = skip or B ϕ l (δ) := l BExp δ[x val δ (a)] if B l = (x := a) where with val δ (x) := δ(x) val δ (z) := [z, z] val δ (a 1 +a 2 ) := val δ (a 1 ) val δ (a 2 ) val δ (a 1 -a 2 ) := val δ (a 1 ) val δ (a 2 ) val δ (a 1 *a 2 ) := val δ (a 1 ) val δ (a 2 ) J := J := J :=... := [y 1, y 2 ] [z 1, z 2 ] := [y 1 + z 1, y 2 + z 2 ] [y 1, y 2 ] [z 1, z 2 ] := [y 1 z 2, y 2 z 1 ] [y 1, y 2 ] [z 1, z 2 ] := [ {y 1 z 1, y 1 z 2, y 2 z 1, y 2 z 2 }, {y 1 z 1, y 1 z 2, y 2 z 1, y 2 z 2 }] 20 of 27 Static Program Analysis

16 Formalising Interval Analysis Remarks Possible refinement of DFA to take conditional blocks b l (b BExp) into account essentially: b as edge label, ϕ l (δ)(x) = δ(x) \ {z Z x = z = b} (cf. DFA with Conditional Branches later) Important: soundness and optimality of abstract operations, e.g., : soundness: z 1 J 1, z 2 J 2 = z 1 + z 2 J 1 J 2 optimality: J 1 J 2 as precise (i.e., small) as possible 21 of 27 Static Program Analysis

17 Formalising Interval Analysis Interval Analysis without Widening Example 7.3 [x := 1] 1 while [...] 2 [x := x + 1] 3 Transfer functions (for δ(x) = J): ϕ 1 (J) = [1, 1] ϕ 2 (J) = J ϕ 3 ( ) = ϕ 3 ([x 1, x 2 ]) = [x 1 + 1, x 2 + 1] Application of worklist algorithm without widening: does not terminate (on the board) 22 of 27 Static Program Analysis

18 Applying Widening to Interval Analysis Widening Operators Definition 7.4 (Widening operator) Let (D, ) be a complete lattice. A mapping : D D D is called widening operator if for every d 1, d 2 D, d 1 d 2 d 1 d 2 and for all ascending chains d 0 d 1..., the ascending chain d 0 d 1... eventually stabilises where d 0 := d 0 and d i+1 := d i d i+1 for each i N Remarks: (d i ) i N is clearly an ascending chain as d i+1 = d i d i+1 d i d i+1 d i In contrast to, does not have to be commutative, associative, monotonic, nor absorptive (d d = d) The requirement d 1 d 2 d 1 d 2 guarantees soundness of widening 24 of 27 Static Program Analysis

19 Applying Widening to Interval Analysis Applying Widening to Interval Analysis A widening operator: : Int Int Int with J := J := J [x 1, x 2 ] [y 1, y 2 ] := [z { 1, z 2 ] where x1 if x 1 y 1 z 1 := z 2 := { otherwise x2 if x 2 y 2 + otherwise Widening turns infinite ascending chain J 0 = J 1 = [1, 1] J 2 = [1, 2] J 3 = [1, 3]... into a finite one: J 0 = J 0 = J 1 = J 0 J 1 = [1, 1] = [1, 1] = J 1 J 2 = [1, 1] [1, 2] = [1, + ] J 2 J 3 = J 2 J 3 = [1, + ] [1, 3] = [1, + ] In fact, the maximal chain size arising with this operator is 4: [3, 7] [3, + ] [, + ] 25 of 27 Static Program Analysis

20 Applying Widening to Interval Analysis Worklist Algorithm with Widening I Goal: extend Algorithm 5.1 by widening to ensure termination Algorithm 7.5 (Worklist algorithm with widening) Input: dataflow system S = (Lab, E, F, (D, ), ι, ϕ) Variables: W (Lab Lab), {AI l D l Lab} Procedure: W := ε; for (l, l ) F do W := W (l, l ); % Initialise W for l Lab do if l E then AI l := ι else AI l := D ; % Initialise AI while W ε do (l, l ) := head(w); W := tail(w); % Next control-flow edge if ϕ l (AI l ) AI l then % Fixpoint not yet reached AI l := AI l ϕ l (AI l ); % Update analysis information for (l, l ) F do if (l, l ) not in W then W := (l, l ) W; % Propagate modification Output: {AI l l Lab}, denoted by fix (Φ S ) Remark: due to widening, only fix (Φ S ) fix(φ S ) is guaranteed (cf. Thm. 5.4) 26 of 27 Static Program Analysis

21 Applying Widening to Interval Analysis Worklist Algorithm with Widening II Example 7.6 [x := 1] 1 while [...] 2 [x := x + 1] 3 Transfer functions (for δ(x) = J): ϕ 1 (J) = [1, 1] ϕ 2 (J) = J ϕ 3 ( ) = ϕ 3 ([x 1, x 2 ]) = [x 1 + 1, x 2 + 1] Application of worklist algorithm with widening: terminates with expected result for AI 2 ([1, + ]) (on the board) 27 of 27 Static Program Analysis