Fundamentals of Program Analysis + Generation of Linear Prg. Invariants

Transcription

1 Fundamentals of Program Analysis + Generation of Linear Prg. Invariants Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany 2nd Tutorial of SPP RS3: Reliably Secure Software Systems Schloss Buchenau, September 3-6, 2012

2 Dream of Automatic Analysis program analyzer result main() { x=17; if (x>63) { y=17;x=10;x=x+1;} else { x=42; while (y<99) { y=x+y;x=y+1;} y=11;} x=y+1; printf(x); } G( Φ FΨ) specification of property

3 Fundamental Problem Rice s Theorem (informal version): All non-trivial semantic properties of programs from a Turing-complete programming language are undecidable. Consequence: For Turing-complete programming languages: Automatic analyzers of semantic properties, which are both correct and complete are impossible. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

4 What can we do about it? Give up automatic : interactive approaches: proof calculi, theorem provers, Give up sound :??? Give up complete : approximative approaches: Approximate analyses: data flow analysis, abstract interpretation, type checking, Analyse weaker formalism: model checking, reachability analysis, equivalence- or preorderchecking,

5 What can we do about it? Give up automatic automatic : interactive approaches: proof calculi,, theorem provers,, Give up sound sound : :??? Give up complete : approximative approaches: Approximate analyses: data flow analysis, abstract interpretation, type checking, Analyse weaker formalism: model checking, reachability analysis, equivalence- or preorderchecking,

6 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Apology for not giving proper credit in these lectures! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

7 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Apology for not giving proper credit in these lectures! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

8 From Programs to Flow Graphs 0 main() { x=17; if (x>63) { y=17;x=10;x=x+1;} else { x=x+42; while (y<99) { y=x+y;x=y+1;} y=11;} x=y+1; } x=17 1 y>63 2 y:=17 (y>63) 5 x=x+42 y< x:=10 (y<99) x=y x:=x+1 10 y:=11 x:=y y=x+y 11 Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

9 Dead Code Elimination Goal: find and eliminate assignments that compute values which are never used Fundamental problem: undecidability use approximate algorithm: e.g.: ignore that guards prohibit certain execution paths Technique: 1) perform live variables analyses: variable x is live at program point u iff there is a path from u on which x is used before it is modified 2) eliminate assignments to variables that are not live at the target point Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

10 Live Variables y>63 0 x=17 1 (y>63) y live 2 y:=17 5 x=x x:=10 (y<99) y<99 x=y+1 7 y=x+y 8 y live 4 9 x:=x+1 x dead y:=11 10 x:=y+1 11

11 Live Variables Analysis {y} {x,y} {y} y>63 0 x=17 1 (y>63) 2 y:=17 {y} 3 {x,y} {y} 6 {x,y} {y} {x,y} 5 x=x+42 x:=10 (y<99) 4 9 x:=x+1 y:=11 10 x:=y+1 y<99 x=y+1 7 {x,y} y=x+y 8 {y} {x,y} 11

12 Interpretation of Partial Orders in Approximate Program Analysis x y: x is more precise information than y. y is a correct approximation of x. X for X L, where (L, ) is the partial order: the most precise information consistent with all informations x X. Example: order for live variables analysis: (P(Var), ) with Var = set of variables in the program Remark: often dual interpretation in the literature!

13 Complete Lattice Complete lattice (L, ): a partial order (L, ) for which the least upper bound, X, exists for all X L. In a complete lattice (L, ): X exists for all X L: X = { x L x X } least element exists: = L = greatest element exists: = = L Example: for any set A let P(A) = {X X A } (power set of A). (P(A), ) is a complete lattice. (P(A), ) is a complete lattice.

14 Specifying Live Variables Analysis by a Constraint System Compute (smallest) solution over (L, ) = (P(Var), ) of: A[ fin] init, for fin, the termination node A[ u] f ( A[ v]), for each edge e = ( u, s, v) e where init = Var, f e :P(Var) P(Var), f e (x) = x\kill e gen e, with kill e = variables assigned at e gen e = variables used in an expression evaluated at e

15 Specifying Live Variables Analysis by a Constraint System Remarks: 1. Every solution is correct (whatever this means). 2. The smallest solution is called MFP-solution; it comprises a value MFP[u] L for each program point u. 3. MFP abbreviates maximal fixpoint for traditional reasons. 4. The MFP-solution is the most precise one. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

16 The Goal: Constant Propagation Find for each program point expressions or variables that have a constant value at this program point Enabled Optimizations: Replace constant variables or expressions at compile time by their value smaller and faster code Eliminate unreachable branches in the program smaller code Remarks: Constant expressions and variables appear often, e.g.; const-declarations in PASCAL final attributes in JAVA-interfaces,... values computed out of declared constants Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

17 x:=2 Constant Propagation 1 (2, 0,0) 2 5 (3,0,0) y:=3 (2,3,0) 3 6 (3,2,0) z:=x+y (0,0,0) x:=3 y:=2 z:=x+y ( ρ( x), ρ( y), ρ( z)) (2,3,5) 4 7 (3,2,5) 8??? (,,5) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

18 A Lattice for Constant Propagation An order on Z { }: unknown value L { ρ ρ : ( Z { }) } { } CP = VarG ( x Var x x ) ρ ρ ' : ρ = ρ ρ ' : ρ( ) ρ '( ) CP G Remark: (L, is a complete latt ice. CP ) CP Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

19 Constant Propagation 1 (2,, ) 2 5 (3,, ) y:=3 (2,3, ) z:=x+y x:=2 3 (,, ) x:=3 6 y:=2 (3,2, ) z:=x+y ( ρ( x), ρ( y), ρ( z)) (2,3,5) 4 7 (3,2,5) 8 (,,5) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

20 Specifying Constant Propagation by a Constraint System Sei G = (N,E,st,te) ein Flussgraph über BA std. Compute (smallest) solution over (L, ) = (L CP, CP ) of: V[ st] init, for st, the start note V[ v] f ( V[ u]), for each edge e = ( u, s, v) e where: init = CP L CP is the mapping CP (x) = and f e : L CP L CP is defined by f e (ρ) = df ρ{ t CP (ρ) / x}, if e = (u,x:=t,v) und ρ ρ, otherwise Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

21 Specifying Constant Propagation by a Constraint System Remarks: 1. Again, every solution is correct (whatever this means). 2. Again, the smallest solution is called MFP-solution; it comprises a value MFP[u] L for each program point u. 3. The MFP-solution is the most precise one. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

22 Backwards vs. Forward Analyses Live Variables Analysis is a Backwards Analysis, i.e.: analysis info flows from target node to source node of an edge the initial inequality is for the termination node of the flow graph A[ te] init, for te, the termination point A[ u] f ( A[ v]), for each edge e = ( u, s, v) E e Dually, constant propagation is a Forward Analyses i.e..: analysis info flows from source node to target node of an edge. the initial inequality is for the start node of the flow graph A[ st] init, for st,the start node A[ v] f ( A[ u]), for each edge e = ( u, s, v) E e Other examples: reaching definitions, available expressions,... Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

23 Monotone Data-Flow Problems Goal: A generic notion that captures what is common for different analyses Advantages: Study general properties of data flow problems independently of concrete analysis questions Build efficient, generic implementations Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

24 Definition: Monotone Data-Flow Problems A monotone data-flow problem is a tuple P = ((L, ),F,(N,E),st,init) consisting of: a complete lattice (L, ). The elements of L are called (data-flow facts). a set F of transfer functions f: L L, such that: each f F is monotone: x,y L : x y f(x) f(y) id F F is closed under composition: f,g F : f g F. A graph (N, E) with a finite set of edges N; each node of the graph is annotated with a transfer function f F: E N F N. st N is a designated initial node. init L is a designated initial information. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

25 Constraint System for a Data-Flow Problem Let P = ((L, ),F,(N,E),u 0,init) be a data-flow problem Compute (smallest) solution over (L, ) of the followi constraint system: A[ st] init, for st, the start node A[ v] f ( A[ u]), for each node e = ( u, f, v) E Note: Here, information flows from nodes to their successor nodes only. Hence, for backwards analyses the direction of the edges must be reversed when mapping it to the corresponding data-flow problem. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

26 Constraint System for a Data-Flow Problem Remarks: 1. Again, every solution is correct (whatever this means). 2. Again, the smallest solution is called MFP-solution; it comprises a value MFP[u] L for each program point u. 3. The MFP-solution is the most precise one. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

27 Three Questions Do (smallest) solutions always exist? How to compute the (smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

28 Three Questions Do (smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

29 Knaster-Tarski Fixpoint Theorem Definitions: Let (L, ) be a partial order. f : L L is monotonic iff x,y L : x y f(x) f(y). x L is a fixpoint of f iff f(x)=x. Fixpoint Theorem of Knaster-Tarski: Every monotonic function f on a complete lattice L has a least fixpoint lfp(f) and a greatest fixpoint gfp(f). More precisely, lfp(f) = { x L f(x) x } least pre-fixpoint gfp(f) = { x L x f(x) } greatest post-fixpoint

30 Knaster-Tarski Fixpoint Theorem L: pre-fixpoints of f gfp(f) fixpoints of f lfp(f) post-fixpoints of f Picture from: Nielson/Nielson/Hankin, Principles of Program Analysis

31 Smallest Solutions Always Exist Define functional F : L n L n from right hand sides of constraints such that: σ solution of constraint system iff σ pre-fixpoint of F Functional F is monotonic. By Knaster-Tarski Fixpoint Theorem: F has a least fixpoint which equals its least pre-fixpoint. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

32 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest) solution? How to justify that a solution is what we want? Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

33 Workset-Algorithm W = ; forall ( program points v) { A[ v] = ; W = W { v} ; } A[ st] = init; while W { u = Extract( W ); forall ( s, v with e = ( u, s, v) edge) { t = fe( A[ u]); if ( t A[ v]) { A[ v] = A[ v] t; W = W { v} ; } } } Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

34 Invariants of the Main Loop a) A[ u] MFP[ u] f.a. prg. points u b1) A[ st] init b2) u W A[ v] f e ( A[ u]) f.a. edges e = ( u, s, v) If and when workset algorithm terminates: A is a solution of the constraint system by b1)&b2) A[ u] MFP[ u] f.a. u Hence, with a): A[ u] = MFP[ u] f.a. u Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

35 How to Guarantee Termination Lattice (L, ) has finite heights algorithm terminates after at most #prg points (heights(l)+1) iterations of main loop Lattice (L, ) has no infinite ascending chains algorithm terminates Lattice (L, ) has infinite ascending chains: algorithm may not terminate; use widening operators in order to enforce termination Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

36 Widening Operator [Cousot/Cousot] : L L L is called a widening operator iff 1) x,y L: x y x y 2) for all sequences (l n ) n, the (ascending) chain (w n ) n w 0 = l 0, w i+1 = w i l i+1 for i > 0 stabilizes eventually.

37 Workset-Algorithm with Widening W = ; forall ( program points v) { A[ v] = ; W = W { v} ; } A[ st] = init; while W { u = Extract( W ); forall ( s, v with e = ( u, s, v) edge) { t = fe( A[ u]); if ( t A[ v]) { A[ v] = A[ v] t; W = W { v} ; } } } Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

38 Invariants of the Main Loop a) A[ u] MFP[ u] f.a. prg. points u b1) A[ st] init b2) u W A[ v] f e ( A[ u]) f.a. edges e = ( u, s, v) With a widening operator we enforce termination but we loose invariant a). Upon termination, we have: A is a solution of the constraint system by b1)&b2) A[ u] MFP[ u] f.a. u Compute a sound upper approximation (only)! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

39 Example of a Widening Operator: Interval Analysis The goal Find save interval for the values of program variables, e.g. of i in: for (i=0; i<42; i++) if (0<=i and i<42) { } A1 = A+i; M[A1] = i;..., e.g., in order to remove the redundant array range check.

40 Example of a Widening Operator: Interval Analysis The lattice... ({ } { } ) ( ) Z { } Z { } L, = [ l, u] l, u +, l u,... has infinite ascending chains, e.g.: [0,0] [0,1] [0,2]... A widening operator: [ l, u ] [ l, u ] = [ l, u ], where l l if l l u if u u = and u = otherwise + otherwise A chain of maximal length arising with this widening operator: [3,7] [3, + ] [, + ]

41 Analyzing the Program with the Widening Operator 0 i:=0 (i < 42) 1 i< i < 42 (0 i < 42) 3 7 A 1 := A + i 4 M[A 1 ] := i 5 i := i+1 6 Result is far too imprecise! Example taken from: H. Seidl, Vorlesung Programmoptimierung

42 Remedy 1: Loop Separators Apply the widening operator only at a loop separator (a set of program points that cuts each loop). We use the loop separator {1} here. (i < 42) 0 1 i:=0 i<42 8 (0 i < 42) i < 42 3 A 1 := A + i 4 M[A 1 ] := i 5 i := i+1 6 Identify condition at edge from 2 to 3 as redundant! Find out, prg. point 7 is unreachable!

43 Remedy 2: Narrowing Iterate again from the result obtained by widening --- Iteration from a prefix-point stays above the least fixpoint! --- (i < 42) 0 1 i:=0 i<42 8 (0 i < 42) i < 42 3 A 1 := A + i 4 M[A 1 ] := i 5 i := i+1 6 We get the exact result in this example (but not guaranteed)!

44 Remarks Can use a work-list instead of a work-set Special iteration strategies in special situations Semi-naive iteration (later!) Narrowing operators Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

45 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? MOP vs MFP-solution Abstract interpretation Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

46 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? MOP vs MFP-solution Abstract interpretation Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

47 Assessing Data Flow Frameworks Execution Semantics Abstraction MOP-solution sound? how precise? MFP-solution sound? precise? Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

48 Live Variables x := 17 {y} y := 17 x := 10 x := x+1 x := 42 y := 11 y := x+y x := y+1 x := y+1 out(x) infinitely many such paths MOP[ v] = { y} = { y}

49 Meet-Over-All-Paths Solution (MOP) Definition: The transfer function f π : L L of a path π: v 0 f 0...f k-1 v k, k 0, is: f π = f k-1... f 0. The MOP-solution is: MOP[v] = { f π (init) π Paths[st,v] } für alle v N. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

50 Coincidence Theorem Definition: A data-flow problem is positively-distributive if f( X)= { f(x) x X} for all sets X L and transfer functions f F. Theorem: For any instance of a positively-distributive data-flow problem: MOP[u] = MFP[u] for all program points u (if all program points reachable). Remark: A data-flow problem is positively-distributive if a) and b) hold: (a) it is distributive: f(x y) = f(x) f(y) f.a. f F, x,y L. (b) it is effective: the lattice L does not have infinite ascending chains. Remark: All bitvector frameworks are distributive and effective. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

51 Recall: Lattice for Constant Propagation unknown value lattice L : { ρ ρ : Var ( Z { })} { } : ρ ρ ' : ρ = ( ρ, ρ ' x : ρ( x) ρ '( x))

52 x := 17 ( ρ( x), ρ( y), ρ( z)) x := 2 x := 3 y := 3 y := 2 z := x+y (2,3,5) out(x) (3,2,5) MOP[ v] = (,,5) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

53 x := 17 ( ρ( x), ρ( y), ρ( z)) (,, ) x := 2 x := 3 (2,, ) (3,, ) y := 3 (2,3, ) (,, ) z := x+y (,, ) out(x) y := 2 (3,2, ) M FP[ v] = (,, ) MOP[ v] = (,,5) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

54 Correctness Theorem Recall:. We assume transfer functions in a dataflow problem to be monotone i.e.: x y f(x) f(y) for all f F, x,y L. Theorem: For any data-flow problem: MOP[u] MFP[u] for all program points u. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

55 Assessing Data Flow Frameworks Execution Semantics Abstraction MOP-solution sound MFP-solution sound precise, if distrib. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

56 Where Flow Analysis Looses Precision Execution semantics MOP MFP Widening Potential loss of precision Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

57 Three Questions Do (smallest smallest) solutions always exist? How to compute the (smallest smallest) solution? How to justify that a solution is what we want? MOP vs MFP-solution Abstract interpretation Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

58 Abstract Interpretation constraint system for Reference Semantics on concrete lattice (D, ) Replace concrete operators o by abstract operators o # constraint system for Analysis on abstract lattice (D #, # ) MFP MFP # Often used as reference semantics: sets of reaching runs: (D, ) = (P(Edges * ), ) or (D, ) = (P(Stmt * ), ) sets of reaching states ( Collecting Semantics ): (D, ) = (P(Σ * ), ) with Σ = Var Val Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

59 Abstract Interpretation constraint system for Reference Semantics on concrete lattice (D, ) Replace concrete operators o by abstract operators o # constraint system for Analysis on abstract lattice (D #, # ) MFP MFP # Assume a universally-disjunctive abstraction function α : D D #. Correct abstract interpretation: Show α(o(x 1,...,x k )) # o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) # MFP # [u] f.a. u Correct and precise abstract interpretation: Show α(o(x 1,...,x k )) = o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) = MFP # [u] f.a. u Use this as a guideline for designing correct (and precise) analyses! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

60 Abstract Interpretation Constraint system for reaching runs: Operational justification: Let R[u] be components of smallest solution over P(Edges *). Then Prove: { ε} R[ st], for st, the start node { } R[ v] R[ u] e, for each edge e = ( u, s, v) op R[ u] = R [ u] = { r Edges * st r u} for all u def a) R op [u] satisfies all constraints (direct) R[u] R op [u] f.a. u b) w R op [u] w R[u] (by induction on w ) R op [u] R[u] f.a. u

61 Abstract Interpretation Constraint system for reaching runs: { ε} R[ st], for st, the start node { } R[ v] R[ u] e, for each edge e = ( u, s, v) Derive the analysis: Replace {ε} by init ( ) { e } by f e Obtain abstracted constraint system: # R st init st [ ], for, the start node R [ v] f ( R [ u]), for each edge e = ( u, s, v) # # e

62 Abstract Interpretation MOP-Abstraction: Define α MOP : P(Edges *) L by Remark: { } α ( ) ( ) MOP R = f init r R where fε = Id, f = f f r s e e s If all transfer functions f e are monotone, the abstraction is correct, hence: α ΜOP (R[u]) R # [u] f.a. prg. points u If all transfer function f e are universally-distributive, i.e., f( X)= { f(x) x X} for all sets X L the abstraction is correct and precise, hence: α ΜOP (R[u]) = R # [u] f.a. prg. points u Justifies MOP vs. MFP theorems (cum grano salis). Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

63 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

64 Challenges for Automatic Analysis Data aspects: infinite number domains dynamic data structures (e.g. lists of unbounded length) pointers... Control aspects: recursion concurrency creation of processes / threads synchronization primitives (locks, monitors, communication stmts...)... infinite/unbounded state spaces Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

65 Classifying Analysis Approaches control aspects data aspects analysis techniques Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

66 (My) Main Interests of Recent Years Data aspects: algebraic invariants over Q, Z, Z m (m = 2 n ) in sequential programs, partly with recursive procedures invariant generation relative to Herbrand interpretation Control aspects: recursion concurrency with process creation / threads synchronization primitives, in particular locks/monitors Technics: fixpoint-based automata-based (linear) algebra syntactic substitution-based techniques...

67 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

68 A Note on Karr s Algorithm Markus Müller-Olm Joint work with Helmut Seidl (TU München) ICALP 2004, Turku, July 12-16, 2004

69 What this Excursion is About x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x 1 +5 x 3 :=x 3 +x 2 x 3 = x 1 2 x 2 = 2x 1-1

70 Affine Programs Basic Statements: affine assignments: x 1 := x 1-2x 3 +7 unknown assignments: x i :=? abstract too complex statements Affine Programs: control flow graph G=(N,E,st), where N E N Stmt N st N finite set of program points set of edges start node Note: non-deterministic instead of guarded branching

71 The Goal: Precise Analysis Given an affine program, determine for each program point all valid affine relations: a 0 + a i x i = 0 More ambitious goal: a i Q 5x 1 +7x 2-42=0 determine all valid polynomial relations (of degree d): p(x 1,,x k ) = 0 p Q[x 1,,x n ] 5x 1 x 22 +7x 33 =0

72 Applications of Affine (and Polynomial) Relations Data-flow analysis: definite equalities: x = y constant detection: x = 42 discovery of symbolic constants: complex common subexpressions: xy+42 = y 2 +5 loop induction variables Program verification strongest valid affine (or polynomial) assertions (cf. Petri Net invariants) RS3: x = 5yz+17 Improve precision of PDG-based IFC analysis (with Gregor Snelting (KIT, Karlsruhe) and his group)

73 Karr s Algorithm [Karr, 1976] Determines valid affine relations in programs. Idea: Perform a data-flow analysis maintaining for each program point a set of affine relations, i.e., a linear equation system. Fact: Set of valid affine relations forms a vector space of dimension at most k+1, where k = #program variables. can be represented by a basis. forms a complete lattice of height k+1.

74 Deficiencies of Karr s Algorithm Basic operations are complex non-invertible assignments union of affine spaces O(n k 4 ) arithmetic operations n size of the program k number of variables Number may grow to exponential size

75 Our Contribution Reformulation of Karr s algorithm: basic operations are simple O(n k 3 ) arithmetic operations numbers stay of polynomial length: O(n k 2 ) Moreover: generalization to polynomial relations of bounded degree show, algorithm finds all affine relations in affine programs Ideas: represent affine spaces by affine bases instead of lin. eq. syst. use semi-naive fixpoint iteration keep a reduced affine basis for each program point during fixpoint iteration

76 Affine Basis

77 Concrete Collecting Semantics Smallest solution over subsets of Q k of: where V[ st] Q k V[ v] f ( V[ u]), for each edge ( u, s, v) x : = t i x : =? s { } f ( X ) = x[ x t( x)] x X i { Q} f ( X ) = x[ x c] x X, c i i First goal: compute affine hull of V[u] for each u.

78 Abstraction Affine hull: { λ λ Q λ } aff ( X ) = x x X,, = 1 i i i i i The affine hull operator is a closure operator: aff ( X ) X, aff ( aff ( X )) = X, X Y aff ( X ) aff ( Y ) Affine subspaces of Q k ordered by set inclusion form a complete lattice: ({ Q k } ) ( D, ) = X aff ( X ) = X,. Affine hull is even a precise abstraction: Lemma : f ( aff ( X )) = aff ( f ( X )). s s

79 Abstract Semantics Smallest solution over (D, ) of: V # [ st] Q V [ v] f ( V [ u]), for each edge ( u, s, v) # # s k # Lemma: V [ u] = aff ( V[ u]) for all program points u.

80 Basic Semi-naive Fixpoint Algorithm forall ( v N) G[ v] = ; G[ st] = {0, e1,..., ek }; W = {( st,0),( st, e1),...,( st, ek )}; while W { ( u, x) = Extract( W ); forall ( s, v with ( u, s, v) E) { t = s x; if ( t aff ( G[ v])) { G[ v] = G[ v] { t} ; W = W { ( v, t) }; } } }

81 Example 0 1 x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x , 0, 1, aff 1, 3, x 3 :=x 3 +x

82 Correctness Theorem: a) Algorithm terminates after at most nk + n iterations of the loop, where n = N and k is the number of variables. # b) For all, we have ( fin[ ]) = [ v N aff G v V v]. Invariants for b) I1: v N : G[ v] V[ v] and ( u, x) W : x V[ u]. { } ( ) I2: (u,s,v) E: aff G[ v] s x ( u, x) W f ( aff ( G[ u]). s

83 Complexity Theorem: # a) The affine hulls V [ u] = aff ( V[ u]) can be computed in time 3 O( n k ), where n = N + E. b) In this computation only arithmetic operations on numbers 2 with O( n k ) bits are u sed. Store diagonal basis for membership tests. Propagate original vectors.

84 Point + Linear Basis

85 Example 0 1 x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x , 0, 1, , x 3 :=x 3 +x , 0 0 2

86 Determining Affine Relations Lemma: a is valid for X a is valid for aff ( X ). suffices to determine the affine relations valid for affine bases; can be done with a linear equation system! Theorem: a) The vector spaces of all affine relations valid at the program 3 points of an affine program can be computed in time O( n k ). b) This computation performs arithmetic operations on integers 2 with O( n k ) bits only.

87 Example a + a x + a x + a x = 0 is valid at x 1 :=1 x 2 :=1 x 3 :=1 x 1 :=x 1 +1 x 2 :=2x 2-2x 1 +5 a + 2a + 3a + 4a = a + 2a = a = 0 a = a, a = 2 a, a = x x 1 is valid at x 3 :=x 3 +x , 0 0 2

88 Also in the Paper Non-deterministic assignments Bit length estimation Polynomial relations Affine programs + affine equality guards validity of affine relations undecidable

89 End of Excursion 1

90 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

91 Interprocedural Analysis Main: c:=a+b procedures P: c:=a+b P() Q() call edges R() Q: a:=7 c:=a+b R: a:=7 c:=a+b P() recursion R()

92 Running Example: (Definite) Availability of the single expression a+b The lattice: false a+b not available false true a+b available Initial value: false c:=c+3 true false true c:=a+b true a:=7 false c:=a+b a:=42 false

93 Intra-Procedural-Like Analysis Conservative assumption: procedure destroys all information; information flows from call node to entry point of procedure Main: false true false st M u 1 u 2 c:=a+b P() λ x. false a:=7 P: st P r P true false c:=a+b true The lattice: false true false u 3 false r M P() λ x. false

94 Context-Insensitive Analysis Conservative assumption: Information flows from each call node to entry of procedure and from exit of procedure back to return point Main: false true true st M u 1 u 2 c:=a+b P() a:=7 P: st P r P true false c:=a+b true The lattice: false true false u 3 true r M P()

95 Context-Insensitive Analysis Conservative assumption: Information flows from each call node to entry of procedure and from exit of procedure bac to return point Main: false true st M u 1 c:=a+b P() P: st P true false The lattice: false true false true u 2 a:=7 r P true false false u 3 false r M P()

96 Recall: Abstract Interpretation Recipe constraint system for Reference Semantics on concrete lattice (D, ) Replace concrete operators o by abstract operators o # constraint system for Analysis on abstract lattice (D #, # ) MFP MFP # Assume a universally-disjunctive abstraction function α : D D #. Correct abstract interpretation: Show α(o(x 1,...,x k )) # o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) # MFP # [u] f.a. u Correct and precise abstract interpretation: Show α(o(x 1,...,x k )) = o # (α(x 1 ),...,α(x k )) f.a. x 1,...,x k L, operators o Then α(mfp[u]) = MFP # [u] f.a. u Use this as a guideline for designing correct (and precise) analyses! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

97 Example Flow Graph Main: e 0 : e 1 : st M u 1 u 2 c:=a+b P() P: e 4 : st P c:=a+b The lattice: false true e 2 : a:=7 r P e 3 : u 3 P() r M

98 Let s Apply Our Abstract Interpretation Recipe: Constraint System for Feasible Paths Operational justification: Same-level runs: S( p) S( r ) r return point of p { ε} p S( st ) st entry point of p p r { stp } r { stp ε } S( u) = r Edges u for all u in procedure p S( p) = r Edges for all procedures p r { w Nodes stmain } R( u) = r Edges : uw for all u { } S( v ) S( u) e e = ( u, s, v ) base edge S(v) S( u) S( p) e = ( u, p, v) call edge p p Reaching runs: Main { ε} R( st ) st entry point of Main { } R( v ) R( u) e e = ( u, s, v ) basic edge R( v ) R( u) S( p) e = ( u, p, v ) call edge R( st ) R( u) e = ( u, p, v ) call edge, st entry point of p Main p p

99 Summary-based approaches: Context-Sensitive Analysis Phase 1: Compute summary information for each procedure as an abstraction of same-level runs Phase 2: Use summary information as transfer functions for procedure calls in an abstraction of reaching runs Classic types of summary information: Functional approach: [Sharir/Pnueli 81, Knoop/Steffen: CC 92] Use (monotonic) functions on data flow informations! Relational approach: [Cousot/Cousot: POPL 77] Use relations (of a representable class) on data flow informations! Call-string-based approaches: e.g [Sharir/Pnueli 81], [Khedker/Karkare: CC 08] - Analysis relative to finite portion of call stack - Applicable to arbitrary lattices - Sometimes less precise than summary-based approaches

100 Formalization of Functional Approach Abstractions: Abstract same-level runs with α : Edges ( L L) : α Funct { fr r R } Funct ( R) = for R Edges Abstract reaching runs with α : Edges L : α MOP 1. Phase: Compute summary informations, i.e., functions: # # S ( p) S ( rp ) rp return point of p # S ( stp ) id stp entry point of p # # # S ( v) f S ( u) e = ( u, s, v) base edge e MOP { fr init r R } ( R) = ( ) for R Edges # # # S (v) S ( p) S ( u) e = ( u, p, v) call edge 2. Phase: Use summary informations; compute on data flow informations: # R ( stmain ) init stmain entry point of Main # # # R ( v ) f ( R ( u) ) e = ( u, s, v ) basic edge e # # # R ( v ) S ( p) ( R ( u) ) e = ( u, p, v ) call edge # # R ( st ) R ( u) e = ( u, p, v ) call edge, st entry point of p p p

101 Functional Approach for Availability of Single Expression Problem Observations: Just three montone functions on lattice L: λ x. false k (ill) false true λ x. x λ x. true i (gnore) g (enerate) Functional composition of two such functions f,g : L L: h f f = h if if h = i h { g, k} Analogous: precise interprocedural analysis for all (separable) bitvector problems in time linear in program size.

102 Context-Sensitive Analysis, 1. Phase Main: P() g c:=a+b Q() i P: i i g c:=a+b g the lattice: k i g R() g i k Q: k a:=7 k i g c:=a+b g k R: k a:=7 g i g c:=a+b g P() g k R() g

103 Context-Sensitive Analysis, 2. Phase Main: P() g false true Q() false true P: i g true the lattice: false true true R() false true false true false Q: k k g true false R: k g g true P() true false R() true

104 Functional Approach Theorem: Correctness: For any monotone framework: α MOP (R[u]) R # [u] f.a. u Completeness: For any universally-distributive framework: Remark: α MOP (R[u]) = R # [u] f.a. u Alternative condition: framework positively-distributive & all prog. point dyn. reachable a) Functional approach is effective, if L is finite... b)... but may lead to chains of length up to L height(l) at each program point. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

105 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

106 Excursion Mainly Based On... MMO + Helmut Seidl (TU München) Precise Interprocedural Analysis through Linear Algebra, POPL 2004 MMO + Helmut Seidl (TU München) Analysis of Modular Arithmetic ESOP TOPLAS 2007 Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

107 Finding Invariants... x 1 -x 2 -x 3 -x 2 x 3 = 0 Main: 0 P: 5 x 1 :=x 2 x 3 :=x x 3 :=0 x 1 -x 2 -x 3 = x 1 :=x 1 +x P() x 1 -x 2 -x 3 = 0 8 P() x 1 :=x 1 -x 2 -x 3 x 1 :=x 1 -x 2 4 x 1 = 0 9

108 through Linear Algebra Linear Algebra vectors vector spaces, sub-spaces, bases linear maps, matrices vector spaces of matrices Gaussian elimination... Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

109 Applications definite equalities: x = y constant propagation: x = 42 discovery of symbolic constants: x = 5yz+17 complex common subexpressions: xy+42 = y 2 +5 loop induction variables program verification improving PDG-based IFC analysis (with G. Snelting s group, KIT)... Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

110 A Program Abstraction Affine programs: affine assignments: x 1 := x 1-2x 3 +7 unknown assignments: x i :=? abstract too complex statements! non-deterministic instead of guarded branching Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

111 The Challenge Given an affine program (with procedures, parameters, local and global variables,...) over R : (R the field Q or Z p, a modular ring Z m, the ring of integers Z, an effective PIR,...) determine all valid affine relations: a 0 + a i x i = 0 a i R 5x+7y-42=0 determine all valid polynomial relations (of degree d): p(x 1,,x k ) = 0 p R [x 1,,x n ] 5xy 2 +7z 3-42=0 and all this in polynomial time (unit cost measure)!!!

112 Infinity Dimensions push-down arithmetic Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

113 Use a Standard Approach for Interprocedural Generalization of Karr s Algo? Functional approach [Sharir/Pnueli, 1981], [Knoop/Steffen, 1992] Idea: summarize each procedure by function on data flow facts Problem: not applicable, lattice is infinite Relational approach [Cousot/Cousot, 1977] Idea: summarize each procedure by approximation of I/O relation Problem: not exact Call-string approach [Sharir/Pnueli, 1981], [Khedker/Karkare: CC 08] Idea: take a finite piece of the run-time stack into account Problem: not exact Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

114 Relational Analysis is Not Strong Enough True relational semantics of P: Main: 0 x:=1 x post P() x = x pre x:=x P: 3 4 x:=2 x Best affine approximation: x post 2 5 x:=x x pre

115 Towards the Algorithm...

116 Concrete Semantics of an Execution Path Every execution path π induces a linear transformation on extended program states: π x : = 2x + 3x + 4, x : = 5x + 6 ( v) x2 : 5x1 6 ( x1 : 2x1 3x2 4 ( v) ) = = + = = ( v) = ( v) with v = v v2 π, the transformation matrix for path π

117 Observation 1 Extended states form a vector space of dimension k+1 = O(k). Subspaces form a lattice of height k+1 = O(k) Transformation matrices form a vector space of dimension k (k+1)+1 = O(k 2 ). Subspaces from a complete lattice of height k (k+1)+1 = O(k 2 ). Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

118 Observation 2 Affine relation is valid for a set M of extended states iff it is valid for span M, i.e.: 1 a0 + a1v akv k for all v1 V v 2 v0 a0v 0 + a1v akv k for all v1 span V v 2 Suffices to compute span of reaching states!! (cf. Excursion 1) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

119 Observation 3 {, } {, } span Mv M P v V = span Mv M span P v span V Span of transformation matrices of paths through procedure can be used as precise summary!! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

120 Let s Apply Our Abstract Interpretation Recipe: Constraint System for Feasible Paths Operational justification: Same-level runs: S( p) S( r ) r return point of p { ε} p S( st ) st entry point of p p r { stp } r { stp ε } S( u) = r Edges u for all u in procedure p S( p) = r Edges for all procedures p r { ω Nodes stmain ω } R( u) = r Edges : u for all u { } S( v) S( u) e e = ( u, s, v ) base edge S(v) S( u) S( p) e = ( u, p, v ) call edge p p Reaching runs: Main { ε} R( st ) st entry point of Main { } R( v ) R( u) e e = ( u, s, v ) basic edge R( v ) R( u) S( p) e = ( u, p, v ) call edge R( st ) R( u) e = ( u, p, v ) call edge, st entry point of p Main p p

121 Algorithm for Computing Affine Relations 1) Compute (for each prg. point and procedure u) a basis B with: Span B = Span { π π S(u) } by a precise abstract interpretation. α S (S(u)) 2) Compute (for each prg. point u) a basis B with: Span B = Span { π (v) π R(u), v F k+1 } by a precise abstract interpretation. 3) Solve the linear equation system: a 0 v 0 + a 1 v a k v k = 0 for all (v 0,...,v k ) T R(u) α R (R(u)) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

122 Same-level runs: Constraint Systems obtained by Abstract Interpretation S( p) S( r ) r return point of p p S( st ) span { I } st entry point of p, I identity matrix p { } S( v ) e S( u) e = ( u, s, v ) base edge, matrix product lifted to sets S(v) S( u) S( p) e = ( u, p, v ) call edge p p Reaching runs: R st st Main k+1 ( Main ) F Main entry point of { } R( v ) e v v R( u) e = ( u, s, v ) basic edge { } R( v ) Mv M S( p), v R( u) e = ( u, p, v ) call edge R( st ) R( u) e = ( u, p, v ) call edge, st entry point p p of p All computations can be and are performed on bases!

123 In an affine program: Theorem We can compute bases for the following vector spaces: α S (S(u)) = Span { π π S(u) } for all u. α R (R(u)) = Span { π v π R(u), v F k+1 } for all u. The vector spaces { a F k+1 affine relation a is valid at u } can be computed precisely for all prg. points u. The time complexity is linear in the program size and polynomial in the number of variables More specifically, for fields, it is O(n k 8 ) (n size of the program, k number of variables) Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

124 An Example Main: 0 P: 0 x 1 :=x x 3 :=0 2 2 P() 3 3 x 1 :=x 1 -x 2 -x 3 x 3 :=x 3 +1 x 1 :=x 1 +x 2 +1 P() x 1 :=x 1 -x stable! =

125 An Example Main: 0 P: 0 x 1 :=x x 3 :=0 2 2 P() 3 3 x 1 :=x 1 -x 2 -x 3 x 3 :=x 3 +1 x 1 :=x 1 +x 2 +1 P() x 1 :=x 1 -x stable! =

126 An Example Main: x 1 :=x 1 -x 2 -x 3 x 1 :=x 2 x 3 :=0 P()

127 An Example a + a x + a x + a x = 0 is valid at Main: 0 1 x 1 :=x 2 x 3 := a = a1 a 2 a3 a = 0 a = a = a x 1 :=x 1 -x 2 -x 3 P() Just the affine relations of the form ax ax ax = 0 (for a F) are valid at 3, in particular: x x x =

128 Extensions Also in the papers: Local variables, value parameters, return values Computing polynomial relations of bounded degree Affine pre-conditions Computing over modular rings (e.g. modulo 2 w ) or PIR Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

129 End of Excursion 2 Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

130 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

131 Interprocedural Analysis of Parallel Programs Main: c:=a+b P: c:=a+b P() Q() P() parallel call edge R() Q: a:=7 c:=a+b R: a:=7 c:=a+b P() R() Q()

132 Interleaving- Operator (Shuffle-Operator) Example: a, b, x, y a, b x, y = a, x, b, y, a, x, y, b x, a, b, y, x, a, y, b, x, y, a, b Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

133 Constraint System for Same-Level Runs Operational justification: r { stp } r { stp ε } S( u) = r Edges u for all u in procedure p S( p) = r Edges for all procedures p Same-level runs: [Seidl/Steffen: ESOP 2000] S( p) S( r ) r return point of p { ε} p S( st ) st entry point of p p { } S( v ) S( u) e e = ( u, s, v) base edge S(v) S( u) S( p) e = ( u, p, v ) call edge S(v) S( u) ( S( p ) S( p )) e = ( u, p p, v) parallel call edge p p Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

134 Constraint System for a Variant of Reaching Runs Operational justification: r { c Config stq u } R( u, q) = r Edges : c, At ( c) for progam point u and procedure r { c Config stq } P( q) = r Edges : c q Reaching runs: [Seidl/Steffen: ESOP 2000] R( u, q) S( u) u program point in procedure q R( u, q) S( v ) R( u, p) e = ( v, p,_) call edge in proc. q R( u, q) S( v ) ( R( u, p ) P( p )) e = ( v, p p, _) parallel call edge in proc. q, i = 0, 1 i 1 i 0 1 Interleaving potential: P( p) R( u, p) u program point and p procedure Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

135 Interleaving- Operator (Shuffle-Operator) Example: a, b, x, y a, b x, y = a, x, b, y, a, x, y, b x, a, b, y, x, a, y, b, x, y, a, b The only new ingredient: interleaving operator must be abstracted! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

136 Case: Availability of Single Expression [Seidl/Steffen: ESOP 2000] Abstract shuffle operator: # i g k i i g k g g g k k k k k f f : = f f f f # The lattice: k (ill) i (gnore) g (enerate) Main lemma: { i} fj { g, k, i} : fn... fj + 1 fj... f1 = f { g k}, j = 1 Treat other (separable) bitvector problems analogously... j precise interprocedural analyses for all bitvector problems!

137 Bitvector Problems Problem of this algorithm: Complexity: quadratic in program size: quadratically many constraints for reaching runs! Solution: linear-time search for killers -algorithm. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

138 Idea of Search for Killers -Algorithm [Knoop/Steffen/Vollmer: TACAS 1995] [Seidl/Steffen: ESOP 2000] the basic lattice: false true false g k the function lattice: k (ill) i (gnore) g (enerate) perform, normal analysis but weaken information if a killer can run in parallel! Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

139 Formalization of Search for Killers -Algorithm Kill Potential: KP( p) if p contains reachable edge e with f e = k KP( p) KP( q) if p calls q, q _, or _ q at some reachable edge Possible Interference: PI( p) PI( q) if q contains reachable call to p PI( p ) PI( q) KP( p ) if q contains reachable parallel call p p, i 0,1 i 1 i 0 1 = Weaken data flow information in 2nd phase if killer can run in : # R ( stmain ) init stmain entry point of Main R ( v ) f ( R ( u)) e = ( u, s, v ) basic edge # # e ( ) ( )( ( )) = (,, ) call edge # # # R v S p R u e u p v R ( st ) R ( u) e = ( u, p, v ) call edge, st entry point of # # p # R v PI p ( ) ( ) v reachable prg. point in p p p Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

140 Overview Introduction Fundamentals of Program Analysis Excursion 1 Interprocedural Analysis Excursion 2 Analysis of Parallel Programs Excursion 3 Conclusion Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

141 Precise Fixpoint-Based Analysis of Programs with Thread-Creation and Procedures Markus Müller-Olm Westfälische Wilhelms-Universität Münster Joint work with: Peter Lammich [same place] CONCUR 2007

142 (My) Main Interests of Recent Years Data aspects algebraic invariants over Q, Z, Z m (m = 2 n ) in sequential programs, partly with recursive procedures invariant generation relative to Herbrand interpretation Control aspects recursion concurrency with process creation / threads synchronization primitives, in particular locks/monitors Technics used fixpoint-based automata-based (linear) algebra syntactic substitution-based techniques...

143 Another Program Model Procedures Entry point, e q, of Q P: 0 Q: 4 Recursive procedure calls A 1 call P spawn Q 5 C call Q 2 6 Basic actions B 3 7 D Spawn commands Return point, x q, of Q

144 Spawns are Fundamentally Different P: 0 Q: 4 A C 1 5 call P spawn Q call Q 2 6 B D 3 7 P induces trace language: L = { A n ( B m (C i D j ) n m 0, i j 0 } Cannot characterize L by constraint system with and. [Bouajjani, MO, Touili: CONCUR 2005]

145 Gen/Kill-Problems Class of simple but important DFA problems Assumptions: Lattice (L, ) is distributive Transfer functions have form f e (l)= (l kill e ) gen e with kill,gen L Examples: bitvector problems, e.g. available expressions, live variables, very busy expressions,... Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

146 Data Flow Analysis Goal: Compute, for each program point u: Forward analysis: MOP F [u] = α F (Reach[u]), where α F (X) = { f w (x 0 ) w X } Backward analysis: MOP B [u] = α B (Leave[u]), where α B (X) = { f w ( ) w R X } w { w c emain c atu c } * w { w c emain c atu c } Reach[u] = :{[ ]} ( ) Leave[u] = :{[ ]} _ ( ) at ( c) w : ( uw) c u f = f f, for w = e e w e e 1 n n 1 Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

147 Data Flow Analysis Goal: Compute, for each program point u: Forward analysis: MOP F [u] = α F (Reach[u]), where α F (X) = { f w (x 0 ) w X } Backward analysis: MOP B [u] = α B (Leave[u]), where α B (X) = { f w ( ) w R X } Problem for programs with threads and procedures: We cannot characterize Reach[u] and Leave[u] by a constraint system with operators concatenation and interleaving. Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

148 One Way Out [Lammich/MO: CONCUR 2007] Derive alternative characterization of MOP-solution: reason on level of execution paths exploit properties of gen/kill-problems Characterize the path sets occuring as least solutions of constraint systems Perform analysis by abstract interpretation of these constraint systems Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

149 Forward Analysis Markus Müller-Olm, WWU Münster 2nd RS3-Tutorial, Schloss Buchenau, September 3-6,

150 Directly Reaching Paths and Potential Interleaving at u e Main Reaching path: Directly reaching path: Potential interference: a suitable interleaving of the red and blue paths the red path set of edges in the blue paths (note: no order information!) Formalization by augmented operational semantics with markers (see paper)