Program Analysis. Lecture 5. Rayna Dimitrova WS 2016/2017

Transcription

1 Program Analysis Lecture 5 Rayna Dimitrova WS 2016/2017

2 2/21 Recap: Constant propagation analysis Goal: For each program point, determine whether a variale has a constant value whenever an execution reaches the respective lock. Applications: Useful for the constant folding optimization: a use of the variale can e replaced y the respective constant. Classification: This is a forward must analysis.

3 3/21 Recap : Constant propagation analysis (lattice) (D, ) := ((Vars (Z {?})) { }, ) Vars is the set of variales appearing in the program an element d (Vars (Z {?})) is a function d : Vars (Z {?}) such that for a variale v Vars d(v) Z indicates that the value of v is the constant d(v) d(v) =? indicates that the variale v is non-constant the least element indicates that no information is availale the partial ordering is defined y d for all d D, d1 d 2 if and only if for every v Vars we have that either d 1 (v), d 2 (v) Z and d 1 (v) = d 2 (v), or it holds that d 2 (v) =?

4 3/21 Recap : Constant propagation analysis (lattice) (D, ) := ((Vars (Z {?})) { }, ) Then, the inary join operation is such that d = d = d, for all d D for all d 1, d 2 D \ { } and every v Vars, { d 1 (v) if d 1 (v) = d 2 (v), (d 1 d 2 )(v) =? otherwise It is easy to check that (D, ) is a complete lattice.

5 4/21 Recap: Constant propagation analysis (transfer functions) To define the transfer functions, we first define astract evaluation of arithmetic expressions, which is a function eval that maps each arithmetic expression a and d D \ { } to an element of Z {?}. if a is a variale v, then eval(a, d) := d(v) if a is a constant k, then eval(a, d) := k if a = a 1 a 2, then eval(a, d) :=?, if eval(a1, d) =? or eval(a 2, d) =?, eval(a, d) :=?, if eval(a1, d) eval(a 2, d) is undefined, eval(a, d) := eval(a1, d) eval(a 2, d), otherwise For d (Vars (Z {?})), x, v Vars, and n Z {?}, define the function d[x n] : Vars (Z {?}), such that { n if v = x, d[x n](v) = d(v) otherwise.

6 4/21 Recap: Constant propagation analysis (transfer functions) for [x := a] let f (d) := for [read(x)] let f (d) := { if d =, d[x eval(a, d)] otherwise { if d =, d[x?] otherwise for [print(a)], for [skip], and for condition [e] let f (d) = d for all d D

7 5/21 Recap: Constant propagation analysis (example) [z > 0] 1 initial f ( ) = for {1,..., 7} [x := 2] 2 [x := 3] 4 [y := 3] 3 [y := 2] 5 [z := x + y] 6 For d D \ { } we have f 1 (d) = d f 2 (d) = d[x 2] f 3 (d) = d[y 3] f 4 (d) = d[x 3] f 5 (d) = d[y 2] f 6 (d) = d[z eval(x, d) + eval(y, d)] f 7 (d) = d [skip] 7

8 5/21 Recap: Constant propagation analysis (example) (n 1, n 2, n 3 ) denotes the function d(x) = n 1, d(y) = n 2, d(z) = n 3 least fixpoint X 1 = (?,?,?) X 2 = f 1 (X 1 ) X 3 = f 2 (X 2 ) X 4 = f 1 (X 1 ) X 5 = f 4 (X 4 ) X 6 = f 3 (X 3 ) f 5 (X 5 ) X 7 = f 6 (X 6 ) ((?,?,?), (?,?,?), (2,?,?), (?,?,?), (3,?,?), (?,?,?), (?,?,?)) From this solution we cannot infer the information that at the eginning of lock 7 the value of z is 5 regardless of the execution path.

9 6/21 Example: precision of the least fixpoint solution [z > 0] 1 [x := 2] 2 [x := 3] 4 [y := 3] 3 [y := 2] 5 [z := x + y] 6 f 6 (d) = d[z eval(x, d) + eval(y, d) For the least fixpoint we compute f 6 ((2, 3,?) (3, 2,?)) = f 6 ((?,?,?)) = (?,?,?) On the other hand f 6 ((2, 3,?)) f 6 ((3, 2,?)) = (2, 3, 5) (3, 2, 5) = (?,?, 5) [skip] 7

10 7/21 Join Over all Paths (JOP) solution Let S = (G = (B, E, F ), (D, ), i, {f } B ) e a dataflow system. A different solution method, called Join Over all Paths (JOP) propagates analysis information along paths in the program. Analysis information for lock : join over all execution paths leading to, most precise information for (reference solution) Remark : In the literature often you see Meet Over all Paths (MOP).

11 8/21 Join Over all Paths (JOP) solution Let S = (G = (B, E, F ), (D, ), i, {f } B ) e a dataflow system. A path to the entry of a lock from the initial lock is a list of locks traversed from the initial lock to (excluding ). Paths() = {[ 1,..., n 1 ] n 1, 1 is initial, n =, i < n : i+1 succ( i )} We say that a path [ 1,..., n 1 ] has length n 1. Remark: For ackward analysis we can consider paths to the exit of lock that follow reverse edges starting from the final node. Paths() = {[ 1,..., n 1 ] n 1, 1 is final, n =, i < n : i+1 pred( i )}

12 8/21 Join Over all Paths (JOP) solution Let S = (G = (B, E, F ), (D, ), i, {f } B ) e a dataflow system. With a path π = [ 1,..., k ] we associate the transfer function f π = f k f k 1... f 1 id. Thus, for the empty path ε, the transfer function f ε = id is identity. The JOP solution for B (up to ut not including ) is defined as X JOP := {f π (i) π Paths()}. The JOP solution of S is JOP(S) := (X JOP 1,..., X JOP B ).

13 9/21 JOP solution: example [z > 0] 1 [x := 2] 2 [x := 3] 4 [y := 3] 3 [y := 2] 5 [z := x + y] 6 [skip] 7 For lock 7 we have Paths(7) = {[1, 2, 3, 6], [1, 4, 5, 6]}. f [1,2,3,6] ((?,?,?)) = f 6 (f 3 (f 2 (f 1 (id((?,?,?)))))) = f 6 (f 3 (f 2 (f 1 ((?,?,?))))) = f 6 (f 3 (f 2 ((?,?,?)))) = f 6 (f 3 ((2,?,?))) = f 6 ((2, 3,?)) = (2, 3, 5) Similarly we compute f [1,4,5,6] ((?,?,?)) = (3, 2, 5)

14 9/21 JOP solution: example [z > 0] 1 [x := 2] 2 [x := 3] 4 [y := 3] 3 [y := 2] 5 [z := x + y] 6 For lock 7 we have Paths(7) = {[1, 2, 3, 6], [1, 4, 5, 6]}. X7 JOP = f [1,2,3,6] ((?,?,?)) f [1,4,5,6] ((?,?,?)) = (2, 3, 5) (3, 2, 5) = (?,?, 5) Recall that X LFP 7 = (?,?,?). Thus, X JOP 7 X LFP 7. [skip] 7 Note: In general, the set of paths in a program is infinite.

15 10/21 Least fixpoint as an approximation of JOP Let S = (G = (B, E, F ), (D, ), i, {f } B ) e a dataflow system. Let lfp(s) = (X LFP 1,..., X LFP B ) e the least fixpoint solution of S. Then, lfp(s) is a sound approximation of JOP(S). Theorem For every dataflow system S = (G = (B, E, F ), (D, ), i, {f } B ) (1) it holds for all B that X JOP X LFP. (2) if all functions f for B are distriutive (that is, for all d 1, d 2 D, f (d 1 ) f (d 2 ) = f (d 1 d 2 )), then for all B it holds that X JOP = X LFP, i.e., oth solutions coincide.

16 11/21 Proof of (1) By definition we have X JOP = {f π (i) π Paths()}. Let us define X JOP,n := {f π (i) π Paths(), π n}, for the paths of length less than or equal to n for n N. Then X JOP X JOP X LFP = {X JOP,n n N}, and so, we can show y proving that for all n N, X JOP,n We show y induction on n that for all n N, for all B it holds that X JOP,n X LFP. For n = 0 there are two possile cases 1) There is no path of length 0 in Paths(). Then X JOP,0 = = X LFP. 2) There exists a path of length 0 in Paths(). Then is an extremal node, and thus, X LFP We have X JOP,0 = i. = f ε (i) = id(i) = i. Thus, X JOP,0 X LFP. = X LFP.

17 11/21 Proof of (1) continued Induction hypothesis: for some n and all B, X JOP,n If is an extremal node, the only path is the empty path. Now, suppose that is not extremal. Then, X LFP. X LFP = {f p (Xp LFP ) p pred()} (X LFP is a solution) {f p (Xp JOP,n ) p pred()} (IH, f p monotonic) = {f p ( {f π (i) π Paths(p), π n}) p pred()} (definition of Xp JOP,n ) { {f p (f π (i)) π Paths(p), π n} p pred()} (f p is monotonic and thus, f p (d 1 ) f p (d 2 ) f p (d 1 d 2 )) = {f p (f π (i)) π Paths(p), π n, p pred()} = {f π (i)) π Paths(), π n + 1} = X JOP,n+1 (π = π p is path of length n + 1 to ; f π = f p f π ) (definition of Xp JOP,n+1 )

18 12/21 Distriutive frameworks A dataflow system S = (G = (B, E, F ), (D, ), i, {f } B ) in which all f are distriutive are called a distriutive framework. The Reaching Definitions, Availale Expressions, Live Variales, and Very Busy Expressions analyses are all distriutive frameworks. For them, the least fixpoint computation delivers the JOP solution. Constant Propagation is not a distriutive framework.

19 13/21 JOP for Constant propagation Theorem The prolem of computing the JOP solution for the Constant Propagation analysis is undecidale. Proof reduction from modified Post Correspondence Prolem

20 14/21 Modified Post Correspondence Prolem Let Γ e a finite alphaet with at least 2 symols. given lists of finite words u 1,..., u n Γ + and v 1,..., v n Γ + determine whether there exists a sequence of indices i 1,..., i m {1,..., n} such that m 1, i 1 = 1, and u i1 u i2... u im = v i1 v i2... v im Example Γ = {a, } u 1 = a, u 2 = a, u 3 = a u 1 =, u 2 = aa, u 3 = aa 1,2,1,3 is a solution: aaaa = aaaa

21 14/21 Modified Post Correspondence Prolem Let Γ e a finite alphaet with at least 2 symols. given lists of finite words u 1,..., u n Γ + and v 1,..., v n Γ + determine whether there exists a sequence of indices i 1,..., i m {1,..., n} such that m 1, i 1 = 1, and u i1 u i2... u im = v i1 v i2... v im Remark: Fixing i 1 = 1 does not affect undecidaility. The (modified) Post Correspondence Prolem is undecidale.

22 15/21 Proof of the Theorem Theorem The prolem of computing the JOP solution for the Constant Propagation analysis is undecidale. Proof Let Γ = {1,..., 9} and for u Γ +, let u e the length of u when interpreted as a string in Γ +, u e the value of u when interpreted as a natural numer, Given lists of finite words u 1,..., u n Γ + and v 1,..., v n Γ + we construct a program for which computing the JOP solution for Constant Propagation allows us to determine if the modified Post correspondence prolem has a solution for this lists of words.

23 15/21 Proof of the Theorem (cont.) x := u 1 ; y := v 1 ; while [...] do { if [...] then { x := x 10 u1 + u 1 ; y := y 10 v1 + v 1 } else if [...] then { x := x 10 u2 + u 2 ; y := y 10 v2 + v 2 }... else if [...] then { x := x 10 un + u n ; y := y 10 vn + v n } } [z := sign((x y) (x y))] l 1 ; [skip] l ; We assume that our programming language contains arithmetic expressions a a2 1, for a 1, a 2 arithmetic expressions the function sign, where 1 if z < 0 sign(z) = 0 if z = 0 1 if z > 0 Note: We omit the conditions of while and if statements, as they are ignored y Constant Propagation.

24 15/21 Proof of the Theorem (cont.) The set Paths(l) consists of execution paths corresponding to all possile pairs of words x Γ + and y Γ + of the form x = u i1 u i2... u im and y = v i1 v i2... v im for sequences i 1,..., i m of indices where i 1 = 1 and m 1. For each such path if x = y then z is set to 0 in lock l 1, if x y then z is set to 1 in lock l 1. Hence, the modified Post correspondence prolem has no solution if and only if z is set to 1 on all execution paths reaching lock l. If Xl JOP = d is the JOP solution for program location l, then d(z) = 1 if and only if the modified Post correspondence prolem has no solution for the lists of words u 1,..., u n and v 1,..., v n.

25 15/21 Proof of the Theorem (cont.) Thus, if there exists an algorithm for computing the JOP solution for Constant Propagation, then we can construct an algorithm for solving the modified Post correspondence prolem. This implies that the prolem of computing the JOP solution for Constant Propagation is undecidale, since the modified Post correspondence prolem is undecidale.

26 16/21 Conditional ranches So far: values of conditions have een ignored y the analysis Essentially, we have een treating if and while statements as nondeterministic choice etween the two ranches. Solution: introduce transfer functions for ranches Possile approaches: 1. attach conditions as edge laels in the CFG advantage: no language modification required disadvantage: requires modification to the analysis framework 2. encode conditions as assert statements advantage: no modification of the analysis framework disadvantage: requires extension of the programming language

27 17/21 Taking into account conditional ranches approach 1: [w = 0] 1 w = 0 (w = 0) [z := 0] 2 [z := 1] 3 [skip] 4 approach 2: if [w = 0] 1 { [assert(w = 0)] 2 ; [z := 0] 3 ; } else { } [assert( (w = 0))] 4 ; [z := 1] 5 ; [skip] 6

28 18/21 While programs with assertions arithmetic expressions, which denote integer values a ::= k x a 1 + a 2 a 1 a 2 a 1 a 2 a 1 /a 2 k is an integer constant, x is a variale Boolean expressions ::= a 1 = a 2 a 1 < a true programs c ::= [skip] l [x := a] l [read(x)] l [print(a)] l c 1 ; c 2 if [] l then {c 1 } else {c 2 } while [] l do {c} [assert()] l x is a variale, a is arithmetic expression, is a Boolean expression

29 19/21 Assert statements assert() aorts the execution if is false, and has no effect otherwise. We will only insert it where it is guaranteed to hold. The definition of transfer functions for assert locks depends on the analysis prolem. Often, insight into the analysis prolem is required to define non-trivial and sound constraints for assert. Idea: use assertions as filters that only let valid information pass

30 Remark For simplicity, the definition of eval(a 1 = a 2 ) assumes that the value of oth expressions a 1 and a 2 is defined (this holds for expressions that do not contain division). To handle operations with undefined value (e.g., division y zero) the range of eval should e extended with the value?, and the value? should e taken into consideration in the transfer function for assert. 20/21 Constant propagation analysis with assertions extend the evaluation function eval to oolean expressions: maps a oolean expression and d D \ { } to an element of B if is true, then eval(, d) := true, if is a 1 = a 2, then eval(, d) := true, if eval(a 1, d) = eval(a 2, d), and eval(, d) := false, otherwise if is, then eval(, d) := true, if eval(, d) = false, and eval(, d) := false, otherwise if is 1 2, then eval(, d) := true, if eval( 1, d) = eval( 2, d) = true, and eval(, d) := false, otherwise

31 20/21 Constant propagation analysis with assertions for [assert()] l we define the transfer function f l : D D f l (d) = f l (d) = if d = if ( d α(d) : eval(, d ) = true) f l (d)(v) = n if ( d α(d) : eval(, d ) = true d (v) = n) f l (d)(v) =? otherwise where α(d) is the set of functions from Vars to Z such that d α(d) if and only if for all x Vars it holds that { d {n} if d(x) = n Z (x) Z if d(x) =?

32 21/21 Example: Constant propagation analysis with assertions [x := 0] 1 [x 0] 2 [assert(x 0)] 3 [assert(x < 0)] 4 [y := 0] 5 [y := 1] 6 [skip] 7 (d x, d y ): represents function d with d(x) = d x and d(y) = d y consider d = (0,?) α(d) = {(0, m) m Z} d α(d) if and only if for all v {x, y} it holds that { d {n} if d(v) = n Z (v) Z if d(v) =?

33 21/21 Example: Constant propagation analysis with assertions [x := 0] 1 [x 0] 2 [assert(x 0)] 3 [assert(x < 0)] 4 [y := 0] 5 [y := 1] 6 [skip] 7 (d x, d y ): represents function d with d(x) = d x and d(y) = d y consider d = (0,?) α(d) = {(0, m) m Z} d α(d) : eval(x 0, d ) = true d α(d) : eval(x < 0, d ) = false f 3 (d)(x) = 0, f 3 (d)(y) =? f 4 (d) = f 5 (f 3 (d)) = f 5 ((0,?)) = (0, 0) f 6 (f 4 (d)) = f 6 ( ) =