Principles of Program Analysis: Control Flow Analysis
Size: px
Start display at page:

Download "Principles of Program Analysis: Control Flow Analysis"

Transcription

1 Principles of Program Analysis: Control Flow Analysis Transparencies based on Chapter 3 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag 005. c Flemming Nielson & Hanne Riis Nielson & Chris Hankin. PPA Chapter 3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004)

2 The Dynamic Dispatch Problem. [call p(p,,v)] l c l r. [call p(p,,v)] l c l r. proc p(procval q, val x, res y) is l n. [call q (x,y)] lp c l p r. end l x which procedure is called? These problems arise for: imperative languages with procedures as parameters object oriented languages functional languages PPA Chapter 3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004)

3 Example: let f = fn x => x ; g = fn y => y+; h = fn z => z+3 in ( f g ) + ( f h ) The aim of Control Flow Analysis: For each function application, which functions may be applied? Control Flow Analysis computes the interprocedural flow relation used when formulating interprocedural Data Flow Analysis. PPA Chapter 3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 3

4 Syntax of the Fun Language Syntactic categories: Syntax: e Exp expressions (or labelled terms) t Term terms (or unlabelled expressions) f, x Var variables c Const constants op Op binary operators l Lab labels e ::= t l t ::= c x fn x => e 0 fun f x => e 0 e e if e 0 then e else e let x = e in e e op e (Labels correspond to program points or nodes in the parse tree.) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 4

5 Examples: ((fn x => x ) (fn y => y 3 ) 4 ) 5 (let f = (fn x => (x ) 3 ) 4 ; in (let g = (fn y => y 5 ) 6 ; in (let h = (fn z => z 7 ) 8 in ((f 9 g 0 ) + (f h 3 ) 4 ) 5 ) 6 ) 7 ) 8 (let g = (fun f x => (f (fn y => y ) 3 ) 4 ) 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 5

6 Abstract 0-CFA Analysis Abstract domains Specification of the analysis Well-definedness of the analysis PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 6

7 Towards defining the Abstract Domains The result of a 0-CFA analysis is a pair (Ĉ, ρ): Ĉ is the abstract cache associating abstract values with each labelled program point ρ is the abstract environment associating abstract values with each variable PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 7

8 Example: ((fn x => x ) (fn y => y 3 ) 4 ) 5 Three guesses of a 0-CFA analysis result: x y (Ĉe, ρ e ) (Ĉ e, ρ e) (Ĉ e, ρ {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } e ) {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 8

9 Example: (let g = (fun f x => (f (fn y => y ) 3 ) 4 ) 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 Abbreviations: f = fun f x => (f (fn y => y ) 3 ) 4 id y = fn y => y id z = fn z => z 7 One guess of a 0-CFA analysis result: Ĉ lp () = {f} Ĉ lp () = Ĉ lp (3) = {id y } Ĉ lp (4) = Ĉ lp (5) = {f} Ĉ lp (6) = {f} Ĉ lp (7) = Ĉ lp (8) = {id z } Ĉ lp (9) = Ĉ lp (0) = ρ lp (f) = {f} ρ lp (g) = {f} ρ lp (x) = {id y, id z } ρ lp (y) = ρ lp (z) = PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 9

10 Abstract Domains Formally: v Val = P(Term) abstract values ρ Env = Var Val abstract environments Ĉ Cache = Lab Val abstract caches An abstract value v is a set of terms of the forms fn x => e 0 fun f x => e 0 PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 0

11 Control Flow Analysis versus Use-Definition chains The aim: to trace how definition points reach use points Control Flow Analysis definition points: where function abstractions are created use points: where functions are applied Use-Definition chains definition points: where variables are assigned a value use points: where values of variables are accessed PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004)

12 Specification of the 0-CFA When is a proposed guess (Ĉ, ρ) of an analysis results an acceptable 0-CFA analysis for the program? Different approaches: abstract specification syntax-directed and constraint-based specifications algorithms for computing the best result PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004)

13 Specification of the Abstract 0-CFA (Ĉ, ρ) = e means that (Ĉ, ρ) is an acceptable Control Flow Analysis of the expression e The relation = has functionality: = : ( Cache Env Exp) {true, false} PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 3

14 Clauses for Abstract 0-CFA () (Ĉ, ρ) = c l always (Ĉ, ρ) = x l iff ρ(x) Ĉ(l) (Ĉ, ρ) = (let x = t l in t l iff (Ĉ, ρ) = t l (Ĉ, ρ) = t l Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l) ) l PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 4

15 Ĉ ρ (let x = t l in t l ) l t l t l x x l PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 5

16 Clauses for Abstract 0-CFA () (Ĉ, ρ) = (if t l 0 0 then t l else t l iff (Ĉ, ρ) = t l 0 0 (Ĉ, ρ) = t l (Ĉ, ρ) = t l Ĉ(l ) Ĉ(l) Ĉ(l ) Ĉ(l) ) l (Ĉ, ρ) = (t l op t l iff (Ĉ, ρ) = t l (Ĉ, ρ) = t l ) l PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 6

17 Clauses for Abstract 0-CFA (3) (Ĉ, ρ) = (fn x => t l 0 0 ) l iff {fn x => t l 0 0 } Ĉ(l) (Ĉ, ρ) = (t l t l ) l iff (Ĉ, ρ) = t l (Ĉ, ρ) = t l ( ( fn x => t l 0 0 ) Ĉ(l ) : (Ĉ, ρ) = t l 0 0 Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l)) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 7

18 Ĉ (t l t l ) l ρ fn x => t l 0 0 t l t l t l 0 0 x x l PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 8

19 Clauses for Abstract 0-CFA (4) (Ĉ, ρ) = (fun f x => e 0 ) l iff {fun f x => e 0 } Ĉ(l) (Ĉ, ρ) = (t l t l ) l iff (Ĉ, ρ) = t l (Ĉ, ρ) = t l ( ( fn x => t l 0 0 ) Ĉ(l ) : (Ĉ, ρ) = t l 0 0 ( ( fun f x => t l 0 0 ) Ĉ(l ) : (Ĉ, ρ) = t l 0 0 Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l)) Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l) {fun f x => t l 0 0 } ρ(f) ) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 9

20 Example: Two guesses for ((fn x => x ) (fn y => y 3 ) 4 ) x y (Ĉe, ρ e ) (Ĉ e, ρ e) {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } Checking the guesses: (Ĉe, ρ e ) = ((fn x => x ) (fn y => y 3 ) 4 ) 5 (Ĉ e, ρ e) = ((fn x => x ) (fn y => y 3 ) 4 ) 5 PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 0

21 Well-definedness of the Abstract 0-CFA Difficulty: The clause for function application is not of a form that allows us to define (Ĉ, ρ) = e by Structural Induction in the expression e (Ĉ, ρ) = (t l t l ) l iff (Ĉ, ρ) = t l (Ĉ, ρ) = t l ( (fn x => t l 0 0 ) Ĉ(l ) : (Ĉ, ρ) = t l 0 0 Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l)) Solution: The relation = is defined by coinduction, that is, as the greatest fixed point of a functional. PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004)

22 The functional Q The clauses for = define a function: Q : (( Cache Env Exp) {true, false}) (( Cache Env Exp) {true, false}) Example: (Ĉ, ρ) = (let x = t l in t l ) l becomes iff (Ĉ, ρ) = t l (Ĉ, ρ) = t l Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l) Q( Q )(Ĉ, ρ, (let x = t l in t l ) l ) = Q (Ĉ, ρ, t l ) Q (Ĉ, ρ, t l ) Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004)

23 Properties of Q Q is a monotone function on the complete lattice (( Cache Env Exp) {true, false}, ) where the ordering is defined by: Q Q iff (Ĉ, ρ, e) : (Q (Ĉ, ρ, e) = true) (Q (Ĉ, ρ, e) = true) Hence Q has fixed points and we shall define = coinductively: = is the greatest fixed point of Q PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 3

24 Tarski s Theorem: A monotone function on a complete lattice has a complete lattice of fixed points and in particular a least and a greatest fixed point. Q n ( ) gfp(q) lfp(q) Q n ( ) Q : (( Cache Env Exp) {true, false}) (( Cache Env Exp) {true, false}) Coinductive definition: gfp(q) = {P Q(P ) P } Inductive definition: lfp(q) = {P Q(P ) P } = n Q n ( ) assuming that Q(P )(Ĉ, ρ, e) only depends on finitely many values of P PPA App. A.4 and B c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 4

25 Inductive Definition P = lfp(q) = n Q n ( ) assuming P can be expressed as P (Ĉ, ρ, x l ) iff ρ(x) Ĉ(l) P (Ĉ, ρ, (let x = t l in t l ) l ) iff P (Ĉ, ρ, t l ) P (Ĉ, ρ, t l ) Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l). simply because P = Q(P ) Example: 0 is a number n+ is a number iff n is a number (Peano s Axioms) to check P (Ĉ, ρ, e) simply unfold using the clauses: if it terminates and yields true: then it holds and yields false: then it does not if it loops because it repeats itself: then it does not hold but we cannot detect it Example: = 0++ is a number because 0+ is because 0 is PPA App. A.4 and B c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 5

26 Inductive Definition to prove: (Ĉ, ρ, e) : P (Ĉ, ρ, e) R(Ĉ, ρ, e) show: R(Ĉ, ρ, x l ) if ρ(x) Ĉ(l) axiom R(Ĉ, ρ, t l ) R(Ĉ, ρ, t l ) R(Ĉ, ρ, (let x = t l in t l ) l ) if Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l) inference rule. Examples: mathematical induction: R(0), structural induction R(n) R(n + ) induction on the shape of inference tree PPA App. A.4 and B c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 6

27 Coinductive Definition P = gfp(q) = {R R Q(R)} P can be expressed as P (Ĉ, ρ, x l ) iff ρ(x) Ĉ(l) P (Ĉ, ρ, (let x = t l in t l ) l ) iff P (Ĉ, ρ, t l ) P (Ĉ, ρ, t l ) Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l). simply because P = Q(P ) to check P (Ĉ, ρ, e) find some R such that R(Ĉ, ρ, e) can be shown to hold that is prove: R(Ĉ, ρ, x l ) if ρ(x) Ĉ(l) R(Ĉ, ρ, t l ) R(Ĉ, ρ, t l ) R(Ĉ, ρ, (let x = t l in t l ) l ) if Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l). and use P = {R R Q(R)} PPA App. A.4 and B c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 7

28 Coinductive Definition to prove: (Ĉ, ρ, e) : P (Ĉ, ρ, e) R(Ĉ, ρ, e) try to prove it using P = Q(P ) i.e. by using the way P is expressed if it fails try to do induction (on the structure or size) of e if it fails you will need an extra insight PPA App. A.4 and B c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 8

29 Example: loop (let g = (fun f x => (f (fn y => y ) 3 ) 4 ) 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 Abbreviations: f = fun f x => (f (fn y => y ) 3 ) 4 id y = fn y => y id z = fn z => z 7 One guess of a 0-CFA analysis result: Ĉ lp () = {f} Ĉ lp () = Ĉ lp (3) = {id y } Ĉ lp (4) = Ĉ lp (5) = {f} Ĉ lp (6) = {f} Ĉ lp (7) = Ĉ lp (8) = {id z } Ĉ lp (9) = Ĉ lp (0) = ρ lp (f) = {f} ρ lp (g) = {f} ρ lp (x) = {id y, id z } ρ lp (y) = ρ lp (z) = PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 9

30 Naively checking the solution gives rise to circularity: To show (Ĉlp, ρ lp ) = loop we have (among others) to show (Ĉlp, ρ lp ) = (g 6 (fn z => z 7 ) 8 ) 9 and to prove this we have (among others) to show (Ĉlp, ρ lp ) = (f (fn y => y ) 3 ) 4 and to show this we have (among others) to show (Ĉlp, ρ lp ) = (f (fn y => y ) 3 ) 4 because Ĉlp (3) ρ lp (x), Ĉlp (4) Ĉlp (4) and f ρ lp (f). PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 30

31 The Lesson The co-inductive definition solves the circularity: It allows us to assume that (Ĉlp, ρ lp ) = (f (fn y => y ) 3 ) 4 holds at the inner level and proving that it also holds at the outer level An inductive definition does not give us this possibility! PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 3

32 Theoretical Properties: structural operational semantics semantic correctness the existence of least solutions PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 3

33 Choice of Semantics operational or denotational semantics? an operational semantics more easily models intensional properties small-step or big-step operational semantics? a small-step semantics allows us to reason about looping programs operational semantics based on environments or substitutions? an environment based semantics preserves the identity of functions PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 33

34 Configurations and Transitions Semantic categories: v Val values defined by: ρ Env environments v ::= c close t in ρ closures ρ ::= [ ] ρ[x v] Transitions have the form ρ e e meaning that one step of computation of the expression e in the environment ρ will transform it into e. PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 34

35 Transitions ρ x l v l if x dom(ρ) and v = ρ(x) ρ (fn x => e 0 ) l (close (fn x => e 0 ) in ρ 0 ) l where ρ 0 = ρ FV(fn x => e 0 ) ρ (fun f x => e 0 ) l (close (fun f x => e 0 ) in ρ 0 ) l where ρ 0 = ρ FV(fun f x => e 0 ) static scope! PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 35

36 Intermediate Expressions and Terms extending the syntax: ie ::= it l ie IExp intermediate expressions it ITerm intermediate terms it ::= c x fn x => e 0 fun f x => e 0 ie ie if ie 0 then e else e let x = ie in e ie op ie close t in ρ bind ρ in ie The correct form of transitions ρ ie ie PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 36

37 Transitions ρ ie ie ρ ie ie ρ (ie ie ) l (ie ie ) l ρ (v l ie ) l (v l ie )l ρ ((close (fn x => e ) in ρ ) l v l ) l (bind ρ [x v ] in e ) l ρ ((close (fun f x => e ) in ρ ) l v l ) l (bind ρ [x v ] in e ) l where ρ = ρ [f close (fun f x => e ) in ρ ] ρ ie ie ρ (bind ρ in ie ) l (bind ρ in ie )l ρ (bind ρ in v l ) l v l the outermost label remains the same PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 37

38 Example: [ ] ((fn x => x ) (fn y => y 3 ) 4 ) 5 ((close (fn x => x ) in [ ]) (fn y => y 3 ) 4 ) 5 ((close (fn x => x ) in [ ]) (close (fn y => y 3 ) in [ ]) 4 ) 5 (bind [x (close (fn y => y 3 ) in [ ])] in x ) 5 (bind [x (close (fn y => y 3 ) in [ ])] in (close (fn y => y 3 ) in [ ]) ) 5 (close (fn y => y 3 ) in [ ]) 5 PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 38

39 Transitions ρ ie 0 ie 0 ρ (if ie 0 then e else e ) l (if ie 0 then e else e ) l ρ (if true l 0 then t l else t l ) l t l ρ (if false l 0 then t l else t l ) l t l ρ ie ie ρ (let x = ie in e ) l (let x = ie in e ) l ρ (let x = v l in e ) l (bind [x v] in e ) l ρ ie ie ρ ie ie ρ (ie op ie ) l (ie op ie ) l ρ (v l op ie ) l (v l op ie )l ρ (v l op v l ) l v l if v = v op v PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 39

40 Example: [ ] (let g = (fun f x => (f (fn y => y ) 3 ) 4 ) 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 (let g = f 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 (bind [g f] in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 (bind [g f] in (f 6 (fn z => z 7 ) 8 ) 9 ) 0 (bind [g f] in (f 6 id 8 z ) 9 ) 0 (bind [g f] in (bind [f f][x id z ] in (f (fn y => y ) 3 ) 4 ) 9 ) 0 (bind [g f] in (bind [f f][x id z ] in (bind [f f][x id y ] in (f (fn y => y ) 3 ) 4 ) 4 ) 9 ) 0 Abbreviations: f = close (fun f x => (f (fn y => y ) 3 ) 4 ) in [ ] id y = close (fn y => y ) in [ ] id z = close (fn z => z 7 ) in [ ] PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 40

41 Semantic Correctness A subject reduction result: an acceptable result of the analysis remains acceptable under evaluation Analysis of intermediate expressions (Ĉ, ρ) = (bind ρ in it l 0 0 ) l iff (Ĉ, ρ) = it l 0 0 Ĉ(l 0) Ĉ(l) ρ R ρ (Ĉ, ρ) = (close t 0 in ρ) l iff {t 0 } Ĉ(l) ρ R ρ PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 4

42 Correctness Relation The global abstract environment, ρ models all the local environments of the semantics Correctness relation R : (Env Env) {true, false} We demand that ρ R ρ for all local environments, ρ, occurring in the intermediate expressions Define ρ R ρ iff x dom(ρ) dom( ρ) t x ρ x : (ρ(x) = close t x in ρ x ) (t x ρ(x) ρ x R ρ ) (Well-defined by induction in the size of ρ.) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 4

43 Example: Suppose that: ρ = [x close t in ρ ][y close t in ρ ] ρ = [ ] ρ = [x close t 3 in ρ 3 ] ρ 3 = [ ] Then ρ R ρ amounts to {t, t 3 } ρ(x) {t } ρ(y). PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 43

44 Alternative definition of Correctness Relation Split the definition of R into two components: V : R : (Val ( Env Val)) {true, false} (Env Env) {true, false} and define v V ( ρ, v) iff t ρ : (v = close t in ρ) (t v ρ R ρ) ρ R ρ iff x dom(ρ) dom( ρ) : ρ(x) V ( ρ, ρ(x)) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 44

45 Correctness Result ρ ie ie ie v l R = = = = ρ (Ĉ, ρ) (Ĉ, ρ) (Ĉ, ρ) (Ĉ, ρ) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 45

46 Formal details of Correctness Result Theorem: If ρ R ρ and ρ ie ie then (Ĉ, ρ) =ie implies (Ĉ, ρ) =ie. Intuitively: If there is a possible evaluation of the program such that the function at a call point evaluates to some abstraction, then this abstraction has to be in the set of possible abstractions computed by the analysis. Observe: the theorem expresses that all acceptable analysis results remain acceptable under evaluation! Thus we do not rely on the existence of a least or best solution. PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 46

47 Proof of Correctness Result We assume that ρ R ρ and (Ĉ, ρ) =ie and prove (Ĉ, ρ) =ie by induction on the structure of the inference tree for ρ ie ie. Most cases amount to inspecting the defining clause for (Ĉ, ρ) = ie. This method of proof applies to all fixed points of a recursive definition and in particular also to the (more familiar least and) greatest fixed point(s). Crucial fact: If (Ĉ, ρ) = it l and Ĉ(l ) Ĉ(l ) then (Ĉ, ρ) = it l. PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 47

48 Example: Semantics: [ ] ((fn x => x ) (fn y => y 3 ) 4 ) 5 (close (fn y => y 3 ) in [ ]) x y (Ĉe, ρ e ) {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } Analysis: (Ĉe, ρ e ) =((fn x => x ) (fn y => y 3 ) 4 ) 5 Correctness relation: [ ] R ρ e Correctness theorem: (Ĉe, ρ e ) =(close (fn y => y 3 ) in [ ]) 5 PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 48

49 Existence of Solutions Does each expression e admit a Control Flow Analysis? i.e. does there exist (Ĉ, ρ) such that (Ĉ, ρ) = e? Does each expression e have a least Control Flow Analysis? i.e. does there exists (Ĉ0, ρ 0 ) such that (Ĉ0, ρ 0 ) = e and such that whenever (Ĉ, ρ) = e then (Ĉ0, ρ 0 ) is less than (Ĉ, ρ)? Here least is with respect to the partial ordering (Ĉ, ρ ) (Ĉ, ρ ) iff ( l Lab : Ĉ(l) Ĉ(l)) ( x Var : ρ (x) ρ (x)) PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 49

50 Existence of Solutions (cont.) Two answers: there exists algorithms for the efficient computation of least solutions for all expressions all intermediate expressions enjoy a Moore family property A subset Y of a complete lattice L = (L, ) is a Moore family if and only if ( Y ) Y for all subsets Y of L Proposition: The set {(Ĉ, ρ) (Ĉ, ρ) = ie} is a Moore family for all intermediate expressions ie PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 50

51 Existence of Solutions (cont.) All intermediate expressions admit a Control Flow Analysis Let Y be the empty set; then Y is an element of {(Ĉ, ρ) (Ĉ, ρ) = ie} showing that there exists at least one analysis of ie. All intermediate expressions have a least Control Flow Analysis Let Y be the set {(Ĉ, ρ) (Ĉ, ρ) = ie}; then Y is an element of {(Ĉ, ρ) (Ĉ, ρ) = ie} so it will also be an analysis of ie. Clearly Y (Ĉ, ρ) for all other analyses (Ĉ, ρ) of ie so it is the least analysis result. PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 5

52 Example: (Ĉe, ρ e ) = ((fn x => x ) (fn y => y 3 ) 4 ) 5 (Ĉe, ρ e ) = ((fn x => x ) (fn y => y 3 ) 4 ) 5 The Moore family result ensures that (Ĉe Ĉe, ρ e ρ e ) = ((fn x => x ) (fn y => y 3 ) 4 ) x y (Ĉe, ρ e ) (Ĉe, ρ e ) (Ĉe, ρ e ) {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn x => x } {fn x => x } {fn x => x } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 5

53 Coinduction versus Induction The abstract Control Flow Analysis is defined coinductively = is the greatest fixed point of a function Q An alternative might be an inductive definition = is the least fixed point of the function Q. Proposition: There exists e Exp such that {(Ĉ, ρ) (Ĉ, ρ) = e } is not a Moore family. PPA Section 3. c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 53

54 Syntax Directed 0-CFA Analysis Reformulate the abstract specification: (i) Syntax directed specification (ii) Constructing a finite set of constraints (iii) Compute the least solution of the set of constraints PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 54

55 Common Phenomenon A specification = A is reformulated into a specification = B ensuring that (Ĉ, ρ) = A e (Ĉ, ρ) = B e so that = B is a safe approximation to = A and hence the best (i.e. least) solution to = B e will also be a solution to = A e. If additionally (Ĉ, ρ) = A e (Ĉ, ρ) = B e then we can be assured that no solutions are lost and hence the best (i.e. least) solution to = B e will also be the best (i.e. least) solution to = A e. PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 55

56 Syntax Directed Specification () (Ĉ, ρ) = s (fn x => e 0 ) l iff {fn x => e 0 } Ĉ(l) (Ĉ, ρ) = s e 0 (Ĉ, ρ) = s (fun f x => e 0 ) l iff {fun f x => e 0 } Ĉ(l) (Ĉ, ρ) = s (t l (Ĉ, ρ) = s e 0 t l ) l {fun f x => e 0 } ρ(f) iff (Ĉ, ρ) = s t l (Ĉ, ρ) = s t l ( (fn x => t l 0 0 ) Ĉ(l ) : Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l) ( (fun f x => t l 0 0 ) Ĉ(l ) : Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l) ) ) PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 56

57 Syntax Directed Specification () (Ĉ, ρ) = s c l always (Ĉ, ρ) = s x l iff ρ(x) Ĉ(l) (Ĉ, ρ) = s (if t l 0 0 then t l else t l iff (Ĉ, ρ) = s t l 0 0 (Ĉ, ρ) = s t l (Ĉ, ρ) = s t l Ĉ(l ) Ĉ(l) Ĉ(l ) Ĉ(l) ) l (Ĉ, ρ) = s (let x = t l in t l iff (Ĉ, ρ) = s t l (Ĉ, ρ) = s t l Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l) ) l (Ĉ, ρ) = s (t l op t l ) l iff (Ĉ, ρ) = s t l (Ĉ, ρ) = s t l PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 57

58 Example: loop (let g = (fun f x => (f (fn y => y ) 3 ) 4 ) 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) 0 Abbreviations: f = fun f x => (f (fn y => y ) 3 ) 4 id y = fn y => y id z = fn z => z 7 One guess of a 0-CFA analysis result: Ĉ lp () = {f} Ĉ lp () = Ĉ lp (3) = {id y } Ĉ lp (4) = Ĉ lp (5) = {f} Ĉ lp (6) = {f} Ĉ lp (7) = Ĉ lp (8) = {id z } Ĉ lp (9) = Ĉ lp (0) = ρ lp (f) = {f} ρ lp (g) = {f} ρ lp (x) = {id y, id z } ρ lp (y) = ρ lp (z) = PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 58

59 Example: Checking the solution To show (Ĉlp, ρ lp ) = s loop we have (among others) to show (Ĉlp, ρ lp ) = s (g 6 (fn z => z 7 ) 8 ) 9 and (Ĉlp, ρ lp ) = s (f (fn y => y ) 3 ) 4 and this is straightforward. The Lesson No need for co-induction because the definition is syntax-directed PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 59

60 Preservation of Solutions Define (Ĉ, ρ ) by: { Ĉ if l / (l) = Lab Term if l Lab ρ (x) = { if x / Var Term if x Var Then all the solutions to = s e that are less than (Ĉ, ρ ) are solutions to = e as well: Proposition: If (Ĉ, ρ) = s e and (Ĉ, ρ) (Ĉ, ρ ) then (Ĉ, ρ) = e. (That (Ĉ, ρ) (Ĉ, ρ ) means that (Ĉ, ρ) lives in a closed universe.) PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 60

61 Proposition: {(Ĉ, ρ) (Ĉ, ρ ) (Ĉ, ρ) = s e } is a Moore family. Corollaries: each expression e has a Control Flow Analysis that is less than (Ĉ, ρ ), and each expression e has a least Control Flow Analysis that is less than (Ĉ, ρ ). PPA Section 3.3 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 6

62 Constraint Based 0-CFA Analysis C [[e ]] is a set of constraints of the form lhs rhs {t} rhs lhs rhs where rhs ::= C(l) r(x) lhs ::= C(l) r(x) {t} and all occurrences of t are of the form fn x => e 0 or fun f x => e 0 PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 6

63 Constraint Based Control Flow Analysis () C [[(fn x => e 0 ) l ]] = { {fn x => e 0 } C(l) } C [[e 0 ]] C [[(fun f x => e 0 ) l ]] = { {fun f x => e 0 } C(l) } C [[e 0 ]] { {fun f x => e 0 } r(f) } C [[(t l t l ) l ]] = C [[t l ]] C [[t l ]] { {t} C(l ) C(l ) r(x) t = (fn x => t l 0 0 ) Term } { {t} C(l ) C(l 0 ) C(l) t = (fn x => t l 0 0 ) Term } { {t} C(l ) C(l ) r(x) t = (fun f x => t l 0 0 ) Term } { {t} C(l ) C(l 0 ) C(l) t = (fun f x => t l 0 0 ) Term } (Eager rather than lazy unfolding easy but costly.) PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 63

64 Constraint Based Control Flow Analysis () C [[c l ]] = C [[x l ]] = { r(x) C(l) } C [[(if t l 0 0 then t l else t l ) l ]] = C [[t l 0 0 ]] C [[t l ]] C [[t l ]] { C(l ) C(l) } { C(l ) C(l) } C [[(let x = t l in t l ) l ]] = C [[t l ]] C [[t l ]] { C(l ) r(x) } { C(l ) C(l) } C [[(t l op t l ) l ]] = C [[t l ]] C [[t l ]] PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 64

65 Example: C [[((fn x => x ) (fn y => y 3 ) 4 ) 5 ]] = { {fn x => x } C(), r(x) C(), {fn y => y 3 } C(4), r(y) C(3), {fn x => x } C() C(4) r(x), {fn x => x } C() C() C(5), {fn y => y 3 } C() C(4) r(y), {fn y => y 3 } C() C(3) C(5) } PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 65

66 Preservation of Solutions Translating syntactic entities to sets of terms: (Ĉ, ρ)[[c(l)]] = Ĉ(l) (Ĉ, ρ)[[r(x)]] = ρ(x) (Ĉ, ρ)[[{t}]] = {t} Satisfaction relation for constraints: (Ĉ, ρ) = c (lhs rhs) (Ĉ, ρ) = c (lhs rhs) iff (Ĉ, ρ)[[lhs]] (Ĉ, ρ)[[rhs]] (Ĉ, ρ) = c ({t} rhs lhs rhs) iff ({t} (Ĉ, ρ)[[rhs ]] (Ĉ, ρ)[[lhs]] (Ĉ, ρ)[[rhs]]) ({t} (Ĉ, ρ)[[rhs ]]) Proposition: (Ĉ, ρ) = s e if and only if (Ĉ, ρ) = c C [[e ]]. PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 66

67 Solving the Constraints () Input: a set of constraints C [[e ]] Output: the least solution (Ĉ, ρ) to the constraints Data structures: a graph with one node for each C(l) and r(x) (where l Lab and x Var ) and zero, one or two edges for each constraint in C [[e ]] W: the worklist of the nodes whose outgoing edges should be traversed D: an array that for each node gives an element of Val E: an array that for each node gives a list of constraints influenced (and outgoing edges) Auxiliary procedure: procedure add(q,d) is if (d D[q]) then D[q] := D[q] d; W := cons(q,w); PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 67

68 Solving the Constraints () Step Step Step 3 Step 4 Initialisation W := nil; for q in Nodes do D[q] := ; E[q] := nil; Building the graph for cc in C [[e ]] do case cc of {t} p: add(p,{t}); p p : E[p ] := cons(cc,e[p ]); {t} p p p : E[p ] := cons(cc,e[p ]); E[p] := cons(cc,e[p]); Iteration while W nil do q := head(w); W := tail(w); for cc in E[q] do case cc of p p : add(p, D[p ]); {t} p p p : if t D[p] then add(p, D[p ]); Recording the solution for l in Lab do Ĉ(l) := D[C(l)]; for x in Var do ρ(x) := D[r(x)]; PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 68

69 Example: Initialisation of data structures p D[p] E[p] C() [id x C() C() C(5)] C() id x [id y C() C(3) C(5), id y C() C(4) r(y), id x C() C() C(5), id x C() C(4) r(x)] C(3) [id y C() C(3) C(5)] C(4) id y [id y C() C(4) r(y), id x C() C(4) r(x)] C(5) [ ] r(x) [r(x) C()] r(y) [r(y) C(3)] PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 69

70 Example: Iteration steps W [C(4),C()] [r(x),c()] [C(),C()] [C(5),C()] [C()] [ ] p D[p] D[p] D[p] D[p] D[p] D[p] C() id y id y id y id y C() id x id x id x id x id x id x C(3) C(4) id y id y id y id y id y id y C(5) id y id y id y r(x) id y id y id y id y id y r(y) PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 70

71 Correctness: Given input C [[e ]] the worklist algorithm terminates and the result (Ĉ, ρ) produced by the algorithm satisfies (Ĉ, ρ) = {(Ĉ, ρ ) (Ĉ, ρ ) = c C [[e ]]} and hence it is the least solution to C [[e ]]. Complexity: The algorithm takes at most O(n 3 ) steps if the original expression e has size n. PPA Section 3.4 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 7

72 Adding Data Flow Analysis Idea: extend the set Val to contain other abstract values than just abstractions powerset (possibly finite) complete lattice (possibly satisfying Ascending Chain Condition) PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 7

73 Abstract Values as Powersets Let Data be a set of abstract data values (i.e. abstract properties of booleans and integers) v Val d = P(Term Data) abstract values For each constant c Const we need an element d c Data For each operator op Op we need a total function ôp : Val d Val d Val d typically v ôp v = {d op (d, d ) d v Data, d v Data} for some d op : Data Data P(Data) PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 73

74 Example: Detection of Signs Analysis Data sign = {tt, ff, -, 0, +} d true = tt d 7 = + + is defined from d + tt ff tt ff - {-} {-} {-, 0, +} 0 {-} {0} {+} + {-, 0, +} {+} {+} PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 74

75 Abstract Values as Powersets () (Ĉ, ρ) = d (fn x => e 0 ) l iff {fn x => e 0 } Ĉ(l) (Ĉ, ρ) = d (fun f x => e 0 ) l iff {fun f x => e 0 } Ĉ(l) (Ĉ, ρ) = d (t l t l ) l iff (Ĉ, ρ) = d t l (Ĉ, ρ) = d t l ( (fn x => t l 0 0 ) Ĉ(l ) : (Ĉ, ρ) = d t l 0 0 Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l)) ( (fun f x => t l 0 0 ) Ĉ(l ) : (Ĉ, ρ) = d t l 0 0 Ĉ(l ) ρ(x) Ĉ(l 0) Ĉ(l) {fun f x => t l 0 0 } ρ(f)) PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 75

76 Abstract Values as Powersets () (Ĉ, ρ) = d c l iff {d c } Ĉ(l) (Ĉ, ρ) = d x l iff ρ(x) Ĉ(l) (Ĉ, ρ) = d (if t l 0 0 then t l else t l iff (Ĉ, ρ) = d t l 0 0 ) l (d true Ĉ(l 0) ( (Ĉ, ρ) = d t l Ĉ(l ) Ĉ(l))) (d false Ĉ(l 0) ( (Ĉ, ρ) = d t l Ĉ(l ) Ĉ(l))) (Ĉ, ρ) = d (let x = t l in t l iff (Ĉ, ρ) = d t l (Ĉ, ρ) = d t l Ĉ(l ) ρ(x) Ĉ(l ) Ĉ(l) (Ĉ, ρ) = d (t l op t l ) l ) l iff (Ĉ, ρ) = d t l (Ĉ, ρ) = d t l Ĉ(l ) ôp Ĉ(l ) Ĉ(l) PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 76

77 Example: (let f = (fn x => (if (x > 0 ) 3 then (fn y => y 4 ) 5 else (fn z => 5 6 ) 7 ) 8 ) 9 in ((f 0 3 ) 0 3 ) 4 ) 5 A pure 0-CFA analysis will not be able to discover that the else-branch of the conditional will never be executed. When we combine the analysis with a Detection of Signs Analysis then the analysis can determine that only fn y => y 4 is a possible abstraction at label. PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 77

78 Example: (Ĉ, ρ) (Ĉ, ρ) {+} {0} 3 {tt} 4 {0} 5 {fn y => y 4 } {fn y => y 4 } 6 7 {fn z => 5 6 } 8 { fn y => y 4, fn z => 5 6 } {fn y => y 4 } 9 {fn x => ( ) 8 } {fn x => ( ) 8 } 0 {fn x => ( ) 8 } {fn x => ( ) 8 } {+} { fn y => y 4, fn z => 5 6 } {fn y => y 4 } 3 {0} 4 {0} 5 {0} f {fn x => ( ) 8 } {fn x => ( ) 8 } x {+} y {0} z PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 78

79 Abstract Values as Complete Lattices A monotone structure consists of: a complete lattice L, and a set F of monotone functions of L L L. An instance of a monotone structure consists of the structure (L, F) and a mapping ι from the constants c Const to values in L, and a mapping f from the binary operators op Op to functions of F. PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 79

80 Example: A monotone structure corresponding to the previous development will have L to be P(Data) and F to be the monotone functions of P(Data) P(Data) P(Data). (L satisfies the Ascending Chain Property iff Data is finite.) An instance of the monotone structure is then obtained by taking ι c = {d c } for all constants c (and with d c Data as above) and f op (l, l ) = {d op (d, d ) d l, d l } for all binary operators op (and where d op : Data Data P(Data) is as above). PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 80

81 Example: A monotone structure for Constant Propagation Analysis will have L to be Z P({tt, ff}) and F to be the monotone functions of L L L. An instance of the monotone structure is obtained by taking e.g. ι 7 = (7, ) and ι true = (, {tt}). For a binary operator as + we can take: f+(l, l ) = (z + z, ) if l = (z, ), l = (z, ), and z, z Z (, ) if l = (z, ), l = (z, ), and z = or z = (, ) otherwise PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 8

82 Abstract Domains For the Control Flow Analysis: v Val = P(Term) abstract values ρ Env = Var Val abstract environments Ĉ Cache = Lab Val abstract caches For the Data Flow Analysis: d Data = L abstract data values δ DEnv = Var Data abstract data environments D DCache = Lab Data abstract data caches PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 8

83 Abstract Values as Complete Lattices () (Ĉ, D, ρ, δ) = D (fn x => e 0 ) l iff {fn x => e 0 } Ĉ(l) (Ĉ, D, ρ, δ) = D (fun f x => e 0 ) l iff {fun f x => e 0 } Ĉ(l) (Ĉ, D, ρ, δ) = D (t l t l ) l iff (Ĉ, D, ρ, δ) = D t l (Ĉ, D, ρ, δ) = D t l ( (fn x => t l 0 0 ) Ĉ(l ) : (Ĉ, D, ρ, δ) = D t l 0 Ĉ(l ) ρ(x) Ĉ(l 0 ) Ĉ(l) 0 ( (fun f x => t l 0 0 ) Ĉ(l ) : (Ĉ, D, ρ, δ) = D t l 0 Ĉ(l ) ρ(x) Ĉ(l 0 ) Ĉ(l) D(l ) δ(x) D(l 0 ) D(l) ) 0 {fun f x => t l 0 0 } ρ(f)) D(l ) δ(x) D(l 0 ) D(l) PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 83

84 Abstract Values as Complete Lattices () (Ĉ, D, ρ, δ) = D c l iff ι C D(l) (Ĉ, D, ρ, δ) = D x l iff ρ(x) Ĉ(l) δ(x) D(l) (Ĉ, D, ρ, δ) = D (if t l 0 0 then t l else t l iff (Ĉ, D, ρ, δ) = D t l 0 0 ( ι true D(l 0 ) (Ĉ, D, ρ, δ) = D t l ) l Ĉ(l ) Ĉ(l) D(l ) D(l) ) ( ι false D(l 0 ) (Ĉ, D, ρ, δ) = D t l Ĉ(l ) Ĉ(l) D(l ) D(l) ) PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 84

85 Abstract Values as Complete Lattices (3) (Ĉ, D, ρ, δ) = D (let x = t l in t l iff (Ĉ, D, ρ, δ) = D t l (Ĉ, D, ρ, δ) = D t l Ĉ(l ) ρ(x) D(l ) δ(x) ) l Ĉ(l ) Ĉ(l) D(l ) D(l) (Ĉ, D, ρ, δ) = D (t l op t l iff (Ĉ, D, ρ, δ) = D t l (Ĉ, D, ρ, δ) = D t l f op ( D(l ), D(l )) D(l) ) l PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 85

86 Example: (Ĉ, ρ) (Ĉ, ρ) (Ĉ, ρ) ( D, δ) {+} {+} {0} {0} 3 {tt} {tt} 4 {0} {0} 5 {fn y => y 4 } {fn y => y 4 } {fn y => y 4 } 6 7 {fn z => 5 6 } 8 { fn y => y 4, fn z => 5 6 } {fn y => y 4 } {fn y => y 4 } 9 {fn x => ( ) 8 } {fn x => ( ) 8 } {fn x => ( ) 8 } 0 {fn x => ( ) 8 } {fn x => ( ) 8 } {fn x => ( ) 8 } {+} {+} { fn y => y 4, fn z => 5 6 } {fn y => y 4 } {fn y => y 4 } 3 {0} {0} 4 {0} {0} 5 {0} {0} f {fn x => ( ) 8 } {fn x => ( ) 8 } {fn x => ( ) 8 } x {+} {+} y {0} {0} z PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 86

87 Staging the specification Alternative clause for the conditional where the data flow component cannot influence the control flow component: (Ĉ, D, ρ, δ) = D (if t l 0 0 then t l else t l iff (Ĉ, D, ρ, δ) = D t l 0 0 (Ĉ, D, ρ, δ) = D t l Ĉ(l ) Ĉ(l) D(l ) D(l) (Ĉ, D, ρ, δ) = D t l Ĉ(l ) Ĉ(l) D(l ) D(l) ) l Compare with flow-insensitive Data Flow Analyses. PPA Section 3.5 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 87

88 Adding Context Information Mono-variant analysis: does not distinguish the various instances of variables and program points from one another. (Compare with contextinsensitive interprocedural analysis.) 0-CFA is a typical example. Poly-variant analysis: distinguishes between the various instances of variables and program points. (Compare with context-sensitive interprocedural analysis.) PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 88

89 Example: (let f = (fn x => x ) in ((f 3 f 4 ) 5 (fn y => y 6 ) 7 ) 8 ) 9 The least 0-CFA analysis: Ĉ id () = {fn x => x, fn y => y 6 } Ĉid () = {fn x => x } Ĉ id (3) = {fn x => x } Ĉid (4) = {fn x => x } Ĉ id (5) = {fn x => x, fn y => y 6 } Ĉid (6) = {fn y => y6 } Ĉ id (7) = {fn y => y 6 } Ĉid (8) = {fn x => x, fn y => y 6 } Ĉ id (9) = {fn x => x, fn y => y 6 } ρ id (f) = {fn x => x } ρ id (x) = {fn x => x, fn y => y 6 } ρ id (y) = {fn y => y 6 } The analysis says that the expression may evaluate to fn x => x or fn y => y 6. However, only fn y => y 6 is a possible result. PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 89

90 A purely syntactic solution: Expand (let f = (fn x => x) in ((f f) (fn y => y))) into let f = (fn x => x) in let f = (fn x => x) in (f f) (fn y => y) and analyse the expanded expression. The 0-CFA analysis is now able to deduce that the overall expression will evaluate to fn y => y only. PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 90

91 A purely semantic solution: Uniform k-cfa Idea: extend the set Val to include context information In a (uniform) k-cfa a context δ records the last k dynamic call points; hence contexts will be sequences of labels of length at most k and they will be updated whenever a function application is analysed. (Compare call strings of length at most k.) PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 9

92 Abstract Domains δ = Lab k context information ce CEnv = Var context environments v Val = P(Term CEnv) abstract values ρ Env = (Var ) Val abstract environments Ĉ Cache = (Lab ) Val abstract caches (Uniform because used both for Env and Cache.) PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 9

93 Acceptability Relation where (Ĉ, ρ) = ce δ e ce is the current context environment will be changed when new bindings are made δ is the current context will be changed when functions are called Idea: The formula expresses that (Ĉ, ρ) is an acceptable analysis of e in the context specified by ce and δ. PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 93

94 Control Flow Analysis with Context () (Ĉ, ρ) = ce δ (fn x => e 0) l iff {(fn x => e 0, ce )} Ĉ(l, δ) (Ĉ, ρ) = ce δ (fun f x => e 0) l iff {(fun f x => e 0, ce )} Ĉ(l, δ) (Ĉ, ρ) = ce δ (tl iff t l ) l (Ĉ, ρ) = ce δ tl (Ĉ, ρ) = ce δ tl ( (fn x => t l 0 0, ce 0 ) Ĉ(l, δ) : (Ĉ, ρ) = ce 0 δ t l Ĉ(l, δ) ρ(x, δ 0 ) Ĉ(l 0, δ 0 ) where δ 0 = δ, l k and ce 0 = ce 0[x δ 0 ]) ( (fun f x => t l 0 0, ce 0 ) Ĉ(l, δ) : (Ĉ, ρ) = ce 0 δ t l Ĉ(l, δ) ρ(x, δ 0 ) Ĉ(l 0, δ 0 ) {(fun f x => t l 0 0, ce 0 )} ρ(f, δ 0 ) where δ 0 = δ, l k and ce 0 = ce 0[f δ 0, x δ 0 ]) Ĉ(l, δ) Ĉ(l, δ) PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 94

95 Control Flow Analysis with Context () (Ĉ, ρ) = ce δ cl always (Ĉ, ρ) = ce δ xl iff ρ(x, ce(x) ) Ĉ(l, δ) (Ĉ, ρ) = ce δ (if tl 0 0 then t l else t l ) l iff (Ĉ, ρ) = ce δ tl 0 0 (Ĉ, ρ) = ce δ tl (Ĉ, ρ) = ce Ĉ(l, δ) Ĉ(l, δ) Ĉ(l, δ) Ĉ(l, δ) (Ĉ, ρ) = ce δ (let x = tl in t l iff (Ĉ, ρ) = ce δ tl (Ĉ, ρ) = ce δ t l Ĉ(l, δ) ρ(x, δ) Ĉ(l, δ) Ĉ(l, δ) where ce = ce[x δ] ) l δ tl (Ĉ, ρ) = ce δ (tl op t l ) l iff (Ĉ, ρ) = ce δ tl (Ĉ, ρ) = ce δ tl PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 95

96 Example: (let f = (fn x => x ) in ((f 3 f 4 ) 5 (fn y => y 6 ) 7 ) 8 ) 9 Contexts of interest for uniform -CFA: Λ: the initial context 5: the context when the application point labelled 5 has been passed 8: the context when the application point labelled 8 has been passed Context environments of interest for uniform -CFA: ce 0 = [ ] the initial (empty) context environment ce = ce 0 [f Λ] the context environment for the analysis of the body of the let-construct ce = ce 0 [x 5] the context environment used for the analysis of the body of f initiated at the application point 5 ce 3 = ce 0 [x 8] the context environment used for the analysis of the body of f initiated at the application point 8. PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 96

97 Example: Let us take Ĉid and ρ id to be: Ĉ id (, 5) = {(fn x => x,ce 0 )} Ĉid (, 8) = {(fn y => y 6,ce 0 )} Ĉ id (, Λ) = {(fn x => x,ce 0 )} Ĉid (3, Λ) = {(fn x => x,ce 0 )} Ĉ id (4, Λ) = {(fn x => x,ce 0 )} Ĉid (5, Λ) = {(fn x => x,ce 0 )} Ĉ id (7, Λ) = {(fn y => y 6,ce 0 )} Ĉid (8, Λ) = {(fn y => y 6,ce 0 )} Ĉ id (9, Λ) = {(fn y => y 6,ce 0 )} ρ id (f, Λ) = {(fn x => x,ce 0 )} ρ id (x, 5) = {(fn x => x,ce 0 )} ρ id (x, 8) = {(fn y => y 6,ce 0 )} This is an acceptable analysis result: (Ĉid, ρ id ) = ce 0 Λ (let f = (fn x => x ) in ((f 3 f 4 ) 5 (fn y => y 6 ) 7 ) 8 ) 9 PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 97

98 Complexity Uniform k-cfa has exponential worst case complexity even when k = Assume that the expression has size n and that it has p different variables. Then has O(n) elements and hence there will be O(p n) different pairs (x, δ) and O(n ) different pairs (l, δ). This means that (Ĉ, ρ) can be seen as an O(n ) tuple of values from Val. Since Val itself is a powerset of pairs of the form (t, ce) and there are O(n n p ) such pairs it follows that Val has height O(n n p ). Since O(p) = O(n) we have the exponential worst case complexity. 0-CFA analysis has polynomial worst case complexity It corresponds to letting be a singleton. Repeating the above calculations we can see (Ĉ, ρ) as an O(p + n) tuple of values from Val, and Val will be a lattice of height O(n). PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 98

99 Variations (based on call-strings) Uniform k-cfa ce CEnv = Var context environments v Val = P(Term CEnv) abstract values ρ Env = (Var ) Val abstract environments Ĉ Cache = (Lab ) Val abstract caches k-cfa Ĉ Cache = (Lab CEnv) Val abstract caches Polynomial k-cfa v Val = P(Term ) abstract values PPA Section 3.6 c F.Nielson & H.Riis Nielson & C.Hankin (Dec. 004) 99

Similar documents

Principles of Program Analysis: A Sampler of Approaches

Principles of Program Analysis: A Sampler of Approaches Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis Springer Verlag

More information

Principles of Program Analysis: Abstract Interpretation

Principles of Program Analysis: Abstract Interpretation Principles of Program Analysis: Abstract Interpretation Transparencies based on Chapter 4 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag

More information

Principles of Program Analysis: Data Flow Analysis

Principles of Program Analysis: Data Flow Analysis Principles of Program Analysis: Data Flow Analysis Transparencies based on Chapter 2 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag

More information

for creating parallel threads that communicate via rst class shared locations, and they present a -CFA like analysis with the additional twist that a

for creating parallel threads that communicate via rst class shared locations, and they present a -CFA like analysis with the additional twist that a Systematic Realisation of Control Flow Analyses for CML Kirsten L. Solberg Gasser, Flemming Nielson, Hanne Riis Nielson Computer Science Department, Aarhus University, Ny Munkegade, DK-8 Aarhus C, Denmark

More information

Semantics with Applications: Model-Based Program Analysis

Semantics with Applications: Model-Based Program Analysis Semantics with Applications: Model-Based Program Analysis c Hanne Riis Nielson c Flemming Nielson Computer Science Department, Aarhus University, Denmark (October 1996) Contents 1 Introduction 1 1.1 Side-stepping

More information

Principles of Program Analysis: Data Flow Analysis

Principles of Program Analysis: Data Flow Analysis Principles of Program Analysis: Data Flow Analysis Transparencies based on Chapter 2 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag

More information

Static Program Analysis

Static Program Analysis Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Recap: Interprocedural Dataflow Analysis Outline of

More information

Denotational Semantics

Denotational Semantics 5 Denotational Semantics In the operational approach, we were interested in how a program is executed. This is contrary to the denotational approach, where we are merely interested in the effect of executing

More information

Introduction to Kleene Algebras

Introduction to Kleene Algebras Introduction to Kleene Algebras Riccardo Pucella Basic Notions Seminar December 1, 2005 Introduction to Kleene Algebras p.1 Idempotent Semirings An idempotent semiring is a structure S = (S, +,, 1, 0)

More information

Probabilistic Model Checking and [Program] Analysis (CO469)

Probabilistic Model Checking and [Program] Analysis (CO469) Probabilistic Model Checking and [Program] Analysis (CO469) Program Analysis Herbert Wiklicky herbert@doc.ic.ac.uk Spring 208 / 64 Overview Topics we will cover in this part will include:. Language WHILE

More information

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007 Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This

More information

Static Program Analysis

Static Program Analysis Static Program Analysis Xiangyu Zhang The slides are compiled from Alex Aiken s Michael D. Ernst s Sorin Lerner s A Scary Outline Type-based analysis Data-flow analysis Abstract interpretation Theorem

More information

Mechanics of Static Analysis

Mechanics of Static Analysis Escuela 03 III / 1 Mechanics of Static Analysis David Schmidt Kansas State University www.cis.ksu.edu/~schmidt Escuela 03 III / 2 Outline 1. Small-step semantics: trace generation 2. State generation and

More information

Roy L. Crole. Operational Semantics Abstract Machines and Correctness. University of Leicester, UK

Roy L. Crole. Operational Semantics Abstract Machines and Correctness. University of Leicester, UK Midlands Graduate School, University of Birmingham, April 2008 1 Operational Semantics Abstract Machines and Correctness Roy L. Crole University of Leicester, UK Midlands Graduate School, University of

More information

Sums of Products. Pasi Rastas November 15, 2005

Sums of Products. Pasi Rastas November 15, 2005 Sums of Products Pasi Rastas November 15, 2005 1 Introduction This presentation is mainly based on 1. Bacchus, Dalmao and Pitassi : Algorithms and Complexity results for #SAT and Bayesian inference 2.

More information

CS357: CTL Model Checking (two lectures worth) David Dill

CS357: CTL Model Checking (two lectures worth) David Dill CS357: CTL Model Checking (two lectures worth) David Dill 1 CTL CTL = Computation Tree Logic It is a propositional temporal logic temporal logic extended to properties of events over time. CTL is a branching

More information

Programming Language Concepts, CS2104 Lecture 3

Programming Language Concepts, CS2104 Lecture 3 Programming Language Concepts, CS2104 Lecture 3 Statements, Kernel Language, Abstract Machine 31 Aug 2007 CS2104, Lecture 3 1 Reminder of last lecture Programming language definition: syntax, semantics

More information

Improved Algorithms for Module Extraction and Atomic Decomposition

Improved Algorithms for Module Extraction and Atomic Decomposition Improved Algorithms for Module Extraction and Atomic Decomposition Dmitry Tsarkov tsarkov@cs.man.ac.uk School of Computer Science The University of Manchester Manchester, UK Abstract. In recent years modules

More information

A Succinct Solver for ALFP

A Succinct Solver for ALFP Nordic Journal of Computing A Succinct Solver for ALFP Flemming Nielson 1, Helmut Seidl 2 and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University of Denmark Email: {nielson,riis}@imm.dtu.dk

More information

SEMANTICS OF PROGRAMMING LANGUAGES Course Notes MC 308

SEMANTICS OF PROGRAMMING LANGUAGES Course Notes MC 308 University of Leicester SEMANTICS OF PROGRAMMING LANGUAGES Course Notes for MC 308 Dr. R. L. Crole Department of Mathematics and Computer Science Preface These notes are to accompany the module MC 308.

More information

CS422 - Programming Language Design

CS422 - Programming Language Design 1 CS422 - Programming Language Design Denotational Semantics Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign 2 Denotational semantics, also known as fix-point semantics,

More information

Type Systems. Today. 1. What is the Lambda Calculus. 1. What is the Lambda Calculus. Lecture 2 Oct. 27th, 2004 Sebastian Maneth

Type Systems. Today. 1. What is the Lambda Calculus. 1. What is the Lambda Calculus. Lecture 2 Oct. 27th, 2004 Sebastian Maneth Today 1. What is the Lambda Calculus? Type Systems 2. Its Syntax and Semantics 3. Church Booleans and Church Numerals 4. Lazy vs. Eager Evaluation (call-by-name vs. call-by-value) Lecture 2 Oct. 27th,

More information

A Modular Rewriting Semantics for CML

A Modular Rewriting Semantics for CML A Modular Rewriting Semantics for CML Fabricio Chalub Barbosa do Rosário frosario@ic.uff.br 19 de março de 2004 0-0 Outline A closer look at MSOS Mapping MSOS to MRS Executing and model checking CML programs

More information

Propositional Logic: Part II - Syntax & Proofs 0-0

Propositional Logic: Part II - Syntax & Proofs 0-0 Propositional Logic: Part II - Syntax & Proofs 0-0 Outline Syntax of Propositional Formulas Motivating Proofs Syntactic Entailment and Proofs Proof Rules for Natural Deduction Axioms, theories and theorems

More information

Operationally-Based Theories of Program Equivalence

Operationally-Based Theories of Program Equivalence Operationally-Based Theories of Program Equivalence Andrew Pitts Contents 1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : 241 2 Contextual Equivalence : : : : : : : : : : : : : :

More information

Formal Methods in Software Engineering

Formal Methods in Software Engineering Formal Methods in Software Engineering An Introduction to Model-Based Analyis and Testing Vesal Vojdani Department of Computer Science University of Tartu Fall 2014 Vesal Vojdani (University of Tartu)

More information

A brief introduction to Logic. (slides from

A brief introduction to Logic. (slides from A brief introduction to Logic (slides from http://www.decision-procedures.org/) 1 A Brief Introduction to Logic - Outline Propositional Logic :Syntax Propositional Logic :Semantics Satisfiability and validity

More information

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Lecture Notes on Emptiness Checking, LTL Büchi Automata 15-414: Bug Catching: Automated Program Verification Lecture Notes on Emptiness Checking, LTL Büchi Automata Matt Fredrikson André Platzer Carnegie Mellon University Lecture 18 1 Introduction We ve seen

More information

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052

More information

CVO103: Programming Languages. Lecture 2 Inductive Definitions (2)

CVO103: Programming Languages. Lecture 2 Inductive Definitions (2) CVO103: Programming Languages Lecture 2 Inductive Definitions (2) Hakjoo Oh 2018 Spring Hakjoo Oh CVO103 2018 Spring, Lecture 2 March 13, 2018 1 / 20 Contents More examples of inductive definitions natural

More information

What are the recursion theoretic properties of a set of axioms? Understanding a paper by William Craig Armando B. Matos

What are the recursion theoretic properties of a set of axioms? Understanding a paper by William Craig Armando B. Matos What are the recursion theoretic properties of a set of axioms? Understanding a paper by William Craig Armando B. Matos armandobcm@yahoo.com February 5, 2014 Abstract This note is for personal use. It

More information

Model Checking with CTL. Presented by Jason Simas

Model Checking with CTL. Presented by Jason Simas Model Checking with CTL Presented by Jason Simas Model Checking with CTL Based Upon: Logic in Computer Science. Huth and Ryan. 2000. (148-215) Model Checking. Clarke, Grumberg and Peled. 1999. (1-26) Content

More information

Chapter 4: Computation tree logic

Chapter 4: Computation tree logic INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification

More information

Goal. Partially-ordered set. Game plan 2/2/2013. Solving fixpoint equations

Goal. Partially-ordered set. Game plan 2/2/2013. Solving fixpoint equations Goal Solving fixpoint equations Many problems in programming languages can be formulated as the solution of a set of mutually recursive equations: D: set, f,g:dxd D x = f(x,y) y = g(x,y) Examples Parsing:

More information

The complexity of recursive constraint satisfaction problems.

The complexity of recursive constraint satisfaction problems. The complexity of recursive constraint satisfaction problems. Victor W. Marek Department of Computer Science University of Kentucky Lexington, KY 40506, USA marek@cs.uky.edu Jeffrey B. Remmel Department

More information

3. Only sequences that were formed by using finitely many applications of rules 1 and 2, are propositional formulas.

3. Only sequences that were formed by using finitely many applications of rules 1 and 2, are propositional formulas. 1 Chapter 1 Propositional Logic Mathematical logic studies correct thinking, correct deductions of statements from other statements. Let us make it more precise. A fundamental property of a statement is

More information

Notes on Abstract Interpretation

Notes on Abstract Interpretation Notes on Abstract Interpretation Alexandru Sălcianu salcianu@mit.edu November 2001 1 Introduction This paper summarizes our view of the abstract interpretation field. It is based on the original abstract

More information

Complete Partial Orders, PCF, and Control

Complete Partial Orders, PCF, and Control Complete Partial Orders, PCF, and Control Andrew R. Plummer TIE Report Draft January 2010 Abstract We develop the theory of directed complete partial orders and complete partial orders. We review the syntax

More information

On the Complexity of the Reflected Logic of Proofs

On the Complexity of the Reflected Logic of Proofs On the Complexity of the Reflected Logic of Proofs Nikolai V. Krupski Department of Math. Logic and the Theory of Algorithms, Faculty of Mechanics and Mathematics, Moscow State University, Moscow 119899,

More information

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program Program verification Assertional semantics of a program Meaning of a program: relation between its inputs and outputs; specified by input assertions (pre-conditions) and output assertions (post-conditions)

More information

CS 6110 S16 Lecture 33 Testing Equirecursive Equality 27 April 2016

CS 6110 S16 Lecture 33 Testing Equirecursive Equality 27 April 2016 CS 6110 S16 Lecture 33 Testing Equirecursive Equality 27 April 2016 1 Equirecursive Equality In the equirecursive view of recursive types, types are regular labeled trees, possibly infinite. However, we

More information

Semantics and Verification of Software

Semantics and Verification of Software Semantics and Verification of Software Thomas Noll Software Modeling and Verification Group RWTH Aachen University http://moves.rwth-aachen.de/teaching/ss-15/sv-sw/ The Denotational Approach Denotational

More information

1 Introduction. 2 Recap The Typed λ-calculus λ. 3 Simple Data Structures

1 Introduction. 2 Recap The Typed λ-calculus λ. 3 Simple Data Structures CS 6110 S18 Lecture 21 Products, Sums, and Other Datatypes 1 Introduction In this lecture, we add constructs to the typed λ-calculus that allow working with more complicated data structures, such as pairs,

More information

Analysis of Algorithms. Outline 1 Introduction Basic Definitions Ordered Trees. Fibonacci Heaps. Andres Mendez-Vazquez. October 29, Notes.

Analysis of Algorithms. Outline 1 Introduction Basic Definitions Ordered Trees. Fibonacci Heaps. Andres Mendez-Vazquez. October 29, Notes. Analysis of Algorithms Fibonacci Heaps Andres Mendez-Vazquez October 29, 2015 1 / 119 Outline 1 Introduction Basic Definitions Ordered Trees 2 Binomial Trees Example 3 Fibonacci Heap Operations Fibonacci

More information

Abstract Interpretation and Static Analysis

Abstract Interpretation and Static Analysis / 1 Abstract Interpretation and Static Analysis David Schmidt Kansas State University www.cis.ksu.edu/~schmidt Welcome! / 2 / 3 Four parts 1. Introduction to static analysis what it is and how to apply

More information

Description Logics: an Introductory Course on a Nice Family of Logics. Day 2: Tableau Algorithms. Uli Sattler

Description Logics: an Introductory Course on a Nice Family of Logics. Day 2: Tableau Algorithms. Uli Sattler Description Logics: an Introductory Course on a Nice Family of Logics Day 2: Tableau Algorithms Uli Sattler 1 Warm up Which of the following subsumptions hold? r some (A and B) is subsumed by r some A

More information

Bayesian Networks Factor Graphs the Case-Factor Algorithm and the Junction Tree Algorithm

Bayesian Networks Factor Graphs the Case-Factor Algorithm and the Junction Tree Algorithm Bayesian Networks Factor Graphs the Case-Factor Algorithm and the Junction Tree Algorithm 1 Bayesian Networks We will use capital letters for random variables and lower case letters for values of those

More information

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct. EE 244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016 Temporal logic Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley) EE 244, Fall 2016

More information

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will

More information

Safety Analysis versus Type Inference

Safety Analysis versus Type Inference Information and Computation, 118(1):128 141, 1995. Safety Analysis versus Type Inference Jens Palsberg palsberg@daimi.aau.dk Michael I. Schwartzbach mis@daimi.aau.dk Computer Science Department, Aarhus

More information

Lecture Notes: Program Analysis Correctness

Lecture Notes: Program Analysis Correctness Lecture Notes: Program Analysis Correctness 15-819O: Program Analysis Jonathan Aldrich jonathan.aldrich@cs.cmu.edu Lecture 5 1 Termination As we think about the correctness of program analysis, let us

More information

Formal Techniques for Software Engineering: Denotational Semantics

Formal Techniques for Software Engineering: Denotational Semantics Formal Techniques for Software Engineering: Denotational Semantics Rocco De Nicola IMT Institute for Advanced Studies, Lucca rocco.denicola@imtlucca.it May 2013 Lesson 4 R. De Nicola (IMT-Lucca) FoTSE@LMU

More information

Chapter 2: The Basics. slides 2017, David Doty ECS 220: Theory of Computation based on The Nature of Computation by Moore and Mertens

Chapter 2: The Basics. slides 2017, David Doty ECS 220: Theory of Computation based on The Nature of Computation by Moore and Mertens Chapter 2: The Basics slides 2017, David Doty ECS 220: Theory of Computation based on The Nature of Computation by Moore and Mertens Problem instances vs. decision problems vs. search problems Decision

More information

Operational reasoning for functions with local state

Operational reasoning for functions with local state Operational reasoning for functions with local state Andrew Pitts and Ian Stark Abstract Languages such as ML or Lisp permit the use of recursively defined function expressions with locally declared storage

More information

Abstracting Definitional Interpreters. David Van Horn

Abstracting Definitional Interpreters. David Van Horn Abstracting Definitional Interpreters David Van Horn Abstracting Definitional Interpreters David Van Horn Northeastern University Definitional interpreters written in monadic style can express a wide variety

More information

Type Systems. Lecture 2 Oct. 27th, 2004 Sebastian Maneth.

Type Systems. Lecture 2 Oct. 27th, 2004 Sebastian Maneth. Type Systems Lecture 2 Oct. 27th, 2004 Sebastian Maneth http://lampwww.epfl.ch/teaching/typesystems/2004 Today 1. What is the Lambda Calculus? 2. Its Syntax and Semantics 3. Church Booleans and Church

More information

TR : Binding Modalities

TR : Binding Modalities City University of New York (CUNY) CUNY Academic Works Computer Science Technical Reports Graduate Center 2012 TR-2012011: Binding Modalities Sergei N. Artemov Tatiana Yavorskaya (Sidon) Follow this and

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 September 2, 2004 These supplementary notes review the notion of an inductive definition and

More information

Chapter 6: Computation Tree Logic

Chapter 6: Computation Tree Logic Chapter 6: Computation Tree Logic Prof. Ali Movaghar Verification of Reactive Systems Outline We introduce Computation Tree Logic (CTL), a branching temporal logic for specifying system properties. A comparison

More information

What does the partial order "mean"?

What does the partial order mean? What does the partial order "mean"? Domain theory developed by Dana Scott and Gordon Plotkin in the late '60s use partial order to represent (informally): approximates carries more information than better

More information

Part 1: Propositional Logic

Part 1: Propositional Logic Part 1: Propositional Logic Literature (also for first-order logic) Schöning: Logik für Informatiker, Spektrum Fitting: First-Order Logic and Automated Theorem Proving, Springer 1 Last time 1.1 Syntax

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 August 28, 2003 These supplementary notes review the notion of an inductive definition and give

More information

Intra-procedural Data Flow Analysis Backwards analyses

Intra-procedural Data Flow Analysis Backwards analyses Live variables Dead code elimination Very Busy Expressions Code hoisting Bitvector frameworks Monotone frameworks Intra-procedural Data Flow Analysis Backwards analyses Hanne Riis Nielson and Flemming

More information

From Constructibility and Absoluteness to Computability and Domain Independence

From Constructibility and Absoluteness to Computability and Domain Independence From Constructibility and Absoluteness to Computability and Domain Independence Arnon Avron School of Computer Science Tel Aviv University, Tel Aviv 69978, Israel aa@math.tau.ac.il Abstract. Gödel s main

More information

Unifying Theories of Programming

Unifying Theories of Programming 1&2 Unifying Theories of Programming Unifying Theories of Programming 3&4 Theories Unifying Theories of Programming designs predicates relations reactive CSP processes Jim Woodcock University of York May

More information

Compositionality in SLD-derivations and their abstractions Marco Comini, Giorgio Levi and Maria Chiara Meo Dipartimento di Informatica, Universita di

Compositionality in SLD-derivations and their abstractions Marco Comini, Giorgio Levi and Maria Chiara Meo Dipartimento di Informatica, Universita di Compositionality in SLD-derivations and their abstractions Marco Comini Giorgio Levi and Maria Chiara Meo Dipartimento di Informatica Universita di Pisa Corso Italia 40 56125 Pisa Italy fcomini levi meog@di.unipi.it

More information

The non-logical symbols determine a specific F OL language and consists of the following sets. Σ = {Σ n } n<ω

The non-logical symbols determine a specific F OL language and consists of the following sets. Σ = {Σ n } n<ω 1 Preliminaries In this chapter we first give a summary of the basic notations, terminology and results which will be used in this thesis. The treatment here is reduced to a list of definitions. For the

More information

Simply Typed Lambda Calculus

Simply Typed Lambda Calculus Simply Typed Lambda Calculus Language (ver1) Lambda calculus with boolean values t ::= x variable x : T.t abstraction tt application true false boolean values if ttt conditional expression Values v ::=

More information

Model Checking in the Propositional µ-calculus

Model Checking in the Propositional µ-calculus Model Checking in the Propositional µ-calculus Ka I Violet Pun INF 9140 - Specification and Verification of Parallel Systems 13 th May, 2011 Overview Model Checking is a useful means to automatically ascertain

More information

Extensions to the Logic of All x are y: Verbs, Relative Clauses, and Only

Extensions to the Logic of All x are y: Verbs, Relative Clauses, and Only 1/53 Extensions to the Logic of All x are y: Verbs, Relative Clauses, and Only Larry Moss Indiana University Nordic Logic School August 7-11, 2017 2/53 An example that we ll see a few times Consider the

More information

LOGIC PROPOSITIONAL REASONING

LOGIC PROPOSITIONAL REASONING LOGIC PROPOSITIONAL REASONING WS 2017/2018 (342.208) Armin Biere Martina Seidl biere@jku.at martina.seidl@jku.at Institute for Formal Models and Verification Johannes Kepler Universität Linz Version 2018.1

More information

Chapter 3 Deterministic planning

Chapter 3 Deterministic planning Chapter 3 Deterministic planning In this chapter we describe a number of algorithms for solving the historically most important and most basic type of planning problem. Two rather strong simplifying assumptions

More information

Logic as a Tool Chapter 1: Understanding Propositional Logic 1.1 Propositions and logical connectives. Truth tables and tautologies

Logic as a Tool Chapter 1: Understanding Propositional Logic 1.1 Propositions and logical connectives. Truth tables and tautologies Logic as a Tool Chapter 1: Understanding Propositional Logic 1.1 Propositions and logical connectives. Truth tables and tautologies Valentin Stockholm University September 2016 Propositions Proposition:

More information

Model Checking & Program Analysis

Model Checking & Program Analysis Model Checking & Program Analysis Markus Müller-Olm Dortmund University Overview Introduction Model Checking Flow Analysis Some Links between MC and FA Conclusion Apology for not giving proper credit to

More information

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms First-Order Logic 1 Syntax Domain of Discourse The domain of discourse for first order logic is FO structures or models. A FO structure contains Relations Functions Constants (functions of arity 0) FO

More information

Lecture 2: Syntax. January 24, 2018

Lecture 2: Syntax. January 24, 2018 Lecture 2: Syntax January 24, 2018 We now review the basic definitions of first-order logic in more detail. Recall that a language consists of a collection of symbols {P i }, each of which has some specified

More information

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013 Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions Continued 2.1.1 The Satisfiability Problem SAT 2.1.1.1 Propositional Formulas Definition 2.1.1. Consider a set of

More information

Deductive Verification

Deductive Verification Deductive Verification Mooly Sagiv Slides from Zvonimir Rakamaric First-Order Logic A formal notation for mathematics, with expressions involving Propositional symbols Predicates Functions and constant

More information

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare Axiomatic Semantics Semantics of Programming Languages course Joosep Rõõmusaare 2014 Direct Proofs of Program Correctness Partial correctness properties are properties expressing that if a given program

More information

Modal and Temporal Logics

Modal and Temporal Logics Modal and Temporal Logics Colin Stirling School of Informatics University of Edinburgh July 23, 2003 Why modal and temporal logics? 1 Computational System Modal and temporal logics Operational semantics

More information

SAT, NP, NP-Completeness

SAT, NP, NP-Completeness CS 473: Algorithms, Spring 2018 SAT, NP, NP-Completeness Lecture 22 April 13, 2018 Most slides are courtesy Prof. Chekuri Ruta (UIUC) CS473 1 Spring 2018 1 / 57 Part I Reductions Continued Ruta (UIUC)

More information

2.2 Lowenheim-Skolem-Tarski theorems

2.2 Lowenheim-Skolem-Tarski theorems Logic SEP: Day 1 July 15, 2013 1 Some references Syllabus: http://www.math.wisc.edu/graduate/guide-qe Previous years qualifying exams: http://www.math.wisc.edu/ miller/old/qual/index.html Miller s Moore

More information

Inter-procedural Data Flow Analysis

Inter-procedural Data Flow Analysis Flow insensitive analysis Context insensitive analysis Context sensitive analysis Inter-procedural Data Flow Analysis Hanne Riis Nielson and Flemming Nielson email: {riis,nielson}@imm.dtu.dk Informatics

More information

An Introduction to Modal Logic III

An Introduction to Modal Logic III An Introduction to Modal Logic III Soundness of Normal Modal Logics Marco Cerami Palacký University in Olomouc Department of Computer Science Olomouc, Czech Republic Olomouc, October 24 th 2013 Marco Cerami

More information

3 Propositional Logic

3 Propositional Logic 3 Propositional Logic 3.1 Syntax 3.2 Semantics 3.3 Equivalence and Normal Forms 3.4 Proof Procedures 3.5 Properties Propositional Logic (25th October 2007) 1 3.1 Syntax Definition 3.0 An alphabet Σ consists

More information

Restricted truth predicates in first-order logic

Restricted truth predicates in first-order logic Restricted truth predicates in first-order logic Thomas Bolander 1 Introduction It is well-known that there exist consistent first-order theories that become inconsistent when we add Tarski s schema T.

More information

CS522 - Programming Language Semantics

CS522 - Programming Language Semantics 1 CS522 - Programming Language Semantics Simply Typed Lambda Calculus Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign 2 We now discuss a non-trivial extension of

More information

Intelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University

Intelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University Intelligent Agents Formal Characteristics of Planning Ute Schmid Cognitive Systems, Applied Computer Science, Bamberg University Extensions to the slides for chapter 3 of Dana Nau with contributions by

More information

Comp487/587 - Boolean Formulas

Comp487/587 - Boolean Formulas Comp487/587 - Boolean Formulas 1 Logic and SAT 1.1 What is a Boolean Formula Logic is a way through which we can analyze and reason about simple or complicated events. In particular, we are interested

More information

A Discrete Duality Between Nonmonotonic Consequence Relations and Convex Geometries

A Discrete Duality Between Nonmonotonic Consequence Relations and Convex Geometries A Discrete Duality Between Nonmonotonic Consequence Relations and Convex Geometries Johannes Marti and Riccardo Pinosio Draft from April 5, 2018 Abstract In this paper we present a duality between nonmonotonic

More information

The simplex algorithm

The simplex algorithm The simplex algorithm The simplex algorithm is the classical method for solving linear programs. Its running time is not polynomial in the worst case. It does yield insight into linear programs, however,

More information

Knowledge Bases in Description Logics

Knowledge Bases in Description Logics (1/23) Description Logics Knowledge Bases in Description Logics Enrico Franconi franconi@cs.man.ac.uk http://www.cs.man.ac.uk/ franconi Department of Computer Science, University of Manchester (2/23) Understanding

More information

The Bayesian Ontology Language BEL

The Bayesian Ontology Language BEL Journal of Automated Reasoning manuscript No. (will be inserted by the editor) The Bayesian Ontology Language BEL İsmail İlkan Ceylan Rafael Peñaloza Received: date / Accepted: date Abstract We introduce

More information

Tableau-based decision procedures for the logics of subinterval structures over dense orderings

Tableau-based decision procedures for the logics of subinterval structures over dense orderings Tableau-based decision procedures for the logics of subinterval structures over dense orderings Davide Bresolin 1, Valentin Goranko 2, Angelo Montanari 3, and Pietro Sala 3 1 Department of Computer Science,

More information

MIT Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology

MIT Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology MIT 6.035 Foundations of Dataflow Analysis Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology Dataflow Analysis Compile-Time Reasoning About Run-Time Values of Variables

More information

P is the class of problems for which there are algorithms that solve the problem in time O(n k ) for some constant k.

P is the class of problems for which there are algorithms that solve the problem in time O(n k ) for some constant k. Complexity Theory Problems are divided into complexity classes. Informally: So far in this course, almost all algorithms had polynomial running time, i.e., on inputs of size n, worst-case running time

More information

LTCS Report. A finite basis for the set of EL-implications holding in a finite model

LTCS Report. A finite basis for the set of EL-implications holding in a finite model Dresden University of Technology Institute for Theoretical Computer Science Chair for Automata Theory LTCS Report A finite basis for the set of EL-implications holding in a finite model Franz Baader, Felix

More information

Logical specification and coinduction

Logical specification and coinduction Logical specification and coinduction Robert J. Simmons Carnegie Mellon University, Pittsburgh PA 15213, USA, rjsimmon@cs.cmu.edu, WWW home page: http://www.cs.cmu.edu/ rjsimmon Abstract. The notion of

More information

Introduction to Logic in Computer Science: Autumn 2006

Introduction to Logic in Computer Science: Autumn 2006 Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Today s class will be an introduction

More information

an efficient procedure for the decision problem. We illustrate this phenomenon for the Satisfiability problem.

an efficient procedure for the decision problem. We illustrate this phenomenon for the Satisfiability problem. 1 More on NP In this set of lecture notes, we examine the class NP in more detail. We give a characterization of NP which justifies the guess and verify paradigm, and study the complexity of solving search

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback