static program analysis - aarhus universitet
TRANSCRIPT
![Page 1: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/1.jpg)
Anders Møller & Michael I. SchwartzbachComputer Science, Aarhus University
Static Program AnalysisPart 5 – widening and narrowing
http://cs.au.dk/~amoeller/spa/
![Page 2: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/2.jpg)
Interval analysis• Compute upper and lower bounds for integers• Possible applications:
– array bounds checking– integer representation– …
• Lattice of intervals:Intervals = lift({ [l,h] | l,h∈N ∧ l ≤ h })
whereN = {-∞, ..., -2, -1, 0, 1, 2, ..., ∞}
and intervals are ordered by inclusion:[l1,h1]⊑[l2,h2] iff l2 ≤ l1 ∧ h1 ≤ h2 2
![Page 3: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/3.jpg)
The interval lattice[-∞,∞]
[0,0] [1,1] [2,2][-1,-1][-2,-2]
[0,1] [1,2][-1,0][-2,-1]
[2,∞]
[1,∞]
[0,∞]
[-∞,-2]
[-∞,-1]
[-∞,0]
[-2,0] [-1,1] [0,2]
[-2,1] [-1,2]
[-2,2]
3
⊥bottom element here interpreted as “not an integer”
![Page 4: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/4.jpg)
Interval analysis lattice
• The total lattice for a program point isVars → Intervals
that provides bounds for each (integer) variable
• If using the worklist solver that initializes the worklist with only the entry node, use the lattice lift(Vars → Intervals)
– bottom value of lift(Vars → Intervals) represents “unreachable program point”– bottom value of Vars → Intervals represents “maybe reachable,
but all variables are non-integers”
• This lattice has infinite height, since the chain[0,0] ⊑ [0,1] ⊑ [0,2] ⊑ [0,3] ⊑ [0,4] ...
occurs in Intervals4
![Page 5: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/5.jpg)
Interval constraints
• For assignments:⟦ x = E ⟧ = JOIN(v)[x→eval(JOIN(v),E)]
• For all other nodes:⟦v⟧ = JOIN(v)
where JOIN(v) = ⨆⟦w⟧w∈pred(v)
5
![Page 6: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/6.jpg)
Evaluating intervals
• The eval function is an abstract evaluation:– eval(σ, x) = σ(x)– eval(σ, intconst) = [intconst,intconst]– eval(σ, E1 op E2) = op(eval(σ,E1),eval(σ,E2))
• Abstract operators:– op([l1,h1],[l2,h2]) =
[ min x op y, max x op y]x∈[l1,h1], y∈[l2,h2] x∈[l1,h1], y∈[l2,h2]
6
not trivial to implement!
![Page 7: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/7.jpg)
Fixed-point problems
• The lattice has infinite height, so the fixed-point algorithm does not work
• The sequence of approximantsfi(⊥) for i = 0, 1, ...
is not guaranteed to converge• (Exercise: give an example of a program where this happens)
• Restricting to 32 bit integers is not a practical solution• Widening gives a useful solution…
7
![Page 8: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/8.jpg)
Does the least fixed point exist?
• The lattice has infinite height, so Kleene’s fixed-point theorem does not apply
• Tarski’s fixed-point theorem:
8
In a complete lattice L, every monotone function f: L → L has a unique least fixed point given by
lfp(f) = ⨅{ x∈L | f(x) ⊑ x}
(Proof?)
![Page 9: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/9.jpg)
Widening
• Introduce a widening function ω: L → L so that
(ωf)i(⊥) for i = 0, 1, ...
converges on a fixed point that is a safe approximation of each fi(⊥)
• i.e. the function ω coarsens the information
9
![Page 10: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/10.jpg)
Turbo charging the iterations
f
10
ω
![Page 11: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/11.jpg)
Simple widening for intervals• The function ω: L → L is defined pointwise on
L = (Vars → Intervals)n
• Parameterized with a fixed finite set B– must contain -∞ and ∞ (to retain the ⊤ element)– typically seeded with all integer constants occurring in the
given program
• Idea: Find the nearest enclosing allowed interval• On single elements from Intervals :
ω([a,b]) = [ max{i∈B|i≤a}, min{i∈B|b≤i} ]ω(⊥) = ⊥
11-∞ ∞-87 5 117
[1,42]
ω([1,42])
![Page 12: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/12.jpg)
Divergence in action
[x→⊥, y→⊥][x→ [8,8], y→ [0,1]][x→ [8,8], y→ [0,2]][x→ [8,8], y→ [0,3]]...
12
y = 0;
x = 7;
x = x+1;
while (input) {
x = 7;
x = x+1;
y = y+1;
}
![Page 13: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/13.jpg)
Simple widening in action
[x→⊥, y→⊥][x→ [7,∞], y→ [0,1]][x→ [7,∞], y→ [0,7]][x→ [7,∞], y→ [0,∞]]
13
y = 0;
x = 7;
x = x+1;
while (input) {
x = 7;
x = x+1;
y = y+1;
}
B = {-∞, 0, 1, 7, ∞}
![Page 14: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/14.jpg)
Correctness of simple widening
• This form of widening works when:– ω is an extensive and monotone function, and– the sub-lattice ω(L) has finite height
• ωf is monotone and ω(L) has finite height,so (ωf)i(⊥) for i = 0, 1, ... converges
• Let fω = (ωf)k(⊥) where (ωf)k(⊥) = (ωf)k+1(⊥) • lfp(f) ⊑ fω follows from Tarski’s fixed-point theorem,
i.e., fω is a safe approximation of lfp(f)
14
![Page 15: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/15.jpg)
Narrowing• Widening generally shoots over the target• Narrowing may improve the result by applying f
• We have f(fω) ⊑ fω so applying f again mayimprove the result!
• And we also have lfp(f) ⊑ f(fω) so it remains safe!• This can be iterated arbitrarily many times
– may diverge, but safe to stop anytime
15
![Page 16: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/16.jpg)
Backing up
f ω
16
![Page 17: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/17.jpg)
Narrowing in action
[x→⊥, y→⊥][x→ [7,∞], y→ [0,1]][x→ [7,∞], y→ [0,7]][x→ [7,∞], y→ [0,∞]]...[x→ [8,8], y→ [0,∞]]
B = {-∞, 0, 1, 7, ∞}
17
y = 0;
x = 7;
x = x+1;
while (input) {
x = 7;
x = x+1;
y = y+1;
}
![Page 18: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/18.jpg)
Correctness of (repeated) narrowing
• f(fω) ⊑ ω(f(fω)) = (ωf)(fω) = fω since ω is extensive– by monotonicity of f and induction we also have, for all i:
fi+1(fω) ⊑ fi(fω) ⊑ fω– i.e. fi+1(fω) is at least as precise as fi(fω)
• f(fω) ⊑ fω so f(f(fω)) ⊑ f(fω) by monotonicity of f, hence lfp(f) ⊑ f(fω) by Tarski’s fixed-point theorem– by induction we also have, for all i:
lfp(f) ⊑ fi(fω) – i.e. fi(fω) is a safe approximation of lfp(f)
18
Claim: lfp(f) ⊑ ... ⊑ fi(fω) ⊑ ... ⊑ f(fω) ⊑ fω
![Page 19: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/19.jpg)
Some observations
• The simple notion of widening is a bit naive…• Widening happens at every interval and at every node
• There’s no need to widen intervals that are not “unstable”
• There’s no need to widen if there are no “cycles” in the dataflow
19
![Page 20: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/20.jpg)
More powerful widening
• A widening is a function ∇: L × L →L that is extensive in both arguments and satisfies the following property:
for all increasing chains z0 ⊑ z1 ⊑ …,the sequence y0 = z0, …, yi+1 = yi ∇ zi+1 ,… converges(i.e. stabilizes after a finite number of steps)
• Now replace the basic fixed point solver by computing x0 = ⊥ and xi+1 = xi ∇ f(xi) until convergence
• Theorem: xk+1 = xk and lfp(f) ⊑ xk for some k
20(Proof: similar to the correctness proof for simple widening)
![Page 21: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/21.jpg)
More powerful wideningfor interval analysis
Extrapolates unstable bounds to B:⊥ ∇ y = yx ∇ ⊥ = x[a1,b1] ∇ [a2,b2] =
[if a1 ≤ a2 then a1 else max{i∈B|i≤a2},if b2 ≤ b1 then b1 else min{i∈B|b2≤i}]
The ∇ operator on L is then defined pointwise down to individual intervals
For the small example program, we get the same result as with simple widening plus narrowing (but now without using narrowing)
21
![Page 22: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/22.jpg)
Yet another improvement
• Divergence (e.g. in the interval analysis without widening) can only appear in presence of recursive dataflow constraint
• Sufficient to “break the cycles”, perform widening only at, for example, loop heads in the CFG
22
![Page 23: Static Program Analysis - Aarhus Universitet](https://reader030.vdocuments.net/reader030/viewer/2022012608/619c174345dca568d06c1660/html5/thumbnails/23.jpg)
Choosing the set B
• Defining the widening function based on constants occurring in the given program may not work well
• (This example requires interprocedural and control-sensitive analysis)23
f(x) { // ”McCarthy’s 91 function”
var r;
if (x > 100) {
r = x - 10;
} else {
r = f(f(x + 11));
}
return r;
}
https://en.wikipedia.org/wiki/McCarthy_91_function