230 likes | 357 Views
Program Analysis Last Lesson. Mooly Sagiv. Goals. Show the significance of set constraints for CFA of Object Oriented Programs Sketch advanced techniques Summarize the course Get some feedback. A Motivating Example. class Vehicle Object { int position = 10; void move(x1 : int) {
E N D
Program AnalysisLast Lesson Mooly Sagiv
Goals • Show the significance of set constraints forCFA of Object Oriented Programs • Sketch advanced techniques • Summarize the course • Get some feedback
A Motivating Example class Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(v : Vehicle) { if (v.position < position) then v.move(position - v.position); else self.move(10); }} class Truck extends Vehicle { void move(x2 : int) { if (x2 < 55) position = position + x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passengers := 2; c.move(60); v1.move(70); c.await(t) ;}
A Motivating Example class Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(v {Truck} : Vehicle) { if (v {Truck} .position < position) then v {Truck}.move(position - v.position); else self {Car}.move(10); }} class Truck extends Vehicle { void move(x2 : int) { if (x2 < 55) position = position + x2; }} void main { Car c; Truck t; Vehicle v1; new c {Car} ; new t {Truck} ; v1 {Car} := c {Car} ; c {Car} .passengers := 2; c {Car} .move(60); v1 {Car}.move(70); c {Car} .await(t {Truck} ) ;}
Flow Insensitive Class Analysis • Determine the set of potential classes of every variable at every program point • Compute a mapping from variables into a set of class names • Combine values of variables at different points • Generate a set of constraints for every statement • Find a minimal solution
A Motivating Example class Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(v1 : Vehicle) { if (v1.position < position) then v1.move(position - v1.position); else self.move(10); }} class Truck extends Vehicle { void move(x2 : int) { if (x2 < 55) position = position + x2; }} void main { Car c; Truck t; Vehicle v2; new c; new t; v2 := c; c.passengers := 2; c.move(60); v2.move(70); c.await(t) ; } {Car} (c) {Truck} (t) (c) (v2) {Car} (c) (t) (v1)
Class Analysis Summary • Resolve called function • Can also perform type inference and checking • Can be used to warn against programmer errorsat compile-time
Set Constraints Summary • Can be used to generate a flow sensitive solution • Can also handle sets of “terms” • Finite set of constructors C={b, c, …} • Finite set of variables • Set expressionsE ::= | variable | E1 E2 | E1 E2 | c(E1 , E2 ,…, Ek )| c-i(E) • Finite set of inequalitiesE1 E2 • Find the least solution (or a symbolic representation)
Advanced Abstract Interpretation Techniques • Origin [Cousot&Cousot POPL 1979]Download from the course homepage • Widening & Narrowing • Combining dataflow analysis problems • Semantic reductions • ...
Widening • Accelerate the termination of Chaotic iterations by computing a more conservative solution • Can handle lattices of infinite heights
Example Interval Analysis • Find a lower and an upper bound of the value of a variable • Lattice L = (ZZ, , , , ,) • [a, b] [c, d] if c a and d b • [a, b] [c, d] = [min(a, c), max(b, d)] • [a, b] [c, d] = [max(a, c), min(b, d)] • = • = • Programx := 1 ;while x 1000 do x := x + 1;
Widening for Interval Analysis • [c, d] = [c, d] • [a, b] [c, d] = [ if a c then a else if 0 c then 0 else minint,if b d then b else if d 0 then 0 else maxint
Chaotic Iterationsfor forward problems+ for l Lab*do DFentry(l) := DFexit(l) := DFentry(init(S*)) := WL= Lab* while WL != do Select and remove an arbitrary l WL if (temp != DFexit(l)) DFexit(l) := DFexit(l) temp for l' such that (l,l') flow(S*) do DFentry(l') := DFentry(l') DFexit(l) WL := WL {l’}
Example [x := 1]1 ;while [x 1000]2 do [x := x + 1]3;
Requirements on Widening • For all elements l1 l2 l1 l2 • For all ascending chains l0 l1 l2 …the following sequence is finite • y0 = l0 • yi+1 = yi li+1
Narrowing • Improve the result of widening
Example [x := 1]1 ;while [x 1000]2 do [x := x + 1]3;
Widening and Narrowing Summary • Very simple but produces impressive precision • The McCarthy 91 function • Also useful in the finite case • Can be used as a methodological tool • But not widely accepted int f(x) if x > 100 then return x -10 else return f(f(x+11))
Combining dataflow analysis problems • How to combine different analyses • The result can be more precise than both! • On some programs more efficient too • Many possibly ways to combine (4.4) • A simple example sign+parity analysisx := x - 1
Cartezian Products • Analysis 1 • Lattice (L1, 1, 1, 1, 1,1) • Galois connection 1: P(States) L1 1: L1 P(States) • Transfer functionsop1:L1 L1 • Analysis 2 • Lattice (L2, 2, 2, 2, 2,2) • Galois connection2: P(States) L2 1: L2 P(States) • Transfer functionsop2:L2 L2 • Combined Analysis • L = (L1 L2, ) where (l1, l2) (u1, u2) if l1 1 u1 and l2 2 u2 • Galois connection • Transfer functions
Course Summary • Techniques Studied • Operational Semantics • Dataflow Analysis and Monotone Frameworks (Imperative Programs) • Control Flow Analysis and Set Constraints (Functional Programs) • Techniques Sketched • Abstract interpretation • Interprocedural Analysis • Type and effect systems • Not Covered • Efficient algorithms • Applications in compilers • Logic programming
Course Summary • Able to understand advanced static analysis techniques • Find faults in existing algorithms • Be able to develop new algorithms • Gain a better understanding of programming languages • Functional Vs. Imperative • Operational Semantics