Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I
description
Transcript of Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I
![Page 1: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/1.jpg)
Spring 2014Program Analysis and Verification
Lecture 7: Static Analysis I
Roman ManevichBen-Gurion University
![Page 2: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/2.jpg)
2
Syllabus
Semantics
NaturalSemantics
Structural semantics
AxiomaticVerification
StaticAnalysis
AutomatingHoare Logic
Control Flow Graphs
Equation Systems
CollectingSemantics
AbstractInterpretation fundamentals
Lattices
Galois Connections
Fixed-Points
Widening/Narrowing
Domain constructors
InterproceduralAnalysis
AnalysisTechniques
Numerical Domains
CEGAR
Alias analysis
ShapeAnalysis
Crafting your own
Soot
From proofs to abstractions
Systematically developing
transformers
![Page 3: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/3.jpg)
3
Previously
• Axiomatic verification• Weakest precondition calculus• Strongest postcondition calculus• Total correctness
![Page 4: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/4.jpg)
4
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }
[whilep]
{ P’ } S { Q’ } { P } S { Q }
[consp] if PP’ and Q’Q
![Page 5: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/5.jpg)
5
Strongest postcondition
• A forward-going predicate transformer• The strongest postcondition for P is
’ sp(P, C)if and only if there exists such that P and C, ’
Propositions:1. p { P } C { sp(P, C) }
2. If p { P } C { Q } then sp(P, C) Q
![Page 6: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/6.jpg)
6
Calculating sp
1. sp(skip, P) = P2. sp(x := a, P) = v. x=a[v/x] P[v/x] 3. sp(S1; S2, P) = sp(S2, sp(S1, P))
4. sp(if b then S1 else S2, P) =sp(S1, b P) sp(S2, b P)
5. sp(while b do {} S, P) = bwhere {b } S {}and P b
![Page 7: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/7.jpg)
7
Today
• Static analysis for compiler optimization– Common Subexpression Elimination– Available Expression domain
• Develop a static analysis for Simple Available Expressions
![Page 8: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/8.jpg)
8
Array-max example: Post3nums : array{ N0 0m<N } // N stands for num’s lengthx := 0{ x=0 }res := nums[0]{ x=0 res=nums(0) }Inv = { 0m<x nums(m)res }while x < N { x=k res=oRes 0m<k nums(m)oRes } if nums[x] > res then { nums(x)>oRes res=oRes x=k 0m<k nums(m)oRes } res := nums[x] { res=nums(x) nums(x)>oRes x=k 0m<k nums(m)oRes } { x=k 0mk nums(m)res } { (x=k 0mk nums(m)res) (oresnums(x) res=oRes x=k res=oRes 0m<k nums(m)oRes)} { x=k 0mk nums(m)res } x := x + 1 { x=k+1 0mk nums(m)res } { 0m<x nums(m)res }{ x=N 0m<x nums(m)res} [univp]{ m. 0m<N nums(m)res }
![Page 9: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/9.jpg)
9
Can we find this proof automatically?
nums : arrayN : int{ N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k k<N } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 k<N }{ xN xN }{ x=N }
Observation: predicates in proof have the general form
constraint
where constraint has the formX - Y c orX c
![Page 10: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/10.jpg)
10
Look under the
street lamp
By Infopablo00 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
…We may move
lamp a bit
![Page 11: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/11.jpg)
11
Zone Abstract Domain
• Developed by Antoine Minein his Ph.D. thesis
• Uses constraints of the formX - Y c and X c
![Page 12: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/12.jpg)
12
Analysis with Zone abstract domainnums : arrayN : int { N0 } x := 0{ N0 x=0 }res := nums[0]{ N0 x=0 }Inv = { N0 0xN }while x < N { N0 0x<N } if nums[x] > res then { N0 0x<N } res := nums[x] { N0 0x<N } { N0 0x<N } x := x + 1 { N0 0<x<N }{N0 0x x=N }
nums : arrayN : int { N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k kN } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 k<N }{ xN xN }{ x=N }
Static Analysis with Zone Abstraction Manual Proof
![Page 13: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/13.jpg)
13
Static analysisfor compiler optimizations
![Page 14: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/14.jpg)
14
Motivating problem: optimization
• A compiler optimization is defined by a program transformation:
T : Stmt Stmt• The transformation is semantics-preserving:
s. Ssos C s = Ssos T(C) s• The transformation is applied to the program
only if an enabling condition is met• We use static analysis for inferring enabling
conditions
![Page 15: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/15.jpg)
15
Common Subexpression Elimination
• If we have two variable assignmentsx := a op b…y := a op band the values of x, a, and b have not changed between the assignments, rewrite the code asx = a op b…y := x
• Eliminates useless recalculation• Paves the way for more optimizations
(e.g., dead code elimination)
op {+, -, *, ==, <=}
![Page 16: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/16.jpg)
16
What do we need to prove?
{ true }C1
x := a op bC2
{ x = a op b }y := a op bC3
{ true }C1
x := a op bC2
{ x = a op b }y := xC3
CSE
Assertion localizes decision
![Page 17: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/17.jpg)
17
A simplified problem
{ true }C1
x := a + bC2
{ x = a + b }y := a + bC3
{ true }C1
x := a + bC2
{ x = a + b }y := xC3
CSE
![Page 18: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/18.jpg)
18
Available Expressions analysis
• A static analysis that infers for every program point a set of facts of the formAV = { x = y | x, y Var }
{ x = op y | x, y Var, op {-, !} } { x = y op z | y, z Var, op {+, -, *, <=} }
• For every program with n=|Var| variables number of possible facts is finite: |AV|=O(n3)
• Yields a trivial algorithm …– Is it efficient?
![Page 19: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/19.jpg)
19
Simple Available Expressions
• Define atomic facts (for SAV) as = { x = y | x, y Var } { x = y + z | x, y, z Var }– For n=|Var| number of atomic facts is O(n3)
• Define sav-predicates as = 2
![Page 20: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/20.jpg)
20
Notation for conjunctive sets of facts
• For a set of atomic facts D , we defineConj(D) = D– E.g., if D={a=b, c=b+d, b=c} then
Conj(D) = (a=b) (c=b+d) (b=c)
• Notice that for two sets of facts D1 and D2
Conj(D1 D2) = Conj(D1) Conj(D1)• What does Conj({}) stand for…?
![Page 21: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/21.jpg)
21
Towards an automatic proof• Goal: automatically compute an annotated program
proving as many facts as possible of the form x = y and x = y + z
• Decision 1: develop a forward-going proof• Decision 2: draw predicates from a finite set D– “looking under the light of the lamp”– A compromise that simplifies problem by focusing
attention – possibly miss some facts that hold• Challenge 1: handle straight-line code• Challenge 2: handle conditions• Challenge 3: handle loops
![Page 22: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/22.jpg)
22
Challenge 1: handling straight-line code
By Zachary Dylan Tax (Zachary Dylan Tax) [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons
![Page 23: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/23.jpg)
23
Straight line code example
• Find a proof that satisfies both conditions
{ }x := a + b{ x=a+b }z := a + c{ x=a+b, z=a+c }b := a * c{ z=a+c }
![Page 24: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/24.jpg)
24
Straight line code example
• Can we make this into an algorithm?• What do we need to ensure for each triple?
{ }x := a + b{ x=a+b }z := a + c{ x=a+b, z=a+c }b := a * c{ z=a+c }
Frame
sp
cons
![Page 25: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/25.jpg)
25
Goal
• Given a program of the formx1 := a1; … xn := an
• Find predicates P0, …, Pn such that1. {P0} x1 := a1 {P1} … {Pn-1} xn := an {Pn} is a proof
That is: sp(xi := ai, Pi-1) Pi
2. Each Pi has the form Conj(Di) where Di is a set of atomic
![Page 26: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/26.jpg)
26
Algorithm for straight-line code• Goal: find predicates P0, …, Pn such that
1. {P0} x1 := a1 {P1} … {Pn-1} xn := an {Pn} is a proof That is: sp(xi := ai, Pi-1) Pi
2. Each Pi has the form Conj(Di) where Di is a set of atomic facts
• Idea: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)– We call F the abstract transformer of x:=a
• Unless D0 is given, initialize D0={}
• For each i: compute Di+1 = Conj(FSAV[xi := ai] Di)
• Finally Pi = Conj(Di)
![Page 27: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/27.jpg)
27
Defining an SAV abstract transformer
• Goal: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)
• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule
![Page 28: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/28.jpg)
28
Defining an SAV abstract transformer
• Goal: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)
• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule
![Page 29: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/29.jpg)
29
Defining an SAV abstract transformer
• Goal: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)
• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule
Is either a variable v or an addition expression v+w
{ x= } x:=a { }[kill-lhs]
{ y=x+w } x:=a { }[kill-rhs-1]
{ y=w+x } x:=a { }[kill-rhs-2]
{ } x:= { x= }[gen]
{ y=z+w } x:=a { y=z+w }[preserve]
![Page 30: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/30.jpg)
30
SAV abstract transformer example
Is either a variable v or an addition expression v+w
{ }x := a + b{ x=a+b }z := a + c{ x=a+b, z=a+c }b := a * c{ z=a+c }
{ x= } x:= aexpr { }[kill-lhs]
{ y=x+w } x:= aexpr { }[kill-rhs-1]
{ y=w+x } x:= aexpr { }[kill-rhs-2]
{ } x:= { x= }[gen]
{ y=z+w } x:= aexpr { y=z+w }[preserve]
![Page 31: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/31.jpg)
31
Problem 1: large expressions
• Large expressions on the right hand sides of assignments are problematic– Can miss optimization opportunities– Require complex transformers
• Solution: transform code to normal form where right-hand sides have bounded size
Missed CSE opportunity
{ }x := a + b + c{ }y := a + b + c{ }
![Page 32: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/32.jpg)
32
Three-address code
• Main idea: simplify expressions by storing intermediate results in new temporary variables
• Number of variables in simplified statements 3
{ }x := a + b + c{ }y := a + b + c{ }
{ }i1 := a + b{ i1=a+b }x := i1 + c{ i1=a+b, x=i1+c }i2 := a + b{ i1=a+b, x=i1+c, i2=a+b }y := i2 + c{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }
![Page 33: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/33.jpg)
33
Three-address code
• Main idea: simplify expressions by storing intermediate results in new temporary variables
• Number of variables in simplified statements 3
{ }x := a + b + c{ }y := a + b + c{ }
{ }i1 := a + b{ i1=a+b }x := i1 + c{ i1=a+b, x=i1+c }i2 := a + b{ i1=a+b, x=i1+c, i2=a+b }y := i2 + c{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }
Need to infer i1=i2
![Page 34: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/34.jpg)
34
Problem 2: transformer precision
• Our transformer only infers syntactically available expressions – ones that appear in the code explicitly
• We want a transformer that looks deeper into the semantics of the predicates– Takes equalities into account
{ }i1 := a + b{ i1=a+b }x := i1 + c{ i1=a+b, x=i1+c }i2 := a + b{ i1=a+b, x=i1+c, i2=a+b }y := i2 + c{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }
Need to infer i1=i2
![Page 35: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/35.jpg)
35
Defining a semantic reduction• Idea: make as many implicit facts explicit by
– Using symmetry and transitivity of equality– Commutativity of addition– Meaning of equality – can substitute equal variables
• For an SAV-predicate P=Conj(D) defineExplicate(D) = minimal set D* such that:
1. D D*
2. x=y D* implies y=x D*
3. x=y D* y=z D* implies x=z D*
4. x=y+z D* implies x=z+y D*
5. x=y D* and x=z+w D* implies y=z+w D*
6. x=y D* and z=x+w D* implies z=y+w D*
7. x=z+w D* and y=z+w D* implies x=y D*
• Notice that Explicate(D) D• Explicate is a special case of a semantic reduction
![Page 36: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/36.jpg)
36
Sharpening the transformer• Define: F*[x:=aexpr] = Explicate FSAV[x:= aexpr]
{ }i1 := a + b{ i1=a+b, i1=b+a }x := i1 + c{ i1=a+b, i1=b+a, x=i1+c, x=c+i1 }i2 := a + b{ i1=a+b, i1=b+a, x=i1+c, x=c+i1, i2=a+b, i2=b+a, i1=i2, i2=i1, x=i2+c, x=c+i2, }y := i2 + c{ ... }
Since sets of facts and their conjunction are isomorphic we will use them interchangeably
![Page 37: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/37.jpg)
37
An algorithm for annotating SLP
• Annotate(P, x:=aexpr) ={P} x:=aexpr F*[x:= aexpr](P)
Annotate(P, S1; S2) = let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2}
![Page 38: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/38.jpg)
38
Challenge 2: handling conditions
![Page 39: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/39.jpg)
39
Goal
• Annotate a programif bexpr then S1 else S2 with predicates from
• Assumption 1: P is given(otherwise use true)
• Assumption 2: bexpr is a simple binary expression e.g., x=y, xy, x<y (why?)
{ P }if bexpr then
{ bexpr P }S1
{ Q1 }else { bexpr P }
S2
{ Q2 }{ Q }
![Page 40: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/40.jpg)
40
Joining predicates
1. Start with P or {bexpr P} and annotate S1 (yielding Q1)
2. Start with P or {bexpr P} andannotate S2 (yielding Q2)
3. How do we infer a Q such that Q1Q and Q2Q?
Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2
= Conj(D1 D2)
{ P }if bexpr then
{ bexpr P }S1
{ Q1 }else { bexpr P }
S2
{ Q2 }{ Q }
Possibly an SAV-fact
Possibly an SAV-fact
![Page 41: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/41.jpg)
41
Joining predicates
1. Start with P or {bexpr P} and annotate S1 (yielding Q1)
2. Start with P or {bexpr P} andannotate S2 (yielding Q2)
3. How do we infer a Q such that Q1Q and Q2Q?
Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2
= Conj(D1 D2)
The join operator for SAV
{ P }if bexpr then
{ bexpr P }S1
{ Q1 }else { bexpr P }
S2
{ Q2 }{ Q }
![Page 42: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/42.jpg)
42
Joining predicates
• Q1=Conj(D1), Q2=Conj(D2)
• We want to soundly approximate Q1 Q2 in
• Define: Q = Q1 Q2
= Conj(D1 D2)
• Notice that Q1Q and Q2Qmeaning Q1 Q2 Q
![Page 43: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/43.jpg)
43
Simplifying conditions
• Extend While with– Non-determinism (or) and– An assume statement
assume b, s sos s if B b s = tt • Now, the following two statements are
equivalent– if b then S1 else S2
– (assume b; S1) or (assume b; S2)
![Page 44: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/44.jpg)
44
Handling conditional expressions
• We want to soundly approximate D bexpr and D bexpr in
• Define (bexpr) = if bexpr is factoid {bexpr} else {}
• Define F[assume bexpr](D) = D (bexpr)• Can sharpen
F*[assume bexpr] = Explicate FSAV[assume bexpr]
![Page 45: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/45.jpg)
45
Handling conditional expressions
• Notice bexpr (bexpr)• Examples– (y=z) = {y=z}– (y<z) = {}
![Page 46: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/46.jpg)
46
An algorithm for annotating conditions
let Pt = F*[assume bexpr] P
let Pf = F*[assume bexpr] P
let Annotate(Pt, S1) be {Pt} A1 {Q1}
let Annotate(Pf, S2) be {Pf} A2 {Q2}
return {P} if bexpr then {Pt} A1 {Q1} else {Pf} A2 {Q2} {Q1 Q2}
![Page 47: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/47.jpg)
47
Example
{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }
![Page 48: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/48.jpg)
48
Example
{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }
![Page 49: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/49.jpg)
49
Recap
• We now have an algorithm for soundly annotating loop-free code
• Generates forward-going proofs• Algorithm operates on abstract syntax tree of
code– Handles straight-line code by applying F*
– Handles conditions by recursively annotating true and false branches and then intersecting their postconditions
![Page 50: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/50.jpg)
50
Example
{ }if (x = y) { x=y, y=x } a := b + c { x=y, y=x, a=b+c, a=c+b } d := b – c { x=y, y=x, a=b+c, a=c+b }else { } a := b + c { a=b+c, a=c+b } d := b + c { a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }{ a=b+c, a=c+b }
![Page 51: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/51.jpg)
51
Challenge 2: handling loops
By Stefan Scheer (Own work (Own Photo)) [GFDL (http://www.gnu.org/copyleft/fdl.html), CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/) or CC-BY-SA-2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/2.5-2.0-1.0)], via Wikimedia Commons
![Page 52: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/52.jpg)
52
Goal
• Annotate a program while bexpr do S with predicates from – s.t. P N
• Main challenge: find N• Assumption 1: P is given
(otherwise use true)• Assumption 2: bexpr is a
simple binary expression
{ P }Inv = { N }while bexpr do { bexpr N } S { Q }{bexpr N }
![Page 53: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/53.jpg)
53
Example: annotate this program
{ y=x+a, y=a+x, w=d, d=w }Inv = { y=x+a, y=a+x }while (x z) do { z=x+a, z=a+x, w=d, d=w } x := x + 1 { w=d, d=w
} y := x + a { y=x+a, y=a+x, w=d, d=w } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }
![Page 54: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/54.jpg)
54
Example: annotate this program
{ y=x+a, y=a+x, w=d, d=w }Inv = { y=x+a, y=a+x }while (x z) do { y=x+a, y=a+x } x := x + 1 { } y := x + a { y=x+a, y=a+x } d := x + a { y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y } { y=x+a, y=a+x, x=z, z=x }
![Page 55: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/55.jpg)
55
Goal
• Idea: try to guess a loop invariant from a small number of loop unrollings– We know how to annotate S
(by induction)
{ P }Inv = { N }while bexpr do { bexpr N } S { Q }{bexpr N }
![Page 56: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/56.jpg)
56
k-loop unrolling
{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a }
…
{ P }Inv = { N }while (x z) do x := x + 1 y := x + a d := x + a
{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a }
![Page 57: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/57.jpg)
57
k-loop unrolling
{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a, y=a+x }
…
{ P }Inv = { N }while (x z) do x := x + 1 y := x + a d := x + a
{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x }
![Page 58: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/58.jpg)
58
k-loop unrolling
The following must hold:P NQ1 NQ2 N…Qk N
{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a, y=a+x }
…
{ P }Inv = { N }while (x z) do x := x + 1 y := x + a d := x + a
{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x }
![Page 59: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/59.jpg)
59
k-loop unrolling
The following must hold:P NQ1 NQ2 N…Qk N…
{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a, y=a+x }
…
{ P }Inv = { N }while (x z) do x := x + 1 y := x + a d := x + a
{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x }
We can compute the following sequence:N0 = P
N1 = N1 Q1
N2 = N1 Q2
…Nk = Nk-1 Qk
Observation 1: No need to explicitly unroll loop – we can reuse postcondition from unrolling k-1 for k
![Page 60: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/60.jpg)
60
k-loop unrolling
The following must hold:P NQ1 NQ2 N…Qk N…
{ P }if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x } if (x z) x := x + 1 y := x + a d := x + aQ2 = { y=x+a, y=a+x }
…
{ P }Inv = { N }while (x z) do x := x + 1 y := x + a d := x + a
{ y=x+a, y=a+x, w=d, d=w } if (x z) x := x + 1 y := x + a d := x + aQ1 = { y=x+a, y=a+x }
We can compute the following sequence:N0 = P
N1 = N1 Q1
N2 = N1 Q2
…Nk = Nk-1 Qk
Observation 2: Nk monotonically decreases set of facts.Question: does it stabilizes for some k?
![Page 61: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/61.jpg)
61
Algorithm for annotating a loopAnnotate(P, while bexpr do S) = Initialize N := Nc := P
repeat let Annotate(P, if b then S else skip) be {Nc} if bexpr then S else skip {N} Nc := Nc N until N = Nc
return {P} INV= N while bexpr do F[assume bexpr](N) Annotate(F[assume bexpr](N), S) F[assume bexpr](N)
![Page 62: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/62.jpg)
62
Putting it together
![Page 63: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/63.jpg)
63
Algorithm for annotating a programAnnotate(P, S) = case S is x:=aexpr return {P} x:=aexpr {F*[x:=aexpr] P} case S is S1; S2
let Annotate(P, S1) be {P} A1 {Q1}
let Annotate(Q1, S2) be {Q1} A2 {Q2}
return {P} A1; {Q1} A2 {Q2}
case S is if bexpr then S1 else S2
let Pt = F[assume bexpr] P
let Pf = F[assume bexpr] P
let Annotate(Pt, S1) be {Pt} A1 {Q1}
let Annotate(Pf, S2) be {Pf} A2 {Q2}
return {P} if bexpr then {Pt} A1 {Q1} else {Pf} A2 {Q2} {Q1 Q2}
case S is while bexpr do S N := Nc := P // Initialize
repeat let Pt = F[assume bexpr] Nc
let Annotate(Pt, S) be {Nc} Abody {N} Nc := Nc N
until N= Nc return {P} INV= {N} while bexpr do {Pt} Abody {F[assume bexpr](N)}
![Page 64: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/64.jpg)
64
Exercise: apply algorithm
{ }y := a+b{ }x := y{ } while (xz) do { } w := a+b { } x := a+b { } a := z { }
![Page 65: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/65.jpg)
65
Step 1/18
{}y := a+b{ y=a+b }*x := ywhile (xz) do w := a+b x := a+b a := z
Not all factoids are shown – apply Explicate to get all factoids
![Page 66: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/66.jpg)
66
Step 2/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*while (xz) do w := a+b x := a+b a := z
![Page 67: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/67.jpg)
67
Step 3/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do w := a+b x := a+b a := z
![Page 68: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/68.jpg)
68
Step 4/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b x := a+b a := z
![Page 69: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/69.jpg)
69
Step 5/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b a := z
![Page 70: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/70.jpg)
70
Step 6/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z
![Page 71: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/71.jpg)
71
Step 7/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’ = { y=a+b, x=y, x=a+b }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*
![Page 72: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/72.jpg)
72
Step 8/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { y=a+b, x=y, x=a+b }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*
![Page 73: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/73.jpg)
73
Step 9/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*
![Page 74: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/74.jpg)
74
Step 10/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }* a := z { w=y, w=x, x=y, a=z }*
![Page 75: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/75.jpg)
75
Step 11/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=y, w=x, x=y, a=z }*
![Page 76: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/76.jpg)
76
Step 12/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’ = { x=y }*while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*
![Page 77: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/77.jpg)
77
Step 13/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { x=y }* w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*
![Page 78: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/78.jpg)
78
Step 14/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { } w := a+b { x=y, w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*
![Page 79: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/79.jpg)
79
Step 15/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*
![Page 80: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/80.jpg)
80
Step 16/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*
![Page 81: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/81.jpg)
81
Step 17/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv’’’ = { }while (xz) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*
![Page 82: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/82.jpg)
82
Step 18/18
{}y := a+b{ y=a+b }*x := y{ y=a+b, x=y, x=a+b }*Inv = { }while (xz) do { } w := a+b { w=a+b }* x := a+b { x=a+b, w=a+b, w=x }* a := z { w=x, a=z }*{ x=z }
![Page 83: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/83.jpg)
Next lecture:abstract interpretation
fundamentals
![Page 84: Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I](https://reader036.fdocuments.net/reader036/viewer/2022070411/568147b5550346895db4fbb7/html5/thumbnails/84.jpg)
84
Canonical form for SAV• For an available expressions element A define
Explicate(A) = minimal set B such that:1. A B2. x=y B implies y=x B3. x=y B and y=z B implies x=z B4. x=y+z B implies x=z+y B5. x=y B and x=z+w B implies y=z+w B6. x=y B and z=x+w B implies z=y+w B7. x=z+w B and y=z+w B implies x=y B
• Makes all implicit facts explicit• Define A* = Explicate(A)• Define (for two subsets A1, A2 D)
A1 exp A2 if and only if A1* A2
*
• Lemma: A1 exp A2 if and only A1 imp A2