introduction to program analysis
play

Introduction to Program Analysis Uday Khedker - PowerPoint PPT Presentation

Aug 14, 2022 •223 likes •1.3k views

Introduction to Program Analysis Uday Khedker (www.cse.iitb.ac.in/uday) Department of Computer Science and Engineering, Indian Institute of Technology, Bombay Dec 2017 WSSE Pune Intro to PA: Outline 1/1 Introduction to Program Analysis:

  1. WSSE Pune Intro to PA: Improving Garbage Collection 7/1 Liveness of Stack Data: An Informal Introduction Accessing the location and reading its contents 1 w = x // x points to m a rptr 2 while (x.data < max) Heap lptr 3 x = x.rptr rptr rptr data 4 y = x.lptr 5 z = New class of z 6 y = y.lptr 7 z.sum = x.data + y.data w x y z Stack Reading x.data (Heap data) Dec 2017 IIT Bombay

  2. WSSE Pune Intro to PA: Improving Garbage Collection 7/1 Liveness of Stack Data: An Informal Introduction Accessing the location and reading its contents 1 w = x // x points to m a rptr 2 while (x.data < max) Heap lptr 3 x = x.rptr rptr rptr data 4 y = x.lptr 5 z = New class of z 6 y = y.lptr 7 z.sum = x.data + y.data w x y z Stack Reading x.rptr (Heap data) Dec 2017 IIT Bombay

  3. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr y = x.lptr z = New class of z No variable is used beyond this y = y.lptr program point z.sum = x.data + y.data w x y z Dec 2017 IIT Bombay

  4. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr y = x.lptr Current values of x, y, and z are z = New class of z used beyond this program point y = y.lptr Live w x y z z.sum = x.data + y.data Dead Dec 2017 IIT Bombay

  5. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) • Current values of x, y, and z are x = x.rptr used beyond this program point • The value of y is different before y = x.lptr and after the assignment to y z = New class of z w x y z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  6. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) • The current values of x and y are used beyond this program point • The current value of z is not used x = x.rptr beyond this program point y = x.lptr w x y z z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  7. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr w x y z y = x.lptr • The current values of x is used beyond this program point z = New class of z • Current values of y and z are not used beyond this program point y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  8. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr w x y z y = x.lptr • Nothing is known as of now z = New class of z • Some information will be available in the next iteration point y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  9. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) w x y z x = x.rptr • Current value of x is used beyond this program point y = x.lptr • However its value is different before and after the assignment z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  10. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) w x y z x = x.rptr • Current value of x is used beyond this program point y = x.lptr • There are two control flow paths beyond this program point z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  11. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x w x y z while (x.data < max) Current value of x is used be- x = x.rptr yond this program point y = x.lptr z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  12. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w x y z w = x Current value of x is used be- while (x.data < max) yond this program point x = x.rptr y = x.lptr z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  13. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w x y z w = x w x y z while (x.data < max) w x y z w x y z x = x.rptr w x y z w x y z End of iteration #1 y = x.lptr w x y z z = New class of z w x y z y = y.lptr Live w x y z z.sum = x.data + y.data Dead w x y z Dec 2017 IIT Bombay

  14. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w x y z w = x w x y z while (x.data < max) w x y z w x y z x = x.rptr w x y z w x y z End of iteration #2 y = x.lptr w x y z z = New class of z w x y z y = y.lptr Live w x y z z.sum = x.data + y.data Dead w x y z Dec 2017 IIT Bombay

  15. WSSE Pune Intro to PA: Improving Garbage Collection 9/1 Applying Cedar Mesa Folk Wisdom to Heap Data Liveness Analysis of Heap Data If the while loop is not executed even once. d t r p r c rptr p e lptr z 1 w = x // x points to m a b g rptr 2 while (x.data < max) l p t rptr r f 3 x = x.rptr x lptr h 4 y = x.lptr a a k rptr w 5 z = New class of z j lptr rptr 6 y = y.lptr lptr l 7 z.sum = x.data + y.data i i y n q rptr l p t r m m l o p t r Heap Stack Dec 2017 IIT Bombay

  16. WSSE Pune Intro to PA: Improving Garbage Collection 9/1 Applying Cedar Mesa Folk Wisdom to Heap Data Liveness Analysis of Heap Data If the while loop is executed once. d t r p r c rptr p e lptr z 1 w = x // x points to m a b b g rptr 2 while (x.data < max) l p t rptr r f f 3 x = x.rptr x lptr h h 4 y = x.lptr a k rptr w 5 z = New class of z j lptr rptr 6 y = y.lptr lptr l 7 z.sum = x.data + y.data i y n q rptr l p t r m l o p t r Heap Stack Dec 2017 IIT Bombay

  17. WSSE Pune Intro to PA: Improving Garbage Collection 9/1 Applying Cedar Mesa Folk Wisdom to Heap Data Liveness Analysis of Heap Data If the while loop is executed twice. d t r p r c c rptr p e e lptr z 1 w = x // x points to m a b g rptr 2 while (x.data < max) l p t rptr r f 3 x = x.rptr x lptr h 4 y = x.lptr a k rptr w 5 z = New class of z j lptr rptr 6 y = y.lptr lptr l 7 z.sum = x.data + y.data i y n q rptr l p t r m l o p t r Heap Stack Dec 2017 IIT Bombay

  18. WSSE Pune Intro to PA: Improving Garbage Collection 10/1 The Moral of the Story • Mappings between access expressions and l-values keep changing • This is a rule for heap data For stack and static data, it is an exception ! • Static analysis of programs has made significant progress for stack and static data. What about heap data? ◮ Given two access expressions at a program point, do they have the same l-value? ◮ Given the same access expression at two program points, does it have the same l-value? Dec 2017 IIT Bombay

  19. WSSE Pune Intro to PA: Improving Garbage Collection 11/1 Our Solution y = z = null 1 w = x w = null 2 while (x.data < max) { x.lptr = null 3 x = x.rptr } x.rptr = x.lptr.rptr = null x.lptr.lptr.lptr = null x.lptr.lptr.rptr = null 4 y = x.lptr x.lptr = y.rptr = null y.lptr.lptr = y.lptr.rptr = null 5 z = New class of z z.lptr = z.rptr = null 6 y = y.lptr y.lptr = y.rptr = null 7 z.sum = x.data + y.data x = y = z = null Dec 2017 IIT Bombay

  20. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  21. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  22. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  23. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l o p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  24. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n r q t r p 6 y = y.lptr lptr m m y.lptr = y.rptr = null l o p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  25. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n r q t r p 6 y = y.lptr lptr m m y.lptr = y.rptr = null l o p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  26. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null j 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  27. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is executed once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b b g x.lptr.lptr.lptr = null rptr f f x.lptr.lptr.rptr = null x lptr h h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null j rptr 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q rptr 6 y = y.lptr l p t r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  28. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is executed twice 1 w = x w = null 2 while (x.data < max) d { x.lptr = null c c rptr p 3 x = x.rptr } e e z x.rptr = x.lptr.rptr = null b b g rptr x.lptr.lptr.lptr = null rptr f f x.lptr.lptr.rptr = null x l p t r h h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null j rptr 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q rptr 6 y = y.lptr l p t r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  29. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null Node is live but link a → i is nullified i 1 w = x w = null 2 while (x.data < max) rptr d { x.lptr = null c r p t p r 3 x = x.rptr } lptr e z b x.rptr = x.lptr.rptr = null g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  30. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null • The memory address that x holds when the 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) rptr d { x.lptr = null c r p t p r 3 x = x.rptr } lptr e z b x.rptr = x.lptr.rptr = null g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  31. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null • The memory address that x holds when the 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) • Whether we dereference lptr out of x or rptr d { x.lptr = null c rptr out of x at a given program point is an r p t p r 3 x = x.rptr } lptr e invariant of program execution z b x.rptr = x.lptr.rptr = null g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  32. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null • The memory address that x holds when the 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) • Whether we dereference lptr out of x or rptr d { x.lptr = null c rptr out of x at a given program point is an r p t p r 3 x = x.rptr } lptr e invariant of program execution z b x.rptr = x.lptr.rptr = null g • A static analysis can discover only rptr x.lptr.lptr.lptr = null lptr rptr f invariants x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  33. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations New access expressions are created. y = z = null • The memory address that x holds when the Can they cause exceptions? 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) • Whether we dereference lptr out of x or rptr d { x.lptr = null c rptr out of x at a given program point is an r p t p r 3 x = x.rptr } lptr e invariant of program execution z b x.rptr = x.lptr.rptr = null g • A static analysis can discover only some rptr x.lptr.lptr.lptr = null lptr rptr f invariants x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  34. WSSE Pune Intro to PA: Improving Garbage Collection 14/1 The Main Theme of (Static) Program Analysis Constructing suitable abstractions for sound & precise modelling of runtime behaviour of programs efficiently Dec 2017 IIT Bombay

  35. WSSE Pune Intro to PA: Improving Garbage Collection 14/1 The Main Theme of (Static) Program Analysis Constructing suitable abstractions for sound & precise modelling of runtime behaviour of programs efficiently Abstract, Bounded, Single Instance Concrete, Unbounded, Infinitely Many Static Dynamic Program Execution Program Execution Program Execution Program Code Program Execution Program Execution Program Execution Static Analysis Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Summary Information Memory Memory Memory Memory Memory Memory Memory Memory Memory Dec 2017 IIT Bombay

  36. Part 2 Soundness and Precision

  37. WSSE Pune Intro to PA: Soundness and Precision 15/1 Program Representation • Three address code statements ◮ Result, operator, operand1, operand2 ◮ Assignments, expressions, conditional jumps ◮ Pointer expressions (including structure accesses) Features will be introduced as and when needed • Control flow graph representation ◮ Nodes represent maximal groups of statements devoid of any control transfer except fall through ◮ Edges represent control transfers across basic blocks ◮ A unique Start node and a unique End node Every node reachable from Start , and End reachable from every node • Initially only intraprocedural programs Function calls brought in later Dec 2017 IIT Bombay

  38. WSSE Pune Intro to PA: Soundness and Precision 16/1 Motivating Example for Introducing Soundness and Precision Example Program Control Flow Graph int a; int f(int b) { int c; c = a%2; b = - abs(b); while (b < c) b = b+1; if (b > 0) b = 0; return b; } Dec 2017 IIT Bombay

  39. WSSE Pune Intro to PA: Soundness and Precision 16/1 Motivating Example for Introducing Soundness and Precision Example Program Control Flow Graph Absolute int a; int f(int b) { int c; c = a%2; b = - abs(b); while (b < c) b = b+1; if (b > 0) b = 0; return b; } Dec 2017 IIT Bombay

  40. WSSE Pune Intro to PA: Soundness and Precision 16/1 Motivating Example for Introducing Soundness and Precision Example Program Control Flow Graph c = a%2 Absolute 1 b = - abs(b) int a; int f(int b) if (b < c) 2 { int c; c = a%2; F T b = - abs(b); if (b > 0) b = b+1 4 3 while (b < c) b = b+1; T if (b > 0) F b = 0 5 b = 0; return b; } return b 6 Dec 2017 IIT Bombay

  41. WSSE Pune Intro to PA: Soundness and Precision 17/1 Execution Traces for Concrete Semantics (1) • States ◮ A data state: Variables → Values ◮ A program state: (Program Point , A data state) • Execution traces (or traces, for short) ◮ Valid sequences of program states starting with a given initial state Dec 2017 IIT Bombay

  42. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 1 b = - abs(b) 2 if (b < c) F T b = b+1 4 if (b > 0) 3 T b = 0 F 5 return b 6 Dec 2017 IIT Bombay

  43. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 Trace 1 1 b = - abs(b) a b c Entry 1 , (5 , 2 , 7) Entry 2 , (5 , − 2 , 1) 2 if (b < c) Entry 3 , (5 , − 2 , 1) Entry 2 , (5 , − 1 , 1) F T Entry 3 , (5 , − 1 , 1) b = b+1 4 if (b > 0) 3 Entry 2 , (5 , 0 , 1) T Entry 3 , (5 , 0 , 1) Entry 2 , (5 , 1 , 1) b = 0 F 5 Entry 4 , (5 , 1 , 1) Entry 5 , (5 , 1 , 1) return b 6 Entry 6 , (5 , 0 , 1) Dec 2017 IIT Bombay

  44. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 Trace 1 Trace 2 1 b = - abs(b) a b c a b c Entry 1 , ( − 5 , − 2 , 8) Entry 1 , (5 , 2 , 7) Entry 2 , (5 , − 2 , 1) Entry 2 , ( − 5 , − 2 , − 1) 2 if (b < c) Entry 3 , (5 , − 2 , 1) Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 1 , − 1) F T Entry 3 , (5 , − 1 , 1) Entry 4 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 2 , (5 , 0 , 1) Entry 6 , ( − 5 , − 1 , − 1) T Entry 3 , (5 , 0 , 1) Entry 2 , (5 , 1 , 1) b = 0 F 5 Entry 4 , (5 , 1 , 1) Entry 5 , (5 , 1 , 1) return b 6 Entry 6 , (5 , 0 , 1) Dec 2017 IIT Bombay

  45. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 Trace 1 Trace 2 1 b = - abs(b) a b c a b c Entry 1 , ( − 5 , − 2 , 8) Entry 1 , (5 , 2 , 7) • A separate trace for each combination of inputs Entry 2 , (5 , − 2 , 1) Entry 2 , ( − 5 , − 2 , − 1) 2 if (b < c) ◮ The number of traces is potentially infinite Entry 3 , (5 , − 2 , 1) Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 1 , − 1) F T • Program points may repeat in the traces Entry 3 , (5 , − 1 , 1) Entry 4 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 2 , (5 , 0 , 1) Entry 6 , ( − 5 , − 1 , − 1) ◮ Traces may be very long T Entry 3 , (5 , 0 , 1) ◮ Non-terminating traces: Infinitely long Entry 2 , (5 , 1 , 1) b = 0 F 5 Entry 4 , (5 , 1 , 1) Entry 5 , (5 , 1 , 1) return b 6 Entry 6 , (5 , 0 , 1) Dec 2017 IIT Bombay

  46. WSSE Pune Intro to PA: Soundness and Precision 19/1 Abstract States A static analysis computes abstract states • The values are abstract values and are decided by the analysis • An analysis may record values for other program entities such as expressions, statements, procedures etc. Dec 2017 IIT Bombay

  47. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces Execution Time Dec 2017 IIT Bombay

  48. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces An Abstraction of Traces Execution Time Dec 2017 IIT Bombay

  49. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces An Abstraction of Traces Execution Time Dec 2017 IIT Bombay

  50. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces An Abstraction of Traces For compile time modelling of possible runtime behaviours of a program • compute a set of states that cover all traces Execution Time • associate the sets with appropriate program points States may be defined in terms of properties derived from values of variables Dec 2017 IIT Bombay

  51. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Entry 6 , (5 , 0 , 1) return b 6 Dec 2017 IIT Bombay

  52. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets { (5 , 2 , 7) , ( − 5 , − 2 , 8) } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Entry 6 , (5 , 0 , 1) return b 6 Dec 2017 IIT Bombay

  53. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Entry 6 , (5 , 0 , 1) return b 6 Dec 2017 IIT Bombay

  54. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  55. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  56. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  57. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T b = { 1 } Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  58. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T b = { 1 } Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences b = {− 1 , 0 } of a program point return b 6 Dec 2017 IIT Bombay

  59. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  60. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  61. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  62. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  63. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  64. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T 000 or ∅ Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  65. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T 000 or ∅ Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) 010 or { b } return b 6 Dec 2017 IIT Bombay

  66. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T 000 or ∅ Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Trace 2 does not Entry 6 , (0 , 1 , 0) add anything to 010 or { b } the abstraction return b 6 Dec 2017 IIT Bombay

  67. WSSE Pune Intro to PA: Soundness and Precision 23/1 Soundness of Abstractions (1) Sound • An over-approximation of traces is sound Dec 2017 IIT Bombay

  68. WSSE Pune Intro to PA: Soundness and Precision 23/1 Soundness of Abstractions (1) Sound Unsound • An over-approximation of traces is sound • Missing any state in any trace causes unsoundness Dec 2017 IIT Bombay

  69. WSSE Pune Intro to PA: Soundness and Precision 23/1 Soundness of Abstractions (1) Sound Unsound • An over-approximation of traces is sound • Missing any state in any trace causes unsoundness Dec 2017 IIT Bombay

  70. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } c = a%2 1 b = - abs(b) All variables can have arbitrary b = {− 2 , − 1 , 0 , 1 } values at the start. 2 if (b < c) b can have many more values b = {− 1 , 1 } b = {− 2 , − 1 , 0 } at the entry of F T b = b+1 • blocks 2 and 3 (e.g. -3, 4 if (b > 0) 3 -8, . . . ) T b = { 1 } • block 4 (e.g. 0) b = 0 5 F b = {− 1 , 0 } return b 6 Dec 2017 IIT Bombay

  71. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) A sound abstraction using intervals An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } c = a%2 1 • Over-approximated range of b = - abs(b) values denoted by b = {− 2 , − 1 , 0 , 1 } � � low limit , high limit 2 if (b < c) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T • Inclusive limits with b = b+1 4 if (b > 0) 3 low limit ≤ high limit T b = { 1 } • One contiguous range per b = 0 5 F variable with no “holes” b = {− 1 , 0 } return b 6 Dec 2017 IIT Bombay

  72. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) A sound abstraction using intervals An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } a =[ −∞ , ∞ ] , b =[ −∞ , ∞ ] , c =[ −∞ , ∞ ] c = a%2 c = a%2 1 1 b = - abs(b) b = - abs(b) b = {− 2 , − 1 , 0 , 1 } b =[ −∞ , 1 ] 2 if (b < c) 2 if (b < c) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } b =[ − 1 , 1] b =[ −∞ , 0] F T F T b = b+1 b = b+1 4 if (b > 0) 3 4 if (b > 0) 3 T b = { 1 } T b =[1 , 1] b = 0 b = 0 5 5 F F b = {− 1 , 0 } b =[ − 1 , 0] return b return b 6 6 Dec 2017 IIT Bombay

  73. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) A sound abstraction using intervals An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } a =[ −∞ , ∞ ] , b =[ −∞ , ∞ ] , c =[ −∞ , ∞ ] c = a%2 c = a%2 1 1 b = - abs(b) b = - abs(b) b = {− 2 , − 1 , 0 , 1 } b =[ −∞ , 1 ] 2 if (b < c) 2 if (b < c) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } b =[ − 1 , 1] b =[ −∞ , 0] F T F T b = b+1 b = b+1 4 if (b > 0) 3 4 if (b > 0) 3 T b = { 1 } T b =[1 , 1] b can be 1 b = 0 b = 0 5 5 F F because of the increment b = {− 1 , 0 } in basic block 3 b =[ − 1 , 0] return b return b 6 6 Dec 2017 IIT Bombay

  74. WSSE Pune Intro to PA: Soundness and Precision 25/1 Soundness of Abstractions for Liveness Analysis A sound abstraction An unsound abstraction { a , b } ∅ c = a%2 c = a%2 1 1 b = - abs(b) b = - abs(b) { b , c } ∅ 2 if (b < c) 2 if (b < c) { b } F T { b , c } F T ∅ ∅ if (b > 0) b = b+1 if (b > 0) b = b+1 4 3 4 3 T T ∅ ∅ b = 0 b = 0 F 5 F 5 { b } ∅ return b return b 6 6 Dec 2017 IIT Bombay

  75. WSSE Pune Intro to PA: Soundness and Precision 26/1 Precision of Sound Abstractions(1) Sound but imprecise Dec 2017 IIT Bombay

Recommend

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le Goues January 14, 2020 * Course materials developed with Jonathan Aldrich (c) 2020 C. Le Goues 1 Learning objectives Provide a high level

788 views • 50 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program for Optimization Goal: improve some aspect of program

232 views • 12 slides
Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur Informatik Introduction 2 program analysis from high-level inference rules complexity analysis through general meta-complexity theorems

451 views • 33 slides
Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program Use analysis results

744 views • 17 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28. 9. 2016 2 / 43 Program correctness Is my program correct? Central question for this and the next lecture. Does a given program behave as intended?

880 views • 43 slides
Program extraction in computable analysis Ulrich Berger - Swansea Computability in Europe 2011

Program extraction in computable analysis Ulrich Berger - Swansea Computability in Europe 2011

Program extraction in computable analysis Ulrich Berger - Swansea Computability in Europe 2011 Sofia, Bulgaria 1 / 39 Outline Introduction Program extraction in computable analysis Memoized functionals Conclusion 2 / 39 Introduction

1.23k views • 81 slides
Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems Data Flow Abstract Analysis Interpretation Correctness Program Analysis p.1/23 Overview Introduction Data Flow Analysis Control Flow

279 views • 23 slides
Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic

1.21k views • 41 slides
Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and transforms a program to the stream of tokens: removes empty symbols and commentaries; identifies keywords, indentifiers and literal

400 views • 37 slides
Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas Compilation and Optimization LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation Obfuscation Generation and

1.64k views • 6 slides
Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Singapore, September 13-16, 2016 Project Context Work in progress from a joint project with

762 views • 19 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction Technical analysis is the attempt to forecast stock prices on the basis of market-derived data. Technicians (also known as quantitative analysts or

853 views • 73 slides
1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to analyze, or carefully examine, some aspect of a program. We can categorize program analyses into two groups: Static analysis involves analyzing a program's

511 views • 35 slides
Introduction to Program Analysis: A Pointer Centric View Uday Khedker

Introduction to Program Analysis: A Pointer Centric View Uday Khedker

Introduction to Program Analysis: A Pointer Centric View Uday Khedker (www.cse.iitb.ac.in/uday) Department of Computer Science and Engineering, Indian Institute of Technology, Bombay Dec 2017 WSSE Pune Intro to PA: Outline 1/7 An Outline

552 views • 8 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega big-theta asymptotic notation commonly used functions discrete math

500 views • 33 slides
Control-dependence Analysis 2 Control-dependence Analysis 1. Introduction (motivation, overview)

Control-dependence Analysis 2 Control-dependence Analysis 1. Introduction (motivation, overview)

Class 4 Basic Analyses (4) Assign (see Schedule for links) Readings Control/program-dependence analysis Static single assignment and control dependence Problem Set 2: due 9/1/09 1 Control-dependence Analysis 2

254 views • 12 slides
Introduction of COMS Program Introduction of COMS Program September 2006 COMS Program Office

Introduction of COMS Program Introduction of COMS Program September 2006 COMS Program Office

Introduction of COMS Program Introduction of COMS Program September 2006 COMS Program Office Korea Aerospace Research Institute KARI Proprietary Material 1 Long-term Plan for National Space Program 2006 2001 2005 Scientific Satellite 2

390 views • 16 slides
Introduction to NLP and NLG Introduction to NLP Rules or Statistics?? Lexical Analysis,

Introduction to NLP and NLG Introduction to NLP Rules or Statistics?? Lexical Analysis,

Introduction to NLP and NLG Introduction to NLP Rules or Statistics?? Lexical Analysis, Syntax Analysis, Semantic Analysis, Pragmatics Speech Processing (Phonetics, Punctuations, Prosody) Ambiguity Concepts

735 views • 13 slides
ICE Analysis Training Program Module 6: Presentation of ICE Analysis in the Environmental

ICE Analysis Training Program Module 6: Presentation of ICE Analysis in the Environmental

ICE Analysis Training Program Module 6: Presentation of ICE Analysis in the Environmental Documentation 1 ICE Analysis Training Program Module 6: Presentation of ICE Analysis in the Environmental Documentation Introduction Introduction

428 views • 21 slides

More recommend