Principles of Program Analysis: Data Flow Analysis
Transparencies based on Chapter 2 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag 2005. © Flemming Nielson & Hanne Riis Nielson & Chris Hankin.
PPA Chapter 2 1 © F.Nielson & H.Riis Nielson & C.Hankin (May 2005)
Shape Analysis
Goal: to obtain a finite representation of the shape of the heap of a language with pointers.
The analysis result can be used for
• detection of pointer aliasing
• detection of sharing between structures
• software development tools – detection of errors like dereferences of nil-pointers
• program verification – reverse transforms a non-cyclic list to a non-cyclic list
Syntax of the pointer language
$a ::= p \mid n \mid a_1\ op_a\ a_2 \mid \mathit{nil}$
$p ::= x \mid x.sel$
$b ::= \mathit{true} \mid \mathit{false} \mid \mathit{not}\ b \mid b_1\ op_b\ b_2 \mid a_1\ op_r\ a_2 \mid op_p\ p$
$S ::= [p := a]^\ell \mid [\mathit{skip}]^\ell \mid S_1; S_2 \mid \mathit{if}\ [b]^\ell\ \mathit{then}\ S_1\ \mathit{else}\ S_2 \mid \mathit{while}\ [b]^\ell\ \mathit{do}\ S \mid [\mathit{malloc}\ p]^\ell$
Example: $[y := \mathit{nil}]^1;\ \mathit{while}\ [\mathit{not}\ \mathit{is\text{-}nil}(x)]^2\ \mathit{do}\ ([z := y]^3;\ [y := x]^4;\ [x := x.cdr]^5;\ [y.cdr := z]^6);\ [z := \mathit{nil}]^7$
Reversal of a list
[Figure: the concrete state and heap at program points 0 to 5 of the example; x initially heads the list ξ1 → ξ2 → ξ3 → ξ4 → ξ5 linked by cdr while y and z are nil, and after each iteration one more cell has been moved to the reversed list headed by y]
Structural Operational Semantics
A configuration consists of
• a state $\sigma \in \mathbf{State} = \mathbf{Var}_\star \to (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$ mapping variables to values, locations (in the heap) or the nil-value
• a heap $H \in \mathbf{Heap} = (\mathbf{Loc} \times \mathbf{Sel}) \to_{fin} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$ mapping pairs of locations and selectors to values, locations in the heap or the nil-value
Pointer expressions
$\wp : \mathbf{PExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{fin} (\mathbf{Z} + \{\diamond\} + \mathbf{Loc})$ is defined by
$\wp[\![x]\!](\sigma, H) = \sigma(x)$
$\wp[\![x.sel]\!](\sigma, H) = H(\sigma(x), sel)$ if $\sigma(x) \in \mathbf{Loc}$ and $H$ is defined on $(\sigma(x), sel)$; undefined otherwise
Arithmetic and boolean expressions
$\mathcal{A} : \mathbf{AExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{fin} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$
$\mathcal{B} : \mathbf{BExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{fin} \mathbf{T}$
Statements
Clauses for assignments:
$\langle [x := a]^\ell, \sigma, H \rangle \to \langle \sigma[x \mapsto \mathcal{A}[\![a]\!](\sigma, H)], H \rangle$ if $\mathcal{A}[\![a]\!](\sigma, H)$ is defined
$\langle [x.sel := a]^\ell, \sigma, H \rangle \to \langle \sigma, H[(\sigma(x), sel) \mapsto \mathcal{A}[\![a]\!](\sigma, H)] \rangle$ if $\sigma(x) \in \mathbf{Loc}$ and $\mathcal{A}[\![a]\!](\sigma, H)$ is defined
Clauses for malloc:
$\langle [\mathit{malloc}\ x]^\ell, \sigma, H \rangle \to \langle \sigma[x \mapsto \xi], H \rangle$ where $\xi$ does not occur in $\sigma$ or $H$
$\langle [\mathit{malloc}\ (x.sel)]^\ell, \sigma, H \rangle \to \langle \sigma, H[(\sigma(x), sel) \mapsto \xi] \rangle$ where $\xi$ does not occur in $\sigma$ or $H$ and $\sigma(x) \in \mathbf{Loc}$
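As an added example (not code from the book or these slides), the following Python interpreter implements the concrete semantics just given: σ and H are dictionaries, the assignment and malloc clauses are coded as written, a configuration to which no clause applies (a selector read or written through nil) is reported as stuck, and the list-reversal program from the syntax slide is run on a constructed input list. The tuple encoding of statements, the function names and the sample input are my own choices, not the book's.

```python
# Added example, not from the book or the slides: an interpreter for the
# concrete structural operational semantics of the pointer language.  A state
# maps variables to integers, locations or the nil-value; a heap maps
# (location, selector) pairs to the same kinds of value.
NIL = "nil"                   # the nil-value, drawn as a diamond on the slides

class Stuck(Exception): """No transition rule applies to the configuration."""

def is_loc(v):
    return isinstance(v, str) and v.startswith("xi")   # locations xi1, xi2, ...

def fresh_loc(sigma, heap):
    """A location occurring neither in sigma nor in the heap (malloc rule)."""
    used = {v for v in sigma.values() if is_loc(v)}
    used |= {loc for loc, _ in heap} | {v for v in heap.values() if is_loc(v)}
    n = 1
    while f"xi{n}" in used:
        n += 1
    return f"xi{n}"

def eval_p(p, sigma, heap):
    """Pointer expressions x and x.sel; x.sel is defined only through a location."""
    if p[0] == "var":
        return sigma[p[1]]
    x, sel = p[1], p[2]                            # p == ("sel", x, sel)
    if is_loc(sigma[x]) and (sigma[x], sel) in heap:
        return heap[(sigma[x], sel)]
    raise Stuck(f"{x}.{sel} is undefined ({x} = {sigma[x]})")

def eval_a(a, sigma, heap):
    """Arithmetic expressions: nil, numerals and pointer expressions."""
    if a[0] == "nil":
        return NIL
    if a[0] == "num":
        return a[1]
    return eval_p(a, sigma, heap)

def eval_b(b, sigma, heap):
    """Boolean expressions: the slides' is-nil test and negation."""
    if b[0] == "isnil":
        return eval_p(b[1], sigma, heap) == NIL
    return not eval_b(b[1], sigma, heap)           # b == ("not", b1)

def run(stmt, sigma, heap):
    """Execute a statement from (sigma, heap); returns the final configuration."""
    sigma, heap = dict(sigma), dict(heap)
    kind = stmt[0]
    if kind == "seq":
        return run(stmt[2], *run(stmt[1], sigma, heap))
    if kind == "if":
        return run(stmt[2] if eval_b(stmt[1], sigma, heap) else stmt[3], sigma, heap)
    if kind == "assign":                           # [x := a]
        sigma[stmt[1]] = eval_a(stmt[2], sigma, heap)
    elif kind == "assign_sel":                     # [x.sel := a]
        x, sel, a = stmt[1:]
        if not is_loc(sigma[x]):
            raise Stuck(f"{x}.{sel} := ... with {x} = {sigma[x]}")
        heap[(sigma[x], sel)] = eval_a(a, sigma, heap)
    elif kind == "malloc":                         # [malloc x]
        sigma[stmt[1]] = fresh_loc(sigma, heap)
    elif kind == "while":
        while eval_b(stmt[1], sigma, heap):
            sigma, heap = run(stmt[2], sigma, heap)
    return sigma, heap                             # "skip" falls through unchanged

# The list-reversal program of the slides, labels omitted.
REVERSE = ("seq", ("assign", "y", ("nil",)),
           ("seq", ("while", ("not", ("isnil", ("var", "x"))),
                    ("seq", ("assign", "z", ("var", "y")),
                     ("seq", ("assign", "y", ("var", "x")),
                      ("seq", ("assign", "x", ("sel", "x", "cdr")),
                       ("assign_sel", "y", "cdr", ("var", "z")))))),
            ("assign", "z", ("nil",))))

def list_config(n):
    """Constructed input: x -> xi1 -> ... -> xi<n> -> nil; y and z are nil."""
    sigma = {"x": "xi1" if n else NIL, "y": NIL, "z": NIL}
    heap = {(f"xi{i}", "cdr"): f"xi{i + 1}" if i < n else NIL for i in range(1, n + 1)}
    return sigma, heap

def cells_from(var, sigma, heap, limit=100):
    """The locations reached from var by following cdr (limit guards cycles)."""
    out, v = [], sigma[var]
    while is_loc(v) and len(out) < limit:
        out.append(v)
        v = heap.get((v, "cdr"), NIL)
    return out

def reverse_demo(n):
    """Reverse an n-cell list; returns (cells of y, final x, final z)."""
    sigma, heap = run(REVERSE, *list_config(n))
    return cells_from("y", sigma, heap), sigma["x"], sigma["z"]

def nil_deref_demo():
    """[x.cdr := nil] with x = nil matches no rule: the semantics is stuck."""
    try:
        run(("assign_sel", "x", "cdr", ("nil",)), {"x": NIL}, {})
        return False
    except Stuck:
        return True
```

Running `reverse_demo(5)` yields y heading ξ5 → ξ4 → ξ3 → ξ2 → ξ1 with x and z nil, and `nil_deref_demo()` shows that the only way a nil dereference shows up in this semantics is as a missing transition, which is exactly what the shape analysis is meant to predict statically.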
Shape graphs
The analysis will operate on shape graphs (S, H, is) consisting of
• an abstract state, S,
• an abstract heap, H, and
• sharing information, is, for the abstract locations.
The nodes of the shape graphs are abstract locations: $\mathbf{ALoc} = \{ n_X \mid X \subseteq \mathbf{Var}_\star \}$
Note: there will only be finitely many abstract locations
Example Abstract Locations
In the semantics: The abstract location $n_X$ represents the location $\sigma(x)$ if $x \in X$. The abstract location $n_\emptyset$ is called the abstract summary location: $n_\emptyset$ represents all the locations that cannot be reached directly from the state without consulting the heap.
[Figure: the concrete heap at program point 3 of the reversal (x → ξ3 → ξ4 → ξ5, y → ξ2 → ξ1, z → ξ1) and the shape graph it gives rise to, with nodes $n_{\{x\}}$, $n_\emptyset$, $n_{\{y\}}$ and $n_{\{z\}}$]
In the analysis: Invariant 1. If two abstract locations $n_X$ and $n_Y$ occur in the same shape graph then either $X = Y$ or $X \cap Y = \emptyset$.
Abstract states and heaps
$S \in \mathbf{AState} = \mathcal{P}(\mathbf{Var}_\star \times \mathbf{ALoc})$ (abstract states)
$H \in \mathbf{AHeap} = \mathcal{P}(\mathbf{ALoc} \times \mathbf{Sel} \times \mathbf{ALoc})$ (abstract heaps)
Invariant 2. If $x$ is mapped to $n_X$ by the abstract state $S$ then $x \in X$.
Invariant 3. Whenever $(n_V, sel, n_W)$ and $(n_V, sel, n_{W'})$ are in the abstract heap $H$ then either $V = \emptyset$ or $W = W'$.
[Figure: the shape graph for program point 3 of the reversal, as on the previous slide]
Reversal of a list
[Figure: the shape graphs at program points 0 to 5 of the example, built from $n_{\{x\}}$, $n_{\{y\}}$, $n_{\{z\}}$ and the summary location $n_\emptyset$ linked by cdr edges]
Sharing in the heap
[Figure: two concrete heaps in which x heads a cdr-linked chain starting ξ1 → ξ2 → ξ3 and y points into the remainder of the chain; both give rise to the same shape graph, in which $n_{\{y\}}$ is marked as shared]
These give rise to the same shape graph.
is: the abstract locations that might be shared due to pointers in the heap: $n_X$ is included in is if it might represent a location that is the target of more than one pointer in the heap.
Examples: sharing in the heap
[Figure: three concrete heaps with x and y pointing into cdr-linked cells ξ1, …, ξ5, each drawn next to the shape graph it gives rise to, with the shared abstract locations marked]
Sharing information
The implicit sharing information of the abstract heap must be consistent with the explicit sharing information:
Invariant 4. If $n_X \in \mathit{is}$ then either
• $(n_\emptyset, sel, n_X)$ is in the abstract heap for some $sel$, or
• there are two distinct triples $(n_V, sel_1, n_X)$ and $(n_W, sel_2, n_X)$ in the abstract heap.
Invariant 5. Whenever there are two distinct triples $(n_V, sel_1, n_X)$ and $(n_W, sel_2, n_X)$ in the abstract heap and $X \neq \emptyset$ then $n_X \in \mathit{is}$.
The complete lattice of shape graphs
A shape graph is a triple (S, H, is) where
$S \in \mathbf{AState} = \mathcal{P}(\mathbf{Var}_\star \times \mathbf{ALoc})$
$H \in \mathbf{AHeap} = \mathcal{P}(\mathbf{ALoc} \times \mathbf{Sel} \times \mathbf{ALoc})$
$\mathit{is} \in \mathbf{IsShared} = \mathcal{P}(\mathbf{ALoc})$
and $\mathbf{ALoc} = \{ n_Z \mid Z \subseteq \mathbf{Var}_\star \}$.
A shape graph (S, H, is) is compatible if it fulfils the five invariants.
The analysis computes over sets of compatible shape graphs: $\mathbf{SG} = \{ (S, H, \mathit{is}) \mid (S, H, \mathit{is}) \text{ is compatible} \}$
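The following added example (not the book's or the slides' code) covers the slides on abstract locations, abstract states and heaps, sharing, and compatibility together: it abstracts a concrete (σ, H) into a shape graph (S, H, is) and checks the five invariants. The abstraction is my reading of the slides' informal description (n_X stands for σ(x) when x ∈ X, everything else is summarised by n_∅, and n_X is shared when a location it stands for has more than one incoming heap pointer), so it is an assumption rather than a definition quoted from the book; the two concrete heaps that collapse to one shape graph are constructed here and are not the slides' exact figures, and all function names are my own.

```python
# Added example, not the book's or the slides' code: concrete (sigma, H)
# configurations abstracted to shape graphs (S, H, is), plus a checker for the
# five compatibility invariants.  An abstract location n_X is represented by
# the frozenset X of variable names, so n_∅ is frozenset().  The abstraction
# is my reading of the slides' informal description (an assumption).
NIL = "nil"
SUMMARY = frozenset()           # n_∅, the abstract summary location

def is_loc(v):
    return isinstance(v, str) and v.startswith("xi")   # locations xi1, xi2, ...

def abstract(sigma, heap):
    """Map a concrete (sigma, heap) to the shape graph (S, H, is)."""
    def name(loc):                # n_X with X = the variables pointing at loc
        return frozenset(x for x, v in sigma.items() if v == loc)
    S = {(x, name(v)) for x, v in sigma.items() if is_loc(v)}
    H = {(name(l), sel, name(v)) for (l, sel), v in heap.items() if is_loc(v)}
    incoming = {}                 # concrete location -> number of heap pointers to it
    for v in heap.values():
        if is_loc(v):
            incoming[v] = incoming.get(v, 0) + 1
    IS = {name(l) for l, k in incoming.items() if k > 1}
    return S, H, IS

def violated(S, H, IS):
    """The numbers of the invariants (1..5) that the shape graph breaks."""
    bad = set()
    nodes = {n for _, n in S} | {n for n, _, _ in H} | {n for _, _, n in H} | IS
    # Invariant 1: distinct abstract locations carry disjoint variable sets
    if any(X != Y and X & Y for X in nodes for Y in nodes):
        bad.add(1)
    # Invariant 2: x mapped to n_X by S implies x in X
    if any(x not in X for x, X in S):
        bad.add(2)
    # Invariant 3: only the summary location may have two sel-successors
    if any(V and V == V2 and sel == sel2 and W != W2
           for V, sel, W in H for V2, sel2, W2 in H):
        bad.add(3)
    for X in nodes:
        into_X = {(V, sel) for V, sel, W in H if W == X}   # distinct triples into n_X
        from_summary = any(V == SUMMARY for V, _ in into_X)
        # Invariant 4: a shared node has an edge from n_∅ or two distinct edges
        if X in IS and not from_summary and len(into_X) < 2:
            bad.add(4)
        # Invariant 5: two distinct edges into a non-summary node force sharing
        if X and len(into_X) >= 2 and X not in IS:
            bad.add(5)
    return sorted(bad)

def compatible(graph):
    return violated(*graph) == []

# Constructed concrete configurations (not the slides' exact figures).  In both,
# x heads a cdr-chain xi1 -> xi2 -> xi3 -> (the cell held by y), and the cell
# held by y is the target of two heap pointers, one from an unreachable cell.
HEAP_A = ({"x": "xi1", "y": "xi5", "z": NIL},
          {("xi1", "cdr"): "xi2", ("xi2", "cdr"): "xi3", ("xi3", "cdr"): "xi5",
           ("xi4", "cdr"): "xi5", ("xi5", "cdr"): NIL})
HEAP_B = ({"x": "xi1", "y": "xi4", "z": NIL},
          {("xi1", "cdr"): "xi2", ("xi2", "cdr"): "xi3", ("xi3", "cdr"): "xi4",
           ("xi4", "cdr"): NIL, ("xi5", "cdr"): "xi4"})

# Program point 3 of the list reversal on the slides: x -> xi3 -> xi4 -> xi5,
# y -> xi2 -> xi1 and z -> xi1 (constructed from the slide's figure).
POINT3 = ({"x": "xi3", "y": "xi2", "z": "xi1"},
          {("xi1", "cdr"): NIL, ("xi2", "cdr"): "xi1", ("xi3", "cdr"): "xi4",
           ("xi4", "cdr"): "xi5", ("xi5", "cdr"): NIL})

# A hand-written graph that breaks Invariant 3: n_{x} has two cdr-successors.
BAD_GRAPH = ({("x", frozenset({"x"})), ("y", frozenset({"y"})), ("z", frozenset({"z"}))},
             {(frozenset({"x"}), "cdr", frozenset({"y"})),
              (frozenset({"x"}), "cdr", frozenset({"z"}))},
             set())

def same_shape(conf1, conf2):
    """Do two concrete configurations abstract to the same shape graph?"""
    return abstract(*conf1) == abstract(*conf2)
```

`abstract(*POINT3)` produces the graph drawn for program point 3 on the slides ($n_{\{x\}} \to n_\emptyset$ with a cdr self-loop on $n_\emptyset$, and $n_{\{y\}} \to n_{\{z\}}$, nothing shared), `same_shape(HEAP_A, HEAP_B)` holds even though the two heaps differ in which cell is unreachable, and `violated(*BAD_GRAPH)` reports exactly Invariant 3. Graphs produced by `abstract` always pass `compatible`, which is the property the five invariants are designed to capture.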
The analysis
An instance of a forward Monotone Framework with the complete lattice of interest being $\mathcal{P}(\mathbf{SG})$.
A may analysis: each of the sets of shape graphs computed by the analysis may contain shape graphs that cannot really arise.
Aspects of a must analysis: each of the individual shape graphs (in a set of shape graphs computed by the analysis) will be the best possible description of some $(\sigma, H)$.