
Principles of Program Analysis: Data Flow Analysis Transparencies

Principles of Program Analysis: Data Flow Analysis. Transparencies based on Chapter 2 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag 2005. © Flemming Nielson & Hanne


  1. Principles of Program Analysis: Data Flow Analysis
     Transparencies based on Chapter 2 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag 2005.
     © Flemming Nielson & Hanne Riis Nielson & Chris Hankin.
     PPA Chapter 2. © F.Nielson & H.Riis Nielson & C.Hankin (May 2005)

  2. Shape Analysis
     Goal: to obtain a finite representation of the shape of the heap of a language with pointers.
     The analysis result can be used for
     • detection of pointer aliasing
     • detection of sharing between structures
     • software development tools
       – detection of errors like dereferences of nil-pointers
     • program verification
       – reverse transforms a non-cyclic list to a non-cyclic list
     PPA Section 2.6. © F.Nielson & H.Riis Nielson & C.Hankin (May 2005)

  3. Syntax of the pointer language
     $a ::= p \mid n \mid a_1\ op_a\ a_2 \mid \mathtt{nil}$
     $p ::= x \mid x.sel$
     $b ::= \mathtt{true} \mid \mathtt{false} \mid \mathtt{not}\ b \mid b_1\ op_b\ b_2 \mid a_1\ op_r\ a_2 \mid op_p\ p$
     $S ::= [p := a]^\ell \mid [\mathtt{skip}]^\ell \mid S_1 ; S_2 \mid \mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2 \mid \mathtt{while}\ [b]^\ell\ \mathtt{do}\ S \mid [\mathtt{malloc}\ p]^\ell$
     Example:
     $[\mathtt{y := nil}]^1 ;\ \mathtt{while}\ [\mathtt{not\ is\text{-}nil(x)}]^2\ \mathtt{do}\ ([\mathtt{z := y}]^3 ; [\mathtt{y := x}]^4 ; [\mathtt{x := x.cdr}]^5 ; [\mathtt{y.cdr := z}]^6) ;\ [\mathtt{z := nil}]^7$

  4. Reversal of a list
     [Figure: the concrete heap during reversal of a list, snapshots 0 to 5: the variables x, y and z point into cdr-linked cells $\xi_1, \ldots, \xi_5$.]

  5. Structural Operational Semantics
     A configuration consists of
     • a state $\sigma \in \mathbf{State} = \mathbf{Var}_\star \to (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$ mapping variables to values, locations (in the heap) or the nil-value
     • a heap $H \in \mathbf{Heap} = (\mathbf{Loc} \times \mathbf{Sel}) \to_{\mathrm{fin}} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$ mapping pairs of locations and selectors to values, locations in the heap or the nil-value

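  6. Pointer expressions
     $\wp : \mathbf{PExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{\mathrm{fin}} (\mathbf{Z} + \{\diamond\} + \mathbf{Loc})$ is defined by
     $$\wp[\![x]\!](\sigma, H) = \sigma(x)$$
     $$\wp[\![x.sel]\!](\sigma, H) = \begin{cases} H(\sigma(x), sel) & \text{if } \sigma(x) \in \mathbf{Loc} \text{ and } H \text{ is defined on } (\sigma(x), sel) \\ \text{undefined} & \text{otherwise} \end{cases}$$
     Arithmetic and boolean expressions
     $\mathcal{A} : \mathbf{AExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{\mathrm{fin}} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$
     $\mathcal{B} : \mathbf{BExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{\mathrm{fin}} \mathbf{T}$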

  7. Statements
     Clauses for assignments:
     $\langle [x := a]^\ell, \sigma, H \rangle \to \langle \sigma[x \mapsto \mathcal{A}[\![a]\!](\sigma, H)], H \rangle$
       if $\mathcal{A}[\![a]\!](\sigma, H)$ is defined
     $\langle [x.sel := a]^\ell, \sigma, H \rangle \to \langle \sigma, H[(\sigma(x), sel) \mapsto \mathcal{A}[\![a]\!](\sigma, H)] \rangle$
       if $\sigma(x) \in \mathbf{Loc}$ and $\mathcal{A}[\![a]\!](\sigma, H)$ is defined
     Clauses for malloc:
     $\langle [\mathtt{malloc}\ x]^\ell, \sigma, H \rangle \to \langle \sigma[x \mapsto \xi], H \rangle$
       where $\xi$ does not occur in $\sigma$ or $H$
     $\langle [\mathtt{malloc}\ (x.sel)]^\ell, \sigma, H \rangle \to \langle \sigma, H[(\sigma(x), sel) \mapsto \xi] \rangle$
       where $\xi$ does not occur in $\sigma$ or $H$ and $\sigma(x) \in \mathbf{Loc}$

  8. Shape graphs
     The analysis will operate on shape graphs $(\mathsf{S}, \mathsf{H}, \mathsf{is})$ consisting of
     • an abstract state, $\mathsf{S}$,
     • an abstract heap, $\mathsf{H}$, and
     • sharing information, $\mathsf{is}$, for the abstract locations.
     The nodes of the shape graphs are abstract locations:
     $$\mathbf{ALoc} = \{ n_X \mid X \subseteq \mathbf{Var}_\star \}$$
     Note: there will only be finitely many abstract locations

  9. Example Abstract Locations
     In the semantics:
     [Figure: concrete heap with x, y and z pointing into cdr-linked cells $\xi_1, \ldots, \xi_5$.]
     The abstract location $n_X$ represents the location $\sigma(x)$ if $x \in X$.
     The abstract location $n_\emptyset$ is called the abstract summary location: $n_\emptyset$ represents all the locations that cannot be reached directly from the state without consulting the heap.
     In the analysis:
     [Figure: shape graph over the abstract locations $n_{\{x\}}$, $n_{\{y\}}$, $n_{\{z\}}$ and $n_\emptyset$ with cdr edges.]
     Invariant 1: If two abstract locations $n_X$ and $n_Y$ occur in the same shape graph then either $X = Y$ or $X \cap Y = \emptyset$.

  10. Abstract states and heaps
     $\mathsf{S} \in \mathbf{AState} = \mathcal{P}(\mathbf{Var}_\star \times \mathbf{ALoc})$ (abstract states)
     $\mathsf{H} \in \mathbf{AHeap} = \mathcal{P}(\mathbf{ALoc} \times \mathbf{Sel} \times \mathbf{ALoc})$ (abstract heap)
     [Figure: shape graph over the abstract locations $n_{\{x\}}$, $n_{\{y\}}$, $n_{\{z\}}$ and $n_\emptyset$ with cdr edges.]
     Invariant 2: If $x$ is mapped to $n_X$ by the abstract state $\mathsf{S}$ then $x \in X$.
     Invariant 3: Whenever $(n_V, sel, n_W)$ and $(n_V, sel, n_{W'})$ are in the abstract heap $\mathsf{H}$ then either $V = \emptyset$ or $W = W'$.

  11. Reversal of a list
     [Figure: shape graphs for the list-reversal example, snapshots 0 to 5, over the abstract locations $n_{\{x\}}$, $n_{\{y\}}$, $n_{\{z\}}$ and $n_\emptyset$ with cdr edges.]

  12. Sharing in the heap
     [Figure: two concrete heaps of cdr-linked cells $\xi_1, \ldots, \xi_5$ with x and y pointing into them.]
     Give rise to the same shape graph:
     [Figure: shape graph over the abstract locations $n_{\{x\}}$, $n_{\{y\}}$ and $n_\emptyset$ with cdr edges.]
     $\mathsf{is}$: the abstract locations that might be shared due to pointers in the heap: $n_X$ is included in $\mathsf{is}$ if it might represent a location that is the target of more than one pointer in the heap.

  13. Examples: sharing in the heap
     [Figure: three concrete heaps of cdr-linked cells $\xi_1, \ldots, \xi_5$ with x and y pointing into them, each shown beside its shape graph over $n_{\{x\}}$, $n_{\{y\}}$ and $n_\emptyset$.]

  14. Sharing information
     The implicit sharing information of the abstract heap must be consistent with the explicit sharing information:
     [Figure: shape graph over the abstract locations $n_{\{x\}}$, $n_{\{y\}}$ and $n_\emptyset$ with cdr edges.]
     Invariant 4: If $n_X \in \mathsf{is}$ then either
     • $(n_\emptyset, sel, n_X)$ is in the abstract heap for some $sel$, or
     • there are two distinct triples $(n_V, sel_1, n_X)$ and $(n_W, sel_2, n_X)$ in the abstract heap
     Invariant 5: Whenever there are two distinct triples $(n_V, sel_1, n_X)$ and $(n_W, sel_2, n_X)$ in the abstract heap and $X \neq \emptyset$ then $n_X \in \mathsf{is}$.
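
The step from concrete configurations (slides 5 to 7) to shape graphs (slides 8 to 12), together with a check of Invariants 1 to 5, as an added Python example that is not code from the book or the slides. Assumptions: the abstract location n_X is encoded as `frozenset(X)`, concrete locations are integers, cells hold only `cdr` pointers, z is nil on entry, and all function names are illustrative.

```python
from collections import Counter

NIL = "nil"          # the nil-value; concrete locations are integers (assumed encoding)
EMPTY = frozenset()  # n_X is encoded as frozenset(X), so EMPTY is the summary location
# Constructed sample: cells 2 and 4 both point to cell 3, which y names.
SHARED = ({"x": 1, "y": 3}, {(1, "cdr"): 2, (2, "cdr"): 3, (4, "cdr"): 3, (3, "cdr"): NIL})

def reverse_snapshots(n):
    """Run the reversal program on an n-cell list; snapshot (state, heap) at each test of label 2."""
    heap = {(i, "cdr"): i + 1 if i < n else NIL for i in range(1, n + 1)}
    st = {"x": 1 if n else NIL, "y": NIL, "z": NIL}   # after [y:=nil]^1; z assumed nil
    snaps = [(dict(st), dict(heap))]
    while st["x"] != NIL:                             # [not is-nil(x)]^2
        st["z"] = st["y"]                             # [z:=y]^3
        st["y"] = st["x"]                             # [y:=x]^4
        st["x"] = heap[(st["x"], "cdr")]              # [x:=x.cdr]^5
        heap[(st["y"], "cdr")] = st["z"]              # [y.cdr:=z]^6
        snaps.append((dict(st), dict(heap)))
    return snaps

def abstract(state, heap):
    """Map a concrete (state, heap) to a shape graph (S, H, is)."""
    def n(loc):  # n_X with X = all variables whose value is loc
        return frozenset(v for v, val in state.items() if val == loc)
    S = {(v, n(val)) for v, val in state.items() if val != NIL}
    H = {(n(src), sel, n(dst)) for (src, sel), dst in heap.items() if dst != NIL}
    indeg = Counter(dst for dst in heap.values() if dst != NIL)
    return S, H, {n(loc) for loc, k in indeg.items() if k > 1}

def violations(S, H, shared):
    """Return the sorted numbers of Invariants 1-5 that the shape graph (S, H, is) breaks."""
    bad = set()
    nodes = {n for _, n in S} | {n for v, _, w in H for n in (v, w)} | set(shared)
    if any(a != b and a & b for a in nodes for b in nodes):
        bad.add(1)
    if any(x not in n for x, n in S):
        bad.add(2)
    if any(v and (v, s) == (v2, s2) and w != w2 for v, s, w in H for v2, s2, w2 in H):
        bad.add(3)
    preds = {n: {(v, s) for v, s, w in H if w == n} for n in nodes}
    for n, p in preds.items():
        if n in shared and len(p) < 2 and all(v for v, _ in p):
            bad.add(4)   # marked shared, but no n_EMPTY edge and no two edges into it
        if n and len(p) >= 2 and n not in shared:
            bad.add(5)   # two distinct edges into a named location, not marked shared
    return sorted(bad)

if __name__ == "__main__":
    for i, (st, hp) in enumerate(reverse_snapshots(5)):
        print(i, abstract(st, hp), violations(*abstract(st, hp)))
```

For `SHARED`, the two concrete pointers into cell 3 collapse to the single abstract edge from the summary location to n_{y}, so only the `is` component records that y's cell may be shared.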
