Static Analysis By Elimination
Pavle Subotic, Andrew Santosa, Bernhard Scholz
pavle.subotic@it.uu.se, andrew.santosa@usyd.edu.au, bernhard.scholz@usyd.edu.au
Uppsala University, Sweden; University of Sydney, Australia
Bytecode workshop 2013

Outline of Presentation: Background, Existing Techniques, Our Approach, Implementation, Experiments

Introduction
◮ Range Analysis
  ◮ Finds lower and upper bounds of variables' values
◮ Challenges
  ◮ Conceptually infinite ascending chains
  ◮ Identify loops
◮ Existing techniques
  ◮ Rely on code structure (e.g. Astrée [Cousot et al., 2006])
  ◮ Require a pre-processing stage to discover loop headers ([Bourdoncle, 1993])

Introduction
◮ Our technique:
  1. Extends elimination-based data flow analysis to a lattice with infinite ascending chains
  2. Fast termination
  3. Loops are detected intrinsically within the data flow analysis
◮ Implemented as an analysis pass in the LLVM compiler framework

Motivating Example
[Figure: control flow graph with blocks B0 to B7. Statements shown: int i,k = 0; int arr[5]; if (i < 5) goto B2 else goto B7; int j = 0; if (i < 5) goto B3 else goto B5; if (arr[j] > arr[j+1]) goto B5 else goto B6; swap(arr, j, j+1); k++; j++; i++. Invariants shown: I1: i ≥ 0 ∧ j ≤ 3 (next to B3); I2: i == 5 ∧ k ≤ 25 (next to B7).]

Foundations
◮ Range Analysis is a complete lattice
◮ x ⊒ y: x is as or less precise than y
◮ ⊤ least element (least precise)
◮ ⊥ greatest element, so ⊤ ⊒ ⊥
◮ ⊔ merges information
◮ ⊓ constrains information

Representing Information with Intervals
[Figure: lattice of intervals. Nodes shown: [-inf, inf], [-100, 100], [-200, -110], [5, 100], [-170, -150], [-155, -111], [-90, 10], [-150, -150], [9, 9], ⊥. Labels: Meet, Join, More info.]

Some Existing Techniques
◮ Iterative Data-Flow Analysis [Kildall, 1973]:
  ◮ A technique for iteratively gathering variable information at various points in a computer program
  ◮ Operates on finite and short lattice structures
◮ Abstract Interpretation [Cousot & Cousot, 1977]:
  ◮ A theory of sound approximation of the semantics of computer programs
  ◮ Approximating the execution behaviour of a computer program
  ◮ Additional theory of widening/narrowing to accelerate convergence, required with high and unbounded domains

Iterative Data-Flow Analysis
◮ Input in the form of a Control Flow Graph (CFG)
◮ Initialise to ⊥
◮ Every block transforms the values
◮ Iterate through CFG until a fixpoint is reached

Attempt 1: Iterative Data-Flow Analysis
[Figure: CFG fragment annotated with intervals]
a = [1, 4]
if (a < 3)
  condition a >= 3: [1,4] ⊓ [3, ∞] = [3,4]
  condition a < 3: [1,4] ⊓ [-∞, 2] = [1,2]
a = [5,5]
[5,5] ⊔ [3,4] = [3,5]
...

Attempt 1: Iterative Data-Flow Analysis
[Figure: CFG of the motivating example with blocks b1 to b8 and program points *P1 to *P4. Statements shown: int I, k = 0; int arr[5] = ...; if i < 5; int j = 0; if j < 5; if arr[j] > arr[j+1]; swap(j, j+1); k++; j++; i++. Annotations shown: invariant (1), invariant (2).]

With Kleene Iteration
[Figure: CFG fragment. Statements shown: int j = 0; int i = 0; if (j <= 3) ...; j++; k++;]

With Kleene Iteration
∀ l_i ∈ L . l_1 ⊑ l_2 ⊑ l_3 ⊑ l_4 ... ⊑ l_n where:
In the example, when the inner loop is first visited, we have that j ↦ [0, 0] and k ↦ [0, 0]. In subsequent visits, j ↦ [0, 1] and k ↦ [0, 1], j ↦ [0, 2] and k ↦ [0, 2], j ↦ [0, 3] and k ↦ [0, 3], ... j ↦ [0, 4] and k ↦ [0, ∞].

The Problem: Slow Termination
◮ Impractically slow termination
  ◮ Conditions not incorporating increasing variables
  ◮ Large loop bounds

Attempt 2: Abstract Interpretation
◮ General method to compute a sound approximation of program semantics
◮ Define an abstract semantics, soundly connect to the concrete semantics
◮ Soundness ensures that if a property does not hold in the abstract world, it will not hold in the concrete world
◮ Define widening and narrowing operator

Abstract Interpretation
Widening and narrowing enforce termination
◮ Widening safely approximates the fixpoint solution
◮ Narrowing recovers some precision

Attempt 2: Abstract Interpretation
[Figure: lattice between ⊥ (more precision) and ⊤ (less precision), showing the Fixed-Point (FP), Red / FP, Ext / FP, widening and narrowing.]

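
The "With Kleene Iteration" and widening/narrowing slides, worked as an added example that is not the authors' code. It assumes the loop on the slide behaves like `j = 0; k = 0; while (j <= 3) { j++; k++; }` and uses the standard interval widening and narrowing operators; all function names are hypothetical.

```python
# Added example (not from the slides). Assumed loop:
#   j = 0; k = 0; while (j <= 3) { j++; k++; }
INF = float("inf")

def join(a, b):
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):
    # A bound that is still moving is pushed straight to infinity.
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)

def narrow(old, new):
    # Only bounds that widening sent to infinity may be refined.
    return (new[0] if old[0] == -INF else old[0],
            new[1] if old[1] == INF else old[1])

def step(state):
    """Loop-head state after one more trip: entry joined with the back edge."""
    j, k = state
    body_j = (j[0], min(j[1], 3))                  # guard j <= 3 as a meet
    back = ((body_j[0] + 1, body_j[1] + 1), (k[0] + 1, k[1] + 1))
    return (join((0, 0), back[0]), join((0, 0), back[1]))

def kleene(limit):
    """Plain iteration: (state, rounds), or (state, None) if it gives up."""
    state = ((0, 0), (0, 0))
    for rounds in range(limit):
        nxt = step(state)
        if nxt == state:
            return state, rounds
        state = nxt
    return state, None

def widened():
    """Widen at the loop head until stable, then one narrowing pass."""
    state, rounds = ((0, 0), (0, 0)), 0
    while True:
        nxt = step(state)
        up = (widen(state[0], nxt[0]), widen(state[1], nxt[1]))
        rounds += 1
        if up == state:
            break
        state = up
    nxt = step(state)
    return (narrow(state[0], nxt[0]), narrow(state[1], nxt[1])), rounds

if __name__ == "__main__":
    print(kleene(1000))
    print(widened())
```

Plain iteration never stabilises because the guard does not mention k, while the widened run stops after two rounds and narrowing restores the bound on j.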
Abstract Interpretation
◮ Requires knowing where to perform widening
◮ Previous approaches
  ◮ Use the syntax to determine the loop
  ◮ Perform complicated pre-processing to find loop headers

Our Approach
◮ Discovers loops implicitly using elimination-based data flow analysis
◮ Various acceleration techniques can be embedded such as widening and narrowing

Our Approach
◮ Elimination-based approach: based on Gaussian elimination
◮ Instead of iterating, we eliminate variables from the flow equations
  ◮ substitution, e.g. x = true, y = x ∨ false ⇒ y = true ∨ false
  ◮ loop-breaking, e.g. x = x ∧ true ⇒ x = true
◮ When all variables are eliminated, we compute a solution

Elimination-based Approach Example - Diverging
B0: i = 1;
    if (i < 1) goto B1;
    else goto B2;
B1: i = i + 1;
    goto B2;
B2: i = i + 1;
    goto B1;
Figure: An Irreducible CFG of a Diverging Program

Elimination
EQS:
  X_0 = f_0(⊤)
  X_1 = f_1(X_0, X_2)
  X_2 = f_2(X_0, X_1)
Substitution ⇒ EQS_0:
  X_0 = f_0(⊤)
  X_1 = f_1(f_0(⊤), X_2)
  X_2 = f_2(f_0(⊤), X_1)
Substitution ⇒ EQS_1:
  X_0 = f_0(⊤)
  X_1 = f_1(f_0(⊤), X_2)
  X_2 = f_2(f_0(⊤), f_1(f_0(⊤), X_2))
Break Loop, Substitute Back ⇒ EQS_2:
  X_0 = f_0(⊤)
  X_1 = f_1(f_0(⊤), F*(f_2(f_0(⊤), f_1(f_0(⊤), X_2), X_2′)))
  X_2 = F*(f_2(f_0(⊤), f_1(f_0(⊤), X_2), X_2′))

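
The elimination steps above, carried through on intervals for the diverging program, as an added example that is not the authors' LLVM pass. It assumes X_n is the range of i leaving block Bn, performs the substitutions in the order shown on the slide, and stands in for F* with a widened fixpoint iteration (an assumption, since the slides do not define F*); ⊥ is represented as `None`, meaning no value reaches the block.

```python
# Added example (not from the slides): elimination on X0, X1, X2 over intervals.
INF = float("inf")
BOT = None                       # no value reaches this point
TOP = (-INF, INF)

def join(a, b):
    if a is BOT: return b
    if b is BOT: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    if a is BOT or b is BOT: return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def inc(a):
    return BOT if a is BOT else (a[0] + 1, a[1] + 1)

def widen(old, new):
    if old is BOT: return new
    if new is BOT: return old
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)

# Flow functions read off the CFG (edge conditions are meets on i).
def f0(_entry): return (1, 1)                                # B0: i = 1
def f1(x0, x2): return inc(join(meet(x0, (-INF, 0)), x2))    # B1: from B0 if i < 1, or B2
def f2(x0, x1): return inc(join(meet(x0, (1, INF)), x1))     # B2: from B0 if i >= 1, or B1

def break_loop(g):
    """Solve X = g(X) by widened iteration from bottom (assumed stand-in for F*)."""
    x = BOT
    while True:
        nxt = widen(x, g(x))
        if nxt == x:
            return x
        x = nxt

def solve():
    x0 = f0(TOP)                               # EQS_0: substitute X0
    g = lambda x2: f2(x0, f1(x0, x2))          # EQS_1: X2 now refers only to itself
    x2 = break_loop(g)                         # EQS_2: break the loop on X2
    x1 = f1(x0, x2)                            # substitute back into X1
    return x0, x1, x2

if __name__ == "__main__":
    print(solve())
```

The loop shows up as the self-reference in `g` after substitution, with no loop-header discovery on the irreducible CFG, and the unbounded upper ends of X1 and X2 reflect the divergence.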