Correctness. Until now We’ve seen how to define dataflow analyses How do we know our analyses are...
Posted 20-Dec-2015 (slide transcript)
Correctness
Until now
• We’ve seen how to define dataflow analyses
• How do we know our analyses are correct?
• We could reason about each individual analysis one at a time
• However, a unified framework would make proofs easier to develop and understand
Abstract interpretation
• Abstract interpretation is such a framework
• Life in analysis-land is all about two things:
– fixed points
– and approximations
• In most general terms, abstract interpretation is a theory of fixed point approximation
• Abstract interpretation is very flexible, and it has been applied to many domains
Just a reminder
• An analysis (ignore subscripts for now...):
• $F_a$ is the global flow function, which takes a map from edges to dataflow information
• Solution is
A simple example with const prop
x := 0;
y := 0;
while (...) {
x := x + 1;
print(x);
}
print(y);
Same example with a twist
• At merge point, take union of maps, rather than merging maps
x := 0;
y := 0;
while (...) {
x := x + 1;
print(x);
}
print(y);
What exactly is going on? (discussion)
What exactly is going on?
• Well, to begin with, our analysis doesn’t terminate anymore...
• We are keeping much more information around
• In fact, we are...
• ... running the program
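The two runs on slides 5 and 6, as an added example that is not part of the original slides: one generic worklist solver is run over the CFG of the loop program twice, once with the constant-propagation lattice (merge = lattice join) and once with the "twist" (a fact is the set of program states reaching a node, merge = set union). The CFG encoding, the node numbering and the step bound are my own assumptions; the bound is the only reason the second run stops at all.

```python
"""Constant propagation vs. the "union of maps" twist, on the slides' loop example."""
from collections import deque

TOP = "T"  # constant-propagation top: "known not to be a constant"

# The program from the slides as a CFG: node -> (statement, successor nodes).
# Expressions are ("const", c) or ("add", var, c); "skip" stands for print and the loop test.
# (Assumed encoding; the slides only show the source text.)
CFG = {
    0: (("assign", "x", ("const", 0)), [1]),     # x := 0
    1: (("assign", "y", ("const", 0)), [2]),     # y := 0
    2: (("skip",), [3, 5]),                       # while (...): into the body or out
    3: (("assign", "x", ("add", "x", 1)), [4]),  # x := x + 1
    4: (("skip",), [2]),                          # print(x); back edge to the loop head
    5: (("skip",), []),                           # print(y)
}
ENTRY = 0


def solve(cfg, entry, init, transfer, merge, max_steps):
    """Generic worklist solver over node-entry facts; returns (facts, converged).

    Both runs below use this same solver: only the domain, the transfer
    function and the merge operator differ."""
    facts = {entry: init}
    work = deque([entry])
    steps = 0
    while work:
        if steps == max_steps:
            return facts, False          # gave up: no fixed point reached
        steps += 1
        n = work.popleft()
        stmt, succs = cfg[n]
        out = transfer(stmt, facts[n])
        for s in succs:
            new = out if s not in facts else merge(facts[s], out)
            if s not in facts or new != facts[s]:
                facts[s] = new
                work.append(s)
    return facts, True


# --- Abstract domain: a map var -> constant | TOP. A variable absent from the
#     map has not been assigned on any path yet (bottom).
def abs_eval(expr, env):
    if expr[0] == "const":
        return expr[1]
    v = env.get(expr[1], TOP)
    return TOP if v == TOP else v + expr[2]


def abs_transfer(stmt, env):
    if stmt[0] == "assign":
        return {**env, stmt[1]: abs_eval(stmt[2], env)}
    return env


def abs_merge(a, b):
    """Lattice join at a merge point: agreeing constants stay, disagreeing ones become TOP."""
    out = {}
    for v in a.keys() | b.keys():
        if v not in a:
            out[v] = b[v]
        elif v not in b:
            out[v] = a[v]
        else:
            out[v] = a[v] if a[v] == b[v] else TOP
    return out


# --- The twist: keep the set of all program states (a state is a frozenset of
#     (var, value) pairs) and take the union at merge points.
def conc_transfer(stmt, states):
    if stmt[0] != "assign":
        return states
    result = set()
    for s in states:
        env = dict(s)
        expr = stmt[2]
        env[stmt[1]] = expr[1] if expr[0] == "const" else env[expr[1]] + expr[2]
        result.add(frozenset(env.items()))
    return frozenset(result)


def run_constprop(max_steps=1000):
    return solve(CFG, ENTRY, {}, abs_transfer, abs_merge, max_steps)


def run_collecting(max_steps=200):
    # Initial fact: one state in which nothing has been assigned yet.
    return solve(CFG, ENTRY, frozenset([frozenset()]), conc_transfer, lambda a, b: a | b, max_steps)


def x_values_at(facts, node):
    """The x values of all collected states at a node, sorted."""
    return sorted(dict(s)["x"] for s in facts[node])


if __name__ == "__main__":
    abs_facts, done = run_constprop()
    print("const prop converged:", done, "at print(y):", abs_facts[5])
    conc_facts, done = run_collecting()
    print("collecting converged:", done, "x at loop head:", x_values_at(conc_facts, 2))
```

The first run converges, with x mapped to TOP and y to 0 at print(y). The second run adds a fresh state {x ↦ k, y ↦ 0} to the loop head on every trip and is only stopped by the step bound: it is running the program, not analysing it.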
Excursion into semantics land
• Semantics of a programming language
– captures how the instructions of a programming language operate
• vs. semantics of a program
– captures how a given program runs
Semantics of a program
• Can use fixed points to capture the semantics of a program
• Solution:
Semantics of a program
• Back to our const prop example
• What were we computing?
• Set of all program states at a given CFG edge
• This fixed point is not computable, but we never compute it. We only reason about it.
Abstract Interpretation
• An abstract interpretation I is a tuple:
• Important to not get confused: $F$ is the global flow function here, and $D$ is the global domain (i.e. most of the time $D$ will contain maps from edges to dataflow information)
Concrete and abstract
• “Concrete” interpretation
• “Running” program in concrete domain
• Generally not computable
• “Abstract” interpretation
• “Running” program in abstract domain
• Computable
Concrete and abstract
• Recall I is an abstract interpretation
• So we should really be saying “concrete” abstract interpretation, and “abstract” abstract interpretation.
• So even the concrete interpretation is called abstract...
• Anyone confused yet?
Concrete and abstract
• Ok, so why is the “concrete” interpretation a “concrete” abstract interpretation?
• Because all interpretations are in some way or another abstractions of the program
• In fact, even our so-called “concrete” interpretation can be seen as “abstract” when compared to other interpretations
Back to semantics of a program
• Collecting semantics
– compute the set of all program states (this is the const prop example)
• More “concrete” than collecting semantics: trace prefix semantics
– compute at edge e the set of all program traces that reach e
• Even more concrete: full trace semantics
– collect the set of all traces
• Even more concrete?
Back to semantics of a program
• Less concrete than trace semantics: input-output semantics
– compute the set of input-output pairs
• So, to summarize: many options, at varying levels of abstraction.
• In some sense, they are all abstract (unless maybe you are capturing the set of electron transitions in the wires of your computer ... )
Back to semantics of a program
• Choosing the right concrete semantics is actually important: it affects what you are proving about the program
• But the key is that all can be expressed as a fixed point computation
Correctness
• Ok, so now we have two fixed point computations, $I_c$ and $I_a$.
• $I_c$ is the precise semantics of our program, but it’s not computable. So we compute $I_a$ instead. $I_a$ is computable, but... is it meaningful?
• In other words, does $I_a$ in fact tell us something about $I_c$?
• We now want to show that the abstract fixed point is in fact meaningful, in that it approximates the concrete one.
Formally
• Formalize the relation between the two fixed points using two functions:
– abstraction function $\alpha$
– concretization function $\gamma$
???
Let’s start with the concretization function
• $\gamma : D_a \to D_c$
• $\gamma(d_a)$ returns the most lenient concrete information that $d_a$ approximates
• For const prop: $\gamma(d_a) =$
Approximation
• $d_a$ approximates $d_c$ iff $d_c \sqsubseteq_c \gamma(d_a)$
• Assume that at a given edge $e$ the dataflow info says that $a$ is 4, i.e. $d_a(e) = \{a \mapsto 4\}$, and assume that $d_a$ approximates $d_c$, i.e. $d_c \sqsubseteq_c \gamma(d_a)$
• From $d_c \sqsubseteq_c \gamma(d_a)$, using the definition of $\sqsubseteq_c$ (inclusion of the state sets, edge by edge), we get $d_c(e) \subseteq \gamma(d_a)(e)$
• From $d_a(e) = \{a \mapsto 4\}$ and the definition of $\gamma$, we get that $\gamma(d_a)(e)$ is the set of all program states where $a$ is 4
• So what does $d_c(e) \subseteq \gamma(d_a)(e)$ say?
• It says that $a$ evaluates to 4 in all program states at $e$
Fixed point approximation
• We want to show that the abstract fixed point approximates the concrete fixed point
• This is our goal. We’ll get to establishing it later. First, let’s see
Abstraction function
• $\alpha : D_c \to D_a$
• $\alpha(d_c)$ returns the most precise abstract information that characterizes $d_c$
• For const prop: $\alpha(d_c) =$
Approximation
• $d_a$ approximates $d_c$ iff $\alpha(d_c) \sqsubseteq_a d_a$
• Assume that at a given edge $e$ the dataflow info says that $a$ is 4, i.e. $d_a(e) = \{a \mapsto 4\}$, and assume that $d_a$ approximates $d_c$, i.e. $\alpha(d_c) \sqsubseteq_a d_a$
• From $\alpha(d_c) \sqsubseteq_a d_a$, using the definition of $\sqsubseteq_a$, we get $\alpha(d_c)(e) \supseteq d_a(e)$, and since $d_a(e) = \{a \mapsto 4\}$, we get $(a \mapsto 4) \in \alpha(d_c)(e)$
• From the definition of $\alpha$, $\alpha(d_c)(e)$ is the set of all constant prop information that we could possibly get out of $d_c$
• So what does $(a \mapsto 4) \in \alpha(d_c)(e)$ say?
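$\alpha$ and $\gamma$ for constant propagation at a single edge, as an added example that is not on the slides. It covers both forms of "$d_a$ approximates $d_c$" from the two Approximation slides: $d_c \subseteq \gamma(d_a)$ and $\alpha(d_c) \supseteq d_a$, and it checks the slides' instance $d_a(e) = \{a \mapsto 4\}$. The finite universe of states, the variable names a and b and the value range are constructed so that the check can be exhaustive; the slides' sets of all program states are infinite and are only reasoned about, never enumerated.

```python
"""alpha and gamma for constant propagation, checked on a small finite universe of states."""
from itertools import product


def universe(variables, values):
    """All concrete states over the given variables and value range (a constructed, finite
    stand-in for the set of all program states). A state is a frozenset of (var, value)."""
    return frozenset(frozenset(zip(variables, vs))
                     for vs in product(values, repeat=len(variables)))


def gamma(da, states):
    """Concretization: the most lenient concrete information da approximates, i.e. every
    state in which all constant facts (var, c) of da hold."""
    return frozenset(s for s in states if all(dict(s).get(v) == c for v, c in da))


def alpha(dc, variables, values):
    """Abstraction: the most precise abstract information characterizing dc, i.e. every
    constant fact (var, c) that holds in all states of dc."""
    return frozenset((v, c) for v in variables for c in values
                     if all(dict(s)[v] == c for s in dc))


def approximates_via_gamma(da, dc, states):
    """dc ⊑c gamma(da): on sets of states, ⊑c is subset inclusion."""
    return dc <= gamma(da, states)


def approximates_via_alpha(da, dc, variables, values):
    """alpha(dc) ⊑a da: on sets of constant facts, ⊑a is superset inclusion
    (more facts = more precise = lower in the abstract lattice)."""
    return alpha(dc, variables, values) >= da


def slide_example():
    """The slides' instance: at edge e the analysis says a is 4, da(e) = {a -> 4}.
    dc is a constructed set of states in which a is 4 and b varies."""
    variables, values = ("a", "b"), range(5)
    states = universe(variables, values)
    da = frozenset({("a", 4)})
    dc = frozenset(s for s in states if dict(s)["a"] == 4 and dict(s)["b"] < 3)
    return (approximates_via_gamma(da, dc, states),
            approximates_via_alpha(da, dc, variables, values))


def galois_holds(variables, values):
    """Exhaustively check  dc ⊆ gamma(da)  <=>  alpha(dc) ⊇ da  for every da and dc over
    a small universe: the two definitions of approximation agree."""
    states = list(universe(variables, values))
    facts = [(v, c) for v in variables for c in values]
    all_dc = [frozenset(s for s, keep in zip(states, bits) if keep)
              for bits in product((0, 1), repeat=len(states))]
    all_da = [frozenset(f for f, keep in zip(facts, bits) if keep)
              for bits in product((0, 1), repeat=len(facts))]
    gammas = {da: gamma(da, states) for da in all_da}
    alphas = {dc: alpha(dc, variables, values) for dc in all_dc}
    return all((dc <= gammas[da]) == (alphas[dc] >= da)
               for dc in all_dc for da in all_da)


if __name__ == "__main__":
    print("slide instance (via gamma, via alpha):", slide_example())
    print("Galois connection holds on the small universe:", galois_holds(("a", "b"), range(3)))
```

The exhaustive check is the Galois connection property between $\alpha$ and $\gamma$: $d_c \subseteq \gamma(d_a)$ exactly when $\alpha(d_c) \supseteq d_a$. That is why the $\gamma$ form and the $\alpha$ form of "approximates" on the two slides are interchangeable, and it answers the question above: $(a \mapsto 4) \in \alpha(d_c)(e)$ says that $a$ is 4 in every state of $d_c(e)$.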
Fixed point approximation
• We want to show that the abstract fixed point approximates the concrete fixed point
Summary
• Want to show:
Problem
• The above conditions are global: they talk about the fixed point computation
• We want some local conditions on Fa and Fc
Cousot and Cousot 77
• Cousot and Cousot show that the following conditions are sufficient for proving (1) and (2):
(3)
(4)
(5)
Let’s look at the condition
Link between local and global
• (4) is the local version of (1)
• Indeed, using (4) we can show by induction that
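The induction the slide refers to, written out as an added derivation that is not on the slides (whose conditions (3) to (5) are missing from this transcript). The local condition used below is the standard one from Cousot and Cousot and is an assumption here, taken as the content of (4); the global statement it yields is the $\alpha$ form of "the abstract fixed point approximates the concrete one".

Assume $\alpha : D_c \to D_a$ and $F_a : D_a \to D_a$ are monotone, and that the local conditions
$$\alpha(\bot_c) \sqsubseteq_a \bot_a \qquad\text{and}\qquad \alpha(F_c(d_c)) \sqsubseteq_a F_a(\alpha(d_c)) \ \text{ for all } d_c \in D_c$$
hold. Claim: for every $i \ge 0$,
$$\alpha\big(F_c^{\,i}(\bot_c)\big) \sqsubseteq_a F_a^{\,i}(\bot_a).$$
Base case $i = 0$: this is the first local condition. Step: using the second local condition, then monotonicity of $F_a$ applied to the induction hypothesis,
$$\alpha\big(F_c^{\,i+1}(\bot_c)\big) = \alpha\big(F_c(F_c^{\,i}(\bot_c))\big) \sqsubseteq_a F_a\big(\alpha(F_c^{\,i}(\bot_c))\big) \sqsubseteq_a F_a\big(F_a^{\,i}(\bot_a)\big) = F_a^{\,i+1}(\bot_a).$$
When both fixed points are the limits of these iteration sequences, $\mathrm{lfp}(F_c) = \bigsqcup_i F_c^{\,i}(\bot_c)$ and $\mathrm{lfp}(F_a) = \bigsqcup_i F_a^{\,i}(\bot_a)$, and $\alpha$ preserves joins (as the lower adjoint of a Galois connection does), the local statement lifts to the global one:
$$\alpha(\mathrm{lfp}(F_c)) = \bigsqcup_i \alpha\big(F_c^{\,i}(\bot_c)\big) \sqsubseteq_a \bigsqcup_i F_a^{\,i}(\bot_a) = \mathrm{lfp}(F_a).$$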