Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline...
Transcript of Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline...
![Page 1: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/1.jpg)
Static Program Analysis
Lecture 20: Wrap-Up Interprocedural DFA & Pointer Analysis
Thomas Noll
Lehrstuhl fur Informatik 2(Software Modeling and Verification)
http://moves.rwth-aachen.de/teaching/ws-1415/spa/
Winter Semester 2014/15
![Page 2: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/2.jpg)
Outline
1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution
2 Soundness and Completeness
3 Context-Sensitive Interprocedural Dataflow Analysis
4 Pointer Analysis
5 Introducing Pointers
6 Shape Graphs
Static Program Analysis Winter Semester 2014/15 20.2
![Page 3: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/3.jpg)
The Interprocedural Extension II
Visualization of
1 ϕlc (d ·w) = ϕlc (d)·d ·w
2 ϕln(d′ ·d ·w) = ϕln(d
′)·d ·w
3 ϕlx (d′ ·d ·w) = ϕlx (d
′)·d ·w
4 ϕlr (d′ ·d ·w) = ϕlr (d
′, d)·w
...
[call P(a,z)]lclr
...
[P(val x,res y)]ln
...
[end]lx
d · w1 ϕlc (d)·d ·w
2 ϕln(ϕlc (d))·d ·w
d ′ ·d ·w3 ϕlx (d
′)·d ·w4 ϕlr (ϕlx (d
′), d)·w
Static Program Analysis Winter Semester 2014/15 20.3
![Page 4: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/4.jpg)
Formal Definition of Equation System
Dataflow equations:
AIl =
ι if l ∈ E⊔
{ϕlc (AIlc ) | (lc , ln, lx , lr ) ∈ iflow} if l = lnfor some (lc , ln, lx , lr ) ∈ iflow
⊔
{fl ′(AIl ′) | (l′, l) ∈ F} otherwise
(if l not a return label)
Node transfer functions:
fl(w) =
{
ϕlr (ϕlx (Flx (ϕlc (w)))) if l = lc for some (lc , ln, lx , lr ) ∈ iflowϕl (w) otherwise
(if l not an exit or return label)
Procedure transfer functions:
Fl(w) =
w if l = lnfor some (lc , ln, lx , lr ) ∈ iflow
⊔
{fl ′(Fl ′(w)) | (l ′, l) ∈ F} otherwise(if l occurs in some procedure)
As before: induces monotonic functional on lattice with ACC=⇒ least fixpoint effectively computable
Static Program Analysis Winter Semester 2014/15 20.4
![Page 5: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/5.jpg)
Outline
1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution
2 Soundness and Completeness
3 Context-Sensitive Interprocedural Dataflow Analysis
4 Pointer Analysis
5 Introducing Pointers
6 Shape Graphs
Static Program Analysis Winter Semester 2014/15 20.5
![Page 6: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/6.jpg)
The Fixpoint Iteration
For the fixpoint iteration it is important that the auxiliary functions onlyoperate (at most) on the two topmost elements of the stack:
Lemma 20.1
For every l ∈ Lab, d ∈ D, and w ∈ D∗,
fl(d′ · d · w) = fl(d
′ · d) · w and Fl(d′ · d · w) = Fl(d
′ · d)w
Proof.
see J. Knoop, B. Steffen: The Interprocedural Coincidence Theorem, Proc.CC ’92, LNCS 641, Springer, 1992, 125–140
It therefore suffices to consider stacks with at most two entries, and so thefixpoint iteration ranges over “finitary objects”.
Static Program Analysis Winter Semester 2014/15 20.6
![Page 7: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/7.jpg)
Soundness and Completeness
The following results carry over from the intraprocedural case:
Theorem 20.2
Let S := (Lab,E ,F , (D , ⊑), ι, ϕ) be an interprocedural dataflow system.
1 (cf. Theorem 6.3)
mvp(S) ⊑ fix(ΦS)
2 (cf. Theorem 7.3)
mvp(S) = fix(ΦS) if all ϕl are distributive
Proof.
see J. Knoop, B. Steffen: The Interprocedural Coincidence Theorem, Proc.CC ’92, LNCS 641, Springer, 1992, 125–140
Static Program Analysis Winter Semester 2014/15 20.7
![Page 8: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/8.jpg)
Outline
1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution
2 Soundness and Completeness
3 Context-Sensitive Interprocedural Dataflow Analysis
4 Pointer Analysis
5 Introducing Pointers
6 Shape Graphs
Static Program Analysis Winter Semester 2014/15 20.8
![Page 9: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/9.jpg)
Context-Sensitive Interprocedural DFA
Observation: MVP and fixpoint solution maintain proper relationshipbetween procedure calls and returns
Static Program Analysis Winter Semester 2014/15 20.9
![Page 10: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/10.jpg)
Context-Sensitive Interprocedural DFA
Observation: MVP and fixpoint solution maintain proper relationshipbetween procedure calls and returns
But: do not distinguish between different procedure calls
AIl =
ι if l ∈ E⊔
{ϕlc (AIlc ) | (lc , ln, lx , lr ) ∈ iflow} if l = ln for some(lc , ln, lx , lr ) ∈ iflow
⊔
{fl ′(AIl ′) | (l′, l) ∈ F} otherwise
information about calling states combined for all call sitesprocedure body only analyzed once using combined informationresulting information used at all return points
=⇒ “context-insensitive”
Static Program Analysis Winter Semester 2014/15 20.9
![Page 11: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/11.jpg)
Context-Sensitive Interprocedural DFA
Observation: MVP and fixpoint solution maintain proper relationshipbetween procedure calls and returns
But: do not distinguish between different procedure calls
AIl =
ι if l ∈ E⊔
{ϕlc (AIlc ) | (lc , ln, lx , lr ) ∈ iflow} if l = ln for some(lc , ln, lx , lr ) ∈ iflow
⊔
{fl ′(AIl ′) | (l′, l) ∈ F} otherwise
information about calling states combined for all call sitesprocedure body only analyzed once using combined informationresulting information used at all return points
=⇒ “context-insensitive”
Alternative: context-sensitive analysis
separate information for different call sitesimplementation by “procedure cloning” (one copy for each call site)more precisemore costly
Static Program Analysis Winter Semester 2014/15 20.9
![Page 12: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/12.jpg)
Outline
1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution
2 Soundness and Completeness
3 Context-Sensitive Interprocedural Dataflow Analysis
4 Pointer Analysis
5 Introducing Pointers
6 Shape Graphs
Static Program Analysis Winter Semester 2014/15 20.10
![Page 13: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/13.jpg)
Pointer Analysis
So far: only static data structures (variables)
Static Program Analysis Winter Semester 2014/15 20.11
![Page 14: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/14.jpg)
Pointer Analysis
So far: only static data structures (variables)
Now: pointer (variables) and dynamic memory allocation using heaps
Static Program Analysis Winter Semester 2014/15 20.11
![Page 15: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/15.jpg)
Pointer Analysis
So far: only static data structures (variables)
Now: pointer (variables) and dynamic memory allocation using heaps
Problem:
Programs with pointers and dynamically allocated data structures areerror proneIdentify subtle bugs at compile timeAutomatically prove correctness
Static Program Analysis Winter Semester 2014/15 20.11
![Page 16: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/16.jpg)
Pointer Analysis
So far: only static data structures (variables)
Now: pointer (variables) and dynamic memory allocation using heaps
Problem:
Programs with pointers and dynamically allocated data structures areerror proneIdentify subtle bugs at compile timeAutomatically prove correctness
Interesting properties of heap-manipulating programs:
No null pointer dereferenceNo memory leaksPreservation of data structuresPartial/total correctness
Static Program Analysis Winter Semester 2014/15 20.11
![Page 17: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/17.jpg)
The Shape Analysis Approach
Goal: determine the possible shapes of a dynamically allocated datastructure at given program point
Static Program Analysis Winter Semester 2014/15 20.12
![Page 18: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/18.jpg)
The Shape Analysis Approach
Goal: determine the possible shapes of a dynamically allocated datastructure at given program pointInteresting information:
data types (to avoid type errors, such as dereferencing nil)aliasing (different pointer variables having same value)sharing (different heap pointers referencing same location)reachability of nodes (garbage collection)disjointness of heap regions (parallelizability)shapes (lists, trees, absence of cycles, ...)
Static Program Analysis Winter Semester 2014/15 20.12
![Page 19: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/19.jpg)
The Shape Analysis Approach
Goal: determine the possible shapes of a dynamically allocated datastructure at given program pointInteresting information:
data types (to avoid type errors, such as dereferencing nil)aliasing (different pointer variables having same value)sharing (different heap pointers referencing same location)reachability of nodes (garbage collection)disjointness of heap regions (parallelizability)shapes (lists, trees, absence of cycles, ...)
Concrete questions:
Does x.next point to a shared element?Does a variable p point to an allocated element every time p isdereferenced?Does a variable point to an acyclic list?Does a variable point to a doubly-linked list?Can a loop or procedure cause a memory leak?
Static Program Analysis Winter Semester 2014/15 20.12
![Page 20: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/20.jpg)
The Shape Analysis Approach
Goal: determine the possible shapes of a dynamically allocated datastructure at given program pointInteresting information:
data types (to avoid type errors, such as dereferencing nil)aliasing (different pointer variables having same value)sharing (different heap pointers referencing same location)reachability of nodes (garbage collection)disjointness of heap regions (parallelizability)shapes (lists, trees, absence of cycles, ...)
Concrete questions:
Does x.next point to a shared element?Does a variable p point to an allocated element every time p isdereferenced?Does a variable point to an acyclic list?Does a variable point to a doubly-linked list?Can a loop or procedure cause a memory leak?
Here: basic outline; details in [Nielson/Nielson/Hankin 2005,Sct. 2.6]
Static Program Analysis Winter Semester 2014/15 20.12
![Page 21: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/21.jpg)
Outline
1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution
2 Soundness and Completeness
3 Context-Sensitive Interprocedural Dataflow Analysis
4 Pointer Analysis
5 Introducing Pointers
6 Shape Graphs
Static Program Analysis Winter Semester 2014/15 20.13
![Page 22: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/22.jpg)
Extending the Syntax
Syntactic categories:
Category Domain Meta variableArithmetic expressions AExp aBoolean expressions BExp bSelector names Sel selPointer expressions PExp pCommands (statements) Cmd c
Static Program Analysis Winter Semester 2014/15 20.14
![Page 23: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/23.jpg)
Extending the Syntax
Syntactic categories:
Category Domain Meta variableArithmetic expressions AExp aBoolean expressions BExp bSelector names Sel selPointer expressions PExp pCommands (statements) Cmd c
Context-free grammar:
a ::= z | x | a1+a2 | . . . | p | nil ∈ AExpb ::= t | a1=a2 | b1∧b2 | . . . | is-nil(p) ∈ BExpp ::= x | x.selc ::= [skip]l | [p := a]l | c1;c2 | if [b]l then c1 else c2 |
while [b]l do c | [malloc p]l ∈ Cmd
Static Program Analysis Winter Semester 2014/15 20.14
![Page 24: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/24.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a1 a2 a3 ♦
y
z
next next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 25: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/25.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a1 a2 a3 ♦
y
z
next next next
x a1 a2 a3 ♦
y ♦
z
next next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 26: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/26.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a1 a2 a3 ♦
y ♦
z
next next next
x a1 a2 a3 ♦
y ♦
z ♦
next next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 27: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/27.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a1 a2 a3 ♦
y ♦
z ♦
next next next
x a1 a2 a3 ♦
y
z ♦
next next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 28: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/28.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a1 a2 a3 ♦
y
z ♦
next next next
x a2 a3 ♦
y a1
z ♦
next next
next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 29: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/29.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a2 a3 ♦
y a1
z ♦
next next
next
x a2 a3 ♦
y a1 ♦
z ♦
next next
next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 30: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/30.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
x a2 a3 ♦
y a1 ♦
z ♦
next next
next
(4 steps)
x a3 ♦
y a2 a1 ♦
z
next
next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 31: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/31.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
(4 steps)
x a3 ♦
y a2 a1 ♦
z
next
next next
(4 steps)x ♦
y a3 a2 a1 ♦
z
next next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 32: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/32.jpg)
An Example
Example 20.3 (List reversal)
Program that reverses list pointed to by x and leaves result in y:
[y := nil]1;while [¬is-nil(x)]2 do
[z := y]3;[y := x]4;[x := x.next]5;[y.next := z]6;
[z := nil]7;
(4 steps)x ♦
y a3 a2 a1 ♦
z
next next next
x ♦
y a3 a2 a1 ♦
z ♦
next next next
Static Program Analysis Winter Semester 2014/15 20.15
![Page 33: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/33.jpg)
Outline
1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution
2 Soundness and Completeness
3 Context-Sensitive Interprocedural Dataflow Analysis
4 Pointer Analysis
5 Introducing Pointers
6 Shape Graphs
Static Program Analysis Winter Semester 2014/15 20.16
![Page 34: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/34.jpg)
Shape Graphs I
Approach: representation of (infinitely many) concrete heap states by(finitely many) abstract shape graphs
abstract nodes X = sets of variables
interpretation: x ∈ X iff x points to concrete node represented by X
∅ represents all concrete nodes that are not directly addressed bypointer variables
x , y ∈ X (with x 6= y) indicate aliasing (as x and y point to the sameconcrete node)
if x .sel and y refer to the same heap address and if X ,Y are abstract
nodes with x ∈ X and y ∈ Y , this yields abstract edge Xsel−→ Y
transfer functions transform (sets of) shape graphs
Static Program Analysis Winter Semester 2014/15 20.17
![Page 35: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/35.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a1 a2 a3 ♦
y
z
next next next
{x} ∅next
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 36: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/36.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a1 a2 a3 ♦
y
z
next next next
{x} ∅next
next
x a1 a2 a3 ♦
y ♦
z
next next next
{x} ∅next
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 37: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/37.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a1 a2 a3 ♦
y ♦
z
next next next
{x} ∅next
next
x a1 a2 a3 ♦
y ♦
z ♦
next next next
{x} ∅next
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 38: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/38.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a1 a2 a3 ♦
y ♦
z ♦
next next next
{x} ∅next
next
x a1 a2 a3 ♦
y
z ♦
next next next
{x, y} ∅next
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 39: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/39.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a1 a2 a3 ♦
y
z ♦
next next next
{x, y} ∅next
next
x a2 a3 ♦
y a1
z ♦
next next
next
{x} ∅
{y}
next
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 40: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/40.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a2 a3 ♦
y a1
z ♦
next next
next
{x} ∅
{y}
next
next
x a2 a3 ♦
y a1 ♦
z ♦
next next
next
{x} ∅
{y}
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 41: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/41.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
x a2 a3 ♦
y a1 ♦
z ♦
next next
next
{x} ∅
{y}
next
(4 steps)
x a3 ♦
y a2 a1 ♦
z
next
next next
{x}
{y} {z}next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 42: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/42.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
(4 steps)
x a3 ♦
y a2 a1 ♦
z
next
next next
{x}
{y} {z}next
(4 steps)x ♦
y a3 a2 a1 ♦
z
next next next
{y} {z} ∅next next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 43: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/43.jpg)
Shape Graphs II
Example 20.4 (List reversal; cf. Example 20.3)
Concrete heap Shape graph
(4 steps)x ♦
y a3 a2 a1 ♦
z
next next next
{y} {z} ∅next next
x ♦
y a3 a2 a1 ♦
z ♦
next next next
{y} ∅next
next
Static Program Analysis Winter Semester 2014/15 20.18
![Page 44: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/44.jpg)
Shape Graphs III
Definition 20.5 (Shape graph)
A shape graph G = (S ,H) consists of
a set S ⊆ 2Var of abstract locations andan abstract heap H ⊆ S × Sel × S
notation: Xsel−→ Y for (X , sel ,Y ) ∈ H
with the following properties:
Disjointness: X ,Y ∈ S =⇒ X = Y or X ∩ Y = ∅(a variable can refer to at most one heap location)
Determinacy: X 6= ∅ and Xsel−→ Y and X
sel−→ Z =⇒ Y = Z
(target location is unique if source node is unique)
SG denotes the set of all shape graphs.
Static Program Analysis Winter Semester 2014/15 20.19
![Page 45: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/45.jpg)
Shape Graphs III
Definition 20.5 (Shape graph)
A shape graph G = (S ,H) consists of
a set S ⊆ 2Var of abstract locations andan abstract heap H ⊆ S × Sel × S
notation: Xsel−→ Y for (X , sel ,Y ) ∈ H
with the following properties:
Disjointness: X ,Y ∈ S =⇒ X = Y or X ∩ Y = ∅(a variable can refer to at most one heap location)
Determinacy: X 6= ∅ and Xsel−→ Y and X
sel−→ Z =⇒ Y = Z
(target location is unique if source node is unique)
SG denotes the set of all shape graphs.
Remark: the following example shows that determinacy requires X 6= ∅:
Concrete: y −→ •sel←− •
z −→ •sel←− •
Abstract: Y = {y}sel←− X = ∅
sel−→ Z = {z}
Static Program Analysis Winter Semester 2014/15 20.19
![Page 46: Static Program Analysis - Lecturemoves.rwth-aachen.de/wp-content/uploads/WS1415/SPA14/l20.pdfOutline 1 Recap: Interprocedural Dataflow Analysis – Fixpoint Solution 2 Soundness and](https://reader035.fdocuments.us/reader035/viewer/2022071212/6025157d2c602135e24fab6a/html5/thumbnails/46.jpg)
Shape Graphs and Concrete Heap Properties
Example 20.6
Let G = (S ,H) be a shape graph. Then the following concrete heapproperties can be expressed as conditions on G :
x 6= nil
⇐⇒ ∃X ∈ S : x ∈ X
x = y 6= nil (aliasing)⇐⇒ ∃Z ∈ S : x, y ∈ Z
x.sel1 = y.sel2 6= nil (sharing)
=⇒ ∃X ,Y ,Z ∈ S : x ∈ X , y ∈ Y ,Xsel1−→ Z
sel2←− Y
(⇐= only valid if Z 6= ∅)
Static Program Analysis Winter Semester 2014/15 20.20