introduction to program analysis
play

Introduction to Program Analysis Uday Khedker - PowerPoint PPT Presentation

Aug 14, 2022 •223 likes •1.3k views

Introduction to Program Analysis Uday Khedker (www.cse.iitb.ac.in/uday) Department of Computer Science and Engineering, Indian Institute of Technology, Bombay Dec 2017 WSSE Pune Intro to PA: Outline 1/1 Introduction to Program Analysis:

  1. WSSE Pune Intro to PA: Improving Garbage Collection 7/1 Liveness of Stack Data: An Informal Introduction Accessing the location and reading its contents 1 w = x // x points to m a rptr 2 while (x.data < max) Heap lptr 3 x = x.rptr rptr rptr data 4 y = x.lptr 5 z = New class of z 6 y = y.lptr 7 z.sum = x.data + y.data w x y z Stack Reading x.data (Heap data) Dec 2017 IIT Bombay

  2. WSSE Pune Intro to PA: Improving Garbage Collection 7/1 Liveness of Stack Data: An Informal Introduction Accessing the location and reading its contents 1 w = x // x points to m a rptr 2 while (x.data < max) Heap lptr 3 x = x.rptr rptr rptr data 4 y = x.lptr 5 z = New class of z 6 y = y.lptr 7 z.sum = x.data + y.data w x y z Stack Reading x.rptr (Heap data) Dec 2017 IIT Bombay

  3. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr y = x.lptr z = New class of z No variable is used beyond this y = y.lptr program point z.sum = x.data + y.data w x y z Dec 2017 IIT Bombay

  4. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr y = x.lptr Current values of x, y, and z are z = New class of z used beyond this program point y = y.lptr Live w x y z z.sum = x.data + y.data Dead Dec 2017 IIT Bombay

  5. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) • Current values of x, y, and z are x = x.rptr used beyond this program point • The value of y is different before y = x.lptr and after the assignment to y z = New class of z w x y z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  6. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) • The current values of x and y are used beyond this program point • The current value of z is not used x = x.rptr beyond this program point y = x.lptr w x y z z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  7. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr w x y z y = x.lptr • The current values of x is used beyond this program point z = New class of z • Current values of y and z are not used beyond this program point y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  8. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) x = x.rptr w x y z y = x.lptr • Nothing is known as of now z = New class of z • Some information will be available in the next iteration point y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  9. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) w x y z x = x.rptr • Current value of x is used beyond this program point y = x.lptr • However its value is different before and after the assignment z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  10. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x while (x.data < max) w x y z x = x.rptr • Current value of x is used beyond this program point y = x.lptr • There are two control flow paths beyond this program point z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  11. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w = x w x y z while (x.data < max) Current value of x is used be- x = x.rptr yond this program point y = x.lptr z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  12. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w x y z w = x Current value of x is used be- while (x.data < max) yond this program point x = x.rptr y = x.lptr z = New class of z y = y.lptr z.sum = x.data + y.data Dec 2017 IIT Bombay

  13. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w x y z w = x w x y z while (x.data < max) w x y z w x y z x = x.rptr w x y z w x y z End of iteration #1 y = x.lptr w x y z z = New class of z w x y z y = y.lptr Live w x y z z.sum = x.data + y.data Dead w x y z Dec 2017 IIT Bombay

  14. WSSE Pune Intro to PA: Improving Garbage Collection 8/1 Liveness of Stack Data: An Informal Introduction w x y z w = x w x y z while (x.data < max) w x y z w x y z x = x.rptr w x y z w x y z End of iteration #2 y = x.lptr w x y z z = New class of z w x y z y = y.lptr Live w x y z z.sum = x.data + y.data Dead w x y z Dec 2017 IIT Bombay

  15. WSSE Pune Intro to PA: Improving Garbage Collection 9/1 Applying Cedar Mesa Folk Wisdom to Heap Data Liveness Analysis of Heap Data If the while loop is not executed even once. d t r p r c rptr p e lptr z 1 w = x // x points to m a b g rptr 2 while (x.data < max) l p t rptr r f 3 x = x.rptr x lptr h 4 y = x.lptr a a k rptr w 5 z = New class of z j lptr rptr 6 y = y.lptr lptr l 7 z.sum = x.data + y.data i i y n q rptr l p t r m m l o p t r Heap Stack Dec 2017 IIT Bombay

  16. WSSE Pune Intro to PA: Improving Garbage Collection 9/1 Applying Cedar Mesa Folk Wisdom to Heap Data Liveness Analysis of Heap Data If the while loop is executed once. d t r p r c rptr p e lptr z 1 w = x // x points to m a b b g rptr 2 while (x.data < max) l p t rptr r f f 3 x = x.rptr x lptr h h 4 y = x.lptr a k rptr w 5 z = New class of z j lptr rptr 6 y = y.lptr lptr l 7 z.sum = x.data + y.data i y n q rptr l p t r m l o p t r Heap Stack Dec 2017 IIT Bombay

  17. WSSE Pune Intro to PA: Improving Garbage Collection 9/1 Applying Cedar Mesa Folk Wisdom to Heap Data Liveness Analysis of Heap Data If the while loop is executed twice. d t r p r c c rptr p e e lptr z 1 w = x // x points to m a b g rptr 2 while (x.data < max) l p t rptr r f 3 x = x.rptr x lptr h 4 y = x.lptr a k rptr w 5 z = New class of z j lptr rptr 6 y = y.lptr lptr l 7 z.sum = x.data + y.data i y n q rptr l p t r m l o p t r Heap Stack Dec 2017 IIT Bombay

  18. WSSE Pune Intro to PA: Improving Garbage Collection 10/1 The Moral of the Story • Mappings between access expressions and l-values keep changing • This is a rule for heap data For stack and static data, it is an exception ! • Static analysis of programs has made significant progress for stack and static data. What about heap data? ◮ Given two access expressions at a program point, do they have the same l-value? ◮ Given the same access expression at two program points, does it have the same l-value? Dec 2017 IIT Bombay

  19. WSSE Pune Intro to PA: Improving Garbage Collection 11/1 Our Solution y = z = null 1 w = x w = null 2 while (x.data < max) { x.lptr = null 3 x = x.rptr } x.rptr = x.lptr.rptr = null x.lptr.lptr.lptr = null x.lptr.lptr.rptr = null 4 y = x.lptr x.lptr = y.rptr = null y.lptr.lptr = y.lptr.rptr = null 5 z = New class of z z.lptr = z.rptr = null 6 y = y.lptr y.lptr = y.rptr = null 7 z.sum = x.data + y.data x = y = z = null Dec 2017 IIT Bombay

  20. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  21. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  22. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  23. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q t r p 6 y = y.lptr lptr r m m y.lptr = y.rptr = null l o p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  24. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n r q t r p 6 y = y.lptr lptr m m y.lptr = y.rptr = null l o p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  25. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null lptr j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n r q t r p 6 y = y.lptr lptr m m y.lptr = y.rptr = null l o p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  26. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is not executed even once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c rptr p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b g rptr x.lptr.lptr.lptr = null lptr f x.lptr.lptr.rptr = null x l p t r h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null j 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  27. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is executed once 1 w = x w = null 2 while (x.data < max) d rptr { x.lptr = null c p lptr 3 x = x.rptr } e z x.rptr = x.lptr.rptr = null b b g x.lptr.lptr.lptr = null rptr f f x.lptr.lptr.rptr = null x lptr h h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null j rptr 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q rptr 6 y = y.lptr l p t r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  28. WSSE Pune Intro to PA: Improving Garbage Collection 12/1 Our Solution y = z = null While loop is executed twice 1 w = x w = null 2 while (x.data < max) d { x.lptr = null c c rptr p 3 x = x.rptr } e e z x.rptr = x.lptr.rptr = null b b g rptr x.lptr.lptr.lptr = null rptr f f x.lptr.lptr.rptr = null x l p t r h h 4 y = x.lptr a a x.lptr = y.rptr = null k t r r p w y.lptr.lptr = y.lptr.rptr = null j rptr 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n q rptr 6 y = y.lptr l p t r m m y.lptr = y.rptr = null l p o t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  29. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null Node is live but link a → i is nullified i 1 w = x w = null 2 while (x.data < max) rptr d { x.lptr = null c r p t p r 3 x = x.rptr } lptr e z b x.rptr = x.lptr.rptr = null g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  30. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null • The memory address that x holds when the 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) rptr d { x.lptr = null c r p t p r 3 x = x.rptr } lptr e z b x.rptr = x.lptr.rptr = null g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  31. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null • The memory address that x holds when the 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) • Whether we dereference lptr out of x or rptr d { x.lptr = null c rptr out of x at a given program point is an r p t p r 3 x = x.rptr } lptr e invariant of program execution z b x.rptr = x.lptr.rptr = null g rptr x.lptr.lptr.lptr = null lptr rptr f x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  32. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations y = z = null • The memory address that x holds when the 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) • Whether we dereference lptr out of x or rptr d { x.lptr = null c rptr out of x at a given program point is an r p t p r 3 x = x.rptr } lptr e invariant of program execution z b x.rptr = x.lptr.rptr = null g • A static analysis can discover only rptr x.lptr.lptr.lptr = null lptr rptr f invariants x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  33. WSSE Pune Intro to PA: Improving Garbage Collection 13/1 Some Observations New access expressions are created. y = z = null • The memory address that x holds when the Can they cause exceptions? 1 w = x execution reaches a given program point is w = null not an invariant of program execution 2 while (x.data < max) • Whether we dereference lptr out of x or rptr d { x.lptr = null c rptr out of x at a given program point is an r p t p r 3 x = x.rptr } lptr e invariant of program execution z b x.rptr = x.lptr.rptr = null g • A static analysis can discover only some rptr x.lptr.lptr.lptr = null lptr rptr f invariants x.lptr.lptr.rptr = null x l p t h r 4 y = x.lptr a a x.lptr = y.rptr = null r k p t r w y.lptr.lptr = y.lptr.rptr = null j r t p r 5 z = New class of z lptr l i i z.lptr = z.rptr = null y n rptr q 6 y = y.lptr lptr m m y.lptr = y.rptr = null o l p t r 7 z.sum = x.data + y.data x = y = z = null Heap Stack Dec 2017 IIT Bombay

  34. WSSE Pune Intro to PA: Improving Garbage Collection 14/1 The Main Theme of (Static) Program Analysis Constructing suitable abstractions for sound & precise modelling of runtime behaviour of programs efficiently Dec 2017 IIT Bombay

  35. WSSE Pune Intro to PA: Improving Garbage Collection 14/1 The Main Theme of (Static) Program Analysis Constructing suitable abstractions for sound & precise modelling of runtime behaviour of programs efficiently Abstract, Bounded, Single Instance Concrete, Unbounded, Infinitely Many Static Dynamic Program Execution Program Execution Program Execution Program Code Program Execution Program Execution Program Execution Static Analysis Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Memory Summary Information Memory Memory Memory Memory Memory Memory Memory Memory Memory Dec 2017 IIT Bombay

  36. Part 2 Soundness and Precision

  37. WSSE Pune Intro to PA: Soundness and Precision 15/1 Program Representation • Three address code statements ◮ Result, operator, operand1, operand2 ◮ Assignments, expressions, conditional jumps ◮ Pointer expressions (including structure accesses) Features will be introduced as and when needed • Control flow graph representation ◮ Nodes represent maximal groups of statements devoid of any control transfer except fall through ◮ Edges represent control transfers across basic blocks ◮ A unique Start node and a unique End node Every node reachable from Start , and End reachable from every node • Initially only intraprocedural programs Function calls brought in later Dec 2017 IIT Bombay

  38. WSSE Pune Intro to PA: Soundness and Precision 16/1 Motivating Example for Introducing Soundness and Precision Example Program Control Flow Graph int a; int f(int b) { int c; c = a%2; b = - abs(b); while (b < c) b = b+1; if (b > 0) b = 0; return b; } Dec 2017 IIT Bombay

  39. WSSE Pune Intro to PA: Soundness and Precision 16/1 Motivating Example for Introducing Soundness and Precision Example Program Control Flow Graph Absolute int a; int f(int b) { int c; c = a%2; b = - abs(b); while (b < c) b = b+1; if (b > 0) b = 0; return b; } Dec 2017 IIT Bombay

  40. WSSE Pune Intro to PA: Soundness and Precision 16/1 Motivating Example for Introducing Soundness and Precision Example Program Control Flow Graph c = a%2 Absolute 1 b = - abs(b) int a; int f(int b) if (b < c) 2 { int c; c = a%2; F T b = - abs(b); if (b > 0) b = b+1 4 3 while (b < c) b = b+1; T if (b > 0) F b = 0 5 b = 0; return b; } return b 6 Dec 2017 IIT Bombay

  41. WSSE Pune Intro to PA: Soundness and Precision 17/1 Execution Traces for Concrete Semantics (1) • States ◮ A data state: Variables → Values ◮ A program state: (Program Point , A data state) • Execution traces (or traces, for short) ◮ Valid sequences of program states starting with a given initial state Dec 2017 IIT Bombay

  42. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 1 b = - abs(b) 2 if (b < c) F T b = b+1 4 if (b > 0) 3 T b = 0 F 5 return b 6 Dec 2017 IIT Bombay

  43. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 Trace 1 1 b = - abs(b) a b c Entry 1 , (5 , 2 , 7) Entry 2 , (5 , − 2 , 1) 2 if (b < c) Entry 3 , (5 , − 2 , 1) Entry 2 , (5 , − 1 , 1) F T Entry 3 , (5 , − 1 , 1) b = b+1 4 if (b > 0) 3 Entry 2 , (5 , 0 , 1) T Entry 3 , (5 , 0 , 1) Entry 2 , (5 , 1 , 1) b = 0 F 5 Entry 4 , (5 , 1 , 1) Entry 5 , (5 , 1 , 1) return b 6 Entry 6 , (5 , 0 , 1) Dec 2017 IIT Bombay

  44. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 Trace 1 Trace 2 1 b = - abs(b) a b c a b c Entry 1 , ( − 5 , − 2 , 8) Entry 1 , (5 , 2 , 7) Entry 2 , (5 , − 2 , 1) Entry 2 , ( − 5 , − 2 , − 1) 2 if (b < c) Entry 3 , (5 , − 2 , 1) Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 1 , − 1) F T Entry 3 , (5 , − 1 , 1) Entry 4 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 2 , (5 , 0 , 1) Entry 6 , ( − 5 , − 1 , − 1) T Entry 3 , (5 , 0 , 1) Entry 2 , (5 , 1 , 1) b = 0 F 5 Entry 4 , (5 , 1 , 1) Entry 5 , (5 , 1 , 1) return b 6 Entry 6 , (5 , 0 , 1) Dec 2017 IIT Bombay

  45. WSSE Pune Intro to PA: Soundness and Precision 18/1 Execution Traces for Concrete Semantics (2) c = a%2 Trace 1 Trace 2 1 b = - abs(b) a b c a b c Entry 1 , ( − 5 , − 2 , 8) Entry 1 , (5 , 2 , 7) • A separate trace for each combination of inputs Entry 2 , (5 , − 2 , 1) Entry 2 , ( − 5 , − 2 , − 1) 2 if (b < c) ◮ The number of traces is potentially infinite Entry 3 , (5 , − 2 , 1) Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 1 , − 1) F T • Program points may repeat in the traces Entry 3 , (5 , − 1 , 1) Entry 4 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 2 , (5 , 0 , 1) Entry 6 , ( − 5 , − 1 , − 1) ◮ Traces may be very long T Entry 3 , (5 , 0 , 1) ◮ Non-terminating traces: Infinitely long Entry 2 , (5 , 1 , 1) b = 0 F 5 Entry 4 , (5 , 1 , 1) Entry 5 , (5 , 1 , 1) return b 6 Entry 6 , (5 , 0 , 1) Dec 2017 IIT Bombay

  46. WSSE Pune Intro to PA: Soundness and Precision 19/1 Abstract States A static analysis computes abstract states • The values are abstract values and are decided by the analysis • An analysis may record values for other program entities such as expressions, statements, procedures etc. Dec 2017 IIT Bombay

  47. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces Execution Time Dec 2017 IIT Bombay

  48. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces An Abstraction of Traces Execution Time Dec 2017 IIT Bombay

  49. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces An Abstraction of Traces Execution Time Dec 2017 IIT Bombay

  50. WSSE Pune Intro to PA: Soundness and Precision 20/1 Static Analysis Computes Abstractions of Traces (1) Traces An Abstraction of Traces For compile time modelling of possible runtime behaviours of a program • compute a set of states that cover all traces Execution Time • associate the sets with appropriate program points States may be defined in terms of properties derived from values of variables Dec 2017 IIT Bombay

  51. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Entry 6 , (5 , 0 , 1) return b 6 Dec 2017 IIT Bombay

  52. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets { (5 , 2 , 7) , ( − 5 , − 2 , 8) } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Entry 6 , (5 , 0 , 1) return b 6 Dec 2017 IIT Bombay

  53. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Entry 6 , (5 , 0 , 1) return b 6 Dec 2017 IIT Bombay

  54. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  55. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  56. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  57. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T b = { 1 } Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences of a program point return b 6 Dec 2017 IIT Bombay

  58. WSSE Pune Intro to PA: Soundness and Precision 21/1 Static Analysis Computes Abstractions of Traces (2) A possible static abstraction using sets a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } Trace 1 We only show c = a%2 1 a b c b = - abs(b) the values of b Entry 1 , (5 , 2 , 7) Trace 2 Entry 2 , (5 , − 2 , 1) b = {− 2 , − 1 , 0 , 1 } a b c Entry 3 , (5 , − 2 , 1) Entry 1 , ( − 5 , − 2 , 8) if (b < c) 2 Entry 2 , (5 , − 1 , 1) Entry 2 , ( − 5 , − 2 , − 1) Entry 3 , (5 , − 1 , 1) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T Entry 3 , ( − 5 , − 2 , − 1) Entry 2 , (5 , 0 , 1) Entry 2 , ( − 5 , − 1 , − 1) b = b+1 4 if (b > 0) 3 Entry 3 , (5 , 0 , 1) Entry 4 , ( − 5 , − 1 , − 1) Entry 2 , (5 , 1 , 1) T b = { 1 } Entry 6 , ( − 5 , − 1 , − 1) Entry 4 , (5 , 1 , 1) b = 0 5 Entry 5 , (5 , 1 , 1) F Combine the values Entry 6 , (5 , 0 , 1) across all occurrences b = {− 1 , 0 } of a program point return b 6 Dec 2017 IIT Bombay

  59. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  60. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  61. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  62. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  63. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  64. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T 000 or ∅ Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) return b 6 Dec 2017 IIT Bombay

  65. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T 000 or ∅ Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Entry 6 , (0 , 1 , 0) 010 or { b } return b 6 Dec 2017 IIT Bombay

  66. WSSE Pune Intro to PA: Soundness and Precision 22/1 Computing Static Abstraction for Liveness of Variables At a program point p a �→ 1 ⇒ a is live at p a �→ 0 ⇒ a is not live at p 110 or { a , b } Trace 1 c = a%2 1 a b c b = - abs(b) Entry 1 , (1 , 1 , 0) Trace 2 Entry 2 , (0 , 1 , 1) 011 or { b , c } a b c Entry 3 , (0 , 1 , 1) if (b < c) Entry 1 , (1 , 1 , 0) 2 Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) Entry 3 , (0 , 1 , 1) 010 or { b } F T 011 or { b , c } Entry 3 , (0 , 0 , 1) Entry 2 , (0 , 1 , 1) Entry 2 , (0 , 1 , 1) if (b > 0) b = b+1 4 3 Entry 3 , (0 , 1 , 1) Entry 4 , (0 , 1 , 0) Entry 2 , (0 , 1 , 1) T 000 or ∅ Entry 6 , (0 , 1 , 0) Entry 4 , (0 , 1 , 0) b = 0 5 F Entry 5 , (0 , 0 , 0) Trace 2 does not Entry 6 , (0 , 1 , 0) add anything to 010 or { b } the abstraction return b 6 Dec 2017 IIT Bombay

  67. WSSE Pune Intro to PA: Soundness and Precision 23/1 Soundness of Abstractions (1) Sound • An over-approximation of traces is sound Dec 2017 IIT Bombay

  68. WSSE Pune Intro to PA: Soundness and Precision 23/1 Soundness of Abstractions (1) Sound Unsound • An over-approximation of traces is sound • Missing any state in any trace causes unsoundness Dec 2017 IIT Bombay

  69. WSSE Pune Intro to PA: Soundness and Precision 23/1 Soundness of Abstractions (1) Sound Unsound • An over-approximation of traces is sound • Missing any state in any trace causes unsoundness Dec 2017 IIT Bombay

  70. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } c = a%2 1 b = - abs(b) All variables can have arbitrary b = {− 2 , − 1 , 0 , 1 } values at the start. 2 if (b < c) b can have many more values b = {− 1 , 1 } b = {− 2 , − 1 , 0 } at the entry of F T b = b+1 • blocks 2 and 3 (e.g. -3, 4 if (b > 0) 3 -8, . . . ) T b = { 1 } • block 4 (e.g. 0) b = 0 5 F b = {− 1 , 0 } return b 6 Dec 2017 IIT Bombay

  71. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) A sound abstraction using intervals An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } c = a%2 1 • Over-approximated range of b = - abs(b) values denoted by b = {− 2 , − 1 , 0 , 1 } � � low limit , high limit 2 if (b < c) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } F T • Inclusive limits with b = b+1 4 if (b > 0) 3 low limit ≤ high limit T b = { 1 } • One contiguous range per b = 0 5 F variable with no “holes” b = {− 1 , 0 } return b 6 Dec 2017 IIT Bombay

  72. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) A sound abstraction using intervals An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } a =[ −∞ , ∞ ] , b =[ −∞ , ∞ ] , c =[ −∞ , ∞ ] c = a%2 c = a%2 1 1 b = - abs(b) b = - abs(b) b = {− 2 , − 1 , 0 , 1 } b =[ −∞ , 1 ] 2 if (b < c) 2 if (b < c) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } b =[ − 1 , 1] b =[ −∞ , 0] F T F T b = b+1 b = b+1 4 if (b > 0) 3 4 if (b > 0) 3 T b = { 1 } T b =[1 , 1] b = 0 b = 0 5 5 F F b = {− 1 , 0 } b =[ − 1 , 0] return b return b 6 6 Dec 2017 IIT Bombay

  73. WSSE Pune Intro to PA: Soundness and Precision 24/1 Soundness of Abstractions (2) A sound abstraction using intervals An unsound abstraction a = {− 5 , 5 } , b = {− 2 , 2 } , c = { 7 , 8 } a =[ −∞ , ∞ ] , b =[ −∞ , ∞ ] , c =[ −∞ , ∞ ] c = a%2 c = a%2 1 1 b = - abs(b) b = - abs(b) b = {− 2 , − 1 , 0 , 1 } b =[ −∞ , 1 ] 2 if (b < c) 2 if (b < c) b = {− 1 , 1 } b = {− 2 , − 1 , 0 } b =[ − 1 , 1] b =[ −∞ , 0] F T F T b = b+1 b = b+1 4 if (b > 0) 3 4 if (b > 0) 3 T b = { 1 } T b =[1 , 1] b can be 1 b = 0 b = 0 5 5 F F because of the increment b = {− 1 , 0 } in basic block 3 b =[ − 1 , 0] return b return b 6 6 Dec 2017 IIT Bombay

  74. WSSE Pune Intro to PA: Soundness and Precision 25/1 Soundness of Abstractions for Liveness Analysis A sound abstraction An unsound abstraction { a , b } ∅ c = a%2 c = a%2 1 1 b = - abs(b) b = - abs(b) { b , c } ∅ 2 if (b < c) 2 if (b < c) { b } F T { b , c } F T ∅ ∅ if (b > 0) b = b+1 if (b > 0) b = b+1 4 3 4 3 T T ∅ ∅ b = 0 b = 0 F 5 F 5 { b } ∅ return b return b 6 6 Dec 2017 IIT Bombay

  75. WSSE Pune Intro to PA: Soundness and Precision 26/1 Precision of Sound Abstractions(1) Sound but imprecise Dec 2017 IIT Bombay

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le Goues January 14, 2020 * Course materials developed with Jonathan Aldrich (c) 2020 C. Le Goues 1 Learning objectives Provide a high level

788 views • 50 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program for Optimization Goal: improve some aspect of program

232 views • 12 slides
Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur Informatik Introduction 2 program analysis from high-level inference rules complexity analysis through general meta-complexity theorems

451 views • 33 slides
Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program Use analysis results

744 views • 17 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28. 9. 2016 2 / 43 Program correctness Is my program correct? Central question for this and the next lecture. Does a given program behave as intended?

880 views • 43 slides
Program extraction in computable analysis Ulrich Berger - Swansea Computability in Europe 2011

Program extraction in computable analysis Ulrich Berger - Swansea Computability in Europe 2011

Program extraction in computable analysis Ulrich Berger - Swansea Computability in Europe 2011 Sofia, Bulgaria 1 / 39 Outline Introduction Program extraction in computable analysis Memoized functionals Conclusion 2 / 39 Introduction

1.23k views • 81 slides
Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems Data Flow Abstract Analysis Interpretation Correctness Program Analysis p.1/23 Overview Introduction Data Flow Analysis Control Flow

279 views • 23 slides
Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic

1.21k views • 41 slides
Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and transforms a program to the stream of tokens: removes empty symbols and commentaries; identifies keywords, indentifiers and literal

400 views • 37 slides
Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas Compilation and Optimization LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation Obfuscation Generation and

1.64k views • 6 slides
Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Singapore, September 13-16, 2016 Project Context Work in progress from a joint project with

762 views • 19 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction Technical analysis is the attempt to forecast stock prices on the basis of market-derived data. Technicians (also known as quantitative analysts or

853 views • 73 slides
Improving Application Software Security in Linux Sebastian Neubauer Technische Universitt

Improving Application Software Security in Linux Sebastian Neubauer Technische Universitt

Improving Application Software Security in Linux Sebastian Neubauer Technische Universitt Mnchen Computer Science Department July 19, 2017 1 Improve C/C++ applications contain bugs Security Existing security mechanisms Still

367 views • 32 slides
Heat Treatment Considerations Before, During &amp; After Ole Dosland Director of Technical

Heat Treatment Considerations Before, During &amp; After Ole Dosland Director of Technical

Heat Treatment Considerations Before, During &amp; After Ole Dosland Director of Technical Training &amp; E-Learning 1 History of Heat Early 1900s Gaining Popularity Considerations Evolving 2 Heat Treatment 120F. to 140F.

559 views • 42 slides
First Meeting! What is IARC 7? International Aerial Robotics Competition Requires teams to

First Meeting! What is IARC 7? International Aerial Robotics Competition Requires teams to

First Meeting! What is IARC 7? International Aerial Robotics Competition Requires teams to solve challenges that are currently impossible for any flying robots owned by government or industry Began with Mission 1 in 1991

408 views • 12 slides
international students in Israel A perspective by the Erasmus Student Network Field work July

international students in Israel A perspective by the Erasmus Student Network Field work July

8/26/2019 Social integration of international students in Israel A perspective by the Erasmus Student Network Field work July 2019 Flra Bajnay, Ins Cunha, Joo Pinto www.esn.org The ESN team in Israel, 16-25/07/2019 1 8/26/2019 We

520 views • 12 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
How to fix bugs automatically? Martin Monperrus University of Lille &amp; Inria Lille, France

How to fix bugs automatically? Martin Monperrus University of Lille &amp; Inria Lille, France

How to fix bugs automatically? Martin Monperrus University of Lille &amp; Inria Lille, France October 2014 Martin Monperrus, University of Lille &amp; Inria 1 www.gustonomie.fr Le Merveilleux, specialty of Lille Martin Monperrus,

161 views • 15 slides
Contents Double Data Rate Interfaces DDR SDRAM Architecture and Functionality DDR

Contents Double Data Rate Interfaces DDR SDRAM Architecture and Functionality DDR

D ESIGN AND I MPLEMENTAION OF A DDR SDRAM C ONTROLLER FOR S YSTEM ON C HIP Magnus Sjlander 2002-12-13 Contents Double Data Rate Interfaces DDR SDRAM Architecture and Functionality DDR Memory Controller Data Resynchronization

404 views • 21 slides
Munitions Supply Chain Modelling: A Top-Down Approach Crispin Allard &amp; Louise Carver The

Munitions Supply Chain Modelling: A Top-Down Approach Crispin Allard &amp; Louise Carver The

Munitions Supply Chain Modelling: A Top-Down Approach Crispin Allard &amp; Louise Carver The Barbican, East Street, Farnham, Surrey GU9 7TB 01252 738500 www.Advantage-Business.co.uk Contents of Presentation 1. Project MASS 2.

496 views • 20 slides

More recommend