static analysis by elimination
play

Static Analysis By Elimination Pavle Subotic, Andrew Santosa, - PowerPoint PPT Presentation

Nov 29, 2022 •641 likes •958 views

Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Static Analysis By Elimination Pavle Subotic, Andrew Santosa, Bernhard Scholz pavle.subotic@it.uu.se , andrew.santosa@usyd.edu.au ,

  1. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Static Analysis By Elimination Pavle Subotic, Andrew Santosa, Bernhard Scholz pavle.subotic@it.uu.se , andrew.santosa@usyd.edu.au , bernhard.scholz@usyd.edu.au Uppsala University, Sweden University of Sydney, Australia Bytecode workshop 2013 Subotic, Santosa, Scholz Static Analysis By Elimination 1 / 32

  2. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Introduction ◮ Range Analysis ◮ Finds lower and upper bounds of variables values ◮ Challenges ◮ Conceptionally infinitely ascending chains ◮ Identify Loops ◮ Existing techniques ◮ Relies on code structure (e.g. Astr´ ee [Cousot et al., 2006]) ◮ Require a pre-processing stage to discover loop headers ([Bourdoncle, 1993]) Subotic, Santosa, Scholz Static Analysis By Elimination 2 / 32

  3. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Introduction ◮ Our technique: 1. Extends elimination-based data flow analysis to a lattice with infinite ascending chains 2. Fast termination 3. Loops are detected intrinsically with in the data flow analysis. ◮ Implemented as an analysis pass in the LLVM compiler framework. Subotic, Santosa, Scholz Static Analysis By Elimination 3 / 32

  4. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Motivating Example B0 int i,k = 0; int arr[5]; . . . B1 if (i < 5) goto B2 B7 I2: i == 5 ∧ k ≤ 25 else goto B7; B2 int j = 0; if (i < 5) B5 i++; goto B3 else goto B5; B3 I1: i ≥ 0 ∧ j ≤ 3 if (arr[j] > arr[j+1]) B6 goto B5 j++; else goto B6; B4 swap(arr, j, j+1); k++; Subotic, Santosa, Scholz Static Analysis By Elimination 4 / 32

  5. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Background Existing Techniques Our Approach Implementation Experiments Subotic, Santosa, Scholz Static Analysis By Elimination 5 / 32

  6. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Foundations ◮ Range Analysis is a complete lattice ◮ x ⊒ y , x is as or less precise than y ◮ ⊤ least element (least precise), ◮ ⊥ greatest element, so ⊤ ⊒ ⊥ ◮ ⊔ merges information ◮ ⊓ constrains information Subotic, Santosa, Scholz Static Analysis By Elimination 6 / 32

  7. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Representing Information with Intervals [-inf, inf] Meet [-100, 100] [-200, -110] More info [5, 100] [-170,-150] [-155,-111] [-90, 10] [-150, -150] [9,9] Join ⊥ Subotic, Santosa, Scholz Static Analysis By Elimination 7 / 32

  8. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Some Existing Techniques ◮ Iterative Data-Flow Analysis [Kildall, 1973] : ◮ A technique for iteratively gathering variable information at various points in a computer program. ◮ Operates on finite and short lattice structures ◮ Abstract Interpretation [Cousot & Cousot, 1977] : ◮ A theory of sound approximation of the semantics of computer programs ◮ Approximating the execution behaviour of a computer program ◮ Additional theory of widening/narrowing to accelerate convergence, required with high and unbounded domains Subotic, Santosa, Scholz Static Analysis By Elimination 8 / 32

  9. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Iterative Data-Flow Analysis ◮ Input in the form of a Control Flow Graph (CFG) ◮ Initialise to ⊥ ◮ Every block transforms the values ◮ Iterate through CFG until a fixpoint is reached Subotic, Santosa, Scholz Static Analysis By Elimination 9 / 32

  10. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Attempt 1: Iterative Data-Flow Analysis a = [1, 4] if (a < 3) condition: a >= 3 condition: a < 3 [1,4] ⊓ [3, ∞] = [3,4] [1,4] ⊓ [-∞, 2] = [1,2] [5,5] ⊔ [3,4] = [3,5] a = [5,5] …. Subotic, Santosa, Scholz Static Analysis By Elimination 10 / 32

  11. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Attempt 1: Iterative Data-Flow Analysis b1 int I, k = 0 int arr[5] = ... *P1 b2 *P4 b8 if i < 5 invariant (2) *P2 b6 b3 b7 i++ int j = 0 j++; if j < 5 *P3 b4 invariant (1) if arr[j] > arr[j+1] b5 swap(j, j+1) k++ Subotic, Santosa, Scholz Static Analysis By Elimination 11 / 32

  12. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments With Kleene Iteration int j = 0; int i = 0; if (j <= 3) ... j++; k++; Subotic, Santosa, Scholz Static Analysis By Elimination 12 / 32

  13. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments With Kleene Iteration ∀ l i ∈ L . l 1 ⊑ l 2 ⊑ l 3 ⊑ l 4 ... ⊑ l n where: In the example, when the inner loop is first visited, we have that j �→ [ 0 , 0 ] and k �→ [ 0 , 0 ] . In subsequent visits, j �→ [ 0 , 1 ] and k �→ [ 0 , 1 ] , j �→ [ 0 , 2 ] and k �→ [ 0 , 2 ] , j �→ [ 0 , 3 ] and k �→ [ 0 , 3 ] , . . . j �→ [ 0 , 4 ] and k �→ [ 0 , ∞ ] . Subotic, Santosa, Scholz Static Analysis By Elimination 13 / 32

  14. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments The Problem: Slow Termination ◮ Impractically slow termination ◮ Conditions not incorporating increasing variables ◮ Large loop bounds Subotic, Santosa, Scholz Static Analysis By Elimination 14 / 32

  15. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Attempt 2: Abstract Interpretation ◮ General method to compute a sound approximation of program semantics ◮ Define an abstract semantics, soundly connect to the concrete semantics ◮ Soundness ensures that if a property does not hold in the abstract world, it will not hold in the concrete world ◮ Define widening and narrowing operator Subotic, Santosa, Scholz Static Analysis By Elimination 15 / 32

  16. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Abstract Interpretation Widening and narrowing enforce termination ◮ Widening safely approximates the fixpoint solution ◮ Narrowing recovers some precision Subotic, Santosa, Scholz Static Analysis By Elimination 16 / 32

  17. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Attempt 2: Abstract Interpretation ⊥ More precision Red / FP widening Fixed-Point (FP) Less Ext / FP precision narrowing ⊤ Subotic, Santosa, Scholz Static Analysis By Elimination 17 / 32

  18. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Abstract Interpretation ◮ Requires to know where to perform widening ◮ Previously approaches ◮ Use the syntax to determine the loop ◮ Perform complicated pre-processing to find loop headers Subotic, Santosa, Scholz Static Analysis By Elimination 18 / 32

  19. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Our Approach ◮ Discovers loops implicitly using elimination-based data flow analysis ◮ Various acceleration techniques can be embedded such as widening and narrowing Subotic, Santosa, Scholz Static Analysis By Elimination 19 / 32

  20. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Our Approach ◮ Elimination-based approach: Based on Gaussian elimination ◮ Instead of iterating, we eliminate variables from the flow equations ◮ substitution e.g. x = true , y = x ∨ false � y = true ∨ false ◮ loop-breaking e.g. x = x ∧ true � x = true ◮ When all variables are eliminated, we compute a solution Subotic, Santosa, Scholz Static Analysis By Elimination 20 / 32

  21. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Elimination-based Approach Example - Diverging B0 i = 1; if(i < 1) goto B1; else goto B2; B1 B2 i =i + 1; i =i + 1; goto B2; goto B1; Figure: An Irreducible CFG of a Diverging Program Subotic, Santosa, Scholz Static Analysis By Elimination 21 / 32

  22. Outline of Presentation Background Existing Techniques Our Approach Implementation Experiments Elimination  X 0 = f 0 ( ⊤ )      EQS =  X 1 = f 1 ( X 0 , X 2 )     X 2 = f 2 ( X 0 , X 1 )   Substitution �  X 0 = f 0 ( ⊤ )      = X 1 = f 1 ( f 0 ( ⊤ ) , X 2 ) EQS 0      X 2 = f 2 ( f 0 ( ⊤ ) , X 1 )   Substitution �  X 0 = f 0 ( ⊤ )      EQS 1 = X 1 = f 1 ( f 0 ( ⊤ ) , X 2 )     X 2 = f 2 ( f 0 ( ⊤ ) , f 1 ( f 0 ( ⊤ ) , X 2 ))    Break Loop , Substitute Back �  X 0 = f 0 ( ⊤ )      X 1 = f 1 ( f 0 ( ⊤ ) , F ∗ ( f 2 ( f 0 ( ⊤ ) , f 1 ( f 0 ( ⊤ ) , X 2 ) , X ′ EQS 2 =  2 )))    X 2 = F ∗ ( f 2 ( f 0 ( ⊤ ) , f 1 ( f 0 ( ⊤ ) , X 2 ) , X ′  2 ))   Subotic, Santosa, Scholz Static Analysis By Elimination 22 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static Single Assignment Form Last Time Static single assignment (SSA) form Today

Static Single Assignment Form Last Time Static single assignment (SSA) form Today

Static Single Assignment Form Last Time Static single assignment (SSA) form Today Applications of SSA CS553 Lecture Static Single Assignment Form 1 Dead Code Elimination for SSA Dead code elimination while a

508 views • 13 slides
CS293S SSA &amp; Dead Code Elimination Yufei Ding Review of Last Class Two other flow

CS293S SSA &amp; Dead Code Elimination Yufei Ding Review of Last Class Two other flow

CS293S SSA &amp; Dead Code Elimination Yufei Ding Review of Last Class Two other flow analysis (DFA) Constant Propagation Reaching definitions (def-use chain) Static Single Assignment(SSA) Maximal SSA (all variables in every

597 views • 42 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Multi-modal Factorized High-order Pooling for Visual Question Answering Team HDU-USYD-UNCC with

Multi-modal Factorized High-order Pooling for Visual Question Answering Team HDU-USYD-UNCC with

Multi-modal Factorized High-order Pooling for Visual Question Answering Team HDU-USYD-UNCC with members Zhou Yu 1 , Jun Yu 1 , Chenchao Xiang 1 , Dalu Guo 2 , Jianping Fan 3 and Dacheng Tao 2 1 Hangzhou Dianzi University, China 2 The University of

493 views • 10 slides
11/12/2018 http://assign3.chem.usyd.edu.au/spectroscopy/reductionOperator.php?res=high 1

11/12/2018 http://assign3.chem.usyd.edu.au/spectroscopy/reductionOperator.php?res=high 1

11/12/2018 http://assign3.chem.usyd.edu.au/spectroscopy/reductionOperator.php?res=high 1 11/12/2018 Write the best dot structure you can for NO 2 . NO 2 is a radical. Is the unpaired electron on nitrogen or oxygen? A. nitrogen B. oxygen C.

270 views • 13 slides
Recap: Refactoring Improve the structure of code No value gain at the moment, but

Recap: Refactoring Improve the structure of code No value gain at the moment, but

Anti-Patterns CS356 Object-Oriented Design and Programming http://cs356.yusun.io December 1, 2014 Yu Sun, Ph.D. http://yusun.io yusun@csupomona.edu Recap: Refactoring Improve the structure of code No value gain at the moment, but

817 views • 38 slides
Thesis Defense Slides Data August 2016 CITATIONS READS 0 47 1 author: Andrew Weinert

Thesis Defense Slides Data August 2016 CITATIONS READS 0 47 1 author: Andrew Weinert

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/306571931 Thesis Defense Slides Data August 2016 CITATIONS READS 0 47 1 author: Andrew Weinert Singapore-MIT Alliance 46

1.16k views • 102 slides
L ECTURE 23: SLAM P ROPERTIES D ATA A SSOCIATION P ROBLEM I NSTRUCTOR : G IANNI A. D I C ARO E K F

L ECTURE 23: SLAM P ROPERTIES D ATA A SSOCIATION P ROBLEM I NSTRUCTOR : G IANNI A. D I C ARO E K F

16-311-Q I NTRODUCTION TO R OBOTICS F ALL 17 L ECTURE 23: SLAM P ROPERTIES D ATA A SSOCIATION P ROBLEM I NSTRUCTOR : G IANNI A. D I C ARO E K F E Q U AT I O N S F O R S L A M EKF FOR SIMULTANEOUS LOCALIZATION AND MAPPING The SLAM EKF

531 views • 30 slides
Clinician reports of the impact of electronic ordering on an Emergency Department Andrew

Clinician reports of the impact of electronic ordering on an Emergency Department Andrew

The University of Sydney Clinician reports of the impact of electronic ordering on an Emergency Department Andrew Georgiou (Senior Research Fellow) Johanna I Westbrook (Professor and Director) Health Informatics Research &amp; Evaluation Unit

496 views • 18 slides
Localisation, Mapping and the Simultaneous Localisation and Mapping (SLAM) Problem Hugh

Localisation, Mapping and the Simultaneous Localisation and Mapping (SLAM) Problem Hugh

Localisation, Mapping and the Simultaneous Localisation and Mapping (SLAM) Problem Hugh Durrant-Whyte Australian Centre for Field Robotics The University of Sydney hugh@acfr.usyd.edu.au SLAM Summer School 2002 Slide 1 Introduction SLAM

865 views • 49 slides
Logic and Natural Language Semantics: Distributional Semantics R affaella B ernardi DISI, U

Logic and Natural Language Semantics: Distributional Semantics R affaella B ernardi DISI, U

Logic and Natural Language Semantics: Distributional Semantics R affaella B ernardi DISI, U niversity of T rento e - mail : bernardi @ disi . unitn . it Contents First Last Prev Next Contents 1 Formal Semantics Applications . . . . . .

628 views • 50 slides

More recommend