COP 5021 Lecture -*- Outline -*-

* Monotone Frameworks (2.3)

Q: Can we identify some commonalities between different analyses?

    yes... (as we'll see), but draw them out of the students

Q: Would doing that help implement them?

    yes!

** general pattern

A_. means A with a subscript of a filled circle
A_o means A with a subscript of a hollow circle

------------------------------------------
GENERAL PATTERN

A_o(l) = if l \in E then i
         else

A_.(l) =

where \bigsqcup is either \bigcup or \bigcap
      F is either flow(S*) or flow^R(S*)
      E is {init(S*)} or final(S*)
      i is initial/final information
      f(l) is the transfer function for blocks B^l \in blocks(S*)

For a forward analysis:
   F is flow(S*)
   A_o gives the entry conditions
   A_. gives the exit conditions

For a backward analysis:
   F is flow^R(S*)
   A_o gives the exit conditions
   A_. gives the entry conditions
------------------------------------------

... \bigsqcup {A_.(l') | (l',l) \in F}

... f(l)(A_o(l))

The book writes f(l) as f_l.

The transfer functions are key.

** basic definitions (2.3.1)

*** property space

------------------------------------------
PROPERTY SPACES

def: a *property space*, L = (L, \bigsqcup), is a set
     with \bigsqcup: Powerset(L) -> L
     a join operation that makes it a complete lattice.

Thus:
   l1 \sqcup l2 = \bigsqcup { l1, l2 }
   \bot = \bigsqcup {}
   l1 \sqsubseteq l2 = (l1 \sqcup l2 = l2)

Examples:

   For reaching definitions:
      L = Powerset(Var* x Lab^?_*)
      \sqcup = \cup
      \sqsubseteq = \subseteq

   For available expressions:
      L = Powerset(AExp*)
      \sqcup = \cap
      \sqsubseteq = \supseteq
------------------------------------------

def: A lattice is a partially ordered set in which each pair of
     elements has a least upper bound.

     E.g., (Powerset({a, b, c}), \cup)

The ordering \sqsubseteq is determined by the \sqcup operation:
     x \sqsubseteq y iff x \sqcup y = y

def: A complete lattice is a partially ordered set in which all
     subsets have a least upper bound.
Sometimes we also require that a property space satisfy the ascending
chain condition...

An ascending chain is a sequence (l_n)_{n \in N} such that
    n <= m ==> l_n \sqsubseteq l_m.

def: L satisfies the ascending chain condition iff every ascending
     chain in L has a least upper bound that is an element of the
     chain, i.e., for all ascending chains (l_n)_{n \in N}
        (\exists n0 \in N :: (\forall n \in N : n >= n0 : l_n = l_n0))

(def: a domain (or cpo) is a lattice that satisfies the ascending
 chain condition. These are useful in programming language semantics.)

*** transfer functions

------------------------------------------
TRANSFER FUNCTION SPACE

def: Let L be a partially-ordered set.
     Then Funs is a *transfer function space for L* iff
        f \in Funs ==> f : L -> L and f is monotone,
        f,g \in Funs ==> f o g \in Funs, and
        id_L \in Funs.
------------------------------------------

*** monotone framework

------------------------------------------
MONOTONE FRAMEWORK

def: (L, Funs) is a monotone framework iff
     L is a property space and
     Funs is a transfer function space for L.

def: (L, Funs, F, E, i, f_.) is an *instance of a monotone framework*
     if and only if:
     - (L, Funs) is a monotone framework,
     - F is a finite set of pairs (of flows),
     - E is a finite set of extremal labels,
     - i \in L is an extremal value,
     - f : (dom(F) \cup E) -> (L -> L)
       s.t. for l in (dom(F) \cup E), f_l \in Funs
------------------------------------------

The first argument to the transfer functions, the label, is written
as a subscript.

** examples (2.3.2)

See figure 2.6 for a systematic presentation of the 4 analyses we've
seen so far.

** predicate abstraction (new topic)

Suppose we're concerned with the values of variables.
------------------------------------------
PREDICATE ABSTRACTION

Goal: verify program properties

Idea: Use property space of the form
        L = Powerset(Preds)
        Preds = {P1, ..., Pn}
      where each Pi is a nullary predicate

Interpretation:
   {P3,P5} means P3 and P5 may/must be true
           (depending on kind of analysis)

   \sqcup is \cup
   Funs = monotonic (in \subseteq) functions on L
------------------------------------------

Q: What's the bottom element? The top?

    {}, {P1, ..., Pn}

Q: How can you represent states?

    with bit vectors

------------------------------------------
PREDICATE ABSTRACTION EXAMPLE

IsZero Analysis:
   At a given program point, which variables may be 0.

"Abstract States" s \in L = Powerset(Preds)
   where Preds = {IsZero_x | x in Vars*}
   IsZero_y means y may be 0

F is flow(S*)
E is {init(S*)}
i is Preds

fIZ(l) : L -> L, for l in Lab*
fIZ(l)(s) = (s \ kill_IZ(B^l)(s)) \cup gen_IZ(B^l)(s)
   where B^l in blocks(S*)

kill_IZ([x := a]^l)(s) = {IsZero_x}
kill_IZ([skip]^l)(s) = {}
kill_IZ([b]^l)(s) = {}

gen_IZ([x := a]^l)(s) = {IsZero_x | (\exists cs \in \gamma(s) :: A[[a]]cs == 0)}
gen_IZ([skip]^l)(s) = {}
gen_IZ([b]^l)(s) = {}

\gamma: L -> Store
\gamma(s) = {cs | cs: Var* -> Int, IsZero_x \in s ==> cs(x) == 0}
------------------------------------------

Q: What kind of analysis is this?

    A forward may analysis

Q: Why this initial value i?

Q: What do the gen and kill functions do?

Q: What are the equations for IZ_entry(l) and IZ_exit(l)?

    IZ_entry(l) = if l \in {init(S*)} then Preds
                  else \bigcup {IZ_exit(l') | (l',l) \in flow(S*)}
    IZ_exit(l) = fIZ(l)(IZ_entry(l))

------------------------------------------
EXAMPLE

[y := 3]^1;
while [y>0]^2 do
   ([q := y-2]^3;
    [y := y-1]^4);
[q := q div y]^5

Var* = {y, q}
Preds = {IsZero_y, IsZero_q}

IZ_entry(1) =
IZ_exit(1) =
IZ_entry(2) =
IZ_exit(2) =
IZ_entry(3) =
IZ_exit(3) =
IZ_entry(4) =
IZ_exit(4) =
IZ_entry(5) =
IZ_exit(5) =
------------------------------------------
...
IZ_entry(1) = {IsZero_q, IsZero_y}
IZ_exit(1) = {IsZero_q}
IZ_entry(2) = {IsZero_q} \cup IZ_exit(4)
IZ_exit(2) = {IsZero_q} \cup IZ_exit(4)
IZ_entry(3) = {IsZero_q} \cup IZ_exit(4)
IZ_exit(3) = {IsZero_q} \cup IZ_exit(4)
IZ_entry(4) = {IsZero_q} \cup IZ_exit(4)
IZ_exit(4) = {IsZero_q} \cup {IsZero_y}
IZ_entry(5) = {IsZero_q, IsZero_y}
IZ_exit(5) = {IsZero_q, IsZero_y}

Then by chaotic iteration you can see that most are {IsZero_q, IsZero_y}

** equation solving (2.4)

*** MFP (Maximal Fixed Point) solution (2.4.1)

See table 2.8

This is a work list algorithm that always terminates and computes the
least solution to an instance of a monotone framework. (Lemma 2.29)

The least solution is thus called the MFP solution (even though MFP
stands for "maximal fixed point": historically the analyses studied
were must analyses, where \sqcup is \cap).

The running time is approximately cubic in the number of program labels.

*** MOP solution (2.4.2) (skip)

propagates information over all paths in the program

a MOP solution is always safely approximated by the MFP (least)
solution, so the MOP solution is not always correct!

always possible to use MFP, and MOP isn't always comparable, so MOP
isn't very interesting...
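As an added example (my code, not the lecture's or the book's), the following Python puts the pieces above together: the instance (L, Funs, F, E, i, f_.) for the IsZero analysis on the example program, and the Table 2.8 worklist algorithm that computes its MFP solution. It assumes the may-reading of \gamma(s) (a concrete store may have x == 0 only when IsZero_x \in s) and decides gen_IZ by searching witness stores over a small constructed range (-3..3); blocks, flow and expressions are encoded as plain Python data.

```python
from itertools import product

# Lecture's example program, labels 1..5: (kind, var, expr); expr maps a store to an int.
BLOCKS = {
    1: ("assign", "y", lambda cs: 3),                    # [y := 3]^1
    2: ("test",   None, None),                           # [y > 0]^2
    3: ("assign", "q", lambda cs: cs["y"] - 2),          # [q := y-2]^3
    4: ("assign", "y", lambda cs: cs["y"] - 1),          # [y := y-1]^4
    5: ("assign", "q", lambda cs: cs["q"] // cs["y"]),   # [q := q div y]^5
}
FLOW = {(1, 2), (2, 3), (3, 4), (4, 2), (2, 5)}   # F = flow(S*)
EXTREMAL = {1}                                     # E = {init(S*)}
VARS = ("y", "q")
PREDS = frozenset(f"IsZero_{x}" for x in VARS)    # i = Preds
RANGE = range(-3, 4)   # assumption: finite range searched for witness stores

def gamma(s):
    """May-reading of gamma(s): a store may have x == 0 only if IsZero_x in s."""
    for vals in product(RANGE, repeat=len(VARS)):
        cs = dict(zip(VARS, vals))
        if all(cs[x] != 0 or f"IsZero_{x}" in s for x in VARS):
            yield cs

def transfer(l, s):
    """f_IZ(l)(s) = (s \\ kill_IZ(B^l)(s)) U gen_IZ(B^l)(s) from the slide."""
    kind, x, a = BLOCKS[l]
    if kind != "assign":          # [skip] and [b]: kill = gen = {}
        return frozenset(s)
    gen = set()
    for cs in gamma(s):           # gen iff some witness store makes a == 0
        try:
            if a(cs) == 0:
                gen.add(f"IsZero_{x}")
                break
        except ZeroDivisionError:  # q div 0 has no concrete value
            pass
    return (frozenset(s) - {f"IsZero_{x}"}) | gen

def mfp(flow, extremal, iota, f):
    """Table 2.8 worklist algorithm: returns (MFP_o, MFP_.) as two dicts."""
    labels = {l for edge in flow for l in edge} | extremal
    a = {l: iota if l in extremal else frozenset() for l in labels}  # bottom
    work = list(flow)
    while work:
        l, l2 = work.pop()
        new = f(l, a[l])
        if not new <= a[l2]:                  # f_l(A[l]) not below A[l']
            a[l2] = a[l2] | new               # A[l'] := A[l'] join f_l(A[l])
            work.extend(e for e in flow if e[0] == l2)
    return a, {l: f(l, a[l]) for l in labels}
```

mfp(FLOW, EXTREMAL, PREDS, transfer) returns the entry and exit sets; every entry from label 2 on comes out as {IsZero_q, IsZero_y}, matching the chaotic-iteration answer above.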