Static Program Analysis

Book: https://users-cs.au.dk/amoeller/spa/

Applications

Optimization
Correctness
Development

The input/behavior of nontrivial programs are undecidable.

The Tiny Imperative Language

Syntax
Normalization
AST
CFG

Type Analysis

Type -> int
      | ↑Type
      | (Type, ..., Type) -> Type

      // Infinite types (caused by recursion)
      | μ TypeVar. Type
      | TypeVar

      // Record
      | { Id: Type, ..., Id: Type }
      | ◊  // Absent field

TypeVar -> t | u | ...

Polymorphic + recursive = undecidable type analysis.

Limits:

flow-sensitive
polymorphic
ignores other kinds of runtime errors

Lattice Theory

Partially ordered set

Reflexive
Transitive
Antisymmetric

Lattice

Least upper bound (join)
Greatest lower bound (meet)

Complete lattice: every subset has a join and a meet.

Top $⊤$
Bottom $⊥$

Examples:

Powerset lattice $(P (S), \subseteq)$
Flat lattice $flat (A)$
Product lattice $L_{1} \times L_{2}$
Function lattice $L_{1} \to L_{2}$

Homomorphism:

Homomorphism: $f : L_{1} \to L_{2}$ such that $f (x ⊔ y) = f (x) ⊔ f (y) \land f (x ⊓ y) = f (x) ⊓ f (y)$
Isomorphism = bijective homomorphism

$lift (L)$ : $L$ with a new bottom element

Equation System:

fixed point, least fixed point (LFP)

For monotonic function $f : L \to L$ , $LFP (f) = ⊔_{i = 0}^{\infty} f^{i} (⊥)$

Dataflow Analysis with Monotone Frameworks

Sign analysis, Constant propagation analysis:

$JOIN (v) = ⊔_{w \in pred (v)} [[w]]$
X=E: $[[v]] = JOIN (v) [X \mapsto eval (JOIN (v), E)]$
var X: $[[v]] = JOIN (v) [X \mapsto ⊤]$

Live variable analysis:

$JOIN (v) = \cup_{w \in succ (v)} [[w]]$
X=E: $[[v]] = JOIN (v) ∖ {X} \cup vars (E)$
if (E), output E: $[[v]] = JOIN (v) \cup vars (E)$
var X: $[[v]] = JOIN (v) ∖ {X}$
exit: $[[v]] = \emptyset$

Available expressions analysis:

State = (P({exprs}), $\subseteq$ )
$JOIN (v) = \cap_{w \in pred (v)} [[w]]$
X=E: $[[v]] = JOIN (v) \cup {E}$ removed all expressions that contain $X$
if (E), output E: $[[v]] = JOIN (v) \cup {E}$

Very busy expressions analysis:

$JOIN (v) = \cap_{w \in succ (v)} [[w]]$
X=E: $[[v]] = JOIN (v)$ removed all expressions that contain $X \cup {E}$
Usage: "Code hoisting"

Reaching definitions analysis:

State = (P({definitions}), $\subseteq$ )
$JOIN (v) = \cup_{w \in pred (v)} [[w]]$
X=E: $[[v]] = JOIN (v) ↓ {X} \cup {v}$
Usage: "DCE", "Code motion"

Summary

	Forward	Backward
May	Reaching definitions	Live variables
Must	Available expressions	Very busy expressions

May&Must

Transfer function: $[[v]] = t_{v} (JOIN (v))$

Widening and Narrowing

Allowing lattices with infinite height to converge.
Accelerate finite height lattices.

Widening: $B$
Narrowing: Not guaranteed to converge. Heuristics must determine how many iterations to apply.

Widening operator: $\nabla : L \times L \to L$ :

Only apply widening at recursive dataflow constraints.

Path Sensitivity

Assertions: $assert (E)$

Trivial: $[[assert (E)]] = JOIN (v)$
Predicates: $[[assert (E > 0)]] = JOIN (v) [X \mapsto gt (JOIN (v) (X), eval (JOIN (v), E))]$
Sound & Monotone

Relations

$L^{″} = Path \to L$
flag=0: $[[v]] = [flag = 0 \mapsto \cup_{p \in Path} JOIN (v) (p), flag \neq 0 \mapsto \emptyset]$
assert(flag): $[[v]] = [flag = 0 \mapsto \emptyset, flag \neq 0 \mapsto JOIN (v) (p) (flag \neq 0)]$

Interprocedural Analysis

Context Sensitivity

Using the lattice $(Context \to lift (State))^{n}$ . The bot of $lift (State)$ is "unreachable".

$Context = Singleton$ : Context-insensitive
$Context = {Call}^{\leq k}$ : Call string approach
$Context = State$ : Functional approach: full context sensitivity

Distributive Analysis Frameworks

Possibly-Uninitialized Variables Analysis

Monotone framework: not scalable
Pre-analysis + Main analysis:
- Pre-analysis:
  - Lattice: $(lift (P (Var) \to P (Var)))^{n}$
  - X=E: $[[v]]_{1} = t_{X = E} \circ ⊔_{w \in pred (v)} [[w]]_{1} or unreachable$
- Main analysis
  - Lattice: $(lift (P (Var)))^{n}$
  - Non-entry node: $[[v]]_{2} = [[v]]_{1} ([[v^{'}]]_{2}) or unreachable$

Compat Representation of Distributive Functions

$f : P (D) \to P (D)$ which is distributive, and $D$ is a finite set.
- Used in: "Pre-analysis" above, the IFDS framework
- A special case of 2.

${∙ \to ∙} \cup {∙ \to y | y \in f (\emptyset)} \cup {x \to y | x \in f ({x}) \land y \notin f (\emptyset)}$

txt

·  d1  d2  d3  d4
|\          \  |
| \          \ |
|  \          \|
·  d1  d2  d3  d4

$f : (D \to L) \to (D \to L)$ which is distributive and $D$ is a finite set and $L$ is a complete lattice.
- Used in: the IDE framework

Define $g : (D \cup {∙}) \times (D \cup {∙}) \to (L \to L)$

\begin{aligned} g (d_{1}, d_{2}) (e) & = f (⊥ [d_{1} \mapsto e]) (d_{2}) \\ g (∙, d_{2}) (e) & = f (⊥) (d_{2}) \\ g (∙, ∙) (e) & = e \\ g (d_{1}, ∙) (e) & = ⊥ \end{aligned}

The IFDS Framework

Interprocedural, Finite, Distributive, Subset

Lattice: $P (D)$ of a finite set $D$
Transfer functions: $t_{v} : P (D) \to P (D)$ are distributive

Phase 1

$⟨ v_{0}, d_{0} ⟩ ⇝ ⟨ v_{1}, d_{1} ⟩ \in P \land ⟨ v_{1}, d_{1} ⟩ \to ⟨ v_{2}, d_{2} ⟩ \in E ⟹ ⟨ v_{0}, d_{0} ⟩ ⇝ ⟨ v_{2}, d_{2} ⟩ \in P$

Phase 2

$\forall d_{1}, d_{2} : ⟨ v_{0}, d_{1} ⟩ ⇝ ⟨ v, d_{2} ⟩ \in P ⟹ d_{2} \in [[v]]$ , where $v_{0}$ is the entry node of the function containing $v$ .

The IDE Framework

Interprocedural, Distributive, Environment

Lattice: $D \to L$ , where $D$ is a finite set and $L$ is a complete lattice (the "environment")
Transfer functions: $t_{v} : (D \to L) \to (D \to L)$ are distributive

Phase 1

$m_{1} = [[⟨ v_{0}, d_{1} ⟩ ⇝ ⟨ v^{'}, d_{2} ⟩]]_{P} \neq ⊥ \land m_{2} = [⟨ v^{'}, d_{2} ⟩ \to ⟨ v, d_{3} ⟩]_{E} \neq ⊥ ⟹ m_{2} \circ m_{1} ⊑ [[⟨ v_{0}, d_{1} ⟩ ⇝ ⟨ v, d_{3} ⟩]]_{P}$

Phase 2

$\forall d_{0}, d : [[⟨ v_{0}, d_{0} ⟩]] \neq unreachable \land m = [[⟨ v_{0}, d_{0} ⟩ ⇝ ⟨ v, d ⟩]]_{P} ⟹ m ([[⟨ v_{0}, d_{0} ⟩]]) ⊑ [[⟨ v, d ⟩]]$

Properties of the IFDS and IDE Frameworks

Produces meet-over-all-paths solutions
The worst-case time complexity is: $O (| E | \cdot | D |^{3})$

Control Flow Analysis

Closure analysis

$λ X \in [[λ X . E]]$
E1 E2: $λ X \in [[E_{1}]] ⟹ ([[E_{2}]] \subseteq [[X]] \land [[E]] \subseteq [[E_{1} E_{2}]])$ for every $λ X . F$

First-class Functions

Pointer Analysis

Allocation-site abstraction
Interprocedural pointer analysis
Null pointer analysis
Flow-sensitive pointer analysis
Escape analysis

Abstract Interpretation

TODO

Static Program Analysis ​

Applications ​

The Tiny Imperative Language ​

Type Analysis ​

Lattice Theory ​

Partially ordered set ​

Lattice ​

Dataflow Analysis with Monotone Frameworks ​

Sign analysis, Constant propagation analysis: ​

Live variable analysis: ​

Available expressions analysis: ​

Very busy expressions analysis: ​

Reaching definitions analysis: ​

Summary ​

Widening and Narrowing ​

Path Sensitivity ​

Assertions: assert(E) ​

Relations ​

Interprocedural Analysis ​

Context Sensitivity ​

Distributive Analysis Frameworks ​

Possibly-Uninitialized Variables Analysis ​

Compat Representation of Distributive Functions ​

The IFDS Framework ​

Phase 1 ​

Phase 2 ​

The IDE Framework ​

Phase 1 ​

Phase 2 ​

Properties of the IFDS and IDE Frameworks ​

Control Flow Analysis ​

Closure analysis ​

First-class Functions ​

Pointer Analysis ​

Abstract Interpretation ​

Static Program Analysis

Applications

The Tiny Imperative Language

Type Analysis

Lattice Theory

Partially ordered set

Lattice

Dataflow Analysis with Monotone Frameworks

Sign analysis, Constant propagation analysis:

Live variable analysis:

Available expressions analysis:

Very busy expressions analysis:

Reaching definitions analysis:

Summary

Widening and Narrowing

Path Sensitivity

Assertions: $assert (E)$

Relations

Interprocedural Analysis

Context Sensitivity

Distributive Analysis Frameworks

Possibly-Uninitialized Variables Analysis

Compat Representation of Distributive Functions

The IFDS Framework

Phase 1

Phase 2

The IDE Framework

Phase 1

Phase 2

Properties of the IFDS and IDE Frameworks

Control Flow Analysis

Closure analysis

First-class Functions

Pointer Analysis

Abstract Interpretation