lecture 03 – background + intro ai + dataflow and connection to ai eran yahav 1
Post on 19-Dec-2015
224 views
TRANSCRIPT
PROGRAM ANALYSIS & SYNTHESIS
Lecture 03 – Background + intro AI + dataflow and connection to AI
Eran Yahav
2
Previously…
structural operational semantics trace semantics
meaning of a program as the set of its traces
abstract interpretation abstractions of the trace semantics
Example: Cormac’s PLDI’08
Example: Kuperstein PLDI’11
Today
abstract interpretation some basic math background
lattices functions
Galois connection A little more dataflow analysis
monotone framework
4
Trace Semantics
note that input (x) is unknown while loop? trace semantics is not computable
[y := x]1;[z := 1]2;while [y > 0]3 ( [z := z * y]4; [y := y − 1]5; )[y := 0]6
…
< 1,{ x42, y0, z0 } > < 2,{ x42, y42, z0 } >
< 3,{ x42, y42, z1 } > < 4,{ x42, y42, z1 }> …
[y := x]1 [z := 1]2
[y > 0]3
< 1,{ x73, y0, z0 } > < 2,{ x73, y73, z0 } >
< 3,{ x73, y73, z1 } > < 4,{ x73, y73, z1 }> …
[y := x]1 [z := 1]2
[y > 0]3
5
Abstract Interpretation
C C’concrete
’
set of states set of states
abstract state abstract state
abstract
S
S
C’’
6
Dataflow Analysis
Reaching Definitions The assignment lab: var := exp reaches lab’ if there
is an execution where var was last assigned at lab
1: y := x;2: z := 1;3: while y > 0 {4: z := z * y;5: y := y − 1 }6: y := 0
(adapted from Nielson, Nielson & Hankin)
{ (x,?), (y,?), (z,?) }
{ (x,?), (y,1), (z,?) }
{ (x,?), (y,1), (z,2) }
{ (x,?), (y,?), (z,4) }
{ (x,?), (y,5), (z,4) }
{ (x,?), (y,1), (z,2) }
{ (x,?), (y,?), (z,?) }
{ (x,?), (y,1), (z,2) }
7
Dataflow Analysis
Reaching Definitions The assignment lab: var := exp reaches lab’ if there
is an execution where var was last assigned at lab
1: y := x;2: z := 1;3: while y > 0 {4: z := z * y;5: y := y − 1 }6: y := 0
(adapted from Nielson, Nielson & Hankin)
{ (x,?), (y,?), (z,?) }
{ (x,?), (y,1), (z,?) }
{ (x,?), (y,1), (z,2), (y,5), (z,4) }
{ (x,?), (y,?), (z,4), (y,5) }
{ (x,?), (y,5), (z,4) }
{ (x,?), (y,1), (z,2), (y,5), (z,4) }
{ (x,?), (y,6), (z,2), (z,4) }
{ (x,?), (y,1), (z,2), (y,5), (z,4) }
8
Dataflow Analysis
Build control-flow graph Assign transfer functions Compute fixed point
9
Control-Flow Graph
1: y := x;2: z := 1;3: while y > 0 {4: z := z * y;5: y := y − 1 }6: y := 0
1: y:=x
2: z:=1
3: y > 0
4: z=z*y
5: y=y-1
6: y:=0
10
Transfer Functions
1: y:=x
2: z:=1
3: y > 0
4: z=z*y
5: y=y-1
6: y:=0
out(1) = in(1) \ { (y,l) | l Lab } U { (y,1) }
out(2) = in(2) \ { (z,l) | l Lab } U { (z,2) }
in(1) = { (x,?), (y,?), (z,?) } in(2) = out(1)in(3) = out(2) U out(5)in(4) = out(3)in(5) = out(4)in(6) = out(3)
out(4) = in(4) \ { (z,l) | l Lab } U { (z,4) }
out(5) = in(5) \ { (y,l) | l Lab } U { (y,5) }
out(6) = in(6) \ { (y,l) | l Lab } U { (y,6) }
out(3) = in(3)
11
System of Equationsin(1) = { (x,?), (y,?), (z,?) } in(2) = out(1)in(3) = out(2) U out(5)in(4) = out(3)in(5) = out(4)In(6) = out(3)out(1) = in(1) \ { (y,l) | l Lab } U { (y,1) }out(2) = in(2) \ { (z,l) | l Lab } U { (z,2) }out(3) = in(3)out(4) = in(4) \ { (z,l) | l Lab } U { (z,4) }out(5) = in(5) \ { (y,l) | l Lab } U { (y,5) }out(6) = in(6) \ { (y,l) | l Lab } U { (y,6) }F: ((Var x Lab) )12 ((Var x Lab) )12
12
System of Equations
in(1) = { (x,?), (y,?), (z,?) } in(2) = out(1)in(3) = out(2) U out(5)in(4) = out(3)in(5) = out(4)In(6) = out(3)out(1) = in(1) \ { (y,l) | l Lab } U { (y,1) }out(2) = in(2) \ { (z,l) | l Lab } U { (z,2) }out(3) = in(3)out(4) = in(4) \ { (z,l) | l Lab } U { (z,4) }out(5) = in(5) \ { (y,l) | l Lab } U { (y,5) }out(6) = in(6) \ { (y,l) | l Lab } U { (y,6) }
F: ((Var x Lab) )12 ((Var x Lab) )12
in(1)={(x,?),(y,?),(z,?)} , in(2)=out(1), in(3)=out(2) U out(5), in(4)=out(3), in(5)=out(4),In(6) = out(3)out(1) = in(1) \ { (y,l) | l Lab } U { (y,1) }, out(2) = in(2) \ { (z,l) | l Lab } U { (z,2) }out(3) = in(3), out(4) = in(4) \ { (z,l) | l Lab } U { (z,4) }out(5) = in(5) \ { (y,l) | l Lab } U { (y,5) }, out(6) = in(6) \ { (y,l) | l Lab } U { (y,6) }
In(1) {(x,?),(y,?),(z,?)}
== == ==
In(2) {(y,1)} {(x,?),(y,1),(z,?)}
==
In(3) {(z,2),(y,5)} {(z,2),(y,5)} {(z,2),(z,4),(y,5)}
In(4) {(z,2),(y,5)}
In(5) {(z,4)} {(z,4)} {(z,4)}
In(6) {(z,2),(y,5)}
Out(1)
{(y,1)} {(x,?),(y,1),(z,?)}
== ==
Out(2)
{(z,2)} {(z,2)} {(z,2),(y,1)} ==
Out(3)
{(z,2),(y,5)} {(z,2),(y,5)}
Out(4)
{(z,4)} {(z,4)} {(z,4)} {(z,4)}
Out(5)
{(y,5)} {(y,5)} {(z,4),(y,5)} {(z,4),(y,5)}
Out(6)
{(y,6)} {(y,6)} {(y,6)} {(y,6)}
…
13
F: ((Var x Lab) )12 ((Var x Lab) )12
RD RD’ when i: RD(i) RD’(i)
…
RD F(RD) F(F(RD)) F(F(F(RD))) F(F(F(F(RD))))
In(1) {(x,?),(y,?),(z,?)}
== == ==
In(2) {(y,1)} {(x,?),(y,1),(z,?)}
==
In(3) {(z,2),(y,5)} {(z,2),(y,5)} {(z,2),(z,4),(y,5)}
In(4) {(z,2),(y,5)}
In(5) {(z,4)} {(z,4)} {(z,4)}
In(6) {(z,2),(y,5)}
Out(1)
{(y,1)} {(x,?),(y,1),(z,?)}
== ==
Out(2)
{(z,2)} {(z,2)} {(z,2),(y,1)} ==
Out(3)
{(z,2),(y,5)} {(z,2),(y,5)}
Out(4)
{(z,4)} {(z,4)} {(z,4)} {(z,4)}
Out(5)
{(y,5)} {(y,5)} {(z,4),(y,5)} {(z,4),(y,5)}
Out(6)
{(y,6)} {(y,6)} {(y,6)} {(y,6)}
System of Equations
14
Monotonicity
F: ((Var x Lab) )12 ((Var x Lab) )12
RD F(RD) F(F(RD)) F(F(F(RD))) F(F(F(F(RD))))
…
Out(1)
{(y,1)} {(x,?),(y,1),(z,?)}
{(y,1)} ….
…
…
out(1) = {(y,1)} when (x,?) out(1)in(1) \ { (y,l) | l Lab } U { (y,1) }, otherwise(silly example just for illustration)
15
Convergence
0
1…
2
n
0
1
…
2
n
0
1
…
2
16
Least Fixed Point
We will see later why it exists For now, mostly informally…F: ((Var x Lab) )12 ((Var x Lab) )12
RD RD’ when i: RD(i) RD’(i)
F is monotone: RD RD’ implies that F(RD) F(RD’)
RD = (, ,…,)
F(RD), F(F(RD) , F(F(F(RD)), … Fn(RD)
Fn+1(RD) = Fn(RD)
RD
F(RD)
F(F(RD))
…
Fn(RD)
17
Partially Ordered Sets (posets) Partial ordering is a relation
: L L { true, false} that is: Reflexive (l: l l) Transitive (l1,l2,l3: l1 l2 l2 l3 l1 l3) Anti-symmetric ( l1 l2 l2 l1 l1 = l2)
A partially ordered set (L, ) is a set L equipped with a partial ordering
For example: ((S), )
Captures intuition of implication between facts l1 l2 will intuitively mean l1 l2 Later, in abstract domains , when l1 l2 , we will say that l1 is
“more precise” than l2 (represents fewer concrete states)
18
Bounds in Posets
Given a poset (L, ) A subset Y of L has l L as an upper bound if l’ Y : l’ l A subset Y of L has l L as a lower bound if l’ Y : l’ l
(we write l’ l when l l’) A least upper bound (lub) l of Y is an upper bound of Y
that satisfies l l’ whenever l’ is another upper bound of Y A greatest lower bound (glb) l of Y is a lower bound of Y
that satisfies l l’ whenever l’ is another lower bound of Y
For any subset Y L If the lub exists then it is unique, and denoted by Y (join)
We often write l1 l2 for { l1, l2} If the glb exists then it is unique, and denoted by Y (meet)
We often write l1 l2 for { l1, l2}
19
Complete Lattices
A complete lattice (L, ) is a poset such that all subsets have least upper bounds as well as greatest lower bounds
In particular = = L is the least element (bottom) = L = is the greatest element (top)
20
Complete Lattices: Examples
{1}{2}
{3}
{1,2}{1,3}
{2,3}
{1,2,3}
- +
0
21
Complete Lattices: Examples
[0,0][-1,-1][-2,-2]
[-2,-1]
[-2,0]
[1,1] [2,2]
[-1,0] [0,1] [1,2]
…
[-1,1] [0,2]
[-2,1] [-1,2]
[-2,2]
……
[2,]…
[1,]
[0,]
[-1,]
[-2,]
…
…
…
…
[- ,]
…
…
[- ,-2]…
[-,-1]
[- ,0]
[-,1]
[- ,2]
…
…
…
…
22
Moore Families
A Moore family is a subset Y of a complete lattice (L,) that is closed under greatest lower bounds Y’ Y: Y’ Y Hence, a Moore family is never empty Always contains least element Y and a greatest
element Why do we care?
We will see that Moore families correspond to choices of abstractions (as targets of upper closure operators)
23
Moore Families: Examples
{1}{2}
{3}
{1,2}{1,3}
{2,3}
{1,2,3}
{2}
{1,2} {2,3}
{1,2,3}
{1,2,2}
24
Chains
In program analysis we will often look at sequences of properties of the form l0 l1 … ln
Given a poset (L, ) a subset Y L is a chain if every two elements in Y are ordered l1,l2 Y: (l1 l2) or (l2 l1) When Y is a finite subset we say that the chain is a finite chain
A sequence of elements l0 l1 … L is an ascending chain A sequence of elements l0 l1 … L is a descending chain L has finite height when all chains in L are finite A poset (L, ) satisfies the ascending chain condition (ACC) if
every ascending chain eventually stabilizes, that is s N: n N: n s ln = ls
25
Chains: Example Posets
-
-2
…
-1
0
0
1
…2
… …
- 0-1 1
(a) (b) (c)
26
Properties of Functions
A function f: L1 L2 between two posets (L1,1) and (L2, 2) is
Monotone (order-preserving) l,l’ L1: l 1 l’ f(l) 2 f(l’) Special case f: L L, l,l’ L: l l’ f(l)
f(l’)
Distributive (join morphism) l,l’ L1 f(l l’) = f(l) f(l’)
27
Function Properties: Examples
{1}{2}
{3}
{1,2}{1,3}
{2,3}
{1,2,3}
28
Function Properties: Examples
{2}
{1,2} {2,3}
{1,2,3}
{2}
{1,2} {2,3}
{1,2,3}
29
Function Properties: Examples
{2}
{1,2} {2,3}
{1,2,3}
{2}
{1,2} {2,3}
{1,2,3}
30
Function Properties: Examples
{1}{2}
{3}
{1,2}{1,3}
{2,3}
{1,2,3}
{1}{2}
{3}
{1,2}{1,3}
{2,3}
{1,2,3}
31
Fixed Points
Consider a complete lattice L = (L,,,,,) and a monotone function f: L L
An element l L is A fixed point iff f(l) = l A pre-fixedpoint iff l f(l) A post-fixedpoint iff l f(l)
Fix(f) = set of all fixed points
Ext(f) = set of all pre-FP Red(f) = set of all post-FP
Red(f)
Ext(f)
Fix(f)
lfp
gfp
fn()
fn()
32
Tarski’s Theorem
Consider a complete lattice L = (L,,,,,) and a monotone function f: L L, then lfp(f) and gfp(f) exist and lfp(f) = Red(f) = Fix(f) gfp(f) = Ext(f) = Fix(f)
33
Kleene’s Fixedpoint Theorem Consider a complete lattice L = (L,,,,,) and a continuous
function f: L L then
lfp(f) = n N fn()
A function f is continuous if for every increasing chain Y L, f(Y) = { f(y) | y Y }
Monotone functions on posets satisfying ACC are continuous Every ascending chain eventually stabilizes
l0 l1 … ln = ln+1 = … hence ln is the least upper bound of { l0,l1,…,ln } , thus f(Y) = f(ln)
From monotonicity of f f(l0) f(l1) … f(ln) = f(ln+1) = … Hence f(ln) is the least upper bound of { f(l0),f(l1), … ,f(ln) } , thus { f(y) | y Y } = f(ln)
34
An Algorithm for Computing lfp Kleene’s fixed point theorem gives a
constructive method for computing the lfp
lfp(f) = n N fn()
l = while f(l) l do l = f(l)
In our case, can compute efficiently using a worklist algorithm for “chaotic iteration”
35
Finally…
36
Reaching Definitions…in(1) = { (x,?), (y,?), (z,?) } in(2) = out(1)in(3) = out(2) U out(5)in(4) = out(3)in(5) = out(4)In(6) = out(3)out(1) = in(1) \ { (y,l) | l Lab } U { (y,1) }out(2) = in(2) \ { (z,l) | l Lab } U { (z,2) }out(3) = in(3)out(4) = in(4) \ { (z,l) | l Lab } U { (z,4) }out(5) = in(5) \ { (y,l) | l Lab } U { (y,5) }out(6) = in(6) \ { (y,l) | l Lab } U { (y,6) }
F: ((Var x Lab) )12 ((Var x Lab) )12
l = while F(l) l do l = F(l)
37
Algorithm Revisited
Input: equation system for RD Output: lfp(F) Algorithm:
RD1 = , … , RD12 = While RDj Fj(RD1,…,RD12) for some j
RDj = Fj(RD1,…,RD12)
Idea: non-deterministically select which component of RD should make a step
Can make selection efficiently based on dependencies We have information on what equations depend on Fj that
has been updated, need only recompute these on every step
38
But…
where did the transfer functions come from? e.g., out(1) = in(1) \ { (y,l) | l Lab } U
{ (y,1) }
how do we know transfer functions really over-approximate the concrete operations?
39
Trace Semantics
note that input (x) is unknown while loop? trace semantics is not computable
[y := x]1;[z := 1]2;while [y > 0]3 ( [z := z * y]4; [y := y − 1]5; )[y := 0]6
…
< 1,{ x42, y0, z0 } > < 2,{ x42, y42, z0 } >
< 3,{ x42, y42, z1 } > < 4,{ x42, y42, z1 }> …
[y := x]1 [z := 1]2
[y > 0]3
< 1,{ x73, y0, z0 } > < 2,{ x73, y73, z0 } >
< 3,{ x73, y73, z1 } > < 4,{ x73, y73, z1 }> …
[y := x]1 [z := 1]2
[y > 0]3
40
Instrumented Trace Semantics on every assignment, record the
label in which the assignment was performed
41
Abstract Interpretation
Instrumented trace semantics
1: y := x;2: z := 1;3: while y > 0 {4: z := z * y;5: y := y − 1 }6: y := 0
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)(y,5)(z,4)(y,5)(y,6)
…
(x,?)(y,?)(z,?)(y,1)(z,2)(y,6)
42
Collecting Semantics
1: y:=x
2: z:=1
3: y > 0
4: z=z*y
5: y=y-1
6: y:=0
(x,?)(y,?)(z,?)(y,1)
(x,?)(y,?)(z,?) (y,1)(z,2)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)
(x,?)(y,?)(z,?)(y,1)(z,2)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)
(x,?)(y,?)(z,?)(y,1)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)(y,5)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)
(x,?)(y,?)(z,?)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)
(x,?)(y,?)(z,?)(y,1)(z,2) (y,6)
43
System of Equationsin(1) = { (x,?)(y,?)(z,?) } in(2) = out(1)in(3) = out(2) U out(5)in(4) = out(3)in(5) = out(4)In(6) = out(3)out(1) = { (y,1) | in(1) }out(2) = { (z,2) | in(2) }out(3) = in(3)out(4) = { (z,4) | in(4) }out(5) = { (y,5) | in(5) }out(6) = { (y,6) | in(6) }
G: ((Trace) )12 ((Trace) )12
Trace = (Var x Lab)* TR
G(TR)
G(G(TR))
…
Gn(TR)
…
lfp(G)
44
Galois Connection
C (C)
(A) A
(C) A C (A)
45
C(C)
(A)A
Reaching Definitions: Abstraction
DOM() = variables in SRD()(v) = l iff rightmost pair for v in is
(v,l)
(C) = { (v,SRD()(v)) | v DOM() C }
(A) = { | v DOM() : (v,SRD()(v) ) A }
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(y,6)
(x,?),(z,4),(y,6)
(x,?),(z,4),(y,6)
(x,?),(z,2),(y,6)
(x,?),(z,2),(z,4),(y,6)
Set of Traces Set of (var,lab) pairs
46
C(C)
(A)A
Reaching Definitions: Concretization
DOM() = variables in SRD()(v) = l iff rightmost pair for v in is
(v,l)
(C) = { (v,SRD()(v)) | v DOM() C }
(A) = { | v DOM() : (v,SRD()(v) ) A }
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)(z,4)(y,5)(y,6)
(x,?),(z,4),(y,6)
(x,?)(y,?)(z,?)(y,1)(z,2)(z,4)(y,5)…(z,4)(y,5)(y,6)
…
47
Best (Induced) Transformer
C
A
C’
A’
How do we figure out the abstract effect S# of a statement S ?
?
S#
S
48
Sound Abstract Transformer
C
A
C’
A’
S#S
Aopt
S (A) S#(A)
49
Soundness of Induced Analysis
RD
F(RD)
F(F(RD))
…
lfp(F)
TR
G(TR)
G(G(TR))
…
Gn(TR)
…lfp(G)
(lfp(G))
(lfp(G)) lfp( G ) lfp(F)
50
Back to a bit of dataflow analysis…
51
Recap
Represent properties of a program using a lattice (L,,,,,)
A continuous function f: L L Monotone function when L satisfies ACC
implies continuous Kleene’s fixedpoint theorem
lfp(f) = n N fn()
A constructive method for computing the lfp
52
Some required notation
blocks : Stmt P(Blocks)blocks([x := a]lab) = {[x := a]lab}blocks([skip]lab) = {[skip]lab}blocks(S1; S2) = blocks(S1) blocks(S2)blocks(if [b]lab then S1 else S2) = {[b]lab} blocks(S1) blocks(S2)blocks(while [b]lab do S) = {[b]lab} blocks(S)
FV: (BExp AExp) Var Variables used in an expressionAExp(a) = all non-unit expressions in the arithmetic expression asimilarly AExp(b) for a boolean expression b
53
Available Expressions Analysis
For each program point, which expressions must have already been computed, and not later modified, on all paths to the program point
[x := a+b]1;[y := a*b]2;while [y > a+b]3 ( [a := a + 1]4; [x := a + b]5
)
(a+b) always available at label
3
54
Available Expressions Analysis Property space
inAE, outAE: Lab (AExp) Mapping a label to set of arithmetic
expressions available at that label
Dataflow equations Flow equations – how to join incoming
dataflow facts Effect equations - given an input set of
expressions S, what is the effect of a statement
55
inAE (lab) = when lab is the initial label { outAE (lab’) | lab’ pred(lab) }
otherwise
outAE (lab) = …Block out (lab)
[x := a]lab in(lab) \ { a’ AExp | x FV(a’) } U { a’ AExp(a) | x FV(a’) }
[skip]lab in(lab)
[b]lab in(lab) U AExp(b)
Available Expressions Analysis
From now on going to drop the AE subscript when clear from context
56
Transfer Functions1: x = a+b
2: y:=a*b
3: y > a+b
4: a=a+1
5: x=a+b
out(1) = in(1) U { a+b }
out(2) = in(2) U { a*b }
in(1) = in(2) = out(1)in(3) = out(2) out(5)in(4) = out(3)in(5) = out(4)
out(4) = in(4) \ { a+b,a*b,a+1 }
out(5) = in(5) U { a+b }
out(3) = in(3) U { a+ b }
[x := a+b]1;[y := a*b]2;while [y > a+b]3 ( [a := a + 1]4; [x := a + b]5
)
57
Solution
1: x = a+b
2: y:=a*b
3: y > a+b
4: a=a+1
5: x=a+b
in(2) = out(1) = { a + b }
out(2) = { a+b, a*b }
out(4) =
out(5) = { a+b }
in(4) = out(3) = { a+ b }
in(1) =
in(3) = { a + b }
58
Kill/Gen
Block out (lab)
[x := a]lab in(lab) \ { a’ AExp | x FV(a’) } U { a’ AExp(a) | x FV(a’) }
[skip]lab in(lab)
[b]lab in(lab) U AExp(b)
Block kill gen
[x := a]lab
{ a’ AExp | x FV(a’) }
{ a’ AExp(a) | x FV(a’) }
[skip]lab
[b]lab AExp(b)
out(lab) = in(lab) \ kill(Blab) U gen(Blab)
Blab = block at label lab
59
Why solution with largest sets?
1: z = x+y
2: true
3: skip
out(1) = in(1) U { x+y }in(1) = in(2) = out(1) out(3)in(3) = out(2)
out(3) = in(3)
out(2) = in(2)[z := x+y]1;while [true]2 ( [skip]3;)
in(1) =
After simplification: in(2) = in(2) { x+y }
Solutions: {x+y} or
in(2) = out(1) out(3)
in(3) = out(2)
60
Reaching Definitions Revisited
Block out (lab)
[x := a]lab
in(lab) \ { (x,l) | l Lab } U { (x,lab) }
[skip]la
b
in(lab)
[b]lab in(lab) Block kill gen
[x := a]lab
{ (x,l) | l Lab } { (x,lab) }
[skip]lab
[b]lab
For each program point, which assignments may have been made and not overwritten, when program execution reaches this point along some path.
61
Why solution with smallest sets?
1: z = x+y
2: true
3: skip
out(1) = ( in(1) \ { (z,?) } ) U { (z,1) }in(1) = { (x,?),(y,?),(z,?) } in(2) = out(1) U out(3)in(3) = out(2)
out(3) = in(3)
out(2) = in(2)[z := x+y]1;while [true]2 ( [skip]3;)
in(1) = { (x,?),(y,?),(z,?) }
After simplification: in(2) = in(2) U { (x,?),(y,?),(z,1) }
Many solutions: any superset of { (x,?),(y,?),(z,1) }
in(2) = out(1) U out(3)
in(3) = out(2)
62
Live Variables
For each program point, which variables may be live at the exit from the point.
[ x :=2]1; [y:=4]2; [x:=1]3; (if [y>x]4 then [z:=y]5 else [z:=y*y]6); [x:=z]7
[ x :=2]1; [y:=4]2; [x:=1]3; (if [y>x]4 then [z:=y]5 else [z:=y*y]6); [x:=z]7
Live Variables
1: x := 2
2: y:=4
4: y > x
5: z := y
7: x := z
6: z = y*y
3: x:=1
64
1: x := 2
2: y:=4
4: y > x
5: z := y
7: x := z
[ x :=2]1; [y:=4]2; [x:=1]3; (if [y>x]4 then [z:=y]5 else [z:=y*y]6); [x:=z]7
6: z = y*y
Live Variables
Block kill gen
[x := a]lab
{ x } { FV(a) }
[skip]la
b
[b]lab FV(b)
3: x:=1
65
1: x := 2
2: y:=4
4: y > x
5: z := y
7: x := z
[ x :=2]1; [y:=4]2; [x:=1]3; (if [y>x]4 then [z:=y]5 else [z:=y*y]6); [x:=z]7
6: z = y*y
Live Variables: solution
Block kill gen
[x := a]lab
{ x }
{ FV(a) }
[skip]lab
[b]lab FV(b)
3: x:=1
in(1) =
out(1) = in(2) =
out(2) = in(3) = { y }
out(3) = in(4) = { x,y }
in(7) = { z }
out(7) =
out(6) = { z }
in(6) = { y }
out(5) = { z }
in(5) = { y }
in(4) = { x,y }
out(4) = { y }
66
Why solution with smallest set?
1: x>1
2: skip
out(1) = in(2) U in(3)out(2) = in(1)out(3) =
out(3) =
in(2) = out(2)
while [x>1]1 ( [skip]2;)[x := x+1]3;
After simplification: in(1) = in(1) U { x }
Many solutions: any superset of { x }
3: x := x + 1
in(3) = { x }
in(1) = out(1) { x }
67
Monotone Frameworks
is or CFG edges go either forward or backwards Entry labels are either initial program labels or final
program labels (when going backwards) Initial is an initial state (or final when going backwards) flab is the transfer function associated with the blocks Blab
In(lab) = { out(lab’) | (lab’,lab) CFG edges }
Initial when lab Entry labels
otherwise
out(lab) = flab(in(lab))
68
Forward vs. Backward Analyses
1: x := 2
2: y:=4
4: y > x
5: z := y
7: x := z
6: z = y*y
1: x := 2
2: y:=4
4: y > x
5: z := y
7: x := z
6: z = y*y
{(x,1), (y,?), (z,?) }
{ (x,?), (y,?), (z,?) }
{(x,1), (y,2), (z,?) }
{ z }
{ y }{ y }
69
Must vs. May Analyses
When is - must analysis Want largest sets the solves the
equation system Properties hold on all paths reaching a
label (exiting a label, for backwards)
When is - may analysis Want smallest sets that solve the
equation system Properties hold at least on one path
reaching a label (existing a label, for backwards)
70
Example: Reaching Definition
L = (Var×Lab) is partially ordered by
is L satisfies the Ascending Chain
Condition because Var × Lab is finite (for a given program)
71
Example: Available Expressions L = (AExp) is partially ordered by is L satisfies the Ascending Chain
Condition because AExp is finite (for a given program)
72
Analyses Summary
Reaching Definitions
Available Expressions
Live Variables
L (Var x Lab) (AExp) (Var)
AExp
Initial { (x,?) | x Var}
Entry labels { init } { init } final
Direction Forward Forward Backward
F { f: L L | k,g : f(val) = (val \ k) U g }
flab flab(val) = (val \ kill) gen
73
Analyses as Monotone Frameworks Property space
Powerset Clearly a complete lattice
Transformers Kill/gen form Monotone functions (let’s show it)
74
Monotonicity of Kill/Gen transformers
Have to show that x x’ implies f(x) f(x’)
Assume x x’, then for kill set k and gen set g(x \ k) U g (x’ \ k) U g
Technically, since we want to show it for all functions in F, we also have to show that the set is closed under function composition
75
Distributivity of Kill/Gen transformers
Have to show that f(x y) f(x) f(y) f(x y) = ((x y) \ k) U g
= ((x \ k) (y \ k)) U g= (((x \ k) U g) ((y \ k) U g))= f(x) f(y)
Used distributivity of and U Works regardless of whether is U or
76
Constant Propagation
… …
- 0-1 1
State = (Var Z)
No information
Variable not a constant
77
Constant Propagation
L = ((Var Z) , ) 1 2 iff x: 1(x) 2(x) ordering in the Z
lattice
Examples: [x , y 42, z ] [x , y 42, z
73] [x , y 42, z 73] [x , y 42,
z ]
78
Constant PropagationA: AExp (State Z)
Aa1 op a2 = Aa1 op Aa2
Ax =(x) otherwise
If = An =
n otherwise
If =
Block out ()
[x := a]lab
If = [x Aa] otherwise
[skip]la
b
[b]lab
79
Example
[x :=42]1; [y:=73]2; (if [?]3 then [z:=x+y]4 else [z:=12]5
[w:=z]6
);
[X , y , z , w ]
[X 42, y , z , w ]
[X 42, y 73, z , w ]
[X 42, y 73, z , w ]
[X 42, y 73, z 115, w ]
[X 42, y 73, z 12, w ]
[X 42, y 73, z 12, w 12]
[X 42, y 73, z , w 12]
… …
- 0 12 115… …
80
Constant Propagation is Non Distributive
Consider the transformer f = [y=x*x]#
Consider two states 1, 2 1(x) = 1 2(x) = -1
(1 2)(x) = f(1 2) maps y to
f(1) maps y to 1f(2) maps y to 1f(1) f(2) maps y to 1
f(1 2) f(1) f(2)