Lecture 4: Data-Flow Analysis(contd.)

17-355/17-655/17-819: Program AnalysisRohan Padhye and Jonathan Aldrich

February 11, 2021

* Course materials developed with Claire Le Goues

1(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

Random Facts #1

2(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

exec(s:='print("exec(s:=%r)"%s)')Python 3.8:

“You are here” maps don’t lie

What mathematical concept is common to both these facts?

Example of Zero Analysis: Looping Code

3(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

P0

Example of Zero Analysis: Looping Code

4(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

P0

Example of Zero Analysis: Looping Code

5(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

P0

Fixed point of Flow Functions

6(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

(𝜎5, 𝜎6, 𝜎7, … , 𝜎8) →9! (𝜎′5, 𝜎′6, 𝜎′7, … , 𝜎′8)

P0

𝜎′6 = 𝑓: 𝑥 ≔ 10 (𝜎5)

𝜎′7 = 𝑓: 𝑦 ≔ 0 (𝜎6)

𝜎′; = 𝑓: 𝑥 ≔ 𝑦 (𝜎<)

𝜎′5 = 𝜎5

𝜎′= = 𝜎7 ⊔ 𝜎>

𝜎′< = 𝑓: if 𝑥 = 10 goto 7 ?(𝜎=)

𝜎′@ = 𝑓: if 𝑥 = 10 goto 7 A(𝜎=)

…

Fixed point of Flow Functions

7(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

(𝜎5, 𝜎6, 𝜎7, … , 𝜎8) →9! (𝜎′5, 𝜎′6, 𝜎′7, … , 𝜎′8)

𝜎′6 = 𝑓: 𝑥 ≔ 10 (𝜎5)

𝜎′7 = 𝑓: 𝑦 ≔ 0 (𝜎6)

𝜎′; = 𝑓: 𝑥 ≔ 𝑦 (𝜎<)

𝜎′5 = 𝜎5

𝜎′= = 𝜎7 ⊔ 𝜎>

𝜎′< = 𝑓: if 𝑥 = 10 goto 7 ?(𝜎=)

𝜎′@ = 𝑓: if 𝑥 = 10 goto 7 A(𝜎=)

…

(𝜎!, 𝜎", 𝜎#, … , 𝜎$) = 𝑓%(𝜎!, 𝜎", 𝜎#, … , 𝜎$)Fixed point!

Correctness theorem:If data-flow analysis is well designed*, thenany fixed point of the analysis is sound.

* we will define these properties and prove this theoremin two weeks!

More on joins and lattices

8(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

(𝜎5, 𝜎6, 𝜎7, … , 𝜎8) →9! (𝜎′5, 𝜎′6, 𝜎′7, … , 𝜎′8)

𝜎′6 = 𝑓: 𝑥 ≔ 10 (𝜎5)

𝜎′7 = 𝑓: 𝑦 ≔ 0 (𝜎6)

𝜎′; = 𝑓: 𝑥 ≔ 𝑦 (𝜎<)

𝜎′5 = 𝜎5

𝜎′= = 𝜎7 ⊔ 𝜎>

𝜎′< = 𝑓: if 𝑥 = 10 goto 7 ?(𝜎=)

𝜎′@ = 𝑓: if 𝑥 = 10 goto 7 A(𝜎=)

…

Hold up! How do you

More on joins and lattices

9(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

𝜎′= = 𝜎7 ⊔ 𝜎>

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

What should be the initial value for 𝜎! ????

P0

More on joins and lattices

10(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

Enter: ⊥ (“bottom”)

⊥⊑ 𝑙⊥⊔ 𝑙 = 𝑙

for all 𝑙 ∈ 𝐿:𝑙 ⊑ ⊤𝑙 ⊔ ⊤ = ⊤

A lattice with both ⊥ and ⊤ defined is called a Complete Lattice

What would the complete lattice for Zero Analysis look like?

More on joins and lattices

11(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

𝜎: 𝑉𝑎𝑟 → 𝐿 where 𝐿 = {𝑍,𝑁, ⊥, ⊤}

𝜎( ⊔ 𝜎) = { 𝑥 ↦ 𝜎( 𝑥 ⊔ 𝜎) 𝑥 , 𝑦 ↦ 𝜎( 𝑦 ⊔ 𝜎) 𝑦 }

𝜎( ⊑ 𝜎) = ???

Exercise: Define lifted ⊑ in terms of ordering on 𝐿

More on joins and lattices

12(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

{x↦ ⊤, y↦ ⊤}

{x↦Z, y↦ ⊤} {x↦N, y↦ ⊤} {x↦ ⊤, y↦Z} {x↦ ⊤, y↦N}

… … … … … … … … … … … … …

{x↦ ⊤, y↦⊥} {x↦Z, y↦Z} {x↦Z, y↦N} … … …

{x↦Z, y↦⊥} {x↦N, y↦⊥} {x↦⊥, y↦Z} {x↦⊥, y↦N}

{x↦⊥, y↦⊥}

Lifting a complete lattice gives another complete lattice

Running a Data Flow Analysis

13(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

⊥ ⊥⊥ ⊥⊥ ⊥⊥ ⊥⊥ ⊥⊥ ⊥

⊥ ⊥⊥ ⊥⊥ ⊥

P0

Running a Data Flow Analysis

14(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

𝜎′= = 𝜎7 ⊔ 𝜎>

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

⊥ ⊥⊥ ⊥⊥ ⊥⊥ ⊥⊥ ⊥⊥ ⊥

P0

Running a Data Flow Analysis

15(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

𝜎′= = 𝜎7 ⊔ 𝜎>

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

P0

Running a Data Flow Analysis

16(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

𝜎′= = 𝜎7 ⊔ 𝜎>

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

P0

Running a Data Flow Analysis

17(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10P1

P2P3

P4

P5

P7

7:𝑥 ≔ 𝑦

P6

P8

T

F

P9

P0

WHAT’S THE ALGORITHM?

18(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

Analysis Execution Strategy

20(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

Kildall’s Algorithm

21(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

What order to process worklist nodes in?• Random? Queue? Stack?• Any order is valid (!!)• Some orders are better in practice

o Topological sorts are niceo Explore loops inside outo Reverse postorder!

22(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

Exercise: Apply Kildall’s Worklist Algorithm for Zero Analysis

23(c) 2021 J. Aldrich, C. Le Goues, R. Padhye

2:𝑦 ≔ 0

3:if𝑥 = 0 goto 7

4: 𝑦 ≔ 1

6:goto 3

5: 𝑥 ≔ 𝑥 − 1

1:𝑥 ≔ 10

7:𝑥 ≔ 𝑦

T

F

Performance of Kildall’s Algorithm• Why is it guaranteed to terminate?• What is its complexity?

24(c) 2021 J. Aldrich, C. Le Goues, R. Padhye