program analysis and verificationpaver152/wiki.files/07-static analysis i.pdf · spring 2015...
TRANSCRIPT
Spring 2015Program Analysis and Verification
Lecture 7: Static Analysis I
Roman ManevichBen-Gurion University
Tentative syllabus
Semantics
NaturalSemantics
Structural semantics
AxiomaticVerification
StaticAnalysis
AutomatingHoare Logic
Control Flow Graphs
Equation Systems
CollectingSemantics
AbstractInterpretationfundamentals
Lattices
Fixed-Points
Chaotic Iteration
Galois Connections
Domain constructors
Widening/Narrowing
AnalysisTechniques
Numerical Domains
Alias analysis
InterproceduralAnalysis
ShapeAnalysis
CEGAR
Crafting your own
Soot
From proofsto abstractions
Systematically developing
transformers
2
Previously
• Axiomatic verification
• Weakest precondition calculus
• Strongest postcondition calculus
• Handling data structures
• Total correctness
3
Agenda• Static analysis for compiler optimization
– Common Subexpression Elimination
– Available Expression domain
• Develop a static analysis:Simple Available Expressions
4
Array-max example: Post3
5
nums : array
{ N0 0m<N } // N stands for num’s length
x := 0
{ x=0 }
res := nums[0]
{ x=0 res=nums(0) }
Inv = { 0m<x nums(m)res }
while x < N
{ x=k res=oRes 0m<k nums(m)oRes }
if nums[x] > res then
{ nums(x)>oRes res=oRes x=k 0m<k nums(m)oRes }
res := nums[x]
{ res=nums(x) nums(x)>oRes x=k 0m<k nums(m)oRes }
{ x=k 0mk nums(m)res }
{ (x=k 0mk nums(m)res) (oresnums(x) res=oRes x=k res=oRes 0m<k nums(m)oRes)} { x=k 0mk nums(m)res }
x := x + 1
{ x=k+1 0mk nums(m)res }
{ 0m<x nums(m)res }
{ x=N 0m<x nums(m)res}[univp]{ m. 0m<N nums(m)res }
Can we find this proof automatically?
6
nums : array
N : int
{ N0 } x := 0
{ N0 x=0 }
res := nums[0]
{ x=0 }
Inv = { xN }
while x < N
{ x=k k<N }
if nums[x] > res then
{ x=k k<N }
res := nums[x]
{ x=k k<N }
{ x=k k<N }
x := x + 1
{ x=k+1 k<N }
{ xN xN }
{ x=N }
Observation: predicates in proof have the general form
constraint
where constraint has the formX - Y c
orX c
7
Look under the
street lamp
By Infopablo00 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
…We may move lamp
a bit
Zone Abstract Domain
• Developed by Antoine Minein his Ph.D. thesis
• Uses constraints of the formX - Y c and X c
8
Analysis with Zone abstract domain
9
nums : array
N : int
{ N0 } x := 0
{ N0 x=0 }
res := nums[0]
{ N0 x=0 }
Inv = { N0 0xN }while x < N
{ N0 0x<N }if nums[x] > res then
{ N0 0x<N }res := nums[x]
{ N0 0x<N }{ N0 0x<N }x := x + 1
{ N0 0<x<N }
{N0 0x x=N }
nums : array
N : int
{ N0 } x := 0
{ N0 x=0 }
res := nums[0]
{ x=0 }
Inv = { xN }
while x < N
{ x=k kN }
if nums[x] > res then
{ x=k k<N }
res := nums[x]
{ x=k k<N }
{ x=k k<N }
x := x + 1
{ x=k+1 k<N }
{ xN xN }
{ x=N }
Static Analysis with Zone Abstraction Manual Proof
Static analysisfor compiler optimizations
10
Motivating problem: optimization
• A compiler optimization is defined by a program transformation:
T : Stmt Stmt
• The transformation is semantics-preserving:s. Ssos C s = Ssos T(C) s
• The transformation is applied to the program only if an enabling condition is met
• We use static analysis for inferring enabling conditions
11
Common Subexpression Elimination
• If we have two variable assignmentsx := a op b…y := a op band the values of x, a, and b have not changed between the assignments, rewrite the code asx = a op b…y := x
• Eliminates useless recalculation• Paves the way for more optimizations
(e.g., dead code elimination)
12
op {+, -, *, ==, <=}
What do we need to prove?
13
{ true }
C1x := a op b
C2{ x = a op b }
y := a op b
C3
{ true }
C1x := a op b
C2{ x = a op b }
y := x
C3
CSE
Assertion localizes decision
A simplified problem
14
{ true }
C1x := a + b
C2{ x = a + b }
y := a + b
C3
{ true }
C1x := a + b
C2{ x = a + b }
y := x
C3
CSE
Available Expressions analysis
• A static analysis that infers for every program point a set of facts of the formAV = { x = y | x, y Var }
{ x = op y | x, y Var, op {-, !} } { x = y op z | y, z Var, op {+, -, *, <=} }
• For every program with n=|Var| variables number of possible facts is finite: |AV|=O(n3)
• Yields a trivial algorithm …
– Is it efficient?
15
Simple Available Expressions
• Define atomic facts (for SAV) as = { x = y | x, y Var }
{ x = y + z | x, y, z Var }
– For n=|Var| number of atomic facts is O(n3)
• Define sav-predicates as = 2
16
Notation for conjunctive sets of facts
• For a set of atomic facts D , we defineConj(D) = D
– E.g., if D={a=b, c=b+d, b=c} thenConj(D) = (a=b) (c=b+d) (b=c)
• Notice that for two sets of facts D1 and D2
Conj(D1 D2) = Conj(D1) Conj(D1)
• What does Conj({}) stand for…?
17
Towards an automatic proof
• Goal: automatically compute an annotated program proving as many facts as possible of the form x = y and x = y + z
• Decision 1: develop a forward-going proof• Decision 2: draw predicates from a finite set D
– “looking under the light of the lamp”– A compromise that simplifies problem by focusing
attention – possibly miss some facts that hold
• Challenge 1: handle straight-line code• Challenge 2: handle conditions• Challenge 3: handle loops
18
Challenge 1: handling straight-line code
19
By Zachary Dylan Tax (Zachary Dylan Tax) [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons
Straight line code example
• Find a proof that satisfies both conditions
20
{ }
x := a + b
{ x=a+b }
z := a + c
{ x=a+b, z=a+c }
b := a * c
{ z=a+c }
Straight line code example
• Can we turn this into an algorithm?
• What should we ensure for each triple?
21
{ }
x := a + b
{ x=a+b }
z := a + c
{ x=a+b, z=a+c }
b := a * c
{ z=a+c }Frame
sp
cons
Goal
• Given a program of the formx1 := a1; … xn := an
• Find predicates P0, …, Pn such that
1. {P0} x1 := a1 {P1} … {Pn-1} xn := an {Pn} is a proofThat is: sp(xi := ai, Pi-1) Pi
2. Each Pi has the form Conj(Di) where Di is a set of atomic
22
Algorithm for straight-line code
• Goal: find predicates P0, …, Pn such that1. {P0} x1 := a1 {P1} … {Pn-1} xn := an {Pn} is a proof
That is: sp(xi := ai, Pi-1) Pi
2. Each Pi has the form Conj(Di) where Di is a set of atomic facts
• Idea: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)– We call F the abstract transformer of x:=a
• Unless D0 is given, initialize D0={} (why?)• For each i: compute Di+1 = Conj(FSAV[xi := ai] Di)• Finally Pi = Conj(Di)
23
Defining an SAV abstract transformer
• Goal: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)
• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule
24
Defining an SAV abstract transformer
• Goal: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)
• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule
25
Defining an SAV abstract transformer
• Goal: define a function FSAV[x:=a] : s.t.if FSAV[x:=a](D) = D’then sp(x := a, Conj(D)) Conj(D’)
• Idea: define rules for individual factsand generalize to sets of facts by the conjunction rule
26
Is either a variable v or an addition expression v+w
{ x= } x:=a { }[kill-lhs]
{ y=x+w } x:=a { }[kill-rhs-1]
{ y=w+x } x:=a { }[kill-rhs-2]
{ } x:= { x= }[gen]
{ y=z+w } x:=a { y=z+w }[preserve]
SAV abstract transformer example
27
Is either a variable v or an addition expression v+w
{ }
x := a + b
{ x=a+b }
z := a + c
{ x=a+b, z=a+c }
b := a * c
{ z=a+c }
{ x= } x:= aexpr { }[kill-lhs]
{ y=x+w } x:= aexpr { }[kill-rhs-1]
{ y=w+x } x:= aexpr { }[kill-rhs-2]
{ } x:= { x= }[gen]
{ y=z+w } x:= aexpr { y=z+w }[preserve]
Problem 1: large expressions
• Large expressions on the right hand sidesof assignments are problematic– Can miss optimization opportunities– Require complex transformers
• Solution: …?
28
Missed CSE opportunity
{ }
x := a + b + c
{ }
y := a + b + c
{ }
Problem 1: large expressions
• Large expressions on the right hand sidesof assignments are problematic– Can miss optimization opportunities– Require complex transformers
• Solution: transform code to normal form where right-hand sides have bounded size– Standard compiler transformation – lowering into
three address code
29
Missed CSE opportunity
{ }
x := a + b + c
{ }
y := a + b + c
{ }
Three-address code
• Main idea: simplify expressions by storing intermediate results in new temporary variables
• Number of variables in simplified statements 3
30
{ }
x := a + b + c
{ }
y := a + b + c
{ }
{ }
i1 := a + b
{ i1=a+b }
x := i1 + c
{ i1=a+b, x=i1+c }
i2 := a + b
{ i1=a+b, x=i1+c, i2=a+b }
y := i2 + c
{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }
Three-address code
• Main idea: simplify expressions by storing intermediate results in new temporary variables
• Number of variables in simplified statements 3
31
{ }
x := a + b + c
{ }
y := a + b + c
{ }
{ }
i1 := a + b
{ i1=a+b }
x := i1 + c
{ i1=a+b, x=i1+c }
i2 := a + b
{ i1=a+b, x=i1+c, i2=a+b }
y := i2 + c
{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }
Need to infer i1=i2
Problem 2: transformer precision
• Our transformer only infers syntactically available expressions – ones that appear in the code explicitly
• We want a transformer that considers the meaning of the predicates– Takes equalities into account
32
{ }
i1 := a + b
{ i1=a+b }
x := i1 + c
{ i1=a+b, x=i1+c }
i2 := a + b
{ i1=a+b, x=i1+c, i2=a+b }
y := i2 + c
{ i1=a+b, x=i1+c, i2=a+b, y=i2+c }
Need to infer i1=i2
Defining a semantic reduction
• Idea: make as many implicit facts explicit by– Using symmetry and transitivity of equality– Commutativity of addition– Meaning of equality – can substitute equal variables
• For an SAV-predicate P=Conj(D) definereduce(D) = minimal set D* such that:1. D D*
2. x=y D* implies y=x D*
3. x=y D* y=z D* implies x=z D*
4. x=y+z D* implies x=z+y D*
5. x=y D* and x=z+w D* implies y=z+w D*
6. x=y D* and z=x+w D* implies z=y+w D*
7. x=z+w D* and y=z+w D* implies x=y D*
• Notice that reduce(D) D• reduce is a special case of a semantic reduction
33
Sharpening the transformer
• Define: F*[x:=aexpr] = reduce FSAV[x:= aexpr]
34
{ }
i1 := a + b
{ i1=a+b, i1=b+a }
x := i1 + c
{ i1=a+b, i1=b+a, x=i1+c, x=c+i1 }
i2 := a + b
{ i1=a+b, i1=b+a, x=i1+c, x=c+i1, i2=a+b,
i2=b+a, i1=i2, i2=i1, x=i2+c, x=c+i2, }
y := i2 + c
{ ... }
Since sets of facts and their conjunction are isomorphic we will use them interchangeably
An algorithm for annotating SLP
• Annotate(P, x:=aexpr) ={P} x:=aexpr F*[x:= aexpr](P)
Annotate(P, S1; S2) =let Annotate(P, S1) be {P} A1 {Q1} let Annotate(Q1, S2) be {Q1} A2 {Q2} return {P} A1; {Q1} A2 {Q2}
35
Challenge 2: handling conditions
36
Goal
• Annotate a programif bexpr then S1 else S2
with predicates from
• Assumption 1: P is given(otherwise use true)
• Assumption 2: bexpr is a simple binary expression e.g., x=y, xy, x<y (why?)
37
{ P }if bexpr then
{ bexpr P }S1
{ Q1 }else
{ bexpr P } S2
{ Q2 }{ Q }
{bexpr P } S1 { Q }, { bexpr P } S2 { Q }{ P } if bexpr then S1 else S2 { Q }
[ifp]
Joining predicates
1. Start with P or {bexpr P} and annotate S1 (yielding Q1)
2. Start with P or {bexpr P} andannotate S2 (yielding Q2)
3. How do we infer a Q such that Q1Q and Q2Q?
Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2
= Conj(D1 D2)
38
{ P }if bexpr then
{ bexpr P }S1
{ Q1 }else
{ bexpr P } S2
{ Q2 }{ Q }
Possibly an SAV-fact
Possibly an SAV-fact
{bexpr P } S1 { Q }, { bexpr P } S2 { Q }{ P } if bexpr then S1 else S2 { Q }
[ifp]
Joining predicates
1. Start with P or {bexpr P} and annotate S1 (yielding Q1)
2. Start with P or {bexpr P} andannotate S2 (yielding Q2)
3. How do we infer a Q such that Q1Q and Q2Q?
Q1=Conj(D1), Q2=Conj(D2)Define: Q = Q1 Q2
= Conj(D1 D2)
39
The join operator for SAV
{bexpr P } S1 { Q }, { bexpr P } S2 { Q }{ P } if bexpr then S1 else S2 { Q }
[ifp]
{ P }if bexpr then
{ bexpr P }S1
{ Q1 }else
{ bexpr P } S2
{ Q2 }{ Q }
Joining predicates
• Q1=Conj(D1), Q2=Conj(D2)
• We want to soundly approximate Q1 Q2 in
• Define: Q = Q1 Q2
= Conj(D1 D2)
• Notice that Q1Q and Q2Qmeaning Q1 Q2Q
40
Simplifying handling of conditions
• Extend While with
– Non-determinism (or) and
– An assume statement assume b, ssos s if B b s = tt
• Use the fact that the following two statements are equivalent
– if b then S1 else S2
– (assume b; S1) or (assume b; S2)
41
Handling conditional expressions
• We want to soundly approximate D bexprand D bexpr in
• Define (bexpr) = if bexpr is factoid{bexpr} else {}
• Define F[assume bexpr](D) = D (bexpr)
• Can sharpenF*[assume bexpr] = reduce FSAV[assume bexpr]
42
Handling conditional expressions
• Notice bexpr (bexpr)
• Examples
– (y=z) = {y=z}
– (y<z) = {}
43
An algorithm for annotating conditions
let Pt = F*[assume bexpr] P
let Pf = F*[assume bexpr] P
let Annotate(Pt, S1) be {Pt} A1 {Q1}
let Annotate(Pf, S2) be {Pf} A2 {Q2}
return {P}if bexpr then
{Pt} A1 {Q1} else
{Pf} A2 {Q2}{Q1 Q2}
44
Example
45
{ }
if (x = y)
{ x=y, y=x }
a := b + c
{ x=y, y=x, a=b+c, a=c+b }
d := b – c
{ x=y, y=x, a=b+c, a=c+b }
else
{ }
a := b + c
{ a=b+c, a=c+b }
d := b + c
{ a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }
{ a=b+c, a=c+b }
Example
46
{ }
if (x = y)
{ x=y, y=x }
a := b + c
{ x=y, y=x, a=b+c, a=c+b }
d := b – c
{ x=y, y=x, a=b+c, a=c+b }
else
{ }
a := b + c
{ a=b+c, a=c+b }
d := b + c
{ a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }
{ a=b+c, a=c+b }
Recap
• We now have an algorithm for soundly annotating loop-free code
• Generates forward-going proofs
• Algorithm operates on abstract syntax tree of code
– Handles straight-line code by applying F*
– Handles conditions by recursively annotating true and false branches and then intersecting their postconditions
47
Example
48
{ }
if (x = y)
{ x=y, y=x }
a := b + c
{ x=y, y=x, a=b+c, a=c+b }
d := b – c
{ x=y, y=x, a=b+c, a=c+b }
else
{ }
a := b + c
{ a=b+c, a=c+b }
d := b + c
{ a=b+c, a=c+b, d=b+c, d=c+b, a=d, d=a }
{ a=b+c, a=c+b }
Challenge 2: handling loops
49
By Stefan Scheer (Own work (Own Photo)) [GFDL (http://www.gnu.org/copyleft/fdl.html), CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/) or CC-BY-SA-2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/2.5-2.0-1.0)], via Wikimedia Commons
Goal
• Annotate a programwhile bexpr do S with
predicates from – s.t. P N
• Main challenge: find N
• Assumption 1: P is given(otherwise use true)
• Assumption 2: bexpr is asimple binary expression
50
{bexpr P } S { P }{ P } while b do S {bexpr P }[whilep]
{ P }Inv = { N }while bexpr do
{ bexpr N }S{ Q }
{bexpr N }
Example: annotate this program
51
{ y=x+a, y=a+x, w=d, d=w }
Inv = { y=x+a, y=a+x }
while (x z) do
{ z=x+a, z=a+x, w=d, d=w }
x := x + 1
{ w=d, d=w }
y := x + a
{ y=x+a, y=a+x, w=d, d=w }
d := x + a
{ y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y }
{ y=x+a, y=a+x, x=z, z=x }
Example: annotate this program
52
{ y=x+a, y=a+x, w=d, d=w }
Inv = { y=x+a, y=a+x }
while (x z) do
{ y=x+a, y=a+x }
x := x + 1
{ }
y := x + a
{ y=x+a, y=a+x }
d := x + a
{ y=x+a, y=a+x, d=x+a, d=a+x, y=d, d=y }
{ y=x+a, y=a+x, x=z, z=x }
Goal
• Idea: try to guess a loop invariant from a small number of loop unrollings
– We know how to annotate S(by induction)
53
{bexpr P } S { P }{ P } while b do S {bexpr P }[whilep]
{ P }Inv = { N }while bexpr do
{ bexpr N }S{ Q }
{bexpr N }
k-loop unrolling
54
{ P }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a }
if (x z)
x := x + 1
y := x + a
d := x + a
Q2 = { y=x+a }
…
{ P }
Inv = { N }
while (x z) do
x := x + 1
y := x + a
d := x + a
{ y=x+a, y=a+x, w=d, d=w }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a }
k-loop unrolling
55
{ P }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
if (x z)
x := x + 1
y := x + a
d := x + a
Q2 = { y=x+a, y=a+x }
…
{ P }
Inv = { N }
while (x z) do
x := x + 1
y := x + a
d := x + a
{ y=x+a, y=a+x, w=d, d=w }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
k-loop unrolling
56
The following must hold:P NQ1 NQ2 N…Qk N
{ P }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
if (x z)
x := x + 1
y := x + a
d := x + a
Q2 = { y=x+a, y=a+x }
…
{ P }
Inv = { N }
while (x z) do
x := x + 1
y := x + a
d := x + a
{ y=x+a, y=a+x, w=d, d=w }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
k-loop unrolling
57
The following must hold:P NQ1 NQ2 N…Qk N…
{ P }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
if (x z)
x := x + 1
y := x + a
d := x + a
Q2 = { y=x+a, y=a+x }
…
{ P }
Inv = { N }
while (x z) do
x := x + 1
y := x + a
d := x + a
{ y=x+a, y=a+x, w=d, d=w }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
We can compute the following sequence:N0 = PN1 = N0 Q1
N2 = N1 Q2
…Nk = Nk-1 Qk
Observation 1: No need to explicitly unroll loop – we can reuse postcondition from unrolling k-1 for k
k-loop unrolling
58
The following must hold:P NQ1 NQ2 N…Qk N…
{ P }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
if (x z)
x := x + 1
y := x + a
d := x + a
Q2 = { y=x+a, y=a+x }
…
{ P }
Inv = { N }
while (x z) do
x := x + 1
y := x + a
d := x + a
{ y=x+a, y=a+x, w=d, d=w }
if (x z)
x := x + 1
y := x + a
d := x + a
Q1 = { y=x+a, y=a+x }
We can compute the following sequence:N0 = PN1 = N1 Q1
N2 = N1 Q2
…Nk = Nk-1 Qk
Observation 2: Nk
monotonically decreases set of facts.Question: does it stabilizes for some k?
Algorithm for annotating a loopAnnotate(P, while bexpr do S) =
Initialize N := Nc := Prepeat
let Annotate(P, if b then S else skip) be{Nc} if bexpr then S else skip {N}
Nc := Nc Nuntil N = Nc
return {P}INV= Nwhile bexpr do
F[assume bexpr](N)Annotate(F[assume bexpr](N), S)
F[assume bexpr](N)
59
Putting it together
60
Algorithm for annotating a programAnnotate(P, S) =
case S is x:=aexpr
return {P} x:=aexpr {F*[x:=aexpr] P}
case S is S1; S2
let Annotate(P, S1) be {P} A1 {Q1}
let Annotate(Q1, S2) be {Q1} A2 {Q2}
return {P} A1; {Q1} A2 {Q2}
case S is if bexpr then S1 else S2
let Pt = F[assume bexpr] P
let Pf = F[assume bexpr] P
let Annotate(Pt, S1) be {Pt} A1 {Q1}
let Annotate(Pf, S2) be {Pf} A2 {Q2}
return {P} if bexpr then {Pt} A1 {Q1}else {Pf} A2 {Q2}
{Q1 Q2}
case S is while bexpr do S
N := Nc := P // Initialize
repeatlet Pt = F[assume bexpr] Nc
let Annotate(Pt, S) be {Nc} Abody {N}Nc := Nc N
until N = Nc
return {P} INV= {N} while bexpr do {Pt} Abody {F[assume bexpr](N)}61
Exercise: apply algorithm
62
{ }
y := a+b
{ }
x := y
{ }
while (xz) do
{ }
w := a+b
{ }
x := a+b
{ }
a := z
{ }
Step 1/18
63
{}
y := a+b
{ y=a+b }*
x := y
while (xz) do
w := a+b
x := a+b
a := z
Not all factoids are shown – apply reduceto get all factoids
Step 2/18
64
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
while (xz) do
w := a+b
x := a+b
a := z
Step 3/18
65
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’ = { y=a+b, x=y, x=a+b }*
while (xz) do
w := a+b
x := a+b
a := z
Step 4/18
66
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’ = { y=a+b, x=y, x=a+b }*
while (xz) do
{ y=a+b, x=y, x=a+b }*
w := a+b
x := a+b
a := z
Step 5/18
67
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’ = { y=a+b, x=y, x=a+b }*
while (xz) do
{ y=a+b, x=y, x=a+b }*
w := a+b
{ y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }*
x := a+b
a := z
Step 6/18
68
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’ = { y=a+b, x=y, x=a+b }*
while (xz) do
{ y=a+b, x=y, x=a+b }*
w := a+b
{ y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }*
x := a+b
{ y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }*
a := z
Step 7/18
69
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’ = { y=a+b, x=y, x=a+b }*
while (xz) do
{ y=a+b, x=y, x=a+b }*
w := a+b
{ y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }*
x := a+b
{ y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }*
a := z
{ w=y, w=x, x=y, a=z }*
Step 8/18
70
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’ = { x=y }*
while (xz) do
{ y=a+b, x=y, x=a+b }*
w := a+b
{ y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }*
x := a+b
{ y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }*
a := z
{ w=y, w=x, x=y, a=z }*
Step 9/18
71
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’ = { x=y }*
while (xz) do
{ x=y }*
w := a+b
{ y=a+b, x=y, x=a+b, w=a+b, w=x, w=y }*
x := a+b
{ y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }*
a := z
{ w=y, w=x, x=y, a=z }*
Step 10/18
72
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’ = { x=y }*
while (xz) do
{ x=y }*
w := a+b
{ x=y, w=a+b }*
x := a+b
{ y=a+b, w=a+b, w=y, x=a+b, w=x, x=y }*
a := z
{ w=y, w=x, x=y, a=z }*
Step 11/18
73
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’ = { x=y }*
while (xz) do
{ x=y }*
w := a+b
{ x=y, w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=y, w=x, x=y, a=z }*
Step 12/18
74
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’ = { x=y }*
while (xz) do
{ x=y }*
w := a+b
{ x=y, w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
Step 13/18
75
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’’ = { }
while (xz) do
{ x=y }*
w := a+b
{ x=y, w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
Step 14/18
76
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’’ = { }
while (xz) do
{ }
w := a+b
{ x=y, w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
Step 15/18
77
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’’ = { }
while (xz) do
{ }
w := a+b
{ w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
Step 16/18
78
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’’ = { }
while (xz) do
{ }
w := a+b
{ w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
Step 17/18
79
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv’’’ = { }
while (xz) do
{ }
w := a+b
{ w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
Step 18/18
80
{}
y := a+b
{ y=a+b }*
x := y
{ y=a+b, x=y, x=a+b }*
Inv = { }
while (xz) do
{ }
w := a+b
{ w=a+b }*
x := a+b
{ x=a+b, w=a+b, w=x }*
a := z
{ w=x, a=z }*
{ x=z }*
Next lecture:static analysis mechanics
Canonical form for SAV
• For an available expressions element A definereduce(A) = minimal set B such that:1. A B2. x=y B implies y=x B3. x=y B and y=z B implies x=z B4. x=y+z B implies x=z+y B5. x=y B and x=z+w B implies y=z+w B6. x=y B and z=x+w B implies z=y+w B7. x=z+w B and y=z+w B implies x=y B
• Makes all implicit facts explicit• Define A* = reduce(A)• Define (for two subsets A1, A2 D)
A1 exp A2 if and only if A1
* A2*
• Lemma: A1 exp A2 if and only A1
imp A2
82