A Fast Interprocedural Linear Two-Variable Equalities

Authors

  • ANDREA FLEXEDER
  • MARKUS MÜLLER-OLM
  • MICHAEL PETTER
Abstract

ACM Transactions on Programming Languages and Systems, Vol. V, No. N, Article A, Publication date: January YYYY.

Effect of Statements. Every element $E \in \mathbb{E}(X)$ can be considered as a description of the set $\gamma(E)$ of the concrete states $x \in \mathbb{Z}^k$ with $x \models E$. Likewise, the best description $\alpha(X)$ of a set $X \subseteq \mathbb{Z}^k$ of states is the conjunction of all equalities $e$ with $x \models e$ for all $x \in X$. Together, $\alpha$ and $\gamma$ form a Galois connection between $(2^{\mathbb{Z}^k}, \subseteq)$, the powerset of the set of states ordered by inclusion, and $(\mathbb{E}(X), \Rightarrow)$.

For our analysis, we define the abstract effect $[\![s]\!]^\sharp$ for every assignment $s$ by:

$[\![x_i := ?]\!]^\sharp\, E = \exists x_i.\, E$
$[\![x_i := x_i + c]\!]^\sharp\, E = E[x_i - c / x_i]$
$[\![x_i := c]\!]^\sharp\, E = (\exists x_i.\, E) \wedge (x_i \doteq c)$
$[\![x_i := x_j + c]\!]^\sharp\, E = (\exists x_i.\, E) \wedge (x_i \doteq x_j + c)$ if $i \neq j$

Here, $\exists x_i.\, E$ denotes the abstract existential quantification, i.e., $\exists x_i.\, E = \bot$ if $E = \bot$; otherwise it is the conjunction of all equalities implied by $E$ which do not contain the variable $x_i$. The array representation of the normalised conjunction for $E' = \exists x_i.\, E$ can be computed as follows. Let $X$ denote the connected component containing $x_i$ in the graph $G(E)$. All entries of $E'$ for variables $x_j \notin X$ equal the corresponding entries in $E$. If $X = \{x_i\}$, $E'$ equals $E$. Otherwise, we remove the variable $x_i$ from $X$. This means that we set $E(x_i) \leftarrow x_i$. If $x_i$ is not the reference variable of $X$, then also $E'(x_j) = E(x_j)$ for all remaining $x_j \in X$, $x_j \neq x_i$. If $x_i$ is the reference variable of $X$, then we determine the variable $x_h \neq x_i$ in $X$ with least index. Assume that $E(x_h) = x_i + b$. Then we set $E(x_j) \leftarrow x_h - b + b_j$ whenever $E(x_j) = x_i + b_j$. Note that $\exists x_i.\, E$ preserves $\bot$ and commutes with least upper bounds. Furthermore, the given algorithm runs in time $O(k)$.

For an assignment $x_i := x_i + c$, we observe that the value of $x_i$ before the assignment can be recovered from the value of $x_i$ after the assignment. Therefore, the conjunction after the assignment can be obtained from the conjunction $E$ before the assignment by substituting $x_i - c$ for $x_i$.
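As an added illustration (not the paper's own code), the abstract effects defined above on the array representation, including the $O(k)$ algorithm for $\exists x_i.\, E$ and the substitution rule for $x_i := x_i + c$; the concrete encoding (a dict mapping each global to its reference variable and offset, or to a constant) and the statement tuples are assumptions of this example:

```python
# Added example (not the paper's code): the abstract effects [[s]]# of Section 4 on the
# array representation. E maps each global xi to (ref, b) meaning xi = ref + b, ref being
# the reference variable (least index) of its component (a reference maps to (itself, 0)).
BOTTOM = None            # unsatisfiable E; inside an entry, ref None means xi = b

def idx(v):
    return int(v[1:])                     # "x2" -> 2

def top(k):
    """No information: every variable is its own singleton component."""
    return {f"x{i}": (f"x{i}", 0) for i in range(1, k + 1)}

def exists(E, xi):
    """Abstract existential quantification: forget everything about xi in time O(k)."""
    if E is BOTTOM:
        return BOTTOM
    E = dict(E)
    members = sorted((xj for xj, (r, _) in E.items() if r == xi and xj != xi), key=idx)
    if E[xi][0] == xi and members:        # xi was the reference of a larger component:
        xh, (_, bh) = members[0], E[members[0]]   # the least remaining member takes over
        for xj in members:                # xj = xi + bj and xi = xh - bh give xj = xh - bh + bj
            E[xj] = (xh, E[xj][1] - bh)
    E[xi] = (xi, 0)
    return E

def conj_eq(E, xi, ref, c):
    """E and (xi = ref + c), or xi = c for ref None; xi must be a singleton in E."""
    if ref is None:
        E[xi] = (None, c)
        return E
    r, b = E[ref]                         # ref = r + b, so xi = r + b + c
    if r is None:
        E[xi] = (None, b + c)
    elif idx(xi) < idx(r):                # xi has the least index: it becomes the reference
        for xj, (rj, bj) in list(E.items()):
            if rj == r:
                E[xj] = (xi, bj - (b + c))
        E[xi] = (xi, 0)
    else:
        E[xi] = (r, b + c)
    return E

def effect(stmt, E):
    """[[s]]# E for ("havoc", xi), ("const", xi, c), ("add", xi, c), ("copy", xi, xj, c)."""
    if E is BOTTOM:
        return BOTTOM
    kind, xi = stmt[:2]
    if kind == "havoc":
        return exists(E, xi)
    if kind == "add":                     # xi := xi + c: substitute xi - c for xi
        E, c = dict(E), stmt[2]
        if E[xi][0] == xi:                # xi is a reference: every member shifts by -c
            for xj, (r, b) in E.items():
                if r == xi and xj != xi:
                    E[xj] = (xi, b - c)
        else:                             # xi = xh + b or xi = b becomes ... + c
            E[xi] = (E[xi][0], E[xi][1] + c)
        return E
    E = exists(E, xi)                     # xi := c and xi := xj + c (i != j)
    return conj_eq(E, xi, None if kind == "const" else stmt[2], stmt[-1])
```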
If $x_i$ occurs on the right-hand side of equalities in $E$, this substitution is implemented by preserving the equality $x_i \doteq x_i$ and replacing every other equality $x_j \doteq x_i + b_j$ with $x_j \doteq x_i - c + b_j$. If $x_i$ only occurs on the left-hand side, i.e., in an equality $x_i \doteq x_h + b_i$ or $x_i \doteq b_i$, then we replace this equality with $x_i \doteq x_h + c + b_i$ or $x_i \doteq c + b_i$, respectively. Again, this operation is distributive and can be executed in time $O(k)$.

For the remaining instances of assignments, we first remove the variable $x_i$ from all equalities in $E$ by means of abstract existential quantification, and then add the equality $x_i \doteq c$ or $x_i \doteq x_j + c$, respectively. Since both abstract existential quantification and conjunction with a single equality can be executed in time $O(k)$, this transformation can be executed in time $O(k)$ as well. Since it is composed of distributive transformations, it is also distributive.

Summarising, we found that for every assignment $s$ the transformation $[\![s]\!]^\sharp$ is distributive, where $[\![s]\!]^\sharp E$ can be computed in time $O(k)$ for a normalised conjunction $E$. Moreover, we find:

LEMMA 4.8. For a set of program states $X \subseteq \mathbb{Z}^k$ and an arbitrary assignment $s$:

$\alpha([\![s]\!]\, X) = [\![s]\!]^\sharp(\alpha(X))$

PROOF. The proof of Lemma 4.8 is by construction.

5. INTERPROCEDURAL ANALYSIS

In order to construct an interprocedural analysis of variable differences, we must provide an effective and, if possible, succinct representation of the effects of procedures. An obvious approach would be to tabulate the abstract effect of a procedure on its inputs. Here, we follow the approach of [Müller-Olm and Seidl 2008] and rely on weakest precondition transformers. The advantage of weakest precondition transformers is that they are completely distributive, i.e., they commute with arbitrary conjunctions. This implies that weakest precondition transformers only need to be specified for single equalities. We are interested in preconditions of equalities of the form $x_i \doteq c$ or $x_i \doteq x_j + c$ for global variables $x_i, x_j$ and constants $c$. Since the constants $c$ may take arbitrary integer values, there are still infinitely many equalities of interest. Instead of dealing with equalities for each constant $c$ separately, we introduce a fresh variable denoted by the symbol $\bullet$ which is not accessed by the program, but may be instantiated with any constant $c$. Accordingly, for computing the representation of procedures we consider postconditions of the form

$x_j \doteq \bullet$ or $x_i \doteq x_j + \bullet$

for global variables $x_i, x_j$ where, w.l.o.g., $i > j$. We call postconditions of this form generic. The variable $\bullet$ thus acts as a logical variable which allows us to relate a value occurring in the postcondition with a value possibly occurring in the precondition. Preconditions of generic equalities then may be conjunctions of equalities of one of the following forms:

(1) $0 \doteq a \cdot \bullet + b$
(2) $x_j \doteq a \cdot \bullet + b$
(3) $x_i \doteq x_j + a \cdot \bullet + b$

for global variables $x_i, x_j \in X$ with $i > j$ and constants $a, b \in \mathbb{Z}$. Let us call such equalities parametric. Note that every generic equality is also parametric (choose $a = 1$ and $b = 0$ in parametric postconditions of types (2) and (3)). Note further that $0 \doteq a \cdot \bullet + b$ is only satisfiable over $\mathbb{Z}$ iff $a = b = 0$ or $a$ divides $b$. In the latter case it has the unique solution $\bullet = -b/a$.

Example 5.1. Consider the procedure p:

void p() { x1 = x1 + 1; x2 = x2 - 1; }

which increments the global variable $x_1$ and decrements the global variable $x_2$. The weakest preconditions of $x_1 \doteq \bullet$, $x_2 \doteq \bullet$ and $x_2 \doteq x_1 + \bullet$ then are given by:

$x_1 \doteq \bullet$          $x_1 \doteq \bullet - 1$
$x_2 \doteq \bullet$          $x_2 \doteq \bullet + 1$
$x_2 \doteq x_1 + \bullet$    $x_2 \doteq x_1 + \bullet + 2$

In case the second assignment in the body of p is x2 = 5, we obtain the following preconditions:

$x_1 \doteq \bullet$          $x_1 \doteq \bullet - 1$
$x_2 \doteq \bullet$          $0 \doteq \bullet - 5$
$x_2 \doteq x_1 + \bullet$    $x_1 \doteq -\bullet + 4$

Thus, the postcondition $x_2 \doteq \bullet$ can only hold if $\bullet$ equals 5.

Satisfiability of single parametric equalities $e$ as well as of conjunctions $E$ of such equalities again is denoted by $Z \models e$ and $Z \models E$, respectively, where now $Z \subseteq \mathbb{Z}^{k+1}$ is a set of vectors, each consisting of values for the variables $x_i$ together with one value for $\bullet$ as component $k + 1$. Such a vector $z \in Z$ is called an extended state, which is also written as a pair $(x, c)$ for a vector $x \in \mathbb{Z}^k$ with values for the variables $x_i$ together with a value $c$ for $\bullet$. For a satisfiable conjunction $E$ of parametric equalities without equalities of form (1), we define a normalised form analogously to the normal form of finite conjunctions of ordinary equalities. However, if there is a satisfiable equality of form (1), then we determine the unique value $v$ for $\bullet$ and remove $\bullet$ from all other equalities. In this case, the normal form is $(\bullet \doteq v) \wedge E'$ where $E'$ is the normal form which we have defined for conjunctions without $\bullet$. Let $\mathbb{E}_\bullet(X)$ denote the complete lattice of equivalence classes of finite conjunctions of parametric equalities over variables from $X$.

The concrete semantics operates on sets $X \subseteq \mathbb{Z}^k$ and does not affect the value of the logical variable. Accordingly, we extend any completely distributive transformation $f : 2^{\mathbb{Z}^k} \to 2^{\mathbb{Z}^k}$ of concrete sets of states to a completely distributive transformation $\mathrm{ext}\, f : 2^{\mathbb{Z}^{k+1}} \to 2^{\mathbb{Z}^{k+1}}$ of sets of extended states by defining:

$\mathrm{ext}\, f\, \{(x, c)\} = \{(x', c) \mid x' \in f\, \{x\}\}$

For an assignment $s$, the WP transformer $[\![s]\!]^\top$ applied to a single non-trivial equality $e$ is given by:

$[\![x_i := ?]\!]^\top\, e = \forall x_i.\, e = \bot$ if $e$ contains $x_i$, and $e$ otherwise
$[\![x_i := c]\!]^\top\, e = e[c/x_i]$
$[\![x_i := x_j + c]\!]^\top\, e = e[x_j + c/x_i]$

for $x_i, x_j \in X$ and $c \in \mathbb{Z}$. The weakest precondition for a non-deterministic assignment $x_i := ?$ applied to a non-trivial equality $e$ is $\bot$ if the variable $x_i$ occurs in $e$, because $e$ cannot hold for multiple values of $x_i$. In order to compute the weakest precondition for an assignment $x_i := t$, we substitute $t$ for every occurrence of the variable $x_i$ in $e$. If $x_i$ occurs on the left-hand side of $e$, this may violate the format we have fixed for equalities. This format, though, can be restored straightforwardly by algebraic simplification, e.g.,

$[\![x_4 := x_1 + 5]\!]^\top (x_4 \doteq x_3 + 2) = (x_1 + 5 \doteq x_3 + 2) = (x_3 \doteq x_1 + 3)$.

By construction, we have:

LEMMA 5.2. For a set of extended program states $Z \subseteq \mathbb{Z}^{k+1}$, $E \in \mathbb{E}_\bullet(X)$ and an arbitrary assignment $s$: $\mathrm{ext}\, [\![s]\!]\, (Z) \models E$ iff $Z \models [\![s]\!]^\top E$.

By this lemma, the WP transformers provide an exact abstraction of the extended concrete transformers of the collecting semantics, i.e., the extended concrete effect function applied to a set of extended states $Z$ satisfies the conjunction $E$ iff $Z$ satisfies the conjunction returned by the WP transformer for $E$. In order to describe the abstract effects of whole procedures, we set up the following constraint system $\mathcal{S}^\top$:

$\mathcal{S}^\top[r_q] \sqsubseteq \mathrm{Id}$                      $r_q$ exit point of procedure $q$
$\mathcal{S}^\top[u] \sqsubseteq \mathcal{S}^\top[s_q] \circ \mathcal{S}^\top[v]$      $(u, q(), v)$ a call edge, $s_q$ entry point of $q$
$\mathcal{S}^\top[u] \sqsubseteq [\![s]\!]^\top \circ \mathcal{S}^\top[v]$      $(u, s, v)$ an assignment edge

Again, $\mathrm{Id}$ denotes the identity mapping that maps $E$ to itself for every $E \in \mathbb{E}_\bullet(X)$. Here, $\mathcal{S}^\top[u]$ specifies the weakest precondition transformer for a program point $u$ of procedure $q$ when starting from $u$ and reaching the procedure exit of $q$. All operations in this constraint system are monotonic. Therefore, it has a greatest solution. Since all occurring functions are $\sqcap$-distributive, composition is $\sqcap$-distributive as well. We obtain:

THEOREM 5.3. Assume $Z \subseteq \mathbb{Z}^{k+1}$ is a set of extended states and $E \in \mathbb{E}_\bullet(X)$. Then, for every program point $u$: $\mathrm{ext}\, \mathcal{S}[u]\, Z \models E$ iff $Z \models \mathcal{S}^\top[u]\, E$.

PROOF. The proof of Theorem 5.3 proceeds by induction on the $i$-th approximation of the least fixpoint of $\mathcal{S}$ and the greatest fixpoint of the constraint system $\mathcal{S}^\top$.

For computing a solution for the constraint system $\mathcal{S}^\top$, an effective representation of transformers is required. As weakest precondition transformers distribute over conjunctions, it suffices to determine the results of the transformer for single equalities only. However, since $\mathbb{Z}$ is infinite, the number of possible equalities is infinite as well, such that we cannot simply tabulate the results for all equalities. In the next section we show how to circumvent this problem.

6. EFFECTIVE REPRESENTATION OF WP TRANSFORMERS

The key observation for obtaining an effective representation of WP transformers is that the WP transformers are completely determined by their values for generic postconditions, i.e., postconditions of the forms $x_j \doteq \bullet$ or $x_i \doteq x_j + \bullet$ with $i > j$. The set $\mathcal{P}_\bullet(X)$ of all generic postconditions is finite and contains only $O(k)$ many elements. Any other equality involving globals is obtained from a generic postcondition by means of substituting the logical variable $\bullet$ with a term $a \bullet + b$ which consists of constants $a, b$ and $\bullet$ only. Note that $a, b$ can be 0. In order to recover the full WP transformer from its values for generic postconditions, we use an operator $\mathrm{ext}^\top$. The operator $\mathrm{ext}^\top$ takes a function $f^\top : \mathcal{P}_\bullet(X) \to \mathbb{E}_\bullet(X)$ and transforms it into a full WP transformer of type $\mathbb{E}_\bullet(X) \to \mathbb{E}_\bullet(X)$. For a single equality $e$ involving globals and $\bullet$, this transformer is defined by:

$\mathrm{ext}^\top(f^\top)(x_i \doteq t) = f^\top(x_i \doteq \bullet)[t/\bullet]$
$\mathrm{ext}^\top(f^\top)(x_i \doteq x_j + t) = f^\top(x_i \doteq x_j + \bullet)[t/\bullet]$

for globals $x_i, x_j \in X$ and a term $t = a \bullet + b$ for constants $a, b$. For equalities $e$ only containing $\bullet$, we define:

$\mathrm{ext}^\top(f^\top)(e) = \top$ if $f^\top(x_1 \doteq \bullet) = \top$, and $e$ otherwise

Here, we assume that $f^\top$ corresponds to a computation that definitely does not terminate if $f^\top(x_1 \doteq \bullet) = \top$. In this case, the precondition of any equality should be $\top$. Otherwise, the precondition of the equality $e$ should be $e$ itself. In fact, we could have chosen any $x_i$ to perform the distinction whether $f$ terminates or not. Finally, for arbitrary conjunctions $E = e_1 \wedge \ldots \wedge e_m$, we set

$\mathrm{ext}^\top(f^\top)(E) = \mathrm{ext}^\top(f^\top)(e_1) \wedge \ldots \wedge \mathrm{ext}^\top(f^\top)(e_m)$

Let $f : 2^{\mathbb{Z}^k} \to 2^{\mathbb{Z}^k}$ be completely distributive. We call $f$ uniform if $f(\{x\}) = \emptyset$ for some vector $x \in \mathbb{Z}^k$ implies that $f(\{x'\}) = \emptyset$ for all $x' \in \mathbb{Z}^k$. Note that all concrete transformers which occur in this context are completely distributive and uniform. We have:

LEMMA 6.1. Let $f : 2^{\mathbb{Z}^k} \to 2^{\mathbb{Z}^k}$ denote a concrete transformer which is completely distributive and uniform. Furthermore, let $f^\top : \mathcal{P}_\bullet(X) \to \mathbb{E}_\bullet(X)$ denote a function where for all $Z \subseteq \mathbb{Z}^{k+1}$ and $e \in \mathcal{P}_\bullet(X)$, $\mathrm{ext}\, f\, (Z) \models e$ iff $Z \models f^\top(e)$. Then also $\mathrm{ext}\, f\, (Z) \models E$ iff $Z \models \mathrm{ext}^\top(f^\top)(E)$ for all $Z \subseteq \mathbb{Z}^{k+1}$ and $E \in \mathbb{E}_\bullet(X)$.

PROOF. Since $f$ and $\mathrm{ext}^\top(f^\top)$ are completely distributive, it suffices to consider single equalities $e$. We perform a case distinction on the different forms of $e$. First consider an equality $e$ which contains a single global $x_i$, i.e., is of the form $x_i \doteq t$ for a term $t = a \bullet + b$. Consider the set $Z' = \{(x, ac + b) \mid (x, c) \in Z\}$. Then

$\mathrm{ext}\, f\, (Z) \models e$
iff $\mathrm{ext}\, f\, (Z') \models (x_i \doteq \bullet)$
iff $Z' \models f^\top(x_i \doteq \bullet)$
iff $Z \models f^\top(x_i \doteq \bullet)[a \bullet + b/\bullet]$
iff $Z \models \mathrm{ext}^\top(f^\top)(x_i \doteq a \bullet + b)$

The proof for an equality $e$ of the form $x_i \doteq x_j + t$ for a second global $x_j$ is analogous. Finally, consider an equality $e$ which does not contain globals $x_i$, i.e., which may only contain constants or $\bullet$. We rely on the following claim:

Claim: Under the assumptions of the lemma for $f$ and $f^\top$, one of the following statements is true:

• $f(\{x\}) = \emptyset$ for some $x \in \mathbb{Z}^k$. Then $f(\{x\}) = \emptyset$ for all $x \in \mathbb{Z}^k$, and $f^\top(x_1 \doteq \bullet) = \top$.
• $f(\{x\}) \neq \emptyset$ for all $x \in \mathbb{Z}^k$, and $f^\top(x_1 \doteq \bullet) \neq \top$.

Before proving the claim, let us first show that the assertion of the lemma for equalities $e$ without globals follows from the claim. First assume case 1 of the claim, i.e., $f(\{x\}) = \emptyset$ for all $x$. Then also $\mathrm{ext}\, f\, (\{(x, c)\}) = \emptyset$ for all $x$ and $c$. Since $\emptyset \models e$, the left-hand side of the assertion is true for all $Z$. Now by the first case of the claim, $f^\top(x_1 \doteq \bullet) = \top$. Hence by definition, also $\mathrm{ext}^\top(f^\top)(e) = \top$, and the right-hand side of the assertion also evaluates to true for all $Z$. Now assume case 2 of the claim, i.e., $f(\{x\}) \neq \emptyset$ for all $x$. Then

$\mathrm{ext}\, f\, (Z) \models e$ iff $Z \models e$ iff $Z \models \mathrm{ext}^\top(f^\top)(e)$

and the assertion follows. It therefore remains to prove the claim. First assume that $f(\{x\}) = \emptyset$ for some $x$. Then by uniformity of $f$, also $\mathrm{ext}\, f\, (\{(x, c)\}) = \emptyset$ for all $(x, c)$, i.e., $\mathrm{ext}\, f(Z) = \emptyset$. Since then $\mathrm{ext}\, f(Z) \models (x_1 \doteq \bullet)$, we conclude by the assumption on $f$ and $f^\top$ that $Z \models f^\top(x_1 \doteq \bullet)$, and therefore, $f^\top(x_1 \doteq \bullet) = \top$. Now assume that $f(\{x\}) \neq \emptyset$ for all $x$. For a contradiction, assume that $f^\top(x_1 \doteq \bullet) = \top$. For some $x \in \mathbb{Z}^k$ and $x' \in f(\{x\})$, consider the sets $Z = \{(x, c) \mid c \in \mathbb{Z}\}$ and $Z' = \{(x', c) \mid c \in \mathbb{Z}\}$. Then $Z \models f^\top(x_1 \doteq \bullet)$, and hence by the assumption on $f$ and $f^\top$, $\mathrm{ext}\, f\, (Z) \models (x_1 \doteq \bullet)$. Since $Z' \subseteq \mathrm{ext}\, f\, (Z)$, also $Z' \models (x_1 \doteq \bullet)$. This means that $x_1 = c$ for all $c$, which yields a contradiction. We conclude that $f^\top(x_1 \doteq \bullet)$ cannot be equal to $\top$, and the second statement of the claim follows. This completes the proof.

Using the new operator $\mathrm{ext}^\top$, we obtain the following modified constraint system for the weakest precondition transformers of procedures, as represented by their values on only the generic postconditions:

$\mathcal{S}_\bullet[r_q] \sqsubseteq \mathrm{Id}$                      $r_q$ exit point of procedure $q$
$\mathcal{S}_\bullet[u] \sqsubseteq \mathrm{ext}^\top(\mathcal{S}_\bullet[s_q]) \circ \mathcal{S}_\bullet[v]$      $(u, q(), v)$ a call edge, $s_q$ entry point of $q$
$\mathcal{S}_\bullet[u] \sqsubseteq [\![s]\!]^\top \circ \mathcal{S}_\bullet[v]$      $(u, s, v)$ an assignment edge

For a distinction, let us call this constraint system $\mathcal{S}_\bullet$. The construction of a representation for the composition of transformers, as required for the constraints of the second and third line, must take into account that we compute with mappings from $\mathcal{P}_\bullet(X) \to \mathbb{E}_\bullet(X)$ only. This means for the constraints from the second line that we must extend the transformer for the called procedure by means of $\mathrm{ext}^\top$ before the composition can be performed. In general, consider a composition $h = \mathrm{ext}^\top(f^\top) \circ g^\top$ for completely distributive functions $f^\top, g^\top$. Let $e$ denote a generic postcondition, and assume that $e_1[t_1/\bullet] \wedge \ldots \wedge e_r[t_r/\bullet]$ is a normalised conjunction for $g^\top(e)$ where $e_i \in \mathcal{P}_\bullet(X)$. Then the value $(\mathrm{ext}^\top(f^\top) \circ g^\top)(e)$ is the normalised conjunction for

$f^\top(e_1)[t_1/\bullet] \wedge \ldots \wedge f^\top(e_r)[t_r/\bullet]$

i.e., it amounts to normalising a conjunction of $O(k)$ equalities. According to Lemma 3.2, this can be done in time $O(k)$. Since there are at most $O(k)$ generic postconditions, a representation for the composition $h$ can be computed in time $O(k)$.
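As an added example (not the paper's own code), the WP transformers of Section 5 applied to the procedure p of Example 5.1 and to its variant with x2 = 5, together with the generic postconditions of Section 6 and the instantiation step $f^\top(e)[t/\bullet]$ of $\mathrm{ext}^\top$; the linear-form encoding of parametric equalities and the statement tuples are assumptions of this example, and the forms (1)-(3) are normalised by the sign convention given in the comments:

```python
# Added example (not the paper's code): WP transformers of Section 5 on parametric
# equalities, run on p of Example 5.1, plus Section 6's generic postconditions and ext.
# An equality is the linear form sum coef*var + const = 0 over "x1".."xk" and "•".
BULLET, CONST = "•", "const"
BOTTOM = None              # the unsatisfiable precondition (false)

def norm(e):
    """Normal form of forms (1)-(3): drop zero coefficients, give the highest-index
    global coefficient +1 (• coefficient -1 when no global occurs) and reject
    0 = a•+b when a does not divide b, which is unsatisfiable over Z."""
    e = {v: c for v, c in e.items() if c != 0}
    globs = [v for v in e if v not in (BULLET, CONST)]
    lead = e[max(globs, key=lambda v: int(v[1:]))] if globs else e.get(BULLET, 0)
    if (globs and lead < 0) or (not globs and lead > 0):
        e = {v: -c for v, c in e.items()}
    if not globs:
        a, b = -e.get(BULLET, 0), -e.get(CONST, 0)      # reads as 0 = a•+b
        if b != 0 and (a == 0 or b % a != 0):
            return BOTTOM
    return e

def subst(e, x, t):
    """e[t/x]: replace the variable x by the linear form t."""
    a = e.get(x, 0)
    r = {v: c for v, c in e.items() if v != x}
    for v, c in t.items():
        r[v] = r.get(v, 0) + a * c
    return r

def wp(stmt, e):
    """[[s]]^T e: ("havoc", xi) is xi := ?, ("assign", xi, t) is xi := t."""
    if e is BOTTOM:
        return BOTTOM
    if stmt[0] == "havoc":            # forall xi. e is ⊥ as soon as xi occurs in e
        return BOTTOM if e.get(stmt[1], 0) else e
    return norm(subst(e, stmt[1], stmt[2]))

def wp_seq(body, e):
    """WP of a straight-line body: compose the statement transformers back to front."""
    for stmt in reversed(body):
        e = wp(stmt, e)
    return e

def bullet_value(e):
    """The value of • forced by an equality of form (1), else None."""
    if e is BOTTOM or not e.get(BULLET) or any(v not in (BULLET, CONST) for v in e):
        return None
    return e.get(CONST, 0) // -e[BULLET]     # -b/a, exact after norm

def instantiate(pre, t):
    """ext(f)(e)[t/•]: precondition of a concrete equality from the generic one."""
    return BOTTOM if pre is BOTTOM else norm(subst(pre, BULLET, t))

def generic_posts(k):
    """P•(X): xj = • for every j, and xi = xj + • for i > j."""
    posts = [{f"x{j}": 1, BULLET: -1} for j in range(1, k + 1)]
    return posts + [{f"x{i}": 1, f"x{j}": -1, BULLET: -1}
                    for i in range(1, k + 1) for j in range(1, i)]
# Example 5.1: p increments x1 and decrements x2; q instead assigns x2 = 5.
P = [("assign", "x1", {"x1": 1, CONST: 1}), ("assign", "x2", {"x2": 1, CONST: -1})]
Q = [("assign", "x1", {"x1": 1, CONST: 1}), ("assign", "x2", {CONST: 5})]
```

A dict such as {"x2": 1, "x1": -1, "•": -1, "const": -2} reads as x2 - x1 - • - 2 = 0, i.e. the precondition x2 = x1 + • + 2 from Example 5.1; the summary of p is [(post, wp_seq(P, post)) for post in generic_posts(2)].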


Publication date: 2012