Scribd
Upload
38 views

Static and Dynamic Analysis: Synergy and Duality: Michael Ernst

This document discusses combining static and dynamic analysis techniques. It begins by reviewing static and dynamic analysis individually, noting their strengths and weaknesses. It then explores ways they can be combined, such as aggregation where one technique pre-processes or post-processes the other, analogous analyses that solve the same problem in different domains, and hybrid analyses that blend the approaches. A key point is that both static and dynamic analysis only examine subsets of all possible program behaviors, due to limitations like abstraction in static analysis and finite test suites in dynamic analysis. The document argues these subsets can be viewed dually between execution traces and data structures. Combining techniques by unifying their subset descriptions may lead to more precise analyses.

Uploaded by

Junaid Ahmad
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
38 views

Static and Dynamic Analysis: Synergy and Duality: Michael Ernst

This document discusses combining static and dynamic analysis techniques. It begins by reviewing static and dynamic analysis individually, noting their strengths and weaknesses. It then explores ways they can be combined, such as aggregation where one technique pre-processes or post-processes the other, analogous analyses that solve the same problem in different domains, and hybrid analyses that blend the approaches. A key point is that both static and dynamic analysis only examine subsets of all possible program behaviors, due to limitations like abstraction in static analysis and finite test suites in dynamic analysis. The document argues these subsets can be viewed dually between execution traces and data structures. Combining techniques by unifying their subset descriptions may lead to more precise analyses.

Uploaded by

Junaid Ahmad
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 35

Static and dynamic

analysis:
synergy and duality
Michael Ernst
CSE 503, Winter 2010
Lecture 1

Michael Ernst, page 1

Goals
Theme:
Static and dynamic analyses are more similar than
many people believe
One persons view of their relationship

Goals:
Encourage blending of the techniques and
communities
Start productive discussions
Michael Ernst, page 2

Outline
Review of static and dynamic analysis
Synergy: combining static and dynamic analysis
Aggregation
Analogies
Hybrids

Duality: subsets of behavior


Conclusion
Michael Ernst, page 3

Static analysis
Examples: compiler optimizations, program
verifiers
Examine program text (no execution)
Build a model of program state
An abstraction of the run-time state

Reason over possible behaviors


E.g., run the program over the abstract state
Michael Ernst, page 4

Abstract interpretation
Typically implemented via dataflow analysis
Each program statements transfer function
indicates how it transforms state
Example: What is the transfer function for
y = x++;

Michael Ernst, page 5

Selecting an abstract
domain

x = { 3, 5, 7 }; y = { 9, 11, 13 }

x is odd; y is odd
y = x++;
x is even; y is odd
x is prime; y is prime
y = x++;

y = x++;
x = { 4, 6, 8 }; y = { 3, 5, 7 }
x=3, y=11, x=5, y=9, x=7, y=13
y = x++;
x=4, y=3, x=6, y=5, x=8, y=7

x is anything; y is prime xn = f(an-1,,zn-1); yn = f(an-1,,zn-1)


y = x++;
xn+1 = xn+1; yn+1 = xn
Michael Ernst, page 6

Research challenge:
Choose good abstractions
The abstraction determines the expense (in
time and space)
The abstraction determines the accuracy
(what information is lost)
Less accurate results are poor for applications
that require precision
Cannot conclude all true properties in the
grammar
Michael Ernst, page 7

Static analysis recap


Slow to analyze large models of state, so
use abstraction
Conservative: account for abstracted-away
state
Sound: (weak) properties are guaranteed to
be true
*Some static analyses are not sound

Michael Ernst, page 8

Dynamic analysis
Examples: profiling, testing
Execute program (over some inputs)
The compiler provides the semantics

Observe executions
Requires instrumentation infrastructure

Must choose what to measure, and what test


runs
Michael Ernst, page 9

Research challenge:
What to measure?
Coverage or frequency
Statements, branches, paths, procedure calls, types,
method dispatch

Values computed
Parameters, array indices

Run time, memory usage


Test oracle results
Similarities among runs [Podgurski 99, Reps 97]
Like abstraction, determines what is reported
Michael Ernst, page 10

Research challenge:
Choose good tests
The test suite determines the expense (in time and
space)
The test suite determines the accuracy (what
executions are never seen)
Less accurate results are poor for applications that
require correctness
Many domains do not require correctness!

*What information is being collected also matters


Michael Ernst, page 11

Dynamic analysis recap


Can be as fast as execution (over a test
suite, and allowing for data collection)
Example: aliasing

Precise: no abstraction or approximation


Unsound: results may not generalize to
future executions
Describes execution environment or test suite

Michael Ernst, page 12

Static
analysis

Dynamic
analysis

Abstract domain
Concrete execution
slow if precise
slow if exhaustive
Conservative
Precise
due to abstraction
no approximation
Sound
Unsound
due to conservatism
does not generalize

Michael Ernst, page 13

Outline

Review of static and dynamic analysis


Synergy: combining static and dynamic analysis
Aggregation
Analogies
Hybrids

Duality: subsets of behavior


Conclusion
Michael Ernst, page 14

Combining static and


dynamic analysis
1. Aggregation:
Pre- or post-processing
2. Inspiring analogous analyses:
Same problem, different domain
3. Hybrid analyses:
Blend both approaches

Michael Ernst, page 15

1. Aggregation:
Pre- or post-processing
Use output of one analysis as input to another
Dynamic then static
Profile-directed compilation: unroll loops, inline,
reorder dispatch,
Verify properties observed at run time

Static then dynamic


Reduce instrumentation requirements
Efficient branch/path profiling
Discharge obligations statically (type/array checks)

Type checking (e.g., Java, including generics)


Indicate suspicious code to test more thoroughly
Michael Ernst, page 16

2. Analogous analyses:
Same problem, different
domain

Any analysis problem can be solved in either domain


Type safety: no memory corruption or operations
on wrong types of values
Static type-checking
Dynamic type-checking

Slicing: what computations could affect a value


Static: reachability over dependence graph
Dynamic: tracing
Michael Ernst, page 17

Memory checking
Goal: find array bound violations, uses of uninit. memory
Purify [Hastings 92]: run-time instrumentation
Tagged memory: 2 bits (allocated, initialized) per byte
Each instruction checks/updates the tags

Allocate: set A bit, clear I bit


Write: require A bit, set I bit
Read: require I bit
Deallocate: clear A bit

LCLint [Evans 96]: compile-time dataflow analysis


Abstract state contains allocated and initialized bits
Each transfer function checks/updates the state

Identical analyses!
Another example: atomicity checking [Flanagan 2003]
Michael Ernst, page 18

Specifications
Specification checking
Statically: theorem-proving
Dynamically: assert statement

Specification generation
Statically: by hand or abstract interpretation
[Cousot 77]

Dynamically: by invariant detection [Ernst 99],


reporting unfalsified properties
Michael Ernst, page 19

Your analogous analyses


here
Look for gaps with no analogous analyses!
Try using the same analysis
But be open to completely different approaches

There is still low-hanging fruit to be harvested

Michael Ernst, page 20

3. Hybrid analyses:
Blending static and
dynamic

Combine static and dynamic analyses

Not mere aggregation, but a new analysis


Disciplined trade-off between precision and
soundness: find the sweet spot between them

Michael Ernst, page 21

Possible starting points


Analyses that trade off run-time and precision
Different abstractions (at different program points)
Switch between static and dynamic at analysis time

Ignore some available information


Examine only some paths [Evans 94, Detlefs 98, Bush 00]

Merge based on observation that both examine only a


subset of executions (next section of talk)
Problem: optimistic vs. pessimistic treatment

More examples: (bounded) model checking, security


analyses, delta debugging [Zeller 99], etc.
Michael Ernst, page 22

Outline
Review of static and dynamic analysis
Synergy: combining static and dynamic analysis
Aggregation
Analogies
Hybrids

Duality: subsets of behavior


Conclusion
Michael Ernst, page 23

Static
analysis

Dynamic
analysis

Abstract domain
Concrete execution
slow if precise
slow if exhaustive
Conservative
Precise
due to abstraction
no approximation
Sound
Unsound
due to conservatism
does not generalize

Michael Ernst, page 24

Sound dynamic analysis


Observe every possible execution!
Problem: infinite number of executions
Solution: test case selection and generation
Efficiency tweaks to an algorithm that works
perfectly in theory but exhausts resources in
practice

Michael Ernst, page 25

Precise static analysis


Reason over full program state!
Problem: infinite number of executions
Solution: data or execution abstraction
Efficiency tweaks to an algorithm that works
perfectly in theory [Cousot 77] but exhausts
resources in practice

Michael Ernst, page 26

Dynamic analysis focuses


on
a subset of executions

The executions in the test suite


Easy to enumerate
Characterizes program use

Typically optimistic for other executions

Michael Ernst, page 27

Static analysis focuses on


a subset of data
structures

More precise for data or control described by


the abstraction
Concise logical description
Typically conservative elsewhere (safety net)

Example: k-limiting [Jones 81]


Represents each object reachable by k pointers
Groups together (approximates) more distant
objects
Michael Ernst, page 28

Dual views of subsets


Execution and data subsets are views on the same space
Every execution subset corresponds to a data subset
Executions induce data structures and control flow

Every data subset corresponds to an execution subset


A set of objects represents the executions that generate
them

Subset description may be concise in one domain but


complex in the other
What if the test suite was generated from a specification?

Any analysis may be conservative over other behaviors


Michael Ernst, page 29

Differences between the


approaches
Static and dynamic analysis communities
work with different subsets
Each subset and characterization is better for
certain uses

What subsets have a concise description in


both domains?
Augment a test suite to fill out the data
structures that it creates, making the data
structure description a smaller logical formula
Michael Ernst, page 30

A hybrid view of
subsets
Bring together static and dynamic analysis by
unifying their subset descriptions
Find subsets with small descriptions with respect to
both data structures and executions
Find a new, smaller description

Advantages of this approach

Directly compare previous disparate analyses


Directly apply analyses to other domain
Switch between the approaches
Obtain insight in order to devise and optimize analyses
Michael Ernst, page 31

Outline
Review of static and dynamic analysis
Synergy: combining static and dynamic analysis
Aggregation
Analogies
Hybrids

Duality: subsets of behavior


Conclusion
Michael Ernst, page 32

Potential pitfalls
Analogies between analyses
What applications tolerate unsoundness/imprecision?
Any more low-hanging fruit?
Most static and dynamic approaches differ

Hybrid analyses
How to measure and trade off precision and soundness
What is partial soundness? What is in between?

Not all static analyses are abstract interpretation


Optimistic vs. pessimistic treatment of unseen
executions

Subset characterization
Find the unified characterization of behavior
Michael Ernst, page 33

Conclusion
Static and dynamic analysis share many similarities
Communities should be closer

Create analogous analyses


Many successes so far

Hybrid approach holds great promise


Analyses increasingly look like points in this continuum
Unified theory of subsets of executions/data is key

(Our) future work: explore this space


Michael Ernst, page 34

Discussion

Michael Ernst, page 35

You might also like