├── .gitbook
│   └── assets
│       ├── DtoA.png
│       ├── Ex4-1.png
│       ├── Ex4-2.png
│       ├── Ex4-3.png
│       ├── Ex4-4.png
│       ├── Ex4-5.png
│       ├── Ex4-6.png
│       ├── PL.png
│       ├── concurrentProgram.png
│       ├── harmonyOS.png
│       ├── image-20201029224401395.png
│       ├── image-20201029224437136.png
│       ├── image-20201029224506176.png
│       ├── image-20201029224736803.png
│       ├── image-20201029224820647.png
│       ├── image-20201029224941882.png
│       ├── image-20201029225106724.png
│       ├── image-20201029225304889.png
│       ├── image-20201029225350619.png
│       ├── image-20201029230138054.png
│       ├── image-20201029230224316.png
│       ├── image-20201029230504891.png
│       ├── image-20201029230535984.png
│       ├── image-20201029230622120.png
│       ├── image-20201029230909895.png
│       ├── image-20201029231106891.png
│       ├── image-20201029231132412.png
│       ├── image-20201029231155238.png
│       ├── image-20201029231304304.png
│       ├── image-20201029231543567.png
│       ├── image-20201029231611608.png
│       ├── image-20201029231706834.png
│       ├── image-20201029231908883.png
│       ├── image-20201029231936719.png
│       ├── image-20201029231952670.png
│       ├── image-20201105183618529.png
│       ├── image-20201105184327763.png
│       ├── image-20201105184919660.png
│       ├── image-20201105185230667.png
│       ├── image-20201105185431196.png
│       ├── image-20201105185630758.png
│       ├── image-20201105185806532.png
│       ├── image-20201105190333596.png
│       ├── image-20201105190439805.png
│       ├── image-20201105191248594.png
│       ├── image-20201105191705757.png
│       ├── image-20201105194030384.png
│       ├── image-20201105194707507.png
│       ├── image-20201105195029800.png
│       ├── image-20201105195154527.png
│       ├── image-20201105195524932.png
│       ├── image-20201105195843958.png
│       ├── image-20201105195943007.png
│       ├── image-20201105200112512.png
│       ├── image-20201105200123601.png
│       ├── image-20201105200412145.png
│       ├── image-20201105200815104.png
│       ├── image-20201105201018655.png
│       ├── image-20201105201421501.png
│       ├── image-20201105201746860.png
│       ├── image-20201105201939088.png
│       ├── image-20201105202101633.png
│       ├── image-20201105235312349.png
│       ├── image-20201109140057119.png
│       ├── image-20201109140605829.png
│       ├── image-20201109154728420.png
│       ├── image-20201109154844509.png
│       ├── image-20201112191544354.png
│       ├── image-20201112191630283.png
│       ├── image-20201112193329365.png
│       ├── image-20201112193357268.png
│       ├── image-20201112194234928.png
│       ├── image-20201112194358502.png
│       ├── image-20201112194555582.png
│       ├── image-20201112195502575.png
│       ├── image-20201123205009821.png
│       ├── image-20201126184745576.png
│       ├── image-20201126185008506.png
│       ├── image-20201126185233403.png
│       ├── image-20201126191225969.png
│       ├── image-20201126191650221.png
│       ├── image-20201126194125039.png
│       ├── image-20201126195311513.png
│       ├── image-20201126195425756.png
│       ├── image-20201126201000426.png
│       ├── image-20201126221950557.png
│       ├── image-20201126230831572.png
│       ├── image-20201126231116221.png
│       ├── image-20201126231403264.png
│       ├── image-20201126231437769.png
│       ├── image-20201126231722298.png
│       ├── image-20201127170432941.png
│       ├── image-20201201151956869.png
│       ├── image-20201210134143907.png
│       ├── image-20201210134328575.png
│       ├── image-20201210135019104.png
│       ├── image-20201210135047052.png
│       ├── image-20201210145819255.png
│       ├── image-20201210151627827.png
│       ├── image-20201210165334864.png
│       ├── image-20201210183358390.png
│       ├── image-20201210183700963.png
│       ├── image-20201210184448955.png
│       ├── image-20201210184527645.png
│       ├── image-20201210184850528.png
│       ├── image-20201210191310040.png
│       ├── image-20201210192001954.png
│       ├── image-20201210193321202.png
│       ├── image-20201210193735607.png
│       ├── image-20201210195519912.png
│       ├── image-20201210200518022.png
│       ├── image-20201210200637330.png
│       ├── image-20201210201540194.png
│       ├── image-20201216173124146.png
│       ├── image-20201216175534756.png
│       ├── image-20201216175748133.png
│       ├── image-20201216180114246.png
│       ├── image-20201216180216650.png
│       ├── image-20201216180422745.png
│       ├── image-20201216180523896.png
│       ├── image-20201216202538515.png
│       ├── image-20201216204823876.png
│       ├── image-20201216205125278.png
│       ├── image-20201216210158092.png
│       ├── image-20201216210347469.png
│       ├── market.png
│       └── mayMustSum.png
├── .gitignore
├── .gitmodules
├── LICENSE
├── README.assets
│   └── image-20201231205814145.png
├── README.md
├── SUMMARY.md
├── ch0
│   ├── 00-01-why-this-book.md
│   ├── 00-02-sources-and-license.md
│   └── ch0.md
├── ch1
│   ├── 1_Intro.md
│   ├── 2IntermediateRepresentation.md
│   ├── 34DataFlowAnalysis.md
│   ├── 56DataFlowAnalysisFoundation.md
│   ├── ch1.md
│   ├── images
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 3.png
│   │   ├── 4.png
│   │   ├── 5.png
│   │   ├── 6.png
│   │   ├── 7.png
│   │   └── 8.png
│   └── img
│       ├── 1_Intro
│       │   ├── image-20210902200335848.png
│       │   └── image-20210902201618713.png
│       ├── 2_Intermediate Representation
│       │   ├── image-20210909175715157.png
│       │   ├── image-20210909180558685.png
│       │   ├── image-20210909192214368.png
│       │   ├── image-20210909192230838.png
│       │   ├── image-20210909193624370.png
│       │   ├── image-20210909193825373.png
│       │   ├── image-20210909194221057.png
│       │   ├── image-20210909194550772.png
│       │   ├── image-20210909194912657.png
│       │   └── image-20210909195613197.png
│       ├── 3_4_Data Flow Analysis
│       │   ├── image-20210917153822357.png
│       │   ├── image-20210917154034546.png
│       │   ├── image-20210917162309404.png
│       │   ├── image-20210917162405362.png
│       │   ├── image-20210917162747257.png
│       │   ├── image-20210917163542130.png
│       │   ├── image-20210917164337106.png
│       │   ├── image-20210917165027657.png
│       │   ├── image-20210917165047931.png
│       │   ├── image-20210917165459729.png
│       │   ├── image-20210917171457003.png
│       │   ├── image-20210917171825938.png
│       │   ├── image-20210917184215918.png
│       │   ├── image-20210917185149738.png
│       │   ├── image-20210917193557643.png
│       │   ├── image-20210917200639739.png
│       │   ├── image-20210917201617719.png
│       │   └── image-20210917202539780.png
│       └── 5_6_Data Flow Analysis Foundation
│           ├── image-20210923162141398.png
│           ├── image-20210923165949698.png
│           ├── image-20211009185424077.png
│           ├── image-20211009190320346.png
│           ├── image-20211009190612357.png
│           ├── image-20211009192219561.png
│           ├── image-20211009193258050.png
│           ├── image-20211009193822041.png
│           ├── image-20211009194808421.png
│           ├── image-20211009195346660.png
│           ├── image-20211009200111058.png
│           ├── image-20211009200302010.png
│           └── image-20211009200914835.png
├── ch2
│   └── ch2.md
├── ch3
│   ├── context-sensitivity
│   │   ├── 03-04-context-sensitivity.md
│   │   ├── 03-05-cs2.md
│   │   └── README.md
│   └── pointer-analysis
│       ├── 03-01-pointer-analysis-spa.md
│       ├── 03-02-pointer2-analysis-spa.md
│       ├── 03-03-pointer3-analysis-spa.md
│       └── README.md
├── ch4
│   ├── 04-01-security.assets
│   │   ├── image-20201217183223733.png
│   │   ├── image-20201217183451069.png
│   │   ├── image-20201217184823323.png
│   │   ├── image-20201217185309441.png
│   │   ├── image-20201217185829167.png
│   │   ├── image-20201217190510106.png
│   │   ├── image-20201217191513356.png
│   │   ├── image-20201217191608133.png
│   │   ├── image-20201217191941119.png
│   │   ├── image-20201217193802763.png
│   │   ├── image-20201217194544398.png
│   │   ├── image-20201217195126758.png
│   │   ├── image-20201217195814591.png
│   │   ├── image-20201217200536542.png
│   │   ├── image-20201217200616889.png
│   │   └── image-20201217201336388.png
│   ├── 04-01-security.md
│   ├── 04-02-Datalog-Based-PA.assets
│   │   ├── image-20201223184349163.png
│   │   ├── image-20201223184415502.png
│   │   ├── image-20201223185015690.png
│   │   ├── image-20201223185231533.png
│   │   ├── image-20201223185504296.png
│   │   ├── image-20201223185750701.png
│   │   ├── image-20201223185957740.png
│   │   ├── image-20201223190539380.png
│   │   ├── image-20201223190710495.png
│   │   ├── image-20201223190916420.png
│   │   ├── image-20201223191303096.png
│   │   ├── image-20201223191451507.png
│   │   ├── image-20201223191716873.png
│   │   ├── image-20201223192111827.png
│   │   ├── image-20201223193351919.png
│   │   ├── image-20201223193808413.png
│   │   ├── image-20201223194245876.png
│   │   ├── image-20201223194326258.png
│   │   ├── image-20201223194559347.png
│   │   ├── image-20201223195004344.png
│   │   ├── image-20201223195501180.png
│   │   ├── image-20201223200243589.png
│   │   ├── image-20201223200506410.png
│   │   ├── image-20201223200617134.png
│   │   ├── image-20201223200945544.png
│   │   ├── image-20201223201109543.png
│   │   ├── image-20201223201354991.png
│   │   ├── image-20201223201428109.png
│   │   ├── image-20201223201612811.png
│   │   ├── image-20201223201746117.png
│   │   ├── image-20201223201956852.png
│   │   └── image-20201223202140289.png
│   ├── 04-02-Datalog-Based-PA.md
│   └── ch4.md
└── ch5
    ├── 05-01-IFDS.assets
    │   ├── image-20201224200732868.png
    │   ├── image-20201224201312394.png
    │   ├── image-20201224201921134.png
    │   ├── image-20201231184204252.png
    │   ├── image-20201231184249491.png
    │   ├── image-20201231185030483.png
    │   ├── image-20201231185419312.png
    │   ├── image-20201231185639039.png
    │   ├── image-20201231190743854.png
    │   ├── image-20201231191027738.png
    │   ├── image-20201231191043066.png
    │   ├── image-20201231191553161.png
    │   ├── image-20201231191923368.png
    │   ├── image-20201231192128228.png
    │   ├── image-20201231193305999.png
    │   ├── image-20201231193404292.png
    │   ├── image-20201231193423998.png
    │   ├── image-20201231193951460.png
    │   ├── image-20201231194039123.png
    │   ├── image-20201231194247160.png
    │   ├── image-20201231194752369.png
    │   ├── image-20201231195241378.png
    │   ├── image-20201231195259204.png
    │   ├── image-20201231195711805.png
    │   ├── image-20201231195848429.png
    │   ├── image-20201231200145777.png
    │   ├── image-20201231200214568.png
    │   ├── image-20201231200351183.png
    │   ├── image-20201231200406642.png
    │   ├── image-20201231200623730.png
    │   ├── image-20201231200656200.png
    │   ├── image-20201231201028380.png
    │   ├── image-20201231202231523.png
    │   └── image-20201231202450969.png
    ├── 05-01-IFDS.md
    ├── 05-02-Soundiness.assets
    │   ├── image-20201224185622416.png
    │   ├── image-20201224185800853.png
    │   ├── image-20201224191028463.png
    │   ├── image-20201224191640084.png
    │   ├── image-20201224191711227.png
    │   ├── image-20201224191813323.png
    │   ├── image-20201224193417814.png
    │   ├── image-20201224193616512.png
    │   ├── image-20201224193811113.png
    │   ├── image-20201224193954800.png
    │   ├── image-20201224194144120.png
    │   ├── image-20201224194505888.png
    │   ├── image-20201224195102570.png
    │   ├── image-20201224195524083.png
    │   ├── image-20201224200127291.png
    │   └── image-20201224200343625.png
    ├── 05-02-Soundiness.md
    ├── 2DC0453A-EB41-4678-8A81-E6E48E4C62B4.png
    └── ch5.md
/.gitbook/assets/DtoA.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/DtoA.png
--------------------------------------------------------------------------------
/.gitbook/assets/Ex4-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/Ex4-1.png
--------------------------------------------------------------------------------
/.gitbook/assets/Ex4-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/Ex4-2.png
--------------------------------------------------------------------------------
/.gitbook/assets/Ex4-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/Ex4-3.png
--------------------------------------------------------------------------------
/.gitbook/assets/Ex4-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/Ex4-4.png
--------------------------------------------------------------------------------
/.gitbook/assets/Ex4-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/Ex4-5.png
--------------------------------------------------------------------------------
/.gitbook/assets/Ex4-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/Ex4-6.png
--------------------------------------------------------------------------------
/.gitbook/assets/PL.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/PL.png
--------------------------------------------------------------------------------
/.gitbook/assets/concurrentProgram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/concurrentProgram.png
--------------------------------------------------------------------------------
/.gitbook/assets/harmonyOS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/harmonyOS.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029224401395.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029224401395.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029224437136.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029224437136.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029224506176.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029224506176.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029224736803.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029224736803.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029224820647.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029224820647.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029224941882.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029224941882.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029225106724.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029225106724.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029225304889.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029225304889.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029225350619.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029225350619.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029230138054.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029230138054.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029230224316.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029230224316.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029230504891.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029230504891.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029230535984.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029230535984.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029230622120.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029230622120.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029230909895.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029230909895.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231106891.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231106891.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231132412.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231132412.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231155238.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231155238.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231304304.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231304304.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231543567.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231543567.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231611608.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231611608.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231706834.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231706834.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231908883.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231908883.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231936719.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231936719.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201029231952670.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201029231952670.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105183618529.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105183618529.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105184327763.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105184327763.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105184919660.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105184919660.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105185230667.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105185230667.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105185431196.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105185431196.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105185630758.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105185630758.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105185806532.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105185806532.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105190333596.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105190333596.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105190439805.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105190439805.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105191248594.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105191248594.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105191705757.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105191705757.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105194030384.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105194030384.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105194707507.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105194707507.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105195029800.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105195029800.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105195154527.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105195154527.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105195524932.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105195524932.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105195843958.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105195843958.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105195943007.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105195943007.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105200112512.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105200112512.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105200123601.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105200123601.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105200412145.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105200412145.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105200815104.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105200815104.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105201018655.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105201018655.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105201421501.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105201421501.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105201746860.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105201746860.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105201939088.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105201939088.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105202101633.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105202101633.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201105235312349.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201105235312349.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201109140057119.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201109140057119.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201109140605829.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201109140605829.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201109154728420.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201109154728420.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201109154844509.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201109154844509.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112191544354.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112191544354.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112191630283.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112191630283.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112193329365.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112193329365.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112193357268.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112193357268.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112194234928.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112194234928.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112194358502.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112194358502.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112194555582.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112194555582.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201112195502575.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201112195502575.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201123205009821.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201123205009821.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126184745576.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126184745576.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126185008506.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126185008506.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126185233403.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126185233403.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126191225969.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126191225969.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126191650221.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126191650221.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126194125039.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126194125039.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126195311513.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126195311513.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126195425756.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126195425756.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126201000426.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126201000426.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126221950557.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126221950557.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126230831572.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126230831572.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126231116221.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126231116221.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126231403264.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126231403264.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126231437769.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126231437769.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201126231722298.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201126231722298.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201127170432941.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201127170432941.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201201151956869.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201201151956869.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210134143907.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210134143907.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210134328575.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210134328575.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210135019104.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210135019104.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210135047052.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210135047052.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210145819255.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210145819255.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210151627827.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210151627827.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210165334864.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210165334864.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210183358390.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210183358390.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210183700963.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210183700963.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210184448955.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210184448955.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210184527645.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210184527645.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210184850528.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210184850528.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210191310040.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210191310040.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210192001954.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210192001954.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210193321202.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210193321202.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210193735607.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210193735607.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210195519912.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210195519912.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210200518022.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210200518022.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210200637330.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210200637330.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201210201540194.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201210201540194.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216173124146.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216173124146.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216175534756.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216175534756.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216175748133.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216175748133.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216180114246.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216180114246.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216180216650.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216180216650.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216180422745.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216180422745.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216180523896.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216180523896.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216202538515.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216202538515.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216204823876.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216204823876.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216205125278.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216205125278.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216210158092.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216210158092.png
--------------------------------------------------------------------------------
/.gitbook/assets/image-20201216210347469.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/image-20201216210347469.png
--------------------------------------------------------------------------------
/.gitbook/assets/market.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/market.png
--------------------------------------------------------------------------------
/.gitbook/assets/mayMustSum.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/.gitbook/assets/mayMustSum.png
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Node rules:
2 | ## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
3 | .grunt
4 |
5 | ## Dependency directory
6 | ## Commenting this out is preferred by some people, see
7 | ## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
8 | node_modules
9 |
10 | # Book build output
11 | _book
12 |
13 | # eBook build output
14 | *.epub
15 | *.mobi
16 | *.pdf
17 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "homework"]
2 | path = homework
3 | url = git@github.com:canliture/nju-software-analysis-homework.git
4 | [submodule "Tai-e-assignments"]
5 | path = Tai-e-assignments
6 | url = https://github.com/pascal-lab/Tai-e-assignments
7 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Attribution-ShareAlike 4.0 International
2 |
3 | =======================================================================
4 |
5 | Creative Commons Corporation ("Creative Commons") is not a law firm and
6 | does not provide legal services or legal advice. Distribution of
7 | Creative Commons public licenses does not create a lawyer-client or
8 | other relationship. Creative Commons makes its licenses and related
9 | information available on an "as-is" basis. Creative Commons gives no
10 | warranties regarding its licenses, any material licensed under their
11 | terms and conditions, or any related information. Creative Commons
12 | disclaims all liability for damages resulting from their use to the
13 | fullest extent possible.
14 |
15 | Using Creative Commons Public Licenses
16 |
17 | Creative Commons public licenses provide a standard set of terms and
18 | conditions that creators and other rights holders may use to share
19 | original works of authorship and other material subject to copyright
20 | and certain other rights specified in the public license below. The
21 | following considerations are for informational purposes only, are not
22 | exhaustive, and do not form part of our licenses.
23 |
24 | Considerations for licensors: Our public licenses are
25 | intended for use by those authorized to give the public
26 | permission to use material in ways otherwise restricted by
27 | copyright and certain other rights. Our licenses are
28 | irrevocable. Licensors should read and understand the terms
29 | and conditions of the license they choose before applying it.
30 | Licensors should also secure all rights necessary before
31 | applying our licenses so that the public can reuse the
32 | material as expected. Licensors should clearly mark any
33 | material not subject to the license. This includes other CC-
34 | licensed material, or material used under an exception or
35 | limitation to copyright. More considerations for licensors:
36 | wiki.creativecommons.org/Considerations_for_licensors
37 |
38 | Considerations for the public: By using one of our public
39 | licenses, a licensor grants the public permission to use the
40 | licensed material under specified terms and conditions. If
41 | the licensor's permission is not necessary for any reason--for
42 | example, because of any applicable exception or limitation to
43 | copyright--then that use is not regulated by the license. Our
44 | licenses grant only permissions under copyright and certain
45 | other rights that a licensor has authority to grant. Use of
46 | the licensed material may still be restricted for other
47 | reasons, including because others have copyright or other
48 | rights in the material. A licensor may make special requests,
49 | such as asking that all changes be marked or described.
50 | Although not required by our licenses, you are encouraged to
51 | respect those requests where reasonable. More_considerations
52 | for the public:
53 | wiki.creativecommons.org/Considerations_for_licensees
54 |
55 | =======================================================================
56 |
57 | Creative Commons Attribution-ShareAlike 4.0 International Public
58 | License
59 |
60 | By exercising the Licensed Rights (defined below), You accept and agree
61 | to be bound by the terms and conditions of this Creative Commons
62 | Attribution-ShareAlike 4.0 International Public License ("Public
63 | License"). To the extent this Public License may be interpreted as a
64 | contract, You are granted the Licensed Rights in consideration of Your
65 | acceptance of these terms and conditions, and the Licensor grants You
66 | such rights in consideration of benefits the Licensor receives from
67 | making the Licensed Material available under these terms and
68 | conditions.
69 |
70 |
71 | Section 1 -- Definitions.
72 |
73 | a. Adapted Material means material subject to Copyright and Similar
74 | Rights that is derived from or based upon the Licensed Material
75 | and in which the Licensed Material is translated, altered,
76 | arranged, transformed, or otherwise modified in a manner requiring
77 | permission under the Copyright and Similar Rights held by the
78 | Licensor. For purposes of this Public License, where the Licensed
79 | Material is a musical work, performance, or sound recording,
80 | Adapted Material is always produced where the Licensed Material is
81 | synched in timed relation with a moving image.
82 |
83 | b. Adapter's License means the license You apply to Your Copyright
84 | and Similar Rights in Your contributions to Adapted Material in
85 | accordance with the terms and conditions of this Public License.
86 |
87 | c. BY-SA Compatible License means a license listed at
88 | creativecommons.org/compatiblelicenses, approved by Creative
89 | Commons as essentially the equivalent of this Public License.
90 |
91 | d. Copyright and Similar Rights means copyright and/or similar rights
92 | closely related to copyright including, without limitation,
93 | performance, broadcast, sound recording, and Sui Generis Database
94 | Rights, without regard to how the rights are labeled or
95 | categorized. For purposes of this Public License, the rights
96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar
97 | Rights.
98 |
99 | e. Effective Technological Measures means those measures that, in the
100 | absence of proper authority, may not be circumvented under laws
101 | fulfilling obligations under Article 11 of the WIPO Copyright
102 | Treaty adopted on December 20, 1996, and/or similar international
103 | agreements.
104 |
105 | f. Exceptions and Limitations means fair use, fair dealing, and/or
106 | any other exception or limitation to Copyright and Similar Rights
107 | that applies to Your use of the Licensed Material.
108 |
109 | g. License Elements means the license attributes listed in the name
110 | of a Creative Commons Public License. The License Elements of this
111 | Public License are Attribution and ShareAlike.
112 |
113 | h. Licensed Material means the artistic or literary work, database,
114 | or other material to which the Licensor applied this Public
115 | License.
116 |
117 | i. Licensed Rights means the rights granted to You subject to the
118 | terms and conditions of this Public License, which are limited to
119 | all Copyright and Similar Rights that apply to Your use of the
120 | Licensed Material and that the Licensor has authority to license.
121 |
122 | j. Licensor means the individual(s) or entity(ies) granting rights
123 | under this Public License.
124 |
125 | k. Share means to provide material to the public by any means or
126 | process that requires permission under the Licensed Rights, such
127 | as reproduction, public display, public performance, distribution,
128 | dissemination, communication, or importation, and to make material
129 | available to the public including in ways that members of the
130 | public may access the material from a place and at a time
131 | individually chosen by them.
132 |
133 | l. Sui Generis Database Rights means rights other than copyright
134 | resulting from Directive 96/9/EC of the European Parliament and of
135 | the Council of 11 March 1996 on the legal protection of databases,
136 | as amended and/or succeeded, as well as other essentially
137 | equivalent rights anywhere in the world.
138 |
139 | m. You means the individual or entity exercising the Licensed Rights
140 | under this Public License. Your has a corresponding meaning.
141 |
142 |
143 | Section 2 -- Scope.
144 |
145 | a. License grant.
146 |
147 | 1. Subject to the terms and conditions of this Public License,
148 | the Licensor hereby grants You a worldwide, royalty-free,
149 | non-sublicensable, non-exclusive, irrevocable license to
150 | exercise the Licensed Rights in the Licensed Material to:
151 |
152 | a. reproduce and Share the Licensed Material, in whole or
153 | in part; and
154 |
155 | b. produce, reproduce, and Share Adapted Material.
156 |
157 | 2. Exceptions and Limitations. For the avoidance of doubt, where
158 | Exceptions and Limitations apply to Your use, this Public
159 | License does not apply, and You do not need to comply with
160 | its terms and conditions.
161 |
162 | 3. Term. The term of this Public License is specified in Section
163 | 6(a).
164 |
165 | 4. Media and formats; technical modifications allowed. The
166 | Licensor authorizes You to exercise the Licensed Rights in
167 | all media and formats whether now known or hereafter created,
168 | and to make technical modifications necessary to do so. The
169 | Licensor waives and/or agrees not to assert any right or
170 | authority to forbid You from making technical modifications
171 | necessary to exercise the Licensed Rights, including
172 | technical modifications necessary to circumvent Effective
173 | Technological Measures. For purposes of this Public License,
174 | simply making modifications authorized by this Section 2(a)
175 | (4) never produces Adapted Material.
176 |
177 | 5. Downstream recipients.
178 |
179 | a. Offer from the Licensor -- Licensed Material. Every
180 | recipient of the Licensed Material automatically
181 | receives an offer from the Licensor to exercise the
182 | Licensed Rights under the terms and conditions of this
183 | Public License.
184 |
185 | b. Additional offer from the Licensor -- Adapted Material.
186 | Every recipient of Adapted Material from You
187 | automatically receives an offer from the Licensor to
188 | exercise the Licensed Rights in the Adapted Material
189 | under the conditions of the Adapter's License You apply.
190 |
191 | c. No downstream restrictions. You may not offer or impose
192 | any additional or different terms or conditions on, or
193 | apply any Effective Technological Measures to, the
194 | Licensed Material if doing so restricts exercise of the
195 | Licensed Rights by any recipient of the Licensed
196 | Material.
197 |
198 | 6. No endorsement. Nothing in this Public License constitutes or
199 | may be construed as permission to assert or imply that You
200 | are, or that Your use of the Licensed Material is, connected
201 | with, or sponsored, endorsed, or granted official status by,
202 | the Licensor or others designated to receive attribution as
203 | provided in Section 3(a)(1)(A)(i).
204 |
205 | b. Other rights.
206 |
207 | 1. Moral rights, such as the right of integrity, are not
208 | licensed under this Public License, nor are publicity,
209 | privacy, and/or other similar personality rights; however, to
210 | the extent possible, the Licensor waives and/or agrees not to
211 | assert any such rights held by the Licensor to the limited
212 | extent necessary to allow You to exercise the Licensed
213 | Rights, but not otherwise.
214 |
215 | 2. Patent and trademark rights are not licensed under this
216 | Public License.
217 |
218 | 3. To the extent possible, the Licensor waives any right to
219 | collect royalties from You for the exercise of the Licensed
220 | Rights, whether directly or through a collecting society
221 | under any voluntary or waivable statutory or compulsory
222 | licensing scheme. In all other cases the Licensor expressly
223 | reserves any right to collect such royalties.
224 |
225 |
226 | Section 3 -- License Conditions.
227 |
228 | Your exercise of the Licensed Rights is expressly made subject to the
229 | following conditions.
230 |
231 | a. Attribution.
232 |
233 | 1. If You Share the Licensed Material (including in modified
234 | form), You must:
235 |
236 | a. retain the following if it is supplied by the Licensor
237 | with the Licensed Material:
238 |
239 | i. identification of the creator(s) of the Licensed
240 | Material and any others designated to receive
241 | attribution, in any reasonable manner requested by
242 | the Licensor (including by pseudonym if
243 | designated);
244 |
245 | ii. a copyright notice;
246 |
247 | iii. a notice that refers to this Public License;
248 |
249 | iv. a notice that refers to the disclaimer of
250 | warranties;
251 |
252 | v. a URI or hyperlink to the Licensed Material to the
253 | extent reasonably practicable;
254 |
255 | b. indicate if You modified the Licensed Material and
256 | retain an indication of any previous modifications; and
257 |
258 | c. indicate the Licensed Material is licensed under this
259 | Public License, and include the text of, or the URI or
260 | hyperlink to, this Public License.
261 |
262 | 2. You may satisfy the conditions in Section 3(a)(1) in any
263 | reasonable manner based on the medium, means, and context in
264 | which You Share the Licensed Material. For example, it may be
265 | reasonable to satisfy the conditions by providing a URI or
266 | hyperlink to a resource that includes the required
267 | information.
268 |
269 | 3. If requested by the Licensor, You must remove any of the
270 | information required by Section 3(a)(1)(A) to the extent
271 | reasonably practicable.
272 |
273 | b. ShareAlike.
274 |
275 | In addition to the conditions in Section 3(a), if You Share
276 | Adapted Material You produce, the following conditions also apply.
277 |
278 | 1. The Adapter's License You apply must be a Creative Commons
279 | license with the same License Elements, this version or
280 | later, or a BY-SA Compatible License.
281 |
282 | 2. You must include the text of, or the URI or hyperlink to, the
283 | Adapter's License You apply. You may satisfy this condition
284 | in any reasonable manner based on the medium, means, and
285 | context in which You Share Adapted Material.
286 |
287 | 3. You may not offer or impose any additional or different terms
288 | or conditions on, or apply any Effective Technological
289 | Measures to, Adapted Material that restrict exercise of the
290 | rights granted under the Adapter's License You apply.
291 |
292 |
293 | Section 4 -- Sui Generis Database Rights.
294 |
295 | Where the Licensed Rights include Sui Generis Database Rights that
296 | apply to Your use of the Licensed Material:
297 |
298 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right
299 | to extract, reuse, reproduce, and Share all or a substantial
300 | portion of the contents of the database;
301 |
302 | b. if You include all or a substantial portion of the database
303 | contents in a database in which You have Sui Generis Database
304 | Rights, then the database in which You have Sui Generis Database
305 | Rights (but not its individual contents) is Adapted Material,
306 |
307 | including for purposes of Section 3(b); and
308 | c. You must comply with the conditions in Section 3(a) if You Share
309 | all or a substantial portion of the contents of the database.
310 |
311 | For the avoidance of doubt, this Section 4 supplements and does not
312 | replace Your obligations under this Public License where the Licensed
313 | Rights include other Copyright and Similar Rights.
314 |
315 |
316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability.
317 |
318 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
319 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
320 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
321 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
322 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
323 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
324 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
325 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
326 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
327 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
328 |
329 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
330 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
331 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
332 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
333 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
334 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
335 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
336 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
337 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
338 |
339 | c. The disclaimer of warranties and limitation of liability provided
340 | above shall be interpreted in a manner that, to the extent
341 | possible, most closely approximates an absolute disclaimer and
342 | waiver of all liability.
343 |
344 |
345 | Section 6 -- Term and Termination.
346 |
347 | a. This Public License applies for the term of the Copyright and
348 | Similar Rights licensed here. However, if You fail to comply with
349 | this Public License, then Your rights under this Public License
350 | terminate automatically.
351 |
352 | b. Where Your right to use the Licensed Material has terminated under
353 | Section 6(a), it reinstates:
354 |
355 | 1. automatically as of the date the violation is cured, provided
356 | it is cured within 30 days of Your discovery of the
357 | violation; or
358 |
359 | 2. upon express reinstatement by the Licensor.
360 |
361 | For the avoidance of doubt, this Section 6(b) does not affect any
362 | right the Licensor may have to seek remedies for Your violations
363 | of this Public License.
364 |
365 | c. For the avoidance of doubt, the Licensor may also offer the
366 | Licensed Material under separate terms or conditions or stop
367 | distributing the Licensed Material at any time; however, doing so
368 | will not terminate this Public License.
369 |
370 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
371 | License.
372 |
373 |
374 | Section 7 -- Other Terms and Conditions.
375 |
376 | a. The Licensor shall not be bound by any additional or different
377 | terms or conditions communicated by You unless expressly agreed.
378 |
379 | b. Any arrangements, understandings, or agreements regarding the
380 | Licensed Material not stated herein are separate from and
381 | independent of the terms and conditions of this Public License.
382 |
383 |
384 | Section 8 -- Interpretation.
385 |
386 | a. For the avoidance of doubt, this Public License does not, and
387 | shall not be interpreted to, reduce, limit, restrict, or impose
388 | conditions on any use of the Licensed Material that could lawfully
389 | be made without permission under this Public License.
390 |
391 | b. To the extent possible, if any provision of this Public License is
392 | deemed unenforceable, it shall be automatically reformed to the
393 | minimum extent necessary to make it enforceable. If the provision
394 | cannot be reformed, it shall be severed from this Public License
395 | without affecting the enforceability of the remaining terms and
396 | conditions.
397 |
398 | c. No term or condition of this Public License will be waived and no
399 | failure to comply consented to unless expressly agreed to by the
400 | Licensor.
401 |
402 | d. Nothing in this Public License constitutes or may be interpreted
403 | as a limitation upon, or waiver of, any privileges and immunities
404 | that apply to the Licensor or You, including from the legal
405 | processes of any jurisdiction or authority.
406 |
407 |
408 | =======================================================================
409 |
410 | Creative Commons is not a party to its public
411 | licenses. Notwithstanding, Creative Commons may elect to apply one of
412 | its public licenses to material it publishes and in those instances
413 | will be considered the “Licensor.” The text of the Creative Commons
414 | public licenses is dedicated to the public domain under the CC0 Public
415 | Domain Dedication. Except for the limited purpose of indicating that
416 | material is shared under a Creative Commons public license or as
417 | otherwise permitted by the Creative Commons policies published at
418 | creativecommons.org/policies, Creative Commons does not authorize the
419 | use of the trademark "Creative Commons" or any other trademark or logo
420 | of Creative Commons without its prior written consent including,
421 | without limitation, in connection with any unauthorized modifications
422 | to any of its public licenses or any other arrangements,
423 | understandings, or agreements concerning use of licensed material. For
424 | the avoidance of doubt, this paragraph does not form part of the
425 | public licenses.
426 |
427 | Creative Commons may be contacted at creativecommons.org.
--------------------------------------------------------------------------------
/README.assets/image-20201231205814145.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/README.assets/image-20201231205814145.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Introduction
2 |
3 | ## Sources and how to use this material @2022
4 |
5 | - Source and course site: this repository grew out of lecture notes for the course [Software Analysis](https://tai-e.pascal-lab.net/lectures.html) taught at Nanjing University by [Yue Li](https://yuelee.bitbucket.io/) and [Tian Tan](https://silverbullettt.bitbucket.io/).
6 | - Course videos: in 2021, [甜品专家](https://space.bilibili.com/2919428/video) uploaded the complete videos of the Spring 2020 semester to Bilibili.
7 | - Lab platform: the [code](https://github.com/RangerNJU/Static-Program-Analysis-Book/pull/15) for the assignment platform was published in 2022.
8 |
9 | ## Introduction
10 |
11 | Getting started with static program analysis. Read this and start writing your first static program analyzer! We focus on the problem:
12 |
13 | > ❓ How to automatically and efficiently guarantee software quality
14 |
19 | * [Read *Static Program Analysis* online on GitBook](https://ranger-nju.gitbook.io/static-program-analysis-book/)
20 | * [*Static Program Analysis* GitHub repository](https://github.com/RangerNJU/Static-Program-Analysis-Book)
21 | * [Official documentation of "Tai-e", the assignment platform of NJU's Software Analysis course](https://tai-e.pascal-lab.net/)
22 | * [GitHub repository of "Tai-e", the assignment platform of NJU's Software Analysis course](https://github.com/pascal-lab/Tai-e-assignments/)
23 | * Reading offline
24 | 1. **Download** this repository (after installing Git, run `git clone https://github.com/RangerNJU/Static-Program-Analysis-Book.git` on the command line)
25 | 2. **Update** periodically by running `git pull` in the repository directory
26 | 3. **Read** with a local Markdown viewer such as [Typora](https://typora.io/)
27 | * Assignments: when cloning the repository, a recursive clone is recommended so that the homework subproject is included
28 | - `git clone --recursive {git repository}`
29 |
30 | ### Make your voice heard 👂
31 |
32 | * **Critical feedback is valuable.** This is the first tutorial I have written, and there are surely many things that could be done better. If you find anything worth changing or discussing (including but not limited to writing style, accuracy of the content, readability of figures and explanations), you can:
33 | * open an issue
34 | * contact me by e-mail (ranger.nju\#gmail.com\)
35 | * If you think the writing is good, give the GitHub repository a star, or spread the word in your own circles so that more people learn about this project.
36 |
37 | ### Changelog and milestones
38 |
39 | 1. Oct 2020. Repository created; first star, fork and PR within a month.
40 | 2. Nov. Temporarily moved the IR and Data Flow Analysis material out of the repository; added lectures 7 to 10: Interprocedural Analysis, Pointer Analysis - Introduction and Foundations.
41 | 3. Dec. Added lectures 11 and 12, Context Sensitive Pointer Analysis, the grand finale of pointer analysis. 🥳 Added lectures 13 and 14, covering Taint Analysis (a security application of pointer analysis) and a declarative pointer analysis implemented in Datalog. Added lectures 15 and 16, covering the IFDS framework and Soundiness.
42 | 4. Apr 2021. [Lancern](https://github.com/Lancern) started the English translation.
43 | 5. Sept. With the new semester, began adding note versions of the first eight lectures.
44 | 6. Apr 2022. ["Tai-e", the assignment platform of NJU's Software Analysis course, officially released](https://zhuanlan.zhihu.com/p/488957195).
45 | 7. Jul 2022. [The "Tai-e" static program analysis framework (research edition) officially released](https://zhuanlan.zhihu.com/p/547780818).
46 |
47 | The main body of text and figures is complete!
48 |
49 | Some videos may be recorded later to supplement the explanation of the dynamic examples.
50 |
51 | 
52 |
53 | ## Who is this *Static Program Analysis* tutorial for?
54 |
55 | Students, developers, researchers... almost anyone living in the modern world can benefit from it.
56 |
57 | * **Students** whose field of study involves programs.
58 | * Computer science students can build a distinctive academic and career advantage by studying this field in depth, and deepen their understanding of programming so that they write bugs less often.
59 | * Students in other fields who have started reading this page presumably have some interest in computing. By learning about this technique you can understand what static analysis software (including the parts built into compilers and IDEs) can do for you, and how to use it better to assure the quality of the programs you care about.
60 | * **Developers** whose work involves programs.
61 | * Whether you want to understand the many open-source and closed-source static analysis tools listed on [Wikipedia](https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis), or to build your own static analyzer tailored to your current work to assure program quality, understanding static program analysis will help.
62 | * **Researchers** whose field relates to programs. Perhaps you want to adjust your research direction but are frustrated by the lack of suitable introductory material; perhaps you want to learn about this area of computing for inspiration. This tutorial can serve as your introduction or as leisure reading.
63 | * **Everyone** whose life involves programs
64 | * Software quality is one of the important issues of the information age; living and working in this era, you will certainly run into related problems.
65 | * Most schools and companies offer no courses in this field.
66 |
67 | ## What is static program analysis?
68 |
69 | ### Where static program analysis sits within computer science
70 |
71 | 
72 |
73 | **Static program analysis** is a subfield on the **application** side of **programming languages**, and a very important core topic there.
74 |
75 | The theory side considers how to design a language's syntax and semantics, its type system, and so on. Once a language has syntax, semantics and a type system, it needs support to run. The environment side therefore considers how to provide a runtime environment for a running program: how to design the compiler, what support is needed at run time (such as memory allocation and management), and so on. The application side focuses on assuring the efficiency, security and reliability of programs written in the language, mainly through program analysis, verification and synthesis (automatically synthesizing a program).
76 |
77 | #### Categories of programming languages
78 |
79 | Today's computing world faces the following dragon: 👇
80 |
81 | > The core of programming languages has not changed for decades, yet the scale and complexity of software grow rapidly. How do we assure program reliability?
82 |
83 | Although new languages and features keep appearing, today's programming languages fall into three broad categories _\(if you are unfamiliar with one of these languages, look at examples on its official site or its English Wikipedia page, or use a search engine for a first impression. This tutorial mainly focuses on the analysis of the imperative language Java.\)_ :
84 |
85 | * Imperative (C, C++, Java)
86 | * Functional ([Scala](https://www.scala-lang.org/), [Haskell](https://www.haskell.org/))
87 | * Logic ([Prolog](https://en.wikipedia.org/wiki/Prolog))
88 |
89 | ### Applications of static program analysis
90 |
91 | Static program analysis is one of the swords for slaying that dragon. For example, the technique can address the following problems \(_you only need a passing familiarity with these concepts; the important applications are explained in detail later._\):
92 |
93 | 1. Improving program reliability
94 | * Null pointer dereference, memory leak, etc.
95 | * Null pointer dereferences, memory leaks and the like: almost every programmer has been bitten by these two problems
96 | 2. Improving program security
97 | * Private information leak, injection attack, etc.
98 | * Private information leaks: this problem is fairly common in mobile apps; if you are interested, see [this paper](https://www.ieee-security.org/TC/SP2012/posters/ScanDal.pdf).
99 | * [Injection attacks](https://en.wikipedia.org/wiki/Code_injection): a very common topic in cyber security. Readers unfamiliar with it can look at the SQL injection examples on [W3Schools](https://www.w3schools.com/sql/sql_injection.asp) or [Wikipedia](https://en.wikipedia.org/wiki/SQL_injection).
100 | 3. Providing the foundation for compiler optimization
101 | * Dead code elimination, code motion, etc.
102 | * [Dead code elimination](https://en.wikipedia.org/wiki/Dead_code_elimination): in the compiler's machine-independent optimization phase, remove code that has no effect on the program's results (dead code).
103 | * [Loop-invariant code motion](https://en.wikipedia.org/wiki/Loop-invariant_code_motion): in the compiler's machine-independent optimization phase, move certain statements out of a loop, without changing the program's results, so that fewer statements execute at run time. See [this StackOverflow answer](https://stackoverflow.com/questions/5607762/what-does-code-motion-mean-for-loop-invariant-code-motion) for a more detailed explanation.
104 | 4. Aiding program understanding
105 | * IDE call hierarchy, type indication, etc.
106 | * Supporting IDE features: when you use an IDE such as VS, IDEA, CLion, Eclipse or Android Studio and hover the mouse over code, the IDE analyzes it on the fly and shows information about the hovered object; the technique behind this is static program analysis.
107 |
108 | Static program analysis can also analyze multithreaded programs, a difficult research area; the main difficulty is handling the interleaving of threads. This book is an introduction and does not cover that material.
109 |
110 | ### The market for static program analysis
111 |
112 | 
113 |
114 | * In academia, static program analysis can be applied to almost every research direction concerning programs.
115 | * In industry, large companies abroad such as Google and IBM have already set up their own static analysis teams, and domestic companies such as Huawei and Alibaba are actively recruiting static analysis talent.
116 | * **Whether you want to go deep in academia or in industry, learning this field gives you a distinctive advantage.**
117 |
118 | ### Static program analysis compared with similar techniques
119 |
120 | > Testing shows the presence, not the absence of bugs. --Edsger W. Dijkstra
121 |
122 | Dynamic software testing and formal verification serve a purpose similar to static program analysis; this part briefly compares the three.
123 |
124 | #### Static program analysis
125 |
126 | * Advantage: a sound analysis can, at a chosen level of precision, guarantee that no bug of the kind it looks for is missed (false positives are possible, false negatives are not). This is explained in detail in the tutorial.
127 | * Disadvantages:
128 | 1. A relatively high academic barrier. The only publicly available course materials from domestic universities that I know of are from Peking University, Nanjing University, NUDT and Jilin University, and accessible textbooks are scarce (see the [end of this page](#refs) for course and textbook links). As an upper-level elective in a computer science program, it is hard both to get started and to advance.
129 | 2. You tell me.
130 |
131 | #### Dynamic software testing
132 |
133 | * Advantages: widely used in engineering practice, and effective. Simple to implement and easy to automate.
134 | * Disadvantages:
135 | 1. **Cannot guarantee the absence of bugs.** This is the inevitable consequence of being unable to enumerate all possible program inputs.
136 | 2. **Limited effectiveness in the concurrent environments** brought by today's multicore hardware and networked applications. A bug may occur only under specific conditions and is therefore hard to reproduce reliably. If you are interested in the details of dynamically testing concurrent programs, see [《拧龙头法测试并发程序》](https://zhuanlan.zhihu.com/p/51341151) (testing concurrent programs by "turning the tap"). (Screenshot from the Nanjing University *Formal Semantics* course materials)
137 |
138 | 
139 |
140 | #### Formal verification
141 |
142 | * Advantage: because the program is abstracted mathematically, it can guarantee the absence of bugs with respect to the specification that was proved.
143 | * Disadvantages:
144 | 1. A high academic barrier: learners need a solid mathematical background just to get started.
145 | 2. Verification is expensive; generally only very important projects use it to assure program quality. Even software as important as an operating system does not necessarily use it. \(Screenshot from the HarmonyOS launch livestream\)
146 |
147 | 
148 |
149 | ## How to contribute
150 |
151 | > If you find this helpful, a star is appreciated.
152 |
153 | Anyone who wants to add better explanatory material or extend the tutorial is welcome to `fork, modify, PR`.
154 |
155 | **Reminder: use relative paths when referencing images.**
156 |
157 | ## Localization
158 |
159 | We'd love help translating this book! Open a new issue to start working on a new language. Feel free to start :\)
160 |
161 | - [English translation](https://github.com/Lancern/Static-Program-Analysis-Book)
162 |
163 | ## Other related projects
164 |
165 | ### Software quality assurance
166 |
167 | [Read *Introduction to Software Testing* online on GitBook](https://ranger-nju.gitbook.io/software-testing-intro)
168 |
169 | [*Introduction to Software Testing* GitHub repository](https://github.com/RangerNJU/Software-Testing-Intro)
170 |
171 | ### Good notes written by others
172 |
173 | [Good for previewing and reading alongside the course, CSDN + Jianshu](https://blog.csdn.net/panhewu9919/article/details/106007155)
174 |
175 | [Good for review, personal blog notes](https://fancypei.github.io/SA/)
176 |
177 | ## Further learning materials
178 |
179 | ### Course videos and reading
180 |
181 | - The videos of Yingfei Xiong's *Software Analysis Techniques* (软件分析技术) course at Peking University are public [here](https://liveclass.org.cn/cloudCourse/#/courseDetail/8mI06L2eRqk8GcsW).
182 | - Jonathan Aldrich's [17-355/17-665/17-819 Program Analysis (Spring 2019)](https://www.cs.cmu.edu/~aldrich/courses/17-355-19sp/) at CMU.
183 | - Anders Møller and Michael I. Schwartzbach's [Static Program Analysis](https://cs.au.dk/~amoeller/spa/), with the companion [Lecture Notes on Static Analysis](https://lara.epfl.ch/w/_media/sav08:schwartzbach.pdf) and [videos](https://www.bilibili.com/video/BV17K4y1t727) (English closed captions recommended)
184 | - Principles of Program Analysis
185 | - Chinese edition: [程序分析原理](https://book.douban.com/subject/35970106/)
186 | - 张健, 张超, 玄跻峰, 熊英飞, 王千祥, 梁彬, 李炼, 窦文生, 陈振邦, 陈立前, 蔡彦. Progress in program analysis research (程序分析研究进展). Journal of Software (软件学报), 2019, 30(1): 80-109. http://www.jos.org.cn/1000-9825/5651.htm
187 | - Liqian Chen's [High-Confidence Software Technology: Program Analysis part (高可信软件技术-程序分析部分)](https://www.educoder.net/classrooms/7759/attachment) at the National University of Defense Technology
188 | - Lei Liu's 24-part video series *Program Analysis Techniques* (程序分析技术) at Jilin University (Chaoxing/Erya academic videos, requires a login to search; the copies on Bilibili are incomplete), and the accompanying [book](https://book.douban.com/subject/24733130/). Arguably the earliest public videos and dedicated textbook in China.
189 | - Bixin Li's [Program Slicing Techniques and Their Applications (程序切片技术及其应用)](https://book.douban.com/subject/1815952/) at Southeast University
190 | - [Source Code Analysis (源代码分析)](https://book.douban.com/subject/30819079/) from Beijing University of Posts and Telecommunications
191 |
192 | ### Open-source software
193 |
194 | - [Pysonar2 GitHub repo](https://github.com/yinwang0/pysonar2)
195 | - [Soot GitHub repo](https://github.com/soot-oss/soot)
196 | - [Wiki tutorials: important material when getting started with Soot](https://github.com/soot-oss/soot/wiki/Tutorials)
197 |
--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
1 | # Table of contents
2 |
3 | * [Introduction](README.md)
4 |
5 | ## Preface
6 |
7 | * [Before you start](ch0/ch0.md)
8 | * [Why this book?](ch0/00-01-why-this-book.md)
9 | * [Sources and license](ch0/00-02-sources-and-license.md)
10 | * [Course introduction and lab schedule](ch1/1_Intro.md)
11 |
12 | ## Data Flow Analysis
13 |
14 | * [Introduction to static program analysis and data flow analysis](ch1/ch1.md)
15 | * [Intermediate representation](ch1/2IntermediateRepresentation.md)
16 | * [Data flow analysis (part 1)](ch1/34DataFlowAnalysis.md)
17 | * [Data flow analysis (part 2)](ch1/56DataFlowAnalysisFoundation.md)
18 |
19 | ## Interprocedural Analysis
20 |
21 | * [Introduction to interprocedural analysis](ch2/ch2.md)
22 |
23 | ## Pointer Analysis
24 |
25 | * [Introduction to pointer analysis](ch3/pointer-analysis/README.md)
26 | * [Introduction to pointer analysis](ch3/pointer-analysis/03-01-pointer-analysis-spa.md)
27 | * [Pointer analysis foundations (part 1)](ch3/pointer-analysis/03-02-pointer2-analysis-spa.md)
28 | * [Pointer analysis foundations (part 2)](ch3/pointer-analysis/03-03-pointer3-analysis-spa.md)
29 | * [Advanced pointer analysis](ch3/context-sensitivity/README.md)
30 | * [Context-sensitive analysis (part 1)](ch3/context-sensitivity/03-04-context-sensitivity.md)
31 | * [Context-sensitive analysis (part 2)](ch3/context-sensitivity/03-05-cs2.md)
32 |
33 | ## Pointer Analysis Applications and Declarative Implementation
34 |
35 | * [Application: taint analysis](ch4/04-01-security.md)
36 | * [Implementation: declarative pointer analysis](ch4/04-02-Datalog-Based-PA.md)
37 |
38 | ## Other Topics
39 |
40 | * [Another static analysis framework: IFDS](ch5/05-01-IFDS.md)
41 | * [From Soundness to Soundiness](ch5/05-02-Soundiness.md)
42 |
43 |
--------------------------------------------------------------------------------
/ch0/00-01-why-this-book.md:
--------------------------------------------------------------------------------
1 | # Why this book?
2 |
3 | > How does this *Static Program Analysis* differ from what you find elsewhere?
4 |
5 | ## Why should you read this book?
6 |
7 | **1. Both the Chinese and the English communities currently lack introductory material for this field.**
8 |
9 | **2. This book tries to introduce the field by combining theory and practice.**
10 |
11 | ### The Chinese community
12 |
13 | If you search for the relevant Chinese keywords, the top results are all notes on the public Bilibili videos of the Nanjing University course. Many of them are well written, **but they are not tutorials aimed at general learners and developers**. The two differ in an important way:
14 |
15 | * Notes are **for the author's own review**: as long as the author can quickly pick up the key points they understood at the time, they are good notes.
16 | * A tutorial is **for others to learn from**: a good tutorial lets learners quickly grasp the key points of the field and lays a foundation for applying them further.
17 |
18 | ### The English community
19 |
20 | Searching for the English keywords, you should find textbook-style PDFs and papers by leading international researchers, or open-source static analyzers. But **tutorials are lacking** here too: most of the material is either hard to digest or too shallow. From rough interviews and surveys, it is mainly large, international, forward-looking companies that currently value developing and applying this technique, while small and medium-sized companies either do not know about it or consider static analysis still immature.
21 |
22 | ### Combining theory and practice
23 |
24 | This book plans to cover both theory and practice, an idea inspired mainly by *The Rust Programming Language*. Since the instructors' lab component is still being designed, I expect to design some simple practical tasks and guides myself after the theory lectures end.
25 |
26 | ### Goals of this book
27 |
28 | To let most fourth-year and later students with some programming experience, who have taken the core undergraduate computer science courses:
29 |
30 | 1. **understand the theory fairly easily** while reading this book
31 | 2. **complete a simple implementation on their own**
32 | 3. (and let anyone) pick up **bits of knowledge from different areas of computing** along the way
33 |
34 | ## Why write this book?
35 |
36 | * **Interesting and useful**
37 | * Interesting. First of all, many **thanks** to [**Prof. Li**](https://yuelee.bitbucket.io/) **and** [**Prof. Tan**](https://silverbullettt.bitbucket.io/) for their carefully prepared, accessible and excellent lectures :\)
38 | * Useful. The **theory of this course is already being applied in industry** to answer an important question of modern software:
39 |
40 | > ❓ How to automatically and efficiently assure software quality
41 | * **Few have ventured here**
42 | * In other fields, many excellent predecessors **have already done the important work**
43 | * This field is still **unknown to most people**
44 | * Improving the public material on it **can help a lot of people**
45 | * **Knowledge has no borders**
46 | * Whether [teaching myself Japanese](https://www.douban.com/group/topic/139681153/) or taking open courses from the world's top universities, I have benefited greatly. The world is unequal enough already; **knowledge should have no borders**
47 | * **Giving back to the open-source community**
48 | * I have benefited a lot from the open-source community; having found a suitable opportunity, I hope to make my own contribution to it (especially to the Chinese community)
49 |
50 |
--------------------------------------------------------------------------------
/ch0/00-02-sources-and-license.md:
--------------------------------------------------------------------------------
1 | # Sources and license
2 |
3 | ## Sources
4 |
5 | The main content of this introductory tutorial is based on the *Software Analysis* course at Nanjing University.
6 |
7 | [Public lecture slides on the PASCAL group homepage](https://pascal-group.bitbucket.io/teaching.html)
8 |
9 | ## License
10 |
11 | The text of the tutorial is licensed under CC BY-NC-SA.
12 |
13 | Unless otherwise noted, the figures come from the course materials and are used with the authors' permission. Other material is credited to its source and will be removed on request.
14 |
15 |
--------------------------------------------------------------------------------
/ch0/ch0.md:
--------------------------------------------------------------------------------
1 | # Before you start
2 |
3 | Some information you may need before reading further.
4 |
5 | If this is your first encounter with "static program analysis", start with the [introduction on GitHub](https://github.com/RangerNJU/Static-Program-Analysis-Book).
6 |
7 |
--------------------------------------------------------------------------------
/ch1/1_Intro.md:
--------------------------------------------------------------------------------
1 | # Introduction
2 |
3 | This is only a brief overview of the course outline and the lab schedule.
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/ch1/2IntermediateRepresentation.md:
--------------------------------------------------------------------------------
1 | # Intermediate Representation
2 |
3 | ## Compilers and Static Analyzers
4 |
5 | A compiler translates source code into machine code. The pipeline is:
6 |
7 | * The scanner uses regular expressions to perform lexical analysis, turning source code into tokens.
8 | * The parser uses a context-free grammar to perform syntax analysis, turning tokens into an abstract syntax tree (AST).
9 | * The semantic analyzer (type checker) uses an attribute grammar to perform semantic analysis, turning the AST into a decorated AST.
10 | * The translator turns the decorated AST into an intermediate representation (IR) such as three-address code, and **static analysis is performed on the IR** (for tasks such as code optimization).
11 | * The code generator turns the IR into machine code.
12 |
13 | One might ask: why not run static analysis on the source code directly? Because we first have to make sure the code is well-formed before analyzing it. Checking well-formedness is the trivial part and is left to the front-end phases above; what we want to do is the non-trivial part.
14 |
15 | ## AST vs. IR
16 |
17 | Why use the IR rather than the AST for static analysis?
18 |
19 | 
20 |
21 | Because:
22 |
23 | * The AST is high-level and close to the grammar structure, whereas the IR is low-level and close to machine code.
24 | * The AST is language-dependent, whereas the IR is usually language-independent: analyzers focus on three-address code because many front-end languages can be translated into the same IR and then optimized uniformly.
25 | * The AST suits fast type checking, whereas the IR is more compact and uniform: the AST contains many nodes for non-terminals (body, assign, etc.) that the IR does not need.
26 | * The AST lacks control-flow information, whereas the IR contains it: the AST only has a node saying "this is a do-while", from which the control flow cannot be read off, while in the IR the control flow is obvious from instructions such as goto.
27 | * Hence the IR is the better foundation for static analysis.
28 |
29 |
30 |
31 | ## IR: Three-Address Code
32 |
33 | Three-address code (3AC) has no single standard format. Each instruction has at most one operator on its right-hand side.
34 |
35 | 
36 |
37 | Why is it called three-address code? Because each 3AC instruction has at most three addresses, where an "address" can be:
38 |
39 | * A name: a, b
40 | * A constant: 3
41 | * A compiler-generated temporary: t1, t2
42 |
43 | 
44 |
45 | Common 3AC forms include:
46 |
47 | * x = y bop z: binary operation and assignment, bop = binary operator
48 | * x = uop z: unary operation and assignment, uop = unary operator
49 | * x = y: plain assignment
50 | * goto L: unconditional jump, L = label
51 | * if x goto L: conditional jump
52 | * if x rop y goto L: conditional jump on a relational test, rop = relational operator
53 |
54 | ## 3AC in Real Static Analyzer: Soot
55 |
56 | The 3AC above is abstract; let us look at 3AC in practice. Soot is a static analysis framework for Java, and its IR is called Jimple. From 2021 the course uses a new framework for the labs, called Tai-e.
57 |
58 | For this part, see the online lectures; it is mainly meant to give a feel for what Jimple looks like, and there is nothing you are required to learn from it.
59 |
60 | ## Static Single Assignment
61 |
62 | This part is also optional; a passing familiarity is enough.
63 |
64 | Static single assignment (SSA) gives every assignment to a variable x a fresh name xi, and every later use refers to the most recent name.
65 |
66 | ```
67 | 3AC | SSA
68 | p = a + b p1 = a + b
69 | q = p - c q1 = p1 - c
70 | p = q * d p2 = q1 * d
71 | q = p + q q2 = p2 + q1
72 | ```
73 |
74 |
75 |
76 | But then, where different control-flow paths merge into one block, there are several candidate names for the same variable:
77 |
78 | 
79 |
80 | The solution is a merge operator $\phi$ (phi-function) that selects which name to use according to the control flow.
81 |
82 | 
83 |
84 | Why use SSA?
85 |
86 | * Control-flow information is indirectly encoded in the unique variable names
87 | * Some simplified analyses that are not control-flow sensitive can therefore take advantage of SSA
88 | * Definitions and uses are explicit
89 | * More efficient data access and propagation; some optimizations work better on SSA (e.g. conditional constant propagation, global value numbering)
90 |
91 | Why not use SSA?
92 |
93 | * SSA introduces many extra variables and phi functions
94 | * It can introduce inefficiency when translated into machine code
95 |
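SSA renaming with phi-functions, as an added worked example that is not code from the book, from Soot or from Tai-e: a naive Python SSA construction for an acyclic CFG. `SAMPLE_CFG` and `SAMPLE_EDGES` are constructed for the example and form an if/else diamond in this chapter's 3AC notation; the variables `a` and `b` are free inputs that are never assigned. Blocks are visited in topological order, each block inherits its predecessors' latest versions, and where predecessors disagree a phi is inserted. Real compilers place phis using dominance frontiers so that loops work too; this version deliberately rejects cyclic CFGs instead of producing wrong code for them.

```python
import re

# Constructed acyclic CFG (not from the book): an if/else diamond
# B0 -> B1, B0 -> B2, B1 -> B3, B2 -> B3. Blocks hold 3AC strings in this chapter's notation.
SAMPLE_CFG = {
    "B0": ["x = a + b", "if x > 10 goto B2"],
    "B1": ["x = x - 1"],
    "B2": ["x = x * 2"],
    "B3": ["y = x + 1"],
}
SAMPLE_EDGES = [("B0", "B1"), ("B0", "B2"), ("B1", "B3"), ("B2", "B3")]

ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
KEYWORDS = {"if", "goto"}


def topo_order(cfg, edges):
    """Kahn's algorithm; raises on a cycle, because this naive renaming cannot place loop phis."""
    indeg = {b: 0 for b in cfg}
    for _, d in edges:
        indeg[d] += 1
    ready = [b for b in cfg if indeg[b] == 0]
    order = []
    while ready:
        b = ready.pop(0)
        order.append(b)
        for s, d in edges:
            if s == b:
                indeg[d] -= 1
                if indeg[d] == 0:
                    ready.append(d)
    if len(order) != len(cfg):
        raise ValueError("cyclic CFG: loops need a dominance-frontier based SSA construction")
    return order


def rename_uses(expr, versions):
    """Replace every variable in expr by its current SSA name; labels, keywords and
    variables that were never assigned (free inputs such as a, b) are left unchanged."""
    def sub(m):
        name = m.group(0)
        if name in KEYWORDS or name not in versions:
            return name
        return f"{name}{versions[name]}"
    return IDENT_RE.sub(sub, expr)


def to_ssa(cfg, edges):
    """Naive SSA construction for an acyclic CFG: visit blocks in topological order; a block
    starts from its predecessors' exit versions and gets a phi for every variable on which
    the predecessors disagree; every assignment creates a fresh version of its target."""
    preds = {b: [] for b in cfg}
    for s, d in edges:
        preds[d].append(s)
    counter = {}           # variable -> number of versions created so far
    exit_versions = {}     # block -> {variable: version} at the block's exit
    out = {}

    def fresh(v):
        counter[v] = counter.get(v, 0) + 1
        return counter[v]

    for b in topo_order(cfg, edges):
        versions, ssa_block = {}, []
        incoming = [exit_versions[p] for p in preds[b]]
        for v in sorted({v for m in incoming for v in m}):
            vs = [m.get(v) for m in incoming]
            if len(set(vs)) == 1:                  # all predecessors agree: no phi needed
                versions[v] = vs[0]
            else:                                  # merge point: one phi argument per predecessor
                versions[v] = fresh(v)
                args = ", ".join("undef" if x is None else f"{v}{x}" for x in vs)
                ssa_block.append(f"{v}{versions[v]} = phi({args})")
        for instr in cfg[b]:
            m = ASSIGN_RE.match(instr)
            if m:                                  # rename uses first, then give the target a fresh name
                rhs = rename_uses(m.group(2), versions)
                versions[m.group(1)] = fresh(m.group(1))
                ssa_block.append(f"{m.group(1)}{versions[m.group(1)]} = {rhs}")
            else:
                ssa_block.append(rename_uses(instr, versions))
        exit_versions[b] = versions
        out[b] = ssa_block
    return out


if __name__ == "__main__":
    for block, instrs in to_ssa(SAMPLE_CFG, SAMPLE_EDGES).items():
        print(block, instrs)
```

Running the file shows the point of the phi: `B3` starts with `x4 = phi(x2, x3)`, so `y1 = x4 + 1` has exactly one reaching definition to look at, which is what makes def-use chains explicit on SSA form.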
96 | ## Basic Blocks & Control Flow Graphs
97 |
98 | Control flow analysis usually means building the control flow graph (CFG) and then using the CFG as the underlying structure for static analysis.
99 |
100 | 
101 |
102 | A CFG node can be a single 3AC instruction, but more commonly it is a basic block: a maximal sequence of consecutive 3AC instructions such that
103 |
104 | * control can only enter at the block's first instruction, and
105 | * control can only leave from the block's last instruction.
106 |
107 |
108 |
109 |
110 |
111 | How are basic blocks built?
112 |
113 | * Input: the sequence of 3AC instructions of program P
114 | * Output: the basic blocks of P
115 | * Method
116 | 1. Determine the leaders of P
117 | * the first instruction of P is a leader
118 | * the target of any (conditional or unconditional) jump is a leader
119 | * the instruction immediately following a jump is a leader
120 | 2. Build the basic blocks of P
121 | * a basic block is a leader together with all following instructions up to, but not including, the next leader.
122 |
123 |
124 |
125 | Besides basic blocks, a CFG has edges between blocks. There is an edge from block A to block B iff:
126 |
127 | * A ends with a jump whose target is the first instruction of B, or
128 | * B immediately follows A in the instruction order and A does not end with an unconditional jump.
129 |
130 |
131 |
132 | Since every basic block corresponds one-to-one with the label of its first instruction, jumps can naturally be retargeted at block labels instead of instruction labels:
133 |
134 | 
135 |
136 | With these definitions in place, a few more concepts:
137 |
138 | * If A -> B, A is a predecessor of B and B is a successor of A
139 | * Besides the basic blocks, two extra nodes are added, Entry and Exit
140 | * neither corresponds to any IR
141 | * Entry has an edge to the block containing the first instruction of the IR
142 | * a basic block whose last instruction can make the program leave this piece of IR has an edge to Exit.
143 |
144 |
145 |
146 | With that, the construction of the control flow graph is complete:
147 |
148 |
149 |
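The leader and edge rules above, as an added worked example that is not code from the book, from Soot or from Tai-e: a Python script that parses a small 3AC listing written in this chapter's notation, finds the leaders, cuts the instruction list into basic blocks, and adds the jump, fall-through, Entry and Exit edges. Two assumptions about the textual format are made for the example: every instruction may carry an `Ln:` label prefix, and the only jumps are `goto L` and `if x rop y goto L`. The listing `SAMPLE_3AC` is constructed for the example (a counted loop).

```python
import re
from dataclasses import dataclass, field

# Constructed 3AC listing in this chapter's notation (not from the book):
# every instruction carries an "Ln:" label, jumps are "goto L" / "if x rop y goto L".
SAMPLE_3AC = """
L1: i = 0
L2: if i >= n goto L6
L3: t = i * 2
L4: i = i + 1
L5: goto L2
L6: ret = i
"""

LABEL_RE = re.compile(r"^(\w+):\s*(.*)$")
JUMP_RE = re.compile(r"^(?:if\s+.+?\s+)?goto\s+(\w+)$")


@dataclass
class BasicBlock:
    index: int
    label: str                                  # label of the block's leader instruction
    instrs: list
    succs: list = field(default_factory=list)   # block indices, or the string "Exit"


def parse_3ac(text):
    """Return a list of (label, instruction) pairs; label is None when absent."""
    prog = []
    for line in text.strip().splitlines():
        m = LABEL_RE.match(line.strip())
        prog.append((m.group(1), m.group(2)) if m else (None, line.strip()))
    return prog


def jump_target(instr):
    """Label targeted by a goto / conditional goto, or None for a non-jump."""
    m = JUMP_RE.match(instr)
    return m.group(1) if m else None


def find_leaders(prog):
    """Leaders: the first instruction, every jump target, every instruction after a jump."""
    label_to_index = {lab: i for i, (lab, _) in enumerate(prog) if lab}
    leaders = {0}
    for i, (_, instr) in enumerate(prog):
        tgt = jump_target(instr)
        if tgt is not None:
            leaders.add(label_to_index[tgt])
            if i + 1 < len(prog):
                leaders.add(i + 1)
    return sorted(leaders)


def build_cfg(prog):
    """Cut prog into basic blocks at the leaders, then add jump, fall-through and Exit edges."""
    leaders = find_leaders(prog)
    blocks = []
    for k, start in enumerate(leaders):
        end = leaders[k + 1] if k + 1 < len(leaders) else len(prog)
        label = prog[start][0] or f"B{k}"
        blocks.append(BasicBlock(k, label, [ins for _, ins in prog[start:end]]))
    by_label = {b.label: b for b in blocks}
    for k, b in enumerate(blocks):
        last = b.instrs[-1]
        tgt = jump_target(last)
        if tgt is not None:                     # edge to the block whose leader carries the label
            b.succs.append(by_label[tgt].index)
        if not last.startswith("goto "):        # fall-through unless the block ends in an unconditional jump
            nxt = k + 1 if k + 1 < len(blocks) else "Exit"
            if nxt not in b.succs:
                b.succs.append(nxt)
    return blocks


def cfg_edges(text):
    """Blocks plus the full edge list, including the Entry edge to block 0."""
    blocks = build_cfg(parse_3ac(text))
    edges = [("Entry", 0)] + [(b.index, s) for b in blocks for s in b.succs]
    return blocks, edges


if __name__ == "__main__":
    blocks, edges = cfg_edges(SAMPLE_3AC)
    for b in blocks:
        print(f"B{b.index} ({b.label}): {b.instrs} -> {b.succs}")
    print(edges)
```

Running the file prints four blocks (`L1`, `L2`, `L3`..`L5`, `L6`) and the edges, including the back edge from the `goto L2` block to the loop test. One caveat that matters for everything built on top of a CFG: an edge only exists for jumps the parser recognizes, so an IR with indirect control transfer (switch tables, exceptions, virtual calls) needs those targets resolved first; a CFG with missing edges makes every analysis run over it unsound.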
150 | ## Key points
151 |
152 | * The relationship between compilers and static analyzers
153 | * 3AC and its common forms
154 | * How to build basic blocks from the IR
155 | * How to build a control flow graph from basic blocks
156 |
157 |
--------------------------------------------------------------------------------
/ch1/34DataFlowAnalysis.md:
--------------------------------------------------------------------------------
1 | # Data Flow Analysis
2 |
3 | ## Overview of Data Flow Analysis
4 |
5 | The core of data flow analysis: how does data flow on the CFG?
6 |
7 | Expanding that sentence, data flow analysis asks:
8 |
9 | How application-specific Data (an abstraction of the data: +, -, 0, etc.)
10 |
11 | Flows (approximated appropriately for the kind of analysis) through the
12 |
13 | Nodes (how data is transferred, e.g. + op + = +) and
14 |
15 | Edges (how control flow is handled, e.g. two control-flow paths merging into one BB) of
16 |
17 | CFG (the whole program)?
18 |
19 | Different data flow analyses use different data abstractions, different safe-approximation strategies for the flow, and different transfer functions and control-flow handling.
20 |
21 | ## Preliminaries of Data Flow Analysis
22 |
23 | ### Input and Output States
24 |
25 | * Executing each IR statement turns an **input state** into a new **output state**
26 | * The input/output states are associated with the **program points** before/after the statement.
27 |
28 |
29 |
30 |
31 |
32 | In data flow analysis, each program point is associated with a data-flow value that represents the abstract program state observable at that point.
33 |
34 | ### Constraints from transfer functions
35 |
36 | Data flow analyses come in two directions, forward and backward:
37 |
38 | 
39 |
40 | ### Constraints from control flow
41 |
42 | Each statement s changes the program state.
43 |
44 | The output of a block B is naturally the state obtained by applying the transfer functions of its statements, one after another, to its input.
45 |
46 | The input of B is obtained by applying a meet operator, chosen to fit the analysis, to the outputs of its predecessors. A backward analysis does the same with the successors.
47 |
48 |
49 |
50 |
51 |
52 | ### What is not covered
53 |
54 | * Method calls
55 | * We only analyze what happens inside a single procedure (intra-procedural analysis). Analysis across procedures is introduced under Inter-procedural Analysis
56 | * Aliases
57 | * Variables are assumed to have no aliases. The problem is introduced under pointer analysis.
58 |
59 | ## Reaching Definitions Analysis
60 |
61 | #### Basic concepts (from the compilers course slides; Xu Chang, my hero)
62 |
63 | - Suppose x has a definition d (**definition**). If there is a path from the point immediately after d to some point p, and no other definition of x occurs along that path, then the definition d of x is said to **reach** p.
64 |
65 | - If there is another definition of x on that path, we say this definition d of variable x is **killed**
66 |
67 |
68 |
69 | Reaching definitions can be used to detect undefined variables. For example, introduce a dummy definition of every variable at the program entry; if at the program exit the reaching definition of some variable is still the dummy one, we can conclude that the variable was never defined.
70 |
71 |
72 |
73 | For an assignment statement D: v = x op y, the statement generates a definition D of v and kills every other definition of variable v in the program.
74 |
75 |
76 |
77 | #### Data flow values in reaching definitions
78 |
79 | * All definitions of all variables in the program.
80 |
81 | * They can be represented as a bit vector, with one bit per assignment statement.
82 |
83 |
84 |
85 |
86 |
87 | #### Transfer function for reaching definitions
88 |
89 |
90 |
91 | * Remove the killed definitions from the input state and add the newly generated ones.
92 | * For v = x op y: gen v, kill all other definitions of v
93 |
94 | #### Control flow handling for reaching definitions
95 |
96 |
97 |
98 | * A definition of a variable in any one predecessor already indicates that the variable has been defined, so the outputs of the predecessors are combined by union.
99 |
100 | #### The reaching definitions algorithm
101 |
102 |
103 |
104 | This is a classic iterative algorithm.
105 |
106 | * First set OUT of every BB and of the entry to empty, because we do not yet know which definitions each BB generates.
107 | * Whenever any OUT changes, the definitions computed so far may need to keep flowing downstream, so the IN and OUT of the affected BBs must be updated.
108 | * Process IN first, then update OUT according to the transfer function.
109 | * In gen U (IN - kill), the bits covered by kill and gen do not change when IN changes, and the remaining bits are obtained by taking the union of the predecessors' OUT, so none of them ever goes from 1 back to 0. Hence OUT only grows, and it has an upper bound, so the algorithm must eventually stop.
110 | * Since an unchanged OUT cannot cause any IN to change, "no OUT changed" can serve as the termination condition. We say the analysis has reached a fixed point.
111 |
112 | ## Live Variables Analysis
113 |
114 | #### Basic concepts
115 |
116 | * Whether the value of variable x at program point p will be used along some path starting from p
117 | * Variable x is live at p if and only if there exists a path starting at p on which x is used at the end, and x is not overwritten along that path.
118 | * This implies that v is not redefined, i.e. not killed, before it is used.
119 |
120 |
121 |
122 | This analysis can be used for register allocation: once a variable will no longer be used, its register can be freed to store a new value.
123 |
124 |
125 |
126 | #### Data flow values in live variables analysis
127 |
128 | * All variables in the program
129 | * Again representable as a bit vector, one bit per variable
130 |
131 |
132 |
133 | #### Transfer function and control flow handling for live variables
134 |
135 |
136 |
137 | * Within a basic block, v = exp is a def of v, and exp = exp op v is a use of v. For the block, a variable counts as either use or def, decided by which of the def and the use comes first.
138 | * Consider a basic block B and its successor S. If variable v is used in S, we put v into IN of S and hand it to B for analysis.
139 | * Hence for live variables analysis, the control flow handling is OUT[B] = IN[S], taking the union over all successors S.
140 | * Within a block, if variable v is used, we add it to IN. If v is defined, then in the statements above that definition v is not live, because no statement still needs its old value.
141 | * Hence the transfer function is: IN is OUT with the redefined variables removed, unioned with the used variables. Note that if in the same block the def of v precedes the use, the effect is the same as if there were no use.
142 |
143 | #### The live variables algorithm
144 |
145 |
146 |
147 | * We do not know which variables are live in a block, and our goal is to know which variables are live at the start of a block, so IN is initialized to empty.
148 | * Rule of thumb for initialization: a may analysis starts from empty, a must analysis starts from top.
149 |
150 | ## Available Expression Analysis
151 |
152 | #### Basic concepts
153 |
154 | * x + y is available at point p if every path from the entry node of the flow graph to p evaluates x + y, and after the last such evaluation there is no assignment to x or y
155 |
156 | Available expressions can be used for global common subexpression elimination: if the value an expression produced last time is still available now, we can reuse that value instead of recomputing it.
157 |
158 |
159 |
160 | #### Data flow values in available expressions analysis
161 |
162 | * All expressions in the program
163 | * In the bit vector, one bit per expression
164 |
165 |
166 |
167 | #### Transfer function and control flow handling for available expressions
168 |
169 |
170 |
171 | * We require that the expression has already been computed no matter which path reaches B before treating it as available, so this is a must analysis.
172 | * Note that in the figure, two different paths may give the expression different final values. But we only care about whether its value can be reused, so the expression can still be considered available.
173 | * For v = x op y: gen x op y. For x = a op b: kill every expression that contains x. If gen and kill both apply, the last operation wins.
174 | * The transfer function is easy to understand and similar to reaching definitions. But since this is a must analysis, the control flow handling takes the intersection, not the union as in reaching definitions.
175 |
176 |
177 |
178 | #### The available expressions algorithm
179 |
180 |
181 |
182 | * Note the initialization here: at the start no expression is available, so initializing OUT[entry] to the empty set is natural. However, the OUT of every other basic block is initialized to the full set, because when the CFG has a cycle an empty initial value would make the intersection step set IN to all zeros in the very first iteration, and no correct judgement could ever be made.
183 | * If an expression is never available, the all-zero OUT[entry] propagates through the intersection and sets its bit to 0, so there is no need to worry that initializing to all ones makes the algorithm incorrect.
184 |
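The three analyses in this file (reaching definitions, live variables and available expressions) share one iterative algorithm and differ only in direction, meet operator, initial value and transfer function. The following added example, which is not code from the original notes, makes that explicit: a single round-robin solver, instantiated three times on one constructed CFG with a loop. The statement encoding, the block names B1..B4, the definition ids d1..d6 and the sample program are assumptions of this example. The `init` argument is exactly the initialization choice discussed above, and calling `available_expressions(set())` reproduces the failure described in the last section: the loop-carried `y*2` is never reported available.

```python
"""Iterative (round-robin) data-flow solver instantiated as reaching
definitions, live variables and available expressions on one constructed CFG."""
from typing import Callable, Dict, List, Set, Tuple

# A statement is (definition id, defined variable, used variables, binary expression or "").
Stmt = Tuple[str, str, Tuple[str, ...], str]
Fact = Set[str]

# Constructed program (not from the notes):
#   B1: d1: x = 1 ; d2: y = 2 ; d3: w = y * 2
#   B2: d4: z = x + y                      (loop header)
#   B3: d5: x = z                          (back edge to B2)
#   B4: d6: r = w
STMTS: Dict[str, List[Stmt]] = {
    "entry": [],
    "B1": [("d1", "x", (), ""), ("d2", "y", (), ""), ("d3", "w", ("y",), "y*2")],
    "B2": [("d4", "z", ("x", "y"), "x+y")],
    "B3": [("d5", "x", ("z",), "")],
    "B4": [("d6", "r", ("w",), "")],
    "exit": [],
}
SUCCS: Dict[str, List[str]] = {
    "entry": ["B1"], "B1": ["B2"], "B2": ["B3", "B4"], "B3": ["B2"], "B4": ["exit"], "exit": [],
}
PREDS = {n: [p for p in SUCCS if n in SUCCS[p]] for n in SUCCS}

DEFS_OF: Dict[str, Set[str]] = {}          # variable -> ids of all its definitions
EXPR_OPERANDS: Dict[str, Set[str]] = {}    # expression -> variables it reads
for _stmts in STMTS.values():
    for _d, _v, _uses, _expr in _stmts:
        DEFS_OF.setdefault(_v, set()).add(_d)
        if _expr:
            EXPR_OPERANDS[_expr] = set(_uses)
ALL_EXPRS: Fact = set(EXPR_OPERANDS)


def union(facts: List[Fact]) -> Fact:
    return set().union(*facts)


def intersection(facts: List[Fact]) -> Fact:
    return set.intersection(*facts) if facts else set()


def solve(forward: bool, meet: Callable[[List[Fact]], Fact], init: Fact,
          step: Callable[[Stmt, Fact], Fact]) -> Tuple[Dict[str, Fact], Dict[str, Fact]]:
    """Round-robin iteration until no block's result changes (the fixed point).
    `init` is the starting value of every non-boundary block's result
    (OUT for forward, IN for backward); the boundary node stays empty."""
    boundary = "entry" if forward else "exit"
    in_facts: Dict[str, Fact] = {n: set() for n in SUCCS}
    out_facts: Dict[str, Fact] = {n: set() for n in SUCCS}
    result, source = (out_facts, in_facts) if forward else (in_facts, out_facts)
    for n in SUCCS:
        if n != boundary:
            result[n] = set(init)
    changed = True
    while changed:
        changed = False
        for n in SUCCS:
            if n == boundary:
                continue
            neighbours = PREDS[n] if forward else SUCCS[n]
            source[n] = meet([result[m] for m in neighbours])   # control flow handling
            fact = set(source[n])
            for s in (STMTS[n] if forward else reversed(STMTS[n])):
                fact = step(s, fact)                             # compose statement transfers
            if fact != result[n]:
                result[n] = fact
                changed = True
    return in_facts, out_facts


def rd_step(s: Stmt, fact: Fact) -> Fact:
    """Reaching definitions: OUT = (IN - kill) U gen, kill = other defs of the same variable."""
    d, v, _, _ = s
    return (fact - DEFS_OF[v]) | {d}


def lv_step(s: Stmt, fact: Fact) -> Fact:
    """Live variables (backward): IN = (OUT - def) U use."""
    _, v, uses, _ = s
    return (fact - {v}) | set(uses)


def ae_step(s: Stmt, fact: Fact) -> Fact:
    """Available expressions: kill every expression reading the assigned variable,
    then gen the right-hand side unless it reads the variable just assigned."""
    _, v, uses, expr = s
    fact = {e for e in fact if v not in EXPR_OPERANDS[e]}
    if expr and v not in uses:
        fact = fact | {expr}
    return fact


def reaching_definitions():
    return solve(True, union, set(), rd_step)           # forward, may: start from empty


def live_variables():
    return solve(False, union, set(), lv_step)          # backward, may: start from empty


def available_expressions(init: Fact = ALL_EXPRS):
    return solve(True, intersection, init, ae_step)     # forward, must: start from top
```

Each call returns the `(IN, OUT)` dictionaries at the fixed point. For reaching definitions, `IN["B2"]` ends up containing both definitions of `x` (d1 from B1 and d5 from the back edge), which is the union-based "may" answer; for live variables, `IN["B1"]` is empty because every variable is defined before use; and for available expressions, `IN["B2"]` contains `y*2` only when the non-entry blocks start from the full set.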
185 |
186 |
187 | ## Summary
188 |
189 |
190 |
191 | ## Key Points
192 |
193 | * Three data flow analyses
194 | * Reaching definitions
195 | * Live variables
196 | * Available expressions
197 |
198 | * Differences and connections among the three analyses
199 | * Know the iterative algorithm and why it terminates
--------------------------------------------------------------------------------
/ch1/56DataFlowAnalysisFoundation.md:
--------------------------------------------------------------------------------
1 | # Data Analysis Foundation
2 |
3 | ## Iterative Algorithm, Another View
4 |
5 | Given a CFG with k nodes, the iterative algorithm updates the value OUT[n] of every node n. We can therefore bundle these values into a k-tuple:
6 | $$
7 | (OUT[n_1],OUT[n_2],...,OUT[n_k])\in (V_1\times V_2 \times ...\times V_k) = V^k
8 | $$
9 | Then our iterative data flow analysis framework can be written as a function $F:V^k \rightarrow V^k$
10 |
11 | The iteration is then written as:
12 |
13 | * $X_0 = (null, null, ..., null)$
14 | * $X_1 = (v_1^1,v_2^1,...,v_k^1) = F(X_0)$
15 | * $X_2 = (v_1^2,v_2^2,...,v_k^2) = F(X_1)$
16 | * ...
17 | * $X_i = (v_1^i,v_2^i,...,v_k^i) = F(X_{i-1})$
18 | * $X_{i+1} = (v_1^i,v_2^i,...,v_k^i) = F(X_{i})$
19 | * At this point we find $X_i = X_{i+1}$, meaning that $X_i$ is a fixed point of $F$.
20 |
21 |
22 |
23 | Within this framework, there are some questions we want answered:
24 |
25 | * Is the algorithm guaranteed to terminate / reach a fixed point? Is there always a solution?
26 | * If it reaches a fixed point, is that fixed point unique? If there are several, is our result the best one?
27 | * When do we reach the fixed point?
28 |
29 |
30 |
31 | To answer these questions we first need to review some mathematics.
32 |
33 |
34 |
35 | ## Partial Order
36 |
37 | A partially ordered set (poset) is a pair $(P, \sqsubseteq)$ consisting of a set $P$ and a partial order relation $\sqsubseteq$ that satisfies three conditions:
38 |
39 | * Reflexivity: x $\sqsubseteq$ x
40 | * Antisymmetry: if x $\sqsubseteq$ y and y $\sqsubseteq$ x, then x = y
41 | * Transitivity: if x $\sqsubseteq$ y and y $\sqsubseteq$ z, then x $\sqsubseteq$ z
42 | * Example: the less-than-or-equal relation is a partial order, but the strict less-than relation is not a partial order (it fails reflexivity); it is a total order.
43 |
44 | The difference between a partial order and a total order is that a total order lets any two elements be compared, while a partial order does not guarantee that every pair of elements is comparable.
45 |
46 |
47 |
48 | ## Upper and Lower Bounds
49 |
50 | For a subset S of a poset:
51 |
52 | * If there is an element u such that every element x of S satisfies x $\sqsubseteq$ u, we say u is an upper bound of S.
53 | * Likewise, if there is an element l such that every element x of S satisfies l $\sqsubseteq$ x, we say l is a lower bound of S.
54 |
55 | From these we derive the least upper bound and the greatest lower bound:
56 |
57 | * Among all upper bounds of S, the least upper bound (lub), written $\sqcup S$, is the one satisfying $\sqcup S \sqsubseteq u$ for every upper bound u
58 | * Similarly, the greatest lower bound (glb) is written $\sqcap S$.
59 |
60 |
61 |
62 | When S has only two elements {a, b}, there is an alternative notation:
63 |
64 | * Least upper bound: $a \sqcup b$, "a join b"
65 | * Greatest lower bound: $a \sqcap b$, "a meet b"
66 |
67 |
68 |
69 | Not every poset has a lub and a glb, but when they exist they are unique. (Assume there were several; antisymmetry then shows they are the same element.)
70 |
71 |
72 |
73 | ## Lattice, Semilattice, Complete and Product Lattice
74 |
75 | Given a poset, if every pair of elements a, b has both a lub and a glb, the poset is called a **lattice**.
76 |
77 | * Lattices: the less-than-or-equal relation, the subset relation
78 | * Not a lattice: the substring relation
79 |
80 |
81 |
82 | Strengthening this further: if every subset (not only every pair) has a lub and a glb, we say the lattice is a **complete lattice**
83 |
84 | * Complete lattice: the subset relation
85 | * Not a complete lattice: the less-than-or-equal relation, because the set of all positive integers has no bound
86 |
87 | Every complete lattice has a **greatest element $\top$ (top)** and a **least element $\bot$ (bottom)**; they are the lub and the glb of the whole set, respectively.
88 |
89 | If a lattice is finite, it must be a complete lattice.
90 |
91 | However, a complete lattice need not be finite. For example, the real numbers in [0, 1] are infinitely many, yet the less-than-or-equal relation on them forms a complete lattice.
92 |
93 |
94 |
95 | There is also the **product lattice**: the Cartesian product of several lattices forms a new lattice.
96 |
97 | Remember that:
98 |
99 | * a product lattice is itself a lattice
100 | * if a product lattice L is a product of complete lattices, then L is also complete.
101 |
102 |
103 |
104 | Further reading: if every pair of elements of a poset has a lub (or, respectively, a glb) but not necessarily both, the poset is called a semilattice
105 |
106 |
107 |
108 | ## Data Flow Analysis Framework via Lattice
109 |
110 | A data flow analysis framework (D, L, F) consists of:
111 |
112 | * D: the direction of the data flow, forward or backward
113 | * L: a lattice containing the domain of values V and the meet/join operators
114 | * F: a family of transfer functions V -> V
115 |
116 | Data flow analysis can thus be viewed as iteratively applying transfer functions and meet/join operators to values of the lattice.
117 |
118 |
119 |
120 |
121 |
122 | ## Monotonicity and Fixed Point Theorem
123 |
124 | Recall the question raised above: under what conditions does the iterative algorithm terminate? Here we introduce the fixed point theorem:
125 |
126 |
127 |
128 | Monotonicity: a function f: L -> L is **monotone** if $x \sqsubseteq y \Rightarrow f(x)\sqsubseteq f(y)$.
129 |
130 | Fixed Point Theorem: given a complete lattice $(L,\sqsubseteq)$, if
131 |
132 | 1. $f: L \rightarrow L$ is monotone
133 |
134 | 2. $L$ is finite
135 |
136 | (that is, f monotone and bounded + L a complete lattice)
137 |
138 | then
139 |
140 | * iterating $f^k(\bot)$ yields the least fixed point.
141 |
142 | * iterating $f^k(\top)$ yields the greatest fixed point.
143 |
144 |
145 |
146 | Proof:
147 |
148 | By the definition of $\bot$ and of f we have $\bot \sqsubseteq f(\bot)$.
149 |
150 | Since L is finite and f is monotone, by the pigeonhole principle there must be a k such that $\bot \sqsubseteq f(\bot) \sqsubseteq f^2(\bot)\sqsubseteq ...\sqsubseteq f^k(\bot)\sqsubseteq f^{k+1}(\bot)$ and $f^k(\bot) = f^{k+1}(\bot)$.
151 |
152 | Suppose x is any other fixed point. Since f is monotone, $f(\bot) \sqsubseteq f(x), f^2(\bot) \sqsubseteq f^2(x),...,f^{Fix} = f^k(\bot)\sqsubseteq f^k(x) = x$
153 |
154 | So $f^{Fix}$ is indeed the least fixed point.
155 |
156 |
157 |
158 | With this proof we have answered another question: if our iterative algorithm satisfies the requirements of the fixed point theorem, the fixed point it reaches is indeed the best fixed point.
159 |
160 |
161 |
162 | ## Relate Iterative Algorithm to Fixed Point Theorem
163 |
164 | So far we have only described qualitatively whether the best fixed point can be reached. But what does it take for the iterative algorithm to satisfy the requirements of the fixed point theorem? Next we show how to relate the two.
165 |
166 | First, recall the form of a fact: $(v_1^1,v_2^1,...,v_k^1)$. Each component can be viewed as an element of a finite lattice, and the product of finite lattices is again a finite lattice, so facts map onto a finite lattice.
167 |
168 | Next, our iteration function F consists of the transfer functions f and the join/meet functions. If we prove that F is monotone, we obtain that $F: L\rightarrow L$ is monotone.
169 |
170 | This has two parts.
171 |
172 | 1. The transfer function, OUT = gen U (IN - kill), is clearly monotone.
173 | 2. For the join/meet function, proving monotonicity means showing that $\forall x,y,z\in L$, if $x\sqsubseteq y$ then $x \sqcup z \sqsubseteq y \sqcup z$.
174 | 1. By definition, $y \sqsubseteq y \sqcup z$
175 | 2. By transitivity, $x \sqsubseteq y \sqcup z$
176 | 3. So $y \sqcup z$ is an upper bound of $x, z$
177 | 4. And $x \sqcup z$ is the lub of $x, z$
178 | 5. Therefore $x \sqcup z \sqsubseteq y \sqcup z$, which completes the proof.
179 |
180 | This completes the correspondence between the iterative algorithm and the fixed point theorem.
181 |
182 |
183 |
184 | Now for the third question raised at the start of this chapter: when does the algorithm terminate?
185 |
186 | This one is simple, because every lattice has a height. Suppose the lattice has height h and the CFG has k nodes. Even if each iteration moves only one node one step up the lattice, the worst-case number of iterations is still only $i = h \times k$
187 |
188 |
189 |
190 | Finally, here are the three questions together with their answers:
191 |
192 | * Is the algorithm guaranteed to terminate / reach a fixed point? **Yes!** Is there always a solution? **Yes!**
193 | * If it reaches a fixed point, is that fixed point unique? **There can be many.** If there are several, is our result the best one? **Yes!**
194 | * When do we reach the fixed point? **In the worst case, after (lattice height) × (number of CFG nodes) iterations.**
195 |
196 |
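The fixed point theorem, the monotonicity of gen/kill transfer functions and of join, and the height bound above can all be checked by brute force on a small finite lattice. The following is an added example, not code from the original notes: it takes the powerset of a constructed three-element universe under subset order, a gen/kill style function `F` (gen = {a}, kill = {b}, an assumption of this example), and iterates from $\bot$ and from $\top$. It also shows that iteration need not converge at all for a non-monotone function (set complement).

```python
"""Fixed point theorem on a finite lattice: the powerset of a small universe under
subset order, a gen/kill transfer function, and iteration from bottom and from top."""
from itertools import combinations
from typing import Callable, FrozenSet, List, Optional, Tuple

Elem = FrozenSet[str]
UNIVERSE: Elem = frozenset({"a", "b", "c"})     # constructed universe of "facts"


def powerset(universe: Elem) -> List[Elem]:
    """All elements of the lattice (P(U), subset), bottom first, top last."""
    items = sorted(universe)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]


LATTICE: List[Elem] = powerset(UNIVERSE)
BOTTOM: Elem = frozenset()
TOP: Elem = UNIVERSE
HEIGHT = len(UNIVERSE)   # longest chain from bottom to top in a powerset lattice


def is_monotone(f: Callable[[Elem], Elem], lattice: List[Elem]) -> bool:
    """Brute-force check of x <= y  ==>  f(x) <= f(y) over every ordered pair."""
    return all(f(x) <= f(y) for x in lattice for y in lattice if x <= y)


def join_is_monotone(lattice: List[Elem]) -> bool:
    """The property proved in the notes: x <= y  ==>  x join z <= y join z."""
    return all((x | z) <= (y | z)
               for x in lattice for y in lattice if x <= y for z in lattice)


def make_gen_kill(gen: Elem, kill: Elem) -> Callable[[Elem], Elem]:
    """A data-flow style transfer function f(S) = (S - kill) U gen."""
    return lambda s: (s - kill) | gen


def complement(s: Elem) -> Elem:
    """Not monotone: bigger input gives smaller output."""
    return UNIVERSE - s


def iterate(f: Callable[[Elem], Elem], start: Elem, limit: int) -> Optional[Tuple[Elem, int]]:
    """Apply f repeatedly from `start`; return (fixed point, steps taken), or None
    if no fixed point is reached within `limit` applications."""
    x = start
    for steps in range(limit + 1):
        nxt = f(x)
        if nxt == x:
            return x, steps
        x = nxt
    return None


def all_fixed_points(f: Callable[[Elem], Elem], lattice: List[Elem]) -> List[Elem]:
    return [x for x in lattice if f(x) == x]


def least_fixed_point(f: Callable[[Elem], Elem]) -> Elem:
    """f^k(bottom); for a monotone f on this finite lattice at most HEIGHT steps are needed."""
    res = iterate(f, BOTTOM, HEIGHT)
    assert res is not None, "monotone f must converge within the lattice height"
    return res[0]


def greatest_fixed_point(f: Callable[[Elem], Elem]) -> Elem:
    """f^k(top), the dual iteration."""
    res = iterate(f, TOP, HEIGHT)
    assert res is not None, "monotone f must converge within the lattice height"
    return res[0]


# The transfer function used in the checks below (constructed gen/kill sets).
F = make_gen_kill(frozenset({"a"}), frozenset({"b"}))
```

`F` has two fixed points, {a} and {a, c}; iterating from $\bot$ reaches {a}, the least one, and iterating from $\top$ reaches {a, c}, the greatest one, each in a single step, well inside the height bound of 3. `complement` is rejected by `is_monotone`, and `iterate(complement, BOTTOM, 8)` oscillates between $\bot$ and $\top$ without ever settling, which is why the theorem insists on monotonicity.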
197 |
198 | ## May/Must Analysis, A Lattice View
199 |
200 | Whether may or must analysis, the iteration walks from one end of the lattice toward the other. Consider the following abstract view of our lattice:
201 |
202 |
203 |
204 | For example, in reaching definitions analysis, the bottom represents "no definition reaches" and the top represents "every definition reaches".
205 |
206 | The bottom is the unsafe case: we believe no definition reaches, so the storage of the related variables could be reused. The top is the safe but useless case: every definition is assumed to reach, which tells us nothing about which storage could be reused.
207 |
208 | Because we use the join function, we necessarily walk upward from the least element of the lattice, and the higher we go, the more precision we lose. Hence, among all fixed points, we look for the least fixed point, which gives the most precise result.
209 |
210 |
211 |
212 | Conversely, in available expressions analysis, the bottom represents "no expression available" and the top represents "every expression available".
213 |
214 | Here the bottom is the safe but useless case, because every expression has to be recomputed even where one really is available. The top is unsafe, because not every path makes every expression available. As with may analysis, by looking for the greatest fixed point we obtain the most precise result among the valid ones.
215 |
216 |
217 |
218 |
219 |
220 | ## Distributivity and MOP
221 |
222 | We introduce the Meet-Over-All-Paths solution, MOP. In this solution, instead of iteratively computing the data flow from the relation between a node and its predecessors/successors, we enumerate all paths directly and take the upper/lower bound of the results computed along each path. This is the ideal result.
223 |
224 |
225 |
226 |
227 |
228 | As can be seen, the iterative algorithm joins the predecessors at s3 and then applies the transfer f3, whereas MOP joins the results of the paths that have passed s3 and not yet reached s4.
229 |
230 | So which is more precise, the iterative algorithm or MOP? We can prove that $F(x)\sqcup F(y)\sqsubseteq F(x\sqcup y)$:
231 |
232 |
233 |
234 | This shows that MOP is more precise.
235 |
236 | But that is not the end of the story. If F is distributive, the partial-order sign can be replaced by equality. Conveniently, for gen/kill problems F is indeed distributive, so we can be sure that the iterative algorithm is exactly as precise as MOP.
237 |
238 |
239 |
240 | ## Constant Propagation
241 |
242 | Of course, for some problems F is not distributive, for example constant propagation.
243 |
244 |
245 |
246 | In constant propagation analysis, the greatest element is undefined (UNDEF), because we do not know what value a variable has been assigned. The least element is NAC (Not A Constant), and in between are the individual constants. This is because, when analyzing whether the value a variable holds is a constant, either it is always the same value or it is not a constant.
247 |
248 |
249 |
250 | Given a statement s: x = ..., we define the transfer function $OUT[s]=gen\cup(IN[s]-\{(x,\_)\})$.
251 |
252 | The gen function depends on the right-hand side of the assignment:
253 |
254 |
255 |
256 | Note that const + undef -> undef. Going from undef to const is a descent in the lattice; if instead we had const1 + undef -> const2, then when undef later becomes a const, const2 would change, and the old const2 and the new const2 would not be ordered with respect to each other, so the monotonicity required by the partial order would be violated.
257 |
258 |
259 |
260 | Constant propagation is not distributive. Take the following figure as an example:
261 |
262 |
263 |
264 |
265 |
266 | For c, $F(X)\sqcap F(Y) = 10, F(X\sqcap Y) = \text{NAC}$
267 |
268 |
269 |
270 |
271 |
272 | ## Worklist Algorithm
273 |
274 | The worklist algorithm is an optimization of the iterative algorithm.
275 |
276 |
277 |
278 | In the worklist algorithm, only the basic blocks affected by a changed fact are reprocessed; there is no need to reprocess every basic block each time some fact changes.
279 |
280 |
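The constant propagation lattice, its "const + undef -> undef" rule, the non-distributivity at c, and the worklist driver of the last two sections fit together in one small program. The following is an added example and not code from the original notes: the CFG is a constructed diamond (two branches assigning a and b, joined by `c = a + b`), chosen to reproduce the situation in the figure where the iterative result for c is NAC while the meet over all paths gives 10. The statement encoding, block names and the value 10 are assumptions of this example.

```python
"""Constant propagation with a worklist driver, on a constructed diamond CFG that
shows why the analysis is not distributive (iterative result vs. MOP)."""
from collections import deque
from typing import Dict, List, Tuple, Union

UNDEF, NAC = "UNDEF", "NAC"        # top and bottom of the constant-propagation lattice
Value = Union[int, str]            # an int constant, UNDEF or NAC
State = Dict[str, Value]           # abstract state; a variable that is absent is UNDEF

# Statements: ("x", 5) assigns a constant, ("x", "y") copies a variable,
# ("x", "y", "+", "z") is a binary operation on variables or constants.
Stmt = tuple

# Constructed CFG (not the notes' figure): two branches assigning a and b, joined at B3.
#   B1: a = 1 ; b = 9        B2: a = 9 ; b = 1        B3: c = a + b
STMTS: Dict[str, List[Stmt]] = {
    "entry": [], "exit": [],
    "B1": [("a", 1), ("b", 9)],
    "B2": [("a", 9), ("b", 1)],
    "B3": [("c", "a", "+", "b")],
}
SUCCS: Dict[str, List[str]] = {"entry": ["B1", "B2"], "B1": ["B3"], "B2": ["B3"], "B3": ["exit"], "exit": []}


def meet(a: Value, b: Value) -> Value:
    """Greatest lower bound: UNDEF is the identity, NAC absorbs, equal constants stay."""
    if a == UNDEF:
        return b
    if b == UNDEF:
        return a
    if a == NAC or b == NAC:
        return NAC
    return a if a == b else NAC


def meet_states(states: List[State]) -> State:
    result: State = {}
    for st in states:
        for var, val in st.items():
            result[var] = meet(result.get(var, UNDEF), val)
    return result


def value_of(state: State, operand) -> Value:
    return state.get(operand, UNDEF) if isinstance(operand, str) else operand


def evaluate(state: State, y, op: str, z) -> Value:
    """val(y) op val(z) when both are constants; NAC if either is NAC; otherwise UNDEF.
    The last rule is the notes' 'const + undef -> undef'."""
    vy, vz = value_of(state, y), value_of(state, z)
    if vy == NAC or vz == NAC:
        return NAC
    if vy == UNDEF or vz == UNDEF:
        return UNDEF
    return {"+": vy + vz, "-": vy - vz, "*": vy * vz}[op]


def transfer(stmts: List[Stmt], state: State) -> State:
    """OUT = gen U (IN - {(x, _)}): each statement overwrites the fact for its target."""
    state = dict(state)
    for stmt in stmts:
        if len(stmt) == 2:
            state[stmt[0]] = value_of(state, stmt[1])
        else:
            state[stmt[0]] = evaluate(state, *stmt[1:])
    return state


def worklist_solve(succs: Dict[str, List[str]], stmts: Dict[str, List[Stmt]]) -> Dict[str, State]:
    """Worklist iteration: a block is re-analysed only when a predecessor's OUT changed."""
    preds = {n: [p for p in succs if n in succs[p]] for n in succs}
    out: Dict[str, State] = {n: {} for n in succs}       # everything starts at UNDEF (top)
    work = deque(n for n in succs if n != "entry")
    while work:
        n = work.popleft()
        new_out = transfer(stmts[n], meet_states([out[p] for p in preds[n]]))
        if new_out != out[n]:
            out[n] = new_out
            for s in succs[n]:
                if s not in work:
                    work.append(s)                       # only successors need rework
    return out


def iterative_c() -> Value:
    return worklist_solve(SUCCS, STMTS)["B3"]["c"]


def mop_c() -> Value:
    """Meet over all paths: the constructed CFG is acyclic, so both paths are listed."""
    results = []
    for path in (["B1", "B3"], ["B2", "B3"]):
        state: State = {}
        for block in path:
            state = transfer(STMTS[block], state)
        results.append(state)
    return meet_states(results)["c"]


def distributivity_gap() -> Tuple[Value, Value]:
    """F(X) meet F(Y) versus F(X meet Y) for F = transfer of B3."""
    x, y = transfer(STMTS["B1"], {}), transfer(STMTS["B2"], {})
    f = lambda s: transfer(STMTS["B3"], s)
    return meet_states([f(x), f(y)])["c"], f(meet_states([x, y]))["c"]
```

`iterative_c()` meets the two predecessor states first (a and b both become NAC) and only then applies the transfer of B3, so c is NAC; `mop_c()` applies the transfer along each path first and meets afterwards, so c is 10 on both paths and stays 10. `distributivity_gap()` returns exactly the pair the notes state for c, and the worklist only revisits B3 and exit, never the blocks whose inputs did not change.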
281 |
282 | ## Key Points
283 |
284 | * Understand the iterative algorithm from the function viewpoint
285 | * The definitions of lattice and complete lattice
286 | * Understand the fixed point theorem
287 | * Know how to characterize may and must analysis in terms of lattices
288 | * The relationship between MOP and the result of the iterative algorithm
289 | * Constant propagation analysis
290 | * The worklist algorithm
--------------------------------------------------------------------------------
/ch1/ch1.md:
--------------------------------------------------------------------------------
1 | # Introduction to Static Program Analysis and Data Flow Analysis
2 |
3 | The introduction covers:
4 |
5 | * What is static program analysis (hereafter static analysis)?
6 | * How to design a practical static program analyzer?
7 |
8 | Then a fairly long part introduces a common application of static analysis: data flow analysis.
9 |
10 | * First the applications of data flow analysis, to give learners an intuitive feel
11 | * Then an in-depth theoretical treatment of the logic behind data flow analysis
12 |
13 | **Note: ~~This part has corresponding videos on Bilibili.~~ Readers are advised to go through it together with the Bilibili videos.**
14 |
15 | (Update@20220124: the [complete official videos](https://www.bilibili.com/read/cv14416770) have been released, and the notes for lessons 1 to 6 have been updated. Have fun!)
16 |
17 | The videos for lessons 1 to 6 are here:
18 |
19 | * [Lesson 1 - Course Introduction](https://www.bilibili.com/video/BV1b7411K7P4?from=search&seid=9629980298568702440)
20 | * [Lesson 2 - Intermediate Representation \(IR\)](https://www.bilibili.com/video/BV1zE411s77Z)
21 | * [Lesson 3 - Data Flow Analysis I](https://www.bilibili.com/video/BV1oE411K79d)
22 | * [Lesson 4 - Data Flow Analysis II](https://www.bilibili.com/video/BV19741197zA)
23 | * [Lesson 5 - Data Flow Analysis Theory I](https://www.bilibili.com/video/BV1A741117it)
24 | * [Lesson 6 - Data Flow Analysis Theory II](https://www.bilibili.com/video/BV1964y1M7nL)
--------------------------------------------------------------------------------
/ch1/images/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/1.png
--------------------------------------------------------------------------------
/ch1/images/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/2.png
--------------------------------------------------------------------------------
/ch1/images/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/3.png
--------------------------------------------------------------------------------
/ch1/images/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/4.png
--------------------------------------------------------------------------------
/ch1/images/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/5.png
--------------------------------------------------------------------------------
/ch1/images/6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/6.png
--------------------------------------------------------------------------------
/ch1/images/7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/7.png
--------------------------------------------------------------------------------
/ch1/images/8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/images/8.png
--------------------------------------------------------------------------------
/ch1/img/1_Intro/image-20210902200335848.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/1_Intro/image-20210902200335848.png
--------------------------------------------------------------------------------
/ch1/img/1_Intro/image-20210902201618713.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/1_Intro/image-20210902201618713.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909175715157.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909175715157.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909180558685.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909180558685.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909192214368.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909192214368.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909192230838.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909192230838.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909193624370.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909193624370.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909193825373.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909193825373.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909194221057.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909194221057.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909194550772.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909194550772.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909194912657.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909194912657.png
--------------------------------------------------------------------------------
/ch1/img/2_Intermediate Representation/image-20210909195613197.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/2_Intermediate Representation/image-20210909195613197.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917153822357.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917153822357.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917154034546.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917154034546.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917162309404.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917162309404.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917162405362.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917162405362.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917162747257.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917162747257.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917163542130.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917163542130.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917164337106.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917164337106.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917165027657.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917165027657.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917165047931.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917165047931.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917165459729.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917165459729.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917171457003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917171457003.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917171825938.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917171825938.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917184215918.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917184215918.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917185149738.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917185149738.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917193557643.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917193557643.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917200639739.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917200639739.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917201617719.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917201617719.png
--------------------------------------------------------------------------------
/ch1/img/3_4_Data Flow Analysis/image-20210917202539780.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/3_4_Data Flow Analysis/image-20210917202539780.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20210923162141398.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20210923162141398.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20210923165949698.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20210923165949698.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009185424077.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009185424077.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009190320346.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009190320346.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009190612357.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009190612357.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009192219561.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009192219561.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009193258050.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009193258050.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009193822041.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009193822041.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009194808421.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009194808421.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009195346660.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009195346660.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009200111058.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009200111058.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009200302010.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009200302010.png
--------------------------------------------------------------------------------
/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009200914835.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch1/img/5_6_Data Flow Analysis Foundation/image-20211009200914835.png
--------------------------------------------------------------------------------
/ch2/ch2.md:
--------------------------------------------------------------------------------
1 | # Introduction to Interprocedural Analysis
2 |
3 | **Reading tip: on a device with a larger screen you can see the built-in Sticky Table of Contents, which makes it easier to follow the structure of the text.**
4 |
5 | The corresponding videos are:
6 |
7 | * [Lecture 7: Interprocedural Analysis](https://www.bilibili.com/video/BV1GQ4y1T7zm)
8 | * [Lecture 8: Pointer Analysis](https://www.bilibili.com/video/BV1gg4y1z78p)
9 |
10 | ## Introduction to Interprocedural Analysis
11 |
12 | This section introduces interprocedural analysis in four parts.
13 |
14 | 1. Motivation
15 | * **Why** introduce interprocedural analysis?
16 | 2. Call Graph Construction \(CHA\)
17 | * Introduces the **call graph, a data structure that interprocedural analysis requires**
18 | * There are several ways to **build a call graph**; this section covers **the fastest one, class hierarchy analysis (CHA)**
19 | 3. Interprocedural Control-Flow Graph
20 | * Earlier chapters focused on the CFG; with interprocedural analysis we **add the corresponding elements** to the CFG and obtain the interprocedural control-flow graph (ICFG)
21 | * Discusses the **additional operations** that the new elements require
22 | 4. Interprocedural Data-Flow Analysis
23 | * **Summarizes** interprocedural analysis with an example (the constant propagation analysis from assignment 1).
24 |
25 | ## Motivation
26 |
27 | None of the earlier chapters considered method calls, yet real programs call methods all the time. How do we analyze a program with method calls? The simplest approach (again using constant propagation as the example) is to make the most conservative assumption, i.e. **return NAC for every method call**. That approach **loses precision**. **Introducing interprocedural analysis improves precision.** With the simplest approach, the analysis concludes that neither n nor y in the figure below is a constant, even though we can see at a glance that their run-time values are n=10 and y=43.
28 |
29 |
30 |
31 | ## Call Graph Construction \(CHA\)
32 |
33 | Next we discuss a necessary data structure, the call graph (调用关系图 in Chinese).
34 |
35 | ### Definition of Call Graph
36 |
37 | > A representation of calling relationships in the program.
38 |
39 | A call graph represents calling relationships (which sounds rather odd when said in Chinese). A simple example:
40 |
41 |
42 |
43 | ### Call Graph Construction
44 |
45 | There are many different ways to construct a call graph. We will cover the two extremes: the most precise one and the fastest one.
46 |
47 |
48 |
49 | #### Call types in Java
50 |
51 | This course focuses on constructing call graphs for Java, so we first need to understand the kinds of calls in Java. Calls in Java fall into three categories (no need to understand them fully yet; they are explained in detail later):
52 |
53 |
54 |
55 | * Instruction: the instruction in Java's **IR**
56 | * Receiver objects: the instance object on which the method is invoked (a static method call needs no receiver instance).
57 | * Target methods: the **mapping from the IR instruction to the target method being called**
58 | * Num of target methods: the number of target methods a call may invoke. Virtual calls are tied to dynamic binding and polymorphism and can correspond to overriding methods in several classes, so **a virtual call may have more than one possible target**.
59 | * Determinacy: when the target of the call can be determined. Virtual calls depend on polymorphism, so which concrete implementation is invoked can only be decided at run time. The other two kinds of call are unrelated to polymorphism and can be determined at compile time.
60 |
61 | #### Virtual call and dispatch
62 |
63 | Virtual calls are the most complex of the three kinds, so we discuss them first. At run time, a virtual call decides which concrete method to invoke based on two things:
64 |
65 | 1. Type of object
66 | 2. Method signature
67 | * Signature = class type + method name + descriptor
68 | * Descriptor = return type + parameter types
69 |
70 |
71 |
72 | Java's dispatch mechanism decides which method is actually invoked: c is a class definition and m is a method. If a method with the same name and descriptor is found in the class itself, that method is called; otherwise the search continues in the superclass.
73 |
74 | > We define function Dispatch\(𝑐, 𝑚\) to simulate the procedure of run-time method dispatch.
75 |
76 |
77 |
78 | **Exercise**
79 |
80 | Q: Which class's foo does each of the two calls to foo invoke?
81 |
82 |
83 |
84 | A: The foo methods defined in A and in C, respectively.
85 |
86 |
87 |
88 | ## Class Hierarchy Analysis \(CHA\)
89 |
90 | ### Definition of CHA
91 |
92 | * Require the class **hierarchy information \(inheritance structure\)** of the whole program
93 | * The class inheritance hierarchy of the whole program must be obtained first
94 | * Resolve a virtual call based on the declared type of receiver variable of the call site
95 | * A virtual call is resolved using the declared type of the receiver variable
96 | * Example of a receiver variable: in `a.foo()`, a is the receiver variable
97 | * Assume the receiver variable a may point to objects of class A or all subclasses of A(Resolve target methods by looking up the class hierarchy of class A)
98 | * Assume that a receiver variable may point to A or to any subclass of A
99 |
100 | ### Call Resolution of CHA
101 |
102 | #### Algorithm of Resolve
103 |
104 | The algorithm for resolving a call is introduced below.
105 |
106 |
107 |
108 | * The call site \(cs\) is the call statement, and m \(method\) is the corresponding method signature.
109 | * The set T holds the results found
110 | * The three if branches correspond to the three kinds of Java call mentioned earlier
111 | 1. Static call\(all static method calls\)
112 | 2. Special call\(calls using the super keyword, constructor calls, and private instance methods\)
113 | 3. Virtual call\(all other calls\)
114 |
115 | **Static call**
116 |
117 | * Readers unfamiliar with static methods in OOP can refer to [this page](https://www.geeksforgeeks.org/static-methods-vs-instance-methods-java/). In short, a static method call is written with the class name in front, whereas a non-static method call is written with a variable or pointer name in front. A static method call does not depend on an instance.
118 |
119 |
120 |
121 | **Special call**
122 |
123 | * Superclass instance methods (the super keyword) are the most complex case, so we consider them first
124 |
125 |
126 |
127 | * Why handling super calls needs the Dispatch function: in the situation shown below, without Dispatch the super.foo call in class C cannot be resolved correctly:
128 |
129 |
130 |
131 | * Private instance methods and constructors (always implemented by the class itself, or provided as a default constructor) are both given in the class's own implementation, so using Dispatch covers all three cases and simplifies the code.
132 |
133 | **Virtual call**
134 |
135 | * In the example, the receiver variable is c.
136 |
137 |
138 |
139 | * Dispatch is called for the receiver's declared class c and for every direct and indirect subclass of c
140 |
141 | **An example**
142 |
143 | All three calls are virtual calls, i.e. the third case of the algorithm above.
144 |
145 |
146 |
147 | ### Characteristics of CHA
148 |
149 | 1. It only considers the class hierarchy, so it is **fast**
150 | 2. It ignores data-flow and control-flow information, so it is **not very precise**
151 |
152 | ### Applications of CHA
153 |
154 | It is commonly used in IDEs to give hints to the user. For example, write a small piece of test code and see which method signatures b.foo\(\) might call. We can see that CHA considers `b.foo()` to possibly call the `foo()` of A, C or D. (This is actually imprecise: b is really a B object, so the methods of the subclasses C and D cannot be called, but CHA wins on speed.)
155 |
156 |
157 |
158 | ### Call Graph Construction
159 |
160 | #### Idea
161 |
162 | * Build call graph for whole program via CHA
163 | * Construct the call graph of the whole program via CHA
164 | * Start from entry methods \(focus on main method\)
165 | * Usually start from the main method
166 | * For each reachable method 𝑚, resolve target methods for each call site 𝑐𝑠 in 𝑚 via CHA \(Resolve\(𝑐𝑠\)\)
167 | * Process every reachable method recursively
168 | * Repeat until no new method is discovered
169 | * Stop when no new reachable method can be found
170 | * The whole process closely resembles computing a closure in the theory of computation
171 |
172 |
173 |
174 | #### Algorithm
175 |
176 |
177 |
178 | * The worklist records the methods that still need to be processed
179 | * The call graph is the target being built; it is the set of call edges
180 | * Reachable methods (RM) are the targets already processed; when taking a new target from the worklist, a target already in RM need not be processed again
181 |
182 | #### Example
183 |
184 | 1. Initialization
185 |
186 |
187 |
188 | 2. After processing main, A.foo\(\) is added to the WL
189 |
190 |
191 |
192 | 3. Some intermediate steps are omitted. When C.bar\(\) is processed, it does call A.foo\(\), but since A.foo\(\) has already been processed (it is in the set RM), it is not processed again
193 |
194 |
195 |
196 | 4. Here C.m\(\) is unreachable dead code
197 |
198 |
199 |
200 | _Note: the constructor call made by new A\(\) is ignored; it is not the point of the example._
201 |
202 | **This example summarizes the whole section; if you cannot read it and derive it on your own, rereading is recommended. If you have understood lectures one to six but feel the material above is unclear, you can discuss it (or complain about it) in the QQ group mentioned in the book's introduction.**
203 |
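The Resolve and call-graph construction algorithms described above, as an added example in Python (not code from the course or from its Tai-e framework). The class hierarchy and method table are constructed: `C.m` is never called, `B.foo` makes a special call through `super`, and the virtual call on a receiver declared as `A` resolves to every `foo` reachable through the hierarchy of `A`. Descriptors are omitted, so a method name stands for a signature in this toy.

```python
"""Class hierarchy analysis (CHA) with worklist call-graph construction.

Added example: this is not code from the course or from its Tai-e
framework. The class hierarchy, the method table and the call-site
notation are all constructed for this example.
"""
from collections import deque

# Constructed hierarchy: class -> superclass (None for the root).
SUPER = {"A": None, "B": "A", "C": "B", "D": "B"}

# Constructed method table: (class, method) -> call sites in its body.
# A call site is (kind, declared class of the receiver/target, method name)
# with kind in {"static", "special", "virtual"}; descriptors are omitted,
# so method names alone identify signatures in this toy.
METHODS = {
    ("A", "main"): [("virtual", "A", "foo"), ("static", "C", "bar")],
    ("A", "foo"):  [],
    ("B", "foo"):  [("special", "A", "foo")],   # super.foo() inside B.foo
    ("C", "bar"):  [("virtual", "A", "foo")],
    ("C", "m"):    [("virtual", "C", "foo")],   # never called: dead code
    ("D", "foo"):  [],
}

def subclasses(cls):
    """cls itself plus all of its direct and indirect subclasses."""
    out = [cls]
    for sub, sup in SUPER.items():
        if sup == cls:
            out.extend(subclasses(sub))
    return out

def dispatch(cls, name):
    """Dispatch(c, m): look in c, then walk up the superclass chain."""
    while cls is not None:
        if (cls, name) in METHODS:
            return (cls, name)
        cls = SUPER[cls]
    return None

def resolve(call_site):
    """Resolve(cs): the CHA target set T of one call site."""
    kind, cls, name = call_site
    if kind == "static":
        return {(cls, name)}
    if kind == "special":
        return {dispatch(cls, name)}
    targets = set()                       # virtual: declared type and all subclasses
    for sub in subclasses(cls):
        target = dispatch(sub, name)
        if target is not None:
            targets.add(target)
    return targets

def build_call_graph(entry):
    """Worklist algorithm: returns (RM, CG); CG edges are (caller, call site, callee)."""
    wl, rm, cg = deque([entry]), set(), set()
    while wl:
        m = wl.popleft()
        if m in rm:                       # already processed
            continue
        rm.add(m)
        for cs in METHODS[m]:
            for target in resolve(cs):
                cg.add((m, cs, target))
                wl.append(target)
    return rm, cg

if __name__ == "__main__":
    rm, cg = build_call_graph(("A", "main"))
    print("reachable:", sorted(rm))
    for caller, cs, callee in sorted(cg):
        print(f"{caller} --{cs[0]} {cs[2]}--> {callee}")
```

Running it from `("A", "main")` reaches `A.main`, `A.foo`, `B.foo`, `D.foo` and `C.bar` but never `C.m`, matching the dead-code observation in step 4; `C.bar`'s call to `foo` still adds call edges but re-queues methods that RM already contains, so they are skipped.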
204 | ### Interprocedural Control-Flow Graph
205 |
206 | > ICFG = CFGs + **call & return edges**
207 |
208 | An ICFG is constructed from the CFGs by adding two kinds of edge.
209 |
210 | 1. Call edges: from call sites to the entry nodes of their callees
211 | 2. Return edges: from return statements of the callees to the statements following their call sites \(i.e., return sites\)
212 |
213 | For example:
214 |
215 |
216 |
217 |
218 |
219 | ## Interprocedural Data-Flow Analysis
220 |
221 | ### Definition and comparison
222 |
223 | There is currently no standard method in this area of analysis. We first compare interprocedural and intraprocedural analysis, using constant propagation (the topic of the first assignment for students at our university; it requires lectures one to six as background) as the example.
224 |
225 |
226 |
227 | Edge transfers handle the newly introduced call & return edges. For this we need to **add three kinds of transfer function on top of the CFG of the earlier chapters.**
228 |
229 | * Call edge transfer
230 | * Passes the arguments from the caller to the callee
231 | * Return edge transfer
232 | * Passes the return value from the callee to the caller
233 | * Node transfer
234 | * Mostly the same as intraprocedural constant propagation, except that for every method call the LHS (left-hand side) variable must be killed
235 |
236 |
237 |
238 | ### Example
239 |
240 |
241 |
242 | #### A small question
243 |
244 | Does this edge need to exist?
245 |
246 |
247 |
248 | > Such edge \(from call site to return site\) is named call-to-return edge. It allows the analysis to propagate local data-flow \(a=6 in this case\) on ICFG.
249 |
250 | Without this edge, a would have to "go abroad" and waste the planet's resources: the value of a would have to be remembered throughout the analysis of the callee, which wastes a great deal of memory when the analysis runs.
251 |
252 |
253 |
254 | Remember to kill the value on the left-hand side at the call statement, otherwise the result will be imprecise, e.g.:
255 |
256 |
257 |
258 | ## How important is interprocedural analysis?
259 |
260 | Having come this far, let us return to the start of the story and see how much precision interprocedural analysis actually gains. The complete derivation of the example above with interprocedural analysis is:
261 |
262 |
263 |
264 | Whereas with only intraprocedural analysis, **precision drops sharply**:
265 |
266 |
267 |
268 | ## Key points
269 |
270 | 1. How to build call graph via class hierarchy analysis
271 | * How to construct a call graph \(call graph\) with CHA
272 | 2. Concept of interprocedural control-flow graph
273 | * The concept of the interprocedural control-flow graph \(ICFG\)
274 | 3. Concept of interprocedural data-flow analysis
275 | * The concept of interprocedural data-flow analysis
276 | 4. Interprocedural constant propagation
277 | * Example: constant propagation with interprocedural analysis
278 |
279 |
--------------------------------------------------------------------------------
/ch3/context-sensitivity/03-04-context-sensitivity.md:
--------------------------------------------------------------------------------
1 | # Context-Sensitive Analysis (Part 1)
2 |
3 | > Context sensitivity is the single most effective technique for improving the precision of pointer analysis.
4 |
5 | This lecture has the following five parts:
6 |
7 | 1. Introduction\(Example\)
8 | 2. Introduction\(Theory\)
9 | 3. Context Sensitive Pointer Analysis: Rules
10 | 4. Context Sensitive Pointer Analysis: Algorithms
11 | 5. Context Sensitivity Variants
12 |
13 | Part 1 covers the first three; Part 2 continues with the last two.
14 |
15 | ## Introduction\(example\)
16 |
17 | We first use an example to show intuitively what goes wrong with context-insensitive analysis.
18 |
19 | ```java
20 | void main() {
21 |     Number n1, n2, x, y;
22 |     n1 = new One(); // 𝑜1
23 |     n2 = new Two(); // 𝑜2
24 |     x = id(n1);
25 |     y = id(n2);
26 |     int i = x.get();
27 |     // Assume the context-insensitive analysis described earlier is used.
28 |     // What is the constant-propagation result for i here?
29 | }
30 | Number id(Number n) {
31 |     return n;
32 | }
33 | interface Number {
34 |     int get();
35 | }
36 | class One implements Number {
37 |     public int get() { return 1; }
38 | }
39 | class Two implements Number {
40 |     public int get() { return 2; }
41 | }
42 | ```
43 |
44 | With the algorithm described earlier, which does not consider the order of calls, we get this PFG.
45 |
46 |
47 |
48 | This is what causes the low precision of the result: at run time i is always 1, but the analysis concludes that i is NAC \(Not a constant\):
49 |
50 |
51 |
52 | If we use a context-sensitive analysis instead and distinguish the calls to id made at different times, we get this PFG:
53 |
54 |
55 |
56 | Correspondingly, we obtain a more precise analysis result:
57 |
58 |
59 |
60 | ## Introduction\(Theory\)
61 |
62 | ### C.I.\(Context Insensitive\)
63 |
64 | What causes the low precision of context-insensitive analysis?
65 |
66 | 1. At run time, different calls to the same method often have different calling contexts, like the two calls to id in the example of the previous section.
67 | 2. The different calling contexts are merged and propagated, producing spurious data flow. In the previous example, the pointers x and y each point to two targets.
68 |
69 | ### C.S.\(Context Sensitive\)
70 |
71 | Context-sensitive analysis models calling contexts by distinguishing the data flow of different calling contexts. For example, in this code the contexts of the calls to id are the two call-site lines, written \[1\] and \[2\]:
72 |
73 | ```java
74 | x = id(n1); //context 1 for id()
75 | y = id(n2); //context 2 for id()
76 | int i = x.get();
77 |
78 | Number id(Number n) {
79 |     return n;
80 | }
81 | ```
82 |
83 | We can then **distinguish different calls to the same method by labelling them** and obtain a more precise PFG:
84 |
85 |
86 |
87 | ### C.S. heap
88 |
89 | **Objects dynamically allocated on the heap in Java also need to be labelled accordingly to improve precision.** Example: ~~(maybe a video really is needed?)~~
90 |
91 | * Without labels, the objects created by new at line 8 cannot be distinguished and can only be written as $$ o_8$$
92 | * With labels, they can be written separately as $$ 3:o_8$$ and $$ 4:o_8$$
93 |
94 |
95 |
96 | However, when analyzing with C.I. + C.S. heap, C.S. heap cannot improve precision.
97 |
98 |
99 |
100 | ## Context Sensitive Pointer Analysis: Rules
101 |
102 | ### Domains and Notations
103 |
104 | Next we introduce the rules for context-sensitive analysis.
105 |
106 | First, in the domains we discuss, methods/variables/objects are all upgraded to carry context labels.
107 |
108 |
109 |
110 | New notation: C denotes the set of all contexts, and c denotes one specific context.
111 |
112 | It is worth noting that fields do not need context labels, because a field always belongs to some object. Once objects are labelled and thus distinguishable by context, their fields are naturally distinguishable too. A not quite accurate but helpful analogy: if you can tell a pair of twins apart, you can also tell apart what is in their pockets.
113 |
114 | ### Rules
115 |
116 | First we consider the rules for the four kinds of statement that do not involve calls.
117 |
118 |
119 |
120 | Compare them with the rules of context-insensitive pointer analysis:
121 |
122 |
123 |
124 | **The only difference is that objects carry a context label.**
125 |
126 | Now let us look at how calls are handled. In context-sensitive pointer analysis the rule is:
127 |
128 |
129 |
130 | Again compare with the context-insensitive rule:
131 |
132 |
133 |
134 | **This time a Select function is added; its job is to attach a context label to the object, for example:**
135 |
136 | * attaching a context label to the parameters
137 |
138 |
139 |
140 | * attaching a context label to the return value
141 |
142 |
143 |
144 | **In other words, context information is added when a call is processed.**
145 |
146 | ## Key points
147 |
148 | * Concept of context sensitivity \(**C.S.**\)
149 | * Concept of context-sensitive heap \(**C.S. heap**\)
150 | * **Why** C.S. **and** C.S. heap improve **precision**
151 | * Using C.S. or C.S. heap alone still loses precision
152 | * Context-sensitive pointer analysis **rules**
153 |
154 |
--------------------------------------------------------------------------------
/ch3/context-sensitivity/03-05-cs2.md:
--------------------------------------------------------------------------------
1 | # Context-Sensitive Analysis (Part 2)
2 |
3 | > Context sensitivity is the single most effective technique for improving the precision of pointer analysis.
4 |
5 | This lecture has the following five parts:
6 |
7 | 1. Introduction\(Example\)
8 | 2. Introduction\(Theory\)
9 | 3. Context Sensitive Pointer Analysis: Rules
10 | 4. Context Sensitive Pointer Analysis: Algorithms
11 | 5. Context Sensitivity Variants
12 |
13 | Part 1 covered the first three; Part 2 continues with the last two.
14 |
15 | ~~Note to self: all the examples in this article would really be better explained in a video.~~
16 |
17 | ## Context Sensitive Pointer Analysis: Algorithms
18 |
19 | ### Idea
20 |
21 | Apart from the corresponding changes to the PFG, the overall idea of the algorithm is unchanged.
22 |
23 |
24 |
25 | Specifically, nodes and edges that carry context information make up a PFG that carries context information:
26 |
27 |
28 |
29 | ### Algorithm
30 |
31 |
32 |
33 | It looks intimidating at first, right? But you should already be familiar with the sibling of the context-sensitive \(C.S.\) pointer analysis algorithm, the context-insensitive \(C.I.\) one (in the figure below all context labels are covered by colored blocks):
34 |
35 |
36 |
37 | So in what follows we focus on the parts related to contexts rather than going through every detail as before.
38 |
39 | A notable difference is that both sets RM and CG carry context information in the context-sensitive algorithm of this section. For example, in the C.S. analysis both caller and callee carry context information ($$ c^t$$ denotes the callee's context label, and c:2->$$ c^t:\dots$$ means the caller at line 2 calls the callee labelled $$ c^t$$):
40 |
41 |
42 |
43 | ### Select in ProcessCall
44 |
45 |
46 |
47 | In this part we only need to understand what Select does (its concrete implementations are explained later):
48 |
49 | * ProcessCall takes two parameters, meaning: x with its context label now additionally points to the target o with its context label.
50 | * m denotes the target method.
51 | * Select takes parameters (there are 3 here, but not every implementation uses all 3)
52 | * c: the context label of x
53 | * l: the call site itself; in the examples a call site is identified by its line number
54 | * $$ c' : o_i $$: the receiver object
55 | * Select returns the callee's context $$ c^t$$
56 |
57 | ## Context Sensitivity Variants
58 |
59 | > So, how about telling us about Select?
60 |
61 | Differences in how Select is implemented give rise to the different variants of context-sensitive analysis, each with its own strengths and weaknesses. Specifically:
62 |
63 |
64 |
65 | ### C.I.
66 |
67 | * Can be seen as **a special case of C.S.**: whatever arguments are passed to Select, it always returns the same context. That is:
68 |
69 | ```text
70 | Select(*,*,*) = []
71 | ```
72 |
73 | ### Call-Site Sensitivity
74 |
75 | * Uses a **call chain \(call chain/call string\) as the context label**.
76 | * Also called **call-string sensitivity**, or **k-CFA**
77 |
78 | ```text
79 | Select(c,l,*) = [𝑙`, 𝑙``, 𝑙]
80 | // where 𝑐 = [𝑙`, … , 𝑙``]
81 | // i.e. the callee's context is computed only from
82 | // the caller's existing context and
83 | // the new context contributed by the call site
84 | ```
85 |
86 | An example to show call-site sensitivity intuitively:
87 |
88 |
89 |
90 | Of course, if bar is recursive, the contexts produced by the analysis may contain a great deal…
91 |
92 |
93 |
94 | #### k-Limiting Context Abstraction
95 |
96 | To avoid the non-termination caused by recursion described above, we can put an upper bound k on the length of contexts.
97 |
98 | * 1-call-site/1-CFA
99 |
100 | ```text
101 | Select(*,l,*) = [l]
102 | // i.e. do not inherit the caller's existing context;
103 | // consider only the context introduced by the call site
104 | // "remember only the most recent intersection you passed"
105 | ```
106 |
107 |
108 |
109 | * 2-call-site/2-CFA
110 |
111 | ```text
112 | Select(c,l,*) = [l``,l]
113 | // where c = [l`,l``]
114 | // i.e. "remember only the last two intersections you passed"
115 | ```
116 |
117 | ### Call-Site Example
118 |
119 | Analyze the following code and give the pointer flow graph PFG and the call graph CG as the result. (No need to pay attention to heap variables or the this variable; they are not the point of this example.)
120 |
121 | ```java
122 | class C {
123 |     static void main() {
124 |         C c = new C();
125 |         c.m();
126 |     }
127 |
128 |     Number id(Number n) {
129 |         return n;
130 |     }
131 |     void m() {
132 |         Number n1,n2,x,y;
133 |         n1 = new One();
134 |         n2 = new Two();
135 |         x = this.id(n1);
136 |         y = this.id(n2);
137 |         x.get();
138 |         // First think: what does the call on the line above return at run time?
139 |     }
140 | }
141 | ```
142 |
143 | The answer is:
144 |
145 |
146 |
147 | Compared with C.I., we can see that C.S.\(1-Call-Site\) is more precise in the analysis of line 16.
148 |
149 |
150 |
151 | ### Object Sensitivity
152 |
153 | * **Uses the receiver object as the context label**
154 | * Each context consists of a list of abstract objects \(represented by their allocation sites\)
155 | * At a method call, use the receiver object with its heap context as callee context
156 |
157 |
158 |
159 | * Distinguish the operations of data flow on different objects
160 | *
161 |
162 | ### Object Example & Comparison
163 |
164 | Analyze the following code with 1-Call-Site and with 1-Object, and give the objects pointed to by every pointer (variables and fields).
165 |
166 | ```java
167 | a1 = new A();
168 | a2 = new A();
169 | b1 = new B();
170 | b2 = new B();
171 | a1.set(b1);
172 | a2.set(b2);
173 | x = a1.get();
174 |
175 | class A {
176 |     B f;
177 |     void set(B b) {
178 |         this.doSet(b);
179 |     }
180 |     void doSet(B p) {
181 |         this.f = p;
182 |     }
183 |     B get() {
184 |         return this.f;
185 |     }
186 | }
187 | ```
188 |
189 |
190 |
191 | At line 12, the 1-call-site analysis produces an imprecise result. This is easier to see in the call graph:
192 |
193 |
194 |
195 | Put more plainly, 1-call-site only remembers which intersection it came through to reach the current position, while 1-object remembers who it is.
196 |
197 | This does not mean, however, that 1-object is always more precise than 1-call-site. For example, when analyzing the following code:
198 |
199 | ```java
200 | class C {
201 |     static void main() {
202 |         C c = new C();
203 |         c.m();
204 |     }
205 |
206 |     Number id(Number n) {
207 |         return n;
208 |     }
209 |
210 |     void m() {
211 |         Number n1,n2,x,y;
212 |         n1 = new One();
213 |         n2 = new Two();
214 |         x = this.id(n1);
215 |         y = this.id(n2);
216 |         // 1-object cannot distinguish the two calls above,
217 |         // but 1-call-site can
218 |         x.get();
219 |     }
220 | }
221 | ```
222 |
223 | So **in theory** the two approaches are incomparable. **In practice**, for OO languages \(such as Java\), the object-sensitive approach **usually** performs better (in both precision and speed), because it fits the nature of OO languages better.
224 |
225 | ### Type Sensitivity
226 |
227 | * Similar to object sensitivity, but coarser-grained and more efficient: this approach only looks at which class the object's allocation site is declared in.
228 | * Each context consists of a list of types
229 | * At a method call, use the type containing the allocation site of the receiver object with its heap context as callee context
230 |
231 |
232 |
233 | For example (if you find this example hard to follow, look at the next one first):
234 |
235 |
236 |
237 | ### Comparison\(Type vs. Object Sensitivity\)
238 |
239 | Suggested reading order: green box -> blue box -> no box. In object sensitivity we record the line at which each object is allocated. In type sensitivity we only record that they are all allocated inside class X.
240 |
241 |
242 |
243 | ### Sum up
244 |
245 | In general:
246 |
247 | * Precision: object > type > call-site
248 | * Efficiency: type > object > call-site
249 |
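The Select functions of the variants above, as an added example in Python (not code from the course or from Tai-e), including k-limiting. Contexts are tuples and a receiver object is a pair (heap context, allocation site). The call descriptions are constructed from the two snippets in this section: the two `this.id(...)` calls at lines 14 and 15 of the `class C` snippet share the receiver `this` (allocation site o3 for `new C()`), while the single `this.doSet(b)` call at line 12 of the `class A` snippet is reached from the `a1.set(b1)` and `a2.set(b2)` calls at lines 5 and 6 with receivers o1 and o2. `distinguishes` checks which variant gives the two calls different callee contexts, and `recursion_contexts` shows why recursion needs k-limiting.

```python
"""Select functions of the context-sensitivity variants, with k-limiting.

Added example: not code from the course or from Tai-e. Contexts are tuples;
a receiver object is (heap context, allocation site). The call descriptions
below are constructed from the two snippets above, using their line numbers
as call-site labels and o1/o2/o3 for the allocation sites of a1, a2 and c.
"""

def select_ci(c, l, recv):
    """C.I. as a special case: Select(*, *, *) = []"""
    return ()

def select_call_site(c, l, recv, k=None):
    """k-call-site (k-CFA): append the call site to the caller's context and
    keep only the last k sites (the unbounded variant keeps everything)."""
    ctx = c + (l,)
    return ctx if k is None else ctx[-k:]

def select_object(c, l, recv, k=1):
    """k-object: the receiver object together with its heap context."""
    heap_ctx, alloc = recv
    return (heap_ctx + (alloc,))[-k:]

def select_type(c, l, recv, alloc_class, k=1):
    """k-type: like object sensitivity, but keyed by the class that contains
    the allocation site; alloc_class maps allocation site -> class."""
    heap_ctx, alloc = recv
    return (heap_ctx + (alloc_class[alloc],))[-k:]

def distinguishes(select, calls):
    """True when select gives every described call a different callee context.
    Each call is (caller context, call-site label, receiver object)."""
    return len({select(*call) for call in calls}) == len(calls)

# The two `this.id(...)` calls in m() (lines 14 and 15): same receiver `this`.
ID_CALLS = [((), 14, ((), "o3")), ((), 15, ((), "o3"))]
# The `this.doSet(b)` call at line 12, reached from a1.set(b1) at line 5
# and a2.set(b2) at line 6: same call site, different receivers.
DOSET_CALLS = [((5,), 12, ((), "o1")), ((6,), 12, ((), "o2"))]

def recursion_contexts(depth, k=None, site=3):
    """Contexts produced when a method calls itself `depth` times at line
    `site`: unbounded without k-limiting, at most k distinct ones with it."""
    seen, ctx = set(), ()
    for _ in range(depth):
        ctx = select_call_site(ctx, site, None, k)
        seen.add(ctx)
    return seen

if __name__ == "__main__":
    one_site = lambda c, l, r: select_call_site(c, l, r, k=1)
    print("1-call-site tells the id() calls apart:", distinguishes(one_site, ID_CALLS))
    print("1-object tells the id() calls apart:", distinguishes(select_object, ID_CALLS))
    print("1-call-site tells the doSet() calls apart:", distinguishes(one_site, DOSET_CALLS))
    print("1-object tells the doSet() calls apart:", distinguishes(select_object, DOSET_CALLS))
    print("recursion, no limit:", len(recursion_contexts(10)), "contexts; 2-CFA:",
          len(recursion_contexts(10, k=2)))
```

The two `distinguishes` checks reproduce the comparison above: 1-call-site separates the `id` calls but merges the `doSet` calls (both get context `(12,)`), while 1-object does the opposite; 2-call-site would separate the `doSet` calls as well, since the caller's site survives the truncation. `recursion_contexts` grows one context per recursive call without a limit and stays at k contexts with one.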
250 | ## Key points
251 |
252 | * **Algorithm** for context-sensitive pointer analysis
253 | * Almost identical to the C.I. one
254 | * 3 Common context sensitivity **variants**
255 | * Call-Site Sensitivity
256 | * Object Sensitivity
257 | * Type Sensitivity
258 | * **Differences and relationship** among common context sensitivity variants
259 |
260 |
261 |
262 | * In object-oriented languages (such as Java), object sensitivity usually performs better than call-site sensitivity
263 | * If speed is the priority, type sensitivity can be chosen instead
264 |
265 |
--------------------------------------------------------------------------------
/ch3/context-sensitivity/README.md:
--------------------------------------------------------------------------------
1 | # Advanced Pointer Analysis
2 |
3 | This part introduces the more precise context-sensitive pointer analysis.
--------------------------------------------------------------------------------
/ch3/pointer-analysis/03-01-pointer-analysis-spa.md:
--------------------------------------------------------------------------------
1 | # Introduction to Pointer Analysis
2 |
3 | ## Introduction to Pointer Analysis
4 |
5 | **Pointer analysis is relatively hard; five lectures are devoted to it.**
6 |
7 | **The main contents of this lecture are:**
8 |
9 | 1. Motivation
10 | 2. Introduction to Pointer Analysis
11 | 3. Key Factors of Pointer Analysis
12 | 4. Concerned Statements
13 |
14 | ## Motivation
15 |
16 | Next we compare CHA-based analysis with pointer analysis. First, recall how CHA works. In this program, which methods should the call to `get()` invoke under CHA?
17 |
18 |
19 |
20 | ### Using CHA
21 |
22 |
23 |
24 | As we can see, because only the class hierarchy is considered, two of the three arrows in the result are false positives, which makes the result imprecise.
25 |
26 |
27 |
28 | ### Using pointer analysis
29 |
30 | With pointer analysis we know that the object n points to is exactly the one created by the new One\(\) statement, so we know precisely that x must be 1.
31 |
32 |
33 |
34 |
35 |
36 | **Comparing the two analyses, CHA is fast but imprecise. Next we study the more precise pointer analysis.**
37 |
38 | ## Introduction to Pointer Analysis
39 |
40 | Anything in a program that holds an address can be regarded as a pointer (Pointer/Reference).
41 |
42 | * Regarded as a may-analysis
43 | * Computes an over-approximation of the set of objects that a pointer can point to, i.e., we ask “a pointer may point to which objects?”
44 |
45 | What is pointer analysis? An example (intermediate steps omitted):
46 |
47 |
48 |
49 | ### Pointer analysis vs. alias analysis
50 |
51 | Pointer Analysis and Alias Analysis are 2 closely related but different concepts.
52 |
53 | * Pointer analysis: **which** objects a pointer can point to?
54 | * Alias analysis: **can** two pointers point to the same object?
55 |
56 | Example: if two pointers, say p and q, refer to the same object, then p and q are aliases.
57 |
58 | ```java
59 | // p and q are aliases
60 | p = new C();
61 | q = p;
62 |
63 | // x and y are not aliases
64 | x = new X();
65 | y = new Y();
66 | ```
67 |
68 | **Alias information can be derived from points-to relations.**
69 |
70 | ### How important is pointer analysis?
71 |
72 | > The big names in the field say it is very important.
73 |
74 |
75 |
76 | ## Key Factors of Pointer Analysis
77 |
78 | Tactical water break here. (An in-class joke.)
79 |
80 | * Pointer analysis is a complex system
81 | * Multiple factors affect the precision and efficiency of the system
82 |
83 |
84 |
85 | ### Heap Abstraction
86 |
87 | During dynamic execution, loops and recursion can create an unbounded number of heap objects. Without abstraction, faced with infinitely many objects, the analysis algorithm might never terminate.
88 |
89 | ```java
90 | for (…) {
91 |     A a = new A();
92 | }
93 | ```
94 |
95 | The solution is simple. When a school has too many students, they are managed in classes; likewise we can abstract the objects on the heap:
96 |
97 |
98 |
99 | There are many related techniques; here we only cover the most commonly used branch, allocation-site abstraction. Storeless approaches are not covered in this course.
100 |
101 |
102 |
103 | #### Allocation-Site Abstraction
104 |
105 | Although the number of objects at run time may be unbounded, the number of new statements is certainly finite, so we can abstract objects by their new statements.
106 |
107 |
108 |
109 | ### Context Sensitivity
110 |
111 | First we need to understand what the **calling context** of a (called) method is. A calling context records the values of the variables relevant to a call before and after it. For example, the arguments and the return value are part of the context.
112 |
113 | If contexts are distinguished (by extra labelling, such as recording the target p points to in the figure below) and calls with different arguments are analyzed separately, the analysis is called **context-sensitive**.
114 |
115 |
116 |
117 | Otherwise, if contexts are not distinguished, the analysis is **context-insensitive**. Because some information is ignored, precision may be lost.
118 |
119 |
120 |
121 | We first study the insensitive analysis and introduce context-sensitive analysis in later lectures.
122 |
123 | ### Flow Sensitivity
124 |
125 | > Flow-sensitive analysis respects the order in which statements execute; flow-insensitive analysis does the opposite. The former is more precise, but its advantage is not especially large; the latter costs far less than the former.
126 |
127 | All the data-flow analysis techniques in earlier lectures were flow-sensitive. Now consider the following piece of code. _Tip for revision: cover the right-hand side of the arrows in the figure and write the results out yourself._
128 |
129 | ```java
130 | c = new C();
131 | c.f = "x";
132 | s = c.f;
133 | c.f = "y";
134 | ```
135 |
136 | A flow-sensitive analysis yields the following mapping. `o1` denotes the object allocated at line 1.
137 |
138 |
139 |
140 | A flow-insensitive analysis yields the following mapping.
141 |
142 |
143 |
144 | ### Analysis Scope
145 |
146 | One can analyze the whole program, or analyze on demand (i.e. only the necessary parts).
147 |
148 | ## Concerned Statements
149 |
150 | In pointer analysis we only care about statements that affect pointers (pointer-affecting statements). Statements such as if/switch/loop/break/continue can simply be ignored.
151 |
152 | ### Kinds of pointers considered
153 |
154 | Pointers in Java fall into the following kinds:
155 |
156 | * **Local variable: x**
157 | * Static field: C.f
158 | * Sometimes referred as global variable
159 | * In the algorithms introduced later, **can be treated as a local variable**
160 | * **Instance field: x.f**
161 | * \(pointed by x\) with a field f
162 | * Array element: array\[i\]
163 | * When analyzing arrays we **ignore the index** and replace it with a single field. For example, in the figure below it is written arr.
164 | * One reason: when the array index is a variable, its concrete value is hard to compute
165 | * In the algorithms introduced later, **can be treated as an instance field**
166 |
167 |
168 |
169 | ### Kinds of statements considered
170 |
171 | Specifically, we consider five basic kinds of statement:
172 |
173 | ```java
174 | // New
175 | x = new T()
176 |
177 | // Assign
178 | x = y
179 |
180 | // Store
181 | x.f = y
182 |
183 | // Load
184 | y = x.f
185 |
186 | // Call
187 | r = x.k(a, …)
188 | ```
189 |
190 | Complex Store and Load statements can be decomposed into simple ones, so we only need to consider the analysis of the five basic kinds above:
191 |
192 |
193 |
194 | ## Key points
195 |
196 | * **What is pointer analysis?**
197 | * Understand **the key factors** of pointer analysis
198 | * Understand **what we analyze** in pointer analysis
199 |
200 |
--------------------------------------------------------------------------------
/ch3/pointer-analysis/03-02-pointer2-analysis-spa.md:
--------------------------------------------------------------------------------
1 | # Pointer Analysis Theory (Part 1)
2 |
3 | The next two articles cover the following four topics. The first three correspond to lecture 9 of the in-person course, the last one to lecture 10.
4 |
5 | 1. Pointer Analysis: Rules
6 | 2. How to Implement Pointer Analysis
7 | 3. Pointer Analysis: Algorithms
8 | 4. Pointer Analysis with Method Calls
9 |
10 | We focus on the first three for now and ignore method calls.
11 |
12 | ## Notations
13 |
14 |
15 |
16 | First, the common mathematical notation; readers who need to can review discrete mathematics.
17 |
18 |
19 |
20 | We define, in turn, variables, fields, objects (with a subscript indicating the line on which the object is created), instance fields, pointers (the union of variables and instance fields), and the points-to relation. `X` denotes the Cartesian product.
21 |
22 | pt\(p\) denotes the objects that pointer p may point to. For example, after the code block below, the targets that pt\(x\) may point to can be written $$ \{o_2,o_4\}$$ (with the line number as the object's subscript).
23 |
24 | ```java
25 | if(...){
26 |     x = new A();
27 | } else {
28 |     x = new B();
29 | }
30 | ```
31 |
32 | ## Pointer Analysis: Rules
33 |
34 | _Tip: this links up nicely with Mathematical Logic / Formal Semantics. Readers who have not taken those courses need not worry._
35 |
36 |
37 |
38 | We mainly explain the Rule column. **Above the line are the premises \(Premises\); below the line is the conclusion \(Conclusion\).**
39 |
40 | In plain language: when we see a new statement, we add the newly created object to `pt(x)`.
41 |
42 |
43 |
44 | For an Assign statement, we make x point to the objects that y points to.
45 |
46 |
47 |
48 | Store and Load work likewise.
49 |
50 |
51 |
52 |
53 |
54 | ### Summary
55 |
56 | Finally, one figure summarizes them all. **The first rule adds points-to relations, while the other three propagate them.**
57 |
58 |
59 |
60 | ## How to Implement Pointer Analysis
61 |
62 | _Other materials never give you the full package; they only present analysis algorithms for certain special cases. Here you get a complete pointer analysis algorithm, the whole package._
63 |
64 | Essentially, pointer analysis **propagates** points-to relations between pointers.
65 |
66 |
67 |
68 | Explanation of inclusion constraints: the conclusion part of the rules above can be written as an inclusion relation between two sets. For example, Load should be written as:
69 |
70 | * Premise: `y=x.f` and $$ o_i \in pt(x)$$
71 | * Conclusion: $$ pt(o_i.f) \subseteq pt(y)$$
72 |
73 | > Key to implementation: when 𝑝𝑡\(𝑥\)is **changed**, **propagate** the **changed par**t to the **related pointers** of 𝑥
74 |
75 |
76 |
77 | ### Pointer Flow Graph
78 |
79 | > Pointer Flow Graph \(PFG\) of a program is a directed graph
80 | > that expresses how objects flow among the pointers in the program.
81 |
82 | To implement pointer analysis, we first look at a closely related data structure, the pointer flow graph.
83 |
84 | The two elements of a graph are nodes and edges. We define:
85 |
86 | * `Node: Pointer = V ⋃ (O × F)`
87 | * A node n represents **a variable** or **a field of an abstract object**
88 | * `Edges: Pointer × Pointer`
89 | * **An edge 𝑥 -> 𝑦** means that the objects pointed by pointer 𝑥 **may flow to \(and also be pointed to by\)** pointer 𝑦
90 |
91 |
92 |
93 | ### Example
94 |
95 | Assume c and d both initially point to $$ o_i$$. By the rules above we can build the pointer flow graph on the right from the program statements on the left, top to bottom.
96 |
97 |
98 |
99 | Therefore, whenever the set of objects b points to is updated, the update must be propagated to e. This is a transitive closure \(transitive closure\) computation. Suppose we consider a new statement `b = new T();` at position j:
100 |
101 |
102 |
103 | The whole construction of the PFG alternates between two steps: building the PFG and propagating points-to relations over the existing PFG. The two steps depend on each other, so the analysis algorithm must be carefully designed.
104 |
105 |
106 |
107 | ## Pointer Analysis: Algorithms
108 |
109 | ### Introduction to algorithm
110 |
111 | * Since the analysis is flow-insensitive, the input is a set; losing the order of the statements does not matter.
112 | * WorkList: holds the points-to information to be processed next, similar to the queue in BFS.
113 | * Definition of pts: Each worklist entry 𝑛, 𝑝𝑡𝑠 is a pair of pointer 𝑛 and points-to set 𝑝𝑡𝑠, which means that 𝑝𝑡𝑠 should be propagated to 𝑝𝑡\(𝑛\)
114 | * E.g., $$ [(x,\{o_i\}),(y,\{o_j, o_k\}),(x.f,\{o_l\}),\dots]$$
115 |
116 | First, the four red boxes correspond to the four basic statements mentioned earlier: New, Assign, Store and Load. They are explained in detail below.
117 |
118 |
119 |
120 | ### Handling of New and Assign
121 |
122 | #### Init and adding edges
123 |
124 |
125 |
126 | First consider the two simple statements, New and Assign.
127 |
128 | * The first three lines do initialization and, for every **New** statement, add all the initial points-to relations to the WorkList. Note that pt\(n\) is initialized to the empty set {} and gains elements as the algorithm iterates.
129 | * The next two lines handle **Assign** statements, adding the edge `y->x` to the PFG. The algorithm for adding an edge is as follows
130 |
131 |
132 |
133 | #### Propagate
134 |
135 |
136 |
137 | The propagation algorithm is as follows; the statement labelled 2 is the only statement in the whole algorithm whose execution changes a points-to relation.
138 |
139 |
140 |
141 | #### Detail-Differential Propagation
142 |
143 | In real pointer analyses the number of objects is enormous (hundreds of millions), so we use differential propagation to eliminate redundancy.
144 |
145 | ```text
146 | Solve(𝑆)
147 | ...
148 | while WL is not empty do
149 |     remove 𝑛, 𝑝𝑡𝑠 from WL
150 |     Δ = pts – pt(n) // Differential Propagation
151 |     Propagate(n, Δ) // Differential Propagation
152 | ```
153 |
154 | First consider the case without differential propagation, starting with the propagation path a->c->d.
155 |
156 |
157 |
158 | Then the path b->c->d: although $$ \{o_1, o_3\}$$ is already in the set that c points to, it still takes part in the propagation, which is redundant.
159 |
160 |
161 |
162 | Now the case with differential propagation: only the single item $$ \{o_5\}$$ needs to be propagated. In practice this greatly reduces the cost.
163 |
164 |
165 |
166 | * In practice, Δ is usually small compared with the original set, so propagating only the new points-to information \(Δ\)
167 | * Besides, Δ is also important for efficiency when handling stores, loads, and method calls, as explained later
168 |
169 | ### Handling Store and Load
170 |
171 |
172 |
173 | On the second if in the AddEdge function: pt\(s\) is added to t only the first time s->t is added to the PFG, because the statements in Propagate handle all later changes to pt\(s\).
174 |
175 | ### The Algorithm-Review
176 |
177 | We have now fully introduced a pointer analysis algorithm designed for teaching purposes.
178 |
179 |
180 |
181 | ### Example
182 |
183 | **Try to compute the PFG of the following code with the algorithm above.**
184 |
185 | ```java
186 | b = new C();
187 | a = b;
188 | c = new C();
189 | c.f = a;
190 | d = c;
191 | c.f = d;
192 | e = d.f;
193 | ```
194 |
195 | This example is very dynamic, so a short explanatory video is planned. For now here is the answer; readers who can derive it correctly on their own can skip the video.
196 |
197 |
198 |
199 | ## Key points
200 |
201 | * **Rules** for pointer analysis
202 | * **PFG**\(Pointer flow graph\)
203 | * **Algorithm** for pointer analysis
204 |
205 |
--------------------------------------------------------------------------------
/ch3/pointer-analysis/03-03-pointer3-analysis-spa.md:
--------------------------------------------------------------------------------
1 | # Pointer Analysis Theory (Part 2)
2 |
3 | First, recall the outline given in the previous article.
4 |
5 | 1. Pointer Analysis: Rules
6 | 2. How to Implement Pointer Analysis
7 | 3. Pointer Analysis: Algorithms
8 | 4. Pointer Analysis with Method Calls
9 |
10 | Following on from the previous article, this one discusses how pointer analysis handles method calls. Next we build the call graph by pointer analysis; first, a comparison of CHA with pointer analysis:
11 |
12 | * CHA: imprecise, introduce spurious call graph edges and points-to relations
13 | * Pointer analysis: more precise than CHA, both for call graph and points-to relations\(a.k.a on-the-fly call graph construction\)
14 |
15 | ## Pointer Analysis with Method Calls
16 |
17 | This lecture gives a whole-program algorithm that includes interprocedural analysis.
18 |
19 | Consider the short piece of code below. Clearly we need interprocedural analysis to obtain a more precise result.
20 |
21 | ```java
22 | void foo(A a) {
23 |     …
24 |     // 𝑝𝑡(𝑎) = ?
25 |     b = a.bar();
26 |     // 𝑝𝑡(𝑏) = ?
27 |     …
28 | }
29 | ```
30 |
31 | ### Rule for Call
32 |
33 | Closely tied to interprocedural analysis is the handling of procedure calls, i.e. the last rule mentioned in the previous lecture, the one concerning Call.
34 |
35 | This rule looks much more complex, so we go through it piece by piece. First, readers should pause and recall how a typical language handles a procedure call, i.e. what actually happens at a call.
36 |
37 | The symbols are defined as:
38 |
39 |
40 |
41 |
42 |
43 | > A reference answer: save the current state, build a call stack frame, pass the arguments, jump to the target function and start executing... when the target function finishes, jump back, fetch the return value from the agreed location (if needed), restore the state, and continue...
44 |
45 | In static analysis we care more about data flow than about control flow. For Java, the data flow of a method call can be divided into four parts:
46 |
47 | 1. Determine the target method, using the Dispatch function introduced in lecture 7.
48 | 2. Pass the receiver object
49 |
50 |
51 |
52 | 3. Pass the arguments
53 |
54 |
55 |
56 | 4. Pass the return value
57 |
58 |
59 |
60 | So, matching the rules, we can add edges to the PFG to propagate interprocedural information. The complete rule is:
61 |
62 |
63 |
64 | #### Detail-1
65 |
66 | **Question: Why not add PFG edge 𝑥 →** $$ 𝑚_{𝑡ℎ𝑖𝑠}$$**?**
67 |
68 | These two figures explain the reason intuitively:
69 |
70 |
71 |
72 |
73 |
74 | _Each time this step of the algorithm runs,_ $$ o_i$$ _is one specific (single) object; Dispatch is performed for that object and finds the unique corresponding receiver object._
75 |
76 | #### Detail-2
77 |
78 | As when doing interprocedural analysis with CHA, we need to combine the analysis with the construction of the call graph.
79 |
80 |
81 |
82 | The difference is that this time we only analyze the part reachable from the main method (or, more generally, the program entry). There are two reasons:
83 |
84 | 1. Speed: we avoid analyzing dead code that can never execute.
85 | 2. Precision: we avoid the loss of precision that could be caused by unreachable code calling methods in the reachable part.
86 |
87 |
88 |
89 | ## Algorithm: PA with Method Calls
90 |
91 | Next we introduce a concrete algorithm that is easy to understand and implement. Since pointer analysis is the foundation of static program analysis, understanding this seemingly dry algorithm makes it easier to grasp the rest of the field. ~~And reportedly the next two lectures get easier~~
92 |
93 |
94 |
95 | Overall the algorithm resembles the framework introduced in the previous lecture; the parts highlighted in yellow are newly added this time, and the green parts explain the new global variables:
96 |
97 | * The statements in S are the statements of the methods in RM
98 | * The call graph and the points-to sets are the final outputs.
99 |
100 | ### Function: AddReachable
101 |
102 | AddReachable does the following:
103 |
104 | * The **input parameter** m is the newly reachable method.
105 | * The function updates the global RM, S and $$ S_m$$, and processes the New and Assign statements of the new method m.
106 |
107 |
108 |
109 | #### Detail-3
110 |
111 | **Question: Why check whether l->m is already in CG, i.e. why can the same l->m be processed more than once?**
112 |
113 | _l denotes the call site. The line number can be used as the label of a call site._
114 |
115 | > Answer: $$ o_j, o_k$$ may likewise be dispatched to the same m.
116 |
117 | ### Function:ProcessCall
118 |
119 | ProcessCall does the following:
120 |
121 | * The input $$ o_i$$ is a new target that x points to.
122 | * Among the reachable statements S, the function selects every method call on x and performs the four data-flow steps mentioned earlier (determine the callee, pass the object, pass the arguments, pass the return value).
123 |
124 |
125 |
126 |
127 |
128 | ## Example
129 |
130 | **Analyze the following code with the algorithm learned above, building the call graph and the PFG.**
131 |
132 | ```java
133 | class A {
134 |     static void main() {
135 |         A a = new A();
136 |         A b = new B();
137 |         A c = b.foo(a);
138 |     }
139 |     A foo(A x) { … }
140 | }
141 | class B extends A {
142 |     A foo(A y) {
143 |         A r = new A();
144 |         return r;
145 |     }
146 | }
147 | ```
148 |
149 | The answer is:
150 |
151 |
152 |
153 | This flow-insensitive analysis algorithm still leaves room for improvement in precision. In later lectures we will study flow-sensitive analysis, which is more precise.
154 |
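The whole-program algorithm above (Solve, AddReachable, AddEdge, Propagate with differential propagation, and ProcessCall with Dispatch), as an added example in Python that is not code from the course or from Tai-e. It serves both the PFG example of the previous article (`b = new C(); a = b; c = new C(); c.f = a; d = c; c.f = d; e = d.f`, encoded here as method `P.main`) and the class `A`/`B` example just above. The IR and the method table are constructed; object labels `o1`, `o3`, `o4`, `o11` follow the line numbers of the page's snippets, and `A.foo`, whose body the page elides, is given an empty body.

```python
"""Context-insensitive, flow-insensitive pointer analysis with on-the-fly
call-graph construction: the worklist algorithm of this chapter.

Added example: not code from the course or from Tai-e. The tiny IR, the
class table and the two programs below are constructed here; the object
labels (o1, o3, o4, o11) follow the line numbers of the page's snippets.
"""
from collections import deque

# Statement forms (variables are local to a method; the analysis names them
# (method, var); a field of abstract object oid is the node (oid, f)):
#   ("new", x, cls, oid)        x = new cls()      oid labels the allocation site
#   ("assign", x, y)            x = y
#   ("store", x, f, y)          x.f = y
#   ("load", y, x, f)           y = x.f
#   ("call", r, x, k, args)     r = x.k(args)      r may be None, args is a tuple
SUPER = {"A": None, "B": "A", "C": None, "P": None}
METHODS = {  # (class, name) -> (params, return var, body)
    ("A", "main"): ((), None, [("new", "a", "A", "o3"),
                               ("new", "b", "B", "o4"),
                               ("call", "c", "b", "foo", ("a",))]),
    ("A", "foo"):  (("x",), None, []),
    ("B", "foo"):  (("y",), "r", [("new", "r", "A", "o11")]),
    # the previous article's example, which has no calls
    ("P", "main"): ((), None, [("new", "b", "C", "o1"), ("assign", "a", "b"),
                               ("new", "c", "C", "o3"), ("store", "c", "f", "a"),
                               ("assign", "d", "c"), ("store", "c", "f", "d"),
                               ("load", "e", "d", "f")]),
}

def dispatch(cls, name):
    """Dispatch(c, m): walk up the hierarchy to the first class defining m."""
    while cls is not None:
        if (cls, name) in METHODS:
            return (cls, name)
        cls = SUPER[cls]
    raise KeyError(f"no method {name}")

def analyze(entry):
    """Solve(m_entry): returns (pt, CG, RM)."""
    pt, pfg, wl, S, RM, CG, obj_class = {}, {}, deque(), [], set(), set(), {}

    def add_edge(s, t):                        # AddEdge(s, t)
        if t not in pfg.setdefault(s, set()):
            pfg[s].add(t)
            if pt.get(s):                      # pass along what s already points to
                wl.append((t, set(pt[s])))

    def propagate(n, pts):                     # Propagate(n, pts)
        if pts:
            pt.setdefault(n, set()).update(pts)
            for s in pfg.get(n, ()):
                wl.append((s, set(pts)))

    def add_reachable(m):                      # AddReachable(m)
        if m in RM:
            return
        RM.add(m)
        for st in METHODS[m][2]:
            S.append((m, st))
            if st[0] == "new":
                obj_class[st[3]] = st[2]
                wl.append(((m, st[1]), {st[3]}))
            elif st[0] == "assign":
                add_edge((m, st[2]), (m, st[1]))

    def process_call(m, x, oi):                # ProcessCall(x, oi)
        for mm, st in S:
            if mm != m or st[0] != "call" or st[2] != x:
                continue
            r, k, args = st[1], st[3], st[4]
            callee = dispatch(obj_class[oi], k)
            wl.append(((callee, "this"), {oi}))   # oi flows to m_this only
            if ((m, st), callee) not in CG:       # l -> m may be found via several oi
                CG.add(((m, st), callee))
                add_reachable(callee)
                params, ret, _ = METHODS[callee]
                for a, p in zip(args, params):
                    add_edge((m, a), (callee, p))
                if r is not None and ret is not None:
                    add_edge((callee, ret), (m, r))

    add_reachable(entry)
    while wl:
        n, pts = wl.popleft()
        delta = pts - pt.get(n, set())         # differential propagation
        propagate(n, delta)
        if isinstance(n[0], tuple):            # n is a variable, not an object field
            m, x = n
            for oi in delta:
                for mm, st in S:
                    if mm != m:
                        continue
                    if st[0] == "store" and st[1] == x:   # x.f = y  : y -> oi.f
                        add_edge((m, st[3]), (oi, st[2]))
                    if st[0] == "load" and st[2] == x:    # y = x.f  : oi.f -> y
                        add_edge((oi, st[3]), (m, st[1]))
                process_call(m, x, oi)
    return pt, CG, RM
```

For the `A`/`B` program, `analyze(("A", "main"))` dispatches `b.foo(a)` on `o4` to `B.foo`, so only `A.main` and `B.foo` become reachable, `y` points to `o3`, `this` of `B.foo` points to `o4`, and `c` points to `o11`; `A.foo` is never analyzed. For the earlier example, `analyze(("P", "main"))` yields `pt(e) = pt(o3.f) = {o1, o3}`, with the second store `c.f = d` adding `o3` to `o3.f` through the already existing `o3.f -> e` edge.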
155 | ## Key points
156 |
157 | * Pointer analysis **rule for method call**
158 | * **Algorithm** for inter-procedural pointer analysis
159 | * **On-the-fly call graph construction**
160 |
161 |
--------------------------------------------------------------------------------
/ch3/pointer-analysis/README.md:
--------------------------------------------------------------------------------
1 | # Introduction to Pointer Analysis
2 |
3 | This part introduces pointer analysis, which is more precise than CHA (the context-insensitive version).
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217183223733.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217183223733.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217183451069.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217183451069.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217184823323.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217184823323.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217185309441.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217185309441.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217185829167.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217185829167.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217190510106.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217190510106.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217191513356.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217191513356.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217191608133.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217191608133.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217191941119.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217191941119.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217193802763.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217193802763.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217194544398.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217194544398.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217195126758.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217195126758.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217195814591.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217195814591.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217200536542.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217200536542.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217200616889.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217200616889.png
--------------------------------------------------------------------------------
/ch4/04-01-security.assets/image-20201217201336388.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-01-security.assets/image-20201217201336388.png
--------------------------------------------------------------------------------
/ch4/04-01-security.md:
--------------------------------------------------------------------------------
1 | # Security
2 |
3 | > The previous lectures were quite tough. ~~Today we cover something simpler and more fun.~~
4 |
5 | # Introduction
6 |
7 |
8 |
9 | Computer security is already important in today's information age, and it keeps getting more important. If you neglect it, [this](https://www.7pay.co.jp) happens……
10 |
11 |
12 |
13 | The problems we discuss next rank high among the security issues published in recent years by [The Open Web Application Security Project® (OWASP)](https://owasp.org/) and the [National Vulnerability Database](https://nvd.nist.gov/). They are:
14 |
15 | - Injection errors
16 | - Information leaks
17 |
18 | ---
19 |
20 | This lecture is organized as follows:
21 |
22 | 1. Information Flow Security
23 | 2. Confidentiality and Integrity
24 | 3. Explicit Flows and Covert Channels
25 | 4. Taint Analysis
26 |
27 | # Information Flow Security
28 |
29 | ## Access Control vs. Information Flow Security
30 |
31 | > "A practical system needs both access and flow control to satisfy all security requirements."
32 | >
33 | > --D. Denning, 1976
34 |
35 | - Access Control concerns how information is **accessed**.
36 | - Information Flow Security concerns how information is **propagated**.
37 |
38 | ## Information Flow
39 |
40 | If the information in variable x is transferred to variable y, then there is information flow x->y.
41 |
42 |
43 |
44 | ### Information Flow Security
45 |
46 | Connects information flow to security
47 |
48 | - Classifies program variables into different **security levels**
49 |   - Assign a security level to each variable. Compare this to user privilege management in Linux, e.g. the root user versus ordinary users.
50 | - Specifies permissible flows between these levels, i.e., information flow policy
51 |   - Then set the information flow policy. For example, in Linux the root user can do anything, while ordinary users cannot access files and directories reserved for root.
52 |
53 |
54 |
55 | ### Information Flow Policy
56 |
57 | A commonly used policy is the noninterference policy: information at a high secrecy level must not affect information at a low secrecy level. This guarantees that an attacker cannot infer high-level information by observing low-level information.
58 |
59 |
60 |
61 | About the last line: once the attacker knows the low-level values of x and y, the high-level value of z can be recovered. Such an assignment must therefore not be allowed.
62 |
63 | # Confidentiality and Integrity
64 |
65 |
66 |
67 | - Confidentiality (in the context of information flow security) focuses on preventing the attacker from obtaining secret information, **that is, protecting critical data from being read by the attacker**.
68 | - Integrity (in the context of information flow security) focuses on preventing the attacker from executing high-privilege commands through means such as malicious privilege escalation or SQL injection, **that is, protecting critical data from being written by the attacker.**
69 |
70 | More on Integrity, a Broad Definition (outside the context of information flow security, integrity has a wider meaning):
71 |
72 | > To ensure the correctness, completeness, and consistency of data.
73 |
74 | - Correctness
75 |   - E.g., for information flow integrity, the (trusted) critical data should not be corrupted by untrusted data
76 | - Completeness
77 |   - E.g., a database system should store all data completely
78 | - Consistency
79 |   - E.g., a file transfer system should ensure that the file contents
80 |
81 |
82 |
83 | # Explicit Flows and Covert Channels
84 |
85 | Two ways information flows through a program: explicit flows and covert channels.
86 |
87 | ### Explicit Flows
88 |
89 |
90 |
91 | ### Covert Channels
92 |
93 |
94 |
95 | - This kind of information flow is called implicit flow, which **may arise when the control flow is affected by secret information**.
96 | - Any differences in side effects under **secret control** encode information about the control, which may be **publicly observable** and leak secret information.
97 |
98 |
99 |
100 | - Mechanisms for signalling information through a computing system are known as **channels**.
101 |   - Channels carry information.
102 | - Channels that exploit a mechanism whose primary purpose is not information transfer are called **covert channels**.
103 |   - A channel whose original purpose is not to transfer information, yet does so anyway, is what we call a covert channel.
104 |
105 |
106 |
107 | More:
108 |
109 | - Observing power consumption, network traffic patterns, cache hit rates, or server response time characteristics can each reveal some degree of secret information.
110 |
111 | - Side channel: "AF is short of fresh water"
112 |
113 |   - In the film *Midway*, there is a line of dialogue that goes roughly like this:
114 |
115 |   > "You don't know where the banquet will be held, but you can see that the hotel has been booked and the drinks are being shipped to a certain place……"
116 |
117 | Still, there is good news:
118 |
119 |
120 |
121 |
122 |
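As an added example (not the course's own code), here is a small checker that enforces the noninterference policy described above over a constructed two-level program: every variable is given a fixed level L or H, explicit flows are checked on each assignment, and implicit flows are caught by carrying the level of the enclosing condition (a "pc" label) into the branch. The statement IR, the variable labels and the sample program are this example's assumptions; the assignment `x = y + z` plays the role of the slide's last line, where knowing the low values x and y reveals the high value z.

```python
"""Two-level (L < H) noninterference checker over a tiny statement IR.

Added example, not the course's own code.  Every variable carries a fixed
security level.  An assignment is permitted only when the level of the data
it reads, joined with the level of the enclosing control flow (the "pc"
label), is at most the level of the variable written.  That single rule
rejects explicit flows (H data copied into an L variable) and implicit flows
(an L variable written inside a branch that depends on H data)."""

LEVELS = {"L": 0, "H": 1}


def join(*labels):
    """Least upper bound of security labels (H dominates L)."""
    return max(labels, key=LEVELS.__getitem__)


def leq(a, b):
    """True if information may flow from level a to level b."""
    return LEVELS[a] <= LEVELS[b]


def check(program, labels, pc="L", violations=None):
    """Walk the program and collect (kind, statement) pairs that violate the
    policy.  Statements are ('assign', target, [read variables]) or
    ('if', [condition variables], [body statements])."""
    if violations is None:
        violations = []
    for stmt in program:
        if stmt[0] == "assign":
            _, target, reads = stmt
            explicit = join("L", *(labels[v] for v in reads))
            if not leq(explicit, labels[target]):
                violations.append(("explicit", stmt))
            elif not leq(pc, labels[target]):
                # The data itself is allowed, but the write happens under
                # secret control: the branch taken is observable through it.
                violations.append(("implicit", stmt))
        elif stmt[0] == "if":
            _, conds, body = stmt
            # Inside the branch, every write is influenced by the condition.
            check(body, labels, join(pc, *(labels[v] for v in conds)), violations)
    return violations


def example():
    """Constructed program mirroring the chapter's cases: a low variable
    computed from a high one, and a low write under a high condition."""
    labels = {"x": "L", "y": "L", "z": "H", "secret": "H", "pub": "L", "copy": "H"}
    program = [
        ("assign", "copy", ["x"]),          # L -> H: permitted
        ("assign", "x", ["y", "z"]),        # x = y + z: knowing x and y reveals z
        ("if", ["secret"], [
            ("assign", "pub", []),          # pub = 1 under secret control: implicit flow
            ("assign", "copy", ["y"]),      # writes an H variable: permitted
        ]),
    ]
    return check(program, labels)


if __name__ == "__main__":
    for kind, stmt in example():
        print(f"{kind} flow violation at {stmt}")
```

Running `example()` reports exactly two violations: the explicit flow in `x = y + z` and the implicit flow in the write to `pub` under `if (secret)`; the two writes to the H variable `copy` pass, since flows from L to H never break the policy.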
123 | # Taint Analysis
124 |
125 | ## Definition
126 |
127 | By analogy with isotope labelling, we mark the data we care about and thereby divide data into tainted and untainted data.
128 |
129 | Next we define sources and sinks:
130 |
131 | - **Sources of tainted data are called sources.** In practice, tainted data usually come from the return values of some methods (regarded as sources).
132 | - **Taint analysis tracks how tainted data flow through the program and observes if they can flow to locations of interest (called sinks).** In practice, sinks are usually some sensitive methods.
133 |
134 |
135 |
136 | ---
137 |
138 | ## Taint & Pointer Analysis, Together
139 |
140 | > Wait, wait, aren't we here to learn static program analysis?
141 |
142 | Asked another way, "Can tainted data flow to a sink?" is really "Which tainted data can a pointer (at a sink) point to?"
143 |
144 | So the pointer analysis we learned earlier comes into play:
145 |
146 | - Treats tainted data as (artificial) **objects**
147 | - Treats sources as **allocation sites** (of tainted data)
148 | - Leverages pointer analysis to **propagate** tainted data
149 |
150 | ### Domains & Notations
151 |
152 |
153 |
154 | We add tainted data to the domain. As before, the subscripts i and j identify the site where the data is created.
155 |
156 | ### Inputs & Outputs
157 |
158 | **Inputs**
159 |
160 | - **𝑆𝑜𝑢𝑟𝑐𝑒𝑠**: a set of source methods (the calls to these methods return tainted data)
161 | - **𝑆𝑖𝑛𝑘𝑠**: a set of sink methods (that tainted data flow to these
162 | methods violates security policies)
163 |
164 | **Outputs**
165 |
166 | - **𝑇𝑎𝑖𝑛𝑡𝐹𝑙𝑜𝑤𝑠**: a set of pairs of tainted data and sink methods
167 | - E.g., $$ (𝑡_𝑖, 𝑚)\in$$ 𝑇𝑎𝑖𝑛𝑡𝐹𝑙𝑜𝑤𝑠 denotes that the tainted data from call site 𝑖 (which calls a source method) may flow to sink method 𝑚
168 |
169 | ### Rules
170 |
171 | 
172 |
173 | 
174 |
175 | ### Example
176 |
177 | Suppose we define the source as the `getPassword()` method and the sink as the `log(String)` method. Try analysing the following code: what should the output points-to relations and the TaintFlows set be?
178 |
179 | > We do not want any Sources->Sinks information flow. First, think about what happens when the code executes dynamically.
180 |
181 | ```java
182 | void main() {
183 | A x = new A();
184 | String pw = getPassword();
185 | A y = x;
186 | x.f = pw;
187 | String s = y.f;
188 | log(s);
189 | // Will this log write down something alarming?
190 | }
191 | String getPassword() {
192 | return new String(…);
193 | }
194 | class A {
195 | String f;
196 | }
197 | ```
198 |
199 | ~~The walkthrough is in the still-to-come video explanation.~~
200 |
201 | 
202 |
203 | ## Key Points
204 |
205 | 1. **Concept** of information flow security
206 | 2. **Confidentiality & integrity**
207 | 3. **Explicit** flows & **covert** channels
208 | 4. Use **taint analysis** to detect unwanted information flow
209 |
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223184349163.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223184349163.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223184415502.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223184415502.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223185015690.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223185015690.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223185231533.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223185231533.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223185504296.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223185504296.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223185750701.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223185750701.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223185957740.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223185957740.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223190539380.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223190539380.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223190710495.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223190710495.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223190916420.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223190916420.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223191303096.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223191303096.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223191451507.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223191451507.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223191716873.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223191716873.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223192111827.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223192111827.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223193351919.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223193351919.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223193808413.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223193808413.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223194245876.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223194245876.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223194326258.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223194326258.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223194559347.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223194559347.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223195004344.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223195004344.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223195501180.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223195501180.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223200243589.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223200243589.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223200506410.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223200506410.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223200617134.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223200617134.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223200945544.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223200945544.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223201109543.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223201109543.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223201354991.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223201354991.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223201428109.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223201428109.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223201612811.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223201612811.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223201746117.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223201746117.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223201956852.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223201956852.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.assets/image-20201223202140289.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch4/04-02-Datalog-Based-PA.assets/image-20201223202140289.png
--------------------------------------------------------------------------------
/ch4/04-02-Datalog-Based-PA.md:
--------------------------------------------------------------------------------
1 | # Datalog-Based Program Analysis
2 |
3 | Datalog is a declarative programming language.
4 |
5 | The main contents are as follows:
6 |
7 | 1. Motivation
8 | 2. Introduction to Datalog
9 | 3. Pointer Analysis via Datalog
10 | 4. Taint Analysis via Datalog
11 |
12 | # Motivation
13 |
14 | Implementing pointer analysis in an imperative style is cumbersome.
15 |
16 |
17 |
18 | Implementing program analysis declaratively, on the other hand, greatly simplifies the implementation.
19 |
20 |
21 |
22 | # Introduction to Datalog
23 |
24 | Next we learn a brand-new language, Datalog, which is in fact a subset of the well-known Prolog.
25 |
26 | `Datalog=Data+Logic(and,or,not)`
27 |
28 | - No side effects
29 | - No control flow
30 | - No functions
31 | - Not Turing-complete
32 |
33 | ## Data
34 |
35 | ### Predicates
36 |
37 | Predicates are a main building block of Datalog; a predicate can be viewed as a table of data, where each row represents a fact. For example:
38 |
39 |
40 |
41 | ### Atoms
42 |
43 | Atoms are the basic elements of Datalog; their structure and examples are as follows:
44 |
45 |
46 |
47 | Atoms come in two kinds:
48 |
49 | - Relational Atoms
50 |
51 |
52 |
53 | - Arithmetic Atoms
54 |   - e.g. `age >= 18`
55 |
56 | ## Logic
57 |
58 | ### Datalog Rules & Logic And
59 |
60 | Datalog uses rules for inference, defined as follows:
61 |
62 |
63 |
64 | The head is true only when every atom in the body is true, e.g.:
65 |
66 |
67 |
68 | Interpretation of Datalog rules: enumerate all possible value combinations of the relational atoms in the body, and thereby obtain a new predicate/table. For example:
69 |
70 |
71 |
72 |
73 |
74 | Predicates fall into two classes: EDB and IDB.
75 |
76 | - EDB (extensional database)
77 |   - This data is given before the program runs
78 | - IDB (intensional database)
79 |   - This data is derived only by rules
80 |
81 | For example:
82 |
83 |
84 |
85 | ### Logic Or
86 |
87 | The examples above are in fact logical AND; logical OR can be written in two ways:
88 |
89 |
90 |
91 | Operator precedence also needs attention; when writing programs, mark the intended precedence explicitly with parentheses: `H<-A,(B;C)`.
92 |
93 | ### Logic Not/Negation
94 |
95 |
96 |
97 | ### Recursion
98 |
99 |
100 |
101 | ## Rule Safety
102 |
103 | At this point, stop and think: is there anything wrong with these two rules?
104 |
105 | - `A(x) <- B(y), x > y.`
106 | - `A(x) <- B(y), !C(x,y).`
107 |
108 |
109 |
110 | ~~It's fine if you can't see the problem the first time.~~
111 |
112 | Since infinitely many values of x satisfy the rule, **the generated A is an infinite relation**. The two rules above are therefore unsafe; Datalog accepts only safe rules.
113 |
114 | Here we need to remember a criterion: **a rule is safe if every variable in it appears at least once in a non-negated relational atom**.
115 |
116 | *This effectively uses existing predicates (which are necessarily finite) to bound the range of each variable.*
117 |
118 | ---
119 |
120 | Similarly, there are rules like this one:
121 |
122 | `A(x) <- B(x), !A(x)`
123 |
124 |
125 |
126 | Correspondingly there is a second criterion: **do not write recursion and negation in the same rule**, *i.e. avoid rules that derive A from not-A*.
127 |
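An added example (not the course's code and not part of any Datalog engine) that mechanises the two criteria of this section for rules written as text. The surface syntax it parses is an assumption of the example: `Head <- atom, atom, ... .`, relational atoms of the form `Pred(x, y)` with a leading `!` for negation, anything else in the body treated as an arithmetic atom, and lowercase identifiers as variables. It only detects negation of the rule's own head, not recursion through negation spread across several rules.

```python
"""Safety checker for textual Datalog rules, covering the two criteria of
this section.  Added example, not the course's own code or any real
Datalog engine.  Assumed syntax: `Head <- atom, atom, ... .`, relational
atoms look like `Pred(x, y)` (optionally prefixed with `!` for negation),
anything else in the body is an arithmetic atom such as `x > y`, and
variables are lowercase identifiers (so `18` in `age >= 18` is a constant)."""
import re

RELATIONAL = re.compile(r"^(!?)\s*([A-Za-z_]\w*)\s*\((.*)\)$")
VARIABLE = re.compile(r"\b[a-z_]\w*\b")


def split_top_level(body):
    """Split the rule body on commas that are not inside parentheses."""
    parts, depth, current = [], 0, ""
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        parts.append(current.strip())
    return parts


def parse_atom(text):
    """Classify one atom as relational (possibly negated) or arithmetic."""
    match = RELATIONAL.match(text)
    if match:
        negation, pred, args = match.groups()
        return {"kind": "rel", "neg": negation == "!", "pred": pred,
                "vars": VARIABLE.findall(args)}
    return {"kind": "arith", "neg": False, "pred": None,
            "vars": VARIABLE.findall(text)}


def parse_rule(text):
    """Return (head atom, list of body atoms) for `Head <- body.`"""
    head, body = text.strip().rstrip(".").split("<-")
    return parse_atom(head.strip()), [parse_atom(a) for a in split_top_level(body)]


def check_rule(text):
    """Return a list of human-readable problems; an empty list means safe."""
    head, body = parse_rule(text)
    problems = []
    # Criterion 1: every variable must occur in a non-negated relational atom,
    # which bounds it by a finite (existing) predicate.
    bound = {v for atom in body if atom["kind"] == "rel" and not atom["neg"]
             for v in atom["vars"]}
    used = set(head["vars"]).union(*(atom["vars"] for atom in body))
    for v in sorted(used - bound):
        problems.append(f"variable {v} is not bound by a non-negated relational atom")
    # Criterion 2: no negation of the head predicate in the same rule
    # (only direct self-recursion is checked here).
    for atom in body:
        if atom["kind"] == "rel" and atom["neg"] and atom["pred"] == head["pred"]:
            problems.append(f"rule negates its own head predicate {head['pred']} "
                            "(recursion through negation)")
    return problems


if __name__ == "__main__":
    for rule in ["A(x) <- B(y), x > y.", "A(x) <- B(y), !C(x,y).",
                 "A(x) <- B(x), !A(x).", "Adult(n) <- Age(n, a), a >= 18."]:
        print(rule, "->", check_rule(rule) or "safe")
```

For the three rules of this section the checker reports an unbound `x` for the first two (the arithmetic atom and the negated atom do not bound it) and recursion through negation for the third; a rule such as `Adult(n) <- Age(n, a), a >= 18.` passes because `a` is bound by the positive atom `Age(n, a)`.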
128 | ## Execution of Datalog Program
129 |
130 |
131 |
132 | Two important properties of Datalog:
133 |
134 | - Monotonicity, because facts are never deleted.
135 | - Guaranteed termination.
136 |   - The number of facts is **monotone**.
137 |   - By rule safety, the size of the derivable IDB is **finite**.
138 |
139 | # Pointer Analysis via Datalog
140 |
141 | Having learned Datalog's basic syntax and properties, we can use it to implement a declarative pointer analysis algorithm. Its three important parts correspond as follows:
142 |
143 | - EDB: pointer-related information obtainable from the program's semantic analysis
144 | - IDB: the results of the pointer analysis
145 | - Rules: the rules of pointer analysis
146 |
147 |
148 |
149 | As before, we handle Call last.
150 |
151 | ## Datalog Model-EDB&IDB
152 |
153 | First we need to model the first four kinds of statements. The input EDB consists of four tables, each storing statements of the corresponding kind; the output is the points-to relations of variables and fields.
154 |
155 |
156 |
157 | An example of EDB follows:
158 |
159 |
160 |
161 | ## Datalog Rules
162 |
163 | The body (red line) represents the premises; the head (blue line) represents the conclusion.
164 |
165 |
166 |
167 | ## Example
168 |
169 | Using the algorithm just explained and Datalog's execution rules, analyse this code and give the IDB at the end of derivation.
170 |
171 | ```java
172 | b = new C();
173 | a = b;
174 | c = new C();
175 | c.f = a;
176 | d = c;
177 | c.f = d;
178 | e = d.f;
179 | ```
180 |
181 | The result is as follows:
182 |
183 |
184 |
185 | ## PA with Calls
186 |
187 | Recall the rule for Call in pointer analysis:
188 |
189 |
190 |
191 | ### This
192 |
193 | First, we need to introduce new EDB and IDB relations:
194 |
195 | (VCall means virtual call, ThisVar means this variable)
196 |
197 |
198 |
199 | We learn three things at once:
200 |
201 | 1. this points to object o
202 | 2. Method m is reachable
203 | 3. Method m is reachable because there is a call to m at line l
204 |
205 |
206 |
207 | ### Parameters
208 |
209 | Next we handle parameter passing. As before, we introduce EDB relations Argument (call-site line number, argument index, and the argument itself) and Parameter (callee method, parameter index, and the parameter itself):
210 |
211 |
212 |
213 | The corresponding rule written in Datalog, in natural language: when handling the call to m at line l, use the parameter and argument information to pass the points-to relations the actual arguments already have on to the formal parameters.
214 |
215 |
216 |
217 | ### Return Value
218 |
219 | Introduce EDB relations:
220 |
221 |
222 |
223 | The corresponding Datalog rule handles the points-to relation of the return value:
224 |
225 |
226 |
227 | ### Sum up
228 |
229 | Putting the three parts above together gives the following Datalog rules.
230 |
231 |
232 |
233 | From this we get the whole-program analysis algorithm below. Note that in the VarPointsTo rule, Reachable(m) is added to skip objects in unreachable methods. The other rules do not need this condition because they all have VarPointsTo as part of their body.
234 |
235 |
236 |
237 | # Taint Analysis via Datalog
238 |
239 | ## Datalog Model
240 |
241 | The user again needs to supply sources and sinks. The output is the set of sink methods that tainted data may flow to.
242 |
243 |
244 |
245 | ## Datalog Rules
246 |
247 | Note: in the parameter lists, `—` denotes a wildcard, meaning we do not care what value this position takes during enumeration.
248 |
249 |
250 |
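To see the rules of this section and of the pointer-analysis Example earlier in this chapter actually derive their IDB, here is an added example (not the course's code, and not a real Datalog engine) that evaluates them bottom-up in Python. It runs on two programs: the seven-statement program from the Example section above, and the `getPassword()`/`log(String)` main() from the Security chapter's taint-analysis example. The `CallSource`/`CallSink` tables and the object names `t3`/`oA` are this example's own simplification of the slides' relations.

```python
"""Bottom-up (naive fixpoint) evaluation of this chapter's pointer-analysis
and taint rules.  Added example, not the course's code and not a real Datalog
engine: relations are Python sets of tuples, each rule is a generator that
joins the current database, and the engine re-applies every rule until no new
fact appears.  It terminates for the reasons the chapter gives: facts are
never deleted, and all rules are safe, so the IDB stays finite."""
from collections import defaultdict


def evaluate(edb, rules):
    """Return the database (EDB plus derived IDB) once a fixpoint is reached."""
    db = defaultdict(set)
    for name, facts in edb.items():
        db[name] |= set(facts)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            for name, fact in list(rule(db)):  # materialise before mutating
                if fact not in db[name]:
                    db[name].add(fact)
                    changed = True
    return db


# VarPointsTo(x, o) <- New(x, o).
def r_new(db):
    for x, o in db["New"]:
        yield "VarPointsTo", (x, o)


# VarPointsTo(x, o) <- Assign(x, y), VarPointsTo(y, o).
def r_assign(db):
    for x, y in db["Assign"]:
        for y2, o in db["VarPointsTo"]:
            if y2 == y:
                yield "VarPointsTo", (x, o)


# FieldPointsTo(oi, f, oj) <- Store(y, f, x), VarPointsTo(y, oi), VarPointsTo(x, oj).
def r_store(db):
    for y, f, x in db["Store"]:
        for y2, oi in db["VarPointsTo"]:
            for x2, oj in db["VarPointsTo"]:
                if y2 == y and x2 == x:
                    yield "FieldPointsTo", (oi, f, oj)


# VarPointsTo(y, oj) <- Load(y, x, f), VarPointsTo(x, oi), FieldPointsTo(oi, f, oj).
def r_load(db):
    for y, x, f in db["Load"]:
        for x2, oi in db["VarPointsTo"]:
            for oi2, f2, oj in db["FieldPointsTo"]:
                if x2 == x and oi2 == oi and f2 == f:
                    yield "VarPointsTo", (y, oj)


# Taint rules.  The EDB shapes below are this example's own simplification of
# the slides' Call/Result/Argument tables:
#   CallSource(l, r): at call site l, variable r receives a source method's result
#   CallSink(l, m, a): at call site l, variable a is passed to sink method m
# Taint(t_l), VarPointsTo(r, t_l) <- CallSource(l, r).   (source = allocation site)
def r_source(db):
    for site, r in db["CallSource"]:
        yield "Taint", (f"t{site}",)
        yield "VarPointsTo", (r, f"t{site}")


# TaintFlow(t, m) <- CallSink(_, m, a), VarPointsTo(a, t), Taint(t).
# Python's `_` plays the role of the slides' wildcard `—`.
def r_sink(db):
    for _, m, a in db["CallSink"]:
        for a2, t in db["VarPointsTo"]:
            if a2 == a and (t,) in db["Taint"]:
                yield "TaintFlow", (t, m)


RULES = [r_new, r_assign, r_store, r_load, r_source, r_sink]


def datalog_example():
    """EDB for the seven statements of the 'Example' section; allocation
    sites are named after their line numbers (o1, o3)."""
    edb = {"New": {("b", "o1"), ("c", "o3")},
           "Assign": {("a", "b"), ("d", "c")},
           "Store": {("c", "f", "a"), ("c", "f", "d")},
           "Load": {("e", "d", "f")}}
    return evaluate(edb, RULES)


def taint_example():
    """EDB for main() in the Security chapter: getPassword() is the source
    at call site 3 and log(String) the sink at call site 7."""
    edb = {"New": {("x", "oA")}, "CallSource": {(3, "pw")},
           "Assign": {("y", "x")}, "Store": {("x", "f", "pw")},
           "Load": {("s", "y", "f")}, "CallSink": {(7, "log", "s")}}
    return evaluate(edb, RULES)


if __name__ == "__main__":
    for title, db in (("pointer example", datalog_example()),
                      ("taint example", taint_example())):
        print(title)
        for rel in ("VarPointsTo", "FieldPointsTo", "TaintFlow"):
            print("  ", rel, sorted(db[rel]))
```

For the pointer example the fixpoint contains VarPointsTo for b, a (o1), c, d (o3) and e (both o1 and o3), plus FieldPointsTo(o3, f, o1) and FieldPointsTo(o3, f, o3), since both `c.f = a` and `c.f = d` store into the same object. For the taint example the taint object t3 is stored into oA.f, loaded into s, and passed to the sink, so TaintFlows is {(t3, log)}: exactly the unwanted source-to-sink flow the Security chapter asks about.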
251 | # Key Points
252 |
253 | - Pros
254 | - **Succinct** and **readable**
255 | - **Easy** to implement
256 | - **Benefit from off-the-shelf optimized Datalog engines**
257 | - Cons
258 | - **Restricted expressiveness**, i.e., it is impossible or inconvenient to express some logics
259 | - Cannot fully control **performance**
260 | - Overall Review
261 | - **Datalog** language
262 | - How to implement **pointer analysis via Datalog**
263 | - How to implement **taint analysis via Datalog**
264 |
--------------------------------------------------------------------------------
/ch4/ch4.md:
--------------------------------------------------------------------------------
1 | # Pointer Analysis: Applications, Implementation and More
2 |
3 | Next, static analysis techniques built on pointer analysis:
4 |
5 | - Taint analysis, for security applications.
6 | - How to implement pointer analysis in the declarative language Datalog.
7 |
--------------------------------------------------------------------------------
/ch5/05-01-IFDS.assets/image-20201224200732868.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch5/05-01-IFDS.assets/image-20201224200732868.png
--------------------------------------------------------------------------------
/ch5/05-01-IFDS.assets/image-20201224201312394.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch5/05-01-IFDS.assets/image-20201224201312394.png
--------------------------------------------------------------------------------
/ch5/05-01-IFDS.assets/image-20201224201921134.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch5/05-01-IFDS.assets/image-20201224201921134.png
--------------------------------------------------------------------------------
/ch5/05-01-IFDS.assets/image-20201231184204252.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RangerNJU/Static-Program-Analysis-Book/018e46a67fae832d18975dad9fcbee4a3025aa02/ch5/05-01-IFDS.assets/image-20201231184204252.png
--------------------------------------------------------------------------------
/ch5/05-01-IFDS.assets/image-20201231184249491.png:
--------------------------------------------------------------------------------
/ch5/05-01-IFDS.md:
--------------------------------------------------------------------------------
# CFL-Reachability and IFDS

Heads-up: if you have already forgotten the material from the **Foundations of Data Flow Analysis** part, please go back and review it before reading this. Specifically, you should be able to recall:

- Meet/Join
- Transfer function
- Bottom/Top

---

The title looks a bit intimidating, but what is coming can be summarised simply:

> IFDS is an analysis framework in which the data flow being analysed satisfies the CFL-Reachability property.

The main contents of this lecture:

1. Feasible and Realizable Paths
2. CFL-Reachability
3. Overview of IFDS
4. Supergraph and Flow Functions
5. Exploded Supergraph and Tabulation Algorithm
6. Understanding the Distributivity of IFDS

# Feasible and Realizable Paths

In real analyses, the CFG produced by a single JDK method is very complex. However, not every path will actually be executed, so a natural idea is to analyse only the paths that may be executed.

Not every path will be executed, **but `deciding whether a path is feasible` is itself undecidable.**

That does not mean we are helpless. Let's look at an example:

During dynamic execution x and y each have a definite value, whereas in a context-insensitive analysis both x and y come out as NAC; more concretely, `{18,30,-1}`.

Looking closely at the two imprecise results for x, the result -1 is unavoidable in the current framework:

while the imprecise result 30 can be avoided (for example with the context-sensitive pointer analysis we introduced earlier):

Define a new concept, `Realizable Paths`:

> The paths in which "returns" are matched with corresponding "calls".

- Realizable paths may not be executable, but unrealizable paths must not be executable.
- The executable/feasible paths can be viewed as a proper subset of the realizable paths.
- Our goal is to **recognize realizable paths** so that we could avoid polluting analysis results along unrealizable paths.
- This problem is essentially the same as the parenthesis-matching problem.
- A first-year CS student would probably think of using a stack to solve parenthesis matching.
- If you have just taken a theory-of-computation course, you should remember that a context-free grammar recognises a string of matched parentheses nicely (the Balanced-Parenthesis Problem).

# CFL-Reachability

> A path is considered to connect two nodes A and B, or **B is reachable from A**, only if **the concatenation of the labels on the edges of the path is a word in a specified context-free language.**

We assume the reader has studied context-free languages (compilers and theory of computation are required courses in almost every CS department). Specifically, you should know:

- terminals
- nonterminals
- the empty-string symbol $$ \epsilon$$
- (leftmost/rightmost) derivations
- the difference in computational expressiveness between regular grammars, context-free grammars and Turing machines

We further define a language `L(realizable)`; the four strings in the yellow box on the right are all words of L.

Still too abstract! Let's look at two examples:

In the figure, the Call Edge and Return Edge marked in green are the $$ (_1$$ and $$ )_1$$ of the string, while every other edge is an e in the string.

Having seen an example that belongs to L, here is one that does not:

# Overview of IFDS

> "Precise Interprocedural Dataflow Analysis via Graph Reachability"
>
> --Thomas Reps, Susan Horwitz, and Mooly Sagiv, POPL'95

IFDS is an acronym of four words (Interprocedural, Finite, Distributive, Subset). If a problem has these four properties, it can be solved with the corresponding framework.

Let's review two old concepts and introduce a new one:

- `Path Function`
  - > Path function for path p, denoted as $$ pf_p$$, is a composition of flow functions for all edges (sometimes nodes) on p
  - Think of it as applying the transfer functions of the edges/nodes along a path one after another, in order:
- `Meet-Over-All-Paths (MOP)`
  - > For each node n, MOP n provides a "meet-over-all-paths" solution where Paths(start, n) denotes the set of paths in CFG from the start node to n.
  - That is, for the start node start, bottom is fed as the input of every path function, and at the end node n the meet of all the results is taken.
- `Meet-Over-All-Realizable-Paths (MRP)`
  - > For each node n, MRP n provides a "meet-over-all-realizable-paths" solution where RPaths(start, n) denotes the set of realizable paths (the path's word is in the language L(realizable)) from the start node to n.
  - Building on the previous concept, the Meet is restricted to Realizable Paths only

---

Next comes some material that is rather hard to follow ~~take a sip of water~~.

# Supergraph and Flow Functions

## Supergraph

Think of it as the ICFG (Interprocedural Control Flow Graph) of the IFDS analysis world. Here you only need to know its three kinds of edges (G* in the figure denotes the supergraph):

## Design Flow Functions

Define `Possibly-uninitialized variables`:

> **For each node n** ∈ N*, determine **the set of variables that may be uninitialized** before execution reaches n.

The variables computed in the following example are exactly these.

### lambda expression

For convenience in what follows, here is a brief introduction to lambda expressions.

A lambda expression is marked by $$ \lambda$$; the symbols from the start up to the dot are the **parameter list**, and the symbols from the dot to the end are the **function body**. The example below denotes the following function call:

- the function takes x as its input parameter
- the function returns x+1
- the argument passed when calling the function is 3

### Example of Flow Functions

After entering main, the global variable g and the local variable x are certainly uninitialized.

Then x is initialized:

a is initialized from x, so whether a is initialized is the same as for x.

This function is rather subtle. It says: if a and g are both initialized, then a is initialized; otherwise a is considered uninitialized.

Note the function marked in red on the left: writing it this way makes whether g has been assigned/initialized at $$ Ret_p$$ depend on whether it was assigned inside the callee.

This involves a special case: since we are leaving the function, the function-local variable a must be removed.

# Exploded Supergraph and Tabulation Algorithm

## Build Exploded Supergraph

A Flow Function corresponds to a binary relation.

Reading the examples directly from left to right:

1. the output is identical to the input
2. whatever the input, the output contains a
3. the output never contains a and always contains b; the other variables (c here) are unchanged
4. if the input contains a, the output always contains b; otherwise it never contains b

Doesn't the 0->0 edge in the examples above look odd to you too? Its existence is deliberate, because IFDS relies mainly on reachability for its analysis. Without such an edge, there would be no way in IFDS to decide whether a satisfies a given property at node n4.

With this always-present Glue Edge added, the requirements of the IFDS analysis are satisfied.

Back to our earlier example: a **manual analysis** from the new binary-relation perspective looks like this (the video will be made later, it will, ~~probably~~, still putting it off!):

The highlighted part is important: it means that if a or g is uninitialized at the start, then a is uninitialized.

The Exploded Supergraph that is finally constructed looks like this:

How do we use such an analysis result? Consider a question: may the global variable g be uninitialized when the program fragment finishes running?

The result is that g may be uninitialized here.

And the realizable paths mentioned earlier provide higher precision here as well.

## Tabulation Algorithm

We just did the analysis by hand; with the Tabulation algorithm, the MRP result can be obtained in $$ O(ED^3)$$ time (E is the number of Edges and D the number of Data facts; in the example below D is 3):

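The exploded-supergraph construction and the Tabulation algorithm described above, as an added worked example that is not part of the original notes. It encodes the lecture's possibly-uninitialized-variables program (global g, local x, procedure P with parameter a and a recursive call) as binary relations over the facts plus the 0 glue fact; the node names s_main, n1..n9, e_p and the exact relations are our own reconstruction. `tabulate` follows only realizable paths, while `reach_all_paths` also follows unrealizable ones, which shows the precision gain mentioned above.

```python
from collections import defaultdict, deque


class ExplodedSupergraph:
    """G#: vertices are <node, fact> pairs; fact 0 is the always-present glue fact."""

    def __init__(self, exits, ret_site):
        self.exits = set(exits)          # exit nodes of all procedures
        self.ret_site = dict(ret_site)   # call node -> its return-site node
        self.normal, self.call, self.ret = defaultdict(set), defaultdict(set), defaultdict(set)

    def edge(self, kind, n, m, pairs):
        """Add <n,d1> -> <m,d2> for every (d1, d2) in the binary relation of the flow function."""
        table = {"normal": self.normal, "call": self.call, "ret": self.ret}[kind]
        for d1, d2 in pairs:
            table[(n, d1)].add((m, d2))


def tabulate(g, s0):
    """Tabulation algorithm: facts reachable from <s0, 0> along realizable paths only (MRP)."""
    callers_of = defaultdict(set)            # <s_q,d3> -> {<c,d4>} with a call edge <c,d4> -> <s_q,d3>
    for src, dsts in g.call.items():
        for dst in dsts:
            callers_of[dst].add(src)
    path_edges, by_target = set(), defaultdict(set)   # path edges <s_p,d1> -> <n,d2>, indexed by target
    summary, work = defaultdict(set), deque()         # summary edges <c,d4> -> <r,d5> across a whole call

    def propagate(sp, d1, n, d2):
        if (sp, d1, n, d2) not in path_edges:
            path_edges.add((sp, d1, n, d2))
            by_target[(n, d2)].add((sp, d1))
            work.append((sp, d1, n, d2))

    propagate(s0, 0, s0, 0)
    while work:
        sp, d1, n, d2 = work.popleft()
        if n in g.ret_site:                                   # call node: enter callee, step over call
            for sq, d3 in g.call[(n, d2)]:
                propagate(sq, d3, sq, d3)
            for m, d3 in g.normal[(n, d2)] | summary[(n, d2)]:
                propagate(sp, d1, m, d3)
        elif n in g.exits:                                    # exit node: match returns with callers
            for c, d4 in callers_of[(sp, d1)]:
                for m, d5 in g.ret[(n, d2)]:
                    if m == g.ret_site[c] and (m, d5) not in summary[(c, d4)]:
                        summary[(c, d4)].add((m, d5))
                        for sc, d3 in list(by_target[(c, d4)]):
                            propagate(sc, d3, m, d5)
        else:                                                 # ordinary intraprocedural node
            for m, d3 in g.normal[(n, d2)]:
                propagate(sp, d1, m, d3)
    facts = defaultdict(set)
    for _, _, n, d2 in path_edges:
        facts[n].add(d2)
    return facts


def reach_all_paths(g, s0):
    """Plain reachability that also follows unrealizable paths (unmatched call/return), MOP-like."""
    seen, work = set(), deque([(s0, 0)])
    while work:
        v = work.popleft()
        if v not in seen:
            seen.add(v)
            work.extend(g.normal[v] | g.call[v] | g.ret[v])
    facts = defaultdict(set)
    for n, d in seen:
        facts[n].add(d)
    return facts


def build_example():
    """Constructed encoding of the lecture's example: main{read(x); P(x)} and
    P(a){if a>0 {read(g); a:=a-g; P(a); print(a,g)}}; node names are ours."""
    g = ExplodedSupergraph(exits=["e_main", "e_p"], ret_site={"n2": "n3", "n7": "n8"})
    I = lambda *ds: [(d, d) for d in ds]                            # identity on the given facts
    g.edge("normal", "s_main", "n1", I(0) + [(0, "g"), (0, "x")])   # entry: g and x uninitialised
    g.edge("normal", "n1", "n2", I(0, "g"))                         # read(x) kills x
    g.edge("call", "n2", "s_p", I(0, "g") + [("x", "a")])           # call P(x): actual x -> formal a
    g.edge("normal", "n2", "n3", I(0, "x"))                         # call-to-return: g decided by callee
    g.edge("ret", "e_p", "n3", I(0, "g"))                           # return: local a dropped
    g.edge("normal", "n3", "e_main", I(0, "g", "x"))
    g.edge("normal", "s_p", "n4", I(0, "g", "a"))
    g.edge("normal", "n4", "n5", I(0, "g", "a"))                    # if a > 0: true branch
    g.edge("normal", "n4", "e_p", I(0, "g", "a"))                   # false branch
    g.edge("normal", "n5", "n6", I(0, "a"))                         # read(g) kills g
    g.edge("normal", "n6", "n7", I(0, "g", "a") + [("g", "a")])     # a := a - g: a uninit if a or g was
    g.edge("call", "n7", "s_p", I(0, "g", "a"))                     # recursive call P(a)
    g.edge("normal", "n7", "n8", I(0, "a"))
    g.edge("ret", "e_p", "n8", I(0, "g"))
    g.edge("normal", "n8", "n9", I(0, "g", "a"))                    # print(a, g)
    g.edge("normal", "n9", "e_p", I(0, "g", "a"))
    return g
```

`tabulate(build_example(), "s_main")["e_main"]` contains g but not x, and at the print node n9 only the glue fact 0 survives; `reach_all_paths` additionally reports g at n9, which is the imprecision an unrealizable path introduces.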
# Understanding the Distributivity of IFDS

Distributivity here refers to a property of the Flow Functions, namely:

$$ \forall(x,y). f(x\cdot y)=f(x)\cdot f(y)$$

- This requirement means that we **cannot use IFDS for constant propagation or pointer analysis**
- In other words, in IFDS we **can express logical OR but not logical AND**
- More generally, **if several inputs must be considered together to determine an output**, Distributivity is violated and the problem **cannot be solved with IFDS**.

The answer to the final question in the figure above is **yes, IFDS can be used, because the output is determined by considering a single input only**.

Now let's look at a pointer-analysis example:

Note the dashed part of the figure: without alias information, this edge cannot be derived by the IFDS framework. And IFDS cannot handle alias information, because alias information means "x and y **both** point to the same object", which requires considering x and y together to decide whether they point to the same object.

> Note: If we want to obtain alias information in IFDS, say alias(x,y), to produce correct outputs, we need to consider multiple input data facts, x and y, which cannot be done in standard IFDS as **flow functions handle input facts independently (one fact per time). Thus pointer analysis is non-distributive.**

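As an added example (not from the original notes) for the distributivity condition above: a brute-force check of f(x ∪ y) = f(x) ∪ f(y) over all subsets for the lecture's `a := a - g` function (logical OR, distributive), for a hypothetical function where b is uninitialized only if a AND c both are (logical AND, not distributive), and a constant-propagation transfer function for `z = x + y`, whose output needs two input facts at once; the variable names and sample states are ours.

```python
from itertools import combinations

NAC = "NAC"   # "not a constant": what constant propagation assigns after a conflicting join


def uninit_after_sub(S):
    """The lecture's flow function for `a := a - g` on possibly-uninitialised sets:
    a is uninitialised afterwards iff a OR g was uninitialised before (logical OR)."""
    S = set(S)
    return S | {"a"} if "a" in S or "g" in S else S - {"a"}


def uninit_if_both(S):
    """Hypothetical function: b is uninitialised only if a AND c both are (logical AND)."""
    S = set(S)
    return S | {"b"} if "a" in S and "c" in S else S - {"b"}


def check_set_distributive(f, universe):
    """Brute-force f(x ∪ y) == f(x) ∪ f(y) over all pairs of subsets (the IFDS meet is union)."""
    subsets = [frozenset(c) for k in range(len(universe) + 1)
               for c in combinations(universe, k)]
    return all(f(x | y) == f(x) | f(y) for x in subsets for y in subsets)


def cp_join(s1, s2):
    """Pointwise join of two constant-propagation states {var: int | NAC} with equal keys."""
    return {v: s1[v] if s1[v] == s2[v] else NAC for v in s1}


def cp_add(s, z, x, y):
    """Transfer function for `z = x + y`: z's output depends on two input facts at once."""
    s = dict(s)
    s[z] = s[x] + s[y] if isinstance(s[x], int) and isinstance(s[y], int) else NAC
    return s


def cp_distributivity_counterexample():
    """Return (f(s1 ⊔ s2), f(s1) ⊔ f(s2)) for z = x + y; z differs (NAC vs 3), so the
    function is not distributive and constant propagation does not fit IFDS."""
    s1, s2 = {"x": 1, "y": 2}, {"x": 2, "y": 1}
    f = lambda s: cp_add(s, "z", "x", "y")
    return f(cp_join(s1, s2)), cp_join(f(s1), f(s2))
```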
## Key Points

- Understand **CFL-Reachability**
- Understand **the basic idea** of IFDS
  - Roughly knowing which stages there are is enough
- Understand **what problems can be solved** by IFDS

--------------------------------------------------------------------------------
/ch5/05-02-Soundiness.md:
--------------------------------------------------------------------------------
# Soundiness

In practice it is very hard to implement a sound algorithm, so researchers proposed a concept distinct from Soundness: Soundiness. (For Soundness, you can review the first two lectures on Bilibili.)

The main contents of this article:

1. Soundness and Soundiness
2. Hard Language Feature: Java Reflection
3. Hard Language Feature: Native Code

# Soundness and Soundiness

Recall the definition of Soundness (not missing any bug means sound):

> **Conservative** approximation: the analysis **captures all program behaviors**, or the analysis result **models all possible executions** of the program.

Algorithms from both academia and industry are not fully sound.

This is because some advanced features of many languages are hard for static analysis to handle:

- Java
- Reflection, native code, dynamic class loading, etc.
- JavaScript
- eval, document object model (DOM), etc.
- C/C++
- Pointer arithmetic, function pointers, etc.

For example, for a pointer p in C/C++ plus some computed offset x, to be safe the analysis can only assume that p+x may point anywhere in memory.

To address this, researchers proposed a new concept, Soundiness, with the corresponding adjective Soundy.

> A **soundy** analysis typically means that the analysis is mostly sound, with **well-identified** unsound treatments to hard/specific language features.

Putting the old and new terms side by side:

- A **sound** analysis requires to **capture all** dynamic behaviors
- the fully ideal case
- A **soundy** analysis aims to **capture all** dynamic behaviors **with certain hard language features unsoundly handled within reason**
- the realistic case
- An **unsound** analysis **deliberately ignores certain behaviors in its design for better efficiency, precision or accessibility**
- the overly pragmatic case

# Hard Language Feature: Java Reflection

After all these abstract concepts, let's talk concretely about the features in Java that make trouble for static analysis.

## Java Reflection

First, in the Run-time code block at the top right, the Class, Method and Field in the first three lines are Metaobjects. A series of operations can then be performed through a Metaobject; for example `c.newInstance()` is equivalent to `new Person()` at the bottom left.

When Reflection is used, its behaviour cannot be determined at compile time, only at run time.

## Why Analyze It

We may **miss the chance to detect certain bugs** (this happens when the call introduced by `m.invoke` is ignored), and the **analysis result may also be unsafe** (this happens when the effect of `f.set(a,a)` is ignored: the cast the arrow points to would wrongly be considered removable).

## How to Analyze It

One approach is to simulate the dynamic execution: as long as the strings at the key calls are known, the result can be analysed:

**Can it, though?**

Too many factors (see the yellow box on the right) can affect the string's value, and many of them cannot be determined statically. String-constant-based analysis does not work in that case...

## Real research paper

This comes from a clever observation:

> When string arguments cannot be resolved statically, **infer the reflective targets at their usage points**!

getClass obtains the Metaobject of the Class.

Here cmd is a dynamic command and cannot be analysed statically...

But! In the call at the blue circle, only `parameter` is passed as the single argument, and at line 155 we already know its type is `FrameworkCommandInterpreter` (or a subclass/superclass of it).

There are also approaches that combine with dynamic analysis:

# Hard Language Feature: Native Code

## Native Code

In Java, a simple `println` ends up calling **C or C++ code that depends on the underlying platform**; such code is called Native Code. This is also how Java achieves its `Run anywhere` goal.

### Java Native Interface(JNI)

JNI lets the JVM interact with Native Libs written in Native Code, thereby providing interaction with the OS, better performance, and code reuse (that is, using libraries written in C/C++ from Java).

## Why Native Code is Hard

To use a Method from a Native Library, these steps are needed:

1. Write a library in C/C++ following the standard and compile it into a `*.so` file
2. Load the Native Library in Java
3. Declare the Native Method in Java
4. Call the Native Method

However:

1. JNI provides about 230 such operations (as of 2020)
2. This raises the question in the purple box: `How to analyze Native Calls?`

### Current Practice & More

Next, an existing solution, followed by new directions for further reading. ~~Yes, everything in this lecture is cutting-edge content.~~

arraycopy(src,3,dest,4,5) copies 5 elements in total, starting from the third element of src, into dest starting at its fourth element.

If we do not analyse Native Code, we lose a lot of information. The Modeling approach is:

- first express its side effects in Java code (the first box in the figure)
- then abstract those side effects further with pointer analysis (the second box in the figure)

If you are interested in Soundiness, the site http://soundiness.org is recommended

# Key Points

- Understand **soundiness: its motivation and concept**
- Understand why **Java reflection and native** code are hard to analyze

--------------------------------------------------------------------------------
/ch5/ch5.md:
--------------------------------------------------------------------------------
# Other Topics

Next, some other topics related to static analysis:

- From theoretical Soundness to practical Soundiness.
- Another static analysis framework: IFDS.

--------------------------------------------------------------------------------