# Lab Work: Static Analysis

The aim of this lab is to introduce you to a concept of program analysis that is not as widely known as testing: **static analysis**. In static analysis, programs are scrutinised (for errors or other properties) without actually executing the program. Testing, where programs are executed, is then often referred to as _dynamic_ analysis.

This lab really serves as a teaser and not any kind of comprehensive introduction. You will find pointers to (optional) further reading.

At the core of several kinds of static analyses lie _control-flow graphs_ (https://www.sciencedirect.com/topics/computer-science/control-flow-graph). We have previously looked into control flow (https://en.wikipedia.org/wiki/Control_flow, as previously done in lecture 2). Control-flow graphs (CFGs) formalise this concept.

Once more, let's use our binary search implementation as an example:

In [2]:
# A is a sorted list of values
# A = [ 2, 42, 55, 78, 100 ]

# start is the offset to start the search from
# end is the upper bound of the range to be searched
# value is the element to be found
#
# binary_search returns True if, and only if, value was found in A[start, end)
def binary_search(A, end, start, value):
    if start >= end:
        # end of search reached
        return False

    # compute the mid point between start and end
    mid = (end - start) // 2 + start
    if A[mid] == value:
        # value found
        return True
    # recursive calls
    elif A[mid] > value:
        return binary_search(A=A, start=start, end=mid, value=value)
    else:
        return binary_search(A=A, start=mid + 1, end=end, value=value)


binary_search(A=[ 2, 42, 55, 78, 100 ], start=0, end=5, value=42)

True

## Task

After briefly reading about control-flow graphs via the above pointers, draw the control-flow graph for `binary_search`. You can freely choose whether to draw the intra- or the inter-procedural control-flow graph. Draw it using pen&paper or diagramming tools like https://draw.io.

See PDF version for the following solutions:
Intra-procedural CFG:

![Intra-procedural CFG](binary_search.png)
    
Inter-procedural CFG:

![Inter-procedural CFG](interprocedural_binary_search.png)

## Task: Draw CFGs for the following implementations

Python code:
````python
def absolute_value_1(x):
    if x < 0:
        return -x
    else:
        return x
    
def absolute_value_2(x):
    if x < 0:
        return -x
    return x

absolute_value_1(10)
absolute_value_2(-10)
````

Java code:
````java
class AbsoluteValue
{
    int absolute_value(int x)
    {
        if(x < 0)
            return -x;
        return x;
    }
    
    public static void main(String args[])
    {
        absolute_value(-10);
    }
}
````

See PDF version for the following solution:

![CFGs](absolute_value.png)

Note that not all static analyses require a control-flow graph. https://luminousmen.com/post/python-static-analysis-tools, for example, discusses various analyses that primarily work using pattern matching (cf. lab session on regular expressions).

When we do have a control-flow graph, however, we can answer questions about _reachability_: is a particular instruction reachable? The control-flow graph provides an over-approximation in that reachability in the graph does not guarantee that there is an actual execution where the statement is reachable. Consider the following example:
````python
x = input()
y = 0
if x < 0:
    y = -1
elif x >= 0:
    y = 1
else:
    assert False  # is this reachable?
````
If you draw the control-flow graph for the above example, you will find a path in that graph (i.e., a sequence of nodes and edges from the entry point) that reaches the node labelled `assert False`. A semantic interpretation of the conditions, however, would inform you that the `if` and `elif` case already cover all possible values of `x`.

Despite this over-approximation, control-flow graph based analysis is useful. Lyra (https://github.com/caterinaurban/Lyra) implements such analyses. (Lyra is an academic prototype and might not actually work at this time. You are nevertheless invited to try it out.)

A more precise analysis on top of control-flow graphs can be constructed by solving equations built using _static single assignment form_ (https://en.wikipedia.org/wiki/Static_single_assignment_form). Consider the following Python code:
````python
x = 42
x = x + 1
assert x == 43
````

The transformation to static single assignment form yields the following equations (equations, not assignments!):
\begin{align}
x_1 &= 42 \\
x_2 &= x_1 + 1 \\
\mathrm{assert}\ x_2 &= 43
\end{align}
The program-analysis question then is (this is the semantics of `assert`): is
$$(x_1 = 42 \wedge x_2 = x_1 + 1) \implies x_2 = 43$$
valid, i.e., is it true for all possible values of $x_1$, $x_2$?

We can answer this question by a sequence of tranformations involving DeMorgan's law:
1) Is $\neg (x_1 = 42 \wedge x_2 = x_1 + 1) \vee x_2 = 43$ valid?
2) Is $\neg (\neg (x_1 = 42 \wedge x_2 = x_1 + 1) \vee x_2 = 43)$ unsatisfiable? (There are tools to solve satisfiability/unsatisfiability questions.)
3) Applying substitution: is $\neg (\neg x_2 = 42 + 1 \vee x_2 = 43)$ unsatisfiable?
4) Pushing negation inwards: is $x_2 = 42 + 1 \wedge x_2 \not= 43$ unsatisfiable?

The last formula makes clear that this is a contradiction ($x_2$ cannot be both equal to and not-equal to $43$ at  the same time), hence the formula is unsatisfiable. Therefore, the original formula is valid: the assertion holds.

## Task

Replace the `assert` statement in the above code by `assert x == 44` (or any value other than $43$). You will arrive at a _satisfiable_ formula. Any model that you compute, i.e., values of $x_1$ and $x_2$ that satisfy the constraints, will amount to values that would be observed in an actual execution of the program.

## Task

Try out the Python code from the following code snippet. Does the assertion fail? Does it always fail (i.e., execute the code multiple times)?

````python
import random

x = random.randint(0, 1)
x = x + 1
assert x == 2
````

Apply static single assignment form as above to prove that that assertion can fail. To accomplish this, replace `x = random.randint(0, 1)` by $x_1 = r \wedge (r = 0 \vee r = 1)$.

<details>
<summary>Solution</summary>
\begin{align}
x_1 &= r \wedge (r = 0 \vee r = 1)\\
x_2 &= x_1 + 1\\
\mathrm{assert}\ x_2 &= 2
\end{align}

1) Is $x_1 = r \wedge (r = 0 \vee r = 1) \wedge x_2 = x_1 + 1 \implies x_2 = 2$ valid?
2) Is $\neg ((x_1 = 0 \vee x_1 = 1) \wedge x_2 = x_1 + 1) \vee x_2 = 2$ valid?
3) Is $(x_1 = 0 \vee x_1 = 1) \wedge x_2 = x_1 + 1 \wedge x_2 \not= 2$ unsatisfiable?
4) Is $(x_2 = 0 + 1 \wedge x_2 \not= 2) \vee (x_2 = 1 + 1 \wedge x_2 \not= 2)$ unsatisfiable?

The first disjunct _is_ satisfiable, implying that a value of $r = 0$ will make the assertion fail.
</details>

## Task

Prove (using static single assignment form) that the assertion in the following code snippet always holds:

````python
import random

x = random.randint(0, 1)
if x == 0:
    x = x + 1
assert x == 1
````

<details>
<summary>Solution</summary>
\begin{align}
x_1 &= r \wedge (r = 0 \vee r = 1)\\
x_2 &= x_1 + 1\\
x_3 &= x_1 = 0 ? x_2 : x_1 \\
\mathrm{assert}\ x_3 &= 1
\end{align}

1) Is $x_1 = r \wedge (r = 0 \vee r = 1) \wedge x_2 = x_1 + 1 wedge ((x_1 = 0 \wedge x_3 = x_2) \vee (x_1 \not= 0 \wedge x_3 = x_1)) \implies x_3 = 1$ valid?
2) Is $(x_1 = 0 \vee x_1 = 1) \wedge x_2 = x_1 + 1 \wedge ((x_1 = 0 \wedge x_3 = x_2) \vee (x_1 \not= 0 \wedge x_3 = x_1)) \wedge x_3 \not= 1$ unsatisfiable?
3) Is $(x_2 = 0 + 1 \wedge x_3 = x_2 \wedge x_3 \not= 1) \vee (x_2 = 1 + 1 \wedge x_3 = 1 \wedge x_3 \not= 1)$ unsatisfiable?

In this case, we find that both disjunctions include contradictions. Therefore, the formula is unsatisfiable. The assertion always holds.
</details>