JPH08272623A - Device and method for program analysis - Google Patents

Abstract

PURPOSE: To provide a program analysis device and method which can offer even the information on the detectable errors. CONSTITUTION: A program is inputted from an input device 1 in the form of an abstract syntax tree that can be evaluated by a prescribed evaluation rule. A setting means 2 sets an abstract area where the relation is shown between plural abstract value including the error value showing the possibility of at least the detectable errors and the abstract value that is produced as the result of every processing type included in the program for those abstract value. An allocation means 3 allocates the abstract value to every variable of the abstract syntax tree. Then an evaluation means 4 evaluates the abstract syntax tree based on every allocated abstract value, the abstract area and the evaluation rule, and therefore evaluates the possibility of errors at every stage of the program.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to improvements in a program analysis device and a program analysis method for analyzing a computer program.

[0002]

2. Description of the Related Art Methods for performing various tests and optimizations have been actively studied in order to improve the reliability and execution efficiency of programs, but in each method, it is common to analyze the program before execution. is there. Analyzing a program, collecting information about the program before execution, and using the information when developing or executing the program has the following advantages over the case where all the processing is performed at the time of execution. That is, a program error such as a type mismatch can be detected early, the load at the time of execution can be reduced, and various optimization techniques can be easily applied.

For example, in a functional language based on lazy evaluation, the execution rules of the program are defined by an argument passing method for passing variables without evaluation (calculation of the result). However, since the passed variables are evaluated at each occurrence location in the program, the execution efficiency tends to be inferior to the case where the variables are evaluated and then passed. If such a program is analyzed and it is known in advance that a certain variable will always be used in the module to which it is passed, it may affect the execution result of the program by evaluating the variable and then passing it as an argument. Therefore, the execution efficiency can be improved.

Computer analysis is generally realized by using a computer as a program analysis apparatus (program analysis method), and abstract interpretation is often used as a program analysis method. Abstract interpretation is an abstraction of a concrete description or data of a program into general elements such as types, execution and presence / absence of evaluation, and normal / abnormality, and the program is symbolically (abstract) on the abstracted area.・ It is a method of analyzing the specific properties of a program by executing and evaluating (generally). As used herein, "evaluating" a program means obtaining the final result of the program.

The conventional abstract interpretation typically focuses on abstractly analyzing whether or not the value of a certain variable causes an abort error of the entire program when the abort error occurs. The abort error can be understood as an error in which the program (evaluation) does not stop.

That is, consider a situation in which the evaluation of a specific variable does not stop, but ends with an abnormal result different from the originally intended result, and the evaluations of other variables all stop (normally). At this time, when the above-mentioned specific variable is always evaluated when evaluating the program (obtaining the final result), the abnormal evaluation result becomes the basis of the result of the entire program. Abnormal influence on the result. Moreover, since the evaluation of that variable is not stopped, the evaluation of the entire program is not stopped, and the existence of an abnormality cannot be detected mechanically. Such a state is an abort error.

On the other hand, if the evaluation of the variable is not always necessary for the evaluation of the entire program, the evaluation of the entire program can be performed without evaluating the variable. Therefore, it can be expected that the evaluation of the entire program will stop normally. Therefore, the abstract interpretation can be regarded as a problem whether or not an error hidden in non-stopping is always transmitted from one variable to the whole program.

Here, as an example of the program,

## EQU1 ## Consider if (x = 0) then x else y.

Of these, both x and y are integer type variables. Such a description can be easily converted into an abstract syntax tree format by performing preprocessing using a conventional technique such as lexical reading / syntactic analysis. Here, the abstract syntax tree is
This is tree-structured data in which the final result of the program is a vertex node and each process and variable leading to the result are sequentially lower nodes. Since the variables x and y are integer types, there is a possibility that they will take infinite numbers of values, but in the abstract analysis, the above program is considered on the abstract area consisting of two elements 0 and 1.

In the abstract interpretation, each variable has these 0
Or 1 is assigned, where 0 means that the variable is always evaluated and 1 means that it is unknown whether or not the variable is evaluated. Then, when checking whether or not the variable x must be evaluated, it is assumed that 1 is assigned to other variables appearing in the program, that is, whether or not the other variables are evaluated is unknown.

If we consider the subtree of the abstract syntax tree corresponding to the part x = 0 of the program, if x is always evaluated, then
Since this part is also evaluated, 0 is assigned to this subtree.

On the other hand, in the entire syntax tree, when 0 is assigned to the if part, if 0 is also assigned to the entire if part, 0 is assigned to the entire syntax tree.
It turns out that x is always used inside the program.
That is, the element (0 or 1) of the abstract area is given to each variable of (the abstract syntax tree of) the program, and the abstract syntax tree of the program is evaluated on the abstract area by the same method as the evaluation of the abstract syntax tree by the interpreter. Therefore, a method called abstract interpretation is used to obtain various kinds of information about programs.

In this case, when a certain variable is always evaluated, if 0 is assigned to the variable, the value in the abstract area of the entire program becomes 0. Further, when a variable is not always evaluated, the entire program may return 1 even if 0 is assigned to the variable.

For example, in such a case, it is known that values should be assigned according to the following table (reference: S.
Abramsky and C. Hankin (eds) .Abstract Interpretation
of Declarative Languages. Ellis Horwood Limited, 19
87.).

[0015]

[Table 1]

[0016]

Although the above-described abstract interpretation is useful, as the scale of programs has increased in recent years, it has become difficult to find errors, and one error is wider than that of programs. It affects the range. In order to detect errors in advance, it is possible to repeat tests or check the data integrity by static type checking before execution, but it is not possible to remove all errors in advance. Very difficult.

Considering errors, it can be seen that there are several types of errors. Among them, the above-mentioned abort error is often seen, but it is mainly an error in the algorithm configuration of the program such as continuing to go through the same loop. Such an error is usually constructed by theoretically involving a plurality of instructions. Therefore, it is difficult to detect it mechanically at the time of execution.

On the other hand, among the errors, a situation in which a certain number is divided by 0 can be detected at the time of execution. Many hardware and software systems have features such as error flags and interrupts to detect these errors. Therefore, even if such a detectable error occurs, the program description may be appropriately expanded so that the processing can be continued. For example, considering error as a value that represents a detectable error,
I changed the syntax of the program a little

[Equation 2] It is possible to create a program such as if (x / y> 0) = error then 1 else -1. However, when considering such a program, error
Is not a true / false value, so add a function corresponding to such a value to the language system, especially the compiler and interpreter.

In the present specification, a detectable error is an error that cannot be detected by static means such as type checking, but can be detected at the time of execution. For example, when the argument type and the result type are both integers in the division, the type check passes even if the second argument is 0, but an error occurs at the time of execution. In such error detection, it is premised that the programmer or language designer recognizes the possibility / necessity of error occurrence and detection.

In the conventional abstract interpretation, the detectable error is not particularly distinguished from the abort error, but the two can be distinguished from each other because of the difference in behavior such as whether or not the program stops. Furthermore, since the elements that make up a detectable error are simple in nature, it is often possible to take workarounds in a manner different from the abort error. For this reason, it is useful to make programming different from the abort error to improve the efficiency of program development.

That is, the conventional abstract interpretation gives information about an abort error, but does not reflect a detectable error. It is well known that exception handling including error handling is important in the development of large-scale programs, and it is expected that the analysis of programs incorporating detectable errors will become more important in the future. In particular, if the abstract interpretation, which is widely used as a program analysis technique, is extended to such a case, the efficiency of program development is improved as described above.

The present invention has been proposed in order to solve the above-mentioned problems of the prior art, and its object is to provide a program analysis device and a program which also provide information regarding a detectable error using abstract interpretation. It is to provide an analysis method. Another object of the present invention is to provide a program analysis device and a program analysis method that can easily deal with errors.

[0023]

In order to achieve the above object, the program analysis device according to claim 1 comprises an input means for inputting a program in the form of an abstract syntax tree which can be evaluated by a predetermined evaluation rule, Setting means for setting an abstract area indicating a relation between a plurality of abstract values including at least an error value indicating the possibility of a detectable error and the resulting abstract value for each type of processing in the program for the abstract value An assigning unit that assigns the abstract value to each variable of the abstract syntax tree; and the program by evaluating the abstract syntax tree based on the assigned abstract value, the abstract area, and the evaluation rule. And an evaluation means for evaluating the possibility of an error in each stage of.

According to the invention of claim 2, in the program analysis device according to claim 1, by analyzing the result of the evaluation, an error value occurs in the abstract syntax tree or an error occurs in the abstract syntax tree. It is characterized by having an analysis means for specifying at least one of the paths through which the value is transmitted.

The program analysis method according to claim 3 is
An input step for entering a program in the form of an abstract syntax tree that can be evaluated by a predetermined evaluation rule, a plurality of abstract values including at least an error value indicating a possibility of a detectable error, and the program for the abstract value A relationship with the resulting abstract value for each type of processing in, a step of setting an abstract region that represents, a step of assigning the abstract value to each variable of the abstract syntax tree,
An evaluation step of evaluating the possibility of an error at each stage of the program by evaluating the abstract syntax tree based on each of the assigned abstract values, the abstract area, and the evaluation rule. Is characterized by.

According to a fourth aspect of the present invention, in the program analysis method according to the third aspect, by analyzing the result of the evaluation, an error value occurs in the abstract syntax tree or an error occurs in the abstract syntax tree. It is characterized by including an analysis step of specifying at least one of the paths through which the value is transmitted.

[0027]

The present invention having the above structure has the following functions. First, in claims 1 and 3, the abstract syntax tree is tree-structured data composed of arcs representing a usage relationship between a node representing a process and a variable. In the abstract syntax tree, the previous processing such as the lower function in the arithmetic expression is represented by the lower node,
This represents the processing after the upper node (vertex of the subtree) uses the value generated by the lower node. Also, terminal nodes represent individual variables, and the root represents the process that produces the final result.
The processing content for each type of each node is held as an evaluation rule such as an interpreter.

The abstract value indicates the presence or absence of an error possibility, and the possibility of a detectable error such as division by 0 is represented by a specific error value. These abstract values are assigned to each variable, and the nodes are sequentially evaluated from the lower side of the abstract syntax tree based on the evaluation rule. At each node, the abstract value that is the result of the processing is determined by using the abstract value generated by the processing of the lower node as an argument. At this time, depending on the type of processing, even if each abstract value that is the basis of processing does not have the possibility of an error value, the new abstract value resulting from the processing may include the possibility of an error value. . Such a combination of the argument and the type of the abstract value of the processing result is set for each type of processing in the program and is included in the abstract area. For example, division x /
In y, there is a possibility that y = 0 even if both x and y are normal values, and as a result, an error value occurs.

This evaluation means simulating the possibility that an error value will occur during processing in the syntax tree and will be propagated via variables. Therefore, it is possible to specify the location of the program that should deal with the possibility of a detectable error, and it becomes easy to take countermeasures such as case classification, so that the reliability of the program such as a large-scale program is improved.

According to the second and fourth aspects of the invention, not only the evaluation is performed, but also the generation place of the error value and the transmission path are specified by the analysis and output, so that the programmer can easily deal with the error. .

[0031]

Embodiments of the present invention will now be specifically described with reference to the drawings. It should be noted that each function of the embodiment is realized by a predetermined software controlling a computer and peripheral devices. That is, in the present specification, the invention and the embodiments are described on the assumption of virtual circuit blocks (“-means”, “-units”, etc.) corresponding to each function and each process. Therefore, each hardware element or software element does not correspond to each block on a one-to-one basis.

A computer for realizing the embodiment is
In addition to a main storage device including a CPU and a RAM, typically, an input device such as a keyboard and a mouse, an external storage device such as a hard disk device, and an output device such as a CRT display device and a printer printing device are required. It includes an input / output control circuit. However, the scale and configuration of the computer and the number and form of the CPU are arbitrary, such as a computer network,
Distributed processing, multitasking, etc. can be used freely. Also,
Other input devices such as a trackball and an image scanner, other storage devices such as a floppy disk device, a magneto-optical disk device, a flash memory, and other output devices such as a liquid crystal display device may be used.

Further, the software format for realizing the embodiment is typically application software on an OS, or a high-level language or a machine language compiled from an assembler, but the present invention is embodied. OS as much as possible
You can change it freely, such as not using, or running the software in an interpreter. Further, the software may be stored in any desired manner, for example, it may be stored in the ROM, read from the external storage device at one time or in part, or may be stored in different parts. Further, with respect to each step of the processing, the order can be changed and the parallel processing can be freely performed unless the property is violated.

Further, in the present specification, "input" includes not only external input but also file input, and includes not only original input but also echo back and correction / edit. Similarly, "output" includes not only external output but also file output, and includes not only original output but also output range designation. The user interface may be of any type such as an interactive type, a menu type, a graphical user interface, or a multi-window. In addition,
Input and output may be realized by an integrated operation by an interactive input / output procedure, and by such an integrated operation,
Processing such as selection / designation / specification may be performed.

Further, in the present specification, the expression format of data and the format of the data storage means are arbitrary. For example, the data storage location may be internal storage or external storage, and the file format may be used. Further, the data need only be retained for as long as necessary, and may be lost thereafter. Information that is not changed for the time being, such as dictionary data, may be stored in the ROM.

Further, general information necessary for operation and a storage area thereof, such as various pointers, stacks, counters, flags, parameters, work areas, buffers, etc., are appropriately used, even if not explicitly stated in this specification.

Unless otherwise specified, information required by each part of the embodiment for processing is obtained from another part holding the information, for example, access to a variable or memory storing the information. Earned by. Further, the embodiment may be realized together with or as a part of other software, or part of the function may be replaced with an electronic circuit.

(1) Configuration of the Embodiment A program analysis device of this embodiment (hereinafter referred to as "this device") corresponds to claims 1 to 4, and its purpose is to:
It is an object of the present invention to provide a program analysis device and a program analysis method which also provide information regarding a detectable error using abstract interpretation. Another object of the present embodiment is to provide a program analysis device and a program analysis method that can easily deal with errors.

First, FIG. 1 is a functional block diagram showing the configuration of the program analysis apparatus of this embodiment. That is, the present apparatus, as shown in this figure, has an input means 1 for inputting a program in the form of an abstract syntax tree that can be evaluated by a predetermined evaluation rule, and at least an error value indicating the possibility of a detectable error. And setting means 2 for setting an abstract area that represents the relationship between a plurality of abstract values including the following and the resulting abstract value for each type of processing in the program for the abstract value.

Also, the present apparatus evaluates the abstract syntax tree based on the assigning means 3 for assigning an abstract value to each variable of the abstract syntax tree and the assigned abstract value, abstract area and evaluation rule. The evaluation means 4 evaluates the possibility of an error at each stage of the program.

Further, the present apparatus analyzes the result of the evaluation to specify at least one of a location where an error value occurs in the abstract syntax tree or a path through which the error value is transmitted in the abstract syntax tree. 5 and output means 6 for outputting the analysis result.

(2) Operation and effect of the embodiment This embodiment having the above-mentioned structure has the following operation. Here, FIG. 2 is a flowchart showing a processing procedure in the present embodiment.

[Abstract Area Setting Step] First, before and after the input of the program (here, before the input), the setting means 2 is set.
Using, the abstract area is set (step 1). Here, the abstract area represents a relationship between a plurality of abstract values including an error value indicating a possibility of an error and an abstract value generated as a result of each type of processing in the program for the abstract value.

As an abstract value to be assigned to each variable,
A set consisting of three elements of a detectable error value 2, a normal value 1, and an abort value 0 is used. At this time, the detectable error value means that the variable may have any of a detectable error, normal execution, and abort. The normal value means that the variable may be normally executed or aborted. However, the abort value means that there is only the possibility of abort in the variable.

The abstract area also includes the relationship between the abstract value and the resulting abstract value for each type of processing in the program. For example, for division x / y, the following relationship is given.

[Table 2]

Further, the relation regarding the multiplication x * y is given in the following table.

[Table 3]

The difference between the two is that the pair (x, y) = (0, 0)
, Which corresponds to a detectable error that can occur when y is 0 in the division. Once the abstract area has been set, the setting can be omitted when another program that behaves in the same abstract area is subsequently evaluated.

[Program Input Step] Then, the program to be evaluated is input from the input means 1 in the form of the abstract syntax tree (step 2). This abstract syntax tree is tree structure data composed of arcs that represent the usage relationships between nodes and variables that represent processing. In the abstract syntax tree, the previous processing such as a lower function in the arithmetic expression is represented by the lower node, and the upper node (the vertex of the subtree) represents the processing after using the value generated by the lower node. Also, terminal nodes represent individual variables, and the root represents the process that produces the final result. FIG.
It is a figure which shows the example of the abstract syntax tree in a present Example.

Here, it is assumed that the program includes a description that may cause a detectable error. Further, the evaluation rule for evaluating or executing the simulation of this program is given in advance as a set of individual evaluation rules for executing the processing contents for each type of node like an interpreter.

[Assignment Step] Subsequently, the assigning means 3 assigns an abstract value to each variable of the abstract syntax tree (step 3). This allocation may be done automatically or manually. For example, a normal value 1 may be automatically assigned to a normal variable, or an abort value 0 may be given to a variable which is known in advance to bring an abort value as the processing result of another subroutine. FIG. 4 shows the variables A, B, C, and
An abstract syntax tree in a state where a normal value 1 is assigned to D and E is shown.

[Evaluation Step] Next, the evaluation means 4
The possibility of an error at each stage of the program is evaluated by sequentially evaluating the nodes of the abstract syntax tree based on each assigned abstract value, abstract region, and evaluation rule. Specifically, this evaluation can be realized by the following procedure.

That is, vertices (nodes) which have not been processed, that is, whose abstract value has not been determined (step 4) are sequentially selected one by one from the terminal side of the subtree (step 5). In other words, the vertices immediately above the vertices for which the end element unit or the abstract value determination is completed and the value is obtained are selected. Then, the abstract value of the vertex is evaluated / determined by using the evaluation rules corresponding to the already-obtained end-side abstract values and the syntactic unit represented by the selected vertex (step 6).

Note that if there is a recursive function definition, the fixed point operator "fix" can remove the recursive definition. For example, the standard definition of the factorial function fact is

[Formula 3] fact (x) = if (x = 0) then 1 else x * fact (x-1). To remove recursion from this recursive definition, we introduce the higher-order function FACT as follows:

## EQU00004 ## FACT (f) = x-> if (x = 0) then 1 else x * f (x-1) x-> E represents a function that associates E with x. For example,
x-> x is an identity function. At this time, the function fact is the relational expression

(5) FACT (fact) = fact is satisfied, that is, fact is a fixed point of the higher-order function FACT. If a higher-order function that associates the fixed point with a higher-order function is represented by fix, the factorial function fact is
Can be defined as (FACT). In this way, the recursive definition can be rewritten using the fixed point operator.

When such an abstract syntax tree is given, the problem is how to calculate the fixed point of the higher-order function F. A function that returns an abort value of 0 for all inputs

(Equation 6) It is represented by. Function sequence at this time

(Equation 7) Is configured. Using this function sequence, fix (F)

(Equation 8) , Fix (F) is a fixed point of the higher-order function F, that is,

## EQU9 ## It is known that fix (F) = F (fix (F)). here

[Equation 10] Is the largest of 0, 1, 2 appearing in the column {a _i } (for the order 0 <1 <2).

The abstract value 0, for the vertices of all subtrees
This loop is repeated until a value of 1 or 2 is given. As a result, in each node, the abstract value that is the result of the processing is determined by using the abstract value that has occurred in the processing of the lower node as an argument. FIG. 5 is a diagram showing a state of the abstract syntax tree in the middle of evaluation in the present embodiment, and in this state, the highlighted node is about to be evaluated.

Depending on the type of processing, even if each abstract value that is the basis of processing does not have the possibility of an error value,
It is possible that the new abstract value that is the result of this processing includes the possibility of an error value. Such a combination of the argument and the type of the abstract value of the processing result is set for each type of processing in the program and is included in the abstract area. For example, in division x / y, even if both x and y are normal values, there is a possibility that y = 0, resulting in an error value. In FIG. 5, the detectable error value 2 occurs in the division C / D.

The evaluation as described above means simulating a situation in which a possibility of an error value occurs in the processing in the syntax tree and the error value is transmitted via a variable. Therefore, it is possible to specify the location of the program that should deal with the possibility of a detectable error, and it becomes easy to take countermeasures such as case classification, so that the reliability of the program such as a large-scale program is improved. FIG. 6 is a diagram showing the state of the abstract syntax tree that has been evaluated in this embodiment, and the abstract value has been determined for all nodes.

[Analysis Step] Finally, the analysis means 5
By analyzing the result of the evaluation, at least one of a location where an error value occurs in the abstract syntax tree and a path through which the error value propagates in the abstract syntax tree is specified (step 7). Such identification can be realized by detecting a predetermined error value, for example, a detectable error value 2 in the determined abstract value, and pointing out a node or a route corresponding to the detected error value.

The specified location and route are output from the output means 6 (step 8). For example, it is pointed out what kind of route the detectable error at the end of the subtree extends to which range on the upper side. FIG. 7 is a diagram showing an output example of the analysis result in the present embodiment, in which the transmission path of the detectable error value 2 is highlighted.

The programmer can improve reliability by utilizing such output results and handling errors in the programming on the lower side, and handling errors when accepting the values on the upper side. Can be planned.

As an example of error handling, it is conceivable to replace a value that causes an error in an arithmetic routine or an arithmetic chip with another value that has the same meaning in a program but does not cause an error. Another example is checking the arguments that cause an error in the routine that defines the evaluation function, in which case avoiding the stop without actually performing the operation, and for the module that called itself, It is to return a predetermined return value.

As described above, in the present embodiment, not only the evaluation is performed, but also the place where the error value occurs and the transmission path are specified by the analysis and output, so that the programmer can easily deal with the error.

(3) Other Embodiments The present invention is not limited to the above embodiments,
Since the embodiment can be freely changed, the present invention also includes other embodiments as illustrated below. For example, the contents of the programming language and evaluation rules may be freely defined. Further, the input means only needs to be able to acquire the program in the format of the abstract syntax tree. For example, the user may input the source text and then automatically convert it into the format of the abstract syntax tree.

Further, the concrete definition of the abstract value including the error value is free, and not only the abort value and the detectable error value but also other kinds of error values may be defined. Also, the contents of the abstract area can be freely defined. For example, if necessary, the abstract value obtained as a processing result can be set as a condition by restrictions such as wait time based on system configuration such as multitasking and server use. It may be divided. Further, the mode of allocating the abstract value to the variable is also free, and for example, a mode may be considered in which a normal value is temporarily substituted for the abstract value of the portion for which the error handling processing has been completed and the entire simulation is performed again.

The content of the analysis and the output form of the analysis result are also free. For example, the analysis result may be output in the form of a list with the statement of the program as a unit.

[0066]

As described above, according to the present invention, since information about a detectable error is also provided, it is easy to deal with the error and the program development is made efficient.

[Brief description of drawings]

FIG. 1 is a functional block diagram showing a configuration of a program analysis device according to an embodiment of the present invention.

FIG. 2 is a flowchart showing a processing procedure in the embodiment of the present invention.

FIG. 3 is a diagram showing an example of an abstract syntax tree in the embodiment of the present invention.

FIG. 4 shows the variables A, B, C, and
Indicates an abstract syntax tree in which D and E are assigned normal value 1.

FIG. 5 is a diagram showing a state of an abstract syntax tree in the middle of evaluation in the embodiment of the present invention.

FIG. 6 is a diagram showing a state of an abstract syntax tree that has been evaluated in the embodiment of the present invention.

FIG. 7 is a diagram showing an output example of an analysis result in the embodiment of the present invention.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 ... Input means 2 ... Setting means 3 ... Allocation means 4 ... Evaluation means 5 ... Analysis means 6 ... Output means STEP ... Each step of a procedure

Claims (4)

[Claims] 1. Input means for inputting a program in the form of an abstract syntax tree that can be evaluated by a predetermined evaluation rule, a plurality of abstract values including at least an error value indicating a possibility of a detectable error, and an abstract The relationship between the value and the resulting abstract value for each type of processing in the program,
Setting means for setting an abstract area that represents the abstract syntax, allocation means for allocating the abstract value to each variable of the abstract syntax tree, and the abstract syntax based on the allocated abstract value, the abstract area, and the evaluation rule. A program analysis device comprising: an evaluation unit that evaluates a possibility of an error at each stage of the program by evaluating a tree. 2. An analysis unit is provided which analyzes at least one of a location where an error value occurs in the abstract syntax tree and a path through which an error value is transmitted in the abstract syntax tree by analyzing the result of the evaluation. The program analysis device according to claim 1, wherein 3. A step of input for inputting a program in the form of an abstract syntax tree that can be evaluated by a predetermined evaluation rule, and a plurality of abstract values including at least an error value representing a possibility of a detectable error, The relationship between the abstract value and the resulting abstract value for each type of processing in the program,
And a step of assigning the abstract value to each variable of the abstract syntax tree, based on the assigned abstract value, the abstract area and the evaluation rule, And a step of evaluating the possibility of an error at each stage of the program by evaluating an abstract syntax tree. 4. A step of analysis for analyzing at least one of a location where an error value occurs in the abstract syntax tree and a path through which an error value is transmitted in the abstract syntax tree by analyzing the result of the evaluation. The program analysis method according to claim 3, further comprising: