Ravi Mangal Mayur Naik Hongseok Yang

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

ASSUMPTION HIERARCHY FOR A CHA CALL GRAPH CONSTRUCTION ALGORITHM JASON SAWIN & ATANAS ROUNTEV.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Effective Static Deadlock Detection
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.
Probabilistic Calling Context Michael D. Bond Kathryn S. McKinley University of Texas at Austin.
Heap Shape Scalability Scalable Garbage Collection on Highly Parallel Platforms Kathy Barabash, Erez Petrank Computer Science Department Technion, Israel.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Program Analysis with Set Constraints Ravi Chugh.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.
KQS More exercises/practice What about research frontier? Reading material Meetings for project Post notes more promptly.
1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University Textbook Chapter 2.5.
Recap from last time g() { lock; } h() { unlock; } f() { h(); if (...) { main(); } } main() { g(); f(); lock; unlock; } mainfgh ;;;;;;; u u ” ”””” ” ”
ESP [Das et al PLDI 2002] Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked.
Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Reps Horwitz and Sagiv 95 (RHS) Another approach to context-sensitive interprocedural analysis Express the problem as a graph reachability query Works.
Transfer functions Our pairs of summaries look like functions from input information to output information We call these transfer functions Complete transfer.
Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University STATIC ANALYSES FOR JAVA IN THE PRESENCE OF DISTRIBUTED COMPONENTS AND.
Exploring Multi-Threaded Java Application Performance on Multicore Hardware Ghent University, Belgium OOPSLA 2012 presentation – October 24 th 2012 Jennifer.
The Quest for Minimal Program Abstractions Mayur Naik Georgia Tech Ravi Mangal and Xin Zhang (Georgia Tech), Percy Liang (Stanford), Mooly Sagiv (Tel-Aviv.
Precise Interprocedural Dataflow Analysis via Graph Reachibility
Finding Optimum Abstractions in Parametric Dataflow Analysis Xin Zhang Georgia Tech Mayur Naik Georgia Tech Hongseok Yang University of Oxford.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.
Free-Me: A Static Analysis for Automatic Individual Object Reclamation Samuel Z. Guyer, Kathryn McKinley, Daniel Frampton Presented by: Dimitris Prountzos.
Breadcrumbs: Efficient Context Sensitivity for Dynamic Bug Detection Analyses Michael D. Bond University of Texas at Austin Graham Z. Baker Tufts / MIT.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.
Beyond Reachability: Shape Abstraction in the presence of Pointer Arithmetic Hongseok Yang (Queen Mary, University of London) (Joint work with Dino Distefano,
Data Flow Analysis for Software Prefetching Linked Data Structures in Java Brendon Cahoon Dept. of Computer Science University of Massachusetts Amherst,
CS 343 presentation Concrete Type Inference Department of Computer Science Stanford University.
Effective Static Deadlock Detection Mayur Naik (Intel Research) Chang-Seo Park and Koushik Sen (UC Berkeley) David Gay (Intel Research)
Pointer and Escape Analysis for Multithreaded Programs Alexandru Salcianu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
Constructing Accurate Application Call Graphs For Java To Model Library Callbacks Weilei Zhang, Barbara Ryder Department of Computer Science Rutgers University.
Sept 12ICSM'041 Precise Identification of Side-Effect-Free Methods in Java Atanas (Nasko) Rountev Ohio State University.
Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,
Challenges in Pointer Analysis of JavaScript
Static Analysis of Object References in RMI-based Java Software
Partially Disjunctive Heap Abstraction
Pointer Analysis Lecture 2
Interprocedural Analysis Chapter 19
Query-Guided Maximum Satisfiability
Ravi Mangal, Xin Zhang, Mayur Naik
Jipeng Huang, Michael D. Bond Ohio State University
Johannes Lerch, Johannes Späth, Eric Bodden, and Mira Mezini
Inlining and Devirtualization Hal Perkins Autumn 2011
Inlining and Devirtualization Hal Perkins Autumn 2009
창 병 모 숙명여대 전산학과 자바 언어를 위한 정적 분석 틀 (A Framework for SBA for Java) KAIST 프로그램 분석시스템 연구단 세미나 창 병 모 숙명여대 전산학과.
자바 언어를 위한 정적 분석 (Static Analyses for Java) ‘99 한국정보과학회 가을학술발표회 튜토리얼
Interprocedural analyses and optimizations
Presentation transcript:

Ravi Mangal Mayur Naik Hongseok Yang A Correspondence between two approaches to Interprocedural Analysis in the presence of Join Ravi Mangal Mayur Naik Hongseok Yang

Landscape of Procedural Analyses Inter-Procedural Context-Sensitive (Callstrings, Summaries,…) Cost Context-Insensitive Intra-Procedural Precision ESOP 2014

Context-Insensitive Analysis 1: void main(){ 2: foo(); …. 3: foo(); 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } main foo bar 0-CFA ESOP 2014

Inter-Procedural Analysis Landscape Cost 0CFA Precision ESOP 2014

Callstring-based Analysis (1CFA) 1: void main(){ 2: foo(); …. 3: foo(); 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } main 2:foo 3:foo 4:foo 7:bar 1-CFA ESOP 2014

Inter-Procedural Analysis Landscape Cost 1CFA 0CFA Precision ESOP 2014

Callstring-based Analysis (2CFA) 1: void main(){ 2: foo(); …. 3: foo(); 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } main 2:foo 3:foo 4:foo 7,2:bar 7,3:bar 7,4:bar 2-CFA ESOP 2014

Inter-Procedural Analysis Landscape Shivers [1988], bddbddb [2004] , Paddle [2004], Doop [2009], … Cost ∞-CFA 2CFA 1CFA 0CFA Precision ESOP 2014

Summary-based Analysis (SBA) 1: void main(){ 2: foo(); …. 3: foo(); …. 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } τ1 main τ1 τ2 τ1:foo τ2:foo τ3 τ3:bar Summary-based ESOP 2014

Inter-Procedural Analysis Landscape Sharir-Pnueli [1981], Reps et al. [1995], … SBA Cost Precision ESOP 2014

Summary-based Analysis (SBA) 1: void main(){ … 2: if(*) 3: s1; 4: else 5: s2; 6: } 1: void main(){ … 2: if(*) 3: s1; 4: else 5: s2; 6: } τ1 τ1 τ2 τ2 τ3 τ3 τ4 = τ2 ⊔ τ3 τ2 τ3 Non-disjunctive summary-based (ND-SBA) Disjunctive summary-based (D-SBA) ESOP 2014

Inter-Procedural Analysis Landscape SLAM [2000] TVLA [2004], SpaceInvader [2008], … D-SBA Partially D-SBA SAFE [2008] ND-SBA Distributive? Yes Sharir- Pnueli [1981] 𝑓 𝑥⊔𝑦 =𝑓 𝑥 ⊔𝑓 𝑦 ? Cost ∞-CFA No 2CFA Grove-Chambers [2001] conjecture Our Result 1CFA 0CFA Precision ESOP 2014

Our Contributions Proved ∞-CFA = SBA for non-distributive analyses with finite domains. Generalized Sharir-Pnueli’s 1981 result and resolved 2001 conjecture by Grove-Chambers. Empirically observed the precision of ∞-CFA via SBA for pointer analysis and improved over existing k-CFA approaches. ESOP 2014

New Inter-Procedural Analysis Landscape D-SBA Partially D-SBA ND-SBA Cost ∞-CFA 2CFA 1CFA 0CFA Precision ESOP 2014

Proof Challenges Challenge 1: Unused summaries in SBA fixpoint solution. Challenge 2: Non-monotonicity of SBA. ESOP 2014

Proof Challenges (1) ⊤ -0 - 0+ + ⊥ 1: int x; 2: void main(){ 3: x = 0; 4: while(*){ 5: inc(x); 6: } 7: } 8: void inc(int x){ 9: x++; 10: } ⊤ -0 - 0+ + ⊥ [x:⊤] [x:0] [x:0] [x:0+] [x:+] Unused summary in the fixpoint solution Sign Abstract Domain [x:0] [x:0+] [x:+] [x:+] ESOP 2014

Proof Challenges (1) Challenge 1: Unused summaries in SBA fixpoint solution. Solution: Garbage collection on results computed by SBA. ESOP 2014

Non-monotonicity of SBA Proof Challenges (2) 1: int x; 2: void main(){ 3: … 4: … 5: inc(x); 6: … 7: } 8: void inc(int x){ 9: x++; 10: } 𝑥≼𝑦 ⇒ 𝑓 𝑥 ≼𝑓 𝑦 ⊤ -0 - 0+ + ⊥ [x:0] ≼ [x:0+] [x:+] [x:⊥] ≼ [x:⊥] Sign Abstract Domain [x:0] ≼ [x:0] [x:0+] [x:+] ≼ Non-monotonicity of SBA [x:+] ESOP 2014

Proof Challenges (2) Challenge 2: Non-monotonicity of SBA. Solution: Fixpoint of a non-monotone function is approximated by pre-fixpoint of the function. ESOP 2014

Experimental Motivation Existing k-CFA approaches scale to low k values. Correspondence result allows us to simulate the effect of ∞-CFA via SBA. Empirically study the scalability of SBA and the precision of ∞-CFA. ESOP 2014

Experimental Setup 3 client analyses: call graph reachability, downcast safety, monomorphic callsite inference. All clients based on an underlying interprocedural pointer analysis for Java bytecode. Implemented using Chord. 10 benchmarks from Dacapo suite. ESOP 2014

Pointer Analysis Clients Downcast safety: Downcast is safe if the object to which it is applied is a subtype of the target type. 1: void main(){ 2: Shape s = new Square(); 3: Circle c = (Circle) s; 4: } 1: void main(){ 2: Shape s = new Circle(); 3: Circle c = (Circle) s; 4: } Shape Circle Square ESOP 2014

Pointer Analysis Clients Call graph reachability: Pairwise reachability between program functions. reach(foo,bar) reach(foo,taz) 1: void main(){ 2: foo(); 3: taz(); 4: } 5: void foo(){ 6: bar(); 7: } ESOP 2014

Pointer Analysis Clients Monomorphic callsite inference: Dynamically dispatched callsite with single target method. 1: void main(){ 2: Shape s; 3: if(*){ 4: s = new Circle(); 5: }else{ 6: s = new Square(); 7: } 8: s.area(); 9: } 1: void main(){ 2: Circle c = new Circle(); 3: c.area(); 4: } ESOP 2014

Benchmarks name # functions bytecode (KB) KLOC antlr 7.2k 467 224 avrora 6.9k 423 214 bloat 9.1k 586 258 chart 11.4k 778 366 hsqldb 10.2k 670 322 luindex 7.7k 487 237 lusearch 7.6k 477 231 pmd 578 247 sunflow 13.3k 934 419 xalan 6.7k 417 208 ESOP 2014

Given that k-CFA does not scale, does SBA even scale? Question 1 Given that k-CFA does not scale, does SBA even scale? ESOP 2014

Running Time of Pointer Analysis On average, 2CFA is 3x-5x slower than SBA. ESOP 2014

Different Contexts Per Method On average, 2CFA computes 4x-7x more contexts than SBA. ESOP 2014

What is the precision gain from using ∞-CFA compared to k-CFA? Question 2 What is the precision gain from using ∞-CFA compared to k-CFA? ESOP 2014

On average, SBA proves 12% more queries than 2CFA. Downcast Safety On average, SBA proves 12% more queries than 2CFA. ESOP 2014

Call Graph Reachability On average, SBA call graph has: 3.3% fewer functions, 4.7% fewer edges, 15% fewer pairwise reachable functions than 2CFA call graph. On average, SBA proves 9% more queries than 2CFA. ESOP 2014

Monomorphic Call Site Inference On average, SBA proves 0.6% more queries than 2CFA. ESOP 2014

Experimental Results Summary For our clients: SBA scales better than k-CFA; analyzes each method in fewer contexts. SBA is more precise than 2CFA; greater benefit for harder queries. General comments: Scalability of SBA depends on the richness of the abstract domain. Callstring length just one of the factors affecting analysis precision. ESOP 2014

Open Question k-Object Sensitive Analyses: Proposed by Milanova et al. [2002], uses allocation site of receiver objects to distinguish calling contexts. Empirically shown to be more precise and scalable than k-CFA for similar k values. Theoretically incomparable to k-CFA. Theoretical and empirical comparison with SBA? ESOP 2014

Inter-Procedural Analysis Landscape D-SBA Partially D-SBA ND-SBA Cost ∞-CFA ∞-OBJ 2CFA 3OBJ 1CFA 2OBJ 0CFA 1OBJ Precision ESOP 2014

Conclusion Proved that ∞-CFA = SBA for non-disjunctive, non- distributive analyses and generalized Sharir-Pnueli’s result. Developed new proof techniques for garbage collection of summaries and approximating fixpoints of non-monotonic analyses. Empirically observed the precision of ∞-CFA via SBA, and found SBA is more scalable in practice. ESOP 2014

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.