Context Sensitive Points-to Analysis

Slides:

Advertisements

Similar presentations

Chapter 17 vector and Free Store Bjarne Stroustrup

Advertisements

Chapter 18 Vectors and Arrays

R O O T S Field-Sensitive Points-to-Analysis Eda GÜNGÖR

CPSC 388 – Compiler Design and Construction

DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].

Chapter 18 Vectors and Arrays John Keyser’s Modification of Slides by Bjarne Stroustrup

Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.

Course Outline Traditional Static Program Analysis Software Testing

Templates in C++. Generic Programming Programming/developing algorithms with the abstraction of types The uses of the abstract type define the necessary.

Chapter 17 vector and Free Store John Keyser’s Modifications of Slides By Bjarne Stroustrup

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

1 CS 201 Compiler Construction Machine Code Generation.

Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.

Program Representations. Representing programs Goals.

Memory Management & Method Calls in Java Program Execution © Allan C. Milne v

Thin Slicing Manu Sridharan, Stephen J. Fink, Rastislav Bodík.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Interprocedural analysis © Marcelo d’Amorim 2010.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Scaling CFL-Reachability-Based Points- To Analysis Using Context-Sensitive Must-Not-Alias Analysis Guoqing Xu, Atanas Rountev, Manu Sridharan Ohio State.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.

Stacks. 2 What is a stack? A stack is a Last In, First Out (LIFO) data structure Anything added to the stack goes on the “top” of the stack Anything removed.

Java Alias Analysis for Online Environments Manu Sridharan 2004 OSQ Retreat Joint work with Rastislav Bodik, Denis Gopan, Jong-Deok Choi.

Overview of program analysis Mooly Sagiv html://

Detecting Inefficiently-Used Containers to Avoid Bloat Guoqing Xu and Atanas Rountev Department of Computer Science and Engineering Ohio State University.

Data Flow Analysis Compiler Design Nov. 8, 2005.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Testing a program Remove syntax and link errors: Look at compiler comments where errors occurred and check program around these lines Run time errors:

Overview of program analysis Mooly Sagiv html://

CSE 413 Programming Languages & Implementation Hal Perkins Autumn 2012 Context-Free Grammars and Parsing 1.

1 COSC3557: Object-Oriented Programming Haibin Zhu, Ph. D. Associate Professor of CS, Nipissing University.

PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.

PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.

OOP in C++ CS 124. Program Structure C++ Program: collection of files Source (.cpp) files be compiled separately to be linked into an executable Files.

Some odds and ends about Classes and Objects. 6-2 Object-Oriented Programming Object Data (Fields) Methods That Operate on the Data.

1 Control Flow Analysis Topic today Representation and Analysis Paper (Sections 1, 2) For next class: Read Representation and Analysis Paper (Section 3)

Heap liveness and its usage in automatic memory management Ran Shaham Elliot Kolodner Mooly Sagiv ISMM’02 Unpublished TVLA.

Detecting Inefficiently-Used Containers to Avoid Bloat Guoqing Xu and Atanas Rountev Department of Computer Science and Engineering Ohio State University.

Reachability Analysis for Callbacks 北京大学唐浩

CS412/413 Introduction to Compilers Radu Rugina Lecture 13 : Static Semantics 18 Feb 02.

Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.

Unified Modeling Language (UML)

Java Bytecode Verification Types Chris Male, David J. Pearce, Alex Potanin and Constantine Dymnikov Victoria University of Wellington, New.

Design issues for Object-Oriented Languages

Lecture 7 Syntax Analysis (5) Operator-Precedence Parsing

Lecture 9 Symbol Table and Attributed Grammars

Recursion Recursion is a fundamental programming technique that can provide an elegant solution certain kinds of problems © 2004 Pearson Addison-Wesley.

Constructing Precedence Table

Parsing & Context-Free Grammars

Compilers Principles, Techniques, & Tools Taught by Jing Zhang

Graph-Based Operational Semantics

Amir Kamil and Katherine Yelick

Compiler Design 4. Language Grammars

Compiler Design 18. Object Oriented Semantic Analysis (Symbol Tables, Type Checking) Kanat Bolazar March 30, 2010.

Paul Ammann & Jeff Offutt

Chapter 6 Intermediate-Code Generation

The Procedure Abstraction Part V: Run-time Structures for OOLs

Lecture 7: Introduction to Parsing (Syntax Analysis)

Demand-Driven Context-Sensitive Alias Analysis for Java

Java Lesson 36 Mr. Kalmes.

Amir Kamil and Katherine Yelick

COMPILERS Semantic Analysis

Lec00-outline May 18, 2019 Compiler Design CS416 Compiler Design.

Presentation transcript:

Context Sensitive Points-to Analysis Saad Bashir Alvi alvi@cs.uni-bonn.de

Context-Sensitive Formulation A language Lc that filters unrealizable paths. It only needs to model program semantics related to method calls and returns. A field-sensitive and context-sensitive points-to analysis can be formulated as reachability over the intersection of LF and Lc. Formulation here both filters unrealizable paths and yields a context- sensitive heap abstraction.

Context-Sensitive Formulation A language Lc that filters unrealizable paths. It only needs to model program semantics related to method calls and returns. A field-sensitive and context-sensitive points-to analysis can be formulated as reachability over the intersection of LF and Lc. Formulation here both filters unrealizable paths and yields a context- sensitive heap abstraction. Specifying Lc

Context Sensitive Formulation Context-free grammer for Lc

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Code Example Graph Representation static Object id(Object o) { return o; } main() { x = new object(); y = new object(); a = id(x); b = id(y);

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a o5 balanced x balanced a

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a o5 balanced x balanced a o5 balanced a

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a o5 balanced x balanced a o5 balanced a a is LcF-reachable from o5

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a o5 balanced x balanced a o5 balanced a a is LcF-reachable from o5 No Lc-Path from o5 to b.

Context Sensitive Formulation Lc Path from o5 to a Graph Representation o5 new x param[7] pid assign retid return[7] a o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a o5 balanced x balanced a o5 balanced a a is LcF-reachable from o5 No Lc-Path from o5 to b. LcF-reachability keeps two calls seperate by filtering out unrealizatble paths.

Context Sensitive Formulation Handling Globals Graph edges representing global accesses can connect locals in different methods.

Context Sensitive Formulation Handling Globals Graph edges representing global accesses can connect locals in different methods. These edges allow paths to connect local variables in distinct methods without including the call entry and exit edges.

Context Sensitive Formulation Handling Globals Graph edges representing global accesses can connect locals in different methods. These edges allow paths to connect local variables in distinct methods without including the call entry and exit edges. PROBLEM: Without modification, Lc -reachability would unsoundly filter some paths with assignglobal edges.

Context Sensitive Formulation Handling Globals Graph edges representing global accesses can connect locals in different methods. These edges allow paths to connect local variables in distinct methods without including the call entry and exit edges. PROBLEM: Without modification, Lc -reachability would unsoundly filter some paths with assignglobal edges. It can occur when a call entry edge precedes assignglobal edges on a path, but those assignglobal edges lead to a local in a distinct method.

Context Sensitive Formulation Handling Globals Graph edges representing global accesses can connect locals in different methods. These edges allow paths to connect local variables in distinct methods without including the call entry and exit edges. PROBLEM: Without modification, Lc -reachability would unsoundly filter some paths with assignglobal edges. It can occur when a call entry edge precedes assignglobal edges on a path, but those assignglobal edges lead to a local in a distinct method. SOLUTION: Add self-edges on all global variable nodes with all possible callExit[i] edges.

Context Sensitive Formulation Code Example (Handling of Globals) Graph Representation class A { static obj f; } obj rf() { return A.f; void wf(obj p) { A.f = p; main () { obj x = new obj(); wf(x); obj y = rf();

Context Sensitive Formulation Code Example (Handling of Globals) Graph Representation class A { static obj f; } obj rf() { return A.f; void wf(obj p) { A.f = p; main () { obj x = new obj(); wf(x); obj y = rf();

Context Sensitive Formulation Code Example (Handling of Globals) Graph Representation class A { static obj f; } obj rf() { return A.f; void wf(obj p) { A.f = p; main () { obj x = new obj(); wf(x); obj y = rf();

Context Sensitive Formulation Code Example (Handling of Globals) Graph Representation class A { static obj f; } obj rf() { return A.f; void wf(obj p) { A.f = p; main () { obj x = new obj(); wf(x); obj y = rf();

Context Sensitive Formulation Code Example (Handling of Globals) Graph Representation class A { static obj f; } obj rf() { return A.f; void wf(obj p) { A.f = p; main () { obj x = new obj(); wf(x); obj y = rf();

Context Sensitive Formulation Heap Abstraction Lc-reachability tracks the unmatched callEntry[i] edges on paths through abstract location nodes.

Context Sensitive Formulation Heap Abstraction Lc-reachability tracks the unmatched callEntry[i] edges on paths through abstract location nodes. It is equivalent to creating a copy of the abstract location particular to that sequence of call entries, yielding a context- sensitive heap abstraction.

Refinement-based Context Sensitive point-to Analysis Types of Context-sensitivity Filtering-out of unrealizable paths

Refinement-based Context Sensitive point-to Analysis Types of Context-sensitivity Filtering-out of unrealizable paths Calls and returns are matched

Refinement-based Context Sensitive point-to Analysis Types of Context-sensitivity Filtering-out of unrealizable paths Calls and returns are matched A context-sensitive heap abstraction

Refinement-based Context Sensitive point-to Analysis Types of Context-sensitivity Filtering-out of unrealizable paths Calls and returns are matched A context-sensitive heap abstraction Objects allocated by same statements in different calling contexts are distinguished

Refinement-based Context Sensitive point-to Analysis Types of Context-sensitivity Filtering-out of unrealizable paths Calls and returns are matched A context-sensitive heap abstraction Objects allocated by same statements in different calling contexts are distinguished A context sensitive call graph

Refinement-based Context Sensitive point-to Analysis Types of Context-sensitivity Filtering-out of unrealizable paths Calls and returns are matched A context-sensitive heap abstraction Objects allocated by same statements in different calling contexts are distinguished A context sensitive call graph Targets of virtual calls are computed seperately for each calling context.

Refinement-based Context Sensitive point-to Analysis Algorithm Overview Fully Context and field-sensitive points-to Analysis is undecidable. Checking for both balanced field and method call paratheses requires reachability over the intersection of a context-free and a regular language. Assume presence of ahead-of-time call graph. Analysis require CFL-reachability with language Lscf = Lsf ∩ Rsc over ∑p.

Refinement-based Context Sensitive point-to Analysis Algorithm Overview Paths to ilustrate the behaviour of context-sensitive refinement algorithm.

Context Sensitive Analysis Code Example (Points to Analysis Algorithm) Graph Representation 1 class Vector { 2 Object[] elems; int count; 3 Vector() { t = new Object[10]; 4 this.elems = t; } 5 void add(Object p) { 6 t = this.elems; 7 t[count++] = p; // writes t.arr 8 } 9 Object get(int ind) { 10 t = this.elems; 11 return t[ind]; // reads t.arr 12 } ... 13 } 14 class AddrBook { 15 private Vector names; 16 AddrBook() { t = new Vector(); 17 this.names = t; } 18 void addEntry(String n, ...) { 19 t = this.names; ...; 20 t.add(n); 21. } 22 void update() { 23 t = this.names; 24 for (int i = 0; i < t.size(); i++) { 25 Object name = t.get(i); 26 // is this cast safe? 27 String nameStr = (String)name; 28 ... 29 } 30 } 31 } 32 void useVec() { 33 Vector v = new Vector(); 34 Integer i1 = new Integer(); 35 v.add(i1); 36 Integer i2 = (Integer)v.get(0); 37 }

Context Sensitive Analysis Graph Representation Code Example (Points to Analysis Algorithm) 1 class Vector { 2 Object[] elems; int count; 3 Vector() { t = new Object[10]; 4 this.elems = t; } 5 void add(Object p) { 6 t = this.elems; 7 t[count++] = p; // writes t.arr 8 } 9 Object get(int ind) { 10 t = this.elems; 11 return t[ind]; // reads t.arr 12 } ... 13 } 14 class AddrBook { 15 private Vector names; 16 AddrBook() { t = new Vector(); 17 this.names = t; } 18 void addEntry(String n, ...) { 19 t = this.names; ...; 20 t.add(n); 21. } 22 void update() { 23 t = this.names; 24 for (int i = 0; i < t.size(); i++) { 25 Object name = t.get(i); 26 // is this cast safe? 27 String nameStr = (String)name; 28 ... 29 } 30 } 31 } 32 void useVec() { 33 Vector v = new Vector(); 34 Integer i1 = new Integer(); 35 v.add(i1); 36 Integer i2 = (Integer)v.get(0); 37 }

Conclusion Following it with On-The-Fly Call graph

References Aho A.V., Sethi R. & Ullman J.D. “Compilers: Principles, Techniques and Tools”, Addison Wesley. Sridharan M., Bodík R. “Refinement based Context-Sensitive points-to Analysis for java” PLDI ’06. Sridharan, Manu. “Refinement based program analysis tools” Dissertation. University of California at Berkeley, 2007. Add publisher, URL, ISBN, etc. … everything that helps locate the reference.