Interprocedural analysis © Marcelo d’Amorim 2010.


Intraprocedural analysis
Intraprocedural analysis considers the body of a single function
– Useful for many applications
For instance, to identify local variable definition without use (or the contrary)

    public void foo(int x) {
      int tmp;
      if (x > 10) {
        tmp = 10; …
      } else {
        …
      }
      … = tmp
    }

Some applications require analyses across multiple functions. For instance, to identify methods that can read data that another writes.

Interprocedural analysis
Data flows across function calls
Naive solution: Inline all calls
– Limitations
  Program size “explodes” with number of call sites
  Does not handle recursion in general – requires bounded unfolding of function declarations
May be good enough for you!

Classical approach
Build flow graph with special nodes+edges to propagate function call data

Syntax of language with procedures
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Flow graphs for programs (as opposed to a procedure)
Needs to consider effects of
– Call
– Procedure entry
– Procedure exit
– Return
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Exercise
Build FG for the following program

    begin
      proc fib(val z, u, res v) is
        if z < 3 then v := u + 1
        else call fib(z-1,u,v); call fib(z-2,v,v)
      end;
    end

Program flow graph
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Data propagates across edges just as before. Intraprocedural analysis still applies for every non function-related node.

A problem to overcome…
[Figure: foo(), call site 1, call site 2]
Suppose this is part of one program flow graph. Can you see the problem in the way data may flow?
This control path does not exist. Ignoring this issue may affect precision!
Context sensitivity eliminates such data flows. But adds complexity to the analysis: impact on time/memory requirements.
A context-sensitive analysis will only consider valid control paths in the flow graph

Quick Question
Would such invalid paths arise in the inline approach?

Context sensitive analysis
General approach: Encode context information with analysis information
– At entry node, appends origin location
– At exit node, only transfer data that has flowed from origin
[Figure: foo(), call site 1, call site 2]

Exercise
We have programs with integer variables and want to detect statically the signs they can hold. What lattice would you use?
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Exercise
One option…
This formulation allows one to associate signs of distinct variables.
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Context information in the lattice
Back to Detection of Signs Analysis
Data is labeled by calling context △.

Transfer functions
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Transfer functions
For declarations
Two transfer functions
Define effect of entry (exit) at (from) p
For illustration purposes assume both functions are the identity
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Transfer functions
For calls
Transfer function for call:
Function $f_{l_c}$ “saves” calling context together with data
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Transfer functions
For calls
Transfer function for return
Function $f_{l_c,l_r}$ “restores” context and only propagates data that corresponds to the call
*From Principles of Program Analysis, F. Nielson et al., Springer 2005

Two standard encodings of context
– Call strings
– Assumption sets

Call Strings
String consisting of pending procedure calls on the stack
Call strings of fib
– [], [9,4], [9,6], [9,4,4], [9,4,6], [9,6,4], [9,6,6], etc.
Unbounded ( ) or Bounded ( ) length
Context is a stack of string elements, each denoting function calls.
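An added example, not from the slides: a detection-of-signs analysis that tags data with call strings bounded to length k, showing the invalid return paths from "A problem to overcome…" and how the bound affects precision. The two-procedure program, the site labels s1 to s3 and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed program (not from the slides), in the slides' procedure language:
#   proc id(val a, res r) is r := a end
#   proc wrap(val b, res s) is call id(b, s) end     -- call site s3
#   call wrap(1, x)     -- call site s1
#   call wrap(-1, y)    -- call site s2
PROCS = {"id": None, "wrap": ("s3", "id")}  # None: res := val; (site, callee): call callee(val, res)
MAIN = [("s1", "wrap", 1, "x"), ("s2", "wrap", -1, "y")]

def sign(n):
    return "+" if n > 0 else "-" if n < 0 else "0"

def push(ctx, site, k):
    """Append a call site to the call string, keeping only the last k entries."""
    return (ctx + (site,))[-k:] if k > 0 else ()

def analyze(k):
    """Signs of x and y with call strings bounded to length k (k = 0: no context)."""
    entry = defaultdict(set)  # (procedure, call string) -> signs of its val parameter

    def call(proc, ctx, signs):
        # Call transfer function: store the data together with its calling context.
        entry[(proc, ctx)] |= signs
        if PROCS[proc] is not None:
            site, callee = PROCS[proc]
            call(callee, push(ctx, site, k), signs)

    def result(proc, ctx):
        # Return transfer function: hand back only data recorded under this context.
        if PROCS[proc] is None:
            return set(entry[(proc, ctx)])
        site, callee = PROCS[proc]
        return result(callee, push(ctx, site, k))

    for site, proc, arg, _ in MAIN:               # propagate every call first ...
        call(proc, push((), site, k), {sign(arg)})
    return {var: result(proc, push((), site, k))  # ... then read the results back
            for site, proc, _, var in MAIN}

if __name__ == "__main__":
    for k in (0, 1, 2):
        print(k, analyze(k))
```

With k = 0 or k = 1 both calls reach id under the same context, so each result variable receives the other call's sign as well; k = 2 keeps the two call chains apart.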

Assumption Sets
Use abstract states to characterize context
For instance, make △ = or △ =

Flow sensitivity
Considers the order of statements
– A flow-insensitive analysis produces the same results for S;S’ and S’;S
So far, only flow-sensitive examples

Example

    begin
      proc fib(val z) is
        if z < 3 then call add(1)
        else call fib(z-1); call fib(z-2)
      end;
      proc add(val u) is (y:=y+u; u:=0) end;
      y:=0; call fib(x)
    end

What globals are updated?
Two auxiliary functions:
– AV: Name => P(Name)
– CP: Name => P(Name)
Definition:
– IAV(p) = (AV(S) \ {x}) ∪ ⋃ {IAV(p’) | p’ ∈ CP(S)}, where proc p(val x, res y) is S end
IAV(fib) = (Ø \ {z}) ∪ IAV(fib) ∪ IAV(add)
IAV(add) = {y,u} \ {u}
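An added example, not from the slides: the IAV equations above solved as a least fixed point, which is what resolves the recursive occurrence of IAV(fib) on its own right-hand side. The tuple encoding of statements and the helper names are assumptions; AV and CP are applied to the procedure body S, as in the definition.

```python
# Constructed AST for the slide's fib/add procedures. A statement is a tuple:
# ("assign", x), ("call", p), ("seq", s1, s2) or ("if", s1, s2).
FIB = ("if", ("call", "add"), ("seq", ("call", "fib"), ("call", "fib")))
ADD = ("seq", ("assign", "y"), ("assign", "u"))
PROCS = {"fib": ("z", FIB), "add": ("u", ADD)}  # name -> (val parameter x, body S)

def collect(stmt, kind):
    """Names appearing in nodes of the given kind anywhere inside stmt."""
    if stmt[0] in ("assign", "call"):
        return {stmt[1]} if stmt[0] == kind else set()
    return set().union(*(collect(s, kind) for s in stmt[1:]))

def AV(stmt):
    """Variables assigned directly in stmt."""
    return collect(stmt, "assign")

def CP(stmt):
    """Procedures called directly in stmt."""
    return collect(stmt, "call")

def iav(procs):
    # Least solution of IAV(p) = (AV(S) minus {x}) union the IAV of every callee in CP(S).
    # Start from empty sets and re-apply the equations until nothing changes;
    # the sets only grow, so the iteration terminates.
    result = {p: set() for p in procs}
    changed = True
    while changed:
        changed = False
        for p, (param, body) in procs.items():
            new = AV(body) - {param}
            for callee in CP(body):
                new |= result[callee]
            if new != result[p]:
                result[p], changed = new, True
    return result

if __name__ == "__main__":
    print(iav(PROCS))
```

The walk over the body ignores statement order, so this is a flow-insensitive analysis in the sense of the "Flow sensitivity" slide.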

Points-to Analysis
Analysis that computes a function pt: Var => P(Loc)
Null deref?
– null ∈ pt(o)
Alias possible?
– pt(a) ∩ pt(b) ≠ Ø

Question
Points-to sets are typically large. For type-safe languages, these sets can be significantly reduced. Why?

Points-to Analysis
Two algorithms for finding “points-to” sets:
– Andersen’s
– Steensgaard’s
(possible seminar selection)
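An added example, not from the slides: a small inclusion-based, flow-insensitive solver in the style of Andersen's analysis (the slides only name the algorithm), followed by the null-dereference and alias queries defined on pt. The constraint encoding, the "null" pseudo-location and the sample program are assumptions made for illustration.

```python
from collections import defaultdict

def points_to(constraints):
    """Solve subset constraints over pt: Var => P(Loc) by iterating to a fixed point."""
    pt = defaultdict(set)
    changed = True

    def include(dst, locs):
        # Enforce locs ⊆ pt(dst); remember whether anything new was added.
        nonlocal changed
        if not locs <= pt[dst]:
            pt[dst] |= locs
            changed = True

    while changed:
        changed = False
        for kind, lhs, rhs in constraints:
            if kind == "addr":        # lhs = &rhs  (or lhs = null)
                include(lhs, {rhs})
            elif kind == "copy":      # lhs = rhs
                include(lhs, set(pt[rhs]))
            elif kind == "load":      # lhs = *rhs
                for loc in list(pt[rhs]):
                    include(lhs, set(pt[loc]))
            elif kind == "store":     # *lhs = rhs
                for loc in list(pt[lhs]):
                    include(loc, set(pt[rhs]))
    return pt

def may_be_null(pt, o):
    """Null deref?  null ∈ pt(o)"""
    return "null" in pt[o]

def may_alias(pt, a, b):
    """Alias possible?  pt(a) ∩ pt(b) ≠ Ø"""
    return bool(pt[a] & pt[b])

# Constructed program: a = &x; b = &y; p = &a; *p = b; c = a; d = null; e = *p
PROGRAM = [("addr", "a", "x"), ("addr", "b", "y"), ("addr", "p", "a"),
           ("store", "p", "b"), ("copy", "c", "a"), ("addr", "d", "null"),
           ("load", "e", "p")]
PT = points_to(PROGRAM)

if __name__ == "__main__":
    for var in "abcdep":
        print(var, sorted(PT[var]))
```

Because statement order is ignored, the store through p makes a (and therefore c and e) possibly point to y, so a and b are reported as possible aliases.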

Points-to Analysis
Main applications
– Null pointer analysis
– Shape analysis
– Mutability analysis
Important for interprocedural analysis. E.g., more detailed flow graphs for OO programs can be built by constraining the actual types of method callers.

APPLICATIONS OF STATIC ANALYSIS

Some applications
Change Impact Analysis
– Guide inspection, debugging, and testing activities
– See work of Barbara Ryder at Rutgers Univ.
Dataflow testing (Focus)
– Test is “good” if it exercises a data dependency
– See work of Mauro Pezzè at Politecnico di Milano

Traditional dataflow
Check if test activates pair of def-use
– Variations: all pairs, all uses, all defs

Question
Why may traditional dataflow testing not be appropriate for OO programs?
Imagine the scenario where all fields are encapsulated with accessor methods (getters & setters). Dataflow adequacy will be vacuous (and trivial to obtain)!
Would that be a problem with a flat state (i.e., all state global, no objects)?

Data encapsulation
Encapsulation is key to information hiding and is advocated in OO programming

Contextual def-use associations
Stronger requirement: add context information to associations (test requirement)
– A contextual def-use association is a tuple (d,u,cd,cu), where cd and cu are the contexts of definition and use
– Example: (19,22,Storage::storeMsg()-> Storage::setStored(), Storage::getStored())
Distinguished from context-free associations in that invocations to accessors are mediated.
