Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Slides:



Advertisements
Similar presentations
R O O T S Field-Sensitive Points-to-Analysis Eda GÜNGÖR
Advertisements

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
ASSUMPTION HIERARCHY FOR A CHA CALL GRAPH CONSTRUCTION ALGORITHM JASON SAWIN & ATANAS ROUNTEV.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Improving the Static Resolution of Dynamic Java Features Jason Sawin Ohio State University.
Program Representations. Representing programs Goals.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Faculty of Computer Science LCPC 2007 Using ZBDDs in Points-to Analysis Stephen Curial Jose Nelson Amaral Department of Computing Science University of.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.
Interprocedural analysis © Marcelo d’Amorim 2010.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
From last time: live variables Set D = 2 Vars Lattice: (D, v, ?, >, t, u ) = (2 Vars, µ, ;,Vars, [, Å ) x := y op z in out F x := y op z (out) = out –
Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.
Scaling CFL-Reachability-Based Points- To Analysis Using Context-Sensitive Must-Not-Alias Analysis Guoqing Xu, Atanas Rountev, Manu Sridharan Ohio State.
1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.
Computation Engines: BDDs and SAT (part 2) 290N: The Unknown Component Problem Lecture 8.
Compile-Time Deallocation of Individual Objects Sigmund Cherem and Radu Rugina International Symposium on Memory Management June, 2006.
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
Swerve: Semester in Review. Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution.
Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.
Comparison Caller precisionCallee precisionCode bloat Inlining context-insensitive interproc Context sensitive interproc Specialization.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
An Efficient Inclusion-Based Points-To Analysis for Strictly-Typed Languages John Whaley Monica S. Lam Computer Systems Laboratory Stanford University.
Cloning-Based Context-Sensitive Pointer Alias Analysis using BDDs John Whaley Monica Lam Stanford University June 10, 2004.
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
Precision Going back to constant prop, in what cases would we lose precision?
Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University STATIC ANALYSES FOR JAVA IN THE PRESENCE OF DISTRIBUTED COMPONENTS AND.
Storage Allocation for Embedded Processors By Jan Sjodin & Carl von Platen Present by Xie Lei ( PLS Lab)
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.
Context-Sensitivity Analysis Literature Review by José Nelson Amaral University of Alberta.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
Free-Me: A Static Analysis for Automatic Individual Object Reclamation Samuel Z. Guyer, Kathryn McKinley, Daniel Frampton Presented by: Dimitris Prountzos.
Mark Marron 1, Deepak Kapur 2, Manuel Hermenegildo 1 1 Imdea-Software (Spain) 2 University of New Mexico 1.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
Static Detection of Loop-Invariant Data Structures Harry Xu, Tony Yan, and Nasko Rountev University of California, Irvine Ohio State University 1.
ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.
Using Types to Analyze and Optimize Object-Oriented Programs By: Amer Diwan Presented By: Jess Martin, Noah Wallace, and Will von Rosenberg.
Pointer Analysis Survey. Rupesh Nasre. Aug 24, 2007.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India & K. V. Raghavan.
Pointer Analysis – Part II CS Unification vs. Inclusion Earlier scalable pointer analysis was context- insensitive unification-based [Steensgaard.
Points-To Analysis in Almost Linear Time Josh Bauman Jason Bartkowiak CSCI 3294 OCTOBER 9, 2001.
Detecting Inefficiently-Used Containers to Avoid Bloat Guoqing Xu and Atanas Rountev Department of Computer Science and Engineering Ohio State University.
Programming Languages and Design Lecture 6 Names, Scopes and Binding Instructor: Li Ma Department of Computer Science Texas Southern University, Houston.
CS 343 presentation Concrete Type Inference Department of Computer Science Stanford University.
How to execute Program structure Variables name, keywords, binding, scope, lifetime Data types – type system – primitives, strings, arrays, hashes – pointers/references.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
Sept 12ICSM'041 Precise Identification of Side-Effect-Free Methods in Java Atanas (Nasko) Rountev Ohio State University.
Evaluating the Precision of Static Reference Analysis Using Profiling Maikel Pennings, Donglin Liang, Mary Jean Harrold Georgia Institute of Technology.
ECE 750 Topic 8 Meta-programming languages, systems, and applications Automatic Program Specialization for J ava – U. P. Schultz, J. L. Lawall, C. Consel.
Pick Your Contexts Well: Understanding Object-Sensitivity The Making of a Precise and Scalable Pointer Analysis Yannis Smaragdakis University of Massachusetts,
Inter-procedural analysis
INFORMATION-FLOW ANALYSIS OF ANDROID APPLICATIONS IN DROIDSAFE JARED YOUNG.
Dataflow analysis.
Compositional Pointer and Escape Analysis for Java Programs
Pointer Analysis Lecture 2
Ravi Mangal Mayur Naik Hongseok Yang
Discrete Controller Synthesis
Introduction to Data Structure
Presentation transcript:

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University Presentation by Roza Pogalnikova

Pointer and Shape Analysis Seminar 28/02/082 Abstract Evaluate precision of subset-based points-to analysis Compare different context-sensitivity approaches:  call site strings  object sensitivity  algorithm by Zhu and Calman, Whaley and Lam (ZCWL)‏

Pointer and Shape Analysis Seminar 28/02/083 Subset-based PTA Finding allocation sites that reach variable:  S: a = new A() // allocation statement  for variable x somewhere in the program: can it point to object allocated at S?

Pointer and Shape Analysis Seminar 28/02/084 Context Sensitivity Call site: by program statement of method invocation Object sensitivity: by receiving object of method invocation ZCWL: k-CFA, where k is call graph depth without SCCs Run context-insensitive algorithm on cloned context-sensitive call graph. S: this->call_method()‏

Pointer and Shape Analysis Seminar 28/02/085 Parameters Include:  specialize only pointer variables  use heap abstraction as well Different lengths of context strings

Pointer and Shape Analysis Seminar 28/02/086 Measurements Measure to guide implementation:  number of contexts  number of distinct contexts  number of distinct point-to sets Measure to evaluate:  size of the call graph (methods/edges)‏  devirtualizable call sites  casts statically provable to be safe

Pointer and Shape Analysis Seminar 28/02/087 Results Object sensitivity is the best and most scalable Heap abstraction improves precision of analysis Reduced analysis precision when no context sensitivity call graph in cycles

Pointer and Shape Analysis Seminar 28/02/088 What Compare three kinds of context-sensitive points-to analysis:  call sites as context abstraction  object-sensitive analysis  ZCWL algorithm

Pointer and Shape Analysis Seminar 28/02/089 How Implemented with JEDD system:  language extension of Java  abstraction of work with Binary Decision Diagrams (BDDs)‏  Soot framework written in JEDD: points-to analysis call graph construction side-effect analysis in BDDs virtual call resolution

Pointer and Shape Analysis Seminar 28/02/0810 BDDs Binary decision tree and truth table for the function f(x1, x2, x3) = -x1 * -x2 * -x3 + x1 * x2 + x2 * x3 BDD for the function f * credit:

Pointer and Shape Analysis Seminar 28/02/0811 PTA using BDDs Program: A: a = new O() B: b = new O() C: c = new O() a = b b = a c = b Points-to: (a, A) (b, B) (c, C) (a, B) (b, A) (c, A), (c, B)

Pointer and Shape Analysis Seminar 28/02/0812 PTA using BDDs Binary representation:  a & A as 00  b & B as 01  c & C as 10 Points-to representation: (a, A) as 0000 (a, B) as 0001 (b, A) as 0100 (b, B) as 0101 (c, A) as 1000 (c, B) as 1001 (c, C) as 1010

Pointer and Shape Analysis Seminar 28/02/0813 PTA using BDDs Compact way to represent points-to relations: * credit: [2] Points-to Analysis using BDDs

Pointer and Shape Analysis Seminar 28/02/0814 Determine How many contexts generalized? How number of contexts relates to precision of analysis? How likely scalable solution to be feasible?

Pointer and Shape Analysis Seminar 28/02/0815 Background O - pointer targets (objects)‏ P – pointers I – method invocation p may point to o: O(o) pt(P(p))‏

Pointer and Shape Analysis Seminar 28/02/0816 Background O as – program statement where object was allocated P var - pointer to local variable [O(o), f] - field f of object o P fs (o.f) – pointer to a field f of object o

Pointer and Shape Analysis Seminar 28/02/0817 Background Compare 2 families of invocation abstraction:  call site I cs (i) (program statement of metacall)‏  receiver object I ro (i) = O(o) (object on which method was invoked)

Pointer and Shape Analysis Seminar 28/02/0818 Background String of contexts given base abstraction I base : I string (i) = [I base (i), I base (i 2 ), I base (i 3 ),...] i j is a j'th topmost invocation on stack during i (i = i 1 )‏ Two approaches to make it finite:  define limit k to length of context string  ZCWL: exclude cycle edges from call graph

Pointer and Shape Analysis Seminar 28/02/0819 Background Another choice: which pointers/objects to model context-sensitively? Given context-insensitive P ci and context I model run-time pointer p:  context-sensitively by P(p) = [I(i p ), P ci (p)] (i p method invocation with p)‏  context-insensitively by P(p) = P ci (p)‏

Pointer and Shape Analysis Seminar 28/02/0820 Background Given allocation site abstraction O as, and context I model object o:  context-sensitively by O(o) = [I(i o ), O as (o)] (i o method invocation where o was allocated)‏  context insensitively by O(o) = O as (o)‏

Pointer and Shape Analysis Seminar 28/02/0821 Benchmarks The study was performed on:  SpecJVM 98 benchmark suite  DaCapo benchmark suite (ver. beta050224)‏  Ashes benchmark suite  Polyglot extensible Java front-end SUN standard library 1.3.1_01

Pointer and Shape Analysis Seminar 28/02/0822 Benchmarks

Pointer and Shape Analysis Seminar 28/02/0823 Contexts Number Considered intractable:  propagate context from call site to called method  context strings number grows exponentially in the length of call chains

Pointer and Shape Analysis Seminar 28/02/0824 Contexts Number Clarify next issues:  how many of these contexts improve analysis results?  why BDDs can represent such number, and is there hope to represent it with traditional techniques?

Pointer and Shape Analysis Seminar 28/02/0825 Total contexts number Count method-context pairs Empty spots – analysis not completed with available memory BDD lib. could allocate 41 million BDD nodes (~820 MB)‏

Pointer and Shape Analysis Seminar 28/02/0826 Total contexts number

Pointer and Shape Analysis Seminar 28/02/0827 Total contexts number Explicit context representation not scaling good Contexts number grows slowly in object- sensitive (this pointer method invocations)‏ ZCWL  k is max call depth in the call graph after merging SCCs  big variations because k different for each benchmark

Pointer and Shape Analysis Seminar 28/02/0828 Equivalent contexts Method-context pairs (m 1, c 1 ) and (m 2, c 2 ) are equivalent if:  m 1 = m 2  ∀ local pointer p in the method, pt(P(p)) is the same for c 1 and c 2 Equivalence classes reflect precision improvement due to context sensitivity

Pointer and Shape Analysis Seminar 28/02/0829 Equivalent contexts

Pointer and Shape Analysis Seminar 28/02/0830 Equivalent contexts BDD “automatically” merges equal points-to relations, i. e. is effective Object-sensitive vs. call sites – more precise Context string length does not have great impact Surprisingly ZCWL is less precise due to context-insensitivity in SCCs

Pointer and Shape Analysis Seminar 28/02/0831 Distinct points-to sets Measures analysis cost Approximates space requirements in “traditional”representation, like shared bit- vectors Similar results for all context-sensitive variations Increase in distinct point-to sets with context- sensitive heap abstraction

Pointer and Shape Analysis Seminar 28/02/0832 Distinct points-to sets

Pointer and Shape Analysis Seminar 28/02/0833 Call Graph Compare context-insensitive projection of context-sensitive call graphs  each node is method (and not method-context pair)  reachable methods preserved  ZCWL excluded (same as input context-insensitive graph)‏

Pointer and Shape Analysis Seminar 28/02/0834 Reachable methods

Pointer and Shape Analysis Seminar 28/02/0835 Reachable methods Context-sensitivity discovers more unreachable methods (bloat)‏ Context-sensitivity for heap objects:  In object-sensitive adds precision (sablecc-j)‏  In call site no impact

Pointer and Shape Analysis Seminar 28/02/0836 Call edges

Pointer and Shape Analysis Seminar 28/02/0837 Call edges Compare size of call graph in call edges The same with exception of large difference in sablecc-j (specific code pattern)‏

Pointer and Shape Analysis Seminar 28/02/0838 Virtual call resolution Number of virtual calls with more then one implementation Object-sensitive analysis has clear advantage over call site.  heap objects add precision (sablecc-j)‏

Pointer and Shape Analysis Seminar 28/02/0839 Virtual call resolution

Pointer and Shape Analysis Seminar 28/02/0840 Cast safety Cast cannot fail if pointer can point-to only to object of “right” type (sub-type of the type in cast)‏ Count non-provable casts Object-sensitivity, especially with heap objects is the best (polyglot, javac)

Pointer and Shape Analysis Seminar 28/02/0841 Cast safety

Pointer and Shape Analysis Seminar 28/02/0842 Conclusions Context-sensitive variations:  object-sensitive analysis  call sites as context abstraction  ZCWL algorithm Evaluated effects:  generated contexts  distinct point-to sets  precision of call graph construction  virtual call resolution  cast safety analysis

Pointer and Shape Analysis Seminar 28/02/0843 Conclusions Context-sensitivity improvements:  small: call graph precision  medium: virtual call resolution  major: cast safety analysis Object-sensitive analysis was the best:  analysis precision  potential scalability

Pointer and Shape Analysis Seminar 28/02/0844 Conclusions Object-sensitive variations improvements:  small: length of context strings  significant: heap objects with context  implementable with other existing techniques

Pointer and Shape Analysis Seminar 28/02/0845 Conclusions ZCWL algorithm:  disappointing results  caused by context-insensitive treatment of calls within SCCs of the initial graph  large proportion of edges in SCC