A Context-Sensitive Pointer Analysis Phase in Open64 Compiler Tianwei Sheng, Wenguang Chen, Weimin Zheng Tsinghua University

outline Motivation Definitions & State of the Art Summary High Level Design Context-Sensitive Pointer Analysis Field-Sensitive Pointer Analysis Global Variable Graph Preliminary Experiment Results Future Work Conclusion 2

Motivation Very important for compiler and program analysis tools Many inter-procedural analysis phases need alias information  Lock-set Based Static Data Race Detection  Mod-Ref Analysis  Data Layout More precise information clients get, more accurate results the clients can produce In open64, still based on Steensgaard’95 algorithm

Examples (a)(b) void foo(int index,int *p, int *q) { int i; for(i = 0; i < index; i++) { *(p + i) = *q; } } pthread_mutex_t lock1; pthread_mutex_t lock2; int x, y; void foo(int*p, int *q) { pthread_mutex_lock(&lock1); *p = 1; pthread_mutex_unlock(&lock1); *q = 2; } void bar() { p = &x; q = &y; foo(p,q); }

Definitions & State of the Art Summary AlgorithmEq/Sub/ReachCS CG CS heap FS/FIlanuageShown to ScaleNotes LattnerEqXXFSC/C++XPLDI‘07 Steensgaard(CS)EqXXFSC/C++X Microsoft’ latest progress ScridharanReachXXFSJavaXPLDI‘06 BenSubFSC/C++XPLDI’07 ZhengReachFICXPOPL‘08 Zhu/WhaleySubFSJavaXPLDI’04 FahandrichEqC/C++XPLDI‘00 WilsonSubXFSC/C++PLDI’95 LiangEqXFSC/C++SAS‘01 GuyerSubXSAS‘03 Defintions:  Context-Sensitive: consider the calling context of each callsites  Field-Sensitive: distinguish the individual member of structure variables  Equality/Subset: methods to model the pointer assignments, also known as Steensgaard and Andersen methods  Heap cloning: be able to distinguish the memory location on the heap State of the Art:

High Level Design(1) (a): IPA framework (b): existing alias analysis framework Problem:  IPA phases can not make use of any pointer analysis results  The existing algorithm is context-insensitive, field-insensitive

High Level Design(2) The new phase ： after Call Graph Construction and DFE(Dead Function Elimination)  Use IPA_Node to read all WHIRL tree  DFE can use simple address taken techniques to eliminate dead functions. Major components  Local Phase: apply a new local phase to read all WHIRL tree and create the local alias graph  Bottom-Up Phase: Major context-sensitive phase, use cloning to inline the pointer information of callee into caller  Top-Down Phase: Incorporate caller’s information into callee and eliminate the incomplete information in callee due to formal parameters

High Level Design(3) IPA IPO Intra-Procedural Phase Call Graph Construction and DFE New Context Sensitive Pointer Analysis Phase Other Analysis Phases The Inter-procedural Pointer Information will be passed into Intra Phase

Context-Sensitive Pointer Analysis int foo(int **p, int*q) { *p = q; *q = 1; } int main() { int b, y; int *a, *t; foo(&a,&b); foo(&t,&y); printf(“b = %d\n",b); printf("y = %d\n",y); return 0; } Context-sensitive: p1 = &a; p2 = &t; q1 = &b; q2 = &y; *p1 = q1 *p2 = q2 *q1 = 1; *q2 = 1; Solution: a->{b}, t->{y} Context-insensitive: p = &a; p = &t; q = &b; q = &y; *p = q *q = 1 Solution: s->{b,y}, t->{b,y}

Context-Sensitive (continued) We use the Cloning(Lattner,PLDI’07) methods to achieve context-sensitivity Basic Constructs:  Alias Node: denote the memory location for variables  Alias Rep: Unify several Alias Nodes into an Alias Rep (Unification Methods)  Alias Graph: The points-to relations set, where the edges denotes the points-to relations

Context-Sensitive (continued) typedef struct { int a; int *s; }STR; int x; STR str; extern STR* bar(STR*); STR* foo(int **q) { STR* str_p; int *p; p = &x; str_p = bar(&str); str_p->s = p; *q = p; return str_p; }

Context-Sensitive ： detailed algorithm Local Phase  Traverse every PU,visit each statements in the PU and create the local alias graph(callsite, return value, formal param information). The only phase which inspects the IR Bottom-Up Phase  Inline Callee’s Alias Graph into Caller. Only copy reachable nodes into caller since the scope of local variable in callee does not include caller  Use a SCC (Strong Connect Component) detection algorithm to visit all functions, and for recursive functions that form a SCC, Merge all function inside the SCC into a single alias graph.  Treat function pointers as normal pointers, and resolve them during the SCC visit algorithm, update the caller graph on the fly  For global variables, create the global variables graph to hold all global variables in the program, update the local graph and global graph interactively.

Context-Sensitive (continued) int foo(int **p, int*q) { *p = q; *q = 1; } int main() { int b, y; int *a, *t; foo(&a,&b); foo(&t,&y); printf(“b = %d\n",b); printf("y = %d\n",y); return 0; } (a) :Local graph for main (b) :Local graph for foo (c) :BU graph for main

Why Top-Down Phase? 1.After Bottom-Up phase, foo’s alias graph is copied into the bar. 2.Without inlining, we still do not know the alias information for the formal parameter of foo, p and q 3.The top-down phase will copy the a and x into foo, and make p and q point-to respectively

Field-Sensitive Pointer Analysis an alias node for each member of structures variables, collapse if consistent access pattern disable/enable field-sensitive, field number threshold Problems: in C/C++, we can take the address of the field member, we solve this problem through matching the type information for ADD’s parent WHIRL node struct List{ struct List* forward; struct List* backward; }; struct Hosp{ int c; struct List waiting; struct List assess; }; struct Hosp* hosp_p = &hosp; addList(&hosp_p->assess); addList_2(&(hosp_p->assess.forward)); LOC 1 26 addList(&hosp_p->assess); U8U8LDID 0 T U8INTCONST 24 (0x18) U8ADD U8PARM 2 T # by_value VCALL 126 # flags 0x7e LOC 1 27 addList_2(&(hosp_p->assess.forward)); U8U8LDID 0 T U8INTCONST 24 (0x18) U8ADD U8PARM 2 T # by_value VCALL 126 # flags 0x7e

Global Variable Graph(1) To overcome the bottleneck of copying all global variables during the bottom-up and top-down phase holds all information about global variable update the local graph and global variable graph interactively:  During the local phase, when Visiting a PU, create a global variable alias node in global graph if it is referenced in this PU  During the bottom-up phase, before inlining any callee, first update the local graph according to the global graph  During the bottom-up phase, after inlining all callees, update the global graph

Global Variable Graph(2) Steps: 1.Local phase: s->p, p->x, q->y, in global graph: s->p->x, q->y 2.Bottom-up phase, when inline bar’s information into bar_1, without global graph, we get p->y. With global graph, we know that p also points-to x, then we get p->{x,y}, finally update the global graph s->p p->x q->y s->p->x,q->y Before inline, what p points-to?

Experimental Results The preliminary results show that:  The bottom-up phase does not increase the alias node very much, this is consistent with the fact that we only do reachable cloning for non-local variables  Original Field-Sensitive will incurs very large overhead if the benchmarks contain large number of structure variables, such as 177.mesa and mysql alias node number Statistics :

Future Work Design the alias query interface How to pass the alias information into intra- procedural efficiently (do not store all alias graph) Design and Implement client optimizations, such as mod-ref, race detection Compare with other algorithm, both scalability and precision Combined with Subset methods to further improve the precision

Conclusion We design and implement a new cloning based context-sensitive pointer analysis phase in Open64 Compiler The algorithm is based on DSA algorithm in LLVM, we do several tradeoffs due to the IR and framework of Open64 For all the benchmarks we studied, the cloning phase does not increase the alias node very much

Thanks very much !