A simple approach Given call graph and CFGs of procedures, create a single CFG (control flow super-graph) by: –connecting call sites to entry nodes of.

Slides:



Advertisements
Similar presentations
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Advertisements

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Feedback: Keep, Quit, Start
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Interprocedural analyses and optimizations. Costs of procedure calls Up until now, we treated calls conservatively: –make the flow function for call nodes.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.
Inlining pros and cons (discussion). Inlining pros and cons Pros –eliminate overhead of call/return sequence –eliminate overhead of passing args & returning.
Interprocedural pointer analysis for C We’ll look at Wilson & Lam PLDI 95, and focus on two problems solved by this paper: –how to represent pointer information.
From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.
KQS More exercises/practice What about research frontier? Reading material Meetings for project Post notes more promptly.
Constraints for reaching definitions Using may-point-to information: out = in [ { x ! s | x 2 may-point-to(p) } Using must-point-to aswell: out = in –
Previous finals up on the web page use them as practice problems look at them early.
Range Analysis. Intraprocedural Points-to Analysis Want to compute may-points-to information Lattice:
Run time vs. Compile time
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Intraprocedural Points-to Analysis Flow functions:
Constraints for reaching definitions Using may-point-to information: out = in [ { x ! s | x 2 may-point-to(p) } Using must-point-to aswell: out = in –
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
Recap from last time g() { lock; } h() { unlock; } f() { h(); if (...) { main(); } } main() { g(); f(); lock; unlock; } mainfgh ;;;;;;; u u ” ”””” ” ”
ESP [Das et al PLDI 2002] Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked.
Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.
From last time: Inlining pros and cons Pros –eliminate overhead of call/return sequence –eliminate overhead of passing args & returning results –can optimize.
Another lock protocol example g() { if(isLocked()) { unlock; } else { lock; } } mainfg ;;;;; u ” ”””” ” ””” ” ” ”” ” ” ” ”””” u l l ” ””” ” ” ” ” ” {u,l}
Comparison Caller precisionCallee precisionCode bloat Inlining context-insensitive interproc Context sensitive interproc Specialization.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Course project presentations Midterm project presentation Originally scheduled for Tuesday Nov 4 th Can move to Th Nov 6 th or Th Nov 13 th.
Reps Horwitz and Sagiv 95 (RHS) Another approach to context-sensitive interprocedural analysis Express the problem as a graph reachability query Works.
From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.
Schedule Midterm out tomorrow, due by next Monday Final during finals week Project updates next week.
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
Transfer functions Our pairs of summaries look like functions from input information to output information We call these transfer functions Complete transfer.
Examples of summaries. Issues with summaries Level of “context” sensitivity: –For example, one summary that summarizes the entire procedure for all call.
Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS June 12, 2002.
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
From last class. The above is Click’s solution (PLDI 95)
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Precision Going back to constant prop, in what cases would we lose precision?
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University STATIC ANALYSES FOR JAVA IN THE PRESENCE OF DISTRIBUTED COMPONENTS AND.
PRESTO Research Group, Ohio State University Interprocedural Dataflow Analysis in the Presence of Large Libraries Atanas (Nasko) Rountev Scott Kagan Ohio.
Global Redundancy Elimination: Computing Available Expressions Copyright 2011, Keith D. Cooper & Linda Torczon, all rights reserved. Students enrolled.
1 The System Dependence Graph and its use in Program Slicing.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.
Formalization of DFA using lattices. Recall worklist algorithm let m: map from edge to computed value at edge let worklist: work list of nodes for each.
1 Control Flow Analysis Topic today Representation and Analysis Paper (Sections 1, 2) For next class: Read Representation and Analysis Paper (Section 3)
Escape Analysis for Java Will von Rosenberg Noah Wallace.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
Interprocedural analyses and optimizations. Costs of procedure calls Up until now, we treated calls conservatively: –make the flow function for call nodes.
Interprocedural analyses and optimizations. Costs of procedure calls Up until now, we treated calls conservatively: –make the flow function for call nodes.
Optimization Simone Campanoni
Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.
Inter-procedural analysis
Compositional Pointer and Escape Analysis for Java Programs
Spring 2016 Program Analysis and Verification
Graph Coverage for Design Elements CS 4501 / 6501 Software Testing
Finding rational numbers between rational numbers
Another example: constant prop
Dataflow analysis.
Control Flow Analysis (Chapter 7)
Pointer analysis.
Interprocedural analyses and optimizations
Formalization of DFA using lattices
Formalization of DFA using lattices
Formalization of DFA using lattices
Procedure Linkages Standard procedure linkage Procedure has
Presentation transcript:

A simple approach Given call graph and CFGs of procedures, create a single CFG (control flow super-graph) by: –connecting call sites to entry nodes of callees (entries become merges) –connecting return nodes of callees back to calls (returns become splits) Cons: –speed? –separate compilation? –imprecision due to “unrealizable paths”

Another approach: summaries Compute summary info for each procedure Callee summary: summarizes effect/results of callee procedures for callers –used to implement the flow function for a call node Caller summaries: summarizes context of all callers for callee procedure –used to start analysis of a procedure

Examples of summaries

Issues with summaries Level of “context” sensitivity: –For example, one summary that summarizes the entire procedure for all call sites –Or, one summary for each call site (getting close to the precision of inlining) –Or... Various levels of captured information –as small as a single bit –as large as the whole source code for callee/callers How does separate compilation work?

How to compute summaries Using iterative analysis Keep the current solution in a map from procs to summaries Keep a worklist of procedures to process Pick a proc from the worklist, compute its summary using intraprocedural analysis and the current summaries for all other nodes If summary has changed, add callers/callees to the worklist for callee/caller summaries

How to compute callee summaries let m: map from proc to computed summary let worklist: work list of procs for each proc p in call graph do m(p) := ? for each proc p do worklist.add(p) while (worklist.empty.not) do let p := worklist.remove_any; // compute summary using intraproc analysis // and current summaries m let summary := compute_summary(p,m); if (m(p)  summary) m(p) := summary; for each caller c of p worklist.add(c)

Examples Let’s see how this works on some examples We’ll use an analysis for program verification as a running example

Protocol checking Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked Violated rules ) crashes –Failed runtime checks –Unreliable software

FSM protocols These protocols can often be expressed as FSMs For example: lock protocol Unlocked Locked lock unlock Error unlock lock *

FSM protocols Alphabet of FSM are actions that affect the state of the FSM Often leave error state implicit These FSMs can get pretty big for realistic kernel protocols

FSM protocol checking Goal: make sure that FSM does not enter error state Lattice:

Lock protocol example g() { lock; } h() { unlock; } f() { h(); if (...) { main(); } main() { g(); f(); lock; unlock; }

Lock protocol example g() { lock; } h() { unlock; } f() { h(); if (...) { main(); } } main() { g(); f(); lock; unlock; } mainfgh

Lock protocol example g() { lock; } h() { unlock; } f() { h(); if (...) { main(); } } main() { g(); f(); lock; unlock; } mainfgh ;;;;;;; u u ” ”””” ” ” l ” ””” ” ” l ” ”” ” ” ”” ” ” ””” ”” ” ” ”” ” ”” ” l ” ” ” ” ”” ” ” ” ” ” ”” ” ” ” ” ” ”” ” u u u u

Another lock protocol example g() { if(isLocked()) { unlock; } else { lock; } f() { g(); if (...) { main(); } main() { g(); f(); lock; unlock; }

Another lock protocol example g() { if(isLocked()) { unlock; } else { lock; } } mainfg ;;;;; u ” ”””” ” ””” ” ” ”” ” ” u l l f() { g(); if (...) { main(); } } main() { g(); f(); lock; unlock; }

Another lock protocol example g() { if(isLocked()) { unlock; } else { lock; } } mainfg ;;;;; u ” ”””” ” ””” ” ” ”” ” ” ” ”””” u l l ” ””” ” ” ” ” ” {u,l} f() { g(); if (...) { main(); } } main() { g(); f(); lock; unlock; } {u,l} ”” ” ” {u,e}

What went wrong?

We merged info from two call sites of g() Solution: summaries that keep different contexts separate What is a context?

Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is called

Example again g() { if(isLocked()) { unlock; } else { lock; } } mainfg f() { g(); if (...) { main(); } } main() { g(); f(); lock; unlock; }

Example again g() { if(isLocked()) { unlock; } else { lock; } } mainfg f() { g(); if (...) { main(); } } main() { g(); f(); lock; unlock; }

How should we change the example? How should we change our example to break our context sensitivity strategy? g() { if(isLocked()) { unlock; } else { lock; } f() { g(); if (...) { main(); } main() { g(); f(); lock; unlock; }

Answer h() { g() } g() { if(isLocked()) { unlock; } else { lock; } f() { h(); if (...) { main(); } main() { h(); f(); lock; unlock; }

In general Our first attempt was to make the context be the immediate call site Previous example shows that we may need 2 levels of the stack –the context for an analysis of function f is: call site L 1 where f was called from AND call site L 2 where f’s caller was called from Can generalize to k levels –k-length call strings approach of Sharir and Pnueli –Shiver’s k-CFA

Approach #2 to context-sensitivity

Use dataflow information at call site as the context, not the call site itself

Using dataflow info as context g() { if(isLocked()) { unlock; } else { lock; } } mainfg f() { g(); if (...) { main(); } } main() { g(); f(); lock; unlock; }

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.