Points-to Analysis as a System of Linear Equations Rupesh Nasre. Computer Science and Automation Indian Institute of Science Advisor: Prof. R. Govindarajan Feb 22, 2010

What is Pointer Analysis? a = &x; b = a; if (b == *p) { … } else { … } Is this condition always satisfied? Pointer Analysis is a mechanism to statically find out run-time values of a pointer. a and b are aliases. a points to x.

Why Pointer Analysis? For Parallelization.  fun(p) || fun(q); For Optimization.  a = p + 2;  b = q + 2; For Bug-Finding. For Program Understanding.... Clients of Pointer Analysis.

Placement of Pointer Analysis. Pointer Analysis. Parallelizing compiler. String vulnerability finder. Program slicer. Data flow analyzer. Lock synchronizer. Affine expression analyzer. Memory leak detector. Type analyzer. Improved runtime. Secure code. Better debugging. Better compile time.

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store pq

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store pq

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store p q

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store p q

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store qp

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store qp

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store qp

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store qp

Why as a Linear System? Scalability.  Code sizes going into billions. Scalability.  Analyses trade off at least one of i. memory requirement, ii. analysis time, iii.precision. Scalability.  Linear algebra is a mature topic.

Outline. Introduction.  First-cut approach. Prime-factorization approach. Evaluation.

First-cut Approach: Transformations p = &q p = q – 1 p = q p = q p = *q p = q + 1 *p = q p + 1 = q Each address-taken variable (&v) would be assigned a unique value.

First-cut Approach. a = &x; p = &a; b = *p; c = b; a = x - 1 p = a - 1 b = p + 1 c = b Transform. Solve. x = r a = r - 1 b = r - 1 c = r – 1 p = r - 2 a points to x. Solve. a, b, c point to x. p points to a.

First-cut Approach. a = &x; p = &a; b = *p; c = b; a = x - 1 p = a - 1 b = p + 1 c = b Transform. Solve. x = r a = r - 1 b = r - 1 c = r – 1 p = r - 2 b points to x. Solve. a, b, c point to x. p points to a.

First-cut Approach. a = &x; p = &a; b = *p; c = b; a = x - 1 p = a - 1 b = p + 1 c = b Transform. Solve. x = r a = r - 1 b = r - 1 c = r – 1 p = r - 2 c points to x. Solve. a, b, c point to x. p points to a.

First-cut Approach. a = &x; p = &a; b = *p; c = b; a = x - 1 p = a - 1 b = p + 1 c = b Transform. Solve. x = r a = r - 1 b = r - 1 c = r – 1 p = r - 2 p points to a. Solve. a, b, c point to x. p points to a.

First-cut Approach. a = &x; p = &a; b = *p; c = b; a = x - 1 p = a - 1 b = p + 1 c = b Transform. Solve. x = r a = r - 1 b = r - 1 c = r – 1 p = r - 2 a, b, c point to x. p points to a. p points to b. p points to c. Solve. a, b, c point to x. p points to a. Imprecise analysis..

Issues with First-cut Approach. Dereferencing.  a = &x versus *a = x. a = &x*a = x a = x-1 a+1 = x Semantically different. Mathematically same.

Issues with First-cut Approach. Dereferencing.  a = &x versus *a = x. Multiple assignments.  a = &x, a = &y; a = &x; a = &y; Transform. a = x-1; a = y-1; Solve. No solution.

Issues with First-cut Approach. Dereferencing.  a = &x versus *a = x. Multiple assignments.  a = &x, a = &y; Cyclic assignments.  a = &a; a = &a; Transform. a = a-1 Solve. No solution.

Issues with First-cut Approach. Dereferencing.  a = &x versus *a = x. Multiple assignments.  a = &x, a = &y; Cyclic assignments.  a = &a; Symmetry of assignment.  a = b implies b = a.

Outline. Introduction. First-cut approach.  Prime-factorization approach. Evaluation.

Important Ideas. Address of a variable as a prime number. Points-to set as a multiplication of primes. Variable renaming to avoid inconsistency.

Prime-factorization Approach: Transformations p = &q p i * (p = prime(&q)) p = q p i * (p = q) p = *q p i * (p = q + 1) *p = q handled separately Each address-taken variable (&v) would be assigned a unique prime number.

Points-to Information Lattice … … 3*5*73*5*113*7*115*7*11… 3*5*7*11*… 1 Precision increases We start with larger primes to avoid composition gap problem.

Algorithm Outline. do { equations = Linearize(constraints); solution = LinSolve(equations); points-to = Interpret(solution); constraints += AddConstraints(store-constraints, points-to); } while points-to information changes;

Example. a = &x; p = &a; b = *p; c = b; a = a0*17 p = p0*101 b = b0*(p+1) c = c0*b Transform. Solve. &x = 17 &a = 101 a0 = 1 b0 = 1 c0 = 1 p0 = 1 a = 17 p = 101 b = 102 c = 102 Interpret. a = 17 p = 101 b = 17 c = => => 1 dereference on 101 => 1 dereference on &a => a => 17.

Solution Properties. Integrality. – Only addition and multiplication over integers. Feasibility. – No negative weight cycle. Uniqueness. – Each variable is defined only once.

Soundness. If &x = 7, &y = 11 and p points to x and y, then p is a multiple of 77.  Base: p points to x and y by direct assignment.  Induction: p points to x and y due to an indirect assignment (copy, load, store).  Prove that all indirect assignments are safe.  Argument: Multiplication moves the dataflow fact upwards in the lattice. Assumption: No problem due to composition gaps. p1 + k1 is not misinterpreted as p2 + k2. The assumption can be enforced by careful offline selection of primes.

Precision. If &x = 7, &y = 11 and p is a multiple of 77, then p points to x and y. Argument: Prime factorization is unique. Thus, 77 can be decomposed only as 7*11. Prove that none of the address-of, copy, load, store statements add extra primes into the composition. Assumption: No problem due to composition gaps. p1 + k1 is not misinterpreted as p2 + k2. The assumption can be enforced by careful offline selection of primes.

Properties. If the value of a pointer p is a prime number, then it defines a must-point-to relation, else it is a may-point-to relation. If the value of p is 1, then p is unused. If pointers p1 and p2 have the same value, then p1 and p2 are pointer equivalent. Variables x and y are location equivalent when &x dividing the value of pointer p implies &x*&y also divide the value. Pointers p1 and p2 are aliases if gcd(p1, p2) != 1.

Outline. Introduction. First-cut approach. Modified approach.  Evaluation.

Evaluation. Benchmarks: SPEC 2000, httpd, sendmail. Configuration: Intel Xeon, 2 Ghz clock, 4MB L2 cache, 3GB RAM. Analysis: Context-sensitive, Flow-insensitive.

Analysis Time (seconds).

Memory (MB).

Summary. We proposed a novel representation of points- to information using prime factorization. We solved pointer analysis as a system of linear equations. We empirically showed that it is competitive to the state-of-the-art algorithms.

Points-to Analysis as a System of Linear Equations Rupesh Nasre. Computer Science and Automation Indian Institute of Science Advisor: Prof. R. Govindarajan Feb 22, 2010

Our Contributions. Ordering points-to statements in an intelligent way to improve the analysis time. Dynamic partitioning of points-to statements for a prioritized points-to analysis. Probabilistic points-to analysis using bloom filters.  Points-to analysis as a set of linear equations.

Normalized Input. p = &q address-of p = q copy p = *q load *p = q store p q pq p q p q qp qp qp qp