Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pointer Analysis – A Survey Vishwanath Raman (call me vishwa please) Dec. 1, 2004.

Published byDinah Hardy Modified over 8 years ago

Similar presentations

Presentation on theme: "Pointer Analysis – A Survey Vishwanath Raman (call me vishwa please) Dec. 1, 2004."— Presentation transcript:

1 Pointer Analysis – A Survey Vishwanath Raman (call me vishwa please) vishwa@soe.ucsc.edu Dec. 1, 2004

2 I did say Pointer Analysis He certainly is a pointer.. By first impressions he seems earnest. But also wickedly gleeful. The puffing out of his chest is suggestive.. Seriously…

3 What is it? – For variables of pointer type, what are the objects they may point to at runtime. Where is it used? –Compiler optimizations – register allocation, constant propagation. –Bug detection – NULL pointer dereference. –Security violations – buffer overruns. –Tracking resource usage in static schedulers. ?/! (clearly borrowed)

4 Consider the following C snippet - int x, y, *p, **q; p = &x; q = &p; *q = &y; Points-to set: [q -> {p}, p -> {x, y}] Example

5 –Analysis based on a type system by Bjarne Steensgaard (Microsoft Research). –Analysis based on BDDs from the SABLE group at McGill. –An application of pointer analysis for bug detection from the SUIF group at Stanford. The survey covers?

6 In the interest of time… BDD based approach A BDD is a directed acyclic graph used to represent boolean functions and state spaces. Interpreted as sets – 1.S = {11} 2.S = {01, 10, 11} 1. 2.

7 a = allocate; // encode a = 00, location = 00 b = allocate; // b = 01, location = 01 c = allocate; // c = 10, location = 10 a = b; c = b; Points-to for allocate, Y = {(a, A), (b, B), (c, C)} Points-to for assignments X = {(b, a), (b, c)} In terms of bit strings (each bit is a BDD var) - {(0000), (0101), (1010)} and {(0100), (0110)} Analyze this...

8 RelProd(X, Y, V1) = {(v 2, h) | 1 v 1. ((v 1, v 2 ) ε X and (v 1, h) ε Y)} Points-to for allocate, Y = {(a, A), (b, B), (c, C)} Points-to for assignments, X = {(b, a), (b, c)} RelProd(X, Y, V1) = {(a, B), (c, B)} To get well formed BDDs, there are two variable domains (V1 and V2) with the same encoding BDD operations to die for 1 Can someone please tell me how to get the $#!@% symbol for “there exists” in Windows

9 Replace will replace variables in one domain with variables from another domain Replace ( RelProd ( X, Y, V1 ) ) = {(a, B), (c, B)} Now, a and c are from the V1 domain as opposed to the V2 domain. More operations to die for

10 Union has the usual meaning Union ( Replace ( RelProd ( X, Y, V1 ) ), Y ) = {(a, A), (b, B), (c, C), (a, B), (c, B)} as desired. Remember the program : a = allocate; b = allocate; c = allocate; a = b; c = b;

11 The types based approach defines a type system over a storage model and assigns types to locations. Two locations (variables) have unique type assignments, unless they HAVE to be of the same type for ALL statements to be well-formed. Types joined through unification. Algorithm produces a storage shape graph which can be used to get points-to sets and alias sets. An epitome of elegance

12 The bug detector from SUIF is more orthodox. Uses a variant of Static Single Assignment forms to compute def-use chains. def-use chains are analyzed for potential violations such as buffer overruns. Technique is inter-procedural, flow-sensitive and context-sensitive. Claim to fame

13 Thanks. If you are still interested and just can’t wait to get your hands on the survey - www.soe.ucsc.edu/~vishwa/publications/Pointers.pdf

Download ppt "Pointer Analysis – A Survey Vishwanath Raman (call me vishwa please) Dec. 1, 2004."

Similar presentations

Symbol Table.

Symbol Table.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Class 2 ssh, memory, data types, variables

Class 2 ssh, memory, data types, variables
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Computer Architecture Lecture 7 Compiler Considerations and Optimizations.

Computer Architecture Lecture 7 Compiler Considerations and Optimizations.
Hand Trace and Output for: int digit = 0; int number = 1423; do { digit = number % 10; System.out.println(digit); number = number / 10; } while (number.

Hand Trace and Output for: int digit = 0; int number = 1423; do { digit = number % 10; System.out.println(digit); number = number / 10; } while (number.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
Flow-Insensitive Points-to Analysis with Term and Set Constraints Presentation by Kaleem Travis Patrick.

Flow-Insensitive Points-to Analysis with Term and Set Constraints Presentation by Kaleem Travis Patrick.
Names and Bindings.

Names and Bindings.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.

Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.

1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Similar presentations

Ads by Google