Presentation is loading. Please wait.

Presentation is loading. Please wait.

창 병 모 숙명여대 전산학과 http://cs.sookmyung.ac.kr/~chang 자바 언어를 위한 정적 분석 틀 (A Framework for SBA for Java) KAIST 프로그램 분석시스템 연구단 세미나 1999. 11. 1 창 병 모 숙명여대 전산학과.

Similar presentations


Presentation on theme: "창 병 모 숙명여대 전산학과 http://cs.sookmyung.ac.kr/~chang 자바 언어를 위한 정적 분석 틀 (A Framework for SBA for Java) KAIST 프로그램 분석시스템 연구단 세미나 1999. 11. 1 창 병 모 숙명여대 전산학과."— Presentation transcript:

1 창 병 모 숙명여대 전산학과 http://cs.sookmyung.ac.kr/~chang
자바 언어를 위한 정적 분석 틀 (A Framework for SBA for Java) KAIST 프로그램 분석시스템 연구단 세미나 창 병 모 숙명여대 전산학과

2 목차 Java Overview Why static analyses ? Static analyses
Higher-order CFA and Class analysis Exception analysis Speed-up SBA by partitioning Conclusions

3 Java overview Object oriented C-like syntax Static typing
classes (single inheritance) object types (interfaces) objects C-like syntax Static typing type soundness by Eisenbach in ECOOP’97 by Nipkow in ACM POPL’98

4 Java overview Dynamic binding Exception handling
inheritance and overriding class analysis (object type inference) Exception handling uncaught exception analysis Automatic memory management escape analysis Concurrency

5 Why Static Analyses for Java
Class analysis for call graph and fast method dispatch in compiler Exception analysis for verification and programming environments Escape analysis for efficient memory management and synchronization optimization

6 Higher-order CFA and Class Analyses

7 Higher-order Flow Analysis
Call graphs Many program analyses rely on a call-graph. There is an edge (f,g) if function f calls function g. Call graphs are easy to compute in FORTRAN. Not so easy in higher-order languages functional (ML) object-oriented (Java, C++) pointer-based (C)

8 Higher-order Flow Analysis
In a functional language e1 e2 closure analysis [Shivers88] In an object oriented language e.m() class analysis In a pointer language (*p)() pointer analysis In each case it is unclear which function is called.

9 Class Analyses for Java
The goal is to approximate the classes of the objects, to which an expression refer Also gives an approximation of the call graph

10 Class Analyses for Java
A set variable Ce for each expression e. class names of the objects, to which the expression e refers Set up set-constraints of the form : Ce Ê se Analysis assigns possible classes of e to Ce. Solution of the constraints yield the information

11 Sample Constraints for Class Analyses
Suppose e is each of the following expressions new C | Ce Ê {C} if e0 then e1 else e2 | Ce Ê Ce1 È Ce2 id = e1 | Cid Ê Ce1 Method application e0.m(e1) for each class C in [e0] with a method m(x1) = return em C Î Ce0 Þ (Cx1 Ê Ce1) Ce Ê Cem

12 History in Class Analyses
Constraint resolution in O(n3 ) time. This analysis was discovered by Palsberg and Schwartzbach in 1991. closely related to closure analysis for functional programs (Jones,Shivers). Fast interprocedural class analysis by node(set variable) merging Grove and Chambers in ACM POPL’98

13 Objects and Methods in Java
class C { int n; void incr() { n++; } void decr() { n--; } } Method invocation: [[e.m(arg)]] = object * o = [[e]]; lookup(o®vtable, m)(o, [[arg]]) method table void C::incr(this) { this.n++; g} object incr decr Value of n void C::decr(this) { this.n--; }

14 Objects and Methods in Java
Layout of method tables attached to objects based on inheritance hierarchies Transformation of method invocations into method lookups + calls. We can generate a direct call c.m using analysis if that set is a singleton {c} or if all elements in that set have the same implementation of method m

15 Uncaught Exception Analysis

16 Exceptions in Java Every exception is declared as Throw exceptions
a subclass of “Exception” class Throw exceptions throw e Exception handling try { … } catch (E x) { … } Specify uncaught exceptions in method definition m(...) throws … { …}

17 Uncaught Exception Analysis in JDK
Intraprocedural analysis Based on programmer’s specifications. Not elaborate enough to suggest for specialized handling nor remove unnecessary handlers

18 Uncaught Exception Analysis
We need an interprocedural analysis to estimate Java program's exception flows independently of the programmer's specs. Approximate all possible uncaught exceptions for every expression and every method Exception analysis after class analysis

19 Deriving Set Constraints
A set variable Pe for every expression e class names of uncaught exceptions from e. Deriving set constraints of the form : Pe Ê se Analysis assigns classes of possible uncaught exceptions of e to Pe

20 Deriving Set Constraints
Suppose e is each of the following expressions id = e1 | Pe Ê Pe1 if e0 then e1 else e2 | Pe Ê Pe0 È Pe1 È Pe2 throw e1 | Pe Ê Ce1 È Pe1 try e0 catch (c1 x1 ) e1 | Pe Ê (Pe0 - {c1}*) È Pe1 Method invocation e0.m(e1) - Pe Ê Pe0 È Pe1 - for each class C in Ce0 with a method m(x1) = em C Î Ce0 Þ Pe Ê Pem

21 Speed up SBA by partitioning

22 Motivation SBA usually derives a set-constraint for every expression
SBA tends to be not practical for large programs There are too many set variables and set-constraints for large programs.

23 Main idea Reduce the number of set variables and so set-constaints
How to reduce ? The basic idea is to partition a collection of set variables. Each set variable in set constraints is replaced by the set variable for the block, to which it belongs Any disjoint partition of set variables gives a sound approximation to the original set constraints.

24 Partitioning Partition of set-variables
Let  be a set of set-variables. Let  / = {B1, B2, ..., Bn } be a partition of  Let [Xe] be the set-variable for the block, to which a set variable Xe belongs. Transform a set-constraint C into C' Replace each set variable Xe in C by [Xe] Xe  se is transformed into [Xe]  se/ where se/ is obtained by replacing each set variable Xe by [Xe]

25 Theorem on Partitioning
Soundness theorem sba(C') is a sound approximation of sba(C) in that lm(C')([Xe])  lm(C)(Xe) for every expression e. Proof. Galois insertion : (  L)  (/  L) set-constraints using monotone operators

26 Questions on Partitioning
If I is a model for C, then is I/ also model for C’ ? This is not always valid !! What partitions is this valid for ? What partitions don’t lose precision ?

27 Partition times Definition time Set-up time Analysis time
Define a specific analysis for a language and derive set-constraints for that. Set-up time Set up set-constrains for input programs Analysis time Find a least solution for the set-constraints

28 Set-up time Partitioning
Partitioning at Set-up time After setting up set-constraints and before evaluation Merge set-variables based on some relation Partitioning at dataflow analysis [Soffa94] Idempotence X = Y Common subexpression X =  Y = 

29 Analysis-time Partitioning
Partitioning at Analysis time Merging set-variables during analysis Example Fast interprocedural class analysis [Chambers98] Merging set-variables which are evaluated often during analysis

30 Definition-time Partitioning
Partitioning at Definition time Partitioning at design stage of analysis Starting from the expression-level set constraints, define one set variable for a block of set-variables We can mechanically derive set-constraints from the set-constraints. Example Method-level analysis Expression-kind-level analysis

31 Method-level Exception Analysis
Cost-Effective ? Too Many Set Variables for large programs Observations exceptions are sparse objects exceptions are usually explicit methods are usually explicit

32 Set Variables for Method-level Analysis
Pf for each method f class names of uncaught exceptions during the call to f Pg for try expressions eg in try eg catch (c1 x1) e1 Assume that Ce represents classes that are ``available'' at an expression e

33 Method-level Set Constraints
Suppose each expression is in a method f id = e1 | Pf Ê Pf if e0 then e1 else e2 | Pf Ê Pf È Pf È Pf throw e1 | Pf Ê Ce1 È Pf try e0 catch (c1 x1 ) e1 | Pf Ê (Pg - {c1}*) È Pf Method invocation e0.m(e1) - Pf Ê Pf È Pf - for each class C in [e0] with a method m(x1) = em C Î Ce0 Þ Pf Ê Pc.m

34 Method-level Set Constraints
Suppose each expression is in a method f id = e1 | if e0 then e1 else e2 | throw e1 | Pf Ê Ce1 Ç ExnClasses try eg catch (c1 x1) e1 | Pf Ê Pg - {c1}* Method invocation e0.m(e1) - for each class C in [e0] with a method m(x1) = em C Î Ce0 Þ Pf Ê Pc.m

35 Expression-kind-level Analysis
Pf,k for each expression-kind k in a method f class names of uncaught exceptions during the call to f Pg,k for each expression-kind k in a try expression eg try eg catch (c1 x1) e1 Assume that Ce represents classes that are ``available'' at an expression e

36 Expression-kind-level Set Constraints
Suppose each expression is in a method f id = e1 | Pf,ass Ê Pf,k1 where k1 = kind(e1) if e0 then e1 else e2 | Pf,if Ê Pf,k1 È Pf,k2 È Pf,k3 throw e1 | Pf,throw Ê Ce1 È Pf,k1 try eg catch (c1 x1 ) e1 | Pf,try Ê (Pg,k0 - {c1}*) È Pf,k1 Method invocation e0.m(e1) - Pf,call Ê Pf,k0 È Pf,k1 - for each class C in Ce0 with a method m(x1) = em C Î Ce0 Þ Pf,call Ê Pm,km

37 Exception Analyses for Java
Exception analysis for Java by Yi and Chang in ECOOP’99 Workshop Expression-level and Method-level We are currently devising a general framework for method-level analysis Jex A tool for a view of the exception flow by Robillard and Murphy in 1999

38 Applications of Exception Analysis
A kind of program verification Provide programmers information on all possible uncaught exceptions Can be incorporated in Java programming environment

39 Escape Analysis

40 Escape Analysis Escape analysis is basically
lifetime analysis of objects An object escapes a method if it is passed as a parameter returned Basic idea of applications: Basically all objects are allocated in a heap. If an object doesn’t escape a method(or region), it can be allocated on stack

41 Escape Graph for Escape Analysis
inside node object created inside the currently analyzed region and accessed via inside edges. outside node object created outside the currently analyzed region or accessed via outside edges. inside edge references created inside the current region outside edge references created outside the current region

42 Example Class complex { double x, y;
complex (double a, double b) { x = a; y = b;} complex multiply(complex a) { complex product = new complex(x*a.x - y*a.y, x*a.y+y*a.x); return product; } complex add(complex a) { complex sum = new complex(x+a.x,y+a.y); return sum; complex multiplyAdd(complex a, complex b) { complex product = a.multiply(b); complex sum = this.add(product);

43 Example Analysis Result for mutiplyAdd a b this product sum
Inside edge Outside edge Inside node Outside node Return value

44 Escape Analysis Intraprocedural analysis Interprocedural analysis
Construction of escape graph following the control-flow Interprocedural analysis For every method invocation cite, mapping between caller and callee. To simulate parameter passing and returning

45 Escape Analysis OOPSLA’99
Compositional Pointer and Escape Analysis for Java Programs by J. Whaley and M. Rinard Escape analysis for object-oriented languages: application to Java by B Blanchet Escape analysis for Java by J.D. Choi et al.

46 Conclusions We surveyed major analyses for Java
A new framework for SBA for speed-up Further research topics Refining the framework and proof, ... static analysis in connection with verification analyses of Java bytecode


Download ppt "창 병 모 숙명여대 전산학과 http://cs.sookmyung.ac.kr/~chang 자바 언어를 위한 정적 분석 틀 (A Framework for SBA for Java) KAIST 프로그램 분석시스템 연구단 세미나 1999. 11. 1 창 병 모 숙명여대 전산학과."

Similar presentations


Ads by Google