Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Field-Sensitive Pointer Analysis for C David J. Pearce, Paul H.J. Kelly and Chris Hankin Imperial College, London, UK

Published byEli Meadow Modified over 9 years ago

Similar presentations

Presentation on theme: "Efficient Field-Sensitive Pointer Analysis for C David J. Pearce, Paul H.J. Kelly and Chris Hankin Imperial College, London, UK"— Presentation transcript:

1 Efficient Field-Sensitive Pointer Analysis for C David J. Pearce, Paul H.J. Kelly and Chris Hankin Imperial College, London, UK d.pearce@doc.ic.ac.uk www.doc.ic.ac.uk/~djp1/

2 What is Pointer Analysis?  Determine pointer targets without running program  What is flow-insensitive pointer analysis? >One solution for all statements – so precision lost >This is a trade-off for efficiency over precision >This work considers flow-insensitive pointer analysis only int a,b,*p,*q = NULL; p = &a; if(…) q = p; // p  {a,b}, q  {a,NULL} p = &b;

3 Pointer analysis via set-constraints  Generate set-constraints from program and solve them >Use constraint graph for efficient solving int a,b,c,*p,*q,*r; p = &a; r = &b; q = &c; if(...) q = p; else q = r; (program)

4 Pointer analysis via set-constraints int a,b,c,*p,*q,*r; p = &a; // p  { a } r = &b; // r  { b } q = &c; // q  { c } if(...) q = p; // q  p else q = r; // q  r (program)(constraints)  Generate set-constraints from program and solve them >Use constraint graph for efficient solving

5 Pointer analysis via set-constraints int a,b,c,*p,*q,*r; p = &a; // p  { a } r = &b; // r  { b } q = &c; // q  { c } if(...) q = p; // q  p else q = r; // q  r pqr {a}{b} (program)(constraints)(constraint graph) {c}  Generate set-constraints from program and solve them >Use constraint graph for efficient solving

6 Pointer analysis via set-constraints int a,b,c,*p,*q,*r; p = &a; // p  { a } r = &b; // r  { b } q = &c; // q  { c } if(...) q = p; // q  p else q = r; // q  r pqr {a}{b} (program)(constraints)(constraint graph) {a,b,c}  Generate set-constraints from program and solve them >Use constraint graph for efficient solving

7 Field-Sensitivity  How to deal with aggregate types ? >Standard approach treats them as single variables typedef struct { int *f1; int *f2; } t1; int a,b,*p,*q,*r; t1 x; p = &a; // p  { a } q = &b; // q  { b } x.f1 = p; // x  p x.f2 = q; // x  q r = x.f1; // r  x pxq {a} {b} {} r

8 Field-Sensitivity  How to deal with aggregate types ? >Standard approach treats them as single variables typedef struct { int *f1; int *f2; } t1; int a,b,*p,*q,*r; t1 x; p = &a; // p  { a } q = &b; // q  { b } x.f1 = p; // x  p x.f2 = q; // x  q r = x.f1; // r  x pxq {a} {b} {a,b}{a,b} r {a,b}{a,b}

9 Field-Sensitivity – A simple solution  Use a separate node per field for each aggregate >Node “x” split in two typedef struct { int *f1; int *f2 } t1; int a,b,*p,*q,*r; t1 x; p = &a; // p  { a } q = &b; // q  { b } x.f1 = p; // x f1  p x.f2 = q; // x f2  q r = x.f1; // r  x f1 px f2 q {a} {b} {} r x f1 {}

10 Field-Sensitivity – A simple solution  Use a separate node per field for each aggregate >Node “x” split in two typedef struct { int *f1; int *f2 } t1; int a,b,*p,*q,*r; t1 x; p = &a; // p  { a } q = &b; // q  { b } x.f1 = p; // x f1  p x.f2 = q; // x f2  q r = x.f1; // r  x f1 px f2 q {a} {b} {a}{a} r {a}{a} x f1 {b}{b}

11 Problem – can take address of field in C  System thus far has no mechanism for this  First idea – use string concatenation operator || >Works well for this example typedef struct { int *f1; int *f2; } t1; int **p; t1 x,*s; s = &x; // s  { x } p = &(s->f2); // p  ? x f2 {..} x f1 {..}

12 Problem – can take address of field in C  System thus far has no mechanism for this  First idea – use string concatenation operator || >Works well for this example typedef struct { int *f1; int *f2; } t1; int **p; t1 x,*s; s = &x; // s  { x } p = &(s->f2); // p  (*s) || f2 x f2 {..} x f1 {..}

13 Problem – can take address of field in C  System thus far has no mechanism for this  First idea – use string concatenation operator || >Works well for this example typedef struct { int *f1; int *f2; } t1; int **p; t1 x,*s; s = &x; // s  { x } p = &(s->f2); // p  (*s) || f2  p  { x } || f2  p  { x f2 } x f2 {..} x f1 {..}

14 Problem – compatible types  First idea – use string concatenation operator || >Casting identical types except for field names >Derivation same as before - but,node x f2 no longer exists! typedef struct { int *f1; int *f2; } t1; typedef struct { int *f3; int *f4; } t2; int **p; t1 *s; t2 x; s = (t1*) &x; // s  { x } p = &(s->f2); // p  (*s) || f2 x f4 {..} x f3 {..}

15 Problem – compatible types  First idea – use string concatenation operator || >Casting identical types except for field names >Derivation same as before - but,node x f2 no longer exists! typedef struct { int *f1; int *f2; } t1; typedef struct { int *f3; int *f4; } t2; int **p; t1 *s; t2 x; s = (t1*) &x; // s  { x } p = &(s->f2); // p  (*s) || f2  p  { x } || f2  p  { x f2 } x f4 {..} x f3 {..}

16 Field-Sensitivity – Our Solution typedef struct { int *f1; int *f2; } t1; typedef struct { int *f3; int *f4; } t2; int **p; t1 *s; t2 x; s = (t1*) &x; // s  { x f3 } p = &(s->f2); // p  s + 1  Our solution – map variables to integers >Solution sets become integer sets >Use integer addition to model taking address of field >Address of aggregate modelled by address of its first field psx f3 x f4 0123

17 Field-Sensitivity – Our Solution typedef struct { int *f1; int *f2; } t1; typedef struct { int *f3; int *f4; } t2; int **p; t1 *s; t2 x; s = (t1*) &x; // s  { x f3 }  s  { 2 } p = &(s->f2); // p  s + 1  Our solution – map variables to integers >Solution sets become integer sets >Use integer addition to model taking address of field >Address of aggregate modelled by address of its first field psx f3 x f4 0123

18 Field-Sensitivity – Our Solution typedef struct { int *f1; int *f2; } t1; typedef struct { int *f3; int *f4; } t2; int **p; t1 *s; t2 x; s = (t1*) &x; // s  { x f3 }  s  { 2 } p = &(s->f2); // p  s + 1  p  { 2 } + 1  p  { 3 }  Our solution – map variables to integers >Solution sets become integer sets >Use integer addition to model taking address of field >Address of aggregate modelled by address of its first field psx f3 x f4 0123

19 Experimental Study Time (s)Avg Deref Size bash (55324 LOC) Field-insensitive Field-sensitive 0.51 0.53 543.0 86.7 emacs (93151 LOC) Field-insensitive Field-sensitive 0.4 0.69 79.3 5.4 sendmail (49053 LOC) Field-insensitive Field-sensitive 0.49 2.05 558.4 214.2 Named (75599 LOC) Field-insensitive Field-sensitive 30.0 129.1 2865.5 2167.7 ghostscript (159853 LOC) Field-insensitive Field-sensitive 277.4 2510.4 7703.1 7365.2

20 Conclusion  Field-sensitive Pointer Analysis >Presented new technique for C language >Elegantly copes with language features -Taking address of field -Compatible types and casting -Technique also handles function pointers without modification >Experimental evaluation over 7 common C programs -Considerable improvements in precision obtained -But, much higher solving times -And, relative gains appear to diminish with larger benchmarks

21 Constraint Graphs (continued)  What about statements involving a pointer dereference? >Cannot be represented in the constraint graph >Instead, add edges as solution of q becomes known >Thus, computation similar to dynamic transitive closure int a,*r,*s,**p,**q; p = &r; // p  { r } s = &a; // s  { a } q = p; // q  p *q = s; // *q  s pq {r} sr {} {a} (program)(constraints)(constraint graph) {}

22 Constraint Graphs (continued)  What about statements involving a pointer dereference? >Cannot be represented in the constraint graph >Instead, add edges as solution of q becomes known >Thus, computation similar to dynamic transitive closure int a,*r,*s,**p,**q; p = &r; // p  { r } s = &a; // s  { a } q = p; // q  p *q = s; // *q  s  r  s pq {r} sr {} {a} (program)(constraints)(constraint graph) {r}{r}

23 Constraint Graphs (continued)  What about statements involving a pointer dereference? >Cannot be represented in the constraint graph >Instead, add edges as solution of q becomes known >Thus, computation similar to dynamic transitive closure int a,*r,*s,**p,**q; p = &r; // p  { r } s = &a; // s  { a } q = p; // q  p *q = s; // *q  s  r  s pq {r} sr {} {a} (program)(constraints)(constraint graph) {r}{r}

24 Constraint Graphs (continued)  What about statements involving a pointer dereference? >Cannot be represented in the constraint graph >Instead, add edges as solution of q becomes known >Thus, computation similar to dynamic transitive closure int a,*r,*s,**p,**q; p = &r; // p  { r } s = &a; // s  { a } q = p; // q  p *q = s; // *q  s  r  s pq {r} sr {a}{a} {a} (program)(constraints)(constraint graph) {r}{r}

Download ppt "Efficient Field-Sensitive Pointer Analysis for C David J. Pearce, Paul H.J. Kelly and Chris Hankin Imperial College, London, UK"

Similar presentations

Pointers.

Pointers.
Heuristic Search techniques

Heuristic Search techniques
CS 11 C track: lecture 7 Last week: structs, typedef, linked lists This week: hash tables more on the C preprocessor extern const.

CS 11 C track: lecture 7 Last week: structs, typedef, linked lists This week: hash tables more on the C preprocessor extern const.
C Structures What is a structure? A structure is a collection of related variables. It may contain variables of many different data types---in contrast.

C Structures What is a structure? A structure is a collection of related variables. It may contain variables of many different data types---in contrast.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Chapter 17 vector and Free Store John Keyser’s Modifications of Slides By Bjarne Stroustrup www.stroustrup.com/Programming.

Chapter 17 vector and Free Store John Keyser’s Modifications of Slides By Bjarne Stroustrup
Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.

Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.
Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.

Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Preference Elicitation Partial-revelation VCG mechanism for Combinatorial Auctions and Eliciting Non-price Preferences in Combinatorial Auctions.

Preference Elicitation Partial-revelation VCG mechanism for Combinatorial Auctions and Eliciting Non-price Preferences in Combinatorial Auctions.
Principles of programming languages 4: Parameter passing, Scope rules Department of Information Science and Engineering Isao Sasano.

Principles of programming languages 4: Parameter passing, Scope rules Department of Information Science and Engineering Isao Sasano.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
1 CS 162 Introduction to Computer Science Chapter 8 Pointers Herbert G. Mayer, PSU Status 11/20/2014.

1 CS 162 Introduction to Computer Science Chapter 8 Pointers Herbert G. Mayer, PSU Status 11/20/2014.
ECE 103 Engineering Programming Chapter 11 One Minute Synopsis Herbert G. Mayer, PSU CS Status 7/1/2014.

ECE 103 Engineering Programming Chapter 11 One Minute Synopsis Herbert G. Mayer, PSU CS Status 7/1/2014.
Program Analysis with Set Constraints Ravi Chugh.

Program Analysis with Set Constraints Ravi Chugh.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Program Analysis with Set Constraints Ravi Chugh.

Program Analysis with Set Constraints Ravi Chugh.
Dynamic Data Structures H&K Chapter 14 Instructor – Gokcen Cilingir Cpt S 121 (July 26, 2011) Washington State University.

Dynamic Data Structures H&K Chapter 14 Instructor – Gokcen Cilingir Cpt S 121 (July 26, 2011) Washington State University.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Similar presentations

Ads by Google