Presentation is loading. Please wait.

Presentation is loading. Please wait.

Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability Jakob Rehof and Manuel Fähndrich Microsoft Research.

Published byGraham Pressey Modified over 9 years ago

Similar presentations

Presentation on theme: "Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability Jakob Rehof and Manuel Fähndrich Microsoft Research."— Presentation transcript:

1 Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability Jakob Rehof and Manuel Fähndrich Microsoft Research

2 Type-Based Program Analysis Common vocabulary Data access paths Function summary Context-sensitivity Directional flow Type-based Type structure (  ) Function type (->) Type instantiation, polymorphism (  ) Subtyping (  )

3 +CS -DI ( ,=) +CS +DI GOAL: Scaleable Flow Analysis of H.O. Programs w. Polymorphic Subtyping -CS +DI (=,  ) +CS +DI ( ,  ) Precision and Cost -CS -DI (=,=) Type-based Higher-order Context-sensitive (CS) Directional (DI)

4 Outline Goals Problems and Results Current Flow Analysis w.  +  Our Solution Summary

5 Current Method (  ) Polymorphism by copying types (  ) Subtyping by constrained types (  +  )  constraint copying

6 Problems w. Current Method Constraint copying is expensive (memory) Constraint simplification is hard Previous algorithm (Mossin) No on-demand algorithms (n = size of type-annotated program)

7 Results No constraint copying On-demand queries All flow in

8 Outline Goals Problems and Results Current Flow Analysis w.  +  Our Solution Summary

9 Current Flow Analysis w.  +  (Mossin) max(s,t) = if s<=t then t else s real * real -> real standard type

10 Current Flow Analysis w.  +  max(s:a,t:b) = (if s<=t then t else s) :c {a  c, b  c} => real:a * real:b -> real:c analysis type subtyping constraints flow label

11 Current Flow Analysis w.  +  max(s:a,t:b) = (if s<=t then t else s) :c {a  c, b  c} => real:a * real:b -> real:c

12 max(s:a,t:b) : {a  c, b  c} => real:a * real:b -> real:c max(x0,y0) max(x1,y1) Current Flow Analysis w.  + 

13 max(s:a,t:b) : {a  c, b  c} => real:a * real:b -> real:c max(x0:a0,y0:b0):c0 max(x1:a1,y1:b1):c1 {a0  c0,b0  c0}=>c0

14 max(s:a,t:b) : {a  c, b  c} => real:a * real:b -> real:c max(x0:a0,y0:b0):c0 max(x1:a1,y1:b1):c1 {a0  c0,b0  c0}=>c0 {a1  c1,b1  c1}=>c1 Current Flow Analysis w.  + 

15 with and

16 Without Subtyping: norm(x,y ) = let m = max(x,y) in scale(x,y,m) end; scale(z,w,n) = (z/n,w/n) max(s:a,t:a) = if s<=t then t else s real:a * real:a -> real:a  :a’

17 Without Subtyping: norm(x:a’,y:a’) = let m = max(x,y) in scale(x,y,m) end; scale(z,w,n) = (z/n,w/n) max(s:a,t:a) = if s<=t then t else s real:a * real:a -> real:a 

18 Outline Goals Problems and Results Current Flow Analysis w.  +  Our Solution Summary

19 Flow Analysis Overview Source Code Type Instantiation Graph Flow Graph A B Type Inference

20 Flow Analysis Overview Source Code Type Instantiation Graph Flow Graph A B Type Inference CFL- Reachability Polymorphic Subtyping

21 Eliminating constraint copies max(s:a,t:b) : {a  c, b  c} => real:a * real:b -> real:c max(x0:a0,y0:b0):c0 max(x1:a1,y1:b1):c1 {a0  c0, b0  c0} => real:a0 * real:b0 -> real:c0 {a1  c1, b1  c1} => real:a1 * real:b1 -> real:c1

22 1. Get a graph max(s:a,t:b) : real:a * real:b -> real:c max(x0:a0,y0:b0):c0 max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1

23 2. Label instantiation sites max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1

24 3. Represent substitutions max(s:a,t:b) : real:a * real:b -> real:c a a0 a a1 b b0 b b1 c c0 c c1 i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1

25 3.a. … as a graph max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i

26 3.a. … as a graph max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j

27 4. Eliminate constraint copies ! max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j

28 ? ? ? max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j

29 Type Theory to the Rescue ! Polarity (+,-) ->    - + + - - + +

30 5. Polarities (+,-) max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j - - - - + +

31 6. Reverse negative edges max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j - - - - + +

32 7. Recover flow max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j - - - - + +

33 7. Recover flow max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j - - - - + +

34 7. Recover flow max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j - - - - + +

35 8. Be careful ! max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 i i i j j j - - - - + + Spurious !

36 9. Do CFL-reachability max(s:a,t:b) : real:a * real:b -> real:c i: max(x0:a0,y0:b0):c0 j: max(x1:a1,y1:b1):c1 real:a0 * real:b0 -> real:c0 real:a1 * real:b1 -> real:c1 [i ]i [j ]j M  [k M ]k d d CFG

37 Further Issues Polymorphic type structure Recursive type structure –context-sensitive data-dependence analysis is uncomputable [Reps 00] –our techniques require finite types –regular unbounded data types handled via finite approximations: recursive type expressions

38 One-level implementation GOLF analysis system for C by Manuvir Das (MSR) and Ben Liblit (Berkeley) Exhaustive points-to sets for MS Word 97, 1.4 Mloc, in 2 minutes

39 Outline Goals Problems and Results Current Flow Analysis w.  +  Our Solution Summary

40 Elimination of constraint copying Reformulation of polymorphic subtyping with instantiation constraints Transfer of CFL-reachability techniques to type-based flow analysis

41 Scaleable Program Analysis Project (MSR, spt ) +CS -DI ( ,=) -CS +DI (=,  ) +CS +DI ( ,  ) -CS -DI (=,=) [ RF, POPL 01 ] [ Das, PLDI 00 ] [ FRD, PLDI 00 ] research.microsoft.com/spa

42 Summary Type-based flow analysis –all flow in, n = typed pgm size –context-sensitive (polymorphism) –directional (subtyping) –demand-driven algorithm –incorporates label-polymorphic recursion –works directly on H.O. programs –structured data of finite type –unbounded data structures via approx.

43 CFL Formulation S  P N P  M P | [ P |  N  M N | ] N |  M  [k M ]k | M M | d | 

44 Type System e = let max(s:a,t:b) = … in (max(x0:a0,y0:b0), max(x1:a1,y1:b1)) end a a0, b b0, c c0, a a1, b b1, c c1 a  cb  ca  cb  c  |-; ; e : c0*c1

45 Type System e = let max(s:a,t:b) = … in (max(x0:a0,y0:b0), max(x1:a1,y1:b1)) end a a0, b b0, c c0, a a1, b b1, c c1 a  cb  ca  cb  c  |-; ; e : c0*c1 instantiation constraints subtyping constraints type environment

Download ppt "Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability Jakob Rehof and Manuel Fähndrich Microsoft Research."

Similar presentations

Solve the system of inequalities by graphing. x ≤ – 2 y > 3

Solve the system of inequalities by graphing. x ≤ – 2 y > 3
R O O T S Field-Sensitive Points-to-Analysis Eda GÜNGÖR

R O O T S Field-Sensitive Points-to-Analysis Eda GÜNGÖR
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
SDN Controller Challenges

SDN Controller Challenges
Lecture 11: Code Optimization CS 540 George Mason University.

Lecture 11: Code Optimization CS 540 George Mason University.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An
1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.

1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.
B Multi-Layer Network Design II Dr. Greg Bernstein Grotto Networking www.grotto-networking.com.

B Multi-Layer Network Design II Dr. Greg Bernstein Grotto Networking
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.

Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January 2009 1 Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.

Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.
Introduction to Markov Random Fields and Graph Cuts Simon Prince

Introduction to Markov Random Fields and Graph Cuts Simon Prince
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Approximate Counting via Correlation Decay Pinyan Lu Microsoft Research.

Approximate Counting via Correlation Decay Pinyan Lu Microsoft Research.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
1 Constraint Problems in Program Analysis from the sublime to the ridiculous Alex Aiken Stanford University.

1 Constraint Problems in Program Analysis from the sublime to the ridiculous Alex Aiken Stanford University.

Similar presentations

Ads by Google