Download presentation
Presentation is loading. Please wait.
1
1 Control Flow Analysis Mooly Sagiv http://www.math.tau.ac.il/~sagiv/courses/pa01.html Tel Aviv University 640-6706 Textbook Chapter 3 http://www.cs.berkeley.edu/Research/~Aiken/bane.html http://www.cs.washington.edu/research/projects/cecil Assign 3 (11/7)
2
2 Goals u Understand the problem of Control Flow Analysis –in Functional Languages –In Object Oriented Languages –Function Pointers u Learn Constraint Based Program Analysis Technique –General –Usage for Control Flow Analysis –Algorithms –Systems u Similarities between Problems &Techniques
3
3 Outline u A Motivating Example (OO) u The Control Flow Analysis Problem u Set Constraints u Solving Constraints u Adding Dataflow information u Adding Context Information u Back to the Motivating Example
4
4 A Motivating Example class Vehicle Object { int position = 10; void move (int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(Vehicle v) { if (v.position < position) then v.move(position - v.position); else this.move(10); }} class Truck extends Vehicle { void move(int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(60); v1.move(70); c.await(t) ;}
5
5 A Motivating Example class Vehicle Object { int position = 10; static void move (Vehicle this1 {Car}, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car this2 {Car}, Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }} class Truck extends Vehicle { static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;}
6
6 The Control Flow Analysis (CFA) Problem u Given a program in a functional programming language with higher order functions (functions can serve as parameters and return values) u Find out for each function invocation which functions may be applied u Obvious in C without function pointers u Difficult in C++, Java and ML u The Dynamic Dispatch Problem
7
7 An ML Example let f = fn x => x 1 ; g = fn y => y + 2 ; h = fn z => z + 3; in (f g) + (f h)
8
8 An ML Example let f = fn x => /* {g, h} */ x 1 ; g = fn y => y + 2 ; h = fn z => z + 3; in (f g) + (f h)
9
9 The Language FUN u Notations –e Exp // expressions (or labeled terms) –t Term // terms (or unlabeled terms) –f, x Var // variables –c Const // Constants –op Op // Binary operators –l Lab // Labels u Abstract Syntax –e ::= t l –t ::= c | x | fn x e // function definition | fun f x e // recursive function definition | e 1 e 2 // function applications | if e 0 then e 1 else e 2 | let x = e 1 in e 2 | e 1 op e 2
10
10 A Simple Example ((fn x x 1 ) 2 (fn y y 3 ) 4 ) 5
11
11 Factorial (let fact = fun f n (if (n = 0) 1 then 1 2 else ((n 3 * (f 4 (n 5 – 1 6 ) 7 ) 8 ) 9 ) 10
12
12 An Example which Always Loops (let g = fun f x (f 1 (fn y y 2 ) 3 ) 4 ) 5 (g 6 (fn z z 7 ) 8 ) 9 ) 10
13
13 The 0-CFA Problem u Control flow analysis without contexts u Compute for every program a pair (C, ) where: –C is the abstract cache associating abstract values with labeled program points – is the abstract environment associating abstract values with program variables u Abstract Values –v Val = P(Term) // Abstract values – Env = Var Val // Abstract environment –C Cache =Lab Val // Abstract Cache –For function application (t 1 l1 t 2 l2 ) l C(l1) determines the function that can be applied –Formally …
14
14 Possible Solutions for ((fn x x 1 ) 2 (fn y y 3 ) 4 ) 5
15
15 (let g = fun f x (f 1 (fn y y 2 ) 3 ) 4 ) 5 (g 6 (fn z z 7 ) 8 ) 9 Shorthands sf fun f x (f 1 (fn y y 2 ) 3 ) 4 id y fn y y 2 id z fn z z 7 C(1) = {sf} C(2) = {}C(3) = {id y } C(4) = {} C(5) = {sf}C(6) = {sf} C(7) = {}C(8) = {id z }C(9) = {} C(10) = {} (x) = {id y, id z } (y) = {} (z) = {}
16
16 Relationship to Dataflow Analysis u Expressions are side effect free –no entry/exit u A single environment u Represents information at different points via maps u A single value for all occurrences of a variable u Function applications act similar to assignments –“Definition” - Function abstraction is created –“Use”- Function is applied
17
17 A Formal Specification of 0-CFA u A Boolean function define when a solution is acceptable u (C, ) e means that (C, ) is acceptable for the expression e u Define by structural induction on e u Every function is analyzed once u Every acceptable solution is sound (conservative) u Many acceptable solutions u Generate a set of constraints u Obtain the least acceptable solution by solving the constraints
18
18 Solving 0-CFA (1) u Define a concrete semantics u Define a Galois connection between the concrete and the abstract semantics u Define abstract meaning for statements u Show local soundness u Implement Chaotic iterations
19
19 Solving 0-CFA (2) u Generate a system of set of constraints –lhs rhs –{t} rhs’ lhs rhs (conditional constraint) u Show that any solution to the set of constraints is sound u Find the minimal solution u Systems for finding the minimal solution exist u Applicable to different programming languages
20
20 Set Constraints u A set of rules of the form: –lhs rhs –{t} rhs’ lhs rhs (conditional constraint) –lhs, rhs, rhs’ are »terms »C(l) » (x) u The least solution (C, ) can be found iteratively –start with empty sets –add terms when needed u Efficient cubic graph based solution
21
21 Syntax Directed Constraint Generation (Part I) C * c l = {} C * x l = {r (x) C (l)} C * (fn x e) l = C * e { {fn x e} C(l)} C * (fun f x e) l = C * e { {fun f x e} C(l)} {{fun f x e} r( f)} C * (t 1 l1 t 2 l2 ) l = C * t 1 l1 C * t 2 l2 {{t} C(l) C (l2) r (x) | t=fn x t 0 l0 Term * } {{t} C(l) C (l0) C (l) | t=fn x t 0 l0 Term * } {{t} C(l) C (l2) r (x) | t=fun x t 0 l0 Term * } {{t} C(l) C (l0) C (l) | t=fun x t 0 l0 Term * }
22
22 Syntax Directed Constraint Generation (Part II) C * (if t 0 l0 then t 1 l1 else t 2 l2 ) l = C * t 0 l0 C * t 1 l1 C * t 2 l2 {C(l1) C (l)} {C(l2) C (l)} C * (let x = t 1 l1 in t 2 l2 ) l = C * t 1 l1 C * t 2 l2 {C(l1) r (x)} {C(l2) C(l)} C * (t 1 l1 op t 2 l2 ) l = C * t 1 l1 C * t 2 l2
23
23 Set Constraints for ((fn x x 1 ) 2 (fn y y 3 ) 4 ) 5
24
24 Iterative Solution to the Set Constraints for ((fn x x 1 ) 2 (fn y y 3 ) 4 ) 5
25
25 Graph Based Solution to Constraint Systems u Construct a directed graph –Nodes »Set variables –Edges »u v u The set variable v may depend on u u Iteratively traverse the graph –Every operation adds a term –Must terminate u Read the solution from the graph
26
26 The Constraint Graph for 0-CFA u Nodes –C(l) –r(x) u Edges –p1 p2 »Construct p1 p2 –{t} p p1 p2 »Construct p1 p2 »Construct p p2 u Dependencies –D[v] »The set of terms that must be included in v
27
27 WL := For all nodes v: D[v] := E[v] := For all constraints c: case c {t} p: add(p, {t}) case c p1 p2: E[p1] := E[p1] {c} case c={t} p p1 p2 E[p] := E[p] {c} E[p1] := E[p1] {c} procedure add(q, s) if (s D(q)) then D[q] : = D[q] s WL := WL {q} while WL do select and remove an element v from WL for all c E[v] do case c p1 p2: add(p2, D[p1]) case c={t} p p1 p2 if t D[p] then add(p2, D[p1])
28
28 Adding Data Flow Information u Dataflow values can affect control flow analysis u Example (let f = (fn x (if (x 1 > 0 2 ) 3 then (fn y y 4 ) 5 else (fn z 5 6 ) 7 ) 8 ) 9 in ((f 10 3 11 ) 12 0 13 ) 14 ) 15
29
29 Adding Data Flow Information u Add a finite set of “abstract” values per program Data u Update Val = P(Term Data) – Env = Var Val // Abstract environment –C Cache - Lab Val // Abstract Cache u Generate extra constraints for data u Obtained a more precise solution u A special of case of product domain (4.4) u The combination of two analyses may be more precise than both u For some programs may even be more efficient
30
30 Adding Dataflow Information (Sign Analysis) u Sign analysis u Add a finite set of “abstract” values per program Data = {P, N, TT, FF} u Update Val = P(Term Data) u d c is the abstract value that represents a constant c – d 3 = {p} –d -7 = {n} –d true = {tt} –d false = {ff} u Every operator is conservatively interpreted
31
31 Syntax Directed Constraint Generation (Part I) C * c l = d c C (l)} C * x l = {r (x) C (l)} C * (fn x e) l = C * e { {fn x e} C(l)} C * (fun f x e) l = C * e { {fun f x e} C(l)} {{fun f x e} r( f)} C * (t 1 l1 t 2 l2 ) l = C * t 1 l1 C * t 2 l2 {{t} C(l) C (l2) r (x) | t=fn x t 0 l0 Term * } {{t} C(l) C (l0) C (l) | t=fn x t 0 l0 Term * } {{t} C(l) C (l2) r (x) | t=fun x t 0 l0 Term * } {{t} C(l) C (l0) C (l) | t=fun x t 0 l0 Term * }
32
32 Syntax Directed Constraint Generation (Part II) C * (if t 0 l0 then t 1 l1 else t 2 l2 ) l = C * t 0 l0 C * t 1 l1 C * t 2 l2 {d t C (l0) C(l1) C (l)} {d f C (l0) C(l2) C (l)} C * (let x = t 1 l1 in t 2 l2 ) l = C * t 1 l1 C * t 2 l2 {C(l1) r (x)} {C(l2) C(l)} C * (t 1 l1 op t 2 l2 ) l = C * t 1 l1 C * t 2 l2 {C(l1) op C(l2) C(l)}
33
33 Adding Context Information u The analysis does not distinguish between different occurrences of a variable (Monovariant analysis) u Example (let f = (fn x x 1 ) 2 in ((f 3 f 4 ) 5 (fn y y 6 ) 7 ) 8 ) 9 u Source to source can help (but may lead to code explosion) u Example rewritten let f1 = fn x1 x1 in let f2 = fn x2 x2 in (f1 f2) (fn y y )
34
34 Simplified K-CFA u Records the last k dynamic calls (for some fixed k) u Similar to the call string approach u Remember the context in which expression is evaluated u Val is now P(Term) Contexts – Env = Var Contexts Val –C Cache - Lab Contexts Val
35
35 1-CFA u (let f = (fn x x 1 ) 2 in ((f 3 f 4 ) 5 (fn y y 6 ) 7 ) 8 ) 9 u Contexts – [] - The empty context –[5] The application at label 5 –[8] The application at label 8 u Polyvariant Control Flow C(1, [5]) = (x, 5)= C(2, []) = C(3, []) = (f, []) = ({(fn x x 1 )}, [] ) C(1, [8]) = (x, 8)= C(7, []) = C(8, []) = C(9, []) = ({(fn y y 6 )}, [] )
36
36 A Motivating Example class Vehicle Object { int position = 10; static void move (Vehicle this1 {Car}, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car this2 {Car}, Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }} class Truck extends Vehicle { static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;}
37
37 class Vehicle Object { int position = 10; static void move (Vehicle t1, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car t2, Vehicle v) { if (v.position < position) then v.move(v, position - v.position); else t2.move(t2, 10); }} class Truck extends Vehicle { static void move(Truck t3, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;} {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2)
38
38 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t
39
39 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t
40
40 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t
41
41 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t
42
42 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t
43
43 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t
44
44 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t
45
45 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t
46
46 {V} cl(v) cl(v) cl(t1) {T} cl(v) cl(v) cl(t3) {C} cl(v) cl(v) cl(t1) {C} cl(t2) cl(t2) cl(t1) {C} cl(c) {T} cl(t) cl(c) cl(v1) {C} cl(c) cl(c) cl(t1) {V} cl(v1) cl(v1) cl(t1) {T} cl(v1) cl(v1) cl(t3) {C} cl(v1) cl(v1) cl(t1) {C} cl(c) cl(t) cl(v) {C} cl(c) cl(c) cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) c t c c c t t
47
47 A Motivating Example class Vehicle Object { int position = 10; static void move (Vehicle this1 {Car}, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car this2 {Car}, Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }} class Truck extends Vehicle { static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;}
48
48 Missing Material u Efficient Cubic Solution to Set Constraints www.cs.berkeley.edu/Research/Aiken/bane.html u Experimental results for OO www.cs.washington.edu/research/projects/cecil u Operational Semantics for FUN (3.2.1) u Defining acceptability of set constraints u Using general lattices as Dataflow values instead of powersets (3.5.2) u Lower-bounds –Decidability of JOP –Polynomiality
49
49 Conclusions u Set constraints are quite useful –A Uniform syntax –Can even deal with pointers u But semantic foundation is still based on abstract interpretation u Techniques used in functional and imperative (OO) programming are similar u Control and data flow analysis are related
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.