Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

Similar presentations


Presentation on theme: "1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3"— Presentation transcript:

1 1 Control Flow Analysis Mooly Sagiv http://www.math.tau.ac.il/~sagiv/courses/pa01.html Tel Aviv University 640-6706 Textbook Chapter 3 http://www.cs.berkeley.edu/Research/~Aiken/bane.html http://www.cs.washington.edu/research/projects/cecil Assign 3 (11/7)

2 2 Goals u Understand the problem of Control Flow Analysis –in Functional Languages –In Object Oriented Languages –Function Pointers u Learn Constraint Based Program Analysis Technique –General –Usage for Control Flow Analysis –Algorithms –Systems u Similarities between Problems &Techniques

3 3 Outline u A Motivating Example (OO) u The Control Flow Analysis Problem u Set Constraints u Solving Constraints u Adding Dataflow information u Adding Context Information u Back to the Motivating Example

4 4 A Motivating Example class Vehicle Object { int position = 10; void move (int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; void await(Vehicle v) { if (v.position < position) then v.move(position - v.position); else this.move(10); }} class Truck extends Vehicle { void move(int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(60); v1.move(70); c.await(t) ;}

5 5 A Motivating Example class Vehicle Object { int position = 10; static void move (Vehicle this1 {Car}, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car this2 {Car}, Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }} class Truck extends Vehicle { static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;}

6 6 The Control Flow Analysis (CFA) Problem u Given a program in a functional programming language with higher order functions (functions can serve as parameters and return values) u Find out for each function invocation which functions may be applied u Obvious in C without function pointers u Difficult in C++, Java and ML u The Dynamic Dispatch Problem

7 7 An ML Example let f = fn x => x 1 ; g = fn y => y + 2 ; h = fn z => z + 3; in (f g) + (f h)

8 8 An ML Example let f = fn x => /* {g, h} */ x 1 ; g = fn y => y + 2 ; h = fn z => z + 3; in (f g) + (f h)

9 9 The Language FUN u Notations –e  Exp // expressions (or labeled terms) –t  Term // terms (or unlabeled terms) –f, x  Var // variables –c  Const // Constants –op  Op // Binary operators –l  Lab // Labels u Abstract Syntax –e ::= t l –t ::= c | x | fn x  e // function definition | fun f x  e // recursive function definition | e 1 e 2 // function applications | if e 0 then e 1 else e 2 | let x = e 1 in e 2 | e 1 op e 2

10 10 A Simple Example ((fn x  x 1 ) 2 (fn y  y 3 ) 4 ) 5

11 11 Factorial (let fact = fun f n  (if (n = 0) 1 then 1 2 else ((n 3 * (f 4 (n 5 – 1 6 ) 7 ) 8 ) 9 ) 10

12 12 An Example which Always Loops (let g = fun f x  (f 1 (fn y  y 2 ) 3 ) 4 ) 5 (g 6 (fn z  z 7 ) 8 ) 9 ) 10

13 13 The 0-CFA Problem u Control flow analysis without contexts u Compute for every program a pair (C,  ) where: –C is the abstract cache associating abstract values with labeled program points –  is the abstract environment associating abstract values with program variables u Abstract Values –v  Val = P(Term) // Abstract values –   Env = Var  Val // Abstract environment –C  Cache =Lab  Val // Abstract Cache –For function application (t 1 l1 t 2 l2 ) l C(l1) determines the function that can be applied –Formally …

14 14 Possible Solutions for ((fn x  x 1 ) 2 (fn y  y 3 ) 4 ) 5

15 15 (let g = fun f x  (f 1 (fn y  y 2 ) 3 ) 4 ) 5 (g 6 (fn z  z 7 ) 8 ) 9 Shorthands sf  fun f x  (f 1 (fn y  y 2 ) 3 ) 4 id y  fn y  y 2 id z  fn z  z 7 C(1) = {sf} C(2) = {}C(3) = {id y } C(4) = {} C(5) = {sf}C(6) = {sf} C(7) = {}C(8) = {id z }C(9) = {} C(10) = {}  (x) = {id y, id z }  (y) = {}  (z) = {}

16 16 Relationship to Dataflow Analysis u Expressions are side effect free –no entry/exit u A single environment u Represents information at different points via maps u A single value for all occurrences of a variable u Function applications act similar to assignments –“Definition” - Function abstraction is created –“Use”- Function is applied

17 17 A Formal Specification of 0-CFA u A Boolean function  define when a solution is acceptable u (C,  )  e means that (C,  ) is acceptable for the expression e u Define  by structural induction on e u Every function is analyzed once u Every acceptable solution is sound (conservative) u Many acceptable solutions u Generate a set of constraints u Obtain the least acceptable solution by solving the constraints

18 18 Solving 0-CFA (1) u Define a concrete semantics u Define a Galois connection between the concrete and the abstract semantics u Define abstract meaning for statements u Show local soundness u Implement Chaotic iterations

19 19 Solving 0-CFA (2) u Generate a system of set of constraints –lhs  rhs –{t}  rhs’  lhs  rhs (conditional constraint) u Show that any solution to the set of constraints is sound u Find the minimal solution u Systems for finding the minimal solution exist u Applicable to different programming languages

20 20 Set Constraints u A set of rules of the form: –lhs  rhs –{t}  rhs’  lhs  rhs (conditional constraint) –lhs, rhs, rhs’ are »terms »C(l) »  (x) u The least solution (C,  ) can be found iteratively –start with empty sets –add terms when needed u Efficient cubic graph based solution

21 21 Syntax Directed Constraint Generation (Part I) C *  c l  = {} C *  x l  = {r (x)  C (l)} C *  (fn x  e) l  = C *  e   { {fn x  e}  C(l)} C *  (fun f x  e) l  = C *  e   { {fun f x  e}  C(l)}  {{fun f x  e}  r( f)} C *  (t 1 l1 t 2 l2 ) l  = C *  t 1 l1   C *  t 2 l2   {{t}  C(l)  C (l2)  r (x) | t=fn x  t 0 l0  Term * }  {{t}  C(l)  C (l0)  C (l) | t=fn x  t 0 l0  Term * }  {{t}  C(l)  C (l2)  r (x) | t=fun x  t 0 l0  Term * }  {{t}  C(l)  C (l0)  C (l) | t=fun x  t 0 l0  Term * }

22 22 Syntax Directed Constraint Generation (Part II) C *  (if t 0 l0 then t 1 l1 else t 2 l2 ) l  = C *  t 0 l0   C *  t 1 l1   C *  t 2 l2   {C(l1)  C (l)}  {C(l2)  C (l)} C *  (let x = t 1 l1 in t 2 l2 ) l  = C *  t 1 l1   C *  t 2 l2   {C(l1)  r (x)}  {C(l2)  C(l)} C *  (t 1 l1 op t 2 l2 ) l  = C *  t 1 l1   C *  t 2 l2 

23 23 Set Constraints for ((fn x  x 1 ) 2 (fn y  y 3 ) 4 ) 5

24 24 Iterative Solution to the Set Constraints for ((fn x  x 1 ) 2 (fn y  y 3 ) 4 ) 5

25 25 Graph Based Solution to Constraint Systems u Construct a directed graph –Nodes »Set variables –Edges »u  v u The set variable v may depend on u u Iteratively traverse the graph –Every operation adds a term –Must terminate u Read the solution from the graph

26 26 The Constraint Graph for 0-CFA u Nodes –C(l) –r(x) u Edges –p1  p2 »Construct p1  p2 –{t}  p  p1  p2 »Construct p1  p2 »Construct p  p2 u Dependencies –D[v] »The set of terms that must be included in v

27 27 WL :=  For all nodes v: D[v] :=  E[v] :=  For all constraints c: case c  {t}  p: add(p, {t}) case c  p1  p2: E[p1] := E[p1]  {c} case c={t}  p  p1  p2 E[p] := E[p]  {c} E[p1] := E[p1]  {c} procedure add(q, s) if (s  D(q)) then D[q] : = D[q]  s WL := WL  {q} while WL  do select and remove an element v from WL for all c  E[v] do case c  p1  p2: add(p2, D[p1]) case c={t}  p  p1  p2 if t  D[p] then add(p2, D[p1])

28 28 Adding Data Flow Information u Dataflow values can affect control flow analysis u Example (let f = (fn x  (if (x 1 > 0 2 ) 3 then (fn y  y 4 ) 5 else (fn z  5 6 ) 7 ) 8 ) 9 in ((f 10 3 11 ) 12 0 13 ) 14 ) 15

29 29 Adding Data Flow Information u Add a finite set of “abstract” values per program Data u Update Val = P(Term  Data) –   Env = Var  Val // Abstract environment –C  Cache - Lab  Val // Abstract Cache u Generate extra constraints for data u Obtained a more precise solution u A special of case of product domain (4.4) u The combination of two analyses may be more precise than both u For some programs may even be more efficient

30 30 Adding Dataflow Information (Sign Analysis) u Sign analysis u Add a finite set of “abstract” values per program Data = {P, N, TT, FF} u Update Val = P(Term  Data) u d c is the abstract value that represents a constant c – d 3 = {p} –d -7 = {n} –d true = {tt} –d false = {ff} u Every operator is conservatively interpreted

31 31 Syntax Directed Constraint Generation (Part I) C *  c l  = d c  C (l)} C *  x l  = {r (x)  C (l)} C *  (fn x  e) l  = C *  e   { {fn x  e}  C(l)} C *  (fun f x  e) l  = C *  e   { {fun f x  e}  C(l)}  {{fun f x  e}  r( f)} C *  (t 1 l1 t 2 l2 ) l  = C *  t 1 l1   C *  t 2 l2   {{t}  C(l)  C (l2)  r (x) | t=fn x  t 0 l0  Term * }  {{t}  C(l)  C (l0)  C (l) | t=fn x  t 0 l0  Term * }  {{t}  C(l)  C (l2)  r (x) | t=fun x  t 0 l0  Term * }  {{t}  C(l)  C (l0)  C (l) | t=fun x  t 0 l0  Term * }

32 32 Syntax Directed Constraint Generation (Part II) C *  (if t 0 l0 then t 1 l1 else t 2 l2 ) l  = C *  t 0 l0   C *  t 1 l1   C *  t 2 l2   {d t  C (l0)  C(l1)  C (l)}  {d f  C (l0)  C(l2)  C (l)} C *  (let x = t 1 l1 in t 2 l2 ) l  = C *  t 1 l1   C *  t 2 l2   {C(l1)  r (x)}  {C(l2)  C(l)} C *  (t 1 l1 op t 2 l2 ) l  = C *  t 1 l1   C *  t 2 l2   {C(l1) op C(l2)  C(l)}

33 33 Adding Context Information u The analysis does not distinguish between different occurrences of a variable (Monovariant analysis) u Example (let f = (fn x  x 1 ) 2 in ((f 3 f 4 ) 5 (fn y  y 6 ) 7 ) 8 ) 9 u Source to source can help (but may lead to code explosion) u Example rewritten let f1 = fn x1  x1 in let f2 = fn x2  x2 in (f1 f2) (fn y  y )

34 34 Simplified K-CFA u Records the last k dynamic calls (for some fixed k) u Similar to the call string approach u Remember the context in which expression is evaluated u Val is now P(Term)  Contexts –   Env = Var  Contexts  Val –C  Cache - Lab  Contexts  Val

35 35 1-CFA u (let f = (fn x  x 1 ) 2 in ((f 3 f 4 ) 5 (fn y  y 6 ) 7 ) 8 ) 9 u Contexts – [] - The empty context –[5] The application at label 5 –[8] The application at label 8 u Polyvariant Control Flow C(1, [5]) =  (x, 5)= C(2, []) = C(3, []) =  (f, []) = ({(fn x  x 1 )}, [] ) C(1, [8]) =  (x, 8)= C(7, []) = C(8, []) = C(9, []) = ({(fn y  y 6 )}, [] )

36 36 A Motivating Example class Vehicle Object { int position = 10; static void move (Vehicle this1 {Car}, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car this2 {Car}, Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }} class Truck extends Vehicle { static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;}

37 37 class Vehicle Object { int position = 10; static void move (Vehicle t1, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car t2, Vehicle v) { if (v.position < position) then v.move(v, position - v.position); else t2.move(t2, 10); }} class Truck extends Vehicle { static void move(Truck t3, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;} {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2)

38 38 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t

39 39 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t

40 40 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t

41 41 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t

42 42 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t

43 43 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t

44 44 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t

45 45 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) WL c t c c c t t

46 46 {V}  cl(v)  cl(v)  cl(t1) {T}  cl(v)  cl(v)  cl(t3) {C}  cl(v)  cl(v)  cl(t1) {C}  cl(t2)  cl(t2)  cl(t1) {C}  cl(c) {T}  cl(t) cl(c)  cl(v1) {C}  cl(c)  cl(c)  cl(t1) {V}  cl(v1)  cl(v1)  cl(t1) {T}  cl(v1)  cl(v1)  cl(t3) {C}  cl(v1)  cl(v1)  cl(t1) {C}  cl(c)  cl(t)  cl(v) {C}  cl(c)  cl(c)  cl(t2) cl(c) cl(t1) cl(t2) cl(t3) cl(v) cl(t) cl(v1) c t c c c t t

47 47 A Motivating Example class Vehicle Object { int position = 10; static void move (Vehicle this1 {Car}, int x1) { position = position + x1 ;}} class Car extends Vehicle { int passengers; static void await(Car this2 {Car}, Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }} class Truck extends Vehicle { static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }} void main { Car c; Truck t; Vehicle v1; new c; new t; v1 := c; c.passangers := 2; c.move(c, 60); v1.move(v1, 70); c.await(c, t) ;}

48 48 Missing Material u Efficient Cubic Solution to Set Constraints www.cs.berkeley.edu/Research/Aiken/bane.html u Experimental results for OO www.cs.washington.edu/research/projects/cecil u Operational Semantics for FUN (3.2.1) u Defining acceptability of set constraints u Using general lattices as Dataflow values instead of powersets (3.5.2) u Lower-bounds –Decidability of JOP –Polynomiality

49 49 Conclusions u Set constraints are quite useful –A Uniform syntax –Can even deal with pointers u But semantic foundation is still based on abstract interpretation u Techniques used in functional and imperative (OO) programming are similar u Control and data flow analysis are related


Download ppt "1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3"

Similar presentations


Ads by Google