Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16."— Presentation transcript:

1 Pointer and Shape Analysis Seminar http://www.cs.tau.ac.il/~msagiv/courses/shape.html Mooly Sagiv Schriber 317 msagiv@post Office Hours Thursday 15-16

2 General Information Prerequisites –Compilers | Program Analysis –Select 3 topics by Sunday –Participate in 9 seminar talks –Present a paper

3 Outline 1.Schedule 2.Point-to analysis

4 Tentative Schedule 7/2Shachar ItzhakyPractical virtual method call resolution for Java 14/2Roy GanorEffective Static Race Detection for Java 17/2 13-15 Hongseok YangScalable Shape Analysis 28/2Roza PogalnikovaContext-Sensitive Points-to Analysis: Is It Worth It? 3/3Ory SamorodnitzkyThe undecidability of aliasing 14/3Alex ShapiroError detection using client driven poniter analysis 21/3Roman SimkinFree-Me: A Static Analysis for Automatic Individual Object Reclamation 28/3Uri Inon

5 Points-To Analysis Determine if a variable points to a variable at some (all) execution paths [1] p = &a; [2] q = &b; [3] if (getc()) [4] q = &c [5] p   a q   c q   b

6 Iterative Program Analysis Start by optimistically assuming that nothing is wrong –No points-to set At every iteration apply the abstract meaning of programming language statements and add more points-to pairs Stop when no changes occur

7 Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b t  a, y  b, z  c, p  y t  a, y  b, z  c t  a, y  b, z  c, p  z t  a, y  b, z  c, p  y, p  z t  a, y  b, z  c *p= t

8 Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b t  a, y  b, z  c, p  yt  a, y  b, z  c, p  z t  a, y  b, z  c, p  y, p  z *p= t t  a, y  b, z  c, p  y, p  z t  a, y  b, z  c, p  y, p  z, y  a, z  a

9 Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b t  a, y  b, z  c, p  y, p  z *p= t t  a, y  b, z  c, p  y, p  z t  a, y  b, z  c, p  y, p  z, y  a, z  a t  a, y  b, z  c, p  y, y  a, z  a t  a, y  b, z  c, p  z, y  a, z  a

10 Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b *p= t t  a, y  b, z  c, p  y, p  z, y  a, z  a t  a, y  b, z  c, p  y, y  a, z  a t  a, y  b, z  c, p  z, y  a, z  a t  a, y  b, z  c, p  y, p  z, y  a, z  a

11 A Simple Programming Language Arbitrary (uninterpreted) control flow statement Atomic statements –x = y –x = &y –x = *y –*x = y

12 Abstract Semantics For every atomic statement S  S  # : P(Var*  Var*)  P(Var*  Var*)  x := &y  # (pt) = pt – {(x, *)}  {(x, y)}  x := y  # (pt) = pt – {(x, *)}  {(x, z)| (y, z)  pt}  x := *y  # (pt) = pt – {(x, *)}  {(x, z)| (y, w), (w, z)  pt}  *x := y  # (pt) = pt  {(w, t)| (x, w), (y, t)  pt}

13 t= &a y= &b z= &c p= &yp= &z *p= t 1 2 3 4 56 7 pt[1]={} 1pt[2]={(t, a)} 2pt[3]={(t, a), (y, b)} 3pt[4]={(t, a), (y, b), (z, c){ 4pt[5]= {(t, a), (y, b), (z, c)} pt[6]= {(t, a), (y, b), (z, c)} 5pt[7]= {(t, a), (y, b), (z, c), (p, y){ 6pt[7]= {(t, a), (y, b), (z, c), (p, y), (p, z)} 7pt[4]= {(t, a), (y, b), (z, c), (p, y), (p, z)} 4pt[5]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)} pt[6]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)} 5 6

14 Supporting Memory Allocation Uniform treatment of the memory allocated at an allocation statement For every atomic statement S –  S  #: P(Var*  Var*)  P(Var*  Var*) –  x := &y  # (pt) = pt – {(x, *)}  {(x, y)} –  x := y  # (pt) = pt – {(x, *)}  {(x, z)| (y, z)  pt} –  x := *y  # (pt) = pt – {(x, *)}  {(x, z)| (y, w), (w, z)  pt} –  *x := y  #(pt) = pt  {(w, t)| (x, w), (y, t)  pt} –  l: x := malloc()  #(pt) = pt – {(x, *)}  {(x, l)}

15 Summary Flow-Sensitive Solution Limited destructive updates –Can be improved with must information O(N * Var 2 ) space

16 Context-Sensitivity How to handle procedures Separate points-to sets for every call A uniform set for all calls

17 Context Sensitivity Example x = &t1; a = &t2; foo(x, a); z = &t3; b = &t4; foo(z, b); void foo(source, target) { *source = target; }

18 Flow-Insensitive Analysis Ignore control flow statements Arbitrary statement order Only accumulate Points-to Usually represented as a directed graph O(n 2 ) space

19 Flow Insensitive Solution t= &a y= &b z= &c p= &yp= &z *p= t

20 Set Constraints A set of rules of the form: –lhs  rhs –t  rhs’  lhs  rhs (conditional constraint) lhs, rhs, rhs’ are variables over sets of terms t is a term The least solution can be found iteratively –start with empty sets –add terms when needed Cubic graph based solution

21 t := &a; {a}  pt[t] y := &b; {b}  pt[y] z := &c; {c}  pt[z] if (nondet()) p:= &y; {y}  pt[p] else p:= &z; {z}  pt[p] *p := t; a  pt[p]  pt[t]  pt[a] b  pt[p]  pt[t]  pt[b] c  pt[p]  pt[t]  pt[c] y  pt[p]  pt[t]  pt[y] z  pt[p]  pt[t]  pt[z] t  pt[p]  pt[t]  pt[t] p  pt[p]  pt[t]  pt[p] tyz abc p

22 Unification Based Solution Steengard 1996 Treat assignments as equalities Employ union-find algorithm Almost linear time complexity

23 Conclusions Points-to analysis is a simple pointer analysis problem Effective solutions (8MLoc) But rather imprecise Set constraints are useful beyond pointer analysis –Class level analysis

Download ppt "Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16."

Similar presentations

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.

Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.

1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
Static Data Race detection for Concurrent Programs with Asynchronous Calls Presenter: M. Amin Alipour Software Design Laboratory

Static Data Race detection for Concurrent Programs with Asynchronous Calls Presenter: M. Amin Alipour Software Design Laboratory
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Interprocedural analysis © Marcelo d’Amorim 2010.

Interprocedural analysis © Marcelo d’Amorim 2010.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel.

Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel.
Interprocedural pointer analysis for C We’ll look at Wilson & Lam PLDI 95, and focus on two problems solved by this paper: –how to represent pointer information.

Interprocedural pointer analysis for C We’ll look at Wilson & Lam PLDI 95, and focus on two problems solved by this paper: –how to represent pointer information.
Flow insensitivity and imprecision If you ignore flow, then you lose precision. main() { x := &y;... x := &z; } Flow insensitive analysis tells us that.

Flow insensitivity and imprecision If you ignore flow, then you lose precision. main() { x := &y;... x := &z; } Flow insensitive analysis tells us that.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://

Similar presentations

Ads by Google