Presentation is loading. Please wait.

Presentation is loading. Please wait.

MrFlow: Why MrSpidey Failed Philippe Meunier Paul Steckler.

Published byKristian Dickerson Modified over 9 years ago

Similar presentations

Presentation on theme: "MrFlow: Why MrSpidey Failed Philippe Meunier Paul Steckler."— Presentation transcript:

1 MrFlow: Why MrSpidey Failed Philippe Meunier Paul Steckler

2 Value-flow Analysis Which values might an expression produce at run-time ? Where do they come from ? Useful for –debugging –optimization –security –soft-typing –etc… MrSpidey

3 From MrSpidey to MrFlow MrSpidey’s selector-based analysis framework is overly conservative Framework can be extended, but resulting analysis very slow Conditional-constraint-based framework gives faster analysis, results just as good Can be extended to support full language  MrFlow

4 Languages Lambda calculus (for a start): V = c | ( x. E) | (cons V V) E = x | V | (E E) | (car E) | (cdr E) Constraint language:  =  | c | | pair | dom(  ) | rng(  ) | car(  ) | cdr(  ) Constraints:       3  dom(  )

5 Analysis Derivation phase: analyze terms and create constraints Propagation phase: create new constraints from old ones

6 Derivation (( x. x) 3) App

7 Derivation (( x. x) 3) App

8 Derivation (( x. x) 3) App x :  Env x : 

9 Derivation (( x. x) 3) App x :  Env  Env(x)    x :  x 

10 Derivation (( x. x) 3) App x :  Env  Env(x)     , dom   ,   rng(  ) x :   x 

11 Derivation (( x. x) 3) App x :  Env  Env(x)     , dom   ,   rng(  ) 3   x :   3  x 

12 Derivation (( x. x) 3) App x :  Env  Env(x)     , dom   ,   rng(  ) 3     dom(  ), rng(  )   x :  x  3   

13 Derivation (( x. x) 3) App x :  Env  Env(x)     , dom   ,   rng(  ) 3     dom(  ), rng(  )   x :  x  3   

14 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,  

15 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,  

16 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,  

17 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,  

18 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,  

19 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,  

20 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,   3  ,   rng(  ), rng(  )  ,  

21 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,   3  ,   rng(  ), rng(  )  ,  

22 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,   3  ,   rng(  ), rng(  )  ,   3  rng(  ), rng(  )  ,  

23 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,   3  ,   rng(  ), rng(  )  ,   3  rng(  ), rng(  )  ,  

24 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,   3  ,   rng(  ), rng(  )  ,   3  rng(  ), rng(  )  ,   3  ,  

25 Propagation 3  ,   dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  dom(  ), dom   ,   ,   rng(  ), rng(  )  ,   3  ,   ,   rng(  ), rng(  )  ,   3  ,   rng(  ), rng(  )  ,   3  rng(  ), rng(  )  ,   3  ,   3 is the result of the application Rules from Flanagan (1997), based on Heintze (1994)

26 Limitations We want to handle multiple arguments (lambda (x y) 1) Analysis: only one argument  MrSpidey:pack all the arguments in a list (tuple) and hope for the best.

27 Limitations We want to handle rest arguments (lambda (x y. z) 1) Analysis: only one argument  MrSpidey:all the arguments are already in a list, nothing more to do.

28 Limitations We want to handle case-lambda (overloading by arity) (case-lambda [(x) 1] [(x y) 2]) –part of PLT Scheme and used –used also in expansion of opt-lambda –will replace lambda Analysis: only one clause  MrSpidey:flow in and out of all clauses regardless of arity.

29 Limitations Arity error detected String still flows into x and out of the function to create other error

30 Limitations 42 flows into x and y z is empty

31 Limitations Second clause is unreachable 64 still flows into second clause

32 Limitations Results of both clauses flow out, even though only first clause matches

33 Limitations Correct but too conservative  Spurious errors

34 Solution: annotated selectors Extend framework: annotations to dom and rng selectors Specify: –argument position in a clause ( and app) dom j (  ) –total number of arguments (app) dom j,n (  ) –if clause has rest argument ( and app) dom [i,  ] j,n (  ) –arities of previous clauses ( ) dom ([i,  ],(I 1,I 2,...)) j,n (  )

35 Solution: annotated selectors Direct extension of old MrSpidey rules Computes strictly better results (solves all the previously shown problems) Resulting framework extremely complex dom ([i,  ],(I 1,I 2,...)) j,n (  )

36 Performance MrSpidey –O(n) set expressions  O(n 2 ) constraints –for a given constraint matching the premise of a rule: O(n) constraints matching the other premise  O(n 3 )

37 Performance Annotated selectors –O(n 2 ) set expressions  O(n 4 ) constraints selectors only on one side of constraint  O(n 3 ) shape of propagation rules limits number of new constraints created  O(n 2 ) constraints –for a given constraint matching the premise of a rule: O(n) constraints matching the other premise O(n) for matching arities O(n) for encoding constraints (prevent duplicates)  O(n 5 )

38 Performance Test programs: (define f (case-lambda [(a) a] [(a b) a] [(a b c) a])) ((f (f (f f))) f f f) DrScheme v103 UltraSPARC II, 2 GB RAM, 300 MHz

39 Performance MrSpidey: O(n 2.4 ) Analysis with annotations: O(n 2.9 ) Still outperforms MrSpidey on some tests

40 Performance Many more constraints Search for match and annotations encoding slow When a function propagates, the dom and rng selectors have to propagate with it   dom   ,     dom    Use different framework: conditional constraints instead of selectors

41 Languages Lambda calculus (for a start): V = c | ( x. E ) | (cons V V ) E = x | V | (E E ) | (car E ) | (cdr E ) Set of values for term labeled with :  ( ) Compound labels: ( ’), (cons ’) Constraints: – ’   ( ) –  ( ’)   ( ) –If ’   ( ) then … Based on Palsberg and Schwartzbach (1994)

42 Derivation (( x 1. x 2 ) 3 3 4 ) 5 App

43 Derivation App (( x 1. x 2 ) 3 3 4 ) 5

44 Derivation App x : 1  Env x : 1 (( x 1. x 2 ) 3 3 4 ) 5

45 x 2 Derivation App x : 1 (( x 1. x 2 ) 3 3 4 ) 5 x : 1  Env 1  Env(x)  ( 1 )   ( 2 )

46 3 x : 1  Env 1  Env(x)  ( 1 )   ( 2 ) ( 1 2 )   ( 3 ) x 2 Derivation App x : 1 (( x 1. x 2 ) 3 3 4 ) 5

47 3 4 3 x : 1  Env 1  Env(x)  ( 1 )   ( 2 ) ( 1 2 )   ( 3 ) 4   ( 4 ) x 2 Derivation App x : 1 (( x 1. x 2 ) 3 3 4 ) 5

48 5 3 4 3 x : 1  Env 1  Env(x)  ( 1 )   ( 2 ) ( 1 2 )   ( 3 ) 4   ( 4 ) If ( ’)   ( 3 ) then  ( 4 )   ( )  ( ’)   ( 5 ) x 2 Derivation App x : 1 (( x 1. x 2 ) 3 3 4 ) 5

49 5 3 4 3 x : 1  Env 1  Env(x)  ( 1 )   ( 2 ) ( 1 2 )   ( 3 ) 4   ( 4 ) If ( ’)   ( 3 ) then  ( 4 )   ( )  ( ’)   ( 5 ) x 2 Derivation App x : 1 (( x 1. x 2 ) 3 3 4 ) 5

50 5 3 4 3 x : 1  Env 1  Env(x)  ( 1 )   ( 2 ) ( 1 2 )   ( 3 ) 4   ( 4 ) If ( ’)   ( 3 ) then  ( 4 )   ( )  ( ’)   ( 5 )  ( 4 )   ( 1 )  ( 2 )   ( 5 ) x 2 Derivation App x : 1 (( x 1. x 2 ) 3 3 4 ) 5

51 Derivation Propagate as we derive Conditional constraints: –Actual arguments flow directly into formal arguments –Value of body of function flows directly out into result of application –Function represented by compound label and only that needs to flow Results just as good

52 Performance O(n) constraints created O(n 2 ) possible flows O(n) possible values to flow  O(n 3 ) Analysis with conditional constraints: O(n 1.04 )

53 Extending the analysis MrSpidey analyses PLT Scheme (v103) We want at least R5RS Scheme to compare

54 Extending the analysis Cannot have a derivation rule for each primitive –specify a type for each primitive + : (case-lambda [() 0] [(rest number (listof number)) number]))) –rules to transform type into set of constraints –mutators implemented as special case All R5RS primitives implemented

55 Extending the analysis Other language constructs (if, let, letrec, begin) –simple extensions Multiple values –implemented as tuples –must restrict set inclusion for “in” flows   ( ’)   ( ) becomes  ( ’)  v  ( )  performance loss

56 Extending the analysis Set! (define x 1) (define f (lambda () (set! x 2))) x (f) x –We want a conservative but good approximation –Need to delay set! until f applied  Add extra information to compound label

57 Extending the analysis Generative structures –not R5RS Scheme, but needed for PLT Scheme (define f (lambda () (define-struct foo (a b)))) –New structure type each time f is applied –define-struct is a macro  ad-hoc rule

58 Performance Extended analysis with conditional constraints: O(n 1.07 ) DrScheme v200 Real programs: still faster (except type checking), need more data.

59 Conclusion MrSpidey works fine, but framework limited framework can be extended Annotations make analysis very slow Conditional-constraint-based analysis faster, results just as good Can be extended to support full language MrFlow to replace MrSpidey

Download ppt "MrFlow: Why MrSpidey Failed Philippe Meunier Paul Steckler."

Similar presentations

Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Reconciling OO and Haskell-Style Overloading Mark Shields Simon Peyton Jones Microsoft Research Cambridge

Reconciling OO and Haskell-Style Overloading Mark Shields Simon Peyton Jones Microsoft Research Cambridge
1 Turing Machines and Equivalent Models Section 13.2 The Church-Turing Thesis.

1 Turing Machines and Equivalent Models Section 13.2 The Church-Turing Thesis.
CSE341: Programming Languages Lecture 2 Functions, Pairs, Lists Dan Grossman Winter 2013.

CSE341: Programming Languages Lecture 2 Functions, Pairs, Lists Dan Grossman Winter 2013.
Cs776 (Prasad)L4Poly1 Polymorphic Type System. cs776 (Prasad)L4Poly2 Goals Allow expression of “for all types T” fun I x = x I : ’a -> ’a Allow expression.

Cs776 (Prasad)L4Poly1 Polymorphic Type System. cs776 (Prasad)L4Poly2 Goals Allow expression of “for all types T” fun I x = x I : ’a -> ’a Allow expression.
Scheme in Scheme. Why implement Scheme in Scheme  Implementing a language is a good way to learn more about programming languages  Interpreters are.

Scheme in Scheme. Why implement Scheme in Scheme  Implementing a language is a good way to learn more about programming languages  Interpreters are.
1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.

1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.
CSE341: Programming Languages Lecture 16 Datatype-Style Programming With Lists or Structs Dan Grossman Winter 2013.

CSE341: Programming Languages Lecture 16 Datatype-Style Programming With Lists or Structs Dan Grossman Winter 2013.
Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.

Getting started with ML ML is a functional programming language. ML is statically typed: The types of literals, values, expressions and functions in a.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Safety as a Software Metric Matthias Felleisen and Robert Corky Cartwright Rice University.

Safety as a Software Metric Matthias Felleisen and Robert Corky Cartwright Rice University.
1 Scheme Scheme is a functional language. Scheme is based on lambda calculus. lambda abstraction = function definition In Scheme, a function is defined.

1 Scheme Scheme is a functional language. Scheme is based on lambda calculus. lambda abstraction = function definition In Scheme, a function is defined.
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Functional programming: LISP Originally developed for symbolic computing Main motivation: include recursion (see McCarthy biographical excerpt on web site).

Functional programming: LISP Originally developed for symbolic computing Main motivation: include recursion (see McCarthy biographical excerpt on web site).
Picking and Choosing… …Amb Above the Line. Intro to Nondeterminism So before we programmed to compute an answer to a problem. What if we set up a system.

Picking and Choosing… …Amb Above the Line. Intro to Nondeterminism So before we programmed to compute an answer to a problem. What if we set up a system.
Lexical vs. Dynamic Scope …where do I point to?. Intro… Remember in Scheme whenever we call a procedure we pop a frame and point it to where the procedure.

Lexical vs. Dynamic Scope …where do I point to?. Intro… Remember in Scheme whenever we call a procedure we pop a frame and point it to where the procedure.
Functional programming: LISP Originally developed for symbolic computing First interactive, interpreted language Dynamic typing: values have types, variables.

Functional programming: LISP Originally developed for symbolic computing First interactive, interpreted language Dynamic typing: values have types, variables.
Type-Directed, Whitespace-Delimited Parsing for Embedded DSLs Cyrus Omar School of Computer Science Carnegie Mellon University [GlobalDSL13] Benjamin ChungAlex.

Type-Directed, Whitespace-Delimited Parsing for Embedded DSLs Cyrus Omar School of Computer Science Carnegie Mellon University [GlobalDSL13] Benjamin ChungAlex.
Cs1120 Fall 2009 David Evans Lecture 19: Stateful Evaluation.

Cs1120 Fall 2009 David Evans Lecture 19: Stateful Evaluation.
Plt-2002-2 9/8/2015 2.2-1 Inductive Sets of Data Programming Language Essentials 2nd edition Chapter 1.2 Recursively Specified Programs.

Plt /8/ Inductive Sets of Data Programming Language Essentials 2nd edition Chapter 1.2 Recursively Specified Programs.

Similar presentations

Ads by Google