Weighted Pushdown Systems and their Application to Interprocedural Dataflow Analysis

About This Presentation
Title:

Weighted Pushdown Systems and their Application to Interprocedural Dataflow Analysis

Description:

Thomas Reps1, Stefan Schwoon2, and Somesh Jha1. 1 University of Wisconsin ... Intraprocedural Analysis. enter. n. V0. MOP(n) = pfp(V0) p PathsTo[n] pfp = fk fk-1 ... –

Number of Views:83
Avg rating:3.0/5.0
Slides: 50
Provided by: thoma55
Category:

less

Transcript and Presenter's Notes

Title: Weighted Pushdown Systems and their Application to Interprocedural Dataflow Analysis


1
Weighted Pushdown Systemsand their Application
toInterprocedural Dataflow Analysis
  • Thomas Reps1, Stefan Schwoon2, and Somesh Jha1
  • 1 University of Wisconsin
  • 2 University of Stuttgart

2
Weighted Pushdown Systemsand their Application
toInterprocedural Dataflow Analysis
Weighted Pushdown Systems
Pushdown Systems
Application
Interprocedural Dataflow Analysis
Dataflow Analysis
3
Weighted Pushdown Systemsand their Application
toInterprocedural Dataflow Analysis
Weighted Pushdown Systems
Pushdown Systems
Application
Interprocedural Dataflow Analysis
Dataflow Analysis
4
Intraprocedural Analysis
f1
f2
fk-1
fk
V0
n
enter
pfp fk ? fk-1 ? ? f2 ? f1
MOP(n) ? pfp(V0)
p?PathsTon
5
if . . .
6
Context-Sensitive Interprocedural Analysis
callq
ret
f1
V0
fk
fk-1
f2
n
start
fk-2
f3
enterq
exitq
f4
fk-3
f5
MOVP(n) ? pfp(V0)
p?MatchedPathsTon
7
An Expanded Set of Queries
5
  • void p()
  • if (...)
  • x x 1
  • p() // p_calls_p1
  • x x - 1
  • if (...)
  • x x - 1
  • p() // p_calls_p2
  • x x 1
  • return
  • int x
  • void main()
  • x 5
  • p() //main_calls_p
  • return

ltx, enterp p_calls_p2 p_calls_p1 main_calls_pgt
8
An Expanded Set of Queries
x 5
x x 1
x x - 1
x 5
9
An Expanded Set of Queries
  • void p()
  • if (...)
  • x x 1
  • p() // p_calls_p1
  • x x - 1
  • if (...)
  • x x - 1
  • p() // p_calls_p2
  • x x 1
  • return
  • int x
  • void main()
  • x 5
  • p() //main_calls_p
  • return

5
ltx, enterp (p_calls_p2 p_calls_p1)
main_calls_pgt
10
An Expanded Set of Queries
5
4
5 ? 4 ?
  • void p()
  • if (...)
  • x x 1
  • p() // p_calls_p1
  • x x - 1
  • if (...)
  • x x - 1
  • p() // p_calls_p2
  • x x 1
  • return
  • int x
  • void main()
  • x 5
  • p() //main_calls_p
  • return

ltx, enterp (p_calls_p2 p_calls_p1)
main_calls_pgt
11
An Expanded Set of Queries
5
4
5 ? 4 ?
  • void p()
  • if (...)
  • x x 1
  • p() // p_calls_p1
  • x x - 1
  • if (...)
  • x x - 1
  • p() // p_calls_p2
  • x x 1
  • return
  • int x
  • void main()
  • x 5
  • p() //main_calls_p
  • return

ltx, enterp Sgt
12
An Expanded Set of Queries
MOVP(n) ? pfp(V0)
p?MatchedPathsTon
MOVP(L) ? pfp(V0)
c ? L,
p ? MatchedPathsToc

L1 ltx, enterp p_calls_p2 p_calls_p1
main_calls_pgt L2 ltx, enterp (p_calls_p2
p_calls_p1) main_calls_pgt L3 ltx, enterp
(p_calls_p2 p_calls_p1) main_calls_pgt L4 ltx,
enterp Sgt
MOVP(L3) MOVP(L4) MOVP(enterp)
13
So What? Who Cares? Yawn
  • Virtual inline expansion
  • Value for x in configurations with an even of
    calls to p
  • MOVP(ltx, n (p_calls_p p_calls_p)
    main_calls_pgt)
  • Value for x in configurations with an odd of
    calls to p
  • MOVP(ltx,n p_calls_p (p_calls_p p_calls_p)
    main_calls_pgt)
  • Stack-constrained queries
  • at breakpoint at n, fetch stack from debugger
    (say S)
  • stack-constrained slicing
  • What are the program elements that could have
    affected the values used at n, given that we have
    reached n with stack S?

14
Unrolled Program Transition System
p
a
j
b
g
h
i
c
f
15
Unrolled Program 8Transition System
p
a
f
b
d
c
e
16
Pushdown System (PDS)
States s1, s2, s3, s4 Stack symbols
A, B, C, D Transition rules lts1, Agt ? lts2,
egt lts1, Agt ? lts2, Bgt lts1, Agt ? lts2, B Cgt
17
Pushdown System (PDS)
States s1, s2, s3, s4 Stack symbols
A, B, C, D Transition rules lts1, Agt ? lts2,
egt lts1, Agt ? lts2, Bgt lts1, Agt ? lts2, B Cgt
18
Pushdown System (PDS)
States s1, s2, s3, s4 Stack symbols
A, B, C, D Transition rules lts1, Agt ? lts2,
egt lts1, Agt ? lts2, Bgt lts1, Agt ? lts2, B Cgt
19
Pushdown System (PDS)
States s1, s2, s3, s4 Stack symbols
A, B, C, D Transition rules lts1, Agt ? lts2,
egt lts1, Agt ? lts2, Bgt lts1, Agt ? lts2, B Cgt
20
Rules Define a Transition Relation
lts,Agt ? lts,egt
lts,Agt ? lts,Bgt
lts,Agt ? lts,B Cgt
21
Pushdown System (PDS)
  • PDS Pushdown automaton without an input tape
  • Mechanism for defining a class of infinite-state
    transition systems
  • lts, Agt ? lts, A Agt

lts,Agt
lts,AAgt
lts,AAAgt
lts,AAAAgt
?
22
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, agt ? lts, bgt
q
d
e
23
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, bgt ? lts, cgt
q
d
e
24
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, cgt ? lts, d fgt
q
d
e
25
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, dgt ? lts, egt
q
d
e
26
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, egt ? lts, egt
q
d
e
27
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, fgt ? lts, ggt
q
d
e
28
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, ggt ? lts, hgt
q
d
e
29
Supergraph as a PDS
p
a
j
b
g
h
i
c
f
lts, hgt ? lts, d igt
q
d
e
30
Unrolled Program 8 Transition System
p
a
f
b
d
c
e
31
PDS Terminology
Configuration lts, f e cgt
c ? c (transition relation) c follows from c
by a transition rule c predecessor of c c
successor of c c0 ? c1 ? . . . ? cn (a run)
c ? c reflexive transitive closure of ?
32
A Run
  • lts,agt
  • ? lts,bgt
  • lts,acgt
  • lts,bcgt
  • lts,accgt
  • lts,fccgt
  • lts,ccgt
  • lts,dcgt
  • lts,aecgt
  • lts,fecgt

p
a
f
b
d
c
e
p
a
f
b
d
c
e
p
p
a
f
a
f
b
d
c
e
b
d
c
e
33
A Run
p
a
f
b
d
c
e
p
a
f
b
d
c
e
p
p
a
f
a
f
b
d
c
e
b
d
c
e
34
A Run
p
a
f
b
d
c
e
p
a
f
b
d
c
e
p
p
a
f
a
f
b
d
c
e
b
d
c
e
35
Representing Distributive FunctionsPOPL 95
?
a
b
c
Identity Function
f ?V.V
f(a,b) a,b
a
?
b
c
Constant Function
f ?V.b
f(a,b) b
36
Representing Distributive FunctionsPOPL 95
?
a
b
c
Gen/Kill Function
f ?V.(V ? b) ? c
f(a,b) a,c
a
?
b
c
Non-Gen/Kill Function
f ?V. if a?V then V ?b
else V ? b
f(a,b) a,b
37
if . . .
??, start? ? ??, x 3? ??, start? ? ?x,
x 3? ??, start? ? ?y, x 3?
??, x 3? ? ??, p(x,y)? ?y, x 3? ? ?y,
p(x,y)?
38
pre(M)
M
39
Representation Issue
  • The set of configurations pre(S) can
    be infinite
  • Example
  • lts,Agt ? lts, e gt
  • pre ( lts,Agt) s Ai i 1
  • Solution in the PDS literature
  • Represent a set of configurations
  • with an automaton

40
From M to Pre(M)
lts,Agt ? lts1,A1 . . . Amgt
41
Observation
  • For IFDS problems (Reps, Horwitz, Sagiv POPL
    95), PDS literature provides solution to MOVP
    problem
  • Bouajjani, Esparza, Maler Concur 97
  • Esparza et al. CAV 00
  • But . . . some problems are not IFDS
  • linear constants Sagiv, Reps, Horwitz 96
  • affine relations Müller-Olm Seidl 03

42
Dataflow Analysis
Interprocedural Dataflow Analysis
Application
Pushdown Systems
Weighted Pushdown Systems
43
Weighted Pushdown System (WPDS)
States s1, s2, s3, s4 Stack symbols
A, B, C, D Transition rules lts1, Agt ? lts2,
egt lts1, Agt ? lts2, Bgt lts1, Agt ? lts2, B Cgt
w1
w2
w3
44
Idempotent Semiring (D, ?, ?, 0, 1) Meet
Semilattice (D, ?, ..., ?, ...)
a ? b iff a ? b a ? ? ? ?
a ? 0 a a ? b b ? a a ? (b ? c) (a ? b) ?
c a ? a a
a ? 1 a a ? (b ? c) (a ? b) ? c
a ? (b ? c) (a ? b) ? (a ? c) (a ? b) ? c (a
? c) ? (b ? c) a ? 0 0 ? a a
45
From M to Pre(M)
sk
X
A
? (w ? X)
V
s
46
Correctness Argument
  • Characterize certain sequences of PDS transitions
    using grammar flow analysis (GFA)
  • Pop sequence net pop of one symbol

A
p
q
?
?
w
E.g., for each rule ?p,A? ? ?p,A?
?x.w ? x( )
PS(p,A,q) PS(p,A,q)
PS(p,A,q) PS(p,A,q)
  • Automaton construction
  • finding the productive nonterminals
  • coincidence theorem for GFA ? correct weights

47
An Application
  • Analysis of x86 code
  • no use of debugging information
  • Subgoal discover affine relations on registers
  • Interprocedural affine-relation analysis
    Müller-Olm Seidl 03
  • Constraint system ? WPDS
  • Preliminary performance
  • cat.exe (2,163 inst.) 4.6
    sec.
  • cut.exe (2,491 inst.) 17.8
    sec.
  • notepad.exe (9,918 inst.) 149 sec.
  • Running time linear in program size
  • Constant of proportionality k10 ? k8
  • Only 8 registers ? operations on 9 x 9 matrices
  • 81-fold improvement possible??

48
Contributions
  • Algorithm for generalized pushdown reachability
    problem
  • MOVP(L) ?
    pfp(V0)
  • c
    ? L,
  • p ?
    MatchedPathsToc
  • Running time O(Q2 x PDS x H)
  • Sound solutions for non-distributive dataflow
    problems
  • Construction of witness trees
  • Publicly available implementation (WPDS Library)
  • Supports both post and pre queries

49
Related Work
  • Pushdown systems
  • Bouajjani, Esparza, Maler Concur 97
  • Esparza et al. CAV 00
  • Bouajjani, Esparza, Touili POPL 03
  • Dataflow analysis
  • Sharir Pnueli 81
  • IDE framework Sagiv, Reps, Horwitz TCS 96
  • Weighted-hypergraph problems
  • Knuth IPL 77
  • Grammar flow analysis Möncke Wilhelm WAGA 91
  • Ramalingam thesis LNCS 1089
  • Ramalingam Reps J. Alg 96

50
(No Transcript)
51
An Expanded Set of Queries
  • void p()
  • if (...)
  • x x 1
  • p() // p_calls_p1
  • x x - 1
  • if (...)
  • x x - 1
  • p() // p_calls_p2
  • x x 1
  • return
  • int x
  • void main()
  • x 5
  • p() //main_calls_p
  • return

Demo
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "Weighted Pushdown Systems and their Application to Interprocedural Dataflow Analysis" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!