Interprocedural Analysis

1
Interprocedural Analysis

• Noam Rinetzky
• Mooly Sagiv
• http//www.math.tau.ac.il/sagiv/courses/pa04.html
  
• Tel Aviv University
• 640-6706
• Textbook Chapter 2.5

2
Outline

• The trivial solution
• Why isnt it adequate
• Challenges in interprocedural analysis
• Simplifying assumptions
• A naive solution
• Join over valid paths
• The functional approach
• A case study linear constant propagation
• Context free reachability
• The call-string approach
• Modularity issues
• Other solutions

3
A Trivial treatment of procedures

• Analyze a single procedure
• After every call continue with conservative
  information
• Global variables and local variables which may
  be modified by the call are mapped to ?
• Can be easily implemented
• Procedures can be written in different languages
• Procedure inline can help
• Side-effect analysis can help

4
Disadvantages of the trivial solution

• Modular (object oriented and functional)
  programming encourages small frequently called
  procedures
• Optimization
• Modern machines allows the compiler to schedule
  many instructions in parallel
• Need to optimize many instructions
• Inline can be a bad solution
• Software engineering
• Many bugs result from interface misuse
• Procedures define partial functions

5
Challenges in Interprocedural Analysis

• Procedure nesting
• Respect call-return mechanism
• Handling recursion
• Local variables
• Parameter passing mechanisms value,
  value-result, reference, by name
• The called procedure is not always known
• The source code of the called procedure is not
  always available
• separate compilation
• vendor code
• ...

6
Simplifying Assumptions

• All the code is available
• Simple parameter passing
• The called procedure is syntactically known
• No nesting
• Procedure names are syntactically different from
  variables
• Procedures are uniquely defined
• Recursion is supported

7
Extended Syntax of While
P begin D S end
D proc id(val id, res id) isl S endl D D
S x al call p(a, z)ll
skipl S1 S2 if bl then S1 else S2
while bl do S
b true false not b b1 opb b2 a1 opr a2
a x n a1 opa a2
8
Fibonacci Example
begin
0
proc fib
1
begin proc fib(val z, u, res v) is1 if z lt32
then v u 13 else ( call fib(z-1, u,
v)45 call fib(z-2, v, v)67 ) end8 call
fib(x, 0, y)910 end11
2
9
call fib(x, 0, y)
if z lt3
3
3
vu1
call fib(z-1, u, v)
4
call fib(z-1, u, v)
5
call fib(x, 0, y)
10
call fib(z-2, v, v)
6
call fib(z-2, v, v)
7
end
11
end
8
9
Constant Example
begin proc p(val a) is1 if b2 then ( a
a -13 call p(a)45 a a 16 ) x
-2 a 57 end8 call p(7)910 end
10
A naive Interprocedural solution

• Treat procedure calls as gotos
• Obtain a conservative solution
• Find the least fixed point of the system
• Use Chaotic iterations

DFentry(s) ?
DFentry(v) ?f(e)(DFentry(u) (u, v) ? E
11
Simple Example
begin proc p(val a) is1 x a 12
end3 call p(7)45 print x6 call
p(9)78 print x9 end
12
Constant Example
begin proc p(val a) is1 if b2 then ( a
a -13 call p(a)45 a a 16 ) x
-2 a 57 end8 call p(7)910 end
13
A More Precise Solution

• Only considers matching calls and returns (valid)
• Can be defined via context free grammar
• Every call is a different letter
• Matching calls and returns
• The control flow graph can also be defined via
  context free grammar

14
Simple Example
begin proc p(val a) is1 x a 12
end3 call p(7)45 print x6 call
p(9)78 print x9 end
15
Constant Example
begin proc p(val a) is1 if b2 then ( a
a -13 call p(a)45 a a 16 ) x
-2 a 57 end8 call p(7)910 end
16
The Join-Over-Valid-Paths (JVP)

• For a sequence of labels l1, l2, , ln definef
  l1, l2, , ln L ? L by composing the effects
  of basic blocks
• fl(s)s
• f l, p(s) fp (fl (s))
• JVPl ?fl1, l2, , l(?) l1, l2, , l
  ? vpaths(l)
• Compute a safe approximation to JVP
• In some cases the JVP can be computed
• Distributivity of f
• Functional representation

17
The Call String Approach for Approximating JVP

• No assumptions
• Record at every node a pair (l, c) where l ? L is
  the dataflow information and c is a suffix of
  unmatched calls
• Use Chaotic iterations
• To guarantee termination limit the size of c
  (typically 1 or 2)
• Emulates inline (but no code growth)
• Exponential in C
• For a finite lattice there exists a C which leads
  to join over all valid paths

18
Simple Example
begin proc p(val a) is1 x a 12
end3 call p(7)45 print x6 call
p(9)78 print x9 end
19
Constant Example
begin proc p(val a) is1 if b2 then ( a
a -13 call p(a)45 a a 16 ) x
-2 a 57 end8 call p(7)910
print x end
20
The Functional Approach

• The meaning of a function is mapping from values
  of actual variables into states
• The abstract meaning of a function is function
  from the abstract values of the numbers to
  abstract stores
• Iterate on the abstract domain of functions from
  L to L

21
Motivating Example
begin
0
proc p
N Function
1 ?a,x. x?x, a?a
2 ?a,x. x?x. a? a
7 ?a,x.x? x, a? a
8 ?a,x.x?-2a5, a? a
3 ?a,x.x?x, a? a
4 ?a,x.x?x, a? a-1
5 ?a,x.x?-2a5, a? a-1
6 ?a,x.x?-2a5, a? a-1
7 ?a,x.x?-2a5, a? a
8 ?a, x.x?-2a5, a? a
1
2
call p(7)
if
9
aa-1
3
call p(a)
4
call p(7)
5
10
call p(a)
6
aa-1
11
print x
7
x-2a5
end
8
end
22
Motivating Example(2)
begin
0
proc p
N Value
1 x?0, a?7
2 x?0. a? 7a
7 x? -9, a? 7
8 ?a,x.x?-9, a?7
3 ?a,x.x?-9, a? 7
4 ?a,x.x?-9, a? 6
5 ?a,x.x?-9, a? 6
6 ?a,x.x?-9, a?6
7 ?a,x.x???, a? 7
8 ?a, x.x?-9, a?7
1 ?a, x.x??, a??
1
2
call p(7)
if
9
3
aa-1
call p(a)
4
call p(7)
5
10
call p(a)
6
aa-1
11
print x
7
x-2a5
end
8
end
23
Issues in Functional Approach

• How to guarantee that finite height for
  functional lattice?
• It may happen that L has finite height and yet
  the lattice of monotonic function from L to L do
  not
• Efficiently represent functions
• Functional join
• Functional composition
• Testing equality
• Usually non-trivial
• But can be done for distributive functions

24
Example Linear Constant Propagation

• Consider the constant propagation lattice
• The value of every variable y at the program exit
  can be represented by y ? (axx bx ) x
  ?Var ? c ax ,c ?Z ??, ? bx ?Z
• Supports efficient composition and functional
  join
• z a y b
• Computes JVP

25
Constant Example
a?a. (a 1 0) ? ?
begin proc p(val a) is1 if b2 then ( a
a -13 call p(a)45 a a 16 ) x
-2 a 57 end8 call p(7)910 end
?a. (a -1 0) ? ?
?a. (a -1 0) ? ?
?a. (a 0) ? ?
?a. a ? ?
26
Functional Approach via Context Free Reachablity

• The problem of computing reachability in a graph
  restricted by a context free grammar can be
  solved in cubic time
• Can be used to compute JVP in arbitrary finite
  distributive data flow problems (not just
  bitvector)
• Nodes in the graph correspond to individual facts
• Efficient implementations exit (MOPED)

27
Conclusion

• Handling functions is crucial for abstract
  interpretation
• Virtual functions and exceptions complicate
  thinks
• But scalability is an issue
• Assume-guarantee helps
• But relies on specifications