Control%20Flow%20Analysis

1
Control Flow Analysis

• Mooly Sagiv
• http//www.math.tau.ac.il/sagiv/courses/pa01.html
  
• Tel Aviv University
• 640-6706
• Textbook Chapter 3
• http//www.cs.berkeley.edu/Research/Aiken/bane.ht
  ml
• http//www.cs.washington.edu/research/projects/cec
  il
• Assign 3 (11/7)

2
Goals

• Understand the problem of Control Flow Analysis
• in Functional Languages
• In Object Oriented Languages
• Function Pointers
• Learn Constraint Based Program Analysis Technique
• General
• Usage for Control Flow Analysis
• Algorithms
• Systems
• Similarities between Problems Techniques

3
Outline

• A Motivating Example (OO)
• The Control Flow Analysis Problem
• Set Constraints
• Solving Constraints
• Adding Dataflow information
• Adding Context Information
• Back to the Motivating Example

4
A Motivating Example

• class Vehicle Object int position 10
• void move (int x1)
• position position x1
• class Car extends Vehicle int passengers
• void await(Vehicle v)
• if (v.position lt position)
• then v.move(position - v.position)
• else this.move(10)
• class Truck extends Vehicle
• void move(int x2)
• if (x2 lt 55) position x2
• void main Car c Truck t Vehicle v1
• new c
• new t
• v1 c
• c.passangers 2
• c.move(60)
• v1.move(70)
• c.await(t)

5
A Motivating Example

• class Vehicle Object int position 10
• static void move (Vehicle this1 Car , int
  x1)
• position position x1
• class Car extends Vehicle int passengers
• static void await(Car this2 Car , Vehicle v
  Truck)
• if (v.position lt position)
• then v.move(v, position - v.position)
• else this2.move(this2, 10)
• class Truck extends Vehicle
• static void move(Truck this3 Truck, int x2)
• if (x2 lt 55) position x2
• void main Car c Truck t Vehicle v1
• new c
• new t
• v1 c
• c.passangers 2
• c.move(c, 60)
• v1.move(v1, 70)
• c.await(c, t)

6
The Control Flow Analysis (CFA) Problem

• Given a program in a functional programming
  language with higher order functions(functions
  can serve as parameters and return values)
• Find out for each function invocation which
  functions may be applied
• Obvious in C without function pointers
• Difficult in C, Java and ML
• The Dynamic Dispatch Problem

7
An ML Example
let f fn x gt x 1 g fn y gt y 2
h fn z gt z 3 in (f g) (f h)
8
An ML Example
let f fn x gt / g, h / x 1 g fn
y gt y 2 h fn z gt z 3 in (f g)
(f h)
9
The Language FUN

• Notations
• e ? Exp // expressions (or labeled terms)
• t ? Term // terms (or unlabeled terms)
• f, x ? Var // variables
• c ? Const // Constants
• op ? Op // Binary operators
• l ? Lab // Labels
• Abstract Syntax
• e tl
• t c x fn x ? e // function
  definition fun f x ? e // recursive
  function definition e1 e2 // function
  applications if e0 then e1 else e2
  let x e1 in e2 e1 op e2

10
A Simple Example
((fn x ? x1)2 (fn y ? y3)4)5
11
Factorial
(let fact fun f n ? (if (n 0)1 then
12 else ((n3 (f4 (n5
16)7)8)9 )10
12
An Example which Always Loops
(let g fun f x ? (f1 (fn y ? y2)3)4
)5 (g6
(fn z ? z7)8)9)10
13
The 0-CFA Problem

• Control flow analysis without contexts
• Compute for every program a pair (C, ?) where
• C is the abstract cache associating abstract
  values with labeled program points
• ? is the abstract environment associating
  abstract values with program variables
• Abstract Values
• v ? Val P(Term) // Abstract values
• ? ? Env Var ? Val // Abstract environment
• C ? Cache Lab ? Val // Abstract Cache
• For function application (t1l1 t2l2)l C(l1)
  determines the function that can be applied
• Formally

14
Possible Solutions for ((fn x ? x1)2 (fn y ?
y3)4)5
15
(let g fun f x ? (f1 (fn y ? y2)3)4
)5 (g6
(fn z ? z7)8)9
Shorthands sf ? fun f x ? (f1 (fn y ?
y2)3)4 idy ? fn y ? y2 idz ? fn z ? z7
C(1) sf C(2) C(3) idy C(4)
C(5) sf C(6) sf C(7) C(8)
idz C(9) C(10) ?(x) idy , idz
?(y) ?(z)
16
Relationship to Dataflow Analysis

• Expressions are side effect free
• no entry/exit
• A single environment
• Represents information at different points via
  maps
• A single value for all occurrences of a variable
• Function applications act similar to assignments
• Definition - Function abstraction is created
• Use - Function is applied

17
A Formal Specification of 0-CFA

• A Boolean function ? define when a solution is
  acceptable
• (C, ?) ? e means that (C, ?) is acceptable for
  the expression e
• Define ? by structural induction on e
• Every function is analyzed once
• Every acceptable solution is sound (conservative)
• Many acceptable solutions
• Generate a set of constraints
• Obtain the least acceptable solution by solving
  the constraints

18
Solving 0-CFA (1)

• Define a concrete semantics
• Define a Galois connection between the concrete
  and the abstract semantics
• Define abstract meaning for statements
• Show local soundness
• Implement Chaotic iterations

19
Solving 0-CFA (2)

• Generate a system of set of constraints
• lhs ? rhs
• t ? rhs ? lhs ? rhs (conditional constraint)
• Show that any solution to the set of constraints
  is sound
• Find the minimal solution
• Systems for finding the minimal solution exist
• Applicable to different programming languages

20
Set Constraints

• A set of rules of the form
• lhs ? rhs
• t ? rhs ? lhs ? rhs (conditional constraint)
• lhs, rhs, rhs are
• terms
• C(l)
• ?(x)
• The least solution (C, ?) can be found
  iteratively
• start with empty sets
• add terms when needed
• Efficient cubic graph based solution

21
Syntax Directed Constraint Generation (Part I)
C ?cl ? C ?xl ? r (x) ? C (l)
C ?(fn x ? e)l ? C ? e ? ? fn x ? e ?
C(l) C ?(fun f x ? e)l ? C ? e ? ? fun f
x ? e ? C(l) ? fun f x ? e ? r( f)
C ? (t1l1 t2l2)l ? C ? t1l1 ? ? C ?t2l2 ?
? t ? C(l) ? C (l2) ? r (x) tfn x ? t0l0
?Term ? t ? C(l) ? C (l0) ? C
(l) tfn x ? t0l0 ?Term ? t ? C(l) ? C
(l2) ? r (x) tfun x ? t0l0 ?Term ? t ?
C(l) ? C (l0) ? C (l) tfun x ? t0l0 ?Term
22
Syntax Directed Constraint Generation (Part II)
C ?(if t0l0 then t1l1 else t2l2)l ? C ?
t0l0 ? ? C ? t1l1 ? ? C ?t2l2 ? ? C(l1) ?
C (l) ? C(l2) ? C (l) C? (let x t1l1
in t2l2)l ? C ? t1l1 ? ? C ?t2l2 ? ?
C(l1) ? r (x) ? C(l2) ? C(l) C?
(t1l1 op t2l2)l ? C ? t1l1 ? ? C ?t2l2 ?
23
Set Constraints for ((fn x ? x1)2 (fn y ? y3)4)5
24
Iterative Solution to the Set Constraints for
((fn x ? x1)2 (fn y ? y3)4)5
25
Graph Based Solution toConstraint Systems

• Construct a directed graph
• Nodes
• Set variables
• Edges
• u ? v
• The set variable v may depend on u
• Iteratively traverse the graph
• Every operation adds a term
• Must terminate
• Read the solution from the graph

26
The Constraint Graph for 0-CFA

• Nodes
• C(l)
• r(x)
• Edges
• p1 ? p2
• Construct p1 ? p2
• t ? p ? p1 ? p2
• Construct p1 ? p2
• Construct p ? p2
• Dependencies
• Dv
• The set of terms that must be included in v

27
while WL ?? do select and remove an element v
from WL for all c ?Ev do case c? p1
? p2 add(p2, Dp1) case ct ?p ? p1 ?
p2 if t ? Dp then add(p2, Dp1)
WL ? For all nodes v Dv ? Ev
? For all constraints c case c? t ? p
add(p, t) case c? p1 ? p2 Ep1 Ep1
?c case ct ?p ? p1 ? p2 Ep Ep ?
c Ep1 Ep1 ?c
procedure add(q, s) if (s ?D(q)) then Dq
Dq ? s WL WL ?q
28
Adding Data Flow Information

• Dataflow values can affect control flow analysis
• Example(let f (fn x ? (if (x1 gt 02)3
  then (fn y ? y4)5
  else (fn z ? 56)7
  )8
  )9in ((f10 311)12 013)14)15

29
Adding Data Flow Information

• Add a finite set of abstract values per program
  Data
• Update Val P(Term?Data)
• ? ? Env Var ? Val // Abstract environment
• C ? Cache - Lab ? Val // Abstract Cache
• Generate extra constraints for data
• Obtained a more precise solution
• A special of case of product domain (4.4)
• The combination of two analyses may be more
  precise than both
• For some programs may even be more efficient

30
Adding Dataflow Information (Sign Analysis)

• Sign analysis
• Add a finite set of abstract values per program
  Data P, N, TT, FF
• Update Val P(Term?Data)
• dc is the abstract value that represents a
  constant c
• d3 p
• d-7 n
• dtrue tt
• dfalse ff
• Every operator is conservatively interpreted

31
Syntax Directed Constraint Generation (Part I)
C ?cl ? dc ? C (l) C ?xl ? r (x) ? C (l)
C ?(fn x ? e)l ? C ? e ? ? fn x ? e ?
C(l) C ?(fun f x ? e)l ? C ? e ? ? fun f
x ? e ? C(l) ? fun f x ? e ? r( f)
C ? (t1l1 t2l2)l ? C ? t1l1 ? ? C ?t2l2 ?
? t ? C(l) ? C (l2) ? r (x) tfn x ? t0l0
?Term ? t ? C(l) ? C (l0) ? C
(l) tfn x ? t0l0 ?Term ? t ? C(l) ? C
(l2) ? r (x) tfun x ? t0l0 ?Term ? t ?
C(l) ? C (l0) ? C (l) tfun x ? t0l0 ?Term
32
Syntax Directed Constraint Generation (Part II)
C ?(if t0l0 then t1l1 else t2l2)l ? C ?
t0l0 ? ? C ? t1l1 ? ? C ?t2l2 ? ? dt ? C
(l0) ? C(l1) ? C (l) ? df? C (l0) ? C(l2) ?
C (l) C? (let x t1l1 in t2l2)l ? C ?
t1l1 ? ? C ?t2l2 ? ? C(l1) ? r (x) ?
C(l2) ? C(l) C? (t1l1 op t2l2)l ? C
? t1l1 ? ? C ?t2l2 ? ?
C(l1) op C(l2) ? C(l)
33
Adding Context Information

• The analysis does not distinguish between
  different occurrences of a variable(Monovariant
  analysis)
• Example(let f (fn x ? x1) 2 in ((f3 f4)5
  (fn y ? y6) 7)8)9
• Source to source can help (but may lead to code
  explosion)
• Example rewrittenlet f1 fn x1 ? x1 in let
  f2 fn x2 ? x2 in (f1 f2) (fn y ? y)

34
Simplified K-CFA

• Records the last k dynamic calls (for some fixed
  k)
• Similar to the call string approach
• Remember the context in which expression is
  evaluated
• Val is now P(Term)?Contexts
• ? ? Env Var ?Contexts ? Val
• C ? Cache - Lab?Contexts ? Val

35
1-CFA

• (let f (fn x ? x1) 2 in ((f3 f4)5 (fn y ?
  y6) 7)8)9
• Contexts
• - The empty context
• 5 The application at label 5
• 8 The application at label 8
• Polyvariant Control FlowC(1, 5) ? (x, 5)
  C(2, ) C(3, ) ? (f, )
  ((fn x ? x1), )C(1, 8) ? (x, 8)
  C(7, ) C(8, ) C(9, )
  ((fn y ? y6), )

36
A Motivating Example

• class Vehicle Object int position 10
• static void move (Vehicle this1 Car , int
  x1)
• position position x1
• class Car extends Vehicle int passengers
• static void await(Car this2 Car , Vehicle v
  Truck)
• if (v.position lt position)
• then v.move(v, position - v.position)
• else this2.move(this2, 10)
• class Truck extends Vehicle
• static void move(Truck this3 Truck, int x2)
• if (x2 lt 55) position x2
• void main Car c Truck t Vehicle v1
• new c
• new t
• v1 c
• c.passangers 2
• c.move(c, 60)
• v1.move(v1, 70)
• c.await(c, t)

37
V ? cl(v) ? cl(v)?cl(t1)

• class Vehicle Object int position 10
• static void move (Vehicle t1 , int x1)
• position position x1
• class Car extends Vehicle int passengers
• static void await(Car t2 , Vehicle v)
• if (v.position lt position)
• then v.move(v, position -
  v.position)
• else t2.move(t2, 10)
• class Truck extends Vehicle
• static void move(Truck t3, int x2)
• if (x2 lt 55) position x2
• void main Car c Truck t Vehicle v1
• new c
• new t
• v1 c
• c.passangers 2
• c.move(c, 60)
• v1.move(v1, 70)
• c.await(c, t)

C ? cl(v) ? cl(v)?cl(t1)
T ? cl(v) ? cl(v)?cl(t3)
C ? cl(t2) ? cl(t2)?cl(t1)
C ? cl(c)
T ? cl(t)
cl(c) ? cl(v1)
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
C ? cl(v1) ? cl(v1)?cl(t1)
T ? cl(v1) ? cl(v1)?cl(t3)
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
38
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
C ? cl(c)
WL
T ? cl(t)
cl(t1)
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
t
C ? cl(v1) ? cl(v1)?cl(t1)
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
39
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
40
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
41
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
42
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
43
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
44
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
45
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
WL
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
46
V ? cl(v) ? cl(v)?cl(t1)
cl(v)
t
C ? cl(v) ? cl(v)?cl(t1)
cl(t2)
T ? cl(v) ? cl(v)?cl(t3)
c
C ? cl(t2) ? cl(t2)?cl(t1)
cl(t3)
t
C ? cl(c)
T ? cl(t)
cl(t1)
c
cl(c) ? cl(v1)
cl(c)
c
C ? cl(c) ? cl(c)?cl(t1)
V ? cl(v1) ? cl(v1)?cl(t1)
cl(t)
C ? cl(v1) ? cl(v1)?cl(t1)
t
T ? cl(v1) ? cl(v1)?cl(t3)
cl(v1)
c
C ? cl(c) ? cl(c)?cl(t2)
C ? cl(c) ? cl(t)?cl(v)
47
A Motivating Example

• class Vehicle Object int position 10
• static void move (Vehicle this1 Car , int
  x1)
• position position x1
• class Car extends Vehicle int passengers
• static void await(Car this2 Car , Vehicle v
  Truck)
• if (v.position lt position)
• then v.move(v, position - v.position)
• else this2.move(this2, 10)
• class Truck extends Vehicle
• static void move(Truck this3 Truck, int x2)
• if (x2 lt 55) position x2
• void main Car c Truck t Vehicle v1
• new c
• new t
• v1 c
• c.passangers 2
• c.move(c, 60)
• v1.move(v1, 70)
• c.await(c, t)

48
Missing Material

• Efficient Cubic Solution to Set Constraints
  www.cs.berkeley.edu/Research/Aiken/bane.html
• Experimental results for OO www.cs.washington.edu
  /research/projects/cecil
• Operational Semantics for FUN (3.2.1)
• Defining acceptability of set constraints
• Using general lattices as Dataflow values
  instead of powersets (3.5.2)
• Lower-bounds
• Decidability of JOP
• Polynomiality

49
Conclusions

• Set constraints are quite useful
• A Uniform syntax
• Can even deal with pointers
• But semantic foundation is still based on
  abstract interpretation
• Techniques used in functional and imperative (OO)
  programming are similar
• Control and data flow analysis are related