Interprocedural Analysis

1
Interprocedural Analysis
Noam RinetzkyMooly Sagiv
2
Challenges in Interprocedural Analysis

• Respect call-return mechanism
• Handling recursion
• Local variables
• Parameter passing mechanisms
• The called procedure is not always known
• The source code of the called procedure is not
  always available
• Concurrency

3
Stack regime
call
P() R()
Q() R()
call
R()
return
return
R
P
4
Guiding light

• Exploit stack regime
• Precision
• Efficiency

5
Simplifying Assumptions

• Parameter passed by value
• No OO
• No nesting
• No concurrency
• Recursion is supported

6
Topics Covered

• The trivial approach
• Procedure Inlining
• The naive approach
• The call string approach
• Functional Approach

• Valid paths
• Interprocedural Analysis via Graph Reachability
• Beyond reachability
• Demand analysis
• Advanced Topics
• Karrs analysis
• Backward
• MOPED

7
Constant Propagation

• Find variables with constant value at a given
  program location

int p(int x) return x x void
main() int z if (...) z p(5) 5 else
z p(4) 4 printf (z)
8
Example Program
x 5 y 7 if (...) y x 2 z x y
9
Undecidability Issues

• It is undecidable if a program point is
  reachablein some execution
• Some static analysis problems are undecidable
  even if the program conditions are ignored

10
The Constant Propagation Example
while (...) if (...) x_1 x_1 1
if (...) x_2 x_2 1 ...
if (...) x_n x_n 1 y
truncate (1/ (1 p2(x_1, x_2, ..., x_n))/ Is
y0 here? /
11
Conservative Solution

• Every detected constant is indeed constant
• But may fail to identify some constants
• Every potential impact is identified
• Superfluous impacts

12
The extra cost of procedures

• Call return complicates the analysis
• Unbounded stack memory
• Increases asymptotic complexity
• But can be tolerable in practice
• Sometimes even cheaper/more precise than
  intraprocedural analysis

13
A trivial treatment of procedure

• Analyze a single procedure
• After every call continue with conservative
  information
• Global variables and local variables which may
  be modified by the call have unknown values
• Can be easily implemented
• Procedures can be written in different languages
• Procedure inline can help

14
Disadvantages of the trivial solution

• Modular (object oriented and functional)
  programming encourages small frequently called
  procedures
• Almost all information is lost

15
Procedure Inlining

• Inline called procedures
• Simple
• Does not handle recursion
• Exponential blow up

p1 call p2 call p2
p2 call p3 call p3
p3
16
A Naive Interprocedural solution

• Treat procedure calls as gotos
• Abstract call/return correlations
• Obtain a conservative solution
• Use chaotic iterations
• Usually fast

17
Simple Example
int p(int a) return a 1
void main() int x x p(7) x
p(9)
18
Simple Example
int p(int a) a ?7 return a 1
void main() int x x p(7) x
p(9)
19
Simple Example
int p(int a) a ?7 return a 1 a
?7, ?8
void main() int x x p(7) x
p(9)
20
Simple Example
int p(int a) a ?7 return a 1 a
?7, ?8
void main() int x x p(7) x
?8 x p(9) x ?8
21
Simple Example
int p(int a) a ?7 return a 1 a
?7, ?8
void main() int x x l p(7) x
?8 x p(9) x ?8
22
Simple Example
int p(int a) a ?? return a 1 a
?7, ?8
void main() int x x p(7) x
?8 x p(9) x ?8
23
Simple Example
int p(int a) a ?? return a 1 a
??, ??
void main() int x x p(7) x
?8 x p(9) x ?8
24
Simple Example
int p(int a) a ?? return a 1 a
??, ??
void main() int x x p(7) x
?? x p(9) x ??
25
The Call String Approach

• The data flow value is associated with sequences
  of calls (call string)
• Use Chaotic iterations
• To guarantee termination limit the size of call
  string (typically 1 or 2)
• Represents tails of calls
• Abstract inline

26
Simple Example
int p(int a) return a 1
void main() int x c1 x p(7)
c2 x p(9)
27
Simple Example
int p(int a) c1 a ?7 return a 1
void main() int x c1 x p(7)
c2 x p(9)
28
Simple Example
int p(int a) c1 a ?7 return a 1
c1a ?7, ?8
void main() int x c1 x p(7)
c2 x p(9)
29
Simple Example
int p(int a) c1 a ?7 return a 1
c1a ?7, ?8
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
30
Simple Example
int p(int a) c1a ?7 return a 1
c1a ?7, ?8
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
31
Simple Example
int p(int a) c1a ?7 c2a ?9
return a 1 c1a ?7, ?8
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
32
Simple Example
int p(int a) c1a ?7 c2a ?9
return a 1 c1a ?7, ?8 c2a ?9,
?10
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
33
Simple Example
int p(int a) c1a ?7 c2a ?9
return a 1 c1a ?7, ?8 c2a ?9,
?10
void main() int x c1 x p(7)
? x ? 8 c2 x p(9) ? x ? 10
34
Another Example
int p(int a) c1a ?7 c2a ?9
return c3 p1(a 1) c1a ?7, ??
c2a ?9, ??
int p1(int b) (c1c2)c3b ?? return 2
b (c1c2)c3b ??, ??
void main() int x c1 x p(7)
? x ? 8 c2 x p(9) ? x ? 10
35
Recursion
int p(int a) c1 a ? 7 if ()
c1 a ? 7 a a -1 c1 a ? 6
c2 p (a) a a 1 x -2a 5
void main() c1 x p(7)
36
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
6 if () c1 a ? 7 a a
-1 c1 a ? 6 c2 p (a) a
a 1 x -2a 5
void main() c1 x p(7)
37
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
6 if () c1 a ? 7 c1.c2
a ? 6 a a -1 c1 a ? 6
c2 p (a) a a 1 x -2a 5
void main() c1 x p(7)
38
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
6 if () c1 a ? 7 c1.c2
a ? 6 a a -1 c1 a ? 6
c1.c2 a ? 5 c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
39
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? 6 a a -1 c1 a ? 6
c1.c2 a ? 5 c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
40
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? ? a a -1 c1 a ? 6
c1.c2 a ? 5 c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
41
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? ? a a -1 c1 a ? 6
c1.c2 a ? ? c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
42
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? ? a a -1 c1 a ? 6
c1.c2 a ? ? c2 p (a) a a
1 c1 a ? 7 c1.c2 a ? ? x -2a
5 c1 a ? 7, x ?-9 c1.c2 a ? ?, x??
void main() c1 x p(7)
43
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1.c2 a ? ?,
x?? a a 1 c1 a ? 7 c1.c2 a
? ? x -2a 5 c1 a ? 7, x ?-9 c1.c2 a
? ?, x??
void main() c1 x p(7)
44
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1.c2 a ? ?,
x?? a a 1 c1.c2 a ? ?, x??
c1 a ? 7 c1.c2 a ? ? x -2a 5 c1
a ? 7, x ?-9 c1.c2 a ? ?, x??
void main() c1 x p(7)
45
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1 a ? ?, x ??
a a 1 c1.c2 a ? ?, x?? c1 a ?
?, x ?? c1 a ? 7 c1.c2 a ? ? x -2a
5 c1 a ? ?, x ?? c1.c2 a ? ?, x??
void main() c1 x p(7)
46
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1.c2 a ? ?
a a 1 c1.c2 a ? ? c1.c2 a
? ? x -2a 5 c1.c2 a ? ?, x??
void main() c1 p(7) ? x ??
47
Special cases and Extensions

• Finite distributive lattice
• There exists a bound on the call string which
  leads to join over all valid paths
• Solution seemingly unsafe
• Decomposable problem (Independent attributes)
• L L1 x L2 x x Lk
• F F1 x F2 x x Fk
• Cost is quadratic in max Li
• Kill-Gen is a special case
• Abstract call strings
• Generalizes k-limiting of suffixes

48
Summary Call String

• Easy to implement
• Efficient for small call strings
• For finite domains can be precise even with
  recursion
• Limited precision
• Order of calls can be abstracted
• Related method procedure cloning

49
The Functional Approach

• The meaning of a procedure is mapping from states
  into states
• The abstract meaning of a procedure is function
  from an abstract state to abstract states
• Relation between input and output

50
The Functional Approach

• Two phase algorithm
• Compute the dataflow solution at the exit of a
  procedure as a function of the initial values at
  the procedure entry (functional values)
• Compute the dataflow values at every point using
  the functional values

51
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 p (a) a a 1
x -2a 5 a ?a0, x ?-2a0 5
void main() p(7)
52
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 p (a) a a 1
a ?a0, x ?x0 x -2a 5
void main() p(7)
53
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 p (a) a a 1
a ?a0, x ?x0 x -2a 5 a ?a0, x ?-2a0
5
void main() p(7)
54
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a a 1 a ?a0, x ?x0 x -2a
5 a ?a0, x ?-2a0 5
void main() p(7)
55
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a ?a0-1, x ?? a a 1 a ?a0,
x ?x0 x -2a 5 a ?a0, x ?-2a0 5
void main() p(7)
56
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a ?a0-1, x ?? a a 1 a ?a0, x
?? a ?a0, x ?x0 x -2a 5 a ?a0, x
?-2a0 5
void main() p(7)
57
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a ?a0-1, x ?-2(a0-1) 5 a a 1
a ?a0, x ? -2(a0-1) 5 a ?a0, x ?? x
-2a 5 a ?a0, x ?-2a0 5
void main() p(7)
58
Phase 2
int p(int a) if () a a -1 p
(a) a a 1 x -2a 5
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
59
Phase 2
void main() p(7) x ? -9
int p(int a) a ?7, x ?0 if () a
a -1 p (a) a a 1 x
-2a 5
p(a0,x0) a ?a0, x ?-2a0 5
60
Phase 2
void main() p(7) x ? -9
int p(int a) a ?7, x ?0 if () a
a -1 p (a) a a 1 a
?7, x ?0 x -2a 5
p(a0,x0) a ?a0, x ?-2a0 5
61
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 p (a) a a 1 a
?7, x ?0 x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
62
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a a
1 a ?7, x ?0 x -2a 5 a ?7, x
?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
63
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?0 x
-2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
64
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?0 x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
65
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
66
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
67
Phase 2
int p(int a) a ?7, x ?0 a ?6, x ?0 if ()
a a -1 a ?6, x ?0 p
(a) a ?6, x ?-9 a a 1 a
?7, x ?-9 a ?7, x ?? x -2a 5 a
?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
68
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
69
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
70
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
71
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ??, x ?? a ?7,
x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
72
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ??, x ?? a ??,
x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
73
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ??, x ?? a ??,
x ?? x -2a 5 a ??, x ??
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
74
Summary Functional approach

• Computes procedure abstraction
• Sharing between different contexts
• Rather precise
• Recursive procedures may be more
  precise/efficient than loops
• But requires more from the implementation
• Representing relations
• Composing relations

75
Interprocedural analysis
Q
P
R
Entry node
sP
sQ
sR
Call node
fc2e
f1
fc2e
Call node
f1
f1
f1
n4
n6
n1
n2
Call Q
Call Q
f3
f2
f1
n5
n7
n3
Return node
Return node
fx2r
f5
fx2r
f6
f3
eP
eQ
eR
Exit node
Supergraph
76
Paths
s

• paths(n) the set of paths from s to n
• ( (s,n1), (n1,n3), (n3,n1) )

f1
f1
n1
n2
f3
f2
f1
n3
f3
e
77
Interprocedural Valid Paths
callq
f1
ret
fk
fk-1
f2
fk-2
f3
enterq
exitq
f4
fk-3
f5

• IVP all paths with matching calls and returns
• And prefixes

78
Interprocedural Valid Paths

• IVP set of paths
• Start at program entry
• Only considers matching calls and returns
• aka, valid
• Can be defined via context free grammar
• matched matched (i matched )i e
• valid valid (i matched matched
• paths can be defined by a regular expression

79
Join Over All Paths (JOP)
i
?L ? L

• JOPv ?e1, e2, ,en(?) (e1, , en) ?
  paths(v)
• JOP ? LFP
• Sometimes JOP LFP
• precise up to symbolic execution
• Distributive problem

80
The Join-Over-Valid-Paths (JVP)

• vpaths(n) all valid paths from program start to n
• JVPn ?e1, e2, , e(?) (e1,
  e2, , e) ? vpaths(n)
• JVP ? JFP
• In some cases the JVP can be computed
• (Distributive problem)

81
Main idea functional approach

• Iterate on the abstract domain of functions from
  L to L
• Two phase algorithm
• Compute the dataflow solution at the exit of a
  procedure as a function of the initial values at
  the procedure entry (functional values)
• Compute the dataflow values at every point using
  the functional values
• Computes JVP for distributive problems

82
Example Constant propagation

• L Var?N ? ?, ?
• Domain FL?L
• (f1?f2)(x) f1(x)?f2(x)

Id?env?L.env
x7
?env.envx?7
?env.envx?7 ? ?env.env
yx1
?env.envy?env(x)1
?env.envy?env(x)1 ? ?env.envx?7 ? ?env.env
xy
83
Example Constant propagation

• L Var?N ? ?, ?
• Domain FL?L
• (f1?f2)(x) f1(x)?f2(x)

Id?env.env
Id?env.env
x7
yx1
?env.envy?env(x)1
?env.envx?7
?env.envy?env(x)1 ? ?env.envx?7
xy
84
init
N Function
0 ?e.x?e(x), a?e(a)id
1 ?e.x?e(x), a?e(a)id
3-13 ?e.?
p1
begin0
If( )2
a79
aa-13
call p10
call p4
call p11
call p5
print(x)12
aa16
end13
x-2a57
end8
85
Phase 1
N Function
1 ?e. x?e(x), a?e(a)id
2 id
7 id
8 ?e.x?-2e(a)5, a? e(a)
3 id
4 ?e.x?e(x), a? e(a)-1
5 f8 ? ?e.x?e(x), a? e(a)-1 ?e.x?-2(e(a)-1)5, a? e(a)-1
6 ?e.x?-2(e(a)-1) 5, a? e(a)-1
7 ?e.x?-2(e(a)-1)5, a? e(a) ? ?e.x? e(x), a? e(a)
8 ?a, x.x?-2e(a)5, a? e(a)
p1
begin0
If( )2
a79
aa-13
call p10
call p4
call p11
call p5
print(x)12
aa16
end13
0 ?e.x?e(x), a?e(a)id
10 ?e.x?e(x), a?7
11 ?a, x.x?-2e(a)5, a? e(a) ? f10
x-2a57
end8
86
Phase 2
N Function
1 x?0, a?7
2 x?0, a?7
7 x?0, a?7
8 x?-9, a?7
3 x?0, a?7
4 x?0, a?6
1 x?-7, a?6
6 x?-7, a?7
7 x??, a?7
8 x?-9, a?7
1 x??, a??
p1
begin0
If( )2
a79
aa-13
Call p10
Call p4
Call p11
Call p5
print(x)12
aa16
end13
0 x?0, a?0
10 x?0, a?7
11 x?-9, a?7
x-2a57
end8
87
Issues in Functional Approach

• How to guarantee that finite height for
  functional lattice?
• It may happen that L has finite height and yet
  the lattice of monotonic function from L to L do
  not
• Efficiently represent functions
• Functional join
• Functional composition
• Testing equality

88
Knoop and Steffen, CC92

• Extends the functional approach
• Adds parameters, local variables
• Information at return-site on
• Globals comes from return-site (SP81)
• Locals comes from call-site
• Combiner Rn (C?C) ? C
• Coincidence theorem
• Analysis computes (approximates) JVP
• nC ? C are distributive (monotonic)
• Rn (C?C) ? C are distributive (monotonic)
• Theorem more general

89
Knoop and Steffen, CC92

• Extends the functional approach
• Adds parameters, local variables
• Approach
• Lifts abstract semantics to manipulate unbounded
  stacks of abstract values
• C lattice ? STACK of C
• statement n on stk?
  n(stk) push( pop(skt),
  n(top(stk)) )
• Call p on stk ? push( stk, call-to-entry
  p(top(stk)) )
• return from stk ?
  push( pop(pop(stk)),Rn(top(pop(stk))
  ,top(stk)) ) ()

90
Coincidence theorem

• Analyze program with domain STACK?STACK
• Shows that stacks are always at height ? 2
• Analysis computes (approximates) JVP
• nC ? C are distributive (monotonic)
• Rn (C?C) ? C are distributive (monotonic)
• C?C is a lattice
• f (C?C) ? (C?C) is distributive if
• f(c,c) ? f(c,c) f((c, c) ? (c,
  c) ) is distributive

91
CFL-Graph reachability

• Special cases of functional analysis
• Finite distributive lattices
• Provides more efficient analysis algorithms
• Reduce the interprocedural analysis problem to
  finding context free reachability

92
IDFS / IDE

• IDFS Interprocedural Distributive Finite Subset
  Precise interprocedural dataflow analysis via
  graph reachability. Reps, Horowitz, and Sagiv,
  POPL95
• IDE Interprocedural Distributive Environment
  Precise interprocedural dataflow analysis with
  applications to constant propagation. Reps,
  Horowitz, and Sagiv, FASE95, TCS96
• More general solutions exist

93
Possibly Uninitialized Variables

w,x,y
w,y
w,y
w,y
w
w,y

94
Efficiently Representing Functions

• Let f2D?2D be a distributive function
• Then f(X) f(?) ? ?z ? X f(z)

95
Representing Dataflow Functions
Identity Function
a
b
c
Constant Function
96
Representing Dataflow Functions
a
b
c
Gen/Kill Function
a
b
c
Non-Gen/Kill Function
97
if . . .
98
Composing Dataflow Functions
99
x
y
a
b
if . . .
100
Interprocedural Dataflow Analysisvia
CFL-Reachability

• Graph Exploded control-flow graph
• L L(unbalLeft)
• unbalLeft valid
• Fact d holds at n iff there is an
  L(unbalLeft)-path from

101
Asymptotic Running Time

• CFL-reachability
• Exploded control-flow graph ND nodes
• Running time O(N3D3)
• Exploded control-flow graph Special
  structure

Running time O(ED3)
Typically E l N, hence O(ED3) l O(ND3)
Gen/kill problems O(ED)
102
Dataflow Flow Functions
103
x
y
a
b
if . . .
104
Local variables

• Global information
• Exit-to-return edges
• Local information
• Call-to-return edges
• Can be generalized to handle binary combiner
  functions
• Rinetzky, Sagiv, and Yahav, SAS05

105
IDE

• Goes beyond IFDS problems
• Can handle unbounded domains
• Requires special form of the domain
• Can be much more efficient than IFDS

106
Domain of environments

• Environments Env(D,L) D?L
• D finite set of program symbols
• L finite height lattice
• E.g., map from variables (D) to values (L)
• e ? e ?d.(e(d) ? e(d) )
• Top in Env(D,L) is ?d.?

107
Environment transformers

• t Env(D,L) ? Env(D,L)
• t should be distributive
• ?d?D (?t(e)e ? E)(d) (t(?(e) e ? E))(d)
• Must hold for inifinite sets E ? Env(D,L)

108
IDE Problem

• IP(G,D,L,M)
• G supergraph
• D, L as above
• M assigns distributive transformers to E

109
(No Transcript)
110
Point-wise representation of environments

• IFDS with weights
• Bi-partite graph
• D ? ? ? D ? ?
• Rt(d,d) ?l.
• t (?d. ) macro-function
• Rt(d,d) (?l.) micro-function

a
x
?l.l - 2
?l.l
?l.l
x a - 2
Rt(env)(d) f( Rt( , ) )(d)
t Rt
111
Point-wise representation of environments

• ? top
• ? bottom
• ? join

112
Point-wise representation of environments
? bottom ? top
Rt(env)(d)Rt(?,d)(?) ?(?d?D
Rt(d,d)(env(d)))
t Rt
113
Example Linear Constant Propagation

• Consider the constant propagation lattice
• The value of every variable y at the program exit
  can be represented by y ? (axx bx ) x
  ?Var ? c ax ,c ?Z ??, ? bx ?Z
• Supports efficient composition and functional
  join
• z a y b
• What about zxy?

114
Linear constant propagation
Point-wise representation of environment
transformers
115
IDE Analysis

• Point-wise representation closed under
  composition
• CFL-Reachability on the exploded graph
• Compose functions

116
(No Transcript)
117
(No Transcript)
118
Costs

• O(ED3)
• Class of value transformers F ? L?L
• id?F
• Finite height
• Representation scheme with (efficient)
• Application
• Composition
• Join
• Equality
• Storage

119
New Techniques

• Representing affine relations
• a1 x1 a2 x2 an xn
• Backward summary computations

120
Conclusion

• Handling functions is crucial for abstract
  interpretation
• Virtual functions and exceptions complicate
  things
• But scalability is an issue
• Small call strings
• Small functional domains
• Demand analysis