Interprocedural Analysis - PowerPoint PPT Presentation

About This Presentation
Title:

Interprocedural Analysis

Description:

Interprocedural Analysis Noam Rinetzky Mooly Sagiv – PowerPoint PPT presentation

Number of Views:171
Avg rating:3.0/5.0
Slides: 97
Provided by: Dor103
Category:

less

Transcript and Presenter's Notes

Title: Interprocedural Analysis


1
Interprocedural Analysis
Noam RinetzkyMooly Sagiv
2
Challenges in Interprocedural Analysis
  • Respect call-return mechanism
  • Handling recursion
  • Local variables
  • Parameter passing mechanisms
  • The called procedure is not always known
  • The source code of the called procedure is not
    always available
  • Concurrency

3
Stack regime
call
P() R()
Q() R()
call
R()
return
return
R
P
4
Guiding light
  • Exploit stack regime
  • Precision
  • Efficiency

5
Simplifying Assumptions
  • Parameter passed by value
  • No OO
  • No nesting
  • No concurrency
  • Recursion is supported

6
Topics Covered
  • The trivial approach
  • Procedure Inlining
  • The naive approach
  • The call string approach
  • Functional Approach
  • Valid paths
  • Interprocedural Analysis via Graph Reachability
  • Beyond reachability
  • Demand analysis
  • Advanced Topics
  • Karrs analysis
  • Backward
  • MOPED

7
Constant Propagation
  • Find variables with constant value at a given
    program location

int p(int x) return x x void
main() int z if (...) z p(5) 5 else
z p(4) 4 printf (z)
8
Example Program
x 5 y 7 if (...) y x 2 z x y
9
Undecidability Issues
  • It is undecidable if a program point is
    reachablein some execution
  • Some static analysis problems are undecidable
    even if the program conditions are ignored

10
The Constant Propagation Example
while (...) if (...) x_1 x_1 1
if (...) x_2 x_2 1 ...
if (...) x_n x_n 1 y
truncate (1/ (1 p2(x_1, x_2, ..., x_n))/ Is
y0 here? /
11
Conservative Solution
  • Every detected constant is indeed constant
  • But may fail to identify some constants
  • Every potential impact is identified
  • Superfluous impacts

12
The extra cost of procedures
  • Call return complicates the analysis
  • Unbounded stack memory
  • Increases asymptotic complexity
  • But can be tolerable in practice
  • Sometimes even cheaper/more precise than
    intraprocedural analysis

13
A trivial treatment of procedure
  • Analyze a single procedure
  • After every call continue with conservative
    information
  • Global variables and local variables which may
    be modified by the call have unknown values
  • Can be easily implemented
  • Procedures can be written in different languages
  • Procedure inline can help

14
Disadvantages of the trivial solution
  • Modular (object oriented and functional)
    programming encourages small frequently called
    procedures
  • Almost all information is lost

15
Procedure Inlining
  • Inline called procedures
  • Simple
  • Does not handle recursion
  • Exponential blow up

p1 call p2 call p2
p2 call p3 call p3
p3
16
A Naive Interprocedural solution
  • Treat procedure calls as gotos
  • Abstract call/return correlations
  • Obtain a conservative solution
  • Use chaotic iterations
  • Usually fast

17
Simple Example
int p(int a) return a 1
void main() int x x p(7) x
p(9)
18
Simple Example
int p(int a) a ?7 return a 1
void main() int x x p(7) x
p(9)
19
Simple Example
int p(int a) a ?7 return a 1 a
?7, ?8
void main() int x x p(7) x
p(9)
20
Simple Example
int p(int a) a ?7 return a 1 a
?7, ?8
void main() int x x p(7) x
?8 x p(9) x ?8
21
Simple Example
int p(int a) a ?7 return a 1 a
?7, ?8
void main() int x x l p(7) x
?8 x p(9) x ?8
22
Simple Example
int p(int a) a ?? return a 1 a
?7, ?8
void main() int x x p(7) x
?8 x p(9) x ?8
23
Simple Example
int p(int a) a ?? return a 1 a
??, ??
void main() int x x p(7) x
?8 x p(9) x ?8
24
Simple Example
int p(int a) a ?? return a 1 a
??, ??
void main() int x x p(7) x
?? x p(9) x ??
25
The Call String Approach
  • The data flow value is associated with sequences
    of calls (call string)
  • Use Chaotic iterations
  • To guarantee termination limit the size of call
    string (typically 1 or 2)
  • Represents tails of calls
  • Abstract inline

26
Simple Example
int p(int a) return a 1
void main() int x c1 x p(7)
c2 x p(9)
27
Simple Example
int p(int a) c1 a ?7 return a 1
void main() int x c1 x p(7)
c2 x p(9)
28
Simple Example
int p(int a) c1 a ?7 return a 1
c1a ?7, ?8
void main() int x c1 x p(7)
c2 x p(9)
29
Simple Example
int p(int a) c1 a ?7 return a 1
c1a ?7, ?8
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
30
Simple Example
int p(int a) c1a ?7 return a 1
c1a ?7, ?8
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
31
Simple Example
int p(int a) c1a ?7 c2a ?9
return a 1 c1a ?7, ?8
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
32
Simple Example
int p(int a) c1a ?7 c2a ?9
return a 1 c1a ?7, ?8 c2a ?9,
?10
void main() int x c1 x p(7)
? x ? 8 c2 x p(9)
33
Simple Example
int p(int a) c1a ?7 c2a ?9
return a 1 c1a ?7, ?8 c2a ?9,
?10
void main() int x c1 x p(7)
? x ? 8 c2 x p(9) ? x ? 10
34
Another Example
int p(int a) c1a ?7 c2a ?9
return c3 p1(a 1) c1a ?7, ??
c2a ?9, ??
int p1(int b) (c1c2)c3b ?? return 2
b (c1c2)c3b ??, ??
void main() int x c1 x p(7)
? x ? 8 c2 x p(9) ? x ? 10
35
Recursion
int p(int a) c1 a ? 7 if ()
c1 a ? 7 a a -1 c1 a ? 6
c2 p (a) a a 1 x -2a 5
void main() c1 x p(7)
36
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
6 if () c1 a ? 7 a a
-1 c1 a ? 6 c2 p (a) a
a 1 x -2a 5
void main() c1 x p(7)
37
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
6 if () c1 a ? 7 c1.c2
a ? 6 a a -1 c1 a ? 6
c2 p (a) a a 1 x -2a 5
void main() c1 x p(7)
38
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
6 if () c1 a ? 7 c1.c2
a ? 6 a a -1 c1 a ? 6
c1.c2 a ? 5 c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
39
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? 6 a a -1 c1 a ? 6
c1.c2 a ? 5 c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
40
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? ? a a -1 c1 a ? 6
c1.c2 a ? 5 c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
41
Recursion
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? ? a a -1 c1 a ? 6
c1.c2 a ? ? c2 p (a) a a
1 x -2a 5
void main() c1 x p(7)
42
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2
a ? ? a a -1 c1 a ? 6
c1.c2 a ? ? c2 p (a) a a
1 c1 a ? 7 c1.c2 a ? ? x -2a
5 c1 a ? 7, x ?-9 c1.c2 a ? ?, x??
void main() c1 x p(7)
43
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1.c2 a ? ?,
x?? a a 1 c1 a ? 7 c1.c2 a
? ? x -2a 5 c1 a ? 7, x ?-9 c1.c2 a
? ?, x??
void main() c1 x p(7)
44
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1.c2 a ? ?,
x?? a a 1 c1.c2 a ? ?, x??
c1 a ? 7 c1.c2 a ? ? x -2a 5 c1
a ? 7, x ?-9 c1.c2 a ? ?, x??
void main() c1 x p(7)
45
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1 a ? ?, x ??
a a 1 c1.c2 a ? ?, x?? c1 a ?
?, x ?? c1 a ? 7 c1.c2 a ? ? x -2a
5 c1 a ? ?, x ?? c1.c2 a ? ?, x??
void main() c1 x p(7)
46
int p(int a) c1 a ? 7 c1.c2 a ?
? if () c1 a ? 7 c1.c2 a ?
? a a -1 c1 a ? 6 c1.c2
a ? ? c2 p (a) c1.c2 a ? ?
a a 1 c1.c2 a ? ? c1.c2 a
? ? x -2a 5 c1.c2 a ? ?, x??
void main() c1 p(7) ? x ??
47
Special cases and Extensions
  • Finite distributive lattice
  • There exists a bound on the call string which
    leads to join over all valid paths
  • Solution seemingly unsafe
  • Decomposable problem (Independent attributes)
  • L L1 x L2 x x Lk
  • F F1 x F2 x x Fk
  • Cost is quadratic in max Li
  • Kill-Gen is a special case
  • Abstract call strings
  • Generalizes k-limiting of suffixes

48
Summary Call String
  • Easy to implement
  • Efficient for small call strings
  • For finite domains can be precise even with
    recursion
  • Limited precision
  • Order of calls can be abstracted
  • Related method procedure cloning

49
The Functional Approach
  • The meaning of a procedure is mapping from states
    into states
  • The abstract meaning of a procedure is function
    from an abstract state to abstract states
  • Relation between input and output

50
The Functional Approach
  • Two phase algorithm
  • Compute the dataflow solution at the exit of a
    procedure as a function of the initial values at
    the procedure entry (functional values)
  • Compute the dataflow values at every point using
    the functional values

51
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 p (a) a a 1
x -2a 5 a ?a0, x ?-2a0 5
void main() p(7)
52
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 p (a) a a 1
a ?a0, x ?x0 x -2a 5
void main() p(7)
53
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 p (a) a a 1
a ?a0, x ?x0 x -2a 5 a ?a0, x ?-2a0
5
void main() p(7)
54
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a a 1 a ?a0, x ?x0 x -2a
5 a ?a0, x ?-2a0 5
void main() p(7)
55
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a ?a0-1, x ?? a a 1 a ?a0,
x ?x0 x -2a 5 a ?a0, x ?-2a0 5
void main() p(7)
56
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a ?a0-1, x ?? a a 1 a ?a0, x
?? a ?a0, x ?x0 x -2a 5 a ?a0, x
?-2a0 5
void main() p(7)
57
Phase 1
int p(int a) a ?a0, x ?x0 if ()
a a -1 a ?a0-1, x ?x0 p (a)
a ?a0-1, x ?-2(a0-1) 5 a a 1
a ?a0, x ? -2(a0-1) 5 a ?a0, x ?? x
-2a 5 a ?a0, x ?-2a0 5
void main() p(7)
58
Phase 2
int p(int a) if () a a -1 p
(a) a a 1 x -2a 5
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
59
Phase 2
void main() p(7) x ? -9
int p(int a) a ?7, x ?0 if () a
a -1 p (a) a a 1 x
-2a 5
p(a0,x0) a ?a0, x ?-2a0 5
60
Phase 2
void main() p(7) x ? -9
int p(int a) a ?7, x ?0 if () a
a -1 p (a) a a 1 a
?7, x ?0 x -2a 5
p(a0,x0) a ?a0, x ?-2a0 5
61
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 p (a) a a 1 a
?7, x ?0 x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
62
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a a
1 a ?7, x ?0 x -2a 5 a ?7, x
?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
63
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?0 x
-2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
64
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?0 x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
65
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
66
Phase 2
int p(int a) a ?7, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
67
Phase 2
int p(int a) a ?7, x ?0 a ?6, x ?0 if ()
a a -1 a ?6, x ?0 p
(a) a ?6, x ?-9 a a 1 a
?7, x ?-9 a ?7, x ?? x -2a 5 a
?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
68
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ?6, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
69
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ?6,
x ?-9 a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
70
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ?7, x ?-9
a ?7, x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
71
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ??, x ?? a ?7,
x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
72
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ??, x ?? a ??,
x ?? x -2a 5 a ?7, x ?-9
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
73
Phase 2
int p(int a) a ??, x ?0 if () a
a -1 a ??, x ?0 p (a) a ??,
x ?? a a 1 a ??, x ?? a ??,
x ?? x -2a 5 a ??, x ??
void main() p(7) x ? -9
p(a0,x0) a ?a0, x ?-2a0 5
74
Summary Functional approach
  • Computes procedure abstraction
  • Sharing between different contexts
  • Rather precise
  • Recursive procedures may be more
    precise/efficient than loops
  • But requires more from the implementation
  • Representing relations
  • Composing relations

75
Interprocedural analysis
Q
P
R
Entry node
sP
sQ
sR
Call node
fc2e
f1
fc2e
Call node
f1
f1
f1
n4
n6
n1
n2
Call Q
Call Q
f3
f2
f1
n5
n7
n3
Return node
Return node
fx2r
f5
fx2r
f6
f3
eP
eQ
eR
Exit node
Supergraph
76
Paths
s
  • paths(n) the set of paths from s to n
  • ( (s,n1), (n1,n3), (n3,n1) )

f1
f1
n1
n2
f3
f2
f1
n3
f3
e
77
Interprocedural Valid Paths
callq
f1
ret
fk
fk-1
f2
fk-2
f3
enterq
exitq
f4
fk-3
f5
  • IVP all paths with matching calls and returns
  • And prefixes

78
Interprocedural Valid Paths
  • IVP set of paths
  • Start at program entry
  • Only considers matching calls and returns
  • aka, valid
  • Can be defined via context free grammar
  • matched matched (i matched )i e
  • valid valid (i matched matched
  • paths can be defined by a regular expression

79
Join Over All Paths (JOP)
i
?L ? L
  • JOPv ?e1, e2, ,en(?) (e1, , en) ?
    paths(v)
  • JOP ? LFP
  • Sometimes JOP LFP
  • precise up to symbolic execution
  • Distributive problem

80
The Join-Over-Valid-Paths (JVP)
  • vpaths(n) all valid paths from program start to n
  • JVPn ?e1, e2, , e(?) (e1,
    e2, , e) ? vpaths(n)
  • JVP ? JFP
  • In some cases the JVP can be computed
  • (Distributive problem)

81
Main idea functional approach
  • Iterate on the abstract domain of functions from
    L to L
  • Two phase algorithm
  • Compute the dataflow solution at the exit of a
    procedure as a function of the initial values at
    the procedure entry (functional values)
  • Compute the dataflow values at every point using
    the functional values
  • Computes JVP for distributive problems

82
Example Constant propagation
  • L Var?N ? ?, ?
  • Domain FL?L
  • (f1?f2)(x) f1(x)?f2(x)

Id?env?L.env
x7
?env.envx?7
?env.envx?7 ? ?env.env
yx1
?env.envy?env(x)1
?env.envy?env(x)1 ? ?env.envx?7 ? ?env.env
xy
83
Example Constant propagation
  • L Var?N ? ?, ?
  • Domain FL?L
  • (f1?f2)(x) f1(x)?f2(x)

Id?env.env
Id?env.env
x7
yx1
?env.envy?env(x)1
?env.envx?7
?env.envy?env(x)1 ? ?env.envx?7
xy
84
init
N Function
0 ?e.x?e(x), a?e(a)id
1 ?e.x?e(x), a?e(a)id
3-13 ?e.?
p1
begin0
If( )2
a79
aa-13
call p10
call p4
call p11
call p5
print(x)12
aa16
end13
x-2a57
end8
85
Phase 1
N Function
1 ?e. x?e(x), a?e(a)id
2 id
7 id
8 ?e.x?-2e(a)5, a? e(a)
3 id
4 ?e.x?e(x), a? e(a)-1
5 f8 ? ?e.x?e(x), a? e(a)-1 ?e.x?-2(e(a)-1)5, a? e(a)-1
6 ?e.x?-2(e(a)-1) 5, a? e(a)-1
7 ?e.x?-2(e(a)-1)5, a? e(a) ? ?e.x? e(x), a? e(a)
8 ?a, x.x?-2e(a)5, a? e(a)
p1
begin0
If( )2
a79
aa-13
call p10
call p4
call p11
call p5
print(x)12
aa16
end13
0 ?e.x?e(x), a?e(a)id
10 ?e.x?e(x), a?7
11 ?a, x.x?-2e(a)5, a? e(a) ? f10
x-2a57
end8
86
Phase 2
N Function
1 x?0, a?7
2 x?0, a?7
7 x?0, a?7
8 x?-9, a?7
3 x?0, a?7
4 x?0, a?6
1 x?-7, a?6
6 x?-7, a?7
7 x??, a?7
8 x?-9, a?7
1 x??, a??
p1
begin0
If( )2
a79
aa-13
Call p10
Call p4
Call p11
Call p5
print(x)12
aa16
end13
0 x?0, a?0
10 x?0, a?7
11 x?-9, a?7
x-2a57
end8
87
Issues in Functional Approach
  • How to guarantee that finite height for
    functional lattice?
  • It may happen that L has finite height and yet
    the lattice of monotonic function from L to L do
    not
  • Efficiently represent functions
  • Functional join
  • Functional composition
  • Testing equality

88
Knoop and Steffen, CC92
  • Extends the functional approach
  • Adds parameters, local variables
  • Information at return-site on
  • Globals comes from return-site (SP81)
  • Locals comes from call-site
  • Combiner Rn (C?C) ? C
  • Coincidence theorem
  • Analysis computes (approximates) JVP
  • nC ? C are distributive (monotonic)
  • Rn (C?C) ? C are distributive (monotonic)
  • Theorem more general

89
Knoop and Steffen, CC92
  • Extends the functional approach
  • Adds parameters, local variables
  • Approach
  • Lifts abstract semantics to manipulate unbounded
    stacks of abstract values
  • C lattice ? STACK of C
  • statement n on stk?
    n(stk) push( pop(skt),
    n(top(stk)) )
  • Call p on stk ? push( stk, call-to-entry
    p(top(stk)) )
  • return from stk ?
    push( pop(pop(stk)),Rn(top(pop(stk))
    ,top(stk)) ) ()

90
Coincidence theorem
  • Analyze program with domain STACK?STACK
  • Shows that stacks are always at height ? 2
  • Analysis computes (approximates) JVP
  • nC ? C are distributive (monotonic)
  • Rn (C?C) ? C are distributive (monotonic)
  • C?C is a lattice
  • f (C?C) ? (C?C) is distributive if
  • f(c,c) ? f(c,c) f((c, c) ? (c,
    c) ) is distributive

91
CFL-Graph reachability
  • Special cases of functional analysis
  • Finite distributive lattices
  • Provides more efficient analysis algorithms
  • Reduce the interprocedural analysis problem to
    finding context free reachability

92
IDFS / IDE
  • IDFS Interprocedural Distributive Finite Subset
    Precise interprocedural dataflow analysis via
    graph reachability. Reps, Horowitz, and Sagiv,
    POPL95
  • IDE Interprocedural Distributive Environment
    Precise interprocedural dataflow analysis with
    applications to constant propagation. Reps,
    Horowitz, and Sagiv, FASE95, TCS96
  • More general solutions exist

93
Possibly Uninitialized Variables

w,x,y
w,y
w,y
w,y
w
w,y

94
Efficiently Representing Functions
  • Let f2D?2D be a distributive function
  • Then f(X) f(?) ? ?z ? X f(z)

95
Representing Dataflow Functions
Identity Function
a
b
c
Constant Function
96
Representing Dataflow Functions
a
b
c
Gen/Kill Function
a
b
c
Non-Gen/Kill Function
97
if . . .
98
Composing Dataflow Functions
99
x
y
a
b
if . . .
100
Interprocedural Dataflow Analysisvia
CFL-Reachability
  • Graph Exploded control-flow graph
  • L L(unbalLeft)
  • unbalLeft valid
  • Fact d holds at n iff there is an
    L(unbalLeft)-path from

101
Asymptotic Running Time
  • CFL-reachability
  • Exploded control-flow graph ND nodes
  • Running time O(N3D3)
  • Exploded control-flow graph Special
    structure

Running time O(ED3)
Typically E l N, hence O(ED3) l O(ND3)
Gen/kill problems O(ED)
102
Dataflow Flow Functions
103
x
y
a
b
if . . .
104
Local variables
  • Global information
  • Exit-to-return edges
  • Local information
  • Call-to-return edges
  • Can be generalized to handle binary combiner
    functions
  • Rinetzky, Sagiv, and Yahav, SAS05

105
IDE
  • Goes beyond IFDS problems
  • Can handle unbounded domains
  • Requires special form of the domain
  • Can be much more efficient than IFDS

106
Domain of environments
  • Environments Env(D,L) D?L
  • D finite set of program symbols
  • L finite height lattice
  • E.g., map from variables (D) to values (L)
  • e ? e ?d.(e(d) ? e(d) )
  • Top in Env(D,L) is ?d.?

107
Environment transformers
  • t Env(D,L) ? Env(D,L)
  • t should be distributive
  • ?d?D (?t(e)e ? E)(d) (t(?(e) e ? E))(d)
  • Must hold for inifinite sets E ? Env(D,L)

108
IDE Problem
  • IP(G,D,L,M)
  • G supergraph
  • D, L as above
  • M assigns distributive transformers to E

109
(No Transcript)
110
Point-wise representation of environments
  • IFDS with weights
  • Bi-partite graph
  • D ? ? ? D ? ?
  • Rt(d,d) ?l.
  • t (?d. ) macro-function
  • Rt(d,d) (?l.) micro-function

a
x
?l.l - 2
?l.l
?l.l
x a - 2
Rt(env)(d) f( Rt( , ) )(d)
t Rt
111
Point-wise representation of environments
  • ? top
  • ? bottom
  • ? join

112
Point-wise representation of environments
? bottom ? top
Rt(env)(d)Rt(?,d)(?) ?(?d?D
Rt(d,d)(env(d)))
t Rt
113
Example Linear Constant Propagation
  • Consider the constant propagation lattice
  • The value of every variable y at the program exit
    can be represented by y ? (axx bx ) x
    ?Var ? c ax ,c ?Z ??, ? bx ?Z
  • Supports efficient composition and functional
    join
  • z a y b
  • What about zxy?

114
Linear constant propagation
Point-wise representation of environment
transformers
115
IDE Analysis
  • Point-wise representation closed under
    composition
  • CFL-Reachability on the exploded graph
  • Compose functions

116
(No Transcript)
117
(No Transcript)
118
Costs
  • O(ED3)
  • Class of value transformers F ? L?L
  • id?F
  • Finite height
  • Representation scheme with (efficient)
  • Application
  • Composition
  • Join
  • Equality
  • Storage

119
New Techniques
  • Representing affine relations
  • a1 x1 a2 x2 an xn
  • Backward summary computations

120
Conclusion
  • Handling functions is crucial for abstract
    interpretation
  • Virtual functions and exceptions complicate
    things
  • But scalability is an issue
  • Small call strings
  • Small functional domains
  • Demand analysis
Write a Comment
User Comments (0)
About PowerShow.com