Pointer analysis lecture 2
This presentation is the property of its rightful owner.
Sponsored Links
1 / 40

Pointer Analysis Lecture 2 PowerPoint PPT Presentation


  • 100 Views
  • Uploaded on
  • Presentation posted in: General

Pointer Analysis Lecture 2. G. Ramalingam Microsoft Research, India. Andersen’s Analysis. A flow-insensitive analysis computes a single points-to solution valid at all program points ignores control-flow – treats program as a set of statements

Download Presentation

Pointer Analysis Lecture 2

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Pointer analysis lecture 2

Pointer AnalysisLecture 2

G. Ramalingam

Microsoft Research, India


Andersen s analysis

Andersen’s Analysis

  • A flow-insensitive analysis

    • computes a single points-to solution valid at all program points

    • ignores control-flow – treats program as a set of statements

    • equivalent to merging all vertices into one (and applying algorithm A)

    • equivalent to adding an edge between every pair of vertices (and applying algo. A)

    • a solution R: Vars -> 2Vars’ such that

      R IdealMayPT(u) for every vertex u


Example flow sensitive analysis

Example(Flow-Sensitive Analysis)

1

x = &a;

y = x;

x = &b;

z = x;

x = &a

2

y = x

3

x = &b

4

z = x

5


Example andersen s analysis

Example:Andersen’s Analysis

1

x = &a;

y = x;

x = &b;

z = x;

x = &a

2

y = x

3

x = &b

4

z = x

5


Andersen s analysis1

Andersen’s Analysis

  • Strong updates?

  • Initial state?


Why flow insensitive analysis

Why Flow-Insensitive Analysis?

  • Reduced space requirements

    • a single points-to solution

  • Reduced time complexity

    • no copying

      • individual updates more efficient

    • no need for joins

    • number of iterations?

    • a cubic-time algorithm

  • Scales to millions of lines of code

    • most popular points-to analysis


Andersen s analysis a set constraints formulation

Andersen’s AnalysisA Set-Constraints Formulation

  • Compute PTx for every variable x


Steensgaard s analysis

Steensgaard’s Analysis

  • Unification-based analysis

  • Inspired by type inference

    • an assignment “lhs := rhs” is interpreted as a constraint that lhs and rhs have the same type

    • the type of a pointer variable is the set of variables it can point-to

  • “Assignment-direction-insensitive”

    • treats “lhs := rhs” as if it were both “lhs := rhs” and “rhs := lhs”

  • An almost-linear time algorithm

    • single-pass algorithm; no iteration required


Example andersen s analysis1

Example:Andersen’s Analysis

1

x = &a;

y = x;

y = &b;

b = &c;

x = &a

2

y = x

3

y = &b

4

b = &c

5


Example steensgaard s analysis

Example:Steensgaard’s Analysis

1

x = &a;

y = x;

y = &b;

b = &c;

x = &a

2

y = x

3

y = &b

4

b = &c

5


Steensgaard s analysis1

Steensgaard’s Analysis

  • Can be implemented using Union-Find data-structure

  • Leads to an almost-linear time algorithm


May point to analyses

May-Point-To Analyses

Ideal-May-Point-To

???

Algorithm A

more efficient / less precise

Andersen’s

more efficient / less precise

Steensgaard’s


Ideal points to analysis definition recap

Ideal Points-To Analysis:Definition Recap

  • A sequence of states s1s2 … snis said to be an execution (of the program) iff

    • s1is the Initial-State

    • si| si+1for 1 <= I < n

  • A state s is said to be a reachable stateiff there exists some execution s1s2 … snis such that sn= s.

  • RS(u) = { s | (u,s) is reachable }

  • IdealMayPT (u) = { (p,x) | $ s Î RS(u). s(p) == x }

  • IdealMustPT (u) = { (p,x) | " s Î RS(u). s(p) == x }


Does algorithm a compute the most precise solution

Does Algorithm A Compute The Most Precise Solution?


Ideal algorithm a

Ideal <-> Algorithm A

  • Abstract away correlations between variables

    • relational analysis vs.

    • independent attribute

x: &y

y: &z

x: &b

y: &x

g

x: &b

x: &y

y: &x

y: &x

a

x: {&y,&b}

y: {&x,&z}

x: &y

y: &z

x: &b

y: &z


Does algorithm a compute the most precise solution1

Does Algorithm A Compute The Most Precise Solution?


Is the precise solution computable

Is The Precise Solution Computable?

  • Claim: The set RS(u) of reachable concrete states (for our language) is computable.

  • Note: This is true for any collecting semantics with a finite state space.


Computing rs u

Computing RS(u)


Precise points to analysis decidability

Precise Points-To Analysis:Decidability

  • Corollary: Precise may-point-to analysis is computable.

  • Corollary: Precise (demand) may-alias analysis is computable.

    • Given ptr-exp1, ptr-exp2, and a program point u, identify if there exists some reachable state at u where ptr-exp1 and ptr-exp2 are aliases.

  • Ditto for must-point-to and must-alias

  • … for our restricted language!


Precise points to analysis computational complexity

Precise Points-To Analysis:Computational Complexity

  • What’s the complexity of the least-fixed point computation using the collecting semantics?

  • The worst-case complexity of computing reachable states is exponential in the number of variables.

    • Can we do better?

  • Theorem: Computing precise may-point-to is PSPACE-hard even if we have only two-level pointers.


May point to analyses1

May-Point-To Analyses

Ideal-May-Point-To

more efficient / less precise

Algorithm A

more efficient / less precise

Andersen’s

more efficient / less precise

Steensgaard’s


Precise points to analysis caveats

Precise Points-To Analysis: Caveats

  • Theorem: Precise may-alias analysis is undecidable in the presence of dynamic memory allocation.

    • Add “x = new/malloc ()” to language

    • State-space becomes infinite

  • Digression: Integer variables + conditional-branching also makes any precise analysis undecidable.


May point to analyses2

May-Point-To Analyses

Ideal (with Int, with Malloc)

Ideal (with Int)

Ideal (with Malloc)

Ideal (no Int, no Malloc)

Algorithm A

Andersen’s

Steensgaard’s


Dynamic memory allocation

Dynamic Memory Allocation

  • s: x = new () / malloc ()

  • Assume, for now, that allocated object stores one pointer

    • s: x = malloc ( sizeof(void*) )

  • Introduce a pseudo-variable Vs to represent objects allocated at statement s, and use previous algorithm

    • treat s as if it were “x = &Vs”

    • also track possible values of Vs

    • allocation-site based approach

  • Key aspect: Vs represents a set of objects (locations), not a single object

    • referred to as a summary object (node)


Dynamic memory allocation example

Dynamic Memory Allocation:Example

1

x = new;

y = x;

*y = &b;

*y = &a;

x = new

2

y = x

3

*y = &b

4

*y = &a

5


Dynamic memory allocation summary object update

Dynamic Memory Allocation:Summary Object Update

4

*y = &a

5


Dynamic memory allocation object fields

Dynamic Memory Allocation:Object Fields

  • Field-sensitive analysis

class Foo {

A* f;

B* g;

}

s: x = new Foo()

x->f = &b;

x->g = &a;


Dynamic memory allocation object fields1

Dynamic Memory Allocation:Object Fields

  • Field-insensitive analysis

class Foo {

A* f;

B* g;

}

s: x = new Foo()

x->f = &b;

x->g = &a;


Interpreting branch conditions

Interpreting Branch Conditions


Conditional control flow in the concrete semantics

Conditional Control-Flow(In The Concrete Semantics)

  • Encoding conditional-control-flow

    • using “assume” statements

1

if (P) then

S1;

else

S2;

endif

assume !P

assume P

2

4

S1

S2

3

5


Conditional control flow in the concrete semantics1

Conditional Control-Flow(In The Concrete Semantics)

  • Semantics of “assume” statements

    • DataState -> {true,false}

1

if (P) then

S1;

else

S2;

endif

assume !P

assume P

2

4

S1

S2

3

5


Abstracting assume statements

Abstracting “assume” statements

1

if (x != null) then

y = x;

else

endif

assume (x != null)

assume (x == null)

2

4

y = x

S2

3

5


Abstracting assume statements1

Abstracting “assume” statements

2

assume x == y

3


Other aspects

Other Aspects

  • Context-sensitivity

  • Indirect (virtual) function calls and call-graph construction

  • Pointer arithmetic

  • Object-sensitivity


Andersen s analysis further optimizations and extensions

Andersen’s Analysis:Further Optimizations and Extensions

  • Fahndrich et al., Partial online cycle elimination in inclusion constraint graphs, PLDI 1998.

  • Rountev and Chandra, Offline variable substitution for scaling points-to analysis, 2000.

  • Heintze and Tardieu, Ultra-fast aliasing analysis using CLA: a million lines of C code in a second, PLDI 2001.

  • M. Hind, Pointer analysis: Haven’t we solved this problem yet?, PASTE 2001.

  • Hardekopf and Lin, The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code, PLDI 2007.

  • Hardekopf and Lin, Exploiting pointer and location equivalence to optimize pointer analysis, SAS 2007.

  • Hardekopf and Lin, Semi-sparse flow-sensitive pointer analysis, POPL 2009.


Andersen s analysis further optimizations

Andersen’s Analysis:Further Optimizations

  • Cycle Elimination

    • Offline

    • Online

  • Pointer Variable Equivalence


Context sensitivity etc

Context-Sensitivity Etc.

  • Liang & Harrold, Efficient computation of parameterized pointer information for interprocedural analyses. SAS 2001.

  • Lattner et al., Making context-sensitive points-to analysis with heap cloning practical for the real world, PLDI 2007.

  • Zhu & Calman, Symbolic pointer analysis revisited. PLDI 2004.

  • Whaley & Lam, Cloning-based context-sensitive pointer alias analysis using BDD, PLDI 2004.

  • Rountev et al. Points-to analysis for Java using annotated constraints. OOPSLA 2001.

  • Milanova et al. Parameterized object sensitivity for points-to and side-effect analyses for Java. ISSTA 2002.


Applications

Applications

  • Compiler optimizations

  • Verification & Bug Finding

    • use in preliminary phases

    • use in verification itself


Questions

Questions?


  • Login