1 / 40

Pointer Analysis Lecture 2

Pointer Analysis Lecture 2. G. Ramalingam Microsoft Research, India. Andersen’s Analysis. A flow-insensitive analysis computes a single points-to solution valid at all program points ignores control-flow – treats program as a set of statements

onawa
Download Presentation

Pointer Analysis Lecture 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Pointer AnalysisLecture 2 G. Ramalingam Microsoft Research, India

  2. Andersen’s Analysis • A flow-insensitive analysis • computes a single points-to solution valid at all program points • ignores control-flow – treats program as a set of statements • equivalent to merging all vertices into one (and applying algorithm A) • equivalent to adding an edge between every pair of vertices (and applying algo. A) • a solution R: Vars -> 2Vars’ such that R IdealMayPT(u) for every vertex u

  3. Example(Flow-Sensitive Analysis) 1 x = &a; y = x; x = &b; z = x; x = &a 2 y = x 3 x = &b 4 z = x 5

  4. Example:Andersen’s Analysis 1 x = &a; y = x; x = &b; z = x; x = &a 2 y = x 3 x = &b 4 z = x 5

  5. Andersen’s Analysis • Strong updates? • Initial state?

  6. Why Flow-Insensitive Analysis? • Reduced space requirements • a single points-to solution • Reduced time complexity • no copying • individual updates more efficient • no need for joins • number of iterations? • a cubic-time algorithm • Scales to millions of lines of code • most popular points-to analysis

  7. Andersen’s AnalysisA Set-Constraints Formulation • Compute PTx for every variable x

  8. Steensgaard’s Analysis • Unification-based analysis • Inspired by type inference • an assignment “lhs := rhs” is interpreted as a constraint that lhs and rhs have the same type • the type of a pointer variable is the set of variables it can point-to • “Assignment-direction-insensitive” • treats “lhs := rhs” as if it were both “lhs := rhs” and “rhs := lhs” • An almost-linear time algorithm • single-pass algorithm; no iteration required

  9. Example:Andersen’s Analysis 1 x = &a; y = x; y = &b; b = &c; x = &a 2 y = x 3 y = &b 4 b = &c 5

  10. Example:Steensgaard’s Analysis 1 x = &a; y = x; y = &b; b = &c; x = &a 2 y = x 3 y = &b 4 b = &c 5

  11. Steensgaard’s Analysis • Can be implemented using Union-Find data-structure • Leads to an almost-linear time algorithm

  12. May-Point-To Analyses Ideal-May-Point-To ??? Algorithm A more efficient / less precise Andersen’s more efficient / less precise Steensgaard’s

  13. Ideal Points-To Analysis:Definition Recap • A sequence of states s1s2 … snis said to be an execution (of the program) iff • s1is the Initial-State • si| si+1for 1 <= I < n • A state s is said to be a reachable stateiff there exists some execution s1s2 … snis such that sn= s. • RS(u) = { s | (u,s) is reachable } • IdealMayPT (u) = { (p,x) | $ s Î RS(u). s(p) == x } • IdealMustPT (u) = { (p,x) | " s Î RS(u). s(p) == x }

  14. Does Algorithm A Compute The Most Precise Solution?

  15. Ideal <-> Algorithm A • Abstract away correlations between variables • relational analysis vs. • independent attribute x: &y y: &z x: &b y: &x g x: &b x: &y y: &x y: &x a x: {&y,&b} y: {&x,&z} x: &y y: &z x: &b y: &z

  16. Does Algorithm A Compute The Most Precise Solution?

  17. Is The Precise Solution Computable? • Claim: The set RS(u) of reachable concrete states (for our language) is computable. • Note: This is true for any collecting semantics with a finite state space.

  18. Computing RS(u)

  19. Precise Points-To Analysis:Decidability • Corollary: Precise may-point-to analysis is computable. • Corollary: Precise (demand) may-alias analysis is computable. • Given ptr-exp1, ptr-exp2, and a program point u, identify if there exists some reachable state at u where ptr-exp1 and ptr-exp2 are aliases. • Ditto for must-point-to and must-alias • … for our restricted language!

  20. Precise Points-To Analysis:Computational Complexity • What’s the complexity of the least-fixed point computation using the collecting semantics? • The worst-case complexity of computing reachable states is exponential in the number of variables. • Can we do better? • Theorem: Computing precise may-point-to is PSPACE-hard even if we have only two-level pointers.

  21. May-Point-To Analyses Ideal-May-Point-To more efficient / less precise Algorithm A more efficient / less precise Andersen’s more efficient / less precise Steensgaard’s

  22. Precise Points-To Analysis: Caveats • Theorem: Precise may-alias analysis is undecidable in the presence of dynamic memory allocation. • Add “x = new/malloc ()” to language • State-space becomes infinite • Digression: Integer variables + conditional-branching also makes any precise analysis undecidable.

  23. May-Point-To Analyses Ideal (with Int, with Malloc) Ideal (with Int) Ideal (with Malloc) Ideal (no Int, no Malloc) Algorithm A Andersen’s Steensgaard’s

  24. Dynamic Memory Allocation • s: x = new () / malloc () • Assume, for now, that allocated object stores one pointer • s: x = malloc ( sizeof(void*) ) • Introduce a pseudo-variable Vs to represent objects allocated at statement s, and use previous algorithm • treat s as if it were “x = &Vs” • also track possible values of Vs • allocation-site based approach • Key aspect: Vs represents a set of objects (locations), not a single object • referred to as a summary object (node)

  25. Dynamic Memory Allocation:Example 1 x = new; y = x; *y = &b; *y = &a; x = new 2 y = x 3 *y = &b 4 *y = &a 5

  26. Dynamic Memory Allocation:Summary Object Update 4 *y = &a 5

  27. Dynamic Memory Allocation:Object Fields • Field-sensitive analysis class Foo { A* f; B* g; } s: x = new Foo() x->f = &b; x->g = &a;

  28. Dynamic Memory Allocation:Object Fields • Field-insensitive analysis class Foo { A* f; B* g; } s: x = new Foo() x->f = &b; x->g = &a;

  29. Interpreting Branch Conditions

  30. Conditional Control-Flow(In The Concrete Semantics) • Encoding conditional-control-flow • using “assume” statements 1 if (P) then S1; else S2; endif assume !P assume P 2 4 S1 S2 3 5

  31. Conditional Control-Flow(In The Concrete Semantics) • Semantics of “assume” statements • DataState -> {true,false} 1 if (P) then S1; else S2; endif assume !P assume P 2 4 S1 S2 3 5

  32. Abstracting “assume” statements 1 if (x != null) then y = x; else … endif assume (x != null) assume (x == null) 2 4 y = x S2 3 5

  33. Abstracting “assume” statements 2 assume x == y 3

  34. Other Aspects • Context-sensitivity • Indirect (virtual) function calls and call-graph construction • Pointer arithmetic • Object-sensitivity

  35. Andersen’s Analysis:Further Optimizations and Extensions • Fahndrich et al., Partial online cycle elimination in inclusion constraint graphs, PLDI 1998. • Rountev and Chandra, Offline variable substitution for scaling points-to analysis, 2000. • Heintze and Tardieu, Ultra-fast aliasing analysis using CLA: a million lines of C code in a second, PLDI 2001. • M. Hind, Pointer analysis: Haven’t we solved this problem yet?, PASTE 2001. • Hardekopf and Lin, The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code, PLDI 2007. • Hardekopf and Lin, Exploiting pointer and location equivalence to optimize pointer analysis, SAS 2007. • Hardekopf and Lin, Semi-sparse flow-sensitive pointer analysis, POPL 2009.

  36. Andersen’s Analysis:Further Optimizations • Cycle Elimination • Offline • Online • Pointer Variable Equivalence

  37. Context-Sensitivity Etc. • Liang & Harrold, Efficient computation of parameterized pointer information for interprocedural analyses. SAS 2001. • Lattner et al., Making context-sensitive points-to analysis with heap cloning practical for the real world, PLDI 2007. • Zhu & Calman, Symbolic pointer analysis revisited. PLDI 2004. • Whaley & Lam, Cloning-based context-sensitive pointer alias analysis using BDD, PLDI 2004. • Rountev et al. Points-to analysis for Java using annotated constraints. OOPSLA 2001. • Milanova et al. Parameterized object sensitivity for points-to and side-effect analyses for Java. ISSTA 2002.

  38. Applications • Compiler optimizations • Verification & Bug Finding • use in preliminary phases • use in verification itself

  39. Questions?

More Related