1 / 23

Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html

Pointer and Shape Analysis Seminar http://www.cs.tau.ac.il/~msagiv/courses/shape.html. Mooly Sagiv Schriber 317 msagiv@post Office Hours Thursday 15-16. General Information. Prerequisites Compilers | Program Analysis Select 3 topics by Sunday Participate in 9 seminar talks

hashim
Download Presentation

Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Pointer and Shape Analysis Seminarhttp://www.cs.tau.ac.il/~msagiv/courses/shape.html Mooly Sagiv Schriber 317 msagiv@post Office Hours Thursday 15-16

  2. General Information • Prerequisites • Compilers | Program Analysis • Select 3 topics by Sunday • Participate in 9 seminar talks • Present a paper

  3. Outline • Schedule • Point-to analysis

  4. Tentative Schedule

  5. Points-To Analysis • Determine if a variable points to a variable at some (all) execution paths [1] p = &a; [2] q = &b; [3] if (getc()) [4] q = &c [5] q  b p  a q  c

  6. Iterative Program Analysis • Start by optimistically assuming that nothing is wrong • No points-to set • At every iteration apply the abstract meaning of programming language statements and add more points-to pairs • Stop when no changes occur

  7. Iterative Points-to Analysis t= &a ta y= &b ta, yb z= &c ta, yb, z c *p= t ta, yb, z c ta, yb, z c p= &y p= &z ta, yb, z c, py ta, yb, z c, pz ta, yb, z c, py, pz

  8. Iterative Points-to Analysis t= &a ta y= &b ta, yb z= &c ta, yb, z c, py, pz *p= t ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za p= &y p= &z ta, yb, z c, py ta, yb, z c, pz ta, yb, z c, py, pz

  9. Iterative Points-to Analysis t= &a ta y= &b ta, yb z= &c ta, yb, z c, py, pz *p= t ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za p= &y p= &z ta, yb, z c, py, ya, za ta, yb, z c, pz, ya, za ta, yb, z c, py, pz

  10. Iterative Points-to Analysis t= &a ta y= &b ta, yb z= &c ta, yb, z c, py, pz, ya, za *p= t ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za p= &y p= &z ta, yb, z c, py, ya, za ta, yb, z c, pz, ya, za ta, yb, z c, py, pz, ya, za

  11. A Simple Programming Language • Arbitrary (uninterpreted) control flow statement • Atomic statements • x = y • x = &y • x = *y • *x = y

  12. Abstract Semantics • For every atomic statement S S  #: P(Var* Var*) P(Var* Var*) x := &y # (pt) = pt – {(x, *)}  {(x, y)} x := y #(pt) = pt – {(x, *)}  {(x, z)| (y, z) pt} x := *y # (pt) = pt – {(x, *)}  {(x, z)| (y, w), (w, z) pt} *x := y #(pt) = pt  {(w, t)| (x, w), (y, t) pt}

  13. t= &a 1 y= &b 2 z= &c 3 *p= t 4 5 6 p= &y p= &z 7

  14. Supporting Memory Allocation • Uniform treatment of the memory allocated at an allocation statement • For every atomic statement S • S  #: P(Var* Var*) P(Var* Var*) • x := &y # (pt) = pt – {(x, *)}  {(x, y)} • x := y # (pt) = pt – {(x, *)}  {(x, z)| (y, z) pt} • x := *y # (pt) = pt – {(x, *)}  {(x, z)| (y, w), (w, z) pt} • *x := y #(pt) = pt  {(w, t)| (x, w), (y, t) pt} • l: x := malloc() #(pt) = pt – {(x, *)}  {(x, l)}

  15. Summary Flow-Sensitive Solution • Limited destructive updates • Can be improved with must information • O(N * Var2) space

  16. Context-Sensitivity • How to handle procedures • Separate points-to sets for every call • A uniform set for all calls

  17. Context Sensitivity Example x = &t1; a = &t2; foo(x, a); z = &t3; b = &t4; foo(z, b); void foo(source, target) { *source = target; }

  18. Flow-Insensitive Analysis • Ignore control flow statements • Arbitrary statement order • Only accumulate Points-to • Usually represented as a directed graph • O(n2) space

  19. Flow Insensitive Solution t= &a y= &b z= &c *p= t p= &y p= &z

  20. Set Constraints • A set of rules of the form: • lhs  rhs • t  rhs’  lhs rhs (conditional constraint) • lhs, rhs, rhs’ are variables over sets of terms • t is a term • The least solution can be found iteratively • start with empty sets • add terms when needed • Cubic graph based solution

  21. p t y z a b c t := &a; {a}  pt[t] y := &b; {b}  pt[y] z := &c; {c}  pt[z] if (nondet()) p:= &y;{y}  pt[p] else p:= &z; {z}  pt[p] *p := t; a pt[p]  pt[t]  pt[a] b pt[p]  pt[t]  pt[b] c pt[p]  pt[t]  pt[c] y pt[p]  pt[t]  pt[y] z pt[p]  pt[t]  pt[z] t pt[p]  pt[t]  pt[t] p pt[p] pt[t]  pt[p]

  22. Unification Based Solution Steengard 1996 • Treat assignments as equalities • Employ union-find algorithm • Almost linear time complexity

  23. Conclusions • Points-to analysis is a simple pointer analysis problem • Effective solutions (8MLoc) • But rather imprecise • Set constraints are useful beyond pointer analysis • Class level analysis

More Related