Crystal-izing Sophisticated Code Analyses Ciera Jaspan Kevin Bierhoff Jonathan Aldrich


1 Crystal-izing Sophisticated Code Analyses
Ciera Jaspan, Kevin Bierhoff, Jonathan Aldrich
http://code.google.com/p/crystalsaf

2 Installation
- Pre-requisites
  - Eclipse with Java Development Tools (JDT)
  - Plugin Development Environment (PDE)
- Crystal
  - Available from our Eclipse update site: http://crystalsaf.googlecode.com/svn/trunk/EclipseUpdate/
- The USB drive contains:
  - A version of Eclipse with Crystal already installed
  - Samples of several null pointer analyses
  - Sample test code to run the null analysis on
- Audience pre-reqs: familiarity with abstract interpretation!

3 Crystal
- A framework for creating static analyses
  - AST walkers
  - Simple dataflow
  - Branch-sensitive dataflow
  - Use of specifications
- Primarily for educational purposes
  - Easy startup into a static analysis
  - Direct from theory to implementation
  - Incremental development of analyses
  - “Wow factor”: power of Eclipse
- Also found to be useful for research prototypes

4 Crystal in the classroom
- Crystal is used in a professional masters program in software engineering
  - Course: Analysis of Software Artifacts
  - Students: Real-world experience, may not have (or want!) a theoretical background
  - How can program analysis be used in industry, now and in the near future?
- Students will learn
  - What can affect the usability and precision of a static analysis
  - What kind of problems static analysis can solve

5 Crystal in research
- High transferability from paper to code made Crystal a natural choice for research
  - Currently 4 research analyses written in Crystal
  - 3 are published (OOPSLA 08, ECOOP 09, OOPSLA 09)
- Allows incremental development to more sophisticated features
  - Annotations with custom parsers
  - Branch-sensitivity
  - Automated testing
  - Widening v. regular join

6 An incremental approach
- Students typically answer questions on paper first
  - We’ll note questions we can ask students in red!
- Then, students transfer that knowledge directly to code
  - We’ll note how to code the answer in blue!
- Use an incremental approach
  - Instructions on the wiki with verification points
- Today, everyone will make a simple flow analysis
  - We’ll move a little faster to create a smart flow analysis
  - You can follow along with the code samples

7 This tutorial
- Install Crystal
- Register an analysis
- Create a simple AST walker for nullness
- Add a simple flow analysis
- Add annotations
- Add branch-sensitivity
We’ll provide sample analyses and sample assignments for classes
For more information, visit our wiki

8 Everything installed right?
- Crystal menu is where analyses appear
- Several built-in ones already available

9 Steps for making an analysis
- Install Crystal
- Register an analysis
- Create a simple AST walker for nullness
- Add a simple flow analysis
- Add annotations
- Add branch-sensitivity

10 Register and Run
- Create a new plugin project
  - Make it depend on Crystal and JDT
- Implement ICrystalAnalysis
- Register with the extension-point CrystalAnalysis in the plugin.xml file
- Select Run -> Run Configuration…
  - Make a new Eclipse configuration
  - Run!
- Your analysis name should appear in the Crystal menu.

11 Steps for making an analysis
- Install Crystal
- Register an analysis
- Create a simple AST walker for nullness
- Add a simple flow analysis
- Add annotations
- Add branch-sensitivity

12 Use an AST walker
- We’re ready to make an analysis now.
- What kinds of expressions do we want to check for a null pointer analysis?
  - Method calls
  - Field access
  - Array access
- In analyzeMethod(), create an ASTVisitor that gives an error when it encounters these operations.

13 Everything running?
- Create a new project in the child Eclipse
- Add code to analyze
- Test with Crystal->MyAnalysis
- Can also run automated tests in JUnit
  - Will not cover that today
  - See wiki for more information

14 Steps for making an analysis
- Install Crystal
- Register an analysis
- Create a simple AST walker for nullness
- Add a simple flow analysis
- Add annotations
- Add branch-sensitivity

15 Abstract interpretation concepts
- Lattice
  - The abstract states the program can be in
- Control flow graph
  - The order of control flow through the nodes of the AST
- Transfer functions
  - How the states change as the analysis encounters new program instructions
- Worklist algorithm
  - Traverses the control flow graph and runs the transfer functions

16 Abstract interpretation concepts
- Lattice
  - A finite lattice of the abstract states the program can be in
- Control flow graph
  - The order of control flow through the nodes of the AST
- Transfer functions
  - How the states change as the analysis encounters new program instructions
- Worklist algorithm
  - Traverses the control flow graph and runs the transfer functions

17 Lattice review
- Top of lattice represents least precise info
- Bottom of lattice represents an unanalyzed element
- Must have finite height to ensure termination
- Unique least upper bound must exist for any two elements
[Figure: lattice diagram with elements a and b]

18 Transfer function review
- Given
  - An instruction
  - An incoming lattice element $\sigma$
- Produce
  - An outgoing lattice element $\sigma'$
- $f(\mathit{instr}, \sigma) = \sigma'$
- Make a different transfer function on each type of instruction

19 A simple null analysis
[Figure: null lattice with MAYBE_NULL at the top, NOT_NULL and NULL below it, and $\bot$ at the bottom]
- Map all variables to an element in the lattice above
- Tuple Lattice: A lattice which maps a key to an element in another lattice
- $\sigma$ is a map of every program variable to a null lattice element
  - $f(x = \texttt{null}, \sigma) = \sigma[x \mapsto \text{NULL}]$
  - $f(x = y, \sigma) = \sigma[x \mapsto \sigma(y)]$
  - $f(x = \texttt{new C()}, \sigma) = \sigma[x \mapsto \text{NOT\_NULL}]$
  - $f(x = y.m(z_1, \ldots, z_n), \sigma) = \sigma[y \mapsto \text{NOT\_NULL}]$ (array access, field access, etc.)

20 The lattice
- What are the elements in the lattice?
  - Bottom, null, not null, and maybe null
- Create a type which represents the elements
  - Crystal allows this to be an arbitrary type
  - This is likely an immutable type, like an enum
- Tuple Lattices
  - We will use TupleLatticeElement
  - Just create the type which represents the sub-lattice

    public enum NullLatticeElement {
        BOTTOM, NULL, NOT_NULL, MAYBE_NULL;
    }

21 The lattice
- What is the bottom-most element? What is the top-most?
- What is the ordering of elements?
- What does the join operation look like?
- Extend SimpleLatticeOperations
  - LE bottom()
  - boolean atLeastAsPrecise(LE, LE)
  - LE join(LE, LE)
  - LE copy(LE)

22 Setting up the flow analysis
- What is the lattice element at the start of the method?
  - Everything may be null (except this is not null)
- Extend AbstractingTransferFunction
  - Implement createEntryValue() and getLatticeOperations()
  - (Don’t override the transfer functions yet)
- We’ll also now have the visitor call the flow analysis

23 Transfer functions
- Which instructions cause the lattice element to change? How do they change the lattice element?
  - Null: makes target null
  - Constructor: makes target non-null
  - Copying assignment: makes target same as right side
- In the derived transfer function, override the relevant instructions
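The lattice operations and transfer functions from slides 19 to 23, written out as an added example that is not part of the original slides or of Crystal's code. It is a standalone sketch: it reuses the method names `atLeastAsPrecise` and `join` from slide 21 but does not extend Crystal's classes, and `NullFlowSketch`, `joinTuples`, `update` and `flagsDereference` are hypothetical names.

```java
import java.util.HashMap;
import java.util.Map;

public class NullFlowSketch {
    enum NullLatticeElement { BOTTOM, NULL, NOT_NULL, MAYBE_NULL }
    static final NullLatticeElement BOT = NullLatticeElement.BOTTOM, TOP = NullLatticeElement.MAYBE_NULL;

    // BOTTOM is below everything, MAYBE_NULL above everything; NULL and NOT_NULL are incomparable.
    static boolean atLeastAsPrecise(NullLatticeElement a, NullLatticeElement b) {
        return a == b || a == BOT || b == TOP;
    }

    // Least upper bound: the less precise of two comparable elements, else MAYBE_NULL.
    static NullLatticeElement join(NullLatticeElement a, NullLatticeElement b) {
        if (atLeastAsPrecise(a, b)) return b;
        return atLeastAsPrecise(b, a) ? a : TOP;
    }

    // Pointwise join of two tuple lattices; a variable missing from one map counts as BOTTOM.
    static Map<String, NullLatticeElement> joinTuples(Map<String, NullLatticeElement> s1,
                                                      Map<String, NullLatticeElement> s2) {
        Map<String, NullLatticeElement> out = new HashMap<>(s1);
        s2.forEach((name, v) -> out.merge(name, v, (a, b) -> join(a, b)));
        return out;
    }

    // sigma[x -> v] as a fresh map, so the state on each control-flow edge stays independent.
    static Map<String, NullLatticeElement> update(Map<String, NullLatticeElement> sigma, String x, NullLatticeElement v) {
        Map<String, NullLatticeElement> out = new HashMap<>(sigma);
        out.put(x, v);
        return out;
    }

    // Checker side: a dereference of y is reported when y is NULL or MAYBE_NULL at that point.
    static boolean flagsDereference(String y, Map<String, NullLatticeElement> sigma) {
        NullLatticeElement v = sigma.getOrDefault(y, BOT);
        return v == NullLatticeElement.NULL || v == TOP;
    }

    public static void main(String[] args) {
        // Constructed input: if (c) x = null; else x = new C();  y = x;  y.m();  y.m();
        Map<String, NullLatticeElement> entry = new HashMap<>();
        Map<String, NullLatticeElement> merged = joinTuples(
            update(entry, "x", NullLatticeElement.NULL), update(entry, "x", NullLatticeElement.NOT_NULL));
        Map<String, NullLatticeElement> atCall = update(merged, "y", merged.getOrDefault("x", BOT));
        System.out.println("first y.m() flagged:  " + flagsDereference("y", atCall));
        System.out.println("second y.m() flagged: "
            + flagsDereference("y", update(atCall, "y", NullLatticeElement.NOT_NULL)));
    }
}
```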

24 You now have a Crystal flow analysis
- And that’s it!
- From here, we’re just going to improve it
  - Annotations: teach students power of specifications
  - Branch-sensitivity: teach students power of abstractions closer to code
- We’ll move a little faster
  - Assistants are ready to help if you wish to follow along

25 Why Three Address Code
- Does mean students work with both Eclipse AST and TAC
- However
  - TAC has no sub-expressions
  - TAC has many fewer kinds of nodes
  - Students able to understand TAC as it matched what they wrote down on paper

26 Relevant packages
- edu.cmu.cs.crystal
  - Core package for analyses
- org.eclipse.jdt.core.dom
  - The Eclipse AST
- edu.cmu.cs.crystal.simple
  - Simple interfaces for flow analyses
- edu.cmu.cs.crystal.tac.model
  - The interfaces for three address code instructions

27 Steps for making an analysis
- Install Crystal
- Register an analysis
- Create a simple AST walker for nullness
- Add a simple flow analysis
- Add annotations
- Add branch-sensitivity

28 Annotations
- What specifications could we add to make the analysis more precise?
  - Non-null on method parameters
- Create a Java annotation
  - Put it in a jar separate from your analysis
  - Make it available to the code being analyzed

    import java.lang.annotation.ElementType;
    import java.lang.annotation.Target;

    @Target({ElementType.METHOD, ElementType.PARAMETER})
    public @interface NonNull {}

29 Annotations
- What transfer functions can use this annotation to improve precision?
  - Initial lattice information
  - Method call instruction (return value)
- Annotations are available from the Eclipse AST
  - But hard to get
  - No desugaring
- Use the AnnotationDatabase
  - Pass in an AnnotationDatabase to the transfer functions
  - Query it to find instances of the @NotNull annotation
- Can also give Crystal a custom parser for complex annotations
  - @Invariant("x == foo and y != bar")

30 Annotations
- Where can the visitor use annotations for additional checking?
  - Method call parameters and return value
  - Constructor call parameters
- Use the AnnotationDatabase
  - Query it to find instances of the @NotNull annotation
  - Check that parameter is not null

31 Steps for making an analysis
- Install Crystal
- Register an analysis
- Create a simple AST walker for nullness
- Add a simple flow analysis
- Add annotations
- Add branch-sensitivity

32 Branch-sensitivity
- Take advantage of knowledge gained through tests
- Specify different exit paths through a method
  - An invariant that doesn’t hold on exceptional exit
- Labeled branches let us distinguish these
  - Must return different lattice elements for each label

    if (x != null) {
        //hey, it’s safe
        //to use x in here!
    } else {
        //but it’s an
        //error in here!
    }

33 On paper…
- No branch sensitivity

  $f(x == y, \sigma) = \sigma$

- Branch sensitivity

  $$f_T(x == y, \sigma) = \begin{cases} \sigma[y \mapsto \sigma(x)] & \text{if } \sigma(x) < \text{MAYBE\_NULL} \\ \sigma[x \mapsto \sigma(y)] & \text{else if } \sigma(y) < \text{MAYBE\_NULL} \\ \sigma & \text{else} \end{cases}$$

- Separate definition for the false branch $f_F(x == y, \sigma)$

34 Branching example

    public boolean foo()

    if (foo()) { a; }
    else { b; }
    c;

[Figure: control flow graph with nodes foo(), a, b and c; edge labels true and false]

35 Branching example, with exceptions

    public boolean foo() throws MyException;

    try {
        if (foo()) { a; }
        else { b; }
        c;
    } catch (MyException exp) { d; }
    e;

[Figure: control flow graph with nodes foo(), a, b, c, d and e; edge labels true, false and MyException]

36 Types of labels
- True/false
  - All conditionals (if, while, ?:, etc.)
  - Method calls that return a boolean
  - Binary relational operators (&&, <, ==, etc.)
- Exceptional
  - Method calls that throw exceptions
  - Throw statements
  - Catch and Finally statements
- Switch (used on switch)
- Iterator (used on enhanced for)
- Normal

37 Changing to branch-sensitive analyses
1. Implement AbstractTACBranchSensitiveTransferFunction
2. Change signatures on transfer functions
3. Wrap return lattice in an IResult
At this point, transfer functions run as they did before

    public LE transfer(TACInstruction instr, LE value)
    → public IResult transfer(TACInstruction instr, List labels, LE value)

    return value;
    → return LabeledSingleResult.createResult(value, labels);

38 Using the branches
- Which instructions can provide different information on each branch?
  - x == y
  - x != y
- Create a new LabeledResult with the labels and a default value
- Copy the lattice element for each branch
- Change the lattice elements
- Put them into the labeled result with the right label
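The branch-sensitive transfer for `x == y` from slides 33 and 38, as an added example that is not part of the original slides or of Crystal's code. It is a standalone sketch that keys the per-branch results by a plain `Boolean` instead of Crystal's label and result types; `BranchSensitiveSketch`, `belowTop`, `onTrue`, `onFalse` and `transferEquals` are hypothetical names, and the false-branch rule is an assumed definition, since the slide only says that one exists.

```java
import java.util.HashMap;
import java.util.Map;

public class BranchSensitiveSketch {
    enum NullLatticeElement { BOTTOM, NULL, NOT_NULL, MAYBE_NULL }

    // sigma(v) < MAYBE_NULL on the slide: v is strictly more precise than the top element.
    static boolean belowTop(NullLatticeElement e) {
        return e != NullLatticeElement.MAYBE_NULL;
    }

    // True branch of "x == y": both sides hold the same value, so copy what is known about one.
    // Both variables must already be present in sigma.
    static Map<String, NullLatticeElement> onTrue(String x, String y, Map<String, NullLatticeElement> sigma) {
        Map<String, NullLatticeElement> out = new HashMap<>(sigma);
        if (belowTop(sigma.get(x))) out.put(y, sigma.get(x));
        else if (belowTop(sigma.get(y))) out.put(x, sigma.get(y));
        return out;
    }

    // False branch (assumed definition, the slide leaves it out): the values differ,
    // so if one side is definitely NULL the other side cannot be null.
    static Map<String, NullLatticeElement> onFalse(String x, String y, Map<String, NullLatticeElement> sigma) {
        Map<String, NullLatticeElement> out = new HashMap<>(sigma);
        if (sigma.get(x) == NullLatticeElement.NULL) out.put(y, NullLatticeElement.NOT_NULL);
        else if (sigma.get(y) == NullLatticeElement.NULL) out.put(x, NullLatticeElement.NOT_NULL);
        return out;
    }

    // One lattice element per label, in place of the single result of the branch-insensitive version.
    static Map<Boolean, Map<String, NullLatticeElement>> transferEquals(
            String x, String y, Map<String, NullLatticeElement> sigma) {
        Map<Boolean, Map<String, NullLatticeElement>> labeled = new HashMap<>();
        labeled.put(true, onTrue(x, y, sigma));
        labeled.put(false, onFalse(x, y, sigma));
        return labeled;
    }

    public static void main(String[] args) {
        // Constructed input in three-address form: t = null; if (p == t) { ... } else { p.m(); }
        Map<String, NullLatticeElement> sigma = new HashMap<>();
        sigma.put("p", NullLatticeElement.MAYBE_NULL);
        sigma.put("t", NullLatticeElement.NULL);
        Map<Boolean, Map<String, NullLatticeElement>> result = transferEquals("p", "t", sigma);
        System.out.println("p on true branch:  " + result.get(true).get("p"));
        System.out.println("p on false branch: " + result.get(false).get("p"));
    }
}
```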

39 Crystal Static Analysis Framework
- Fast startup into a simple analysis
- Direct from theory to implementation
- Incremental sophistication of analysis
- Full power of Eclipse infrastructure
- Proven useful for both teaching and research
  - 4 research analyses
  - Used for several years in a professional master’s course

