Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16.

Slides:



Advertisements
Similar presentations
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Advertisements

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
Static Data Race detection for Concurrent Programs with Asynchronous Calls Presenter: M. Amin Alipour Software Design Laboratory
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Interprocedural analysis © Marcelo d’Amorim 2010.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Program analysis Mooly Sagiv html://
Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel.
Interprocedural pointer analysis for C We’ll look at Wilson & Lam PLDI 95, and focus on two problems solved by this paper: –how to represent pointer information.
Flow insensitivity and imprecision If you ignore flow, then you lose precision. main() { x := &y;... x := &z; } Flow insensitive analysis tells us that.
Program analysis Mooly Sagiv html://
1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
Range Analysis. Intraprocedural Points-to Analysis Want to compute may-points-to information Lattice:
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Class canceled next Tuesday. Recap: Components of IR Control dependencies: sequencing of operations –evaluation of if & then –side-effects of statements.
Intraprocedural Points-to Analysis Flow functions:
Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
Overview of program analysis Mooly Sagiv html://
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Comparison Caller precisionCallee precisionCode bloat Inlining context-insensitive interproc Context sensitive interproc Specialization.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1 A Seminar on Memory Management Mooly Sagiv Schriber 317 Office Hours Wed
Overview of program analysis Mooly Sagiv html://
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
Procedure Optimizations and Interprocedural Analysis Chapter 15, 19 Mooly Sagiv.
Putting Pointer Analysis to Work Rakesh Ghiya and Laurie J. Hendren Presented by Shey Liggett & Jason Bartkowiak.
A GPU Implementation of Inclusion-based Points-to Analysis Mario Méndez-Lojo (AMD) Martin Burtscher (Texas State University, USA) Keshav Pingali (U.T.
Fast Points-to Analysis for Languages with Structured Types Michael Jung and Sorin A. Huss Integrated Circuits and Systems Lab. Department of Computer.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
Basic Semantics Associating meaning with language entities.
Static Program Analyses of DSP Software Systems Ramakrishnan Venkitaraman and Gopal Gupta.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
Featherweight X10: A Core Calculus for Async-Finish Parallelism Jonathan K. Lee, Jens Palsberg Presented By- Vasvi Kakkad.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.
Pointer Analysis Survey. Rupesh Nasre. Aug 24, 2007.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India & K. V. Raghavan.
Pointer Analysis for Multithreaded Programs Radu Rugina and Martin Rinard M I T Laboratory for Computer Science.
Points-To Analysis in Almost Linear Time Josh Bauman Jason Bartkowiak CSCI 3294 OCTOBER 9, 2001.
Heap liveness and its usage in automatic memory management Ran Shaham Elliot Kolodner Mooly Sagiv ISMM’02 Unpublished TVLA.
1 Combining Abstract Interpreters Mooly Sagiv Tel Aviv University
Pointer Analysis. Rupesh Nasre. Advisor: Prof R Govindarajan. Apr 05, 2008.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
1 Iterative Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program.
1 Iterative Program Analysis Abstract Interpretation Mooly Sagiv Tel Aviv University Textbook:
Points-to Analysis as a System of Linear Equations Rupesh Nasre. Computer Science and Automation Indian Institute of Science Advisor: Prof. R. Govindarajan.
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1PLDI 2000 Off-line Variable Substitution for Scaling Points-to Analysis Atanas (Nasko) Rountev PROLANGS Group Rutgers University Satish Chandra Bell Labs.
Manuel Fahndrich Jakob Rehof Manuvir Das
Textbook: Principles of Program Analysis
Simone Campanoni Dependences Simone Campanoni
Seminar in automatic tools for analyzing programs with dynamic memory
Pointer Analysis Lecture 2
Interprocedural Analysis Chapter 19
Iterative Program Analysis Abstract Interpretation
Pointer Analysis Lecture 2
Pointer analysis.
Spring 2016 Program Analysis and Verification
Presentation transcript:

Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16

General Information Prerequisites –Compilers | Program Analysis –Select 3 topics by Sunday –Participate in 9 seminar talks –Present a paper

Outline 1.Schedule 2.Point-to analysis

Tentative Schedule 7/2Shachar ItzhakyPractical virtual method call resolution for Java 14/2Roy GanorEffective Static Race Detection for Java 17/ Hongseok YangScalable Shape Analysis 28/2Roza PogalnikovaContext-Sensitive Points-to Analysis: Is It Worth It? 3/3Ory SamorodnitzkyThe undecidability of aliasing 14/3Alex ShapiroError detection using client driven poniter analysis 21/3Roman SimkinFree-Me: A Static Analysis for Automatic Individual Object Reclamation 28/3Uri Inon

Points-To Analysis Determine if a variable points to a variable at some (all) execution paths [1] p = &a; [2] q = &b; [3] if (getc()) [4] q = &c [5] p   a q   c q   b

Iterative Program Analysis Start by optimistically assuming that nothing is wrong –No points-to set At every iteration apply the abstract meaning of programming language statements and add more points-to pairs Stop when no changes occur

Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b t  a, y  b, z  c, p  y t  a, y  b, z  c t  a, y  b, z  c, p  z t  a, y  b, z  c, p  y, p  z t  a, y  b, z  c *p= t

Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b t  a, y  b, z  c, p  yt  a, y  b, z  c, p  z t  a, y  b, z  c, p  y, p  z *p= t t  a, y  b, z  c, p  y, p  z t  a, y  b, z  c, p  y, p  z, y  a, z  a

Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b t  a, y  b, z  c, p  y, p  z *p= t t  a, y  b, z  c, p  y, p  z t  a, y  b, z  c, p  y, p  z, y  a, z  a t  a, y  b, z  c, p  y, y  a, z  a t  a, y  b, z  c, p  z, y  a, z  a

Iterative Points-to Analysis t= &a y= &b z= &c p= &yp= &z tata t  a, y  b *p= t t  a, y  b, z  c, p  y, p  z, y  a, z  a t  a, y  b, z  c, p  y, y  a, z  a t  a, y  b, z  c, p  z, y  a, z  a t  a, y  b, z  c, p  y, p  z, y  a, z  a

A Simple Programming Language Arbitrary (uninterpreted) control flow statement Atomic statements –x = y –x = &y –x = *y –*x = y

Abstract Semantics For every atomic statement S  S  # : P(Var*  Var*)  P(Var*  Var*)  x := &y  # (pt) = pt – {(x, *)}  {(x, y)}  x := y  # (pt) = pt – {(x, *)}  {(x, z)| (y, z)  pt}  x := *y  # (pt) = pt – {(x, *)}  {(x, z)| (y, w), (w, z)  pt}  *x := y  # (pt) = pt  {(w, t)| (x, w), (y, t)  pt}

t= &a y= &b z= &c p= &yp= &z *p= t pt[1]={} 1pt[2]={(t, a)} 2pt[3]={(t, a), (y, b)} 3pt[4]={(t, a), (y, b), (z, c){ 4pt[5]= {(t, a), (y, b), (z, c)} pt[6]= {(t, a), (y, b), (z, c)} 5pt[7]= {(t, a), (y, b), (z, c), (p, y){ 6pt[7]= {(t, a), (y, b), (z, c), (p, y), (p, z)} 7pt[4]= {(t, a), (y, b), (z, c), (p, y), (p, z)} 4pt[5]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)} pt[6]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)} 5 6

Supporting Memory Allocation Uniform treatment of the memory allocated at an allocation statement For every atomic statement S –  S  #: P(Var*  Var*)  P(Var*  Var*) –  x := &y  # (pt) = pt – {(x, *)}  {(x, y)} –  x := y  # (pt) = pt – {(x, *)}  {(x, z)| (y, z)  pt} –  x := *y  # (pt) = pt – {(x, *)}  {(x, z)| (y, w), (w, z)  pt} –  *x := y  #(pt) = pt  {(w, t)| (x, w), (y, t)  pt} –  l: x := malloc()  #(pt) = pt – {(x, *)}  {(x, l)}

Summary Flow-Sensitive Solution Limited destructive updates –Can be improved with must information O(N * Var 2 ) space

Context-Sensitivity How to handle procedures Separate points-to sets for every call A uniform set for all calls

Context Sensitivity Example x = &t1; a = &t2; foo(x, a); z = &t3; b = &t4; foo(z, b); void foo(source, target) { *source = target; }

Flow-Insensitive Analysis Ignore control flow statements Arbitrary statement order Only accumulate Points-to Usually represented as a directed graph O(n 2 ) space

Flow Insensitive Solution t= &a y= &b z= &c p= &yp= &z *p= t

Set Constraints A set of rules of the form: –lhs  rhs –t  rhs’  lhs  rhs (conditional constraint) lhs, rhs, rhs’ are variables over sets of terms t is a term The least solution can be found iteratively –start with empty sets –add terms when needed Cubic graph based solution

t := &a; {a}  pt[t] y := &b; {b}  pt[y] z := &c; {c}  pt[z] if (nondet()) p:= &y; {y}  pt[p] else p:= &z; {z}  pt[p] *p := t; a  pt[p]  pt[t]  pt[a] b  pt[p]  pt[t]  pt[b] c  pt[p]  pt[t]  pt[c] y  pt[p]  pt[t]  pt[y] z  pt[p]  pt[t]  pt[z] t  pt[p]  pt[t]  pt[t] p  pt[p]  pt[t]  pt[p] tyz abc p

Unification Based Solution Steengard 1996 Treat assignments as equalities Employ union-find algorithm Almost linear time complexity

Conclusions Points-to analysis is a simple pointer analysis problem Effective solutions (8MLoc) But rather imprecise Set constraints are useful beyond pointer analysis –Class level analysis

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.