Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS 343 - June 12, 2002.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Overview Structural Testing Introduction – General Concepts
Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Lecture 11: Code Optimization CS 540 George Mason University.
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis Wei Le and Mary Lou Soffa University of Virginia sotesty.cs.virginia.edu.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Final exam week Three things on finals week: –final exam –final project presentations –final project report.
From last time: live variables Set D = 2 Vars Lattice: (D, v, ?, >, t, u ) = (2 Vars, µ, ;,Vars, [, Å ) x := y op z in out F x := y op z (out) = out –
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Range Analysis. Intraprocedural Points-to Analysis Want to compute may-points-to information Lattice:
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv Tel Aviv University Textbook Chapter 2.5.
Intraprocedural Points-to Analysis Flow functions:
1 CS 201 Compiler Construction Lecture 6 Code Optimizations: Constant Propagation & Folding.
From last lecture x := y op z in out F x := y op z (in) = in [ x ! in(y) op in(z) ] where a op b =
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
ESP [Das et al PLDI 2002] Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked.
A simple approach Given call graph and CFGs of procedures, create a single CFG (control flow super-graph) by: –connecting call sites to entry nodes of.
Role Analysis Victor Kunkac, Patric Lam, Martin Rinard Laboratory for Computer Science, MIT Presentation by George Caragea CMSC631,
Comparison Caller precisionCallee precisionCode bloat Inlining context-insensitive interproc Context sensitive interproc Specialization.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Load-Reuse Analysis design and evaluation Rastislav Bodík Rajiv Gupta Mary Lou Soffa.
Reps Horwitz and Sagiv 95 (RHS) Another approach to context-sensitive interprocedural analysis Express the problem as a graph reachability query Works.
Global optimization. Data flow analysis To generate better code, need to examine definitions and uses of variables beyond basic blocks. With use- definition.
From last lecture We want to find a fixed point of F, that is to say a map m such that m = F(m) Define ?, which is ? lifted to be a map: ? = e. ? Compute.
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Prof. Bodik CS 164 Lecture 16, Fall Global Optimization Lecture 16.
Procedure Optimizations and Interprocedural Analysis Chapter 15, 19 Mooly Sagiv.
Precision Going back to constant prop, in what cases would we lose precision?
1 CS 201 Compiler Construction Data Flow Analysis.
Example x := read() v := a + b x := x + 1 w := x + 1 a := w v := a + b z := x + 1 t := a + b.
Precise Interprocedural Dataflow Analysis via Graph Reachibility
Software (Program) Analysis. Automated Static Analysis Static analyzers are software tools for source text processing They parse the program text and.
1 Semantic Analysis Aaron Bloomfield CS 415 Fall 2005.
Predicated Static Single Assignment (PSSA) Presented by AbdulAziz Al-Shammari
Dataflow Analysis Topic today Data flow analysis: Section 3 of Representation and Analysis Paper (Section 3) NOTE we finished through slide 30 on Friday.
Static Program Analysis of Embedded Software Ramakrishnan Venkitaraman Graduate Student, Computer Science Advisor: Dr. Gopal Gupta
Pointer Analysis for Multithreaded Programs Radu Rugina and Martin Rinard M I T Laboratory for Computer Science.
CS412/413 Introduction to Compilers Radu Rugina Lecture 18: Control Flow Graphs 29 Feb 02.
1 Control Flow Graphs. 2 Optimizations Code transformations to improve program –Mainly: improve execution time –Also: reduce program size Can be done.
1 Software Testing & Quality Assurance Lecture 13 Created by: Paulo Alencar Modified by: Frank Xu.
CS 598 Scripting Languages Design and Implementation 9. Constant propagation and Type Inference.
Course topics Representing programs Analyzing and transforming programs Applications of these techniques.
Phoenix Based Dynamic Slicing Debugging Tool Eric Cheng Lin Xu Matt Gruskin Ravi Ramaseshan Microsoft Phoenix Intern Team (Summer '06)
Data Flow Analysis Suman Jana
Symbolic Implementation of the Best Transformer
Dataflow Testing G. Rothermel.
Topic 10: Dataflow Analysis
Program Slicing Baishakhi Ray University of Virginia
University Of Virginia
Another example: constant prop
CS 201 Compiler Construction
Data Flow Analysis Compiler Design
Pointer analysis.
Advanced Compiler Design
Live variables and copy propagation
Presentation transcript:

Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS June 12, 2002

Background Abstract Simulation Path sensitive analysis of abstract state of program Improves precision of RHS Exploded supergraph Symbolic Store to capture branch correlation Implemented in ESP using constant instantiation

Weakness of Abstract Simulation [$u, T,T ] [$u, ~d,~flag] [$u, d,flag] [$u, T, T ] [$u, ~d,~flag][$u, ~d,flag][$o, d,~flag][$o, d,flag] [$u, T, T ] [$e, ~d,flag][$o, d,~flag] entry if(d) f = fopen() if(flag) if(d) flag = 0flag = 1 fclose(f) exit T stands for all behaviours [$u, ~d, T ] [$u, d, T ] [$u, ~d, T ][$u, d,T ] [$u, ~d, T ][$u, d, T ]

Our Proposal Short-term goal: Demand-driven intraprocedural algorithm to improve path sensitivity Refinements: Predicate substitution; interprocedural analysis Long-term goal: Build more general framework to handle different FSMs

Improving Path Sensitivity: The Basic Algorithm Examine symbolic store Propagate query & running symbolic store back to predecessors, substituting if nec’y Terminate query when it is resolved or when a path is killed Propagate answer, symbolic store values forward

Sample code if (d) fclose (…) flag = 1flag = 0 if (flag) fopen (…) if (d) d = 0 …

Exploded supergraph entry else fopen(…); if (d) flag = 0; if (d) flag = 1; d = 0; if (flag) (flag == true); Kill query Resolve: YES

But isn’t this really complex? Adds an O(N*E) term, with a very low constant Abstract simulation is currently O(N*E*H) N = # of nodes in exploded supergraph E = # of edges in exploded supergraph H = height of lattice (=3 here)

Related Work M. Das,S. Lerner and M. Seigle. Path-Sensitive Program Verification in Polynomial Time M. Das, S. Lerner, and M. Seigle. ESP : Path-Sensitive Program Verification in Polynomial Time E. Duesterwald, R. Gupta and M.L. Soffa. Demand-driven Computation of Interprocedural Data Flow R. Bodik, R. Gupta and M.L. Soffa. Refining Data flow Information using Infeasible Paths P. Tu, D. Padua. Gated SSA-based demand-driven symbolic analysis of parallelizing compilers. W. Bush, J. Pincus and D. Sielaff. A static analyzer for finding dynamic programming errors T. Reps, S. Horwitz and M. Sangiv. Precise inter-procedural dataflow analysis via graph reachability

Future Extensions Handling of more complex predicates (e.g x > 2) Current approach and strength Introduce boolean variables mapped to predicates on the fly Interprocedural Analysis Procedure entry nodes instantiated with approximation of symbolic stores at all call sites Expected Complexity

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.