Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ravi Mangal Mayur Naik Hongseok Yang

Published byJeffery Hancock Modified over 5 years ago

Similar presentations

Presentation on theme: "Ravi Mangal Mayur Naik Hongseok Yang"— Presentation transcript:

1 Ravi Mangal Mayur Naik Hongseok Yang
A Correspondence between two approaches to Interprocedural Analysis in the presence of Join Ravi Mangal Mayur Naik Hongseok Yang

2 Landscape of Procedural Analyses
Inter-Procedural Context-Sensitive (Callstrings, Summaries,…) Cost Context-Insensitive Intra-Procedural Precision ESOP 2014

3 Context-Insensitive Analysis
1: void main(){ 2: foo(); …. 3: foo(); 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } main foo bar 0-CFA ESOP 2014

4 Inter-Procedural Analysis Landscape
Cost 0CFA Precision ESOP 2014

5 Callstring-based Analysis (1CFA)
1: void main(){ 2: foo(); …. 3: foo(); 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } main 2:foo 3:foo 4:foo 7:bar 1-CFA ESOP 2014

6 Inter-Procedural Analysis Landscape
Cost 1CFA 0CFA Precision ESOP 2014

7 Callstring-based Analysis (2CFA)
1: void main(){ 2: foo(); …. 3: foo(); 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } main 2:foo 3:foo 4:foo 7,2:bar 7,3:bar 7,4:bar 2-CFA ESOP 2014

8 Inter-Procedural Analysis Landscape
Shivers [1988], bddbddb [2004] , Paddle [2004], Doop [2009], … Cost ∞-CFA 2CFA 1CFA 0CFA Precision ESOP 2014

9 Summary-based Analysis (SBA)
1: void main(){ 2: foo(); …. 3: foo(); …. 4: foo(); 5: } 6: void foo(){ 7: bar(); 8: } τ1 main τ1 τ2 τ1:foo τ2:foo τ3 τ3:bar Summary-based ESOP 2014

10 Inter-Procedural Analysis Landscape
Sharir-Pnueli [1981], Reps et al. [1995], … SBA Cost Precision ESOP 2014

11 Summary-based Analysis (SBA)
1: void main(){ 2: if(*) 3: s1; 4: else 5: s2; 6: } 1: void main(){ 2: if(*) 3: s1; 4: else 5: s2; 6: } τ1 τ1 τ2 τ2 τ3 τ3 τ4 = τ2 ⊔ τ3 τ2 τ3 Non-disjunctive summary-based (ND-SBA) Disjunctive summary-based (D-SBA) ESOP 2014

12 Inter-Procedural Analysis Landscape
SLAM [2000] TVLA [2004], SpaceInvader [2008], … D-SBA Partially D-SBA SAFE [2008] ND-SBA Distributive? Yes Sharir- Pnueli [1981] 𝑓 𝑥⊔𝑦 =𝑓 𝑥 ⊔𝑓 𝑦 ? Cost ∞-CFA No 2CFA Grove-Chambers [2001] conjecture Our Result 1CFA 0CFA Precision ESOP 2014

13 Our Contributions Proved ∞-CFA = SBA for non-distributive analyses with finite domains. Generalized Sharir-Pnueli’s 1981 result and resolved 2001 conjecture by Grove-Chambers. Empirically observed the precision of ∞-CFA via SBA for pointer analysis and improved over existing k-CFA approaches. ESOP 2014

14 New Inter-Procedural Analysis Landscape
D-SBA Partially D-SBA ND-SBA Cost ∞-CFA 2CFA 1CFA 0CFA Precision ESOP 2014

15 Proof Challenges Challenge 1: Unused summaries in SBA fixpoint solution. Challenge 2: Non-monotonicity of SBA. ESOP 2014

16 Proof Challenges (1) ⊤ -0 - 0+ + ⊥
1: int x; 2: void main(){ 3: x = 0; 4: while(*){ 5: inc(x); 6: } 7: } 8: void inc(int x){ 9: x++; 10: } -0 - 0+ + [x:⊤] [x:0] [x:0] [x:0+] [x:+] Unused summary in the fixpoint solution Sign Abstract Domain [x:0] [x:0+] [x:+] [x:+] ESOP 2014

17 Proof Challenges (1) Challenge 1: Unused summaries in SBA fixpoint solution. Solution: Garbage collection on results computed by SBA. ESOP 2014

18 Non-monotonicity of SBA
Proof Challenges (2) 1: int x; 2: void main(){ 3: … 4: … 5: inc(x); 6: … 7: } 8: void inc(int x){ 9: x++; 10: } 𝑥≼𝑦 ⇒ 𝑓 𝑥 ≼𝑓 𝑦 -0 - 0+ + [x:0] [x:0+] [x:+] [x:⊥] [x:⊥] Sign Abstract Domain [x:0] [x:0] [x:0+] [x:+] Non-monotonicity of SBA [x:+] ESOP 2014

19 Proof Challenges (2) Challenge 2: Non-monotonicity of SBA.
Solution: Fixpoint of a non-monotone function is approximated by pre-fixpoint of the function. ESOP 2014

20 Experimental Motivation
Existing k-CFA approaches scale to low k values. Correspondence result allows us to simulate the effect of ∞-CFA via SBA. Empirically study the scalability of SBA and the precision of ∞-CFA. ESOP 2014

21 Experimental Setup 3 client analyses: call graph reachability, downcast safety, monomorphic callsite inference. All clients based on an underlying interprocedural pointer analysis for Java bytecode. Implemented using Chord. 10 benchmarks from Dacapo suite. ESOP 2014

22 Pointer Analysis Clients
Downcast safety: Downcast is safe if the object to which it is applied is a subtype of the target type. 1: void main(){ 2: Shape s = new Square(); 3: Circle c = (Circle) s; 4: } 1: void main(){ 2: Shape s = new Circle(); 3: Circle c = (Circle) s; 4: } Shape Circle Square ESOP 2014

23 Pointer Analysis Clients
Call graph reachability: Pairwise reachability between program functions. reach(foo,bar) reach(foo,taz) 1: void main(){ 2: foo(); 3: taz(); 4: } 5: void foo(){ 6: bar(); 7: } ESOP 2014

24 Pointer Analysis Clients
Monomorphic callsite inference: Dynamically dispatched callsite with single target method. 1: void main(){ 2: Shape s; 3: if(*){ 4: s = new Circle(); 5: }else{ 6: s = new Square(); 7: } 8: s.area(); 9: } 1: void main(){ 2: Circle c = new Circle(); 3: c.area(); 4: } ESOP 2014

25 Benchmarks name # functions bytecode (KB) KLOC antlr 7.2k 467 224
avrora 6.9k 423 214 bloat 9.1k 586 258 chart 11.4k 778 366 hsqldb 10.2k 670 322 luindex 7.7k 487 237 lusearch 7.6k 477 231 pmd 578 247 sunflow 13.3k 934 419 xalan 6.7k 417 208 ESOP 2014

26 Given that k-CFA does not scale, does SBA even scale?
Question 1 Given that k-CFA does not scale, does SBA even scale? ESOP 2014

27 Running Time of Pointer Analysis
On average, 2CFA is 3x-5x slower than SBA. ESOP 2014

28 Different Contexts Per Method
On average, 2CFA computes 4x-7x more contexts than SBA. ESOP 2014

29 What is the precision gain from using ∞-CFA compared to k-CFA?
Question 2 What is the precision gain from using ∞-CFA compared to k-CFA? ESOP 2014

30 On average, SBA proves 12% more queries than 2CFA.
Downcast Safety On average, SBA proves 12% more queries than 2CFA. ESOP 2014

31 Call Graph Reachability
On average, SBA call graph has: 3.3% fewer functions, 4.7% fewer edges, 15% fewer pairwise reachable functions than 2CFA call graph. On average, SBA proves 9% more queries than 2CFA. ESOP 2014

32 Monomorphic Call Site Inference
On average, SBA proves 0.6% more queries than 2CFA. ESOP 2014

33 Experimental Results Summary
For our clients: SBA scales better than k-CFA; analyzes each method in fewer contexts. SBA is more precise than 2CFA; greater benefit for harder queries. General comments: Scalability of SBA depends on the richness of the abstract domain. Callstring length just one of the factors affecting analysis precision. ESOP 2014

34 Open Question k-Object Sensitive Analyses:
Proposed by Milanova et al. [2002], uses allocation site of receiver objects to distinguish calling contexts. Empirically shown to be more precise and scalable than k-CFA for similar k values. Theoretically incomparable to k-CFA. Theoretical and empirical comparison with SBA? ESOP 2014

35 Inter-Procedural Analysis Landscape
D-SBA Partially D-SBA ND-SBA Cost ∞-CFA ∞-OBJ 2CFA 3OBJ 1CFA 2OBJ 0CFA 1OBJ Precision ESOP 2014

36 Conclusion Proved that ∞-CFA = SBA for non-disjunctive, non- distributive analyses and generalized Sharir-Pnueli’s result. Developed new proof techniques for garbage collection of summaries and approximating fixpoints of non-monotonic analyses. Empirically observed the precision of ∞-CFA via SBA, and found SBA is more scalable in practice. ESOP 2014

Download ppt "Ravi Mangal Mayur Naik Hongseok Yang"

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
ASSUMPTION HIERARCHY FOR A CHA CALL GRAPH CONSTRUCTION ALGORITHM JASON SAWIN & ATANAS ROUNTEV.

ASSUMPTION HIERARCHY FOR A CHA CALL GRAPH CONSTRUCTION ALGORITHM JASON SAWIN & ATANAS ROUNTEV.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Effective Static Deadlock Detection

Effective Static Deadlock Detection
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January 2009 1 Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.

Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.
Probabilistic Calling Context Michael D. Bond Kathryn S. McKinley University of Texas at Austin.

Probabilistic Calling Context Michael D. Bond Kathryn S. McKinley University of Texas at Austin.
Heap Shape Scalability Scalable Garbage Collection on Highly Parallel Platforms Kathy Barabash, Erez Petrank Computer Science Department Technion, Israel.

Heap Shape Scalability Scalable Garbage Collection on Highly Parallel Platforms Kathy Barabash, Erez Petrank Computer Science Department Technion, Israel.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Program Analysis with Set Constraints Ravi Chugh.

Program Analysis with Set Constraints Ravi Chugh.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.

Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.

Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.

Similar presentations

Ads by Google