Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS 343 - June 12, 2002.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS 343 - June 12, 2002."— Presentation transcript:

1 Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS 343 - June 12, 2002

2 Background Abstract Simulation Path sensitive analysis of abstract state of program Improves precision of RHS Exploded supergraph Symbolic Store to capture branch correlation Implemented in ESP using constant instantiation

3 Weakness of Abstract Simulation [$u, T,T ] [$u, ~d,~flag] [$u, d,flag] [$u, T, T ] [$u, ~d,~flag][$u, ~d,flag][$o, d,~flag][$o, d,flag] [$u, T, T ] [$e, ~d,flag][$o, d,~flag] entry if(d) f = fopen() if(flag) if(d) flag = 0flag = 1 fclose(f) exit T stands for all behaviours [$u, ~d, T ] [$u, d, T ] [$u, ~d, T ][$u, d,T ] [$u, ~d, T ][$u, d, T ]

4 Our Proposal Short-term goal: Demand-driven intraprocedural algorithm to improve path sensitivity Refinements: Predicate substitution; interprocedural analysis Long-term goal: Build more general framework to handle different FSMs

5 Improving Path Sensitivity: The Basic Algorithm Examine symbolic store Propagate query & running symbolic store back to predecessors, substituting if nec’y Terminate query when it is resolved or when a path is killed Propagate answer, symbolic store values forward

6 Sample code if (d) fclose (…) flag = 1flag = 0 if (flag) fopen (…) if (d) d = 0 …

7 Exploded supergraph entry else fopen(…); if (d) flag = 0; if (d) flag = 1; d = 0; if (flag) (flag == true); Kill query Resolve: YES

8 But isn’t this really complex? Adds an O(N*E) term, with a very low constant Abstract simulation is currently O(N*E*H) N = # of nodes in exploded supergraph E = # of edges in exploded supergraph H = height of lattice (=3 here)

9 Related Work M. Das,S. Lerner and M. Seigle. Path-Sensitive Program Verification in Polynomial Time M. Das, S. Lerner, and M. Seigle. ESP : Path-Sensitive Program Verification in Polynomial Time E. Duesterwald, R. Gupta and M.L. Soffa. Demand-driven Computation of Interprocedural Data Flow R. Bodik, R. Gupta and M.L. Soffa. Refining Data flow Information using Infeasible Paths P. Tu, D. Padua. Gated SSA-based demand-driven symbolic analysis of parallelizing compilers. W. Bush, J. Pincus and D. Sielaff. A static analyzer for finding dynamic programming errors T. Reps, S. Horwitz and M. Sangiv. Precise inter-procedural dataflow analysis via graph reachability

10 Future Extensions Handling of more complex predicates (e.g x > 2) Current approach and strength Introduce boolean variables mapped to predicates on the fly Interprocedural Analysis Procedure entry nodes instantiated with approximation of symbolic stores at all call sites Expected Complexity

Download ppt "Improving the Precision of Abstract Simulation using Demand-driven Analysis Olatunji Ruwase Suzanne Rivoire CS 343 - June 12, 2002."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Overview Structural Testing Introduction – General Concepts

Overview Structural Testing Introduction – General Concepts
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Lecture 11: Code Optimization CS 540 George Mason University.

Lecture 11: Code Optimization CS 540 George Mason University.
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.

1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis Wei Le and Mary Lou Soffa University of Virginia sotesty.cs.virginia.edu.

1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis Wei Le and Mary Lou Soffa University of Virginia sotesty.cs.virginia.edu.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Interprocedural Analysis Noam Rinetzky Mooly Sagiv.

Interprocedural Analysis Noam Rinetzky Mooly Sagiv.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Final exam week Three things on finals week: –final exam –final project presentations –final project report.

Final exam week Three things on finals week: –final exam –final project presentations –final project report.
From last time: live variables Set D = 2 Vars Lattice: (D, v, ?, >, t, u ) = (2 Vars, µ, ;,Vars, [, Å ) x := y op z in out F x := y op z (out) = out –

From last time: live variables Set D = 2 Vars Lattice: (D, v, ?, >, t, u ) = (2 Vars, µ, ;,Vars, [, Å ) x := y op z in out F x := y op z (out) = out –
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.

Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

Similar presentations

Ads by Google