Program analysis Mooly Sagiv html://msagiv/courses/wcc06.html.
Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html
description
Transcript of Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html
![Page 1: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/1.jpg)
Pointer and Shape Analysis Seminarhttp://www.cs.tau.ac.il/~msagiv/courses/shape.html
Mooly Sagiv
Schriber 317
msagiv@post
Office Hours Thursday 15-16
![Page 2: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/2.jpg)
General Information
• Prerequisites– Compilers | Program Analysis– Select 3 topics by Sunday– Participate in 9 seminar talks – Present a paper
![Page 3: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/3.jpg)
Outline
1. Schedule
2. Point-to analysis
![Page 4: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/4.jpg)
Tentative Schedule7/2 Shachar Itzhaky Practical virtual method call resolution for
Java
14/2 Roy Ganor Effective Static Race Detection for Java
17/2
13-15
Hongseok Yang Scalable Shape Analysis
28/2 Roza Pogalnikova Context-Sensitive Points-to Analysis: Is It Worth It?
3/3 Ory Samorodnitzky The undecidability of aliasing
14/3 Alex Shapiro Error detection using client driven poniter analysis
21/3 Roman Simkin Free-Me: A Static Analysis for Automatic Individual Object Reclamation
28/3 Uri Inon
![Page 5: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/5.jpg)
Points-To Analysis
• Determine if a variable points to a variable at some (all) execution paths
[1] p = &a;
[2] q = &b;
[3] if (getc())
[4] q = &c
[5] p a
q c
q b
![Page 6: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/6.jpg)
Iterative Program Analysis
• Start by optimistically assuming that nothing is wrong– No points-to set
• At every iteration apply the abstract meaning of programming language statements and add more points-to pairs
• Stop when no changes occur
![Page 7: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/7.jpg)
Iterative Points-to Analysist= &a
y= &b
z= &c
p= &y p= &z
ta
ta, yb
ta, yb, z c, py
ta, yb, z c
ta, yb, z c, pz
ta, yb, z c, py, pz
ta, yb, z c ta, yb, z c*p= t
![Page 8: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/8.jpg)
Iterative Points-to Analysist= &a
y= &b
z= &c
p= &y p= &z
ta
ta, yb
ta, yb, z c, py ta, yb, z c, pz
ta, yb, z c, py, pz
*p= tta, yb, z c, py, pz
ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za
![Page 9: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/9.jpg)
Iterative Points-to Analysist= &a
y= &b
z= &c
p= &y p= &z
ta
ta, yb
ta, yb, z c, py, pz
*p= tta, yb, z c, py, pz
ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za
ta, yb, z c, py, ya, za ta, yb, z c, pz, ya, za
![Page 10: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/10.jpg)
Iterative Points-to Analysist= &a
y= &b
z= &c
p= &y p= &z
ta
ta, yb
*p= tta, yb, z c, py, pz, ya, za
ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za
ta, yb, z c, py, ya, za ta, yb, z c, pz, ya, za
ta, yb, z c, py, pz, ya, za
![Page 11: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/11.jpg)
A Simple Programming Language
• Arbitrary (uninterpreted) control flow statement
• Atomic statements– x = y– x = &y– x = *y– *x = y
![Page 12: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/12.jpg)
Abstract Semantics
•For every atomic statement S
S #: P(Var* Var*) P(Var* Var*)
x := &y # (pt) = pt – {(x, *)} {(x, y)}
x := y #(pt) = pt – {(x, *)} {(x, z)| (y, z) pt}
x := *y # (pt) = pt – {(x, *)} {(x, z)| (y, w), (w, z) pt}
*x := y #(pt) = pt {(w, t)| (x, w), (y, t) pt}
![Page 13: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/13.jpg)
t= &a
y= &b
z= &c
p= &y p= &z
*p= t
1
2
3
4
5 6
7
pt[1]={}
1 pt[2]={(t, a)}
2 pt[3]={(t, a), (y, b)}
3 pt[4]={(t, a), (y, b), (z, c){
4 pt[5]= {(t, a), (y, b), (z, c)}
pt[6]= {(t, a), (y, b), (z, c)}
5 pt[7]= {(t, a), (y, b), (z, c), (p, y){
6 pt[7]= {(t, a), (y, b), (z, c), (p, y), (p, z)}
7 pt[4]= {(t, a), (y, b), (z, c), (p, y), (p, z)}
4 pt[5]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)}
pt[6]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)}
5
6
![Page 14: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/14.jpg)
Supporting Memory Allocation• Uniform treatment of the memory allocated at an
allocation statement• For every atomic statement S
S #: P(Var* Var*) P(Var* Var*) x := &y # (pt) = pt – {(x, *)} {(x, y)} x := y # (pt) = pt – {(x, *)} {(x, z)| (y, z) pt} x := *y # (pt) = pt – {(x, *)} {(x, z)| (y, w), (w, z) pt} *x := y #(pt) = pt {(w, t)| (x, w), (y, t) pt} l: x := malloc() #(pt) = pt – {(x, *)} {(x, l)}
![Page 15: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/15.jpg)
Summary Flow-Sensitive Solution
• Limited destructive updates– Can be improved with must information
• O(N * Var2) space
![Page 16: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/16.jpg)
Context-Sensitivity
• How to handle procedures
• Separate points-to sets for every call
• A uniform set for all calls
![Page 17: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/17.jpg)
Context Sensitivity Example
x = &t1;
a = &t2;
foo(x, a);
z = &t3;
b = &t4;
foo(z, b);
void foo(source, target) {
*source = target;
}
![Page 18: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/18.jpg)
Flow-Insensitive Analysis
• Ignore control flow statements
• Arbitrary statement order
• Only accumulate Points-to
• Usually represented as a directed graph
• O(n2) space
![Page 19: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/19.jpg)
Flow Insensitive Solution
t= &a
y= &b
z= &c
p= &y p= &z
*p= t
![Page 20: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/20.jpg)
Set Constraints
• A set of rules of the form:– lhs rhs– t rhs’ lhs rhs (conditional constraint)
• lhs, rhs, rhs’ are variables over sets of terms• t is a term
• The least solution can be found iteratively– start with empty sets– add terms when needed
• Cubic graph based solution
![Page 21: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/21.jpg)
t := &a; {a} pt[t]
y := &b; {b} pt[y]
z := &c; {c} pt[z]
if (nondet()) p:= &y; {y} pt[p]
else p:= &z; {z} pt[p]
*p := t; a pt[p] pt[t] pt[a]
b pt[p] pt[t] pt[b]c pt[p] pt[t] pt[c]
y pt[p] pt[t] pt[y]
z pt[p] pt[t] pt[z]
t pt[p] pt[t] pt[t] p pt[p] pt[t] pt[p]
t y z
a b c
p
![Page 22: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/22.jpg)
Unification Based Solution Steengard 1996
• Treat assignments as equalities
• Employ union-find algorithm
• Almost linear time complexity
![Page 23: Pointer and Shape Analysis Seminar cs.tau.ac.il/~msagiv/courses/shape.html](https://reader035.fdocuments.net/reader035/viewer/2022062802/56814471550346895db1035c/html5/thumbnails/23.jpg)
Conclusions
• Points-to analysis is a simple pointer analysis problem
• Effective solutions (8MLoc)
• But rather imprecise
• Set constraints are useful beyond pointer analysis– Class level analysis