1
Control Flow AnalysisMooly Sagiv
http://www.math.tau.ac.il/~sagiv/courses/pa01.html
Tel Aviv University
640-6706
Textbook Chapter 3
http://www.cs.berkeley.edu/Research/~Aiken/bane.html
http://www.cs.washington.edu/research/projects/cecil
Assign 3 (11/7)
2
Goals
Understand the problem of Control Flow Analysis– in Functional Languages
– In Object Oriented Languages
– Function Pointers
Learn Constraint Based Program Analysis Technique– General
– Usage for Control Flow Analysis
– Algorithms
– Systems
Similarities between Problems &Techniques
4
A Motivating Exampleclass Vehicle Object { int position = 10; void move (int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;
void await(Vehicle v) { if (v.position < position) then v.move(position - v.position); else this.move(10); }}class Truck extends Vehicle {
void move(int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;
new c; new t; v1 := c;c.passangers := 2;c.move(60);v1.move(70);c.await(t) ;}
5
A Motivating Exampleclass Vehicle Object { int position = 10; static void move (Vehicle this1 {Car} , int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;
static void await(Car this2 {Car} , Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }}class Truck extends Vehicle {
static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;
new c; new t; v1 := c;c.passangers := 2;c.move(c, 60);v1.move(v1, 70);c.await(c, t) ;}
6
The Control Flow Analysis (CFA) Problem
Given a program in a functional programming language with higher order functions(functions can serve as parameters and return values)
Find out for each function invocation which functions may be applied
Obvious in C without function pointers Difficult in C++, Java and ML The Dynamic Dispatch Problem
8
An ML Example
let f = fn x => /* {g, h} */ x 1 ;
g = fn y => y + 2 ;
h = fn z => z + 3;
in (f g) + (f h)
9
The Language FUN Notations
– e Exp // expressions (or labeled terms)
– t Term // terms (or unlabeled terms)
– f, x Var // variables
– c Const // Constants
– op Op // Binary operators
– l Lab // Labels
Abstract Syntax– e ::= tl
– t ::= c | x | fn x e // function definition | fun f x e // recursive function definition | e1 e2 // function applications | if e0 then e1 else e2 | let x = e1 in e2 | e1 op e2
13
The 0-CFA Problem Control flow analysis without contexts Compute for every program a pair (C, ) where:
– C is the abstract cache associating abstract values with labeled program points
is the abstract environment associating abstract values with program variables
Abstract Values– v Val = P(Term) // Abstract values Env = Var Val // Abstract environment
– C Cache =Lab Val // Abstract Cache
– For function application (t1l1 t2
l2)l
C(l1) determines the function that can be applied
– Formally …
14
Possible Solutions for ((fn x x1)2 (fn y y3)4)5
1 {fn y y3} {fn y y3}
2 {fn x x1} {fn x x1}
3 {} {}
4 {fn y y3} {fn y y3}
5 {fn y y3} {fn y y3}
x {fn y y3} {}
y {} {}
15
(let g = fun f x (f1 (fn y y2)3)4
)5
(g6 (fn z z7)8)9
Shorthands
sf fun f x (f1 (fn y y2)3)4
idy fn y y2
idz fn z z7
C(1) = {sf} C(2) = {} C(3) = {idy}
C(4) = {} C(5) = {sf} C(6) = {sf}
C(7) = {} C(8) = {idz} C(9) = {}
C(10) = {} (x) = {idy , idz } (y) = {}
(z) = {}
16
Relationship to Dataflow Analysis
Expressions are side effect free– no entry/exit
A single environment Represents information at different points via
maps A single value for all occurrences of a variable Function applications act similar to assignments
– “Definition” - Function abstraction is created
– “Use” - Function is applied
17
A Formal Specification of 0-CFA
A Boolean function define when a solution is acceptable
(C, ) e means that (C, ) is acceptable for the expression e
Define by structural induction on e Every function is analyzed once Every acceptable solution is sound (conservative) Many acceptable solutions Generate a set of constraints Obtain the least acceptable solution by solving the
constraints
18
Solving 0-CFA (1)
Define a concrete semantics Define a Galois connection between the concrete
and the abstract semantics Define abstract meaning for statements Show local soundness Implement Chaotic iterations
19
Solving 0-CFA (2)
Generate a system of set of constraints – lhs rhs
– {t} rhs’ lhs rhs (conditional constraint)
Show that any solution to the set of constraints is sound
Find the minimal solution Systems for finding the minimal solution exist Applicable to different programming languages
20
Set Constraints
A set of rules of the form:– lhs rhs
– {t} rhs’ lhs rhs (conditional constraint)
– lhs, rhs, rhs’ are» terms
» C(l)(x)
The least solution (C, ) can be found iteratively– start with empty sets
– add terms when needed
Efficient cubic graph based solution
21
Syntax Directed Constraint Generation (Part I)
C* cl = {}C* xl = {r (x) C (l)}
C* (fn x e)l = C* e { {fn x e} C(l)}C* (fun f x e)l = C* e { {fun f x e} C(l)} {{fun f x e} r( f)}
C* (t1l1 t2
l2)l = C* t1l1 C* t2
l2 {{t} C(l) C (l2) r (x) | t=fn x t0
l0 Term* } {{t} C(l) C (l0) C (l) | t=fn x t0
l0 Term* } {{t} C(l) C (l2) r (x) | t=fun x t0
l0 Term* } {{t} C(l) C (l0) C (l) | t=fun x t0
l0 Term* }
22
Syntax Directed Constraint Generation (Part II)
C* (if t0l0 then t1
l1 else t2l2)l = C* t0
l0 C* t1l1 C* t2
l2 {C(l1) C (l)} {C(l2) C (l)}
C* (let x = t1l1 in t2
l2)l = C* t1l1 C* t2
l2 {C(l1) r (x)} {C(l2) C(l)}
C* (t1l1 op t2
l2)l = C* t1l1 C* t2
l2
24
Iterative Solution to the Set Constraints for ((fn x x1)2 (fn y y3)4)5
step Constraint 1 2 3 4 x y
25
Graph Based Solution toConstraint Systems
Construct a directed graph– Nodes
» Set variables
– Edges» u v
The set variable v may depend on u
Iteratively traverse the graph– Every operation adds a term
– Must terminate
Read the solution from the graph
26
The Constraint Graph for 0-CFA Nodes
– C(l)– r(x)
Edges – p1 p2
» Construct p1 p2
– {t} p p1 p2» Construct p1 p2» Construct p p2
Dependencies– D[v]
» The set of terms that must be included in v
27
WL :=
For all nodes v:
D[v] :=
E[v] :=
For all constraints c:
case c {t} p:
add(p, {t})
case c p1 p2:
E[p1] := E[p1] {c}
case c={t} p p1 p2
E[p] := E[p] {c}
E[p1] := E[p1] {c}
procedure add(q, s)
if (s D(q)) then
D[q] : = D[q] s
WL := WL {q}
while WL do
select and remove an element v from WL
for all c E[v] do
case c p1 p2: add(p2, D[p1])
case c={t} p p1 p2
if t D[p] then add(p2, D[p1])
28
Adding Data Flow Information
Dataflow values can affect control flow analysis Example
(let f = (fn x (if (x1 > 02)3 then (fn y y4)5
else (fn z 56)7
)8
)9
in ((f10 311)12 013)14)15
29
Adding Data Flow Information Add a finite set of “abstract” values per program
Data Update Val = P(TermData)
Env = Var Val // Abstract environment
– C Cache - Lab Val // Abstract Cache
Generate extra constraints for data Obtained a more precise solution A special of case of product domain (4.4) The combination of two analyses may be more
precise than both For some programs may even be more efficient
30
Adding Dataflow Information (Sign Analysis)
Sign analysis Add a finite set of “abstract” values per program
Data = {P, N, TT, FF} Update Val = P(TermData) dc is the abstract value that represents a constant c
– d3 = {p}
– d-7= {n}
– dtrue= {tt}
– dfalse= {ff}
Every operator is conservatively interpreted
31
Syntax Directed Constraint Generation (Part I)
C* cl = dc C (l)}C* xl = {r (x) C (l)}
C* (fn x e)l = C* e { {fn x e} C(l)}C* (fun f x e)l = C* e { {fun f x e} C(l)} {{fun f x e} r( f)}
C* (t1l1 t2
l2)l = C* t1l1 C* t2
l2 {{t} C(l) C (l2) r (x) | t=fn x t0
l0 Term* } {{t} C(l) C (l0) C (l) | t=fn x t0
l0 Term* } {{t} C(l) C (l2) r (x) | t=fun x t0
l0 Term* } {{t} C(l) C (l0) C (l) | t=fun x t0
l0 Term* }
32
Syntax Directed Constraint Generation (Part II)
C* (if t0l0 then t1
l1 else t2l2)l = C* t0
l0 C* t1l1 C* t2
l2 {dt C (l0) C(l1) C (l)} {df C (l0) C(l2) C (l)}
C* (let x = t1l1 in t2
l2)l = C* t1l1 C* t2
l2 {C(l1) r (x)} {C(l2) C(l)}
C* (t1l1 op t2
l2)l = C* t1l1 C* t2
l2 {C(l1) op C(l2) C(l)}
33
Adding Context Information The analysis does not distinguish between different
occurrences of a variable(Monovariant analysis)
Example(let f = (fn x x1) 2
in ((f3 f4)5 (fn y y6) 7)8)9
Source to source can help (but may lead to code explosion)
Example rewrittenlet f1 = fn x1 x1 in let f2 = fn x2 x2
in (f1 f2) (fn y y)
34
Simplified K-CFA
Records the last k dynamic calls (for some fixed k)
Similar to the call string approach Remember the context in which expression is
evaluated Val is now P(Term)Contexts
Env = Var Contexts Val
– C Cache - LabContexts Val
35
1-CFA (let f = (fn x x1) 2 in ((f3 f4)5 (fn y y6) 7)8)9
Contexts– [] - The empty context
– [5] The application at label 5
– [8] The application at label 8
Polyvariant Control FlowC(1, [5]) = (x, 5)= C(2, []) = C(3, []) = (f, []) = ({(fn x x1)}, [] )C(1, [8]) = (x, 8)= C(7, []) = C(8, []) = C(9, []) = ({(fn y y6)}, [] )
36
A Motivating Exampleclass Vehicle Object { int position = 10; static void move (Vehicle this1 {Car} , int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;
static void await(Car this2 {Car} , Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }}class Truck extends Vehicle {
static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;
new c; new t; v1 := c;c.passangers := 2;c.move(c, 60);v1.move(v1, 70);c.await(c, t) ;}
37
class Vehicle Object { int position = 10; static void move (Vehicle t1 , int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;
static void await(Car t2 , Vehicle v) { if (v.position < position) then v.move(v, position - v.position); else t2.move(t2, 10); }}class Truck extends Vehicle {
static void move(Truck t3, int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;
new c; new t; v1 := c;c.passangers := 2;c.move(c, 60);v1.move(v1, 70);c.await(c, t) ;}
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
38
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
39
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
40
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
t
41
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
t
42
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
t
43
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
t
44
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
t
45
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
WL
c
t
c
c
c
t
t
46
{V} cl(v) cl(v)cl(t1)
{T} cl(v) cl(v)cl(t3)
{C} cl(v) cl(v)cl(t1)
{C} cl(t2) cl(t2)cl(t1)
{C} cl(c)
{T} cl(t)
cl(c) cl(v1)
{C} cl(c) cl(c)cl(t1)
{V} cl(v1) cl(v1)cl(t1)
{T} cl(v1) cl(v1)cl(t3)
{C} cl(v1) cl(v1)cl(t1)
{C} cl(c) cl(t)cl(v)
{C} cl(c) cl(c)cl(t2)
cl(c)
cl(t1)
cl(t2)
cl(t3)
cl(v)
cl(t)
cl(v1)
c
t
c
c
c
t
t
47
A Motivating Exampleclass Vehicle Object { int position = 10; static void move (Vehicle this1 {Car} , int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;
static void await(Car this2 {Car} , Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }}class Truck extends Vehicle {
static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;
new c; new t; v1 := c;c.passangers := 2;c.move(c, 60);v1.move(v1, 70);c.await(c, t) ;}
48
Missing Material Efficient Cubic Solution to Set Constraints
www.cs.berkeley.edu/Research/Aiken/bane.html Experimental results for OO
www.cs.washington.edu/research/projects/cecil Operational Semantics for FUN (3.2.1) Defining acceptability of set constraints Using general lattices as Dataflow values
instead of powersets (3.5.2) Lower-bounds
– Decidability of JOP– Polynomiality
Top Related