Ravi Chugh Setconstraint based analysis Another technique for computing information about program variables Phase 1 constraint generation Create set variables corresponding to program Add inclusion constraints between these sets ID: 935451
Download Presentation The PPT/PDF document "Program Analysis with Set Constraints" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Program Analysiswith Set Constraints
Ravi Chugh
Slide2Set-constraint based analysis
Another technique for computing information about program variables
Phase 1: constraint generation
Create set variables corresponding to program
Add inclusion constraints between these sets
Usually a local, syntax-directed process (
ASTs
vs
CFGs
)
Phase 2: constraint resolution
Solve for values of all set variables
Extends naturally to inter-procedural analysis
Slide3Constant propagation
int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Want to determine whether
x
and
y
are constant values when they are used
We will build a flow-insensitive analysis
Slide4Set constraints
Terms
t := c (constant)
| X (set variable)
| C(t
1,...,tn) (constructed term)Constraints t1 t2 (set inclusion)ConstructorsC(v1,...,vn) is an n-arg ctor C with variances vivi is either
+
(covariant) or
–
(contravariant)
Covariance corresponds to “forwards flow”
Contravariance corresponds to “backwards flow”
Slide5Additional constraintsImplicit constraints added by following rules:
1) Transitivity
if
t
1
t2 and t2 t3 then t1 t32) Variance through constructed termsif C(...,ti,...) C(...,ui
,...)
then
t
i
u
i
for covariant positions of
C
u
i
t
i
for contravariant positions of
C
Slide6Constraint graphs
1
X
X Y
Ctor(A,B,C)
Ctor(D,E,F)
where
Ctor(+,-,+)
X
1
Y
Ctor
A
B
C
Ctor
D
E
F
Slide7Function calls
Define ctor
Fun(-,+)
for one input/one output
To encode a function def/call:
int z = id(2); Fun(i,r) id Fun(2,z)By contravariance, the actual 2 flows to iBy covariance, the return value of id flows to zFun
i
r
Fun
2
z
id
Slide8int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Slide9int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Slide10int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
Fun
i
r1
abs
Slide11int abs(int i) {
if (...) {
return i;
}
else { return –i; }
}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
Fun
i
r1
abs
Slide12int abs(int i) {
if (...) {
return i;
}
else { return –i; }
}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
Fun
i
r1
abs
Slide13int abs(int i) {
if (...) { return i; }
else {
return –i;
}
}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
Fun
i
r1
abs
Slide14int abs(int i) {
if (...) { return i; }
else {
return –i;
}
}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
T
r1
Fun
i
r1
abs
T
Slide15int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
T
r1
Fun
i
r1
abs
T
Slide16int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id
Fun
j
r2
id
Fun
i
r1
abs
T
Slide17int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id
Fun
j
r2
id
Fun
i
r1
abs
T
Slide18int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id
j r2
Fun
j
r2
id
Fun
i
r1
abs
T
Slide19int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id j
r2
Fun
j
r2
id
Fun
i
r1
abs
T
Slide20int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id j
r2
1
a
2 b
Fun
j
r2
id
b
2
Fun
i
r1
abs
a
1
T
Slide21int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id j
r2
1
a
2 b
Fun
j
r2
id
b
2
Fun
i
r1
abs
a
1
T
Slide22int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id j
r2
1
a
2 b
abs
Fun(a,x)
Fun
j
r2
id
b
2
Fun
i
r1
Fun
x
abs
a
1
T
Slide23int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id
j r2
1
a 2 b
abs Fun(a,x)
Fun
j
r2
id
b
2
Fun
i
r1
Fun
x
abs
a
1
T
Slide24int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...} Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2)
id
j r2
1
a 2 b
abs Fun(a,x)
id
Fun(b,y)
Fun
j
r2
Fun
y
id
b
2
Fun
i
r1
Fun
x
abs
a
1
T
Slide25int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2) id j
r2
1
a 2
b abs
Fun(a,x)
id
Fun(b,y)
Fun
j
r2
Fun
y
id
b
2
Fun
i
r1
Fun
x
abs
a
1
T
??
x
??
y
Slide26int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2) id j
r2
1
a 2
b abs
Fun(a,x)
id
Fun(b,y)
Fun
j
r2
Fun
y
id
b
2
Fun
i
r1
Fun
x
abs
a
1
T
{1,T}
x
??
y
Slide27int abs(int i) {
if (...) { return i; }
else { return –i; }
}
int id(int j) {
return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,r1)
abs
i
r1
T
r1
Fun(j,r2) id j
r2
1
a 2
b abs
Fun(a,x)
id
Fun(b,y)
Fun
j
r2
Fun
y
id
b
2
Fun
i
r1
Fun
x
abs
a
1
T
{1,T}
x
{2}
y
Slide28Pointers
Handle pointers with a
Ref(-,+)
constructor
Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;
int
j = *p;
1
i
Slide29Pointers
Handle pointers with a
Ref(-,+)
constructor
Two args correspond to set and get operations
int i = 1;int *p = &i;*p
= 2;
int
j = *p;
Ref
i
1
Slide30Pointers
Handle pointers with a
Ref(-,+)
constructor
Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;
int
j = *p;
Ref
i
p
1
Slide31Pointers
Handle pointers with a
Ref(-,+)
constructor
Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;
int
j = *p;
Ref
2
Ref
i
p
1
Slide32Pointers
Handle pointers with a
Ref(-,+)
constructor
Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;
int
j = *p;
Ref
2
Ref
j
Ref
i
p
1
Slide33Pointers
Handle pointers with a
Ref(-,+)
constructor
Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;
int
j = *p;
Ref
2
Ref
j
Ref
i
p
1
Slide34More on functions
This encoding supports higher-order functions
Passing around
Fun
terms just like constants
Function pointers also work int (*funcPtr)(int); int id(int j) { return j }; funcPtr = &id; int x = (*funcPtr)(0);Fun
j
id
Slide35More on functions
This encoding supports higher-order functions
Passing around
Fun
terms just like constants
Function pointers also work int (*funcPtr)(int); int id(int j) { return j }; funcPtr = &id; int x = (*funcPtr)(0);Fun
j
Ref
id
id
Slide36More on functions
This encoding supports higher-order functions
Passing around
Fun
terms just like constants
Function pointers also work int (*funcPtr)(int); int id(int j) { return j }; funcPtr = &id; int x = (*funcPtr)(0);Fun
j
funcPtr
Ref
id
Slide37Ref
More on functions
This encoding supports higher-order functions
Passing around
Fun
terms just like constantsFunction pointers also work int (*funcPtr)(int); int id(int j) { return j }; funcPtr = &id; int x = (*funcPtr)(0);
Fun
j
Fun
0
x
Ref
id
funcPtr
Slide38Context (in)sensitivityMultiple call sites
int x = id(1);
int y = id(2);
Fun
2
y
id
Fun
1
x
Fun
j
r
{1,2}
x{1,2}
y
Slide39Context sensitivity
Multiple call sites
int x = id
1
(1); int y = id2(2);Option 1: SpecializationEach call idi gets a new copy of idEliminates smearing but increases graph size
Fun
2
y
id
2
Fun
j
2
r
2
Fun
1
x
id
1
Fun
j
1
r
1
{1}
x
{2}
y
Slide40Context sensitivityOption 2: Unique labeled edges for each call site
Not using
Fun
constructor
There is flow only if there is a path that spells a substring of a well-bracketed string
[a[b]b]a and [a]a[b are valid; [a[b]a]b is notFor both options, if there are higher-order functions or function pointers, need a first pass to compute pointer targets
[
1
]
1
[
2
]
2
1
x
2
y
j
r
Slide41Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
o
Fld
f
o.f
Fld
g
o.g
Fld
f
3
Fld
g
4
id
Fun
j
r
Slide42Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
o
Fld
f
o.f
Fld
g
o.g
Fld
f
3
Fld
g
4
id
Fun
j
r
Slide43Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
id
Fun
j
r
readG
Fun
p
r
3
Fld
g
Fld
f
o.f
Fld
g
o.g
o
Fld
f
3
Fld
g
4
Slide44Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
id
Fun
j
r
readG
Fun
p
r
3
Fld
g
Fld
f
o.f
Fld
g
o.g
o
Fld
f
3
Fld
g
4
Fld
f
Fun
w
Slide45Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
id
Fun
j
r
readG
Fun
p
r
3
Fld
g
Fld
f
o.f
Fld
g
o.g
o
Fld
f
3
Fld
g
4
Fld
f
Fun
w
Slide46Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
id
Fun
j
r
readG
Fun
p
r
3
Fld
g
Fld
f
o.f
Fld
g
o.g
o
Fld
f
3
Fld
g
4
Fun
z
Fld
f
Fun
w
Slide47Field sensitivity
For each field
f
, define
Fld
f(-,+)constructorobj o = { f:3; g:4 };
int readG(obj p) { return p.g; }
int w = id(o.f);
int z = readG(o);
id
Fun
j
r
readG
Fun
p
r
3
Fld
g
Fld
f
o.f
Fld
g
o.g
o
Fld
f
3
Fld
g
4
Fun
z
Fld
f
Fun
w
Slide48ScalabilityConstraint graph for entire program is in memory
Even for flow-insensitive analyses, this can become a bottleneck
Even worse for flow-sensitive analyses
Techniques for analyzing parts of program in isolation and storing summaries of their observable effects
Slide49SummarySet constraints a natural way to express various program analyses
Constant propagation, pointer analysis
Closure analysis
Receiver class analysis, prototype-based inheritance
Information flow
Rich literature on solving systems of constraintsNon-trivial to extend to flow-sensitive or summary-based analysesInterference between functions and references