Level by Level: - PowerPoint Presentation

379 views
Uploaded On 2016-05-14

Level by Level: - PPT Presentation

Making Flow and ContextSensitive Pointer Analysis Scalable for Millions of Lines of Code Hongtao Yu Zhaoqing Zhang Xiaobing Feng Wei Huo Institute of Computing Technology Chinese Academy of Sciences ID: 318965

int amp level foo amp int foo level context points obj analysis pointer sensitive flow l11 l12 analyze void

Link:

Copy

Embed:

<iframe width="560" height="315" src="https://www.docslides.com/embed/318965" frameborder="0" allowfullscreen></iframe>

Download Presentation from below link

Download Presentation The PPT/PDF document "Level by Level:" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

Slide1

Level by Level: Making Flow- and Context-Sensitive Pointer Analysis Scalable for Millions of Lines of Code

Hongtao Yu Zhaoqing Zhang Xiaobing Feng Wei Huo Institute of Computing Technology, Chinese Academy of Sciences { htyu, zqzhang, fxb, huowei }@ict.ac.cn

Jingling

Xue

University of New South Wales

jingling@cse.unsw.edu.au

Slide2

OutlineIntroduction

FrameworkAnalyzing a LevelExperimentsConclusion

2Slide3

Introduction

MotivationWho needs flow- and context-sensitive (FSCS) pointer analysis ?Software checking toolsProgram understandingParallelization tools Hardware synthesis

Existed methods cannot scale to large real programsAiming at millions of lines of C code

3Slide4

Improve scalabilityFor flow-sensitivity

Decreasing iterations in dataflow analysisSaving space of points-to graphFor context-sensitivitySummary-basedLow storage penaltyLow apply penalty4Slide5

Idea

Level by Level analysisAnalyze the pointers in decreasing order of their points-to levelsSuppose int **q, *p, x;q

has a level 2, p has a level 1 and x

has a level 0.

Fast flow-sensitive analysis on full sparse SSA

Fast and accurate context-sensitive analysis using a full transfer function

5Slide6

Contribution

performs a full-sparse flow-sensitive pointer analysis using a flow-insensitive algorithmperforms a context-sensitive pointer analysis efficiently with precise full transfer functionyields a flow-

and context-sensitive interproce-dural may/must mod/ref on a compact SSA formanalyzes million lines of code in minutes,

fast-

than the state-of-the art FSCS pointer

ana-lysis

algorithms

6Slide7

Framework

Figure 1. Level-by-level pointer analysis (LevPA).

Evalute transfer functions

Bottom-up

Top-down

Propagate points-to set

Compute points-to level

for points-to level from the highest to lowest

incremental build call graph

7Slide8

Points-to levelProperty 1.

If a variable x is possibly pointed to by a pointer y, then ptl(

x) ≤ ptl(y

Property 2

If a variable

is possibly assigned to

, then

ptl

(

) =

ptl

(

Compute points-to level by a Unification-based pointer analysis

8Slide9

Example

int o, t; main() { L1: int **x, **y;

L2: int *a, *b, *c, *d, *e; L3: x = &a; y = &b;

L4:

foo

(x, y);

L5: *b = 5;

L6:

( … ) { x = &c; y = &e; }

L7:

else

{ x = &d; y = &d; }

L8: c = &t;

L9:

foo

( x, y);

L10: *e = 10; }

void

foo

(

int

**p,

int

**q) {

L11: *p = *q;

L12: *q = &

obj

;

}

ptl(x, y, p, q

) =2ptl(

b, c, d, e) =1 ptl

(t, o) =

analyze

first {

}

then {

}

last {

t, o

}Slide10

Bottom-up analyze level 2

void

foo( int **p, int **q) { L11: *p = *q;

L12: *q = &obj; }

main() {

L1:

int

**x, **y;

L2:

int

*a, *b, *c, *d, *e;

L3: x = &a; y = &b;

L4:

foo

(x, y);

L5: *b = 5;

L6:

( … ) { x = &c; y = &e; }

L7:

else

{ x = &d; y = &d; }

L8: c = &t;

L9:

foo

( x, y);

L10: *e = 10; }

10Slide11

Bottom-up analyze level 2

void

foo( int **p, int **q) { L11: *p

= *q

;

L12: *q

= &obj; }

main() {

L1:

int

**x, **y;

L2:

int

*a, *b, *c, *d, *e;

L3: x = &a; y = &b;

L4: foo(x, y);

L5: *b = 5;

L6:

( … ) { x = &c; y = &e; }

L7:

else

{ x = &d; y = &d; }

L8: c = &t;

L9: foo( x, y);

L10: *e = 10; }

11 p1’s points-to depend on formal-in p

q1’s points-to depend on formal-in qSlide12

Bottom-up analyze level 2

void

foo( int **p, int **q) { L11: *p

= *q

;

L12: *q

= &obj; }

main() {

L1:

int

**x, **y;

L2:

int

*a, *b, *c, *d, *e;

L3: x

= &a; y

= &b;

L4: foo(x

, y

);

L5: *b = 5;

L6: if ( … ) { x

2 = &c; y2 = &e; } L7: else { x

3 = &d; y3 = &d; } x

4=ϕ (x

2, x3); y

4=ϕ (y

2, y3) L8: c = &t;

L9: foo( x

, y

);

L10: *e = 10; }

’s

points-to depend on formal-in p

’s

points-to depend on formal-in q

→

{ a }

→

{ b }

→

{ c }

→

{ e }

→

{ d }

→

{ d }

→

{ c, d }

→

{ e, d }Slide13

Full-sparse AnalysisAchieve flow-sensitivity flow-insensitively Regard each SSA name as a unique variable

Set constraint-based pointer analysisFull sparseSaving timeSaving space13Slide14

Top-down analyze level 2

L4: foo.p

→ { a } foo.q

→

{ b }

L9:

foo.p

→

{ c, d }

foo.q

→

{ d, e }

foo.p

→

{ a, c, d }

foo.q

→

{ b, d, e }

main

Propagate to

callsite

void

foo

(

int

**p,

int **q) { L11: *p = *q; L12: *q = &

obj; }

main() {

L1:

int

**x, **y;

L2:

int

*a, *b, *c, *d, *e;

L3: x = &a; y = &b;

L4:

foo

(x, y);

L5: *b = 5;

L6:

( … ) { x = &c; y = &e; }

L7:

else

{ x = &d; y = &d; }

L8: c = &t;

L9:

foo

( x, y);

L10: *e = 10; }Slide15

Top-down analyze level 2

void foo

( int **p, int

**q) {

μ(b, d, e)

L11: *

= *

;

χ(a, c, d)

L12: *

= &

obj

;

χ(b, d, e)

}

foo

: E

xpand pointer dereferences

Merging calling contexts here

void foo

( int **p, int

**q) { L11: *p = *q; L12: *q = &

obj; }

main() {

L1:

int

**x, **y;

L2:

int

*a, *b, *c, *d, *e;

L3: x = &a; y = &b;

L4:

foo

(x, y);

L5: *b = 5;

L6:

( … ) { x = &c; y = &e; }

L7:

else

{ x = &d; y = &d; }

L8: c = &t;

L9:

foo

( x, y);

L10: *e = 10; }Slide16

Context Condition

To be context-sensitivePoints-to relation cip ⟹ v (p→v

) , p must (may) point to v, p is a formal parameter.

Context Condition ℂ

,…,c

)

a Boolean function consists of

higher-level

points-to relations

Context-sensitive μ and χ

μ(

ℂ(c

,…,c

)

i+1

=χ(v

i, M, ℂ(c1,…,c

k)) M ∈ {may, must}, indicates weak/strong update

16Slide17

Context-sensitive μ and χ

void foo( int **p, int **q) { μ(b, q⟹b) μ(d, q

→d) μ(e, q

→

)

L11: *p

= *q

;

a=χ(a , must,

p⟹a

)

c=χ(c , may,

p→c

)

d=χ(d , may,

p→d

)

L12: *q1 = &

obj

;

b=χ(b , must,

q⟹b

) d=χ(d , may, q→d)

e=χ(e , may, q→e)}

17Slide18

Bottom-up analyze level 1

void foo( int **p, int **q) { μ(b1, q⟹b)

μ(d1, q→

)

μ(e

→

)

L11: *p

= *q

;

=χ

, must

p⟹a)

c2=χ(c

1 , may, p→

c) d2

=χ(d1 , may, p→

d)L12: *q1 = &obj;

b2=χ(b1 , must, q⟹b) d3

=χ(d2 , may, q→d)

e2=χ(e1 , may, q

→e)}

18Slide19

Points-to SetLocal Points-to Set

Loc (p) = { <v, ℂ(c1,…,ck)> | ℂ(c1,…,c

k) is a context condition}. p can point to v

if and only if

ℂ(c

,…,c

)

holds.

is computed explicitly during the bottom-up analysis.

Dependence Set

Dep(p) =

{ <

q, ℂ(c

,…,c

is a formal-in parameter of level

lev

and

ℂ(c

,…,ck) is a context condition

Ptr(p) includes Ptr(q) if and only if ℂ(c

1,…,ck) holds.

19Slide20

Transfer functionTrans(proc, v

)< Loc(v), Dep(v), ℂ(c1,…,ck), M >

v is a formal-out parameterℂ(c

,…,c

)

is a context condition.

can be modified at a

callsite

invoking

proc

only if

ℂ(

,…,c

)

holds at the

callsite

M ∈ {may, must

}

，

indicates may/must mod effect

Trans(proc)

a set of all individual transfer functions Trans(proc, v).

20Slide21

Bottom-up analyze level 1

void foo( int **p, int **q) { μ(b1, q⟹b) μ(d1, q→d)

μ(e1, q→e)

L11: *p

= *q

;

=χ(a

, must

⟹

)

=χ(c

, may

→c) d2=χ(d

1 , may, p→d)

L12: *q1 = &obj; b

2=χ(b1 , must, q⟹

b) d3=χ(d2

, may, q→d) e2

=χ(e1 , may, q→e)}Trans(

foo, a) = < { }, { <b, q⟹

b> , < d, q→d>, <

e, q→e>} ,

p⟹a, must >

Trans(

foo

, c)

= < { }, { <

⟹

> , <

→

>, <

→

may

Trans(

foo

, b)

= < {<

obj

⟹

> }, { } ,

q⟹b

must

Trans(

foo

, e)

= < {<

obj

→

> }, { } ,

→

may

Trans(

foo

, d)

= < {<

obj

→

> }, { <

→

∧

⟹

> , <

→

>, <

→

∧

→

> } ,

→

∨

→

may

> Slide22

Bottom-up analyze level 1

int obj, t; main() { L1: int

**x, **y; L2: int

*a, *b, *c, *d, *e;

L3:

= &a;

= &b;

μ(

true

)

L4:

foo

(

);

2=χ(a

1 , must, true

) b2=χ(b1 ,

must, true)

L5: *

b1 = 5;

L6: if ( … ) { x

2 = &c; y2

= &e; }

L7:

else

{

= &d;

= &d; }

(

)

(

)

L8:

= &t;

μ(

true

)

μ(

true

)

L9:

foo

(

);

=χ(c

may ,

true

)

=χ(d

may , true) e2=χ(e1, may , true) L10: *e1= 10; }

at L4, p ⟹ a holds, q ⟹ b holds

at L9, p → c, p → d holds,q → e, q → d holds,

22Slide23

BDD and context conditionContext conditions are implemented using BDD

Compactly represented Boolean operations efficiently23

variable

represents

→

variable

represents

→

variable

represents

→

BDD for

ℂ = (

p → a ∧ q → a) ∨ p → b

if only p → b holds at a call site, we can write

ℂ

x1=0;x2=0;x3=1

to see whether C holds at the call site.Slide24

ExperimentAnalyzes million lines of code in minutes

Faster than the state-of-the art FSCS pointer analysis algorithms.Table 2. Performance (secs).

Benchmark

KLOC

LevPA

Bootstrapping(PLDI’08)

64bit

32bit

Icecast-2.3.1

2.18

5.73

sendmail

115

72.63

143.68

939

httpd

128

16.32

35.42

161

445.gombk

197

21.37

40.78

wine-0.9.24

1905

502.29

891.16

wireshark

-1.2.2

2383

366.63

845.23

/Slide25

ConclusionWe present a scalable method for flow- and

context-sensitive pointer analysisAnalyzes the pointers in a program level by level in terms of their points-to levels. Fast flow-sensitive analysis on full sparse SSA form Fast and accurate context-sensitive analysis using full transfer functions represented by BDD.

Can analyze million lines of C code in minutes, faster than the state-of-the-art methods.

25Slide26

Thanks