interprocedural analysis noam rinetzky mooly sagiv
Post on 21-Dec-2015
235 views
TRANSCRIPT
![Page 1: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/1.jpg)
Interprocedural Analysis
Noam Rinetzky
Mooly Sagiv
![Page 2: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/2.jpg)
Challenges in Interprocedural Analysis
• Respect call-return mechanism• Handling recursion• Local variables• Parameter passing mechanisms• The called procedure is not always known• The source code of the called procedure is
not always available• Concurrency
![Page 3: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/3.jpg)
Stack regime
P() {
…
R();
…
}
R(){
…
}
Q() {
…
R();
…
}
call
return
call
retu
rn
P
R
![Page 4: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/4.jpg)
Guiding light
• Exploit stack regimePrecisionEfficiency
![Page 5: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/5.jpg)
Simplifying Assumptions
Parameter passed by value No OO No nesting No concurrencyRecursion is supported
![Page 6: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/6.jpg)
Topics Covered
• The trivial approach• Procedure Inlining• The naive approach• The call string
approach• Functional Approach
• Valid paths • Interprocedural
Analysis via Graph Reachability
• Beyond reachability• [Demand analysis]• [Advanced Topics]
– Karr’s analysis– Backward– MOPED
![Page 7: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/7.jpg)
Constant Propagation
• Find variables with constant value at a given program location
int p(int x){ return x * x; void main()}{int z; if (...)
z = p(5) + 5;else z = p(4) + 4;
printf (z);}
![Page 8: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/8.jpg)
Example Program
x = 5;
y = 7;
if (...)
y = x + 2;
z = x +y;
![Page 9: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/9.jpg)
Undecidability Issues
• It is undecidable if a program point is reachablein some execution
• Some static analysis problems are undecidable even if the program conditions are ignored
![Page 10: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/10.jpg)
The Constant Propagation Example
while (...) { if (...) x_1 = x_1 + 1;
if (...) x_2 = x_2 + 1; ... if (...) x_n = x_n + 1; }y = truncate (1/ (1 + p2(x_1, x_2, ..., x_n))/* Is y=0 here? */
![Page 11: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/11.jpg)
Conservative Solution
• Every detected constant is indeed constant– But may fail to identify some constants
• Every potential impact is identified– Superfluous impacts
![Page 12: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/12.jpg)
The extra cost of procedures
• Call return complicates the analysis
• Unbounded stack memory
• Increases asymptotic complexity
• But can be tolerable in practice
• Sometimes even cheaper/more precise than intraprocedural analysis
![Page 13: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/13.jpg)
A trivial treatment of procedure
• Analyze a single procedure• After every call continue with conservative
information– Global variables and local variables which “may be
modified by the call” have unknown values
• Can be easily implemented• Procedures can be written in different languages• Procedure inline can help
![Page 14: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/14.jpg)
Disadvantages of the trivial solution• Modular (object oriented and functional)
programming encourages small frequently called procedures
• Almost all information is lost
![Page 15: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/15.jpg)
Procedure Inlining
• Inline called procedures
• Simple
• Does not handle recursion
• Exponential blow up
p1 {
call p2
…
call p2
}
p2 {
call p3
…
call p3
}
p3{
}
![Page 16: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/16.jpg)
A Naive Interprocedural solution
• Treat procedure calls as gotos
• Abstract call/return correlations
• Obtain a conservative solution
• Use chaotic iterations
• Usually fast
![Page 17: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/17.jpg)
Simple Exampleint p(int a) {
return a + 1;
}
void main() {
int x ;
x = p(7);
x = p(9) ;
}
![Page 18: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/18.jpg)
Simple Exampleint p(int a) {
[a 7]
return a + 1;
}
void main() {
int x ;
x = p(7);
x = p(9) ;
}
![Page 19: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/19.jpg)
Simple Exampleint p(int a) {
[a 7]
return a + 1;
[a 7, $$ 8]
}
void main() {
int x ;
x = p(7);
x = p(9) ;
}
![Page 20: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/20.jpg)
Simple Exampleint p(int a) {
[a 7]
return a + 1;
[a 7, $$ 8]
}
void main() {
int x ;
x = p(7);
[x 8]
x = p(9) ;
[x 8]
}
![Page 21: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/21.jpg)
Simple Exampleint p(int a) {
[a 7]
return a + 1;
[a 7, $$ 8]
}
void main() {
int x ;
x =l p(7);
[x 8]
x = p(9) ;
[x 8]
}
![Page 22: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/22.jpg)
Simple Exampleint p(int a) {
[a ]
return a + 1;
[a 7, $$ 8]
}
void main() {
int x ;
x = p(7);
[x 8]
x = p(9) ;
[x 8]
}
![Page 23: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/23.jpg)
Simple Exampleint p(int a) {
[a ]
return a + 1;
[a , $$ ]
}
void main() {
int x ;
x = p(7);
[x 8]
x = p(9);
[x 8]
}
![Page 24: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/24.jpg)
Simple Exampleint p(int a) {
[a ]
return a + 1;
[a , $$ ]
}
void main() {
int x ;
x = p(7) ;
[x ]
x = p(9) ;
[x ]
}
![Page 25: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/25.jpg)
The Call String Approach
• The data flow value is associated with sequences of calls (call string)
• Use Chaotic iterations
• To guarantee termination limit the size of call string (typically 1 or 2)– Represents tails of calls
• Abstract inline
![Page 26: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/26.jpg)
Simple Exampleint p(int a) {
return a + 1;
}
void main() {
int x ;
c1: x = p(7);
c2: x = p(9) ;
}
![Page 27: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/27.jpg)
Simple Exampleint p(int a) {
c1: [a 7]
return a + 1;
}
void main() {
int x ;
c1: x = p(7);
c2: x = p(9) ;
}
![Page 28: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/28.jpg)
Simple Exampleint p(int a) {
c1: [a 7]
return a + 1;
c1:[a 7, $$ 8]
}
void main() {
int x ;
c1: x = p(7);
c2: x = p(9) ;
}
![Page 29: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/29.jpg)
Simple Exampleint p(int a) {
c1: [a 7]
return a + 1;
c1:[a 7, $$ 8]
}
void main() {
int x ;
c1: x = p(7);
: x 8
c2: x = p(9) ;
}
![Page 30: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/30.jpg)
Simple Exampleint p(int a) {
c1:[a 7]
return a + 1;
c1:[a 7, $$ 8]
}
void main() {
int x ;
c1: x = p(7);
: [x 8]
c2: x = p(9) ;
}
![Page 31: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/31.jpg)
Simple Exampleint p(int a) {
c1:[a 7] c2:[a 9]
return a + 1;
c1:[a 7, $$ 8]
}
void main() {
int x ;
c1: x = p(7);
: [x 8]
c2: x = p(9) ;
}
![Page 32: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/32.jpg)
Simple Exampleint p(int a) {
c1:[a 7] c2:[a 9]
return a + 1;
c1:[a 7, $$ 8] c2:[a 9, $$10]
}
void main() {
int x ;
c1: x = p(7);
: [x 8]
c2: x = p(9) ;
}
![Page 33: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/33.jpg)
Simple Exampleint p(int a) {
c1:[a 7] c2:[a 9]
return a + 1;
c1:[a 7, $$ 8] c2:[a 9, $$ 10]
}
void main() {
int x ;
c1: x = p(7);
: [x 8]
c2: x = p(9) ;
: [x 10]
}
![Page 34: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/34.jpg)
Another Exampleint p(int a) {
c1:[a 7] c2:[a 9]
return c3: p1(a + 1);
c1:[a 7, $$ ] c2:[a 9, $$ ]
}
void main() {
int x ;
c1: x = p(7);
: [x 8]
c2: x = p(9) ;
: [x 10]
}
int p1(int b) {
(c1|c2)c3:[b ]
return 2 * b;
(c1|c2)c3:[b , $$]
}
![Page 35: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/35.jpg)
int p(int a) {
c1: [a 7] c1.c2+: [a ]
if (…) {
c1: [a 7] c1.c2+: [a ]
a = a -1 ;
c1: [a 6] c1.c2+: [a ]
c2: p (a);
c1.c2*: [a ]
a = a + 1; c1.c2*: [a ] }c1.c2*: [a ]
x = -2*a + 5;c1.c2*: [a , x]
}
void main() {
c1: p(7);: [x ]
}
![Page 36: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/36.jpg)
Summary Call String
• Easy to implement
• Efficient for small call strings
• For finite domains can be precise even with recursion
• Limited precision
• Order of calls can be abstracted
• Related method: procedure cloning
![Page 37: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/37.jpg)
The Functional Approach
• The meaning of a procedure is mapping from states into states
• The abstract meaning of a procedure is function from an abstract state to abstract states
• Relation between input and output
![Page 38: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/38.jpg)
The Functional Approach
• Two phase algorithm– Compute the dataflow solution at the exit of a
procedure as a function of the initial values at the procedure entry (functional values)
– Compute the dataflow values at every point using the functional values
![Page 39: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/39.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
x = -2*a + 5;
[a a0, x -2a0 + 5]
}
void main() {
p(7);
}
![Page 40: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/40.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
[a a0, x x0]
x = -2*a + 5;
}
void main() {
p(7);
}
![Page 41: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/41.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
[a a0, x x0]
x = -2*a + 5;
[a a0, x -2a0 + 5]
}
void main() {
p(7);
}
![Page 42: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/42.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
[a a0-1, x x0]
p (a);
a = a + 1;
{
[a a0, x x0]
x = -2*a + 5;
[a a0, x -2a0 + 5]
}
void main() {
p(7);
}
![Page 43: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/43.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
[a a0-1, x x0]
p (a);
[a a0-1, x ]
a = a + 1;
{
[a a0, x x0]
x = -2*a + 5;
[a a0, x -2a0 + 5]
}
void main() {
p(7);
}
![Page 44: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/44.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
[a a0-1, x x0]
p (a);
[a a0-1, x ]
a = a + 1;
[a a0, x ]
{
[a a0, x x0]
x = -2*a + 5;
[a a0, x -2a0 + 5]
}
void main() {
p(7);
}
![Page 45: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/45.jpg)
Phase 1int p(int a) {
[a a0, x x0]
if (…) {
a = a -1 ;
[a a0-1, x x0]
p (a);
[a a0-1, x -2(a0-1) + 5]
a = a + 1;
[a a0, x -2(a0-1) + 5]
{
[a a0, x ]
x = -2*a + 5;
[a a0, x -2a0 + 5]
}
void main() {
p(7);
}
![Page 46: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/46.jpg)
Phase 2int p(int a) {
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
x = -2*a + 5;
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 47: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/47.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
x = -2*a + 5;
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 48: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/48.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
[a 7, x 0]
x = -2*a + 5;
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 49: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/49.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
p (a);
a = a + 1;
{
[a 7, x 0]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 50: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/50.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
a = a + 1;
{
[a 7, x 0]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 51: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/51.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
[a 6, x -9]
a = a + 1;
{
[a 7, x 0]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 52: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/52.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
[a 6, x -9]
a = a + 1;
[a 7, x -9]
{
[a 7, x 0]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 53: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/53.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
[a 6, x -9]
a = a + 1;
[a 7, x -9]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 54: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/54.jpg)
Phase 2int p(int a) {
[a 7, x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
[a 6, x -9]
a = a + 1;
[a 7, x -9]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 55: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/55.jpg)
Phase 2int p(int a) {
[a 7, x 0] [a 6, x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
[a 6, x -9]
a = a + 1;
[a 7, x -9]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 56: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/56.jpg)
Phase 2int p(int a) {
[a , x 0]
if (…) {
a = a -1 ;
[a 6, x 0]
p (a);
[a 6, x -9]
a = a + 1;
[a 7, x -9]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 57: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/57.jpg)
Phase 2int p(int a) {
[a , x 0]
if (…) {
a = a -1 ;
[a , x 0]
p (a);
[a 6, x -9]
a = a + 1;
[a 7, x -9]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 58: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/58.jpg)
Phase 2int p(int a) {
[a , x 0]
if (…) {
a = a -1 ;
[a , x 0]
p (a);
[a , x ]
a = a + 1;
[a 7, x -9]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 59: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/59.jpg)
Phase 2int p(int a) {
[a , x 0]
if (…) {
a = a -1 ;
[a , x 0]
p (a);
[a , x ]
a = a + 1;
[a , x ]
{
[a 7, x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 60: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/60.jpg)
Phase 2int p(int a) {
[a , x 0]
if (…) {
a = a -1 ;
[a , x 0]
p (a);
[a , x ]
a = a + 1;
[a , x ]
{
[a , x ]
x = -2*a + 5;
[a 7, x -9]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 61: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/61.jpg)
Phase 2int p(int a) {
[a , x 0]
if (…) {
a = a -1 ;
[a , x 0]
p (a);
[a , x ]
a = a + 1;
[a , x ]
{
[a , x ]
x = -2*a + 5;
[a , x ]
}
void main() {
p(7);
[x -9]
}
p(a0,x0) = [a a0, x -2a0 + 5]
![Page 62: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/62.jpg)
Summary Functional approach
• Computes procedure abstraction
• Sharing between different contexts
• Rather precise
• Recursive procedures may be more precise/efficient than loops
• But requires more from the implementation– Representing relations– Composing relations
![Page 63: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/63.jpg)
Interprocedural analysis
sR
n1
n3
n2
f1
f3f2
f1
eR
f3
sP
n5
n4
f1
eP
f5
P R
Call Q
fc2e
fx2r
Call node
Return node
Entry node
Exit node
sQ
n7
n6
f1
eQ
f6
Q
Call Q
Call node
Return node
fc2e
fx2r
f1
Supergraph
![Page 64: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/64.jpg)
•paths(n) the set of paths from s to n –) )s,n1) ,(n1,n3) ,(n3,n1 ( (
Pathss
n1
n3
n2
f1f1
f3f2
f1
e
f3
![Page 65: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/65.jpg)
Interprocedural Valid Paths
( )
f1 f2 fk-1 fk
f3
f4
f5
fk-2
fk-3
callq
enterq exitq
ret
• IVP: all paths with matching calls and returns– And prefixes
![Page 66: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/66.jpg)
Interprocedural Valid Paths
• IVP set of paths– Start at program entry
• Only considers matching calls and returns – aka, valid
• Can be defined via context free grammar– matched ::= matched (i matched )i | ε– valid ::= valid (i matched | matched
• paths can be defined by a regular expression
![Page 67: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/67.jpg)
Join Over All Paths (JOP)
start n
i
ffff)]],...,[[( 1211
kkkee
f 1 f 2 f kf 1k
• JOP[v] = {[[e1, e2, …,en]]() | (e1, …, en) paths(v)}
• JOP LFP– Sometimes JOP = LFP
• precise up to “symbolic execution”
• Distributive problem
e1 e2 ekek 1
f 1 f 2 f kf 1k
L L
![Page 68: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/68.jpg)
The Join-Over-Valid-Paths (JVP)• vpaths(n) all valid paths from program start to n• JVP[n] = {[[e1, e2, …, e]]()
(e1, e2, …, e) vpaths(n)}• JVP JFP
– In some cases the JVP can be computed– (Distributive problem)
![Page 69: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/69.jpg)
Main idea functional approach
• Iterate on the abstract domain of functions from L to L
• Two phase algorithm– Compute the dataflow solution at the exit of a
procedure as a function of the initial values at the procedure entry (functional values)
– Compute the dataflow values at every point using the functional values
• Computes JVP for distributive problems
![Page 70: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/70.jpg)
Example: Constant propagation
• L = VarN {, }• Domain: F:LL
– (f1f2)(x) = f1(x)f2(x)
x=7
y=x+1
x=y
env.env[x7]
env.env[yenv(x)+1]
Id=envL.env
env.env[x7] ○ env.env
env.env[yenv(x)+1] ○ env.env[x7] ○ env.env
![Page 71: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/71.jpg)
Example: Constant propagation
• L = VarN {, }• Domain: F:LL
– (f1f2)(x) = f1(x)f2(x)
x=7 y=x+1
x=y
env.env[x7] env.env[yenv(x)+1]
Id=env.envId=env.env
env.env[yenv(x)+1] env.env[x7]
![Page 72: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/72.jpg)
init
a=79
call p10
call p11
print(x)12
p1
If( … )2
a=a-13
call p4
call p5
a=a+16
x=-2a+57
end8
begin0
end13
NFunction
0e.[xe(x), ae(a)]=id
1e.[xe(x), ae(a)]=id
3-13e.
![Page 73: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/73.jpg)
Phase 1NFunction
1e. [xe(x), ae(a)]=id
2id
7id
8e.[x-2e(a)+5, a e(a)]
3id
4e.[xe(x), a e(a)-1]
5f8 ○ e.[xe(x), a e(a)-1]=
e.[x-2(e(a)-1)+5, a e(a)-1]
6e.[x-2(e(a)-1)+ 5, a e(a)-1]
7e.[x-2(e(a)-1)+5, a e(a)] e.[x e(x), a e(a)]
8a, x.[x-2e(a)+5, a e(a)]
a=79
call p10
call p11
print(x)12
p1
If( … )2
a=a-13
call p4
call p5
a=a+16
x=-2a+57
end8
begin0
end130e.[xe(x), ae(a)]=id
10e.[xe(x), a7]
11a, x.[x-2e(a)+5, a e(a)] ○ f10
![Page 74: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/74.jpg)
Phase 2NFunction
1]x0, a7[
2]x0, a7[
7]x0, a7[
8]x-9, a7[
3]x0, a7[
4]x0, a6[
1]x-7, a6[
6]x-7, a7[
7]x, a7[
8]x-9, a7[
1]x, a[
a=79
Call p10
Call p11
print(x)12
p1
If( … )2
a=a-13
Call p4
Call p5
a=a+16
x=-2a+57
end8
begin0
end13
0]x0, a0[
10]x0, a7[
11]x-9, a7[
![Page 75: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/75.jpg)
Issues in Functional Approach
• How to guarantee that finite height for functional lattice?– It may happen that L has finite height and yet the
lattice of monotonic function from L to L do not
• Efficiently represent functions – Functional join– Functional composition– Testing equality
![Page 76: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/76.jpg)
CFL-Graph reachability
• Special cases of functional analysis
• Finite distributive lattices
• Provides more efficient analysis algorithms
• Reduce the interprocedural analysis problem to finding context free reachability
![Page 77: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/77.jpg)
IDFS / IDE
• IDFS Interprocedural Distributive Finite Subset Precise interprocedural dataflow analysis via graph reachability. Reps, Horowitz, and Sagiv, POPL’95
• IDE Interprocedural Distributive Environment Precise interprocedural dataflow analysis with applications to constant propagation. Reps, Horowitz, and Sagiv, FASE’95, TCS’96– More general solutions exist
![Page 78: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/78.jpg)
Possibly Uninitialized VariablesStart
x = 3
if . . .
y = x
y = w
w = 8
printf(y)
},,.{ yxwV
}{. xVV
VV .VV .
}{. wVV
}{ else }{ then
if .
yVyV
VxV
}{ else }{ then
if .
yVyV
VwV
{w,x,y}
{w,y}
{w,y}
{w,y}
{w}
{w,y}{}
{w,y}
{}
![Page 79: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/79.jpg)
Efficiently Representing Functions
• Let f:2D2D be a distributive function
• Then: f(X) = f() {z X: f({z}) }
![Page 80: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/80.jpg)
Representing Dataflow Functions
Identity Function
VV .f
}{.f bVConstant Function
a b c
a b c
},{}),f({ baba
}{}),f({ bba
![Page 81: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/81.jpg)
}{}){.(f cbVV
}{ else }{ then
if .f
bVbV
VaV
“Gen/Kill” Function
Non-“Gen/Kill” Function a b c
a b c
},{}),f({ caba
},{}),f({ baba
Representing Dataflow Functions
![Page 82: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/82.jpg)
x = 3
p(x,y)
return from p
printf(y)
start main
exit main
start p(a,b)
if . . .
b = a
p(a,b)
return from p
printf(b)
exit p
x y a b
![Page 83: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/83.jpg)
else }{ then
if .f 2
cVbV
a b c}{ else }{then
if .f 1
bVbV
VaV
b ca
Composing Dataflow Functions
}{ else }{then
if .f 1
bVbV
VaV
b ca
else }{ then
if .f 2
cVbV
}),({ff 12 ca }{c
![Page 84: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/84.jpg)
x = 3
p(x,y)
return from p
start main
exit main
start p(a,b)
if . . .
b = a
p(a,b)
return from p
exit p
x y a b
printf(y)
Might b beuninitializedhere?
printf(b) NO!
(
]
Might y beuninitializedhere?
YES!
(
)
![Page 85: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/85.jpg)
Interprocedural Dataflow Analysisvia CFL-Reachability
• Graph: Exploded control-flow graph
• L: L(unbalLeft)
– unbalLeft = valid
• Fact d holds at n iff there is an L(unbalLeft)-
path from dnstartmain , to,
![Page 86: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/86.jpg)
Asymptotic Running Time
• CFL-reachability– Exploded control-flow graph: ND nodes– Running time: O(N3D3)
• Exploded control-flow graph Special structure
Running time: O(ED3)
Typically: E N, hence O(ED3) O(ND3)
“Gen/kill” problems: O(ED)
![Page 87: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/87.jpg)
Local variables
• Global information:– Exit-to-return edges
• Local information:– Call-to-return edges
• Can be generalized to handle binary combiner functions– Rinetzky, Sagiv, and Yahav, SAS’05
![Page 88: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/88.jpg)
IDE
• Goes beyond IFDS problems– Can handle unbounded domains
• Requires special form of the domain
• Can be much more efficient than IFDS
![Page 89: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/89.jpg)
Example Linear Constant Propagation
• Consider the constant propagation lattice• The value of every variable y at the program exit
can be represented by: y = {(axx + bx )| x Var* } c ax ,c Z {, } bx Z
• Supports efficient composition and “functional” join– [z := a * y + b]– What about [z:=x+y]?
![Page 90: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/90.jpg)
Linear constant propagation
Point-wise representation of environment transformers
![Page 91: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/91.jpg)
IDE Analysis
• Point-wise representation closed under composition
• CFL-Reachability on the exploded graph
• Compose functions
![Page 92: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/92.jpg)
![Page 93: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/93.jpg)
![Page 94: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/94.jpg)
Costs
• O(ED3)• Class of value transformers F LL
– idF – Finite height
• Representation scheme with (efficient)• Application• Composition• Join• Equality• Storage
![Page 95: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/95.jpg)
New Techniques
• Representing affine relations– a1 * x1 + a2 * x2 + … + an * xn
• Backward summary computations
![Page 96: Interprocedural Analysis Noam Rinetzky Mooly Sagiv](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d585503460f94a36e6f/html5/thumbnails/96.jpg)
Conclusion
• Handling functions is crucial for abstract interpretation
• Virtual functions and exceptions complicate things
• But scalability is an issue– Small call strings– Small functional domains– Demand analysis