interprocedural heap analysis using access graphs and ...rohanpadhye/files/mtp...actual heap layout...
TRANSCRIPT
![Page 1: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/1.jpg)
Interprocedural Heap Analysis using Access Graphs andValue Contexts
with applications to liveness-based garbage collection
Rohan Padhyeunder the guidance of
Prof. Uday Khedker
Department of Computer Science & EngineeringIndian Institute of Technology Bombay
M.Tech Project
![Page 2: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/2.jpg)
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 2 / 32
![Page 3: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/3.jpg)
Background
Heap Reference Analysis [Khedker, Sanyal & Karkare, 2007]
S1: x = root
S2: while (x.val > M):
S3: x = x.l
S4: x = x.r
S5: print x.val
S6: EXIT
x l3 r4
Access graph for x at S2.
rootx
1
2
4
8 9
5
10 11
3
6
12 13
7
14 15
The binary tree in the heap at S2.Filled nodes are live objects.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 3 / 32
![Page 4: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/4.jpg)
Key Issues
Three main issues in performing Heap Reference Analysis:
1 How to perform a precise alias analysis for arbitrary access paths inthe heap?
2 How to implement whole-program heap reference analysis in aninter-procedural manner?
3 How to use the resulting access graphs to improve garbagecollection?
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 4 / 32
![Page 5: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/5.jpg)
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 5 / 32
![Page 6: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/6.jpg)
Need for Alias Analysis
S1
S2 S3
x .p = zS4
u = y .pS5
v = u.qS6
use vS7
x and y do not alias at S4.
LVIN4
x
y p5 q6
LVOUT4y p5 q6
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 6 / 32
![Page 7: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/7.jpg)
Need for Alias Analysis
S1
x = yS2 S3
x .p = zS4
u = y .pS5
v = u.qS6
use vS7
x may alias y at S4
LVIN4
x
y p5 q6
z q6
LVOUT4y p5 q6
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 7 / 32
![Page 8: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/8.jpg)
Need for Alias Analysis
x = yS1
S2 S3
x .p = zS4
u = y .pS5
v = u.qS6
use vS7
x must alias y at S4
LVIN4
x
y
z q6
LVOUT4y p5 q6
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 8 / 32
![Page 9: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/9.jpg)
Need for Alias Analysis
May-alias analysis is required for sound heap liveness analysis.
Must-alias analysis is desirable for performing strong updates.
In general, alias queries may not be as straightforward as thepreceeding examples:
w .r = z
x p3 q4 r5
In the above program, z is live if w may be aliased to any objectaccessible by the pattern x(.p)∗.q.
The key obervation is here is that we need to determine aliasesbetween live access patterns.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 9 / 32
![Page 10: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/10.jpg)
Access Graphs and Access Patterns
S1: w.r = z
S2: while (...):
S3: x = x.p
S4: x = x.q
S5: x = x.r
S6: use x
S7: EXIT
Consider liveness at S2.
Access Graph
x p3 q4 r5
Equivalent Automaton
x p q r
p
q
Access Patterns
x/p3 : x .p(.p)∗x/q4 : x(.p)∗.qx/r5 : x(.p)∗.q.r
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 10 / 32
![Page 11: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/11.jpg)
Approaches to Heap Alias Analysis
Modelling an unbounded number of objects using a finite abstraction:
Muchnick & Jones, 1981: k-limited graph
Chase, Wegman & Zadeck, 1990: Merge on allocation sites
Sagiv, Reps & Wilhelm, 1996: “Materialization”
Sagiv, Reps & Wilhelm, 1999: 3-valued logic
Our approach: Use access patterns from liveness graphs toimprove expressibility of points-to graph
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 11 / 32
![Page 12: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/12.jpg)
Approaches to Heap Alias Analysis
Modelling an unbounded number of objects using a finite abstraction:
Muchnick & Jones, 1981: k-limited graph
Chase, Wegman & Zadeck, 1990: Merge on allocation sites
Sagiv, Reps & Wilhelm, 1996: “Materialization”
Sagiv, Reps & Wilhelm, 1999: 3-valued logic
Our approach: Use access patterns from liveness graphs toimprove expressibility of points-to graph
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 11 / 32
![Page 13: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/13.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 14: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/14.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 15: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/15.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 16: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/16.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 17: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/17.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 18: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/18.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 19: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/19.jpg)
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
![Page 20: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/20.jpg)
Proposed Approach
Key idea: distinguish between objects accessible by distinct sets ofaccess patterns.
Thus, our approach is more precise than naive summarization in that:1 Unnecessary may-aliases are avoided.2 Useful must-aliases are discovered.
Inter-dependence of liveness and points-to analysis:1 Perform naive points-to (summarize on alloc sites).2 Backward analysis to get huge liveness info (sound but imprecise).3 Again do points-to, distinguishing on access patterns found above.4 Another round of backward analysis to get precise liveness info.5 Fixed point...?
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 13 / 32
![Page 21: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/21.jpg)
Accessor Relationship Graph
Symbol Definition Cardinality
V Variables Proportional to program sizeM Memory allocation sites Proportional to program sizeR Field dereference points Proportional to program sizeA Access graph nodes |V |+ |V | × |R|H Heap graph nodes |M| × 2|A|
Definition
Accessor Relationship Graph is a 3-tuple 〈Ev ,Ef , summary〉, where:
Ev ⊆ V × H
Ef ⊆ H × F × H
summary : H → {true, false}
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 14 / 32
![Page 22: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/22.jpg)
Accessor Relationship Graph
Symbol Definition Cardinality
V Variables Proportional to program sizeM Memory allocation sites Proportional to program sizeR Field dereference points Proportional to program sizeA Access graph nodes |V |+ |V | × |R|H Heap graph nodes |M| × 2|A|
Definition
Accessor Relationship Graph is a 3-tuple 〈Ev ,Ef , summary〉, where:
Ev ⊆ V × H
Ef ⊆ H × F × H
summary : H → {true, false}
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 14 / 32
![Page 23: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/23.jpg)
Lattice Representation
Definition
〈Ev ,Ef , summary〉 w 〈E ′v ,E ′f , summary ′〉 if:
Ev ⊆ E ′v
Ef ⊆ E ′f∀k ∈ H : summary(k)⇒ summary ′(k)
Definition
〈Ev ,Ef , summary〉 u 〈E ′v ,E ′f , summary ′〉 = 〈E ′′v ,E ′′f , summary ′′〉 such that:
E ′′v = Ev ∪ E ′v
E ′′f = Ef ∪ E ′f∀k ∈ H : summary ′′(k) = summary(k) ∨ summary ′(k)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 15 / 32
![Page 24: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/24.jpg)
Lattice Representation
Definition
〈Ev ,Ef , summary〉 w 〈E ′v ,E ′f , summary ′〉 if:
Ev ⊆ E ′v
Ef ⊆ E ′f∀k ∈ H : summary(k)⇒ summary ′(k)
Definition
〈Ev ,Ef , summary〉 u 〈E ′v ,E ′f , summary ′〉 = 〈E ′′v ,E ′′f , summary ′′〉 such that:
E ′′v = Ev ∪ E ′v
E ′′f = Ef ∪ E ′f∀k ∈ H : summary ′′(k) = summary(k) ∨ summary ′(k)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 15 / 32
![Page 25: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/25.jpg)
Data Flow Analysis
Normalization: Θ(X , L) = Consistency + Reachability
x = x .nS5
n8n6n5x x S1 S1 S1 S1n n n
n
x x/n5 x/n6 x/n8
n8n6x x S1 S1 S1 S1n n n
n
x x/n5x
x/n6 x/n8
Data Flow Equations:
PTINb = up∈pred(b)
Θ(PTOUTp, LVINb)
PTOUTb = Θ(fb(PTINb), LVOUTb)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 16 / 32
![Page 26: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/26.jpg)
Data Flow Analysis
Normalization: Θ(X , L) = Consistency + Reachability
x = x .nS5
n8n6n5x x S1 S1 S1 S1n n n
n
x x/n5 x/n6 x/n8
n8n6x x S1 S1 S1 S1n n n
n
x x/n5x
x/n6 x/n8
Data Flow Equations:
PTINb = up∈pred(b)
Θ(PTOUTp, LVINb)
PTOUTb = Θ(fb(PTINb), LVOUTb)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 16 / 32
![Page 27: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/27.jpg)
System Model
L̂ : S × AP → {true, false} (Results of liveness analysis)
P̂ : S × AP × AP → {true, false} (Results of points-to analysis)
HLA : P̂ → L̂ (Heap Liveness Analysis)
PTA : L̂→ P̂ (Heap Points-To Analysis)
L̂0 = λsλa.false
∀i ≥ 0 : P̂i = PTA(L̂i )
∀i ≥ 0 : L̂i+1 = HLA(P̂i )
L̂i ⊆ L̂j iff ∀s ∈ S ,∀a ∈ AP : L̂i (s, a)⇒ L̂j(s, a)
P̂i ⊆ P̂j iff ∀s ∈ S ,∀a ∈ AP,∀b ∈ AP : P̂i (s, a, b)⇒ P̂j(s, a, b)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 17 / 32
![Page 28: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/28.jpg)
System Model
L̂ : S × AP → {true, false} (Results of liveness analysis)
P̂ : S × AP × AP → {true, false} (Results of points-to analysis)
HLA : P̂ → L̂ (Heap Liveness Analysis)
PTA : L̂→ P̂ (Heap Points-To Analysis)
L̂0 = λsλa.false
∀i ≥ 0 : P̂i = PTA(L̂i )
∀i ≥ 0 : L̂i+1 = HLA(P̂i )
L̂i ⊆ L̂j iff ∀s ∈ S ,∀a ∈ AP : L̂i (s, a)⇒ L̂j(s, a)
P̂i ⊆ P̂j iff ∀s ∈ S ,∀a ∈ AP,∀b ∈ AP : P̂i (s, a, b)⇒ P̂j(s, a, b)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 17 / 32
![Page 29: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/29.jpg)
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
![Page 30: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/30.jpg)
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
![Page 31: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/31.jpg)
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
![Page 32: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/32.jpg)
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
![Page 33: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/33.jpg)
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 19 / 32
![Page 34: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/34.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 35: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/35.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 36: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/36.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 37: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/37.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})
Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 38: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/38.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on D
Modelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 39: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/39.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problem
Main limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 40: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/40.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functions
Not suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 41: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/41.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 42: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/42.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 43: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/43.jpg)
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
![Page 44: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/44.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 45: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/45.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 46: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/46.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 47: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/47.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 48: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/48.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 49: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/49.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 50: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/50.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 51: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/51.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation method
Suitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 52: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/52.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analyses
Can map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 53: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/53.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)
Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 54: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/54.jpg)
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
![Page 55: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/55.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 56: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/56.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉
exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 57: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/57.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 58: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/58.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 59: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/59.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 60: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/60.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 61: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/61.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )
Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 62: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/62.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-list
Record transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 63: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/63.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 64: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/64.jpg)
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
![Page 65: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/65.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main >X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 66: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/66.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >
X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 67: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/67.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >
X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 68: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/68.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >
X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 69: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/69.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 70: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/70.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 71: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/71.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 72: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/72.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 73: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/73.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 74: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/74.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >
X3 f a−b+
Value Contexts
X0 X1 X2
X3
c1 c2
c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 75: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/75.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >
X3 f a−b+
Value Contexts
X0 X1 X2
X3
c1 c2
c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 76: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/76.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2
X3
c1 c2
c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 77: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/77.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 78: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/78.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 79: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/79.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 80: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/80.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 81: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/81.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 82: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/82.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 83: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/83.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 84: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/84.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 85: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/85.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 86: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/86.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 87: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/87.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 88: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/88.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉 〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 89: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/89.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉 〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 90: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/90.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉 〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 91: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/91.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 92: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/92.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 93: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/93.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 94: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/94.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 95: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/95.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 96: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/96.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 97: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/97.jpg)
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > p+q−r−
X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
![Page 98: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/98.jpg)
Implementation Framework
Context<M,N,A>
+ getMethod(): M+ getEntryValue() : A+ getExitValue() : A+ getValueBefore(N) : A+ getValueAfter(N) : A
InterProceduralAnalysis<M,N,A>
+ topValue() : A+ boundaryValue(M) : A+ copy(A) : A+ meet(A,A) : A+ normalFlowFunction(Context<M,N,A>, N, A) : A+ callEntryFlowFunction(Context<M,N,A>, M, N, A) : A+ callExitFlowFunction(Context<M,N,A>, M, N, A) : A+ callLocalFlowFunction(Context<M,N,A>, N, A) : A+ programRepresentation() : ProgramRepresentation<M,N>+ doAnalysis() : void+ getContexts() : Map<M,List<Context<M,N,A>>>+ getMeetOverPathsSolution() : DataFlowSolution<M,N,A>
ForwardInterProceduralAnalysis<M,N,A>
+ doAnalysis() : void
BackwardInterProceduralAnalysis<M,N,A>
+ doAnalysis() : void
ProgramRepresentation<M,N>
+ getEntryPoints() : List<M>+ getControlFlowGraph(M) : DirectedGraph<N>+ isCall(N) : boolean+ resolveTargets(M, N) : List<M>
https://github.com/rohanpadhye/vasco
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 24 / 32
![Page 99: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/99.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 100: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/100.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 101: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/101.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 102: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/102.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 103: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/103.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 104: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/104.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 105: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/105.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 106: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/106.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)
Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 107: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/107.jpg)
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
![Page 108: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/108.jpg)
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
![Page 109: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/109.jpg)
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
![Page 110: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/110.jpg)
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
![Page 111: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/111.jpg)
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
![Page 112: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/112.jpg)
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks
62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
![Page 113: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/113.jpg)
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
![Page 114: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/114.jpg)
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 27 / 32
![Page 115: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/115.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?
1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 116: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/116.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 117: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/117.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.
Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 118: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/118.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.
The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 119: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/119.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.
Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 120: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/120.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.
Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 121: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/121.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 122: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/122.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 123: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/123.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.
Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 124: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/124.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.
Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 125: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/125.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.
Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 126: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/126.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 127: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/127.jpg)
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
![Page 128: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/128.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 129: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/129.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.
2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 130: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/130.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 131: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/131.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 132: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/132.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 133: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/133.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 134: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/134.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .
5 Traverse the access graphs from the root variables (stack locals) andlabel heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 135: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/135.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 136: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/136.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 137: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/137.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:1 Find the set of live fields by looking at the edges out of every accessor
that reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 138: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/138.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:1 Find the set of live fields by looking at the edges out of every accessor
that reaches it.2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 139: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/139.jpg)
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:1 Find the set of live fields by looking at the edges out of every accessor
that reaches it.2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
![Page 140: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/140.jpg)
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 30 / 32
![Page 141: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/141.jpg)
Summary
The following were the main contributions of this project:
1 A liveness-driven heap abstraction for precise alias analysis.
2 A generic access graph library implemented in Java.
3 A generic inter-procedural data flow analysis framework implementedin Java.
4 A flow- and context-sensitive points-to analysis implemented in Sootthat constructs precise call graphs.
5 A technique for performing dynamic heap pruning implemented usingthe Java Debug Interface (JDI).
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 31 / 32
![Page 142: Interprocedural Heap Analysis using Access Graphs and ...rohanpadhye/files/mtp...Actual heap layout after S 6 x n n n n a b y z P 0: Initial Points-to Analysis PTOUT 6 =PTIN 7 = PTIN](https://reader035.vdocuments.us/reader035/viewer/2022071412/610a009d2fc4bc5371107ac6/html5/thumbnails/142.jpg)
Future Work
1 Implementation of an inter-procedural liveness-driven heap points-toanalysis.
2 Performance analysis of dynamic heap pruning on real benchmarks.
3 Shape analysis using accessor relationship graphs.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 32 / 32