program analysis via graph reachability
DESCRIPTION
Program Analysis via Graph Reachability. Thomas Reps University of Wisconsin. http://www.cs.wisc.edu/~reps/. See http://www.cs.wisc.edu/wpis/papers/tr1386.ps. PLDI 00 Registration Form. PLDI 00: …………………….. $ ____ Tutorial (morning): …………… $ ____ Tutorial (afternoon): ………….. $ ____ - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/1.jpg)
Program Analysis via Graph Reachability
Thomas Reps
University of Wisconsinhttp://www.cs.wisc.edu/~reps/
See http://www.cs.wisc.edu/wpis/papers/tr1386.ps
![Page 2: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/2.jpg)
PLDI 00 Registration Form
• PLDI 00: …………………….. $ ____
• Tutorial (morning): …………… $ ____
• Tutorial (afternoon): ………….. $ ____
• Tutorial (evening): ……………. $ – 0 –
![Page 3: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/3.jpg)
1987
1993
1994
1995
1997
1998
1996
Slicing&
Applications
DataflowAnalysis Demand
Algorithms
SetConstraints
Structure-TransmittedDependences
CFLReachability
![Page 4: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/4.jpg)
Applications
• Program optimization
• Software engineering– Program understanding
– Reengineering
– Static bug-finding
• Security (information flow)
![Page 5: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/5.jpg)
Collaborators
• Susan Horwitz
• Mooly Sagiv
• Genevieve Rosay
• David Melski
• David Binkley
• Michael Benedikt
• Patrice Godefroid
![Page 6: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/6.jpg)
Themes
• Harnessing CFL-reachability
• Exhaustive alg. Demand alg.
![Page 7: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/7.jpg)
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
Backward Slice
Backward slice with respect to “printf(“%d\n”,i)”
![Page 8: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/8.jpg)
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
Backward Slice
Backward slice with respect to “printf(“%d\n”,i)”
![Page 9: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/9.jpg)
int main() {
int i = 1;while (i < 11) {
i = i + 1;}
printf(“%d\n”,i);}
Slice Extraction
Backward slice with respect to “printf(“%d\n”,i)”
![Page 10: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/10.jpg)
Forward Slice
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
Forward slice with respect to “sum = 0”
![Page 11: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/11.jpg)
Forward slice with respect to “sum = 0”
Forward Slice
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
![Page 12: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/12.jpg)
What Are Slices Useful For?• Understanding Programs
– What is affected by what?
• Restructuring Programs– Isolation of separate “computational threads”
• Program Specialization and Reuse– Slices = specialized programs– Only reuse needed slices
• Program Differencing– Compare slices to identify changes
• Testing– What new test cases would improve coverage?– What regression tests must be rerun after a change?
![Page 13: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/13.jpg)
Line-Character-Count Program
void line_char_count(FILE *f) {int lines = 0;int chars;BOOL eof_flag = FALSE;int n;extern void scan_line(FILE *f, BOOL *bptr, int *iptr);scan_line(f, &eof_flag, &n);chars = n;while(eof_flag == FALSE){
lines = lines + 1;scan_line(f, &eof_flag, &n);chars = chars + n;
}printf(“lines = %d\n”, lines);printf(“chars = %d\n”, chars);
}
![Page 14: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/14.jpg)
Character-Count Program
void char_count(FILE *f) {int lines = 0;int chars;BOOL eof_flag = FALSE;int n;extern void scan_line(FILE *f, BOOL *bptr, int *iptr);scan_line(f, &eof_flag, &n);chars = n;while(eof_flag == FALSE){
lines = lines + 1;scan_line(f, &eof_flag, &n);chars = chars + n;
}printf(“lines = %d\n”, lines);printf(“chars = %d\n”, chars);
}
![Page 15: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/15.jpg)
Line-Character-Count Program
void line_char_count(FILE *f) {int lines = 0;int chars;BOOL eof_flag = FALSE;int n;extern void scan_line(FILE *f, BOOL *bptr, int *iptr);scan_line(f, &eof_flag, &n);chars = n;while(eof_flag == FALSE){
lines = lines + 1;scan_line(f, &eof_flag, &n);chars = chars + n;
}printf(“lines = %d\n”, lines);printf(“chars = %d\n”, chars);
}
![Page 16: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/16.jpg)
Line-Count Program
void line_count(FILE *f) {int lines = 0;int chars;BOOL eof_flag = FALSE;int n;extern void scan_line2(FILE *f, BOOL *bptr, int *iptr);scan_line2(f, &eof_flag, &n);chars = n;while(eof_flag == FALSE){
lines = lines + 1;scan_line2(f, &eof_flag, &n);chars = chars + n;
}printf(“lines = %d\n”, lines);printf(“chars = %d\n”, chars);
}
![Page 17: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/17.jpg)
Specialization Via Slicing
wc -lc
wc -c wc -l
![Page 18: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/18.jpg)
Control Flow Graph
Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T
F
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
![Page 19: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/19.jpg)
q is reached from pif condition p istrue (T), not otherwise.
Control Dependence Graph
Control dependence
p qT
p qF
Similar for false (F).
Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T T
TT T
TTT
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
![Page 20: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/20.jpg)
Flow Dependence Graphint main() {
int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 printf(sum) printf(i)
sum = sum + i i = i + i
Flow dependence
p q Value of variableassigned at p may beused at q.
i = 1 while(i < 11)
![Page 21: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/21.jpg)
Program Dependence Graph (PDG)int main() {
int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T
TT T
T
Control dependence
Flow dependence
TT
T
![Page 22: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/22.jpg)
Program Dependence Graph (PDG)int main() {
int i = 1;int sum = 0;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T
TT T
TTT
T
Opposite Order
Same PDG
![Page 23: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/23.jpg)
Backward Sliceint main() {
int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T
TT T
TTT
T
![Page 24: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/24.jpg)
Backward Slice (2)int main() {
int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T
TT T
TTT
T
![Page 25: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/25.jpg)
Backward Slice (3)int main() {
int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
T
TT T
TTT
T
![Page 26: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/26.jpg)
Backward Slice (4)int main() {
int sum = 0;int i = 1;while (i < 11) {
sum = sum + i;i = i + 1;
}printf(“%d\n”,sum);printf(“%d\n”,i);
} Enter
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
sum = sum + i i = i + i
TT
TT T
TTT
![Page 27: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/27.jpg)
Slice Extractionint main() {
int i = 1;while (i < 11) {
i = i + 1;}
printf(“%d\n”,i);} Enter
i = 1 while(i < 11) printf(i)
i = i + iT
TT
TT
![Page 28: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/28.jpg)
CodeSurfer
![Page 29: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/29.jpg)
![Page 30: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/30.jpg)
Browsing a Dependence Graph
Pretend this is your favorite browser
What does clicking on a link do?You geta new page
Or you move to an internal tag
![Page 31: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/31.jpg)
![Page 32: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/32.jpg)
![Page 33: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/33.jpg)
Interprocedural Slice
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Backward slice with respect to “printf(“%d\n”,i)”
![Page 34: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/34.jpg)
Interprocedural Slice
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Backward slice with respect to “printf(“%d\n”,i)”
![Page 35: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/35.jpg)
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
Interprocedural Slice
int add(int x, int y) {return x + y;
}
Superfluous components included by Weiser’s slicing algorithm [TSE 84]Left out by algorithm of Horwitz, Reps, & Binkley [PLDI 88; TOPLAS 90]
![Page 36: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/36.jpg)
System Dependence Graph (SDG)
Enter main
Call p Call p
Enter p
![Page 37: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/37.jpg)
SDG for the Sum ProgramEnter main
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
Call add Call add
xin = sum yin = i sum = xout xin = i yin= 1 i = xout
Enter add
x = xin y = yin x = x + y xout = x
![Page 38: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/38.jpg)
Interprocedural Backward SliceEnter main
Call p Call p
Enter p
![Page 39: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/39.jpg)
Interprocedural Backward Slice (2)Enter main
Call p Call p
Enter p
![Page 40: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/40.jpg)
Interprocedural Backward Slice (3)Enter main
Call p Call p
Enter p
![Page 41: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/41.jpg)
Interprocedural Backward Slice (4)Enter main
Call p Call p
Enter p
![Page 42: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/42.jpg)
Interprocedural Backward Slice (5)Enter main
Call p Call p
Enter p
![Page 43: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/43.jpg)
Interprocedural Backward Slice (6)Enter main
Call p Call p
Enter p
[
]
)
(
![Page 44: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/44.jpg)
Matched-Parenthesis Path
)(
)[
![Page 45: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/45.jpg)
Interprocedural Backward Slice (6)Enter main
Call p Call p
Enter p
![Page 46: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/46.jpg)
Interprocedural Backward Slice (7)Enter main
Call p Call p
Enter p
![Page 47: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/47.jpg)
Slice ExtractionEnter main
Call p
Enter p
![Page 48: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/48.jpg)
Slice of the Sum ProgramEnter main
i = 1 while(i < 11) printf(i)
Call add
xin = i yin= 1 i = xout
Enter add
x = xin y = yin x = x + y xout = x
![Page 49: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/49.jpg)
CFL-Reachability[Yannakakis 90]
• G: Graph (N nodes, E edges)
• L: A context-free language
• L-path from s to t iff
• Running time: O(N 3)
Lts ,*
![Page 50: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/50.jpg)
Interprocedural Slicingvia CFL-Reachability
• Graph: System dependence graph
• L: L(matched) [roughly]
• Node m is in the slice w.r.t. n iff there
is an L(matched)-path from m to n
![Page 51: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/51.jpg)
Asymptotic Running Time [Reps, Horwitz, Sagiv, & Rosay 94]
• CFL-reachability
– System dependence graph: N nodes, E edges
– Running time: O(N 3)
• System dependence graph Special structure
Running time: O(E + CallSites MaxParams3)
![Page 52: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/52.jpg)
( e [
e
]e
[
e ] ] e )
matched | e | [ matched ] | ( matched ) | matched matched
CFL-Reachability
s ts
( e e e e e e[[ [
t
)]] ]
s ts t
Ordinary Graph Reachability
![Page 53: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/53.jpg)
Regular-Language Reachability[Yannakakis 90]
• G: Graph (N nodes, E edges)
• L: A regular language
• L-path from s to t iff
• Running time: O(N+E)
• Ordinary reachability (= transitive closure)
– Label each edge with e
– L is e*
Lts ,*
vs. O(N3)
![Page 54: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/54.jpg)
CFL-Reachability via Dynamic Programming
GrammarGraph
BC
A
A B C
![Page 55: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/55.jpg)
s t
Degenerate Case: CFL-Recognition
“(a + b) * c” L(exp) ?
exp id | exp + exp | exp * exp | ( exp )
)( a cb+ *
![Page 56: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/56.jpg)
*a + +)b c
s t
Degenerate Case: CFL-Recognition
“a + b) * c +” L(exp) ?
exp id | exp + exp | exp * exp | ( exp )
![Page 57: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/57.jpg)
S T
Program Chopping
Given source S and target T, what program points transmit effects from S to T?
Intersect forward slice from S with backward slice from T, right?
![Page 58: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/58.jpg)
Non-Transitivity and Slicing
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Forward slice with respect to “sum = 0”
![Page 59: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/59.jpg)
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
Forward slice with respect to “sum = 0”
Non-Transitivity and Slicing
int add(int x, int y) {return x + y;
}
![Page 60: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/60.jpg)
Non-Transitivity and Slicing
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Backward slice with respect to “printf(“%d\n”,i)”
![Page 61: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/61.jpg)
Non-Transitivity and Slicing
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Backward slice with respect to “printf(“%d\n”,i)”
![Page 62: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/62.jpg)
Forward slice with respect to “sum = 0”
Non-Transitivity and Slicing
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Backward slice with respect to “printf(“%d\n”,i)”
![Page 63: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/63.jpg)
Non-Transitivity and Slicing
int main() {int sum = 0;int i = 1;while (i < 11) {
sum = add(sum,i);i = add(i,1);
}printf(“%d\n”,sum);printf(“%d\n”,i);
}
int add(int x, int y) {return x + y;
}
Chop with respect to “sum = 0” and “printf(“%d\n”,i)”
![Page 64: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/64.jpg)
Non-Transitivity and SlicingEnter main
sum = 0 i = 1 while(i < 11) printf(sum) printf(i)
Call add Call add
xin = sum yin = i sum = xout xin = i yin= 1 i = xout
Enter add
x = xin y = yin x = x + y xout = x
( ]
![Page 65: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/65.jpg)
Program Chopping
Given source S and target T, what program points transmit effects from S to T?
S T
“Precise interprocedural chopping”[Reps & Rosay FSE 95]
![Page 66: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/66.jpg)
Dataflow Analysis
• Goal: For each point in the program, determine a superset of the “facts” that could possibly hold during execution
• Examples– Constant propagation– Reaching definitions– Live variables– Possibly uninitialized variables
![Page 67: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/67.jpg)
Possibly Uninitialized VariablesStart
x = 3
if . . .
y = x
y = w
w = 8
printf(y)
},,.{ yxwV
}{. xVV
VV .VV .
}{. wVV
}{ else }{ then
if .
yVyV
VxV
}{ else }{ then
if .
yVyV
VwV
{w,x,y}
{w,y}
{w,y}
{w,y}
{w}
{w,y}{}
{w,y}
{}
![Page 68: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/68.jpg)
Precise Intraprocedural Analysis
start n
C f 1 f 2 f kf 1k
pfp = fk fk-1 … f2 f1
MOP[n] = pfp(C) pPathsTo[n]
![Page 69: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/69.jpg)
x = 3
p(x,y)
return from p
printf(y)
start main
exit main
start p(a,b)
if . . .
b = a
p(a,b)
return from p
printf(b)
exit p
(
)
]
(
![Page 70: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/70.jpg)
Precise Interprocedural Analysis
start n
C
f 4
f 5
f 3
start q exitq
callq retf 1 f 2 f kf 1k
f 2k
f 3k
( )
[Sharir & Pnueli 81]
MOMP[n] = pfp(C) pMatchedPathsTo[n]
![Page 71: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/71.jpg)
Representing Dataflow Functions
Identity Function
VV .f
}{.f bVConstant Function
a b c
a b c
},{}),f({ baba
}{}),f({ bba
![Page 72: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/72.jpg)
Representing Dataflow Functions
}{}){.(f cbVV
}{ else }{ then
if .f
bVbV
VaV
“Gen/Kill” Function
Non-“Gen/Kill” Function a b c
a b c
},{}),f({ caba
},{}),f({ baba
![Page 73: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/73.jpg)
x = 3
p(x,y)
return from p
printf(y)
start main
exit main
start p(a,b)
if . . .
b = a
p(a,b)
return from p
printf(b)
exit p
x y a b
![Page 74: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/74.jpg)
else }{ then
if .f 2
cVbV
a b c}{ else }{then
if .f 1
bVbV
VaV
b ca
Composing Dataflow Functions
}{ else }{then
if .f 1
bVbV
VaV
b ca
else }{ then
if .f 2
cVbV
}{cf2 f1({a,c}) =
![Page 75: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/75.jpg)
x = 3
p(x,y)
return from p
start main
exit main
start p(a,b)
if . . .
b = a
p(a,b)
return from p
exit p
x y a b
printf(y)
Might b beuninitializedhere?
printf(b) NO!
(
]
Might y beuninitializedhere?
YES!
(
)
![Page 76: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/76.jpg)
matched matched matched
| (i matched )i 1 i CallSites | edge |
stack
) ( (
((
(
)
) )
)
stack
( )
Off Limits!
![Page 77: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/77.jpg)
) (
(
((
(
)
)
)
( )
(
stack
(
(
unbalLeft matched unbalLeft
| (i unbalLeft 1 i CallSites |
stack
Off Limits!
![Page 78: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/78.jpg)
Interprocedural Dataflow Analysisvia CFL-Reachability
• Graph: Exploded control-flow graph
• L: L(unbalLeft)
• Fact d holds at n iff there is an L(unbalLeft)-path
from dnstartmain , to,
![Page 79: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/79.jpg)
Asymptotic Running Time [Reps, Horwitz, & Sagiv 95]
• CFL-reachability– Exploded control-flow graph: ND nodes– Running time: O(N3D3)
• Exploded control-flow graph Special structure
Running time: O(ED3)
Typically: E N, hence O(ED3) O(ND3)
“Gen/kill” problems: O(ED)
![Page 80: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/80.jpg)
Why Bother?“We’re only interested in million-line programs”
• Know thy enemy!– “Any” algorithm must do these operations– Avoid pitfalls (e.g., claiming O(N2) algorithm)
• The essence of “context sensitivity”• Special cases
– “Gen/kill” problems: O(ED)• Compression techniques
– Basic blocks– SSA form, sparse evaluation graphs
• Demand algorithms
![Page 81: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/81.jpg)
Unifying Conceptual Modelfor Dataflow-Analysis Literature
• Linear-time gen-kill [Hecht 76], [Kou 77]• Path-constrained DFA [Holley & Rosen 81]• Linear-time GMOD [Cooper & Kennedy 88]• Flow-sensitive MOD [Callahan 88]• Linear-time interprocedural gen-kill
[Knoop & Steffen 93]• Linear-time bidirectional gen-kill [Dhamdhere 94]• Relationship to interprocedural DFA
[Sharir & Pneuli 81], [Knoop & Steffen 92]
![Page 82: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/82.jpg)
Themes
• Harnessing CFL-reachability
• Exhaustive alg. Demand alg.
![Page 83: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/83.jpg)
Exhaustive Versus Demand Analysis
• Exhaustive analysis: All facts at all points
• Optimization: Concentrate on inner loops
• Program-understanding tools: Only some facts
are of interest
![Page 84: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/84.jpg)
Exhaustive Versus Demand Analysis
• Demand analysis:– Does a given fact hold at a given point?– Which facts hold at a given point?– At which points does a given fact hold?
• Demand analysis via CFL-reachability– single-source/single-target CFL-reachability– single-source/multi-target CFL-reachability– multi-source/single-target CFL-reachability
![Page 85: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/85.jpg)
x = 3
p(x,y)
return from p
printf(y)
start main
exit main
start p(a,b)
if . . .
b = a
p(a,b)
return from p
printf(b)
exit p
x y a b
YES!
(
)
NO!
“Semi-exhaustive”:All “appropriate” demands
Might y beuninitializedhere?
Might b beuninitializedhere?
![Page 86: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/86.jpg)
Experimental Results[Horwitz , Reps, & Sagiv 1995]
• 53 C programs (200-6,700 lines)• For a single fact of interest:
– demand always better than exhaustive
• All “appropriate” demands beats exhaustive when percentage of “yes” answers is high– Live variables– Truly live variables– Constant predicates– . . .
![Page 87: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/87.jpg)
A Related Result [Sagiv, Reps, & Horwitz 1996]
• [Uses a generalized analysis technique]• 38 C programs (300-6,000 lines)
– copy-constant propagation– linear-constant propagation
• All “appropriate” demands always beats exhaustive– factor of 1.14 to about 6
![Page 88: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/88.jpg)
Exhaustive Versus Demand Analysis
• Demand algorithms for
– Interprocedural dataflow analysis
– Set constraints
– Points-to analysis
![Page 89: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/89.jpg)
Most Significant Contributions: 1987-2000
• Asymptotically fastest algorithms– Interprocedural slicing– Interprocedural dataflow analysis
• Demand algorithms– Interprocedural dataflow analysis [CC94,FSE95]– All “appropriate” demands beats exhaustive
• Tool for slicing and browsing ANSI C– Slices programs as large as 75,000 lines– University research distribution– Commercial product: CodeSurfer
(GrammaTech, Inc.)
![Page 90: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/90.jpg)
References
• Papers by Reps and collaborators:– http://www.cs.wisc.edu/~reps/
• CFL-reachability– Yannakakis, M., Graph-theoretic methods in
database theory, PODS 90.– Reps, T., Program analysis via graph
reachability, Inf. and Softw. Tech. 98.
![Page 91: Program Analysis via Graph Reachability](https://reader036.vdocuments.us/reader036/viewer/2022062807/56815156550346895dbf79f9/html5/thumbnails/91.jpg)
References
• Slicing, chopping, etc.– Horwitz, Reps, & Binkley, TOPLAS 90– Reps, Horwitz, Sagiv, & Rosay, FSE 94– Reps & Rosay, FSE 95
• Dataflow analysis– Reps, Horwitz, & Sagiv, POPL 95– Horwitz, Reps, & Sagiv, FSE 95, TR-1283