program analysis with set constraints ravi chugh
Post on 19-Dec-2015
223 views
TRANSCRIPT
![Page 1: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/1.jpg)
Program Analysiswith Set Constraints
Ravi Chugh
![Page 2: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/2.jpg)
Set-constraint based analysis• Another technique for computing information
about program variables• Phase 1: constraint generation– Create set variables corresponding to program– Add inclusion constraints between these sets– Usually a local, syntax-directed process (ASTs vs CFGs)
• Phase 2: constraint resolution– Solve for values of all set variables
• Extends naturally to inter-procedural analysis
![Page 3: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/3.jpg)
Constant propagationint abs(int i) { if (...) { return i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
• Want to determine whether x and y are constant values when they are used
• We will build a flow-insensitive analysis
![Page 4: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/4.jpg)
Set constraints• Terms
t := c (constant) | X (set variable) | C(t1,...,tn) (constructed term)
• Constraints t1 <= t2 (set inclusion)
• Constructors– C(v1,...,vn) is an n-arg ctor C with variances vi
– vi is either + (covariant) or – (contravariant)– Covariance corresponds to “forwards flow”– Contravariance corresponds to “backwards flow”
![Page 5: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/5.jpg)
Set constraints and graph reachability• Tight correspondence between set-inclusion
constraints and edges in a flow graph
![Page 6: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/6.jpg)
Set constraints and graph reachability• Tight correspondence between set-inclusion
constraints and edges in a flow graph
• 1 <= X X1
![Page 7: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/7.jpg)
Set constraints and graph reachability• Tight correspondence between set-inclusion
constraints and edges in a flow graph
• 1 <= X• X <= Y
X1
Y
![Page 8: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/8.jpg)
Set constraints and graph reachability• Tight correspondence between set-inclusion
constraints and edges in a flow graph
• 1 <= X• X <= Y
• Ctor(A,B,C) <= Ctor(D,E,F)
where Ctor(+,-,+)
X1
Ctor ( A , B , C )
Ctor ( D , E , F )
Y
![Page 9: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/9.jpg)
Set constraints and graph reachability• Tight correspondence between set-inclusion
constraints and edges in a flow graph
• 1 <= X• X <= Y
• Ctor(A,B,C) <= Ctor(D,E,F)
where Ctor(+,-,+)
X1
Ctor ( A , B , C )
Ctor ( D , E , F )
Y
![Page 10: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/10.jpg)
Constraint resolution• System of constraints Con• Additional constraints added by following rules• 1) Transitivity of sets– Con with x <= y ∧ y <= z Con ∧ x <= z
• 2) Constructed terms– Con with C(...,xi,...) <= C(...,yi,...)
Con ∧i strainti
• strainti is xi <= yi if C covariant in i
• strainti is yi <= xi if C contravariant in i
• 3) Inconsistent terms– Con with C(...) <= D(...) Inconsistent
![Page 11: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/11.jpg)
Fun constructor• For simplicity, assume all functions take one arg• Define constructor Fun(-,+)• Places for function input and output• Encoding a function call: int z = id(2);
Fun(i, retid) <= Fun(2, z)
![Page 12: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/12.jpg)
Fun constructor• For simplicity, assume all functions take one arg• Define constructor Fun(-,+)• Places for function input and output• Encoding a function call: int z = id(2);
Fun(i, retid) <= Fun(2, z)• By contravariance, the actual 2 flows to i• By covariance, the return value of id flows to z
Fun ( i , retid)
Fun ( 2 , z )
![Page 13: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/13.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
![Page 14: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/14.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs
Fun (i, ret1)
abs
![Page 15: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/15.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs
Fun (i, ret1)
abs
![Page 16: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/16.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1
Fun (i, ret1)
abs
![Page 17: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/17.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1
Fun (i, ret1)
abs
![Page 18: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/18.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun (i, ret1)
abs
T
![Page 19: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/19.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun (i, ret1)
abs
T
![Page 20: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/20.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
![Page 21: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/21.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
![Page 22: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/22.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
![Page 23: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/23.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
![Page 24: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/24.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
![Page 25: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/25.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
![Page 26: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/26.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x )
![Page 27: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/27.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x )
![Page 28: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/28.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x )
![Page 29: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/29.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x) id <= Fun(b,y)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x ) Fun ( , y )
![Page 30: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/30.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x) id <= Fun(b,y)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x ) Fun ( , y )
![Page 31: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/31.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x) id <= Fun(b,y)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x ) Fun ( , y )
[[x]] = [[y]] =
![Page 32: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/32.jpg)
int abs(int i) { if (...) { return
i; } else { return –i; }}int id(int j) { return j;}void main() { int a = 1, b = 2; int x = abs(a); int y = id(b); ... use x ... ... use y ...}
Fun(i,ret1) <= abs i <= ret1 T <= ret1
Fun(j,ret2) <= id j <= ret2
1 <= a 2 <= b abs <= Fun(a,x) id <= Fun(b,y)
Fun (i, ret1)
abs
T
Fun (j, ret2)
id
a
1
b
2
Fun ( , x ) Fun ( , y )
[[x]] = {1, T}[[y]] = {2}
![Page 33: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/33.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
![Page 34: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/34.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
i
1
![Page 35: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/35.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
1
i
![Page 36: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/36.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
![Page 37: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/37.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
![Page 38: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/38.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
![Page 39: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/39.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
![Page 40: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/40.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _)
![Page 41: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/41.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _)
![Page 42: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/42.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _)
![Page 43: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/43.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _) Ref ( _ , j)
![Page 44: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/44.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _) Ref ( _ , j)
![Page 45: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/45.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _) Ref ( _ , j)
[[j]] =
![Page 46: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/46.jpg)
Pointers• Handle pointers with a Ref(-,+) constructor• Two args correspond to set and get operations
int i = 1;int *p = &i;*p = 2;int j = *p;
Ref (seti, i)
1
p
Ref ( 2 , _) Ref ( _ , j)
[[j]] = {1, 2}
![Page 47: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/47.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
![Page 48: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/48.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
![Page 49: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/49.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
![Page 50: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/50.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
foo
![Page 51: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/51.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
foo
![Page 52: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/52.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
Ref (setF, foo)
![Page 53: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/53.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0); Fun (i, ret)
Ref (setF, foo)
funcPtr
![Page 54: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/54.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
Ref (setF, foo)
![Page 55: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/55.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
Ref (setF, foo)
![Page 56: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/56.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
Ref (setF, foo)
Ref ( _ , Fun (0, x )
![Page 57: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/57.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
Ref (setF, foo)
Ref ( _ , Fun (0, x )
![Page 58: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/58.jpg)
More on functions• Our encoding supports higher-order functions– Passing around Fun terms just like constants
• Function pointers also just work int (*funcPtr)(int);
int foo(int i) { return i };funcPtr = &foo;int x = (*funcPtr)(0);
funcPtr
Fun (i, ret)
Ref (setF, foo)
Ref ( _ , Fun (0, x )
![Page 59: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/59.jpg)
Context sensitivity• Smearing call sites
int x = id(1);int y = id(2);
Fun (j, r)id
Fun (1, x) Fun (2, y)[[x]] = {1, 2}[[y]] = {1, 2}
![Page 60: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/60.jpg)
Context sensitivity• Smearing call sites
int x = id(1);int y = id(2);
• Option 1:Specialization
• Each call idi gets anew copy of id
• Eliminates smearing, but graph size increases
Fun (j, r)id
Fun (1, x) Fun (2, y)
Fun (j, r)
id1
Fun (1, x)
Fun (j, r)
id2
Fun (2, y)
[[x]] = {1, 2}[[y]] = {1, 2}
![Page 61: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/61.jpg)
Context sensitivity• Option 2: Unique labeled edges for each call site• Not using Fun constructor
• There is flow only if there is a path that spells a substring of a well-bracketed string– [a[b]b]a and [a]a[b are valid; [a[b]a]b is not
• For both options, if there are higher-order functions or function pointers, need a first pass to compute pointer targets
j r
1 x 2 y
[1 ]1 [2 ]2
![Page 62: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/62.jpg)
Field sensitivity• For each field f, define Fldf(-,+)constructorint readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
![Page 63: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/63.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
![Page 64: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/64.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
![Page 65: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/65.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
![Page 66: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/66.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
![Page 67: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/67.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
![Page 68: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/68.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
Fldf (3, _)
Fldg (4, _)
![Page 69: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/69.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
Fldf (3, _)
Fldg (4, _)
![Page 70: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/70.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
Fun ( , w )
Fldf (_, )
Fldf (3, _)
Fldg (4, _)
![Page 71: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/71.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
Fun ( , w )
Fldf (_, )
Fldf (3, _)
Fldg (4, _)
![Page 72: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/72.jpg)
Field sensitivity
int readG(obj p) { return p.g;}obj o;o.f = 3;o.g = 4;int w = id(o.f);int z = readG(o);
Fun (j, ret2)
id
• For each field f, define Fldf(-,+)constructor
Fun (p, ret3)
readG
Fldg (_, )
o
Fldg (_, og)Fldf (_, of)
Fun ( , z )Fun ( , w )
Fldf (_, )
Fldf (3, _)
Fldg (4, _)
![Page 73: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/73.jpg)
Scalability• Constraint graph for entire program is in memory• Even for flow-insensitive analyses, this can
become a bottleneck• Even worse for flow-sensitive analyses• Techniques for analyzing parts of program in
isolation and storing summaries of their observable effects
![Page 74: Program Analysis with Set Constraints Ravi Chugh](https://reader036.vdocuments.us/reader036/viewer/2022062407/56649d2d5503460f94a03fde/html5/thumbnails/74.jpg)
Summary• Set constraints are often natural for expressing
various program analyses– Constant propagation, pointer analysis– Closure analysis– Receiver class analysis– Information flow
• Rich literature on solving systems of constraints• Non-trivial to extend to flow-sensitive or
summary-based analyses• Interference between functions and references