Docstoc

cfa

Document Sample
cfa Powered By Docstoc
					       Control Flow Analysis
                   Mooly Sagiv
 http://www.math.tau.ac.il/~sagiv/courses/pa01.html
              Tel Aviv University
                   640-6706


                Textbook Chapter 3
http://www.cs.berkeley.edu/Research/~Aiken/bane.html
 http://www.cs.washington.edu/research/projects/cecil
                   Assign 3 (11/7)


                                                        1
                       Goals
 Understand     the problem of Control Flow Analysis
   – in Functional Languages
   – In Object Oriented Languages
   – Function Pointers
 LearnConstraint Based Program Analysis
  Technique
   –   General
   –   Usage for Control Flow Analysis
   –   Algorithms
   –   Systems
                                                        2
 Similarities   between Problems &Techniques
                A Motivating Example
class Vehicle Object { int position = 10;
         void move (int x1) {
                  position = position + x1 ;}}
class Car extends Vehicle { int passengers;
         void await(Vehicle v) {
                  if (v.position < position)
                            then v.move(position - v.position);
                            else this.move(10); }}
class Truck extends Vehicle {
         void move(int x2) {
                  if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
         new c;
         new t;
         v1 := c;
         c.passangers := 2;
         c.move(60);
         v1.move(70);
         c.await(t) ;}                                            4
                A Motivating Example
class Vehicle Object { int position = 10;
         static void move (Vehicle this1 {Car} , int x1) {
                   position = position + x1 ;}}
class Car extends Vehicle { int passengers;
         static void await(Car this2 {Car} , Vehicle v {Truck}) {
                   if (v.position < position)
                             then v.move(v, position - v.position);
                             else this2.move(this2, 10); }}
class Truck extends Vehicle {
         static void move(Truck this3 {Truck}, int x2) {
                   if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
         new c;
         new t;
         v1 := c;
         c.passangers := 2;
         c.move(c, 60);
         v1.move(v1, 70);
         c.await(c, t) ;}                                             5
The Control Flow Analysis (CFA) Problem

 Given  a program in a functional programming
  language with higher order functions
  (functions can serve as parameters and return
  values)
 Find out for each function invocation
   which functions may be applied
 Obvious in C without function pointers
 Difficult in C++, Java and ML
 The Dynamic Dispatch Problem



                                                  6
           An ML Example
let f = fn x => x 1 ;
    g = fn y => y + 2 ;
    h = fn z => z + 3;
in (f g) + (f h)




                           7
          An ML Example
let f = fn x => /* {g, h} */ x 1 ;
    g = fn y => y + 2 ;
    h = fn z => z + 3;
in (f g) + (f h)




                                     8
                   The Language FUN
 Notations
  –   e  Exp // expressions (or labeled terms)
  –   t  Term // terms (or unlabeled terms)
  –   f, x  Var // variables
  –   c  Const // Constants
  –   op  Op // Binary operators
  –   l  Lab // Labels
 Abstract   Syntax
  – e ::= tl
  – t ::= c | x
         | fn x  e // function definition
         | fun f x  e // recursive function definition
         | e1 e2 // function applications
         | if e0 then e1 else e2
                                                          9
         | let x = e1 in e2 | e1 op e2
       A Simple Example
((fn x  x1)2 (fn y  y3)4)5




                               10
               Factorial
(let fact = fun f n 
     (if (n = 0)1 then 12
                else ((n3 * (f4 (n5 – 16)7)8)9
      )10




                                                 11
An Example which Always Loops

 (let g = fun f x  (f1 (fn y  y2)3)4
                      )5
       (g6 (fn z  z7)8)9
 )10




                                         12
         The 0-CFA Problem
        flow analysis without contexts
 Control
 Compute for every program a pair (C, ) where:
   – C is the abstract cache associating abstract values with
     labeled program points
   –  is the abstract environment associating abstract values
     with program variables
 Abstract   Values
   – v  Val = P(Term) // Abstract values
   –   Env = Var  Val // Abstract environment
   – C  Cache =Lab  Val // Abstract Cache
   – For function application (t1l1 t2l2)l
     C(l1) determines the function that can be applied
   – Formally …                                                  13
Possible Solutions for ((fn x  x1)2 (fn y  y3)4)5
         1 {fn yy3} {fn yy3}

         2 {fn xx1} {fn xx1}

         3 {}                {}

         4 {fn yy3} {fn yy3}

         5 {fn yy3} {fn yy3}

         x {fn yy3} {}
                                                      14
         y {}                {}
(let g = fun f x  (f1 (fn y  y2)3)4
                     )5
        (g6 (fn z  z7)8)9

                         Shorthands
              sf  fun f x  (f1 (fn y  y2)3)4
                      idy  fn y  y2
                       idz  fn z  z7

C(1) = {sf}     C(2) = {}       C(3) = {idy}
C(4) = {}       C(5) = {sf}     C(6) = {sf}
C(7) = {}       C(8) = {idz} C(9) = {}
C(10) = {}       (x) = {idy , idz }     (y) = {}
                                                     15
(z) = {}
Relationship to Dataflow Analysis
  Expressions    are side effect free
    – no entry/exit
 A  single environment
  Represents information at different points via
   maps
  A single value for all occurrences of a variable
  Function applications act similar to assignments
    – “Definition” - Function abstraction is created
    – “Use” - Function is applied
                                                       16
A Formal Specification of 0-CFA
 A  Boolean function  define when a solution is
   acceptable
  (C, )  e means that (C, ) is acceptable for the
   expression e
  Define  by structural induction on e
  Every function is analyzed once
  Every acceptable solution is sound (conservative)
  Many acceptable solutions
  Generate a set of constraints
  Obtain the least acceptable solution by solving the
                                                         17
   constraints
           Solving 0-CFA (1)
 Define a concrete semantics
 Define a Galois connection between the concrete
  and the abstract semantics
 Define abstract meaning for statements
 Show local soundness
 Implement Chaotic iterations




                                                    18
           Solving 0-CFA (2)
 Generate   a system of set of constraints
   – lhs  rhs
   – {t}  rhs’  lhs  rhs (conditional constraint)
 Show   that any solution to the set of constraints is
  sound
 Find the minimal solution
 Systems for finding the minimal solution exist
 Applicable to different programming languages


                                                          19
                  Set Constraints
A   set of rules of the form:
   – lhs  rhs
   – {t}  rhs’  lhs  rhs (conditional constraint)
   – lhs, rhs, rhs’ are
        » terms
        » C(l)
        » (x)
 The   least solution (C, ) can be found iteratively
   – start with empty sets
   – add terms when needed
 Efficient   cubic graph based solution                 20
   Syntax Directed Constraint Generation (Part I)
C* cl  = {}
C* xl  = {r (x)  C (l)}

C* (fn x  e)l  = C*  e   { {fn x  e}  C(l)}
C* (fun f x  e)l  = C*  e   { {fun f x  e}  C(l)} 
                     {{fun f x  e}  r( f)}

C*  (t1l1 t2l2)l     = C*  t1l1   C* t2l2  
       {{t}  C(l)  C (l2)  r (x) | t=fn x  t0l0 Term* } 
       {{t}  C(l)  C (l0)  C (l) | t=fn x  t0l0 Term* } 
       {{t}  C(l)  C (l2)  r (x) | t=fun x  t0l0 Term* } 
       {{t}  C(l)  C (l0)  C (l) | t=fun x  t0l0 Term* }


                                                                  21
 Syntax Directed Constraint Generation (Part II)


C* (if t0l0 then t1l1 else t2l2)l  = C*  t0l0   C*  t1l1   C*
t2l2  
                                  {C(l1)  C (l)} 
                                  {C(l2)  C (l)}
C* (let x = t1l1 in t2l2)l  = C*  t1l1   C* t2l2  
                         {C(l1)  r (x)} 
                         {C(l2)  C(l)}
C* (t1l1 op t2l2)l  = C*  t1l1   C* t2l2 




                                                                   22
Set Constraints for ((fn x  x1)2 (fn y  y3)4)5




                                                   23
       Iterative Solution to the Set Constraints for
               ((fn x  x1)2 (fn y  y3)4)5

step   Constraint            1     2     3     4       x    y




                                                           24
Graph Based Solution to
Constraint Systems
  Construct     a directed graph
    – Nodes
       » Set variables
    – Edges
       » uv
              The set variable v may depend on u

  Iteratively    traverse the graph
    – Every operation adds a term
    – Must terminate
  Read   the solution from the graph
                                                    25
The Constraint Graph for 0-CFA
  Nodes
   – C(l)
   – r(x)
  Edges
   – p1  p2
      » Construct p1  p2
   – {t}  p  p1  p2
      » Construct p1  p2
      » Construct p  p2
  Dependencies
   – D[v]
      » The set of terms that must be included in v   26
WL :=                   while WL  do
For all nodes v:          select and remove an element v from WL
   D[v] := 
                          for all c E[v] do
   E[v] := 
                            case c p1  p2: add(p2, D[p1])
For all constraints c:
                            case c={t} p  p1  p2
case c {t}  p:
  add(p, {t})                  if t  D[p] then add(p2, D[p1])
case c p1  p2:
  E[p1] := E[p1] {c}
case c={t} p  p1  p2
  E[p] := E[p]  {c}       procedure add(q, s)
  E[p1] := E[p1] {c}       if (s D(q)) then
                                   D[q] : = D[q]  s
                                   WL := WL {q}                   27
Adding Data Flow Information
 Dataflow   values can affect control flow analysis
 Example
  (let f = (fn x  (if (x1 > 02)3
                             then (fn y  y4)5
                            else (fn z  56)7
                    )8
           )9
  in ((f10 311)12 013)14)15


                                                       28
Adding Data Flow Information
 Add   a finite set of “abstract” values per program
  Data
 Update Val = P(TermData)
  –   Env = Var  Val // Abstract environment
  – C  Cache - Lab  Val // Abstract Cache
 Generate  extra constraints for data
 Obtained a more precise solution
 A special of case of product domain (4.4)
 The combination of two analyses may be more
  precise than both                                     29
Adding Dataflow Information (Sign Analysis)

  Sign  analysis
  Add a finite set of “abstract” values per program
   Data = {P, N, TT, FF}
  Update Val = P(TermData)
  dc is the abstract value that represents a constant c
    –   d3 = {p}
    –   d-7= {n}
    –   dtrue= {tt}
    –   dfalse= {ff}
  Every     operator is conservatively interpreted        30
   Syntax Directed Constraint Generation (Part I)
C* cl  = dc  C (l)}
C* xl  = {r (x)  C (l)}

C* (fn x  e)l  = C*  e   { {fn x  e}  C(l)}
C* (fun f x  e)l  = C*  e   { {fun f x  e}  C(l)} 
                     {{fun f x  e}  r( f)}

C*  (t1l1 t2l2)l     = C*  t1l1   C* t2l2  
       {{t}  C(l)  C (l2)  r (x) | t=fn x  t0l0 Term* } 
       {{t}  C(l)  C (l0)  C (l) | t=fn x  t0l0 Term* } 
       {{t}  C(l)  C (l2)  r (x) | t=fun x  t0l0 Term* } 
       {{t}  C(l)  C (l0)  C (l) | t=fun x  t0l0 Term* }


                                                                  31
 Syntax Directed Constraint Generation (Part II)


C* (if t0l0 then t1l1 else t2l2)l  = C*  t0l0   C*  t1l1   C*
t2l2  
                                  {dt  C (l0)  C(l1)  C (l)} 
                                  {df C (l0)  C(l2)  C (l)}
C* (let x = t1l1 in t2l2)l  = C*  t1l1   C* t2l2  
                         {C(l1)  r (x)} 
                         {C(l2)  C(l)}
C* (t1l1 op t2l2)l  = C*  t1l1   C* t2l2  
                        {C(l1) op C(l2)  C(l)}




                                                                   32
Adding Context Information
  The   analysis does not distinguish between
   different occurrences of a variable
   (Monovariant analysis)
  Example
   (let f = (fn x  x1) 2
        in ((f3 f4)5 (fn y  y6) 7)8)9
  Source to source can help (but may lead to code
   explosion)
  Example rewritten
   let f1 = fn x1  x1
        in let f2 = fn x2  x2
                in (f1 f2) (fn y  y)                33
         Simplified K-CFA
 Records   the last k dynamic calls (for some fixed
  k)
 Similar to the call string approach
 Remember the context in which expression is
  evaluated
 Val is now P(Term)Contexts
   –   Env = Var Contexts  Val
   – C  Cache - LabContexts  Val


                                                       34
                       1-CFA
     f = (fn x  x1) 2 in ((f3 f4)5 (fn y  y6) 7)8)9
 (let
 Contexts
   – [] - The empty context
   – [5] The application at label 5
   – [8] The application at label 8
 Polyvariant  Control Flow
  C(1, [5]) =  (x, 5)= C(2, []) = C(3, []) =  (f, []) =
              ({(fn x  x1)}, [] )
  C(1, [8]) =  (x, 8)= C(7, []) = C(8, []) = C(9, []) =
             ({(fn y  y6)}, [] )

                                                            35
                A Motivating Example
class Vehicle Object { int position = 10;
         static void move (Vehicle this1 {Car} , int x1) {
                   position = position + x1 ;}}
class Car extends Vehicle { int passengers;
         static void await(Car this2 {Car} , Vehicle v {Truck}) {
                   if (v.position < position)
                             then v.move(v, position - v.position);
                             else this2.move(this2, 10); }}
class Truck extends Vehicle {
         static void move(Truck this3 {Truck}, int x2) {
                   if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
         new c;
         new t;
         v1 := c;
         c.passangers := 2;
         c.move(c, 60);
         v1.move(v1, 70);
         c.await(c, t) ;}                                             36
                                                    {V}  cl(v)  cl(v)cl(t1)
class Vehicle Object { int position = 10;
          static void move (Vehicle t1 , int x1) {C}  cl(v)  cl(v)cl(t1)
            { position = position + x1 ;}}
class Car extends Vehicle { int passengers;          {T}  cl(v)  cl(v)cl(t3)
          static void await(Car t2 , Vehicle v) {
             if (v.position < position)                 {C}  cl(t2)  cl(t2)cl(t1)
                 then v.move(v, position - v.position);
                else t2.move(t2, 10); }}             {C}  cl(c)
class Truck extends Vehicle {
          static void move(Truck t3, int x2) {       {T}  cl(t)
          if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;          cl(c)  cl(v1)
          new c;
          new t;                        {C}  cl(c)  cl(c)cl(t1)
          v1 := c;
          c.passangers := 2;          {V}  cl(v1)  cl(v1)cl(t1)
          c.move(c, 60);
          v1.move(v1, 70);       {C}  cl(v1)  cl(v1)cl(t1)
          c.await(c, t) ;}
                               {T}  cl(v1)  cl(v1)cl(t3)

                           {C}  cl(c)  cl(c)cl(t2)
                                                                                       37
                      {C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2)
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)
                                             WL
{T}  cl(t)
                               cl(t1)
cl(c)  cl(v1)
{C}  cl(c)  cl(c)cl(t1)     cl(c)     c

{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)
                                             38
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)             WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 39
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t    WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 40
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t    WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 41
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t    WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 42
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t    WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 43
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t    WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 44
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t    WL
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 45
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
                               cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
                               cl(t3)        t
{T}  cl(t)
                               cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
                                                 46
{C}  cl(c)  cl(t)cl(v)
                A Motivating Example
class Vehicle Object { int position = 10;
         static void move (Vehicle this1 {Car} , int x1) {
                   position = position + x1 ;}}
class Car extends Vehicle { int passengers;
         static void await(Car this2 {Car} , Vehicle v {Truck}) {
                   if (v.position < position)
                             then v.move(v, position - v.position);
                             else this2.move(this2, 10); }}
class Truck extends Vehicle {
         static void move(Truck this3 {Truck}, int x2) {
                   if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
         new c;
         new t;
         v1 := c;
         c.passangers := 2;
         c.move(c, 60);
         v1.move(v1, 70);
         c.await(c, t) ;}                                             47
                Missing Material
 Efficient   Cubic Solution to Set Constraints
    www.cs.berkeley.edu/Research/Aiken/bane.html
   Experimental results for OO
  www.cs.washington.edu/research/projects/cecil
 Operational Semantics for FUN (3.2.1)
 Defining acceptability of set constraints
 Using general lattices as Dataflow values
  instead of powersets (3.5.2)
 Lower-bounds
    – Decidability of JOP
    – Polynomiality
                                                   48
                 Conclusions
 Set   constraints are quite useful
   – A Uniform syntax
   – Can even deal with pointers
 But  semantic foundation is still based on abstract
  interpretation
 Techniques used in functional and imperative
  (OO) programming are similar
 Control and data flow analysis are related



                                                        49

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:9
posted:8/13/2012
language:English
pages:48