# cfa

Document Sample

```					       Control Flow Analysis
Mooly Sagiv
http://www.math.tau.ac.il/~sagiv/courses/pa01.html
Tel Aviv University
640-6706

Textbook Chapter 3
http://www.cs.berkeley.edu/Research/~Aiken/bane.html
http://www.cs.washington.edu/research/projects/cecil
Assign 3 (11/7)

1
Goals
 Understand     the problem of Control Flow Analysis
– in Functional Languages
– In Object Oriented Languages
– Function Pointers
 LearnConstraint Based Program Analysis
Technique
–   General
–   Usage for Control Flow Analysis
–   Algorithms
–   Systems
2
 Similarities   between Problems &Techniques
A Motivating Example
class Vehicle Object { int position = 10;
void move (int x1) {
position = position + x1 ;}}
class Car extends Vehicle { int passengers;
void await(Vehicle v) {
if (v.position < position)
then v.move(position - v.position);
else this.move(10); }}
class Truck extends Vehicle {
void move(int x2) {
if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
new c;
new t;
v1 := c;
c.passangers := 2;
c.move(60);
v1.move(70);
c.await(t) ;}                                            4
A Motivating Example
class Vehicle Object { int position = 10;
static void move (Vehicle this1 {Car} , int x1) {
position = position + x1 ;}}
class Car extends Vehicle { int passengers;
static void await(Car this2 {Car} , Vehicle v {Truck}) {
if (v.position < position)
then v.move(v, position - v.position);
else this2.move(this2, 10); }}
class Truck extends Vehicle {
static void move(Truck this3 {Truck}, int x2) {
if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
new c;
new t;
v1 := c;
c.passangers := 2;
c.move(c, 60);
v1.move(v1, 70);
c.await(c, t) ;}                                             5
The Control Flow Analysis (CFA) Problem

 Given  a program in a functional programming
language with higher order functions
(functions can serve as parameters and return
values)
 Find out for each function invocation
which functions may be applied
 Obvious in C without function pointers
 Difficult in C++, Java and ML
 The Dynamic Dispatch Problem

6
An ML Example
let f = fn x => x 1 ;
g = fn y => y + 2 ;
h = fn z => z + 3;
in (f g) + (f h)

7
An ML Example
let f = fn x => /* {g, h} */ x 1 ;
g = fn y => y + 2 ;
h = fn z => z + 3;
in (f g) + (f h)

8
The Language FUN
 Notations
–   e  Exp // expressions (or labeled terms)
–   t  Term // terms (or unlabeled terms)
–   f, x  Var // variables
–   c  Const // Constants
–   op  Op // Binary operators
–   l  Lab // Labels
 Abstract   Syntax
– e ::= tl
– t ::= c | x
| fn x  e // function definition
| fun f x  e // recursive function definition
| e1 e2 // function applications
| if e0 then e1 else e2
9
| let x = e1 in e2 | e1 op e2
A Simple Example
((fn x  x1)2 (fn y  y3)4)5

10
Factorial
(let fact = fun f n 
(if (n = 0)1 then 12
else ((n3 * (f4 (n5 – 16)7)8)9
)10

11
An Example which Always Loops

(let g = fun f x  (f1 (fn y  y2)3)4
)5
(g6 (fn z  z7)8)9
)10

12
The 0-CFA Problem
flow analysis without contexts
 Control
 Compute for every program a pair (C, ) where:
– C is the abstract cache associating abstract values with
labeled program points
–  is the abstract environment associating abstract values
with program variables
 Abstract   Values
– v  Val = P(Term) // Abstract values
–   Env = Var  Val // Abstract environment
– C  Cache =Lab  Val // Abstract Cache
– For function application (t1l1 t2l2)l
C(l1) determines the function that can be applied
– Formally …                                                  13
Possible Solutions for ((fn x  x1)2 (fn y  y3)4)5
1 {fn yy3} {fn yy3}

2 {fn xx1} {fn xx1}

3 {}                {}

4 {fn yy3} {fn yy3}

5 {fn yy3} {fn yy3}

x {fn yy3} {}
14
y {}                {}
(let g = fun f x  (f1 (fn y  y2)3)4
)5
(g6 (fn z  z7)8)9

Shorthands
sf  fun f x  (f1 (fn y  y2)3)4
idy  fn y  y2
idz  fn z  z7

C(1) = {sf}     C(2) = {}       C(3) = {idy}
C(4) = {}       C(5) = {sf}     C(6) = {sf}
C(7) = {}       C(8) = {idz} C(9) = {}
C(10) = {}       (x) = {idy , idz }     (y) = {}
15
(z) = {}
Relationship to Dataflow Analysis
 Expressions    are side effect free
– no entry/exit
A  single environment
 Represents information at different points via
maps
 A single value for all occurrences of a variable
 Function applications act similar to assignments
– “Definition” - Function abstraction is created
– “Use” - Function is applied
16
A Formal Specification of 0-CFA
A  Boolean function  define when a solution is
acceptable
 (C, )  e means that (C, ) is acceptable for the
expression e
 Define  by structural induction on e
 Every function is analyzed once
 Every acceptable solution is sound (conservative)
 Many acceptable solutions
 Generate a set of constraints
 Obtain the least acceptable solution by solving the
17
constraints
Solving 0-CFA (1)
 Define a concrete semantics
 Define a Galois connection between the concrete
and the abstract semantics
 Define abstract meaning for statements
 Show local soundness
 Implement Chaotic iterations

18
Solving 0-CFA (2)
 Generate   a system of set of constraints
– lhs  rhs
– {t}  rhs’  lhs  rhs (conditional constraint)
 Show   that any solution to the set of constraints is
sound
 Find the minimal solution
 Systems for finding the minimal solution exist
 Applicable to different programming languages

19
Set Constraints
A   set of rules of the form:
– lhs  rhs
– {t}  rhs’  lhs  rhs (conditional constraint)
– lhs, rhs, rhs’ are
» terms
» C(l)
» (x)
 The   least solution (C, ) can be found iteratively
 Efficient   cubic graph based solution                 20
Syntax Directed Constraint Generation (Part I)
C* cl  = {}
C* xl  = {r (x)  C (l)}

C* (fn x  e)l  = C*  e   { {fn x  e}  C(l)}
C* (fun f x  e)l  = C*  e   { {fun f x  e}  C(l)} 
{{fun f x  e}  r( f)}

C*  (t1l1 t2l2)l     = C*  t1l1   C* t2l2  
{{t}  C(l)  C (l2)  r (x) | t=fn x  t0l0 Term* } 
{{t}  C(l)  C (l0)  C (l) | t=fn x  t0l0 Term* } 
{{t}  C(l)  C (l2)  r (x) | t=fun x  t0l0 Term* } 
{{t}  C(l)  C (l0)  C (l) | t=fun x  t0l0 Term* }

21
Syntax Directed Constraint Generation (Part II)

C* (if t0l0 then t1l1 else t2l2)l  = C*  t0l0   C*  t1l1   C*
t2l2  
{C(l1)  C (l)} 
{C(l2)  C (l)}
C* (let x = t1l1 in t2l2)l  = C*  t1l1   C* t2l2  
{C(l1)  r (x)} 
{C(l2)  C(l)}
C* (t1l1 op t2l2)l  = C*  t1l1   C* t2l2 

22
Set Constraints for ((fn x  x1)2 (fn y  y3)4)5

23
Iterative Solution to the Set Constraints for
((fn x  x1)2 (fn y  y3)4)5

step   Constraint            1     2     3     4       x    y

24
Graph Based Solution to
Constraint Systems
 Construct     a directed graph
– Nodes
» Set variables
– Edges
» uv
   The set variable v may depend on u

 Iteratively    traverse the graph
– Every operation adds a term
– Must terminate
 Read   the solution from the graph
25
The Constraint Graph for 0-CFA
 Nodes
– C(l)
– r(x)
 Edges
– p1  p2
» Construct p1  p2
– {t}  p  p1  p2
» Construct p1  p2
» Construct p  p2
 Dependencies
– D[v]
» The set of terms that must be included in v   26
WL :=                   while WL  do
For all nodes v:          select and remove an element v from WL
D[v] := 
for all c E[v] do
E[v] := 
case c p1  p2: add(p2, D[p1])
For all constraints c:
case c={t} p  p1  p2
case c {t}  p:
case c p1  p2:
E[p1] := E[p1] {c}
case c={t} p  p1  p2
E[p] := E[p]  {c}       procedure add(q, s)
E[p1] := E[p1] {c}       if (s D(q)) then
D[q] : = D[q]  s
WL := WL {q}                   27
 Dataflow   values can affect control flow analysis
 Example
(let f = (fn x  (if (x1 > 02)3
then (fn y  y4)5
else (fn z  56)7
)8
)9
in ((f10 311)12 013)14)15

28
 Add   a finite set of “abstract” values per program
Data
 Update Val = P(TermData)
–   Env = Var  Val // Abstract environment
– C  Cache - Lab  Val // Abstract Cache
 Generate  extra constraints for data
 Obtained a more precise solution
 A special of case of product domain (4.4)
 The combination of two analyses may be more
precise than both                                     29

 Sign  analysis
 Add a finite set of “abstract” values per program
Data = {P, N, TT, FF}
 Update Val = P(TermData)
 dc is the abstract value that represents a constant c
–   d3 = {p}
–   d-7= {n}
–   dtrue= {tt}
–   dfalse= {ff}
 Every     operator is conservatively interpreted        30
Syntax Directed Constraint Generation (Part I)
C* cl  = dc  C (l)}
C* xl  = {r (x)  C (l)}

C* (fn x  e)l  = C*  e   { {fn x  e}  C(l)}
C* (fun f x  e)l  = C*  e   { {fun f x  e}  C(l)} 
{{fun f x  e}  r( f)}

C*  (t1l1 t2l2)l     = C*  t1l1   C* t2l2  
{{t}  C(l)  C (l2)  r (x) | t=fn x  t0l0 Term* } 
{{t}  C(l)  C (l0)  C (l) | t=fn x  t0l0 Term* } 
{{t}  C(l)  C (l2)  r (x) | t=fun x  t0l0 Term* } 
{{t}  C(l)  C (l0)  C (l) | t=fun x  t0l0 Term* }

31
Syntax Directed Constraint Generation (Part II)

C* (if t0l0 then t1l1 else t2l2)l  = C*  t0l0   C*  t1l1   C*
t2l2  
{dt  C (l0)  C(l1)  C (l)} 
{df C (l0)  C(l2)  C (l)}
C* (let x = t1l1 in t2l2)l  = C*  t1l1   C* t2l2  
{C(l1)  r (x)} 
{C(l2)  C(l)}
C* (t1l1 op t2l2)l  = C*  t1l1   C* t2l2  
{C(l1) op C(l2)  C(l)}

32
 The   analysis does not distinguish between
different occurrences of a variable
(Monovariant analysis)
 Example
(let f = (fn x  x1) 2
in ((f3 f4)5 (fn y  y6) 7)8)9
 Source to source can help (but may lead to code
explosion)
 Example rewritten
let f1 = fn x1  x1
in let f2 = fn x2  x2
in (f1 f2) (fn y  y)                33
Simplified K-CFA
 Records   the last k dynamic calls (for some fixed
k)
 Similar to the call string approach
 Remember the context in which expression is
evaluated
 Val is now P(Term)Contexts
–   Env = Var Contexts  Val
– C  Cache - LabContexts  Val

34
1-CFA
f = (fn x  x1) 2 in ((f3 f4)5 (fn y  y6) 7)8)9
 (let
 Contexts
– [] - The empty context
– [5] The application at label 5
– [8] The application at label 8
 Polyvariant  Control Flow
C(1, [5]) =  (x, 5)= C(2, []) = C(3, []) =  (f, []) =
({(fn x  x1)}, [] )
C(1, [8]) =  (x, 8)= C(7, []) = C(8, []) = C(9, []) =
({(fn y  y6)}, [] )

35
A Motivating Example
class Vehicle Object { int position = 10;
static void move (Vehicle this1 {Car} , int x1) {
position = position + x1 ;}}
class Car extends Vehicle { int passengers;
static void await(Car this2 {Car} , Vehicle v {Truck}) {
if (v.position < position)
then v.move(v, position - v.position);
else this2.move(this2, 10); }}
class Truck extends Vehicle {
static void move(Truck this3 {Truck}, int x2) {
if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
new c;
new t;
v1 := c;
c.passangers := 2;
c.move(c, 60);
v1.move(v1, 70);
c.await(c, t) ;}                                             36
{V}  cl(v)  cl(v)cl(t1)
class Vehicle Object { int position = 10;
static void move (Vehicle t1 , int x1) {C}  cl(v)  cl(v)cl(t1)
{ position = position + x1 ;}}
class Car extends Vehicle { int passengers;          {T}  cl(v)  cl(v)cl(t3)
static void await(Car t2 , Vehicle v) {
if (v.position < position)                 {C}  cl(t2)  cl(t2)cl(t1)
then v.move(v, position - v.position);
else t2.move(t2, 10); }}             {C}  cl(c)
class Truck extends Vehicle {
static void move(Truck t3, int x2) {       {T}  cl(t)
if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;          cl(c)  cl(v1)
new c;
new t;                        {C}  cl(c)  cl(c)cl(t1)
v1 := c;
c.passangers := 2;          {V}  cl(v1)  cl(v1)cl(t1)
c.move(c, 60);
v1.move(v1, 70);       {C}  cl(v1)  cl(v1)cl(t1)
c.await(c, t) ;}
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)
37
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2)
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)
WL
{T}  cl(t)
cl(t1)
cl(c)  cl(v1)
{C}  cl(c)  cl(c)cl(t1)     cl(c)     c

{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)
38
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)             WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
39
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t    WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
40
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t    WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
41
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t    WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
42
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t    WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
43
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t    WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
44
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t    WL
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
45
{C}  cl(c)  cl(t)cl(v)
{V}  cl(v)  cl(v)cl(t1)
cl(v)     t
{C}  cl(v)  cl(v)cl(t1)

{T}  cl(v)  cl(v)cl(t3)     cl(t2) c
{C}  cl(t2)  cl(t2)cl(t1)

{C}  cl(c)
cl(t3)        t
{T}  cl(t)
cl(t1) c
cl(c)  cl(v1)

{C}  cl(c)  cl(c)cl(t1)     cl(c)     c
{V}  cl(v1)  cl(v1)cl(t1)

{C}  cl(v1)  cl(v1)cl(t1)   cl(t) t
{T}  cl(v1)  cl(v1)cl(t3)

{C}  cl(c)  cl(c)cl(t2)     cl(v1)        c
46
{C}  cl(c)  cl(t)cl(v)
A Motivating Example
class Vehicle Object { int position = 10;
static void move (Vehicle this1 {Car} , int x1) {
position = position + x1 ;}}
class Car extends Vehicle { int passengers;
static void await(Car this2 {Car} , Vehicle v {Truck}) {
if (v.position < position)
then v.move(v, position - v.position);
else this2.move(this2, 10); }}
class Truck extends Vehicle {
static void move(Truck this3 {Truck}, int x2) {
if (x2 < 55) position += x2; }}
void main { Car c; Truck t; Vehicle v1;
new c;
new t;
v1 := c;
c.passangers := 2;
c.move(c, 60);
v1.move(v1, 70);
c.await(c, t) ;}                                             47
Missing Material
 Efficient   Cubic Solution to Set Constraints
www.cs.berkeley.edu/Research/Aiken/bane.html
   Experimental results for OO
www.cs.washington.edu/research/projects/cecil
 Operational Semantics for FUN (3.2.1)
 Defining acceptability of set constraints
 Using general lattices as Dataflow values
 Lower-bounds
– Decidability of JOP
– Polynomiality
48
Conclusions
 Set   constraints are quite useful
– A Uniform syntax
– Can even deal with pointers
 But  semantic foundation is still based on abstract
interpretation
 Techniques used in functional and imperative
(OO) programming are similar
 Control and data flow analysis are related

49

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 9 posted: 8/13/2012 language: English pages: 48