Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E....
Transcript of Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E....
![Page 1: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/1.jpg)
1
Class 10
• Review; questions• Questions about project• Arbitrary interprocedural control flow (cont’d)• Pointers• Assign (see Schedule for links)
• Readings on symbolic execution• Problem Set 5: due 9/22/09• Project proposal
• Initial: due by e-mail 9/22/09• Final: due (written, 2 pages) 9/29/09
Complicating Factors
A. Programs with more than one procedureB. Programs with recursionC. Programs with arbitrary control flowD. Programs with pointersE. Programs with complex data structures
![Page 2: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/2.jpg)
Arbitrary Interprocedural CF
Three ways in which intra-procedural control dependences can be inaccurate
Entry-dependence effectMultiple-context effectReturn-dependence effect
Identify potentially non-returning call sites
Construct augmented control-flow graph
Compute partial control dependencesConstruct augmented control-dependence graph
Construct interprocedural control-dependence graphPropagate control dependences
Computation of Interprocedural CD
![Page 3: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/3.jpg)
PNRC Analysis
Step 1: Identifies three setsDNRPList: Definitely non-returning proceduresUnreachList: Statically unreachable nodesHNList: Halt statements reachable from entry
MethodBuild ICFGDepth first traversal along realizable paths marking visited nodes
Unmarked nodes are unreachableUnmarked exit nodes indicate DNRPsMarked halt nodes indicate reachable halts
PNRC Analysis
Step 1: Identifies three setsDNRPList: Definitely non-returning proceduresUnreachList: Statically unreachable nodesHNList: Halt statements reachable from entry
MethodBuild ICFGDepth first traversal along realizable paths marking visited nodes
Unmarked nodes are unreachableUnmarked exit nodes indicate DNRPsMarked halt nodes indicate reachable halts
![Page 4: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/4.jpg)
PNRC Analysis
10a10a
PNRC Analysis
10a10a
All nodes reachedNo DNRPsOne halt node
reached
![Page 5: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/5.jpg)
PNRC Analysis
10a10a
What if we change program?
PNRC Analysis
10a10a
Some nodes not reached
B and C are DNRPs
![Page 6: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/6.jpg)
PNRC Analysis
Step 2: Compute partial CDIdentify PNRCList: Possibly non-returning call-sitesBuild ACFGs
MethodBackward traversal of ICFG starting from (1) halt nodes and (2) calls to DNRPs
Ascending into callers, but not descending into callees (similar to SDG slicing)
Any call site reached is a PNRC
PNRC Analysis
10a10a
![Page 7: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/7.jpg)
PNRC Analysis
10a10a
Identify potentially non-returning call sites
Construct augmented control-flow graph
Compute partial control dependencesConstruct augmented control-dependence graph
Construct interprocedural control-dependence graphPropagate control dependences
Computation of Interprocedural CD
![Page 8: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/8.jpg)
Augmented Control-Flow GraphFor each procedure, starting from its CFG
Create super-exit nodeFor each potentially non-returning call site
create return-predicatenodeConnect return-predicate node to potential return sitesEliminate edge between call and return
entry
8 exit
6a
5b
5a
4
3
2
T
F
7
Augmented Control-Flow Graph
6b
For each procedure, starting from its CFG• Create super-exit node• For each potentially non-
returning call site• Create return-predicate
node• Connect return-predicate
node to potential return sites
• Eliminate edge between call and return
super exit
RP5b
RP6b
T
T
F
F
![Page 9: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/9.jpg)
Identify potentially non-returning call sites
Construct augmented control-flow graph
Compute partial control dependencesConstruct augmented control-dependence graph
Construct interprocedural control-dependence graphPropagate control dependences
Computation of Interprocedural CD
Partial Control Dependences
Partial CD
2,3
5b
4
6b,7,8
5a,6a
8 exit
6a
5b
5a
4
3
2
T
F
7
6b
super exit
RP5b
RP6b
T
T
F
F
entry
![Page 10: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/10.jpg)
Partial Control Dependences
Partial CD
2,3
5b
4
6b,7,8
5a,6a
8 exit
6a
5b
5a
4
3
2
T
F
7
6b
super exit
RP5b
RP6b
T
T
F
F
entry
entryentry
4RP5b
RP5bRP6b
Augmented CDG
Partial CD
2,3
5b
4
6b,7,8
5a,6a
entryentry
4RP5b
RP5bRP6b
Build ACDG• CDG built from an ACFG• Replace return-predicate nodes with corresponding return
![Page 11: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/11.jpg)
Identify potentially non-returning call sites
Construct augmented control-flow graph
Compute partial control dependencesConstruct augmented control-dependence graph
Construct interprocedural control-dependence graphPropagate control dependences
Computation of Interprocedural CD
Interprocedural CDGBuild ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
![Page 12: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/12.jpg)
Interprocedural CDGBuild ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
Interprocedural CDGBuild ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
17
![Page 13: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/13.jpg)
Interprocedural CDGBuild ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
Interprocedural CDG
4
Build ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
![Page 14: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/14.jpg)
Interprocedural CDGBuild ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
Interprocedural CDG
17
Build ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
![Page 15: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/15.jpg)
Interprocedural CDG
17
Build ICDG• Connect ACDGs with interprocedural control-flow edges• Replace all dependences to placeholder
• Backward traversal from the placeholders to the first (non-placeholder) predicate node along each path=> add control dependence
Interprocedural CDGPartial CD
2,3
7,8
4
5,6
entryentry
417
17
![Page 16: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/16.jpg)
Applications of Interprocedural CD
Computing interprocedural slicesIdentifying conditions associated with statements/proceduresComputing control coupling…
Complicating Factors
Programs with more than one procedureRecursionPrograms with pointersPrograms with complex data structuresPrograms with arbitrary control flow
![Page 17: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/17.jpg)
Complicating Factors (pointers)
Aliasing: different names reference the same memory location
1 main() {2 int*p, x, y;3 x = 0;4 p = &x;5 *p = *p+1;6 y = x;7 }
*p is an alias for x=> x = x+1;
• Alias information conveniently represented with points-to sets (e.g., *p -> {x})
• Typically, MAY information
Complicating Factors (pointers)
Pointers complicate data-flow
Consider an example
S1. x = read()
S2. y = read()
S4. p = &yS3. p = &x
S5. *p = read()
S6. print(*p)
S7. print(x)
What is Def(S5)?Can we simply “plug-in”
alias information?
![Page 18: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/18.jpg)
Complicating Factors (pointers)
Extending def-use conceptsDDEF: Definite DefinitionPDEF: Possible DefinitionDUSE: Definite UsePUSE: Possible Use
Extending algorithmsBoth possible and definite info in GENOnly definite info in KILL
Complicating Factors (pointers)
S1. x = read()
S2. y = read()
S3. p = &x
S5. *p = read()
S6. print(*p)
S7. print(x)
Pointers complicate data-flow
Consider an example
Are we in better shape in this case?(p* -> {x})
![Page 19: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/19.jpg)
Pointer/Alias Analysis
Control flowanalysis
Alias Analysis
Controldependence
Datadependence
SlicingConstantpropagation
Live-variableanalysis
Developmenttools
Testingtools
Maintenancetools
Optimizationtools
Goal: determine memory locations accessed through pointer dereferences Importance:
Alias Analysis (AA)
Must alias information indicates that the alias occurs on all paths in the CFG
May alias information indicates that the alias occurs on some path in the CFG
Flow-sensitive (flow-insensitive) aliasinginformation depends (does not depend) on the control flow in a procedure
Context-sensitive (context-insensitive) aliasinginformation obeys (does not obey) the calling context when propagating
![Page 20: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/20.jpg)
Introduction, Motivation
Precise alias analysis is undecidableApproximation algorithms
Flow-sensitive (FS) vs flow-insensitive (FI)Context-sensitive (CS) vs context-insensitive (CI)
P() {p=&x;*p=0;…p=&y;
}
x=0
{x,y}=0
FI
FS
Introduction, Motivation
Precise alias analysis is undecidableApproximation algorithms
Flow-sensitive (FS) vs flow-insensitive (FI)Context-sensitive (CS) vs context-insensitive (CI)
P() {p=&x;*p=0;…p=&y;
}
x=0
{x,y}=0
FI
FS P1() {p=&x;…Q()…
}
P2() {p=&y;…Q()*p=0;
}
Q() {……
}
y=0{x,y}=0 CSCI
![Page 21: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/21.jpg)
Precise alias analysis is undecidableApproximation algorithms
Flow-sensitive (FS) vs flow-insensitive (FI)Context-sensitive (CS) vs context-insensitive (CI)
precisioncost
flow-insensitive flow-sensitive
context-insensitive context-sensitive
Introduction, Motivation
Steendgaard’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
x
q
y
r
Program-specific points-to graph
![Page 22: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/22.jpg)
Steendgaard’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
x,z
q
y
r
Program-specific points-to graph
Steendgaard’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p q
y,x,z
r
Program-specific points-to graph
![Page 23: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/23.jpg)
Landi and Ryder’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
x
Point-specific points-to graph
Landi and Ryder’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
x
q
y
Point-specific points-to graph
![Page 24: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/24.jpg)
Landi and Ryder’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
x
q
y
r
Point-specific points-to graph
Landi and Ryder’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
z
q
y
r
Point-specific points-to graph
![Page 25: Class 10 - cc.gatech.eduharrold/6340/cs6340_fall2009/Slides/... · D. Programs with pointers E. Programs with complex data structures. Arbitrary Interprocedural CF yThree ways in](https://reader031.fdocuments.in/reader031/viewer/2022030406/5a82bd4a7f8b9a571e8e786e/html5/thumbnails/25.jpg)
Landi and Ryder’s
Existing Approaches
p = &x;q = &y;r = q;
p = &z;
p = &y;
proc1
proc2
p
y
Point-specific points-to graph
Program Analysis w/ Pointers
• Step 1: Perform alias analysis• Step 2: Resolve pointer dereferences• Step 3: Perform whole-program analysis
Time for alias analysis
Time for whole-program analysis
Steensgaard’s
Landi and Ryder’s
Precision
Time for alias analysis
Steensgaard’s
Landi and Ryder’s