ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William...
-
Upload
jacob-bond -
Category
Documents
-
view
214 -
download
0
Transcript of ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William...
![Page 1: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/1.jpg)
1
ESEC/FSE-99
Data-Flow Analysis of Program Fragments
Atanas Rountev 1 Barbara G. Ryder
1 William Landi 2
1 Department of Computer Science, Rutgers University2 Siemens Corporate Research
http://www.prolangs.rutgers.edu
Funded by NSF grants CCR-9501761, CCR-9804065and Siemens Corporate Research
![Page 2: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/2.jpg)
2
ESEC/FSE-99
Overview
• Motivation
• Theoretical model
• Application for pointer alias analysis
• Experimental results
![Page 3: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/3.jpg)
3
ESEC/FSE-99
Data-Flow Analysis
• Information about program behavior
• Defines:– Graph for the control-flow structure– Lattice L of data-flow values– Transfer functions fi : L L
• Flow sensitivity: propagate data-flow values by respecting execution order of statements
![Page 4: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/4.jpg)
4
ESEC/FSE-99
Limitations of Whole-Program Analysis
• Traditionally designed as whole-program analysis
• Precise analyses do not scale for large programs
• Incomplete programs cannot be analyzed: e.g., programs with libraries
• Information may be needed only for a small part of a large program
![Page 5: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/5.jpg)
5
ESEC/FSE-99
Fragment Data-Flow Analysis
• Idea: analyze a program fragment instead of a whole program
• Use summary information about the rest of the program
• Advantages:– Analyze fragments of large programs– Analyze incomplete programs– Analyze only the “interesting part” of the program
![Page 6: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/6.jpg)
6
ESEC/FSE-99
Questions
• What is the analysis structure?
• What is the relationship to whole-program analysis?
• How to define and ensure safety?
• What factors affect analysis cost and precision?
![Page 7: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/7.jpg)
7
ESEC/FSE-99
Model of Whole-Program Analysis
• Consider only flow-sensitive analysis
• Interprocedural control-flow graph:
• Lattice L of data-flow values
• Node transfer functions fi : L L
• Solutions and safety
Call
ReturnExit
Entry
Return
CallProcedure
![Page 8: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/8.jpg)
8
ESEC/FSE-99
Fragment Analysis Structure• Input: fragment + whole-program information
• Graph, lattice , node transfer functions
• Boundary nodes: entry, call, return
• Boundary entry: summary value from
• Boundary call: summary function
Call Exit
Entry
Return
Call EntryCall
′ L
′ L
f : ′ L → ′ L
Fragment
![Page 9: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/9.jpg)
9
ESEC/FSE-99
Fragment Analysis Safety
• All possible containing programs: p Progs
• Abstraction relation
If , then safely abstracts x
• A safe solution safely abstracts the most precise whole-program solution for every p
• Sufficient requirements for analysis safety: transfer functions, boundary summaries
α p ⊆Lp × ′ L
(x, ′ x ) ∈ α p ′ x
![Page 10: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/10.jpg)
10
ESEC/FSE-99
An Application
• Initial whole-program flow-insensitive analysis
• Fragment analysis input– Flow-insensitive solution– Call graph
• Use flow-insensitive solution at the boundary
• Two fragment pointer alias analyses
![Page 11: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/11.jpg)
11
ESEC/FSE-99
Pointer Alias Analysis
• Aliases refer to the same memory location
Example: p = &x; (*p,x)
• Whole-program flow- and context-sensitive analysis [Landi-Ryder]
• Fixed and non-fixed locations: x, s.f, *p, pg
• Resolution of through-deref assignments
Example: *p = 0;
![Page 12: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/12.jpg)
12
ESEC/FSE-99
Fragment Alias Analyses
• Input: whole-program flow-insensitive solution– Flow-insensitive analysis: almost linear time
[Steensgaard, Zhang-Ryder-Landi]
• Basic analysis: assumptions at boundary
• Extended analysis: include called procedures; no boundary calls
![Page 13: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/13.jpg)
13
ESEC/FSE-99
Experiments
• Sun Sparc-20, 75 MHz, 352 MB
• 6 data programs: 8K - 25K LOC
• 12 fragments: – Cohesive subsets of procedures implementing
certain functionality– Size: 2%-22% of program size, median 7%
• Resolved through-deref assignments– Metric: average number of modified fixed locations
![Page 14: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/14.jpg)
14
ESEC/FSE-99
Analysis Precision
0
10
20
30
40
50
60
70
1 2 3 4 5 6 7 8 9 10
Fragment number
Flow-insensitive Basic Extended
![Page 15: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/15.jpg)
15
ESEC/FSE-99
Analysis Time• Flow-insensitive analysis
– Range: 2-9 s– Median: 7 s
• Basic analysis– Range: 18-99 s– Median: 52 s
• Extended analysis– Range: 18-187 s– Median: 85 s
![Page 16: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/16.jpg)
16
ESEC/FSE-99
Summary• Fragment analysis as an alternative to whole-
program analysis• Theoretical issues of safety and feasibility• Application using inexpensive whole-program
analysis• Initial experiments
– Extended analysis: significant precision increase at
a practical cost
• Ongoing work: scalability, incomplete programs
![Page 17: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/17.jpg)
17
ESEC/FSE-99
The New Lattice
• What is the set of names?
• Number of names should not depend on the size of the whole program
• Each whole-program name is:– preserved– ignored– represented by a placeholder
• One placeholder name per equivalence class
![Page 18: ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.](https://reader036.fdocuments.in/reader036/viewer/2022082712/56649f565503460f94c7a0ae/html5/thumbnails/18.jpg)
18
ESEC/FSE-99
Fragment Sizes
0
5
10
15
20
25
1 2 3 4 5 6 7 8 9 10 11 12
Fragment number