1 Control Flow Analysis Mooly Sagiv sagiv/courses/pa01.html Tel Aviv University 640-6706 Textbook Chapter 3 Aiken/bane.html.

1

Control Flow AnalysisMooly Sagiv

http://www.math.tau.ac.il/~sagiv/courses/pa01.html

Tel Aviv University

640-6706

Textbook Chapter 3

http://www.cs.berkeley.edu/Research/~Aiken/bane.html

http://www.cs.washington.edu/research/projects/cecil

Assign 3 (11/7)

http://www.cs.washington.edu/research/projects/cecil

2

Goals

Understand the problem of Control Flow Analysis– in Functional Languages

– In Object Oriented Languages

– Function Pointers

Learn Constraint Based Program Analysis Technique– General

– Usage for Control Flow Analysis

– Algorithms

– Systems

Similarities between Problems &Techniques

4

A Motivating Exampleclass Vehicle Object { int position = 10; void move (int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;

void await(Vehicle v) { if (v.position < position) then v.move(position - v.position); else this.move(10); }}class Truck extends Vehicle {

void move(int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;

new c; new t; v1 := c;c.passangers := 2;c.move(60);v1.move(70);c.await(t) ;}

5

A Motivating Exampleclass Vehicle Object { int position = 10; static void move (Vehicle this1 {Car} , int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;

static void await(Car this2 {Car} , Vehicle v {Truck}) { if (v.position < position) then v.move(v, position - v.position); else this2.move(this2, 10); }}class Truck extends Vehicle {

static void move(Truck this3 {Truck}, int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;

new c; new t; v1 := c;c.passangers := 2;c.move(c, 60);v1.move(v1, 70);c.await(c, t) ;}

6

The Control Flow Analysis (CFA) Problem

Given a program in a functional programming language with higher order functions(functions can serve as parameters and return values)

Find out for each function invocation which functions may be applied

Obvious in C without function pointers Difficult in C++, Java and ML The Dynamic Dispatch Problem

7

An ML Example

let f = fn x => x 1 ;

g = fn y => y + 2 ;

h = fn z => z + 3;

in (f g) + (f h)

8

An ML Example

let f = fn x => /* {g, h} */ x 1 ;

g = fn y => y + 2 ;

h = fn z => z + 3;

in (f g) + (f h)

9

The Language FUN Notations

– e Exp // expressions (or labeled terms)

– t Term // terms (or unlabeled terms)

– f, x Var // variables

– c Const // Constants

– op Op // Binary operators

– l Lab // Labels

Abstract Syntax– e ::= tl

– t ::= c | x | fn x e // function definition | fun f x e // recursive function definition | e1 e2 // function applications | if e0 then e1 else e2 | let x = e1 in e2 | e1 op e2

10

A Simple Example

((fn x x1)2 (fn y y3)4)5

11

Factorial

(let fact = fun f n (if (n = 0)1 then 12

else ((n3 * (f4 (n5 – 16)7)8)9

)10

12

An Example which Always Loops

(let g = fun f x (f1 (fn y y2)3)4

)5

(g6 (fn z z7)8)9

)10

13

The 0-CFA Problem Control flow analysis without contexts Compute for every program a pair (C, ) where:

– C is the abstract cache associating abstract values with labeled program points

is the abstract environment associating abstract values with program variables

Abstract Values– v Val = P(Term) // Abstract values Env = Var Val // Abstract environment

– C Cache =Lab Val // Abstract Cache

– For function application (t1l1 t2

l2)l

C(l1) determines the function that can be applied

– Formally …

14

Possible Solutions for ((fn x x1)2 (fn y y3)4)5

1 {fn y y3} {fn y y3}

2 {fn x x1} {fn x x1}

3 {} {}

4 {fn y y3} {fn y y3}

5 {fn y y3} {fn y y3}

x {fn y y3} {}

y {} {}

15

(let g = fun f x (f1 (fn y y2)3)4

)5

(g6 (fn z z7)8)9

Shorthands

sf fun f x (f1 (fn y y2)3)4

idy fn y y2

idz fn z z7

C(1) = {sf} C(2) = {} C(3) = {idy}

C(4) = {} C(5) = {sf} C(6) = {sf}

C(7) = {} C(8) = {idz} C(9) = {}

C(10) = {} (x) = {idy , idz } (y) = {}

(z) = {}

16

Relationship to Dataflow Analysis

Expressions are side effect free– no entry/exit

A single environment Represents information at different points via

maps A single value for all occurrences of a variable Function applications act similar to assignments

– “Definition” - Function abstraction is created

– “Use” - Function is applied

17

A Formal Specification of 0-CFA

A Boolean function define when a solution is acceptable

(C, ) e means that (C, ) is acceptable for the expression e

Define by structural induction on e Every function is analyzed once Every acceptable solution is sound (conservative) Many acceptable solutions Generate a set of constraints Obtain the least acceptable solution by solving the

constraints

18

Solving 0-CFA (1)

Define a concrete semantics Define a Galois connection between the concrete

and the abstract semantics Define abstract meaning for statements Show local soundness Implement Chaotic iterations

19

Solving 0-CFA (2)

Generate a system of set of constraints – lhs rhs

– {t} rhs’ lhs rhs (conditional constraint)

Show that any solution to the set of constraints is sound

Find the minimal solution Systems for finding the minimal solution exist Applicable to different programming languages

20

Set Constraints

A set of rules of the form:– lhs rhs

– {t} rhs’ lhs rhs (conditional constraint)

– lhs, rhs, rhs’ are» terms

» C(l)(x)

The least solution (C, ) can be found iteratively– start with empty sets

– add terms when needed

Efficient cubic graph based solution

21

Syntax Directed Constraint Generation (Part I)

C* cl = {}C* xl = {r (x) C (l)}

C* (fn x e)l = C* e { {fn x e} C(l)}C* (fun f x e)l = C* e { {fun f x e} C(l)} {{fun f x e} r( f)}

C* (t1l1 t2

l2)l = C* t1l1 C* t2

l2 {{t} C(l) C (l2) r (x) | t=fn x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fn x t0

l0 Term* } {{t} C(l) C (l2) r (x) | t=fun x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fun x t0

l0 Term* }

22

Syntax Directed Constraint Generation (Part II)

C* (if t0l0 then t1

l1 else t2l2)l = C* t0

l0 C* t1l1 C* t2

l2 {C(l1) C (l)} {C(l2) C (l)}

C* (let x = t1l1 in t2

l2)l = C* t1l1 C* t2

l2 {C(l1) r (x)} {C(l2) C(l)}

C* (t1l1 op t2

l2)l = C* t1l1 C* t2

l2

23

Set Constraints for ((fn x x1)2 (fn y y3)4)5

24

Iterative Solution to the Set Constraints for ((fn x x1)2 (fn y y3)4)5

step Constraint 1 2 3 4 x y

25

Graph Based Solution toConstraint Systems

Construct a directed graph– Nodes

» Set variables

– Edges» u v

The set variable v may depend on u

Iteratively traverse the graph– Every operation adds a term

– Must terminate

Read the solution from the graph

26

The Constraint Graph for 0-CFA Nodes

– C(l)– r(x)

Edges – p1 p2

» Construct p1 p2

– {t} p p1 p2» Construct p1 p2» Construct p p2

Dependencies– D[v]

» The set of terms that must be included in v

27

WL :=

For all nodes v:

D[v] :=

E[v] :=

For all constraints c:

case c {t} p:

add(p, {t})

case c p1 p2:

E[p1] := E[p1] {c}

case c={t} p p1 p2

E[p] := E[p] {c}

E[p1] := E[p1] {c}

procedure add(q, s)

if (s D(q)) then

D[q] : = D[q] s

WL := WL {q}

while WL do

select and remove an element v from WL

for all c E[v] do

case c p1 p2: add(p2, D[p1])

case c={t} p p1 p2

if t D[p] then add(p2, D[p1])

28

Adding Data Flow Information

Dataflow values can affect control flow analysis Example

(let f = (fn x (if (x1 > 02)3 then (fn y y4)5

else (fn z 56)7

)8

)9

in ((f10 311)12 013)14)15

29

Adding Data Flow Information Add a finite set of “abstract” values per program

Data Update Val = P(TermData)

Env = Var Val // Abstract environment

– C Cache - Lab Val // Abstract Cache

Generate extra constraints for data Obtained a more precise solution A special of case of product domain (4.4) The combination of two analyses may be more

precise than both For some programs may even be more efficient

30

Adding Dataflow Information (Sign Analysis)

Sign analysis Add a finite set of “abstract” values per program

Data = {P, N, TT, FF} Update Val = P(TermData) dc is the abstract value that represents a constant c

– d3 = {p}

– d-7= {n}

– dtrue= {tt}

– dfalse= {ff}

Every operator is conservatively interpreted

31

Syntax Directed Constraint Generation (Part I)

C* cl = dc C (l)}C* xl = {r (x) C (l)}

C* (fn x e)l = C* e { {fn x e} C(l)}C* (fun f x e)l = C* e { {fun f x e} C(l)} {{fun f x e} r( f)}

C* (t1l1 t2

l2)l = C* t1l1 C* t2

l2 {{t} C(l) C (l2) r (x) | t=fn x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fn x t0

l0 Term* } {{t} C(l) C (l2) r (x) | t=fun x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fun x t0

l0 Term* }

32

Syntax Directed Constraint Generation (Part II)

C* (if t0l0 then t1

l1 else t2l2)l = C* t0

l0 C* t1l1 C* t2

l2 {dt C (l0) C(l1) C (l)} {df C (l0) C(l2) C (l)}

C* (let x = t1l1 in t2

l2)l = C* t1l1 C* t2

l2 {C(l1) r (x)} {C(l2) C(l)}

C* (t1l1 op t2

l2)l = C* t1l1 C* t2

l2 {C(l1) op C(l2) C(l)}

33

Adding Context Information The analysis does not distinguish between different

occurrences of a variable(Monovariant analysis)

Example(let f = (fn x x1) 2

in ((f3 f4)5 (fn y y6) 7)8)9

Source to source can help (but may lead to code explosion)

Example rewrittenlet f1 = fn x1 x1 in let f2 = fn x2 x2

in (f1 f2) (fn y y)

34

Simplified K-CFA

Records the last k dynamic calls (for some fixed k)

Similar to the call string approach Remember the context in which expression is

evaluated Val is now P(Term)Contexts

Env = Var Contexts Val

– C Cache - LabContexts Val

35

1-CFA (let f = (fn x x1) 2 in ((f3 f4)5 (fn y y6) 7)8)9

Contexts– [] - The empty context

– [5] The application at label 5

– [8] The application at label 8

Polyvariant Control FlowC(1, [5]) = (x, 5)= C(2, []) = C(3, []) = (f, []) = ({(fn x x1)}, [] )C(1, [8]) = (x, 8)= C(7, []) = C(8, []) = C(9, []) = ({(fn y y6)}, [] )

36





37

class Vehicle Object { int position = 10; static void move (Vehicle t1 , int x1) { position = position + x1 ;}}class Car extends Vehicle { int passengers;

static void await(Car t2 , Vehicle v) { if (v.position < position) then v.move(v, position - v.position); else t2.move(t2, 10); }}class Truck extends Vehicle {

static void move(Truck t3, int x2) { if (x2 < 55) position += x2; }}void main { Car c; Truck t; Vehicle v1;


{V} cl(v) cl(v)cl(t1)

{T} cl(v) cl(v)cl(t3)

{C} cl(v) cl(v)cl(t1)

{C} cl(t2) cl(t2)cl(t1)

{C} cl(c)

{T} cl(t)

cl(c) cl(v1)

{C} cl(c) cl(c)cl(t1)

{V} cl(v1) cl(v1)cl(t1)

{T} cl(v1) cl(v1)cl(t3)

{C} cl(v1) cl(v1)cl(t1)

{C} cl(c) cl(t)cl(v)


38





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

39





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

40





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

t

41





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

t

42





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

t

43





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

t

44





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

t

45





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

WL

c

t

c

c

c

t

t

46





{C} cl(c)

{T} cl(t)

cl(c) cl(v1)







cl(c)

cl(t1)

cl(t2)

cl(t3)

cl(v)

cl(t)

cl(v1)

c

t

c

c

c

t

t

47





48

Missing Material Efficient Cubic Solution to Set Constraints

www.cs.berkeley.edu/Research/Aiken/bane.html Experimental results for OO

www.cs.washington.edu/research/projects/cecil Operational Semantics for FUN (3.2.1) Defining acceptability of set constraints Using general lattices as Dataflow values

instead of powersets (3.5.2) Lower-bounds

– Decidability of JOP– Polynomiality

49

Conclusions

Set constraints are quite useful– A Uniform syntax

– Can even deal with pointers

But semantic foundation is still based on abstract interpretation

Techniques used in functional and imperative (OO) programming are similar

Control and data flow analysis are related

1 Control Flow Analysis Mooly Sagiv sagiv/courses/pa01.html Tel Aviv University 640-6706 Textbook Chapter 3 Aiken/bane.html.

Documents

position position

values u

int position

outline u

u obvious

goals u

fun f x f

f g f h slide