Page 1
Interprocedural Heap Analysis using Access Graphs andValue Contexts
with applications to liveness-based garbage collection
Rohan Padhyeunder the guidance of
Prof. Uday Khedker
Department of Computer Science & EngineeringIndian Institute of Technology Bombay
M.Tech Project
Page 2
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 2 / 32
Page 3
Background
Heap Reference Analysis [Khedker, Sanyal & Karkare, 2007]
S1: x = root
S2: while (x.val > M):
S3: x = x.l
S4: x = x.r
S5: print x.val
S6: EXIT
x l3 r4
Access graph for x at S2.
rootx
1
2
4
8 9
5
10 11
3
6
12 13
7
14 15
The binary tree in the heap at S2.Filled nodes are live objects.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 3 / 32
Page 4
Key Issues
Three main issues in performing Heap Reference Analysis:
1 How to perform a precise alias analysis for arbitrary access paths inthe heap?
2 How to implement whole-program heap reference analysis in aninter-procedural manner?
3 How to use the resulting access graphs to improve garbagecollection?
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 4 / 32
Page 5
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 5 / 32
Page 6
Need for Alias Analysis
S1
S2 S3
x .p = zS4
u = y .pS5
v = u.qS6
use vS7
x and y do not alias at S4.
LVIN4
x
y p5 q6
LVOUT4y p5 q6
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 6 / 32
Page 7
Need for Alias Analysis
S1
x = yS2 S3
x .p = zS4
u = y .pS5
v = u.qS6
use vS7
x may alias y at S4
LVIN4
x
y p5 q6
z q6
LVOUT4y p5 q6
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 7 / 32
Page 8
Need for Alias Analysis
x = yS1
S2 S3
x .p = zS4
u = y .pS5
v = u.qS6
use vS7
x must alias y at S4
LVIN4
x
y
z q6
LVOUT4y p5 q6
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 8 / 32
Page 9
Need for Alias Analysis
May-alias analysis is required for sound heap liveness analysis.
Must-alias analysis is desirable for performing strong updates.
In general, alias queries may not be as straightforward as thepreceeding examples:
w .r = z
x p3 q4 r5
In the above program, z is live if w may be aliased to any objectaccessible by the pattern x(.p)∗.q.
The key obervation is here is that we need to determine aliasesbetween live access patterns.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 9 / 32
Page 10
Access Graphs and Access Patterns
S1: w.r = z
S2: while (...):
S3: x = x.p
S4: x = x.q
S5: x = x.r
S6: use x
S7: EXIT
Consider liveness at S2.
Access Graph
x p3 q4 r5
Equivalent Automaton
x p q r
p
q
Access Patterns
x/p3 : x .p(.p)∗x/q4 : x(.p)∗.qx/r5 : x(.p)∗.q.r
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 10 / 32
Page 11
Approaches to Heap Alias Analysis
Modelling an unbounded number of objects using a finite abstraction:
Muchnick & Jones, 1981: k-limited graph
Chase, Wegman & Zadeck, 1990: Merge on allocation sites
Sagiv, Reps & Wilhelm, 1996: “Materialization”
Sagiv, Reps & Wilhelm, 1999: 3-valued logic
Our approach: Use access patterns from liveness graphs toimprove expressibility of points-to graph
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 11 / 32
Page 12
Approaches to Heap Alias Analysis
Modelling an unbounded number of objects using a finite abstraction:
Muchnick & Jones, 1981: k-limited graph
Chase, Wegman & Zadeck, 1990: Merge on allocation sites
Sagiv, Reps & Wilhelm, 1996: “Materialization”
Sagiv, Reps & Wilhelm, 1999: 3-valued logic
Our approach: Use access patterns from liveness graphs toimprove expressibility of points-to graph
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 11 / 32
Page 13
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 14
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 15
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 16
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 17
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 18
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 19
Proposed Approach
y = newS0
z = newS1
t = newS2
t.n = xS3
x = tS4
a = xS5
b = a.nS6
a.n = yS7 b.n = zS8
use x .nS9
exitS10
Actual heap layout after S6
x · · ·n n n n
a b
y z
P0: Initial Points-to Analysis
PTOUT6 = PTIN7 = PTIN8:
x S2 n
a b
y S0 z S1
P1: Points-to Analysis using L1PTOUT6 = PTIN7 = PTIN8:
x S2 S2 S2x , a x/n9, b −
n nn
a b
y S0y
z S1z
L1: Liveness after P0
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amay= x):
a x n9 y, ,
LVIN8 (considering bmay= x):
b x n9 z, ,
LVOUT6 = LVIN7 ∪ LVIN8:a b x n9 y, , , z,
L2: Liveness after P1
LVIN9 = LVOUT7 = LVOUT8:x n9
LVIN7 (considering amust= x):
x y,
LVIN8 (considering b 6= x):
x n9
LVOUT6 = LVIN7 ∪ LVIN8:x n9 y,
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 12 / 32
Note
We are not performing “materialization”.P1 does not use P0 and L2 does not use L1.These are new passes from scratch!Li uses Pi−1 for implicit updates.Pi uses Li for expressibility.
Page 20
Proposed Approach
Key idea: distinguish between objects accessible by distinct sets ofaccess patterns.
Thus, our approach is more precise than naive summarization in that:1 Unnecessary may-aliases are avoided.2 Useful must-aliases are discovered.
Inter-dependence of liveness and points-to analysis:1 Perform naive points-to (summarize on alloc sites).2 Backward analysis to get huge liveness info (sound but imprecise).3 Again do points-to, distinguishing on access patterns found above.4 Another round of backward analysis to get precise liveness info.5 Fixed point...?
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 13 / 32
Page 21
Accessor Relationship Graph
Symbol Definition Cardinality
V Variables Proportional to program sizeM Memory allocation sites Proportional to program sizeR Field dereference points Proportional to program sizeA Access graph nodes |V |+ |V | × |R|H Heap graph nodes |M| × 2|A|
Definition
Accessor Relationship Graph is a 3-tuple 〈Ev ,Ef , summary〉, where:
Ev ⊆ V × H
Ef ⊆ H × F × H
summary : H → {true, false}
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 14 / 32
Page 22
Accessor Relationship Graph
Symbol Definition Cardinality
V Variables Proportional to program sizeM Memory allocation sites Proportional to program sizeR Field dereference points Proportional to program sizeA Access graph nodes |V |+ |V | × |R|H Heap graph nodes |M| × 2|A|
Definition
Accessor Relationship Graph is a 3-tuple 〈Ev ,Ef , summary〉, where:
Ev ⊆ V × H
Ef ⊆ H × F × H
summary : H → {true, false}
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 14 / 32
Page 23
Lattice Representation
Definition
〈Ev ,Ef , summary〉 w 〈E ′v ,E ′f , summary ′〉 if:
Ev ⊆ E ′v
Ef ⊆ E ′f∀k ∈ H : summary(k)⇒ summary ′(k)
Definition
〈Ev ,Ef , summary〉 u 〈E ′v ,E ′f , summary ′〉 = 〈E ′′v ,E ′′f , summary ′′〉 such that:
E ′′v = Ev ∪ E ′v
E ′′f = Ef ∪ E ′f∀k ∈ H : summary ′′(k) = summary(k) ∨ summary ′(k)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 15 / 32
Page 24
Lattice Representation
Definition
〈Ev ,Ef , summary〉 w 〈E ′v ,E ′f , summary ′〉 if:
Ev ⊆ E ′v
Ef ⊆ E ′f∀k ∈ H : summary(k)⇒ summary ′(k)
Definition
〈Ev ,Ef , summary〉 u 〈E ′v ,E ′f , summary ′〉 = 〈E ′′v ,E ′′f , summary ′′〉 such that:
E ′′v = Ev ∪ E ′v
E ′′f = Ef ∪ E ′f∀k ∈ H : summary ′′(k) = summary(k) ∨ summary ′(k)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 15 / 32
Page 25
Data Flow Analysis
Normalization: Θ(X , L) = Consistency + Reachability
x = x .nS5
n8n6n5x x S1 S1 S1 S1n n n
n
x x/n5 x/n6 x/n8
n8n6x x S1 S1 S1 S1n n n
n
x x/n5x
x/n6 x/n8
Data Flow Equations:
PTINb = up∈pred(b)
Θ(PTOUTp, LVINb)
PTOUTb = Θ(fb(PTINb), LVOUTb)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 16 / 32
Page 26
Data Flow Analysis
Normalization: Θ(X , L) = Consistency + Reachability
x = x .nS5
n8n6n5x x S1 S1 S1 S1n n n
n
x x/n5 x/n6 x/n8
n8n6x x S1 S1 S1 S1n n n
n
x x/n5x
x/n6 x/n8
Data Flow Equations:
PTINb = up∈pred(b)
Θ(PTOUTp, LVINb)
PTOUTb = Θ(fb(PTINb), LVOUTb)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 16 / 32
Page 27
System Model
L̂ : S × AP → {true, false} (Results of liveness analysis)
P̂ : S × AP × AP → {true, false} (Results of points-to analysis)
HLA : P̂ → L̂ (Heap Liveness Analysis)
PTA : L̂→ P̂ (Heap Points-To Analysis)
L̂0 = λsλa.false
∀i ≥ 0 : P̂i = PTA(L̂i )
∀i ≥ 0 : L̂i+1 = HLA(P̂i )
L̂i ⊆ L̂j iff ∀s ∈ S ,∀a ∈ AP : L̂i (s, a)⇒ L̂j(s, a)
P̂i ⊆ P̂j iff ∀s ∈ S ,∀a ∈ AP,∀b ∈ AP : P̂i (s, a, b)⇒ P̂j(s, a, b)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 17 / 32
Page 28
System Model
L̂ : S × AP → {true, false} (Results of liveness analysis)
P̂ : S × AP × AP → {true, false} (Results of points-to analysis)
HLA : P̂ → L̂ (Heap Liveness Analysis)
PTA : L̂→ P̂ (Heap Points-To Analysis)
L̂0 = λsλa.false
∀i ≥ 0 : P̂i = PTA(L̂i )
∀i ≥ 0 : L̂i+1 = HLA(P̂i )
L̂i ⊆ L̂j iff ∀s ∈ S ,∀a ∈ AP : L̂i (s, a)⇒ L̂j(s, a)
P̂i ⊆ P̂j iff ∀s ∈ S ,∀a ∈ AP,∀b ∈ AP : P̂i (s, a, b)⇒ P̂j(s, a, b)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 17 / 32
Page 29
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
Page 30
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
Page 31
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
Page 32
Precision of Liveness
L̂0 P̂0 L̂1 P̂1 L̂2 P̂2 L̂3 P̂3 L̂4 · · ·
Theorem
The results of the second round of heap liveness analysis is the mostprecise result which is also sound. That is, ∀k > 0 : L̂2 ⊆ L̂k .
Lemma (1)
∀i , j : L̂i ⊆ L̂j ⇒ P̂i ⊇ P̂j
Lemma (2)
∀i , j : P̂i ⊆ P̂j ⇒ L̂i+1 ⊆ L̂j+1
Proof.
1. ∀k ≥ 0 : L̂0 ⊆ L̂k (By Definition)2. ∀k ≥ 0 : P̂0 ⊇ P̂k (Lemma 1)3. ∀k ≥ 0 : L̂1 ⊇ L̂k+1 (Lemma 2)4. ∀k ≥ 0 : P̂1 ⊆ P̂k+1 (Lemma 1)5. ∀k ≥ 0 : L̂2 ⊆ L̂k+2 (Lemma 2)6. ∀k > 0 : L̂2 ⊆ L̂k (Step 3 and 5)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 18 / 32
Page 33
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 19 / 32
Page 34
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 35
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 36
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 37
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})
Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 38
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on D
Modelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 39
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problem
Main limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 40
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functions
Not suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 41
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 42
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 43
Interprocedural Analysis
No existing implementation of inter-procedural heap reference analysis
Soot has excellent API for data flow analysis - only intraprocedural
IFDS/IDE solver [Bodden, SOAP 2012]
f ({x , y , z}) = f ({x}) u f ({y}) u f ({z})Functions on 2D reduced to functions on DModelled as a graph reachability problemMain limitation: Requires distributive flow functionsNot suitable for many types of heap analysis
x = y .n
y o1 o2n
y o1 o2n
x
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 20 / 32
Page 44
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 45
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 46
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 47
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 48
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 49
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 50
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 51
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation method
Suitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 52
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analyses
Can map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 53
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)
Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 54
Interprocedural Analysis
The most general and precise solutions:
Call Strings (maintain an abstract call stack) [Sharir & Pnueli, 1981]
Functional (flow functions for call statements) [Sharir & Pnueli, 1981]
Function composition methodTabulation method
Modified call-strings method [Khedker & Karkare, 2008]
Value-based termination of call string construction
Value contexts [Padhye & Khedker, 2013]
Reformulation of tabulation methodSuitable for bi-directional interleaved analysesCan map arbitrary call string to value context (dynamic optimizations)Context-sensitive data flow solution (specialization)
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 21 / 32
Page 55
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 56
Value Contexts
Value contexts:
X = 〈method , entryValue〉
exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 57
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 58
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 59
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 60
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉
Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 61
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )
Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 62
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-list
Record transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 63
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 64
Value Contexts
Value contexts:
X = 〈method , entryValue〉exitValue(X )
Data Flow Analysis is performed using traditional work-list method
Work-list contains 〈context, node〉 pairs
Call-sites: Find value context X = 〈method , entryValue〉Found: Re-use exitValue(X )Not found: Create new X and add all nodes to work-listRecord transition from this call-site to X
Exit-sites: Set exitValue(X ) and add callers to work-list
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 22 / 32
Page 65
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main >X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 66
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >
X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 67
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >
X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 68
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >
X1 f a+b−
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 69
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 70
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 71
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉 〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 72
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >
X2 g u+
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 73
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >
X3 f a−b+
Value Contexts
X0 X1
X2 X3
c1
c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 74
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >
X3 f a−b+
Value Contexts
X0 X1 X2
X3
c1 c2
c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 75
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >
X3 f a−b+
Value Contexts
X0 X1 X2
X3
c1 c2
c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 76
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2
X3
c1 c2
c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 77
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 78
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 79
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 80
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 81
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 82
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 83
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 84
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ >
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 85
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 86
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ >X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 87
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉〈X3, a−b+〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 88
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉 〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 89
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+〉〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉 〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 90
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X3, a−b+c−〉 〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 91
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 92
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− >X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 93
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 94
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2
c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 95
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 96
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > >X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 97
Example - Sign Analysis
main()
p = 5n1
q = f(p, -3)c1
r = g(-q)c4
exitn6
f(a, b)
if (...)n2
c = a * bn3 c = g(10)c2
return cn5
g(u)
v = f(-u, u)c3
return vn6
〈X0,>〉
〈X0, p+〉
〈X0, p+q−〉
〈X0, p+q−r−〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−〉〈X3, a−b+〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X1, a+b−c−〉〈X3, a−b+c−〉
〈X2, u+〉
〈X2, u+v−〉
Context Proc. Entry Exit
X0 main > p+q−r−
X1 f a+b− a+b−c−
X2 g u+ u+v−
X3 f a−b+ a−b+c−
Value Contexts
X0 X1 X2 X3
c1 c2 c3
c2c4
Context Transitions
>
− 0 +
⊥Component
Lattice
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 23 / 32
Page 98
Implementation Framework
Context<M,N,A>
+ getMethod(): M+ getEntryValue() : A+ getExitValue() : A+ getValueBefore(N) : A+ getValueAfter(N) : A
InterProceduralAnalysis<M,N,A>
+ topValue() : A+ boundaryValue(M) : A+ copy(A) : A+ meet(A,A) : A+ normalFlowFunction(Context<M,N,A>, N, A) : A+ callEntryFlowFunction(Context<M,N,A>, M, N, A) : A+ callExitFlowFunction(Context<M,N,A>, M, N, A) : A+ callLocalFlowFunction(Context<M,N,A>, N, A) : A+ programRepresentation() : ProgramRepresentation<M,N>+ doAnalysis() : void+ getContexts() : Map<M,List<Context<M,N,A>>>+ getMeetOverPathsSolution() : DataFlowSolution<M,N,A>
ForwardInterProceduralAnalysis<M,N,A>
+ doAnalysis() : void
BackwardInterProceduralAnalysis<M,N,A>
+ doAnalysis() : void
ProgramRepresentation<M,N>
+ getEntryPoints() : List<M>+ getControlFlowGraph(M) : DirectedGraph<N>+ isCall(N) : boolean+ resolveTargets(M, N) : List<M>
https://github.com/rohanpadhye/vasco
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 24 / 32
Page 99
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 100
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 101
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 102
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 103
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 104
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 105
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 106
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)
Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 107
The Role of Call Graphs
Context-sensitivity only useful if call graph is precise
OOP: Use points-to analysis to resolve virtual calls
Imprecise points-to analysis ⇒ “spurious” edges
SPARK: Thousands of spurious edges even for small programs
e.g. Over 250 targets for x.hashCode() in HashSet
Affects efficiency and precision of interprocedural analysis
Points-to Analysis using Value Contexts
Flow and context-sensitive points-to analysis (FCPA)Context-sensitive call graph constructed on-the-fly
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 25 / 32
Page 108
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
Page 109
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
Page 110
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
Page 111
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
Page 112
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks
62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
Page 113
Results of Points-To Analysis
Tested on 7 benchmarks from SPEC JVM98 and DaCapo 2006
Time to analyze: 1.15 sec (compress) to 697.4 sec (antlr)
Average contexts per method: 4.24 (mpegaudio) to 25.04 (jess)
Number of interprocedural paths in resulting call graph (for k = 10):
Over 96% less paths in FCPA over SPARK for 3 benchmarks62-92% less paths in FCPA over SPARK for remaining benchmarks
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 26 / 32
Page 114
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 27 / 32
Page 115
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?
1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 116
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 117
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.
Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 118
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.
The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 119
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.
Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 120
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.
Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 121
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 122
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 123
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.
Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 124
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.
Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 125
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.
Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 126
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 127
Access Graphs for Garbage Collection
How to use access graphs for improving garbage collection?1 Assign null to dead access paths.
Requires availability and anticipability analysis to prevent exceptions.Cannot nullify access paths that are not provably safe to dereference.The safety analyses themselves depend on alias information.Increase in code size and possible performance penalty.Redundant nullification of same reference from aliased access paths.
2 Augment garbage collector to traverse access graphs.
No need of safety analysis.Perfect alias information available at run-time.Difficult to map named variables and fields to run-time offsets.Optimizations after HRA (static or JIT) invalidate access graphs.
3 Dynamic heap pruning - a hybrid approach.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 28 / 32
Page 128
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 129
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.
2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 130
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 131
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 132
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 133
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 134
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .
5 Traverse the access graphs from the root variables (stack locals) andlabel heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 135
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 136
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:
1 Find the set of live fields by looking at the edges out of every accessorthat reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 137
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:1 Find the set of live fields by looking at the edges out of every accessor
that reaches it.
2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 138
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:1 Find the set of live fields by looking at the edges out of every accessor
that reaches it.2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 139
Dynamic Heap Pruning
Manipulate the heap using a debugger!
1 Pause a running program when pruning has to be performed.2 For each frame on the call stack do:
1 Find the paused program point P using return address of next frame(or PC for top-of-stack).
2 Construct the call string σ using the sequence of return addresses fromthe bottom-of-stack.
3 Determine the value context X by traversing σ in the contexttransition graph.
4 Retrieve the access graphs for point P in context X .5 Traverse the access graphs from the root variables (stack locals) and
label heap objects with the set of accessor nodes that reach them.
3 For each labelled object in the heap do:1 Find the set of live fields by looking at the edges out of every accessor
that reaches it.2 Set the value of all other fields (which are dead) to null.
4 Resume the program. Let garbage collection run as normal.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 29 / 32
Page 140
Outline
1 Background and MotivationHeap Reference AnalysisKey Issues
2 Heap Alias AnalysisNeed for Alias AnalysisExisting AbstractionsProposed Abstraction: Acccessor Relationship Graph
3 Interprocedural AnalysisExisting FrameworksOur Framework: Value ContextsThe Role of Call Graphs
4 Access Graphs for Garbage CollectionExisting IdeasNovel Technique: Dynamic Heap Pruning
5 Summary & Future Work
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 30 / 32
Page 141
Summary
The following were the main contributions of this project:
1 A liveness-driven heap abstraction for precise alias analysis.
2 A generic access graph library implemented in Java.
3 A generic inter-procedural data flow analysis framework implementedin Java.
4 A flow- and context-sensitive points-to analysis implemented in Sootthat constructs precise call graphs.
5 A technique for performing dynamic heap pruning implemented usingthe Java Debug Interface (JDI).
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 31 / 32
Page 142
Future Work
1 Implementation of an inter-procedural liveness-driven heap points-toanalysis.
2 Performance analysis of dynamic heap pruning on real benchmarks.
3 Shape analysis using accessor relationship graphs.
Rohan Padhye (IIT Bombay) Interprocedural Heap Analysis MTP 32 / 32