Address Taken FIAlias, which is equivalent to Steensgaard. CS553 Lecture Alias Analysis II 2



Similar documents
Write Barrier Removal by Static Analysis

General Flow-Sensitive Pointer Analysis and Call Graph Construction

Review; questions Discussion of Semester Project Arbitrary interprocedural control flow Assign (see Schedule for links)

Introduction to Data-flow analysis

Static Taint-Analysis on Binary Executables

How to Write a Checker in 24 Hours

A Scalable Technique for Characterizing the Usage of Temporaries in Framework-intensive Java Applications

The Union-Find Problem Kruskal s algorithm for finding an MST presented us with a problem in data-structure design. As we looked at each edge,

Lecture Notes on Static Analysis

Lecture 2 Introduction to Data Flow Analysis

Binary Heap Algorithms

Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Technical Report)

CSE 326, Data Structures. Sample Final Exam. Problem Max Points Score 1 14 (2x7) 2 18 (3x6) Total 92.

Securing software by enforcing data-flow integrity

Using inter-procedural side-effect information in JIT optimizations

Static analysis for detecting taint-style vulnerabilities in web applications

Programming Language Features (cont.) CMSC 330: Organization of Programming Languages. Parameter Passing in OCaml. Call-by-Value

Practical Memory Leak Detection using Guarded Value-Flow Analysis

Efficiency of algorithms. Algorithms. Efficiency of algorithms. Binary search and linear search. Best, worst and average case.

C++FA 5.1 PRACTICE MID-TERM EXAM

A staged static program analysis to improve the performance of runtime monitoring

Roots of Polynomials

µz An Efficient Engine for Fixed points with Constraints

Parameter Passing. Parameter Passing. Parameter Passing Modes in Fortran. Parameter Passing Modes in C

90% Perspiration: Engineering Static Analysis Techniques for Industrial Applications

Questions 1 through 25 are worth 2 points each. Choose one best answer for each.

5. A full binary tree with n leaves contains [A] n nodes. [B] log n 2 nodes. [C] 2n 1 nodes. [D] n 2 nodes.

5.1 Bipartite Matching

Union-Find Algorithms. network connectivity quick find quick union improvements applications

Integrated System Modeling for Handling Big Data in Electric Utility Systems

A Practical Blended Analysis for Dynamic Features in JavaScript

Computer Graphics. Geometric Modeling. Page 1. Copyright Gotsman, Elber, Barequet, Karni, Sheffer Computer Science - Technion. An Example.

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Analysis report examination with CUBE

CS104: Data Structures and Object-Oriented Design (Fall 2013) October 24, 2013: Priority Queues Scribes: CS 104 Teaching Team

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

Probabilità e Nondeterminismo nella teoria dei domini

Optimizations. Optimization Safety. Optimization Safety. Control Flow Graphs. Code transformations to improve program

Linear Programming. Widget Factory Example. Linear Programming: Standard Form. Widget Factory Example: Continued.

3. Interpolation. Closing the Gaps of Discretization... Beyond Polynomials

A Practical Blended Analysis for Dynamic Features in JavaScript

Finding Application Errors and Security Flaws Using PQL: a Program Query Language

Which Pointer Analysis Should I Use?

Data Structures and Algorithms Written Examination

Lecture 2 CS An example of a middleware service: DNS Domain Name System

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

Sample Questions Csci 1112 A. Bellaachia

1. Relational database accesses data in a sequential form. (Figures 7.1, 7.2)

Recursive Algorithms. Recursion. Motivating Example Factorial Recall the factorial function. { 1 if n = 1 n! = n (n 1)! if n > 1

Krishna Institute of Engineering & Technology, Ghaziabad Department of Computer Application MCA-213 : DATA STRUCTURES USING C

Software Tamper Resistance: Obstructing Static Analysis of Programs

Astrée: Building a Static Analyzer for Real-Life Programs

Contents. System Development Models and Methods. Design Abstraction and Views. Synthesis. Control/Data-Flow Models. System Synthesis Models

Data Structure with C

PES Institute of Technology-BSC QUESTION BANK

CS 575 Parallel Processing

CSE373: Data Structures and Algorithms Lecture 3: Math Review; Algorithm Analysis. Linda Shapiro Winter 2015

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

CIS570 Modern Programming Language Implementation. Office hours: TDB 605 Levine

Adaptive Context-sensitive Analysis for JavaScript

Finding Frequent Patterns Based On Quantitative Binary Attributes Using FP-Growth Algorithm

QUADRATIC, EXPONENTIAL AND LOGARITHMIC FUNCTIONS

Application-only Call Graph Construction

Why have SSA? Birth Points (cont) Birth Points (a notion due to Tarjan)

Algorithms Chapter 12 Binary Search Trees

Correlation Tracking for Points-To Analysis of JavaScript

Static Analysis for Dynamic Coupling Measures

Transcription:

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553 Lecture Alias Analysis II 2 Properties of Alias Analysis Scope: Intraprocedural (per procedure) or Interprocedural (whole program) Representation Alias pairs - pairs of memory references that may access the same location Points-to sets - relations of the form (a->b) such that location a contains the address of location b Equivalence sets - all memory references in the same set may alias Flow sensitivity: Sensitive versus insensitive Context sensitivity: Sensitive versus insensitive Definiteness: May versus must as well Heap Modeling - How are dynamically allocated locations modeled? Aggregate Modeling - are fields in structs or records modeled separately? CS553 Lecture Alias Analysis II 6 1

Address Taken Algorithm overview Assume that nothing must alias Assume that all pointer dereferences may alias each other Assume that variables whose addresses are taken (and globals) may alias all pointer dereferences Characterization of Address Taken Per procedure Flow-insensitive Context-insensitive May analysis Alias representation: equivalence sets Heap modeling: none Aggregate modeling: none int **a, *b, c, *d, e; 1: a = &b; 2: b = &c; 3: d = &e; 4: a = &d; two equivalence sets a **a, *a, *b, *d, b, c, e, d CS553 Lecture Alias Analysis II 7 Steensgaard 96 equivalent to FIAlias [Ryder et. al. 2001] Overview Uses unification constraints, for pointer assignments, p = q, Pts-to(p) = Pts-to(q). The union is done recursively for multiple-level pointers Almost linear in terms of program size, O(n) Uses fast union-find algorithm Imprecision stems from merging points-to sets Characterization of Steensgaard Whole program Flow-insensitive Context-insensitive May analysis Alias representation: points-to Heap modeling: none Aggregate modeling: possibly int **a, *b, c, *d, e; 1: a = &b; 2: b = &c; 3: d = &e; 4: a = &d; source: Barbara Ryder s Reference Analysis slides CS553 Lecture Alias Analysis II 8 2

Unification Constraints Conceptual Outline Add a constraint for each statement Solve the set of constraints Steensgaard Constraints for C s: p = &x; x Pts-to(p) s: p = q; Pts-to(p) = Pts-to(q) s: p = *q; a Pts-to(q), Pts-to(p) = Pts-to(a) s: *p = q; b Pts-to(p), Pts-to(b) = Pts-to(q) CS553 Lecture Alias Analysis II 9 Andersen 94 Overview Uses inclusion constraints, for pointer assignments, p = q, Pts-to(q) Pts-to(p) Cubic complexity in program size, O(n 3 ) Characterization of Andersen Whole program Flow-insensitive Context-insensitive May analysis Alias representation: points-to Heap modeling? Aggregate modeling: fields int **a, *b, c, *d, e; 1: a = &b; 2: b = &c; 3: d = &e; 4: a = &d; source: Barbara Ryder s Reference Analysis slides CS553 Lecture Alias Analysis II 10 3

Outline of Andersen s Algorithm Find all pointer assignments in the program For each pointer assignment For p = q, all outgoing points-to edges from q are copied to be outgoing from p If new outgoing edges are added to q during the algorithm they must also be copied to p Using flow-insensitive, points-to s: p = &x; x Pts-to(p) s: p = q; Pts-to(q) Pts-to(p) s: p = *q; a Pts-to(q), Pts-to(a) Pts-to(p) s: *p = q; b Pts-to(p), Pts-to(q) Pts-to(b) source: Barbara Ryder slides and Maks Orlovich Slides CS553 Lecture Alias Analysis II 11 Flow-sensitive May Points-To Analysis Analogous flow functions is s: p = &x; out[s] = {(p x)} (in[s] {(p y) y}) s: p = q; out[s] = {(p t) (q t) in[s]} (in[s] {(p y) y)}) s: p = *q; out[s] = {(p t) (q r) in[s] & (r t) in[s]} (in[s] {(p x) x}) s: *p = q; out[s] = {(r t) (p r) in[s] & (q t) in[s]} (in[s] {(r x) x (p r) in must [s]}) CS553 Lecture Alias Analysis II 12 4

Flow-sensitive May Alias-Pairs Analysis In the below data-flow equations, M and N represent any memory reference expression and + represents a specific number of dereferences. Meet function is s: p = &x; out[s] = {(*p,x)} (in[s] {(*p y) y}) {(*M,x) (M,p) in[s]} {(**+M,N) (M,p) in[s] & (+x,n) in[s]} s: p = q; out[s] = {(*p,t) (*q,t) in[s]} (in[s] {(*p,y) y)}) {(*M,t) (M,p) in[s] & (*q,t) in[s] } {(**+M,N) (M,p) in[s] & (*q,t) in[s] & (+t,n) in[s]} s: p = *q; out[s] = {(*p,t) (*q,r) in[s] & (*r,t) in[s]} (in[s] {(*p,x) x}) {(*M,t) (M,p) in[s] & (*q,r) in[s] & (*r,t) in[s] } {(**+M,N) (M,p) in[s] & (*q,r) in[s] & (*r,t) in[s]} & (+t,n) in[s]} s: *p = q; out[s] = {(*r,t) (*p,r) in[s] & (*q,t) in[s]} (in[s] {(*r,x) x (*p,r) in must [s]}) {(*M,t) (M,r) in[s] & (*p,r) in[s] & (*q,t) in[s]} {(**+M,N) (M,r) in[s] & (*p,r) in[s] & (*q,t) in[s]&(+t,n) in[s]} CS553 Lecture Alias Analysis II 13 Other Issues (Modeling the Heap) Issue Each allocation creates a new piece of storage e.g., p = new T Proposal? Generate (at compile-time) a new variable to stand for new storage newvar: Creates a new variable Flow function s: p = new T; out[s] = {(p newvar)} (in[s] {(p x) x}) Problem Domain is unbounded! Iterative data-flow analysis may not converge CS553 Lecture Alias Analysis II 14 5

Modeling the Heap (cont) Simple solution Create a summary variable (node) for each allocation statement Domain: 2 (Var Stmt) (Var Stmt) rather than 2Var Var Monotonic flow function s: p = new T; out[s] = {(p stmt s )} (in[s] {(p x) x}) Less precise (but finite) Alternatives Summary node for entire heap Summary node for each type K-limited summary Maintain distinct nodes up to k links removed from root variables CS553 Lecture Alias Analysis II 15 Other issues: Function Calls Question How do function calls affect our points-to sets? e.g., p1 = &x; p2 = &p1;... {(p1 x), (p2 p1)} foo();??? Be conservative Assume that any reachable pointer may be changed Pointers can be reached via globals and parameters May pass through objects in the heap Can be changed to anything reachable or something else Can we prune aliases using types? Problem Lose a lot of information CS553 Lecture Alias Analysis II 16 6

Emami 1994 Overview Compute L and R locations to implement flow-sensitive data-flow analysis Uses invocation graph for context-sensitivity Can be exponential in program size Handles function pointers Characterization of Steensgaard Whole program Flow-sensitive Context-sensitive May and must analysis Alias representation: points-to Heap modeling: one heap variable Aggregate modeling: fields and first array element int **a, *b, c, *d, e; 1: a = &b; 2: b = &c; 3: d = &e; 4: a = &d; CS553 Lecture Alias Analysis II 17 Using Alias Information Example: reaching definitions Compute at each point in the program a set of (s,v) pairs, indicating that statement s may define variable v Flow functions s: *p = x; out reach [s] = {(s,z) (p z) in may-pt [s]} (in reach [s] {(t,y) t (p y) in must-pt [s]} s: x = *p; out reach [s] = {(s,x)} (in reach [s] {(t,x) t}... CS553 Lecture Alias Analysis II 18 7

Concepts Properties of alias analyses Alias/Pointer Analysis algorithms Address Taken Steensgaard or FIAlias Andersen Emami Flow-insensitive alias algorithms can be specified with constraint equations Flow-sensitive alias algorithms can be specified with data-flow equations Function calls degrade alias information Context-sensitive interprocedural analysis CS553 Lecture Alias Analysis II 19 Next Time Assignments HW2 due Lecture Midterm review CS553 Lecture Alias Analysis II 20 8