Control-Flow Analysis

Similar documents
Class notes Program Analysis course given by Prof. Mooly Sagiv Computer Science Department, Tel Aviv University second lecture 8/3/2007

Testing LTL Formula Translation into Büchi Automata

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

Chapter 7: Functional Programming Languages

Address Taken FIAlias, which is equivalent to Steensgaard. CS553 Lecture Alias Analysis II 2

Andrew Pitts chapter for D. Sangorgi and J. Rutten (eds), Advanced Topics in Bisimulation and Coinduction, Cambridge Tracts in Theoretical Computer

Write Barrier Removal by Static Analysis

Instruction Set Architecture (ISA)

Software Analysis (POPA Sec , 2.5.4, 2.5.6)

Simulation-Based Security with Inexhaustible Interactive Turing Machines

2) Write in detail the issues in the design of code generator.

Symbol Tables. Introduction

Static Taint-Analysis on Binary Executables

5.1 Bipartite Matching

Lecture 11: Tail Recursion; Continuations

Reducing Clocks in Timed Automata while Preserving Bisimulation

Lecture 19: Introduction to NP-Completeness Steven Skiena. Department of Computer Science State University of New York Stony Brook, NY

Software Model Checking. Equivalence Hierarchy

Rigorous Software Development CSCI-GA

Reading 13 : Finite State Automata and Regular Expressions

CS510 Software Engineering

Cartesian Products and Relations

Efficiency of algorithms. Algorithms. Efficiency of algorithms. Binary search and linear search. Best, worst and average case.

Lecture Notes on Static Analysis

An Open Framework for Reverse Engineering Graph Data Visualization. Alexandru C. Telea Eindhoven University of Technology The Netherlands.

Obfuscation: know your enemy

COMP 356 Programming Language Structures Notes for Chapter 10 of Concepts of Programming Languages Implementing Subprograms.

Introduction to Logic in Computer Science: Autumn 2006

Welcome to... Problem Analysis and Complexity Theory , 3 VU

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

Using Datalog for Fast and Easy Program Analysis

µz An Efficient Engine for Fixed points with Constraints

Algorithmic Software Verification

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22

Dedekind s forgotten axiom and why we should teach it (and why we shouldn t teach mathematical induction in our calculus classes)

Termination Checking: Comparing Structural Recursion and Sized Types by Examples

Completing Description Logic Knowledge Bases using Formal Concept Analysis

CSC 373: Algorithm Design and Analysis Lecture 16

Fall 2006 CS/ECE 333 Lab 1 Programming in SRC Assembly

Limitations of E-R Designs. Relational Normalization Theory. Redundancy and Other Problems. Redundancy. Anomalies. Example

CMPSCI611: Approximating MAX-CUT Lecture 20

Analysis of Partitioned Global Address Space Programs. Research Project

Software Testing. Jeffrey Carver University of Alabama. April 7, 2016

P NP for the Reals with various Analytic Functions

Artificial Intelligence

Disjunction of Non-Binary and Numeric Constraint Satisfaction Problems

A STUDY OF SEMANTICS, TYPES AND LANGUAGES FOR DATABASES AND OBJECT-ORIENTED PROGRAMMING ATSUSHI OHORI. Computer and Information Science

Lecture 17 : Equivalence and Order Relations DRAFT

Pushdown automata. Informatics 2A: Lecture 9. Alex Simpson. 3 October, School of Informatics University of Edinburgh als@inf.ed.ac.

Application-only Call Graph Construction

University of Ostrava. Reasoning in Description Logic with Semantic Tableau Binary Trees

6.852: Distributed Algorithms Fall, Class 2

language 1 (source) compiler language 2 (target) Figure 1: Compiling a program

each college c i C has a capacity q i - the maximum number of students it will admit

Pick Your Contexts Well: Understanding Object-Sensitivity

! " # The Logic of Descriptions. Logics for Data and Knowledge Representation. Terminology. Overview. Three Basic Features. Some History on DLs

Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Lecture 1: Course overview, circuits, and formulas

Krishna Institute of Engineering & Technology, Ghaziabad Department of Computer Application MCA-213 : DATA STRUCTURES USING C

Linear Programming. Widget Factory Example. Linear Programming: Standard Form. Widget Factory Example: Continued.

Towards practical reactive security audit using extended static checkers 1

Data Structures Fibonacci Heaps, Amortized Analysis

Overview. Essential Questions. Grade 2 Mathematics, Quarter 4, Unit 4.4 Representing and Interpreting Data Using Picture and Bar Graphs

BASIC ANALYSIS OF TCP/IP NETWORKS

Boolean Expressions, Conditions, Loops, and Enumerations. Precedence Rules (from highest to lowest priority)

Fun with Henry. Dirk Pattinson Department of Computing Imperial College London

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science

Question 2: How do you solve a linear programming problem with a graph?

Degrees of Truth: the formal logic of classical and quantum probabilities as well as fuzzy sets.

Semantic Analysis: Types and Type Checking

OPERATIONAL TYPE THEORY by Adam Petcher Prepared under the direction of Professor Aaron Stump A thesis presented to the School of Engineering of

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Dynamic programming formulation

1 The Java Virtual Machine

CSE 135: Introduction to Theory of Computation Decidability and Recognizability

Analyzing Strategic Business Rules through Simulation Modeling

Creating, Solving, and Graphing Systems of Linear Equations and Linear Inequalities

Checking Access to Protected Members in the Java Virtual Machine

Logic in general. Inference rules and theorem proving

[Refer Slide Time: 05:10]

The programming language C. sws1 1

Introduction CORBA Distributed COM. Sections 9.1 & 9.2. Corba & DCOM. John P. Daigle. Department of Computer Science Georgia State University

How to Write a Checker in 24 Hours

Compiling Object Oriented Languages. What is an Object-Oriented Programming Language? Implementation: Dynamic Binding

How To Compare A Markov Algorithm To A Turing Machine

Non-deterministic Semantics and the Undecidability of Boolean BI

Habanero Extreme Scale Software Research Project

Basic Logic Gates. Logic Gates. andgate: accepts two binary inputs x and y, emits x & y. orgate: accepts two binary inputs x and y, emits x y

Relational Databases

Midlands Graduate School in the Foundations of Computer Science

Complexity of Higher-Order Queries

Policy Analysis for Administrative Role Based Access Control without Separate Administration

The Graphical Method: An Example

Bindings, mobility of bindings, and the -quantifier

Chapter 3. Cartesian Products and Relations. 3.1 Cartesian Products

Class Overview. CSE 326: Data Structures. Goals. Goals. Data Structures. Goals. Introduction

A Survey of Static Program Analysis Techniques

A binary search tree or BST is a binary tree that is either empty or in which the data element of each node has a key, and:

Master of Sciences in Informatics Engineering Programming Paradigms 2005/2006. Final Examination. January 24 th, 2006

Transcription:

Control-Flow Analysis CS5r Spring Includes (a lot of) material from slides for Principles of Program Analysis by Nielson, Nielson, and Hankin http://www.imm.dtu.dk/~riis/ppa/ppasup4.html

Outline What s the problem? -CFA Uniform k-cfa The k-cfa paradox Stephen Chong, Harvard University

What is control-flow analysis? Data-flow analysis relied on a control-flow graph How do we construct CFG? For intra-procedural analysis, relatively straightforward Identify basic blocks, control-flow structures We will not delve into this For inter-procedural analysis If functions/procedures are not first-class, relatively simple For languages with dynamic dispatch, it s harder Dynamic dispatch: which procedure/function gets invoked depends on runtime values Functional languages, OO, imperative languages with procedures as parameters,... Stephen Chong, Harvard University 3

CFA in higher-order languages We ll mostly focus today on control-flow analysis of functional languages For each function application, which functions may be applied? E.g. let f = fn x => x ; g = fn y => y+; h = fn z => z+3 in ( f g ) + ( f h ) Stephen Chong, Harvard University 4

Syntax of language e Exp expressions (or labelled terms) t Term terms (or unlabelled expressions) f, x Var variables c Const constants op Op binary operators Lab labels e ::= t t ::= c x fn x => e fun f x => e e e if e then e else e let x = e in e e op e Stephen Chong, Harvard University 5

Examples ((fn x => x ) (fn y => y 3 ) 4 ) 5 (let f = (fn x => (x ) 3 ) 4 ; in (let g = (fn y => y 5 ) 6 ; in (let h = (fn z => z 7 ) 8 in ((f 9 g ) + (f h 3 ) 4 ) 5 ) 6 ) 7 ) 8 (let g = (fun f x => (f (fn y => y ) 3 ) 4 ) 5 in (g 6 (fn z => z 7 ) 8 ) 9 ) Stephen Chong, Harvard University 6

-CFA -CFA is an context-insensitive CFA. Result of a -CFA analysis is pair (Ĉ, ^ρ) Ĉ is an abstract cache ^ρ is an abstract environment Actually, just functions v Val = P(Term) abstract values ρ Env = Var Val abstract environments Notes: C Cache = Lab Val abstract caches Could combine these into one entity: (Var Lab) ^Val Could also require A-normal form, where all subterms are appropriately labeled by variables Stephen Chong, Harvard University 7

Example ((fn x => x ) (fn y => y 3 ) 4 ) 5 3 4 5 x y ( C e, ρ e ) ( C e, ρ e) ( C e, ρ {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } e ) {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } {fn x => x, fn y => y 3 } Stephen Chong, Harvard University Acceptable Not acceptable Acceptable but less precise 8

Abstract specification What does it mean for (Ĉ, ^ρ) to be acceptable? Define relation indicating when (Ĉ, ^ρ) is acceptable -CFA of expression e ( C, ρ) = e = :( Cache Env Exp) {true, false} Stephen Chong, Harvard University 9

Abstract specification ( C, ρ) = c always ( C, ρ) = x iff ρ(x) C() ( C, ρ) = (let x = t in t iff ( C, ρ) = t ( C, ρ) = t C( ) ρ(x) C( ) C() ) Stephen Chong, Harvard University

Abstract specification ( C, ρ) = (if t then t else t iff ( C, ρ) = t ( C, ρ) = t ( C, ρ) = t C( ) C() C( ) C() ) ( C, ρ) = (t op t iff ( C, ρ) = t ( C, ρ) = t ) Stephen Chong, Harvard University

Abstract specification ( C, ρ) = (fn x => t ) iff {fn x => t } C() ( C, ρ) = (t t ) iff ( C, ρ) = t ( C, ρ) = t ( ( fn x => t ) C( ): ( C, ρ) = t C( ) ρ(x) C( ) C()) Stephen Chong, Harvard University

Abstract specification ( C, ρ) = (fun f x => e ) iff {fun f x => e } C() ( C, ρ) = (t t ) iff ( C, ρ) = t ( C, ρ) = t ( ( fn x => t ) C( ): ( C, ρ) = t C( ) ρ(x) C( ) C()) ( ( fun f x => t ) C( ): ( C, ρ) = t C( ) ρ(x) C( ) C() {fun f x => t } ρ(f) ) Stephen Chong, Harvard University 3

What s acceptable ((fn x => x ) (fn y => y 3 ) 4 ) 5 3 4 5 x y ( C e, ρ e ) ( C e, ρ e) {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn y => y 3 } {fn x => x } {fn y => y 3 } {fn y => y 3 } ( C e, ρ e ) = ((fn x => x ) (fn y => y 3 ) 4 ) 5 ( C e, ρ e) = ((fn x => x ) (fn y => y 3 ) 4 ) 5 Stephen Chong, Harvard University 4

Abstract specification Note that we can t define by structural induction on expressions ( C, ρ) = (t t ) iff ( C, ρ) = t ( C, ρ) = t ( ( fn x => t ) C( ): ( C, ρ) = t C( ) ρ(x) C( ) C()) ( ( fun f x => t ) C( ): ( C, ρ) = t C( ) ρ(x) C( ) C() {fun f x => t } ρ(f) ) Instead, define coinductively Want the greatest fixed point that satisfies equations for Note: not an algorithm for solving, but a specification Stephen Chong, Harvard University 5

Semantic correctness Also need to show that acceptability of analysis results implies semantic correctness That is, ^C and ^p accurately describe the concrete execution. Like a type-soundness statement Stephen Chong, Harvard University 6

Syntax-directed -CFA Another formulation of -CFA that approximates the abstract specification i.e., Define s such that if (Ĉ, ^ρ) s e then (Ĉ, ^ρ) e Stephen Chong, Harvard University 7

Syntax-directed -CFA ( C, ρ) = s c always ( C, ρ) = s x iff ρ(x) C() ( C, ρ) = s (if t then t else t iff ( C, ρ) = s t ( C, ρ) = s t ( C, ρ) = s t C( ) C() C( ) C() ) ( C, ρ) = s (let x = t in t iff ( C, ρ) = s t ( C, ρ) = s t C( ) ρ(x) C( ) C() ) ( C, ρ) = s (t op t ) iff ( C, ρ) = s t ( C, ρ) = s t Stephen Chong, Harvard University 8

Syntax-directed -CFA ( C, ρ) = s (fn x => e ) iff {fn x => e } C() ( C, ρ) = s e ( C, ρ) = s (fun f x => e ) iff ( C, ρ) = s (t {fun f x => e } C() ( C, ρ) = s e {fun f x => e } ρ(f) t ) iff ( C, ρ) = s t ( C, ρ) = s t ( (fn x => t ) C( ): C( ) ρ(x) C( ) C() Note: may check some function bodies that aren t reachable, in return for enabling induction on syntax ( (fun f x => t ) C( ): C( ) ρ(x) C( ) C() ) ) Stephen Chong, Harvard University 9

Syntax-directed -CFA For any expression e, there is a least (Ĉ, ^ρ) such that (Ĉ, ^ρ) s e Can turn this syntax-directed -CFA specification into an equivalent algorithm that generates a set of constraints Least solution to set of constraints is least solution to syntax-directed -CFA Stephen Chong, Harvard University

Constraint-based -CFA C [[e ]] is a set of constraints of the form lhs rhs {t} rhs lhs rhs where rhs ::= C() r(x) lhs ::= C() r(x) {t} and all occurrences of t are of the form fn x => e or fun f x => e Stephen Chong, Harvard University

Constraint-based -CFA C [[c ]] = C [[x ]] = { r(x) C() } C [[(if t then t else t ) ]] = C [[t ]] C [[t ]] C [[t ]] { C( ) C() } { C( ) C() } C [[(let x = t in t ) ]] = C [[t ]] C [[t ]] { C( ) r(x) } { C( ) C() } C [[(t op t ) ]] = C [[t ]] C [[t ]] Stephen Chong, Harvard University

Constraint-based -CFA C [[(fn x => e ) ]] = { {fn x => e } C() } C [[e ]] C [[(fun f x => e ) ]] = { {fun f x => e } C() } C [[e ]] { {fun f x => e } r(f) } C [[(t t ) ]] = C [[t ]] C [[t ]] { {t} C( ) C( ) r(x) t =(fn x => t ) Term } { {t} C( ) C( ) C() t =(fn x => t ) Term } { {t} C( ) C( ) r(x) t =(fun f x => t ) Term } { {t} C( ) C( ) C() t =(fun f x => t ) Term } Stephen Chong, Harvard University 3

Example C [[((fn x => x ) (fn y => y 3 ) 4 ) 5 ]] = {{fn x => x } C(), r(x) C(), {fn y => y 3 } C(4), r(y) C(3), {fn x => x } C() C(4) r(x), {fn x => x } C() C() C(5), {fn y => y 3 } C() C(4) r(y), {fn y => y 3 } C() C(3) C(5) } Stephen Chong, Harvard University 4

Correctness Translating syntactic entities to sets of terms: ( C, ρ)[[c()]] = C() ( C, ρ)[[r(x)]] = ρ(x) ( C, ρ)[[{t}]] = {t} Satisfaction relation for constraints: ( C, ρ) = c (lhs rhs) ( C, ρ) = c (lhs rhs) iff ( C, ρ)[[lhs]] ( C, ρ)[[rhs]] ( C, ρ) = c ({t} rhs lhs rhs) iff ({t} ( C, ρ)[[rhs ]] ( C, ρ)[[lhs]] ( C, ρ)[[rhs]]) ({t} ( C, ρ)[[rhs ]]) Proposition: ( C, ρ) = s e if and only if ( C, ρ) = c C [[e ]]. Stephen Chong, Harvard University 5

Adding data-flow analysis Current domain equations Actually, just functions v Val = P(Term) abstract values ρ Env = Var Val abstract environments C Cache = Lab Val abstract caches Idea: extend abstract values to include other things than just functions E.g., let Data be set of abstract data values e.g., {tt, ff, -,, +} v Val d = P(Term Data) abstract values Stephen Chong, Harvard University 6

Abstract data values For each constant c, need abstract data value d c For each operator op need abstract operator op : Data Data P(Data) Data sign = {tt, ff, -,, +} d true =tt d 7 = + + is defined from d + tt ff - + tt ff - {-} {-} {-,, +} {-} {} {+} + {-,, +} {+} {+} Stephen Chong, Harvard University 7

Data-flow and control-flow spec ( C, ρ) = d c iff {d c } C() ( C, ρ) = d x iff ρ(x) C() ( C, ρ) = d (if t then t else t iff ( C, ρ) = d t Is flow sensitive: can determine whether true or false branches can be taken ) (d true C( ) ( ( C, ρ) = d t C( ) C())) (d false C( ) ( ( C, ρ) = d t C( ) C())) ( C, ρ) = d (let x = t in t iff ( C, ρ) = d t ( C, ρ) = d t C( ) ρ(x) C( ) C() ( C, ρ) = d (t op t ) ) iff ( C, ρ) = d t ( C, ρ) = d t C( ) op C( ) C() Stephen Chong, Harvard University 8

Arbitrary lattices ^Val = P(Term Data) = P(Term) P(Data) Could also use an arbitrary lattice ^Val = P(Term Data) = P(Term) L Stephen Chong, Harvard University 9

Adding contexts -CFA is a context-insensitive (or mono-variant) analysis Does not distinguish various instances of program variables and program points from each other Context-sensitive (or poly-variant) analysis does distingtuish Stephen Chong, Harvard University 3

Uniform k-cfa v Val = P(Term) abstract values ρ Env = Var Val abstract environments C Cache = Lab Val abstract caches Idea: extend ^Val to include context information Contexts δ will record last k dynamic call-sites δ = Lab k context information Definition point of free variables of terms ce CEnv = Var context environments v Val = P(Term CEnv) abstract values ρ Env = (Var ) Val abstract environments Called uniform because both environment and cache use same precision Stephen Chong, Harvard University C Cache = (Lab ) Val abstract caches 3

Acceptability relation ( C, ρ) = ce δ e ce is current context environment i.e., for free variables of e, in which context were they bound? Changes as variables are bound δ is current context Changes as functions are applied Stephen Chong, Harvard University 3

Acceptability relation ( C, ρ) = ce δ c always ( C, ρ) = ce δ x iff ρ(x, ce(x) ) C(, δ) ( C, ρ) = ce δ (if t then t else t ) iff ( C, ρ) = ce δ t ( C, ρ) = ce δ t ( C, ρ) = ce C(, δ) C(, δ) C(, δ) C(, δ) δ t ( C, ρ) = ce δ (let x = t in t ) iff ( C, ρ) = ce δ t ( C, ρ) = ce δ t C(, δ) ρ(x, δ) C(, δ) C(, δ) where ce = ce[x δ] ( C, ρ) = ce δ (t op t ) iff ( C, ρ) = ce δ t ( C, ρ) = ce δ t Stephen Chong, Harvard University 33

Acceptability relation ( C, ρ) = ce δ (fn x => e ) iff {(fn x => e, ce )} C(, δ) ( C, ρ) = ce δ (fun f x => e ) iff {(fun f x => e, ce )} C(, δ) ( C, ρ) = ce δ (t iff t ) ( C, ρ) = ce δ t ( C, ρ) = ce δ t ( (fn x => t, ce ) C(, δ) : ( C, ρ) = ce δ t C(, δ) ρ(x, δ ) C(, δ ) C(, δ) where δ = δ, k and ce = ce [x δ ]) ( (fun f x => t, ce ) C(, δ) : ( C, ρ) = ce δ t C(, δ) ρ(x, δ ) C(, δ ) C(, δ) {(fun f x => t, ce )} ρ(f,δ ) where δ = δ, k and ce = ce [f δ,x δ ]) Stephen Chong, Harvard University 34

Example (let f = (fn x => x ) in ((f 3 f 4 ) 5 (fn y => y 6 ) 7 ) 8 ) 9 Contexts of interest for uniform -CFA Λ: the initial context 5: the context when the application point labelled 5 has been passed 8: the context when the application point labelled 8 has been passed Context environments of interest for uniform -CFA ce = [ ] ce = ce [f Λ] ce = ce [x 5] ce 3 = ce [x 8] the initial (empty) context environment the context environment for the analysis of the body of the let-construct the context environment used for the analysis of the body of f initiated at the application point 5 the context environment used for the analysis of the body of f initiated at the application point 8. Stephen Chong, Harvard University 35

Example C id (, 5) = {(fn x => x,ce )} C id (, 8) = {(fn y => y 6,ce )} C id (, Λ) ={(fn x => x,ce )} C id (3, Λ) ={(fn x => x,ce )} C id (4, Λ) ={(fn x => x,ce )} C id (5, Λ) ={(fn x => x,ce )} C id (7, Λ) ={(fn y => y 6,ce )} C id (8, Λ) ={(fn y => y 6,ce )} C id (9, Λ) ={(fn y => y 6,ce )} ρ id (f, Λ) ={(fn x => x,ce )} ρ id (x, 5) = {(fn x => x,ce )} ρ id (x, 8) = {(fn y => y 6,ce )} This is an acceptable analysis result: ( C id, ρ id ) = ce Λ (let f = (fn x => x ) in ((f 3 f 4 ) 5 (fn y => y 6 ) 7 ) 8 ) 9 Stephen Chong, Harvard University 36

Complexity δ = Lab k context information ce CEnv = Var context environments v Val = P(Term CEnv) abstract values ρ Env = (Var ) Val abstract environments C Cache = (Lab ) Val abstract caches k-cfa has worst-case exponential complexity in size of program Size n program, p variables Δ has O(n) elements Size of CEnv is O(n p ) ^Val is powerset of pairs (t, ce), and there are O(n n p ) pairs, so Val has height O(n n p ) p = O(n) -CFA has worst-case polynomial complexity Stephen Chong, Harvard University 37

Variations on k-cfa Uniform k-cfa ce CEnv = Var context environments v Val = P(Term CEnv) abstract values ρ Env = (Var ) Val abstract environments C Cache = (Lab ) Val abstract caches k-cfa C Cache = (Lab CEnv) Val abstract caches Polynomial k-cfa v Val = P(Term ) abstract values Stephen Chong, Harvard University 38

k-cfa Paradox [Might, Smaragdakis, van Horn, PLDI ] k-cfa is exponential for k But k-cfa is like using context of k most recent call-sites Polynomial for OO languages Doop implemented in Datalog, which only allows polynomial time alogrithms OO has dynamic dispatch What gives? Stephen Chong, Harvard University 39

Wait, which k-cfa? In OO world, translate k-cfa to k-call-site sensitive interprocedural pointer analysis with a k-context-sensitive heap and onthe-fly call-graph construction i.e., data flow (points-to relation) and call-graph dependent on each other Is it the same analysis? Yes. And paradox still holds. Stephen Chong, Harvard University 4

Paradox resolved In functional languages, closures are created incrementally Each variable in a closure could be bound in a different context Source of exponentiallity In OO languages, closures created explicitly by invoking constructor Variables are copied, and so effectively all variables bound in same context CEnv = Δ instead of Var Δ δ = Lab k context information ce CEnv = Var context environments v Val = P(Term CEnv) abstract values ρ Env = (Var ) Val abstract environments C Cache = (Lab ) Val abstract caches Stephen Chong, Harvard University 4

Example OO program caller() { foo(ox);... foo(oxn); } + foo(object x) { ClosureX cx = new ClosureX(x); cx.bar(oy);... cx.bar(oym); } + class ClosureX { Object x; ClosureX(Object x) { class ClosureXY { x = x; } // constructor } bar(object y) { ClosureXY cxy = new ClosureXY(x,y); cxy.baz( );... } } Object x,y; ClosureXY(Object x, Object y) { x = x; y = y; } // constructor baz( ) {... x... y... } Equivalent functional program caller() { foo(ox);! foo(object x) {... Closure cx = foo(oxn); } cx(oy);... cx(oym); }! lambda(object y) { Closure cxy = } cxy( );... lambda( ) {... x... y... } Stephen Chong, Harvard University 4

m-cfa From this insight, Might, Smaragdakis and Van Horn develop m-cfa Contexts are the top m stack frames (Different from last k call sites when in continuationpassing style) Essentially CEnv = Δ instead of Var Δ Polynomial-time analysis, seems as precise a k- CFA for significantly less time Stephen Chong, Harvard University 43

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information