Pointer and Shape Analysis Seminarhttp://www.cs.tau.ac.il/~msagiv/courses/shape.html

Mooly Sagiv

Schriber 317

msagiv@post

Office Hours Thursday 15-16

General Information

• Prerequisites– Compilers | Program Analysis– Select 3 topics by Sunday– Participate in 9 seminar talks – Present a paper

Outline

1. Schedule

2. Point-to analysis

Tentative Schedule7/2 Shachar Itzhaky Practical virtual method call resolution for

Java

14/2 Roy Ganor Effective Static Race Detection for Java

17/2

13-15

Hongseok Yang Scalable Shape Analysis

28/2 Roza Pogalnikova Context-Sensitive Points-to Analysis: Is It Worth It?

3/3 Ory Samorodnitzky The undecidability of aliasing

14/3 Alex Shapiro Error detection using client driven poniter analysis

21/3 Roman Simkin Free-Me: A Static Analysis for Automatic Individual Object Reclamation

28/3 Uri Inon

Points-To Analysis

• Determine if a variable points to a variable at some (all) execution paths

[1] p = &a;

[2] q = &b;

[3] if (getc())

[4] q = &c

[5] p a

q c

q b

Iterative Program Analysis

• Start by optimistically assuming that nothing is wrong– No points-to set

• At every iteration apply the abstract meaning of programming language statements and add more points-to pairs

• Stop when no changes occur

Iterative Points-to Analysist= &a

y= &b

z= &c

p= &y p= &z

ta

ta, yb

ta, yb, z c, py

ta, yb, z c

ta, yb, z c, pz

ta, yb, z c, py, pz

ta, yb, z c ta, yb, z c*p= t

Iterative Points-to Analysist= &a

y= &b

z= &c

p= &y p= &z

ta

ta, yb

ta, yb, z c, py ta, yb, z c, pz

ta, yb, z c, py, pz

*p= tta, yb, z c, py, pz

ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za

Iterative Points-to Analysist= &a

y= &b

z= &c

p= &y p= &z

ta

ta, yb

ta, yb, z c, py, pz

*p= tta, yb, z c, py, pz

ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za

ta, yb, z c, py, ya, za ta, yb, z c, pz, ya, za

Iterative Points-to Analysist= &a

y= &b

z= &c

p= &y p= &z

ta

ta, yb

*p= tta, yb, z c, py, pz, ya, za

ta, yb, z c, py, pz, ya, za ta, yb, z c, py, pz, ya, za

ta, yb, z c, py, ya, za ta, yb, z c, pz, ya, za

ta, yb, z c, py, pz, ya, za

A Simple Programming Language

• Arbitrary (uninterpreted) control flow statement

• Atomic statements– x = y– x = &y– x = *y– *x = y

Abstract Semantics

•For every atomic statement S

S #: P(Var* Var*) P(Var* Var*)

x := &y # (pt) = pt – {(x, *)} {(x, y)}

x := y #(pt) = pt – {(x, *)} {(x, z)| (y, z) pt}

x := *y # (pt) = pt – {(x, *)} {(x, z)| (y, w), (w, z) pt}

*x := y #(pt) = pt {(w, t)| (x, w), (y, t) pt}

t= &a

y= &b

z= &c

p= &y p= &z

*p= t

1

2

3

4

5 6

7

pt[1]={}

1 pt[2]={(t, a)}

2 pt[3]={(t, a), (y, b)}

3 pt[4]={(t, a), (y, b), (z, c){

4 pt[5]= {(t, a), (y, b), (z, c)}

pt[6]= {(t, a), (y, b), (z, c)}

5 pt[7]= {(t, a), (y, b), (z, c), (p, y){

6 pt[7]= {(t, a), (y, b), (z, c), (p, y), (p, z)}

7 pt[4]= {(t, a), (y, b), (z, c), (p, y), (p, z)}

4 pt[5]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)}

pt[6]= {(t, a), (y, b), (z, c), (p, y), (p, z), (y, a), (z, a)}

5

6

Supporting Memory Allocation• Uniform treatment of the memory allocated at an

allocation statement• For every atomic statement S

S #: P(Var* Var*) P(Var* Var*) x := &y # (pt) = pt – {(x, *)} {(x, y)} x := y # (pt) = pt – {(x, *)} {(x, z)| (y, z) pt} x := *y # (pt) = pt – {(x, *)} {(x, z)| (y, w), (w, z) pt} *x := y #(pt) = pt {(w, t)| (x, w), (y, t) pt} l: x := malloc() #(pt) = pt – {(x, *)} {(x, l)}

Summary Flow-Sensitive Solution

• Limited destructive updates– Can be improved with must information

• O(N * Var2) space

Context-Sensitivity

• How to handle procedures

• Separate points-to sets for every call

• A uniform set for all calls

Context Sensitivity Example

x = &t1;

a = &t2;

foo(x, a);

z = &t3;

b = &t4;

foo(z, b);

void foo(source, target) {

*source = target;

}

Flow-Insensitive Analysis

• Ignore control flow statements

• Arbitrary statement order

• Only accumulate Points-to

• Usually represented as a directed graph

• O(n2) space

Flow Insensitive Solution

t= &a

y= &b

z= &c

p= &y p= &z

*p= t

Set Constraints

• A set of rules of the form:– lhs rhs– t rhs’ lhs rhs (conditional constraint)

• lhs, rhs, rhs’ are variables over sets of terms• t is a term

• The least solution can be found iteratively– start with empty sets– add terms when needed

• Cubic graph based solution

t := &a; {a} pt[t]

y := &b; {b} pt[y]

z := &c; {c} pt[z]

if (nondet()) p:= &y; {y} pt[p]

else p:= &z; {z} pt[p]

*p := t; a pt[p] pt[t] pt[a]

b pt[p] pt[t] pt[b]c pt[p] pt[t] pt[c]

y pt[p] pt[t] pt[y]

z pt[p] pt[t] pt[z]

t pt[p] pt[t] pt[t] p pt[p] pt[t] pt[p]

t y z

a b c

p

Unification Based Solution Steengard 1996

• Treat assignments as equalities

• Employ union-find algorithm

• Almost linear time complexity

Conclusions

• Points-to analysis is a simple pointer analysis problem

• Effective solutions (8MLoc)

• But rather imprecise

• Set constraints are useful beyond pointer analysis– Class level analysis