Control Flow Analysis Mooly Sagiv sagiv/courses/pa.html Tel Aviv University 640-6706 Sunday 18-21...

Control Flow AnalysisMooly Sagiv

http://www.math.tau.ac.il/~sagiv/courses/pa.html

Tel Aviv University

640-6706

Sunday 18-21 Scrieber 8

Monday 10-12 Schrieber 317

Textbook Chapter 3(Simplified+OO)

Goals

Understand the problem of Control Flow Analysis– in Functional Languages

– In Object Oriented Languages

– Function Pointers

Learn Constraint Based Program Analysis Technique– General

– Usage for Control Flow Analysis

– Algorithms

– Systems

Similarities between Problems &Techniques

Outline A Motivating Example (OO) The Control Flow Analysis Problem A Formal Specification Set Constraints Solving Constraints Adding Dataflow information Adding Context Information Back to the Motivating Example Conclusions

A Motivating Exampleclass Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}}class Car extends Vehicle { int passengers;

void await(v : Vehicle) { if (v.position < position) then v.move(position - v.position); else self.move(10); }}class Truck extends Vehicle {

void move(x2 : int) { if (x2 < 55) position = position + x2; }}void main { Car c; Truck t; Vehicle v1;

new c; new t; v1 := c;c.passangers := 2;c.move(60);v1.move(70);c.await(t) ;}

The Control Flow Analysis (CFA) Problem

Given a program in a functional programming language with higher order functions(functions can serve as parameters and return values)

Find out for each function invocation which functions may be applied

Obvious in C without function pointers Difficult in C++, Java and ML The Dynamic Dispatch Problem

An ML Example

let f = fn x => x 1 ;

g = fn y => y + 2 ;

h = fn z => z + 3;

in (f g) + (f h)

An ML Example

let f = fn x => /* {g, h} */ x 1 ;

g = fn y => y + 2 ;

h = fn z => z + 3;

in (f g) + (f h)

The Language FUN Notations

– e Exp // expressions (or labeled terms)

– t Term // terms (or unlabeled terms)

– f, x Var // variables

– c Const // Constants

– op Op // Binary operators

– l Lab // Labels

Abstract Syntax– e ::= tl

– t ::= c | x | fn x e // function definition | fun f x e // recursive function definition | e1 e2 // function applications | if e0 then e1 else e2 | let x = e1 in e2 | e1 op e2

A Simple Example

((fn x x1)2 (fn y y3)4)5

An Example which Loops

(let g = fun f x (f1 (fn y y2)3)4

)5

(g6 (fn z z7)8)9

)10

The 0-CFA Problem Compute for every program a pair (C, ) where:

– C is the abstract cache associating abstract values with labeled program points

is the abstract environment associating abstract values with variables

Formally– v Val = P(Term) // Abstract values Env = Var Val // Abstract environment

– C Cache - Lab Val // Abstract Cache

– For function application (t1l1 t2

l2)l

C(l1) determine the function that can be applied

These maps are finite for a given program No context is considered for parameters

Possible Solutions for ((fn x x1)2 (fn y y3)4)5

1 {fn y y3} {fn y y3}

2 {fn x x1} {fn x x1}

3 {} {}

4 {fn y y3} {fn y y3}

5 {fn y y3} {fn y y3}

x {fn y y3} {}

y {} {}

(let g = fun f x (f1 (fn y y2)3)4

)5

(g6 (fn z z7)8)9

)10

Shorthand

sf fun f x (f1 (fn y y2)3)4

idy fn y y2

idz fn z z7

C(1) = {sf} C(2) = {} C(3) = {idy}

C(4) = {} C(5) = {sf} C(6) = {sf}

C(7) = {} C(8) = {idy} C(9) = {}

C(10) = {} (x) = {idy , idy } (y) = {}

(z) = {}

Relationship to Dataflow Analysis

Expressions are side effect free– no entry/exit

A single environment Represents information at different points via

maps A single value for all occurrences of a variable Function applications act similar to assignments

– “Definition” - Function abstraction is created

– “Use” - Function is applied

A Formal Specification of 0-CFA

A Boolean function define when a solution is acceptable

(C, ) e means that (C, ) is acceptable for the expression e

Define by structural induction on e Every function is analyzed once Every acceptable solution is sound (conservative) Many acceptable solutions Generate a set of constraints Obtain the least acceptable solution by solving the

constraints

Syntax Directed 0-CFA(Simple Expressions)

[const] (C, ) cl always[var] (C, ) xl if (x) C (l)

Syntax Directed 0-CFAFunction Abstraction

[fn] (C, ) (fn x e)l if:(C, ) e

fn x e C(l) [fun] (C, ) (fun f x e)l if:

(C, ) efun x e C(l)

fun x e (f)

Syntax Directed 0-CFAFunction Application

[app] (C, ) (t1l1 t2

l2)l if:(C, ) t1

l1

(C, ) t2l2

for all fn x t0l0 C(l):

C (l2) (x) C(l0) C(l) for all fun x t0

l0 C(l): C (l2) (x) C(l0) C(l)

Syntax Directed 0-CFAOther Constructs

[if] (C, ) (if t0l0 then t1

l1 else t2l2)l if:

(C, ) t0l0

(C, ) t1l1

(C, ) t2l2

C(l1) C(l)C(l2) C(l)

[let] (C, ) (let x = t1l1 in t2

l2)l if:(C, ) t1

l1

(C, ) t2l2

C(l1) (x) C(l2) C(l)

[op] (C, ) (t1l1 op t2

l2)l if:(C, ) t1

l1

(C, ) t2l2

Possible Solutions for ((fn x x1)2 (fn y y3)4)5

1 {fn y y3} {fn y y3}

2 {fn x x1} {fn x x1}

3 {} {}

4 {fn y y3} {fn y y3}

5 {fn y y3} {fn y y3}

x {fn y y3} {}

y {} {}

Set Constraints

A set of rules of the form:– lhs rhs

– {t} rhs’ lhs rhs (conditional constraint)

– lhs, rhs, rhs’ are» terms

» C(l)(x)

The least solution (C, ) can be found iterativelly– start with empty sets

– add terms when needed

Efficient cubic graph based solution

Syntax Directed Constraint Generation (Part I)

C* cl = {}C* xl = { (x) C (l)}

C* (fn x e)l = C* e { {fn x e} C(l)}C* (fun x e)l = C* e { {fun x e} C(l)} {{fun x e} ( f)}

C* (t1l1 t2

l2)l = C* t1l1 C* t2

l2 {{t} C(l) C (l2) (x) | t=fn x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fn x t0

l0 Term* } {{t} C(l) C (l2) (x) | t=fun x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fun x t0

l0 Term* }

Syntax Directed Constraint Generation (Part II)

C* (if t0l0 then t1

l1 else t2l2)l = C* t0

l0 C* t1l1 C* t2

l2 {C(l1) C (l)} {C(l2) C (l)}

C* (let x = t1l1 in t2

l2)l = C* t1l1 C* t2

l2 {C(l1) (x)} {C(l2) C(l)}

C* (t1l1 op t2

l2)l = C* t1l1 C* t2

l2

Set Constraints for ((fn x x1)2 (fn y y3)4)5

Iterative Solution to the Set Constraints for ((fn x x1)2 (fn y y3)4)5

step Constraint 1 2 3 4 x y

Adding Data Flow Information

Dataflow values can affect control flow analysis Example

(let f = (fn x (if (x1 > 02)3 then (fn y y4)5

else (fn z 56)7

)8

)9

in ((f10 311)12 013)14)15

Adding Data Flow Information Add a finite set of “abstract” values per program

Data Update Val = P(TermData)

Env = Var Val // Abstract environment

– C Cache - Lab Val // Abstract Cache

Generate extra constraints for data Obtained a more precise solution A special of case of product domain (4.4) The combination of two analyses may be more

precise than both For some programs may even be more efficient

Adding Dataflow Information (Sign Analysis)

Sign analysis Add a finite set of “abstract” values per program

Data = {P, N, TT, FF} Update Val = P(TermData) dc is the abstract value that represents a constant c

– d3 = {p}

– d-7= {n}

– dtrue= {tt}

– dfalse= {ff}

Every operator is conservatively interpreted

Syntax Directed Constraint Generation (Part I)

C* cl = dc C (l)}C* xl = { (x) C (l)}

C* (fn x e)l = C* e { {fn x e} C(l)}C* (fun x e)l = C* e { {fun x e} C(l)} {{fun x e} ( f)}

C* (t1l1 t2

l2)l = C* t1l1 C* t2

l2 {{t} C(l) C (l2) (x) | t=fn x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fn x t0

l0 Term* } {{t} C(l) C (l2) (x) | t=fun x t0

l0 Term* } {{t} C(l) C (l0) C (l) | t=fun x t0

l0 Term* }

Syntax Directed Constraint Generation (Part II)

C* (if t0l0 then t1

l1 else t2l2)l = C* t0

l0 C* t1l1 C* t2

l2 {dt C (l0) C(l1) C (l)} {df C (l0) C(l2) C (l)}

C* (let x = t1l1 in t2

l2)l = C* t1l1 C* t2

l2 {C(l1) (x)} {C(l2) C(l)}

C* (t1l1 op t2

l2)l = C* t1l1 C* t2

l2 {C(l1) op C(l2) C(l)}

Adding Context Information The analysis does not distinguish between different

occurrences of a variable(Monovariant analysis)

Example(let f = (fn x x1) 2

in ((f3 f4)5 (fn y y6) 7)8)9

Source to source can help (but may lead to code explosion)

Example rewrittenlet f1 = fn x1 x1 in let f2 = fn x2 x2

in (f1 f2) (fn y y)

Simplified K-CFA

Records the last k dynamic calls (for some fixed k)

Similar to the call string approach Remember the context in which expression is

evaluated Val is now P(Term)Contexts

Env = Var Contexts Val

– C Cache - LabContexts Val

1-CFA (let f = (fn x x1) 2 in ((f3 f4)5 (fn y y6) 7)8)9

Contexts– [] - The empty context

– [5] The application at label 5

– [8] The application at label 8

Polyvariant Control FlowC(1, [5]) = (x, 5)= C(2, []) = C(3, []) = (f, []) = ({(fn x x1)}, [] )C(1, [8]) = (x, 8)= C(7, []) = C(8, []) = C(9, []) = ({(fn y y6)}, [] )

The Motivating Exampleclass Vehicle Object { int position = 10; void move(x1 : int) { position = position + x1 ;}}class Car extends Vehicle { int passengers;

void await(v : Vehicle) { if (v.position < position) then v.move(position - v.position); else self.move(10); }}class Truck extends Vehicle {

void move(x2 : int) { if (x2 < 55) position = position + x2; }}void main { Car c; Truck t; Vehicle v1;

new c; new t; v1 := c;c.passangers := 2;c.move(60);v1.move(70);c.await(t) ;}

Missing Material Efficient Cubic Solution to Set Constraints

www.cs.berkeley.edu/Research/Aiken/bane.html Experimental results for OO

www.cs.washington.edu/research/projects/cecil Operational Semantics for FUN (3.2.1) Defining acceptability without structural induction

– More precise treatment of termination (3.2.2)

– Needs Co-Induction (greatest fixed point)

Using general lattices as Dataflow values instead of powersets (3.5.2)

Lower-bounds– Decidability of JOP– Polynomiality

Conclusions

Set constraints are quite useful– A Uniform syntax

– Can even deal with pointers

But semantic foundation is still based on abstract interpretation

Techniques used in functional and imperative (OO) programming are similar

Control and data flow analysis are related