CO444H. Ben Livshits. Datalog Pointer analysis

Transcription

1 CO444H Ben Livshits Datalog Pointer analysis 1

2 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual calls: x.m() Compilers: can we devirtualize a virtual call x.m()? Software engineering: Construct the call graph of the program Why is that important in everyday development?

3 Features of RTA RTA may evaluate a method several times If new callers are discovered the method has to be re-evaluated RTA runs until the worklist is empty, at which point it has reached a fixed point and cannot resolve any new call edges to add to the call graph 3

4 RTA Revisited RAPID TYPE ANALYSIS RTA = call graph of only methods (no edges) CHA = class hierarchy analysis call graph W = worklist containing the main method while W is not empty M = next method in W T = set of allocated types in M T = T U {allocated types in RTA callers of M} for each callsite (C) in M if C is a static dispatch or constructor: add an edge to statically resolved method otherwise: M' = methods called from M in CHA M' = M' intersection {methods declared in T or supertypes of T} add an edge from the method M to each method in M' add each method in M' to worklist W 4

5 Using RTA in Eclipse 5

6 RTA May Be Unsound public static void main(string[] args){ Object o = foo(); bar(o); } public static Object foo(){ return new A(); } public static void bar(object o){ o.tostring() } main calls foo, which returns an allocation of type A that is then passed as a parameter in the call to bar The call edge to A. tostring would be missing because neither bar or its parents (main) allocated a type of A 6

7 Call Graph Construction: Reachability Computation Queue worklist CallGraph graph; worklist.addattail(main()) Graph.addNode(main()) while (worklist.notempty()) { m = worklist.getfromhead(); process_method_body(m); }

8 Next Steps Ingredients Adding pointers Adding call graphs Combining those two How to we mix the ingredients? Can first build a call graph; then add pointers Can do it all at once: we can use Datalog to represent everything, with some Datalog relations encoding intraprocedural aspects and some interprocedural 8

9 9 Pointer Analysis: Basics and Algorithms

10 Variants of Pointer Analysis For C: Andersen analysis Steensgard analysis Pointer analysis for Java How to encode these in Datalog Other variants 10

11 What is the Goal of Pointer Analysis? What memory locations can a pointer expression refer to? Alias analysis: When do two pointer expressions refer to the same storage location? int x; p = &x; q = p; *p and *q alias as do x and *p and x and *q 11

12 Sources of Aliasing Aliasing can arise due to several reasons, depending on the language Pointers e.g., int *p, i; p = &i; Call-by-reference void m(object a, Object b) { } m(x,x); // a and b alias in m Array indexing int i, j, a[100]; i = j; // a[i] and a[j] alias 12

13 Why do we Want to Know? Pointer analysis tells us what memory locations code uses or modifies Useful in many analyses E.g., available expressions *p = a + b; y = a + b; If *p aliases a or b, then second computation of a+b is not redundant E.g., consider constant propagation x = 3; *p = 4; y = x; Is y constant? If *p and x do not alias each other, then yes. If *p and x always alias each other, then yes. If *p and x sometimes alias each 13

14 Pointer Analysis Dimensions Intraprocedural / interprocedural Flow-sensitive / flow-insensitive Context-sensitive / context-insensitive Definiteness: May versus must Heap modelling Data representation 14

15 Flow-sensitive vs. Flowinsensitive Points-To Flow-sensitive pointer analysis computes for each program point what memory locations pointer expressions may refer to Flow-insensitive pointer analysis computes what memory locations pointer expressions may refer to, at any time in program execution Flow-sensitive pointer analysis is (traditionally) too expensive to perform for whole program Flow-insensitive pointer analyses typically used for whole program analyses 15

16 Context Sensitivity Also difficult, but success in scaling up to hundreds of thousands LOC BDDs see Whaley and Lam PLDI 2004 Doop, Bravenboer and Smaragdakis OOPSLA

17 May vs. Must May analysis: aliasing that may occur during execution (cf. must-not alias, although often has different representation) Must analysis: aliasing that must occur during execution Sometimes both are useful E.g., consider liveness analysis for *p = *q + 4; If *p must alias x, then x in kill set for statement If *q may alias y, then y in gen set for statement 17

18 Representation Options Points-to pairs: first element points to the second e.g., (p b), (q b) p and b alias, as do *q and b, as do *p and *q Pairs that refer to the same memory e.g., (*p,b), (*q,b), (*p,*q), (**r, b) General, may be less concise than points-to pairs Equivalence sets: sets that are aliases e.g., {*p,*q,b} 18

19 Modeling Memory Locations We want to describe what memory locations a pointer expression may refer to How do we model memory locations? For global variables, no trouble, use a single node For local variables, use a single node per context i.e., just one node if context insensitive For dynamically allocated memory Problem: Potentially unbounded locations created at runtime Need to model locations with some finite abstraction 19

20 Modeling Dynamic Memory Locations For each allocation statement, use one node per context Note: could choose context-sensitivity for modelling heap locations to be less precise than contextsensitivity for modelling procedure invocation Other solutions: One node for entire heap One node for each type Nodes based on analysis of shape of heap 20

21 Problem Statement Let s consider flowinsensitive may pointer analysis Assume program consists of statements of form p = &a (address of, includes allocation statements) p = q *p = q p = *q Assume pointers p,q P and address-taken variables a,b A are disjoint Can transform program to make this true For any variable v for which this isn t true, add statement pv = &av, and replace v with *pv Want to compute relation pts : P A 2 A Essentially points to pairs 21

22 Andersen-style Pointer Analysis View pointer assignments as subset constraints Use constraints to propagate points-to information Called inclusion-based pointer analysis 22

23 Andersen-style Pointer Analysis Can solve these constraints directly on sets pts(p) p = &a; p {a} q = p; q p p = &b; p {b} r = p; r p 23

24 Example of Subset Constraints 24

25 How Precise Is This Analysis? 25

26 Andersen-style as Graph Closure Can be cast as a graph closure problem One node for each pts(p), pts(a) Each node has an associated points-to set Compute transitive closure of graph, and add edges according to complex constraints 26

27 Work List Algorithm Initialize graph and points to sets using base and simple constraints Let W = { v pts(v) } (all nodes with non-empty points to sets) While W not empty v select from W for each a pts(v) do add edge a p, and add a to W if edge is new for each constraint *v q add edge q a, and add q to W if edge is new for each edge v q do pts(q) = pts(q) pts(v), and add q to W if pts(q) changed 27

28 Same Example, as A Graph (Initial) W: p q r s a 28

29 Same Example, as A Graph (Final) W: {} 29

30 Cycle Elimination Andersen-style pointer analysis is O(n 3 ), for number of nodes in graph Actually, quadratic in practice [Sridharan and Fink, SAS 09]; Improve scalability by reducing the value of n Cycle elimination: important optimization for Andersenstyle analysis Detect strongly connected components in points-to graph, collapse to single node Why? All nodes in an SCC will have same points-to relation at end of analysis 30

31 Steensgaard-style Analysis Also a constraint-based analysis Uses equality constraints instead of subset constraints Originally phrased as a type-inference problem Less precise than Andersen-style, thus more scalable 31

32 Steensgaard-style Example p q a b c p,q a,b p,q a,b p,q,s,t a,b p,q,s,t,r a,b,c c r c r c All pointers end up in the same equivalence class pointing to all the locations 32

33 Implementing Steensgaard Can be efficiently implemented using UnionFind algorithm Nearly linear time: O(nα(n)) Each statement needs to be processed just once Unlike Andersen s, which is a lot more difficult to scale 33

34 34 Datalog-based Formulation of Pointer Analysis

35 Pointer or Points-to Analysis We shall consider Andersen s formulation of Java object references. Flow/context insensitive analysis. Cast of characters: 1. Local (or stack) variables, which point to 2. Heap objects, which may have fields that are references to other heap objects. 35

36 Matches a Language Like Java Stack 1 Stack 2 Heap Pointers (or references) go from the stack(s) to the heap elements Also from one heap element to another 36

37 Representing Heap Objects A heap object is named by the statement in which it is created. Note many run-time objects may have the same name. Example: h: T v = new T; says variable v can point to (one of) the heap object(s) created by statement h. v h 37

38 Field Store v.f = w makes the f field of the heap object h pointed to by v point to what variable w points to. v w i f h f g 38

39 Field Load v = w.f makes v point to what the f field of the heap object h pointed to by w points to. i v w g f h 39

40 Variable Assignment v = w makes v point to whatever w points to Interprocedural Analysis : Also models copying an actual parameter to the corresponding formal or return value to a variable v w h 40

41 EDB (Initial) Relations The facts about the statements in the program and what they do to pointers are accumulated and placed in several EDB relations. Example: there would be an EDB relation Copy(To,From) whose tuples are the pairs (v,w) such that there is a copy statement v=w. 41

42 Convention for Initial EDB Instead of using EDB relations for the various statement forms, we shall simply use the quoted statement itself to stand for an atom derived from the statement. Example: v=w stands for Copy(v,w). 42

43 What Do We Compute? Pts(V,H) will get the set of pairs (v, h) such that variable v can point to heap object h. Hpts(H1,F,H2) will get the set of triples (h, f, g) such that the field f of heap object h can point to heap object g. 43

44 Datalog Rules for Points-to 1. Pts(V,H) :- H: V = new T 2. Pts(V,H) :- V=W, Pts(W,H). 3. Pts(V,H) :- V=W.F, Pts(W,G), Hpts(G,F,H). 4. Hpts(H,F,G) :- V.F=W, Pts(V,H), Pts(W,G). 44

45 Program Example T p(t x) { h: T a = new T; a.f = x; return a; } void main() { g: T b = new T; b = p(b); b = b.f; } 45

46 Apply Rules Recursively --- Round 1 T p(t x) {h: T a = new T; a.f = x; return a;} void main() {g: T b = new T; b = p(b); b = b.f;} Pts(a,h) Pts(b,g) 46

47 Apply Rules Recursively --- Round 2 T p(t x) {h: T a = new T; a.f = x; return a;} void main() {g: T b = new T; b = p(b); b = b.f;} Pts(a,h) Pts(b,g) Pts(x,g) Pts(b,h) 47

48 Apply Rules Recursively --- Round 3 T p(t x) {h: T a = new T; a.f = x; return a;} void main() {g: T b = new T; b = p(b); b = b.f;} Pts(a,h) Pts(b,g) Pts(x,g) Pts(b,h) Pts(x,h) Hpts(h,f,g) 48

49 Apply Rules Recursively --- Round 4 T p(t x) {h: T a = new T; a.f = x; return a;} void main() {g: T b = new T; b = p(b); b = b.f;} Pts(a,h) Pts(b,g) Pts(x,g) Pts(b,h) Pts(x,h) Hpts(h,f,g) Hpts(h,f,h) 49

50 Extension to Support Flow Sensitivity IDB predicates need additional arguments B, I. B = block number. I = position within block, 0, 1,, n for n -statement block. Position 0 is before first statement, position 1 is between 1 st and 2 nd statement, etc. Is there another way to introduce flow sensitivity? 50

51 Adding Context Sensitivity Include a component C = context. C doesn t change within a function. Call and return can extend the context if the called function is not mutually recursive with the caller. 51

52 Context Sensitive Analysis: Maintaining the Context Pts(X,H,B0,0,D) :- Pts(V,H,B,I,C), B,I: call P(,V, ), X is the corresponding actual to V in P, B0 is the entry of P, context D is C extended by P. 52

53 Path Numbering To Make Calling Contexts Finite Cloning-Based Context-Sensitive Pointer Alias Analysis Using Binary Decision Diagrams, Whaley and Lam,

54 Expressing the Entire Analysis in Datalog 54