# Interprocedural Analysis

• View
31

1

Embed Size (px)

DESCRIPTION

Interprocedural Analysis. Noam Rinetzky Mooly Sagiv http://www.math.tau.ac.il/~sagiv/courses/pa04.html Tel Aviv University 640-6706 Textbook Chapter 2.5. Outline. The trivial solution Why isn’t it adequate Challenges in interprocedural analysis Simplifying assumptions A naive solution - PowerPoint PPT Presentation

### Text of Interprocedural Analysis

• Interprocedural AnalysisNoam RinetzkyMooly Sagivhttp://www.math.tau.ac.il/~sagiv/courses/pa04.htmlTel Aviv University640-6706Textbook Chapter 2.5

• OutlineThe trivial solutionWhy isnt it adequateChallenges in interprocedural analysisSimplifying assumptionsA naive solutionJoin over valid pathsThe functional approachA case study linear constant propagationContext free reachabilityThe call-string approachModularity issuesOther solutions

• A Trivial treatment of procedures Analyze a single procedureAfter every call continue with conservative informationGlobal variables and local variables which may be modified by the call are mapped to Can be easily implementedProcedures can be written in different languagesProcedure inline can helpSide-effect analysis can help

• Disadvantages of the trivial solutionModular (object oriented and functional) programming encourages small frequently called proceduresOptimizationModern machines allows the compiler to schedule many instructions in parallelNeed to optimize many instructionsInline can be a bad solutionSoftware engineering Many bugs result from interface misuseProcedures define partial functions

• Challenges in Interprocedural AnalysisProcedure nestingRespect call-return mechanismHandling recursionLocal variablesParameter passing mechanisms: value, value-result, reference, by name The called procedure is not always knownThe source code of the called procedure is not always available separate compilationvendor code...

• Simplifying AssumptionsAll the code is availableSimple parameter passingThe called procedure is syntactically knownNo nestingProcedure names are syntactically different from variablesProcedures are uniquely definedRecursion is supported

• Extended Syntax of Whilea := x | n | a1 opa a2 b := true | false | not b | b1 opb b2 | a1 opr a2S := [x := a]l | [call p(a, z)]ll | [skip]l | S1 ; S2 | if [b]l then S1 else S2 | while [b]l do SP := begin D S endD := proc id(val id*, res id*) isl S endl | D D

• Fibonacci Examplebegin proc fib(val z, u, res v) is1if [z
• Constant Examplebegin proc p(val a) is1if [b]2 then ([a := a -1]3[call p(a)]45[a := a + 1]6)[x := -2* a + 5]7end8[call p(7)]910end

• A naive Interprocedural solutionTreat procedure calls as gotosObtain a conservative solutionFind the least fixed point of the system:

Use Chaotic iterationsDFentry(s) = DFentry(v) = {f(e)(DFentry(u) : (u, v) E}

• Simple Examplebegin proc p(val a) is1 [x := a + 1]2 end3[call p(7)]45[print x]6[call p(9)]78[print x]9end

• Constant Examplebegin proc p(val a) is1if [b]2 then ([a := a -1]3[call p(a)]45[a := a + 1]6)[x := -2* a + 5]7end8[call p(7)]910end

• A More Precise SolutionOnly considers matching calls and returns (valid)Can be defined via context free grammarEvery call is a different letterMatching calls and returnsThe control flow graph can also be defined via context free grammar

• Simple Examplebegin proc p(val a) is1 [x := a + 1]2 end3[call p(7)]45[print x]6[call p(9)]78[print x]9end

• Constant Examplebegin proc p(val a) is1if [b]2 then ([a := a -1]3[call p(a)]45[a := a + 1]6)[x := -2* a + 5]7end8[call p(7)]910end

• The Join-Over-Valid-Paths (JVP)For a sequence of labels [l1, l2, , ln] define f [l1, l2, , ln]: L L by composing the effects of basic blocksf[l](s)=sf [l, p](s) = f[p] (fl (s))JVPl = {f[l1, l2, , l]() [l1, l2, , l] vpaths(l)}Compute a safe approximation to JVPIn some cases the JVP can be computedDistributivity of fFunctional representation

• The Call String Approach for Approximating JVPNo assumptionsRecord at every node a pair (l, c) where l L is the dataflow information and c is a suffix of unmatched callsUse Chaotic iterationsTo guarantee termination limit the size of c (typically 1 or 2)Emulates inline (but no code growth)Exponential in CFor a finite lattice there exists a C which leads to join over all valid paths

• Simple Examplebegin proc p(val a) is1 [x := a + 1]2 end3[call p(7)]45[print x]6[call p(9)]78[print x]9end

• Constant Examplebegin proc p(val a) is1if [b]2 then ([a := a -1]3[call p(a)]45[a := a + 1]6)[x := -2* a + 5]7end8[call p(7)]910 print xend

• The Functional Approach

The meaning of a function is mapping from values of actual variables into statesThe abstract meaning of a function is function from the abstract values of the numbers to abstract storesIterate on the abstract domain of functions from L to L

• Motivating Examplebegincall p(7)call p(7)print x011proc p1if 2a:=a-134call p(a)6call p(a)9end8a:=a-1x:=-2*a+57end510

• Motivating Example(2)begincall p(7)call p(7)print x011proc p1if 2a:=a-134call p(a)6call p(a)9end8a:=a-1x:=-2*a+57end510

• Issues in Functional Approach How to guarantee that finite height for functional lattice?It may happen that L has finite height and yet the lattice of monotonic function from L to L do notEfficiently represent functions Functional joinFunctional compositionTesting equalityUsually non-trivialBut can be done for distributive functions

• Example Linear Constant PropagationConsider the constant propagation latticeThe value of every variable y at the program exit can be represented by: y = {(axx + bx )| x Var* } c ax ,c Z {, } bx Z Supports efficient composition and functional join[z := a * y + b]Computes JVP

• Constant Examplebegin proc p(val a) is1if [b]2 then ([a := a -1]3[call p(a)]45[a := a + 1]6)[x := -2* a + 5]7end8[call p(7)]910end a=a. (a *1 + 0) a. (a -1 + 0) a. a a. (a -1 + 0) a. (a + 0)

• Functional Approach via Context Free ReachablityThe problem of computing reachability in a graph restricted by a context free grammar can be solved in cubic timeCan be used to compute JVP in arbitrary finite distributive data flow problems (not just bitvector)Nodes in the graph correspond to individual factsEfficient implementations exit (MOPED)

• ConclusionHandling functions is crucial for abstract interpretationVirtual functions and exceptions complicate thinksBut scalability is an issueAssume-guarantee helpsBut relies on specifications

The functional approach was introduced independently by Cousot and Sharir and Pnueli. Cousot used the term relational since the analysis computes a relation between input and output values. Both did not address the problem of complexity addressed Reps at el.It was implemented in SLAM and expected to be released in DDK

Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents