[PPT] - Improving Flow Analyses via CFA Abstract Garbage Collection and PowerPoint Presentation

SLIDE 1

Improving Flow Analyses via ΓCFA

Abstract Garbage Collection and Counting Matthew Might∗ Olin Shivers†

∗Georgia Institute of Technology †Northeastern University

ICFP 2006

1

SLIDE 2

The Big Idea

The Process

1. Add garbage collection to a concrete semantics.

2

SLIDE 3

The Big Idea

The Process

1. Add garbage collection to a concrete semantics.
2. Create an abstract interpretation of these semantics.

3

SLIDE 4

The Big Idea

The Process

1. Add garbage collection to a concrete semantics.
2. Create an abstract interpretation of these semantics.

The Payoff

The abstract GC improves both speed and precision.

4

SLIDE 5

The Problem: Imprecision in Abstract Interpretation

{x,y,z} w z y x {w} Concrete Space Abstract Space

Abstract Interpretation

Larger space mapped to smaller space: Overlap leads to imprecision.

5

SLIDE 6

An Example: Analyzing Integer Arithmetic

Goal

Given an arithmetic expression, safely approximate its sign.

6

SLIDE 7

An Example: Analyzing Integer Arithmetic

Goal

Given an arithmetic expression, safely approximate its sign.

Example

◮ 4 + 3 could be positive. ◮ 4 - 10 could be negative. ◮ 4 + (3 - 10) could be positive or negative. (Imprecision allowed.)

7

SLIDE 8

An Example: Analyzing Integer Arithmetic

Abstracting the Integers

Integers abstract to a singleton set of their sign.

Example

◮ |4| = {positive} ◮ |0| = {zero} ◮ |−3| = {negative}

8

SLIDE 9

An Example: Analyzing Integer Arithmetic

Abstracting Addition

Addition abstracts “naturally” to sets of signs.

Example

◮ {positive} ⊕ {positive} = {positive} ◮ {positive, negative} ⊕ {zero} = {positive, negative} ◮ {positive} ⊕ {negative} = {negative, zero, positive}

9

SLIDE 10

An Example: Analyzing Integer Arithmetic

Example

Analyze: −4 + 4

10

SLIDE 11

An Example: Analyzing Integer Arithmetic

Example

Analyze: −4 + 4 ⇒ |−4| ⊕ |4|

11

SLIDE 12

An Example: Analyzing Integer Arithmetic

Example

Analyze: −4 + 4 ⇒ |−4| ⊕ |4| ⇒ {negative} ⊕ {positive}

12

SLIDE 13

An Example: Analyzing Integer Arithmetic

Example

Analyze: −4 + 4 ⇒ |−4| ⊕ |4| ⇒ {negative} ⊕ {positive} ⇒ {negative, zero, positive}

Imprecision!

{zero} is the tightest, safest answer.

13

SLIDE 14

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks... id → x → (id 3) → y → (id 4) →

14

SLIDE 15

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks...

1. (λ (x) x) flows to id.

id → (λ (x) x) x → (id 3) → y → (id 4) →

15

SLIDE 16

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.

id → (λ (x) x) x → 3 (id 3) → y → (id 4) →

16

SLIDE 17

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3).

id → (λ (x) x) x → 3 (id 3) → 3 y → 3 (id 4) →

17

SLIDE 18

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3).
4. Then, 4 flows to x.

id → (λ (x) x) x → 3, 4 (id 3) → 3 y → 3 (id 4) →

18

SLIDE 19

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3).
4. Then, 4 flows to x.
5. Then, 3 or 4 could flow to

(id 4)!? id → (λ (x) x) x → 3, 4 (id 3) → 3 y → 3 (id 4) → 3, 4

Problem

Flow analyses overlap different bindings to the same variable.

19

SLIDE 20

0CFA & Precision

Flow analysis question: What “values” could flow to each expression? (let* ((id (λ (x) x)) (y (id 3))) (id 4)) 0CFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3).
4. Then, 4 flows to x.
5. Then, 3 or 4 could flow to

(id 4)!? id → (λ (x) x) x → 3, 4 (id 3) → 3 y → 3 (id 4) → 3, 4

Solution

Garbage collect dead bindings mid-analysis.

20

SLIDE 21

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3

21

SLIDE 22

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3 Address

22

SLIDE 23

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3 Object Address

23

SLIDE 24

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3 Object Address GC Root

24

SLIDE 25

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3 Object Address GC Root Address

25

SLIDE 26

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3 Object Address GC Root Address Object

26

SLIDE 27

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3 Object Address GC Root GC Root Address Object

27

SLIDE 28

Example: Abstract Garbage Collection

3-address concrete heap. 2-address abstract counterpart. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3

28

SLIDE 29

Example: Abstract Garbage Collection

Next: Allocate object o2 to address a3. Shift root to a3. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

a3

ˆ

a3

29

SLIDE 30

Example: Abstract Garbage Collection

Next: Allocate object o3 to address a2. Point o2 to a2. concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

2

a3

ˆ

a3

|
2|

30

SLIDE 31

Example: Abstract Garbage Collection

Uh-oh! Zombie born. Concrete-abstract symmetry broken. concrete abstract

1

a1

|
1|
3

a2

ˆ

a1,2

|
3|
2
a3
ˆ

a3

|
2|
31

SLIDE 32

Example: Abstract Garbage Collection

Solution: Rewind and garbage collect first. concrete abstract

1

a1

|
1|
3

a2

ˆ

a1,2

|
3|
2
a3
ˆ

a3

|
2|
32

SLIDE 33

Example: Abstract Garbage Collection

As it was: concrete abstract

1

a1

|
1|

a2

ˆ

a1,2

2

a3

ˆ

a3

|
2|

33

SLIDE 34

Example: Abstract Garbage Collection

After garbage collection: concrete abstract a1

a2

ˆ

a1,2

2

a3

ˆ

a3

|
2|

34

SLIDE 35

Example: Abstract Garbage Collection

Try again: Allocate object o3 to address a2. Point o2 to a2. concrete abstract a1

a2

ˆ

a1,2

2

a3

ˆ

a3

|
2|

35

SLIDE 36

Example: Abstract Garbage Collection

No overapproximation! concrete abstract a1

3

a2

ˆ

a1,2

|
3|
2
a3
ˆ

a3

|
2|
36

SLIDE 37

Implementation: ΓCFA

37

SLIDE 38

Tool: Continuation-Passing Style (CPS)

Contract

◮ Calls don’t return. ◮ Continuations are passed—to receive return values. CPS λ-calculus

e, f ∈ EXP ::= v

| (λ (v1 · · · vn) call) call ∈ CALL ::= (f e1 · · · en)

38

SLIDE 39

CPS Narrows Concern

λ is universal representation of control & env. Construct encoding fun call call to λ fun return call to λ iteration call to λ sequencing call to λ conditional call to λ exception call to λ coroutine call to λ . . . . . .

Advantage

Now λ is fine-grained construct.

39

SLIDE 40

Eval-to-Apply Transition

proc = A(f, β, ve) di = A(ei, β, ve) ([ [(f e1 · · · en)] ], β, ve, t) ⇒(proc, d, ve, t + 1)

Apply-to-Eval Transition

proc = ([ [(λ (v1 · · · vn) call)] ], β′) (proc, d, ve, t) ⇒(call, β′[vi → t], ve[(vi, t) → di], t)

Domains

ς ∈ Eval = CALL × BEnv × VEnv × Time + Apply = Proc × D∗ × VEnv × Time β ∈ BEnv = VAR → Time ve ∈ VEnv = VAR × Time → D proc ∈ Proc = Clo + {halt} clo ∈ Clo = LAM × BEnv d ∈ D = Proc t ∈ Time = infinite set of times (contours)

Lookup function

A(lam, β, ve) = (lam, β) A(v, β, ve) = ve(v, β(v))

40

SLIDE 41

Eval-to-Apply Transition

proc ∈

A(f, β, ve)

di =

A(ei, β, ve) ([ [(f e1 · · · en)] ], β, ve, t) ≈ > ( proc, d, ve, succ( t))

Apply-to-Eval Transition

proc = ([

[(λ (v1 · · · vn) call)] ], β′) ( proc, d, ve, t) ≈ > (call, β′[vi → t], ve ⊔ [(vi, t) → di], t)

Domains

ς ∈

Eval = CALL × BEnv × VEnv × Time + Apply = Proc × D∗ × VEnv × Time

β ∈

BEnv = VAR → Time

ve ∈

VEnv = VAR × Time → D

proc ∈

Proc = Clo + {halt}

clo ∈

Clo = LAM × BEnv

d ∈
D

= P( Proc)

t ∈

Time = finite set of times (contours)

Lookup function

A(lam,

β, ve) = {(lam, β)}

A(v,

β, ve) = ve(v, β(v))

41

SLIDE 42

Eval-to-Apply Transition

proc ∈

A(f, β, ve)

di =

A(ei, β, ve) ([ [(f e1 · · · en)] ], β, ve, t) ≈ > ( proc, d, ve, succ( t))

Apply-to-Eval Transition

proc = ([

[(λ (v1 · · · vn) call)] ], β′) ( proc, d, ve, t) ≈ > (call, β′[vi → t], ve ⊔ [(vi, t) → di], t)

Domains

ς ∈

Eval = CALL × BEnv × VEnv × Time + Apply = Proc × D∗ × VEnv × Time

β ∈

BEnv = VAR → Time

ve ∈

VEnv = VAR × Time → D

proc ∈

Proc = Clo + {halt}

clo ∈

Clo = LAM × BEnv

d ∈
D

= P( Proc)

t ∈

Time = finite set of times (contours)

Lookup function

A(lam,

β, ve) = {(lam, β)}

A(v,

β, ve) = ve(v, β(v))

42

SLIDE 43

Concrete v. Abstract Interpretations

Interpretation

Concrete: ς1 Abstract:

ς1

43

SLIDE 44

Concrete v. Abstract Interpretations

Interpretation

Concrete: ς1

ς2

Abstract:

ς1

ς2

44

SLIDE 45

Concrete v. Abstract Interpretations

Interpretation

Concrete: ς1

ς2 ς3

Abstract:

ς1

ς2 ς3

45

SLIDE 46

Concrete v. Abstract Interpretations

Interpretation

Concrete: ς1

ς2 ς3 ς4

ς3.1,1

Abstract:

ς1

ς2 ς3

ς4
ς3.2,1

46

SLIDE 47

Concrete v. Abstract Interpretations

Interpretation

Concrete: ς1

ς2 ς3 ς4 ς5

ς3.1,1

ς3.1,2 Abstract:

ς1

ς2 ς3

ς4
ς3.2,1
47

SLIDE 48

Technique: Abstract Counting

The Idea

1. Count times an abstract resource has been allocated.
2. Count of one means only one concrete counterpart.

48

SLIDE 49

ΓCFA Environment Condition

Basic Principle

If {x} = {y}, then x = y.

Theorem (Environment condition)

If β1(v) = β2(v), and µ(v, β1(v)) = µ(v, β2(v)) = 1, then β1(v) = β2(v).

49

SLIDE 50

ΓCFA Environment Condition

Basic Principle

If {x} = {y}, then x = y.

Theorem (Environment condition)

If β1(v) = β2(v), and µ(v, β1(v)) = µ(v, β2(v)) = 1, then β1(v) = β2(v).

50

SLIDE 51

ΓCFA Environment Condition

Basic Principle

If {x} = {y}, then x = y.

Theorem (Environment condition)

If β1(v) = β2(v), and µ(v, β1(v)) = µ(v, β2(v)) = 1, then β1(v) = β2(v).

51

SLIDE 52

ΓCFA Environment Condition

Basic Principle

If {x} = {y}, then x = y.

Theorem (Environment condition)

If β1(v) = β2(v), and µ(v, β1(v)) = µ(v, β2(v)) = 1, then β1(v) = β2(v).

52

SLIDE 53

ΓCFA Environment Condition

Basic Principle

If {x} = {y}, then x = y.

Theorem (Environment condition)

If β1(v) = β2(v), and µ(v, β1(v)) = µ(v, β2(v)) = 1, then β1(v) = β2(v).

Increase in Power

Enables the Super-β class of optimizations.

53

SLIDE 54

ΓCFA Counting Machinery

Abstract binding counter, µ : “Bindings” → {0, 1, ∞}.

Eval

([ [(f e1 · · · en)] ], β, ve,

t) ≈

> ( proc, d, ve,

succ(

t)) where

proc ∈

A(f, β, ve)

di =

A(ei, β, ve)

Apply

(([ [(λ (v1 · · · vn) call)] ], βb), d, ve,

t) ≈

> (call, β′, ve′,

t)

where     

β′ =

βb[vi → t]

ve′ =

ve ⊔ [(vi, t) → di]

54

SLIDE 55

ΓCFA Counting Machinery

Abstract binding counter, µ : “Bindings” → {0, 1, ∞}.

Eval

([ [(f e1 · · · en)] ], β, ve, µ, t) ≈ > ( proc, d, ve, µ, succ( t)) where

proc ∈

A(f, β, ve)

di =

A(ei, β, ve)

Apply

(([ [(λ (v1 · · · vn) call)] ], βb), d, ve, µ, t) ≈ > (call, β′, ve′, µ′, t) where     

β′ =

βb[vi → t]

ve′ =

ve ⊔ [(vi, t) → di]

µ′ =

µ ⊕ [(vi, t) → 1]

55

SLIDE 56

Technique: Abstract Garbage Collection

The Idea

1. Trace out bindings reachable from current state.
2. Restrict domain of environment to these bindings.

56

SLIDE 57

Looking at the Variable Environment

b1
proc1
b2
proc2
b3
proc3
b4
proc4

Edge Types

b →

proc iff proc ∈ ve( b)

proc ··>

b iff b ∈ T ( proc)

57

SLIDE 58

Looking at the Variable Environment

b1
proc1
b2
proc2
b3
proc3
b4
Edge Types
b →

proc iff proc ∈ ve( b)

proc ··>

b iff b ∈ T ( proc)

58

SLIDE 59

ΓCFA GC Machinery

Bindings touched by an object, T :

T (lam,

β) =

(v,

β(v)) : v ∈ free(lam)

T (halt) = {}
T {

proc1, . . . , procn} = T ( proc1) ∪ · · · ∪ T ( procn)

r, by a state:
T (call,

β, ve, µ, t) =

(v,

β(v)) : v ∈ free(call)

T (

proc, d, ve, µ, t) = T ( proc) ∪ T ( d1) ∪ · · · ∪ T ( dn)

59

SLIDE 60

ΓCFA GC Machinery

Relation ˆ

ve is set of “touching” edges between abstract bindings:
b ˆ
ve

b′ ⇐ ⇒ b′ ∈ T ( ve( b))

60

SLIDE 61

ΓCFA GC Machinery

Bindings reachable by state, R : State → P( Bind):

R(

ς) =

b′ :

b ∈ T ( ς) and b ˆ ∗

ve

ς

b′

61

SLIDE 62

ΓCFA GC Machinery

GC routine, Γ : State → State:

Γ(

ς) =

(

proc, d, ve| R( ς), µ| R( ς), t)

ς = (

proc, d, ve, µ, t) (call, β, ve| R( ς), µ| R( ς), t)

ς = (call,

β, ve, µ, t).

62

SLIDE 63

Improving Speed and Precision

CFA:

ς1

ΓCFA:

ς1

63

SLIDE 64

Improving Speed and Precision

CFA:

ς1

ς2 ΓCFA:

ς1

ς2

64

SLIDE 65

Improving Speed and Precision

CFA:

ς1

ς2 ς3 ΓCFA:

ς1

ς2 ς3 (f e1 · · · en) In CFA: f → clo1, clo2, clo3 In ΓCFA: f → clo1

65

SLIDE 66

Improving Speed and Precision

ς3.1,1

CFA:

ς1

ς2 ς3

ς4
ς3.2,1

ΓCFA:

ς1

ς2 ς3 ς4 (f e1 · · · en) In CFA: f → clo1, clo2, clo3 In ΓCFA: f → clo1

66

SLIDE 67

Improving Speed and Precision

ς3.1,1

ς3.1,2 CFA:

ς1

ς2 ς3

ς4
ς3.2,1
ς3.1,2

ΓCFA:

ς1

ς2 ς3 ς4

67

SLIDE 68

ΓCFA & Precision

(let* ((id (λ (x) x)) (y (id 3))) (id 4)) ΓCFA thinks... id → x → (id 3) → y → (id 4) →

68

SLIDE 69

ΓCFA & Precision

(let* ((id (λ (x) x)) (y (id 3))) (id 4)) ΓCFA thinks...

1. (λ (x) x) flows to id.

id → (λ (x) x) x → (id 3) → y → (id 4) →

69

SLIDE 70

ΓCFA & Precision

(let* ((id (λ (x) x)) (y (id 3))) (id 4)) ΓCFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.

id → (λ (x) x) x → 3 (id 3) → y → (id 4) →

70

SLIDE 71

ΓCFA & Precision

(let* ((id (λ (x) x)) (y (id 3))) (id 4)) ΓCFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3);

x → 3 now dead. id → (λ (x) x) x → — 3 (id 3) → 3 y → 3 (id 4) →

71

SLIDE 72

ΓCFA & Precision

(let* ((id (λ (x) x)) (y (id 3))) (id 4)) ΓCFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3);

x → 3 now dead.

4. Then, 4 flows to x.

id → (λ (x) x) x → — 3 4 (id 3) → 3 y → 3 (id 4) →

72

SLIDE 73

ΓCFA & Precision

(let* ((id (λ (x) x)) (y (id 3))) (id 4)) ΓCFA thinks...

1. (λ (x) x) flows to id.
2. Then, 3 flows to x.
3. Then, 3 flows to y, (id 3);

x → 3 now dead.

4. Then, 4 flows to x.
5. Then, 4 flows to (id 4).

id → (λ (x) x) x → — 3 4 (id 3) → 3 y → 3 (id 4) → 4

73

SLIDE 74

Important Details: Concrete Correctness

Theorem (Correctness of GC semantics)

All states at any depth in execution tree are equivalent modulo GC. I(pr)

ς1

1

ς2

1

ς1

2

ς2

2

ς3

2

ς4

2

74

SLIDE 75

Important Details: Concrete Correctness

Theorem (Correctness of GC semantics)

All states at any depth in execution tree are equivalent modulo GC. ς4

3

ς3

2

ς3

3

ς2

1

ς2

2

ς2

3

I(pr)
ς1

1

ς1

2

ς1

3

75

SLIDE 76

Important Details: Abstract Correctness

Theorem (Correctness of ΓCFA)

ΓCFA simulates the concrete semantics. ς

⇒

|·|

|ς|

⊑

ς

≈ >

ς′

|·| |ς′| ⊑

ς′

76

SLIDE 77

Early Results: 0CFA

2000 4000 6000 8000 10000 12000 14000 20 40 60 80 100 120 140 160 180 States Lines of Code 0CFA 0CFA+GC

77

SLIDE 78

Early Results: 1CFA

3000 6000 9000 12000 15000 18000 21000 24000 27000 30000 20 40 60 80 100 120 140 160 180 States Lines of Code 0CFA 0CFA+GC

78

SLIDE 79

Related Work

Family

◮ Cousot & Cousot: Abstract interpretation. ◮ Steele: CPS as intermediate representation. ◮ Hudak: Abstract reference counting.

Friends

◮ Jagannathan, et al.: “Singleness” analysis. ◮ Wand & Steckler: Invariance sets.

79

SLIDE 80

Ongoing and Future Work

◮ Implementation in MLton.

◮ CPS phase added. (Ben Chambers & Daniel Harvey) ◮ k-CFA effort underway. (Ben Chambers) ◮ ΓCFA to follow. ◮ 100,000+ line benchmarks.

◮ Fully exploit counting: weave in theorem proving, LFA/ΠCFA. ◮ Adaptations for direct-style, ANF, SSA.

◮ Possible, but so far, uglier.

◮ Investigate relationship with constraint-based flow analyses.

80

SLIDE 81

Thank you.

81

SLIDE 82

Question

How often do you garbage collect?

Answer

Whenever precision loss is imminent. In practice, roughly one in four transitions.

82

SLIDE 83