Interprocedural Analysis: Sharir-Pnuelis Call-strings Approach - PowerPoint PPT Presentation

Interprocedural Analysis: Sharir-Pnueli’s Call-strings Approach Deepak D’Souza Department of Computer Science and Automation Indian Institute of Science, Bangalore. 06 October 2010

Call strings approach For a given program P and analysis (( D , ≤ ) , f MN , d 0 ), the 6 A F join over all interprocedurally 1 7 valid paths (JVP) at point N is read a,b a == 0 defined to be: B G O 2 L 8 � f ρ ( d 0 ) . t := a*b a := a−1 H C c 2 ρ ∈ IVP ( r 1 , N ) c 1 9 3 call p call p Idea: collect data values that Q P t := a*b 10 reach each point, tagged with 4 call-string of associated path. I t := a*b M This helps to say which values D J N 11 pass to a given return site. 5 ret print t Now we can set up equations E that capture JVP values.

Call-string along an interprocedurally valid path Call-string associated with an IVP path ρ , denoted CM ( p ), is the sequence of pending calls in ρ . A path ρ in IVP ( r 1 , I ) for example program: 3 2 1 0 A B C O F G H L F K J M I J N D Associated call-string CM ( ρ ) is c 1 .

Call-string along an interprocedurally valid path Call-string associated with an IVP path ρ , denoted CM ( p ), is the sequence of pending calls in ρ . A path ρ in IVP ( r 1 , I ) for example program: 3 2 1 0 A B C O F G H L F K J M I J N D Associated call-string CM ( ρ ) is c 1 . For ρ ′ = ABCOFGHLF CM ( ρ ′ ) = c 1 c 2 . Denote set of all call-strings for given program by Γ.

Tagging with call-strings Classify paths reaching N according to call-strings. For each call-string γ maintain data value � d = f ρ ( d 0 ) . ρ ∈ CM − 1 ( γ ) Thus elements of L ∗ are maps ξ : Γ → D , and ordering ξ 1 ≤ ξ 2 is pointwise extension of ≤ in D . Tagged JVP value: ξ ∗ N : γ �→ � ρ ∈ CM − 1 ( γ ) f ρ ( d 0 ). JVP value d N = � γ ∈ Γ ξ ∗ N ( γ ).

Example: Tagging 6 A F Eg: Path ABCOFGHLFKJ 1 7 a == 0 read a,b has associated callstring c 1 c 2 . G B O 2 L 8 γ : ǫ c 1 c 1 c 2 t := a*b a := a−1 ξ ( γ ) : H C c 2 K c 1 9 3 call p call p Q P Tagged data values at J for t := a*b 10 for availability of a*b analysis 4 I t := a*b γ : ǫ c 1 c 1 c 2 c 1 c 2 c 2 M ξ ( γ ) : ⊥ 1 0 0 D J N 11 5 ret print t E

Data-flow analysis with tagged data values Let D ∗ = Γ → D . Pointwise ordering on D ∗ ξ ≤ ′ ξ ′ iff ξ ( γ ) ≤ ξ ′ ( γ ) for each call-string γ . ( D ∗ , ≤ ′ ) is also a complete lattice. Initial value ξ 0 is given by � d 0 if γ = ǫ ξ 0 ( γ ) = ⊥ otherwise . Transfer functions for non call/ret nodes: f ∗ MN = λξ. f MN ◦ ξ . Transfer functions f ∗ MN ’s are monotonic (distributive) if f MN ’s are monotonic (distributive).

Transfer functions f ∗ MN by example 6 A F (Non-call/ret node) 1 7 a == 0 read a,b G B ξ C = f BC ◦ ξ B . O 2 L 8 t := a*b a := a−1 (Call node) H C c 2 K c 1 9 � ξ C ( γ ′ ) 3 if γ = γ ′ · c 1 call p call p ξ F ( γ ) = Q ⊥ otherwise P t := a*b 10 4 (Return site) I t := a*b M D J N ξ P ( γ ) = ξ J ( γ · c 1 ) . 11 5 ret print t E

Correctness claims Claim Let the LFP of the analysis (( D ∗ , ≤ ′ ) , f ∗ MN , ξ 0 ) be ξ ∗ . Then � x ∗ N = ξ ∗ N ( γ ) γ ∈ Γ is an over-approximation of the JVP at N . When f MN ’s are distributive x ∗ N coincides with JVN at N .

Exercise Use Kildall’s algo to compute the ξ table values for the example program, for | γ | ≤ 4. Start with initial value d 0 = 0. 6 A F ǫ 0 1 7 read a,b a == 0 B G O 2 L 8 t := a*b a := a−1 H C c 2 K c 1 9 3 call p call p Q P t := a*b 10 4 I t := a*b M D J N 11 5 ret print t E

Exercise Use Kildall’s algo to compute the ξ table values for the example program, for | γ | ≤ 4. Start with initial value d 0 = 0. 6 A F ǫ 0 1 7 read a,b a == 0 B G ǫ 0 O 2 L 8 t := a*b a := a−1 H C c 2 K c 1 9 3 call p call p Q P t := a*b 10 4 I t := a*b M D J N 11 5 ret print t E

Exercise Use Kildall’s algo to compute the ξ table values for the example program, for | γ | ≤ 4. Start with initial value d 0 = 0. 6 A F ǫ 0 1 7 read a,b a == 0 B G ǫ 0 O 2 L 8 t := a*b a := a−1 H C ǫ 1 c 2 K c 1 9 3 call p call p Q P t := a*b 10 4 I t := a*b M D J N 11 5 ret print t E

Exercise Use Kildall’s algo to compute the ξ table values for the example program, for | γ | ≤ 4. Start with initial value d 0 = 0. 6 A F c 1 ǫ 0 1 1 7 read a,b a == 0 B G ǫ 0 O 2 L 8 t := a*b a := a−1 H C ǫ 1 c 2 K c 1 9 3 call p call p Q P t := a*b 10 4 I t := a*b M D J N 11 5 ret print t E

Exercise Use Kildall’s algo to compute the ξ table values for the example program, for | γ | ≤ 4. Start with initial value d 0 = 0. 6 A F c 1 ǫ 0 1 1 7 read a,b a == 0 B G ǫ 0 O 2 L 8 t := a*b a := a−1 H C ǫ 1 c 2 K c 1 9 3 call p call p Q P t := a*b 10 4 I t := a*b M D J N 11 5 ret print t E

Convergence of iteration Lattice ( D ∗ , ≤ ′ ) is infinite for recursive programs. It is possible to bound the size of call strings Γ we need to consider. Let k be the number of call sites in P .

Convergence of iteration Claim For any path p with a prefix q such that | CM ( q ) | > k | D | 2 = M there is a path p ′ with | CM ( q ′ ) | ≤ M for each prefix q ′ of p ′ , and f p ( d 0 ) = f p ′ ( d 0 ). Paths with bounded call-strings M p ′ p Proof follows shortly.

Ensuring convergence Go over to a finite lattice. Consider only call strings of length ≤ M (Call this Γ M ). IVP Γ M ( r 1 , N ) = paths from r 1 to N such that for each prefix q , CM ( q ) ≤ M .

Data-flow analysis for JVP over IVP Γ M 6 A F 1 7 a == 0 read a,b (Non-call/ret node) G B O ξ C = f BC ◦ ξ B . 2 L 8 t := a*b a := a−1 (Call node) H C c 2 K c 1 9 3 if γ = γ ′ · c 1 8 ξ C ( γ ′ ) call p < ξ F ( γ ) = and γ ∈ Γ M call p Q otherwise : ⊥ P t := a*b 10 4 (Return site) I t := a*b ξ P ( γ ) = ξ J ( γ · c 1 ) . M D J N 11 5 ret print t E

Bounding call-string size Claim For any path p in IVP ( r 1 , N ) such that | CM ( q ) | > M = k | D | 2 for some prefix q of p , there is a path p ′ in IVP Γ M ( r 1 , N ) with f p ′ ( d 0 ) = f p ( d 0 ). Sufficient to prove: Subclaim For any path p in IVP ( r 1 , N ) with a prefix q such that | CM ( q ) | > M , we can produce a smaller path p ′ in IVP ( r 1 , N ) with f p ′ ( d 0 ) = f p ( d 0 ). ...since if | p | ≤ M then p ∈ IVP Γ M .

Proving subclaim: Path decomposition A path ρ in IVP ( r 1 , n ) can be decomposed as ρ 1 � ( c 1 , r p 2 ) � ρ 2 � ( c 2 , r p 3 ) � σ 3 � · · · � ( c j − 1 , r p j ) � ρ j . where each ρ i ( i < j )is a valid and complete path from r p i to c i , and ρ j is a valid and complete path from r p j to n . Thus c 1 , . . . , c j are the unfinished calls at the end of ρ . 4 3 2 c 2 ρ 3 1 c 1 ρ 2 0 c 1 c 2 c 2 r 2 c 2 c 2 r 2 r 2 r 2 c 2

Proving subclaim Let p 0 be the first prefix of p where | CM | > M . Let decomposition of p 0 be ρ 1 � ( c 1 , r p 2 ) � ρ 2 � ( c 2 , r p 3 ) � σ 3 � · · · � ( c j − 1 , r p j ) � ρ j . Tag each unfinished-call c i in p 0 by ( c i , f q · c i ( d 0 ) , f q · c i q ′ e i +1 ) where e i +1 is corresponding return of c i in p . If no return for c i in p tag with ( c , f q · c i ( d 0 ) , ⊥ ). Number of distinct such tags is k · | D | 2 . So there are two calls qc and qcq ′ c with same tag values.

Proving subclaim – tag values are ⊥ p M c c p ′

Proving subclaim – tag values are not ⊥ M p c c e e p ′

Example T S 6 E A r 1 n ′ n 2 t:=a*b a := 0 read a,b B F I c 1 c ′ c 2 R call p1 call p1 call p2 G K K m ′ m 2 n 1 C L M Q e 1 P return D N e 2 return O