SLIDE 1
Pushdown Control-Flow Analysis of Higher Order Programs
Christopher Earl1 Matthew Might1 David Van Horn2
1University of Utah
{cwearl,might}@cs.utah.edu
2Northeastern University
dvanhorn@ccs.neu.edu
Pushdown Control-Flow Analysis of Higher Order Programs Christopher - - PowerPoint PPT Presentation
Pushdown Control-Flow Analysis of Higher Order Programs Christopher - - PowerPoint PPT Presentation
Pushdown Control-Flow Analysis of Higher Order Programs Christopher Earl 1 Matthew Might 1 David Van Horn 2 1 University of Utah { cwearl,might } @cs.utah.edu 2 Northeastern University dvanhorn@ccs.neu.edu August 21, 2010 Who uses function
SLIDE 2
SLIDE 3
Who uses function (calls)? Pushdown control-flow analysis models function calls precisely.
SLIDE 4
Simple example of merging return-points
(let* ((id (lambda (x) x)) (a (id 3)) (b (id 4))) a)
SLIDE 5
The big picture
Classical control-flow analysis is not precise enough.
SLIDE 6
The big picture
Classical control-flow analysis is not precise enough. Pushdown control-flow analysis has better precision.
SLIDE 7
The big picture
Classical control-flow analysis is not precise enough. Pushdown control-flow analysis has better precision. We generalize k-CFA to a pushdown control-flow analysis.
SLIDE 8
The big picture
Classical control-flow analysis is not precise enough. Pushdown control-flow analysis has better precision. We generalize k-CFA to a pushdown control-flow analysis. Our approach has several advantages: Direct-style Polyvariant Polynomial
SLIDE 9
Control-flow analysis < pushdown control-flow analysis
Expressiveness of k-CFA = NFA
SLIDE 10
Control-flow analysis < pushdown control-flow analysis
Expressiveness of k-CFA = NFA Expressiveness of PDCFA = PDA
SLIDE 11
Our approach
SLIDE 12
Target language/stack behavior
(let ((x e1)) e2) = ⇒ Push frame (x, e2, . . . ) onto stack.
SLIDE 13
Target language/stack behavior
(let ((x e1)) e2) = ⇒ Push frame (x, e2, . . . ) onto stack. a = ⇒ Pop top of stack.
SLIDE 14
Target language/stack behavior
(let ((x e1)) e2) = ⇒ Push frame (x, e2, . . . ) onto stack. a = ⇒ Pop top of stack. (f a) = ⇒ Stack no-op.
SLIDE 15
Concrete Semantics
A CESK machine.
SLIDE 16
Concrete Semantics
A CESK machine. Configuration = State × Stack
SLIDE 17
Concrete Semantics
A CESK machine. Configuration = State × Stack State = Expression × Environment × Store
SLIDE 18
Abstract Semantics
Abstracted environment = ⇒
SLIDE 19
Abstract Semantics
Abstracted environment = ⇒ environments = finite
SLIDE 20
Abstract Semantics
Abstracted environment = ⇒ environments = finite Abstracted store = ⇒
SLIDE 21
Abstract Semantics
Abstracted environment = ⇒ environments = finite Abstracted store = ⇒ stores = finite
SLIDE 22
Abstract Semantics
Abstracted environment = ⇒ environments = finite Abstracted store = ⇒ stores = finite Abstracted state = ⇒
SLIDE 23
Abstract Semantics
Abstracted environment = ⇒ environments = finite Abstracted store = ⇒ stores = finite Abstracted state = ⇒ states = finite
SLIDE 24
Size of the abstract configuration-space
Using the stack = ⇒
SLIDE 25
Size of the abstract configuration-space
Using the stack = ⇒ configuration-space = infinite
SLIDE 26
Size of the abstract configuration-space
Using the stack = ⇒ configuration-space = infinite The configuration-space cannot be explicitly searched.
SLIDE 27
Size of the abstract state-space
State-space = finite Always.
SLIDE 28
Finite model of pushdown control-flow analysis
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
SLIDE 29
Finite model of pushdown control-flow analysis
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- This representation is a PDA.
SLIDE 30
While finite, this naive PDA is inefficient:
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7
SLIDE 31
While finite, this naive PDA is inefficient:
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7 (Provably) unreachable configurations/states are included.
SLIDE 32
While finite, this naive PDA is inefficient:
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7 (Provably) unreachable configurations/states are included. Legal path from initial configuration/state = ⇒
SLIDE 33
While finite, this naive PDA is inefficient:
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7 (Provably) unreachable configurations/states are included. Legal path from initial configuration/state = ⇒ reachable
SLIDE 34
Shortcut edges: finding the top of the stack
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ˆ
ς5
- ˆ
ς2
ǫ
- ǫ
- ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7
SLIDE 35
Shortcut edges: finding the top of the stack
· · ·
- · · ·
ˆ ς1
ˆ φ+
- ǫ
ˆ
ς5
- ˆ
ς2
ǫ
- ǫ
- ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7
SLIDE 36
Shortcut edges: finding the top of the stack
ˆ ς0
ˆ φ′
+
- · · ·
ˆ ς1
ˆ φ+
- ǫ
ˆ
ς5
- ˆ
ς2
ǫ
- ǫ
- ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7
SLIDE 37
Shortcut edges: finding the top of the stack
ˆ ς0
ˆ φ′
+
- ˆ
ς8 ˆ ς1
ˆ φ+
- ǫ
ˆ
ς5
ˆ φ′
−
- ˆ
ς2
ǫ
- ǫ
- ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7
SLIDE 38
Shortcut edges: finding the top of the stack
ˆ ς0
ˆ φ′
+
- ǫ
ˆ
ς8 ˆ ς1
ˆ φ+
- ǫ
ˆ
ς5
ˆ φ′
−
- ˆ
ς2
ǫ
- ǫ
- ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- ˆ
φ′
−
- ˆ
φ′′
−
- ˆ
ς6 ˆ ς7
SLIDE 39
Dyck state graphs: a lean PDA representation
ˆ ς0
ˆ φ′
+
- ǫ
ˆ
ς8 ˆ ς1
ˆ φ+
- ǫ
ˆ
ς5
ˆ φ′
−
- ˆ
ς2
ǫ
- ǫ
- ˆ
ς3
ǫ
ˆ
ς4
ˆ φ−
- Only reachable states and configurations are included.
SLIDE 40
Our contributions
SLIDE 41
Direct-style Polyvariant Polynomial
SLIDE 42
Direct-style:
SLIDE 43
Direct-style: by the language (A-Normal Form)
SLIDE 44
Direct-style: by the language (A-Normal Form) Polyvariant:
SLIDE 45
Direct-style: by the language (A-Normal Form) Polyvariant: the abstract semantics can use a parameter, k, identical to the k in k-CFA
SLIDE 46
Polynomial: monovariance and store-widening
Standard (infinite) pushdown control-flow analysis: Configuration = Expression × Environment × Store × Stack Frame = Variable × Expression × Environment
SLIDE 47
Polynomial: monovariance and store-widening
Dyck state graphs: State = Expression × Environment × Store Frame = Variable × Expression × Environment
SLIDE 48
Polynomial: monovariance and store-widening
Monovariant Dyck state graphs: State = Expression × Store Frame = Variable × Expression
SLIDE 49
Polynomial: monovariance and store-widening
Monovariant Dyck state graphs with store-widening: State = Expression (with a global store) Frame = Variable × Expression
SLIDE 50
Recap
Pushdown control-flow analysis precisely models the stack.
SLIDE 51
Recap
Pushdown control-flow analysis precisely models the stack. Our formulation only explores reachable configurations/states.
SLIDE 52
Recap
Pushdown control-flow analysis precisely models the stack. Our formulation only explores reachable configurations/states. Our formulation works for direct-style programs.
SLIDE 53
Recap
Pushdown control-flow analysis precisely models the stack. Our formulation only explores reachable configurations/states. Our formulation works for direct-style programs. Our formulation allows for either:
SLIDE 54
Recap
Pushdown control-flow analysis precisely models the stack. Our formulation only explores reachable configurations/states. Our formulation works for direct-style programs. Our formulation allows for either: Polyvariance
SLIDE 55
Recap
Pushdown control-flow analysis precisely models the stack. Our formulation only explores reachable configurations/states. Our formulation works for direct-style programs. Our formulation allows for either: Polyvariance Polynomial running-time
SLIDE 56
Questions?
SLIDE 57