Static Analysis of Accessed Regions in Recursive Data Structures - - PowerPoint PPT Presentation

Static Analysis of Accessed Regions in Recursive Data Structures

Stephen Chong Radu Rugina Cornell University

SAS'03 - June 2003 Static Analysis of Accessed Regions

What This Talk is About

Problem: Precise characterization of regions accessed

by statements and procedures

For recursive programs with destructive updates Fine-grained notion of regions: substructures within

recursive data structures.

• E.g. sublists within lists, sub trees within trees

How we do it:

Context sensitive interprocedural analysis algorithm Precise shape information Region access information

Uses:

Parallelization, Program Understanding, Correctness

SAS'03 - June 2003 Static Analysis of Accessed Regions

Sorts a sublist in place (i.e. with

destructive updates)

Quicksort Example

first … …

5 2 8 6 3

last

SAS'03 - June 2003 Static Analysis of Accessed Regions

Sorts a sublist in place (i.e. with

destructive updates)

Quicksort Example

first … …

5 2 8 6 3

last Sort these elements

SAS'03 - June 2003 Static Analysis of Accessed Regions

Chooses a pivot value Partitions list into sublists destructively

Quicksort Example

first … …

5 2 8 6 3

last Sort these elements first … …

3 2 5 8 6

last

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

5 2 8 6 3

last

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

5 2 8 6 3

last mid

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

5 2 8 6 3

last mid crt prev

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

5 2 8 6 3

last mid crt prev

mid.val > crt.val ?

Yes!

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

5 2 8 6 3

last mid crt prev

mid.val > crt.val ?

Yes!

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

5 2 8 6 3

last mid crt prev

mid.val > crt.val ?

Yes!

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

2 5 8 6 3

last

mid.val > crt.val ?

Yes! crt mid prev

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

2 5 8 6 3

last crt mid prev

crt = prev-> next

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

2 5 8 6 3

last crt mid prev

mid.val > crt.val ?

No!

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

2 5 8 6 3

last crt mid

crt = prev-> next

prev

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

3 2 5 8 6

last mid

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Recursing

first … …

2 3 5 6 8

last mid

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Accessed Regions

first … …

2 3 5 6 8

last Modified these locations

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Accessed Regions

first … …

2 3 5 6 8

last

Recursive call modified these locations Recursive call modified these locations

first … …

2 3 5 6 8

last Modified these locations mid

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example

Base cases

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example

List partitioning

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example

Recursive calls

Static Analysis of Accessed Regions

Quicksort Example

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Goal: Automatically determine that the procedure accesses only the sublist between first and last.

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

first

β

last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

first

β

last

first last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

first

β

last

Effects: Reads: α Writes: α

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

prev

α

crt

α

mid

β

last

α

first

α

mid prev

α

crt

α

first

β

last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

prev

α

crt

α

mid

β

last

α

first

first last crt mid prev

α

mid prev

α

crt

α

first

β

last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

prev

α

crt

α

mid

β

last

α

first

α

mid prev

α

crt

α

first

β

last

Reads: α Writes: α

Details of the Analysis

SAS'03 - June 2003 Static Analysis of Accessed Regions

Outline of the Analysis

Abstraction Intraprocedural Analysis

Shape Analysis Region Analysis

Interprocedural Analysis

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction

A heap is:

an (unbounded) number of locations Each location may have at most one out-

going pointer

Stack pointers point to heap locations

Need a finite abstraction for heaps

Uses summary nodes to denote regions Based on reachability from stack pointers

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

x y z w

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

Root locations are immediately pointed

to by stack pointers

x y z w

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

A location h is owned by a set of stack

pointers S, if all paths from a stack pointer to the location h must go through the root of S

x y z w

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

A location h is owned by a set of stack

pointers S, if all paths from a stack pointer to the location h must go through the root of S

x y z w

{ x} { y, z} { w}

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

A location h is owned by a set of stack

pointers S, if all paths from a stack pointer to the location h must go through the root of S

x y z w

{ x} { y, z} { w}

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

A location h is owned by a set of stack

pointers S, if all paths from a stack pointer to the location h must go through the root of S

x y z w

{ x} { y, z} { w}

SAS'03 - June 2003 Static Analysis of Accessed Regions

Shape Abstraction Example

x y z w

{ x} { y, z} { w}

x y, z w

nφ Concrete Heap: Abstract Heap:

Intraprocedural Shape Analysis

SAS'03 - June 2003 Static Analysis of Accessed Regions

Intraprocedural Shape Analysis

Shape Analysis is formulated as a dataflow

analysis

Set of shape graphs computed for each program

point

A shape graph is a tuple (N, E, C), where:

N: set of summary nodes E ∈ N×N → {0,½,1}: edges with reachability info C ∈ N → {0,½,1}: cyclicity info for nodes

Transfer functions defined for

x=m a l l oc( ) , x=y- >ne xt , x=NULL, x- >ne xt =y , x- >ne xt =NULL, x=y

Merge operation defined for shape graphs

SAS'03 - June 2003 Static Analysis of Accessed Regions

Merge Operation

(N1, E1, C1) (N2, E2, C2) = (N, E, C) where:

N = N1 ∪ N2 E(x, y) = E1(x, y) 3 E2(x, y)

if x, y ∈ N1 ∩N2

C(x) = C1(x) 3 C2(x)

if x ∈ N1 ∩N2

3 is the merge operation for logic values:

1 ½ ½ 1 ½ ½ ½ ½ ½ ½ 1 ½

3

½ 1

SAS'03 - June 2003 Static Analysis of Accessed Regions

Materialization and Summarization

Standard shape analysis techniques

[ Sagiv et al., POPL’96]

Materialization: creating a new

summary node from a summary node

a result of traversing a self-edge E.g. y=x- >ne xt

Summarization: combining summary

nodes together

a result of nullifying a stack pointer E.g. x=NULL

SAS'03 - June 2003 Static Analysis of Accessed Regions

Materialization

y = x- >ne xt x x y

⇒

SAS'03 - June 2003 Static Analysis of Accessed Regions

Summarization

x = NULL x y t

⇒

t y

SAS'03 - June 2003 Static Analysis of Accessed Regions

Summarization

x = NULL

⇒

Harder case: x y t z y t z nφ

SAS'03 - June 2003 Static Analysis of Accessed Regions

Summarization

x = NULL x

⇒

Even harder case: y t z y t z nφ

Intraprocedural Region Analysis

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions

Extend shape abstraction to analyze which

regions a procedure accesses.

Summarize effects of procedures and express

results in terms of regions

Problem: summary nodes may represent

different heap locations at different program points

A heap location may be owned by different stack

pointers at different program points

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions: Problem

y x x y

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions: Problem

y x

y = y- >ne xt

x y

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions: Problem

y x

y = y- >ne xt

y x

⇓

x y x y

⇓

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions: Problem

y x

y = y- >ne xt

⇓

x y

⇓

y x x y

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions: Problem

y x

y = y- >ne xt

y x

⇓

x y x y

⇓

SAS'03 - June 2003 Static Analysis of Accessed Regions

Regions: Solution

Use labels on summary nodes to

indicate the regions they represent.

α

x

β

y

y = y- >ne xt α,β

x

β

y

⇓ ⇓

y x y x

SAS'03 - June 2003 Static Analysis of Accessed Regions

Region Analysis

Fresh region labels are assigned at the

start of a procedure, and used throughout the analysis of procedure

⇒Region labels on shape graphs refer to regions at the beginning of the procedure

Transfer functions defined for region

labels

Interesting cases are materialization and

summarization

SAS'03 - June 2003 Static Analysis of Accessed Regions

Region Analysis

Materialization Summarization y = x- >ne xt α x α x α y

⇒

x = NULL β x α,β y

⇒

α y

SAS'03 - June 2003 Static Analysis of Accessed Regions

Can use the region information to track which

regions are read and written by a procedure

Write regions:

• x- >next =NULL, x- >next =y
• Add the region(s) for the x node to the write set

Read regions:

• y=x- >next
• Add the region(s) for x node to the read set
• E. g.

Region Accesses

α z β x y = x- >next

⇒

Read: β

SAS'03 - June 2003 Static Analysis of Accessed Regions

Transfer functions defined for all

statements (including materialization and summarization cases)

Theoretical results:

Termination

• Transfer functions monotonic over a finite

height lattice

Soundness

• Transfer functions sound with respect to our

abstraction function

Formal Treatment

Interprocedural Analysis

SAS'03 - June 2003 Static Analysis of Accessed Regions

Interprocedural Analysis

• Performs context-sensitive

interprocedural analysis

• Can handle recursive procedures
• At each call site:

1.

Map current analysis information into name space of invoked procedure

2.

Analyze procedure for the calling context

3.

Unmap results

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Example

α

mid

α

prev

α

first

β

last crt

Static Analysis of Accessed Regions

Example: Mapping

α

mid

α

prev

α

first

β

last crt voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; } first last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Example: Mapping

α α α β

first last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Example: Mapping

α,β

last

α

first

Static Analysis of Accessed Regions

Example: Mapping

β’ α’

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; } first last

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Example: Mapping

β’ α’

first last

α

first

α

m id

α

prev

β

last crt

Static Analysis of Accessed Regions

Example: Mapping

β’ α’

first last voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Example: Analysis

β’ α’

first last

β’ α’

first last

⇓

Read= {α’} Write= {α’}

Static Analysis of Accessed Regions

Example: Unmapping

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

β’ α’

first last

Read= {α’} Write= {α’}

Static Analysis of Accessed Regions

Read= {α’} Write= {α’}

Example: Unmapping

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

β’ α’

first last

α

first

α

m id

α

prev

β

last crt

Static Analysis of Accessed Regions

Example: Unmapping

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

α α’

first mid

α

prev

β

last crt

α

first

Read= {α’} Write= {α’}

Static Analysis of Accessed Regions

Example: Unmapping

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

α α

first mid

α

prev

β

last crt

Read= {α} Write= {α}

SAS'03 - June 2003 Static Analysis of Accessed Regions

Extensions

Multiple Selectors

Extend analysis to deal with more than a single

selector name:

• Annotate edges with selector sets
• Add cyclicity and sharedness info for selector sets

Refining the nφ node

nφ currently represents all heap locations not

• wned by any stack pointers

Could use different shared nodes sX (X a subset of

stack pointers), that represents all heap locations reachable from all roots of pointers in X

SAS'03 - June 2003 Static Analysis of Accessed Regions

Analysis Uses

Parallelization

Statements accessing disjoint heap regions

can be executed in parallel

Program Understanding

The shape graph and region output of the

analysis can aid understanding of the effect

• f procedures on heap structures

Correctness

Analysis can verify programmer-supplied

specifications

Static Analysis of Accessed Regions

Using Analysis for Correctness

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Static Analysis of Accessed Regions

Using Analysis for Correctness

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) Re ads : α W r i t e s : α { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Static Analysis of Accessed Regions

Using Analysis for Correctness

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) Re ads : α W r i t e s : α { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( pr ev ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Static Analysis of Accessed Regions

Using Analysis for Correctness

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) Re ads : α W r i t e s : α { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( pr ev ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

α

mid

α

prev

β

last crt

α

first

Static Analysis of Accessed Regions

Using Analysis for Correctness

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) Re ads : α W r i t e s : α { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( pr ev ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

α

mid

α

prev

β

last crt

α

first

Read= {α, β} Write= {α, β}!

Related Work

SAS'03 - June 2003 Static Analysis of Accessed Regions

Related Work

Shape Analysis

[ Horwitz,Pfeiffer,Reps, PLDI'89] ,

[ Chase,Wegman,Zadek,PLDI’90] , [ Ghiya,Hendren,POPL96] , [ Sagiv,Reps,Wilhelm,TOPLAS’98, TOPLAS’02] , With reachability: [ Dor,Rodeh,Sagiv,SAS’00]

Interprocedural: [ Rinetzky,Sagiv,CC’01] ,

[ Kuncak,Rinard,POPL02]

Regions

Language support: RC[ Gay,Aiken,PLDI’98] ,

Vault[ DeLine,Fahndrich,PLDI’01] , Cyclone[ Grossman et.al.,PLDI’02]

Region Inference: [Tofte,Talpin, POPL’94] ,

[ Lattner,Adve MSP’02]

SAS'03 - June 2003 Static Analysis of Accessed Regions

Conclusions

Analysis of accessed regions in

recursive data structures

Regions = sublists, subtrees, etc. Dataflow analysis formulation Interprocedural analysis Applies to recursive programs with

destructive heap updates

SAS'03 - June 2003 Static Analysis of Accessed Regions

Chooses a pivot value Partitions list into sublists destructively

Quicksort Example

first … …

5 2 8 6 3

last first … …

3 2 5 8 6

last

Recursively sort this sublist Recursively sort this sublist

Sort these elements

SAS'03 - June 2003 Static Analysis of Accessed Regions

Chooses a pivot value Partitions list into sublists destructively

Quicksort Example

first … …

5 2 8 6 3

last Sort these elements first … …

2 3 5 6 8

last

Recursively sort this sublist Recursively sort this sublist

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Partitioning

first … …

2 5 8 6 3

last crt mid prev

mid.val > crt.val ?

No!

SAS'03 - June 2003 Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

mid prev

α

crt

α

first

β

last

α

prev

α

crt

α

mid

β

last

α

first

SAS'03 - June 2003 Static Analysis of Accessed Regions

Quicksort Example: Abstraction

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

α

mid

α

prev

α

first

β

last crt

SAS'03 - June 2003 Static Analysis of Accessed Regions

voi d qui c ks or t ( l i s t *f i r s t , l i s t *l a s t ) { l i s t *m i d, *c r t , *pr e v; m i d = pr e v = f i r s t - >ne xt ; i f ( m i d == l a s t ) r e t ur n; c r t = pr e v- >ne xt ; i f ( c r t == l a s t ) r e t ur n; whi l e ( c r t ! = l a s t ) { i f ( c r t - >va l > m i d- >va l ) { pr e v = c r t ; } e l s e { pr e v- >ne xt = c r t - >ne xt ; c r t - >ne xt = f i r s t - >ne xt ; f i r s t - >ne xt = c r t ; } c r t = pr e v- >ne xt ; } qui c ks or t ( f i r s t , m i d) ; qui c ks or t ( m i d, l a s t ) ; }

Quicksort Example: Abstraction

α

mid

α

prev first

β

last crt

first last prev mid

α

SAS'03 - June 2003 Static Analysis of Accessed Regions

Traversing a may-edge makes it a

must-edge

E.g. In any execution where z =x- >ne xt

succeeds, then the root of z is definitely reachable from the root of x

Traversing May-Edges

x y z = x- >ne xt

⇒

x y, z

SAS'03 - June 2003 Static Analysis of Accessed Regions

Related Work

Effect Systems

FX-87[ Gifford,Jouvelot,Lucassen, POPL88] , Broadway[ Guyer,Lin,LCPC’00,SAS’03] , Array accesses[ Rugina,Rinard,CC’01] , Cyclone[ Morrisett et. al.,USENIX’02] , Roles[ Kuncak,Rinard, POPL’02]