cs 293s pointer analysis
play

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, - PowerPoint PPT Presentation

Dec 08, 2023 •27 likes •347 views

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this lecture Terms and concepts Algorithms: Andersen-Style and Steensgaard-Style Advanced topics 2 What is Pointer/Alias/points-to Analysis?

  1. CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong

  2. Focus of this lecture � Terms and concepts � Algorithms: Andersen-Style and Steensgaard-Style � Advanced topics 2

  3. What is Pointer/Alias/points-to Analysis? � Pointer analysis statically determines: � the possible runtime values of a pointer � what storage locations a pointer can point to � there are certain models can represent the storage locations: � Pointer analysis is hard, but essential for enabling many compiler optimizations. Note: pointer analysis, alias analysis, points-to analysis often are used interchangeably 3

  4. May and Must Aliasing � May aliasing: � aliasing that may occur during execution (e.g., if (c) p = &i) � Must aliasing: � aliasing that must occur during execution (e.g., p = &i) � Easiest alias analysis: nothing must alias, everything may alias 4

  5. Example Optimizations � GCSE needs info on what is read/written: � Can p point to a or b? *p = a + b; x = a + b; � Reaching definitions and constant propagation: � Can p point to x? x = 5; *p = 42; y = x; 5

  6. How Hard Is This Problem? � Undecidable [Landi1992] [Ramalingan1994] � Approximation algorithms, worst-case complexity, range from almost linear to doubly exponential [Hind2001] � Two primary algorithms for point-to analysis � Andersen-style Analysis � Steensgaard-style Analysis 6

  7. Andersen-Style Pointer Analysis [Andersen1994] � Flow-insensitive, context-insensitive analysis � First for C programs, later for Java � View pointer assignments as subset constraints: 7

  8. Andersen-Style Pointer Analysis � Basic idea: � map to subset constraints � construct the constraint graphs � compute transitive closure to propagate points-to relations along the edges of the constraint graphs � Constraint graph: � one node for each variable representing its points-to set, e.g., pts(p), pts(a) � one directed edge for certain constraint 8

  9. Andersen-Style Pointer Analysis: Constructing Constraint Graphs 9

  10. Andersen-Style Pointer Analysis 10

  11. Andersen-style analysis: Algorithm Analysis � Can be reduced to computing the transitive closure of a dynamic graph � dynamic graph: the graph changes over the analysis of the program � the transitive closure of a directed acyclic graph (DAG) is the reachability relation of the DAG. (graph: a set of nodes, and binary relations among the nodes) � A well-studied problem for which the best known complexity is O(n3) (n is the number of node) 11

  12. Andersen-Style Pointer Analysis: Cycle Elimination � Impart optimization for Anderson-style analysis � Detect strongly connected components in points-to graph, collapse to a singe node � Why? All nodes in an SCC will have the same points-to relation at the end of analysis � How to detect cycles efficiently? � Some reduction can be done statically, some on-the-fly as new edges added � See Fast and Accurate Pointer Analysis for Millions of Lines of Code, Hardekopf and Lin, PLDI 2007. 12

  13. Andersen-Style Pointer Analysis: Cycle Elimination 13

  14. Steensgaard-Style Pointer Analysis [Steensgaard1996POPL] � Points-to Analysis in almost linear time � Uses equality constraints instead of subset constraints � Unification based approach: assignment unifies the graph nodes, e.g., x = y (unified x and y in the same node), also called union-find algorithm, exclusion-based approaches, nearly linear complexity � O(n · α ( n)), where α ( n) is the inverse Ackermann’s function, α (2132) < 4 � Scalable � Less precise than Andersen-style, thus more 14

  15. Steensgaard-Style Pointer Analysis � Key idea: maintain a set of disjoint sets and supports two operations: � FIND(x): return the set containing x � UNION(x, y): union the two sets containing x and y 15

  16. Steensgaard-Style Pointer Analysis [Steensgaard1996POPL] 16

  17. Andersen vs. Steensgaard Style Pointer Analysis 17

  18. Andersen vs. Steensgaard Style Pointer Analysis 18

  19. Andersen vs. Steensgaard Style Pointer Analysis 19

  20. Andersen vs. Steensgaard Style Pointer Analysis 20

  21. Points-to Analyses Work in Real Data FlowProblems? 21

  22. Summary: Andersen vs. Steensgaard � Both are flow-insensitive and context-insensitive � Control flow information is not used, the order of statements is not considered � Differ in points-to set construction � Andersen-style: many out edges, one variable per node � Steensgaard-style: one out edge, many variables per node � Andersen-style: inclusion-based, subset-based � the slowest but most precise flow-insensitive algorithm � Steensgaard-style: equality-based, unification-based � the fastest but least precise 22

  23. Advanced point-to analysis The Horwitz-Shapiro Approach: 1997 POPL –Fast and Accurate Flow- 23 Insensitive Points-ToAnalysis

  24. Advanced point-to analysis 24

  25. Advanced point-to analysis 25

  26. Advanced point-to analysis 26

  27. Advanced point-to analysis 27

  28. Advanced point-to analysis 28

  29. Advanced point-to analysis 29

  30. Advanced point-to analysis 30

  31. Advanced point-to analysis 31

  32. Advanced point-to analysis 32

Recommend

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and Katherine Yelick U.C. Berkeley A August 23, 2007 t 23 2007 1 Hierarchical Pointer Analysis Amir Kamil Background 2 Hierarchical Pointer Analysis

650 views • 41 slides
CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

Datalog CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual calls:

1.01k views • 54 slides
Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael

Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael

Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael Orrill 11/19/2013 Overview Background Concepts Chosen for analysis Structural Analysis Thermal Analysis Schedule Conclusion

544 views • 20 slides
Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c

Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c

Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c analysis Dataflow and abstract interpreta8on We are here Applica8ons Beyond

515 views • 36 slides
A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization

A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization

A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization for Speculative Optimization Jeff DaSilva Jeff DaSilva Greg Steffan Greg Steffan Electrical and Computer Engineering Electrical and Computer

890 views • 38 slides
Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an integer as long as result is still within the bounds of the array Can subtract a pointer from another pointer iff both point to

140 views • 9 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer is a variable that stores a memory address. Pointers are used to store the addresses of other variables or memory items. Pointers are very

742 views • 23 slides
Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&amp;A 2 What is a

543 views • 28 slides
Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer Interpretation: declare x as a variable on the stack that holds the numeric address of the location in memory at which are 32 bits that we intend

359 views • 15 slides
Introduction to Program Analysis: A Pointer Centric View Uday Khedker

Introduction to Program Analysis: A Pointer Centric View Uday Khedker

Introduction to Program Analysis: A Pointer Centric View Uday Khedker (www.cse.iitb.ac.in/uday) Department of Computer Science and Engineering, Indian Institute of Technology, Bombay Dec 2017 WSSE Pune Intro to PA: Outline 1/7 An Outline

552 views • 8 slides
Offline Data Processing: Tasks and Infrastructure Support T. Yang, UCSB 293S Table of Content

Offline Data Processing: Tasks and Infrastructure Support T. Yang, UCSB 293S Table of Content

Offline Data Processing: Tasks and Infrastructure Support T. Yang, UCSB 293S Table of Content Offline incremental data processing: case study Example of content analysis System support Offline Architecture for Ask.com Search

379 views • 15 slides
Incrementalized Pointer and Escape Analysis Frdric Vivien Martin Rinard ICPS/LSIIT

Incrementalized Pointer and Escape Analysis Frdric Vivien Martin Rinard ICPS/LSIIT

Incrementalized Pointer and Escape Analysis Frdric Vivien Martin Rinard ICPS/LSIIT Laboratory for Computer Science Universit Louis Pasteur Massachusetts Institute of Technology Strasbourg, France Cambridge, MA, USA Start with a

1.54k views • 99 slides
Shape Analysis Syntax of the pointer language p | n | a 1 op a a 2 | nil a ::= Goal: to obtain

Shape Analysis Syntax of the pointer language p | n | a 1 op a a 2 | nil a ::= Goal: to obtain

Shape Analysis Syntax of the pointer language p | n | a 1 op a a 2 | nil a ::= Goal: to obtain a finite representation of the shape of the heap of a ::= x | x. sel p language with pointers. b ::= true | false | not b | b 1 op b b 2 | a 1 op

430 views • 11 slides
Pointer Analysis: The Big Picture View Uday Khedker (www.cse.iitb.ac.in/uday) Department of

Pointer Analysis: The Big Picture View Uday Khedker (www.cse.iitb.ac.in/uday) Department of

Pointer Analysis: The Big Picture View Uday Khedker (www.cse.iitb.ac.in/uday) Department of Computer Science and Engineering, Indian Institute of Technology, Bombay Dec 2017 WSSE Pune PTA Big Picture: The Big Picture 1/22 Outline The

831 views • 67 slides
From Pointer Systems to Counter Systems using Shape Analysis Arnaud Sangnier EDF R&amp;D, LSV,

From Pointer Systems to Counter Systems using Shape Analysis Arnaud Sangnier EDF R&amp;D, LSV,

From Pointer Systems to Counter Systems using Shape Analysis Arnaud Sangnier EDF R&amp;D, LSV, ENS Cachan &amp; CNRS joint work with: S ebastien Bardin, Alain Finkel, Etienne Lozes LSV, ENS Cachan &amp; CNRS ACI S ecurit e

428 views • 40 slides

More recommend