Context Sensitive Analysis - PowerPoint PPT Presentation

Slides: 17
Provided by: Michael1925

Transcript and Presenter's Notes

Title: Context Sensitive Analysis


1
Context Sensitive Analysis
  • Part 2

2
Quick reminder
  • Context-sensitive analyses are sensitive to call
    sites. They kill unrealizable paths that involve
    unmatched procedure entry/exit pairs
  • Lackwit used a type-inference approach to do this

3
Full context sensitivity
  • Emami and others propose reanalyzing a procedure
    at each call site
  • This means no unrealizable paths involving
    procedure boundaries
  • It also means paying massive computation costs

4
Efficient Context-Sensitive Pointer Analysis for
C Programs
  • Wilson and Lam

5
What we need
  • We want full context-sensitivity
  • We'd like to be able to expand the analysis to be
    flow-sensitive, too, if we have lots of cycles
  • We want efficiency
  • If the analysis doesn't finish, we don't get the
    results
  • We want it to run on actual programs
  • Otherwise it's just a fun toy

6
Interval Analysis
  • Interval analysis involves producing a summary of
    what a procedure does, and encapsulating it in a
    transfer function.
  • Generally more complex than the transfer
    functions you saw for dataflow analyses in 243
  • Just apply the function at each call site, and
    map the calling context to the post-calling
    context

7
Why it won't work
  • Transfer functions have to be simple
  • Otherwise, just passing in the arguments takes as
    long as doing a complete analysis would be, to
    say nothing of how convoluted the function itself
    is
  • Points-to graphs aren't terribly concise
  • A full transfer function is not really any more
    efficient than doing total reanalysis

8
Solution: PTFs
  • A Partial Transfer Function computes the side
    effects, but only has valid values for aliasing
    situations that actually occur in the code
  • Just as fully context-sensitive, but without the
    wasted effort.

9
What's a pointer?
  • Nominally, a pointer is supposed to point at a
    memory location
  • Tragically, C uses pointers for everything
  • Pointers to one word
  • Pointers to a struct
  • Arrays
  • Arrays of structs

10
Solution: Location Sets
  • Uniform way of referencing all of these
  • Refers to any location (fi) in a memory block b
  • Stored as three components: the block, an offset
    from the start of the block, and a stride.

11
Location Sets (cont.)
  • The memory block sets bounds on the region
    (array, plus any intentional overflows)
  • The offset is for working your way into a struct
    to get at a specific field
  • The stride is the size of a pointer; it allows for
    arbitrary pointer arithmetic

12
Basic algorithm
  • Basic worklist-style dataflow analysis, tracking
    pointers.
  • Yes, it's flow-sensitive and context-sensitive.
  • Fuse points-to data at meet
  • Apply an appropriate PTF at call sites, or
    compute one if no such PTF exists yet
  • Never evaluate a node unless at least one
    predecessor has been evaluated

13
Recursive cycles
  • Recursive calls are treated monomorphically, and
    iterate to a fixed point
  • To save space in the analysis, intermediate steps
    overwrite themselves instead of registering a new
    PTF each time

14
Assignments
  • If you assign to a unique location (one set,
    stride 0), then this is a strong update
  • This obliterates all old data in that points-to
    set at that program point
  • Strong updates on unknown pointers potentially
    invalidate every single pointer in the entire
    program!
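
The location sets of slides 10-11 and the strong-update rule of slide 14, as an added example that is not part of the original slides. It assumes the reading from Wilson and Lam's paper in which a location set names positions offset + i*stride inside a block; the names `LocSet`, `may_overlap`, `assign` and the sample state are hypothetical, and block bounds and access sizes are ignored.

```python
from dataclasses import dataclass
from math import gcd

@dataclass(frozen=True)
class LocSet:
    """Locations offset + i*stride (i any integer) inside one memory block."""
    block: str
    offset: int
    stride: int  # 0 means the set names exactly one location

    def is_unique(self) -> bool:
        return self.stride == 0

    def may_overlap(self, other: "LocSet") -> bool:
        # Two arithmetic progressions share a position iff the gcd of the
        # strides divides the offset difference (gcd(0, 0) == 0: compare offsets).
        if self.block != other.block:
            return False
        g, d = gcd(self.stride, other.stride), self.offset - other.offset
        return d == 0 if g == 0 else d % g == 0

def assign(points_to, dests, values):
    """Transfer function for `*p = q`: p may point to `dests`, q to `values`."""
    out = {loc: set(targets) for loc, targets in points_to.items()}
    dests = set(dests)
    # Strong update only when the destination is one set with stride 0.
    strong = len(dests) == 1 and next(iter(dests)).is_unique()
    for d in dests:
        if strong:
            out[d] = set(values)                      # old targets are killed
        else:
            out[d] = out.get(d, set()) | set(values)  # old targets survive
    return out

# Constructed sample state: scalar pointer x, array of 8-byte pointers arr.
X = LocSet("x", 0, 0)
ARR = LocSet("arr", 0, 8)
T1, T2 = LocSet("buf1", 0, 0), LocSet("buf2", 0, 0)
STATE = {X: {T1}, ARR: {T1}}

if __name__ == "__main__":
    print(assign(STATE, [X], [T2])[X])      # strong update on the scalar
    print(assign(STATE, [ARR], [T2])[ARR])  # weak update on the array
```

The weak-update branch is where precision is lost: every array element keeps its old targets because the analysis cannot tell which element was written.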

15
Experimental Results
  • Analysis is reasonably fast
  • No results for programs >5,000 lines of code
  • Average number of PTFs per procedure is 1.0
  • Good application to automatic parallelization

16
Questions
  • So, what's the catch? What kills this analysis?
  • What does OO code do to this algorithm?
  • What can this algorithm do for OO code?
  • Just how scalable is this? Can it be made more
    modular?