Iterative Dataflow Analysis

Transcription

1 Iterative Dataflow Analysis CS 352 9/24/07 Slides adapted from Nielson, Nielson, Hankin Principles of Program Analysis

2 Key Ideas Need a mechanism to evaluate (statically) statements in a program Problem: how do mimic runtime behavior statically? Approach: abstract away unnecessary or statically uncomputable aspects of execution Result: an abstract interpretation of the program that provides useful dataflow information 2

3 Components Dataflow analysis via abstract interpretation has three main components: A transfer function (f(n)) that approximates the execution of instruction n based on the (approximate) inputs given. A join operation that abstracts statically uncomputable operations (e.g., conditionals) A direction (forward or reverse) describing the order in which instructions are interpreted. 3

4 Approach After deciding the structure of the transfer function, join operation, and analysis direction, we run the analysis. We continue to iterate until no new information is generated. Formally: forward Backward 4

5 Example: Reaching Definitions Definition d of variable x reaches statement s if there exists a path from d to s with no intervening redefinition of x. Assignment to x generates a definition, and kills previous definition. Equations: GEN[n]: the set of definitions that n creates KILL[n]: the set of definitions that n kills. Transfer function: f(n) = GEN[n] U (IN[n] - KILL[n]) Join: Union 5

6 Simple Language a ::= x n a 1 op a a 2 b ::= true false not b b 1 op b b 2 a 1 op r a 2 S ::= [x := a] l [skip] l S 1 ; S 2 if [b] l then S 1 else S 2 while [b] l do S Example: [z:=1] 1 ; while [x>0] 2 do ([z:=z*y] 3 ; [x:=x-1] 4 ) 6

7 Flow Graph init( ) = 1 [z:=1] 1 final( ) = {2} labels( ) = {1, 2, 3, 4} flow( ) = {(1, 2), (2, 3), (3, 4), (4, 2)} [x>0] 2 yes [z:=z*y] 3 no flow R ( ) = {(2, 1), (2, 4), (3, 2), (4, 3)} [x:=x-1] 4 7

8 Initial and Final Labels init : Stmt Lab init([x := a] l ) = l init([skip] l ) = l init(s 1 ; S 2 ) = init(s 1 ) init(if [b] l then S 1 else S 2 ) = l init(while [b] l do S) = l final : Stmt P(Lab) final([x := a] l ) = {l} final([skip] l ) = {l} final(s 1 ; S 2 ) = final(s 2 ) final(if [b] l then S 1 else S 2 ) = final(s 1 ) final(s 2 ) final(while [b] l do S) = {l} init([z:=1] 1 ; while [x>0] 2 do ([z:=z*y] 3 ; [x:=x-1] 4 )) = 1 final([z:=1] 1 ; while [x>0] 2 do ([z:=z*y] 3 ; [x:=x-1] 4 )) = {2} 8

9 Capturing Control-Flow Represent a program s control-flow through relations built using labels: flow, flow R : Stmt P(Lab Lab) flow([x := a] l ) = flow([skip] l ) = flow(s 1 ; S 2 ) = flow(s 1 ) flow(s 2 ) {(l, init(s 2 )) l final(s 1 )} flow(if [b] l then S 1 else S 2 ) = flow(s 1 ) flow(s 2 ) {(l, init(s 1 )), (l, init(s 2 ))} flow(while [b] l do S) = flow(s) {(l, init(s))} {(l, l) l final(s)} flow R (S) = {(l, l ) (l, l) flow(s)} 9

10 Basic Blocks Aggregate statements into a set of blocks blocks : Stmt P(Blocks) blocks([x := a] l ) = {[x := a] l } blocks([skip] l ) = {[skip] l } blocks(s 1 ; S 2 ) = blocks(s 1 ) blocks(s 2 ) blocks(if [b] l then S 1 else S 2 ) = {[b] l } blocks(s 1 ) blocks(s 2 ) blocks(while [b] l do S) = {[b] l } blocks(s) 10

11 Available Expressions For each program point, which expressions have already been computed, and not later modified on all paths to this point. point of interest [x:= a+b ] 1 ; [y:=a*b] 2 ; while [y> a+b ] 3 do ([a:=a+1] 4 ; [x:= a+b ] 5 ) The analysis enables a transformation into [x:= a+b] 1 ; [y:=a*b] 2 ; while [y> x ] 3 do ([a:=a+1] 4 ; [x:= a+b] 5 ) 11

12 Available Expressions X 1 X 2 N = X 1 X 2 x := a { kill }}{ X = (N\{expressions with an x} ) {subexpressions of a without an x} }{{} gen 12

13 Specification kill and gen functions kill AE ([x := a] l ) = {a AExp x FV(a )} kill AE ([skip] l ) = kill AE ([b] l ) = gen AE ([x := a] l ) = {a AExp(a) x FV(a )} gen AE ([skip] l ) = gen AE ([b] l ) = AExp(b) Transfer Functions data flow equations: AE = { if l = init(s ) AE entry (l) = {AEexit (l ) (l, l) flow(s )} otherwise AE exit (l) = (AE entry (l)\kill AE (B l )) gen AE (B l ) where B l blocks(s ) 13

14 Example [x:=a+b] 1 ; [y:=a*b] 2 ; while [y>a+b] 3 do ([a:=a+1] 4 ; [x:=a+b] 5 ) kill and gen functions: l kill AE (l) gen AE (l) 1 {a+b} 2 {a*b} 3 {a+b} 4 {a+b, a*b, a+1} 5 {a+b} 14

15 Example (cont) [x:=a+b] 1 ; [y:=a*b] 2 ; while [y>a+b] 3 do ([a:=a+1] 4 ; [x:=a+b] 5 ) Equations: AE entry (1) = AE entry (2) = AE exit (1) AE entry (3) = AE exit (2) AE exit (5) AE entry (4) = AE exit (3) AE entry (5) = AE exit (4) AE exit (1) = AE entry (1) {a+b} AE exit (2) = AE entry (2) {a*b} AE exit (3) = AE entry (3) {a+b} AE exit (4) = AE entry (4)\{a+b, a*b, a+1} AE exit (5) = AE entry (5) {a+b} 15

16 Solutions Available expressions is an example of a forward analysis: We are interested in the largest solution that satisfies the equations. [x:=a+b] 1 ; [y:=a*b] 2 ; while [y> a+b ] 3 do ([a:=a+1] 4 ; [x:=a+b] 5 ) l AE entry (l) AE exit (l) 1 {a+b} 2 {a+b} {a+b, a*b} 3 {a+b} {a+b} 4 {a+b} 5 {a+b} 16

17 Largest Solutions [z:=x+y] l ; while [true] l do [skip] l Equations: AE entry (l) = AE entry (l ) = AE exit (l) AE exit (l ) [ ] l AE entry (l ) = AE exit (l ) [ ] l AE exit (l) = AE entry (l) {x+y} yes AE exit (l ) = AE entry (l ) AE exit (l ) = AE entry (l ) [ ] l no After some simplification: AE entry (l ) = {x+y} AE entry (l ) Two solutions to this equation: {x+y} and 17

18 Live Variable Analysis A variable is live at the exit from a label if there is a path from the label to a use of the variable that does not re-define the variable. The aim of the Live Variables Analysis is to determine For each program point, which variables may be live at the exit from the point. Example: point of interest [ x :=2] 1 ; [y:=4] 2 ; [x:=1] 3 ; (if [y>x] 4 then [z:=y] 5 else [z:=y*y] 6 ); [x:=z] 7 The analysis enables a transformation into [y:=4] 2 ; [x:=1] 3 ; (if [y>x] 4 then [z:=y] 5 else [z:=y*y] 6 ); [x:=z] 7 18

19 Live Variable Analysis {}}{ kill N = (X\{x} ) {all variables of a} }{{} gen x := a X = N 1 N 2 N 1 N 2 19

20 Specification kill and gen functions kill LV ([x := a] l ) = {x} kill LV ([skip] l ) = kill LV ([b] l ) = gen LV ([x := a] l ) = FV(a) gen LV ([skip] Text l ) = gen LV ([b] l ) = FV(b) Transfer functions data flow equations: LV = { if l final(s ) LV exit (l) = {LVentry (l ) (l, l) flow R (S )} otherwise LV entry (l) = (LV exit (l)\kill LV (B l )) gen LV (B l ) where B l blocks(s ) 20

21 Example [x:=2] 1 ; [y:=4] 2 ; [x:=1] 3 ; (if [y>x] 4 then [z:=y] 5 else [z:=y*y] 6 ); [x:=z] 7 kill and gen functions: l kill LV (l) gen LV (l) 1 {x} 2 {y} 3 {x} 4 {x, y} 5 {z} {y} 6 {z} {y} 7 {x} {z} 21

22 Example [x:=2] 1 ; [y:=4] 2 ; [x:=1] 3 ; (if [y>x] 4 then [z:=y] 5 else [z:=y*y] 6 ); [x:=z] 7 Equations: LV entry (1) = LV exit (1)\{x} LV entry (2) = LV exit (2)\{y} LV entry (3) = LV exit (3)\{x} LV entry (4) = LV exit (4) {x, y} LV entry (5) = (LV exit (5)\{z}) {y} LV entry (6) = (LV exit (6)\{z}) {y} LV entry (7) = {z} LV exit (1) = LV entry (2) LV exit (2) = LV entry (3) LV exit (3) = LV entry (4) LV exit (4) = LV entry (5) LV entry (6) LV exit (5) = LV entry (7) LV exit (6) = LV entry (7) LV exit (7) = 22

23 Solutions Live variable analysis is an example of a backwards analysis: We are interested in the smallest solution that satisfies the equations. [x:=2] 1 ; [y:=4] 2 ; [x:=1] 3 ; (if [y>x] 4 then [z:=y] 5 else [z:=y*y] 6 ); [x:=z] 7 l LV entry (l) LV exit (l) 1 2 {y} 3 {y} {x, y} 4 {x, y} {y} 5 {y} {z} 6 {y} {z} 7 {z} 23

24 Smallest Solutions Why smallest solution? Equations: (while [x>1] l do [skip] l ); [x:=x+1] l LV entry (l) = LV exit (l) {x} LV entry (l ) = LV exit (l ) LV entry (l ) = {x} LV exit (l) = LV entry (l ) LV entry (l ) LV exit (l ) = LV entry (l) [ ] l yes [ ] l no [ ] l LV exit (l ) = After some calculations: LV exit (l) = LV exit (l) {x} Many solutions to this equation: any superset of {x} 24

25 Reaching Definitions Recall that a reaching definitions analysis determines: For each program point, the set of assignments made, but not overwritten, when execution reaches this point along some path. 25

26 Reaching Definitions X 1 X 2 N = X 1 X 2 [x := a] l { kill }}{ X = (N\{(x,?), (x, 1), } ) {(x, l)} }{{} gen 26

27 Analysis kill and gen functions kill RD ([x := a] l ) = {(x,?)} {(x, l ) B l is an assignment to x in S } kill RD ([skip] l ) = kill RD ([b] l ) = gen RD ([x := a] l ) = {(x, l)} gen RD ([skip] l ) = gen RD ([b] l ) = Transfer functions data flow equations: RD = { {(x,?) x FV(S )} if l = init(s RD entry (l) = ) {RDexit (l ) (l, l) flow(s )} otherwise RD exit (l) = (RD entry (l)\kill RD (B l )) gen RD (B l ) where B l blocks(s ) 27

28 Example [x:=5] 1 ; [y:=1] 2 ; while [x>1] 3 do ([y:=x*y] 4 ; [x:=x-1] 5 ) l kill RD (l) gen RD (l) 1 {(x,?), (x, 1), (x, 5)} {(x, 1)} 2 {(y,?), (y, 2), (y, 4)} {(y, 2)} 3 4 {(y,?), (y, 2), (y, 4)} {(y, 4)} 5 {(x,?), (x, 1), (x, 5)} {(x, 5)} 28

29 Equations [x:=5] 1 ; [y:=1] 2 ; while [x>1] 3 do ([y:=x*y] 4 ; [x:=x-1] 5 ) RD entry (1) = {(x,?), (y,?)} RD entry (2) = RD exit (1) RD entry (3) = RD exit (2) RD exit (5) RD entry (4) = RD exit (3) RD entry (5) = RD exit (4) RD exit (1) = (RD entry (1)\{(x,?), (x, 1), (x, 5)}) {(x, 1)} RD exit (2) = (RD entry (2)\{(y,?), (y, 2), (y, 4)}) {(y, 2)} RD exit (3) = RD entry (3) RD exit (4) = (RD entry (4)\{(y,?), (y, 2), (y, 4)}) {(y, 4)} RD exit (5) = (RD entry (5)\{(x,?), (x, 1), (x, 5)}) {(x, 5)} 29

30 Solutions [x:=5] 1 ; [y:=1] 2 ; while [x>1] 3 do ([y:= x*y ] 4 ; [x:=x-1] 5 ) lest solution: l RD entry (l) RD exit (l) 1 {(x,?), (y,?)} {(y,?), (x, 1)} 2 {(y,?), (x, 1)} {(x, 1), (y, 2)} 3 {(x, 1), (y, 2), (y, 4), (x, 5)} {(x, 1), (y, 2), (y, 4), (x, 5)} 4 {(x, 1), (y, 2), (y, 4), (x, 5)} {(x, 1), (y, 4), (x, 5)} 5 {(x, 1), (y, 4), (x, 5)} {(y, 4), (x, 5)} 30

31 Solutions [z:=x+y] l ; while [true] l do [skip] l Equations: RD entry (l) = {(x,?), (y,?), (z,?)} RD entry (l ) = RD exit (l) RD exit (l ) RD entry (l ) = RD exit (l ) RD exit (l) = (RD entry (l) \ {(z,?)}) {(z, l)} RD exit (l ) = RD entry (l ) [ ] l [ ] l RD exit (l ) = RD entry (l ) [ ] l yes no After some simplification: RD entry (l ) = {(x,?), (y,?), (z, l)} RD entry (l ) Many solutions to this equation: any superset of {(x,?), (y,?), (z, l)} 31