6. Pointer Analysis Flashcards

1
Q

Pointer Analysis

A

flow of non primitive things

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

pointer aliasing

A

Expressions built using pointers, such as x.radius, allow the same memory address to be referred to in
different ways

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

pointer aliasing circle example

A
Circle x = new Circle()
Circle z = ?
x. radius = 1
z.radius = 2
y = x.radius 
assert(y==1) 

Because we don’t know if z represents the same circle as x or not, the analysis is unable to continue past z.radius =2 since we’d be unsure if x.radius still equaled 1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

May-Alias Analysis

A

An analysis that is dedicated to proving facts of the form “x may-alias z?” is called
a MAY-alias analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Is pointer analysis must-alias or may-alias analysis?

A

may-alias

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

May-Alias circle example

A
Circle x = new Circle()
Circle z = new Circle()
x. radius = 1
z.radius = 2
y = x.radius 
assert(y==1) 

We know now in this case that x!=z so after z.radius=2 is done, we can confidently say that x.radius is still 1.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Must-Alias circle example

A
Circle x = new Circle()
Circle z = x
x. radius = 1
z.radius = 2
y = x.radius 
assert(y==1) 

after the assignment to z, we know that x == z. x.radius =1 makes the x radius 1. z.radius=2 makes x.radius=2 since we previously established that x == z.
x and z MUST Alias in this case.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

May alias vs must alias

A

Must alias is more advance, but it is less useful in practice.
May alias analysis is useful for more practical dataflow analysis than must alias.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Why is pointer analysis hard?

A

you have to keep track of everything. In the case of a doubly linked list, you could refer to h.data in a number of ways:
h.next.prev.data, h.next.next.prev.prev.data, etc
cycles are hard yo

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Pointer analysis problem is undecidable. T/F

A

True. We must sacrifice some combination of Soundness, Completeness, Termination.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

what does pointer analysis sacrifice to become decidable?

A

completeness. This means that we can expect false positives, but no false negatives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

False positive

A

If the answer is no, but yes is the returned answer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How can a false positive manifest in the circle example?

A
Circle x = new Circle()
Circle z = new Circle()
x. radius = 1
z.radius = 2
y = x.radius 
assert(y==1) 
x May-Alias z returns YES. 
means that after z=new Circle() our analysis cannot determine that x!=z, but that x==z or x!=z. So going down the remaining analysis we reach the conclusion that y==1 or y==2
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Approximate algorithms for pointer analysis have varying levels of precision. These algorithms differ in two key aspects:

A
  1. How to abstract the heap (ie dynamically allocated data)

2. How to abstract control-flow

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Abstracting the heap (Elevator example): Abstract object based on site they are allocated

A

Basically take the levels of the program and combine all those things into a single node in the graph. all objects allocated within a for loop are represented by a single node.
Creates a Points to graph http://imgur.com/a/nXlBb

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Abstracting the control flow (Elevator example)

A

only a single points to graph for entire program, so we abstract the control flow.

remember how the Points to graph looked before? Instead of changing the graph representation, change the code itself to create that graph. http://imgur.com/a/a18LY

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

flow insensitivity

A

http://imgur.com/a/a18LY idk man
all constructs such as for loops are removed
; are removed as well
all statements that do not affect pointers removed
indices replaced with nondeterministic *s
no order to these statements now even though they are still in rough order

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Chaotic Iteration Algorithm

A

Start with empty point to graph
go through each statement s in set
while applying rule corresponding to s on graph
until graph stops changing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Statement types

A
v = new
v = v2 object copy
v2 = v.f field read statement
v.f = v2 field write statement
v2 = v[*] field read 
v[*] = v2 field write
20
Q

Convert v.events = new Object[] to the statement grammar or whatever its called

A
tmp = new Object[]
v.events = tmp
21
Q

convert

v.events[*] = e

A
tmp = v.events
tmp[*] = e
22
Q

convert

v1.f = v2.f

A
tmp = v2.f
v1.f = tmp
23
Q

convert

v1.f.g = v2.h

A

tmp1 = v1.f
tmp2 = v2.h
tmp1.g=tmp2

24
Q

Rule for object allocation sites: Weak update

A

if there is already an arrow from v to another allocation site node and we just need to add another.

25
Q

Rule for object allocation sites: Strong update

A

replace the points-to information

26
Q

Rule for Object Copy

A

v1 = v2
create variable node for v1
add blue arrow from v1 to all nodes pointed to by v2

27
Q

Rule for field writes

A

v1.f=v2
if v1 points to A and v2 points to B
we add a red arrow from A to B and label it by name for field or by * if its an index

28
Q

rule for field reads

A

v1 = v2.f
if v2 points to B and B points to C by f or *
we add a blue arrow from v1 to C

29
Q

Classifying Pointer Analysis Algorithms

A

Flow sensitive
Context Sensitive
What heap abstraction scheme
how are aggregate data types modeled

30
Q

flow sensitivity

A

how to model control flow within a procedure

either flow insensitive or flow sensitive

31
Q

flow insensitive

A

weak updates
only generate new facts, doesn’t kill any old facts
suffice for may-alias analysis

32
Q

flow sensitive

A

strong updates - killing and generating facts

must-alias analysis

33
Q

Inpractical for a must alias analysis to have a low false positive rate by being flow insensitive

A

true

34
Q

Context sensitivity

A

how to model control flow across procedures
context insensitive
context sensitive

35
Q

context insensitive

A

only analyze each procedure once despite how many times its called in the program
inprecise but efficient

36
Q

context sensitive

A

analyze each procedure possibly multiple times, once per abstract calling context

37
Q

heap abstraction scheme

A

scheme to partition unbounded set of concrete objects into finitely many abstract objects (oval nodes)
Ensures pointer analysis terminates
Many sound schemes exist

38
Q

Heap abstraction scheme: too few abstract objects ==

A

efficient but imprecise

39
Q

Heap abstraction scheme: too many abstract objects ==

A

expensive but precise

40
Q

Heap abstraction scheme #1: Allocation-Site Based

A

one abstract object per allocation site
Allocation site identified by: “new” keyword in Java/C++, malloc() call in C
Finitely many allocation sites in program, so guaranteed finitely many abstract objects

41
Q

Allocation site based downsides

A

costly
large programs
clients needing quick turnaround time
overly fine granularity of sites

42
Q

Heap abstraction scheme #2: Type Based

A

one abstract object per type

finitely many types in program, so finitely many abstract objects

43
Q

Heap abstraction scheme #3: Heap Insensitive

A

Single abstract object representing the entire heap.

highly imprecise, but sound

44
Q

When is heap insensitive scheme useful

A

popular for languages with primarily stack-directed pointers (C)

45
Q

Do quiz #31 in lesson 6

A

dumbass

46
Q

Modeling Aggregate Data Types: Arrays

A

Common choice: single [*] field to represent all array elements

47
Q

Modeling Aggregate Data Types: Records

A

structs or objects
Three common choices:
1. field insensitive - merge all fields of each record object
2. field based - merge each field of all record objects
3, field sensitive - keep each field of each record object separate