Constraint based analysis

Question 1

Benefits of constraint based analysis

Answer 1

Separates analysis specs from implementation. Hence analysis writer focuses on what rather than on how.

Another benefit of constraint-based analysis is that it yields natural program
specifications: just like types in a type system, constraints are usually defined locally,
and solving their conjunction captures global properties about the program.
Finally, the modularization of the program analysis task into a specification and an
implementation sub-problem allows the specification to be agnostic of the
implementation. In other words, we can leverage powerful, off-the-shelf constraint
solvers in a “plug-and-play” manner, giving us flexibility that would otherwise not be
available.

Question 2

Datalog

Answer 2

a constraint language.

Datalog is a declarative logic programming language.
It is not a Turing-complete language: it can be viewed as a subset of Prolog, or as
SQL with recursion. Efficient algorithms exist to evaluate programs in these
languages, so there exist efficient algorithms to evaluate Datalog programs.
Datalog originated as a query language for deductive databases. It was later applied in
many other domains, including software analysis, data mining, networking, security,
knowledge representation, and cloud computing among others.

Question 3

Two static analyses in Datalog

Answer 3

an intra-procedural analysis in Datalog, that is, an
analysis that is restricted to a single procedure. How to
specify computing reaching definitions.

an inter-procedural analysis in Datalog, that is, an
analysis of a program involving multiple procedures. How
to specify computing points-to information.

Question 4

intra-procedural dataflow analysis

Answer 4

The specification of reaching definitions analysis is as follows:
OUT[n] = (IN[n] - KILL[n]) ∪ GEN[n]
IN[n] = U n’ ∈ predecessors[n] OUT[n’]

Question 5

KILL[n]

Answer 5

set of definitions killed at program point n

Question 6

GEN[n]

Answer 6

the set of
definitions generated at program point n

Question 7

predecessors(n)

Answer 7

the set of program
points that immediately precede program point n in the input procedure’s control-flow
graph.

Question 8

define the relation kill(n:N, d:D)

Answer 8

the definition d is in the KILL set
of program point n …
the relation gen(n:N, d:D) to mean that the definition d is in the GEN set of program
point n …

Question 9

the relation gen(n:N, d:D)

Answer 9

the definition d is in the GEN set of program
point n …

Question 10

next(n:N, m:N)

Answer 10

that program point m is an immediate
successor of program point n, or equivalently, that program point n is an immediate
predecessor of program point m.

Question 11

in(n:P, d:D)

Answer 11

the relation that asserts that the
definition d is a member of the IN set of program point n—that is, definition d may
reach the program point just before n …

Question 12

out(n:P, d:D)

Answer 12

definition d is a member of the OUT
set of program point n—that is, definition d may reach the program point just after n.

Question 13

rules of inference to compute the IN and OUT sets.

Answer 13

out(n, d) :- gen(n, d).
out(n, d) :- in(n, d), !kill(n, d).
in(m, d) :- out(n, d), next(n, m).