context-sensitive flow analysis using instantiation constraints cs 343, spring 01/02 john whaley...
Post on 20-Dec-2015
214 views
TRANSCRIPT
![Page 1: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/1.jpg)
Context-Sensitive Flow Analysis Using Instantiation Constraints
CS 343, Spring 01/02John Whaley
Based on a presentation by Chris Unkel
![Page 2: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/2.jpg)
Instantiation Constraints Flow-insensitive Context-sensitive Handles higher-order functions
(function pointers) smoothly “Flow” analysis (“provenance”
analysis) Inspired by Henglein’s Type Inference
with Polymorphic Recursion 1993 Constraint-based analysis
![Page 3: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/3.jpg)
Constraint-Based Analysis Pattern of program analysis Program is read to produce abstract
representation—set of constraints Graph System of equations
Abstract representation is processed Result is examined to tell us about the
program
![Page 4: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/4.jpg)
Types
a2 ptr3
a4
Alpha type Pointer type
pointer
pointee
func4
a5 a6
Function type
function
input return
![Page 5: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/5.jpg)
Equality Constraint Result of an assignment Values flow both ways
From *x to *y From *y to *x
Handle with unification
*x = *y;x: ptr1
*x: a2
y: ptr3
*y: a4
![Page 6: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/6.jpg)
Instantiation Constraint Used to make connections across
procedures Values flow one direction only Generated by naming functions Identified with labels
int foo(int x)
{ … }
…
foo1(b);
foo: func
4x: a5
a6
foo1: func
1b: a2 a3
)1
![Page 7: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/7.jpg)
Call Id Twice Exampleint *id(int *x)
{
return x;
}
void main(void)
{
int *a, *b, *c, *d;
int e, f;
b = &e;
d = &f;
a = id1(b);
c = id2(d);
}
![Page 8: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/8.jpg)
Generated Graph
id: func
x: a5
a: ptrb: ptr c: ptrd: ptr
fe *a *c
id2: func
id1: func
)1 )2
![Page 9: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/9.jpg)
Processing Rules (1)foo: func
4x: a5
a6
foo1: func
1b: a2 a3
)1
foo: func
4x: a5
a6
foo1: func
1b: a2 a3
)1
)1(1
![Page 10: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/10.jpg)
Processing Rules (2)
ptr1
a2
ptr3
a4
)1
(1
ptr1
a2
ptr3
a4
)1
(1
)1
ptr1
a2
ptr3
a4
ptr1
a2
ptr3
a4
)1
(1
(1
![Page 11: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/11.jpg)
Processing Rules (3)
a1 a3
)1(1
a2
a1 a3
)1(1
a2
a1, a3
)1 (1
a2
“Closure rule”
![Page 12: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/12.jpg)
Generated Graph
id: func
x: a5
a: ptrb: ptr c: ptrd: ptr
fe *a *c
id2: func
id1: func
)1 )2
![Page 13: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/13.jpg)
Processing Graph (1)
id: func
x: a5
a: ptrb: ptr c: ptrd: ptr
fe *a *c
id2: func
id1: func
)2
)2
)1
(2
![Page 14: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/14.jpg)
Processing Graph (2)
id: func
x: a5
a: ptrb: ptr c: ptrd: ptr
fe *a *c
id2: func
id1: func
)2
)2
)1
(2
![Page 15: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/15.jpg)
Processing Graph (3)
id: func
x: a5
a: ptrb: ptr c, d: ptr
fe *a
id2: func
id1: func
)2
)2
)1
(2
![Page 16: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/16.jpg)
Processing Graph (4)
id: func
x: a5
a: ptrb: ptr c, d: ptr
fe *a
id2: func
id1: func
)2
)2
)1
(2(1
)1
![Page 17: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/17.jpg)
Processing Graph (5)
id: func
x: a5
a: ptrb: ptr c, d: ptr
fe *a
id2: func
id1: func
)2
)2
)1
(2(1
)1
![Page 18: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/18.jpg)
Result
id: func
x: a5
a, b: ptr
c, d: ptr
fe
id2: func
id1: func
)2
)2
)1
(2(1
)1
![Page 19: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/19.jpg)
Result
id: func
x: a5
a, b: ptr
c, d: ptr
fe
id2: func
id1: func
)2
)2
)1
(2(1
)1
![Page 20: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/20.jpg)
Nuts and Bolts Build the constraints for a procedure Simplify those constraints Instantiate (copy) those constraints
to the callers
Polarity: Distinguish between function inputs and
outputs
![Page 21: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/21.jpg)
Using the Results A value in on variable can end up in a
second if: There is a path in the graph consisting of 0 or more red/close paren edges followed by 0 or more green/open paren edges
From a to x: yes From a to c: no
**()
![Page 22: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/22.jpg)
An Application Format String Vulnerability
Some format strings can cause data to be overwritten
E.g. “%n%n%n%n%n%n%n%n” Malicious format string can gain control
of program Problem formulation
Values should not flow from an unsafe source to a format string
Source, network in recv Format string, first argument to printf
![Page 23: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/23.jpg)
Inst. Constraints Summary Result shows provenance—source of
values Can be used as a pointer analysis Algorithm is actually undecidable
But seems to run quickly in practice Context-sensitive
Paren-matching through closure rule Interesting base analysis to build tools
on
![Page 24: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/24.jpg)
The End
![Page 25: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/25.jpg)
Some Other Pointer Work Andersen
Flow-insensitive, with directional assignments
Assignment copies points-to set of rhs to lhs Cycles make it slow; other work to find and
collapse cycles Das (“one level flow”)
One pointer level of directionality Handles the common cases in C well
Multiple return values, altering parameters
Wilson and Lam Flow-sensitive, context-sensitive
![Page 26: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/26.jpg)
Further ReadingManuvir Das. Unification-Based Pointer Analysis with Directional
Assignments. Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation, Vancouver, BC, Canada, June 2000.
Manuel Fahndrich, Jakob Rehof, Manuvir Das. Scalable context-sensitive flow analysis using instantiation constraints. Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation, Vancouver, BC, Canada, June 2000.
R. P. Wilson and M. S. Lam. Efficient context-sensitive pointer analysis for C programs. Proceedings of the ACM SIGPLAN 1995 Conference on Programming Language Design and Implementation, June 1995.
L.O. Andersen. Program analysis and specialization for the C programming language. Technical Report 94-19, University of Copenhagen, 1994.
![Page 27: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/27.jpg)
Overview Steensgaard ’95
Flow-insensitive, context-insensitive alias analysis
Liang and Harrold ’99 Straightforward context-sensitive
extension of Steensgaard Fahndrich, Rehof, Das ’00
Context-sensitive extension of Steensgaard that handles function pointers and higher-order functions smoothly
![Page 28: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/28.jpg)
Steensgaard Preliminaries “Type inference”
Types here do not refer to integer, char, etc!
“Non-standard” or “extended” types Two objects sharing the same type have
some property in common Point to the same things
Each variable in the program has a type Type rules describe a consistent typing
Points-to sets vs. alias pairs Begin by ignoring the conditional join
stuff
![Page 29: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/29.jpg)
Steensgaard Basic operation
After an assignment x=y, x and y point to the same set of things (*x and *y are the same)
Non-directional: x=y has same effect as y=x Also implies that *x and *y point to the same
set of things (and **x and **y, and so on) Alias relation (not points-to relation) is
symmetric, reflexive, transitive Types can be grouped into equivalence
classes of objects that point to the same things
Assignment joins equivalence classes of pointees together
![Page 30: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/30.jpg)
Steensgaard Example (1)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
x
y
z
&x
&y
&z
*a
*c
*b
*y
![Page 31: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/31.jpg)
Steensgaard Example (2)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
x
y
z
&x
&y
&z
*a
*c
*b
*y
![Page 32: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/32.jpg)
Steensgaard Example (3)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
y
z
&x
&y
&z
*a, x
*c
*b
*y
![Page 33: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/33.jpg)
Steensgaard Example (4)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
y
z
&x
&y
&z
*a, x
*c
*b
*y
![Page 34: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/34.jpg)
Steensgaard Example (5)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c z
&x
&y
&z
*a, x
*c
*b, y
*y
![Page 35: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/35.jpg)
Steensgaard Example (6)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c z
&x
&y
&z
*a, x
*c
*b, y
*y
![Page 36: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/36.jpg)
Steensgaard Example (7)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
&x
&y
&z
*a, x
*c
*b, y
*y, z
![Page 37: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/37.jpg)
Steensgaard Example (8)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
&x
&y
&z
*a, x
*c
*b, y
*y, z
![Page 38: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/38.jpg)
Steensgaard Example (9)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
&x
&y
&z
*a, x, *y,
z
*c
*b, y
![Page 39: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/39.jpg)
Steensgaard Example (10)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
&x
&y
&z
*a, x, *y,
z
*c
*b, y
![Page 40: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/40.jpg)
Steensgaard Example (Result)a = &x;
b = &y;
if (p)
y = &z;
else
y = &x;
c = &y;
a
b
c
&x
&y
&z
*a, x, *y,
z
*b, y, *c
![Page 41: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/41.jpg)
Observation: forcing pointees to join is sometimes too strong an action Assignment is really directional After x=y, x points to everything y points to Using a directional assignment prevents
using equivalence classes/union find But, if y’s points-to set is null, OK to do
nothing When we see x=y for y not a pointer
(bottom type in this notation), don’t join immediately, but record the fact that if y later is found to point to something, we must join it with x.
![Page 42: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/42.jpg)
A Typing RuleGIVEN
x : ref(a) x has type pointer to type ay : ref(b) y has type pointer to type bb a b is not a pointer type, or
a and b are the same typewe conclude that
welltyped (x = y) our types are well-typed for statement x = y (we have a consistent points-to graph)
Reading downward verifies consistency; upward gives constraints.
![Page 43: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/43.jpg)
Steensgaard Summary Fast union-find allows solution in
“near-linear” (linear times inverse Ackerman’s function) time
Does not handle structs (but see later paper by same author)
Flow-insensitive Context-insensitive Non-directional assignments
![Page 44: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/44.jpg)
Liang & Harrold Operation Do Steensgaard within each procedure
to build a summary Then do bottom-up, top-down
propagation of results Bottom-up: aliases from callees to callers Top-down: from callers to callees
“FICS”=flow-insensitive context-sensitive
![Page 45: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/45.jpg)
L & H Example (1)int *id(int *x)
{
return x;
}
int e, f;
void main(void)
{
int *a, *b, *c, *d;
b = &e;
d = &f;
a = id(b);
c = id(d);
}
main
id
![Page 46: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/46.jpg)
L & H Example (2) (Phase 1)
a idret
*x, *idret
xb c d
fe
This is the result of applying Steensgaard to eachprocedure individually; the result is a summary of
the pointer behavior of each function.
main id
![Page 47: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/47.jpg)
L & H Example (3) (Phase 2)
a idret
*x, *idret
xb c d
fe
Propagate pointer information from callees tocallers (apply summaries of called functions.)Bind formals to actuals, and returns to where
they are assigned. (Bottom-up phase.)
main id
bindings
inducededge
First call site
![Page 48: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/48.jpg)
L & H Example (4) (Phase 2)
a idret
*x, *idret
xb c d
fe
main id
Second call site
![Page 49: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/49.jpg)
L & H Example (5) (Phase 3)
a idret
*x, *idret, e
xb c d
fe
Propagate pointer information from callersto callees. (Top-down phase.)
main id
First call site
![Page 50: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/50.jpg)
L & H Example (6) (Phase 3)
a idret
*x, *idret, e, f
xb c d
fe
main id
Second call site
![Page 51: Context-Sensitive Flow Analysis Using Instantiation Constraints CS 343, Spring 01/02 John Whaley Based on a presentation by Chris Unkel](https://reader031.vdocuments.site/reader031/viewer/2022032704/56649d435503460f94a1f5cb/html5/thumbnails/51.jpg)
L & H Summary Cycles in call graph
In BU/TD phases, iterate among procedures in each SCC to find a fixpoint
Presumes call graph pre-exists With function pointers, need pointer
analysis to provide call graph! Algorithm as expressed doesn’t handle
function pointers