Demand-driven Alias Analysis : Formalizing Bidirectional Analyses for Soundness and Precision

name. We compute demand in terms of abstract names. The abstract names of an access expression α are normalized access expressions obtained by • eliminating pointer indirections (∗ and→) in α by their pointee variables in A, and • replacing the variables by its type in case of type-based abstraction. Let x be a pointer to an object,y be a pointer to a pointer to an object and a be an object of type τ . Abstract names for different access expressions is shown in Table 1. Entry in row absName(α ,A)asb depicts the abstract names computed using allocation-site-based abstraction and absName(α ,A)tba depicts the abstract names computed using type-based abstraction. Abstract name for access expression ∗x will never be encountered. This is because program will model such a use by copy of an object which copies all the members of one object to respective members of another object. , Vol. 1, No. 1, Article . Publication date: February 2018. :10 Swati Jaiswal, Uday P. Khedker, and Supratik Chakraborty Algorithm 1 Worklist based demand-driven alias analysis algorithm with improved speculation (Id) 1: procedure Id 2: for each node n in program P do 3: Set Dinn ,Doutn ,Ainn,Aoutn as ∅ 4: Dworklist = {n | n ∈ origin} 5: Aworklist = {startNode} 6: while Dworklist is not empty or Aworklist is not empty do 7: while Dworklist is not empty do 8: Select a node n from Dworklist 9: OldDinn = Dinn 10: Compute Doutn , Dgenn , Dkilln and Dinn using Equations 4, 5, 6, 3. 11: if OldDinn ! = Dinn then 12: add predecessors of n to Dworklist and Aworklist 13: while Aworklist is not empty do 14: Select a node n from Aworklist 15: OldAoutn = Aoutn 16: Compute Ainn , Agenn , Akilln and Aoutn using Equations 10, 12, 13, 11. 17: if OldAoutn ! = Aoutn then 18: add successors of n to Aworklist and Dworklist 3.2 Data Flow Equations for Intraprocedural Version Let the virtual call statements be recorded in the set origin. Our data flow equations compute the following for each statement n : ln = r n : (i) the demands (Dinn/Doutn), and (ii) the alias relationships (Ainn/Aoutn). The equations have a bidirectional dependency because of the dependence of Dinn/Doutn (Equations 3 and 4) on Ainn/ Aoutn (Equations 10 and 11). Startp and Endp denote the entry and exit nodes of procedure p. At the intraprocedural level, the boundary information BI associated with these nodes is ∅. The changes for interprocedural propagation is described towards the end of this section. The algorithm to perform our proposed demand-driven method with improved speculation (henceforth denoted as Id) is presented in Algorithm 1. The algorithm terminates when simultaneous fixed point computation of both the aliases and demands are reached. The inner loops represent individual fixed point computations of demands and aliases for a round of mutual dependence between them. The first innerwhile loop represents fixed point computation of demands using aliases from the previous round and the second inner while loop represents fixed point computation of aliases using demands from the same round. This is more formally represented and proved to be the MFP solution in Lemma 4 in Section 6. Computing the demand. The equations forDinn/Doutn are backward data flow equations which raises demands in the form of abstract name. We thus transform l and r of statement n to its appropriate abstract name form as ln = absName(ln ,Ainn) rn = absName(r n,Ainn) 3 The nature of statements recorded in the set origin is governed by the application. The set origin can be suitably redefined for any other demand-driven application. , Vol. 1, No. 1, Article . Publication date: February 2018. Demand-driven Alias Analysis :11 Complete demand at a program point is computed with the help of the alias closure (Equation 2) for the demand stored in Dinn/Doutn . Consider α ∈ Doutn and an alias (α , β) ∈ Aoutn , then alias closure of the demand will identify {α , β} ⊆ Dout ′ n . We use the below notation to denote the complete demand computed by taking alias closure at a program point. Dout ′ n = Aoutn(Doutn) Equation 5 represents the demand generated for statement n. When ln belongs to the demand raised at out of statement n, we raise demand for r n and when rn belongs to the demand raised at out of statement n, we raise demand for ln . This gives rise to four cases while computing Dgenn which are, (a) when both l and r belongs to the demand at out, (b) when only l belongs to the demand at out, (c) when only r belongs to the demand at out, or (d) when neither l nor r belongs to the demand at out. Also, demand needs to be raised at the point of virtual function call recorded in the set origin. This condition is combined with case (b) of the Dgenn Equation 5. We perform weak update due to the use of an abstraction to model objects on heap. We kill demand only when ln is of the form x . We overload ⊆ operator such that ln ⊆ Dout ′ n implies ln , ∅ ∧ ln ⊆ Dout ′ n . Dinn = (Doutn − Dkilln) ∪ Dgenn (3) Doutn =   BI n is Endp ⋃ s ∈succ(n) Dins otherwise (4) Dgenn =   LDgen(r n ,Ainn) ∪ RDgen(ln) ln ⊆ Dout ′ n ∧ rn ⊆ Dout ′ n LDgen(r n ,Ainn) ln ⊆ Dout ′ n ∨ n ∈ origin RDgen(ln) rn ⊆ Dout ′ n ∅ otherwise (5) Dkilln = {ln | ln ≡ x} (6) We compute Dgen as a union of LDgen and RDgen. LDgen is computed when abstract name of l belongs to Doutn . In such a case demand for r needs to be raised. RDgen is computed when abstract name of r belongs to Doutn . In such a case demand for l needs to be raised. Further, the demand for r is generated incrementally depending upon the aliases of the base of r . First case for LDgen involve access expression whose base(r ) , ∅ which represents access expressions of the form ∗x or x → f . It raises demand for the var involved in the access expression and also the abstract name of the entire access expression. Second case refers to the access expression of the form &x and third case considers access expression of the form x and x . f . Demand for address-of a variable is raised using addrExpr as per our proposed speculation. LDgen(r ,A) =   var(r ) ∪ addrExpr(r ) ∪ absName(r ,A) base(r ) , ∅ {r } isAddr(r ) absName(r ,A) ∪ addrExpr(r ) var(r ) , ∅ ∅ otherwise (7) RDgen(l) = base(l) ∪ addrExpr(l) (8)