scispace - formally typeset
Search or ask a question
Book ChapterDOI

Scalable Context-Sensitive Points-to Analysis Using Multi-dimensional Bloom Filters

Rupesh Nasre1, Kaushik Rajan2, Ramaswamy Govindarajan1, Uday P. Khedker3
Indian Institute of Science1, Microsoft2, Indian Institute of Technology Bombay3
03 Dec 2009-pp 47-62
TL;DR: A scalable flow-insensitive context-sensitive inclusion-based points- to analysis that uses a specially designed multi-dimensional bloom filter to store the points-to information that achieves almost the same precision as the exact implementation.
Abstract: Context-sensitive points-to analysis is critical for several program optimizations. However, as the number of contexts grows exponentially, storage requirements for the analysis increase tremendously for large programs, making the analysis non-scalable. We propose a scalable flow-insensitive context-sensitive inclusion-based points-to analysis that uses a specially designed multi-dimensional bloom filter to store the points-to information. Two key observations motivate our proposal: (i ) points-to information (between pointer-object and between pointer-pointer) is sparse, and (ii ) moving from an exact to an approximate representation of points-to information only leads to reduced precision without affecting correctness of the (may-points-to) analysis. By using an approximate representation a multi-dimensional bloom filter can significantly reduce the memory requirements with a probabilistic bound on loss in precision. Experimental evaluation on SPEC 2000 benchmarks and two large open source programs reveals that with an average storage requirement of 4MB, our approach achieves almost the same precision (98.6%) as the exact implementation. By increasing the average memory to 27MB, it achieves precision upto 99.7% for these benchmarks. Using Mod/Ref analysis as the client, we find that the client analysis is not affected that often even when there is some loss of precision in the points-to representation. We find that the NoModRef percentage is within 2% of the exact analysis while requiring 4MB (maximum 15MB) memory and less than 4 minutes on average for the points-to analysis. Another major advantage of our technique is that it allows to trade off precision for memory usage of the analysis.

Summary (3 min read)

Jump to: [1 Introduction][2 Background][2.1 Context-Sensitive Points-to Analysis][2.2 Bloom Filter][3 Points-to Analysis using Bloom Filters][3.1 Multi-Dimensional Bloom Filter][4.1 Implementation Details and Experimental Setup][4.2 Tradeoff between Precision, Memory and Analysis Time][4.3 Mod/Ref Analysis as a Client to Points-to Analysis][5 Related Work.] and [6 Conclusions]

1 Introduction

  • Pointer analysis enables many compiler optimization opportunities and remains as one of the most important compiler analyses.
  • The objective of a context-sensitive points-to analysis is to construct, for each pointer and context, a set containing all the memory locations that the pointer can point to in that context.
  • The third dimension (hash functions) is essential to control loss in precision.
  • In effect, multibloom significantly reduces the memory requirement with a very low probabilistically bound loss in precision.
  • The major contributions of this paper are: – We propose a multi-dimensional bloom filter that can compactly represent the points-to information with almost no loss in precision.the authors.the authors.

2 Background

  • General purpose languages like C pose many challenges to the compiler community.
  • Use of pointers hinders many compiler optimizations.
  • Pointers with multiple indirections, pointers to functions, etc. only add to these challenges.
  • The authors analysis handles all aspects of C (including recursion), except variable number of arguments.

2.1 Context-Sensitive Points-to Analysis

  • A context-sensitive points-to analysis distinguishes between various calling contexts of a program and thus, is able to more accurately determine the points-to information compared to the context-insensitive version [5].
  • The number of distinct paths from main to the leaf nodes in the graph is equal to the number of different contexts the program has.
  • Therefore, for a context-sensitive points-to analysis, the number of points-to tuples can be exponential (in the number of functions in the program).
  • Reducing the storage requirements of a context-sensitive points-to analysis has attracted much research in pointer analysis.
  • Absolute values of memory and time required are substantially high.

2.2 Bloom Filter

  • Note that element 3 also hashes to the same location as 13.
  • This introduces false positives, as the membership query would return true for element 3 even if it is not inserted.
  • The false positive rate can be reduced drastically by using multiple hash functions.
  • P = (1/2)d (1 − nd N ) (1) This is under the assumption that the individual hash functions are random and different hash functions are independent.
  • Unlike traditional data structures used in points-to analysis[5][8], time to insert elements in a bloom filter and to check for their membership is independent of the number of elements in the filter.

3 Points-to Analysis using Bloom Filters

  • A naive implementation stores context-sensitive points-to tuples in a bloom filter by hashing the tuple 〈p, c, x〉 and setting that bit in the bloom filter.
  • One way to solve this problem is to keep track of the set of all pointees .
  • This way, the query FindPointsTo(p, c) to find the points-to set for a pointer p under context c is answered by checking the bits that are set for each of the pointees.
  • It requires storing all possible pointees, making it storage inefficient.

3.1 Multi-Dimensional Bloom Filter

  • The proposed multi-dimensional bloom filter is a generalization of the basic bloom filter introduced in Section 2.2.
  • To obtain a good balance of storage requirement, analysis time and precision, the authors employ a combination of the above two techniques.
  • The conservative strategy results in little precision loss considering that less than 1% of all dynamic pointer statements contain more than two levels of pointer indirections (obtained empirically).
  • Extending multibloom for two-level pointers makes it look like mb[P ][S][C][D][B] where S is the number of entries for pointers that are pointees of a two-level pointer.
  • Therefore the number of entries per bloom filter would be twice the average number of pointees per context-wise pointer.

4.1 Implementation Details and Experimental Setup

  • All their implementation is done in the LLVM compiler infrastructure[13] and the analysis is run as a post linking phase.
  • Neither version implements optimizations like offline variable substitution[16].
  • Their characteristics are given in Table 1.
  • The authors empirically found that the number of entries S for pointers pointed to by two-level pointers gives a good trade off between memory and precision for S = 5.
  • From now on, when the authors report the results, they refer to the multibloom configuration by the tuple (C−D−B).

4.2 Tradeoff between Precision, Memory and Analysis Time

  • In Tables 3-4 the authors report the precision, time and memory requirements for various benchmarks.
  • At the other end, medium and large config- urations achieve full precision for all the benchmarks with significant savings in memory requirement for those requiring at least 15MB memory.
  • For larger benchmarks the authors see significant improvements in analysis time using bloom filter.
  • One unique advantage of using multibloom is the user-control over various parameters to trade off precision for memory or vice versa.
  • The authors observe that with at most 1% reduction in average precision, they can obtain around 18% reduction in average memory requirement.

4.3 Mod/Ref Analysis as a Client to Points-to Analysis

  • Next the authors analyze how the loss in precision in the points-to analysis due to false positives affect the client analyses.
  • The authors use the Mod/Ref analysis as the client of their multibloom based points-to analysis.
  • For a query GetModRef(callsite, pointer), the Mod/Ref analysis checks whether callsite reads or modifies the memory pointed to by pointer.
  • From the figure, it can be seen that the NoModRef percentage with multibloom is 96.9% of the exact analysis even with a tiny configuration.
  • For scalable analyses, one can reduce these values trading off some precision.

6 Conclusions

  • In this paper the authors propose the use of multi-dimensional bloom filter for storing points-to information.
  • The proposed representation, though, may introduce false positives, significantly reduces the memory requirement and provides a probabilistic lower bound on loss of precision.
  • With average 4MB memory, multibloom achieves almost the same (98.6%) precision as the exact analysis taking about average 4 minutes per benchmark.
  • Using Mod/Ref analysis as the client, the authors find that the client analysis is not affected that often even with some loss of precision in points-to representation.
  • The authors approach, for the first time, provides user a control on the memory requirement, yet giving a probabilistic lower bound on the loss in precision.

Did you find this useful? Give us your feedback

Figures (7)

Content maybe subject to copyright    Report

Scalable Context-Sensitive Points-To Analysis
using Multi-Dimensional Bloom Filters.
Rupesh Nasre
1
, Kaushik Rajan
2
, R. Govindarajan
1
, Uday P. Khedker
3
.
1
Indian Institute of Science, Bangalore, India
2
Microsoft Research, Bangalore, India
3
Indian Institute of Technology, Bombay, India.
nasre@csa.iisc.ernet.in, kaushik@msr.microsoft.com,
govind@serc.iisc.ernet.in, uday@cse.iitb.ac.in
Abstract. Context-sensitive points-to analysis is critical for several pro-
gram optimizations. However, as the number of contexts grows exponen-
tially, storage requirements for the analysis increase tremendously for
large programs, making the analysis non-scalable. We propose a scal-
able flow-insensitive context -sensitive inclusion-based points-to analysis
that uses a specially designed multi-dimensional bloom filter to store
the points-to information. Two key observations motivate our proposal:
(i) points-to information (between pointer-object and between pointer-
pointer) is sparse, and (ii) movin g from an exact to an approximate
representation of points-to information only leads to reduced precision
without affecting correctness of the (may-points-to) analysis. By using
an approximate representation a multi-dimensional bloom filter can sig-
nificantly reduce the memory requirements with a probabilistic bound
on loss in precision. Experimental evaluation on SPEC 2000 benchmark s
and two large op en source programs reveals that with an average storage
requirement of 4MB, our approach achieves almost the same precision
(98.6%) as the exact implementation. By increasing the average mem-
ory to 27MB, it achieves p recision upto 99.7% for these benchmarks.
Using Mod/Ref analysis as the client, we find that the client analysis
is not affected that often even when there is some loss of precision in
the points-to representation. We fin d that the NoModRef percentage is
within 2% of the exact analysis while requiring 4MB (maximum 15MB)
memory and less than 4 minutes on average for the points-to analysis.
Another major advantage of our technique is that it allows to trade off
precision for memory usage of the analysis.
1 Introduction
Pointer analysis enables many compiler optimization opportunities and remains
as one of the most important compiler ana ly ses. For c lient analyses, both pre-
cision and speed of the underlying pointer analysis play a vital role. Several
context-insensitive algorithms have been shown to scale well for large programs
[1][2][3][4]. However, these algorithms are significantly less precise for rea l world
programs compared to their context-sensitive counterparts[5][6][7][8 ]. Unfortu-
nately, c ontext-sensitive pointer analysis improves precision at the cost of high
often unacceptable storage req uirement and analysis time. These large over-
heads ar e an artifact of the la rge number of contexts that a program might
have. For example, the SPEC2000 be nchmark eon has 19K pointers if we do not
consider context infor mation but the number increases to 417K pointers if we
consider all context-wise pointers. Scaling a context sensitive points-to analysis
is therefore a challenging task. Recent research (see Related Work in Section
5) has focused on the scalability aspect of context-sensitive points-to analysis
and achieves moderate success in that dir e ction[9][4]. However, the memory re-
quirements are still considerably large. For instance, in [9], most of the larger
benchmarks require over 100 MB for points-to analysis. Hence, scalability still
remains an issue. Also, none of the current analyses provide a handle to the user
to control the memo ry usage of a points-to analysis. Such a feature will be useful
when analyzing a progr am in a memor y constrained environment.
The objective of a context-sensitive points-to analysis is to construct, for
each pointer and context, a set containing all the memory locations (pointees)
that the pointer can point to in that context. This paper proposes a new way of
representing points-to information using a special kind of bloom filter[10] that
we call a multi-dimensional bloom filter.
A bloom filter is a compact, and approximate, representation (typically in
the form of bit vectors) of a set of elements which trades off some precision
for significa nt savings in memory. It is a lossy repre sentation that can incur
false positives, i.e., an element not in the set may be answered to be in the set.
However, it does not have false negatives, i.e., no element in the set would be
answered as not in the set. To mainta in this property, the operations on a bloom
filter are restricted so that items can only be added to the set but can never
be deleted
1
. Our motivation for using blo om filters for context-sensitive flow-
insensitive points to analysis stems from the following three key observations.
Conservative static analysis: As with any other compiler analysis, static
points-to analysis tends to be conservative as correctness is an absolute re-
quirement. Thus, in c ase of sta tic may-points-to analysis, a pointer not point-
ing to a variable at run time can be considered otherwise, but not vice-versa.
As a bloom filter does not have fa lse negatives, a repr e sentation that uses
bloom filters is safe. A bloom filter can only (falsely) answer that a pointer
points to a few e xtra pointees. This only makes the analysis less precise and
does not po se any threat to c orrectness. Further, as a bloom filter is designed
to e fficiently trade off pr ecision for space it is an attractive representation to
enable sca lability of points-to analysis.
Sparse points-to information: The number of pointees that each context-
wise pointer (pointer under a given context) actually points to is many or-
ders of magnitude less than both the number of context-wise pointers and
the total number of potential pointees. Hence, though the points-to set can
1
Some modified bloom filter structures[11] have been proposed that can support dele-
tion but they do so at the expense of introducing false negatives.
potentially be very large, in practice, it is typically small a nd sparse. A
bloom filter is idea lly suited to repr e sent data of this kind. When the set is
sparse, a bloom filter c an significantly reduce the memory requirement with
a probabilistically low bound o n loss in precision.
Monotonic data flow analysis: As long as the underlying analysis uses
a monotonic iterative data flow analysis, the size of the points-to set can
only increase monotonically. This makes a bloom filter a suitable choice as
monotonicity guarantees that there is no need to support deletions.
The above observations make a bloom filter a promising candidate for represent-
ing points-to information. However, using the bloom filter as originally proposed
in [10] is not efficient for a context sensitive analysis. We therefore extend the
basic bloom filter to a multi-dimensional bloom filter (multibloom) to enable ef-
ficient storage and manipulation of context aware points-to information. The
added dimensions c orrespo nd to pointers, calling contexts, and hash functions.
The bloom filter is extended along the first two dimensions (pointers and calling
contexts) to support all the common pointer manipulation operations (p = q,
p = &q, p = q and p = q) and the query operation DoAlias(p, q) efficiently.
The third dimension (hash functions) is essential to control loss in precision. We
theoretically show and empirically observe that larger the number of hash func-
tions, lower is the loss in precision. In effect, multibloom significantly reduces
the memory requirement with a very low pro babilistically bound loss in pre-
cision. The compact representation of points-to information allows the context
sensitive analysis to scale well with the program size.
The major contributions of this pap er are:
We propose a multi-dimensional blo om filter (multibloom) that can com-
pactly represent the points- to information with almost no loss in precision.
Using extended bloom filter operations, we develop a contex t-s e nsitive flow-
insensitive points-to analysis for C programs in the LLVM compilation in-
frastructure.
We show that by using multibloom, a user can control the total memory
requirement of a compiler analysis, unlike in most other analyses.
We demonstrate the eectiveness of multibloom through experimenta l evalu-
ation on 16 SPEC 2000 benchmarks and 2 real world applications. With less
than 4MB memory on average (maximum 15MB ), multibloom achieves more
than 98% precision, taking les s than 4 minutes per benchmark on average.
We also evaluate precision of a client Mod/ Ref analysis. We find that using
multibloom, the NoModRef percentage is within 1.3% of the exact analysis
while requiring 4MB memory and 4 minutes on average for the points-to
analysis.
2 Background
General purpose languages like C pose ma ny challenges to the compiler commu-
nity. Use of pointers hinders many compiler optimizations. Pointers w ith multiple
void main() {
S1: p1 = f(&x);
p3 = p1;
S2: p2 = f(&y);
}
int *f(int *a) {
S3: u = g(&x);
S4: v = g(&y);
return a;
}
int *g(int *b) {
return b;
}
int *u, *v;
g
f
main
ggg
f
S1 S2
S3 S4
S3 S4
Fig. 1. Example program and its invocation graph.
indirections, pointer s to functions, etc. only a dd to these challenges. For ana-
lyzing such complicated progr ams, however, it is sufficient to assume that all
pointer statements in the program are represented using one of the four basic
forms: address-of assignment (p = &q), copy assignment (p = q), load assignment
(p = q) and store assig nment (p = q)[12] (we describe how these statements
are handled by our analysis in Section 3). Our analysis handles all aspects of C
(including re c ursion), except variable number of arguments.
2.1 Context-Sensitive Points-to Analysis
A context-sensitive points-to analysis distinguishes between various calling con-
texts of a program and thus, is able to more accurately determine the points-to
information compared to the context-insensitive version [5]. This pre cision, how-
ever, comes at a price: storing the number of contexts, which is huge in a large
C progr am. Consider the example progra m and its invocation gr aph shown in
Figure 1. The invocation graph shows that for different contexts, function f has
2 instances and function g has 4 instances. The number of distinct paths from
main to the leaf nodes in the graph is equal to the number of different con-
texts the program has. In general, the numb er of contexts in a prog ram can
be exponential in terms of the number of functions. For instance, the number
of methods in the open source program pmd is 197 1, but it has 10
23
context-
sensitive paths[9]. Therefore, for a context-sensitive points-to analysis, the num-
ber of points-to tuples can be exponential (in the number of functions in the
program). The exponential blow up in the number of contexts, typically results
in an exponential blow up in the storage requirement for exact representation of
context-wise po ints-to tuples.
Reducing the storage requirements of a context-sensitive points- to analysis
has attracted much research in pointer analysis. Several novel approaches have
been proposed for scalable pointer analyses (see Section 5 for r e lated work).
Despite these advances, absolute values of memory and time required are sub-
stantially high. For instance, in [9], all the benchmarks having more than 10K
methods (columba, gantt, jxplorer, jedit, gruntspud) require over 100MB of mem-
ory. For the benchmarks we evaluate, we find that the number of pointers in-
creases by 1 or 2 orders of magnitude if we track them in a context-wise manner.
So it is po ssible that the memory and time requirements of a context-sensitive
analysis will be a few orders of ma gnitude higher than a context insensitive
analysis.
Our goal, in this paper, is to reduce this storage and e xecution time require-
ment of a context-sensitive points-to analysis. This is achieved by using a variant
of bloom filter, which sacrifices a small amount of precision. As we shall se e in
the next subsection, once the user fixes the size of a bloom filter, he/she can es-
timate a probabilistic bound on the loss in precision as a function of the average
number of pointees of a pointer (in a given context).
2.2 Bloom Filter
A bloom filter is a probabilistic data structure used to store a set of elements
and test the membership of a given element[10]. In its simplest form, a bloom
filter is an array of N bits. An element e belonging to the set is represented
by setting the kth bit to 1, where h(e) = k and h is the hash function mapping
element e to k
th
bit. For instance, if the hash function is h
1
(e) = (3 e+ 5)%N,
and if N = 10, then for elements e = 13 and 100, the bits 4 and 5 are set.
Membership of an element e is tested by using the same hash function. Note
that element 3 also hashes to the same location as 13. This intr oduces false
positives, as the membership query would retur n true fo r element 3 even if it is
not inse rted. Note, however, that there is no possibility of false negatives, since
we never reset any bit.
The false positive rate can be reduced drastically by using multiple hash
functions. Thus, if we use two hash functions for the above example, with
h
2
(e) = (e/2 + 9)%N , then the elements e = 13, 100 get hashed to bits
5, 9. No te that a membership query to 3 would return false as location 0 (cor-
responding to h
2
(3)) is 0, even though location 4 (corresponding to h
1
(3)) is set.
Thus, us ing multiple hash functions the false positives can be reduced.
The fals e positive rate P fo r a bloom filter of size N bits after n elements are
added to the filter with d hash functions is given by Equation 1 (from [10]).
P =
(1/2)
d
(1
nd
N
)
(1)
This is under the assumption that the individual hash functions are random and
different hash functions are independent. Unlike traditional data structures used
in points-to analy sis[5][8], time to insert elements in a bloom filter and to check
for their membership is independent of the number of elements in the filter.
3 Points-to Analysis using Bloom Filters
A points-to tuple hp, c, xi represents a pointer p pointing to variable x in calling
context c. A context is defined by a sequence of functions and their call-sites. A
naive implementation stores context-sensitive points-to tuples in a bloom filter
by hashing the tuple hp, c, xi and setting that bit in the bloom filter. This simple
Citations
More filters
Proceedings ArticleDOI
Parallel flow-sensitive pointer analysis by graph-rewriting

[...]

Vaivaswatha Nagaraj1, Ramaswamy Govindarajan1
Indian Institute of Science1
07 Oct 2013
TL;DR: This paper formulates the staged flow-sensitive pointer analysis as a graph-rewriting problem and implements the parallel algorithm using Intel Threading Building Blocks and demonstrates considerable scaling for 8 threads on a set of 10 benchmarks.
Abstract: Precise pointer analysis is a problem of interest to both the compiler and the program verification community. Flow-sensitivity is an important dimension of pointer analysis that affects the precision of the final result computed. Scaling flow-sensitive pointer analysis to millions of lines of code is a major challenge. Recently, staged flow-sensitive pointer analysis has been proposed, which exploits a sparse representation of program code created by staged analysis. In this paper we formulate the staged flow-sensitive pointer analysis as a graph-rewriting problem. Graph-rewriting has already been used for flow-insensitive analysis. However, formulating flow-sensitive pointer analysis as a graph-rewriting problem adds additional challenges due to the nature of flow-sensitivity. We implement our parallel algorithm using Intel Threading Building Blocks and demonstrate considerable scaling (upto 2.6x) for 8 threads on a set of 10 benchmarks. Compared to the sequential implementation of staged flow-sensitive analysis, a single threaded execution of our implementation performs better in 8 of the benchmarks.

21 citations

Book ChapterDOI
Parallel replication-based points-to analysis

[...]

Sandeep Putta1, Rupesh Nasre1
Indian Institute of Science1
24 Mar 2012
TL;DR: This article proposes a parallel version of context-sensitive inclusion-based points-to analysis for C programs that makes use of replication of points- to sets to improve parallelism and devise several novel optimizations to further improve the overall speed-up.
Abstract: Pointer analysis is one of the most important static analyses during compilation. While several enhancements have been made to scale pointer analysis, the work on parallelizing the analysis itself is still in infancy. In this article, we propose a parallel version of context-sensitive inclusion-based points-to analysis for C programs. Our analysis makes use of replication of points-to sets to improve parallelism. In comparison to the former work on parallel points-to analysis, we extract more parallelism by exploiting a key insight based on monotonicity and unordered nature of flow-insensitive points-to analysis. By taking advantage of the nature of points-to analysis and the structure of constraint graph, we devise several novel optimizations to further improve the overall speed-up. We show the effectiveness of our approach using 16 SPEC 2000 benchmarks and five large open source programs that range from 1.2 KLOC to 0.5 MLOC. Specifically, our context-sensitive analysis achieves an average speed-up of 3.4× on an 8-core machine.

17 citations

Cites background from "Scalable Context-Sensitive Points-t..."

  • ...[23,21] hashed contexts to alleviate the need to store complete context information....

    [...]

Proceedings ArticleDOI
Prioritizing constraint evaluation for efficient points-to analysis

[...]

Rupesh Nasre1, Ramaswamy Govindarajan1
Indian Institute of Science1
02 Apr 2011
TL;DR: This paper implements prioritized versions of Andersen's analysis, Deep Propagation, Hardekopf and Lin's Lazy Cycle Detection and Bloom Filter based points-to analysis, and reports significant improvements in the analysis times as well as the memory requirements for a large suite of programs.
Abstract: Pervasive use of pointers in large-scale real-world applications continues to make points-to analysis an important optimization-enabler. Rapid growth of software systems demands a scalable pointer analysis algorithm. A typical inclusion-based points-to analysis iteratively evaluates constraints and computes a points-to solution until a fixpoint. In each iteration, (i) points-to information is propagated across directed edges in a constraint graph G and (ii) more edges are added by processing the points-to constraints. We observe that prioritizing the order in which the information is processed within each of the above two steps can lead to efficient execution of the points-to analysis. While earlier work in the literature focuses only on the propagation order, we argue that the other dimension, that is, prioritizing the constraint processing, can lead to even higher improvements on how fast the fixpoint of the points-to algorithm is reached. This becomes especially important as we prove that finding an optimal sequence for processing the points-to constraints is NP-Complete. The prioritization scheme proposed in this paper is general enough to be applied to any of the existing points-to analyses. Using the prioritization framework developed in this paper, we implement prioritized versions of Andersen's analysis, Deep Propagation, Hardekopf and Lin's Lazy Cycle Detection and Bloom Filter based points-to analysis. In each case, we report significant improvements in the analysis times (33%, 47%, 44%, 20% respectively) as well as the memory requirements for a large suite of programs, including SPEC 2000 benchmarks and five large open source programs.

13 citations

Cites background or methods from "Scalable Context-Sensitive Points-t..."

  • ...[11] hashed contexts to alleviate the need to store the complete context information....

    [...]

  • ...For our experiments, we use the medium configuration [11] which results in less than 2% precision loss for the chosen benchmarks....

    [...]

  • ...analysis [1], BDD-based Lazy Cycle Detection [10], Deep Propagation [7] and Bloom Filters [11]) for SPEC 2000 benchmarks and five large open source programs (httpd, sendmail, gdb, wine-server and ghostscript) (Section V)....

    [...]

  • ...· We show the effectiveness of our approach by applying it on top of the state-of-the-art algorithms (Andersen s analysis [1], BDD-based Lazy Cycle Detection [10], Deep Propagation [7] and Bloom Filters [11]) for SPEC 2000 benchmarks and .ve large open source programs (httpd, sendmail, gdb, wine-server and ghostscript) (Sec­ tion V)....

    [...]

Posted Content
Dead code elimination based pointer analysis for multithreaded programs

[...]

Mohamed A. El-Zawawy1
Cairo University1
20 Dec 2012-arXiv: Software Engineering
TL;DR: In this article, the authors present a new approach for optimizing multi-headed programs with pointer constructs, which has applications in the area of certified code (proof-carrying code) where a justification or a proof for the correctness of each optimization is required.
Abstract: This paper presents a new approach for optimizing multitheaded programs with pointer constructs. The approach has applications in the area of certified code (proof-carrying code) where a justification or a proof for the correctness of each optimization is required. The optimization meant here is that of dead code elimination. Towards optimizing multithreaded programs the paper presents a new operational semantics for parallel constructs like join-fork constructs, parallel loops, and conditionally spawned threads. The paper also presents a novel type system for flow-sensitive pointer analysis of multithreaded programs. This type system is extended to obtain a new type system for live-variables analysis of multithreaded programs. The live-variables type system is extended to build the third novel type system, proposed in this paper, which carries the optimization of dead code elimination. The justification mentioned above takes the form of type derivation in our approach.

12 citations

Journal ArticleDOI
Dead code elimination based pointer analysis for multithreaded programs

[...]

Mohamed A. El-Zawawy1
Cairo University1
01 Apr 2012-Journal of the Egyptian Mathematical Society
TL;DR: A novel type system for flow-sensitive pointer analysis of multithreaded programs and a new operational semantics for parallel constructs like join-fork constructs, parallel loops, and conditionally spawned threads are presented.

12 citations

Cites background from "Scalable Context-Sensitive Points-t..."

  • ...The idea of context-sensitive approach [20,33] is to produce a points-to relation for the context of each call site of each procedure....

    [...]

References
More filters
Journal ArticleDOI
Space/time trade-offs in hash coding with allowable errors

[...]

Burton H. Bloom
01 Jul 1970-Communications of The ACM
TL;DR: Analysis of the paradigm problem demonstrates that allowing a small number of test messages to be falsely identified as members of the given set will permit a much smaller hash area to be used without increasing reject time.
Abstract: In this paper trade-offs among certain computational factors in hash coding are analyzed. The paradigm problem considered is that of testing a series of messages one-by-one for membership in a given set of messages. Two new hash-coding methods are examined and compared with a particular conventional hash-coding method. The computational factors considered are the size of the hash area (space), the time required to identify a message as a nonmember of the given set (reject time), and an allowable error frequency.The new methods are intended to reduce the amount of space required to contain the hash-coded information from that associated with conventional methods. The reduction in space is accomplished by exploiting the possibility that a small fraction of errors of commission may be tolerable in some applications, in particular, applications in which a large amount of data is involved and a core resident hash area is consequently not feasible using conventional methods.In such applications, it is envisaged that overall performance could be improved by using a smaller core resident hash area in conjunction with the new methods and, when necessary, by using some secondary and perhaps time-consuming test to “catch” the small fraction of errors associated with the new methods. An example is discussed which illustrates possible areas of application for the new methods.Analysis of the paradigm problem demonstrates that allowing a small number of test messages to be falsely identified as members of the given set will permit a much smaller hash area to be used without increasing reject time.

7,390 citations

"Scalable Context-Sensitive Points-t..." refers background or methods in this paper

  • ...However, using the bloom filter as originally proposed in [10] is not efficient for a context sensitive analysis....

    [...]

  • ...A bloom filter is a probabilistic data structure used to store a set of elements and test the membership of a given element[10]....

    [...]

  • ...The false positive rate P for a bloom filter of size N bits after n elements are added to the filter with d hash functions is given by Equation 1 (from [10])....

    [...]

  • ...This paper proposes a new way of representing points-to information using a special kind of bloom filter[10] that we call a multi-dimensional bloom filter....

    [...]

Journal ArticleDOI
Summary cache: a scalable wide-area web cache sharing protocol

[...]

Li Fan1, Pei Cao2, Jussara M. Almeida1, Andrei Z. Broder
University of Wisconsin-Madison1, Cisco Systems, Inc.2
01 Jun 2000-IEEE ACM Transactions on Networking
TL;DR: This paper demonstrates the benefits of cache sharing, measures the overhead of the existing protocols, and proposes a new protocol called "summary cache", which reduces the number of intercache protocol messages, reduces the bandwidth consumption, and eliminates 30% to 95% of the protocol CPU overhead, all while maintaining almost the same cache hit ratios as ICP.
Abstract: The sharing of caches among Web proxies is an important technique to reduce Web traffic and alleviate network bottlenecks. Nevertheless it is not widely deployed due to the overhead of existing protocols. In this paper we demonstrate the benefits of cache sharing, measure the overhead of the existing protocols, and propose a new protocol called "summary cache". In this new protocol, each proxy keeps a summary of the cache directory of each participating proxy, and checks these summaries for potential hits before sending any queries. Two factors contribute to our protocol's low overhead: the summaries are updated only periodically, and the directory representations are very economical, as low as 8 bits per entry. Using trace-driven simulations and a prototype implementation, we show that, compared to existing protocols such as the Internet cache protocol (ICP), summary cache reduces the number of intercache protocol messages by a factor of 25 to 60, reduces the bandwidth consumption by over 50%, eliminates 30% to 95% of the protocol CPU overhead, all while maintaining almost the same cache hit ratios as ICP. Hence summary cache scales to a large number of proxies. (This paper is a revision of Fan et al. 1998; we add more data and analysis in this version.).

2,174 citations

Proceedings ArticleDOI
Points-to analysis in almost linear time

[...]

Bjarne Steensgaard1
Microsoft1
01 Jan 1996
TL;DR: This is the asymptotically fastest non-trivial interprocedural points-to analysis algorithm yet described and is based on a non-standard type system for describing a universally valid storage shape graph for a program in linear space.
Abstract: We present an interprocedural flow-insensitive points-to analysis based on type inference methods with an almost linear time cost complexity To our knowledge, this is the asymptotically fastest non-trivial interprocedural points-to analysis algorithm yet described The algorithm is based on a non-standard type system. The type inferred for any variable represents a set of locations and includes a type which in turn represents a set of locations possibly pointed to by the variable. The type inferred for a function variable represents a set of functions It may point to and includes a type signature for these functions The results are equivalent to those of a flow-insensitive alias analysis (and control flow analysis) that assumes alias relations are reflexive and transitive.This work makes three contributions. The first is a type system for describing a universally valid storage shape graph for a program in linear space. The second is a constraint system which often leads to better results than the "obvious" constraint system for the given type system The third is an almost linear time algorithm for points-to analysis by solving a constraint system.

1,127 citations

"Scalable Context-Sensitive Points-t..." refers background or methods in this paper

  • ...Many scalable pointer analysis algorithms are context- and flow-insensitive [1]....

    [...]

  • ...To handle store statement ∗q = p where p is a single-level pointer and q is a two-level pointer, the cube mb[P ][1] of p is bitwise-ORed with each cube mb[Q][i] of q, ∀i = 1....

    [...]

  • ...Several context-insensitive algorithms have been shown to scale well for large programs [1][2][3][4]....

    [...]

  • ...Since inclusion-based analyses are costly, several unificationbased algorithms were introduced, trading off precision for speed [1], [18]....

    [...]

Program Analysis and Specialization for the C Programming Language

[...]

Lars Ole Andersen1, Peter Lee
University of Copenhagen Faculty of Science1
01 Jan 2005
TL;DR: This thesis presents an automatic partial evaluator for the Ansi C programming language, and proves that partial evaluation at most can accomplish linear speedup, and develops an automatic speedup analysis.
Abstract: Software engineers are faced with a dilemma. They want to write general and wellstructured programs that are flexible and easy to maintain. On the other hand, generality has a price: efficiency. A specialized program solving a particular problem is often significantly faster than a general program. However, the development of specialized software is time-consuming, and is likely to exceed the production of today’s programmers. New techniques are required to solve this so-called software crisis. Partial evaluation is a program specialization technique that reconciles the benefits of generality with efficiency. This thesis presents an automatic partial evaluator for the Ansi C programming language. The content of this thesis is analysis and transformation of C programs. We develop several analyses that support the transformation of a program into its generating extension. A generating extension is a program that produces specialized programs when executed on parts of the input. The thesis contains the following main results. • We develop a generating-extension transformation, and describe specialization of the various parts of C, including pointers and structures. • We develop constraint-based inter-procedural pointer and binding-time analysis. Both analyses are specified via non-standard type inference systems, and implemented by constraint solving. • We develop a side-effect and an in-use analysis. These analyses are developed in the classical monotone data-flow analysis framework. Some intriguing similarities with constraint-based analysis are observed. • We investigate separate and incremental program analysis and transformation. Realistic programs are structured into modules, which break down inter-procedural analyses that need global information about functions. • We prove that partial evaluation at most can accomplish linear speedup, and develop an automatic speedup analysis. • We study the stronger transformation technique driving, and initiate the development of generating super-extensions. The developments in this thesis are supported by an implementation. Throughout the chapters we present empirical results.

1,009 citations

"Scalable Context-Sensitive Points-t..." refers methods in this paper

  • ...Both versions are implemented by extending Andersen’s algorithm [15] for contextsensitivity....

    [...]

Proceedings ArticleDOI
Cloning-based context-sensitive pointer alias analysis using binary decision diagrams

[...]

John Whaley1, Monica S. Lam1
Stanford University1
09 Jun 2004
TL;DR: This paper presents the first scalable context-sensitive, inclusion-based pointer alias analysis for Java programs, and develops a system called bddbddb that automatically translates Datalog programs into highly efficient BDD implementations.
Abstract: This paper presents the first scalable context-sensitive, inclusion-based pointer alias analysis for Java programs. Our approach to context sensitivity is to create a clone of a method for every context of interest, and run a context-insensitive algorithm over the expanded call graph to get context-sensitive results. For precision, we generate a clone for every acyclic path through a program's call graph, treating methods in a strongly connected component as a single node. Normally, this formulation is hopelessly intractable as a call graph often has 10 14 acyclic paths or more. We show that these exponential relations can be computed efficiently using binary decision diagrams (BDDs). Key to the scalability of the technique is a context numbering scheme that exposes the commonalities across contexts. We applied our algorithm to the most popular applications available on Sourceforge, and found that the largest programs, with hundreds of thousands of Java bytecodes, can be analyzed in under 20 minutes.This paper shows that pointer analysis, and many other queries and algorithms, can be described succinctly and declaratively using Datalog, a logic programming language. We have developed a system called bddbddb that automatically translates Datalog programs into highly efficient BDD implementations. We used this approach to develop a variety of context-sensitive algorithms including side effect analysis, type analysis, and escape analysis.

618 citations

"Scalable Context-Sensitive Points-t..." refers background or methods in this paper

  • ...Recent research (see Related Work in Section 5) has focused on the scalability aspect of context-sensitive points-to analysis and achieves moderate success in that direction[9][4]....

    [...]

  • ...Several novel data structures have been used in the last decade to scale points-to analysis, like ROBDD[2][23][9], ZBDD[24]....

    [...]

  • ...For instance, in [9], most of the larger benchmarks require over 100 MB for points-to analysis....

    [...]

  • ...For instance, the number of methods in the open source program pmd is 1971, but it has 10(23) contextsensitive paths[9]....

    [...]

  • ...For instance, in [9], all the benchmarks having more than 10K methods (columba, gantt, jxplorer, jedit, gruntspud) require over 100MB of memory....

    [...]

Related Papers (5)
Points-to analysis in almost linear time

[...]

01 Jan 1996
Bjarne Steensgaard
Unification-based pointer analysis with directional assignments

[...]

01 May 2000
Manuvir Das
Partial online cycle elimination in inclusion constraint graphs

[...]

01 May 1998
Manuel Fähndrich, Jeffrey S. Foster, Zhendong Su, Alex Aiken 
Program Analysis and Specialization for the C Programming Language

[...]

01 Jan 2005
Lars Ole Andersen, Peter Lee
Making context-sensitive points-to analysis with heap cloning practical for the real world

[...]

10 Jun 2007
Chris Lattner, Andrew Lenharth, Vikram Adve
Frequently Asked Questions (18)
Q1. What contributions have the authors mentioned in the paper "Scalable context-sensitive points-to analysis using multi-dimensional bloom filters" ?

The authors propose a scalable flow-insensitive context-sensitive inclusion-based points-to analysis that uses a specially designed multi-dimensional bloom filter to store the points-to information. Experimental evaluation on SPEC 2000 benchmarks and two large open source programs reveals that with an average storage requirement of 4MB, their approach achieves almost the same precision ( 98. 6 % ) as the exact implementation. Using Mod/Ref analysis as the client, the authors find that the client analysis is not affected that often even when there is some loss of precision in the points-to representation. 

As a future work, it would be interesting to see the effect of approximation introduced using bloom filters with the approximations introduced in control-flow analyses such as kCFA or in unification of contexts. 

context-sensitive pointer analysis improves precision at the cost of high — often unacceptable — storage requirement and analysis time. 

For a query GetModRef(callsite, pointer), the Mod/Ref analysis checks whether callsite reads or modifies the memory pointed to by pointer. 

To handle load statement p = ∗q where p is a single-level pointer and q is a two-level pointer, all the cubes mb[Q][i] (i.e., C × D × B bits) corresponding to pointer q, ∀i = 1..S are bitwise-ORed to get a resultant cube. 

A points-to tuple 〈p, c, x〉 represents a pointer p pointing to variable x in calling context c. A context is defined by a sequence of functions and their call-sites. 

A naive implementation stores context-sensitive points-to tuples in a bloom filter by hashing the tuple 〈p, c, x〉 and setting that bit in the bloom filter. 

Three out of the 18 benchmarks run out of memory when the authors run an exact analysis, highlighting the need for a scalable context-sensitive points-to analysis. 

Various enhancements have also been made to the original Andersen’s inclusionbased algorithm: online cycle elimination[20] to break dependence cycles on the fly, offline variable substitution[16] to reduce the number of pointers tracked during the analysis, location equivalence[21] and semi-sparse flow-sensitivity[22]. 

To measure the false positive rate the authors will now try to map the values back from a 4-dimensional multibloom to a 2-dimensional bloom filter so that the authors can apply Equation 1. 

As scalability became an important factor with increasing code size, interesting mechanisms were introduced to approximate the precision of a full blowncontext-sensitive and flow-sensitive analysis. [17] proposed one level flow to improve precision of context-insensitive, flow-insensitive analyses, still maintaining the scalability. 

4. The mapping function hs is defined as hs(p1) = 1 and hs(p2) = 2. Initially, all bits in the buckets for each pointer are set to 0. 

KLOC is the number of Kilo lines of code, Total Inst is the total number of static LLVM instructions, Pointer Inst is the number of static pointer-type LLVM instructions and No. of Fns is the number of functions in the benchmark. 

It makes each pointer pointed to by q point to the pointees pointed to by p.Handling context-sensitive load/store statements requires a modification to address-of assignment p = &q. 

The memory requirement is three orders less, while the access time is reduced to about one-fourth for all benchmarks which take at least 20 seconds. 

For each hash function the algorithm needs to determine if the corresponding bit vectors have at least one common bit with the value 1. 

This shows that a client analysis is hardly affected due to loss in precision by using an approximate representation, while still enjoying the benefits of reduced memory and time requirements. 

The false positive rate P for a bloom filter of size N bits after n elements are added to the filter with d hash functions is given by Equation 1 (from [10]).