Scribd
Upload
111 views

PLDITutorial

The document discusses a tutorial on using Datalog and binary decision diagrams (BDDs) for program analysis. The tutorial is structured into four parts that cover essential background on Datalog and BDDs, using relevant tools, developing advanced analyses, and debugging techniques. Program analysis can be specified concisely using Datalog rules that directly correspond to inference rules. Datalog is well-suited for program analysis implementation using BDDs due to the correspondence between Datalog semantics and BDD operations.

Uploaded by

Pritom Rajkhowa
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
111 views

PLDITutorial

The document discusses a tutorial on using Datalog and binary decision diagrams (BDDs) for program analysis. The tutorial is structured into four parts that cover essential background on Datalog and BDDs, using relevant tools, developing advanced analyses, and debugging techniques. Program analysis can be specified concisely using Datalog rules that directly correspond to inference rules. Datalog is well-suited for program analysis implementation using BDDs due to the correspondence between Datalog semantics and BDD operations.

Uploaded by

Pritom Rajkhowa
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 180

bddbddb:

Using Datalog and BDDs for


Program Analysis

John Whaley
Stanford University and moka5 Inc.

June 11, 2006


Implementing Program
Analysis

vs.

• 2x faster
• Fewer bugs
…56 pages! • Extensible
June 11, Using Datalog and 2
Is it really that easy?
• Requires:
– A different way of thinking
– Knowledge, experience, and intuition
– Perseverance to try different techniques
– A lot of tuning and tweaking
– Luck
• Despite all this, people who use it
swear by it and could “never go back”

June 11, Using Datalog and 3


Tutorial Structure
Part I: Essential Background
– …
Part II: Using the Tools
– …
Part III: Developing Advanced Analyses
– …
Part IV: Profiling, Debugging, Avoiding Gotchas
– …

Short break every 30 minutes

June 11, Using Datalog and 4


Tutorial Structure
Part I: Essential Background
– Datalog for Program Analysis
– Binary Decision Diagrams
Part II: Using the Tools
– …
Part III: Developing Advanced Analyses
– …
Part IV: Profiling, Debugging, Avoiding Gotchas
– …

June 11, Using Datalog and 5


Tutorial Structure
Part I: Essential Background
– …
Part II: Using the Tools
– bddbddb
– Compiler interface (Joeq compiler)
– Datalog editor in Eclipse
– Interactive mode
Part III: Developing Advanced Analyses
– …
Part IV: Profiling, Debugging, Avoiding Gotchas
– …

June 11, Using Datalog and 6


Tutorial Structure
Part I: Essential Background
– …
Part II: Using the Tools
– …
Part III: Developing Advanced Analyses
– Context sensitivity
– Combining multiple analyses
– Race detection examples
– Using advanced bddbddb features
Part IV: Profiling, Debugging, Avoiding Gotchas
– …

June 11, Using Datalog and 7


Tutorial Structure
Part I: Essential Background
– …
Part II: Using the Tools
– …
Part III: Developing Advanced Analyses
– …
Part IV: Profiling, Debugging, Avoiding Gotchas
– Variable ordering
– Iteration order
– Machine learning
– What it’s good for, what it isn’t good for

June 11, Using Datalog and 8


Try it yourself…
• Available as moka5 LivePC
– Non-intrusive installation in a VM
– Automatically kept up to date
– Easy to try, easy to share
– Complete environment on a USB stick

June 11, Using Datalog and 9


Part I: Essential Background
Program Analysis in Datalog

June 11, Using Datalog and 10


Datalog
• Declarative language for deductive
databases [Ullman 1989]
– Like Prolog, but no function symbols,
no predefined evaluation strategy

June 11, Using Datalog and 11


Datalog Basics
Predicate
Atom = Reach(d,x,i) Arguments:
variables or constants

Literal = Atom or NOT Atom

Rule = Atom :- Literal & … & Literal

Make this The body :


atom true For each assignment of values
(the head ). to variables that makes all these
true …

June 11, Using Datalog and 12


Datalog Example
parent(x,y) :- child(y,x).
grandparent(x,z) :- parent(x,y), parent(y,z).

ancestor(x,y) :- parent(x,y).
ancestor(x,z) :- parent(x,y), ancestor(y,z).

June 11, Using Datalog and 13


Datalog
• Intuition: subgoals in the body are
combined by “and” (strictly
speaking: “join”).
• Intuition: Multiple rules for a
predicate (head) are combined by
“or.”

June 11, Using Datalog and 14


Another Datalog Example
hasChild(x) :- child(_,x).
hasNoChild(x) :- !child(_,x).
“!” inverts the relation, not the atom!

hasSibling(x) :- child(x,y), child(z,y), z!=x.


onlyChild(x) :- child(x,_), !hasSibling(x).
_ means “Dont-care” (at least one)
! means “Not”

June 11, Using Datalog and 15


Reaching Defs in Datalog
Reach(d,x,j) :- Reach(d,x,i),
StatementAt(i,s),
!Assign(s,x),
Follows(i,j).
Reach(s,x,j) :- StatementAt(i,s),
Assign(s,x),
Follows(i,j).

June 11, Using Datalog and 16


Definition: EDB Vs. IDB
Predicates
• Some predicates come from the
program, and their tuples are
computed by inspection.
– Called EDB, or extensional database
predicates.
• Others are defined by the rules only.
– Called IDB, or intensional database
predicates.

June 11, Using Datalog and 17


Negation
• Negation makes things tricky.
• Semantics of negation
– No negation allowed [Ullman 1988]
– Stratified Datalog [Chandra 1985]
– Well-founded semantics [Van Gelder
1991]

June 11, Using Datalog and 18


Stratification
• A risk occurs if there are negated literals
involved in a recursive predicate.
– Leads to oscillation in the result.
• Requirement for stratification :
– Must be able to order the IDB predicates so
that if a rule with P in the head has NOT Q in
the body, then Q is either EDB or earlier in
the order than P.

June 11, Using Datalog and 19


Example: Nonstratification
P(x) :- E(x), !P(x).
• If E(1) is true, is P(1) true?
• It is after the first round.
• But not after the second.
• True after the third, not after the
fourth,…

June 11, Using Datalog and 20


Iterative Algorithm for
Datalog
• Start with the EDB predicates =
“whatever the code dictates,” and
with all IDB predicates empty.
• Repeatedly examine the bodies of
the rules, and see what new IDB
facts can be discovered from the EDB
and existing IDB facts.

June 11, Using Datalog and 21


Datalog evaluation strategy
• “Semi-naïve” evaluation
– Remember that a new fact can be
inferred by a rule in a given round only if
it uses in the body some fact discovered
on the previous round.
• Evaluation strategy
– Top-down (goal-directed) [Ullman 1985]
– Bottom-up (infer from base facts)
[Ullman 1989]

June 11, Using Datalog and 22


Our Dialect of Datalog
• Totally-ordered finite domains
– Domains are of a given, finite size
– Makes all Datalog programs “safe”
– Cannot mix variables of different domains
• Constants (named/integers)
• Comparison operators:
= != < <= > >=
• Dont-care: _ Universe: *

June 11, Using Datalog and 23


Why Datalog?
• Developed a tool to translate inference
rules to BDD implementation
• Later, discovered Datalog (Ullman, Reps)
• Semantics of BDDs match Datalog exactly
– Obvious implementation of relations
– Operations occur a set-at-a-time
– Fast set compare, set difference
– Wealth of literature about semantics,
optimization, etc.

June 11, Using Datalog and 24


Inference Rules
Assign(v11,, vv22), vPointsTo(v
Assign(v vPointsTo(v2,2,o).
o)
vPointsTo(v1, o)

:-

• Datalog rules directly correspond to


inference rules.
June 11, Using Datalog and 25
Flow-Insensitive
Pointer Analysis
Input Tuples
o1: p = new Object(); vPointsTo(p, o1)
o2: q = new Object(); vPointsTo(q, o2)
p.f = q; Store(p, f, q)
r = p.f; Load(p, f, r)

p o1 Output Relations
f
hPointsTo(o1, f, o2)
q o2 r
vPointsTo(r, o2)
June 11, Using Datalog and 26
Inference Rule in Datalog
Assignments:
:- Assign(v1, v2),
vPointsTo(v1, o) vPointsTo(v2, o).

v1 = v2;

v2 o

v1

June 11, Using Datalog and 27


Inference Rule in Datalog
Stores:
:- Store(v1, f, v2),
hPointsTo(o1, f, o2) vPointsTo(v1, o1),
vPointsTo(v2, o2).

v1.f = v2;

v1 o1
f
v2 o2

June 11, Using Datalog and 28


Inference Rule in Datalog
Loads:
:- Load(v1, f, v2),
vPointsTo(v2, o2) vPointsTo(v1, o1),
hPointsTo(o1, f, o2).

v2 = v1.f;

v1 o1
f
v2 o2

June 11, Using Datalog and 29


The Whole Algorithm
vPointsTo(v, o) :- vPointsTo0(v, o).
:- Assign(v1, v2),
vPointsTo(v1, o) vPointsTo(v2, o).

:- Store(v1, f, v2),
hPointsTo(o1, f, o2) vPointsTo(v1, o1),
vPointsTo(v2, o2).

:- Load(v1, f, v2),
vPointsTo(v2, o2) vPointsTo(v1, o1),
hPointsTo(o1, f, o2).

June 11, Using Datalog and 30


Format of a Datalog file
• Domains
Name Size ( map file )
V 65536 var.map
H 32768
• Relations
Name ( <attribute list> ) flags
Store (v1 : V, f : F, v2 : V) input
PointsTo (v : V, h : H) input, output
• Rules
Head :- Body .
PointsTo(v1,h) :- Assign(v1,v), PointsTo(v,h).

June 11, Using Datalog and 31


Key Point
• Program information is stored in a
relational database.
– Everything in the program is numbered.
• Write declarative inference rules to
infer new facts about the program.
• Negations OK if they are not in a
recursive cycle.

June 11, Using Datalog and 32


Take a break…
(Next up: Binary Decision Diagrams)

June 11, Using Datalog and 33


Part I: Essential Background
Binary Decision Diagrams

June 11, Using Datalog and 34


Call graph relation
• Call graph expressed as a relation.
– Five edges:
• Calls(A,B)
A
• Calls(A,C)
• Calls(A,D) B C
• Calls(B,D)
• Calls(C,D) D

June 11, Using Datalog and 35


Call graph relation
• Relation expressed as a
binary function.
– A=00, B=01, C=10, D=11

Calls(A,B) → 00 01 A 00
Calls(A,C) → 00 10
01 B C 10
Calls(A,D) → 00 11
Calls(B,D) → 01 11 D 11
Calls(C,D) → 10 11

June 11, Using Datalog and 36


from
Call graph relation
to
x1 x2 x3 x4 f
0 0 0 0 0 • Relation expressed as a
0 0 0 1 1 binary function.
0 0 1 0 1
0 0 1 1 1 – A=00, B=01, C=10, D=11
0 1 0 0 0
0 1 0 1 0 A 00
0 1 1 0 0
0 1 1 1 1
1 0 0 0 0 01 B C 10
1 0 0 1 0
1 0 1 0 0 D 11
1 0 1 1 1
1 1 0 0 0
1 1 0 1 0
1 1 1 0 0
1 1 1 1 0
June 11, Using Datalog and 37
Binary Decision Diagrams
(Bryant 1986)
• Graphical encoding of a truth table.
x1 0 edge
1 edge
x2 x2

x3 x3 x3 x3

x4 x4 x4 x4 x4 x4 x4 x4

0 1 1 1 0 0 0 1 0 0 0 1 0 0 0 0
June 11, Using Datalog and 38
Binary Decision Diagrams
• Collapse redundant nodes.
x1 0 edge
1 edge
x2 x2

x3 x3 x3 x3

x4 x4 x4 x4 x4 x4 x4 x4

0 1 1 1 0 0 0 1 0 0 0 1 0 0 0 0
June 11, Using Datalog and 39
Binary Decision Diagrams
• Collapse redundant nodes.
x1 0 edge
1 edge
x2 x2

x3 x3 x3 x3

x4 x4 x4 x4 x4 x4 x4 x4

0 1
June 11, Using Datalog and 40
Binary Decision Diagrams
• Collapse redundant nodes.
x1 0 edge
1 edge
x2 x2

x3 x3 x3 x3

x4 x4 x4

0 1
June 11, Using Datalog and 41
Binary Decision Diagrams
• Collapse redundant nodes.
x1 0 edge
1 edge
x2 x2

x3 x3 x3

x4 x4 x4

0 1
June 11, Using Datalog and 42
Binary Decision Diagrams
• Eliminate unnecessary nodes.
x1 0 edge
1 edge
x2 x2

x3 x3 x3

x4 x4 x4

0 1
June 11, Using Datalog and 43
Binary Decision Diagrams
• Eliminate unnecessary nodes.
x1 0 edge
1 edge
x2 x2

x3 x3

x4

0 1
June 11, Using Datalog and 44
Binary Decision Diagrams
• Size depends on amount of redundancy,
NOT size of relation.
– Identical subtrees share the same
representation.
– As set gets very large, more nodes have
identical zero and one successors, so the size
decreases.

June 11, Using Datalog and 45


BDD Variable Order is
Important!
x1x2 + x3x4
x1
x1

x2 x3 x3

x3 x2 x2

x4
x4

0 1 0 1
x1<x2<x3<x4 x1<x3<x2<x4
June 11, Using Datalog and 46
Variable ordering is NP-hard
• No good general heuristic solutions
• Dynamic reordering heuristics don’t
work well on these problems

• We use:
– Trial and error
– Active learning

June 11, Using Datalog and 47


Apply Operation
• Concept
– Basic technique for building OBDD from Boolean
formula.
A op B A op B
a


a a

b b

c | c c

d d d

0 1 0 1 0 1

Arguments A, B, op Result
 A and B: Boolean Functions  OBDD
 Represented as OBDDs
representing
composite
 op: Boolean Operation (e.g., ^, &, function
|)
June 11, Using Datalog and  A op
48 B
Apply Execution Example
Argument A Argument B Recursive Calls
A1 a a B1 A1,B1

A2 b A2,B2
Operation
c A6 | c B5 A6,B2 A6,B5

A3 d B2 d A3,B2 A5,B2 A3,B4

A4 0 1 A5 B3 0 1 B4 A4,B3 A5,B4

• Optimizations
– Dynamic programming
– Early termination rules

June 11, Using Datalog and 49


Apply Result Generation
Recursive Calls Without Reduction With Reduction
A1,B1 a a

A2,B2 b b

A6,B2 A6,B5 c c c

A3,B2 A5,B2 A3,B4 d 1 1 d

A4,B3 A5,B4 0 1 0 1

– Recursive calling structure implicitly defines unreduced


BDD
– Apply reduction rules bottom-up as return from recursive
calls
June 11, Using Datalog and 50
BDD implementation
• ‘Unique’ table
– Huge hash table
– Each entry: level, left, right, hash, next
• Operation cache
– Memoization cache for operations
• Garbage collection
– Mark and sweep, free list.

June 11, Using Datalog and 51


Code for BDD ‘and’.

Base case:

Memo cache
lookup:

Recursive step:

Memo
June cache
11, insert: Using Datalog and 52
BDD Libraries
• BuDDy
– Simple, fast, memory-friendly
– Identifies BDD by index in unique table
• JavaBDD
– 100% Java, based on BuDDy
– Also native interface to BuDDY, CUDD, CAL, JDD
• CUDD
– Most popular, most feature-complete
– Not as fast as BuDDy
– Other types: ZDD, ADD
• JDD
– 100% Java, fresh implementation
– Still under development

June 11, Using Datalog and 53


Depth-first vs. breadth-first
• BDD algorithms have natural depth-
first recursive formulations.
• Some work on using breadth-first
evaluation for better parallelism and
locality
– CAL: breadth-first BDD package
• General idea: Assume independent,
fixup if not.
• Doesn’t perform well in practice.
June 11, Using Datalog and 54
Take a break…
(Next up: Using the Tools)

June 11, Using Datalog and 55


Tutorial Structure
Part I: Essential Background
– Datalog for Program Analysis
– Binary Decision Diagrams
Part II: Using the Tools
– bddbddb
– Compiler interface (Joeq compiler)
– Datalog editor in Eclipse
– Interactive mode
Part III: Developing Advanced Analyses
– Context sensitivity
– Combining multiple analyses
– Race detection examples
– Using advanced bddbddb features
Part IV: Profiling, Debugging, Avoiding Gotchas
– Variable ordering
– Iteration order
– Machine learning
– What it’s good for, what it isn’t good for

June 11, Using Datalog and 56


Part II: Using the Tools
bddbddb
(BDD-based deductive database)

June 11, Using Datalog and 57


bddbddb System Overview

Java Joeq Input


bytecod frontend relations
e

Datalog Output
program relations

June 11, Using Datalog and 58


Compiler Frontend
• Convert IR into tuples
• Tuples format:
# V0:16 F0:11 V1:16 header line
001
012 one tuple per line

1470 0 1464

June 11, Using Datalog and 59


Compiler Frontend
• Robust frontends:
– Joeq compiler
– Soot compiler
– SUIF compiler (for C code)
• Still experimental:
– Eclipse frontend
– gcc frontend
–…

June 11, Using Datalog and 60


Extracting Relations
• Idea: Iterate thru compiler IR,
numbering and dumping relations of
interest.
– Types
– Methods
– Fields
– Variables
– …

June 11, Using Datalog and 61


joeq.Main.GenRelations
• Generate initial relations for points-to
analysis.
– Does initial pass to discover call graph.
• Options:
-fly : dump on-the-fly call graph info
-cs: dump context-sensitive info
-ssa : dump SSA representation
-partial : no call graph discovery
-Dpa.dumppath= : where to save files
-Dpa.icallgraph= : location of initial call graph
-Dpa.dumpdotgraph : dump call graph in dot

June 11, Using Datalog and 62


Demo of joeq GenRelations

June 11, Using Datalog and 63


Part II: Using the Tools
bddbddb:
From Datalog to BDDs

June 11, Using Datalog and 64


An Adventure in BDDs
• Context-sensitive numbering scheme
– Modify BDD library to add special operations.
– Can’t even analyze small programs. Time: 
• Improved variable ordering
– Group similar BDD variables together.
– Interleave equivalence relations.
– Move common subsets to edges of variable
order. Time: 40h
• Incrementalize outermost loop
– Very tricky, many bugs. Time: 36h
• Factor away control flow, assignments
– Reduces number of variables. Time: 32h

June 11, Using Datalog and 65


An Adventure in BDDs
• Exhaustive search for best BDD order
– Limit search space by not considering intradomain
orderings. Time: 10h
• Eliminate expensive rename operations
– When rename changes relative order, result is not
isomorphic. Time: 7h
• Improved BDD memory layout
– Preallocate to guarantee contiguous. Time: 6h
• BDD operation cache tuning
– Too small: redo work, too big: bad locality
– Parameter sweep to find best values. Time: 2h

June 11, Using Datalog and 66


An Adventure in BDDs
• Simplified treatment of exceptions
– Reduce number of variables, iterations
necessary for convergence. Time: 1h
• Change iteration order
– Required redoing much of the code. Time: 48m
• Eliminate redundant operations
– Introduced subtle bugs. Time: 45m
• Specialized caches for different operations
– Different caches for and, or, etc. Time: 41m

June 11, Using Datalog and 67


An Adventure in BDDs
• Compacted BDD nodes
– 20 bytes  16 bytes Time: 38m
• Improved BDD hashing function
– Simpler hash function. Time: 37m

• Total development time: 1 year


– 1 year per analysis?!?
• Optimizations obscured the algorithm.
• Many bugs discovered, maybe still more.

June 11, Using Datalog and 68


bddbddb:
BDD-Based Deductive
DataBase
• Automatically generate from Datalog
– Optimizations based on my experience
with handcoded version.
– Plus traditional compiler algorithms.

• bddbddb even better than handcoded


– handcoded: 37m bddbddb: 19m

June 11, Using Datalog and 69


Datalog  BDDs
Datalog BDDs
Relations Boolean functions
Relation ops: Boolean function ops:
⋈, ∪, select, project ∧, ∨, −, ∼
Relation at a time Function at a time
Semi-naïve Incrementalization
evaluation
Fixed-point Iterate until stable

June 11, Using Datalog and 70


Compiling Datalog to BDDs
1. Apply Datalog source level transforms.
2. Stratify and determine iteration order.
3. Translate into relational algebra IR.
4. Optimize IR and replace relational
algebra ops with equivalent BDD ops.
5. Assign relation attributes to physical BDD
domains.
6. Perform more optimizations after domain
assignment.
7. Interpret the resulting program.
June 11, Using Datalog and 71
High-Level Transform:
Magic Set Transformation
• Add “magic” predicates to control
generated tuples [Bancilhon 1986,
Beeri 1987]
– Combines ideas from top-down and
bottom-up evaluation
• Doesn’t always help
– Leads to more iterations
– BDDs are good at large operations

June 11, Using Datalog and 72


Predicate Dependency
Graph
vPointsTo0

Load Assign

Store vPointsTo

hPointsTo add edge from RHS


to LHS
:- Store(v1, f, v2),
hPointsTo(o 1, f,
vPointsTo(v o)
2, o22)
:- Load(v1, f, v2),
vPointsTo(v1, o1),
vPointsTo(v1, o1),
:- Assign(v
vPointsTo(v2,1,o2v
hPointsTo(o1, f, o22).),
vPointsTo(v 1, o)
).
vPointsTo(v, o) :- vPointsTo(v
vPointsTo , o). 0(v, o).
2

June 11, Using Datalog and 73


Determining Iteration Order
• Tradeoff between faster convergence
and BDD cache locality
• Static heuristic
– Visit rules in reverse post-order
– Iterate shorter loops before longer loops
• Profile-directed feedback
• User can control iteration order
– pri=# keywords on rules/relations

June 11, Using Datalog and 74


Predicate Dependency
Graph
vPointsTo0

Load Assign

Store vPointsTo

hPointsTo

June 11, Using Datalog and 75


Datalog to Relational
Algebra
:- Assign(v1, v2),
vPointsTo(v1, o) vPointsTo(v2, o).

t1 = ρvariable→source(vPointsTo);
t2 = assign ⋈ t1;
t3 = πsource(t2);
t4 = ρdest→variable(t3);
vPointsTo = vPointsTo ∪ t4;

June 11, Using Datalog and 76


Incrementalization
vP’’ = vP – vP’;
vP’ = vP;
assign’’ = assign – assign’;
assign’ = assign;
t1 = ρvariable→source(vP); t1 = ρvariable→source(vP’’);
t2 = assign ⋈ t1;
t2 = assign ⋈ t1;
t5 = ρvariable→source(vP);
t3 = πsource(t2); t6 = assign’’ ⋈ t5;
t4 = ρdest→variable(t3); t7 = t2 ∪ t6;
t3 = πsource(t7);
vP = vP ∪ t4;
t4 = ρdest→variable(t3);
vP = vP ∪ t4;

June 11, Using Datalog and 77


Optimize into BDD operations
vP’’ = vP – vP’;
vP’ = vP;
assign’’ = assign – assign’;
assign’ = assign; vP’’ = diff(vP, vP’);
t1 = ρvariable→source(vP’’);
t2 = assign ⋈ t1;
vP’ = copy(vP);
t5 = ρvariable→source(vP); t1 = replace(vP’’,variable→source);
t6 = assign’’ ⋈ t5;
t3 = relprod(t1,assign,source);
t7 = t2 ∪ t6;
t3 = πsource(t7); t4 = replace(t3,dest→variable);
t4 = ρdest→variable(t3); vP = or(vP, t4);
vP = vP ∪ t4;

June 11, Using Datalog and 78


Physical domain assignment
vP’’ = diff(vP, vP’);
vP’’ = diff(vP, vP’);
vP’ = copy(vP);
vP’ = copy(vP);
t1 = replace(vP’’,variable→source);
t3 =
t3 = relprod(t1,assign,source); relprod(vP’’,assign,V0);
t4 = replace(t3,dest→variable); t4 = replace(t3, V1→V0);
vP = or(vP, t4); vP = or(vP, t4);

• Minimizing renames is NP-complete


• Renames have vastly different costs
• Priority-based assignment algorithm
June 11, Using Datalog and 79
Other optimizations
• Dead code elimination
• Constant propagation
• Definition-use chaining
• Redundancy elimination
• Global value numbering
• Copy propagation
• Liveness analysis

June 11, Using Datalog and 80


Splitting rules
R(a,e) :- A(a,b), B(b,c), C(c,d), R(d,e).
Can be split into:
T1(a,c) :- A(a,b), B(b,c).
T2(a,d) :- T1(a,c), C(c,d).
R(a,e) :- T2(a,d), R(d,e).

Affects incrementalization, iteration.


Use “split” keyword to auto-split rules.
June 11, Using Datalog and 81
Other Tools
• Banshee (John Kodumal)
– Results are harder to use (not relational)
• Paddle/Jedd (Ondrej Lhotak)
– Imperative style: more expressive
– Not as efficient, doesn’t scale as well

June 11, Using Datalog and 82


Jedd code
• Jedd code is like bddbddb internal IR
before domain assignment:
vP’’ = diff(vP, vP’);
vP’ = copy(vP);
t1 = replace(vP’’,variable→source);
t3 = relprod(t1,assign,source);
t4 = replace(t3,dest→variable);
vP = or(vP, t4);

June 11, Using Datalog and 83


Demo of using bddbddb

June 11, Using Datalog and 84


Tutorial Structure
Part I: Essential Background
– Datalog for Program Analysis
– Binary Decision Diagrams
Part II: Using the Tools
– bddbddb
– Compiler interface (Joeq compiler)
– Datalog editor in Eclipse
– Interactive mode
Part III: Developing Advanced Analyses
– Context sensitivity
– Combining multiple analyses
– Race detection examples
– Using advanced bddbddb features
Part IV: Profiling, Debugging, Avoiding Gotchas
– Variable ordering
– Iteration order
– Machine learning
– What it’s good for, what it isn’t good for

June 11, Using Datalog and 85


Part III: Developing Advanced Analyses
Context Sensitivity

June 11, Using Datalog and 86


Old Technique:
Summary-Based Analysis
• Idea: Summarize the effect of a
method on its callers.
– Sharir, Pnueli [Muchnick 1981]
– Landi, Ryder [PLDI 1992]
– Wilson, Lam [PLDI 1995]
– Whaley, Rinard [OOPSLA 1999]

June 11, Using Datalog and 87


Old Technique:
Summary-Based Analysis
• Problems:
– Difficult to summarize pointer analysis.
– Composed summaries can get large.
– Recursion is difficult: Must find fixpoint.
– Queries (e.g. which context points to x)
require expanding an exponential
number of contexts.

June 11, Using Datalog and 88


My Technique:
Cloning-Based Analysis
• Simple brute force technique.
– Clone every path through the call graph.
– Run context-insensitive algorithm on
expanded call graph.
• The catch: exponential blowup

June 11, Using Datalog and 89


Cloning is exponential!

June 11, Using Datalog and 90


Recursion
• Actually, cloning is unbounded in the
presence of recursive cycles.
• Technique: We treat all methods
within a strongly-connected
component as a single node.

June 11, Using Datalog and 91


Recursion
A A

B C D B C D

E F E F E F E F

G G G G

June 11, Using Datalog and 92


Top 20 Sourceforge Java Apps

1016

1012

108

104

100

June 11, Using Datalog and 93


Cloning is infeasible (?)
• Typical large program has ~1014 paths.
• If you need 1 byte to represent a clone:
– Would require 256 terabytes of storage
– >12 times size of Library of Congress
– Registered ECC 1GB DIMMs: $41.7 million
• Power: 96.4 kilowatts = Power for 128 homes
– 500 GB hard disks: 564 x $195 = $109,980
• Time to read sequential: 70.8 days

June 11, Using Datalog and 94


Key Insight
• There are many similarities across
contexts.
– Many copies of nearly-identical results.
• BDDs can represent large sets of
redundant data efficiently.
– Need a BDD encoding that exploits the
similarities.

June 11, Using Datalog and 95


Expanded Call Graph
A A0

B C D B0 C0 D0

E E0 E1 E2

F G F0 F1 F2 G0 G1 G2

H H0 H1 H2 H3 H4 H5

June 11, Using Datalog and 96


Numbering Clones
0
A A0
0 0 0
B C D B0 C0 D0
1
0 2
E E0 E1 E2
0-2 0-2
F G F0 F1 F2 G0 G1 G2

0-2 3-5
H H0 H1 H2 H3 H4 H5

June 11, Using Datalog and 97


Context-sensitive Pointer
Analysis Algorithm
1. First, do context-insensitive pointer
analysis to get call graph.
2. Number clones.
3. Do context-insensitive algorithm on
the cloned graph.
• Results explicitly generated for every clone.
• Individual results retrievable with Datalog
query.

June 11, Using Datalog and 98


Counting rule
• IEnum(i,m,vc2,vc1) :- roots(m), mI0(m,i),
IE0(i,m). number

• Special rule to define numbering.


• Head: result of numbering
– First two variables: edge you want to number
– Second two variables: context numbering
• Subgoals: graph edges
– Single variable: roots of graph

June 11, Using Datalog and 99


Demo of context-sensitive

June 11, Using Datalog and 100


Part III: Developing Advanced Analyses
Example: Race Detection

June 11, Using Datalog and 101


Object Sensitivity
• k-object-sensitivity (Milanova, Ryder, Rountev 2003)

• k=3 suffices in our experiments

• CHA/context-insensitive/k-CFA too imprecise

static main() { Contexts of method bar():


h1: C a = new A();
h2: C b = new B(); 1-CFA: { p4 }
p1: foo(a); 2-CFA: { p1:p4, p2:p4, p3:p4 }
p2: foo(b);
p3: foo(a); } 1-objsens: { h1, h2 }
static foo(C c) { 2-objsens: { h1, h2 }
p4: c.bar(); }
June 11, Using Datalog and 102
Open Programs
• Analyzing open programs is important
– Many “programs” are libraries
– Developers need to understand behavior w/o a client

• Standard approach
– Write a “harness” manually
– A client exercising the interface of the open program

• Our approach
– Generate the harness automatically

June 11, Using Datalog and 103


Race Detection
• A multi-threaded program contains a race if:
– Two threads can access a memory
location
– At least one access is a write
– No ordering between the accesses

• As a rule, races are bad


– And common …
– And hard to find …

June 11, Using Datalog and 104


Running Example
public A() { static public void main() {
f = 0; } A a;
public int get() { a = new A();
return rd(); } a.get();
public sync int inc() { a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() { Harness


return f; } (Note: Single-threaded)
private int wr(int x) {
f = x;
return x; }

June 11, Using Datalog and 105


Example: Two Object-Sensitive
Contexts
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() {


return f; }
private int wr(int x) {
f = x;
return x; }

June 11, Using Datalog and 106


Example: 1st Context
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() {


return f; }
private int wr(int x) {
f = x;
return x; }

June 11, Using Datalog and 107


Example: 2nd Context
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() {


return f; }
private int wr(int x) {
f = x;
return x; }

June 11, Using Datalog and 108


Computing Original Pairs
All pairs of accesses such that
– Both references of one of the following forms:
• e1.f and e2.f (the same instance field)
• C.g and C.g (the same static field)
• e1[e3] and e2[e4] (any array elements)
– At least one is a write

June 11, Using Datalog and 109


Example: Original Pairs
public A() { public A() {
f = 0; } f = 0; }
public int get() { public int get() {
return rd(); } return rd(); }
public sync int inc() { public sync int inc() {
int t = rd() + (new A()).wr(1); int t = rd() + (new A()).wr(1);
return wr(t); } return wr(t); }

private int rd() { private int rd() {


return f; } return f; }
private int wr(int x) { private int wr(int x) {
f = x; f = x;
return x; } return x; }

June 11, Using Datalog and 110


Computing Reachable Pairs
• Step 1
– Access pairs with at least one write to same field

• Step 2
– Consider any access pair (e1, e2)
– To be a race e1 must be:
– Reachable from a thread-spawning call site s1
• Without “switching” threads
– Where s1 is reachable from main
– (and similarly for e2)

June 11, Using Datalog and 111


Example: Reachable Pairs
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() { private int rd() {


return f; } return f; }
private int wr(int x) { private int wr(int x) {
f = x; f = x;
return x; } return x; }

June 11, Using Datalog and 112


Computing Aliasing Pairs
• Steps 1-2
– Access pairs with at least one write to same field
– And both are executed in a thread in some context

• Step 3
– To have a race, both must access the same memory
location
– Use alias analysis

June 11, Using Datalog and 113


Example: Aliasing Pairs
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() { private int rd() {


return f; } return f; }
private int wr(int x) { private int wr(int x) {
f = x; f = x;
return x; } return x; }

June 11, Using Datalog and 114


Computing Escaping Pairs
• Steps 1-3
– Access pairs with at least one write to same field
– And both are executed in a thread in some context
– And both can access the same memory location

• Step 4
– To have a race, the memory location must also
be thread-shared
– Use thread-escape analysis

June 11, Using Datalog and 115


Example: Escaping Pairs
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() { private int rd() {


return f; } return f; }
private int wr(int x) { private int wr(int x) {
f = x; f = x;
return x; } return x; }

June 11, Using Datalog and 116


Computing Unlocked Pairs
• Steps 1-4
– Access pairs with at least one write to same field
– And both are executed in a thread in some context
– And both can access the same memory location
– And the memory location is thread-shared

• Step 5
– Discard pairs where the memory location is guarded
by a common lock in both accesses

June 11, Using Datalog and 117


Example: Unlocked Pairs
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
a.get(); return rd(); }
public sync int inc() {
a.inc(); }
int t = rd() + (new A()).wr(1);
return wr(t); }

private int rd() { private int rd() {


return f; } return f; }
private int wr(int x) { private int wr(int x) {
f = x; f = x;
return x; } return x; }

June 11, Using Datalog and 118


Counterexamples
• Each pair of paths in the context-sensitive call graph
from a pair of roots to a pair of accesses along
which a common lock may not be held

• Different from most other systems


– Pairs of paths (instead of single interleaved path)
– At call-graph level

June 11, Using Datalog and 119


Example: Counterexample
// file Harness.java // file A.java
static public void main() { public A() {
A a; f = 0; }
a = new A(); public int get() {
4: return rd(); }
4: a.get();
public sync int inc() {
5: a.inc(); }
int t= rd() + (new A()).wr(1);
7: return wr(t); }
field reference A.f (A.java:10) [Rd]
A.get(A.java:4)
private int rd() {
Harness.main(Harness.java:4)
10: return f; }
field reference A.f (A.java:12) [Wr] private int wr(int x) {
A.inc(A.java:7) 12: f = x;
Harness.main(Harness.java:5) return x; }
June 11, Using Datalog and 120
Race Checker Datalog

June 11, Using Datalog and 121


Map Sensitivity
...
String username = request.getParameter(“user”)
map.put(“USER_NAME”, username);

... “USER_NAME” ≠ “SEARCH_QUERY”

String query = (String) map.get(“SEARCH_QUERY”);


stmt.executeQuery(query);
...

• Maps with constant string keys are common


• Augment pointer analysis:
– Model Map.put/get operations specially
June 11, Using Datalog and 122
Resolving Reflection
• Reflection is a dynamic language feature
• Used to query object and class information
– static Class Class.forName(String className)
• Obtain a java.lang.Class object
• I.e. Class.forName(“java.lang.String”) gets an
object corresponding to class String
– Object Class.newInstance()
• Object constructor in disguise
• Create a new object of a given class

Class c = Class.forName(“java.lang.String”);
Object o = c.newInstance();

• This makes a new empty string o

June 11, Using Datalog and 123


What to Do About Reflection?

1. String className = ...;


2. Class c = Class.forName(className);
3. Object o = c.newInstance();
4. T t = (T) o;

1. Anything goes 2. Ask the user 3. Subtypes of T 4. Analyze className

+ Obviously + Good results + More + Better still


conservativ - A lot of work precise - Need to
e
for user, - T may have know where
- Call graph difficult to many className
extremely
find subtypes comes from
big and
imprecise answers

June 11, Using Datalog and 124


Analyzing Class Names

• Looking at className seems promising

String stringClass = “java.lang.String”;


foo(stringClass);
...
void foo(String clazz){
bar(clazz);
}
void bar(String className){
Class c = Class.forName(className);
}

June•11,This is interprocedural
Using Datalog and 125
const+copy prop on strings
Pointer Analysis Can Help

Stack variables Heap objects

stringClass

clazz

className
java.lang.String

June 11, Using Datalog and 126


Reflection Resolution Using
Points-to

1. String className = ...;


2. Class c = Class.forName(className);
3. Object o = c.newInstance();
4. T t = (T) o;

• Need to know what className is


– Could be a local string constant like java.lang.String
– But could be a variable passed through many layers of calls
• Points-to analysis says what className refers to
– className --> concrete heap object

June 11, Using Datalog and 127


Reflection Resolution
Constants Specification
points

1. String className = ...;


2. Class c = Class.forName(className); Q: what
3. Object o = c.newInstance(); object does
4. T t = (T) o; this create?

1. String className = ...;


2. Class c = Class.forName(className);
Object o = new T1();
Object o = new T2();
Object o = new T3();
June
4. 11,
T t Using
= (T) o; Datalog and 128
Resolution May Fail!
1. String className = r.readLine();
2. Class c = Class.forName(className);
3. Object o = c.newInstance();
4. T t = (T) o;

• Need help figuring out what className is


• Two options
1. Can ask user for help
• Call to r.readLine on line 1 is a specification point
• User needs to specify what can be read from a file
• Analysis helps the user by listing all specification points
2. Can use cast information
• Constrain possible types instantiated on line 3 to subclasses of T
• Need additional assumptions

June 11, Using Datalog and 129


1. Specification Files
 Format: invocation site => class
loadImpl() @ 43 InetAddress.java:1231 =>
java.net.Inet4AddressImpl

loadImpl() @ 43 InetAddress.java:1231 =>


java.net.Inet6AddressImpl

lookup() @ 86 AbstractCharsetProvider.java:126 =>


sun.nio.cs.ISO_8859_15

lookup() @ 86 AbstractCharsetProvider.java:126 =>


sun.nio.cs.MS1251

tryToLoadClass() @ 29 DataFlavor.java:64 =>


java.io.InputStream

June 11, Using Datalog and 130


2. Using Cast Information
1. String className = ...;
2. Class c = Class.forName(className);
3. Object o = c.newInstance();
4. T t = (T) o;

• Providing specification files is tedious,


time-consuming, error-prone
• Leverage cast data instead
– o instanceof T
– Can constrain type of o if
1. Cast succeeds
2. We know all subclasses of T

June 11, Using Datalog and 131


Analysis Assumptions
1. Assumption: Correct casts.
Type cast operations that always operate
on the result of a call to
Class.newInstance are correct; they will
always succeed without throwing a
ClassCastException.

2. Assumption: Closed world.


We assume that only classes reachable
from the class path at analysis time can
be used by the application at runtime.

June 11, Using Datalog and 132


Casts Aren’t Always Present
• Can’t do anything if no cast post-
dominating a Class.newInstance call
Object factory(String className){
Class c = Class.forName(className);
return c.newInstance();
}
...
SunEncoder t = (SunEncoder)
factory(“sun.io.encoder.” + enc);
SomethingElse e = (SomethingElse)
factory(“SomethingElse“);

June 11, Using Datalog and 133


Call Graph Discovery Process

Program
Program IR
IR Call
Call graph
graph Reflection
Reflection Resolved
Resolved Final
Final call
call
construction
construction resolution
resolution calls
calls graph
graph
using
using
points-to
points-to

User-provided
User-provided Cast-based
Cast-based
spec
spec approximation
approximation

Specification
Specification
June 11, Using points
Datalog and
points 134
Implementation Details
• Call graph construction algorithm in the
presence of reflection is integrated with
pointer analysis
– Pointer analysis already has to deal with virtual calls:
new methods are discovered, points-to relations for
them are created
– Reflection analysis is another level of complexity

• See Datalog specification

June 11, Using Datalog and 135


Reflection Resolution
• Applied to 6 largeResults
Java apps, 190,000 LOC combined
Call graph sizes compared

June 11, Using Datalog and 136


Map relations
• Need to map from values in one
domain to another?
• Use special operator “=>”
• mapAtoB(a,b) :- a => b.
• Elements in A are appended to
domain of B
– A must have map file.
– B must have enough space.

June 11, Using Datalog and 137


Using Code Fragments
• Execute a code fragment before/after every
rule invocation.
A(x,y) :- B(y,a), C(a,z). { code goes here }
• Can access:
– Relations by name.
– Rule information.
– Solver information.
• Can also add code fragment to relations
(triggered on change).
• Special keywords: “modifies”, “pre”, “post”

June 11, Using Datalog and 138


Take a break…
(Next up: Profiling, Debugging)

June 11, Using Datalog and 139


Tutorial Structure
Part I: Essential Background
– Datalog for Program Analysis
– Binary Decision Diagrams
Part II: Using the Tools
– bddbddb
– Compiler interface (Joeq compiler)
– Datalog editor in Eclipse
– Interactive mode
Part III: Developing Advanced Analyses
– Context sensitivity
– Combining multiple analyses
– Race detection examples
– Using advanced bddbddb features
Part IV: Profiling, Debugging, Avoiding Gotchas
– Variable ordering
– Iteration order
– Machine learning
– What it’s good for, what it isn’t good for

June 11, Using Datalog and 140


Part IV: Profiling, Debugging, Avoiding Gotchas

Variable Ordering

June 11, Using Datalog and 141


TryDomainOrders
• Try all possible domain orders for a given
operation and inputs.
– Bounded: if an order takes longer than current
best, abort it.
• To profile slow-running operations:
Run with -Ddumpslow, -Ddumpcutoff=5000
java net.sf.bddbddb.TryDomainOrders
• If you know ordering constraints, you can add
them to rules/relations
– Constraints automatically propagated to other
rules/relations

June 11, Using Datalog and 142


Variable Numbering:
Active Machine Learning
• Must be determined dynamically
• Limit trials with properties of relations
• Each trial may take a long time
• Active learning:
select trials based on uncertainty
– Can build up trial database to improve
accuracy
• Several hours
• Comparable to exhaustive for small apps

June 11, Using Datalog and 143


Using Machine Learning
• -Dfindbestorder
– Enable machine learning
• -Dfbocutoff=#
– Minimum runtime (in ms) for an
operation to be considered
• -Dfbotrials=#
– Maximum number of trials to run
• -Dtrialfile=
– Filename to load/store trial information.

June 11, Using Datalog and 144


Changing Iteration Order
• bddbddb uses simple iteration order
heuristic – not always optimal
• If a rule is iterating too many times:
– Lower its priority with pri=5
– Increase other rules with pri=-5
– Can also adjust priority of relations
• Solver prints iteration order on startup
• Also try reformulating the problem or
changing input relations

June 11, Using Datalog and 145


Reformulate the Problem
• Change rule form:
A(a,c) :- A(a,b), A(b,c).
vs
A(a,c) :- A(a,b), A(b,c).
• Change input relations
– Short-circuit paths
• Filter relations as you go

June 11, Using Datalog and 146


Debugging
• Debugging can be tricky
– Relations are huge
– Declarative: not so straightforward
• Adding code fragments can help.
• Try it on a small example with full
trace information.
• Best: Interactive solver

June 11, Using Datalog and 147


“Comes from” query
• Special kind of query:
A(3,5) :- ?
“What contributed to (3,5) being added to
A?”

• Add ‘single’ keyword to get only one path.


• Doesn’t solve the negated problem
(missing tuples)

June 11, Using Datalog and 148


Solver options
-Dnoisy -Dbasedir=
-Dtracesolve -Dincludedirs=
-Dfulltracesolve -Ddumprulegraph
-Dbddvarorder= -Duseir
-Dbddnodes= -Dprintir
-Dbddcache= -Dsplit_all_rules
-Dbddminfree= -Dsplit_no_rules
-Dfindbestorder

June 11, Using Datalog and 149


Datalog directives
• .include • .bddvarorder
• .split_all_rules • .bddnodes
• .report_stats • .bddcache
• .noisy • .bddminfree
• .strict • .findbestorder
• .singleignore • .incremental
• .trace • .dot
• .basedir

June 11, Using Datalog and 150


Relation
Rule options
options
input / inputtuples split
output / outputtuples number
printtuples single
printsize cacheafterrename
pri=# findbestorder
{ code fragment } trace / tracefull
x<y pre / post { code }
modifies R

June 11, Using Datalog and 151


Experimental Features
• Distributed computation: (dbddbddb?)
• Profile-directed feedback of iteration
order
• Eclipse integration
• Touchgraph integration
• Debugging interface
• Tracing information
• Include rules in come-from query
June 11, Using Datalog and 152
What works well
• Big sets of mostly redundant data
– Pointer analysis
– Context-sensitive analysis
• Short propagation paths
– Each iteration takes quite a bit of time, so
>1000 iterations will hurt
– Try to preprocess/reformulate problem to
shorten paths
• Natural ‘flow’ problems
• Pure analysis problems (no transformations)

June 11, Using Datalog and 153


What doesn’t work well
• Long propagation paths
– Traditional dataflow analysis (use sparse form
instead)
• Huge problems with little redundancy
– Too much context sensitivity
• Domains that are not easily countable
– Need to manufacture names on the fly
• Problems that have inherently complicated
formulations
• Problems optimized for particular data
structures (union-find, etc.)

June 11, Using Datalog and 154


Using bddbddb in a class
• bddbddb has been very useful in Stanford
advanced compiler course
– Comparing/contrasting analyses becomes easier
– Students can implement and evaluate multiple
techniques without much overhead
• Projects:
– Implement an algorithm from a paper in Datalog,
make a small change and evaluate its
effectiveness
– Experiment with different kinds of context
sensitivity on a given problem
– Improve on BDD solver efficiency
– Build a tool based on analysis results

June 11, Using Datalog and 155


Questions?

June 11, Using Datalog and 156


That’s all, folks!

Thanks for sticking around for all 157 slides!

June 11, Using Datalog and 157


Experimental Results

June 11, Using Datalog and 158


Experimental Results

June 11, Using Datalog and 159


Experimental Results

June 11, Using Datalog and 160


Experimental Results

June 11, Using Datalog and 161


Experimental Results

June 11, Using Datalog and 162


Experimental Results

June 11, Using Datalog and 163


Experimental Results

June 11, Using Datalog and 164


Experimental Results

June 11, Using Datalog and 165


Experimental Results

June 11, Using Datalog and 166


Experimental Results

June 11, Using Datalog and 167


Experimental Results

June 11, Using Datalog and 168


Experimental Results

June 11, Using Datalog and 169


Related Work
• Datalog in Program Analysis
– Specify as Datalog query [Ullman 1989]
– Toupie system [Corsini 1993]
– Demand-driven using magic sets [Reps 1994]
– Program analysis with logic programming [Dawson
1996]
– Crocopat system [Beyer 2003]
– Modular class analysis [Besson 2003]
• BDDs in Program Analysis
– Predicate abstraction [Ball 2000]
– Shape analysis [Manevich 2002, Yavuz-Kahveci 2002]
– Pointer Analysis [Zhu 2002, Berndl 2003, Zhu 2004]
– Jedd system [Lhotak 2004]

June 11, Using Datalog and 170


Related Work
• BDD Variable Ordering
– Variable ordering is NP-complete [Bollig 1996]
– Interleaving [Fujii 1993]
– Sifting [Rudell 1993]
– Genetic algorithms [Drechsler 1995]
– Machine learning for BDD orders [Grumberg 2003]
• Efficient Evaluation of Datalog
– Semi-naïve evaluation [Balbin 1987]
– Bottom-up evaluation [Ullman 1989, Ceri 1990, Naughton
1991]
– Top-down evaluation with tabling [Tamaki 1986, Chen 1996]
– Rule ordering [Ramakrishnan 1990]
– Magic sets transformation [Bancilhon 1986]
– Computing with BDDs [Iwaihara 1995]
– Time and space guarantees [Liu 2003]

June 11, Using Datalog and 171


Program Analysis with bddbddb
• Context-sensitive Java • Object-sensitive
pointer analysis analysis
• C pointer analysis • Cartesian product
• Escape analysis algorithm
• Type analysis • Resolving Java reflection
• External lock analysis • Bounds check
elimination
• Finding memory leaks
• Finding race conditions
• Interprocedural def-use
• Finding Java security
• Interprocedural mod-ref
vulnerabilities
• And many more…
Performance better than handcoded!
June 11, Using Datalog and 172
Conclusion
• bddbddb: new paradigm in program analysis
– Datalog compiled into optimized BDD operations
– Efficiently and easily implement context-sensitive
analyses
– Easier to develop correct analyses
– Easily experiment with new ideas
– Growing library of program analyses
– Easily use and build upon work of others
• Available as open-source LGPL:
http://bddbddb.sourceforge.net
June 11, Using Datalog and 173
My Contribution (2)
bddbddb
(BDD-based deductive database)
– Pointer analysis in 6 lines of Datalog
(a database language)
• Hard to create & debug efficient BDD-based
algorithms (3451 lines, 1 man-year)
• Automatic optimizations in bddbddb
– Easy to create context-sensitive analyses
using pointer analysis results (a few lines)
– Created many analyses using bddbddb

June 11, Using Datalog and 174


Outline
• Pointer Analysis
– Problem Overview
– Brief History
– Pointer Analysis in Datalog
• Context Sensitivity
• Improving Performance
• bddbddb: BDD-based deductive database
• Experimental Results
– Analysis Time
– Analysis Memory
– Analysis Accuracy
• Conclusion

June 11, Using Datalog and 175


Performance is Tricky!
• Context-sensitive numbering scheme
– Modify BDD library to add special operations.
– Can’t even analyze small programs. Time: 
• Improved variable ordering
– Group similar BDD variables together.
– Interleave equivalence relations.
– Move common subsets to edges of variable
order. Time: 40h
• Incrementalize outermost loop
– Very tricky, many bugs. Time: 36h
• Factor away control flow, assignments
– Reduces number of variables. Time: 32h

June 11, Using Datalog and 176


Java Security Vulnerabilities
Application Reported Errors Actual
context- context- Errors
Classe insensitiv sensitive
Name s e
blueblog 306 1 1 1
webgoat 349 81 6 6
blojsom 428 48 2 2
personalblog 611 350 2 2
snipsnap 653 >321 27 15
road2hibern 867 15 1 1
a
pebble 889 427 1 1
roller 989 >267 1 1
Total
June 11, 5356 >1508
Using Datalog and 41
177 29
due to V. Benjamin Livshits
Vulnerabilities Found
SQL HTTP Cross-site Path
Total
injection splitting scripting traversal

Header 0 6 4 0 10
Parameter 6 5 0 2 13
Cookie 1 0 0 0 1
Non-Web 2 0 0 3 5
Total 9 11 4 5 29

June 11, Using Datalog and 178


Summary of Contributions
• The first scalable context-sensitive subset-based
pointer analysis.
– Cloning-based technique using BDDs
– Clever context numbering
– Experimental results on the effects of context sensitivity
• bddbddb: new paradigm in program analysis
– Efficiently and easily implement context-sensitive analyses
– Datalog compiled into optimized BDD operations
– Library of program analyses (with many others)
– Active learning for BDD variable orders (with M. Carbin)
• Artifacts:
– Joeq compiler and virtual machine
– JavaBDD library and BuDDy library
– bddbddb tool

June 11, Using Datalog and 179


Conclusion
• The first scalable context-sensitive subset-
based pointer analysis.
– Accurate: Results for up to 1014 contexts.
– Scales to large programs.

• bddbddb: a new paradigm in prog analysis


– High-level spec  Efficient implementation

• System is publicly available at:


http://bddbddb.sourceforge.net

June 11, Using Datalog and 180

You might also like