CFA2: A Context-Free Approach to Control-Flow Analysis

In a functional language, the dominant control-flow mechanism is function call and return. Most higher-order flow analyses, including k-CFA, do not handle call and return well: they remember only a bounded number of pending calls because they approximate programs with control-flow graphs. Call/return mismatch introduces precision-degrading spurious control-flow paths and increases the analysis time. We describe CFA2, the first flow analysis with precise call/return matching in the presence of higher-order functions and tail calls. We formulate CFA2 as an abstract interpretation of programs in continuation passing style and describe a sound and complete summarization algorithm for our abstract semantics. A preliminary evaluation shows that CFA2 gives more accurate data-flow information than 0CFA and 1CFA.

[1]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[2]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[3]  Stefan Schwoon,et al.  Model checking pushdown systems , 2002 .

[4]  Javier Esparza,et al.  Reachability Analysis of Pushdown Automata: Application to Model-Checking , 1997, CONCUR.

[5]  Saumya K. Debray,et al.  Interprocedural control flow analysis of first-order programs with tail-call optimization , 1997, TOPL.

[6]  Jr. Guy L. Steele,et al.  Rabbit: A Compiler for Scheme , 1978 .

[7]  Jakob Rehof,et al.  Type-base flow analysis: from polymorphic subtyping to CFL-reachability , 2001, POPL '01.

[8]  Paul Hudak,et al.  ORBIT: an optimizing compiler for scheme , 1986, SIGPLAN '86.

[9]  Manu Sridharan,et al.  Snugglebug: a powerful approach to weakest preconditions , 2009, PLDI '09.

[10]  William D. Clinger,et al.  Lambda, the ultimate label or a simple optimizing compiler for Scheme , 1994, LFP '94.

[11]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[12]  Olin Shivers Higher-order control-flow analysis in retrospect: lessons learned, lessons abandoned , 2004, SIGP.

[13]  Rajeev Alur,et al.  Analysis of recursive state machines , 2001, TOPL.

[14]  Pierre Wolper,et al.  A direct symbolic approach to model checking pushdown systems , 1997, INFINITY.

[15]  Amr Sabry,et al.  Reasoning about programs in continuation-passing style , 1992, LFP '92.

[16]  Suresh Jagannathan,et al.  Polymorphic splitting: an effective polyvariant flow analysis , 1998, TOPL.

[17]  Thomas P. Jensen,et al.  Control-flow analysis of function calls and returns by abstract interpretation , 2009, Inf. Comput..

[18]  Mihalis Yannakakis,et al.  Graph-theoretic methods in database theory , 1990, PODS.

[19]  Ole Agesen The Cartesian Product Algorithm: Simple and Precise Type Inference Of Parametric Polymorphism , 1995, ECOOP.

[20]  Matthew Might,et al.  Environment Analysis of Higher-Order Languages , 2007 .

[21]  Nevin Charles Heintze,et al.  Set based program analysis , 1992 .

[22]  Amr Sabry,et al.  The essence of compiling with continuations , 1993, PLDI '93.

[23]  Thomas W. Reps,et al.  Interconvertibility of a class of set constraints and context-free-language reachability , 2000, Theor. Comput. Sci..

[24]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[25]  Josef Svenningsson,et al.  Constraint Abstractions , 2001, PADO.

[26]  Harry G. Mairson,et al.  Deciding $k$CFA is complete for EXPTIME , 2008, ICFP 2008.

[27]  Swarat Chaudhuri,et al.  Subcubic algorithms for recursive state machines , 2008, POPL '08.

[28]  Olin Shivers,et al.  CFA2: A Context-Free Approach to Control-Flow Analysis , 2010, ESOP.

[29]  Matthew Might,et al.  Improving flow analyses via ΓCFA: abstract garbage collection and counting , 2006, ICFP '06.

[30]  Naoki Kobayashi Types and higher-order recursion schemes for verification of higher-order programs , 2009, POPL '09.