UCLA CS 232 Static Program Analysis Fall 2008
Homework 1: Constraint-based analysis
Write set constraints for constraint-based analysis of the Java expressions
new (), method call with one argument, and Java assignment.
For a method call, allow the set for the actual parameter to be a subset
of the set for the formal parameter.
Give a second version of the constraints in which we insist that
for a method call, the set for the actual parameter must be equal
to the set for the formal parameter.
The second version is more conservative, that is, less precise.
Show an example program that illustrates why the second version
is more conservative.
Present the constraints for both the first and the second version
of the analysis,
as well as the least solution for each one.
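An added illustration, not part of the course materials: a small fixed-point solver for set constraints, run on a constructed program under both treatments of parameter passing. The constraint encoding, the sample program and all names below are assumptions made for this example.

```python
def least_solution(constraints):
    """Least solution of set constraints, by iterating to a fixed point.

    ("in", c, X)         : c is a member of X
    ("sub", X, Y)        : X is a subset of Y
    ("cond", c, X, Y, Z) : if c is a member of X then Y is a subset of Z
    """
    sol = {}
    get = lambda v: sol.setdefault(v, set())
    changed = True
    while changed:
        changed = False
        for con in constraints:
            if con[0] == "in":
                src, dst = {con[1]}, con[2]
            elif con[0] == "sub":
                src, dst = get(con[1]), con[2]
            elif con[1] in get(con[2]):      # conditional constraint has fired
                src, dst = get(con[3]), con[4]
            else:
                continue
            if not src <= get(dst):
                get(dst).update(src)
                changed = True
    return sol


def constraints_for_sample(equal_params):
    """Constraints for the constructed program
         a = new A(); b = new B(); r = new R(); r.m(a); r.m(b);
         class R { Object m(Object p) { return p; } }
    """
    cons = []
    for var, cls in (("a", "A"), ("b", "B"), ("r", "R")):
        cons += [("in", cls, f"new {cls}()"),           # new C()
                 ("sub", f"new {cls}()", var)]          # assignment x = e
    for arg in ("a", "b"):                              # call r.m(arg)
        cons += [("cond", "R", "r", arg, "p"),          # actual is a subset of formal
                 ("cond", "R", "r", "p", f"r.m({arg})")]  # body flows to the call
        if equal_params:                                # second version: formal flows back
            cons.append(("cond", "R", "r", "p", arg))
    return cons


subset_sol = least_solution(constraints_for_sample(equal_params=False))
equal_sol = least_solution(constraints_for_sample(equal_params=True))
```

With subset constraints the set for a stays {A}; with equality constraints the formal parameter p merges both call sites and a grows to {A, B}.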
Homework 2: Pointer analysis
In the paper by Nevin Heintze and Olivier Tardieu entitled
Ultra-fast Aliasing Analysis using CLA:
A Million Lines of C Code in a Second,
Figure 2 presents deduction rules for pointer analysis.
Rephrase the analysis in Figure 2 to use set constraints.
Show the set constraints and their least solution for the example
in Figure 3.
Homework 3: SSA form
Let S be a family of nonempty sets.
The intersection graph of S is obtained by
representing each set in S by
a vertex and connecting two vertices by an edge if and only
if their corresponding sets intersect.
The intersection graph of the live ranges of a program is called an
A graph is chordal if and only if it can be represented as an intersection graph
of subtrees of a tree.
a program in strict SSA form has a chordal interference graph.
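The two definitions above, as an added example that is not part of the course page: it builds the intersection graph of a family of sets and tests chordality with maximum cardinality search. The sample families are constructed; the first models live ranges as sets of program points.

```python
from itertools import combinations


def intersection_graph(family):
    """One vertex per named set; an edge iff the two sets intersect."""
    adj = {name: set() for name in family}
    for a, b in combinations(family, 2):
        if family[a] & family[b]:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def is_chordal(adj):
    """Maximum cardinality search; the graph is chordal iff the reverse
    of the visit order is a perfect elimination ordering."""
    weight = {v: 0 for v in adj}
    order, unvisited = [], set(adj)
    while unvisited:
        # visit the vertex with the most already-visited neighbours
        v = max(sorted(unvisited), key=lambda u: weight[u])
        order.append(v)
        unvisited.remove(v)
        for w in adj[v] & unvisited:
            weight[w] += 1
    position = {v: i for i, v in enumerate(order)}
    for v in order:
        earlier = {w for w in adj[v] if position[w] < position[v]}
        if not earlier:
            continue
        # the most recently visited earlier neighbour must be adjacent
        # to all the other earlier neighbours of v
        parent = max(earlier, key=lambda w: position[w])
        if not (earlier - {parent}) <= adj[parent]:
            return False
    return True


# Constructed live ranges over program points 1..6 (intervals on a line).
LIVE_RANGES = {"a": {1, 2, 3}, "b": {2, 3, 4}, "c": {3, 4, 5}, "d": {5, 6}}
# Constructed family whose intersection graph is a chordless 4-cycle.
RING = {"w": {1, 2}, "x": {2, 3}, "y": {3, 4}, "z": {4, 1}}
```

The intersection graph of LIVE_RANGES is chordal, while that of RING is a 4-cycle with no chord, so RING cannot be represented by subtrees of a tree.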
Homework 4: Context-sensitive analysis
The goal of the homework is to write a competitive, context-sensitive
static program analysis using the
The source language is
The MiniJava grammar is in JavaCC format; you can use JTB and JavaCC
if you like; you can also rewrite the grammar into a different format.
If you want to work with a different source language, you are welcome
to do that; come talk with me first.
Your main task is to write the necessary code to be able to use the bddbddb tool
as described by John Whaley, Monica S. Lam in
Cloning-based context-sensitive pointer alias analysis using
binary decision diagrams.
Experiment with both a context-insensitive and a context-sensitive version
of the constraints; try algorithms 1-6 in the Whaley-Lam paper.
Write a MiniJava benchmark suite which helps illustrate
how the context-sensitive analysis gives more precise information
than the context-insensitive analysis.
- Submit your benchmark suite along with a report which
  - details your implementation strategy,
  - shows the best of your MiniJava benchmark programs and explains in detail what
    it helps illustrate and how, and
  - reports on the total time to analyze each of the MiniJava benchmark programs
    with each of the algorithms,
    both for the MiniJava programs
    and the ones you wrote yourself.
- Prepare to show a demo of your program analysis.
Homework 5: Type-safe method inlining
Read the paper by Neal Glew and Jens Palsberg called
Type-safe method inlining.
On p.16, item (36) is a form of constraint generated from
occurrences of "this".
Suppose we don't generate this constraint.
Now do one of two things.
- Either prove that the resulting analysis satisfies
  Typability Preservation (Theorem 4 in the paper);
  submit your proof.
- Or write a program in the example language of the paper
  such that (1) the program type checks and
  (2) after analysis and transformation, the transformed program
  does not type check; submit:
  - a brief explanation of the intuition why the program will
    not type check after analysis and transformation,
  - a note that you have type checked the program using javac,
  - the flow analysis constraints generated from the program,
  - the least solution of the constraints,
  - the transformed program,
  - an explanation of why the transformed program does not type check.
Homework 6: Fast control-flow analysis
Consider the lambda-term:
G = [lambda1 f.(f(f(lambda2 x.x)))](lambda3 y.y)
Show the graph for G that is used by the Heintze/McAllester
flow analysis algorithm.
What is the label set for G produced by the algorithm?
Homework 7: Relationships between static analysis and type systems
Consider the language generated by the grammar:
e ::= x | lambda x.e | e e | 0 | e+1
We can define a type system with the simple types
t ::= int | t -> t
see for example "A simple algorithm and proof for type inference"
by Mitchell Wand.
Specify a flow analysis which is equivalent to the type system with
Here "equivalent" is in the sense of "A type system
equivalent to flow analysis" by Jens Palsberg and Patrick O'Keefe.
Justify informally in detail why your flow analysis is equivalent
to the type system.
Homework 8: Stack bounds for event-driven software
In the interrupt calculus of
Stack Size Analysis of Interrupt Driven Software,
write the simplest program you can think of
which has 3 interrupt handlers and for which the maximum stack size is 6.
Argue informally why your program has a maximum stack size of 6.
Homework 9: Logical abstract interpretation
Homework 9 is described in