# UCLA CS 232 Static Program Analysis Fall 2008

## Homework 1: Constraint-based analysis

Write set constraints for constraint-based analysis of the Java expressions new (), method call with one argument, and Java assignment. For a method call, allow the set for the actual parameter to be a subset of the set for the formal parameter. Give a second version of the constraints in which we insist that for a method call, the set for the actual parameter must be equal to the set for the formal parameter. The second version is more conservative, that is, less precise. Show an example program that illustrates why the second version is more conservative. Present the constraints for both the first and the second version of the analysis, as well as the least solution for each one.

## Homework 2: Pointer analysis

In the paper by Nevin Heintze and Olivier Tardieu entitled "Ultra-fast Aliasing Analysis using CLA: A Million Lines of C Code in a Second", Figure 2 presents deduction rules for pointer analysis. Rephrase the analysis in Figure 2 to use set constraints. Show the set constraints and their least solution for the example in Figure 3.

## Homework 3: SSA form

Let S be a family of nonempty sets. The intersection graph of S is obtained by representing each set in S by a vertex and connecting two vertices by an edge if and only if their corresponding sets intersect. The intersection graph of the live ranges of a program is called an interference graph. A graph is chordal if and only if it can be represented as an intersection graph of subtrees of a tree. Prove that a program in strict SSA form has a chordal interference graph.
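The definitions above can be tried out on small inputs. The following is an added example, not part of the course page: it builds the intersection graph of a family of sets and tests chordality with maximum cardinality search. The names `intersection_graph`, `is_chordal`, `SUBTREE_RANGES` and `CYCLE_RANGES` are assumptions made for illustration, and both sample families are constructed.

```python
from itertools import combinations

def intersection_graph(family):
    """Vertices are the set names; two vertices are adjacent iff their sets intersect."""
    adj = {name: set() for name in family}
    for u, v in combinations(family, 2):
        if family[u] & family[v]:
            adj[u].add(v)
            adj[v].add(u)
    return adj

def is_chordal(adj):
    """Maximum cardinality search, then check that the reverse of the visit
    order is a perfect elimination ordering (true iff the graph is chordal)."""
    order, weight = [], {v: 0 for v in adj}
    while weight:
        v = max(weight, key=weight.get)   # unvisited vertex with most visited neighbours
        order.append(v)
        del weight[v]
        for w in adj[v]:
            if w in weight:
                weight[w] += 1
    pos = {v: i for i, v in enumerate(order)}
    for v in order:
        earlier = [w for w in adj[v] if pos[w] < pos[v]]
        if not earlier:
            continue
        parent = max(earlier, key=pos.get)  # most recently visited earlier neighbour
        # The earlier neighbours of v must form a clique; it suffices that
        # all of them other than parent are adjacent to parent.
        if any(w != parent and w not in adj[parent] for w in earlier):
            return False
    return True

# Constructed sample: live ranges given as node sets of the tree
# 0 -> {1, 2}, 1 -> {3, 4}; every range is a connected subtree.
SUBTREE_RANGES = {"x": {0, 1, 2}, "y": {1, 3}, "z": {1, 4}, "w": {2}, "v": {3}}

# Constructed sample: four sets that intersect in a ring, giving a
# chordless 4-cycle as their intersection graph.
CYCLE_RANGES = {"a": {1, 2}, "b": {2, 3}, "c": {3, 4}, "d": {4, 1}}

if __name__ == "__main__":
    for name, fam in (("subtrees", SUBTREE_RANGES), ("ring", CYCLE_RANGES)):
        print(name, "chordal:", is_chordal(intersection_graph(fam)))
```
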

## Homework 4: Context-sensitive analysis

• The goal of the homework is to write a competitive, context-sensitive static program analysis using the bddbddb tool.
• The source language is MiniJava. The MiniJava grammar is in JavaCC format; you can use JTB and JavaCC if you like; you can also rewrite the grammar into a different format. If you want to work with a different source language, you are welcome to do that; come talk with me first.
• Your main task is to write the necessary code to be able to use the bddbddb tool as described by John Whaley and Monica S. Lam in "Cloning-based context-sensitive pointer alias analysis using binary decision diagrams".
• Experiment with both a context-insensitive and a context-sensitive version of the constraints; try algorithms 1-6 in the Whaley-Lam paper.
• Write a MiniJava benchmark suite which helps illustrate how the context-sensitive analysis gives more precise information than the context-insensitive analysis.
• Submit your benchmark suite along with a report which
2. shows the best of your MiniJava benchmark programs and explains in detail what it helps illustrate and how, and
3. reports on the total time to analyze each of the MiniJava benchmark programs with each of the algorithms, both for the MiniJava programs here and the ones you wrote yourself.
• Prepare to show a demo of your program analysis.

## Homework 5: Type-safe method inlining

Read the paper by Neal Glew and Jens Palsberg called "Type-safe method inlining". On p.16, item (36) is a form of constraint generated from occurrences of "this". Suppose we don't generate this constraint. Now do one of two things. Either prove that the resulting analysis satisfies Typability Preservation (Theorem 4 in the paper); submit your proof. Or else write a program in the example language of the paper such that (1) the program type checks and (2) after analysis and transformation, the transformed program does not type check. Submit
• a brief explanation of the intuition why the program will not type check after analysis and transformation,
• a note that you have type checked the program using javac,
• the flow analysis constraints generated from the program,
• the least solution of the constraints,
• the transformed program,
• an explanation of why the transformed program does not type check.

## Homework 6: Fast control-flow analysis

Consider the lambda-term:
G = [lambda1 f.(f(f(lambda2 x.x)))](lambda3 y.y)
Show the graph for G that is used by the Heintze/McAllester quadratic-time flow analysis algorithm. What is the label set for G produced by the algorithm?

## Homework 7: Relationships between static analysis and type systems

Consider the language generated by the grammar:
e ::= x | lambda x.e | e e | 0 | e+1
We can define a type system with the simple types
t ::= int | t -> t
see for example "A simple algorithm and proof for type inference" by Mitchell Wand. Specify a flow analysis which is equivalent to the type system with simple types. Here "equivalent" is in the sense of "A type system equivalent to flow analysis" by Jens Palsberg and Patrick O'Keefe. Justify informally in detail why your flow analysis is equivalent to the type system.

## Homework 8: Stack bounds for event-driven software

In the interrupt calculus of "Stack Size Analysis of Interrupt Driven Software", write the simplest program you can think of which has 3 interrupt handlers and for which the maximum stack size is 6. Argue informally why your program has a maximum stack size of 6.