ABSTRACT
Many static analyses do not scale as they are made more precise. For example, increasing the amount of context sensitivity in a k-limited pointer analysis causes the number of contexts to grow exponentially with k. Iterative refinement techniques can mitigate this growth by starting with a coarse abstraction and only refining parts of the abstraction that are deemed relevant with respect to a given client.
In this paper, we introduce a new technique called pruning that uses client feedback in a different way. The basic idea is to use coarse abstractions to prune away parts of the program analysis deemed irrelevant for proving a client query, and then to use finer abstractions on the sliced program analysis. For a k-limited pointer analysis, this approach amounts to adaptively refining and pruning a set of prefix patterns representing the contexts relevant for the client. By pruning, we are able to scale up to much more expensive abstractions than before. We also prove that the pruned analysis is both sound and complete; that is, it yields the same results as an analysis that uses a more expensive abstraction directly without pruning.
Scaling abstraction refinement via pruning
PLDI '11