Abstract
Computing precise (fully flow- and context-sensitive) and exhaustive (as against demand-driven) points-to information is known to be expensive. Top-down approaches require repeated analysis of a procedure for separate contexts. Bottom-up approaches need to model unknown pointees accessed indirectly through pointers that may be defined in the callers and hence do not scale while preserving precision. Therefore, most approaches to precise points-to analysis begin with a scalable but imprecise method and then seek to increase its precision. We take the opposite approach in that we begin with a precise method and increase its scalability. In a nutshell, we create naive but possibly non-scalable procedure summaries and then use novel optimizations to compact them while retaining their soundness and precision.
For this purpose, we propose a novel abstraction called the generalized points-to graph (GPG), which views points-to relations as memory updates and generalizes them using the counts of indirection levels leaving the unknown pointees implicit. This allows us to construct GPGs as compact representations of bottom-up procedure summaries in terms of memory updates and control flow between them. Their compactness is ensured by strength reduction (which reduces the indirection levels), control flow minimization (which removes control flow edges while preserving soundness and precision), and call inlining (which enhances the opportunities of these optimizations).
The effectiveness of GPGs lies in the fact that they discard as much control flow as possible without losing precision. This is the reason GPGs are very small even for main procedures that contain the effect of the entire program. This allows our implementation to scale to 158 kLoC for C programs.
At a more general level, GPGs provide a convenient abstraction to represent and transform memory in the presence of pointers. Future investigations can try to combine it with other abstractions for static analyses that can benefit from points-to information.
Supplemental Material
Available for Download
Supplemental movie, appendix, image and software files for, Exploring the Needs, Preferences, and Concerns of Persons with Visual Impairments Regarding Autonomous Vehicles
- Alfred V. Aho, Monica S. Lam, Ravi Sethi, and Jeffrey D. Ullman. 2006. Compilers: Principles, Techniques, and Tools (2nd ed.). Addison Wesley Longman, Boston, MA.Google ScholarDigital Library
- Thomas Ball and Sriram K. Rajamani. 2002. The SLAM project: Debugging system software via static analysis. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’02). ACM, New York, NY, 1--3. DOI:https://doi.org/10.1145/503272.503274Google ScholarDigital Library
- A. J. Bernstein. 1996. Analysis of programs for parallel processing. IEEE Trans. Elec. Comp. EC-15, 5 (1996), 746--757. https://ci.nii.ac.jp/naid/10009998541/en/.Google Scholar
- Marcio Buss, Daniel Brand, Vugranam Sreedhar, and Stephen A. Edwards. 2010. A novel analysis space for pointer analysis and its application for bug finding. Sci. Comput. Program. 75, 11 (Nov. 2010), 921--942. DOI:https://doi.org/10.1016/j.scico.2009.08.002Google ScholarDigital Library
- Ramkrishna Chatterjee, Barbara G. Ryder, and William A. Landi. 1999. Relevant context inference. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’99). ACM, New York, NY, 133--146. DOI:https://doi.org/10.1145/292540.292554Google ScholarDigital Library
- Ben-Chung Cheng and Wen-Mei W. Hwu. 2000. Modular interprocedural pointer analysis using access paths: Design, implementation, and evaluation. In Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation (PLDI’00). ACM, New York, NY, 57--69. DOI:https://doi.org/10.1145/349299.349311Google ScholarDigital Library
- Isil Dillig, Thomas Dillig, and Alex Aiken. 2008. Sound, complete and scalable path-sensitive analysis. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’08). ACM, New York, NY. DOI:https://doi.org/10.1145/1375581.1375615Google ScholarDigital Library
- Maryam Emami, Rakesh Ghiya, and Laurie J. Hendren. 1994. Context-sensitive interprocedural points-to analysis in the presence of function pointers. In Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation (PLDI’94). ACM, New York, NY, 242--256. DOI:https://doi.org/10.1145/178243.178264Google ScholarDigital Library
- Yu Feng, Xinyu Wang, Isil Dillig, and Thomas Dillig. 2015. Bottom-up context-sensitive pointer analysis for Java. In Proceedings of the 13th Asian Symposium on Programming Languages and Systems (APLAS’15). DOI:https://doi.org/10.1007/978-3-319-26529-2_25Google ScholarCross Ref
- Pritam M. Gharat. 2018. Generalized Points-to Graph: A New Abstraction of Memory in Presence of Pointers. Ph.D. Dissertation. Indian Institute of Technology Bombay, Mumbai, India.Google Scholar
- Pritam M. Gharat, Uday P. Khedker, and Alan Mycroft. 2016. Flow- and context-sensitive points-to analysis using generalized points-to graphs. In Proceedings of the 23rd Static Analysis Symposium (SAS’16).Google ScholarCross Ref
- Brian Hackett and Alex Aiken. 2006. How is aliasing used in systems software? In Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering (SIGSOFT’06/FSE-14). ACM, New York, NY. DOI:https://doi.org/10.1145/1181775.1181785Google ScholarDigital Library
- Nevin Heintze and Olivier Tardieu. 2001. Demand-driven pointer analysis. In Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation (PLDI’01). ACM, New York, NY. DOI:https://doi.org/10.1145/378795.378802Google ScholarDigital Library
- Michael Hind and Anthony Pioli. 1998. Assessing the effects of flow-sensitivity on pointer alias analyses. In Proceedings of the 5th International Symposium on Static Analysis (SAS’98). 57--81. DOI:https://doi.org/10.1007/3-540-49727-7_4Google ScholarCross Ref
- Michael Hind and Anthony Pioli. 2000. Which pointer analysis should I use? In Proceedings of the 2000 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA’00). ACM, New York, NY, 113--123. DOI:https://doi.org/10.1145/347324.348916Google ScholarDigital Library
- Vineet Kahlon. 2008. Bootstrapping: A technique for scalable flow and context-sensitive pointer alias analysis. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’08). ACM, New York, NY, 249--259. DOI:https://doi.org/10.1145/1375581.1375613Google ScholarDigital Library
- Vini Kanvar and Uday P. Khedker. 2016. Heap abstractions for static analysis. ACM Comput. Surv. 49, 2 (June 2016), Article 29, 47 pages. DOI:https://doi.org/10.1145/2931098Google ScholarDigital Library
- Owen Kaser, C. R. Ramakrishnan, and Shaunak Pawagi. 1993. On the conversion of indirect to direct recursion. ACM Lett. Program. Lang. Syst. 2, 1-4 (March 1993), 151--164. DOI:https://doi.org/10.1145/176454.176510Google ScholarDigital Library
- Ken Kennedy and John R. Allen. 2002. Optimizing Compilers for Modern Architectures: A Dependence-Based Approach. Morgan Kaufmann, San Francisco, CA.Google ScholarDigital Library
- Uday P. Khedker and Bageshri Karkare. 2008. Efficiency, precision, simplicity, and generality in interprocedural data flow analysis: Resurrecting the classical call strings method. In Proceedings of the Joint European Conferences on Theory and Practice of Software and the 17th International Conference on Compiler Construction (CC’08/ETAPS’08).Google Scholar
- Uday P. Khedker, Alan Mycroft, and Prashant Singh Rawat. 2012. Liveness-based pointer analysis. In Proceedings of the 19th International Static Analysis Symposium (SAS’12). DOI:https://doi.org/10.1007/978-3-642-33125-1_19Google ScholarCross Ref
- U. P. Khedker, A. Sanyal, and B. Sathe. 2009. Data Flow Analysis: Theory and Practice. Taylor 8 Francis (CRC Press), Boca Raton, FL.Google Scholar
- Chris Lattner, Andrew Lenharth, and Vikram Adve. 2007. Making context-sensitive points-to analysis with heap cloning practical for the real world. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’07). ACM, New York, NY, 278--289. DOI:https://doi.org/10.1145/1250734.1250766Google ScholarDigital Library
- Ondrej Lhotak, Yannis Smaragdakis, and Manu Sridharan. 2013. Pointer analysis (Dagstuhl seminar 13162). Dagstuhl Reports 3, 4 (2013), 91--113. DOI:https://doi.org/10.4230/DagRep.3.4.91Google ScholarCross Ref
- Lian Li, Cristina Cifuentes, and Nathan Keynes. 2013. Precise and scalable context-sensitive pointer analysis via value flow graph. In Proceedings of the 2013 International Symposium on Memory Management (ISMM’13). ACM, New York, NY. DOI:https://doi.org/10.1145/2464157.2466483Google ScholarDigital Library
- Ravichandhran Madhavan, G. Ramalingam, and Kapil Vaswani. 2012. Modular heap analysis for higher-order programs. In Proceedings of the 19th International Conference on Static Analysis (SAS’12). DOI:https://doi.org/10.1007/978-3-642-33125-1_25Google ScholarDigital Library
- Ravichandhran Madhavan, G. Ramalingam, and Kapil Vaswani. 2015. A framework for efficient modular heap analysis. Found. Trends Program. Lang. 1, 4 (Jan. 2015), 269--381. DOI:https://doi.org/10.1561/2500000020Google ScholarDigital Library
- Steven S. Muchnick. 1997. Advanced Compiler Design and Implementation. Morgan Kaufmann, San Francisco, CA.Google ScholarDigital Library
- Rohan Padhye and Uday P. Khedker. 2013. Interprocedural data flow analysis in SOOT using value contexts. In Proceedings of the 2nd ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis (SOAP’13). ACM, New York, NY. DOI:https://doi.org/10.1145/2487568.2487569Google ScholarDigital Library
- Thomas Reps, Susan Horwitz, and Mooly Sagiv. 1995. Precise interprocedural dataflow analysis via graph reachability. In Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’95). ACM, New York, NY. DOI:https://doi.org/10.1145/199448.199462Google ScholarDigital Library
- Barbara G. Ryder, William A. Landi, Philip A. Stocks, Sean Zhang, and Rita Altucher. 2001. A schema for interprocedural modification side-effect analysis with pointer aliasing. ACM Trans. Program. Lang. Syst. 23, 2 (March 2001), 105--186. DOI:https://doi.org/10.1145/383043.381532Google ScholarDigital Library
- Mooly Sagiv, Thomas Reps, and Susan Horwitz. 1996. Precise interprocedural dataflow analysis with applications to constant propagation. In Selected Papers from the 6th International Joint Conference on Theory and Practice of Software Development (TAPSOFT’95). Elsevier Science Publishers B. V., Amsterdam, The Netherlands. http://dl.acm.org/citation.cfm?id=243753.243762Google Scholar
- Lei Shang, Xinwei Xie, and Jingling Xue. 2012. On-demand dynamic summary-based points-to analysis. In Proceedings of the 10th International Symposium on Code Generation and Optimization (CGO’12). ACM, New York, NY. DOI:https://doi.org/10.1145/2259016.2259050Google ScholarDigital Library
- M. Sharir and A. Pneuli. 1981. Two approaches to interprocedural data flow analysis. In Program Flow Analysis: Theory and Applications, S. S. Muchnick and N. D. Jones (Eds.). Prentice Hall, 189–234.Google Scholar
- Yannis Smaragdakis and George Balatsouras. 2015. Pointer analysis. Foundations and Trends® in Programming Languages 2, 1 (2015), 1--69. DOI:https://doi.org/10.1561/2500000014Google ScholarDigital Library
- Johannes Späth, Lisa Nguyen, Karim Ali, and Eric Bodden. 2016. Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java. In Proceedings of the European Conference on Object-Oriented Programming (ECOOP’16).Google Scholar
- Manu Sridharan, Denis Gopan, Lexin Shan, and Rastislav Bodík. 2005. Demand-driven points-to analysis for Java. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’05). ACM, New York, NY. DOI:https://doi.org/10.1145/1094811.1094817Google ScholarDigital Library
- Stefan Staiger-Stöhr. 2013. Practical integrated analysis of pointers, dataflow and control flow. ACM Trans. Program. Lang. Syst. 35, 1 (2013), Article 5, 48 pages. DOI:https://doi.org/10.1145/2450136.2450140Google ScholarDigital Library
- Alexandru Sălcianu and Martin Rinard. 2005. Purity and side effect analysis for Java programs. In Proceedings of the 6th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’05). DOI:https://doi.org/10.1007/978-3-540-30579-8_14Google ScholarDigital Library
- Yulei Sui and Jingling Xue. 2016. On-demand strong update analysis via value-flow refinement. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’16). ACM, New York, NY, 460--473. DOI:https://doi.org/10.1145/2950290.2950296Google ScholarDigital Library
- Yulei Sui and Jingling Xue. 2016. SVF: Interprocedural static value-flow analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction (CC’16). ACM, New York, NY, 265--266. DOI:https://doi.org/10.1145/2892208.2892235Google ScholarDigital Library
- John Whaley and Martin Rinard. 1999. Compositional pointer and escape analysis for Java programs. In Proceedings of the 14th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’99). ACM, New York, NY. DOI:https://doi.org/10.1145/320384.320400Google ScholarDigital Library
- R. P. Wilson and M. S. Lam. 1995. Efficient context-sensitive pointer analysis for C programs. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’95). citeseer.ist.psu.edu/wilson95efficient.htmlGoogle Scholar
- Dacong Yan, Guoqing Xu, and Atanas Rountev. 2012. Rethinking SOOT for summary-based whole-program analysis. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis (SOAP’12). ACM, New York, NY. DOI:https://doi.org/10.1145/2259051.2259053Google ScholarDigital Library
- Greta Yorsh, Eran Yahav, and Satish Chandra. 2008. Generating precise and concise procedure summaries. In Proceedings of the 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’08). ACM, New York, NY. DOI:https://doi.org/10.1145/1328438.1328467Google ScholarDigital Library
- Hongtao Yu, Jingling Xue, Wei Huo, Xiaobing Feng, and Zhaoqing Zhang. 2010. Level by level: Making flow- and context-sensitive pointer analysis scalable for millions of lines of code. In Proceedings of the 8th Annual IEEE/ACM International Symposium on Code Generation and Optimization (CGO’10). ACM, New York, NY, 218--229. DOI:https://doi.org/10.1145/1772954.1772985Google ScholarDigital Library
- Xin Zhang, Ravi Mangal, Mayur Naik, and Hongseok Yang. 2014. Hybrid top-down and bottom-up interprocedural analysis. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’14). ACM, New York, NY. DOI:https://doi.org/10.1145/2594291.2594328Google ScholarDigital Library
- Jianwen Zhu and Silvian Calman. 2005. Context sensitive symbolic pointer analysis. IEEE Trans. Comput. Aided Des. Integr. Circ. Syst. 24 (May 2005), 516--531. DOI:https://doi.org/10.1109/TCAD.2005.844092Google ScholarDigital Library
Index Terms
- Generalized Points-to Graphs: A Precise and Scalable Abstraction for Points-to Analysis
Recommendations
On-demand dynamic summary-based points-to analysis
CGO '12: Proceedings of the Tenth International Symposium on Code Generation and OptimizationStatic analyses can be typically accelerated by reducing redundancies. Modern demand-driven points-to or alias analysis techniques rest on the foundation of Context-Free Language (CFL) reachability. These techniques achieve high precision efficiently ...
Refinement-based context-sensitive points-to analysis for Java
Proceedings of the 2006 PLDI ConferenceWe present a scalable and precise context-sensitive points-to analysis with three key properties: (1) filtering out of unrealizable paths, (2) a context-sensitive heap abstraction, and (3) a context-sensitive call graph. Previous work [21] has shown ...
Dynamic points-to sets: a comparison with static analyses and potential applications in program understanding and optimization
PASTE '01: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineeringIn this paper, we compare the behavior of pointers in C programs, as approximated by static pointer analysis algorithms, with the actual behavior of pointers when these programs are run. In order to perform this comparison, we have implemented several ...
Comments