research-article

On-demand strong update analysis via value-flow refinement

Authors:
Yulei Sui

UNSW, Australia

UNSW, Australia
View Profile

,
Jingling Xue

UNSW, Australia

UNSW, Australia
View Profile

FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software EngineeringNovember 2016Pages 460–473https://doi.org/10.1145/2950290.2950296

Published:01 November 2016Publication History

FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering

Pages 460–473

ABSTRACT

We present a new Strong UPdate Analysis for C programs, called Supa, that enables computing points-to information on-demand via value-flow refinement, in environments with small time and memory budgets such as IDEs. We formulate Supa by solving a graph-reachability problem on a value- flow graph representation of the program, so that strong updates are performed where needed, as long as the total analysis budget is not exhausted. Supa facilitates efficiency and precision tradeoffs by allowing different pointer analyses to be applied in a hybrid multi-stage analysis framework.

We have implemented Supa in LLVM with its artifact available at [1]. We evaluate Supa by choosing uninitialized pointer detection as a major client on 12 open-source C programs. As the analysis budget increases, Supa achieves improved precision, with its single-stage flow-sensitive analysis reaching 97% of that achieved by whole-program flow- sensitive analysis by consuming about 0.19 seconds and 36KB of memory per query, on average (with a budget of at most 10000 value-flow edges per query).

References

SUPA. http://www.cse.unsw.edu.au/˜corg/supa.Google Scholar
M. Acharya and B. Robinson. Practical change impact analysis based on static program slicing for industrial software systems. In ICSE ’11, pages 746–755, 2011. Google ScholarDigital Library
L. Andersen. Program analysis and specialization for the C programming language. PhD thesis, DIKU, University of Copenhagen, 1994.Google Scholar
S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In PLDI ’14, pages 259–269, 2014. Google ScholarDigital Library
S. Blackshear, B.-Y. E. Chang, and M. Sridharan. Thresher: Precise refutations for heap reachability. In PLDI ’13, pages 275–286, 2013. Google ScholarDigital Library
J.-D. Choi, M. Burke, and P. Carini. Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects. In POPL ’93, pages 232–245, 1993. Google ScholarDigital Library
J.-D. Choi, R. Cytron, and J. Ferrante. Automatic construction of sparse data flow evaluation graphs. In POPL ’91, pages 55–66, 1991. Google ScholarDigital Library
F. Chow, S. Chan, S. Liu, R. Lo, and M. Streich. Effective representation of aliases and indirect memory operations in SSA form. In CC ’96, pages 253–267, 1996. Google ScholarDigital Library
M. Das. Unification-based pointer analysis with directional assignments. In PLDI ’00, pages 35–46, 2000. Google ScholarDigital Library
R. Emami, M. Ghiya and J. Hendren. Context-sensitive interprocedural points-to analysis in presence of function pointers. In PLDI ’94, pages 242–256, 1994. Google ScholarDigital Library
Y. Feng, X. Wang, I. Dillig, and C. Lin. EXPLORER: query- and demand-driven exploration of interprocedural control flow properties. In OOPSLA ’15, pages 520–534, 2015. Google ScholarDigital Library
S. J. Fink, E. Yahav, N. Dor, G. Ramalingam, and E. Geay. Effective typestate verification in the presence of aliasing. ACM TOSEM, 17(2):9, 2008. Google ScholarDigital Library
S. Z. Guyer and C. Lin. Client-driven pointer analysis. In SAS ’03, pages 1073–1073, 2003. Google ScholarDigital Library
B. Hardekopf and C. Lin. Semi-sparse flow-sensitive pointer analysis. In POPL ’09, pages 226–238, 2009. Google ScholarDigital Library
B. Hardekopf and C. Lin. Flow-Sensitive Pointer Analysis for Millions of Lines of Code. In CGO ’11, pages 289–298, 2011. Google ScholarDigital Library
N. Heintze and O. Tardieu. Demand-driven pointer analysis. In PLDI ’01, pages 24–34, 2001. Google ScholarDigital Library
M. Hind and A. Pioli. Assessing the effects of flow-sensitivity on pointer alias analyses. In SAS ’98, pages 57–81. 1998. Google ScholarDigital Library
J. B. Kam and J. D. Ullman. Monotone data flow analysis frameworks. Acta Informatica, 7(3):305–317, 1977. Google ScholarDigital Library
G. Kastrinis and Y. Smaragdakis. Hybrid context-sensitivity for points-to analysis. In PLDI ’13, pages 423–434, 2013. Google ScholarDigital Library
U. P. Khedker, A. Mycroft, and P. S. Rawat. Liveness-based pointer analysis. In SAS ’12, pages 265–282. 2012. Google ScholarDigital Library
W. Landi. Undecidability of static analysis. ACM Letters on Programming Languages and Systems (LOPLAS), 1(4):323–337, 1992. Google ScholarDigital Library
C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO ’04, pages 75–86, 2004. Google ScholarDigital Library
O. Lhoták and K.-C. A. Chung. Points-to analysis with efficient strong updates. In POPL ’11, pages 3–16, 2011. Google ScholarDigital Library
O. Lhoták and L. Hendren. Scaling Java points-to analysis using Spark. CC ’03, pages 153 – 169.Google Scholar
L. Li, C. Cifuentes, and N. Keynes. Boosting the performance of flow-sensitive points-to analysis using value flow. In FSE ’11, pages 343–353, 2011. Google ScholarDigital Library
Y. Li, T. Tan, Y. Sui, and J. Xue. Self-inferencing reflection resolution for Java. In ECOOP ’14, pages 27–53. Google ScholarDigital Library
Y. Li, T. Tan, and J. Xue. Effective soundness-guided reflection analysis. In SAS ’15, pages 162–180.Google Scholar
Y. Li, T. Tan, Y. Zhang, and J. Xue. Program Tailoring: Slicing by Sequential Criteria. In ECOOP ’16, pages 15:1–15:27, 2016.Google Scholar
Y. Lu, L. Shang, X. Xie, and J. Xue. An incremental points-to analysis with CFL-reachability. In CC’13, 2013. Google ScholarDigital Library
M. Méndez-Lojo, M. Burtscher, and K. Pingali. A GPU implementation of inclusion-based points-to analysis. In PPoPP ’12, pages 107–116, 2012. Google ScholarDigital Library
M. Méndez-Lojo, A. Mathew, and K. Pingali. Parallel inclusion-based points-to analysis. In OOPSLA ’10, pages 428–443, 2010. Google ScholarDigital Library
A. Milanova, A. Rountev, and B. G. Ryder. Parameterized object sensitivity for points-to and side-effect analyses for java. ISSTA ’02. Google ScholarDigital Library
A. Milanova, A. Rountev, and B. G. Ryder. Parameterized object sensitivity for points-to analysis for Java. ACM Trans. Softw. Eng. Methodol., 14(1):1–41, 2005. Google ScholarDigital Library
V. Nagaraj and R. Govindarajan. Parallel flow-sensitive pointer analysis by graph-rewriting. In PACT ’13, pages 19–28, 2013. Google ScholarDigital Library
H. Oh, K. Heo, W. Lee, W. Lee, and K. Yi. Design and implementation of sparse global analyses for C-like languages. In PLDI ’12, pages 229–238, 2012. Google ScholarDigital Library
D. Pearce, P. Kelly, and C. Hankin. Efficient field-sensitive pointer analysis of C. ACM TOPLAS, 30(1):4–es, 2007. Google ScholarDigital Library
S. Putta and R. Nasre. Parallel replication-based points-to analysis. In CC ’12, pages 61–80, 2012. Google ScholarDigital Library
G. Ramalingam. The undecidability of aliasing. ACM TOPLAS, 16(5):1467–1471, 1994. Google ScholarDigital Library
G. Ramalingam. On sparse evaluation representations. Theoretical Computer Science, 277(1):119–147, 2002. Google ScholarDigital Library
T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL ’95, pages 49–61, 1995. Google ScholarDigital Library
L. Shang, X. Xie, and J. Xue. On-demand dynamic summary-based points-to analysis. In CGO ’12, pages 264–274, 2012. Google ScholarDigital Library
Y. Smaragdakis, M. Bravenboer, and O. Lhoták. Pick your contexts well: understanding object-sensitivity. In POPL’11, pages 17–30, 2011. Google ScholarDigital Library
J. Späth, L. N. Q. Do, K. Ali, and E. Bodden. Boomerang: Demand-driven flow-and context-sensitive pointer analysis for java. ECOOP, 2016.Google Scholar
M. Sridharan and R. Bod´ık. Refinement-based context-sensitive points-to analysis for java. PLDI ’06, pages 387–400, 2006. Google ScholarDigital Library
M. Sridharan, D. Gopan, L. Shan, and R. Bod´ık. Demand-driven points-to analysis for java. In OOPSLA ’05, pages 59–76, 2005. Google ScholarDigital Library
Y. Su, D. Ye, and J. Xue. Accelerating inclusion-based pointer analysis on heterogeneous CPU-GPU systems. In HiPC ’13, pages 149–158, 2013.Google ScholarCross Ref
Y. Su, D. Ye, and J. Xue. Parallel pointer analysis with cfl-reachability. In ICPP ’14, pages 451–460, Sept 2014.Google ScholarDigital Library
Y. Sui, P. Di, and J. Xue. Sparse flow-sensitive pointer analysis for multithreaded programs. In CGO ’16, pages 160–170. ACM, 2016. Google ScholarDigital Library
Y. Sui and J. Xue. SVF: Interprocedural static value-flow analysis in LLVM. In CC ’16, pages 265–266, 2016. Google ScholarDigital Library
Y. Sui, D. Ye, and J. Xue. Static memory leak detection using full-sparse value-flow analysis. In ISSTA ’12, pages 254–264, 2012. Google ScholarDigital Library
Y. Sui, D. Ye, and J. Xue. Detecting memory leaks statically with full-sparse value-flow analysis. TSE ’14, 40(2):107–122, 2014. Google ScholarDigital Library
Y. Sui, S. Ye, J. Xue, and P. Yew. SPAS: Scalable path-sensitive pointer analysis on full-sparse SSA. In APLAS ’11, pages 155–171, 2011. Google ScholarDigital Library
Q. Sun, J. Zhao, and Y. Chen. Probabilistic points-to analysis for java. In CC ’11, pages 62–81, 2011. Google ScholarDigital Library
T. Tan, Y. Li, and J. Xue. Making k-object-sensitive pointer analysis more precise with still k-limiting. In SAS ’16. 2016.Google ScholarCross Ref
R. Wilson and M. Lam. Efficient context-sensitive pointer analysis for C programs. PLDI ’95, pages 1–12, 1995. Google ScholarDigital Library
X. Xiao and C. Zhang. Geometric encoding: forging the high performance context sensitive points-to analysis for Java. In ISSTA ’11, pages 188–198, 2011. Google ScholarDigital Library
D. Yan, G. Xu, and A. Rountev. Demand-driven context-sensitive alias analysis for Java. In ISSTA ’11, pages 155–165, 2011. Google ScholarDigital Library
D. Ye, Y. Sui, and J. Xue. Accelerating dynamic detection of uses of undefined variables with static value-flow analysis. In CGO ’14, 2014. Google ScholarDigital Library
S. Ye, Y. Sui, and J. Xue. Region-based selective flow-sensitive pointer analysis. In SAS ’14, pages 319–336. 2014.Google Scholar
H. Yu, J. Xue, W. Huo, X. Feng, and Z. Zhang. Level by level: making flow-and context-sensitive pointer analysis scalable for millions of lines of code. In CGO ’10, pages 218–229, 2010. Google ScholarDigital Library
Q. Zhang, X. Xiao, C. Zhang, H. Yuan, and Z. Su. Efficient subcubic alias analysis for C. In PLDI ’14, pages 829–845, 2014. Google ScholarDigital Library
X. Zhang, R. Mangal, R. Grigore, M. Naik, and H. Yang. On abstraction refinement for program analyses in Datalog. In PLDI ’14, pages 239–248, 2014. Google ScholarDigital Library
J. Zhao, S. Nagarakatte, M. M. Martin, and S. Zdancewic. Formalizing the LLVM intermediate representation for verified program transformations. In POPL ’12, pages 427–440, 2012. Google ScholarDigital Library
X. Zheng and R. Rugina. Demand-driven alias analysis for C. In POPL ’08, pages 197–208, 2008. Google ScholarDigital Library

Index Terms

On-demand strong update analysis via value-flow refinement
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
  2. Software notations and tools
    1. Compilers
2. Theory of computation
  1. Models of computation
    1. Concurrency

Recommendations

SVF: interprocedural static value-flow analysis in LLVM
CC 2016: Proceedings of the 25th International Conference on Compiler Construction

This paper presents SVF, a tool that enables scalable and precise interprocedural Static Value-Flow analysis for C programs by leveraging recent advances in sparse analysis. SVF, which is fully implemented in LLVM, allows value-flow construction and ...
Read More
Points-to analysis with efficient strong updates
POPL '11: Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

This paper explores a sweet spot between flow-insensitive and flow-sensitive subset-based points-to analysis. Flow-insensitive analysis is efficient: it has been applied to million-line programs and even its worst-case requirements are quadratic space ...
Read More
Points-to analysis with efficient strong updates
POPL '11

This paper explores a sweet spot between flow-insensitive and flow-sensitive subset-based points-to analysis. Flow-insensitive analysis is efficient: it has been applied to million-line programs and even its worst-case requirements are quadratic space ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering
November 2016
1156 pages
ISBN:9781450342186
DOI:10.1145/2950290
General Chair:
Thomas Zimmermann
Microsoft Research, USA
,
Program Chairs:
Jane Cleland-Huang
University of Notre Dame, USA
,
Zhendong Su
University of California at Davis, USA
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 November 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
flow sensitivity
pointer analysis
strong updates
value flow
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate17of128submissions,13%
Upcoming Conference
FSE '24

Sponsor:

sigsoft

32nd ACM International Conference on the Foundations of Software Engineering

July 15 - 19, 2024

Ipojuca (Pernambuco) , Brazil
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 62
  Total Citations
  View Citations
- 462
  Total Downloads
- Downloads (Last 12 months)34
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.