ABSTRACT
We present a new Strong UPdate Analysis for C programs, called Supa, that enables computing points-to information on-demand via value-flow refinement, in environments with small time and memory budgets such as IDEs. We formulate Supa by solving a graph-reachability problem on a value-flow graph representation of the program, so that strong updates are performed where needed, as long as the total analysis budget is not exhausted. Supa facilitates efficiency and precision tradeoffs by allowing different pointer analyses to be applied in a hybrid multi-stage analysis framework.
We have implemented Supa in LLVM with its artifact available at [1]. We evaluate Supa by choosing uninitialized pointer detection as a major client on 12 open-source C programs. As the analysis budget increases, Supa achieves improved precision, with its single-stage flow-sensitive analysis reaching 97% of that achieved by whole-program flow-sensitive analysis by consuming about 0.19 seconds and 36KB of memory per query, on average (with a budget of at most 10000 value-flow edges per query).
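As an added illustration (not Supa's implementation and not code from the paper), the toy query engine below answers a points-to query on demand by walking a straight-line program backwards, applies a strong update when a store's pointer has exactly one target, and charges each step to a budget. The tuple encoding, the names `Query` and `may_be_uninit`, and the choice to report "may be uninitialized" when the budget runs out are assumptions made for this sketch.

```python
# Constructed sample program, one tuple per statement: (op, dst, src)
PROG = [("addr", "p", "a"),    # 0: p = &a
        ("addr", "q", "b"),    # 1: q = &b
        ("store", "p", "q"),   # 2: *p = q
        ("load", "r", "p")]    # 3: r = *p
UNINIT = "<uninit>"
class OutOfBudget(Exception): pass

class Query:
    def __init__(self, prog, budget, strong=True):
        self.prog, self.budget, self.strong = prog, budget, strong

    def _step(self):  # charge one traversed edge to the budget
        self.budget -= 1
        if self.budget < 0:
            raise OutOfBudget

    def pts(self, var, line):  # points-to set of top-level `var` before `line`
        for i in range(line - 1, -1, -1):
            op, dst, src = self.prog[i]
            if op == "store" or dst != var:
                continue  # a store defines no top-level variable
            self._step()
            if op == "addr":
                return {src}
            out = set()  # op == "load": dst = *src
            for obj in self.pts(src, i):
                out |= self.contents(obj, i)
            return out
        return {UNINIT}  # no definition reaches this point

    def contents(self, obj, line):  # values `obj` may hold before `line`
        out = set()
        for i in range(line - 1, -1, -1):
            op, dst, src = self.prog[i]
            if op != "store":
                continue
            self._step()
            targets = self.pts(dst, i)
            if obj in targets:
                out |= self.pts(src, i)
                if self.strong and targets == {obj}:
                    return out  # strong update kills older values
        return out | {UNINIT}  # reached entry: initial value undefined

def may_be_uninit(prog, var, line, budget, strong=True):
    try:
        return UNINIT in Query(prog, budget, strong).pts(var, line)
    except OutOfBudget:
        return True  # assumption: answer conservatively when out of budget
```

With weak updates only, `r` is reported as possibly uninitialized because the initial contents of `a` survive the store; the strong update at statement 2 removes that false alarm, provided the budget covers the five steps the query needs.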
- SUPA. http://www.cse.unsw.edu.au/~corg/supa.
- M. Acharya and B. Robinson. Practical change impact analysis based on static program slicing for industrial software systems. In ICSE ’11, pages 746–755, 2011.
- L. Andersen. Program analysis and specialization for the C programming language. PhD thesis, DIKU, University of Copenhagen, 1994.
- S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In PLDI ’14, pages 259–269, 2014.
- S. Blackshear, B.-Y. E. Chang, and M. Sridharan. Thresher: Precise refutations for heap reachability. In PLDI ’13, pages 275–286, 2013.
- J.-D. Choi, M. Burke, and P. Carini. Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects. In POPL ’93, pages 232–245, 1993.
- J.-D. Choi, R. Cytron, and J. Ferrante. Automatic construction of sparse data flow evaluation graphs. In POPL ’91, pages 55–66, 1991.
- F. Chow, S. Chan, S. Liu, R. Lo, and M. Streich. Effective representation of aliases and indirect memory operations in SSA form. In CC ’96, pages 253–267, 1996.
- M. Das. Unification-based pointer analysis with directional assignments. In PLDI ’00, pages 35–46, 2000.
- R. Emami, M. Ghiya and J. Hendren. Context-sensitive interprocedural points-to analysis in presence of function pointers. In PLDI ’94, pages 242–256, 1994.
- Y. Feng, X. Wang, I. Dillig, and C. Lin. EXPLORER: query- and demand-driven exploration of interprocedural control flow properties. In OOPSLA ’15, pages 520–534, 2015.
- S. J. Fink, E. Yahav, N. Dor, G. Ramalingam, and E. Geay. Effective typestate verification in the presence of aliasing. ACM TOSEM, 17(2):9, 2008.
- S. Z. Guyer and C. Lin. Client-driven pointer analysis. In SAS ’03, pages 1073–1073, 2003.
- B. Hardekopf and C. Lin. Semi-sparse flow-sensitive pointer analysis. In POPL ’09, pages 226–238, 2009.
- B. Hardekopf and C. Lin. Flow-Sensitive Pointer Analysis for Millions of Lines of Code. In CGO ’11, pages 289–298, 2011.
- N. Heintze and O. Tardieu. Demand-driven pointer analysis. In PLDI ’01, pages 24–34, 2001.
- M. Hind and A. Pioli. Assessing the effects of flow-sensitivity on pointer alias analyses. In SAS ’98, pages 57–81. 1998.
- J. B. Kam and J. D. Ullman. Monotone data flow analysis frameworks. Acta Informatica, 7(3):305–317, 1977.
- G. Kastrinis and Y. Smaragdakis. Hybrid context-sensitivity for points-to analysis. In PLDI ’13, pages 423–434, 2013.
- U. P. Khedker, A. Mycroft, and P. S. Rawat. Liveness-based pointer analysis. In SAS ’12, pages 265–282. 2012.
- W. Landi. Undecidability of static analysis. ACM Letters on Programming Languages and Systems (LOPLAS), 1(4):323–337, 1992.
- C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO ’04, pages 75–86, 2004.
- O. Lhoták and K.-C. A. Chung. Points-to analysis with efficient strong updates. In POPL ’11, pages 3–16, 2011.
- O. Lhoták and L. Hendren. Scaling Java points-to analysis using Spark. CC ’03, pages 153–169.
- L. Li, C. Cifuentes, and N. Keynes. Boosting the performance of flow-sensitive points-to analysis using value flow. In FSE ’11, pages 343–353, 2011.
- Y. Li, T. Tan, Y. Sui, and J. Xue. Self-inferencing reflection resolution for Java. In ECOOP ’14, pages 27–53.
- Y. Li, T. Tan, and J. Xue. Effective soundness-guided reflection analysis. In SAS ’15, pages 162–180.
- Y. Li, T. Tan, Y. Zhang, and J. Xue. Program Tailoring: Slicing by Sequential Criteria. In ECOOP ’16, pages 15:1–15:27, 2016.
- Y. Lu, L. Shang, X. Xie, and J. Xue. An incremental points-to analysis with CFL-reachability. In CC ’13, 2013.
- M. Méndez-Lojo, M. Burtscher, and K. Pingali. A GPU implementation of inclusion-based points-to analysis. In PPoPP ’12, pages 107–116, 2012.
- M. Méndez-Lojo, A. Mathew, and K. Pingali. Parallel inclusion-based points-to analysis. In OOPSLA ’10, pages 428–443, 2010.
- A. Milanova, A. Rountev, and B. G. Ryder. Parameterized object sensitivity for points-to and side-effect analyses for java. ISSTA ’02.
- A. Milanova, A. Rountev, and B. G. Ryder. Parameterized object sensitivity for points-to analysis for Java. ACM Trans. Softw. Eng. Methodol., 14(1):1–41, 2005.
- V. Nagaraj and R. Govindarajan. Parallel flow-sensitive pointer analysis by graph-rewriting. In PACT ’13, pages 19–28, 2013.
- H. Oh, K. Heo, W. Lee, W. Lee, and K. Yi. Design and implementation of sparse global analyses for C-like languages. In PLDI ’12, pages 229–238, 2012.
- D. Pearce, P. Kelly, and C. Hankin. Efficient field-sensitive pointer analysis of C. ACM TOPLAS, 30(1):4–es, 2007.
- S. Putta and R. Nasre. Parallel replication-based points-to analysis. In CC ’12, pages 61–80, 2012.
- G. Ramalingam. The undecidability of aliasing. ACM TOPLAS, 16(5):1467–1471, 1994.
- G. Ramalingam. On sparse evaluation representations. Theoretical Computer Science, 277(1):119–147, 2002.
- T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL ’95, pages 49–61, 1995.
- L. Shang, X. Xie, and J. Xue. On-demand dynamic summary-based points-to analysis. In CGO ’12, pages 264–274, 2012.
- Y. Smaragdakis, M. Bravenboer, and O. Lhoták. Pick your contexts well: understanding object-sensitivity. In POPL ’11, pages 17–30, 2011.
- J. Späth, L. N. Q. Do, K. Ali, and E. Bodden. Boomerang: Demand-driven flow-and context-sensitive pointer analysis for java. ECOOP, 2016.
- M. Sridharan and R. Bodík. Refinement-based context-sensitive points-to analysis for java. PLDI ’06, pages 387–400, 2006.
- M. Sridharan, D. Gopan, L. Shan, and R. Bodík. Demand-driven points-to analysis for java. In OOPSLA ’05, pages 59–76, 2005.
- Y. Su, D. Ye, and J. Xue. Accelerating inclusion-based pointer analysis on heterogeneous CPU-GPU systems. In HiPC ’13, pages 149–158, 2013.
- Y. Su, D. Ye, and J. Xue. Parallel pointer analysis with cfl-reachability. In ICPP ’14, pages 451–460, Sept 2014.
- Y. Sui, P. Di, and J. Xue. Sparse flow-sensitive pointer analysis for multithreaded programs. In CGO ’16, pages 160–170. ACM, 2016.
- Y. Sui and J. Xue. SVF: Interprocedural static value-flow analysis in LLVM. In CC ’16, pages 265–266, 2016.
- Y. Sui, D. Ye, and J. Xue. Static memory leak detection using full-sparse value-flow analysis. In ISSTA ’12, pages 254–264, 2012.
- Y. Sui, D. Ye, and J. Xue. Detecting memory leaks statically with full-sparse value-flow analysis. TSE ’14, 40(2):107–122, 2014.
- Y. Sui, S. Ye, J. Xue, and P. Yew. SPAS: Scalable path-sensitive pointer analysis on full-sparse SSA. In APLAS ’11, pages 155–171, 2011.
- Q. Sun, J. Zhao, and Y. Chen. Probabilistic points-to analysis for java. In CC ’11, pages 62–81, 2011.
- T. Tan, Y. Li, and J. Xue. Making k-object-sensitive pointer analysis more precise with still k-limiting. In SAS ’16. 2016.
- R. Wilson and M. Lam. Efficient context-sensitive pointer analysis for C programs. PLDI ’95, pages 1–12, 1995.
- X. Xiao and C. Zhang. Geometric encoding: forging the high performance context sensitive points-to analysis for Java. In ISSTA ’11, pages 188–198, 2011.
- D. Yan, G. Xu, and A. Rountev. Demand-driven context-sensitive alias analysis for Java. In ISSTA ’11, pages 155–165, 2011.
- D. Ye, Y. Sui, and J. Xue. Accelerating dynamic detection of uses of undefined variables with static value-flow analysis. In CGO ’14, 2014.
- S. Ye, Y. Sui, and J. Xue. Region-based selective flow-sensitive pointer analysis. In SAS ’14, pages 319–336. 2014.
- H. Yu, J. Xue, W. Huo, X. Feng, and Z. Zhang. Level by level: making flow-and context-sensitive pointer analysis scalable for millions of lines of code. In CGO ’10, pages 218–229, 2010.
- Q. Zhang, X. Xiao, C. Zhang, H. Yuan, and Z. Su. Efficient subcubic alias analysis for C. In PLDI ’14, pages 829–845, 2014.
- X. Zhang, R. Mangal, R. Grigore, M. Naik, and H. Yang. On abstraction refinement for program analyses in Datalog. In PLDI ’14, pages 239–248, 2014.
- J. Zhao, S. Nagarakatte, M. M. Martin, and S. Zdancewic. Formalizing the LLVM intermediate representation for verified program transformations. In POPL ’12, pages 427–440, 2012.
- X. Zheng and R. Rugina. Demand-driven alias analysis for C. In POPL ’08, pages 197–208, 2008.
Index Terms
- On-demand strong update analysis via value-flow refinement