Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.3785/j.issn.1008-973X.2015.06.005

2015-01-01

Abstract:A points-to analysis approach was proposed to generate partial call graphs of application part without analyzing the method bodies of libraries. A set of rules was bulit to model the interaction between application and libraries in order to infer the pointer information libraries. The approach was implemented based on the Soot program analysis framework. The performance, completeness and precision of generated call graphs were evaluated on 14 Java benchmarks. The experimental results showed that the proposed approach was faster than Averroes and Spark call graph construction approaches by a factor of 4.9 xand13. 7xrespectively. Meanwhile, the proposed approach can construct complete and precise partial call graphs.

Zhiyuan Wan,Bo Zhou,Ye Wang,Yuanhong Shen

2014-01-01

Abstract:Many static analysis tools provide whole-program analysis to generate call graphs. However, the whole-program analysis suffers from scalability issue. The increasing size of the libraries exacerbates the issue. For many Web applications, the libraries (e.g. Servlet containers) are even not available for whole-program analysis. We present HyPta, a points-to analysis approach, to construct partial call graphs for Java programs. HyPta extends the standard points-to analysis by establishing a hybrid heap model. Since our approach does not analyze the method bodies of the library classes, the heap model distinguishes between the abstract memory locations in the application and those in the library. HyPta infers the pointer information in the library from the interactions between the application and the library. We implement HyPta based on Spark framework and evaluate it on 14 widely cited Java benchmarks. The evaluation shows that HyPta is faster than Averroes and Spark by a factor of 4.9x and 13.7x, respectively. Meanwhile, it constructs sound and precise partial call graphs.

Tian Tan

2017-01-01

Abstract:Points-to analysis addresses a fundamental problem in program analysis: determining statically which objects a variable or reference can point to. As a fundamental technique, many real-world clients such as bug detection, security analysis, program understanding, compiler optimization and program verification, depend on the results of points-to analysis. A long-standing problem in points-to analysis is the balance between precision and efficiency. This thesis aims to improve both ends of the balance respectively. • For precision, object-sensitivity is usually considered as the most precise context-sensitivity for points-to analysis for object-oriented languages, such as Java. However, it suffers from the scalability problem when increasing the context length and thus it is hard to further improve its precision. We present Bean, a new object-sensitivity approach for points-to analysis. By identifying and eliminating the redundant context elements which contribute nothing to the precision, Bean is able to improve the precision of any kobject-sensitive analysis by still using a k-limiting context abstraction. • For efficiency, targeting the type-dependent clients such as call graph construction, devirtualization and may-fail casting, we present Mahjong, a new heap abstraction approach for points-to analysis. By merging equivalent automata representing type-consistent objects that are created by the

Zhang Yuping,Deng Zhaori,Zhang Xiaoning,Ma Yan

DOI: https://doi.org/10.2991/isci-15.2015.267

2015-01-01

Abstract:Aim at the potential that the time efficiency of the technology of Cycle elimination for invocation graph-based context-sensitive pointer analysis can be improved. Through using wave and deep propagation method, which is the state-of-the-art techniques of Inclusion Based Pointer Analysis on-line optimization Technology, to optimize the technology of cycle elimination for invocation graph-based context-sensitive pointer analysis, and then puts forward a context-sensitive wave and deep propagation algorithm. First, introduces the definition and initialization of new constraint graph; secondly, through an example to describe the context-sensitive wave and deep propagation, which can accurately and efficiently realize context-sensitive pointer analysis; finally, use the CIL tool for experiment, the experimental results show that these new algorithms save about 9s or 10s when the original technology and the new algorithm are all analyzing the same large scale program.

Haibo Yu,Qiang Sun,Kejun Xiao,Yuting Chen,Tsunenori Mine,Jianjun Zhao

DOI: https://doi.org/10.1109/QRS-C51114.2020.00026

2020-01-01

Abstract:Ahstract-Points-to analysis is a fundamental, but computationally intensive technique for static program analysis, optimization, debugging and verification. Context-Free Language (CFL) reachability has been proposed and widely used in demand-driven points-to analyses that aims for computing specific points-to relations on demand rather than all variables in the program. However, CFL-reachability-based points-to analysis still faces challenges when applied in practice especially for flow-sensitive points-to analysis, which aims at improving the precision of points-to analysis by taking account of the execution order of program statements. We propose a scalable approach named Parseeker to parallelize flow-sensitive demand-driven points-to analysis via CFL-reachability in order to improve the performance of points-to analysis with high precision. Our core insights are to (1) produce and process a set of fine-grained, parallelizable queries of points-to relations for the objective program, and (2) take a CFL-reachability-based points-to analysis to answer each query. The MapReduce is used to parallelize the queries and three optimization strategies are designed for further enhancing the efficiency.

Yulin Bao,Chenyi Zhang,Kaile Su

DOI: https://doi.org/10.1109/tr.2023.3236990

IF: 5.883

2024-01-01

IEEE Transactions on Reliability

Abstract:Pointer analysis or points-to analysis (PTA) is a static program analysis for variables in a program, which determines a set of heap objects that individual variables may refer to at run time. In the literature, various types of context-sensitive analyses have been applied to improve the precision of PTA. In this article, we propose a framework that unifies existing context-sensitive PTA methods, under which we further explore more efficient ways for points-to calculation. In particular, we propose a call-graph-based context generation algorithm that combines the object-sensitive PTA and parameter-sensitive PTA approaches, and we implement the algorithm in the Soot compiler framework. Our new algorithm generates contexts for methods in a more complete and effective way, and it has been shown to achieve better precision with fewer generated contexts and less execution time than some of the known state-of-the-art context-sensitive approaches for PTA when tested with a selection of benchmarks from the DaCapo suite.

LI Qian,TANG En-Yi,DAI Xue-Feng,WANG Lin-Zhang,ZHAO Jian-Hua

DOI: https://doi.org/10.3724/sp.j.1001.2011.04025

2011-01-01

Journal of Software

Abstract:Points-to analysis mainly aims to attain the runtime points-to sets of program variables.This paper describes the design and implementation of an efficient Andersen-style,context-sensitive points-to analysis for Java code.The implementation supports language features such as inheritance,polymorphism,and field objects.The study tracks the fields of individual objects separately and makes the algorithm in field-sensitive style for aggregate objects.To improve the efficiency and scalability of the algorithm,this study employs two kinds of optimizations,nodes topology construction with concomitance on-line cycle detection and cycle elimination.Experiment results show that this algorithm can be used to compute precise points-to sets for large-scale Java programs.

Tian Tan,Yue Li,Xiaoxing Ma,Chang Xu,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3485524

2021-01-01

Proceedings of the ACM on Programming Languages

Abstract:Traditional context-sensitive pointer analysis is hard to scale for large and complex Java programs. To address this issue, a series of selective context-sensitivity approaches have been proposed and exhibit promising results. In this work, we move one step further towards producing highly-precise pointer analyses for hard-to-analyze Java programs by presenting the Unity-Relay framework, which takes selective context sensitivity to the next level. Briefly, Unity-Relay is a one-two punch: given a set of different selective context-sensitivity approaches, say S = S1, . . . , Sn, Unity-Relay first provides a mechanism (called Unity)to combine and maximize the precision of all components of S. When Unity fails to scale, Unity-Relay offers a scheme (called Relay) to pass and accumulate the precision from one approach Si in S to the next, Si+1, leading to an analysis that is more precise than all approaches in S. As a proof-of-concept, we instantiate Unity-Relay into a tool called Baton and extensively evaluate it on a set of hard-to-analyze Java programs, using general precision metrics and popular clients. Compared with the state of the art, Baton achieves the best precision for all metrics and clients for all evaluated programs. The difference in precision is often dramatic — up to 71% of alias pairs reported by previously-best algorithms are found to be spurious and eliminated.

Qiang Sun,Yuting Chen,Jianjun Zhao

DOI: https://doi.org/10.1007/s11704-013-3106-2

2014-01-01

Abstract:Points-to analysis is a static code analysis technique that establishes the relationships between variables of references and allocated objects. A number of points-to analysis algorithms have been proposed for procedural and object-oriented languages like C and Java, while few of them can be used for AspectJ as we know so far. One main reason is that AspectJ is an aspect-oriented language which implements the separation of crosscutting concerns by advices, pointcuts, and inter-type declarations, while a points-to analysis of AspectJ programs may be imprecise because any aspect woven into the base code may change the points-to relations in the program and thus a conservative analysis has to be taken in order to handle the aspects. In this paper, we propose a context-sensitive points-to analysis technique called AJPoints for AspectJ. Similar to the weaving mechanism for AspectJ, AJPoints obtains the constraints and templates on the points-to relations for the base code and the aspects, respectively, but weaves and solves them in an iterative manner in order to cross the boundary between the base code and the aspects. We have implemented AJPoints on abc AspectJ compiler and evaluated it by using twelve AspectJ benchmark programs. The experimental results show that our technique can achieve a high precision about points-to relations in AspectJ programs.

Aditya Anand,Manas Thakur

DOI: https://doi.org/10.1007/s10703-024-00458-x

2024-06-15

Formal Methods in System Design

Abstract:In spite of decades of static-analysis research behind developing precise whole-program dataflow analyses, languages that use just-in-time (JIT) compilers suffer from the imprecision of resource-bound analyses local to the scope of compilation. Recent promising approaches bridge this gap by splitting the analysis into two phases: a static phase that identifies interprocedural dependencies across program elements, and a dynamic phase that resolves those dependencies to generate final analysis results. Though this approach is capable of generating precise analysis results without incurring analysis cost in JIT compilers, such "staged analyses" lack a theoretical backing. In particular, it is unclear if one could transform a general whole-program analysis (that resolves dependencies across all program elements) to a staged one that involves evaluation of statically generated partial results later. Similarly, it would be interesting if one could generate "partial-result evaluators" in a way that can also be used to argue about their correctness. In this paper, we propose a novel model of partial analysis that addresses all these points for staged (static + dynamic) compilation systems, based on the classic theory of partial evaluation. We begin by highlighting how partial evaluation and Futamura projections are used to generate specialized program interpreters. We then describe partial analysis as the process of evaluating dependencies across program elements with respect to the statically available parts of a program, resulting into partial results . Next, we devise a strategy (by deriving a novel notion of AM projections from Futamura projections) to statically generate specialized evaluators that can process partial results using dynamic dependencies, during JIT compilation. Later, we use our proposed model to straightforwardly establish the correctness and precision properties of the idea of staging, independent of the analysis under consideration. We finally extend our model to soundly handle callbacks made from Java libraries to applications. We demonstrate the applicability of our model by showcasing examples from non-trivial Java program analyses, implementing the pipeline for one of them, and also discussing future possibilities to extend the same. We believe that our contributions in formulating this theory of partial analysis will significantly extend the usage of existing partial analyzers, as well as promote the design of new ones, for and even beyond Java.

computer science, theory & methods

Bozhen Liu,Jeff Huang,Lawrence Rauchwerger

DOI: https://doi.org/10.1145/3293606

IF: 1.714

2019-03-31

ACM Transactions on Programming Languages and Systems

Abstract:Pointer analysis is at the heart of most interprocedural program analyses. However, scaling pointer analysis to large programs is extremely challenging. In this article, we study incremental pointer analysis and present a new algorithm for computing the points-to information incrementally (i.e., upon code insertion, deletion, and modification). Underpinned by new observations of incremental pointer analysis, our algorithm significantly advances the state of the art in that it avoids redundant computations and the expensive graph reachability analysis, and preserves precision as the corresponding whole program exhaustive analysis. Moreover, it is parallel within each iteration of fixed-point computation. We have implemented our algorithm, IPA, for Java based on the WALA framework and evaluated its performance extensively on real-world large, complex applications. Experimental results show that IPA achieves more than 200X speedups over existing incremental algorithms, two to five orders of magnitude faster than whole program pointer analysis, and also improves the performance of an incremental data race detector by orders of magnitude. Our IPA implementation is open source and has been adopted by WALA.

computer science, software engineering

Li Qian,Zhao Jianhua,Li Xuandong

DOI: https://doi.org/10.1007/978-3-642-16558-0_46

2010-01-01

Abstract:This paper presents an efficient context-sensitive, field-based Andersen-style points-to analysis algorithm for Java programs. This algorithm first summarizes methods of the program under analysis using directed graphs. Then it performs local circle elimination on these summary graphs to reduce their sizes. The main analysis algorithm uses these graphs to construct the main points-to graph. Topological sort and cycle-elimination is performed on the nodes of both main points-to graphs and summary graphs to speed up the transitive closure computation on the main points-to graph. A suite of Java program benchmarks are used to demonstrate the efficiency of our algorithm.

Tian Tan,Yue Li,Jingling Xue

DOI: https://doi.org/10.1145/3062341.3062360

2017-01-01

ACM SIGPLAN Notices

Abstract:Mainstream points-to analysis techniques for object-oriented languages rely predominantly on the allocation-site abstraction to model heap objects. We present MAHJONG, a novel heap abstraction that is specifically developed to address the needs of an important class of type-dependent clients, such as call graph construction, devirtualization and may-fail casting. By merging equivalent automata representing type-consistent objects that are created by the allocation-site abstraction, MAHJONG enables an allocation-site-based points-to analysis to run significantly faster while achieving nearly the same precision for type-dependent clients. MAHJONG is simple conceptually, efficient, and drops easily on any allocation-site-based points-to analysis. We demonstrate its effectiveness by discussing some insights on why it is a better alternative of the allocation-site abstraction for type-dependent clients and evaluating it extensively on 12 large real-world Java programs with five context-sensitive points-to analyses and three widely used type-dependent clients. MAHJONG is expected to provide significant benefits for many program analyses where call graphs are required.

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Jyoti Prakash,Abhishek Tiwari,Christian Hammer

DOI: https://doi.org/10.48550/arXiv.1912.00429

2019-12-01

Abstract:Pointer analysis is a foundational analysis leveraged by various static analyses. Therefore, it gathered wide attention in research for decades. Some pointer analysis frameworks are based on succinct declarative specifications. However, these tools are heterogeneous in terms of the underlying intermediate representation (IR), heap abstraction, and programming methodology. This situation complicates a fair comparison of these frameworks and thus hinders further research. Consequently, the literature lacks an evaluation of the strengths and weaknesses of these tools. In this work, we evaluate two major frameworks for pointer analysis, WALA and Doop, on the DaCapo set of benchmarks. We compare the pointer analyses available in Wala and Doop, and conclude that---even though based on a declarative specification---Doop provides a better pointer analysis than Wala in terms of precision and scalability. We also compare the two IRs used in Doop, i.e., Jimple from the Soot framework and IR from the Wala framework. Our evaluation shows that in the majority of the benchmarks Soot's IR gives a more precise and scalable pointer analysis. Finally, we propose a micro-benchmark \emph{PointerBench}, for which we manually validate the points-to statistics to evaluate the results of these tools.

Software Engineering,Programming Languages

Sun Hyoung Kim,Cong Sun,Dongrui Zeng,Gang Tan

DOI: https://doi.org/10.14722/ndss.2021.24386

2021-01-01

Abstract:Enforcing fine-grained Control-Flow Integrity (CFI) is critical for increasing software security. However, for commercial off-the-shelf (COTS) binaries, constructing highprecision Control-Flow Graphs (CFGs) is challenging, because there is no source-level information, such as symbols and types, to assist in indirect-branch target inference. The lack of sourcelevel information brings extra challenges to inferring targets for indirect calls compared to other kinds of indirect branches. Points-to analysis could be a promising solution for this problem, but there is no practical points-to analysis framework for inferring indirect call targets at the binary level. Value set analysis (VSA) is the state-of-the-art binary-level points-to analysis but does not scale to large programs. It is also highly conservative by design and thus leads to low-precision CFG construction. In this paper, we present a binary-level points-to analysis framework called BPA to construct sound and high-precision CFGs. It is a new way of performing points-to analysis at the binary level with the focus on resolving indirect call targets. BPA employs several major techniques, including assuming a block memory model and a memory access analysis for partitioning memory into blocks, to achieve a better balance between scalability and precision. In evaluation, we demonstrate that BPA achieves a 34.5% precision improvement rate over the current state-of-theart technique without introducing false negatives.

Qiang Sun,Jianjun Zhao,Yuting Chen

DOI: https://doi.org/10.1007/978-3-642-19861-8_5

2011-01-01

Abstract:Probabilistic points-to analysis is an analysis technique for defining the probabilities on the points-to relations in programs. It provides the compiler with some optimization chances such as speculative dead store elimination, speculative redundancy elimination, and speculative code scheduling. Although several static probabilistic points-to analysis techniques have been developed for C language, they cannot be applied directly to Java because they do not handle the classes, objects, inheritances and invocations of virtual methods. In this paper, we propose a context-insensitive and flow-sensitive probabilistic points-to analysis for Java (JPPA) for statically predicting the probability of points-to relations at all program points (i.e., points before or after statements) of a Java program. JPPA first constructs an interprocedural control flow graph (ICFG) for a Java program, whose edges are labeled with the probabilities calculated by an algorithm based on a static branch prediction approach, and then calculates the probabilistic points-to relations of the program based upon the ICFG.We have also developed a tool called Lukewarm to support JPPA and conducted an experiment to compare JPPA with a traditional context-insensitive and flow-sensitive points-to analysis approach. The experimental results show that JPPA is a precise and effective probabilistic points-to analysis technique for Java.

Jakub Kuderski,Jorge A. Navas,Arie Gurfinkel

DOI: https://doi.org/10.48550/arXiv.1906.01706

2019-08-16

Abstract:Pointer analysis is indispensable for effectively verifying heap-manipulating programs. Even though it has been studied extensively, there are no publicly available pointer analyses that are moderately precise while scalable to large real-world programs. In this paper, we show that existing context-sensitive unification-based pointer analyses suffer from the problem of oversharing -- propagating too many abstract objects across the analysis of different procedures, which prevents them from scaling to large programs. We present a new pointer analysis for LLVM, called TeaDsa, without such an oversharing. We show how to further improve precision and speed of TeaDsa with extra contextual information, such as flow-sensitivity at call- and return-sites, and type information about memory accesses. We evaluate TeaDsa on the verification problem of detecting unsafe memory accesses and compare it against two state-of-the-art pointer analyses: SVF and SeaDsa. We show that TeaDsa is one order of magnitude faster than either SVF or SeaDsa, strictly more precise than SeaDsa, and, surprisingly, sometimes more precise than SVF.

Programming Languages

Chenyu Zhou,Yuzhou Fang,Jingbo Wang,Chao Wang

2024-12-14

Abstract:We propose a method for conducting algebraic program analysis (APA) incrementally in response to changes of the program under analysis. APA is a program analysis paradigm that consists of two distinct steps: computing a path expression that succinctly summarizes the set of program paths of interest, and interpreting the path expression using a properly-defined semantic algebra to obtain program properties of interest. In this context, the goal of an incremental algorithm is to reduce the analysis time by leveraging the intermediate results computed before the program changes. We have made two main contributions. First, we propose a data structure for efficiently representing path expression as a tree together with a tree-based interpreting method. Second, we propose techniques for efficiently updating the program properties in response to changes of the path expression. We have implemented our method and evaluated it on thirteen Java applications from the DaCapo benchmark suite. The experimental results show that both our method for incrementally computing path expression and our method for incrementally interpreting path expression are effective in speeding up the analysis. Compared to the baseline APA and two state-of-the-art APA methods, the speedup of our method ranges from 160X to 4761X depending on the types of program analyses performed.

Programming Languages,Software Engineering

Huang Bo,Zang Binyu,Li Jing,Zhu Chuanqi

DOI: https://doi.org/10.1007/bf02943202

2001-01-01

Abstract:Pointer analysis is a technique to identify at compile-time the potential values of the pointer expressions in a program, which promises significant benefits for optimizing and parallelizing compilers. In this paper, a new approach to pointer analysis for assignments is presented. In this approach, assignments are classified into three categories: pointer assignments, structure (union) assignments and normal assignments which don’t affect the point-to information. Pointer analyses for these three kinds of assignments respectively make up the integrated algorithm. When analyzing a pointer assignment, a new method called expression expansion is used to calculate both the left targets and the right targets. The integration of recursive data structure analysis into pointer analysis is a significant originality of this paper, which uniforms the pointer analysis for heap variables and the pointer analysis for stack variables. This algorithm is implemented in Agassiz, an analyzing tool for C programs developed by Institute of Parallel Processing, Fudan University Its accuracy and effectiveness are illustrated by experimental data.