Jingbo Lu,Jingling Xue

DOI: https://doi.org/10.1145/3360574

2019-10-10

Proceedings of the ACM on Programming Languages

Abstract:Object-sensitivity is widely used as a context abstraction for computing the points-to information context-sensitively for object-oriented languages like Java. Due to the combinatorial explosion of contexts in large programs, k -object-sensitive pointer analysis (under k -limiting), denoted k -obj, is scalable only for small values of k , where k ⩽2 typically. A few recent solutions attempt to improve its efficiency by instructing k -obj to analyze only some methods in the program context-sensitively, determined heuristically by a pre-analysis. While already effective, these heuristics-based pre-analyses do not provide precision guarantees, and consequently, are limited in the efficiency gains achieved. We introduce a radically different approach, Eagle, that makes k -obj run significantly faster than the prior art while maintaining its precision. The novelty of Eagle is to enable k -obj to analyze a method with partial context-sensitivity, i.e., context-sensitively for only some of its selected variables/allocation sites. Eagle makes these selections during a lightweight pre-analysis by reasoning about context-free-language (CFL) reachability at the level of variables/objects in the program, based on a new CFL-reachability formulation of k -obj. We demonstrate the advances made by Eagle by comparing it with the prior art in terms of a set of popular Java benchmarks and applications.

Tian Tan

2017-01-01

Abstract:Points-to analysis addresses a fundamental problem in program analysis: determining statically which objects a variable or reference can point to. As a fundamental technique, many real-world clients such as bug detection, security analysis, program understanding, compiler optimization and program verification, depend on the results of points-to analysis. A long-standing problem in points-to analysis is the balance between precision and efficiency. This thesis aims to improve both ends of the balance respectively. • For precision, object-sensitivity is usually considered as the most precise context-sensitivity for points-to analysis for object-oriented languages, such as Java. However, it suffers from the scalability problem when increasing the context length and thus it is hard to further improve its precision. We present Bean, a new object-sensitivity approach for points-to analysis. By identifying and eliminating the redundant context elements which contribute nothing to the precision, Bean is able to improve the precision of any kobject-sensitive analysis by still using a k-limiting context abstraction. • For efficiency, targeting the type-dependent clients such as call graph construction, devirtualization and may-fail casting, we present Mahjong, a new heap abstraction approach for points-to analysis. By merging equivalent automata representing type-consistent objects that are created by the

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3381915

IF: 1.714

2020-01-01

ACM Transactions on Programming Languages and Systems

Abstract:Context sensitivity is an essential technique for ensuring high precision in static analyses. It has been observed that applying context sensitivity partially, only on a select subset of the methods, can improve the balance between analysis precision and speed. However, existing techniques are based on heuristics that do not provide much insight into what characterizes this method subset. In this work, we present a more principled approach for identifying precision-critical methods, based on general patterns of value flows that explain where most of the imprecision arises in context-insensitive pointer analysis. Using this theoretical foundation, we present an efficient algorithm, ZIPPER, to recognize these flow patterns in a given program and employ context sensitivity accordingly. We also present a variant, ZIPPERe, that additionally takes into account which methods are disproportionally costly to analyze with context sensitivity. Our experimental results on standard benchmark and real-world Java programs show that ZIPPER preserves effectively all of the precision (98.8%) of a highly precise conventional context-sensitive pointer analysis (2-object-sensitive with a context-sensitive heap, 2obj for short), with a substantial speedup (on average, 3.4× and up to 9.4×), and that ZIPPERe preserves 94.7% of the precision of 2obj, with an order-of-magnitude speedup (on average, 25.5× and up to 88×). In addition, for 10 programs that cannot be analyzed by 2obj within a three-hour time limit, on average ZIPPERe can guide 2obj to finish analyzing them in less than 11 minutes with high precision compared to context-insensitive and introspective context-sensitive analyses.

Tian Tan,Yue Li,Xiaoxing Ma,Chang Xu,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3485524

2021-01-01

Proceedings of the ACM on Programming Languages

Abstract:Traditional context-sensitive pointer analysis is hard to scale for large and complex Java programs. To address this issue, a series of selective context-sensitivity approaches have been proposed and exhibit promising results. In this work, we move one step further towards producing highly-precise pointer analyses for hard-to-analyze Java programs by presenting the Unity-Relay framework, which takes selective context sensitivity to the next level. Briefly, Unity-Relay is a one-two punch: given a set of different selective context-sensitivity approaches, say S = S1, . . . , Sn, Unity-Relay first provides a mechanism (called Unity)to combine and maximize the precision of all components of S. When Unity fails to scale, Unity-Relay offers a scheme (called Relay) to pass and accumulate the precision from one approach Si in S to the next, Si+1, leading to an analysis that is more precise than all approaches in S. As a proof-of-concept, we instantiate Unity-Relay into a tool called Baton and extensively evaluate it on a set of hard-to-analyze Java programs, using general precision metrics and popular clients. Compared with the state of the art, Baton achieves the best precision for all metrics and clients for all evaluated programs. The difference in precision is often dramatic — up to 71% of alias pairs reported by previously-best algorithms are found to be spurious and eliminated.

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3276511

2018-01-01

Proceedings of the ACM on Programming Languages

Abstract:Context sensitivity is an essential technique for ensuring high precision in Java pointer analyses. It has been observed that applying context sensitivity partially, only on a select subset of the methods, can improve the balance between analysis precision and speed. However, existing techniques are based on heuristics that do not provide much insight into what characterizes this method subset. In this work, we present a more principled approach for identifying precision-critical methods, based on general patterns of value flows that explain where most of the imprecision arises in context-insensitive pointer analysis. Accordingly, we provide an efficient algorithm to recognize these flow patterns in a given program and exploit them to yield good tradeoffs between analysis precision and speed. Our experimental results on standard benchmark and real-world programs show that a pointer analysis that applies context sensitivity partially, only on the identified precision-critical methods, preserves effectively all (98.8%) of the precision of a highly-precise conventional context-sensitive pointer analysis (2-object-sensitive with a context-sensitive heap), with a substantial speedup (on average 3.4X, and up to 9.2X).

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.3785/j.issn.1008-973X.2015.06.005

2015-01-01

Abstract:A points-to analysis approach was proposed to generate partial call graphs of application part without analyzing the method bodies of libraries. A set of rules was bulit to model the interaction between application and libraries in order to infer the pointer information libraries. The approach was implemented based on the Soot program analysis framework. The performance, completeness and precision of generated call graphs were evaluated on 14 Java benchmarks. The experimental results showed that the proposed approach was faster than Averroes and Spark call graph construction approaches by a factor of 4.9 xand13. 7xrespectively. Meanwhile, the proposed approach can construct complete and precise partial call graphs.

Bozhen Liu,Jeff Huang

DOI: https://doi.org/10.1145/3527332

2022-12-08

Proceedings of the ACM on Programming Languages

Abstract:We present SHARP, an incremental context-sensitive pointer analysis algorithm that scales to real-world large complex Java programs and can also be efficiently parallelized. To our knowledge, SHARP is the first algorithm to tackle context-sensitivity in the state-of-the-art incremental pointer analysis (with regards to code modifications including both statement additions and deletions), which applies to both k-CFA and k-obj. To achieve it, SHARP tackles several technical challenges: soundness, redundant computations, and parallelism to improve scalability without losing precision. We conduct an extensive empirical evaluation of SHARP on large and popular Java projects and their code commits, showing impressive performance improvement: our incremental algorithm only requires on average 31 seconds to handle a real-world code commit for k-CFA and k-obj, which has comparable performance to the state-of-the-art incremental context-insensitive pointer analysis. Our parallelization further improves the performance and enables SHARP to finish within 18 seconds per code commit on average on an eight-core machine.

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3236024.3236041

2018-01-01

Abstract:Context-sensitivity is important in pointer analysis to ensure high precision, but existing techniques suffer from unpredictable scalability. Many variants of context-sensitivity exist, and it is difficult to choose one that leads to reasonable analysis time and obtains high precision, without running the analysis multiple times. We present the Scaler framework that addresses this problem. Scaler efficiently estimates the amount of points-to information that would be needed to analyze each method with different variants of context-sensitivity. It then selects an appropriate variant for each method so that the total amount of points-to information is bounded, while utilizing the available space to maximize precision. Our experimental results demonstrate that Scaler achieves predictable scalability for all the evaluated programs (e.g., speedups can reach 10x for 2-object-sensitivity), while providing a precision that matches or even exceeds that of the best alternative techniques.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Jakub Kuderski,Jorge A. Navas,Arie Gurfinkel

DOI: https://doi.org/10.48550/arXiv.1906.01706

2019-08-16

Abstract:Pointer analysis is indispensable for effectively verifying heap-manipulating programs. Even though it has been studied extensively, there are no publicly available pointer analyses that are moderately precise while scalable to large real-world programs. In this paper, we show that existing context-sensitive unification-based pointer analyses suffer from the problem of oversharing -- propagating too many abstract objects across the analysis of different procedures, which prevents them from scaling to large programs. We present a new pointer analysis for LLVM, called TeaDsa, without such an oversharing. We show how to further improve precision and speed of TeaDsa with extra contextual information, such as flow-sensitivity at call- and return-sites, and type information about memory accesses. We evaluate TeaDsa on the verification problem of detecting unsafe memory accesses and compare it against two state-of-the-art pointer analyses: SVF and SeaDsa. We show that TeaDsa is one order of magnitude faster than either SVF or SeaDsa, strictly more precise than SeaDsa, and, surprisingly, sometimes more precise than SVF.

Programming Languages

Jyoti Prakash,Abhishek Tiwari,Christian Hammer

DOI: https://doi.org/10.48550/arXiv.1912.00429

2019-12-01

Abstract:Pointer analysis is a foundational analysis leveraged by various static analyses. Therefore, it gathered wide attention in research for decades. Some pointer analysis frameworks are based on succinct declarative specifications. However, these tools are heterogeneous in terms of the underlying intermediate representation (IR), heap abstraction, and programming methodology. This situation complicates a fair comparison of these frameworks and thus hinders further research. Consequently, the literature lacks an evaluation of the strengths and weaknesses of these tools. In this work, we evaluate two major frameworks for pointer analysis, WALA and Doop, on the DaCapo set of benchmarks. We compare the pointer analyses available in Wala and Doop, and conclude that---even though based on a declarative specification---Doop provides a better pointer analysis than Wala in terms of precision and scalability. We also compare the two IRs used in Doop, i.e., Jimple from the Soot framework and IR from the Wala framework. Our evaluation shows that in the majority of the benchmarks Soot's IR gives a more precise and scalable pointer analysis. Finally, we propose a micro-benchmark \emph{PointerBench}, for which we manually validate the points-to statistics to evaluate the results of these tools.

Software Engineering,Programming Languages

Tian Tan,Yue Li,Jingling Xue

DOI: https://doi.org/10.1145/3062341.3062360

2017-01-01

ACM SIGPLAN Notices

Abstract:Mainstream points-to analysis techniques for object-oriented languages rely predominantly on the allocation-site abstraction to model heap objects. We present MAHJONG, a novel heap abstraction that is specifically developed to address the needs of an important class of type-dependent clients, such as call graph construction, devirtualization and may-fail casting. By merging equivalent automata representing type-consistent objects that are created by the allocation-site abstraction, MAHJONG enables an allocation-site-based points-to analysis to run significantly faster while achieving nearly the same precision for type-dependent clients. MAHJONG is simple conceptually, efficient, and drops easily on any allocation-site-based points-to analysis. We demonstrate its effectiveness by discussing some insights on why it is a better alternative of the allocation-site abstraction for type-dependent clients and evaluating it extensively on 12 large real-world Java programs with five context-sensitive points-to analyses and three widely used type-dependent clients. MAHJONG is expected to provide significant benefits for many program analyses where call graphs are required.

Wenjie Ma,Shengyuan Yang,Tian Tan,Xiaoxing Ma,Chang Xu,Yue Li

2023-04-24

Abstract:Over the past decades, context sensitivity has been considered as one of the most effective ideas for improving the precision of pointer analysis for Java. However, despite great precision benefits, as each method is equivalently cloned and analyzed under each context, context sensitivity brings heavy efficiency costs. In this work, we present a fundamentally different approach called Cut-Shortcut for fast and precise pointer analysis for Java. Its insight is simple: the main effect of cloning methods under different contexts is to filter spurious object flows that have been merged inside a callee method; from the view of a typical pointer flow graph (PFG), such effect can be simulated by cutting off (Cut) the edges that introduce precision loss to certain pointers and adding Shortcut edges directly from source pointers to the target ones circumventing the method on PFG. As a result, we can achieve the effect of context sensitivity without contexts. We identify three general program patterns and develop algorithms based on them to safely cut off and add shortcut edges on PFG, formalize them and formally prove the soundness. To comprehensively validate Cut-Shortcut's effectiveness, we implement two versions of Cut-Shortcut for two state-of-the-art pointer analysis frameworks for Java, one in Datalog for the declarative Doop and the other in Java for the imperative Tai-e, and we consider all the large and complex programs used in recent literatures that meet the experimental requirements. The evaluation results are extremely promising: Cut-Shortcut is even able to run faster than context insensitivity for most evaluated programs while obtaining high precision that is comparable to context sensitivity (if scalable) in both frameworks. This is for the first time that we have been able to achieve such a good efficiency and precision trade-off for those hard-to-analyze programs.

Programming Languages

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Ju Qian,Lin Chen,Baowen Xu,Xiaofang Zhang

DOI: https://doi.org/10.1016/j.infsof.2010.11.004

IF: 3.9

2011-01-01

Information and Software Technology

Abstract:Context: Different method calls may have different contributions to the precision of the final application when abstracted into the call strings. The existing call string based pointer analysis algorithms do not consider such contribution difference and hence may not achieve best cost-effectiveness. Objective: To be more cost-effective, we try to leverage the contribution information of each method call in call string based pointer analysis. Method: The paper firstly proposes a contribution-based call stack abstraction method which abstracts the call stacks into call strings with the contribution information under consideration. Then, we apply the new call stack abstraction method to the pointer analysis of AspectJ programs and propose a concern-sensitive points-to analysis method. Besides, the new abstraction method is also applied to multi-threaded Java programs and results in a thread-sensitive pointer analysis method. Results: The experimental results show that the two pointer analysis methods with contribution-based call stack abstraction can be more cost-effective than the ordinary call string based approaches for an application that detects harmful advices and an application that detects inter-thread data flow. Conclusion: These pointer analysis methods more concretely and more clearly show that the contribution-based call stack abstraction can lead to better cost-effectiveness for the given applications.

Ju Qian,Zifeng Cui,Baowen Xu,Xiaofang Zhang

DOI: https://doi.org/10.1109/apsec.2009.28

2009-01-01

Abstract:Different method calls may have different contributions to the precision of the final application when abstracted into the call strings. The existing call string based pointer analysis algorithms do not consider such contribution difference and hence often can not achieve best cost-effectiveness. To solve the problem, this paper firstly proposes a contribution-based call stack abstraction method which abstracts the call stacks to the call strings with the contribution information under consideration. Then, we apply the new call stack abstraction method to the pointer analysis of AspectJ programs and propose a concern-sensitive points-to analysis method. The concern-sensitive points-to analysis is more cost-effective than the ordinary call string based approaches for an application that detects harmful advices. It more concretely and more clearly shows that the contribution-based call stack abstraction can lead to better cost-effectiveness for the given applications.

Shashin Halalingaiah,Vijay Sundaresan,Daryl Maier,V. Krishna Nandivada

DOI: https://doi.org/10.1145/3689803

2024-09-03

Abstract:Data-flow analyses like points-to analysis can vastly improve the precision of other analyses, and help perform powerful code optimizations. However, whole-program points-to analysis of large programs tend to be expensive - both in terms of time and memory. Consequently, many compilers (both static and JIT) and program-analysis tools tend to employ faster - but more conservative - points-to analysis to improve usability. As an alternative to such trading of precision for performance, various techniques have been proposed to perform precise yet expensive fixed-point points-to analyses ahead of time in a static analyzer, store the results, and then transmit them to independent compilation/program-analysis stages that may need them. However, an underlying concern of safety affects all such techniques - can a compiler (or program analysis tool) trust the points-to analysis results generated by another compiler/tool? In this work, we address this issue of trust, while keeping the issues of performance efficiency in mind. We propose ART: Analysis-results Representation Template - a novel scheme to efficiently and concisely encode results of flow-sensitive, context-insensitive points-to analysis computed by a static analyzer for use in any independent system that may benefit from such a highly precise points-to analysis. Our scheme has two components: (i) a producer that can statically perform expensive points-to analysis and encode the same concisely. (ii) a consumer that, on receiving such encoded results, can regenerate the points-to analysis results encoded by the artwork if it is deemed safe. We demonstrate the usage of ART by implementing a producer (in Soot) and two consumers (in Soot and the Eclipse OpenJ9 JIT compiler). We evaluate our implementation over various benchmarks from the DaCapo and SPECjvm2008 suites.

Programming Languages

LI Qian,TANG En-Yi,DAI Xue-Feng,WANG Lin-Zhang,ZHAO Jian-Hua

DOI: https://doi.org/10.3724/sp.j.1001.2011.04025

2011-01-01

Journal of Software

Abstract:Points-to analysis mainly aims to attain the runtime points-to sets of program variables.This paper describes the design and implementation of an efficient Andersen-style,context-sensitive points-to analysis for Java code.The implementation supports language features such as inheritance,polymorphism,and field objects.The study tracks the fields of individual objects separately and makes the algorithm in field-sensitive style for aggregate objects.To improve the efficiency and scalability of the algorithm,this study employs two kinds of optimizations,nodes topology construction with concomitance on-line cycle detection and cycle elimination.Experiment results show that this algorithm can be used to compute precise points-to sets for large-scale Java programs.

Xun An

DOI: https://doi.org/10.48550/arXiv.2310.16559

2023-11-07

Abstract:An important dimension of pointer analysis is field-Sensitive, which has been proven to effectively enhance the accuracy of pointer analysis results. A crucial area of research within field-Sensitive is Structure-Sensitive. Structure-Sensitive has been shown to further enhance the precision of pointer analysis. However, existing structure-sensitive methods cannot handle cases where an object possesses multiple structures, even though it's common for an object to have multiple structures throughout its lifecycle. This paper introduces MTO-SS, a flow-sensitive pointer analysis method for objects with multiple structures. Our observation is that it's common for an object to possess multiple structures throughout its lifecycle. The novelty of MTO-SS lies in: MTO-SS introduces Structure-Flow-Sensitive. An object has different structure information at different locations in the program. To ensure the completeness of an object's structure information, MTO-SS always performs weak updates on the object's type. This means that once an object possesses a structure, this structure will accompany the object throughout its lifecycle. We evaluated our method of multi-structured object pointer analysis using the 12 largest programs in GNU Coreutils and compared the experimental results with sparse flow-sensitive method and another method, TYPECLONE, which only allows an object to have one structure information. Our experimental results confirm that MTO-SS is more precise than both sparse flow-sensitive pointer analysis and TYPECLONE, being able to answer, on average, over 22\% more alias queries with a no-alias result compared to the former, and over 3\% more compared to the latter. Additionally, the time overhead introduced by our method is very low.

Programming Languages

Tianwei Sheng,Wenguang Chen,Weimin Zheng

2009-01-01

Abstract:The precision of the pointer analysis plays an important role in compiler and other software understanding tools. Context- sensitivity is proven to be an effective methods to improve the precision of the final results of pointer analysis. Many context-sensitive pointer analysis methods have been pro- posed, however, few of them have been incorporated into pro- duction compilers. In Open64 compiler, it still uses a flow- insensitive, context-insensitive, and field-insensitive pointer analysis. In this paper, we design and implement a cloning-based inter-procedural context-sensitive pointer analysis in Open64 compiler. We expect that the new pointer analysis phase will improve the performance and give a good infrastructure for any program analysis tool based on Open64 compiler.