Abstract
Many static analyses do not scale as they are made more precise. For example, increasing the amount of context sensitivity in a k-limited pointer analysis causes the number of contexts to grow exponentially with k. Iterative refinement techniques can mitigate this growth by starting with a coarse abstraction and only refining parts of the abstraction that are deemed relevant with respect to a given client.
In this paper, we introduce a new technique called pruning that uses client feedback in a different way. The basic idea is to use coarse abstractions to prune away parts of the program analysis deemed irrelevant for proving a client query, and then to use finer abstractions on the sliced program analysis. For a k-limited pointer analysis, this approach amounts to adaptively refining and pruning a set of prefix patterns representing the contexts relevant for the client. By pruning, we are able to scale up to much more expensive abstractions than before. We also prove that the pruned analysis is both sound and complete, that is, it yields the same results as an analysis that uses a more expensive abstraction directly without pruning.
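The prune-then-refine loop described above, as an added illustration that is not code from the paper: a toy taint-style client is modelled as reachability over value-flow facts whose nodes carry call strings, and k-limiting keeps the k most recent call sites. The fact encoding, the function names and the sample program (an identity function called at sites 1 and 2, plus an unrelated helper chain) are assumptions constructed for this example.

```python
def alpha(node, k):
    """k-limit a (variable, call string) node: keep the k most recent sites."""
    name, ctx = node
    return (name, ctx[:k])

def abstract(facts, k):
    return {(alpha(u, k), alpha(v, k)) for u, v in facts}

def reach(edges, start):
    """Nodes reachable from the set `start` over directed edges."""
    succ = {}
    for u, v in edges:
        succ.setdefault(u, set()).add(v)
    seen, work = set(start), list(start)
    while work:
        for v in succ.get(work.pop(), ()):
            if v not in seen:
                seen.add(v)
                work.append(v)
    return seen

def relevant(facts, k, src, sink):
    """Concrete facts whose k-limited image lies on an abstract src-to-sink path."""
    edges = abstract(facts, k)
    fwd = reach(edges, {alpha(src, k)})
    bwd = reach({(v, u) for u, v in edges}, {v for _, v in edges if v[0] == sink})
    return {(u, v) for u, v in facts if alpha(u, k) in fwd and alpha(v, k) in bwd}

def prune_refine(facts, src, sink, max_k):
    """Analyse at k = 0, 1, ... on a shrinking fact set; (k, proved, sizes)."""
    sizes = []
    for k in range(max_k + 1):
        sizes.append(len(abstract(facts, k)))   # abstract tuples analysed at this k
        facts = relevant(facts, k, src, sink)   # prune using the coarse result
        if not facts:                           # no derivation of the query remains
            return k, True, sizes
    return max_k, False, sizes

def sample_facts(depth=8):
    """Constructed value flow: id(p) called at sites 1 and 2, plus an unrelated
    helper chain v0..v<depth> invoked from two call sites per level."""
    facts = {(("a", ()), ("p", (1,))), (("p", (1,)), ("x", ())),
             (("b", ()), ("p", (2,))), (("p", (2,)), ("y", ())),
             (("y", ()), ("sink", ()))}
    ctxs = [()]
    for i in range(depth):
        calls = [((2 * i + 10 + j,) + c, c) for c in ctxs for j in (0, 1)]
        facts |= {((f"v{i}", c), (f"v{i + 1}", callee)) for callee, c in calls}
        ctxs = [callee for callee, _ in calls]
    return facts
```

On the sample facts the k = 0 pass reports a spurious flow from `a` to `sink` but leaves only three facts relevant, so the k = 1 pass analyses 3 abstract tuples instead of 35 and reaches the same verdict as the unpruned k = 1 analysis.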
Scaling abstraction refinement via pruning
PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation