Abstract
This article presents a family of static analyses to determine pointer targets, control flow, and dataflow in combination. The integrated solution to these mutually dependent problems approaches the result from the optimistic side. It is a general strategy for static program analysis and does not need any upfront approximation for one of the problems to overcome the mutual dependencies. A degenerated case yields Andersen’s famous pointer analysis; otherwise, the analyses are flow-sensitive and can support direct and indirect strong updates, within the same cubic asymptotic complexity as known for Andersen, albeit with larger constants.
Surprisingly, the ideas behind the integrated analysis are intuitive. The strategy we describe naturally evolves from considering the mutual dependencies between the three problems, or from generalizing Andersen’s analysis to flow sensitivity. Such a flow-sensitive Andersen analysis not only computes pointer targets with higher precision than the original analysis, but it also creates an interprocedural SSA form at the same time.
Our extensive experimental evaluation shows that the integrated solution is practical as it can be applied to reasonably large real-world programs within a few seconds or minutes. This uses some optimizations which together achieve a speedup of more than 100 for several programs. We compare several members of the family of analyses, from flow- and field-insensitive to flow- and field-sensitive with strong updates, both with and without optimizations. This gives some insights into the effects of these dimensions of precision on the results. It also sheds new light on the benefits of flow sensitivity versus the costs associated with it.
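The precision gap between Andersen's flow-insensitive analysis and a flow-sensitive variant with strong updates, shown as an added example that is not code from the article. The statement encoding, `PROGRAM` and all function names are constructed for this illustration; control flow is reduced to explicit phi merges, so this is a toy in-order pass rather than the article's integrated algorithm.

```python
from collections import defaultdict

# Constructed pointer program; each tuple is (op, lhs, rhs):
#   addr: lhs = &rhs   copy: lhs = phi(rhs...)   load: lhs = *rhs   store: *lhs = rhs
PROGRAM = [
    ("addr", "p", "a"),
    ("addr", "r", "c"),
    ("addr", "q1", "p"),
    ("store", "q1", "r"),         # *q1 = r: q1 has one target, so p -> a is killed
    ("copy", "s", ("p",)),        # s = p
    ("addr", "x", "d"),
    ("addr", "q2", "x"),
    ("copy", "q", ("q1", "q2")),  # q = phi(q1, q2): merge of two branches
    ("store", "q", "r"),          # *q = r: two possible targets, weak update only
    ("addr", "p", "b"),           # later reassignment of p
]

def transfer(pts, op, lhs, rhs):
    """Return {variable: generated points-to set} for one statement."""
    if op == "addr":
        return {lhs: {rhs}}
    if op == "copy":
        return {lhs: set().union(*(pts[v] for v in rhs))}
    if op == "load":
        return {lhs: set().union(*(pts[t] for t in pts[rhs]))}
    return {t: set(pts[rhs]) for t in pts[lhs]}  # store

def andersen(prog):
    """Flow-insensitive: statement order is ignored and sets only grow (fixpoint)."""
    pts, changed = defaultdict(set), True
    while changed:
        changed = False
        for stmt in prog:
            for var, new in transfer(pts, *stmt).items():
                if not new <= pts[var]:
                    pts[var] |= new
                    changed = True
    return pts

def flow_sensitive(prog):
    """In-order pass: strong update unless a store has several possible targets.
    Every name in this toy is one concrete location, so a single target is safe to kill."""
    pts = defaultdict(set)
    for op, lhs, rhs in prog:
        gen = transfer(pts, op, lhs, rhs)
        weak = op == "store" and len(gen) > 1
        for var, new in gen.items():
            pts[var] = pts[var] | new if weak else new
    return pts
```

For `s`, the flow-insensitive result is `{a, b, c}` while the in-order pass yields `{c}`; a client such as a taint or use-after-free checker inherits that difference directly as false positives.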
Practical Integrated Analysis of Pointers, Dataflow and Control Flow