Abstract
We present Graphick, a new technique for automatically learning graph-based heuristics for pointer analysis. Striking a balance between precision and scalability of pointer analysis requires designing good analysis heuristics. For example, because applying context sensitivity to all methods in a real-world program is impractical, pointer analysis typically uses a heuristic to employ context sensitivity only when it is necessary. Past research has shown that exploiting the program's graph structure is a promising way of developing cost-effective analysis heuristics, promoting the recent trend of "graph-based heuristics" that work on the graph representations of programs obtained from a pre-analysis. Although promising, manually developing such heuristics remains challenging, requiring a great deal of expertise and laborious effort. In this paper, we aim to reduce this burden by learning graph-based heuristics automatically, in particular without hand-crafted application-specific features. To do so, we present a feature language to describe graph structures and an algorithm for learning analysis heuristics within the language. We implemented Graphick on top of Doop and used it to learn graph-based heuristics for object sensitivity and heap abstraction. The evaluation results show that our approach is general and can generate high-quality heuristics. For both instances, the learned heuristics are as competitive as the existing state-of-the-art heuristics designed manually by analysis experts.
Index Terms
Learning graph-based heuristics for pointer analysis without handcrafting application-specific features