Pick Your Contexts Well : Understanding Object-Sensitivity The Making of a Precise and Scalable Pointer Analysis

Object-sensitivity has emerged as an excellent context abs traction for points-to analysis in object-oriented languages. Desp it its practical success, however, object-sensitivity is poorly unde rstood. For instance, for a context depth of 2 or higher, past scalable im plementations deviate significantly from the original definiti on of an object-sensitive analysis. The reason is that the analysis has many degrees of freedom, relating to which context elements are p icked at every method call and object creation. We o ffer a clean model for the analysis design space, and discuss a formal and infor mal understanding of object-sensitivity and of how to create good bjectsensitive analyses. The results are surprising in their ext ent. We find that past implementations have made a sub-optimal choic e of contexts, to the severe detriment of precision and performa nce. We define a “full-object-sensitive” analysis that results in s ignificantly higher precision, and often performance, for the exact same context depth. We also introduce “type-sensitivity” as an expl icit approximation of object-sensitivity that preserves high con text quality at substantially reduced cost. A type-sensitive points -to analysis makes an unconventional use of types as context: the context types are not dynamic types of objects involved in the analysis, bu t instead upper bounds on the dynamic types of their allocator ob jects. Our results expose the influence of context choice on the qual ity of points-to analysis and demonstrate type-sensitivity to be an idea with major impact: It decisively advances the state-of-the -art with a spectrum of analyses that simultaneously enjoy speed (sev eral times faster than an analogous object-sensitive analysis) , scalability (comparable to analyses with much less context-sensiti vity), and precision (comparable to the best object-sensitive analys is with the same context depth).

[1]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[2]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[3]  Andrew A. Chien,et al.  Precise Concrete Type Inference for Object-Oriented Languages , 1994, OOPSLA.

[4]  Andrew A. Chien,et al.  Precise concrete type inference for object-oriented languages , 1994, OOPSLA 1994.

[5]  Ole Agesen The Cartesian Product Algorithm: Simple and Precise Type Inference Of Parametric Polymorphism , 1995, ECOOP.

[6]  Laurie J. Hendren,et al.  Practical virtual method call resolution for Java , 2000, OOPSLA '00.

[7]  Practical virtual method call resolution for Java , 2000, OOPSLA.

[8]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 2001, TOPL.

[9]  Barbara G. Ryder Dimensions of Precision in Reference Analysis of Object-Oriented Programming Languages , 2003, CC.

[10]  Monica S. Lam,et al.  Using Datalog with Binary Decision Diagrams for Program Analysis , 2005, APLAS.

[11]  Donglin Liang,et al.  Evaluating the impact of context-sensitivity on Andersen's algorithm for Java programs , 2005, PASTE '05.

[12]  Benjamin Livshits,et al.  Reflection Analysis for Java , 2005, APLAS.

[13]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to analysis for Java , 2005, TSEM.

[14]  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI.

[15]  Ondrej Lhoták,et al.  Program analysis using binary decision diagrams , 2006 .

[16]  Alexander Aiken,et al.  Effective static race detection for Java , 2006, PLDI '06.

[17]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[18]  Eran Yahav,et al.  Effective typestate verification in the presence of aliasing , 2006, TSEM.

[19]  John H. Reppy Type-sensitive control-flow analysis , 2006, ML '06.

[20]  Ondrej Lhoták,et al.  Relations as an abstraction for BDD-based program analysis , 2008, TOPL.

[21]  Ondrej Lhoták,et al.  Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation , 2008, TSEM.

[22]  Yannis Smaragdakis,et al.  Strictly declarative specification of sophisticated points-to analyses , 2009, OOPSLA '09.

[23]  Yannis Smaragdakis,et al.  Exception analysis and points-to analysis: better together , 2009, ISSTA.

[24]  Yannis Smaragdakis,et al.  Resolving and exploiting the k-CFA paradox: illuminating functional vs. object-oriented program analysis , 2010, PLDI '10.