Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting

Object-sensitivity is regarded as arguably the best context abstraction for pointer analysis in object-oriented languages. However, a k-object-sensitive pointer analysis, which uses a sequence of k allocation sites (as k context elements) to represent a calling context of a method call, may end up using some context elements redundantly without inducing a finer partition of the space of (concrete) calling contexts for the method call. In this paper, we introduce Bean, a general approach for improving the precision of any k-object-sensitive analysis, denoted \(k\)-obj, by still using a k-limiting context abstraction. The novelty is to identify allocation sites that are redundant context elements in \(k\)-obj from an Object Allocation Graph (OAG), which is built based on a pre-analysis (e.g., a context-insensitive Andersen’s analysis) performed initially on a program and then avoid them in the subsequent k-object-sensitive analysis for the program. Bean is generally more precise than \(k\)-obj, with a precision that is guaranteed to be as good as \(k\)-obj in the worst case. We have implemented Bean as an open-source tool and applied it to refine two state-of-the-art whole-program pointer analyses in Doop. For two representative clients (may-alias and may-fail-cast) evaluated on a set of nine large Java programs from the DaCapo benchmark suite, Bean has succeeded in making both analyses more precise for all these benchmarks under each client at only small increases in analysis cost.

[1]  Jeff H. Perkins,et al.  Information Flow Analysis of Android Applications in DroidSafe , 2015, NDSS.

[2]  Jingling Xue,et al.  Detecting Memory Leaks Statically with Full-Sparse Value-Flow Analysis , 2014, IEEE Transactions on Software Engineering.

[3]  Alexander Aiken,et al.  Effective static race detection for Java , 2006, PLDI '06.

[4]  Isil Dillig,et al.  Bottom-Up Context-Sensitive Pointer Analysis for Java , 2015, APLAS.

[5]  Ondrej Lhoták,et al.  Points-to analysis with efficient strong updates , 2011, POPL '11.

[6]  Yannis Smaragdakis,et al.  Hybrid context-sensitivity for points-to analysis , 2013, PLDI.

[7]  Eran Yahav,et al.  Alias Analysis for Object-Oriented Programs , 2013, Aliasing in Object-Oriented Programming.

[8]  Yannis Smaragdakis,et al.  Strictly declarative specification of sophisticated points-to analyses , 2009, OOPSLA.

[9]  Eran Yahav,et al.  Effective typestate verification in the presence of aliasing , 2006, TSEM.

[10]  Hongtao Yu,et al.  Level by level: making flow- and context-sensitive pointer analysis scalable for millions of lines of code , 2010, CGO '10.

[11]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[12]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[13]  Ben Hardekopf,et al.  Flow-sensitive pointer analysis for millions of lines of code , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[14]  Ondrej Lhoták,et al.  Context-Sensitive Points-to Analysis: Is It Worth It? , 2006, CC.

[15]  Xin Zhang,et al.  On abstraction refinement for program analyses in Datalog , 2014, PLDI 2014.

[16]  Yifei Zhang,et al.  Program Tailoring: Slicing by Sequential Criteria , 2016, ECOOP.

[17]  Jingling Xue,et al.  Static memory leak detection using full-sparse value-flow analysis , 2012, ISSTA 2012.

[18]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to analysis for Java , 2005, TSEM.

[19]  Xin Zhang,et al.  A user-guided approach to program analysis , 2015, ESEC/SIGSOFT FSE.

[20]  Sergiu M. Dascalu,et al.  Unit-level test adequacy criteria for visual dataflow languages and a testing methodology , 2008, TSEM.

[21]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[22]  Julian Dolby,et al.  Scalable and precise taint analysis for Android , 2015, ISSTA.

[23]  Ondrej Lhoták,et al.  Program analysis using binary decision diagrams , 2006 .

[24]  Hongseok Yang,et al.  Selective context-sensitivity guided by impact pre-analysis , 2014, PLDI.

[25]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[26]  Ondrej Lhoták,et al.  Pick your contexts well: understanding object-sensitivity , 2011, POPL '11.

[27]  Jingling Xue,et al.  Query-directed adaptive heap cloning for optimizing compilers , 2013, Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[28]  Ondrej Lhoták,et al.  Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation , 2008, TSEM.

[29]  Jingling Xue,et al.  Self-inferencing Reflection Resolution for Java , 2014, ECOOP.

[30]  Jingling Xue,et al.  Effective Soundness-Guided Reflection Analysis , 2015, SAS.

[31]  Amer Diwan,et al.  The DaCapo benchmarks: java benchmarking development and analysis , 2006, OOPSLA '06.

[32]  Sam Blackshear,et al.  Selective control-flow abstraction via jumping , 2015, OOPSLA.

[33]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to and side-effect analyses for Java , 2002, ISSTA '02.

[34]  Jingling Xue,et al.  Sparse flow-sensitive pointer analysis for multithreaded programs , 2016, 2016 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).