Access-based abstract memory localization in static analysis

Abstract

On-the-fly localization of abstract memory states is vital for economical abstract interpretation of imperative programs. Such localization is sometimes called ‘‘abstract garbage collection’’ or ‘‘framing’’. In this article we present a new memory localization technique that is more effective than the conventional reachability-based approach. Our technique is based on a key observation that collecting the reachable memory parts is too conservative and the accessed parts are usually tiny subsets of the reachable part. Our technique first estimates, by an efficient pre-analysis, which parts of input states will be accessed during the analysis of each code block. Then the main analysis uses the access-set results to trim the memory entries before analyzing code blocks. In experiments with an industrial-strength global C static analyzer, the technique is applied right before analyzing each procedure’s body and reduces the average analysis time and memory by 92.1% and 71.2%, respectively, without sacrificing the analysis precision. In addition, we present three extensions of access-based localization: (1) we generalize the idea and apply the localization more frequently, such as at loop bodies and basic blocks as well as procedure bodies, additionally reducing analysis time by an average of 31.8%; (2) we present a technique to mitigate a performance problem of localization in handling recursive procedures, and show that this extension improves the average analysis time by 42%; (3) we show how to incorporate the access-based localization into relational numeric analyses.
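The two-phase scheme described in the abstract (a cheap access pre-analysis, then trimming each procedure's input memory to the accessed cells and letting the untouched cells bypass the call) is illustrated below on a toy interval-domain abstract interpreter. This is an added example and not code from the paper or from the C analyzer the authors evaluated; the statement/expression encoding, the `access_set` pre-analysis, the `Analyzer` class, the `entry_cells` cost proxy and the constructed sample program are all assumptions made here. The sample has only global variables, so every cell is reachable from every procedure and a reachability-based localization would keep all 24 cells at each call, whereas the access-based one keeps two for each callee.

```python
"""Toy access-based localization for an interval-domain abstract interpreter.
Program: dict proc -> list of ("assign", var, expr) | ("call", proc) | ("branch", then, else)
Expr: ("const", n) | ("any",) | ("var", x) | ("add", e1, e2).  No recursion is handled."""
INF = float("inf")
TOP = (-INF, INF)                      # interval [lo, hi]; TOP = unknown integer

def join(a, b):
    return (min(a[0], b[0]), max(a[1], b[1]))

def eval_expr(e, mem):
    if e[0] == "const":
        return (e[1], e[1])
    if e[0] == "any":                  # value read from the environment
        return TOP
    if e[0] == "var":
        # A read of a cell missing from a localized memory means the access
        # pre-analysis under-approximated: fail loudly rather than guess a value.
        if e[1] not in mem:
            raise KeyError(f"{e[1]!r} accessed but not in localized memory")
        return mem[e[1]]
    l, r = eval_expr(e[1], mem), eval_expr(e[2], mem)        # "add"
    return (l[0] + r[0], l[1] + r[1])

def _vars_of(e):
    if e[0] == "var":
        return {e[1]}
    return _vars_of(e[1]) | _vars_of(e[2]) if e[0] == "add" else set()

def _direct(stmts):
    """Cells touched and procedures called directly by a statement list."""
    acc, calls = set(), set()
    for s in stmts:
        if s[0] == "assign":
            acc |= {s[1]} | _vars_of(s[2])
        elif s[0] == "call":
            calls.add(s[1])
        else:                          # branch: union over both arms
            for a, c in map(_direct, s[1:]):
                acc, calls = acc | a, calls | c
    return acc, calls

def access_set(program):
    """Pre-analysis: flow-insensitive over-approximation of the cells each
    procedure reads or writes, closed under the call graph."""
    info = {p: _direct(body) for p, body in program.items()}
    acc = {p: set(a) for p, (a, _) in info.items()}
    changed = True
    while changed:                     # fixpoint; terminates since sets only grow
        changed = False
        for p, (_, calls) in info.items():
            for q in calls:
                if not acc[q] <= acc[p]:
                    acc[p] |= acc[q]
                    changed = True
    return acc

def all_variables(program):
    return set().union(*access_set(program).values())

class Analyzer:
    def __init__(self, program, localize, access=None):
        self.program, self.localize = program, localize
        self.access = access if access is not None else access_set(program)
        self.entry_cells = 0           # cost proxy: cells handed to procedure bodies

    def run_body(self, stmts, mem):
        mem = dict(mem)
        for s in stmts:
            if s[0] == "assign":
                mem[s[1]] = eval_expr(s[2], mem)
            elif s[0] == "call":
                mem = self.call(s[1], mem)
            else:
                a, b = self.run_body(s[1], mem), self.run_body(s[2], mem)
                mem = {v: join(a[v], b[v]) for v in a}
        return mem

    def call(self, proc, mem):
        if not self.localize:
            self.entry_cells += len(mem)
            return self.run_body(self.program[proc], mem)
        local = {v: mem[v] for v in self.access[proc] if v in mem}  # trim to accessed cells
        self.entry_cells += len(local)
        out = self.run_body(self.program[proc], local)
        return {**mem, **out}          # non-accessed cells bypass the callee unchanged

def analyze(program, localize):
    a = Analyzer(program, localize)
    return a.call("main", {v: TOP for v in all_variables(program)}), a.entry_cells

def sample_program():
    """Constructed sample: 20 bookkeeping globals c0..c19 the callees never touch,
    plus x, y, z, w that they do."""
    main = [("assign", f"c{i}", ("const", i)) for i in range(20)]
    main += [("assign", "x", ("any",)), ("assign", "z", ("const", 1)),
             ("call", "f"), ("call", "g")]
    f = [("branch", [("assign", "y", ("add", ("var", "x"), ("const", 1)))],
                    [("assign", "y", ("const", 0))])]
    g = [("assign", "z", ("add", ("var", "z"), ("const", 2))), ("call", "h")]
    h = [("assign", "w", ("add", ("var", "z"), ("var", "z")))]
    return {"main": main, "f": f, "g": g, "h": h}
```

Running `analyze(sample_program(), localize=True)` yields the same final memory as the unlocalized run (z = [3,3], w = [6,6], y = TOP), which is the "without sacrificing precision" property, while the number of cells handed to procedure bodies drops from 96 to 30. The `KeyError` in `eval_expr` is the practitioner's check on the scheme's one soundness requirement: the pre-analysis must over-approximate. Hand the analyzer an access set for `h` that omits `z` and the localized run reads a cell it never received, which is exactly the failure a too-aggressive pre-analysis would cause.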
