Access-Path Abstraction: Scaling Field-Sensitive Data-Flow Analysis with Unbounded Access Paths (T)

Precise data-flow analyses frequently model field accesses through access paths with varying length. While using longer access paths increases precision, their size must be bounded to assure termination, and should anyway be small to enable a scalable analysis. We present Access-Path Abstraction, which for the first time combines efficiency with maximal precision. At control-flow merge points Access-Path Abstraction represents all those access paths that are rooted at the same base variable through this base variable only. The full access paths are reconstructed on demand where required. This makes it unnecessary to bound access paths to a fixed maximal length. Experiments with Stanford SecuriBench and the Java Class Library compare our open-source implementation against a field-based approach and against a field-sensitive approach that uses bounded access paths. The results show that the proposed approach scales as well as a field-based approach, whereas the approach using bounded access paths runs out of memory.

[1]  Neil D. Jones,et al.  Flow analysis and optimization of LISP-like structures , 1979, POPL.

[2]  Peter Thiemann,et al.  Precise Interprocedural Side-Effect Analysis , 2014, ICTAC.

[3]  Manu Sridharan,et al.  Demand-driven points-to analysis for Java , 2005, OOPSLA '05.

[4]  Eric Bodden,et al.  Inter-procedural data-flow analysis with IFDS/IDE and Soot , 2012, SOAP '12.

[5]  Ondrej Lhoták,et al.  Typestate-like analysis of multiple interacting objects , 2008, OOPSLA.

[6]  Manu Sridharan,et al.  Snugglebug: a powerful approach to weakest preconditions , 2009, PLDI '09.

[7]  Deepak D'Souza,et al.  Scalable Flow-Sensitive Pointer Analysis for Java with Strong Updates , 2012, ECOOP.

[8]  Manu Sridharan,et al.  Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis , 2009, ECOOP.

[9]  Alain Deutsch,et al.  Interprocedural may-alias analysis for pointers: beyond k-limiting , 1994, PLDI '94.

[10]  Ben Hermann,et al.  Design your analysis: a case study on implementation reusability of data-flow functions , 2015, SOAP@PLDI.

[11]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[12]  Atanas Rountev,et al.  Demand-driven context-sensitive alias analysis for Java , 2011, ISSTA '11.

[13]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[14]  Mira Mezini,et al.  FlowTwist: efficient context-sensitive inside-out taint analysis for large codebases , 2014, SIGSOFT FSE.

[15]  Patrick Cousot,et al.  Andromeda: Accurate and Scalable Security Analysis of Web Applications , 2013, FASE.

[16]  Ondrej Lhoták,et al.  The Soot framework for Java program analysis: a retrospective , 2011 .

[17]  Peter Thiemann,et al.  Interprocedural Analysis with Lazy Propagation , 2010, SAS.

[18]  Barbara G. Ryder,et al.  A safe approximate algorithm for interprocedural aliasing , 1992, PLDI '92.

[19]  Eran Yahav,et al.  Generating precise and concise procedure summaries , 2008, POPL '08.