Existential Label Flow Inference Via CFL Reachability

In programming languages, existential quantification is useful for describing relationships among members of a structured type. For example, we may have a list in which there exists some mutual exclusion lock l in each list element such that l protects the data stored in that element. With this information, a static analysis can reason about the relationship between locks and locations in the list even when the precise identity of the lock and/or location is unknown. To facilitate the construction of such static analyses, this paper presents a context-sensitive label flow analysis algorithm with support for existential quantification. Label flow analysis is a core part of many static analysis systems. Following Rehof et al., we use context-free language (CFL) reachability to develop an efficient O(n^3) label flow inference algorithm. We prove the algorithm sound by reducing its derivations to those in a system based on polymorphically-constrained types, in the style of Mossin. We have implemented a variant of our analysis as part of a data race detection tool for C programs.
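
The context-sensitive label flow the abstract builds on can be seen in a small added example (not code from the paper or its implementation): a label flow graph whose call and return edges are labelled with matching parentheses per call site, and a worklist closure of the matched-parenthesis relation of Rehof-style CFL reachability. The graph, node names and the `id` program are constructed for illustration; the unmatched call/return prefixes and suffixes that the full reachability language also admits, and the paper's existential extension, are not modelled here.

```python
from collections import defaultdict

def matched_reach(nodes, edges):
    # Edges carry "" (plain flow), "(i" (into call site i) or ")i" (out of
    # call site i).  M ::= eps | M M | (i M )i, so a return edge only matches
    # its own call edge: flow is context-sensitive.  Pairs are indexed by
    # both endpoints, so each popped pair does O(n) concatenation work.
    opens_into = defaultdict(list)   # v -> [(u, site)] for u -(site-> v
    closes_from = defaultdict(list)  # u -> [(site, v)] for u -)site-> v
    succ, pred, work = defaultdict(set), defaultdict(set), []

    def add(a, b):
        if b not in succ[a]:
            succ[a].add(b); pred[b].add(a); work.append((a, b))

    for n in nodes:
        add(n, n)                    # eps: every label reaches itself
    for u, v, lab in edges:
        if lab == "":
            add(u, v)
        elif lab[0] == "(":
            opens_into[v].append((u, lab[1:]))
        elif lab[0] == ")":
            closes_from[u].append((lab[1:], v))
        else:
            raise ValueError(f"bad edge label {lab!r}")
    while work:
        a, b = work.pop()
        for c in list(pred[a]):          # M M: c ->M a ->M b
            add(c, b)
        for d in list(succ[b]):          # M M: a ->M b ->M d
            add(a, d)
        for u, site in opens_into[a]:    # (i M )i: u -(i-> a ->M b -)i-> y
            for site2, y in closes_from[b]:
                if site == site2:
                    add(u, y)
    return {(a, b) for a in succ for b in succ[a]}

# Constructed graph for:  id(x) = x;  r1 = id(a1);  r2 = id(a2)
NODES = ["a1", "a2", "x", "ret", "r1", "r2"]
EDGES = [("a1", "x", "(1"), ("a2", "x", "(2"),     # arguments into parameter
         ("x", "ret", ""),                          # body returns its parameter
         ("ret", "r1", ")1"), ("ret", "r2", ")2")]  # results back to call sites

def flows(src, dst, nodes=NODES, edges=EDGES):
    # True iff label src reaches dst along a matched (context-sensitive) path.
    return (src, dst) in matched_reach(nodes, edges)
```

A context-insensitive closure would report that `a1` flows to both `r1` and `r2`; the matched relation reports only `a1` to `r1` and `a2` to `r2`.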

[1] Jens Palsberg, et al. Type-based analysis and applications, 2001, PASTE '01.

[2] Manuel Fähndrich, et al. Making Set-Constraint Program Analyses Scale, 1996.

[3] George C. Necula, et al. Capriccio: scalable threads for internet services, 2003, SOSP '03.

[4] Manuel Fähndrich, et al. Making Set-Constraint Based Program Analyses Scale, 1996.

[5] Thomas W. Reps, et al. Precise interprocedural dataflow analysis via graph reachability, 1995, POPL '95.

[6] Manuel Fähndrich, et al. Bane: a library for scalable constraint-based program analysis, 1999.

[7] Frank Pfenning, et al. Dependent types in practical programming, 1999, POPL '99.

[8] Matthias Felleisen, et al. Componential set-based analysis, 1997, TOPL.

[9] Benjamin C. Pierce, et al. Types and programming languages: the next generation, 2003, 18th Annual IEEE Symposium on Logic in Computer Science, 2003. Proceedings.

[10] Jakob Rehof, et al. Estimating the Impact of Scalable Pointer Analysis on Optimization, 2001, SAS.

[11] Alexander Aiken, et al. The set constraint/CFL reachability connection in practice, 2004, PLDI '04.

[12] Manuvir Das, et al. Unification-based pointer analysis with directional assignments, 2000, PLDI '00.

[13] Vincent Simonet, et al. An extension of HM(X) with bounded existential and universal data-types, 2003, ICFP '03.

[14] David A. Wagner, et al. Finding User/Kernel Pointer Bugs with Type Inference, 2004, USENIX Security Symposium.

[15] John C. Mitchell, et al. Type inference with simple subtypes, 1991, Journal of Functional Programming.

[16] Didier Rémy, et al. MLF: raising ML to the power of system F, 2003, ACM SIGPLAN Notices.

[17] Joe B. Wells, et al. Typability and Type Checking in System F are Equivalent and Undecidable, 1999, Ann. Pure Appl. Log.

[18] Jakob Rehof, et al. Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability, 2006.

[19] Jeffrey S. Foster, et al. LOCKSMITH: context-sensitive correlation analysis for race detection, 2006, PLDI '06.

[20] John C. Mitchell, et al. Abstract types have existential types, 1985, POPL.

[21] Fritz Henglein, et al. Type inference with polymorphic recursion, 1993, TOPL.

[22] Alexander Aiken, et al. Checking and inferring local non-aliasing, 2003, PLDI '03.

[23] Martin Odersky, et al. Polymorphic type inference and abstract data types, 1994, TOPL.

[24] Andrew C. Myers, et al. JFlow: practical mostly-static information flow control, 1999, POPL '99.

[25] Jakob Rehof, et al. Scalable context-sensitive flow analysis using instantiation constraints, 2000, PLDI '00.

[26] Jeffrey S. Foster, et al. Flow-insensitive type qualifiers, 2006, TOPL.

[27] Didier Rémy, et al. Programming Objects with ML-ART, an Extension to ML with Abstract and Record Types, 1994, TACS.

[28] Jakob Rehof, et al. From Polymorphic Subtyping to CFL Reachability: Context-Sensitive Flow Analysis Using Instantiation Constraints, 2000.

[29] Martín Abadi, et al. Types for Safe Locking, 1999, ESOP.

[30] Martin Odersky, et al. Type Inference with Constrained Types, 1999, Theory Pract. Object Syst.

[31] Jakob Rehof, et al. Type-base flow analysis: from polymorphic subtyping to CFL-reachability, 2001, POPL '01.

[32] Robert Harper, et al. Typed closure conversion, 1996, POPL '96.

[33] Christian Mossin, et al. Flow analysis of typed higher-order programs, 1996, Technical report, University of Copenhagen, Datalogisk Institut.