A Correspondence between Two Approaches to Interprocedural Analysis in the Presence of Join

Many interprocedural static analyses perform a lossy join for reasons of termination or efficiency. We study the relationship between two predominant approaches to interprocedural analysis, the summary-based or functional approach and the call-strings or k-CFA approach, in the presence of a lossy join. Although these two approaches distinguish procedure contexts in radically different ways, we prove that post-processing their results using a form of garbage collection renders them equivalent. Our result extends the classic result by Sharir and Pnueli, which showed the equivalence between these two approaches in the setting of distributive analysis, wherein the join is lossless. We also empirically compare these two approaches by applying them to a pointer analysis that performs a lossy join. Our experiments on ten Java programs of size 400K to 900K bytecodes show that the summary-based approach outperforms an optimized implementation of the k-CFA approach: the k-CFA implementation does not scale beyond $k=2$, while the summary-based approach proves up to 46% more pointer analysis client queries than 2-CFA. The summary-based approach thus makes it possible, via our equivalence result, to measure the precision of k-CFA with unbounded k, for the class of interprocedural analyses that perform a lossy join.
