Cycle elimination for invocation graph-based context-sensitive pointer analysis

Context: Pointer analysis is an important building block of optimizing compilers and program analyzers for the C language. Various methods with different precision and performance trade-offs have been proposed. Among them, cycle elimination has been used successfully to improve the scalability of context-insensitive pointer analyses without losing any precision. Objective: In this article, we present a new method for context-sensitive pointer analysis with an effective application of cycle elimination. Method: To obtain similar benefits from cycle elimination for context-sensitive analysis, we propose a novel constraint-based formulation that uses sets of contexts as annotations. Our method is not based on binary decision diagrams (BDDs). Instead, we directly use invocation graphs to represent context sets and apply a hash-consing technique to deal with the exponential blow-up of contexts. Result: Experimental results on C programs ranging from 20,000 to 290,000 lines show that applying cycle elimination to our new formulation results in a 4.5x speedup over the previous BDD-based approach. Conclusion: We showed that cycle elimination is an effective method for improving the scalability of context-sensitive pointer analysis.
