Scaling abstraction refinement via pruning

Many static analyses do not scale as they are made more precise. For example, increasing the amount of context sensitivity in a k-limited pointer analysis causes the number of contexts to grow exponentially with k. Iterative refinement techniques can mitigate this growth by starting with a coarse abstraction and only refining parts of the abstraction that are deemed relevant with respect to a given client. In this paper, we introduce a new technique called pruning that uses client feedback in a different way. The basic idea is to use coarse abstractions to prune away parts of the program analysis deemed irrelevant for proving a client query, and then using finer abstractions on the sliced program analysis. For a k-limited pointer analysis, this approach amounts to adaptively refining and pruning a set of prefix patterns representing the contexts relevant for the client. By pruning, we are able to scale up to much more expensive abstractions than before. We also prove that the pruned analysis is both sound and complete, that is, it yields the same results as an analysis that uses a more expensive abstraction directly without pruning.

[1]  Monica S. Lam,et al.  Context-sensitive pointer analysis using binary decision diagrams , 2007 .

[2]  Ondrej Lhoták,et al.  Context-Sensitive Points-to Analysis: Is It Worth It? , 2006, CC.

[3]  Yannis Smaragdakis,et al.  Strictly declarative specification of sophisticated points-to analyses , 2009, OOPSLA '09.

[4]  Calvin Lin,et al.  Client-Driven Pointer Analysis , 2003, SAS.

[5]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[6]  Xin Zheng,et al.  Demand-driven alias analysis for C , 2008, POPL '08.

[7]  Alexander Aiken,et al.  Effective static race detection for Java , 2006, PLDI '06.

[8]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to and side-effect analyses for Java , 2002, ISSTA '02.

[9]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to analysis for Java , 2005, TSEM.

[10]  Mayur Naik,et al.  A dynamic evaluation of the precision of static heap abstractions , 2010, OOPSLA.

[11]  Pankaj Jalote,et al.  Efficient static analysis with path pruning using coverage data , 2005, ACM SIGSOFT Softw. Eng. Notes.

[12]  Ondrej Lhoták,et al.  Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation , 2008, TSEM.

[13]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[14]  Olin Shivers,et al.  Demand-Driven Type Inference with Subgoal Pruning: Trading Precision for Scalability , 2004, ECOOP.

[15]  Kenneth L. McMillan,et al.  Lazy Abstraction with Interpolants , 2006, CAV.

[16]  Mayur Naik,et al.  Learning minimal abstractions , 2011, POPL '11.

[17]  Andrew A. Chien,et al.  Precise Concrete Type Inference for Object-Oriented Languages , 1994, OOPSLA.

[18]  Andrew A. Chien,et al.  Precise concrete type inference for object-oriented languages , 1994, OOPSLA 1994.

[19]  Monica S. Lam,et al.  Cloning-based context-sensitive pointer alias analysis using binary decision diagrams , 2004, PLDI '04.

[20]  Todd Millstein,et al.  Automatic predicate abstraction of C programs , 2001, PLDI '01.

[21]  Olivier Tardieu,et al.  Demand-driven pointer analysis , 2001, PLDI '01.

[22]  Olin Shivers,et al.  Control flow analysis in scheme , 1988, PLDI '88.

[23]  Ondrej Lhoták,et al.  Pick your contexts well: understanding object-sensitivity , 2011, POPL '11.

[24]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.