Scalability-first pointer analysis with self-tuning context-sensitivity

Context-sensitivity is important in pointer analysis to ensure high precision, but existing techniques suffer from unpredictable scalability. Many variants of context-sensitivity exist, and it is difficult to choose one that leads to reasonable analysis time and obtains high precision, without running the analysis multiple times. We present the Scaler framework that addresses this problem. Scaler efficiently estimates the amount of points-to information that would be needed to analyze each method with different variants of context-sensitivity. It then selects an appropriate variant for each method so that the total amount of points-to information is bounded, while utilizing the available space to maximize precision. Our experimental results demonstrate that Scaler achieves predictable scalability for all the evaluated programs (e.g., speedups can reach 10x for 2-object-sensitivity), while providing a precision that matches or even exceeds that of the best alternative techniques.
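The selection step described above can be illustrated with a small model. The following Python is an added example, not Scaler's own code: it assumes a pre-analysis has already produced, for each method, the size of its context-insensitive points-to information and the number of contexts each variant would create, and it uses the assumed cost model `contexts x points-to size`. The variant ordering (2obj, 2type, 1type, context-insensitive), the method names and all numbers are constructed for the example. A per-method threshold is binary-searched so that the most precise variant is chosen for every method while the summed estimate stays within a global budget.

```python
"""Self-tuning choice of a context-sensitivity variant per method (illustrative)."""
from typing import Dict, Tuple

# Variants ordered from most to least precise. Per method, the estimated
# cost is assumed to be non-increasing along this order, which keeps the
# total cost monotone in the threshold and makes the binary search valid.
VARIANTS = ("2obj", "2type", "1type", "ci")

# Constructed sample pre-analysis results (hypothetical methods):
#   ci_pts   - size of the method's context-insensitive points-to information
#   contexts - number of contexts each variant would give the method
METHODS: Dict[str, dict] = {
    "main":            {"ci_pts": 10, "contexts": {"2obj": 1,   "2type": 1,  "1type": 1,  "ci": 1}},
    "util.hash":       {"ci_pts": 50, "contexts": {"2obj": 400, "2type": 40, "1type": 8,  "ci": 1}},
    "io.read":         {"ci_pts": 30, "contexts": {"2obj": 60,  "2type": 12, "1type": 4,  "ci": 1}},
    "collections.put": {"ci_pts": 80, "contexts": {"2obj": 900, "2type": 90, "1type": 15, "ci": 1}},
}


def cost(method: str, variant: str) -> int:
    """Estimated points-to information for `method` under `variant`
    (assumed model: number of contexts times context-insensitive size)."""
    info = METHODS[method]
    return info["contexts"][variant] * info["ci_pts"]


def choose_variant(method: str, threshold: int) -> str:
    """Most precise variant whose estimate fits under the per-method threshold."""
    for variant in VARIANTS:
        if cost(method, variant) <= threshold:
            return variant
    return "ci"  # context-insensitive analysis is always admissible


def assignment_for(threshold: int) -> Dict[str, str]:
    return {m: choose_variant(m, threshold) for m in METHODS}


def total_cost(assignment: Dict[str, str]) -> int:
    return sum(cost(m, v) for m, v in assignment.items())


def tune(budget: int) -> Tuple[int, Dict[str, str], int]:
    """Find the largest per-method threshold whose total estimate stays within
    `budget`; return (threshold, per-method assignment, total estimate)."""
    baseline = assignment_for(0)  # everything context-insensitive
    if total_cost(baseline) > budget:
        # Even the cheapest configuration exceeds the budget; report it as-is.
        return 0, baseline, total_cost(baseline)
    lo, hi = 0, max(cost(m, v) for m in METHODS for v in VARIANTS)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if total_cost(assignment_for(mid)) <= budget:
            lo = mid        # affordable: try a larger threshold
        else:
            hi = mid - 1    # too expensive: shrink
    chosen = assignment_for(lo)
    return lo, chosen, total_cost(chosen)


if __name__ == "__main__":
    threshold, chosen, total = tune(budget=5000)
    print(f"threshold={threshold} total={total}")
    for method, variant in chosen.items():
        print(f"  {method:16s} -> {variant:5s} (estimate {cost(method, variant)})")
```

With a budget of 5000 the search settles on a threshold of 1999: the cheap `io.read` keeps 2-object-sensitivity while the larger `util.hash` and `collections.put` drop to 1-type-sensitivity, for a total estimate of 3410; raising the threshold to 2000 would admit `util.hash` under 2-type-sensitivity and push the total to 5010, over budget. Cutting the budget below the all-context-insensitive total (170 here) makes `tune` report that baseline rather than pretend the bound is met.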
