Making pointer analysis more precise by unleashing the power of selective context sensitivity

Traditional context-sensitive pointer analysis is hard to scale for large and complex Java programs. To address this issue, a series of selective context-sensitivity approaches have been proposed and exhibit promising results. In this work, we move one step further towards producing highly-precise pointer analyses for hard-to-analyze Java programs by presenting the Unity-Relay framework, which takes selective context sensitivity to the next level. Briefly, Unity-Relay is a one-two punch: given a set of different selective context-sensitivity approaches, say S = {S1, ..., Sn}, Unity-Relay first provides a mechanism (called Unity) to combine and maximize the precision of all components of S. When Unity fails to scale, Unity-Relay offers a scheme (called Relay) to pass and accumulate the precision from one approach Si in S to the next, Si+1, leading to an analysis that is more precise than all approaches in S. As a proof-of-concept, we instantiate Unity-Relay into a tool called Baton and extensively evaluate it on a set of hard-to-analyze Java programs, using general precision metrics and popular clients. Compared with the state of the art, Baton achieves the best precision for all metrics and clients for all evaluated programs. The difference in precision is often dramatic — up to 71% of alias pairs reported by previously-best algorithms are found to be spurious and eliminated.
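To make the notion of selective context sensitivity concrete, the following toy points-to analysis is an added illustration written for this page; it is not code from the paper, nor from Baton or any of the cited tools. It assumes a constructed three-method program (`main`, `id`, `wrap`), a 2-call-site context abstraction, and a single parameter `p` plus return variable `ret` per method. A "selection" is the set of methods that receive contexts; everything else is analyzed context-insensitively. Two constructed selections stand in for two approaches S1 and S2, and their union plays the role of a combined selection in the spirit of what Unity aims for (the real Unity mechanism and the Relay scheme are not implemented here). The alias-pair count over `main`'s variables is the precision metric.

```python
from collections import defaultdict

# Constructed toy program (not from the paper). Statement forms:
#   ("new", var, obj)           var = new obj
#   ("assign", dst, src)        dst = src
#   ("call", dst, callee, arg)  dst = callee(arg)
# By convention each method takes one parameter "p" and returns "ret".
PROGRAM = {
    "main": [
        ("new", "a", "O1"),
        ("new", "b", "O2"),
        ("call", "x", "id", "a"),     # call site main:2
        ("call", "y", "id", "b"),     # call site main:3
        ("call", "z", "wrap", "a"),   # call site main:4
        ("call", "w", "wrap", "b"),   # call site main:5
    ],
    "id": [("assign", "ret", "p")],
    "wrap": [("call", "ret", "id", "p")],   # call site wrap:0
}


def _add(pts, key, objs):
    """Union objs into pts[key]; report whether anything changed."""
    before = len(pts[key])
    pts[key] |= objs
    return len(pts[key]) != before


def analyze(program, selected, k=2):
    """Selective k-call-site-sensitive points-to analysis.

    `selected` is the set of methods that get call-site contexts;
    unselected methods are analyzed under the single empty context ().
    Returns pts: (method, context, var) -> set of abstract objects.
    """
    pts = defaultdict(set)
    reachable = {("main", ())}
    changed = True
    while changed:                      # naive fixpoint iteration
        changed = False
        for method, ctx in list(reachable):
            for i, stmt in enumerate(program[method]):
                kind = stmt[0]
                if kind == "new":
                    _, var, obj = stmt
                    changed |= _add(pts, (method, ctx, var), {obj})
                elif kind == "assign":
                    _, dst, src = stmt
                    changed |= _add(pts, (method, ctx, dst), pts[(method, ctx, src)])
                elif kind == "call":
                    _, dst, callee, arg = stmt
                    site = f"{method}:{i}"
                    # Context of the callee: extend and k-limit the caller's
                    # context only if the callee is selected for sensitivity.
                    cctx = (ctx + (site,))[-k:] if callee in selected else ()
                    if (callee, cctx) not in reachable:
                        reachable.add((callee, cctx))
                        changed = True
                    changed |= _add(pts, (callee, cctx, "p"), pts[(method, ctx, arg)])
                    changed |= _add(pts, (method, ctx, dst), pts[(callee, cctx, "ret")])
    return pts


def alias_pairs(pts, method="main"):
    """Pairs of variables in `method` (empty context) whose points-to sets overlap."""
    names = sorted({v for (m, c, v) in pts if m == method and c == ()})
    pairs = set()
    for i, v1 in enumerate(names):
        for v2 in names[i + 1:]:
            if pts[(method, (), v1)] & pts[(method, (), v2)]:
                pairs.add((v1, v2))
    return pairs


def compare_selections(program=PROGRAM):
    """Alias-pair counts for: no sensitivity, S1, S2, and the union S1 ∪ S2."""
    s1, s2 = {"id"}, {"wrap"}          # constructed stand-ins for two approaches
    return {
        "insensitive": len(alias_pairs(analyze(program, set()))),
        "S1": len(alias_pairs(analyze(program, s1))),
        "S2": len(alias_pairs(analyze(program, s2))),
        "S1 ∪ S2": len(alias_pairs(analyze(program, s1 | s2))),
    }


if __name__ == "__main__":
    for name, count in compare_selections().items():
        print(f"{name:12s} alias pairs in main: {count}")
```

On this input S2 alone buys nothing (giving `wrap` contexts does not help while `id`, which it calls, stays insensitive), S1 alone removes a few spurious pairs, and only the union separates all four results, which is the observation that motivates combining selections rather than picking one.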
