Towards Path-Sensitive Points-to Analysis

Points-to analysis is a static program analysis aiming at analyzing the reference structure of dynamically allocated objects at compile-time. It constitutes the basis for many analyses and optimizations in software engineering and compiler construction. Sparse program representations, such as Whole Program Points-to Graph (WPP2G) and Points-to SSA (P2SSA), represent only dataflow that is directly relevant for points-to analysis. They have proved to be practical in terms of analysis precision and efficiency. However, intra-procedural control flow information is removed from these representations, which sacrifices analysis precision to improve analysis performance. We show an approach for keeping control flow related information even in sparse program representations by representing control flow effects as operations on the data transferred, i.e., as dataflow information. These operations affect distinct paths of the program differently, thus yielding a certain degree of path-sensitivity. Our approach works with both WPP2G and P2SSA representations. We apply the approach to P2SSA-based and flow-sensitive points-to analysis and evaluate a context-insensitive and a context-sensitive variant. We assess our approach using abstract precision metrics. Moreover, we investigate the precision improvements and performance penalties when used as an input to three source-code-level analyses: dead code, cast safety, and null pointer analysis.
