Online Cycle Detection and Difference Propagation: Applications to Pointer Analysis

This paper presents and evaluates a number of techniques to improve the execution time of interprocedural pointer analysis in the context of C programs. The analysis is formulated as a graph of set constraints and solved using a worklist algorithm. Indirections lead to new constraints being added during this procedure. The solution process can be simplified by identifying cycles, and we present a novel online algorithm for doing this. We also present a difference propagation scheme which avoids redundant work by tracking changes to each solution set. The effectiveness of these and other methods are shown in an experimental study over 12 common ‘C’ programs ranging between 1000 to 150,000 lines of code.

[1]  Alfred V. Aho,et al.  The Transitive Reduction of a Directed Graph , 1972, SIAM J. Comput..

[2]  Wuu Yang,et al.  The Semantics of Program Slicing and Program Integration , 1989, TAPSOFT, Vol.2.

[3]  Alberto Marchetti-Spaccamela,et al.  Maintaining a Topological Order Under Edge Insertions , 1996, Inf. Process. Lett..

[4]  Alexander Aiken,et al.  Projection merging: reducing redundancies in inclusion constraint graphs , 2000, POPL '00.

[5]  Hausi A. Müller,et al.  Analyzing Java software by combining metrics and program visualization , 2000, Proceedings of the Fourth European Conference on Software Maintenance and Reengineering.

[6]  Monica S. Lam,et al.  Efficient context-sensitive pointer analysis for C programs , 1995, PLDI '95.

[7]  Barbara G. Ryder,et al.  Relevant context inference , 1999, POPL '99.

[8]  Thomas A. Henzinger,et al.  Software Verification with BLAST , 2003, SPIN.

[9]  Oded Shmueli Dynamic Cycle Detection , 1983, Inf. Process. Lett..

[10]  William Landi,et al.  Undecidability of static analysis , 1992, LOPL.

[11]  Helmut Seidl,et al.  An Even Faster Solver for General Systems of Equations , 1996, SAS.

[12]  Susan Horwitz,et al.  An efficient general iterative algorithm for dataflow analysis , 2004, Acta Informatica.

[13]  Tiziano Villa,et al.  VIS: A System for Verification and Synthesis , 1996, CAV.

[14]  Jon A. Rochlis,et al.  With microscope and tweezers: an analysis of the Internet virus of November 1988 , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[15]  Patrice Godefroid,et al.  VeriSoft: A Tool for the Automatic Analysis of Concurrent Reactive Software , 1997, CAV.

[16]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[17]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[18]  S LamMonica,et al.  Efficient context-sensitive pointer analysis for C programs , 1995 .

[19]  François Bourdoncle,et al.  Efficient chaotic iteration strategies with widenings , 1993, Formal Methods in Programming and Their Applications.

[20]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[21]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[22]  Donglin Liang,et al.  Efficient Computation of Parameterized Pointer Information for Interprocedural Analyses , 2001, SAS.

[23]  Gerard J. Holzmann,et al.  The SPIN Model Checker , 2003 .

[24]  Susan Horwitz,et al.  Fast and accurate flow-insensitive points-to analysis , 1997, POPL '97.

[25]  Amer Diwan,et al.  Type-based alias analysis , 1998, PLDI.

[26]  Atanas Rountev,et al.  Off-line variable substitution for scaling points-to analysis , 2000, PLDI '00.

[27]  B. A. Myers,et al.  Visual programming, programming by example, and program visualization: a taxonomy , 1986, CHI '86.

[28]  Donglin Liang,et al.  Extending and evaluating flow-insenstitive and context-insensitive points-to analyses for Java , 2001, PASTE '01.

[29]  David A. Schmidt,et al.  The essence of computation: complexity, analysis, transformation , 2002 .

[30]  Thomas W. Reps,et al.  Pointer analysis for programs with structures and casting , 1999, PLDI '99.

[31]  Jakob Rehof,et al.  Scalable context-sensitive flow analysis using instantiation constraints , 2000, PLDI '00.

[32]  Thomas W. Reps,et al.  Program Specialization via Program Slicing , 1996, Dagstuhl Seminar on Partial Evaluation.

[33]  Steven P. Reiss Cacti: a front end for program visualization , 1997, Proceedings of VIZ '97: Visualization Conference, Information Visualization Symposium and Parallel Rendering Symposium.

[34]  Alexander Aiken,et al.  Polymorphic versus Monomorphic Flow-Insensitive Points-to Analysis for C , 2000, SAS.

[35]  Jakob Rehof,et al.  Estimating the Impact of Scalable Pointer Analysis on Optimization , 2001, SAS.

[36]  Satish Chandra,et al.  Physical type checking for C , 1999, PASTE '99.

[37]  Thomas Ball,et al.  Slicing Programs with Arbitrary Control-flow , 1993, AADEBUG.

[38]  Erik Ruf,et al.  Context-insensitive alias analysis reconsidered , 1995, PLDI '95.

[39]  Barbara G. Ryder,et al.  Points-to analysis for Java using annotated constraints , 2001, OOPSLA '01.

[40]  Thomas A. Henzinger,et al.  HYTECH: a model checker for hybrid systems , 1997, International Journal on Software Tools for Technology Transfer.

[41]  Bjarne Steensgaard Points-to Analysis by Type Inference of Programs with Structures and Unions , 1996, CC.

[42]  Mark N. Wegman,et al.  Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[43]  Huang Bo Context Sensitive Interprocedural Pointer Analysis , 2000 .

[44]  Michael Hind,et al.  Which pointer analysis should I use? , 2000, ISSTA '00.

[45]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms , 1972, SIAM J. Comput..

[46]  Ondrej Lhoták,et al.  Scaling Java Points-to Analysis Using SPARK , 2003, CC.

[47]  Deepak Goyal An Improved Intra-procedural May-alias Analysis Algorithm , 1999 .

[48]  Larry G. Jones,et al.  Efficient evaluation of circular attribute grammars , 1990, TOPL.

[49]  Patrick Cousot,et al.  Design and Implementation of a Special-Purpose Static Program Analyzer for Safety-Critical Real-Time Embedded Software , 2002, The Essence of Computation.

[50]  Alexander Aiken,et al.  Introduction to Set Constraint-Based Program Analysis , 1999, Sci. Comput. Program..

[51]  Cormac Flanagan,et al.  Effective Static Debugging via Compential Set-Based Analysis , 1997 .

[52]  David J. Pearce,et al.  Some directed graph algorithms and their application to pointer analysis , 2005 .

[53]  Li-Ling Chen,et al.  An efficient approach to computing fixpoints for complex program analysis , 1994, ICS '94.

[54]  A. Aiken,et al.  Flow-Insensitive Points-to Analysis with Term and Set Constraints , 1997 .

[55]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI.

[56]  Calvin Lin,et al.  Incorporating domain-specific information into the compilation process , 2003 .

[57]  Chris Hankin,et al.  Online cycle detection and difference propagation for pointer analysis , 2003, Proceedings Third IEEE International Workshop on Source Code Analysis and Manipulation.

[58]  Laurie J. Hendren,et al.  Context-sensitive interprocedural points-to analysis in the presence of function pointers , 1994, PLDI '94.

[59]  David W. Binkley,et al.  The application of program slicing to regression testing , 1998, Inf. Softw. Technol..

[60]  Helmut Seidl,et al.  Propagating Differences: An Efficient New Fixpoint Algorithm for Distributive Constraint Systems , 1998, Nord. J. Comput..

[61]  Thomas A. Henzinger,et al.  MOCHA: Modularity in Model Checking , 1998, CAV.

[62]  Susan Horwitz,et al.  Precise flow-insensitive may-alias analysis is NP-hard , 1997, TOPL.

[63]  François Bourdoncle,et al.  Abstract debugging of higher-order imperative languages , 1993, PLDI '93.

[64]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[65]  Andrea De Lucia,et al.  Program slicing: methods and applications , 2001, Proceedings First IEEE International Workshop on Source Code Analysis and Manipulation.

[66]  William Landi,et al.  Interprocedural aliasing in the presence of pointers , 1992 .

[67]  Alexander Aiken,et al.  Set Constraints: Results, Applications, and Future Directions , 1994, PPCP.

[68]  Raymond Lo,et al.  Effective Representation of Aliases and Indirect Memory Operations in SSA Form , 1996, CC.

[69]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[70]  Laurie J. Hendren,et al.  Extended SSA Numbering: Introducing SSA Properties to Language with Multi-level Pointers , 1998, CC.

[71]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to and side-effect analyses for Java , 2002, ISSTA '02.

[72]  Ron Cytron,et al.  Efficient accommodation of may-alias information in SSA form , 1993, PLDI '93.

[73]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[74]  David W. Binkley,et al.  Interprocedural slicing using dependence graphs , 1990, TOPL.

[75]  Alexander Aiken,et al.  Partial online cycle elimination in inclusion constraint graphs , 1998, PLDI.

[76]  Nevin Heintze,et al.  Set-based analysis of ML programs , 1994, LFP '94.

[77]  Olivier Tardieu,et al.  Ultra-fast aliasing analysis using CLA: a million lines of C code in a second , 2001, PLDI '01.

[78]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[79]  Mark Harman,et al.  Amorphous program slicing , 1997, Proceedings Fifth International Workshop on Program Comprehension. IWPC'97.

[80]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[81]  Susan Horwitz,et al.  Using static single assignment form to improve flow-insensitive pointer analysis , 1998, PLDI '98.

[82]  John T. Stasko,et al.  Visualization of test information to assist fault localization , 2002, ICSE '02.

[83]  Paul H. J. Kelly,et al.  A Dynamic Algorithm for Topologically Sorting Directed Acyclic Graphs , 2004, WEA.

[84]  Alexander Aiken,et al.  Type inclusion constraints and type inference , 1993, FPCA '93.

[85]  Manuvir Das,et al.  Unification-based pointer analysis with directional assignments , 2000, PLDI '00.

[86]  Incremental Computation of Static Single Assignment Form , 1996, CC.

[87]  Eljas Soisalon-Soininen,et al.  On Finding the Strongly Connected Components in a Directed Graph , 1994, Inf. Process. Lett..

[88]  Mark N. Wegman,et al.  An efficient method of computing static single assignment form , 1989, POPL '89.

[89]  Mark Harman,et al.  ConSIT: a conditioned program slicer , 2000, Proceedings 2000 International Conference on Software Maintenance.

[90]  Donglin Liang,et al.  Efficient points-to analysis for whole-program analysis , 1999, ESEC/FSE-7.

[91]  Jong-Deok Choi,et al.  Interprocedural pointer alias analysis , 1999, TOPL.

[92]  Robert Glück,et al.  Selected Papers from the International Seminar on Partial Evaluation , 1996 .