Towards Path-Sensitive Points-to Analysis

Points-to analysis is a static program analysis that determines the reference structure of dynamically allocated objects at compile time. It constitutes the basis for many analyses and optimizations in software engineering and compiler construction. Sparse program representations, such as the Whole Program Points-to Graph (WPP2G) and Points-to SSA (P2SSA), represent only the dataflow that is directly relevant for points-to analysis. They have proved to be practical in terms of analysis precision and efficiency. However, intra-procedural control flow information is removed from these representations, which sacrifices analysis precision to improve analysis performance. We show an approach for keeping control-flow-related information even in sparse program representations by representing control flow effects as operations on the data transferred, i.e., as dataflow information. These operations affect distinct paths of the program differently, thus yielding a certain degree of path-sensitivity. Our approach works with both WPP2G and P2SSA representations. We apply the approach to P2SSA-based, flow-sensitive points-to analysis and evaluate a context-insensitive and a context-sensitive variant. We assess our approach using abstract precision metrics. Moreover, we investigate the precision improvements and performance penalties when it is used as an input to three source-code-level analyses: dead code, cast safety, and null pointer analysis.
