Heap Abstractions for Static Analysis

Heap data is potentially unbounded and seemingly arbitrary. Hence, unlike stack and static data, heap data cannot be abstracted in terms of a fixed set of program variables. This makes it an interesting topic of study and there is an abundance of literature employing heap abstractions. Although most studies have addressed similar concerns, insights gained in one description of heap abstraction may not directly carry over to some other description. In our search of a unified theme, we view heap abstraction as consisting of two steps: (a) heap modelling, which is the process of representing a heap memory (i.e., an unbounded set of concrete locations) as a heap model (i.e., an unbounded set of abstract locations), and (b) summarization, which is the process of bounding the heap model by merging multiple abstract locations into summary locations. We classify the heap models as storeless, store based, and hybrid. We describe various summarization techniques based on k-limiting, allocation sites, patterns, variables, other generic instrumentation predicates, and higher-order logics. This approach allows us to compare the insights of a large number of seemingly dissimilar heap abstractions and also paves the way for creating new abstractions by mix and match of models and summarization techniques.

[1]  Ravichandhran Madhavan,et al.  Purity Analysis: An Abstract Interpretation Formulation , 2011, SAS.

[2]  Ondrej Lhoták,et al.  Pointer Analysis (Dagstuhl Seminar 13162) , 2013, Dagstuhl Reports.

[3]  Alexander Aiken,et al.  Introduction to Set Constraint-Based Program Analysis , 1999, Sci. Comput. Program..

[4]  Hanspeter Mössenböck,et al.  Escape analysis in the context of dynamic compilation and deoptimization , 2005, VEE '05.

[5]  Ahmed Bouajjani,et al.  Programs with lists are counter automata , 2011, Formal Methods Syst. Des..

[6]  Xin Zhang,et al.  Hybrid top-down and bottom-up interprocedural analysis , 2014, PLDI.

[7]  Stephen Chong,et al.  Static Analysis of Accessed Regions in Recursive Data Structures , 2003, SAS.

[8]  Sam Blackshear,et al.  Thresher: precise refutations for heap reachability , 2013, PLDI.

[9]  Michael Hind,et al.  Which pointer analysis should I use? , 2000, ISSTA '00.

[10]  Viktor Kuncak,et al.  Generalized Typestate Checking for Data Structure Consistency , 2005, VMCAI.

[11]  Alain Deutsch,et al.  Interprocedural may-alias analysis for pointers: beyond k-limiting , 1994, PLDI '94.

[12]  Chris Lattner,et al.  Data Structure Analysis: A Fast and Scalable Context-Sensitive Heap Analysis , 2003 .

[13]  Amey Karkare,et al.  Heap reference analysis using access graphs , 2006, ACM Trans. Program. Lang. Syst..

[14]  Thomas W. Reps,et al.  Recency-Abstraction for Heap-Allocated Storage , 2006, SAS.

[15]  Shrawan Kumar,et al.  Static program analysis of large embedded code base: an experience , 2011, ISEC.

[16]  Reinhard Wilhelm,et al.  Shape Analysis , 2000, CC.

[17]  Amer Diwan,et al.  On the usefulness of type and liveness accuracy for garbage collection and leak detection , 2002, TOPL.

[18]  Zachary Kincaid,et al.  Verification of parameterized concurrent programs by modular reasoning about data and control , 2012, POPL '12.

[19]  Sam Blackshear,et al.  Selective control-flow abstraction via jumping , 2015, OOPSLA.

[20]  Eran Yahav,et al.  Establishing local temporal heap safety properties with applications to compile-time memory management , 2003, Sci. Comput. Program..

[21]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[22]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[23]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[24]  Lawrence C. Paulson,et al.  Isabelle - A Generic Theorem Prover (with a contribution by T. Nipkow) , 1994, Lecture Notes in Computer Science.

[25]  Calvin Lin,et al.  Client-Driven Pointer Analysis , 2003, SAS.

[26]  Alexandru Nicolau,et al.  Parallelizing Programs with Recursive Data Structures , 1989, IEEE Trans. Parallel Distributed Syst..

[27]  Alexey Gotsman,et al.  Interprocedural Shape Analysis with Separated Heap Abstractions , 2006, SAS.

[28]  Thomas W. Reps,et al.  Shape Analysis and Applications , 2007, The Compiler Design Handbook, 2nd ed..

[29]  A. Deutsch,et al.  A storeless model of aliasing and its abstractions using finite representations of right-regular equivalence relations , 1992, Proceedings of the 1992 International Conference on Computer Languages.

[30]  Laurie J. Hendren,et al.  Putting pointer analysis to work , 1998, POPL '98.

[31]  Lawrence Charles Paulson,et al.  Isabelle: A Generic Theorem Prover , 1994 .

[32]  James R. Larus,et al.  Detecting conflicts between structure accesses , 1988, PLDI '88.

[33]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[34]  Uday P. Khedker,et al.  Flow and Context Sensitive Points-to Analysis using Higher Order Reachability , 2016, ArXiv.

[35]  Chris Hankin,et al.  Efficient field-sensitive pointer analysis of C , 2007, TOPL.

[36]  C. A. R. Hoare,et al.  An axiomatic basis for computer programming , 1969, CACM.

[37]  Priti Shankar,et al.  The Compiler Design Handbook: Optimizations and Machine Code Generation, Second Edition , 2007, The Compiler Design Handbook, 2nd ed..

[38]  Amey Karkare,et al.  Liveness-Based Garbage Collection , 2014, CC.

[39]  Raghavan Komondoor,et al.  Precise Slicing in Imperative Programs via Term-Rewriting and Abstract Interpretation , 2013, SAS.

[40]  Neil D. Jones,et al.  Flow analysis and optimization of LISP-like structures , 1979, POPL.

[41]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[42]  César Sánchez,et al.  Abstracting runtime heaps for program understanding , 2013, IEEE Transactions on Software Engineering.

[43]  Reinhard Wilhelm,et al.  A semantics for procedure local heaps and its abstractions , 2005, POPL '05.

[44]  Michael Rodeh,et al.  Detecting memory errors via static pointer analysis (preliminary experience) , 1998, PASTE '98.

[45]  Neil D. Jones,et al.  Termination Analysis of Higher-Order Functional Programs , 2005, APLAS.

[46]  Barbara G. Ryder,et al.  Data-flow analysis of program fragments , 1999, ESEC/FSE-7.

[47]  David A. Schmidt,et al.  Pointer analysis and separation logic , 2007 .

[48]  Amey Karkare,et al.  Liveness-based garbage collection for lazy languages , 2016, ISMM.

[49]  H. Rice Classes of recursively enumerable sets and their decision problems , 1953 .

[50]  Ravichandhran Madhavan,et al.  Null dereference verification via over-approximated weakest pre-conditions analysis , 2011, OOPSLA '11.

[51]  Susan Horwitz,et al.  The Effects of the Precision of Pointer Analysis , 1997, SAS.

[52]  Ben Hardekopf,et al.  Semi-sparse flow-sensitive pointer analysis , 2009, POPL '09.

[53]  Rafael Asenjo,et al.  Towards a Versatile Pointer Analysis Framework , 2006, Euro-Par.

[54]  Nils Klarlund,et al.  Graph types , 1993, POPL '93.

[55]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to and side-effect analyses for Java , 2002, ISSTA '02.

[56]  Laurie J. Hendren,et al.  Practical virtual method call resolution for Java , 2000, OOPSLA '00.

[57]  Supratik Chakraborty,et al.  Reasoning about Heap Manipulating Programs using Automata Techniques , 2012, Modern Applications of Automata Theory.

[58]  Marius Bozga,et al.  Storeless semantics and alias logic , 2003, PPoPP 2003.

[59]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[60]  Jong-Deok Choi,et al.  Interprocedural pointer alias analysis , 1999, TOPL.

[61]  Barbara G. Ryder Dimensions of Precision in Reference Analysis of Object-Oriented Programming Languages , 2003, CC.

[62]  Michael I. Schwartzbach,et al.  The pointer assertion logic engine , 2000, PLDI '01.

[63]  Roman Manevich,et al.  Combining Shape Analyses by Intersecting Abstractions , 2006, VMCAI.

[64]  Viktor Kuncak,et al.  Modular Pluggable Analyses for Data Structure Consistency , 2006, IEEE Transactions on Software Engineering.

[65]  Barnali Basak,et al.  Heap Dependence Analysis for Sequential Programs , 2011, PARCO.

[66]  Ondrej Lhoták,et al.  Points-to analysis using BDDs , 2003, PLDI '03.

[67]  Venkatesan T. Chakaravarthy New results on the computability and complexity of points--to analysis , 2003, POPL '03.

[68]  Flemming Nielson,et al.  International Workshop on Principles of Program Analysis , 1999 .

[69]  Ondrej Lhoták,et al.  In defense of soundiness , 2015, Commun. ACM.

[70]  Jianwen Zhu Symbolic pointer analysis , 2002, ICCAD 2002.

[71]  Mark N. Wegman,et al.  Analysis of pointers and structures , 1990, SIGP.

[72]  Alexandru Nicolau,et al.  Intererence analysis tools for parallelizing programs with recursive data structures , 1989, ICS '89.

[73]  Laurie J. Hendren,et al.  Is it a tree, a DAG, or a cyclic graph? A shape analysis for heap-directed pointers in C , 1996, POPL '96.

[74]  Rupesh Nasre,et al.  Scaling Context-Sensitive Points-To Analysis , 2012 .

[75]  Peter Thiemann,et al.  Precise Interprocedural Side-Effect Analysis , 2014, ICTAC.

[76]  Hong-Seok Kim,et al.  Importance of heap specialization in pointer analysis , 2004, PASTE '04.

[77]  Nils Klarlund,et al.  Automatic verification of pointer programs using monadic second-order logic , 1997, PLDI '97.

[78]  Ben Hardekopf,et al.  Flow-sensitive pointer analysis for millions of lines of code , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[79]  Priti Shankar,et al.  The Compiler Design Handbook: Optimizations and Machine Code Generation , 2002, The Compiler Design Handbook.

[80]  Markus Weinhardt,et al.  Interprocedural heap analysis for parallelizing imperative programs , 1993, Proceedings of Workshop on Programming Models for Massively Parallel Computers.

[81]  Viktor Kuncak,et al.  Hob: A Tool for Verifying Data Structure Consistency , 2005, CC.

[82]  David Hovemeyer,et al.  Evaluating and tuning a static analysis to find null pointer bugs , 2005, PASTE '05.

[83]  Mayur Naik,et al.  Scaling abstraction refinement via pruning , 2011, PLDI '11.

[84]  Ondrej Lhoták,et al.  Points-to analysis with efficient strong updates , 2011, POPL '11.

[85]  P KhedkerUday,et al.  Heap Abstractions for Static Analysis , 2016 .

[86]  Alan Mycroft,et al.  Liveness-Based Pointer Analysis , 2012, SAS.

[87]  Guang R. Gao,et al.  Designing the McCAT Compiler Based on a Family of Structured Intermediate Representations , 1992, LCPC.

[88]  Ondrej Lhoták,et al.  Pick your contexts well: understanding object-sensitivity , 2011, POPL '11.

[89]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[90]  Yannis Smaragdakis,et al.  Pointer Analysis , 2015, Found. Trends Program. Lang..

[91]  Thomas W. Reps,et al.  Putting static analysis to work for verification: A case study , 2000, ISSTA '00.

[92]  Peter W. O'Hearn,et al.  Compositional Shape Analysis by Means of Bi-Abduction , 2011, JACM.

[93]  Amer Diwan,et al.  Simple and effective analysis of statically-typed object-oriented programs , 1996, OOPSLA '96.

[94]  Thomas W. Reps,et al.  Program analysis via graph reachability , 1997, Inf. Softw. Technol..

[95]  Katsuro Inoue,et al.  Analysis of functional programs to detect run-time garbage cells , 1988, TOPL.

[96]  Monica S. Lam,et al.  Cloning-based context-sensitive pointer alias analysis using binary decision diagrams , 2004, PLDI '04.

[97]  Frédéric Vivien,et al.  Incrementalized pointer and escape analysis , 2001, PLDI '01.

[98]  Radhia Cousot Static analysis : 10th International Symposium, SAS 2003, San Diego, CA, USA, June 11-13, 2003 : proceedings , 2003 .

[99]  Rohan Padhye,et al.  Interprocedural data flow analysis in Soot using value contexts , 2013, SOAP '13.

[100]  Alexander Aiken,et al.  Saturn: A scalable framework for error detection using Boolean satisfiability , 2007, TOPL.

[101]  Susan Horwitz,et al.  Precise flow-insensitive may-alias analysis is NP-hard , 1997, TOPL.

[102]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[103]  Eran Yahav,et al.  Alias Analysis for Object-Oriented Programs , 2013, Aliasing in Object-Oriented Programming.

[104]  Atanas Rountev,et al.  Merging equivalent contexts for scalable heap-cloning-based context-sensitive points-to analysis , 2008, ISSTA '08.

[105]  Roberto Giacobazzi Static analysis : 11th International Symposium, SAS 2004, Verona, Italy, August 26-28, 2004 : proceedings , 2004 .

[106]  Barbara G. Ryder,et al.  Points-to analysis for Java using annotated constraints , 2001, OOPSLA '01.

[107]  Zhe Yang,et al.  Software validation via scalable path-sensitive value flow analysis , 2004, ISSTA '04.

[108]  Ondrej Lhoták,et al.  Scaling Java Points-to Analysis Using SPARK , 2003, CC.

[109]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[110]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[111]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[112]  Deepak D'Souza,et al.  Scalable Flow-Sensitive Pointer Analysis for Java with Strong Updates , 2012, ECOOP.

[113]  共立出版株式会社 コンピュータ・サイエンス : ACM computing surveys , 1978 .

[114]  Vivek Sarkar,et al.  Unified Analysis of Array and Object References in Strongly Typed Languages , 2000, SAS.

[115]  Barbara G. Ryder,et al.  A safe approximate algorithm for interprocedural aliasing , 1992, PLDI '92.

[116]  Reinhard Wilhelm,et al.  Solving shape-analysis problems in languages with destructive updating , 1998, TOPL.

[117]  Tarek S. Abdelrahman,et al.  Efficient bottom-up heap analysis for symbolic path-based data access summaries , 2012, CGO '12.