Speeding Up Dataflow Analysis Using Flow-Insensitive Pointer Analysis

In recent years, static analysis has increasingly been applied to the problem of program verification. Systems for program verification typically use precise and expensive interprocedural dataflow algorithms that are difficult to scale to large programs. An attractive way to scale these analyses is to use a preprocessing step to reduce the number of dataflow facts propagated by the analysis and/or the number of statements to be processed, before the dataflow analysis is run. This paper describes an approach that achieves this effect. We first run a scalable, control-flow-insensitive pointer analysis to produce a conservative representation of value flow in the program. We query the value flow representation at the program points where a dataflow solution is required, in order to obtain a conservative over-approximation of the dataflow facts and the statements that must be processed by the analysis. We then run the dataflow analysis on this "slice" of the program.We present experimental evidence in support of our approach by considering two client dataflow analyses for program verification: typestate analysis, and software model checking. We show that in both cases, our approach leads to dramatic speedups.

[1]  Olivier Tardieu,et al.  Ultra-fast aliasing analysis using CLA: a million lines of C code in a second , 2001, PLDI '01.

[2]  Barbara G. Ryder,et al.  Relevant context inference , 1999, POPL '99.

[3]  Erik Ruf Partitioning dataflow analyses using types , 1997, POPL '97.

[4]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[5]  Rajiv Gupta,et al.  Demand-driven computation of interprocedural data flow , 1995, POPL '95.

[6]  Mark N. Wegman,et al.  Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[7]  S LamMonica,et al.  Efficient context-sensitive pointer analysis for C programs , 1995 .

[8]  Manuvir Das,et al.  Unification-based pointer analysis with directional assignments , 2000, PLDI '00.

[9]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[10]  Sorin Lerner Path-Sensitive Program Veri cation in Polynomial Time , 2002 .

[11]  David W. Binkley,et al.  Interprocedural slicing using dependence graphs , 1988, SIGP.

[12]  Robert O'Callahan,et al.  Lackwit: A Program Understanding Tool Based on Type Inference , 1997, Proceedings of the (19th) International Conference on Software Engineering.

[13]  Monica S. Lam,et al.  Efficient context-sensitive pointer analysis for C programs , 1995, PLDI '95.

[14]  Thomas W. Reps,et al.  Demand interprocedural dataflow analysis , 1995, SIGSOFT FSE.

[15]  Jakob Rehof,et al.  Estimating the Impact of Scalable Pointer Analysis on Optimization , 2001, SAS.

[16]  Donglin Liang,et al.  Efficient points-to analysis for whole-program analysis , 1999, ESEC/FSE-7.

[17]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[18]  Wen-mei W. Hwu,et al.  Modular interprocedural pointer analysis using access paths: design, implementation, and evaluation , 2000, PLDI '00.

[19]  Barbara G. Ryder,et al.  Program decomposition for pointer aliasing: a step toward practical analyses , 1996, SIGSOFT '96.

[20]  Sriram K. Rajamani,et al.  Bebop: a path-sensitive interprocedural dataflow engine , 2001, PASTE '01.

[21]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[22]  Barbara G. Ryder,et al.  Data-flow analysis of program fragments , 1999, ESEC/FSE-7.

[23]  Robert E. Strom,et al.  Typestate: A programming language concept for enhancing software reliability , 1986, IEEE Transactions on Software Engineering.

[24]  Frank Tip,et al.  A survey of program slicing techniques , 1994, J. Program. Lang..