Unification-based Pointer Analysis without Oversharing

Pointer analysis is indispensable for effectively verifying heap-manipulating programs. Even though it has been studied extensively, there are no publicly available pointer analyses that are moderately precise while scalable to large real-world programs. In this paper, we show that existing context-sensitive unification-based pointer analyses suffer from the problem of oversharing – propagating too many abstract objects across the analysis of different procedures, which prevents them from scaling to large programs. We present a new pointer analysis for LLVM, called TEADSA, without such oversharing. We show how to further improve the precision and speed of TEADSA with extra contextual information, such as flow-sensitivity at call- and return-sites, and type information about memory accesses. We evaluate TEADSA on the verification problem of detecting unsafe memory accesses and compare it against two state-of-the-art pointer analyses: SVF and SEADSA. We show that TEADSA is one order of magnitude faster than either SVF or SEADSA, strictly more precise than SEADSA, and, surprisingly, sometimes more precise than SVF.
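As an added illustration of the unification-based (Steensgaard-style) analysis the abstract builds on, the following toy Python implementation is not code from the TEADSA paper, SeaDsa or SVF; all variable and object names in it are constructed. It shows the two effects a practitioner should keep in mind: unification merges the targets of pointers that are merely copied into each other (so `p` and `q` end up pointing to the same abstract node), and a single shared copy of a callee merges every object passed in at any call site, which a per-call-site clone of the callee avoids. The paper's notion of oversharing concerns what context-sensitive analyses propagate between procedure summaries; this toy only models the basic mechanism by which abstract objects become shared across procedures.

```python
"""Toy Steensgaard-style (unification-based) points-to analysis.

Added example for this page; not code from the TEADSA paper, SeaDsa or SVF.
Variable and object names are constructed for illustration.
"""


class UnionFind:
    """Union-find over abstract nodes (variables and their pointed-to nodes)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra
        return ra


class Steensgaard:
    """Every equivalence class of pointers has exactly one target class."""

    def __init__(self):
        self.uf = UnionFind()
        self.pts = {}  # class representative -> a member of its target class

    def target(self, v):
        r = self.uf.find(v)
        if r not in self.pts:
            self.pts[r] = f"*{r}"  # fresh abstract target node
        return self.uf.find(self.pts[r])

    def join(self, a, b):
        """Unify the classes of a and b and, recursively, their targets."""
        ra, rb = self.uf.find(a), self.uf.find(b)
        if ra == rb:
            return
        ta, tb = self.pts.pop(ra, None), self.pts.pop(rb, None)
        root = self.uf.union(ra, rb)
        if ta is not None:
            self.pts[root] = ta
            if tb is not None:
                self.join(ta, tb)  # merging targets is where precision is lost
        elif tb is not None:
            self.pts[root] = tb

    # Constraint forms of a C-like three-address program.
    def address_of(self, p, x):  # p = &x
        self.join(self.target(p), x)

    def copy(self, p, q):        # p = q
        self.join(self.target(p), self.target(q))

    def load(self, p, q):        # p = *q
        self.join(self.target(p), self.target(self.target(q)))

    def store(self, p, q):       # *p = q
        self.join(self.target(self.target(p)), self.target(q))

    def points_to(self, v, objects):
        """Named objects that share a class with v's target."""
        t = self.target(v)
        return {o for o in objects if self.uf.find(o) == t}


def analyze_intraprocedural():
    """p = &a; q = &b; r = p; r = q;  (inclusion-based would give p->{a}, q->{b})."""
    s = Steensgaard()
    s.address_of("p", "a")
    s.address_of("q", "b")
    s.copy("r", "p")
    s.copy("r", "q")
    return {v: s.points_to(v, {"a", "b"}) for v in ("p", "q", "r")}


def analyze_calls(context_sensitive):
    """y1 = id(&a); y2 = id(&b);  where  id(x) { return x; }

    Context-insensitive: one copy of the callee's nodes serves both call sites.
    Context-sensitive (toy): the callee's nodes are cloned per call site.
    """
    s = Steensgaard()
    for site, (y, obj) in enumerate((("y1", "a"), ("y2", "b"))):
        tag = f"@{site}" if context_sensitive else ""
        x, ret, tmp = "id.x" + tag, "id.ret" + tag, f"tmp{site}"
        s.address_of(tmp, obj)  # tmp = &obj
        s.copy(x, tmp)          # parameter passing: x = tmp
        s.copy(ret, x)          # return x
        s.copy(y, ret)          # y = id(...)
    return {v: s.points_to(v, {"a", "b"}) for v in ("y1", "y2")}


if __name__ == "__main__":
    print("intraprocedural:", analyze_intraprocedural())
    print("shared callee:  ", analyze_calls(context_sensitive=False))
    print("cloned callee:  ", analyze_calls(context_sensitive=True))
```

Running the block shows that in the shared-callee case both `y1` and `y2` point to `{a, b}`: the objects `a` and `b` have become one abstract node, so any later access through either pointer is reported as possibly touching both, which is exactly the kind of spurious alias that inflates verification conditions for unsafe-memory-access checks. Cloning the callee per call site keeps `y1 -> {a}` and `y2 -> {b}` at the cost of more nodes, which is the scalability trade-off the abstract is about.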
