Flow and Context Sensitive Points-to Analysis using Higher Order Reachability

Bottom-up interprocedural methods construct summary flow functions for procedures to represent their calls. These methods have been used effectively for many analyses, but not for flow and context sensitive points-to analysis, which requires representing indirect accesses of pointees defined in the callers. This is conventionally handled by using placeholders that explicate the unknown locations, resulting in either a large number of placeholders or multiple call-specific summary flow functions for a procedure. We propose a bounded representation of summary flow functions for may points-to analysis called the higher order reachability graph (HRG). Conventional graph reachability based program analyses relate variables but not their pointees, whereas HRGs relate the (transitively indirect) pointees of a variable with those of another variable in terms of indirection levels. A simple arithmetic on indirection levels allows unknown locations to be left implicit and is sufficient to relate the indirect pointees defined in the callers, obviating the need for placeholders. Thus we construct a single summary flow function (HRG) per procedure, which is bounded by the number of variables, is flow sensitive, and performs strong updates in the calling contexts. Our empirical measurements on SPEC benchmarks show that most summary flow functions are compact and are used multiple times. We have been able to scale flow and context sensitive points-to analysis to 158 kLoC using HRGs. Thus, this is a promising direction for further investigations into the efficiency and scalability of points-to analysis without compromising on precision.
