An algorithmic mitigation of large spurious interprocedural cycles in static analysis

We present a simple algorithmic extension of the approximate call-strings approach to mitigate the substantial performance degradation caused by spurious interprocedural cycles. In a realistic setting, spurious interprocedural cycles are the key reason why approximate call-return semantics, in both context-sensitive and context-insensitive static analysis, can make the analysis much slower than expected. In approximate call-strings-based context-sensitive static analysis the number of distinguished contexts is finite, so multiple call-contexts are inevitably joined at the entry of a procedure and the output at the exit is propagated to multiple return-sites. We found that these multiple returns frequently create a single large cycle (we call it a 'butterfly cycle') covering almost all parts of the program, and such a spurious cycle makes analyses very slow and inaccurate. Our simple algorithmic technique, applied within the fixpoint iteration algorithm, identifies and prunes these spurious interprocedural flows. The technique's effectiveness is demonstrated by experiments with a realistic C analyzer, in which it reduces the analysis time by 7–96%. Because the technique is algorithmic, it can be applied easily to existing analyses without changing the underlying abstract semantics, it is orthogonal to the context-sensitivity of the underlying abstract semantics, and its correctness is obvious. Copyright © 2010 John Wiley & Sons, Ltd.
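To make the mechanism concrete, the following added example (written for this page; it is not code from the paper or from its C analyzer) runs a context-insensitive (k = 0 call-strings) constant propagation over a constructed supergraph in which a procedure f is called three times: twice from main and once from a procedure g. Because f has a single entry and a single exit, the return edges from exit_f fan out to all three return sites, and the nodes that are both forward-reachable from exit_f and backward-reachable to entry_f (computed by butterfly()) form one cycle through 13 of the 21 nodes. The classic worklist pushes the first exit value of f into g and into the tail of main before those parts have been reached, and recomputes them once the joined entry state arrives. The pruned variant applies one rule, which is an assumption of this example and not a claim about the paper's exact algorithm: an exit propagates only along return edges whose call site has already been reached (its value is not bottom), and a call site that finds the callee's exit already evaluated re-queues that exit so its own return site is served. Both variants converge to the same k = 0 result; only the number of node evaluations differs. The program, the node names, and the identifiers NODES, analyze and butterfly are all constructed for this example.

```python
"""k=0 constant propagation over a toy interprocedural CFG: exit->all-return-sites
propagation versus return edges pruned to call sites already reached.
Constructed example; not the paper's analyzer."""
import heapq

TOP = "TOP"  # lattice for the single variable x: None (unreachable) < int < TOP

def join(a, b):
    if a is None:
        return b
    if b is None or a == b:
        return a
    return TOP

def transfer(kind, arg, v):
    if v is None or v == TOP or kind not in ("add", "mul"):
        return v
    return v + arg if kind == "add" else v * arg

# Constructed program:  main: x=1; f(); x+=1; x+=1; f(); x+=1; x+=1; g(); x+=1
#                       f:    x*=10          g: f(); x+=1
NODES = {
    "entry_main": ("nop", None), "c1": ("call", "f"), "r1": ("nop", None),
    "a1": ("add", 1), "a2": ("add", 1), "c2": ("call", "f"), "r2": ("nop", None),
    "b1": ("add", 1), "b2": ("add", 1), "c4": ("call", "g"), "r4": ("nop", None),
    "d1": ("add", 1), "exit_main": ("nop", None),
    "entry_f": ("nop", None), "f1": ("mul", 10), "exit_f": ("nop", None),
    "entry_g": ("nop", None), "c3": ("call", "f"), "r3": ("nop", None),
    "g1": ("add", 1), "exit_g": ("nop", None),
}
INTRA = {  # intraprocedural edges; a call node flows only into its callee
    "entry_main": ["c1"], "r1": ["a1"], "a1": ["a2"], "a2": ["c2"], "r2": ["b1"],
    "b1": ["b2"], "b2": ["c4"], "r4": ["d1"], "d1": ["exit_main"],
    "entry_f": ["f1"], "f1": ["exit_f"], "entry_g": ["c3"], "r3": ["g1"], "g1": ["exit_g"],
}
RETURN_SITE = {"c1": "r1", "c2": "r2", "c3": "r3", "c4": "r4"}
PROC_OF_EXIT = {"exit_main": "main", "exit_f": "f", "exit_g": "g"}
CALLERS = {p: [c for c, (k, a) in NODES.items() if k == "call" and a == p] for p in ("f", "g")}

def successors(n):
    kind, arg = NODES[n]
    if kind == "call":
        return ["entry_" + arg]
    if n in PROC_OF_EXIT:  # k=0: one exit node returns to every call site of the procedure
        return [RETURN_SITE[c] for c in CALLERS.get(PROC_OF_EXIT[n], [])]
    return INTRA.get(n, [])

def rpo_index():
    """Reverse postorder of the full supergraph, used as the worklist priority."""
    seen, post = set(), []
    def dfs(n):
        seen.add(n)
        for s in successors(n):
            if s not in seen:
                dfs(s)
        post.append(n)
    dfs("entry_main")
    return {n: i for i, n in enumerate(reversed(post))}

def analyze(prune):
    """Worklist fixpoint; returns (values per node, number of node evaluations).
    prune=True: an exit propagates only to return sites whose call site is already
    reached, and a call that finds the callee's exit evaluated re-queues that exit."""
    prio = rpo_index()
    val = {n: None for n in NODES}
    val["entry_main"] = 1  # constructed precondition: x == 1 on entry to main
    heap, queued = [(prio["entry_main"], "entry_main")], {"entry_main"}
    def push(n):
        if n not in queued:
            queued.add(n)
            heapq.heappush(heap, (prio[n], n))
    evals = 0
    while heap:
        _, n = heapq.heappop(heap)
        queued.discard(n)
        evals += 1
        kind, arg = NODES[n]
        out = transfer(kind, arg, val[n])
        targets = successors(n)
        if prune and n in PROC_OF_EXIT:
            targets = [RETURN_SITE[c] for c in CALLERS.get(PROC_OF_EXIT[n], []) if val[c] is not None]
        for s in targets:
            new = join(val[s], out)
            if new != val[s]:
                val[s] = new
                push(s)
        if prune and kind == "call" and val["exit_" + arg] is not None:
            push("exit_" + arg)  # serve this call's return site with the existing exit value
    return val, evals

def butterfly(proc="f"):
    """Nodes on a cycle through proc in the k=0 supergraph: forward-reachable from
    its exit and backward-reachable to its entry."""
    preds = {n: [] for n in NODES}
    for n in NODES:
        for s in successors(n):
            preds[s].append(n)
    def reach(start, edges):
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(edges(n))
        return seen
    return reach("exit_" + proc, successors) & reach("entry_" + proc, lambda n: preds[n])

if __name__ == "__main__":
    v_all, n_all = analyze(prune=False)
    v_pr, n_pr = analyze(prune=True)
    print("cycle through f covers", len(butterfly()), "of", len(NODES), "nodes")
    print("evaluations: exit->all returns", n_all, "| pruned returns", n_pr)
    print("same k=0 result:", v_all == v_pr, "| x at exit of main:", v_all["exit_main"])
```

The worklist is ordered by reverse postorder of the supergraph, as a WTO-style iteration would order it; in this graph that order visits g's body and main's tail before main's second call, so the unpruned run evaluates those regions on the first, soon superseded, exit value of f. The pruning touches neither the graph nor the transfer functions, which is why the two runs agree on every node.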
