Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Background
Alias Analysis
Overview
Experimental Evaluation
Related Work
Conclusion
References
All Topics
Computer Science

Precise Null Pointer Analysis Through Global Value Numbering

Profile image of Ankush DasAnkush Das

2017, Automated Technology for Verification and Analysis

https://doi.org/10.1007/978-3-319-68167-2_2
visibility

description

17 pages

link

1 file

Abstract

Precise analysis of pointer information plays an important role in many static analysis tools. The precision, however, must be balanced against the scalability of the analysis. This paper focusses on improving the precision of standard context and flow insensitive alias analysis algorithms at a low scalability cost. In particular, we present a semantics-preserving program transformation that drastically improves the precision of existing analyses when deciding if a pointer can alias Null. Our program transformation is based on Global Value Numbering, a scheme inspired from compiler optimization literature. It allows even a flow-insensitive analysis to make use of branch conditions such as checking if a pointer is Null and gain precision. We perform experiments on real-world code and show that the transformation improves precision (in terms of the number of dereferences proved safe) from 86.56% to 98.05%, while incurring a small overhead in the running time.

Related papers

SafeType: detecting type violations for type‐basedalias analysis of C
José Amaral

Software: Practice and Experience, 2015

SummaryTo improve the ability of compilers to determine alias relations in a program, the C standard restricts the types of expressions that may access objects in memory. In practice, however, many existing C programs do not conform to these restrictions, making type‐based alias analysis unsound for those programs. As a result, type‐based alias analysis is frequently disabled. Existing approaches for verifying type safety exist within larger frameworks designed to verify overall memory safety, requiring both static analysis and runtime checks. This paper describes the motivation for analyzing the safety of type‐based alias analysis independently; presents SafeType, a purely static approach to detection of violations of the C standard's restrictions on memory accesses; describes an implementation of SafeType in the IBM XL C compiler, with flow‐sensitive and context‐sensitive queries to handle variables with type void *; evaluates that implementation, showing that it scales to pro...

View PDFchevron_right
Precision-preserving yet fast object-sensitive pointer analysis with partial context sensitivity
Jingling Xue

Proceedings of the ACM on programming languages, 2019

Object-sensitivity is widely used as a context abstraction for computing the points-to information contextsensitively for object-oriented languages like Java. Due to the combinatorial explosion of contexts in large programs, k-object-sensitive pointer analysis (under k-limiting), denoted k-obj, is scalable only for small values of k, where k ⩽ 2 typically. A few recent solutions attempt to improve its efficiency by instructing k-obj to analyze only some methods in the program context-sensitively, determined heuristically by a preanalysis. While already effective, these heuristics-based pre-analyses do not provide precision guarantees, and consequently, are limited in the efficiency gains achieved. We introduce a radically different approach, Eagle, that makes k-obj run significantly faster than the prior art while maintaining its precision. The novelty of Eagle is to enable k-obj to analyze a method with partial context-sensitivity, i.e., context-sensitively for only some of its selected variables/allocation sites. Eagle makes these selections during a lightweight pre-analysis by reasoning about context-free-language (CFL) reachability at the level of variables/objects in the program, based on a new CFL-reachability formulation of k-obj. We demonstrate the advances made by Eagle by comparing it with the prior art in terms of a set of popular Java benchmarks and applications. CCS Concepts: • Theory of computation → Program analysis.

View PDFchevron_right
Total Pasta: Static Analysis For Unfailing Pointer Programs
Neil Mitchell

Abstract Most errors in computer programs are only found once they are run, which results in critical errors being missed due to inadequate testing. If additional static analysis is performed, then the possibility exists for detecting such errors, and correcting them. This helps to improve the quality of the resulting code, increasing reliability.

View PDFchevron_right
Alias Analysis for Object-Oriented Programs
Julian Dolby

Lecture Notes in Computer Science, 2013

We present a high-level survey of state-of-the-art alias analyses for object-oriented programs, based on a years-long effort developing industrial-strength static analyses for Java. We first present common variants of points-to analysis, including a discussion of key implementation techniques. We then describe flow-sensitive techniques based on tracking of access paths, which can yield greater precision for certain clients. We also discuss how whole-program alias analysis has become less useful for modern Java programs, due to increasing use of reflection in libraries and frameworks. We have found that for real-world programs, an under-approximate alias analysis based on access-path tracking often provides the best results for a variety of practical clients. 2 Motivating Analyses Many program analyses for object-oriented languages rely on an effective alias analysis. Here we illustrate a number of alias analysis concerns in the context of an analysis for detecting resource leaks in Java programs, and discuss how these concerns also pertain to other analyses. 2.1 Resource Leaks 1 public void test(File file, String enc) throws IOException { 2

View PDFchevron_right
Speculative alias analysis for executable code
Manel Fernandez

Proceedings.International Conference on Parallel Architectures and Compilation Techniques, 2002

Optimizations performed at link time or directly applied to final program executables have received increased attention in recent years. Such low-level optimizations can benefit greatly from pointer alias information. However, as almost all existing alias analyses are formulated in terms of source language constructs, they turn out to be of limited utility at the machine code level. This paper describes two different approaches to highquality, low-cost, speculative may-alias analysis, to be applied in the context of link-time or executable code optimizers. The key idea behind our proposals is the introduction of unsafe speculations at analysis-time, which increases alias precision on important portions of code, and keeps the analysis reasonably cost-efficient. Experimental results indicate that introducing speculation at analysis-time is clearly beneficial: precision increases up to 83% in average, against a baseline precision of 16%. Furthermore, the percentage of dynamic misspeculations is typically about 2%, which shows that our technique can be used even for scenarios where speculation recovery is expensive.

View PDFchevron_right
srcPtr: A Framework for Implementing Static Pointer Analysis Approaches
Michael L Collard

2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC)

A lightweight pointer-analysis framework, srcPtr, is presented to support the implementation and comparison of points-to analysis algorithms. It differentiates itself from existing tools by performing the analysis directly on the abstract syntax tree, as opposed to an intermediate representation (e.g., LLVM IR), by using srcML, an XML representation of source code. Working with srcML and the abstract syntax allows easy access to the actual source code as the programmer views it, thus better supporting comprehension. Currently the framework provides example implementations for both Andersen's and Steensgaard's pointer-analysis algorithms. It also allows for easy integration of other points-to algorithms for comparison of accuracy/speed. The approach is very scalable and can generate pointer dependencies for a 750 KLOC program in less than a minute.

View PDFchevron_right
Compile Time Elimination of Null- and Bounds-Checks
Wolfram Amme

SafeTSA is a new type safe intermediate representation for mobile code based on static single assignment form. We developed SafeTSA as an alternative to the Java Virtual Machine. Programs in SafeTSA contain explicit null-and bounds-check instructions, allowing their elimination. Type safety is maintained by enforcing the use of only null-and bounds-checked values in dereference and index operations. Currently, our compiler produces SafeTSA code from programs written in Java. As a proof of concept we implemented constant propagation, dead code elimination, and common subexpression elimination. These opimizations resulted in the elimination of, on average, 30% of the null-checks and 17% of the bounds-checks. 3rd Workshop on Feedback-Directed and Dynamic Optimization (FDDO-3). Monterey, California. December 2000.

View PDFchevron_right
Lazy Pointer Analysis
Uday Khedker

Flow-and context-sensitive pointer analysis is generally considered too expensive for large programs; most tools relax one or both of the requirements for scalability. We formulate a flow-and context-sensitive points-to analysis that is lazy in the following sense: points-to information is computed only for live pointers and its propagation is sparse (restricted to live ranges of respective pointers). Our analysis also: (i) uses strong liveness, effectively including dead code elimination; (ii) afterwards calculates must-points-to information from may-points-to information instead of using a mutual fixed-point; (iii) uses valuebased termination of call strings during interprocedural analysis (which reduces the number of call strings significantly). A naive implementation of our analysis within GCC-4.6.0 gave analysis time and size of points-to measurements for SPEC2006. Using liveness reduced the amount of points-to information by an order of magnitude with no loss of precision. For all programs under 30kLoC we found that the results were much more precise than gcc's analysis. What comes as a pleasant surprise however, is the fact that below this cross-over point, our naive linked-list implementation is faster than a flow-and context-insensitive analysis which is primarily used for efficiency. We speculate that lazy flow-and context-sensitive analyses may be not only more precise, but also more efficient, than current approaches.

View PDFchevron_right
General flow-sensitive pointer analysis and call graph construction
Judit Jasz

2005

Pointer analysis is a well known, widely used and very important static program analyzing technique. After having studied the literature in this field of research we found that most of the methods approach the problem in a flow-insensitive way, i.e. they omit the use of the control-flow information. Our goal was to develop a technique that is flow-sensitive and can be used in the analysis of large programs. During this process we have found that our method can give more accurate results if we build the call graph and compute the pointer information at the same time. In this paper we present two of our algorithms for pointer analysis and give some examples to help their comprehension. In the future these algorithms are planed to form the basis of a flow-and context-sensitive method used in the impact analysis of real life applications.

View PDFchevron_right
Understanding Uncertainty in Static Pointer Analysis
Constantino Ribeiro

2009

For programs that make extensive use of pointers, pointer analysis is often critical for the effectiveness of optimising compilers and tools for reasoning about program behaviour and correctness. Static pointer analysis has been extensively studied and several algorithms have been proposed, but these only provide approximate solutions. As such inaccuracy may hinder further optimisations, it is important to understand how short these algorithms come of providing accurate information about the points-to relations. This thesis attempts to quantify the amount of uncertainty of the points-to relations that remains after a state-of-the-art contextand flow-sensitive pointer analysis algorithm is applied to a collection of programs from two well-known benchmark suites: SPEC integer and MediaBench. This remaining static uncertainty is then compared to the run-time behaviour. Unlike previous work that compared run-time behaviour against less accurate contextand flow-insensitive algorithms, th...

View PDFchevron_right

References (29)

  1. Andersen, L.O.: Program analysis and specialization for the C programming lan- guage. Ph.D. thesis, DIKU, University of Copenhagen, May 1994
  2. Barnett, M., Qadeer, S.: BCT: A translator from MSIL to Boogie. In: Sev- enth Workshop on Bytecode Semantics, Verification, Analysis and Transformation (2012)
  3. Choi, J.D., Burke, M., Carini, P.: Efficient flow-sensitive interprocedural compu- tation of pointer-induced aliases and side effects. In: Principles of Programming Languages, pp. 232-245 (1993)
  4. Cocke, J.: Global common subexpression elimination. In: Proceedings of a Sympo- sium on Compiler Optimization, pp. 20-24. ACM, New York (1970)
  5. Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. ACM Trans. Program. Lang. Syst. 13(4), 451-490 (1991)
  6. Das, A., Lahiri, S.K., Lal, A., Li, Y.: Angelic verification: precise verification mod- ulo unknowns. In: Kroening, D., Pȃsȃreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 324-342. Springer, Cham (2015). doi:10.1007/978-3-319-21690-4 19
  7. Das, A., Lal, A.: Precise null pointer analysis through global value numbering. CoRR abs/1702.05807 (2017). http://arxiv.org/abs/1702.05807
  8. De, A., D'Souza, D.: Scalable flow-sensitive pointer analysis for java with strong updates. In: Noble, J. (ed.) ECOOP 2012. LNCS, vol. 7313, pp. 665-687. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31057-7 29
  9. Fink, S.J., Yahav, E., Dor, N., Ramalingam, G., Geay, E.: Effective typestate verification in the presence of aliasing. ACM Trans. Softw. Eng. Methodol. 17(2), 9:1-9:34 (2008)
  10. Gulwani, S., Necula, G.C.: Global value numbering using random interpretation. In: Principles of Programming Languages, POPL, pp. 342-352 (2004)
  11. Hardekopf, B., Lin, C.: Flow-sensitive pointer analysis for millions of lines of code. In: Code Generation and Optimization (CGO), pp. 289-298 (2011)
  12. Hasti, R., Horwitz, S.: Using static single assignment form to improve flow- insensitive pointer analysis. In: Programming Language Design and Implemen- tation (PLDI), pp. 97-105 (1998)
  13. Heintze, N., Tardieu, O.: Demand-driven pointer analysis. In: Programming Lan- guage Design and Implementation (PLDI), pp. 24-34 (2001)
  14. Horwitz, S.: Precise flow-insensitive may-alias analysis is NP-Hard. ACM Trans. Program. Lang. Syst. 19(1), 1-6 (1997)
  15. Jones, N.D., Muchnick, S.S.: A flexible approach to interprocedural data flow analy- sis and programs with recursive data structures. In: Principles of Programming Languages (POPL), pp. 66-74 (1982)
  16. Kildall, G.A.: A unified approach to global program optimization. In: Principles of Programming Languages, pp. 194-206 (1973)
  17. Lal, A., Qadeer, S.: Powering the static driver verifier using corral. In: Foundations of Software Engineering, pp. 202-212 (2014)
  18. Landi, W., Ryder, B.G.: A safe approximate algorithm for interprocedural pointer aliasing. SIGPLAN Not. 39(4), 473-489 (2004)
  19. Leino, K.R.M.: This is boogie 2 (2008). https://github.com/boogie-org/boogie
  20. Lerch, J., Spth, J., Bodden, E., Mezini, M.: Access-path abstraction: scaling field- sensitive data-flow analysis with unbounded access paths (t). In: Automated Soft- ware Engineering (ASE), pp. 619-629 (2015)
  21. Lhoták, O., Hendren, L.: Evaluating the benefits of context-sensitive points-to analysis using a bdd-based implementation. ACM Trans. Softw. Eng. Methodol. (TOSEM) 18(1), 3 (2008)
  22. Microsoft: Static driver verifier. http://msdn.microsoft.com/en-us/library/ windows/hardware/ff552808(v=vs.85).aspx
  23. Rakamarić, Z., Emmi, M.: SMACK: decoupling source language details from veri- fier implementations. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 106-113. Springer, Cham (2014). doi:10.1007/978-3-319-08867-9 7
  24. Ramalingam, G.: The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16(5), 1467-1471 (1994)
  25. Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis, pp. 189-234. Prentice-Hall, Englewood Cliffs, NJ (1981). Chap. 7
  26. Sridharan, M., Chandra, S., Dolby, J., Fink, S.J., Yahav, E.: Alias analysis for object-oriented programs. In: Clarke, D., Noble, J., Wrigstad, T. (eds.) Aliasing in Object-Oriented Programming. Types, Analysis and Verification. LNCS, vol. 7850, pp. 196-232. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36946-9 8
  27. Steensgaard, B.: Points-to analysis in almost linear time. In: Principles of Pro- gramming Languages (POPL), pp. 32-41. ACM, New York (1996)
  28. Whaley, J., Lam, M.S.: An efficient inclusion-based points-to analysis for strictly- typed languages. In: Static Analysis Symposium, pp. 180-195 (2002)
  29. Zheng, X., Rugina, R.: Demand-driven alias analysis for c. In: Proceedings of the 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2008, pp. 197-208. ACM, New York (2008)

Related papers

Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects
Michael Burke

Proceedings of the 20th ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '93, 1993

We present practical approximation methods for computing interprocedural aliases and side effects for a program written in a language that includes pointers, reference parameters and recursion. We present the following results: 1) An algorithm for flow-senwtzve interprocedural alias analysis which is more precise and efficient than the best interprocedural method known. 2) An extension of traditional flow-insensztzve alias analysis which accommodates pointers and provides a framework for a family of algorithms which trade off precision for efficiency. 3) An algorithm which correctly computes side effects in the presence of pointers. Pointers cannot be correctly handled by conventional methods for side effect analysis. 4) An alias naming technique which handles dynamically allocated objects and guarantees the correctness of data-flow analysis. 5) A compact representation based on transitive reduction which does not result in a loss of precision and improves precision in some cases. 6) A method for intraprocedural alias analysis which is based on a sparse represent ation.

View PDFchevron_right
AutoAlias: Automatic Variable-Precision Alias Analysis for Object-Oriented Programs
Bertrand Meyer

SN Computer Science, 2019

The aliasing question (can two reference expressions point, during an execution, to the same object?) is both one of the most critical in practice, for applications ranging from compiler optimization to programmer verification, and one of the most heavily researched, with many hundreds of publications over several decades. One might then expect that good off-the-shelf solutions are widely available, ready to be plugged into a compiler or verifier. This is not the case. In practice, efficient and precise alias analysis remains an open problem. We present a practical tool, AutoAlias, which can be used to perform automatic alias analysis for object-oriented programs. Based on the theory of "duality semantics", an application of Abstract Interpretation ideas, it is directed at object-oriented languages and has been implemented for Eiffel as an addition to the EiffelStudio environment. It offers variable-precision analysis, controllable through the choice of a constant that governs the number of fixpoint iterations: a higher number means better precision and higher computation time. All the source code of AutoAlias, as well as detailed results of analyses reported in this article, are publicly available. Practical applications so far have covered a library of data structures and algorithms and a library for GUI creation. For the former, AutoAlias achieves a precision appropriate for practical purposes and execution times in the order of 25 s for about 8000 lines of intricate code. For the GUI library, AutoAlias produces the alias analysis in around 232 s for about 150,000 lines of intricate code.

View PDFchevron_right
An incremental flow- and context-sensitive pointer aliasing analysis
Jyh-shiarn Yur

1999

Pointer aliasing analysis is used to determine if two object names containing dereferences and/or field selectors, (e.g., *p,q->t), may refer to the same location during execution. Such information is necessary for applications such as dataflow-based testers, program understanding tools, and debuggers, but is expensive to calculate with acceptable precision. Incremental algorithms update data flow information after a program change rather than recomputing it from scratch, under the assumption that the change impact will be limited. Two versions of a practical incremental pointer aliaaing algorithm have been developed, based on Land&Ryder flow-and context-sensitive alias analysis. Empirical results attest to the time savings over exhaustive analysis (a six-fold speedup on average), and the precision of the approximate solution obtained (on average same solution as exhaustive algorithm for 75% of the tests.) Keywords Interprocedural pointer al&zing, incremental analysis, interprocedural side effect analysis.

View PDFchevron_right
Type-based alias analysis
Eliot Moss

1998

This paper evaluates three alias analyses based on programming language types. The first analysis uses type compatibility to determine aliases. The second extends the first by using additional high-level information such as field names. The third extends the second with a flow-insensitive analysis. Although other researchers suggests using types to disambiguate memory references, none evaluates its effectiveness. We perform both static and dynamic evaluations of type-based alias analyses for Modula-3, a statically-typed type-safe language. The static analysis reveals that type compatibility alone yields a very imprecise alias analysis, but the other two analyses significantly improve alias precision. We use redundant load elimination (RLE) to demonstrate the effectiveness of the three alias algorithms in terms of the opportunities for optimization, the impact on simulated execution times, and to compute an upper bound on what a perfect alias analysis would yield. We show modest dynamic improvements for (RLE), and more surprisingly, that on average our alias analysis is within 2.5% of a perfect alias analysis with respect to RLE on 8 Modula-3 programs. These results illustrate that to explore thoroughly the effectiveness of alias analyses, researchers need static, dynamic, and upper-bound analysis. In addition, we show that for type-safe languages like Modula-3 and Java, a fast and simple alias analysis may be sufficient for many applications.

View PDFchevron_right
Speeding Up Dataflow Analysis Using Flow-Insensitive Pointer Analysis
Mark Seigle

Lecture Notes in Computer Science, 2002

In recent years, static analysis has increasingly been applied to the problem of program verification. Systems for program verification typically use precise and expensive interprocedural dataflow algorithms that are difficult to scale to large programs. An attractive way to scale these analyses is to use a preprocessing step to reduce the number of dataflow facts propagated by the analysis and/or the number of statements to be processed, before the dataflow analysis is run. This paper describes an approach that achieves this effect. We first run a scalable, control-flow-insensitive pointer analysis to produce a conservative representation of value flow in the program. We query the value flow representation at the program points where a dataflow solution is required, in order to obtain a conservative over-approximation of the dataflow facts and the statements that must be processed by the analysis. We then run the dataflow analysis on this "slice" of the program. We present experimental evidence in support of our approach by considering two client dataflow analyses for program verification: typestate analysis, and software model checking. We show that in both cases, our approach leads to dramatic speedups.

View PDFchevron_right

Related topics

  • Computer Science
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved