Refinement-Based Context-Sensitive Points-To Analysis for Java
Soonho Kong, 17 January
Work of Manu Sridharan and Rastislav Bodik, UC Berkeley
What Is It?
- A scalable and precise context-sensitive points-to analysis
Scalability: Time and Memory
- Average query time less than 1 second
  – Interactive performance (suitable for an IDE)
  – At most 13 minutes for casts
- Low memory usage: at most 35 MB
  – Compare with more than 2 GB for the 1-ObjSens analysis
Precision: Cast Checking
- Proved 61% more casts
Approach
- Scalable
  – Demand-driven: only do the requested work
  – Client-driven refinement: stop when the client is satisfied
- Precision
  – Filter out unrealizable paths
Points-To Analysis as CFL Reachability
- Program = Graph
  – Node: variable or abstract location
  – Edge: assignment
  – o -> … -> x : "x may point to o"
- Compute reachability with two filters
  – Language of balanced call parens
  – Language of balanced field parens
Points-To Analysis as CFL Reachability (example)
1) Assignments
     x = new Obj(); // o1
     y = new Obj(); // o2
     z = x;
2) Method calls
     id(p) { return p; }
     a = id(x);
     b = id(y);
3) Heap accesses
     c.f = x;
     c.g = y;
     d = c.f;
pt(x) = { o | o flowsTo x }
[Figure: the graph built from these snippets, with nodes o1, o2, x, y, z, a, b, p, ret, c, d; call edges labelled (1 )1 (2 )2 and field edges labelled [f [g ]f]
Three versions of flowsTo are shown: path exists; balanced call parens; balanced call and field parens.
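The three flowsTo relations on this slide, computed over the slide's own graph, as an added example (not code from the paper or its implementation). It assumes the slide's simplification that the store and the load use the same base variable c, so no alias edges are needed; a close call paren with nothing open is accepted, since a path may start inside a callee, while field parens must be exactly matched.

```python
from collections import defaultdict

# Constructed graph for the three snippets on the slide (not code from the paper):
#   x = new Obj(); // o1      y = new Obj(); // o2      z = x;
#   id(p) { return p; }       a = id(x); // call site 1   b = id(y); // call site 2
#   c.f = x; c.g = y; d = c.f;   (same base variable c, so no alias edges are needed)
# Edge labels: "new" / "assign" carry no paren; ("(", i) / (")", i) are call parens
# of call site i; ("[", f) / ("]", f) are field parens for a store / load of field f.
EDGES = [
    ("o1", "new", "x"), ("o2", "new", "y"), ("x", "assign", "z"),
    ("x", ("(", 1), "p"), ("y", ("(", 2), "p"), ("p", "assign", "ret"),
    ("ret", (")", 1), "a"), ("ret", (")", 2), "b"),
    ("x", ("[", "f"), "c"), ("y", ("[", "g"), "c"), ("c", ("]", "f"), "d"),
]

def points_to(var, check_calls=True, check_fields=True, edges=EDGES):
    """pt(var) = { o | o flowsTo var } with the chosen paren filters enabled."""
    succ = defaultdict(list)
    for src, lab, dst in edges:
        succ[src].append((lab, dst))
    result = set()
    for obj in {src for src, lab, _ in edges if lab == "new"}:
        # DFS state: (node, open call parens, open field parens); tuples so states hash
        work, seen = [(obj, (), ())], set()
        while work:
            state = work.pop()
            if state in seen:
                continue
            seen.add(state)
            node, calls, fields = state
            # field parens must be fully balanced at the target; an open call paren may
            # remain, because the path may end inside a callee (e.g. at parameter p)
            if node == var and not (check_fields and fields):
                result.add(obj)
            for lab, dst in succ[node]:
                nc, nf = calls, fields
                if isinstance(lab, tuple):
                    kind, name = lab
                    if kind == "(" and check_calls:
                        nc = calls + (name,)
                    elif kind == ")" and check_calls and calls:  # ")" on empty stack is fine
                        if calls[-1] != name:
                            continue          # return value flows to the wrong call site
                        nc = calls[:-1]
                    elif kind == "[" and check_fields:
                        nf = fields + (name,)
                    elif kind == "]" and check_fields:
                        if not fields or fields[-1] != name:
                            continue          # load of a field not stored on this path
                        nf = fields[:-1]
                work.append((dst, nc, nf))
    return result
```

With both filters on, pt(d) = {o1} and pt(a) = {o1}; with the path-exists relation alone both sets also contain o2, which is exactly the imprecision the two languages remove.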
Problem, Goal, Insight
- Problem: show that a path is unbalanced
- Goal: reduce the number of visited edges
- Insight: it is enough to find one unbalanced paren
[Figure: a long path from o to x through temporaries t0 … t12, labelled with field and call parens such as [f (1 )1 [h … ]g ]k]
Approximation via Match Edges
- Match edges connect matched field parens
  – From the source of the open paren to the sink of the close paren
  – Initially, all pairs are connected
- Use match edges to skip subpaths
[Figure: path o -> t0 -> … -> x with field labels [f [g [h ]h ]j ]f; match edges let the search skip the subpaths between matched parens]
Refining the Approximation
- Refine by removing some match edges
  – Exposes more of the original path for checking
- Remove where unbalanced parens are expected
  – Explore deeper levels of pointer indirection
[Figure: the same path o -> … -> x with labels [f [g [h ]h ]j ]f, now with a match edge removed so that more of the path is checked]
Refinement With Both Languages
- Match edges enable approximation of calls
- Calls can only be checked on match-free subpaths
- Match edge removal => more call checking
- Key point: refine heap and calls together
[Figure: path o -> t0 -> … -> x with call labels (1 )1 (2 )3 and field labels [f [g ]g ]f]
Thank You