1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.

Slides:

Advertisements

Similar presentations

ASSUMPTION HIERARCHY FOR A CHA CALL GRAPH CONSTRUCTION ALGORITHM JASON SAWIN & ATANAS ROUNTEV.

Advertisements

Effective Static Deadlock Detection

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

Interprocedural analysis © Marcelo d’Amorim 2010.

Course Outline Traditional Static Program Analysis –Classic analyses and applications Software Testing, Refactoring Dynamic Program Analysis.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.

Scaling CFL-Reachability-Based Points- To Analysis Using Context-Sensitive Must-Not-Alias Analysis Guoqing Xu, Atanas Rountev, Manu Sridharan Ohio State.

Range Analysis. Intraprocedural Points-to Analysis Want to compute may-points-to information Lattice:

Pointer Analysis for CASH Compiler Framework Deepak Garg Himanshu Jain Spring 2005.

Intraprocedural Points-to Analysis Flow functions:

Java Alias Analysis for Online Environments Manu Sridharan 2004 OSQ Retreat Joint work with Rastislav Bodik, Denis Gopan, Jong-Deok Choi.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.

Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.

ESP [Das et al PLDI 2002] Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked.

Approach #1 to context-sensitivity Keep information for different call sites separate In this case: context is the call site from which the procedure is.

Comparison Caller precisionCallee precisionCode bloat Inlining context-insensitive interproc Context sensitive interproc Specialization.

Reps Horwitz and Sagiv 95 (RHS) Another approach to context-sensitive interprocedural analysis Express the problem as a graph reachability query Works.

1 PASTE’07 Discovering Accurate Interclass Test Dependence Weilei Zhang, Barbara Ryder Department of Computer Science Rutgers University.

An Efficient Inclusion-Based Points-To Analysis for Strictly-Typed Languages John Whaley Monica S. Lam Computer Systems Laboratory Stanford University.

Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.

From last class. The above is Click’s solution (PLDI 95)

Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.

Programming Languages and Paradigms Object-Oriented Programming.

PRESTO: Program Analyses and Software Tools Research Group, Ohio State University STATIC ANALYSES FOR JAVA IN THE PRESENCE OF DISTRIBUTED COMPONENTS AND.

PRESTO Research Group, Ohio State University Interprocedural Dataflow Analysis in the Presence of Large Libraries Atanas (Nasko) Rountev Scott Kagan Ohio.

Control Flow Resolution in Dynamic Language Author: Štěpán Šindelář Supervisor: Filip Zavoral, Ph.D.

Change Impact Analysis for AspectJ Programs Sai Zhang, Zhongxian Gu, Yu Lin and Jianjun Zhao Shanghai Jiao Tong University.

Inference and Checking of Object Ownership Wei Huang 1, Werner Dietl 2, Ana Milanova 1, Michael D. Ernst 2 1 Rensselaer Polytechnic Institute 2 University.

PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.

1 Evaluating the Impact of Thread Escape Analysis on Memory Consistency Optimizations Chi-Leung Wong, Zehra Sura, Xing Fang, Kyungwoo Lee, Samuel P. Midkiff,

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

Java Objects and Classes. Overview n Creating objects that belong to the classes in the standard Java library n Creating your own classes.

Mark Marron IMDEA-Software (Madrid, Spain) 1.

CBSE'051 Component-Level Dataflow Analysis Atanas (Nasko) Rountev Ohio State University.

Adapting Side-Effects Analysis for Modular Program Model Checking M.S. Defense Oksana Tkachuk Major Professor: Matthew Dwyer Support US National Science.

ESEC/FSE-99 1 Data-Flow Analysis of Program Fragments Atanas Rountev 1 Barbara G. Ryder 1 William Landi 2 1 Department of Computer Science, Rutgers University.

11th Nov 2004PLDI Region Inference for an Object-Oriented Language Wei Ngan Chin 1,2 Joint work with Florin Craciun 1, Shengchao Qin 1,2, Martin.

Software Engineering Research Group, Graduate School of Engineering Science, Osaka University A Slicing Method for Object-Oriented Programs Using Lightweight.

PRESTO: Program Analyses and Software Tools Research Group, Ohio State University Merging Equivalent Contexts for Scalable Heap-cloning-based Points-to.

Testing Inheritance & Polymorphism in OO Software using Formal Specification Presented by : Mahreen Aziz Ahmad (Center for Software Dependability, MAJU)

Pointer Analysis Survey. Rupesh Nasre. Aug 24, 2007.

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India & K. V. Raghavan.

Pointer Analysis for Multithreaded Programs Radu Rugina and Martin Rinard M I T Laboratory for Computer Science.

Points-To Analysis in Almost Linear Time Josh Bauman Jason Bartkowiak CSCI 3294 OCTOBER 9, 2001.

Reducing Combinatorics in Testing Product Lines Chang Hwan Peter Kim, Don Batory, and Sarfraz Khurshid University of Texas at Austin.

CS 343 presentation Concrete Type Inference Department of Computer Science Stanford University.

Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.

5/7/03ICSE Fragment Class Analysis for Testing of Polymorphism in Java Software Atanas (Nasko) Rountev Ohio State University Ana Milanova Barbara.

Sept 12ICSM'041 Precise Identification of Side-Effect-Free Methods in Java Atanas (Nasko) Rountev Ohio State University.

ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1.

Object Naming Analysis for Reverse- Engineered Sequence Diagrams Atanas (Nasko) Rountev Beth Harkness Connell Ohio State University.

Evaluating the Precision of Static Reference Analysis Using Profiling Maikel Pennings, Donglin Liang, Mary Jean Harrold Georgia Institute of Technology.

1PLDI 2000 Off-line Variable Substitution for Scaling Points-to Analysis Atanas (Nasko) Rountev PROLANGS Group Rutgers University Satish Chandra Bell Labs.

Pick Your Contexts Well: Understanding Object-Sensitivity The Making of a Precise and Scalable Pointer Analysis Yannis Smaragdakis University of Massachusetts,

Inter-procedural analysis

Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,

Static Analysis of Object References in RMI-based Java Software

Pointer Analysis Lecture 2

Atanas (Nasko) Rountev Barbara G. Ryder Rutgers University

Points-to Analysis for Java Using Annotated Constraints

Pointer Analysis Lecture 2

Pointer analysis.

자바 언어를 위한 정적 분석 (Static Analyses for Java) ‘99 한국정보과학회 가을학술발표회 튜토리얼

Presentation transcript:

1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University

2 Points-to Analysis for Java Which objects may reference variable x point to? Builds a points-to graph x = new A(); y = new B(); x.f = y; x o1o1 o2o2 y f

3 Uses of Points-to Information Clients: SE tools and compilers Side-effect analysis Data-flow based testing Call graph construction Interprocedural analyses Program Slicing Coverage analysis Compiler optimizations

4 Existing Practical Points-to Analyses for Java Flow- and context-insensitive Extend existing analyses for C Context insensitivity inherently compromises precision for object-oriented languages Goal: Introduce context sensitivity and remain practical

5 Our Work Object sensitivity Form of context sensitivity for flow-insensitive points-to analysis of OO languages Object-sensitive Andersen’s analysis Object sensitivity applicable to other analyses Parameterization framework Cost vs. precision tradeoff Empirical evaluation Vs. context-insensitive Andersen’s analysis

6 Outline Imprecision of context-insensitive analysis Object-sensitive analysis Parameterization Empirical results Related work Summary and future work

7 The Imprecision of Context-insensitive Analysis Does not distinguish contexts for instance methods and constructors States of distinct objects are merged Common OO features and idioms Encapsulation Inheritance Containers, maps and iterators

8 Example: Imprecision class Y extends X { … } class A { X f; void m(X q) { this.f=q ; } } A a = new A() ; a.m(new X()) ; A aa = new A() ; aa.m(new Y()) ; o2o2 o1o1 a this A.m q o3o3 aao4o4 f f f f

9 Object-sensitive Analysis Instance methods and constructors analyzed for different contexts Receiver objects used as contexts Multiple copies of reference variables this.f=q this A.m.f=q o1o1 o1o1 o1o1

10 Example: Object-sensitive Analysis class A { X f; void m(X q) { this.f=q ; } } A a = new A() ; a.m(new X()) ; A aa = new A() ; aa.m(new Y()) ; o2o2 f o1o1 a this A.m o1o1 q A.m o1o1 this A.m.f=q o1o1 o1o1 o1o1 this.f=q ; o3o3 aa o4o4 o3o3 this A.m o3o3 q A.m this A.m.f=q o3o3 o3o3 f

11 Parameterization Goal: tunable analysis Multiple copies for a subset of variables For the other variables a single copy Result: reduces points-to graph size and analysis cost At the expense of precision loss

12 Implementation Implemented one instance this, formals and return variables replicated Constraint-based, on top of Andersen’s analysis Optimizations Comparison with Andersen’s analysis

13 Empirical Results 23 Java programs: 14 – 677 user classes Added the necessary library classes Machine: 360 MHz, 512Mb Object Sensitive vs. Andersen Comparable cost Better precision Modification side-effect analysis Virtual call resolution

14 Analysis Time

15 Side-effect Analysis: Modified Objects Per Statement jbjesssableccraytraceAverage OBJECT SENSITIVE ANDERSEN

16 Improvement in Resolved Calls

17 Related Work Context-sensitive points-to analysis for OO languages Grove et al. OOPSLA’97, Chatterjee et al. POPL’99, Ruf PLDI’00, Grove-Chambers TOPLAS’01 Context-insensitive points-to analysis for OO languages Liang et al. PASTE’01, Rountev et al. OOPSLA’01 Context-sensitive class analysis Oxhoj et al. ECOOP’92, Agesen SAS’94, Plevyak-Chien OOPSLA’94, Agesen ECOOP’95, Grove et al. OOPSLA’97, Grove-Chambers TOPLAS’01

18 Summary Object sensitivity – context sensitivity for flow-insensitive analysis of OO languages Parameterization allows flexibility Practical cost, comparable to Andersen’s analysis Better precision than Andersen’s analysis

19 Future Work Implement other instances Object naming schemes Theoretical and empirical comparison Call string context sensitivity Other instances of functional approach Impact on client applications

20

21 Modification Side-Effect (MOD) Analysis Which objects may be modified by statement s? Points-to analysis is prerequisite Object-sensitive MOD analysis Based on object-sensitive points-to analysis Set of modified objects for each context