
Exception Analysis and Points-to Analysis: Better Together
Martin Bravenboer (LogicBlox), Yannis Smaragdakis (UMass Amherst)
ISSTA 2009, International Symposium on Software Testing and Analysis

overview: what do we do? precise analysis of


  11. datalog: declarative mutual recursion

      source:

          a = new A();
          b = new B();
          c = new C();
          a = b;
          b = a;
          c = b;

      AssignObjectAllocation:

          a   new A()
          b   new B()
          c   new C()

      Assign:

          b   a
          a   b
          b   c

      VarPointsTo:

          a   new A()
          b   new B()
          c   new C()
          a   new B()
          b   new A()
          c   new B()
          c   new A()

          VarPointsTo(?var, ?obj) <-
            AssignObjectAllocation(?var, ?obj).

          VarPointsTo(?to, ?obj) <-
            Assign(?from, ?to),
            VarPointsTo(?from, ?obj).

  12. datalog: properties

      limited logic programming
      • sql with recursion
      • prolog without complex terms (constructors)
      • captures PTIME complexity class

      strictly declarative
      • as opposed to prolog
        - conjunction commutative
        - rules commutative
      • increases optimization opportunities
        - enables different execution strategies
        - enables more aggressive optimization

      writing datalog is less programming, more specification

  13. Strictly Declarative Specification of Sophisticated Points-to Analyses
      - performance
      - scalability
      - declarative specification
      - no BDDs

      http://doop.program-analysis.org

  27. declarative on-the-fly exception analysis

      method invocations: propagated exceptions

          void f() {
            g();
          }

          ThrowPointsTo(?caller, ?obj) <-
            CallGraphEdge(?invocation, ?tomethod),
            ThrowPointsTo(?tomethod, ?obj),
            Object:Type[?obj] = ?objtype,
            not exists ExceptionHandler[?objtype, ?invocation],
            Instruction:Method[?invocation] = ?caller.

      • ThrowPointsTo(?caller, ?obj): method declaration ?caller may throw exception object ?obj
      • CallGraphEdge(?invocation, ?tomethod): method invocation ?invocation may invoke method ?tomethod
      • ThrowPointsTo(?tomethod, ?obj): method declaration ?tomethod may throw exception object ?obj
      • Object:Type[?obj] = ?objtype: the type of the object allocated at ?obj is ?objtype
      • ExceptionHandler[?objtype, ?invocation]: exceptions of specific type ?objtype, thrown at instruction ?invocation, are handled by exception handler ?handler
      • Instruction:Method[?invocation] = ?caller: instruction ?invocation is in method ?caller

      method invocations: caught exceptions

          void f() {
            try { g(); }
            catch(E e) {...}
          }

          VarPointsTo(?param, ?obj) <-
            CallGraphEdge(?invocation, ?tomethod),
            ThrowPointsTo(?tomethod, ?obj),
            Type[?obj] = ?objtype,
            ExceptionHandler[?objtype, ?invocation] = ?handler,
            ExceptionHandler:FormalParam[?handler] = ?param.

  28. what did you just see here?
      • modular extension of variety of base points-to analyses
      • approximation only comes from points-to abstraction – exception logic as precise as possible!
      • complex mutually recursive dependencies
      • specified elegantly in a few lines of logic

      you might wonder ... does that work?!

  29. experimental findings

  31. major experimental findings: precision and speed

      statistics highlights for object sensitive analysis:
      • precision of points-to results
        - context-insensitive: imprecise > precise × 1.9
        - context-sensitive: imprecise > precise × 3
      • size of call graph
        - context-insensitive: no significant difference
        - context-sensitive: 1.9 × to 6.1 × more edges
      • performance
        - imprecise 14 ×, 12 ×, 5-10 ×, 1.8 × slower

      our finding: Precise exception handling has a major impact on the precision and performance of context-sensitive points-to analyses. With imprecise exception handling, the size of the problem is largely determined by exceptions.

  32. why exception analysis? (2)
      application: test coverage of exceptional situations [Fu et al.]
      [figure: testsuite, application, library]

  36. major experimental findings: exception-flow analysis

      test coverage: possible exception-catch links [Fu et al.]

                            sel      I/O    time
      imprecise   ftpd      insens   104    12s
                            1 obj     91    23s
                  muffin    insens   490    22s
                            1 obj    420    86s
      precise     ftpd      insens    47    15s
                            1 obj     15    15s
                  muffin    insens   237    31s
                            1 obj     49    94s

      custom: ∼ 5 min (ftpd), > 1 h (muffin)

      our finding: Our general joint points-to and exception analysis achieves precision comparable to a custom exception-flow analysis, but runs much faster.

  37. major experimental findings: approximations

      selectively remove features from fully precise analysis
      • order of exception handlers not considered (o)

            catch(FileNotFoundException e) {...}
            catch(IOException e) {...}

      • no filtering of caught exceptions (f)

            void foo() {
              try {...}
              catch(IOException e) {...}
            }

      • context-insensitive throw points-to (cs)
        - methods throw same exceptions in all contexts

  45. major experimental findings: approximations

      cs o f / call graph edges / var points-to / throw points-to

      1.0M     598K     579K     × × ×
      × 1.5    × 1.0    × 1.1    × ×
      × 2.6    × 1.2    × 1.9    × ×
      × 2.6    × 1.3    × 1.9    ×
      × 1.1    × 1.1    × 1.9    × ×
      × 1.6    × 1.2    × 2.1    ×
      × 2.7    × 1.4    × 3.4    ×
      × 2.7    × 1.5    × 3.4
      imprecise    × 6.1    × 2.0    -

      our finding: Every approximation of exception handling significantly increases var points-to, throw points-to, or call graph edges.

  46. major experimental findings
      • points-to analysis: Precise exception handling has a major impact on the precision and performance of context-sensitive points-to analyses.
      • exception-flow analysis: Our general joint points-to and exception analysis achieves precision comparable to a custom exception-flow analysis, but runs much faster.
      • approximations: Every approximation of exception handling significantly increases var points-to, throw points-to, or call graph edges.

  50. related work

      type-based exception analyses [Robillard, Jex]
      • do not determine where an exception comes from
      • conservative/unsound for ‘computed’ exceptions

      exception-flow and exception-chain analysis [Fu et al.]
      • precise analysis
      • slow, automatically supported by points-to analysis

      spark, paddle [Lhotak et al.], bddbddb [Whaley et al]
      • imprecise exception analysis
      • generally not integrated in the analysis

      doop compared to other datalog-based points-to analysis
      • full end-to-end analysis in datalog
      • first precise declarative exception analysis

  53. conclusion

      what have we seen?
      • joint points-to and exception analysis
      • precision of exception analysis has significant impact on points-to analysis
      • exception analysis as precise, but much faster than custom exception analyses
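
The two VarPointsTo rules from the "datalog: declarative mutual recursion" slide and the propagated/caught exception rules from the "declarative on-the-fly exception analysis" slide, evaluated to a fixpoint in Python. This is an added example, not code from the slides or from Doop; the main/f/g program, the ids i1, i2, h1, o_io, o_npe, the seed throw facts for g and the fixed call graph are assumptions.

```python
# Naive fixpoint evaluation of the four slide rules over constructed facts.
# Constructed program (not from the slides):
#   main() { try { f(); /*i1*/ } catch (IOException e) { x = e; } }
#   f()    { g(); /*i2*/ }
#   g()    { may throw new IOException (o_io) or new NullPointerException (o_npe) }

ASSIGN_ALLOC = {("a", "new A()"), ("b", "new B()"), ("c", "new C()")}  # from the slide
ASSIGN = {("b", "a"), ("a", "b"), ("b", "c"), ("e", "x")}   # (from, to); (e, x) is constructed
CALL_GRAPH_EDGE = {("i1", "f"), ("i2", "g")}                # (invocation, tomethod), fixed here
INSTRUCTION_METHOD = {"i1": "main", "i2": "f"}
OBJECT_TYPE = {"o_io": "IOException", "o_npe": "NullPointerException"}
EXCEPTION_HANDLER = {("IOException", "i1"): "h1"}           # [objtype, invocation] -> handler
HANDLER_FORMAL_PARAM = {"h1": "e"}
THROW_SEED = {("g", "o_io"), ("g", "o_npe")}                # assumed base facts for g's throws


def solve():
    # VarPointsTo(?var, ?obj) <- AssignObjectAllocation(?var, ?obj).
    var_pts = set(ASSIGN_ALLOC)
    throw_pts = set(THROW_SEED)
    while True:
        new_var, new_throw = set(), set()
        # VarPointsTo(?to, ?obj) <- Assign(?from, ?to), VarPointsTo(?from, ?obj).
        for frm, to in ASSIGN:
            new_var |= {(to, obj) for var, obj in var_pts if var == frm}
        for invocation, tomethod in CALL_GRAPH_EDGE:
            for method, obj in throw_pts:
                if method != tomethod:
                    continue
                handler = EXCEPTION_HANDLER.get((OBJECT_TYPE[obj], invocation))
                if handler is None:
                    # propagated: no handler at this invocation, the caller may throw obj
                    new_throw.add((INSTRUCTION_METHOD[invocation], obj))
                else:
                    # caught: obj flows into the handler's formal parameter
                    new_var.add((HANDLER_FORMAL_PARAM[handler], obj))
        if new_var <= var_pts and new_throw <= throw_pts:
            return var_pts, throw_pts   # fixpoint: no rule derives a new fact
        var_pts |= new_var
        throw_pts |= new_throw


def points_to(var_pts, var):
    return {obj for v, obj in var_pts if v == var}


if __name__ == "__main__":
    var_pts, throw_pts = solve()
    for rel, facts in (("VarPointsTo", var_pts), ("ThrowPointsTo", throw_pts)):
        for fact in sorted(facts):
            print(rel, fact)
```

The caught IOException reaches `x` only because the exception rule feeds VarPointsTo, which the Assign rule then extends; the uncaught NullPointerException propagates up to `main`.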
