making k object sensitive pointer analysis
play

Making k- Object-Sensitive Pointer Analysis More Precise with Still k - PowerPoint PPT Presentation

Feb 01, 2023 •253 likes •965 views

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

  1. Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1

  2. A New Pointer Analysis for Object-Oriented Programs 2

  3. Pointer Analysis  Determine “which objects can a variable point to?”  Foundation of many clients: ◦ Bug detection ◦ Security analysis ◦ Compiler optimization ◦ Program understanding ◦ … 3

  4. Object-Oriented Programs  Java, C#, Object- C, JavaScript, … ◦ Embedded software: ◦ Mobile application: ◦ Web server: ◦ Desktop application: 4

  5. A Practically Useful Pointer Analysis for Object-Oriented Programs 5

  6. A Practically Useful Pointer Analysis for Object-Oriented Programs Good Context Abstraction (Context Sensitivity) 6

  7. A Practically Useful Pointer Analysis for Object-Oriented Programs Good Context Abstraction (Context Sensitivity) k -CFA (call-site-sensitivity), type- sensitivity, … 7

  8. Object-Sensitivity Arguably the best context abstraction for pointer analysis for object-oriented programs 8

  9. Object-Sensitivity  Widely used in diverse real-world clients ◦ Property Verification (e.g., API protocol) ISSTA’06, TOSEM’08, PLDI’14, FSE’15, … ◦ Bug Detection (e.g., data race, deadlock) PLDI’06, ICSE’09, ISSTA’13, OOPSLA’15, … ◦ Security Analysis (e.g., taint analysis) PLDI’09, IEEE S&P’11, FSE ’14 , NDSS’15, FSE ’ 15, … ◦ Other Fundamental Analyses (e.g., slicing) PLDI ’07, PLDI’14, ICSE’14, ECOOP’16 , … 9

  10. Object-Sensitivity  Widely implemented in analysis platforms Chord A PPOSCOPY 10

  11. What is Object-Sensitivity?  Objects (allocation sites) as contexts  k -CFA  k -obj 11

  12. A Code Example class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo(); } A a2 = new A(); // A/2 a2.foo(); } } 12

  13. 1-CFA (call-site) class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo() ; } A a2 = new A(); // A/2 a2.foo() ; } } Context Variable Object … [a1.foo()] v … [a2.foo()] v 13

  14. 1-obj (allocation-site of receiver object) class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo(); } A a2 = new A(); // A/2 a2.foo(); } } Context Variable Object … [A/1] v … [A/2] v 14

  15. k -obj when k > 1? class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo(); } A a2 = new A(); // A/2 a2.foo(); } } 15

  16. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } Context Variable Object … [B/1,A/1] v … [B/1,A/2] v 16

  17. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } B/1 Context Variable Object … [B/1,A/1] v … [B/1,A/2] v A/1 A/2 17

  18. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } k = 2 B/1 Context Variable Object … [B/1,A/1] v … k = 1 [B/1,A/2] v A/1 A/2 18

  19. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } k = 2 B/1 Context Variable Object … [B/1,A/1] v … k = 1 [B/1,A/2] v A/1 A/2 Object Allocation Graph (OAG) 19

  20. An Observation  Redundant Context Element 20

  21. An Observation  Redundant Context Element HashSet/1 HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* 21

  22. 3-obj  Contexts fully separated  Precise Two contexts: k = 3 HashSet/1 HashSet/2 [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] HashMap/1 k = 2 k = 1 Entry/1 An example from JDK, java.util.* 22

  23. 3-obj  Contexts fully separated  Precise Two contexts: k = 3 HashSet/1 HashSet/2 [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] HashMap/1 k = 2 3-obj is unscalable k = 1 Entry/1 An example from JDK, java.util.* 23

  24. 2-obj  Contexts not separated One context: HashSet/1 HashSet/2 [HashMap/1,Entry/1] HashMap/1 k = 2 k = 1 Entry/1 An example from JDK, java.util.* 24

  25. 2-obj  Contexts not separated  Imprecise One context: HashSet/1 HashSet/2 [HashMap/1,Entry/1] HashMap/1 k = 2 k = 1 Entry/1 An example from JDK, java.util.* 25

  26. 2-obj  Contexts not separated  Imprecise  Redundant context elements used One context: HashSet/1 HashSet/2 [ HashMap/1 ,Entry/1] HashMap/1 k = 2 HashMap/1 as context element k = 1 Entry/1 is redundant An example from JDK, java.util.* 26

  27. This Paper: Avoid Redundant Context Element 27

  28. 2-obj HashSet/1 HashSet/2 k = 2 HashMap/1 k = 1 Entry/1 One context: [HashMap/1,Entry/1] 28

  29. 2-obj Our approach k = 2 HashSet/1 HashSet/2 HashSet/1 HashSet/2 k = 2 HashMap/1 HashMap/1 k = 1 k = 1 Entry/1 Entry/1 Redundant One context: Two contexts: one removed [HashMap/1,Entry/1] [HashSet/1,Entry/1] [HashSet/2,Entry/1] 29

  30. 2-obj Our approach k = 2 HashSet/1 HashSet/2 HashSet/1 HashSet/2 k = 2 HashMap/1 HashMap/1 k = 1 k = 1 Entry/1 Entry/1 Redundant One context: Two contexts: one removed [HashMap/1,Entry/1] [HashSet/1,Entry/1] [HashSet/2,Entry/1] Benefit: improve precision with still k -limiting 30

  31. Methodology (BEAN) Context Graph Selection Problem Problem 31

  32. Context Graph Selection Problem Problem Object Allocation HashSet/1 HashSet/2 Context Relation Graph (OAG) HashMap/1 Entry/1 32

  33. Context Graph Selection Problem Problem Object Allocation HashSet/1 HashSet/2 Context Relation Graph (OAG) HashMap/1 Contexts in k -obj Paths in OAG Entry/1 33

  34. Context Graph Selection Problem Problem Object Allocation HashSet/1 HashSet/2 Context Relation Graph (OAG) HashMap/1 Contexts in k -obj Paths in OAG Entry/1 Avoid Redundant Select Representative Nodes Context Elements to Distinguish Paths 34

  35. An OAG 35

  36. 5 contexts in k -obj 5 paths in OAG An OAG 36

  37. Select 5 contexts in k -obj 5 paths in OAG Distinguish An OAG 37

  38. Select 5 contexts in k -obj k = 8 5 paths in OAG Distinguish k = 7 k = 6 k = 5 k -obj: k = 8 (all nodes selected) k = 4 k = 3 k = 2 k = 1 An OAG 38

  39. Select 5 contexts in k -obj 5 paths in OAG Distinguish k = 3 1 2 k -obj: k = 8 (all nodes selected) BEAN: k = 3 (representative nodes selected) k = 2 4 5 3 k = 1 6 An OAG 39

  40. Select 5 contexts in k -obj 5 paths in OAG Distinguish k = 3 1 2 k -obj: k = 8 (all nodes selected) BEAN: k = 3 (representative nodes selected) k = 2 4 5 3 k = 1 6 5 contexts selected by BEAN: [1,3,6], [2,3,6], An OAG [1,4,6], [2,4,6], [5,6] 40

  41. Select 5 contexts in k -obj 5 paths in OAG Distinguish k = 3 1 2 k -obj: k = 8 (all nodes selected) precision = BEAN: k = 3 (representative nodes selected) k = 2 4 5 3 k = 1 6 5 contexts selected by BEAN: [1,3,6], [2,3,6], An OAG [1,4,6], [2,4,6], [5,6] 41

  42. How to Select Representative Nodes to Distinguish Paths? 42

  43. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths 43

  44. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence 44

  45. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + 45

  46. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + Confluence 46

  47. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + Confluence 47

  48. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + Confluence Representative nodes 48

  49. 49

  50. Representative nodes 50

  51. Theorem 1  Under full -object-sensitivity (when k = ∞) Precision Precision of = of BEAN k -obj 51

  52. Theorem 2  Under the same k -limiting Precision Precision of ≥ of BEAN k -obj 52

  53. B EAN : Framework Points-To Information OAG Construction Pointer OAG Chord Analysis Selected Contexts Contexts Selection 53

  54. Open-Source Implementation www.cse.unsw.edu.au/~corg/bean 54

  55. Evaluation - Clients  May-Alias  May-Fail-Cast Typical clients to evaluate pointer analysis’s effectiveness e.g., APLAS’15, PLDI’14, PLDI’13, POPL’11, OOPSLA’09, … 55

  56. Evaluation - Analyzed Targets  Standard DaCapo Java benchmarks  Large Java library: JDK 1.6 Widely used programs and library in pointer analysis e.g., PLDI ’14, ECOOP’14, PLDI’13, OOPSLA’13, POPL’11, … 56

Recommend

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan

Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan

Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan Indian Institute of Science, Bangalore PACT 2013 PACT'13 2 Outline Introduction Background Flow-sensitive graph-rewriting formulation

1.06k views • 74 slides
From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira Albert (1) , Puri Arenas (1) , Samir Genaim (1) , an Puebla (2) and Diana Ram rez (2) Germ (1) Complutense University of Madrid (2) Technical

1.27k views • 77 slides
Page 1 1. Add Visibility Information Implementation of UML Visibility in Java Tournament UML

Page 1 1. Add Visibility Information Implementation of UML Visibility in Java Tournament UML

Object Design Object-Oriented Software Engineering ! Object design is the process of adding details to the requirements analysis and making implementation decisions ! The object designer must choose among different ways to implement the analysis

323 views • 5 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&A 2 What is a

543 views • 28 slides
Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Object-Oriented Software Engineering Using UML, Patterns, and Java Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of adding details to the requirements analysis and making implementation decisions

500 views • 28 slides
Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Andrew Lenharth Vikram Adve Apple UIUC UIUC What is Heap Cloning? Distinguish objects by acyclic call path void foo() { list*

556 views • 28 slides
1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

Alias Analysis Aliasing Last time What is aliasing? Midterm When two expressions denote the same mutable memory location e.g., p = new Object; Today q = p; * p and * q alias Alias analysis (pointer analysis) How do aliases

162 views • 5 slides
Chapter 8, Object Design: Object design is the process of adding details to the requirements

Chapter 8, Object Design: Object design is the process of adding details to the requirements

Object Design Object-Oriented Software Engineering Chapter 8, Object Design: Object design is the process of adding details to the requirements analysis and making implementation decisions Reuse and Patterns I The object designer must

301 views • 15 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this lecture Terms and concepts Algorithms: Andersen-Style and Steensgaard-Style Advanced topics 2 What is Pointer/Alias/points-to Analysis?

347 views • 32 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive Analysis To understand the input computation, a compiler/interpreter need to discover The types of values stored in each variable The types

576 views • 39 slides
Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and Katherine Yelick U.C. Berkeley A August 23, 2007 t 23 2007 1 Hierarchical Pointer Analysis Amir Kamil Background 2 Hierarchical Pointer Analysis

650 views • 41 slides
CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

Datalog CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual calls:

1.01k views • 54 slides
2019/3/3 Object-oriented Analysis and Design Object-oriented Analysis and Design Chapters

2019/3/3 Object-oriented Analysis and Design Object-oriented Analysis and Design Chapters

2019/3/3 Object-oriented Analysis and Design Object-oriented Analysis and Design Chapters Object oriented analysis and design 1. Iterative, evolutionary, and agile Applying UML and Patterns 2. Case study 3. An Introduction to Text book,

394 views • 6 slides
Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael

Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael

Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael Orrill 11/19/2013 Overview Background Concepts Chosen for analysis Structural Analysis Thermal Analysis Schedule Conclusion

544 views • 20 slides
Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c

Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c

Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c analysis Dataflow and abstract interpreta8on We are here Applica8ons Beyond

515 views • 36 slides
Objects and nesting and pointers, oh my! If we have a pointer variable ptr , we access the

Objects and nesting and pointers, oh my! If we have a pointer variable ptr , we access the

Objects and nesting and pointers, oh my! If we have a pointer variable ptr , we access the thing that a pointer points to with the syntax *ptr To access a field or method of a class through an object variable, use the syntax

282 views • 13 slides
2019/6/3 Object-oriented Analysis and Design Object-oriented Analysis and Design Applying UML

2019/6/3 Object-oriented Analysis and Design Object-oriented Analysis and Design Applying UML

2019/6/3 Object-oriented Analysis and Design Object-oriented Analysis and Design Applying UML and Patterns Chap 14 On to Object Design An Introduction to Object-oriented Analysis and Design and Iterative Development Part III Elaboration

274 views • 3 slides

More recommend