precision guided context sensitivity for pointer analysis
play

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, - PowerPoint PPT Presentation

Apr 05, 2023 •200 likes •841 views

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

  1. Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Møller, Yannis Smaragdakis OOPSLA 2018 1

  2. A New Pointer Analysis T echnique for Object-Oriented Programs 2

  3. Pointer Analysis Determines “which objects a variable can point to?” 3

  4. Uses of Pointer Analysis Clients Tools  Security analysis  Bug detection  Compiler optimization Chord  Program verification  Program understanding …  … 4

  5. Uses of Pointer Analysis Clients Tools  Security analysis  Bug detection  Compiler optimization Chord  Program verification  Program understanding …  … A precise pointer analysis benefits all above clients & tools 5

  6. Context Sensitivity One of the most successful pointer analysis techniques for producing high precision for OO programs 6

  7. Context Sensitivity Distinguishes points-to information of methods by different calling contexts 7

  8. Context Sensitivity: Example class A { static void main() { String foo(String s) { A a1 = new A(); // A/1 return s; b1 = a1.foo("s1"); } } A a2 = new A(); // A/2 b2 = a2.foo("s2"); } Variable Object "s1" , "s2" s "s1" , "s2" b1 "s1" , "s2" b2 Context-Insensitivity 8

  9. Context Sensitivity: Example class A { static void main() { String foo(String s) { A a1 = new A(); // A/1 return s; b1 = a1.foo("s1"); } } A a2 = new A(); // A/2 b2 = a2.foo("s2"); } Variable Object "s1" , "s2" s "s1" , "s2" b1 "s1" , "s2" b2 Context-Insensitivity 9

  10. Context Sensitivity: Example class A { static void main() { String foo(String s) { A a1 = new A(); // A/1 return s; b1 = a1.foo("s1"); } } A a2 = new A(); // A/2 b2 = a2.foo("s2"); } Context Variable Object [ A/1 ] Variable Object s "s1" "s1" , "s2" [ A/2 ] s "s2" s [ ] "s1" , "s2" b1 b1 "s1" "s1" , "s2" [ ] b2 b2 "s2" 1-Object-Sensitivity Context-Insensitivity 10

  11. Context Sensitivity Widely adopted by static analysis frameworks for OO programs Chord FlowDroid 11

  12. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Conventional: apply C.S. to all methods 12

  13. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Conventional: apply C.S. to all methods Do not benefit from C.S. Analyzed for multiple contexts redundantly 13

  14. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Conventional: apply C.S. to all methods Benefit from C.S. Do not benefit (gain precision) from C.S. Precision-critical Analyzed for multiple methods contexts redundantly 14

  15. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Benefit from C.S. Do not benefit (gain precision) from C.S. C.S. C.I. Precision-critical Analyzed for multiple methods contexts redundantly 15

  16. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Preserve precision of C.S. Improve efficiency Benefit from C.S. Do not benefit (gain precision) from C.S. C.S. C.I. Precision-critical Analyzed for multiple methods contexts redundantly 16

  17. Our Goal Identify precision-critical methods Preserve precision of C.S. Improve efficiency Benefit from C.S. Do not benefit (gain precision) from C.S. C.S. C.I. Precision-critical Analyzed for multiple methods contexts redundantly 17

  18. Challenge Still unclear where and how imprecision is introduced in a context-insensitive pointer analysis context-sensitive precision yield When? analysis benefits omitting introduce precision When? context sensitivity losses 18

  19. Our Key Contribution Classify source of imprecision into three general precision-loss patterns ◦ Direct flow ◦ Wrapped flow ◦ Unwrapped flow 19

  20. Our Key Contribution Classify source of imprecision into three general precision-loss patterns ◦ Direct flow account for ~99% ◦ Wrapped flow of precision ◦ Unwrapped flow 20

  21. Our Key Contribution Classify source of imprecision into three general precision-loss patterns ◦ Direct flow account for ~99% ◦ Wrapped flow of precision ◦ Unwrapped flow Recognize Identify Three Flow Precision-Critical Patterns Methods 21

  22. IN and OUT Methods Given a class ◦ IN methods  One or more parameters ◦ OUT methods  non- void return types 22

  23. IN and OUT Methods Given a class class Foo { C f; ◦ IN methods void setF(C p) {  One or more parameters this.f = p; } ◦ OUT methods C getF() { C r = this.f;  non- void return types return r; } void bar() { this.f = null; } } 23

  24. IN and OUT Methods Given a class class Foo { C f; ◦ IN methods IN void setF(C p) {  One or more parameters this.f = p; } ◦ OUT methods C getF() { C r = this.f;  non- void return types OUT return r; } void bar() { this.f = null; } } 24

  25. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow Identified by leveraging a context-insensitive pointer analysis (as pre-analysis) 25

  26. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow 26

  27. Direct Flow O class C { void M1(Object p) { IN ... } ... Object M2() { ... OUT return r; } } O 27

  28. Direct Flow O class C { void M1(Object p) { IN ... } • variable assignments • field load/store ... • method calls/returns Object M2() { ... OUT return r; } } O 28

  29. Direct Flow O class C { void set(Object p) { void M1(Object p) { IN this.f = p; ... } } • variable assignments • field load/store ... • method calls/returns Object get() { Object M2() { Object r = this.f; ... return r; OUT return r; } Example: common } setter & getter } O 29

  30. Key Insight: Causes of Imprecision C.I. B A IN • Direct flow Flows: objects merge and propagate OUT B A B A 30

  31. Key Insight: Causes of Imprecision C.I. B A IN • Direct flow Flows: objects • Wrapped flow merge and • Unwrapped flow propagate • Combinations OUT B A B A 31

  32. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow 32

  33. Wrapped Flow O class C { void M1(Object p) { IN ... } ... object wrapping void Mi() { o.f = q; } ... W Object M2() { ... OUT return r; } } • variable assignments • field load/store W • method calls/returns 33

  34. Wrapped Flow O class C { void M1(Object p) { IN ... } ... object wrapping void Mi() { o.f = q; } ... W Object M2() { ... Example: OUT return r; collection & } iterator } • variable assignments • field load/store W • method calls/returns 34

  35. Wrapped Flow O class C { void M1(Object p) { IN ... } ... multiple object wrapping void Mi() { o.f = q; } ... W Object M2() { ... OUT return r; } } • variable assignments • field load/store W ’ • method calls/returns 35

  36. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow 36

  37. Unwrapped Flow O class C { void M1(Object p) { IN ... } ... object unwrapping void Mi() { q = o.f; } U ... Object M2() { ... OUT return r; } } • variable assignments U • field load/store • method calls/returns 37

  38. Unwrapped Flow O class C { void M1(Object p) { IN ... } ... object unwrapping void Mi() { q = o.f; } U ... Object M2() { ... Example: JDK OUT return r; synchronized } container } • variable assignments U • field load/store • method calls/returns 38

  39. Unwrapped Flow O class C { void M1(Object p) { IN ... } ... multiple object unwrapping void Mi() { q = o.f; } U ... Object M2() { ... OUT return r; } } • variable assignments U ’ • field load/store • method calls/returns 39

  40. Combinations of Three General Flows The direct, wrapped and unwrapped flows can be combined, e.g., unwrapped wrapped + IN OUT flow flow O W U 40

  41. C.I. B A IN • Direct flow • Wrapped flow • Unwrapped flow • Combinations OUT A B B A Precision-critical methods: the methods involved in the flows 41

  42. Identify precision-critical methods C.I. B A IN • Direct flow • Wrapped flow • Unwrapped flow • Combinations OUT A B B A Precision-critical methods: the methods involved in the flows 42

  43. Identify precision-critical methods Apply C.S. only to C.I. C.S. B A B A IN IN • Direct flow • Wrapped flow • Unwrapped flow • Combinations OUT OUT A B A B B A Precision-critical methods: the methods involved in the flows 43

  44. Identify precision-critical methods Apply C.S. only to C.I. C.S. B A B A IN IN OUT OUT A B A B B A Precision-critical methods: the methods involved in the flows 44

  45. How to Analyze Flow Patterns? We propose precision flow graph (PFG) expresses direct, wrapped, unwrapped flows, and their combinations, in an uniform way 45

  46. How to Analyze Flow Patterns? We propose precision flow graph (PFG) expresses direct, wrapped, unwrapped flows, and their combinations, in an uniform way Flows in Program Paths in PFG 46

Recommend

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity

Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity

Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity We consider climate sensitivity in a very simple context. We consider a single-layer isothermal atmosphere. Climate Sensitivity We consider

1.09k views • 81 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
Precision, Recall, and Sensitivity of Monitoring Partially Synchronous Distributed Systems

Precision, Recall, and Sensitivity of Monitoring Partially Synchronous Distributed Systems

RunHme VerificaHon 2016 (RV16) Precision, Recall, and Sensitivity of Monitoring Partially Synchronous Distributed Systems Sorrachai Yingchareonthawornchai 1 , Duong Nguyen 1 , Vidhya Tekken Valapil 1 , Sandeep Kulkarni 1 , and Murat Demirbas 2

1.01k views • 55 slides
Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge August 3, 2020 @ JSM Sensitivity analysis The broader concept [Saltelli et al., 2004] Sensitivity analysis is the study of how the

477 views • 19 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
Review Running a program requires the code & stack segments in memory. Context = memory

Review Running a program requires the code & stack segments in memory. Context = memory

Review Running a program requires the code & stack segments in memory. Context = memory address space + stack pointer + instruction pointer A CPU is in the context of a program if its instruction pointer and stack pointer registers

797 views • 40 slides
Precision Beauty at High Sensitivity Chris Quigg Fermilab Nikhef Amsterdam October

Precision Beauty at High Sensitivity Chris Quigg Fermilab Nikhef Amsterdam October

Precision Beauty at High Sensitivity Chris Quigg Fermilab Nikhef Amsterdam October 29, 2019 See also Dream Machines 1808.06036 Perspectives and Questions zenodo.3376597 Origin Story . . . PHYSICAL REVIEW LETTERS VOLUME

608 views • 48 slides
Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality Sensitivity Analysis Shadi SHARIF AZADEH Transport and Mobility Laboratory TRANSP-OR cole Polytechnique Fdrale de Lausanne EPFL Motivation

394 views • 26 slides
CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this lecture Terms and concepts Algorithms: Andersen-Style and Steensgaard-Style Advanced topics 2 What is Pointer/Alias/points-to Analysis?

347 views • 32 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
UCSF 2013 Operation CRISPR: Operation CRISPR: Deploying precision guided tools

UCSF 2013 Operation CRISPR: Operation CRISPR: Deploying precision guided tools

UCSF 2013 Operation CRISPR: Operation CRISPR: Deploying precision guided tools to target unique species in a complex microbiome Microbiomes play an important role in

826 views • 54 slides
Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and Katherine Yelick U.C. Berkeley A August 23, 2007 t 23 2007 1 Hierarchical Pointer Analysis Amir Kamil Background 2 Hierarchical Pointer Analysis

650 views • 41 slides
Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics & Computer

Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics & Computer

DM545 Linear and Integer Programming Lecture 6 Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Geometric Interpretation Sensitivity Analysis Outline

456 views • 28 slides
CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

Datalog CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual calls:

1.01k views • 54 slides
Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael

Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael

Laser Pointer Engineering Analysis Jeb Duncan, Eddie Hoopingarner, Cole Middlebrook, Michael Orrill 11/19/2013 Overview Background Concepts Chosen for analysis Structural Analysis Thermal Analysis Schedule Conclusion

544 views • 20 slides
SENSITIVITY TO NEW PHYSICS OF PRECISION HIGGS AND EW OBSERVABLES JiJi Fan Syracuse University

SENSITIVITY TO NEW PHYSICS OF PRECISION HIGGS AND EW OBSERVABLES JiJi Fan Syracuse University

SENSITIVITY TO NEW PHYSICS OF PRECISION HIGGS AND EW OBSERVABLES JiJi Fan Syracuse University FCC week, Washington DC, 3/26/15 OUTLINE Higgs Coupling Measurements at Future Colliders EWPT at Future Colliders New Physics Reach

515 views • 36 slides
Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c

Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c

Pointer Analysis CSE 501 Spring 15 Course Outline Sta8c analysis Dataflow and abstract interpreta8on We are here Applica8ons Beyond

515 views • 36 slides
Reduced-Precision Floa1ng-Point Analysis via Binary Modifica1on

Reduced-Precision Floa1ng-Point Analysis via Binary Modifica1on

Reduced-Precision Floa1ng-Point Analysis via Binary Modifica1on Mike Lam, UMD Jeff Hollingsworth, UMD Context Floa1ng-point arithme1c represents real

294 views • 25 slides
Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans

Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans

Introduction Study of the reference problem Sensitivity analysis Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans , and Laurent Pfeiffer ed INRIA Saclay and CMAP, Ecole

831 views • 32 slides

More recommend