Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis
description
Transcript of Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis
![Page 1: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/1.jpg)
Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive
Must-Not-Alias Analysis
Guoqing Xu, Atanas Rountev, Manu SridharanOhio State University
IBM T. J. Watson Research Center
![Page 2: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/2.jpg)
Points-to Analysis• Many static analysis tools need highly precise
whole-program points-to solution– (e.g., data race detector, slicer)
• Context-free-language(CFL) reachability formulation of points-to/alias analysis [Sridharan-Bodik PLDI’06]– High precision– Does not scale well for whole program analysis– A lot of redundant computation
• Our approach targets CFL-reachability-based points-to analysis– Pre-analyze the program to reduce the redundancy
2
![Page 3: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/3.jpg)
Example of CFL-Reachability Formulation[PLDI’06]
3
a = new A(); // o1
b = new A(); // o2
c = a;
o1 a
b
c
o2
x
y
p reto3
(1 )1
(2 )2
[f
[f
]f
o4
e
id(p){ return p;}x = id(a); // call 1y = id(b); // call 2
a.f = new C(); //o3
b.f = new C(); //o4
e = x.f;o pts(v) if o flowsTo v
![Page 4: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/4.jpg)
Targeted Inefficiency• A pair of heap load and store a.f = o; v = b.f;
• What if a and b can never alias?– v can not point to o– May be redundant to perform the entire sequence of
checks4
a bo v
alias?[f ]f
o’
flowsTo? flowsTo?
]gc d[g
alias?flowsTo? flowsTo?
(c.g =a)
(b=d.g )
o’’
X
![Page 5: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/5.jpg)
Our Approach• Must-not-alias analysis
– Use an imprecise but cheap off-line analysis to find x and b are not aliases under any possible calling context
– Quickly conclude that e cannot point to o4 in the points-to analysis, if our analysis reports (x, b) must not alias
5
![Page 6: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/6.jpg)
Program Representation• Intraprocedural Symbolic Points-To Graph (SPG)
– Introduce symbolic node s for • formal parameter• field dereference a.f in a heap load• a call site that returns a reference-typed value
– Compute intraprocedural flowsTo path – Points-to edge a o SPG if o flowsTo a is found– Points-to edge o1 o2 SPG if o1 flowsTo a, o2 flowsTo b,
and a.f = b are found
6
B m(A a){ C c = new C();// o1
a.f = c; return c.g;}
o1sa f
sgret
cg
f
a
![Page 7: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/7.jpg)
Interprocedural Symbolic Points-To Graph• Connect intraprocedural symbolic points-to graphs
with entry and exit edges
7
B m(A a){ C c = new C();// o1
a.f = c; return c.g;}
o1sa
f
sgret
cg
A d = new A(); // o2
B b = m(d); // call m
do2
b sm
entrym
exitm
a
![Page 8: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/8.jpg)
Must-Not-Alias Analysis• Context-insensitive memAlias formuation
– Treat a pair of points to edges and as balanced parentheses
–
– Allocation or symbolic node m and n are aliases if m memAlias n
8
f f
![Page 9: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/9.jpg)
Example
9
B m(A a){ C c = new C();// o1
a.f = c; return c.g;}
A a = new A(); // o2
B b = m(a);
C(){ this.g = new B();// o3 }
o1sa
sgret
cg
ao2
b sm
exitm
entrym
sthisgo3
entryC
this
![Page 10: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/10.jpg)
Algorithm• Add pairs of nodes (a, b) in memAlias, if they are
reachable from the same node c, and the strings between (c, a) and (c, b) are the same
– Example: a a0 … c … b0 b
10
f1 f2 fn fn f2 f1
![Page 11: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/11.jpg)
Algorithm (Cond.)while a fixed point is not reached do• Add pairs of nodes (a, b) in memAlias, if (a, f)
memAlias, (g, b) memAlias, (f, g) memAlias– a f g b
• Add pairs of nodes (d, e) in memAlias, if there is a pair (f, g) memAlias, d and e are reachable from f and g, respectively, and the two strings between (f, d) and (e, g) are the same
– f a0 … d e … b0 g
end while11
f1 f2 fn fn f2 f1
![Page 12: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/12.jpg)
Context-Sensitive Must-Not-Alias Analysis• Context-sensitivity is achieved by
– Bottom-up traversing the call graph (i.e., summary-based)
– Cloning objects for 1-level method calls when composing summaries
• Context sensitivity– Full context-sensitivity for pointer variables– 1-level context-sensitivity for pointer targets– Has almost the same precision as the 1-object-sensitive
analysis, but much cheaper
12
![Page 13: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/13.jpg)
Example
13
B m(A a){ C c = new C();// o1
a.f = c; return c.g;}
A a = new A(); // o2
B b = m(a);
C(){ this.g = new B();// o3 }
o3c
o1mo1 sg
g
smo2
sthisg o3
entryC
sa
entrymexitm
sthisc
sam f sg
m
![Page 14: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/14.jpg)
Using Must-Not-Alias Information• Object or symbolic nodes m and n must not alias if
(m, n) memAlias • Using must-not-alias information in Sridharan-
Bodik analysis – Check a pair of load and store a.f = o; c = b.f;– Don’t check whether a and b can alias if, for any object or
symbolic nodes oa and ob such that a oa and b ob ISPG, oa and ob must not alias
14
![Page 15: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/15.jpg)
Experiments• Benchmarks
– SpecJVM : 7 programs– DaCapo: 4 programs– Others: 8 programs– Number of methods ranging from 2344 to 8789
• Comparison between Sridharan-Bodik representation and ISPG without var nodes– 1.7 reduction in the number of nodes– 5.6 reduction in the number of edges
15
![Page 16: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/16.jpg)
Running Time Reduction
16
Average: 3
![Page 17: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/17.jpg)
Precision (casts proved safe)
17Precision = % #safe casts/#total castsCI:3.2%, MA:8.0%, 1-OBJ:10.5% , SB:23.5%
![Page 18: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/18.jpg)
Conclusions• Refinement-based points-to analysis is precise but
expensive• A context-sensitive must-not-alias analysis
– Pre-computes aliasing information– memAlias-reachability formulation– Used to quickly eliminate non-aliasing pairs in the
points-to analysis• Experimental results
– Alias analysis has short running time– Significant time reduction for the points-to analysis– Points-to information derived from memAlias is almost
as precise as 1-object-sensitive analysis18
![Page 19: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/19.jpg)
Thank you
19
![Page 20: Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis](https://reader035.fdocuments.in/reader035/viewer/2022062521/568156ee550346895dc493f8/html5/thumbnails/20.jpg)
Running Time• ISPG construction
– 48 – 245s– On average 2.064 s/1000 Jimple statements
• Must-not-alias analysis– 9 – 80s– On average 0.579 s/1000 Jimple statements
• Modified points-to analysis– 185 – 2350s– On average 9.65 s/1000 Jimple statements
• Total– 282 – 2854s– On average 12.294 s/1000 Jimple statements20