Static Program Analysis - pascal-group.bitbucket.io
Yue Li and Tian Tan
Static Program Analysis
2020 Spring
Nanjing University
Tian Tan
2020
Pointer Analysis
Static Program Analysis
Contents
1. Motivation
2. Introduction to Pointer Analysis
3. Key Factors of Pointer Analysis
4. Concerned Statements

Problem of CHA

    void foo() {
        Number n = new One();
        int x = n.get();
    }

    interface Number {
        int get();
    }
    class Zero implements Number {
        public int get() { return 0; }
    }
    class One implements Number {
        public int get() { return 1; }
    }
    class Two implements Number {
        public int get() { return 2; }
    }

CHA: based on (only considers) class hierarchy
• 3 call targets
• 2 false positives
Constant propagation
• x = NAC
Result: imprecise

Via Pointer Analysis

Pointer analysis: based on points-to relation (n points to new One)
• 1 call target
• 0 false positives
Constant propagation
• x = 1
Result: precise
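
Added example (not from the original slides): a small Python model of the comparison above, resolving the call `n.get()` once by CHA and once from the points-to set of `n`, then applying the constant-propagation meet to the targets' return values. The table names (`SUPER`, `METHODS`, `POINTS_TO`) and helper functions are assumptions made for this sketch.

```python
# Constructed model of the slide's program: interface Number, three
# implementations, and the call `n.get()` in foo() where `n = new One()`.
SUPER = {"Number": None, "Zero": "Number", "One": "Number", "Two": "Number"}

# Concrete methods per class, each mapped to the constant it returns.
# Number.get is abstract, so the interface itself declares no body.
METHODS = {
    "Number": {},
    "Zero": {"get": 0},
    "One": {"get": 1},
    "Two": {"get": 2},
}

NAC = "NAC"      # "not a constant"
UNDEF = "UNDEF"  # no value reaches the call result


def dispatch(cls, method):
    """Run-time method lookup: search cls, then its superclasses."""
    while cls is not None:
        if method in METHODS[cls]:
            return (cls, method)
        cls = SUPER[cls]
    return None


def subtypes(cls):
    """cls plus every class that directly or transitively extends/implements it."""
    found = {cls}
    for sub, parent in SUPER.items():
        if parent == cls:
            found |= subtypes(sub)
    return found


def resolve_cha(declared_type, method):
    """CHA: every subtype of the receiver's declared type is a possible receiver."""
    targets = {dispatch(c, method) for c in subtypes(declared_type)}
    return targets - {None}


def resolve_pta(points_to, receiver, method):
    """Pointer analysis: only classes of objects the receiver may point to."""
    targets = {dispatch(cls, method) for (_site, cls) in points_to[receiver]}
    return targets - {None}


def call_result(targets):
    """Constant propagation across the call: meet of all targets' return values."""
    values = {METHODS[cls][m] for (cls, m) in targets}
    if not values:
        return UNDEF
    return values.pop() if len(values) == 1 else NAC


# Points-to relation for foo(): `Number n = new One();` is the only assignment
# to n, so n points to the single abstract object allocated there.
POINTS_TO = {"n": {("new One", "One")}}


def compare():
    """Resolve n.get() both ways and report targets, x, and CHA's false positives."""
    cha = resolve_cha("Number", "get")
    pta = resolve_pta(POINTS_TO, "n", "get")
    return {
        "cha_targets": cha,
        "cha_x": call_result(cha),
        "pta_targets": pta,
        "pta_x": call_result(pta),
        "false_positives": cha - pta,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```
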

Pointer Analysis
• A fundamental static analysis
  • Computes which memory locations a pointer can point to
• For object-oriented programs (focus on Java)
  • Computes which objects a pointer (variable or field) can point to
• Regarded as a may-analysis
  • Computes an over-approximation of the set of objects that a pointer can point to, i.e., we ask “a pointer may point to which objects?”

A research area with 40+ years of history
➢ William E. Weihl, “Interprocedural Data Flow Analysis in the Presence of Pointers, Procedure Variables, and Label Variables”. POPL 1980.
Still an active area today
➢ OOPSLA’18, FSE’18, TOPLAS’19, OOPSLA’19, TOPLAS’20, …

Example
“Which objects a pointer can point to?”

Program (input to pointer analysis):

    void foo() {
        A a = new A();
        B x = new B();
        a.setB(x);
        B y = a.getB();
    }

    class A {
        B b;
        void setB(B b) { this.b = b; }
        B getB() { return this.b; }
    }

Points-to relations (output of pointer analysis):

| Variable | Object |
|---|---|
| a | new A |
| x | new B |
| this | new A |
| b | new B |
| y | new B |

| Field | Object |
|---|---|
| new A.b | new B |

Pointer Analysis and Alias Analysis
Two closely related but different concepts
• Pointer analysis: which objects a pointer can point to?
• Alias analysis: can two pointers point to the same object?
If two pointers, say p and q, refer to the same object, then p and q are aliases

    p = new C();
    q = p;
    x = new X();
    y = new Y();

p and q are aliases
x and y are not aliases

Alias information can be derived from points-to relations
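
Added example (not from the original slides): a minimal flow- and context-insensitive points-to solver in Python that reproduces the points-to table of the `foo()`/`A` example and then derives the alias answers for `p`, `q`, `x`, `y` from the points-to sets. The statement encoding, the temporary `ret`, and the hand-written modelling of the two calls as parameter and return assignments are assumptions of this sketch; the slides have not yet introduced how calls are handled.

```python
from collections import defaultdict


def solve(stmts):
    """Compute points-to sets by iterating the statements to a fixpoint.

    Statement forms (constructed for this example):
      ("new", x, obj)       x = new T()   obj names the allocation site
      ("assign", x, y)      x = y
      ("store", x, f, y)    x.f = y
      ("load", y, x, f)     y = x.f
    Pointers are variable names or (object, field) pairs.
    """
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for stmt in stmts:
            kind = stmt[0]
            if kind == "new":
                _, x, obj = stmt
                flows = [(x, {obj})]
            elif kind == "assign":
                _, x, y = stmt
                flows = [(x, pts[y])]
            elif kind == "store":
                _, x, f, y = stmt
                flows = [((obj, f), pts[y]) for obj in pts[x]]
            elif kind == "load":
                _, y, x, f = stmt
                flows = [(y, pts[(obj, f)]) for obj in pts[x]]
            else:
                raise ValueError(f"unknown statement {stmt!r}")
            for target, objs in flows:
                if not objs <= pts[target]:
                    pts[target] |= objs
                    changed = True
    # Drop pointers with empty sets so results compare cleanly.
    return {p: frozenset(o) for p, o in pts.items() if o}


def may_alias(pts, p, q):
    """Two pointers may alias if their points-to sets share an abstract object."""
    return bool(pts.get(p, frozenset()) & pts.get(q, frozenset()))


# The slide's foo(), with both calls on `a` modelled by hand.
FOO = [
    ("new", "a", "new A"),         # A a = new A();
    ("new", "x", "new B"),         # B x = new B();
    ("assign", "this", "a"),       # a.setB(x): receiver a becomes this
    ("assign", "b", "x"),          #            argument x becomes parameter b
    ("store", "this", "b", "b"),   # this.b = b;
    ("load", "ret", "this", "b"),  # a.getB(): return this.b;  (ret is a temporary)
    ("assign", "y", "ret"),        # B y = a.getB();
]

# The alias slide's four statements.
ALIASES = [
    ("new", "p", "new C"),    # p = new C();
    ("assign", "q", "p"),     # q = p;
    ("new", "x", "new X"),    # x = new X();
    ("new", "y", "new Y"),    # y = new Y();
]

if __name__ == "__main__":
    for pointer, objs in solve(FOO).items():
        print(pointer, "->", sorted(objs))
    alias_pts = solve(ALIASES)
    print("p/q alias:", may_alias(alias_pts, "p", "q"))
    print("x/y alias:", may_alias(alias_pts, "x", "y"))
```

Because the analysis is flow-insensitive, running it on the statements in reverse order yields the same points-to sets.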

Applications of Pointer Analysis
• Fundamental information
  o Call graph, aliases, …
• Compiler optimization
  o Virtual call inlining, …
• Bug detection
  o Null pointer detection, …
• Security analysis
  o Information flow analysis, …
• And many more …

“Pointer analysis is one of the most fundamental static program analyses, on which virtually all others are built.”*
*Pointer Analysis - Report from Dagstuhl Seminar 13162. 2013.

Key Factors in Pointer Analysis
• Pointer analysis is a complex system
• Multiple factors affect the precision and efficiency of the system

| Factor | Problem | Choice |
|---|---|---|
| Heap abstraction | How to model heap memory? | • Allocation-site • Storeless |
| Context sensitivity | How to model calling contexts? | • Context-sensitive • Context-insensitive |
| Flow sensitivity | How to model control flow? | • Flow-sensitive • Flow-insensitive |
| Analysis scope | Which parts of program should be analyzed? | • Whole-program • Demand-driven |

Heap Abstraction
How to model heap memory?
• In dynamic execution, the number of heap objects can be unbounded due to loops and recursion

    for (…) {
        A a = new A();
    }

• To ensure termination, heap abstraction models dynamically allocated, unbounded concrete objects as finite abstract objects for static analysis

Dynamic execution (unbounded concrete objects) → abstracted → Static analysis (bounded abstract objects)
Vini Kanvar, Uday P. Khedker, “Heap Abstractions for Static Analysis”. ACM CSUR 2016

Allocation-Site Abstraction
The most commonly-used heap abstraction
• Model concrete objects by their allocation sites
• One abstract object per allocation site to represent all its allocated concrete objects

    1 for (i = 0; i < 3; ++i) {
    2     a = new A();
    3     …
    4 }

Dynamic execution: 𝑜2 (iteration i = 0), 𝑜2 (iteration i = 1), 𝑜2 (iteration i = 2)
→ abstracted →
Allocation-site abstraction: 𝑜2

The number of allocation sites in a program is bounded, thus the abstract objects must be finite.
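
Added example (not from the original slides): a Python sketch that executes the loop above concretely, applies the allocation-site abstraction, and measures both the bound on abstract objects and the precision lost when objects from different iterations are merged. It goes slightly beyond the slide by assuming that line 3 (shown as `…` on the slide) is the constructed statement `a.f = new B();`; all function names are assumptions.

```python
from itertools import product


def run_concrete(iterations):
    """Execute the loop concretely.

    Each concrete object is an (allocation_line, iteration) pair.
    Returns (objects, edges), where edges holds (A object, "f", B object).
    """
    objects, edges = [], set()
    for i in range(iterations):
        a = (2, i)   # line 2: a = new A();
        b = (3, i)   # line 3: a.f = new B();  (constructed; the slide shows "…")
        objects += [a, b]
        edges.add((a, "f", b))
    return objects, edges


def alpha(obj):
    """Allocation-site abstraction: keep the allocation line, drop the iteration."""
    line, _iteration = obj
    return f"o{line}"


def abstract(objects, edges):
    """Abstract heap: one object per allocation site, edges lifted through alpha."""
    abs_objects = {alpha(o) for o in objects}
    abs_edges = {(alpha(src), f, alpha(dst)) for src, f, dst in edges}
    return abs_objects, abs_edges


def admitted(abs_edges, objects):
    """Concrete field edges that the abstract heap cannot rule out."""
    return {
        (src, f, dst)
        for src, dst in product(objects, repeat=2)
        for a_src, f, a_dst in abs_edges
        if alpha(src) == a_src and alpha(dst) == a_dst
    }


def summarize(iterations):
    """Compare the concrete heap with what its abstraction admits."""
    objects, edges = run_concrete(iterations)
    abs_objects, abs_edges = abstract(objects, edges)
    may = admitted(abs_edges, objects)
    return {
        "concrete_objects": len(objects),
        "abstract_objects": abs_objects,
        "abstract_edges": abs_edges,
        "sound": edges <= may,                # every real edge is covered
        "spurious_edges": len(may - edges),   # over-approximation cost
    }


if __name__ == "__main__":
    for n in (3, 50):
        print(n, summarize(n))
```

The abstract heap stays at two objects and one field edge however many iterations run, while the number of spurious concrete edges it admits grows with the iteration count: this is the over-approximation that makes pointer analysis a may-analysis.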
Context SensitivityHow to model calling contexts?
52
a.foo(x); b.foo(y);
Context 1:
void foo(T p) {…
}
Context-sensitive Context-insensitive
Distinguish different calling contexts of a method
Merge all calling contexts of a method
Analyze each method multiple times, once for each context
Analyze each method once
Context 2:
void foo(T p) {…
}
Tian Tan @ Nanjing University
a.foo(x); b.foo(y);
void foo(T p) {…
}
Context Sensitivity: How to model calling contexts?

| Context-sensitive | Context-insensitive |
| --- | --- |
| Distinguish different calling contexts of a method | Merge all calling contexts of a method |
| Analyze each method multiple times, once for each context | Analyze each method once |
| Very useful technique; significantly improves precision; more details in later lectures | We start with this |

Context-sensitive: for the calls a.foo(x); b.foo(y); the method foo is analyzed once per context:

    Context 1:
    void foo(T p) {…
    }

    Context 2:
    void foo(T p) {…
    }

Context-insensitive: for the calls a.foo(x); b.foo(y); the method foo is analyzed once:

    void foo(T p) {…
    }
Flow Sensitivity: How to model control flow?

| Flow-sensitive | Flow-insensitive |
| --- | --- |
| Respect the execution order of the statements | Ignore the control-flow order, treat the program as a set of unordered statements |
| Maintain a map of points-to relations at each program location | Maintain one map of points-to relations for the whole program |

So far, all data-flow analyses we have learnt are flow-sensitive.
Example:

    1 c = new C();
    2 c.f = "x";
    3 s = c.f;
    4 c.f = "y";

Flow-sensitive (one map per program location):

    after line 1: c ➝ {o1}
    after line 2: c ➝ {o1}, o1.f ➝ {"x"}
    after line 3: c ➝ {o1}, o1.f ➝ {"x"}, s ➝ {"x"}
    after line 4: c ➝ {o1}, o1.f ➝ {"y"}, s ➝ {"x"}

Flow-insensitive (one map for the whole program; chosen in this course):

    c ➝ {o1}
    o1.f ➝ {"x", "y"}
    s ➝ {"x", "y"}    ("y" is a false positive)
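The four-statement example above, worked as code. This is an added example, not code from the lecture or from any analysis framework: it runs a flow-sensitive pass and a flow-insensitive fixed point over the same statements. The tuple encoding of statements, the function names and the treatment of string literals as objects are assumptions of this example, and it covers straight-line code only.

```python
from copy import deepcopy

# Constructed input: the slide's program. String literals stand for objects.
PROGRAM = [
    ("new",   "c", "o1"),        # 1  c = new C();
    ("store", "c", "f", '"x"'),  # 2  c.f = "x";
    ("load",  "s", "c", "f"),    # 3  s = c.f;
    ("store", "c", "f", '"y"'),  # 4  c.f = "y";
]


def _operand(var_pts, operand):
    """Objects an operand may denote; a literal is its own object."""
    if operand.startswith('"'):
        return {operand}
    return set(var_pts.get(operand, ()))


def flow_sensitive(program):
    """Walk statements in execution order; return one map pair per location."""
    var_pts, field_pts, snapshots = {}, {}, []
    for stmt in program:
        kind = stmt[0]
        if kind == "new":
            var_pts[stmt[1]] = {stmt[2]}             # old value of x is killed
        elif kind == "assign":
            var_pts[stmt[1]] = _operand(var_pts, stmt[2])
        elif kind == "store":
            _, x, f, y = stmt
            bases, value = var_pts.get(x, set()), _operand(var_pts, y)
            for o in bases:
                if len(bases) == 1:
                    # Strong update: sound here because o1 stands for exactly
                    # one concrete object in this straight-line program.
                    field_pts[(o, f)] = set(value)
                else:                                # weak update: only add
                    field_pts.setdefault((o, f), set()).update(value)
        elif kind == "load":
            _, y, x, f = stmt
            loaded = set()
            for o in var_pts.get(x, set()):
                loaded |= field_pts.get((o, f), set())
            var_pts[y] = loaded
        snapshots.append((deepcopy(var_pts), deepcopy(field_pts)))
    return snapshots


def flow_insensitive(program):
    """Treat the program as an unordered set; one map that only grows."""
    var_pts, field_pts = {}, {}
    changed = True
    while changed:                                   # iterate to a fixed point
        changed = False
        for stmt in program:
            kind, updates = stmt[0], []              # (target set, objects)
            if kind == "new":
                updates.append((var_pts.setdefault(stmt[1], set()), {stmt[2]}))
            elif kind == "assign":
                updates.append((var_pts.setdefault(stmt[1], set()),
                                _operand(var_pts, stmt[2])))
            elif kind == "store":
                _, x, f, y = stmt
                for o in var_pts.get(x, set()):
                    updates.append((field_pts.setdefault((o, f), set()),
                                    _operand(var_pts, y)))
            elif kind == "load":
                _, y, x, f = stmt
                for o in var_pts.get(x, set()):
                    updates.append((var_pts.setdefault(y, set()),
                                    set(field_pts.get((o, f), set()))))
            for target, objs in updates:
                if not objs <= target:
                    target |= objs
                    changed = True
    return var_pts, field_pts


def spurious(program, var):
    """Objects reported for var by the flow-insensitive result that no
    flow-sensitive program location reports (the slide's false positive)."""
    seen = set()
    for var_pts, _ in flow_sensitive(program):
        seen |= var_pts.get(var, set())
    return flow_insensitive(program)[0].get(var, set()) - seen
```

Running `flow_insensitive` on the reversed statement list gives the same maps, which is what "a set of unordered statements" means in practice.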
Analysis Scope: Which parts of program should be analyzed?

| Whole-program | Demand-driven |
| --- | --- |
| Compute points-to information for all pointers in the program | Only compute points-to information for the pointers that may affect specific sites of interest (on demand) |
| Provide information for all possible clients | Provide information for specific clients |

    1 x = new A();
    2 y = x;
    3 …
    4 z = new T();
    5 z.bar();

Whole-program (chosen in this course):

    x ➝ {o1}
    y ➝ {o1}
    z ➝ {o4}

Demand-driven. Client: call graph construction. Site of interest: line 5. What points-to information do we need?

    z ➝ {o4}
Pointer Analysis in This Course

| Factor | Problem | Choice |
| --- | --- | --- |
| Heap abstraction | How to model heap memory? | Allocation-site; Storeless |
| Context sensitivity | How to model calling contexts? | Context-sensitive; Context-insensitive |
| Flow sensitivity | How to model control flow? | Flow-sensitive; Flow-insensitive |
| Analysis scope | Which parts of program should be analyzed? | Whole-program; Demand-driven |
What Do We Analyze?
• Modern languages typically have many kinds of statements
  • if-else
  • switch-case
  • for/while/do-while
  • break/continue
  • …
  (These do not directly affect pointers and are ignored in pointer analysis)
• We only focus on pointer-affecting statements
Pointers in Java
• Local variable: x
• Static field: C.f (sometimes referred to as a global variable)
• Instance field: x.f (modeled as an object, pointed to by x, with a field f)
• Array element: array[i] (ignore indexes; modeled as an object, pointed to by array, with a single field, say arr, which may point to any value stored in the array)

Real code:

    array = new String[10];
    array[0] = "x";
    array[1] = "y";
    s = array[0];

Perspective of pointer analysis:

    array = new String[];
    array.arr = "x";
    array.arr = "y";
    s = array.arr;
Pointer-Affecting Statements

| Kind | Statement |
| --- | --- |
| New | x = new T() |
| Assign | x = y |
| Store | x.f = y |
| Load | y = x.f |
| Call | r = x.k(a, …) |

Complex memory accesses will be converted to three-address code by introducing temporary variables:

    x.f.g.h = y;

becomes

    t1 = x.f
    t2 = t1.g
    t2.h = y;

Kinds of call:
• Static call: C.foo()
• Special call: super.foo() / x.<init>() / this.privateFoo()
• Virtual call: x.foo() (focus)
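The two normalisations described above, as an added example that is not code from the lecture or from any analysis framework: it lowers nested field accesses to three-address Load/Store statements with fresh temporaries, and rewrites array element accesses to the single pseudo-field arr from "Pointers in Java". The string statement format, the function names and the `(kind, text)` output are assumptions of this example; Call statements are rejected rather than handled.

```python
import re
from itertools import count

_PATH = re.compile(r'[A-Za-z_]\w*(?:\.\w+|\[[^\]]*\])*')
_STEP = re.compile(r'\.(\w+)|\[[^\]]*\]')


def _split_path(path):
    """'x.f.g' -> ('x', ['f', 'g']); 'array[i]' -> ('array', ['arr'])."""
    if not _PATH.fullmatch(path):
        raise ValueError(f"unsupported access path: {path!r}")
    base = re.match(r'[A-Za-z_]\w*', path).group(0)
    # An index step becomes the pseudo-field 'arr': indexes are ignored.
    fields = [m.group(1) or "arr" for m in _STEP.finditer(path, len(base))]
    return base, fields


def lower(statement, fresh=None):
    """Lower one 'lhs = rhs' statement to a list of (kind, text) statements,
    each with at most one field access."""
    fresh = fresh if fresh is not None else (f"t{i}" for i in count(1))
    lhs, rhs = (side.strip() for side in statement.rstrip("; ").split("=", 1))
    out = []

    def load_chain(base, fields):
        """Emit one Load per field; return the variable holding the result."""
        for f in fields:
            tmp = next(fresh)
            out.append(("Load", f"{tmp} = {base}.{f}"))
            base = tmp
        return base

    l_base, l_fields = _split_path(lhs)
    target = load_chain(l_base, l_fields[:-1])      # all but the last LHS step

    if rhs.startswith("new "):
        alloc = re.sub(r'\[[^\]]*\]', '[]', rhs)    # array length is not modelled
        if not l_fields:
            return out + [("New", f"{lhs} = {alloc}")]
        value = next(fresh)                          # x.f = new T() needs a temp
        out.append(("New", f"{value} = {alloc}"))
    elif rhs.startswith('"'):
        value = rhs                                  # literal used as an operand
    else:
        r_base, r_fields = _split_path(rhs)
        if not l_fields:
            if not r_fields:
                return [("Assign", f"{lhs} = {rhs}")]
            src = load_chain(r_base, r_fields[:-1])
            return out + [("Load", f"{lhs} = {src}.{r_fields[-1]}")]
        value = load_chain(r_base, r_fields)         # reduce RHS to a variable

    if not l_fields:
        return out + [("Assign", f"{lhs} = {value}")]
    return out + [("Store", f"{target}.{l_fields[-1]} = {value}")]


def lower_program(statements):
    """Lower a list of statements; temporaries are unique across the program."""
    fresh = (f"t{i}" for i in count(1))
    return [s for stmt in statements for s in lower(stmt, fresh)]
```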
The X You Need To Understand in This Lecture
• What is pointer analysis?
• Understand the key factors of pointer analysis
• Understand what we analyze in pointer analysis
Nanjing University
Yue Li
Tian Tan
Department of Computer Science and Technology
Programming Languages and Static Analysis Group
Software Analysis