Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,

Published byBethanie Powers Modified over 7 years ago

Similar presentations

Presentation on theme: "Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,"— Presentation transcript:

1 Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September, 2016 1

2 A New Pointer Analysis for Object-Oriented Programs 2

3 Pointer Analysis Determine “which objects can a variable point to?” Foundation of many clients: ◦ Bug detection ◦ Security analysis ◦ Compiler optimization ◦ Program understanding ◦ … 3

4 Object-Oriented Programs Java, C#, Object-C, JavaScript, … ◦ Embedded software: ◦ Mobile application: ◦ Web server: ◦ Desktop application: 4

5 A Practically Useful Pointer Analysis for Object-Oriented Programs 5

6 Good Context Abstraction (Context Sensitivity) 6

7 A Practically Useful Pointer Analysis for Object-Oriented Programs Good Context Abstraction (Context Sensitivity) 7 k-CFA (call-site-sensitivity), type-sensitivity, …

8 Object-Sensitivity Arguably the best context abstraction for pointer analysis for object-oriented programs 8

9 Object-Sensitivity Widely used in diverse real-world clients ◦ Property Verification (e.g., API protocol) ISSTA’06, TOSEM’08, PLDI’14, FSE’15, … ◦ Bug Detection (e.g., data race, deadlock) PLDI’06, ICSE’09, ISSTA’13, OOPSLA’15, … ◦ Security Analysis (e.g., taint analysis) PLDI’09, IEEE S&P’11, FSE’14, NDSS’15, FSE’15, … ◦ Other Fundamental Analyses (e.g., slicing) PLDI’07, PLDI’14, ICSE’14, ECOOP’16, … 9

10 Object-Sensitivity Widely implemented in analysis platforms A PPOSCOPY Chord 10

11 What is Object-Sensitivity? Objects (allocation sites) as contexts k-CFA  k-obj 11

12 A Code Example class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } 12

13 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } 1-CFA (call-site) ContextVariableObject [a1.foo()]v… [a2.foo()]v… 13

14 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } 1-obj (allocation-site of receiver object) 14 ContextVariableObject [A/1]v… [A/2]v…

15 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } k-obj when k > 1? 15

16 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } 2-obj (allocation-sites of 2 “consecutive” receiver objects) class C { void m() { B b = new B(); // B/1 b.bar(); } 16 ContextVariableObject [B/1,A/1]v… [B/1,A/2]v…

17 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } class C { void m() { B b = new B(); // B/1 b.bar(); } A/1 A/2 B/1 17 ContextVariableObject [B/1,A/1]v… [B/1,A/2]v… 2-obj (allocation-sites of 2 “consecutive” receiver objects)

18 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } class C { void m() { B b = new B(); // B/1 b.bar(); } A/1 A/2 B/1 k = 1 k = 2 18 ContextVariableObject [B/1,A/1]v… [B/1,A/2]v… 2-obj (allocation-sites of 2 “consecutive” receiver objects)

19 class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } class A { void foo() { v = … } class C { void m() { B b = new B(); // B/1 b.bar(); } A/1 A/2 B/1 k = 1 k = 2 19 ContextVariableObject [B/1,A/1]v… [B/1,A/2]v… 2-obj (allocation-sites of 2 “consecutive” receiver objects) Object Allocation Graph (OAG)

20 An Observation Redundant Context Element 20

21 An Observation Redundant Context Element HashSet/1HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* 21

22 3-obj Contexts fully separated Precise HashSet/1HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* Two contexts: [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] k = 1 k = 3 k = 2 22

23 3-obj Contexts fully separated Precise HashSet/1HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* k = 1 k = 3 k = 2 3-obj is unscalable Two contexts: [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] 23

24 2-obj Contexts not separated HashSet/1HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* k = 1 k = 2 One context: [HashMap/1,Entry/1] 24

25 2-obj Contexts not separated Imprecise HashSet/1HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* k = 1 k = 2 One context: [HashMap/1,Entry/1] 25

26 2-obj Contexts not separated Imprecise Redundant context elements used HashSet/1HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* k = 1 k = 2 One context: [HashMap/1,Entry/1] HashMap/1 as context element is redundant 26

27 This Paper: Avoid Redundant Context Element 27

28 HashSet/1HashSet/2 HashMap/1 Entry/1 k = 1 k = 2 One context: [HashMap/1,Entry/1] 2-obj 28

29 HashSet/1HashSet/2 HashMap/1 Entry/1 k = 1 k = 2 k = 1 k = 2 HashSet/1HashSet/2 HashMap/1 Entry/1 Our approach One context: [HashMap/1,Entry/1] Two contexts: [HashSet/1,Entry/1] [HashSet/2,Entry/1] Redundant one removed 2-obj 29

30 HashSet/1HashSet/2 HashMap/1 Entry/1 k = 1 k = 2 k = 1 k = 2 HashSet/1HashSet/2 HashMap/1 Entry/1 Our approach One context: [HashMap/1,Entry/1] Two contexts: [HashSet/1,Entry/1] [HashSet/2,Entry/1] Redundant one removed 2-obj Benefit: improve precision with still k-limiting 30

31 Methodology (BEAN) Context Selection Problem Graph Problem 31

32 Context Relation Object Allocation Graph (OAG) HashSet/1HashSet/2 HashMap/1 Entry/1 Context Selection Problem Graph Problem 32

33 Context Relation Object Allocation Graph (OAG) Contexts in k-objPaths in OAG HashSet/1HashSet/2 HashMap/1 Entry/1 Context Selection Problem Graph Problem 33

34 Context Relation Object Allocation Graph (OAG) Contexts in k-objPaths in OAG HashSet/1HashSet/2 HashMap/1 Entry/1 Context Selection Problem Graph Problem 34 Avoid Redundant Context Elements Select Representative Nodes to Distinguish Paths

35 An OAG 35

36 An OAG 5 contexts in k-obj 5 paths in OAG 36

37 An OAG 5 contexts in k-obj 5 paths in OAG Select Distinguish 37

38 An OAG k = 1 k = 2 k = 3 k = 4 k = 5 k = 6 k = 7 k = 8 k-obj: k = 8 (all nodes selected) 5 contexts in k-obj 5 paths in OAG Select Distinguish 38

39 An OAG 12 3 45 6 5 contexts in k-obj 5 paths in OAG Select Distinguish k-obj: k = 8 (all nodes selected) k = 1 k = 2 k = 3 BEAN: k = 3 (representative nodes selected) 39

40 An OAG 12 3 45 6 5 contexts in k-obj 5 paths in OAG Select Distinguish k-obj: k = 8 (all nodes selected) k = 1 k = 2 k = 3 BEAN: k = 3 (representative nodes selected) 5 contexts selected by BEAN: [1,3,6], [2,3,6], [1,4,6], [2,4,6], [5,6] 40

41 An OAG 12 3 45 6 5 contexts in k-obj 5 paths in OAG Select Distinguish k-obj: k = 8 (all nodes selected) k = 1 k = 2 k = 3 BEAN: k = 3 (representative nodes selected) 5 contexts selected by BEAN: [1,3,6], [2,3,6], [1,4,6], [2,4,6], [5,6] = precision 41

42 How to Select Representative Nodes to Distinguish Paths? 42

43 How to Select Representative Nodes to Distinguish Paths? Our intuition: Multiple paths 43

44 How to Select Representative Nodes to Distinguish Paths? Our intuition: Multiple paths Divergence = 44

45 How to Select Representative Nodes to Distinguish Paths? Our intuition: Multiple paths Divergence = + …… 45

46 How to Select Representative Nodes to Distinguish Paths? Our intuition: Multiple paths Divergence Confluence = + …… 46

47 How to Select Representative Nodes to Distinguish Paths? Our intuition: Multiple paths Divergence Confluence = + …… 47

48 How to Select Representative Nodes to Distinguish Paths? Our intuition: Multiple paths Divergence Confluence = + …… Representative nodes 48

49 49

50 Representative nodes 50

51 Theorem 1 Under full-object-sensitivity (when k = ∞) Precision of BEAN Precision of k-obj = 51

52 Theorem 2 Under the same k-limiting Precision of BEAN Precision of k-obj ≥ 52

53 B EAN : Framework Pointer Analysis Pointer Analysis OAG Construction Contexts Selection Points-To Information Selected Contexts OAG Chord 53

54 Open-Source Implementation www.cse.unsw.edu.au/~corg/bean 54

55 Evaluation - Clients May-Alias May-Fail-Cast Typical clients to evaluate pointer analysis’s effectiveness e.g., APLAS’15, PLDI’14, PLDI’13, POPL’11, OOPSLA’09, … 55

56 Evaluation - Analyzed Targets Standard DaCapo Java benchmarks Large Java library: JDK 1.6 Widely used programs and library in pointer analysis e.g., PLDI’14, ECOOP’14, PLDI’13, OOPSLA’13, POPL’11, … 56

57 Evaluation - Compared Analyses 1.2-CFA: 2-call-site-sensitive analysis 2.2-obj: 2-object-sensitive analysis 3.B-2-obj: B EAN -directed 2-obj 4.S-2-obj: Selective hybrids of 2-obj* 5.B-S-2-obj: B EAN -directed S-2-obj * Kastrinis et al., Hybrid Context-Sensitivity for Points-To Analysis, PLDI’13 57

58 Evaluation - Metrics Precision Performance 58

59 Precision 2 clients 5 pointer analyses (2 state-of-the-art) 9 evaluated Java programs B EAN improves the precision of both state-of-the-art analyses, under each client, for each program! 59

60

61 61 Non-alias pairs by B-2-obj (B-S-2-obj) Non-alias pairs by 2-obj (S-2-obj) May-AliasMay-Fail-Cast Safe casts by B-2-obj (B-S-2-obj) Safe casts by 2-obj (S-2-obj)

62 62 May-AliasMay-Fail-Cast Verify Theorem 2 practically Under the same k-limiting Precision of BEAN Precision of k-obj ≥ Non-alias pairs by B-2-obj (B-S-2-obj) Non-alias pairs by 2-obj (S-2-obj) Safe casts by B-2-obj (B-S-2-obj) Safe casts by 2-obj (S-2-obj)

63 Performance of B EAN CI: Context-Insensitive pointer analysis OAG: OAG construction CTX-COMP: Context Computation On Average: about 2 minutes 63

64 Evaluation Summary 64 2-CFA 1991 2-obj 2002 2-Sobj 2013 CMU ThesisISSTAPLDI M o r e P r e c i s e M o r e U s e f u l M u c h H a r d e r

65 Evaluation Summary 65 2-CFA 1991 2-obj 2002 2-Sobj 2013 CMU ThesisISSTAPLDI M o r e P r e c i s e M o r e U s e f u l M u c h H a r d e r

66 Evaluation Summary 66 2-CFA 1991 2-obj 2002 2-Sobj 2013 2-B-Sobj 2016 CMU ThesisISSTAPLDISAS M o r e P r e c i s e M o r e U s e f u l M u c h H a r d e r

67 Evaluation Summary 67 2-CFA 1991 2-obj 2002 2-Sobj 2013 2-B-Sobj 2016 CMU ThesisISSTAPLDISAS M o r e P r e c i s e M o r e U s e f u l M u c h H a r d e r Verification Bug detection Security analysis …

68 Evaluation Summary 68 2-CFA 1991 2-obj 2002 2-Sobj 2013 2-B-Sobj 2016 CMU ThesisISSTAPLDISAS M o r e P r e c i s e M o r e U s e f u l M u c h H a r d e r Verification Bug detection Security analysis … "Using static data race detection will likely show even more dramatic improvement in precision using your approach."

69 Conclusion Improve the precision of object-sensitivity by avoiding redundant context elements ◦ k-limiting, k+ precision ◦ Scalable Easily applied to other context-sensitive analyses ◦ k-CFA ◦ Type-sensitive analysis Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting 69

70 Thank you! 70 Tian Tan UNSW Australia

Download ppt "Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,"

Similar presentations

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡
Effective Static Deadlock Detection

Effective Static Deadlock Detection
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Efficient, Context-Sensitive Dynamic Analysis via Calling Context Uptrees Jipeng Huang, Michael D. Bond Ohio State University.

Efficient, Context-Sensitive Dynamic Analysis via Calling Context Uptrees Jipeng Huang, Michael D. Bond Ohio State University.
Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January 2009 1 Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.

Refinement-Based Context-Sensitive Points-To Analysis for JAVA Soonho Kong 17 January Work of Manu Sridharan and Rastislav Bodik, UC Berkeley.
Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.

Pointer Analysis Lecture 2 G. Ramalingam Microsoft Research, India.
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.

1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.

1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.

Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.

Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.

Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.

Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Finding Low-Utility Data Structures Guoqing Xu 1, Nick Mitchell 2, Matthew Arnold 2, Atanas Rountev 1, Edith Schonberg 2, Gary Sevitsky 2 1 Ohio State.

Finding Low-Utility Data Structures Guoqing Xu 1, Nick Mitchell 2, Matthew Arnold 2, Atanas Rountev 1, Edith Schonberg 2, Gary Sevitsky 2 1 Ohio State.
Software Bloat Analysis: Detecting, Removing, and Preventing Performance Problems in Modern Large- Scale Object-Oriented Applications Guoqing Xu, Nick.

Software Bloat Analysis: Detecting, Removing, and Preventing Performance Problems in Modern Large- Scale Object-Oriented Applications Guoqing Xu, Nick.
Scaling CFL-Reachability-Based Points- To Analysis Using Context-Sensitive Must-Not-Alias Analysis Guoqing Xu, Atanas Rountev, Manu Sridharan Ohio State.

Scaling CFL-Reachability-Based Points- To Analysis Using Context-Sensitive Must-Not-Alias Analysis Guoqing Xu, Atanas Rountev, Manu Sridharan Ohio State.
1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.

1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.

Similar presentations

Ads by Google