Context Sensitive Points-to Analysis
Saad Bashir Alvi
Context-Sensitive Formulation
A language Lc that filters unrealizable paths.
It only needs to model program semantics related to method calls and returns.
A field-sensitive and context-sensitive points-to analysis can be formulated as reachability over the intersection of LF and Lc.
The formulation here both filters unrealizable paths and yields a context-sensitive heap abstraction.

Specifying Lc
Context Sensitive Formulation
Context-free grammar for Lc
Context Sensitive Formulation
Code Example

    static Object id(Object o) {
        return o;
    }
    main() {
        x = new Object();
        y = new Object();
        a = id(x);
        b = id(y);
    }

[Figure: Graph Representation]
Context Sensitive Formulation
Lc Path from o5 to a

[Figure: Graph Representation]

    o5 new x param[7] pid assign retid return[7] a
    o5 nonCallTerm x callEntry[7] pid nonCallTerm retid callExit[7] a
    o5 balanced x balanced a
    o5 balanced a

a is LcF-reachable from o5.
No Lc-path from o5 to b.
LcF-reachability keeps the two calls separate by filtering out unrealizable paths.
Context Sensitive Formulation
Handling Globals

Graph edges representing global accesses can connect locals in different methods.
These edges allow paths to connect local variables in distinct methods without including the call entry and exit edges.
PROBLEM: Without modification, Lc-reachability would unsoundly filter some paths with assignglobal edges. This can occur when a call entry edge precedes assignglobal edges on a path, but those assignglobal edges lead to a local in a distinct method.
SOLUTION: Add callExit[i] self-edges, for all possible i, on all global variable nodes.
Context Sensitive Formulation
Code Example (Handling of Globals)

    class A { static obj f; }
    obj rf() {
        return A.f;
    }
    void wf(obj p) {
        A.f = p;
    }
    main() {
        obj x = new obj();
        wf(x);
        obj y = rf();
    }

[Figure: Graph Representation]
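
Added example (not from the original slides): Lc-reachability for the id() example and the globals example above, implemented as a search over (node, stack of unmatched call sites) states. The node o6, call site 8, the call-site labels "wf"/"rf", the depth bound, and the acceptance of a callExit on an empty stack are assumptions, because the grammar for Lc is not reproduced on this page.

```python
from collections import deque

NC = "nonCallTerm"  # any non-call edge: new, assign, assignglobal

def lc_reachable(edges, src, max_depth=8):
    """Nodes reachable from src along a realizable (Lc) path.

    A call edge is labelled ("callEntry", i) or ("callExit", i). Assumption:
    a callExit met with an empty stack is accepted (partially balanced path).
    """
    succ = {}
    for a, label, b in edges:
        succ.setdefault(a, []).append((label, b))
    seen = {(src, ())}
    work = deque(seen)
    while work:
        node, stack = work.popleft()
        for label, nxt in succ.get(node, []):
            if label == NC or (label[0] == "callExit" and not stack):
                new = stack
            elif label[0] == "callEntry" and len(stack) < max_depth:
                new = stack + (label[1],)   # remember the open call site
            elif label[0] == "callExit" and stack[-1] == label[1]:
                new = stack[:-1]            # matched return
            else:
                continue    # mismatched return (or depth bound hit): filtered
            if (nxt, new) not in seen:
                seen.add((nxt, new))
                work.append((nxt, new))
    return {n for n, _ in seen}

def add_global_self_edges(edges, global_nodes, call_sites):
    """The SOLUTION above: callExit[i] self-edges on every global, for every i."""
    extra = [(g, ("callExit", i), g) for g in global_nodes for i in call_sites]
    return edges + extra

# id() example. o5 and call site 7 are from the slides; o6 and 8 are assumed.
ID_GRAPH = [
    ("o5", NC, "x"), ("o6", NC, "y"),
    ("x", ("callEntry", 7), "pid"), ("y", ("callEntry", 8), "pid"),
    ("pid", NC, "retid"),
    ("retid", ("callExit", 7), "a"), ("retid", ("callExit", 8), "b"),
]
# Globals example; node names and call-site labels "wf"/"rf" are constructed.
GLOBAL_GRAPH = [
    ("o", NC, "x"), ("x", ("callEntry", "wf"), "p"), ("p", NC, "A.f"),
    ("A.f", NC, "ret_rf"), ("ret_rf", ("callExit", "rf"), "y"),
]
FIXED = add_global_self_edges(GLOBAL_GRAPH, ["A.f"], ["wf", "rf"])
```

On GLOBAL_GRAPH the search drops y from the result for o, because callExit["rf"] meets an open callEntry["wf"]; on FIXED the self-edge on A.f closes that call first and y is reached.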
Context Sensitive Formulation
Heap Abstraction

Lc-reachability tracks the unmatched callEntry[i] edges on paths through abstract location nodes.
It is equivalent to creating a copy of the abstract location particular to that sequence of call entries, yielding a context-sensitive heap abstraction.
Refinement-based Context-Sensitive Points-to Analysis
Types of Context-sensitivity

Filtering-out of unrealizable paths
    Calls and returns are matched.
A context-sensitive heap abstraction
    Objects allocated by the same statements in different calling contexts are distinguished.
A context-sensitive call graph
    Targets of virtual calls are computed separately for each calling context.
Refinement-based Context-Sensitive Points-to Analysis
Algorithm Overview

Fully context-sensitive and field-sensitive points-to analysis is undecidable.
Checking for both balanced field and method call parentheses requires reachability over the intersection of a context-free and a regular language.
Assume the presence of an ahead-of-time call graph.
The analysis requires CFL-reachability with language Lscf = Lsf ∩ Rsc over Σp.
Refinement-based Context-Sensitive Points-to Analysis
Algorithm Overview

Paths to illustrate the behaviour of the context-sensitive refinement algorithm.
Context Sensitive Analysis
Code Example (Points-to Analysis Algorithm)

    class Vector {
        Object[] elems; int count;
        Vector() { t = new Object[10]; this.elems = t; }
        void add(Object p) {
            t = this.elems; t[count++] = p; // writes t.arr
        }
        Object get(int ind) {
            t = this.elems; return t[ind]; // reads t.arr
        }
        ...
    }
    class AddrBook {
        private Vector names;
        AddrBook() { t = new Vector(); this.names = t; }
        void addEntry(String n, ...) {
            t = this.names; ...; t.add(n);
        }
        void update() {
            t = this.names;
            for (int i = 0; i < t.size(); i++) {
                Object name = t.get(i);
                // is this cast safe?
                String nameStr = (String)name;
            }
        }
    }
    void useVec() {
        Vector v = new Vector();
        Integer i1 = new Integer();
        v.add(i1);
        Integer i2 = (Integer)v.get(0);
    }

[Figure: Graph Representation]
Conclusion
Following it with On-The-Fly Call graph