efficient and precise points to analysis
play

Efficient and Precise Points-to Analysis: Modeling the Heap by - PowerPoint PPT Presentation

Sep 10, 2022 •115 likes •800 views

Efficient and Precise Points-to Analysis: Modeling the Heap by Merging Equivalent Automata Tian Tan, Yue Li and Jingling Xue PLDI 2017 June, 2017 1 A New Points-to Analysis T echnique for Object-Oriented Programs 2 Points-to Analysis

  1. Efficient and Precise Points-to Analysis: Modeling the Heap by Merging Equivalent Automata Tian Tan, Yue Li and Jingling Xue PLDI 2017 June, 2017 1

  2. A New Points-to Analysis T echnique for Object-Oriented Programs 2

  3. Points-to Analysis  Determines ◦ “which objects a variable can point to?” 3

  4. Uses of Points-to Analysis Clients Tools  Security analysis  Bug detection  Compiler optimization Chord  Program verification  Program understanding …  … 4

  5. Uses of Points-to Analysis Clients Tools  Security analysis  Bug detection  Compiler optimization Chord  Program verification  Program understanding …  … Call Graph 5

  6. Existing Call Graph Construction  On-the-fly construction (run with points-to analysis) ◦ Precise ◦ Inefficient 6

  7. Existing Call Graph Construction  On-the-fly construction (run with points-to analysis) ◦ Precise ◦ Inefficient  3-object-sensitive points-to analysis ◦ Very precise ◦ Adopted by, e.g., Chord 7 7

  8. 3-Object-Sensitive Points-to Analysis  Analyze Java programs ◦ Intel Xeon E5 3.70GHz,128GB of memory ◦ Time budget: 5 hours (18000 secs) 8

  9. 3-Object-Sensitive Points-to Analysis  Analyze Java programs ◦ Intel Xeon E5 3.70GHz,128GB of memory ◦ Time budget: 5 hours (18000 secs) Analysis time (sec.) 14469 pmd (4 hours) Unscalable findbugs (> 5 hours) 0 5000 10000 15000 9

  10. T wo Mainstreams of Points-to Analysis T echniques  Model control-flow  Model data-flow 10

  11. T wo Mainstreams of Points-to Analysis T echniques  Model control-flow ◦ Context-sensitivity  Call-site- sensitivity (PLDI’04, PLDI’06)  Object- sensitivity (ISSTA’02, TOSEM’05, SAS’16)  Type- sensitivity (POPL’11)  …  Model data-flow 11

  12. T wo Mainstreams of Points-to Analysis T echniques  Model control-flow ◦ Context-sensitivity  Call-site- sensitivity (PLDI’04, PLDI’06)  Object- sensitivity (ISSTA’02, TOSEM’05, SAS’16)  Type- sensitivity (POPL’11)  …  Model data-flow ◦ Heap abstraction  Allocation-site abstraction  Type-based abstraction  … 12

  13. T wo Mainstreams of Points-to Analysis T echniques  Model control-flow ◦ Context-sensitivity  Call-site- sensitivity (PLDI’04, PLDI’06)  Object- sensitivity (ISSTA’02, TOSEM’05, SAS’16)  Type- sensitivity (POPL’11)  …  Model data-flow ◦ Heap abstraction  Allocation-site abstraction  Type-based abstraction  … 13

  14. Heap Abstraction Dynamic Static execution analysis abstracted or partitioned … … Finite Infinite-size (abstract) heap objects 14

  15. Allocation-Site Abstraction  One object per allocation site 1 A a1 = new A(); 2 A a2 = new A(); 3 B b = new B() ; 15

  16. Allocation-Site Abstraction  One object per allocation site o 1 A 1 A a1 = new A(); A o 2 2 A a2 = new A(); 3 B b = new B() ; o 3 B 16

  17. Allocation-Site Abstraction  One object per allocation site ◦ Adopted by all mainstream points-to analyses o 1 A 1 A a1 = new A(); A o 2 2 A a2 = new A(); 3 B b = new B() ; o 3 B 17

  18. Allocation-Site Abstraction  Over-partition for call graph construction o 1 o 2 A A o 1 A 1 A a1 = new A(); void foo(Object o) { o.toString(); 2 A a2 = new A(); A o 2 3 foo(a1); } 4 foo(a2); A::toString() 18

  19. Allocation-Site Abstraction  Over-partition for type-dependent clients ◦ Call graph construction ◦ Devirtualization ◦ May-fail casting o 1 o 2 A A ◦ … o 1 A 1 A a1 = new A(); void foo(Object o) { o.toString(); 2 A a2 = new A(); A o 2 3 foo(a1); A a = (A) o; 4 foo(a2); } 19

  20. Type-Based Abstraction  One object per type 1 A a1 = new A(); 2 A a2 = new A(); 3 B b = new B() ; 20

  21. Type-Based Abstraction  One object per type A o 1 A a1 = new A(); 2 A a2 = new A(); B o 3 B b = new B(); 21

  22. Type-Based Abstraction  Precision loss for type-dependent clients A o A a1 = new A(); A a2 = new A(); B o B b = new B(); C c = new C(); C o a1.f = b; a2.f = c; Object o = a1.f; o.toString(); 22

  23. Type-Based Abstraction  Precision loss for type-dependent clients A o A a1 = new A(); A a2 = new A(); B o B b = new B(); C c = new C(); C o B o A o a1.f = b; a2.f = c; C o Object o = a1.f; o.toString(); 23

  24. Type-Based Abstraction  Precision loss for type-dependent clients A o A a1 = new A(); A a2 = new A(); B o B b = new B(); C c = new C(); C o B o A o a1.f = b; a2.f = c; C o B o Object o = a1.f; o.toString(); C o 24

  25. Type-Based Abstraction  Precision loss for type-dependent clients A o A a1 = new A(); A a2 = new A(); B o B b = new B(); C c = new C(); C o B o A o a1.f = b; a2.f = c; C o B o Object o = a1.f; B::toString() o.toString(); C o C::toString() 25

  26. Type-Based Abstraction  Precision loss for type-dependent clients A o A a1 = new A(); A a2 = new A(); B o B b = new B(); C c = new C(); C o B o A o a1.f = b; a2.f = c; C o B o Object o = a1.f; B::toString() o.toString(); C o C::toString() False positive 26

  27. Our Goal: Improve Efficiency Preserve Precision 27

  28. M AHJONG : A New Heap Abstraction Analysis Time (sec.) 128 14469 pmd (4 fours) 524 Unscalable findbugs (> 5 hours) MAHJONG Allocation-site abstraction Improve Efficiency Adopted by all mainstream points-to analyses 28

  29. M AHJONG : A New Heap Abstraction Analysis Time (sec.) 128 14469 pmd (4 fours) 524 Unscalable findbugs (> 5 hours) MAHJONG Allocation-site abstraction Improve Efficiency Adopted by all mainstream points-to analyses #call graph edges 44016 pmd 44004 MAHJONG Allocation-site abstraction Preserve Precision 29

  30. M AHJONG : A New Heap Abstraction Analysis Time (sec.) 128 14469 pmd (4 fours) 524 Unscalable findbugs (> 5 hours) MAHJONG Allocation-site abstraction Improve Efficiency Adopted by all mainstream points-to analyses #call graph edges 44016 pmd 44004 MAHJONG Allocation-site abstraction Preserve Precision How? 30

  31. alleviate Merging Objects Over-Partition cause Blindly Merging Objects Precision Loss 31

  32. alleviate Merging Objects Over-Partition cause Blindly Merging Objects Precision Loss f o 3 o 1 B A f o 4 C o 2 A inconsistent inconsistent types types 32

  33. alleviate Merging Objects Over-Partition cause Blindly Merging Objects Precision Loss f B o 3 o 1 B A o f A o f f C o 4 o C o 2 A inconsistent types 33

  34. Type-Consistent Objects  Definition T and O j T are type-consistent objects, O i if for every sequence of field names, = f 1 . f 2 . ... . f n : f O i T . and O j T . point to the objects of the f f same types. 34

  35. Type-Consistent Objects  Definition T and O j T are type-consistent objects, O i if for every sequence of field names, = f 1 . f 2 . ... . f n : f O i T . and O j T . point to the objects of the f f same types. M AHJONG only merges type-consistent objects 35

  36. Type-Consistent Objects  Example o 7 Y h h o 3 T f U o 9 Y o 1 g k o 11 o 5 Y X o 4 U h f o 2 T o 8 Y g o 6 X k 36

  37. Type-Consistent Objects  Example O 1 O 2 T T o 7 Y h .f U U h o 3 T f U o 9 Y o 1 .f.h Y Y g k o 11 o 5 Y X .g X X .g.k Y Y o 4 U h f o 2 T o 8 Y g o 6 X k 37

  38. Type-Consistent Objects  Example ∵ O 1 O 2 T T o 7 Y h .f U U h o 3 T f U o 9 Y o 1 .f.h Y Y g k o 11 o 5 Y X .g X X .g.k Y Y o 4 U h f T and O 2 T are o 2 T o 8 Y O 1 ∴ type-consistent objects g o 6 X k 38

  39. How to Check Type-Consistency? 39

  40. Our Solution: Sequential Automata Check Test T ype-Consistency Equivalence of Objects of Automata 40

  41. Sequential Automata  6-tuple (Q, Σ , δ , q 0 , Γ , γ ), where: ◦ Q is a set of states ◦ Σ is a set of input symbols ◦ δ is the next-state map: Q × Σ  P (Q) ◦ q 0 is the initial state ◦ Γ is a set of output symbols ◦ γ is the output map: Q  Γ 41

  42. Check Test T ype-Consistency Equivalence of Objects of Automata How? 42

  43. Objects Automata  A set of objects  Q: a set of states  A set of field names  Σ : a set of input symbols  δ : the next-state map  The field points-to map  The object to be checked  q 0 : the initial state  A set of types  Γ : a set of output symbols  The object-to-type map  γ : the output map o 4 U h f o 2 T o 8 Y o 6 X g k 43

  44. Objects Automata  A set of objects  Q: a set of states  A set of field names  Σ : a set of input symbols  δ : the next-state map  The field points-to map  The object to be checked  q 0 : the initial state  A set of types  Γ : a set of output symbols  The object-to-type map  γ : the output map objects ↔ states o 4 U h f O 2 T , O 4 U , O 6 X , O 8 Y o 2 T o 8 Y o 6 X g k 44

  45. Objects Automata  A set of objects  Q: a set of states  A set of field names  Σ : a set of input symbols  δ : the next-state map  The field points-to map  The object to be checked  q 0 : the initial state  A set of types  Γ : a set of output symbols  The object-to-type map  γ : the output map field names ↔ input symbols o 4 U h f f, g, h, k o 2 T o 8 Y o 6 X g k 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient and Precise Dynamic Impact Analysis Using Execute-After Sequences Taweesup (Term)

Efficient and Precise Dynamic Impact Analysis Using Execute-After Sequences Taweesup (Term)

Efficient and Precise Dynamic Impact Analysis Using Execute-After Sequences Taweesup (Term) Apiwattanapong Alessandro Orso Mary Jean Harrold College of Computing Georgia Institute of Technology National Science Foundation awards CCR-0306372,

419 views • 20 slides
TZTEC TZTEC Etched Parts precise efficient quickly NEW We produce for you etched

TZTEC TZTEC Etched Parts precise efficient quickly NEW We produce for you etched

TZTEC TZTEC Etched Parts precise efficient quickly NEW We produce for you etched parts out of all usual materials cost-efficient, quick, with high quality TZTEC GMBH - Kraatzer Weg 1 - 16775 Gransee 50 km north of Berlin

393 views • 4 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Optimal Prices in the Towards a Precise . . . Towards a Precise . . . Presence of Discounts:

Optimal Prices in the Towards a Precise . . . Towards a Precise . . . Presence of Discounts:

Practical Situation: . . . How to Describe . . . Formulation of the . . . Optimal Prices in the Towards a Precise . . . Towards a Precise . . . Presence of Discounts: Precise Optimization . . . A New Economic Main result Proof: Part I

449 views • 12 slides
Efficient and good Delaunay meshes from points random points M. S. Ebeida et a.l Intro MPS M.

Efficient and good Delaunay meshes from points random points M. S. Ebeida et a.l Intro MPS M.

Efficient and good Delaunay meshes from random Efficient and good Delaunay meshes from points random points M. S. Ebeida et a.l Intro MPS M. S. Ebeida 1 , S. A. Mitchell 1 , Andrew A. Davidson 2 , MPS Anjul Patney 2 , Patrick Knupp 1 and

641 views • 51 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
Problems Implementing a points-to analysis to handle the details of Java is a lot of work. is

Problems Implementing a points-to analysis to handle the details of Java is a lot of work. is

Scaling Java Points-To Analysis Using S PARK (Soot Pointer Analysis Research Kit) Ond rej Lhot ak and Laurie Hendren Sable Research Group McGill University April 8th, 2003 p. 1/53 Problems Implementing a points-to analysis to

610 views • 59 slides
Precise Performance LTD Jake Yarranton jake@precise-performance.co.uk 07468 465754 Precise

Precise Performance LTD Jake Yarranton jake@precise-performance.co.uk 07468 465754 Precise

Precise Performance LTD Jake Yarranton jake@precise-performance.co.uk 07468 465754 Precise Performance LTD Independent Bike fitting and coaching specialists Our main focus is to help cyclists of every ability improve Experts in

388 views • 15 slides
Better Together Martin Bravenboer LogicBlox Yannis Smaragdakis UMass Amherst ISSTA 2009

Better Together Martin Bravenboer LogicBlox Yannis Smaragdakis UMass Amherst ISSTA 2009

Exception Analysis and Points-to Analysis Better Together Martin Bravenboer LogicBlox Yannis Smaragdakis UMass Amherst ISSTA 2009 International Symposium on Software Testing and Analysis overview 1 what do we do? precise analysis of

1.18k views • 101 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
What is points-to analysis? Informally: analysis determining what locations (objects) pointers

What is points-to analysis? Informally: analysis determining what locations (objects) pointers

4/5/2010 What is points-to analysis? Informally: analysis determining what locations (objects) pointers can point to Points-To Analysis Program main() { x = &a; Meeting 21, CSCI 5535, Spring 2010 y = &b; z = x; Guest Lecture:

484 views • 6 slides
Resolution of T. Wards Question and the IsraelFinch Conjecture. Precise Asymptotic Analysis

Resolution of T. Wards Question and the IsraelFinch Conjecture. Precise Asymptotic Analysis

Resolution of T. Wards Question and the IsraelFinch Conjecture. Precise Asymptotic Analysis of an Integer Sequence Motivated by the Dynamical Mertens Theorem for Quasihyperbolic Toral Automorphisms Mark Daniel Ward, Department of

962 views • 48 slides
Cluster Analysis Objective: Group data points into classes of similar points based on a series of

Cluster Analysis Objective: Group data points into classes of similar points based on a series of

Multivariate Fundamentals: Distance Cluster Analysis Objective: Group data points into classes of similar points based on a series of variables Useful to find the true groups that are assumed to really exist, BUT if the analysis generates

179 views • 7 slides
Is our knowledge of ecology becoming more precise and accurate over time? A meta-analysis of

Is our knowledge of ecology becoming more precise and accurate over time? A meta-analysis of

Is our knowledge of ecology becoming more precise and accurate over time? A meta-analysis of meta-analyses Jeremy Fox University of Calgary Lab: foxlabcalgary.wordpress.com Blog: dynamicecology.wordpress.com The big vague motivating question

612 views • 23 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
Efficient classification of billions of points into complex geographic regions using hierarchical

Efficient classification of billions of points into complex geographic regions using hierarchical

Efficient classification of billions of points into complex geographic regions using hierarchical triangular mesh Dniel Kondor , Lszl Dobos , Istvn Csabai , Andrs Bodor , Gbor Vattay , Tams Budavri ,

722 views • 30 slides
Measurement and Analysis of Online Social Networks Alan Mislove Massimiliano Marcon

Measurement and Analysis of Online Social Networks Alan Mislove Massimiliano Marcon

Measurement and Analysis of Online Social Networks Alan Mislove Massimiliano Marcon Krishna Gummadi Peter Druschel Bobby Bhattacharjee Max Planck Institute for Software Systems Rice University University of Maryland

679 views • 38 slides
Task Analy ask Analysis T sis Tool ool

Task Analy ask Analysis T sis Tool ool

Task Analy ask Analysis T sis Tool ool

61 views • 3 slides
Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic analysis for Bitcoin and derived Transaction clustering using network traffic blockchains analysis for Bitcoin and derived blockchains Biryukov, Tikhomirov Introduction Network privacy Alex

491 views • 30 slides
via Multi-Dimensional Trace Analysis Yanpei Chen, Kiran Srinivasan, Garth Goodson, Randy Katz UC

via Multi-Dimensional Trace Analysis Yanpei Chen, Kiran Srinivasan, Garth Goodson, Randy Katz UC

Design Implications for Enterprise Storage Systems via Multi-Dimensional Trace Analysis Yanpei Chen, Kiran Srinivasan, Garth Goodson, Randy Katz UC Berkeley AMP Lab, NetApp Inc. Motivation Understand data access patterns Client Server How

685 views • 26 slides
Coronavirus Covid-19: An Analysis by Milo Schield ASA Fellow Consultant: University of New

Coronavirus Covid-19: An Analysis by Milo Schield ASA Fellow Consultant: University of New

V2 Schield: 2020 Covid19 Analysis Slides 0308 1 Coronavirus Covid-19: An Analysis by Milo Schield ASA Fellow Consultant: University of New Mexico President: National Numeracy Network March 8, 2020 www.StatLit.org/pdf/

530 views • 14 slides
CS630 Object-Oriented Systems Analysis and Design Les Waguespack, Ph.D. Orientation

CS630 Object-Oriented Systems Analysis and Design Les Waguespack, Ph.D. Orientation

CS630 Object-Oriented Systems Analysis and Design Les Waguespack, Ph.D. Orientation Orientation Slides Zero: 1 We Are Here Course Title: Object-Oriented Systems Analysis and Design Course Description: This course prepares the student for

480 views • 9 slides
A Stepwise Analysis of Aggregated Crowdsourced Labels Describing Multimodal Emotional Behaviors

A Stepwise Analysis of Aggregated Crowdsourced Labels Describing Multimodal Emotional Behaviors

A Stepwise Analysis of Aggregated Crowdsourced Labels Describing Multimodal Emotional Behaviors Alec Burmania and Carlos Busso Multimodal Signal Processing (MSP) lab The University of Texas at Dallas Erik Jonsson School of Engineering and

504 views • 23 slides
Real Analysis a short presentation on what and why I. Fourier Analysis Fourier analysis is

Real Analysis a short presentation on what and why I. Fourier Analysis Fourier analysis is

Real Analysis a short presentation on what and why I. Fourier Analysis Fourier analysis is about taking functions and realizing them or approximating them in terms of periodic (trig) functions. Many, many practical applications. Def: R = {

191 views • 17 slides

More recommend