making k object sensitive pointer analysis
play

Making k- Object-Sensitive Pointer Analysis More Precise with Still k - PowerPoint PPT Presentation

Feb 01, 2023 •253 likes •965 views

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

  1. Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1

  2. A New Pointer Analysis for Object-Oriented Programs 2

  3. Pointer Analysis  Determine “which objects can a variable point to?”  Foundation of many clients: ◦ Bug detection ◦ Security analysis ◦ Compiler optimization ◦ Program understanding ◦ … 3

  4. Object-Oriented Programs  Java, C#, Object- C, JavaScript, … ◦ Embedded software: ◦ Mobile application: ◦ Web server: ◦ Desktop application: 4

  5. A Practically Useful Pointer Analysis for Object-Oriented Programs 5

  6. A Practically Useful Pointer Analysis for Object-Oriented Programs Good Context Abstraction (Context Sensitivity) 6

  7. A Practically Useful Pointer Analysis for Object-Oriented Programs Good Context Abstraction (Context Sensitivity) k -CFA (call-site-sensitivity), type- sensitivity, … 7

  8. Object-Sensitivity Arguably the best context abstraction for pointer analysis for object-oriented programs 8

  9. Object-Sensitivity  Widely used in diverse real-world clients ◦ Property Verification (e.g., API protocol) ISSTA’06, TOSEM’08, PLDI’14, FSE’15, … ◦ Bug Detection (e.g., data race, deadlock) PLDI’06, ICSE’09, ISSTA’13, OOPSLA’15, … ◦ Security Analysis (e.g., taint analysis) PLDI’09, IEEE S&P’11, FSE ’14 , NDSS’15, FSE ’ 15, … ◦ Other Fundamental Analyses (e.g., slicing) PLDI ’07, PLDI’14, ICSE’14, ECOOP’16 , … 9

  10. Object-Sensitivity  Widely implemented in analysis platforms Chord A PPOSCOPY 10

  11. What is Object-Sensitivity?  Objects (allocation sites) as contexts  k -CFA  k -obj 11

  12. A Code Example class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo(); } A a2 = new A(); // A/2 a2.foo(); } } 12

  13. 1-CFA (call-site) class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo() ; } A a2 = new A(); // A/2 a2.foo() ; } } Context Variable Object … [a1.foo()] v … [a2.foo()] v 13

  14. 1-obj (allocation-site of receiver object) class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo(); } A a2 = new A(); // A/2 a2.foo(); } } Context Variable Object … [A/1] v … [A/2] v 14

  15. k -obj when k > 1? class A { class B { void foo() { void bar() { v = … A a1 = new A(); // A/1 } a1.foo(); } A a2 = new A(); // A/2 a2.foo(); } } 15

  16. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } Context Variable Object … [B/1,A/1] v … [B/1,A/2] v 16

  17. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } B/1 Context Variable Object … [B/1,A/1] v … [B/1,A/2] v A/1 A/2 17

  18. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } k = 2 B/1 Context Variable Object … [B/1,A/1] v … k = 1 [B/1,A/2] v A/1 A/2 18

  19. 2-obj (allocation- sites of 2 “consecutive” receiver objects) class A { class B { class C { void foo() { void bar() { void m() { v = … A a1 = new A(); // A/1 B b = new B(); // B/1 } a1.foo(); b.bar(); } } A a2 = new A(); // A/2 } a2.foo(); } } k = 2 B/1 Context Variable Object … [B/1,A/1] v … k = 1 [B/1,A/2] v A/1 A/2 Object Allocation Graph (OAG) 19

  20. An Observation  Redundant Context Element 20

  21. An Observation  Redundant Context Element HashSet/1 HashSet/2 HashMap/1 Entry/1 An example from JDK, java.util.* 21

  22. 3-obj  Contexts fully separated  Precise Two contexts: k = 3 HashSet/1 HashSet/2 [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] HashMap/1 k = 2 k = 1 Entry/1 An example from JDK, java.util.* 22

  23. 3-obj  Contexts fully separated  Precise Two contexts: k = 3 HashSet/1 HashSet/2 [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] HashMap/1 k = 2 3-obj is unscalable k = 1 Entry/1 An example from JDK, java.util.* 23

  24. 2-obj  Contexts not separated One context: HashSet/1 HashSet/2 [HashMap/1,Entry/1] HashMap/1 k = 2 k = 1 Entry/1 An example from JDK, java.util.* 24

  25. 2-obj  Contexts not separated  Imprecise One context: HashSet/1 HashSet/2 [HashMap/1,Entry/1] HashMap/1 k = 2 k = 1 Entry/1 An example from JDK, java.util.* 25

  26. 2-obj  Contexts not separated  Imprecise  Redundant context elements used One context: HashSet/1 HashSet/2 [ HashMap/1 ,Entry/1] HashMap/1 k = 2 HashMap/1 as context element k = 1 Entry/1 is redundant An example from JDK, java.util.* 26

  27. This Paper: Avoid Redundant Context Element 27

  28. 2-obj HashSet/1 HashSet/2 k = 2 HashMap/1 k = 1 Entry/1 One context: [HashMap/1,Entry/1] 28

  29. 2-obj Our approach k = 2 HashSet/1 HashSet/2 HashSet/1 HashSet/2 k = 2 HashMap/1 HashMap/1 k = 1 k = 1 Entry/1 Entry/1 Redundant One context: Two contexts: one removed [HashMap/1,Entry/1] [HashSet/1,Entry/1] [HashSet/2,Entry/1] 29

  30. 2-obj Our approach k = 2 HashSet/1 HashSet/2 HashSet/1 HashSet/2 k = 2 HashMap/1 HashMap/1 k = 1 k = 1 Entry/1 Entry/1 Redundant One context: Two contexts: one removed [HashMap/1,Entry/1] [HashSet/1,Entry/1] [HashSet/2,Entry/1] Benefit: improve precision with still k -limiting 30

  31. Methodology (BEAN) Context Graph Selection Problem Problem 31

  32. Context Graph Selection Problem Problem Object Allocation HashSet/1 HashSet/2 Context Relation Graph (OAG) HashMap/1 Entry/1 32

  33. Context Graph Selection Problem Problem Object Allocation HashSet/1 HashSet/2 Context Relation Graph (OAG) HashMap/1 Contexts in k -obj Paths in OAG Entry/1 33

  34. Context Graph Selection Problem Problem Object Allocation HashSet/1 HashSet/2 Context Relation Graph (OAG) HashMap/1 Contexts in k -obj Paths in OAG Entry/1 Avoid Redundant Select Representative Nodes Context Elements to Distinguish Paths 34

  35. An OAG 35

  36. 5 contexts in k -obj 5 paths in OAG An OAG 36

  37. Select 5 contexts in k -obj 5 paths in OAG Distinguish An OAG 37

  38. Select 5 contexts in k -obj k = 8 5 paths in OAG Distinguish k = 7 k = 6 k = 5 k -obj: k = 8 (all nodes selected) k = 4 k = 3 k = 2 k = 1 An OAG 38

  39. Select 5 contexts in k -obj 5 paths in OAG Distinguish k = 3 1 2 k -obj: k = 8 (all nodes selected) BEAN: k = 3 (representative nodes selected) k = 2 4 5 3 k = 1 6 An OAG 39

  40. Select 5 contexts in k -obj 5 paths in OAG Distinguish k = 3 1 2 k -obj: k = 8 (all nodes selected) BEAN: k = 3 (representative nodes selected) k = 2 4 5 3 k = 1 6 5 contexts selected by BEAN: [1,3,6], [2,3,6], An OAG [1,4,6], [2,4,6], [5,6] 40

  41. Select 5 contexts in k -obj 5 paths in OAG Distinguish k = 3 1 2 k -obj: k = 8 (all nodes selected) precision = BEAN: k = 3 (representative nodes selected) k = 2 4 5 3 k = 1 6 5 contexts selected by BEAN: [1,3,6], [2,3,6], An OAG [1,4,6], [2,4,6], [5,6] 41

  42. How to Select Representative Nodes to Distinguish Paths? 42

  43. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths 43

  44. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence 44

  45. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + 45

  46. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + Confluence 46

  47. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + Confluence 47

  48. How to Select Representative Nodes to Distinguish Paths?  Our intuition: Multiple paths = Divergence … … + Confluence Representative nodes 48

  49. 49

  50. Representative nodes 50

  51. Theorem 1  Under full -object-sensitivity (when k = ∞) Precision Precision of = of BEAN k -obj 51

  52. Theorem 2  Under the same k -limiting Precision Precision of ≥ of BEAN k -obj 52

  53. B EAN : Framework Points-To Information OAG Construction Pointer OAG Chord Analysis Selected Contexts Contexts Selection 53

  54. Open-Source Implementation www.cse.unsw.edu.au/~corg/bean 54

  55. Evaluation - Clients  May-Alias  May-Fail-Cast Typical clients to evaluate pointer analysis’s effectiveness e.g., APLAS’15, PLDI’14, PLDI’13, POPL’11, OOPSLA’09, … 55

  56. Evaluation - Analyzed Targets  Standard DaCapo Java benchmarks  Large Java library: JDK 1.6 Widely used programs and library in pointer analysis e.g., PLDI ’14, ECOOP’14, PLDI’13, OOPSLA’13, POPL’11, … 56

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan

Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan

Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan Indian Institute of Science, Bangalore PACT 2013 PACT'13 2 Outline Introduction Background Flow-sensitive graph-rewriting formulation

1.06k views • 74 slides
From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira Albert (1) , Puri Arenas (1) , Samir Genaim (1) , an Puebla (2) and Diana Ram rez (2) Germ (1) Complutense University of Madrid (2) Technical

1.27k views • 77 slides
Page 1 1. Add Visibility Information Implementation of UML Visibility in Java Tournament UML

Page 1 1. Add Visibility Information Implementation of UML Visibility in Java Tournament UML

Object Design Object-Oriented Software Engineering ! Object design is the process of adding details to the requirements analysis and making implementation decisions ! The object designer must choose among different ways to implement the analysis

323 views • 5 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&A 2 What is a

543 views • 28 slides
Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Object-Oriented Software Engineering Using UML, Patterns, and Java Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of adding details to the requirements analysis and making implementation decisions

500 views • 28 slides
Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Andrew Lenharth Vikram Adve Apple UIUC UIUC What is Heap Cloning? Distinguish objects by acyclic call path void foo() { list*

556 views • 28 slides
1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

Alias Analysis Aliasing Last time What is aliasing? Midterm When two expressions denote the same mutable memory location e.g., p = new Object; Today q = p; * p and * q alias Alias analysis (pointer analysis) How do aliases

162 views • 5 slides
Chapter 8, Object Design: Object design is the process of adding details to the requirements

Chapter 8, Object Design: Object design is the process of adding details to the requirements

Object Design Object-Oriented Software Engineering Chapter 8, Object Design: Object design is the process of adding details to the requirements analysis and making implementation decisions Reuse and Patterns I The object designer must

301 views • 15 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this lecture Terms and concepts Algorithms: Andersen-Style and Steensgaard-Style Advanced topics 2 What is Pointer/Alias/points-to Analysis?

347 views • 32 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Binding in Java Beans Inspecting bean properties with a GUI binding veto GUI BEANS Pieter van

Binding in Java Beans Inspecting bean properties with a GUI binding veto GUI BEANS Pieter van

Binding in Java Beans HOM,DOS beans? convention Binding in Java Beans Inspecting bean properties with a GUI binding veto GUI BEANS Pieter van den Hombergh Summary on Java Beans FX Properties Thijs Dorssers Fontys Hogeschool voor

428 views • 18 slides
Session 20 Data Sharing & Cookies 1 Reading & Reference Reading Shared scopes

Session 20 Data Sharing & Cookies 1 Reading & Reference Reading Shared scopes

Session 20 Data Sharing Session 20 Data Sharing & Cookies 1 Reading & Reference Reading Shared scopes Java EE 7 Tutorial Section 17.3 Reference http state management www.ietf.org/rfc/rfc2965.txt Cookies

656 views • 23 slides
301AA - Advanced Programming Lecturer: Andrea Corradini andrea@di.unipi.it

301AA - Advanced Programming Lecturer: Andrea Corradini andrea@di.unipi.it

301AA - Advanced Programming Lecturer: Andrea Corradini andrea@di.unipi.it http://pages.di.unipi.it/corradini/ AP-08 : JavaBeans Overview Kinds of components in Java JavaBeans: design and deployment Properties Property

1.02k views • 49 slides
Type Safe Nondeterminism A Formal Semantics of Java Threads Andreas Lochbihler University of

Type Safe Nondeterminism A Formal Semantics of Java Threads Andreas Lochbihler University of

Type Safe Nondeterminism A Formal Semantics of Java Threads Andreas Lochbihler University of Passau Germany 01/13/2008 Funded by DFG grant Sn11/10-1 Andreas Lochbihler Type Safe Nondeterminism FOOL 08 1 / 17 Overview Motivation 1

750 views • 46 slides
Spring 3 Spring without XML Agenda Industry Forces Whats New Spring 2.0

Spring 3 Spring without XML Agenda Industry Forces Whats New Spring 2.0

Spring 3 Spring without XML Agenda Industry Forces Whats New Spring 2.0 Spring 2.5 Spring Annotations Reducing Spring XML Spring Without XML! Industry Forces Annotations EJB 3.X JSR-250 Common

999 views • 82 slides
95 Taking a look at the source for Servlets that we have already created, there are a number of

95 Taking a look at the source for Servlets that we have already created, there are a number of

95 Taking a look at the source for Servlets that we have already created, there are a number of weaknesses: HTML and Java combined: The Java code and HTML code are mixed together. In a large page the Java could get lost among the HTML and

892 views • 51 slides
Using JDBC JDBC (Java Database Connectivity) is an API that describes how applicatio developers

Using JDBC JDBC (Java Database Connectivity) is an API that describes how applicatio developers

Using JDBC JDBC (Java Database Connectivity) is an API that describes how applicatio developers can connect to relational databases and execute SQL statements from a Java program. JDBC is supported by most DBMS such as Oracle, mySQL, SQL Server,

316 views • 3 slides
Database Programming (JDBC) Lecture 5 1 Outline Java DB Connectivity (JDBC) overview

Database Programming (JDBC) Lecture 5 1 Outline Java DB Connectivity (JDBC) overview

Database Programming (JDBC) Lecture 5 1 Outline Java DB Connectivity (JDBC) overview JDBC API Reading: http://java.sun.com/products/jdbc/overview.html 2 Embedded SQL Direct SQL (= ad-hoc SQL) is rarely used In

333 views • 15 slides

More recommend