SLIDE 1
Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting
Tian Tan, Yue Li and Jingling Xue
SAS 2016 September, 2016
1
A New Pointer Analysis for Object-Oriented Programs
2
Making k- Object-Sensitive Pointer Analysis More Precise with Still k - - PowerPoint PPT Presentation
Making k- Object-Sensitive Pointer Analysis More Precise with Still k - - PowerPoint PPT Presentation
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which
SLIDE 2
SLIDE 3
Pointer Analysis
Determine
“which objects can a variable point to?”
Foundation of many clients:
- Bug detection
- Security analysis
- Compiler optimization
- Program understanding
- …
3
SLIDE 4
Object-Oriented Programs
Java, C#, Object-C, JavaScript, …
- Embedded software:
- Mobile application:
- Web server:
- Desktop application:
4
SLIDE 5
A Practically Useful Pointer Analysis for Object-Oriented Programs
5
SLIDE 6
A Practically Useful Pointer Analysis for Object-Oriented Programs
Good Context Abstraction (Context Sensitivity)
6
SLIDE 7
A Practically Useful Pointer Analysis for Object-Oriented Programs
Good Context Abstraction (Context Sensitivity)
7
k-CFA (call-site-sensitivity), type-sensitivity, …
SLIDE 8
Object-Sensitivity
Arguably the best context abstraction for pointer analysis for
- bject-oriented programs
8
SLIDE 9
Object-Sensitivity
Widely used in diverse real-world clients
- Property Verification (e.g., API protocol)
ISSTA’06, TOSEM’08, PLDI’14, FSE’15, …
- Bug Detection (e.g., data race, deadlock)
PLDI’06, ICSE’09, ISSTA’13, OOPSLA’15, …
- Security Analysis (e.g., taint analysis)
PLDI’09, IEEE S&P’11, FSE’14, NDSS’15, FSE’15, …
- Other Fundamental Analyses (e.g., slicing)
PLDI’07, PLDI’14, ICSE’14, ECOOP’16, …
9
SLIDE 10
Object-Sensitivity
Widely implemented in analysis platforms
APPOSCOPY
Chord
10
SLIDE 11
What is Object-Sensitivity?
Objects (allocation sites) as contexts k-CFA k-obj
11
SLIDE 12
A Code Example
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } } 12
SLIDE 13
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } }
1-CFA (call-site)
Context Variable Object [a1.foo()] v … [a2.foo()] v …
13
SLIDE 14
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } }
1-obj (allocation-site of receiver object)
14
Context Variable Object [A/1] v … [A/2] v …
SLIDE 15
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } }
k-obj when k > 1?
15
SLIDE 16
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } }
2-obj (allocation-sites of 2 “consecutive” receiver objects)
class C { void m() { B b = new B(); // B/1 b.bar(); } } 16
Context Variable Object [B/1,A/1] v … [B/1,A/2] v …
SLIDE 17
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } } class C { void m() { B b = new B(); // B/1 b.bar(); } }
A/1 A/2 B/1
17
Context Variable Object [B/1,A/1] v … [B/1,A/2] v …
2-obj (allocation-sites of 2 “consecutive” receiver objects)
SLIDE 18
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } } class C { void m() { B b = new B(); // B/1 b.bar(); } }
A/1 A/2 B/1
k = 1 k = 2
18
Context Variable Object [B/1,A/1] v … [B/1,A/2] v …
2-obj (allocation-sites of 2 “consecutive” receiver objects)
SLIDE 19
class B { void bar() { A a1 = new A(); // A/1 a1.foo(); A a2 = new A(); // A/2 a2.foo(); } } class A { void foo() { v = … } } class C { void m() { B b = new B(); // B/1 b.bar(); } }
A/1 A/2 B/1
k = 1 k = 2
19
Context Variable Object [B/1,A/1] v … [B/1,A/2] v …
2-obj (allocation-sites of 2 “consecutive” receiver objects)
Object Allocation Graph (OAG)
SLIDE 20
An Observation
Redundant Context Element
20
SLIDE 21
An Observation
Redundant Context Element
HashSet/1 HashSet/2 HashMap/1 Entry/1
An example from JDK, java.util.*
21
SLIDE 22
3-obj
Contexts fully separated Precise
HashSet/1 HashSet/2 HashMap/1 Entry/1
An example from JDK, java.util.*
Two contexts: [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1] k = 1 k = 3 k = 2
22
SLIDE 23
3-obj
Contexts fully separated Precise
HashSet/1 HashSet/2 HashMap/1 Entry/1
An example from JDK, java.util.*
k = 1 k = 3 k = 2
3-obj is unscalable
Two contexts: [HashSet/1,HashMap/1,Entry/1] [HashSet/2,HashMap/1,Entry/1]
23
SLIDE 24
2-obj
Contexts not separated
HashSet/1 HashSet/2 HashMap/1 Entry/1
An example from JDK, java.util.*
k = 1 k = 2 One context: [HashMap/1,Entry/1]
24
SLIDE 25
2-obj
Contexts not separated Imprecise
HashSet/1 HashSet/2 HashMap/1 Entry/1
An example from JDK, java.util.*
k = 1 k = 2 One context: [HashMap/1,Entry/1]
25
SLIDE 26
2-obj
Contexts not separated Imprecise Redundant context elements used
HashSet/1 HashSet/2 HashMap/1 Entry/1
An example from JDK, java.util.*
k = 1 k = 2 One context: [HashMap/1,Entry/1] HashMap/1 as context element is redundant
26
SLIDE 27
This Paper: Avoid Redundant Context Element
27
SLIDE 28
HashSet/1 HashSet/2 HashMap/1 Entry/1
k = 1 k = 2 One context: [HashMap/1,Entry/1]
2-obj
28
SLIDE 29
HashSet/1 HashSet/2 HashMap/1 Entry/1
k = 1 k = 2 k = 1 k = 2
HashSet/1 HashSet/2 HashMap/1 Entry/1
Our approach
One context: [HashMap/1,Entry/1] Two contexts: [HashSet/1,Entry/1] [HashSet/2,Entry/1]
Redundant
- ne removed
2-obj
29
SLIDE 30
HashSet/1 HashSet/2 HashMap/1 Entry/1
k = 1 k = 2 k = 1 k = 2
HashSet/1 HashSet/2 HashMap/1 Entry/1
Our approach
One context: [HashMap/1,Entry/1] Two contexts: [HashSet/1,Entry/1] [HashSet/2,Entry/1]
Redundant
- ne removed
2-obj Benefit: improve precision with still k-limiting
30
SLIDE 31
Methodology (BEAN)
Context Selection Problem Graph Problem
31
SLIDE 32
Context Relation Object Allocation Graph (OAG)
HashSet/1 HashSet/2 HashMap/1 Entry/1
Context Selection Problem Graph Problem
32
SLIDE 33
Context Relation Object Allocation Graph (OAG) Contexts in k-obj Paths in OAG
HashSet/1 HashSet/2 HashMap/1 Entry/1
Context Selection Problem Graph Problem
33
SLIDE 34
Context Relation Object Allocation Graph (OAG) Contexts in k-obj Paths in OAG
HashSet/1 HashSet/2 HashMap/1 Entry/1
Context Selection Problem Graph Problem
34
Avoid Redundant Context Elements Select Representative Nodes to Distinguish Paths
SLIDE 35
An OAG
35
SLIDE 36
An OAG 5 contexts in k-obj 5 paths in OAG
36
SLIDE 37
An OAG 5 contexts in k-obj 5 paths in OAG Select Distinguish
37
SLIDE 38
An OAG
k = 1 k = 2 k = 3 k = 4 k = 5 k = 6 k = 7 k = 8
k-obj: k = 8 (all nodes selected) 5 contexts in k-obj 5 paths in OAG Select Distinguish
38
SLIDE 39
An OAG 1 2 3 4 5 6 5 contexts in k-obj 5 paths in OAG Select Distinguish k-obj: k = 8 (all nodes selected)
k = 1 k = 2 k = 3
BEAN: k = 3 (representative nodes selected)
39
SLIDE 40
An OAG 1 2 3 4 5 6 5 contexts in k-obj 5 paths in OAG Select Distinguish k-obj: k = 8 (all nodes selected)
k = 1 k = 2 k = 3
BEAN: k = 3 (representative nodes selected)
5 contexts selected by BEAN: [1,3,6], [2,3,6], [1,4,6], [2,4,6], [5,6]
40
SLIDE 41
An OAG 1 2 3 4 5 6 5 contexts in k-obj 5 paths in OAG Select Distinguish k-obj: k = 8 (all nodes selected)
k = 1 k = 2 k = 3
BEAN: k = 3 (representative nodes selected)
5 contexts selected by BEAN: [1,3,6], [2,3,6], [1,4,6], [2,4,6], [5,6]
=
precision
41
SLIDE 42
How to Select Representative Nodes to Distinguish Paths?
42
SLIDE 43
How to Select Representative Nodes to Distinguish Paths?
Our intuition:
Multiple paths
43
SLIDE 44
How to Select Representative Nodes to Distinguish Paths?
Our intuition:
Multiple paths Divergence
=
44
SLIDE 45
How to Select Representative Nodes to Distinguish Paths?
Our intuition:
Multiple paths Divergence
= +
… …
45
SLIDE 46
How to Select Representative Nodes to Distinguish Paths?
Our intuition:
Multiple paths Divergence Confluence
= +
… …
46
SLIDE 47
How to Select Representative Nodes to Distinguish Paths?
Our intuition:
Multiple paths Divergence Confluence
= +
… …
47
SLIDE 48
How to Select Representative Nodes to Distinguish Paths?
Our intuition:
Multiple paths Divergence Confluence
= +
… …
Representative nodes
48
SLIDE 49
49
SLIDE 50
Representative nodes
50
SLIDE 51
Theorem 1
Under full-object-sensitivity (when k = ∞)
Precision
- f
BEAN Precision
- f
k-obj
=
51
SLIDE 52
Theorem 2
Under the same k-limiting
Precision
- f
BEAN Precision
- f
k-obj
≥
52
SLIDE 53
BEAN: Framework
Pointer Analysis OAG Construction Contexts Selection
Points-To Information Selected Contexts OAG
Chord
53
SLIDE 54
Open-Source Implementation
www.cse.unsw.edu.au/~corg/bean
54
SLIDE 55
Evaluation - Clients
May-Alias May-Fail-Cast
Typical clients to evaluate pointer analysis’s effectiveness
e.g., APLAS’15, PLDI’14, PLDI’13, POPL’11, OOPSLA’09, …
55
SLIDE 56
Evaluation - Analyzed Targets
Standard DaCapo Java benchmarks Large Java library: JDK 1.6
Widely used programs and library in pointer analysis
e.g., PLDI’14, ECOOP’14, PLDI’13, OOPSLA’13, POPL’11, …
56
SLIDE 57
Evaluation - Compared Analyses
- 1. 2-CFA: 2-call-site-sensitive analysis
- 2. 2-obj:
2-object-sensitive analysis
- 3. B-2-obj:
BEAN-directed 2-obj
- 4. S-2-obj:
Selective hybrids of 2-obj*
- 5. B-S-2-obj: BEAN-directed S-2-obj
* Kastrinis et al., Hybrid Context-Sensitivity for Points-To Analysis, PLDI’13
57
SLIDE 58
Evaluation - Metrics
Precision Performance
58
SLIDE 59
Precision
2 clients 5 pointer analyses (2 state-of-the-art) 9 evaluated Java programs
BEAN improves the precision
- f both state-of-the-art analyses,
under each client, for each program!
59
SLIDE 60
SLIDE 61
61
Non-alias pairs by B-2-obj (B-S-2-obj) Non-alias pairs by 2-obj (S-2-obj)
May-Alias May-Fail-Cast
Safe casts by B-2-obj (B-S-2-obj) Safe casts by 2-obj (S-2-obj)
SLIDE 62
62
May-Alias May-Fail-Cast
Verify Theorem 2 practically Under the same k-limiting
Precision
- f
BEAN Precision
- f
k-obj
≥
Non-alias pairs by B-2-obj (B-S-2-obj) Non-alias pairs by 2-obj (S-2-obj) Safe casts by B-2-obj (B-S-2-obj) Safe casts by 2-obj (S-2-obj)
SLIDE 63
Performance
- f BEAN
CI: Context-Insensitive pointer analysis OAG: OAG construction CTX-COMP: Context Computation
On Average: about 2 minutes
63
SLIDE 64
Evaluation Summary
64
2-CFA 1991 2-obj 2002 2-Sobj 2013 CMU Thesis ISSTA PLDI
SLIDE 65
Evaluation Summary
65
2-CFA 1991 2-obj 2002 2-Sobj 2013 CMU Thesis ISSTA PLDI 1 h
- u
r s N
- t
s c a l a b l e Existing k-obj/k-Sobj (e.g., k = 3)
SLIDE 66
Evaluation Summary
66
1 h
- u
r s N
- t
s c a l a b l e Existing k-obj/k-Sobj (e.g., k = 3) BEAN 2 m i n t u e s 2-CFA 1991 2-obj 2002 2-Sobj 2013 2-B-Sobj 2016 CMU Thesis ISSTA PLDI SAS
SLIDE 67
Evaluation Summary
67
1 h
- u
r s N
- t
s c a l a b l e Existing k-obj/k-Sobj (e.g., k = 3) BEAN 2 m i n t u e s 2-CFA 1991 2-obj 2002 2-Sobj 2013 2-B-Sobj 2016 CMU Thesis ISSTA PLDI SAS
Verification Bug detection Security analysis …
SLIDE 68
Evaluation Summary
68
1 h
- u
r s N
- t
s c a l a b l e Existing k-obj/k-Sobj (e.g., k = 3) BEAN 2 m i n t u e s 2-CFA 1991 2-obj 2002 2-Sobj 2013 2-B-Sobj 2016 CMU Thesis ISSTA PLDI SAS
Verification Bug detection Security analysis … "Using static data race detection will likely show even more dramatic improvement in precision using your approach."
SLIDE 69
Conclusion
Improve the precision of object-sensitivity by
avoiding redundant context elements
- k-limiting, k+ precision
- Scalable
Easily applied to other context-sensitive analyses
- k-CFA
- Type-sensitive analysis
Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting
69
SLIDE 70
Thank you!
70