Pointer Analysis in the Presence of Dynamic Class Loading - PowerPoint PPT Presentation



SLIDE 1

Pointer Analysis in the Presence of Dynamic Class Loading

Martin Hirzel, Amer Diwan (University of Colorado at Boulder)
Michael Hind (IBM T.J. Watson Research Center)

SLIDE 2

Pointer analysis motivation

What does it do?

Code
a = new C( ); // G
b = new C( ); // H
a = b;
a.f = b;

Points-to sets
pointsTo(a) == {G,H}
pointsTo(b) == {H}
pointsTo(G.f) == {H}
pointsTo(H.f) == {H}

What is it good for?

Clients (tools and optimizations)

  • Code browsing
  • Code transformations
  • Error detection
  • Devirtualization
  • Load elimination
  • Parallelization
  • Connectivity-based garbage collection

SLIDE 3

Static flow- and context-insensitive pointer analysis by Andersen

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients. Legend: Analysis components, Analysis data structures. Other labels: Code, Points-to sets.]

SLIDE 4

Static analysis cannot deal with all of Java

  • Class loading may be implicitly triggered by any …
    – Constructor call
    – Static field access
    – Static method call
  • Classes may come from the web or be generated on the fly

Pretending a “static world” fails for most real-world applications

SLIDE 5

Java challenges

  • 4. Reflection and native code
  • 3. Unresolved types
  • 2. Re-propagation
  • 1. Online call graph building

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients. Legend: Analysis components, Analysis data structures.]

SLIDE 6

1. Online call graph building

caller: a = x.m(b);
callee: A::m(c) { return d; }

SLIDE 7

1. Online call graph building

caller: a = x.m(b);
caller: e = y.m(f);
callee: A::m(c) { return d; }

SLIDE 8

1. Online call graph building

caller: a = x.m(b);
caller: e = y.m(f);
callee: A::m(c) { return d; }
callee: B::m(g) { return h; }

SLIDE 9

Architecture for online call graph building

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Caller/callee look-up. Legend: Analysis components, Analysis data structures.]

SLIDE 10

Java challenges

  • 4. Reflection and native code
  • 3. Unresolved types
  • 2. Re-propagation

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Caller/callee look-up. Legend: Analysis components, Analysis data structures.]

SLIDE 11

2. Focused re-propagation

Code
a = new C( ); // G
b = new C( ); // H
a.f = b;
a = b;

Points-to sets
pointsTo(a) == {G}
pointsTo(b) == {H}
pointsTo(G.f) == {H}
pointsTo(H.f) == { }

SLIDE 12

2. Focused re-propagation

Code
a = new C( ); // G
b = new C( ); // H
a.f = b;
a = b;

Points-to sets
pointsTo(a) == {G,H}
pointsTo(b) == {H}
pointsTo(G.f) == {H}
pointsTo(H.f) == { }

SLIDE 13

2. Focused re-propagation

Code
a = new C( ); // G
b = new C( ); // H
a.f = b;
a = b;

Points-to sets
pointsTo(a) == {G,H}
pointsTo(b) == {H}
pointsTo(G.f) == {H}
pointsTo(H.f) == {H}

SLIDE 14

Architecture for focused re-propagation

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Caller/callee look-up. Legend: Analysis components, Analysis data structures.]
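
The step from slide 11 to slide 13, as an added example that is not part of the original slides or of the Jikes RVM implementation: a worklist solver for allocation, copy and field-store constraints (loads and calls are left out), where the constraint `a = b` arrives after the first propagation and only the affected nodes are revisited. The names `Analysis` and `slide_example` are assumptions made for this illustration.

```python
from collections import defaultdict
class Analysis:  # inclusion constraints solved with a propagator worklist
    def __init__(self):
        self.pts = defaultdict(set)     # node -> allocation sites it may point to
        self.copy = defaultdict(set)    # src -> {dst}: pointsTo(dst) includes pointsTo(src)
        self.stores = defaultdict(set)  # base -> {(field, src)} for "base.field = src"
        self.worklist = set()           # nodes whose points-to set grew

    def _add(self, node, objs):
        new = objs - self.pts[node]
        if new:
            self.pts[node] |= new
            self.worklist.add(node)

    def _edge(self, src, dst):
        if dst not in self.copy[src]:
            self.copy[src].add(dst)
            self._add(dst, self.pts[src])
    def alloc(self, var, site):         # var = new C(); // site
        self._add(var, {site})
    def assign(self, dst, src):         # dst = src;
        self._edge(src, dst)
    def store(self, base, field, src):  # base.field = src;
        self.stores[base].add((field, src))
        for obj in list(self.pts[base]):
            self._edge(src, (obj, field))

    def propagate(self):                # revisits worklist nodes only; returns them
        visited = []
        while self.worklist:
            node = self.worklist.pop()
            visited.append(node)
            for obj in list(self.pts[node]):
                for field, src in list(self.stores[node]):
                    self._edge(src, (obj, field))
            for dst in list(self.copy[node]):
                self._add(dst, self.pts[node])
        return visited

def slide_example():
    an = Analysis()
    an.alloc("a", "G")
    an.alloc("b", "H")
    an.store("a", "f", "b")
    an.propagate()                      # reaches the state of slide 11
    before = {n: set(s) for n, s in an.pts.items() if s}
    an.assign("a", "b")                 # new constraint: the state of slide 12
    visited = an.propagate()            # focused re-propagation: slide 13
    return before, {n: set(s) for n, s in an.pts.items() if s}, visited
```

The second `propagate()` call visits `a` and `H.f` only; `b` and `G.f` are not touched again.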

SLIDE 15

Java challenges

  • 4. Reflection and native code
  • 3. Unresolved types

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Caller/callee look-up. Legend: Analysis components, Analysis data structures.]

SLIDE 16

3. Unresolved types

caller: X x = …; a = x.m(b);
callee: Y::m(c) { return d; }

Can X have a subclass that inherits m from Y?

Cannot tell before X is resolved!

SLIDE 17

Architecture for managing unresolved types

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Resolution manager, Type resolution, Deferred constraints, Caller/callee look-up. Legend: Virtual machine events, Analysis components, Analysis data structures.]

SLIDE 18

Java challenges

  • 4. Reflection and native code

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Resolution manager, Type resolution, Deferred constraints, Caller/callee look-up. Legend: Virtual machine events, Analysis components, Analysis data structures.]

SLIDE 19

4. Reflection and native code

Reflection
Field f = B.class.getField("…");
B b = …;
f.set(b,v);

Native code
a = b.m(c);

Native-side code
00100101 01001110 10010011 01001001 10001111 10001111 00100101

Java-side code
Object VM_JNIFunctions.CallObjectMethod(method, args) { return method.invoke(args); }

SLIDE 20

Architecture for dealing with reflection and native code

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Resolution manager, Type resolution, Deferred constraints, Reflection execution, Native code execution, Caller/callee look-up. Legend: Virtual machine events, Analysis components, Analysis data structures.]

SLIDE 21

Other events leading to constraints

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Resolution manager, Type resolution, Deferred constraints, Reflection execution, Native code execution, Bytecode attributes, Building and start-up, Caller/callee look-up. Legend: Virtual machine events, Analysis components, Analysis data structures.]

SLIDE 22

Clients using our pointer analysis

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Resolution manager, Type resolution, Deferred constraints, Reflection execution, Native code execution, Building and start-up, Bytecode attributes, Caller/callee look-up. Legend: Virtual machine events, Analysis components, Analysis data structures.]

SLIDE 23

Dealing with invalidated results

Many techniques from prior work

– Guard optimized code (extant analysis)
– Pre-existence based inlining
– On-stack replacement
– and more

Connectivity-based garbage collection

– Trigger propagator only before collection
– Merge partitions if necessary

SLIDE 24

Evaluation methodology

Java virtual machine

– Jikes RVM from IBM, is itself written in Java

Benchmarks

– SPECjvm98 suite, xalan, hsql

Results not comparable to static analysis

– Analyze more code: Jikes RVM adds a lot of Java code
– Analyze less code: Not all application classes get loaded

SLIDE 25

Propagation cost

            Eager                      At GC                    At End
Benchmark   Count    Avg.     Total    Count   Avg.     Total   Total
hsql          391    10.1s    1h06m    6       1m17s    7m40s   7m07s
jess          734    16.8s    3h26m    3       1m58s    5m53s   3m02s
javac       1,103    12.5s    3h50m    5       1m54s    9m32s   6m27s
xalan       1,726    11.2s    5h22m    1       2m01s    2m01s   7m45s

  • Eagerness trades off average cost against total cost
  • On average, focused re-propagation is much cheaper than full propagation
  • Total cost is a function of code size and propagator eagerness

SLIDE 26

How long does a program have to run to amortize the analysis cost?

Application runtime, by analysis cost to amortize and overall analysis overhead:

Analysis cost    Overall analysis overhead
to amortize      10%       5%        2.5%
5m               50m       1h40m     3h20m
15m              2h30m     5h        10h
1h               10h       20h       1d16h
5h               1d16h     4d04h     8d08h

(The propagation cost table from slide 25 is repeated on this slide.)

Long-running applications can amortize not-too-eager analysis cost

SLIDE 27

Validation

[Architecture diagram: Method compilation, Constraint finder, Call graph builder, Constraint propagator, Constraint graph, Clients, Propagator worklist, Resolution manager, Type resolution, Deferred constraints, Reflection execution, Native code execution, Validation, Building and start-up, Bytecode attributes, Caller/callee look-up. Legend: Virtual machine events, Analysis components, Analysis data structures.]

SLIDE 28

Validation

  • Piggy-back validation on garbage collection
  • For each pointer, check consistency with analysis results
  • Incorrect analysis would lead to tricky bugs in clients

SLIDE 29

Related work

Andersen’s analysis for “static Java”

[RountevMilanovaRyder’01]
[LiangPenningsHarrold’01]
[WhaleyLam’02]
[LhotakHendren’03]

Weaker analyses with dynamic class loading

DOIT – [PechtchanskiSarkar’01]
XTA – [QianHendren’04]
Ruf’s escape analysis – [BogdaSingh’01, King’03]

Demand-driven / incremental analysis

SLIDE 30

Conclusions

  • 1st non-trivial pointer analysis for all of Java
  • Identified and solved the challenges:
    1. Online call graph building
    2. Focused re-propagation
    3. Managing unresolved types
    4. Reflection and native code
  • Evaluated efficiency
  • Validated correctness