precision guided context sensitivity for pointer analysis
play

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, - PowerPoint PPT Presentation

Apr 05, 2023 •200 likes •841 views

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

  1. Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Møller, Yannis Smaragdakis OOPSLA 2018 1

  2. A New Pointer Analysis T echnique for Object-Oriented Programs 2

  3. Pointer Analysis Determines “which objects a variable can point to?” 3

  4. Uses of Pointer Analysis Clients Tools  Security analysis  Bug detection  Compiler optimization Chord  Program verification  Program understanding …  … 4

  5. Uses of Pointer Analysis Clients Tools  Security analysis  Bug detection  Compiler optimization Chord  Program verification  Program understanding …  … A precise pointer analysis benefits all above clients & tools 5

  6. Context Sensitivity One of the most successful pointer analysis techniques for producing high precision for OO programs 6

  7. Context Sensitivity Distinguishes points-to information of methods by different calling contexts 7

  8. Context Sensitivity: Example class A { static void main() { String foo(String s) { A a1 = new A(); // A/1 return s; b1 = a1.foo("s1"); } } A a2 = new A(); // A/2 b2 = a2.foo("s2"); } Variable Object "s1" , "s2" s "s1" , "s2" b1 "s1" , "s2" b2 Context-Insensitivity 8

  9. Context Sensitivity: Example class A { static void main() { String foo(String s) { A a1 = new A(); // A/1 return s; b1 = a1.foo("s1"); } } A a2 = new A(); // A/2 b2 = a2.foo("s2"); } Variable Object "s1" , "s2" s "s1" , "s2" b1 "s1" , "s2" b2 Context-Insensitivity 9

  10. Context Sensitivity: Example class A { static void main() { String foo(String s) { A a1 = new A(); // A/1 return s; b1 = a1.foo("s1"); } } A a2 = new A(); // A/2 b2 = a2.foo("s2"); } Context Variable Object [ A/1 ] Variable Object s "s1" "s1" , "s2" [ A/2 ] s "s2" s [ ] "s1" , "s2" b1 b1 "s1" "s1" , "s2" [ ] b2 b2 "s2" 1-Object-Sensitivity Context-Insensitivity 10

  11. Context Sensitivity Widely adopted by static analysis frameworks for OO programs Chord FlowDroid 11

  12. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Conventional: apply C.S. to all methods 12

  13. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Conventional: apply C.S. to all methods Do not benefit from C.S. Analyzed for multiple contexts redundantly 13

  14. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Conventional: apply C.S. to all methods Benefit from C.S. Do not benefit (gain precision) from C.S. Precision-critical Analyzed for multiple methods contexts redundantly 14

  15. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Benefit from C.S. Do not benefit (gain precision) from C.S. C.S. C.I. Precision-critical Analyzed for multiple methods contexts redundantly 15

  16. Problem of Context Sensitivity (C.S.) Comes with heavy efficiency costs Preserve precision of C.S. Improve efficiency Benefit from C.S. Do not benefit (gain precision) from C.S. C.S. C.I. Precision-critical Analyzed for multiple methods contexts redundantly 16

  17. Our Goal Identify precision-critical methods Preserve precision of C.S. Improve efficiency Benefit from C.S. Do not benefit (gain precision) from C.S. C.S. C.I. Precision-critical Analyzed for multiple methods contexts redundantly 17

  18. Challenge Still unclear where and how imprecision is introduced in a context-insensitive pointer analysis context-sensitive precision yield When? analysis benefits omitting introduce precision When? context sensitivity losses 18

  19. Our Key Contribution Classify source of imprecision into three general precision-loss patterns ◦ Direct flow ◦ Wrapped flow ◦ Unwrapped flow 19

  20. Our Key Contribution Classify source of imprecision into three general precision-loss patterns ◦ Direct flow account for ~99% ◦ Wrapped flow of precision ◦ Unwrapped flow 20

  21. Our Key Contribution Classify source of imprecision into three general precision-loss patterns ◦ Direct flow account for ~99% ◦ Wrapped flow of precision ◦ Unwrapped flow Recognize Identify Three Flow Precision-Critical Patterns Methods 21

  22. IN and OUT Methods Given a class ◦ IN methods  One or more parameters ◦ OUT methods  non- void return types 22

  23. IN and OUT Methods Given a class class Foo { C f; ◦ IN methods void setF(C p) {  One or more parameters this.f = p; } ◦ OUT methods C getF() { C r = this.f;  non- void return types return r; } void bar() { this.f = null; } } 23

  24. IN and OUT Methods Given a class class Foo { C f; ◦ IN methods IN void setF(C p) {  One or more parameters this.f = p; } ◦ OUT methods C getF() { C r = this.f;  non- void return types OUT return r; } void bar() { this.f = null; } } 24

  25. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow Identified by leveraging a context-insensitive pointer analysis (as pre-analysis) 25

  26. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow 26

  27. Direct Flow O class C { void M1(Object p) { IN ... } ... Object M2() { ... OUT return r; } } O 27

  28. Direct Flow O class C { void M1(Object p) { IN ... } • variable assignments • field load/store ... • method calls/returns Object M2() { ... OUT return r; } } O 28

  29. Direct Flow O class C { void set(Object p) { void M1(Object p) { IN this.f = p; ... } } • variable assignments • field load/store ... • method calls/returns Object get() { Object M2() { Object r = this.f; ... return r; OUT return r; } Example: common } setter & getter } O 29

  30. Key Insight: Causes of Imprecision C.I. B A IN • Direct flow Flows: objects merge and propagate OUT B A B A 30

  31. Key Insight: Causes of Imprecision C.I. B A IN • Direct flow Flows: objects • Wrapped flow merge and • Unwrapped flow propagate • Combinations OUT B A B A 31

  32. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow 32

  33. Wrapped Flow O class C { void M1(Object p) { IN ... } ... object wrapping void Mi() { o.f = q; } ... W Object M2() { ... OUT return r; } } • variable assignments • field load/store W • method calls/returns 33

  34. Wrapped Flow O class C { void M1(Object p) { IN ... } ... object wrapping void Mi() { o.f = q; } ... W Object M2() { ... Example: OUT return r; collection & } iterator } • variable assignments • field load/store W • method calls/returns 34

  35. Wrapped Flow O class C { void M1(Object p) { IN ... } ... multiple object wrapping void Mi() { o.f = q; } ... W Object M2() { ... OUT return r; } } • variable assignments • field load/store W ’ • method calls/returns 35

  36. The Three General Flow Patterns  Direct flow  Wrapped flow  Unwrapped flow 36

  37. Unwrapped Flow O class C { void M1(Object p) { IN ... } ... object unwrapping void Mi() { q = o.f; } U ... Object M2() { ... OUT return r; } } • variable assignments U • field load/store • method calls/returns 37

  38. Unwrapped Flow O class C { void M1(Object p) { IN ... } ... object unwrapping void Mi() { q = o.f; } U ... Object M2() { ... Example: JDK OUT return r; synchronized } container } • variable assignments U • field load/store • method calls/returns 38

  39. Unwrapped Flow O class C { void M1(Object p) { IN ... } ... multiple object unwrapping void Mi() { q = o.f; } U ... Object M2() { ... OUT return r; } } • variable assignments U ’ • field load/store • method calls/returns 39

  40. Combinations of Three General Flows The direct, wrapped and unwrapped flows can be combined, e.g., unwrapped wrapped + IN OUT flow flow O W U 40

  41. C.I. B A IN • Direct flow • Wrapped flow • Unwrapped flow • Combinations OUT A B B A Precision-critical methods: the methods involved in the flows 41

  42. Identify precision-critical methods C.I. B A IN • Direct flow • Wrapped flow • Unwrapped flow • Combinations OUT A B B A Precision-critical methods: the methods involved in the flows 42

  43. Identify precision-critical methods Apply C.S. only to C.I. C.S. B A B A IN IN • Direct flow • Wrapped flow • Unwrapped flow • Combinations OUT OUT A B A B B A Precision-critical methods: the methods involved in the flows 43

  44. Identify precision-critical methods Apply C.S. only to C.I. C.S. B A B A IN IN OUT OUT A B A B B A Precision-critical methods: the methods involved in the flows 44

  45. How to Analyze Flow Patterns? We propose precision flow graph (PFG) expresses direct, wrapped, unwrapped flows, and their combinations, in an uniform way 45

  46. How to Analyze Flow Patterns? We propose precision flow graph (PFG) expresses direct, wrapped, unwrapped flows, and their combinations, in an uniform way Flows in Program Paths in PFG 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity

Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity

Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity We consider climate sensitivity in a very simple context. We consider a single-layer isothermal atmosphere. Climate Sensitivity We consider

1.09k views • 81 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
Precision, Recall, and Sensitivity of Monitoring Partially Synchronous Distributed Systems

Precision, Recall, and Sensitivity of Monitoring Partially Synchronous Distributed Systems

RunHme VerificaHon 2016 (RV16) Precision, Recall, and Sensitivity of Monitoring Partially Synchronous Distributed Systems Sorrachai Yingchareonthawornchai 1 , Duong Nguyen 1 , Vidhya Tekken Valapil 1 , Sandeep Kulkarni 1 , and Murat Demirbas 2

1.01k views • 55 slides
Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge August 3, 2020 @ JSM Sensitivity analysis The broader concept [Saltelli et al., 2004] Sensitivity analysis is the study of how the

477 views • 19 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
Review Running a program requires the code & stack segments in memory. Context = memory

Review Running a program requires the code & stack segments in memory. Context = memory

Review Running a program requires the code & stack segments in memory. Context = memory address space + stack pointer + instruction pointer A CPU is in the context of a program if its instruction pointer and stack pointer registers

797 views • 40 slides
Precision Beauty at High Sensitivity Chris Quigg Fermilab Nikhef Amsterdam October

Precision Beauty at High Sensitivity Chris Quigg Fermilab Nikhef Amsterdam October

Precision Beauty at High Sensitivity Chris Quigg Fermilab Nikhef Amsterdam October 29, 2019 See also Dream Machines 1808.06036 Perspectives and Questions zenodo.3376597 Origin Story . . . PHYSICAL REVIEW LETTERS VOLUME

608 views • 48 slides
Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality Sensitivity Analysis Shadi SHARIF AZADEH Transport and Mobility Laboratory TRANSP-OR cole Polytechnique Fdrale de Lausanne EPFL Motivation

394 views • 26 slides
CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this lecture Terms and concepts Algorithms: Andersen-Style and Steensgaard-Style Advanced topics 2 What is Pointer/Alias/points-to Analysis?

347 views • 32 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
UCSF 2013 Operation CRISPR: Operation CRISPR: Deploying precision guided tools

UCSF 2013 Operation CRISPR: Operation CRISPR: Deploying precision guided tools

UCSF 2013 Operation CRISPR: Operation CRISPR: Deploying precision guided tools to target unique species in a complex microbiome Microbiomes play an important role in

826 views • 54 slides
Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis Benjamin Timon

Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis Benjamin Timon

Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis Benjamin Timon August 28, 2019 Python notebook presentation for CHES 2019 1 Introduction & Motivation Profiled vs Non-Profiled attacks Machine Learning trend

407 views • 14 slides
Lecture 13: Classification 6.0002 LECTURE 13 1 uncements Anno nounc Reading Chapter 24

Lecture 13: Classification 6.0002 LECTURE 13 1 uncements Anno nounc Reading Chapter 24

Lecture 13: Classification 6.0002 LECTURE 13 1 uncements Anno nounc Reading Chapter 24 Section 5.3.2 (list comprehension) Course evaluations Online evaluation now through noon on Friday, December 16 2 6.0002 LECTURE 13

786 views • 34 slides
Sensitivity of Joint Estimation in Multi Agent Iterative Learning Control Angela Schoellig and

Sensitivity of Joint Estimation in Multi Agent Iterative Learning Control Angela Schoellig and

Sensitivity of Joint Estimation in Multi Agent Iterative Learning Control Angela Schoellig and Raffaello DAndrea Institute for Dynamic Systems and Control ETH Zurich, Switzerland 1 IFAC World Congress 2011, Milano Aug 29, 2011 OUR FOCUS

865 views • 18 slides
Subdomain Sensitive Statistical Parsing Barbara Plank & Khalil Simaan using Raw Corpora

Subdomain Sensitive Statistical Parsing Barbara Plank & Khalil Simaan using Raw Corpora

Subdomain Sensitive Statistical Parsing using Raw Corpora Subdomain Sensitive Statistical Parsing Barbara Plank & Khalil Simaan using Raw Corpora Introduction and Motivation Subdomain Sensitive Barbara Plank 1 and Khalil Simaan

484 views • 23 slides
Multicore OS Benchmarks: We Can Do Better Ihor Kuz* , Zachary Anderson, Pravin Shinde, Timothy

Multicore OS Benchmarks: We Can Do Better Ihor Kuz* , Zachary Anderson, Pravin Shinde, Timothy

Multicore OS Benchmarks: We Can Do Better Ihor Kuz* , Zachary Anderson, Pravin Shinde, Timothy Roscoe Systems Group, ETH Zurich * NICTA Australia 1 Multicore OS benchmarks do not evaluate performance isolation between independent apps. 2

214 views • 10 slides
Building sensitive forecast models and common forecast assumptions Victoria Clark CGMA

Building sensitive forecast models and common forecast assumptions Victoria Clark CGMA

DataCamp Financial Forecasting in Python FINANCIAL FORECASTING IN PYTHON Building sensitive forecast models and common forecast assumptions Victoria Clark CGMA Financial Analyst DataCamp Financial Forecasting in Python Considerations when

306 views • 16 slides
Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS,

Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS,

Variance-Based Sensitivity Analysis for SODEs Stochastic Simulators Conclusions Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS, Orsay, France KAUST, Saudi-Arabia Duke University, Durham, North

981 views • 49 slides
Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

CS573 Data Privacy and Security Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques Composition theorems Statistical Data Privacy Non-interactive vs interactive Privacy goal: individual is

1.15k views • 64 slides

More recommend