unification based pointer analysis without oversharing
play

Unification-based Pointer Analysis without Oversharing Jakub - PowerPoint PPT Presentation

Feb 11, 2023 •240 likes •518 views

Unification-based Pointer Analysis without Oversharing Jakub Kuderski 1,3 , Jorge A. Navas 2 , Arie Gurfinkel 1 1 University of Waterloo, Canada 2 SRI International, USA 3 Currently Google Canada FMCAD 2019, San Jose, CA, USA, October 23 2019 1

  1. Unification-based Pointer Analysis without Oversharing Jakub Kuderski 1,3 , Jorge A. Navas 2 , Arie Gurfinkel 1 1 University of Waterloo, Canada 2 SRI International, USA 3 Currently Google Canada FMCAD 2019, San Jose, CA, USA, October 23 2019 1

  2. TeaDsa -- a new Pointer Analysis for LLVM A state-of-the-art PTA for LLVM, based on SeaDsa • Unification-based (Steensgaard-style); • Context-, field-, and array-sensitive. Contributions: 1. A modular formulation of DSA; 2. Elimination of abstract object copying in the Top-Down phase of DSA; 3. Improved inter-procedural reasoning with partial flow-sensitivity; 4. Improved intra-procedural reasoning with type-awareness. Evaluation based on a program verification task: detecting field-overflow bugs. 2 Statement Inclusion-based Unification-based

  3. Outline 1. Verification Challenges for Low-level Programs 2. Pointer Analysis 3. Oversharing in Existing Unification-based Pointer Analyses 4. Analyzing Pointer Analyses 5. TeaDsa -- a Scalable Context-Sensitive Pointer Analysis for LLVM 6. Evaluation and Conclusions 3 Statement Inclusion-based Unification-based

  4. Pointers in Low-level Languages ● Used for strings, arrays, passing function parameters, return values. ● Pointers to fields of aggregates (e.g., structs, arrays). ● Pointer arithmetic, integer-to-pointer conversions, type casts. 4

  5. Pointers in Low-level Languages Definition: Pointer -- object identifier and offset within that object. float f; int i; Data *next; data px 5

  6. Pointers in Program Verification ● What strings can line 9 print? ● What is the result of the comparison on line 23? Can foo overwrite the label field of conf ? ● Is accessing the label field of conf safe in foo ? ● 6

  7. Pointer Analysis (PTA) Pointer Analysis (PTA) -- determining whether a given pointer: a. aliases with another pointer (alias analysis) alias(p1, p2) b. points to an object (points-to analysis) p ⟼ o ● Indispensable in reasoning about programs: ○ Static Program Analysis, Program Verification, Compiler Optimizations. ● Undecidable -- we need approximate solutions. ● Numerous publications about Pointer Analysis, yet very few quality open-source implementations for LLVM: ○ e.g., DSA, SeaDsa, SVF. 7

  8. Inclusion- and Unification-based PTAs Definitions: Objects distinguished by their Allocation Site , e.g., calls to allocating functions, declarations of address-taken variables. Soundnes: If a PTA says that two pointers do not alias, there must be no program execution where they point to the same object. Inclusion-based Unification-based (Andersen-style): (Steensgaard-style) ● ● e.g., SVF e.g., DSA, SeaDsa o1 o2 ptr_ptr ptr_ptr o1, o3 o2 o3 8

  9. Inclusion and Unification Constraints Inclusion-based Unification-based (Andersen-style): (Steensgaard-style) ● ● e.g., SVF. e.g., DSA, SeaDsa. o1 o2 ptr_ptr ptr_ptr o1, o3 o2 o3 Instruction Inclusion (subset) constraint Unification constraint p = malloc(n) p ⊇ loc(malloc) p ≈ loc(malloc) p = q p ⊇ q p ≈ q *p = q pts(p) ⊇ q pts(p) ≈ q p = *q p ⊇ pts(q) p ≈ pts(q) p = &x p ⊇ loc(x) p ≈ loc(x) 9

  10. Conventional Wisdom Inclusion-based Unification-based (Andersen-style): (Steensgaard-style) ● ● e.g., SVF. e.g., DSA, SeaDsa. o1 o2 ptr_ptr ptr_ptr o1, o3 o2 o3 Property Inclusion-based Unification-based Definition: Precision? Precise Imprecise Precision -- roughly, the fewer Speed? Slow Fast points-to facts a PTA derives the more precise it is. Memory consumption? Large Small Patent issues? No Yes 10

  11. Dimensions of PTAs 1. Flow-sensitivity -- separate results for each program instruction. (e.g., SVF) 2. Field-sensitivity -- distinguishing fields of aggregates. (e.g., SVF, SeaDsa) 3. Context-sensitivity -- distinguishing different calling contexts. (e.g., SeaDsa) 4. More... Inclusion-based PTAs are typically flow-sensitive but context-insensitive. Unification-based PTAs are typically context-sensitive but flow-insensitive. 11

  12. Unification-based PTA -- an example 3 A Context-insensitive Points-To Graph: 1 2 12

  13. Unification-based PTA -- an example A Context-sensitive Points-To Graph: Definition: Oversharing -- existence of large number of inaccessible foreign objects during the analysis of a particular function. 13

  14. Data Structure Analysis (DSA) A state-of-the-art PTA for LLVM [1]. • Unification-based (Steensgaard-style), context- and field-sensitive. • Uses a Union-Find data structure for efficient abstract object grouping. • Analysis performed in 3 phases: • Local -- resolves local points-to information; • Bottom-Up -- inlines points-to information from callees to callers; • Top-Down -- inlines points-to information from callers to callees. • Works around the problem of having too many abstract object by maintaining a separate context-insensitive points-to graph for global variables. SeaDsa -- an implementation of DSA used by the SeaHorn verification framework [2]: ● Context-, field-, and array-sensitive; ● Designed to work on (small) SVComp benchmarks, no workaround for global variables. [1] C. Lattner, V. S. Adve: Automatic pool allocation: improving performance by controlling data structure layout in the heap. PLDI 2005 [2] A. Gurfinkel, J. A. Navas: A Context-Sensitive Memory Model for Verification of C/C++ Programs. SAS 2017 14 Statement Inclusion-based Unification-based

  15. Contribution #1 DSA -- a Formulation with Inference Rules PTA inference rules. A simple LLVM-like Low-level language. 15 Statement Inclusion-based Unification-based

  16. DSA -- an Improved Example A better Points-To Graph for print : Contribution #2 Based on the formulation, we show that no abstract objects should be copied during the Top-Down phase of DSA. 16

  17. DSA -- Improving Precision Precision can be improved by: 1. More precise intraprocedural (local) analysis ○ Less confusion locally and less local confusion propagated to analyses of other functions. 2. More precise interprocedural analysis ○ Less confusion propagated across functions. 17 Statement Inclusion-based Unification-based

  18. DSA -- Improving Interprocedural Rules Observation: Abstract objects that do not alias the passed parameters and foo returned values do not have to be propagated. Contribution #3 Improved global reasoning with Partial Flow-Sensitivity at call- and return-sites. 18

  19. DSA -- Improving Local Rules The C11 programming language in Section 6.5 introduces effective type rules: ● Roughly, every memory location has a type determined by the last write and all reads from that memory location must be of compatible types. When analyzing memory reads in PTA, we can exploit it and ignore writes of incompatible types that definitely do not affect the read values. Must be an int 19

  20. DSA -- Improving Local Rules The C11 programming language in Section 6.5 introduces effective type rules: ● Roughly, every memory location has a type determined by the last write and all reads from that memory location must be of compatible types. When analyzing memory reads in PTA, we can exploit it and ignore writes of incompatible types that definitely do not affect the read values. Contribution #4 Improved local reasoning, based on the effective type rules of C11. 20

  21. Evaluation -- a Program Verification Task A program verification task: detecting a class of memory-safety bugs, called field-overflow bugs: • A field-overflow happens when a field not present in an object is tried to be accessed, causing an access outside of the allocated object. To know if an access is safe or not, we need to identify all potential Allocation Sites of the accessed pointer. 1 2 If the Allocation Site the pointer originates from is too small, the access is not safe. Only safe for 2 21 Statement Inclusion-based Unification-based

  22. Evaluation -- Simple Memory Checker • A checker for the Program Verification Task, implemented in the SeaHorn verification framework. • For all memory accesses, identifies all potential allocation sites and checks if the accesses pointer comes from an allocation site of insufficient size. a. All allocation sites of variable size are discarded. b. Allocation sites of statically-known insufficient size need to be checked. c. Allocation sites of statically-known sufficient size are safe. 22 Statement Inclusion-based Unification-based

  23. Evaluation -- Setup Based on the Simple Memory Checker analysis. ● Comparison against the vanilla SeaDsa, SeaDsa with the Top-Down optimization and Partial Flow-Sensitivity. ● Comparison against two PTAs from SVF: the WaveDiff pre-analysis and the Sparse Value-Flow PTA. ○ Inclusion-based flow-sensitive state-of-the-art PTAs. ○ Allocation site detection modified to match the one from SeaDsa and TeaDsa. ● All target programs linked into a single LLVM bitcode file (whole-program analysis). ○ Popular C and C++ programs. ○ Program size ranges from 140 kB to 157 MB of bitcode. 23 Statement Inclusion-based Unification-based

  24. Evaluation -- Performance 24 Statement Inclusion-based Unification-based

  25. Evaluation -- Precision * Lower is better 25 Statement Inclusion-based Unification-based

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
The unification type of Workshop on Admissible Rules and Unification

The unification type of Workshop on Admissible Rules and Unification

The unication type The unification type of Workshop on Admissible Rules and Unification http://logica.dmi.unisa.it/lucaspada University of Salerno Department of Mathematics Luca Spada Based on a joint work with V. Marra ukasiewicz logic

1.83k views • 145 slides
CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this

CS 293S Pointer Analysis Yufei Ding Slides adapted from Wei Le, Stephen Chong Focus of this lecture Terms and concepts Algorithms: Andersen-Style and Steensgaard-Style Advanced topics 2 What is Pointer/Alias/points-to Analysis?

347 views • 32 slides
A sound unification algorithm based on telescope equivalences Jesper Cockx DistriNet KU

A sound unification algorithm based on telescope equivalences Jesper Cockx DistriNet KU

A sound unification algorithm based on telescope equivalences Jesper Cockx DistriNet KU Leuven 20 April 2016 Pattern matching is awesome Agda uses unification to: check which constructors are possible specialize the result type data Vec

701 views • 67 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and

Hierarchical Pointer Analysis for Distributed Programs Distributed Programs Amir Kamil and Katherine Yelick U.C. Berkeley A August 23, 2007 t 23 2007 1 Hierarchical Pointer Analysis Amir Kamil Background 2 Hierarchical Pointer Analysis

650 views • 41 slides
CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

Datalog CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual calls:

1.01k views • 54 slides
Unification in the Description Logic EL EL - unification Minimal unifiers Franz Baader and

Unification in the Description Logic EL EL - unification Minimal unifiers Franz Baader and

Unification in EL Baader & Morawska Introduction Unification in the Description Logic EL EL - unification Minimal unifiers Franz Baader and Barbara Morawska Decision Procedure Conclusion TU Dresden, Germany UNIF 2009 Unification in

359 views • 25 slides
Grammar: Features and Unification Plan for the Talk Problems with CFG (PCFG) Features

Grammar: Features and Unification Plan for the Talk Problems with CFG (PCFG) Features

Grammar: Features and Unification Plan for the Talk Problems with CFG (PCFG) Features Structure Attribute-value Matrix (AVM) Unification Grammar formalisms based on unification Agreement Constraints that hold among various

504 views • 48 slides
unification 2016 unification strategic roadmap succession unification strategic roadmap

unification 2016 unification strategic roadmap succession unification strategic roadmap

unification 2016 unification strategic roadmap succession unification strategic roadmap succession Board rd CE CEO Committe ttees unification strategic roadmap succession Global Member Value Centre Advocacy & Education

347 views • 30 slides
CKM * physics at hadron colliders Mat Charles (Sorbonne Universit/LPNHE) representing the LHCb

CKM * physics at hadron colliders Mat Charles (Sorbonne Universit/LPNHE) representing the LHCb

CKM * physics at hadron colliders Mat Charles (Sorbonne Universit/LPNHE) representing the LHCb collaboration * meaning here: flavour physics that lets us make serious, indirect tests of the SM either by itself or in combination with other

1.1k views • 80 slides
Rectifiability and Singular Integrals: solving DavidSemmes problem A paper by F. Nazarov,

Rectifiability and Singular Integrals: solving DavidSemmes problem A paper by F. Nazarov,

Rectifiability and Singular Integrals: solving DavidSemmes problem A paper by F. Nazarov, X. Tolsa, and A. Volberg Michigan State University October, 2012 Alexander Volberg Solving a problem of David and Semmes Meinen Dank f ur eine

1.24k views • 103 slides
Package Development in Windows Duncan Murdoch Department of Statistical and Actuarial Sciences

Package Development in Windows Duncan Murdoch Department of Statistical and Actuarial Sciences

Why packages? The Windows tools A sample package Going further Package Development in Windows Duncan Murdoch Department of Statistical and Actuarial Sciences University of Western Ontario August 13, 2008 1 of 46 Why packages? The Windows

796 views • 21 slides
Hadron Mass Effects on Kaon production on deuteron Juan Guerrero Hampton University &

Hadron Mass Effects on Kaon production on deuteron Juan Guerrero Hampton University &

Hadron Mass Effects on Kaon production on deuteron Juan Guerrero Hampton University & Jefferson Lab Hadronic Physics with Lepton and Hadron Beams September 6, 2017 Based on: J. G., J. Ethier, A. Accardi, S. Casper ,W.

357 views • 31 slides
Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar

Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar

Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar praveen@math.tifrbng.res.in Center for Applicable Mathematics Tata Institute of Fundamental Research Bangalore-560065, India http://cpraveen.github.io GIAN Course

1.25k views • 111 slides
Linear and Nonlinear Waves in Gas Dynamics Barbara Lee Keyfitz The Ohio State University

Linear and Nonlinear Waves in Gas Dynamics Barbara Lee Keyfitz The Ohio State University

Linear and Nonlinear Waves in Gas Dynamics Barbara Lee Keyfitz The Ohio State University bkeyfitz@math.ohio-state.edu April 2, 2016 Barbara Keyfitz (Ohio State) Linear and Nonlinear Waves April 2, 2016 1 / 28 Outline 1 Background

654 views • 28 slides
Efficient long-term research and innovation program under grant agreement No 689868. open-access

Efficient long-term research and innovation program under grant agreement No 689868. open-access

This project has received funding from the European Unions Horizon 2020 Efficient long-term research and innovation program under grant agreement No 689868. open-access data archiving in mining industries Saulius Graulis & the SOLSA

592 views • 36 slides
Computer Algebra and Formal Proof James Davenport 1 University of Bath J.H.Davenport@bath.ac.uk

Computer Algebra and Formal Proof James Davenport 1 University of Bath J.H.Davenport@bath.ac.uk

Computer Algebra and Formal Proof James Davenport 1 University of Bath J.H.Davenport@bath.ac.uk 21 July 2017 1 Thanks to EU H2020-FETOPEN-2016-2017-CSA project SC 2 (712689) and the Isaac Newton Institute through EPSRC K/032208/1 Davenport

349 views • 22 slides

More recommend