Screaming Fast Declarative Pointer Analysis

Size: px

Start display at page:

Download "Screaming Fast Declarative Pointer Analysis"

Kellie Melton
5 years ago
Views:

1 Screaming Fast Declarative Pointer Analysis Martin Bravenboer and Yannis Smaragdakis University of Massachusetts Amherst University of Oregon NEPLS March 5, 2008

2 overview 1 what do we do?

3 overview 1 what do we do? fully declarative pointer analysis fast, really fast

4 overview 1 what do we do? fully declarative pointer analysis fast, really fast how do we do it? novel, aggressive optimization exposition of indexes

5 overview 1 what do we do? fully declarative pointer analysis fast, really fast how do we do it? novel, aggressive optimization exposition of indexes why do you care? fast sophisticated, simple different

6 overview 1 what do we do? fully declarative pointer analysis fast, really fast how do we do it? novel, aggressive optimization exposition of indexes why do you care? fast sophisticated, simple different why is it relevant? optimization understanding, find bugs

7 program analysis: run faster 2

8 program analysis: software understanding 3

9 program analysis: find bugs 4

10 pointer analysis 5 what objects can a variable point to? program void foo() { a = new A1(); b = id(a); } void bar() { a = new A2(); b = id(a); } A id(a a) { return a; }

11 pointer analysis 5 ˆ ˆ what objects can a variable point to? program points-to void foo() { foo.a new A1() a = new A1(); b = id(a); bar.a new A2() } void bar() { a = new A2(); b = id(a); } A id(a a) { return a; }

12 pointer analysis 5 ˆ ˆ what objects can a variable point to? program points-to void foo() { foo.a new A1() a = new A1(); bar.a new A2() b = id(a); } id.a new A1(), new A2() void bar() { a = new A2(); b = id(a); } ˆ A id(a a) { return a; }

13 pointer analysis 5 ˆ ˆ ˆ what objects can a variable point to? program points-to void foo() { foo.a new A1() a = new A1(); bar.a new A2() } b = id(a); id.a new A1(), new A2() foo.b new A1(), new A2() void bar() { bar.b new A1(), new A2() a = new A2(); b = id(a); } A id(a a) { return a; }

14 pointer analysis 5 what objects can a variable point to? program void foo() { a = new A1(); b = id(a); } void bar() { a = new A2(); b = id(a); } A id(a a) { return a; } points-to foo.a bar.a id.a foo.b bar.b new A1() new A2() new A1(), new A2() new A1(), new A2() new A1(), new A2() context-sensitive points-to foo.a bar.a id.a (foo) id.a (bar) foo.b bar.b new A1() new A2() new A1() new A2() new A1() new A2()

15 pointer analysis: a complex domain 6 inclusion-based subset-based unification-based equality-based flow-sensitive context-sensitive k-cfa field-based field-sensitive heap cloning context-sensitive heap abstraction

16 algorithms in a 10-page pointer analysis paper 7

17 algorithms in a 10-page pointer analysis paper 7

18 algorithms in a 10-page pointer analysis paper 7

19 algorithms in a 10-page pointer analysis paper 7

20 algorithms in a 10-page pointer analysis paper 7

21 algorithms in a 10-page pointer analysis paper 7

22 algorithms in a 10-page pointer analysis paper 7

23 algorithms in a 10-page pointer analysis paper 7

24 algorithms in a 10-page pointer analysis paper 7 variation points unclear every variant new algorithm correctness unclear insights, specifics? incomparable in precision incomparable in performance

25 program analysis: a domain of mutual recursion 8 var points-to

26 program analysis: a domain of mutual recursion 8 x = y var points-to

27 program analysis: a domain of mutual recursion 8 x = y var points-to

28 program analysis: a domain of mutual recursion 8 x = f() var points-to call graph

29 program analysis: a domain of mutual recursion 8 x = f() var points-to call graph

30 program analysis: a domain of mutual recursion 8 x = y.f() var points-to call graph

31 program analysis: a domain of mutual recursion 8 x = new A() var points-to call graph reachable methods

32 program analysis: a domain of mutual recursion 8 x = new A() var points-to call graph reachable methods

33 program analysis: a domain of mutual recursion 8 x.f = y var points-to call graph field points-to reachable methods

34 program analysis: a domain of mutual recursion 8 x.f = y var points-to call graph field points-to reachable methods

35 program analysis: a domain of mutual recursion 8 x = f.y var points-to call graph field points-to reachable methods

36 program analysis: a domain of mutual recursion 8 throw e var points-to call graph exceptions field points-to reachable methods

37 program analysis: a domain of mutual recursion 8 throw e var points-to call graph exceptions field points-to reachable methods

38 program analysis: a domain of mutual recursion 8 catch(e e) var points-to call graph exceptions field points-to reachable methods

39 program analysis: a domain of mutual recursion 8 g() var points-to call graph exceptions field points-to reachable methods

40 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b;

41 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c

42 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

43 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

44 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo a new A() b new B() c new C() ˆ VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

45 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo a new A() b new B() c new C() VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

46 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo a new A() b new B() c new C() VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). ˆ VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

47 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo a new A() b new B() c new C() a new B() VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). ˆ VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

48 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo a new A() b new B() c new C() a new B() b new A() c new B() VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

49 datalog: declarative mutual recursion 9 source a = new A(); b = new B(); c = new C(); a = b; b = a; c = b; AssignHeapAllocation a new A() b new B() c new C() Assign b a a b b c VarPointsTo a new A() b new B() c new C() a new B() b new A() c new B() c new A() VarPointsTo(?var,?heap) <- AssignHeapAllocation(?var,?heap). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap).

50 datalog: properties 10 limited logic programming sql with recursion prolog without complex terms (constructors) guaranteed termination captures PTIME complexity class purely declarative as opposed to prolog - conjunction commutative - clauses commutative enables different execution strategies enables more aggressive optimization writing datalog is less programming, more specification

51 datalog: naive evaluation 11 datalog VarPointsTo(?var,?heap) <- AssignHeapAllocation(?heap,?var). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap). naive evaluation (relational algebra) VarPointsTo := AssignHeapAllocation repeat tmp := π to var,heap (VarPointsTo from=var VarPointsTo := VarPointsTo tmp until fixpoint Assign)

52 datalog: naive evaluation 11 datalog VarPointsTo(?var,?heap) <- AssignHeapAllocation(?heap,?var). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap). naive evaluation (relational algebra) VarPointsTo := AssignHeapAllocation repeat tmp := π to var,heap (VarPointsTo from=var Assign) VarPointsTo := VarPointsTo tmp until fixpoint VarPointsTo(var, heap) Assign(from, to)

53 datalog: naive evaluation 11 datalog VarPointsTo(?var,?heap) <- AssignHeapAllocation(?heap,?var). VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap). naive evaluation (relational algebra) VarPointsTo := AssignHeapAllocation repeat DO loops are so 1950s! tmp := π to var,heap (VarPointsTo from=var Assign) VarPointsTo := VarPointsTo tmp until fixpoint VarPointsTo(var, heap) Assign(from, to)

54 datalog: semi-naive evaluation 12 VarPointsTo Assign

55 datalog: semi-naive evaluation 12 VarPointsTo Assign

56 datalog: semi-naive evaluation 12 VarPointsTo Assign

57 datalog: semi-naive evaluation 12 VarPointsTo Assign

58 datalog: semi-naive evaluation 12 VarPointsTo Assign

59 datalog: semi-naive evaluation 13 InstanceFieldPointsTo(?baseheap,?signature,?heap) <- StoreInstanceField(?from,?base,?signature), VarPointsTo(?base,?baseheap), VarPointsTo(?from,?heap). StoreInstanceField(?from,?base,?signature)?base.?signature =?from InstanceFieldPointsTo(?baseheap,?signature,?heap) field?signature of object?baseheap may point to object?heap

60 datalog: semi-naive evaluation 13 InstanceFieldPointsTo(?baseheap,?signature,?heap) <- StoreInstanceField(?from,?base,?signature), VarPointsTo(?base,?baseheap), VarPointsTo(?from,?heap). i InstanceFieldPointsTo(?heap,?signature,?baseheap) <- StoreInstanceField(?from,?signature,?base), i 1 VarPointsTo(?base,?baseheap), VarPointsTo(?from,?heap).

61 datalog: semi-naive evaluation 13 InstanceFieldPointsTo(?baseheap,?signature,?heap) <- StoreInstanceField(?from,?base,?signature), VarPointsTo(?base,?baseheap), VarPointsTo(?from,?heap). i InstanceFieldPointsTo(?heap,?signature,?baseheap) <- StoreInstanceField(?from,?signature,?base), i 1 VarPointsTo(?base,?baseheap), VarPointsTo(?from,?heap). i InstanceFieldPointsTo(?heap,?signature,?baseheap) <- StoreInstanceField(?from,?signature,?base), VarPointsTo(?base,?baseheap), i 1 VarPointsTo(?from,?heap).

62 pointer analysis: implementation approaches 14 context-sensitive pointer analysis implementations paddle implemented in java + relational algebra + bdd wala implemented in java, conventional constraint-based bddbddb implemented in datalog + bdd (+ java)

63 pointer analysis: implementation approaches 14 context-sensitive pointer analysis implementations paddle implemented in java + relational algebra + bdd wala implemented in java, conventional constraint-based bddbddb implemented in datalog + bdd (+ java) not a single fully declarative specification

64 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog

65 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog Lhotak: [E]ncoding all the details of a complicated program analysis problem (such as the interrelated analyses [on-the-fly call graph construction, handling of Java features]) purely in terms of subset constraints may be difficult or impossible.

66 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory

67 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory Naik: All publicly available implementations of k-object sensitive alias analysis ran out of memory on most of our benchmarks for k=1

68 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory Naik: All publicly available implementations of k-object sensitive alias analysis ran out of memory on most of our benchmarks for k=1 Lhotak: Efficiently implementing a 1H-object-sensitive analysis without BDDs will require new improvements in the data structures and algorithms used to implement points-to analyses

69 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory Naik: All publicly available implementations of k-object sensitive alias analysis ran out of memory on most of our benchmarks for k=1 Lhotak: Efficiently implementing a 1H-object-sensitive analysis without BDDs will require new improvements in the data structures and algorithms used to implement points-to analyses Whaley: Owing to the power of the BDD data structure, bddbddb can even solve analysis problems that were previously intractable

70 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory Naik: All publicly available implementations of k-object sensitive alias analysis ran out of memory on most of our benchmarks for k=1 Lhotak: Efficiently implementing a 1H-object-sensitive analysis without BDDs will require new improvements in the data structures and algorithms used to implement points-to analyses Whaley: Owing to the power of the BDD data structure, bddbddb can even solve analysis problems that were previously intractable Lhotak: I ve never managed to get Paddle to run in available memory with these settings [2-cfa context-heap], at least not on real benchmarks complete with the standard library.

71 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results

72 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results Whaley: By using BDDs to represent relations, bddbddb can operate on entire relations at once, instead of iterating over individual tuples.

73 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results

74 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results

75 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results

76 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results

77 unconventional theses 15 sophisticated pointer analysis fully expressible in datalog explicit representation fits in memory semi-naive evaluation: performance size of results

78 benchmark: 1-call-site-sensitive+heap doop paddle analysis time (seconds) antlr bloat chart eclipse hsqldb jython luindex lusearch pmd xalan

79 benchmark: 1-call-site-sensitive+heap full order of magnitude faster! doop paddle 5000 analysis time (seconds) comparable: demonstrated equivalence of results! antlr bloat chart eclipse hsqldb jython luindex lusearch pmd xalan

80 where is the magic? 17 fully declarative everything is incremental efficient architecture for datalog engine but, not a magic tool! novel optimizations targeting recursive logic yet, relatively easy!

81 datalog engine architecture 18 interning "<java.lang.thread: void <clinit>()>" 32-bit int tuple compression call-graph edge: invocation method 64-bit int relations are indexes (b-trees) index-organized tables efficient representation of sparse relations alternative datastructures for (partially) dense relations indexes exposed in the language reverse argument order is index VarPointsTo(?var,?heap)

82 optimization principles 19 always use index efficiently Assign(?from,?to), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?from,?heap)

83 optimization principles 19 always use index efficiently Assign(?from,?to), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?from,?heap) never iterate over full views Assign(?to,?from), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?heap,?from)

84 optimization principles 19 always use index efficiently Assign(?from,?to), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?from,?heap) never iterate over full views Assign(?to,?from), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?heap,?from) never iterate over big input relations StoreInstanceField(?from,?signature,?base), VarPointsTo(?baseheap,?base), VarPointsTo(?heap,?from) we ll get back to that...

85 optimization principles 19 always use index efficiently Assign(?from,?to), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?from,?heap) never iterate over full views Assign(?to,?from), VarPointsTo(?from,?heap) Assign(?to,?from), VarPointsTo(?heap,?from) never iterate over big input relations StoreInstanceField(?from,?signature,?base), VarPointsTo(?baseheap,?base), iterate over delta VarPointsTo(?heap,?from) access big relations with we ll get back to that... index

86 optimization: variable ordering 20 unoptimized VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap). constraints Assign VarPointsTo 1. Assign 2. VarPointsTo -?from 1. VarPointsTo 2. Assign?from - optimized VarPointsTo(?heap,?to) <- Assign(?to,?from), VarPointsTo(?heap,?from).

87 optimization: variable ordering 20 unoptimized VarPointsTo(?to,?heap) <- Assign(?from,?to), VarPointsTo(?from,?heap). constraints Assign VarPointsTo 1. Assign 2. VarPointsTo -?from 1. VarPointsTo 2. Assign?from - optimized VarPointsTo(?heap,?to) <- Assign(?to,?from), VarPointsTo(?heap,?from). other join orderings not interesting: pruned immediately

88 optimization: folding 21 InstanceFieldPointsTo(?baseheap,?signature,?heap) <- StoreInstanceField(?from,?base,?signature), VarPointsTo 1 (?baseheap,?base), VarPointsTo 2 (?heap,?from). Store VarPointsTo 1 VarPointsTo 2 1. VarPointsTo 1 2. StoreInstanceField 3. VarPointsTo 2?base -?from 1. VarPointsTo 2 2. StoreInstanceField?from?base - 3. VarPointsTo 1

89 optimization: folding 21 InstanceFieldPointsTo(?baseheap,?signature,?heap) <- StoreInstanceField(?from,?base,?signature), VarPointsTo 1 (?baseheap,?base), VarPointsTo 2 (?heap,?from). Store VarPointsTo 1 VarPointsTo 2 1. VarPointsTo 1 2. StoreInstanceField 3. VarPointsTo 2?base -?from 1. VarPointsTo 2 2. StoreInstanceField 3. VarPointsTo 1?from?base - conflicting constraints! there is no efficient index.

90 optimization: folding 21 InstanceFieldPointsTo(?baseheap,?signature,?heap) <- StoreInstanceField(?from,?base,?signature), VarPointsTo 1 (?baseheap,?base), VarPointsTo 2 (?heap,?from). fold StoreInstanceField and VarPointsTo 1 to create an index: InstanceFieldPointsTo(?heap,?signature,?baseheap) <- StoreHeapInstanceField(?baseheap,?signature,?from), VarPointsTo(?heap,?from). StoreHeapInstanceField(?baseheap,?signature,?from) <- StoreInstanceField(?from,?signature,?base), VarPointsTo(?baseheap,?base). we have just introduced a materialized view!

91 precise exception analysis 22 method invocations: propagated exceptions ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

92 precise exception analysis 22 method invocations: propagated exceptions ˆ ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

93 precise exception analysis 22 method invocations: propagated exceptions ˆ ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

94 precise exception analysis 22 method invocations: propagated exceptions ˆ ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

95 precise exception analysis 22 method invocations: propagated exceptions ˆ ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

96 precise exception analysis 22 method invocations: propagated exceptions ˆ ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

97 precise exception analysis 22 method invocations: propagated exceptions ˆ ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

98 precise exception analysis 22 method invocations: propagated exceptions ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions ˆ VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

99 precise exception analysis 22 method invocations: propagated exceptions ThrowPointsTo(?heap,?callerMethod) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, not exists ExceptionHandler[?heaptype,?invocation], Instruction:Method[?invocation] =?callermethod. method invocations: caught exceptions ˆ VarPointsTo(?heap,?param) <- CallGraphEdge(?invocation,?tomethod), ThrowPointsTo(?heap,?tomethod), HeapAllocation:Type[?heap] =?heaptype, ExceptionHandler[?heaptype,?invocation] =?handler, ExceptionHandler:FormalParam[?handler] =?param.

100 declarative program analysis is paying off 23 declarativeness precise exception analysis sophisticated reflection analysis java references, finalization, threading, etc. high-level optimization hand-optimization not difficult potential automation automatic incrementalization naive evaluation would be horrible automatic memory management out-of-core analyses automatic parallelization very promising for program analysis

101 questions? 24

Software Challenges: Abstraction and Analysis

Software Challenges: Abstraction and Analysis Martin Bravenboer University of Massachusetts Amherst University of Oregon April 2, 2009 University of Waterloo my research 1 the design and implementation