Bottom-up Context-Sensitive Pointer Analysis for Java

Size: px

Start display at page:

Download "Bottom-up Context-Sensitive Pointer Analysis for Java"

Christal Conley
6 years ago
Views:

1 Bottom-up Context-Sensitive Pointer Analysis for Java Yu Feng, Xinyu Wang, Isil Dillig and Thomas Dillig UT Austin 1

2 What is this talk about? Pointer analysis Given a program variable v, what are the heap locations v can point to? Many applications: compiler optimizations, verification (e.g., memory safety), software engineering, Our goal: Context- sensitive, compositional pointer analysis for Java Context-sensitive: more precise because it differentiates information at each call site Compositional: Analyzes each method only once and generates a polymorphic summary 2

3 What is this talk about? Summary Generation Summary Instantiation Constraint-based handling for virtual calls 3

4 Existing approaches Almost all context-sensitive pointer analyses for Java are top-down Not compositional! Reanalyze every method multiple times in different calling contexts Very hard to scale m1 m2 m3 m4 m5 m6 Existing approaches compromise precision by limiting context information (e.g., 1-CFA, 2-obj) m7 4

5 Our approach: bottom-up Our approach: Analyze each procedure independently of callers and generate a polymorphic points-to summary naturally context-sensitive because summary plugged in at the call site Key advantage: scalability Each summary can be used in multiple calling contexts and across applications m1 m2 m3 m4 m5 m6 m7 5

6 Wait, hasn t this been done before? Lots of works on bottom-up pointer analysis for C or C++ Cheng et al. PLDI 00, Lattner et al. PLDI 07, Dillig PLDI 11 Not much work for object-oriented languages like Java Some works rely on global points-to information: Yorsh et al. POPL 08, Zhang et al. PLDI 14 Whaley et al. OOPSLA 99 does not handle virtual calls precisely One of key problems: How to handle virtual method calls 6

7 A strawman solution for virtual calls A alloc1 E:goo <:= <:= <:= B C D <:= <:= <:= <:= void bar(a o) { o.goo(); } arg1.f alloc2 arg1.g H:goo E F G H alloc3 D:goo Instantiate summary of goo() for all possible dynamic types of o 7

8 A strawman solution for virtual calls alloc1 E:goo void bar(a o) { o.goo(); } arg1.f alloc2 arg1.g H:goo void foo(x x, H z) { z.g = new Z();//alloc0 bar(z); } alloc3 D:goo This solution is completely imprecise!! Strawman solution is (almost) as bad as context-insensitive analysis! 8

9 Our Key Idea Key idea: Qualify points-to edges with constraints Traditional points-to graph Nodes denote abstract heap objects Directed edges represent may-point-to relations Our points-to graph x Constraints on edges stipulate dynamic type of receiver x type(v) <= T y y x points to y only if the dynamic type of v is subtype of T! class T { X x; X y; void bar() { x=y; } } main() { v.bar(); } 9

10 Revisiting example E F A <:= <:= <:= B C D <:= <:= <:= <:= G H void bar(a o) { o.baz(); } arg1.f type(arg1) <:= E type(arg1) <:= H type(arg1) <:= H type(arg1) <:= D alloc1 alloc2 arg1.g alloc3 Access paths represent heap objects allocated by caller Allocations represent heap objects allocated by current method or its callees 10

11 Revisiting example, cont. bar type(arg1) <:= E alloc1 type(arg2) <:= E foo alloc1@foo arg1.f type(arg1) <:= H alloc2 arg2.f type(arg2) <:= H alloc2@foo type(arg1) <:= H type(arg2) <:= H arg1.g alloc0 type(arg1) <:= D type(arg2) <:= D alloc3 alloc3@foo void foo(a a, H z) { z.g = new Z();//alloc0 bar(z); } 11

12 Using SMT solver Since we have types on points-to edges, use constraint solver to check if points-to edge is feasible Translate subtyping constraints into linear inequalities and feed to SMT solver Subtyping constraints Linear inequalities 12

13 Translating subtyping constraints to linear inequalities A <:= <:= <:= B C D Post-order labeling 8 A B C D E <:= <:= <:= <:= F G H 1 2 E F 4 G 5 H 11 type(v) <:= C 4 <= type(v) <= 6 13

14 Back to previous example Static type of arg2 is H, we have : type(arg2) <:= H : type(arg2) <:= E type(arg2) <:= E alloc1@foo : type(arg2) <:= D arg2.f type(arg2) <:= H type(arg2) <:= H alloc2@foo alloc0 Assumption : is UNSAT is UNSAT type(arg2) <:= D alloc3@foo is valid 14

15 Experiment Benchmarks Analyzed 10 large benchmarks from Dacapo and Ashes Compared Scuba with k-cfa and k-obj in terms of running time k refers to number of contexts tracked by analysis k-cfa uses call sites as contexts k-obj uses receiver object as context Compared precision with two clients: May-alias analysis: # of pairs that are proven NOT aliased (larger is better) Downcast analysis: # downcasts that are proven safe (larger is better) 15

16 Experiment Analysis time in seconds (Smaller is better) 16

17 Experiment May-alias results (Larger is better) 17

18 Experiment Downcast results (Larger is better) 18

19 Conclusion Bottom-up and context-sensitive pointer analysis for Java Constraint-based handling of virtual calls Generate polymorphic method summaries Our tool is both precise and scalable 19

20 Thank you! Program analysis Scuba SMT solver 20

Calvin Lin The University of Texas at Austin

Calvin Lin The University of Texas at Austin Interprocedural Analysis Last time Introduction to alias analysis Today Interprocedural analysis March 4, 2015 Interprocedural Analysis 1 Motivation Procedural abstraction Cornerstone of programming Introduces