Context-sensitive points-to analysis: is it worth it?

Pointer and Shape Analysis Seminar

Context-sensitiveContext-sensitivepoints-to analysis:points-to analysis:

is it worth it?is it worth it?Article by

Ondřej Lhoták & Laurie Hendrenfrom McGill University

Presentation by Roza Pogalnikova

28/02/08 2


AbstractAbstract Evaluate precision of subset-based

points-to analysis Compare different context-sensitivity

approaches: call site strings object sensitivity algorithm by Zhu and Calman, Whaley and

Lam (ZCWL)

28/02/08 3


Subset-based PTASubset-based PTA Finding allocation sites that reach

variable: S: a = new A() // allocation statement for variable x somewhere in the program: can

it point to object allocated at S?

28/02/08 4


Context SensitivityContext Sensitivity Call site: by program statement of method

invocation

Object sensitivity: by receiving object of method invocation

ZCWL: k-CFA, where k is call graph depth without SCCs Run context-insensitive algorithm on cloned context-sensitive call graph.

S: this->call_method()

S: this->call_method()

28/02/08 5


ParametersParameters Include:

specialize only pointer variables use heap abstraction as well

Different lengths of context strings

28/02/08 6


MeasurementsMeasurements Measure to guide implementation:

number of contexts number of distinct contexts number of distinct point-to sets

Measure to evaluate: size of the call graph (methods/edges) devirtualizable call sites casts statically provable to be safe

28/02/08 7


ResultsResults Object sensitivity is the best and most

scalable Heap abstraction improves precision of

analysis Reduced analysis precision when no

context sensitivity call graph in cycles

28/02/08 8


WhatWhat Compare three kinds of context-sensitive

points-to analysis: call sites as context abstraction object-sensitive analysis ZCWL algorithm

28/02/08 9


HowHow Implemented with JEDD system:

language extension of Java abstraction of work with Binary Decision

Diagrams (BDDs) Soot framework written in JEDD:

points-to analysis call graph construction side-effect analysis in BDDs virtual call resolution

28/02/08 10


BDDsBDDs

Binary decision tree and truth table for the function f(x1, x2, x3) = -x1 * -x2 * -x3 + x1 * x2 + x2 * x3 BDD for the function f

* credit: http://en.wikipedia.org/wiki/Binary_decision_diagram

28/02/08 11


PTA using BDDsPTA using BDDs Program:

A: a = new O()B: b = new O()C: c = new O()a = bb = ac = b

Points-to:(a, A)(b, B)(c, C)(a, B)(b, A)(c, A), (c, B)

28/02/08 12


PTA using BDDsPTA using BDDs Binary

representation: a & A as 00 b & B as 01 c & C as 10

Points-to representation:(a, A) as 0000(a, B) as 0001(b, A) as 0100(b, B) as 0101(c, A) as 1000(c, B) as 1001(c, C) as 1010

28/02/08 13


PTA using BDDsPTA using BDDs Compact way to represent points-to

relations:

* credit: [2] Points-to Analysis using BDDs

28/02/08 14


DetermineDetermine How many contexts generalized? How number of contexts relates to

precision of analysis? How likely scalable solution to be

feasible?

28/02/08 15


BackgroundBackground O - pointer targets (objects) P – pointers I – method invocation

p may point to o: O(o) ϵ pt(P(p))

28/02/08 16


BackgroundBackground Oas – program statement where object

was allocated Pvar - pointer to local variable [O(o), f] - field f of object o Pfs(o.f) – pointer to a field f of object o

28/02/08 17


BackgroundBackground Compare 2 families of invocation

abstraction: call site Ics(i) (program statement of metacall) receiver object Iro(i) = O(o) (object on which

method was invoked)

28/02/08 18


BackgroundBackground String of contexts given base abstraction

Ibase: Istring(i) = [Ibase(i), Ibase(i2), Ibase(i3), ...]

ij is a j'th topmost invocation on stack during i (i = i1)

Two approaches to make it finite: define limit k to length of context string ZCWL: exclude cycle edges from call graph

28/02/08 19


BackgroundBackground Another choice: which pointers/objects to

model context-sensitively? Given context-insensitive Pci and context I

model run-time pointer p: context-sensitively by P(p) = [I(ip), Pci(p)]

(ip method invocation with p) context-insensitively by P(p) = Pci(p)

28/02/08 20


BackgroundBackground Given allocation site abstraction Oas, and

context I model object o: context-sensitively by O(o) = [I(io), Oas(o)]

(io method invocation where o was allocated) context insensitively by O(o) = Oas(o)

28/02/08 21


BenchmarksBenchmarks The study was performed on:

SpecJVM 98 benchmark suite DaCapo benchmark suite (ver. beta050224) Ashes benchmark suite Polyglot extensible Java front-end

SUN standard library 1.3.1_01

28/02/08 22


BenchmarksBenchmarks

28/02/08 23


Contexts NumberContexts Number Considered intractable:

propagate context from call site to called method

context strings number grows exponentially in the length of call chains

28/02/08 24


Contexts NumberContexts Number Clarify next issues:

how many of these contexts improve analysis results?

why BDDs can represent such number, and is there hope to represent it with traditional techniques?

28/02/08 25


Total contexts numberTotal contexts number Count method-context pairs Empty spots – analysis not completed

with available memory BDD lib. could allocate 41 million BDD

nodes (~820 MB)

28/02/08 26


Total contexts numberTotal contexts number

28/02/08 27


Total contexts numberTotal contexts number Explicit context representation not scaling

good Contexts number grows slowly in object-

sensitive (this pointer method invocations)

ZCWL k is max call depth in the call graph after

merging SCCs big variations because k different for each

benchmark

28/02/08 28


Equivalent contextsEquivalent contexts Method-context pairs (m1, c1) and (m2, c2)

are equivalent if: m1 = m2

∀ local pointer p in the method, pt(P(p)) is the same for c1 and c2

Equivalence classes reflect precision improvement due to context sensitivity

28/02/08 29


Equivalent contextsEquivalent contexts

28/02/08 30


Equivalent contextsEquivalent contexts BDD “automatically” merges equal points-

to relations, i. e. is effective Object-sensitive vs. call sites – more

precise Context string length does not have great

impact Surprisingly ZCWL is less precise due to

context-insensitivity in SCCs

28/02/08 31


Distinct points-to setsDistinct points-to sets Measures analysis cost Approximates space requirements in

“traditional”representation, like shared bit-vectors

Similar results for all context-sensitive variations

Increase in distinct point-to sets with context-sensitive heap abstraction

28/02/08 32


Distinct points-to setsDistinct points-to sets

28/02/08 33


Call GraphCall Graph Compare context-insensitive projection of

context-sensitive call graphs each node is method (and not method-

context pair) reachable methods preserved ZCWL excluded (same as input context-

insensitive graph)

28/02/08 34


Reachable methodsReachable methods

28/02/08 35


Reachable methodsReachable methods Context-sensitivity discovers more

unreachable methods (bloat) Context-sensitivity for heap objects:

In object-sensitive adds precision (sablecc-j) In call site no impact

28/02/08 36


Call edgesCall edges

28/02/08 37


Call edgesCall edges Compare size of call graph in call edges The same with exception of large

difference in sablecc-j (specific code pattern)

28/02/08 38


Virtual call resolutionVirtual call resolution Number of virtual calls with more then

one implementation Object-sensitive analysis has clear

advantage over call site. heap objects add precision (sablecc-j)

28/02/08 39


Virtual call resolutionVirtual call resolution

28/02/08 40


Cast safetyCast safety Cast cannot fail if pointer can point-to

only to object of “right” type (sub-type of the type in cast)

Count non-provable casts Object-sensitivity, especially with heap

objects is the best (polyglot, javac)

28/02/08 41


Cast safetyCast safety

28/02/08 42


ConclusionsConclusions Context-sensitive

variations: object-sensitive

analysis call sites as context

abstraction ZCWL algorithm

Evaluated effects: generated contexts distinct point-to

sets precision of call

graph construction virtual call

resolution cast safety analysis

28/02/08 43


ConclusionsConclusions Context-sensitivity improvements:

small: call graph precision medium: virtual call resolution major: cast safety analysis

Object-sensitive analysis was the best: analysis precision potential scalability

28/02/08 44


ConclusionsConclusions Object-sensitive variations improvements:

small: length of context strings significant: heap objects with context implementable with other existing techniques

28/02/08 45


ConclusionsConclusions ZCWL algorithm:

disappointing results caused by context-insensitive treatment of

calls within SCCs of the initial graph large proportion of edges in SCC

Documents

Context-sensitive points-to analysis: is it worth it?