Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis

Guoqing Xu, Atanas Rountev, Manu Sridharan
Ohio State University; IBM T. J. Watson Research Center

  • Points-to Analysis
    - Many static analysis tools need a highly precise whole-program points-to solution (e.g., data race detector, slicer)
    - Context-free-language (CFL) reachability formulation of points-to/alias analysis [Sridharan-Bodik PLDI06]
        - High precision
        - Does not scale well for whole-program analysis
        - A lot of redundant computation
    - Our approach targets CFL-reachability-based points-to analysis
        - Pre-analyze the program to reduce the redundancy

  • Example of CFL-Reachability Formulation [PLDI06]

        a = new A();      // o1
        b = new A();      // o2
        c = a;
        id(p) { return p; }
        x = id(a);        // call 1
        y = id(b);        // call 2
        a.f = new C();    // o3
        b.f = new C();    // o4
        e = x.f;

    [Figure: flowsTo graph over o1, o2, o3, o4 and a, b, c, x, y, p, ret, e, with call edges (1 )1 (2 )2 and field edges [f ]f]

    o pts(v) if o flowsTo v

  • Targeted Inefficiency
    - A pair of heap load and store: a.f = o; v = b.f;
    - What if a and b can never alias?
        - v cannot point to o
        - May be redundant to perform the entire sequence of checks

    [Figure: chain of alias? and flowsTo? checks over [f ]f and [g ]g edges, through (c.g = a) and (b = d.g)]

  • Our Approach
    - Must-not-alias analysis
        - Use an imprecise but cheap off-line analysis to find that x and b are not aliases under any possible calling context
    - Quickly conclude that e cannot point to o4 in the points-to analysis, if our analysis reports that (x, b) must not alias

  • Program Representation
    - Intraprocedural Symbolic Points-To Graph (SPG)
    - Introduce a symbolic node s for
        - a formal parameter
        - a field dereference a.f in a heap load
        - a call site that returns a reference-typed value
    - Compute intraprocedural flowsTo paths
        - Points-to edge a o SPG if o flowsTo a is found
        - Points-to edge o1 o2 SPG if o1 flowsTo a, o2 flowsTo b, and a.f = b are found

        B m(A a) {
            C c = new C();   // o1
            a.f = c;
            return c.g;
        }

    [Figure: SPG for m with nodes o1, sa, sg, ret, c, a and edges labeled f and g]

  • Interprocedural Symbolic Points-To Graph
    - Connect intraprocedural symbolic points-to graphs with entry and exit edges

        B m(A a) {
            C c = new C();   // o1
            a.f = c;
            return c.g;
        }
        A d = new A();       // o2
        B b = m(d);          // call m

    [Figure: ISPG with nodes o1, sa, sg, ret, c, d, o2, b, sm, a and edges f, g, entrym, exitm]

  • Must-Not-Alias Analysis
    - Context-insensitive memAlias formulation
    - Treat a pair of points-to edges and as balanced parentheses
    - Allocation or symbolic nodes m and n are aliases if m memAlias n

    [Figure: two edges labeled f]

  • Example

        B m(A a) {
            C c = new C();   // o1
            a.f = c;
            return c.g;
        }
        A a = new A();       // o2
        B b = m(a);
        C() {
            this.g = new B();   // o3
        }

    [Figure: ISPG with nodes o1, sa, sg, ret, c, a, o2, b, sm, sthis, o3, this and edges g, entrym, exitm, entryC]

  • Algorithm
    - Add pairs of nodes (a, b) in memAlias, if they are reachable from the same node c, and the strings between (c, a) and (c, b) are the same
    - Example: a a0 c b0 b

    [Figure: path for the example, edge labels f1 f2 fn fn f2 f1]

  • Algorithm (Cont.)

    while a fixed point is not reached do
        - Add pairs of nodes (a, b) in memAlias, if (a, f) memAlias, (g, b) memAlias, (f, g) memAlias
          a f g b
        - Add pairs of nodes (d, e) in memAlias, if there is a pair (f, g) memAlias, d and e are reachable from f and g, respectively, and the two strings between (f, d) and (e, g) are the same
          f a0 d e b0 g
    end while

    [Figure: path for the second rule, edge labels f1 f2 fn fn f2 f1]

  • Context-Sensitive Must-Not-Alias Analysis
    - Context-sensitivity is achieved by
        - Bottom-up traversing the call graph (i.e., summary-based)
        - Cloning objects for 1-level method calls when composing summaries
    - Context sensitivity
        - Full context-sensitivity for pointer variables
        - 1-level context-sensitivity for pointer targets
    - Has almost the same precision as the 1-object-sensitive analysis, but much cheaper

  • Example

        B m(A a) {
            C c = new C();   // o1
            a.f = c;
            return c.g;
        }
        A a = new A();       // o2
        B b = m(a);
        C() {
            this.g = new B();   // o3
        }

    [Figure: summaries for C and m composed at the call sites, with cloned nodes (o3c, o1m, sthisc, sam, sgm) and edges f, g, entryC, entrym, exitm]

  • Using Must-Not-Alias Information
    - Object or symbolic nodes m and n must not alias if (m, n) memAlias
    - Using must-not-alias information in Sridharan-Bodik analysis
        - Check a pair of load and store: a.f = o; c = b.f;
        - Don't check whether a and b can alias if, for any object or symbolic nodes oa and ob such that a oa and b ob ISPG, oa and ob must not alias
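The fixed-point computation from the two Algorithm slides and the load/store pruning from the slide above, as an added example (not code from the slides or the authors). It is a simplified, context-insensitive version without entry/exit edges or summaries; the graph, node names and function names are constructed, and it assumes a check is skipped when no pair of pointed-to nodes is in memAlias.

```python
from itertools import product

def mem_alias(nodes, field_edges):
    """Fixed-point memAlias over (src, field, dst) points-to edges."""
    succ = {}
    for src, fld, dst in field_edges:
        succ.setdefault(src, []).append((fld, dst))
    pairs = {(n, n) for n in nodes}          # every node aliases itself
    while True:
        new = set()
        for m, n in pairs:
            # The same field followed from two aliased nodes reaches aliased nodes.
            for (f1, d), (f2, e) in product(succ.get(m, ()), succ.get(n, ())):
                if f1 == f2:
                    new |= {(d, e), (e, d)}
        # Composition: (a, b) and (b, c) give (a, c).
        new |= {(a, c) for a, b in pairs for b2, c in pairs if b == b2}
        if new <= pairs:                     # nothing added: fixed point reached
            return pairs
        pairs |= new

def split_checks(stores, loads, pts, alias):
    """Partition same-field (store, load) pairs into kept and skipped alias checks."""
    kept, skipped = [], []
    for (sb, sf), (lb, lf) in product(stores, loads):
        if sf != lf:
            continue
        # Keep the expensive check only if some pointed-to pair is in memAlias.
        may = any((oa, ob) in alias for oa in pts[sb] for ob in pts[lb])
        (kept if may else skipped).append((sb, lb, sf))
    return kept, skipped

# Constructed graph (not from the slides): o* are allocation nodes, s* symbolic nodes.
# o5.g holds o1 (a store) and is also read through symbolic node s1 (a load).
NODES = {"o1", "o2", "o3", "o4", "o5", "s1", "s2"}
FIELD_EDGES = [("o1", "f", "o3"), ("o2", "f", "o4"),
               ("o5", "g", "o1"), ("o5", "g", "s1"), ("s1", "f", "s2")]
PTS = {"a": {"o1"}, "b": {"o2"}, "c": {"o1"}, "d": {"s1"}}
STORES = [("a", "f"), ("b", "f")]              # a.f = ...; b.f = ...
LOADS = [("c", "f"), ("b", "f"), ("d", "f")]   # ... = c.f; ... = b.f; ... = d.f

ALIAS = mem_alias(NODES, FIELD_EDGES)
KEPT, SKIPPED = split_checks(STORES, LOADS, PTS, ALIAS)

if __name__ == "__main__":
    print("alias checks kept:   ", KEPT)
    print("alias checks skipped:", SKIPPED)
```

Half of the six store/load pairs are skipped here; the pair (a, d) is kept only because o1 and s1 become memAlias through the shared g edge out of o5.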

  • Experiments
    - Benchmarks
        - SpecJVM: 7 programs
        - DaCapo: 4 programs
        - Others: 8 programs
        - Number of methods ranging from 2344 to 8789
    - Comparison between Sridharan-Bodik representation and ISPG without var nodes
        - 1.7 reduction in the number of nodes
        - 5.6 reduction in the number of edges

  • Running Time Reduction
    - Average: 3

  • Precision (casts proved safe)
    - Precision = % #safe casts/#total casts
    - CI: 3.2%, MA: 8.0%, 1-OBJ: 10.5%, SB: 23.5%

  • Conclusions
    - Refinement-based points-to analysis is precise but expensive
    - A context-sensitive must-not-alias analysis
        - Pre-computes aliasing information
        - memAlias-reachability formulation
        - Used to quickly eliminate non-aliasing pairs in the points-to analysis
    - Experimental results
        - Alias analysis has short running time
        - Significant time reduction for the points-to analysis
        - Points-to information derived from memAlias is almost as precise as 1-object-sensitive analysis

  • Thank you

  • Running Time
    - ISPG construction: 48 245s; on average 2.064 s/1000 Jimple statements
    - Must-not-alias analysis: 9 80s; on average 0.579 s/1000 Jimple statements
    - Modified points-to analysis: 185 2350s; on average 9.65 s/1000 Jimple statements
    - Total: 282 2854s; on average 12.294 s/1000 Jimple statements