research-article

Boosting the performance of flow-sensitive points-to analysis using value flow

Authors:

Cristina Cifuentes,

Nathan KeynesAuthors Info & Claims

ESEC/FSE '11: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering

Pages 343 - 353

https://doi.org/10.1145/2025113.2025160

Published: 09 September 2011 Publication History

Abstract

Points-to analysis is a fundamental static analysis technique which computes the set of memory objects that a pointer may point to. Many different applications, such as security-related program analyses, bug checking, and analyses of multi-threaded programs, require precise points-to information to be effective. Recent work has focused on improving the precision of points-to analysis through flow-sensitivity and great progress has been made. However, even with all recent progress, flow-sensitive points-to analysis can still be much slower than a flow-insensitive analysis.

In this paper, we propose a novel method that simplifies flow-sensitive points-to analysis to a general graph reachability problem in a value flow graph. The value flow graph summarizes dependencies between pointer variables, including those memory dependencies via pointer dereferences. The points-to set for each pointer variable can then be computed as the set of memory objects that can reach it in the graph. We develop an algorithm to build the value flow graph efficiently by examining the pointed-to-by set of a memory object, i.e., the set of pointers that point to an object. The pointed-to-by information of memory objects is very useful for applications such as escape analysis, and information flow analysis.

Our approach is intuitive, easy to implement and very efficient. The implementation is around 2000 lines of code and it is more efficient than existing flow-sensitive points-to analyses. The runtime is comparable with the state-of-the-art flow-insensitive points-to analysis.

References

[1]

M. Berndl, O. Lhoták, F. Qian, L. Hendren, and N. Umanee. Points-to analysis using bdds. In Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, PLDI '03, pages 103--114, New York, NY, USA, 2003. ACM.

Digital Library

[2]

R. Bodik. Path-sensitive, value-flow optimizations of programs. PhD thesis, Pittsburgh, PA, USA, 1999.

Digital Library

[3]

R. Bodik and S. Anik. Path-sensitive value-flow analysis. In Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '98, pages 237--251, New York, NY, USA, 1998. ACM.

Digital Library

[4]

D. R. Chase, M. Wegman, and F. K. Zadeck. Analysis of pointers and structures. In Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation, PLDI '90, pages 296--310, New York, NY, USA, 1990. ACM.

Digital Library

[5]

R. Chatterjee, B. G. Ryder, and W. A. Landi. Relevant context inference. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '99, pages 133--146, New York, NY, USA, 1999. ACM.

Digital Library

[6]

S. Cherem, L. Princehouse, and R. Rugina. Practical memory leak detection using guarded value-flow analysis. In Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, PLDI '07, pages 480--491, New York, NY, USA, 2007. ACM.

Digital Library

[7]

J.-D. Choi, R. Cytron, and J. Ferrante. Automatic construction of sparse data flow evaluation graphs. In Proceedings of the 18th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '91, pages 55--66, New York, NY, USA, 1991. ACM.

Digital Library

[8]

F. C. Chow, S. Chan, S.-M. Liu, R. Lo, and M. Streich. Effective representation of aliases and indirect memory operations in ssa form. In Proceedings of the 6th International Conference on Compiler Construction, pages 253--267, London, UK, 1996. Springer-Verlag.

Digital Library

[9]

R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems, 13(4):451--490, October 1991.

Digital Library

[10]

N. Dor, S. Adams, M. Das, and Z. Yang. Software validation via scalable path-sensitive value flow analysis. In Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis, ISSTA '04, pages 12--22, New York, NY, USA, 2004. ACM.

Digital Library

[11]

M. Fähndrich, J. S. Foster, Z. Su, and A. Aiken. Partial online cycle elimination in inclusion constraint graphs. In Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation, PLDI '98, pages 85--96, New York, NY, USA, 1998. ACM.

Digital Library

[12]

S. J. Fink, E. Yahav, N. Dor, G. Ramalingam, and E. Geay. Effective typestate verification in the presence of aliasing. ACM Trans. Softw. Eng. Methodol., 17:9:1--9:34, May 2008.

Digital Library

[13]

D. Goyal. Transformational derivation of an improved alias analysis algorithm. Higher Order Symbol. Comput., 18:15--49, June 2005.

Digital Library

[14]

B. Hackett and A. Aiken. How is aliasing used in systems software? In Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, SIGSOFT '06/FSE-14, pages 69--80, New York, NY, USA, 2006. ACM.

Digital Library

[15]

B. Hardekopf and C. Lin. The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code. In Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, PLDI '07, pages 290--299, New York, NY, USA, 2007. ACM.

Digital Library

[16]

B. Hardekopf and C. Lin. Exploiting pointer and location equivalence to optimize pointer analysis. In In International Static Analysis Symposium (SAS), pages 265--280, 2007.

Digital Library

[17]

B. Hardekopf and C. Lin. Semi-sparse flow-sensitive pointer analysis. In Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '09, pages 226--238, New York, NY, USA, 2009. ACM.

Digital Library

[18]

B. C. Hardekopf. Pointer analysis: building a foundation for effective program analysis. PhD thesis, Austin, TX, USA, 2009.

Digital Library

[19]

R. Hasti and S. Horwitz. Using static single assignment form to improve flow-insensitive pointer analysis. In Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation, PLDI '98, pages 97--105, New York, NY, USA, 1998. ACM.

Digital Library

[20]

M. Hind, M. Burke, P. Carini, and J.-D. Choi. Interprocedural pointer alias analysis. ACM Trans. Program. Lang. Syst., 21:848--894, July 1999.

Digital Library

[21]

M. Hind and A. Pioli. Assessing the effects of flow-sensitivity on pointer alias analyses. In Proceedings of the 5th International Symposium on Static Analysis, SAS '98, pages 57--81, London, UK, 1998. Springer-Verlag.

Digital Library

[22]

V. Kahlon. Bootstrapping: a technique for scalable flow and context-sensitive pointer alias analysis. In Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation, PLDI '08, pages 249--259, New York, NY, USA, 2008. ACM.

Digital Library

[23]

C. Lattner, A. Lenharth, and V. Adve. Making context-sensitive points-to analysis with heap cloning practical for the real world. In Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, PLDI '07, pages 278--289, New York, NY, USA, 2007. ACM.

Digital Library

[24]

O. Lhoták and K.-C. A. Chung. Points-to analysis with efficient strong updates. In Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '11, pages 3--16, New York, NY, USA, 2011. ACM.

Digital Library

[25]

L. Li, C. Cifuentes, and N. Keynes. Practical and effective symbolic analysis for buffer overflow detection. In Proceedings of the eighteenth ACM SIGSOFT international symposium on Foundations of software engineering, FSE '10, pages 317--326, New York, NY, USA, 2010. ACM.

Digital Library

[26]

LLVM. Low Level Virtual Machine. http://www.llvm.org, detail on website.

[27]

E. M. Nystrom, H.-S. Kim, and W. mei W. Hwu. Bottom-up and top-down context-sensitive summary-based pointer analysis. In SAS'04, pages 165--180, 2004.

[28]

J. H. Reif and H. R. Lewis. Symbolic evaluation and the global value graph. In Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, POPL '77, pages 104--118, New York, NY, USA, 1977. ACM.

Digital Library

[29]

A. Salcianu and M. Rinard. Pointer and escape analysis for multithreaded programs. In Proceedings of the eighth ACM SIGPLAN symposium on Principles and practices of parallel programming, PPoPP '01, pages 12--23, New York, NY, USA, 2001. ACM.

Digital Library

[30]

M. Sridharan and R. Bodík. Refinement-based context-sensitive points-to analysis for java. In Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, PLDI '06, pages 387--400, New York, NY, USA, 2006. ACM.

Digital Library

[31]

S. Staiger-Stöhr. Implementing sparse flow-sensitive andersen analysis. Technical report, Universität Stuttgart, 2009.

[32]

B. Steensgaard. Points-to analysis in almost linear time. In Proceedings of the 23rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '96, pages 32--41, New York, NY, USA, 1996. ACM.

Digital Library

[33]

T. B. Tok, S. Z. Guyer, and C. Lin. Efficient flow-sensitive interprocedural data-flow analysis in the presence of pointers. In 15th International Conference on Compiler Construction, pages 17--31. Springer, 2006.

Digital Library

[34]

J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, PLDI '04, pages 131--144, New York, NY, USA, 2004. ACM.

Digital Library

[35]

D. A. Wheeler. SLOC Count User Guide. http://www.dwheeler.com/sloccount/. Last accessed: 16 March 2009.

[36]

H. Yu, J. Xue, W. Huo, X. Feng, and Z. Zhang. Level by level: making flow- and context-sensitive pointer analysis scalable for millions of lines of code. In Proceedings of the 8th annual IEEE/ACM international symposium on Code generation and optimization, CGO '10, pages 218--229, New York, NY, USA, 2010. ACM.

Digital Library

[37]

B. Zheng and P. chung Yew. A hierarchical approach to context-sensitive interprocedural alias analysis, 1999.

[38]

J. Zhu. Towards scalable flow and context sensitive pointer analysis. In Proceedings of the 42nd annual Design Automation Conference, DAC '05, pages 831--836, New York, NY, USA, 2005. ACM.

Digital Library

[39]

J. Zhu and S. Calman. Symbolic pointer analysis revisited. In Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, PLDI '04, pages 145--157, New York, NY, USA, 2004. ACM.

Digital Library

Cited By

Kozak DStancu CVojnar TWimmer CDoerfert JGrosser TLeather HSadayappan P(2025)SkipFlow: Improving the Precision of Points-to Analysis using Primitive Values and Predicate EdgesProceedings of the 23rd ACM/IEEE International Symposium on Code Generation and Optimization10.1145/3696443.3708932(347-361)Online publication date: 1-Mar-2025
https://dl.acm.org/doi/10.1145/3696443.3708932
Cai YJin YZhang CBalzarotti DXu W(2024)Unleashing the power of type-based call graph construction by using regional pointer informationProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698978(1383-1400)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698978
Ding BLi QZhang YTang FChen J(2024)MEA2: A Lightweight Field-Sensitive Escape Analysis with Points-to Calculation for GolangProceedings of the ACM on Programming Languages10.1145/36897598:OOPSLA2(1362-1389)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689759
Show More Cited By

Index Terms

Boosting the performance of flow-sensitive points-to analysis using value flow
1. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning
      1. Program analysis
    2. Program semantics

Recommendations

Precise and scalable context-sensitive pointer analysis via value flow graph
ISMM '13

In this paper, we propose a novel method for context-sensitive pointer analysis using the value flow graph (VFG) formulation. We achieve context-sensitivity by simultaneously applying function cloning and computing context-free language reachability (...
Comprehensive path-sensitive data-flow analysis
CGO '08: Proceedings of the 6th annual IEEE/ACM international symposium on Code generation and optimization

Data-flow analysis is an integral part of any aggressive optimizing compiler. We propose a framework for improving the precision of data-flow analysis in the presence of complex control-flow. We initially perform data-flow analysis to determine those ...
Semi-sparse flow-sensitive pointer analysis
POPL '09

Pointer analysis is a prerequisite for many program analyses, and the effectiveness of these analyses depends on the precision of the pointer information they receive. Two major axes of pointer analysis precision are flow-sensitivity and context-...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE '11: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering

September 2011

548 pages

ISBN:9781450304436

DOI:10.1145/2025113

General Chair:
Tibor Gyimóthy
University of Szeged, Hungary
,
Program Chair:
Andreas Zeller
Saarland University, Germany

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 September 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE'11

Sponsor:

SIGSOFT

ESEC/FSE'11: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

September 5 - 9, 2011

Szeged, Hungary

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

96
Total Citations
View Citations
686
Total Downloads

Downloads (Last 12 months)60
Downloads (Last 6 weeks)4

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Kozak DStancu CVojnar TWimmer CDoerfert JGrosser TLeather HSadayappan P(2025)SkipFlow: Improving the Precision of Points-to Analysis using Primitive Values and Predicate EdgesProceedings of the 23rd ACM/IEEE International Symposium on Code Generation and Optimization10.1145/3696443.3708932(347-361)Online publication date: 1-Mar-2025
https://dl.acm.org/doi/10.1145/3696443.3708932
Cai YJin YZhang CBalzarotti DXu W(2024)Unleashing the power of type-based call graph construction by using regional pointer informationProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698978(1383-1400)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698978
Ding BLi QZhang YTang FChen J(2024)MEA2: A Lightweight Field-Sensitive Escape Analysis with Points-to Calculation for GolangProceedings of the ACM on Programming Languages10.1145/36897598:OOPSLA2(1362-1389)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689759
An XJia XDu HXie Y(2024)Structure-Sensitive Pointer Analysis for Multi-structure ObjectsProceedings of the 15th Asia-Pacific Symposium on Internetware10.1145/3671016.3671396(155-164)Online publication date: 24-Jul-2024
https://dl.acm.org/doi/10.1145/3671016.3671396
Wimmer CStancu CKozak DWürthinger T(2024)Scaling Type-Based Points-to Analysis with SaturationProceedings of the ACM on Programming Languages10.1145/36564178:PLDI(990-1013)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656417
Yao PZhou JXiao XShi QWu RZhang C(2024)Falcon: A Fused Approach to Path-Sensitive Sparse Data Dependence AnalysisProceedings of the ACM on Programming Languages10.1145/36564008:PLDI(567-592)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656400
Guo YYao PZhang CChristakis MPradel M(2024)Precise Compositional Buffer Overflow Detection via Heap DisjointnessProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3652110(63-75)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3652110
Tang WDong DLi SWang CYao PZhou JZhang C(2024) Octopus: Scaling Value-Flow Analysis via Parallel Collection of Realizable Path ConditionsACM Transactions on Software Engineering and Methodology10.1145/363274333:3(1-33)Online publication date: 24-Jan-2024
https://dl.acm.org/doi/10.1145/3632743
Shi CLi HSui YLu JLi LXue J(2024)Pearl: A Multi-Derivation Approach to Efficient CFL-Reachability SolvingIEEE Transactions on Software Engineering10.1109/TSE.2024.343768450:9(2379-2397)Online publication date: 5-Aug-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3437684
Li HTan TLi YLu JMeng HCao LHuang YLi LGao LDi PLin LCui C(2024)Generic Sensitivity: Generics-Guided Context Sensitivity for Pointer AnalysisIEEE Transactions on Software Engineering10.1109/TSE.2024.337764550:5(1144-1162)Online publication date: 12-Apr-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3377645
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten