research-article

A Context-Sensitive Pointer Analysis Framework for Rust and Its Application to Call Graph Construction

Authors:

Jingling XueAuthors Info & Claims

CC 2024: Proceedings of the 33rd ACM SIGPLAN International Conference on Compiler Construction

Pages 60 - 72

https://doi.org/10.1145/3640537.3641574

Published: 20 February 2024 Publication History

Abstract

Existing program analysis tools for Rust lack the ability to effectively detect security vulnerabilities due to the absence of an accurate call graph and precise points-to information. We present Rupta, the first context-sensitive pointer analysis framework designed for Rust, with a particular focus on its role in constructing call graphs. Operating on Rust MIR, Rupta employs callsite-based context-sensitivity and on-the-fly call graph construction to address a range of pointer analysis challenges, including method/function calls, pointer casts, and nested structs, while preserving type information.

Our assessment of Rupta against two state-of-the-art call graph construction techniques, Rurta (Rapid Type Analysis-based) and Ruscg (static dispatch-only), across 13 real-world Rust programs demonstrates its high efficiency and precision. In particular, our results reveal that Rupta surpasses Ruscg in soundness by discovering 29% more call graph edges and outperforms Rurta in precision by eliminating approximately 70% of spurious dynamic call edges. Consequently, Rupta has the potential to enhance existing security analysis tools, enabling them to identify a greater number of security vulnerabilities in Rust programs.

References

[1]

Lars Ole Andersen. 1994. Program analysis and specialization for the C programming language. Ph.D. Dissertation

[2]

Brian Anderson, Lars Bergstrom, Manish Goregaokar, Josh Matthews, Keegan McAllister, Jack Moffitt, and Simon Sapin. 2016. Engineering the Servo web browser engine using Rust. In Proceedings of the 38th International Conference on Software Engineering Companion (ICSE ’16). Association for Computing Machinery, New York, NY, USA. 81–89. isbn:9781450342056 https://doi.org/10.1145/2889160.2889229

Digital Library

[3]

Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. Proc. ACM Program. Lang., 3, OOPSLA (2019), Article 147, oct, 30 pages. https://doi.org/10.1145/3360573

Digital Library

[4]

Dzintars Avots, Michael Dalton, V. Benjamin Livshits, and Monica S. Lam. 2005. Improving software security with a C pointer analysis. In Proceedings of the 27th International Conference on Software Engineering (ICSE ’05). Association for Computing Machinery, New York, NY, USA. 332–341. isbn:1581139632 https://doi.org/10.1145/1062455.1062520

Digital Library

[5]

David F. Bacon and Peter F. Sweeney. 1996. Fast static analysis of C++ virtual function calls. In Proceedings of the 11th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA ’96). Association for Computing Machinery, New York, NY, USA. 324–341. isbn:089791788X https://doi.org/10.1145/236337.236371

Digital Library

[6]

Yechan Bae, Youngsuk Kim, Ammar Askar, Jungwon Lim, and Taesoo Kim. 2021. Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale. In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles (SOSP ’21). Association for Computing Machinery, New York, NY, USA. 84–99. isbn:9781450387095 https://doi.org/10.1145/3477132.3483570

Digital Library

[7]

George Balatsouras and Yannis Smaragdakis. 2016. Structure-sensitive points-to analysis for C and C++. In Static Analysis: 23rd International Symposium, SAS 2016, Edinburgh, UK, September 8-10, 2016, Proceedings 23. 84–104. https://doi.org/10.1007/978-3-662-53413-7_5

[8]

Marek Baranowski, Shaobo He, and Zvonimir Rakamarić. 2018. Verifying Rust Programs with SMACK. In Automated Technology for Verification and Analysis: 16th International Symposium, ATVA 2018, Los Angeles, CA, USA, October 7-10, 2018, Proceedings 16. 528–535. https://doi.org/10.1007/978-3-030-01090-4_32

[9]

Marc Berndl, Ondrej Lhoták, Feng Qian, Laurie Hendren, and Navindra Umanee. 2003. Points-to analysis using BDDs. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI ’03). Association for Computing Machinery, New York, NY, USA. 103–114. isbn:1581136625 https://doi.org/10.1145/781131.781144

Digital Library

[10]

Kevin Boos, Namitha Liyanage, Ramla Ijaz, and Lin Zhong. 2020. Theseus: an Experiment in Operating System Structure and State Management. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 1–19. isbn:978-1-939133-19-9 https://www.usenix.org/conference/osdi20/presentation/boos

[11]

Martin Bravenboer and Yannis Smaragdakis. 2009. Strictly declarative specification of sophisticated points-to analyses. In Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA ’09). Association for Computing Machinery, New York, NY, USA. 243–262. isbn:9781605587660 https://doi.org/10.1145/1640089.1640108

Digital Library

[12]

Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI’08). USENIX Association, USA. 209–224. https://dl.acm.org/doi/10.5555/1855741.1855756

Digital Library

[13]

Edmund Clarke, Daniel Kroening, and Flavio Lerda. 2004. A tool for checking ANSI-C programs. In Tools and Algorithms for the Construction and Analysis of Systems: 10th International Conference, TACAS 2004, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2004, Barcelona, Spain, March 29-April 2, 2004. Proceedings 10. 168–176. https://doi.org/10.1007/978-3-540-24730-2_15

[14]

Mohan Cui, Chengjun Chen, Hui Xu, and Yangfan Zhou. 2023. SafeDrop: Detecting Memory Deallocation Bugs of Rust Programs via Static Data-flow Analysis. ACM Trans. Softw. Eng. Methodol., 32, 4 (2023), Article 82, may, 21 pages. issn:1049-331X https://doi.org/10.1145/3542948

Digital Library

[15]

Karel Driesen and Urs Hölzle. 1996. The direct cost of virtual function calls in C++. In Proceedings of the 11th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA ’96). Association for Computing Machinery, New York, NY, USA. 306–323. isbn:089791788X https://doi.org/10.1145/236337.236369

Digital Library

[16]

Ana Nora Evans, Bradford Campbell, and Mary Lou Soffa. 2020. Is Rust used safely by software developers? In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering (ICSE ’20). Association for Computing Machinery, New York, NY, USA. 246–257. isbn:9781450371216 https://doi.org/10.1145/3377811.3380413

Digital Library

[17]

Rust for Linux. 2023. The Rust for Linux Project. https://rust-for-linux.com/

[18]

Dongjie He, Yujiang Gui, Wei Li, Yonggang Tao, Changwei Zou, Yulei Sui, and Jingling Xue. 2023. A Container-Usage-Pattern-Based Context Debloating Approach for Object-Sensitive Pointer Analysis. Proc. ACM Program. Lang., 7, OOPSLA2 (2023), 971–1000. https://doi.org/10.1145/3622832

Digital Library

[19]

Dongjie He, Jingbo Lu, Yaoqing Gao, and Jingling Xue. 2021. Accelerating Object-Sensitive Pointer Analysis by Exploiting Object Containment and Reachability. In 35th European Conference on Object-Oriented Programming (ECOOP 2021), Anders Møller and Manu Sridharan (Eds.) (Leibniz International Proceedings in Informatics (LIPIcs), Vol. 194). Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl, Germany. 16:1–16:31. isbn:978-3-95977-190-0 issn:1868-8969 https://doi.org/10.4230/LIPIcs.ECOOP.2021.16

[20]

Dongjie He, Jingbo Lu, and Jingling Xue. 2022. Context debloating for object-sensitive pointer analysis. In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE ’21). IEEE Press, 79–91. isbn:9781665403375 https://doi.org/10.1109/ASE51524.2021.9678880

Digital Library

[21]

Dongjie He, Jingbo Lu, and Jingling Xue. 2022. Qilin: A New Framework For Supporting Fine-Grained Context-Sensitivity in Java Pointer Analysis. In 36th European Conference on Object-Oriented Programming (ECOOP 2022), Karim Ali and Jan Vitek (Eds.) (Leibniz International Proceedings in Informatics (LIPIcs), Vol. 222). Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl, Germany. 30:1–30:29. isbn:978-3-95977-225-9 issn:1868-8969 https://doi.org/10.4230/LIPIcs.ECOOP.2022.30

[22]

Ondřej Lhoták and Laurie Hendren. 2003. Scaling Java points-to analysis using Spark. In Compiler Construction: 12th International Conference, CC 2003 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2003 Warsaw, Poland, April 7–11, 2003 Proceedings 12. 153–169. https://doi.org/10.1007/3-540-36579-6_12

[23]

Lian Li, Cristina Cifuentes, and Nathan Keynes. 2013. Precise and Scalable Context-Sensitive Pointer Analysis via Value Flow Graph. In Proceedings of the 2013 International Symposium on Memory Management (ISMM ’13). Association for Computing Machinery, New York, NY, USA. 85–96. isbn:9781450321006 https://doi.org/10.1145/2491894.2466483

Digital Library

[24]

Wei Li, Dongjie He, Yujiang Gui, Wenguang Chen, and Xue Jingling. 2024. Artifact associated to the paper "A Context-Sensitive Pointer Analysis Framework for Rust and Its Application to Call Graph Construction" published in CC’24. https://doi.org/10.5281/zenodo.10566216 artifact

[25]

Yue Li, Tian Tan, Anders Møller, and Yannis Smaragdakis. 2018. Precision-guided context sensitivity for pointer analysis. Proc. ACM Program. Lang., 2, OOPSLA (2018), Article 141, oct, 29 pages. https://doi.org/10.1145/3276511

Digital Library

[26]

Yue Li, Tian Tan, Anders Møller, and Yannis Smaragdakis. 2018. Scalability-first pointer analysis with self-tuning context-sensitivity. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2018). Association for Computing Machinery, New York, NY, USA. 129–140. isbn:9781450355735 https://doi.org/10.1145/3236024.3236041

Digital Library

[27]

Zhuohua Li, Jincheng Wang, Mingshen Sun, and John C.S. Lui. 2021. MirChecker: Detecting Bugs in Rust Programs via Static Analysis. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21). Association for Computing Machinery, New York, NY, USA. 2183–2196. isbn:9781450384544 https://doi.org/10.1145/3460120.3484541

Digital Library

[28]

Marcus Lindner, Jorge Aparicius, and Per Lindgren. 2018. No Panic! Verification of Rust Programs by Symbolic Execution. In 2018 IEEE 16th International Conference on Industrial Informatics (INDIN). 108–114. https://doi.org/10.1109/INDIN.2018.8471992

[29]

Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. 2015. In defense of soundiness: a manifesto. Commun. ACM, 58, 2 (2015), jan, 44–46. issn:0001-0782 https://doi.org/10.1145/2644805

Digital Library

[30]

Jingbo Lu, Dongjie He, and Jingling Xue. 2021. Selective Context-Sensitivity for k-CFA with CFL-Reachability. In Static Analysis: 28th International Symposium, SAS 2021, Chicago, IL, USA, October 17–19, 2021, Proceedings. Springer-Verlag, Berlin, Heidelberg. 261–285. isbn:978-3-030-88805-3 https://doi.org/10.1007/978-3-030-88806-0_13

Digital Library

[31]

Jingbo Lu and Jingling Xue. 2019. Precision-preserving yet fast object-sensitive pointer analysis with partial context sensitivity. Proc. ACM Program. Lang., 3, OOPSLA (2019), Article 148, oct, 29 pages. https://doi.org/10.1145/3360574

Digital Library

[32]

Ana Milanova, Atanas Rountev, and Barbara G. Ryder. 2002. Parameterized object sensitivity for points-to and side-effect analyses for Java. In Proceedings of the 2002 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA ’02). Association for Computing Machinery, New York, NY, USA. 1–11. isbn:1581135629 https://doi.org/10.1145/566172.566174

Digital Library

[33]

Peter Müller, Malte Schwerhoff, and Alexander J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In Proceedings of the 17th International Conference on Verification, Model Checking, and Abstract Interpretation - Volume 9583 (VMCAI 2016). Springer-Verlag, Berlin, Heidelberg. 41–62. isbn:9783662491218 https://doi.org/10.1007/978-3-662-49122-5_2

Digital Library

[34]

Vikram Narayanan, Tianjiao Huang, David Detweiler, Dan Appel, Zhaofeng Li, Gerd Zellweger, and Anton Burtsev. 2020. RedLeaf: Isolation and Communication in a Safe Operating System. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 21–39. isbn:978-1-939133-19-9 https://www.usenix.org/conference/osdi20/presentation/narayanan-vikram

[35]

Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. 2014. Selective context-sensitivity guided by impact pre-analysis. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’14). Association for Computing Machinery, New York, NY, USA. 475–484. isbn:9781450327848 https://doi.org/10.1145/2594291.2594318

Digital Library

[36]

David J. Pearce, Paul H.J. Kelly, and Chris Hankin. 2007. Efficient field-sensitive pointer analysis of C. ACM Trans. Program. Lang. Syst., 30, 1 (2007), nov, 4–es. issn:0164-0925 https://doi.org/10.1145/1290520.1290524

Digital Library

[37]

Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding memory and thread safety practices and issues in real-world Rust programs. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2020). Association for Computing Machinery, New York, NY, USA. 763–779. isbn:9781450376136 https://doi.org/10.1145/3385412.3386036

Digital Library

[38]

Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Gang Fan, and Charles Zhang. 2018. Pinpoint: Fast and Precise Sparse Value Flow Analysis for Million Lines of Code. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2018). Association for Computing Machinery, New York, NY, USA. 693–706. isbn:9781450356985 https://doi.org/10.1145/3192366.3192418

Digital Library

[39]

Yannis Smaragdakis, Martin Bravenboer, and Ondrej Lhoták. 2011. Pick your contexts well: understanding object-sensitivity. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’11). Association for Computing Machinery, New York, NY, USA. 17–30. isbn:9781450304900 https://doi.org/10.1145/1926385.1926390

Digital Library

[40]

Jeff Vander Stoep and Stephen Hines. 2021. Rust in the Android platform. https://security.googleblog.com/2021/04/rust-in-android-platform.html

[41]

Yulei Sui and Jingling Xue. 2016. SVF: interprocedural static value-flow analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction (CC 2016). Association for Computing Machinery, New York, NY, USA. 265–266. isbn:9781450342414 https://doi.org/10.1145/2892208.2892235

Digital Library

[42]

Yulei Sui, Ding Ye, and Jingling Xue. 2012. Static memory leak detection using full-sparse value-flow analysis. In International Symposium on Software Testing and Analysis, ISSTA 2012, Minneapolis, MN, USA, July 15-20, 2012, Mats Per Erik Heimdahl and Zhendong Su (Eds.). ACM, 254–264. https://doi.org/10.1145/2338965.2336784

Digital Library

[43]

John Toman, Stuart Pernsteiner, and Emina Torlak. 2015. CRUST: a bounded verifier for Rust. In Proceedings of the 30th IEEE/ACM International Conference on Automated Software Engineering (ASE ’15). IEEE Press, 75–80. isbn:9781509000241 https://doi.org/10.1109/ASE.2015.77

Digital Library

[44]

Alexa VanHattum, Daniel Schwartz-Narbonne, Nathan Chong, and Adrian Sampson. 2022. Verifying dynamic trait objects in Rust. In Proceedings of the 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP ’22). Association for Computing Machinery, New York, NY, USA. 321–330. isbn:9781450392266 https://doi.org/10.1145/3510457.3513031

Digital Library

[45]

WALA. 2023. WALA: T.J. Watson Libraries for Analysis. http://wala.sourceforge.net/

[46]

Fabian Wolff, Aurel Bílý, Christoph Matheja, Peter Müller, and Alexander J. Summers. 2021. Modular specification and verification of closures in Rust. Proc. ACM Program. Lang., 5, OOPSLA (2021), Article 145, oct, 29 pages. https://doi.org/10.1145/3485522

Digital Library

[47]

Hui Xu, Zhuangbin Chen, Mingshen Sun, Yangfan Zhou, and Michael R. Lyu. 2021. Memory-Safety Challenge Considered Solved? An In-Depth Study with All Rust CVEs. ACM Trans. Softw. Eng. Methodol., 31, 1 (2021), Article 3, sep, 25 pages. issn:1049-331X https://doi.org/10.1145/3466642

Digital Library

[48]

Ziyi Zhang, Boqin Qin, Yilun Chen, Linhai Song, and Yiying Zhang. 2020. VRLifeTime – An IDE Tool to Avoid Concurrency and Memory Bugs in Rust. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS ’20). Association for Computing Machinery, New York, NY, USA. 2085–2087. isbn:9781450370899 https://doi.org/10.1145/3372297.3420024

Digital Library

Cited By

Cui MXu HTian HZhou Y(2024)rCanary: Detecting Memory Leaks Across Semi-Automated Memory Management Boundary in RustIEEE Transactions on Software Engineering10.1109/TSE.2024.344362450:9(2472-2484)Online publication date: 13-Aug-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3443624
Qin BChen YLiu HZhang HWen QSong LZhang Y(2024)Understanding and Detecting Real-World Safety Issues in RustIEEE Transactions on Software Engineering10.1109/TSE.2024.338039350:6(1306-1324)Online publication date: 25-Mar-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3380393

Index Terms

A Context-Sensitive Pointer Analysis Framework for Rust and Its Application to Call Graph Construction
1. Software and its engineering
  1. Software organization and properties
    1. Software functional properties
      1. Formal methods
        Automated static analysis
2. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning
      1. Program analysis

Recommendations

Semi-sparse flow-sensitive pointer analysis
POPL '09

Pointer analysis is a prerequisite for many program analyses, and the effectiveness of these analyses depends on the precision of the pointer information they receive. Two major axes of pointer analysis precision are flow-sensitivity and context-...
Semi-sparse flow-sensitive pointer analysis
POPL '09: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Pointer analysis is a prerequisite for many program analyses, and the effectiveness of these analyses depends on the precision of the pointer information they receive. Two major axes of pointer analysis precision are flow-sensitivity and context-...
Symbolic pointer analysis revisited
PLDI '04

Pointer analysis is a critical problem in optimizing compiler, parallelizing compiler, software engineering and most recently, hardware synthesis. While recent efforts have suggested symbolic method, which uses Bryant's Binary Decision Diagram as an ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CC 2024: Proceedings of the 33rd ACM SIGPLAN International Conference on Compiler Construction

February 2024

261 pages

ISBN:9798400705076

DOI:10.1145/3640537

General Chair:
Gabriel Rodríguez
Universidade da Coruña, Spain
,
Program Chairs:
P. Sadayappan
University of Utah, USA
,
Aravind Sukumaran-Rajam
Meta, USA

Copyright © 2024 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGPLAN: ACM Special Interest Group on Programming Languages

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 February 2024

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Funding Sources

Australian Research Council

Conference

CC '24

Sponsor:

SIGPLAN

CC '24: 33rd ACM SIGPLAN International Conference on Compiler Construction

March 2 - 3, 2024

Edinburgh, United Kingdom

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
546
Total Downloads

Downloads (Last 12 months)546
Downloads (Last 6 weeks)64

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Cui MXu HTian HZhou Y(2024)rCanary: Detecting Memory Leaks Across Semi-Automated Memory Management Boundary in RustIEEE Transactions on Software Engineering10.1109/TSE.2024.344362450:9(2472-2484)Online publication date: 13-Aug-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3443624
Qin BChen YLiu HZhang HWen QSong LZhang Y(2024)Understanding and Detecting Real-World Safety Issues in RustIEEE Transactions on Software Engineering10.1109/TSE.2024.338039350:6(1306-1324)Online publication date: 25-Mar-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3380393

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents