
Reachability analysis of program variables

Published: 03 January 2014

Abstract

Reachability from a program variable v to a program variable w states that from v, it is possible to follow a path of memory locations that leads to the object bound to w. We present a new abstract domain for the static analysis of possible reachability between program variables or, equivalently, definite unreachability between them. This information is important for improving the precision of other static analyses, such as side-effects, field initialization, cyclicity and path-length analysis, as well as more complex analyses built upon them, such as nullness and termination analysis. We define and prove correct our reachability analysis for Java bytecode, defined as a constraint-based analysis, where the constraint is a graph whose nodes are the program points and whose arcs propagate reachability information in accordance with the abstract semantics of each bytecode instruction. For each program point p, our reachability analysis produces an overapproximation of the ordered pairs of variables 〈v, w〉 such that v might reach w at p. Seen the other way around, if a pair 〈v, w〉 is not present in the overapproximation at p, then v definitely does not reach w at p. We have implemented the analysis inside the Julia static analyzer. Our experiments on nontrivial Java and Android programs show the improvement in precision due to the presence of reachability information. Moreover, reachability analysis actually reduces the overall cost of nullness and termination analysis.
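
The definition of reachability and the reading of the overapproximation given in the abstract can be made concrete on a single program state; the following is an added illustration, not code from the paper or from the Julia analyzer. The heap, the variable names and the helper functions are constructed for this example, and it assumes that a path consists of at least one field dereference, so a variable reaches itself only through a cycle.

```python
from collections import deque

# Constructed heap: location -> {field name: target location, or None for null}.
HEAP = {
    "l1": {"next": "l2"},
    "l2": {"next": "l3"},
    "l3": {"next": None},
    "l4": {"data": "l3"},
}
# Constructed environment at one program point: variable -> location (None = null).
ENV = {"head": "l1", "mid": "l2", "tail": "l3", "box": "l4", "n": None}


def reachable_locations(heap, start):
    """Locations reached from `start` by following one or more fields."""
    seen, queue = set(), deque([start])
    while queue:
        for target in heap[queue.popleft()].values():
            if target is not None and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen  # contains `start` only if the structure is cyclic


def reach_pairs(heap, env):
    """Exact set of ordered pairs (v, w) such that v reaches w in this state."""
    pairs = set()
    for v, loc_v in env.items():
        if loc_v is None:
            continue  # a null variable reaches nothing
        reached = reachable_locations(heap, loc_v)
        pairs |= {(v, w) for w, loc_w in env.items() if loc_w in reached}
    return pairs


def is_sound(over, heap, env):
    """An analysis result is sound if it contains every pair that really holds."""
    return reach_pairs(heap, env) <= over


def definitely_unreachable(over, v, w):
    """Absence of (v, w) from a sound overapproximation proves v cannot reach w."""
    return (v, w) not in over


# Constructed analysis result: the four real pairs plus one spurious pair.
OVER = reach_pairs(HEAP, ENV) | {("box", "mid")}
```

The spurious pair ("box", "mid") costs precision only, whereas dropping a real pair such as ("head", "tail") would make the result unsound.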


Published In

ACM Transactions on Programming Languages and Systems  Volume 35, Issue 4
December 2013
169 pages
ISSN:0164-0925
EISSN:1558-4593
DOI:10.1145/2560142
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 January 2014
Accepted: 01 August 2013
Revised: 01 January 2013
Received: 01 May 2012
Published in TOPLAS Volume 35, Issue 4

Author Tags

  1. Java bytecode
  2. Static analysis
  3. abstract interpretation
  4. constraint-based analysis
  5. pointer analysis
  6. reachability analysis

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (Last 12 months): 61
  • Downloads (Last 6 weeks): 13
Reflects downloads up to 12 Sep 2024

Cited By

  • (2021) DFlow: A Data Flow Analysis Tool for C/C++. IEEJ Transactions on Electrical and Electronic Engineering 16:12 (1635-1641). DOI: 10.1002/tee.23467. Online publication date: 3-Aug-2021
  • (2019) Static Identification of Injection Attacks in Java. ACM Transactions on Programming Languages and Systems 41:3 (1-58). DOI: 10.1145/3332371. Online publication date: 2-Jul-2019
  • (2018) Field-sensitive sharing. Journal of Logical and Algebraic Methods in Programming 95 (103-127). DOI: 10.1016/j.jlamp.2017.10.005. Online publication date: Feb-2018
  • (2018) Checking Array Bounds by Abstract Interpretation and Symbolic Expressions. Automated Reasoning (706-722). DOI: 10.1007/978-3-319-94205-6_46. Online publication date: 30-Jun-2018
  • (2016) The Julia Static Analyzer for Java. Static Analysis (39-57). DOI: 10.1007/978-3-662-53413-7_3. Online publication date: 31-Aug-2016
  • (2015) Android Malware Static Analysis Techniques. Proceedings of the 10th Annual Cyber and Information Security Research Conference (1-8). DOI: 10.1145/2746266.2746271. Online publication date: 7-Apr-2015
  • (2015) Inferring Loop Invariants by Mutation, Dynamic Analysis, and Static Checking. IEEE Transactions on Software Engineering 41:10 (1019-1037). DOI: 10.1109/TSE.2015.2431688. Online publication date: 1-Oct-2015
  • (2015) Boolean Formulas for the Static Identification of Injection Attacks in Java. Proceedings of the 20th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning - Volume 9450 (130-145). DOI: 10.1007/978-3-662-48899-7_10. Online publication date: 24-Nov-2015
  • (2014) Inference of Field-Sensitive Reachability and Cyclicity. ACM Transactions on Computational Logic 15:4 (1-41). DOI: 10.1145/2629478. Online publication date: 12-Sep-2014
