Flow-Sensitive Type-Based Heap Cloning

Authors Mohamad Barbar, Yulei Sui, Shiping Chen



PDF
Thumbnail PDF

File

LIPIcs.ECOOP.2020.24.pdf
  • Filesize: 1.32 MB
  • 26 pages

Document Identifiers

Author Details

Mohamad Barbar
  • University of Technology Sydney, Australia
  • CSIRO’s Data61, Sydney, Australia
Yulei Sui
  • University of Technology Sydney, Australia
Shiping Chen
  • CSIRO’s Data61, Sydney, Australia

Acknowledgements

We would like to thank the anonymous reviewers for their helpful comments.

Cite AsGet BibTex

Mohamad Barbar, Yulei Sui, and Shiping Chen. Flow-Sensitive Type-Based Heap Cloning. In 34th European Conference on Object-Oriented Programming (ECOOP 2020). Leibniz International Proceedings in Informatics (LIPIcs), Volume 166, pp. 24:1-24:26, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)
https://doi.org/10.4230/LIPIcs.ECOOP.2020.24

Abstract

By respecting program control-flow, flow-sensitive pointer analysis promises more precise results than its flow-insensitive counterpart. However, existing heap abstractions for C and C++ flow-sensitive pointer analyses model the heap by creating a single abstract heap object for each memory allocation. Two runtime heap objects which originate from the same allocation site are imprecisely modelled using one abstract object, which makes them share the same imprecise points-to sets and thus reduces the benefit of analysing heap objects flow-sensitively. On the other hand, equipping flow-sensitive analysis with context-sensitivity, whereby an abstract heap object would be created (cloned) per calling context, can yield a more precise heap model, but at the cost of uncontrollable analysis overhead when analysing larger programs. This paper presents TypeClone, a new type-based heap model for flow-sensitive analysis. Our key insight is to differentiate concrete heap objects lazily using type information at use sites within the program control-flow (e.g., when accessed via pointer dereferencing) for programs which conform to the strict aliasing rules set out by the C and C++ standards. The novelty of TypeClone lies in its lazy heap cloning: an untyped abstract heap object created at an allocation site is killed and replaced with a new object (i.e. a clone), uniquely identified by the type information at its use site, for flow-sensitive points-to propagation. Thus, heap cloning can be performed within a flow-sensitive analysis without the need for context-sensitivity. Moreover, TypeClone supports new kinds of strong updates for flow-sensitive analysis where heap objects are filtered out from imprecise points-to relations at object use sites according to the strict aliasing rules. Our method is neither strictly superior nor inferior to context-sensitive heap cloning, but rather, represents a new dimension that achieves a sweet spot between precision and efficiency. We evaluate our analysis by comparing TypeClone with state-of-the-art sparse flow-sensitive points-to analysis using the 12 largest programs in GNU Coreutils. Our experimental results also confirm that TypeClone is more precise than flow-sensitive pointer analysis and is able to, on average, answer over 15% more alias queries with a no-alias result.

Subject Classification

ACM Subject Classification
  • Software and its engineering → Automated static analysis
Keywords
  • Heap cloning
  • type-based analysis
  • flow-sensitivity

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. ISO/IEC 14882:2017. Programming languages - C++. Standard, International Organization for Standardization, 2017. Google Scholar
  2. ISO/IEC 9899:2018. Information technology - programming languages - C. Standard, International Organization for Standardization, 2018. Google Scholar
  3. Mithun Acharya and Brian Robinson. Practical change impact analysis based on static program slicing for industrial software systems. In 2011 33rd International Conference on Software Engineering (ICSE), pages 746-755. IEEE, 2011. URL: https://doi.org/10.1145/1985793.1985898.
  4. Lars Ole Andersen. Program analysis and specialization for the C programming language. PhD thesis, University of Cophenhagen, 1994. Google Scholar
  5. Dzintars Avots, Michael Dalton, V Benjamin Livshits, and Monica S Lam. Improving software security with a C pointer analysis. In Proceedings of the 27th International Conference on Software Engineering (ICSE), pages 332-341. ACM, 2005. URL: https://doi.org/10.1145/1062455.1062520.
  6. George Balatsouras. Recovering Structural Information for Better Static Analysis. PhD thesis, National and Kapodistrian University of Athens, 2017. Google Scholar
  7. George Balatsouras and Yannis Smaragdakis. Structure-sensitive points-to analysis for C and C++. In International Static Analysis Symposium (SAS), pages 84-104. Springer, 2016. URL: https://doi.org/10.1007/978-3-662-53413-7_5.
  8. Jong-Deok Choi, Michael Burke, and Paul Carini. Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects. In Proceedings of the 20th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL), pages 232-245. ACM, 1993. URL: https://doi.org/10.1145/158511.158639.
  9. Jong-Deok Choi, Ron Cytron, and Jeanne Ferrante. Automatic construction of sparse data flow evaluation graphs. In Proceedings of the 18th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 55-66. ACM, 1991. URL: https://doi.org/10.1145/99583.99594.
  10. Jong-Deok Choi, Ron Cytron, and Jeanne Ferrante. On the efficient engineering of ambitious program analysis. IEEE Transactions on Software Engineering, 20(2):105-114, 1994. URL: https://doi.org/10.1109/32.265631.
  11. Fred Chow, Sun Chan, Shin-Ming Liu, Raymond Lo, and Mark Streich. Effective representation of aliases and indirect memory operations in SSA form. In International Conference on Compiler Construction (CC), pages 253-267. Springer, 1996. URL: https://doi.org/10.1007/3-540-61053-7_66.
  12. Arnab De and Deepak D’Souza. Scalable flow-sensitive pointer analysis for Java with strong updates. In European Conference on Object-Oriented Programming (ECOOP), pages 665-687. Springer, 2012. URL: https://doi.org/10.1007/978-3-642-31057-7_29.
  13. Amer Diwan, Kathryn S McKinley, and J Eliot B Moss. Type-based alias analysis. In Proceedings of the ACM SIGPLAN 1998 Conference on Programming Language Design and Implementation (PLDI), page 106–117. ACM, 1998. URL: https://doi.org/10.1145/277650.277670.
  14. Gregory J Duck and Roland HC Yap. EffectiveSan: type and memory error detection using dynamically typed C/C++. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 181-195. ACM, 2018. URL: https://doi.org/10.1145/3192366.3192388.
  15. Maryam Emami, Rakesh Ghiya, and Laurie J Hendren. Context-sensitive interprocedural points-to analysis in the presence of function pointers. ACM SIGPLAN Notices, 29(6):242-256, 1994. URL: https://doi.org/10.1145/773473.178264.
  16. Xiaokang Fan, Yulei Sui, Xiangke Liao, and Jingling Xue. Boosting the precision of virtual call integrity protection with partial pointer analysis for C++. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), pages 329-340. ACM, 2017. URL: https://doi.org/10.1145/3092703.3092729.
  17. Stephen J Fink, Eran Yahav, Nurit Dor, G Ramalingam, and Emmanuel Geay. Effective typestate verification in the presence of aliasing. ACM Transactions on Software Engineering and Methodology (TOSEM), 17(2):1-34, 2008. URL: https://doi.org/10.1145/1348250.1348255.
  18. Coreutils - GNU core utilities. URL: https://www.gnu.org/software/coreutils/.
  19. Ben Hardekopf and Calvin Lin. Semi-sparse flow-sensitive pointer analysis. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), page 226–238. ACM, 2009. URL: https://doi.org/10.1145/1594834.1480911.
  20. Ben Hardekopf and Calvin Lin. Flow-sensitive pointer analysis for millions of lines of code. In International Symposium on Code Generation and Optimization (CGO), pages 289-298. IEEE, 2011. URL: https://doi.org/10.1109/CGO.2011.5764696.
  21. Michael Hind, Michael Burke, Paul Carini, and Jong-Deok Choi. Interprocedural pointer alias analysis. ACM Transactions on Programming Languages and Systems (TOPLAS), 21(4):848-894, 1999. URL: https://doi.org/10.1145/325478.325519.
  22. Michael Hind and Anthony Pioli. Assessing the effects of flow-sensitivity on pointer alias analyses. In International Static Analysis Symposium (SAS), pages 57-81. Springer, 1998. URL: https://doi.org/10.1007/3-540-49727-7_4.
  23. Yuseok Jeon, Priyam Biswas, Scott Carr, Byoungyoung Lee, and Mathias Payer. HexType: Efficient detection of type confusion errors for C++. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 2373-2387. ACM, 2017. URL: https://doi.org/10.1145/3133956.3134062.
  24. Sehun Jeong, Minseok Jeon, Sungdeok Cha, and Hakjoo Oh. Data-driven context-sensitivity for points-to analysis. Proceedings of the ACM on Programming Languages, 1(OOPSLA):100, 2017. URL: https://doi.org/10.1145/3133924.
  25. John B Kam and Jeffrey D Ullman. Monotone data flow analysis frameworks. Acta Informatica, 7(3):305-317, 1977. URL: https://doi.org/10.1007/BF00290339.
  26. George Kastrinis and Yannis Smaragdakis. Hybrid context-sensitivity for points-to analysis. In Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), page 423–434. ACM, 2013. URL: https://doi.org/10.1145/2499370.2462191.
  27. Chris Lattner and Vikram Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In International Symposium on Code Generation and Optimization (CGO), pages 75-86. IEEE, 2004. URL: https://doi.org/10.1109/CGO.2004.1281665.
  28. Anatole Le, Ondřej Lhoták, and Laurie Hendren. Using inter-procedural side-effect information in JIT optimizations. In International Conference on Compiler Construction (CC), pages 287-304. Springer, 2005. URL: https://doi.org/10.1007/11406921_22.
  29. Yuxiang Lei and Yulei Sui. Fast and precise handling of positive weight cycles for field-sensitive pointer analysis. In International Static Analysis Symposium (SAS), pages 27-47. Springer, 2019. URL: https://doi.org/10.1007/978-3-030-32304-2_3.
  30. Ondrej Lhoták and Kwok-Chiang Andrew Chung. Points-to analysis with efficient strong updates. In Proceedings of the 38th annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 3-16. ACM, 2011. URL: https://doi.org/10.1145/1926385.1926389.
  31. Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z Guyer, Uday P Khedker, Anders Møller, and Dimitrios Vardoulakis. In defense of soundiness: A manifesto. Communications of the ACM, 58(2):44-46, 2015. URL: https://doi.org/10.1145/2644805.
  32. V Benjamin Livshits and Monica S Lam. Tracking pointers with path and context sensitivity for bug detection in C programs. In Proceedings of the 9th European Software Engineering Conference held jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE), pages 317-326. ACM, 2003. URL: https://doi.org/10.1145/940071.940114.
  33. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. Design and implementation of sparse global analyses for C-like languages. In Proceedings of the 33rd ACM SIGPLAN conference on Programming Language Design and Implementation (PLDI), pages 229-238. ACM, 2012. URL: https://doi.org/10.1145/2345156.2254092.
  34. Fernando Magno Quintao Pereira and Daniel Berlin. Wave propagation and deep propagation for pointer analysis. In 2009 International Symposium on Code Generation and Optimization (CGO), pages 126-135. IEEE, 2009. URL: https://doi.org/10.1109/CGO.2009.9.
  35. Rajiv Ravindran Rick Hank, Loreena Lee. Implementing next generation points-to in Open64. In Open64 Developers Forum, 2010. URL: http://www.affinic.com/documents/open64workshop/2010/.
  36. Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Gang Fan, and Charles Zhang. Pinpoint: Fast and precise sparse value flow analysis for million lines of code. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 693-706. ACM, 2018. URL: https://doi.org/10.1145/3192366.3192418.
  37. Yannis Smaragdakis, Martin Bravenboer, and Ondrej Lhoták. Pick your contexts well: understanding object-sensitivity. In Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL), pages 17-30. ACM, 2011. URL: https://doi.org/10.1145/1925844.1926390.
  38. Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, and Eric Bodden. Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java. In 30th European Conference on Object-Oriented Programming (ECOOP). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2016. URL: https://doi.org/10.4230/LIPIcs.ECOOP.2016.22.
  39. Yulei Sui and Jingling Xue. On-demand strong update analysis via value-flow refinement. In ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), pages 460-473. ACM, 2016. URL: https://doi.org/10.1145/2950290.2950296.
  40. Yulei Sui and Jingling Xue. SVF: interprocedural static value-flow analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction (CC), pages 265-266. ACM, 2016. URL: https://doi.org/10.1145/2892208.2892235.
  41. Yulei Sui, Ding Ye, and Jingling Xue. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Transactions on Software Engineering, 40(2):107-122, 2014. URL: https://doi.org/10.1109/TSE.2014.2302311.
  42. Frank Tip. A survey of program slicing techniques. Centrum voor Wiskunde en Informatica Amsterdam, 1994. Google Scholar
  43. Mark Weiser. Program slicing. In Proceedings of the 5th International Conference on Software Engineering (ICSE), page 439–449. IEEE, 1981. URL: https://doi.org/10.1109/TSE.1984.5010248.
  44. John Whaley and Monica S Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation (PLDI), pages 131-144. ACM, 2004. URL: https://doi.org/10.1145/996841.996859.
  45. Robert P Wilson and Monica S Lam. Efficient context-sensitive pointer analysis for C programs. ACM Sigplan Notices, 30(6):1-12, 1995. URL: https://doi.org/10.1145/223428.207111.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail