Software Quality Journal

, Volume 12, Issue 4, pp 311–337 | Cite as

Online Cycle Detection and Difference Propagation: Applications to Pointer Analysis

  • David J. Pearce
  • Paul H.J. Kelly
  • Chris Hankin
Article

Abstract

This paper presents and evaluates a number of techniques to improve the execution time of interprocedural pointer analysis in the context of C programs. The analysis is formulated as a graph of set constraints and solved using a worklist algorithm. Indirections lead to new constraints being added during this procedure. The solution process can be simplified by identifying cycles, and we present a novel online algorithm for doing this. We also present a difference propagation scheme which avoids redundant work by tracking changes to each solution set. The effectiveness of these and other methods are shown in an experimental study over 12 common ‘C’ programs ranging between 1000 to 150,000 lines of code.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Aho, A.V., Garey, M.R., and Ullman, J.D. 1972. The transitive reduction of a directed graph, SIAM Journal on Computing 1(2): 131–137.Google Scholar
  2. Aiken, A. 1994. Set constraints: Results, applications, and future directions, Proceedings of the Workshop on Principles and Practice of Constraint Programming, Lecture Notes in Computer Science, Vol. 874, pp. 326–335. Springer.Google Scholar
  3. Aiken, A. 1999. Introduction to set constraint-based program analysis, Science of Computer Programming 35(2-3): 79–111.Google Scholar
  4. Aiken, A. and Wimmers, E.L. 1993. Type inclusion constraints and type inference, Proceedings of the ACM Conference on Functional Programming Languages and Computer Architecture, pp. 31–41. ACM Press.Google Scholar
  5. Alur, R., Henzinger, T.A., Mang, F.Y.C., Qadeer, S., Rajamani, S.K., and Tasiran, S. 1998. MOCHA: Modularity in model checking, Proceedings of the Conference on Computer Aided Verification, pp. 521–525.Google Scholar
  6. Andersen, L.O. 1994. Program Analysis and Specialization for the C Programming Language, Ph.D. Thesis, DIKU, University of Copenhagen.Google Scholar
  7. Ball, T. and Horwitz, S. 1993. Slicing programs with arbitrary control-flow, Proceedings of the Workshop on Automated and Algorithmic Debugging, Lecture Notes in Computer Science, Vol. 749, pp. 206–222. Springer.Google Scholar
  8. Binkley, D. 1998. The application of program slicing to regression testing, Information and Software Technology 40(11-12): 583–594.Google Scholar
  9. Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., and Rival, X. 2002. Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software, The Essence of Computation: Complexity, Analysis, Transformation, Lecture Notes in Computer Science, Vol. 2566, pp. 85–108. Springer.Google Scholar
  10. Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., and Rival, X. 2003. A static analyzer for large safety-critical software, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 196–207. ACM Press.Google Scholar
  11. Bourdoncle, F. 1993a. Abstract debugging of higher-order imperative languages, ACM SIGPLAN Notices 28(6): 46–55.Google Scholar
  12. Bourdoncle, F. 1993b. Efficient chaotic iteration strategies with widenings, Proceedings of the Conference on Formal Methods in Programming and their Applications, pp. 128–141.Google Scholar
  13. Burke, M., Carini, P.R., Choi, J.-D., and Hind, M. 1997. Interprocedural pointer alias analysis, Technical Report RC 21055, IBM Research.Google Scholar
  14. Chandra, S. and Reps, T. 1999. Physical type checking for C, Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering, pp. 66–75. ACM Press.Google Scholar
  15. Chatterjee, R., Ryder, B.G., and Landi, W.A. 1999. Relevant context inference, Proceedings of the ACM Symposium on Principles of Programming Languages, pp. 133–146. ACM Press.Google Scholar
  16. Chen, L.-L. and Harrison, W.L. 1994. An efficient approach to computing fixpoints for complex program analysis, Proceedings of the ACM Conference on Supercomputing, pp. 98–106. ACM Press.Google Scholar
  17. Choi, J.-D., Sarkar, V., and Schonberg, E. 1996. Incremental computation of static single assignment form, Proceedings of the Conference on Compiler Construction, Lecture Notes in Computer Science, Vol. 1060, pp. 223–237. Springer.Google Scholar
  18. Chow, F.C., Chan, S., Liu, S.-M., Lo, R., and Streich, M. 1996. Effective representation of aliases and indirect memory operations in SSA form, Proceedings of the Conference on Compiler Construction, Lecture Notes in Computer Science, Vol. 1060, pp. 253–267. Springer.Google Scholar
  19. Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.K., and Zadeck, F.K. 1989. An efficient method of computing static single assignment form, Proceedings of the ACM Symposium on Principles of Programming Languages, pp. 25–35. ACM Press.Google Scholar
  20. Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., and Zadeck, F.K. 1991. Efficiently computing static single assignment form and the control dependence graph, ACM Transactions on Programming Languages and Systems 13(4): 451–490.Google Scholar
  21. Cytron, R. and Gershbein, R. 1993. Efficient accommodation of may-alias information in SSA form, Proceedings of the Conference on Programming Language Design and Implementation, pp. 36–45. ACM Press.Google Scholar
  22. Danicic, S., Fox, C., Harman, M., and Hierons, R. 2000. ConSIT: A conditioned program slicer, Proceedings of the IEEE Conference on Software Maintenance, pp. 216–226. IEEE Computer Society Press.Google Scholar
  23. Das, M. 2000. Unification-based pointer analysis with directional assignments, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 35–46. ACM Press.Google Scholar
  24. Das, M., Liblit, B., Fähndrich, M., and Rehof, J. 2001. Estimating the impact of scalable pointer analysis on optimization, Proceedings of the Static Analysis Symposium, Lecture Notes in Computer Science, Vol. 2126, pp. 260–278. Springer.Google Scholar
  25. Diwan, A., McKinley, K.S., and Moss, J.E.B. 1998. Type-based alias analysis, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 106–117. ACM Press.Google Scholar
  26. Dor, N., Rodeh, M., and Sagiv, M. 2003. CSSV: Towards a realistic tool for statically detecting all buffer overflows in C, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 155–167. ACM Press.Google Scholar
  27. Eichin, M.W. and Rochlis, J.A. 1989. With microscope and tweezers: An analysis of the internet virus of november 1988, Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 326–343. IEEE Computer Society Press.Google Scholar
  28. Emami, M., Ghiya, R., and Hendren, L.J. 1994. Context-sensitive interprocedural points-to analysis in the presence of function pointers, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 242–256. ACM Press.Google Scholar
  29. Fähndrich, M., Foster, J.S., Su, Z., and Aiken, A. 1998. Partial online cycle elimination in inclusion constraint graphs, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 85–96. ACM Press.Google Scholar
  30. Fähndrich, M., Rehof, J., and Das, M. 2000. Scalable context-sensitive flow analysis using instantiation constraints, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 253–263. ACM Press.Google Scholar
  31. Fecht, C. and Seidl, H. 1996. An even faster solver for general systems of equations, Proceedings of the Static Analysis Symposium, Lecture Notes in Computer Science, Vol. 1145, pp. 189–204.Google Scholar
  32. Fecht, C. and Seidl, H. 1998. Propagating differences: An efficient new fixpoint algorithm for distributive constraint systems, Proceedings of the European Symposium on Programming, Lecture Notes in Computer Science, Vol. 1381, pp. 90–104.Google Scholar
  33. Flanagan, C. 1997. Effective Static Debugging via Componential Set-Based Analysis, Ph.D. Thesis, Rice University.Google Scholar
  34. Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., and Stata, R. 2002. Extended static checking for Java, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 234–245. ACM Press.Google Scholar
  35. Foster, J.S., Fahndrich, M., and Aiken, A. 1997. Flow-insensitive points-to analysis with term and set constraints, Technical Report CSD-97-964, University of California, Berkeley.Google Scholar
  36. Foster, J.S., Fahndrich, M., and Aiken, A. 2000. Polymorphic versus monomorphic flow-insensitive points-to analysis for C, Proceedings of the Static Analysis Symposium, pp. 175–198.Google Scholar
  37. Godefroid, P. 1997. VeriSoft: A tool for the automatic analysis of concurrent reactive software, Proceedings of the Conference on Computer Aided Verification, Lecture Notes in Computer Science, Vol. 1254, pp. 476–479.Google Scholar
  38. Goyal, D. 1999. An improved inter-procedural may-alias analysis algorithm, Technical Report 1999-777, New York University.Google Scholar
  39. Guyer, S.Z. 2003. Incorporating Domain-Specific Information into the Compilation Process, Ph.D. Thesis, University of Texas at Austin.Google Scholar
  40. Harman, M., Binkley, D., and Danicic, S. 2003. Amorphous program slicing, The Journal of Systems and Software 68(1): 45–64.Google Scholar
  41. Hasti, R. and Horwitz, S. 1998. Using static single assignment form to improve flow-insensitive pointer analysis, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 97–105. ACM Press.Google Scholar
  42. Heintze, N. 1994. Set-based analysis of ML programs, Proceedings of the ACM Conference on Lisp and Functional Programming, pp. 306–317. ACM Press.Google Scholar
  43. Heintze, N. and Tardieu, O. 2001. Ultra-fast aliasing analysis using CLA: A million lines of C code in a second, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 254–263. ACM Press.Google Scholar
  44. Henzinger, T.A., Ho, P.-H., and Wong-Toi, H. 1997. HYTECH: A model checker for hybrid systems, Proceedings of the Conference on Computer Aided Verification, Lecture Notes in Computer Science, Vol. 1254, pp. 460–463.Google Scholar
  45. Henzinger, T.A., Jhala, R., Majumdar, R., and Sutre, G. 2003. Software verification with Blast, Proceedings of the Workshop on Model Checking Software, Lecture Notes in Computer Science, Vol. 2648, pp. 235–239. Springer.Google Scholar
  46. Hind, M. 2001. Pointer analysis: haven’t we solved this problem yet? Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering, pp. 54–61. ACM Press.Google Scholar
  47. Hind, M., Burke, M., Carini, P., and Choi, J.-D. 1999. Interprocedural pointer alias analysis, ACM Transactions on Programming Languages and Systems 21(4): 848–894.Google Scholar
  48. Hind, M. and Pioli, A. 2000. Which pointer analysis should I use? Proceedings of the ACM Symposium on Software Testing and Analysis, pp. 113–123. ACM Press.Google Scholar
  49. Holzmann, G.J. 1997. The Spin model checker, IEEE Transactions on Software Engineering 23(5): 279–295.Google Scholar
  50. Horwitz, S. 1997. Precise flow-insensitive may-alias analysis is NP-hard, ACM Transactions on Programming Languages and Systems 19(1): 1–6.Google Scholar
  51. Horwitz, S., Demers, A.J., and Teitelbaum, T. 1987. An efficient general iterative algorithm for dataflow analysis, Acta Informatica 24(6): 679–694.Google Scholar
  52. Horwitz, S., Reps, T., and Binkley, D. 1988. Interprocedural slicing using dependence graphs, ACM SIGPLAN Notices 23(7): 35–46.Google Scholar
  53. Jones, J.A., Harrold, M.J., and Stasko, J. 2002. Visualization of test information to assist fault localization, Proceedings of the ACM Conference on Software Engineering, pp. 467–477. ACM Press.Google Scholar
  54. Jones, L.G. 1990. Efficient evaluation of circular attribute grammars, ACM Transactions on Programming Languages and Systems 12(3): 429–462.Google Scholar
  55. Kanamori, A. and Weise, D. 1994. Worklist management strategies, Technical Report MSR-TR-94-12, Microsoft Research.Google Scholar
  56. Landi, W. 1992a. Interprocedural Aliasing in the Presence of Pointers. Ph.D. Thesis, Rutgers, The State University of New Jersey.Google Scholar
  57. Landi, W. 1992b. Undecidability of static analysis, ACM Letters on Programming Languages and Systems 1(4): 323–337.Google Scholar
  58. Lapkowski, C. and Hendren, L.J. 1998. Extended SSA numbering: Introducing SSA properties to language with multi-level pointers, Proceedings of the Conference on Compiler Construction, Lecture Notes in Computer Science, Vol. 1383, pp. 128–143. Springer.Google Scholar
  59. Lhoták, O. and Hendren, L.J. 2003. Scaling Java points-to analysis using SPARK, Proceedings of the Conference on Compiler Construction, Lecture Notes in Computer Science, Vol. 2622, pp. 153–169. Springer.Google Scholar
  60. Liang, D. and Harrold, M.J. 1999. Efficient points-to analysis for whole-program analysis, Proceedings of the Symposium on the Foundations of Software Engineering, Lecture Notes in Computer Science, Vol. 1687, pp. 199–215. Springer/ACM Press.Google Scholar
  61. Liang, D. and Harrold, M.J. 2001. Efficient computation of parameterized pointer information for interprocedural analyses, Proceedings of the Symposium on Static Analysis, Lecture Notes in Computer Science, Vol. 2126, pp. 279–298. Springer.Google Scholar
  62. Liang, D., Pennings, M., and Harrold, M.J. 2001. Extending and evaluating flow-insensitive and contextinsensitive points-to analyses for Java, Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering, pp. 73–79. ACM Press.Google Scholar
  63. Lucia, A.D. 2001. Program slicing: Methods and applications, Proceedings of the IEEE Workshop on Source Code Analysis and Manipulation, pp. 142–149. IEEE Computer Society Press.Google Scholar
  64. Marchetti-Spaccamela, A., Nanni, U., and Rohnert, H. 1996. Maintaining a topological order under edge insertions, Information Processing Letters 59(1): 53–58.Google Scholar
  65. Milanova, A., Rountev, A., and Ryder, B. 2002. Parameterized object sensitivity for points-to and side-effect analyses for Java, Proceedings of the Symposium on Software Testing and Analysis, pp. 1–11.Google Scholar
  66. Myers, B.A. 1986. Visual programming, programming by example, and program visualization: A taxonomy, Human Factors in Computing Systems, pp. 59–66.Google Scholar
  67. Nielson, F., Nielson, H.R., and Hankin, C.L. 1999. Principles of Program Analysis. Springer, 1999.Google Scholar
  68. Nuutila, E. and Soisalon-Soininen, E. 1994. On finding the strongly connected components in a directed graph, Information Processing Letters 49(1): 9–14.Google Scholar
  69. Pearce, D.J. 2004. Some Directed Graph Algorithms and Their Application to Pointer Analysis, Ph.D. Thesis, Imperial College, London.Google Scholar
  70. Pearce, D.J. and Kelly, P.H.J. 2004. A dynamic algorithm for topologically sorting directed acyclic graphs, Proceedings of the Workshop on Efficient and Experimental Algorithms, Lecture Notes in Computer Science, Vol. 3059, pp. 383–398. Springer.Google Scholar
  71. Pearce, D.J., Kelly, P.H.J., and Hankin, C. 2003. Online cycle detection and difference propagation for pointer analysis, Proceedings of the IEEE Workshop on Source Code Analysis and Manipulation, pp. 3–12. IEEE Computer Society Press.Google Scholar
  72. Pearce, D.J., Kelly, P.H.J., and Hankin, C. 2004. Efficient field-sensitive pointer analysis for C, Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering. ACM Press.Google Scholar
  73. Ramalingam, G. 1994. The undecidability of aliasing, ACM Transactions on Programming Languages and Systems 16(5): 1467–1471.Google Scholar
  74. Reiss, S.P. 1997. Cacti: a front end for program visualization, Proceedings of the IEEE Symposium on Information Visualization, pp. 46–50.Google Scholar
  75. Reps, T. and Turnidge, T. 1996. Program specialization via program slicing, Selected Papers from the International Seminar on Partial Evaluation, Lecture Notes in Computer Science, Vol. 1110, pp. 409–429. Springer.Google Scholar
  76. Reps, T. and Yang, W. 1989. The semantics of program slicing and program integration, Proceedings of the Joint Conference on Theory and Practice of Software Development, Volume 2, Lecture Notes in Computer Science, Vol. 352, pp. 360–374. Springer.Google Scholar
  77. Rountev, A. and Chandra, S. 2000. Off-line variable substitution for scaling points-to analysis, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 47–56. ACM Press.Google Scholar
  78. Rountev, A., Milanova, A., and Ryder, B.G. 2001. Points-to analysis for Java using annotated constraints, Proceedings of the ACM Conference on Object Oriented Programming Systems, Languages and Applications, pp. 43–55. ACM Press.Google Scholar
  79. Ruf, E. 1995. Context-insensitive alias analysis reconsidered, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 13–22. ACM Press.Google Scholar
  80. Shapiro, M. and Horwitz, S. 1997. Fast and accurate flow-insensitive points-to analysis, Proceedings of the ACM Symposium on Principles of Programming Languages, pp. 1–14. ACM Press.Google Scholar
  81. Shmueli, O. 1983. Dynamic cycle detection, Information Processing Letters 17(4): 185–188.Google Scholar
  82. Steensgaard, B. 1996a. Points-to analysis by type inference of programs with structures and unions. Proceedings of the Conference on Compiler Construction, pp. 136–150.Google Scholar
  83. Steensgaard, B. 1996b. Points-to analysis in almost linear time, Proceedings of the ACM Symposium on Principles of Programming Languages, pp. 32–41. ACM Press.Google Scholar
  84. Su, Z., Fähndrich, M., and Aiken, A. 2000. Projection merging: Reducing redundancies in inclusion constraint graphs, Proceedings of the Symposium on Principles of Programming Languages, pp. 81–95. ACM Press.Google Scholar
  85. Systä, T., Yu, P., and Müller, H. 2000. Analyzing Java software by combining metrics and program visualization, Proceedings of the IEEE Conference on Software Maintenance and Reengineering, pp. 199–208. IEEE Computer Society Press.Google Scholar
  86. Tarjan, R. 1972. Depth-first search and linear graph algorithms, SIAM Journal on Computing 1(2): 146–160.Google Scholar
  87. The Vis Group. 1996. VIS: A system for verification and synthesis, Proceedings of the Conference on Computer Aided Verification, Lecture Notes in Computer Science, Vol. 1102, pp. 428–432. Springer.Google Scholar
  88. Wagner, D., Foster, J.S., Brewer, E.A., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities, Proceedings of the Network and Distributed System Security Symposium, pp. 3–17.Google Scholar
  89. Wilson, R.P. and Lam, M.S. 1995. Efficient context-sensitive pointer analysis for C programs, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 1–12. ACM Press.Google Scholar
  90. Yong, S.H., Horwitz, S., and Reps, T. 1999. Pointer analysis for programs with structures and casting, Proceedings of the ACM Conference on Programming Language Design and Implementation, pp. 91–103. ACM Press.Google Scholar

Copyright information

© Kluwer Academic Publishers 2004

Authors and Affiliations

  • David J. Pearce
    • 1
  • Paul H.J. Kelly
    • 2
  • Chris Hankin
    • 3
  1. 1.Victoria University of WellingtonNew Zealand
  2. 2.Department of ComputingImperial CollegeUK
  3. 3.Department of ComputingImperial CollegeUK

Personalised recommendations