# Online Cycle Detection and Difference Propagation: Applications to Pointer Analysis

- 90 Downloads
- 10 Citations

## Abstract

This paper presents and evaluates a number of techniques to improve the execution time of interprocedural pointer analysis in the context of C programs. The analysis is formulated as a graph of set constraints and solved using a worklist algorithm. Indirections lead to new constraints being added during this procedure. The solution process can be simplified by identifying cycles, and we present a novel online algorithm for doing this. We also present a difference propagation scheme which avoids redundant work by tracking changes to each solution set. The effectiveness of these and other methods are shown in an experimental study over 12 common ‘C’ programs ranging between 1000 to 150,000 lines of code.

## Keywords

Experimental Study Operating System Data Structure Execution Time Information Theory## Preview

Unable to display preview. Download preview PDF.

## References

- Aho, A.V., Garey, M.R., and Ullman, J.D. 1972. The transitive reduction of a directed graph,
*SIAM Journal on Computing*1(2): 131–137.Google Scholar - Aiken, A. 1994. Set constraints: Results, applications, and future directions,
*Proceedings of the Workshop on Principles and Practice of Constraint Programming*, Lecture Notes in Computer Science, Vol. 874, pp. 326–335. Springer.Google Scholar - Aiken, A. 1999. Introduction to set constraint-based program analysis,
*Science of Computer Programming*35(2-3): 79–111.Google Scholar - Aiken, A. and Wimmers, E.L. 1993. Type inclusion constraints and type inference,
*Proceedings of the ACM Conference on Functional Programming Languages and Computer Architecture*, pp. 31–41. ACM Press.Google Scholar - Alur, R., Henzinger, T.A., Mang, F.Y.C., Qadeer, S., Rajamani, S.K., and Tasiran, S. 1998. MOCHA: Modularity in model checking,
*Proceedings of the Conference on Computer Aided Verification*, pp. 521–525.Google Scholar - Andersen, L.O. 1994.
*Program Analysis and Specialization for the C Programming Language*, Ph.D. Thesis, DIKU, University of Copenhagen.Google Scholar - Ball, T. and Horwitz, S. 1993. Slicing programs with arbitrary control-flow,
*Proceedings of the Workshop on Automated and Algorithmic Debugging*, Lecture Notes in Computer Science, Vol. 749, pp. 206–222. Springer.Google Scholar - Binkley, D. 1998. The application of program slicing to regression testing,
*Information and Software Technology*40(11-12): 583–594.Google Scholar - Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., and Rival, X. 2002. Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software,
*The Essence of Computation: Complexity, Analysis, Transformation*, Lecture Notes in Computer Science, Vol. 2566, pp. 85–108. Springer.Google Scholar - Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., and Rival, X. 2003. A static analyzer for large safety-critical software,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 196–207. ACM Press.Google Scholar - Bourdoncle, F. 1993a. Abstract debugging of higher-order imperative languages,
*ACM SIGPLAN Notices*28(6): 46–55.Google Scholar - Bourdoncle, F. 1993b. Efficient chaotic iteration strategies with widenings,
*Proceedings of the Conference on Formal Methods in Programming and their Applications*, pp. 128–141.Google Scholar - Burke, M., Carini, P.R., Choi, J.-D., and Hind, M. 1997. Interprocedural pointer alias analysis, Technical Report RC 21055, IBM Research.Google Scholar
- Chandra, S. and Reps, T. 1999. Physical type checking for C,
*Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering*, pp. 66–75. ACM Press.Google Scholar - Chatterjee, R., Ryder, B.G., and Landi, W.A. 1999. Relevant context inference,
*Proceedings of the ACM Symposium on Principles of Programming Languages*, pp. 133–146. ACM Press.Google Scholar - Chen, L.-L. and Harrison, W.L. 1994. An efficient approach to computing fixpoints for complex program analysis,
*Proceedings of the ACM Conference on Supercomputing*, pp. 98–106. ACM Press.Google Scholar - Choi, J.-D., Sarkar, V., and Schonberg, E. 1996. Incremental computation of static single assignment form,
*Proceedings of the Conference on Compiler Construction*, Lecture Notes in Computer Science, Vol. 1060, pp. 223–237. Springer.Google Scholar - Chow, F.C., Chan, S., Liu, S.-M., Lo, R., and Streich, M. 1996. Effective representation of aliases and indirect memory operations in SSA form,
*Proceedings of the Conference on Compiler Construction*, Lecture Notes in Computer Science, Vol. 1060, pp. 253–267. Springer.Google Scholar - Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.K., and Zadeck, F.K. 1989. An efficient method of computing static single assignment form,
*Proceedings of the ACM Symposium on Principles of Programming Languages*, pp. 25–35. ACM Press.Google Scholar - Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., and Zadeck, F.K. 1991. Efficiently computing static single assignment form and the control dependence graph,
*ACM Transactions on Programming Languages and Systems*13(4): 451–490.Google Scholar - Cytron, R. and Gershbein, R. 1993. Efficient accommodation of may-alias information in SSA form,
*Proceedings of the Conference on Programming Language Design and Implementation*, pp. 36–45. ACM Press.Google Scholar - Danicic, S., Fox, C., Harman, M., and Hierons, R. 2000. ConSIT: A conditioned program slicer,
*Proceedings of the IEEE Conference on Software Maintenance*, pp. 216–226. IEEE Computer Society Press.Google Scholar - Das, M. 2000. Unification-based pointer analysis with directional assignments,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 35–46. ACM Press.Google Scholar - Das, M., Liblit, B., Fähndrich, M., and Rehof, J. 2001. Estimating the impact of scalable pointer analysis on optimization,
*Proceedings of the Static Analysis Symposium*, Lecture Notes in Computer Science, Vol. 2126, pp. 260–278. Springer.Google Scholar - Diwan, A., McKinley, K.S., and Moss, J.E.B. 1998. Type-based alias analysis,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 106–117. ACM Press.Google Scholar - Dor, N., Rodeh, M., and Sagiv, M. 2003. CSSV: Towards a realistic tool for statically detecting all buffer overflows in C,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 155–167. ACM Press.Google Scholar - Eichin, M.W. and Rochlis, J.A. 1989. With microscope and tweezers: An analysis of the internet virus of november 1988,
*Proceedings of the IEEE Symposium on Research in Security and Privacy*, pp. 326–343. IEEE Computer Society Press.Google Scholar - Emami, M., Ghiya, R., and Hendren, L.J. 1994. Context-sensitive interprocedural points-to analysis in the presence of function pointers,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 242–256. ACM Press.Google Scholar - Fähndrich, M., Foster, J.S., Su, Z., and Aiken, A. 1998. Partial online cycle elimination in inclusion constraint graphs,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 85–96. ACM Press.Google Scholar - Fähndrich, M., Rehof, J., and Das, M. 2000. Scalable context-sensitive flow analysis using instantiation constraints,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 253–263. ACM Press.Google Scholar - Fecht, C. and Seidl, H. 1996. An even faster solver for general systems of equations,
*Proceedings of the Static Analysis Symposium*, Lecture Notes in Computer Science, Vol. 1145, pp. 189–204.Google Scholar - Fecht, C. and Seidl, H. 1998. Propagating differences: An efficient new fixpoint algorithm for distributive constraint systems,
*Proceedings of the European Symposium on Programming*, Lecture Notes in Computer Science, Vol. 1381, pp. 90–104.Google Scholar - Flanagan, C. 1997.
*Effective Static Debugging via Componential Set-Based Analysis*, Ph.D. Thesis, Rice University.Google Scholar - Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., and Stata, R. 2002. Extended static checking for Java,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 234–245. ACM Press.Google Scholar - Foster, J.S., Fahndrich, M., and Aiken, A. 1997. Flow-insensitive points-to analysis with term and set constraints, Technical Report CSD-97-964, University of California, Berkeley.Google Scholar
- Foster, J.S., Fahndrich, M., and Aiken, A. 2000. Polymorphic versus monomorphic flow-insensitive points-to analysis for C,
*Proceedings of the Static Analysis Symposium*, pp. 175–198.Google Scholar - Godefroid, P. 1997. VeriSoft: A tool for the automatic analysis of concurrent reactive software,
*Proceedings of the Conference on Computer Aided Verification*, Lecture Notes in Computer Science, Vol. 1254, pp. 476–479.Google Scholar - Goyal, D. 1999. An improved inter-procedural may-alias analysis algorithm, Technical Report 1999-777, New York University.Google Scholar
- Guyer, S.Z. 2003.
*Incorporating Domain-Specific Information into the Compilation Process*, Ph.D. Thesis, University of Texas at Austin.Google Scholar - Harman, M., Binkley, D., and Danicic, S. 2003. Amorphous program slicing,
*The Journal of Systems and Software*68(1): 45–64.Google Scholar - Hasti, R. and Horwitz, S. 1998. Using static single assignment form to improve flow-insensitive pointer analysis,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 97–105. ACM Press.Google Scholar - Heintze, N. 1994. Set-based analysis of ML programs,
*Proceedings of the ACM Conference on Lisp and Functional Programming*, pp. 306–317. ACM Press.Google Scholar - Heintze, N. and Tardieu, O. 2001. Ultra-fast aliasing analysis using CLA: A million lines of C code in a second,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 254–263. ACM Press.Google Scholar - Henzinger, T.A., Ho, P.-H., and Wong-Toi, H. 1997. HYTECH: A model checker for hybrid systems,
*Proceedings of the Conference on Computer Aided Verification*, Lecture Notes in Computer Science, Vol. 1254, pp. 460–463.Google Scholar - Henzinger, T.A., Jhala, R., Majumdar, R., and Sutre, G. 2003. Software verification with Blast,
*Proceedings of the Workshop on Model Checking Software*, Lecture Notes in Computer Science, Vol. 2648, pp. 235–239. Springer.Google Scholar - Hind, M. 2001. Pointer analysis: haven’t we solved this problem yet?
*Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering*, pp. 54–61. ACM Press.Google Scholar - Hind, M., Burke, M., Carini, P., and Choi, J.-D. 1999. Interprocedural pointer alias analysis,
*ACM Transactions on Programming Languages and Systems*21(4): 848–894.Google Scholar - Hind, M. and Pioli, A. 2000. Which pointer analysis should I use?
*Proceedings of the ACM Symposium on Software Testing and Analysis*, pp. 113–123. ACM Press.Google Scholar - Holzmann, G.J. 1997. The Spin model checker,
*IEEE Transactions on Software Engineering*23(5): 279–295.Google Scholar - Horwitz, S. 1997. Precise flow-insensitive may-alias analysis is NP-hard,
*ACM Transactions on Programming Languages and Systems*19(1): 1–6.Google Scholar - Horwitz, S., Demers, A.J., and Teitelbaum, T. 1987. An efficient general iterative algorithm for dataflow analysis,
*Acta Informatica*24(6): 679–694.Google Scholar - Horwitz, S., Reps, T., and Binkley, D. 1988. Interprocedural slicing using dependence graphs,
*ACM SIGPLAN Notices*23(7): 35–46.Google Scholar - Jones, J.A., Harrold, M.J., and Stasko, J. 2002. Visualization of test information to assist fault localization,
*Proceedings of the ACM Conference on Software Engineering*, pp. 467–477. ACM Press.Google Scholar - Jones, L.G. 1990. Efficient evaluation of circular attribute grammars,
*ACM Transactions on Programming Languages and Systems*12(3): 429–462.Google Scholar - Kanamori, A. and Weise, D. 1994. Worklist management strategies, Technical Report MSR-TR-94-12, Microsoft Research.Google Scholar
- Landi, W. 1992a.
*Interprocedural Aliasing in the Presence of Pointers*. Ph.D. Thesis, Rutgers, The State University of New Jersey.Google Scholar - Landi, W. 1992b. Undecidability of static analysis,
*ACM Letters on Programming Languages and Systems*1(4): 323–337.Google Scholar - Lapkowski, C. and Hendren, L.J. 1998. Extended SSA numbering: Introducing SSA properties to language with multi-level pointers,
*Proceedings of the Conference on Compiler Construction*, Lecture Notes in Computer Science, Vol. 1383, pp. 128–143. Springer.Google Scholar - Lhoták, O. and Hendren, L.J. 2003. Scaling Java points-to analysis using SPARK,
*Proceedings of the Conference on Compiler Construction*, Lecture Notes in Computer Science, Vol. 2622, pp. 153–169. Springer.Google Scholar - Liang, D. and Harrold, M.J. 1999. Efficient points-to analysis for whole-program analysis,
*Proceedings of the Symposium on the Foundations of Software Engineering*, Lecture Notes in Computer Science, Vol. 1687, pp. 199–215. Springer/ACM Press.Google Scholar - Liang, D. and Harrold, M.J. 2001. Efficient computation of parameterized pointer information for interprocedural analyses,
*Proceedings of the Symposium on Static Analysis*, Lecture Notes in Computer Science, Vol. 2126, pp. 279–298. Springer.Google Scholar - Liang, D., Pennings, M., and Harrold, M.J. 2001. Extending and evaluating flow-insensitive and contextinsensitive points-to analyses for Java,
*Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering*, pp. 73–79. ACM Press.Google Scholar - Lucia, A.D. 2001. Program slicing: Methods and applications,
*Proceedings of the IEEE Workshop on Source Code Analysis and Manipulation*, pp. 142–149. IEEE Computer Society Press.Google Scholar - Marchetti-Spaccamela, A., Nanni, U., and Rohnert, H. 1996. Maintaining a topological order under edge insertions,
*Information Processing Letters*59(1): 53–58.Google Scholar - Milanova, A., Rountev, A., and Ryder, B. 2002. Parameterized object sensitivity for points-to and side-effect analyses for Java,
*Proceedings of the Symposium on Software Testing and Analysis*, pp. 1–11.Google Scholar - Myers, B.A. 1986. Visual programming, programming by example, and program visualization: A taxonomy,
*Human Factors in Computing Systems*, pp. 59–66.Google Scholar - Nielson, F., Nielson, H.R., and Hankin, C.L. 1999.
*Principles of Program Analysis*. Springer, 1999.Google Scholar - Nuutila, E. and Soisalon-Soininen, E. 1994. On finding the strongly connected components in a directed graph,
*Information Processing Letters*49(1): 9–14.Google Scholar - Pearce, D.J. 2004.
*Some Directed Graph Algorithms and Their Application to Pointer Analysis*, Ph.D. Thesis, Imperial College, London.Google Scholar - Pearce, D.J. and Kelly, P.H.J. 2004. A dynamic algorithm for topologically sorting directed acyclic graphs,
*Proceedings of the Workshop on Efficient and Experimental Algorithms*, Lecture Notes in Computer Science, Vol. 3059, pp. 383–398. Springer.Google Scholar - Pearce, D.J., Kelly, P.H.J., and Hankin, C. 2003. Online cycle detection and difference propagation for pointer analysis,
*Proceedings of the IEEE Workshop on Source Code Analysis and Manipulation*, pp. 3–12. IEEE Computer Society Press.Google Scholar - Pearce, D.J., Kelly, P.H.J., and Hankin, C. 2004. Efficient field-sensitive pointer analysis for C,
*Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering*. ACM Press.Google Scholar - Ramalingam, G. 1994. The undecidability of aliasing,
*ACM Transactions on Programming Languages and Systems*16(5): 1467–1471.Google Scholar - Reiss, S.P. 1997. Cacti: a front end for program visualization,
*Proceedings of the IEEE Symposium on Information Visualization*, pp. 46–50.Google Scholar - Reps, T. and Turnidge, T. 1996. Program specialization via program slicing,
*Selected Papers from the International Seminar on Partial Evaluation*, Lecture Notes in Computer Science, Vol. 1110, pp. 409–429. Springer.Google Scholar - Reps, T. and Yang, W. 1989. The semantics of program slicing and program integration,
*Proceedings of the Joint Conference on Theory and Practice of Software Development, Volume 2*, Lecture Notes in Computer Science, Vol. 352, pp. 360–374. Springer.Google Scholar - Rountev, A. and Chandra, S. 2000. Off-line variable substitution for scaling points-to analysis,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 47–56. ACM Press.Google Scholar - Rountev, A., Milanova, A., and Ryder, B.G. 2001. Points-to analysis for Java using annotated constraints,
*Proceedings of the ACM Conference on Object Oriented Programming Systems, Languages and Applications*, pp. 43–55. ACM Press.Google Scholar - Ruf, E. 1995. Context-insensitive alias analysis reconsidered,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 13–22. ACM Press.Google Scholar - Shapiro, M. and Horwitz, S. 1997. Fast and accurate flow-insensitive points-to analysis,
*Proceedings of the ACM Symposium on Principles of Programming Languages*, pp. 1–14. ACM Press.Google Scholar - Shmueli, O. 1983. Dynamic cycle detection,
*Information Processing Letters*17(4): 185–188.Google Scholar - Steensgaard, B. 1996a. Points-to analysis by type inference of programs with structures and unions.
*Proceedings of the Conference on Compiler Construction*, pp. 136–150.Google Scholar - Steensgaard, B. 1996b. Points-to analysis in almost linear time,
*Proceedings of the ACM Symposium on Principles of Programming Languages*, pp. 32–41. ACM Press.Google Scholar - Su, Z., Fähndrich, M., and Aiken, A. 2000. Projection merging: Reducing redundancies in inclusion constraint graphs,
*Proceedings of the Symposium on Principles of Programming Languages*, pp. 81–95. ACM Press.Google Scholar - Systä, T., Yu, P., and Müller, H. 2000. Analyzing Java software by combining metrics and program visualization,
*Proceedings of the IEEE Conference on Software Maintenance and Reengineering*, pp. 199–208. IEEE Computer Society Press.Google Scholar - Tarjan, R. 1972. Depth-first search and linear graph algorithms,
*SIAM Journal on Computing*1(2): 146–160.Google Scholar - The Vis Group. 1996. VIS: A system for verification and synthesis,
*Proceedings of the Conference on Computer Aided Verification*, Lecture Notes in Computer Science, Vol. 1102, pp. 428–432. Springer.Google Scholar - Wagner, D., Foster, J.S., Brewer, E.A., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities,
*Proceedings of the Network and Distributed System Security Symposium*, pp. 3–17.Google Scholar - Wilson, R.P. and Lam, M.S. 1995. Efficient context-sensitive pointer analysis for C programs,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 1–12. ACM Press.Google Scholar - Yong, S.H., Horwitz, S., and Reps, T. 1999. Pointer analysis for programs with structures and casting,
*Proceedings of the ACM Conference on Programming Language Design and Implementation*, pp. 91–103. ACM Press.Google Scholar