Alias Analysis for Object-Oriented Programs

  • Manu Sridharan
  • Satish Chandra
  • Julian Dolby
  • Stephen J. Fink
  • Eran Yahav
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7850)

Abstract

We present a high-level survey of state-of-the-art alias analyses for object-oriented programs, based on a years-long effort developing industrial-strength static analyses for Java. We first present common variants of points-to analysis, including a discussion of key implementation techniques. We then describe flow-sensitive techniques based on tracking of access paths, which can yield greater precision for certain clients. We also discuss how whole-program alias analysis has become less useful for modern Java programs, due to increasing use of reflection in libraries and frameworks. We have found that for real-world programs, an under-approximate alias analysis based on access-path tracking often provides the best results for a variety of practical clients.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Manu Sridharan (1)
  • Satish Chandra (1)
  • Julian Dolby (1)
  • Stephen J. Fink (1)
  • Eran Yahav (2)

  1. IBM T.J. Watson Research Center, USA
  2. Technion, Israel
