On-demand dynamic summary-based points-to analysis

Shang, L.; Xie, Xinwei; Xue, Jingling

doi:10.1145/2259016.2259050

Cited by 73 publications

(61 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We introduce the state-of-the-art points-to analysis for Java formulated in terms of CFLreachability [26,27,28,36] which uses Spark's PAGs [17] as the program representation. In Section 2.1, we consider the syntax of PAGs and how to represent a Java example as a PAG.…”

Section: Cfl-reachabilitymentioning

confidence: 99%

“…Demand-driven points-to analysis [11] reduces the cost of analysis by only computing points-to information that is needed by its client analysis or optimisation. The state-of-the-art algorithms for Java [27,26,36] and C [41] are formulated in terms of CFL-reachability initially introduced in [23]. Given a CFL-reachability formulation, demand-driven analyses answer points-to queries as described in Section 2.…”

Section: Related Workmentioning

confidence: 99%

“…Points-to analysis has been studied extensively in order to improve its scalability, precision or tradeoffs [15,17,33,34], and continues to attract significant attention [10,9,26,25,27,35,30,37,39]. The majority of the previous solutions perform a wholeprogram points-to analysis to exhaustively compute points-to information for all variables in the program, which is often too resource-intensive in practice, especially for large programs.…”

Section: Introductionmentioning

confidence: 99%

“…The majority of the previous solutions perform a wholeprogram points-to analysis to exhaustively compute points-to information for all variables in the program, which is often too resource-intensive in practice, especially for large programs. Some recent efforts have focused on demand-driven points-to analysis [11,26,27,37], which mostly rely on Context-Free Language (CFL) reachability [22] to perform only the necessary work for a set of variables queried by a client rather than a whole-program analysis to find the points-to information for all its variables.…”

Section: Introductionmentioning

confidence: 99%

“…Existing solutions address the performance issue from several directions, by using refinement [27,28], (whole-program) pre-analysis [36], ad hoc caching [41], and procedural summarisation [26,25,37]. In this paper, we tackle this issue from a different angle.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

An Incremental Points-to Analysis with CFL-Reachability

Lü

Shang

Xie

et al. 2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract.Developing scalable and precise points-to analyses is increasingly important for analysing and optimising object-oriented programs where pointers are used pervasively. An incremental analysis for a program updates the existing analysis information after program changes to avoid reanalysing it from scratch. This can be efficiently deployed in software development environments where code changes are often small and frequent. This paper presents an incremental approach for demand-driven context-sensitive points-to analyses based on ContextFree Language (CFL) reachability. By tracing the CFL-reachable paths traversed in computing points-to sets, we can precisely identify and recompute on demand only the points-to sets affected by the program changes made. Combined with a flexible policy for controlling the granularity of traces, our analysis achieves significant speedups with little space overhead over reanalysis from scratch when evaluated with a null dereferencing client using 14 Java benchmarks.

show abstract

Section: Cfl-reachabilitymentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Incremental Points-to Analysis with CFL-Reachability

Lü

Shang

Xie

et al. 2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

Making context-sensitive inclusion-based pointer analysis practical for compilers using parameterised summarisation

Sui

Xue

et al. 2013

Softw. Pract. Exper.

Self Cite

View full text Add to dashboard Cite

SUMMARYBecause of its high precision as a flow‐insensitive pointer analysis, Andersen's analysis has been deployed in some modern optimising compilers. To obtain improved precision, we describe how to add context sensitivity on top of Andersen's analysis. The resulting analysis, called ICON, is efficient to analyse large programs while being sufficiently precise to drive compiler optimisations. Its novelty lies in summarising the side effects of a procedure by using one transfer function on virtual variables that represent fully parameterised locations accessed via its formal parameters. As a result, a good balance between efficiency and precision is made, resulting in ICON that is more powerful than a 1‐callsite‐sensitive analysis and less so than a call‐path‐sensitive analysis (when the recursion cycles in a program are collapsed in all cases). We have compared ICON with FULCRA, a state of the art Andersen's analysis that is context sensitive by acyclic call paths, in Open64 (with recursion cycles collapsed in both cases) using the 16 C/C++ benchmarks in SPEC2000 (totalling 600 KLOC) and 5 C applications (totalling 2.1 MLOC). Our results demonstrate scalability of ICON and lack of scalability of FULCRA. FULCRA spends over 2 h in analysing SPEC2000 and fails to run to completion within 5 h for two of the five applications tested. In contrast, ICON spends just under 7 min on the 16 benchmarks in SPEC2000 and just under 26 min on the same two applications. For the 19 benchmarks analysable by FULCRA, ICON is nearly as accurate as FULCRA in terms of the quality of the built Static Single Assignment (SSA) form and the precision of the discovered alias information. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

Ripple: Reflection analysis for Android apps in incomplete information environments

Zhang

Tan

et al. 2018

Softw Pract Exp

Self Cite

View full text Add to dashboard Cite

Summary Reflection poses grave problems for static security analysis, despite its widespread use in Android apps. In general, string inference has been mainly used to handle reflection, resulting in significantly missed security vulnerabilities. In this work, we bring forward the ubiquity of incomplete information environments (IIEs) for Android apps, where some critical dataflows are missing during static analysis and the need for resolving reflective calls under IIEs. We present Ripple, the first IIE‐aware static reflection analysis for Android apps that resolves reflective calls more soundly than string inference. Validation with 17 popular Android apps from Google Play demonstrates the effectiveness of Ripple in discovering reflective targets with a low false positive rate (due to its trade‐off made among soundness, precision, and scalability). As a result, Ripple enables FlowDroid, a taint analysis for Android apps, to find hundreds of sensitive data leakages that would otherwise be missed. As a fundamental analysis, Ripple will be valuable for many security analysis clients, since more program behaviors can now be analyzed under IIEs.

show abstract

On-demand dynamic summary-based points-to analysis

Cited by 73 publications

References 29 publications

An Incremental Points-to Analysis with CFL-Reachability

An Incremental Points-to Analysis with CFL-Reachability

Making context-sensitive inclusion-based pointer analysis practical for compilers using parameterised summarisation

Ripple: Reflection analysis for Android apps in incomplete information environments

Contact Info

Product

Resources

About