Strictly declarative specification of sophisticated points-to analyses

Bravenboer, Martin; Smaragdakis, Yannis

doi:10.1145/1640089.1640108

Cited by 259 publications

(196 citation statements)

References 30 publications

Supporting

Mentioning

196

Contrasting

Order By: Relevance

“…We analyzed both the DaCapo benchmark programs, v.2006-10-MR2 [3], and the SPEC JVM 98 benchmark programs [29] with JDK 1.4 (jre1.4.2.11) which is larger than JDK 1.3 used by Lhoták and Hendren [20] and similar to JDK 1.4 used by Bravenboer and Smaragdakis [6]. We also evaluate the soundness of the call graphs generated by Cgc by comparing them to the dynamic call graphs recorded at run time using the *J tool [11].…”

Section: Methodsmentioning

confidence: 99%

“…For ease of modification and experimentation, Cgc is implemented in Datalog. 3 Cgc uses a pointer analysis that is based on the context-insensitive pointer analysis from the Doop framework [6]. However, the analysis is independent of Datalog, and could be transcribed into Java to be embedded into an analysis framework such as Soot or Wala.…”

Section: Cgc Overviewmentioning

confidence: 99%

“…Doop [6] implements various pointer analysis algorithms for Java programs, all defined declaratively in Datalog. Doop constructs the call graph on-the-fly while computing the points-to sets.…”

Section: Related Workmentioning

confidence: 99%

“…The key reason is dynamic dispatch: the target of a call depends on the runtime type of the receiver of the call. Because the receiver could have been created anywhere in the program, a sound algorithm must either analyze the whole program [1,6,17,21,34], or make very conservative assumptions about the receiver type (e.g., Class Hierarchy Analysis [9]). Additionally, due to the large sizes of common libraries, whole-program analysis of even trivial programs is expensive [7,27,28].…”

Section: Introductionmentioning

confidence: 99%

“…Since a dynamic call graph does not represent all possible paths of a program, it does not make sense to use it to evaluate the precision of a static call graph. Therefore, we evaluate precision by comparing against call graphs constructed by whole-program analysis (using both the Spark [20] and Doop [6] call graph construction systems). We also compare the performance of our prototype par-tial call graph construction system with whole-program call graph construction.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Application-Only Call Graph Construction

Ali

Lhoták

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Since call graphs are an essential starting point for all interprocedural analyses, many tools and frameworks have been developed to generate the call graph of a given program. The majority of these tools focus on generating the call graph of the whole program (i.e., both the application and the libraries that the application depends on). A popular compromise to the excessive cost of building a call graph for the whole program is to ignore all the effects of the library code and any calls the library makes back into the application. This results in potential unsoundness in the generated call graph and therefore in any analysis that uses it. In this paper, we present Cgc, a tool that generates a sound call graph for the application part of a program without analyzing the code of the library.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Cgc Overviewmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Application-Only Call Graph Construction

Ali

Lhoták

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

SafeType: detecting type violations for type‐basedalias analysis of C

et al. 2015

View full text Add to dashboard Cite

SUMMARYTo improve the ability of compilers to determine alias relations in a program, the C standard restricts the types of expressions that may access objects in memory. In practice, however, many existing C programs do not conform to these restrictions, making type-based alias analysis unsound for those programs. As a result, type-based alias analysis is frequently disabled. Existing approaches for verifying type safety exist within larger frameworks designed to verify overall memory safety, requiring both static analysis and runtime checks. This paper describes the motivation for analyzing the safety of type-based alias analysis independently; presents SafeType, a purely static approach to detection of violations of the C standard's restrictions on memory accesses; describes an implementation of SafeType in the IBM XL C compiler, with flowsensitive and context-sensitive queries to handle variables with type void * ; evaluates that implementation, showing that it scales to programs with hundreds of thousands of lines of code; and uses SafeType to identify a previously unreported violation in the 470.lbm benchmark in SPEC CPU2006.

show abstract

OPAL: An extensible framework for ontology‐based program analysis

2020

View full text Add to dashboard Cite

SummaryThe syntactic information of a program can be represented as resource description framework (RDF) triples called program triples. We propose an extensible static analysis framework, called OPAL—Ontology‐based Program AnaLysis. The framework enables formal representation of external knowledge, such as usage knowledge of libraries and domain knowledge. Utilizing this knowledge and the program triples, we compute the semantic information, called static trace of the program. It is generated through path‐sensitive intraprocedural traversal of the program. We approximate information in case of loops by unrolling them a fixed number of times. The main contribution of the framework is to store the static trace as RDF triples called semantic triples. They are described using the Program Analysis ontology proposed in this article. The program triples and the semantic triples are together called consolidated program triples. These triples are stored and used to accelerate the execution of client‐analyses specified by the end user. In the framework, a client‐analysis is specified by a set of conjunctive expressions that use SPARQL (W3C RDF query language) queries. The framework is effective for the client‐analyses that warrant sound and approximate information. The effectiveness is assessed first, using two source‐code‐analyses that require only the program triples, and then 10 intraprocedural path‐sensitive analyses that require the consolidated program triples. Using NPB and SPEC 2006 benchmarks, we achieve an improvement in the conciseness of analysis specifications. Also, the execution time using OPAL is competitive to LLVM's clang for individual analysis and outperforms clang over a series of analyses because of the reuse of consolidated program triples.

show abstract

Strictly declarative specification of sophisticated points-to analyses

Cited by 259 publications

References 30 publications

Application-Only Call Graph Construction

Application-Only Call Graph Construction

SafeType: detecting type violations for type‐basedalias analysis of C

OPAL: An extensible framework for ontology‐based program analysis

Contact Info

Product

Resources

About