1
Practical Object-sensitive Points-to Analysis for Java
Ana Milanova Atanas Rountev Barbara Ryder
Rutgers University
2
Points-to Analysis for Java
Which objects may reference variable x point to?
Builds a points-to graph
x = new A();
y = new B();
x.f = y;
[Figure: points-to graph over variables x, y and objects o1, o2, with a field edge labeled f]
3
Uses of Points-to Information
Clients: SE tools and compilers
  Side-effect analysis
  Data-flow based testing
  Call graph construction
  Interprocedural analyses
  Program slicing
  Coverage analysis
  Compiler optimizations
4
Existing Practical Points-to Analyses for Java
Flow- and context-insensitive
Extend existing analyses for C
Context insensitivity inherently compromises precision for object-oriented languages
Goal: Introduce context sensitivity and remain practical
5
Our Work
Object sensitivity
  Form of context sensitivity for flow-insensitive points-to analysis of OO languages
Object-sensitive Andersen’s analysis
  Object sensitivity applicable to other analyses
Parameterization framework
  Cost vs. precision tradeoff
Empirical evaluation
  Vs. context-insensitive Andersen’s analysis
6
Outline
Imprecision of context-insensitive analysis
Object-sensitive analysis
Parameterization
Empirical results
Related work
Summary and future work
7
The Imprecision of Context-insensitive Analysis
Does not distinguish contexts for instance methods and constructors
  States of distinct objects are merged
Common OO features and idioms
  Encapsulation
  Inheritance
  Containers, maps and iterators
8
Example: Imprecision
class Y extends X { … }
class A {
  X f;
  void m(X q) {
    this.f = q;
  }
}
A a = new A();
a.m(new X());
A aa = new A();
aa.m(new Y());
[Figure: context-insensitive points-to graph over a, aa, this_A.m, q and objects o1, o2, o3, o4, with four field edges labeled f]
9
Object-sensitive Analysis
Instance methods and constructors analyzed for different contexts
Receiver objects used as contexts
Multiple copies of reference variables
For receiver object o1: this.f=q becomes this_A.m^o1.f = q^o1
10
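Example: Object-sensitive Analysis
class A {
  X f;
  void m(X q) {
    this.f = q;
  }
}
A a = new A();
a.m(new X());
A aa = new A();
aa.m(new Y());
For receiver object o1: this.f=q becomes this_A.m^o1.f = q^o1
For receiver object o3: this.f=q becomes this_A.m^o3.f = q^o3
[Figure: object-sensitive points-to graph over a, aa, objects o1, o2, o3, o4 and the per-context copies this_A.m^o1, q_A.m^o1, this_A.m^o3, q_A.m^o3, with two field edges labeled f]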
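The contrast between slides 8 and 10, as an added example that is not from the slides or the authors' implementation: a small fixed-point solver run over the A.m program in both modes. The encoding is constructed for illustration; t1 and t2 are hypothetical temporaries for the two call arguments, and only this and the formal q are replicated per receiver object.

```python
from collections import defaultdict

# Constructed encoding of the slide program; o1..o4 name the allocation sites.
ALLOCS = [("a", "o1"), ("t1", "o2"), ("aa", "o3"), ("t2", "o4")]  # var = new ...
CALLS = [("a", "t1"), ("aa", "t2")]      # recv.m(arg), both calls target A.m
BODY_STORES = [("this", "f", "q")]       # body of A.m: this.f = q

def add(target, objs):
    """Union objs into target; report whether anything new was added."""
    before = len(target)
    target |= objs
    return len(target) != before

def analyze(object_sensitive):
    """Return {(object, field): [objects]} for the program above."""
    pts = defaultdict(set)    # variable, or (variable, context) -> objects
    fpts = defaultdict(set)   # (object, field) -> objects
    for var, obj in ALLOCS:
        pts[var].add(obj)
    contexts = set()
    changed = True
    while changed:            # iterate the constraints to a fixed point
        changed = False
        for recv, arg in CALLS:
            for o in sorted(pts[recv]):
                # Object sensitivity: the receiver object is the context.
                # Context-insensitive: one shared copy ("*") for all calls.
                ctx = o if object_sensitive else "*"
                contexts.add(ctx)
                changed |= add(pts[("this", ctx)], {o})
                changed |= add(pts[("q", ctx)], pts[arg])
        for ctx in contexts:
            for base, field, src in BODY_STORES:
                for o in sorted(pts[(base, ctx)]):
                    changed |= add(fpts[(o, field)], pts[(src, ctx)])
    return {key: sorted(objs) for key, objs in fpts.items()}

if __name__ == "__main__":
    for mode in (False, True):
        label = "object-sensitive" if mode else "context-insensitive"
        print(label, analyze(mode))
```

The context-insensitive run yields four f edges (o1.f and o3.f each reach both o2 and o4), while the object-sensitive run yields only o1.f to o2 and o3.f to o4.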
11
Parameterization
Goal: tunable analysis
  Multiple copies for a subset of variables
  For the other variables a single copy
Result: reduces points-to graph size and analysis cost
  At the expense of precision loss
12
Implementation
Implemented one instance
  this, formals and return variables replicated
  Constraint-based, on top of Andersen’s analysis
  Optimizations
Comparison with Andersen’s analysis
13
Empirical Results
23 Java programs: 14 – 677 user classes
  Added the necessary library classes
  Machine: 360 MHz, 512Mb
Object Sensitive vs. Andersen
  Comparable cost
  Better precision
    Modification side-effect analysis
    Virtual call resolution
14
Analysis Time
[Bar chart: analysis time in seconds (axis 0 to 250) per benchmark: compress, db, jb, echo, raytrace, mtrt, jtar, jlex, javacup, rabbit, jack, jflex, jess, mpegaudio, jjtree, sablecc, creature, mindterm, soot, muffin, javacc. Series: Object Sensitive, Andersen]
15
Side-effect Analysis: Modified Objects Per Statement
[Stacked bar chart: axis 0% to 100%; categories: One, Two or three, Four to nine, More than nine; benchmarks: jb, jess, sablecc, raytrace, Average. Series: Object Sensitive, Andersen]
16
Improvement in Resolved Calls
[Bar chart: improvement in percent (axis 0 to 60) per benchmark: proxy, compress, db, jb, echo, raytrace, mtrt, jtar, jlex, javacup, rabbit, jack, jflex, jess, mpegaudio, jjtree, sablecc, javac, creature, mindterm, soot, muffin, javacc, Avg]
17
Related Work
Context-sensitive points-to analysis for OO languages
  Grove et al. OOPSLA’97, Chatterjee et al. POPL’99, Ruf PLDI’00, Grove-Chambers TOPLAS’01
Context-insensitive points-to analysis for OO languages
  Liang et al. PASTE’01, Rountev et al. OOPSLA’01
Context-sensitive class analysis
  Oxhoj et al. ECOOP’92, Agesen SAS’94, Plevyak-Chien OOPSLA’94, Agesen ECOOP’95, Grove et al. OOPSLA’97, Grove-Chambers TOPLAS’01
18
Summary
Object sensitivity – context sensitivity for flow-insensitive analysis of OO languages
Parameterization allows flexibility
Practical cost, comparable to Andersen’s analysis
Better precision than Andersen’s analysis
19
Future Work
Implement other instances
Object naming schemes
Theoretical and empirical comparison
Call string context sensitivity
Other instances of functional approach
Impact on client applications
20
21
Modification Side-Effect (MOD) Analysis
Which objects may be modified by statement s?
Points-to analysis is prerequisite
Object-sensitive MOD analysis
  Based on object-sensitive points-to analysis
  Set of modified objects for each context